[BB-508] baton-github: use github app to sync

Author: Bencheng21

go.mod

@@ -8,6 +8,7 @@ require (
 	github.com/conductorone/baton-sdk v0.3.8
 	github.com/deckarep/golang-set/v2 v2.7.0
 	github.com/ennyjfrick/ruleguard-logfatal v0.0.2
+	github.com/golang-jwt/jwt/v5 v5.2.2
 	github.com/google/go-github/v63 v63.0.0
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
 	github.com/migueleliasweb/go-github-mock v0.0.23

go.sum

@@ -116,6 +116,8 @@ github.com/go-toolsmith/astequal v1.0.3 h1:+LVdyRatFS+XO78SGV4I3TCEA0AC7fKEGma+f
 github.com/go-toolsmith/astequal v1.0.3/go.mod h1:9Ai4UglvtR+4up+bAD4+hCj7iTo4m/OXVTSLnCyTAx4=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
+github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=

pkg/config/conf.gen.go

@@ -1,14 +1,15 @@
 package config
 
 import (
+	"fmt"
+
 	"github.com/conductorone/baton-sdk/pkg/field"
 )
 
 var (
 	accessTokenField = field.StringField(
 		"token",
 		field.WithDescription("The GitHub access token used to connect to the GitHub API."),
-		field.WithRequired(true),
 	)
 	orgsField = field.StringSliceField(
 		"orgs",
@@ -18,11 +19,30 @@ var (
 		"instance-url",
 		field.WithDescription(`The GitHub instance URL to connect to. (default "https://github.com")`),
 	)
+	appIDField = field.StringField(
+		"app-id",
+		field.WithDescription("The GitHub App to connect to."),
+	)
+	appPrivateKey = field.StringField(
+		"app-privatekey",
+		field.WithDescription("The private key used to connect to the GitHub App"),
+	)
 )
 
 //go:generate go run ./gen
 var Config = field.NewConfiguration([]field.SchemaField{
 	accessTokenField,
 	orgsField,
 	instanceUrlField,
+	appIDField,
+	appPrivateKey,
 })
+
+func ValidateConfig(cfg *Github) error {
+	apiKey := cfg.GetString(accessTokenField.FieldName)
+	appKey := cfg.GetString(appIDField.FieldName)
+	if len(apiKey) == 0 && len(appKey) == 0 {
+		return fmt.Errorf("api-key or app-privatekey is missing")
+	}
+	return nil
+}

pkg/config/config.go

@@ -2,16 +2,24 @@ package connector
 
 import (
 	"context"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/json"
+	"encoding/pem"
+	"errors"
 	"fmt"
+	"io"
 	"net/http"
 	"net/url"
 	"strings"
+	"time"
 
 	cfg "github.com/conductorone/baton-github/pkg/config"
 	v2 "github.com/conductorone/baton-sdk/pb/c1/connector/v2"
 	"github.com/conductorone/baton-sdk/pkg/annotations"
 	"github.com/conductorone/baton-sdk/pkg/connectorbuilder"
 	"github.com/conductorone/baton-sdk/pkg/uhttp"
+	jwtv5 "github.com/golang-jwt/jwt/v5"
 	"github.com/google/go-github/v63/github"
 	"github.com/grpc-ecosystem/go-grpc-middleware/logging/zap/ctxzap"
 	"github.com/shurcooL/githubv4"
@@ -54,6 +62,7 @@ var (
 type GitHub struct {
 	orgs           []string
 	client         *github.Client
+	appClient      *github.Client
 	instanceURL    string
 	graphqlClient  *githubv4.Client
 	hasSAMLEnabled *bool
@@ -62,7 +71,7 @@ type GitHub struct {
 
 func (gh *GitHub) ResourceSyncers(ctx context.Context) []connectorbuilder.ResourceSyncer {
 	return []connectorbuilder.ResourceSyncer{
-		orgBuilder(gh.client, gh.orgCache, gh.orgs),
+		orgBuilder(gh.client, gh.appClient, gh.orgCache, gh.orgs),
 		teamBuilder(gh.client, gh.orgCache),
 		userBuilder(gh.client, gh.hasSAMLEnabled, gh.graphqlClient, gh.orgCache),
 		repositoryBuilder(gh.client, gh.orgCache),
@@ -78,6 +87,10 @@ func (gh *GitHub) Metadata(ctx context.Context) (*v2.ConnectorMetadata, error) {
 
 // Validate hits the GitHub API to validate that the configured credentials are still valid.
 func (gh *GitHub) Validate(ctx context.Context) (annotations.Annotations, error) {
+	if gh.appClient != nil {
+		return gh.validateAppCredentials(ctx)
+	}
+
 	page := 0
 	orgLogins := gh.orgs
 	filterOrgs := true
@@ -99,7 +112,6 @@ func (gh *GitHub) Validate(ctx context.Context) (annotations.Annotations, error)
 			if resp.NextPage == 0 {
 				break
 			}
-
 			page = resp.NextPage
 		}
 	}
@@ -132,6 +144,40 @@ func (gh *GitHub) Validate(ctx context.Context) (annotations.Annotations, error)
 	return nil, nil
 }
 
