github: GitHub app installation auth support (#203)

Author: benbroadaway

tasks/git/pom.xml

@@ -59,6 +59,17 @@
             <artifactId>jackson-core</artifactId>
             <scope>provided</scope>
         </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.datatype</groupId>
+            <artifactId>jackson-datatype-jsr310</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <!-- Immutables -->
+        <dependency>
+            <groupId>org.immutables</groupId>
+            <artifactId>value</artifactId>
+            <scope>provided</scope>
+        </dependency>
         <dependency>
             <groupId>com.jcraft</groupId>
             <artifactId>jsch</artifactId>
@@ -86,6 +97,25 @@
             <artifactId>gson</artifactId>
             <version>2.8.9</version>
         </dependency>
+        <dependency>
+            <groupId>com.nimbusds</groupId>
+            <artifactId>nimbus-jose-jwt</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcprov-ext-jdk15on</artifactId>
+            <version>1.70</version> <!-- TODO use version in future targetplatform -->
+        </dependency>
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcpkix-jdk15on</artifactId>
+            <version>1.70</version> <!-- TODO use version in future targetplatform -->
+        </dependency>
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcprov-jdk15on</artifactId>
+            <version>1.70</version>
+        </dependency>
 
         <dependency>
             <groupId>org.junit.jupiter</groupId>
@@ -97,6 +127,12 @@
             <artifactId>mockito-core</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-junit-jupiter</artifactId>
+            <version>4.9.0</version>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>org.wiremock</groupId>
             <artifactId>wiremock-jetty12</artifactId>

tasks/git/src/main/java/com/walmartlabs/concord/plugins/git/GitHubTask.java

@@ -25,4 +25,7 @@
 public interface GitSecretService {
 
     Path exportPrivateKeyAsFile(String orgName, String secretName, String pwd) throws Exception;
+
+    Path exportFile(String orgName, String secretName, String pwd) throws Exception;
+
 }

tasks/git/src/main/java/com/walmartlabs/concord/plugins/git/GitSecretService.java

@@ -20,6 +20,8 @@
  * =====
  */
 
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
 import com.walmartlabs.concord.common.secret.UsernamePassword;
 import com.walmartlabs.concord.sdk.Secret;
 
@@ -29,15 +31,18 @@
 
 public final class Utils {
 
+    private static final ObjectMapper MAPPER = new ObjectMapper()
+            .registerModule(new JavaTimeModule());
+
     public static boolean getBoolean(Map<String, Object> in, String k, boolean fallback) {
         Object v = in.get(k);
 
         if (v == null) {
             return fallback;
         }
 
-        if (v instanceof String) {
-            return Boolean.parseBoolean((String) v);
+        if (v instanceof String s) {
+            return Boolean.parseBoolean(s);
         }
 
         if (!(v instanceof Boolean)) {
@@ -60,20 +65,24 @@ public static String hideSensitiveData(String s, Secret secret) {
             return null;
         }
 
-        if (secret instanceof UsernamePassword) {
-            char[] password = ((UsernamePassword) secret).getPassword();
+        if (secret instanceof UsernamePassword up) {
+            char[] password = up.getPassword();
             if (password != null && password.length != 0) {
                 s = s.replace(new String(password), "***");
             }
-        } else if (secret instanceof TokenSecret) {
-            String token = ((TokenSecret) secret).getToken();
+        } else if (secret instanceof TokenSecret ts) {
+            String token = ts.getToken();
             if (token != null && !token.trim().isEmpty()) {
                 s = s.replace(token, "***");
             }
         }
         return s;
     }
 
+    public static ObjectMapper getObjectMapper() {
+        return MAPPER;
+    }
+
     private Utils() {
     }
 }

tasks/git/src/main/java/com/walmartlabs/concord/plugins/git/Utils.java

@@ -0,0 +1,41 @@
+package com.walmartlabs.concord.plugins.git.model;
+
+/*-
+ * *****
+ * Concord
+ * -----
+ * Copyright (C) 2017 - 2025 Walmart Inc., Concord Authors
+ * -----
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * =====
+ */
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import org.immutables.value.Value;
+
+@Value.Immutable
+@Value.Style(jdkOnly = true)
+@JsonDeserialize(as = ImmutableAppInstallation.class)
+@JsonIgnoreProperties(ignoreUnknown = true)
+public interface AppInstallation {
+
+    /*
+    This is all we **need**, even though there's other attributes. Some may differ
+    between GitHub "cloud" and GitHub Enterprise. So, be care if/when adding more.
+     */
+    @JsonProperty("access_tokens_url")
+    String accessTokensUrl();
+
+}

tasks/git/src/main/java/com/walmartlabs/concord/plugins/git/model/AppInstallation.java

@@ -0,0 +1,41 @@
+package com.walmartlabs.concord.plugins.git.model;
+
+/*-
+ * *****
+ * Concord
+ * -----
+ * Copyright (C) 2017 - 2025 Walmart Inc., Concord Authors
+ * -----
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * =====
+ */
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import org.immutables.value.Value;
+
+import java.time.OffsetDateTime;
+
+@Value.Immutable
+@Value.Style(jdkOnly = true)
+@JsonDeserialize(as = ImmutableAppInstallationAccessToken.class)
+@JsonIgnoreProperties(ignoreUnknown = true)
+public interface AppInstallationAccessToken {
+
+    String token();
+
+    @JsonProperty("expires_at")
+    OffsetDateTime expiresAt();
+
+}

tasks/git/src/main/java/com/walmartlabs/concord/plugins/git/model/AppInstallationAccessToken.java

