feat(bitbucket): check bitbucket webhook signature if webhook_secret is defined

[oioki]

Preparing Bitbucket webhook secret validation. This is actual signature header validation, but no integrations/repos have the associated secret yet.

Follow-up PRs:

• backend endpoint to modify webhook_secret: feat(bitbucket): add webhook secret on each repository creation #83732

To fix the problem, we should avoid returning the exception message directly to the user. Instead, we should log the exception message on the server and return a generic error message to the user. This way, developers can still access the detailed error information in the logs, but external users will not see any sensitive information.

• Modify the code to log the exception message using the logger and return a generic error message in the HTTP response.
• Ensure that the logging captures the necessary details for debugging without exposing them to the user.

[cathteng]

why are we storing the webhook secret in each repository? should the webhook secret be for each integration instance, like we have for gitlab?

sentry/src/sentry/integrations/gitlab/webhooks.py

Lines 317 to 322 in 50658af

	if not constant_time_compare(secret, integration.metadata["webhook_secret"]):
	# Summary and potential workaround mentioned here:
	# https://github.com/getsentry/sentry/issues/34903#issuecomment-1262754478
	extra["reason"] = GITHUB_WEBHOOK_SECRET_INVALID_ERROR
	logger.info("gitlab.webhook.invalid-token-secret", extra=extra)
	return HttpResponse(status=409, reason=GITHUB_WEBHOOK_SECRET_INVALID_ERROR)

[oioki]

Oh I see, we create a webhook via corresponding API once the integration is complete, I will look in that direction for Bitbucket.

[oioki]

From what I can see, all of GitLab, GitHub, and Bitbucket support setting separate webhook secrets on repository level.

It seems like for GitLab, we're creating webhooks on project (=repository) level as well:

sentry/src/sentry/integrations/gitlab/client.py

Lines 259 to 269 in e6d22ef

	def create_project_webhook(self, project_id):
	"""Create a webhook on a project
	See https://docs.gitlab.com/ee/api/projects.html#add-project-hook
	"""
	path = GitLabApiClientPath.project_hooks.format(project=project_id)
	hook_uri = reverse("sentry-extensions-gitlab-webhook")
	model = self.installation.model
	data = {
	"url": absolute_uri(hook_uri),
	"token": "{}:{}".format(model.external_id, model.metadata["webhook_secret"]),

While this change seems misaligned with existing GitLab/GitHub integrations, but it is more secure to have separate secrets for each repo.

[cathteng]

we had a DM conversation but the summary is that other SCM integrations currently have integration-level webhook validation so i think it would be a good idea to get bitbucket up to parity with that first. if we want to do repo-level webhooks we should consider adding it across all SCM integrations at once

[codecov]

Codecov Report

Attention: Patch coverage is 98.30508% with 1 line in your changes missing coverage. Please review.

✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
src/sentry/integrations/bitbucket/webhook.py	96.42%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #82541      +/-   ##
==========================================
- Coverage   87.63%   87.57%   -0.06%     
==========================================
  Files        9490     9462      -28     
  Lines      541228   538831    -2397     
  Branches    21231    21046     -185     
==========================================
- Hits       474294   471897    -2397     
+ Misses      66586    66532      -54     
- Partials      348      402      +54     

[sentaur-athena]

This looks good to me unless @cathteng has any other concerns about the design.

[oioki]

We will do #84309 instead