rm bitbucket changes, handle symmetric and assymetric paths

Author: ceorourke

src/sentry/integrations/bitbucket/installed.py

@@ -1,23 +1,14 @@
 from django.http.request import HttpRequest
 from django.http.response import HttpResponseBase
 from django.views.decorators.csrf import csrf_exempt
-from rest_framework import status
 from rest_framework.request import Request
 from rest_framework.response import Response
 
 from sentry.api.api_owners import ApiOwner
 from sentry.api.api_publish_status import ApiPublishStatus
 from sentry.api.base import Endpoint, control_silo_endpoint
-from sentry.integrations.jira.webhooks.installed import INVALID_KEY_IDS
 from sentry.integrations.pipeline import ensure_integration
 from sentry.integrations.types import IntegrationProviderSlug
-from sentry.integrations.utils.atlassian_connect import (
-    AtlassianConnectValidationError,
-    authenticate_asymmetric_jwt,
-    get_token,
-    verify_claims,
-)
-from sentry.utils import jwt
 
 from .integration import BitbucketIntegrationProvider
 
@@ -36,39 +27,7 @@ def dispatch(self, request: HttpRequest, *args, **kwargs) -> HttpResponseBase:
         return super().dispatch(request, *args, **kwargs)
 
     def post(self, request: Request, *args, **kwargs) -> Response:
-        try:
-            token = get_token(request)
-        except AtlassianConnectValidationError:
-            return self.respond(
-                {"detail": "Missing authorization header"}, status=status.HTTP_400_BAD_REQUEST
-            )
-
-        try:
-            key_id = jwt.peek_header(token).get("kid")
-        except jwt.DecodeError:
-            return self.respond(
-                {"detail": "Invalid JWT token"}, status=status.HTTP_400_BAD_REQUEST
-            )
-        if not key_id:
-            return self.respond({"detail": "Missing key id"}, status=status.HTTP_400_BAD_REQUEST)
-
-        if key_id in INVALID_KEY_IDS:
-            return self.respond({"detail": "Invalid key id"}, status=status.HTTP_400_BAD_REQUEST)
-
-        try:
-            decoded_claims = authenticate_asymmetric_jwt(token, key_id)
-            verify_claims(decoded_claims, request.path, request.GET, method="POST")
-        except AtlassianConnectValidationError:
-            return self.respond(
-                {"detail": "Could not validate JWT"}, status=status.HTTP_400_BAD_REQUEST
-            )
-
         state = request.data
-        if decoded_claims.get("iss") != state.get("clientKey"):
-            return self.respond(
-                {"detail": "JWT issuer does not match client key"},
-                status=status.HTTP_400_BAD_REQUEST,
-            )
         data = BitbucketIntegrationProvider().build_integration(state)
         ensure_integration(IntegrationProviderSlug.BITBUCKET.value, data)
 

src/sentry/integrations/jira/webhooks/installed.py

@@ -1,5 +1,6 @@
 import sentry_sdk
 from django.db import router, transaction
+from jwt import DecodeError, ExpiredSignatureError, InvalidAlgorithmError, InvalidSignatureError
 from rest_framework import status
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -55,21 +56,41 @@ def post(self, request: Request, *args, **kwargs) -> Response:
                     "clientKey": state.get("clientKey", ""),
                 }
             )
-            if not key_id:
-                return self.respond(
-                    {"detail": "Missing key id"}, status=status.HTTP_400_BAD_REQUEST
-                )
 
-            if key_id in INVALID_KEY_IDS:
-                lifecycle.record_halt(halt_reason="JWT contained invalid key_id (kid)")
-                return self.respond(
-                    {"detail": "Invalid key id"}, status=status.HTTP_400_BAD_REQUEST
-                )
+            if key_id:
+                if key_id in INVALID_KEY_IDS:
+                    lifecycle.record_halt(halt_reason="JWT contained invalid key_id (kid)")
+                    return self.respond(
+                        {"detail": "Invalid key id"}, status=status.HTTP_400_BAD_REQUEST
+                    )
+                decoded_claims = authenticate_asymmetric_jwt(token, key_id)
+            else:
+                shared_secret = state.get("sharedSecret")
+                if not shared_secret:
+                    return self.respond(
+                        {"detail": "Missing shared secret"}, status=status.HTTP_400_BAD_REQUEST
+                    )
+                try:
+                    decoded_claims = jwt.decode(token, shared_secret, audience=False)
+                except (
+                    InvalidSignatureError,
+                    ExpiredSignatureError,
+                    DecodeError,
+                    InvalidAlgorithmError,
+                ):
+                    return self.respond(
+                        {"detail": "Invalid JWT"}, status=status.HTTP_400_BAD_REQUEST
+                    )
+
             if decoded_claims.get("iss") != state.get("clientKey"):
                 lifecycle.record_halt(halt_reason="JWT issuer does not match client key")
                 return self.respond(
-                    {"detail": "JWT issuer does not match client key"}, status=status.HTTP_400_BAD_REQUEST
+                    {"detail": "JWT issuer does not match client key"},
+                    status=status.HTTP_400_BAD_REQUEST,
                 )
+
+            verify_claims(decoded_claims, request.path, request.GET, method="POST")
+            data = JiraIntegrationProvider().build_integration(state)
             integration = ensure_integration(self.provider, data)
 
