Add support functions to authenticate as GitHub App

In particular, this adds a function to obtain the installation access
token for a given repository. This function will be used e.g. to trigger
GitHub workflow runs.

These functions are slightly edited versions of functions that have been
in use in https://github.com/git-for-windows/gfw-helper-github-app for
quite a while. But the test is new.

Signed-off-by: Johannes Schindelin <[email protected]>

Author: dscho

GitGitGadget/gently.js

@@ -0,0 +1,7 @@
+module.exports = (fn, fallback) => {
+    try {
+        return fn()
+    } catch (e) {
+        return fallback
+    }
+}

GitGitGadget/get-installation-access-token.js

@@ -0,0 +1,14 @@
+const getInstallationAccessToken = async (context, installation_id) => {
+    const { gitHubAPIRequestAsApp } = require('./github-api-request-as-app')
+    const answer = await gitHubAPIRequestAsApp(
+        context,
+        'POST',
+        `/app/installations/${installation_id}/access_tokens`)
+    if (answer.error) throw answer.error
+    if (answer.token) return answer.token
+    throw new Error(`Unhandled response:\n${JSON.stringify(answer, null, 2)}`)
+}
+
+module.exports = {
+    getInstallationAccessToken
+}

GitGitGadget/get-installation-id-for-repo.js

@@ -0,0 +1,14 @@
+const getInstallationIdForRepo = async (context, owner, repo) => {
+    const { gitHubAPIRequestAsApp } = require('./github-api-request-as-app')
+    const answer = await gitHubAPIRequestAsApp(
+        context,
+        'GET',
+        `/repos/${owner}/${repo}/installation`
+    )
+    if (answer.error) throw answer.error
+    return answer.id
+}
+
+module.exports = {
+    getInstallationIdForRepo
+}

GitGitGadget/github-api-request-as-app.js

@@ -0,0 +1,47 @@
+const gitHubAPIRequestAsApp = async (context, requestMethod, requestPath, body) => {
+    const header = {
+        "alg": "RS256",
+        "typ": "JWT"
+    }
+
+    const now = Math.floor(new Date().getTime() / 1000)
+
+    const payload = {
+        // issued at time, 60 seconds in the past to allow for clock drift
+        iat: now - 60,
+        // JWT expiration time (10 minute maximum)
+        exp: now + (10 * 60),
+        // GitHub App's identifier
+        iss: process.env['GITHUB_APP_ID']
+    }
+
+    const toBase64 = (obj) => Buffer.from(JSON.stringify(obj), "utf-8").toString("base64url")
+    const headerAndPayload = `${toBase64(header)}.${toBase64(payload)}`
+
+    const privateKey = process.env['GITHUB_APP_PRIVATE_KEY'].replaceAll('\\n', '\n')
+
+    const crypto = require('crypto')
+    const signer = crypto.createSign("RSA-SHA256")
+    signer.update(headerAndPayload)
+    const signature = signer.sign({
+        key: privateKey
+    }, "base64url")
+
+    const token = `${headerAndPayload}.${signature}`
+
+    const { httpsRequest } = require('./https-request')
+    return await httpsRequest(
+        context,
+        null,
+        requestMethod,
+        requestPath,
+        body,
+        {
+            Authorization: `Bearer ${token}`,
+        }
+    )
+}
+
+module.exports = {
+    gitHubAPIRequestAsApp
+}

GitGitGadget/https-request.js

@@ -0,0 +1,88 @@
+const gently = require('./gently')
+
+const httpsRequest = async (context, hostname, method, requestPath, body, headers) => {
+    headers = {
+        'User-Agent': 'GitForWindowsHelper/0.0',
+        Accept: 'application/json',
+        ...headers || {}
+    }
+    if (body) {
+        if (typeof body === 'object') body = JSON.stringify(body)
+        headers['Content-Type'] = 'application/json'
+        headers['Content-Length'] = body.length
+    }
+    const options = {
+        port: 443,
+        hostname: hostname || 'api.github.com',
+        method: method || 'GET',
+        path: requestPath,
+        headers
+    }
+    return new Promise((resolve, reject) => {
+        try {
+            const https = require('https')
+            const req = https.request(options, res => {
+                res.on('error', e => reject(e))
+
+                if (res.statusCode === 204) resolve({
+                    statusCode: res.statusCode,
+                    statusMessage: res.statusMessage,
+                    headers: res.headers
+                })
+
+                const chunks = []
+                res.on('data', data => chunks.push(data))
+                res.on('end', () => {
+                    const json = Buffer.concat(chunks).toString('utf-8')
+                    if (res.statusCode > 299) {
+                        reject({
+                            statusCode: res.statusCode,
+                            statusMessage: res.statusMessage,
+                            requestMethod: options.method,
+                            requestPath: options.path,
+                            body: json,
+                            json: gently(() => JSON.parse(json))
+                        })
+                        return
+                    }
+                    try {
+                        resolve(JSON.parse(json))
+                    } catch (e) {
+                        reject(`Invalid JSON: ${json}`)
+                    }
+                })
+            })
+            req.on('error', err => reject(err))
+            if (body) req.write(body)
+            req.end()
+        } catch (e) {
+            reject(e)
+        }
+    })
+}
+
+const doesURLReturn404 = async url => {
+    const match = url.match(/^https:\/\/([^/]+?)(:\d+)?(\/.*)?$/)
+    if (!match) throw new Error(`Could not parse URL ${url}`)
+
+    const https = require('https')
+    const options = {
+        method: 'HEAD',
+        host: match[1],
+        port: Number.parseInt(match[2] || '443'),
+        path: match[3] || '/'
+    }
+    return new Promise((resolve, reject) => {
+        https.request(options, res => {
+            if (res.error) reject(res.error)
+            else if (res.statusCode === 404) resolve(true)
+            else if (res.statusCode === 200) resolve(false)
+            else reject(`Unexpected statusCode: ${res.statusCode}`)
+        }).end()
+    })
+}
+
+module.exports = {
+    httpsRequest,
+    doesURLReturn404
+}

