atlassian-jwt-authentication 0.9.0.pre8

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 4b613184861f6210fe60369212d95288f3bc85a71a9906714c71d966e1606381
+  data.tar.gz: 320921baeac4b8bdfba96131fcb0a05077242f41e96b7ee3d9e3b03ae5dace01
+SHA512:
+  metadata.gz: 026ca8a88864fdfa13db84a94d403291ee10935bdcc99a31366a5f93d467479f21c308789f3e06086d206ab4e9656e992431de705095baefbf347d954549717a
+  data.tar.gz: a91c87fe92112b9bef084198e2d2b6aecf82f64e3c881de0448dab04cb463be430993e8a91ead79656f42f97350bdb620778eb8d73c299027bec88f48b7a25e7

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2016-2016 MeisterLabs
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,296 @@
+# Atlassian JWT Authentication
+
+Atlassian JWT Authentication provides support for handling JWT authentication as required by
+ Atlassian when building add-ons: https://developer.atlassian.com/static/connect/docs/latest/concepts/authentication.html
+
+## Installation
+
+### From Git
+
+You can check out the latest source from git:
+
+`git clone https://github.com/MeisterLabs/atlassian-jwt-authentication.git`
+
+Or, if you're using Bundler, just add the following to your Gemfile:
+
+```ruby
+gem 'atlassian-jwt-authentication', 
+  git: 'https://github.com/MeisterLabs/atlassian-jwt-authentication.git'
+```
+
+## Usage
+
+### Setup
+
+This gem relies on the `jwt_tokens` table being present in your database and 
+the associated JwtToken model.
+
+To create those simply use the provided generators:
+
+```
+bundle exec rails g atlassian_jwt_authentication:setup
+```
+
+If you are using another database for the JWT data storage than the default one, pass the name of the DB config to the generator:
+```
+bundle exec rails g atlassian_jwt_authentication:setup shared
+```
+
+Don't forget to run your migrations now!
+
+### Controller filters
+
+The gem provides 2 endpoints for an Atlassian add-on lifecycle, installed and uninstalled. 
+For more information on the available Atlassian lifecycle callbacks visit 
+https://developer.atlassian.com/static/connect/docs/latest/modules/lifecycle.html.
+
+If your add-on baseUrl is not your application root URL then include the following 
+configuration for the context path. This is needed in the query hash string validation 
+step of verifying the JWT:
+```ruby
+# In the add-on descriptor:
+# "baseUrl": "https://www.example.com/atlassian/confluence",
+
+AtlassianJwtAuthentication.context_path = '/atlassian/confluence'
+```
+
+#### Add-on installation
+The gem will take care of setting up the necessary JWT tokens upon add-on installation and to
+delete the appropriate tokens upon un-installation. To use this functionality, simply call
+ 
+```ruby
+include AtlassianJwtAuthentication
+
+before_action :on_add_on_installed, only: [:installed]
+before_action :on_add_on_uninstalled, only: [:uninstalled]
+```
+
+#### Add-on authentication
+Furthermore, protect the methods that will be JWT aware by using the gem's
+JWT token verification filter. You need to pass your add-on descriptor so that
+the appropriate JWT shared secret can be identified:
+
+```ruby
+include AtlassianJwtAuthentication
+
+# will respond with head(:unauthorized) if verification fails
+before_filter only: [:display, :editor] do |controller|
+  controller.send(:verify_jwt, 'your-add-on-key')
+end
+```
+
+Methods that are protected by the `verify_jwt` filter also give access to information
+about the current JWT token instance and logged in account (when available):
+
+* `current_jwt_token` returns `JwtToken`
+* `current_account_id` returns `String`
+
+Furthermore, this information is stored in the session so you will have access
+to these 2 instances also on subsequent requests even if they are not JWT signed.
+
+```ruby
+# current_jwt_token returns an instance of JwtToken, so you have access to the fields described above
+pp current_jwt_token.addon_key
+pp current_jwt_token.base_url
+```
+
+If you need detailed user information you need to obtain it from the instance and process it respecting GDPR.
+
+#### How to send a signed HTTP request from the iframe back to the add-on service
+
+The initial call to load the iframe content is secured by JWT. However, the loaded content cannot
+sign subsequent requests. A typical example is content that makes AJAX calls back to the add-on. Cookie sessions cannot
+be used, as many browsers block third-party cookies by default. AJA provides middleware that
+works without cookies and helps making secure requests from the iframe.
+
+Standard JWT tokens are used to authenticate requests from the iframe back to the add-on service. A route can be secured
+using the following code:
+
+```ruby
+include AtlassianJwtAuthentication
+
+before_filter only: [:protected] do |controller|
+ controller.send(:verify_jwt, 'your-add-on-key', skip_qsh_verification: true)
+end
+```
+
+In order to secure your route, the token must be part of the HTTP request back to the add-on service. This can be done
+by using the standard `jwt` query parameter:
+
+```html
+<a href="/protected?jwt={{token}}">See more</a>
+```
+
+The second option is to use the Authorization HTTP header, e.g. for AJAX requests:
+
+```javascript
+beforeSend: function(request) {
+  request.setRequestHeader("Authorization", "JWT {{token}}");
+}
+```
+
+You can embed the token anywhere in your iframe content using the `token` content variable. For example, you can embed
+it in a meta tag, from where it can later be read by a script:
+
+```html
+<meta name="token" content="{{token}}">
+
+#### Add-on licensing
+If your add-on has a licensing model you can use the `ensure_license` filter to check for a valid license.
