Merge pull request #89 from toolsplus/feature/support-forge-system-token-storage

Add Forge System Access Token repository

Author: tbinna

modules/api/src/main/scala/io/toolsplus/atlassian/connect/play/api/models/DefaultForgeSystemAccessToken.scala

@@ -0,0 +1,11 @@
+package io.toolsplus.atlassian.connect.play.api.models
+import java.time.Instant
+
+/**
+  * Default case class implementation of [[ForgeSystemAccessToken]]
+  */
+case class DefaultForgeSystemAccessToken(installationId: String,
+                                         apiBaseUrl: String,
+                                         accessToken: String,
+                                         expirationTime: Instant)
+    extends ForgeSystemAccessToken

modules/api/src/main/scala/io/toolsplus/atlassian/connect/play/api/models/ForgeSystemAccessToken.scala

@@ -0,0 +1,39 @@
+package io.toolsplus.atlassian.connect.play.api.models
+
+import java.time.Instant
+
+/**
+  * Forge system access token
+  *
+  * @see https://developer.atlassian.com/platform/forge/remote/essentials/
+  */
+trait ForgeSystemAccessToken {
+
+  /**
+    * Unique identifier of a Forge installation in ARI format, e.g. ari:cloud:ecosystem::installation/c3658f0f-8380-41e5-bb1e-68903f8efdca.
+    *
+    * This ID is stable across upgrades but not uninstallation and re-installation. This value should be used to key
+    * Forge-related tenant details in the app.
+    *
+    * @return Forge installation id.
+    */
+  def installationId: String
+
+  /**
+    * OAuth2 API base URL in the format https://api.atlassian.com/ex/confluence/00000000-0000-0000-0000-000000000000
+    * @return OAuth2 API base URL
+    */
+  def apiBaseUrl: String
+
+  /**
+    * System access token this entity represents.
+    * @return System access token
+    */
+  def accessToken: String
+
+  /**
+    * Timestamp when this token expires.
+    * @return Access token expiry time.
+    */
+  def expirationTime: Instant
+}

modules/api/src/main/scala/io/toolsplus/atlassian/connect/play/api/repositories/ForgeSystemAccessTokenRepository.scala

@@ -0,0 +1,59 @@
+package io.toolsplus.atlassian.connect.play.api.repositories
+
+import io.toolsplus.atlassian.connect.play.api.models.ForgeSystemAccessToken
+
+import java.time.Instant
+import scala.concurrent.Future
+
+trait ForgeSystemAccessTokenRepository {
+
+  def all(): Future[Seq[ForgeSystemAccessToken]]
+
+  /** Saves the given Forge system access token by inserting it if it does not
+    * exist or updating an existing record if it's already present.
+    *
+    * @param token
+    *   Forge system access token to store.
+    * @return
+    *   Saved Forge system access token.
+    */
+  def save(token: ForgeSystemAccessToken): Future[ForgeSystemAccessToken]
+
+  /** Finds the access token for the given installation ID. If an access token
+    * is returned, it may be expired.
+    *
+    * @param installationId
+    *   ID of the installation associated with the access token
+    * @return
+    *   Access token and with metadata, if one is found.
+    */
+  def findByInstallationId(
+      installationId: String
+  ): Future[Option[ForgeSystemAccessToken]]
+
+  /** Find the access token that is not yet expired
+    *
+    * @param installationId
+    *   ID of the installation associated with the access token
+    * @param expirationTime
+    *   In most cases, specify the timestamp as of the moment this method is
+    *   called with some leeway
+    * @return
+    *   Valid access token and with metadata, if one is found.
+    */
+  def findByInstallationIdAndExpirationTimeAfter(
+      installationId: String,
+      expirationTime: Instant
+  ): Future[Option[ForgeSystemAccessToken]]
+
+  /** Clean up stale records
+    *
+    * @param expirationTime
+    *   In most cases, specify the timestamp as of the moment this method is
+    *   called
+    * @return
+    *   Number of affected rows
+    */
+  def deleteAllByExpirationTimeBefore(expirationTime: Instant): Future[Int]
+
+}

modules/core/app/io/toolsplus/atlassian/connect/play/auth/frc/jwt/ForgeInvocationContext.scala

@@ -3,60 +3,110 @@ package io.toolsplus.atlassian.connect.play.auth.frc.jwt
 import com.nimbusds.jose.proc.SecurityContext
 import io.circe.JsonObject
 
