Merge branch 'andysoiron/allow-context-jwt-for-jira-subscriptions-json-endpoint-2' into 'master'

Allow context qsh for Jira subscriptions json (2nd try) See merge request gitlab-org/gitlab!84642

Merge branch 'andysoiron/allow-context-jwt-for-jira-subscriptions-json-endpoint-2' into 'master'
Allow context qsh for Jira subscriptions json (2nd try) See merge request gitlab-org/gitlab!84642
4d5a577c · James Fargher · de16c73a · c8ceafc8 · 4d5a577c · 4d5a577c
Commit 4d5a577c authored Apr 12, 2022 by James Fargher
2 changed files
--- a/app/controllers/jira_connect/application_controller.rb
+++ b/app/controllers/jira_connect/application_controller.rb
@@ -22,6 +22,8 @@ class JiraConnect::ApplicationController < ApplicationController
  def verify_qsh_claim!
    payload, _ = decode_auth_token!

+    return if request.format.json? && payload['qsh'] == 'context-qsh'
+
    # Make sure `qsh` claim matches the current request
    render_403 unless payload['qsh'] == Atlassian::Jwt.create_query_string_hash(request.url, request.method, jira_connect_base_url)
  rescue StandardError

--- a/spec/controllers/jira_connect/subscriptions_controller_spec.rb
+++ b/spec/controllers/jira_connect/subscriptions_controller_spec.rb
@@ -75,6 +75,18 @@ RSpec.describe JiraConnect::SubscriptionsController do
            expect(json_response).to include('login_path' => nil)
          end
        end
+
+        context 'with context qsh' do
+          # The JSON endpoint will be requested by frontend using a JWT that Atlassian provides via Javascript.
+          # This JWT will likely use a context-qsh because Atlassian don't know for which endpoint it will be used.
+          # Read more about context JWT here: https://developer.atlassian.com/cloud/jira/platform/understanding-jwt-for-connect-apps/
+
+          let(:qsh) { 'context-qsh' }
+
+          specify do
+            expect(response).to have_gitlab_http_status(:ok)
+          end
+        end
      end
    end
  end
@@ -102,7 +114,7 @@ RSpec.describe JiraConnect::SubscriptionsController do
    end

    context 'with valid JWT' do
-      let(:claims) { { iss: installation.client_key, sub: 1234 } }
+      let(:claims) { { iss: installation.client_key, sub: 1234, qsh: '123' } }
      let(:jwt) { Atlassian::Jwt.encode(claims, installation.shared_secret) }
      let(:jira_user) { { 'groups' => { 'items' => [{ 'name' => jira_group_name }] } } }
      let(:jira_group_name) { 'site-admins' }
@@ -158,7 +170,7 @@ RSpec.describe JiraConnect::SubscriptionsController do
        .stub_request(:get, "#{installation.base_url}/rest/api/3/user?accountId=1234&expand=groups")
        .to_return(body: jira_user.to_json, status: 200, headers: { 'Content-Type' => 'application/json' })

-      delete :destroy, params: { jwt: jwt, id: subscription.id }
+      delete :destroy, params: { jwt: jwt, id: subscription.id, format: :json }
    end

    context 'without JWT' do
@@ -170,7 +182,7 @@ RSpec.describe JiraConnect::SubscriptionsController do
    end

    context 'with valid JWT' do
-      let(:claims) { { iss: installation.client_key, sub: 1234 } }
+      let(:claims) { { iss: installation.client_key, sub: 1234, qsh: '123' } }
      let(:jwt) { Atlassian::Jwt.encode(claims, installation.shared_secret) }

      it 'deletes the subscription' do