diff --git a/README.md b/README.md index 524bc6eb..0b5703e6 100644 --- a/README.md +++ b/README.md @@ -27,6 +27,7 @@ * [Templates](#templates) * [Writing/Editing Templates](#writingediting-templates) * [Authentication](#authentication) + * [login vs user](#login-vs-user) * [keyring password source](#keyring-password-source) * [pass password source](#pass-password-source) * [Usage](#usage) @@ -115,7 +116,7 @@ Flags: ``` ###### **Incompatible command changes** -Unfortunately during the rewrite between v0 and v1 there were some changes necessary that broke backwards compatibility with existing commands. Specifically the `dups`, `blocks`, `add worklog` and `add|remove|set labels` commands have had the command word swapped around: +Unfortunately during the rewrite between v0 and v1 there were some necessary changes that broke backwards compatibility with existing commands. Specifically the `dups`, `blocks`, `add worklog` and `add|remove|set labels` commands have had the command word swapped around: * `jira DUPLICATE dups ISSUE` => `jira dup DUPLICATE ISSUE` * `jira BLOCKER blocks ISSUE` => `jira block BLOCKER ISSUE` * `jira add worklog` => `jira worklog add` @@ -124,20 +125,17 @@ Unfortunately during the rewrite between v0 and v1 there were some changes neces * `jira set labels` => `jira labels set` ###### **Login process change** +We have, once again, changed how login happens for Jira. When authenticating against Atlassian Cloud Jira [API Tokens are now required](https://developer.atlassian.com/cloud/jira/platform/deprecation-notice-basic-auth-and-cookie-based-auth/). Please read [the Authentication section](#authentication) below for more information. + +If you use a privately hosted Jira service, you can chose to use the API Token method or continue using the session login api. Please read [the Authentication section](#authentication) below for more information. + Previously `jira` used attempt to get a `JSESSION` cookies by authenticating with the webservice standard GUI login process. This has been especially problematic as users need to authenticate with various credential providers (google auth, etc). We now attempt to authenticate via the [session login api](https://docs.atlassian.com/jira/REST/cloud/#auth/1/session-login). This may be problematic for users if admins have locked down the session-login api, so we might have to bring back the error-prone Basic-Auth approach. For users that are unable to authenticate via `jira` hopefully someone in your organization can provide me with details on a process for you to authenticate and we can try to update `jira`. ## Configuration -**go-jira** uses a configuration hierarchy. When loading the configuration from disk it will recursively look through -all parent directories in your current path looking for a **.jira.d** directory. If your current directory is not -a child directory of your homedir, then your homedir will also be inspected for a **.jira.d** directory. From all of **.jira.d** directories -discovered **go-jira** will load a **<command>.yml** file (ie for `jira list` it will load `.jira.d/list.yml`) then it will merge in any properties from the **config.yml** if found. The configuration properties found in a file closests to your current working directory -will have precedence. Properties overriden with command line options will have final precedence. +**go-jira** uses a configuration hierarchy. When loading the configuration from disk it will recursively look through all parent directories in your current path looking for a **.jira.d** directory. If your current directory is not a child directory of your homedir, then your homedir will also be inspected for a **.jira.d** directory. From all of **.jira.d** directories discovered **go-jira** will load a **<command>.yml** file (ie for `jira list` it will load `.jira.d/list.yml`) then it will merge in any properties from the **config.yml** if found. The configuration properties found in a file closests to your current working directory will have precedence. Properties overriden with command line options will have final precedence. -The complicated configuration hierarchy is used because **go-jira** attempts to be context aware. For example, if you are working on a "foo" project and -you `cd` into your project workspace, wouldn't it be nice if `jira ls` automatically knew to