Key based authentication (#414)

README.md

@@ -68,7 +68,7 @@ To use this plugin to create VM agents, first you need to have an Azure Service
      Jenkins will only build a project on this node when that project is restricted to certain nodes using a label expression, and that expression matches this node's name and/or labels.
      This allows an agent to be reserved for certain kinds of jobs.
 10. Select a built-in image, you can choose between Windows Server 2016 and Ubuntu 16.04 LTS. You can also choose to install some tools on the agent, including Git, Maven and Docker (JDK is always installed).
-11. Specify Admin Credentials (a username/password credentials), this is the username and password if you want to log into the agent VM.
+11. Specify Admin Credentials - This needs to be either an "SSH Username with private key" or "Username with password" credential
 12. Click Verify Template to make sure all your configurations are correct, then Save.
 
 ### Run Jenkins Jobs on Azure VM Agents

pom.xml

@@ -77,6 +77,11 @@
             <groupId>org.jenkins-ci.plugins</groupId>
             <artifactId>jsch</artifactId>
         </dependency>
+        <dependency>
+            <groupId>com.sshtools</groupId>
+            <artifactId>maverick-synergy-client</artifactId>
+            <version>3.0.10</version>
+        </dependency>
         <dependency>
             <groupId>org.mockito</groupId>
             <artifactId>mockito-core</artifactId>

src/main/java/com/microsoft/azure/vmagent/AzureVMAgent.java

@@ -16,10 +16,8 @@
 package com.microsoft.azure.vmagent;
 
 import com.azure.resourcemanager.compute.models.OperatingSystemTypes;
-import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
 import com.microsoft.azure.util.AzureCredentials;
 import com.microsoft.azure.vmagent.remote.AzureVMAgentSSHLauncher;
-import com.microsoft.azure.vmagent.util.AzureUtil;
 import com.microsoft.azure.vmagent.util.CleanUpAction;
 import com.microsoft.azure.vmagent.util.Constants;
 import edu.umd.cs.findbugs.annotations.CheckForNull;
@@ -40,8 +38,15 @@
 import hudson.slaves.SlaveComputer;
 import hudson.util.FormValidation;
 import hudson.util.LogTaskListener;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.PrintStream;
+import java.nio.charset.StandardCharsets;
+import java.util.Collections;
+import java.util.List;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 import jenkins.model.Jenkins;
-
 import org.apache.commons.lang.StringUtils;
 import org.jenkinsci.plugins.cloudstats.CloudStatistics;
 import org.jenkinsci.plugins.cloudstats.ProvisioningActivity;
@@ -51,15 +56,6 @@
 import org.kohsuke.stapler.QueryParameter;
 import org.kohsuke.stapler.interceptor.RequirePOST;
 
-import java.io.IOException;
-import java.io.PrintStream;
-import java.io.ByteArrayInputStream;
-import java.nio.charset.StandardCharsets;
-import java.util.Collections;
-import java.util.List;
-import java.util.logging.Level;
-import java.util.logging.Logger;
-
 public class AzureVMAgent extends AbstractCloudSlave implements TrackedItem {
 
     private static final long serialVersionUID = -760014706860995557L;
@@ -633,9 +629,6 @@ public synchronized void deprovision(Localizable reason) throws Exception {
                     // Execute termination script
                     // Make sure to change file permission for execute if needed.
 
-                    // Grab the username/pass
-                    StandardUsernamePasswordCredentials creds = AzureUtil.getCredentials(vmCredentialsId);
-
                     if (isUnix) {
                         command = "sh " + REMOTE_TERMINATE_FILE_NAME;
                     } else {
@@ -647,8 +640,7 @@ public synchronized void deprovision(Localizable reason) throws Exception {
                             command,
                             terminateStream,
                             isUnix,
-                            executeInitScriptAsRoot,
-                            creds.getPassword().getPlainText());
+                            executeInitScriptAsRoot);
                     if (exitStatus != 0) {
                         LOGGER.log(Level.SEVERE,
                                 "Terminate script failed: exit code={0} ", exitStatus);

