commit

Author: vinokurig

infrastructures/infrastructure-factory/pom.xml

@@ -51,10 +51,6 @@
             <groupId>jakarta.ws.rs</groupId>
             <artifactId>jakarta.ws.rs-api</artifactId>
         </dependency>
-        <dependency>
-            <groupId>org.eclipse.che.core</groupId>
-            <artifactId>che-core-api-auth</artifactId>
-        </dependency>
         <dependency>
             <groupId>org.eclipse.che.core</groupId>
             <artifactId>che-core-api-core</artifactId>

infrastructures/infrastructure-factory/src/main/java/org/eclipse/che/api/factory/server/scm/kubernetes/KubernetesGitCredentialManager.java

@@ -14,7 +14,6 @@
 import static com.google.common.base.Strings.isNullOrEmpty;
 import static java.lang.String.format;
 import static java.nio.charset.StandardCharsets.UTF_8;
-import static org.eclipse.che.api.factory.server.scm.PersonalAccessTokenFetcher.OAUTH_2_SUFFIX;
 import static org.eclipse.che.workspace.infrastructure.kubernetes.provision.secret.KubernetesSecretAnnotationNames.ANNOTATION_AUTOMOUNT;
 import static org.eclipse.che.workspace.infrastructure.kubernetes.provision.secret.KubernetesSecretAnnotationNames.ANNOTATION_DEV_WORKSPACE_MOUNT_PATH;
 import static org.eclipse.che.workspace.infrastructure.kubernetes.provision.secret.KubernetesSecretAnnotationNames.ANNOTATION_GIT_CREDENTIALS;
@@ -176,7 +175,7 @@ public void createOrReplace(PersonalAccessToken personalAccessToken)
   private String getUsernameSegment(PersonalAccessToken personalAccessToken) {
     // Special characters are not allowed in URL username segment, so we need to escape them.
     PercentEscaper percentEscaper = new PercentEscaper("", false);
-    return personalAccessToken.getScmProviderName().startsWith(OAUTH_2_SUFFIX)
+    return personalAccessToken.isOAuthToken()
         ? "oauth2"
         : isNullOrEmpty(personalAccessToken.getScmOrganization())
             ? percentEscaper.escape(personalAccessToken.getScmUserName())

infrastructures/infrastructure-factory/src/main/java/org/eclipse/che/api/factory/server/scm/kubernetes/KubernetesPersonalAccessTokenManager.java

@@ -12,6 +12,7 @@
 package org.eclipse.che.api.factory.server.scm.kubernetes;
 
 import static com.google.common.base.Strings.isNullOrEmpty;
+import static java.lang.Boolean.parseBoolean;
 import static org.eclipse.che.commons.lang.StringUtils.trimEnd;
 
 import com.google.common.annotations.VisibleForTesting;
@@ -62,6 +63,7 @@ public class KubernetesPersonalAccessTokenManager implements PersonalAccessToken
   public static final String NAME_PATTERN = "personal-access-token-";
 
   public static final String ANNOTATION_CHE_USERID = "che.eclipse.org/che-userid";
+  public static final String ANNOTATION_SCM_IS_OAUTH_TOKEN = "che.eclipse.org/scm-is-oauth-token";
   public static final String ANNOTATION_SCM_ORGANIZATION = "che.eclipse.org/scm-organization";
   public static final String ANNOTATION_SCM_PERSONAL_ACCESS_TOKEN_ID =
       "che.eclipse.org/scm-personal-access-token-id";
@@ -96,6 +98,9 @@ void save(PersonalAccessToken personalAccessToken)
               .withName(NameGenerator.generate(NAME_PATTERN, 5))
               .withAnnotations(
                   new ImmutableMap.Builder<String, String>()
+                      .put(
+                          ANNOTATION_SCM_IS_OAUTH_TOKEN,
+                          Boolean.toString(personalAccessToken.isOAuthToken()))
                       .put(ANNOTATION_CHE_USERID, personalAccessToken.getCheUserId())
                       .put(ANNOTATION_SCM_URL, personalAccessToken.getScmProviderUrl())
                       .put(
@@ -194,6 +199,7 @@ private Optional<PersonalAccessToken> doGetPersonalAccessToken(
 
