github-authentication 0.1.2 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 10d63c1d1bf541971469409ba5a47e3ff2ca8e34d53300d4f0af5aa3d28aed22
-  data.tar.gz: 12facda5d7b25f772a56732419d9f0e934d385a3e85451bd44b7ff8002fb0dff
+  metadata.gz: 60a26b87df203d0cad754620484922850747654443f26cc73ec60660f7b414f5
+  data.tar.gz: 959c06de8b2f7e4c7647baf651021c8c59071f655815cdb79b5958dd437e1628
 SHA512:
-  metadata.gz: 31b569ecaebbbd1107ff9c9d0bad15baea88b230b3958a62f8a8e6c7af7d1d20c405a1d2d5008fcf12cf0e72faf5b861d158bca069181996b8ab23b84067f72d
-  data.tar.gz: 45519a0abbaa8b7ce2ff5e6ca42be4a845d078bc5b1b6e4b8b57e4161c38bd41e52d3f0cb5a288b6e0058622dcc9ffc39971100598c70fa5a79b29558c8b8ae1
+  metadata.gz: 60cbe032c88f1b003524acbe8f2ff55ac2d96b1b2605d646e25165253fdfdd91f6e218a4c8ecd064ad0e9f7818a6dccdfa95c7752bc4db7b48294e6ca995c3c4
+  data.tar.gz: ca10a2668358b6c061e0d786aa8a5d637ca551ae5d65bf1640edce9064c939f71c391ae49fbba5f10fe46230c18b5f950de5c0a98b7b8a342bfff80714d80aa4

data/Gemfile

@@ -3,5 +3,5 @@ source "https://rubygems.org"
 
 git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
 
-# Specify your gem's dependencies in github-authentication-provider.gemspec
+# Specify your gem's dependencies in github-authentication.gemspec
 gemspec

data/Gemfile.lock

@@ -1,29 +1,38 @@
 PATH
   remote: .
   specs:
-    github-authentication (0.1.2)
+    github-authentication (1.0.0)
       jwt (~> 2.2)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    addressable (2.7.0)
+    activesupport (6.1.4.1)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      tzinfo (~> 2.0)
+      zeitwerk (~> 2.3)
+    addressable (2.8.0)
       public_suffix (>= 2.0.2, < 5.0)
     ast (2.4.0)
+    concurrent-ruby (1.1.9)
     crack (0.4.3)
       safe_yaml (~> 1.0.0)
     hashdiff (1.0.1)
+    i18n (1.8.10)
+      concurrent-ruby (~> 1.0)
     jaro_winkler (1.5.4)
-    jwt (2.2.1)
+    jwt (2.2.3)
     minitest (5.14.0)
     mocha (1.11.2)
     parallel (1.19.1)
     parser (2.7.1.2)
       ast (~> 2.4.0)
-    public_suffix (4.0.4)
+    public_suffix (4.0.6)
     rainbow (3.0.0)
     rake (12.3.3)
-    rexml (3.2.4)
+    rexml (3.2.5)
     rubocop (0.82.0)
       jaro_winkler (~> 1.5.1)
       parallel (~> 1.10)
@@ -37,18 +46,21 @@ GEM
     ruby-progressbar (1.10.1)
     safe_yaml (1.0.5)
     timecop (0.9.1)
+    tzinfo (2.0.4)
+      concurrent-ruby (~> 1.0)
     unicode-display_width (1.7.0)
     vcr (5.1.0)
     webmock (3.8.3)
       addressable (>= 2.3.6)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
+    zeitwerk (2.4.2)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  bundler (~> 1.17)
+  activesupport
   github-authentication!
   minitest (~> 5.0)
   mocha (~> 1.11)
@@ -60,4 +72,4 @@ DEPENDENCIES
   webmock (~> 3.8)
 
 BUNDLED WITH
-   1.17.3
+   2.2.22

data/README.md

@@ -1,4 +1,4 @@
-# Github::Authentication
+# GithubAuthentication
 
 This gem allows you to authenticate with GitHub. Specifically, as a [GitHub app](https://developer.github.com/apps/building-github-apps/creating-a-github-app/).
 
