[JENKINS-75735] Hook payload is discarded if not recognized and comes from Bitbucket Cloud and DataCenter instances

Change test cases to better reflect the header sent in the request of a webhook
Add payload examples provided by Alexey P. from moveworkforward support team.

Author: nfalco79

docs/USER_GUIDE.adoc

@@ -119,7 +119,7 @@ For Bitbucket Data Center only it is possible chose which webhooks implementatio
 
 - Native implementation will configure the webhooks provided by default with the Server, so it will always be available.
 
-- Plugin implementation relies on the configuration available via specific APIs provided by the https://marketplace.atlassian.com/apps/1215474/post-webhooks-for-bitbucket?tab=overview&hosting=datacenter[Post Webhooks for Bitbucket] plugin itself. To get it worked plugin must be already pre-installed on the server instance. This provider allows custom settings managed by the _ignore committers_ trait. _Note: This specific implementation will be moved to an individual repository as soon as https://issues.jenkins.io/browse/JENKINS-74913[JENKINS-74913] is implemented._
+- Plugin implementation (*deprecated*) relies on the configuration available via specific APIs provided by the https://marketplace.atlassian.com/apps/1215474/post-webhooks-for-bitbucket?tab=overview&hosting=datacenter[Post Webhooks for Bitbucket] plugin itself. To get it worked plugin must be already pre-installed on the server instance. This provider allows custom settings managed by the _ignore committers_ trait. _Note: This specific implementation will be moved to an individual repository as soon as https://issues.jenkins.io/browse/JENKINS-74913[JENKINS-74913] is implemented._
 
 image::images/screenshot-14.png[]
 
@@ -131,7 +131,7 @@ image::images/screenshot-18.png[]
 IMPORTANT: In order to have the auto-registering process working fine the Jenkins base URL must be
 properly configured in _Manage Jenkins_ » _System_
 
-=== Webhooks signature
+=== Signature verification for incoming webhooks
 
 Once Jenkins is configured to receive payloads, it will listen for any delivery that's sent to the endpoint you configured. For security reasons, you should only process deliveries from Bitbucket.
 To ensure your self-hosted server only processes deliveries from Bitbucket, you need to:

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/hooks/BitbucketSCMSourcePushHookReceiver.java

@@ -107,16 +107,20 @@ public HttpResponse doNotify(StaplerRequest2 req) throws IOException {
             return HttpResponses.error(HttpServletResponse.SC_BAD_REQUEST, "X-Event-Key HTTP header invalid: " + eventKey);
         }
 
-        String bitbucketKey = req.getHeader("X-Bitbucket-Type");
+        String bitbucketKey = req.getHeader("X-Bitbucket-Type"); // specific header from Plugin implementation
         String serverURL = req.getParameter("server_url");
 
         BitbucketType instanceType = null;
         if (bitbucketKey != null) {
             instanceType = BitbucketType.fromString(bitbucketKey);
         }
-        if (instanceType == null && serverURL != null) {
-            LOGGER.log(Level.FINE, "server_url request parameter found. Bitbucket Native Server webhook incoming.");
-            instanceType = BitbucketType.SERVER;
+        if (serverURL != null) {
+            if (instanceType == null) {
+                LOGGER.log(Level.FINE, "server_url request parameter found. Bitbucket Native Server webhook incoming.");
+                instanceType = BitbucketType.SERVER;
+            } else {
+                LOGGER.log(Level.FINE, "X-Bitbucket-Type header / server_url request parameter found. Bitbucket Plugin Server webhook incoming.");
+            }
         } else {
             LOGGER.log(Level.FINE, "X-Bitbucket-Type header / server_url request parameter not found. Bitbucket Cloud webhook incoming.");
             instanceType = BitbucketType.CLOUD;
@@ -179,7 +183,7 @@ private HttpResponseException checkSignature(@NonNull StaplerRequest2 req, @NonN
             String requestId = ObjectUtils.firstNonNull(req.getHeader("X-Request-UUID"), req.getHeader("X-Request-Id"));
             String hookSignatureCredentialsId = endpoint.getHookSignatureCredentialsId();
             LOGGER.log(Level.WARNING, "No credentials {0} found to verify the signature of incoming webhook {1} request {2}", new Object[] { hookSignatureCredentialsId, hookId, requestId });
-            return HttpResponses.error(HttpServletResponse.SC_FORBIDDEN, "No credentials " + hookSignatureCredentialsId + " found to verify the signature");
+            return HttpResponses.error(HttpServletResponse.SC_FORBIDDEN, "No credentials " + hookSignatureCredentialsId + " found in Jenkins to verify the signature");
         }
         return null;
     }

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/server/BitbucketServerWebhookImplementation.java

