
feat(repo): Add bearer authentication method for supporting various git hosting platforms

Open bunseokbot opened this issue 1 year ago • 4 comments

Description

This PR adds support for the bearer authentication method while pulling a git repository.

Related issues

  • Close #6833

Checklist

  • [x] I've read the guidelines for contributing to this repository.
  • [x] I've followed the conventions in the PR title.
  • [x] I've added tests that prove my fix is effective or that my feature works.
  • [x] I've updated the documentation with the relevant information (if needed).
  • [x] I've added usage information (if the PR introduces new options)
  • [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).

bunseokbot avatar Sep 22 '24 15:09 bunseokbot

In https://github.com/aquasecurity/trivy/issues/6833, it looks like the user wants to add support for Bitbucket. What if just adding BITBUCKET_TOKEN?

// Define a slice of token sources
tokenSources := []struct {
	envVar string
	name   string
}{
	{"GITHUB_TOKEN", "GitHub"},
	{"GITLAB_TOKEN", "GitLab"},
	{"BITBUCKET_TOKEN", "Bitbucket"},
}

// Iterate through token sources; the first variable that is set wins
for _, source := range tokenSources {
	token := os.Getenv(source.envVar)
	if token != "" {
		// auth is the transport.AuthMethod handed to the clone options
		auth = &http.BasicAuth{
			Username: gitUsername,
			Password: token,
		}
		// structured logging: log.Printf does not take slog attributes
		log.Info("Found token for authentication", log.String("source", source.name))
		return auth
	}
}

knqyf263 avatar Sep 23 '24 05:09 knqyf263

> In #6833, it looks like the user wants to add support for Bitbucket. What if just adding BITBUCKET_TOKEN?
>
> // Define a slice of token sources
> tokenSources := []struct {
> 	envVar string
> 	name   string
> }{
> 	{"GITHUB_TOKEN", "GitHub"},
> 	{"GITLAB_TOKEN", "GitLab"},
> 	{"BITBUCKET_TOKEN", "Bitbucket"},
> }
>
> // Iterate through token sources; the first variable that is set wins
> for _, source := range tokenSources {
> 	token := os.Getenv(source.envVar)
> 	if token != "" {
> 		// auth is the transport.AuthMethod handed to the clone options
> 		auth = &http.BasicAuth{
> 			Username: gitUsername,
> 			Password: token,
> 		}
> 		// structured logging: log.Printf does not take slog attributes
> 		log.Info("Found token for authentication", log.String("source", source.name))
> 		return auth
> 	}
> }

When I initially submitted the PR, I focused only on bearer authentication for Bitbucket, which is why I implemented it that way.

According to the official document, adding only BITBUCKET_TOKEN works fine.

Additionally, it seems we cannot use a fixed git username when the user uses an AWS CodeCommit repository. Should I create a separate discussion to address this, or add a commit to this PR for review?

bunseokbot avatar Sep 23 '24 12:09 bunseokbot

> According to the official document, adding only BITBUCKET_TOKEN works fine.

Thanks for sharing the doc. Doesn't Bitbucket accept basic authentication with a bearer token? Did you see if the current implementation worked with Bitbucket?

For project or repository tokens, you must only use Bearer Auth without the username:

knqyf263 avatar Sep 25 '24 05:09 knqyf263

I think I might have missed some parts of the test. After reproducing the environment again, I confirmed that specifying the username is necessary. I'm not sure if my approach is 100% correct, but I made a change to allow specifying the username via GIT_USERNAME.

I planned to split the implementation into tokenauth and basicauth as before. However, some services like AWS CodeCommit do not provide bearer authentication at all.

bunseokbot avatar Sep 25 '24 12:09 bunseokbot

I would also love to have support for bitbucket repositories. Is there any update regarding it?

teixeira-fernando avatar Nov 14 '24 12:11 teixeira-fernando

@knqyf263 Is there any additional feedback or thoughts on this PR?

bunseokbot avatar Nov 15 '24 06:11 bunseokbot

Hello @bunseokbot @teixeira-fernando

Hi, we have been busy with other more important issues lately. Please be patient; we will try to get back to all PRs as soon as possible.

DmitriyLewen avatar Nov 15 '24 06:11 DmitriyLewen

It looks like the repository access token can be used with the fixed user name x-token-auth. https://support.atlassian.com/bitbucket-cloud/docs/using-access-tokens/

knqyf263 avatar Nov 18 '24 10:11 knqyf263

It seems that using x-token-auth for the username is only valid in the Bitbucket Cloud version. (https://confluence.atlassian.com/bitbucketserver/clone-a-repository-790632786.html)

In the Bitbucket Data Center version, only a username is specified, so I configured it to retrieve the username value from the GIT_USERNAME environment variable.

In the same way, if the user is using the Bitbucket Cloud version, it seems possible to resolve this by setting 'x-token-auth' in the GIT_USERNAME environment variable.

bunseokbot avatar Nov 18 '24 14:11 bunseokbot

Then, it's better to add a new CLI flag rather than the env.

knqyf263 avatar Nov 18 '24 14:11 knqyf263

This PR is stale because it has been labeled with inactivity.

github-actions[bot] avatar Jan 21 '25 00:01 github-actions[bot]

Sorry to bother again, but please don't let this improvement die 😢

teixeira-fernando avatar Feb 10 '25 09:02 teixeira-fernando