[JENKINS-75680] Authentication fails when call secured REST API (#1048)

Add a check to fail fast a client instance if the authenticator is not supported.

Author: nfalco79

docs/USER_GUIDE.adoc

@@ -155,9 +155,26 @@ As the `Checkout Credential` configuration was removed in commit (link:https://g
 
 image::images/screenshot-7.png[]
 
-=== Access Token
+=== Username/Password (Bitbucket Data Center only)
 
-The plugin can make use of a repository, project or workspace access token (Bitbucket Cloud only).
+The plugin can use a personal username and password to login (if SSO and MFA in not enabled).
+
+The user must have _admin_ access to the Project if you are configuring an _Organization Folder_ or _admin_ right to the repositories if you are configuring a _Multibrach Project_.
+
+=== Personal Access Token (Bitbucket Data Center only)
+
+The plugin can make use of a personal access token instead of the standard username/password.
+
+First, create a new _personal access token_ in Bitbucket as instructed in the link:https://confluence.atlassian.com/bitbucketserver080/http-access-tokens-1115142284.html[HTTP access tokens | Bitbucket Data Center and Server 8.0 | Atlassian Documentation].
+At least allow _read_ access for Projects. If you want the plugin to install the webhooks, allow _admin_ access for repositories.
+
+image::images/screenshot-21.png[]
+
+Then create a new _Username with password_ credential in Jenkins, enter the Bitbucket username (not the email) in the _Username_ field and the created access token in the _Password_ field.
+
+=== Access Token (Bitbucket Cloud only)
+
+The plugin can make use of a repository, project or workspace access token.
 
 First, create a new _access token_ in Bitbucket as instructed in one of the following links:
 
@@ -175,18 +192,9 @@ If you want be able to perform git push operation from CLI than you have to setu
 
 image::images/screenshot-17.png[]
 
-=== Personal Access Token
-
-The plugin can make use of a personal access token (Bitbucket Datacenter only) instead of the standard username/password.
-
-First, create a new _personal access token_ in Bitbucket as instructed in the link:https://confluence.atlassian.com/bitbucketserver080/http-access-tokens-1115142284.html[HTTP access tokens | Bitbucket Data Center and Server 8.0 | Atlassian Documentation].
-At least allow _read_ access for repositories. If you want the plugin to install the webhooks, allow _admin_ access for repositories.
-
-Then create a new _Username with password_ credential in Jenkins, enter the Bitbucket username (not the email) in the _Username_ field and the created access token in the _Password_ field.
-
-=== App Passwords
+=== App Passwords (Bitbucket Cloud only)
 
-Bitbucket https://community.atlassian.com/t5/Bitbucket-articles/Announcement-Bitbucket-Cloud-account-password-usage-for-Git-over/ba-p/1948231[deprecated usage of Atlassian account password] for Bitbucket API and Git over HTTPS starting from March 1st, 2022 (Bitbucket Cloud only).
+Bitbucket https://community.atlassian.com/t5/Bitbucket-articles/Announcement-Bitbucket-Cloud-account-password-usage-for-Git-over/ba-p/1948231[deprecated usage of Atlassian account password] for Bitbucket API and Git over HTTPS starting from March 1st, 2022.
 
 The plugin can make use of an app password instead of the standard username/password.
 
@@ -196,9 +204,9 @@ Then create a new _Username with password credentials_ in Jenkins, enter the Bit
 
  IMPORTANT: App passwords do not support email address as a username for authentication. Using the email address will raise an authentication error in scanning/checkout process.
 
-=== OAuth credentials
+=== OAuth credentials (Bitbucket Cloud only)
 
-The plugin can make use of OAuth credentials (Bitbucket Cloud only) instead of the standard username/password.
+The plugin can make use of OAuth credentials instead of the standard username/password.
 
