// Package bitbucketcloud provides authentication strategies using Bitbucket Cloud. package bitbucketcloud import ( "context" "encoding/json" "errors" "fmt" "io" "net/http" "sync" "time" "golang.org/x/oauth2" "golang.org/x/oauth2/bitbucket" "github.com/dexidp/dex/connector" "github.com/dexidp/dex/pkg/groups" "github.com/dexidp/dex/pkg/log" ) const ( apiURL = "https://api.bitbucket.org/2.0" // Switch to API v2.0 when the Atlassian platform services are fully available in Bitbucket legacyAPIURL = "https://api.bitbucket.org/1.0" // Bitbucket requires this scope to access '/user' API endpoints. scopeAccount = "account" // Bitbucket requires this scope to access '/user/emails' API endpoints. scopeEmail = "email" // Bitbucket requires this scope to access '/teams' API endpoints // which are used when a client includes the 'groups' scope. scopeTeams = "team" ) // Config holds configuration options for Bitbucket logins. type Config struct { ClientID string `json:"clientID"` ClientSecret string `json:"clientSecret"` RedirectURI string `json:"redirectURI"` Teams []string `json:"teams"` IncludeTeamGroups bool `json:"includeTeamGroups,omitempty"` } // Open returns a strategy for logging in through Bitbucket. func (c *Config) Open(_ string, logger log.Logger) (connector.Connector, error) { b := bitbucketConnector{ redirectURI: c.RedirectURI, teams: c.Teams, clientID: c.ClientID, clientSecret: c.ClientSecret, includeTeamGroups: c.IncludeTeamGroups, apiURL: apiURL, legacyAPIURL: legacyAPIURL, logger: logger, } return &b, nil } type connectorData struct { AccessToken string `json:"accessToken"` RefreshToken string `json:"refreshToken"` Expiry time.Time `json:"expiry"` } var ( _ connector.CallbackConnector = (*bitbucketConnector)(nil) _ connector.RefreshConnector = (*bitbucketConnector)(nil) ) type bitbucketConnector struct { redirectURI string teams []string clientID string clientSecret string logger log.Logger apiURL string legacyAPIURL string // the following are used only for tests hostName string httpClient *http.Client includeTeamGroups bool } // groupsRequired returns whether dex requires Bitbucket's 'team' scope. func (b *bitbucketConnector) groupsRequired(groupScope bool) bool { return len(b.teams) > 0 || groupScope } func (b *bitbucketConnector) oauth2Config(scopes connector.Scopes) *oauth2.Config { bitbucketScopes := []string{scopeAccount, scopeEmail} if b.groupsRequired(scopes.Groups) { bitbucketScopes = append(bitbucketScopes, scopeTeams) } endpoint := bitbucket.Endpoint if b.hostName != "" { endpoint = oauth2.Endpoint{ AuthURL: "https://" + b.hostName + "/site/oauth2/authorize", TokenURL: "https://" + b.hostName + "/site/oauth2/access_token", } } return &oauth2.Config{ ClientID: b.clientID, ClientSecret: b.clientSecret, Endpoint: endpoint, Scopes: bitbucketScopes, } } func (b *bitbucketConnector) LoginURL(scopes connector.Scopes, callbackURL, state string) (string, error) { if b.redirectURI != callbackURL { return "", fmt.Errorf("expected callback URL %q did not match the URL in the config %q", callbackURL, b.redirectURI) } return b.oauth2Config(scopes).AuthCodeURL(state), nil } type oauth2Error struct { error string errorDescription string } func (e *oauth2Error) Error() string { if e.errorDescription == "" { return e.error } return e.error + ": " + e.errorDescription } func (b *bitbucketConnector) HandleCallback(s connector.Scopes, r *http.Request) (identity connector.Identity, err error) { q := r.URL.Query() if errType := q.Get("error"); errType != "" { return identity, &oauth2Error{errType, q.Get("error_description")} } oauth2Config := b.oauth2Config(s) ctx := r.Context() if b.httpClient != nil { ctx = context.WithValue(r.Context(), oauth2.HTTPClient, b.httpClient) } token, err := oauth2Config.Exchange(ctx, q.Get("code")) if err != nil { return identity, fmt.Errorf("bitbucket: failed to get token: %v", err) } client := oauth2Config.Client(ctx, token) user, err := b.user(ctx, client) if err != nil { return identity, fmt.Errorf("bitbucket: