github: add support for github apps

Author: aliculPix4D

.github/workflows/ci.yml

@@ -33,6 +33,7 @@ jobs:
         env:
           COGITO_TEST_OAUTH_TOKEN: ${{ secrets.COGITO_TEST_OAUTH_TOKEN }}
           COGITO_TEST_GCHAT_HOOK: ${{ secrets.COGITO_TEST_GCHAT_HOOK }}
+          COGITO_TEST_GH_APP_PRIVATE_KEY: ${{ secrets.COGITO_TEST_GH_APP_PRIVATE_KEY }}
       - run: task docker:build
       - run: task docker:smoke
       - run: task docker:login

Taskfile.yml

@@ -57,6 +57,10 @@ tasks:
       COGITO_TEST_REPO_OWNER: '{{default "pix4d" .COGITO_TEST_REPO_OWNER}}'
       COGITO_TEST_GCHAT_HOOK:
         sh: 'echo {{default "$(gopass show cogito/test_gchat_webhook)" .COGITO_TEST_GCHAT_HOOK}}'
+      COGITO_TEST_GH_APP_CLIENT_ID: '{{default "Iv23lir9pyQlqmweDPbz" .COGITO_TEST_GH_APP_CLIENT_ID}}'
+      COGITO_TEST_GH_APP_INSTALLATION_ID: '{{default "64650729" .COGITO_TEST_GH_APP_INSTALLATION_ID}}'
+      COGITO_TEST_GH_APP_PRIVATE_KEY:
+        sh: 'echo {{default "$(gopass show cogito/test_gh_app_private_key)" .COGITO_TEST_GH_APP_PRIVATE_KEY}}'
 
   test:unit:
     desc: Run the unit tests.

cmd/cogito/main_test.go

@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"net/url"
 	"path"
+	"strconv"
 	"strings"
 	"testing"
 	"testing/iotest"
@@ -134,6 +135,49 @@ func TestRunPutSuccessIntegration(t *testing.T) {
 		`level=INFO msg="state posted successfully to chat" name=cogito.put name=gChat state=error`))
 }
 
+func TestRunPutGhAppSuccessIntegration(t *testing.T) {
+	if testing.Short() {
+		t.Skip("Skipping integration test (reason: -short)")
+	}
+
+	gitHubCfg := testhelp.GitHubSecretsOrFail(t)
+	googleChatCfg := testhelp.GoogleChatSecretsOrFail(t)
+	ghAppInstallationID, err := strconv.ParseInt(gitHubCfg.GhAppInstallationID, 10, 64)
+	assert.NilError(t, err)
+	stdin := bytes.NewReader(testhelp.ToJSON(t, cogito.PutRequest{
+		Source: cogito.Source{
+			Owner: gitHubCfg.Owner,
+			Repo:  gitHubCfg.Repo,
+			GitHubApp: github.GitHubApp{
+				ClientId:       gitHubCfg.GhAppClientID,
+				InstallationId: ghAppInstallationID,
+				PrivateKey:     gitHubCfg.GhAppPrivateKey,
+			},
+			GChatWebHook: googleChatCfg.Hook,
+			LogLevel:     "debug",
+		},
+		Params: cogito.PutParams{State: cogito.StateError},
+	}))
+	var stdout bytes.Buffer
+	var stderr bytes.Buffer
+	inputDir := testhelp.MakeGitRepoFromTestdata(t, "../../cogito/testdata/one-repo/a-repo",
+		testhelp.HttpsRemote(github.GhDefaultHostname, gitHubCfg.Owner, gitHubCfg.Repo), gitHubCfg.SHA,
+		"ref: refs/heads/a-branch-FIXME")
+	t.Setenv("BUILD_JOB_NAME", "TestRunPutGhAppSuccessIntegration")
+	t.Setenv("ATC_EXTERNAL_URL", "https://cogito.invalid")
+	t.Setenv("BUILD_PIPELINE_NAME", "the-test-pipeline")
+	t.Setenv("BUILD_TEAM_NAME", "the-test-team")
+	t.Setenv("BUILD_NAME", "42")
+
+	err = mainErr(stdin, &stdout, &stderr, []string{"out", inputDir})
+
+	assert.NilError(t, err, "\nstdout:\n%s\nstderr:\n%s", stdout.String(), stderr.String())
+	assert.Assert(t, cmp.Contains(stderr.String(),
+		`level=INFO msg="commit status posted successfully" name=cogito.put name=ghCommitStatus state=error`))
+	assert.Assert(t, cmp.Contains(stderr.String(),
+		`level=INFO msg="state posted successfully to chat" name=cogito.put name=gChat state=error`))
+}
+
 func TestRunFailure(t *testing.T) {
 	type testCase struct {
 		name    string

cogito/ghcommitsink.go

@@ -36,17 +36,27 @@ func (sink GitHubCommitStatusSink) Send() error {
 	ghState := ghAdaptState(sink.Request.Params.State)
 	buildURL := concourseBuildURL(sink.Request.Env)
 	context := ghMakeContext(sink.Request)
+	server := github.ApiRoot(sink.Request.Source.GhHostname)
+
+	token := sink.Request.Source.AccessToken
+	if token == "" {
+		installationToken, err := github.GenerateInstallationToken(server, sink.Request.Source.GitHubApp)
+		if err != nil {
+			return err
+		}
+		token = installationToken
+	}
 