 First create a new _OAuth consumer_ in Bitbucket as instructed in the https://confluence.atlassian.com/bitbucket/oauth-on-bitbucket-cloud-238027431.html[Bitbucket OAuth Documentation].
 Don't forget to check _This is a private consumer_ and at least allow _read_ access for repositories and pull requests. If you want the plugin to install the webhooks, also allow _read_ and _write_ access for webhooks.
@@ -313,4 +321,4 @@ By default, the plugin triggers *a full branch indexing* when a push event conta
 * For a fork, when link:https://confluence.atlassian.com/bitbucketserver/keeping-forks-synchronized-776639961.html[Auto-Sync] is on and a branch cannot be synchronised
 * A link:http://confluence.atlassian.com/bitbucketserver/event-payload-938025882.html#Eventpayload-Mirrorsynchronized[mirror:repo_synchronized] event with too many refs
 
-This behavior can be disabled by adding the system property `bitbucket.hooks.processor.scanOnEmptyChanges=false` on Jenkins startup.
+This behaviour can be disabled by adding the system property `bitbucket.hooks.processor.scanOnEmptyChanges=false` on Jenkins startup.

docs/images/screenshot-21.png

@@ -45,6 +45,9 @@
 import com.cloudbees.jenkins.plugins.bitbucket.filesystem.BitbucketSCMFile;
 import com.cloudbees.jenkins.plugins.bitbucket.impl.client.AbstractBitbucketApi;
 import com.cloudbees.jenkins.plugins.bitbucket.impl.client.ICheckedCallable;
+import com.cloudbees.jenkins.plugins.bitbucket.impl.credentials.BitbucketAccessTokenAuthenticator;
+import com.cloudbees.jenkins.plugins.bitbucket.impl.credentials.BitbucketOAuthAuthenticator;
+import com.cloudbees.jenkins.plugins.bitbucket.impl.credentials.BitbucketUsernamePasswordAuthenticator;
 import com.cloudbees.jenkins.plugins.bitbucket.impl.util.BitbucketApiUtils;
 import com.cloudbees.jenkins.plugins.bitbucket.impl.util.JsonParser;
 import com.damnhandy.uri.template.UriTemplate;
@@ -139,6 +142,14 @@ public BitbucketCloudApiClient(boolean enableCache, int teamCacheDuration, int r
         this.client = super.setupClientBuilder().build();
     }
 
+    @Override
+    protected boolean isSupportedAuthenticator(@CheckForNull BitbucketAuthenticator authenticator) {
+        return authenticator == null
+                || authenticator instanceof BitbucketAccessTokenAuthenticator
+                || authenticator instanceof BitbucketOAuthAuthenticator
+                || authenticator instanceof BitbucketUsernamePasswordAuthenticator; // app password
+    }
+
     /**
      * {@inheritDoc}
      */

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/client/BitbucketCloudApiClient.java

@@ -24,6 +24,7 @@
 package com.cloudbees.jenkins.plugins.bitbucket.impl.client;
 
 import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketAuthenticator;
+import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketException;
 import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketRequestException;
 import com.cloudbees.jenkins.plugins.bitbucket.client.ClosingConnectionInputStream;
 import edu.umd.cs.findbugs.annotations.CheckForNull;
@@ -85,6 +86,9 @@ public abstract class AbstractBitbucketApi implements AutoCloseable {
     private HttpClientContext context;
 
     protected AbstractBitbucketApi(BitbucketAuthenticator authenticator) {
+        if (!isSupportedAuthenticator(authenticator)) {
+            throw new BitbucketException("Authentication " + authenticator.getClass().getSimpleName() + " is not supported by this client. Please refer to the user documention at https://github.com/jenkinsci/bitbucket-branch-source-plugin/blob/master/docs/USER_GUIDE.adoc");
+        }
         this.authenticator = authenticator;
     }
 
@@ -217,6 +221,11 @@ protected void setClientProxyParams(HttpClientBuilder builder) {
         }
     }
 
+    /**
+     * Implementation must validate if the configured authenticator is supported by this client implementation.
+     */
+    protected abstract boolean isSupportedAuthenticator(@CheckForNull BitbucketAuthenticator authenticator);
+
     @CheckForNull
     protected abstract HttpClientConnectionManager getConnectionManager();
 

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/impl/client/AbstractBitbucketApi.java

