Enable GitHub Realtime authentication (#3929)

GitHub Realtime needs to be able to authenticate. This PR adds relevant fields to the relevant protobuf message, and exports/tweaks some stuff from the github source package to permit its (eventual) use by the GitHub Realtime implementation:

The Connector interface and its constructors are now exported
Connector.Clone now accepts additional clone arguments
The github-specific connection construction has been moved into github.go
The injected rate limit handler no longer accepts error reporters that it never uses
I also added an API endpoint field to the GitHub Realtime proto message, because we need that too and I was here.

Author: rosecodym

pkg/pb/sourcespb/sources.pb.go

@@ -1,44 +1,17 @@
 package github
 
 import (
-	"fmt"
-
 	gogit "github.com/go-git/go-git/v5"
 	"github.com/google/go-github/v67/github"
-	"github.com/trufflesecurity/trufflehog/v3/pkg/log"
-
 	"github.com/trufflesecurity/trufflehog/v3/pkg/context"
-	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/sourcespb"
 )
 
 const cloudEndpoint = "https://api.github.com"
 
-type connector interface {
+// Connector abstracts over the authenticated ways to interact with GitHub: cloning and API operations.
+type Connector interface {
 	// APIClient returns a configured GitHub client that can be used for GitHub API operations.
 	APIClient() *github.Client
 	// Clone clones a repository using the configured authentication information.
-	Clone(ctx context.Context, repoURL string) (string, *gogit.Repository, error)
-}
-
-func newConnector(source *Source) (connector, error) {
-	apiEndpoint := source.conn.Endpoint
-	if apiEndpoint == "" || endsWithGithub.MatchString(apiEndpoint) {
-		apiEndpoint = cloudEndpoint
-	}
-
-	switch cred := source.conn.GetCredential().(type) {
-	case *sourcespb.GitHub_GithubApp:
-		log.RedactGlobally(cred.GithubApp.GetPrivateKey())
-		return newAppConnector(apiEndpoint, cred.GithubApp)
-	case *sourcespb.GitHub_BasicAuth:
-		log.RedactGlobally(cred.BasicAuth.GetPassword())
-		return newBasicAuthConnector(apiEndpoint, cred.BasicAuth)
-	case *sourcespb.GitHub_Token:
-		log.RedactGlobally(cred.Token)
-		return newTokenConnector(apiEndpoint, cred.Token, source.handleRateLimit)
-	case *sourcespb.GitHub_Unauthenticated:
-		return newUnauthenticatedConnector(apiEndpoint)
-	default:
-		return nil, fmt.Errorf("unknown connection type")
-	}
+	Clone(ctx context.Context, repoURL string, args ...string) (string, *gogit.Repository, error)
 }

pkg/pb/sourcespb/sources.pb.validate.go

@@ -19,9 +19,9 @@ type appConnector struct {
 	installationID     int64
 }
 
-var _ connector = (*appConnector)(nil)
+var _ Connector = (*appConnector)(nil)
 
-func newAppConnector(apiEndpoint string, app *credentialspb.GitHubApp) (*appConnector, error) {
+func NewAppConnector(apiEndpoint string, app *credentialspb.GitHubApp) (Connector, error) {
 	installationID, err := strconv.ParseInt(app.InstallationId, 10, 64)
 	if err != nil {
 		return nil, fmt.Errorf("could not parse app installation ID %q: %w", app.InstallationId, err)
@@ -78,7 +78,7 @@ func (c *appConnector) APIClient() *github.Client {
 	return c.apiClient
 }
 
-func (c *appConnector) Clone(ctx context.Context, repoURL string) (string, *gogit.Repository, error) {
+func (c *appConnector) Clone(ctx context.Context, repoURL string, args ...string) (string, *gogit.Repository, error) {
 	// TODO: Check rate limit for this call.
 	token, _, err := c.installationClient.Apps.CreateInstallationToken(
 		ctx,
@@ -88,7 +88,7 @@ func (c *appConnector) Clone(ctx context.Context, repoURL string) (string, *gogi
 		return "", nil, fmt.Errorf("could not create installation token: %w", err)
 	}
 
-	return git.CloneRepoUsingToken(ctx, token.GetToken(), repoURL, "x-access-token")
+	return git.CloneRepoUsingToken(ctx, token.GetToken(), repoURL, "x-access-token", args...)
 }
 
 func (c *appConnector) InstallationClient() *github.Client {

pkg/sources/github/connector.go

@@ -17,9 +17,9 @@ type basicAuthConnector struct {
 	password  string
 }
 
-var _ connector = (*basicAuthConnector)(nil)
+var _ Connector = (*basicAuthConnector)(nil)
 
-func newBasicAuthConnector(apiEndpoint string, cred *credentialspb.BasicAuth) (*basicAuthConnector, error) {
+func NewBasicAuthConnector(apiEndpoint string, cred *credentialspb.BasicAuth) (Connector, error) {
 	const httpTimeoutSeconds = 60
 	httpClient := common.RetryableHTTPClientTimeout(int64(httpTimeoutSeconds))
 	httpClient.Transport = &github.BasicAuthTransport{
@@ -43,6 +43,6 @@ func (c *basicAuthConnector) APIClient() *github.Client {
 	return c.apiClient
 }
 
-func (c *basicAuthConnector) Clone(ctx context.Context, repoURL string) (string, *gogit.Repository, error) {
-	return git.CloneRepoUsingToken(ctx, c.password, repoURL, c.username)
+func (c *basicAuthConnector) Clone(ctx context.Context, repoURL string, args ...string) (string, *gogit.Repository, error) {
+	return git.CloneRepoUsingToken(ctx, c.password, repoURL, c.username, args...)
 }

pkg/sources/github/connector_app.go

@@ -17,14 +17,14 @@ type tokenConnector struct {
 	apiClient          *github.Client
 	token              string
 	isGitHubEnterprise bool
-	handleRateLimit    func(context.Context, error, ...errorReporter) bool
+	handleRateLimit    func(context.Context, error) bool
 	user               string
 	userMu             sync.Mutex
 }
 
