
Commit 641eadc

committed
fix(github): scope App token to triggering repo
Reissue a scoped token in SetClient when no extra scope config is present. The initial token is created before RepositoryIDs are populated, so it has access to all repos in the installation. After ScopeTokenToListOfRepos returns empty, fall back to GetAppToken which now uses the populated RepositoryIDs. Signed-off-by: Akshay Pant <akpant@redhat.com>
1 parent 5c09648 commit 641eadc

2 files changed

Lines changed: 37 additions & 0 deletions


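--- a/pkg/provider/github/github.go
+++ b/pkg/provider/github/github.go
@@ -353,6 +353,17 @@ func (v *Provider) SetClient(ctx context.Context, run *params.Run, event *info.E
 // If Global and Repo level configurations are not provided then lets not override the provider token.
 if token != "" {
 event.Provider.Token = token
+} else if len(v.RepositoryIDs) > 0 {
+// We need to keep the token unscoped until ScopeTokenToListOfRepos so that CreateToken can
+// look up the extra repos from the configmap.
+// Token is scoped to only the calling repo if no additional scoping repos are configured
+// so that no unwanted remote tasks are executed.
+ns := info.GetNS(ctx)
+scopedToken, err := v.GetAppToken(ctx, run.Clients.Kube, event.Provider.URL, event.InstallationID, ns)
+if err != nil {
+return fmt.Errorf("failed to scope token to triggering repository: %w", err)
+}
+event.Provider.Token = scopedToken
 }
 }
 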
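Review bot: The new `else if len(v.RepositoryIDs) > 0` branch silently keeps the installation-wide token in `event.Provider.Token` whenever RepositoryIDs is empty, which is exactly the over-broad case this commit sets out to close. RepositoryIDs is filled from the webhook's `repository.id` in parse_payload.go, so a delivery that lacks that field (or yields the -1 sentinel) still runs with a token valid for every repository in the installation, and nothing records that it happened. I would make that path explicit rather than implicit — either reject it, e.g. `} else { return fmt.Errorf("no repository id available to scope the GitHub App token") }` if every event this provider handles is repository-bound (I cannot confirm that from the hunk), or at minimum log it at warning level. The unscoped token issued earlier also stays valid for its full lifetime after the scoped one replaces it; if it is retained anywhere else in `run` or `event`, revoking it through the installation-token endpoint would be worth considering. SetClient starts before and ends after this hunk.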
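--- a/pkg/provider/github/parse_payload.go
+++ b/pkg/provider/github/parse_payload.go
@@ -131,6 +131,9 @@ type Payload struct {
 Installation struct {
 ID *int64 `json:"id"`
 } `json:"installation"`
+Repository struct {
+ID *int64 `json:"id"`
+} `json:"repository"`
 }
 
 func getInstallationIDFromPayload(payload string) (int64, error) {
@@ -145,6 +148,18 @@ func getInstallationIDFromPayload(payload string) (int64, error) {
 return -1, nil
 }
 
+func getRepositoryIDFromPayload(payload string) (int64, error) {
+var data Payload
+err := json.Unmarshal([]byte(payload), &data)
+if err != nil {
+return -1, err
+}
+if data.Repository.ID != nil {
+return *data.Repository.ID, nil
+}
+return -1, nil
+}
+
 // ParsePayload will parse the payload and return the event
 // it generate the github app token targeting the installation id
 // this pieces of code is a bit messy because we need first getting a token to
@@ -189,6 +204,14 @@ func (v *Provider) ParsePayload(ctx context.Context, run *params.Run, request *h
 }
 }
 
+repoIDFromPayload, err := getRepositoryIDFromPayload(payload)
+if err != nil {
+return nil, err
+}
+if repoIDFromPayload > 0 {
+v.RepositoryIDs = []int64{repoIDFromPayload}
+}
+
 eventInt, err := github.ParseWebHook(event.EventType, []byte(payload))
 if err != nil {
 return nil, err
@@ -537,6 +560,7 @@ func (v *Provider) handleReRequestEvent(ctx context.Context, event *github.Check
 // fine because you can't do a rereq without being a github owner?
 runevent.Sender = event.GetSender().GetLogin()
 v.userType = event.GetSender().GetType()
+v.RepositoryIDs = []int64{event.GetRepo().GetID()}
 return runevent, nil
 }
 runevent.PullRequestNumber = event.GetCheckRun().GetCheckSuite().PullRequests[0].GetNumber()
@@ -584,6 +608,7 @@ func (v *Provider) handleCheckSuites(ctx context.Context, event *github.CheckSui
 // fine because you can't do a rereq without being a github owner?
 runevent.Sender = event.GetSender().GetLogin()
 v.userType = event.GetSender().GetType()
+v.RepositoryIDs = []int64{event.GetRepo().GetID()}
 return runevent, nil
 }
 runevent.PullRequestNumber = event.GetCheckSuite().PullRequests[0].GetNumber()
@@ -707,6 +732,7 @@ func (v *Provider) handleCommitCommentEvent(ctx context.Context, event *github.C
 runevent.BaseURL = runevent.HeadURL
 runevent.TriggerTarget = triggertype.Push
 v.userType = event.GetSender().GetType()
+v.RepositoryIDs = []int64{event.GetRepo().GetID()}
 
 repo, err := MatchEventURLRepo(ctx, v.Run, runevent, "")
 if err != nil {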
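Review bot: The repository id recovered in the ParsePayload hunk is stored on the provider (`v.RepositoryIDs`) rather than on the event or run, and the re-request, check-suite and commit-comment handlers overwrite that same field; if one `Provider` instance ever serves more than one webhook delivery at a time (not visible from these hunks), a later SetClient could scope its token to another delivery's repository, so either document that Provider is per-delivery or carry the ids on `event`. The payload is also unmarshalled into `Payload` twice — once in getInstallationIDFromPayload and again in the new getRepositoryIDFromPayload — before ParseWebHook parses it a third time; a single helper returning both ids would remove the duplication and keep the two extractors in step. The `repoIDFromPayload > 0` guard quietly drops the -1 sentinel, which is the case that later leaves the token unscoped, so a log line there (e.g. `run.Clients.Log.Debugf("no repository id in payload; GitHub App token will not be repo-scoped")`, assuming that logger is available) would make the fallback traceable. ParsePayload and the three handlers all start and end outside their hunks.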
