Implement CredentialsProvider support

Fixes #600

Author: gsmet

deployment/pom.xml

@@ -32,6 +32,10 @@
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-caffeine-deployment</artifactId>
         </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-credentials-deployment</artifactId>
+        </dependency>
         <dependency>
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-smallrye-graphql-client-deployment</artifactId>

docs/modules/ROOT/pages/includes/attributes.adoc

@@ -1,4 +1,4 @@
-:quarkus-version: 3.8.2
+:quarkus-version: 3.9.1
 :quarkus-github-app-version: 2.4.2
 
 :github-api-javadoc-root-url: https://github-api.kohsuke.org/apidocs/org/kohsuke/github

docs/modules/ROOT/pages/includes/quarkus-github-app.adoc

@@ -102,6 +102,48 @@ endif::add-copy-button-to-env-var[]
 |
 
 
+a| [[quarkus-github-app_quarkus-github-app-credentials-provider]]`link:#quarkus-github-app_quarkus-github-app-credentials-provider[quarkus.github-app.credentials-provider]`
+
+
+[.description]
+--
+The credentials provider name.
+
+This is the name of the "keyring" containing the GitHub App secrets.
+
+Key names are defined in `Credentials`.
+
+ifdef::add-copy-button-to-env-var[]
+Environment variable: env_var_with_copy_button:+++QUARKUS_GITHUB_APP_CREDENTIALS_PROVIDER+++[]
+endif::add-copy-button-to-env-var[]
+ifndef::add-copy-button-to-env-var[]
+Environment variable: `+++QUARKUS_GITHUB_APP_CREDENTIALS_PROVIDER+++`
+endif::add-copy-button-to-env-var[]
+--|string 
+|
+
+
+a| [[quarkus-github-app_quarkus-github-app-credentials-provider-name]]`link:#quarkus-github-app_quarkus-github-app-credentials-provider-name[quarkus.github-app.credentials-provider-name]`
+
+
+[.description]
+--
+The credentials provider bean name.
+
+This is a bean name (as in `@Named`) of a bean that implements `CredentialsProvider`. It is used to select the credentials provider bean when multiple exist. This is unnecessary when there is only one credentials provider available.
+
+For Vault, the credentials provider bean name is `vault-credentials-provider`.
+
+ifdef::add-copy-button-to-env-var[]
+Environment variable: env_var_with_copy_button:+++QUARKUS_GITHUB_APP_CREDENTIALS_PROVIDER_NAME+++[]
+endif::add-copy-button-to-env-var[]
+ifndef::add-copy-button-to-env-var[]
+Environment variable: `+++QUARKUS_GITHUB_APP_CREDENTIALS_PROVIDER_NAME+++`
+endif::add-copy-button-to-env-var[]
+--|string 
+|
+
+
 a| [[quarkus-github-app_quarkus-github-app-webhook-proxy-url]]`link:#quarkus-github-app_quarkus-github-app-webhook-proxy-url[quarkus.github-app.webhook-proxy-url]`
 
 

runtime/pom.xml

@@ -38,6 +38,10 @@
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-caffeine</artifactId>
         </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-credentials</artifactId>
+        </dependency>
         <dependency>
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-smallrye-graphql-client</artifactId>

runtime/src/main/java/io/quarkiverse/githubapp/Credentials.java

@@ -0,0 +1,13 @@
+package io.quarkiverse.githubapp;
+
+import io.quarkus.credentials.CredentialsProvider;
+
+/**
+ * The name of the credentials to use in your {@link CredentialsProvider}.
+ */
+public final class Credentials {
+
+    public static final String PRIVATE_KEY = "githubAppPrivateKey";
+    public static final String WEBHOOK_SECRET = "githubAppWebhookSecret";
+
+}

runtime/src/main/java/io/quarkiverse/githubapp/runtime/config/CheckedConfigProvider.java

@@ -1,6 +1,7 @@
 package io.quarkiverse.githubapp.runtime.config;
 
 import java.security.PrivateKey;
+import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
 import java.util.TreeSet;
@@ -11,8 +12,12 @@
 import org.jboss.logging.Logger;
 
 import io.quarkiverse.githubapp.ConfigFile;
+import io.quarkiverse.githubapp.Credentials;
 import io.quarkiverse.githubapp.GitHubEvent;
 import io.quarkiverse.githubapp.runtime.config.GitHubAppRuntimeConfig.Debug;
+import io.quarkus.arc.Arc;
+import io.quarkus.arc.ArcContainer;
+import io.quarkus.credentials.CredentialsProvider;
 import io.quarkus.runtime.LaunchMode;
 import io.quarkus.runtime.Startup;
 
@@ -26,28 +31,45 @@ public class CheckedConfigProvider {
 
     private final LaunchMode launchMode;
 
+    private final Optional<PrivateKey> privateKey;
+    private final Optional<String> webhookSecret;
+
     private final Set<String> missingPropertyKeys = new TreeSet<>();
 
     @Inject
     CheckedConfigProvider(GitHubAppRuntimeConfig gitHubAppRuntimeConfig, LaunchMode launchMode) {
         this.gitHubAppRuntimeConfig = gitHubAppRuntimeConfig;
         this.launchMode = launchMode;
 