@@ -23,13 +23,13 @@ Or install it yourself as:
 ## Usage
 
 ```ruby
-require 'github/authentication'
+require 'github_authentication'
 
-cache = Github::Authentication::Cache.new(storage: Github::Authentication::ObjectCache.new)
-generator = Github::Authentication::Generator::App.new(pem: ENV['GITHUB_PEM'],
+cache = GithubAuthentication::Cache.new(storage: GithubAuthentication::ObjectCache.new)
+generator = GithubAuthentication::Generator::App.new(pem: ENV['GITHUB_PEM'],
                                           installation_id: ENV['GITHUB_INSTALLATION_ID'],
                                           app_id: ENV['GITHUB_APP_ID'])
-provider = Github::Authentication::Provider.new(generator: generator, cache: cache)
+provider = GithubAuthentication::Provider.new(generator: generator, cache: cache)
 
 provider.token
 provider.reset_token
@@ -38,14 +38,14 @@ provider.reset_token
 ### Cache
 
 The cache takes a storage argument. You can pass an instance of an `ActiveSupport::Cache` implementation or use the provided 
-`Github::Authentication::ObjectCache` if you are using it in a script.
+`GithubAuthentication::ObjectCache` if you are using it in a script.
 
 ### Generator::App
 
 Generates a token for a GitHub app.
 
 ```ruby
-Github::Authentication::Generator::App.new(pem: ENV['GITHUB_PEM'],
+GithubAuthentication::Generator::App.new(pem: ENV['GITHUB_PEM'],
                                           installation_id: ENV['GITHUB_INSTALLATION_ID'],
                                           app_id: ENV['GITHUB_APP_ID'])
 ```
@@ -54,7 +54,7 @@ Github::Authentication::Generator::App.new(pem: ENV['GITHUB_PEM'],
 
 Mostly for testing purposes you can provide a github token that gets retrieved.
 ```ruby
-Github::Authentication::Generator::Personal.new(github_token: ENV['GITHUB_TOKEN'])
+GithubAuthentication::Generator::Personal.new(github_token: ENV['GITHUB_TOKEN'])
 ```
 
 ## Example
@@ -71,16 +71,16 @@ module GitHub
     def token
       @token_provider ||= begin
         if ENV['GITHUB_TOKEN']
-          storage = Github::Authentication::ObjectCache.new
-          generator = Github::Authentication::Generator::Personal.new(github_token: ENV['GITHUB_TOKEN'])
+          storage = GithubAuthentication::ObjectCache.new
+          generator = GithubAuthentication::Generator::Personal.new(github_token: ENV['GITHUB_TOKEN'])
         else
           storage = ActiveSupport::Cache::RedisCacheStore.new
           pem = Base64.decode64(ENV['GITHUB_PEM'])
-          generator = Github::Authentication::Generator::App.new(pem: pem, installation_id: INSTALLATION_ID,
+          generator = GithubAuthentication::Generator::App.new(pem: pem, installation_id: INSTALLATION_ID,
                                                                  app_id: APP_ID)
         end
-        cache = Github::Authentication::Cache.new(storage: storage)
-        Github::Authentication::Provider.new(generator: generator, cache: cache)
+        cache = GithubAuthentication::Cache.new(storage: storage)
+        GithubAuthentication::Provider.new(generator: generator, cache: cache)
       end
       @token_provider.token
     end
@@ -96,6 +96,12 @@ module GitHub
 end
 ```
 
+## Git credential helper
+
+This gem also ships with a [git credential helper][0] to authenticate git
+operations as an App. See [this doc](docs/github_credential_helper.md) for
+detail on setup and configuration.
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
@@ -110,3 +116,4 @@ Bug reports and pull requests are welcome on GitHub at https://github.com/Shopif
 
 The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
 
+[0]: https://git-scm.com/docs/gitcredentials

data/bin/console

@@ -2,7 +2,7 @@
 # frozen_string_literal: true
 
 require "bundler/setup"
-require "github/authentication/provider"
+require "github_authentication/provider"
 
 # You can add fixtures and/or initialization code here to make experimenting
 # with your gem easier. You can also use a different console, if you like.

