lex-github 0.2.5 → 0.3.0

data/lib/legion/extensions/github/app/runners/auth.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require 'jwt'
+require 'openssl'
+require 'legion/extensions/github/helpers/client'
+
+module Legion
+  module Extensions
+    module Github
+      module App
+        module Runners
+          module Auth
+            include Legion::Extensions::Github::Helpers::Client
+
+            def generate_jwt(app_id:, private_key:, **)
+              key = OpenSSL::PKey::RSA.new(private_key)
+              now = Time.now.to_i
+              payload = { iat: now - 60, exp: now + (10 * 60), iss: app_id.to_s }
+              token = JWT.encode(payload, key, 'RS256')
+              { result: token }
+            end
+
+            def create_installation_token(jwt:, installation_id:, **)
+              conn = connection(token: jwt, **)
+              response = conn.post("/app/installations/#{installation_id}/access_tokens")
+              { result: response.body }
+            end
+
+            def list_installations(jwt:, per_page: 30, page: 1, **)
+              conn = connection(token: jwt, **)
+              response = conn.get('/app/installations', per_page: per_page, page: page)
+              { result: response.body }
+            end
+
+            def get_installation(jwt:, installation_id:, **)
+              conn = connection(token: jwt, **)
+              response = conn.get("/app/installations/#{installation_id}")
+              { result: response.body }
+            end
+
+            include Legion::Extensions::Helpers::Lex if Legion::Extensions.const_defined?(:Helpers, false) &&
+                                                        Legion::Extensions::Helpers.const_defined?(:Lex, false)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/app/runners/credential_store.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require 'time'
+
+module Legion
+  module Extensions
+    module Github
+      module App
+        module Runners
+          module CredentialStore
+            def store_app_credentials(app_id:, private_key:, client_id:, client_secret:, webhook_secret:, **)
+              vault_set('github/app/app_id', app_id)
+              vault_set('github/app/private_key', private_key)
+              vault_set('github/app/client_id', client_id)
+              vault_set('github/app/client_secret', client_secret)
+              vault_set('github/app/webhook_secret', webhook_secret)
+              { result: true }
+            end
+
+            def store_oauth_token(user:, access_token:, refresh_token:, expires_in: nil, scope: nil, **)
+              data = { 'access_token' => access_token, 'refresh_token' => refresh_token,
+                       'expires_in' => expires_in, 'scope' => scope,
+                       'stored_at' => Time.now.iso8601 }.compact
+              vault_set("github/oauth/#{user}/token", data)
+              # Also write to canonical delegated path so resolve_vault_delegated can discover the token
+              vault_set('github/oauth/delegated/token', data)
+              { result: true }
+            end
+
+            def load_oauth_token(user:, **)
+              data = begin
+                vault_get("github/oauth/#{user}/token")
+              rescue StandardError => _e
+                nil
+              end
+              { result: data }
+            end
+
+            include Legion::Extensions::Helpers::Lex if Legion::Extensions.const_defined?(:Helpers, false) &&
+                                                        Legion::Extensions::Helpers.const_defined?(:Lex, false)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/app/runners/installations.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+require 'legion/extensions/github/helpers/client'
+
+module Legion
+  module Extensions
+    module Github
+      module App
+        module Runners
+          module Installations
+            include Legion::Extensions::Github::Helpers::Client
+
+            def list_installations(jwt:, per_page: 30, page: 1, **)
+              conn = connection(token: jwt, **)
+              response = conn.get('/app/installations', per_page: per_page, page: page)
+              { result: response.body }
+            end
+
+            def get_installation(jwt:, installation_id:, **)
+              conn = connection(token: jwt, **)
+              response = conn.get("/app/installations/#{installation_id}")
+              { result: response.body }
+            end
+
+            def list_installation_repos(per_page: 30, page: 1, **)
