93 | * For backward compatibility with clients that do not supply a valid listener, use one that's connected
94 | * to server's stderr. This way, at least we know the error will be reported somewhere.
95 | *
96 | */
97 | @NonNull
98 | private volatile TaskListener listener = StreamTaskListener.fromStderr();
99 |
100 | /**
101 | * Constructor.
102 | *
103 | * @param connection the connection we will be authenticating.
104 | * @param user the user we will be authenticating as.
105 | * @deprecated use
106 | * {@link #SSHAuthenticator(Object, com.cloudbees.plugins.credentials.common.StandardUsernameCredentials, String)}
107 | */
108 | @Deprecated
109 | protected SSHAuthenticator(@NonNull C connection, @NonNull U user) {
110 | this(connection, user, null);
111 | }
112 |
113 | /**
114 | * Constructor.
115 | *
116 | * @param connection the connection we will be authenticating.
117 | * @param user the user we will be authenticating as.
118 | * @param username the username we will be authenticating as or {@code null} to use the users username.
119 | * @since 1.4
120 | */
121 | protected SSHAuthenticator(@NonNull C connection, @NonNull U user, @CheckForNull String username) {
122 | this.connection = Objects.requireNonNull(connection);
123 | this.user = Objects.requireNonNull(user);
124 | this.username = username;
125 | }
126 |
127 | /**
128 | * Returns the username to authenticate as.
129 | *
130 | * @return the username to authenticate as.
131 | * @since 1.4
132 | */
133 | public String getUsername() {
134 | return username == null ? getUser().getUsername() : username;
135 | }
136 |
137 | @NonNull
138 | public TaskListener getListener() {
139 | return listener;
140 | }
141 |
142 | /**
143 | * Sets the {@link TaskListener} that receives errors that happen during the authentication.
144 | *
145 | * If you are doing this as a part of a build, pass in your {@link BuildListener}.
146 | * Pass in null to suppress the error reporting. Doing so is useful if the caller intends
147 | * to try another {@link SSHAuthenticator} when this one fails.
148 | *
149 | * For assisting troubleshooting with callers that do not provide a valid listener,
150 | * by default the errors will be sent to stderr of the server.
151 | *
152 | */
153 | public void setListener(TaskListener listener) {
154 | if (listener == null) {
155 | listener = TaskListener.NULL;
156 | }
157 | this.listener = listener;
158 | }
159 |
160 | /**
161 | * Creates an authenticator that may be able to authenticate the supplied connection with the supplied user.
162 | *
163 | * @param connection the connection to authenticate on.
164 | * @param user the user to authenticate with.
165 | * @param the type of connection.
166 | * @param the type of user.
167 | * @return a {@link SSHAuthenticator} that may or may not be able to successfully authenticate.
168 | */
169 | @NonNull
170 | public static SSHAuthenticator newInstance(@NonNull C connection,
171 | @NonNull U user)
172 | throws InterruptedException, IOException {
173 | return newInstance(connection, user, null);
174 | }
175 |
176 | /**
177 | * Creates an authenticator that may be able to authenticate the supplied connection with the supplied user.
178 | *
179 | * @param connection the connection to authenticate on.
180 | * @param user the user to authenticate with.
181 | * @param username the username or {@code null} to fall back to the username in the user parameter.
182 | * @param the type of connection.
183 | * @param the type of user.
184 | * @return a {@link SSHAuthenticator} that may or may not be able to successfully authenticate.
185 | * @since 1.4
186 | */
187 | @NonNull
188 | public static SSHAuthenticator newInstance(@NonNull C connection,
189 | @NonNull U user,
190 | @CheckForNull String
191 | username)
192 | throws InterruptedException, IOException {
193 | Objects.requireNonNull(connection);
194 | Objects.requireNonNull(user);
195 | Collection factories;
196 | try {
197 | factories = lookupFactories();
198 | } catch (LinkageError e) {
199 | // we are probably running on a remote agent and controller only classes are banned from remote class loading
200 | factories = null;
201 | } catch (IllegalStateException e) {
202 | // Jenkins.getInstance() is throwing an IllegalStateException when invoked on a remote agent
203 | factories = null;
204 | }
205 | if (factories == null) {
206 | // we are probably running on a remote agent
207 | Channel channel = Channel.current();
208 | if (channel == null) {
209 | // ok we are not running on a remote agent, we have no ability to authenticate
210 | factories = Collections.emptySet();
211 | } else {
212 | // call back to the controller and get an instance
213 | factories = channel.call(new NewInstance());
214 | }
215 |
216 | }
217 |
218 | return factories.stream()
219 | .map(factory -> factory.newInstance(connection, user, username))
220 | .filter(Objects::nonNull)
221 | .filter(SSHAuthenticator::canAuthenticate)
222 | .findFirst()
223 | .orElseGet(() -> new SSHNonauthenticator<>(connection, user, username));
224 | }
225 |
226 | /**
227 | * This method allows a build agent to invoke {@link #newInstance(Object, StandardUsernameCredentials, String)}
228 | * after we start blocking build agents from loading master-only classes such as {@link Jenkins} and
229 | * {@link ExtensionList} as the JVM will not attempt to load these classes until this method gets invoked.
230 | *
231 | * @return the {@link SSHAuthenticatorFactory} instances (or {@code null} if you invoke from a build agent)
232 | * @throws LinkageError if you invoke from a build agent
233 | * @throws IllegalStateException if you invoke from a build agent
234 | */
235 | private static List lookupFactories() {
236 | return JenkinsJVM.isJenkinsJVM() ? ExtensionList.lookup(SSHAuthenticatorFactory.class) : null;
237 | }
238 |
239 | /**
240 | * @deprecated Use {@link #newInstance(Object, StandardUsernameCredentials)} instead.
241 | */
242 | @Deprecated
243 | public static SSHAuthenticator newInstance(Object connection, SSHUser user)
244 | throws InterruptedException, IOException {
245 | return newInstance(connection, user, null);
246 | }
247 |
248 | /**
249 | * Returns {@code true} if and only if the supplied connection class and user class are supported by at least one
250 | * factory.
251 | *
252 | * @param connectionClass the connection class.
253 | * @param userClass the user class.
254 | * @param the type of connection.
255 | * @param the type of user.
256 | * @return {@code true} if and only if the supplied connection class and user class are supported by at least one
257 | * factory.
258 | */
259 | public static boolean isSupported(@NonNull Class connectionClass,
260 | @NonNull Class userClass) {
261 | Objects.requireNonNull(connectionClass);
262 | Objects.requireNonNull(userClass);
263 | return ExtensionList.lookup(SSHAuthenticatorFactory.class).stream()
264 | .anyMatch(factory -> factory.supports(connectionClass, userClass));
265 | }
266 |
267 | /**
268 | * Filters {@link Credentials} returning only those which are supported with the specified type of connection.
269 | *
270 | * @param credentials the credentials to filter.
271 | * @param connectionClass the type of connection to filter for.
272 | * @return a list of {@link SSHUser} credentials appropriate for use with the supplied type of connection.
273 | * @deprecated Use
274 | * {@link CredentialsMatchers#filter(List, CredentialsMatcher)}
275 | * and {@link #matcher(Class)}
276 | */
277 | public static List filter(Iterable credentials,
278 | Class connectionClass) {
279 | CredentialsMatcher matcher = matcher(connectionClass);
280 | return StreamSupport.stream(credentials.spliterator(), false)
281 | .filter(StandardUsernameCredentials.class::isInstance)
282 | .filter(matcher::matches)
283 | .map(StandardUsernameCredentials.class::cast)
284 | .collect(Collectors.toList());
285 | }
286 |
287 |
288 | /**
289 | * Returns a {@link CredentialsMatcher} that matches the generic types of credential that are valid for use over
290 | * SSH.
291 | * When you know the connection type you will be using, it is better to use {@link #matcher(Class)}.
292 | *
293 | * @return a {@link CredentialsMatcher} that matches the generic types of credential that are valid for use over
294 | * SSH.
295 | */
296 | public static CredentialsMatcher matcher() {
297 | return anyOf(
298 | instanceOf(StandardUsernamePasswordCredentials.class),
299 | instanceOf(SSHUserPrivateKey.class)
300 | );
301 | }
302 |
303 | /**
304 | * Creates a {@link CredentialsMatcher} for the specific type of connection.
305 | *
306 | * @param connectionClass the type of connection.
307 | * @return a {@link CredentialsMatcher}
308 | * @since 0.5
309 | */
310 | public static CredentialsMatcher matcher(Class connectionClass) {
311 | return new Matcher(connectionClass);
312 | }
313 |
314 | /**
315 | * {@link CredentialsMatcher} that matches credentials supported by a specific connection class.
316 | *
317 | * @since 0.5
318 | */
319 | private static class Matcher implements CredentialsMatcher {
320 | /**
321 | * Standardize serialization across different JVMs.
322 | *
323 | * @since 1.13
324 | */
325 | // historical value generated from 1.12 code with Java 8
326 | private static final Long serialVersionUID = -5078593817273453864L;
327 |
328 | /**
329 | * The connection class.
330 | */
331 | private final Class connectionClass;
332 |
333 | /**
334 | * Constructor.
335 | *
336 | * @param connectionClass the connection class.
337 | */
338 | public Matcher(Class connectionClass) {
339 | this.connectionClass = connectionClass;
340 | }
341 |
342 | /**
343 | * {@inheritDoc}
344 | */
345 | public boolean matches(@NonNull Credentials item) {
346 | return item instanceof StandardUsernameCredentials && isSupported(connectionClass,
347 | ((StandardUsernameCredentials) item).getClass());
348 | }
349 | }
350 |
351 | /**
352 | * Returns {@code true} if the bound connection is in a state where authentication can be tried using the
353 | * supplied credentials.
354 | *
355 | * Subclasses can override this if they can tell whether it is possible to make an authentication attempt, default
356 | * implementation is one-shot always.
357 | *
358 | *
359 | * @return {@code true} if the bound connection is in a state where authentication can be tried using the
360 | * supplied credentials.
