Issue #218 Address PR comments with minor updates

Author: mminns

src/shared/Atlassian.Bitbucket.Tests/BitbucketHostProviderTest.cs

@@ -156,7 +156,7 @@ public void BitbucketHostProvider_GetCredentialAsync_Succeeds_ForFreshValidBasic
 
             MockUserEntersValidBasicCredentials(bitbucketAuthentication, input, password);
 
-            if(BITBUCKET_DOT_ORG_HOST.Equals(host)) 
+            if (BITBUCKET_DOT_ORG_HOST.Equals(host)) 
             {
                 MockRemoteOAuthAccountIsValid(bitbucketApi, input, password, true);
             }
@@ -190,12 +190,6 @@ public void BitbucketHostProvider_GetCredentialAsync_Succeeds_ForFreshValid2FAAc
 
             var provider = new BitbucketHostProvider(context, bitbucketAuthentication.Object, bitbucketApi.Object);
 
-            //if (userEntersCredentials.HasValue && !userEntersCredentials.Value)
-            //{
-            //    Assert.ThrowsAsync<Exception>(async () => await provider.GetCredentialAsync(input));
-            //    return;
-            //}
-
             var credential = provider.GetCredentialAsync(input);
 
             VerifyOAuthFlowRan(password, false, true, input, credential, null);
@@ -222,7 +216,6 @@ public void BitbucketHostProvider_GetCredentialAsync_ForcedAuthMode_IsRespected(
             MockUserEntersValidBasicCredentials(bitbucketAuthentication, input, password);
             MockRemoteBasicAuthAccountIsValidRequires2FA(bitbucketApi, input, password);
             bitbucketAuthentication.Setup(m => m.ShowOAuthRequiredPromptAsync()).ReturnsAsync(true);
-            //MockRemoteValidRefreshToken();
 
             var provider = new BitbucketHostProvider(context, bitbucketAuthentication.Object, bitbucketApi.Object);
 
@@ -536,25 +529,25 @@ private void VerifyInteractiveOAuthFlowNeverRan(InputArguments input, System.Thr
         private void VerifyValidateBasicAuthCredentialsNeverRan() 
         {
             // never check username/password works
-            bitbucketApi.Verify(m => m.GetUserInformationAsync(It.IsAny<string>(), It.IsAny<string>(), BitbucketHostProvider.USE_BASIC_TOKEN), Times.Never);
+            bitbucketApi.Verify(m => m.GetUserInformationAsync(It.IsAny<string>(), It.IsAny<string>(), false), Times.Never);
         }
 
         private void VerifyValidateBasicAuthCredentialsRan() 
         {
             // check username/password works
-            bitbucketApi.Verify(m => m.GetUserInformationAsync(It.IsAny<string>(), It.IsAny<string>(), BitbucketHostProvider.USE_BASIC_TOKEN), Times.Once);
+            bitbucketApi.Verify(m => m.GetUserInformationAsync(It.IsAny<string>(), It.IsAny<string>(), false), Times.Once);
         }
 
         private void VerifyValidateOAuthCredentialsNeverRan() 
         {
             // never check username/password works
-            bitbucketApi.Verify(m => m.GetUserInformationAsync(null, It.IsAny<string>(), BitbucketHostProvider.USE_BASIC_TOKEN), Times.Never);
+            bitbucketApi.Verify(m => m.GetUserInformationAsync(null, It.IsAny<string>(), false), Times.Never);
         }
 
         private void VerifyValidateOAuthCredentialsRan() 
         {
             // check username/password works
-            bitbucketApi.Verify(m => m.GetUserInformationAsync(null, It.IsAny<string>(), BitbucketHostProvider.USE_BEARER_TOKEN), Times.Once);
+            bitbucketApi.Verify(m => m.GetUserInformationAsync(null, It.IsAny<string>(), true), Times.Once);
         }
 
