[bitbucket-server] add token validator

Author: AlexTugarev

components/server/src/bitbucket-server/bitbucket-server-api.ts

@@ -120,13 +120,13 @@ export class BitbucketServerApi {
     }
 
     async getPermission(
-        user: User,
+        userOrToken: User | string,
         params: { username: string; repoKind: BitbucketServer.RepoKind; owner: string; repoName?: string },
     ): Promise<string | undefined> {
         const { username, repoKind, owner, repoName } = params;
         if (repoName) {
             const repoPermissions = await this.runQuery<BitbucketServer.Paginated<BitbucketServer.PermissionEntry>>(
-                user,
+                userOrToken,
                 `/${repoKind}/${owner}/repos/${repoName}/permissions/users`,
             );
             const repoPermission = repoPermissions.values?.find((p) => p.user.name === username)?.permission;
@@ -136,7 +136,7 @@ export class BitbucketServerApi {
         }
         if (repoKind === "projects") {
             const projectPermissions = await this.runQuery<BitbucketServer.Paginated<BitbucketServer.PermissionEntry>>(
-                user,
+                userOrToken,
                 `/${repoKind}/${owner}/permissions/users`,
             );
             const projectPermission = projectPermissions.values?.find((p) => p.user.name === username)?.permission;
@@ -149,11 +149,11 @@ export class BitbucketServerApi {
     }
 
     async getRepository(
-        user: User,
+        userOrToken: User | string,
         params: { repoKind: "projects" | "users"; owner: string; repositorySlug: string },
     ): Promise<BitbucketServer.Repository> {
         return this.runQuery<BitbucketServer.Repository>(
-            user,
+            userOrToken,
             `/${params.repoKind}/${params.owner}/repos/${params.repositorySlug}`,
         );
     }

components/server/src/bitbucket-server/bitbucket-server-container-module.ts

@@ -8,13 +8,15 @@ import { ContainerModule } from "inversify";
 import { AuthProvider } from "../auth/auth-provider";
 import { FileProvider, LanguagesProvider, RepositoryHost, RepositoryProvider } from "../repohost";
 import { IContextParser } from "../workspace/context-parser";
+import { IGitTokenValidator } from "../workspace/git-token-validator";
 import { BitbucketServerApi } from "./bitbucket-server-api";
 import { BitbucketServerAuthProvider } from "./bitbucket-server-auth-provider";
 import { BitbucketServerContextParser } from "./bitbucket-server-context-parser";
 import { BitbucketServerFileProvider } from "./bitbucket-server-file-provider";
 import { BitbucketServerLanguagesProvider } from "./bitbucket-server-language-provider";
 import { BitbucketServerRepositoryProvider } from "./bitbucket-server-repository-provider";
 import { BitbucketServerTokenHelper } from "./bitbucket-server-token-handler";
+import { BitbucketServerTokenValidator } from "./bitbucket-server-token-validator";
 
 export const bitbucketServerContainerModule = new ContainerModule((bind, _unbind, _isBound, _rebind) => {
     bind(RepositoryHost).toSelf().inSingletonScope();
@@ -30,4 +32,6 @@ export const bitbucketServerContainerModule = new ContainerModule((bind, _unbind
     bind(BitbucketServerAuthProvider).toSelf().inSingletonScope();
     bind(AuthProvider).to(BitbucketServerAuthProvider).inSingletonScope();
     bind(BitbucketServerTokenHelper).toSelf().inSingletonScope();
+    bind(BitbucketServerTokenValidator).toSelf().inSingletonScope();
+    bind(IGitTokenValidator).toService(BitbucketServerTokenValidator);
 });