 	target := &github.Target{
-		Server: github.ApiRoot(sink.Request.Source.GhHostname),
+		Server: server,
 		Retry: retry.Retry{
 			FirstDelay:   retryFirstDelay,
 			BackoffLimit: retryBackoffLimit,
 			UpTo:         retryUpTo,
 			Log:          sink.Log,
 		},
 	}
-	commitStatus := github.NewCommitStatus(target, sink.Request.Source.AccessToken,
+	commitStatus := github.NewCommitStatus(target, token,
 		sink.Request.Source.Owner, sink.Request.Source.Repo, context, sink.Log)
 	description := "Build " + sink.Request.Env.BuildName
 

cogito/ghcommitsink_test.go

@@ -1,6 +1,8 @@
 package cogito_test
 
 import (
+	"encoding/json"
+	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
@@ -28,7 +30,7 @@ func TestSinkGitHubCommitStatusSendSuccess(t *testing.T) {
 		Log:    testhelp.MakeTestLog(),
 		GitRef: wantGitRef,
 		Request: cogito.PutRequest{
-			Source: cogito.Source{GhHostname: gitHubSpyURL.Host},
+			Source: cogito.Source{GhHostname: gitHubSpyURL.Host, AccessToken: "dummy-token"},
 			Params: cogito.PutParams{State: wantState},
 			Env:    cogito.Environment{BuildJobName: jobName},
 		},
@@ -43,6 +45,62 @@ func TestSinkGitHubCommitStatusSendSuccess(t *testing.T) {
 	assert.Equal(t, ghReq.Context, wantContext)
 }
 
+func TestSinkGitHubCommitStatusSendGhAppSuccess(t *testing.T) {
+	wantGitRef := "deadbeefdeadbeef"
+	wantState := cogito.StatePending
+	jobName := "the-job"
+	wantContext := jobName
+	var ghReq github.AddRequest
+
+	handler := func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.String() == "/repos/statuses/deadbeefdeadbeef" {
+			dec := json.NewDecoder(r.Body)
+			if err := dec.Decode(&ghReq); err != nil {
+				w.WriteHeader(http.StatusTeapot)
+				fmt.Fprintln(w, "test: decoding request:", err)
+				return
+			}
+		}
+
+		w.WriteHeader(http.StatusCreated)
+		if r.URL.String() == "/app/installations/12345/access_tokens" {
+			fmt.Fprintln(w, `{"token": "dummy_installation_token"}`)
+			return
+		}
+	}
+	ts := httptest.NewServer(http.HandlerFunc(handler))
+	defer ts.Close()
+
+	gitHubSpyURL, err := url.Parse(ts.URL)
+	assert.NilError(t, err, "error parsing SpyHttpServer URL: %s", err)
+
+	privateKey, err := testhelp.GeneratePrivateKey(t, 2048)
+	assert.NilError(t, err)
+
+	sink := cogito.GitHubCommitStatusSink{
+		Log:    testhelp.MakeTestLog(),
+		GitRef: wantGitRef,
+		Request: cogito.PutRequest{
+			Source: cogito.Source{
+				GhHostname: gitHubSpyURL.Host,
+				GitHubApp: github.GitHubApp{
+					ClientId:       "client-id",
+					InstallationId: 12345,
+					PrivateKey:     string(testhelp.EncodePrivateKeyToPEM(privateKey)),
+				},
+			},
+			Params: cogito.PutParams{State: wantState},
+			Env:    cogito.Environment{BuildJobName: jobName},
+		},
+	}
+
+	err = sink.Send()
+
+	assert.NilError(t, err)
+	assert.Equal(t, ghReq.State, string(wantState))
+	assert.Equal(t, ghReq.Context, wantContext)
+}
+
 func TestSinkGitHubCommitStatusSendFailure(t *testing.T) {
 	ts := httptest.NewServer(
 		http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
@@ -55,7 +113,7 @@ func TestSinkGitHubCommitStatusSendFailure(t *testing.T) {
 		Log:    testhelp.MakeTestLog(),
 		GitRef: "deadbeefdeadbeef",
 		Request: cogito.PutRequest{
-			Source: cogito.Source{GhHostname: gitHubSpyURL.Host},
+			Source: cogito.Source{GhHostname: gitHubSpyURL.Host, AccessToken: "dummy-token"},
 			Params: cogito.PutParams{State: cogito.StatePending},
 		},
 	}