               PersonalAccessToken personalAccessToken =
                   new PersonalAccessToken(
+                      parseBoolean(secretAnnotations.get(ANNOTATION_SCM_IS_OAUTH_TOKEN)),
                       personalAccessTokenParams.getScmProviderUrl(),
                       secretAnnotations.get(ANNOTATION_CHE_USERID),
                       personalAccessTokenParams.getOrganization(),
@@ -278,13 +284,15 @@ private boolean deleteSecretIfMisconfigured(Secret secret) throws Infrastructure
   private PersonalAccessTokenParams secret2PersonalAccessTokenParams(Secret secret) {
     Map<String, String> secretAnnotations = secret.getMetadata().getAnnotations();
 
+    boolean isOauth = parseBoolean(secretAnnotations.get(ANNOTATION_SCM_IS_OAUTH_TOKEN));
     String token = new String(Base64.getDecoder().decode(secret.getData().get("token"))).trim();
     String configuredOAuthProviderName = secretAnnotations.get(ANNOTATION_SCM_PROVIDER_NAME);
     String configuredTokenId = secretAnnotations.get(ANNOTATION_SCM_PERSONAL_ACCESS_TOKEN_ID);
     String configuredScmOrganization = secretAnnotations.get(ANNOTATION_SCM_ORGANIZATION);
     String configuredScmServerUrl = secretAnnotations.get(ANNOTATION_SCM_URL);
 
     return new PersonalAccessTokenParams(
+        isOauth,
         trimEnd(configuredScmServerUrl, '/'),
         configuredOAuthProviderName,
         configuredTokenId,

infrastructures/infrastructure-factory/src/test/java/org/eclipse/che/api/factory/server/scm/kubernetes/KubernetesGitCredentialManagerTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2023 Red Hat, Inc.
+ * Copyright (c) 2012-2024 Red Hat, Inc.
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
  * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -92,8 +92,14 @@ public void testCreateAndSaveNewPATGitCredential() throws Exception {
 
     PersonalAccessToken token =
         new PersonalAccessToken(
-            "https://bitbucket.com", "cheUser", "username", "token-name", "tid-23434", "token123");
-
+            false,
+            "https://bitbucket.com",
+            "cheUser",
+            "cheOrganization",
+            "username",
+            "bitbucket",
+            "tid-23434",
+            "token123");
     // when
     kubernetesGitCredentialManager.createOrReplace(token);
     // then
@@ -113,6 +119,7 @@ public void shouldUseHardcodedUsernameIfScmOrganizationIsDefined() throws Except
     KubernetesNamespaceMeta namespaceMeta = new KubernetesNamespaceMetaImpl("test");
     PersonalAccessToken token =
         new PersonalAccessToken(
+            false,
             "https://bitbucket-server.com:5648",
             "cheUser",
             "cheOrganization",
@@ -198,10 +205,12 @@ public void testUpdateTokenInExistingCredential() throws Exception {
     KubernetesNamespaceMeta namespaceMeta = new KubernetesNamespaceMetaImpl("test");
     PersonalAccessToken token =
         new PersonalAccessToken(
+            false,
             "https://bitbucket.com:5648",
             "cheUser",
+            "cheOrganization",
             "username",
-            "token-name",
+            "bitbucket",
             "tid-23434",
             "token123");
 

infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/namespace/configurator/OAuthTokenSecretsConfigurator.java

@@ -11,11 +11,12 @@
  */
 package org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator;
 
+import static java.lang.Boolean.parseBoolean;
+
 import com.google.common.collect.ImmutableMap;
 import java.util.Map;
 import javax.inject.Inject;
 import javax.inject.Singleton;
-import org.eclipse.che.api.factory.server.scm.PersonalAccessTokenFetcher;
 import org.eclipse.che.api.factory.server.scm.PersonalAccessTokenManager;
 import org.eclipse.che.api.factory.server.scm.exception.ScmCommunicationException;
 import org.eclipse.che.api.factory.server.scm.exception.ScmConfigurationPersistenceException;
@@ -40,6 +41,7 @@ public class OAuthTokenSecretsConfigurator implements NamespaceConfigurator {
   private static final String ANNOTATION_SCM_URL = "che.eclipse.org/scm-url";
   private static final String ANNOTATION_SCM_PERSONAL_ACCESS_TOKEN_NAME =
       "che.eclipse.org/scm-personal-access-token-name";
+  public static final String ANNOTATION_SCM_IS_OAUTH_TOKEN = "che.eclipse.org/scm-is-oauth-token";
 
