Add hardcoded site flow to the extension

Author: akalia-atlassian

package.json

@@ -100,6 +100,10 @@
     },
     "contributes": {
         "commands": [
+            {
+                "command": "atlascode.authenticateWithBitbucketToken",
+                "title": "Atlasian: Authenticate with Bitbucket Token"
+            },
             {
                 "command": "atlascode.jira.todoIssue",
                 "title": "TO DO"
@@ -1484,6 +1488,46 @@
                     "default": true,
                     "description": "Shows the help explorer treeview",
                     "scope": "window"
+                },
+                "atlascode.internal.hardcodedSite": {
+                    "type": "object",
+                    "properties": {
+                        "product": {
+                            "enum": [
+                                "bitbucket"
+                            ]
+                        },
+                        "host": {
+                            "type": "string"
+                        },
+                        "credentialsPath": {
+                            "type": "string"
+                        },
+                        "credentialsFormat": {
+                            "enum": [
+                                "git-remote",
+                                "self"
+                            ],
+                            "default": "git-remote"
+                        },
+                        "authHeader": {
+                            "enum": [
+                                "bearer",
+                                "basic"
+                            ],
+                            "default": "bearer"
+                        },
+                        "isCloud": {
+                            "type": "boolean",
+                            "default": true
+                        },
+                        "hasResolutionField": {
+                            "type": "boolean",
+                            "default": true
+                        }
+                    },
+                    "description": "The hardcoded site to use for Bitbucket authentication",
+                    "scope": "window"
                 }
             }
         }

src/atlclients/authInfo.ts

@@ -98,7 +98,13 @@ export interface BasicAuthInfo extends AuthInfoCommon {
     password: string;
 }
 
-export type AuthInfo = NoAuthInfo | OAuthInfo | BasicAuthInfo | PATAuthInfo;
+export interface HardCodedAuthInfo extends AuthInfoCommon {
+    type: 'hardcoded';
+    token: string;
+    authHeader: 'bearer' | 'basic';
+}
+
+export type AuthInfo = NoAuthInfo | OAuthInfo | BasicAuthInfo | PATAuthInfo | HardCodedAuthInfo;
 
 export interface UserInfo {
     id: string;
@@ -273,13 +279,11 @@ export function isPATAuthInfo(a: AuthInfo | undefined): a is PATAuthInfo {
 export function getSecretForAuthInfo(info: AuthInfo): string {
     if (isOAuthInfo(info)) {
         return info.access + info.refresh;
-    }
-
-    if (isBasicAuthInfo(info)) {
+    } else if (isBasicAuthInfo(info)) {
         return info.password;
-    }
-
-    if (isPATAuthInfo(info)) {
+    } else if (isPATAuthInfo(info)) {
+        return info.token;
+    } else if (info.type === 'hardcoded') {
         return info.token;
     }
 

src/atlclients/authStore.ts

@@ -308,6 +308,12 @@ export class CredentialManager implements Disposable {
     public async refreshAccessToken(site: DetailedSiteInfo): Promise<boolean> {
         const credentials = await this.getAuthInfo(site);
         if (!isOAuthInfo(credentials)) {
+            if (credentials?.type === 'hardcoded') {
+                const hardcodedSite = Container.calculateHardcodedSite();
+                if (hardcodedSite && hardcodedSite.host === site.host) {
+                    return await Container.loginManager.authenticateHardcodedSite(hardcodedSite, credentials);
+                }
+            }
             return false;
         }
         Logger.debug(`refreshingAccessToken for ${site.baseApiUrl} credentialID: ${site.credentialId}`);

