Add OmniAuth sign-in via Atlassian Cloud

Adds a new OmniAuth integration for signing in via Atlassian
Cloud. The stored identity will also include credentials so
GitLab can communicate with the Atlassian API.

Gemfile

@@ -45,6 +45,7 @@ gem 'omniauth_crowd', '~> 2.4.0'
 gem 'omniauth-authentiq', '~> 0.3.3'
 gem 'omniauth_openid_connect', '~> 0.3.5'
 gem 'omniauth-salesforce', '~> 1.0.5'
+gem 'omniauth-atlassian-oauth2', '~> 0.2.0'
 gem 'rack-oauth2', '~> 1.9.3'
 gem 'jwt', '~> 2.1.0'
 

Gemfile.lock

@@ -737,6 +737,9 @@ GEM
     omniauth (1.9.0)
       hashie (>= 3.4.6, < 3.7.0)
       rack (>= 1.6.2, < 3)
+    omniauth-atlassian-oauth2 (0.2.0)
+      omniauth (>= 1.1.1)
+      omniauth-oauth2 (>= 1.5)
     omniauth-auth0 (2.0.0)
       omniauth-oauth2 (~> 1.4)
     omniauth-authentiq (0.3.3)
@@ -1393,6 +1396,7 @@ DEPENDENCIES
   octokit (~> 4.15)
   oj (~> 3.10.6)
   omniauth (~> 1.8)
+  omniauth-atlassian-oauth2 (~> 0.2.0)
   omniauth-auth0 (~> 2.0.0)
   omniauth-authentiq (~> 0.3.3)
   omniauth-azure-oauth2 (~> 0.0.9)

app/controllers/omniauth_callbacks_controller.rb

@@ -83,6 +83,10 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
     end
   end
 
+  def atlassian_oauth2
+    omniauth_flow(Gitlab::Auth::Atlassian)
+  end
+
   private
 
   def log_failed_login(user, provider)

app/controllers/profiles/accounts_controller.rb

@@ -7,10 +7,9 @@ class Profiles::AccountsController < Profiles::ApplicationController
     render(locals: show_view_variables)
   end
 
-  # rubocop: disable CodeReuse/ActiveRecord
   def unlink
     provider = params[:provider]
-    identity = current_user.identities.find_by(provider: provider)
+    identity = find_identity(provider)
 
     return render_404 unless identity
 
@@ -22,13 +21,18 @@ class Profiles::AccountsController < Profiles::ApplicationController
 
     redirect_to profile_account_path
   end
-  # rubocop: enable CodeReuse/ActiveRecord
 
   private
 
   def show_view_variables
     {}
   end
+
+  def find_identity(provider)
+    return current_user.atlassian_identity if provider == 'atlassian_oauth2'
+
+    current_user.identities.find_by(provider: provider) # rubocop: disable CodeReuse/ActiveRecord
+  end
 end
 
 Profiles::AccountsController.prepend_if_ee('EE::Profiles::AccountsController')

app/helpers/auth_helper.rb

 # frozen_string_literal: true
 
 module AuthHelper
-  PROVIDERS_WITH_ICONS = %w(twitter github gitlab bitbucket google_oauth2 facebook azure_oauth2 authentiq salesforce).freeze
+  PROVIDERS_WITH_ICONS = %w(twitter github gitlab bitbucket google_oauth2 facebook azure_oauth2 authentiq salesforce atlassian_oauth2).freeze
   LDAP_PROVIDER = /\Aldap/.freeze
 
   def ldap_enabled?
@@ -133,6 +133,8 @@ module AuthHelper
 
   # rubocop: disable CodeReuse/ActiveRecord
   def auth_active?(provider)
+    return current_user.atlassian_identity.present? if provider == :atlassian_oauth2
+
     current_user.identities.exists?(provider: provider.to_s)
   end
   # rubocop: enable CodeReuse/ActiveRecord

changelogs/unreleased/dblessing-atlassian-integration-sign-in.yml

+---
+title: Add OmniAuth sign-in via Atlassian Cloud
+merge_request: 40178
+author:
+type: added

config/gitlab.yml.example

@@ -1404,6 +1404,11 @@ test:
           app_id: 'YOUR_CLIENT_ID',
           app_secret: 'YOUR_CLIENT_SECRET'
         }
+      - { name: 'atlassian_oauth2',
+          app_id: 'YOUR_CLIENT_ID',
+          app_secret: 'YOUR_CLIENT_SECRET',
+          args: { scope: 'offline_access read:jira-user read:jira-work', prompt: 'consent' }
+      }
   ldap:
     enabled: false
     servers:

doc/administration/auth/README.md

@@ -11,6 +11,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 GitLab integrates with the following external authentication and authorization
 providers:
 