-var _ connector = (*tokenConnector)(nil)
+var _ Connector = (*tokenConnector)(nil)
 
-func newTokenConnector(apiEndpoint string, token string, handleRateLimit func(context.Context, error, ...errorReporter) bool) (*tokenConnector, error) {
+func NewTokenConnector(apiEndpoint string, token string, handleRateLimit func(context.Context, error) bool) (Connector, error) {
 	const httpTimeoutSeconds = 60
 	httpClient := common.RetryableHTTPClientTimeout(int64(httpTimeoutSeconds))
 	tokenSource := oauth2.StaticTokenSource(&oauth2.Token{AccessToken: token})
@@ -50,11 +50,11 @@ func (c *tokenConnector) APIClient() *github.Client {
 	return c.apiClient
 }
 
-func (c *tokenConnector) Clone(ctx context.Context, repoURL string) (string, *gogit.Repository, error) {
+func (c *tokenConnector) Clone(ctx context.Context, repoURL string, args ...string) (string, *gogit.Repository, error) {
 	if err := c.setUserIfUnset(ctx); err != nil {
 		return "", nil, err
 	}
-	return git.CloneRepoUsingToken(ctx, c.token, repoURL, c.user)
+	return git.CloneRepoUsingToken(ctx, c.token, repoURL, c.user, args...)
 }
 
 func (c *tokenConnector) IsGithubEnterprise() bool {

pkg/sources/github/connector_basicauth.go

@@ -15,9 +15,9 @@ type unauthenticatedConnector struct {
 	apiClient *github.Client
 }
 
-var _ connector = (*unauthenticatedConnector)(nil)
+var _ Connector = (*unauthenticatedConnector)(nil)
 
-func newUnauthenticatedConnector(apiEndpoint string) (*unauthenticatedConnector, error) {
+func NewUnauthenticatedConnector(apiEndpoint string) (Connector, error) {
 	const httpTimeoutSeconds = 60
 	httpClient := common.RetryableHTTPClientTimeout(int64(httpTimeoutSeconds))
 	apiClient, err := createGitHubClient(httpClient, apiEndpoint)
@@ -33,6 +33,6 @@ func (c *unauthenticatedConnector) APIClient() *github.Client {
 	return c.apiClient
 }
 
-func (c *unauthenticatedConnector) Clone(ctx context.Context, repoURL string) (string, *gogit.Repository, error) {
-	return git.CloneRepoUsingUnauthenticated(ctx, repoURL)
+func (c *unauthenticatedConnector) Clone(ctx context.Context, repoURL string, args ...string) (string, *gogit.Repository, error) {
+	return git.CloneRepoUsingUnauthenticated(ctx, repoURL, args...)
 }

pkg/sources/github/connector_token.go

@@ -16,6 +16,7 @@ import (
 
 	"github.com/gobwas/glob"
 	"github.com/google/go-github/v67/github"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/log"
 	"golang.org/x/sync/errgroup"
 	"google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/anypb"
@@ -64,7 +65,7 @@ type Source struct {
 	jobPool         *errgroup.Group
 	resumeInfoMutex sync.Mutex
 	resumeInfoSlice []string
-	connector       connector
+	connector       Connector
 
 	includePRComments     bool
 	includeIssueComments  bool
@@ -1574,3 +1575,28 @@ func (s *Source) ChunkUnit(ctx context.Context, unit sources.SourceUnit, reporte
 	}
 	return s.scanRepo(ctx, repoURL, reporter)
 }
+
+func newConnector(source *Source) (Connector, error) {
+	apiEndpoint := source.conn.Endpoint
+	if apiEndpoint == "" || endsWithGithub.MatchString(apiEndpoint) {
+		apiEndpoint = cloudEndpoint
+	}
+
+	switch cred := source.conn.GetCredential().(type) {
+	case *sourcespb.GitHub_GithubApp:
+		log.RedactGlobally(cred.GithubApp.GetPrivateKey())
+		return NewAppConnector(apiEndpoint, cred.GithubApp)
+	case *sourcespb.GitHub_BasicAuth:
+		log.RedactGlobally(cred.BasicAuth.GetPassword())
+		return NewBasicAuthConnector(apiEndpoint, cred.BasicAuth)
+	case *sourcespb.GitHub_Token:
+		log.RedactGlobally(cred.Token)
+		return NewTokenConnector(apiEndpoint, cred.Token, func(c context.Context, err error) bool {
+			return source.handleRateLimit(c, err)
+		})
+	case *sourcespb.GitHub_Unauthenticated:
+		return NewUnauthenticatedConnector(apiEndpoint)
+	default:
+		return nil, fmt.Errorf("unknown connection type %T", source.conn.GetCredential())
+	}
+}

pkg/sources/github/connector_unauthenticated.go

@@ -262,6 +262,13 @@ message GitHubExperimental {
 message GitHubRealtime {
   uint32 listener_port = 1;
   string webhook_secret = 2;
+  string endpoint = 3 [(validate.rules).string.uri_ref = true];
+  oneof credential {
+    credentials.GitHubApp github_app = 4;
+    string token = 5;
+    credentials.Unauthenticated unauthenticated = 6;
+    credentials.BasicAuth basic_auth = 7;
+  }
 }
 
 message GoogleDrive {