Machine ID: Add bitbucket join method for Bitbucket Pipelines joining

api/proto/teleport/legacy/types/types.proto

@@ -1321,6 +1321,8 @@ message ProvisionTokenSpecV2 {
   ProvisionTokenSpecV2TPM TPM = 15 [(gogoproto.jsontag) = "tpm,omitempty"];
   // TerraformCloud allows the configuration of options specific to the "terraform_cloud" join method.
   ProvisionTokenSpecV2TerraformCloud TerraformCloud = 16 [(gogoproto.jsontag) = "terraform_cloud,omitempty"];
+  // Bitbucket allows the configuration of options specific to the "bitbucket" join method.
+  ProvisionTokenSpecV2Bitbucket Bitbucket = 17 [(gogoproto.jsontag) = "bitbucket,omitempty"];
 }
 
 // ProvisionTokenSpecV2TPM contains the TPM-specific part of the
@@ -1661,6 +1663,51 @@ message ProvisionTokenSpecV2TerraformCloud {
   string Hostname = 3 [(gogoproto.jsontag) = "hostname,omitempty"];
 }
 
+message ProvisionTokenSpecV2Bitbucket {
+  // Rule is a set of properties the Bitbucket-issued token might have to be
+  // allowed to use this ProvisionToken.
+  message Rule {
+    // WorkspaceUUID is the UUID of the workspace for which this token was
+    // issued. Bitbucket UUIDs must begin and end with braces, e.g. '{...}'.
+    // This value may be found in the Pipelines -> OpenID Connect section of the
+    // repository settings.
+    string WorkspaceUUID = 1 [(gogoproto.jsontag) = "workspace_uuid,omitempty"];
+
+    // RepositoryUUID is the UUID of the repository for which this token was
+    // issued. Bitbucket UUIDs must begin and end with braces, e.g. '{...}'.
+    // This value may be found in the Pipelines -> OpenID Connect section of the
+    // repository settings.
+    string RepositoryUUID = 2 [(gogoproto.jsontag) = "repository_uuid,omitempty"];
+
+    // PipelineUUID is the UUID of the pipeline for which this token was issued.
+    // Bitbucket UUIDs must begin and end with braces, e.g. '{...}'
+    string PipelineUUID = 3 [(gogoproto.jsontag) = "pipeline_uuid,omitempty"];
+
+    // StepUUID is the UUID of the pipeline step for which this token was
+    // issued. Bitbucket UUIDs must begin and end with braces, e.g. '{...}'
+    string StepUUID = 4 [(gogoproto.jsontag) = "step_uuid,omitempty"];
+
+    // BranchName is the name of the branch on which this pipeline executed.
+    string BranchName = 5 [(gogoproto.jsontag) = "branch_name,omitempty"];
+  }
+
+  // Allow is a list of Rules, nodes using this token must match one
+  // allow rule to use this token.
+  repeated Rule Allow = 1 [(gogoproto.jsontag) = "allow,omitempty"];
+
+  // Audience is a Bitbucket-specified audience value for this token. It is
+  // unique to each Bitbucket repository, and must be set to the value as
+  // written in the Pipelines -> OpenID Connect section of the repository
+  // settings.
+  string Audience = 2 [(gogoproto.jsontag) = "audience,omitempty"];
+
+  // IdentityProviderURL is a Bitbucket-specified issuer URL for incoming OIDC
+  // tokens. It is unique to each Bitbucket repository, and must be set to the
+  // value as written in the Pipelines -> OpenID Connect section of the
+  // repository settings.
+  string IdentityProviderURL = 3 [(gogoproto.jsontag) = "identity_provider_url,omitempty"];
+}
+
 // StaticTokensV2 implements the StaticTokens interface.
 message StaticTokensV2 {
   option (gogoproto.goproto_stringer) = false;

api/types/provisioning.go

@@ -74,6 +74,9 @@ const (
 	// JoinMethodTerraformCloud indicates that the node will join using the Terraform
 	// join method. See lib/terraformcloud for more.
 	JoinMethodTerraformCloud JoinMethod = "terraform_cloud"
+	// JoinMethodBitbucket indicates that the node will join using the Bitbucket
+	// join method. See lib/bitbucket for more.
+	JoinMethodBitbucket JoinMethod = "bitbucket"
 )
 
 var JoinMethods = []JoinMethod{
@@ -363,6 +366,17 @@ func (p *ProvisionTokenV2) CheckAndSetDefaults() error {
 		if err := providerCfg.checkAndSetDefaults(); err != nil {
 			return trace.Wrap(err, "spec.terraform_cloud: failed validation")
 		}
+	case JoinMethodBitbucket:
+		providerCfg := p.Spec.Bitbucket
+		if providerCfg == nil {
+			return trace.BadParameter(
+				"spec.bitbucket: must be configured for the join method %q",
+				JoinMethodBitbucket,
+			)
+		}
+		if err := providerCfg.checkAndSetDefaults(); err != nil {
+			return trace.Wrap(err, "spec.bitbucket: failed validation")
+		}
 	default:
 		return trace.BadParameter("unknown join method %q", p.Spec.JoinMethod)
 	}
@@ -862,3 +876,31 @@ func (a *ProvisionTokenSpecV2TerraformCloud) checkAndSetDefaults() error {
 
 	return nil
 }
+
+func (a *ProvisionTokenSpecV2Bitbucket) checkAndSetDefaults() error {
+	if len(a.Allow) == 0 {
+		return trace.BadParameter("the %q join method requires at least one token allow rule", JoinMethodBitbucket)
+	}
+
+	if a.Audience == "" {
+		return trace.BadParameter("audience: an OpenID Connect Audience value is required")
+	}
+
+	if a.IdentityProviderURL == "" {
+		return trace.BadParameter("identity_provider_url: an identity provider URL is required")
+	}
+
+	for i, rule := range a.Allow {
+		workspaceSet := rule.WorkspaceUUID != ""
+		repositorySet := rule.RepositoryUUID != ""
+
+		if !workspaceSet && !repositorySet {
+			return trace.BadParameter(
+				"allow[%d]: at least one of ['workspace_uuid', 'repository_uuid'] must be set",
+				i,
+			)
+		}
+	}
+
+	return nil
+}