Support full GitHub app authentication

github/ApplicationOAuth.pyi

@@ -12,6 +12,11 @@ class ApplicationOAuth(NonCompletableGithubObject):
     @property
     def client_secret(self) -> str: ...
     def get_login_url(
-        self, redirect_uri: Optional[str], state: Optional[str], login: Optional[str]
+        self,
+        redirect_uri: Optional[str] = ...,
+        state: Optional[str] = ...,
+        login: Optional[str] = ...,
     ) -> str: ...
-    def get_access_token(self, code: str, state: Optional[str]) -> AccessToken: ...
+    def get_access_token(
+        self, code: str, state: Optional[str] = ...
+    ) -> AccessToken: ...

github/AuthenticatedUser.pyi

@@ -1,5 +1,5 @@
 from datetime import datetime
-from typing import Any, Dict, List, Optional, Union, NamedTuple
+from typing import Any, Dict, List, NamedTuple, Union
 
 from github.Authorization import Authorization
 from github.Event import Event
@@ -85,6 +85,7 @@ class AuthenticatedUser(CompletableGithubObject):
         allow_squash_merge: Union[bool, _NotSetType] = ...,
         allow_merge_commit: Union[bool, _NotSetType] = ...,
         allow_rebase_merge: Union[bool, _NotSetType] = ...,
+        delete_branch_on_merge: Union[bool, _NotSetType] = ...,
     ) -> Repository: ...
     @property
     def created_at(self) -> datetime: ...

github/Branch.pyi

@@ -42,8 +42,6 @@ class Branch(NonCompletableGithubObject):
         strict: Union[_NotSetType, bool] = ...,
         contexts: Union[List[str], _NotSetType] = ...,
     ) -> None: ...
-    def edit_team_push_restrictions(self, *teams: str) -> None: ...
-    def edit_user_push_restrictions(self, *users: str) -> None: ...
     def get_admin_enforcement(self) -> bool: ...
     def get_protection(self) -> BranchProtection: ...
     def get_required_pull_request_reviews(self) -> RequiredPullRequestReviews: ...

github/CheckSuite.pyi

@@ -1,10 +1,10 @@
 from datetime import datetime
-from typing import Any, Dict, List
+from typing import Any, Dict, List, Union
 
 from github.CheckRun import CheckRun
 from github.GitCommit import GitCommit
 from github.GithubApp import GithubApp
-from github.GithubObject import CompletableGithubObject
+from github.GithubObject import CompletableGithubObject, _NotSetType
 from github.PaginatedList import PaginatedList
 from github.PullRequest import PullRequest
 from github.Repository import Repository
@@ -47,5 +47,8 @@ class CheckSuite(CompletableGithubObject):
     def url(self) -> str: ...
     def rerequest(self) -> bool: ...
     def get_check_runs(
-        self, check_name: str, status: str, filter: str
+        self,
+        check_name: Union[str, _NotSetType] = ...,
+        status: Union[str, _NotSetType] = ...,
+        filter: Union[str, _NotSetType] = ...,
     ) -> PaginatedList[CheckRun]: ...

github/Commit.pyi

@@ -45,8 +45,8 @@ class Commit(CompletableGithubObject):
     def files(self) -> List[File]: ...
     def get_check_suites(
         self,
-        app_id: Union[_NotSetType, int],
-        check_name: Union[_NotSetType, str],
+        app_id: Union[_NotSetType, int] = ...,
+        check_name: Union[_NotSetType, str] = ...,
     ) -> PaginatedList[CheckSuite]: ...
     def get_combined_status(self) -> CommitCombinedStatus: ...
     def get_comments(self) -> PaginatedList[CommitComment]: ...

github/Consts.py

@@ -131,3 +131,15 @@
 
 # https://developer.github.com/changes/2019-12-03-internal-visibility-changes/
 repoVisibilityPreview = "application/vnd.github.nebula-preview+json"
+
+DEFAULT_BASE_URL = "https://api.github.com"
+DEFAULT_STATUS_URL = "https://status.github.com"
+# As of 2018-05-17, Github imposes a 10s limit for completion of API requests.
+# Thus, the timeout should be slightly > 10s to account for network/front-end
+# latency.
+DEFAULT_TIMEOUT = 15
+DEFAULT_PER_PAGE = 30
+
+# JWT expiry in seconds. Could be set for max 600 seconds (10 minutes).
+# https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-a-github-app
+JWT_EXPIRY = 60

