From 1132d4e2e6d28cc7d1832202935fed17f874e0de Mon Sep 17 00:00:00 2001
From: Antoine Vigneau <antoine.vigneau@sonarsource.com>
Date: Tue, 19 Mar 2024 11:58:22 +0100
Subject: [PATCH] SONAR-21878 Fix SSF-568

---
 .../almIntegration/BitbucketServerForm.tsx    | 11 +++++----
 .../ws/UpdateBitbucketActionIT.java           | 23 +++++++++++++++++--
 .../almsettings/ws/AlmSettingsSupport.java    | 12 ++++++++--
 .../almsettings/ws/UpdateBitbucketAction.java |  4 +++-
 .../resources/org/sonar/l10n/core.properties  |  5 ++--
 5 files changed, 43 insertions(+), 12 deletions(-)

diff --git a/server/sonar-web/src/main/js/apps/settings/components/almIntegration/BitbucketServerForm.tsx b/server/sonar-web/src/main/js/apps/settings/components/almIntegration/BitbucketServerForm.tsx
index 9a2fe35b151..9e48f6a0dbb 100644
--- a/server/sonar-web/src/main/js/apps/settings/components/almIntegration/BitbucketServerForm.tsx
+++ b/server/sonar-web/src/main/js/apps/settings/components/almIntegration/BitbucketServerForm.tsx
@@ -47,11 +47,12 @@ export default function BitbucketServerForm(props: BitbucketServerFormProps) {
       />
       <AlmBindingDefinitionFormField
         help={
-          <FormattedMessage
-            defaultMessage={translate('settings.almintegration.form.url.bitbucket.help')}
-            id="settings.almintegration.form.url.bitbucket.help"
-            values={{ example: 'https://bitbucket-server.your-company.com' }}
-          />
+          <>
+            {translate('settings.almintegration.form.url.bitbucket.help')}
+            <br />
+            <br />
+            {translate('settings.almintegration.form.url.bitbucket.pat_warning')}
+          </>
         }
         id="url.bitbucket"
         maxLength={2000}
diff --git a/server/sonar-webserver-webapi/src/it/java/org/sonar/server/almsettings/ws/UpdateBitbucketActionIT.java b/server/sonar-webserver-webapi/src/it/java/org/sonar/server/almsettings/ws/UpdateBitbucketActionIT.java
index 948abd11faf..c074756df70 100644
--- a/server/sonar-webserver-webapi/src/it/java/org/sonar/server/almsettings/ws/UpdateBitbucketActionIT.java
+++ b/server/sonar-webserver-webapi/src/it/java/org/sonar/server/almsettings/ws/UpdateBitbucketActionIT.java
@@ -31,6 +31,7 @@ import org.sonar.server.component.ComponentFinder;
 import org.sonar.server.exceptions.ForbiddenException;
 import org.sonar.server.exceptions.NotFoundException;
 import org.sonar.server.tester.UserSessionRule;
+import org.sonar.server.ws.TestRequest;
 import org.sonar.server.ws.WsActionTester;
 
 import static java.lang.String.format;
@@ -88,7 +89,23 @@ public class UpdateBitbucketActionIT {
   }
 
   @Test
-  public void update_without_pat() {
+  public void fail_when_url_updated_without_pat() {
+    UserDto user = db.users().insertUser();
+    userSession.logIn(user).setSystemAdministrator();
+
+    AlmSettingDto almSettingDto = db.almSettings().insertBitbucketAlmSetting();
+
+    TestRequest request = ws.newRequest()
+      .setParam("key", almSettingDto.getKey())
+      .setParam("url", "https://bitbucket.enterprise-unicorn.com");
+
+    assertThatThrownBy(() -> request.execute())
+      .isInstanceOf(IllegalArgumentException.class)
+      .hasMessage("Please provide the Personal Access Token to update the URL.");
+  }
+
+  @Test
+  public void update_with_url_change_needs_path() {
     UserDto user = db.users().insertUser();
     userSession.logIn(user).setSystemAdministrator();
 
@@ -97,10 +114,12 @@ public class UpdateBitbucketActionIT {
     ws.newRequest()
       .setParam("key", almSettingDto.getKey())
       .setParam("url", "https://bitbucket.enterprise-unicorn.com")
+      .setParam("personalAccessToken", "0123456789")
       .execute();
+
     assertThat(db.getDbClient().almSettingDao().selectAll(db.getSession()))
       .extracting(AlmSettingDto::getKey, AlmSettingDto::getUrl, s -> s.getDecryptedPersonalAccessToken(encryption))
-      .containsOnly(tuple(almSettingDto.getKey(), "https://bitbucket.enterprise-unicorn.com", almSettingDto.getDecryptedPersonalAccessToken(encryption)));
+      .containsOnly(tuple(almSettingDto.getKey(), "https://bitbucket.enterprise-unicorn.com", "0123456789"));
   }
 
