Welcome to Google Summer of Code 2021. It's the 3rd of June. This is the Git Credentials Binding Project. Thanks. So Harshit, I had username, password, binding prototype on Windows and I think you'd suggested a demonstration. I like that a lot. And even if that was all we completed, that would be great. Are there any other things you'd like to put on today's session? Yeah, I just wanted to know like, is there a fixed number of meetings that we have to have every week during the coding phase also? Oh, good question. Yeah, and I don't think there is. So meeting plans during coding phase. So that's what we may wanna do is bring that to the next meeting when we've got Justin there and Rishabh first meeting next week because I think they may be willing to say, let's switch to once a week rather than doing twice a week. If you think it will work for you or once a week plus the option, if you say, hey, I have a question, they'll be happy to meet separately. So I believe in the past or I think last year we did one meeting a week and it was sufficient. Particularly since this year, your expected time is actually less per week than last year's was, right? The assumption is you're roughly, I think the assumption is you're putting roughly 20 hours a week into this and last year the assumption I think was 40. So one meeting a week may be more than enough. So that's a good topic for next meeting. Any other topics? All right, then let's go ahead and have you share your screen and show a demo. Oh, hello Rishabh. Hello, hi, I was on mute, I'm sorry. So Rishabh was just asking a question that I proposed to have answered in the next meeting about how many times a week to meet during the coding phase. Coding phase starts next Monday and Rishabh, do I remember correctly that we only met once a week during coding phase? We used to meet twice. Oh, okay. So open to both. It's something to negotiate with the mentors. Yeah, I can say it depends on how it works. I can say this again.
However, the schedule may change. Sorry for being late, I really didn't mean to. Great that you're here with us. So Harshit is going to show us username, username password credentials running on Windows. It is visible to all that. We can see your browser. I just have to make a few changes in there. I mean, I first, I was first using this command. So actually this, you created a separate directory under the pipeline job directory there. So due to which I have to use that. Right. Yeah, it was causing problems. So I think I should switch to this only. The Git step provided in the pipeline. And are you using the same credential ID in the Git step as you are in the, oh yes, you are. It's the same, good, very good. Okay, so good confirmation that it works. So now I wasn't sure you made two copies of that. What was the motivation for two copies? Oh, no, good step. Yeah, well, when you bring it up in the editor again, we'll see it. Okay, so the deleteDir on line seven clears out the workspace, good. And then on line eight, you do a checkout using the Git step of a branch named main without collecting changelog information using that credentials ID. And then I assume that the URL is off on the end of that. Yeah. And then in the with credentials, you do a git push to delete the v3 tag. Ah, okay. I can't close it to your request. But now why the next, why the clone on line 16? Why the Git step on line 16? Yeah, I have to, I mean, fetch the change. Like I'm pushing the tag, but I have to fetch the changes again, I'm not sure, but it is causing error if I don't use this step. Okay, I think so what you're doing the thing you're doing in line 12, I think you're doing a git push origin effectively minus, minus delete a tag named v3, is that right? So then what you're doing here in line 16 is saying, I need to retrieve that repository without the tag v3. Okay, so what you're doing is that that step you're doing in 16 at most is just doing a delete of a local tag. Yes.
Okay, and that's a very optimistic thing because Git doesn't always promise to do deletion of local tags. So this, okay, now I remember that this command is for deleting the tag from the server. There's another command for deleting the tag on the local server, but it won't delete in the remote server. So I'm directly deleting the remote server not in the local server. So using this, I'm just fetching the changes so it is automatically deleted in the local server as well. Right, and what I was warning is that I'm not, I think in that case you may actually be depending on a behavior that command line Git has changed over its lifetime. That if I remember right, there's actually code inside the Git plugin or the Git client plugin that does some very explicit deletion of remote tags because command line Git has changed its behavior over its lifetime for that. But this is great, what you're doing is good. Okay, so you clone the remote repository, delete the v3 tag from the remote, clone it again so that the deletion is now recorded locally and then you're going to tag, push the tag and you're going to push the branch named main as well. Is that correct on line 20? Yeah. Okay. Is there a missing back, I don't know if she's there? Yes, I guess so I have just corrected it because it already exists. Okay, but we can actually adjust that as well. So this is trying to apply the tag locally. So let's adjust inside your pipeline and let's do the tag deletion locally. So after line 12, you could just insert another, yeah, another bat command. And I think it's Git tag minus, minus delete v3, right? Now, I don't know if that will cause a problem if the tag does not exist. No, actually, it is on the local repository. Oh, okay. Let's see. Okay, and there is a way to, there is a way to ignore the return value from the bat command, I think just a minute, let me look to be sure. Pipeline notes and processes, bat, yeah, so you can add an additional statement. It is return status. 
