Azure Devops support

cmd/server.go

@@ -36,6 +36,10 @@ import (
 // 3. Add your flag's description etc. to the stringFlags, intFlags, or boolFlags slices.
 const (
 	// Flag names.
+	ADBasicPasswordFlag        = "azuredevops-basic-password" // nolint: gosec
+	ADBasicUserFlag            = "azuredevops-basic-user"
+	ADTokenFlag                = "azuredevops-token" // nolint: gosec
+	ADUserFlag                 = "azuredevops-user"
 	AllowForkPRsFlag           = "allow-fork-prs"
 	AllowRepoConfigFlag        = "allow-repo-config"
 	AtlantisURLFlag            = "atlantis-url"
@@ -72,8 +76,9 @@ const (
 	TFETokenFlag               = "tfe-token"
 	WriteGitCredsFlag          = "write-git-creds"
 
-	// Flag defaults.
 	// NOTE: Must manually set these as defaults in the setDefaults function.
+	DefaultADBasicUser      = ""
+	DefaultADBasicPassword  = ""
 	DefaultCheckoutStrategy = "branch"
 	DefaultBitbucketBaseURL = bitbucketcloud.BaseURL
 	DefaultDataDir          = "~/.atlantis"
@@ -85,6 +90,24 @@ const (
 )
 
 var stringFlags = map[string]stringFlag{
+	ADBasicPasswordFlag: {
+		description: "Azure Devops basic authentication password for inbound webhooks " +
+			"(see https://docs.microsoft.com/en-us/azure/devops/service-hooks/authorize?view=azure-devops)." +
+			" SECURITY WARNING: If not specified, Atlantis won't be able to validate that the incoming webhook call came from your Azure Devops org. " +
+			"This means that an attacker could spoof calls to Atlantis and cause it to perform malicious actions. " +
+			"Should be specified via the ATLANTIS_AZUREDEVOPS_BASIC_PASSWORD environment variable.",
+		defaultValue: "",
+	},
+	ADBasicUserFlag: {
+		description:  "Azure Devops basic authentication username for inbound webhooks.",
+		defaultValue: "",
+	},
+	ADTokenFlag: {
+		description: "Azure Devops token of API user. Can also be specified via the ATLANTIS_DO_TOKEN environment variable.",
+	},
+	ADUserFlag: {
+		description: "Azure Devops username of API user.",
+	},
 	AtlantisURLFlag: {
 		description: "URL that Atlantis can be reached at. Defaults to http://$(hostname):$port where $port is from --" + PortFlag + ". Supports a base path ex. https://example.com/basepath.",
 	},
@@ -454,14 +477,15 @@ func (s *ServerCmd) validate(userConfig server.UserConfig) error {
 	// 1. github user and token set
 	// 2. gitlab user and token set
 	// 3. bitbucket user and token set
-	// 4. any combination of the above
-	vcsErr := fmt.Errorf("--%s/--%s or --%s/--%s or --%s/--%s must be set", GHUserFlag, GHTokenFlag, GitlabUserFlag, GitlabTokenFlag, BitbucketUserFlag, BitbucketTokenFlag)
-	if ((userConfig.GithubUser == "") != (userConfig.GithubToken == "")) || ((userConfig.GitlabUser == "") != (userConfig.GitlabToken == "")) || ((userConfig.BitbucketUser == "") != (userConfig.BitbucketToken == "")) {
+	// 4. azuredevops user and token set
+	// 5. any combination of the above
+	vcsErr := fmt.Errorf("--%s/--%s or --%s/--%s or --%s/--%s or --%s/--%s must be set", GHUserFlag, GHTokenFlag, GitlabUserFlag, GitlabTokenFlag, BitbucketUserFlag, BitbucketTokenFlag, ADUserFlag, ADTokenFlag)
+	if ((userConfig.GithubUser == "") != (userConfig.GithubToken == "")) || ((userConfig.GitlabUser == "") != (userConfig.GitlabToken == "")) || ((userConfig.BitbucketUser == "") != (userConfig.BitbucketToken == "")) || ((userConfig.AzureDevopsUser == "") != (userConfig.AzureDevopsToken == "")) {
 		return vcsErr
 	}
 	// At this point, we know that there can't be a single user/token without
 	// its partner, but we haven't checked if any user/token is set at all.
-	if userConfig.GithubUser == "" && userConfig.GitlabUser == "" && userConfig.BitbucketUser == "" {
+	if userConfig.GithubUser == "" && userConfig.GitlabUser == "" && userConfig.BitbucketUser == "" && userConfig.AzureDevopsUser == "" {
 		return vcsErr
 	}
 
