Add VerifyProviderTokenIdentity to the GitHubProviderService
jhrozek committed May 21, 2024
1 parent 984f168 commit 5e0c1bf
Showing 3 changed files with 67 additions and 0 deletions.
14 changes: 14 additions & 0 deletions internal/providers/github/service/mock/service.go


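--- a/internal/providers/github/service/service.go
+++ b/internal/providers/github/service/service.go
@@ -68,6 +68,7 @@ type GitHubProviderService interface {
 ValidateGitHubAppWebhookPayload(r *http.Request) (payload []byte, err error)
 // DeleteInstallation deletes the installation from GitHub, if the provider has an associated installation
 DeleteInstallation(ctx context.Context, providerID uuid.UUID) error
+VerifyProviderTokenIdentity(ctx context.Context, remoteUser string, accessToken string) error
 }
 
 // TypeGitHubOrganization is the type returned from the GitHub API when the owner is an organization
@@ -495,6 +496,22 @@ func verifyProviderTokenIdentity(
 return nil
 }
 
+func (p *ghProviderService) VerifyProviderTokenIdentity(ctx context.Context, remoteUser string, accessToken string) error {
+credential := credentials.NewGitHubTokenCredential(accessToken)
+
+// owner is empty, as per original logic
+_, delegate, err := p.ghClientFactory.BuildOAuthClient("", credential, "")
+if err != nil {
+return fmt.Errorf("unable to create github client: %w", err)
+}
+
+if err := verifyProviderTokenIdentity(ctx, remoteUser, delegate); err != nil {
+return fmt.Errorf("error verifying provider token identity: %w", ErrInvalidTokenIdentity)
+}
+
+return nil
+}
+
 func (p *ghProviderService) getInstallationOwner(ctx context.Context, installationID int64) (*github.User, error) {
 privateKey, err := p.config.GitHubApp.GetPrivateKey()
 if err != nil {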
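Review bot: The final wrap in VerifyProviderTokenIdentity discards the error returned by verifyProviderTokenIdentity — `err` is tested but only ErrInvalidTokenIdentity is wrapped — so a GitHub API failure while resolving the token's user (rate limit, network, revoked token) is reported to callers as an identity mismatch and the root cause never reaches the logs. Assuming the module targets Go 1.20 or later, keep both: `return fmt.Errorf("error verifying provider token identity: %w: %w", ErrInvalidTokenIdentity, err)`; on older Go, `%w: %v` with `err` as the second argument at least preserves the text. Whether verifyProviderTokenIdentity itself separates a lookup failure from a mismatch is not visible here (its body starts above the hunk), so this caller-side change is what can be proposed from this view. Separately, the new exported method and its interface entry carry no doc comment, unlike DeleteInstallation just above; `// VerifyProviderTokenIdentity checks that accessToken belongs to the GitHub account identified by remoteUser, returning ErrInvalidTokenIdentity when it does not.` on both would follow the file's convention.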
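--- a/internal/providers/github/service/service_test.go
+++ b/internal/providers/github/service/service_test.go
@@ -46,6 +46,7 @@ import (
 mockcrypto "github.com/stacklok/minder/internal/crypto/mock"
 "github.com/stacklok/minder/internal/db"
 "github.com/stacklok/minder/internal/db/embedded"
+"github.com/stacklok/minder/internal/providers/credentials"
 "github.com/stacklok/minder/internal/providers/github/clients"
 mockclients "github.com/stacklok/minder/internal/providers/github/clients/mock"
 mockgh "github.com/stacklok/minder/internal/providers/github/mock"
@@ -242,6 +243,41 @@ func TestProviderService_CreateGitHubOAuthProvider(t *testing.T) {
 require.Equal(t, dbTokenUpdate[0].EnrollmentNonce, sql.NullString{String: stateNonceUpdate, Valid: true})
 }
 
+func TestProviderService_VerifyProviderTokenIdentity(t *testing.T) {
+t.Parallel()
+
+const (
+accountID = 456
+accessToken = "my-access-token"
+)
+
+ctrl := gomock.NewController(t)
+defer ctrl.Finish()
+
+ghCredential := credentials.NewGitHubTokenCredential(accessToken)
+
+delegate := mockgh.NewMockDelegate(ctrl)
+clientFactory := mockclients.NewMockGitHubClientFactory(ctrl)
+
+clientFactory.EXPECT().
+BuildOAuthClient(gomock.Any(), ghCredential, gomock.Any()).
+Return(nil, delegate, nil).AnyTimes()
+
+delegate.EXPECT().
+GetUserId(gomock.Any()).
+Return(int64(accountID), nil).AnyTimes()
+
+cfg := &server.ProviderConfig{}
+
+provSvc, _ := testNewGitHubProviderService(t, ctrl, cfg, nil, clientFactory)
+
+err := provSvc.VerifyProviderTokenIdentity(context.Background(), "456", accessToken)
+require.NoError(t, err)
+
+err = provSvc.VerifyProviderTokenIdentity(context.Background(), "123", accessToken)
+require.ErrorIs(t, err, ErrInvalidTokenIdentity)
+}
+
 func TestProviderService_CreateGitHubAppProvider(t *testing.T) {
 t.Parallel()
 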
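Review bot: TestProviderService_VerifyProviderTokenIdentity only exercises a delegate whose GetUserId succeeds, so nothing pins what the method returns when the user lookup itself fails — precisely the case where the production code folds every failure into ErrInvalidTokenIdentity and a regression would go unnoticed. A further case, for example a subtest with its own controller where `GetUserId` is stubbed to `Return(int64(0), errors.New("lookup failed"))`, asserting the error callers are meant to see, would document that contract. The `.AnyTimes()` on both expectations also means a service that never consulted GitHub at all would still pass the "456" call; `.Times(2)` on each expectation (the test makes exactly two calls) would assert the token is actually checked. Minor: recent gomock releases register Finish through t.Cleanup when the controller is built with NewController(t), which would make the explicit `defer ctrl.Finish()` redundant — this depends on the version in go.mod, which is not visible here.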