+As with the `verify_jwt` filter, this simply responds with an unauthorized header if there is no valid license
+for the installation.
+
+```ruby
+before_filter :ensure_license
+```
+If your add-on was for free and you're just adding licensing now, you can specify
+the version at which you started charging, ie. the minimum version of the add-on
+for which you require a valid license. Simply include the code below with your version
+string in the controller that includes the other add-on code.
+```ruby
+def min_licensing_version
+  Gem::Version.new('1.0.0')
+end
+```
+
+### Middleware
+
+You can use a middleware to verify JWT tokens (for example in Rails `application.rb`):
+
+```ruby
+config.middleware.insert_after ActionDispatch::Session::CookieStore, AtlassianJwtAuthentication::Middleware::VerifyJwtToken, 'your_addon_key'
+```
+
+Token will be taken from params or `Authorization` header, if it's verified successfully request will have following headers set:
+
+* atlassian_jwt_authorization.jwt_token `JwtToken` instance
+* atlassian_jwt_authorization.account_id `String` instance
+* atlassian_jwt_authorization.context `Hash` instance
+
+Middleware will not block requests with invalid or missing JWT tokens, you need to use another layer for that.
+
+### Making a service call
+
+Build the URL required to make a service call with the `rest_api_url` helper or
+make a service call with the `rest_api_call` helper that will handle the request for you.
+Both require the method and the endpoint that you need to access:
+
+```ruby
+# Get available project types
+url = rest_api_url(:get, '/rest/api/2/project/type')
+response = Faraday.get(url)
+
+# Create an issue
+data = {
+    fields: {
+        project: {
+            'id': 10100
+        },
+        summary: 'This is an issue summary',
+        issuetype: {
+            id: 10200
+        }
+    }
+}
+
+response = rest_api_call(:post, '/rest/api/2/issue', data)
+pp response.success?
+
+```
+
+### User impersonification
+
+To make requests on user's behalf add `act_as_user` in scopes required by your app. 
+
+Later you can obtain [OAuth bearer token](https://developer.atlassian.com/cloud/jira/software/oauth-2-jwt-bearer-token-authorization-grant-type/) from Atlassian.
+
+Do that using `AtlassianJwtAuthentication::UserBearerToken.user_bearer_token(account_id, scopes)`
+
+### Logging
+
+If you want to debug the JWT verification define a logger in the controller where you're including `AtlassianJwtAuthentication`:
+
+```ruby
+def logger
+  Logger.new("#{Rails.root}/log/atlassian_jwt.log")
+end
+``` 
+
+### Custom error handling
+
+If you want to render your own pages when the add-on throws one of the following errors:
+- forbidden
+- unauthorized
+- payment_required
+
+overwrite the following methods in your controller:
+
+```ruby
+def render_forbidden
+  # do your own handling there
+  # render your own template 
+  render(template: '...', layout: '...')
+end
+
+# the same for render_payment_required and render_unauthorized
+
+```
+
+## Installing the add-on
+
+You can use rake tasks to simplify plugin installation:
+
+```ruby
+bin/rails atlassian:install[prefix,email,api_token,https://external.address.to/descriptor]
+```
+
+Where `prefix` is your instance name before `.atlassian.net`. You an get an [API token](https://confluence.atlassian.com/cloud/api-tokens-938839638.html) from [Manage your account](https://id.atlassian.com/manage/api-tokens) page.
+
+## Configuration
+
+Config | Environment variable | Description | Default |
+------ | -------------------- | ----------- | ------- |
+`AtlassianJwtAuthentication.context_path` | none | server path your app is running at | `''` 
+`AtlassianJwtAuthentication.verify_jwt_expiration` | `JWT_VERIFY_EXPIRATION` | when `false` allow expired tokens, speeds up development, especially combined with webpack hot module reloading | `true` 
+`AtlassianJwtAuthentication.log_requests` | `AJA_LOG_REQUESTS` | when `true` outgoing HTTP requests will be logged | `false` 
+`AtlassianJwtAuthentication.debug_requests` | `AJA_DEBUG_REQUESTS` | when `true` HTTP requests will include body content, implicitly turns on `log_requests` | `false` 
+`AtlassianJwtAuthentication.signed_install` | `AJA_SIGNED_INSTALL` | Installation lifecycle security improvements. Migration process described [here](https://community.developer.atlassian.com/t/action-required-atlassian-connect-installation-lifecycle-security-improvements/49046). In the descriptor set `"apiMigrations":{"signed-install":AtlassianJwtAuthentication.signed_install}`  | `false`
+
+## Requirements
+
+Ruby 2.0+, ActiveRecord 4.1+
+
+## Integrations
+
+### Message Bus
+
+With middleware enabled you can use following configuration to limit access to message bus per user / instance:
+```ruby
+MessageBus.user_id_lookup do |env|
+  env.try(:[], 'atlassian_jwt_authentication.account_id')
+end
+
+MessageBus.site_id_lookup do |env|
+  env.try(:[], 'atlassian_jwt_authentication.jwt_token').try(:id)
+end
+```
+
+Then use `MessageBus.publish('/test', 'message', site_id: X, user_ids: [Y])` to publish message only for a user.
+
+Requires message_bus patch available at https://github.com/HeroCoders/message_bus/commit/cd7c752fe85a17f7e54aa950a94d7c6378a55ed1
+
+
+## Upgrade guide
+
+### Version 0.7.x
+
+Removed `current_jwt_user`, `JwtUser`, update your code to use `current_account_id`
+
+### Versions < 0.6.x
+
+`current_jwt_auth` has been renamed to `current_jwt_token` to match model name. Either mass rename or add `alias` in your controller:
+
+```ruby
+alias_method :current_jwt_auth, :current_jwt_token
+helper_method :current_jwt_auth
+```