         private void MockStoredOAuthAccount(TestCommandContext context, InputArguments input)
@@ -592,7 +585,7 @@ private static void MockRemoteBasicAuthAccountIsValid(Mock<IBitbucketRestApi> bi
         {
             var userInfo = new UserInfo() { IsTwoFactorAuthenticationEnabled = twoFAEnabled };
             // Basic
-            bitbucketApi.Setup(x => x.GetUserInformationAsync(input.UserName, password, BitbucketHostProvider.USE_BASIC_TOKEN)).ReturnsAsync(new RestApiResult<UserInfo>(System.Net.HttpStatusCode.OK, userInfo));
+            bitbucketApi.Setup(x => x.GetUserInformationAsync(input.UserName, password, false)).ReturnsAsync(new RestApiResult<UserInfo>(System.Net.HttpStatusCode.OK, userInfo));
 
         }
 
@@ -610,15 +603,15 @@ private static void MockRemoteBasicAuthAccountIsInvalid(Mock<IBitbucketRestApi>
         {
             var userInfo = new UserInfo();
             // Basic
-            bitbucketApi.Setup(x => x.GetUserInformationAsync(input.UserName, password, BitbucketHostProvider.USE_BASIC_TOKEN)).ReturnsAsync(new RestApiResult<UserInfo>(System.Net.HttpStatusCode.Forbidden, userInfo));
+            bitbucketApi.Setup(x => x.GetUserInformationAsync(input.UserName, password, false)).ReturnsAsync(new RestApiResult<UserInfo>(System.Net.HttpStatusCode.Forbidden, userInfo));
 
         }
 
         private static void MockRemoteOAuthAccountIsValid(Mock<IBitbucketRestApi> bitbucketApi, InputArguments input, string password, bool twoFAEnabled)
         {
             var userInfo = new UserInfo() { IsTwoFactorAuthenticationEnabled = twoFAEnabled };
             // OAuth
-            bitbucketApi.Setup(x => x.GetUserInformationAsync(null, password, BitbucketHostProvider.USE_BEARER_TOKEN)).ReturnsAsync(new RestApiResult<UserInfo>(System.Net.HttpStatusCode.OK, userInfo));
+            bitbucketApi.Setup(x => x.GetUserInformationAsync(null, password, true)).ReturnsAsync(new RestApiResult<UserInfo>(System.Net.HttpStatusCode.OK, userInfo));
         }
 
         private static void MockStoredAccount(TestCommandContext context, InputArguments input, string password)

src/shared/Atlassian.Bitbucket.Tests/BitbucketOauth2ClientTest.cs

@@ -1,6 +1,5 @@
 using System;
 using System.Collections.Generic;
-using System.IO;
 using System.Net;
 using System.Net.Http;
 using System.Threading;
@@ -81,7 +80,6 @@ private void VerifyOAuth2TokenResult(OAuth2TokenResult result)
             IEnumerable<char> tokenType = null;
             Assert.Equal(tokenType, result.TokenType);
             Assert.Equal(null, result.Scopes);
-            //Assert.Equal(pkceCodeVerifier, result.ExpiresIn);
         }
 
         private void VerifyAuthorizationCodeResult(OAuth2AuthorizationCodeResult result)

src/shared/Atlassian.Bitbucket.Tests/BitbucketRestApiTest.cs

@@ -33,15 +33,15 @@ public async Task BitbucketRestApi_GetUserInformationAsync_ReturnsUserInfo_ForSu
             var httpHandler = new TestHttpMessageHandler();
             httpHandler.Setup(HttpMethod.Get, expectedRequestUri, request =>
             {
-                if(isBearerToken)
+                if (isBearerToken)
                 {
                     RestTestUtilities.AssertBearerAuth(request, password);
                 }
                 else
                 {
                     RestTestUtilities.AssertBasicAuth(request, username, password);
                 }
-                //AssertAuthCode(request, testAuthCode);
+
                 return httpResponse;
             });
             context.HttpClientFactory.MessageHandler = httpHandler;

