[JENKINS-74983] Add support for authenticated Webhooks registered in Bitbucket

Verify in the webhooks processor when the signature is present is matches the configured
Add configuration in the global settings to setup HMAC credentials

Author: nfalco79

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/BitbucketSCMNavigator.java

@@ -221,7 +221,7 @@ public String getServerUrl() {
 
     @DataBoundSetter
     public void setServerUrl(@CheckForNull String serverUrl) {
-        serverUrl = BitbucketEndpointConfiguration.normalizeServerUrl(serverUrl);
+        serverUrl = BitbucketEndpointConfiguration.normalizeServerURL(serverUrl);
         if (serverUrl != null && !StringUtils.equals(this.serverUrl, serverUrl)) {
             this.serverUrl = serverUrl;
             resetId();

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/BitbucketSCMSource.java

@@ -287,7 +287,7 @@ public String getServerUrl() {
 
     @DataBoundSetter
     public void setServerUrl(@CheckForNull String serverUrl) {
-        String url = BitbucketEndpointConfiguration.normalizeServerUrl(serverUrl);
+        String url = BitbucketEndpointConfiguration.normalizeServerURL(serverUrl);
         if (url == null) {
             url = BitbucketEndpointConfiguration.get().getDefaultEndpoint().getServerUrl();
         }

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/endpoints/AbstractBitbucketEndpoint.java

@@ -106,7 +106,7 @@ static String normalizeJenkinsRootUrl(String rootUrl) {
         // This routine is not really BitbucketEndpointConfiguration
         // specific, it just works on strings with some defaults:
         return Util.ensureEndsWith(
-            BitbucketEndpointConfiguration.normalizeServerUrl(rootUrl),"/");
+            BitbucketEndpointConfiguration.normalizeServerURL(rootUrl),"/");
     }
 
     /**

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/endpoints/BitbucketEndpointConfiguration.java

@@ -97,7 +97,7 @@ public Permission getRequiredGlobalConfigPagePermission() {
     @Restricted(NoExternalUse.class) // only for plugin internal use.
     @NonNull
     public String readResolveServerUrl(@CheckForNull String bitbucketServerUrl) {
-        String serverUrl = normalizeServerUrl(bitbucketServerUrl);
+        String serverUrl = normalizeServerURL(bitbucketServerUrl);
         serverUrl = StringUtils.defaultIfBlank(serverUrl, BitbucketCloudEndpoint.SERVER_URL);
         AbstractBitbucketEndpoint endpoint = findEndpoint(serverUrl).orElse(null);
         if (endpoint == null && ACL.SYSTEM2.equals(Jenkins.getAuthentication2())) {
@@ -194,14 +194,14 @@ public synchronized void setEndpoints(@CheckForNull List<? extends AbstractBitbu
      * @return {@code true} if the list of endpoints was modified
      */
     public synchronized boolean addEndpoint(@NonNull AbstractBitbucketEndpoint endpoint) {
-        List<AbstractBitbucketEndpoint> endpoints = new ArrayList<>(getEndpoints());
-        for (AbstractBitbucketEndpoint ep : endpoints) {
+        List<AbstractBitbucketEndpoint> newEndpoints = new ArrayList<>(getEndpoints());
+        for (AbstractBitbucketEndpoint ep : newEndpoints) {
             if (ep.getServerUrl().equals(endpoint.getServerUrl())) {
                 return false;
             }
         }
-        endpoints.add(endpoint);
-        setEndpoints(endpoints);
+        newEndpoints.add(endpoint);
+        setEndpoints(newEndpoints);
         return true;
     }
 
@@ -211,20 +211,20 @@ public synchronized boolean addEndpoint(@NonNull AbstractBitbucketEndpoint endpo
      * @param endpoint the endpoint to update.
      */
     public synchronized void updateEndpoint(@NonNull AbstractBitbucketEndpoint endpoint) {
-        List<AbstractBitbucketEndpoint> endpoints = new ArrayList<>(getEndpoints());
+        List<AbstractBitbucketEndpoint> newEndpoints = new ArrayList<>(getEndpoints());
         boolean found = false;
-        for (int i = 0; i < endpoints.size(); i++) {
-            AbstractBitbucketEndpoint ep = endpoints.get(i);
+        for (int i = 0; i < newEndpoints.size(); i++) {
+            AbstractBitbucketEndpoint ep = newEndpoints.get(i);
             if (ep.getServerUrl().equals(endpoint.getServerUrl())) {
-                endpoints.set(i, endpoint);
+                newEndpoints.set(i, endpoint);
                 found = true;
                 break;
             }
         }
         if (!found) {
-            endpoints.add(endpoint);
+            newEndpoints.add(endpoint);
         }
-        setEndpoints(endpoints);
+        setEndpoints(newEndpoints);
     }
 