   private static final Map<String, String> SEARCH_LABELS =
       ImmutableMap.of(
@@ -66,10 +68,8 @@ public void configure(NamespaceResolutionContext namespaceResolutionContext, Str
                     && s.getMetadata()
                         .getAnnotations()
                         .containsKey(ANNOTATION_SCM_PERSONAL_ACCESS_TOKEN_NAME)
-                    && s.getMetadata()
-                        .getAnnotations()
-                        .get(ANNOTATION_SCM_PERSONAL_ACCESS_TOKEN_NAME)
-                        .startsWith(PersonalAccessTokenFetcher.OAUTH_2_SUFFIX))
+                    && parseBoolean(
+                        s.getMetadata().getAnnotations().get(ANNOTATION_SCM_IS_OAUTH_TOKEN)))
         .forEach(
             s -> {
               try {

wsmaster/che-core-api-auth/src/main/java/org/eclipse/che/security/oauth/EmbeddedOAuthAPI.java

@@ -184,35 +184,31 @@ public OAuthToken getToken(String oauthProvider)
       if (token != null) {
         return token;
       }
-      Optional<PersonalAccessToken> tokenOptional =
-          personalAccessTokenManager.get(subject, oauthProvider, null);
-      if (tokenOptional.isPresent()) {
-        PersonalAccessToken tokenDto = tokenOptional.get();
-        return newDto(OAuthToken.class).withToken(tokenDto.getToken());
-      }
       throw new UnauthorizedException(
           "OAuth token for user " + subject.getUserId() + " was not found");
     } catch (IOException e) {
       throw new ServerException(e.getLocalizedMessage(), e);
-    } catch (ScmCommunicationException
-        | ScmUnauthorizedException
-        | ScmConfigurationPersistenceException e) {
-      throw new RuntimeException(e);
     }
   }
 
   @Override
   public void invalidateToken(String oauthProvider)
-      throws NotFoundException, UnauthorizedException, ServerException {
+      throws NotFoundException, UnauthorizedException {
     OAuthAuthenticator oauth = getAuthenticator(oauthProvider);
-    OAuthToken oauthToken = getToken(oauthProvider);
     try {
-      if (!oauth.invalidateToken(oauthToken.getToken())) {
+      Optional<PersonalAccessToken> tokenOptional =
+          personalAccessTokenManager.get(
+              EnvironmentContext.getCurrent().getSubject(), oauthProvider, null);
+      if (tokenOptional.isPresent() && !oauth.invalidateToken(tokenOptional.get().getToken())) {
         throw new UnauthorizedException(
             "OAuth token for provider " + oauthProvider + " was not found");
       }
-    } catch (IOException e) {
-      throw new ServerException(e.getMessage());
+    } catch (ScmConfigurationPersistenceException
+        | ScmUnauthorizedException
+        | ScmCommunicationException
+        | IOException e) {
+      throw new UnauthorizedException(
+          "OAuth token for provider " + oauthProvider + " was not found");
     }
   }
 

wsmaster/che-core-api-factory-azure-devops/src/main/java/org/eclipse/che/api/factory/server/azure/devops/AzureDevOpsPersonalAccessTokenFetcher.java

@@ -82,12 +82,11 @@ public PersonalAccessToken fetchPersonalAccessToken(Subject cheSubject, String s
 
