lex-github 0.2.4 → 0.3.0

data/lib/legion/extensions/github/client.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'legion/extensions/github/helpers/client'
+require 'legion/extensions/github/helpers/cache'
 require 'legion/extensions/github/runners/repositories'
 require 'legion/extensions/github/runners/issues'
 require 'legion/extensions/github/runners/pull_requests'
@@ -13,12 +14,24 @@ require 'legion/extensions/github/runners/labels'
 require 'legion/extensions/github/runners/comments'
 require 'legion/extensions/github/runners/branches'
 require 'legion/extensions/github/runners/contents'
+require 'legion/extensions/github/runners/actions'
+require 'legion/extensions/github/runners/checks'
+require 'legion/extensions/github/runners/releases'
+require 'legion/extensions/github/runners/deployments'
+require 'legion/extensions/github/runners/repository_webhooks'
+require 'legion/extensions/github/app/runners/auth'
+require 'legion/extensions/github/app/runners/webhooks'
+require 'legion/extensions/github/app/runners/manifest'
+require 'legion/extensions/github/app/runners/installations'
+require 'legion/extensions/github/app/runners/credential_store'
+require 'legion/extensions/github/oauth/runners/auth'
 
 module Legion
   module Extensions
     module Github
       class Client
         include Helpers::Client
+        include Helpers::Cache
         include Runners::Repositories
         include Runners::Issues
         include Runners::PullRequests
@@ -31,6 +44,17 @@ module Legion
         include Runners::Comments
         include Runners::Branches
         include Runners::Contents
+        include Runners::Actions
+        include Runners::Checks
+        include Runners::Releases
+        include Runners::Deployments
+        include Runners::RepositoryWebhooks
+        include App::Runners::Auth
+        include App::Runners::Webhooks
+        include App::Runners::Manifest
+        include App::Runners::Installations
+        include App::Runners::CredentialStore
+        include OAuth::Runners::Auth
 
         attr_reader :opts
 

data/lib/legion/extensions/github/errors.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module Legion
+  module Extensions
+    module Github
+      class Error < StandardError; end
+
+      class RateLimitError < Error
+        attr_reader :reset_at, :credential_fingerprint
+
+        def initialize(message = 'GitHub API rate limit exceeded', reset_at: nil, credential_fingerprint: nil)
+          @reset_at = reset_at
+          @credential_fingerprint = credential_fingerprint
+          super(message)
+        end
+      end
+
+      class AuthorizationError < Error
+        attr_reader :owner, :repo, :attempted_sources
+
+        def initialize(message = 'No authorized credential available', owner: nil, repo: nil,
+                       attempted_sources: [])
+          @owner = owner
+          @repo = repo
+          @attempted_sources = attempted_sources
+          super(message)
+        end
+      end
+
+      class ScopeDeniedError < Error
+        attr_reader :owner, :repo, :credential_fingerprint, :auth_type
+
+        def initialize(message = 'Credential not authorized for this scope',
+                       owner: nil, repo: nil, credential_fingerprint: nil, auth_type: nil)
+          @owner = owner
+          @repo = repo
+          @credential_fingerprint = credential_fingerprint
+          @auth_type = auth_type
+          super(message)
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/helpers/browser_auth.rb

