[JENKINS-74965] Add support for Repository, Project and Workspace Access Token for Bitbucket Cloud (#934)

Update the bitbucket token authenticator to be used as workspace, project or repository Access Token as described in Atlassian documentation at:
- https://support.atlassian.com/bitbucket-cloud/docs/using-workspace-access-tokens/
- https://support.atlassian.com/bitbucket-cloud/docs/using-project-access-tokens/
- https://support.atlassian.com/bitbucket-cloud/docs/using-access-tokens/

Convert BitbucketAuthenticatorTest to JUnit5

Author: nfalco79

docs/USER_GUIDE.adoc

@@ -123,7 +123,27 @@ image::images/screenshot-7.png[scaledwidth=90%]
 
 === Access Token
 
-The plugin can make use of a personal access token (Bitbucket Server only) instead of the standard username/password.
+The plugin can make use of a repository, project or workspace access token (Bitbucket Cloud only).
+
+First, create a new _access token_ in Bitbucket as instructed in one of the following links:
+.Bulleted
+. https://support.atlassian.com/bitbucket-cloud/docs/create-a-repository-access-token/[Repository Access Token | Atlassian Documentation];
+. https://support.atlassian.com/bitbucket-cloud/docs/create-a-project-access-token/[Project Access Token | Atlassian Documentation];
+. https://support.atlassian.com/bitbucket-cloud/docs/create-a-workspace-access-token/[Workspace Access Token | Atlassian Documentation];
+
+At least allow _read_ access for repositories. If you want the plugin to install the webhooks, allow _Read and write_ access for Webhooks.
+
+image::images/screenshot-16.png[scaledwidth=90%]
+
+Then create a new _Secret text_ credential in Jenkins, enter the Bitbucket token generated in the previous steps in the _Secret_ field.
+
+If you want be able to perform git push operation from CLI than you have to setup _write_ access for repositories. Than configure the _Custom user name/e-mail address_ trait with the Repository Access Token email generated when you created the Repository Access Token (for example, 52c16467c5f19101ff2061cc@bots.bitbucket.org).
+
+image::images/screenshot-17.png[scaledwidth=90%]
+
+=== Personal Access Token
+
+The plugin can make use of a personal access token (Bitbucket Datacenter only) instead of the standard username/password.
 
 First, create a new _personal access token_ in Bitbucket as instructed in the link:https://confluence.atlassian.com/bitbucketserver080/http-access-tokens-1115142284.html[HTTP access tokens | Bitbucket Data Center and Server 8.0 | Atlassian Documentation].
 At least allow _read_ access for repositories. If you want the plugin to install the webhooks, allow _admin_ access for repositories.

docs/images/screenshot-16.png

@@ -82,15 +82,9 @@ public PullRequestSCMHead(String name, String repoOwner, String repository, Stri
 
     public PullRequestSCMHead(String name, String repoOwner, String repository, String branchName,
                               BitbucketPullRequest pr, SCMHeadOrigin origin, ChangeRequestCheckoutStrategy strategy) {
-        super(name);
-        this.repoOwner = repoOwner;
-        this.repository = repository;
-        this.branchName = branchName;
-        this.number = pr.getId();
-        this.title = pr.getTitle();
-        this.target = new BranchSCMHead(pr.getDestination().getBranch().getName());
-        this.origin = origin;
-        this.strategy = strategy;
+        this(name, repoOwner, repository, branchName,
+             pr.getId(), pr.getTitle(), new BranchSCMHead(pr.getDestination().getBranch().getName()),
+             origin, strategy);
     }
 
     @Deprecated

docs/images/screenshot-17.png

@@ -37,11 +37,7 @@
  * @since 2.2.0
  */
 public class PullRequestSCMRevision extends ChangeRequestSCMRevision<PullRequestSCMHead> {
-
-    /**
-     * Standardize serialization.
-     */
-    private static final long serialVersionUID = 1L;
+    private static final long serialVersionUID = 6656650901355298126L;
 
     /**
      * The pull head revision.
@@ -100,8 +96,8 @@ public int _hashCode() {
      */
     @Override
     public String toString() {
-        return getHead() instanceof PullRequestSCMHead
-                && ((PullRequestSCMHead) getHead()).getCheckoutStrategy() == ChangeRequestCheckoutStrategy.MERGE
+        return getHead() instanceof PullRequestSCMHead prHead
+                && prHead.getCheckoutStrategy() == ChangeRequestCheckoutStrategy.MERGE
                 ? getPull().toString() + "+" + getTarget().toString()
                 : getPull().toString();
     }

