Implementing a PHP Bitbucket API service for a website. One thing I need to do is give a bitbucket user (could be anyone at all as long as they have a bitbucket account) access to a private repository and be able to pull the repo down via composer.
Is this possible by the Bitbucket API?
Should I be giving the user just standard read access to the repo?
If that's the case what happens with SSH keys? How would I handle that?
OR should I use the deployment keys feature? Is this available via the API?
If you know of any documentation apart from the official ones that might highlight some of these features slightly better, it would be greatly appreciated.
Thank you
To give a user access to a repository through the API: https://confluence.atlassian.com/display/BITBUCKET/privileges+Endpoint#privilegesEndpoint-PUTanewprivilege
If all you need is the ability to clone, then "read" permission is sufficient.
HTTPS vs SSH is orthogonal. Once a user has access, it is up to them to choose the protocol.
Deploy keys are another option if all you need is the ability to clone a repo over SSH (not HTTPS), but it sounds like that may not be a very good fit for what you're trying to do.
The user would need access to the repository... read access is fine
now since your repository is a private one, it's not hosted on packagist, I'm assuming...
so your composer config, well at least the way we do it in our workspace could be as follows:
{
    "name" : "bitbucket-users-project-name",
    "author" : "bitbucket-users-name",
    "repositories": [
        {
            "type": "git",
            "url": "git@bitbucket.org:your-username/your-repo-name.git"
        }
    ],
    "require" : {
        "your-repo-composer--name" : "version.number.here"
    }
}
for testing purposes you could use dev-master instead of version.number.here
now since you're using the ssh git url, that user would require their ssh key added to their own account
I'm using Doxygen to generate documentation on a C++ project. I want to share this documentation with various team members without them having to build the docs themselves. In an ideal world, there's a service to privately host the static HTML that's generated from Doxygen, and gate it behind some sort of login. I think literally all this service needs to do is have some authentication middleware before serving the HTML. Just password protecting a directory is not good enough for what I'd like to do.
Does anyone know of a service like this that already exists? Am I taking the wrong approach?
What you are asking for is a service that hosts static pages but provides the authentication functionality. I don't know if something like that exists and I have not found anything in a quick search.
However, there's another approach, much simpler. Just generate the documentation and upload it wherever you want that requires authentication (Google Drive, a private repository in GitHub or Bitbucket, etc). Give access to your team members and they will just have to keep it up to date with the remote one and open the index.html locally in their browsers.
Azure has a static web app host available.
You can configure it so users must log in before anything is served up.
This is a bare bones config that requires people to log into an app reg I made available to them, otherwise it will redirect to the azure ad login page.
We are already using Azure for our cloud needs, so this wasn't much to stand up for the documentation host.
Custom authentication in Azure Static Web Apps
Authentication and authorization for Azure Static Web Apps
{
    "auth": {
        "identityProviders": {
            "azureActiveDirectory": {
                "userDetailsClaim": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                "registration": {
                    "openIdIssuer": "https://login.microsoftonline.com/TENANT_ID",
                    "clientIdSettingName": "AZURE_CLIENT_ID",
                    "clientSecretSettingName": "AZURE_CLIENT_SECRET"
                }
            }
        }
    },
    "routes": [
        {
            "route": "/*",
            "allowedRoles": [
                "authenticated"
            ]
        }
    ],
    "responseOverrides": {
        "401": {
            "statusCode": 302,
            "redirect": "/.auth/login/aad"
        }
    }
}
I am trying to set up a CouchDB instance to:
Not require login at the web user interface to create/edit/delete documents for random people who go to http://my_couchdb:5984
Prevent random people from making admin level changes
Ex: modify design docs, add users or remove pre-existing users
Basically, I would like random people to be something like the members described here: https://docs.couchdb.org/en/2.3.1/api/database/security.html#api-db-security
What settings are necessary to make this happen? Do they live in etc/local.ini?
I would not like to use cookies or individual user databases.
How I Set It Up
I configured CouchDB to have an admin user, boss.
I also made a database bananas: http://my_couchdb:5984/_utils/#database/bananas/_all_docs
What I've Tried So Far
Manipulating require_valid_user in both httpd and chttpd inside etc/local.ini (source) did not work for me, maybe I didn't quite do it right
Per this answer, I tried adding the admin user boss to Permissions --> Admins --> Users of both _users db and bananas db, and it failed to achieve my desired result.
I then removed both of these, and the response of curl $HOST/bananas/_security is now {}.
This answer talks about creating a low-permissions user, but doesn't talk about how to bypass log in.
The below authentication_handler works, but I don't want an Admin Party, so I need a better method.
[chttpd]
authentication_handlers = {couch_httpd_auth, null_authentication_handler}
Update
As pointed out by @uminder, out of the box it seems to be possible to make documents without credentials. I ran the following command from a second machine:
curl -X PUT http://my_couchdb:5984/bananas/test -d '{ "name": "test document" }'
And can then view (but not edit) the document by going here:
http://my_couchdb:5984/bananas/test
(Please ignore that the hostname is not actually my_couchdb)
What I need is to use a web UI, without login, to edit that document. Currently, the UI is Fauxton. Here is what I do:
Go here: http://my_couchdb:5984/_utils/#database/bananas/test
It redirects to login page here: http://my_couchdb:5984/_utils/#login
How can I not get redirected to login, and just be able to edit the document using the Web UI?
Setup Information
CouchDB Version: 2.3.1
OS: Ubuntu 16.04.3 LTS
Please let me know what other information is needed to arrive at a solution! I am new to configuring CouchDB.
I just locally installed CouchDB (Single Node Setup) on Windows 10. Then I created an admin user and a bananas database in Fauxton.
Using curl, I was able to create, update and delete documents in bananas database without providing any credentials.
curl -X PUT http://127.0.0.1:5984/bananas/1 -d '{ "name": "doc 1" }'
curl -X PUT http://127.0.0.1:5984/bananas/1 -d '{ "name": "doc 2", "_rev": "1-5cd56a944d3d59a44613269396365431" }'
curl -X DELETE http://127.0.0.1:5984/bananas/1?rev=3-2b34329467970cc792cee5931a68ca2e
When trying to create a design document (an index) in bananas however, I got an "unauthorized" error with reason "You are not a db or server admin."
curl -X PUT http://127.0.0.1:5984/bananas/_design/name_idx -d '{ "index": { "fields": ["name"] } }'
The result was exactly the same when I installed CouchDB on another computer within the same subnet. It seems that in these cases, a newly installed CouchDB with default settings just behaves the way you wish, at least when referring to the title of your answer.
If I had to make my CouchDB accessible through a public URL, I would try to change the default security object and enable CORS in the local.ini file.
[couchdb]
default_security = everyone
[httpd]
enable_cors = true
[cors]
origins = *
methods = GET,POST,PUT,DELETE
credentials = false
Bypassing Web-Interface Login
I don't think Fauxton can be configured to bypass the login page in order to allow anonymous users to directly create, update or delete documents. You would have to create a fork of the couchdb-fauxton project and change the code to fit your needs.
Alternatively you could write your own web-interface (Angular, React, Vue.js ...) that internally uses an existing user for authentication but hides this from the end user.
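As an added illustration (not code from this thread or from CouchDB itself), the following Python models the per-database authorization rules the answer relies on, so you can trace why the anonymous document write succeeded while the design document write was refused. boss is the admin from the question; the other names and the sample security objects are constructed.

```python
"""Model of CouchDB's per-database authorization (2.x/3.x rules as documented).

Added example, not code from the thread or from CouchDB: evaluates a request
against a database _security object and the require_valid_user setting.
"""
from dataclasses import dataclass, field
from typing import Optional

NOT_ADMIN = "unauthorized: You are not a db or server admin."
NOT_MEMBER = "unauthorized: You are not authorized to access this db."
NO_ANON = "unauthorized: Authentication required."


@dataclass
class User:
    name: Optional[str] = None               # None means an anonymous request
    roles: set = field(default_factory=set)  # server admins carry the "_admin" role


def _listed(user, section):
    """True if the user is named in, or holds a role listed in, a security section."""
    return user.name in section.get("names", []) or bool(
        user.roles & set(section.get("roles", [])))


def authorize(security, user, method, path, require_valid_user=False):
    """Return "ok" or the error CouchDB raises for this request on one database.

    security is the database _security object: {} is what curl $HOST/bananas/_security
    returned in the question and what default_security = everyone produces.
    """
    if require_valid_user and user.name is None:
        return NO_ANON                       # [chttpd] require_valid_user = true rejects anonymous
    admins = security.get("admins", {})
    members = security.get("members", {})
    is_admin = "_admin" in user.roles or _listed(user, admins)
    # An empty members section means every user, anonymous included, is a member.
    members_restricted = bool(members.get("names") or members.get("roles"))
    if not (is_admin or not members_restricted or _listed(user, members)):
        return NOT_MEMBER
    # Members may read everything and write ordinary documents; changing design
    # documents or the security object itself is reserved for admins.
    admin_write = method in ("PUT", "POST", "DELETE") and (
        path.startswith("_design/") or path == "_security")
    if admin_write and not is_admin:
        return NOT_ADMIN
    return "ok"
```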
I have cloned the sample myapplication from here (https://cumulocity.com/guides/web/introduction/) and it works.
However, when I change the resourcesUrl to point to my bitbucket repos, it starts getting funny.
{
    "availability": "MARKET",
    "contextPath": "myapplication",
    "key": "myapplication-appkey",
    "name": "myapplication",
    "resourcesUrl": "https://bitbucket.org/m2m/cumulocity-ui-plugin-examples/raw/develop/build",
    "type": "HOSTED",
    "imports": [
        "core/c8yBranding",
        "core/deviceList",
        "core/deviceDetail",
        "myapplication/myplugin"
    ]
}
Each time I switch to myapplication on cumulocity, my page will automatically be forwarded to bitbucket. Even if I delete the myapplication from administration and change "resourcesUrl" back to the original, and reregister plugin and app, the portal still continues to forward the page to bitbucket.
Did I miss anything here and how do I bring it back? Thanks.
Updates,
It looks like reregistering the app with the original resourcesUrl does work today and possibly something was not right with my PC yesterday. (Today I found this is not related to my PC; there is a delay between grunt appRegister and the application really being updated in Cumulocity. I wonder how long the delay is?)
Whether myapplication is forwarded to bitbucket looks to be related to whether the repo is private or public. If the repo is public, cumulocity will load the login page as expected. If private, even after setting username and password in the Administration page->Own applications->Myapplication->properties page and clicking save, it still goes to the bitbucket login page.
So now the question is, how to link("resourcesUrl") to a private repo hosted in bitbucket?
If change "availability" from "MARKET" to "PRIVATE", the application page will be 404 no application found, is this expected?
Thanks.
To point to a resourcesUrl that is protected by basic authentication, which is the case for private bitbucket repos, one must add the properties resourcesUsername and resourcesPassword to the manifest.
In case of bitbucket these are the credentials to a bitbucket user. We recommend a user with just read permissions to this repo.
A MARKET app is available to every tenant that subscribes to it and a PRIVATE app is only available to the tenant that owns it. For example, if a tenant 'acme' creates an application 'foo' that same app will only be available at acme.cumulocity.com/apps/foo.
I need to develop a bunch of my own web hooks (or services maybe) for auto deploy, report into project management systems, etc.
But the data posted to a web hook doesn't have much information to fill my needs.
For example, I've received a simple push event, how can I know whether it is a force push or not? Okay, I have 2 treeishes, let's look at the repository and check this push — oops, need a user token to do it. Sad.
What is the right method to access gitlab api from web hooks? Probably I've missed something important? I'm really confused.
Upd1:
Let's try to find a solution. Possibilities:
Imagine we can have a user who can read all projects in gitlab. But that user should be connected to each project to have access. Ok ;-(
What about reading the repo as the pusher? We can't, because we need to use his private token to do this.
Maybe some internal functionality to read all repos or something? Sure not.
So. Maybe database? Nope. Because we need to clone the repo at first and can't save data in the DB anyway with refreshing caches.
I think we need a security token and maybe many checkboxes with access permissions for each joined web hook or an app (service).
Please feel free to share your ideas.
I've remembered partial solution. So scenario will be like that:
Create web service with your web hook.
Create an ssh key on the same host for some special (usually the owner of the web hook service) user to have access to repos.
Add ssh key created at previous step as deploy key.
Finally: Register your webhook and add your deploy key for that hook to project — repeat it for each project what need this hook.
You have event listener (your web hook service), and you have access to that repository (ssh/git).
But still that solution doesn't have access to API itself.
Probably, there is also another solution.
Create custom admin user with a big random password and some synthetic name like HookBot or something, remember private_token of that user;
Register your web hook;
Use api access to add your deploy key with HookBot (untested);
Use sudo api to get sources or something else. Just mimicry to pusher's account (sudo -u {author_id}) and go on, read repo, work with it, etc.
Maybe some another solutions? More legit?
If I interact with Github over SSH using the git account, how does it know which files to let me access?
Is it possible on the server to detect which specific key in the authorized_keys file was used to authenticate a user? My understanding of SSH is that once my key is authenticated, I'm logged in as the git user and should have access to everything that user account has access to.
Update:
I figured gitosis had to be doing something similar in nature and so I checked out the source. As ephemient says, associating a command with a public key seems like the way to go. You can set it up so that the command receives the user's name as an argument and figure out permissions based on that.
Of course I do not know what github does but https://wincent.com/wiki/Git_repository_access_control explains how.
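An added example of the forced-command approach described above (not GitHub's or gitosis's code): each key in authorized_keys is bound to a gate command that carries the key owner's name, and the gate decides from SSH_ORIGINAL_COMMAND whether the requested repository operation is allowed before exec'ing the real git service. The paths /usr/local/bin/git-gate and /srv/git, the user names and the ACL are constructed assumptions.

```python
"""Gate one shared 'git' account by the key that authenticated (gitosis-style).

Added example, not from the thread or from GitHub/gitosis. sshd runs the forced
command with the key owner's name as argv[1]; the client's request arrives in
SSH_ORIGINAL_COMMAND as e.g. "git-upload-pack 'docs.git'".
"""
import os
import re
import shlex
import sys

REPO_ROOT = "/srv/git"                    # assumed repository directory
GATE = "/usr/local/bin/git-gate"          # assumed install path of this script
SAFE_REPO = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*\.git$")  # no '/' and no leading '.'
SERVICES = {"git-upload-pack": "read", "git-receive-pack": "write"}


def authorized_keys_line(user, pubkey):
    """authorized_keys entry: this key can only run the gate, with its owner's name baked in."""
    opts = ",".join([f'command="{GATE} {shlex.quote(user)}"', "no-port-forwarding",
                     "no-X11-forwarding", "no-agent-forwarding", "no-pty"])
    return f"{opts} {pubkey}"


def authorize(user, original_command, acl):
    """Return the argv to exec for an allowed request, or None to deny.

    acl maps repo name -> {user: "read" | "write"}; write implies read.
    """
    try:
        argv = shlex.split(original_command or "")
    except ValueError:                    # unbalanced quotes: not a well-formed git request
        return None
    if len(argv) != 2 or argv[0] not in SERVICES:  # only the two git transport services
        return None
    service, repo = argv
    if not SAFE_REPO.match(repo):         # reject traversal and odd names before any path work
        return None
    granted = acl.get(repo, {}).get(user)
    if granted == "write" or granted == SERVICES[service]:
        return [service, os.path.join(REPO_ROOT, repo)]
    return None


if __name__ == "__main__":                # invoked by sshd as: git-gate <user>
    ACL = {"docs.git": {"alice": "write", "bob": "read"}}  # constructed sample ACL
    cmd = authorize(sys.argv[1], os.environ.get("SSH_ORIGINAL_COMMAND"), ACL)
    if cmd is None:
        sys.exit("access denied")
    os.execvp(cmd[0], cmd)
```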