Commit c8ceafc8 authored by Andy Soiron's avatar Andy Soiron

Allow context qsh for Jira subscriptions json

The JSON endpoint will be requested by frontend using a JWT that
Atlassian provides via Javascript. This JWT will likely use a
context-qsh because Atlassian don't know for which
endpoint it will be used.

Read more about context JWT here:
https://developer.atlassian.com/cloud/jira/platform/understanding-jwt-for-connect-apps/

This is the second attempt to add this change. The first one
(https://gitlab.com/gitlab-org/gitlab/-/merge_requests/83836)
got reverted after an incident
(https://gitlab.com/gitlab-com/gl-infra/production/-/issues/6774)

This problem was fixed in this commit by only verifying qsh on the
index action.
parent eb2022fe
...@@ -22,6 +22,8 @@ class JiraConnect::ApplicationController < ApplicationController ...@@ -22,6 +22,8 @@ class JiraConnect::ApplicationController < ApplicationController
def verify_qsh_claim! def verify_qsh_claim!
payload, _ = decode_auth_token! payload, _ = decode_auth_token!
return if request.format.json? && payload['qsh'] == 'context-qsh'
# Make sure `qsh` claim matches the current request # Make sure `qsh` claim matches the current request
render_403 unless payload['qsh'] == Atlassian::Jwt.create_query_string_hash(request.url, request.method, jira_connect_base_url) render_403 unless payload['qsh'] == Atlassian::Jwt.create_query_string_hash(request.url, request.method, jira_connect_base_url)
rescue StandardError rescue StandardError
......
...@@ -75,6 +75,18 @@ RSpec.describe JiraConnect::SubscriptionsController do ...@@ -75,6 +75,18 @@ RSpec.describe JiraConnect::SubscriptionsController do
expect(json_response).to include('login_path' => nil) expect(json_response).to include('login_path' => nil)
end end
end end
context 'with context qsh' do
# The JSON endpoint will be requested by frontend using a JWT that Atlassian provides via Javascript.
# This JWT will likely use a context-qsh because Atlassian don't know for which endpoint it will be used.
# Read more about context JWT here: https://developer.atlassian.com/cloud/jira/platform/understanding-jwt-for-connect-apps/
let(:qsh) { 'context-qsh' }
specify do
expect(response).to have_gitlab_http_status(:ok)
end
end
end end
end end
end end
...@@ -102,7 +114,7 @@ RSpec.describe JiraConnect::SubscriptionsController do ...@@ -102,7 +114,7 @@ RSpec.describe JiraConnect::SubscriptionsController do
end end
context 'with valid JWT' do context 'with valid JWT' do
let(:claims) { { iss: installation.client_key, sub: 1234 } } let(:claims) { { iss: installation.client_key, sub: 1234, qsh: '123' } }
let(:jwt) { Atlassian::Jwt.encode(claims, installation.shared_secret) } let(:jwt) { Atlassian::Jwt.encode(claims, installation.shared_secret) }
let(:jira_user) { { 'groups' => { 'items' => [{ 'name' => jira_group_name }] } } } let(:jira_user) { { 'groups' => { 'items' => [{ 'name' => jira_group_name }] } } }
let(:jira_group_name) { 'site-admins' } let(:jira_group_name) { 'site-admins' }
...@@ -158,7 +170,7 @@ RSpec.describe JiraConnect::SubscriptionsController do ...@@ -158,7 +170,7 @@ RSpec.describe JiraConnect::SubscriptionsController do
.stub_request(:get, "#{installation.base_url}/rest/api/3/user?accountId=1234&expand=groups") .stub_request(:get, "#{installation.base_url}/rest/api/3/user?accountId=1234&expand=groups")
.to_return(body: jira_user.to_json, status: 200, headers: { 'Content-Type' => 'application/json' }) .to_return(body: jira_user.to_json, status: 200, headers: { 'Content-Type' => 'application/json' })
delete :destroy, params: { jwt: jwt, id: subscription.id } delete :destroy, params: { jwt: jwt, id: subscription.id, format: :json }
end end
context 'without JWT' do context 'without JWT' do
...@@ -170,7 +182,7 @@ RSpec.describe JiraConnect::SubscriptionsController do ...@@ -170,7 +182,7 @@ RSpec.describe JiraConnect::SubscriptionsController do
end end
context 'with valid JWT' do context 'with valid JWT' do
let(:claims) { { iss: installation.client_key, sub: 1234 } } let(:claims) { { iss: installation.client_key, sub: 1234, qsh: '123' } }
let(:jwt) { Atlassian::Jwt.encode(claims, installation.shared_secret) } let(:jwt) { Atlassian::Jwt.encode(claims, installation.shared_secret) }
it 'deletes the subscription' do it 'deletes the subscription' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment