MM-15455 Some improvements to cloud connect flow. #55

Merged
merged 1 commit into from
May 10, 2019

Conversation

crspeller
Copy link
Member

No description provided.

@crspeller crspeller added the 2: Dev Review Requires review by a core committer label May 10, 2019
@@ -165,7 +165,7 @@ func (jci jiraCloudInstance) parseHTTPRequestJWT(r *http.Request) (*jwt.Token, s
// HMAC secret is a []byte
return []byte(jci.AtlassianSecurityContext.SharedSecret), nil
})
if err != nil {
if err != nil || !token.Valid {
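Review bot: the added `!token.Valid` is only evaluated when `err == nil`, so it never touches a nil token and is a harmless belt-and-braces check, but the check that matters is the one the visible keyfunc does not show. The closure returns `SharedSecret` for whatever `alg` the token header names; unless there is a signing-method assertion earlier in the closure, a token whose header names a different algorithm would still be verified against the HMAC secret. Suggest guarding the return with `if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok { return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"]) }`.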
Member Author

It will return an error if not valid, but just for sanity. (they check this in their docs)
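The comment above relies on the JWT library returning an error for an invalid token. As an added example that is not code from this PR or from the Mattermost Jira plugin, the following does the same verification against the standard library only, so it runs stand-alone: it pins the algorithm to HS256 before looking at the signature, checks the HMAC with the tenant shared secret, and enforces `exp`. The shared secret, the claims and the fixed clock are constructed sample values; `SignHS256` exists only to produce the samples and is not how Jira issues tokens.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of Atlassian Connect JWT claims this example checks.
type Claims struct {
	Iss string `json:"iss"` // the Connect client key of the tenant
	Sub string `json:"sub"` // the Atlassian account id of the user
	Exp int64  `json:"exp"` // expiry, seconds since the epoch
}

var (
	ErrMalformed = errors.New("jwt: malformed token")
	ErrAlg       = errors.New("jwt: unexpected alg, only HS256 is accepted")
	ErrSignature = errors.New("jwt: signature mismatch")
	ErrExpired   = errors.New("jwt: token expired")
)

// VerifyHS256 parses a compact JWT and verifies it with the shared secret.
// The alg header is pinned first: the key is an HMAC secret, so "none" or an
// asymmetric alg must be refused before any signature check. No claim is
// trusted until the MAC has been compared in constant time.
func VerifyHS256(token string, sharedSecret []byte, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrMalformed
	}
	headerJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, ErrMalformed
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerJSON, &header); err != nil {
		return nil, ErrMalformed
	}
	if header.Alg != "HS256" {
		return nil, ErrAlg
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, ErrMalformed
	}
	mac := hmac.New(sha256.New, sharedSecret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(mac.Sum(nil), sig) {
		return nil, ErrSignature
	}
	payloadJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, ErrMalformed
	}
	var claims Claims
	if err := json.Unmarshal(payloadJSON, &claims); err != nil {
		return nil, ErrMalformed
	}
	if claims.Exp == 0 || now.Unix() >= claims.Exp {
		return nil, ErrExpired
	}
	return &claims, nil
}

// SignHS256 builds the constructed sample tokens used below. The alg parameter
// lets the sample show what happens when the header lies about the algorithm.
func SignHS256(claims Claims, sharedSecret []byte, alg string) string {
	header, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	payload, _ := json.Marshal(claims)
	signingInput := base64.RawURLEncoding.EncodeToString(header) + "." +
		base64.RawURLEncoding.EncodeToString(payload)
	mac := hmac.New(sha256.New, sharedSecret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

func main() {
	secret := []byte("constructed-shared-secret-not-a-real-one") // constructed sample
	now := time.Unix(1557500000, 0)                             // fixed clock, May 2019
	sample := Claims{Iss: "constructed-client-key", Sub: "jira-account-1", Exp: now.Unix() + 180}

	claims, err := VerifyHS256(SignHS256(sample, secret, "HS256"), secret, now)
	fmt.Println("valid token:", claims, err)
	_, err = VerifyHS256(SignHS256(sample, secret, "none"), secret, now)
	fmt.Println("alg=none header:", err)
	_, err = VerifyHS256(SignHS256(sample, secret, "HS256"), []byte("wrong-secret"), now)
	fmt.Println("wrong secret:", err)
}
```

A real Connect handler additionally compares the `qsh` claim against a hash of the request it arrived on and checks `iss` against the tenant's stored client key; both are omitted here to keep the signature and algorithm checks in focus.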

if requireUserApproval {
submitURL = path.Join(jci.Plugin.GetPluginURLPath(), routeACUserConfirm)
}
submitURL := path.Join(jci.Plugin.GetPluginURLPath(), routeACUserConfirm)
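Review bot: with the conditional gone, `requireUserApproval` has no remaining use in this hunk; if it is still declared elsewhere, drop that declaration too (an unused local fails to compile, and an unused package-level flag invites someone to wire the bypass back in). Also confirm that the earlier declaration of `submitURL`, which the removed `submitURL =` assignment implies, was deleted in the same change, since `submitURL :=` will not compile if the variable already exists in this scope.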
Member Author

The confirmation is required to be secure. Otherwise you can trick people into clicking the link.

Contributor

@jasonblais is requesting the opposite :) Can you two please resolve it? (I'm 3/5 that security should win, and we should have the explicit warning/confirmation)

Member Author

Yup. Will chat with @jasonblais

Contributor

Chatted with @crspeller, given the level of a security vulnerability if this button wasn't added, I'm good with this change.

Approving PR.
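The thread above settles on keeping an explicit confirmation step. As an added example that is not code from this PR or from the Mattermost Jira plugin, the handler below shows the shape of such a step: a GET only renders both identities and a form, and the link is created solely by a POST that consumes a short-lived one-time secret, so a link someone was tricked into opening changes nothing on its own. The in-memory store, the route name and the identities are constructed stand-ins; the real plugin keeps this state in its KV store and reaches this point only after the Jira JWT and the Mattermost token have been verified.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// pendingLink is what the confirm page carries between the GET that renders
// it and the POST that completes it.
type pendingLink struct {
	MattermostUser string
	JiraAccountID  string
	Expires        time.Time
}

// Linker is a constructed stand-in for the plugin's KV-backed state.
type Linker struct {
	mu      sync.Mutex
	pending map[string]pendingLink // one-time secret -> pending link
	Linked  map[string]string      // Mattermost user -> Jira account id
	Now     func() time.Time       // injectable clock for tests
}

func NewLinker() *Linker {
	return &Linker{pending: map[string]pendingLink{}, Linked: map[string]string{}, Now: time.Now}
}

// Begin is reached only after both sides have been authenticated. It mints a
// 15-minute one-time secret that the confirm form carries back; nothing is
// linked yet.
func (l *Linker) Begin(mmUser, jiraAccountID string) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	ots := hex.EncodeToString(buf)
	l.mu.Lock()
	defer l.mu.Unlock()
	l.pending[ots] = pendingLink{mmUser, jiraAccountID, l.Now().Add(15 * time.Minute)}
	return ots, nil
}

// ServeHTTP: GET shows both identities and a POST form; only the POST, which
// consumes the secret, performs the link, so a replayed POST is refused.
func (l *Linker) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	ots := r.FormValue("ots")
	l.mu.Lock()
	p, ok := l.pending[ots]
	if ok && l.Now().After(p.Expires) {
		delete(l.pending, ots) // expired: drop it and treat as unknown
		ok = false
	}
	if ok && r.Method == http.MethodPost {
		delete(l.pending, ots) // consume the secret on the state-changing request
		l.Linked[p.MattermostUser] = p.JiraAccountID
	}
	l.mu.Unlock()
	if !ok {
		http.Error(w, "unknown or expired confirmation", http.StatusForbidden)
		return
	}
	switch r.Method {
	case http.MethodGet:
		fmt.Fprintf(w, `<p>Connect Mattermost user %s to Jira account %s?</p>`+
			`<form method="post"><input type="hidden" name="ots" value="%s">`+
			`<button type="submit">Connect</button></form>`,
			html.EscapeString(p.MattermostUser), html.EscapeString(p.JiraAccountID), ots)
	case http.MethodPost:
		fmt.Fprintf(w, "connected %s to %s", p.MattermostUser, p.JiraAccountID)
	default:
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
	}
}

func main() {
	l := NewLinker()
	ots, _ := l.Begin("alice", "jira-account-1") // constructed identities
	for _, m := range []string{http.MethodGet, http.MethodPost, http.MethodPost} {
		rec := httptest.NewRecorder()
		l.ServeHTTP(rec, httptest.NewRequest(m, "/ac/user_confirm?ots="+ots, nil))
		fmt.Printf("%-4s -> %d, linked=%v\n", m, rec.Code, l.Linked)
	}
}
```

Running `main` shows the GET returning 200 with nothing linked, the first POST returning 200 with the link recorded, and the second POST returning 403 because the secret was consumed.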

@crspeller crspeller requested review from levb and cpoile May 10, 2019 19:02
Member

@cpoile cpoile left a comment

👍

@levb
Contributor

levb commented May 10, 2019

@crspeller do you mind also removing the definition of requiresUserApproval? (nit, can wait)

@crspeller
Member Author

@levb Not sure what you mean.

@levb levb merged commit 6612955 into jira2 May 10, 2019
@levb levb deleted the mm-15455 branch May 10, 2019 19:27
@levb levb added 4: Reviews Complete All reviewers have approved the pull request and removed 2: Dev Review Requires review by a core committer labels May 10, 2019
crspeller added a commit that referenced this pull request May 21, 2019
crspeller pushed a commit that referenced this pull request May 24, 2019
* JIRAv2 initial PR (#36)

* Refactored the JIRA plugin to support more events

* Removed Enabled config setting

* PR feedback

* PR feedback from @hanzei

* Added back webhook tests, updated for MD

* coverage

* Added back formatting as Slack attachments

* Add atlassian connect functionality

* Updated plugin.json

* merged the minimal webapp from hackathon

* Updated .gitignore

* wip Merged plugin.go from hackathon

* wip oauth failures

* wip oauth2 with a static clientid seems to work

* wip /jira connect seems to work

* wip trying JWT webhook setup

* wip

* wip

* wip connect auth and the beginning of issue

* Added webapp from hackathon

* Create JIRA Issue is showing up

* wip create issue with semi-fakeuser mapping

* JWT verification in user-config page

* moved JWT verification into auth.go

* WIP WIP WIP in the middle of something

* wip flow works, need to add encryption

* User mapping works

* added /jira-disconnect

* Fix websocket event handling for connect and add disconnect

* WIP fixed websocket initialization

* WIP - TODO encrypt Atl account ID in config

* Secured the auth flow, passing mm_token and jwt to the final endpoint

* Restored legacy webhook support

* Process mentions in Webhooks, rearrange files

* Point Gopkg.toml at mattermost-server/master for now

* Adding comments for posts mentioning JIRA issues

* Some error logging

* Cleanup

* 5.8 compatibility: replace GetBundlePath with old-style config hacking

* go test cleanup

* Removed unused files

* Fixed MM-15004, no longer requires admin to connect user

* wip prefixing and instances - appears to work with connect

* MM-15003 Prefix KV keys with the JIRA instance ID

- Reworked the kv store functions to use the JIRA BaseURL as a part of the
key.
- Other cleanup

* Added JIRA Server and OAuth1

- Added back OAuth1 functionality
- Added `type JIRAInstance` and moved a lot of instance-specific data
  there
- Added "cloud" and "server" instance types, for now with switches
- Added `/jira add server url` command to add JIRA Server instances

* wip style/naming

* JIRA Server auth appears to work

* Cosmetic PR feedback, fixed atlassian-connect.json

* Fixed a crash if no current JIRAInstance exists

* GetJIRAClient refactor

* GetJIRACLient appears to work

* CreateIssue works in server and cloud

* Added (encoded) URL to Atlassian-connect.json `key` value (e.g. `"mattermost-https-e1ba36fb-ngrok-io"`), making it unique per Mattermost instance. Now can add multiple Mattermost instances to the same JIRA Cloud instance
* Removed caching of the project keys in anticipation of the new cache
* Webapp CreateIssue: use f.schema.system rather than f.key to identify field keys, this works with JIRA Server and Cloud versions.
* Webapp: CreateIssue renderFields: initialize `description` to an empty value to avoid JS errors

* PR feedback: ephf -> responsef

* Cleanup, /jira command improvements

- added `/jira help`
- added instance numbers to `/jira instance list`, ability to do
 `/jira instance select {number}`
- style: refactored command.go
- style: http naming, and using constants for all routes
- style: updated webapp to match
- style: eliminated unused oauth2.code

* Fixed 2 typos in 1 URL

* WIP prep to having a revoke button on the confirm page

- fixed a typo in `/jira instance listt` output
- removed unused routeOAuth1Connect and related code
- renamed StoreOAuth1RequestToken to StoreOneTimeSecret and such

* PR feedback (style), expire OTS

* PR feedback: Do not change original posts

- Do not change the original posts when creating issues
- require MM server 5.6 to build
- Style, error handling

* Fixed "Connect to JIRA" URL in post menu item

* PR feedback: added explicit Gopkg.toml deps

* PR feedback: style and error handling

* PR feedback: more style

* Fix tests.

* Fix linting.

* Removed notify() from webhooks for now, to pass the tests

* Uncommented the tests @cristopher took out

* Uncommented the test I missed

* Minor fixes

* Update README.md

* Revert accidental commit

* Update README.md (#38)

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* quick fix of url

* correct the menu item used in Jira

* Proposed text updates for /jira slash commands (#41)

* Proposed text updates for /jira slash commands

Feedback welcome

* Address review feedback on command.go

* Some cleanup for Jira plugin (#42)

* Update instance_server.go

* JIRA -> Jira in error text

* JIRA > Jira, text update for Jira Server URL help text

* Update kv.go

* Update message_posted.go

* JIRA > Jira

* Update user_oauth1.go

* Update utils.go

* JIRA > Jira

* JIRA > Jira

* Update create_issue.jsx

* Update http.go

* JIRA > Jira

* MM-15244 Jira Cloud user connect security (#39)

* Adjusted the cloud auth flow as per spec

- changed cloud user mapping flow:
  1. serve a page that retrieves mm_token and auto-resubmits
     (`/ac/user_redirect.html`)
  2. (skipped/not implemented) a confirm page that would display both
     usernames, and have a submit button
  3. connect the accounts, and serve a summary page with a "Disconnect"
     button (`/ac/user_connected.html`)
  4. disconnect the accounts if the above button is clicked,
     (`/ac/user_disconnected.html`)
- refactored http to use withXxxInstance
- refactored use of templates

* Added OTS to Jira Cloud user connect flow

- Added `Secret` field to `type AuthToken`
- Populate `Secret` with a random md5(256bytes) secret
- Verify and remove OTS
- Added a missing ./server/templates/ac/user_connected.html

* Added a confirm page in the flow

* Cleanup of Jira server connect flow

* PR feedback: style

* Careful with that lock, Eugene

* Style, govet, added a template I missed

* CAREFUL with that lock, Eugene

* resolved merge conflicts

* PR feedback: clarified respondWithTemplate

* PR feedback: md5->sha256

* PR feedback: separated Store[Current]JIRAInstance functions

* PR feedback: Like _really_ careful with that lock, Eugene

* Doc updates for roadmap and Jira Server install docs (#40)

* WIP: Doc updates for roadmap and Jira Server install docs

* Update README.md

* Update README.md

* Update based on feedback

* MM-15101 Adding /jira transition (#46)

* Adding /jira transition

* Moving transitionJiraIssue to a better home.

* MM-15253 Refactor of create-issue modal. (#44)

* Refactor of create-issue modal.

* Names feedback.

* Fixed /jira subcommand parsing consistency (#45)

* Fixed creating server/dist/templates/templates on a 2nd make (#50)

* Fixed creating server/dist/templates/templates on 2nd make

* make the cp switch portable

ref: https://unix.stackexchange.com/questions/18712/difference-between-cp-r-and-cp-r-copy-command

* small fixes to /jira instance delete (#52)

* Some improvements to cloud connect flow. (#55)

* MM-15096 UI fixes for template pages and menu item (#54)

* UI fixes for template and menu item

* Updating flexparent

* Updating templates

* Update Jira application link for Cloud (#48)

* (no ticket?) Fixed a bug in unescaping webhook secret (#53)

Also added `/jira webhook` command to see a URL custom-fit to the
current channel

* MM-15400 Added some protections to /installed link (#47)

* Added some protections to /installed link

* Forgot to reset the timeout back to 15min

* PR feedback: Installed flag

* Fixed s in URLs

* PR feedback: use  more consistently

* PR feedback: return a 403, not a 401 if already installed

* Update README.md

* Update README.md

* Add 'subject to change' for timeline in README

* Added response logging for Jira API errors (#59)

* * notifications working, added issue_created

* wip

* * new make lifecycle commands: debug, webapp-debug, reset, stop

* [MM-14773] [MM-15440] - simplify settings and setup (#57)

* [MM-14773] [MM-15440] - simplify settings and setup

* * restrict `/jira webhook` to system admins; some cleanup

* * remove public webhook instructions, remove generate webhook secret

* fixups

* Update server/command.go

Co-Authored-By: Jason Blais <13119842+jasonblais@users.noreply.github.com>

* Update server/command.go

Co-Authored-By: Jason Blais <13119842+jasonblais@users.noreply.github.com>

* PR comments

* * notification setting persisted, command line updated

* * disable notifications working

* Revert "* new make lifecycle commands: debug, webapp-debug, reset, stop"

This reverts commit 92b691d

* Fix govet

* Adding new CI

* Updating Makefile and moving to go modules

* Temporarily use jira2 as CI branch.

* fixing tests

* PR comments

* fixes needed after The Great Merge

* updated for firehose webhook (#61) now on master

* PR comments
levb pushed a commit that referenced this pull request Jul 8, 2019
* Added /jira assign <issue-key> <assignee> command
Upgrade go-jira version

* Use NewDecoder in place of unmarshaling
move /jira assign help to non sys admin section
use /api/3/ in place of /api/2/
return string from assignJiraIssue and have caller wrap in responsef()

* Move defer to before NewDecoder function

* Clean up nits.
Pass jiraUsers pointer to Do function and have that function handle
decode and defer of resp.Body.Close

* Added /jira assign <issue-key> <assignee> command
Upgrade go-jira version

* Use NewDecoder in place of unmarshaling
move /jira assign help to non sys admin section
use /api/3/ in place of /api/2/
return string from assignJiraIssue and have caller wrap in responsef()

* Move defer to before NewDecoder function

* Clean up nits.
Pass jiraUsers pointer to Do function and have that function handle
decode and defer of resp.Body.Close

* Delete file.  It is not in master

* Add support for assigning issues to jira users
  - if multiple returned users, print the display names as bullet list
  - limit number of users shown to 10

* gofmt fix

* Reword response to user
Labels
4: Reviews Complete All reviewers have approved the pull request