    Harshit Chopra
    @arpoch
    Hi,
    @MarkEWaite, @rishabhBudhouliya, @justinharringa, I have configured my dev-env, so now I have CentOS 7.9.2009 (Core), Ubuntu 20.04 (LTS), and Windows 10 Pro (version 1909 and updating), and the git versions are 1.8.3.1, 2.25.1, and 2.26.0 respectively. I will update Ubuntu git to test for the GIT_SSH_COMMAND variable. I guess this will be all for the dev setup required for the project.
    Now coming to the SSH binding: @MarkEWaite, as we discussed in the previous meeting about the new format used by OpenSSH by default to generate the private encryption key, and using the bouncycastle API to convert the key first into PEM format and then decrypting the key if protected by a passphrase. Well, what I have learnt till now is that, to create a PEMEncodable object to be used by the bouncy-castle API, we require an object of type Key or Keypair for our case, but the ssh-credential plugin providing the SSHUserPrivateKey interface, used for SSH binding, only gives the key in string format, and it seems right as well because we do not have any knowledge about which format and encryption algorithm was used when the key was provided. So, keeping it short, we need to have bare minimum knowledge about the algorithm and format used. I have gone through the JCA API as well.
    I was also wondering if there is any mailing list or chat focused on the bouncycastle plugin or encryption/cryptography for Jenkins plugins; it would be really helpful.
    1 reply
    Harshit Chopra
    @arpoch
    @MarkEWaite - Is there a meeting today? I don't have the link for the meet; can you please share it?
    Mark Waite
    @MarkEWaite
    Meeting for git credentials binding GSoC project at https://zoom.us/j/94585783361?pwd=UnJZbTNPVlhvUUxCck9FNG5xK29QUT09
    Harshit Chopra
    @arpoch
    Thanks
    Harshit Chopra
    @arpoch
    I just wanted to share this and was hoping this could help @rishabhBudhouliya in his investigation as well: https://en.wikipedia.org/wiki/ASN.1. Here, if we look under the protocols using ASN.1, we can find both X.509 and PKCS but nothing related to SSH. Also, if I am correct, OpenSSH used the standard ASN.1 formats for private keys. Now, however, OpenSSH has its own private key format. So if we were to work on the conversion of the private key into PEM format following the ASN.1 standard, then I guess we would need to figure out how it's being done by ssh-keygen, but it's just my assumption.
    Gareth Evans
    @garethjevans
    Hi, I'm trying to update the "Branches to build" configuration for an existing job programmatically via the Jenkins CLI. I can see the config changes on disk, and the job appears to have updated when I click "Configure", but the "Git Polling Log" always shows the old branch name. From the CLI I have also tried "reload-job" & "reload-configuration" and have tried the "Reload Configuration from Disk" in the Jenkins UI without success. When I click "Build Now" it does update the branch correctly; that seems to be my only workaround. Is this expected behaviour?
    3 replies
    Harshit Chopra
    @arpoch
    @MarkEWaite, @rishabhBudhouliya, @justinharringa, good news: the username password binding for Windows is done.
    1 reply
    Rishabh Budhouliya
    @rishabhBudhouliya
    @arpoch did you try the org.bouncycastle.jcajce.spec.OpenSSHPrivateKeySpec to generate a private key?
    this bouncycastle version:
    <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcprov-jdk15on</artifactId>
        <version>1.68</version>
    </dependency>
    Mark Waite
    @MarkEWaite
    That is great news! I'm in the Zoom meeting now at https://zoom.us/j/94585783361?pwd=UnJZbTNPVlhvUUxCck9FNG5xK29QUT09
    Harshit Chopra
    @arpoch
    Joining the meeting in a moment.
    Harshit Chopra
    @arpoch
    @MarkEWaite, @rishabhBudhouliya, @justinharringa, I am currently making all the necessary changes for the first GitUsernamePassword binding PR. I have created two default environment variable bindings, i.e. Git_Username and Git_Password; these won't be visible in the pipeline snippet or modifiable by the user, just in case.
    Also, I think I have got a workaround for SSH credential binding but I am not sure about it yet; I will update when I have explored further.
    Also, for the coding phase, do I have to push the code on a daily or weekly basis?
    Rishabh Budhouliya
    @rishabhBudhouliya
    @arpoch @MarkEWaite @justinharringa please take a look at an edit I've made on the OpenSSH keys decryption experiment: https://docs.google.com/document/d/1gZneYIDWrT5S-1ACG641wfvxs7vnDC0RCYqy-EuuhwY/edit?usp=sharing
    Rishabh Budhouliya
    @rishabhBudhouliya
    @arpoch @MarkEWaite @justinharringa I think I have found a way to decode the SSH keys with passphrase and without passphrase using the sshj library
    I have tested three cases:
    • ssh-keygen -f ssh_key with and without passphrase (the user does not specify an encryption algorithm)
    • ssh-keygen -t rsa -f ssh_key
    • ssh-keygen -t ED25519 -f ssh_key
    I have been able to get the java.security.PrivateKey out of them. How do we want to consume them now?
    I was looking at the Git Client Plugin and as per my understanding we provide the file locations of ssh private key and passphrase and then let git cli talk to ssh?
    The downside is that this is obviously not the BouncyCastle API and I am not sure about our reasons to stick with BouncyCastle. sshj is the java implementation of ssh and it provides much more than just reading OpenSSH keys.
    3 replies
    Will Saxon
    @wsaxon_gitlab

