Abstract
This project implemented two new credential bindings to perform authenticated operations using command line git in Jenkins pipeline and freestyle jobs.
The two credential bindings are gitSshPrivateKey
and gitUsernamePassword
.
Implementation
- Type
-
Feature
- Location
-
The
gitUsernamePassword
binding is implemented in Jenkins git plugin v4.8.0. ThegitSshPrivateKey
binding is implemented in a pull request to the Jenkins git plugin - Dependencies
-
-
Credentials Binding Plugin- It is used to bind Git specific environment variables with shell scripts/commands which perform git authentication on behalf of the user, without their interaction with the command-line.
-
Bouncy Castle API Plugin- Provides an API to do common tasks like PEM/PKCS#8 Encoding/Decoding and ensuring its stability among Bouncy Castle API versions.
-
SSH Server Plugin- Provides an API to perform tasks like OpenSSH private key encoding and decoding.
-
Phase 1: Git Username Password Binding (gitUsernamePassword)
Deliverables
-
Support git authentication over the HTTP protocol
-
Use the
GIT_ASKPASS
environment variable to provide user credentials to command line git
-
-
Support different
-
OS environments: CentOS 7, CentOS 8, Debian 9, Debian 10, FreeBSD 12, OpenBSD 6.9, openSUSE 15.2, Ubuntu 18.04, Ubuntu 20.04, Ubuntu 21.04, and Windows 10.
-
Processors: amd64, arm32, arm64, and s390x.
-
-
Authentication support for command line git only, not JGit or JGit Apache.
-
Check for specific git versions
-
Setting git specific environment variables based on OS type
-
-
Automated test coverage more than 90%
Phase 2: Git SSH Private Key Binding (gitSshPrivateKey)
Deliverables
-
To support git authentication over the SSH protocol
-
Supports:
-
Private Key Formats
-
OpenSSH
-
PEM
-
PKCS#8
-
-
Encryption algorithms
-
RSA
-
DSA
-
ECDSA
-
ED25519
-
-
OS environments: CentOS 7, CentOS 8, Debian 9, Debian 10, FreeBSD 12, OpenBSD 6.9, openSUSE 15.3, Ubuntu 18.04, Ubuntu 20.04, Ubuntu 21.04, and Windows 10.
-
Processors: amd64, arm32, arm64, and s390x.
-
-
Authentication support for command line git only, not JGit or JGit Apache.
-
Use git specific environment variables depending upon the minimum git version
-
GIT_SSH_COMMAND
- If the version is greater than 2.3, provides ssh command including the necessary options. -
SSH_ASKPASS
- If the version is less than 2.3, an executable script is attached to the variable. -
Setting variables based on the OS type
-
Achievements
-
The git credential bindings which are available through the git plugin automate the git authentication process for a user effortlessly
-
The
gitUsernamePassword
andgitSshPrivateKey
binding provides git authentication support for Pipeline and Freestyle Project users in various OS environments on different processors -
The
gitUsernamePassword
binding has been released and is readily available from git plugin v4.8.0 and above -
The
gitSshPrivateKey
binding provides support for OpenSSH format which is default for OpenSSH v7.8 and above
Future Work
-
SSH private key binding pull request merge and release
Unexpected complications from Jenkins class loader required extra effort and investigation, including an experiment shading a dependency into the git plugin We intentionally chose to avoid the complication and risk of shading the dependency If the SSH library use requires shading, then we may need to use maven modules in the git plugin