Merge pull request #46 from derwasp/derwasp/add-actions-admin-user-switch
Add actions admin user impersonation via a --actions-admin-user flag
This commit is contained in:
Ajay
3
.gitignore
vendored
3
.gitignore
vendored
@@ -2,4 +2,5 @@
|
||||
_tools/bin
|
||||
bin
|
||||
test/tmp
|
||||
dist
|
||||
dist
|
||||
actions-sync
|
||||
|
||||
@@ -24,6 +24,8 @@ When there are machines which have access to both the public internet and the GH
|
||||
|
||||
**Arguments:**
|
||||
|
||||
- `actions-admin-user` _(optional)_
|
||||
The name of the Actions admin user, which will be used for updating the chosen action. To use the default user, pass `actions-admin`. If not set, the impersonation is disabled. Note that `site_admin` scope is required in the token for the impersonation to work.
|
||||
- `cache-dir` _(required)_
|
||||
The directory in which to cache repositories as they are synced. This speeds up re-syncing.
|
||||
- `destination-url` _(required)_
|
||||
@@ -84,6 +86,8 @@ When no machine has access to both the public internet and the GHES instance:
|
||||
|
||||
**Arguments:**
|
||||
|
||||
- `actions-admin-user` _(optional)_
|
||||
The name of the Actions admin user, which will be used for updating the chosen action. To use the default user, pass `actions-admin`. If not set, the impersonation is disabled. Note that `site_admin` scope is required in the token for the impersonation to work.
|
||||
- `cache-dir` _(required)_
|
||||
The directory containing the repositories fetched using the `pull` command.
|
||||
- `destination-url` _(required)_
|
||||
@@ -104,7 +108,7 @@ When no machine has access to both the public internet and the GHES instance:
|
||||
|
||||
## Destination token scopes
|
||||
|
||||
When creating a personal access token include the `repo` and `workflow` scopes. Include the `site_admin` scope (optional) if you want organizations to be created as necessary.
|
||||
When creating a personal access token include the `repo` and `workflow` scopes. Include the `site_admin` scope (optional) if you want organizations to be created as necessary or you want to use the impersonation logic for the `push` or `sync` commands.
|
||||
|
||||
## Contributing
|
||||
|
||||
|
||||
67
src/push.go
67
src/push.go
@@ -17,9 +17,14 @@ import (
|
||||
"golang.org/x/oauth2"
|
||||
)
|
||||
|
||||
const enterpriseAegisVersionHeaderValue = "GitHub AE"
|
||||
const enterpriseAPIPath = "/api/v3"
|
||||
const enterpriseVersionHeaderKey = "X-GitHub-Enterprise-Version"
|
||||
const xOAuthScopesHeader = "X-OAuth-Scopes"
|
||||
|
||||
type PushOnlyFlags struct {
|
||||
BaseURL, Token string
|
||||
DisableGitAuth bool
|
||||
BaseURL, Token, ActionsAdminUser string
|
||||
DisableGitAuth bool
|
||||
}
|
||||
|
||||
type PushFlags struct {
|
||||
@@ -34,6 +39,7 @@ func (f *PushFlags) Init(cmd *cobra.Command) {
|
||||
|
||||
func (f *PushOnlyFlags) Init(cmd *cobra.Command) {
|
||||
cmd.Flags().StringVar(&f.BaseURL, "destination-url", "", "URL of GHES instance")
|
||||
cmd.Flags().StringVar(&f.ActionsAdminUser, "actions-admin-user", "", "A user to impersonate for the push requests. To use the default name, pass 'actions-admin'. Note that the site_admin scope in the token is required for the impersonation to work.")
|
||||
cmd.Flags().StringVar(&f.Token, "destination-token", "", "Token to access API on GHES instance")
|
||||
cmd.Flags().BoolVar(&f.DisableGitAuth, "disable-push-git-auth", false, "Disables git authentication whilst pushing")
|
||||
}
|
||||
@@ -53,7 +59,64 @@ func (f *PushOnlyFlags) Validate() Validations {
|
||||
return validations
|
||||
}
|
||||
|
||||
func GetImpersonationToken(ctx context.Context, flags *PushFlags) (string, error) {
|
||||
fmt.Printf("getting an impersonation token for `%s` ...\n", flags.ActionsAdminUser)
|
||||
|
||||
ts := oauth2.StaticTokenSource(&oauth2.Token{AccessToken: flags.Token})
|
||||
tc := oauth2.NewClient(ctx, ts)
|
||||
ghClient, err := github.NewEnterpriseClient(flags.BaseURL, flags.BaseURL, tc)
|
||||
if err != nil {
|
||||
return "", errors.Wrap(err, "error creating enterprise client")
|
||||
}
|
||||
|
||||
rootRequest, err := ghClient.NewRequest("GET", enterpriseAPIPath, nil)
|
||||
if err != nil {
|
||||
return "", errors.Wrap(err, "error constructing request for GitHub Enterprise client.")
