git-credential-github-app-auth 0.2.0

Git credential helper using GitHub App authentication to provide Github tokens as credentials to Git.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136

use std::collections::HashMap;

use std::sync::RwLock;
use std::time::SystemTime;

use anyhow::Result;
use chrono::{DateTime, Duration, Utc};
use jsonwebtoken::EncodingKey;
use log::info;
use serde::{Deserialize, Serialize};

use crate::parser::RepoInfo;

#[derive(Clone, Deserialize, Debug)]
pub struct InstallationToken {
    pub token: String,
    pub expires_at: DateTime<Utc>,
}

#[derive(Clone, Deserialize, Debug)]
pub struct RepositoryInstallation {
    pub id: u64,
}

struct GithubClient {
    github_url: String,
    app_id: u64,
    app_key: EncodingKey,
}

impl GithubClient {
    pub fn get_repository_installation(&self, repo_info: &RepoInfo) -> Result<u64> {
        let response: RepositoryInstallation = ureq::get(&format!(
            "{}/repos/{}/{}/installation",
            self.github_url, repo_info.organization, repo_info.name
        ))
        .set("Accept", "application/vnd.github+json")
        .set("Authorization", &format!("Bearer {}", self.create_jwt()?))
        .set("X-GitHub-Api-Version", "2022-11-28")
        .call()?
        .into_json()?;
        Ok(response.id)
    }

    pub fn get_access_token(&self, installation_id: u64) -> Result<InstallationToken> {
        let response: InstallationToken = ureq::post(&format!(
            "{}/app/installations/{installation_id}/access_tokens",
            self.github_url
        ))
        .set("Accept", "application/vnd.github+json")
        .set("Authorization", &format!("Bearer {}", self.create_jwt()?))
        .set("X-GitHub-Api-Version", "2022-11-28")
        .call()?
        .into_json()?;
        Ok(response)
    }

    /// Note: copied from octocrab
    pub fn create_jwt(&self) -> Result<String> {
        #[derive(Serialize)]
        struct Claims {
            iat: usize,
            exp: usize,
            iss: String,
        }

        let header = jsonwebtoken::Header::new(jsonwebtoken::Algorithm::RS256);
        let now = SystemTime::UNIX_EPOCH.elapsed().unwrap().as_secs() as usize;
        let claims = Claims {
            iss: self.app_id.to_string(),
            iat: now - 60,
            exp: now + (9 * 60),
        };

        Ok(jsonwebtoken::encode(&header, &claims, &self.app_key)?)
    }
}

pub struct TokenService {
    github_client: GithubClient,
    installations: RwLock<HashMap<RepoInfo, u64>>,
    cache: RwLock<HashMap<u64, InstallationToken>>,
}

impl TokenService {
    pub fn new(app_id: u64, app_key: EncodingKey, github_url: String) -> Result<TokenService> {
        let client = GithubClient {
            github_url,
            app_id,
            app_key,
        };
        Ok(TokenService {
            github_client: client,
            installations: RwLock::new(HashMap::new()),
            cache: RwLock::new(HashMap::new()),
        })
    }

    pub fn get_token(&self, repo_info: RepoInfo) -> Result<String> {
        let installation_id = {
            let installations = self.installations.read().unwrap();
            if let Some(installation_id) = installations.get(&repo_info) {
                let tokens = self.cache.read().unwrap();
                if let Some(install_token) = tokens.get(installation_id) {
                    if install_token.expires_at > Utc::now() - Duration::minutes(5) {
                        return Ok(install_token.token.clone());
                    }
                }
                *installation_id
            } else {
                self.github_client.get_repository_installation(&repo_info)?
            }
        };
        // drop(installations);
        info!("Installation ID: {installation_id}");

        let installation_token = self.github_client.get_access_token(installation_id)?;

        let mut debug_token = installation_token.token.clone();
        debug_token.truncate(10);
        info!(
            "Installation token: {}... (expires: {})",
            debug_token, installation_token.expires_at
        );

        {
            let mut installations = self.installations.write().unwrap();
            installations.insert(repo_info, installation_id);
        }
        {
            let mut tokens = self.cache.write().unwrap();
            tokens.insert(installation_id, installation_token.clone());
        }
        Ok(installation_token.token)
    }
}