src/main/java/com/microsoft/azure/vmagent/AzureVMAgentTemplate.java

@@ -21,10 +21,11 @@
 import com.azure.resourcemanager.compute.models.DiskSkuTypes;
 import com.azure.resourcemanager.storage.models.SkuName;
 import com.azure.resourcemanager.storage.models.StorageAccount;
+import com.cloudbees.jenkins.plugins.sshcredentials.SSHUserPrivateKey;
 import com.cloudbees.plugins.credentials.CredentialsProvider;
 import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
+import com.cloudbees.plugins.credentials.common.StandardUsernameCredentials;
 import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
-import com.cloudbees.plugins.credentials.domains.DomainRequirement;
 import com.jcraft.jsch.OpenSSHConfig;
 import com.microsoft.azure.util.AzureBaseCredentials;
 import com.microsoft.azure.util.AzureCredentialUtil;
@@ -49,7 +50,6 @@
 import hudson.Util;
 import hudson.model.Describable;
 import hudson.model.Descriptor;
-import hudson.model.Item;
 import hudson.model.Label;
 import hudson.model.Node;
 import hudson.model.TaskListener;
@@ -65,7 +65,6 @@
 import java.security.NoSuchAlgorithmException;
 import java.util.ArrayList;
 import java.util.Base64;
-import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -80,11 +79,11 @@
 import org.kohsuke.accmod.Restricted;
 import org.kohsuke.accmod.restrictions.DoNotUse;
 import org.kohsuke.accmod.restrictions.NoExternalUse;
-import org.kohsuke.stapler.AncestorInPath;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.DataBoundSetter;
 import org.kohsuke.stapler.QueryParameter;
 import org.kohsuke.stapler.interceptor.RequirePOST;
+import org.kohsuke.stapler.verb.POST;
 
 /**
  * This class defines the configuration of Azure instance templates.
@@ -1086,7 +1085,7 @@ public String getCredentialsId() {
         return credentialsId;
     }
 
-    public StandardUsernamePasswordCredentials getVMCredentials() throws AzureCloudException {
+    public StandardUsernameCredentials getVMCredentials() throws AzureCloudException {
         return AzureUtil.getCredentials(credentialsId);
     }
 
@@ -1444,16 +1443,19 @@ public ListBoxModel doFillVirtualMachineSizeItems(
             return model;
         }
 
-        public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item owner) {
-            // when configuring the job, you only want those credentials that are available to ACL.SYSTEM selectable
-            // as we cannot select from a user's credentials unless they are the only user submitting the build
-            // (which we cannot assume) thus ACL.SYSTEM is correct here.
-            return new StandardListBoxModel().withAll(
-                    CredentialsProvider.lookupCredentials(
-                            StandardUsernamePasswordCredentials.class,
-                            owner,
-                            ACL.SYSTEM,
-                            Collections.<DomainRequirement>emptyList()));
+        @POST
+        public ListBoxModel doFillCredentialsIdItems(@QueryParameter String credentialsId) {
+            StandardListBoxModel model = new StandardListBoxModel();
+            Jenkins context = Jenkins.get();
+            if (!context.hasPermission(CredentialsProvider.CREATE)
+                    && !context.hasPermission(CredentialsProvider.UPDATE)) {
+                return model.includeCurrentValue(credentialsId);
+            }
+
+            return model
+                    .includeAs(ACL.SYSTEM, context, SSHUserPrivateKey.class)
+                    .includeAs(ACL.SYSTEM, context, StandardUsernamePasswordCredentials.class)
+                    .includeCurrentValue(credentialsId);
         }
 
         public ListBoxModel doFillOsTypeItems() throws IOException, ServletException {

src/main/java/com/microsoft/azure/vmagent/AzureVMCloud.java

@@ -1029,7 +1029,7 @@ private void releaseLockForAgent(AzureVMAgent agent) {
     }
 
     public AzureResourceManager getAzureClient() {
-        if (azureClient == null) {
+        if (azureClient == null && credentialsId != null) {
             this.azureClient = AzureResourceManagerCache.get(credentialsId);
         }
 

src/main/java/com/microsoft/azure/vmagent/AzureVMManagementServiceDelegate.java

@@ -49,6 +49,8 @@
 import com.azure.storage.blob.BlobUrlParts;
 import com.azure.storage.blob.models.BlobItem;
 import com.azure.storage.common.StorageSharedKeyCredential;
+import com.cloudbees.jenkins.plugins.sshcredentials.SSHUserPrivateKey;
+import com.cloudbees.plugins.credentials.common.StandardUsernameCredentials;
 import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
@@ -60,10 +62,12 @@
 import com.microsoft.azure.vmagent.exceptions.AzureCloudException;
 import com.microsoft.azure.vmagent.launcher.AzureComputerLauncher;
 import com.microsoft.azure.vmagent.launcher.AzureSSHLauncher;
-import com.microsoft.azure.vmagent.retry.NoRetryStrategy;
 import com.microsoft.azure.vmagent.util.*;
 import com.microsoft.jenkins.credentials.AzureResourceManagerCache;
+import com.sshtools.common.publickey.InvalidPassphraseException;
+import com.sshtools.common.ssh.SshException;
 import hudson.model.Descriptor.FormException;
+import hudson.util.Secret;
 import io.jenkins.plugins.azuresdk.HttpClientRetriever;
 import jenkins.model.Jenkins;
 import jenkins.slaves.JnlpAgentReceiver;
@@ -579,9 +583,8 @@ public AzureVMDeploymentInfo createDeployment(
 
             putVariable(tmp, "vmSize", template.getVirtualMachineSize());
             // Grab the username/pass
-            StandardUsernamePasswordCredentials creds = template.getVMCredentials();
+            StandardUsernameCredentials creds = template.getVMCredentials();
 
