    Rishabh Budhouliya
    @rishabhBudhouliya
    @arpoch @MarkEWaite @justinharringa please take a look at an edit I've made on the OpenSSH keys decryption experiment: https://docs.google.com/document/d/1gZneYIDWrT5S-1ACG641wfvxs7vnDC0RCYqy-EuuhwY/edit?usp=sharing
    Rishabh Budhouliya
    @rishabhBudhouliya
    @arpoch @MarkEWaite @justinharringa I think I have found a way to decode the SSH keys with passphrase and without passphrase using the sshj library
    I have tested three cases:
    • ssh-keygen -f ssh_key with and without passphrase (the user does not specify an encryption algorithm)
    • ssh-keygen -t rsa -f ssh_key
    • ssh-keygen -t ED25519 -f ssh_key
    I have been able to get the java.security.PrivateKey out of them. How do we want to consume them now?
    I was looking at the Git Client Plugin and as per my understanding we provide the file locations of ssh private key and passphrase and then let git cli talk to ssh?
    The downside is that this is obviously not the BouncyCastle API and I am not sure about our reasons to stick with BouncyCastle. sshj is the java implementation of ssh and it provides much more than just reading OpenSSH keys.
    3 replies
    Will Saxon
    @wsaxon_gitlab

    Hello, we're trying to use the Jenkins Git plugin to clone a repo. Our SCM host requires jumping through an SSH proxy, so we've provided a config file to our agent that sets a ProxyCommand for the SCM host; Jenkins doesn't let us configure a ProxyCommand any other way that I can see.

    Our proxy is an SSH host itself, so we need the SSH key for the ProxyCommand to work. We were hoping to use the SSH Agent plugin for this, but it doesn't seem to work. I wrote a wrapper script around git to dump the environment and run ssh-add -l, and I can see that the agent is set up in the environment and has our key, but e.g. the git fetch --tags ... command that Jenkins runs to fetch objects immediately fails as if the key is not present. If I set up the same scenario manually in a shell it works fine.

    Is this a supported configuration? Should I be able to use the SSH agent plugin to provide the SSH key to Jenkins Git plugin?

    3 replies
    Harshit Chopra
    @arpoch
    Create the first pull request of the coding phase 1-
    jenkinsci/git-client-plugin#712
    3 replies
    Harshit Chopra
    @arpoch
    @justinharringa, @rishabhBudhouliya what are your thoughts on https://github.com/jenkinsci/git-client-plugin/pull/712#discussion_r648520322
    2 replies
    Harshit Chopra
    @arpoch
    @rishabhBudhouliya, @justinharringa, I have committed some changes based on @rishabhBudhouliya's suggestions. Now I will be working on the test cases and, if everything works as expected, will move to SSH binding by our next meeting.
    Justin Harringa
    @justinharringa:matrix.org
    Awesome news @arpoch ! I'm planning on giving these a better look in the next few days.
    Harshit Chopra
    @arpoch

    @justinharringa:matrix.org , @rishabhBudhouliya , regarding the GitTool impl, I have created this snippet

    default String gitToolName(TaskListener listener) {
        String requiredTool = "Default";
        String actualTool = null;

        GitTool gitTool = Jenkins.get().getDescriptorByType(GitTool.DescriptorImpl.class).getInstallation(requiredTool);
        if (gitTool == null) {
            listener.getLogger().println("Selected Git installation does not exist. Using Default");
            gitTool = GitTool.getDefaultInstallation();
            actualTool = gitTool.getName();
        }
        if (actualTool != null) {
            if (actualTool.equalsIgnoreCase(requiredTool)) {
                return actualTool;
            }
        }
        try {
            gitTool = gitTool.forNode(Jenkins.get(), listener);
            actualTool = gitTool.getName();
        } catch (IOException | InterruptedException e) {
            listener.getLogger().println("Failed to get git tool");
        }

