Git ssh private key binding(GSoC-21)

pom.xml

@@ -30,7 +30,7 @@
     <gitHubRepo>jenkinsci/${project.artifactId}-plugin</gitHubRepo>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <argLine>-Dfile.encoding=${project.build.sourceEncoding}</argLine>
-    <jenkins.version>2.263.1</jenkins.version>
+    <jenkins.version>2.289.1</jenkins.version>
     <java.level>8</java.level>
     <no-test-jar>false</no-test-jar>
     <useBeta>true</useBeta>
@@ -167,6 +167,17 @@
       <groupId>org.jenkins-ci.plugins</groupId>
       <artifactId>credentials-binding</artifactId>
     </dependency>
+    <!-- BouncyCastle API Plugin -->
+    <dependency>
+      <groupId>org.jenkins-ci.plugins</groupId>
+      <artifactId>bouncycastle-api</artifactId>
+    </dependency>
+    <!-- SSHD Plugin -->
+    <dependency>
+      <groupId>org.jenkins-ci.modules</groupId>
+      <artifactId>sshd</artifactId>
+      <version>3.1.0</version>
+    </dependency>
     <dependency><!-- we contribute AbstractBuildParameters for Git if it's available -->
       <groupId>org.jenkins-ci.plugins</groupId>
       <artifactId>parameterized-trigger</artifactId>
@@ -267,7 +278,7 @@
     <dependencies>
       <dependency>
         <groupId>io.jenkins.tools.bom</groupId>
-        <artifactId>bom-2.263.x</artifactId>
+        <artifactId>bom-2.289.x</artifactId>
         <version>923.v08bdc07cd40f</version>
         <scope>import</scope>
         <type>pom</type>

src/main/java/jenkins/plugins/git/GitSSHPrivateKeyBinding.java

@@ -0,0 +1,224 @@
+package jenkins.plugins.git;
+
+import com.cloudbees.jenkins.plugins.sshcredentials.SSHUserPrivateKey;
+import com.cloudbees.plugins.credentials.common.StandardCredentials;
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.EnvVars;
+import hudson.FilePath;
+import hudson.Launcher;
+import hudson.model.Run;
+import hudson.model.TaskListener;
+import hudson.plugins.git.GitSCM;
+import hudson.plugins.git.GitTool;
+import hudson.util.ListBoxModel;
+import hudson.Extension;
+import jenkins.model.Jenkins;
+import org.jenkinsci.Symbol;
+import org.jenkinsci.plugins.credentialsbinding.BindingDescriptor;
+import org.jenkinsci.plugins.credentialsbinding.MultiBinding;
+import org.jenkinsci.plugins.credentialsbinding.impl.AbstractOnDiskBinding;
+import org.jenkinsci.plugins.credentialsbinding.impl.UnbindableDir;
+import org.jenkinsci.plugins.gitclient.CliGitAPIImpl;
+import org.jenkinsci.plugins.gitclient.Git;
+import org.jenkinsci.plugins.gitclient.GitClient;
+import org.kohsuke.stapler.DataBoundConstructor;
+
+import javax.annotation.Nullable;
+import java.io.IOException;
+import java.util.LinkedHashMap;
+import java.util.Map;
+import java.util.LinkedHashSet;
+import java.util.List;
+import java.util.Set;
+
+
+public class GitSSHPrivateKeyBinding extends MultiBinding<SSHUserPrivateKey> implements GitCredentialBindings, SSHKeyUtils {
+    final static private String PRIVATE_KEY = "PRIVATE_KEY";
+    final static private String PASSPHRASE = "PASSPHRASE";
+    final private String gitToolName;
+    private transient boolean unixNodeType;
+
+    @DataBoundConstructor
+    public GitSSHPrivateKeyBinding(String gitToolName, String credentialsId) {
+        super(credentialsId);
+        this.gitToolName = gitToolName;
+        //Variables could be added if needed
+    }
+
+    public String getGitToolName() {
+        return this.gitToolName;
+    }
+
+    private void setUnixNodeType(boolean value) {
+        this.unixNodeType = value;
+    }
+
+    @Override
+    public MultiEnvironment bind(@NonNull Run<?, ?> run, @Nullable FilePath filePath,
+                                 @Nullable Launcher launcher, @NonNull TaskListener taskListener) throws IOException, InterruptedException {
+        final Map<String, String> secretValues = new LinkedHashMap<>();
+        final Map<String, String> publicValues = new LinkedHashMap<>();
+        SSHUserPrivateKey credentials = getCredentials(run);