components/server/src/bitbucket-server/bitbucket-server-token-validator.spec.ts

@@ -0,0 +1,128 @@
+/**
+ * Copyright (c) 2022 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License-AGPL.txt in the project root for license information.
+ */
+
+import { User } from "@gitpod/gitpod-protocol";
+import { skipIfEnvVarNotSet } from "@gitpod/gitpod-protocol/lib/util/skip-if";
+import { Container, ContainerModule } from "inversify";
+import { retries, suite, test, timeout } from "mocha-typescript";
+import { expect } from "chai";
+import { GitpodHostUrl } from "@gitpod/gitpod-protocol/lib/util/gitpod-host-url";
+import { AuthProviderParams } from "../auth/auth-provider";
+import { BitbucketServerContextParser } from "./bitbucket-server-context-parser";
+import { BitbucketServerTokenHelper } from "./bitbucket-server-token-handler";
+import { TokenService } from "../user/token-service";
+import { Config } from "../config";
+import { TokenProvider } from "../user/token-provider";
+import { BitbucketServerApi } from "./bitbucket-server-api";
+import { HostContextProvider } from "../auth/host-context-provider";
+import { BitbucketServerRepositoryProvider } from "./bitbucket-server-repository-provider";
+
+@suite(timeout(10000), retries(0), skipIfEnvVarNotSet("GITPOD_TEST_TOKEN_BITBUCKET_SERVER"))
+class TestBitbucketServerRepositoryProvider {
+    protected service: BitbucketServerRepositoryProvider;
+    protected user: User;
+
+    static readonly AUTH_HOST_CONFIG: Partial<AuthProviderParams> = {
+        id: "MyBitbucketServer",
+        type: "BitbucketServer",
+        verified: true,
+        description: "",
+        icon: "",
+        host: "bitbucket.gitpod-self-hosted.com",
+        oauth: {
+            callBackUrl: "",
+            clientId: "not-used",
+            clientSecret: "",
+            tokenUrl: "",
+            scope: "",
+            authorizationUrl: "",
+        },
+    };
+
+    public before() {
+        const container = new Container();
+        container.load(
+            new ContainerModule((bind, unbind, isBound, rebind) => {
+                bind(BitbucketServerRepositoryProvider).toSelf().inSingletonScope();
+                bind(BitbucketServerContextParser).toSelf().inSingletonScope();
+                bind(AuthProviderParams).toConstantValue(TestBitbucketServerRepositoryProvider.AUTH_HOST_CONFIG);
+                bind(BitbucketServerTokenHelper).toSelf().inSingletonScope();
+                bind(TokenService).toConstantValue({
+                    createGitpodToken: async () => ({ token: { value: "foobar123-token" } }),
+                } as any);
+                bind(Config).toConstantValue({
+                    hostUrl: new GitpodHostUrl(),
+                });
+                bind(TokenProvider).toConstantValue(<TokenProvider>{
+                    getTokenForHost: async () => {
+                        return {
+                            value: process.env["GITPOD_TEST_TOKEN_BITBUCKET_SERVER"] || "undefined",
+                            scopes: [],
+                        };
+                    },
+                    getFreshPortAuthenticationToken: undefined as any,
+                });
+                bind(BitbucketServerApi).toSelf().inSingletonScope();
+                bind(HostContextProvider).toConstantValue({});
+            }),
+        );
+        this.service = container.get(BitbucketServerRepositoryProvider);
+        this.user = {
+            creationDate: "",
+            id: "user1",
+            identities: [
+                {
+                    authId: "user1",
+                    authName: "AlexTugarev",
+                    authProviderId: "MyBitbucketServer",
+                },
+            ],
+        };
+    }
+
+    @test async test_getRepo_ok() {
+        const result = await this.service.getRepo(this.user, "JLDEC", "jldec-repo-march-30");
+        expect(result).to.deep.include({
+            webUrl: "https://bitbucket.gitpod-self-hosted.com/projects/JLDEC/repos/jldec-repo-march-30",
+            cloneUrl: "https://bitbucket.gitpod-self-hosted.com/scm/jldec/jldec-repo-march-30.git",
+        });
+    }
+
+    @test async test_getBranch_ok() {
+        const result = await this.service.getBranch(this.user, "JLDEC", "jldec-repo-march-30", "main");
+        expect(result).to.deep.include({
+            name: "main",
+        });
+    }
+
+    @test async test_getBranches_ok() {
+        const result = await this.service.getBranches(this.user, "JLDEC", "jldec-repo-march-30");
+        expect(result.length).to.be.gte(1);
+        expect(result[0]).to.deep.include({
+            name: "main",
+        });
+    }
+
+    @test async test_getBranches_ok_2() {
+        try {
+            await this.service.getBranches(this.user, "mil", "gitpod-large-image");
+            expect.fail("this should not happen while 'mil/gitpod-large-image' has NO default branch configured.");
+        } catch (error) {
+            expect(error.message).to.include(
+                "refs/heads/master is set as the default branch, but this branch does not exist",
+            );
+        }
+    }
+
+    @test async test_getCommitInfo_ok() {
+        const result = await this.service.getCommitInfo(this.user, "JLDEC", "jldec-repo-march-30", "test");
+        expect(result).to.deep.include({
+            author: "Alex Tugarev",
+        });
+    }
+}
+
+module.exports = new TestBitbucketServerRepositoryProvider();

