validate jwt in bitbucket

Author: ceorourke

src/sentry/integrations/bitbucket/installed.py

@@ -1,14 +1,23 @@
 from django.http.request import HttpRequest
 from django.http.response import HttpResponseBase
 from django.views.decorators.csrf import csrf_exempt
+from rest_framework import status
 from rest_framework.request import Request
 from rest_framework.response import Response
 
 from sentry.api.api_owners import ApiOwner
 from sentry.api.api_publish_status import ApiPublishStatus
 from sentry.api.base import Endpoint, control_silo_endpoint
+from sentry.integrations.jira.webhooks.installed import INVALID_KEY_IDS
 from sentry.integrations.pipeline import ensure_integration
 from sentry.integrations.types import IntegrationProviderSlug
+from sentry.integrations.utils.atlassian_connect import (
+    AtlassianConnectValidationError,
+    authenticate_asymmetric_jwt,
+    get_token,
+    verify_claims,
+)
+from sentry.utils import jwt
 
 from .integration import BitbucketIntegrationProvider
 
@@ -27,7 +36,34 @@ def dispatch(self, request: HttpRequest, *args, **kwargs) -> HttpResponseBase:
         return super().dispatch(request, *args, **kwargs)
 
     def post(self, request: Request, *args, **kwargs) -> Response:
+        try:
+            token = get_token(request)
+        except AtlassianConnectValidationError:
+            return self.respond(
+                {"detail": "Missing authorization header"}, status=status.HTTP_400_BAD_REQUEST
+            )
+
+        key_id = jwt.peek_header(token).get("kid")
+        if not key_id:
+            return self.respond({"detail": "Missing key id"}, status=status.HTTP_400_BAD_REQUEST)
+
+        if key_id in INVALID_KEY_IDS:
+            return self.respond({"detail": "Invalid key id"}, status=status.HTTP_400_BAD_REQUEST)
+
+        try:
+            decoded_claims = authenticate_asymmetric_jwt(token, key_id)
+            verify_claims(decoded_claims, request.path, request.GET, method="POST")
+        except AtlassianConnectValidationError:
+            return self.respond(
+                {"detail": "Could not validate JWT"}, status=status.HTTP_400_BAD_REQUEST
+            )
+
         state = request.data
+        if decoded_claims.get("iss") != state.get("clientKey"):
+            return self.respond(
+                {"detail": "JWT issuer does not match client key"},
+                status=status.HTTP_400_BAD_REQUEST,
+            )
         data = BitbucketIntegrationProvider().build_integration(state)
         ensure_integration(IntegrationProviderSlug.BITBUCKET.value, data)
 

tests/sentry/integrations/bitbucket/test_installed.py

@@ -3,11 +3,13 @@
 from typing import Any
 from unittest import mock
 
+import jwt as pyjwt
 import responses
 
 from sentry.integrations.bitbucket.installed import BitbucketInstalledEndpoint
 from sentry.integrations.bitbucket.integration import BitbucketIntegrationProvider, scopes
 from sentry.integrations.models.integration import Integration
+from sentry.integrations.utils.atlassian_connect import get_query_hash
 from sentry.models.project import Project
 from sentry.models.repository import Repository
 from sentry.organizations.services.organization.serial import serialize_rpc_organization
@@ -16,6 +18,8 @@
 from sentry.silo.base import SiloMode
 from sentry.testutils.cases import APITestCase
 from sentry.testutils.silo import assume_test_silo_mode, control_silo_test
+from sentry.utils.http import absolute_uri
+from tests.sentry.utils.test_jwt import RS256_KEY, RS256_PUB_KEY
 
 
 class BitbucketPlugin(IssueTrackingPlugin2):
@@ -29,6 +33,7 @@ class BitbucketInstalledEndpointTest(APITestCase):
     def setUp(self) -> None:
         self.provider = "bitbucket"
         self.path = "/extensions/bitbucket/installed/"
+        self.kid = "bitbucket-kid"
         self.username = "sentryuser"
         self.client_key = "connection:123"
         self.public_key = "123abcDEFg"
@@ -98,27 +103,118 @@ def tearDown(self) -> None:
         plugins.unregister(BitbucketPlugin)
         super().tearDown()
 
+    def jwt_token_cdn(self) -> str:
+        return pyjwt.encode(
+            {
+                "iss": self.client_key,
+                "aud": absolute_uri(),
+                "qsh": get_query_hash(self.path, method="POST", query_params={}),
+            },
+            RS256_KEY,
+            algorithm="RS256",
+            headers={"kid": self.kid, "alg": "RS256"},
+        )
+
+    def add_cdn_response(self) -> None:
+        responses.add(
+            responses.GET,
+            f"https://connect-install-keys.atlassian.com/{self.kid}",
+            body=RS256_PUB_KEY,
+        )
+
     def test_default_permissions(self) -> None:
         # Permissions must be empty so that it will be accessible to bitbucket.
         assert BitbucketInstalledEndpoint.authentication_classes == ()
         assert BitbucketInstalledEndpoint.permission_classes == ()
 
