I am using Bitbucket Server. I am trying to develop a peer review script that will push in-work feature branches to a personal server branch, open a pull request, and add some default reviewers. I am using curl to post my commands to the Bitbucket REST API. I can authorize using my username and password.
I am trying to improve the security of this process by using something better than username/password entered into my script. Is there any way to use OAuth, or some other public/private key pair authentication to validate a user through the REST API?
My script is currently written in BASH, and I am trying to keep it lightweight and portable. I cannot guarantee all our developers have powershell/Python installed.
I would expect my users to be authenticated through their web-browsers, but that does not seem to matter to curl.
You might want to take a look at our example scripts that use Kerberos authentication instead of hardcoded username and password: https://www.cleito.com/products/iwaac/documentation/integrated-windows-authentication-for-non-browser-clients/
If you don't feel like using PowerShell, Python or Groovy, you can easily adapt those scripts for simple curl commands as curl supports SPNEGO/Kerberos authentication since version 7.38.0.
Hope this helps!
If you want to use Kerberos authentication, yes you will need a plugin.
If you want to stick with OAuth, you should take a look at this nice blog post by Mibex Software: https://medium.com/mibexsoftware/how-to-use-oauth-with-atlassian-products-c0f357ae91eb
Thanks Bruno. In order to set up OAuth, it looks like I will need to create a proxy service that runs parallel to bitbucket to link between a user's Bash calls and bitbucket, then link that application to bitbucket through the UI mentioned above. Instead of trying to make the REST calls directly from my Bash script, I will need to send a command to the proxy service. The proxy service will then authenticate with Bitbucket using OAuth, and all calls will go through this proxy.
If I create one central OAuth proxy on a server, I assume I still need to create one service account, and all REST API calls will use the service account to make changes, etc.
A much simpler alternative might be to create a service account with very strict permissions to allow modifying pull requests, and use this account credentials as a pseudo-public interface.
"I assume I still need to create one service account, and all REST API calls will use the service account to make changes, etc."
Well, in the end the access token you get allows your script to perform actions on behalf of the user who was logged in Bitbucket and granted his permissions in the browser step. You might want your curl requests to be run under personal accounts (and not under a global service account).
Kerberos authentication is the way to go then.
In our latest version for Bitbucket we added the option to enable Kerberos to the REST API.
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG