github: add support for github apps

Author: aliculPix4D

cogito/ghcommitsink.go

@@ -36,17 +36,27 @@ func (sink GitHubCommitStatusSink) Send() error {
 	ghState := ghAdaptState(sink.Request.Params.State)
 	buildURL := concourseBuildURL(sink.Request.Env)
 	context := ghMakeContext(sink.Request)
+	server := github.ApiRoot(sink.Request.Source.GhHostname)
+
+	token := sink.Request.Source.AccessToken
+	if token == "" {
+		installationToken, err := github.GenerateInstallationToken(server, sink.Request.Source.GitHubApp)
+		if err != nil {
+			return err
+		}
+		token = installationToken
+	}
 
 	target := &github.Target{
-		Server: github.ApiRoot(sink.Request.Source.GhHostname),
+		Server: server,
 		Retry: retry.Retry{
 			FirstDelay:   retryFirstDelay,
 			BackoffLimit: retryBackoffLimit,
 			UpTo:         retryUpTo,
 			Log:          sink.Log,
 		},
 	}
-	commitStatus := github.NewCommitStatus(target, sink.Request.Source.AccessToken,
+	commitStatus := github.NewCommitStatus(target, token,
 		sink.Request.Source.Owner, sink.Request.Source.Repo, context, sink.Log)
 	description := "Build " + sink.Request.Env.BuildName
 

cogito/ghcommitsink_test.go

@@ -28,7 +28,7 @@ func TestSinkGitHubCommitStatusSendSuccess(t *testing.T) {
 		Log:    testhelp.MakeTestLog(),
 		GitRef: wantGitRef,
 		Request: cogito.PutRequest{
-			Source: cogito.Source{GhHostname: gitHubSpyURL.Host},
+			Source: cogito.Source{GhHostname: gitHubSpyURL.Host, AccessToken: "dummy-token"},
 			Params: cogito.PutParams{State: wantState},
 			Env:    cogito.Environment{BuildJobName: jobName},
 		},
@@ -55,7 +55,7 @@ func TestSinkGitHubCommitStatusSendFailure(t *testing.T) {
 		Log:    testhelp.MakeTestLog(),
 		GitRef: "deadbeefdeadbeef",
 		Request: cogito.PutRequest{
-			Source: cogito.Source{GhHostname: gitHubSpyURL.Host},
+			Source: cogito.Source{GhHostname: gitHubSpyURL.Host, AccessToken: "dummy-token"},
 			Params: cogito.PutParams{State: cogito.StatePending},
 		},
 	}

cogito/protocol.go

@@ -162,9 +162,14 @@ type Source struct {
 	//
 	// Mandatory
 	//
-	Owner       string `json:"owner"`
-	Repo        string `json:"repo"`
+	Owner string `json:"owner"`
+	Repo  string `json:"repo"`
+	// Mandatory if not using github app auth
 	AccessToken string `json:"access_token"` // SENSITIVE
+
+	// Mandatory if using github app auth
+	GitHubApp *github.GitHubApp `json:"github_app,omitempty"`
+
 	//
 	// Optional
 	//
@@ -193,6 +198,21 @@ func (src Source) String() string {
 	fmt.Fprintf(&bld, "omit_target_url:       %t\n", src.OmitTargetURL)
 	fmt.Fprintf(&bld, "chat_append_summary:   %t\n", src.ChatAppendSummary)
 	fmt.Fprintf(&bld, "chat_notify_on_states: %s\n", src.ChatNotifyOnStates)
+
+	// fmt.Fprintf(&bld, "owner:                       %s\n", src.Owner)
+	// fmt.Fprintf(&bld, "repo:                        %s\n", src.Repo)
+	// fmt.Fprintf(&bld, "github_hostname:             %s\n", src.GhHostname)
+	// fmt.Fprintf(&bld, "access_token:                %s\n", redact(src.AccessToken))
+	// // FIX: avoid panic is src.GitHubApp is nil
+	// fmt.Fprintf(&bld, "github_app.client_id:        %s\n", src.GitHubApp.ClientId)
+	// fmt.Fprintf(&bld, "github_app.installation_id:  %d\n", src.GitHubApp.InstallationId)
+	// fmt.Fprintf(&bld, "github_app.private_key:      %s\n", redact(src.GitHubApp.PrivateKey))
+	// fmt.Fprintf(&bld, "gchat_webhook:         		%s\n", redact(src.GChatWebHook))
+	// fmt.Fprintf(&bld, "log_level:             		%s\n", src.LogLevel)
+	// fmt.Fprintf(&bld, "context_prefix:        		%s\n", src.ContextPrefix)
+	// fmt.Fprintf(&bld, "omit_target_url:       		%t\n", src.OmitTargetURL)
+	// fmt.Fprintf(&bld, "chat_append_summary:   		%t\n", src.ChatAppendSummary)
+	// fmt.Fprintf(&bld, "chat_notify_on_states: 		%s\n", src.ChatNotifyOnStates)
 	// Last one: no newline.
 	fmt.Fprintf(&bld, "sinks: %s", src.Sinks)
 