+func (gh *GitHub) validateAppCredentials(ctx context.Context) (annotations.Annotations, error) {
+	page := 0
+	orgLogins := gh.orgs
+
+	installationsMap := make(map[string]struct{})
+	for {
+		installations, resp, err := gh.appClient.Apps.ListInstallations(ctx, &github.ListOptions{Page: page})
+		if err != nil {
+			return nil, fmt.Errorf("github-connector: failed to retrieve org: %w", err)
+		}
+		if resp.StatusCode == http.StatusUnauthorized {
+			return nil, status.Error(codes.Unauthenticated, "github token is not authorized")
+		}
+		for _, installation := range installations {
+			if installation.Account == nil {
+				continue
+			}
+			installationsMap[installation.Account.GetLogin()] = struct{}{}
+		}
+
+		if resp.NextPage == 0 {
+			break
+		}
+		page = resp.NextPage
+	}
+
+	for _, o := range orgLogins {
+		if _, ok := installationsMap[o]; !ok {
+			return nil, fmt.Errorf("access token must be an admin on the %s organization", o)
+		}
+	}
+	return nil, nil
+}
+
 // newGitHubClient returns a new GitHub API client authenticated with an access token via oauth2.
 func newGitHubClient(ctx context.Context, instanceURL string, accessToken string) (*github.Client, error) {
 	httpClient, err := uhttp.NewClient(ctx, uhttp.WithLogger(true, ctxzap.Extract(ctx)))
@@ -157,22 +203,35 @@ func newGitHubClient(ctx context.Context, instanceURL string, accessToken string
 
 // New returns the GitHub connector configured to sync against the instance URL.
 func New(ctx context.Context, ghc *cfg.Github) (*GitHub, error) {
-	client, err := newGitHubClient(ctx, ghc.InstanceUrl, ghc.Token)
+	jwttoken, token, err := getClientToken(ghc)
+	if err != nil {
+		return nil, err
+	}
+
+	client, err := newGitHubClient(ctx, ghc.InstanceUrl, token)
 	if err != nil {
 		return nil, err
 	}
-	graphqlClient, err := newGitHubGraphqlClient(ctx, ghc.InstanceUrl, ghc.Token)
+	graphqlClient, err := newGitHubGraphqlClient(ctx, ghc.InstanceUrl, token)
 	if err != nil {
 		return nil, err
 	}
+
+	var appClient *github.Client
+	if jwttoken != "" {
+		appClient, err = newGitHubClient(ctx, ghc.InstanceUrl, jwttoken)
+		if err != nil {
+			return nil, err
+		}
+	}
 	gh := &GitHub{
 		client:        client,
+		appClient:     appClient,
 		instanceURL:   ghc.InstanceUrl,
 		orgs:          ghc.Orgs,
 		graphqlClient: graphqlClient,
 		orgCache:      newOrgNameCache(client),
 	}
-
 	return gh, nil
 }
 
@@ -203,3 +262,72 @@ func newGitHubGraphqlClient(ctx context.Context, instanceURL string, accessToken
 
 	return githubv4.NewClient(tc), nil
 }
+
+func loadPrivateKeyFromString(p string) (*rsa.PrivateKey, error) {
+	block, _ := pem.Decode([]byte(p))
+	if block == nil || (block.Type != "PRIVATE KEY" && block.Type != "RSA PRIVATE KEY") {
+		return nil, errors.New("invalid private key PEM format")
+	}
+
+	// PKCS8 format
+	if block.Type == "PRIVATE KEY" {
+		key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
+		if err != nil {
+			return nil, err
+		}
+		rsaKey, ok := key.(*rsa.PrivateKey)
+		if !ok {
+			return nil, errors.New("not an RSA private key")
+		}
+		return rsaKey, nil
+	}
+
+	// PKCS1 format
+	return x509.ParsePKCS1PrivateKey(block.Bytes)
+}
+
+// getClientToken returns
+// 1. fine-grained personal access tokens if any.
+// 2. (JWT token, installation access tokens) if using github app.
+func getClientToken(ghc *cfg.Github) (string, string, error) {
+	if ghc.Token != "" {
+		return "", ghc.Token, nil
+	}
+
+	key, err := loadPrivateKeyFromString(ghc.AppPrivatekey)
+	if err != nil {
+		return "", "", err
+	}
+	now := time.Now()
+	token, err := jwtv5.NewWithClaims(jwtv5.SigningMethodRS256, jwtv5.MapClaims{
+		"iat": now.Unix() - 60,                  // issued at
+		"exp": now.Add(time.Minute * 10).Unix(), // expires
+		"iss": ghc.AppId,                        // GitHub App ID
+	}).SignedString(key)
+	if err != nil {
+		return "", "", err
+	}
+
+	url := fmt.Sprintf("https://api.github.com/app/installations/%s/access_tokens", "67110013")
+
+	req, _ := http.NewRequest("POST", url, nil)
+	req.Header.Set("Authorization", "Bearer "+token)
+	req.Header.Set("Accept", "application/vnd.github+json")
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return "", "", err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != 201 {
+		body, _ := io.ReadAll(resp.Body)
+		return "", "", fmt.Errorf("GitHub API error: %s", body)
+	}
+
+	var result struct {
+		Token string `json:"token"`
+	}
+	err = json.NewDecoder(resp.Body).Decode(&result)
+	return token, result.Token, err
+}