-
-
Notifications
You must be signed in to change notification settings - Fork 1.7k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Support full GitHub app authentication (#1986)
* Support full GitHub app authentication Refactor GithubIntegration class and add test case for app authentication Add permissions and repository properties in InstallationAuthorization Set JWT_EXPIRY=60 by default in GithubIntegration constructor * Modify existing testcases for GithubIntegration as per the framework and add missing tests * Provide installation ID for creating the access token instead of getting the first installation * Add optional permissions support for installation access token * Add lock around app authentication * Keep compatibility for importing GithubIntegration from MainClass * Group app authentication parameters in a class Co-authored-by: Malik Ammar Akbar <malikammar.akbar@pfizer.com> Co-authored-by: Enrico Minack <github@enrico.minack.dev>
- Loading branch information
1 parent
7cf3dfc
commit 5e27c10
Showing
30 changed files
with
808 additions
and
295 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
############################ Copyrights and license ############################ | ||
# # | ||
# Copyright 2023 Denis Blanchette <denisblanchette@gmail.com> # | ||
# # | ||
# This file is part of PyGithub. # | ||
# http://pygithub.readthedocs.io/ # | ||
# # | ||
# PyGithub is free software: you can redistribute it and/or modify it under # | ||
# the terms of the GNU Lesser General Public License as published by the Free # | ||
# Software Foundation, either version 3 of the License, or (at your option) # | ||
# any later version. # | ||
# # | ||
# PyGithub is distributed in the hope that it will be useful, but WITHOUT ANY # | ||
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS # | ||
# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # | ||
# details. # | ||
# # | ||
# You should have received a copy of the GNU Lesser General Public License # | ||
# along with PyGithub. If not, see <http://www.gnu.org/licenses/>. # | ||
# # | ||
################################################################################ | ||
|
||
|
||
class AppAuthentication: | ||
def __init__( | ||
self, | ||
app_id, | ||
private_key, | ||
installation_id, | ||
token_permissions=None, | ||
): | ||
assert isinstance(app_id, (int, str)), app_id | ||
assert isinstance(private_key, str) | ||
assert isinstance(installation_id, int), installation_id | ||
assert token_permissions is None or isinstance( | ||
token_permissions, dict | ||
), token_permissions | ||
self.app_id = app_id | ||
self.private_key = private_key | ||
self.installation_id = installation_id | ||
self.token_permissions = token_permissions |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
from typing import Optional, Dict, Union | ||
|
||
class AppAuthentication: | ||
def __init__( | ||
self, | ||
app_id: Union[int, str], | ||
private_key: str, | ||
installation_id: int, | ||
token_permissions: Optional[Dict[str, str]] = ..., | ||
): ... |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,199 @@ | ||
import time | ||
|
||
import deprecated | ||
import jwt | ||
|
||
from github import Consts | ||
from github.GithubException import GithubException | ||
from github.Installation import Installation | ||
from github.InstallationAuthorization import InstallationAuthorization | ||
from github.PaginatedList import PaginatedList | ||
from github.Requester import Requester | ||
|
||
|
||
class GithubIntegration: | ||
""" | ||
Main class to obtain tokens for a GitHub integration. | ||
""" | ||
|
||
def __init__( | ||
self, | ||
integration_id, | ||
private_key, | ||
base_url=Consts.DEFAULT_BASE_URL, | ||
jwt_expiry=Consts.DEFAULT_JWT_EXPIRY, | ||
jwt_issued_at=Consts.DEFAULT_JWT_ISSUED_AT, | ||
): | ||
""" | ||
:param integration_id: int | ||
