diff --git a/.gitignore b/.gitignore index 59ea580..375255d 100644 --- a/.gitignore +++ b/.gitignore @@ -2,4 +2,5 @@ _tools/bin bin test/tmp -dist \ No newline at end of file +dist +actions-sync diff --git a/README.md b/README.md index ec111ab..2699269 100644 --- a/README.md +++ b/README.md @@ -24,6 +24,8 @@ When there are machines which have access to both the public internet and the GH **Arguments:** +- `actions-admin-user` _(optional)_ + The name of the Actions admin user, which will be used for updating the chosen action. To use the default user, pass `actions-admin`. If not set, the impersonation is disabled. Note that `site_admin` scope is required in the token for the impersonation to work. - `cache-dir` _(required)_ The directory in which to cache repositories as they are synced. This speeds up re-syncing. - `destination-url` _(required)_ @@ -84,6 +86,8 @@ When no machine has access to both the public internet and the GHES instance: **Arguments:** +- `actions-admin-user` _(optional)_ + The name of the Actions admin user, which will be used for updating the chosen action. To use the default user, pass `actions-admin`. If not set, the impersonation is disabled. Note that `site_admin` scope is required in the token for the impersonation to work. - `cache-dir` _(required)_ The directory containing the repositories fetched using the `pull` command. - `destination-url` _(required)_ @@ -104,7 +108,7 @@ When no machine has access to both the public internet and the GHES instance: ## Destination token scopes -When creating a personal access token include the `repo` and `workflow` scopes. Include the `site_admin` scope (optional) if you want organizations to be created as necessary. +When creating a personal access token include the `repo` and `workflow` scopes. Include the `site_admin` scope (optional) if you want organizations to be created as necessary or you want to use the impersonation logic for the `push` or `sync` commands. ## Contributing diff --git a/src/push.go b/src/push.go index 798f161..ecfcfc6 100644 --- a/src/push.go +++ b/src/push.go @@ -17,9 +17,14 @@ import ( "golang.org/x/oauth2" ) +const enterpriseAegisVersionHeaderValue = "GitHub AE" +const enterpriseAPIPath = "/api/v3" +const enterpriseVersionHeaderKey = "X-GitHub-Enterprise-Version" +const xOAuthScopesHeader = "X-OAuth-Scopes" + type PushOnlyFlags struct { - BaseURL, Token string - DisableGitAuth bool + BaseURL, Token, ActionsAdminUser string + DisableGitAuth bool } type PushFlags struct { @@ -34,6 +39,7 @@ func (f *PushFlags) Init(cmd *cobra.Command) { func (f *PushOnlyFlags) Init(cmd *cobra.Command) { cmd.Flags().StringVar(&f.BaseURL, "destination-url", "", "URL of GHES instance") + cmd.Flags().StringVar(&f.ActionsAdminUser, "actions-admin-user", "", "A user to impersonate for the push requests. To use the default name, pass 'actions-admin'. Note that the site_admin scope in the token is required for the impersonation to work.") cmd.Flags().StringVar(&f.Token, "destination-token", "", "Token to access API on GHES instance") cmd.Flags().BoolVar(&f.DisableGitAuth, "disable-push-git-auth", false, "Disables git authentication whilst pushing") } @@ -53,7 +59,64 @@ func (f *PushOnlyFlags) Validate() Validations { return validations } +func GetImpersonationToken(ctx context.Context, flags *PushFlags) (string, error) { + fmt.Printf("getting an impersonation token for `%s` ...\n", flags.ActionsAdminUser) + + ts := oauth2.StaticTokenSource(&oauth2.Token{AccessToken: flags.Token}) + tc := oauth2.NewClient(ctx, ts) + ghClient, err := github.NewEnterpriseClient(flags.BaseURL, flags.BaseURL, tc) + if err != nil { + return "", errors.Wrap(err, "error creating enterprise client") + } + + rootRequest, err := ghClient.NewRequest("GET", enterpriseAPIPath, nil) + if err != nil { + return "", errors.Wrap(err, "error constructing request for GitHub Enterprise client.") + } + rootResponse, err := ghClient.Do(ctx, rootRequest, nil) + if err != nil { + return "", errors.Wrap(err, "error checking connectivity for GitHub Enterprise client.") + } + + scopesHeader := rootResponse.Header.Get(xOAuthScopesHeader) + fmt.Printf("these are the scopes we have for the current token `%s` ...\n", scopesHeader) + + if !strings.Contains(scopesHeader, "site_admin") { + return "", errors.Wrap(err, "the current token doesn't have the `site_admin` scope, the impersonation function requires the `site_admin` permission to be able to impersonate.") + } + + isAE := rootResponse.Header.Get(enterpriseVersionHeaderKey) == enterpriseAegisVersionHeaderValue + minimumRepositoryScope := "public_repo" + if isAE { + // the default repository scope for non-ae instances is 'public_repo' + // while it is `repo` for ae. + minimumRepositoryScope = "repo" + fmt.Printf("running against GitHub AE, changing the repository scope to '%s' ...\n", minimumRepositoryScope) + } + + impersonationToken, _, err := ghClient.Admin.CreateUserImpersonation(ctx, flags.ActionsAdminUser, &github.ImpersonateUserOptions{Scopes: []string{minimumRepositoryScope, "workflow"}}) + if err != nil { + return "", errors.Wrap(err, "failed to impersonate Actions admin user.") + } + + fmt.Printf("got the impersonation token for `%s` ...\n", flags.ActionsAdminUser) + + return impersonationToken.GetToken(), nil +} + func Push(ctx context.Context, flags *PushFlags) error { + if flags.ActionsAdminUser != "" { + var token, err = GetImpersonationToken(ctx, flags) + if err != nil { + return errors.Wrap(err, "error obtaining the impersonation token") + } + + // Override the initial token with the one that we got in the exchange + flags.Token = token + } else { + fmt.Print("not using impersonation for the requests \n") + } + ts := oauth2.StaticTokenSource(&oauth2.Token{AccessToken: flags.Token}) tc := oauth2.NewClient(ctx, ts) ghClient, err := github.NewEnterpriseClient(flags.BaseURL, flags.BaseURL, tc) diff --git a/test/github.go b/test/github.go index 39bd814..f767798 100644 --- a/test/github.go +++ b/test/github.go @@ -26,6 +26,10 @@ func main() { r := mux.NewRouter() r.HandleFunc("/ping", func(w http.ResponseWriter, r *http.Request) {}) + r.HandleFunc("/api/v3", func(w http.ResponseWriter, r *http.Request) { + w.Header().Set("x-github-enterprise-version", "GitHub AE") + }) + r.HandleFunc("/api/v3/user", func(w http.ResponseWriter, r *http.Request) { currentUser := github.User{Login: &authenticatedLogin} b, _ := json.Marshal(currentUser) @@ -35,6 +39,17 @@ func main() { } }) + r.HandleFunc("/api/v3/admin/users/actions-admin/authorizations", func(w http.ResponseWriter, r *http.Request) { + w.Header().Set("x-github-enterprise-version", "GitHub AE") + token := "token" + auth := github.Authorization{Token: &token} + b, _ := json.Marshal(auth) + _, err := w.Write(b) + if err != nil { + panic(err) + } + }).Methods("POST") + r.HandleFunc("/api/v3/admin/organizations", func(w http.ResponseWriter, r *http.Request) { b, err := ioutil.ReadAll(r.Body) if err != nil {