// Copyright 2018 The Go Authors. All rights reserved. // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. // Package jira provides claims and JWT signing for OAuth2 to access JIRA/Confluence. package jira import ( "context" "crypto/hmac" "crypto/sha256" "encoding/base64" "encoding/json" "fmt" "io" "io/ioutil" "net/http" "net/url" "strings" "time" "golang.org/x/oauth2" ) // ClaimSet contains information about the JWT signature according // to Atlassian's documentation // https://developer.atlassian.com/cloud/jira/software/oauth-2-jwt-bearer-token-authorization-grant-type/ type ClaimSet struct { Issuer string `json:"iss"` Subject string `json:"sub"` InstalledURL string `json:"tnt"` // URL of installed app AuthURL string `json:"aud"` // URL of auth server ExpiresIn int64 `json:"exp"` // Must be no later that 60 seconds in the future IssuedAt int64 `json:"iat"` } var ( defaultGrantType = "urn:ietf:params:oauth:grant-type:jwt-bearer" defaultHeader = map[string]string{ "typ": "JWT", "alg": "HS256", } ) // Config is the configuration for using JWT to fetch tokens, // commonly known as "two-legged OAuth 2.0". type Config struct { // BaseURL for your app BaseURL string // Subject is the userkey as defined by Atlassian // Different than username (ex: /rest/api/2/user?username=alex) Subject string oauth2.Config } // TokenSource returns a JWT TokenSource using the configuration // in c and the HTTP client from the provided context. func (c *Config) TokenSource(ctx context.Context) oauth2.TokenSource { return oauth2.ReuseTokenSource(nil, jwtSource{ctx, c}) } // Client returns an HTTP client wrapping the context's // HTTP transport and adding Authorization headers with tokens // obtained from c. // // The returned client and its Transport should not be modified. func (c *Config) Client(ctx context.Context) *http.Client { return oauth2.NewClient(ctx, c.TokenSource(ctx)) } // jwtSource is a source that always does a signed JWT request for a token. // It should typically be wrapped with a reuseTokenSource. type jwtSource struct { ctx context.Context conf *Config } func (js jwtSource) Token() (*oauth2.Token, error) { exp := time.Duration(59) * time.Second claimSet := &ClaimSet{ Issuer: fmt.Sprintf("urn:atlassian:connect:clientid:%s", js.conf.ClientID), Subject: fmt.Sprintf("urn:atlassian:connect:userkey:%s", js.conf.Subject), InstalledURL: js.conf.BaseURL, AuthURL: js.conf.Endpoint.AuthURL, IssuedAt: time.Now().Unix(), ExpiresIn: time.Now().Add(exp).Unix(), } v := url.Values{} v.Set("grant_type", defaultGrantType) // Add scopes if they exist; If not, it defaults to app scopes if scopes := js.conf.Scopes; scopes != nil { upperScopes := make([]string, len(scopes)) for _, k := range scopes { upperScopes = append(upperScopes, strings.ToUpper(k)) } v.Set("scope", strings.Join(upperScopes, "+")) } // Sign claims for assertion assertion, err := sign(js.conf.ClientSecret, claimSet) if err != nil { return nil, err } v.Set("assertion", string(assertion)) // Fetch access token from auth server hc := oauth2.NewClient(js.ctx, nil) resp, err := hc.PostForm(js.conf.Endpoint.TokenURL, v) if err != nil { return nil, fmt.Errorf("oauth2: cannot fetch token: %v", err) } defer resp.Body.Close() body, err := ioutil.ReadAll(io.LimitReader(resp.Body, 1<<20)) if err != nil { return nil, fmt.Errorf("oauth2: cannot fetch token: %v", err) } if c := resp.StatusCode; c < 200 || c > 299 { return nil, fmt.Errorf("oauth2: cannot fetch token: %v\nResponse: %s", resp.Status, body) } // tokenRes is the JSON response body. var tokenRes struct { AccessToken string `json:"access_token"` TokenType string `json:"token_type"` ExpiresIn int64 `json:"expires_in"` // relative seconds from now } if err := json.Unmarshal(body, &tokenRes); err != nil { return nil, fmt.Errorf("oauth2: cannot fetch token: %v", err) } token := &oauth2.Token{ AccessToken: tokenRes.AccessToken, TokenType: tokenRes.TokenType, } if secs := tokenRes.ExpiresIn; secs > 0 { token.Expiry = time.Now().Add(time.Duration(secs) * time.Second) } return token, nil } // Sign the claim set with the shared secret // Result to be sent as assertion func sign(key string, claims *ClaimSet) (string, error) { b, err := json.Marshal(defaultHeader) if err != nil { return "", err } header := base64.RawURLEncoding.EncodeToString(b) jsonClaims, err := json.Marshal(claims) if err != nil { return "", err } encodedClaims := strings.TrimRight(base64.URLEncoding.EncodeToString(jsonClaims), "=") ss := fmt.Sprintf("%s.%s", header, encodedClaims) mac := hmac.New(sha256.New, []byte(key)) mac.Write([]byte(ss)) signature := mac.Sum(nil) return fmt.Sprintf("%s.%s", ss, base64.RawURLEncoding.EncodeToString(signature)), nil }