lex-github 0.2.4 → 0.3.0

data/lib/legion/extensions/github/app/actor/webhook_poller.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+module Legion
+  module Extensions
+    module Github
+      module App
+        module Actor
+          class WebhookPoller < Legion::Extensions::Actors::Poll # rubocop:disable Legion/Extension/SelfContainedActorRunnerClass,Legion/Extension/EveryActorRequiresTime
+            def use_runner?    = false
+            def check_subtask? = false
+            def generate_task? = false
+
+            def time
+              60
+            end
+
+            # rubocop:disable Legion/Extension/ActorEnabledSideEffects
+            def enabled?
+              github_poll_settings[:owner] && github_poll_settings[:repo]
+            rescue StandardError => _e
+              false
+            end
+            # rubocop:enable Legion/Extension/ActorEnabledSideEffects
+
+            def manual
+              settings = github_poll_settings
+              owner = settings[:owner]
+              repo = settings[:repo]
+              return unless owner && repo
+
+              client = Legion::Extensions::Github::Client.new
+              return unless client.respond_to?(:list_events)
+
+              result = client.list_events(owner: owner, repo: repo)
+              events = result[:result]
+              return unless events.is_a?(Array)
+
+              events.each do |event|
+                publish_event(event)
+              end
+            rescue StandardError => e
+              log.error("App::Actor::WebhookPoller: #{e.message}")
+            end
+
+            private
+
+            def github_poll_settings
+              return {} unless defined?(Legion::Settings)
+
+              Legion::Settings[:github]&.dig(:webhook_poller) || {}
+            rescue StandardError => _e
+              {}
+            end
+
+            def publish_event(event)
+              Legion::Extensions::Github::App::Transport::Messages::Event.new(event).publish
+            rescue StandardError => e
+              log.warn("WebhookPoller#publish_event: #{e.message}")
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/app/hooks/setup.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Legion
+  module Extensions
+    module Github
+      module App
+        module Hooks
+          class Setup < Legion::Extensions::Hooks::Base # rubocop:disable Legion/Extension/HookMissingRunnerClass
+            mount '/setup/callback'
+
+            def self.runner_class
+              'Legion::Extensions::Github::App::Runners::Manifest'
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/app/hooks/webhook.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Legion
+  module Extensions
+    module Github
+      module App
+        module Hooks
+          class Webhook < Legion::Extensions::Hooks::Base # rubocop:disable Legion/Extension/HookMissingRunnerClass
+            mount '/webhook'
+
+            def self.runner_class
+              'Legion::Extensions::Github::App::Runners::Webhooks'
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/app/runners/auth.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require 'jwt'
+require 'openssl'
+require 'legion/extensions/github/helpers/client'
+
+module Legion
+  module Extensions
+    module Github
+      module App
+        module Runners
+          module Auth
+            include Legion::Extensions::Github::Helpers::Client
+
+            def generate_jwt(app_id:, private_key:, **)
+              key = OpenSSL::PKey::RSA.new(private_key)
+              now = Time.now.to_i
+              payload = { iat: now - 60, exp: now + (10 * 60), iss: app_id.to_s }
+              token = JWT.encode(payload, key, 'RS256')
+              { result: token }
+            end
+
+            def create_installation_token(jwt:, installation_id:, **)
+              conn = connection(token: jwt, **)
+              response = conn.post("/app/installations/#{installation_id}/access_tokens")
+              { result: response.body }
+            end
+
+            def list_installations(jwt:, per_page: 30, page: 1, **)
+              conn = connection(token: jwt, **)
+              response = conn.get('/app/installations', per_page: per_page, page: page)
+              { result: response.body }
+            end
+
+            def get_installation(jwt:, installation_id:, **)
+              conn = connection(token: jwt, **)
+              response = conn.get("/app/installations/#{installation_id}")
+              { result: response.body }
+            end
+
+            include Legion::Extensions::Helpers::Lex if Legion::Extensions.const_defined?(:Helpers, false) &&