get user: %v", err) } identity = connector.Identity{ UserID: user.UUID, Username: user.Username, Email: user.Email, EmailVerified: true, } if b.groupsRequired(s.Groups) { groups, err := b.getGroups(ctx, client, s.Groups, user.Username) if err != nil { return identity, err } identity.Groups = groups } if s.OfflineAccess { data := connectorData{ AccessToken: token.AccessToken, RefreshToken: token.RefreshToken, Expiry: token.Expiry, } connData, err := json.Marshal(data) if err != nil { return identity, fmt.Errorf("bitbucket: marshal connector data: %v", err) } identity.ConnectorData = connData } return identity, nil } // Refreshing tokens // https://github.com/golang/oauth2/issues/84#issuecomment-332860871 type tokenNotifyFunc func(*oauth2.Token) error // notifyRefreshTokenSource is essentially `oauth2.ReuseTokenSource` with `TokenNotifyFunc` added. type notifyRefreshTokenSource struct { new oauth2.TokenSource mu sync.Mutex // guards t t *oauth2.Token f tokenNotifyFunc // called when token refreshed so new refresh token can be persisted } // Token returns the current token if it's still valid, else will // refresh the current token (using r.Context for HTTP client // information) and return the new one. func (s *notifyRefreshTokenSource) Token() (*oauth2.Token, error) { s.mu.Lock() defer s.mu.Unlock() if s.t.Valid() { return s.t, nil } t, err := s.new.Token() if err != nil { return nil, err } s.t = t return t, s.f(t) } func (b *bitbucketConnector) Refresh(ctx context.Context, s connector.Scopes, identity connector.Identity) (connector.Identity, error) { if len(identity.ConnectorData) == 0 { return identity, errors.New("bitbucket: no upstream access token found") } var data connectorData if err := json.Unmarshal(identity.ConnectorData, &data); err != nil { return identity, fmt.Errorf("bitbucket: unmarshal access token: %v", err) } tok := &oauth2.Token{ AccessToken: data.AccessToken, RefreshToken: data.RefreshToken, Expiry: data.Expiry, } client := oauth2.NewClient(ctx, ¬ifyRefreshTokenSource{ new: b.oauth2Config(s).TokenSource(ctx, tok), t: tok, f: func(tok *oauth2.Token) error { data := connectorData{ AccessToken: tok.AccessToken, RefreshToken: tok.RefreshToken, Expiry: tok.Expiry, } connData, err := json.Marshal(data) if err != nil { return fmt.Errorf("bitbucket: marshal connector data: %v", err) } identity.ConnectorData = connData return nil }, }) user, err := b.user(ctx, client) if err != nil { return identity, fmt.Errorf("bitbucket: get user: %v", err) } identity.Username = user.Username identity.Email = user.Email if b.groupsRequired(s.Groups) { groups, err := b.getGroups(ctx, client, s.Groups, user.Username) if err != nil { return identity, err } identity.Groups = groups } return identity, nil } // Bitbucket pagination wrapper type pagedResponse struct { Size int `json:"size"` Page int `json:"page"` PageLen int `json:"pagelen"` Next *string `json:"next"` Previous *string `json:"previous"` } // user holds Bitbucket user information (relevant to dex) as defined by // https://developer.atlassian.com/bitbucket/api/2/reference/resource/user type user struct { Username string `json:"username"` UUID string `json:"uuid"` Email string `json:"email"` } // user queries the Bitbucket API for profile information using the provided client. // // The HTTP client is expected to be constructed by the golang.org/x/oauth2 package, // which inserts a bearer token as part of the request. func (b *bitbucketConnector) user(ctx context.Context, client *http.Client) (user, error) { // https://developer.atlassian.com/bitbucket/api/2/reference/resource/user var ( u user err error ) if err = get(ctx, client, b.apiURL+"/user", &u); err != nil { return user{}, err } if u.Email, err = b.userEmail(ctx, client); err != nil { return user{}, err } return u, nil } // userEmail holds Bitbucket user email information as defined by // https://developer.atlassian.com/bitbucket/api/2/reference/resource/user/emails type userEmail struct { IsPrimary