+        setCredentialPairBindings(credentials, secretValues, publicValues);
+        GitTool cliGitTool = getCliGitTool(run, this.gitToolName, taskListener);
+        if (cliGitTool != null && filePath != null && launcher != null) {
+            setUnixNodeType(isCurrentNodeOSUnix(launcher));
+            final UnbindableDir unbindTempDir = UnbindableDir.create(filePath);
+            final GitClient git = getGitClientInstance(cliGitTool.getGitExe(), unbindTempDir.getDirPath(), new EnvVars(), taskListener);
+            final String sshExePath = getSSHPath(git);
+            setGitEnvironmentVariables(git, publicValues);
+            if (isGitVersionAtLeast(git, 2, 3, 0, 0)) {
+                secretValues.put("GIT_SSH_COMMAND", getSSHCmd(credentials, unbindTempDir.getDirPath(), sshExePath));
+            } else {
+                SSHScriptFile sshScript = new SSHScriptFile(credentials, sshExePath, unixNodeType);
+                secretValues.put("GIT_SSH", sshScript.write(credentials, unbindTempDir.getDirPath()).getRemote());
+            }
+            return new MultiEnvironment(secretValues, publicValues, unbindTempDir.getUnbinder());
+        } else {
+            taskListener.getLogger().println("JGit and JGitApache type Git tools are not supported by this binding");
+            return new MultiEnvironment(secretValues, publicValues);
+        }
+    }
+
+    @Override
+    public Set<String> variables(@NonNull Run<?, ?> run) {
+        Set<String> keys = new LinkedHashSet<>();
+        keys.add(PRIVATE_KEY);
+        keys.add(PASSPHRASE);
+        return keys;
+    }
+
+    @Override
+    public void setCredentialPairBindings(@NonNull StandardCredentials credentials, Map<String, String> secretValues, Map<String, String> publicValues) {
+        SSHUserPrivateKey sshUserCredentials = (SSHUserPrivateKey) credentials;
+        secretValues.put(PRIVATE_KEY, SSHKeyUtils.getSinglePrivateKey(sshUserCredentials));
+        secretValues.put(PASSPHRASE, SSHKeyUtils.getPassphrase(sshUserCredentials));
+    }
+
+    /*package*/void setGitEnvironmentVariables(@NonNull GitClient git, Map<String, String> publicValues) throws IOException, InterruptedException {
+        setGitEnvironmentVariables(git, null, publicValues);
+    }
+
+    @Override
+    public void setGitEnvironmentVariables(@NonNull GitClient git, Map<String, String> secretValues, Map<String, String> publicValues) throws IOException, InterruptedException {
+        if (unixNodeType && isGitVersionAtLeast(git, 2, 3, 0, 0)) {
+            publicValues.put("GIT_TERMINAL_PROMPT", "false");
+        } else {
+            publicValues.put("GCM_INTERACTIVE", "false");
+        }
+    }
+
+    @Override
+    public GitClient getGitClientInstance(String gitToolExe, FilePath repository, EnvVars env, TaskListener listener) throws IOException, InterruptedException {
+        Git gitInstance = Git.with(listener, env).using(gitToolExe);
+        return gitInstance.getClient();
+    }
+
+    @Override
+    protected Class<SSHUserPrivateKey> type() {
+        return SSHUserPrivateKey.class;
+    }
+
+    private boolean isGitVersionAtLeast(GitClient git, int major, int minor, int rev, int bugfix) {
+        return ((CliGitAPIImpl) git).isCliGitVerAtLeast(major, minor, rev, bugfix);
+    }
+
+    private String getSSHPath(GitClient git) throws IOException, InterruptedException {
+        if (unixNodeType) {
+            return "ssh";
+        } else {
+            return getSSHExePathInWin(git);
+        }
+    }
+
+    private String getSSHCmd(SSHUserPrivateKey credentials, FilePath tempDir, String sshExePath) throws IOException, InterruptedException {
+        if (unixNodeType) {
+            return
+                    sshExePath
+                            + " -i "
+                            + getPrivateKeyFile(credentials, tempDir).getRemote()
+                            + " -o StrictHostKeyChecking=no";
