[BB-508] baton-github: use github app to sync

go.mod

@@ -8,6 +8,7 @@ require (
 	github.com/conductorone/baton-sdk v0.3.8
 	github.com/deckarep/golang-set/v2 v2.7.0
 	github.com/ennyjfrick/ruleguard-logfatal v0.0.2
+	github.com/golang-jwt/jwt/v5 v5.2.2
 	github.com/google/go-github/v63 v63.0.0
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
 	github.com/migueleliasweb/go-github-mock v0.0.23

go.sum

@@ -116,6 +116,8 @@ github.com/go-toolsmith/astequal v1.0.3 h1:+LVdyRatFS+XO78SGV4I3TCEA0AC7fKEGma+f
 github.com/go-toolsmith/astequal v1.0.3/go.mod h1:9Ai4UglvtR+4up+bAD4+hCj7iTo4m/OXVTSLnCyTAx4=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
+github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=

pkg/config/config.go

@@ -8,7 +8,6 @@ var (
 	accessTokenField = field.StringField(
 		"token",
 		field.WithDescription("The GitHub access token used to connect to the GitHub API."),
-		field.WithRequired(true),
 	)
 	orgsField = field.StringSliceField(
 		"orgs",
@@ -18,11 +17,31 @@ var (
 		"instance-url",
 		field.WithDescription(`The GitHub instance URL to connect to. (default "https://github.com")`),
 	)
+	appIDField = field.StringField(
+		"app-id",
+		field.WithDescription("The GitHub App to connect to."),
+	)
+	appPrivateKey = field.StringField(
+		"app-privatekey",
+		field.WithDescription("The private key used to connect to the GitHub App"),
+	)
+	fieldRelationships = []field.SchemaFieldRelationship{
+		field.FieldsAtLeastOneUsed(
+			accessTokenField,
+			appPrivateKey,
+		),
+		field.FieldsRequiredTogether(
+			appPrivateKey,
+			appIDField,
+		),
+	}
 )
 
 //go:generate go run ./gen
 var Config = field.NewConfiguration([]field.SchemaField{
 	accessTokenField,
 	orgsField,
 	instanceUrlField,
-})
+	appIDField,
+	appPrivateKey,
+}, fieldRelationships...)

pkg/connector/connector.go

@@ -2,16 +2,24 @@ package connector
 
 import (
 	"context"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/json"
+	"encoding/pem"
+	"errors"
 	"fmt"
+	"io"
 	"net/http"
 	"net/url"
 	"strings"
+	"time"
 
 	cfg "github.com/conductorone/baton-github/pkg/config"
 	v2 "github.com/conductorone/baton-sdk/pb/c1/connector/v2"
 	"github.com/conductorone/baton-sdk/pkg/annotations"
 	"github.com/conductorone/baton-sdk/pkg/connectorbuilder"
 	"github.com/conductorone/baton-sdk/pkg/uhttp"
+	jwtv5 "github.com/golang-jwt/jwt/v5"
 	"github.com/google/go-github/v63/github"
 	"github.com/grpc-ecosystem/go-grpc-middleware/logging/zap/ctxzap"
 	"github.com/shurcooL/githubv4"
@@ -58,14 +66,24 @@ type GitHub struct {
 	graphqlClient  *githubv4.Client
 	hasSAMLEnabled *bool
 	orgCache       *orgNameCache
+	app            gitHubApp
+}
+
+// gitHubApp has app clients that are used by the GitHub App.
+// Each app has a single JWT token shared across all organizations.
+// However, each organization has its own unique installation token.
+type gitHubApp struct {
+	appJWTClient          *github.Client
+	appInstallationClient map[int64]*github.Client
+	graphqlClient         map[int64]*githubv4.Client
 }
 
 func (gh *GitHub) ResourceSyncers(ctx context.Context) []connectorbuilder.ResourceSyncer {
 	return []connectorbuilder.ResourceSyncer{
-		orgBuilder(gh.client, gh.orgCache, gh.orgs),
-		teamBuilder(gh.client, gh.orgCache),
-		userBuilder(gh.client, gh.hasSAMLEnabled, gh.graphqlClient, gh.orgCache),
-		repositoryBuilder(gh.client, gh.orgCache),
+		orgBuilder(gh.client, gh.app, gh.orgCache, gh.orgs),
+		teamBuilder(gh.client, gh.app, gh.orgCache),
+		userBuilder(gh.client, gh.app, gh.hasSAMLEnabled, gh.graphqlClient, gh.orgCache),
+		repositoryBuilder(gh.client, gh.app, gh.orgCache),
 	}
 }
 