+- [Atlassian](atlassian.md)
 - [Auth0](../../integration/auth0.md)
 - [Authentiq](authentiq.md)
 - [AWS Cognito](cognito.md)

doc/administration/auth/atlassian.md

+---
+type: reference
+stage: Manage
+group: Access
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers
+---
+
+# Atlassian OmniAuth Provider
+
+To enable the Atlassian OmniAuth provider for passwordless authentication you must register an application with Atlassian.
+
+## Atlassian application registration
+
+1. Go to <https://developer.atlassian.com/apps/> and sign-in with the Atlassian
+   account that will administer the application.
+
+1. Click **Create a new app**.
+
+1. Choose an App Name, such as 'GitLab', and click **Create**.
+
+1. Note the `Client ID` and `Secret` for the [GitLab configuration](#gitlab-configuration) steps.
+
+1. In the left sidebar under **APIS AND FEATURES**, click **OAuth 2.0 (3LO)**.
+
+1. Enter the GitLab callback URL using the format `https://gitlab.example.com/users/auth/atlassian_oauth2/callback` and click **Save changes**.
+
+1. Click **+ Add** in the left sidebar under **APIS AND FEATURES**.
+
+1. Click **Add** for **Jira platform REST API** and then **Configure**.
+
+1. Click **Add** next to the following scopes:
+    - **View Jira issue data**
+    - **View user profiles**
+    - **Create and manage issues**
+
+## GitLab configuration
+
+1. On your GitLab server, open the configuration file:
+
+   For Omnibus GitLab installations:
+
+   ```shell
+   sudo editor /etc/gitlab/gitlab.rb
+   ```
+
+   For installations from source:
+
+   ```shell
+   sudo -u git -H editor /home/git/gitlab/config/gitlab.yml
+   ```
+
+1. See [Initial OmniAuth Configuration](../../integration/omniauth.md#initial-omniauth-configuration) for initial settings to enable single sign-on and add `atlassian_oauth2` as an OAuth provider.
+
+1. Add the provider configuration for Atlassian:
+
+   For Omnibus GitLab installations:
+
+   ```ruby
+   gitlab_rails['omniauth_providers'] = [
+     {
+       name: "atlassian_oauth2",
+       app_id: "YOUR_CLIENT_ID",
+       app_secret: "YOUR_CLIENT_SECRET",
+       args: { scope: 'offline_access read:jira-user read:jira-work', prompt: 'consent' }
+     }
+   ]
+   ```
+
+   For installations from source:
+
+   ```yaml
+   - name: "atlassian_oauth2",
+     app_id: "YOUR_CLIENT_ID",
+     app_secret: "YOUR_CLIENT_SECRET",
+     args: { scope: 'offline_access read:jira-user read:jira-work', prompt: 'consent' }
+   ```
+
+1. Change `YOUR_CLIENT_ID` and `YOUR_CLIENT_SECRET` to the Client credentials you received in [application registration](#atlassian-application-registration) steps.
+
+1. Save the configuration file.
+
+1. [Reconfigure](../restart_gitlab.md#omnibus-gitlab-reconfigure) or [restart GitLab](../restart_gitlab.md#installations-from-source) for the changes to take effect if you installed GitLab via Omnibus or from source respectively.
+
+On the sign-in page there should now be an Atlassian icon below the regular sign in form. Click the icon to begin the authentication process.
+
+If everything goes right, the user is signed in to GitLab using their Atlassian credentials.