@@ -0,0 +1,106 @@
+# frozen_string_literal: true
+
+require 'securerandom'
+require 'rbconfig'
+require 'legion/extensions/github/oauth/runners/auth'
+require 'legion/extensions/github/helpers/callback_server'
+
+module Legion
+  module Extensions
+    module Github
+      module Helpers
+        class BrowserAuth
+          DEFAULT_SCOPES = 'repo admin:org admin:repo_hook read:user'
+
+          attr_reader :client_id, :client_secret, :scopes
+
+          def initialize(client_id:, client_secret:, scopes: DEFAULT_SCOPES, auth: nil, **)
+            @client_id = client_id
+            @client_secret = client_secret
+            @scopes = scopes
+            @auth = auth || Object.new.extend(OAuth::Runners::Auth)
+          end
+
+          def authenticate
+            if gui_available?
+              authenticate_browser
+            else
+              authenticate_device_code
+            end
+          end
+
+          def gui_available?
+            os = host_os
+            return true if /darwin|mswin|mingw/.match?(os)
+
+            !ENV['DISPLAY'].nil? || !ENV['WAYLAND_DISPLAY'].nil?
+          end
+
+          def open_browser(url)
+            cmd = case host_os
+                  when /darwin/      then 'open'
+                  when /linux/       then 'xdg-open'
+                  when /mswin|mingw/ then 'start'
+                  end
+            return false unless cmd
+
+            system(cmd, url)
+          end
+
+          private
+
+          def host_os
+            RbConfig::CONFIG['host_os']
+          end
+
+          def authenticate_browser
+            pkce = @auth.generate_pkce[:result]
+            state = SecureRandom.hex(32)
+
+            server = CallbackServer.new
+            server.start
+            callback_uri = server.redirect_uri
+
+            url = @auth.authorize_url(
+              client_id: client_id, redirect_uri: callback_uri,
+              scope: scopes, state: state,
+              code_challenge: pkce[:challenge],
+              code_challenge_method: pkce[:challenge_method]
+            )[:result]
+
+            return authenticate_device_code unless open_browser(url)
+
+            result = server.wait_for_callback(timeout: 120)
+
+            return { error: 'timeout', description: 'No callback received within timeout' } unless result&.dig(:code)
+
+            return { error: 'state_mismatch', description: 'CSRF state parameter mismatch' } unless result[:state] == state
+
+            @auth.exchange_code(
+              client_id: client_id, client_secret: client_secret,
+              code: result[:code], redirect_uri: callback_uri,
+              code_verifier: pkce[:verifier]
+            )
+          ensure
+            server&.shutdown
+          end
+
+          def authenticate_device_code
+            dc = @auth.request_device_code(client_id: client_id, scope: scopes)
+            return { error: dc[:error], description: dc[:description] } if dc[:error]
+
+            body = dc[:result]
+            warn "Go to:  #{body[:verification_uri]}"
+            warn "Code:   #{body[:user_code]}"
+            open_browser(body[:verification_uri]) if gui_available?
+
+            @auth.poll_device_code(
+              client_id:   client_id,
+              device_code: body[:device_code]
+            )
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/helpers/cache.rb

