jlengrand/github-api
1
0
Fork 0
mirror of https://github.com/jlengrand/github-api.git synced 2026-03-10 08:21:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

Use only credential providers internally to track credentials

Browse Source 
Removes extra fields from GitHubClient.
This commit is contained in:
Liam Newman
2020-12-30 09:39:36 -08:00
parent 43efa78750
commit f546cf4521
11 changed files with 205 additions and 193 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/main/java/org/kohsuke/github/CredentialProvider.java
View File

@@ -31,6 +31,14 @@ public interface CredentialProvider {
*/
String getEncodedAuthorization() throws IOException;
/**
* Binds this credential provider to a github instance.
*
* @param github
*/
default void bind(GitHub github) {
}
/**
* A {@link CredentialProvider} that ensures that no credentials are returned
*/

54
src/main/java/org/kohsuke/github/GitHub.java
View File

@@ -93,32 +93,25 @@ public class GitHub {
* "http://ghe.acme.com/api/v3". Note that GitHub Enterprise has <code>/api/v3</code> in the URL. For
* historical reasons, this parameter still accepts the bare domain name, but that's considered
* deprecated. Password is also considered deprecated as it is no longer required for api usage.
* @param login
* The user ID on GitHub that you are logging in as. Can be omitted if the OAuth token is provided or if
* logging in anonymously. Specifying this would save one API call.
* @param oauthAccessToken
* Secret OAuth token.
* @param password
* User's password. Always used in conjunction with the {@code login} parameter
* @param connector
* a connector
* @param rateLimitHandler
* rateLimitHandler
* @param abuseLimitHandler
* abuseLimitHandler
* @param rateLimitChecker
* rateLimitChecker
* @param credentialProvider
* a credential provider, takes preference over all other auth-related parameters if it's not null
* a credential provider
*/
GitHub(String apiUrl,
String login,
String oauthAccessToken,
String jwtToken,
String password,
HttpConnector connector,
RateLimitHandler rateLimitHandler,
AbuseLimitHandler abuseLimitHandler,
GitHubRateLimitChecker rateLimitChecker,
CredentialProvider credentialProvider) throws IOException {
credentialProvider.bind(this);
this.client = new GitHubHttpUrlConnectionClient(apiUrl,
login,
oauthAccessToken,
jwtToken,
password,
connector,
rateLimitHandler,
abuseLimitHandler,
@@ -129,6 +122,35 @@ public class GitHub {
orgs = new ConcurrentHashMap<>();
}
private GitHub(GitHubClient client) {
this.client = client;
users = new ConcurrentHashMap<>();
orgs = new ConcurrentHashMap<>();
}
static class CredentialRefreshGitHubWrapper extends GitHub {
CredentialProvider credentialProvider;
CredentialRefreshGitHubWrapper(GitHub github, CredentialProvider credentialProvider) {
super(github.client);
this.credentialProvider = credentialProvider;
this.credentialProvider.bind(this);
}
@Nonnull
@Override
Requester createRequest() {
try {
// Override
return super.createRequest().setHeader("Authorization", credentialProvider.getEncodedAuthorization())
.rateLimit(RateLimitTarget.NONE);
} catch (IOException e) {
throw new GHException("Failed to create requester to refresh credentials", e);
}
}
}
/**
* Obtains the credential from "~/.github" or from the System Environment Properties.
*