lib/gitlab/auth/atlassian/auth_hash.rb

+# frozen_string_literal: true
+
+module Gitlab
+  module Auth
+    module Atlassian
+      class AuthHash < Gitlab::Auth::OAuth::AuthHash
+        def token
+          credentials[:token]
+        end
+
+        def refresh_token
+          credentials[:refresh_token]
+        end
+
+        def expires?
+          credentials[:expires]
+        end
+
+        def expires_at
+          credentials[:expires_at]
+        end
+
+        private
+
+        def credentials
+          auth_hash[:credentials]
+        end
+      end
+    end
+  end
+end

lib/gitlab/auth/atlassian/identity_linker.rb

+# frozen_string_literal: true
+
+module Gitlab
+  module Auth
+    module Atlassian
+      class IdentityLinker < OmniauthIdentityLinkerBase
+        extend ::Gitlab::Utils::Override
+        include ::Gitlab::Utils::StrongMemoize
+
+        private
+
+        override :identity
+        def identity
+          strong_memoize(:identity) do
+            current_user.atlassian_identity || build_atlassian_identity
+          end
+        end
+
+        def build_atlassian_identity
+          identity = current_user.build_atlassian_identity
+          ::Gitlab::Auth::Atlassian::User.assign_identity_from_auth_hash!(identity, auth_hash)
+        end
+
+        def auth_hash
+          ::Gitlab::Auth::Atlassian::AuthHash.new(oauth)
+        end
+      end
+    end
+  end
+end

lib/gitlab/auth/atlassian/user.rb

+# frozen_string_literal: true
+
+module Gitlab
+  module Auth
+    module Atlassian
+      class User < Gitlab::Auth::OAuth::User
+        def self.assign_identity_from_auth_hash!(identity, auth_hash)
+          identity.extern_uid = auth_hash.uid
+          identity.token = auth_hash.token
+          identity.refresh_token = auth_hash.refresh_token
+          identity.expires_at = Time.at(auth_hash.expires_at).utc.to_datetime if auth_hash.expires?
+
+          identity
+        end
+
+        protected
+
+        def find_by_uid_and_provider
+          ::Atlassian::Identity.find_by_extern_uid(auth_hash.uid)&.user
+        end
+
+        def add_or_update_user_identities
+          return unless gl_user
+
+          identity = gl_user.atlassian_identity || gl_user.build_atlassian_identity
+          self.class.assign_identity_from_auth_hash!(identity, auth_hash)
+        end
+
+        def auth_hash=(auth_hash)
+          @auth_hash = ::Gitlab::Auth::Atlassian::AuthHash.new(auth_hash)
+        end
+      end
+    end
+  end
+end

lib/gitlab/auth/o_auth/provider.rb

@@ -5,10 +5,11 @@ module Gitlab
     module OAuth
       class Provider
         LABELS = {
-          "github"         => "GitHub",
-          "gitlab"         => "GitLab.com",
-          "google_oauth2"  => "Google",
-          "azure_oauth2"   => "Azure AD"
+          "github"            => "GitHub",
+          "gitlab"            => "GitLab.com",
+          "google_oauth2"     => "Google",
+          "azure_oauth2"      => "Azure AD",
+          'atlassian_oauth2'  => 'Atlassian'
         }.freeze
 
         def self.authentication(user, provider)

spec/controllers/omniauth_callbacks_controller_spec.rb

@@ -276,6 +276,51 @@ RSpec.describe OmniauthCallbacksController, type: :controller do
         end
       end
 
+      context 'atlassian_oauth2' do
+        let(:provider) { :atlassian_oauth2 }
+        let(:extern_uid) { 'my-uid' }
+
+        context 'when the user and identity already exist' do
+          let(:user) { create(:atlassian_user, extern_uid: extern_uid) }
+
+          it 'allows sign-in' do
+            post :atlassian_oauth2
+
+            expect(request.env['warden']).to be_authenticated
+          end
+        end
+
+        context 'for a new user' do
+          before do
+            stub_omniauth_setting(enabled: true, auto_link_user: true, allow_single_sign_on: ['atlassian_oauth2'])
+
+            user.destroy
+          end
+
+          it 'denies sign-in if sign-up is enabled, but block_auto_created_users is set' do
+            post :atlassian_oauth2
+
+            expect(flash[:alert]).to start_with 'Your account has been blocked.'
+          end
+
+          it 'accepts sign-in if sign-up is enabled' do
+            stub_omniauth_setting(block_auto_created_users: false)
+
+            post :atlassian_oauth2
+
+            expect(request.env['warden']).to be_authenticated
+          end
+
+          it 'denies sign-in if sign-up is not enabled' do
+            stub_omniauth_setting(allow_single_sign_on: false, block_auto_created_users: false)
+
+            post :atlassian_oauth2
+
+            expect(flash[:alert]).to start_with 'Signing in using your Atlassian account without a pre-existing GitLab account is not allowed.'
+          end
+        end
+      end
+
       context 'salesforce' do
         let(:extern_uid) { 'my-uid' }
         let(:provider) { :salesforce }