@@ -550,6 +574,7 @@ func (s *ServerCmd) trimAtSymbolFromUsers(userConfig *server.UserConfig) {
 	userConfig.GithubUser = strings.TrimPrefix(userConfig.GithubUser, "@")
 	userConfig.GitlabUser = strings.TrimPrefix(userConfig.GitlabUser, "@")
 	userConfig.BitbucketUser = strings.TrimPrefix(userConfig.BitbucketUser, "@")
+	userConfig.AzureDevopsUser = strings.TrimPrefix(userConfig.AzureDevopsUser, "@")
 }
 
 func (s *ServerCmd) securityWarnings(userConfig *server.UserConfig) {
@@ -565,6 +590,9 @@ func (s *ServerCmd) securityWarnings(userConfig *server.UserConfig) {
 	if userConfig.BitbucketUser != "" && userConfig.BitbucketBaseURL == DefaultBitbucketBaseURL && !s.SilenceOutput {
 		s.Logger.Warn("Bitbucket Cloud does not support webhook secrets. This could allow attackers to spoof requests from Bitbucket. Ensure you are whitelisting Bitbucket IPs")
 	}
+	if (userConfig.AzureDevopsWebhookBasicUser == "" || userConfig.AzureDevopsWebhookBasicPassword == "") && !s.SilenceOutput {
+		s.Logger.Warn("no Azure Devops webhook basic user and password set. This could allow attackers to spoof requests from Azure Devops.")
+	}
 }
 
 // deprecationWarnings prints a warning if flags that are deprecated are

cmd/server_test.go

@@ -184,7 +184,7 @@ func TestExecute_ValidateSSLConfig(t *testing.T) {
 }
 
 func TestExecute_ValidateVCSConfig(t *testing.T) {
-	expErr := "--gh-user/--gh-token or --gitlab-user/--gitlab-token or --bitbucket-user/--bitbucket-token must be set"
+	expErr := "--gh-user/--gh-token or --gitlab-user/--gitlab-token or --bitbucket-user/--bitbucket-token or --azuredevops-user/--azuredevops-token must be set"
 	cases := []struct {
 		description string
 		flags       map[string]interface{}
@@ -216,6 +216,13 @@ func TestExecute_ValidateVCSConfig(t *testing.T) {
 			},
 			true,
 		},
+		{
+			"just azuredevops token set",
+			map[string]interface{}{
+				cmd.ADTokenFlag: "token",
+			},
+			true,
+		},
 		{
 			"just github user set",
 			map[string]interface{}{
@@ -237,6 +244,13 @@ func TestExecute_ValidateVCSConfig(t *testing.T) {
 			},
 			true,
 		},
+		{
+			"just azuredevops user set",
+			map[string]interface{}{
+				cmd.ADUserFlag: "user",
+			},
+			true,
+		},
 		{
 			"github user and gitlab token set",
 			map[string]interface{}{
@@ -285,6 +299,14 @@ func TestExecute_ValidateVCSConfig(t *testing.T) {
 			},
 			false,
 		},
+		{
+			"azuredevops user and azuredevops token set and should be successful",
+			map[string]interface{}{
+				cmd.ADUserFlag:  "user",
+				cmd.ADTokenFlag: "token",
+			},
+			false,
+		},
 		{
 			"all set should be successful",
 			map[string]interface{}{
@@ -294,6 +316,8 @@ func TestExecute_ValidateVCSConfig(t *testing.T) {
 				cmd.GitlabTokenFlag:    "token",
 				cmd.BitbucketUserFlag:  "user",
 				cmd.BitbucketTokenFlag: "token",
+				cmd.ADUserFlag:         "user",
+				cmd.ADTokenFlag:        "token",
 			},
 			false,
 		},
@@ -316,13 +340,17 @@ func TestExecute_ValidateVCSConfig(t *testing.T) {
 func TestExecute_Defaults(t *testing.T) {
 	t.Log("Should set the defaults for all unspecified flags.")
 	c := setup(map[string]interface{}{
-		cmd.GHUserFlag:         "user",
-		cmd.GHTokenFlag:        "token",
-		cmd.GitlabUserFlag:     "gitlab-user",
-		cmd.GitlabTokenFlag:    "gitlab-token",
-		cmd.BitbucketUserFlag:  "bitbucket-user",
-		cmd.BitbucketTokenFlag: "bitbucket-token",
-		cmd.RepoWhitelistFlag:  "*",
+		cmd.GHUserFlag:          "user",
+		cmd.GHTokenFlag:         "token",
+		cmd.GitlabUserFlag:      "gitlab-user",
+		cmd.GitlabTokenFlag:     "gitlab-token",
+		cmd.BitbucketUserFlag:   "bitbucket-user",
+		cmd.BitbucketTokenFlag:  "bitbucket-token",
+		cmd.ADBasicUserFlag:     "azuredevops-basic-user",
+		cmd.ADBasicPasswordFlag: "azuredevops-basic-password",
+		cmd.ADTokenFlag:         "azuredevops-token",
+		cmd.ADUserFlag:          "azuredevops-user",
+		cmd.RepoWhitelistFlag:   "*",
 	})
 	err := c.Execute()
 	Ok(t, err)
@@ -354,6 +382,8 @@ func TestExecute_Defaults(t *testing.T) {
 	Equals(t, "https://api.bitbucket.org", passedConfig.BitbucketBaseURL)
 	Equals(t, "bitbucket-token", passedConfig.BitbucketToken)
 	Equals(t, "bitbucket-user", passedConfig.BitbucketUser)
+	Equals(t, "azuredevops-token", passedConfig.AzureDevopsToken)
+	Equals(t, "azuredevops-user", passedConfig.AzureDevopsUser)
 	Equals(t, "", passedConfig.BitbucketWebhookSecret)
 	Equals(t, "info", passedConfig.LogLevel)
 	Equals(t, 4141, passedConfig.Port)