@@ -78,6 +96,10 @@ func (gh *GitHub) Metadata(ctx context.Context) (*v2.ConnectorMetadata, error) {
 
 // Validate hits the GitHub API to validate that the configured credentials are still valid.
 func (gh *GitHub) Validate(ctx context.Context) (annotations.Annotations, error) {
+	if gh.app.appJWTClient != nil {
+		return gh.validateAppCredentials(ctx)
+	}
+
 	page := 0
 	orgLogins := gh.orgs
 	filterOrgs := true
@@ -99,7 +121,6 @@ func (gh *GitHub) Validate(ctx context.Context) (annotations.Annotations, error)
 			if resp.NextPage == 0 {
 				break
 			}
-
 			page = resp.NextPage
 		}
 	}
@@ -132,6 +153,62 @@ func (gh *GitHub) Validate(ctx context.Context) (annotations.Annotations, error)
 	return nil, nil
 }
 
+func (gh *GitHub) validateAppCredentials(ctx context.Context) (annotations.Annotations, error) {
+	iResp, err := getAllInstallations(ctx, gh.app.appJWTClient)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, o := range gh.orgs {
+		if _, ok := iResp.accountNames[o]; !ok {
+			return nil, fmt.Errorf("access token must be an admin on the %s organization", o)
+		}
+	}
+	return nil, nil
+}
+
+type getAllInstallationsResp struct {
+	installationIDs map[int64]*github.Installation
+	accountIDs      map[int64]struct{}
+	accountNames    map[string]struct{}
+}
+
+func getAllInstallations(ctx context.Context, c *github.Client) (getAllInstallationsResp, error) {
+	var (
+		AccountIDMap                  = make(map[int64]struct{})
+		installationsIDToInstallation = make(map[int64]*github.Installation)
+		AccountNameMap                = make(map[string]struct{})
+		page                          = 0
+	)
+	for {
+		installations, resp, err := c.Apps.ListInstallations(ctx, &github.ListOptions{Page: page})
+		if err != nil {
+			return getAllInstallationsResp{}, fmt.Errorf("github-connector: failed to retrieve org: %w", err)
+		}
+		if resp.StatusCode == http.StatusUnauthorized {
+			return getAllInstallationsResp{}, status.Error(codes.Unauthenticated, "github token is not authorized")
+		}
+		for _, installation := range installations {
+			if installation.GetAccount().GetType() != "Organization" {
+				continue
+			}
+			installationsIDToInstallation[installation.GetID()] = installation
+			AccountIDMap[installation.GetAccount().GetID()] = struct{}{}
+			AccountNameMap[installation.GetAccount().GetLogin()] = struct{}{}
+		}
+
+		if resp.NextPage == 0 {
+			break
+		}
+		page = resp.NextPage
+	}
+	return getAllInstallationsResp{
+		installationIDs: installationsIDToInstallation,
+		accountIDs:      AccountIDMap,
+		accountNames:    AccountNameMap,
+	}, nil
+}
+
 // newGitHubClient returns a new GitHub API client authenticated with an access token via oauth2.
 func newGitHubClient(ctx context.Context, instanceURL string, accessToken string) (*github.Client, error) {
 	httpClient, err := uhttp.NewClient(ctx, uhttp.WithLogger(true, ctxzap.Extract(ctx)))
@@ -157,6 +234,19 @@ func newGitHubClient(ctx context.Context, instanceURL string, accessToken string
 
 // New returns the GitHub connector configured to sync against the instance URL.
 func New(ctx context.Context, ghc *cfg.Github) (*GitHub, error) {
+	if ghc.Token == "" {
+		app, err := newAppClient(ctx, ghc)
+		if err != nil {
+			return nil, err
+		}
+		return &GitHub{
+			instanceURL: ghc.InstanceUrl,
+			orgs:        ghc.Orgs,
+			app:         app,
+			orgCache:    newOrgNameCache(nil, app.appInstallationClient),
+		}, nil
+	}
+
 	client, err := newGitHubClient(ctx, ghc.InstanceUrl, ghc.Token)
 	if err != nil {
 		return nil, err
@@ -170,12 +260,56 @@ func New(ctx context.Context, ghc *cfg.Github) (*GitHub, error) {
 		instanceURL:   ghc.InstanceUrl,
 		orgs:          ghc.Orgs,
 		graphqlClient: graphqlClient,
-		orgCache:      newOrgNameCache(client),
+		orgCache:      newOrgNameCache(client, nil),
 	}
 
