Add Bitbucket Server auth provider

/werft no-preview

Author: corneliusludmann

components/server/ee/src/auth/host-container-mapping.ts

@@ -21,6 +21,9 @@ export class HostContainerMappingEE extends HostContainerMapping {
             return (modules || []).concat([gitlabContainerModuleEE]);
         case "Bitbucket":
             return (modules || []).concat([bitbucketContainerModuleEE]);
+        case "BitbucketServer":
+            // FIXME
+            return (modules || []).concat([bitbucketContainerModuleEE]);
         case "GitHub":
             return (modules || []).concat([gitHubContainerModuleEE]);
         default:

components/server/package.json

@@ -27,6 +27,7 @@
     "/dist"
   ],
   "dependencies": {
+    "@atlassian/bitbucket-server": "^0.0.6",
     "@gitbeaker/node": "^25.6.0",
     "@gitpod/content-service": "0.1.5",
     "@gitpod/gitpod-db": "0.1.5",

components/server/src/auth/host-container-mapping.ts

@@ -9,6 +9,7 @@ import { githubContainerModule } from "../github/github-container-module";
 import { gitlabContainerModule } from "../gitlab/gitlab-container-module";
 import { genericAuthContainerModule } from "./oauth-container-module";
 import { bitbucketContainerModule } from "../bitbucket/bitbucket-container-module";
+import { bitbucketServerContainerModule } from "../bitbucket-server/bitbucket-server-container-module";
 
 @injectable()
 export class HostContainerMapping {
@@ -23,6 +24,8 @@ export class HostContainerMapping {
             return [genericAuthContainerModule];
         case "Bitbucket":
             return [bitbucketContainerModule];
+        case "BitbucketServer":
+            return [bitbucketServerContainerModule];
         default:
             return undefined;
         }

components/server/src/bitbucket-server/bitbucket-server-auth-provider.ts

@@ -0,0 +1,120 @@
+/**
+ * Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License-AGPL.txt in the project root for license information.
+ */
+
+import { AuthProviderInfo } from "@gitpod/gitpod-protocol";
+import { log } from "@gitpod/gitpod-protocol/lib/util/logging";
+import * as express from "express";
+import { injectable } from "inversify";
+import fetch from "node-fetch";
+import { AuthUserSetup } from "../auth/auth-provider";
+import { GenericAuthProvider } from "../auth/generic-auth-provider";
+import { BitbucketServerOAuthScopes } from "./bitbucket-server-oauth-scopes";
+import BitbucketServer = require("@atlassian/bitbucket-server")
+
+@injectable()
+export class BitbucketServerAuthProvider extends GenericAuthProvider {
+
+    get info(): AuthProviderInfo {
+        return {
+            ...this.defaultInfo(),
+            scopes: BitbucketServerOAuthScopes.ALL,
+            requirements: {
+                default: BitbucketServerOAuthScopes.Requirements.DEFAULT,
+                publicRepo: BitbucketServerOAuthScopes.Requirements.DEFAULT,
+                privateRepo: BitbucketServerOAuthScopes.Requirements.DEFAULT,
+            },
+        }
+    }
+
+    /**
+     * Augmented OAuthConfig for Bitbucket
+     */
+    protected get oauthConfig() {
+        const oauth = this.params.oauth!;
+        const scopeSeparator = " ";
+        return <typeof oauth>{
+            ...oauth,
+            authorizationUrl: oauth.authorizationUrl || `https://${this.params.host}/rest/oauth2/latest/authorize`,
+            tokenUrl: oauth.tokenUrl || `https://${this.params.host}/rest/oauth2/latest/token`,
+            settingsUrl: oauth.settingsUrl || `https://${this.params.host}/plugins/servlet/oauth/users/access-tokens/`,
+            scope: BitbucketServerOAuthScopes.ALL.join(scopeSeparator),
+            scopeSeparator
+        };
+    }
+
+    protected get tokenUsername(): string {
+        return "x-token-auth";
+    }
+
+    authorize(req: express.Request, res: express.Response, next: express.NextFunction, scope?: string[]): void {
+        super.authorize(req, res, next, scope ? scope : BitbucketServerOAuthScopes.Requirements.DEFAULT);
+    }
+
+    protected readAuthUserSetup = async (accessToken: string, _tokenResponse: object) => {
+        try {
+
+            log.warn(`(${this.strategyName}) accessToken ${accessToken}`);
+
+            const fetchResult = await fetch(`https://${this.params.host}/plugins/servlet/applinks/whoami`, {
+                headers: {
+                    "Authorization": `Bearer ${accessToken}`,
+                }
+            });
+            if (!fetchResult.ok) {
+                throw new Error(fetchResult.statusText);
+            }
+            const username = await fetchResult.text();
+            if (!username) {
+                throw new Error("username missing");
+            }
+
+            log.warn(`(${this.strategyName}) username ${username}`);
+
+            const options = {
+                baseUrl: `https://${this.params.host}`,
+            };
+            const client = new BitbucketServer(options);
+
+            client.authenticate({ type: "token", token: accessToken });
+            const result = await client.api.getUser({ userSlug: username });
+
+            const user = result.data;
+            // const headers = result.headers;
+
+            // const currentScopes = this.normalizeScopes((headers as any)["x-oauth-scopes"]
+            //     .split(",")
+            //     .map((s: string) => s.trim())
+            // );
+
+            // TODO: check if user.active === true?
+
+            return <AuthUserSetup>{
+                authUser: {
+                    authId: `${user.id!}`,
+                    authName: user.name!,
+                    primaryEmail: user.emailAddress!,
+                    name: user.displayName!,
+                    // avatarUrl: user.links!.avatar!.href // TODO
+                },
+                currentScopes: BitbucketServerOAuthScopes.ALL, // TODO
+            }
+
+        } catch (error) {
+            log.error(`(${this.strategyName}) Reading current user info failed`, error, { accessToken, error });
+            throw error;
+        }
+    }
+
+    protected normalizeScopes(scopes: string[]) {
+        const set = new Set(scopes);
+        for (const item of set.values()) {
+            if (!(BitbucketServerOAuthScopes.Requirements.DEFAULT.includes(item))) {
+                set.delete(item);
+            }
+        }
+        return Array.from(set).sort();
+    }
+}