src/shared/Atlassian.Bitbucket/BitbucketHostProvider.cs

@@ -10,8 +10,6 @@ namespace Atlassian.Bitbucket
 {
     public class BitbucketHostProvider : IHostProvider
     {
-        public const bool USE_BEARER_TOKEN = true;
-        public const bool USE_BASIC_TOKEN = !USE_BEARER_TOKEN;
         private readonly ICommandContext _context;
         private readonly IBitbucketAuthentication _bitbucketAuth;
         private readonly IBitbucketRestApi _bitbucketApi;
@@ -96,7 +94,7 @@ private static void ValidateTargetUri(InputArguments input)
 
         private async Task<ICredential> GetStoredCredentials(InputArguments input)
         {
-            if(_context.Settings.TryGetSetting(BitbucketConstants.EnvironmentVariables.AlwaysRefreshCredentials, 
+            if (_context.Settings.TryGetSetting(BitbucketConstants.EnvironmentVariables.AlwaysRefreshCredentials, 
                 Constants.GitConfiguration.Credential.SectionName, BitbucketConstants.GitConfiguration.Credential.AlwaysRefreshCredentials, 
                 out string alwaysRefreshCredentials) && alwaysRefreshCredentials.ToBooleanyOrDefault(false))
             {
@@ -110,16 +108,16 @@ private async Task<ICredential> GetStoredCredentials(InputArguments input)
 
             var credentials = _context.CredentialStore.Get(credentialService, input.UserName);
 
-            if(credentials == null)
+            if (credentials == null)
             {
                 _context.Trace.WriteLine($"    Found none");
                 return null;
             }
 
-            _context.Trace.WriteLine($"    Found credentials: {credentials.Account}/**********");
+            _context.Trace.WriteLineSecrets($"    Found credentials: {credentials.Account}/{{0}}", new object[] {credentials.Password});
 
             //check credentials are still valid
-            if(!await ValidateCredentialsWork(input, credentials, GetSupportedAuthenticationModes(targetUri))) {
+            if (!await ValidateCredentialsWork(input, credentials, GetSupportedAuthenticationModes(targetUri))) {
                 return null;
             }
 
@@ -154,7 +152,7 @@ private async Task<ICredential> GetRefreshedCredentials(InputArguments input)
 
                     var basicCredentials = await GetBasicCredentialsInteractive(input, authModes);
 
-                    if(await ValidateCredentialsWork(input, basicCredentials, authModes))
+                    if (await ValidateCredentialsWork(input, basicCredentials, authModes))
                     {
                         return basicCredentials;
                     }
@@ -181,8 +179,6 @@ private async Task<ICredential> GetRefreshedCredentials(InputArguments input)
             else
             {
                 _context.Trace.WriteLine($"    Found refresh token: {refreshToken} ");
-                // TODO: should we try and compute if the AT has expired and use it?
-                // This needs support from the credential store to record the expiry time!
 
                 // It's very likely that any access token expired between the last time we used/stored it.
                 // To ensure the AT is as 'fresh' as it can be, always first try to use the refresh token
@@ -292,7 +288,7 @@ private static bool SupportsBasicAuth(AuthenticationModes authModes)
 
         public AuthenticationModes GetSupportedAuthenticationModes(Uri targetUri)
         {
-            if(!IsBitbucketOrg(targetUri))
+            if (!IsBitbucketOrg(targetUri))
             {
                 // Bitbucket Server/DC should use Basic only
                 return BitbucketConstants.ServerAuthenticationModes;
@@ -361,7 +357,7 @@ public Task EraseCredentialAsync(InputArguments input)
 
