github: add support for github apps

Author: aliculPix4D

cogito/ghcommitsink.go

@@ -36,17 +36,27 @@ func (sink GitHubCommitStatusSink) Send() error {
 	ghState := ghAdaptState(sink.Request.Params.State)
 	buildURL := concourseBuildURL(sink.Request.Env)
 	context := ghMakeContext(sink.Request)
+	server := github.ApiRoot(sink.Request.Source.GhHostname)
+
+	token := sink.Request.Source.AccessToken
+	if token == "" {
+		installationToken, err := github.GenerateInstallationToken(server, sink.Request.Source.GitHubApp)
+		if err != nil {
+			return err
+		}
+		token = installationToken
+	}
 
 	target := &github.Target{
-		Server: github.ApiRoot(sink.Request.Source.GhHostname),
+		Server: server,
 		Retry: retry.Retry{
 			FirstDelay:   retryFirstDelay,
 			BackoffLimit: retryBackoffLimit,
 			UpTo:         retryUpTo,
 			Log:          sink.Log,
 		},
 	}
-	commitStatus := github.NewCommitStatus(target, sink.Request.Source.AccessToken,
+	commitStatus := github.NewCommitStatus(target, token,
 		sink.Request.Source.Owner, sink.Request.Source.Repo, context, sink.Log)
 	description := "Build " + sink.Request.Env.BuildName
 

cogito/ghcommitsink_test.go

@@ -28,7 +28,7 @@ func TestSinkGitHubCommitStatusSendSuccess(t *testing.T) {
 		Log:    testhelp.MakeTestLog(),
 		GitRef: wantGitRef,
 		Request: cogito.PutRequest{
-			Source: cogito.Source{GhHostname: gitHubSpyURL.Host},
+			Source: cogito.Source{GhHostname: gitHubSpyURL.Host, AccessToken: "dummy-token"},
 			Params: cogito.PutParams{State: wantState},
 			Env:    cogito.Environment{BuildJobName: jobName},
 		},
@@ -55,7 +55,7 @@ func TestSinkGitHubCommitStatusSendFailure(t *testing.T) {
 		Log:    testhelp.MakeTestLog(),
 		GitRef: "deadbeefdeadbeef",
 		Request: cogito.PutRequest{
-			Source: cogito.Source{GhHostname: gitHubSpyURL.Host},
+			Source: cogito.Source{GhHostname: gitHubSpyURL.Host, AccessToken: "dummy-token"},
 			Params: cogito.PutParams{State: cogito.StatePending},
 		},
 	}

cogito/protocol.go

@@ -162,9 +162,14 @@ type Source struct {
 	//
 	// Mandatory
 	//
-	Owner       string `json:"owner"`
-	Repo        string `json:"repo"`
+	Owner string `json:"owner"`
+	Repo  string `json:"repo"`
+	// Mandatory if not using github app auth
 	AccessToken string `json:"access_token"` // SENSITIVE
+
+	// Mandatory if using github app auth
+	GitHubApp github.GitHubApp `json:"github_app,omitempty"`
+
 	//
 	// Optional
 	//
@@ -188,6 +193,9 @@ func (src Source) String() string {
 	fmt.Fprintf(&bld, "github_hostname:       %s\n", src.GhHostname)
 	fmt.Fprintf(&bld, "access_token:          %s\n", redact(src.AccessToken))
 	fmt.Fprintf(&bld, "gchat_webhook:         %s\n", redact(src.GChatWebHook))
+	fmt.Fprintf(&bld, "github_app.client_id:        %s\n", src.GitHubApp.ClientId)
+	fmt.Fprintf(&bld, "github_app.installation_id:  %d\n", src.GitHubApp.InstallationId)
+	fmt.Fprintf(&bld, "github_app.private_key:      %s\n", redact(src.GitHubApp.PrivateKey))
 	fmt.Fprintf(&bld, "log_level:             %s\n", src.LogLevel)
 	fmt.Fprintf(&bld, "context_prefix:        %s\n", src.ContextPrefix)
 	fmt.Fprintf(&bld, "omit_target_url:       %t\n", src.OmitTargetURL)
@@ -245,8 +253,22 @@ func (src *Source) Validate() error {
 		if src.Repo == "" {
 			mandatory = append(mandatory, "repo")
 		}
-		if src.AccessToken == "" {
-			mandatory = append(mandatory, "access_token")
+
+		if src.GitHubApp != (github.GitHubApp{}) {
+			if src.GitHubApp.ClientId == "" {
+				mandatory = append(mandatory, "github_app.client_id")
+			}
+			if src.GitHubApp.InstallationId == 0 {
+				mandatory = append(mandatory, "github_app.installation_id")
+			}
+			if src.GitHubApp.PrivateKey == "" {
+				mandatory = append(mandatory, "github_app.private_key")
+			}
+		} else {
+			if src.AccessToken == "" {
+				// missing access token
+				mandatory = append(mandatory, "access_token")
+			}
 		}
 	}
 

cogito/protocol_test.go

@@ -12,6 +12,7 @@ import (
 	"gotest.tools/v3/assert/cmp"
 
