debian-mirror-gitlab/app/controllers/jira_connect/subscriptions_controller.rb

89 lines
3 KiB
Ruby
Raw Normal View History

2020-11-24 15:15:51 +05:30
# frozen_string_literal: true
class JiraConnect::SubscriptionsController < JiraConnect::ApplicationController
2023-03-04 22:38:38 +05:30
ALLOWED_IFRAME_ANCESTORS = [:self, 'https://*.atlassian.net', 'https://*.jira.com'].freeze
2020-11-24 15:15:51 +05:30
layout 'jira_connect'
content_security_policy do |p|
next if p.directives.blank?
# rubocop: disable Lint/PercentStringArray
2023-03-04 22:38:38 +05:30
script_src_values = Array.wrap(p.directives['script-src']) | %w['self' https://connect-cdn.atl-paas.net]
style_src_values = Array.wrap(p.directives['style-src']) | %w['self' 'unsafe-inline']
2020-11-24 15:15:51 +05:30
# rubocop: enable Lint/PercentStringArray
2022-06-21 17:19:12 +05:30
# *.jira.com is needed for some legacy Jira Cloud instances, new ones will use *.atlassian.net
# https://support.atlassian.com/organization-administration/docs/ip-addresses-and-domains-for-atlassian-cloud-products/
2023-03-04 22:38:38 +05:30
p.frame_ancestors(*(ALLOWED_IFRAME_ANCESTORS + Gitlab.config.jira_connect.additional_iframe_ancestors))
2020-11-24 15:15:51 +05:30
p.script_src(*script_src_values)
p.style_src(*style_src_values)
end
2022-05-07 20:08:51 +05:30
before_action do
2022-07-16 23:28:13 +05:30
push_frontend_feature_flag(:jira_connect_oauth, @user)
2022-05-07 20:08:51 +05:30
end
2020-11-24 15:15:51 +05:30
before_action :allow_rendering_in_iframe, only: :index
before_action :verify_qsh_claim!, only: :index
2022-08-13 15:12:31 +05:30
before_action :allow_self_managed_content_security_policy, only: :index
2020-11-24 15:15:51 +05:30
before_action :authenticate_user!, only: :create
def index
@subscriptions = current_jira_installation.subscriptions.preload_namespace_route
2021-10-27 15:23:28 +05:30
respond_to do |format|
format.html
format.json do
render json: JiraConnect::AppDataSerializer.new(@subscriptions, !!current_user).as_json
end
end
2020-11-24 15:15:51 +05:30
end
def create
result = create_service.execute
if result[:status] == :success
render json: { success: true }
else
render json: { error: result[:message] }, status: result[:http_status]
end
end
def destroy
subscription = current_jira_installation.subscriptions.find(params[:id])
2021-09-04 01:27:46 +05:30
if !jira_user&.site_admin?
render json: { error: 'forbidden' }, status: :forbidden
elsif subscription.destroy
2020-11-24 15:15:51 +05:30
render json: { success: true }
else
render json: { error: subscription.errors.full_messages.join(', ') }, status: :unprocessable_entity
end
end
private
2022-08-13 15:12:31 +05:30
def allow_self_managed_content_security_policy
return unless current_jira_installation.instance_url?
request.content_security_policy.directives['connect-src'] ||= []
2022-10-11 01:57:18 +05:30
request.content_security_policy.directives['connect-src'].concat(allowed_instance_connect_src)
2022-08-13 15:12:31 +05:30
end
2020-11-24 15:15:51 +05:30
def create_service
2021-09-04 01:27:46 +05:30
JiraConnectSubscriptions::CreateService.new(current_jira_installation, current_user, namespace_path: params['namespace_path'], jira_user: jira_user)
2020-11-24 15:15:51 +05:30
end
def allow_rendering_in_iframe
response.headers.delete('X-Frame-Options')
end
2022-10-11 01:57:18 +05:30
def allowed_instance_connect_src
[
Gitlab::Utils.append_path(current_jira_installation.instance_url, '/-/jira_connect/'),
2023-01-13 00:05:48 +05:30
Gitlab::Utils.append_path(current_jira_installation.instance_url, '/api/'),
Gitlab::Utils.append_path(current_jira_installation.instance_url, '/oauth/token')
2022-10-11 01:57:18 +05:30
]
end
2020-11-24 15:15:51 +05:30
end