@@ -28,7 +28,7 @@
 /** The different webhook implementations available for Bitbucket Server. */
 public enum BitbucketServerWebhookImplementation implements ModelObject {
     /** Plugin-based webhooks. */
-    PLUGIN("Plugin - Deprecated"),
+    PLUGIN("Plugin"),
 
     /** Native webhooks, available since Bitbucket Server 5.4. */
     NATIVE("Native");

src/test/java/com/cloudbees/jenkins/plugins/bitbucket/hooks/BitbucketSCMSourcePushHookReceiverTest.java

@@ -107,8 +107,21 @@ private void mockServerRequest(String serverURL) {
         when(req.getHeader("User-Agent")).thenReturn("Atlassian HttpClient 4.2.0 / Bitbucket-9.5.2 (9005002) / Default");
     }
 
+    private void mockPluginRequest(String serverURL) {
+        when(req.getRemoteHost()).thenReturn("http://localhost:7990");
+        when(req.getParameter("server_url")).thenReturn(serverURL);
+        when(req.getRemoteAddr()).thenReturn("127.0.0.1");
+        when(req.getScheme()).thenReturn("https");
+        when(req.getServerName()).thenReturn("jenkins.example.com");
+        when(req.getLocalPort()).thenReturn(80);
+        when(req.getRequestURI()).thenReturn("/bitbucket-scmsource-hook/notify");
+        when(req.getHeader("Content-Type")).thenReturn("application/json; charset=utf-8");
+        when(req.getHeader("X-Bitbucket-Type")).thenReturn("server");
+        when(req.getHeader("User-Agent")).thenReturn("Bitbucket version: 8.18.0, Post webhook plugin version: 7.13.41-SNAPSHOT");
+    }
+
     @Test
-    void test_signature_is_missing_from_cloud_payload() throws Exception {
+    void test_cloud_signature_is_missing() throws Exception {
         BitbucketCloudEndpoint endpoint = new BitbucketCloudEndpoint(false, 0, 0, false, null , true, credentialsId);
         endpoint.setBitbucketJenkinsRootUrl("http://jenkins.acme.com:8080/jenkins");
         BitbucketEndpointConfiguration.get().updateEndpoint(endpoint);
@@ -126,7 +139,7 @@ void test_signature_is_missing_from_cloud_payload() throws Exception {
     }
 
     @Test
-    void test_signature_from_cloud() throws Exception {
+    void test_cloud_signature() throws Exception {
         mockCloudRequest();
         BitbucketCloudEndpoint endpoint = new BitbucketCloudEndpoint(false, 0, 0, false, null , true, credentialsId);
         endpoint.setBitbucketJenkinsRootUrl("http://jenkins.acme.com:8080/jenkins");
@@ -150,7 +163,7 @@ void test_signature_from_cloud() throws Exception {
     }
 
     @Test
-    void test_bad_signature_from_cloud() throws Exception {
+    void test_cloud_bad_signature() throws Exception {
         BitbucketCloudEndpoint endpoint = new BitbucketCloudEndpoint(false, 0, 0, false, null , true, credentialsId);
         endpoint.setBitbucketJenkinsRootUrl("http://jenkins.acme.com:8080/jenkins");
         BitbucketEndpointConfiguration.get().updateEndpoint(endpoint);
@@ -169,7 +182,7 @@ void test_bad_signature_from_cloud() throws Exception {
     }
 
     @Test
-    void test_signature_from_native_server() throws Exception {
+    void test_native_signature() throws Exception {
         BitbucketServerEndpoint endpoint = new BitbucketServerEndpoint("datacenter", "http://localhost:7990/bitbucket", false, null, true, credentialsId);
         endpoint.setBitbucketJenkinsRootUrl("https://jenkins.example.com");
         BitbucketEndpointConfiguration.get().updateEndpoint(endpoint);
@@ -202,7 +215,7 @@ void test_signature_from_native_server() throws Exception {
     }
 
     @Test
-    void test_ping_from_native_server() throws Exception {
+    void test_native_ping() throws Exception {
         BitbucketServerEndpoint endpoint = new BitbucketServerEndpoint("datacenter", "http://localhost:7990/bitbucket", false, null, false, null);
         endpoint.setBitbucketJenkinsRootUrl("https://jenkins.example.com");
         BitbucketEndpointConfiguration.get().updateEndpoint(endpoint);
@@ -225,7 +238,102 @@ void test_ping_from_native_server() throws Exception {
     }
 