@@ -40,6 +40,9 @@
 import com.cloudbees.jenkins.plugins.bitbucket.endpoints.BitbucketServerEndpoint;
 import com.cloudbees.jenkins.plugins.bitbucket.filesystem.BitbucketSCMFile;
 import com.cloudbees.jenkins.plugins.bitbucket.impl.client.AbstractBitbucketApi;
+import com.cloudbees.jenkins.plugins.bitbucket.impl.credentials.BitbucketAccessTokenAuthenticator;
+import com.cloudbees.jenkins.plugins.bitbucket.impl.credentials.BitbucketClientCertificateAuthenticator;
+import com.cloudbees.jenkins.plugins.bitbucket.impl.credentials.BitbucketUsernamePasswordAuthenticator;
 import com.cloudbees.jenkins.plugins.bitbucket.impl.util.BitbucketApiUtils;
 import com.cloudbees.jenkins.plugins.bitbucket.impl.util.JsonParser;
 import com.cloudbees.jenkins.plugins.bitbucket.server.BitbucketServerVersion;
@@ -176,6 +179,14 @@ public BitbucketServerAPIClient(@NonNull String baseURL, @NonNull String owner,
         this.client = setupClientBuilder().build();
     }
 
+    @Override
+    protected boolean isSupportedAuthenticator(@CheckForNull BitbucketAuthenticator authenticator) {
+        return authenticator == null
+                || authenticator instanceof BitbucketClientCertificateAuthenticator // undocumented mutual TLS
+                || authenticator instanceof BitbucketAccessTokenAuthenticator // personal access token
+                || authenticator instanceof BitbucketUsernamePasswordAuthenticator; // username/password credentials
+    }
+
     /**
      * Bitbucket Server manages two top level entities, owner and/or project.
      * Only one of them makes sense for a specific client object.

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/server/client/BitbucketServerAPIClient.java

@@ -27,9 +27,14 @@
 import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketAuthenticator;
 import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketBuildStatus;
 import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketBuildStatus.Status;
+import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketException;
 import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketWebHook;
 import com.cloudbees.jenkins.plugins.bitbucket.client.repository.BitbucketCloudRepository;
 import com.cloudbees.jenkins.plugins.bitbucket.endpoints.BitbucketCloudEndpoint;
+import com.cloudbees.jenkins.plugins.bitbucket.impl.credentials.BitbucketAccessTokenAuthenticator;
+import com.cloudbees.jenkins.plugins.bitbucket.impl.credentials.BitbucketClientCertificateAuthenticator;
+import com.cloudbees.jenkins.plugins.bitbucket.impl.credentials.BitbucketOAuthAuthenticator;
+import com.cloudbees.jenkins.plugins.bitbucket.impl.credentials.BitbucketUsernamePasswordAuthenticator;
 import com.cloudbees.jenkins.plugins.bitbucket.impl.util.DateUtils;
 import com.cloudbees.jenkins.plugins.bitbucket.impl.util.JsonParser;
 import com.cloudbees.jenkins.plugins.bitbucket.test.util.BitbucketTestUtil;
@@ -50,7 +55,9 @@
 
 import static net.javacrumbs.jsonunit.assertj.JsonAssertions.assertThatJson;
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.spy;
 import static org.mockito.Mockito.verify;
@@ -127,4 +134,13 @@ void verifyUpdateWebhookURL() throws Exception {
                 assertThat(put.getRequestUri()).isEqualTo("https://api.bitbucket.org/2.0/repositories/amuniz/test-repos/hooks/%7B202cf34e-7ccf-44b7-ba6b-8827a14d5324%7D"));
     }
 
+    @Test
+    void test_supported_auth() throws Exception {
+        try (BitbucketApi client = new BitbucketCloudApiClient(false, 0, 0, null, null, null, mock(BitbucketUsernamePasswordAuthenticator.class))) {}
+        try (BitbucketApi client = new BitbucketCloudApiClient(false, 0, 0, null, null, null, mock(BitbucketOAuthAuthenticator.class))) {}
+        try (BitbucketApi client = new BitbucketCloudApiClient(false, 0, 0, null, null, null, mock(BitbucketAccessTokenAuthenticator.class))) {}
+
+        assertThatThrownBy(() -> new BitbucketCloudApiClient(false, 0, 0, null, null, null, mock(BitbucketClientCertificateAuthenticator.class)))
+            .isInstanceOf(BitbucketException.class);
+    }
 }

src/test/java/com/cloudbees/jenkins/plugins/bitbucket/client/BitbucketCloudApiClientTest.java

