Move bitbucket name check to GitCredentialsManager (#825) (#827)

Signed-off-by: Ihor Vinokur <[email protected]>

Author: vinokurig

assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2012-2024 Red Hat, Inc.
+# Copyright (c) 2012-2025 Red Hat, Inc.
 # This program and the accompanying materials are made
 # available under the terms of the Eclipse Public License 2.0
 # which is available at https://www.eclipse.org/legal/epl-2.0/

infrastructures/infrastructure-factory/src/main/java/org/eclipse/che/api/factory/server/scm/kubernetes/KubernetesGitCredentialManager.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2023 Red Hat, Inc.
+ * Copyright (c) 2012-2025 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -177,6 +177,11 @@ private String getUsernameSegment(PersonalAccessToken personalAccessToken) {
     // Special characters are not allowed in URL username segment, so we need to escape them.
     PercentEscaper percentEscaper = new PercentEscaper("", false);
     return personalAccessToken.getScmTokenName().startsWith(OAUTH_2_PREFIX)
+            // Most of the git providers work with git credentials with OAuth token in format
+            // "ouath2:<oauth token>"
+            // but bitbucket requires username to be explicitly set: "<username>:<oauth token>
+            // TODO: needs to be moved to the specific bitbucket implementation.
+            && !personalAccessToken.getScmProviderName().equals("bitbucket")
         ? "oauth2"
         : isNullOrEmpty(personalAccessToken.getScmOrganization())
             ? percentEscaper.escape(personalAccessToken.getScmUserName())

infrastructures/infrastructure-factory/src/test/java/org/eclipse/che/api/factory/server/scm/kubernetes/KubernetesGitCredentialManagerTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2024 Red Hat, Inc.
+ * Copyright (c) 2012-2025 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -200,6 +200,42 @@ public void testCreateAndSaveNewOAuthGitCredential() throws Exception {
     assertFalse(createdSecret.getMetadata().getName().contains(token.getScmUserName()));
   }
 
+  @Test
+  public void testCreateAndSaveNewBitbucketOAuthGitCredential() throws Exception {
+    KubernetesNamespaceMeta meta = new KubernetesNamespaceMetaImpl("test");
+    when(namespaceFactory.list()).thenReturn(Collections.singletonList(meta));
+
+    when(cheServerKubernetesClientFactory.create()).thenReturn(kubeClient);
+    when(kubeClient.secrets()).thenReturn(secretsMixedOperation);
+    when(secretsMixedOperation.inNamespace(eq(meta.getName()))).thenReturn(nonNamespaceOperation);
+    when(nonNamespaceOperation.withLabels(anyMap())).thenReturn(filterWatchDeletable);
+    when(filterWatchDeletable.list()).thenReturn(secretList);
+    when(secretList.getItems()).thenReturn(emptyList());
+    ArgumentCaptor<Secret> captor = ArgumentCaptor.forClass(Secret.class);
+
+    PersonalAccessToken token =
+        new PersonalAccessToken(
+            "https://bitbucket.com",
+            "bitbucket",
+            "cheUser",
+            "username",
+            "oauth2-token-name",
+            "tid-23434",
+            "token123");
+
+    // when
+    kubernetesGitCredentialManager.createOrReplace(token);
+    // then
+    verify(nonNamespaceOperation).createOrReplace(captor.capture());
+    Secret createdSecret = captor.getValue();
+    assertNotNull(createdSecret);
+    assertEquals(
+        new String(Base64.getDecoder().decode(createdSecret.getData().get("credentials"))),
+        "https://username:[email protected]");
+    assertTrue(createdSecret.getMetadata().getName().startsWith(NAME_PATTERN));
+    assertFalse(createdSecret.getMetadata().getName().contains(token.getScmUserName()));
+  }
+
   @Test
   public void testUpdateTokenInExistingCredential() throws Exception {
     KubernetesNamespaceMeta namespaceMeta = new KubernetesNamespaceMetaImpl("test");

wsmaster/che-core-api-auth/src/main/java/org/eclipse/che/security/oauth/EmbeddedOAuthAPI.java

@@ -114,7 +114,7 @@ public Response callback(UriInfo uriInfo, @Nullable List<String> errorValues)
               EnvironmentContext.getCurrent().getSubject().getUserId(),
               null,
               null,
-              generateTokenName(providerName),
+              NameGenerator.generate(OAUTH_2_PREFIX, 5),
               NameGenerator.generate("id-", 5),
               token));
     } catch (OAuthAuthenticationException e) {
@@ -161,18 +161,6 @@ public static String getRedirectAfterLoginUrl(
     return redirectAfterLogin;
   }
 
-  /*
-   * This value is used for generating git credentials. Most of the git providers work with git
-   * credentials with OAuth token in format "ouath2:<oauth token>" but bitbucket requires username
-   * to be explicitly set: "<username>:<oauth token>, see {@link
-   * GitCredentialManager#createOrReplace}
-   * TODO: needs to be moved to the specific bitbucket implementation.
-   */
-  private String generateTokenName(String providerName) {
-    return NameGenerator.generate(
-        "bitbucket".equals(providerName) ? providerName + "-" : OAUTH_2_PREFIX, 5);
-  }
-
   /**
    * Encode the redirect URL query parameters to avoid the error when the redirect URL contains
    * JSON, as a query parameter. This prevents passing unsupported characters, like '{' and '}' to

wsmaster/che-core-api-auth/src/test/java/org/eclipse/che/security/oauth/EmbeddedOAuthAPITest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2024 Red Hat, Inc.
+ * Copyright (c) 2012-2025 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -170,35 +170,6 @@ public void shouldStoreTokenOnCallback() throws Exception {
     assertEquals(token.getToken(), "token");
   }
 
-  @Test
-  public void shouldStoreBitbucketTokenOnCallback() throws Exception {
-    // given
-    UriInfo uriInfo = mock(UriInfo.class);
-    OAuthAuthenticator authenticator = mock(OAuthAuthenticator.class);
-    when(authenticator.getEndpointUrl()).thenReturn("http://eclipse.che");
-    when(authenticator.callback(any(URL.class), anyList())).thenReturn("token");
-    when(uriInfo.getRequestUri())
-        .thenReturn(
-            new URI(
-                "http://eclipse.che?state=oauth_provider%3Dbitbucket%26redirect_after_login%3DredirectUrl"));
-    when(oauth2Providers.getAuthenticator("bitbucket")).thenReturn(authenticator);
-    ArgumentCaptor<PersonalAccessToken> tokenCapture =
-        ArgumentCaptor.forClass(PersonalAccessToken.class);
-
-    // when
-    embeddedOAuthAPI.callback(uriInfo, emptyList());
-
-    // then
-    verify(personalAccessTokenManager).store(tokenCapture.capture());
-    PersonalAccessToken token = tokenCapture.getValue();
-    assertEquals(token.getScmProviderUrl(), "http://eclipse.che");
-    assertEquals(token.getScmProviderName(), "bitbucket");
-    assertEquals(token.getCheUserId(), "0000-00-0000");
-    assertTrue(token.getScmTokenId().startsWith("id-"));
-    assertTrue(token.getScmTokenName().startsWith("bitbucket-"));
-    assertEquals(token.getToken(), "token");
-  }
-
   @Test
   public void shouldEncodeRedirectUrl() throws Exception {
     // given