29
src/main/java/org/kohsuke/github/GitHubBuilder.java
View File

@@ -24,17 +24,13 @@ public class GitHubBuilder implements Cloneable {
// default scoped so unit tests can read them.
/* private */ String endpoint = GitHubClient.GITHUB_URL;
/* private */ String user;
/* private */ String password;
/* private */ String oauthToken;
/* private */ String jwtToken;
private HttpConnector connector;
private RateLimitHandler rateLimitHandler = RateLimitHandler.WAIT;
private AbuseLimitHandler abuseLimitHandler = AbuseLimitHandler.WAIT;
private GitHubRateLimitChecker rateLimitChecker = new GitHubRateLimitChecker();
private CredentialProvider credentialProvider = null;
private CredentialProvider credentialProvider = CredentialProvider.ANONYMOUS;
/**
* Instantiates a new Git hub builder.
@@ -62,13 +58,13 @@ public class GitHubBuilder implements Cloneable {
builder = fromEnvironment();
if (builder.oauthToken != null || builder.user != null || builder.jwtToken != null)
if (builder.credentialProvider != null)
return builder;
try {
builder = fromPropertyFile();
if (builder.oauthToken != null || builder.user != null || builder.jwtToken != null)
if (builder.credentialProvider != null)
return builder;
} catch (FileNotFoundException e) {
// fall through
@@ -248,9 +244,7 @@ public class GitHubBuilder implements Cloneable {
* @return the git hub builder
*/
public GitHubBuilder withPassword(String user, String password) {
this.user = user;
this.password = password;
return this;
return withCredentialProvider(ImmutableCredentialProvider.fromLoginAndPassword(user, password));
}
/**
@@ -261,7 +255,7 @@ public class GitHubBuilder implements Cloneable {
* @return the git hub builder
*/
public GitHubBuilder withOAuthToken(String oauthToken) {
return withOAuthToken(oauthToken, null);
return withCredentialProvider(ImmutableCredentialProvider.fromOauthToken(oauthToken));
}
/**
@@ -274,9 +268,7 @@ public class GitHubBuilder implements Cloneable {
* @return the git hub builder
*/
public GitHubBuilder withOAuthToken(String oauthToken, String user) {
this.oauthToken = oauthToken;
this.user = user;
return this;
return withCredentialProvider(ImmutableCredentialProvider.fromOauthToken(oauthToken, user));
}
public GitHubBuilder withCredentialProvider(final CredentialProvider credentialProvider) {
@@ -293,7 +285,7 @@ public class GitHubBuilder implements Cloneable {
* @see GHAppInstallation#createToken(java.util.Map) GHAppInstallation#createToken(java.util.Map)
*/
public GitHubBuilder withAppInstallationToken(String appInstallationToken) {
return withOAuthToken(appInstallationToken, "");
return withCredentialProvider(ImmutableCredentialProvider.fromAppInstallationToken(appInstallationToken));
}
/**
@@ -304,8 +296,7 @@ public class GitHubBuilder implements Cloneable {
* @return the git hub builder
*/
public GitHubBuilder withJwtToken(String jwtToken) {
this.jwtToken = jwtToken;
return this;
return withCredentialProvider(ImmutableCredentialProvider.fromJwtToken(jwtToken));
}
/**
@@ -427,10 +418,6 @@ public class GitHubBuilder implements Cloneable {
*/
public GitHub build() throws IOException {
return new GitHub(endpoint,
user,
oauthToken,
jwtToken,
password,
connector,
rateLimitHandler,
abuseLimitHandler,