:param private_key: string | ||
:param base_url: string | ||
:param jwt_expiry: int. Expiry of the JWT used to get the information about this integration. | ||
The default expiration is in 5 minutes and is capped at 10 minutes according to GitHub documentation | ||
https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#generating-a-json-web-token-jwt | ||
:param jwt_issued_at: int. Number of seconds, relative to now, to set for the "iat" (issued at) parameter. | ||
The default value is -60 to protect against clock drift | ||
""" | ||
assert isinstance(integration_id, (int, str)), integration_id | ||
assert isinstance(private_key, str), "supplied private key should be a string" | ||
assert isinstance(base_url, str), base_url | ||
assert isinstance(jwt_expiry, int), jwt_expiry | ||
assert Consts.MIN_JWT_EXPIRY <= jwt_expiry <= Consts.MAX_JWT_EXPIRY, jwt_expiry | ||
assert isinstance(jwt_issued_at, int) | ||
|
||
self.base_url = base_url | ||
self.integration_id = integration_id | ||
self.private_key = private_key | ||
self.jwt_expiry = jwt_expiry | ||
self.jwt_issued_at = jwt_issued_at | ||
self.__requester = Requester( | ||
login_or_token=None, | ||
password=None, | ||
jwt=self.create_jwt(), | ||
app_auth=None, | ||
base_url=self.base_url, | ||
timeout=Consts.DEFAULT_TIMEOUT, | ||
user_agent="PyGithub/Python", | ||
per_page=Consts.DEFAULT_PER_PAGE, | ||
verify=True, | ||
retry=None, | ||
pool_size=None, | ||
) | ||
|
||
def _get_headers(self): | ||
""" | ||
Get headers for the requests. | ||
:return: dict | ||
""" | ||
return { | ||
"Authorization": f"Bearer {self.create_jwt()}", | ||
"Accept": Consts.mediaTypeIntegrationPreview, | ||
"User-Agent": "PyGithub/Python", | ||
} | ||
|
||
def _get_installed_app(self, url): | ||
""" | ||
Get installation for the given URL. | ||
:param url: str | ||
:rtype: :class:`github.Installation.Installation` | ||
""" | ||
headers, response = self.__requester.requestJsonAndCheck( | ||
"GET", url, headers=self._get_headers() | ||
) | ||
|
||
return Installation( | ||
requester=self.__requester, | ||
headers=headers, | ||
attributes=response, | ||
completed=True, | ||
) | ||
|
||
def create_jwt(self): | ||
""" | ||
Create a signed JWT | ||
https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-a-github-app | ||
:return string: | ||
""" | ||
now = int(time.time()) | ||
payload = { | ||
"iat": now + self.jwt_issued_at, | ||
"exp": now + self.jwt_expiry, | ||
"iss": self.integration_id, | ||
} | ||
encrypted = jwt.encode(payload, key=self.private_key, algorithm="RS256") | ||
|
||
if isinstance(encrypted, bytes): | ||
encrypted = encrypted.decode("utf-8") | ||
|
||
return encrypted | ||
|
||
def get_access_token(self, installation_id, permissions=None): | ||
""" | ||
:calls: `POST /app/installations/{installation_id}/access_tokens <https://docs.github.com/en/rest/apps/apps#create-an-installation-access-token-for-an-app>` | ||
:param installation_id: int | ||
:param permissions: dict | ||
:return: :class:`github.InstallationAuthorization.InstallationAuthorization` | ||
""" | ||
if permissions is None: | ||
permissions = {} | ||
|
||
if not isinstance(permissions, dict): | ||
raise GithubException( | ||
status=400, data={"message": "Invalid permissions"}, headers=None | ||
) | ||
|
||
body = {"permissions": permissions} | ||
headers, response = self.__requester.requestJsonAndCheck( | ||
"POST", | ||
f"/app/installations/{installation_id}/access_tokens", | ||
input=body, | ||
) | ||
|
||
return InstallationAuthorization( | ||
requester=self.__requester, | ||
headers=headers, | ||
attributes=response, | ||
completed=True, | ||
) | ||
|
||
@deprecated.deprecated("Use get_repo_installation") | ||
def get_installation(self, owner, repo): | ||
""" | ||
Deprecated by get_repo_installation | ||