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/PullRequestSCMHead.java

@@ -1,3 +1,27 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2018, CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
 package com.cloudbees.jenkins.plugins.bitbucket.credentials;
 
 import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketAuthenticator;
@@ -6,7 +30,6 @@
 import com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl;
 import hudson.model.Descriptor.FormException;
 import hudson.util.Secret;
-import org.apache.commons.lang.StringUtils;
 import org.apache.http.HttpHeaders;
 import org.apache.http.HttpRequest;
 import org.jenkinsci.plugins.plaincredentials.StringCredentials;
@@ -32,17 +55,25 @@ public BitbucketAccessTokenAuthenticator(StringCredentials credentials) {
     /**
      * Provides the access token as header.
      *
-     * @param request the request
+     * @param request to configure with the access token
      */
     public void configureRequest(HttpRequest request) {
         request.setHeader(HttpHeaders.AUTHORIZATION, "Bearer " + token.getPlainText());
     }
 
+    /**
+     * Provides with the Git command line interface.
+     * <p>
+     * As per documentation the username must be x-token-auth and the password
+     * is the token.
+     *
+     * @return the UsernamePasswordCredentials credential to be used with Git
+     *         command line interface
+     */
     @Override
     public StandardUsernameCredentials getCredentialsForSCM() {
         try {
-            return new UsernamePasswordCredentialsImpl(
-                    CredentialsScope.GLOBAL, getId(), null, StringUtils.EMPTY, token.getPlainText());
+            return new UsernamePasswordCredentialsImpl(CredentialsScope.GLOBAL, getId(), null, "x-token-auth", token.getPlainText());
         } catch (FormException e) {
             throw new RuntimeException(e);
         }

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/PullRequestSCMRevision.java

@@ -1,3 +1,27 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2018, CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
 package com.cloudbees.jenkins.plugins.bitbucket.credentials;
 
 import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketAuthenticator;

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/credentials/BitbucketAccessTokenAuthenticator.java

@@ -50,9 +50,6 @@ public class BitbucketClientCertificateAuthenticator implements BitbucketAuthent
 
     private static final Logger LOGGER = Logger.getLogger(BitbucketClientCertificateAuthenticator.class.getName());
 
-    /**
-     * {@inheritDoc}
-     */
     public BitbucketClientCertificateAuthenticator(StandardCertificateCredentials credentials) {
         this.credentialsId = credentials.getId();
         keyStore = credentials.getKeyStore();

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/credentials/BitbucketAccessTokenAuthenticatorSource.java

@@ -1,3 +1,27 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2018, CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
 package com.cloudbees.jenkins.plugins.bitbucket.credentials;
 
 import com.github.scribejava.core.builder.api.DefaultApi20;

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/credentials/BitbucketClientCertificateAuthenticator.java

@@ -1,3 +1,27 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2018, CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
 package com.cloudbees.jenkins.plugins.bitbucket.credentials;
 
 import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketAuthenticator;
@@ -11,50 +35,58 @@
 import com.github.scribejava.core.model.OAuthConstants;
 import com.github.scribejava.core.oauth.OAuth20Service;
 import hudson.model.Descriptor.FormException;
+import hudson.util.Secret;
 import java.io.IOException;
 import java.util.concurrent.ExecutionException;
-import jenkins.authentication.tokens.api.AuthenticationTokenException;
 import jenkins.util.SetContextClassLoader;
 import org.apache.http.HttpRequest;
 
 public class BitbucketOAuthAuthenticator implements BitbucketAuthenticator {
 
     private final String credentialsId;
+    private final String username;
+    private final Secret password;
     private OAuth2AccessToken token;
 
     /**
      * Constructor.
      *
      * @param credentials the key/pass that will be used
-     * @throws AuthenticationTokenException
      */
-    public BitbucketOAuthAuthenticator(StandardUsernamePasswordCredentials credentials) throws AuthenticationTokenException {
+    public BitbucketOAuthAuthenticator(StandardUsernamePasswordCredentials credentials) {
         this.credentialsId = credentials.getId();
+        this.username = credentials.getUsername();
+        this.password = credentials.getPassword();
+    }
 