     /**
@@ -244,7 +244,7 @@ public boolean removeEndpoint(@NonNull AbstractBitbucketEndpoint endpoint) {
      * @return {@code true} if the list of endpoints was modified
      */
     public synchronized boolean removeEndpoint(@CheckForNull String serverURL) {
-        String fixedServerURL = normalizeServerUrl(serverURL);
+        String fixedServerURL = normalizeServerURL(serverURL);
         List<AbstractBitbucketEndpoint> newEndpoints = new ArrayList<>(getEndpoints());
         boolean modified = newEndpoints.removeIf(endpoint -> Objects.equals(fixedServerURL, endpoint.getServerUrl()));
         setEndpoints(newEndpoints);
@@ -258,7 +258,7 @@ public synchronized boolean removeEndpoint(@CheckForNull String serverURL) {
      * @return the global configuration for the specified server url or {@code null} if not defined.
      */
     public synchronized Optional<AbstractBitbucketEndpoint> findEndpoint(@CheckForNull String serverURL) {
-        serverURL = normalizeServerUrl(serverURL);
+        serverURL = normalizeServerURL(serverURL);
         for (AbstractBitbucketEndpoint endpoint : getEndpoints()) {
             if (Objects.equals(serverURL, endpoint.getServerUrl())) {
                 return Optional.of(endpoint);
@@ -293,7 +293,7 @@ public synchronized AbstractBitbucketEndpoint getDefaultEndpoint() {
      * @return the normalized server URL.
      */
     @CheckForNull
-    public static String normalizeServerUrl(@CheckForNull String serverURL) {
+    public static String normalizeServerURL(@CheckForNull String serverURL) {
         if (StringUtils.isBlank(serverURL)) {
             return null;
         }

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/endpoints/BitbucketServerEndpoint.java

@@ -111,7 +111,7 @@ public BitbucketServerEndpoint(@CheckForNull String displayName,
                                    @CheckForNull String credentialsId) {
         super(manageHooks, credentialsId);
         // use fixNull to silent nullability check
-        this.serverUrl = Util.fixNull(BitbucketEndpointConfiguration.normalizeServerUrl(serverUrl));
+        this.serverUrl = Util.fixNull(BitbucketEndpointConfiguration.normalizeServerURL(serverUrl));
         this.displayName = StringUtils.isBlank(displayName)
                 ? SCMName.fromUrl(this.serverUrl, COMMON_PREFIX_HOSTNAMES)
                 : displayName.trim();

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/hooks/BitbucketSCMSourcePushHookReceiver.java

@@ -23,10 +23,16 @@
  */
 package com.cloudbees.jenkins.plugins.bitbucket.hooks;
 
+import com.cloudbees.jenkins.plugins.bitbucket.endpoints.AbstractBitbucketEndpoint;
+import com.cloudbees.jenkins.plugins.bitbucket.endpoints.BitbucketCloudEndpoint;
+import com.cloudbees.jenkins.plugins.bitbucket.endpoints.BitbucketEndpointConfiguration;
+import com.cloudbees.jenkins.plugins.bitbucket.impl.util.BitbucketCredentials;
+import com.cloudbees.plugins.credentials.common.StandardCredentials;
 import hudson.Extension;
 import hudson.model.UnprotectedRootAction;
 import hudson.security.csrf.CrumbExclusion;
 import hudson.util.HttpResponses;
+import hudson.util.Secret;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
@@ -35,8 +41,13 @@
 import java.nio.charset.StandardCharsets;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import javax.crypto.Mac;
+import jenkins.model.Jenkins;
 import jenkins.scm.api.SCMEvent;
+import org.apache.commons.codec.digest.HmacUtils;
 import org.apache.commons.io.IOUtils;
+import org.apache.commons.lang.StringUtils;
+import org.jenkinsci.plugins.plaincredentials.StringCredentials;
 import org.kohsuke.stapler.HttpResponse;
 import org.kohsuke.stapler.StaplerRequest2;
 