        return actualTool;
    }

    I have some concerns related to this-

    • The git tool to be used by default will be the one having the name Default, but there is no assurance that the path to the Git executable is of cli git.
    • If there is no git tool with the name Default, then the first git tool will be used even if git cli exists.
    • The name returned by this snippet will only be checked for jgit and jgitapache, as these two implementations will always return same name.
    Rishabh Budhouliya
    @rishabhBudhouliya
    @arpoch if you're putting Default in GitTool gitTool = Jenkins.get().getDescriptorByType(GitTool.DescriptorImpl.class).getInstallation(requiredTool); then isn't this line essentially
    GitTool.getDefaultInstallation() ?
    I am assuming that there is a way to get the user-decided GitTool from the context where the credentials are working; if that is not the case, please feel free to correct me.
    1 reply
    Harshit Chopra
    @arpoch
    I changed the code, so now it's
    default String gitToolName(TaskListener listener) {
        String requiredToolByName = "Default";
        String actualToolByPath = null;

        GitTool gitTool = Jenkins.get().getDescriptorByType(GitTool.DescriptorImpl.class).getInstallation(requiredToolByName);
        if (gitTool == null) {
            listener.getLogger().println("Selected Git installation does not exist. Using Default");
            gitTool = GitTool.getDefaultInstallation();
        }
        if (gitTool != null) {
            try {
                gitTool = gitTool.forNode(Jenkins.get(), listener);
                actualToolByPath = FilenameUtils.getBaseName(gitTool.getGitExe());
            } catch (IOException | InterruptedException e) {
                listener.getLogger().println("Failed to get git tool");
            }
        }

        return actualToolByPath;
    }
    Harshit Chopra
    @arpoch
    I have created a commit regarding a lot of changes today. Things got messy in between and as of now some tests are not passing. I must have missed something, will be more careful next time. And will make the changes.
    @rishabhBudhouliya, @justinharringa:matrix.org , @MarkEWaite , I will be mailing regarding my University exam dates.
    Rishabh Budhouliya
    @rishabhBudhouliya
    @arpoch Do we have the deliverables for this coding phase defined somewhere? Can we update them according to the recent developments + anticipation of your exams so that we all know how we want to proceed?
    1 reply
    Justin Harringa
    @justinharringa
    Howdy @arpoch @rishabhBudhouliya @MarkEWaite ! I've moved the office hours meet to Jun 16th @ 7.30 AM IST - I wasn't able to edit the original invite so I created a new one
    1 reply
    Harshit Chopra
    @arpoch
    @justinharringa , @rishabhBudhouliya , @MarkEWaite, if possible we shift the meeting to Jun 17th @ 7:30 AM IST or could reduce the meeting time to half hour instead of an hour?
    Justin Harringa
    @justinharringa:matrix.org
    @arpoch are you thinking just for this week or regularly?
    1 reply
    Justin Harringa
    @justinharringa:matrix.org
    Do you just have a conflict at the beginning or end? Certainly want to make sure you get the time you need. 😀
    Justin Harringa
    @justinharringa:matrix.org
    Is 30 minutes sufficient for you or would it be better to move? I can take a look at the zoom tomorrow morning my time
    Harshit Chopra
    @arpoch
    I think it would be better to move.
    Harshit Chopra
    @arpoch
    Will go with the time that suits all the mentors best.
    Justin Harringa
    @justinharringa:matrix.org
    @rishabhBudhouliya any preference?
    4 replies
    Harshit Chopra
    @arpoch
    Hey @MarkEWaite , @justinharringa:matrix.org , @rishabhBudhouliya, found something interesting while working on the test case code: the script permissions won't be set using chmod on Windows, so the script will have default permissions.
    Mark Waite
    @MarkEWaite
    As far as I understand it, there is no concept of execute permission on Windows. Execute permission for a batch file is based on the file name ending with a .bat suffix. Likewise for PowerShell scripts with the .ps1 suffix.
    There are some requirements for specific permissions on private key files, even on Windows, but those specific permissions are set in the git client plugin code that writes the private key file before using it
    Harshit Chopra
    @arpoch
    Project page update: jenkins-infra/jenkins.io#4423
    Justin Harringa
    @justinharringa:matrix.org
    Hey folks I may be a few minutes late but you should be able to join if so. Hoping to make it in on time though.
    Mark Waite
    @MarkEWaite
    I should be available as well. See you then
    Harshit Chopra
    @arpoch
    @MarkEWaite , @justinharringa:matrix.org , @rishabhBudhouliya , added the help html, will be changing the image in project page as well.
    Mark Waite
    @MarkEWaite
    Thanks @arpoch . I've built a local copy of your help file addition and uploaded it to my Jenkins installation for some quick tests.
    Harshit Chopra
    @arpoch
    @MarkEWaite , @justinharringa:matrix.org , @rishabhBudhouliya, I have developed the code to solve the gitTool problem, just made a PR, although couldn't test using agents over ssh, but still pretty sure that it would work. I will make the documentation changes by this week's end.
    Harshit Chopra
    @arpoch
    @rishabhBudhouliya would you like to share some insight, that you gained while investigating the usage of sshj library or something new that you might have learned, making git ssh binding impl more clean.
    12 replies
    Mark Waite
    @MarkEWaite
    Thanks @arpoch . I am running the git client plugin with your help addition. I've seen it. I think users will ask that a detailed example be included inside the help. I'll suggest the detailed example as part of the PR review process.
    Rishabh Budhouliya
    @rishabhBudhouliya
    @arpoch I still have to re-review your PR once (will do it during the weekend), Mark and Justin have already given great comments, would like to understand the progress made on the PR myself.
    Rishabh Budhouliya
    @rishabhBudhouliya
    @arpoch this is the reply I got from the bouncy-castle team for the question on decryption of passphrase protected openssh keys:
    I think we'd need a sample key/password. The issue sounds like it's that
    the key is encrypted - we'd need to add a separate utility class for
    doing the decryption and recovering the key spec for translation.
    