+              response = connection(**).get('/installation/repositories',
+                                            per_page: per_page, page: page)
+              { result: response.body }
+            end
+
+            def suspend_installation(jwt:, installation_id:, **)
+              conn = connection(token: jwt, **)
+              response = conn.put("/app/installations/#{installation_id}/suspended")
+              { result: response.status == 204 }
+            end
+
+            def unsuspend_installation(jwt:, installation_id:, **)
+              conn = connection(token: jwt, **)
+              response = conn.delete("/app/installations/#{installation_id}/suspended")
+              { result: response.status == 204 }
+            end
+
+            def delete_installation(jwt:, installation_id:, **)
+              conn = connection(token: jwt, **)
+              response = conn.delete("/app/installations/#{installation_id}")
+              { result: response.status == 204 }
+            end
+
+            include Legion::Extensions::Helpers::Lex if Legion::Extensions.const_defined?(:Helpers, false) &&
+                                                        Legion::Extensions::Helpers.const_defined?(:Lex, false)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/app/runners/manifest.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'uri'
+require 'legion/extensions/github/helpers/client'
+
+module Legion
+  module Extensions
+    module Github
+      module App
+        module Runners
+          module Manifest
+            include Legion::Extensions::Github::Helpers::Client
+
+            DEFAULT_PERMISSIONS = {
+              contents: 'write', issues: 'write', pull_requests: 'write',
+              metadata: 'read', administration: 'write', members: 'read',
+              checks: 'write', statuses: 'write', actions: 'read',
+              workflows: 'write', webhooks: 'write', repository_hooks: 'write'
+            }.freeze
+
+            DEFAULT_EVENTS = %w[
+              push pull_request pull_request_review issues issue_comment
+              create delete check_run check_suite status workflow_run
+              repository installation
+            ].freeze
+
+            def generate_manifest(name:, url:, webhook_url:, callback_url:,
+                                  permissions: DEFAULT_PERMISSIONS, events: DEFAULT_EVENTS,
+                                  public: true, **)
+              manifest = {
+                name: name, url: url, public: public,
+                hook_attributes: { url: webhook_url, active: true },
+                setup_url: callback_url,
+                redirect_url: callback_url,
+                default_permissions: permissions,
+                default_events: events
+              }
+              { result: manifest }
+            end
+
+            def exchange_manifest_code(code:, **)
+              conn = connection(**)
+              response = conn.post("/app-manifests/#{code}/conversions")
+              { result: response.body }
+            end
+
+            def manifest_url(manifest:, org: nil, **)
+              base = if org
+                       "https://github.com/organizations/#{org}/settings/apps/new"
+                     else
+                       'https://github.com/settings/apps/new'
+                     end
+              json_str = ::JSON.generate(manifest)
+              { result: "#{base}?manifest=#{URI.encode_www_form_component(json_str)}" }
+            end
+
+            include Legion::Extensions::Helpers::Lex if Legion::Extensions.const_defined?(:Helpers, false) &&
+                                                        Legion::Extensions::Helpers.const_defined?(:Lex, false)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/app/runners/webhooks.rb

@@ -0,0 +1,118 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'openssl'
+require 'legion/extensions/github/helpers/client'
+
+module Legion
+  module Extensions
+    module Github
+      module App
+        module Runners
+          module Webhooks
+            include Legion::Extensions::Github::Helpers::Client
+
+            def verify_signature(payload:, signature:, secret:, **)
+              return { result: false } if signature.nil? || signature.empty?
+
+              expected = "sha256=#{OpenSSL::HMAC.hexdigest('SHA256', secret, payload)}"
+              # Use constant-time comparison to prevent timing side-channel attacks.
+              # Pad to equal length so fixed_length_secure_compare can be used safely.