55
src/main/java/org/kohsuke/github/GitHubClient.java
View File

@@ -3,7 +3,6 @@ package org.kohsuke.github;
import com.fasterxml.jackson.databind.*;
import com.fasterxml.jackson.databind.introspect.VisibilityChecker;
import org.apache.commons.io.IOUtils;
import org.jetbrains.annotations.Nullable;
import java.io.FileNotFoundException;
import java.io.IOException;
@@ -72,10 +71,6 @@ abstract class GitHubClient {
}
GitHubClient(String apiUrl,
String login,
String oauthAccessToken,
String jwtToken,
String password,
HttpConnector connector,
RateLimitHandler rateLimitHandler,
AbuseLimitHandler abuseLimitHandler,
@@ -94,42 +89,35 @@ abstract class GitHubClient {
this.connector = connector;
// Prefer credential configuration via provider
if (credentialProvider != null) {
this.credentialProvider = credentialProvider;
} else {
if (oauthAccessToken != null) {
this.credentialProvider = ImmutableCredentialProvider.fromOauthToken(oauthAccessToken);
} else {
if (jwtToken != null) {
this.credentialProvider = ImmutableCredentialProvider.fromJwtToken(jwtToken);
} else if (password != null) {
this.credentialProvider = ImmutableCredentialProvider.fromLoginAndPassword(login, password);
} else {// anonymous access
this.credentialProvider = CredentialProvider.ANONYMOUS;
}
}
}
this.credentialProvider = credentialProvider;
this.rateLimitHandler = rateLimitHandler;
this.abuseLimitHandler = abuseLimitHandler;
this.rateLimitChecker = rateLimitChecker;
this.login = getCurrentUser(login, jwtToken, myselfConsumer);
this.login = getCurrentUser(myselfConsumer);
}
@Nullable
private String getCurrentUser(String login, String jwtToken, Consumer<GHMyself> myselfConsumer) throws IOException {
if (login == null && this.credentialProvider.getEncodedAuthorization() != null && jwtToken == null) {
try {
GHMyself myself = fetch(GHMyself.class, "/user");
if (myselfConsumer != null) {
myselfConsumer.accept(myself);
}
return myself.getLogin();
} catch (IOException e) {
return null;
}
private String getCurrentUser(Consumer<GHMyself> myselfConsumer) throws IOException {
String login = null;
if (this.credentialProvider instanceof ImmutableCredentialProvider.UserCredentialProvider
&& this.credentialProvider.getEncodedAuthorization() != null) {
ImmutableCredentialProvider.UserCredentialProvider userCredentialProvider = (ImmutableCredentialProvider.UserCredentialProvider) this.credentialProvider;
login = userCredentialProvider.getLogin();
if (login == null) {
try {
GHMyself myself = fetch(GHMyself.class, "/user");
if (myselfConsumer != null) {
myselfConsumer.accept(myself);
}
login = myself.getLogin();
} catch (IOException e) {
return null;
}
}
}
return login;
}
@@ -394,7 +382,6 @@ abstract class GitHubClient {
"GitHub API request [" + (login == null ? "anonymous" : login) + "]: "
+ request.method() + " " + request.url().toString());
}
rateLimitChecker.checkRateLimit(this, request);
responseInfo = getResponseInfo(request);

15
src/main/java/org/kohsuke/github/GitHubHttpUrlConnectionClient.java
View File

@@ -33,10 +33,6 @@ import static org.apache.commons.lang3.StringUtils.defaultString;
class GitHubHttpUrlConnectionClient extends GitHubClient {
GitHubHttpUrlConnectionClient(String apiUrl,
String login,
String oauthAccessToken,
String jwtToken,
String password,
HttpConnector connector,
RateLimitHandler rateLimitHandler,
AbuseLimitHandler abuseLimitHandler,
@@ -44,10 +40,6 @@ class GitHubHttpUrlConnectionClient extends GitHubClient {
Consumer<GHMyself> myselfConsumer,
CredentialProvider credentialProvider) throws IOException {
super(apiUrl,
login,
oauthAccessToken,
jwtToken,
password,
connector,
rateLimitHandler,
abuseLimitHandler,
@@ -116,8 +108,11 @@ class GitHubHttpUrlConnectionClient extends GitHubClient {
// if the authentication is needed but no credential is given, try it anyway (so that some calls
// that do work with anonymous access in the reduced form should still work.)
if (client.credentialProvider.getEncodedAuthorization() != null) {
connection.setRequestProperty("Authorization", client.credentialProvider.getEncodedAuthorization());
if (!request.headers().containsKey("Authorization")) {
String authorization = client.credentialProvider.getEncodedAuthorization();
if (authorization != null) {
connection.setRequestProperty("Authorization", client.credentialProvider.getEncodedAuthorization());
}
}
setRequestMethod(request.method(), connection);

