oauth2-proxy/oauth2-proxy

package providers

import (
    "context"
    "net/url"
    "strings"

    "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
    "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
    "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
    "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests"
)

// BitbucketProvider represents an Bitbucket based Identity Provider
type BitbucketProvider struct {
    *ProviderData
    Team       string
    Repository string
}

var _ Provider = (*BitbucketProvider)(nil)

const (
    bitbucketProviderName = "Bitbucket"
    bitbucketDefaultScope = "email"
)

var (
    // Default Login URL for Bitbucket.
    // Pre-parsed URL of https://bitbucket.org/site/oauth2/authorize.
    bitbucketDefaultLoginURL = &url.URL{
        Scheme: "https",
        Host:   "bitbucket.org",
        Path:   "/site/oauth2/authorize",
    }

    // Default Redeem URL for Bitbucket.
    // Pre-parsed URL of https://bitbucket.org/site/oauth2/access_token.
    bitbucketDefaultRedeemURL = &url.URL{
        Scheme: "https",
        Host:   "bitbucket.org",
        Path:   "/site/oauth2/access_token",
    }

    // Default Validation URL for Bitbucket.
    // This simply returns the email of the authenticated user.
    // Bitbucket does not have a Profile URL to use.
    // Pre-parsed URL of https://api.bitbucket.org/2.0/user/emails.
    bitbucketDefaultValidateURL = &url.URL{
        Scheme: "https",
        Host:   "api.bitbucket.org",
        Path:   "/2.0/user/emails",
    }
)

// NewBitbucketProvider initiates a new BitbucketProvider
func NewBitbucketProvider(p *ProviderData, opts options.BitbucketOptions) *BitbucketProvider {
    p.setProviderDefaults(providerDefaults{
        name:        bitbucketProviderName,
        loginURL:    bitbucketDefaultLoginURL,
        redeemURL:   bitbucketDefaultRedeemURL,
        profileURL:  nil,
        validateURL: bitbucketDefaultValidateURL,
        scope:       bitbucketDefaultScope,
    })

    provider := &BitbucketProvider{ProviderData: p}

    if opts.Team != "" {
        provider.setTeam(opts.Team)
    }
    if opts.Repository != "" {
        provider.setRepository(opts.Repository)
    }
    return provider
}

// setTeam defines the Bitbucket team the user must be part of
func (p *BitbucketProvider) setTeam(team string) {
    p.Team = team
    if !strings.Contains(p.Scope, "team") {
        p.Scope += " team"
    }
}

// setRepository defines the repository the user must have access to
func (p *BitbucketProvider) setRepository(repository string) {
    p.Repository = repository
    if !strings.Contains(p.Scope, "repository") {
        p.Scope += " repository"
    }
}

// GetEmailAddress returns the email of the authenticated user
func (p *BitbucketProvider) GetEmailAddress(ctx context.Context, s *sessions.SessionState) (string, error) {

    var emails struct {
        Values []struct {
            Email   string `json:"email"`
            Primary bool   `json:"is_primary"`
        }
    }
    var teams struct {
        Values []struct {
            Name string `json:"username"`
        }
    }
    var repositories struct {
        Values []struct {
            FullName string `json:"full_name"`
        }
    }

    requestURL := p.ValidateURL.String() + "?access_token=" + s.AccessToken
    err := requests.New(requestURL).
        WithContext(ctx).
        Do().
        UnmarshalInto(&emails)
    if err != nil {
        logger.Errorf("failed making request: %v", err)
        return "", err
    }

    if p.Team != "" {
        teamURL := &url.URL{}
        *teamURL = *p.ValidateURL
        teamURL.Path = "/2.0/teams"

        requestURL := teamURL.String() + "?role=member&access_token=" + s.AccessToken

        err := requests.New(requestURL).
            WithContext(ctx).
            Do().
            UnmarshalInto(&teams)
        if err != nil {
            logger.Errorf("failed requesting teams membership: %v", err)
            return "", err
        }
        var found = false
        for _, team := range teams.Values {
            if p.Team == team.Name {
                found = true
                break
            }
        }
        if !found {
            logger.Error("team membership test failed, access denied")
            return "", nil
        }
    }

    if p.Repository != "" {
        repositoriesURL := &url.URL{}
        *repositoriesURL = *p.ValidateURL
        repositoriesURL.Path = "/2.0/repositories/" + strings.Split(p.Repository, "/")[0]

        requestURL := repositoriesURL.String() + "?role=contributor" +
            "&q=full_name=" + url.QueryEscape("\""+p.Repository+"\"") +
            "&access_token=" + s.AccessToken

        err := requests.New(requestURL).
            WithContext(ctx).
            Do().
            UnmarshalInto(&repositories)
        if err != nil {
            logger.Errorf("failed checking repository access: %v", err)
            return "", err
        }

        var found = false
        for _, repository := range repositories.Values {
            if p.Repository == repository.FullName {
                found = true
                break
            }
        }
        if !found {
            logger.Error("repository access test failed, access denied")
            return "", nil
        }
    }

    for _, email := range emails.Values {
        if email.Primary {
            return email.Email, nil
        }
    }

    return "", nil
}