Vendor atlassian-jwt and unlock jwt 3.x#482
Conversation
|
@byroot I'd like to propose a different approach. Since tests are failing after vendoring, what if we just switch to diff --git a/jira-ruby.gemspec b/jira-ruby.gemspec
index e825102..a31c832 100644
--- a/jira-ruby.gemspec
+++ b/jira-ruby.gemspec
@@ -23,8 +23,8 @@ Gem::Specification.new do |s|
s.require_paths = ['lib']
s.add_dependency 'activesupport'
- s.add_dependency 'atlassian-jwt'
s.add_dependency 'cgi'
+ s.add_dependency 'jwt'
s.add_dependency 'multipart-post'
s.add_dependency 'oauth', '~> 1.0'
end
diff --git a/lib/jira/jwt_client.rb b/lib/jira/jwt_client.rb
index 1fa441e..ab0fb7d 100644
--- a/lib/jira/jwt_client.rb
+++ b/lib/jira/jwt_client.rb
@@ -1,6 +1,9 @@
# frozen_string_literal: true
-require 'atlassian/jwt'
+require 'cgi'
+require 'digest'
+require 'jwt'
+require 'uri'
module JIRA
class JwtClient < HttpClient
@@ -29,15 +32,32 @@ module JIRA
end
def build_jwt(url)
- claim = Atlassian::Jwt.build_claims \
- @options[:issuer],
- url,
- http_method.to_s,
- @options[:site],
- (Time.now - 60).to_i,
- (Time.now + 86_400).to_i
+ now = Time.now.to_i
+ claim = {
+ iss: @options[:issuer],
+ iat: now - 60,
+ exp: now + 86_400,
+ qsh: query_string_hash(url, http_method.to_s)
+ }
JWT.encode claim, @options[:shared_secret]
end
+
+ def query_string_hash(url, http_method)
+ uri = URI.parse(url)
+ base_uri = URI.parse(@options[:site])
+
+ path = uri.path.delete_prefix(base_uri.path)
+ path = '/' if path.empty?
+
+ params = CGI.parse(uri.query || '')
+ params.delete('jwt')
+ sorted_params = params.sort.map do |key, values|
+ "#{CGI.escape(key)}=#{values.sort.map { |v| CGI.escape(v) }.join(',')}"
+ end.join('&')
+
+ canonical = "#{http_method.upcase}&#{path}&#{sorted_params}"
+ Digest::SHA256.hexdigest(canonical)
+ end
end
end |
|
My bad on the failing CI, it's unclear to me how these specs ever passed. But regardless, that code isn't actually needed, so I trimed it, it should pass now. But otherwise, yes your proposal seem fine, I just went the simpler route because I only have limited context on this code, I'm not attached to a particular solution, as long as |
|
Respectful nudge |
Hi @byroot, I've updated the permissions on this PR to allow the checks to run and it looks like there's one minor Rubocop issue. If you could clear that up then I'll get this merged, thanks! |
|
Indeed, which is weird because it doesn't fail on my machine 🤔 |
Currently `jira-ruby` depends on `atlassian-jwt` which itself has a dependency on `jwt ~> 2.1`. `jwt` being a popular dependency, this not allowing `jwt 3.x`, prevent updating a lot of other gems. Given the state of `atlassian-jwt`, I don't expect them to ever release a new version, but it's not a whole lot of code so I think it makes more sense to just vendor it. Licensing wise there is compatibility.
|
Nevermind, I was on the wrong machine 😂 . It's fixed now. However I still can't trigger builds, sorry. |
bobbrodie
left a comment
bobbrodie
left a comment
There was a problem hiding this comment.
Thank you so much for the contribution!
|
Great, everything passes, we're merged in, and I'll get this in |
|
Thanks for the merge! |
2 participants
Currently
jira-rubydepends onatlassian-jwtwhich itself has a dependency onjwt ~> 2.1.jwtbeing a popular dependency, this not allowingjwt 3.x, prevent updating a lot of other gems.Given the state of
atlassian-jwt, I don't expect them to ever release a new version, but it's not a whole lot of code so I think it makes more sense to just vendor it. Licensing wise there is compatibility.Ref: https://bitbucket.org/atlassian/atlassian-jwt-ruby/src/master/
Ref: https://rubygems.org/gems/atlassian-jwt