@@ -245,9 +265,23 @@ func (src *Source) Validate() error {
 		if src.Repo == "" {
 			mandatory = append(mandatory, "repo")
 		}
-		if src.AccessToken == "" {
+		if src.AccessToken == "" && src.GitHubApp == nil {
+			// missing access token or github_app
 			mandatory = append(mandatory, "access_token")
 		}
+		if src.AccessToken == "" && src.GitHubApp != nil {
+			if src.GitHubApp.ClientId == "" {
+				mandatory = append(mandatory, "github_app.client_id")
+			}
+			if src.GitHubApp.InstallationId == 0 {
+				mandatory = append(mandatory, "github_app.installation_id")
+			}
+			if src.GitHubApp.PrivateKey == "" {
+				mandatory = append(mandatory, "github_app.private_key")
+			}
+		}
+		// if both src.AccessToken and src.GitHubApp are set; we should
+		// fail the run
 	}
 
 	if sinks.Contains("gchat") {

cogito/protocol_test.go

@@ -12,6 +12,7 @@ import (
 	"gotest.tools/v3/assert/cmp"
 
 	"github.com/Pix4D/cogito/cogito"
+	"github.com/Pix4D/cogito/github"
 	"github.com/Pix4D/cogito/testhelp"
 )
 
@@ -63,6 +64,20 @@ func TestSourceValidationSuccess(t *testing.T) {
 				return source
 			},
 		},
+		{
+			name: "git source: github app",
+			mkSource: func() cogito.Source {
+				return cogito.Source{
+					Owner: "the-owner",
+					Repo:  "the-repo",
+					GitHubApp: &github.GitHubApp{
+						ClientId:       "client-id-key",
+						InstallationId: 12345,
+						PrivateKey:     "private-ssh-key",
+					},
+				}
+			},
+		},
 	}
 
 	for _, tc := range testCases {
@@ -129,6 +144,7 @@ func TestSourceValidationFailure(t *testing.T) {
 			},
 			wantErr: "source: invalid github_api_hostname: https://github.foo.com/api/v3/. Don't configure the schema or the path",
 		},
+		// FIXME: add the failure tests for github app
 	}
 
 	for _, tc := range testCases {
@@ -210,7 +226,8 @@ func TestSourcePrintLogRedaction(t *testing.T) {
 		ChatAppendSummary:  true,
 		ChatNotifyOnStates: []cogito.BuildState{cogito.StateSuccess, cogito.StateFailure},
 	}
-
+	// FIXME: extend the tests to verify that the source.github_app.private_key
+	// is properly redacted
 	t.Run("fmt.Print redacts fields", func(t *testing.T) {
 		want := `owner:                 the-owner
 repo:                  the-repo

