[JENKINS-28399] Add binding for SSH private keys

[matthauck]

JENKINS-28399

[matthauck]

ping. Any chance this might get merged in?

[matthauck]

Hello? Is this plugin still active?

[afalko]

Not sure how to vote this one up, but we'd love to have this as well.

[jglick]

I will take a look when I have a moment.

[jglick]

JENKINS-28399 I suppose. Note that the usual alternative is to use the SSH Agent plugin so that the key is not actually used directly.

[thomasgl-orange]

Maybe this could/should be implemented in the jenkinsci/ssh-credentials-plugin instead? From discussion in #22, my understanding was that it would be better to implement new bindings directly in the plugins which provide the credentials types, inverting the dependency (that's what I ended up proposing in jenkinsci/docker-commons-plugin#54 for Docker client certificates).
@jglick: could you confirm/infirm?

[matthauck]

fwiw, I did not want to use the ssh agent plugin because of its extra installation burden (dependency on tomcat native libraries and needing to install BouncyCastle as a security provider). Having direct access to the key turned out to be easier.

Not sure about where this should live. Seems like putting the ssh key binding into the "binding" plugin seemed like the best place to me. I'll leave that decision up to the maintainer as to where it should live.

[jglick]

Maybe this could/should be implemented in the jenkinsci/ssh-credentials-plugin instead?

No strong preference I guess. Generally “domain-specific” bindings should live in the plugin defining that Credentials type. OTOH SSH credentials are very widely used and considered close to fundamental.

JENKINS-19508 is really the right solution IMO, but that is not available now.

@stephenc any particular opinion?

[jglick]

This will not work with Image.inside from docker-workflow. It is necessary to use the standard “temp workspace”. See FileBinding and #25.

[matthauck]

👍

[jglick]

No. Extend MasterToSlaveFileCallable instead.

[matthauck]

👍

[jglick]

tip: ImmutableSet.of

[matthauck]

👍

[jglick]

workspace.child(filePath)

[matthauck]

👍

[jglick]

Should be unnecessary; use a normal BasicSSHUserPrivateKey.

[matthauck]

Was going to do that originally but got hung on all the other stuff necessary to construct one (like PrivateKeySource), and seemed easier to just create a simple implementation of the interface here. Are you okay maybe with leaving this as is?

[jglick]

Up to you. BasicSSHUserPrivateKey would probably be easier.

[matthauck]

would prefer to keep as-is if it's okay with you.

[jglick]

Collections.<TheType>singletonList

[jglick]

Use story.j.waitForCompletion. Jenkins dependency irrelevant.

[matthauck]

👍

[naphthalene]

Is this dead in the water? I'm trying to figure out how to inject SSH creds into a kubernetes jnlp slave. I think I'm stuck with using a custom image with a key baked in.

[matthauck]

Sorry, by the time the review came in I had ditched this workflow for something else and have been distracted since. I can get this back up to date and address the review feedback.

[naphthalene]

No problem! I've got a workaround going.

[matthauck]

just rebased from master. will update per review feedback.

[stephenc]

@jglick I think this plugin is the correct place given that JENKINS-19508 has not been implemented (ssh-credentials being slightly more generic than this)

[jglick]

I would just make it a mandatory dep, as we do for plain-credentials: ssh-credentials does no harm if unused.

[matthauck]

okay. was trying to be less aggressive here. can change this if you like.

[jglick]

Really? :-)

[jglick]

Better to use the new API in #25 when ready.

[matthauck]

i see you reverted that PR. Do you want to wait until that api is ready?

[jglick]

Yes.

[matthauck]

Okay. Please ping me then when it is ready and I can update this PR.

[jglick]

Since passphraseVariable and usernameVariable are not necessarily required, better to make these @CheckForNull properties with @DataBoundSetter.

[jglick]

?

[matthauck]

hah. was copy-pasting from other tests probably. i'll take that out.

[matthauck]

Can I just leave out this copyright?

[jglick]

Add a @Symbol.

[jglick]

Up to you. BasicSSHUserPrivateKey would probably be easier.