data/lib/atlassian-jwt-authentication/error_processor.rb

@@ -0,0 +1,17 @@
+module AtlassianJwtAuthentication
+  module ErrorProcessor
+    protected
+
+    def render_forbidden
+      head(:forbidden)
+    end
+
+    def render_payment_required
+      head(:payment_required)
+    end
+
+    def render_unauthorized
+      head(:unauthorized)
+    end
+  end
+end

data/lib/atlassian-jwt-authentication/filters.rb

@@ -0,0 +1,174 @@
+require 'jwt'
+
+module AtlassianJwtAuthentication
+  module Filters
+    protected
+
+    def on_add_on_installed
+      # Add-on key that was installed into the Atlassian Product,
+      # as it appears in your add-on's descriptor.
+      addon_key = params[:key]
+
+      # Identifying key for the Atlassian product instance that the add-on was installed into.
+      # This will never change for a given instance, and is unique across all Atlassian product tenants.
+      # This value should be used to key tenant details in your add-on.
+      client_key = params[:clientKey]
+
+      # Use this string to sign outgoing JWT tokens and validate incoming JWT tokens.
+      shared_secret = params[:sharedSecret]
+
+      # Identifies the category of Atlassian product, e.g. Jira or Confluence.
+      product_type = params[:productType]
+
+      # The base URL of the instance
+      base_url = params[:baseUrl]
+      api_base_url = params[:baseApiUrl] || base_url
+
+      jwt_auth = JwtToken.where(client_key: client_key, addon_key: addon_key).first
+      if jwt_auth
+        # The add-on was previously installed on this client
+        return false unless _verify_jwt(addon_key)
+        if jwt_auth.id != current_jwt_token.id
+          # Update request was issued to another plugin
+          render_forbidden
+          return false
+        end
+      else
+        self.current_jwt_token = JwtToken.new(jwt_token_params)
+      end
+
+      current_jwt_token.addon_key = addon_key
+      current_jwt_token.shared_secret = shared_secret
+      current_jwt_token.product_type = "atlassian:#{product_type}"
+      current_jwt_token.base_url = base_url if current_jwt_token.respond_to?(:base_url)
+      current_jwt_token.api_base_url = api_base_url if current_jwt_token.respond_to?(:api_base_url)
+      current_jwt_token.oauth_client_id = params[:oauthClientId] if current_jwt_token.respond_to?(:oauth_client_id)
+      current_jwt_token.public_key = params[:publicKey] if current_jwt_token.respond_to?(:public_key)
+      current_jwt_token.sen = params[:supportEntitlementNumber] if current_jwt_token.respond_to?(:sen)
+      current_jwt_token.payload = params.to_unsafe_h if current_jwt_token.respond_to?(:payload)
+
+      current_jwt_token.save!
+
+      true
+    end
+
+    def on_add_on_uninstalled
+      addon_key = params[:key]
+
+      return unless _verify_jwt(addon_key)
+
+      client_key = params[:clientKey]
+
+      return false unless client_key.present?
+
+      JwtToken.where(client_key: client_key, addon_key: addon_key).destroy_all
+
+      true
+    end
+
+    def verify_jwt(addon_key, skip_qsh_verification: false)
+      _verify_jwt(addon_key, true, skip_qsh_verification: skip_qsh_verification)
+    end
+
+    def ensure_license
+      unless current_jwt_token
+        raise 'current_jwt_token missing, add the verify_jwt filter'
+      end
+
+      response = rest_api_call(:get, "/rest/atlassian-connect/1/addons/#{current_jwt_token.addon_key}")
+      unless response.success? && response.data
+        log(:error, "Client #{current_jwt_token.client_key}: API call to get the license failed with #{response.status}")
+        render_payment_required
+        return false
+      end
+
+      current_version = Gem::Version.new(response.data['version'])
+
+      if min_licensing_version && current_version > min_licensing_version || !min_licensing_version
+        # do we need to check for licensing on this add-on version?
+        unless params[:lic] && params[:lic] == 'active'
+          log(:error, "Client #{current_jwt_token.client_key}: no active license was found in the params")
+          render_payment_required
+          return false
+        end
+
+        unless response.data['state'] == 'ENABLED' &&
+            response.data['license'] && response.data['license']['active']
+          log(:error, "client #{current_jwt_token.client_key}: no active & enabled license was found")
+          render_payment_required
+          return false
+        end
+      end
+
+      log(:info, "Client #{current_jwt_token.client_key}: license OK")
+
+      true
+    end
+
+    private
+
+    def _verify_jwt(addon_key, consider_param = false, skip_qsh_verification: false)
+      self.current_jwt_token = nil
+      self.current_account_id = nil
+      self.current_jwt_context = nil
+
+      jwt = nil
+
+      # The JWT token can be either in the Authorization header
+      # or can be sent as a parameter. During the installation
+      # handshake we only accept the token coming in the header
+      if consider_param
+        jwt = params[:jwt] if params[:jwt].present?
+      elsif !request.headers['authorization'].present?
+        log(:error, 'Missing authorization header')
+        render_unauthorized
+        return false
+      end
+
+      if request.headers['authorization'].present?
+        algorithm, possible_jwt = request.headers['authorization'].split(' ')
+        jwt = possible_jwt if algorithm == 'JWT'
+      end
+
+      jwt_verification = AtlassianJwtAuthentication::JWTVerification.new(addon_key, nil, jwt, request)
+      jwt_verification.exclude_qsh_params = exclude_qsh_params
+      jwt_verification.logger = logger if defined?(logger)
+
+      jwt_auth, account_id, context, qsh_verified = jwt_verification.verify
+
+      unless jwt_auth && (qsh_verified || skip_qsh_verification)
+        render_unauthorized
+        return false
+      end
+
+      self.current_jwt_token = jwt_auth
+      self.current_account_id = account_id
+      self.current_jwt_context = context
+
+      true
+    end
+
+    def jwt_token_params
+      {
+          client_key: params.permit(:clientKey)['clientKey'],
+          addon_key: params.permit(:key)['key']
+      }
+    end
+
+    # This can be overwritten in the including controller
+    def exclude_qsh_params
+      []
+    end
+
+    # This can be overwritten in the including controller
+    def min_licensing_version
+      nil
+    end
+
+    def log(level, message)
+      return unless defined?(logger)
+
+      logger.send(level.to_sym, message)
+    end
+  end
+end

