mirrors
/
sonarqube
mirror of https://github.com/SonarSource/sonarqube.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 237 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
35953 Commits
59 Branches
Tree: 29994d2a4f
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '29994d2a4f'
${ noResults }
sonarqube/server/sonar-alm-client/src/main/java/org/sonar/alm/client/github/GithubApplicationClientImpl...

GithubApplicationClientImpl.java 19KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395 
  1. /*

  2.  * SonarQube

  3.  * Copyright (C) 2009-2024 SonarSource SA

  4.  * mailto:info AT sonarsource DOT com

  5.  *

  6.  * This program is free software; you can redistribute it and/or

  7.  * modify it under the terms of the GNU Lesser General Public

  8.  * License as published by the Free Software Foundation; either

  9.  * version 3 of the License, or (at your option) any later version.

  10.  *

  11.  * This program is distributed in the hope that it will be useful,

  12.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  13.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

  14.  * Lesser General Public License for more details.

  15.  *

  16.  * You should have received a copy of the GNU Lesser General Public License

  17.  * along with this program; if not, write to the Free Software Foundation,

  18.  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

  19.  */

  20. package org.sonar.alm.client.github;

  21. 

  22. import com.google.gson.Gson;

  23. import com.google.gson.reflect.TypeToken;

  24. import java.io.IOException;

  25. import java.lang.reflect.Type;

  26. import java.net.URI;

  27. import java.util.Arrays;

  28. import java.util.HashMap;

  29. import java.util.List;

  30. import java.util.Locale;

  31. import java.util.Map;

  32. import java.util.Objects;

  33. import java.util.Optional;

  34. import java.util.Set;

  35. import java.util.function.Function;

  36. import java.util.stream.Collectors;

  37. import javax.annotation.Nullable;

  38. import org.slf4j.Logger;

  39. import org.slf4j.LoggerFactory;

  40. import org.sonar.alm.client.ApplicationHttpClient;

  41. import org.sonar.alm.client.ApplicationHttpClient.GetResponse;

  42. import org.sonar.auth.github.AppInstallationToken;

  43. import org.sonar.auth.github.GithubBinding;

  44. import org.sonar.auth.github.GithubBinding.GsonGithubRepository;

  45. import org.sonar.auth.github.GithubBinding.GsonInstallations;

  46. import org.sonar.auth.github.GithubBinding.GsonRepositorySearch;

  47. import org.sonar.auth.github.GsonRepositoryCollaborator;

  48. import org.sonar.auth.github.GsonRepositoryTeam;

  49. import org.sonar.auth.github.GithubAppConfiguration;

  50. import org.sonar.auth.github.GithubAppInstallation;

  51. import org.sonar.auth.github.security.AccessToken;

  52. import org.sonar.alm.client.github.security.AppToken;

  53. import org.sonar.alm.client.github.security.GithubAppSecurity;

  54. import org.sonar.auth.github.security.UserAccessToken;

  55. import org.sonar.alm.client.gitlab.GsonApp;

  56. import org.sonar.api.internal.apachecommons.lang.StringUtils;

  57. import org.sonar.auth.github.GitHubSettings;

  58. import org.sonar.auth.github.client.GithubApplicationClient;

  59. import org.sonar.server.exceptions.ServerException;

  60. import org.sonarqube.ws.client.HttpException;

  61. 

  62. import static com.google.common.base.Preconditions.checkArgument;

  63. import static java.lang.String.format;

  64. import static java.net.HttpURLConnection.HTTP_FORBIDDEN;

  65. import static java.net.HttpURLConnection.HTTP_INTERNAL_ERROR;

  66. import static java.net.HttpURLConnection.HTTP_OK;

  67. import static java.net.HttpURLConnection.HTTP_UNAUTHORIZED;

  68. 

  69. public class GithubApplicationClientImpl implements GithubApplicationClient {

  70.   private static final Logger LOG = LoggerFactory.getLogger(GithubApplicationClientImpl.class);

  71.   protected static final Gson GSON = new Gson();

  72. 

