[#148] [#149] add support for api token based authentication

README.md

@@ -27,6 +27,7 @@
       * [Templates](#templates)
          * [Writing/Editing Templates](#writingediting-templates)
       * [Authentication](#authentication)
+         * [login vs user](#login-vs-user)
          * [keyring password source](#keyring-password-source)
          * [pass password source](#pass-password-source)
    * [Usage](#usage)
@@ -115,7 +116,7 @@ Flags:
 ```
 
 ###### **Incompatible command changes**
-Unfortunately during the rewrite between v0 and v1 there were some changes necessary that broke backwards compatibility with existing commands.  Specifically the `dups`, `blocks`, `add worklog` and `add|remove|set labels` commands have had the command word swapped around:
+Unfortunately during the rewrite between v0 and v1 there were some necessary changes that broke backwards compatibility with existing commands.  Specifically the `dups`, `blocks`, `add worklog` and `add|remove|set labels` commands have had the command word swapped around:
   * `jira DUPLICATE dups ISSUE` => `jira dup DUPLICATE ISSUE`
   * `jira BLOCKER blocks ISSUE` => `jira block BLOCKER ISSUE`
   * `jira add worklog` => `jira worklog add`
@@ -124,20 +125,17 @@ Unfortunately during the rewrite between v0 and v1 there were some changes neces
   * `jira set labels` => `jira labels set`
 
 ###### **Login process change**
+We have, once again, changed how login happens for Jira.  When authenticating against Atlassian Cloud Jira [API Tokens are now required](https://developer.atlassian.com/cloud/jira/platform/deprecation-notice-basic-auth-and-cookie-based-auth/).  Please read [the Authentication section](#authentication) below for more information.
+
+If you use a privately hosted Jira service, you can chose to use the API Token method or continue using the session login api.  Please read [the Authentication section](#authentication) below for more information.  
+
 Previously `jira` used attempt to get a `JSESSION` cookies by authenticating with the webservice standard GUI login process.  This has been especially problematic as users need to authenticate with various credential providers (google auth, etc).  We now attempt to authenticate via the [session login api](https://docs.atlassian.com/jira/REST/cloud/#auth/1/session-login).  This may be problematic for users if admins have locked down the session-login api, so we might have to bring back the error-prone Basic-Auth approach.  For users that are unable to authenticate via `jira` hopefully someone in your organization can provide me with details on a process for you to authenticate and we can try to update `jira`.
 
 ## Configuration
 
-**go-jira** uses a configuration hierarchy.  When loading the configuration from disk it will recursively look through
-all parent directories in your current path looking for a **.jira.d** directory.  If your current directory is not
-a child directory of your homedir, then your homedir will also be inspected for a **.jira.d** directory.  From all of **.jira.d** directories
-discovered **go-jira** will load a **<command>.yml** file (ie for `jira list` it will load `.jira.d/list.yml`) then it will merge in any properties from the **config.yml** if found.  The configuration properties found in a file closests to your current working directory
-will have precedence.  Properties overriden with command line options will have final precedence.
+**go-jira** uses a configuration hierarchy.  When loading the configuration from disk it will recursively look through all parent directories in your current path looking for a **.jira.d** directory.  If your current directory is not a child directory of your homedir, then your homedir will also be inspected for a **.jira.d** directory.  From all of **.jira.d** directories discovered **go-jira** will load a **<command>.yml** file (ie for `jira list` it will load `.jira.d/list.yml`) then it will merge in any properties from the **config.yml** if found.  The configuration properties found in a file closests to your current working directory will have precedence.  Properties overriden with command line options will have final precedence.
 
-The complicated configuration hierarchy is used because **go-jira** attempts to be context aware.  For example, if you are working on a "foo" project and
-you `cd` into your project workspace, wouldn't it be nice if `jira ls` automatically knew to list only issues related to the "foo" project?  Likewise when you
-`cd` to the "bar" project then `jira ls` should only list issues related to "bar" project.  You can do this with by creating a configuration under your project
-workspace at **./.jira.d/config.yml** that looks like:
+The complicated configuration hierarchy is used because **go-jira** attempts to be context aware.  For example, if you are working on a "foo" project and you `cd` into your project workspace, wouldn't it be nice if `jira ls` automatically knew to list only issues related to the "foo" project?  Likewise when you `cd` to the "bar" project then `jira ls` should only list issues related to "bar" project.  You can do this with by creating a configuration under your project workspace at **./.jira.d/config.yml** that looks like:
 