data/docs/github_credential_helper.md

@@ -0,0 +1,40 @@
+## Git credential helper
+
+The `github-authentication` gem bundles a [git credential helper][0] to
+authenticate git operations as [GitHub Apps][1]. This is much preferred to
+hard-coding long lived credentials like personal access tokens or SSH keys
+inside e.g. a CI or build system.
+
+For efficiency this helper requires the `activesupport` gem to allow for caching
+credentials between git calls.
+
+### Configuration
+
+Token authentication is only supported over HTTPS, so as well as configuring the
+credential helper we can also have git automatically rewrite SSH addresses. Add
+this configuration snippet to `/etc/gitconfig` or `~/.gitconfig` depending on
+your environment:
+
+```
+[url "https://github.com/"]
+  insteadOf = git@github.com:
+  insteadOf = ssh://git@github.com/
+[credential "https://github.com"]
+  useHttpPath = true
+  helper = github-app
+  # Or, if using bundler:
+  # helper = !bundle exec git-credential-github-app
+```
+
+The credential helper also requires a few environment variables:
+
+* `GITHUB_APP_ID` -> The App ID of the GitHub App
+* `GITHUB_APP_INSTALLATION_ID` -> The Installation ID for the Org you want to
+  access
+* `GITHUB_APP_KEYFILE` -> Path to a [private key][2] generated for your app
+* `GITHUB_APP_CREDENTIAL_STORAGE_PATH` -> Directory to store cached credentials,
+  must already exist
+
+[0]: https://git-scm.com/docs/gitcredentials
+[1]: https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps
+[2]: https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#generating-a-private-key

data/exe/git-credential-github-app

@@ -0,0 +1,31 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'github_authentication'
+
+begin
+  require 'active_support/cache'
+  require 'active_support/notifications'
+rescue LoadError
+  warn("Active Support is required for the credential helper")
+  exit(2)
+end
+
+case ARGV[0]
+when 'get'
+  exit_status = GithubAuthentication::GitCredentialHelper.new(
+    pem: File.read(ENV.fetch('GITHUB_APP_KEYFILE')),
+    app_id: ENV.fetch('GITHUB_APP_ID'),
+    installation_id: ENV.fetch('GITHUB_APP_INSTALLATION_ID'),
+    storage: ActiveSupport::Cache::FileStore.new(ENV.fetch('GITHUB_APP_CREDENTIAL_STORAGE_PATH'))
+  ).handle_get
+  exit(exit_status)
+when 'store'
+  # We maintain our own internal storage, so no-op any `store` requests
+when nil, ''
+  warn('Supported operations: get, store')
+  exit(1)
+else
+  warn("Unknown argument: #{ARGV[0]}")
+  exit(1)
+end

data/github-authentication.gemspec

@@ -2,15 +2,15 @@
 
 lib = File.expand_path("../lib", __FILE__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require "github/authentication/version"
+require "github_authentication/version"
 
 Gem::Specification.new do |spec|
   spec.name          = "github-authentication"
-  spec.version       = Github::Authentication::VERSION
+  spec.version       = GithubAuthentication::VERSION
   spec.authors       = ["Frederik Dudzik"]
   spec.email         = ["frederik.dudzik@shopify.com"]
 
-  spec.summary       = "GitHub authetication"
+  spec.summary       = "GitHub Authetication"
   spec.description   = "Authenticate with GitHub"
   spec.homepage      = "https://github.com/Shopify/github-authentication"
   spec.license       = "MIT"
@@ -20,6 +20,7 @@ Gem::Specification.new do |spec|
   if spec.respond_to?(:metadata)
     spec.metadata["homepage_uri"] = spec.homepage
     spec.metadata["source_code_uri"] = "https://github.com/Shopify/github-authentication"
+    spec.metadata["allowed_push_host"] = "https://rubygems.org"
   else
     raise "RubyGems 2.0 or newer is required to protect against " \
       "public gem pushes."
@@ -36,7 +37,6 @@ Gem::Specification.new do |spec|
 
   spec.add_dependency("jwt", "~> 2.2")
 
