Git ssh private key binding(GSoC-21)

README.adoc

@@ -54,7 +54,10 @@ image:images/multibranch-pipeline.png[link=https://youtu.be/B_2FXWI6CWg]
 [#credential-binding]
 === Git Credentials Binding
 
-The git plugin provides `Git Username and Password` binding that allows authenticated git operations over *HTTP* and *HTTPS* protocols using command line git in a Pipeline job.
+The git plugin provides two credential bindings
+
+* `Git Username and Password` binding that allows authenticated git operations over *HTTP* and *HTTPS* protocols using command line git in a Pipeline job.
+* `Git SSH Private Key` binding that allows authenticated git operations over *SSH* protocol using command line git for sh, bat, powershell in a Pipeline job.
 
 The git credential bindings are accessible through the link:https://www.jenkins.io/doc/pipeline/steps/credentials-binding/#withcredentials-bind-credentials-to-variables[`withCredentials`] step of the link:https://plugins.jenkins.io/credentials-binding/[Credentials Binding] plugin.
 The binding retrieves credentials from the link:https://plugins.jenkins.io/credentials/[Credentials] plugin.
@@ -96,6 +99,45 @@ withCredentials([gitUsernamePassword(credentialsId: 'my-credentials-id',
   powershell 'git push'
 }
 ```
+
+==== Git SSH Private Key
+
+The binding provides *SSH* protocol support for git operation which requires authentication.
+
+Procedure::
+
+. Click the Pipeline Syntax _Snippet Generator_ and choose the `withCredentials` step, add Git SSH Private Key binding.
+. Choose the required credentials and Git tool name, specific to the generated Pipeline snippet.
+
+image:images/git-credentials-binding-git-ssh-private-key-pipeline-job.png[Git-SSH-Private-Key-Binding]
+
+Unlike `Git Username and Password` binding, variable bindings are not provided in `Git SSH Private Key` binding.
+
+
+.Shell example
+```groovy
+withCredentials([gitSshPrivateKey(credentialsId: 'my-credentials-id',
+                 gitToolName: 'git-tool')]) {
+  sh 'git fetch --all'
+}
+```
+
+.Batch example
+```groovy
+withCredentials([gitSshPrivateKey(credentialsId: 'my-credentials-id',
+                 gitToolName: 'git-tool')]) {
+  bat 'git submodule update --init --recursive'
+}
+```
+
+.Powershell example
+```groovy
+withCredentials([gitSshPrivateKey(credentialsId: 'my-credentials-id',
+                gitToolName: 'git-tool')]) {
+    powershell 'git push'
+}
+```
+
 [#configuration]
 == [[GitPlugin-ProjectConfiguration]]Configuration
 
@@ -592,13 +634,18 @@ Project Name in ViewGit::
 [#git-bindings]
 == Git Credential Binding
 
-The git plugin provides one binding to support authenticated git operations over *HTTP* or *HTTPS* protocol, namely `Git Username and Password`.
-The git plugin depends on the Credential Binding Plugin to support these bindings.
+The git plugin provides two binding to support authenticated git operations-
+
+* `Git Username and Password` supports git authentication over *HTTP* or *HTTPS* protocol.
+* `Git SSH Private Key` supports git authentication over *SSH* protocol.
+
+The git plugin depends on the https://plugins.jenkins.io/credentials-binding/[Credential Binding Plugin] to support these bindings.
 
-To access the `Git Username and Password` binding in a Pipeline job, visit <<credential-binding>>
+To access the `Git Username and Password` and `Git SSH Private Key` binding in a Pipeline job, visit <<credential-binding>>
 
-Freestyle projects can use git credential binding with the following steps:
+Freestyle projects can use git credentials binding
 
+Git Username and Password::
 . Check the box _Use secret text(s) or file(s)_, add Git Username and Password binding.
 
 . Choose the required credentials and Git tool name.
@@ -608,6 +655,14 @@ image:images/git-credentials-usernamepassword-binding-freestyle-project.png[Git-
 Two variable bindings are used, `GIT_USERNAME` and `GIT_PASSWORD`, to pass the username and password to shell, batch, and powershell steps in a Freestyle job.
 The variable bindings are available even if the `JGit` or `JGit with Apache HTTP Client` git implementation is being used.
 
+Git SSH Private Key::
+. Check the box _Use secret text(s) or file(s)_, add Git SSH Private Key binding.
+
+. Choose the required credentials and Git tool name.
+
+image:images/git-credentials-binding-git-ssh-private-key-freestyle-job.png[Git-SSH-Private-Key-Freestyle-Job]
+
+Variable bindings are not provided in this binding.