+                                                        Legion::Extensions::Helpers.const_defined?(:Lex, false)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/app/runners/credential_store.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require 'time'
+
+module Legion
+  module Extensions
+    module Github
+      module App
+        module Runners
+          module CredentialStore
+            def store_app_credentials(app_id:, private_key:, client_id:, client_secret:, webhook_secret:, **)
+              vault_set('github/app/app_id', app_id)
+              vault_set('github/app/private_key', private_key)
+              vault_set('github/app/client_id', client_id)
+              vault_set('github/app/client_secret', client_secret)
+              vault_set('github/app/webhook_secret', webhook_secret)
+              { result: true }
+            end
+
+            def store_oauth_token(user:, access_token:, refresh_token:, expires_in: nil, scope: nil, **)
+              data = { 'access_token' => access_token, 'refresh_token' => refresh_token,
+                       'expires_in' => expires_in, 'scope' => scope,
+                       'stored_at' => Time.now.iso8601 }.compact
+              vault_set("github/oauth/#{user}/token", data)
+              # Also write to canonical delegated path so resolve_vault_delegated can discover the token
+              vault_set('github/oauth/delegated/token', data)
+              { result: true }
+            end
+
+            def load_oauth_token(user:, **)
+              data = begin
+                vault_get("github/oauth/#{user}/token")
+              rescue StandardError => _e
+                nil
+              end
+              { result: data }
+            end
+
+            include Legion::Extensions::Helpers::Lex if Legion::Extensions.const_defined?(:Helpers, false) &&
+                                                        Legion::Extensions::Helpers.const_defined?(:Lex, false)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/app/runners/installations.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+require 'legion/extensions/github/helpers/client'
+
+module Legion
+  module Extensions
+    module Github
+      module App
+        module Runners
+          module Installations
+            include Legion::Extensions::Github::Helpers::Client
+
+            def list_installations(jwt:, per_page: 30, page: 1, **)
+              conn = connection(token: jwt, **)
+              response = conn.get('/app/installations', per_page: per_page, page: page)
+              { result: response.body }
+            end
+
+            def get_installation(jwt:, installation_id:, **)
+              conn = connection(token: jwt, **)
+              response = conn.get("/app/installations/#{installation_id}")
+              { result: response.body }
+            end
+
+            def list_installation_repos(per_page: 30, page: 1, **)
+              response = connection(**).get('/installation/repositories',
+                                            per_page: per_page, page: page)
+              { result: response.body }
+            end
+
+            def suspend_installation(jwt:, installation_id:, **)
+              conn = connection(token: jwt, **)
+              response = conn.put("/app/installations/#{installation_id}/suspended")
+              { result: response.status == 204 }
+            end
+
+            def unsuspend_installation(jwt:, installation_id:, **)
+              conn = connection(token: jwt, **)
+              response = conn.delete("/app/installations/#{installation_id}/suspended")
+              { result: response.status == 204 }
+            end
+
+            def delete_installation(jwt:, installation_id:, **)
+              conn = connection(token: jwt, **)
+              response = conn.delete("/app/installations/#{installation_id}")
+              { result: response.status == 204 }
+            end
+
+            include Legion::Extensions::Helpers::Lex if Legion::Extensions.const_defined?(:Helpers, false) &&
+                                                        Legion::Extensions::Helpers.const_defined?(:Lex, false)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/app/runners/manifest.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'uri'
+require 'legion/extensions/github/helpers/client'
+
+module Legion
+  module Extensions
+    module Github
+      module App
+        module Runners
+          module Manifest
+            include Legion::Extensions::Github::Helpers::Client
+
+            DEFAULT_PERMISSIONS = {
+              contents: 'write', issues: 'write', pull_requests: 'write',
+              metadata: 'read', administration: 'write', members: 'read',
+              checks: 'write', statuses: 'write', actions: 'read',
+              workflows: 'write', webhooks: 'write', repository_hooks: 'write'