-  spec.add_development_dependency("bundler", "~> 1.17")
   spec.add_development_dependency("rake", "~> 12.3")
   spec.add_development_dependency("minitest", "~> 5.0")
   spec.add_development_dependency("timecop", "~> 0.9")
@@ -45,4 +45,5 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency("vcr", "~> 5.1")
   spec.add_development_dependency("rubocop", "~> 0.52")
   spec.add_development_dependency("rubocop-shopify")
+  spec.add_development_dependency("activesupport")
 end

data/lib/github_authentication/cache.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require 'github_authentication/token'
+
+module GithubAuthentication
+  class Cache
+    # storage = ActiveSupport::Cache
+    def initialize(storage:, key: '')
+      @storage = storage
+      @key = "github:authentication:#{key}"
+    end
+
+    def read
+      json = @storage.read(@key)
+      Token.from_json(json)
+    end
+
+    def write(token)
+      @storage.write(@key, token.to_json, expires_in: token.expires_in)
+    end
+
+    def clear
+      @storage.delete(@key)
+    end
+  end
+end

data/lib/github_authentication/generator/app.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require 'jwt'
+require "uri"
+require 'openssl'
+
+require "github_authentication/http"
+
+module GithubAuthentication
+  module Generator
+    class App
+      attr_reader :app_id, :installation_id
+
+      def initialize(pem:, installation_id:, app_id:)
+        @private_key = OpenSSL::PKey::RSA.new(pem)
+        @installation_id = installation_id
+        @app_id = app_id
+      end
+
+      def generate
+        url = "https://api.github.com/app/installations/#{installation_id}/access_tokens"
+        response = Http.post(url) do |request|
+          request["Authorization"] = "Bearer #{jwt}"
+          request["Accept"] = "application/vnd.github.machine-man-preview+json"
+          request
+        end
+
+        unless response.is_a?(Net::HTTPSuccess)
+          raise TokenGeneratorError, "[#{response.code}] #{response.body}"
+        end
+
+        Token.from_json(response.body)
+      end
+
+      private
+
+      def jwt
+        payload = {
+          # issued at time
+          iat: Time.now.utc.to_i,
+          # JWT expiration time (10 minute maximum)
+          exp: Time.now.utc.to_i + (10 * 60),
+          # GitHub App's identifier
+          iss: app_id,
+        }
+        JWT.encode(payload, @private_key, "RS256")
+      end
+    end
+  end
+end

data/lib/github_authentication/generator/personal.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require "github_authentication/token"
+
+module GithubAuthentication
+  module Generator
+    class Personal
+      def initialize(github_token:)
+        @github_token = github_token
+      end
+
+      def generate
+        a_year_from_now = Time.now.utc + 31_556_952
+        Token.new(@github_token, a_year_from_now)
+      end
+    end
+  end
+end

data/lib/github_authentication/generator.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require "github_authentication/generator/app"
+require "github_authentication/generator/personal"
+
+module GithubAuthentication
+  module Generator
+    Error = Class.new(StandardError)
+    TokenGeneratorError = Class.new(Error)
+  end
+end

data/lib/github_authentication/git_credential_helper.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+module GithubAuthentication
+  class GitCredentialHelper
+    def initialize(pem:, installation_id:, app_id:, storage: nil, stdin: $stdin)
+      @pem = pem
+      @installation_id = installation_id
+      @app_id = app_id
+      @storage = storage
+      @stdin = stdin
+    end
+
+    def handle_get
+      description = parse_stdin
+
+      unless description['protocol'] == 'https' && description['host'] == 'github.com'
+        warn("Unsupported description: #{description}")
+        return 2
+      end
+
+      token = provider.token(seconds_ttl: min_cache_ttl)
+      puts("password=#{token}")
+      puts('username=api')
+
+      0
+    end
+
+    private
+
+    def min_cache_ttl
+      # Tokens are valid for 60 minutes, allow a 10 minute buffer
+      10 * 60
+    end
+
+    def parse_stdin
+      # Credential description is written to STDIN in line delimited key=value form,
+      # see https://git-scm.com/docs/git-credential#IOFMT
+      @stdin.each_line.map { |line| line.split('=', 2).map(&:strip) }.to_h
+    end
+
+    def provider
+      @provider ||= Provider.new(
+        generator: generator,
+        cache: Cache.new(storage: @storage || ObjectCache.new)
+      )
+    end
+
+    def generator
+      @generator ||= Generator::App.new(
+        pem: @pem,
+        app_id: @app_id,
+        installation_id: @installation_id
+      )
+    end
+  end
+end

