Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: 5c22447c13
Branches Tags
helm-externa...
/
pkg
/
generator
/
github
/
github.go

github.go 4.7 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6.     http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package github
    16. 

  16. 

  17. import (
    18. 

  18. 	"context"
    19. 

  19. 	"crypto/rsa"
    20. 

  20. 	"encoding/json"
    21. 

  21. 	"errors"
    22. 

  22. 	"fmt"
    23. 

  23. 	"net/http"
    24. 

  24. 	"time"
    25. 

  25. 

  26. 	"github.com/golang-jwt/jwt/v5"
    27. 

  27. 	corev1 "k8s.io/api/core/v1"
    28. 

  28. 	apiextensions "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
    29. 

  29. 	"sigs.k8s.io/controller-runtime/pkg/client"
    30. 

  30. 	"sigs.k8s.io/yaml"
    31. 

  31. 

  32. 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
    33. 

  33. )
    34. 

  34. 

  35. type Generator struct {
    36. 

  36. 	httpClient *http.Client
    37. 

  37. }
    38. 

  38. 

  39. type Github struct {
    40. 

  40. 	HTTP       *http.Client
    41. 

  41. 	Kube       client.Client
    42. 

  42. 	Namespace  string
    43. 

  43. 	URL        string
    44. 

  44. 	InstallTkn string
    45. 

  45. }
    46. 

  46. 

  47. const (
    48. 

  48. 	defaultLoginUsername = "token"
    49. 

  49. 	defaultGithubAPI     = "https://api.github.com"
    50. 

  50. 

  51. 	errNoSpec    = "no config spec provided"
    52. 

  52. 	errParseSpec = "unable to parse spec: %w"
    53. 

  53. 	errGetToken  = "unable to get authorization token: %w"
    54. 

  54. 

  55. 	contextTimeout    = 30 * time.Second
    56. 

  56. 	httpClientTimeout = 5 * time.Second
    57. 

  57. )
    58. 

  58. 

  59. func (g *Generator) Generate(ctx context.Context, jsonSpec *apiextensions.JSON, kube client.Client, namespace string) (map[string][]byte, error) {
    60. 

  60. 	return g.generate(
    61. 

  61. 		ctx,
    62. 

  62. 		jsonSpec,
    63. 

  63. 		kube,
    64. 

  64. 		namespace,
    65. 

  65. 	)
    66. 

  66. }
    67. 

  67. 

  68. func (g *Generator) generate(
    69. 

  69. 	ctx context.Context,
    70. 

  70. 	jsonSpec *apiextensions.JSON,
    71. 

  71. 	kube client.Client,
    72. 

  72. 	namespace string) (map[string][]byte, error) {
    73. 

  73. 	if jsonSpec == nil {
    74. 

  74. 		return nil, errors.New(errNoSpec)
    75. 

  75. 	}
    76. 

  76. 	ctx, cancel := context.WithTimeout(ctx, contextTimeout)
    77. 

  77. 	defer cancel()
    78. 

  78. 

  79. 	gh, err := newGHClient(ctx, kube, namespace, g.httpClient, jsonSpec)
    80. 

  80. 	if err != nil {
    81. 

  81. 		return nil, fmt.Errorf("error creating request: %w", err)
    82. 

  82. 	}
    83. 

  83. 	// Github api expects POST request
    84. 

  84. 	req, err := http.NewRequestWithContext(ctx, http.MethodPost, gh.URL, http.NoBody)
    85. 

  85. 	if err != nil {
    86. 

  86. 		return nil, fmt.Errorf("error creating request: %w", err)
    87. 

  87. 	}
    88. 

  88. 	req.Header.Add("Authorization", "Bearer "+gh.InstallTkn)
    89. 

  89. 	req.Header.Add("Accept", "application/vnd.github.v3+json")
    90. 

  90. 

  91. 	resp, err := gh.HTTP.Do(req)
    92. 

  92. 	if err != nil {
    93. 

  93. 		return nil, fmt.Errorf("error performing request: %w", err)
    94. 

  94. 	}
    95. 

  95. 	defer resp.Body.Close()
    96. 

  96. 

  97. 	// git access token
    98. 

  98. 	var gat map[string]any
    99. 

