Add command to generate a GitHub app installation access token

Disable the branch-protection command. We don't use it anymore and it's
now dangerous to use because it would override our manualy brancht
protection configuration.

Author: bernd

cmd/github.go

@@ -1,14 +1,11 @@
 package cmd
 
 import (
-	cfg "github.com/Graylog2/graylog-project-cli/config"
+	"fmt"
 	"github.com/Graylog2/graylog-project-cli/gh"
 	"github.com/Graylog2/graylog-project-cli/logger"
-	"github.com/Graylog2/graylog-project-cli/manifest"
-	p "github.com/Graylog2/graylog-project-cli/project"
-	"github.com/Graylog2/graylog-project-cli/utils"
 	"github.com/spf13/cobra"
-	"os"
+	"github.com/spf13/viper"
 )
 
 var githubCmd = &cobra.Command{
@@ -18,105 +15,74 @@ var githubCmd = &cobra.Command{
 	Long: `Management of GitHub projects.
 
 Examples:
-    # Enable branch protection for a GitHub repository branch
-    graylog-project github branch-protection --enable --repo Graylog2/graylog2-server --branch 2.4
-
-    # Disable branch protection for a GitHub repository branch
-    graylog-project github branch-protection --disable --repo Graylog2/graylog2-server --branch 2.4
-
-    # Enable branch protection for all GitHub repositories in the currently checked out manifest
-    graylog-project github branch-protection --enable --manifest --branch 2.4
+    # Create app installation access token for a GitHub org
+    graylog-project github generate-app-token -o GitHub-org-name -a 1234 -k path/to/app/private.key
 `,
 }
 
+var githubAppAccessTokenGenerateCmd = &cobra.Command{
+	Use:     "generate-app-access-token",
+	Aliases: []string{"gaat"},
+	Short:   "Create an access token for an installed GitHub App",
+	Run:     githubAppAccessTokenGenerateCommand,
+}
+
 var githubBranchProtectionCmd = &cobra.Command{
 	Use:     "branch-protection",
 	Aliases: []string{"bp"},
 	Short:   "Manages the branch protection for a repository",
-	Run:     githubBranchProtectionCommand,
+	Hidden:  true,
+	Run: func(cmd *cobra.Command, args []string) {
+		logger.Fatal("This command is deprecated and doesn't work anymore.")
+	},
 }
 
-var githubBPEnable bool
-var githubBPDisable bool
-var githubBPManifest bool
-var githubBPDryRun bool
-var githubRepository string
-var githubRepositoryBranch string
-
 func init() {
+	githubAppAccessTokenGenerateCmd.Flags().StringP("app-id", "a", "", "the GitHub app ID (env: GPC_GITHUB_APP_ID)")
+	githubAppAccessTokenGenerateCmd.Flags().StringP("key", "k", "", "path to the private key to use for token generation (env: GPC_GITHUB_APP_KEY)")
+	githubAppAccessTokenGenerateCmd.Flags().StringP("org", "o", "", "GitHub org for the generated token (app needs to be installed in the org) (env: GPC_GITHUB_ORG)")
+
+	viper.BindPFlag("github.app-id", githubAppAccessTokenGenerateCmd.Flags().Lookup("app-id"))
+	viper.BindPFlag("github.app-key", githubAppAccessTokenGenerateCmd.Flags().Lookup("key"))
+	viper.BindPFlag("github.org", githubAppAccessTokenGenerateCmd.Flags().Lookup("org"))
+
+	viper.MustBindEnv("github.app-id", "GPC_GITHUB_APP_ID")
+	viper.MustBindEnv("github.app-key", "GPC_GITHUB_APP_KEY")
+	viper.MustBindEnv("github.org", "GPC_GITHUB_ORG")
+
+	githubCmd.AddCommand(githubAppAccessTokenGenerateCmd)
 	githubCmd.AddCommand(githubBranchProtectionCmd)
 	RootCmd.AddCommand(githubCmd)
+}
 