361 | */
362 | public boolean canAuthenticate() {
363 | synchronized (lock) {
364 | return authenticated == null;
365 | }
366 | }
367 |
368 | /**
369 | * Returns {@code true} if the bound connection has been authenticated.
370 | *
371 | * @return {@code true} if the bound connection has been authenticated.
372 | */
373 | public final boolean isAuthenticated() {
374 | synchronized (lock) {
375 | return authenticated != null && authenticated;
376 | }
377 | }
378 |
379 | /**
380 | * Gets the bound connection.
381 | *
382 | * @return the bound connection.
383 | */
384 | @NonNull
385 | protected final C getConnection() {
386 | return connection;
387 | }
388 |
389 | /**
390 | * Gets the supplied credentials.
391 | *
392 | * @return the supplied credentials.
393 | */
394 | @NonNull
395 | public U getUser() {
396 | return user;
397 | }
398 |
399 | /**
400 | * SPI for authenticating the bound connection using the supplied credentials.
401 | *
402 | * As a guideline, authentication errors should be reported to {@link #getListener()}
403 | * before this method returns with {@code false}. This helps an user better understand
404 | * what is tried and failing. Logging can be used in addition to this to capture further details.
405 | * (in contrast, please avoid reporting a success to the listener to improve S/N ratio)
406 | *
407 | *
408 | * @return {@code true} if and only if authentication was successful.
409 | */
410 | protected abstract boolean doAuthenticate();
411 |
412 | /**
413 | * Returns the mode of authentication that this {@link SSHAuthenticator} supports.
414 | *
415 | * @return the mode of authentication that this {@link SSHAuthenticator} supports.
416 | * @since 0.2
417 | */
418 | @NonNull
419 | public Mode getAuthenticationMode() {
420 | return Mode.AFTER_CONNECT;
421 | }
422 |
423 | /**
424 | * @deprecated as of 0.3
425 | * Use {@link #authenticate(TaskListener)} and provide a listener to receive errors.
426 | */
427 | public final boolean authenticate() {
428 | synchronized (lock) {
429 | if (canAuthenticate()) {
430 | try {
431 | authenticated = doAuthenticate();
432 | } catch (Throwable t) {
433 | Functions.printStackTrace(t, listener.error("SSH authentication failed"));
434 | authenticated = false;
435 | }
436 | }
437 | return isAuthenticated() || Mode.BEFORE_CONNECT.equals(getAuthenticationMode());
438 | }
439 | }
440 |
441 | /**
442 | * @since TODO
443 | * @throws IOException Failure reason
444 | */
445 | public final void authenticateOrFail() throws IOException {
446 | synchronized (lock) {
447 | if (!canAuthenticate()) {
448 | throw new IOException("Cannot authenticate");
449 | }
450 |
451 | try {
452 | authenticated = doAuthenticate();
453 | } catch (Throwable t) {
454 | throw new IOException("SSH authentication failed", t);
455 | }
456 | }
457 | }
458 |
459 | /**
460 | * Authenticate the bound connection using the supplied credentials.
461 | *
462 | * @return For an {@link #getAuthenticationMode()} of {@link Mode#BEFORE_CONNECT} the return value is
463 | * always {@code true} otherwise the return value is {@code true} if and only if authentication was
464 | * successful.
465 | */
466 | public final boolean authenticate(TaskListener listener) {
467 | setListener(listener);
468 | return authenticate();
469 | }
470 |
471 | /**
472 | * Same as {@link SSHUserPrivateKey#getPrivateKeys} but backward compatible for old implementations.
473 | *
474 | * @since 1.3
475 | */
476 | @SuppressWarnings("deprecation")
477 | public static List getPrivateKeys(SSHUserPrivateKey user) {
478 | try {
479 | return user.getPrivateKeys();
480 | } catch (AbstractMethodError x) {
481 | return Collections.singletonList(user.getPrivateKey());
482 | }
483 | }
484 |
485 | /**
486 | * Reflects the different styles of applying authentication.
487 | *
488 | * @since 0.2
489 | */
490 | public enum Mode {
491 | /**
492 | * This {@link SSHAuthenticator} performs authentication before establishing the connection.
493 | */
494 | BEFORE_CONNECT,
495 | /**
496 | * This {@link SSHAuthenticator} performs authentication after establishing the connection.
497 | */
498 | AFTER_CONNECT
499 | }
500 |
501 | /**
502 | * A callable invoked from the remote agents to retrieve the {@link SSHAuthenticatorFactory} instances.
503 | */
504 | private static class NewInstance extends SlaveToMasterCallable, IOException> {
505 | /**
506 | * Standardize serialization.
507 | */
508 | private static final long serialVersionUID = 1L;
509 |
510 | /**
511 | * {@inheritDoc}
512 | */
513 | public Collection call() {
514 | return new ArrayList<>(ExtensionList.lookup(SSHAuthenticatorFactory.class));
515 | }
516 | }
517 |
518 | /**
519 | * A dummy {@link SSHAuthenticator} that will never authenticate.
520 | *
521 | * @param the connection type.
522 | * @param the credential type.
523 | */
524 | private static class SSHNonauthenticator extends SSHAuthenticator {
525 | /**
526 | * {@inheritDoc}
527 | */
528 | public SSHNonauthenticator(C connection, U user, String username) {
529 | super(connection, user, username);
530 | }
531 |
532 | /**
533 | * {@inheritDoc}
534 | */
535 | @Override
536 | protected boolean doAuthenticate() {
537 | return false;
538 | }
539 | }
540 | }
541 |
--------------------------------------------------------------------------------
/src/main/java/com/cloudbees/jenkins/plugins/sshcredentials/SSHAuthenticatorException.java:
--------------------------------------------------------------------------------
1 | package com.cloudbees.jenkins.plugins.sshcredentials;
2 |
3 | /**
4 | * @author stephenc
5 | * @since 25/10/2012 15:20
6 | */
7 | public class SSHAuthenticatorException extends RuntimeException {
8 | public SSHAuthenticatorException() {
9 | super();
10 | }
11 |
12 | public SSHAuthenticatorException(Throwable cause) {
13 | super(cause);
14 | }
15 |
16 | public SSHAuthenticatorException(String message) {
17 | super(message);
18 | }
19 |
20 | public SSHAuthenticatorException(String message, Throwable cause) {
21 | super(message, cause);
22 | }
23 | }
24 |
--------------------------------------------------------------------------------
/src/main/java/com/cloudbees/jenkins/plugins/sshcredentials/SSHAuthenticatorFactory.java:
--------------------------------------------------------------------------------
1 | /*
2 | * The MIT License
3 | *
4 | * Copyright (c) 2011-2012, CloudBees, Inc., Stephen Connolly.
5 | *
6 | * Permission is hereby granted, free of charge, to any person obtaining a copy
7 | * of this software and associated documentation files (the "Software"), to deal
8 | * in the Software without restriction, including without limitation the rights
9 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | * copies of the Software, and to permit persons to whom the Software is
11 | * furnished to do so, subject to the following conditions:
12 | *
13 | * The above copyright notice and this permission notice shall be included in
14 | * all copies or substantial portions of the Software.
15 | *
16 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 | * THE SOFTWARE.
23 | */
24 | package com.cloudbees.jenkins.plugins.sshcredentials;
25 |
26 | import com.cloudbees.plugins.credentials.common.StandardUsernameCredentials;
27 | import edu.umd.cs.findbugs.annotations.CheckForNull;
28 | import edu.umd.cs.findbugs.annotations.NonNull;
29 | import edu.umd.cs.findbugs.annotations.Nullable;
30 | import hudson.ExtensionPoint;
31 |
32 | import java.io.Serializable;
33 |
34 | /**
35 | * Extension point to allow plugging in {@link SSHAuthenticator} implementations for the many SSH client libraries
36 | * available.
37 | *
38 | * This object can be shipped to remote to create an {@link SSHAuthenticator} on a remote node.
39 | *
40 | *
41 | * @see SSHAuthenticator#newInstance(Object, SSHUser)
42 | */
43 | public abstract class SSHAuthenticatorFactory implements ExtensionPoint, Serializable {
44 |
45 | /**
46 | * Returns an instance of {@link SSHAuthenticator} for the supplied connection and user, or {@code null} if
47 | * the factory does not support the connection and user combination.
48 | *
49 | * @param connection the connection.
50 | * @param user the user.
51 | * @param the type of connection.
52 | * @param the type of user.
53 | * @return {@code null} if the connection or user is not supported by this factory, or a {@link SSHAuthenticator}
54 | * instance bound to the supplied connection and user.
55 | */
56 | @Nullable
57 | protected abstract SSHAuthenticator newInstance(
58 | @NonNull C connection,
59 | @NonNull U user);
60 |
61 | /**
62 | * Returns an instance of {@link SSHAuthenticator} for the supplied connection and user, or {@code null} if
63 | * the factory does not support the connection and user combination.
64 | *
65 | * @param connection the connection.
66 | * @param user the user.
67 | * @param username the username or {@code null} to fall back to the username in the user parameter.
68 | * @param the type of connection.
69 | * @param the type of user.
70 | * @return {@code null} if the connection or user is not supported by this factory, or a {@link SSHAuthenticator}
71 | * instance bound to the supplied connection and user.
72 | * @since 1.4
73 | */
74 | @Nullable
75 | protected SSHAuthenticator newInstance(
76 | @NonNull C connection,
77 | @NonNull U user,
78 | @CheckForNull String username) {
79 | return newInstance(connection, user);
80 | }
81 |
82 | /**
83 | * Returns {@code true} if and only if the supplied connection class and user class are supported by this factory.
84 | *
85 | * @param connectionClass the connection class.
86 | * @param userClass the user class.
87 | * @param the type of connection.
88 | * @param the type of user.
89 | * @return {@code true} if and only if the supplied connection class and user class are supported by this factory.
90 | */
91 | protected abstract boolean supports(@NonNull Class connectionClass,
92 | @NonNull Class userClass);
93 |
94 | private static final long serialVersionUID = 1L;
95 | }
96 |
--------------------------------------------------------------------------------
/src/main/java/com/cloudbees/jenkins/plugins/sshcredentials/SSHUser.java:
--------------------------------------------------------------------------------
1 | /*
2 | * The MIT License
3 | *
4 | * Copyright (c) 2011-2012, CloudBees, Inc., Stephen Connolly.
