Bitbucket Server documentation

The documentation for Bitbucket Server is incorrect, at least, the Registration part. This part is a copy-paste from Bitbucket (cloud).

This can be a starting point:

or, better, the page linked in that question:
https://developer.atlassian.com/jiradev/jira-apis/jira-rest-apis/jira-rest-api-tutorials/jira-rest-api-example-oauth-authentication

See http://readme.drone.io/admin/setup-bitbuket-server/

That is exactly the documentation that is incorrect. More specifically, under the Registration section:

You must register your application with Bitbucket Server in order to generate a consumer key. Navigate to your account settings and choose Applications from the menu, and click Register new application. Now copy & paste the text value from /etc/bitbucket/key.pub into the Public Key in the incoming link part of the application registration.
Please use http://drone.mycompany.com/authorize as the Authorization callback URL.

There is no option to ‘register new application’ in my account settings in Bitbucket Server
The links in my post reference the Atlassian docs on how to register an application to use OAuth. I tried using those combined with the info from http://readme.drone.io/admin/setup-bitbuket-server/ but still can’t make it work.

I faced the same problem.

You have to add Drone in the “Administration” interface (gear icon on the top right) and then under “Settings” -> “Application Link”.

There you add your Drone URL and click “Create new link”.

I don’t know what value has to go in:

  • Shared secret
  • Request Token URL
  • Access token URL

You have to enable “Create incoming link”.

There you set the “consumer key” again and the public key.

When i try to login i get this error multiple times:

time="2017-01-25T17:14:23Z" level=error msg="cannot authenticate user. getBody: httpExecute: HTTP response is not 200/OK as expected. Actual response: \n\tResponse Status: '401 Unauthorized'\n\tResponse Code: 401\n\tResponse Body: oauth_problem=signature_invalid&oauth_signature=... oauth_signature_method=RSA-SHA1\n\tRequest Headers: [key: Authorization, val: OAuth oauth_callback=\"oob\",oauth_consumer_key=\"...\",oauth_nonce=\"...\",oauth_signature=\"...",oauth_signature_method=\"RSA-SHA1\",oauth_timestamp=\"1485364463\",oauth_version=\"1.0\"]" 

oauth_callback="oob" in your error message is interesting. This would tell me that Bitbucket was not configured with a callback URL and is using oob as the redirect. The oob callback is used for non-web applications that don’t have an address:

Non-web applications may wish to use custom URL schemes, or out-of-band handling. Out-of-band handling is triggered by setting the callback URL to the string

I obviously can’t speak to the Bitbucket Server implementation (have never used it) but I do have some experience with oauth1 and this stands out to me as a possible root cause.

That is strange since i set the Authorization callback URL.

For the “Shared secret” i set a random string that Drone don’t knows and for “Request Token URL” and “Request Token URL” the drone base URL, since i have no idea what to put there.

I get a redirect loop when trying to authenticate.

Request URL:https://drone.company.de/authorize
Request Method:GET
Status Code:303 See Other
Remote Address:xxx:443
Response Headers

Access-Control-Allow-Origin:*
Cache-Control:no-cache, no-store, max-age=0, must-revalidate, value
Connection:keep-alive
Content-Length:51
Content-Type:text/html; charset=utf-8
Date:Thu, 26 Jan 2017 09:36:49 GMT
Expires:Thu, 01 Jan 1970 00:00:00 GMT
Last-Modified:Thu, 26 Jan 2017 09:36:49 GMT
Location:/login?error=oauth_error
Server:nginx/1.10.0 (Ubuntu)
X-Content-Type-Options:nosniff
X-Drone-Version:0.5.0+859
X-Frame-Options:DENY
X-Xss-Protection:1; mode=block

Request URL:https://drone.company.de/login?error=oauth_error
Request Method:GET
Status Code:303 See Other
Remote Address:xxx:443
Response Headers

Access-Control-Allow-Origin:*
Cache-Control:no-cache, no-store, max-age=0, must-revalidate, value
Connection:keep-alive
Content-Length:37
Content-Type:text/html; charset=utf-8
Date:Thu, 26 Jan 2017 09:36:49 GMT
Expires:Thu, 01 Jan 1970 00:00:00 GMT
Last-Modified:Thu, 26 Jan 2017 09:36:49 GMT
Location:/authorize
Server:nginx/1.10.0 (Ubuntu)
X-Content-Type-Options:nosniff
X-Drone-Version:0.5.0+859
X-Frame-Options:DENY
X-Xss-Protection:1; mode=block

If you are getting a redirect loop you should upgrade drone, since that was fixed and merged about a week ago https://github.com/drone/drone/pull/1887

I have never heard of the shared secret, so unfortunately I cannot comment there. Perhaps the “Link Applications” screen is not the correct screen to setup the integration?

In this case I highly recommend everyone having issues with Bitbucket Server contact the guy that implemented this integration. He should be considered the maintainer and is best qualified to support it. His GitHub handle is josmo. He can be contacted in this thread https://github.com/drone/drone/pull/1581

Another option would be to ask Bitbucket support, assuming you pay for enterprise support.

I installed it yesterday and have the newest docker image with 0.5 tag.

root@drone:~# docker pull drone/drone:0.5
0.5: Pulling from drone/drone
Digest: sha256:f04adc8fd1097671af6d74dd809eefea6e5062a881912322d3d908e167253a97
Status: Image is up to date for drone/drone:0.5

Or is there already a newer version available?

I created an issue and mentioned josmo: https://github.com/drone/drone/issues/1914

@davidak You can see my tutorial on the blog in Chinese and you can refer to pictures from the blog post.