    Hello, we're trying to use the Jenkins Git plugin to clone a repo. Our SCM host requires jumping through an SSH proxy, so we've provided a config file to our agent that sets a ProxyCommand for the SCM host; Jenkins doesn't let us configure a ProxyCommand any other way that I can see.

    Our proxy is an SSH host itself, so we need the SSH key for the ProxyCommand to work. We were hoping to use the SSH Agent plugin for this, but it doesn't seem to work. I wrote a wrapper script around git to dump the environment and run ssh-add -l, and I can see that the agent is set up in the environment and has our key, but e.g. the git fetch --tags ... command that Jenkins runs to fetch objects immediately fails as if the key is not present. If I set up the same scenario manually in a shell it works fine.

    Is this a supported configuration? Should I be able to use the SSH agent plugin to provide the SSH key to Jenkins Git plugin?

    3 replies
    Harshit Chopra
    @arpoch
    Created the first pull request of coding phase 1:
    jenkinsci/git-client-plugin#712
    3 replies
    Harshit Chopra
    @arpoch
    @justinharringa, @rishabhBudhouliya what are your thoughts on https://github.com/jenkinsci/git-client-plugin/pull/712#discussion_r648520322
    2 replies
    Harshit Chopra
    @arpoch
    @rishabhBudhouliya, @justinharringa, I have committed some changes based on @rishabhBudhouliya's suggestions. Now I will be working on the test cases and, if everything works as expected, will move to SSH binding by our next meeting.
    Justin Harringa
    @justinharringa:matrix.org
    Awesome news @arpoch ! I'm planning on giving these a better look in the next few days.
    Harshit Chopra
    @arpoch

    @justinharringa:matrix.org, @rishabhBudhouliya, regarding the GitTool impl, I have created this snippet:

    default String gitToolName(TaskListener listener) {
        String requiredTool = "Default";
        String actualTool = null;

        GitTool gitTool = Jenkins.get().getDescriptorByType(GitTool.DescriptorImpl.class).getInstallation(requiredTool);
        if (gitTool == null) {
            listener.getLogger().println("Selected Git installation does not exist. Using Default");
            gitTool = GitTool.getDefaultInstallation();
            actualTool = gitTool.getName();
        }
        if (actualTool != null) {
            if (actualTool.equalsIgnoreCase(requiredTool)) {
                return actualTool;
            }
        }
        try {
            gitTool = gitTool.forNode(Jenkins.get(), listener);
            actualTool = gitTool.getName();
        } catch (IOException | InterruptedException e) {
            listener.getLogger().println("Failed to get git tool");
        }

        return actualTool;
    }

    I have some concerns related to this:

    • The git tool to be used by default will be the one having the name Default, but there is no assurance that the path to the Git executable is of CLI git.
    • If there is no git tool with the name Default, then the first git tool will be used even if git CLI exists.
    • The name returned by this snippet will only be checked for jgit and jgitapache, as these two implementations will always return the same name.
    Rishabh Budhouliya
    @rishabhBudhouliya
    @arpoch if you're putting Default in GitTool gitTool = Jenkins.get().getDescriptorByType(GitTool.DescriptorImpl.class).getInstallation(requiredTool); then isn't this line essentially
    GitTool.getDefaultInstallation() ?
    I am assuming that there is a way to get the user-decided GitTool from the context where the credentials are working; if that is not the case, please feel free to correct me.
    1 reply
    Harshit Chopra
    @arpoch
    I changed the code, so now it's
    default String gitToolName(TaskListener listener) {
        String requiredToolByName = "Default";
        String actualToolByPath = null;