 	"github.com/Pix4D/cogito/cogito"
+	"github.com/Pix4D/cogito/github"
 	"github.com/Pix4D/cogito/testhelp"
 )
 
@@ -63,6 +64,20 @@ func TestSourceValidationSuccess(t *testing.T) {
 				return source
 			},
 		},
+		{
+			name: "git source: github app",
+			mkSource: func() cogito.Source {
+				return cogito.Source{
+					Owner: "the-owner",
+					Repo:  "the-repo",
+					GitHubApp: github.GitHubApp{
+						ClientId:       "client-id-key",
+						InstallationId: 12345,
+						PrivateKey:     "private-ssh-key",
+					},
+				}
+			},
+		},
 	}
 
 	for _, tc := range testCases {
@@ -129,6 +144,7 @@ func TestSourceValidationFailure(t *testing.T) {
 			},
 			wantErr: "source: invalid github_api_hostname: https://github.foo.com/api/v3/. Don't configure the schema or the path",
 		},
+		// FIXME: add the failure tests for github app
 	}
 
 	for _, tc := range testCases {
@@ -204,19 +220,24 @@ func TestSourcePrintLogRedaction(t *testing.T) {
 		Repo:               "the-repo",
 		GhHostname:         "github.com",
 		AccessToken:        "sensitive-the-access-token",
+		GitHubApp:          github.GitHubApp{ClientId: "client-id", InstallationId: 1234, PrivateKey: "sensitive-private-rsa-key"},
 		GChatWebHook:       "sensitive-gchat-webhook",
 		LogLevel:           "debug",
 		ContextPrefix:      "the-prefix",
 		ChatAppendSummary:  true,
 		ChatNotifyOnStates: []cogito.BuildState{cogito.StateSuccess, cogito.StateFailure},
 	}
-
+	// FIXME: extend the tests to verify that the source.github_app.private_key
+	// is properly redacted
 	t.Run("fmt.Print redacts fields", func(t *testing.T) {
 		want := `owner:                 the-owner
 repo:                  the-repo
 github_hostname:       github.com
 access_token:          ***REDACTED***
 gchat_webhook:         ***REDACTED***
+github_app.client_id:        client-id
+github_app.installation_id:  1234
+github_app.private_key:      ***REDACTED***
 log_level:             debug
 context_prefix:        the-prefix
 omit_target_url:       false
@@ -238,6 +259,9 @@ repo:
 github_hostname:       
 access_token:          
 gchat_webhook:         
+github_app.client_id:        
+github_app.installation_id:  0
+github_app.private_key:      
 log_level:             
 context_prefix:        
 omit_target_url:       false