@@ -78,6 +89,7 @@ public String getUrlName() {
     public HttpResponse doNotify(StaplerRequest2 req) throws IOException {
         String origin = SCMEvent.originOf(req);
         String body = IOUtils.toString(req.getInputStream(), StandardCharsets.UTF_8);
+
         String eventKey = req.getHeader("X-Event-Key");
         if (eventKey == null) {
             return HttpResponses.error(HttpServletResponse.SC_BAD_REQUEST, "X-Event-Key HTTP header not found");
@@ -89,20 +101,58 @@ public HttpResponse doNotify(StaplerRequest2 req) throws IOException {
         }
 
         String bitbucketKey = req.getHeader("X-Bitbucket-Type");
-        String serverUrl = req.getParameter("server_url");
+        String serverURL = req.getParameter("server_url");
+
         BitbucketType instanceType = null;
         if (bitbucketKey != null) {
             instanceType = BitbucketType.fromString(bitbucketKey);
         }
-        if (instanceType == null && serverUrl != null) {
+        if (instanceType == null && serverURL != null) {
             LOGGER.log(Level.FINE, "server_url request parameter found. Bitbucket Native Server webhook incoming.");
             instanceType = BitbucketType.SERVER;
         } else {
             LOGGER.log(Level.FINE, "X-Bitbucket-Type header / server_url request parameter not found. Bitbucket Cloud webhook incoming.");
+            instanceType = BitbucketType.CLOUD;
+            serverURL = BitbucketCloudEndpoint.SERVER_URL;
+        }
+
+        String signatureHeader = req.getParameter("X-Hub-Signature");
+        if (signatureHeader != null) {
+            // TODO lookup the serverURL hostname from the http request instead trust in the payload, consider also proxy headers
+            AbstractBitbucketEndpoint endpoint = BitbucketEndpointConfiguration.get()
+                    .findEndpoint(serverURL)
+                    .orElse(null);
+            if (endpoint == null) {
+                LOGGER.log(Level.INFO, "No bitbucket endpoint found for {} to verify the signature of incoming webhook.", serverURL);
+            } else if (endpoint.isManageHooks()) {
+                String hmacCredentialsId = endpoint.getHMACCredentialsId();
+
+                String algorithm = StringUtils.substringBefore(signatureHeader, "=");
+                String signature = StringUtils.substringAfter(signatureHeader, "=");
+                String key;
+                StringCredentials hmacCredentials = BitbucketCredentials.lookupCredentials(serverURL, Jenkins.get(), hmacCredentialsId, StringCredentials.class);
+                if (hmacCredentials != null) {
+                    key = Secret.toString(hmacCredentials.getSecret());
+                    HmacUtils util;
+                    try {
+                        util = new HmacUtils(algorithm, key.getBytes());
+                    } catch (IllegalArgumentException e) {
+                        return HttpResponses.error(HttpServletResponse.SC_BAD_REQUEST, "Signature method not supported: " + signature);
+                    }
+                    String mac = util.hmacHex(body);
+                    if (!mac.equals(signature)) {
+                        return HttpResponses.error(HttpServletResponse.SC_FORBIDDEN, "Signature does not match");
+                    }
+                } else {
+                    LOGGER.log(Level.WARNING, "No credentials {} found to verify the signature of incoming webhook.", hmacCredentialsId);
+                }
+            } else {
+                LOGGER.log(Level.FINE, "Signature of incoming webhook not configurted for endpoint {}.", serverURL);
+            }
         }
 
         HookProcessor hookProcessor = getHookProcessor(type);
-        hookProcessor.process(type, body, instanceType, origin, serverUrl);
+        hookProcessor.process(type, body, instanceType, origin, serverURL);
         return HttpResponses.ok();
     }
 

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/hooks/HookProcessor.java

@@ -67,9 +67,9 @@ public abstract class HookProcessor {
      * @param payload the hook payload
      * @param instanceType the Bitbucket type that called the hook
      * @param origin the origin of the event.
-     * @param serverUrl special value for native Bitbucket Server hooks which don't expose the server URL in the payload.
+     * @param serverURL special value for native Bitbucket Server hooks which don't expose the server URL in the payload.
      */
-    public void process(HookEventType type, String payload, BitbucketType instanceType, String origin, String serverUrl) {
+    public void process(HookEventType type, String payload, BitbucketType instanceType, String origin, String serverURL) {
         process(type, payload, instanceType, origin);
     }