CR-14127 - validate tokens (#570)

* validate tokens

* wip

* resolve comments

* bump

* wip

* wip

Author: kim-codefresh

Makefile

@@ -1,4 +1,4 @@
-VERSION=v0.0.511
+VERSION=v0.0.512
 
 OUT_DIR=dist
 YEAR?=$(shell date +"%Y")

cmd/commands/common.go

@@ -273,12 +273,15 @@ func ensureGitRuntimeToken(cmd *cobra.Command, gitProvider cfgit.Provider, clone
 	}
 
 	if gitProvider != nil {
-		err := gitProvider.VerifyRuntimeToken(ctx, cloneOpts.Auth.Password)
+		err := gitProvider.VerifyRuntimeToken(ctx, cloneOpts.Auth)
 		if err != nil {
 			// in case when we get invalid value from env variable TOKEN we clean
 			cloneOpts.Auth.Password = ""
 			return fmt.Errorf(errMessage, err)
 		}
+		if cloneOpts.Auth.Username == "" && gitProvider.Type() == cfgit.BITBUCKET {
+			return fmt.Errorf("must provide a git user using --git-user for bitbucket cloud")
+		}
 	} else if cloneOpts.Auth.Password == "" {
 		return fmt.Errorf("must provide a git token using --git-token")
 	}
@@ -303,7 +306,11 @@ func ensureGitUserToken(ctx context.Context, opts *RuntimeInstallOptions) error
 	}
 
 	if opts.gitProvider != nil {
-		return opts.gitProvider.VerifyUserToken(ctx, opts.GitIntegrationRegistrationOpts.Token)
+		auth := apgit.Auth{
+			Password: opts.GitIntegrationRegistrationOpts.Token,
+			Username: opts.GitIntegrationRegistrationOpts.Username,
+		}
+		return opts.gitProvider.VerifyUserToken(ctx, auth)
 	}
 
 	return nil

docs/releases/release_notes.md

@@ -23,7 +23,7 @@ cf version
 
 ```bash
 # download and extract the binary
-curl -L --output - https://github.com/codefresh-io/cli-v2/releases/download/v0.0.511/cf-linux-amd64.tar.gz | tar zx
+curl -L --output - https://github.com/codefresh-io/cli-v2/releases/download/v0.0.512/cf-linux-amd64.tar.gz | tar zx
 
 # move the binary to your $PATH
 mv ./cf-linux-amd64 /usr/local/bin/cf
@@ -36,7 +36,7 @@ cf version
 
 ```bash
 # download and extract the binary
-curl -L --output - https://github.com/codefresh-io/cli-v2/releases/download/v0.0.511/cf-darwin-amd64.tar.gz | tar zx
+curl -L --output - https://github.com/codefresh-io/cli-v2/releases/download/v0.0.512/cf-darwin-amd64.tar.gz | tar zx
 
 # move the binary to your $PATH
 mv ./cf-darwin-amd64 /usr/local/bin/cf

manifests/runtime.yaml

@@ -5,7 +5,7 @@ metadata:
   namespace: '{{ namespace }}'
 spec:
   defVersion: 2.0.0
-  version: 0.0.511
+  version: 0.0.512
   bootstrapSpecifier: github.com/codefresh-io/cli-v2/manifests/argo-cd
   components:
     - name: events

pkg/git/provider.go

@@ -19,6 +19,8 @@ import (
 	"fmt"
 	"net/http"
 	"strings"
+
+	apgit "github.com/argoproj-labs/argocd-autopilot/pkg/git"
 )
 
 //go:generate mockgen -destination=./mocks/roundTripper.go -package=mocks net/http RoundTripper
@@ -31,8 +33,8 @@ type (
 		BaseURL() string
 		SupportsMarketplace() bool
 		Type() ProviderType
-		VerifyRuntimeToken(ctx context.Context, token string) error
-		VerifyUserToken(ctx context.Context, token string) error
+		VerifyRuntimeToken(ctx context.Context, auth apgit.Auth) error
+		VerifyUserToken(ctx context.Context, auth apgit.Auth) error
 	}
 )
 

pkg/git/provider_bitbucket-server.go

@@ -22,6 +22,7 @@ import (
 	"net/url"
 	"path"
 