+        } else {
+            return "\"" + sshExePath + "\""
+                    + " -i "
+                    + "\""
+                    + getPrivateKeyFile(credentials, tempDir).getRemote()
+                    + "\""
+                    + " -o StrictHostKeyChecking=no";
+        }
+    }
+
+    protected final class SSHScriptFile extends AbstractOnDiskBinding<SSHUserPrivateKey> {
+
+        private final String sshExePath;
+        private final boolean unixNodeType;
+
+        protected SSHScriptFile(SSHUserPrivateKey credentials, String sshExePath, boolean unixNodeType) {
+            super(SSHKeyUtils.getSinglePrivateKey(credentials) + ":" + SSHKeyUtils.getPassphrase(credentials), credentials.getId());
+            this.sshExePath = sshExePath;
+            this.unixNodeType = unixNodeType;
+        }
+
+        @Override
+        protected FilePath write(SSHUserPrivateKey credentials, FilePath workspace) throws IOException, InterruptedException {
+            FilePath tempFile;
+            if (unixNodeType) {
+                tempFile = workspace.createTempFile("gitSSHScript", ".sh");
+                tempFile.write(
+                        "ssh -i "
+                                + getPrivateKeyFile(credentials, workspace).getRemote()
+                                + " -o StrictHostKeyChecking=no $@", null);
+                tempFile.chmod(0500);
+            } else {
+                tempFile = workspace.createTempFile("gitSSHScript", ".bat");
+                tempFile.write("@echo off\r\n"
+                        + "\""
+                        + this.sshExePath
+                        + "\""
+                        + " -i "
+                        + "\""
+                        + getPrivateKeyFile(credentials, workspace).getRemote()
+                        + "\""
+                        + " -o StrictHostKeyChecking=no", null);
+            }
+            return tempFile;
+        }
+
+        @Override
+        protected Class<SSHUserPrivateKey> type() {
+            return SSHUserPrivateKey.class;
+        }
+    }
+
+    @Symbol("gitSSHPrivateKey")
+    @Extension
+    public static final class DescriptorImpl extends BindingDescriptor<SSHUserPrivateKey> {
+
+        @NonNull
+        @Override
+        public String getDisplayName() {
+            return Messages.GitSSHPrivateKeyBinding_DisplayName();
+        }
+
+        public ListBoxModel doFillGitToolNameItems() {
+            ListBoxModel items = new ListBoxModel();
+            List<GitTool> toolList = Jenkins.get().getDescriptorByType(GitSCM.DescriptorImpl.class).getGitTools();
+            for (GitTool t : toolList) {
+                if (t.getClass().equals(GitTool.class)) {
+                    items.add(t.getName());
+                }
+            }
+            return items;
+        }
+
+        @Override
+        protected Class<SSHUserPrivateKey> type() {
+            return SSHUserPrivateKey.class;
+        }
+
+        @Override
+        public boolean requiresWorkspace() {
+            return true;
+        }
+    }
+}

src/main/java/jenkins/plugins/git/OpenSSHKeyFormatImpl.java

@@ -0,0 +1,106 @@
+package jenkins.plugins.git;
+
+import hudson.FilePath;
+import org.apache.sshd.common.config.keys.loader.openssh.OpenSSHKeyPairResourceParser;
+import org.apache.sshd.common.NamedResource;
+import org.apache.sshd.common.config.keys.FilePasswordProvider;
+import org.apache.sshd.common.config.keys.writer.openssh.OpenSSHKeyPairResourceWriter;
+import org.apache.sshd.common.session.SessionContext;
+import org.apache.sshd.common.util.io.SecureByteArrayOutputStream;
+
+import javax.naming.SizeLimitExceededException;
+
+import java.io.ByteArrayInputStream;
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.FileOutputStream;
+import java.security.GeneralSecurityException;
+import java.security.KeyPair;
+import java.util.Base64;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Map;
