feat: add SSH Key Storage support and refactor code duplication

- Refactor GitPluginUtil: Extract duplicate code into readResourceMetaAsString() helper method
- Add SSH Key Storage support for Resource Model (feature parity with Workflow Steps)
- Add GIT_KEY_STORAGE_PATH property for SSH keys from Rundeck Key Storage
- Update GitResourceModel to retrieve SSH keys from Key Storage with precedence over filesystem
- Add UI field label clarification (Filesystem vs Storage Path)
- Add comprehensive test for SSH Key Storage authentication
- Update README with SSH Key Storage documentation

Maintains backwards compatibility - filesystem SSH key paths still work.

Author: fdevans

README.md

@@ -65,11 +65,14 @@ If both password fields are configured, the Key Storage path takes precedence fo
 #### SSH Key Authentication
 * **SSH: Strict Host Key Checking**: Use strict host key checking.
 If `yes`, require remote host SSH key is defined in the `~/.ssh/known_hosts` file, otherwise do not verify.
-* **SSH Key Path**: SSH Key Path to authenticate
+* **SSH Key Path (Filesystem)**: SSH Key Path from filesystem to authenticate
+* **SSH Key Storage Path**: SSH Key storage path from Rundeck Key Storage (more secure - recommended)
 
-**Recommended:** Use Key Storage for passwords instead of plain text. To use Key Storage:
-1. Store your password in Rundeck Key Storage (under `keys/` path)
-2. Select the password path using the Key Storage browser in the plugin configuration
+If both SSH key fields are configured, the Key Storage path takes precedence for security.
+
+**Recommended:** Use Key Storage for credentials instead of plain text or filesystem paths. To use Key Storage:
+1. Store your password or SSH key in Rundeck Key Storage (under `keys/` path)
+2. Select the credential path using the Key Storage browser in the plugin configuration
 
 ### Limitations
 

src/main/groovy/com/rundeck/plugin/GitResourceModel.groovy

@@ -77,9 +77,23 @@ class GitResourceModel implements ResourceModelSource , WriteableModelSource{
             }
         }
 
+        // SSH Key from filesystem path (checked first)
         if(configuration.getProperty(GitResourceModelFactory.GIT_KEY_STORAGE)) {
             gitManager.setSshPrivateKeyPath(configuration.getProperty(GitResourceModelFactory.GIT_KEY_STORAGE))
         }
+
+        // SSH Key from Key Storage (takes precedence if both are set)
+        if(services && configuration.getProperty(GitResourceModelFactory.GIT_KEY_STORAGE_PATH)){
+            ExecutionContext context = new ExecutionContextImpl.Builder()
+                    .framework(framework)
+                    .storageTree(services.getService(KeyStorageTree.class))
+                    .build();
+
+            def sshKey = GitPluginUtil.getFromKeyStorage(configuration.getProperty(GitResourceModelFactory.GIT_KEY_STORAGE_PATH), context)
+            if (sshKey != null) {
+                gitManager.setSshPrivateKey(sshKey)
+            }
+        }
     }
 
     @Override

src/main/groovy/com/rundeck/plugin/GitResourceModelFactory.groovy

@@ -38,6 +38,7 @@ class GitResourceModelFactory implements ResourceModelSourceFactory,Describable
     public final static String GIT_BRANCH="gitBranch"
     public final static String GIT_HOSTKEY_CHECKING="strictHostKeyChecking"
     public final static String GIT_KEY_STORAGE="gitKeyPath"
+    public final static String GIT_KEY_STORAGE_PATH="gitKeyPathStorage"
     public final static String GIT_PASSWORD_STORAGE="gitPasswordPath"
     public final static String GIT_PASSWORD_STORAGE_PATH="gitPasswordPathStorage"
 
@@ -47,6 +48,7 @@ class GitResourceModelFactory implements ResourceModelSourceFactory,Describable
     final static Map<String, Object> renderingOptionsAuthentication = GitPluginUtil.getRenderOpt("Authentication",false)
     final static Map<String, Object> renderingOptionsAuthenticationPassword = GitPluginUtil.getRenderOpt("Authentication",false, true)
     final static Map<String, Object> renderingOptionsAuthenticationPasswordStorage = GitPluginUtil.getRenderOpt("Authentication",false, false, true)
+    final static Map<String, Object> renderingOptionsAuthenticationKeyStorage = GitPluginUtil.getRenderOpt("Authentication",false, false, false, true)
     final static Map<String, Object> renderingOptionsConfig = GitPluginUtil.getRenderOpt("Configuration",false)
 
     GitResourceModelFactory(Framework framework) {
@@ -87,8 +89,10 @@ Some examples:
             .property(PropertyUtil.select(GIT_HOSTKEY_CHECKING, "SSH: Strict Host Key Checking", '''Use strict host key checking.
 If `yes`, require remote host SSH key is defined in the `~/.ssh/known_hosts` file, otherwise do not verify.''', false,
             "yes", LIST_HOSTKEY_CHECKING,null, renderingOptionsAuthentication))
-            .property(PropertyUtil.string(GIT_KEY_STORAGE, "SSH Key Path", 'SSH Key Path', false,
+            .property(PropertyUtil.string(GIT_KEY_STORAGE, "SSH Key Path (Filesystem)", 'SSH Key Path from filesystem', false,
             null,null,null, renderingOptionsAuthentication))
+            .property(PropertyUtil.string(GIT_KEY_STORAGE_PATH, "SSH Key Storage Path", 'SSH Key storage path from Rundeck Key Storage', false,
+            null,null,null, renderingOptionsAuthenticationKeyStorage))
             .build()
 
     @Override

src/main/groovy/com/rundeck/plugin/util/GitPluginUtil.groovy

@@ -37,14 +37,26 @@ class GitPluginUtil {
         return ret;
     }
 
-    static String getFromKeyStorage(String path, PluginStepContext context){
-        ResourceMeta contents = context.getExecutionContext().getStorageTree().getResource(path).getContents();
+    /**
+     * Reads the contents of a ResourceMeta and returns it as a String.
+     * 
+     * @param contents the ResourceMeta to read
+     * @return the contents as a UTF-8 String
+     * @throws IOException if an error occurs reading the contents
+     */
+    private static String readResourceMetaAsString(ResourceMeta contents) throws IOException {
         ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
-        contents.writeContent(byteArrayOutputStream);
-        String password = new String(byteArrayOutputStream.toByteArray(), StandardCharsets.UTF_8);
-
-        return password;
+        try {
+            contents.writeContent(byteArrayOutputStream);
+            return new String(byteArrayOutputStream.toByteArray(), StandardCharsets.UTF_8);
+        } finally {
+            byteArrayOutputStream.close();
+        }
+    }
 
+    static String getFromKeyStorage(String path, PluginStepContext context){
+        ResourceMeta contents = context.getExecutionContext().getStorageTree().getResource(path).getContents();
+        return readResourceMetaAsString(contents);
     }
 
     /**
@@ -68,14 +80,7 @@ class GitPluginUtil {
 
         try {
             ResourceMeta contents = storageTree.getResource(path).getContents();
-            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
-            try {
-                contents.writeContent(byteArrayOutputStream);
-                String password = new String(byteArrayOutputStream.toByteArray(), StandardCharsets.UTF_8);
-                return password;
-            } finally {
-                byteArrayOutputStream.close();
-            }
+            return readResourceMetaAsString(contents);
         } catch (Exception e) {
             ExecutionListener logger = context.getExecutionListener()
             logger.log(1, "Failed to retrieve password from Key Storage at path '${path}': ${e.message}");

src/test/groovy/com/rundeck/plugin/GitResourceModelSpec.groovy

@@ -216,6 +216,58 @@ class GitResourceModelSpec  extends Specification{
         result == nodeSet
     }
 
+    def "retrieve resource success using SSH key authentication from key storage"() {
+        given:
+
+        def nodeSet = Mock(INodeSet)
+        def framework = getFramework(nodeSet)
+
+        String path = "resources"
+        String fileName = "resources.xml"
+        String format = "xml"
+
+        File folder = new File(path)
+        if(!folder.exists()){
+            folder.mkdir()
+        }
+
+        Properties configuration = [
+                gitBaseDirectory:path,
+                gitFormatFile:format,
+                gitFile:fileName,
+                gitKeyPathStorage:"keys/git/ssh-key",
+        ]
+
+        def gitManager = Mock(GitManager)
+
+        def inputStream = GroovyMock(InputStream)
+        KeyStorageTree keyStorageTree = Mock(KeyStorageTree){
+            1 * getResource(_) >> Mock(Resource) {
+                1* getContents() >> Mock(ResourceMeta) {
+                    writeContent(_) >> { args ->
+                        args[0].write('-----BEGIN RSA PRIVATE KEY-----\ntest key content\n-----END RSA PRIVATE KEY-----'.bytes)
+                        return 65L
+                    }
+                }
+            }
+        }
+
+        Services services = Mock(Services){
+            1 * getService(KeyStorageTree) >> keyStorageTree
+        }
+
+        when:
+
+        def resource = new GitResourceModel(services,configuration,framework)
+        resource.setGitManager(gitManager)
+
+        def result = resource.getNodes()
+
+        then:
+        1 * gitManager.getFile(path) >> inputStream
+        result == nodeSet
+    }
+
 
     private Framework getFramework(INodeSet nodeSet){
         def resourceFormatParser = Mock(ResourceFormatParser){