5 | *
6 | * Permission is hereby granted, free of charge, to any person obtaining a copy
7 | * of this software and associated documentation files (the "Software"), to deal
8 | * in the Software without restriction, including without limitation the rights
9 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | * copies of the Software, and to permit persons to whom the Software is
11 | * furnished to do so, subject to the following conditions:
12 | *
13 | * The above copyright notice and this permission notice shall be included in
14 | * all copies or substantial portions of the Software.
15 | *
16 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 | * THE SOFTWARE.
23 | */
24 | package com.cloudbees.jenkins.plugins.sshcredentials;
25 |
26 | import com.cloudbees.plugins.credentials.common.StandardUsernameCredentials;
27 |
28 | /**
29 | * Represents a user name and a secret (password/privateKey/etc) needed to perform an authentication in an SSH
30 | * connection.
31 | *
32 | * This interface is a base interface that defines commonality across all the modes of authentications,
33 | * then the subtype defines a specific type of secret.
34 | *
55 | * These credentials are meant to be used for system configuration and other things scoped to the {@link Jenkins}
56 | * object,
57 | * such as slaves.
58 | *
59 | *
60 | * @return {@code this} for method chaining.
61 | * @deprecated use {@link #withSystemScopeCredentials()}
62 | */
63 | @Deprecated
64 | public SSHUserListBoxModel addSystemScopeCredentials() {
65 | return withSystemScopeCredentials();
66 | }
67 |
68 | /**
69 | * Adds all the system-scoped credentials (they will be filtered with {@link SSHAuthenticator#matcher()}
70 | * implicitly).
71 | *
72 | * These credentials are meant to be used for system configuration and other things scoped to the {@link Jenkins}
73 | * object,
74 | * such as slaves.
75 | *
76 | *
77 | * @return {@code this} for method chaining.
78 | */
79 | public SSHUserListBoxModel withSystemScopeCredentials() {
80 | return withSystemScopeCredentials(Collections.emptyList());
81 | }
82 |
83 | /**
84 | * Adds all the system-scoped credentials (they will be filtered with {@link SSHAuthenticator#matcher()}
85 | * implicitly).
86 | *
87 | * These credentials are meant to be used for system configuration and other things scoped to the {@link Jenkins}
88 | * object,
89 | * such as slaves.
90 | *
102 | * These credentials are meant to be used for system configuration and other things scoped to the {@link Jenkins}
103 | * object,
104 | * such as slaves.
105 | *
106 | *
107 | * @param matcher a matcher to filter the credentials
108 | * @param domainRequirements the domain requirements
109 | * @return {@code this} for method chaining.
110 | */
111 | public SSHUserListBoxModel withSystemScopeCredentials(CredentialsMatcher matcher,
112 | DomainRequirement... domainRequirements) {
113 | return withSystemScopeCredentials(matcher, Arrays.asList(domainRequirements));
114 | }
115 |
116 | /**
117 | * Adds all the system-scoped credentials (they will be filtered with {@link SSHAuthenticator#matcher()}
118 | * implicitly).
119 | *
120 | * These credentials are meant to be used for system configuration and other things scoped to the {@link Jenkins}
121 | * object,
122 | * such as slaves.
123 | *
135 | * These credentials are meant to be used for system configuration and other things scoped to the {@link Jenkins}
136 | * object,
137 | * such as slaves.
138 | *
139 | *
140 | * @param matcher a matcher to filter the credentials
141 | * @param domainRequirements the domain requirements
142 | * @return {@code this} for method chaining.
143 | */
144 | public SSHUserListBoxModel withSystemScopeCredentials(CredentialsMatcher matcher,
145 | List domainRequirements) {
146 | includeMatchingAs(ACL.SYSTEM, Jenkins.getActiveInstance(), StandardUsernameCredentials.class,
147 | domainRequirements, matcher);
148 | return this;
149 | }
150 |
151 | }
152 |
--------------------------------------------------------------------------------
/src/main/java/com/cloudbees/jenkins/plugins/sshcredentials/SSHUserPassword.java:
--------------------------------------------------------------------------------
1 | /*
2 | * The MIT License
3 | *
4 | * Copyright (c) 2011-2012, CloudBees, Inc., Stephen Connolly.
5 | *
6 | * Permission is hereby granted, free of charge, to any person obtaining a copy
7 | * of this software and associated documentation files (the "Software"), to deal
8 | * in the Software without restriction, including without limitation the rights
9 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | * copies of the Software, and to permit persons to whom the Software is
11 | * furnished to do so, subject to the following conditions:
12 | *
13 | * The above copyright notice and this permission notice shall be included in
14 | * all copies or substantial portions of the Software.
15 | *
16 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 | * THE SOFTWARE.
23 | */
24 | package com.cloudbees.jenkins.plugins.sshcredentials;
25 |
26 | import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
27 |
28 | /**
29 | * Details of a SSH user with password.
30 | * @deprecated use {@link StandardUsernamePasswordCredentials}
31 | */
32 | @Deprecated
33 | public interface SSHUserPassword extends SSHUser, StandardUsernamePasswordCredentials {
34 | }
35 |
--------------------------------------------------------------------------------
/src/main/java/com/cloudbees/jenkins/plugins/sshcredentials/SSHUserPrivateKey.java:
--------------------------------------------------------------------------------
1 | /*
2 | * The MIT License
3 | *
4 | * Copyright (c) 2011-2012, CloudBees, Inc., Stephen Connolly.
5 | *
6 | * Permission is hereby granted, free of charge, to any person obtaining a copy
7 | * of this software and associated documentation files (the "Software"), to deal
8 | * in the Software without restriction, including without limitation the rights
9 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | * copies of the Software, and to permit persons to whom the Software is
11 | * furnished to do so, subject to the following conditions:
12 | *
13 | * The above copyright notice and this permission notice shall be included in
14 | * all copies or substantial portions of the Software.
15 | *
16 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 | * THE SOFTWARE.
23 | */
24 | package com.cloudbees.jenkins.plugins.sshcredentials;
25 |
26 | import edu.umd.cs.findbugs.annotations.CheckForNull;
27 | import edu.umd.cs.findbugs.annotations.NonNull;
28 | import hudson.util.Secret;
29 | import java.util.List;
30 |
31 | /**
32 | * Details of a SSH user with a private key.
33 | */
34 | public interface SSHUserPrivateKey extends SSHUser {
35 | /**
36 | * Returns the first private key. This should be in OpenSSH format.
37 | *
38 | * @return This is the actual content of the first private key and not the path to the private key.
39 | * @deprecated use {@link #getPrivateKeys()}
40 | */
41 | @Deprecated
42 | @NonNull
43 | default String getPrivateKey() {
44 | List keys = getPrivateKeys();
45 | return keys.isEmpty() ? "" : keys.get(0);
46 | }
47 |
48 | /**
49 | * Gets the passphrase for the private keys or {@code null} if the private keys are not protected by a
50 | * passphase.
51 | *
52 | * @return the passphrase for the private keys or {@code null} if the private key are not protected by
53 | * a passphase.
54 | */
55 | @CheckForNull
56 | Secret getPassphrase();
57 |
58 | /**
59 | * Returns a collection of keys to try in order for authentication.
60 | *
61 | * @return a collection of keys to try in order for authentication.
62 | * @since 0.5
63 | * @see SSHAuthenticator#getPrivateKeys
64 | */
65 | @NonNull
66 | List getPrivateKeys();
67 |
68 | }
69 |
--------------------------------------------------------------------------------
/src/main/java/com/cloudbees/jenkins/plugins/sshcredentials/impl/BaseSSHUser.java:
--------------------------------------------------------------------------------
1 | package com.cloudbees.jenkins.plugins.sshcredentials.impl;
2 |
3 | import com.cloudbees.jenkins.plugins.sshcredentials.SSHUser;
4 | import com.cloudbees.plugins.credentials.CredentialsScope;
5 | import com.cloudbees.plugins.credentials.common.StandardUsernameCredentials;
6 | import com.cloudbees.plugins.credentials.impl.BaseStandardCredentials;
7 | import edu.umd.cs.findbugs.annotations.NonNull;
8 | import edu.umd.cs.findbugs.annotations.Nullable;
9 | import org.apache.commons.lang.StringUtils;
10 | import org.kohsuke.stapler.DataBoundSetter;
11 |
12 | /**
13 | * @author stephenc
14 | * @since 28/02/2012 13:44
15 | */
16 | public class BaseSSHUser extends BaseStandardCredentials implements SSHUser, StandardUsernameCredentials {
17 |
18 | /**
19 | * Ensure consistent serialization.
20 | */
21 | private static final long serialVersionUID = 1L;
22 |
23 | /**
24 | * The username.
25 | */
26 | protected final String username;
27 |
28 | @Nullable
29 | private Boolean usernameSecret = false;
30 |
31 | public BaseSSHUser(CredentialsScope scope, String id, String username, String description) {
32 | super(scope, id, description);
33 | this.username = username;
34 | }
35 |
36 | protected Object readResolve() {
37 | if (usernameSecret == null) {
38 | usernameSecret = true;
39 | }
40 | return this;
41 | }
42 |
43 | /**
44 | * {@inheritDoc}
45 | */
46 | @NonNull
47 | public String getUsername() {
48 | return StringUtils.isEmpty(username) ? System.getProperty("user.name") : username;
49 | }
50 |
51 | @Override
52 | public boolean isUsernameSecret() {
53 | return usernameSecret;
54 | }
55 |
56 | @DataBoundSetter
57 | public void setUsernameSecret(boolean usernameSecret) {
58 | this.usernameSecret = usernameSecret;
59 | }
60 |
61 | }
62 |
--------------------------------------------------------------------------------
/src/main/java/com/cloudbees/jenkins/plugins/sshcredentials/impl/BasicSSHUserPassword.java:
--------------------------------------------------------------------------------
1 | /*
2 | * The MIT License
3 | *
4 | * Copyright (c) 2011-2012, CloudBees, Inc., Stephen Connolly.