+
+public class OpenSSHKeyFormatImpl {
+
+    private final String privateKey;
+    private final String passphrase;
+    private static final String BEGIN_MARKER = OpenSSHKeyPairResourceParser.BEGIN_MARKER;
+    private static final String END_MARKER = OpenSSHKeyPairResourceParser.END_MARKER;
+    private static final String DASH_MARKER = "-----";
+
+    public OpenSSHKeyFormatImpl(final String privateKey, final String passphrase) {
+        this.privateKey = privateKey;
+        this.passphrase = passphrase;
+    }
+
+    private byte[] getEncData(String privateKey){
+        String data = privateKey
+                .replace(DASH_MARKER+BEGIN_MARKER+DASH_MARKER,"")
+                .replace(DASH_MARKER+END_MARKER+DASH_MARKER,"")
+                .replaceAll("\\s","");
+        Base64.Decoder decoder = Base64.getDecoder();
+        return decoder.decode(data);
+    }
+
+    private KeyPair getOpenSSHKeyPair(SessionContext session, NamedResource resourceKey,
+                                      String beginMarker, String endMarker,
+                                      FilePasswordProvider passwordProvider,
+                                      InputStream stream, Map<String, String> headers )
+            throws IOException, GeneralSecurityException, SizeLimitExceededException {
+        OpenSSHKeyPairResourceParser openSSHParser = new OpenSSHKeyPairResourceParser();
+        Collection<KeyPair> keyPairs = openSSHParser.extractKeyPairs(session,resourceKey,beginMarker,
+                                                                     endMarker, passwordProvider,
+                                                                     stream, headers);
+        if(keyPairs.size() > 1){
+            throw new SizeLimitExceededException("Expected KeyPair size to be 1");
+        }else {
+            return Collections.unmodifiableCollection(keyPairs).iterator().next();
+        }
+    }
+
+    private File writePrivateKeyOpenSSHFormatted(File tempFile) {
+        OpenSSHKeyPairResourceWriter privateKeyWriter = new OpenSSHKeyPairResourceWriter();
+        SecureByteArrayOutputStream privateKeyBuffer = new SecureByteArrayOutputStream();
+        ByteArrayInputStream stream = new ByteArrayInputStream(getEncData(this.privateKey));
+        KeyPair sshKeyPair = null;
+        try {
+            sshKeyPair = getOpenSSHKeyPair(null,null,"","",
+                    new AcquirePassphrase(this.passphrase),
+                    stream,null);
+            privateKeyWriter.writePrivateKey(sshKeyPair, "", null, privateKeyBuffer);
+            FileOutputStream privateKeyFileStream = new FileOutputStream(tempFile);
+            privateKeyBuffer.writeTo(privateKeyFileStream);
+            privateKeyFileStream.close();
+        } catch (IOException | SizeLimitExceededException | GeneralSecurityException e) {
+            e.printStackTrace();
+        }
+        return tempFile;
+    }
+
+    public static boolean isOpenSSHFormatted(String privateKey) {
+        final String HEADER = DASH_MARKER+BEGIN_MARKER+DASH_MARKER;
+        return privateKey.regionMatches(false, 0, HEADER, 0, HEADER.length());
+    }
+
+    public FilePath writeDecryptedOpenSSHKey(FilePath tempKeyFile) throws IOException, InterruptedException, GeneralSecurityException, SizeLimitExceededException {
+        File tempFile = new File(tempKeyFile.toURI());
+        writePrivateKeyOpenSSHFormatted(tempFile);
+        return new FilePath(tempFile);
+    }
+
+    private final static class AcquirePassphrase implements FilePasswordProvider {
+
+        String passphrase;
+
+        AcquirePassphrase(String passphrase) {
+            this.passphrase = passphrase;
+        }
+
+        @Override
+        public String getPassword(SessionContext session, NamedResource resourceKey, int retryIndex) throws IOException {
+            return this.passphrase;
+        }
+    }
+}