+            }.freeze
+
+            DEFAULT_EVENTS = %w[
+              push pull_request pull_request_review issues issue_comment
+              create delete check_run check_suite status workflow_run
+              repository installation
+            ].freeze
+
+            def generate_manifest(name:, url:, webhook_url:, callback_url:,
+                                  permissions: DEFAULT_PERMISSIONS, events: DEFAULT_EVENTS,
+                                  public: true, **)
+              manifest = {
+                name: name, url: url, public: public,
+                hook_attributes: { url: webhook_url, active: true },
+                setup_url: callback_url,
+                redirect_url: callback_url,
+                default_permissions: permissions,
+                default_events: events
+              }
+              { result: manifest }
+            end
+
+            def exchange_manifest_code(code:, **)
+              conn = connection(**)
+              response = conn.post("/app-manifests/#{code}/conversions")
+              { result: response.body }
+            end
+
+            def manifest_url(manifest:, org: nil, **)
+              base = if org
+                       "https://github.com/organizations/#{org}/settings/apps/new"
+                     else
+                       'https://github.com/settings/apps/new'
+                     end
+              json_str = ::JSON.generate(manifest)
+              { result: "#{base}?manifest=#{URI.encode_www_form_component(json_str)}" }
+            end
+
+            include Legion::Extensions::Helpers::Lex if Legion::Extensions.const_defined?(:Helpers, false) &&
+                                                        Legion::Extensions::Helpers.const_defined?(:Lex, false)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/app/runners/webhooks.rb

@@ -0,0 +1,118 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'openssl'
+require 'legion/extensions/github/helpers/client'
+
+module Legion
+  module Extensions
+    module Github
+      module App
+        module Runners
+          module Webhooks
+            include Legion::Extensions::Github::Helpers::Client
+
+            def verify_signature(payload:, signature:, secret:, **)
+              return { result: false } if signature.nil? || signature.empty?
+
+              expected = "sha256=#{OpenSSL::HMAC.hexdigest('SHA256', secret, payload)}"
+              # Use constant-time comparison to prevent timing side-channel attacks.
+              # Pad to equal length so fixed_length_secure_compare can be used safely.
+              result = expected.length == signature.length &&
+                       OpenSSL.fixed_length_secure_compare(expected, signature)
+              { result: result }
+            end
+
+            def parse_event(payload:, event_type:, delivery_id:, **)
+              parsed = payload.is_a?(String) ? ::JSON.parse(payload) : payload
+              { result: { event_type: event_type, delivery_id: delivery_id, payload: parsed } }
+            end
+
+            def receive_event(payload:, signature:, secret:, event_type:, delivery_id:, **)
+              verified = verify_signature(payload: payload, signature: signature, secret: secret)[:result]
+              unless verified
+                return { result: { verified: false, event_type: event_type, delivery_id: delivery_id,
+                                   payload: nil } }
+              end
+
+              parsed = parse_event(payload: payload, event_type: event_type, delivery_id: delivery_id)[:result]
+              invalidate_scopes_for_event(event_type: event_type, payload: parsed[:payload])
+              { result: parsed.merge(verified: true) }
+            end
+
+            SCOPE_INVALIDATION_EVENTS = %w[installation installation_repositories].freeze
+
+            def invalidate_scopes_for_event(event_type:, payload:, **)
+              return unless SCOPE_INVALIDATION_EVENTS.include?(event_type.to_s)
+
+              owner = payload&.dig('installation', 'account', 'login')
+              return unless owner
+
+              invalidate_all_scopes_for_owner(owner: owner)
+            end
+
+            def invalidate_all_scopes_for_owner(owner:)
+              known_fingerprints = resolve_known_fingerprints
+              known_fingerprints.each do |fp|
+                invalidate_scope(fingerprint: fp, owner: owner)
+              end
+            end
+
+            private
+
+            def resolve_known_fingerprints
+              fingerprints = []
+
+              # Delegated (OAuth user) — check Vault and settings without resolving tokens
+              fingerprints << credential_fingerprint(auth_type: :oauth_user, identifier: 'vault_delegated') if vault_delegated_configured?