data/lib/atlassian-jwt-authentication/helper.rb

@@ -0,0 +1,102 @@
+require 'jwt'
+require 'addressable'
+
+require_relative './http_client'
+
+module AtlassianJwtAuthentication
+  module Helper
+    protected
+
+    # Returns the current JWT auth object if it exists
+    def current_jwt_token
+      @jwt_auth ||= session[:jwt_auth] ? JwtToken.where(id: session[:jwt_auth]).first : nil
+    end
+
+    # Sets the current JWT auth object
+    def current_jwt_token=(jwt_auth)
+      session[:jwt_auth] = jwt_auth.nil? ? nil : jwt_auth.id
+      @jwt_auth = jwt_auth
+    end
+
+    # Returns the current JWT context if it exists
+    def current_jwt_context
+      @jwt_context ||= session[:jwt_context]
+    end
+
+    # Sets the current JWT context
+    def current_jwt_context=(jwt_context)
+      session[:jwt_context] = jwt_context
+      @jwt_context = jwt_context
+    end
+
+    # Returns the current JWT account_id if it exists
+    def current_account_id
+      @account_id ||= session[:account_id]
+    end
+
+    # Sets the current JWT account_id
+    def current_account_id=(account_id)
+      session[:account_id] = account_id
+      @account_id = account_id
+    end
+
+    def user_bearer_token(account_id, scopes)
+      AtlassianJwtAuthentication::UserBearerToken::user_bearer_token(current_jwt_token, account_id, scopes)
+    end
+
+    def rest_api_url(method, endpoint)
+      unless current_jwt_token
+        raise 'Missing Authentication context'
+      end
+
+      # Expiry for the JWT token is 3 minutes from now
+      issued_at = Time.now.utc.to_i
+      expires_at = issued_at + 180
+
+      qsh = Digest::SHA256.hexdigest("#{method.to_s.upcase}&#{endpoint}&")
+
+      jwt = JWT.encode({
+        qsh: qsh,
+        iat: issued_at,
+        exp: expires_at,
+        iss: current_jwt_token.addon_key
+      }, current_jwt_token.shared_secret)
+
+      # return the service call URL with the JWT token added
+      "#{current_jwt_token.api_base_url}#{endpoint}?jwt=#{jwt}"
+    end
+
+    def rest_api_call(method, endpoint, data = nil)
+      url = rest_api_url(method, endpoint)
+
+      response = HttpClient.new(url).send(method) do |request|
+        request.body = data ? data.to_json : nil
+        request.headers['Content-Type'] = 'application/json'
+      end
+
+      to_json_response(response)
+    end
+
+    def to_json_response(response)
+        data = JSON::parse(response.body) rescue nil
+        Response.new(response.status, data)
+    end
+
+    class Response
+      attr_accessor :status, :data
+
+      def initialize(status, data = nil)
+        @status = status
+        @data = data
+      end
+
+      def success?
+        status == 200
+      end
+
+      def failed?
+        !success?
+      end
+    end
+  end
+end