+              result = expected.length == signature.length &&
+                       OpenSSL.fixed_length_secure_compare(expected, signature)
+              { result: result }
+            end
+
+            def parse_event(payload:, event_type:, delivery_id:, **)
+              parsed = payload.is_a?(String) ? ::JSON.parse(payload) : payload
+              { result: { event_type: event_type, delivery_id: delivery_id, payload: parsed } }
+            end
+
+            def receive_event(payload:, signature:, secret:, event_type:, delivery_id:, **)
+              verified = verify_signature(payload: payload, signature: signature, secret: secret)[:result]
+              unless verified
+                return { result: { verified: false, event_type: event_type, delivery_id: delivery_id,
+                                   payload: nil } }
+              end
+
+              parsed = parse_event(payload: payload, event_type: event_type, delivery_id: delivery_id)[:result]
+              invalidate_scopes_for_event(event_type: event_type, payload: parsed[:payload])
+              { result: parsed.merge(verified: true) }
+            end
+
+            SCOPE_INVALIDATION_EVENTS = %w[installation installation_repositories].freeze
+
+            def invalidate_scopes_for_event(event_type:, payload:, **)
+              return unless SCOPE_INVALIDATION_EVENTS.include?(event_type.to_s)
+
+              owner = payload&.dig('installation', 'account', 'login')
+              return unless owner
+
+              invalidate_all_scopes_for_owner(owner: owner)
+            end
+
+            def invalidate_all_scopes_for_owner(owner:)
+              known_fingerprints = resolve_known_fingerprints
+              known_fingerprints.each do |fp|
+                invalidate_scope(fingerprint: fp, owner: owner)
+              end
+            end
+
+            private
+
+            def resolve_known_fingerprints
+              fingerprints = []
+
+              # Delegated (OAuth user) — check Vault and settings without resolving tokens
+              fingerprints << credential_fingerprint(auth_type: :oauth_user, identifier: 'vault_delegated') if vault_delegated_configured?
+              fingerprints << credential_fingerprint(auth_type: :oauth_user, identifier: 'settings_delegated') if settings_delegated_configured?
+
+              # App installation — derive from app_id without generating installation tokens
+              if (vault_app_id = safe_vault_get('github/app/app_id'))
+                fingerprints << credential_fingerprint(auth_type: :app_installation, identifier: "vault_app_#{vault_app_id}")
+              end
+              if (settings_app_id = safe_settings_dig(:github, :app, :app_id))
+                fingerprints << credential_fingerprint(auth_type: :app_installation, identifier: "settings_app_#{settings_app_id}")
+              end
+
+              # PAT
+              fingerprints << credential_fingerprint(auth_type: :pat, identifier: 'vault_pat') if safe_vault_get('github/token')
+              fingerprints << credential_fingerprint(auth_type: :pat, identifier: 'settings_pat') if safe_settings_dig(:github, :token)
+
+              # CLI and ENV
+              fingerprints << credential_fingerprint(auth_type: :cli, identifier: 'gh_cli')
+              fingerprints << credential_fingerprint(auth_type: :env, identifier: 'env')
+
+              fingerprints.uniq
+            rescue StandardError => _e
+              []
+            end
+
+            def vault_delegated_configured?
+              defined?(Legion::Crypt) && safe_vault_get('github/oauth/delegated/token')
+            end
+
+            def settings_delegated_configured?