         private async Task<string> ResolveOAuthUserNameAsync(string accessToken)
         {
-            RestApiResult<UserInfo> result = await _bitbucketApi.GetUserInformationAsync(null, accessToken, USE_BEARER_TOKEN);
+            RestApiResult<UserInfo> result = await _bitbucketApi.GetUserInformationAsync(null, accessToken, isBearerToken: true);
             if (result.Succeeded)
             {
                 return result.Response.UserName;
@@ -372,7 +368,7 @@ private async Task<string> ResolveOAuthUserNameAsync(string accessToken)
 
         private async Task<string> ResolveBasicAuthUserNameAsync(string username, string password)
         {
-            RestApiResult<UserInfo> result = await _bitbucketApi.GetUserInformationAsync(username, password, USE_BASIC_TOKEN);
+            RestApiResult<UserInfo> result = await _bitbucketApi.GetUserInformationAsync(username, password, isBearerToken: false);
             if (result.Succeeded)
             {
                 return result.Response.UserName;
@@ -383,15 +379,15 @@ private async Task<string> ResolveBasicAuthUserNameAsync(string username, string
 
         private async Task<bool> RequiresTwoFactorAuthenticationAsync(ICredential credentials, AuthenticationModes authModes)
         {
-            _context.Trace.WriteLine($"Check if 2FA si required for credentials ({credentials.Account}/**********) {authModes} ...");
+            _context.Trace.WriteLineSecrets($"Check if 2FA si required for credentials ({credentials.Account}/{{0}}) {authModes} ...", new object[] {credentials.Password});
 
-            if(!SupportsOAuth(authModes))
+            if (!SupportsOAuth(authModes))
             {
                 return false;
             }
 
             RestApiResult<UserInfo> result = await _bitbucketApi.GetUserInformationAsync(
-                credentials.Account, credentials.Password, USE_BASIC_TOKEN);
+                credentials.Account, credentials.Password, isBearerToken: false);
             switch (result.StatusCode)
             {
                 // 2FA may not be required
@@ -413,26 +409,30 @@ private async Task<bool> RequiresTwoFactorAuthenticationAsync(ICredential creden
 
         private async Task<bool> ValidateCredentialsWork(InputArguments input, ICredential credentials, AuthenticationModes authModes) 
         {
-            if(credentials == null)
+            if (credentials == null)
             {
                 return false;
             }
 
+            // TODO ideally we'd also check if the credentials have expired based on some local metadata (once/if we get such metadata storage), 
+            // and return false if they have.
+            // This would be more efficient than having to make REST API calls to check.
+
             var targetUri = input.GetRemoteUri();
-            _context.Trace.WriteLine($"Validate credentials ({credentials.Account}/**********) are fresh for {targetUri} ...");
+            _context.Trace.WriteLineSecrets($"Validate credentials ({credentials.Account}/{{0}}) are fresh for {targetUri} ...", new object[] {credentials.Password});
 
-            if(!IsBitbucketOrg(targetUri))
+            if (!IsBitbucketOrg(targetUri))
             {
                 // TODO Validate DC/Server credentials before returning them to Git
                 // Currently credentials for DC/Server are not checked by GCM.
-                // Instead the validation relies on Git to try and fail with the creneitals and then request GCM to erase them
+                // Instead the validation relies on Git to try and fail with the credentials and then request GCM to erase them
                 _context.Trace.WriteLine("For DC/Server skip validating existing credentials");
                 return await Task.FromResult(true);
             }
 
             // Bitbucket supports both OAuth + Basic Auth unless there is explicit GCM configuration
             // So the credentials could be for either scheme therefore need to potentiall test both posibilities.
-            if(SupportsOAuth(authModes))
+            if (SupportsOAuth(authModes))
             {
                 try
                 {
@@ -446,7 +446,7 @@ private async Task<bool> ValidateCredentialsWork(InputArguments input, ICredenti
                 }
             }
 
-            if(SupportsBasicAuth(authModes))
+            if (SupportsBasicAuth(authModes))
             {
                 try
                 {