github/GithubIntegration.py

@@ -0,0 +1,198 @@
+import time
+
+import deprecated
+import jwt
+
+from github import Consts
+from github.GithubException import GithubException, UnknownObjectException
+from github.Installation import Installation
+from github.InstallationAuthorization import InstallationAuthorization
+from github.PaginatedList import PaginatedList
+from github.Requester import Requester
+
+
+class GithubIntegration:
+    """
+    Main class to obtain tokens for a GitHub integration.
+    """
+
+    def __init__(
+        self,
+        integration_id,
+        private_key,
+        base_url=Consts.DEFAULT_BASE_URL,
+        jwt_expiry=Consts.JWT_EXPIRY,
+    ):
+        """
+        :param integration_id: int
+        :param private_key: string
+        :param base_url: string
+        :param jwt_expiry: int
+        """
+        assert isinstance(integration_id, (int, str)), integration_id
+        assert isinstance(private_key, str), private_key
+        assert isinstance(base_url, str), base_url
+        assert isinstance(jwt_expiry, int), jwt_expiry
+        assert 15 <= jwt_expiry <= 600, jwt_expiry
+
+        self.base_url = base_url
+        self.integration_id = integration_id
+        self.private_key = private_key
+        self.jwt_expiry = jwt_expiry
+        self.__requester = Requester(
+            login_or_token=None,
+            password=None,
+            jwt=self.create_jwt(),
+            app_id=None,
+            app_private_key=None,
+            app_installation_id=None,
+            app_token_permissions=None,
+            base_url=self.base_url,
+            timeout=Consts.DEFAULT_TIMEOUT,
+            user_agent="PyGithub/Python",
+            per_page=Consts.DEFAULT_PER_PAGE,
+            verify=True,
+            retry=None,
+            pool_size=None,
+        )
+
+    def _get_headers(self):
+        """
+        Get headers for the requests.
+
+        :return: dict
+        """
+        return {
+            "Authorization": f"Bearer {self.create_jwt()}",
+            "Accept": Consts.mediaTypeIntegrationPreview,
+            "User-Agent": "PyGithub/Python",
+        }
+
+    def _get_installed_app(self, url):
+        """
+        Get installation for the given URL.
+
+        :param url: str
+        :rtype: :class:`github.Installation.Installation`
+        """
+        try:
+            headers, response = self.__requester.requestJsonAndCheck(
+                "GET", url, headers=self._get_headers()
+            )
+        except UnknownObjectException:
+            raise
+        except GithubException:
+            raise
+        return Installation(
+            requester=self.__requester,
+            headers=headers,
+            attributes=response,
+            completed=True,
+        )
+
+    def create_jwt(self):
+        """
+        Creates a signed JWT, valid for 60 seconds by default. Could be set to a maximum of 600 seconds.
+        https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-a-github-app
+
+        :return string:
+        """
+        now = int(time.time())
+        payload = {"iat": now, "exp": now + self.jwt_expiry, "iss": self.integration_id}
+        encrypted = jwt.encode(payload, key=self.private_key, algorithm="RS256")
+
+        if isinstance(encrypted, bytes):
+            encrypted = encrypted.decode("utf-8")
+
+        return encrypted
+
+    def get_access_token(self, installation_id, permissions=None):
+        """
+        :calls: `POST /app/installations/{installation_id}/access_tokens <https://docs.github.com/en/rest/apps/apps#create-an-installation-access-token-for-an-app>`
+        :param installation_id: int
+        :param permissions: dict
+        :return: :class:`github.InstallationAuthorization.InstallationAuthorization`
+        """
+        if permissions is None:
+            permissions = {}
+
+        if not isinstance(permissions, dict):
+            raise GithubException(
+                status=400, data={"message": "Invalid permissions"}, headers=None
+            )
+
+        body = {"permissions": permissions}
+        try:
+            headers, response = self.__requester.requestJsonAndCheck(
+                "POST",
+                f"/app/installations/{installation_id}/access_tokens",
+                input=body,
+            )
+        except UnknownObjectException:
+            raise
+        except GithubException:
+            raise
+
+        return InstallationAuthorization(
+            requester=self.__requester,
+            headers=headers,
+            attributes=response,
+            completed=True,
+        )
+
+    @deprecated.deprecated("Use get_repo_installation")
+    def get_installation(self, owner, repo):
+        """
+        :calls: `GET /repos/{owner}/{repo}/installation <https://docs.github.com/en/rest/reference/apps#get-a-repository-installation-for-the-authenticated-app>`
+        :param owner: str
+        :param repo: str
+        :rtype: :class:`github.Installation.Installation`
+        """
+        return self._get_installed_app(url=f"/repos/{owner}/{repo}/installation")
+
+    def get_installations(self):
+        """
+        :calls: GET /app/installations <https://docs.github.com/en/rest/reference/apps#list-installations-for-the-authenticated-app>
+        :rtype: :class:`github.PaginatedList.PaginatedList[github.Installation.Installation]`
+        """
+        return PaginatedList(
+            contentClass=Installation,
+            requester=self.__requester,
+            firstUrl="/app/installations",
+            firstParams=None,
+            headers=self._get_headers(),
+            list_item="installations",
+        )
+
+    def get_org_installation(self, org):
+        """
+        :calls: `GET /orgs/{org}/installation <https://docs.github.com/en/rest/apps/apps#get-an-organization-installation-for-the-authenticated-app>`
+        :param org: str
+        :rtype: :class:`github.Installation.Installation`
+        """
+        return self._get_installed_app(url=f"/orgs/{org}/installation")
+
+    def get_repo_installation(self, owner, repo):
+        """
+        :calls: `GET /repos/{owner}/{repo}/installation <https://docs.github.com/en/rest/reference/apps#get-a-repository-installation-for-the-authenticated-app>`
+        :param owner: str
+        :param repo: str
+        :rtype: :class:`github.Installation.Installation`
+        """
+        return self._get_installed_app(url=f"/repos/{owner}/{repo}/installation")
+
+    def get_user_installation(self, username):
+        """
+        :calls: `GET /users/{username}/installation <https://docs.github.com/en/rest/apps/apps#get-a-user-installation-for-the-authenticated-app>`
+        :param username: str
+        :rtype: :class:`github.Installation.Installation`
+        """
+        return self._get_installed_app(url=f"/users/{username}/installation")
+
+    def get_app_installation(self, installation_id):
+        """
+        :calls: `GET /app/installations/{installation_id} <https://docs.github.com/en/rest/apps/apps#get-an-installation-for-the-authenticated-app>`
+        :param installation_id: int
+        :rtype: :class:`github.Installation.Installation`
+        """
+        return self._get_installed_app(url=f"/app/installations/{installation_id}")