list only issues related to the "foo" project? Likewise when you -`cd` to the "bar" project then `jira ls` should only list issues related to "bar" project. You can do this with by creating a configuration under your project -workspace at **./.jira.d/config.yml** that looks like: +The complicated configuration hierarchy is used because **go-jira** attempts to be context aware. For example, if you are working on a "foo" project and you `cd` into your project workspace, wouldn't it be nice if `jira ls` automatically knew to list only issues related to the "foo" project? Likewise when you `cd` to the "bar" project then `jira ls` should only list issues related to "bar" project. You can do this with by creating a configuration under your project workspace at **./.jira.d/config.yml** that looks like: ``` project: foo @@ -370,7 +368,18 @@ jira list -t debug ### Authentication -By default `go-jira` will prompt for a password automatically when get a response header from the Jira service that indicates you do not have an active session (ie the `X-Ausername` header is set to `anonymous`). Then after authentication we cache the `cloud.session.token` cookie returned by the service [session login api](https://docs.atlassian.com/jira/REST/cloud/#auth/1/session-login) and reuse that on subsequent requests. Typically this cookie will be valid for several hours (depending on the service configuration). To automatically securely store your password for easy reuse by jira You can enable a `password-source` via `.jira.d/config.yml` with possible values of `keyring` or `pass`. +For Atlassian Cloud hosted Jira [API Tokens are now required](https://developer.atlassian.com/cloud/jira/platform/deprecation-notice-basic-auth-and-cookie-based-auth/). You will automatically be prompted for an API Token if your jira endoint ends in `.atlassian.net`. If you are using a private Jira service, you can force `jira` to use an api-token by setting the `authentication-method: api-token` property in your `$HOME/.jira.d/config.yml` file. The API Token needs to be presented to the Jira service on every request, so it is recommended to store this API Token security within your OS's keyring, or using the `pass` service as documented below so that it can be programatically accessed via `jira` and not prompt you every time. For a less-secure option you can also provide the API token via a `JIRA_API_TOKEN` environment variable. If you are unable to use an api-token for an Atlassian Cloud hosted Jira then you can still force `jira` to use the old session based authentication (until it the hosted system stops accepting it) by setting `authentication-method: session`. + +If your Jira service still allows you to use the Session based authention method then `jira` will prompt for a password automatically when get a response header from the Jira service that indicates you do not have an active session (ie the `X-Ausername` header is set to `anonymous`). Then after authentication we cache the `cloud.session.token` cookie returned by the service [session login api](https://docs.atlassian.com/jira/REST/cloud/#auth/1/session-login) and reuse that on subsequent requests. Typically this cookie will be valid for several hours (depending on the service configuration). To automatically securely store your password for easy reuse by jira You can enable a `password-source` via `.jira.d/config.yml` with possible values of `keyring` or `pass`. + +#### User vs Login +The Jira service has sometimes differing opinions about how a user is identified. In other words the ID you login with might not be ID that the jira system recognized you as. This matters when trying to identify a user via various Jira REST APIs (like issue assignment). This is especially relevent when trying to authenticate with an API Token where the authentication user is usually an email address, but within the Jira system the user is identified by a user name. To accomodate this `jira` now supports two different properties in the config file. So when authentication using the API Tokens you will likely want something like this in your `$HOME/.jira.d/config.yml` file: +``` +user: person +login: person@example.com +``` + +You can also override these values on the command line with `jira --user person --login person@example.com`. The `login` value will be used only for authentication