issue #722

BitbucketHostProvider: fix runtime exceptions  when authentication requests for Bitbucket DC would incorrectly call a Bitbucket Cloud REST API

A bug was introduced in commit: 5a2cfd7. Prior to this only authentication requests for Bitbucket Cloud would try and automatically determine if 2FA was required by the current user by calling a Bitbucket Cloud REST API using user provided Basic Auth credentials

Commit: 5a2cfd7 removed checking of the current host was Bitbucket Cloud vs DC. This meant the check would be run for Bitbucket Cloud and DC regardless. It would fail for Bitbucket DC

The fix is more radical than simply re-instating the check on the type of Bitbucket host. From 1st March 2022 support for using a Bitbucket Cloud user's account password to access REST or Git HTTPS operations has been removed, https://atlassian.community/t5/x/x/ba-p/1948231. As such this automatic test to see if 2FA is required no longer works.

Therefore the check against the Bitbucket Cloud REST API has been removed in its entirety

Author: mminns

src/shared/Atlassian.Bitbucket.Tests/BitbucketHostProviderTest.cs

@@ -219,7 +219,7 @@ public void BitbucketHostProvider_GetCredentialAsync_Succeeds_ForFreshValidBasic
 
             var credential = provider.GetCredentialAsync(input);
 
-            VerifyBasicAuthFlowRan(password, true, input, credential, null);
+            VerifyBasicAuthFlowRan(password, true, input, credential);
 
             VerifyOAuthFlowDidNotRun(password, true, input, credential);
         }
@@ -327,7 +327,7 @@ public void BitbucketHostProvider_GetCredentialAsync_AlwaysRefreshCredentials_Is
 
             if (alwaysRefreshCredentialsBool)
             {
-                VerifyBasicAuthFlowRan(password, true, input, credential, null);
+                VerifyBasicAuthFlowRan(password, true, input, credential);
             }
             else
             {
@@ -450,21 +450,13 @@ private static InputArguments MockInput(string protocol, string host, string use
             });
         }
 
-        private void VerifyBasicAuthFlowRan(string password, bool expected, InputArguments input, Task<ICredential> credential,
-            string preconfiguredAuthModes)
+        private void VerifyBasicAuthFlowRan(string password, bool expected, InputArguments input, Task<ICredential> credential)
         {
             Assert.Equal(expected, credential != null);
 
             var remoteUri = input.GetRemoteUri();
 
             bitbucketAuthentication.Verify(m => m.GetCredentialsAsync(remoteUri, input.UserName, It.IsAny<AuthenticationModes>()), Times.Once);
-
-            // check username/password for Bitbucket.org
-            if ((preconfiguredAuthModes == null && BITBUCKET_DOT_ORG_HOST == remoteUri.Host)
-                || (preconfiguredAuthModes != null && preconfiguredAuthModes.Contains("oauth")))
-            {
-                bitbucketApi.Verify(m => m.GetUserInformationAsync(input.UserName, password, false), Times.Once);
-            }
         }
 
         private void VerifyInteractiveBasicAuthFlowRan(string password, InputArguments input, Task<ICredential> credential)
@@ -473,12 +465,6 @@ private void VerifyInteractiveBasicAuthFlowRan(string password, InputArguments i
 
             // verify users was prompted for username/password credentials
             bitbucketAuthentication.Verify(m => m.GetCredentialsAsync(remoteUri, input.UserName, It.IsAny<AuthenticationModes>()), Times.Once);
-
-            // check username/password for Bitbucket.org
-            if (BITBUCKET_DOT_ORG_HOST == remoteUri.Host)
-            {
-                bitbucketApi.Verify(m => m.GetUserInformationAsync(input.UserName, password, false), Times.Once);
-            }
         }
 
         private void VerifyBasicAuthFlowNeverRan(string password, InputArguments input, bool storedAccount,
@@ -527,13 +513,7 @@ private void VerifyOAuthFlowRan(string password, bool storedAccount, bool expect
                 {
                     // prompt user for basic auth, if basic auth is not excluded
                     bitbucketAuthentication.Verify(m => m.GetCredentialsAsync(remoteUri, input.UserName, It.IsAny<AuthenticationModes>()), Times.Once);
-
-                    // check if entered Basic Auth credentials work, if basic auth is not excluded
-                    bitbucketApi.Verify(m => m.GetUserInformationAsync(input.UserName, password, false), Times.Once);
                 }
-
-                // Basic Auth 403-ed so push user through OAuth flow
-                bitbucketAuthentication.Verify(m => m.ShowOAuthRequiredPromptAsync(), Times.Once);
             }
         }
 

src/shared/Atlassian.Bitbucket/BitbucketHostProvider.cs

@@ -156,28 +156,16 @@ private async Task<ICredential> GetRefreshedCredentials(Uri remoteUri, string us
 
                     switch (result.AuthenticationMode)
                     {
+                        case AuthenticationModes.Basic:
+                            // Return the valid credential
+                            return result.Credential;
+
                         case AuthenticationModes.OAuth:
                             // If the user wants to use OAuth fall through to interactive auth
                             // and avoid the OAuth "continue" confirmation prompt
                             skipOAuthPrompt = true;
                             break;
 
-                        case AuthenticationModes.Basic:
-                            // We need to check if these user/pass credentials require 2FA
-                            _context.Trace.WriteLine("Checking if two-factor requirements for credentials...");
-
-                            bool requires2Fa = await RequiresTwoFactorAuthenticationAsync(result.Credential);
-                            if (!requires2Fa)
-                            {
-                                _context.Trace.WriteLine("Two-factor authentication not required");
-
-                                // Return the valid credential
-                                return result.Credential;
-                            }
-
-                            // 2FA is required; fall through to interactive OAuth flow
-                            break;
-
                         default:
                             throw new ArgumentOutOfRangeException(
                                 $"Unexpected {nameof(AuthenticationModes)} returned from prompt");
@@ -371,31 +359,6 @@ private async Task<string> ResolveBasicAuthUserNameAsync(string username, string
             throw new Exception($"Failed to resolve username. HTTP: {result.StatusCode}");
         }
 
-        private async Task<bool> RequiresTwoFactorAuthenticationAsync(ICredential credentials)
-        {
-            _context.Trace.WriteLineSecrets($"Check if 2FA is required for credentials ({credentials.Account}/{{0}})...", new object[] { credentials.Password });
-
-            RestApiResult<UserInfo> result = await _bitbucketApi.GetUserInformationAsync(
-                credentials.Account, credentials.Password, isBearerToken: false);
-            switch (result.StatusCode)
-            {
-                // 2FA may not be required
-                case HttpStatusCode.OK:
-                    return result.Response.IsTwoFactorAuthenticationEnabled;
-
-                // 2FA is required
-                case HttpStatusCode.Forbidden:
-                    return true;
-
-                // Incorrect credentials
-                case HttpStatusCode.Unauthorized:
-                    throw new Exception("Invalid credentials");
-
-                default:
-                    throw new Exception($"Unknown server response: {result.StatusCode}");
-            }
-        }
-
         private async Task<bool> ValidateCredentialsWork(Uri remoteUri, ICredential credentials, AuthenticationModes authModes)
         {
             if (credentials is null)