    Regards,
    
    David
    Harshit Chopra
    @arpoch
    @rishabhBudhouliya @MarkEWaite @justinharringa:matrix.org do we have a meeting today?
    Mark Waite
    @MarkEWaite
    I assume we do. Sorry, but I'm running late in another meeting.
    Harshit Chopra
    @arpoch
    I thought it was scheduled for every Wednesday
    Mark Waite
    @MarkEWaite
    That may be correct. Sorry, I may have failed to remove from the calendar
    If Rishabh and Justin aren't in the meeting, then let's assume it is every Wednesday as you thought it was. I'll remove the Tuesday meeting from the Jenkins calendar
    Rishabh Budhouliya
    @rishabhBudhouliya
    @arpoch @MarkEWaite I saw the invite but I assumed we are defaulting to the Wednesday office hours
    Justin Harringa
    @justinharringa:matrix.org
    Wednesday works for everyone at the currently scheduled time? I believe Harshit had perhaps another conflict but maybe only one?
    Mark Waite
    @MarkEWaite
    Wednesday works for me at the currently scheduled time
    Harshit Chopra
    @arpoch
    @MarkEWaite, I tested the freestyle project with and without parameter expression using command git fetch --all, it worked as expected, no issues. Will check my config.xml with the one you sent.
    Mark Waite
    @MarkEWaite
    Very interesting @arpoch . I assume that the repository you were using in your test was a private repository and that if you remove the credentials binding, then the git fetch --all fails. I'll need to explore further after my working day today.
    Rishabh Budhouliya
    @rishabhBudhouliya
    @arpoch will you be presenting the GSoC project in the summit tomorrow?
    Harshit Chopra
    @arpoch
    I added my name under ignite talks, I will be showing a small demo of git username and password binding.
    Harshit Chopra
    @arpoch
    @MarkEWaite, @rishabhBudhouliya , @justinharringa:matrix.org, should credential storage be a concern as credentials will be locally cached if credential.helper is set to store or cache on the system, as mentioned here.
    Harshit Chopra
    @arpoch
    From my point of view I think it could be a concern, because if a user performs a git checkout using credentials and then performs batch/shell build step to perform git fetch --all then it will work even if not using git credential binding, I missed this case since I was not storing my credentials.