5 | *
6 | * Permission is hereby granted, free of charge, to any person obtaining a copy
7 | * of this software and associated documentation files (the "Software"), to deal
8 | * in the Software without restriction, including without limitation the rights
9 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | * copies of the Software, and to permit persons to whom the Software is
11 | * furnished to do so, subject to the following conditions:
12 | *
13 | * The above copyright notice and this permission notice shall be included in
14 | * all copies or substantial portions of the Software.
15 | *
16 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 | * THE SOFTWARE.
23 | */
24 | package com.cloudbees.jenkins.plugins.sshcredentials.impl;
25 |
26 | import com.cloudbees.jenkins.plugins.sshcredentials.SSHUserPassword;
27 | import com.cloudbees.plugins.credentials.CredentialsResolver;
28 | import com.cloudbees.plugins.credentials.CredentialsScope;
29 | import com.cloudbees.plugins.credentials.ResolveWith;
30 | import com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl;
31 | import edu.umd.cs.findbugs.annotations.NonNull;
32 | import hudson.model.Descriptor;
33 | import hudson.util.Secret;
34 |
35 | /**
36 | * A simple username / password for use with SSH connections.
37 | *
38 | * @deprecated use {@link UsernamePasswordCredentialsImpl}
39 | */
40 | @ResolveWith(BasicSSHUserPassword.ResolverImpl.class)
41 | @Deprecated
42 | public class BasicSSHUserPassword extends BaseSSHUser implements SSHUserPassword {
43 |
44 | /**
45 | * Ensure consistent serialization.
46 | */
47 | private static final long serialVersionUID = 1L;
48 |
49 | /**
50 | * The password.
51 | */
52 | private final Secret password;
53 |
54 | /**
55 | * Constructor for stapler.
56 | *
57 | * @param scope the credentials scope
58 | * @param id
59 | * @param username the username.
60 | * @param password the password.
61 | * @param description the description.
62 | */
63 | public BasicSSHUserPassword(CredentialsScope scope, String id, String username, String password,
64 | String description) {
65 | super(scope, id, username, description);
66 | this.password = Secret.fromString(password);
67 | }
68 |
69 | /**
70 | * {@inheritDoc}
71 | */
72 | @NonNull
73 | public Secret getPassword() {
74 | return password;
75 | }
76 |
77 | @Override
78 | protected Object readResolve() {
79 | UsernamePasswordCredentialsImpl resolved;
80 | try {
81 | resolved = new UsernamePasswordCredentialsImpl(getScope(), getId(), getDescription(), getUsername(), getPassword().getEncryptedValue());
82 | } catch (Descriptor.FormException e) {
83 | throw new RuntimeException(e);
84 | }
85 | resolved.setUsernameSecret(true);
86 | return resolved;
87 | }
88 |
89 | /**
90 | * Resolve credentials for legacy code.
91 | *
92 | * @since 0.5
93 | */
94 | public static class ResolverImpl
95 | extends CredentialsResolver {
96 |
97 | /**
98 | * Default constructor.
99 | */
100 | public ResolverImpl() {
101 | super(UsernamePasswordCredentialsImpl.class);
102 | }
103 |
104 | @NonNull
105 | @Override
106 | protected BasicSSHUserPassword doResolve(@NonNull UsernamePasswordCredentialsImpl original) {
107 | return new BasicSSHUserPassword(original.getScope(), original.getId(), original.getUsername(),
108 | original.getPassword().getEncryptedValue(), original.getDescription());
109 | }
110 | }
111 | }
112 |
--------------------------------------------------------------------------------
/src/main/java/com/cloudbees/jenkins/plugins/sshcredentials/impl/BasicSSHUserPrivateKey.java:
--------------------------------------------------------------------------------
1 | /*
2 | * The MIT License
3 | *
4 | * Copyright (c) 2011-2012, CloudBees, Inc., Stephen Connolly.
5 | *
6 | * Permission is hereby granted, free of charge, to any person obtaining a copy
7 | * of this software and associated documentation files (the "Software"), to deal
8 | * in the Software without restriction, including without limitation the rights
9 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | * copies of the Software, and to permit persons to whom the Software is
11 | * furnished to do so, subject to the following conditions:
12 | *
13 | * The above copyright notice and this permission notice shall be included in
14 | * all copies or substantial portions of the Software.
15 | *
16 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 | * THE SOFTWARE.
23 | */
24 | package com.cloudbees.jenkins.plugins.sshcredentials.impl;
25 |
26 | import com.cloudbees.jenkins.plugins.sshcredentials.SSHUserPrivateKey;
27 | import com.cloudbees.plugins.credentials.CredentialsScope;
28 | import edu.umd.cs.findbugs.annotations.CheckForNull;
29 | import edu.umd.cs.findbugs.annotations.NonNull;
30 | import hudson.DescriptorExtensionList;
31 | import hudson.Extension;
32 | import hudson.RelativePath;
33 | import hudson.model.AbstractDescribableImpl;
34 | import hudson.model.Descriptor;
35 | import hudson.model.Items;
36 | import hudson.util.FormValidation;
37 | import hudson.util.Secret;
38 | import java.io.File;
39 | import java.io.IOException;
40 | import java.io.Serializable;
41 | import java.security.PrivateKey;
42 | import java.security.UnrecoverableKeyException;
43 | import java.security.interfaces.RSAPrivateKey;
44 | import java.util.ArrayList;
45 | import java.util.Arrays;
46 | import java.util.Collections;
47 | import java.util.List;
48 | import java.util.concurrent.TimeUnit;
49 | import java.util.logging.Level;
50 | import java.util.logging.Logger;
51 | import java.util.stream.Collectors;
52 |
53 | import jenkins.bouncycastle.api.PEMEncodable;
54 | import jenkins.model.Jenkins;
55 | import jenkins.security.FIPS140;
56 | import net.jcip.annotations.GuardedBy;
57 | import org.apache.commons.io.FileUtils;
58 | import org.apache.commons.lang.StringUtils;
59 | import org.kohsuke.stapler.DataBoundConstructor;
60 | import org.kohsuke.stapler.QueryParameter;
61 | import org.kohsuke.stapler.interceptor.RequirePOST;
62 |
63 | /**
64 | * A simple username / password for use with SSH connections.
65 | */
66 | public class BasicSSHUserPrivateKey extends BaseSSHUser implements SSHUserPrivateKey {
67 |
68 | /**
69 | * Ensure consistent serialization.
70 | */
71 | private static final long serialVersionUID = 1L;
72 |
73 | /**
74 | * The password.
75 | */
76 | private final Secret passphrase;
77 |
78 | /**
79 | * The private key. If you care about securing this, use a passphrase.
80 | */
81 | private final PrivateKeySource privateKeySource;
82 |
83 | /**
84 | * The private key.
85 | */
86 | @GuardedBy("this")
87 | private transient List privateKeys;
88 |
89 | /**
90 | * The maximum amount of time to cache the private keys before refreshing.
91 | *
92 | * @since 1.1
93 | */
94 | @GuardedBy("this")
95 | private transient long privateKeysLastModified;
96 |
97 | /**
98 | * Constructor for stapler.
99 | *
100 | * @param scope the credentials scope
101 | * @param username the username.
102 | * @param privateKeySource the private key.
103 | * @param passphrase the password.
104 | * @param description the description.
105 | */
106 | @DataBoundConstructor
107 | public BasicSSHUserPrivateKey(CredentialsScope scope, String id, String username, PrivateKeySource privateKeySource,
108 | String passphrase,
109 | String description) {
110 | super(scope, id, username, description);
111 | this.privateKeySource = privateKeySource == null ? new DirectEntryPrivateKeySource("") : privateKeySource;
112 | this.passphrase = fixEmpty(passphrase == null ? null : Secret.fromString(passphrase));
113 | checkKeyFipsCompliance(this.privateKeySource.getPrivateKeys().isEmpty() ? "" : this.privateKeySource.getPrivateKeys().get(0), this.passphrase);
114 | }
115 |
116 | private static Secret fixEmpty(Secret secret) {
117 | return secret == null ? null : secret.getPlainText().isEmpty() ? null : secret;
118 | }
119 |
120 | @Override
121 | protected synchronized Object readResolve() {
122 | if (privateKeySource == null) {
123 | Secret passphrase = getPassphrase();
124 | if (privateKeys != null) {
125 | return new BasicSSHUserPrivateKey(
126 | getScope(),
127 | getId(),
128 | getUsername(),
129 | new DirectEntryPrivateKeySource(privateKeys),
130 | passphrase == null ? null : passphrase.getEncryptedValue(),
131 | getDescription()
132 | );
133 | }
134 | return new BasicSSHUserPrivateKey(
135 | getScope(),
136 | getId(),
137 | getUsername(),
138 | new DirectEntryPrivateKeySource(""),
139 | passphrase == null ? null : passphrase.getEncryptedValue(),
140 | getDescription()
141 | );
142 | }
143 | checkKeyFipsCompliance(this.privateKeySource.getPrivateKeys().isEmpty() ? "" : privateKeySource.getPrivateKeys().get(0), passphrase);
144 | if (passphrase != null && fixEmpty(passphrase) == null) {
145 | return new BasicSSHUserPrivateKey(
146 | getScope(),
147 | getId(),
148 | getUsername(),
149 | privateKeySource,
150 | null,
151 | getDescription()
152 | );
153 | }
154 | return super.readResolve();
155 | }
156 |
157 | @NonNull
158 | public synchronized List getPrivateKeys() {
159 | if (privateKeySource == null) {
160 | return Collections.emptyList();
161 | }
162 | long lastModified = privateKeySource.getPrivateKeysLastModified();
163 | if (privateKeys == null || privateKeys.isEmpty() || lastModified > privateKeysLastModified) {
164 | this.privateKeys = privateKeySource.getPrivateKeys().stream()
165 | .map(privateKey -> privateKey.endsWith("\n") ? privateKey : privateKey + "\n")
166 | .collect(Collectors.toList());
167 | this.privateKeysLastModified = lastModified;
168 | }
169 | return privateKeys;
170 | }
171 |
172 | @NonNull
173 | public PrivateKeySource getPrivateKeySource() {
174 | return privateKeySource == null ? new DirectEntryPrivateKeySource("") : privateKeySource;
175 | }
176 |
177 | /**
178 | * {@inheritDoc}
179 | */
180 | @CheckForNull
181 | public Secret getPassphrase() {
182 | return passphrase;
183 | }
184 |
185 | /**
186 | * Checks if provided key is compliant with FIPS 140-2.