@@ -0,0 +1,78 @@
+package com.walmartlabs.concord.plugins.git.model;
+
+/*-
+ * *****
+ * Concord
+ * -----
+ * Copyright (C) 2017 - 2025 Walmart Inc., Concord Authors
+ * -----
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * =====
+ */
+
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import org.immutables.value.Value;
+
+import javax.annotation.Nullable;
+
+@Value.Immutable
+@Value.Style(jdkOnly = true)
+@JsonDeserialize(as = ImmutableAuth.class)
+public interface Auth {
+
+    @Nullable
+    String accessToken();
+    @Nullable
+    AppInstallationAuth appInstallation();
+    @Nullable
+    AppInstallationSecretAuth appInstallationSecret();
+
+    static ImmutableAuth.Builder builder() {
+        return ImmutableAuth.builder();
+    }
+
+    @Value.Immutable
+    @Value.Style(jdkOnly = true)
+    @JsonDeserialize(as = ImmutableAppInstallationAuth.class)
+    interface AppInstallationAuth {
+        String privateKey();
+
+        String clientId();
+
+        @Value.Default
+        default long refreshBufferSeconds() {
+            return 60;
+        }
+
+        static ImmutableAppInstallationAuth.Builder builder() {
+            return ImmutableAppInstallationAuth.builder();
+        }
+    }
+
+    @Value.Immutable
+    @Value.Style(jdkOnly = true)
+    @JsonDeserialize(as = ImmutableAppInstallationSecretAuth.class)
+    interface AppInstallationSecretAuth {
+        String org();
+
+        String name();
+
+        @Nullable
+        String password();
+
+        static ImmutableAppInstallationSecretAuth.Builder builder() {
+            return ImmutableAppInstallationSecretAuth.builder();
+        }
+    }
+
+}

tasks/git/src/main/java/com/walmartlabs/concord/plugins/git/model/Auth.java

@@ -0,0 +1,37 @@
+package com.walmartlabs.concord.plugins.git.model;
+
+/*-
+ * *****
+ * Concord
+ * -----
+ * Copyright (C) 2017 - 2025 Walmart Inc., Concord Authors
+ * -----
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * =====
+ */
+
+import com.walmartlabs.concord.plugins.git.tokens.AccessTokenProvider;
+import org.immutables.value.Value;
+
+@Value.Immutable
+@Value.Style(jdkOnly = true)
+public interface GitHubApiInfo {
+
+    String baseUrl();
+
+    AccessTokenProvider accessTokenProvider();
+
+    static ImmutableGitHubApiInfo.Builder builder() {
+        return ImmutableGitHubApiInfo.builder();
+    }
+}

tasks/git/src/main/java/com/walmartlabs/concord/plugins/git/model/GitHubApiInfo.java

@@ -0,0 +1,63 @@
+package com.walmartlabs.concord.plugins.git.tokens;
+
+/*-
+ * *****
+ * Concord
+ * -----
+ * Copyright (C) 2017 - 2025 Walmart Inc., Concord Authors
+ * -----
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * =====
+ */
+
+import com.walmartlabs.concord.plugins.git.GitSecretService;
+import com.walmartlabs.concord.plugins.git.Utils;
+import com.walmartlabs.concord.plugins.git.model.Auth;
+
+import java.nio.file.Files;
+import java.util.Objects;
+import java.util.stream.Stream;
+
+public interface AccessTokenProvider {
+
+    String getToken();
+
+    static AccessTokenProvider fromAuth(Auth auth,
+                                        String baseUrl,
+                                        String installationRepo,
+                                        GitSecretService secretService) {
+
+        Stream.of(auth.accessToken(), auth.appInstallation(), auth.appInstallationSecret())
+                .filter(Objects::nonNull)
+                .findFirst()
+                .orElseThrow(() -> new IllegalArgumentException("Invalid 'auth' input."));
+
+        if (auth.accessToken() != null) {
+            return new BasicTokenProvider(auth.accessToken());
+        } else if (auth.appInstallation() != null) {
+            var appInstallation = auth.appInstallation();
+            return new AppInstallationTokenProvider(appInstallation, baseUrl, installationRepo);
+        } else if (auth.appInstallationSecret() != null) {
+            var sAuth = Objects.requireNonNull(auth.appInstallationSecret());
+            try (var is = Files.newInputStream(secretService.exportFile(sAuth.org(), sAuth.name(), sAuth.password()))) {
+                var a = Utils.getObjectMapper().readValue(is, Auth.AppInstallationAuth.class);
+                return new AppInstallationTokenProvider(a, baseUrl, installationRepo);
+            } catch (Exception e) {
+                throw new RuntimeException("Failed to read the app installation token from secret '" + sAuth.name() + "'", e);
+            }
+        } else {
+            throw new IllegalArgumentException("Unknown auth type");
+        }
+    }
+
+}