73
src/main/java/org/kohsuke/github/ImmutableCredentialProvider.java
View File

@@ -4,6 +4,8 @@ import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.annotation.CheckForNull;
/**
* A {@link CredentialProvider} that always returns the same credentials
*/
@@ -24,7 +26,30 @@ public class ImmutableCredentialProvider implements CredentialProvider {
* oauthAccessToken
*/
public static CredentialProvider fromOauthToken(String oauthAccessToken) {
return new ImmutableCredentialProvider(String.format("token %s", oauthAccessToken));
return new UserCredentialProvider(String.format("token %s", oauthAccessToken));
}
/**
* Builds and returns a {@link CredentialProvider} from a given oauthAccessToken
*
* @param oauthAccessToken
* The token
* @return a correctly configured {@link CredentialProvider} that will always return the same provided
* oauthAccessToken
*/
public static CredentialProvider fromOauthToken(String oauthAccessToken, String login) {
return new UserCredentialProvider(String.format("token %s", oauthAccessToken), login);
}
/**
* Builds and returns a {@link CredentialProvider} from a given App Installation Token
*
* @param appInstallationToken
* A string containing the GitHub App installation token
* @return the configured Builder from given GitHub App installation token.
*/
public static CredentialProvider fromAppInstallationToken(String appInstallationToken) {
return fromOauthToken(appInstallationToken, "");
}
/**
@@ -47,20 +72,48 @@ public class ImmutableCredentialProvider implements CredentialProvider {
* The password for the associated user
* @return a correctly configured {@link CredentialProvider} that will always return the credentials for the same
* user and password combo
* @throws UnsupportedEncodingException
* the character encoding is not supported
* @deprecated Login with password credentials are no longer supported by GitHub
*/
public static CredentialProvider fromLoginAndPassword(String login, String password)
throws UnsupportedEncodingException {
String authorization = (String.format("%s:%s", login, password));
String charsetName = StandardCharsets.UTF_8.name();
String b64encoded = Base64.getEncoder().encodeToString(authorization.getBytes(charsetName));
String encodedAuthorization = String.format("Basic %s", b64encoded);
return new ImmutableCredentialProvider(encodedAuthorization);
@Deprecated
public static CredentialProvider fromLoginAndPassword(String login, String password) {
try {
String authorization = (String.format("%s:%s", login, password));
String charsetName = StandardCharsets.UTF_8.name();
String b64encoded = Base64.getEncoder().encodeToString(authorization.getBytes(charsetName));
String encodedAuthorization = String.format("Basic %s", b64encoded);
return new UserCredentialProvider(encodedAuthorization, login);
} catch (UnsupportedEncodingException e) {
// If UTF-8 isn't supported, there are bigger problems
throw new IllegalStateException("Could not generate encoded authorization", e);
}
}
@Override
public String getEncodedAuthorization() {
return this.authorization;
}
/**
* An internal class representing all user-related credentials, which are credentials that have a login or should
* query the user endpoint for the login matching this credential.
*/
static class UserCredentialProvider extends ImmutableCredentialProvider {
private final String login;
UserCredentialProvider(String authorization) {
this(authorization, null);
}
UserCredentialProvider(String authorization, String login) {
super(authorization);
this.login = login;
}
@CheckForNull
String getLogin() {
return login;
}
}
}

43
src/main/java/org/kohsuke/github/OrgInstallationCredentialProvider.java
View File

@@ -1,19 +1,27 @@
package org.kohsuke.github;
import java.io.IOException;
import java.util.Date;
import java.time.Duration;
import java.time.Instant;
import java.util.Objects;
import javax.annotation.Nonnull;
/**
* Provides a CredentialProvider that performs automatic token refresh.
*/
public class OrgInstallationCredentialProvider implements CredentialProvider {
private final GitHub gitHub;
private GitHub baseGitHub;
private GitHub gitHub;
private final CredentialProvider refreshProvider;
private final String organizationName;
private String latestToken;
private Date validUntil;
@Nonnull
private Instant validUntil = Instant.MIN;
/**
* Provides a CredentialProvider that performs automatic token refresh, based on an previously authenticated github
@@ -21,27 +29,38 @@ public class OrgInstallationCredentialProvider implements CredentialProvider {
*
* @param organizationName
* The name of the organization where the application is installed
* @param gitHub
* A GitHub client that must be configured with a valid JWT token
*/
public OrgInstallationCredentialProvider(String organizationName, GitHub gitHub) {
@BetaApi
@Deprecated
public OrgInstallationCredentialProvider(String organizationName, CredentialProvider credentialProvider) {
this.organizationName = organizationName;
this.gitHub = gitHub;
this.refreshProvider = credentialProvider;
}
@Override
public void bind(GitHub github) {
this.baseGitHub = github;
}
@Override
public String getEncodedAuthorization() throws IOException {
if (latestToken == null || validUntil == null || new Date().after(this.validUntil)) {
refreshToken();
synchronized (this) {
if (latestToken == null || Instant.now().isAfter(this.validUntil)) {
refreshToken();
}
return String.format("token %s", latestToken);
}
return String.format("token %s", latestToken);
}
private void refreshToken() throws IOException {
if (gitHub == null) {
gitHub = new GitHub.CredentialRefreshGitHubWrapper(this.baseGitHub, refreshProvider);
}
GHAppInstallation installationByOrganization = gitHub.getApp()
.getInstallationByOrganization(this.organizationName);
GHAppInstallationToken ghAppInstallationToken = installationByOrganization.createToken().create();
this.validUntil = ghAppInstallationToken.getExpiresAt();
this.latestToken = ghAppInstallationToken.getToken();
this.validUntil = ghAppInstallationToken.getExpiresAt().toInstant().minus(Duration.ofMinutes(5));
this.latestToken = Objects.requireNonNull(ghAppInstallationToken.getToken());
}
}