:calls: `GET /repos/{owner}/{repo}/installation <https://docs.github.com/en/rest/reference/apps#get-a-repository-installation-for-the-authenticated-app>` | ||
:param owner: str | ||
:param repo: str | ||
:rtype: :class:`github.Installation.Installation` | ||
""" | ||
return self._get_installed_app(url=f"/repos/{owner}/{repo}/installation") | ||
|
||
def get_installations(self): | ||
""" | ||
:calls: GET /app/installations <https://docs.github.com/en/rest/reference/apps#list-installations-for-the-authenticated-app> | ||
:rtype: :class:`github.PaginatedList.PaginatedList[github.Installation.Installation]` | ||
""" | ||
return PaginatedList( | ||
contentClass=Installation, | ||
requester=self.__requester, | ||
firstUrl="/app/installations", | ||
firstParams=None, | ||
headers=self._get_headers(), | ||
list_item="installations", | ||
) | ||
|
||
def get_org_installation(self, org): | ||
""" | ||
:calls: `GET /orgs/{org}/installation <https://docs.github.com/en/rest/apps/apps#get-an-organization-installation-for-the-authenticated-app>` | ||
:param org: str | ||
:rtype: :class:`github.Installation.Installation` | ||
""" | ||
return self._get_installed_app(url=f"/orgs/{org}/installation") | ||
|
||
def get_repo_installation(self, owner, repo): | ||
""" | ||
:calls: `GET /repos/{owner}/{repo}/installation <https://docs.github.com/en/rest/reference/apps#get-a-repository-installation-for-the-authenticated-app>` | ||
:param owner: str | ||
:param repo: str | ||
:rtype: :class:`github.Installation.Installation` | ||
""" | ||
return self._get_installed_app(url=f"/repos/{owner}/{repo}/installation") | ||
|
||
def get_user_installation(self, username): | ||
""" | ||
:calls: `GET /users/{username}/installation <https://docs.github.com/en/rest/apps/apps#get-a-user-installation-for-the-authenticated-app>` | ||
:param username: str | ||
:rtype: :class:`github.Installation.Installation` | ||
""" | ||
return self._get_installed_app(url=f"/users/{username}/installation") | ||
|
||
def get_app_installation(self, installation_id): | ||
""" | ||
:calls: `GET /app/installations/{installation_id} <https://docs.github.com/en/rest/apps/apps#get-an-installation-for-the-authenticated-app>` | ||
:param installation_id: int | ||
:rtype: :class:`github.Installation.Installation` | ||
""" | ||
return self._get_installed_app(url=f"/app/installations/{installation_id}") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
from typing import Union, Optional, Dict | ||
|
||
from github.Installation import Installation | ||
from github.InstallationAuthorization import InstallationAuthorization | ||
from github.PaginatedList import PaginatedList | ||
from github.Requester import Requester | ||
|
||
class GithubIntegration: | ||
integration_id: Union[int, str] = ... | ||
private_key: str = ... | ||
base_url: str = ... | ||
jwt_expiry: int = ... | ||
jwt_issued_at: int = ... | ||
__requester: Requester = ... | ||
def __init__( | ||
self, | ||
integration_id: Union[int, str], | ||
private_key: str, | ||
base_url: str = ..., | ||
jwt_expiry: int = ..., | ||
jwt_issued_at: int = ..., | ||
) -> None: ... | ||
def _get_installed_app(self, url: str) -> Installation: ... | ||
def _get_headers(self) -> Dict[str, str]: ... | ||
def create_jwt(self, expiration: int = ...) -> str: ... | ||
def get_access_token( | ||
self, installation_id: int, permissions: Optional[Dict[str, str]] = ... | ||
) -> InstallationAuthorization: ... | ||
def get_app_installation(self, installation_id: int) -> Installation: ... | ||
def get_installation(self, owner: str, repo: str) -> Installation: ... | ||
def get_installations(self) -> PaginatedList[Installation]: ... | ||
def get_org_installation(self, org: str) -> Installation: ... | ||
def get_repo_installation(self, owner: str, repo: str) -> Installation: ... | ||
def get_user_installation(self, username: str) -> Installation: ... |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.