[SECURITY-3363]

jenkinsci · Jun 18, 2024 · ad359b3 · ad359b3
1 parent 44cf5e4
commit ad359b3
Show file tree

Hide file tree

Showing 6 changed files with 65 additions and 26 deletions.
diff --git a/src/main/java/com/cloudbees/jenkins/plugins/bitbucket/BitbucketSCMSource.java b/src/main/java/com/cloudbees/jenkins/plugins/bitbucket/BitbucketSCMSource.java
@@ -1029,7 +1029,9 @@ public SCM build(SCMHead head, SCMRevision revision) {
         switch (type) {
             case GIT:
             default:
-                return new BitbucketGitSCMBuilder(this, head, revision, getCredentialsId())
+                BitbucketAuthenticator authenticator = authenticator();
+                return new BitbucketGitSCMBuilder(this, head, revision, null)
+                        .withExtension(authenticator == null ? null : new GitClientAuthenticatorExtension(authenticator.getCredentialsForScm()))
                         .withCloneLinks(primaryCloneLinks, mirrorCloneLinks)
                         .withTraits(traits)
                         .build();

diff --git a/src/main/java/com/cloudbees/jenkins/plugins/bitbucket/GitClientAuthenticatorExtension.java b/src/main/java/com/cloudbees/jenkins/plugins/bitbucket/GitClientAuthenticatorExtension.java
@@ -0,0 +1,25 @@
+package com.cloudbees.jenkins.plugins.bitbucket;
+
+import com.cloudbees.plugins.credentials.common.StandardUsernameCredentials;
+import hudson.plugins.git.GitException;
+import hudson.plugins.git.GitSCM;
+import hudson.plugins.git.extensions.GitSCMExtension;
+import org.jenkinsci.plugins.gitclient.GitClient;
+
+public class GitClientAuthenticatorExtension extends GitSCMExtension {
+
+    private final StandardUsernameCredentials credentials;
+
+    public GitClientAuthenticatorExtension(StandardUsernameCredentials credentials) {
+        this.credentials = credentials;
+    }
+
+    @Override
+    public GitClient decorate(GitSCM scm, GitClient git) throws GitException {
+        if (credentials != null) {
+            git.setCredentials(credentials);
+        }
+
+        return git;
+    }
+}
diff --git a/src/main/java/com/cloudbees/jenkins/plugins/bitbucket/api/BitbucketAuthenticator.java b/src/main/java/com/cloudbees/jenkins/plugins/bitbucket/api/BitbucketAuthenticator.java
@@ -26,6 +26,7 @@
 
 import com.cloudbees.jenkins.plugins.bitbucket.endpoints.BitbucketCloudEndpoint;
 import com.cloudbees.plugins.credentials.common.StandardCredentials;
+import com.cloudbees.plugins.credentials.common.StandardUsernameCredentials;
 import jenkins.authentication.tokens.api.AuthenticationTokenContext;
 import org.apache.http.HttpHost;
 import org.apache.http.HttpRequest;
@@ -107,6 +108,16 @@ public void configureRequest(HttpRequest request) {
         // override to configure HttpRequest
     }
 
+
+    /**
+     * Provides credentials that can be used for authenticated interactions with SCM.
+     *
+     * @return credentials to be passed to {@link org.jenkinsci.plugins.gitclient.GitClient#setCredentials(StandardUsernameCredentials)}
+     */
+    public StandardUsernameCredentials getCredentialsForScm() {
+        return null;
+    }
+
     /**
      * Add authentication token to clone link if
      * authentication method requires it

diff --git a/...loudbees/jenkins/plugins/bitbucket/api/credentials/BitbucketAccessTokenAuthenticator.java b/...loudbees/jenkins/plugins/bitbucket/api/credentials/BitbucketAccessTokenAuthenticator.java
@@ -1,7 +1,11 @@
 package com.cloudbees.jenkins.plugins.bitbucket.api.credentials;
 
