🚧 Automatic creation of private keys using webscraping

fixes #14

Author: guyzmo

git_repo/services/ext/bitbucket.py

@@ -18,7 +18,8 @@
 
 from requests import Request, Session
 from requests.exceptions import HTTPError
-import os, json
+from lxml import html
+import os, json, platform
 
 
 @register_target('bb', 'bitbucket')
@@ -30,11 +31,16 @@ def __init__(self, *args, **kwarg):
         super(BitbucketService, self).__init__(*args, **kwarg)
 
     def connect(self):
-        if not self._privatekey:
+        if self._privatekey and ':' in self._privatekey:
+            login, password = self._privatekey.split(':')
+        else:
+            login = self._username
+            password = self._privatekey
+
+        if not login or not password:
             raise ConnectionError('Could not connect to BitBucket. Please configure .gitconfig with your bitbucket credentials.')
-        if not ':' in self._privatekey:
-            raise ConnectionError('Could not connect to BitBucket. Please setup your private key with login:password')
-        auth = BasicAuthenticator(*self._privatekey.split(':')+['[email protected]'])
+
+        auth = BasicAuthenticator(login, password, '[email protected]')
         self.bb.client.config = auth
         self.bb.client.session = self.bb.client.config.session = auth.start_http_session(self.bb.client.session)
         try:
@@ -353,8 +359,96 @@ def request_fetch(self, user, repo, request, pull=False):
 
     @classmethod
     def get_auth_token(cls, login, password, prompt=None):
-        log.warn("/!\\ Due to API limitations, the bitbucket login/password is stored as plaintext in configuration.")
-        return "{}:{}".format(login, password)
+        session = Session()
+
+        key_name = 'git-repo@{}'.format(platform.node())
+
+        # get login page
+        log.info('» Login to bitbucket…')
+
+        login_url = "https://bitbucket.org/account/signin/?next=/".format(login)
+
+        session.headers.update({
+            "User-Agent":"Mozilla/5.0 (X11; Linux x86_64) " \
+            "AppleWebKit/537.36 (KHTML, like Gecko) " \
+            "Chrome/52.0.2743.82 Safari/537.36"
+        })
+
+        result = session.get(login_url)
+        tree = html.fromstring(result.text)
+
+        # extract CSRF token
+
+        authenticity_token = list(set(tree.xpath("//input[@name='csrfmiddlewaretoken']/@value")))[0]
+
+        # do login
+
+        payload = {
+            'username': login,
+            'password': password,
+            'csrfmiddlewaretoken': authenticity_token
+        }
+
+        result = session.post(
+            login_url,
+            data = payload,
+            headers = dict(referer=login_url)
+        )
+        tree = html.fromstring(result.text)
+
+        # extract username
+
+        try:
+            username = json.loads(tree.xpath('//meta/@data-current-user')[0])['username']
+        except KeyError:
+            raise ResourceNotFoundError('Invalid login. Please make sure you\'re using your bitbucket email address as username!')
+
+        app_password_url ='https://bitbucket.org/account/user/{}/app-passwords/new'.format(username)
+
+        # load app password page
+        log.info('» Generating app password…')
+
+        result = session.get(
+            app_password_url,
+            headers=dict(referer=app_password_url)
+        )
+        tree = html.fromstring(result.content)
+
+        if 'git-repo@{}'.format(platform.node()) in result:
+            log.warn("A duplicate key is being created!")
+
+        # generate app password
+        log.info('» App password is setup with following scopes:')
+        log.info('»     account, team, project:write, repository:admin, repository:delete')
+        log.info('»     pullrequest:write, snippet, snippet:write')
+
+        authenticity_token = list(set(tree.xpath("//input[@name='csrfmiddlewaretoken']/@value")))[0]
+
+        payload = dict(
+            name=key_name,
+            scope=['account',
+                    'team',
+                    'project',
+                    'project:write',
+                    'repository',
+                    'pullrequest:write',
+                    'repository:admin',
+                    'repository:delete',
+                    'snippet',
+                    'snippet:write'
+                    ],
+            csrfmiddlewaretoken=authenticity_token
+        )
+        result = session.post(
+            app_password_url,
+            data=payload,
+            headers=dict(referer=app_password_url)
+        )
+        tree = html.fromstring(result.content)
+
+        password = json.loads(tree.xpath('//section/@data-app-password')[0])['password']
+
+        return password, username
 
     @property
     def user(self):
@@ -364,4 +458,3 @@ def user(self):
         except (HTTPError, AttributeError) as err:
             raise ResourceError("Couldn't find the current user: {}".format(err)) from err
 
-

git_repo/services/service.py

@@ -167,6 +167,8 @@ def load_configuration(self, c, hc=[]):
                                           c.get('token',
                                                 c.get('private_token',
                                                       c.get('privatekey', None))))
+        self._username = os.environ.get('USERNAME_{}'.format(self.name.upper()),
+                                          c.get('username', None))
         self._alias = c.get('alias', self.name)
 
         self.fqdn = c.get('fqdn', self.fqdn)

requirements.txt

@@ -1,6 +1,7 @@
 docopt
 progress
 python-dateutil
+lxml
 GitPython>=2.1.0
 uritemplate.py==2.0.0
 github3.py==0.9.5

tests/conftest.py

@@ -16,10 +16,13 @@
     # also if an environment variable is not set, then we don't want to record cassettes
     record_mode = 'never'
     for service in services:
+        user_name = 'USERNAME_{}'.format(service.upper())
         token_name = 'PRIVATE_KEY_{}'.format(service.upper())
         namespace_name = '{}_NAMESPACE'.format(service.upper())
+        if user_name not in os.environ:
+            os.environ[user_name] = '_username_'.format(service)
         if token_name not in os.environ:
-            os.environ[token_name] = '_namespace_{}_:_private_'.format(service) # using a : for bitbucket's case
+            os.environ[token_name] = '_token_{}_'.format(service)
         if namespace_name not in os.environ:
             os.environ[namespace_name] = '_namespace_{}_'.format(service)
 else:
@@ -31,21 +34,25 @@
 
     # handle the different forms of token configuration item (yup, technical debt bites here)
     get_section = lambda s: 'gitrepo "{}"'.format(s)
+    get_username = lambda s: config.get_value(get_section(s), 'username',
+                                    '_username_{}'.format(s)
+                                )
     get_token = lambda s: config.get_value(get_section(s), 'token',
                             config.get_value(get_section(s), 'private_token',
                                 config.get_value(get_section(s), 'privatekey',
-                                        '_namespace_{}_:_private_'.format(s) # using a : for bitbucket's case
+                                        '_namespace_{}_'.format(s)
                                     )))
-    # XXX temporary fix that should not be necessary when refactoring with pybitbucket
-    get_default_namespace = lambda s: os.environ[token_name].split(':')[0] if s == 'bitbucket' else '_namespace_{}_'.format(s)
 
     for service in services:
+        user_name = 'USERNAME_{}'.format(service.upper())
         token_name = 'PRIVATE_KEY_{}'.format(service.upper())
         namespace_name = '{}_NAMESPACE'.format(service.upper())
+        if user_name not in os.environ:
+            os.environ[user_name] = get_username(service)
         if token_name not in os.environ:
             os.environ[token_name] = get_token(service)
         if namespace_name not in os.environ:
-            os.environ[namespace_name] = os.environ.get('GITREPO_NAMESPACE', get_default_namespace(service))
+            os.environ[namespace_name] = os.environ.get('GITREPO_NAMESPACE', '_namespace_{}_'.format(service))
 
 betamax.Betamax.register_serializer(pretty_json.PrettyJSONSerializer)