Merge pull request #58 from OpenRailAssociation/support-app-auth

Author: mxmehl

README.md

@@ -54,6 +54,20 @@ Inside [`config/example`](./config/example), you can find an example configurati
 
 You may also be interested in the [live configuration of the OpenRail Association's organization](https://github.com/OpenRailAssociation/openrail-org-config).
 
+### Authentication via token or app
+
+As this tool issues many API requests (both on REST and GraphQL API), authentication is highly recommended. This is supported via personal access tokens of a user (PAT) or a GitHub App which you can setup yourself.
+
+Access tokens and apps need the following permissions:
+* Repository permissions
+  * Administration: read and write
+  * Metadata: read
+* Organization permissions:
+  * Administration: read and write
+  * Members: read and write
+
+You can set the required secrets in `config/app.yaml` or via environment variables (`GITHUB_TOKEN` or `GITHUB_APP_ID` and `GITHUB_APP_PRIVATE_KEY`).
+
 ## Run the program
 
 You can execute the program using the command `gh-org-mgr`. `gh-org-mgr --help` shows all available arguments and options.

config/example/app.yaml

@@ -7,3 +7,34 @@
 
 # Personal Oauth access token with required scopes
 github_token: ghp_abcdefg123
+
+# GitHub App (if this is set, the personal access token (github_token) will be ignored)
+github_app_id: 123456
+github_app_private_key: |
+  -----BEGIN RSA PRIVATE KEY-----
+  THIS IS JUST AN EXAMPLE KEY, DO NOT USE IT IN PRODUCTION 1234567
+  MIIEowIBAAKCAQEAxkYIq1pp+OH+KTa9ZSAyY0PysSZEoZyXFnwWXLhi7ZDP6pPH
+  9zUg+iVlSeEd2ZOwyBnfpWHG12QAFmbjojpcDT1mlkqv7N7YGS0z8kTp3DfgKBAd
+  Uq0V8BvTubM78NClF4xQmWodfv0hjLmArWLP4cHKPnl1I5Ml7yPUtdwm9wEFT0oe
+  QE7rnEgN8UFbjT4FQg4JvwKUNZsHfPetrXlSOyjztNE8wsRahCvzAaqUv+L//Y8I
+  fX2wUW3A97TzpfiKrPXpb8u84Er7n8cHVSTiMWhksgnQZ4ymk3bLYjNyCN+gln6t
+  qKtbsbynx77m0Q/ykYauWIfxPRBOLbEgmh9/bwIDAQABAoIBACGvOD3USHit/D4I
+  PLj3dVgD7TFHbRV/wvNg9XOfJ79wgMI7hRdsgUO+Iq0gf6+9NaVpL+Oq7tsc9B7a
+  MAYZoBXnvov9+FFnspLkaRTZvFlbbMuhoTmwii+Wqqu71Y0eBU4w2miV7JjsbEy6
+  HzBVvzd9ctyWSd5XW3R7Q+H5mu0PhLKSaHnYitJs0OajFjHg9q28gQ9olnemkaDr
+  IFOevK7LWWDEkvhV/ZyxnL+v/9oCSxgBVgmMGPe2aFHQ9Ej4cHiTrOxFvXH8D3LU
+  jaIcNQ6NA3FWBYFADKA3wY46W8NmUSt3qgQDZttydu3RMzbukGYJ3W6nP9TxLrVE
+  Yu2xIaEML8rCzUIUvwEKlADlkpr5Lz9d92NzhVndIps3FW5UFTHTz0G3fvIHNGWv
+  IPTZDNQWVs3OI1xtMQV2MGPeDINNn3Wg3WIJxMn7zXnFlLxm0vhKEPcCgYEA1vMH
+  f3NBdk9u1IclV+4dCYF7Par9ypcPE4DEutF4gtZu8pDBVmkxaqxXMS5LK++DIhQs
+  YxRhwydMK2n+cYl9bvs9MdMxMh6ZdBVOVLcSL24CzCDSTjeKVmL26j3TTNq6Mi8P
+  A/rG7CWaIDRMd4AuZZmR5M71BVy4rubK4CyzX0kCgYEAzg95WaMbMjyoYW/qjTzZ
+  7XMxtsIjIQKNDIywVRsJZGb8UKmtCdoJEAoFCSiE/ut7xCvG+MpK1c5WhvFPQyiT
+  sf6J3zME4l752Wy2WOxrPa/GFTPUj6ewBB1FjolAmSzsljTgX+e5NA7hxJ+Ly/uU
+  jbswdRYg8jQx81HYlH7v+w8CgYB6noUmdY9geIvW/YmWEaXK6Gxvj33b9jSJgam4
+  kQpYSQ9dnKpOKxAftFTBH5GObMG3zR5NHzFt7JsNIRgfmLlPeE8+fyXPW5lamVTo
+  Cs968xzxab/PEuv9v9LvaXmCnDwfqKy+Lm8QA5tax7rfaOYO235Ysp8gAfbw/4O4
+  QofI0QKBgAxXAlq/AfqpZHrz5B9V0EsnaIiSiDbFr6RVhoGN3zF4ObExee2MOmqA
+  D9zgrlJ8D4bxPrwDrCuXHY7s/1/uCX3K+mS7CWpybOcJY4XzsNznOYcMQzw22fxl
+  u1ioG/s3Ahhd778VIjj5d32Xbjj8vbSFj8vJe5bBNblYbelWfETg
+  -----END RSA PRIVATE KEY-----