        GitTool gitTool = Jenkins.get().getDescriptorByType(GitTool.DescriptorImpl.class).getInstallation(requiredToolByName);
        if (gitTool == null) {
            listener.getLogger().println("Selected Git installation does not exist. Using Default");
            gitTool = GitTool.getDefaultInstallation();
        }
        if(gitTool!=null) {
            try {
                gitTool = gitTool.forNode(Jenkins.get(), listener);
                actualToolByPath = FilenameUtils.getBaseName(gitTool.getGitExe());
            } catch (IOException | InterruptedException e) {
                listener.getLogger().println("Failed to get git tool");
            }
        }

        return actualToolByPath;
    }
    Harshit Chopra
    @arpoch
    I have created a commit with a lot of changes today. Things got messy in between and, as of now, some tests are not passing; I must have missed something. I will be more careful next time, and will make the changes.
    @rishabhBudhouliya, @justinharringa:matrix.org, @MarkEWaite, I will be mailing regarding my university exam dates.
    Rishabh Budhouliya
    @rishabhBudhouliya
    @arpoch Do we have the deliverables for this coding phase defined somewhere? Can we update them according to the recent developments + anticipation of your exams so that we all know how we want to proceed?
    1 reply
    Justin Harringa
    @justinharringa
    Howdy @arpoch @rishabhBudhouliya @MarkEWaite ! I've moved the office hours meet to Jun 16th @ 7.30 AM IST - I wasn't able to edit the original invite so I created a new one
    1 reply
    Harshit Chopra
    @arpoch
    @justinharringa, @rishabhBudhouliya, @MarkEWaite, if possible, could we shift the meeting to Jun 17th @ 7:30 AM IST, or reduce the meeting time to half an hour instead of an hour?
    Justin Harringa
    @justinharringa:matrix.org
    @arpoch are you thinking just for this week or regularly?
    1 reply
    Justin Harringa
    @justinharringa:matrix.org
    Do you just have a conflict at the beginning or end? Certainly want to make sure you get the time you need. 😀
    Justin Harringa
    @justinharringa:matrix.org
    Is 30 minutes sufficient for you or would it be better to move? I can take a look at the zoom tomorrow morning my time
    Harshit Chopra
    @arpoch
    I think it would be better to move.
    Harshit Chopra
    @arpoch
    Will go with the time that suits all the mentors best.
    Justin Harringa
    @justinharringa:matrix.org
    @rishabhBudhouliya any preference?
    4 replies
    Harshit Chopra
    @arpoch
    Hey @MarkEWaite, @justinharringa:matrix.org, @rishabhBudhouliya, I found something interesting while working on the test cases code: the script permissions won't be set using chmod on Windows, so the script will have default permissions.
    Mark Waite
    @MarkEWaite
    As far as I understand it, there is no concept of execute permission on Windows. Execute permission for a batch file is based on the file name ending with a .bat suffix. Likewise for PowerShell scripts with the .ps1 suffix.
    There are some requirements for specific permissions on private key files, even on Windows, but those specific permissions are set in the git client plugin code that writes the private key file before using it.
    Harshit Chopra
    @arpoch
    Project page update: jenkins-infra/jenkins.io#4423
    Justin Harringa
    @justinharringa:matrix.org
    Hey folks I may be a few minutes late but you should be able to join if so. Hoping to make it in on time though.
    Mark Waite
    @MarkEWaite
    I should be available as well. See you then
    Harshit Chopra
    @arpoch
    @MarkEWaite , @justinharringa:matrix.org , @rishabhBudhouliya , added the help html, will be changing the image in project page as well.
    Mark Waite
    @MarkEWaite
    Thanks @arpoch . I've built a local copy of your help file addition and uploaded it to my Jenkins installation for some quick tests.
    Harshit Chopra
    @arpoch
    @MarkEWaite, @justinharringa:matrix.org, @rishabhBudhouliya, I have developed the code to solve the gitTool problem and just made a PR. Although I couldn't test using agents over SSH, I am still pretty sure that it would work. I will make the documentation changes by this week's end.
    Harshit Chopra
    @arpoch
    @rishabhBudhouliya would you like to share some insight that you gained while investigating the usage of the sshj library, or something new that you might have learned, making the git SSH binding impl more clean?
    12 replies
    Mark Waite
    @MarkEWaite
    Thanks @arpoch . I am running the git client plugin with your help addition. I've seen it. I think users will ask that a detailed example be included inside the help. I'll suggest the detailed example as part of the PR review process.
    Rishabh Budhouliya
    @rishabhBudhouliya
    @arpoch I still have to re-review your PR once (will do it during the weekend), Mark and Justin have already given great comments, would like to understand the progress made on the PR myself.
    Rishabh Budhouliya
    @rishabhBudhouliya
    @arpoch this is the reply I got from the bouncy-castle team for the question on decryption of passphrase protected openssh keys:
    I think we'd need a sample key/password. The issue sounds like it's that
    the key is encrypted - we'd need to add a separate utility class for
    doing the decryption and recovering the key spec for translation.
    
    Regards,
    
    David
    Harshit Chopra
    @arpoch
    @rishabhBudhouliya @MarkEWaite @justinharringa:matrix.org do we have a meeting today?
    Mark Waite
    @MarkEWaite
    I assume we do. Sorry, but I'm running late in another meeting.