It is a bat command. Yeah, the bat command takes it. So if you put it in, if you put parentheses around the argument, well, actually maybe, wait a sec, maybe there's a better way to do it. There's probably a better, a simpler way to do it. Just a minute. So cause a batch file to always succeed. I'm not finding it. There's a, how to make, how can I make my bat file continue after an error? There it is. Yes. Okay. So, so if after your Git tag command, the git tag minus, minus delete. Yeah. Right. On line 13, if on the end of that line, inside the single quote, you put an ampersand space and then something that succeeds like echo tag deleted. Because what that does is that says the first command that you issued, its return value will be ignored. And the second command's result will be used. Actually. It worked. Yeah. Okay. So what we should. Yeah, actually it worked. I commented the delete tag from the local repository and started the build again. Now. Okay. Great. I can show. There it is. Congratulations. I can build it again. Yep. Oh, this is also working. Excellent. That's great. Harshit. 23 seconds. I mean, I have tested on the bat comma batch files. I have to like in the project proposal, we were. Well, there was a discussion about the PowerShell steps as well. So I have to test it on that. Right. I have to install the plugin for that. PowerShell support. Oh, no, PowerShell should already be included in the same plugin that gives you the bat step, at least as far as I know it is. I think if you, if you just replaced one of your PowerShell commands in the demo you just did with a bat or bat command with a PowerShell command, it should just work. Oh, what, what is the command for that? Power P O W E R. S H E L L. Let's try it just to see. Yeah. And I think that modern Windows versions now do all have PowerShell installed. So, and you're running Windows 10, is that correct? Yes. Okay. I will see. Okay, it's got some message. Oh, right. The ampersand.
Yeah, probably not. You're, that's that good point. It did, it did some things. Yeah. I think it deleted the time. Okay. Yeah, I think PowerShell may be hiding failures from us. No, it's not. No. Okay. I can just comment. It shows success, but there is. It was the title that I three minutes ago. Right. So it's, it's not, it's not doing its job. Even if it's reporting success. Try catch throw. It's like it. It's like it's missing a closing. Double quote. There's some syntax problem in the script. Well, so open up the, open up the, open up the pipeline editor again. Let's take a look at it. Maybe we're just missing a closing double quote. Ah, yes. Look at that. I don't know why it ever worked line 20. You could either take out. The double quote that's there, or put a second double quote in either is fine. Yes. Yeah. Interesting. Bat was more forgiving. Yes. Masking supported pattern matches of GIT_USERNAME. Git password. Okay. Tag already exists. So now we need to delete the tag. Command. I should remove this. I think so. Yeah, because the tag should exist. Now it says tag v3 not found. Okay. So why, what happened there? All right. So. When is it same? After deleting the tag. v3 not found. Okay. So it says, so I can't tell if that's the push that's trying to push the tag that doesn't. Okay. So it has been deleted from the remote. That's good. Okay. So we know a part of the script is working. I think it is probably the script. Well, there's, there's work to be done to be sure it works on PowerShell. And you know that. So that's, that's good work to do. Yeah. Right. Congratulations. That's, that's great progress. Thanks. I have a question. So the process here is that. How should this testing. The binding is an imposter bindings for. Multiple platforms. With multiple executable and then this. The steps to. Be sure that this is working. The first is the interactive testing.
We're doing right now. And. After that, we're going to look at the... Then we're going to look at it, we're going to look at automatic tests or we're going to look at. Adding this to Git client plugin. And then look, look at those things. How are we sure that this is going to work. And we're not missing each basis. Okay. I just wanted to know that since this is, this is. So we, of course have interactive testing to. it's kind of a sanity check. I assume that, okay, this is working and the binding works for the commands, but also you're saying that you're going to cover, going to write automated test cases for the binding them in the Gitlan project. Yes. So at least for me, that was quite challenging. The writing automated tests for authentication cases usually means sharing a credential that publicly and that for me never worked. I just wasn't willing to share a credential publicly. So there are some tests either in the Git plugin or the Git client plugin that use a technique of relying on the existence of a file on the local disk to provide those credentials. And if the file doesn't exist, the test is skipped. So, and you could consider doing something like that, Harshit. There are also tests in the Git plugin that use a pipeline and they actually express pipeline in the test and that again, could be a good place to put that kind of a test where you say, if this special file exists on the disk and it contains a username, password pair, then use that username, password pair to create a Jenkins credential and use that credential to run this test. But for me, that's relatively, well, that's relatively exotic.
