Add latest changes from gitlab-org/gitlab@13-4-stable-ee

4 files changed, 207 insertions, 0 deletions

diff --git a/app/controllers/jira_connect/app_descriptor_controller.rb b/app/controllers/jira_connect/app_descriptor_controller.rb
new file mode 100644
index 00000000000..bf53c61601b
--- /dev/null
+++ b/app/controllers/jira_connect/app_descriptor_controller.rb
@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+# This returns an app descriptor for use with Jira in development mode
+# For the Atlassian Marketplace, a static copy of this JSON is uploaded to the marketplace
+# https://developer.atlassian.com/cloud/jira/platform/app-descriptor/
+
+class JiraConnect::AppDescriptorController < JiraConnect::ApplicationController
+  skip_before_action :verify_atlassian_jwt!
+
+  def show
+    render json: {
+      name: Atlassian::JiraConnect.app_name,
+      description: 'Integrate commits, branches and merge requests from GitLab into Jira',
+      key: Atlassian::JiraConnect.app_key,
+      baseUrl: jira_connect_base_url(protocol: 'https'),
+      lifecycle: {
+        installed: relative_to_base_path(jira_connect_events_installed_path),
+        uninstalled: relative_to_base_path(jira_connect_events_uninstalled_path)
+      },
+      vendor: {
+        name: 'GitLab',
+        url: 'https://gitlab.com'
+      },
+      links: {
+        documentation: help_page_url('integration/jira_development_panel', anchor: 'gitlabcom-1')
+      },
+      authentication: {
+        type: 'jwt'
+      },
+      scopes: %w(READ WRITE DELETE),
+      apiVersion: 1,
+      modules: {
+        jiraDevelopmentTool: {
+          key: 'gitlab-development-tool',
+          application: {
+            value: 'GitLab'
+          },
+          name: {
+            value: 'GitLab'
+          },
+          url: 'https://gitlab.com',
+          logoUrl: view_context.image_url('gitlab_logo.png'),
+          capabilities: %w(branch commit pull_request)
+        },
+        postInstallPage: {
+          key: 'gitlab-configuration',
+          name: {
+            value: 'GitLab Configuration'
+          },
+          url: relative_to_base_path(jira_connect_subscriptions_path)
+        }
+      },
+      apiMigrations: {
+        gdpr: true
+      }
+    }
+  end
+
+  private
+
+  def relative_to_base_path(full_path)
+    full_path.sub(/^#{jira_connect_base_path}/, '')
+  end
+end
diff --git a/app/controllers/jira_connect/application_controller.rb b/app/controllers/jira_connect/application_controller.rb
new file mode 100644
index 00000000000..a84f25998a6
--- /dev/null
+++ b/app/controllers/jira_connect/application_controller.rb
@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+class JiraConnect::ApplicationController < ApplicationController
+  include Gitlab::Utils::StrongMemoize
+
+  skip_before_action :authenticate_user!
+  skip_before_action :verify_authenticity_token
+  before_action :verify_atlassian_jwt!
+
+  attr_reader :current_jira_installation
+
+  private
+
+  def verify_atlassian_jwt!
+    return render_403 unless atlassian_jwt_valid?
+
+    @current_jira_installation = installation_from_jwt
+  end
+
+  def verify_qsh_claim!
+    payload, _ = decode_auth_token!
+
+    # Make sure `qsh` claim matches the current request
+    render_403 unless payload['qsh'] == Atlassian::Jwt.create_query_string_hash(request.url, request.method, jira_connect_base_url)
+  rescue
+    render_403
+  end
+
+  def atlassian_jwt_valid?
+    return false unless installation_from_jwt
+
+    # Verify JWT signature with our stored `shared_secret`
+    decode_auth_token!
+  rescue JWT::DecodeError
+    false
+  end
+
+  def installation_from_jwt
+    return unless auth_token
+
+    strong_memoize(:installation_from_jwt) do
+      # Decode without verification to get `client_key` in `iss`
+      payload, _ = Atlassian::Jwt.decode(auth_token, nil, false)
+      JiraConnectInstallation.find_by_client_key(payload['iss'])
+    end
+  end
+
+  def decode_auth_token!
+    Atlassian::Jwt.decode(auth_token, installation_from_jwt.shared_secret)
+  end
+
+  def auth_token
+    strong_memoize(:auth_token) do
+      params[:jwt] || request.headers['Authorization']&.split(' ', 2)&.last
+    end
+  end
+end
diff --git a/app/controllers/jira_connect/events_controller.rb b/app/controllers/jira_connect/events_controller.rb
new file mode 100644
index 00000000000..8f79c82d847
--- /dev/null
+++ b/app/controllers/jira_connect/events_controller.rb
@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+class JiraConnect::EventsController < JiraConnect::ApplicationController
+  skip_before_action :verify_atlassian_jwt!, only: :installed
+  before_action :verify_qsh_claim!, only: :uninstalled
+
+  def installed
+    installation = JiraConnectInstallation.new(install_params)
+
+    if installation.save
+      head :ok
+    else
+      head :unprocessable_entity
+    end
+  end
+
+  def uninstalled
+    if current_jira_installation.destroy
+      head :ok
+    else
+      head :unprocessable_entity
+    end
+  end
+
+  private
+
+  def install_params
+    params.permit(:clientKey, :sharedSecret, :baseUrl).transform_keys(&:underscore)
+  end
+end
diff --git a/app/controllers/jira_connect/subscriptions_controller.rb b/app/controllers/jira_connect/subscriptions_controller.rb
new file mode 100644
index 00000000000..3ff12f29f10
--- /dev/null
+++ b/app/controllers/jira_connect/subscriptions_controller.rb
@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+class JiraConnect::SubscriptionsController < JiraConnect::ApplicationController
+  layout 'jira_connect'
+
+  content_security_policy do |p|
+    next if p.directives.blank?
+
+    # rubocop: disable Lint/PercentStringArray
+    script_src_values = Array.wrap(p.directives['script-src']) | %w('self' https://connect-cdn.atl-paas.net https://unpkg.com/jquery@3.3.1/)
+    style_src_values = Array.wrap(p.directives['style-src']) | %w('self' 'unsafe-inline' https://unpkg.com/@atlaskit/)
+    # rubocop: enable Lint/PercentStringArray
+
+    p.frame_ancestors :self, 'https://*.atlassian.net'
+    p.script_src(*script_src_values)
+    p.style_src(*style_src_values)
+  end
+
+  before_action :allow_rendering_in_iframe, only: :index
+  before_action :verify_qsh_claim!, only: :index
+  before_action :authenticate_user!, only: :create
+
+  def index
+    @subscriptions = current_jira_installation.subscriptions.preload_namespace_route
+  end
+
+  def create
+    result = create_service.execute
+
+    if result[:status] == :success
+      render json: { success: true }
+    else
+      render json: { error: result[:message] }, status: result[:http_status]
+    end
+  end
+
+  def destroy
+    subscription = current_jira_installation.subscriptions.find(params[:id])
+
+    if subscription.destroy
+      render json: { success: true }
+    else
+      render json: { error: subscription.errors.full_messages.join(', ') }, status: :unprocessable_entity
+    end
+  end
+
+  private
+
+  def create_service
+    JiraConnectSubscriptions::CreateService.new(current_jira_installation, current_user, namespace_path: params['namespace_path'])
+  end
+
+  def allow_rendering_in_iframe
+    response.headers.delete('X-Frame-Options')
+  end
+end