+              fingerprints << credential_fingerprint(auth_type: :oauth_user, identifier: 'settings_delegated') if settings_delegated_configured?
+
+              # App installation — derive from app_id without generating installation tokens
+              if (vault_app_id = safe_vault_get('github/app/app_id'))
+                fingerprints << credential_fingerprint(auth_type: :app_installation, identifier: "vault_app_#{vault_app_id}")
+              end
+              if (settings_app_id = safe_settings_dig(:github, :app, :app_id))
+                fingerprints << credential_fingerprint(auth_type: :app_installation, identifier: "settings_app_#{settings_app_id}")
+              end
+
+              # PAT
+              fingerprints << credential_fingerprint(auth_type: :pat, identifier: 'vault_pat') if safe_vault_get('github/token')
+              fingerprints << credential_fingerprint(auth_type: :pat, identifier: 'settings_pat') if safe_settings_dig(:github, :token)
+
+              # CLI and ENV
+              fingerprints << credential_fingerprint(auth_type: :cli, identifier: 'gh_cli')
+              fingerprints << credential_fingerprint(auth_type: :env, identifier: 'env')
+
+              fingerprints.uniq
+            rescue StandardError => _e
+              []
+            end
+
+            def vault_delegated_configured?
+              defined?(Legion::Crypt) && safe_vault_get('github/oauth/delegated/token')
+            end
+
+            def settings_delegated_configured?
+              defined?(Legion::Settings) && safe_settings_dig(:github, :oauth, :access_token)
+            end
+
+            def safe_vault_get(path)
+              vault_get(path) if defined?(Legion::Crypt)
+            rescue StandardError => _e
+              nil
+            end
+
+            def safe_settings_dig(*keys)
+              Legion::Settings.dig(*keys) if defined?(Legion::Settings)
+            rescue StandardError => _e
+              nil
+            end
+
+            include Legion::Extensions::Helpers::Lex if Legion::Extensions.const_defined?(:Helpers, false) &&
+                                                        Legion::Extensions::Helpers.const_defined?(:Lex, false)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/app/transport/exchanges/app.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Legion
+  module Extensions
+    module Github
+      module App
+        module Transport
+          module Exchanges
+            class App < Legion::Transport::Exchange
+              def exchange_name = 'lex.github.app'
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/app/transport/messages/event.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Legion
+  module Extensions
+    module Github
+      module App
+        module Transport
+          module Messages
+            class Event < Legion::Transport::Message
+              def routing_key = 'lex.github.app.runners.webhooks'
+              def exchange    = Legion::Extensions::Github::App::Transport::Exchanges::App
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/app/transport/queues/auth.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Legion
+  module Extensions
+    module Github
+      module App
+        module Transport
+          module Queues
+            class Auth < Legion::Transport::Queue
+              def queue_name    = 'lex.github.app.runners.auth'
+              def queue_options = { auto_delete: false }
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/app/transport/queues/webhooks.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Legion
+  module Extensions
+    module Github
+      module App
+        module Transport
+          module Queues
+            class Webhooks < Legion::Transport::Queue
+              def queue_name    = 'lex.github.app.runners.webhooks'
+              def queue_options = { auto_delete: false }
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/cli/app.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require 'legion/extensions/github/helpers/client'
+require 'legion/extensions/github/helpers/callback_server'
+require 'legion/extensions/github/app/runners/manifest'
+require 'legion/extensions/github/app/runners/credential_store'
+
+module Legion
+  module Extensions
+    module Github
+      module CLI
+        module App
+          include Helpers::Client
+          include Github::App::Runners::Manifest
+          include Github::App::Runners::CredentialStore
+
+          def setup(name:, url:, webhook_url:, org: nil, callback_timeout: 300, **)
+            server = Helpers::CallbackServer.new
+            server.start