   @Test
diff --git a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/almsettings/ws/AlmSettingsSupport.java b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/almsettings/ws/AlmSettingsSupport.java
index 182c3cb11f9..b0b3c247a7f 100644
--- a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/almsettings/ws/AlmSettingsSupport.java
+++ b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/almsettings/ws/AlmSettingsSupport.java
@@ -113,8 +113,16 @@ public class AlmSettingsSupport {
   }
 
   public void checkPrivateKeyOnUrlUpdate(AlmSettingDto almSettingDto, String url, @Nullable String privateKey) {
-    if (!url.equals(almSettingDto.getUrl()) && isEmpty(privateKey)) {
-      throw new IllegalArgumentException("Please provide the Private Key to update the URL.");
+    checkCredentialArtifactOnUrlUpdate(url, almSettingDto, privateKey, "Please provide the Private Key to update the URL.");
+  }
+
+  public void checkPatOnUrlUpdate(AlmSettingDto almSettingDto, String url, @Nullable String pat) {
+    checkCredentialArtifactOnUrlUpdate(url, almSettingDto, pat, "Please provide the Personal Access Token to update the URL.");
+  }
+
+  private static void checkCredentialArtifactOnUrlUpdate(String url, AlmSettingDto almSettingDto, @Nullable String credentialArtifact, String errorMessage) {
+    if (!url.equals(almSettingDto.getUrl()) && isEmpty(credentialArtifact)) {
+      throw new IllegalArgumentException(errorMessage);
     }
   }
 }
diff --git a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/almsettings/ws/UpdateBitbucketAction.java b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/almsettings/ws/UpdateBitbucketAction.java
index e7d330729f1..bd0882fa035 100644
--- a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/almsettings/ws/UpdateBitbucketAction.java
+++ b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/almsettings/ws/UpdateBitbucketAction.java
@@ -85,7 +85,6 @@ public class UpdateBitbucketAction implements AlmSettingsWsAction {
   private void doHandle(Request request) {
     String key = request.mandatoryParam(PARAM_KEY);
     String newKey = request.param(PARAM_NEW_KEY);
-    String url = request.mandatoryParam(PARAM_URL);
     String pat = request.param(PARAM_PERSONAL_ACCESS_TOKEN);
 
     try (DbSession dbSession = dbClient.openSession(false)) {
@@ -94,6 +93,9 @@ public class UpdateBitbucketAction implements AlmSettingsWsAction {
         almSettingsSupport.checkAlmSettingDoesNotAlreadyExist(dbSession, newKey);
       }
 
+      String url = request.mandatoryParam(PARAM_URL);
+      almSettingsSupport.checkPatOnUrlUpdate(almSettingDto, url, pat);
+
       if (isNotBlank(pat)) {
         almSettingDto.setPersonalAccessToken(pat);
       }
diff --git a/sonar-core/src/main/resources/org/sonar/l10n/core.properties b/sonar-core/src/main/resources/org/sonar/l10n/core.properties
index 6fe31ea22cd..1d898ce9376 100644
--- a/sonar-core/src/main/resources/org/sonar/l10n/core.properties
+++ b/sonar-core/src/main/resources/org/sonar/l10n/core.properties
@@ -1456,11 +1456,12 @@ settings.almintegration.form.url.azure=Azure DevOps URL
 settings.almintegration.form.url.azure.help1=For Azure DevOps Server, provide the full collection URL:
 settings.almintegration.form.url.azure.help2=For Azure DevOps Services, provide the full organization URL:
 settings.almintegration.form.url.bitbucket=Bitbucket Server URL
-settings.almintegration.form.url.bitbucket.help=Example: {example}
+settings.almintegration.form.url.bitbucket.help=Example: https://bitbucket-server.your-company.com
+settings.almintegration.form.url.bitbucket.pat_warning=For security reasons, please make sure to provide the Personal Access Token to update the URL.
 settings.almintegration.form.url.github=GitHub API URL
 settings.almintegration.form.url.github.help1=Example for GitHub Enterprise:
 settings.almintegration.form.url.github.help2=If using GitHub.com:
-settings.almintegration.form.url.github.private_key_warning=Please make sure to provide the GitHub App private key for updating the URL.
+settings.almintegration.form.url.github.private_key_warning=For security reasons, please make sure to provide the GitHub App private key to update the URL.
 settings.almintegration.form.url.gitlab=GitLab API URL
 settings.almintegration.form.url.gitlab.help=Provide the GitLab API URL. For example:
 settings.almintegration.form.app_id=GitHub App ID
-- 
2.39.5