data/lib/atlassian-jwt-authentication/http_client.rb

@@ -0,0 +1,21 @@
+require 'faraday'
+
+module AtlassianJwtAuthentication
+  module HttpClient
+    def self.new(url = nil, options = nil)
+      client = Faraday.new(url, options) do |f|
+        if AtlassianJwtAuthentication.debug_requests || AtlassianJwtAuthentication.log_requests
+          f.response :logger, nil, bodies: AtlassianJwtAuthentication.debug_requests
+        end
+        f.request :url_encoded
+        f.adapter Faraday.default_adapter
+      end
+
+      if block_given?
+        yield client
+      end
+
+      client
+    end
+  end
+end

data/lib/atlassian-jwt-authentication/middleware.rb

@@ -0,0 +1,58 @@
+module AtlassianJwtAuthentication
+  module Middleware
+    class VerifyJwtToken
+      PREFIX = 'atlassian_jwt_authentication'.freeze
+
+      JWT_TOKEN_HEADER = "#{PREFIX}.jwt_token".freeze
+      JWT_CONTEXT = "#{PREFIX}.context".freeze
+      JWT_ACCOUNT_ID = "#{PREFIX}.account_id".freeze
+      JWT_QSH_VERIFIED = "#{PREFIX}.qsh_verified".freeze
+
+      def initialize(app, options)
+        @app = app
+        @addon_key = options[:addon_key]
+        @if = options[:if]
+        @audience = options[:audience]
+      end
+
+      def call(env)
+        # Skip if @if predicate is given and evaluates to false
+        if @if && !@if.call(env)
+          return @app.call(env)
+        end
+
+        request = ActionDispatch::Request.new(env)
+
+        jwt = request.params[:jwt]
+
+        if request.headers['authorization'].present?
+          algorithm, possible_jwt = request.headers['authorization'].split(' ')
+          jwt = possible_jwt if algorithm == 'JWT'
+        end
+
+        if jwt
+          jwt_verification = JWTVerification.new(@addon_key, @audience, jwt, request)
+          jwt_auth, account_id, context, qsh_verified = jwt_verification.verify
+
+          if jwt_auth
+            request.set_header(JWT_TOKEN_HEADER, jwt_auth)
+          end
+
+          if account_id
+            request.set_header(JWT_ACCOUNT_ID, account_id)
+          end
+
+          if context
+            request.set_header(JWT_CONTEXT, context)
+          end
+
+          if qsh_verified
+            request.set_header(JWT_QSH_VERIFIED, qsh_verified)
+          end
+        end
+
+        @app.call(env)
+      end
+    end
+  end
+end

data/lib/atlassian-jwt-authentication/oauth2.rb

@@ -0,0 +1,49 @@
+require_relative './http_client'
+
+module AtlassianJwtAuthentication
+  module Oauth2
+    EXPIRE_IN_SECONDS = 60
+    AUTHORIZATION_SERVER_URL = "https://auth.atlassian.io"
+    JWT_CLAIM_PREFIX = "urn:atlassian:connect"
+    GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"
+    SCOPE_SEPARATOR = ' '
+
+    def self.get_access_token(current_jwt_token, account_id, scopes = nil)
+      response = HttpClient.new.post(AUTHORIZATION_SERVER_URL + "/oauth2/token") do |request|
+        request.headers['Content-Type'] = Faraday::Request::UrlEncoded.mime_type
+        request.body = {
+          grant_type: GRANT_TYPE,
+          assertion: prepare_jwt_token(current_jwt_token, account_id),
+          scopes: scopes&.join(SCOPE_SEPARATOR)&.upcase,
+        }.compact
+      end
+
+      raise "Request failed with #{response.status}" unless response.success?
+
+      JSON.parse(response.body)
+    end
+
+    def self.prepare_jwt_token(current_jwt_token, account_id)
+      unless current_jwt_token
+        raise 'Missing Authentication context'
+      end
+
+      unless account_id
+        raise 'Missing User key'
+      end
+
+      # Expiry for the JWT token is 3 minutes from now
+      issued_at = Time.now.utc.to_i
+      expires_at = issued_at + EXPIRE_IN_SECONDS
+
+      JWT.encode({
+        iss: JWT_CLAIM_PREFIX + ":clientid:" + current_jwt_token.oauth_client_id,
+        sub: JWT_CLAIM_PREFIX + ":useraccountid:" + account_id,
+        tnt: current_jwt_token.base_url,
+        aud: AUTHORIZATION_SERVER_URL,
+        iat: issued_at,
+        exp: expires_at,
+      }, current_jwt_token.shared_secret)
+    end
+  end
+end

data/lib/atlassian-jwt-authentication/railtie.rb

@@ -0,0 +1,7 @@
+module AtlassianJwtAuthentication
+  class Railtie < Rails::Railtie
+    rake_tasks do
+      require 'tasks/install'
+    end
+  end
+end

