|
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167 |
- // Copyright 2018 The Go Authors. All rights reserved.
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
-
- // Package jira provides claims and JWT signing for OAuth2 to access JIRA/Confluence.
- package jira
-
- import (
- "context"
- "crypto/hmac"
- "crypto/sha256"
- "encoding/base64"
- "encoding/json"
- "fmt"
- "io"
- "io/ioutil"
- "net/http"
- "net/url"
- "strings"
- "time"
-
- "golang.org/x/oauth2"
- )
-
- // ClaimSet contains information about the JWT signature according
- // to Atlassian's documentation
- // https://developer.atlassian.com/cloud/jira/software/oauth-2-jwt-bearer-token-authorization-grant-type/
- type ClaimSet struct {
- Issuer string `json:"iss"`
- Subject string `json:"sub"`
- InstalledURL string `json:"tnt"` // URL of installed app
- AuthURL string `json:"aud"` // URL of auth server
- ExpiresIn int64 `json:"exp"` // Must be no later that 60 seconds in the future
- IssuedAt int64 `json:"iat"`
- }
-
- var (
- defaultGrantType = "urn:ietf:params:oauth:grant-type:jwt-bearer"
- defaultHeader = map[string]string{
- "typ": "JWT",
- "alg": "HS256",
- }
- )
-
- // Config is the configuration for using JWT to fetch tokens,
- // commonly known as "two-legged OAuth 2.0".
- type Config struct {
- // BaseURL for your app
- BaseURL string
-
- // Subject is the userkey as defined by Atlassian
- // Different than username (ex: /rest/api/2/user?username=alex)
- Subject string
-
- oauth2.Config
- }
-
- // TokenSource returns a JWT TokenSource using the configuration
- // in c and the HTTP client from the provided context.
- func (c *Config) TokenSource(ctx context.Context) oauth2.TokenSource {
- return oauth2.ReuseTokenSource(nil, jwtSource{ctx, c})
- }
-
- // Client returns an HTTP client wrapping the context's
- // HTTP transport and adding Authorization headers with tokens
- // obtained from c.
- //
- // The returned client and its Transport should not be modified.
- func (c *Config) Client(ctx context.Context) *http.Client {
- return oauth2.NewClient(ctx, c.TokenSource(ctx))
- }
-
- // jwtSource is a source that always does a signed JWT request for a token.
- // It should typically be wrapped with a reuseTokenSource.
- type jwtSource struct {
- ctx context.Context
- conf *Config
- }
-
- func (js jwtSource) Token() (*oauth2.Token, error) {
- exp := time.Duration(59) * time.Second
- claimSet := &ClaimSet{
- Issuer: fmt.Sprintf("urn:atlassian:connect:clientid:%s", js.conf.ClientID),
- Subject: fmt.Sprintf("urn:atlassian:connect:userkey:%s", js.conf.Subject),
- InstalledURL: js.conf.BaseURL,
- AuthURL: js.conf.Endpoint.AuthURL,
- IssuedAt: time.Now().Unix(),
- ExpiresIn: time.Now().Add(exp).Unix(),
- }
-
- v := url.Values{}
- v.Set("grant_type", defaultGrantType)
-
- // Add scopes if they exist; If not, it defaults to app scopes
- if scopes := js.conf.Scopes; scopes != nil {
- upperScopes := make([]string, len(scopes))
- for i, k := range scopes {
- upperScopes[i] = strings.ToUpper(k)
- }
- v.Set("scope", strings.Join(upperScopes, "+"))
- }
-
- // Sign claims for assertion
- assertion, err := sign(js.conf.ClientSecret, claimSet)
- if err != nil {
- return nil, err
- }
- v.Set("assertion", string(assertion))
-
- // Fetch access token from auth server
- hc := oauth2.NewClient(js.ctx, nil)
- resp, err := hc.PostForm(js.conf.Endpoint.TokenURL, v)
- if err != nil {
- return nil, fmt.Errorf("oauth2: cannot fetch token: %v", err)
- }
- defer resp.Body.Close()
- body, err := ioutil.ReadAll(io.LimitReader(resp.Body, 1<<20))
- if err != nil {
- return nil, fmt.Errorf("oauth2: cannot fetch token: %v", err)
- }
- if c := resp.StatusCode; c < 200 || c > 299 {
- return nil, fmt.Errorf("oauth2: cannot fetch token: %v\nResponse: %s", resp.Status, body)
- }
-
- // tokenRes is the JSON response body.
- var tokenRes struct {
- AccessToken string `json:"access_token"`
- TokenType string `json:"token_type"`
- ExpiresIn int64 `json:"expires_in"` // relative seconds from now
- }
- if err := json.Unmarshal(body, &tokenRes); err != nil {
- return nil, fmt.Errorf("oauth2: cannot fetch token: %v", err)
- }
- token := &oauth2.Token{
- AccessToken: tokenRes.AccessToken,
- TokenType: tokenRes.TokenType,
- }
-
- if secs := tokenRes.ExpiresIn; secs > 0 {
- token.Expiry = time.Now().Add(time.Duration(secs) * time.Second)
- }
- return token, nil
- }
-
- // Sign the claim set with the shared secret
- // Result to be sent as assertion
- func sign(key string, claims *ClaimSet) (string, error) {
- b, err := json.Marshal(defaultHeader)
- if err != nil {
- return "", err
- }
- header := base64.RawURLEncoding.EncodeToString(b)
-
- jsonClaims, err := json.Marshal(claims)
- if err != nil {
- return "", err
- }
- encodedClaims := strings.TrimRight(base64.URLEncoding.EncodeToString(jsonClaims), "=")
-
- ss := fmt.Sprintf("%s.%s", header, encodedClaims)
-
- mac := hmac.New(sha256.New, []byte(key))
- mac.Write([]byte(ss))
- signature := mac.Sum(nil)
-
- return fmt.Sprintf("%s.%s", ss, base64.RawURLEncoding.EncodeToString(signature)), nil
- }
|