  73.   protected static final String WRITE_PERMISSION_NAME = "write";

  74.   protected static final String READ_PERMISSION_NAME = "read";

  75.   protected static final String FAILED_TO_REQUEST_BEGIN_MSG = "Failed to request ";

  76.   private static final TypeToken<List<GsonRepositoryTeam>> REPOSITORY_TEAM_LIST_TYPE = new TypeToken<>() {

  77.   };

  78.   private static final TypeToken<List<GsonRepositoryCollaborator>> REPOSITORY_COLLABORATORS_LIST_TYPE = new TypeToken<>() {

  79.   };

  80.   private static final TypeToken<List<GithubBinding.GsonInstallation>> ORGANIZATION_LIST_TYPE = new TypeToken<>() {

  81.   };

  82.   protected final GithubApplicationHttpClient githubApplicationHttpClient;

  83.   protected final GithubAppSecurity appSecurity;

  84.   private final GitHubSettings gitHubSettings;

  85.   private final GithubPaginatedHttpClient githubPaginatedHttpClient;

  86. 

  87.   public GithubApplicationClientImpl(GithubApplicationHttpClient githubApplicationHttpClient, GithubAppSecurity appSecurity, GitHubSettings gitHubSettings,

  88.     GithubPaginatedHttpClient githubPaginatedHttpClient) {

  89.     this.githubApplicationHttpClient = githubApplicationHttpClient;

  90.     this.appSecurity = appSecurity;

  91.     this.gitHubSettings = gitHubSettings;

  92.     this.githubPaginatedHttpClient = githubPaginatedHttpClient;

  93.   }

  94. 

  95.   private static void checkPageArgs(int page, int pageSize) {

  96.     checkArgument(page > 0, "'page' must be larger than 0.");

  97.     checkArgument(pageSize > 0 && pageSize <= 100, "'pageSize' must be a value larger than 0 and smaller or equal to 100.");

  98.   }

  99. 

  100.   @Override

  101.   public Optional<AppInstallationToken> createAppInstallationToken(GithubAppConfiguration githubAppConfiguration, long installationId) {

  102.     AppToken appToken = appSecurity.createAppToken(githubAppConfiguration.getId(), githubAppConfiguration.getPrivateKey());

  103.     String endPoint = "/app/installations/" + installationId + "/access_tokens";

  104.     return post(githubAppConfiguration.getApiEndpoint(), appToken, endPoint, GithubBinding.GsonInstallationToken.class)

  105.       .map(GithubBinding.GsonInstallationToken::getToken)

  106.       .filter(Objects::nonNull)

  107.       .map(AppInstallationToken::new);

  108.   }

  109. 

  110.   private <T> Optional<T> post(String baseUrl, AccessToken token, String endPoint, Class<T> gsonClass) {

  111.     try {

  112.       ApplicationHttpClient.Response response = githubApplicationHttpClient.post(baseUrl, token, endPoint);

  113.       return handleResponse(response, endPoint, gsonClass);

  114.     } catch (Exception e) {

  115.       LOG.warn(FAILED_TO_REQUEST_BEGIN_MSG + endPoint, e);

  116.       return Optional.empty();

  117.     }

  118.   }

  119. 

  120.   @Override

  121.   public void checkApiEndpoint(GithubAppConfiguration githubAppConfiguration) {

  122.     if (StringUtils.isBlank(githubAppConfiguration.getApiEndpoint())) {

  123.       throw new IllegalArgumentException("Missing URL");

  124.     }

  125. 

  126.     URI apiEndpoint;

  127.     try {

  128.       apiEndpoint = URI.create(githubAppConfiguration.getApiEndpoint());

  129.     } catch (IllegalArgumentException e) {

  130.       throw new IllegalArgumentException("Invalid URL, " + e.getMessage());

  131.     }

  132. 