 import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketAuthenticator;
+import com.cloudbees.plugins.credentials.CredentialsScope;
+import com.cloudbees.plugins.credentials.common.StandardUsernameCredentials;
+import com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl;
 import hudson.util.Secret;
+import org.apache.commons.lang.StringUtils;
 import org.apache.http.HttpHeaders;
 import org.apache.http.HttpRequest;
 import org.jenkinsci.plugins.plaincredentials.StringCredentials;
@@ -31,4 +35,10 @@ public BitbucketAccessTokenAuthenticator(StringCredentials credentials) {
     public void configureRequest(HttpRequest request) {
         request.setHeader(HttpHeaders.AUTHORIZATION, "Bearer " + token.getPlainText());
     }
+
+    @Override
+    public StandardUsernameCredentials getCredentialsForScm() {
+        return new UsernamePasswordCredentialsImpl(
+                CredentialsScope.GLOBAL, null, null, StringUtils.EMPTY, token.getPlainText());
+    }
 }
diff --git a/.../com/cloudbees/jenkins/plugins/bitbucket/api/credentials/BitbucketOAuthAuthenticator.java b/.../com/cloudbees/jenkins/plugins/bitbucket/api/credentials/BitbucketOAuthAuthenticator.java
@@ -1,10 +1,11 @@
 package com.cloudbees.jenkins.plugins.bitbucket.api.credentials;
 
 import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketAuthenticator;
-import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketHref;
+import com.cloudbees.plugins.credentials.CredentialsScope;
+import com.cloudbees.plugins.credentials.common.StandardUsernameCredentials;
 import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
-import java.net.URI;
-import java.net.URISyntaxException;
+import com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl;
+import org.apache.commons.lang.StringUtils;
 import org.apache.http.HttpRequest;
 import org.scribe.model.OAuthConfig;
 import org.scribe.model.OAuthConstants;
@@ -38,27 +39,8 @@ public void configureRequest(HttpRequest request) {
     }
 
     @Override
-    public BitbucketHref addAuthToken(BitbucketHref bitbucketHref) {
-        String link = bitbucketHref.getHref();
-        if (!link.startsWith("http")) {
-            return bitbucketHref;
-        }
-        try {
-            URI uri = new URI(link);
-            String userInfo = "x-token-auth:{" + token.getToken() + "}";
-            String newLink = new URI(
-                uri.getScheme(),
-                userInfo,
-                uri.getHost(),
-                uri.getPort(),
-                uri.getPath(),
-                uri.getQuery(),
-                uri.getFragment()
-            ).toString();
-            return new BitbucketHref(bitbucketHref.getName(), newLink);
-        } catch (URISyntaxException e) {
-            throw new RuntimeException(e);
-        }
+    public StandardUsernameCredentials getCredentialsForScm() {
+        return new UsernamePasswordCredentialsImpl(
+                CredentialsScope.GLOBAL, null, null, StringUtils.EMPTY, token.getToken());
     }
-
 }
diff --git a/...ees/jenkins/plugins/bitbucket/api/credentials/BitbucketUsernamePasswordAuthenticator.java b/...ees/jenkins/plugins/bitbucket/api/credentials/BitbucketUsernamePasswordAuthenticator.java
@@ -26,7 +26,10 @@
 package com.cloudbees.jenkins.plugins.bitbucket.api.credentials;
 
 import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketAuthenticator;
+import com.cloudbees.plugins.credentials.CredentialsScope;
+import com.cloudbees.plugins.credentials.common.StandardUsernameCredentials;
 import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
+import com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.apache.http.HttpHost;
@@ -74,4 +77,10 @@ public void configureContext(HttpClientContext context, HttpHost host) {
         context.setCredentialsProvider(credentialsProvider);
         context.setAuthCache(authCache);
     }
+
+    @Override
+    public StandardUsernameCredentials getCredentialsForScm() {
+        return new UsernamePasswordCredentialsImpl(
+                CredentialsScope.GLOBAL, null, null, httpCredentials.getUserName(), httpCredentials.getPassword());
+    }
 }