github/githubapp.go

@@ -0,0 +1,97 @@
+package github
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"path"
+	"strconv"
+	"time"
+
+	"github.com/golang-jwt/jwt/v4"
+)
+
+type GitHubApp struct {
+	ClientId       string `json:"client_id"`
+	InstallationId int64  `json:"installation_id"`
+	PrivateKey     string `json:"private_key"` // SENSITIVE
+}
+
+// generateJWTtoken returns a signed JWT token used to authenticate as GitHub App
+func generateJWTtoken(clientId, privateKey string) (string, error) {
+	key, err := jwt.ParseRSAPrivateKeyFromPEM([]byte(privateKey))
+	if err != nil {
+		return "", fmt.Errorf("could not parse private key: %w", err)
+	}
+	// GitHub rejects expiry and issue timestamps that are not an integer,
+	// while the jwt-go library serializes to fractional timestamps.
+	// Truncate them before passing to jwt-go.
+	// Additionally, GitHub recommends setting this value 60 seconds in the past.
+	iat := time.Now().Add(-60 * time.Second).Truncate(time.Second)
+	// maximum validity 10 minutes. Here, we reduce it to 2 minutes.
+	exp := iat.Add(2 * time.Minute)
+	// Docs: https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-json-web-token-jwt-for-a-github-app#about-json-web-tokens-jwts
+	claims := &jwt.RegisteredClaims{
+		IssuedAt:  jwt.NewNumericDate(iat),
+		ExpiresAt: jwt.NewNumericDate(exp),
+		// The client ID or application ID of your GitHub App.
+		// Use of the client ID is recommended.
+		Issuer: clientId,
+	}
+
+	// GitHub JWT must be signed using the RS256 algorithm.
+	token, err := jwt.NewWithClaims(jwt.SigningMethodRS256, claims).SignedString(key)
+	if err != nil {
+		return "", fmt.Errorf("could not sign the JWT token: %w", err)
+	}
+	return token, nil
+}
+
+// GenerateInstallationToken returns an installation token used to authenticate as GitHub App installation
+func GenerateInstallationToken(server string, app *GitHubApp) (string, error) {
+	// FIXME: prevent panic if app pointer is nil
+	// API: POST /app/installations/{installationId}/access_tokens
+	installationId := strconv.FormatInt(app.InstallationId, 10)
+	url := server + path.Join("/app/installations", installationId, "/access_tokens")
+
+	req, err := http.NewRequest(http.MethodPost, url, nil)
+	if err != nil {
+		return "", fmt.Errorf("github post: new request: %s", err)
+	}
+	req.Header.Add("Accept", "application/vnd.github.v3+json")
+
+	jtwToken, err := generateJWTtoken(app.ClientId, app.PrivateKey)
+	if err != nil {
+		return "", err
+	}
+	req.Header.Set("Authorization", "Bearer "+jtwToken)
+
+	client := &http.Client{Timeout: time.Second * 5}
+
+	// FIXME: add retry here...
+	resp, err := client.Do(req)
+	if err != nil {
+		return "", fmt.Errorf("http client Do: %s", err)
+	}
+	defer resp.Body.Close()
+
+	body, errBody := io.ReadAll(resp.Body)
+	if resp.StatusCode != http.StatusCreated {
+		if errBody != nil {
+			return "", fmt.Errorf("generate github app installation token: status code: %d (%s)", resp.StatusCode, errBody)
+		}
+		return "", fmt.Errorf("generate github app installation token: status code: %d (%s)", resp.StatusCode, string(body))
+	}
+	if errBody != nil {
+		return string(body), fmt.Errorf("generate github app installation token: read body: %s", errBody)
+	}
+
+	var token struct {
+		Value string `json:"token"`
+	}
+	if err := json.Unmarshal(body, &token); err != nil {
+		return "", fmt.Errorf("error: json unmarshal: %s", err)
+	}
+	return token.Value, nil
+}

github/githubapp_test.go

@@ -0,0 +1,46 @@
+package github_test
+
+import (
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/Pix4D/cogito/github"
+	"github.com/Pix4D/cogito/testhelp"
+	"gotest.tools/v3/assert"
+)
+
+func TestGenerateInstallationToken(t *testing.T) {
+	clientID := "abcd1234"
+	var installationID int64 = 12345
+
+	privateKey, err := testhelp.GeneratePrivateKey(t, 2048)
+	assert.NilError(t, err)
+
+	handler := func(w http.ResponseWriter, r *http.Request) {
+		claims := testhelp.DecodeJWT(t, r, privateKey)
+		if claims.Issuer != clientID {
+			w.WriteHeader(http.StatusUnauthorized)
+			fmt.Fprintln(w, "unauthorized: wrong JWT token")
+			return
+		}
+		w.WriteHeader(http.StatusCreated)
+		fmt.Fprintln(w, `{"token": "dummy_token"}`)
+	}
+
+	ts := httptest.NewServer(http.HandlerFunc(handler))
+	defer ts.Close()
+
+	gotToken, err := github.GenerateInstallationToken(
+		ts.URL,
+		&github.GitHubApp{
+			ClientId:       clientID,
+			InstallationId: installationID,
+			PrivateKey:     string(testhelp.EncodePrivateKeyToPEM(privateKey)),
+		},
+	)
+
+	assert.NilError(t, err)
+	assert.Equal(t, "dummy_token", gotToken)
+}