 [#extensions]
 == Extensions
 

pom.xml

@@ -178,6 +178,17 @@
       <groupId>org.jenkins-ci.plugins</groupId>
       <artifactId>credentials-binding</artifactId>
     </dependency>
+    <!-- BouncyCastle API Plugin -->
+    <dependency>
+      <groupId>org.jenkins-ci.plugins</groupId>
+      <artifactId>bouncycastle-api</artifactId>
+    </dependency>
+    <!-- SSHD Plugin -->
+    <dependency>
+      <groupId>org.jenkins-ci.modules</groupId>
+      <artifactId>sshd</artifactId>
+      <version>3.1.0</version>
+    </dependency>
     <dependency>
       <!-- we contribute AbstractBuildParameters for Git if it's available -->
       <groupId>org.jenkins-ci.plugins</groupId>

src/main/java/jenkins/plugins/git/GitSSHPrivateKeyBinding.java

@@ -0,0 +1,219 @@
+package jenkins.plugins.git;
+
+import com.cloudbees.jenkins.plugins.sshcredentials.SSHUserPrivateKey;
+import com.cloudbees.plugins.credentials.common.StandardCredentials;
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.EnvVars;
+import hudson.FilePath;
+import hudson.Launcher;
+import hudson.model.Run;
+import hudson.model.TaskListener;
+import hudson.plugins.git.GitSCM;
+import hudson.plugins.git.GitTool;
+import hudson.util.ListBoxModel;
+import hudson.Extension;
+import jenkins.model.Jenkins;
+import org.jenkinsci.Symbol;
+import org.jenkinsci.plugins.credentialsbinding.BindingDescriptor;
+import org.jenkinsci.plugins.credentialsbinding.MultiBinding;
+import org.jenkinsci.plugins.credentialsbinding.impl.AbstractOnDiskBinding;
+import org.jenkinsci.plugins.credentialsbinding.impl.UnbindableDir;
+import org.jenkinsci.plugins.gitclient.CliGitAPIImpl;
+import org.jenkinsci.plugins.gitclient.Git;
+import org.jenkinsci.plugins.gitclient.GitClient;
+import org.kohsuke.stapler.DataBoundConstructor;
+import org.kohsuke.stapler.interceptor.RequirePOST;
+
+import javax.annotation.Nullable;
+import java.io.IOException;
+import java.util.LinkedHashMap;
+import java.util.Collections;
+import java.util.Map;
+import java.util.List;
+import java.util.Set;
+
+
+public class GitSSHPrivateKeyBinding extends MultiBinding<SSHUserPrivateKey> implements GitCredentialBindings, SSHKeyUtils {
+    final private String gitToolName;
+    private transient boolean unixNodeType;
+
+    @DataBoundConstructor
+    public GitSSHPrivateKeyBinding(String gitToolName, String credentialsId) {
+        super(credentialsId);
+        this.gitToolName = gitToolName;
+        //Variables could be added if needed
+    }
+
+    public String getGitToolName() {
+        return this.gitToolName;
+    }
+
+    private void setUnixNodeType(boolean value) {
+        this.unixNodeType = value;
+    }
+
+    @Override
+    public MultiEnvironment bind(@NonNull Run<?, ?> run, @Nullable FilePath filePath,
+                                 @Nullable Launcher launcher, @NonNull TaskListener taskListener) throws IOException, InterruptedException {
+        final Map<String, String> secretValues = new LinkedHashMap<>();
+        final Map<String, String> publicValues = new LinkedHashMap<>();
+        SSHUserPrivateKey credentials = getCredentials(run);
+        GitTool cliGitTool = getCliGitTool(run, this.gitToolName, taskListener);
+        if (cliGitTool != null && filePath != null && launcher != null) {
+            setUnixNodeType(isCurrentNodeOSUnix(launcher));
+            final UnbindableDir unbindTempDir = UnbindableDir.create(filePath);
+            final GitClient git = getGitClientInstance(cliGitTool.getGitExe(), unbindTempDir.getDirPath(), new EnvVars(), taskListener);
+            final String sshExePath = getSSHPath(git);
+            setGitEnvironmentVariables(git, publicValues);
+            if (isGitVersionAtLeast(git, 2, 3, 0, 0)) {
+                secretValues.put("GIT_SSH_COMMAND", getSSHCmd(credentials, unbindTempDir.getDirPath(), sshExePath));
+            } else {
+                SSHScriptFile sshScript = new SSHScriptFile(credentials, sshExePath, unixNodeType);
+                secretValues.put("GIT_SSH", sshScript.write(credentials, unbindTempDir.getDirPath()).getRemote());
+            }
+            return new MultiEnvironment(secretValues, publicValues, unbindTempDir.getUnbinder());
+        } else {
+            taskListener.getLogger().println("JGit and JGitApache type Git tools are not supported by this binding");
+            return new MultiEnvironment(secretValues, publicValues);
+        }
+    }
+
+    @Override
+    public Set<String> variables(@NonNull Run<?, ?> run) {
+        return Collections.emptySet();
+    }
+
+    /*package*/void setGitEnvironmentVariables(@NonNull GitClient git, Map<String, String> publicValues) throws IOException, InterruptedException {
+        setGitEnvironmentVariables(git, null, publicValues);
+    }
+
+    @Override
+    public void setCredentialPairBindings(@NonNull StandardCredentials credentials, Map<String, String> secretValues, Map<String, String> publicValues) {