It could be really great if you could figure out how to do that, but I would think, at least for me, I'm more concerned with getting you through username, password and getting it released than I am worrying about if you get detailed test automation for the authentication cases. Now, Rishabh, you may have a different opinion there, a different view. I just think of, I was assuming it's going to quite difficult to write authentication test cases. I don't have a different opinion. I think if it works for you, then it's good. That's, I was just saying on my test cases because I just thought that interactive testing, I think it's a great thing to do and it's the best thing to do right now. But it's just that sometimes you tend to miss some cases and then we get bugs. But I understand the case here and the writing automated test cases is going to take a lot of considerable time of Harshit's. And we already have a lot of other work as well. And that seems challenging as well when it comes to SSH, right? Yeah, see, for me, I was thinking if we accept that username password, we want to get it implemented and released as quickly as possible so that Harshit has been through the experience of going all the way to shipping code. And we do that just as quickly as he can after he's done all the interactive testing. It's been code reviewed, et cetera. After all the usual steps, but, and if automation can be written for it, it should be, right? Test it as much as you can with unit tests. But end-to-end unit tests for this one seemed like it was going to be binding plug-in of how they're doing it. I'm not sure they may have mocks or something that they're using. Credentials binding. Right, because it's got this problem in spades, right? It has this problem everywhere. It, everything it does is binding a credential. And how does, how did Jesse write tests for that thing? And the answer is, I don't know how he did it.
But it certainly wouldn't be harmful to look at what he did and see how he did it. So Harshit, maybe that could be a good exercise for you to look at those tests. And if you can, you know, you can see and then estimate how much of an effort that looks like to you. If it looks like something we could easily put to get client back in this environment. It's okay. It's not like it is a necessary step because of course what Mark has said makes total sense. Releasing it, releasing the user password binding first, which is sufficient interactive testing would be a great, it's a progress. And then you would have a lot of material for the phase one evaluations as well. So I think it would be a good systematic way to do it. But yeah, we'll look at the French binding first, to estimate that effort. I will report it on the Gitter Chat. What are some of those? Thank you. Are there any other topics we should review today? I actually explored a little bit on the topic last time we were discussing that is converting OpenSSH private keys to PEM files using Bouncy Castle. So I have to show some code I tried. I haven't reached, I could not convert it into a PEM. Basically, Harshit, what we want is that we want a private key, right? We want to generate a private key from the whatever key we are trying to ingest. Essentially what we want is a private key, Java private key from it, right? From the key store we are able to generate a private key and then we pass it to whoever you want. So I like, can I share my screen and show you what I tried? Absolutely. So I have, I created a private key with passphrase and the public key as well. I just heard them here for ease of testing. So what I'm doing here, so Harshit, what I discovered, I'm not sure if you've seen this or not. And it is strange, Bouncy Castle is providing a spec for OpenSSH private key and a utility to parse it. So they are recognizing that there is a new format with OpenSSH users to encode their private keys.
So what I've essentially done is that I've, so they have a way of ingesting the file, which is to decode it, Base64 decode it and replace the headers. And so I was able to create the spec. The problem I'm facing is generating the private key. It's a weird one. It says that it does not support the encoding type. Oh. Yeah. Okay. What form of OpenSSH private key was it? Was it an RSA, an ED25519? So it's not an RSA definitely, because if it was RSA, then it would have said it, right? Well, at least mine, I had a case, I had at least one case where it didn't tell me it was RSA, but I knew it was. How can I confirm that? So I generated my key. I think there is an SS, let's see, what is it? Let me do a quick look. Which crypto format is my OpenSSH key in using? So what I want to, so in their own code, what they're telling us is that this is how you could use OpenSSH private key. It tries to figure out the encoded algorithm as well, I think in the code, but here it says that you create the private spec. This is the way they've created the pre-factory as well. They've used the boundary as a provider and the algorithm is thickness RSA. Okay. Yeah, and they generate the private key from this. So if it's just the matter of having the key factory, once we have the instance of the key factory, then it's all about generating the private key. So what I believe here is I'm still not 100% sure is that if they're providing the private key spec here, that means there is a possibility of, they do agree that, okay, we can do it. Because I thought initially that Bouncy does not support for my, I mean, using the open, it doesn't support the existence, very existence of OpenSSH private keys, the new format. But this leads to, I think we could do it. I'm not sure why it's not supporting the encoding. I did ask the same question in the mailing chat, in the Bouncy Castle mailing chat, but I haven't seen the reply yet.
