com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey Java Examples
The following examples show how to use
com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey.
Example #1
Source File: SSHCredentialsTest.java From configuration-as-code-plugin with MIT License | 6 votes |
/**
 * Regression test for SECURITY-1279: the secrets configured by SSHCredentialsTest.yml must be
 * readable from the loaded credential objects, but must not appear in the inspected log or in
 * the exported YAML.
 */
@Test
@ConfiguredWithCode("SSHCredentialsTest.yml")
@Issue("SECURITY-1279")
public void shouldNotExportOrLogCredentials() throws Exception {
    // Username/password credential: the value is loaded correctly and is absent from the log.
    StandardUsernamePasswordCredentials userPass =
            getCredentials(StandardUsernamePasswordCredentials.class);
    assertEquals(CREDENTIALS_PASSWORD, userPass.getPassword().getPlainText());
    assertNotInLog(logging, CREDENTIALS_PASSWORD);

    // SSH key credential.
    BasicSSHUserPrivateKey sshKey = getCredentials(BasicSSHUserPrivateKey.class);
    // JENKINS-50181 made getPrivateKey always append a trailing newline.
    final String expectedKey = PRIVATE_KEY + "\n";
    assertEquals(expectedKey, sshKey.getPrivateKey());
    assertNotInLog(logging, PRIVATE_KEY);

    // Neither secret may survive into the exported configuration.
    final String yaml = j.exportToString(false);
    assertThat("There should be no password in the exported YAML",
            yaml, not(containsString(CREDENTIALS_PASSWORD)));
    assertThat("There should be no private key in the exported YAML",
            yaml, not(containsString(PRIVATE_KEY)));
}
Example #2
Source File: CredentialsTest.java From configuration-as-code-plugin with MIT License | 6 votes |
/**
 * Checks that GlobalCredentials.yml produces exactly one username/password credential and one
 * SSH private-key credential, each carrying the configured field values.
 */
@ConfiguredWithCode("GlobalCredentials.yml")
@Test
public void testGlobalScopedCredentials() {
    // Username/password credential.
    List<StandardUsernamePasswordCredentials> userPassList = CredentialsProvider.lookupCredentials(
            StandardUsernamePasswordCredentials.class, Jenkins.getInstanceOrNull(), null,
            Collections.emptyList());
    assertThat(userPassList.size(), is(1));
    StandardUsernamePasswordCredentials userPass = userPassList.get(0);
    assertEquals("user1", userPass.getId());
    assertEquals("Administrator", userPass.getUsername());
    assertEquals("secretPassword", userPass.getPassword().getPlainText());

    // SSH private-key credential.
    List<BasicSSHUserPrivateKey> sshKeyList = CredentialsProvider.lookupCredentials(
            BasicSSHUserPrivateKey.class, Jenkins.getInstanceOrNull(), null,
            Collections.emptyList());
    assertThat(sshKeyList.size(), is(1));
    BasicSSHUserPrivateKey sshKey = sshKeyList.get(0);
    assertEquals("agentuser", sshKey.getUsername());
    assertEquals("password", sshKey.getPassphrase().getPlainText());
    assertEquals("ssh private key used to connect ssh slaves", sshKey.getDescription());

    // The key source must hold exactly the one directly-entered key from the fixture.
    assertThat(sshKey.getPrivateKeySource().getPrivateKeys().size(), is(1));
    String firstKey = sshKey.getPrivateKeySource().getPrivateKeys().get(0);
    assertThat(firstKey, is("sp0ds9d+skkfjf"));
}
Example #3
Source File: TopReadmeTest.java From configuration-as-code-plugin with MIT License | 6 votes |
/**
 * Applies the first code block of README.md and checks the resulting Jenkins state: system
 * message, LDAP security realm, agent port, the static agent, the Git tool installation and the
 * SSH private-key credential with its passphrase.
 */
@Test
@ConfiguredWithReadme("README.md#0")
public void configure_demo_first_code_block() throws Exception {
    final Jenkins jenkins = Jenkins.get();
    assertEquals("Jenkins configured automatically by Jenkins Configuration as Code plugin\n\n",
            jenkins.getSystemMessage());

    // Security realm and agent settings.
    final LDAPSecurityRealm ldapRealm = (LDAPSecurityRealm) jenkins.getSecurityRealm();
    assertEquals(1, ldapRealm.getConfigurations().size());
    assertEquals(50000, jenkins.getSlaveAgentPort());
    assertEquals(1, jenkins.getNodes().size());
    assertEquals("static-agent", jenkins.getNode("static-agent").getNodeName());

    // Tool installations.
    final GitTool.DescriptorImpl gitDescriptor =
            (GitTool.DescriptorImpl) jenkins.getDescriptor(GitTool.class);
    assertEquals(1, gitDescriptor.getInstallations().length);

    // SSH credential: looked up with ACL.SYSTEM, then passphrase and key are read back.
    List<BasicSSHUserPrivateKey> sshKeys = CredentialsProvider.lookupCredentials(
            BasicSSHUserPrivateKey.class, jenkins, ACL.SYSTEM, Collections.emptyList());
    assertThat(sshKeys, hasSize(1));
    final BasicSSHUserPrivateKey sshWithPassphrase = sshKeys.get(0);
    assertThat(sshWithPassphrase.getPassphrase().getPlainText(), equalTo("ABCD"));

    final DirectEntryPrivateKeySource keySource =
            (DirectEntryPrivateKeySource) sshWithPassphrase.getPrivateKeySource();
    assertThat(keySource.getPrivateKey().getPlainText(), equalTo("s3cr3t"));
}
Example #4
Source File: GitReadSaveTest.java From blueocean-plugin with MIT License | 6 votes |
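/**
 * Lazily starts the test SSH server that serves {@code repoForSSH}; does nothing when
 * {@code sshd} is already set.
 *
 * <p>The public key handed to the server is derived from the private key that
 * {@code UserSSHKeyManager.getOrCreate} returns for the chosen user, and is passed in a map
 * keyed by {@code "bob"}.
 *
 * @param u user whose key is used; when {@code null}, the result of {@code login()} is used
 * @throws Exception if the key cannot be loaded, the host-key file cannot be prepared, or the
 *     server fails to start
 */
private void startSSH(@Nullable User u) throws Exception {
    if (sshd != null) {
        return;
    }
    // Set up an SSH server with access to a git repo
    final User user = (u == null) ? login() : u;

    final BasicSSHUserPrivateKey key = UserSSHKeyManager.getOrCreate(user);
    final JSch jsch = new JSch();
    // Encode with a fixed charset instead of the platform default, so the key bytes handed to
    // JSch are the same on every host.
    final KeyPair pair = KeyPair.load(
            jsch, key.getPrivateKey().getBytes(java.nio.charset.StandardCharsets.UTF_8), null);

    // Create a temporary host-key file only when no path was supplied, so a configured
    // TEST_SSH_SERVER_KEY_FILE does not leave a stray temp file behind on every call.
    String keyFilePath = System.getProperty("TEST_SSH_SERVER_KEY_FILE");
    if (keyFilePath == null) {
        keyFilePath = File.createTempFile("hostkey", "ser").getCanonicalPath();
    }
    File keyFile = new File(keyFilePath);

    int port = Integer.parseInt(System.getProperty("TEST_SSH_SERVER_PORT", "0"));
    boolean allowLocalUser = Boolean.getBoolean("TEST_SSH_SERVER_ALLOW_LOCAL");
    String userPublicKey = Base64.encode(pair.getPublicKeyBlob());

    sshd = new SSHServer(repoForSSH.getRoot(), keyFile, port, allowLocalUser,
            ImmutableMap.of("bob", userPublicKey), true);
    // Go, go, go
    sshd.start();
}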
Example #5
Source File: ContainerExecDecoratorPipelineTest.java From kubernetes-plugin with Apache License 2.0 | 6 votes |
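/**
 * Registers an SSH key credential with a passphrase, runs the pipeline job, and checks that the
 * key was loaded into ssh-agent while the passphrase never reached the build log.
 *
 * @throws Exception if the key resource cannot be read or the build cannot be run
 */
@Issue({ "JENKINS-47225", "JENKINS-42582" })
@Test
public void sshagent() throws Exception {
    // Read the test key with an explicit charset and close the resource stream afterwards;
    // the stream was previously left open and decoded with the platform default charset.
    final String privateKeyText;
    try (java.io.InputStream keyStream = getClass().getResourceAsStream("id_rsa")) {
        privateKeyText = new String(
                IOUtils.toByteArray(keyStream), java.nio.charset.StandardCharsets.UTF_8);
    }
    PrivateKeySource source = new BasicSSHUserPrivateKey.DirectEntryPrivateKeySource(privateKeyText);
    BasicSSHUserPrivateKey credentials = new BasicSSHUserPrivateKey(CredentialsScope.GLOBAL,
            "ContainerExecDecoratorPipelineTest-sshagent", "bob", source, "secret_passphrase",
            "test credentials");
    SystemCredentialsProvider.getInstance().getCredentials().add(credentials);

    assertNotNull(createJobThenScheduleRun());
    r.waitForCompletion(b);
    r.assertLogContains("Identity added:", b);
    // Assert that the ssh-agent provided envVar is now properly contributed and set.
    r.assertLogContains("SSH_AGENT_PID=", b);
    // Assert that our private key was loaded and is visible within the ssh-agent scope
    // (only the public half is expected in the log).
    r.assertLogContains("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDhvmTBXRnSbtpnkt/Ldw7ws4LFdoX9oI+5NexgpBC4Otqbn8+Ui6FGWeYflOQUcl3rgmBxsHIeFnPr9qSvgME1TWPIyHSQh2kPMd3NQgkEvioBxghnWRy7sal4KBr2P8m7Iusm8j0aCNLZ3nYjJSywWZxiqqrcpnhFuTD//FPIEhXOu2sk2FEP7YsA9TdL8mAruxy/6Ys2pRC2dQhBtmkEOyEGiBnk3ioT5iCw/Qqe+pU0yaYu69vPyAFCuazBMopPcOuRxFgKvrfCPVqcQb3HERJh5eiW5+5Vg3RwoByQUtQMK5PDBVWPo9srB0Q9Aw9DXmeJCgdtFJqhhh4SR+al /home/jenkins/agent/workspace/sshagent@tmp/private_key", b);
    // Check that we don't accidentally start exporting sensitive info to the log.
    r.assertLogNotContains("secret_passphrase", b);
}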
Example #6
Source File: GitUtils.java From blueocean-plugin with MIT License | 5 votes |
/**
 * Attaches the given credential to a transport command.
 *
 * <p>An SSH private key on an SSH repository URL is installed through a transport config
 * callback. Any other non-null credential (including an SSH key on a non-SSH URL) is handed to
 * a {@code SmartCredentialsProvider}. A {@code null} credential leaves the command untouched.
 *
 * @param repo repo to test for url
 * @param command command that needs credentials
 * @param credential credential to use, may be {@code null}
 */
private static void addCredential(Repository repo, TransportCommand command, StandardCredentials credential) {
    final boolean useSshKey = isSshUrl(repo) && credential instanceof BasicSSHUserPrivateKey;
    if (useSshKey) {
        command.setTransportConfigCallback(getSSHKeyTransport((BasicSSHUserPrivateKey) credential));
        return;
    }
    if (credential == null) {
        // Nothing to configure.
        return;
    }
    SmartCredentialsProvider provider = new SmartCredentialsProvider(null);
    provider.addDefaultCredentials(credential);
    command.setCredentialsProvider(provider);
}
Example #7
Source File: UserSSHKeyManager.java From blueocean-plugin with MIT License | 5 votes |
/**
 * Returns the user's generated SSH key, creating and persisting one in the user's credential
 * store when none exists yet.
 *
 * <p>A newly created key is stored with {@code CredentialsScope.USER} and a {@code null}
 * passphrase argument.
 *
 * @param user owner of the key
 * @return the user's personal private key
 * @throws ServiceException.ForbiddenException if the user has no writable credentials store
 * @throws ServiceException.UnexpectedErrorException if creating or saving the key fails with an
 *     {@code IOException}
 */
public static @Nonnull BasicSSHUserPrivateKey getOrCreate(@Nonnull User user) {
    Preconditions.checkNotNull(user);

    final CredentialsStore store = getUserStore(user);
    if (store == null) {
        throw new ServiceException.ForbiddenException(String.format("Logged in user: %s doesn't have writable credentials store", user.getId()));
    }

    // Reuse an existing generated key when the store already holds one.
    for (Credentials candidate : store.getCredentials(getDomain(store))) {
        if (!(candidate instanceof BasicSSHUserPrivateKey)) {
            continue;
        }
        final BasicSSHUserPrivateKey existing = (BasicSSHUserPrivateKey) candidate;
        if (BLUEOCEAN_GENERATED_SSH_KEY_ID.equals(existing.getId())) {
            return existing;
        }
    }

    // None found: generate a key, add it to the store and persist the store.
    try {
        final String generated = SSHKeyUtils.generateKey(KEY_SIZE).trim();
        final BasicSSHUserPrivateKey.DirectEntryPrivateKeySource generatedSource =
                new BasicSSHUserPrivateKey.DirectEntryPrivateKeySource(generated);
        final BasicSSHUserPrivateKey created = new BasicSSHUserPrivateKey(
                CredentialsScope.USER,
                BLUEOCEAN_GENERATED_SSH_KEY_ID,
                user.getId(),
                generatedSource,
                null,
                BLUEOCEAN_GENERATED_SSH_KEY_ID);
        store.addCredentials(getDomain(store), created);
        store.save();
        return created;
    } catch (IOException ex) {
        throw new ServiceException.UnexpectedErrorException("Failed to create the private key", ex);
    }
}
Example #8
Source File: UserSSHKeyManager.java From blueocean-plugin with MIT License | 5 votes |
/**
 * Derives a readable SSH-compatible public key, suitable for pasting elsewhere, from the given
 * private key. Only the derived public key and the credential id are placed in the result.
 *
 * @param user the user whose id is used to build the key comment
 * @param key the private key to derive the public key from
 * @return the credential id together with the trimmed public key text
 */
public static @Nonnull UserKey getPublicKey(@Nonnull User user, @Nonnull BasicSSHUserPrivateKey key) {
    Preconditions.checkNotNull(user);
    Preconditions.checkNotNull(key);

    final String privateKeyText = key.getPrivateKey();
    final String publicKeyText =
            SSHKeyUtils.getPublicKey(privateKeyText, getKeyComment(user.getId())).trim();
    return new UserKey(key.getId(), publicKeyText);
}
Example #9
Source File: UserSSHKeyManager.java From blueocean-plugin with MIT License | 5 votes |
/**
 * Resets the user's generated key by removing it from the user's credential store, if present,
 * and saving the store. This method itself does not generate a replacement key.
 *
 * @param user user to reset a key for
 * @throws ServiceException.ForbiddenException if the user has no writable credentials store
 * @throws ServiceException.UnexpectedErrorException if removing or saving fails with an
 *     {@code IOException}
 */
public static void reset(@Nonnull User user) {
    Preconditions.checkNotNull(user);
    try {
        final CredentialsStore store = getUserStore(user);
        if (store == null) {
            throw new ServiceException.ForbiddenException(String.format("Logged in user: %s doesn't have writable credentials store", user.getId()));
        }

        // Locate the first credential that is the generated SSH key.
        Credentials generatedKey = null;
        for (Credentials candidate : store.getCredentials(getDomain(store))) {
            if (candidate instanceof BasicSSHUserPrivateKey
                    && BLUEOCEAN_GENERATED_SSH_KEY_ID.equals(((BasicSSHUserPrivateKey) candidate).getId())) {
                generatedKey = candidate;
                break;
            }
        }

        // Nothing is removed or saved when no generated key exists.
        if (generatedKey != null) {
            store.removeCredentials(getDomain(store), generatedKey);
            store.save();
        }
    } catch (IOException ex) {
        throw new ServiceException.UnexpectedErrorException("Unable to reset the user's key", ex);
    }
}
Example #10
Source File: GitHubSCMBuilderTest.java From github-branch-source-plugin with MIT License | 5 votes |
/**
 * Creates the multibranch project under test and replaces the system credentials map with two
 * fixture credentials in the global domain: a username/password pair and an SSH key credential
 * backed by {@code UsersPrivateKeySource}.
 *
 * @throws IOException if the project cannot be created or the credentials cannot be stored
 */
@Before
public void setUp() throws IOException {
    owner = j.createProject(WorkflowMultiBranchProject.class);

    // Fixture values only.
    final Credentials passwordCredential = new UsernamePasswordCredentialsImpl(
            CredentialsScope.GLOBAL, "user-pass", null, "git-user", "git-secret");
    final Credentials keyCredential = new BasicSSHUserPrivateKey(
            CredentialsScope.GLOBAL, "user-key", "git",
            new BasicSSHUserPrivateKey.UsersPrivateKeySource(), null, null);

    SystemCredentialsProvider.getInstance().setDomainCredentialsMap(
            Collections.singletonMap(Domain.global(), Arrays.asList(passwordCredential, keyCredential)));
}
Example #11
Source File: CredentialsTest.java From git-client-plugin with MIT License | 5 votes |
/**
 * Builds a globally scoped SSH key credential from a private key file, using this instance's
 * {@code passphrase} (which may be {@code null}).
 *
 * @param username user name stored in the credential
 * @param privateKey file whose UTF-8 content becomes the directly-entered private key
 * @return the new credential
 * @throws IOException if the key file cannot be read
 */
private BasicSSHUserPrivateKey newPrivateKeyCredential(String username, File privateKey) throws IOException {
    final CredentialsScope globalScope = CredentialsScope.GLOBAL;
    // The id combines the file path with a value from the shared random source.
    final String credentialId = "private-key-" + privateKey.getPath() + random.nextInt();

    final String keyText = Files.toString(privateKey, Charset.forName("UTF-8"));
    final BasicSSHUserPrivateKey.PrivateKeySource keySource =
            new BasicSSHUserPrivateKey.DirectEntryPrivateKeySource(keyText);

    // NOTE(review): the passphrase is copied verbatim into the description, which is a plain
    // descriptive string rather than a protected secret field. Tolerable for throwaway test
    // keys; not a pattern to reuse for real credentials.
    final String baseDescription = "private key from " + privateKey.getPath();
    final String description = (this.passphrase == null)
            ? baseDescription
            : baseDescription + " passphrase '" + this.passphrase + "'";

    return new BasicSSHUserPrivateKey(
            globalScope, credentialId, username, keySource, this.passphrase, description);
}
Example #12
Source File: SystemCredentialsTest.java From configuration-as-code-plugin with MIT License | 4 votes |
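/**
 * Verifies the credentials configured by SystemCredentialsTest.yml, and that the password is
 * not described in plain text and that the password and passphrase do not appear in the
 * captured log records.
 *
 * @throws Exception if lookup or description of the credentials fails
 */
@Test
@ConfiguredWithCode("SystemCredentialsTest.yml")
public void configure_system_credentials() throws Exception {
    Jenkins jenkins = Jenkins.get();

    // Username/password credential.
    List<UsernamePasswordCredentials> ups = CredentialsProvider.lookupCredentials(
            UsernamePasswordCredentials.class, jenkins, ACL.SYSTEM, Collections.emptyList());
    assertThat(ups, hasSize(1));
    final UsernamePasswordCredentials up = ups.get(0);
    assertThat(up.getPassword().getPlainText(), equalTo("1234"));

    // The described (exported) form must not carry the plain-text password.
    ConfiguratorRegistry registry = ConfiguratorRegistry.get();
    final ConfigurationContext context = new ConfigurationContext(registry);
    final CNode node = context.lookup(up.getClass()).describe(up, context);
    // equalTo, not equals: a bare equals("1234") resolves to this.equals(...) and yields the
    // boolean false, so not(...) would accept any string and the check could never fail.
    assertThat(node.asMapping().getScalarValue("password"), not(equalTo("1234")));

    // Certificate credentials: none expected.
    List<CertificateCredentials> certs = CredentialsProvider.lookupCredentials(
            CertificateCredentials.class, jenkins, ACL.SYSTEM, Collections.emptyList());
    assertThat(certs, hasSize(0));
    // TODO: add test for uploaded certificate
    // assertThat(certs.get(0).getPassword().getPlainText(), equalTo("ABCD"));

    // SSH private-key credential.
    List<BasicSSHUserPrivateKey> sshPrivateKeys = CredentialsProvider.lookupCredentials(
            BasicSSHUserPrivateKey.class, jenkins, ACL.SYSTEM, Collections.emptyList());
    assertThat(sshPrivateKeys, hasSize(1));
    final BasicSSHUserPrivateKey ssh_with_passphrase = sshPrivateKeys.get(0);
    assertThat(ssh_with_passphrase.getPassphrase().getPlainText(), equalTo("ABCD"));
    final DirectEntryPrivateKeySource source =
            (DirectEntryPrivateKeySource) ssh_with_passphrase.getPrivateKeySource();
    assertThat(source.getPrivateKey().getPlainText(), equalTo("s3cr3t"));

    // credentials should not appear in plain text in log
    // NOTE(review): the private key value asserted above is not part of this log check.
    for (LogRecord logRecord : log.getRecords()) {
        assertThat(logRecord.getMessage(), not(containsString("1234")));
        assertThat(logRecord.getMessage(), not(containsString("ABCD")));
    }
}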
Example #13
Source File: DockerComputerSSHConnector.java From docker-plugin with MIT License | 4 votes |
/**
 * Wraps a private key string in a {@code CredentialsScope.SYSTEM} SSH credential with a
 * {@code null} passphrase argument.
 *
 * @param credId id to give the credential
 * @param user user name stored in the credential
 * @param privateKey private key text, used as a directly-entered key source
 * @return the new credential
 */
@Restricted(NoExternalUse.class)
static StandardUsernameCredentials makeCredentials(String credId, String user, String privateKey) {
    final BasicSSHUserPrivateKey.DirectEntryPrivateKeySource keySource =
            new BasicSSHUserPrivateKey.DirectEntryPrivateKeySource(privateKey);
    return new BasicSSHUserPrivateKey(
            CredentialsScope.SYSTEM, credId, user, keySource, null, "private key for docker ssh agent");
}