data/lib/github_authentication/http.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require 'net/http'
+require 'timeout'
+
+require 'github_authentication/retriable'
+
+module GithubAuthentication
+  module Http
+    class << self
+      include Retriable
+
+      def post(url)
+        uri = URI.parse(url)
+        with_retries(SystemCallError, Timeout::Error) do
+          http = Net::HTTP.new(uri.host, uri.port)
+          http.use_ssl = true
+          http.start
+          begin
+
+            request = Net::HTTP::Post.new(uri.request_uri)
+            yield(request) if block_given?
+
+            http.request(request)
+          ensure
+            http.finish
+          end
+        end
+      end
+    end
+  end
+end

data/lib/github_authentication/object_cache.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require 'github_authentication/token'
+
+module GithubAuthentication
+  class ObjectCache
+    def initialize
+      @cache = {}
+    end
+
+    def read(key)
+      return unless @cache.key?(key)
+
+      options = @cache[key][:options]
+      if options.key?(:expires_at) && Time.now.utc > options[:expires_at]
+        @cache.delete(key)
+        return nil
+      end
+
+      @cache[key][:value]
+    end
+
+    def write(key, value, options = {})
+      if options.key?(:expires_in)
+        options[:expires_at] = Time.now.utc + options[:expires_in]
+      end
+      @cache[key] = { value: value, options: options }
+    end
+
+    def clear(key)
+      @cache.delete(key)
+    end
+  end
+end

data/lib/github_authentication/provider.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+require "mutex_m.rb"
+
+require 'github_authentication/retriable'
+
+module GithubAuthentication
+  class Provider
+    include Retriable
+    include Mutex_m
+
+    Error = Class.new(StandardError)
+    TokenGeneratorError = Class.new(Error)
+
+    def initialize(generator:, cache:)
+      super()
+      @token = nil
+      @generator = generator
+      @cache = cache
+    end
+
+    def token(seconds_ttl: 5 * 60)
+      return @token if @token&.valid_for?(seconds_ttl)
+
+      with_retries(TokenGeneratorError) do
+        mu_synchronize do
+          return @token if @token&.valid_for?(seconds_ttl)
+
+          if (@token = @cache.read)
+            return @token if @token.valid_for?(seconds_ttl)
+          end
+
+          if (@token = @generator.generate)
+            if @token.valid_for?(seconds_ttl)
+              @cache.write(@token)
+              return @token
+            end
+          end
+
+          raise TokenGeneratorError, "Couldn't create a token with a TTL of #{seconds_ttl}"
+        end
+      end
+    end
+
+    def reset_token
+      @token = nil
+      @cache.clear
+    end
+
+    # prevent credential leak
+    def inspect
+      "#<#{self.class.name}>"
+    end
+  end
+end

data/lib/github_authentication/retriable.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module GithubAuthentication
+  module Retriable
+    def with_retries(*exceptions, max_attempts: 4, sleep_between_attempts: 0.1, exponential_backoff: true)
+      attempt = 1
+      previous_failure = nil
+
+      begin
+        return_value = yield(attempt, previous_failure)
+      rescue *exceptions => exception
+        raise unless attempt < max_attempts
+
+        sleep_after_attempt(
+          attempt: attempt,
+          base_sleep_time: sleep_between_attempts,
+          exponential_backoff: exponential_backoff
+        )
+
+        attempt += 1
+        previous_failure = exception
+        retry
+      else
+        return_value
+      end
+    end
+
+    private
+
+    def sleep_after_attempt(attempt:, base_sleep_time:, exponential_backoff:)
+      return unless base_sleep_time > 0
+
+      time_to_sleep = if exponential_backoff
+        calculate_exponential_backoff(attempt: attempt, base_sleep_time: base_sleep_time)
+      else
+        base_sleep_time
+      end
+
+      Kernel.sleep(time_to_sleep)
+    end
+
+    def calculate_exponential_backoff(attempt:, base_sleep_time:)
+      # Double the max sleep time for every attempt (exponential backoff).
+      # Randomize sleep time for more optimal request distribution.
+      lower_bound = Float(base_sleep_time)
+      upper_bound = lower_bound * (2 << (attempt - 2))
+      Kernel.rand(lower_bound..upper_bound)
+    end
+  end
+end