     @Test
-    void test_bad_signature_from_native_server() throws Exception {
+    void test_plugin_pullrequest_created() throws Exception {
+        BitbucketServerEndpoint endpoint = new BitbucketServerEndpoint("datacenter", "http://localhost:7990/bitbucket", false, null, false, null);
+        endpoint.setBitbucketJenkinsRootUrl("https://jenkins.example.com");
+        BitbucketEndpointConfiguration.get().updateEndpoint(endpoint);
+
+        try {
+            mockPluginRequest(endpoint.getServerUrl());
+            when(req.getHeader("X-Event-Key")).thenReturn("pullrequest:created");
+            when(req.getInputStream()).thenReturn(loadResource("plugin/pullrequest_created.json"));
+
+            sut.doNotify(req);
+            verify(hookProcessor).process(
+                    eq(HookEventType.PULL_REQUEST_CREATED),
+                    anyString(),
+                    eq(BitbucketType.SERVER),
+                    eq("http://localhost:7990/127.0.0.1 ⇒ https://jenkins.example.com:80/bitbucket-scmsource-hook/notify"),
+                    eq(endpoint.getServerUrl()));
+        } finally {
+            BitbucketEndpointConfiguration.get().removeEndpoint(endpoint.getServerUrl());
+        }
+    }
+
+    @Test
+    void test_plugin_pullrequest_updated() throws Exception {
+        BitbucketServerEndpoint endpoint = new BitbucketServerEndpoint("datacenter", "http://localhost:7990/bitbucket", false, null, false, null);
+        endpoint.setBitbucketJenkinsRootUrl("https://jenkins.example.com");
+        BitbucketEndpointConfiguration.get().updateEndpoint(endpoint);
+
+        try {
+            mockPluginRequest(endpoint.getServerUrl());
+            when(req.getHeader("X-Event-Key")).thenReturn("pullrequest:updated");
+            when(req.getInputStream()).thenReturn(loadResource("plugin/pullrequest_updated.json"));
+
+            sut.doNotify(req);
+            verify(hookProcessor).process(
+                    eq(HookEventType.PULL_REQUEST_UPDATED),
+                    anyString(),
+                    eq(BitbucketType.SERVER),
+                    eq("http://localhost:7990/127.0.0.1 ⇒ https://jenkins.example.com:80/bitbucket-scmsource-hook/notify"),
+                    eq(endpoint.getServerUrl()));
+        } finally {
+            BitbucketEndpointConfiguration.get().removeEndpoint(endpoint.getServerUrl());
+        }
+    }
+
+    @Test
+    void test_plugin_pullrequest_merged() throws Exception {
+        BitbucketServerEndpoint endpoint = new BitbucketServerEndpoint("datacenter", "http://localhost:7990/bitbucket", false, null, false, null);
+        endpoint.setBitbucketJenkinsRootUrl("https://jenkins.example.com");
+        BitbucketEndpointConfiguration.get().updateEndpoint(endpoint);
+
+        try {
+            mockPluginRequest(endpoint.getServerUrl());
+            when(req.getHeader("X-Event-Key")).thenReturn("pullrequest:fulfilled");
+            when(req.getInputStream()).thenReturn(loadResource("plugin/pullrequest_merged.json"));
+
+            sut.doNotify(req);
+            verify(hookProcessor).process(
+                    eq(HookEventType.PULL_REQUEST_MERGED),
+                    anyString(),
+                    eq(BitbucketType.SERVER),
+                    eq("http://localhost:7990/127.0.0.1 ⇒ https://jenkins.example.com:80/bitbucket-scmsource-hook/notify"),
+                    eq(endpoint.getServerUrl()));
+        } finally {
+            BitbucketEndpointConfiguration.get().removeEndpoint(endpoint.getServerUrl());
+        }
+    }
+
+    @Test
+    void test_plugin_create_branch() throws Exception {
+        BitbucketServerEndpoint endpoint = new BitbucketServerEndpoint("datacenter", "http://localhost:7990/bitbucket", false, null, false, null);
+        endpoint.setBitbucketJenkinsRootUrl("https://jenkins.example.com");
+        BitbucketEndpointConfiguration.get().updateEndpoint(endpoint);
+
+        try {
+            mockPluginRequest(endpoint.getServerUrl());
+            when(req.getHeader("X-Event-Key")).thenReturn("repo:push");
+            when(req.getInputStream()).thenReturn(loadResource("plugin/branch_created.json"));
+            // when(req.getInputStream()).thenReturn(loadResource("plugin/branch_deleted.json"));
+            // when(req.getInputStream()).thenReturn(loadResource("plugin/commit_update.json"));
+            // when(req.getInputStream()).thenReturn(loadResource("plugin/commit_update2.json"));
+
+            sut.doNotify(req);
+            verify(hookProcessor).process(
+                    eq(HookEventType.PUSH),
+                    anyString(),
+                    eq(BitbucketType.SERVER),
+                    eq("http://localhost:7990/127.0.0.1 ⇒ https://jenkins.example.com:80/bitbucket-scmsource-hook/notify"),
+                    eq(endpoint.getServerUrl()));
+        } finally {
+            BitbucketEndpointConfiguration.get().removeEndpoint(endpoint.getServerUrl());
+        }
+    }
+
+    @Test
+    void test_native_bad_signature() throws Exception {
         BitbucketServerEndpoint endpoint = new BitbucketServerEndpoint("datacenter", "http://localhost:7990/bitbucket", false, null, true, credentialsId);
         endpoint.setBitbucketJenkinsRootUrl("https://jenkins.example.com");
         BitbucketEndpointConfiguration.get().updateEndpoint(endpoint);

src/test/resources/com/cloudbees/jenkins/plugins/bitbucket/hooks/plugin/branch_created.json