gh_org_mgr/_gh_api.py

@@ -13,20 +13,15 @@
 import requests
 
 
-def get_github_token(token: str = "") -> str:
-    """Get the GitHub token from config or environment, while environment overrides"""
-    if "GITHUB_TOKEN" in os.environ and os.environ["GITHUB_TOKEN"]:
-        logging.debug("GitHub Token taken from environment variable GITHUB_TOKEN")
-        token = os.environ["GITHUB_TOKEN"]
-    elif token:
-        logging.debug("GitHub Token taken from app configuration file")
-    else:
-        sys.exit(
-            "No token set for GitHub authentication! Set it in config/app_config.yaml "
-            "or via environment variable GITHUB_TOKEN"
-        )
-
-    return token
+def get_github_secrets_from_env(env_variable: str, secret: str | int) -> str:
+    """Get GitHub secrets from config or environment, while environment overrides"""
+    if env_variable in os.environ and os.environ[env_variable]:
+        logging.debug("GitHub secret taken from environment variable %s", env_variable)
+        secret = os.environ[env_variable]
+    elif secret:
+        logging.debug("GitHub secret taken from app configuration file")
+
+    return str(secret)
 
 
 # Function to execute GraphQL query
@@ -51,10 +46,12 @@ def run_graphql_query(query, variables, token):
         return json_return
 
     # Debug information in case of errors
-    print(
-        f"Query failed with HTTP error code '{request.status_code}' when running "
-        f"this query: {query}\n"
-        f"Return: {json_return}\n"
-        f"Headers: {request.headers}"
+    logging.error(
+        "Query failed with HTTP error code '%s' when running this query: %s\n"
+        "Return: %s\nHeaders: %s",
+        request.status_code,
+        query,
+        json_return,
+        request.headers,
     )
     sys.exit(1)

gh_org_mgr/_gh_org.py

@@ -8,13 +8,19 @@
 import sys
 from dataclasses import asdict, dataclass, field
 
-from github import Github, GithubException, UnknownObjectException
+from github import (
+    Auth,
+    Github,
+    GithubException,
+    GithubIntegration,
+    UnknownObjectException,
+)
 from github.NamedUser import NamedUser
 from github.Organization import Organization
 from github.Repository import Repository
 from github.Team import Team
 
-from ._gh_api import get_github_token, run_graphql_query
+from ._gh_api import get_github_secrets_from_env, run_graphql_query
 
 
 @dataclass
@@ -24,6 +30,8 @@ class GHorg:  # pylint: disable=too-many-instance-attributes, too-many-lines
     gh: Github = None  # type: ignore
     org: Organization = None  # type: ignore
     gh_token: str = ""
+    gh_app_id: str | int = ""
+    gh_app_private_key: str = ""
     default_repository_permission: str = ""
     current_org_owners: list[NamedUser] = field(default_factory=list)
     configured_org_owners: list[str] = field(default_factory=list)
@@ -56,18 +64,39 @@ def _sluggify_teamname(self, team: str) -> str:
         # supported, or multiple spaces etc.
         return team.replace(" ", "-")
 
-    def login(self, orgname: str, token: str) -> None:
-        """Login to GH, gather org data"""
-        self.gh_token = get_github_token(token)
-        self.gh = Github(self.gh_token)
-        logging.debug("Logged in as %s", self.gh.get_user().login)
+    def login(
+        self, orgname: str, token: str = "", app_id: str | int = "", app_private_key: str = ""
+    ) -> None:
+        """Login to GH via PAT or App, gather org data"""
+        # Get all login data from config and environment
+        self.gh_token = get_github_secrets_from_env(env_variable="GITHUB_TOKEN", secret=token)
+        self.gh_app_id = get_github_secrets_from_env(env_variable="GITHUB_APP_ID", secret=app_id)
+        self.gh_app_private_key = get_github_secrets_from_env(
+            env_variable="GITHUB_APP_PRIVATE_KEY", secret=app_private_key
+        )
+
+        # Decide how to login. If app set, prefer this
+        if self.gh_app_id and self.gh_app_private_key:
+            logging.debug("Logged in via app %s", self.gh_app_id)
+            auth = Auth.AppAuth(app_id=self.gh_app_id, private_key=self.gh_app_private_key)
+            app = GithubIntegration(auth=auth)
+            installation = app.get_installations()[0]
+            self.gh = installation.get_github_for_installation()
+        elif self.gh_token:
+            logging.debug("Logging in as user with PAT")
+            self.gh = Github(auth=Auth.Token(self.gh_token))
+            logging.debug("Logged in as %s", self.gh.get_user().login)
+        else:
+            logging.error("No GitHub token or App ID+private key provided")
+            sys.exit(1)
+
         self.org = self.gh.get_organization(orgname)
         logging.debug("Gathered data from organization '%s' (%s)", self.org.login, self.org.name)
 
     def ratelimit(self):
-        """Get current rate limit"""
+        """Print current rate limit"""
         core = self.gh.get_rate_limit().core
-        logging.debug(
+        logging.info(
             "Current rate limit: %s/%s (reset: %s)", core.remaining, core.limit, core.reset
         )
 
@@ -917,7 +946,7 @@ def _fetch_collaborators_of_repo(self, repo: Repository):
         permissions using the GraphQL API"""
         # TODO: Consider doing this for all repositories at once, but calculate
         # costs beforehand
-        query = """
+        graphql_query = """
             query($owner: String!, $name: String!, $cursor: String) {
                 repository(owner: $owner, name: $name) {
                     collaborators(first: 100, after: $cursor) {
@@ -944,7 +973,7 @@ def _fetch_collaborators_of_repo(self, repo: Repository):
 
         while has_next_page:
             logging.debug("Requesting collaborators for %s", repo.name)
-            result = run_graphql_query(query, variables, self.gh_token)
+            result = run_graphql_query(graphql_query, variables, self.gh_token)
             try:
                 collaborators.extend(result["data"]["repository"]["collaborators"]["edges"])
                 has_next_page = result["data"]["repository"]["collaborators"]["pageInfo"][