@@ -155,6 +155,11 @@ private BitbucketServerIntegrationClient(String payloadRootPath, String baseURL,
             this.audit = new RequestAudit();
         }
 
+        @Override
+        protected boolean isSupportedAuthenticator(BitbucketAuthenticator authenticator) {
+            return true;
+        }
+
         @Override
         protected ClassicHttpResponse executeMethod(HttpUriRequest httpMethod) throws IOException {
             String requestURI = httpMethod.getRequestUri();
@@ -204,6 +209,11 @@ private BitbucketClouldIntegrationClient(String payloadRootPath, String owner, S
             this.audit = new RequestAudit();
         }
 
+        @Override
+        protected boolean isSupportedAuthenticator(BitbucketAuthenticator authenticator) {
+            return true;
+        }
+
         @Override
         protected CloseableHttpClient getClient() {
             CloseableHttpClient client = mock(CloseableHttpClient.class);

src/test/java/com/cloudbees/jenkins/plugins/bitbucket/client/BitbucketIntegrationClientFactory.java

@@ -27,9 +27,14 @@
 import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketAuthenticator;
 import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketBuildStatus;
 import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketBuildStatus.Status;
+import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketException;
 import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketRepository;
 import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketTeam;
 import com.cloudbees.jenkins.plugins.bitbucket.client.BitbucketIntegrationClientFactory;
+import com.cloudbees.jenkins.plugins.bitbucket.impl.credentials.BitbucketAccessTokenAuthenticator;
+import com.cloudbees.jenkins.plugins.bitbucket.impl.credentials.BitbucketClientCertificateAuthenticator;
+import com.cloudbees.jenkins.plugins.bitbucket.impl.credentials.BitbucketOAuthAuthenticator;
+import com.cloudbees.jenkins.plugins.bitbucket.impl.credentials.BitbucketUsernamePasswordAuthenticator;
 import com.cloudbees.jenkins.plugins.bitbucket.server.BitbucketServerWebhookImplementation;
 import com.cloudbees.jenkins.plugins.bitbucket.test.util.BitbucketTestUtil;
 import hudson.ProxyConfiguration;
@@ -57,6 +62,7 @@
 
 import static net.javacrumbs.jsonunit.assertj.JsonAssertions.assertThatJson;
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.hasItem;
 import static org.hamcrest.Matchers.is;
@@ -263,7 +269,7 @@ void test_no_proxy_configurations() throws Exception {
         j.jenkins.setProxy(proxyConfiguration);
 
         AtomicReference<HttpClientBuilder> builderReference = new AtomicReference<>();
-        try(BitbucketApi client = new BitbucketServerAPIClient(serverURL, "amuniz", "test-repos", mock(BitbucketAuthenticator.class), false, BitbucketServerWebhookImplementation.NATIVE) {
+        try(BitbucketApi client = new BitbucketServerAPIClient(serverURL, "amuniz", "test-repos", mock(BitbucketUsernamePasswordAuthenticator.class), false, BitbucketServerWebhookImplementation.NATIVE) {
             @Override
             protected void setClientProxyParams(HttpClientBuilder builder) {
                 builderReference.set(spy(builder));
@@ -275,4 +281,13 @@ protected void setClientProxyParams(HttpClientBuilder builder) {
         verify(builderReference.get(), never()).setProxy(any(HttpHost.class));
     }
 
+    @Test
+    void test_supported_auth() throws Exception {
+        try (BitbucketApi client = new BitbucketServerAPIClient("http://localhost:7990/bitbucket", "owner", "test-repos", mock(BitbucketUsernamePasswordAuthenticator.class), false)) {}
+        try (BitbucketApi client = new BitbucketServerAPIClient("http://localhost:7990/bitbucket", "owner", "test-repos", mock(BitbucketClientCertificateAuthenticator.class), false)) {}
+        try (BitbucketApi client = new BitbucketServerAPIClient("http://localhost:7990/bitbucket", "owner", "test-repos", mock(BitbucketAccessTokenAuthenticator.class), false)) {}
+
+        assertThatThrownBy(() -> new BitbucketServerAPIClient("http://localhost:7990/bitbucket", "owner", "test-repos", mock(BitbucketOAuthAuthenticator.class), false))
+            .isInstanceOf(BitbucketException.class);
+    }
 }