src/atlclients/clientManager.ts

@@ -119,27 +119,31 @@ export class ClientManager implements Disposable {
             let result: BitbucketApi;
             if (site.isCloud) {
                 result = {
-                    repositories: isOAuthInfo(info)
-                        ? new CloudRepositoriesApi(this.createOAuthHTTPClient(site, info))
-                        : undefined!,
-                    pullrequests: isOAuthInfo(info)
-                        ? new CloudPullRequestApi(this.createOAuthHTTPClient(site, info))
-                        : undefined!,
-                    issues: isOAuthInfo(info)
-                        ? new BitbucketIssuesApiImpl(this.createOAuthHTTPClient(site, info))
-                        : undefined!,
-                    pipelines: isOAuthInfo(info)
-                        ? new PipelineApiImpl(this.createOAuthHTTPClient(site, info))
-                        : undefined!,
+                    repositories:
+                        isOAuthInfo(info) || info.type === 'hardcoded'
+                            ? new CloudRepositoriesApi(this.createOAuthHTTPClient(site, info))
+                            : undefined!,
+                    pullrequests:
+                        isOAuthInfo(info) || info.type === 'hardcoded'
+                            ? new CloudPullRequestApi(this.createOAuthHTTPClient(site, info))
+                            : undefined!,
+                    issues:
+                        isOAuthInfo(info) || info.type === 'hardcoded'
+                            ? new BitbucketIssuesApiImpl(this.createOAuthHTTPClient(site, info))
+                            : undefined!,
+                    pipelines:
+                        isOAuthInfo(info) || info.type === 'hardcoded'
+                            ? new PipelineApiImpl(this.createOAuthHTTPClient(site, info))
+                            : undefined!,
                 };
             } else {
                 result = {
                     repositories:
-                        isBasicAuthInfo(info) || isPATAuthInfo(info)
+                        isBasicAuthInfo(info) || isPATAuthInfo(info) || info.type === 'hardcoded'
                             ? new ServerRepositoriesApi(this.createHTTPClient(site, info))
                             : undefined!,
                     pullrequests:
-                        isBasicAuthInfo(info) || isPATAuthInfo(info)
+                        isBasicAuthInfo(info) || isPATAuthInfo(info) || info.type === 'hardcoded'
                             ? new ServerPullRequestApi(this.createHTTPClient(site, info))
                             : undefined!,
                     issues: undefined,

src/atlclients/getUserForBBToken.ts

@@ -0,0 +1,28 @@
+import { Container } from '../container';
+import { getAxiosInstance } from '../jira/jira-client/providers';
+import { OAuthProvider } from './authInfo';
+import { BitbucketResponseHandler } from './responseHandlers/BitbucketResponseHandler';
+import { strategyForProvider } from './strategy';
+
+/**
+ * This is a very oppurtunistic function. This uses different parts of the code written for different purposes
+ * and combines it together instead of rewriting the same code. This ensures that this function will evolve as the code changes.
+ *
+ * Strategy is something catered towarda OAuth flow but their profile / user URLs are universal. So, we use it
+ * to get the URls. Then, `BitbucketResponseHandler` is written exactly to extract the user info given an oauth token.
+ * But the way it is implemented, it does not matter; we can send our auth header ourselves. And so we do.
+ *
+ * `getAxiosInstance` and `Container.analyticsClient` are generic substritutes for their types throughout the code
+ * and so we use them as well.
+ */
+export function getUserForBBToken(authHeader: string) {
+    const axiosInstance = getAxiosInstance();
+
+    const handler = new BitbucketResponseHandler(
+        strategyForProvider(OAuthProvider.BitbucketCloud),
+        Container.analyticsClient,
+        axiosInstance,
+    );
+
+    return handler.user(authHeader);
+}

src/atlclients/loginManager.ts

@@ -1,17 +1,21 @@
+import { readFile } from 'fs/promises';
 import * as vscode from 'vscode';
 