data/lib/atlassian-jwt-authentication/user_bearer_token.rb

@@ -0,0 +1,22 @@
+module AtlassianJwtAuthentication
+  module UserBearerToken
+    def self.user_bearer_token(current_jwt_token, account_id, scopes)
+      scopes_key = (scopes || []).map(&:downcase).sort.uniq.join(',')
+      cache_key = "jwt_token/#{current_jwt_token.id}/user/#{account_id}:scopes:/#{scopes_key}"
+
+      read_from_cache = ->(refresh = false) do
+        Rails.cache.fetch(cache_key, force: refresh) do
+          AtlassianJwtAuthentication::Oauth2::get_access_token(current_jwt_token, account_id, scopes).tap do |token_details|
+            token_details["expires_at"] = Time.now.utc.to_i + token_details["expires_in"] - 3.seconds # some leeway
+          end
+        end
+      end
+
+      access_token = read_from_cache.call(false)
+      if access_token["expires_at"] <= Time.now.utc.to_i
+        access_token = read_from_cache.call(true)
+      end
+      access_token
+    end
+  end
+end

data/lib/atlassian-jwt-authentication/verify.rb

@@ -0,0 +1,142 @@
+require 'jwt'
+
+module AtlassianJwtAuthentication
+  class JWTVerification
+    attr_accessor :addon_key, :jwt, :audience, :request, :exclude_qsh_params, :logger
+
+    def initialize(addon_key, audience, jwt, request, &block)
+      self.addon_key = addon_key
+      self.audience = audience
+      self.jwt = jwt
+      self.request = request
+
+      self.exclude_qsh_params = []
+      self.logger = nil
+
+      yield self if block_given?
+    end
+
+    def verify
+      unless jwt.present? && addon_key.present?
+        return false
+      end
+
+      # First decode the token without signature & claims verification
+      begin
+        decoded = JWT.decode(jwt, nil, false, { verify_expiration: AtlassianJwtAuthentication.verify_jwt_expiration })
+      rescue => e
+        log(:error, "Could not decode JWT: #{e.to_s} \n #{e.backtrace.join("\n")}")
+        return false
+      end
+
+      # Extract the data
+      data = decoded[0]
+      encoding_data = decoded[1]
+
+      # Find a matching JWT token in the DB
+      jwt_auth = JwtToken.where(
+          client_key: data['iss'],
+          addon_key: addon_key
+      ).first
+
+      unless jwt_auth
+        log(:error, "Could not find jwt_token for client_key #{data['iss']} and addon_key #{addon_key}")
+        return false
+      end
+
+      # Discard the tokens without verification
+      if encoding_data['alg'] == 'none'
+        log(:error, "The JWT checking algorithm was set to none for client_key #{data['iss']} and addon_key #{addon_key}")
+        return false
+      end
+
+      if AtlassianJwtAuthentication.signed_install && encoding_data['alg'] == 'RS256'
+        response = Faraday.get("https://connect-install-keys.atlassian.com/#{encoding_data['kid']}")
+        unless response.success? && response.body
+          log(:error, "Error retrieving atlassian public key. Response code #{response.status} and kid #{encoding_data['kid']}")
+          return false
+        end
+
+        decode_key = OpenSSL::PKey::RSA.new(response.body)
+        decode_options = {algorithms: ['RS256'], verify_aud: true, aud: audience}
+      else
+        decode_key = jwt_auth.shared_secret
+        decode_options = {}
+      end
+
+      # Decode the token again, this time with signature & claims verification
+      options = JWT::DefaultOptions::DEFAULT_OPTIONS.merge(verify_expiration: AtlassianJwtAuthentication.verify_jwt_expiration).merge(decode_options)
+      decoder = JWT::Decode.new(jwt, decode_key, true, options)
+      begin
+        payload, header = decoder.decode_segments
+      rescue JWT::VerificationError
+        log(:error, "Error decoding JWT segments - signature is invalid")
+        return false
+      rescue JWT::ExpiredSignature
+        log(:error, "Error decoding JWT segments - signature is expired at #{data['exp']}")
+        return false
+      end
+
+      unless header && payload
+        log(:error, "Error decoding JWT segments - no header and payload for client_key #{data['iss']} and addon_key #{addon_key}")
+        return false
+      end
+
+      if data['qsh']
+        # Verify the query has not been tampered by Creating a Query Hash and
+        # comparing it against the qsh claim on the verified token
+        if jwt_auth.base_url.present? && request.url.include?(jwt_auth.base_url)
+          path = request.url.gsub(jwt_auth.base_url, '')
+        else
+          path = request.path.gsub(AtlassianJwtAuthentication::context_path, '')
+        end
+        path = '/' if path.empty?
+
+        qsh_parameters = request.query_parameters.except(:jwt)
+
+        exclude_qsh_params.each { |param_name| qsh_parameters = qsh_parameters.except(param_name) }
+
+        qsh = request.method.upcase + '&' + path + '&' +
+            qsh_parameters.
+                sort.
+                map{ |param_pair| encode_param(param_pair) }.
+                join('&')
+
+        qsh = Digest::SHA256.hexdigest(qsh)
+
+        qsh_verified = data['qsh'] == qsh
+      else
+        qsh_verified = false
+      end
+
+      context = data['context']
+
+      # In the case of Confluence and Jira we receive user information inside the JWT token
+      if data['context'] && data['context']['user']
+        account_id = data['context']['user']['accountId']
+      else
+        account_id = data['sub']
+      end
+
+      [jwt_auth, account_id, context, qsh_verified]
+    end
+
+    private
+
+    def encode_param(param_pair)
+      key, value = param_pair
+
+      if value.respond_to?(:to_query)
+        value.to_query(key)
+      else
+        ERB::Util.url_encode(key) + '=' + ERB::Util.url_encode(value)
+      end
+    end
+
+    def log(level, message)
+      return if logger.nil?
+
+      logger.send(level.to_sym, message)
+    end
+  end
+end