runatlantis.io/.vuepress/components/HomeCustom.vue

@@ -129,7 +129,7 @@
                   Fargate, etc.
                 </li>
                 <li><img class="checkmark" src="/checkmark.svg">Listens for
-                  webhooks from GitHub/GitLab/Bitbucket.
+                  webhooks from GitHub/GitLab/Bitbucket/Azure Devops.
                 </li>
                 <li><img class="checkmark" src="/checkmark.svg">Runs terraform
                   commands remotely and comments back with their output.

runatlantis.io/docs/access-credentials.md

@@ -1,5 +1,6 @@
 # Git Host Access Credentials
-This page describes how to create credentials for your Git host (GitHub, GitLab or Bitbucket)
+This page describes how to create credentials for your Git host (GitHub, GitLab, Bitbucket, or Azure Devops)
+
 that Atlantis will use to make API calls.
 [[toc]]
 
@@ -19,6 +20,7 @@ generate an access token. Read on for the instructions for your specific Git hos
 * [GitLab](#gitlab)
 * [Bitbucket Cloud (bitbucket.org)](#bitbucket-cloud-bitbucket-org)
 * [Bitbucket Server (aka Stash)](#bitbucket-server-aka-stash)
+* [Azure Devops](#azure-devops)
 
 ### GitHub
 - Create a Personal Access Token by following: [https://help.github.com/articles/creating-a-personal-access-token-for-the-command-line/#creating-a-token](https://help.github.com/articles/creating-a-personal-access-token-for-the-command-line/#creating-a-token)
@@ -48,5 +50,14 @@ Your Atlantis user must also have "Write permissions" (for repos in an organizat
 - Give the token **Read** Project permissions and **Write** Pull request permissions
 - Click **Create** and record the access token
 
+### Azure Devops
+- Create a Personal access token by following [https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops](https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops)
+- Label the password "atlantis"
+- The minimum scopes required for this token are:
+  - Code (Read)
+  - Code (Status)
+  - Work Items (Read & write)
+- Record the access token
+
 ## Next Steps
 Once you've got your user and access token, you're ready to create a webhook secret. See [Creating a Webhook Secret](webhook-secrets.html).

runatlantis.io/docs/apply-requirements.md

@@ -49,6 +49,7 @@ Each VCS provider has different rules around who can approve:
 * **Bitbucket Cloud (bitbucket.org)** – A user can approve their own pull request but
   Atlantis does not count that as an approval and requires an approval from at least one user that
   is not the author of the pull request
+* **Azure Devops** – **All builtin groups include the "Contribute to pull requests"** permission and can approve a pull request
 
 :::tip Tip
 If you want to require **certain people** to approve the pull request, look at the
@@ -120,6 +121,20 @@ merge. We don't check anything else because Bitbucket's API doesn't support it.
 If you need a specific check, please
 [open an issue](https://github.com/runatlantis/atlantis/issues/new).
 