68
src/main/java/org/kohsuke/github/extras/auth/OrgInstallationCredentialProvider.java
View File

@@ -1,68 +0,0 @@
package org.kohsuke.github.extras.auth;
import org.kohsuke.github.*;
import java.io.IOException;
import java.nio.file.Paths;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.util.Date;
/**
* This helper class provides an example on how to authenticate a GitHub instance with an installation token, that will
* be automatically refreshed when required.
*/
public class OrgInstallationCredentialProvider implements CredentialProvider {
private final GitHub gitHub;
private final String organizationName;
private String latestToken;
private Date validUntil;
public OrgInstallationCredentialProvider(String organizationName, GitHub gitHub) {
this.organizationName = organizationName;
this.gitHub = gitHub;
}
/**
* Obtains a new OAuth2 token, using the configured client to request it. The configured client <b>must</b> be able
* to request the token, this usually means that it needs to have JWT authentication
*
* @throws IOException
* for any problem obtaining the token
*/
@BetaApi
@Override
@Deprecated
public String getEncodedAuthorization() throws IOException {
if (this.latestToken == null || this.validUntil == null || (new Date()).after(this.validUntil)) {
this.refreshToken();
}
return String.format("token %s", this.latestToken);
}
private void refreshToken() throws IOException {
GHAppInstallation installationByOrganization = this.gitHub.getApp()
.getInstallationByOrganization(this.organizationName);
GHAppInstallationToken ghAppInstallationToken = installationByOrganization.createToken().create();
this.validUntil = ghAppInstallationToken.getExpiresAt();
this.latestToken = ghAppInstallationToken.getToken();
}
public static GitHub getAuthenticatedClient()
throws InvalidKeySpecException, NoSuchAlgorithmException, IOException {
// Build a client that will be used to get Oauth tokens with a JWT token
GitHub jwtAuthenticatedClient = new GitHubBuilder()
.withCredentialProvider(new JWTTokenProvider("12345", Paths.get("~/github-api-app.private-key.der")))
.build();
// Build another client (the final one) that will use the Oauth token, and automatically refresh it when
// it is expired. This is the client that can either be further customized, or used directly.
return new GitHubBuilder()
.withCredentialProvider(new OrgInstallationCredentialProvider("myOrganization", jwtAuthenticatedClient))
.build();
}
}

1
src/test/java/org/kohsuke/github/AbstractGitHubWireMockTest.java
View File

@@ -100,7 +100,6 @@ public abstract class AbstractGitHubWireMockTest extends Assert {
// This sets the user and password to a placeholder for wiremock testing
// This makes the tests believe they are running with permissions
// The recorded stubs will behave like they running with permissions
builder.oauthToken = null;
builder.withPassword(STUBBED_USER_LOGIN, STUBBED_USER_PASSWORD);
}