-	githubBranchProtectionCmd.Flags().BoolVar(&githubBPEnable, "enable", false, "Enable branch protection for the GitHub repository")
-	githubBranchProtectionCmd.Flags().BoolVar(&githubBPDisable, "disable", false, "Disable branch protection for the GitHub repository")
-	githubBranchProtectionCmd.Flags().BoolVar(&githubBPManifest, "manifest", false, "Toggle branch protection for all repos in the manifest")
-	githubBranchProtectionCmd.Flags().BoolVar(&githubBPDryRun, "dry-run", false, "Don't execute branch protection commands, only show what would be done.")
-	githubBranchProtectionCmd.Flags().StringVarP(&githubRepository, "repo", "r", "", "The GitHub repository name (e.g. Graylog2/graylog2-server")
-	githubBranchProtectionCmd.Flags().StringVarP(&githubRepositoryBranch, "branch", "b", "", "The GitHub repository branch (e.g. master")
+type gitHubCmdConfig struct {
+	GitHub struct {
+		AppID  string `mapstructure:"app-id"`
+		AppKey string `mapstructure:"app-key"`
+		Org    string `mapstructure:"org"`
+	} `mapstructure:"github"`
 }
 
-func githubBranchProtectionCommand(cmd *cobra.Command, args []string) {
-	if !githubBPEnable && !githubBPDisable {
-		logger.Fatal("ERROR: You need to use the --enable or --disable flag")
+func githubAppAccessTokenGenerateCommand(cmd *cobra.Command, args []string) {
+	var cfg gitHubCmdConfig
+	if err := viper.Unmarshal(&cfg); err != nil {
+		logger.Fatal("Couldn't deserialize config: %s", err.Error())
 	}
-	if githubRepositoryBranch == "" {
-		logger.Fatal("--branch flag must be set")
-	}
-
-	if githubBPManifest {
-		config := cfg.Get()
-		manifestFiles := manifest.ReadState().Files()
-		project := p.New(config, manifestFiles)
 
-		p.ForEachSelectedModule(project, func(module p.Module) {
-			url, err := utils.ParseGitHubURL(module.Repository)
-			if err != nil {
-				logger.Fatal("ERROR: %s", err)
-			}
-			toggleGitHubBranchProtection(url.Repository)
-		})
-	} else {
-		if githubRepository == "" {
-			logger.Fatal("--repo flag must be set")
-		}
-		toggleGitHubBranchProtection(githubRepository)
+	if cfg.GitHub.AppID == "" {
+		exitWithUsage(cmd, "Missing app ID flag")
 	}
-}
-
-func toggleGitHubBranchProtection(repo string) {
-	accessToken := os.Getenv("GPC_GITHUB_TOKEN")
-
-	if accessToken == "" {
-		logger.Fatal("ERROR: Missing GPC_GITHUB_TOKEN environment variable")
+	if cfg.GitHub.AppKey == "" {
+		exitWithUsage(cmd, "Missing app key flag")
+	}
+	if cfg.GitHub.Org == "" {
+		exitWithUsage(cmd, "Missing GitHub org flag")
 	}
 
-	owner, name, err := gh.SplitRepoString(repo)
+	token, err := gh.GenerateAppToken(cfg.GitHub.Org, cfg.GitHub.AppID, cfg.GitHub.AppKey)
 	if err != nil {
 		logger.Fatal("ERROR: %s", err)
 	}
 
-	branch := githubRepositoryBranch
-	client := gh.NewGitHubClient(accessToken)
-
-	if githubBPEnable {
-		if !githubBPDryRun {
-			logger.Info("Adding branch protection from GitHub repository: %s/%s@%s", owner, name, branch)
-			if err := client.EnableBranchProtection(owner, name, branch); err != nil {
-				logger.Fatal("ERROR: Unable to enable branch protection for %s/%s@%s: %s",
-					owner, name, branch, err)
-			}
-		} else {
-			logger.Info("Would add branch protection from GitHub repository: %s/%s@%s", owner, name, branch)
-		}
-	} else if githubBPDisable {
-		if !githubBPDryRun {
-			logger.Info("Removing branch protection from GitHub repository: %s/%s@%s", owner, name, branch)
-			if err := client.DisableBranchProtection(owner, name, branch); err != nil {
-				logger.Fatal("ERROR: Unable to disable branch protection for %s/%s@%s: %s",
-					owner, name, branch, err)
-			}
-		} else {
-			logger.Info("Would remove branch protection from GitHub repository: %s/%s@%s", owner, name, branch)
-		}
-	}
+	fmt.Println(token)
 }