bool `json:"is_primary"` IsConfirmed bool `json:"is_confirmed"` Email string `json:"email"` } type userEmailResponse struct { pagedResponse Values []userEmail } // userEmail returns the users primary, confirmed email // // The HTTP client is expected to be constructed by the golang.org/x/oauth2 package, // which inserts a bearer token as part of the request. func (b *bitbucketConnector) userEmail(ctx context.Context, client *http.Client) (string, error) { apiURL := b.apiURL + "/user/emails" for { // https://developer.atlassian.com/bitbucket/api/2/reference/resource/user/emails var response userEmailResponse if err := get(ctx, client, apiURL, &response); err != nil { return "", err } for _, email := range response.Values { if email.IsConfirmed && email.IsPrimary { return email.Email, nil } } if response.Next == nil { break } } return "", errors.New("bitbucket: user has no confirmed, primary email") } // getGroups retrieves Bitbucket teams a user is in, if any. func (b *bitbucketConnector) getGroups(ctx context.Context, client *http.Client, groupScope bool, userLogin string) ([]string, error) { bitbucketTeams, err := b.userTeams(ctx, client) if err != nil { return nil, err } if len(b.teams) > 0 { filteredTeams := groups.Filter(bitbucketTeams, b.teams) if len(filteredTeams) == 0 { return nil, fmt.Errorf("bitbucket: user %q is not in any of the required teams", userLogin) } return filteredTeams, nil } else if groupScope { return bitbucketTeams, nil } return nil, nil } type teamName struct { Name string `json:"username"` // The "username" from Bitbucket Cloud is actually the team name here } type team struct { Team teamName `json:"team"` } type userTeamsResponse struct { pagedResponse Values []team } func (b *bitbucketConnector) userTeams(ctx context.Context, client *http.Client) ([]string, error) { var teams []string apiURL := b.apiURL + "/user/permissions/teams" for { // https://developer.atlassian.com/bitbucket/api/2/reference/resource/user/permissions/teams var response userTeamsResponse if err := get(ctx, client, apiURL, &response); err != nil { return nil, fmt.Errorf("bitbucket: get user teams: %v", err) } for _, value := range response.Values { teams = append(teams, value.Team.Name) } if response.Next == nil { break } } if b.includeTeamGroups { for _, team := range teams { teamGroups, err := b.userTeamGroups(ctx, client, team) if err != nil { return nil, fmt.Errorf("bitbucket: %v", err) } teams = append(teams, teamGroups...) } } return teams, nil } type group struct { Slug string `json:"slug"` } func (b *bitbucketConnector) userTeamGroups(ctx context.Context, client *http.Client, teamName string) ([]string, error) { apiURL := b.legacyAPIURL + "/groups/" + teamName var response []group if err := get(ctx, client, apiURL, &response); err != nil { return nil, fmt.Errorf("get user team %q groups: %v", teamName, err) } teamGroups := make([]string, 0, len(response)) for _, group := range response { teamGroups = append(teamGroups, teamName+"/"+group.Slug) } return teamGroups, nil } // get creates a "GET `apiURL`" request with context, sends the request using // the client, and decodes the resulting response body into v. // Any errors encountered when building requests, sending requests, and // reading and decoding response data are returned. func get(ctx context.Context, client *http.Client, apiURL string, v interface{}) error { req, err := http.NewRequest("GET", apiURL, nil) if err != nil { return fmt.Errorf("bitbucket: new req: %v", err) } req = req.WithContext(ctx) resp, err := client.Do(req) if err != nil { return fmt.Errorf("bitbucket: get URL %v", err) } defer resp.Body.Close() if resp.StatusCode != http.StatusOK { body, err := io.ReadAll(resp.Body) if err != nil { return fmt.Errorf("bitbucket: read body: %s: %v", resp.Status, err) } return fmt.Errorf("%s: %s", resp.Status, body) } if err := json.NewDecoder(resp.Body).Decode(v); err != nil { return fmt.Errorf("bitbucket: failed to decode response: %v", err) } return nil }