  133.     if (!"http".equalsIgnoreCase(apiEndpoint.getScheme()) && !"https".equalsIgnoreCase(apiEndpoint.getScheme())) {

  134.       throw new IllegalArgumentException("Only http and https schemes are supported");

  135.     } else if (!"api.github.com".equalsIgnoreCase(apiEndpoint.getHost()) && !apiEndpoint.getPath().toLowerCase(Locale.ENGLISH).startsWith("/api/v3")) {

  136.       throw new IllegalArgumentException("Invalid GitHub URL");

  137.     }

  138.   }

  139. 

  140.   @Override

  141.   public void checkAppPermissions(GithubAppConfiguration githubAppConfiguration) {

  142.     AppToken appToken = appSecurity.createAppToken(githubAppConfiguration.getId(), githubAppConfiguration.getPrivateKey());

  143. 

  144.     Map<String, String> permissions = new HashMap<>();

  145.     permissions.put("checks", WRITE_PERMISSION_NAME);

  146.     permissions.put("pull_requests", WRITE_PERMISSION_NAME);

  147.     permissions.put("metadata", READ_PERMISSION_NAME);

  148. 

  149.     String endPoint = "/app";

  150.     GetResponse response;

  151.     try {

  152.       response = githubApplicationHttpClient.get(githubAppConfiguration.getApiEndpoint(), appToken, endPoint);

  153.     } catch (IOException e) {

  154.       LOG.warn(FAILED_TO_REQUEST_BEGIN_MSG + githubAppConfiguration.getApiEndpoint() + endPoint, e);

  155.       throw new IllegalArgumentException("Failed to validate configuration, check URL and Private Key");

  156.     }

  157.     if (response.getCode() == HTTP_OK) {

  158.       Map<String, String> perms = handleResponse(response, endPoint, GsonApp.class)

  159.         .map(GsonApp::getPermissions)

  160.         .orElseThrow(() -> new IllegalArgumentException("Failed to get app permissions, unexpected response body"));

  161.       List<String> missingPermissions = permissions.entrySet().stream()

  162.         .filter(permission -> !Objects.equals(permission.getValue(), perms.get(permission.getKey())))

  163.         .map(Map.Entry::getKey)

  164.         .toList();

  165. 

  166.       if (!missingPermissions.isEmpty()) {

  167.         String message = missingPermissions.stream()

  168.           .map(perm -> perm + " is '" + perms.get(perm) + "', should be '" + permissions.get(perm) + "'")

  169.           .collect(Collectors.joining(", "));

  170. 

  171.         throw new IllegalArgumentException("Missing permissions; permission granted on " + message);

  172.       }

  173.     } else if (response.getCode() == HTTP_UNAUTHORIZED || response.getCode() == HTTP_FORBIDDEN) {

  174.       throw new IllegalArgumentException("Authentication failed, verify the Client Id, Client Secret and Private Key fields");

  175.     } else {

  176.       throw new IllegalArgumentException("Failed to check permissions with Github, check the configuration");

  177.     }

  178.   }

  179. 

  180.   @Override

  181.   public Optional<Long> getInstallationId(GithubAppConfiguration githubAppConfiguration, String repositorySlug) {

  182.     AppToken appToken = appSecurity.createAppToken(githubAppConfiguration.getId(), githubAppConfiguration.getPrivateKey());

  183.     String endpoint = String.format("/repos/%s/installation", repositorySlug);

  184.     return get(githubAppConfiguration.getApiEndpoint(), appToken, endpoint, GithubBinding.GsonInstallation.class)

  185.       .map(GithubBinding.GsonInstallation::getId)

  186.       .filter(installationId -> installationId != 0L);

  187.   }

  188. 

  189.   @Override

  190.   public Organizations listOrganizations(String appUrl, AccessToken accessToken, int page, int pageSize) {

  191.     checkPageArgs(page, pageSize);

  192. 