187 | * OpenSSH keys are not compliant. (the structure that contains the key is not ASN.1.)
188 | * Only Ed25519 or RSA (with a minimum size of 2048) keys are accepted.
189 | * Method will throw an {@link IllegalArgumentException} if key is not compliant.
190 | * @param privateKeySource the keySource
191 | * @param passphrase the secret used with the key (null if no secret provided)
192 | */
193 | private static void checkKeyFipsCompliance(String privateKeySource, Secret passphrase) {
194 | if (!FIPS140.useCompliantAlgorithms()) {
195 | return; // maintain existing behaviour if not in FIPS mode
196 | }
197 | if (StringUtils.isBlank(privateKeySource)) {
198 | return;
199 | }
200 | try {
201 | char[] pass = passphrase == null ? null : passphrase.getPlainText().toCharArray();
202 | if (pass != null && pass.length < 14) {
203 | throw new IllegalArgumentException(Messages.BasicSSHUserPrivateKey_TooShortPassphraseFIPS());
204 | }
205 | PEMEncodable pem = PEMEncodable.decode(privateKeySource, pass);
206 | PrivateKey privateKey = pem.toPrivateKey();
207 | if (privateKey == null) { //somehow malformed key or unknown algorithm
208 | throw new IllegalArgumentException(Messages.BasicSSHUserPrivateKey_UnknownAlgorithmFIPS());
209 | }
210 | if (privateKey instanceof RSAPrivateKey) {
211 | if (((RSAPrivateKey) privateKey).getModulus().bitLength() < 2048) {
212 | throw new IllegalArgumentException(Messages.BasicSSHUserPrivateKey_InvalidKeySizeFIPS());
213 | }
214 | } else if (!"Ed25519".equals(privateKey.getAlgorithm())) {
215 | // TODO: update this to use the JDK17 support when available in the plugin baseline
216 | // Using algorithm name to check elliptic curve, as EdECPrivateKey is not available in jdk11
217 | throw new IllegalArgumentException(Messages.BasicSSHUserPrivateKey_InvalidAlgorithmFIPS(privateKey.getAlgorithm()));
218 | }
219 | } catch (IOException ex) { // OpenSSH keys will raise this, so we need to check if it's a valid openssh key
220 | throw new IllegalArgumentException(Messages.BasicSSHUserPrivateKey_InvalidKeyFormatFIPS(ex.getLocalizedMessage()), ex);
221 | } catch (UnrecoverableKeyException ex) {
222 | String errorMessage = ex.getLocalizedMessage() == null ? "wrong passphrase" : ex.getLocalizedMessage();
223 | throw new IllegalArgumentException(Messages.BasicSSHUserPrivateKey_KeyParseErrorFIPS(errorMessage), ex);
224 | }
225 | }
226 |
227 | /**
228 | * {@inheritDoc}
229 | */
230 | @Extension
231 | public static class DescriptorImpl extends BaseStandardCredentialsDescriptor {
232 |
233 | /**
234 | * {@inheritDoc}
235 | */
236 | @NonNull
237 | @Override
238 | public String getDisplayName() {
239 | return Messages.BasicSSHUserPrivateKey_DisplayName();
240 | }
241 |
242 | public DescriptorExtensionList> getPrivateKeySources() {
243 | return Jenkins.get().getDescriptorList(PrivateKeySource.class);
244 | }
245 |
246 | /**
247 | * {@inheritDoc}
248 | */
249 | public String getIconClassName() {
250 | return "symbol-fingerprint";
251 | }
252 | }
253 |
254 | /**
255 | * A source of private keys
256 | */
257 | public static abstract class PrivateKeySource extends AbstractDescribableImpl {
258 | /**
259 | * Gets the private key from the source
260 | */
261 | @NonNull
262 | public abstract List getPrivateKeys();
263 |
264 | /**
265 | * Returns a revision count or a timestamp (in either case strictly increasing after changes to the private
266 | * keys)
267 | *
268 | * @return a revision count or a timestamp.
269 | * @since 1.4
270 | */
271 | public long getPrivateKeysLastModified() {
272 | return 1; // pick a default that is greater than the field initializer for constant sources.
273 | }
274 |
275 | /**
276 | * Returns {@code true} if and only if the source is self contained.
277 | *
278 | * @return {@code true} if and only if the source is self contained.
279 | * @since 1.7
280 | * @deprecated no more used since FileOnMaster- and Users- PrivateKeySource are deprecated too
281 | */
282 | @Deprecated
283 | public boolean isSnapshotSource() {
284 | return false;
285 | }
286 |
287 | }
288 |
289 | /**
290 | * Descriptor for a {@link PrivateKeySource}
291 | */
292 | public static abstract class PrivateKeySourceDescriptor extends Descriptor {
293 | }
294 |
295 | /**
296 | * Let the user enter the key directly via copy & paste
297 | */
298 | public static class DirectEntryPrivateKeySource extends PrivateKeySource implements Serializable {
299 | /**
300 | * Ensure consistent serialization.
301 | */
302 | private static final long serialVersionUID = 1L;
303 |
304 | private final Secret privateKey;
305 |
306 | public DirectEntryPrivateKeySource(String privateKey) {
307 | this(Secret.fromString(privateKey.endsWith("\n") ? privateKey : privateKey + "\n"));
308 | }
309 |
310 | @DataBoundConstructor
311 | public DirectEntryPrivateKeySource(Secret privateKey) {
312 | this.privateKey = privateKey;
313 | }
314 |
315 | public DirectEntryPrivateKeySource(List privateKeys) {
316 | this(StringUtils.join(privateKeys, "\f"));
317 | }
318 |
319 | /**
320 | * {@inheritDoc}
321 | */
322 | @NonNull
323 | @Override
324 | public List getPrivateKeys() {
325 | String privateKeys = Secret.toString(privateKey);
326 | return StringUtils.isBlank(privateKeys)
327 | ? Collections.emptyList()
328 | : Arrays.asList(StringUtils.split(privateKeys, "\f"));
329 | }
330 |
331 | /**
332 | * Returns the private key.
333 | *
334 | * @return the private key.
335 | */
336 | @SuppressWarnings("unused") // used by Jelly EL
337 | public Secret getPrivateKey() {
338 | return privateKey;
339 | }
340 |
341 | /**
342 | * {@inheritDoc}
343 | */
344 | @Override
345 | public boolean isSnapshotSource() {
346 | return true;
347 | }
348 |
349 | /**
350 | * {@inheritDoc}
351 | */
352 | @Extension
353 | public static class DescriptorImpl extends PrivateKeySourceDescriptor {
354 |
355 | /**
356 | * {@inheritDoc}
357 | */
358 | @NonNull
359 | @Override
360 | public String getDisplayName() {
361 | return Messages.BasicSSHUserPrivateKey_DirectEntryPrivateKeySourceDisplayName();
362 | }
363 |
364 | @RequirePOST
365 | public FormValidation doCheckPrivateKey (@QueryParameter String privateKey,
366 | @RelativePath("..") @QueryParameter String passphrase) {
367 | try {
368 | checkKeyFipsCompliance(privateKey, Secret.fromString(passphrase));
369 | return FormValidation.ok();
370 | } catch (IllegalArgumentException ex) {
371 | return FormValidation.error(ex, ex.getMessage());
372 | }
373 |
374 | }
375 | }
376 | }
377 |
378 | /**
379 | * Let the user reference a file on the disk.
380 | * @deprecated This approach has security vulnerability and should be migrated to {@link DirectEntryPrivateKeySource}
381 | */
382 | @Deprecated
383 | public static class FileOnMasterPrivateKeySource extends PrivateKeySource {
384 |
385 | /**
386 | * Our logger
387 | */
388 | private static final Logger LOGGER = Logger.getLogger(FileOnMasterPrivateKeySource.class.getName());
389 |
390 | /**
391 | * The path to the private key.
392 | */
393 | private final String privateKeyFile;
394 |
395 | /**
396 | * When any of the key files was last modified.
397 | */
398 | private transient volatile long lastModified;
399 |
400 | /**
401 | * When we will next try a refresh of the status.
402 | */
403 | private transient volatile long nextCheckLastModified;
404 |
405 | public FileOnMasterPrivateKeySource(String privateKeyFile) {
406 | this.privateKeyFile = privateKeyFile;
407 | }
408 |
409 | /**
410 | * {@inheritDoc}
411 | */
412 | @NonNull
413 | @Override
414 | public List getPrivateKeys() {
415 | if (privateKeyFile != null) {
416 | File key = new File(privateKeyFile);
417 | if (key.isFile()) {
418 | try {
419 | return Collections.singletonList(FileUtils.readFileToString(key));
420 | } catch (IOException e) {
421 | LOGGER.log(Level.WARNING, "Could not read private key file " + privateKeyFile, e);
422 | }
423 | }
424 | }
425 | return Collections.emptyList();
426 | }
427 |
428 | /**
429 | * Returns the private key file name.
430 | *
431 | * @return the private key file name.
