Merge pull request #152 from mongodb/development

v1.68.0

CHANGELOG.md

@@ -2,6 +2,9 @@
 
 All notable changes to this project will be documented in this file.
 
+## [v1.68.0]
+- Fixed Bitbucket authenticated cloning bug
+
 ## [v1.67.0]
 - Added checksum to GitLab rule
 - Fixed deduplication to consider rule identifiers so overlapping patterns are not merged before validation

Cargo.toml

@@ -10,7 +10,7 @@ publish = false
 
 [package]
 name = "kingfisher"
-version = "1.67.0"
+version = "1.68.0"
 description = "MongoDB's blazingly fast and accurate secret scanning and validation tool"
 edition.workspace = true
 rust-version.workspace = true

README.md

@@ -934,9 +934,7 @@ kingfisher scan bitbucket --workspace my-team --bitbucket-exclude my-team/**/exp
 
 Kingfisher supports Bitbucket Cloud and Bitbucket Server credentials:
 
-- **Workspace API token (Cloud)** – set `KF_BITBUCKET_TOKEN`. `KF_BITBUCKET_USERNAME`
-  is optional; Kingfisher automatically uses the token for Bitbucket REST APIs
-  and authenticates git operations as `x-token-auth`.
+- **Workspace API token (Cloud)** – set `KF_BITBUCKET_TOKEN`. Kingfisher automatically uses the token for Bitbucket REST APIs and authenticates git operations as `x-token-auth`.
 - **Bitbucket Server token** – set `KF_BITBUCKET_USERNAME` and either
   `KF_BITBUCKET_TOKEN` or `KF_BITBUCKET_PASSWORD`.
 - **Legacy app password (Cloud)** – set `KF_BITBUCKET_USERNAME` and

src/git_binary.rs

@@ -156,9 +156,12 @@ impl Git {
         } else if let Some(token) = bitbucket_access_token.clone() {
             Some(("x-token-auth".to_string(), token))
         } else if let (Some(username), Some(password)) =
-            (bitbucket_username.clone(), bitbucket_basic_password)
+            (bitbucket_username.clone(), bitbucket_basic_password.clone())
         {
             Some((username, password))
+        } else if let Some(token) = bitbucket_token.clone() {
+            // Allow token-only authentication (common for x-token-auth URLs).
+            Some(("x-token-auth".to_string(), token))
         } else {
             None
         };
@@ -169,6 +172,7 @@ impl Git {
         let has_bitbucket_oauth_token = bitbucket_oauth_token.is_some();
         let has_bitbucket_credentials = has_bitbucket_oauth_token
             || bitbucket_access_token.is_some()
+            || bitbucket_token.is_some()
             || (has_bitbucket_username && has_bitbucket_password);
         let has_azure_token = ["KF_AZURE_TOKEN", "KF_AZURE_PAT"]
             .iter()
@@ -454,6 +458,21 @@ mod tests {
         });
     }
 
+    #[test]
+    fn test_repo_arg_for_clone_uses_token_only_auth() {
+        let url =
+            GitUrl::try_from(url::Url::parse("https://bitbucket.org/workspace/demo.git").unwrap())
+                .unwrap();
+
+        temp_env::with_vars(&[("KF_BITBUCKET_TOKEN", Some("token123"))], || {
+            let git = Git::new(false);
+            assert_eq!(
+                git.repo_arg_for_clone(&url),
+                "https://x-token-auth:token123@bitbucket.org/workspace/demo.git"
+            );
+        });
+    }
+
     #[test]
     fn test_repo_arg_for_clone_leaves_non_bitbucket_urls_untouched() {
         let url = GitUrl::try_from(
@@ -484,6 +503,20 @@ mod tests {
         });
     }
 
+    #[test]
+    fn test_git_new_bitbucket_token_without_username() {
+        temp_env::with_var("KF_BITBUCKET_TOKEN", Some("token123"), || {
+            let git = Git::new(false);
+            assert_eq!(git.credentials.len(), 4);
+            assert!(git.credentials.iter().any(|value| value == BITBUCKET_CREDENTIAL_HELPER));
+            assert_eq!(git.bitbucket_access_token.as_deref(), None);
+            assert_eq!(
+                git.bitbucket_basic_auth,
+                Some(("x-token-auth".to_string(), "token123".to_string()))
+            );
+        });
+    }
+
     #[test]
     fn test_git_new_bitbucket_trims_whitespace() {
         let trimmed_token = "AT1234567890_ACCESS_TOKEN_EXAMPLE_WITH_UNDERSCORE";