Maybe what you're saying, Mark, is that maybe the algorithm is different. So you're saying that I should, can we just hit and try that? Sure, try ed25519. I don't know what format you used for your key, but it's worth trying. It may give us a different error message. I actually did not give any format, I just generated them using a file. I did not provide, I just assumed that I'm a user who will not provide the algorithm. Okay, so you didn't use a minus T, so then it definitely is using RSA. The default is still RSA. And this is the problem. So this is what it says, encrypted key is not supported. Encrypted key, huh? Yes, that's it. So maybe it only wants to read the public key, but it's an OpenSSH private key spec. It seems like it has to be private key. That's what I, it does have a public key spec as well, so I did not try that. I was more focused on generating the private key first. Yeah. So I also tried, I was thinking that, okay, this is a passphrase protected private key. Let's say I don't have a passphrase protected private key and just have a private key without it. And if I do that, let's say if I change the private key to that without passphrase, still it says a different error. Private key block has trailing data. Has all interesting. So, so well, but, but private underscore without, does it end with the same end OpenSSH private key sequence? Yes, it does. This is the private key I have. Private without. So this one is the private key I created the passphrase and without the passphrase, I don't see any difference in the way it is. Right. Yeah. It just seems like they do, they do recognize the existence of OpenSSH private key. And if that's the case, then there must be a way to, I think there must be a way to get the keys as well. But yeah, I really did not find any one on the internet doing it. So that's weird. I did not find someone using the private key. I did find people using it to generate OpenSSH private keys.
So I did find a case where a person was generating OpenSSH private keys using the key space. So there is a, they have also provided a utility to encode a private key or parse a private key. So we, if you want to generate private key, you would use encode private key. And this, this works. You can create the same. And it does recognize the new algorithm we have. So this is what the new format is using. Right. This is the new, I was reading about, because I could not figure out what is this new format, which OpenSSH has adopted. I was reading about it somewhere. Maybe this is something for me. I don't know who is her. I'll, you know, spend some more time on this and try to figure out if this can actually work or not. If you know anything about this, if you've seen this, then maybe you could share something when you were looking at bouncing. Okay. Can you please, can you show that what, which class is this OpenSSH private aspect? This is in the JCAJCE on spec package. Oh, so we had, oh, okay, okay, okay. So we are using the Bouncy Castle API provided by the Java. Okay. And should we not use that? I was using this. Yeah. Yeah. And your choice was, it's great. If you've found a Bouncy Castle implementation that does it, that's wonderful. It looks very promising. Yes. And they also have the test related to. Yeah. Yeah. Yeah. See, I actually went to that cool as well. Just. Acting up and I could not. What I was trying to look at is that if they've implemented this spec, they must have tested it as well. Right. There seems like it. Yes. And I was, that is what I wanted to see if I could. I was like, yeah, yeah, yeah, yeah. This, this is the test. Beautiful. Yeah. And there is an RSA private key. Okay. Oh, except that's an RSA private key, not an OpenSSH private key. So that's one of the old format. Yes. Which was weird to me because. I was like, yeah, yeah, yeah. It says.
It says private key spec and I thought that this is specially for the. For that for the RSA private key, the already. Have the key specs. I'm not sure. Why would it use the OpenSSH private key spec for it? We have a private keys and a specification for RSA. Separately seven length. So that is what confuse me. So it's it's a using the included RSA that it's using the DSA. And I think DSA is deprecated now, but it does not use a DSA to encrypt key. Right. As far as I know, DSA is long deprecated. So in their own tests, I could not find them using the latest format of the OpenSSH. But this is, I think, when this was written long back from it was 2018. I think I need to move forward to this. I need to find something about it. Then someone did report that this unit is failing. There is a certain format. We started to generate private keys. Oh, interesting. Okay, but they say they say that they have fixed it to support. Huh, to support ED25519. This is not, seems to be a different use case, but yeah. This is the problem is that I don't see anyone using this spec. The internet to actually do this, but yeah. And I think I did try ED25519 as well. And my factory says it does not understand. This is the right monitor, right? That's the right spelling. That's the spelling I recognize anyway. But it says that it does not. It says that it does not recognize the algorithm. Oh, maybe I use the wrong monitor. I think I use the smaller d. So, uh, I look, look at this one. I just want to share it so that if, Harshit, you know, you want to build on this. And maybe you know how to use this or to use the spec further with the key factory. If not, if this seems like a dead end, I definitely try it. We can go with your direct approach of converting it into a, so we were also thinking about converting it converting the OpenSSH private key into a PEM file right into a RSA encoding by using the ssh-keygen. Yes.