432 | */
433 | public String getPrivateKeyFile() {
434 | return privateKeyFile;
435 | }
436 |
437 | private Object readResolve() {
438 | if (privateKeyFile != null
439 | && privateKeyFile.startsWith("---")
440 | && privateKeyFile.contains("---BEGIN")
441 | && privateKeyFile.contains("---END")) {
442 | // this is a borked upgrade, not actually the file name but is actually the key contents
443 | return new DirectEntryPrivateKeySource(privateKeyFile);
444 | }
445 |
446 | Jenkins.get().checkPermission(Jenkins.RUN_SCRIPTS);
447 |
448 | LOGGER.log(Level.INFO, "SECURITY-440: Migrating FileOnMasterPrivateKeySource to DirectEntryPrivateKeySource");
449 | // read the content of the file and then migrate to Direct
450 | return new DirectEntryPrivateKeySource(getPrivateKeys());
451 | }
452 |
453 | @Override
454 | public long getPrivateKeysLastModified() {
455 | if (nextCheckLastModified > System.currentTimeMillis() || lastModified < 0) {
456 | lastModified = Long.MIN_VALUE;
457 | if (privateKeyFile != null) {
458 | File file = new File(privateKeyFile);
459 | if (file.exists()) {
460 | lastModified = file.lastModified();
461 | }
462 | }
463 | nextCheckLastModified = System.currentTimeMillis() + TimeUnit.SECONDS.toMillis(30);
464 | }
465 | return lastModified;
466 | }
467 | }
468 |
469 | /**
470 | * Let the user
471 | * @deprecated This approach has security vulnerability and should be migrated to {@link DirectEntryPrivateKeySource}
472 | */
473 | @Deprecated
474 | public static class UsersPrivateKeySource extends PrivateKeySource {
475 |
476 | /**
477 | * Our logger
478 | */
479 | private static final Logger LOGGER = Logger.getLogger(UsersPrivateKeySource.class.getName());
480 |
481 | /**
482 | * When any of the key files was last modified.
483 | */
484 | private transient volatile long lastModified;
485 |
486 | /**
487 | * When we will next try a refresh of the status.
488 | */
489 | private transient volatile long nextCheckLastModified;
490 |
491 | private List files() {
492 | List files = new ArrayList<>();
493 | File sshHome = new File(new File(System.getProperty("user.home")), ".ssh");
494 | for (String keyName : Arrays.asList("id_ecdsa", "id_ed25519", "id_rsa", "id_dsa", "identity")) {
495 | File key = new File(sshHome, keyName);
496 | if (key.isFile()) {
497 | files.add(key);
498 | }
499 | }
500 | return files;
501 | }
502 |
503 | /**
504 | * {@inheritDoc}
505 | */
506 | @NonNull
507 | @Override
508 | public List getPrivateKeys() {
509 | List keys = new ArrayList<>();
510 | for (File file : files()) {
511 | try {
512 | keys.add(FileUtils.readFileToString(file));
513 | } catch (IOException e) {
514 | LOGGER.log(Level.WARNING, "Could not read private key", e);
515 | }
516 | }
517 | return keys;
518 | }
519 |
520 | @Override
521 | public long getPrivateKeysLastModified() {
522 | if (nextCheckLastModified > System.currentTimeMillis() || lastModified < 0) {
523 | lastModified = Long.MIN_VALUE;
524 | for (File file : files()) {
525 | lastModified = Math.max(lastModified, file.lastModified());
526 | }
527 | nextCheckLastModified = System.currentTimeMillis() + TimeUnit.SECONDS.toMillis(30);
528 | }
529 | return lastModified;
530 | }
531 |
532 | private Object readResolve() {
533 | Jenkins.get().checkPermission(Jenkins.RUN_SCRIPTS);
534 |
535 | LOGGER.log(Level.INFO, "SECURITY-440: Migrating UsersPrivateKeySource to DirectEntryPrivateKeySource");
536 | // read the content of the file and then migrate to Direct
537 | return new DirectEntryPrivateKeySource(getPrivateKeys());
538 | }
539 | }
540 |
541 | static {
542 | // the critical field allow the permission check to make the XML read to fail completely in case of violation
543 | Items.XSTREAM2.addCriticalField(BasicSSHUserPrivateKey.class, "privateKeySource");
544 | }
545 | }
546 |
--------------------------------------------------------------------------------
/src/main/java/com/cloudbees/jenkins/plugins/sshcredentials/impl/SSHUserPrivateKeySnapshotTaker.java:
--------------------------------------------------------------------------------
1 | package com.cloudbees.jenkins.plugins.sshcredentials.impl;
2 |
3 | import com.cloudbees.jenkins.plugins.sshcredentials.SSHUserPrivateKey;
4 | import com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey.DirectEntryPrivateKeySource;
5 | import com.cloudbees.plugins.credentials.CredentialsSnapshotTaker;
6 |
7 | import hudson.Extension;
8 | import hudson.util.Secret;
9 |
10 | @Extension
11 | public class SSHUserPrivateKeySnapshotTaker extends CredentialsSnapshotTaker {
12 | /**
13 | * {@inheritDoc}
14 | */
15 | @Override
16 | public Class type() {
17 | return SSHUserPrivateKey.class;
18 | }
19 |
20 | /**
21 | * {@inheritDoc}
22 | */
23 | @Override
24 | public SSHUserPrivateKey snapshot(SSHUserPrivateKey credentials) {
25 | if (credentials instanceof BasicSSHUserPrivateKey && ((BasicSSHUserPrivateKey) credentials).getPrivateKeySource() instanceof DirectEntryPrivateKeySource) {
26 | return credentials;
27 | }
28 | final Secret passphrase = credentials.getPassphrase();
29 | return new BasicSSHUserPrivateKey(credentials.getScope(), credentials.getId(), credentials.getUsername(),
30 | new DirectEntryPrivateKeySource(credentials.getPrivateKeys()),
31 | passphrase == null ? null : passphrase.getEncryptedValue(), credentials.getDescription());
32 | }
33 | }
34 |
--------------------------------------------------------------------------------
/src/main/java/com/cloudbees/jenkins/plugins/sshcredentials/impl/TrileadSSHPasswordAuthenticator.java:
--------------------------------------------------------------------------------
1 | /*
2 | * The MIT License
3 | *
4 | * Copyright (c) 2011-2012, CloudBees, Inc., Stephen Connolly.
5 | *
6 | * Permission is hereby granted, free of charge, to any person obtaining a copy
7 | * of this software and associated documentation files (the "Software"), to deal
8 | * in the Software without restriction, including without limitation the rights
9 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | * copies of the Software, and to permit persons to whom the Software is
11 | * furnished to do so, subject to the following conditions:
12 | *
13 | * The above copyright notice and this permission notice shall be included in
14 | * all copies or substantial portions of the Software.
15 | *
16 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 | * THE SOFTWARE.
23 | */
24 | package com.cloudbees.jenkins.plugins.sshcredentials.impl;
25 |
26 | import com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator;
27 | import com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticatorFactory;
28 | import com.cloudbees.plugins.credentials.common.StandardUsernameCredentials;
29 | import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
30 | import com.trilead.ssh2.Connection;
31 | import edu.umd.cs.findbugs.annotations.CheckForNull;
32 | import edu.umd.cs.findbugs.annotations.NonNull;
33 | import edu.umd.cs.findbugs.annotations.Nullable;
34 | import org.jenkinsci.plugins.variant.OptionalExtension;
35 |
36 | import java.io.IOException;
37 | import java.util.Arrays;
38 | import java.util.List;
39 | import java.util.Locale;
40 | import java.util.logging.Logger;
41 |
42 | /**
43 | * Does password auth with a {@link Connection}.
44 | */
45 | public class TrileadSSHPasswordAuthenticator extends SSHAuthenticator {
46 |
47 | /**
48 | * Our logger
49 | */
50 | private static final Logger LOGGER = Logger.getLogger(TrileadSSHPasswordAuthenticator.class.getName());
51 | private static final String PASSWORD = "password";
52 | private static final String KEYBOARD_INTERACTIVE = "keyboard-interactive";
53 |
54 | /**
55 | * Constructor.
56 | *
57 | * @param connection the connection we will be authenticating.
58 | * @deprecated
59 | */
60 | @Deprecated
61 | public TrileadSSHPasswordAuthenticator(Connection connection, StandardUsernamePasswordCredentials user) {
62 | this(connection, user, null);
63 | }
64 |
65 | /**
66 | * Constructor.
67 | *
68 | * @param connection the connection we will be authenticating.
69 | * @since 1.4
70 | */
71 | public TrileadSSHPasswordAuthenticator(@NonNull Connection connection,
72 | @NonNull StandardUsernamePasswordCredentials user,
73 | @CheckForNull String username) {
74 | super(connection, user, username);
75 | }
76 |
77 | /**
78 | * {@inheritDoc}
79 | */
80 | @Override
81 | public boolean canAuthenticate() {
82 | try {
83 | for (String authMethod : getConnection().getRemainingAuthMethods(getUsername())) {
84 | if (PASSWORD.equals(authMethod)) {
85 | // prefer password
86 | return true;
87 | }
88 | if (KEYBOARD_INTERACTIVE.equals(authMethod)) {
89 | return true;
90 | }
91 | }
92 | } catch (IOException e) {
93 | e.printStackTrace(getListener().error("Failed to authenticate"));
94 | }
95 | return false;
96 | }
97 |
98 | /**
99 | * {@inheritDoc}
100 | */
101 | @Override
102 | protected boolean doAuthenticate() {
103 | final StandardUsernamePasswordCredentials user = getUser();
104 | final String username = getUsername();
105 |
106 | try {
107 | final Connection connection = getConnection();
108 | final String password = user.getPassword().getPlainText();
109 | boolean tried = false;
110 |
111 | List availableMethods = Arrays.asList(connection.getRemainingAuthMethods(username));
112 | if (availableMethods.contains(PASSWORD)) {
113 | // prefer password
114 | if (connection.authenticateWithPassword(username, password)) {
115 | LOGGER.fine("Authentication with 'password' succeeded.");
116 | return true;
117 | }
118 | getListener().error("Failed to authenticate as %s. Wrong password. (credentialId:%s/method:password)",
119 | username, user.getId());
120 | tried = true;
121 | }
122 | if (availableMethods.contains(KEYBOARD_INTERACTIVE)) {
123 | if (connection.authenticateWithKeyboardInteractive(username, (name, instruction, numPrompts, prompt, echo) -> {
124 | // most SSH servers just use keyboard interactive to prompt for the password
125 | // match "assword" is safer than "password"... you don't *want* to know why!