@@ -0,0 +1,48 @@
+{
+    "actor": {
+        "username": "admin",
+        "displayName": "Administrator",
+        "emailAddress": "admin@example.com"
+    },
+    "repository": {
+        "scmId": "git",
+        "project": {
+            "key": "PROJECT_1",
+            "name": "Project 1"
+        },
+        "slug": "rep_1",
+        "links": {
+            "self": [
+                {
+                    "href": "http://localhost:7990/bitbucket/projects/PROJECT_1/repos/rep_1/browse"
+                }
+            ]
+        },
+        "public": false,
+        "ownerName": "PROJECT_1",
+        "fullName": "PROJECT_1/rep_1",
+        "owner": {
+            "username": "PROJECT_1",
+            "displayName": "PROJECT_1",
+            "emailAddress": null
+        }
+    },
+    "push": {
+        "changes": [
+            {
+                "created": true,
+                "closed": false,
+                "new": {
+                    "type": "branch",
+                    "name": "test-webhook",
+                    "target": {
+                        "type": "commit",
+                        "hash": "417b2f673581ee6000e260a5fa65e62b56c7a3cd",
+                        "commitMessage": "Test webhooks"
+                    }
+                },
+                "old": null
+            }
+        ]
+    }
+}

src/test/resources/com/cloudbees/jenkins/plugins/bitbucket/hooks/plugin/branch_deleted.json

@@ -0,0 +1,48 @@
+{
+    "actor": {
+        "username": "admin",
+        "displayName": "Administrator",
+        "emailAddress": "admin@example.com"
+    },
+    "repository": {
+        "scmId": "git",
+        "project": {
+            "key": "PROJECT_1",
+            "name": "Project 1"
+        },
+        "slug": "rep_1",
+        "links": {
+            "self": [
+                {
+                    "href": "http://localhost:7990/bitbucket/projects/PROJECT_1/repos/rep_1/browse"
+                }
+            ]
+        },
+        "public": false,
+        "ownerName": "PROJECT_1",
+        "fullName": "PROJECT_1/rep_1",
+        "owner": {
+            "username": "PROJECT_1",
+            "displayName": "PROJECT_1",
+            "emailAddress": null
+        }
+    },
+    "push": {
+        "changes": [
+            {
+                "created": false,
+                "closed": true,
+                "new": null,
+                "old": {
+                    "type": "branch",
+                    "name": "test-webhook",
+                    "target": {
+                        "type": "commit",
+                        "hash": "c0158b3e6c8cecf3bddc39d20957a98660cd23fd",
+                        "commitMessage": "Test webhook 2"
+                    }
+                }
+            }
+        ]
+    }
+}

src/test/resources/com/cloudbees/jenkins/plugins/bitbucket/hooks/plugin/commit_update.json

@@ -0,0 +1,56 @@
+{
+    "actor": {
+        "username": "admin",
+        "displayName": "Administrator",
+        "emailAddress": "admin@example.com"
+    },
+    "repository": {
+        "scmId": "git",
+        "project": {
+            "key": "PROJECT_1",
+            "name": "Project 1"
+        },
+        "slug": "rep_1",
+        "links": {
+            "self": [
+                {
+                    "href": "http://localhost:7990/bitbucket/projects/PROJECT_1/repos/rep_1/browse"
+                }
+            ]
+        },
+        "public": false,
+        "ownerName": "PROJECT_1",
+        "fullName": "PROJECT_1/rep_1",
+        "owner": {
+            "username": "PROJECT_1",
+            "displayName": "PROJECT_1",
+            "emailAddress": null
+        }
+    },
+    "push": {
+        "changes": [
+            {
+                "created": false,
+                "closed": false,
+                "new": {
+                    "type": "branch",
+                    "name": "test-webhook",
+                    "target": {
+                        "type": "commit",
+                        "hash": "c0158b3e6c8cecf3bddc39d20957a98660cd23fd",
+                        "commitMessage": "Test webhook 2"
+                    }
+                },
+                "old": {
+                    "type": "branch",
+                    "name": "test-webhook",
+                    "target": {
+                        "type": "commit",
+                        "hash": "417b2f673581ee6000e260a5fa65e62b56c7a3cd",
+                        "commitMessage": "Test webhooks"
+                    }
+                }
+            }
+        ]
+    }
+}