* Add support for Github App based authentication

* Return git commit ID as buildlabel in the XML

Author: mansab

CHANGELOG.md

@@ -1,3 +1,8 @@
+## 3.0.0
+
+* Add support for Github App based authentication
+* Return git commit ID as buildlabel in the XML
+
 ## 2.2.0
 
 Added /health endpoint

app.py

@@ -2,10 +2,12 @@
 import os
 import re
 import logging
+import argparse
 import datetime
+import xml.etree.ElementTree as ET
 from concurrent.futures import ThreadPoolExecutor
 
-import xml.etree.ElementTree as ET
+import jwt
 import requests
 from flask import Flask, request, make_response, jsonify
 from flask_basicauth import BasicAuth
@@ -24,16 +26,61 @@
 TIMEOUT = 10
 
 def get_token():
-    """Sets the Github API token
+    """Sets the GitHub API token based on the selected mode
 
     Returns:
-        token: Either from the query parameter or the environment variable
+        token: Either the personal access token or the GitHub App access token
     """
-    query_token = request.args.get("token")
+    parser = argparse.ArgumentParser()
+    parser.add_argument(
+        "--mode",
+        choices=[
+            "pat-auth",
+            "app-auth"],
+        default="pat-auth",
+        help="Authentication mode")
+    args = parser.parse_args()
+
+    token = request.args.get("token")
+
+    if token:
+        return token
+    elif args.mode == "pat-auth":
+        token = os.environ.get("GITHUB_TOKEN")
+    elif args.mode == "app-auth":
+        app_auth_id = os.environ.get("APP_AUTH_ID")
+        app_auth_private_key = os.environ.get("APP_AUTH_PRIVATE_KEY")
+        app_auth_installation_id = os.environ.get("APP_AUTH_INSTALLATION_ID")
+        app_auth_base_url = "https://api.github.com"
+
+        now = datetime.datetime.utcnow()
+        iat = int((now - datetime.datetime(1970, 1, 1)).total_seconds())
+        exp = iat + 600
+        payload = {
+            "iat": iat,
+            "exp": exp,
+            "iss": app_auth_id
+        }
+        encoded_jwt = jwt.encode(
+            payload,
+            app_auth_private_key,
+            algorithm="RS256")
+        headers = {
+            "Authorization": f"Bearer {encoded_jwt}",
+            "Accept": "application/vnd.github.v3+json"
+        }
+        response = requests.post(
+            f"{app_auth_base_url}/app/installations/{app_auth_installation_id}/access_tokens",
+            headers=headers,
+            timeout=TIMEOUT)
+
+        if response.status_code == 201:
+            token = response.json()["token"]
+        else:
+            raise Exception(
+                f"Failed to obtain access token: {response.status_code} {response.text}")
 
-    if query_token:
-        return query_token
-    return os.environ.get("GITHUB_TOKEN")
+    return token
 
 
 def get_workflows(owner, repo, headers):
@@ -96,7 +143,11 @@ def get_all_workflow_runs(owner, repo, token):
 
     workflows = get_workflows(owner, repo, headers)
     with ThreadPoolExecutor(max_workers=MAX_WORKERS) as executor:
-        futures = [executor.submit(get_workflow_runs, workflow, headers) for workflow in workflows]
+        futures = [
+            executor.submit(
+                get_workflow_runs,
+                workflow,
+                headers) for workflow in workflows]
 
     results = []
     for future in futures:
@@ -124,7 +175,10 @@ def index():
 
     data = get_all_workflow_runs(owner, repo, token)
 
-    workflow_runs = sorted(data, key=lambda run: run["updated_at"], reverse=True)
+    workflow_runs = sorted(
+        data,
+        key=lambda run: run["updated_at"],
+        reverse=True)
 
     root = ET.Element("Projects")
     project_names = set()  # Set to store unique project names
@@ -152,12 +206,14 @@ def index():
                         else "Unknown")
             project.set("lastBuildTime", run["updated_at"])
             project.set("webUrl", run["html_url"])
+            short_commit_id = run["head_commit"]["id"][:8]
+            project.set("lastBuildLabel", short_commit_id)
 
     response = make_response(ET.tostring(root).decode())
     response.headers['Content-Type'] = 'application/xml'
 