README.md

@@ -21,14 +21,16 @@ Instead of pushing the code to Azure all the time, waiting until it is deployed,
 
 To this end, [install the Azure Functions Core Tools (for performance, use Linux)](https://learn.microsoft.com/en-us/azure/azure-functions/functions-run-local?tabs=v4%2Clinux%2Ccsharp%2Cportal%2Cbash#install-the-azure-functions-core-tools, e.g. via [WSL](https://learn.microsoft.com/en-us/windows/wsl/)).
 
-Then, configure [the `GITHUB_WEBHOOK_SECRET` variable](#some-environment-variables) locally, via [a `local.settings.json` file](https://learn.microsoft.com/en-us/azure/azure-functions/functions-develop-local#local-settings-file). The contents would look like this:
+Then, configure [the `GITHUB_APP_ID`, `GITHUB_APP_PRIVATE_KEY` and `GITHUB_WEBHOOK_SECRET` variables](#some-environment-variables) locally, via [a `local.settings.json` file](https://learn.microsoft.com/en-us/azure/azure-functions/functions-develop-local#local-settings-file). The contents would look like this:
 
 ```json
 {
   "IsEncrypted": false,
   "Values": {
     "FUNCTIONS_WORKER_RUNTIME": "node",
     "AzureWebJobsStorage": "<storage-key>",
+    "GITHUB_APP_ID": "<app-id>",
+    "GITHUB_APP_PRIVATE_KEY": "<private-key>",
     "GITHUB_WEBHOOK_SECRET": "<webhook-secret>"
   },
   "Host": {
@@ -61,6 +63,8 @@ A few environment variables will have to be configured for use with the Azure Fu
 
 Concretely, the environment variables `GITHUB_WEBHOOK_SECRET` and `GITGITGADGET_TRIGGER_TOKEN` (a Personal Access Token to trigger the Azure Pipelines) need to be set. For the first, a generated random string was used. The second one was [created](https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=Windows#create-a-pat) scoped to the Azure DevOps project `gitgitgadget` with the Build (read & execute) permissions.
 
+Also, the `GITHUB_APP_ID` and `GITHUB_APP_PRIVATE_KEY` variables are needed in order to trigger GitHub workflow runs. These were obtained as part of registering the GitHub App.
+
 ### The repository
 
 On https://github.com/, the `+` link on the top was pressed, and an empty, private repository was registered. Nothing was pushed to it yet.

__tests__/get-installation-access-token.test.js

@@ -0,0 +1,32 @@
+const mockHTTPSRequest = jest.fn(async (context, hostname, method, requestPath, body, headers) => {
+    // We're not validating the authorization, just validating that there is one
+    expect(headers.Authorization).toMatch(/Bearer [-.0-9A-Za-z_]{40,}/)
+
+    if (requestPath === '/repos/hello/world/installation') return { id: 17 }
+    if (requestPath === '/app/installations/17/access_tokens') return { token: 'i-can-haz-access-token' }
+    throw new Error(`Unexpected requestPath: '${requestPath}'`)
+})
+jest.mock('../GitGitGadget/https-request', () => { return { httpsRequest: mockHTTPSRequest } })
+const { getInstallationIdForRepo } = require('../GitGitGadget/get-installation-id-for-repo')
+const { getInstallationAccessToken } = require('../GitGitGadget/get-installation-access-token')
+
+const { generateKeyPairSync } = require('crypto')
+
+const { privateKey } = generateKeyPairSync('rsa', {
+    modulusLength: 2048,
+    publicKeyEncoding: {
+        type: 'spki',
+        format: 'pem'
+    },
+    privateKeyEncoding: {
+        type: 'pkcs8',
+        format: 'pem',
+    }
+})
+process.env['GITHUB_APP_PRIVATE_KEY'] = privateKey
+
+test('get an installation access token', async () => {
+    const context = {}
+    const installationID = await getInstallationIdForRepo(context, 'hello', 'world')
+    expect(await getInstallationAccessToken(context, installationID)).toEqual('i-can-haz-access-token')
+})