 ```
 project: foo
@@ -370,7 +368,18 @@ jira list -t debug
 
 ### Authentication
 
-By default `go-jira` will prompt for a password automatically when get a response header from the Jira service that indicates you do not have an active session (ie the `X-Ausername` header is set to `anonymous`).  Then after authentication we cache the `cloud.session.token` cookie returned by the service [session login api](https://docs.atlassian.com/jira/REST/cloud/#auth/1/session-login) and reuse that on subsequent requests.  Typically this cookie will be valid for several hours (depending on the service configuration).  To automatically securely store your password for easy reuse by jira You can enable a `password-source` via `.jira.d/config.yml` with possible values of `keyring` or `pass`.
+For Atlassian Cloud hosted Jira [API Tokens are now required](https://developer.atlassian.com/cloud/jira/platform/deprecation-notice-basic-auth-and-cookie-based-auth/).  You will automatically be prompted for an API Token if your jira endoint ends in `.atlassian.net`.  If you are using a private Jira service, you can force `jira` to use an api-token by setting the `authentication-method: api-token` property in your `$HOME/.jira.d/config.yml` file.  The API Token needs to be presented to the Jira service on every request, so it is recommended to store this API Token security within your OS's keyring, or using the `pass` service as documented below so that it can be programatically accessed via `jira` and not prompt you every time.  For a less-secure option you can also provide the API token via a `JIRA_API_TOKEN` environment variable.  If you are unable to use an api-token for an Atlassian Cloud hosted Jira then you can still force `jira` to use the old session based authentication (until it the hosted system stops accepting it) by setting `authentication-method: session`.
+
+If your Jira service still allows you to use the Session based authention method then `jira` will prompt for a password automatically when get a response header from the Jira service that indicates you do not have an active session (ie the `X-Ausername` header is set to `anonymous`).  Then after authentication we cache the `cloud.session.token` cookie returned by the service [session login api](https://docs.atlassian.com/jira/REST/cloud/#auth/1/session-login) and reuse that on subsequent requests.  Typically this cookie will be valid for several hours (depending on the service configuration).  To automatically securely store your password for easy reuse by jira You can enable a `password-source` via `.jira.d/config.yml` with possible values of `keyring` or `pass`.
+
+#### User vs Login
+The Jira service has sometimes differing opinions about how a user is identified.  In other words the ID you login with might not be ID that the jira system recognized you as.  This matters when trying to identify a user via various Jira REST APIs (like issue assignment).  This is especially relevent when trying to authenticate with an API Token where the authentication user is usually an email address, but within the Jira system the user is identified by a user name.  To accomodate this `jira` now supports two different properties in the config file.  So when authentication using the API Tokens you will likely want something like this in your `$HOME/.jira.d/config.yml` file:
+```
+user: person
+login: [email protected]
+```
+
+You can also override these values on the command line with `jira --user person --login [email protected]`.  The `login` value will be used only for authentication purposes, the `user` value will be used when a user name is required for any Jira service API calls.
 
 #### keyring password source
 On OSX and Linux there are a few keyring providers that `go-jira` can use (via this [golang module](https://github.com/tmc/keyring)).  To integrate `go-jira` with a supported keyring just add this configuration to `$HOME/.jira.d/config.yml`:

jiracli/cli.go

@@ -3,6 +3,7 @@ package jiracli
 import (
 	"bytes"
 	"crypto/tls"
+	"encoding/base64"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -27,13 +28,15 @@ type Exit struct {
 }
 