data/lib/atlassian-jwt-authentication/version.rb

@@ -0,0 +1,18 @@
+module AtlassianJwtAuthentication
+  MAJOR_VERSION = "0"
+  MINOR_VERSION = "9"
+  PATH_VERSION = "0"
+
+  # rubygems don't support semantic versioning - https://github.com/rubygems/rubygems/issues/592, using GITHUB_RUN_NUMBER to represent build number
+  # going to release pre versions automatically
+  BUILD_NUMBER = ENV["GITHUB_RUN_NUMBER"] && ".pre#{ENV["GITHUB_RUN_NUMBER"]}" || ''
+
+  VERSION =
+    (
+      [
+        MAJOR_VERSION,
+        MINOR_VERSION,
+        PATH_VERSION
+      ].join(".") + BUILD_NUMBER
+    ).freeze
+end

data/lib/atlassian-jwt-authentication.rb

@@ -0,0 +1 @@
+require 'atlassian_jwt_authentication'

data/lib/atlassian_jwt_authentication.rb

@@ -0,0 +1,35 @@
+require 'atlassian-jwt-authentication/verify'
+require 'atlassian-jwt-authentication/middleware'
+require 'atlassian-jwt-authentication/filters'
+require 'atlassian-jwt-authentication/error_processor'
+require 'atlassian-jwt-authentication/version'
+require 'atlassian-jwt-authentication/helper'
+require 'atlassian-jwt-authentication/oauth2'
+require 'atlassian-jwt-authentication/user_bearer_token'
+require 'atlassian-jwt-authentication/railtie' if defined?(Rails)
+
+module AtlassianJwtAuthentication
+  include Helper
+  include Filters
+  include ErrorProcessor
+
+  mattr_accessor :context_path
+  self.context_path = ''
+
+  # Decode the JWT parameter without verification
+  mattr_accessor :verify_jwt_expiration
+  self.verify_jwt_expiration = ENV.fetch('JWT_VERIFY_EXPIRATION', 'true') != 'false'
+
+  # Log external HTTP requests?
+  mattr_accessor :log_requests
+  self.log_requests = ENV.fetch('AJA_LOG_REQUESTS', 'false') == 'true'
+
+  # Debug external HTTP requests? Log bodies
+  mattr_accessor :debug_requests
+  self.debug_requests = ENV.fetch('AJA_DEBUG_REQUESTS', 'false') == 'true'
+
+  # installation lifecycle security improvements
+  # https://community.developer.atlassian.com/t/action-required-atlassian-connect-installation-lifecycle-security-improvements/49046
+  mattr_accessor :signed_install
+  self.signed_install = ENV.fetch('AJA_SIGNED_INSTALL', false)
+end

data/lib/generators/atlassian_jwt_authentication/setup_generator.rb

@@ -0,0 +1,38 @@
+require 'rails/generators/active_record'
+
+module AtlassianJwtAuthentication
+  class SetupGenerator < Rails::Generators::Base
+    include Rails::Generators::Migration
+    desc 'Create a migration to add atlassian jwt specific fields to your model.'
+    argument :database_name, required: false,
+             type: :string,
+             desc: 'Additional database name configuration, if different from `database.yml`'
+
+    def self.source_root
+      @source_root ||= File.expand_path('../templates', __FILE__)
+    end
+
+    def self.next_migration_number(dirname)
+      next_migration_number = current_migration_number(dirname) + 1
+      ActiveRecord::Migration.next_migration_number(next_migration_number)
+    end
+
+    def self.current_migration_number(dirname) #:nodoc:
+      migration_lookup_at(dirname).collect do |file|
+        File.basename(file).split('_').first.to_i
+      end.max.to_i
+    end
+
+    def self.migration_lookup_at(dirname) #:nodoc:
+      Dir.glob("#{dirname}/[0-9]*_*.rb")
+    end
+
+    def generate_migration
+      migration_template 'jwt_tokens_migration.rb.erb', "db/#{database_name.present? ? "db_#{database_name}/" : ''}migrate/create_atlassian_jwt_tokens.rb"
+    end
+
+    def generate_models
+      template 'jwt_token.rb.erb', File.join('app/models', '', 'jwt_token.rb')
+    end
+  end
+end

data/lib/generators/atlassian_jwt_authentication/templates/jwt_token.rb.erb

@@ -0,0 +1,6 @@
+class JwtToken < ActiveRecord::Base
+  <% if database_name.present? %>
+  databases = YAML::load(IO.read('config/database_<%= database_name %>.yml'))
+  establish_connection databases[Rails.env]
+  <% end %>
+end

data/lib/generators/atlassian_jwt_authentication/templates/jwt_tokens_migration.rb.erb

@@ -0,0 +1,20 @@
+class CreateAtlassianJwtTokens < ActiveRecord::Migration[<%= ActiveRecord::Migration.current_version %>]
+  def self.up
+    if table_exists? :jwt_tokens
+      pp 'Skipping jwt_tokens table creation...'
+    else
+      create_table :jwt_tokens do |t|
+        t.string :addon_key
+        t.string :client_key
+        t.string :shared_secret
+        t.string :product_type
+        t.string :base_url
+        t.string :api_base_url
+        t.string :oauth_client_id
+        t.string :public_key
+      end
+
+      add_index(:jwt_tokens, :client_key)
+    end
+  end
+end

data/lib/tasks/install.rb

@@ -0,0 +1,55 @@
+require 'atlassian-jwt-authentication/http_client'
+
+namespace :atlassian do
+  desc 'Install plugin descriptor into Atlassian Cloud product'
+  task :install, :prefix, :email, :api_token, :descriptor_url do |task, args|
+    require 'faraday'
+    require 'json'
+
+    connection =
+      AtlassianJwtAuthentication::HttpClient.new("https://#{args.prefix}.atlassian.net") do |f|
+        f.basic_auth args.email, args.api_token
+      end
+
+    def check_status(connection, status)
+      if status['userInstalled']
+        puts 'Plugin was successfully installed'
+
+      elsif status.fetch('status', {})['done']
+        if status.fetch('status', {})['subCode']
+          puts "Error installing the plugin #{status['status']['subCode']}"
+        else
+          puts 'Plugin was successfully installed'
+        end
+
+      else
+        wait_for = [status['pingAfter'], 5].min
+        puts "waiting #{wait_for} seconds for plugin to load..."
+        sleep(wait_for)
+
+        response = connection.get(status['links']['self'])
+
+        if response.status == 303
+          puts 'Plugin was successfully installed'
+          return
+        end
+
+        check_status(connection, JSON.parse(response.body))
+      end
+    end
+
+    response = connection.get("/rest/plugins/1.0/")
+    if response.success?
+      token = response.headers['upm-token']
+
+      response = connection.post("/rest/plugins/1.0/", {pluginUri: args.descriptor_url}.to_json, 'Content-Type' => 'application/vnd.atl.plugins.remote.install+json') do |req|
+        req.params['token'] = token
+      end
+
+      payload = JSON.parse(response.body)
+      check_status(connection, payload)
+    else
+      puts "Cannot get UPM token: #{response.status}"
+    end
+  end
+end

metadata

@@ -0,0 +1,174 @@
+--- !ruby/object:Gem::Specification
+name: atlassian-jwt-authentication
+version: !ruby/object:Gem::Version
+  version: 0.9.0.pre8
+platform: ruby
+authors:
+- Laura Barladeanu
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2021-10-16 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: addressable
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.4.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.4.0
+- !ruby/object:Gem::Dependency
+  name: faraday
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.11'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.11'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.2.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.2.1
+- !ruby/object:Gem::Dependency
+  name: activerecord
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.1.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.1.0
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: generator_spec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: 'Atlassian JWT Authentication provides support for handling JWT authentication
+  as required by Atlassian when building add-ons: https://developer.atlassian.com/static/connect/docs/latest/concepts/authentication.html'
+email: laura@meisterlabs.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG
+- MIT-LICENSE
+- README.md
+- lib/atlassian-jwt-authentication.rb
+- lib/atlassian-jwt-authentication/error_processor.rb
+- lib/atlassian-jwt-authentication/filters.rb
+- lib/atlassian-jwt-authentication/helper.rb
+- lib/atlassian-jwt-authentication/http_client.rb
+- lib/atlassian-jwt-authentication/middleware.rb
+- lib/atlassian-jwt-authentication/oauth2.rb
+- lib/atlassian-jwt-authentication/railtie.rb
+- lib/atlassian-jwt-authentication/user_bearer_token.rb
+- lib/atlassian-jwt-authentication/verify.rb
+- lib/atlassian-jwt-authentication/version.rb
+- lib/atlassian_jwt_authentication.rb
+- lib/generators/atlassian_jwt_authentication/setup_generator.rb
+- lib/generators/atlassian_jwt_authentication/templates/jwt_token.rb.erb
+- lib/generators/atlassian_jwt_authentication/templates/jwt_tokens_migration.rb.erb
+- lib/tasks/install.rb
+homepage: https://meisterlabs.com/
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '2'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">"
+    - !ruby/object:Gem::Version
+      version: 1.3.1
+requirements: []
+rubygems_version: 3.1.6
+signing_key: 
+specification_version: 4
+summary: DB architecture and controller filters for dealing with Atlassian's JWT authentication
+test_files: []