-    def test_installed_with_public_key(self) -> None:
+    def test_missing_token(self) -> None:
         response = self.client.post(self.path, data=self.team_data_from_bitbucket)
+        assert response.status_code == 400
+
+    def test_invalid_token(self) -> None:
+        response = self.client.post(
+            self.path,
+            data=self.team_data_from_bitbucket,
+            HTTP_AUTHORIZATION="invalid",
+        )
+        assert response.status_code == 400
+
+    @responses.activate
+    def test_missing_key_id(self) -> None:
+        token = pyjwt.encode(
+            {
+                "iss": self.client_key,
+                "aud": absolute_uri(),
+                "qsh": get_query_hash(self.path, method="POST", query_params={}),
+            },
+            RS256_KEY,
+            algorithm="RS256",
+            headers={"alg": "RS256"},
+        )
+        response = self.client.post(
+            self.path,
+            data=self.team_data_from_bitbucket,
+            HTTP_AUTHORIZATION=f"JWT {token}",
+        )
+        assert response.status_code == 400
+
+    @responses.activate
+    def test_invalid_key_id(self) -> None:
+        token = pyjwt.encode(
+            {
+                "iss": self.client_key,
+                "aud": absolute_uri(),
+                "qsh": get_query_hash(self.path, method="POST", query_params={}),
+            },
+            RS256_KEY,
+            algorithm="RS256",
+            headers={"kid": "fake-kid", "alg": "RS256"},
+        )
+        response = self.client.post(
+            self.path,
+            data=self.team_data_from_bitbucket,
+            HTTP_AUTHORIZATION=f"JWT {token}",
+        )
+        assert response.status_code == 400
+
+    @responses.activate
+    def test_jwt_issuer_mismatch(self) -> None:
+        self.add_cdn_response()
+        response = self.client.post(
+            self.path,
+            data={**self.team_data_from_bitbucket, "clientKey": "different-client-key"},
+            HTTP_AUTHORIZATION=f"JWT {self.jwt_token_cdn()}",
+        )
+        assert response.status_code == 400
+
+    @responses.activate
+    def test_installed_with_public_key(self) -> None:
+        self.add_cdn_response()
+        response = self.client.post(
+            self.path,
+            data=self.team_data_from_bitbucket,
+            HTTP_AUTHORIZATION=f"JWT {self.jwt_token_cdn()}",
+        )
         assert response.status_code == 200
         integration = Integration.objects.get(provider=self.provider, external_id=self.client_key)
         assert integration.name == self.username
         del integration.metadata["webhook_secret"]
         assert integration.metadata == self.metadata
 
+    @responses.activate
     def test_installed_without_public_key(self) -> None:
         integration, created = Integration.objects.get_or_create(
             provider=self.provider,
             external_id=self.client_key,
             defaults={"name": self.user_display_name, "metadata": self.user_metadata},
         )
         del self.user_data_from_bitbucket["principal"]["username"]
-        response = self.client.post(self.path, data=self.user_data_from_bitbucket)
+        self.add_cdn_response()
+        response = self.client.post(
+            self.path,
+            data=self.user_data_from_bitbucket,
+            HTTP_AUTHORIZATION=f"JWT {self.jwt_token_cdn()}",
+        )
         assert response.status_code == 200
 
         # assert no changes have been made to the integration
@@ -129,22 +225,34 @@ def test_installed_without_public_key(self) -> None:
         del integration_after.metadata["webhook_secret"]
         assert integration.metadata == integration_after.metadata
 
+    @responses.activate
     def test_installed_without_username(self) -> None:
         """Test a user (not team) installation where the user has hidden their username from public view"""
 
         # Remove username to simulate privacy mode
         del self.user_data_from_bitbucket["principal"]["username"]
 
-        response = self.client.post(self.path, data=self.user_data_from_bitbucket)
+        self.add_cdn_response()
+        response = self.client.post(
+            self.path,
+            data=self.user_data_from_bitbucket,
+            HTTP_AUTHORIZATION=f"JWT {self.jwt_token_cdn()}",
+        )
         assert response.status_code == 200
         integration = Integration.objects.get(provider=self.provider, external_id=self.client_key)
         assert integration.name == self.user_display_name
         del integration.metadata["webhook_secret"]
         assert integration.metadata == self.user_metadata
 
+    @responses.activate
     @mock.patch("sentry.integrations.bitbucket.integration.generate_token", return_value="0" * 64)
     def test_installed_with_secret(self, mock_generate_token: mock.MagicMock) -> None:
-        response = self.client.post(self.path, data=self.team_data_from_bitbucket)
+        self.add_cdn_response()
+        response = self.client.post(
+            self.path,
+            data=self.team_data_from_bitbucket,
+            HTTP_AUTHORIZATION=f"JWT {self.jwt_token_cdn()}",
+        )
         assert mock_generate_token.called
         assert response.status_code == 200
         integration = Integration.objects.get(provider=self.provider, external_id=self.client_key)
@@ -172,7 +280,12 @@ def test_plugin_migration(self) -> None:
                 config={"name": "otheruser/otherrepo"},
             )
 
-        self.client.post(self.path, data=self.team_data_from_bitbucket)
+        self.add_cdn_response()
+        self.client.post(
+            self.path,
+            data=self.team_data_from_bitbucket,
+            HTTP_AUTHORIZATION=f"JWT {self.jwt_token_cdn()}",
+        )
 
         integration = Integration.objects.get(provider=self.provider, external_id=self.client_key)
 
@@ -219,7 +332,12 @@ def test_disable_plugin_when_fully_migrated(self) -> None:
                 config={"name": "sentryuser/repo"},
             )
 
-        self.client.post(self.path, data=self.team_data_from_bitbucket)
+        self.add_cdn_response()
+        self.client.post(
+            self.path,
+            data=self.team_data_from_bitbucket,
+            HTTP_AUTHORIZATION=f"JWT {self.jwt_token_cdn()}",
+        )
 
         integration = Integration.objects.get(provider=self.provider, external_id=self.client_key)