Files
simstudioai--sim/apps/sim/lib/credentials/atlassian-service-account.ts
T
wehub-resource-sync d25d482dc2
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
Publish CLI Package / publish-npm (push) Has been cancelled
Publish Python SDK / publish-pypi (push) Has been cancelled
Publish TypeScript SDK / publish-npm (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:20:55 +08:00

128 lines
4.5 KiB
TypeScript

import { parseAtlassianErrorMessage } from '@/tools/jira/utils'
/**
* Discrete validation failure codes returned to the client. The UI maps each
* code to a human message; raw Atlassian response bodies stay in server logs.
*/
export type AtlassianValidationCode =
| 'invalid_credentials'
| 'site_not_found'
| 'atlassian_unavailable'
export class AtlassianValidationError extends Error {
constructor(
public readonly code: AtlassianValidationCode,
public readonly status: number,
public readonly logDetail?: Record<string, unknown>
) {
super(code)
this.name = 'AtlassianValidationError'
}
}
/**
* Atlassian Cloud sites are always served from `*.atlassian.net` (production)
* or `*.jira-dev.com` (Atlassian's developer sandbox). Anything else is either
* a typo (`atlassian.com`, `jira.com`), a Data Center hostname (which our
* gateway URL doesn't support), or — worse — an attempt to point this
* server-side fetch at internal infrastructure (`localhost`, `169.254.169.254`,
* `*.corp`). Restricting to the public Atlassian Cloud suffixes blocks SSRF
* at the boundary before any outbound request.
*/
const ATLASSIAN_CLOUD_HOST_REGEX =
/^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.(?:atlassian\.net|jira-dev\.com)$/i
export function normalizeAtlassianDomain(rawDomain: string): string {
return rawDomain.replace(/^https?:\/\//i, '').replace(/\/+$/, '')
}
function assertAtlassianCloudHost(domain: string): void {
if (!ATLASSIAN_CLOUD_HOST_REGEX.test(domain)) {
throw new AtlassianValidationError('site_not_found', 400, {
step: 'host_validation',
domain,
reason: 'host is not an Atlassian Cloud site (expected *.atlassian.net)',
})
}
}
/**
* Throws an `AtlassianValidationError` with `unauthorizedCode` for 401/403 responses
* (which mean the token itself was rejected) and `atlassian_unavailable` for any
* other non-2xx.
*/
async function assertAtlassianResponseOk(
res: Response,
step: string,
unauthorizedCode: AtlassianValidationCode,
context: Record<string, unknown> = {}
): Promise<void> {
if (res.ok) return
const body = parseAtlassianErrorMessage(res.status, res.statusText, await res.text())
if (res.status === 401 || res.status === 403) {
throw new AtlassianValidationError(unauthorizedCode, res.status, { step, body, ...context })
}
throw new AtlassianValidationError('atlassian_unavailable', res.status, {
step,
body,
...context,
})
}
/**
* Validates an Atlassian service account scoped API token.
*
* Scoped service-account tokens cannot call `api.atlassian.com/oauth/token/accessible-resources`
* (that endpoint is for OAuth-3LO tokens). Instead we use the public, unauthenticated
* `tenant_info` discovery endpoint to resolve cloudId from the site domain, then verify
* the token works by hitting `/myself` through the gateway.
*/
export async function validateAtlassianServiceAccount(
apiToken: string,
domain: string
): Promise<{ accountId: string; displayName: string; cloudId: string }> {
assertAtlassianCloudHost(domain)
const tenantInfoRes = await fetch(`https://${domain}/_edge/tenant_info`, {
headers: { Accept: 'application/json' },
})
if (tenantInfoRes.status === 404) {
throw new AtlassianValidationError('site_not_found', 404, { step: 'tenant_info', domain })
}
// tenant_info is unauthenticated, so there is no "invalid credentials" branch here —
// any non-OK that isn't a 404 means Atlassian is unavailable, not the token's fault.
await assertAtlassianResponseOk(tenantInfoRes, 'tenant_info', 'atlassian_unavailable', { domain })
const tenantInfo = (await tenantInfoRes.json()) as { cloudId?: string }
if (!tenantInfo.cloudId) {
throw new AtlassianValidationError('atlassian_unavailable', 502, {
step: 'tenant_info',
reason: 'missing cloudId in response',
domain,
})
}
const cloudId = tenantInfo.cloudId
const myselfRes = await fetch(`https://api.atlassian.com/ex/jira/${cloudId}/rest/api/3/myself`, {
headers: { Authorization: `Bearer ${apiToken}`, Accept: 'application/json' },
})
await assertAtlassianResponseOk(myselfRes, 'myself', 'invalid_credentials', { cloudId })
const myself = (await myselfRes.json()) as {
accountId?: string
displayName?: string
emailAddress?: string
}
if (!myself.accountId) {
throw new AtlassianValidationError('atlassian_unavailable', 502, {
step: 'myself',
reason: 'missing accountId in response',
})
}
return {
accountId: myself.accountId,
displayName: myself.displayName || myself.emailAddress || domain,
cloudId,
}
}