+              defined?(Legion::Settings) && safe_settings_dig(:github, :oauth, :access_token)
+            end
+
+            def safe_vault_get(path)
+              vault_get(path) if defined?(Legion::Crypt)
+            rescue StandardError => _e
+              nil
+            end
+
+            def safe_settings_dig(*keys)
+              Legion::Settings.dig(*keys) if defined?(Legion::Settings)
+            rescue StandardError => _e
+              nil
+            end
+
+            include Legion::Extensions::Helpers::Lex if Legion::Extensions.const_defined?(:Helpers, false) &&
+                                                        Legion::Extensions::Helpers.const_defined?(:Lex, false)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/app/transport/exchanges/app.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Legion
+  module Extensions
+    module Github
+      module App
+        module Transport
+          module Exchanges
+            class App < Legion::Transport::Exchange
+              def exchange_name = 'lex.github.app'
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/app/transport/messages/event.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Legion
+  module Extensions
+    module Github
+      module App
+        module Transport
+          module Messages
+            class Event < Legion::Transport::Message
+              def routing_key = 'lex.github.app.runners.webhooks'
+              def exchange    = Legion::Extensions::Github::App::Transport::Exchanges::App
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/app/transport/queues/auth.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Legion
+  module Extensions
+    module Github
+      module App
+        module Transport
+          module Queues
+            class Auth < Legion::Transport::Queue
+              def queue_name    = 'lex.github.app.runners.auth'
+              def queue_options = { auto_delete: false }
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/app/transport/queues/webhooks.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Legion
+  module Extensions
+    module Github
+      module App
+        module Transport
+          module Queues
+            class Webhooks < Legion::Transport::Queue
+              def queue_name    = 'lex.github.app.runners.webhooks'
+              def queue_options = { auto_delete: false }
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/cli/app.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require 'legion/extensions/github/helpers/client'
+require 'legion/extensions/github/helpers/callback_server'
+require 'legion/extensions/github/app/runners/manifest'
+require 'legion/extensions/github/app/runners/credential_store'
+
+module Legion
+  module Extensions
+    module Github
+      module CLI
+        module App
+          include Helpers::Client
+          include Github::App::Runners::Manifest
+          include Github::App::Runners::CredentialStore
+
+          def setup(name:, url:, webhook_url:, org: nil, callback_timeout: 300, **)
+            server = Helpers::CallbackServer.new
+            server.start
+            callback_url = server.redirect_uri
+
+            manifest = generate_manifest(
+              name: name, url: url,
+              webhook_url: webhook_url,
+              callback_url: callback_url
+            )[:result]
+
+            url_result = manifest_url(manifest: manifest, org: org)[:result]
+
+            { result: { manifest_url: url_result, callback_port: server.port,
+                        message: 'Open the manifest URL in your browser to create the GitHub App',
+                        callback: server.wait_for_callback(timeout: callback_timeout) } }
+          ensure
+            server&.shutdown
+          end
+
+          def complete_setup(code:, **)
+            result = exchange_manifest_code(code: code)[:result]
+            return { error: 'exchange_failed' } unless result&.dig('id')
+
+            if respond_to?(:store_app_credentials, true)
+              store_app_credentials(
+                app_id:         result['id'].to_s,
+                private_key:    result['pem'],
+                client_id:      result['client_id'],
+                client_secret:  result['client_secret'],
+                webhook_secret: result['webhook_secret']
+              )
+            end
+
+            { result: result }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/cli/auth.rb

@@ -0,0 +1,99 @@
+# frozen_string_literal: true
+
+require 'legion/extensions/github/helpers/client'
+require 'legion/extensions/github/helpers/browser_auth'
+
+module Legion
+  module Extensions
+    module Github
+      module CLI
+        module Auth
+          include Helpers::Client
+
+          def login(client_id: nil, client_secret: nil, scopes: nil, **)
+            cid = client_id || settings_client_id
+            csec = client_secret || settings_client_secret
+            sc = scopes || settings_scopes
+
+            unless cid && csec
+              return { error:       'missing_config',
