chore(bitbucket): [FS-1008]: add an allowlist for bitbucket (#75)

* filter down bitbucket allowlist

* ready

* formatting

* formatting

* comment

* more stuff

README.md

@@ -125,6 +125,26 @@ Under the hood, this config adds these allowlist items:
 - PUT `https://gitlab.example.com/api/v4/projects/:project/merge_requests/:number/discussions/:discussion/notes/:note`
 - PUT `https://gitlab.example.com/api/v4/projects/:project/merge_requests/:number/discussions/:discussion`
 
+### Bitbucket
+
+Similarly, the `bitbucket` configuration section grants Semgrep access to leave MR comments.
+
+```yaml
+inbound:
+  bitbucket:
+    baseUrl: https://bitbucket.example.com/rest/api/latest
+    token: ...
+```
+
+Under the hood, this config adds these allowlist items:
+
+- GET `https://bitbucket.example.com/rest/api/latest/projects/:project`
+- GET `https://bitbucket.example.com/rest/api/latest/projects/:project/repos`
+- GET `https://bitbucket.example.com/rest/api/latest/projects/:project/repo/:repo`
+- GET `https://bitbucket.example.com/rest/api/latest/projects/:project/repos/:repo/default-branch`
+- GET `https://bitbucket.example.com/rest/api/latest/projects/:project/:repo/pull-requests`
+- POST `https://bitbucket.example.com/rest/api/latest/projects/:project/repos/:repo/pull-requests/:number/comments`
+
 ### Allowlist
 
 The `allowlist` configuration section provides finer-grained control over what HTTP requests are allowed to be forwarded out of the broker. The first matching allowlist item is used. No allowlist match means the request will not be proxied.

pkg/config.go

@@ -212,6 +212,11 @@ type GitLab struct {
 	Token   string `mapstructure:"token" json:"token"`
 }
 
+type BitBucket struct {
+	BaseURL string `mapstructure:"baseUrl" json:"baseUrl"`
+	Token   string `mapstructure:"token" json:"token"`
+}
+
 type HttpClientConfig struct {
 	AdditionalCACerts []string `mapstructure:"additionalCACerts" json:"additionalCACerts"`
 }
@@ -224,6 +229,7 @@ type InboundProxyConfig struct {
 	Heartbeat       HeartbeatConfig  `mapstructure:"heartbeat" json:"heartbeat"`
 	GitHub          *GitHub          `mapstructure:"github" json:"github"`
 	GitLab          *GitLab          `mapstructure:"gitlab" json:"gitlab"`
+	BitBucket       *BitBucket       `mapstructure:"bitbucket" json:"bitbucket"`
 	HttpClient      HttpClientConfig `mapstructure:"httpClient" json:"httpClient"`
 }
 
@@ -316,8 +322,13 @@ func LoadConfig(configFiles []string, deploymentId int) (*Config, error) {
 			return nil, fmt.Errorf("failed to parse github base URL: %v", err)
 		}
 
-		headers := map[string]string{
-			"Authorization": fmt.Sprintf("Bearer %v", gitHub.Token),
+		var headers map[string]string
+		if gitHub.Token != "" {
+			headers = map[string]string{
+				"Authorization": fmt.Sprintf("Bearer %v", gitHub.Token),
+			}
+		} else {
+			headers = map[string]string{}
 		}
 
 		config.Inbound.Allowlist = append(config.Inbound.Allowlist,
@@ -391,8 +402,13 @@ func LoadConfig(configFiles []string, deploymentId int) (*Config, error) {
 			return nil, fmt.Errorf("failed to parse gitlab base URL: %v", err)
 		}
 
-		headers := map[string]string{
-			"PRIVATE-TOKEN": gitLab.Token,
+		var headers map[string]string
+		if gitLab.Token != "" {
+			headers = map[string]string{
+				"PRIVATE-TOKEN": gitLab.Token,
+			}
+		} else {
+			headers = map[string]string{}
 		}
 
 		config.Inbound.Allowlist = append(config.Inbound.Allowlist,
@@ -435,5 +451,63 @@ func LoadConfig(configFiles []string, deploymentId int) (*Config, error) {
 		)
 	}
 
+	if config.Inbound.BitBucket != nil {
+		bitBucket := config.Inbound.BitBucket
+
+		bitBucketBaseUrl, err := url.Parse(bitBucket.BaseURL)
+
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse bitbucket base URL: %v", err)
+		}
+
+		var headers map[string]string
+		if bitBucket.Token != "" {
+			headers = map[string]string{
+				"Authorization": fmt.Sprintf("Bearer %v", bitBucket.Token),
+			}
+		} else {
+			headers = map[string]string{}
+		}
+
+		config.Inbound.Allowlist = append(config.Inbound.Allowlist,
+			// project info
+			AllowlistItem{
+				URL:               bitBucketBaseUrl.JoinPath("/projects/:project").String(),
+				Methods:           ParseHttpMethods([]string{"GET"}),
+				SetRequestHeaders: headers,
+			},
+			// get repos
+			AllowlistItem{
+				URL:               bitBucketBaseUrl.JoinPath("/projects/:project/repos").String(),
+				Methods:           ParseHttpMethods([]string{"GET"}),
+				SetRequestHeaders: headers,
+			},
+			// repo info
+			AllowlistItem{
+				URL:               bitBucketBaseUrl.JoinPath("/projects/:project/repos/:repo").String(),
+				Methods:           ParseHttpMethods([]string{"GET"}),
+				SetRequestHeaders: headers,
+			},
+			// default branch
+			AllowlistItem{
+				URL:               bitBucketBaseUrl.JoinPath("/projects/:project/repos/:repo/default-branch").String(),
+				Methods:           ParseHttpMethods([]string{"GET"}),
+				SetRequestHeaders: headers,
+			},
+			// pull requests
+			AllowlistItem{
+				URL:               bitBucketBaseUrl.JoinPath("/projects/:project/repos/:repo/pull-requests").String(),
+				Methods:           ParseHttpMethods([]string{"GET"}),
+				SetRequestHeaders: headers,
+			},
+			// post PR comment
+			AllowlistItem{
+				URL:               bitBucketBaseUrl.JoinPath("/projects/:project/repos/:repo/pull-requests/:number/comments").String(),
+				Methods:           ParseHttpMethods([]string{"POST"}),
+				SetRequestHeaders: headers,
+			},
+		)
+	}
+
 	return config, nil
 }