126 | return prompt != null && prompt.length > 0 && prompt[0].toLowerCase(Locale.ENGLISH)
127 | .contains("assword")
128 | ? new String[]{password}
129 | : new String[0];
130 | })) {
131 | LOGGER.fine("Authentication with 'keyboard-interactive' succeeded.");
132 | return true;
133 | }
134 | getListener()
135 | .error("Failed to authenticate as %s. Wrong password. "
136 | + "(credentialId:%s/method:keyboard-interactive)",
137 | username, user.getId());
138 | tried = true;
139 | }
140 |
141 | if (!tried) {
142 | getListener().error("The server does not allow password authentication. Available options are %s",
143 | availableMethods);
144 | }
145 | } catch (IOException e) {
146 | e.printStackTrace(getListener()
147 | .error("Unexpected error while trying to authenticate as %s with credential=%s", username,
148 | user.getId()));
149 | }
150 | return false;
151 | }
152 |
153 | /**
154 | * {@inheritDoc}
155 | */
156 | @OptionalExtension(requirePlugins = {"trilead-api"})
157 | public static class Factory extends SSHAuthenticatorFactory {
158 |
159 | /**
160 | * {@inheritDoc}
161 | */
162 | @Override
163 | protected SSHAuthenticator newInstance(@NonNull C connection,
164 | @NonNull U user) {
165 | return newInstance(connection, user, null);
166 | }
167 |
168 | /**
169 | * {@inheritDoc}
170 | */
171 | @Nullable
172 | @Override
173 | @SuppressWarnings("unchecked")
174 | protected SSHAuthenticator newInstance(@NonNull C connection,
175 | @NonNull U user,
176 | @CheckForNull String
177 | username) {
178 | if (supports(connection.getClass(), user.getClass())) {
179 | return (SSHAuthenticator) new TrileadSSHPasswordAuthenticator((Connection) connection,
180 | (StandardUsernamePasswordCredentials) user, username);
181 | }
182 | return null;
183 | }
184 |
185 | /**
186 | * {@inheritDoc}
187 | */
188 | @Override
189 | protected boolean supports(@NonNull Class connectionClass,
190 | @NonNull Class userClass) {
191 | return Connection.class.isAssignableFrom(connectionClass)
192 | && StandardUsernamePasswordCredentials.class.isAssignableFrom(userClass);
193 | }
194 |
195 | private static final long serialVersionUID = 1L;
196 | }
197 | }
198 |
--------------------------------------------------------------------------------
/src/main/java/com/cloudbees/jenkins/plugins/sshcredentials/impl/TrileadSSHPublicKeyAuthenticator.java:
--------------------------------------------------------------------------------
1 | /*
2 | * The MIT License
3 | *
4 | * Copyright (c) 2011-2012, CloudBees, Inc., Stephen Connolly.
5 | *
6 | * Permission is hereby granted, free of charge, to any person obtaining a copy
7 | * of this software and associated documentation files (the "Software"), to deal
8 | * in the Software without restriction, including without limitation the rights
9 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | * copies of the Software, and to permit persons to whom the Software is
11 | * furnished to do so, subject to the following conditions:
12 | *
13 | * The above copyright notice and this permission notice shall be included in
14 | * all copies or substantial portions of the Software.
15 | *
16 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 | * THE SOFTWARE.
23 | */
24 | package com.cloudbees.jenkins.plugins.sshcredentials.impl;
25 |
26 | import com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator;
27 | import com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticatorFactory;
28 | import com.cloudbees.jenkins.plugins.sshcredentials.SSHUserPrivateKey;
29 | import com.cloudbees.plugins.credentials.common.StandardUsernameCredentials;
30 | import com.trilead.ssh2.Connection;
31 | import edu.umd.cs.findbugs.annotations.CheckForNull;
32 | import edu.umd.cs.findbugs.annotations.NonNull;
33 | import edu.umd.cs.findbugs.annotations.Nullable;
34 | import hudson.util.Secret;
35 | import org.jenkinsci.plugins.variant.OptionalExtension;
36 |
37 | import java.io.IOException;
38 | import java.util.ArrayList;
39 | import java.util.Arrays;
40 | import java.util.Collection;
41 | import java.util.List;
42 | import java.util.logging.Logger;
43 |
44 | /**
45 | * Does public key auth with a {@link Connection}.
46 | */
47 | public class TrileadSSHPublicKeyAuthenticator extends SSHAuthenticator {
48 |
49 | /**
50 | * Our logger.
51 | */
52 | private static final Logger LOGGER = Logger.getLogger(TrileadSSHPublicKeyAuthenticator.class.getName());
53 | private static final String PUBLICKEY = "publickey";
54 |
55 | /**
56 | * Constructor.
57 | *
58 | * @param connection the connection we will be authenticating.
59 | */
60 | public TrileadSSHPublicKeyAuthenticator(Connection connection, SSHUserPrivateKey user) {
61 | this(connection, user, null);
62 | }
63 |
64 | /**
65 | * Constructor.
66 | *
67 | * @param connection the connection we will be authenticating.
68 | */
69 | public TrileadSSHPublicKeyAuthenticator(@NonNull Connection connection,
70 | @NonNull SSHUserPrivateKey user,
71 | @CheckForNull String username) {
72 | super(connection, user, username);
73 | }
74 |
75 | /**
76 | * {@inheritDoc}
77 | */
78 | @Override
79 | public boolean canAuthenticate() {
80 | try {
81 | return getRemainingAuthMethods().contains(PUBLICKEY);
82 | } catch (IOException e) {
83 | e.printStackTrace(getListener().error("Failed to authenticate"));
84 | return false;
85 | }
86 | }
87 |
88 | private List getRemainingAuthMethods() throws IOException {
89 | return Arrays.asList(getConnection().getRemainingAuthMethods(getUsername()));
90 | }
91 |
92 | /**
93 | * {@inheritDoc}
94 | */
95 | @Override
96 | protected boolean doAuthenticate() {
97 | final SSHUserPrivateKey user = getUser();
98 | final String username = getUsername();
99 | try {
100 | final Connection connection = getConnection();
101 | final Secret userPassphrase = user.getPassphrase();
102 | final String passphrase = userPassphrase == null ? null : userPassphrase.getPlainText();
103 |
104 | Collection availableMethods = getRemainingAuthMethods();
105 | if (availableMethods.contains(PUBLICKEY)) {
106 | int count = 0;
107 | List ioe = new ArrayList<>();
108 | for (String privateKey : getPrivateKeys(user)) {
109 | try {
110 | if (connection.authenticateWithPublicKey(username, privateKey.toCharArray(), passphrase)) {
111 | LOGGER.fine("Authentication with 'publickey' succeeded.");
112 | return true;
113 | }
114 | } catch (IOException e) {
115 | ioe.add(e);
116 | }
117 | count++;
118 | getListener()
119 | .error("Server rejected the %d private key(s) for %s (credentialId:%s/method:publickey)",
120 | count, username, user.getId());
121 | }
122 | for (IOException e : ioe) {
123 | e.printStackTrace(getListener()
124 | .error("Failed to authenticate as %s with credential=%s", username, getUser().getId()));
125 | }
126 | return false;
127 | } else {
128 | getListener().error("The server does not allow public key authentication. Available options are %s",
129 | availableMethods);
130 | return false;
131 | }
132 | } catch (IOException e) {
133 | e.printStackTrace(getListener()
134 | .error("Failed to authenticate as %s with credential=%s", username, getUser().getId()));
135 | return false;
136 | }
137 | }
138 |
139 | /**
140 | * {@inheritDoc}
141 | */
142 | @OptionalExtension(requirePlugins = {"trilead-api"})
143 | public static class Factory extends SSHAuthenticatorFactory {
144 |
145 | /**
146 | * {@inheritDoc}
147 | */
148 | @Override
149 | @SuppressWarnings("unchecked")
150 | protected SSHAuthenticator newInstance(@NonNull C connection,
151 | @NonNull U user) {
152 | return newInstance(connection, user, null);
153 | }
154 |
155 | /**
156 | * {@inheritDoc}
157 | */
158 | @Nullable
159 | @Override
160 | @SuppressWarnings("unchecked")
161 | protected SSHAuthenticator newInstance(@NonNull C connection,
162 | @NonNull U user,
163 | @CheckForNull String
164 | username) {
165 | if (supports(connection.getClass(), user.getClass())) {
166 | return (SSHAuthenticator) new TrileadSSHPublicKeyAuthenticator((Connection) connection,
167 | (SSHUserPrivateKey) user, username);
168 | }
169 | return null;
170 | }
171 |
172 | /**
173 | * {@inheritDoc}
174 | */
175 | @Override
176 | protected boolean supports(@NonNull Class connectionClass,
177 | @NonNull Class userClass) {
178 | return Connection.class.isAssignableFrom(connectionClass)
179 | && SSHUserPrivateKey.class.isAssignableFrom(userClass);
180 | }
181 |
182 | private static final long serialVersionUID = 1L;
183 | }
184 | }
185 |
--------------------------------------------------------------------------------
/src/main/resources/com/cloudbees/jenkins/plugins/sshcredentials/Messages.properties:
--------------------------------------------------------------------------------
1 | #
2 | # The MIT License
3 | #
4 | # Copyright (c) 2011-2013, CloudBees, Inc., Stephen Connolly.
5 | #
6 | # Permission is hereby granted, free of charge, to any person obtaining a copy
7 | # of this software and associated documentation files (the "Software"), to deal
8 | # in the Software without restriction, including without limitation the rights
9 | # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | # copies of the Software, and to permit persons to whom the Software is
11 | # furnished to do so, subject to the following conditions:
12 | #
13 | # The above copyright notice and this permission notice shall be included in
14 | # all copies or substantial portions of the Software.
15 | #
16 | # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 | # THE SOFTWARE.