+        //Private Key credentials not required to bind with environment variables
+    }
+
+    @Override
+    public void setGitEnvironmentVariables(@NonNull GitClient git, Map<String, String> secretValues, Map<String, String> publicValues) throws IOException, InterruptedException {
+        if (unixNodeType && isGitVersionAtLeast(git, 2, 3, 0, 0)) {
+            publicValues.put("GIT_TERMINAL_PROMPT", "false");
+        } else {
+            publicValues.put("GCM_INTERACTIVE", "false");
+        }
+    }
+
+    @Override
+    public GitClient getGitClientInstance(String gitToolExe, FilePath repository, EnvVars env, TaskListener listener) throws IOException, InterruptedException {
+        Git gitInstance = Git.with(listener, env).using(gitToolExe);
+        return gitInstance.getClient();
+    }
+
+    @Override
+    protected Class<SSHUserPrivateKey> type() {
+        return SSHUserPrivateKey.class;
+    }
+
+    private boolean isGitVersionAtLeast(GitClient git, int major, int minor, int rev, int bugfix) {
+        return ((CliGitAPIImpl) git).isCliGitVerAtLeast(major, minor, rev, bugfix);
+    }
+
+    private String getSSHPath(GitClient git) {
+        if (unixNodeType) {
+            return "ssh";
+        } else {
+            //Use getSSHExePathInWin(GitClient git), when support for finding ssh executable is provided for agents.
+            //ssh, will work only if OpenSSH is installed on the system being used to execute the build
+            return "ssh";
+        }
+    }
+
+    private String getSSHCmd(SSHUserPrivateKey credentials, FilePath tempDir, String sshExePath) {
+        if (unixNodeType) {
+            return sshExePath
+                    + " -i "
+                    + getPrivateKeyFile(credentials, tempDir).getRemote()
+                    + " -o StrictHostKeyChecking=no";
+        } else {
+            return "\"" + sshExePath + "\""
+                    + " -i "
+                    + "\""
+                    + getPrivateKeyFile(credentials, tempDir).getRemote()
+                    + "\""
+                    + " -o StrictHostKeyChecking=no";
+        }
+    }
+
+    protected final class SSHScriptFile extends AbstractOnDiskBinding<SSHUserPrivateKey> {
+
+        private final String sshExePath;
+        private final boolean unixNodeType;
+
+        protected SSHScriptFile(SSHUserPrivateKey credentials, String sshExePath, boolean unixNodeType) {
+            super(SSHKeyUtils.getSinglePrivateKey(credentials) + ":" + SSHKeyUtils.getPassphraseAsString(credentials), credentials.getId());
+            this.sshExePath = sshExePath;
+            this.unixNodeType = unixNodeType;
+        }
+
+        @Override
+        protected FilePath write(SSHUserPrivateKey credentials, FilePath workspace) throws IOException, InterruptedException {
+            FilePath tempFile;
+            if (unixNodeType) {
+                tempFile = workspace.createTempFile("gitSSHScript", ".sh");
+                tempFile.write(
+                        "ssh -i "
+                                + getPrivateKeyFile(credentials, workspace).getRemote()
+                                + " -o StrictHostKeyChecking=no $@", null);
+                tempFile.chmod(0500);
+            } else {
+                tempFile = workspace.createTempFile("gitSSHScript", ".bat");
+                tempFile.write("@echo off\r\n"
+                        + "\""
+                        + this.sshExePath
+                        + "\""
+                        + " -i "
+                        + "\""
+                        + getPrivateKeyFile(credentials, workspace).getRemote()
+                        + "\""
+                        + " -o StrictHostKeyChecking=no", null);
+            }
+            return tempFile;
+        }
+
+        @Override
+        protected Class<SSHUserPrivateKey> type() {
+            return SSHUserPrivateKey.class;
+        }
+    }
+
+    @Symbol("gitSshPrivateKey")
+    @Extension
+    public static final class DescriptorImpl extends BindingDescriptor<SSHUserPrivateKey> {
+
+        @NonNull
+        @Override
+        public String getDisplayName() {
+            return Messages.GitSSHPrivateKeyBinding_DisplayName();
+        }
+
+        @RequirePOST
+        public ListBoxModel doFillGitToolNameItems() {
+            ListBoxModel items = new ListBoxModel();
+            List<GitTool> toolList = Jenkins.get().getDescriptorByType(GitSCM.DescriptorImpl.class).getGitTools();
+            for (GitTool t : toolList) {
+                if (t.getClass().equals(GitTool.class)) {
+                    items.add(t.getName());
+                }
+            }
+            return items;
+        }
+
+        @Override
+        protected Class<SSHUserPrivateKey> type() {
+            return SSHUserPrivateKey.class;
+        }
+
+        @Override
+        public boolean requiresWorkspace() {
+            return true;
+        }
+    }
+}