-/**
-  * Environment provides information about the Forge environment the app is running in
-  * @param `type` Forge environment type associated with a Forge Remote call, such as DEVELOPMENT, STAGING, PRODUCTION
-  * @param id Forge environment id associated with a Forge Remote call
+/** Environment provides information about the Forge environment the app is
+  * running in
+  * @param `type`
+  *   Forge environment type associated with a Forge Remote call, such as
+  *   DEVELOPMENT, STAGING, PRODUCTION
+  * @param id
+  *   Forge environment id associated with a Forge Remote call
   */
 final case class Environment(`type`: String, id: String)
 
-/**
-  * Module provides information about the module that initiated a Forge remote call.
+/** Module provides information about the module that initiated a Forge remote
+  * call.
   *
-  * @param `type` Module type initiating the remote call, such as `xen:macro` for front-end invocations. Otherwise, it will be core:endpoint. To determine the type of module that specified the remote resolver, refer to `context.extension.type`
-  * @param key Forge module key for this endpoint as specified in the manifest.yml
+  * @param `type`
+  *   Module type initiating the remote call, such as `xen:macro` for front-end
+  *   invocations. Otherwise, it will be core:endpoint. To determine the type of
+  *   module that specified the remote resolver, refer to
+  *   `context.extension.type`
+  * @param key
+  *   Forge module key for this endpoint as specified in the manifest.yml
   */
 final case class Module(`type`: String, key: String)
 
-/**
-  * Contains information about the license of the app. This field is only present for paid apps in the production environment.
-  * `license` is undefined for free apps, apps in DEVELOPMENT and STAGING environments, and apps that are not listed on
-  * the Atlassian Marketplace.
+/** Context where an app is installed.
   *
-  * @param isActive Specifies if the license is active.
+  * @param name
+  *   Name of the context where an app is installed.
+  * @param apiBaseUrl
+  *   API base URL where all Atlassian app API requests should be routed.
   */
-final case class License(isActive: Boolean)
+final case class InstallationContext(name: String, apiBaseUrl: String)
+
+/** Information about an app installation.
+  * @param id
+  *   Identifier for the specific installation of an app. Any remote storage
+  *   should be keyed against this value.
+  * @param contexts
+  *   List of contexts where the app is installed
+  */
+final case class Installation(id: String, contexts: Seq[InstallationContext])
 
-/**
+/** Contains information about the license of the app. This field is only
+  * present for paid apps in the production environment. `license` is undefined
+  * for free apps, apps in DEVELOPMENT and STAGING environments, and apps that
+  * are not listed on the Atlassian Marketplace.
+  *
+  * There are many attributes missing here since it is not clear from the
+  * documentation if they will be available when the license object is present
+  * in a request. Refer to the following post for details:
+  * https://community.developer.atlassian.com/t/is-the-forge-invocation-token-contract-correct/91578/3
   *
-  * @param installationId Identifier for the specific installation of an app. This is the value that any remote storage should be keyed against.
-  * @param apiBaseUrl Base URL where all product API requests should be routed
-  * @param id Forge application ID matching the value in the Forge manifest.yml
-  * @param appVersion Forge application version being invoked
-  * @param environment Information about the environment the app is running in
-  * @param module Information about the module that initiated this remote call
-  * @param license Information about the license associated with the app. This field is only present for paid apps in the production environment.
+  * @param isActive
+  *   Specifies if the license is active.
   */
-final case class App(installationId: String,
-                     apiBaseUrl: String,
-                     id: String,
-                     appVersion: String,
-                     environment: Environment,
-                     module: Module,
-                     license: Option[License])
-
-/**
-  * Forge invocation context represents the payload included in the Forge Invocation Token (FIT).
+final case class License(isActive: Boolean)
+
+/** @param installationId
+  *   Identifier for the specific installation of an app. This is the value that
+  *   any remote storage should be keyed against.
+  * @param apiBaseUrl
+  *   Base URL where all product API requests should be routed
+  * @param id
+  *   Forge application ID matching the value in the Forge manifest.yml
+  * @param appVersion
+  *   Forge application version being invoked
+  * @param environment
+  *   Information about the environment the app is running in
+  * @param module
+  *   Information about the module that initiated this remote call
+  * @param installation
+  *   Information about app installations
+  * @param license
+  *   Information about the license associated with the app. This field is only
+  *   present for paid apps in the production environment.
+  */
+final case class App(
+    installationId: String,
+    apiBaseUrl: String,
+    id: String,
+    appVersion: String,
+    environment: Environment,
+    module: Module,
+    installation: Installation,
+    license: Option[License]
+)
+
+/** Forge invocation context represents the payload included in the Forge
+  * Invocation Token (FIT).
   *
-  * The FIT payload includes details about the invocation context of a Forge Remote call.
+  * The FIT payload includes details about the invocation context of a Forge
+  * Remote call.
   *
-  * @param app Details about the app and installation context
-  * @param context Context depending on how the app is using Forge Remote
-  * @param principal ID of the user who invoked the app. UI modules only
+  * @param app
+  *   Details about the app and installation context
+  * @param context
+  *   Context depending on how the app is using Forge Remote
+  * @param principal
+  *   ID of the user who invoked the app. UI modules only
   *
-  * @see https://developer.atlassian.com/platform/forge/forge-remote-overview/#the-forge-invocation-token--fit-
+  * @see
+  *   https://developer.atlassian.com/platform/forge/forge-remote-overview/#the-forge-invocation-token--fit-
   */
-final case class ForgeInvocationContext(app: App,
-                                        context: Option[JsonObject],
-                                        principal: Option[String])
-    extends SecurityContext
+final case class ForgeInvocationContext(
+    app: App,
+    context: Option[JsonObject],
+    principal: Option[String]
+) extends SecurityContext