+            callback_url = server.redirect_uri
+
+            manifest = generate_manifest(
+              name: name, url: url,
+              webhook_url: webhook_url,
+              callback_url: callback_url
+            )[:result]
+
+            url_result = manifest_url(manifest: manifest, org: org)[:result]
+
+            { result: { manifest_url: url_result, callback_port: server.port,
+                        message: 'Open the manifest URL in your browser to create the GitHub App',
+                        callback: server.wait_for_callback(timeout: callback_timeout) } }
+          ensure
+            server&.shutdown
+          end
+
+          def complete_setup(code:, **)
+            result = exchange_manifest_code(code: code)[:result]
+            return { error: 'exchange_failed' } unless result&.dig('id')
+
+            if respond_to?(:store_app_credentials, true)
+              store_app_credentials(
+                app_id:         result['id'].to_s,
+                private_key:    result['pem'],
+                client_id:      result['client_id'],
+                client_secret:  result['client_secret'],
+                webhook_secret: result['webhook_secret']
+              )
+            end
+
+            { result: result }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/cli/auth.rb

@@ -0,0 +1,99 @@
+# frozen_string_literal: true
+
+require 'legion/extensions/github/helpers/client'
+require 'legion/extensions/github/helpers/browser_auth'
+
+module Legion
+  module Extensions
+    module Github
+      module CLI
+        module Auth
+          include Helpers::Client
+
+          def login(client_id: nil, client_secret: nil, scopes: nil, **)
+            cid = client_id || settings_client_id
+            csec = client_secret || settings_client_secret
+            sc = scopes || settings_scopes
+
+            unless cid && csec
+              return { error:       'missing_config',
+                       description: 'Set github.oauth.client_id or github.app.client_id and github.app.client_secret in settings or pass as arguments' }
+            end
+
+            browser = Helpers::BrowserAuth.new(client_id: cid, client_secret: csec, scopes: sc)
+            result = browser.authenticate
+
+            if result[:result]&.dig('access_token') && respond_to?(:store_oauth_token, true)
+              user = begin
+                current_user(token: result[:result]['access_token'])
+              rescue StandardError => _e
+                'default'
+              end
+              store_oauth_token(
+                user:          user,
+                access_token:  result[:result]['access_token'],
+                refresh_token: result[:result]['refresh_token'],
+                expires_in:    result[:result]['expires_in']
+              )
+            end
+
+            result
+          end
+
+          def status(**)
+            cred = resolve_credential
+            return { result: { authenticated: false } } unless cred
+
+            user_info = {}
+            scopes = nil
+
+            begin
+              response = connection(token: cred[:token]).get('/user')
+              user_info = response.body || {}
+              headers = response.respond_to?(:headers) ? response.headers : {}
+              scopes_header = headers['X-OAuth-Scopes'] || headers['x-oauth-scopes']
+              scopes = scopes_header&.split(',')&.map(&:strip)
+            rescue StandardError => _e
+              user_info = {}
+              scopes = nil
+            end
+
+            { result: { authenticated: true, auth_type: cred[:auth_type],
+                        user: user_info['login'], scopes: scopes } }
+          end
+
+          private
+
+          def current_user(token:)
+            connection(token: token).get('/user').body['login']
+          end
+
+          def settings_client_id
+            return nil unless defined?(Legion::Settings)
+
+            Legion::Settings.dig(:github, :oauth, :client_id) ||
+              Legion::Settings.dig(:github, :app, :client_id)
+          rescue StandardError => _e
+            nil
+          end
+
+          def settings_client_secret
+            return nil unless defined?(Legion::Settings)
+
+            Legion::Settings.dig(:github, :app, :client_secret)
+          rescue StandardError => _e
+            nil
+          end
+
+          def settings_scopes
+            return nil unless defined?(Legion::Settings)
+
+            Legion::Settings.dig(:github, :oauth, :scopes)
+          rescue StandardError => _e
+            nil
+          end
+        end
+      end
+    end
+  end
+end