cmd/root.go

@@ -128,3 +128,11 @@ func initConfig() {
 		logger.Debug("Error reading config file: %v", err)
 	}
 }
+
+func exitWithUsage(cmd *cobra.Command, format string, args ...any) {
+	logger.Error(format, args...)
+	if err := cmd.UsageFunc()(cmd); err != nil {
+		logger.Error(err.Error())
+	}
+	os.Exit(1)
+}

gh/app_token.go

@@ -0,0 +1,52 @@
+package gh
+
+import (
+	"context"
+	"fmt"
+	"github.com/golang-jwt/jwt/v4"
+	"os"
+	"time"
+)
+
+// GenerateAppToken creates an access token for the given GitHub app in the given GitHub org. The app must be installed
+// in the org. The returned access token is valid for one hour.
+// (for details see: https://docs.github.com/en/rest/apps/apps#create-an-installation-access-token-for-an-app)
+func GenerateAppToken(org string, appId string, keyFile string) (string, error) {
+	buf, err := os.ReadFile(keyFile)
+	if err != nil {
+		return "", fmt.Errorf("couldn't read key file: %w", err)
+	}
+
+	key, err := jwt.ParseRSAPrivateKeyFromPEM(buf)
+	if err != nil {
+		return "", fmt.Errorf("couldn't parse key: %w", err)
+	}
+
+	now := time.Now()
+
+	token := jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.RegisteredClaims{
+		Issuer:    appId,
+		IssuedAt:  jwt.NewNumericDate(now),
+		ExpiresAt: jwt.NewNumericDate(now.Add(1 * time.Minute)), // We only need it to generate an access token
+	})
+
+	tokenString, err := token.SignedString(key)
+	if err != nil {
+		return "", fmt.Errorf("couldn't sign token: %w", err)
+	}
+
+	ctx := context.Background()
+	github := NewGitHubClient(tokenString)
+
+	installation, _, err := github.client.Apps.FindOrganizationInstallation(ctx, org)
+	if err != nil {
+		return "", fmt.Errorf("couldn't find app installation for org: %w", err)
+	}
+
+	accessToken, _, err := github.client.Apps.CreateInstallationToken(ctx, *installation.ID)
+	if err != nil {
+		return "", fmt.Errorf("couldn't create access token: %w", err)
+	}
+
+	return accessToken.GetToken(), nil
+}

gh/github.go

@@ -24,37 +24,6 @@ func NewGitHubClient(accessToken string) Client {
 	}
 }
 
-func (c Client) EnableBranchProtection(owner string, repo string, branch string) error {
-	request := &github.ProtectionRequest{
-		RequiredStatusChecks: nil,
-		RequiredPullRequestReviews: &github.PullRequestReviewsEnforcementRequest{
-			DismissalRestrictionsRequest: &github.DismissalRestrictionsRequest{
-				Users: &[]string{},
-				Teams: &[]string{},
-			},
-			DismissStaleReviews:          false,
-			RequireCodeOwnerReviews:      false,
-			RequiredApprovingReviewCount: 1,
-		},
-		EnforceAdmins: true,
-		Restrictions:  nil,
-	}
-
-	_, _, err := c.client.Repositories.UpdateBranchProtection(c.ctx, owner, repo, branch, request)
-
-	return err
-}
-
-func (c Client) DisableBranchProtection(owner string, repo string, branch string) error {
-	response, err := c.client.Repositories.RemoveBranchProtection(c.ctx, owner, repo, branch)
-
-	if response != nil && response.StatusCode == 404 {
-		return nil
-	}
-
-	return err
-}
-
 func SplitRepoString(repository string) (string, string, error) {
 	tokens := strings.Split(repository, "/")