public function testUsernamePasswordAuthenticationFlow()
{
$io = $this->getIOMock();
$io->expects($this->at(0))->method('writeError')->with($this->message);
$io->expects($this->exactly(2))->method('askAndHideAnswer')->withConsecutive(array('Consumer Key (hidden): '), array('Consumer Secret (hidden): '))->willReturnOnConsecutiveCalls($this->username, $this->password);
$rfs = $this->getRemoteFilesystemMock();
$rfs->expects($this->once())->method('getContents')->with($this->equalTo($this->origin), $this->equalTo(sprintf('https://%s/site/oauth2/access_token', $this->origin)), $this->isFalse(), $this->anything())->willReturn(sprintf('{}', $this->token));
$config = $this->getConfigMock();
$config->expects($this->exactly(2))->method('getAuthConfigSource')->willReturn($this->getAuthJsonMock());
$config->expects($this->once())->method('getConfigSource')->willReturn($this->getConfJsonMock());
$bitbucket = new Bitbucket($io, $config, null, $rfs);
$this->assertTrue($bitbucket->authorizeOAuthInteractively($this->origin, $this->message));
}
public function runCommand($commandCallable, $url, $cwd, $initialClone = false)
{
// Ensure we are allowed to use this URL by config
$this->config->prohibitUrlByConfig($url, $this->io);
if ($initialClone) {
$origCwd = $cwd;
$cwd = null;
}
if (preg_match('{^ssh://[^@]+@[^:]+:[^0-9]+}', $url)) {
throw new \InvalidArgumentException('The source URL ' . $url . ' is invalid, ssh URLs should have a port number after ":".' . "\n" . 'Use ssh://git@example.com:22/path or just git@example.com:path if you do not want to provide a password or custom port.');
}
if (!$initialClone) {
// capture username/password from URL if there is one
$this->process->execute('git remote -v', $output, $cwd);
if (preg_match('{^(?:composer|origin)\\s+https?://(.+):(.+)@([^/]+)}im', $output, $match)) {
$this->io->setAuthentication($match[3], urldecode($match[1]), urldecode($match[2]));
}
}
$protocols = $this->config->get('github-protocols');
if (!is_array($protocols)) {
throw new \RuntimeException('Config value "github-protocols" must be an array, got ' . gettype($protocols));
}
// public github, autoswitch protocols
if (preg_match('{^(?:https?|git)://' . self::getGitHubDomainsRegex($this->config) . '/(.*)}', $url, $match)) {
$messages = array();
foreach ($protocols as $protocol) {
if ('ssh' === $protocol) {
$protoUrl = "git@" . $match[1] . ":" . $match[2];
} else {
$protoUrl = $protocol . "://" . $match[1] . "/" . $match[2];
}
if (0 === $this->process->execute(call_user_func($commandCallable, $protoUrl), $ignoredOutput, $cwd)) {
return;
}
$messages[] = '- ' . $protoUrl . "\n" . preg_replace('#^#m', ' ', $this->process->getErrorOutput());
if ($initialClone) {
$this->filesystem->removeDirectory($origCwd);
}
}
// failed to checkout, first check git accessibility
$this->throwException('Failed to clone ' . $url . ' via ' . implode(', ', $protocols) . ' protocols, aborting.' . "\n\n" . implode("\n", $messages), $url);
}
// if we have a private github url and the ssh protocol is disabled then we skip it and directly fallback to https
$bypassSshForGitHub = preg_match('{^git@' . self::getGitHubDomainsRegex($this->config) . ':(.+?)\\.git$}i', $url) && !in_array('ssh', $protocols, true);
$command = call_user_func($commandCallable, $url);
$auth = null;
if ($bypassSshForGitHub || 0 !== $this->process->execute($command, $ignoredOutput, $cwd)) {
// private github repository without git access, try https with auth
if (preg_match('{^git@' . self::getGitHubDomainsRegex($this->config) . ':(.+?)\\.git$}i', $url, $match)) {
if (!$this->io->hasAuthentication($match[1])) {
$gitHubUtil = new GitHub($this->io, $this->config, $this->process);
$message = 'Cloning failed using an ssh key for authentication, enter your GitHub credentials to access private repos';
if (!$gitHubUtil->authorizeOAuth($match[1]) && $this->io->isInteractive()) {
$gitHubUtil->authorizeOAuthInteractively($match[1], $message);
}
}
if ($this->io->hasAuthentication($match[1])) {
$auth = $this->io->getAuthentication($match[1]);
$authUrl = 'https://' . rawurlencode($auth['username']) . ':' . rawurlencode($auth['password']) . '@' . $match[1] . '/' . $match[2] . '.git';
$command = call_user_func($commandCallable, $authUrl);
if (0 === $this->process->execute($command, $ignoredOutput, $cwd)) {
return;
}
}
} elseif (preg_match('{^https://(bitbucket\\.org)/(.*)(\\.git)?$}U', $url, $match)) {
//bitbucket oauth
$bitbucketUtil = new Bitbucket($this->io, $this->config, $this->process);
if (!$this->io->hasAuthentication($match[1])) {
$message = 'Enter your Bitbucket credentials to access private repos';
if (!$bitbucketUtil->authorizeOAuth($match[1]) && $this->io->isInteractive()) {
$bitbucketUtil->authorizeOAuthInteractively($match[1], $message);
$token = $bitbucketUtil->getToken();
$this->io->setAuthentication($match[1], 'x-token-auth', $token['access_token']);
}
} else {
//We're authenticating with a locally stored consumer.