 type GlobalOptions struct {
-	Endpoint       figtree.StringOption `yaml:"endpoint,omitempty" json:"endpoint,omitempty"`
-	Insecure       figtree.BoolOption   `yaml:"insecure,omitempty" json:"insecure,omitempty"`
-	PasswordSource figtree.StringOption `yaml:"password-source,omitempty" json:"password-source,omitempty"`
-	Quiet          figtree.BoolOption   `yaml:"quiet,omitempty" json:"quiet,omitempty"`
-	UnixProxy      figtree.StringOption `yaml:"unixproxy,omitempty" json:"unixproxy,omitempty"`
-	SocksProxy     figtree.StringOption `yaml:"socksproxy,omitempty" json:"socksproxy,omitempty"`
-	User           figtree.StringOption `yaml:"user,omitempty" json:"user,omitempty"`
+	AuthenticationMethod figtree.StringOption `yaml:"authentication-method,omitempty" json:"authentication-method,omitempty"`
+	Endpoint             figtree.StringOption `yaml:"endpoint,omitempty" json:"endpoint,omitempty"`
+	Insecure             figtree.BoolOption   `yaml:"insecure,omitempty" json:"insecure,omitempty"`
+	Login                figtree.StringOption `yaml:"login,omitempty" json:"login,omitempty"`
+	PasswordSource       figtree.StringOption `yaml:"password-source,omitempty" json:"password-source,omitempty"`
+	Quiet                figtree.BoolOption   `yaml:"quiet,omitempty" json:"quiet,omitempty"`
+	SocksProxy           figtree.StringOption `yaml:"socksproxy,omitempty" json:"socksproxy,omitempty"`
+	UnixProxy            figtree.StringOption `yaml:"unixproxy,omitempty" json:"unixproxy,omitempty"`
+	User                 figtree.StringOption `yaml:"user,omitempty" json:"user,omitempty"`
 }
 
 type CommonOptions struct {
@@ -69,33 +72,56 @@ func RegisterCommand(regEntry CommandRegistry) {
 	globalCommandRegistry = append(globalCommandRegistry, regEntry)
 }
 
+func (o *GlobalOptions) AuthMethod() string {
+	if strings.Contains(o.Endpoint.Value, ".atlassian.net") && o.AuthenticationMethod.Source == "default" {
+		return "api-token"
+	}
+	return o.AuthenticationMethod.Value
+}
+
 func register(app *kingpin.Application, o *oreo.Client, fig *figtree.FigTree) {
 	globals := GlobalOptions{
-		User: figtree.NewStringOption(os.Getenv("USER")),
+		User:                 figtree.NewStringOption(os.Getenv("USER")),
+		AuthenticationMethod: figtree.NewStringOption("session"),
 	}
 	app.Flag("endpoint", "Base URI to use for Jira").Short('e').SetValue(&globals.Endpoint)
 	app.Flag("insecure", "Disable TLS certificate verification").Short('k').SetValue(&globals.Insecure)
 	app.Flag("quiet", "Suppress output to console").Short('Q').SetValue(&globals.Quiet)
 	app.Flag("unixproxy", "Path for a unix-socket proxy").SetValue(&globals.UnixProxy)
 	app.Flag("socksproxy", "Address for a socks proxy").SetValue(&globals.SocksProxy)
-	app.Flag("user", "Login name used for authentication with Jira service").Short('u').SetValue(&globals.User)
+	app.Flag("user", "user name used within the Jira service").Short('u').SetValue(&globals.User)
+	app.Flag("login", "login name that corresponds to the user used for authentication").SetValue(&globals.Login)
+
+	o = o.WithPreCallback(
+		func(req *http.Request) (*http.Request, error) {
+			if globals.AuthMethod() == "api-token" {
+				// need to set basic auth header with user@domain:api-token
+				token := globals.GetPass()
+				authHeader := fmt.Sprintf("Basic %s", base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", globals.Login.Value, token))))
+				req.Header.Add("Authorization", authHeader)
+			}
+			return req, nil
+		},
+	)
 