modules/core/app/io/toolsplus/atlassian/connect/play/auth/frc/jwt/ForgeRemoteJWKSourceProvider.scala

@@ -42,5 +42,6 @@ class ForgeRemoteJWKSourceProvider @Inject()(
 object ForgeRemoteJWKSourceProvider {
   private val remoteJWKSetHttpConnectTimeoutMs: Int = 1000
   private val remoteJWKSetHttpReadTimeoutMs: Int = 1000
-  private val remoteJWKSetHttpEntitySizeLimitByte: Int = 100 * 1024
+  // Setting the value to zero means infinite
+  private val remoteJWKSetHttpEntitySizeLimitByte: Int = 0
 }

modules/core/app/io/toolsplus/atlassian/connect/play/models/AtlassianForgeProperties.scala

@@ -20,6 +20,9 @@ class AtlassianForgeProperties @Inject()(config: Configuration) {
   lazy val forgeRemoteJWKSetProductionUrl: String =
     atlassianForgeConfig.get[String]("remote.jwkSetProductionUrl")
 
+  lazy val systemAccessTokenExpiryLeewayMs: Int =
+    atlassianForgeConfig.get[Int]("systemAccessTokenExpiryLeewayMs")
+
   private lazy val atlassianForgeConfig =
     config.get[Configuration]("atlassian.forge")
 

modules/core/conf/evolutions/default/1.sql

@@ -33,6 +33,17 @@ CREATE UNIQUE INDEX uq_forge_installation_installation_id
 ALTER TABLE forge_installation
     ADD CONSTRAINT fk_forge_installation_atlassian_host FOREIGN KEY (client_key) REFERENCES atlassian_host (client_key) ON UPDATE CASCADE ON DELETE CASCADE;
 
+CREATE TABLE forge_system_access_token
+(
+    installation_id VARCHAR PRIMARY KEY,
+    api_base_url    VARCHAR NOT NULL,
+    access_token    VARCHAR NOT NULL,
+    expiration_time TIMESTAMP NOT NULL
+);
+CREATE INDEX forge_system_access_token_expiration_time
+    ON forge_system_access_token (expiration_time);
+
 # --- !Downs
+DROP TABLE forge_system_access_token;
 DROP TABLE forge_installation;
 DROP TABLE atlassian_host;

modules/core/conf/reference.conf

@@ -5,6 +5,7 @@ atlassian {
     }
     forge {
         appId = "changeme" # ari:cloud:ecosystem::app/327bc6a8-d0ec-46a4-b42d-e9e5fe2350f9
+        systemAccessTokenExpiryLeewayMs = 200
         remote {
             jwkSetStagingUrl = "https://forge.cdn.stg.atlassian-dev.net/.well-known/jwks.json"
             jwkSetProductionUrl = "https://forge.cdn.prod.atlassian-dev.net/.well-known/jwks.json"