components/server/src/bitbucket-server/bitbucket-server-container-module.ts

@@ -0,0 +1,35 @@
+/**
+ * Copyright (c) 2020 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License-AGPL.txt in the project root for license information.
+ */
+
+import { ContainerModule } from "inversify";
+import { AuthProvider } from "../auth/auth-provider";
+import { BitbucketApiFactory } from '../bitbucket/bitbucket-api-factory';
+import { BitbucketContextParser } from "../bitbucket/bitbucket-context-parser";
+import { BitbucketFileProvider } from "../bitbucket/bitbucket-file-provider";
+import { BitbucketLanguagesProvider } from "../bitbucket/bitbucket-language-provider";
+import { BitbucketRepositoryProvider } from "../bitbucket/bitbucket-repository-provider";
+import { BitbucketTokenHelper } from "../bitbucket/bitbucket-token-handler";
+import { FileProvider, LanguagesProvider, RepositoryHost, RepositoryProvider } from "../repohost";
+import { IContextParser } from "../workspace/context-parser";
+import { BitbucketServerAuthProvider } from "./bitbucket-server-auth-provider";
+
+export const bitbucketServerContainerModule = new ContainerModule((bind, _unbind, _isBound, _rebind) => {
+    bind(RepositoryHost).toSelf().inSingletonScope();
+    bind(BitbucketApiFactory).toSelf().inSingletonScope();
+    bind(BitbucketFileProvider).toSelf().inSingletonScope();
+    bind(FileProvider).toService(BitbucketFileProvider);
+    bind(BitbucketContextParser).toSelf().inSingletonScope();
+    bind(BitbucketLanguagesProvider).toSelf().inSingletonScope();
+    bind(LanguagesProvider).toService(BitbucketLanguagesProvider);
+    bind(IContextParser).toService(BitbucketContextParser);
+    bind(BitbucketRepositoryProvider).toSelf().inSingletonScope();
+    bind(RepositoryProvider).toService(BitbucketRepositoryProvider);
+    bind(BitbucketServerAuthProvider).toSelf().inSingletonScope();
+    bind(AuthProvider).to(BitbucketServerAuthProvider).inSingletonScope();
+    bind(BitbucketTokenHelper).toSelf().inSingletonScope();
+    // bind(BitbucketTokenValidator).toSelf().inSingletonScope(); // TODO
+    // bind(IGitTokenValidator).toService(BitbucketTokenValidator);
+});