@@ -0,0 +1,99 @@
+# frozen_string_literal: true
+
+require 'legion/cache/helper'
+
+module Legion
+  module Extensions
+    module Github
+      module Helpers
+        module Cache
+          include Legion::Cache::Helper
+
+          DEFAULT_TTLS = {
+            repo: 600, issue: 120, pull_request: 60, commit: 86_400,
+            branch: 120, user: 3600, org: 3600, search: 60
+          }.freeze
+
+          DEFAULT_TTL = 300
+
+          def cached_get(cache_key, ttl: nil)
+            if cache_connected?
+              result = cache_get(cache_key)
+              return result if result
+            end
+
+            if local_cache_connected?
+              result = local_cache_get(cache_key)
+              return result if result
+            end
+
+            result = yield
+            effective_ttl = ttl || github_ttl_for(cache_key)
+            cache_set(cache_key, result, ttl: effective_ttl) if cache_connected?
+            local_cache_set(cache_key, result, ttl: effective_ttl) if local_cache_connected?
+            result
+          end
+
+          def cache_write(cache_key, value, ttl: nil)
+            effective_ttl = ttl || github_ttl_for(cache_key)
+            cache_set(cache_key, value, ttl: effective_ttl) if cache_connected?
+            local_cache_set(cache_key, value, ttl: effective_ttl) if local_cache_connected?
+          end
+
+          def cache_invalidate(cache_key)
+            cache_delete(cache_key) if cache_connected?
+            local_cache_delete(cache_key) if local_cache_connected?
+          end
+
+          def github_ttl_for(cache_key)
+            configured_ttls = github_cache_ttls
+            case cache_key
+            when /:commits:/ then configured_ttls[:commit]
+            when /:pulls:/   then configured_ttls[:pull_request]
+            when /:issues:/  then configured_ttls[:issue]
+            when /:branches:/ then configured_ttls[:branch]
+            when /\Agithub:user:/ then configured_ttls[:user]
+            when /\Agithub:org:/  then configured_ttls[:org]
+            when /\Agithub:repo:[^:]+\z/ then configured_ttls[:repo]
+            when /:search:/ then configured_ttls[:search]
+            else configured_ttls.fetch(:default, DEFAULT_TTL)
+            end
+          end
+
+          def cache_connected?
+            ::Legion::Cache.connected?
+          rescue StandardError => _e
+            false
+          end
+
+          def local_cache_connected?
+            false
+          end
+
+          def local_cache_get(_key)
+            nil
+          end
+
+          def local_cache_set(_key, _value, ttl: nil) # rubocop:disable Lint/UnusedMethodArgument
+            nil
+          end
+
+          def local_cache_delete(_key)
+            nil
+          end
+
+          private
+
+          def github_cache_ttls
+            return DEFAULT_TTLS.merge(default: DEFAULT_TTL) unless defined?(Legion::Settings)
+
+            overrides = Legion::Settings.dig(:github, :cache, :ttls) || {}
+            DEFAULT_TTLS.merge(default: DEFAULT_TTL).merge(overrides.transform_keys(&:to_sym))
+          rescue StandardError => _e
+            DEFAULT_TTLS.merge(default: DEFAULT_TTL)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/helpers/callback_server.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+require 'socket'
+require 'uri'
+
+module Legion
+  module Extensions
+    module Github
+      module Helpers
+        class CallbackServer
+          RESPONSE_HTML = <<~HTML
+            <html><body style="font-family:sans-serif;text-align:center;padding:40px;">
+            <h2>GitHub authentication complete</h2><p>You can close this window.</p></body></html>
+          HTML
+
+          attr_reader :port
+
+          def initialize
+            @server = nil
+            @port = nil
+            @result = nil
+            @mutex = Mutex.new
+            @cv = ConditionVariable.new
+          end
+
+          def start
+            @server = TCPServer.new('127.0.0.1', 0)
+            @port = @server.addr[1]
+            @thread = Thread.new { listen } # rubocop:disable ThreadSafety/NewThread
+          end
+
+          def wait_for_callback(timeout: 120)
+            @mutex.synchronize do
+              @cv.wait(@mutex, timeout) unless @result
+              @result
+            end
+          end
+
+          def shutdown
+            @server&.close
+          rescue StandardError => _e
+            nil
+          ensure
+            @thread&.join(2)
+            @thread&.kill
+          end
+
+          def redirect_uri
+            "http://127.0.0.1:#{@port}/callback"
+          end
+
+          private
+
+          def listen
+            loop do
+              client = @server.accept
+              request_line = client.gets
+              loop do
+                line = client.gets
+                break if line.nil? || line.strip.empty?
+              end
+
+              if request_line&.include?('/callback?')
+                query = request_line.split[1].split('?', 2).last
+                params = URI.decode_www_form(query).to_h
+
+                @mutex.synchronize do
+                  @result = { code: params['code'], state: params['state'] }
+                  @cv.broadcast
+                end
+              end
+
+              client.print "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nConnection: close\r\n\r\n#{RESPONSE_HTML}"
+              client.close
+              break if @result
+            end
+          rescue IOError # rubocop:disable Legion/RescueLogging/NoCapture
+            nil
+          rescue StandardError => e
+            @mutex.synchronize do
+              @result ||= { error: e.message }
+              @cv.broadcast
+            end
+          end
+        end
+      end
+    end
+  end
+end