Additionaly encode Bitbucket Server authentication url state (#808)

vinokurig · web-flow · commit 50f29ad25c8f · 2025-05-15T10:13:01.000+03:00
Encode the Bitbucket Server authentication url twice, because Bitbucket Server Decodes the callback url request.
diff --git a/wsmaster/che-core-api-auth-bitbucket/src/main/java/org/eclipse/che/security/oauth/BitbucketOAuthAuthenticator.java b/wsmaster/che-core-api-auth-bitbucket/src/main/java/org/eclipse/che/security/oauth/BitbucketOAuthAuthenticator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2024 Red Hat, Inc.
+ * Copyright (c) 2012-2025 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -12,6 +12,7 @@
 package org.eclipse.che.security.oauth;
 
 import static com.google.common.base.Strings.isNullOrEmpty;
+import static java.net.URLEncoder.encode;
 import static java.nio.charset.StandardCharsets.UTF_8;
 
 import com.google.api.client.auth.oauth2.AuthorizationCodeRequestUrl;
@@ -49,7 +50,10 @@ public BitbucketOAuthAuthenticator(
   @Override
   public String getAuthenticateUrl(URL requestUrl, List<String> scopes) {
     AuthorizationCodeRequestUrl url = flow.newAuthorizationUrl().setScopes(scopes);
-    url.setState(prepareState(requestUrl));
+    String state = prepareState(requestUrl);
+    // Although the state is encoded in the OAuthAuthenticator class, we need to additionally encode
+    // it because Bitbucket Server decodes it on callback request.
+    url.setState(BITBUCKET_CLOUD_ENDPOINT.equals(bitbucketEndpoint) ? state : encode(state, UTF_8));
     url.set("redirect_uri", findRedirectUrl(requestUrl));
     return url.build();
   }
diff --git a/wsmaster/che-core-api-auth-bitbucket/src/test/java/org/eclipse/che/security/BitbucketOAuthAuthenticatorProviderTest.java b/wsmaster/che-core-api-auth-bitbucket/src/test/java/org/eclipse/che/security/BitbucketOAuthAuthenticatorProviderTest.java
@@ -0,0 +1,75 @@
+/*
+ * Copyright (c) 2012-2025 Red Hat, Inc.
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at https://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Contributors:
+ *   Red Hat, Inc. - initial API and implementation
+ */
+package org.eclipse.che.security;
+
+import static java.util.Collections.emptyList;
+import static org.testng.Assert.assertTrue;
+
+import com.google.common.io.Files;
+import java.io.File;
+import java.io.IOException;
+import java.net.URL;
+import java.nio.charset.Charset;
+import org.eclipse.che.security.oauth.BitbucketOAuthAuthenticatorProvider;
+import org.eclipse.che.security.oauth.OAuthAuthenticator;
+import org.testng.annotations.BeforeClass;
+import org.testng.annotations.Test;
+
+public class BitbucketOAuthAuthenticatorProviderTest {
+  private BitbucketOAuthAuthenticatorProvider provider;
+  private File cfgFile;
+
+  @BeforeClass
+  public void setup() throws IOException {
+    cfgFile = File.createTempFile("BitbucketOAuthAuthenticatorProviderTest-", "-cfg");
+    Files.asCharSink(cfgFile, Charset.defaultCharset()).write("tmp-data");
+    cfgFile.deleteOnExit();
+    provider =
+        new BitbucketOAuthAuthenticatorProvider(
+            "http://bitubucket-server.com",
+            cfgFile.getPath(),
+            cfgFile.getPath(),
+            new String[] {"http://che.server.com"},
+            "http://auth.uri",
+            "http://token.uri");
+  }
+
+  @Test
+  public void shouldReturnAuthenticationUrlEncodedOnce() throws Exception {
+    // given
+    BitbucketOAuthAuthenticatorProvider provider =
+        new BitbucketOAuthAuthenticatorProvider(
+            "https://bitbucket.org",
+            cfgFile.getPath(),
+            cfgFile.getPath(),
+            new String[] {"http://che.server.com"},
+            "http://auth.uri",
+            "http://token.uri");
+    OAuthAuthenticator authenticator = provider.get();
+    URL url = new URL("http://che.server.com?query=param");
+    // when
+    String authenticateUrl = authenticator.getAuthenticateUrl(url, emptyList());
+    // then
+    assertTrue(authenticateUrl.endsWith("&state=query%253Dparam"));
+  }
+
+  @Test
+  public void shouldReturnAuthenticationUrlEncodedTwice() throws Exception {
+    // given
+    OAuthAuthenticator authenticator = provider.get();
+    URL url = new URL("http://che.server.com?query=param");
+    // when
+    String authenticateUrl = authenticator.getAuthenticateUrl(url, emptyList());
+    // then
+    assertTrue(authenticateUrl.endsWith("&state=query%25253Dparam"));
+  }
+}