github/GithubIntegration.pyi

@@ -0,0 +1,26 @@
+from typing import Union, Optional
+
+from github.Installation import Installation
+from github.InstallationAuthorization import InstallationAuthorization
+from github.PaginatedList import PaginatedList
+
+class GithubIntegration:
+    def __init__(
+        self,
+        integration_id: Union[int, str],
+        private_key: str,
+        base_url: str = ...,
+        jwt_expiry: int = ...,
+    ) -> None: ...
+    def _get_installed_app(self, url: str) -> Installation: ...
+    def _get_headers(self) -> dict: ...
+    def create_jwt(self, expiration: int = ...) -> str: ...
+    def get_access_token(
+        self, installation_id: int, permissions: Optional[dict] = ...
+    ) -> InstallationAuthorization: ...
+    def get_app_installation(self, installation_id: int) -> Installation: ...
+    def get_installation(self, owner: str, repo: str) -> Installation: ...
+    def get_installations(self) -> PaginatedList[Installation]: ...
+    def get_org_installation(self, org: str) -> Installation: ...
+    def get_repo_installation(self, owner: str, repo: str) -> Installation: ...
+    def get_user_installation(self, username: str) -> Installation: ...

github/GithubObject.pyi

@@ -1,11 +1,6 @@
 from typing import Any, Callable, Dict, List, Optional, Type, Union
 
-from github.Commit import Commit
 from github.GistFile import GistFile
-from github.GitRelease import GitRelease
-from github.NamedUser import NamedUser
-from github.Organization import Organization
-from github.PullRequestReview import PullRequestReview
 from github.Requester import Requester
 
 class GithubObject:
@@ -108,7 +103,7 @@ class CompletableGithubObject(GithubObject):
     def _completeIfNotSet(
         self, value: Union[_ValuedAttribute, _BadAttribute, _NotSetType]
     ) -> None: ...
-    def update(self) -> bool: ...
+    def update(self, additional_headers: Optional[Dict[str, str]] = ...) -> bool: ...
 
 class _BadAttribute:
     def __init__(
@@ -120,5 +115,7 @@ class _BadAttribute:
 class _NotSetType:
     def __repr__(self) -> str: ...
 
+NotSet: _NotSetType
+
 class _ValuedAttribute:
     def __init__(self, value: Any) -> None: ...

github/InstallationAuthorization.py

@@ -57,10 +57,26 @@ def on_behalf_of(self):
         """
         return self._on_behalf_of.value
 
+    @property
+    def permissions(self):
+        """
+        :type: dict
+        """
+        return self._permissions.value
+
+    @property
+    def repository_selection(self):
+        """
+        :type: string
+        """
+        return self._repository_selection.value
+
     def _initAttributes(self):
         self._token = github.GithubObject.NotSet
         self._expires_at = github.GithubObject.NotSet
         self._on_behalf_of = github.GithubObject.NotSet
+        self._permissions = github.GithubObject.NotSet
+        self._repository_selection = github.GithubObject.NotSet
 
     def _useAttributes(self, attributes):
         if "token" in attributes:  # pragma no branch
@@ -71,3 +87,9 @@ def _useAttributes(self, attributes):
             self._on_behalf_of = self._makeClassAttribute(
                 github.NamedUser.NamedUser, attributes["on_behalf_of"]
             )
+        if "permissions" in attributes:  # pragma no branch
+            self._permissions = self._makeDictAttribute(attributes["permissions"])
+        if "repository_selection" in attributes:  # pragma no branch
+            self._repository_selection = self._makeStringAttribute(
+                attributes["repository_selection"]
+            )

github/InstallationAuthorization.pyi

@@ -14,3 +14,7 @@ class InstallationAuthorization(NonCompletableGithubObject):
     def on_behalf_of(self) -> NamedUser: ...
     @property
     def token(self) -> str: ...
+    @property
+    def permissions(self) -> dict: ...
+    @property
+    def repository_selection(self) -> str: ...