             # Note: Unlike in all other Jira webhooks, we don't call `bind_org_context_from_integration`

tests/sentry/integrations/bitbucket/test_installed.py

@@ -3,13 +3,11 @@
 from typing import Any
 from unittest import mock
 
-import jwt as pyjwt
 import responses
 
 from sentry.integrations.bitbucket.installed import BitbucketInstalledEndpoint
 from sentry.integrations.bitbucket.integration import BitbucketIntegrationProvider, scopes
 from sentry.integrations.models.integration import Integration
-from sentry.integrations.utils.atlassian_connect import get_query_hash
 from sentry.models.project import Project
 from sentry.models.repository import Repository
 from sentry.organizations.services.organization.serial import serialize_rpc_organization
@@ -18,8 +16,6 @@
 from sentry.silo.base import SiloMode
 from sentry.testutils.cases import APITestCase
 from sentry.testutils.silo import assume_test_silo_mode, control_silo_test
-from sentry.utils.http import absolute_uri
-from tests.sentry.utils.test_jwt import RS256_KEY, RS256_PUB_KEY
 
 
 class BitbucketPlugin(IssueTrackingPlugin2):
@@ -33,7 +29,6 @@ class BitbucketInstalledEndpointTest(APITestCase):
     def setUp(self) -> None:
         self.provider = "bitbucket"
         self.path = "/extensions/bitbucket/installed/"
-        self.kid = "bitbucket-kid"
         self.username = "sentryuser"
         self.client_key = "connection:123"
         self.public_key = "123abcDEFg"
@@ -103,118 +98,27 @@ def tearDown(self) -> None:
         plugins.unregister(BitbucketPlugin)
         super().tearDown()
 
-    def jwt_token_cdn(self) -> str:
-        return pyjwt.encode(
-            {
-                "iss": self.client_key,
-                "aud": absolute_uri(),
-                "qsh": get_query_hash(self.path, method="POST", query_params={}),
-            },
-            RS256_KEY,
-            algorithm="RS256",
-            headers={"kid": self.kid, "alg": "RS256"},
-        )
-
-    def add_cdn_response(self) -> None:
-        responses.add(
-            responses.GET,
-            f"https://connect-install-keys.atlassian.com/{self.kid}",
-            body=RS256_PUB_KEY,
-        )
-
     def test_default_permissions(self) -> None:
         # Permissions must be empty so that it will be accessible to bitbucket.
         assert BitbucketInstalledEndpoint.authentication_classes == ()
         assert BitbucketInstalledEndpoint.permission_classes == ()
 
-    def test_missing_token(self) -> None:
-        response = self.client.post(self.path, data=self.team_data_from_bitbucket)
-        assert response.status_code == 400
-
-    def test_invalid_token(self) -> None:
-        response = self.client.post(
-            self.path,
-            data=self.team_data_from_bitbucket,
-            HTTP_AUTHORIZATION="invalid",
-        )
-        assert response.status_code == 400
-
-    @responses.activate
-    def test_missing_key_id(self) -> None:
-        token = pyjwt.encode(
-            {
-                "iss": self.client_key,
-                "aud": absolute_uri(),
-                "qsh": get_query_hash(self.path, method="POST", query_params={}),
-            },
-            RS256_KEY,
-            algorithm="RS256",
-            headers={"alg": "RS256"},
-        )
-        response = self.client.post(
-            self.path,
-            data=self.team_data_from_bitbucket,
-            HTTP_AUTHORIZATION=f"JWT {token}",
-        )
-        assert response.status_code == 400
-
-    @responses.activate
-    def test_invalid_key_id(self) -> None:
-        token = pyjwt.encode(
-            {
-                "iss": self.client_key,
-                "aud": absolute_uri(),
-                "qsh": get_query_hash(self.path, method="POST", query_params={}),
-            },
-            RS256_KEY,
-            algorithm="RS256",
-            headers={"kid": "fake-kid", "alg": "RS256"},
-        )
-        response = self.client.post(
-            self.path,
-            data=self.team_data_from_bitbucket,
-            HTTP_AUTHORIZATION=f"JWT {token}",
-        )
-        assert response.status_code == 400
-
-    @responses.activate
-    def test_jwt_issuer_mismatch(self) -> None:
-        self.add_cdn_response()
-        response = self.client.post(
-            self.path,
-            data={**self.team_data_from_bitbucket, "clientKey": "different-client-key"},
-            HTTP_AUTHORIZATION=f"JWT {self.jwt_token_cdn()}",
-        )
-        assert response.status_code == 400
-
-    @responses.activate
     def test_installed_with_public_key(self) -> None:
-        self.add_cdn_response()
-        response = self.client.post(
-            self.path,
-            data=self.team_data_from_bitbucket,
-            HTTP_AUTHORIZATION=f"JWT {self.jwt_token_cdn()}",
-        )
+        response = self.client.post(self.path, data=self.team_data_from_bitbucket)
         assert response.status_code == 200
         integration = Integration.objects.get(provider=self.provider, external_id=self.client_key)
         assert integration.name == self.username
         del integration.metadata["webhook_secret"]
         assert integration.metadata == self.metadata
 