 import { authenticatedEvent, editedEvent } from '../analytics';
 import { AnalyticsClient } from '../analytics-node-client/src/client.min.js';
+import { HardcodedSite, ValidHardcodedSite } from '../config/model';
 import { Container } from '../container';
 import { getAgent, getAxiosInstance } from '../jira/jira-client/providers';
 import { Logger } from '../logger';
 import { SiteManager } from '../siteManager';
+import { substitute } from '../util/variable-substitution';
 import {
     AccessibleResource,
     AuthInfo,
     AuthInfoState,
     BasicAuthInfo,
     DetailedSiteInfo,
+    HardCodedAuthInfo,
     isBasicAuthInfo,
     isOAuthInfo,
     isPATAuthInfo,
@@ -27,6 +31,7 @@ import {
 } from './authInfo';
 import { CredentialManager } from './authStore';
 import { BitbucketAuthenticator } from './bitbucketAuthenticator';
+import { getUserForBBToken } from './getUserForBBToken';
 import { JiraAuthentictor as JiraAuthenticator } from './jiraAuthenticator';
 import { OAuthDancer } from './oauthDancer';
 import { basicAuthEncode } from './strategyCrypto';
@@ -113,6 +118,142 @@ export class LoginManager {
         }
     }
 
+    // Look for https://x-token-auth:<token>@bitbucket.org pattern
+    private extractTokenFromGitRemoteRegex(line: string): string | null {
+        const tokenMatch = line.match(/https:\/\/x-token-auth:([^@]+)@bitbucket\.org/);
+        if (tokenMatch && tokenMatch[1]) {
+            Logger.debug('Auth token found in git remote');
+            return tokenMatch[1];
+        }
+        return null;
+    }
+
+    /**
+     * Extracts auth token from git remote URL
+     * @returns The auth token or null if not found
+     */
+    private async getAuthTokenFromCredentialsPath(
+        credentialsPath: string,
+        credentialsFormat: HardcodedSite['credentialsFormat'],
+    ): Promise<string | null> {
+        try {
+            const resolvedPath = substitute(credentialsPath);
+            const credentialsContents = (await readFile(resolvedPath, 'utf-8')).trim();
+
+            let token: string | null = null;
+            switch (credentialsFormat) {
+                case 'git-remote':
+                    token = this.extractTokenFromGitRemoteRegex(credentialsContents);
+                    break;
+                case 'self':
+                    token = credentialsContents;
+                    break;
+            }
+
+            if (token) {
+                Logger.debug(`Auth token for initial site found`);
+            } else {
+                Logger.warn(`No auth token found for initial site`);
+            }
+            return token;
+        } catch (error) {
+            Logger.error(error, `Error extracting auth token for initial site`);
+            return null;
+        }
+    }
+
+    /**
+     * This function is used to authenticate and add a hardcoded site.
+     *
+     * The flow is quite constant: for a given setting, simply read a token the given credentials path
+     * and update the auth info and site based on the VS Code settings.
+     *
+     * The only branching happens if we provide existing auth info too. In that case, the authentication fails
+     * if the existing auth info is the same as the fetched auth info. This flow is used while refreshing to
+     * know if the token got refreshed or not.
+     */
+    public async authenticateHardcodedSite(
+        hardcodedSite: ValidHardcodedSite,
+        existingAuthInfo?: AuthInfo,
+    ): Promise<boolean> {
+        const { product, host, credentialsPath, credentialsFormat, authHeader } = hardcodedSite;
+
+        let siteProduct: Product | null = null;
+        switch (product) {
+            case 'bitbucket':
+                siteProduct = ProductBitbucket;
+                break;
+            default:
+                Logger.warn(`Invalid product for initial site`);
+                return false;
+        }
+
+        const site: SiteInfo = {
+            host,
+            product: siteProduct,
+        };
+
+        try {
+            const token = await this.getAuthTokenFromCredentialsPath(credentialsPath, credentialsFormat);
+
+            if (!token) {