     try {
       oAuthToken = oAuthAPI.getToken(AzureDevOps.PROVIDER_NAME);
-      String tokenName = NameGenerator.generate(OAUTH_2_SUFFIX, 5);
       String tokenId = NameGenerator.generate("id-", 5);
       Optional<Pair<Boolean, String>> valid =
           isValid(
               new PersonalAccessTokenParams(
-                  scmServerUrl, tokenName, tokenId, oAuthToken.getToken(), null));
+                  true, scmServerUrl, "azure-devops", tokenId, oAuthToken.getToken(), null));
       if (valid.isEmpty()) {
         throw buildScmUnauthorizedException(cheSubject);
       } else if (!valid.get().first) {
@@ -99,7 +98,7 @@ public PersonalAccessToken fetchPersonalAccessToken(Subject cheSubject, String s
           scmServerUrl,
           cheSubject.getUserId(),
           valid.get().second,
-          tokenName,
+          "azure-devops",
           tokenId,
           oAuthToken.getToken());
     } catch (UnauthorizedException e) {
@@ -132,8 +131,7 @@ public Optional<Boolean> isValid(PersonalAccessToken personalAccessToken) {
 
     try {
       AzureDevOpsUser user;
-      if (personalAccessToken.getScmProviderName() != null
-          && personalAccessToken.getScmProviderName().startsWith(OAUTH_2_SUFFIX)) {
+      if (personalAccessToken.getScmProviderName() != null && personalAccessToken.isOAuthToken()) {
         user = azureDevOpsApiClient.getUserWithOAuthToken(personalAccessToken.getToken());
       } else {
         user =
@@ -155,8 +153,7 @@ public Optional<Pair<Boolean, String>> isValid(PersonalAccessTokenParams params)
 
     try {
       AzureDevOpsUser user;
-      if (params.getScmProviderName() != null
-          && params.getScmProviderName().startsWith(OAUTH_2_SUFFIX)) {
+      if (params.isOAuthToken()) {
         user = azureDevOpsApiClient.getUserWithOAuthToken(params.getToken());
       } else {
         user = azureDevOpsApiClient.getUserWithPAT(params.getToken(), params.getOrganization());

wsmaster/che-core-api-factory-bitbucket-server/src/main/java/org/eclipse/che/api/factory/server/bitbucket/BitbucketServerPersonalAccessTokenFetcher.java

@@ -95,11 +95,12 @@ public PersonalAccessToken fetchPersonalAccessToken(Subject cheUser, String scmS
           bitbucketServerApiClient.createPersonalAccessTokens(tokenName, DEFAULT_TOKEN_SCOPE);
       LOG.debug("Token created = {} for {}", token.getId(), token.getUser());
       return new PersonalAccessToken(
+          true,
           scmServerUrl,
           EnvironmentContext.getCurrent().getSubject().getUserId(),
           user.getName(),
           user.getSlug(),
-          token.getName(),
+          "bitbucket-server",
           valueOf(token.getId()),
           token.getToken());
     } catch (ScmBadRequestException | ScmItemNotFoundException e) {

wsmaster/che-core-api-factory-bitbucket/src/main/java/org/eclipse/che/api/factory/server/bitbucket/BitbucketPersonalAccessTokenFetcher.java

@@ -97,7 +97,7 @@ public PersonalAccessToken fetchPersonalAccessToken(Subject cheSubject, String s
       Optional<Pair<Boolean, String>> valid =
           isValid(
               new PersonalAccessTokenParams(
-                  scmServerUrl, tokenName, tokenId, oAuthToken.getToken(), null));
+                  true, scmServerUrl, tokenName, tokenId, oAuthToken.getToken(), null));
       if (valid.isEmpty()) {
         throw buildScmUnauthorizedException(cheSubject);
       } else if (!valid.get().first) {

wsmaster/che-core-api-factory-bitbucket/src/test/java/org/eclipse/che/api/factory/server/bitbucket/BitbucketPersonalAccessTokenFetcherTest.java

