[RFC-007] Implement GitHub app authentication for git repositories.

- Add github app based authentication method to fetch installation token in auth package. - Add unit tests to test the github app authentication - Add github provider options in git package. - Use the github provider to clone from go-git package. - Add unit tests to fetch git credentials and cloning the repository using github app authentication. - Add e2e tests to test pull/push to git repositories using github app authentication. - Update the github workflow to run e2etests from CI. Signed-off-by: Dipti Pai <[email protected]>
fluxcd · Nov 25, 2024 · 7199971 · 7199971
1 parent aa0e9ce
commit 7199971
Show file tree

Hide file tree

Showing 20 changed files with 867 additions and 50 deletions.
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
@@ -61,6 +61,9 @@ jobs:
               export GITHUB_USER="fluxcd-gitprovider-bot"
               export GITHUB_ORG="fluxcd-testing"
               export GITHUB_TOKEN="${{ secrets.GITPROVIDER_BOT_TOKEN }}"
+              export GHAPP_ID="${{ secrets.GHAPP_ID }}"
+              export GHAPP_INSTALL_ID="${{ secrets.GHAPP_INSTALL_ID }}"
+              export GHAPP_PRIVATE_KEY="${{ secrets.GHAPP_PRIVATE_KEY }}"
             elif [[ ${{ matrix.provider }} = "gitlab" ]]; then
               export GO_TEST_PREFIX="TestGitLabE2E"
               export GITLAB_USER="fluxcd-gitprovider-bot"

diff --git a/auth/github/client.go b/auth/github/client.go
@@ -0,0 +1,176 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package github
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strconv"
+	"time"
+
+	"github.com/bradleyfalzon/ghinstallation/v2"
+	"golang.org/x/net/http/httpproxy"
+)
+
+const (
+	AppIDKey             = "githubAppID"
+	AppInstallationIDKey = "githubAppInstallationID"
+	AppPrivateKey        = "githubAppPrivateKey"
+	ApiURLKey            = "githubApiURL"
+)
+
+// Client is an authentication provider for GitHub Apps.
+type Client struct {
+	appID          string
+	installationID string
+	privateKey     []byte
+	apiURL         string
+	proxyURL       *url.URL
+	ghTransport    *ghinstallation.Transport
+}
+
+// OptFunc enables specifying options for the provider.
+type OptFunc func(*Client)
+
+// New returns a new authentication provider for GitHub Apps.
+func New(opts ...OptFunc) (*Client, error) {
+	var err error
+
+	p := &Client{}
+	for _, opt := range opts {
+		opt(p)
+	}
+
+	transport := http.DefaultTransport.(*http.Transport).Clone()
+	if p.proxyURL != nil {
+		proxyStr := p.proxyURL.String()
+		proxyConfig := &httpproxy.Config{
+			HTTPProxy:  proxyStr,
+			HTTPSProxy: proxyStr,
+		}
+		proxyFunc := func(req *http.Request) (*url.URL, error) {
+			return proxyConfig.ProxyFunc()(req.URL)
+		}
+		transport.Proxy = proxyFunc
+	}
+
+	appID, err := strconv.Atoi(p.appID)
+	if err != nil {
+		return nil, fmt.Errorf("invalid app id, err: %v", err)
+	}
+	installationID, err := strconv.Atoi(p.installationID)
+	if err != nil {
+		return nil, fmt.Errorf("invalid app installation id, err: %v", err)
+	}
+
+	p.ghTransport, err = ghinstallation.New(transport, int64(appID), int64(installationID), p.privateKey)
+	if err != nil {
+		return nil, err
+	}
+
+	if p.apiURL != "" {
+		p.ghTransport.BaseURL = p.apiURL
+	}
+
+	return p, nil
+}
+
+// WithInstallationID configures the installation ID of the GitHub App.
+func WithInstllationID(installationID string) OptFunc {
+	return func(p *Client) {
+		p.installationID = installationID
+	}
+}
+
+// WithAppID configures the app ID of the GitHub App.
+func WithAppID(appID string) OptFunc {
+	return func(p *Client) {
+		p.appID = appID
+	}
+}
+
+// WithPrivateKey configures the private key of the GitHub App.
+func WithPrivateKey(pk []byte) OptFunc {
+	return func(p *Client) {
+		p.privateKey = pk
+	}
+}
+
+// WithApiURL configures the GitHub API endpoint to use to fetch GitHub App
+// installation token.
+func WithApiURL(apiURL string) OptFunc {
+	return func(p *Client) {
+		p.apiURL = apiURL
+	}
+}
+
+// WithAppData configures the client using data from a map
+func WithAppData(appData map[string][]byte) OptFunc {
+	return func(p *Client) {
+		val, ok := appData[AppIDKey]
+		if ok {
+			p.appID = string(val)
+		}
+		val, ok = appData[AppInstallationIDKey]
+		if ok {
+			p.installationID = string(val)
+		}
+		val, ok = appData[AppPrivateKey]
+		if ok {
+			p.privateKey = val
+		}
+		val, ok = appData[ApiURLKey]
+		if ok {
+			p.apiURL = string(val)
+		}
+	}
+}
+
+// WithProxyURL sets the proxy URL to use with the transport.
+func WithProxyURL(proxyURL *url.URL) OptFunc {
+	return func(p *Client) {
+		p.proxyURL = proxyURL
+	}
+}
+
+// AppToken contains a GitHub App installation token and its expiry.
+type AppToken struct {
+	Token     string    `json:"token"`
+	ExpiresAt time.Time `json:"expires_at"`
+}
+
+// GetToken returns the token that can be used to authenticate
+// as a GitHub App installation.
+// Ref: https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app-installation
+func (p *Client) GetToken(ctx context.Context) (*AppToken, error) {
+	token, err := p.ghTransport.Token(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	expiresAt, _, err := p.ghTransport.Expiry()
+	if err != nil {
+		return nil, err
+	}
+
+	return &AppToken{
+		Token:     token,
+		ExpiresAt: expiresAt,
+	}, nil
+}