Abstract
This project implemented two new credential bindings to perform authenticated operations using command line git in Jenkins pipeline and freestyle jobs.
The two credential bindings are gitSshPrivateKey and gitUsernamePassword.
Implementation
- Type: Feature
- Location: The gitUsernamePassword binding is implemented in Jenkins git plugin v4.8.0. The gitSshPrivateKey binding is implemented in a pull request to the Jenkins git plugin.
- Dependencies:
  - Credentials Binding Plugin: It is used to bind Git specific environment variables with shell scripts/commands which perform git authentication on behalf of the user, without their interaction with the command-line.
  - Bouncy Castle API Plugin: Provides an API to do common tasks like PEM/PKCS#8 Encoding/Decoding and ensuring its stability among Bouncy Castle API versions.
  - SSH Server Plugin: Provides an API to perform tasks like OpenSSH private key encoding and decoding.
Phase 1: Git Username Password Binding (gitUsernamePassword)
Deliverables
- Support git authentication over the HTTP protocol
- Use the GIT_ASKPASS environment variable to provide user credentials to command line git
- Support different
  - OS environments: CentOS 7, CentOS 8, Debian 9, Debian 10, FreeBSD 12, OpenBSD 6.9, openSUSE 15.2, Ubuntu 18.04, Ubuntu 20.04, Ubuntu 21.04, and Windows 10.
  - Processors: amd64, arm32, arm64, and s390x.
- Authentication support for command line git only, not JGit or JGit Apache.
- Check for specific git versions
- Setting git specific environment variables based on OS type
- Automated test coverage more than 90%
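How the GIT_ASKPASS deliverable works at the shell level, as an added example that is not the git plugin's own code: command line git runs the program named in GIT_ASKPASS with the prompt text as its argument and reads the answer from stdout. The names EXAMPLE_GIT_USER, EXAMPLE_GIT_PASS, make_askpass and with_git_credentials, and the URL in the usage comment, are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not the Jenkins git plugin's code).
# Assumed names: EXAMPLE_GIT_USER / EXAMPLE_GIT_PASS hold the credential and
# must be exported by the caller; nothing secret is written to disk.

# Create the helper git will invoke as: "$GIT_ASKPASS" "<prompt text>".
# git's prompts look like "Username for 'https://host': " and
# "Password for 'https://user@host': "; the helper answers on stdout.
make_askpass() {
    # mktemp creates the file with owner-only permissions.
    helper=$(mktemp "${TMPDIR:-/tmp}/askpass.XXXXXX") || return 1
    cat > "$helper" <<'EOF'
#!/bin/sh
# The quoted heredoc keeps the variable names literal: the helper reads the
# values from its environment at run time instead of embedding them.
case "$1" in
    [Uu]sername*) printf '%s\n' "$EXAMPLE_GIT_USER" ;;
    [Pp]assword*) printf '%s\n' "$EXAMPLE_GIT_PASS" ;;
    *) exit 1 ;;   # unknown prompt: refuse rather than leak a value
esac
EOF
    chmod 700 "$helper"
    printf '%s\n' "$helper"
}

# Run one command with the helper in place, then delete the helper.
# GIT_TERMINAL_PROMPT=0 makes git fail instead of waiting on a terminal
# if the helper cannot answer (unattended build agents have no TTY).
with_git_credentials() {
    askpass=$(make_askpass) || return 1
    rc=0
    env GIT_ASKPASS="$askpass" GIT_TERMINAL_PROMPT=0 "$@" || rc=$?
    rm -f "$askpass"
    return "$rc"
}

# Usage (constructed URL):
#   export EXAMPLE_GIT_USER EXAMPLE_GIT_PASS
#   with_git_credentials git ls-remote https://git.example.com/org/repo.git
```

Because the credential never appears in the remote URL or on the git command line, it stays out of the process list and out of .git/config.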
Phase 2: Git SSH Private Key Binding (gitSshPrivateKey)
Deliverables
- To support git authentication over the SSH protocol
- Supports:
  - Private Key Formats
    - OpenSSH
    - PEM
    - PKCS#8
  - Encryption algorithms
    - RSA
    - DSA
    - ECDSA
    - ED25519
  - OS environments: CentOS 7, CentOS 8, Debian 9, Debian 10, FreeBSD 12, OpenBSD 6.9, openSUSE 15.3, Ubuntu 18.04, Ubuntu 20.04, Ubuntu 21.04, and Windows 10.
  - Processors: amd64, arm32, arm64, and s390x.
- Authentication support for command line git only, not JGit or JGit Apache.
- Use git specific environment variables depending upon the minimum git version
  - GIT_SSH_COMMAND - If the version is greater than 2.3, provides ssh command including the necessary options.
  - SSH_ASKPASS - If the version is less than 2.3, an executable script is attached to the variable.
- Setting variables based on the OS type
Achievements
- The git credential bindings which are available through the git plugin automate the git authentication process for a user effortlessly
- The gitUsernamePassword and gitSshPrivateKey bindings provide git authentication support for Pipeline and Freestyle Project users in various OS environments on different processors
- The gitUsernamePassword binding has been released and is readily available from git plugin v4.8.0 and above
- The gitSshPrivateKey binding provides support for OpenSSH format which is default for OpenSSH v7.8 and above
Future Work
- SSH private key binding pull request merge and release
- Unexpected complications from Jenkins class loader required extra effort and investigation, including an experiment shading a dependency into the git plugin. We intentionally chose to avoid the complication and risk of shading the dependency. If the SSH library use requires shading, then we may need to use maven modules in the git plugin.