Add support for Bitbucket Server OAuth2 (#64179)

Docs here: sourcegraph/docs#561

This PR adds support for using Bitbucket Server OAuth2 application links
for sign-in and permission syncing.

When used for permission syncing, the user's oauth token is used to
fetch user permissions (and now permissions are fetched via the server).

## Test plan

Tests added and updated.

## Changelog

- Sourcegraph now supports Bitbucket Server OAuth2 application links for
user sign-in and permission syncing.

Author: pjlast

Diff for: client/web/src/auth/SignInPage.tsx

@@ -222,6 +222,9 @@ const ProviderIcon: React.FunctionComponent<{ serviceType: AuthProvider['service
         case 'bitbucketCloud': {
             return <Icon aria-hidden={true} svgPath={mdiBitbucket} />
         }
+        case 'bitbucketServer': {
+            return <Icon aria-hidden={true} svgPath={mdiBitbucket} />
+        }
         case 'azuredevops': {
             return <Icon aria-hidden={true} svgPath={mdiMicrosoftAzureDevops} />
         }

Diff for: client/web/src/auth/SignUpForm.tsx

@@ -226,6 +226,8 @@ export const SignUpForm: React.FunctionComponent<React.PropsWithChildren<SignUpF
                                         <Icon aria-hidden={true} svgPath={mdiGitlab} />
                                     ) : provider.serviceType === 'bitbucketCloud' ? (
                                         <Icon aria-hidden={true} svPath={mdiBitbucket} />
+                                    ) : provider.serviceType === 'bitbucketServer' ? (
+                                        <Icon aria-hidden={true} svgPath={mdiBitbucket} />
                                     ) : null}{' '}
                                     Continue with {provider.displayName}
                                 </Button>

Diff for: client/web/src/components/externalAccounts/externalAccounts.ts

@@ -51,6 +51,10 @@ export const defaultExternalAccounts: Record<ExternalAccountKind, ExternalAccoun
         title: 'Bitbucket Cloud',
         icon: BitbucketIcon,
     },
+    bitbucketServer: {
+        title: 'Bitbucket Server',
+        icon: BitbucketIcon,
+    },
     gerrit: {
         title: 'Gerrit',
         icon: GerritIcon,

Diff for: client/web/src/jscontext.ts

@@ -23,6 +23,7 @@ export interface AuthProvider {
         | 'github'
         | 'gitlab'
         | 'bitbucketCloud'
+        | 'bitbucketServer'
         | 'http-header'
         | 'openidconnect'
         | 'sourcegraph-operator'

Diff for: client/web/src/repo/utils.tsx

@@ -34,6 +34,9 @@ export const stringToCodeHostType = (codeHostType: string): CodeHostType => {
         case 'bitbucketCloud': {
             return CodeHostType.BITBUCKETCLOUD
         }
+        case 'bitbucketServer': {
+            return CodeHostType.BITBUCKETSERVER
+        }
         case 'gitolite': {
             return CodeHostType.GITOLITE
         }

Diff for: client/web/src/util/constants.ts

@@ -73,4 +73,5 @@ export const V2AuthProviderTypes: { [k in AuthProvider['serviceType']]: number }
     builtin: 7,
     gerrit: 8,
     azuredevops: 9,
+    bitbucketServer: 10,
 }

Diff for: cmd/frontend/graphqlbackend/external_account_data_resolver_test.go

@@ -38,6 +38,10 @@ func (m mockAuthnProvider) CachedInfo() *providers.Info {
 	// return &providers.Info{ServiceID: m.serviceID}
 }
 
+func (m mockAuthnProvider) Type() providers.ProviderType {
+	return providers.ProviderTypeOAuth
+}
+
 type mockAuthnProviderUser struct {
 	Username string `json:"username,omitempty"`
 	ID       int32  `json:"id,omitempty"`

