Add Support for SSH Authentication

[Phillipus]

I'm opening this as a new issue so we can make a fresh start.

[Phillipus]

This is really a continuation of PR #78

I've taken the code in PR #78 and made the changes required:

• Removed the following entries from the .classpath file, as they were causing log problems: <classpathentry exported="true" kind="lib" path="lib/slf4j-api-1.7.25.jar"/> <classpathentry exported="true" kind="lib" path="lib/slf4j-simple-1.7.25.jar"/>

• Refactored into SSHAuthenticater class. ArchiRepository class now calls this.

• Throw exceptions if there are problems accessing identity files and passwords

• testConnection(repositoryURL, null); in ProxyAuthenticater checks whether SSH or HTTPS is used

[Phillipus]

The new code has been pushed to the "ssh2" branch.

[Phillipus]

Just to re-iterate, this is building on the PR of @potto007, so credit where it's due.

[Phillipus]

Here's an example of how to create the keyfiles and add the public key to GitHub.

This example uses Windows and a Git Bash terminal.

Create the files:

1. ssh-keygen -t rsa -b 4096 -m PEM -C "yourGitHubEmailAddress"
2. Enter a pass-phrase when prompted
3. eval $(ssh-agent -s)
4. ssh-add ~/.ssh/id_rsa

Add to GitHub:

1. Copy the public key to clipboard with clip < ~/.ssh/id_rsa.pub
2. At GitHub create a new key at https://github.com/settings/keys and paste the contents of the clipboard

For reference:

https://help.github.com/articles/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent/#platform-windows

https://help.github.com/articles/adding-a-new-ssh-key-to-your-github-account/

[Phillipus]

TODO:

If SSH is used there's no need for the user name and password in these dialogs:

CloneInputDialog NewModelRepoDialog UserNamePasswordDialog

Or in the methods that take username and password as parameters.

Might be possible to have one Authenticator class that handles both SSH and HTTPS and sets the username/password or SSH factory in the TransportConfigCallback#configure(Transport) method.

Note to self - it's "Authenticator" not "Authenticater" ;-)

[Phillipus]

Note to self - it's "Authenticator" not "Authenticater" ;-)

Classes renamed and re-pushed.

[Phillipus]

I've now done a major refactor on this.

• We now have one CredentialsAuthenticator class that handles both SSH and HTTPS and sets the username/password or SSH factory in the TransportConfigCallback#configure(Transport) method.
• Dialogs have disabled username/password text fields if SSH is used
• Checks in several places whether HTTPS or SSH
• Refactored sequence of getting username and password

[Phillipus]

(And I've repushed the "ssh2" branch fresh again, so local copies will be out of sync)

[Phillipus]

Now that I've got this far with it, surely it would be possible to set whether to use SSH or HTTP on a per repository basis?

At the moment it is either all HTTPS or all SSH. Why not set the option per repo? As for different SSH credentials, surely the rsa file can hold more than one?

How to distinguish between them? By URL? By a user setting?

[Phillipus]

Now that I've got this far with it, surely it would be possible to set whether to use SSH or HTTP on a per repository basis?

Yes, and it's done. Both HTTPS and SSH work together. Everything works great. :-)

~When cloning or adding a model to the workspace, the user can choose between the two. Credentials are stored as appropriate. All actions now read the config file to see whether to use SSH or HTTPS.~

[WatchTh1]

Will it be merged into "testing" release with branching support?

пн, 25 февр. 2019 г. в 16:34, Phil Beauvoir notifications@github.com:

Now that I've got this far with it, surely it would be possible to set whether to use SSH or HTTP on a per repository basis?

Yes, and it's done. Both HTTPS and SSH work together. Everything works great. :-)

When cloning or adding a model to the workspace, the user can choose between the two. Credentials are stored as appropriate. All actions now read the config file to see whether to use SSH or HTTPS.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/archimatetool/archi-modelrepository-plugin/issues/81#issuecomment-467012880, or mute the thread https://github.com/notifications/unsubscribe-auth/AlIkQ5yD9--X98UHCSzsXjUL8JyTzlqOks5vQ-Z7gaJpZM4bOErm .

[Phillipus]

@WatchTh1 It will be released this week, hopefully.

[Phillipus]

~A setting is added to the git config file at the clone or add model point if SSH is chosen.~

~The user can thereafter change between SSH and HTTPS in the Properties Authentication section of a selected model in the Collaboration Workspace. This is in case of user error, or if the URL changes rather than manually changing that config entry.~

In the longer term we should be able to determine if the origin git repo is SSH or not by its URL.

[Phillipus]

In the longer term we should be able to determine if the origin git repo is SSH or not by its URL.

Make that the shorter term. This is done now. No need to set this in the config file or ask the user to set one or the other. It is determined by the URL. This is how JGit does it too,

[Phillipus]

Wiki entry added - https://github.com/archimatetool/archi-modelrepository-plugin/wiki/SSH-Authentication

[Phillipus]

~I have a very simple way to determine if a URL uses SSH - if it starts with "git" or "ssh:".~

~I'm sure this doesn't cover all cases. Anyone know what the regex is, or all protocols?~

Edit: solved.

[Phillipus]

Edit: see comment below for binary plug-ins that include SSH support.

[Phillipus]

I'm keen to know if this is working for folks. ;-)

[jbsarrodie]

I'm keen to know if this is working for folks. ;-)

Unfortunately I have no use case for SSH, so I'll test it but will not use it in production (at least with my team and current clients/partners). Will let you know when done.

[Phillipus]

One thing we didn't consider was using the SSH protocol with Archi's CLI implementation of cloning a repository. This was set to do HTTP only.

As the CLI doesn't access Archi's Preferences it can't get the path to the SSH identity file or optional password.

So, after several more hours of refactoring I have implemented a solution. ;-)

CLI options are now:

--modelrepository.cloneModel <url>                  Clone a collaboration model from <url> to the <path> set in option
                                                    --modelrepository.loadModel (optional).
--modelrepository.identityFile <identity file>      Path to SSH identity file (if option modelrepository.cloneModel is used with SSH
                                                    protocol))
--modelrepository.loadModel <path>                  Load a collaboration model from the given repository folder at <path> (required
                                                    if option --modelrepository.cloneModel is used).
--modelrepository.passFile <password file>          Path to a file containing the HTTP login password or the password to the SSH
                                                    identity file (required if option --modelrepository.cloneModel is used).
--modelrepository.userName <userName>               Online repository login user name (required if option
                                                    --modelrepository.cloneModel is used with HTTP protocol).

(Note to self - factor in 5x more time than you originally planned for a new feature ;-) )

[Phillipus]

This has been released now https://www.archimatetool.com/plugins/

If any new issues arise around this please open a new issue.