  193.     try {

  194.       Organizations organizations = new Organizations();

  195.       GetResponse response = githubApplicationHttpClient.get(appUrl, accessToken, String.format("/user/installations?page=%s&per_page=%s", page, pageSize));

  196.       Optional<GsonInstallations> gsonInstallations = response.getContent().map(content -> GSON.fromJson(content, GsonInstallations.class));

  197. 

  198.       if (!gsonInstallations.isPresent()) {

  199.         return organizations;

  200.       }

  201. 

  202.       organizations.setTotal(gsonInstallations.get().getTotalCount());

  203.       if (gsonInstallations.get().getInstallations() != null) {

  204.         organizations.setOrganizations(gsonInstallations.get().getInstallations().stream()

  205.           .map(gsonInstallation -> new Organization(gsonInstallation.getAccount().getId(), gsonInstallation.getAccount().getLogin(), null, null, null, null, null,

  206.             gsonInstallation.getTargetType()))

  207.           .toList());

  208.       }

  209. 

  210.       return organizations;

  211.     } catch (IOException e) {

  212.       throw new IllegalStateException(format("Failed to list all organizations accessible by user access token on %s", appUrl), e);

  213.     }

  214.   }

  215. 

  216.   @Override

  217.   public List<GithubAppInstallation> getWhitelistedGithubAppInstallations(GithubAppConfiguration githubAppConfiguration) {

  218.     List<GithubBinding.GsonInstallation> gsonAppInstallations = fetchAppInstallationsFromGithub(githubAppConfiguration);

  219.     Set<String> allowedOrganizations = gitHubSettings.getOrganizations();

  220.     return convertToGithubAppInstallationAndFilterWhitelisted(gsonAppInstallations, allowedOrganizations);

  221.   }

  222. 

  223.   private static List<GithubAppInstallation> convertToGithubAppInstallationAndFilterWhitelisted(List<GithubBinding.GsonInstallation> gsonAppInstallations,

  224.     Set<String> allowedOrganizations) {

  225.     return gsonAppInstallations.stream()

  226.       .filter(appInstallation -> appInstallation.getAccount().getType().equalsIgnoreCase("Organization"))

  227.       .map(GithubApplicationClientImpl::toGithubAppInstallation)

  228.       .filter(appInstallation -> isOrganizationWhiteListed(allowedOrganizations, appInstallation.organizationName()))

  229.       .toList();

  230.   }

  231. 

  232.   private static GithubAppInstallation toGithubAppInstallation(GithubBinding.GsonInstallation gsonInstallation) {

  233.     return new GithubAppInstallation(

  234.       Long.toString(gsonInstallation.getId()),

  235.       gsonInstallation.getAccount().getLogin(),

  236.       gsonInstallation.getPermissions(),

  237.       org.apache.commons.lang.StringUtils.isNotEmpty(gsonInstallation.getSuspendedAt()));

  238.   }

  239. 

  240.   private static boolean isOrganizationWhiteListed(Set<String> allowedOrganizations, String organizationName) {

  241.     return allowedOrganizations.isEmpty() || allowedOrganizations.contains(organizationName);

  242.   }

  243. 

  244.   private List<GithubBinding.GsonInstallation> fetchAppInstallationsFromGithub(GithubAppConfiguration githubAppConfiguration) {

  245.     AppToken appToken = appSecurity.createAppToken(githubAppConfiguration.getId(), githubAppConfiguration.getPrivateKey());

  246.     String endpoint = "/app/installations";

  247. 

  248.     return executePaginatedQuery(githubAppConfiguration.getApiEndpoint(), appToken, endpoint, resp -> GSON.fromJson(resp, ORGANIZATION_LIST_TYPE));

  249.   }

  250. 