-    logger.info("Request URI: %s Response Code: %d", request.path, response.status_code)
-
+    logger.info("Request URI: %s Response Code: %d",
+                request.path, response.status_code)
 
     return response
 
@@ -172,9 +228,10 @@ def health():
     with open('CHANGELOG.md', 'r', encoding='utf-8') as changelog_file:
         changelog_content = changelog_file.read()
 
-    latest_version_match = re.search(r'##\s*(\d+\.\d+\.\d+)', changelog_content)
-    latest_version = latest_version_match.group(1) if latest_version_match else 'Unknown'
-
+    latest_version_match = re.search(
+        r'##\s*(\d+\.\d+\.\d+)', changelog_content)
+    latest_version = latest_version_match.group(
+        1) if latest_version_match else 'Unknown'
 
     response = {
         'status': 'ok',
@@ -183,6 +240,7 @@ def health():
 
     return jsonify(response)
 
+
 @app.route('/limit')
 @basic_auth.required
 def limit():
@@ -192,7 +250,6 @@ def limit():
         flask.Response: JSON response containing rate limiting information.
     """
     token = get_token()
-
     headers = {
         'Accept': 'application/vnd.github+json',
         "Authorization": f"Bearer {token}",
@@ -205,7 +262,8 @@ def limit():
         rate = response.json().get('rate', {})
         reset_unix_time = rate.get('reset', 0)
         reset_datetime = datetime.datetime.fromtimestamp(reset_unix_time)
-        reset_cest = reset_datetime.astimezone(datetime.timezone(datetime.timedelta(hours=2)))
+        reset_cest = reset_datetime.astimezone(
+            datetime.timezone(datetime.timedelta(hours=2)))
         rate['reset_cest'] = reset_cest.strftime('%Y-%m-%d %H:%M:%S %Z%z')
 
         if rate.get('remaining', 0) == 0:
@@ -219,13 +277,12 @@ def limit():
                 'rate_limit': rate
             }
     else:
-        response = {
-            'status': 'ok',
-            'rate_limit': {'error': 'Failed to retrieve rate limit information'}
-        }
+        response = {'status': 'ok', 'rate_limit': {
+            'error': 'Failed to retrieve rate limit information'}}
 
     return jsonify(response)
 
+
 @app.errorhandler(Exception)
 def handle_error(exception):
     """Error handler for handling exceptions raised in the application.

tests/test_app.py

@@ -1,79 +1,71 @@
 """Teat Module for the App"""
 import unittest
-from unittest.mock import patch
-from app import app
+from unittest.mock import patch, MagicMock
+from app import get_workflows, get_workflow_runs, app, get_all_workflow_runs
 
 
-class TestApp(unittest.TestCase):
+class AppTests(unittest.TestCase):
     """Test cases for the App module."""
 