go.mod

@@ -6,6 +6,7 @@ require (
 	dario.cat/mergo v1.0.0
 	github.com/alexflint/go-arg v1.4.3
 	github.com/go-quicktest/qt v1.101.1-0.20240301121107-c6c8733fa1e6
+	github.com/golang-jwt/jwt/v4 v4.5.2
 	github.com/google/go-cmp v0.6.0
 	github.com/sasbury/mini v0.0.0-20181226232755-dc74af49394b
 	gotest.tools/v3 v3.5.1

go.sum

@@ -11,6 +11,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/go-quicktest/qt v1.101.1-0.20240301121107-c6c8733fa1e6 h1:teYtXy9B7y5lHTp8V9KPxpYRAVA7dozigQcMiBust1s=
 github.com/go-quicktest/qt v1.101.1-0.20240301121107-c6c8733fa1e6/go.mod h1:p4lGIVX+8Wa6ZPNDvqcxq36XpUDLh42FLetFU7odllI=
+github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
+github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=

testhelp/testhelper.go

@@ -2,10 +2,15 @@ package testhelp
 
 import (
 	"bytes"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
 	"encoding/json"
+	"encoding/pem"
 	"errors"
 	"fmt"
 	"io"
+	"net/http"
 	"os"
 	"path"
 	"path/filepath"
@@ -14,6 +19,7 @@ import (
 	"text/template"
 
 	"dario.cat/mergo"
+	"github.com/golang-jwt/jwt/v4"
 	"gotest.tools/v3/assert"
 )
 
@@ -293,3 +299,46 @@ type FailingWriter struct{}
 func (t *FailingWriter) Write([]byte) (n int, err error) {
 	return 0, errors.New("test write error")
 }
+
+// GeneratePrivateKey creates a RSA Private Key of specified byte size
+func GeneratePrivateKey(t *testing.T, bitSize int) (*rsa.PrivateKey, error) {
+	// Private Key generation
+	privateKey, err := rsa.GenerateKey(rand.Reader, bitSize)
+	assert.NilError(t, err)
+
+	// Validate Private Key
+	err = privateKey.Validate()
+	assert.NilError(t, err)
+
+	return privateKey, nil
+}
+
+// EncodePrivateKeyToPEM encodes Private Key from RSA to PEM format
+func EncodePrivateKeyToPEM(privateKey *rsa.PrivateKey) []byte {
+	// Get ASN.1 DER format
+	privDER := x509.MarshalPKCS1PrivateKey(privateKey)
+
+	// pem.Block
+	privBlock := pem.Block{
+		Type:    "RSA PRIVATE KEY",
+		Headers: nil,
+		Bytes:   privDER,
+	}
+
+	return pem.EncodeToMemory(&privBlock)
+}
+
+// DecodeJWT decodes the HTTP request authorization header with the given RSA key
+// and returns the registered claims of the decoded token.
+func DecodeJWT(t *testing.T, r *http.Request, key *rsa.PrivateKey) *jwt.RegisteredClaims {
+	token := strings.Fields(r.Header.Get("Authorization"))[1]
+	tok, err := jwt.ParseWithClaims(token, &jwt.RegisteredClaims{}, func(t *jwt.Token) (interface{}, error) {
+		if t.Header["alg"] != "RS256" {
+			return nil, fmt.Errorf("unexpected signing method: %v, expected: %v", t.Header["alg"], "RS256")
+		}
+		return &key.PublicKey, nil
+	})
+	assert.NilError(t, err)
+
+	return tok.Claims.(*jwt.RegisteredClaims)
+}