  251.   protected <T> Optional<T> get(String baseUrl, AccessToken token, String endPoint, Class<T> gsonClass) {

  252.     try {

  253.       GetResponse response = githubApplicationHttpClient.get(baseUrl, token, endPoint);

  254.       return handleResponse(response, endPoint, gsonClass);

  255.     } catch (Exception e) {

  256.       LOG.warn(FAILED_TO_REQUEST_BEGIN_MSG + endPoint, e);

  257.       return Optional.empty();

  258.     }

  259.   }

  260. 

  261.   @Override

  262.   public Repositories listRepositories(String appUrl, AccessToken accessToken, String organization, @Nullable String query, int page, int pageSize) {

  263.     checkPageArgs(page, pageSize);

  264.     String searchQuery = "fork:true+org:" + organization;

  265.     if (query != null) {

  266.       searchQuery = query.replace(" ", "+") + "+" + searchQuery;

  267.     }

  268.     try {

  269.       Repositories repositories = new Repositories();

  270.       GetResponse response = githubApplicationHttpClient.get(appUrl, accessToken, String.format("/search/repositories?q=%s&page=%s&per_page=%s", searchQuery, page, pageSize));

  271.       Optional<GsonRepositorySearch> gsonRepositories = response.getContent().map(content -> GSON.fromJson(content, GsonRepositorySearch.class));

  272.       if (!gsonRepositories.isPresent()) {

  273.         return repositories;

  274.       }

  275. 

  276.       repositories.setTotal(gsonRepositories.get().getTotalCount());

  277. 

  278.       if (gsonRepositories.get().getItems() != null) {

  279.         repositories.setRepositories(gsonRepositories.get().getItems().stream()

  280.           .map(GsonGithubRepository::toRepository)

  281.           .toList());

  282.       }

  283. 

  284.       return repositories;

  285.     } catch (Exception e) {

  286.       throw new IllegalStateException(format("Failed to list all repositories of '%s' accessible by user access token on '%s' using query '%s'", organization, appUrl, searchQuery),

  287.         e);

  288.     }

  289.   }

  290. 

  291.   @Override

  292.   public Optional<Repository> getRepository(String appUrl, AccessToken accessToken, String organizationAndRepository) {

  293.     try {

  294.       GetResponse response = githubApplicationHttpClient.get(appUrl, accessToken, String.format("/repos/%s", organizationAndRepository));

  295.       return Optional.of(response)

  296.         .filter(r -> r.getCode() == HTTP_OK)

  297.         .flatMap(ApplicationHttpClient.Response::getContent)

  298.         .map(content -> GSON.fromJson(content, GsonGithubRepository.class))

  299.         .map(GsonGithubRepository::toRepository);

  300.     } catch (Exception e) {

  301.       throw new IllegalStateException(format("Failed to get repository '%s' on '%s' (this might be related to the GitHub App installation scope)",

  302.         organizationAndRepository, appUrl), e);

  303.     }

  304.   }

  305. 

  306.   @Override

  307.   public UserAccessToken createUserAccessToken(String appUrl, String clientId, String clientSecret, String code) {

  308.     try {

  309.       String endpoint = "/login/oauth/access_token?client_id=" + clientId + "&client_secret=" + clientSecret + "&code=" + code;

  310. 

  311.       String baseAppUrl;

  312.       int apiIndex = appUrl.indexOf("/api/v3");

  313.       if (apiIndex > 0) {

  314.         baseAppUrl = appUrl.substring(0, apiIndex);

  315.       } else if (appUrl.startsWith("https://api.github.com")) {

  316.         baseAppUrl = "https://github.com";

  317.       } else {

  318.         baseAppUrl = appUrl;

  319.       }

  320. 

  321.       ApplicationHttpClient.Response response = githubApplicationHttpClient.post(baseAppUrl, null, endpoint);

  322. 

  323.       if (response.getCode() != HTTP_OK) {

  324.         throw new IllegalStateException("Failed to create GitHub's user access token. GitHub returned code " + code + ". " + response.getContent().orElse(""));

  325.       }

  326. 