components/server/src/bitbucket-server/bitbucket-server-token-validator.ts

@@ -0,0 +1,59 @@
+/**
+ * Copyright (c) 2022 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License-AGPL.txt in the project root for license information.
+ */
+
+import { inject, injectable } from "inversify";
+import { CheckWriteAccessResult, IGitTokenValidator, IGitTokenValidatorParams } from "../workspace/git-token-validator";
+import { BitbucketServerApi } from "./bitbucket-server-api";
+
+@injectable()
+export class BitbucketServerTokenValidator implements IGitTokenValidator {
+    @inject(BitbucketServerApi) protected readonly api: BitbucketServerApi;
+
+    async checkWriteAccess(params: IGitTokenValidatorParams): Promise<CheckWriteAccessResult> {
+        const { token, owner, repo, repoKind } = params;
+        if (!repoKind || !["users", "projects"].includes(repoKind)) {
+            throw new Error("repo kind is missing");
+        }
+
+        let found = false;
+        let isPrivateRepo = false;
+        let writeAccessToRepo = false;
+
+        try {
+            const repository = await this.api.getRepository(token, {
+                repoKind: repoKind as any,
+                owner,
+                repositorySlug: repo,
+            });
+            found = true;
+            isPrivateRepo = !repository.public;
+        } catch (error) {
+            console.error(error);
+        }
+
+        const username = await this.api.currentUsername(token);
+        const userProfile = await this.api.getUserProfile(token, username);
+        if (owner === userProfile.slug) {
+            writeAccessToRepo = true;
+        } else {
+            let permission = await this.api.getPermission(token, {
+                repoKind: repoKind as any,
+                owner,
+                username,
+                repoName: repo,
+            });
+            if (permission && ["REPO_WRITE", "REPO_ADMIN", "PROJECT_ADMIN", ""].includes(permission)) {
+                writeAccessToRepo = true;
+            }
+        }
+
+        return {
+            found,
+            isPrivateRepo,
+            writeAccessToRepo,
+        };
+    }
+}

components/server/src/bitbucket/bitbucket-token-validator.ts

@@ -11,7 +11,8 @@ import { CheckWriteAccessResult, IGitTokenValidator, IGitTokenValidatorParams }
 @injectable()
 export class BitbucketTokenValidator implements IGitTokenValidator {
     async checkWriteAccess(params: IGitTokenValidatorParams): Promise<CheckWriteAccessResult> {
-        const { token, host, repoFullName } = params;
+        const { token, host, owner, repo } = params;
+        const repoFullName = `${owner}/${repo}`;
 
         const result: CheckWriteAccessResult = {
             found: false,

components/server/src/github/github-token-validator.ts

@@ -15,15 +15,16 @@ export class GitHubTokenValidator implements IGitTokenValidator {
     @inject(GitHubGraphQlEndpoint) githubGraphQLEndpoint: GitHubGraphQlEndpoint;
 
     async checkWriteAccess(params: IGitTokenValidatorParams): Promise<CheckWriteAccessResult> {
-        const { token, repoFullName } = params;
+        const { token, owner, repo } = params;
+        const repoFullName = `${owner}/${repo}`;
 
         const parsedRepoName = this.parseGitHubRepoName(repoFullName);
         if (!parsedRepoName) {
             throw new Error(`Could not parse repo name: ${repoFullName}`);
         }
-        let repo;
+        let gitHubRepo;
         try {
-            repo = await this.githubRestApi.run(token, (api) => api.repos.get(parsedRepoName));
+            gitHubRepo = await this.githubRestApi.run(token, (api) => api.repos.get(parsedRepoName));
         } catch (error) {
             if (GitHubApiError.is(error) && error.response?.status === 404) {
                 return { found: false };
@@ -32,12 +33,12 @@ export class GitHubTokenValidator implements IGitTokenValidator {
             return { found: false, error };
         }
 
-        const mayWritePrivate = GitHubResult.mayWritePrivate(repo);
-        const mayWritePublic = GitHubResult.mayWritePublic(repo);
+        const mayWritePrivate = GitHubResult.mayWritePrivate(gitHubRepo);
+        const mayWritePublic = GitHubResult.mayWritePublic(gitHubRepo);
 