-    @responses.activate
     def test_installed_without_public_key(self) -> None:
         integration, created = Integration.objects.get_or_create(
             provider=self.provider,
             external_id=self.client_key,
             defaults={"name": self.user_display_name, "metadata": self.user_metadata},
         )
         del self.user_data_from_bitbucket["principal"]["username"]
-        self.add_cdn_response()
-        response = self.client.post(
-            self.path,
-            data=self.user_data_from_bitbucket,
-            HTTP_AUTHORIZATION=f"JWT {self.jwt_token_cdn()}",
-        )
+        response = self.client.post(self.path, data=self.user_data_from_bitbucket)
         assert response.status_code == 200
 
         # assert no changes have been made to the integration
@@ -225,34 +129,22 @@ def test_installed_without_public_key(self) -> None:
         del integration_after.metadata["webhook_secret"]
         assert integration.metadata == integration_after.metadata
 
-    @responses.activate
     def test_installed_without_username(self) -> None:
         """Test a user (not team) installation where the user has hidden their username from public view"""
 
         # Remove username to simulate privacy mode
         del self.user_data_from_bitbucket["principal"]["username"]
 
-        self.add_cdn_response()
-        response = self.client.post(
-            self.path,
-            data=self.user_data_from_bitbucket,
-            HTTP_AUTHORIZATION=f"JWT {self.jwt_token_cdn()}",
-        )
+        response = self.client.post(self.path, data=self.user_data_from_bitbucket)
         assert response.status_code == 200
         integration = Integration.objects.get(provider=self.provider, external_id=self.client_key)
         assert integration.name == self.user_display_name
         del integration.metadata["webhook_secret"]
         assert integration.metadata == self.user_metadata
 
-    @responses.activate
     @mock.patch("sentry.integrations.bitbucket.integration.generate_token", return_value="0" * 64)
     def test_installed_with_secret(self, mock_generate_token: mock.MagicMock) -> None:
-        self.add_cdn_response()
-        response = self.client.post(
-            self.path,
-            data=self.team_data_from_bitbucket,
-            HTTP_AUTHORIZATION=f"JWT {self.jwt_token_cdn()}",
-        )
+        response = self.client.post(self.path, data=self.team_data_from_bitbucket)
         assert mock_generate_token.called
         assert response.status_code == 200
         integration = Integration.objects.get(provider=self.provider, external_id=self.client_key)
@@ -280,12 +172,7 @@ def test_plugin_migration(self) -> None:
                 config={"name": "otheruser/otherrepo"},
             )
 
-        self.add_cdn_response()
-        self.client.post(
-            self.path,
-            data=self.team_data_from_bitbucket,
-            HTTP_AUTHORIZATION=f"JWT {self.jwt_token_cdn()}",
-        )
+        self.client.post(self.path, data=self.team_data_from_bitbucket)
 
         integration = Integration.objects.get(provider=self.provider, external_id=self.client_key)
 
@@ -332,12 +219,7 @@ def test_disable_plugin_when_fully_migrated(self) -> None:
                 config={"name": "sentryuser/repo"},
             )
 
-        self.add_cdn_response()
-        self.client.post(
-            self.path,
-            data=self.team_data_from_bitbucket,
-            HTTP_AUTHORIZATION=f"JWT {self.jwt_token_cdn()}",
-        )
+        self.client.post(self.path, data=self.team_data_from_bitbucket)
 
         integration = Integration.objects.get(provider=self.provider, external_id=self.client_key)
 

tests/sentry/integrations/jira/test_installed.py

@@ -31,6 +31,7 @@ class JiraInstalledTest(APITestCase):
     kid = "cudi"
     shared_secret = "garden"
     path = "/extensions/jira/installed/"
+    client_key = "limepie"
 
     def _jwt_token(
         self,
@@ -40,7 +41,7 @@ def _jwt_token(
     ) -> str:
         return jwt.encode(
             {
-                "iss": self.external_id,
+                "iss": self.client_key,
                 "aud": absolute_uri(),
                 "qsh": get_query_hash(self.path, method="POST", query_params={}),
             },
@@ -61,7 +62,7 @@ def body(self) -> Mapping[str, Any]:
                 "metadata": {},
                 "external_id": self.external_id,
             },
-            "clientKey": "limepie",
+            "clientKey": self.client_key,
             "oauthClientId": "EFG",
             "publicKey": "yourCar",
             "sharedSecret": self.shared_secret,