+                Logger.warn('No hardcoded Bitbucket auth token found');
+                vscode.window.showErrorMessage('No hardcoded Bitbucket auth token found');
+                return false;
+            }
+            Logger.debug('Authenticating with Bitbucket using auth token');
+
+            if (existingAuthInfo && existingAuthInfo.type === 'hardcoded' && existingAuthInfo.token === token) {
+                Logger.debug(`Same token found, skipping authentication`);
+                return false;
+            }
+            // The part of the code where the hardcoded site is assumed to be Bitbucket Cloud.
+            // This function can be extended to support other sites as needed.
+            const userData = await getUserForBBToken(LoginManager.authHeaderMaker(hardcodedSite.authHeader, token));
+
+            const hardcodedAuthInfo: HardCodedAuthInfo = {
+                type: 'hardcoded',
+                token,
+                authHeader,
+                user: {
+                    id: userData.id,
+                    displayName: userData.displayName,
+                    email: userData.email,
+                    avatarUrl: userData.avatarUrl,
+                },
+                state: AuthInfoState.Valid,
+            };
+
+            const detailedSiteInfo: DetailedSiteInfo = {
+                ...site,
+                id: site.host,
+                name: site.host,
+                userId: userData.id,
+                credentialId: CredentialManager.generateCredentialId(site.product.key, userData.id),
+                avatarUrl: userData.avatarUrl,
+                baseLinkUrl: site.host,
+                baseApiUrl: site.host,
+                isCloud: hardcodedSite.isCloud ?? true,
+                hasResolutionField: hardcodedSite.hasResolutionField ?? true,
+            };
+
+            await this._credentialManager.saveAuthInfo(detailedSiteInfo, hardcodedAuthInfo);
+
+            this._siteManager.addOrUpdateSite(detailedSiteInfo);
+            // Fire authenticated event
+            authenticatedEvent(detailedSiteInfo, false).then((e) => {
+                this._analyticsClient.sendTrackEvent(e);
+            });
+            Logger.info(`Successfully authenticated with Bitbucket using auth token`);
+
+            return true;
+        } catch (e) {
+            Logger.error(e, 'Error authenticating with Bitbucket token');
+            vscode.window.showErrorMessage(`Error authenticating with Bitbucket token: ${e}`);
+            return false;
+        }
+    }
+
     private async getOAuthSiteDetails(
         product: Product,
         provider: OAuthProvider,
@@ -167,6 +308,8 @@ export class LoginManager {
             return LoginManager.authHeaderMaker('basic', basicAuthEncode(credentials.username, credentials.password));
         } else if (isPATAuthInfo(credentials)) {
             return LoginManager.authHeaderMaker('bearer', credentials.token);
+        } else if (credentials.type === 'hardcoded') {
+            return LoginManager.authHeaderMaker(credentials.authHeader, credentials.token);
         } else {
             return '';
         }

src/commands.ts

@@ -97,6 +97,7 @@ export enum Commands {
     WorkbenchOpenWorkspace = 'atlascode.workbenchOpenWorkspace',
     CloneRepository = 'atlascode.cloneRepository',
     DisableHelpExplorer = 'atlascode.disableHelpExplorer',
+    AuthenticateWithBitbucketToken = 'atlascode.authenticateWithBitbucketToken',
     CreateNewJql = 'atlascode.jira.createNewJql',
     ToDoIssue = 'atlascode.jira.todoIssue',
     InProgressIssue = 'atlascode.jira.inProgressIssue',
@@ -257,8 +258,8 @@ export function registerCommands(vscodeContext: ExtensionContext) {
         commands.registerCommand(Commands.DisableHelpExplorer, () => {
             configuration.updateEffective('helpExplorerEnabled', false, null, true);
         }),
-        commands.registerCommand(Commands.BitbucketOpenPullRequest, (data: { pullRequestUrl: string }) => {
-            Container.openPullRequestHandler(data.pullRequestUrl);
+        commands.registerCommand(Commands.AuthenticateWithBitbucketToken, () => {
+            Container.authenticateHardcodedSite();
         }),
     );
 }