[tutipeti]

Hey, any chance to merge this soon? Would be much appreciated :)

[matthauck]

It's already been another month since #25 was opened and closed. Not seeing any open PRs on that either. It seems strange to me to hold up this PR (which other people than myself clearly have interest in) for a new API that isn't there yet, and it is a little frustrating how long this PR has dragged on.

If you guys think this is a worthwhile feature to add, and if the current implementation here is correct, then why not just merge in this PR now and change to use the new API when it is done?

[jglick]

#36 now.

[jglick]

This annotation is meaningless on a method returning void! Did you mean to place it on the getter?

[jglick]

ditto

[jglick]

Simpler to use FilePath.write().

[jglick]

Nice to create help-passphraseVariable.html giving specifics, such as that two parameters are optional. Can also add doCheck* methods to the descriptor guiding the user to fill in keyFileVariable but allowing the others to remain blank.

[jglick]

After I get #42 to pass and merge it, you will need to merge with master to resolve conflicts and get the new CI builder running the tests on both Linux and Windows.

[jglick]

Done, please merge.

[naphthalene]

Thank you for pushing this through!!

[jglick]

Some test failures caught by CI.

[jglick]

fails on Windows

[jglick]

fails on Windows

[jglick]

Misleading semaphore name BTW; could use a more generic name (they are not shared between tests).

[jglick]

not actually necessary

[jglick]

not actually necessary

[matthauck]

yeah, the test were written originally w/ only linux in mind....

[jglick]

Need to either update them to run on Windows, or at a minimum

assumeFalse(Functions.isWindows()); // TODO provide a Windows equivalent

[matthauck]

sorry. been really busy at work. getting around to this now.

[matthauck]

woot! build passed! 🎉

[ghost]

How would you access this using withCredentials?

e.g: withCredentials([ssh-priv-key(credentialsId: '41341dc3-59fb-47c8-aa31-9d9931ee7c1c', variable: 'SSH-KEY')])

[matthauck]

Please see test for example usage: https://github.com/jenkinsci/credentials-binding-plugin/blob/master/src/test/java/org/jenkinsci/plugins/credentialsbinding/impl/SSHUserPrivateKeyTest.java#L154

[fpelz]

How can I use this inside a Wrapper, like I would do for usernamePassword.

 wrappers { 
    credentialsBinding {
        // here the values from jenkins credentials are available as env. vars. 
        usernamePassword('CF_EMAIL', 'CF_PASSWORD', 'cf-dev-credential')

        // Similarly would like to put the path for the key and passphrase
        ssh('MY_KEY_PATH', 'MY_KEY_USER', 'MY_KEY_PASSPHRASE', 'my-key-id-jenkins-credentials')
   }
}

Is it possible with latest version?

[sgalaviz]

Hello,

I try the usage example (https://github.com/jenkinsci/credentials-binding-plugin/blob/master/src/test/java/org/jenkinsci/plugins/credentialsbinding/impl/SSHUserPrivateKeyTest.java#L154) as follow:

node {
	key = 'mykey'
	stage('Obtención de credenciales') {
		withCredentials([sshUserPrivateKey(keyFileVariable: 'THEKEY',
			passphraseVariable: 'THEPASS',
			usernameVariable: 'THEUSER', credentialsId: key)])
		{
			sh 'echo THEUSER=[$THEUSER] THEKEY=[$THEKEY] THEPASS=[$THEPASS]'
		}
	}
}

But didn't work because:

java.lang.NoSuchMethodError: No such DSL method 'sshUserPrivateKey' found among steps

Any advice is appreciated

[mbarzare]