  327.       Optional<String> content = response.getContent();

  328.       Optional<UserAccessToken> accessToken = content.flatMap(c -> Arrays.stream(c.split("&"))

  329.           .filter(t -> t.startsWith("access_token="))

  330.           .map(t -> t.split("=")[1])

  331.           .findAny())

  332.         .map(UserAccessToken::new);

  333. 

  334.       if (accessToken.isPresent()) {

  335.         return accessToken.get();

  336.       }

  337. 

  338.       // If token is not in the 200's body, it's because the client ID or client secret are incorrect

  339.       LOG.error("Failed to create GitHub's user access token. GitHub's response: {}", content);

  340.       throw new IllegalArgumentException();

  341.     } catch (IOException e) {

  342.       throw new IllegalStateException("Failed to create GitHub's user access token", e);

  343.     }

  344.   }

  345. 

  346.   @Override

  347.   public GithubBinding.GsonApp getApp(GithubAppConfiguration githubAppConfiguration) {

  348.     AppToken appToken = appSecurity.createAppToken(githubAppConfiguration.getId(), githubAppConfiguration.getPrivateKey());

  349.     String endpoint = "/app";

  350.     return getOrThrowIfNotHttpOk(githubAppConfiguration.getApiEndpoint(), appToken, endpoint, GithubBinding.GsonApp.class);

  351.   }

  352. 

  353.   private <T> T getOrThrowIfNotHttpOk(String baseUrl, AccessToken token, String endPoint, Class<T> gsonClass) {

  354.     try {

  355.       GetResponse response = githubApplicationHttpClient.get(baseUrl, token, endPoint);

  356.       if (response.getCode() != HTTP_OK) {

  357.         throw new HttpException(baseUrl + endPoint, response.getCode(), response.getContent().orElse(""));

  358.       }

  359.       return handleResponse(response, endPoint, gsonClass).orElseThrow(() -> new ServerException(HTTP_INTERNAL_ERROR, "Http response withuot content"));

  360.     } catch (IOException e) {

  361.       throw new ServerException(HTTP_INTERNAL_ERROR, e.getMessage());

  362.     }

  363.   }

  364. 

  365.   protected static <T> Optional<T> handleResponse(ApplicationHttpClient.Response response, String endPoint, Class<T> gsonClass) {

  366.     try {

  367.       return response.getContent().map(c -> GSON.fromJson(c, gsonClass));

  368.     } catch (Exception e) {

  369.       LOG.warn(FAILED_TO_REQUEST_BEGIN_MSG + endPoint, e);

  370.       return Optional.empty();

  371.     }

  372.   }

  373. 

  374.   @Override

  375.   public Set<GsonRepositoryTeam> getRepositoryTeams(String appUrl, AccessToken accessToken, String orgName, String repoName) {

  376.     return Set

  377.       .copyOf(executePaginatedQuery(appUrl, accessToken, format("/repos/%s/%s/teams", orgName, repoName), resp -> GSON.fromJson(resp, REPOSITORY_TEAM_LIST_TYPE)));

  378.   }

  379. 

  380.   @Override

  381.   public Set<GsonRepositoryCollaborator> getRepositoryCollaborators(String appUrl, AccessToken accessToken, String orgName, String repoName) {

  382.     return Set

  383.       .copyOf(

  384.         executePaginatedQuery(

  385.           appUrl,

  386.           accessToken,

  387.           format("/repos/%s/%s/collaborators?affiliation=direct", orgName, repoName),

  388.           resp -> GSON.fromJson(resp, REPOSITORY_COLLABORATORS_LIST_TYPE)));

  389.   }

  390. 

  391.   private <E> List<E> executePaginatedQuery(String appUrl, AccessToken token, String query, Function<String, List<E>> responseDeserializer) {

  392.     return githubPaginatedHttpClient.get(appUrl, token, query, responseDeserializer);

  393.   }

  394. 

  395. }