Add git-client ssh host key verifier setting
New git-client plugin requires additional configuration
PROD-37234
Change-Id: I56270355deb361a49a1beca3827ee66d18db4388
diff --git a/README.rst b/README.rst
index 96e6b1e..ff3a48a 100644
--- a/README.rst
+++ b/README.rst
@@ -892,6 +892,22 @@
security:
csp: "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"
+Git-client plugin's ssh host key verification strategy:
+
+Allowed settings:
+
+.. code-block:: yaml
+ - noHostKeyVerificationStrategy
+ - knownHostsFileVerificationStrategy
+ - acceptFirstConnectionStrategy
+
+.. code-block:: yaml
+
+ jenkins:
+ client:
+ security:
+ git_ssh_host_key_strategy: "acceptFirstConnectionStrategy"
+
Usage
=====
diff --git a/_states/jenkins_security.py b/_states/jenkins_security.py
index ae4a496..785c56c 100644
--- a/_states/jenkins_security.py
+++ b/_states/jenkins_security.py
@@ -132,6 +132,25 @@
"matrix_class": "ProjectMatrixAuthorizationStrategy" if project_based else "GlobalMatrixAuthorizationStrategy"},
"Jenkins Matrix security setting")
+
+def git_ssh_host_key(name, strategy):
+ """
+ Jenkins git client plugin SSH host key strategy
+
+ :param name: salt state name
+ :param strategy: chosen strategy, one of
+ noHostKeyVerificationStrategy, knownHostsFileVerificationStrategy, acceptFirstConnectionStrategy
+ :returns: salt-specified state dict
+ """
+ template = __salt__['jenkins_common.load_template'](
+ 'salt://jenkins/files/groovy/security.git_ssh_host_key_strategy.template',
+ __env__)
+ return __salt__['jenkins_common.api_call'](name, template,
+ ["CHANGED", "SKIPPED"],
+ {"strategy": strategy},
+ "Jenkins Git client plugin SSH host key strategy setting")
+
+
def _build_strategies(permissions):
strategies_str = ""
for strategy in _to_strategies_list(
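Review bot: `git_ssh_host_key` passes `strategy` to the template unchecked, and the only allow-list test sits in the Groovy script, where `${strategy}` appears both inside a string literal and as a bare identifier. If the placeholder is filled by text substitution before the script runs (likely, since a bare `${strategy}` is not valid Groovy otherwise), that check cannot protect the script text itself. Validating against the three documented names in the state, before `load_template`, keeps a mistyped or malformed pillar value out of the script and gives a clear failure comment. The docstring could also say that `noHostKeyVerificationStrategy` turns host key checking off and that `acceptFirstConnectionStrategy` trusts the first key seen, so the choice is made deliberately. `_build_strategies` at the end of the hunk continues outside it.

```python
def git_ssh_host_key(name, strategy):
    # … unchanged: docstring …
    allowed = ('noHostKeyVerificationStrategy',
               'knownHostsFileVerificationStrategy',
               'acceptFirstConnectionStrategy')
    if strategy not in allowed:
        return {'name': name,
                'changes': {},
                'result': False,
                'comment': 'Unsupported git SSH host key strategy: %r' % (strategy,)}
    # … unchanged: load_template and api_call …
```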
diff --git a/jenkins/client/security.sls b/jenkins/client/security.sls
index d86adcd..08ae31c 100644
--- a/jenkins/client/security.sls
+++ b/jenkins/client/security.sls
@@ -43,3 +43,8 @@
{{ client.security.agent2master.get('file_path_rules', '')|indent(8) }}
{%- endif %}
+{%- if client.security.git_ssh_host_key_strategy is defined %}
+jenkins_git_host_key_strategy:
+ jenkins_security.git_ssh_host_key:
+ - strategy: {{ client.security.get('git_ssh_host_key_strategy') }}
+{%- endif %}
diff --git a/jenkins/files/groovy/security.git_ssh_host_key_strategy.template b/jenkins/files/groovy/security.git_ssh_host_key_strategy.template
new file mode 100644
index 0000000..19f8b49
--- /dev/null
+++ b/jenkins/files/groovy/security.git_ssh_host_key_strategy.template
@@ -0,0 +1,25 @@
+#!groovy
+
+
+import org.jenkinsci.plugins.gitclient.verifier.*
+
+def instance = Jenkins.getInstance().getDescriptor("org.jenkinsci.plugins.gitclient.GitHostKeyVerificationConfiguration")
+
+if (!instance){
+ print ("SKIPPED")
+ return true
+}
+
+noHostKeyVerificationStrategy = new NoHostKeyVerificationStrategy()
+knownHostsFileVerificationStrategy = new KnownHostsFileVerificationStrategy()
+acceptFirstConnectionStrategy = new AcceptFirstConnectionStrategy()
+
+acceptableStrategies = ['noHostKeyVerificationStrategy', 'knownHostsFileVerificationStrategy', 'acceptFirstConnectionStrategy']
+if (acceptableStrategies.contains("${strategy}")){
+ instance.setSshHostKeyVerificationStrategy(${strategy})
+ instance.save()
+ print("CHANGED")
+}
+else {
+ print "Error: '${strategy}' is not in available strategies: ${acceptableStrategies}"
+}
\ No newline at end of file
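Review bot: The success branch calls `save()` and prints `CHANGED` on every run, even when the descriptor already holds the requested strategy, so the state will most likely report a change on each run and real drift of this security setting becomes hard to spot in the output. Comparing first, e.g. `if (instance.getSshHostKeyVerificationStrategy()?.getClass() == ${strategy}.getClass()) { print("SKIPPED"); return true }`, would avoid that; a separate "unchanged" token would be clearer but would also have to be added to the list the state accepts. Separately, the missing-descriptor branch prints `SKIPPED`, which the state appears to treat as success, so a requested `knownHostsFileVerificationStrategy` can look applied on a Jenkins whose plugin does not offer the setting. A comment stating that this is intended, or a failure in that branch, would make the outcome explicit.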