In PEM format, the algorithm will show itself like which encoding algorithm it uses. I mean, the private key will show itself which encoding algorithm it uses. Once it is converted into the PEM format. So essentially what we're thinking is that we will execute a shell. We will use a step and launch a command and the command will be that we're going to convert. Or do we expect the user to give us that key in that format? Do we specify that instead of generating? I'm thinking about the launch command functionality that is provided by the client plugin. But I have not. Which was a ssh-keygen -f the key and then -m PEM. That is what I think Mark mentioned. Yeah. It is mentioned in the docs. In the notes. Yeah, I'm, I'm not sure I'm following Rishabh. I apologize for not being entirely up. It's, it's been a sick day for me. Are there things that I need to be doing here? I'm sorry. I just took both of you to Robert. I think it's wonderful that you're looking at OpenSSH. Thank you very much. What a great thing to do. That's great. Thank you. And it looks promising for me. It does. I mean, your exploration seems to support that there's at least some thought about OpenSSH private keys inside Bouncy Castle. So we may be able to do much more than we expected with it. I, and with this thought, I just wanted to ask, what is the launch command with arguments and doing it programmatically? What are we trading off here? Is it, is it more execution time? It is more, it is much more expensive to create a sub process, run something and then come back than it is to do it native in Java. It's back to the, the JGit, the JGit case and ssh-keygen is probably even shorter lived than most git commands. You remember how we found that JGit could clone much faster on small repositories because the overhead of starting and stopping the process was much less. It didn't exist. But if we need to do ssh-keygen, we need to do ssh-keygen.
So there is a real benefit of if you're able to find it, find Bouncy Castle or any library to do this. It has a worthwhile benefit for us. I believe so. Yes, I think it's a real benefit. And one real benefit is that it, it makes it much more maintainable and much less reliant on specific programs being installed on the target computer. Every time we need to run an external program, we, we hope that the user has that external program installed on that agent. That's correct. So, so I think this could be done in a way where Harshit's progress is not blocked. I will look into it more if, Harshit, you feel like you, you investigate and you see something worthwhile. You can definitely share it with me. Mark from the chat with everyone, but I think you should continue with whatever you're doing and the plan is I can definitely look into it during the weekend. So it should not be a problem. And before we conclude where we're past our hour. Do we want to set a time and a day for our next meeting? So do we want to make it the ninth? So next, next Wednesday, do you want to make it sooner than that? Yeah, we can. I think we can have next Tuesday on eight. June. Okay. Oh, six, oh, eight. And again, at seven 30 a.m. India standard time. That's one that I won't be able to attend because that's during my time of running the, the documentation office hours with contributors in India. So, but Justin and Rishabh, you're both welcome to be there. That would be great with me. I think we can really, you should use your markets as long as you are here. So. Can we reschedule it to a time where you can also be available. So that you. We could, we could go one hour later on that day. But if I remember right, that collides with Harshit's school schedule. Or we could do it one day later. We can. We can. You go with the one or later. I'm in one hour later would work. Yeah. So my colleges are like. Starting the practical so there's not much. I have to do on that.
So, Rishabh, is that okay for you if we start one hour later 830 a.m. on Tuesday. Okay, so that mark to schedule that time. And we'll, we'll plan a, I'll send, I'll send the meeting invitation. We'll see if, if Justin is able, able to meet at that time. Great. Yeah, all we could keep it on. I'll see like if we were sitting Wednesday as the time. If that's what Justin is comfortable with as well. Yeah, for me Wednesday is difficult because that's the, the day before my surgery. So I would rather not do it on the ninth, if we can avoid it. So, so for me, it would be the eighth is much better, particularly if you're willing to do it one hour later. Yeah, for sure. Yeah. All right. I will, I will send the meeting invitation to everyone proposing that time. Thanks everybody. Thanks. Bye.