spec/controllers/profiles/accounts_controller_spec.rb

@@ -45,5 +45,18 @@ RSpec.describe Profiles::AccountsController do
         end
       end
     end
+
+    describe 'atlassian_oauth2 provider' do
+      let(:user) { create(:atlassian_user) }
+
+      it 'allows a user to unlink a connected account' do
+        expect(user.atlassian_identity).not_to be_nil
+
+        delete :unlink, params: { provider: 'atlassian_oauth2' }
+
+        expect(response).to have_gitlab_http_status(:found)
+        expect(user.reload.atlassian_identity).to be_nil
+      end
+    end
   end
 end

spec/factories/users.rb

@@ -136,6 +136,16 @@ FactoryBot.define do
       end
     end
 
+    factory :atlassian_user do
+      transient do
+        extern_uid { generate(:username) }
+      end
+
+      after(:create) do |user, evaluator|
+        create(:atlassian_identity, user: user, extern_uid: evaluator.extern_uid)
+      end
+    end
+
     factory :admin, traits: [:admin]
   end
 end

spec/helpers/auth_helper_spec.rb

@@ -220,4 +220,44 @@ RSpec.describe AuthHelper do
       it { is_expected.to be(false) }
     end
   end
+
+  describe '#auth_active?' do
+    let(:user) { create(:user) }
+
+    def auth_active?
+      helper.auth_active?(provider)
+    end
+
+    before do
+      allow(helper).to receive(:current_user).and_return(user)
+    end
+
+    context 'for atlassian_oauth2 provider' do
+      let_it_be(:provider) { :atlassian_oauth2 }
+
+      it 'returns true when present' do
+        create(:atlassian_identity, user: user)
+
+        expect(auth_active?).to be true
+      end
+
+      it 'returns false when not present' do
+        expect(auth_active?).to be false
+      end
+    end
+
+    context 'for other omniauth providers' do
+      let_it_be(:provider) { 'google_oauth2' }
+
+      it 'returns true when present' do
+        create(:identity, provider: provider, user: user)
+
+        expect(auth_active?).to be true
+      end
+
+      it 'returns false when not present' do
+        expect(auth_active?).to be false
+      end
+    end
+  end
 end

spec/lib/gitlab/auth/atlassian/auth_hash_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::Auth::Atlassian::AuthHash do
+  let(:auth_hash) do
+    described_class.new(
+      OmniAuth::AuthHash.new(uid: 'john', credentials: credentials)
+    )
+  end
+
+  let(:credentials) do
+    {
+      token: 'super_secret_token',
+      refresh_token: 'super_secret_refresh_token',
+      expires_at: 2.weeks.from_now.to_i,
+      expires: true
+    }
+  end
+
+  describe '#uid' do
+    it 'returns the correct uid' do
+      expect(auth_hash.uid).to eq('john')
+    end
+  end
+
+  describe '#token' do
+    it 'returns the correct token' do
+      expect(auth_hash.token).to eq(credentials[:token])
+    end
+  end
+
+  describe '#refresh_token' do
+    it 'returns the correct refresh token' do
+      expect(auth_hash.refresh_token).to eq(credentials[:refresh_token])
+    end
+  end
+
+  describe '#token' do
+    it 'returns the correct expires boolean' do
+      expect(auth_hash.expires?).to eq(credentials[:expires])
+    end
+  end
+
+  describe '#token' do
+    it 'returns the correct expiration' do
+      expect(auth_hash.expires_at).to eq(credentials[:expires_at])
+    end
+  end
+end