Diff for: cmd/frontend/internal/auth/BUILD.bazel

@@ -11,6 +11,7 @@ go_library(
         "//cmd/frontend/internal/auth/authutil",
         "//cmd/frontend/internal/auth/azureoauth",
         "//cmd/frontend/internal/auth/bitbucketcloudoauth",
+        "//cmd/frontend/internal/auth/bitbucketserveroauth",
         "//cmd/frontend/internal/auth/gerrit",
         "//cmd/frontend/internal/auth/githuboauth",
         "//cmd/frontend/internal/auth/gitlaboauth",

Diff for: cmd/frontend/internal/auth/azureoauth/middleware.go

@@ -7,15 +7,8 @@ import (
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/internal/auth/oauth"
 	"github.com/sourcegraph/sourcegraph/internal/database"
 	"github.com/sourcegraph/sourcegraph/internal/extsvc"
-	"github.com/sourcegraph/sourcegraph/schema"
 )
 
-func init() {
-	oauth.AddIsOAuth(func(p schema.AuthProviders) bool {
-		return p.AzureDevOps != nil
-	})
-}
-
 func Middleware(db database.DB) *auth.Middleware {
 	return &auth.Middleware{
 		API: func(next http.Handler) http.Handler {

Diff for: cmd/frontend/internal/auth/bitbucketcloudoauth/middleware.go

@@ -7,17 +7,10 @@ import (
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/internal/auth/oauth"
 	"github.com/sourcegraph/sourcegraph/internal/database"
 	"github.com/sourcegraph/sourcegraph/internal/extsvc"
-	"github.com/sourcegraph/sourcegraph/schema"
 )
 
 const authPrefix = auth.AuthURLPrefix + "/bitbucketcloud"
 
-func init() {
-	oauth.AddIsOAuth(func(p schema.AuthProviders) bool {
-		return p.Bitbucketcloud != nil
-	})
-}
-
 func Middleware(db database.DB) *auth.Middleware {
 	return &auth.Middleware{
 		API: func(next http.Handler) http.Handler {

Diff for: cmd/frontend/internal/auth/bitbucketserveroauth/BUILD.bazel

@@ -0,0 +1,71 @@
+load("//dev:go_defs.bzl", "go_test")
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "bitbucketserveroauth",
+    srcs = [
+        "config.go",
+        "middleware.go",
+        "provider.go",
+        "session.go",
+    ],
+    importpath = "github.com/sourcegraph/sourcegraph/cmd/frontend/internal/auth/bitbucketserveroauth",
+    visibility = ["//cmd/frontend:__subpackages__"],
+    deps = [
+        "//cmd/frontend/auth",
+        "//cmd/frontend/hubspot",
+        "//cmd/frontend/hubspot/hubspotutil",
+        "//cmd/frontend/internal/auth/oauth",
+        "//cmd/frontend/internal/auth/providers",
+        "//cmd/frontend/internal/auth/session",
+        "//internal/actor",
+        "//internal/collections",
+        "//internal/conf",
+        "//internal/conf/conftypes",
+        "//internal/database",
+        "//internal/extsvc",
+        "//internal/extsvc/auth",
+        "//internal/extsvc/bitbucketserver",
+        "//internal/licensing",
+        "//internal/telemetry/telemetryrecorder",
+        "//lib/errors",
+        "//schema",
+        "@com_github_dghubble_gologin_v2//:gologin",
+        "@com_github_dghubble_gologin_v2//bitbucket",
+        "@com_github_dghubble_gologin_v2//oauth2",
+        "@com_github_sourcegraph_log//:log",
+        "@org_golang_x_oauth2//:oauth2",
+    ],
+)
+
+go_test(
+    name = "bitbucketserveroauth_test",
+    srcs = [
+        "config_test.go",
+        "middleware_test.go",
+        "session_test.go",
+    ],
+    embed = [":bitbucketserveroauth"],
+    tags = ["requires-network"],
+    deps = [
+        "//cmd/frontend/auth",
+        "//cmd/frontend/internal/auth/oauth",
+        "//cmd/frontend/internal/auth/providers",
+        "//cmd/frontend/internal/auth/session",
+        "//internal/actor",
+        "//internal/conf",
+        "//internal/database",
+        "//internal/database/dbmocks",
+        "//internal/database/dbtest",
+        "//internal/extsvc",
+        "//internal/extsvc/bitbucketserver",
+        "//internal/httpcli",
+        "//internal/ratelimit",
+        "//lib/errors",
+        "//schema",
+        "@com_github_google_go_cmp//cmp",
+        "@com_github_google_go_cmp//cmp/cmpopts",
+        "@com_github_sourcegraph_log//logtest",
+        "@org_golang_x_oauth2//:oauth2",
+    ],
+)

Diff for: cmd/frontend/internal/auth/bitbucketserveroauth/config.go

@@ -0,0 +1,77 @@
+package bitbucketserveroauth
+
+import (
+	"fmt"
+
+	"github.com/sourcegraph/log"
+
+	"github.com/sourcegraph/sourcegraph/cmd/frontend/internal/auth/providers"
+	"github.com/sourcegraph/sourcegraph/internal/collections"
+	"github.com/sourcegraph/sourcegraph/internal/conf"
+	"github.com/sourcegraph/sourcegraph/internal/conf/conftypes"
+	"github.com/sourcegraph/sourcegraph/internal/database"
+	"github.com/sourcegraph/sourcegraph/internal/licensing"
+	"github.com/sourcegraph/sourcegraph/schema"
+)
+
+func Init(logger log.Logger, db database.DB) {
+	const pkgName = "bitbucketserveroauth"
+	logger = logger.Scoped(pkgName)
+	conf.ContributeValidator(func(cfg conftypes.SiteConfigQuerier) conf.Problems {
+		_, problems := parseConfig(logger, cfg, db)
+		return problems
+	})
+
+	go conf.Watch(func() {
+		newProviders, _ := parseConfig(logger, conf.Get(), db)
+		if len(newProviders) == 0 {
+			providers.Update(pkgName, nil)
+			return
+		}
+
+		if err := licensing.Check(licensing.FeatureSSO); err != nil {
+			logger.Error("Check license for SSO (Bitbucket Server OAuth)", log.Error(err))
+			providers.Update(pkgName, nil)
+			return
+		}
+
+		newProvidersList := make([]providers.Provider, 0, len(newProviders))
+		for _, p := range newProviders {
+			newProvidersList = append(newProvidersList, p.Provider)
+		}
+		providers.Update(pkgName, newProvidersList)
+	})
+}
+
+type Provider struct {
+	*schema.BitbucketServerAuthProvider
+	providers.Provider
+}
+
+func parseConfig(logger log.Logger, cfg conftypes.SiteConfigQuerier, db database.DB) (ps []Provider, problems conf.Problems) {
+	existingProviders := make(collections.Set[string])
+
+	for _, pr := range cfg.SiteConfig().AuthProviders {
+		if pr.Bitbucketserver == nil {
+			continue
+		}
+
+		provider, providerProblems := parseProvider(logger, pr.Bitbucketserver, db, pr)
+		problems = append(problems, conf.NewSiteProblems(providerProblems...)...)
+		if provider == nil {
+			continue
+		}
+
+		if existingProviders.Has(provider.CachedInfo().UniqueID()) {
+			problems = append(problems, conf.NewSiteProblems(fmt.Sprintf(`Cannot have more than one Bitbucket Server auth provider with url %q and client ID %q, only the first one will be used`, provider.ServiceID, provider.CachedInfo().ClientID))...)
+			continue
+		}
+
+		ps = append(ps, Provider{
+			BitbucketServerAuthProvider: pr.Bitbucketserver,
+			Provider:                    provider,
+		})
+		existingProviders.Add(provider.CachedInfo().UniqueID())
+	}
+	return ps, problems
+}