Do not validate bitbucket server token scopes

[vinokurig]

What does this PR do?

BitBucket Server get token() API method does not work with PAT token. It returns unauthorised exception. Omit the BitBucket Server token skopes check because there is not other way to get the token scopes.

Screenshot/screencast of this PR

What issues does this PR fix or reference?

https://issues.redhat.com/browse/CRW-4560

How to test this PR?

1. Configure BitBucket Server Oauth
2. Start a workspace from the BitBucket Server repository url.
3. Apply the authorization agreement.
   See workspace starts successfully, a new Personal Access Token item is created in the dashboard user preferences page.

PR Checklist

As the author of this Pull Request I made sure that:

• The Eclipse Contributor Agreement is valid
• Code produced is complete
• Code builds without errors
• Tests are covering the bugfix
• The repository devfile is up to date and works
• Sections What issues does this PR fix or reference and How to test this PR completed
• Relevant user documentation updated
• Relevant contributing documentation updated
• CI/CD changes implemented, documented and communicated

Reviewers

Reviewers, please comment how you tested the PR when approving it.

[vinokurig]

/retest

[tolusha]

From my understanding, if we won't validate scopes, then user might occur issue while using token with git operations.
BTW, We don't validate scopes for Azure Dev Ops as well, because of lack of API.

[vinokurig]

@tolusha

From my understanding, if we won't validate scopes, then user might occur issue while using token with git operations.

We generate Oauth tokens with predefined list of scopes:

che-server/wsmaster/che-core-api-factory-bitbucket-server/src/main/java/org/eclipse/che/api/factory/server/bitbucket/BitbucketServerPersonalAccessTokenFetcher.java

Lines 109 to 110 in f3635b9

	BitbucketPersonalAccessToken token =
	bitbucketServerApiClient.createPersonalAccessTokens(tokenName, DEFAULT_TOKEN_SCOPE);

so there is no way user can have an Oauth token with another scopes. As for PATs, we do not validate scopes for BitBucket Server at all.

[artaleks9]

Verified on Eclipse Che with quay.io/eclipse/che-server:pr-706 - the functionality works properly.

[ibuziuk]

@vinokurig could BitBucket OAuth be affected by this change? why scope validation was in place before?

[vinokurig]

could BitBucket OAuth be affected by this change?

I do not think so because the commit just simplifies the check, it does not add new requests or stuff like that.

why scope validation was in place before?

I believe this was copied from the GitHub token fetcher:

che-server/wsmaster/che-core-api-factory-github-common/src/main/java/org/eclipse/che/api/factory/server/github/AbstractGithubPersonalAccessTokenFetcher.java

Lines 238 to 243 in 88b965f

	if (params.getScmTokenName() != null && params.getScmTokenName().startsWith(OAUTH_2_PREFIX)) {
	Pair<String, String[]> pair = apiClient.getTokenScopes(params.getToken());
	return Optional.of(
	Pair.of(
	containsScopes(pair.second, DEFAULT_TOKEN_SCOPES) ? Boolean.TRUE : Boolean.FALSE,
	pair.first));

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: artaleks9, ibuziuk, vinokurig

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[devstudio-release]

Build 3.16 :: server_3.x/351: Console, Changes, Git Data

[devstudio-release]

Build 3.16 :: server_3.x/352: Console, Changes, Git Data

[devstudio-release]

Build 3.16 :: sync-to-downstream_3.x/7327: Console, Changes, Git Data

[devstudio-release]

Build 3.16 :: sync-to-downstream_3.x/7328: Console, Changes, Git Data

[devstudio-release]

Build 3.16 :: get-sources-rhpkg-container-build_3.x/7311: Console, Changes, Git Data

[devstudio-release]

Build 3.16 :: get-sources-rhpkg-container-build_3.x/7312: Console, Changes, Git Data

[devstudio-release]

Build 3.16 :: push-latest-container-to-quay_3.x/4804: Console, Changes, Git Data

[devstudio-release]

Build 3.16 :: push-latest-container-to-quay_3.x/4805: Console, Changes, Git Data

[devstudio-release]

Build 3.16 :: get-sources-rhpkg-container-build_3.x/7311:

server : 3.x :: Build 62945526 : quay.io/devspaces/server-rhel8:3.16-10
SUCCESS; copied to quay; /DS_CI/push-latest-container-to-quay_3.x/4804 triggered

[devstudio-release]

Build 3.16 :: server_3.x/351:

Upstream sync done; /DS_CI/sync-to-downstream_3.x/7327 triggered

[devstudio-release]

Build 3.16 :: get-sources-rhpkg-container-build_3.x/7312:

server : 3.x :: Build 62945529 : quay.io/devspaces/server-rhel8:3.16-11
SUCCESS; copied to quay; /DS_CI/push-latest-container-to-quay_3.x/4805 triggered

[devstudio-release]

Build 3.16 :: update-digests_3.x/7172: Console, Changes, Git Data

[devstudio-release]

Build 3.16 :: server_3.x/352:

Upstream sync done; /DS_CI/sync-to-downstream_3.x/7328 triggered

[devstudio-release]