+#### Azure Devops
+In Azure Devops, all pull requests are mergeable unless there is a conflict. You can set a pull request to "Complete" right away, or set "Auto-Complete", which will merge after all branch policies are met. See [Review code with pull requests](https://docs.microsoft.com/en-us/azure/devops/repos/git/pull-requests?view=azure-devops).
+
+[Branch policies](https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops) can:
+* Require a minimum number of reviewers
+* Allow users to approve their own changes
+* Allow completion even if some reviewers vote "Waiting" or "Reject"
+* Reset code reviewer votes when there are new changes
+* Require a specfic merge strategy (squash, rebase, etc.)
+
+::: warning
+At this time, the Azure Devops client only supports merging using the default 'no fast-forward' strategy. Make sure your branch policies permit this type of merge.
+:::
+
 ## Setting Apply Requirements
 As mentioned above, you can set apply requirements via flags, in `repos.yaml`, or in `atlantis.yaml` if `repos.yaml`
 allows the override.
@@ -186,3 +201,4 @@ request can run the actual `atlantis apply` command.
 * For more information on GitHub pull request reviews and approvals see: [https://help.github.com/articles/about-pull-request-reviews/](https://help.github.com/articles/about-pull-request-reviews/)
 * For more information on GitLab merge request reviews and approvals (only supported on GitLab Enterprise) see: [https://docs.gitlab.com/ee/user/project/merge_requests/merge_request_approvals.html](https://docs.gitlab.com/ee/user/project/merge_requests/merge_request_approvals.html).
 * For more information on Bitbucket pull request reviews and approvals see: [https://confluence.atlassian.com/bitbucket/pull-requests-and-code-review-223220593.html](https://confluence.atlassian.com/bitbucket/pull-requests-and-code-review-223220593.html)
+* For more information on Azure Devops pull request reviews and approvals see: [https://docs.microsoft.com/en-us/azure/devops/repos/git/pull-requests-overview?view=azure-devops](https://docs.microsoft.com/en-us/azure/devops/repos/git/pull-requests-overview?view=azure-devops)

runatlantis.io/docs/configuring-webhooks.md

@@ -85,7 +85,40 @@ If you're using GitLab, navigate to your project's home page in GitLab
 - Click **Save**<img src="../guide/images/bitbucket-server-webhook.png" alt="Bitbucket Webhook" style="max-height: 500px;">
 - See [Next Steps](#next-steps)
 
+## Azure Devops
+Webhooks are installed at the [team project](https://docs.microsoft.com/en-us/azure/devops/organizations/projects/about-projects?view=azure-devops) level, but may be restricted to only fire based on events pertaining to [specific repos](https://docs.microsoft.com/en-us/azure/devops/service-hooks/services/webhooks?view=azure-devops) within the team project.
+
+- Navigate anywhere within a team project, ie: `https://dev.azure.com/orgName/projectName/_git/repoName`
+- Select **Project settings** in the lower-left corner
+- Select **Service hooks**
+  - If you see the message "You do not have sufficient permissions to view or configure subscriptions." you need to ensure your user is a member of either the organization's "Project Collection Administrators" group or the project's "Project Administrators" group.
+  - To add your user to the Project Collection Build Administrators group, navigate to the organization level, click **Organization Settings** and then click **Permissions**. You should be at `https://dev.azure.com/<organization>/_settings/groups`. Now click on the **<organization>/Project Collection Administrators** group and add your user as a member.
+  - To add your user to the Project Administrators group, navigate to the project level, click **Project Settings** and then click **Permissions**. You should be at `https://dev.azure.com/<organization>/<project>/_settings/permissions`. Now click on the **[<project>]/Project Administrators** group and add your user as a member.
+- Click **Create subscription** or the green plus icon to add a new webhook
+- Scroll to the bottom of the list and select **Web Hooks**
+- Click **Next**
+- Under "Trigger on this type of event", select **Pull request created**
+  - Optionally, select a repository under **Filters** to restrict the scope of this webhook subscription to a specific repository
+- Click **Next**
+- Set **URL** to `http://$URL/events` where `$URL` is where Atlantis is hosted. Note that SSL, or `https://$URL/events`, is required if you set a Basic username and password for the webhook). **Be sure to add `/events`**
+- It is strongly recommended to set a Basic Username and Password for all webhooks
+- Leave all three drop-down menus for `...to send` set to **All**
+- Resource version should be set to **1.0** for `Pull request created` and `Pull request updated` event types and **2.0** for `Pull request commented on`
+- **NOTE** If you're adding a webhook to multiple team projects or repositories (using filters), each repository will need to use the **same** basic username and password.
+- Click **Finish**
+
+Repeat the process above until you have webhook subscriptions for the following event types that will trigger on all repositories Atlantis will manage:
+
+- Pull request created (you just added this one)
+- Pull request updated
+- Pull request commented on
+
+- See [Next Steps](#next-steps)
+
+## GitLab
+If you're using GitLab, navigate to your project's home page in GitLab
 ## Next Steps
 * To verify that Atlantis is receiving your webhooks, create a test pull request
-  to your repo. You should see the request show up in the Atlantis logs at an `INFO` level.
+  to your repo. 
+* You should see the request show up in the Atlantis logs at an `INFO` level.
 * You'll now need to configure Atlantis to add your [Provider Credentials](provider-credentials.html)