23 | #
24 | SSHUserListBoxModel.EmptySelection=- none -
--------------------------------------------------------------------------------
/src/main/resources/com/cloudbees/jenkins/plugins/sshcredentials/impl/BasicSSHUserPrivateKey/DirectEntryPrivateKeySource/config.jelly:
--------------------------------------------------------------------------------
1 |
2 |
25 |
26 |
27 |
28 |
29 |
30 |
31 |
--------------------------------------------------------------------------------
/src/main/resources/com/cloudbees/jenkins/plugins/sshcredentials/impl/BasicSSHUserPrivateKey/DirectEntryPrivateKeySource/config_de.properties:
--------------------------------------------------------------------------------
1 | #
2 | # The MIT License
3 | #
4 | # Copyright (c) 2013 Harald Albers
5 | #
6 | # Permission is hereby granted, free of charge, to any person obtaining a copy
7 | # of this software and associated documentation files (the "Software"), to deal
8 | # in the Software without restriction, including without limitation the rights
9 | # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | # copies of the Software, and to permit persons to whom the Software is
11 | # furnished to do so, subject to the following conditions:
12 | #
13 | # The above copyright notice and this permission notice shall be included in
14 | # all copies or substantial portions of the Software.
15 | #
16 | # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 | # THE SOFTWARE.
23 |
24 | Key=Schl\u00FCssel
--------------------------------------------------------------------------------
/src/main/resources/com/cloudbees/jenkins/plugins/sshcredentials/impl/BasicSSHUserPrivateKey/DirectEntryPrivateKeySource/config_ja.properties:
--------------------------------------------------------------------------------
1 | # The MIT License
2 | #
3 | # Copyright (c) 2013 Seiji Sogabe.
4 | #
5 | # Permission is hereby granted, free of charge, to any person obtaining a copy
6 | # of this software and associated documentation files (the "Software"), to deal
7 | # in the Software without restriction, including without limitation the rights
8 | # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | # copies of the Software, and to permit persons to whom the Software is
10 | # furnished to do so, subject to the following conditions:
11 | #
12 | # The above copyright notice and this permission notice shall be included in
13 | # all copies or substantial portions of the Software.
14 | #
15 | # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
21 | # THE SOFTWARE.
22 |
23 | Key=\u9375
24 |
25 |
--------------------------------------------------------------------------------
/src/main/resources/com/cloudbees/jenkins/plugins/sshcredentials/impl/BasicSSHUserPrivateKey/credentials.jelly:
--------------------------------------------------------------------------------
1 |
2 |
25 |
26 |
27 |
28 |
29 |
30 |
31 |
32 |
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
--------------------------------------------------------------------------------
/src/main/resources/com/cloudbees/jenkins/plugins/sshcredentials/impl/BasicSSHUserPrivateKey/credentials_de.properties:
--------------------------------------------------------------------------------
1 | #
2 | # The MIT License
3 | #
4 | # Copyright (c) 2013 Harald Albers
5 | #
6 | # Permission is hereby granted, free of charge, to any person obtaining a copy
7 | # of this software and associated documentation files (the "Software"), to deal
8 | # in the Software without restriction, including without limitation the rights
9 | # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | # copies of the Software, and to permit persons to whom the Software is
11 | # furnished to do so, subject to the following conditions:
12 | #
13 | # The above copyright notice and this permission notice shall be included in
14 | # all copies or substantial portions of the Software.
15 | #
16 | # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 | # THE SOFTWARE.
23 |
24 | Username=Benutzername
25 | Private\ Key=Privater Schl\u00fcssel
26 | Passphrase=Passwort/Passphrase
27 |
--------------------------------------------------------------------------------
/src/main/resources/com/cloudbees/jenkins/plugins/sshcredentials/impl/BasicSSHUserPrivateKey/credentials_ja.properties:
--------------------------------------------------------------------------------
1 | # The MIT License
2 | #
3 | # Copyright (c) 2013 Seiji Sogabe.
4 | #
5 | # Permission is hereby granted, free of charge, to any person obtaining a copy
6 | # of this software and associated documentation files (the "Software"), to deal
7 | # in the Software without restriction, including without limitation the rights
8 | # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | # copies of the Software, and to permit persons to whom the Software is
10 | # furnished to do so, subject to the following conditions:
11 | #
12 | # The above copyright notice and this permission notice shall be included in
13 | # all copies or substantial portions of the Software.
14 | #
15 | # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
21 | # THE SOFTWARE.
22 |
23 | Username=\u30e6\u30fc\u30b6\u30fc\u540d
24 | Private\ Key=\u79d8\u5bc6\u9375
25 | Passphrase=\u30d1\u30b9\u30d5\u30ec\u30fc\u30ba
26 |
--------------------------------------------------------------------------------
/src/main/resources/com/cloudbees/jenkins/plugins/sshcredentials/impl/BasicSSHUserPrivateKey/help-usernameSecret.html:
--------------------------------------------------------------------------------
1 |
2 | By default, usernames are not masked in the build log.
3 | You may choose to mask a credential's username if you consider it to be sensitive information.
4 | However, this can interfere with diagnostics.
5 | For example, if the username is a common word it will cause unrelated occurrences of that word to also be masked.
6 |
7 | Regardless of this setting, the username will be displayed in the selection dropdown to anyone permitted to reconfigure the credentials.
8 |
9 |
--------------------------------------------------------------------------------
/src/main/resources/com/cloudbees/jenkins/plugins/sshcredentials/impl/BasicSSHUserPrivateKey/passphraseChangeEvent.js:
--------------------------------------------------------------------------------
1 | //TODO: this snippet, as well as ids in passphrase and private key fields can be removed once https://issues.jenkins.io/browse/JENKINS-65616 is completed
2 | const passphraseElements = document.getElementsByClassName('sshCredentials_passphrase');
3 |
4 | if (passphraseElements.length > 0) {
5 | // Failsafe in case there's more than 1 element we'll only use the first one. Should not happen.
6 | passphraseElements[0].addEventListener("change", event => {
7 | var newEvent = new Event("change", {"bubbles": true})
8 | const privateKeyElements = document.getElementsByName('_.privateKey');
9 | if (privateKeyElements.length > 0) {
10 | privateKeyElements[0].dispatchEvent(newEvent)
11 | }
12 | })
13 | }
--------------------------------------------------------------------------------
/src/main/resources/com/cloudbees/jenkins/plugins/sshcredentials/impl/Messages.properties:
--------------------------------------------------------------------------------
1 | #
2 | # The MIT License
3 | #
4 | # Copyright (c) 2011-2012, CloudBees, Inc., Stephen Connolly.
5 | #
6 | # Permission is hereby granted, free of charge, to any person obtaining a copy
7 | # of this software and associated documentation files (the "Software"), to deal
8 | # in the Software without restriction, including without limitation the rights
9 | # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | # copies of the Software, and to permit persons to whom the Software is
11 | # furnished to do so, subject to the following conditions:
12 | #
13 | # The above copyright notice and this permission notice shall be included in
14 | # all copies or substantial portions of the Software.
15 | #
16 | # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 | # THE SOFTWARE.
23 | #
24 | BasicSSHUserPrivateKey.DirectEntryPrivateKeySourceDisplayName=Enter directly
25 | BasicSSHUserPrivateKey.DisplayName=SSH Username with private key
26 | BasicSSHUserPrivateKey.UnknownAlgorithmFIPS=Private key can not be obtained from provided data.
27 | BasicSSHUserPrivateKey.InvalidKeySizeFIPS=Key size below 2048 for RSA keys is not accepted in FIPS mode.
28 | BasicSSHUserPrivateKey.InvalidAlgorithmFIPS=Key algorithm {0} is not accepted in FIPS mode.
29 | BasicSSHUserPrivateKey.InvalidKeyFormatFIPS=Provided data can not be parsed: {0}.
30 | BasicSSHUserPrivateKey.KeyParseErrorFIPS=Can not parse key: {0}
31 | BasicSSHUserPrivateKey.TooShortPassphraseFIPS=Password is too short (< 14 characters).
32 |
--------------------------------------------------------------------------------
/src/main/resources/com/cloudbees/jenkins/plugins/sshcredentials/impl/Messages_de.properties:
--------------------------------------------------------------------------------
1 | #
2 | # The MIT License
3 | #
4 | # Copyright (c) 2013 Harald Albers
5 | #
6 | # Permission is hereby granted, free of charge, to any person obtaining a copy
7 | # of this software and associated documentation files (the "Software"), to deal
8 | # in the Software without restriction, including without limitation the rights
9 | # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | # copies of the Software, and to permit persons to whom the Software is
11 | # furnished to do so, subject to the following conditions:
12 | #
13 | # The above copyright notice and this permission notice shall be included in
14 | # all copies or substantial portions of the Software.
15 | #
16 | # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 | # THE SOFTWARE.
23 | #
24 | BasicSSHUserPrivateKey.DirectEntryPrivateKeySourceDisplayName=Direkt eingeben
25 | BasicSSHUserPrivateKey.DisplayName=SSH Benutzername und privater Schl\u00fcssel
26 |
--------------------------------------------------------------------------------
/src/main/resources/com/cloudbees/jenkins/plugins/sshcredentials/impl/Messages_ja.properties:
--------------------------------------------------------------------------------
1 | #
2 | # The MIT License
3 | #
4 | # Copyright (c) 2011-2013, CloudBees, Inc., Stephen Connolly, Seiji Sogabe
5 | #
6 | # Permission is hereby granted, free of charge, to any person obtaining a copy
7 | # of this software and associated documentation files (the "Software"), to deal
8 | # in the Software without restriction, including without limitation the rights
9 | # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | # copies of the Software, and to permit persons to whom the Software is
11 | # furnished to do so, subject to the following conditions:
12 | #
13 | # The above copyright notice and this permission notice shall be included in
14 | # all copies or substantial portions of the Software.
15 | #
16 | # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 | # THE SOFTWARE.
23 | #
24 | BasicSSHUserPrivateKey.DirectEntryPrivateKeySourceDisplayName=\u76f4\u63a5\u5165\u529b
25 | BasicSSHUserPrivateKey.DisplayName=SSH \u30e6\u30fc\u30b6\u30fc\u540d\u3068\u79d8\u5bc6\u9375
26 |
--------------------------------------------------------------------------------
/src/main/resources/index.jelly:
--------------------------------------------------------------------------------
1 |
2 |
3 | Allows storage of SSH credentials in Jenkins
4 |