+	apgit "github.com/argoproj-labs/argocd-autopilot/pkg/git"
 	httputil "github.com/codefresh-io/cli-v2/pkg/util/http"
 )
 
@@ -71,12 +72,12 @@ func (bbs *bitbucketServer) Type() ProviderType {
 	return bbs.providerType
 }
 
-func (bbs *bitbucketServer) VerifyRuntimeToken(ctx context.Context, token string) error {
-	return bbs.checkProjectAdminPermission(ctx, token)
+func (bbs *bitbucketServer) VerifyRuntimeToken(ctx context.Context, auth apgit.Auth) error {
+	return bbs.checkProjectAdminPermission(ctx, auth.Password)
 }
 
-func (bbs *bitbucketServer) VerifyUserToken(ctx context.Context, token string) error {
-	return bbs.checkRepoReadPermission(ctx, token)
+func (bbs *bitbucketServer) VerifyUserToken(ctx context.Context, auth apgit.Auth) error {
+	return bbs.checkRepoReadPermission(ctx, auth.Password)
 }
 
 // POST to users/<username>/repos with an invalid repo name (starts with "!").

pkg/git/provider_bitbucket.go

@@ -16,8 +16,17 @@ package git
 
 import (
 	"context"
+	"errors"
+	"fmt"
 	"net/http"
 	"net/url"
+	"path"
+	"strings"
+
+	"encoding/base64"
+
+	apgit "github.com/argoproj-labs/argocd-autopilot/pkg/git"
+	httputil "github.com/codefresh-io/cli-v2/pkg/util/http"
 )
 
 type (
@@ -30,10 +39,25 @@ type (
 
 const (
 	BITBUCKET_CLOUD_DOMAIN               = "bitbucket.org"
-	BITBUCKET_REST_ENDPOINT              = "/2.0"
+	BITBUCKET_REST_ENDPOINT              = "/api/2.0"
 	BITBUCKET               ProviderType = "bitbucket"
 )
 
+var (
+	patScopes = [][]string{
+		{"repository:admin", "repository:write"},
+		{"account:read", "account:write"},
+		{"team", "team:write"},
+	}
+
+	runtimeScopes = [][]string{
+		{"repository:admin"},
+		{"account:read", "account:write"},
+		{"team", "team:write"},
+		{"webhook"},
+	}
+)
+
 func NewBitbucketProvider(baseURL string, client *http.Client) (Provider, error) {
 	u, err := url.Parse(baseURL)
 	if err != nil {
@@ -63,34 +87,70 @@ func (bb *bitbucket) Type() ProviderType {
 	return bb.providerType
 }
 
-func (bb *bitbucket) VerifyRuntimeToken(ctx context.Context, token string) error {
-	return bb.checkProjectAdminPermission(ctx, token)
+func (bb *bitbucket) VerifyRuntimeToken(ctx context.Context, auth apgit.Auth) error {
+	if auth.Password == "" {
+		return fmt.Errorf("user name is require for bitbucket cloud request")
+	}
+
+	return bb.verifyToken(ctx, auth.Password, auth.Username, runtimeScopes)
 }
 
-func (bb *bitbucket) VerifyUserToken(ctx context.Context, token string) error {
-	return bb.checkRepoReadPermission(ctx, token)
+func (bb *bitbucket) VerifyUserToken(ctx context.Context, auth apgit.Auth) error {
+	if auth.Password == "" {
+		return fmt.Errorf("user name is require for bitbucket cloud request")
+	}
+	return bb.verifyToken(ctx, auth.Password, auth.Username, patScopes)
 }
 