 	o = o.WithPostCallback(
 		func(req *http.Request, resp *http.Response) (*http.Response, error) {
-			authUser := resp.Header.Get("X-Ausername")
-			if authUser == "" || authUser == "anonymous" {
-				// preserve the --quiet value, we need to temporarily disable it so
-				// the normal login output is surpressed
-				defer func(quiet bool) {
-					globals.Quiet.Value = quiet
-				}(globals.Quiet.Value)
-				globals.Quiet.Value = true
-
-				// we are not logged in, so force login now by running the "login" command
-				app.Parse([]string{"login"})
-
-				// rerun the original request
-				return o.Do(req)
+			if globals.AuthMethod() == "session" {
+				authUser := resp.Header.Get("X-Ausername")
+				if authUser == "" || authUser == "anonymous" {
+					// preserve the --quiet value, we need to temporarily disable it so
+					// the normal login output is surpressed
+					defer func(quiet bool) {
+						globals.Quiet.Value = quiet
+					}(globals.Quiet.Value)
+					globals.Quiet.Value = true
+
+					// we are not logged in, so force login now by running the "login" command
+					app.Parse([]string{"login"})
+
+					// rerun the original request
+					return o.Do(req)
+				}
 			}
 			return resp, nil
 		},
@@ -132,6 +158,12 @@ func register(app *kingpin.Application, o *oreo.Client, fig *figtree.FigTree) {
 			} else if globals.SocksProxy.Value != "" {
 				o = o.WithTransport(socksProxy(globals.SocksProxy.Value))
 			}
+			if globals.AuthMethod() == "api-token" {
+				o = o.WithCookieFile("")
+			}
+			if globals.Login.Value == "" {
+				globals.Login = globals.User
+			}
 			return nil
 		})
 

jiracli/password.go

@@ -3,6 +3,7 @@ package jiracli
 import (
 	"bytes"
 	"fmt"
+	"os"
 	"os/exec"
 	"strings"
 
@@ -12,24 +13,36 @@ import (
 
 func (o *GlobalOptions) ProvideAuthParams() *jiradata.AuthParams {
 	return &jiradata.AuthParams{
-		Username: o.User.Value,
+		Username: o.Login.Value,
 		Password: o.GetPass(),
 	}
 }
 
+func (o *GlobalOptions) keyName() string {
+	user := o.Login.Value
+	if o.AuthMethod() == "api-token" {
+		user = "api-token:" + user
+	}
+
+	if o.PasswordSource.Value == "pass" {
+		return fmt.Sprintf("GoJira/%s", user)
+	}
+	return user
+}
+
 func (o *GlobalOptions) GetPass() string {
 	passwd := ""
 	if o.PasswordSource.Value != "" {
 		if o.PasswordSource.Value == "keyring" {
 			var err error
-			passwd, err = keyringGet(o.User.Value)
+			passwd, err = keyringGet(o.keyName())
 			if err != nil {
 				panic(err)
 			}
 		} else if o.PasswordSource.Value == "pass" {
 			if bin, err := exec.LookPath("pass"); err == nil {
 				buf := bytes.NewBufferString("")
-				cmd := exec.Command(bin, fmt.Sprintf("GoJira/%s", o.User))
+				cmd := exec.Command(bin, o.keyName())
 				cmd.Stdout = buf
 				cmd.Stderr = buf
 				if err := cmd.Run(); err == nil {
@@ -44,9 +57,23 @@ func (o *GlobalOptions) GetPass() string {
 	if passwd != "" {
 		return passwd
 	}
+
+	if passwd = os.Getenv("JIRA_API_TOKEN"); passwd != "" && o.AuthMethod() == "api-token" {
+		return passwd
+	}
+
+	prompt := fmt.Sprintf("Jira Password [%s]: ", o.Login)
+	help := ""
+
+	if o.AuthMethod() == "api-token" {
+		prompt = fmt.Sprintf("Jira API-Token [%s]: ", o.Login)
+		help = "API Tokens may be required by your Jira service endpoint: https://developer.atlassian.com/cloud/jira/platform/deprecation-notice-basic-auth-and-cookie-based-auth/"
+	}
+
 	err := survey.AskOne(
 		&survey.Password{
-			Message: fmt.Sprintf("Jira Password [%s]: ", o.User),
+			Message: prompt,
+			Help:    help,
 		},
 		&passwd,
 		nil,
@@ -62,15 +89,15 @@ func (o *GlobalOptions) GetPass() string {
 func (o *GlobalOptions) SetPass(passwd string) error {
 	if o.PasswordSource.Value == "keyring" {
 		// save password in keychain so that it can be used for subsequent http requests
-		err := keyringSet(o.User.Value, passwd)
+		err := keyringSet(o.keyName(), passwd)
 		if err != nil {
 			log.Errorf("Failed to set password in keyring: %s", err)
 			return err
 		}
 	} else if o.PasswordSource.Value == "pass" {
 		if bin, err := exec.LookPath("pass"); err == nil {
 			log.Debugf("using %s", bin)
-			passName := fmt.Sprintf("GoJira/%s", o.User)
+			passName := o.keyName()
 			if passwd != "" {
 				in := bytes.NewBufferString(fmt.Sprintf("%s\n%s\n", passwd, passwd))
 				out := bytes.NewBufferString("")

jiracmd/login.go

@@ -46,6 +46,11 @@ func authCallback(req *http.Request, resp *http.Response) (*http.Response, error
 