|
||||
}
|
||||
rootResponse, err := ghClient.Do(ctx, rootRequest, nil)
|
||||
if err != nil {
|
||||
return "", errors.Wrap(err, "error checking connectivity for GitHub Enterprise client.")
|
||||
}
|
||||
|
||||
scopesHeader := rootResponse.Header.Get(xOAuthScopesHeader)
|
||||
fmt.Printf("these are the scopes we have for the current token `%s` ...\n", scopesHeader)
|
||||
|
||||
if !strings.Contains(scopesHeader, "site_admin") {
|
||||
return "", errors.Wrap(err, "the current token doesn't have the `site_admin` scope, the impersonation function requires the `site_admin` permission to be able to impersonate.")
|
||||
}
|
||||
|
||||
isAE := rootResponse.Header.Get(enterpriseVersionHeaderKey) == enterpriseAegisVersionHeaderValue
|
||||
minimumRepositoryScope := "public_repo"
|
||||
if isAE {
|
||||
// the default repository scope for non-ae instances is 'public_repo'
|
||||
// while it is `repo` for ae.
|
||||
minimumRepositoryScope = "repo"
|
||||
fmt.Printf("running against GitHub AE, changing the repository scope to '%s' ...\n", minimumRepositoryScope)
|
||||
}
|
||||
|
||||
impersonationToken, _, err := ghClient.Admin.CreateUserImpersonation(ctx, flags.ActionsAdminUser, &github.ImpersonateUserOptions{Scopes: []string{minimumRepositoryScope, "workflow"}})
|
||||
if err != nil {
|
||||
return "", errors.Wrap(err, "failed to impersonate Actions admin user.")
|
||||
}
|
||||
|
||||
fmt.Printf("got the impersonation token for `%s` ...\n", flags.ActionsAdminUser)
|
||||
|
||||
return impersonationToken.GetToken(), nil
|
||||
}
|
||||
|
||||
func Push(ctx context.Context, flags *PushFlags) error {
|
||||
if flags.ActionsAdminUser != "" {
|
||||
var token, err = GetImpersonationToken(ctx, flags)
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "error obtaining the impersonation token")
|
||||
}
|
||||
|
||||
// Override the initial token with the one that we got in the exchange
|
||||
flags.Token = token
|
||||
} else {
|
||||
fmt.Print("not using impersonation for the requests \n")
|
||||
}
|
||||
|
||||
ts := oauth2.StaticTokenSource(&oauth2.Token{AccessToken: flags.Token})
|
||||
tc := oauth2.NewClient(ctx, ts)
|
||||
ghClient, err := github.NewEnterpriseClient(flags.BaseURL, flags.BaseURL, tc)
|
||||
|
||||
@@ -26,6 +26,10 @@ func main() {
|
||||
r := mux.NewRouter()
|
||||
r.HandleFunc("/ping", func(w http.ResponseWriter, r *http.Request) {})
|
||||
|
||||
r.HandleFunc("/api/v3", func(w http.ResponseWriter, r *http.Request) {
|
||||
w.Header().Set("x-github-enterprise-version", "GitHub AE")
|
||||
})
|
||||
|
||||
r.HandleFunc("/api/v3/user", func(w http.ResponseWriter, r *http.Request) {
|
||||
currentUser := github.User{Login: &authenticatedLogin}
|
||||
b, _ := json.Marshal(currentUser)
|
||||
@@ -35,6 +39,17 @@ func main() {
|
||||
}
|
||||
})
|
||||
|
||||
r.HandleFunc("/api/v3/admin/users/actions-admin/authorizations", func(w http.ResponseWriter, r *http.Request) {
|
||||
w.Header().Set("x-github-enterprise-version", "GitHub AE")
|
||||
token := "token"
|
||||
auth := github.Authorization{Token: &token}
|
||||
b, _ := json.Marshal(auth)
|
||||
_, err := w.Write(b)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
}).Methods("POST")
|
||||
|
||||
r.HandleFunc("/api/v3/admin/organizations", func(w http.ResponseWriter, r *http.Request) {
|
||||
b, err := ioutil.ReadAll(r.Body)
|
||||
if err != nil {
|
||||
|
||||
Reference in New Issue
Block a user