 	return gh, nil
 }
 
+func newAppClient(ctx context.Context, ghc *cfg.Github) (gitHubApp, error) {
+	key, err := loadPrivateKeyFromString(ghc.AppPrivatekey)
+	if err != nil {
+		return gitHubApp{}, err
+	}
+	now := time.Now()
+	token, err := jwtv5.NewWithClaims(jwtv5.SigningMethodRS256, jwtv5.MapClaims{
+		"iat": now.Unix() - 60,                  // issued at
+		"exp": now.Add(time.Minute * 10).Unix(), // expires
+		"iss": ghc.AppId,                        // GitHub App ID
+	}).SignedString(key)
+	if err != nil {
+		return gitHubApp{}, err
+	}
+
+	client, err := newGitHubClient(ctx, ghc.InstanceUrl, token)
+	if err != nil {
+		return gitHubApp{}, err
+	}
+
+	iResp, err := getAllInstallations(ctx, client)
+	if err != nil {
+		return gitHubApp{}, err
+	}
+
+	var (
+		installationsClient   = make(map[int64]*github.Client, len(iResp.installationIDs))
+		installationsGLClient = make(map[int64]*githubv4.Client, len(iResp.accountIDs))
+	)
+	for id, installation := range iResp.installationIDs {
+		c, glc, err := getInstallationClient(ctx, ghc.InstanceUrl, id, token)
+		if err != nil {
+			return gitHubApp{}, err
+		}
+		installationsClient[installation.GetAccount().GetID()] = c
+		installationsGLClient[installation.GetAccount().GetID()] = glc
+	}
+	return gitHubApp{
+		appJWTClient:          client,
+		appInstallationClient: installationsClient,
+		graphqlClient:         installationsGLClient,
+	}, nil
+}
+
 func newGitHubGraphqlClient(ctx context.Context, instanceURL string, accessToken string) (*githubv4.Client, error) {
 	httpClient, err := uhttp.NewClient(ctx, uhttp.WithLogger(true, ctxzap.Extract(ctx)))
 	if err != nil {
@@ -203,3 +337,62 @@ func newGitHubGraphqlClient(ctx context.Context, instanceURL string, accessToken
 
 	return githubv4.NewClient(tc), nil
 }
+
+func loadPrivateKeyFromString(p string) (*rsa.PrivateKey, error) {
+	block, _ := pem.Decode([]byte(p))
+	if block == nil || (block.Type != "PRIVATE KEY" && block.Type != "RSA PRIVATE KEY") {
+		return nil, errors.New("invalid private key PEM format")
+	}
+
+	// PKCS8 format
+	if block.Type == "PRIVATE KEY" {
+		key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
+		if err != nil {
+			return nil, err
+		}
+		rsaKey, ok := key.(*rsa.PrivateKey)
+		if !ok {
+			return nil, errors.New("not an RSA private key")
+		}
+		return rsaKey, nil
+	}
+
+	// PKCS1 format
+	return x509.ParsePKCS1PrivateKey(block.Bytes)
+}
+
+func getInstallationClient(ctx context.Context, instanceURL string, orgId int64, jwtToken string) (*github.Client, *githubv4.Client, error) {
+	url := fmt.Sprintf("https://api.github.com/app/installations/%d/access_tokens", orgId)
+	req, _ := http.NewRequestWithContext(ctx, http.MethodPost, url, nil)
+	req.Header.Set("Authorization", "Bearer "+jwtToken)
+	req.Header.Set("Accept", "application/vnd.github+json")
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return nil, nil, err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusCreated {
+		body, _ := io.ReadAll(resp.Body)
+		return nil, nil, fmt.Errorf("GitHub API error: %s", body)
+	}
+
+	var result struct {
+		Token string `json:"token"`
+	}
+	err = json.NewDecoder(resp.Body).Decode(&result)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	client, err := newGitHubClient(ctx, instanceURL, result.Token)
+	if err != nil {
+		return nil, nil, err
+	}
+	gcclient, err := newGitHubGraphqlClient(ctx, instanceURL, result.Token)
+	if err != nil {
+		return nil, nil, err
+	}
+	return client, gcclient, nil
+}