I translated it but it’s very bad, sometimes funny:

https://translate.google.com/translate?sl=zh-CN&tl=de&u=https%3A%2F%2Fblog.wu-boy.com%2F2016%2F09%2Fdrone-ci-server-integrate-atlassian-bitbucket-server%2F

I got the information that i have to put the “DRONE_SECRET” into “Shared secret”, but still don’t know what needs to go in “Request Token URL” and “Access token URL”. I leaved it empty this time. I got an error that this fields are needed but the link was still created. And again i get a redirect loop when trying to login.

@davidak I’ll see about updating the docs. Unfortunately depending on what version of stash/bitbucket server the workflow varies slightly.

only the incoming link matters

  1. You’ll need to go to application links in the admin panel
  2. enter the url for where drone will be hosted and click create link (it will say the service isn’t up yet just continue)
  3. give it a name and don’t fill anything out (I know stupid but it’s the only way it works)
  4. edit the application link you just created
  5. select Incoming authentication
  6. Match the Consumer key to the ENV variable for drone
  7. Consumer name doesn’t really matter
  8. copy in the public key that was created and matches what drone is using for the private key
  9. make sure to add the consumer callback url to be the hosted link with /authorize at the end

sorry it’s so many steps and a non intuitive order but Stash/Bitbucket server is not super easy to integrate with :confused:

I followed your instructions but ended again in a redirect loop.

We have Atlassian Bitbucket v4.11.0.

Here are the logs from the bitbucket side:

2017-01-27 10:43:59,510 DEBUG [http-nio-7990-exec-2] @xxx <IP>,127.0.0.1 "POST /plugins/servlet/oauth/request-token HTTP/1.1" c.a.b.i.c.s.CrowdSsoAuthenticationHandler Skipping Crowd SSO as it is not enabled
2017-01-27 10:43:59,511 DEBUG [http-nio-7990-exec-2] @xxx <IP>,127.0.0.1 "POST /plugins/servlet/oauth/request-token HTTP/1.1" c.a.s.i.i18n.PluginI18nService No values found in any valid locale for key ProviderManager.providerNotFound and locales [en_US, en, de_DE, de]
2017-01-27 10:43:59,513 WARN  [http-nio-7990-exec-2] @xxx <IP>,127.0.0.1 "POST /plugins/servlet/oauth/request-token HTTP/1.1" c.a.o.s.i.s.RequestTokenServlet Problem encountered authenticating OAuth client for url "https://bitbucket.company.de/plugins/servlet/oauth/request-token", error was "signature_invalid", with parameters "{oauth_problem=signature_invalid, oauth_signature=xxx+xxxx+xxxxx=, oauth_signature_base_string=POST&https%3A%2F%2Fbitbucket.company.de%2Fplugins%2Fservlet%2Foauth%2Frequest-token&oauth_callback%3Doob%26oauth_consumer_key%xxxxx%26oauth_nonce%xxx%26oauth_signature_method%3DRSA-SHA1%26oauth_timestamp%xxx%26oauth_version%3D1.0, oauth_signature_method=RSA-SHA1}"

Logs from Drone are above.

https://confluence.atlassian.com/kb/oauth-error-oauth_problem-signature_invalid-720406720.html

looks like this might be the issue?

@davidak per the link @josmo posted, it indicates that error is common when a reverse proxy is not configured with the HOST. This is also a common issue with Drone when a reverse proxy is not configured with X-Forwarded-For and X-Forwarded-Proto headers. Are you using a reverse proxy, and have you configured these headers to get passed to Drone?

I use Nginx and configured it like described in the docs. I use SSL and provided the https URL to Bitbucket.

...

location / {
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $http_host;

    proxy_pass http://127.0.0.1:8000;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_read_timeout 240s;

    chunked_transfer_encoding off;
}

...

http://readme.drone.io/questions/how-to-install-behind-nginx/

@davidak maybe it makes sense for you to contact bitbucket support to see what would cause a signature_invalid error? Maybe there is an issue with the private key that was generated?

i generated the pub key again from the private key and it is the same as before. what issue could it be other than mismatch?

i will contact the atlassian support.

@davidak can you add a screenshot of the incoming link with the values blured out and what you have for the container start. Also, if you’re up for it I’m down to screen hero for 15-30 minute to help you out.

sure

docker-compose.yml:

version: '2'

services:
  drone-server:
    image: drone/drone:0.5
    ports:
      - 8000:8000
    volumes:
      - ./drone:/var/lib/drone/
      - /etc/bitbucket/key.pem:/etc/bitbucket/key.pem
    restart: always
    environment:
      - DRONE_OPEN=true
      - DRONE_ADMIN=dkl
      - DRONE_SECRET=xxxxx
      - DRONE_CACHE_TTY=15m
      - DRONE_STASH=true
      - DRONE_STASH_URL=https://bitbucket.company.de/
      - DRONE_STASH_GIT_USERNAME=drone
      - DRONE_STASH_GIT_PASSWORD=yyy
      - DRONE_STASH_CONSUMER_KEY=zzz
      - DRONE_STASH_CONSUMER_RSA=/etc/bitbucket/key.pem

  drone-agent:
    image: drone/drone:0.5
    command: agent
    restart: always
    depends_on: [ drone-server ]
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - DRONE_SERVER=ws://drone-server:8000/ws/broker
      - DRONE_SECRET=xxxxx

right now i’m going to sleep but tomorrow we can have a screensharing session. what do you use? teamviewer? (i’m on linux)

Sorry, new users can only put one image in a post.