I am using Jenkins 2.80 with a username / private key in my credentials. I am attempting to use the Credentials Binding Plugin v. 1.13 to retrieve the credentials with the sshUserPrivateKey binding and inject the results into a successive build step. My key does not have a passphrase. The following exception is what is being output in my build. Can anyone let me know if this is supported yet? My Google searches have not been promising. :(

java.lang.NullPointerException
	at hudson.EnvVars.override(EnvVars.java:132)
	at org.jenkinsci.plugins.credentialsbinding.impl.BindingStep$Overrider.expand(BindingStep.java:146)
	at org.jenkinsci.plugins.workflow.steps.EnvironmentExpander.getEffectiveEnvironment(EnvironmentExpander.java:122)
	at org.jenkinsci.plugins.workflow.support.DefaultStepContext.get(DefaultStepContext.java:66)
	at org.jenkinsci.plugins.workflow.steps.StepDescriptor.checkContextAvailability(StepDescriptor.java:258)
	at org.jenkinsci.plugins.workflow.cps.DSL.invokeStep(DSL.java:203)
	at org.jenkinsci.plugins.workflow.cps.DSL.invokeMethod(DSL.java:150)
	at org.jenkinsci.plugins.workflow.cps.CpsScript.invokeMethod(CpsScript.java:108)
	at sun.reflect.GeneratedMethodAccessor284.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:93)
	at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325)
	at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1213)
	at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1022)
	at org.codehaus.groovy.runtime.callsite.PogoMetaClassSite.call(PogoMetaClassSite.java:42)
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113)
	at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:155)
	at org.kohsuke.groovy.sandbox.GroovyInterceptor.onMethodCall(GroovyInterceptor.java:23)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:133)
	at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:153)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:157)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:127)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:127)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:127)
	at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:17)
	at WorkflowScript.run(WorkflowScript:20)
	at ___cps.transform___(Native Method)
	at com.cloudbees.groovy.cps.impl.ContinuationGroup.methodCall(ContinuationGroup.java:57)
	at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:109)
	at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixArg(FunctionCallBlock.java:82)
	at sun.reflect.GeneratedMethodAccessor233.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
	at com.cloudbees.groovy.cps.impl.ConstantBlock.eval(ConstantBlock.java:21)
	at com.cloudbees.groovy.cps.Next.step(Next.java:83)
	at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:174)
	at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:163)
	at org.codehaus.groovy.runtime.GroovyCategorySupport$ThreadCategoryInfo.use(GroovyCategorySupport.java:122)
	at org.codehaus.groovy.runtime.GroovyCategorySupport.use(GroovyCategorySupport.java:261)
	at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:163)
	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:19)
	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:35)
	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:32)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:108)
	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:32)
	at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:174)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:330)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$100(CpsThreadGroup.java:82)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:242)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:230)
	at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:64)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:112)
	at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
Finished: FAILURE

[mbarzare]

I should note that I finally discovered what I was doing wrong. To retrieve my key, I did the following in my Jenkinsfile:

withCredentials([sshUserPrivateKey(keyFileVariable: 'KEY', credentialsId: 'GITHUB_PRIVATE_KEY')]) 
{
sh 'echo GITHUB_KEY=$KEY'
}

Hope this helps someone else.

[harmanbirdi]

@mbarzare - I am trying to provide the "SSH User Private Key" that I have created globally to a promoted job. While it lets me create a "Credentials Parameter" and select "SSH Username with Private Key", and set its default value to my Global credential, when I echo it, I just see the UUID for the credentials.

How can I extract the username, and the private key from it? I have used the "SSH User Private Key" binding in the main Build section, but I need to access the same credentials to use in Promotions.

I am not sure how to use the UUID in a shell script to extract the credentials from the UUID.

Any help would be appreciated? Thanks.

[matthauck]

i think this github issue is becoming a support forum -- can we lock this issue maybe?

[kormotodor]

Sorry but is this documentation still correct according to this feature?

[jglick]

@kormotodor job-dsl hard-codes some things rather than using extension points plus @Symbol, so I would not expect it to have complete coverage.

[kormotodor]

@jglick So you mean, that it is impossible to call method "sshUserPrivateKey" from "credentialsBinding" plugin in dsl script on groovy for freestyle job? I expected exactly that behavior like when i use

job('example') {
    wrappers {
        credentialsBinding {
            file('KEYSTORE', 'keystore.jks')
        }
    }
}

just like in documentation is described.

[jglick]

@kormotodor I do not know, I do not maintain the job-dsl plugin. Please use a support forum for questions, or if you believe you have found a bug, file it under job-dsl-plugin in JIRA.