
fix: Improve BitBucket token scopes validation #547

Merged
merged 1 commit into from
Aug 22, 2023

Conversation

@tolusha (Contributor) commented Aug 21, 2023

What does this PR do?

This PR improves BitBucket token scopes validation.
The minimal list of permissions:

  • repository:write or pullrequest:write (since pullrequest:write is wider than repository:write)
  • account or account:write (since account:write is wider than account)

Screenshot/screencast of this PR

N/A

What issues does this PR fix or reference?

eclipse-che/che#22301

How to test this PR?

Image to use: quay.io/eclipse/che-server:pr-547

PR Checklist

As the author of this Pull Request I made sure that:

Reviewers

Reviewers, please comment how you tested the PR when approving it.

@vinokurig (Contributor) commented:
@tolusha Why do we need write permissions? We can use account:read and repository:read as a minimum scope.

@tolusha (Contributor, Author) commented Aug 21, 2023

repository:read won't let you push to the repository (I guess).
So, the minimum set is account (not account:read) and repository:write.

The trick is the following: if account:write permission is selected, then BitBucket doesn't return account permission in the list of selected permissions. So, that's why we need to check if returned list contains either account or account:write permission.

The same is valid for repository.
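The validation rule laid out in the PR description (the two minimal scope groups) together with the behaviour explained in the reply above (Bitbucket returns only the wider scope, so the check must accept either member of each group), as an added example in Python. This is not Eclipse Che's code (che-server is written in Java); it assumes the granted scopes have already been retrieved from Bitbucket as a space- or comma-separated string, and only the two groups named in the PR are modelled. The function names (`missing_scopes`, `literal_match_check`, and so on) and the sample scope lists are hypothetical and constructed for the illustration.

```python
from __future__ import annotations

from typing import Iterable

# Requirement groups named in the PR description. Each group is satisfied by
# ANY one of its alternatives; the wider scope is listed next to the narrower
# one because, as the PR discussion notes, Bitbucket omits the narrower scope
# (e.g. account) from the returned list when the wider one (account:write) was
# granted. Assumption: only the two groups from the PR are modelled here.
REQUIRED_SCOPES: dict[str, tuple[str, ...]] = {
    "repository": ("repository:write", "pullrequest:write"),
    "account": ("account", "account:write"),
}


def parse_scope_list(raw: str) -> set[str]:
    """Turn a space- or comma-separated scope string into a set of scope names."""
    return {s.strip() for s in raw.replace(",", " ").split() if s.strip()}


def missing_scopes(granted: Iterable[str]) -> dict[str, tuple[str, ...]]:
    """Return the requirement groups that no granted scope satisfies."""
    have = set(granted)
    return {
        name: alternatives
        for name, alternatives in REQUIRED_SCOPES.items()
        if not any(alt in have for alt in alternatives)
    }


def is_token_usable(granted: Iterable[str]) -> bool:
    """True when every requirement group is covered by at least one scope."""
    return not missing_scopes(granted)


def describe_missing(granted: Iterable[str]) -> str:
    """Human-readable summary of the uncovered groups, or '' when none."""
    gaps = missing_scopes(granted)
    if not gaps:
        return ""
    parts = [" or ".join(alts) for alts in gaps.values()]
    return "token lacks required scope(s): " + "; ".join(parts)


def literal_match_check(granted: Iterable[str]) -> bool:
    """Hypothetical exact-name check, included only to show the failure mode:
    it rejects a token whose list carries the wider scope in place of the
    narrower one that Bitbucket leaves out."""
    have = set(granted)
    return "repository:write" in have and "account" in have


if __name__ == "__main__":
    # Constructed sample scope lists (not captured from a real Bitbucket token).
    samples = {
        "narrow scopes": "account repository:write",
        "wider scopes only": "account:write pullrequest:write",
        "read-only repo": "account repository",
        "nothing granted": "",
    }
    for label, raw in samples.items():
        scopes = parse_scope_list(raw)
        print(
            f"{label:18} usable={is_token_usable(scopes)!s:5} "
            f"literal={literal_match_check(scopes)!s:5} {describe_missing(scopes)}"
        )
```

The "wider scopes only" sample is the case the PR fixes: `is_token_usable` accepts it, while an exact-name check rejects it even though the token can push and read the account.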

openshift-ci bot commented Aug 21, 2023

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: tolusha, vinokurig


@tolusha tolusha merged commit ff90b44 into main Aug 22, 2023
4 checks passed
@tolusha tolusha deleted the 22301 branch August 22, 2023 07:17
@devstudio-release
Build 3.9 :: server_3.x/199: Console, Changes, Git Data

@devstudio-release

Build 3.9 :: get-sources-rhpkg-container-build_3.x/3963: FAILURE

server : 3.x :: Failed in : BREW:BUILD/STATUS:UNKNOWN
FAILURE:; copied to quay
