oauth2-proxy/providers/bitbucket.go

package providers

import (
	"context"
	"net/url"
	"strings"

	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests"
)

// BitbucketProvider represents an Bitbucket based Identity Provider
type BitbucketProvider struct {
	*ProviderData
	Team       string
	Repository string
}

var _ Provider = (*BitbucketProvider)(nil)

const (
	bitbucketProviderName = "Bitbucket"
	bitbucketDefaultScope = "email"
)

var (
	// Default Login URL for Bitbucket.
	// Pre-parsed URL of https://bitbucket.org/site/oauth2/authorize.
	bitbucketDefaultLoginURL = &url.URL{
		Scheme: "https",
		Host:   "bitbucket.org",
		Path:   "/site/oauth2/authorize",
	}

	// Default Redeem URL for Bitbucket.
	// Pre-parsed URL of https://bitbucket.org/site/oauth2/access_token.
	bitbucketDefaultRedeemURL = &url.URL{
		Scheme: "https",
		Host:   "bitbucket.org",
		Path:   "/site/oauth2/access_token",
	}

	// Default Validation URL for Bitbucket.
	// This simply returns the email of the authenticated user.
	// Bitbucket does not have a Profile URL to use.
	// Pre-parsed URL of https://api.bitbucket.org/2.0/user/emails.
	bitbucketDefaultValidateURL = &url.URL{
		Scheme: "https",
		Host:   "api.bitbucket.org",
		Path:   "/2.0/user/emails",
	}
)

// NewBitbucketProvider initiates a new BitbucketProvider
func NewBitbucketProvider(p *ProviderData, opts options.BitbucketOptions) *BitbucketProvider {
	p.setProviderDefaults(providerDefaults{
		name:        bitbucketProviderName,
		loginURL:    bitbucketDefaultLoginURL,
		redeemURL:   bitbucketDefaultRedeemURL,
		profileURL:  nil,
		validateURL: bitbucketDefaultValidateURL,
		scope:       bitbucketDefaultScope,
	})

	provider := &BitbucketProvider{ProviderData: p}

	if opts.Team != "" {
		provider.setTeam(opts.Team)
	}
	if opts.Repository != "" {
		provider.setRepository(opts.Repository)
	}
	return provider
}

// setTeam defines the Bitbucket team the user must be part of
func (p *BitbucketProvider) setTeam(team string) {
	p.Team = team
	if !strings.Contains(p.Scope, "team") {
		p.Scope += " team"
	}
}

// setRepository defines the repository the user must have access to
func (p *BitbucketProvider) setRepository(repository string) {
	p.Repository = repository
	if !strings.Contains(p.Scope, "repository") {
		p.Scope += " repository"
	}
}

// GetEmailAddress returns the email of the authenticated user
func (p *BitbucketProvider) GetEmailAddress(ctx context.Context, s *sessions.SessionState) (string, error) {

	var emails struct {
		Values []struct {
			Email   string `json:"email"`
			Primary bool   `json:"is_primary"`
		}
	}
	var teams struct {
		Values []struct {
			Name string `json:"username"`
		}
	}
	var repositories struct {
		Values []struct {
			FullName string `json:"full_name"`
		}
	}

	requestURL := p.ValidateURL.String() + "?access_token=" + s.AccessToken
	err := requests.New(requestURL).
		WithContext(ctx).
		Do().
		UnmarshalInto(&emails)
	if err != nil {
		logger.Errorf("failed making request: %v", err)
		return "", err
	}

	if p.Team != "" {
		teamURL := &url.URL{}
		*teamURL = *p.ValidateURL
		teamURL.Path = "/2.0/teams"

		requestURL := teamURL.String() + "?role=member&access_token=" + s.AccessToken

		err := requests.New(requestURL).
			WithContext(ctx).
			Do().
			UnmarshalInto(&teams)
		if err != nil {
			logger.Errorf("failed requesting teams membership: %v", err)
			return "", err
		}
		var found = false
		for _, team := range teams.Values {
			if p.Team == team.Name {
				found = true
				break
			}
		}
		if !found {
			logger.Error("team membership test failed, access denied")
			return "", nil
		}
	}

	if p.Repository != "" {
		repositoriesURL := &url.URL{}
		*repositoriesURL = *p.ValidateURL
		repositoriesURL.Path = "/2.0/repositories/" + strings.Split(p.Repository, "/")[0]

		requestURL := repositoriesURL.String() + "?role=contributor" +
			"&q=full_name=" + url.QueryEscape("\""+p.Repository+"\"") +
			"&access_token=" + s.AccessToken

		err := requests.New(requestURL).
			WithContext(ctx).
			Do().
			UnmarshalInto(&repositories)
		if err != nil {
			logger.Errorf("failed checking repository access: %v", err)
			return "", err
		}

		var found = false
		for _, repository := range repositories.Values {
			if p.Repository == repository.FullName {
				found = true
				break
			}
		}
		if !found {
			logger.Error("repository access test failed, access denied")
			return "", nil
		}
	}

	for _, email := range emails.Values {
		if email.Primary {
			return email.Email, nil
		}
	}

	return "", nil
}