@@ -18,7 +18,6 @@
 import static com.github.tomakehurst.wiremock.client.WireMock.urlEqualTo;
 import static com.github.tomakehurst.wiremock.core.WireMockConfiguration.wireMockConfig;
 import static java.net.HttpURLConnection.HTTP_FORBIDDEN;
-import static org.eclipse.che.api.factory.server.scm.PersonalAccessTokenFetcher.OAUTH_2_SUFFIX;
 import static org.eclipse.che.dto.server.DtoFactory.newDto;
 import static org.mockito.ArgumentMatchers.anyString;
 import static org.mockito.Mockito.when;
@@ -87,7 +86,12 @@ public void shouldNotValidateSCMServerWithTrailingSlash() throws Exception {
                     .withBodyFile("bitbucket/rest/user/response.json")));
     PersonalAccessTokenParams personalAccessTokenParams =
         new PersonalAccessTokenParams(
-            "https://bitbucket.org/", "scmTokenName", "scmTokenId", bitbucketOauthToken, null);
+            true,
+            "https://bitbucket.org/",
+            "scmTokenName",
+            "scmTokenId",
+            bitbucketOauthToken,
+            null);
     assertTrue(
         bitbucketPersonalAccessTokenFetcher.isValid(personalAccessTokenParams).isEmpty(),
         "Should not validate SCM server with trailing /");
@@ -165,7 +169,7 @@ public void shouldValidatePersonalToken() throws Exception {
 
     PersonalAccessTokenParams params =
         new PersonalAccessTokenParams(
-            "https://bitbucket.org", "params-name", "tid-23434", bitbucketOauthToken, null);
+            false, "https://bitbucket.org", "params-name", "tid-23434", bitbucketOauthToken, null);
 
     Optional<Pair<Boolean, String>> valid = bitbucketPersonalAccessTokenFetcher.isValid(params);
     assertTrue(valid.isPresent());
@@ -187,11 +191,7 @@ public void shouldValidateOauthToken() throws Exception {
 
     PersonalAccessTokenParams params =
         new PersonalAccessTokenParams(
-            "https://bitbucket.org",
-            OAUTH_2_SUFFIX + "-params-name",
-            "tid-23434",
-            bitbucketOauthToken,
-            null);
+            true, "https://bitbucket.org", "azure-devops", "tid-23434", bitbucketOauthToken, null);
 
     Optional<Pair<Boolean, String>> valid = bitbucketPersonalAccessTokenFetcher.isValid(params);
     assertTrue(valid.isPresent());
@@ -204,11 +204,7 @@ public void shouldNotValidateExpiredOauthToken() throws Exception {
 
     PersonalAccessTokenParams params =
         new PersonalAccessTokenParams(
-            "https://bitbucket.org",
-            OAUTH_2_SUFFIX + "-token-name",
-            "tid-23434",
-            bitbucketOauthToken,
-            null);
+            true, "https://bitbucket.org", "azure-devops", "tid-23434", bitbucketOauthToken, null);
 
     assertFalse(bitbucketPersonalAccessTokenFetcher.isValid(params).isPresent());
   }

wsmaster/che-core-api-factory-github-common/src/main/java/org/eclipse/che/api/factory/server/github/AbstractGithubPersonalAccessTokenFetcher.java

@@ -139,7 +139,7 @@ public PersonalAccessToken fetchPersonalAccessToken(Subject cheSubject, String s
       Optional<Pair<Boolean, String>> valid =
           isValid(
               new PersonalAccessTokenParams(
-                  scmServerUrl, providerName, tokenId, oAuthToken.getToken(), null));
+                  true, scmServerUrl, providerName, tokenId, oAuthToken.getToken(), null));
       if (valid.isEmpty()) {
         throw buildScmUnauthorizedException(cheSubject);
       } else if (!valid.get().first) {
@@ -184,8 +184,7 @@ public Optional<Boolean> isValid(PersonalAccessToken personalAccessToken) {
     }
 
     try {
-      if (personalAccessToken.getScmProviderName() != null
-          && personalAccessToken.getScmProviderName().startsWith(OAUTH_2_SUFFIX)) {
+      if (personalAccessToken.isOAuthToken()) {
         String[] scopes = githubApiClient.getTokenScopes(personalAccessToken.getToken()).second;
         return Optional.of(containsScopes(scopes, DEFAULT_TOKEN_SCOPES));
       } else {
@@ -217,8 +216,7 @@ public Optional<Pair<Boolean, String>> isValid(PersonalAccessTokenParams params)
       }
     }
     try {
-      if (params.getScmProviderName() != null
-          && params.getScmProviderName().startsWith(OAUTH_2_SUFFIX)) {
+      if (params.getScmProviderName() != null && params.isOAuthToken()) {
         Pair<String, String[]> pair = apiClient.getTokenScopes(params.getToken());
         return Optional.of(
             Pair.of(