ShiftLeft Engineering — Integrating your Go services with JIRA

ShiftLeft Engineering — Integrating your Go companies with JIRA

How did ShiftLeft Engineering combine its Go Companies with JIRA to create a secure bidirectional JIRA based mostly workflow

At ShiftLeft, we selected an purpose to empower builders to handle the safety findings (found by our instrument of their apps). We additionally determined to do it with out stepping out of their conventional JIRA based mostly workflow. With this weblog, I describe the engineering method that helped us obtain that objective by connecting our Go Based mostly companies with JIRA (cloud) infrastructure.

Photograph by Markus Spiske on Unsplash

In case you are to check out free ShiftLeft Code Evaluation providing, please go to this hyperlink.

First, Atlassian Join

In latest occasions Atlassian has been migrating their proposed utilization of their product from a hybrid system of cloud/on-premise to pure play cloud based mostly infrastructure.

The transfer to cloud has additionally had an impact on the way in which plug-ins are developed. As a part of this new structure they proposed a self hosted mannequin powered by their Atlassian join framework.

Join model plugins enable the developer to precise the capabilities of their product in a declarative format. Moreover, interplay with JIRA is finished via safe channels by utilizing web-hooks, callbacks and snippet inserted of their UI. This novel method permits every social gathering to pay attention in their very own strengths. Atlassian shows and manages their clients workflow and course of. Alternatively the plugin developer augments Atlassian product’s data with their very own, and in flip, maintain their facet updated by getting suggestions out of it.

The safety features

The entire course of is sort of air tight. On the plugin facet, Atlassian initiates communication with signed requests. Validity of safety efficacy could be asserted towards their verified servers and subsequent communication is signed with brief lived tokens. The signatures could be checked towards “consumer” sure keys. On the top consumer facet they’re offered with details about the form of permissions the plugin desires and get fairly complete data on what they’re permitting.

ShiftLeft’s use case

For our case this is a wonderful match, we current DevSecOps profiles with the related discovering data in our UI. We facilitate for them to “ship” the related bits to JIRA within the type of new Points/Bugs to be addressed as a part of their common growth cycle. Customers seeing one among these Points can be offered with augmented fields. These comprise the element of the safety flaw detected and a strategy to go dive extra into it on the ShiftLeft display screen if crucial.

On our facet, as soon as we hyperlink a discovering to a JIRA Difficulty/Bug we maintain monitor of their modifications. The operator of our system is all the time knowledgeable of the method of decision of the vulnerability with out having to change their each day workflow to go monitor the event one.

Some Background — ShiftLeft companies, current instruments, current plugin

We constructed most of our API backend on prime of Go.We leverage gorilla mux and use JWT tokens as a way of authentication. Naturally we thought that, given the presence of all the precise substances, we may simply be a part of each worlds.

Photograph by Clint Patterson on Unsplash

Atlassian offers a Node.js Specific and Spring Boot implementations of their framework. The prevailing providing permits builders to shortly create a plugin by implementing the safety features and providing numerous hook factors. The providing simplifies implementing performance with out having to dive within the internals of their pipeline.

Initially one among our skilled groups in Node determined to create our plugin profiting from Atlassian Join Specific ACE. This served as a terrific first step and allowed us to validate that the proposed workflow suited each our customers they usually means they anticipated to work together with JIRA. We took this time to get some suggestions, scale back friction in all potential surfaces and polish a nicely rounded product.

So why new plugin design?

As it’s pure in each software program undertaking, as soon as it really works and finish customers are completely satisfied, the following step is to attempt to make it extra environment friendly and higher built-in. We selected following re-architecture objectives.