data/lib/github_authentication/token.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+require 'json'
+
+module GithubAuthentication
+  class Token
+    attr_reader :expires_at
+
+    def self.from_json(data)
+      return nil if data.nil?
+
+      token, expires_at = JSON.parse(data).values_at('token', 'expires_at')
+      new(token, Time.iso8601(expires_at))
+    rescue JSON::ParserError
+      nil
+    end
+
+    def initialize(token, expires_at)
+      @token = token
+      @expires_at = expires_at
+    end
+
+    def expires_in
+      (@expires_at - Time.now.utc).to_i
+    end
+
+    def expired?(seconds_ttl: 300)
+      @expires_at < Time.now.utc + seconds_ttl
+    end
+
+    def valid_for?(ttl)
+      !expired?(seconds_ttl: ttl)
+    end
+
+    def inspect
+      # Truncating the token should be enough not to leak it in error messages etc
+      "#<#{self.class.name} @token=#{truncate(@token, 10)} @expires_at=#{@expires_at}>"
+    end
+
+    def to_json
+      JSON.dump(token: @token, expires_at: @expires_at.iso8601)
+    end
+
+    def to_s
+      @token
+    end
+    alias_method :to_str, :to_s
+
+    private
+
+    def truncate(string, max)
+      string.length > max ? "#{string[0...max]}..." : string
+    end
+  end
+end

data/lib/github_authentication/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module GithubAuthentication
+  VERSION = "1.0.0"
+end

data/lib/github_authentication.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require "github_authentication/version"
+require "github_authentication/generator"
+require "github_authentication/provider"
+require "github_authentication/cache"
+require "github_authentication/object_cache"
+require "github_authentication/git_credential_helper"
+
+module GithubAuthentication
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: github-authentication
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 1.0.0
 platform: ruby
 authors:
 - Frederik Dudzik
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-08-17 00:00:00.000000000 Z
+date: 2021-10-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
@@ -24,20 +24,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.2'
-- !ruby/object:Gem::Dependency
-  name: bundler
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.17'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.17'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -150,10 +136,25 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Authenticate with GitHub
 email:
 - frederik.dudzik@shopify.com
-executables: []
+executables:
+- git-credential-github-app
 extensions: []
 extra_rdoc_files: []
 files:
@@ -170,24 +171,28 @@ files:
 - bin/rake
 - bin/rubocop
 - bin/setup
+- docs/github_credential_helper.md
+- exe/git-credential-github-app
 - github-authentication.gemspec
-- lib/github/authentication.rb
-- lib/github/authentication/cache.rb
-- lib/github/authentication/generator.rb
-- lib/github/authentication/generator/app.rb
-- lib/github/authentication/generator/personal.rb
-- lib/github/authentication/http.rb
-- lib/github/authentication/object_cache.rb
-- lib/github/authentication/provider.rb
-- lib/github/authentication/retriable.rb
-- lib/github/authentication/token.rb
-- lib/github/authentication/version.rb
+- lib/github_authentication.rb
+- lib/github_authentication/cache.rb
+- lib/github_authentication/generator.rb
+- lib/github_authentication/generator/app.rb
+- lib/github_authentication/generator/personal.rb
+- lib/github_authentication/git_credential_helper.rb
+- lib/github_authentication/http.rb
+- lib/github_authentication/object_cache.rb
+- lib/github_authentication/provider.rb
+- lib/github_authentication/retriable.rb
+- lib/github_authentication/token.rb
+- lib/github_authentication/version.rb
 homepage: https://github.com/Shopify/github-authentication
 licenses:
 - MIT
 metadata:
   homepage_uri: https://github.com/Shopify/github-authentication
   source_code_uri: https://github.com/Shopify/github-authentication
+  allowed_push_host: https://rubygems.org
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -203,8 +208,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.2.20
 signing_key: 
 specification_version: 4
-summary: GitHub authetication
+summary: GitHub Authetication
 test_files: []

data/lib/github/authentication/cache.rb

@@ -1,28 +0,0 @@
-# frozen_string_literal: true
-
-require 'github/authentication/token'
-
-module Github
-  module Authentication
-    class Cache
-      # storage = ActiveSupport::Cache
-      def initialize(storage:, key: '')
-        @storage = storage
-        @key = "github:authentication:#{key}"
-      end
-
-      def read
-        json = @storage.read(@key)
-        Token.from_json(json)
-      end
-
-      def write(token)
-        @storage.write(@key, token.to_json, expires_in: token.expires_in)
-      end
-
-      def clear
-        @storage.delete(@key)
-      end
-    end
-  end
-end