-        const isPrivateRepo = repo.data.private;
-        let writeAccessToRepo = repo.data.permissions?.push;
-        const inOrg = repo.data.owner?.type === "Organization";
+        const isPrivateRepo = gitHubRepo.data.private;
+        let writeAccessToRepo = gitHubRepo.data.permissions?.push;
+        const inOrg = gitHubRepo.data.owner?.type === "Organization";
 
         if (inOrg) {
             // if this repository belongs to an organization and Gitpod is not authorized,

components/server/src/gitlab/gitlab-token-validator.ts

@@ -14,7 +14,8 @@ export class GitLabTokenValidator implements IGitTokenValidator {
         let found = false;
         let isPrivateRepo: boolean | undefined;
         let writeAccessToRepo: boolean | undefined;
-        const { token, host, repoFullName } = params;
+        const { token, host, owner, repo } = params;
+        const repoFullName = `${owner}/${repo}`;
 
         try {
             const request = {
@@ -42,7 +43,6 @@ export class GitLabTokenValidator implements IGitTokenValidator {
                 throw new Error(response.statusText);
             }
         } catch (e) {
-            console.error(e);
             throw e;
         }
 

components/server/src/repohost/repo-url.spec.ts

@@ -14,7 +14,7 @@ const expect = chai.expect;
 export class RepoUrlTest {
     @test public parseRepoUrl() {
         const testUrl = RepoURL.parseRepoUrl("https://gitlab.com/hello-group/my-cool-project.git");
-        expect(testUrl).to.deep.equal({
+        expect(testUrl).to.deep.include({
             host: "gitlab.com",
             owner: "hello-group",
             repo: "my-cool-project",
@@ -23,7 +23,7 @@ export class RepoUrlTest {
 
     @test public parseSubgroupOneLevel() {
         const testUrl = RepoURL.parseRepoUrl("https://gitlab.com/hello-group/my-subgroup/my-cool-project.git");
-        expect(testUrl).to.deep.equal({
+        expect(testUrl).to.deep.include({
             host: "gitlab.com",
             owner: "hello-group/my-subgroup",
             repo: "my-cool-project",
@@ -34,7 +34,7 @@ export class RepoUrlTest {
         const testUrl = RepoURL.parseRepoUrl(
             "https://gitlab.com/hello-group/my-subgroup/my-sub-subgroup/my-cool-project.git",
         );
-        expect(testUrl).to.deep.equal({
+        expect(testUrl).to.deep.include({
             host: "gitlab.com",
             owner: "hello-group/my-subgroup/my-sub-subgroup",
             repo: "my-cool-project",
@@ -45,7 +45,7 @@ export class RepoUrlTest {
         const testUrl = RepoURL.parseRepoUrl(
             "https://gitlab.com/hello-group/my-subgroup/my-sub-subgroup/my-sub-sub-subgroup/my-cool-project.git",
         );
-        expect(testUrl).to.deep.equal({
+        expect(testUrl).to.deep.include({
             host: "gitlab.com",
             owner: "hello-group/my-subgroup/my-sub-subgroup/my-sub-sub-subgroup",
             repo: "my-cool-project",
@@ -56,12 +56,22 @@ export class RepoUrlTest {
         const testUrl = RepoURL.parseRepoUrl(
             "https://gitlab.com/hello-group/my-subgroup/my-sub-subgroup/my-sub-sub-subgroup/my-sub-sub-sub-subgroup/my-cool-project.git",
         );
-        expect(testUrl).to.deep.equal({
+        expect(testUrl).to.deep.include({
             host: "gitlab.com",
             owner: "hello-group/my-subgroup/my-sub-subgroup/my-sub-sub-subgroup/my-sub-sub-sub-subgroup",
             repo: "my-cool-project",
         });
     }
+
+    @test public parseScmCloneUrl() {
+        const testUrl = RepoURL.parseRepoUrl("https://bitbucket.gitpod-self-hosted.com/scm/~jan/yolo.git");
+        expect(testUrl).to.deep.include({
+            host: "bitbucket.gitpod-self-hosted.com",
+            repoKind: "users",
+            owner: "jan",
+            repo: "yolo",
+        });
+    }
 }
 
 module.exports = new RepoUrlTest();