Rework the Bitbucket Server getUser request

[vinokurig]

What does this PR do?

Since Bitbucket Server version 8.19.14, the /plugins/servlet/applinks/whoami request does not return username, if PAT is used. Change the getUser() request to /rest/api/1.0/application-properties instead and extract the username from the response headers.
Example of an authorized response:

< HTTP/1.1 200 
< x-arequestid: @1VT0CNLx453x5668x0
< set-cookie: BITBUCKETSESSIONID=***; Max-Age=1209600; Expires=Mon, 14-Apr-2025 07:33:06 GMT; Path=/; Secure; HttpOnly
< x-auserid: 2
< x-ausername: admin
< x-asessionid: zylcf7
< cache-control: private, no-cache
< pragma: no-cache
< cache-control: no-cache, no-transform
< vary: x-ausername,x-auserid,cookie,accept-encoding
< x-content-type-options: nosniff
< content-type: application/json;charset=UTF-8
< transfer-encoding: chunked
< date: Mon, 31 Mar 2025 07:33:06 GMT
< set-cookie: ***; path=/; HttpOnly; Secure; SameSite=None
< 
* Connection #0 to host bitbucket-bitbucket.apps.ds-airgap-v15.crw-qe.com left intact
{"version":"8.7.0","buildNumber":"8007000","buildDate":"1672975062662","displayName":"Bitbucket"}

Example of unauthorized response:

* Request completely sent off
< HTTP/1.1 200 
< x-arequestid: @1VT0CNLx454x5669x0
< cache-control: no-cache, no-transform
< vary: x-ausername,x-auserid,cookie,accept-encoding
< x-content-type-options: nosniff
< content-type: application/json;charset=UTF-8
< transfer-encoding: chunked
< date: Mon, 31 Mar 2025 07:34:29 GMT
< set-cookie: ***; path=/; HttpOnly; Secure; SameSite=None
< 
* Connection #0 to host bitbucket-bitbucket.apps.ds-airgap-v15.crw-qe.com left intact
{"version":"8.7.0","buildNumber":"8007000","buildDate":"1672975062662","displayName":"Bitbucket"}

Screenshot/screencast of this PR

What issues does this PR fix or reference?

https://issues.redhat.com/browse/CRW-8246

How to test this PR?

1. Deploy Che with the pull request image: quay.io/eclipse/che-server:pr-790
2. In the Bitbucket Server version 8.19.14 or higher, create an HTTP access token in the user account page.
3. Go to Che Dashboard -> User Preferences -> Personal Access Tokens -> Add Personal Access Token
4. Choose Bitbucket Server as provider, fill in the provider endpoint and the token values.

See: token is added successfully.

PR Checklist

As the author of this Pull Request I made sure that:

• The Eclipse Contributor Agreement is valid
• Code produced is complete
• Code builds without errors
• Tests are covering the bugfix
• The repository devfile is up to date and works
• Sections What issues does this PR fix or reference and How to test this PR completed
• Relevant user documentation updated
• Relevant contributing documentation updated
• CI/CD changes implemented, documented and communicated

Release Notes

Reviewers

Reviewers, please comment how you tested the PR when approving it.

[tolusha]

I believe we need a switcher to return to the previous behaviour in case of emergency

[ibuziuk]

are we sure that the header is going to be there ?

Retrieve version information and other application properties. No authentication is required to call this resource.

[vinokurig]

I could not find any direct documentation about it, but the only more or less official source I could find, is a discussion in the Atlassian community forum: https://community.developer.atlassian.com/t/obtain-authorised-users-username-from-api/24422.

[vinokurig]

So yes, there is no official documentation about the X-AUSERNAME header except the forum discussion, but on the other hand there is no other way to get the username of the authenticated user.

[vinokurig]

@tolusha

I believe we need a switcher to return to the previous behaviour in case of emergency

Could you please elaborate more on what kind of switcher do you mean? Do you mean to keep the previous request for the older versions?

[artaleks9]

/retest

[openshift-ci]

@vinokurig: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/v14-gitlab-with-oauth-setup-flow	eb72201	link	true	/test v14-gitlab-with-oauth-setup-flow

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[tolusha]

I would like to keep the old behaviour and have a env variable to switch to the old behaviour.

[vinokurig]

@tolusha

I would like to keep the old behaviour and have a env variable to switch to the old behaviour.

I don't think that it is a good idea because in that case customers with the new Bitbucket Server version will still have problems. Sooner or later we would need to switch to the new behaviour anyway. @ibuziuk WDYT?

[ibuziuk]

@vinokurig if we switch to the new behaviour we must be sure that the new flow works with both old and new versions of the BitBucket server

[ibuziuk]

@vinokurig can't we use https://developer.atlassian.com/server/bitbucket/rest/v906/api-group-system-maintenance/#api-api-latest-users-userslug-get ?

[vinokurig]

This method requires username. We do use this method when we have the username retrieved by the application-properties request.

[vinokurig]

@ibuziuk

if we switch to the new behaviour we must be sure that the new flow works with both old and new versions of the BitBucket server

I have tested the functionality with Bitbucket Server 8.0.0, 8.7.0 - versions before the issue was introduced and 8.14.0, 8.15.0 - the latest 8-th versions with the issue. However we can not be 100% sure that this will work for every single Bitbucket version.

[artaleks9]

Verified on Eclipse Che with quay.io/eclipse/che-server:pr-790:

• add PAT using Bitbucket server v8.19.14 - works properly
• add add PAT using Bitbucket server v8.7.1 - works properly
• gitlab-oauth-flow - works properly (it seems a locator was changed, need to fix the test)

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: artaleks9, ibuziuk, vinokurig

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[devspacesbuild]

Build 3.21 :: server_3.x/399: Console, Changes, Git Data

[devspacesbuild]

Build 3.21 :: sync-to-downstream_3.x/9076: Console, Changes, Git Data

[devspacesbuild]

Build 3.21 :: get-sources-rhpkg-container-build_3.x/9198: Console, Changes, Git Data

[devspacesbuild]

Build 3.21 :: push-latest-container-to-quay_3.x/5133: Console, Changes, Git Data

[devspacesbuild]

Build 3.21 :: get-sources-rhpkg-container-build_3.x/9198:

server : 3.x :: Build 67197091 : quay.io/devspaces/server-rhel9:3.21-5
SUCCESS; copied to quay; /DS_CI/push-latest-container-to-quay_3.x/5133 triggered

[devspacesbuild]

Build 3.21 :: update-digests_3.x/8920: Console, Changes, Git Data

[devspacesbuild]

Build 3.21 :: server_3.x/399:

Upstream sync done; /DS_CI/sync-to-downstream_3.x/9076 triggered

[devspacesbuild]

Build 3.21 :: operator-bundle_3.x/4694: Console, Changes, Git Data

[devspacesbuild]

Build 3.21 :: sync-to-downstream_3.x/9077: Console, Changes, Git Data

[devspacesbuild]

Build 3.21 :: get-sources-rhpkg-container-build_3.x/9199: Console, Changes, Git Data

[devspacesbuild]

Build 3.21 :: get-sources-rhpkg-container-build_3.x/9199:

devspaces-operator-bundle : 3.x :: Failed in 67197485 : BREW:BUILD/STATUS:UNKNOWN
FAILURE:; copied to quay