-func (bb *bitbucket) checkProjectAdminPermission(ctx context.Context, token string) error {
+func (bb *bitbucket) verifyToken(ctx context.Context, token string, username string, requiredScopes [][]string) error {
+	scopes, err := bb.getCurrentUserScopes(ctx, token, username)
+	if err != nil {
+		return fmt.Errorf("failed checking token scope permission: %w", err)
+	}
+	for _, requiredScope := range requiredScopes {
+		isScopeIncluded := false
+		for _, scopeOpt := range requiredScope {
+			if strings.Contains(scopes, scopeOpt) {
+				isScopeIncluded = true
+			}
+		}
+		if !isScopeIncluded {
+			return fmt.Errorf("the provided token is missing required token scopes, got: %s required: %v", scopes, requiredScopes)
+		}
+	}
+
 	return nil
 }
 
-func (bb *bitbucket) checkRepoReadPermission(ctx context.Context, token string) error {
-	return nil
+func (bb *bitbucket) getCurrentUserScopes(ctx context.Context, token, username string) (string, error) {
+	res, err := bb.request(ctx, username, token, http.MethodHead, "user", nil)
+	if err != nil {
+		return "", fmt.Errorf("failed getting current user: %w", err)
+	}
+	defer res.Body.Close()
+
+	scopes := res.Header.Get("x-oauth-scopes")
+
+	if scopes == "" {
+		return "", errors.New("invalid token")
+	}
+
+	return scopes, nil
 }
 
-// func (bb *bitbucket) request(ctx context.Context, token, method, urlPath string, body interface{}) (*http.Response, error) {
-// 	urlClone := *bb.apiURL
-// 	urlClone.Path = path.Join(urlClone.Path, urlPath)
-// 	headers := map[string]string{
-// 		"Authorization": "Bearer " + token,
-// 		"Accept":        "application/json",
-// 		"Content-Type":  "application/json",
-// 	}
-// 	req, err := httputil.NewRequest(ctx, method, urlClone.String(), headers, body)
-// 	if err != nil {
-// 		return nil, err
-// 	}
-
-// 	return bb.c.Do(req)
-// }
+func (bb *bitbucket) request(ctx context.Context, username, token, method, urlPath string, body interface{}) (*http.Response, error) {
+	urlClone := *bb.apiURL
+	urlClone.Path = path.Join(urlClone.Path, urlPath)
+	auth := base64.StdEncoding.EncodeToString([]byte(username + ":" + token))
+	headers := map[string]string{
+		"Authorization": "Basic " + auth,
+		"Accept":        "application/json",
+		"Content-Type":  "application/json",
+	}
+	req, err := httputil.NewRequest(ctx, method, urlClone.String(), headers, body)
+	if err != nil {
+		return nil, err
+	}
+
+	return bb.c.Do(req)
+}