$auth = $this->io->getAuthentication($match[1]);
//We already have an access_token from a previous request.
if ($auth['username'] !== 'x-token-auth') {
$token = $bitbucketUtil->requestToken($match[1], $auth['username'], $auth['password']);
if (!empty($token)) {
$this->io->setAuthentication($match[1], 'x-token-auth', $token['access_token']);
}
}
}
if ($this->io->hasAuthentication($match[1])) {
$auth = $this->io->getAuthentication($match[1]);
$authUrl = 'https://' . rawurlencode($auth['username']) . ':' . rawurlencode($auth['password']) . '@' . $match[1] . '/' . $match[2] . '.git';
$command = call_user_func($commandCallable, $authUrl);
if (0 === $this->process->execute($command, $ignoredOutput, $cwd)) {
return;
}
} else {
// Falling back to ssh
$sshUrl = 'git@bitbucket.org:' . $match[2] . '.git';
$this->io->writeError(' No bitbucket authentication configured. Falling back to ssh.');
$command = call_user_func($commandCallable, $sshUrl);
if (0 === $this->process->execute($command, $ignoredOutput, $cwd)) {
return;
}
}
} elseif ($this->isAuthenticationFailure($url, $match)) {
// private non-github repo that failed to authenticate
if (strpos($match[2], '@')) {
list($authParts, $match[2]) = explode('@', $match[2], 2);
}
$storeAuth = false;
if ($this->io->hasAuthentication($match[2])) {
$auth = $this->io->getAuthentication($match[2]);
} elseif ($this->io->isInteractive()) {
$defaultUsername = null;
if (isset($authParts) && $authParts) {
if (false !== strpos($authParts, ':')) {
list($defaultUsername, ) = explode(':', $authParts, 2);
} else {
$defaultUsername = $authParts;
}
}
$this->io->writeError(' Authentication required (<info>' . parse_url($url, PHP_URL_HOST) . '</info>):');
$auth = array('username' => $this->io->ask(' Username: '******'password' => $this->io->askAndHideAnswer(' Password: '******'store-auths');
}
if ($auth) {
$authUrl = $match[1] . rawurlencode($auth['username']) . ':' . rawurlencode($auth['password']) . '@' . $match[2] . $match[3];
$command = call_user_func($commandCallable, $authUrl);
if (0 === $this->process->execute($command, $ignoredOutput, $cwd)) {
$this->io->setAuthentication($match[2], $auth['username'], $auth['password']);
$authHelper = new AuthHelper($this->io, $this->config);
$authHelper->storeAuth($match[2], $storeAuth);
return;
}
}
}
if ($initialClone) {
$this->filesystem->removeDirectory($origCwd);
}
$this->throwException('Failed to execute ' . $command . "\n\n" . $this->process->getErrorOutput(), $url);
}
}
/**
* Get the remote content.