cogito/protocol.go

@@ -162,9 +162,14 @@ type Source struct {
 	//
 	// Mandatory
 	//
-	Owner       string `json:"owner"`
-	Repo        string `json:"repo"`
+	Owner string `json:"owner"`
+	Repo  string `json:"repo"`
+	// Mandatory if not using github app auth
 	AccessToken string `json:"access_token"` // SENSITIVE
+
+	// Mandatory if using github app auth
+	GitHubApp github.GitHubApp `json:"github_app,omitempty"`
+
 	//
 	// Optional
 	//
@@ -188,6 +193,9 @@ func (src Source) String() string {
 	fmt.Fprintf(&bld, "github_hostname:       %s\n", src.GhHostname)
 	fmt.Fprintf(&bld, "access_token:          %s\n", redact(src.AccessToken))
 	fmt.Fprintf(&bld, "gchat_webhook:         %s\n", redact(src.GChatWebHook))
+	fmt.Fprintf(&bld, "github_app.client_id:        %s\n", src.GitHubApp.ClientId)
+	fmt.Fprintf(&bld, "github_app.installation_id:  %d\n", src.GitHubApp.InstallationId)
+	fmt.Fprintf(&bld, "github_app.private_key:      %s\n", redact(src.GitHubApp.PrivateKey))
 	fmt.Fprintf(&bld, "log_level:             %s\n", src.LogLevel)
 	fmt.Fprintf(&bld, "context_prefix:        %s\n", src.ContextPrefix)
 	fmt.Fprintf(&bld, "omit_target_url:       %t\n", src.OmitTargetURL)
@@ -245,7 +253,18 @@ func (src *Source) Validate() error {
 		if src.Repo == "" {
 			mandatory = append(mandatory, "repo")
 		}
-		if src.AccessToken == "" {
+
+		if src.GitHubApp != (github.GitHubApp{}) {
+			if src.GitHubApp.ClientId == "" {
+				mandatory = append(mandatory, "github_app.client_id")
+			}
+			if src.GitHubApp.InstallationId == 0 {
+				mandatory = append(mandatory, "github_app.installation_id")
+			}
+			if src.GitHubApp.PrivateKey == "" {
+				mandatory = append(mandatory, "github_app.private_key")
+			}
+		} else if src.AccessToken == "" {
 			mandatory = append(mandatory, "access_token")
 		}
 	}

cogito/protocol_test.go

@@ -12,6 +12,7 @@ import (
 	"gotest.tools/v3/assert/cmp"
 
 	"github.com/Pix4D/cogito/cogito"
+	"github.com/Pix4D/cogito/github"
 	"github.com/Pix4D/cogito/testhelp"
 )
 
@@ -63,6 +64,20 @@ func TestSourceValidationSuccess(t *testing.T) {
 				return source
 			},
 		},
+		{
+			name: "git source: github app",
+			mkSource: func() cogito.Source {
+				return cogito.Source{
+					Owner: "the-owner",
+					Repo:  "the-repo",
+					GitHubApp: github.GitHubApp{
+						ClientId:       "client-id-key",
+						InstallationId: 12345,
+						PrivateKey:     "private-ssh-key",
+					},
+				}
+			},
+		},
 	}
 
 	for _, tc := range testCases {
@@ -93,6 +108,29 @@ func TestSourceValidationFailure(t *testing.T) {
 			source:  cogito.Source{},
 			wantErr: "source: missing keys: owner, repo, access_token",
 		},
+		{
+			name: "missing mandatory git source keys for github app: client-id",
+			source: cogito.Source{
+				Owner: "the-owner",
+				Repo:  "the-repo",
+				GitHubApp: github.GitHubApp{
+					InstallationId: 1234,
+					PrivateKey:     "private-rsa-key",
+				},
+			},
+			wantErr: "source: missing keys: github_app.client_id",
+		},
+		{
+			name: "missing mandatory git source keys for github app: private key",
+			source: cogito.Source{
+				Owner: "the-owner",
+				Repo:  "the-repo",
+				GitHubApp: github.GitHubApp{
+					ClientId: "client-id",
+				},
+			},
+			wantErr: "source: missing keys: github_app.installation_id, github_app.private_key",
+		},
 		{
 			name:    "missing mandatory gchat source key",
 			source:  cogito.Source{Sinks: []string{"gchat"}},
@@ -204,6 +242,7 @@ func TestSourcePrintLogRedaction(t *testing.T) {
 		Repo:               "the-repo",
 		GhHostname:         "github.com",
 		AccessToken:        "sensitive-the-access-token",
+		GitHubApp:          github.GitHubApp{ClientId: "client-id", InstallationId: 1234, PrivateKey: "sensitive-private-rsa-key"},
 		GChatWebHook:       "sensitive-gchat-webhook",
 		LogLevel:           "debug",
 		ContextPrefix:      "the-prefix",
@@ -217,6 +256,9 @@ repo:                  the-repo
 github_hostname:       github.com
 access_token:          ***REDACTED***
 gchat_webhook:         ***REDACTED***
+github_app.client_id:        client-id
+github_app.installation_id:  1234
+github_app.private_key:      ***REDACTED***
 log_level:             debug
 context_prefix:        the-prefix
 omit_target_url:       false
@@ -238,6 +280,9 @@ repo:
 github_hostname:       
 access_token:          
 gchat_webhook:         
+github_app.client_id:        
+github_app.installation_id:  0
+github_app.private_key:      
 log_level:             
 context_prefix:        
 omit_target_url:       false