• We needed to cut back roundtrip occasions: having a service discuss to each us and JIRA added some latency. In instances of intense use it added potential failure factors and latency.
• Too many fingers in a bowl: Although a number of the features of this plugin had been of relevance for our API staff, addressing each concern/function we labored on, as one maintained the plugin and the opposite the API.
• Repeated performance: We had been beginning to see a development of repeating performance and writing cross via endpoints within the plugin to help already carried out API elements.
• Experience: We’ve got folks nicely versed with Node.js within the firm. Regardless of this, on the space answerable for the core performance of our API we’re more adept in Go. Although we understood the codebase nicely sufficient, we knew that our output on it might by no means be as on level as the opposite staff. This was not preferrred if we had been to take the upkeep accountability.
• JIRA as a first-class citizen: We see JIRA as a first-class citizen of our system. Our purpose is so as to add progressively extra integration. Having it stay as a part of our core performance is a should. We add options with JIRA in thoughts so it is just pure to have it’s a part of our core API.

Our answer

We actually preferred Atlasssian’s method with ACE, so we based mostly our personal growth on it. Sadly there was not a instrument of their listing of third social gathering assets that allowed us to combine the idea with Go. We meant to each help the principle options: including numerous panels, hook listeners, customized fields, and many others. In brief give sufficient instruments to permit a developer to method creating a brand new plugin in an nearly declarative means.

We created atlassian-connect-go which allows the programming of a completely practical plugin by simply instantiating a Go struct and calling just a few strategies in it to arrange the varied listeners.

We supplied a sequence of auto generated varieties for ease of dealing with requests and callbacks. We additionally included a quite simple storage interface for customers to implement their very own persistence backend and have the precise data provided to it.

We combine with gorilla mux . This permits so as to add the plugin endpoints to an current router. You may have the plug-in declaration and it’s endpoints be immediately served but additionally enable for extension for extra on level instances. We facilitated what we use most however since Atlassian Join plugins can attain a really deep degree of integration we made it in a means {that a} developer shouldn’t be restricted to the concrete helpers.

The Safety Side

In features of Safety, a vital level for us, we based mostly our framework strongly on the one supplied by Atlassian. We offer a standalone operate for builders to confirm requests made by a 3rd social gathering towards saved Atlassian credentials. We additionally added, for good measure, a wrapper that may take a handler operate outlined by us and return a regular `http.HandlerFunc` which is able to verify each request to make sure correct credentials.

A developer creating handlers for Atlassian plugin endpoints simply must create them as `func(jii *storage.JiraInstallInformation, retailer storage.Retailer, w http.ResponseWriter, r *http.Request)` and invoke `Plugin{}.VerifiedHandleFunc(yourHandler)`. The result’s a handler whose request is verified earlier than invocation and that will get handed all of the related data to course of the request.

In the end you may name the verifier operate your self as a strategy to securely retrieve consumer data out of your storage.

We additionally added just a few additional helpers to make safe correctly signed calls to the apicommunication package deal. This package deal comprises a strategy to create safe purchasers, the identical means as ACE. It additionally permits to make calls as a given consumer (supplied one has the precise token). The HostClient is sufficiently customizable that one can cross a customized roundtripper to permit personalised timeouts and dialers to regulate it to your companies settings.

Comfort

API communication package deal additionally has each potential (as of the time of writing) kind returned by API V3 so you may deserialize replies into Go varieties and create requests in Go earlier than serializing them, lowering the danger for coding errors.

Conclusion

We loved penning this plugin. We obtained to know extra about JIRA stable structure and provides again to the developer neighborhood very like we did earlier than with gaum, our SQL question builder and executor and Joern, our interactive shell for code evaluation. We hope it will encourage extra integration of merchandise with Atlassian Cloud by the technique of plugins particularly for companies strongly rooted in Go.

Be at liberty to drop us emails, tweets or github points if you wish to know extra about this framework or have solutions about the place it may go from now and, as traditional, Pull Requests and Bug reviews are all the time welcome.

ShiftLeft Engineering — Integrating your Go companies with JIRA was initially printed in ShiftLeft Weblog on Medium, the place persons are persevering with the dialog by highlighting and responding to this story.

*** It is a Safety Bloggers Community syndicated weblog from ShiftLeft Weblog – Medium authored by Horacio Duran. Learn the unique publish at: https://weblog.shiftleft.io/shiftleft-engineering-integrating-your-go-services-with-jira-e31e4aca3d67?supply=rss—-86a4f941c7da—4