pkg/git/provider_bitbucket_test.go

@@ -0,0 +1,103 @@
+// Copyright 2022 The Codefresh Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package git
+
+import (
+	"context"
+	"errors"
+	"net/http"
+	"testing"
+
+	"github.com/codefresh-io/cli-v2/pkg/git/mocks"
+	"github.com/golang/mock/gomock"
+	"github.com/stretchr/testify/assert"
+)
+
+func newBitbucket(transport http.RoundTripper) *bitbucket {
+	client := &http.Client{
+		Transport: transport,
+	}
+	g, _ := NewBitbucketProvider("https://some.server", client)
+	return g.(*bitbucket)
+}
+
+func Test_bitbucket_verifyToken(t *testing.T) {
+	tests := map[string]struct {
+		requiredScopes [][]string
+		wantErr        string
+		beforeFn       func(t *testing.T, c *mocks.MockRoundTripper)
+	}{
+		"Should fail if HEAD fails": {
+			wantErr: "failed checking token scope permission: failed getting current user: Head \"https://some.server/api/2.0/user\": some error",
+			beforeFn: func(_ *testing.T, c *mocks.MockRoundTripper) {
+				c.EXPECT().RoundTrip(gomock.AssignableToTypeOf(&http.Request{})).Return(nil, errors.New("some error"))
+			},
+		},
+		"Should fail if no x-oauth-Scopes in res headers": {
+			wantErr: "failed checking token scope permission: invalid token",
+			beforeFn: func(_ *testing.T, c *mocks.MockRoundTripper) {
+				header := http.Header{}
+				c.EXPECT().RoundTrip(gomock.AssignableToTypeOf(&http.Request{})).Return(&http.Response{
+					StatusCode: 200,
+					Header:     header,
+				}, nil)
+			},
+		},
+		"Should fail if required scope is not in res header": {
+			requiredScopes: [][]string{{"scope 3"}},
+			wantErr:        "the provided token is missing required token scopes, got: scope 1, scope 2 required: [[scope 3]]",
+			beforeFn: func(t *testing.T, c *mocks.MockRoundTripper) {
+				c.EXPECT().RoundTrip(gomock.AssignableToTypeOf(&http.Request{})).Times(1).DoAndReturn(func(_ *http.Request) (*http.Response, error) {
+					header := http.Header{}
+					header.Add("X-Oauth-Scopes", "scope 1, scope 2")
+					res := &http.Response{
+						StatusCode: 200,
+						Header:     header,
+					}
+					return res, nil
+				})
+			},
+		},
+		"Should succeed if all required scopes or higher are in the res header": {
+			requiredScopes: [][]string{
+				{"scope 3:write", "scope 3:admin"},
+				{"scope 4"},
+			},
+			beforeFn: func(t *testing.T, c *mocks.MockRoundTripper) {
+				c.EXPECT().RoundTrip(gomock.AssignableToTypeOf(&http.Request{})).Times(1).DoAndReturn(func(_ *http.Request) (*http.Response, error) {
+					header := http.Header{}
+					header.Add("X-Oauth-Scopes", "scope 1, scope 2, scope 3:write, scope 4")
+					res := &http.Response{
+						StatusCode: 200,
+						Header:     header,
+					}
+					return res, nil
+				})
+			},
+		},
+	}
+	for name, tt := range tests {
+		t.Run(name, func(t *testing.T) {
+			ctrl := gomock.NewController(t)
+			mockTransport := mocks.NewMockRoundTripper(ctrl)
+			tt.beforeFn(t, mockTransport)
+			g := newBitbucket(mockTransport)
+			err := g.verifyToken(context.Background(), "token", "username", tt.requiredScopes)
+			if err != nil || tt.wantErr != "" {
+				assert.EqualError(t, err, tt.wantErr)
+			}
+		})
+	}
+}

pkg/git/provider_github.go

@@ -22,6 +22,7 @@ import (
 	"net/url"
 	"strings"
 
+	apgit "github.com/argoproj-labs/argocd-autopilot/pkg/git"
 	httputil "github.com/codefresh-io/cli-v2/pkg/util/http"
 )
 
@@ -83,17 +84,17 @@ func (g *github) Type() ProviderType {
 	return g.providerType
 }
 
-func (g *github) VerifyRuntimeToken(ctx context.Context, token string) error {
-	err := g.verifyToken(ctx, token, runtime_token_scopes)
+func (g *github) VerifyRuntimeToken(ctx context.Context, auth apgit.Auth) error {
+	err := g.verifyToken(ctx, auth.Password, runtime_token_scopes)
 	if err != nil {
 		return fmt.Errorf("git-token invalid: %w", err)
 	}
 
 	return nil
 }
 
-func (g *github) VerifyUserToken(ctx context.Context, token string) error {
-	err := g.verifyToken(ctx, token, user_token_scopes)
+func (g *github) VerifyUserToken(ctx context.Context, auth apgit.Auth) error {
+	err := g.verifyToken(ctx, auth.Password, user_token_scopes)
 	if err != nil {
 		return fmt.Errorf("personal-git-token invalid: %w", err)
 	}