
[JENKINS-75735] hook payload is discarded if not recognized and comes from Bitbucket Cloud and Data Center instances #1057


Merged (1 commit, Jun 5, 2025)
4 changes: 2 additions & 2 deletions docs/USER_GUIDE.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -119,7 +119,7 @@ For Bitbucket Data Center only it is possible chose which webhooks implementatio

- Native implementation will configure the webhooks provided by default with the Server, so it will always be available.

- Plugin implementation relies on the configuration available via specific APIs provided by the https://marketplace.atlassian.com/apps/1215474/post-webhooks-for-bitbucket?tab=overview&hosting=datacenter[Post Webhooks for Bitbucket] plugin itself. To get it worked plugin must be already pre-installed on the server instance. This provider allows custom settings managed by the _ignore committers_ trait. _Note: This specific implementation will be moved to an individual repository as soon as https://issues.jenkins.io/browse/JENKINS-74913[JENKINS-74913] is implemented._
- Plugin implementation (*deprecated*) relies on the configuration available via specific APIs provided by the https://marketplace.atlassian.com/apps/1215474/post-webhooks-for-bitbucket?tab=overview&hosting=datacenter[Post Webhooks for Bitbucket] plugin itself. To get it worked plugin must be already pre-installed on the server instance. This provider allows custom settings managed by the _ignore committers_ trait. _Note: This specific implementation will be moved to an individual repository as soon as https://issues.jenkins.io/browse/JENKINS-74913[JENKINS-74913] is implemented._

image::images/screenshot-14.png[]

Expand All @@ -131,7 +131,7 @@ image::images/screenshot-18.png[]
IMPORTANT: In order to have the auto-registering process working fine the Jenkins base URL must be
properly configured in _Manage Jenkins_ » _System_

=== Webhooks signature
=== Signature verification for incoming webhooks

Once Jenkins is configured to receive payloads, it will listen for any delivery that's sent to the endpoint you configured. For security reasons, you should only process deliveries from Bitbucket.
To ensure your self-hosted server only processes deliveries from Bitbucket, you need to:
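Review bot: renaming the heading from "Webhooks signature" to "Signature verification for incoming webhooks" changes the anchor AsciiDoc generates for the section, so any xref or link in the docs that targets the old heading will break; grep the documentation for references to the old title and update them, or put an explicit anchor such as [[webhooks-signature]] on the line above the new heading so the old id keeps resolving.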
Original file line number Diff line number Diff line change
Expand Up @@ -95,7 +95,7 @@ public BitbucketCloudEndpoint(boolean enableCache, int teamCacheDuration, int re
* credentials to use for auto-management of hooks.
* @param enableHookSignature {@code true} hooks that comes Bitbucket Data
* Center are signed.
* @param credentialsId The {@link StringCredentials#getId()} of the
* @param hookSignatureCredentialsId The {@link StringCredentials#getId()} of the
* credentials to use for verify the signature of payload.
*/
@DataBoundConstructor
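Review bot: the @param is renamed to hookSignatureCredentialsId, but the two lines above it still say hooks that "comes Bitbucket Data Center are signed", which in BitbucketCloudEndpoint should describe Bitbucket Cloud, not Data Center; fix the copy-pasted description alongside the rename, e.g. "@param enableHookSignature {@code true} if hooks coming from Bitbucket Cloud are signed", and "credentials to use for verify the signature of payload" should read "credentials to use to verify the signature of the payload".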
Original file line number Diff line number Diff line change
Expand Up @@ -124,7 +124,7 @@ public BitbucketServerEndpoint(@CheckForNull String displayName, @NonNull String
* credentials to use for auto-management of hooks.
* @param enableHookSignature {@code true} hooks that comes Bitbucket Data
* Center are signed.
* @param credentialsId The {@link StringCredentials#getId()} of the
* @param hookSignatureCredentialsId The {@link StringCredentials#getId()} of the
* credentials to use for verify the signature of payload.
*/
@DataBoundConstructor
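Review bot: same leftover grammar as in the Cloud endpoint javadoc: "{@code true} hooks that comes Bitbucket Data Center are signed" should read "{@code true} if hooks coming from Bitbucket Data Center are signed", and "credentials to use for verify the signature of payload" should read "credentials to use to verify the signature of the payload". Since this @param text and the Cloud one are word-for-word identical, fix both in this PR so they do not drift apart again.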
Original file line number Diff line number Diff line change
Expand Up @@ -107,16 +107,20 @@ public HttpResponse doNotify(StaplerRequest2 req) throws IOException {
return HttpResponses.error(HttpServletResponse.SC_BAD_REQUEST, "X-Event-Key HTTP header invalid: " + eventKey);
}

String bitbucketKey = req.getHeader("X-Bitbucket-Type");
String bitbucketKey = req.getHeader("X-Bitbucket-Type"); // specific header from Plugin implementation
String serverURL = req.getParameter("server_url");

BitbucketType instanceType = null;
if (bitbucketKey != null) {
instanceType = BitbucketType.fromString(bitbucketKey);
}
if (instanceType == null && serverURL != null) {
LOGGER.log(Level.FINE, "server_url request parameter found. Bitbucket Native Server webhook incoming.");
instanceType = BitbucketType.SERVER;
if (serverURL != null) {
if (instanceType == null) {
LOGGER.log(Level.FINE, "server_url request parameter found. Bitbucket Native Server webhook incoming.");
instanceType = BitbucketType.SERVER;
} else {
LOGGER.log(Level.FINE, "X-Bitbucket-Type header / server_url request parameter found. Bitbucket Plugin Server webhook incoming.");
}
} else {
LOGGER.log(Level.FINE, "X-Bitbucket-Type header / server_url request parameter not found. Bitbucket Cloud webhook incoming.");
instanceType = BitbucketType.CLOUD;
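Review bot: the new else branch logs "Bitbucket Plugin Server webhook incoming" whenever both X-Bitbucket-Type and server_url are present, but instanceType at that point is whatever BitbucketType.fromString returned for the header; if the header parses to CLOUD while server_url is also set, the message is wrong and the request is routed as Cloud. Log the resolved instanceType in that branch instead of a fixed string, and add a FINE message in the instanceType == null path when bitbucketKey was non-null but not recognized, since that case now silently degrades to SERVER. Both the header and the query parameter arrive from an unauthenticated caller, so this block only selects a type; make sure the signature check in checkSignature still runs for every branch that comes out of it.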
Expand Down Expand Up @@ -179,7 +183,7 @@ private HttpResponseException checkSignature(@NonNull StaplerRequest2 req, @NonN
String requestId = ObjectUtils.firstNonNull(req.getHeader("X-Request-UUID"), req.getHeader("X-Request-Id"));
String hookSignatureCredentialsId = endpoint.getHookSignatureCredentialsId();
LOGGER.log(Level.WARNING, "No credentials {0} found to verify the signature of incoming webhook {1} request {2}", new Object[] { hookSignatureCredentialsId, hookId, requestId });
return HttpResponses.error(HttpServletResponse.SC_FORBIDDEN, "No credentials " + hookSignatureCredentialsId + " found to verify the signature");
return HttpResponses.error(HttpServletResponse.SC_FORBIDDEN, "No credentials " + hookSignatureCredentialsId + " found in Jenkins to verify the signature");
}
return null;
}
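Review bot: the 403 body now echoes the configured credentials ID ("No credentials <id> found in Jenkins ...") to whoever sent the webhook, and that sender is unauthenticated at this point; the ID is an internal Jenkins configuration detail that helps an attacker map the instance. Keep the ID in the WARNING log line above, which is the right place for it, and return a generic body such as "unable to verify the signature of the payload". Also consider whether a missing verification secret should be reported as 500 rather than 403, since the problem is on the Jenkins side, not the caller's.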