  99. 	if err := json.NewDecoder(resp.Body).Decode(&gat); err != nil && resp.StatusCode >= 200 && resp.StatusCode < 300 {
    100. 

  100. 		return nil, fmt.Errorf("error decoding response: %w", err)
    101. 

  101. 	}
    102. 

  102. 

  103. 	accessToken, ok := gat["token"].(string)
    104. 

  104. 	if !ok {
    105. 

  105. 		return nil, errors.New("token isn't a string or token key doesn't exist")
    106. 

  106. 	}
    107. 

  107. 	return map[string][]byte{
    108. 

  108. 		defaultLoginUsername: []byte(accessToken),
    109. 

  109. 	}, nil
    110. 

  110. }
    111. 

  111. 

  112. func newGHClient(ctx context.Context, k client.Client, n string, hc *http.Client,
    113. 

  113. 	js *apiextensions.JSON) (*Github, error) {
    114. 

  114. 	if hc == nil {
    115. 

  115. 		hc = &http.Client{
    116. 

  116. 			Timeout: httpClientTimeout,
    117. 

  117. 		}
    118. 

  118. 	}
    119. 

  119. 	res, err := parseSpec(js.Raw)
    120. 

  120. 	if err != nil {
    121. 

  121. 		return nil, fmt.Errorf(errParseSpec, err)
    122. 

  122. 	}
    123. 

  123. 	gh := &Github{Kube: k, Namespace: n, HTTP: hc}
    124. 

  124. 

  125. 	ghPath := fmt.Sprintf("/app/installations/%s/access_tokens", res.Spec.InstallID)
    126. 

  126. 	gh.URL = defaultGithubAPI + ghPath
    127. 

  127. 	if res.Spec.URL != "" {
    128. 

  128. 		gh.URL = res.Spec.URL + ghPath
    129. 

  129. 	}
    130. 

  130. 	secret := &corev1.Secret{}
    131. 

  131. 	if err := gh.Kube.Get(ctx, client.ObjectKey{Name: res.Spec.Auth.PrivateKey.SecretRef.Name, Namespace: n}, secret); err != nil {
    132. 

  132. 		return nil, fmt.Errorf("error getting GH pem from secret:%w", err)
    133. 

  133. 	}
    134. 

  134. 

  135. 	pk, err := jwt.ParseRSAPrivateKeyFromPEM(secret.Data[res.Spec.Auth.PrivateKey.SecretRef.Key])
    136. 

  136. 	if err != nil {
    137. 

  137. 		return nil, fmt.Errorf("error parsing RSA private key: %w", err)
    138. 

  138. 	}
    139. 

  139. 	if gh.InstallTkn, err = GetInstallationToken(pk, res.Spec.AppID); err != nil {
    140. 

  140. 		return nil, fmt.Errorf("can't get InstallationToken: %w", err)
    141. 

  141. 	}
    142. 

  142. 	return gh, nil
    143. 

  143. }
    144. 

  144. 

  145. // Get github installation token.
    146. 

  146. func GetInstallationToken(key *rsa.PrivateKey, aid string) (string, error) {
    147. 

  147. 	claims := jwt.RegisteredClaims{
    148. 

  148. 		Issuer:    aid,
    149. 

  149. 		IssuedAt:  jwt.NewNumericDate(time.Now().Add(-time.Second * 10)),
    150. 

  150. 		ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Second * 300)),
    151. 

  151. 	}
    152. 

  152. 

  153. 	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
    154. 

  154. 	signedToken, err := token.SignedString(key)
    155. 

  155. 	if err != nil {
    156. 

  156. 		return "", fmt.Errorf("error signing token: %w", err)
    157. 

  157. 	}
    158. 

  158. 

  159. 	return signedToken, nil
    160. 

  160. }
    161. 

  161. 

  162. func parseSpec(data []byte) (*genv1alpha1.GithubAccessToken, error) {
    163. 

  163. 	var spec genv1alpha1.GithubAccessToken
    164. 

  164. 	err := yaml.Unmarshal(data, &spec)
    165. 

  165. 	return &spec, err
    166. 

  166. }
    167. 

  167. 

  168. func init() {
    169. 

  169. 	genv1alpha1.Register(genv1alpha1.GithubAccessTokenKind, &Generator{})
    170. 

  170. }
    171.