+        Map<String, String> credentials = getCredentials();
+        String privateKeyFromCredentials = credentials.get(Credentials.PRIVATE_KEY);
+        if (privateKeyFromCredentials != null && !privateKeyFromCredentials.isBlank()) {
+            this.privateKey = Optional.of(new PrivateKeyConverter().convert(privateKeyFromCredentials.trim()));
+        } else {
+            this.privateKey = gitHubAppRuntimeConfig.privateKey;
+        }
+        String webhookSecretFromCredentials = credentials.get(Credentials.WEBHOOK_SECRET);
+        if (webhookSecretFromCredentials != null && !webhookSecretFromCredentials.isBlank()) {
+            this.webhookSecret = Optional.of(webhookSecretFromCredentials.trim());
+        } else {
+            this.webhookSecret = gitHubAppRuntimeConfig.webhookSecret;
+        }
+
         if (gitHubAppRuntimeConfig.appId.isEmpty()) {
             missingPropertyKeys.add("quarkus.github-app.app-id (.env: QUARKUS_GITHUB_APP_APP_ID)");
         }
-        if (gitHubAppRuntimeConfig.privateKey.isEmpty()) {
+        if (this.privateKey.isEmpty()) {
             missingPropertyKeys.add("quarkus.github-app.private-key (.env: QUARKUS_GITHUB_APP_PRIVATE_KEY)");
         }
-        if (launchMode == LaunchMode.NORMAL && gitHubAppRuntimeConfig.webhookSecret.isEmpty()) {
+        if (launchMode == LaunchMode.NORMAL && this.webhookSecret.isEmpty()) {
             missingPropertyKeys.add("quarkus.github-app.webhook-secret (.env: QUARKUS_GITHUB_APP_WEBHOOK_SECRET)");
         }
 
         if (launchMode != LaunchMode.TEST) {
             checkConfig();
         }
 
-        if (gitHubAppRuntimeConfig.webhookSecret.isPresent() && launchMode.isDevOrTest()) {
+        if (this.webhookSecret.isPresent() && launchMode.isDevOrTest()) {
             LOG.info("Payload signature checking is disabled in dev and test modes.");
         }
     }
@@ -71,11 +93,11 @@ public PrivateKey privateKey() {
         }
 
         // The optional will never be empty; using orElseThrow instead of get to avoid IDE warnings.
-        return gitHubAppRuntimeConfig.privateKey.orElseThrow();
+        return privateKey.orElseThrow();
     }
 
     public Optional<String> webhookSecret() {
-        return gitHubAppRuntimeConfig.webhookSecret;
+        return webhookSecret;
     }
 
     public Optional<String> webhookProxyUrl() {
@@ -124,4 +146,29 @@ public void checkConfig() {
 
         throw new GitHubAppConfigurationException(errorMessage);
     }
+
+    private Map<String, String> getCredentials() {
+        if (gitHubAppRuntimeConfig.credentialsProvider.isEmpty()) {
+            return Map.of();
+        }
+
+        String beanName = gitHubAppRuntimeConfig.credentialsProviderName.orElse(null);
+        CredentialsProvider credentialsProvider = getCredentialsProvider(beanName);
+        String keyRingName = gitHubAppRuntimeConfig.credentialsProvider.get();
+
+        return credentialsProvider.getCredentials(keyRingName);
+    }
+
+    private static CredentialsProvider getCredentialsProvider(String name) {
+        ArcContainer container = Arc.container();
+        CredentialsProvider credentialsProvider = name != null
+                ? (CredentialsProvider) container.instance(name).get()
+                : container.instance(CredentialsProvider.class).get();
+
+        if (credentialsProvider == null) {
+            throw new RuntimeException("Unable to find credentials provider of name " + (name == null ? "default" : name));
+        }
+
+        return credentialsProvider;
+    }
 }

runtime/src/main/java/io/quarkiverse/githubapp/runtime/config/GitHubAppRuntimeConfig.java

@@ -4,11 +4,13 @@
 import java.security.PrivateKey;
 import java.util.Optional;
 
+import io.quarkiverse.githubapp.Credentials;
 import io.quarkus.runtime.annotations.ConfigGroup;
 import io.quarkus.runtime.annotations.ConfigItem;
 import io.quarkus.runtime.annotations.ConfigPhase;
 import io.quarkus.runtime.annotations.ConfigRoot;
 import io.quarkus.runtime.annotations.ConvertWith;
+import io.quarkus.runtime.configuration.TrimmedStringConverter;
 
 @ConfigRoot(name = "github-app", phase = ConfigPhase.RUN_TIME)
 public class GitHubAppRuntimeConfig {
@@ -50,6 +52,30 @@ public class GitHubAppRuntimeConfig {
     @ConfigItem
     Optional<String> webhookSecret;
 
+    /**
+     * The credentials provider name.
+     * <p>
+     * This is the name of the "keyring" containing the GitHub App secrets.
+     * <p>
+     * Key names are defined in {@link Credentials}.
+     */
+    @ConfigItem
+    @ConvertWith(TrimmedStringConverter.class)
+    Optional<String> credentialsProvider;
+
+    /**
+     * The credentials provider bean name.
+     * <p>
+     * This is a bean name (as in {@code @Named}) of a bean that implements {@code CredentialsProvider}.
+     * It is used to select the credentials provider bean when multiple exist.
+     * This is unnecessary when there is only one credentials provider available.
+     * <p>
+     * For Vault, the credentials provider bean name is {@code vault-credentials-provider}.
+     */
+    @ConfigItem
+    @ConvertWith(TrimmedStringConverter.class)
+    Optional<String> credentialsProviderName;
+
     /**
      * The Smee.io proxy URL used when testing locally.
      */