-            putVariable(tmp, "adminUsername", creds.getUsername());
             putVariableIfNotBlank(tmp, "storageAccountName", storageAccountName);
             putVariableIfNotBlank(tmp, "storageAccountType", storageAccountType);
             putVariableIfNotBlank(tmp, "blobEndpointSuffix", blobEndpointSuffix);
@@ -618,8 +621,22 @@ public AzureVMDeploymentInfo createDeployment(
 
             final ObjectNode parameters = MAPPER.createObjectNode();
 
-            defineParameter(tmp, "adminPassword", "secureString");
-            putParameter(parameters, "adminPassword", creds.getPassword().getPlainText());
+            defineParameter(tmp, "adminUsername", "string");
+            putParameter(parameters, "adminUsername", creds.getUsername());
+
+            defineParameter(tmp, "authenticationType", "string");
+            defineParameter(tmp, "adminPasswordOrKey", "secureString");
+            if (creds instanceof StandardUsernamePasswordCredentials) {
+                StandardUsernamePasswordCredentials passwordCredentials = (StandardUsernamePasswordCredentials) creds;
+                putParameter(parameters, "adminPasswordOrKey", passwordCredentials.getPassword().getPlainText());
+                putParameter(parameters, "authenticationType", "password");
+            } else {
+                SSHUserPrivateKey sshCredentials = (SSHUserPrivateKey) creds;
+                String privateKey = sshCredentials.getPrivateKeys().get(0);
+                String rsaPublicKey = KeyDecoder.getPublicKey(privateKey, Secret.toString(sshCredentials.getPassphrase()));
+                putParameter(parameters, "adminPasswordOrKey", rsaPublicKey);
+                putParameter(parameters, "authenticationType", "key");
+            }
 
             // Register the deployment for cleanup
             deploymentRegistrar.registerDeployment(
@@ -2014,18 +2031,23 @@ public List<String> verifyTemplate(
             }
 
             //verify password
-            String adminPassword = "";
-            try {
-                StandardUsernamePasswordCredentials creds = AzureUtil.getCredentials(credentialsId);
-                adminPassword = creds.getPassword().getPlainText();
-            } catch (AzureCloudException e) {
-                LOGGER.log(Level.SEVERE, "Could not load the VM credentials", e);
-            }
+            String adminPassword;
+            StandardUsernameCredentials creds = AzureUtil.getCredentials(credentialsId);
+            if (creds instanceof StandardUsernamePasswordCredentials) {
+                adminPassword = ((StandardUsernamePasswordCredentials) creds).getPassword().getPlainText();
 
-            validationResult = verifyAdminPassword(adminPassword);
-            addValidationResultIfFailed(validationResult, errors);
-            if (returnOnSingleError && !errors.isEmpty()) {
-                return errors;
+                validationResult = verifyAdminPassword(adminPassword);
+                addValidationResultIfFailed(validationResult, errors);
+                if (returnOnSingleError && !errors.isEmpty()) {
+                    return errors;
+                }
+            } else {
+                SSHUserPrivateKey sshCredentials = (SSHUserPrivateKey) creds;
+                validationResult = verifySSHKey(sshCredentials.getPrivateKeys(), sshCredentials.getPassphrase());
+                addValidationResultIfFailed(validationResult, errors);
+                if (returnOnSingleError && !errors.isEmpty()) {
+                    return errors;
+                }
             }
 
             //verify JVM Options
@@ -2394,6 +2416,26 @@ private static String verifyAdminPassword(String adminPassword) {
         }
     }
 
+    private static String verifySSHKey(List<String> sshKeys, Secret passphrase) throws RuntimeException {
+        if (sshKeys == null || sshKeys.isEmpty()) {
+            return Messages.AzureVMManagementServiceDelegate_SSH_Missing_Key();
+        }
+
+        if (sshKeys.size() > 1) {
+            return Messages.AzureVMManagementServiceDelegate_SSH_Multiple_Keys_Found();
+        }
+
+        String sshKey = sshKeys.get(0);
+        try {
+            KeyDecoder.getPublicKey(sshKey, Secret.toString(passphrase));
+        } catch (IOException | InvalidPassphraseException | SshException e) {
+            LOGGER.log(Level.INFO, "Failed to validate SSH key", e);
+            return Messages.AzureVMManagementServiceDelegate_SSH_Invalid_Key_Format();
+        }
+
+        return Constants.OP_SUCCESS;
+    }
+
     private static String verifyJvmOptions(String jvmOptions) {
         if (StringUtils.isBlank(jvmOptions) || AzureUtil.isValidJvmOption(jvmOptions)) {
             return Constants.OP_SUCCESS;