Git Credentials Binding for sh, bat, powershell

    Abstract

    This project implemented two new credential bindings to perform authenticated operations using command line git in Jenkins pipeline and freestyle jobs.

    The two credential bindings are gitSshPrivateKey and gitUsernamePassword.

    Implementation

    Type

    Feature

    Location

    The gitUsernamePassword binding is implemented in Jenkins git plugin v4.8.0. The gitSshPrivateKey binding is implemented in a pull request to the Jenkins git plugin

    Dependencies
    1. Credentials Binding Plugin- It is used to bind Git specific environment variables with shell scripts/commands which perform git authentication on behalf of the user, without their interaction with the command-line.

    2. Bouncy Castle API Plugin- Provides an API to do common tasks like PEM/PKCS#8 Encoding/Decoding and ensuring its stability among Bouncy Castle API versions.

    3. SSH Server Plugin- Provides an API to perform tasks like OpenSSH private key encoding and decoding.

    Phase 1: Git Username Password Binding (gitUsernamePassword)

    Deliverables

    • Support git authentication over the HTTP protocol

      • Use the GIT_ASKPASS environment variable to provide user credentials to command line git

    • Support different

      • OS environments: CentOS 7, CentOS 8, Debian 9, Debian 10, FreeBSD 12, OpenBSD 6.9, openSUSE 15.2, Ubuntu 18.04, Ubuntu 20.04, Ubuntu 21.04, and Windows 10.

      • Processors: amd64, arm32, arm64, and s390x.

    • Authentication support for command line git only, not JGit or JGit Apache.

      • Check for specific git versions

      • Setting git specific environment variables based on OS type

    • Automated test coverage more than 90%

    Phase 2: Git SSH Private Key Binding (gitSshPrivateKey)

    Deliverables

    • To support git authentication over the SSH protocol

    • Supports:

      • Private Key Formats

        • OpenSSH

        • PEM

        • PKCS#8

      • Encryption algorithms

        • RSA

        • DSA

        • ECDSA

        • ED25519

      • OS environments: CentOS 7, CentOS 8, Debian 9, Debian 10, FreeBSD 12, OpenBSD 6.9, openSUSE 15.3, Ubuntu 18.04, Ubuntu 20.04, Ubuntu 21.04, and Windows 10.

      • Processors: amd64, arm32, arm64, and s390x.

    • Authentication support for command line git only, not JGit or JGit Apache.

    • Use git specific environment variables depending upon the minimum git version

      • GIT_SSH_COMMAND - If the version is greater than 2.3, provides ssh command including the necessary options.

      • SSH_ASKPASS - If the version is less than 2.3, an executable script is attached to the variable.

      • Setting variables based on the OS type

    Achievements

    1. The git credential bindings which are available through the git plugin automate the git authentication process for a user effortlessly

    2. The gitUsernamePassword and gitSshPrivateKey binding provides git authentication support for Pipeline and Freestyle Project users in various OS environments on different processors

    3. The gitUsernamePassword binding has been released and is readily available from git plugin v4.8.0 and above

    4. The gitSshPrivateKey binding provides support for OpenSSH format which is default for OpenSSH v7.8 and above

    Future Work

    • SSH private key binding pull request merge and release

    Unexpected complications from Jenkins class loader required extra effort and investigation, including an experiment shading a dependency into the git plugin We intentionally chose to avoid the complication and risk of shading the dependency If the SSH library use requires shading, then we may need to use maven modules in the git plugin

    About the Author
    Harshit Chopra
    Harshit Chopra

    Harshit Chopra is an open source enthusiast from India.