20
src/test/java/org/kohsuke/github/GitHubConnectionTest.java
View File

@@ -65,10 +65,11 @@ public class GitHubConnectionTest extends AbstractGitHubWireMockTest {
GitHubBuilder builder = GitHubBuilder.fromEnvironment();
assertEquals("bogus", builder.user);
assertEquals("bogus", builder.oauthToken);
assertEquals("bogus", builder.password);
assertEquals("bogus", builder.jwtToken);
// TODO: figure out how to test these again
// assertEquals("bogus", builder.user);
// assertEquals("bogus", builder.oauthToken);
// assertEquals("bogus", builder.password);
// assertEquals("bogus", builder.jwtToken);
}
@@ -86,17 +87,18 @@ public class GitHubConnectionTest extends AbstractGitHubWireMockTest {
GitHubBuilder builder = GitHubBuilder
.fromEnvironment("customLogin", "customPassword", "customOauth", "customEndpoint");
assertEquals("bogusLogin", builder.user);
assertEquals("bogusOauth", builder.oauthToken);
assertEquals("bogusPassword", builder.password);
// TODO: figure out how to test these again
// assertEquals("bogusLogin", builder.user);
// assertEquals("bogusOauth", builder.oauthToken);
// assertEquals("bogusPassword", builder.password);
assertEquals("bogusEndpoint", builder.endpoint);
}
@Test
public void testGithubBuilderWithAppInstallationToken() throws Exception {
GitHubBuilder builder = new GitHubBuilder().withAppInstallationToken("bogus");
assertEquals("bogus", builder.oauthToken);
assertEquals("", builder.user);
// assertEquals("bogus", builder.oauthToken);
// assertEquals("", builder.user);
// test authorization header is set as in the RFC6749
GitHub github = builder.build();

32
src/test/java/org/kohsuke/github/OrgInstallationCredentialProviderTest.java
View File

@@ -1,32 +1,40 @@
package org.kohsuke.github;
import net.sf.ezmorph.test.ArrayAssertions;
import org.junit.Test;
import java.io.IOException;
public class OrgInstallationCredentialProviderTest extends AbstractGitHubWireMockTest {
import static org.hamcrest.CoreMatchers.equalTo;
import static org.hamcrest.CoreMatchers.notNullValue;
public class OrgInstallationCredentialProviderTest extends AbstractGHAppInstallationTest {
public OrgInstallationCredentialProviderTest() {
useDefaultGitHub = false;
}
@Test(expected = HttpException.class)
public void invalidJWTTokenRaisesException() throws IOException {
gitHub.getClient().credentialProvider = ImmutableCredentialProvider.fromJwtToken("myToken");
OrgInstallationCredentialProvider provider = new OrgInstallationCredentialProvider("testOrganization", gitHub);
OrgInstallationCredentialProvider provider = new OrgInstallationCredentialProvider("testOrganization",
ImmutableCredentialProvider.fromJwtToken("myToken"));
gitHub = getGitHubBuilder().withCredentialProvider(provider)
.withEndpoint(mockGitHub.apiServer().baseUrl())
.build();
provider.getEncodedAuthorization();
}
@Test
public void validJWTTokenAllowsOauthTokenRequest() throws IOException {
gitHub.getClient().credentialProvider = ImmutableCredentialProvider.fromJwtToken("valid-token");
OrgInstallationCredentialProvider provider = new OrgInstallationCredentialProvider("hub4j-test-org", gitHub);
OrgInstallationCredentialProvider provider = new OrgInstallationCredentialProvider("hub4j-test-org",
ImmutableCredentialProvider.fromJwtToken("bogus-valid-token"));
gitHub = getGitHubBuilder().withCredentialProvider(provider)
.withEndpoint(mockGitHub.apiServer().baseUrl())
.build();
String encodedAuthorization = provider.getEncodedAuthorization();
ArrayAssertions.assertNotNull(encodedAuthorization);
ArrayAssertions.assertEquals("token v1.9a12d913f980a45a16ac9c3a9d34d9b7sa314cb6", encodedAuthorization);
assertThat(encodedAuthorization, notNullValue());
assertThat(encodedAuthorization, equalTo("token v1.9a12d913f980a45a16ac9c3a9d34d9b7sa314cb6"));
}
}