Create UserPrivateKeySource Credential via Groovy?


Kenneth Baltrinic

Jan 27, 2015, 8:32:39 AM
to jenkins...@googlegroups.com
It's me again, still trying to configure Jenkins via Chef.  In this case I have extracted from the opscode Jenkins cookbook their script for creating ssh credentials and have attempted to modify it to create a credential from a UserPrivateKeySource instead of the DirectEntryPrivateKeySource that the opscode script creates.  Perhaps I don't understand the UserPrivateKeySource class or its purpose correctly, but I am not getting the results I want.

Essentially what I am trying to do is this:  The cookbook has already installed an SSH key pair in the Master Jenkins user's .ssh directory.  Now I want to programmatically create a credential in Jenkins to use that pair.  The script should be the automated equivalent of choosing the "From the Jenkins master ~/.ssh" option in the Manage Credentials UI.  It seems to me that the UserPrivateKeySource class is what I want, but when I use it, what I get in the UI is the "Enter Directly" option checked, with the private key from the .ssh folder loaded into the UI!  :-(  So it's using the right key, but it's making it visible in the UI, which is a no-no for us.   Moreover, if I go in and manually choose the right option later, the update part of the script switches it back to "Enter Directly" on the next chef run.

Below is the recipe snippet containing the groovy script that I am using to create the credentials.  Any advice on what I am doing wrong would be greatly appreciated.


jenkins_script 'create ~/.ssh credentials' do
    command <<-EOH.gsub(/ ^{8}/, '')
        import jenkins.model.*
        import com.cloudbees.plugins.credentials.*
        import com.cloudbees.plugins.credentials.common.*
        import com.cloudbees.plugins.credentials.domains.*
        import com.cloudbees.jenkins.plugins.sshcredentials.impl.*
        import hudson.plugins.sshslaves.*;

        global_domain = Domain.global()
        credentials_store =
          Jenkins.instance.getExtensionList(
            'com.cloudbees.plugins.credentials.SystemCredentialsProvider'
          )[0].getStore()

        credentials = new BasicSSHUserPrivateKey(
          CredentialsScope.GLOBAL,
          "#{node['cvent-jenkins']['ssh-user-id']}",
          "#{node['cvent-jenkins']['ssh-user']}",
          new BasicSSHUserPrivateKey.UsersPrivateKeySource(),
          "",
          "Credential ID: #{node['cvent-jenkins']['ssh-user-id']}"
        )

        // Create or update the credentials in the Jenkins instance
        username_matcher = CredentialsMatchers.withUsername("#{node['cvent-jenkins']['ssh-user']}")
        available_credentials =
          CredentialsProvider.lookupCredentials(
            StandardUsernameCredentials.class,
            Jenkins.getInstance(),
            hudson.security.ACL.SYSTEM,
            new SchemeRequirement("ssh")
          )

        existing_credentials =
          CredentialsMatchers.firstOrNull(
            available_credentials,
            username_matcher
          )

        if(existing_credentials != null) {
          // !!This will take an existing UserPrivateKeySource credential and 
          // turn it into a DirectEntryPrivateKeySource credentials. :(
          credentials_store.updateCredentials(
            global_domain,
            existing_credentials,
            credentials
          )
        } else {
          credentials_store.addCredentials(global_domain, credentials)
        }
    EOH
end

Imran Hayder

Mar 17, 2015, 12:44:42 AM
to jenkins...@googlegroups.com
I have tried and it doesn't work..
Call it a bug or whatever, but I just confirmed from the source code of this plugin,
where one commit in the unit test folder says:

ReadFileOnMaster etc. did not actually work.

Simpler and better to writeReplace a DirectEntryPrivateKeySource.
Source: https://github.com/jenkinsci/ssh-credentials-plugin/commit/1a17d759c5c559ae050681364703dd5f02b5e0f0
sad :// 
I will prefer giving a path to my ssh private key instead of entering it from a groovy script ..

Imran Hayder

Mar 17, 2015, 1:56:11 AM
to jenkins...@googlegroups.com
OK I FINALLY GOT IT WORKING:))
Thanks to your code.
Your code works perfectly fine for me ... I just skimmed it down to use "UsersPrivateSource" method ..
I ran it against a live jenkins instance and it worked right away:)
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

import jenkins.model.*
import com.cloudbees.plugins.credentials.*
import com.cloudbees.plugins.credentials.common.*
import com.cloudbees.plugins.credentials.domains.*
import com.cloudbees.jenkins.plugins.sshcredentials.impl.*
import hudson.plugins.sshslaves.*;

global_domain = Domain.global()
credentials_store =
  Jenkins.instance.getExtensionList(
    'com.cloudbees.plugins.credentials.SystemCredentialsProvider'
  )[0].getStore()

credentials = new BasicSSHUserPrivateKey(
  CredentialsScope.GLOBAL,
  null,
  "root",
  new BasicSSHUserPrivateKey.UsersPrivateKeySource(),
  "",
  ""
)

credentials_store.addCredentials(global_domain, credentials)
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

On Tuesday, January 27, 2015 at 5:32:39 AM UTC-8, Kenneth Baltrinic wrote:
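
The two posts disagree about which key source a credential ends up with once stored, so here is an added example (not part of the thread and not the plugin's or cookbook's code) that reads a credentials file and reports, for each SSH credential, the persisted `privateKeySource` class and whether key material sits inline in the file. The XML layout and all sample values are constructed assumptions; only the class names come from the scripts above.

```python
import xml.etree.ElementTree as ET

# Class name taken from the imports in the scripts above.
IMPL = "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey"

# Constructed sample. The element layout is an assumption about how the
# plugin persists these entries; the key text is a placeholder, not a key.
SAMPLE_CREDENTIALS_XML = f"""
<com.cloudbees.plugins.credentials.SystemCredentialsProvider>
  <domainCredentialsMap>
    <entry>
      <java.util.concurrent.CopyOnWriteArrayList>
        <{IMPL}>
          <scope>GLOBAL</scope>
          <id>example-id-1</id>
          <username>root</username>
          <privateKeySource class="{IMPL}$UsersPrivateKeySource"/>
        </{IMPL}>
        <{IMPL}>
          <scope>GLOBAL</scope>
          <id>example-id-2</id>
          <username>deploy</username>
          <privateKeySource class="{IMPL}$DirectEntryPrivateKeySource">
            <privateKey>CONSTRUCTED-PLACEHOLDER</privateKey>
          </privateKeySource>
        </{IMPL}>
      </java.util.concurrent.CopyOnWriteArrayList>
    </entry>
  </domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>
"""

def audit_ssh_key_sources(xml_text):
    """Return (id, username, source_kind, has_inline_key) per SSH credential."""
    findings = []
    for cred in ET.fromstring(xml_text).iter(IMPL):
        src = cred.find("privateKeySource")
        # The inner class name after '$' identifies the key source type.
        kind = src.get("class", "").rsplit("$", 1)[-1] if src is not None else "missing"
        inline = src is not None and bool((src.findtext("privateKey") or "").strip())
        findings.append((cred.findtext("id"), cred.findtext("username"), kind, inline))
    return findings

if __name__ == "__main__":
    for cred_id, user, kind, inline in audit_ssh_key_sources(SAMPLE_CREDENTIALS_XML):
        flag = "key material stored in file" if inline else "no inline key"
        print(f"{cred_id} ({user}): {kind}: {flag}")
```

Running it against the real file after a Chef run, and again after a Jenkins restart, shows whether the stored entry stays a `UsersPrivateKeySource` or has been rewritten to a direct entry.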