     def setUp(self):
-        """Set up the test environment."""
-        app.testing = True
-        app.config['BASIC_AUTH_USERNAME'] = 'user'
-        app.config['BASIC_AUTH_PASSWORD'] = 'pass'
-        self.client = app.test_client()
-        self.headers = {
-            'Authorization': 'Basic dXNlcjpwYXNz'
-        }
-
-    def test_health_endpoint(self):
-        """Test health check status & version in the health route."""
-        response = self.client.get('/health')
-        self.assertEqual(response.status_code, 200)
-        self.assertIn(b'{"status":"ok","version":"2.2.0"}', response.data)
-
-    def test_index_missing_parameters(self):
-        """Test handling missing parameters in the index route."""
-        response = self.client.get('/', headers=self.headers)
-        self.assertEqual(response.status_code, 400)
-        self.assertIn(b"Missing parameter(s)", response.data)
-
-    @patch('app.get_all_workflow_runs')
-    def test_index_successful_response(self, mock_get_all_workflow_runs):
-        """Test successful response in the index route."""
-        mock_get_all_workflow_runs.return_value = [
-            {
-                "name": "CI",
-                "status": "completed",
-                "conclusion": "success",
-                "updated_at": "2021-09-20T18:25:34Z",
-                "html_url": "https://github.com/owner/repo/actions/runs/1234"
-            }
-        ]
-        response = self.client.get('/?owner=owner&repo=repo', headers=self.headers)
-        self.assertEqual(response.status_code, 200)
-        self.assertIn(b'<Project', response.data)
-        self.assertIn(b'name="repo/CI"', response.data)
-        self.assertIn(b'activity="Sleeping', response.data)
-        self.assertIn(b'lastBuildStatus="Success"', response.data)
-        self.assertIn(b'webUrl="https://github.com/owner/repo/actions/runs/1234"', response.data)
-
-    @patch('app.get_all_workflow_runs')
-    def test_index_unknown_build_status(self, mock_get_all_workflow_runs):
-        """Test unknown build status in the index route."""
-        mock_get_all_workflow_runs.return_value = [
-            {
-                "name": "CI",
-                "status": "in_progress",
-                "conclusion": None,
-                "updated_at": "2021-09-20T18:25:34Z",
-                "html_url": "https://github.com/owner/repo/actions/runs/1234"
-            }
-        ]
-        response = self.client.get('/?owner=owner&repo=repo', headers=self.headers)
-        self.assertEqual(response.status_code, 200)
-        self.assertIn(b'<Project', response.data)
-        self.assertIn(b'lastBuildStatus="Unknown"', response.data)
-
-    @patch('app.get_all_workflow_runs')
-    def test_index_failed_response(self, mock_get_all_workflow_runs):
-        """Test failed response in the index route."""
-        mock_get_all_workflow_runs.return_value = []
-        response = self.client.get('/?owner=owner&repo=repo', headers=self.headers)
-        self.assertEqual(response.status_code, 200)
-        self.assertIn(b'<Projects />', response.data)
-
-
-if __name__ == '__main__':
-    unittest.main()
+        """Setup the app"""
+        self.app = app.test_client()
+
+    def test_get_workflows(self):
+        """Test case for getting workflows"""
+        owner = "test_owner"
+        repo = "test_repo"
+        headers = {"Authorization": "Bearer test_token",
+                   "Accept": "application/vnd.github.v3+json"}
+
+        with patch('requests.get') as mock_get:
+            mock_response = MagicMock()
+            mock_response.status_code = 200
+            mock_response.json.return_value = {
+                "workflows": ["workflow1", "workflow2"]}
+            mock_get.return_value = mock_response
+
+            workflows = get_workflows(owner, repo, headers)
+
+            self.assertEqual(workflows, ["workflow1", "workflow2"])
+
+    def test_get_workflow_runs(self):
+        """Test case for getting workflow runs"""
+        workflow = {"url": "test_url"}
+        headers = {"Authorization": "Bearer test_token",
+                   "Accept": "application/vnd.github.v3+json"}
+
+        with patch('requests.get') as mock_get:
+            mock_response = MagicMock()
+            mock_response.status_code = 200
+            mock_response.json.return_value = {
+                "workflow_runs": ["run1", "run2"]}
+            mock_get.return_value = mock_response
+
+            workflow_runs = get_workflow_runs(workflow, headers)
+
+            self.assertEqual(workflow_runs, ["run1", "run2"])
+
+    def test_get_all_workflow_runs(self):
+        """Test case for getting all workflow runs"""
+        owner = "test_owner"
+        repo = "test_repo"
+        token = "test_token"
+        headers = {"Authorization": "Bearer test_token",
+                   "Accept": "application/vnd.github.v3+json"}
+        workflows = [{"url": "workflow1"}, {"url": "workflow2"}]
+        runs1 = [{"id": 1, "status": "completed", "conclusion": "success"}]
+        runs2 = [{"id": 2, "status": "completed", "conclusion": "failure"}]
+
+        with patch('app.get_workflows') as mock_get_workflows, \
+                patch('app.get_workflow_runs') as mock_get_workflow_runs:
+
+            mock_get_workflows.return_value = workflows
+            mock_get_workflow_runs.side_effect = [runs1, runs2]
+
+            result = get_all_workflow_runs(owner, repo, token)
+
+            self.assertEqual(result, runs1 + runs2)
+            mock_get_workflows.assert_called_once_with(owner, repo, headers)
+            mock_get_workflow_runs.assert_any_call(workflows[0], headers)
+            mock_get_workflow_runs.assert_any_call(workflows[1], headers)