-        try (SetContextClassLoader cl = new SetContextClassLoader(this.getClass());
-                OAuth20Service service = new ServiceBuilder(credentials.getUsername())
-                    .apiSecret(credentials.getPassword().getPlainText())
-                    .httpClientConfig(JDKHttpClientConfig.defaultConfig())
-                    .build(BitbucketOAuth.instance())) {
-            token = service.getAccessTokenClientCredentialsGrant();
-        } catch (IOException | InterruptedException | ExecutionException e) {
-            throw new AuthenticationTokenException(e);
+    private OAuth2AccessToken getToken() {
+        if (token == null) {
+            try (SetContextClassLoader cl = new SetContextClassLoader(this.getClass());
+                    OAuth20Service service = new ServiceBuilder(username)
+                        .apiSecret(Secret.toString(password))
+                        .httpClientConfig(JDKHttpClientConfig.defaultConfig())
+                        .build(BitbucketOAuth.instance())) {
+                token = service.getAccessTokenClientCredentialsGrant();
+            } catch (IOException | InterruptedException | ExecutionException e) {
+                throw new RuntimeException(e);
+            }
         }
+        return token;
     }
 
     /**
      * Set up request with token in header
      */
     @Override
     public void configureRequest(HttpRequest request) {
-        request.addHeader(OAuthConstants.HEADER, "Bearer " + this.token.getAccessToken());
+        request.addHeader(OAuthConstants.HEADER, "Bearer " + getToken().getAccessToken());
     }
 
     @Override
     public StandardUsernameCredentials getCredentialsForSCM() {
         try {
             return new UsernamePasswordCredentialsImpl(
-                    CredentialsScope.GLOBAL, getId(), null, "x-token-auth", token.getAccessToken());
+                    CredentialsScope.GLOBAL, getId(), null, "x-token-auth", getToken().getAccessToken());
         } catch (FormException e) {
             throw new RuntimeException(e);
         }

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/credentials/BitbucketOAuth.java

@@ -1,3 +1,27 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2018, CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
 package com.cloudbees.jenkins.plugins.bitbucket.credentials;
 
 import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketAuthenticator;
@@ -32,8 +56,7 @@ public BitbucketOAuthAuthenticatorSource() {
      */
     @NonNull
     @Override
-    public BitbucketOAuthAuthenticator convert(
-            @NonNull StandardUsernamePasswordCredentials standardUsernamePasswordCredentials) throws AuthenticationTokenException {
+    public BitbucketOAuthAuthenticator convert(@NonNull StandardUsernamePasswordCredentials standardUsernamePasswordCredentials) throws AuthenticationTokenException {
         return new BitbucketOAuthAuthenticator(standardUsernamePasswordCredentials);
     }
 
@@ -46,8 +69,8 @@ public BitbucketOAuthAuthenticator convert(
      */
     @Override
     protected boolean isFit(AuthenticationTokenContext<? super BitbucketOAuthAuthenticator> ctx) {
-        return ctx.mustHave(BitbucketAuthenticator.SCHEME, "https") && ctx.mustHave(
-                BitbucketAuthenticator.BITBUCKET_INSTANCE_TYPE, BitbucketAuthenticator.BITBUCKET_INSTANCE_TYPE_CLOUD);
+        return ctx.mustHave(BitbucketAuthenticator.SCHEME, "https")
+                && ctx.mustHave(BitbucketAuthenticator.BITBUCKET_INSTANCE_TYPE, BitbucketAuthenticator.BITBUCKET_INSTANCE_TYPE_CLOUD);
     }
 
     /**

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/credentials/BitbucketOAuthAuthenticator.java

@@ -1,3 +1,27 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2018, CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
 package com.cloudbees.jenkins.plugins.bitbucket.credentials;
 
 import com.cloudbees.plugins.credentials.Credentials;
@@ -18,8 +42,9 @@ public class BitbucketOAuthCredentialMatcher implements CredentialsMatcher, Cred
      */
     @Override
     public boolean matches(Credentials item) {
-        if (!(item instanceof UsernamePasswordCredentials))
+        if (!(item instanceof UsernamePasswordCredentials)) {
             return false;
+        }
 
         if(item.getClass().getName().equals("com.cloudbees.jenkins.plugins.amazonecr.AmazonECSRegistryCredential")) {
             return false;