Bitbucket DC: Use permissions/search Endpoint to support Unlicensed Service Accounts and Improve Auth Efficiency #2470

@tricktron

Summary

Follow-up to #2468. Currently, PAC's Bitbucket Data Center integration requires the service account to be a licensed Bitbucket user (LICENSED_USER global permission) because the vendored go-scm library calls /rest/api/1.0/admin/groups/more-members to resolve group membership. This endpoint requires the LICENSED_USER global permission, which means organizations must consume a Bitbucket license seat for what is essentially a technical/bot account.

Motivation

Cost: A licensed Bitbucket DC user seat costs money. Technical service accounts shouldn't need one.

Current Behavior

IsMember() in go-scm (scm/driver/stash/org.go)
  1. GET /projects/{key}/permissions/users — finds directly assigned users
  2. GET /projects/{key}/permissions/groups — lists groups with project permissions
  3. For each group: GET /admin/groups/more-members?context={group} — requires LICENSED_USER

Step 3 fails if the service account is unlicensed. The error surfaces as "No message available" and aborts the entire auth check. The repo-level and OWNERS file fallbacks never execute.

Desired

Bitbucket Data Center 8.5 added the permissions/search endpoint:

  • Project level: GET /projects/{projectKey}/permissions/search?filterText={user}
    • Requires: PROJECT_ADMIN
    • Returns: direct and implied permissions (including group-inherited and global)
  • Repo level: GET /projects/{projectKey}/repos/{repoSlug}/permissions/search?filterText={user}
    • Requires: REPO_ADMIN
    • Returns: direct and implied permissions (including group-inherited, project-inherited, and global)

These endpoints:

  • Do NOT require LICENSED_USER — they are gated by project/repo-level permissions that the service account already has
  • Return effective permissions including group inheritance in a single API call
  • Eliminate the need for the /admin/ endpoint entirely

Minimum Bitbucket DC version

Requires Bitbucket Data Center 8.5+ (released mid-2022). Bitbucket 7.x reached end of support in February 2024.
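
A sketch of the single-call check proposed above, as an added example; it is not code from PAC or go-scm. The function names and the response shape (Bitbucket's usual paged `values` envelope with `user.name` and `permission`) are assumptions, as is treating `filterText` as a filter rather than an exact match, which is why the username is compared exactly before access is granted.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// Assumed response shape (not from the issue): paged envelope, one entry per
// matching user with that user's effective permission.
type searchPage struct {
	Values []struct {
		User       struct{ Name string `json:"name"` } `json:"user"`
		Permission string `json:"permission"`
	} `json:"values"`
}

// searchPath builds the project-level path from the issue, escaping both inputs
// so a crafted key or username cannot alter the request path or query.
func searchPath(projectKey, user string) string {
	return "/rest/api/1.0/projects/" + url.PathEscape(projectKey) +
		"/permissions/search?filterText=" + url.QueryEscape(user)
}

// hasProjectPermission reports whether user is listed with a permission.
// Names are compared exactly: a hit for "alice-admin" must not authorize "alice".
func hasProjectPermission(body []byte, user string) (bool, error) {
	var page searchPage
	if err := json.Unmarshal(body, &page); err != nil {
		// Fail closed, but return the error so the caller can try its fallbacks.
		return false, fmt.Errorf("decode permissions/search: %w", err)
	}
	for _, v := range page.Values {
		if v.User.Name == user && v.Permission != "" {
			return true, nil
		}
	}
	return false, nil
}

// Constructed sample body for illustration only.
const sampleBody = `{"values":[
 {"user":{"name":"alice-admin"},"permission":"PROJECT_ADMIN"},
 {"user":{"name":"bob"},"permission":"PROJECT_WRITE"}]}`

func main() {
	fmt.Println(searchPath("PAC", "bob"))
	ok, err := hasProjectPermission([]byte(sampleBody), "alice")
	fmt.Println(ok, err) // "alice" only matches as a substring of "alice-admin"
}
```
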
