fix: specific functions for github access tokens (#227)

Create specific function for calling the GitHub API for generating
installation access tokens.

Author: verbanicm

githubapp/githubapp.go

@@ -115,10 +115,18 @@ func NewConfig(appID, installationID string, privateKey *rsa.PrivateKey, opts ..
 // requested permissions / scopes that are requested when generating a
 // new installation access token.
 type TokenRequest struct {
-	Repositories *[]string         `json:"repositories,omitempty"`
+	Repositories []string          `json:"repositories"`
 	Permissions  map[string]string `json:"permissions"`
 }
 
+// TokenRequestAllRepos is a struct that contains the requested permissions/scopes
+// that are requested when generating a new installation access token.
+// This struct intentionally omits the repository properties to generate a token
+// for all repositories granted to this GitHub app installation.
+type TokenRequestAllRepos struct {
+	Permissions map[string]string `json:"permissions"`
+}
+
 // GitHubApp is an object that can be used to generate application level JWTs
 // or to request an OIDC token on behalf of an installation.
 type GitHubApp struct {
@@ -203,16 +211,39 @@ func (g *GitHubApp) generateAppJWT() ([]byte, error) {
 // access token for this application installation with the requested
 // permissions and repositories.
 func (g *GitHubApp) AccessToken(ctx context.Context, request *TokenRequest) (string, error) {
-	appJWT, err := g.AppToken()
+	if request.Repositories == nil {
+		return "", fmt.Errorf("requested repositories cannot be nil, did you mean to use AccessTokenAllRepos to request all repos?")
+	}
+
+	requestJSON, err := json.Marshal(request)
 	if err != nil {
-		return "", fmt.Errorf("error generating app jwt: %w", err)
+		return "", fmt.Errorf("error marshalling request data: %w", err)
 	}
-	requestURL := fmt.Sprintf(g.config.accessTokenURLPattern, g.config.InstallationID)
+
+	return g.githubAccessToken(ctx, requestJSON)
+}
+
+// AccessTokenAllRepos calls the GitHub API to generate a new
+// access token for this application installation with the requested
+// permissions and all granted repositories.
+func (g *GitHubApp) AccessTokenAllRepos(ctx context.Context, request *TokenRequestAllRepos) (string, error) {
 	requestJSON, err := json.Marshal(request)
 	if err != nil {
 		return "", fmt.Errorf("error marshalling request data: %w", err)
 	}
 
+	return g.githubAccessToken(ctx, requestJSON)
+}
+
+// githubAccessToken calls the GitHub API to generate a new
+// access token with provided JSON payload bytes.
+func (g *GitHubApp) githubAccessToken(ctx context.Context, requestJSON []byte) (string, error) {
+	appJWT, err := g.AppToken()
+	if err != nil {
+		return "", fmt.Errorf("error generating app jwt: %w", err)
+	}
+	requestURL := fmt.Sprintf(g.config.accessTokenURLPattern, g.config.InstallationID)
+
 	requestReader := bytes.NewReader(requestJSON)
 	req, err := http.NewRequestWithContext(ctx, http.MethodPost, requestURL, requestReader)
 	if err != nil {

githubapp/githubapp_test.go

@@ -146,6 +146,7 @@ func TestGitHubApp_AccessToken(t *testing.T) {
 		appID       string
 		installID   string
 		options     []ConfigOption
+		request     *TokenRequest
 		want        string
 		expErr      string
 		handlerFunc http.HandlerFunc
@@ -155,6 +156,7 @@ func TestGitHubApp_AccessToken(t *testing.T) {
 			appID:       "test-app-id",
 			installID:   "test-install-id",
 			options:     []ConfigOption{},
+			request:     &TokenRequest{Repositories: []string{"test"}, Permissions: map[string]string{"test": "test"}},
 			want:        `{"token":"this-is-the-token-from-github"}`,
 			expErr:      "",
 			handlerFunc: nil,
@@ -164,6 +166,7 @@ func TestGitHubApp_AccessToken(t *testing.T) {
 			appID:     "test-app-id",
 			installID: "test-install-id",
 			options:   []ConfigOption{},
+			request:   &TokenRequest{Repositories: []string{"test"}, Permissions: map[string]string{"test": "test"}},
 			expErr:    "failed to retrieve token from GitHub - Status: 500 Internal Server Error - Body: ",
 			handlerFunc: func(w http.ResponseWriter, r *http.Request) {
 				w.WriteHeader(500)
@@ -174,6 +177,7 @@ func TestGitHubApp_AccessToken(t *testing.T) {
 			appID:     "test-app-id",
 			installID: "test-install-id",
 			options:   []ConfigOption{},
+			request:   &TokenRequest{Repositories: []string{"test"}, Permissions: map[string]string{"test": "test"}},
 			expErr:    "invalid access token from GitHub - Body: not json",
 			handlerFunc: func(w http.ResponseWriter, r *http.Request) {
 				w.WriteHeader(201)
@@ -185,11 +189,33 @@ func TestGitHubApp_AccessToken(t *testing.T) {
 			appID:     "test-app-id",
 			installID: "test-install-id",
 			options:   []ConfigOption{},
+			request:   &TokenRequest{Repositories: []string{"test"}, Permissions: map[string]string{"test": "test"}},
 			expErr:    "invalid access token from GitHub - Body:",
 			handlerFunc: func(w http.ResponseWriter, r *http.Request) {
 				w.WriteHeader(201)
 			},
 		},
+		{
+			name:        "allow_empty_repositories",
+			appID:       "test-app-id",
+			installID:   "test-install-id",
+			options:     []ConfigOption{},
+			request:     &TokenRequest{Repositories: []string{}, Permissions: map[string]string{"test": "test"}},
+			want:        `{"token":"this-is-the-token-from-github"}`,
+			expErr:      "",
+			handlerFunc: nil,
+		},
+		{
+			name:      "missing_repositories",
+			appID:     "test-app-id",
+			installID: "test-install-id",
+			options:   []ConfigOption{},
+			request:   &TokenRequest{Permissions: map[string]string{"test": "test"}},
+			expErr:    "requested repositories cannot be nil, did you mean to use AccessTokenAllRepos to request all repos?",
+			handlerFunc: func(w http.ResponseWriter, r *http.Request) {
+				w.WriteHeader(201)
+			},
+		},
 	}
 
 	for _, tc := range cases {
@@ -221,7 +247,7 @@ func TestGitHubApp_AccessToken(t *testing.T) {
 			tc.options = append(tc.options, WithAccessTokenURLPattern(fakeGitHub.URL+"/%s/access_tokens"))
 
 			app := New(NewConfig(tc.appID, tc.installID, rsaPrivateKey, tc.options...))
-			got, err := app.AccessToken(context.Background(), &TokenRequest{})
+			got, err := app.AccessToken(context.Background(), tc.request)
 			if diff := testutil.DiffErrString(err, tc.expErr); diff != "" {
 				t.Errorf(diff)
 			}