*
* @param string $url The URL of content
* @param bool $fetchingRepoData
*
* @return mixed The result
*/
protected function getContentsWithOAuthCredentials($url, $fetchingRepoData = false)
{
try {
return parent::getContents($url);
} catch (TransportException $e) {
$bitbucketUtil = new Bitbucket($this->io, $this->config, $this->process, $this->remoteFilesystem);
if (403 === $e->getCode()) {
if (!$this->io->hasAuthentication($this->originUrl) && $bitbucketUtil->authorizeOAuth($this->originUrl)) {
return parent::getContents($url);
}
if (!$this->io->isInteractive() && $fetchingRepoData) {
return $this->attemptCloneFallback();
}
}
throw $e;
}
}
protected function promptAuthAndRetry($httpStatus, $reason = null)
{
if ($this->config && in_array($this->originUrl, $this->config->get('github-domains'), true)) {
$message = "\n" . 'Could not fetch ' . $this->fileUrl . ', please create a GitHub OAuth token ' . ($httpStatus === 404 ? 'to access private repos' : 'to go over the API rate limit');
$gitHubUtil = new GitHub($this->io, $this->config, null);
if (!$gitHubUtil->authorizeOAuth($this->originUrl) && (!$this->io->isInteractive() || !$gitHubUtil->authorizeOAuthInteractively($this->originUrl, $message))) {
throw new TransportException('Could not authenticate against ' . $this->originUrl, 401);
}
} elseif ($this->config && in_array($this->originUrl, $this->config->get('gitlab-domains'), true)) {
$message = "\n" . 'Could not fetch ' . $this->fileUrl . ', enter your ' . $this->originUrl . ' credentials ' . ($httpStatus === 401 ? 'to access private repos' : 'to go over the API rate limit');
$gitLabUtil = new GitLab($this->io, $this->config, null);
if (!$gitLabUtil->authorizeOAuth($this->originUrl) && (!$this->io->isInteractive() || !$gitLabUtil->authorizeOAuthInteractively($this->scheme, $this->originUrl, $message))) {
throw new TransportException('Could not authenticate against ' . $this->originUrl, 401);
}
} elseif ($this->config && $this->originUrl === 'bitbucket.org') {
$askForOAuthToken = true;
if ($this->io->hasAuthentication($this->originUrl)) {
$auth = $this->io->getAuthentication($this->originUrl);
if ($auth['username'] !== 'x-token-auth') {
$bitbucketUtil = new Bitbucket($this->io, $this->config);
$token = $bitbucketUtil->requestToken($this->originUrl, $auth['username'], $auth['password']);
if (!empty($token)) {
$this->io->setAuthentication($this->originUrl, 'x-token-auth', $token['access_token']);
$askForOAuthToken = false;
}
} else {
throw new TransportException('Could not authenticate against ' . $this->originUrl, 401);
}
}
if ($askForOAuthToken) {
$message = "\n" . 'Could not fetch ' . $this->fileUrl . ', please create a bitbucket OAuth token to ' . ($httpStatus === 401 ? 'to access private repos' : 'to go over the API rate limit');
$bitBucketUtil = new Bitbucket($this->io, $this->config);
if (!$bitBucketUtil->authorizeOAuth($this->originUrl) && (!$this->io->isInteractive() || !$bitBucketUtil->authorizeOAuthInteractively($this->originUrl, $message))) {
throw new TransportException('Could not authenticate against ' . $this->originUrl, 401);
}
}
} else {
// 404s are only handled for github
if ($httpStatus === 404) {
return;
}
// fail if the console is not interactive
if (!$this->io->isInteractive()) {
if ($httpStatus === 401) {
$message = "The '" . $this->fileUrl . "' URL required authentication.\nYou must be using the interactive console to authenticate";
}
if ($httpStatus === 403) {
$message = "The '" . $this->fileUrl . "' URL could not be accessed: " . $reason;
}
throw new TransportException($message, $httpStatus);
}
// fail if we already have auth
if ($this->io->hasAuthentication($this->originUrl)) {
throw new TransportException("Invalid credentials for '" . $this->fileUrl . "', aborting.", $httpStatus);
}
$this->io->overwriteError(' Authentication required (<info>' . parse_url($this->fileUrl, PHP_URL_HOST) . '</info>):');
$username = $this->io->ask(' Username: '******' Password: '******'store-auths');
}
$this->retry = true;
throw new TransportException('RETRY');
}
