package jwt
import (
"bytes"
"crypto/sha256"
"encoding/hex"
"net/http"
"net/url"
"sort"
"strings"
"time"
jwt "github.com/dgrijalva/jwt-go"
"github.com/pkg/errors"
)
// Config holds the configuration information for JWT operation
// between an app and JIRA. Its methods build, sign and attach Atlassian
// JWTs to outgoing requests; a *Config satisfies AuthSetter.
type Config struct {
	// Key holds the app key described in the Atlassian Connect
	// JSON file. It becomes the issuer ("iss") claim of each token.
	Key string
	// ClientKey holds the key that JIRA returns to validate JWT
	// tokens from Jira. It becomes the subject ("sub") claim of each token.
	ClientKey string
	// SharedSecret is the HMAC-SHA256 signing secret for the Authorization
	// header. It is secret material: whoever holds it can mint tokens the
	// JIRA instance accepts, so keep it out of logs and error messages.
	SharedSecret string
	// BaseURL is the base URL of the JIRA instance.
	// NOTE(review): no method in this file reads BaseURL; it appears to be
	// informational for callers.
	BaseURL string
}
// AtlassianClaims are all mandatory claims for Atlassian JWT: the query
// string hash ("qsh") of the request being authenticated, plus the
// registered claims (iss, sub, iat, exp) that Config.Claims fills in.
type AtlassianClaims struct {
	// QSH is the hex SHA-256 of the canonical request; see Config.QSH.
	QSH string `json:"qsh"`
	jwt.StandardClaims
}
// An AuthSetter is anything that can set the authorization header
// on an http.Request. Transport relies on it to authenticate each
// outgoing request; *Config is the implementation in this package.
type AuthSetter interface {
	// SetAuthHeader takes a request pointer and sets the
	// Authorization header with a valid Atlassian JWT for that
	// request. It returns an error when the token cannot be produced.
	SetAuthHeader(*http.Request) error
}
// Claims builds the claim set for an Atlassian JWT carrying the given
// query string hash. The token is issued at the current local time and
// expires 180 seconds later; iss is c.Key and sub is c.ClientKey.
//
// Both timestamps come from the local clock, so a skewed clock can make
// the token look expired (or not yet issued) to the server.
func (c *Config) Claims(qsh string) *AtlassianClaims {
	const lifetime = 180 * time.Second
	now := time.Now()
	return &AtlassianClaims{
		QSH: qsh,
		StandardClaims: jwt.StandardClaims{
			IssuedAt:  now.Unix(),
			ExpiresAt: now.Add(lifetime).Unix(),
			Issuer:    c.Key,
			Subject:   c.ClientKey,
		},
	}
}
// Client returns an *http.Client whose Transport signs every request
// with an Atlassian JWT derived from c. The base RoundTripper is left
// nil, so http.DefaultTransport is used.
//
// No Timeout is set on the returned client; callers that talk to the
// network should set one or bound each request with a context.
func (c *Config) Client() *http.Client {
	signing := &Transport{Config: c}
	return &http.Client{Transport: signing}
}
// Token returns an unsigned Atlassian JWT for r: an HS256 token whose
// claims carry the query string hash of r. SetAuthHeader signs it.
//
// NOTE(review): the token type comes from github.com/dgrijalva/jwt-go,
// which is archived; github.com/golang-jwt/jwt is its maintained successor.
func (c *Config) Token(r *http.Request) *jwt.Token {
	return jwt.NewWithClaims(jwt.SigningMethodHS256, c.Claims(c.QSH(r)))
}
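// SetAuthHeader signs an Atlassian JWT for r with c.SharedSecret (HS256)
// and stores it in r's Authorization header as "JWT <token>". The query
// string hash is computed from r's method, path and query, so r must be
// fully built before this is called.
//
// It returns an error when SharedSecret is empty, so a misconfigured
// client never sends tokens signed with an empty key, and when signing
// fails. r.Header is allocated if it is nil.
func (c *Config) SetAuthHeader(r *http.Request) error {
	if c.SharedSecret == "" {
		return errors.New("jwt: shared secret is empty")
	}
	signed, err := c.Token(r).SignedString([]byte(c.SharedSecret))
	if err != nil {
		return errors.Wrap(err, "failed to sign token")
	}
	// A hand-built request may carry a nil Header map; Set would panic.
	if r.Header == nil {
		r.Header = make(http.Header)
	}
	r.Header.Set("Authorization", "JWT "+signed)
	return nil
}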
// QSH returns the query string hash for req: the hex-encoded SHA-256 of
// the canonical request "METHOD&path&query", following
// https://developer.atlassian.com/cloud/bitbucket/query-string-hash/.
// The receiver is not used; the hash depends only on req.
func (c *Config) QSH(req *http.Request) string {
	// The method is always upper-cased in the canonical request.
	verb := strings.ToUpper(req.Method)
	// '&' separates the canonical parts, so it may not appear raw in the path.
	canonicalPath := strings.Replace(req.URL.Path, "&", "%26", -1)
	// NOTE(review): an empty req.URL.Path yields an empty middle segment;
	// check the linked spec for whether "/" is expected in that case.
	canonical := verb + "&" + canonicalPath + "&" + encodeQuery(req.URL.Query())
	// The hash is returned as lower-case hex.
	digest := sha256.Sum256([]byte(canonical))
	return hex.EncodeToString(digest[:])
}
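// encodeQuery canonicalises query parameters for the query string hash
// as described at
// https://developer.atlassian.com/cloud/bitbucket/query-string-hash/:
// keys are sorted, each key's values are sorted and comma-joined, a
// parameter named "jwt" (in any letter case) is dropped, and spaces are
// percent-encoded as %20 rather than "+".
//
// The result is empty when vals is empty or holds only the "jwt"
// parameter. vals is not modified.
func encodeQuery(vals url.Values) string {
	if len(vals) == 0 {
		return ""
	}
	keys := make([]string, 0, len(vals))
	for k := range vals {
		keys = append(keys, k)
	}
	// Keys must be sorted.
	sort.Strings(keys)
	var buf bytes.Buffer
	for _, k := range keys {
		// The token itself is never part of the hash, whatever its case.
		if strings.ToUpper(k) == "JWT" {
			continue
		}
		// Sort a copy so the caller's url.Values is left untouched.
		vs := append([]string(nil), vals[k]...)
		sort.Strings(vs)
		encodedVals := make([]string, 0, len(vs))
		for _, v := range vs {
			encodedVals = append(encodedVals, qshEscape(v))
		}
		if buf.Len() > 0 {
			buf.WriteByte('&')
		}
		buf.WriteString(qshEscape(k))
		buf.WriteByte('=')
		// Repeated parameters form a comma-delimited list.
		buf.WriteString(strings.Join(encodedVals, ","))
	}
	return buf.String()
}

// qshEscape percent-encodes s with url.QueryEscape, which already emits
// upper-case hex as the QSH spec requires, but with spaces as %20
// instead of "+".
func qshEscape(s string) string {
	return strings.Replace(url.QueryEscape(s), "+", "%20", -1)
}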
// Transport is a http.RoundTripper for tagging requests
// to Atlassian with a JWT auth header. Each request is cloned before
// the header is added, so the caller's request is not modified.
type Transport struct {
	// Config signs each outgoing request and sets its
	// Authorization header; normally a *Config. RoundTrip fails
	// when it is nil.
	Config AuthSetter
	// Base is the base RoundTripper used to make HTTP requests.
	// If nil, http.DefaultTransport is used.
	Base http.RoundTripper
}
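// RoundTrip sets an Atlassian JWT Authorization header on a copy of req
// and forwards the copy to the base RoundTripper; req itself is not
// modified, as the http.RoundTripper contract requires.
//
// It returns an error when Config is nil or when signing fails. On those
// early failures req.Body is closed, because RoundTrip must close the
// request body even when it does not send the request.
func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
	if t.Config == nil {
		closeRequestBody(req)
		return nil, errors.New("jwt: Transport's config is nil")
	}
	req2 := cloneRequest(req)
	if err := t.Config.SetAuthHeader(req2); err != nil {
		closeRequestBody(req)
		return nil, err
	}
	return t.base().RoundTrip(req2)
}

// closeRequestBody closes req.Body when there is one. The close error is
// dropped because the caller is already returning a more useful error.
func closeRequestBody(req *http.Request) {
	if req.Body != nil {
		_ = req.Body.Close()
	}
}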
// base returns the RoundTripper that actually sends requests: t.Base
// when set, otherwise http.DefaultTransport.
func (t *Transport) base() http.RoundTripper {
	rt := t.Base
	if rt == nil {
		rt = http.DefaultTransport
	}
	return rt
}
// cloneRequest returns a clone of the provided *http.Request.
// The clone is a shallow copy of the struct (URL, Body, Context and so
// on are shared) with its own Header map and its own value slices, so
// headers added to the clone never leak into the original.
func cloneRequest(r *http.Request) *http.Request {
	clone := *r
	hdr := make(http.Header, len(r.Header))
	for name, vals := range r.Header {
		// Copy the slice too; Header values are shared backing arrays otherwise.
		hdr[name] = append([]string(nil), vals...)
	}
	clone.Header = hdr
	return &clone
}