blob: 814656e9ec0f267e8246948bc98f40be3ab38c71 [file] [log] [blame]
// Copyright 2018 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// Package jira provides claims and JWT signing for OAuth2 to access JIRA/Confluence.
package jira
import (
"context"
"crypto/hmac"
"crypto/sha256"
"encoding/base64"
"encoding/json"
"fmt"
"io"
"io/ioutil"
"net/http"
"net/url"
"strings"
"time"
"golang.org/x/oauth2"
)
// ClaimSet contains information about the JWT signature according
// to Atlassian's documentation
// https://developer.atlassian.com/cloud/jira/software/oauth-2-jwt-bearer-token-authorization-grant-type/
type ClaimSet struct {
Issuer string `json:"iss"`
Subject string `json:"sub"`
InstalledURL string `json:"tnt"` // URL of installed app
AuthURL string `json:"aud"` // URL of auth server
ExpiresIn int64 `json:"exp"` // Must be no later that 60 seconds in the future
IssuedAt int64 `json:"iat"`
}
var (
defaultGrantType = "urn:ietf:params:oauth:grant-type:jwt-bearer"
defaultHeader = map[string]string{
"typ": "JWT",
"alg": "HS256",
}
)
// Config is the configuration for using JWT to fetch tokens,
// commonly known as "two-legged OAuth 2.0".
type Config struct {
// BaseURL for your app
BaseURL string
// Subject is the userkey as defined by Atlassian
// Different than username (ex: /rest/api/2/user?username=alex)
Subject string
oauth2.Config
}
// TokenSource returns a JWT TokenSource using the configuration
// in c and the HTTP client from the provided context.
func (c *Config) TokenSource(ctx context.Context) oauth2.TokenSource {
return oauth2.ReuseTokenSource(nil, jwtSource{ctx, c})
}
// Client returns an HTTP client wrapping the context's
// HTTP transport and adding Authorization headers with tokens
// obtained from c.
//
// The returned client and its Transport should not be modified.
func (c *Config) Client(ctx context.Context) *http.Client {
return oauth2.NewClient(ctx, c.TokenSource(ctx))
}
// jwtSource is a source that always does a signed JWT request for a token.
// It should typically be wrapped with a reuseTokenSource.
type jwtSource struct {
ctx context.Context
conf *Config
}
func (js jwtSource) Token() (*oauth2.Token, error) {
exp := time.Duration(59) * time.Second
claimSet := &ClaimSet{
Issuer: fmt.Sprintf("urn:atlassian:connect:clientid:%s", js.conf.ClientID),
Subject: fmt.Sprintf("urn:atlassian:connect:useraccountid:%s", js.conf.Subject),
InstalledURL: js.conf.BaseURL,
AuthURL: js.conf.Endpoint.AuthURL,
IssuedAt: time.Now().Unix(),
ExpiresIn: time.Now().Add(exp).Unix(),
}
v := url.Values{}
v.Set("grant_type", defaultGrantType)
// Add scopes if they exist; If not, it defaults to app scopes
if scopes := js.conf.Scopes; scopes != nil {
upperScopes := make([]string, len(scopes))
for i, k := range scopes {
upperScopes[i] = strings.ToUpper(k)
}
v.Set("scope", strings.Join(upperScopes, "+"))
}
// Sign claims for assertion
assertion, err := sign(js.conf.ClientSecret, claimSet)
if err != nil {
return nil, err
}
v.Set("assertion", assertion)
// Fetch access token from auth server
hc := oauth2.NewClient(js.ctx, nil)
resp, err := hc.PostForm(js.conf.Endpoint.TokenURL, v)
if err != nil {
return nil, fmt.Errorf("oauth2: cannot fetch token: %v", err)
}
defer resp.Body.Close()
body, err := ioutil.ReadAll(io.LimitReader(resp.Body, 1<<20))
if err != nil {
return nil, fmt.Errorf("oauth2: cannot fetch token: %v", err)
}
if c := resp.StatusCode; c < 200 || c > 299 {
return nil, fmt.Errorf("oauth2: cannot fetch token: %v\nResponse: %s", resp.Status, body)
}
// tokenRes is the JSON response body.
var tokenRes struct {
AccessToken string `json:"access_token"`
TokenType string `json:"token_type"`
ExpiresIn int64 `json:"expires_in"` // relative seconds from now
}
if err := json.Unmarshal(body, &tokenRes); err != nil {
return nil, fmt.Errorf("oauth2: cannot fetch token: %v", err)
}
token := &oauth2.Token{
AccessToken: tokenRes.AccessToken,
TokenType: tokenRes.TokenType,
}
if secs := tokenRes.ExpiresIn; secs > 0 {
token.Expiry = time.Now().Add(time.Duration(secs) * time.Second)
}
return token, nil
}
// Sign the claim set with the shared secret
// Result to be sent as assertion
func sign(key string, claims *ClaimSet) (string, error) {
b, err := json.Marshal(defaultHeader)
if err != nil {
return "", err
}
header := base64.RawURLEncoding.EncodeToString(b)
jsonClaims, err := json.Marshal(claims)
if err != nil {
return "", err
}
encodedClaims := strings.TrimRight(base64.URLEncoding.EncodeToString(jsonClaims), "=")
ss := fmt.Sprintf("%s.%s", header, encodedClaims)
mac := hmac.New(sha256.New, []byte(key))
mac.Write([]byte(ss))
signature := mac.Sum(nil)
return fmt.Sprintf("%s.%s", ss, base64.RawURLEncoding.EncodeToString(signature)), nil
}