spec/lib/gitlab/auth/atlassian/identity_linker_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::Auth::Atlassian::IdentityLinker do
+  let(:user) { create(:user) }
+  let(:extern_uid) { generate(:username) }
+  let(:oauth) do
+    OmniAuth::AuthHash.new(
+      uid: extern_uid,
+      provider: 'atlassian_oauth2',
+      info: { name: 'John', email: 'john@mail.com' },
+      credentials: credentials
+    )
+  end
+
+  let(:credentials) do
+    {
+      token: SecureRandom.alphanumeric(1254),
+      refresh_token: SecureRandom.alphanumeric(45),
+      expires_at: 2.weeks.from_now.to_i,
+      expires: true
+    }
+  end
+
+  subject { described_class.new(user, oauth) }
+
+  context 'linked identity exists' do
+    let!(:identity) { create(:atlassian_identity, user: user, extern_uid: extern_uid) }
+
+    before do
+      subject.link
+    end
+
+    it 'sets #changed? to false' do
+      expect(subject).not_to be_changed
+    end
+
+    it 'does not mark as failed' do
+      expect(subject).not_to be_failed
+    end
+  end
+
+  context 'identity already linked to different user' do
+    let!(:identity) { create(:atlassian_identity, extern_uid: extern_uid) }
+
+    it 'sets #changed? to false' do
+      subject.link
+
+      expect(subject).not_to be_changed
+    end
+
+    it 'exposes error message' do
+      expect(subject.error_message).to eq 'Extern uid has already been taken'
+    end
+  end
+
+  context 'identity needs to be created' do
+    let(:identity) { user.atlassian_identity }
+
+    before do
+      subject.link
+    end
+
+    it_behaves_like 'an atlassian identity'
+
+    it 'sets #changed? to true' do
+      expect(subject).to be_changed
+    end
+  end
+end

spec/lib/gitlab/auth/atlassian/user_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::Auth::Atlassian::User do
+  let(:oauth_user) { described_class.new(oauth) }
+  let(:gl_user) { oauth_user.gl_user }
+  let(:extern_uid) { generate(:username) }
+  let(:oauth) do
+    OmniAuth::AuthHash.new(
+      uid: extern_uid,
+      provider: 'atlassian_oauth2',
+      info: { name: 'John', email: 'john@mail.com' },
+      credentials: credentials)
+  end
+
+  let(:credentials) do
+    {
+      token: SecureRandom.alphanumeric(1254),
+      refresh_token: SecureRandom.alphanumeric(45),
+      expires_at: 2.weeks.from_now.to_i,
+      expires: true
+    }
+  end
+
+  describe '.assign_identity_from_auth_hash!' do
+    let(:auth_hash) { ::Gitlab::Auth::Atlassian::AuthHash.new(oauth) }
+    let(:identity) { described_class.assign_identity_from_auth_hash!(Atlassian::Identity.new, auth_hash) }
+
+    it_behaves_like 'an atlassian identity'
+  end
+
+  describe '#save' do
+    context 'for an existing user' do
+      context 'with an existing Atlassian Identity' do
+        let!(:existing_user) { create(:atlassian_user, extern_uid: extern_uid) }
+        let(:identity) { gl_user.atlassian_identity }
+
+        before do
+          oauth_user.save # rubocop:disable Rails/SaveBang
+        end
+
+        it 'finds the existing user and identity' do
+          expect(gl_user.id).to eq(existing_user.id)
+          expect(identity.id).to eq(existing_user.atlassian_identity.id)
+        end
+
+        it_behaves_like 'an atlassian identity'
+      end
+
+      context 'for a new user' do
+        it 'creates the user and identity' do
+          oauth_user.save # rubocop:disable Rails/SaveBang
+
+          expect(gl_user).to be_valid
+        end
+      end
+    end
+  end
+end

spec/support/shared_examples/lib/gitlab/auth/atlassian_identity_shared_examples.rb

+# frozen_string_literal: true
+
+RSpec.shared_examples 'an atlassian identity' do
+  it 'sets the proper values' do
+    expect(identity.extern_uid).to eq(extern_uid)
+    expect(identity.token).to eq(credentials[:token])
+    expect(identity.refresh_token).to eq(credentials[:refresh_token])
+    expect(identity.expires_at.to_i).to eq(credentials[:expires_at])
+  end
+end