components/server/src/bitbucket-server/bitbucket-server-oauth-scopes.ts

@@ -0,0 +1,25 @@
+/**
+ * Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License-AGPL.txt in the project root for license information.
+ */
+
+// https://confluence.atlassian.com/bitbucketserver/bitbucket-oauth-2-0-provider-api-1108483661.html#BitbucketOAuth2.0providerAPI-scopesScopes
+
+export namespace BitbucketServerOAuthScopes {
+    /** View projects and repositories that are publicly accessible, including pulling code and cloning repositories. */
+    export const PUBLIC_REPOS = "PUBLIC_REPOS";
+    /** View projects and repositories the user account can view, including pulling code, cloning, and forking repositories. Create and comment on pull requests. */
+    export const REPOSITORY_READ = "REPO_READ";
+    /** Push over https, fork repo */
+    export const REPOSITORY_WRITE = "REPO_WRITE";
+
+    export const ALL = [PUBLIC_REPOS, REPOSITORY_READ, REPOSITORY_WRITE];
+
+    export const Requirements = {
+        /**
+         * Minimal required permission.
+         */
+        DEFAULT: ALL
+    }
+}

yarn.lock

@@ -2,6 +2,18 @@
 # yarn lockfile v1
 
 
+"@atlassian/bitbucket-server@^0.0.6":
+  version "0.0.6"
+  resolved "https://registry.yarnpkg.com/@atlassian/bitbucket-server/-/bitbucket-server-0.0.6.tgz#7a0678264083c851e50a66216e66021efe1638cf"
+  integrity sha512-92EpKlSPw0ZZXiS4Qt+1DKuDxSIntL2j8Q0CWc8o/nUNOJAW/D9szIgcef5VPTbVslHeb2C3gBSMNnETdykdmQ==
+  dependencies:
+    before-after-hook "^1.1.0"
+    btoa-lite "^1.0.0"
+    debug "^3.1.0"
+    is-plain-object "^2.0.4"
+    node-fetch "^2.1.2"
+    url-template "^2.0.8"
+
 "@babel/[email protected]":
   version "7.10.4"
   resolved "https://registry.yarnpkg.com/@babel/code-frame/-/code-frame-7.10.4.tgz#168da1a36e90da68ae8d49c0f1b48c7c6249213a"
@@ -4580,6 +4592,11 @@ bcrypt-pbkdf@^1.0.0:
   dependencies:
     tweetnacl "^0.14.3"
 
+before-after-hook@^1.1.0:
+  version "1.4.0"
+  resolved "https://registry.yarnpkg.com/before-after-hook/-/before-after-hook-1.4.0.tgz#2b6bf23dca4f32e628fd2747c10a37c74a4b484d"
+  integrity sha512-l5r9ir56nda3qu14nAXIlyq1MmUSs0meCIaFAh8HwkFwP1F8eToOuS3ah2VAHHcY04jaYD7FpJC5JTXHYRbkzg==
+
 before-after-hook@^2.1.0, before-after-hook@^2.2.0:
   version "2.2.2"
   resolved "https://registry.yarnpkg.com/before-after-hook/-/before-after-hook-2.2.2.tgz#a6e8ca41028d90ee2c24222f201c90956091613e"
@@ -12029,6 +12046,13 @@ node-emoji@^1.11.0:
   dependencies:
     lodash "^4.17.21"
 
+node-fetch@^2.1.2:
+  version "2.6.7"
+  resolved "https://registry.yarnpkg.com/node-fetch/-/node-fetch-2.6.7.tgz#24de9fba827e3b4ae44dc8b20256a379160052ad"
+  integrity sha512-ZjMPFEfVx5j+y2yF35Kzx5sF7kDzxuDj6ziH4FFbOp87zKDZNx8yExJIb05OGF4Nlt9IHFIMBkRl41VdvcNdbQ==
+  dependencies:
+    whatwg-url "^5.0.0"
+
 node-fetch@^2.6.0, node-fetch@^2.6.1, node-fetch@^2.6.5:
   version "2.6.6"
   resolved "https://registry.yarnpkg.com/node-fetch/-/node-fetch-2.6.6.tgz#1751a7c01834e8e1697758732e9efb6eeadfaf89"