Build 3.16 :: operator-bundle_3.x/3365: Console, Changes, Git Data

[devstudio-release]

Build 3.16 :: sync-to-downstream_3.x/7331: Console, Changes, Git Data

[devstudio-release]

Build 3.16 :: get-sources-rhpkg-container-build_3.x/7315: Console, Changes, Git Data

[devstudio-release]

Build 3.16 :: push-latest-container-to-quay_3.x/4808: Console, Changes, Git Data

[devstudio-release]

Build 3.16 :: copyIIBsToQuay/2724: Console, Changes, Git Data

[devstudio-release]

Build 3.16 :: get-sources-rhpkg-container-build_3.x/7315:

devspaces-operator-bundle : 3.x :: Build 62946238 : quay.io/devspaces/devspaces-operator-bundle:3.16-19
SUCCESS; copied to quay; /DS_CI/push-latest-container-to-quay_3.x/4808 triggered;

Bundle CSV related images:
- quay.io/devspaces/code-rhel8:3.16-13
- quay.io/devspaces/configbump-rhel8:3.16-2
- quay.io/devspaces/dashboard-rhel8:3.16-12
- quay.io/devspaces/devfileregistry-rhel8:3.16-50
- quay.io/devspaces/devspaces-rhel8-operator:3.16-2
- quay.io/devspaces/idea-rhel8:3.16-1
- quay.io/devspaces/pluginregistry-rhel8:3.16-8
- quay.io/devspaces/server-rhel8:3.16-12
- quay.io/devspaces/traefik-rhel8:3.16-1
- quay.io/devspaces/udi-rhel8:3.16-3
= registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.12.0-202407151105.p0.gb17014f.assembly.stream.el8
= registry.redhat.io/openshift4/ose-oauth-proxy:v4.12.0-202407151105.p0.g03e5b13.assembly.stream.el8
= registry.redhat.io/rhscl/mongodb-36-rhel7:1-50
= registry.redhat.io/ubi8/ubi-minimal:8.8-1072.1697626218

[devstudio-release]

Build 3.16 :: sync-to-downstream_3.x/7331:

Build container: devspaces-operator-bundle synced; /DS_CI/get-sources-rhpkg-container-build_3.x/7315 triggered; /job/DS_CI/job/dsc_3.x triggered;

[devstudio-release]

Build 3.16 :: operator-bundle_3.x/3365:

Upstream sync done; /DS_CI/sync-to-downstream_3.x/7331 triggered

[devstudio-release]

Build 3.16 :: dsc_3.x/1962: Console, Changes, Git Data

[devstudio-release]

Build 3.16 :: update-digests_3.x/7172:

Detected new images: rebuild operator-bundle
* server; /DS_CI/operator-bundle_3.x/3365 triggered

[devstudio-release]

Build 3.16 :: update-digests_3.x/7173: Console, Changes, Git Data

[devstudio-release]

Build 3.16 :: update-digests_3.x/7173:

No new images detected: nothing to do!

[devstudio-release]

Build 3.16 :: dsc_3.x/1962:

3.16.0-CI

[devstudio-release]

Build 3.16 :: copyIIBsToQuay/2724:

3.16
arches = x86_64, s390x, ppc64le;
  * LATEST DS OPERATOR BUNDLE = <a href=https://quay.io/repository/devspaces/devspaces-operator-bundle?tab=tags>registry-proxy.engineering.redhat.com/rh-osbs/devspaces-operator-bundle:3.16-19
  * LATEST DWO OPERATOR BUNDLE = <a href=https://quay.io/repository/devworkspace/devworkspace-operator-bundle?tab=tags>registry-proxy.engineering.redhat.com/rh-osbs/devworkspace-operator-bundle:???
+ x86_64-rhel8 IIB(s) copied:
  + <a href=https://quay.io/devspaces/iib:3.16-v4.16-776943- /tmp/getIIBsForBundle.sh -t PROD_VER [OPTIONS]-x86_64>quay.io/devspaces/iib:3.16-v4.16-776943- /tmp/getIIBsForBundle.sh -t PROD_VER [OPTIONS]-x86_64
  + quay.io/devspaces/iib:3.16-v4.16-x86_64
  + <a href=https://quay.io/devspaces/iib:3.16-v4.15-777174- /tmp/getIIBsForBundle.sh -t PROD_VER [OPTIONS]-x86_64>quay.io/devspaces/iib:3.16-v4.15-777174- /tmp/getIIBsForBundle.sh -t PROD_VER [OPTIONS]-x86_64
  + quay.io/devspaces/iib:3.16-v4.15-x86_64
  + <a href=https://quay.io/devspaces/iib:3.16-v4.14-777173- /tmp/getIIBsForBundle.sh -t PROD_VER [OPTIONS]-x86_64>quay.io/devspaces/iib:3.16-v4.14-777173- /tmp/getIIBsForBundle.sh -t PROD_VER [OPTIONS]-x86_64
  + quay.io/devspaces/iib:3.16-v4.14-x86_64
  + <a href=https://quay.io/devspaces/iib:3.16-v4.13-777172- /tmp/getIIBsForBundle.sh -t PROD_VER [OPTIONS]-x86_64>quay.io/devspaces/iib:3.16-v4.13-777172- /tmp/getIIBsForBundle.sh -t PROD_VER [OPTIONS]-x86_64
  + quay.io/devspaces/iib:3.16-v4.13-x86_64
  + <a href=https://quay.io/devspaces/iib:3.16-v4.12-777171- /tmp/getIIBsForBundle.sh -t PROD_VER [OPTIONS]-x86_64>quay.io/devspaces/iib:3.16-v4.12-777171- /tmp/getIIBsForBundle.sh -t PROD_VER [OPTIONS]-x86_64
  + quay.io/devspaces/iib:3.16-v4.12-x86_64
+ ppc64le-rhel8 IIB(s) copied:
  + <a href=https://quay.io/devspaces/iib:3.16-v4.16-776943- /tmp/getIIBsForBundle.sh -t PROD_VER [OPTIONS]-ppc64le>quay.io/devspaces/iib:3.16-v4.16-776943- /tmp/getIIBsForBundle.sh -t PROD_VER [OPTIONS]-ppc64le
  + quay.io/devspaces/iib:3.16-v4.16-ppc64le
  + <a href=https://quay.io/devspaces/iib:3.16-v4.15-777174- /tmp/getIIBsForBundle.sh -t PROD_VER [OPTIONS]-ppc64le>quay.io/devspaces/iib:3.16-v4.15-777174- /tmp/getIIBsForBundle.sh -t PROD_VER [OPTIONS]-ppc64le
  + quay.io/devspaces/iib:3.16-v4.15-ppc64le
  + <a href=https://quay.io/devspaces/iib:3.16-v4.14-777173- /tmp/getIIBsForBundle.sh -t PROD_VER [OPTIONS]-ppc64le>quay.io/devspaces/iib:3.16-v4.14-777173- /tmp/getIIBsForBundle.sh -t PROD_VER [OPTIONS]-ppc64le
  + quay.io/devspaces/iib:3.16-v4.14-ppc64le
  + <a href=https://quay.io/devspaces/iib:3.16-v4.13-777172- /tmp/getIIBsForBundle.sh -t PROD_VER [OPTIONS]-ppc64le>quay.io/devspaces/iib:3.16-v4.13-777172- /tmp/getIIBsForBundle.sh -t PROD_VER [OPTIONS]-ppc64le
  + quay.io/devspaces/iib:3.16-v4.13-ppc64le
  + <a href=https://quay.io/devspaces/iib:3.16-v4.12-777171- /tmp/getIIBsForBundle.sh -t PROD_VER [OPTIONS]-ppc64le>quay.io/devspaces/iib:3.16-v4.12-777171- /tmp/getIIBsForBundle.sh -t PROD_VER [OPTIONS]-ppc64le
  + quay.io/devspaces/iib:3.16-v4.12-ppc64le
+ s390x-rhel8 IIB(s) copied:
  + <a href=https://quay.io/devspaces/iib:3.16-v4.16-776943- /tmp/getIIBsForBundle.sh -t PROD_VER [OPTIONS]-s390x>quay.io/devspaces/iib:3.16-v4.16-776943- /tmp/getIIBsForBundle.sh -t PROD_VER [OPTIONS]-s390x
  + quay.io/devspaces/iib:3.16-v4.16-s390x
  + <a href=https://quay.io/devspaces/iib:3.16-v4.15-777174- /tmp/getIIBsForBundle.sh -t PROD_VER [OPTIONS]-s390x>quay.io/devspaces/iib:3.16-v4.15-777174- /tmp/getIIBsForBundle.sh -t PROD_VER [OPTIONS]-s390x
  + quay.io/devspaces/iib:3.16-v4.15-s390x
  + <a href=https://quay.io/devspaces/iib:3.16-v4.14-777173- /tmp/getIIBsForBundle.sh -t PROD_VER [OPTIONS]-s390x>quay.io/devspaces/iib:3.16-v4.14-777173- /tmp/getIIBsForBundle.sh -t PROD_VER [OPTIONS]-s390x
  + quay.io/devspaces/iib:3.16-v4.14-s390x
  + <a href=https://quay.io/devspaces/iib:3.16-v4.13-777172- /tmp/getIIBsForBundle.sh -t PROD_VER [OPTIONS]-s390x>quay.io/devspaces/iib:3.16-v4.13-777172- /tmp/getIIBsForBundle.sh -t PROD_VER [OPTIONS]-s390x
  + quay.io/devspaces/iib:3.16-v4.13-s390x
  + <a href=https://quay.io/devspaces/iib:3.16-v4.12-777171- /tmp/getIIBsForBundle.sh -t PROD_VER [OPTIONS]-s390x>quay.io/devspaces/iib:3.16-v4.12-777171- /tmp/getIIBsForBundle.sh -t PROD_VER [OPTIONS]-s390x
  + quay.io/devspaces/iib:3.16-v4.12-s390x