data/lib/github/authentication/generator/app.rb

@@ -1,47 +0,0 @@
-# frozen_string_literal: true
-
-require 'jwt'
-require "uri"
-require 'openssl'
-
-require "github/authentication/http"
-
-module Github
-  module Authentication
-    module Generator
-      class App
-        attr_reader :app_id, :installation_id
-
-        def initialize(pem:, installation_id:, app_id:)
-          @private_key = OpenSSL::PKey::RSA.new(pem)
-          @installation_id = installation_id
-          @app_id = app_id
-        end
-
-        def generate
-          url = "https://api.github.com/app/installations/#{installation_id}/access_tokens"
-          response = Http.post(url) do |request|
-            request["Authorization"] = "Bearer #{jwt}"
-            request["Accept"] = "application/vnd.github.machine-man-preview+json"
-            request
-          end
-          Token.from_json(response.body)
-        end
-
-        private
-
-        def jwt
-          payload = {
-            # issued at time
-            iat: Time.now.utc.to_i,
-            # JWT expiration time (10 minute maximum)
-            exp: Time.now.utc.to_i + (10 * 60),
-            # GitHub App's identifier
-            iss: app_id,
-          }
-          JWT.encode(payload, @private_key, "RS256")
-        end
-      end
-    end
-  end
-end

data/lib/github/authentication/generator/personal.rb

@@ -1,20 +0,0 @@
-# frozen_string_literal: true
-
-require "github/authentication/token"
-
-module Github
-  module Authentication
-    module Generator
-      class Personal
-        def initialize(github_token:)
-          @github_token = github_token
-        end
-
-        def generate
-          a_year_from_now = Time.now.utc + 31_556_952
-          Token.new(@github_token, a_year_from_now)
-        end
-      end
-    end
-  end
-end

data/lib/github/authentication/generator.rb

@@ -1,4 +0,0 @@
-# frozen_string_literal: true
-
-require "github/authentication/generator/app"
-require "github/authentication/generator/personal"

data/lib/github/authentication/http.rb

@@ -1,34 +0,0 @@
-# frozen_string_literal: true
-
-require 'net/http'
-require 'timeout'
-
-require 'github/authentication/retriable'
-
-module Github
-  module Authentication
-    module Http
-      class << self
-        include Retriable
-
-        def post(url)
-          uri = URI.parse(url)
-          with_retries(SystemCallError, Timeout::Error) do
-            http = Net::HTTP.new(uri.host, uri.port)
-            http.use_ssl = true
-            http.start
-            begin
-
-              request = Net::HTTP::Post.new(uri.request_uri)
-              yield(request) if block_given?
-
-              http.request(request)
-            ensure
-              http.finish
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/github/authentication/object_cache.rb

@@ -1,36 +0,0 @@
-# frozen_string_literal: true
-
-require 'github/authentication/token'
-
-module Github
-  module Authentication
-    class ObjectCache
-      def initialize
-        @cache = {}
-      end
-
-      def read(key)
-        return unless @cache.key?(key)
-
-        options = @cache[key][:options]
-        if options.key?(:expires_at) && Time.now.utc > options[:expires_at]
-          @cache.delete(key)
-          return nil
-        end
-
-        @cache[key][:value]
-      end
-
-      def write(key, value, options = {})
-        if options.key?(:expires_in)
-          options[:expires_at] = Time.now.utc + options[:expires_in]
-        end
-        @cache[key] = { value: value, options: options }
-      end
-
-      def clear(key)
-        @cache.delete(key)
-      end
-    end
-  end
-end