purposes, the `user` value will be used when a user name is required for any Jira service API calls. #### keyring password source On OSX and Linux there are a few keyring providers that `go-jira` can use (via this [golang module](https://github.com/tmc/keyring)). To integrate `go-jira` with a supported keyring just add this configuration to `$HOME/.jira.d/config.yml`: diff --git a/jiracli/cli.go b/jiracli/cli.go index 184c32bf..67fbfcd0 100644 --- a/jiracli/cli.go +++ b/jiracli/cli.go @@ -3,6 +3,7 @@ package jiracli import ( "bytes" "crypto/tls" + "encoding/base64" "fmt" "io" "io/ioutil" @@ -27,13 +28,15 @@ type Exit struct { } type GlobalOptions struct { - Endpoint figtree.StringOption `yaml:"endpoint,omitempty" json:"endpoint,omitempty"` - Insecure figtree.BoolOption `yaml:"insecure,omitempty" json:"insecure,omitempty"` - PasswordSource figtree.StringOption `yaml:"password-source,omitempty" json:"password-source,omitempty"` - Quiet figtree.BoolOption `yaml:"quiet,omitempty" json:"quiet,omitempty"` - UnixProxy figtree.StringOption `yaml:"unixproxy,omitempty" json:"unixproxy,omitempty"` - SocksProxy figtree.StringOption `yaml:"socksproxy,omitempty" json:"socksproxy,omitempty"` - User figtree.StringOption `yaml:"user,omitempty" json:"user,omitempty"` + AuthenticationMethod figtree.StringOption `yaml:"authentication-method,omitempty" json:"authentication-method,omitempty"` + Endpoint figtree.StringOption `yaml:"endpoint,omitempty" json:"endpoint,omitempty"` + Insecure figtree.BoolOption `yaml:"insecure,omitempty" json:"insecure,omitempty"` + Login figtree.StringOption `yaml:"login,omitempty" json:"login,omitempty"` + PasswordSource figtree.StringOption `yaml:"password-source,omitempty" json:"password-source,omitempty"` + Quiet figtree.BoolOption `yaml:"quiet,omitempty" json:"quiet,omitempty"` + SocksProxy figtree.StringOption `yaml:"socksproxy,omitempty" json:"socksproxy,omitempty"` + UnixProxy figtree.StringOption `yaml:"unixproxy,omitempty" json:"unixproxy,omitempty"` + User figtree.StringOption `yaml:"user,omitempty" json:"user,omitempty"` } type CommonOptions struct { @@ -69,33 +72,56 @@ func RegisterCommand(regEntry CommandRegistry) { globalCommandRegistry = append(globalCommandRegistry, regEntry) } +func (o *GlobalOptions) AuthMethod() string { + if strings.Contains(o.Endpoint.Value, ".atlassian.net") && o.AuthenticationMethod.Source == "default" { + return "api-token" + } + return o.AuthenticationMethod.Value +} + func register(app *kingpin.Application, o *oreo.Client, fig *figtree.FigTree) { globals := GlobalOptions{ - User: figtree.NewStringOption(os.Getenv("USER")), + User: figtree.NewStringOption(os.Getenv("USER")), + AuthenticationMethod: figtree.NewStringOption("session"), } app.Flag("endpoint", "Base URI to use for Jira").Short('e').SetValue(&globals.Endpoint) app.Flag("insecure", "Disable TLS certificate verification").Short('k').SetValue(&globals.Insecure) app.Flag("quiet", "Suppress output to console").Short('Q').SetValue(&globals.Quiet) app.Flag("unixproxy", "Path for a unix-socket proxy").SetValue(&globals.UnixProxy) app.Flag("socksproxy", "Address for a socks proxy").SetValue(&globals.SocksProxy) - app.Flag("user", "Login name used for authentication with Jira service").Short('u').SetValue(&globals.User) + app.Flag("user", "user name used within the Jira service").Short('u').SetValue(&globals.User) + app.Flag("login", "login name that corresponds to the user used for authentication").SetValue(&globals.Login) + + o = o.WithPreCallback( + func(req *http.Request) (*http.Request, error) { + if globals.AuthMethod() == "api-token" { + // need to set basic auth header with user@domain:api-token + token := globals.GetPass() + authHeader := fmt.Sprintf("Basic %s", base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", globals.Login.Value, token)))) + req.Header.Add("Authorization", authHeader) + } + return req, nil + }, + ) o = o.WithPostCallback( func(req *http.Request, resp *http.Response) (*http.Response, error) { - authUser := resp.Header.Get("X-Ausername") - if authUser == "" || authUser == "anonymous" { - // preserve the --quiet value, we need to temporarily disable it so - // the normal login output is surpressed - defer func(quiet bool) { - globals.Quiet.Value = quiet - }(globals.Quiet.Value) - globals.Quiet.Value = true - - // we are not logged in, so force