github/githubapp.go

@@ -0,0 +1,96 @@
+package github
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"path"
+	"strconv"
+	"time"
+
+	"github.com/golang-jwt/jwt/v4"
+)
+
+type GitHubApp struct {
+	ClientId       string `json:"client_id"`
+	InstallationId int64  `json:"installation_id"`
+	PrivateKey     string `json:"private_key"` // SENSITIVE
+}
+
+// generateJWTtoken returns a signed JWT token used to authenticate as GitHub App
+func generateJWTtoken(clientId, privateKey string) (string, error) {
+	key, err := jwt.ParseRSAPrivateKeyFromPEM([]byte(privateKey))
+	if err != nil {
+		return "", fmt.Errorf("could not parse private key: %w", err)
+	}
+	// GitHub rejects expiry and issue timestamps that are not an integer,
+	// while the jwt-go library serializes to fractional timestamps.
+	// Truncate them before passing to jwt-go.
+	// Additionally, GitHub recommends setting this value 60 seconds in the past.
+	iat := time.Now().Add(-60 * time.Second).Truncate(time.Second)
+	// maximum validity 10 minutes. Here, we reduce it to 2 minutes.
+	exp := iat.Add(2 * time.Minute)
+	// Docs: https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-json-web-token-jwt-for-a-github-app#about-json-web-tokens-jwts
+	claims := &jwt.RegisteredClaims{
+		IssuedAt:  jwt.NewNumericDate(iat),
+		ExpiresAt: jwt.NewNumericDate(exp),
+		// The client ID or application ID of your GitHub App.
+		// Use of the client ID is recommended.
+		Issuer: clientId,
+	}
+
+	// GitHub JWT must be signed using the RS256 algorithm.
+	token, err := jwt.NewWithClaims(jwt.SigningMethodRS256, claims).SignedString(key)
+	if err != nil {
+		return "", fmt.Errorf("could not sign the JWT token: %w", err)
+	}
+	return token, nil
+}
+
+// GenerateInstallationToken returns an installation token used to authenticate as GitHub App installation
+func GenerateInstallationToken(server string, app GitHubApp) (string, error) {
+	// API: POST /app/installations/{installationId}/access_tokens
+	installationId := strconv.FormatInt(app.InstallationId, 10)
+	url := server + path.Join("/app/installations", installationId, "/access_tokens")
+
+	req, err := http.NewRequest(http.MethodPost, url, nil)
+	if err != nil {
+		return "", fmt.Errorf("github post: new request: %s", err)
+	}
+	req.Header.Add("Accept", "application/vnd.github.v3+json")
+
+	jtwToken, err := generateJWTtoken(app.ClientId, app.PrivateKey)
+	if err != nil {
+		return "", err
+	}
+	req.Header.Set("Authorization", "Bearer "+jtwToken)
+
+	client := &http.Client{Timeout: time.Second * 5}
+
+	// FIXME: add retry here...
+	resp, err := client.Do(req)
+	if err != nil {
+		return "", fmt.Errorf("http client Do: %s", err)
+	}
+	defer resp.Body.Close()
+
+	body, errBody := io.ReadAll(resp.Body)
+	if resp.StatusCode != http.StatusCreated {
+		if errBody != nil {
+			return "", fmt.Errorf("generate github app installation token: status code: %d (%s)", resp.StatusCode, errBody)
+		}
+		return "", fmt.Errorf("generate github app installation token: status code: %d (%s)", resp.StatusCode, string(body))
+	}
+	if errBody != nil {
+		return string(body), fmt.Errorf("generate github app installation token: read body: %s", errBody)
+	}
+
+	var token struct {
+		Value string `json:"token"`
+	}
+	if err := json.Unmarshal(body, &token); err != nil {
+		return "", fmt.Errorf("error: json unmarshal: %s", err)
+	}
+	return token.Value, nil
+}

github/githubapp_test.go

@@ -0,0 +1,52 @@
+package github_test
+
+import (
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/Pix4D/cogito/github"
+	"github.com/Pix4D/cogito/testhelp"
+	"gotest.tools/v3/assert"
+)
+
+func TestGenerateInstallationToken(t *testing.T) {
+	clientID := "abcd1234"
+	var installationID int64 = 12345
+
+	privateKey, err := testhelp.GeneratePrivateKey(t, 2048)
+	assert.NilError(t, err)
+
+	handler := func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodPost {
+			w.WriteHeader(http.StatusMethodNotAllowed)
+			fmt.Fprintln(w, "wrong HTTP emethod")
+			return
+		}
+
+		claims := testhelp.DecodeJWT(t, r, privateKey)
+		if claims.Issuer != clientID {
+			w.WriteHeader(http.StatusUnauthorized)
+			fmt.Fprintln(w, "unauthorized: wrong JWT token")
+			return
+		}
+		w.WriteHeader(http.StatusCreated)
+		fmt.Fprintln(w, `{"token": "dummy_token"}`)
+	}
+
+	ts := httptest.NewServer(http.HandlerFunc(handler))
+	defer ts.Close()
+
+	gotToken, err := github.GenerateInstallationToken(
+		ts.URL,
+		github.GitHubApp{
+			ClientId:       clientID,
+			InstallationId: installationID,
+			PrivateKey:     string(testhelp.EncodePrivateKeyToPEM(privateKey)),
+		},
+	)
+
+	assert.NilError(t, err)
+	assert.Equal(t, "dummy_token", gotToken)
+}

go.mod

@@ -6,6 +6,7 @@ require (
 	dario.cat/mergo v1.0.0
 	github.com/alexflint/go-arg v1.4.3
 	github.com/go-quicktest/qt v1.101.1-0.20240301121107-c6c8733fa1e6
+	github.com/golang-jwt/jwt/v4 v4.5.2
 	github.com/google/go-cmp v0.6.0
 	github.com/sasbury/mini v0.0.0-20181226232755-dc74af49394b
 	gotest.tools/v3 v3.5.1

go.sum

@@ -11,6 +11,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/go-quicktest/qt v1.101.1-0.20240301121107-c6c8733fa1e6 h1:teYtXy9B7y5lHTp8V9KPxpYRAVA7dozigQcMiBust1s=
 github.com/go-quicktest/qt v1.101.1-0.20240301121107-c6c8733fa1e6/go.mod h1:p4lGIVX+8Wa6ZPNDvqcxq36XpUDLh42FLetFU7odllI=
+github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
+github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=