data/lib/github/authentication/provider.rb

@@ -1,56 +0,0 @@
-# frozen_string_literal: true
-require "mutex_m.rb"
-
-require 'github/authentication/retriable'
-
-module Github
-  module Authentication
-    class Provider
-      include Retriable
-      include Mutex_m
-
-      Error = Class.new(StandardError)
-      TokenGeneratorError = Class.new(Error)
-
-      def initialize(generator:, cache:)
-        super()
-        @token = nil
-        @generator = generator
-        @cache = cache
-      end
-
-      def token(seconds_ttl: 5 * 60)
-        return @token if @token&.valid_for?(seconds_ttl)
-
-        with_retries(TokenGeneratorError) do
-          mu_synchronize do
-            return @token if @token&.valid_for?(seconds_ttl)
-
-            if (@token = @cache.read)
-              return @token if @token.valid_for?(seconds_ttl)
-            end
-
-            if (@token = @generator.generate)
-              if @token.valid_for?(seconds_ttl)
-                @cache.write(@token)
-                return @token
-              end
-            end
-
-            raise TokenGeneratorError, "Couldn't create a token with a TTL of #{seconds_ttl}"
-          end
-        end
-      end
-
-      def reset_token
-        @token = nil
-        @cache.clear
-      end
-
-      # prevent credential leak
-      def inspect
-        "#<#{self.class.name}>"
-      end
-    end
-  end
-end

data/lib/github/authentication/retriable.rb

@@ -1,52 +0,0 @@
-# frozen_string_literal: true
-
-module Github
-  module Authentication
-    module Retriable
-      def with_retries(*exceptions, max_attempts: 4, sleep_between_attempts: 0.1, exponential_backoff: true)
-        attempt = 1
-        previous_failure = nil
-
-        begin
-          return_value = yield(attempt, previous_failure)
-        rescue *exceptions => exception
-          raise unless attempt < max_attempts
-
-          sleep_after_attempt(
-            attempt: attempt,
-            base_sleep_time: sleep_between_attempts,
-            exponential_backoff: exponential_backoff
-          )
-
-          attempt += 1
-          previous_failure = exception
-          retry
-        else
-          return_value
-        end
-      end
-
-      private
-
-      def sleep_after_attempt(attempt:, base_sleep_time:, exponential_backoff:)
-        return unless base_sleep_time > 0
-
-        time_to_sleep = if exponential_backoff
-          calculate_exponential_backoff(attempt: attempt, base_sleep_time: base_sleep_time)
-        else
-          base_sleep_time
-        end
-
-        Kernel.sleep(time_to_sleep)
-      end
-
-      def calculate_exponential_backoff(attempt:, base_sleep_time:)
-        # Double the max sleep time for every attempt (exponential backoff).
-        # Randomize sleep time for more optimal request distribution.
-        lower_bound = Float(base_sleep_time)
-        upper_bound = lower_bound * (2 << (attempt - 2))
-        Kernel.rand(lower_bound..upper_bound)
-      end
-    end
-  end
-end

data/lib/github/authentication/token.rb

@@ -1,57 +0,0 @@
-# frozen_string_literal: true
-
-require 'json'
-
-module Github
-  module Authentication
-    class Token
-      attr_reader :expires_at
-
-      def self.from_json(data)
-        return nil if data.nil?
-
-        token, expires_at = JSON.parse(data).values_at('token', 'expires_at')
-        new(token, Time.iso8601(expires_at))
-      rescue JSON::ParserError
-        nil
-      end
-
-      def initialize(token, expires_at)
-        @token = token
-        @expires_at = expires_at
-      end
-
-      def expires_in
-        (@expires_at - Time.now.utc).to_i
-      end
-
-      def expired?(seconds_ttl: 300)
-        @expires_at < Time.now.utc + seconds_ttl
-      end
-
-      def valid_for?(ttl)
-        !expired?(seconds_ttl: ttl)
-      end
-
-      def inspect
-        # Truncating the token should be enough not to leak it in error messages etc
-        "#<#{self.class.name} @token=#{truncate(@token, 10)} @expires_at=#{@expires_at}>"
-      end
-
-      def to_json
-        JSON.dump(token: @token, expires_at: @expires_at.iso8601)
-      end
-
-      def to_s
-        @token
-      end
-      alias_method :to_str, :to_s
-
-      private
-
-      def truncate(string, max)
-        string.length > max ? "#{string[0...max]}..." : string
-      end
-    end
-  end
-end

data/lib/github/authentication/version.rb

@@ -1,7 +0,0 @@
-# frozen_string_literal: true
-
-module Github
-  module Authentication
-    VERSION = "0.1.2"
-  end
-end

data/lib/github/authentication.rb

@@ -1,7 +0,0 @@
-# frozen_string_literal: true
-
-require "github/authentication/version"
-require "github/authentication/generator"
-require "github/authentication/provider"
-require "github/authentication/cache"
-require "github/authentication/object_cache"