 // CmdLogin will attempt to login into jira server
 func CmdLogin(o *oreo.Client, globals *jiracli.GlobalOptions, opts *jiracli.CommonOptions) error {
+	if globals.AuthMethod() == "api-token" {
+		log.Noticef("No need to login when using api-token authentication method")
+		return nil
+	}
+
 	ua := o.WithoutRedirect().WithRetries(0).WithoutCallbacks().WithPostCallback(authCallback)
 	for {
 		if session, err := jira.GetSession(o, globals.Endpoint.Value); err != nil {

jiracmd/logout.go

@@ -27,6 +27,10 @@ func CmdLogoutRegistry() *jiracli.CommandRegistryEntry {
 
 // CmdLogout will attempt to terminate an active Jira session
 func CmdLogout(o *oreo.Client, globals *jiracli.GlobalOptions, opts *jiracli.CommonOptions) error {
+	if globals.AuthMethod() == "api-token" {
+		log.Noticef("No need to logout when using api-token authentication method")
+		return nil
+	}
 	ua := o.WithoutRedirect().WithRetries(0).WithoutCallbacks()
 	err := jira.DeleteSession(ua, globals.Endpoint.Value)
 	if err == nil {

jiracmd/take.go

@@ -17,7 +17,9 @@ func CmdTakeRegistry() *jiracli.CommandRegistryEntry {
 			return CmdAssignUsage(cmd, &opts)
 		},
 		func(o *oreo.Client, globals *jiracli.GlobalOptions) error {
-			opts.Assignee = globals.User.Value
+			if opts.Assignee == "" {
+				opts.Assignee = globals.User.Value
+			}
 			return CmdAssign(o, globals, &opts)
 		},
 	}

t/.jira.d/config.yml

@@ -3,6 +3,7 @@ config:
 password-source: pass
 endpoint: https://go-jira.atlassian.net
 user: gojira
+login: [email protected]
 
 project: BASIC
 

t/100basic.t

@@ -245,7 +245,7 @@ EOF
 # reset login for mothra for voting
 ###############################################################################
 
-jira="$jira --user mothra"
+jira="$jira --user mothra --login [email protected]"
 
 RUNS $jira logout
 RUNS $jira login

t/200scrum.t

@@ -185,7 +185,7 @@ EOF
 # reset login for mothra for voting
 ###############################################################################
 
-jira="$jira --user mothra"
+jira="$jira --user mothra --login [email protected]"
 
 RUNS $jira logout
 echo "mothra123" | RUNS $jira login

t/300kanban.t

@@ -185,7 +185,7 @@ EOF
 # reset login for mothra for voting
 ###############################################################################
 
-jira="$jira --user mothra"
+jira="$jira --user mothra --login [email protected]"
 
 RUNS $jira logout
 echo "mothra123" | RUNS $jira login

t/400project.t

@@ -185,7 +185,7 @@ EOF
 # reset login for mothra for voting
 ###############################################################################
 
-jira="$jira --user mothra"
+jira="$jira --user mothra --login [email protected]"
 
 RUNS $jira logout
 echo "mothra123" | RUNS $jira login

t/500process.t

@@ -194,7 +194,7 @@ EOF
 # reset login for mothra for voting
 ###############################################################################
 
-jira="$jira --user mothra"
+jira="$jira --user mothra --login [email protected]"
 
 RUNS $jira logout
 echo "mothra123" | RUNS $jira login

t/600task.t

@@ -187,7 +187,7 @@ EOF
 # reset login for mothra for voting
 ###############################################################################
 
-jira="$jira --user mothra"
+jira="$jira --user mothra --login [email protected]"
 
 RUNS $jira logout
 echo "mothra123" | RUNS $jira login