login now by running the "login" command - app.Parse([]string{"login"}) - - // rerun the original request - return o.Do(req) + if globals.AuthMethod() == "session" { + authUser := resp.Header.Get("X-Ausername") + if authUser == "" || authUser == "anonymous" { + // preserve the --quiet value, we need to temporarily disable it so + // the normal login output is surpressed + defer func(quiet bool) { + globals.Quiet.Value = quiet + }(globals.Quiet.Value) + globals.Quiet.Value = true + + // we are not logged in, so force login now by running the "login" command + app.Parse([]string{"login"}) + + // rerun the original request + return o.Do(req) + } } return resp, nil }, @@ -132,6 +158,12 @@ func register(app *kingpin.Application, o *oreo.Client, fig *figtree.FigTree) { } else if globals.SocksProxy.Value != "" { o = o.WithTransport(socksProxy(globals.SocksProxy.Value)) } + if globals.AuthMethod() == "api-token" { + o = o.WithCookieFile("") + } + if globals.Login.Value == "" { + globals.Login = globals.User + } return nil }) diff --git a/jiracli/password.go b/jiracli/password.go index 96b2b592..8c89170e 100644 --- a/jiracli/password.go +++ b/jiracli/password.go @@ -3,6 +3,7 @@ package jiracli import ( "bytes" "fmt" + "os" "os/exec" "strings" @@ -12,24 +13,36 @@ import ( func (o *GlobalOptions) ProvideAuthParams() *jiradata.AuthParams { return &jiradata.AuthParams{ - Username: o.User.Value, + Username: o.Login.Value, Password: o.GetPass(), } } +func (o *GlobalOptions) keyName() string { + user := o.Login.Value + if o.AuthMethod() == "api-token" { + user = "api-token:" + user + } + + if o.PasswordSource.Value == "pass" { + return fmt.Sprintf("GoJira/%s", user) + } + return user +} + func (o *GlobalOptions) GetPass() string { passwd := "" if o.PasswordSource.Value != "" { if o.PasswordSource.Value == "keyring" { var err error - passwd, err = keyringGet(o.User.Value) + passwd, err = keyringGet(o.keyName()) if err != nil { panic(err) } } else if o.PasswordSource.Value == "pass" { if bin, err := exec.LookPath("pass"); err == nil { buf := bytes.NewBufferString("") - cmd := exec.Command(bin, fmt.Sprintf("GoJira/%s", o.User)) + cmd := exec.Command(bin, o.keyName()) cmd.Stdout = buf cmd.Stderr = buf if err := cmd.Run(); err == nil { @@ -44,9 +57,23 @@ func (o *GlobalOptions) GetPass() string { if passwd != "" { return passwd } + + if passwd = os.Getenv("JIRA_API_TOKEN"); passwd != "" && o.AuthMethod() == "api-token" { + return passwd + } + + prompt := fmt.Sprintf("Jira Password [%s]: ", o.Login) + help := "" + + if o.AuthMethod() == "api-token" { + prompt = fmt.Sprintf("Jira API-Token [%s]: ", o.Login) + help = "API Tokens may be required by your Jira service endpoint: https://developer.atlassian.com/cloud/jira/platform/deprecation-notice-basic-auth-and-cookie-based-auth/" + } + err := survey.AskOne( &survey.Password{ - Message: fmt.Sprintf("Jira Password [%s]: ", o.User), + Message: prompt, + Help: help, }, &passwd, nil, @@ -62,7 +89,7 @@ func (o *GlobalOptions) GetPass() string { func (o *GlobalOptions) SetPass(passwd string) error { if o.PasswordSource.Value == "keyring" { // save password in keychain so that it can be used for subsequent http requests - err := keyringSet(o.User.Value, passwd) + err := keyringSet(o.keyName(), passwd) if err != nil { log.Errorf("Failed to set password in keyring: %s", err) return err @@ -70,7 +97,7 @@ func (o *GlobalOptions) SetPass(passwd string) error { } else if o.PasswordSource.Value == "pass" { if bin, err := exec.LookPath("pass"); err == nil { log.Debugf("using %s", bin) - passName := fmt.Sprintf("GoJira/%s", o.User) + passName := o.keyName() if passwd != "" { in := bytes.NewBufferString(fmt.Sprintf("%s\n%s\n", passwd, passwd)) out := bytes.NewBufferString("") diff --git a/jiracmd/login.go b/jiracmd/login.go index e7e950c2..23596719 100644 --- a/jiracmd/login.go +++ b/jiracmd/login.go @@ -46,6 +46,11 @@ func authCallback(req *http.Request, resp *http.Response) (*http.Response, error // CmdLogin will attempt to login into jira server func CmdLogin(o *oreo.Client, globals *jiracli.GlobalOptions, opts *jiracli.CommonOptions) error { + if globals.AuthMethod() == "api-token" { + log.Noticef("No need to login when using api-token authentication method") + return nil + } + ua := o.WithoutRedirect().WithRetries(0).WithoutCallbacks().WithPostCallback(authCallback) for { if session, err := jira.GetSession(o, globals.Endpoint.Value); err != nil { diff --git a/jiracmd/logout.go b/jiracmd/logout.go index 23c3ffad..225819f4 100644 --- a/jiracmd/logout.go +++ b/jiracmd/logout.go @@ -27,6 +27,10 @@ func CmdLogoutRegistry() *jiracli.CommandRegistryEntry { // CmdLogout will attempt to terminate an active Jira session func CmdLogout(o *oreo.Client, globals *jiracli.GlobalOptions, opts *jiracli.CommonOptions) error { + if globals.AuthMethod() == "api-token" { + log.Noticef("No need to logout when using api-token authentication method") + return nil + } ua := o.WithoutRedirect().WithRetries(0).WithoutCallbacks() err := jira.DeleteSession(ua, globals.Endpoint.Value) if err == nil { diff --git a/jiracmd/take.go b/jiracmd/take.go index b1f08a5d..54947af0 100644 --- a/jiracmd/take.go +++ b/jiracmd/take.go @@ -17,7 +17,9 @@ func CmdTakeRegistry() *jiracli.CommandRegistryEntry { return CmdAssignUsage(cmd, &opts) }, func(o *oreo.Client, globals *jiracli.GlobalOptions) error { - opts.Assignee = globals.User.Value + if opts.Assignee == "" { + opts.Assignee = globals.User.Value + } return CmdAssign(o, globals, &opts) }, } diff --git a/t/.jira.d/config.yml b/t/.jira.d/config.yml index 5e6a2811..0f7e3a33 100644 --- a/t/.jira.d/config.yml +++ b/t/.jira.d/config.yml @@ -3,6 +3,7 @@ config: password-source: pass endpoint: https://go-jira.atlassian.net user: gojira +login: gojira@corybennett.org project: BASIC diff --git a/t/.password-store/GoJira/api-token:gojira@corybennett.org.gpg b/t/.password-store/GoJira/api-token:gojira@corybennett.org.gpg new file mode 100644 index 00000000..ec7aa46d Binary files /dev/null and b/t/.password-store/GoJira/api-token:gojira@corybennett.org.gpg differ diff --git a/t/.password-store/GoJira/api-token:mothra@corybennett.org.gpg b/t/.password-store/GoJira/api-token:mothra@corybennett.org.gpg new file mode 100644 index 00000000..92766db7 Binary files /dev/null and b/t/.password-store/GoJira/api-token:mothra@corybennett.org.gpg differ diff --git a/t/100basic.t b/t/100basic.t index d4743279..17adce3a 100755 --- a/t/100basic.t +++ b/t/100basic.t @@ -245,7 +245,7 @@ EOF # reset login for mothra for voting ############################################################################### -jira="$jira --user mothra" +jira="$jira --user mothra --login mothra@corybennett.org" RUNS $jira logout RUNS $jira login diff --git a/t/200scrum.t b/t/200scrum.t index 6acb05cb..cb56844a 100755 --- a/t/200scrum.t +++ b/t/200scrum.t @@ -185,7 +185,7 @@ EOF # reset login for mothra for voting ############################################################################### -jira="$jira --user mothra" +jira="$jira --user mothra --login mothra@corybennett.org" RUNS $jira logout echo "mothra123" | RUNS $jira login diff --git a/t/300kanban.t b/t/300kanban.t index 6feb046a..42502cde 100755 --- a/t/300kanban.t +++ b/t/300kanban.t @@ -185,7 +185,7 @@ EOF # reset login for mothra for voting ############################################################################### -jira="$jira --user mothra" +jira="$jira --user mothra --login mothra@corybennett.org" RUNS $jira logout echo "mothra123" | RUNS $jira login diff --git a/t/400project.t b/t/400project.t index 0c5e8838..9b6a6a05 100755 --- a/t/400project.t +++ b/t/400project.t @@ -185,7 +185,7 @@ EOF # reset login for mothra for voting ############################################################################### -jira="$jira --user mothra" +jira="$jira --user mothra --login mothra@corybennett.org" RUNS $jira logout echo "mothra123" | RUNS $jira login diff --git a/t/500process.t b/t/500process.t index 8b4d2f0b..5bc4ae21 100755 --- a/t/500process.t +++ b/t/500process.t @@ -194,7 +194,7 @@ EOF # reset login for mothra for voting ############################################################################### -jira="$jira --user mothra" +jira="$jira --user mothra --login mothra@corybennett.org" RUNS $jira logout echo "mothra123" | RUNS $jira login diff --git a/t/600task.t b/t/600task.t index 1319206b..969c4565 100755 --- a/t/600task.t +++ b/t/600task.t @@ -187,7 +187,7 @@ EOF # reset login for mothra for voting ############################################################################### -jira="$jira --user mothra" +jira="$jira --user mothra --login mothra@corybennett.org" RUNS $jira logout echo "mothra123" | RUNS $jira login