+                       description: 'Set github.oauth.client_id or github.app.client_id and github.app.client_secret in settings or pass as arguments' }
+            end
+
+            browser = Helpers::BrowserAuth.new(client_id: cid, client_secret: csec, scopes: sc)
+            result = browser.authenticate
+
+            if result[:result]&.dig('access_token') && respond_to?(:store_oauth_token, true)
+              user = begin
+                current_user(token: result[:result]['access_token'])
+              rescue StandardError => _e
+                'default'
+              end
+              store_oauth_token(
+                user:          user,
+                access_token:  result[:result]['access_token'],
+                refresh_token: result[:result]['refresh_token'],
+                expires_in:    result[:result]['expires_in']
+              )
+            end
+
+            result
+          end
+
+          def status(**)
+            cred = resolve_credential
+            return { result: { authenticated: false } } unless cred
+
+            user_info = {}
+            scopes = nil
+
+            begin
+              response = connection(token: cred[:token]).get('/user')
+              user_info = response.body || {}
+              headers = response.respond_to?(:headers) ? response.headers : {}
+              scopes_header = headers['X-OAuth-Scopes'] || headers['x-oauth-scopes']
+              scopes = scopes_header&.split(',')&.map(&:strip)
+            rescue StandardError => _e
+              user_info = {}
+              scopes = nil
+            end
+
+            { result: { authenticated: true, auth_type: cred[:auth_type],
+                        user: user_info['login'], scopes: scopes } }
+          end
+
+          private
+
+          def current_user(token:)
+            connection(token: token).get('/user').body['login']
+          end
+
+          def settings_client_id
+            return nil unless defined?(Legion::Settings)
+
+            Legion::Settings.dig(:github, :oauth, :client_id) ||
+              Legion::Settings.dig(:github, :app, :client_id)
+          rescue StandardError => _e
+            nil
+          end
+
+          def settings_client_secret
+            return nil unless defined?(Legion::Settings)
+
+            Legion::Settings.dig(:github, :app, :client_secret)
+          rescue StandardError => _e
+            nil
+          end
+
+          def settings_scopes
+            return nil unless defined?(Legion::Settings)
+
+            Legion::Settings.dig(:github, :oauth, :scopes)
+          rescue StandardError => _e
+            nil
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/client.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'legion/extensions/github/helpers/client'
+require 'legion/extensions/github/helpers/cache'
 require 'legion/extensions/github/runners/repositories'
 require 'legion/extensions/github/runners/issues'
 require 'legion/extensions/github/runners/pull_requests'
@@ -13,12 +14,24 @@ require 'legion/extensions/github/runners/labels'
 require 'legion/extensions/github/runners/comments'
 require 'legion/extensions/github/runners/branches'
 require 'legion/extensions/github/runners/contents'
+require 'legion/extensions/github/runners/actions'
+require 'legion/extensions/github/runners/checks'
+require 'legion/extensions/github/runners/releases'
+require 'legion/extensions/github/runners/deployments'
+require 'legion/extensions/github/runners/repository_webhooks'
+require 'legion/extensions/github/app/runners/auth'
+require 'legion/extensions/github/app/runners/webhooks'
+require 'legion/extensions/github/app/runners/manifest'
+require 'legion/extensions/github/app/runners/installations'
+require 'legion/extensions/github/app/runners/credential_store'
+require 'legion/extensions/github/oauth/runners/auth'
 
 module Legion
   module Extensions
     module Github
       class Client
         include Helpers::Client
+        include Helpers::Cache
         include Runners::Repositories
         include Runners::Issues
         include Runners::PullRequests
@@ -31,6 +44,17 @@ module Legion
         include Runners::Comments
         include Runners::Branches
         include Runners::Contents
+        include Runners::Actions
+        include Runners::Checks
+        include Runners::Releases
+        include Runners::Deployments
+        include Runners::RepositoryWebhooks
+        include App::Runners::Auth
+        include App::Runners::Webhooks
+        include App::Runners::Manifest
+        include App::Runners::Installations
+        include App::Runners::CredentialStore
+        include OAuth::Runners::Auth
 
         attr_reader :opts
 

data/lib/legion/extensions/github/errors.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module Legion
+  module Extensions
+    module Github
+      class Error < StandardError; end
+
+      class RateLimitError < Error
+        attr_reader :reset_at, :credential_fingerprint
+
+        def initialize(message = 'GitHub API rate limit exceeded', reset_at: nil, credential_fingerprint: nil)
+          @reset_at = reset_at
+          @credential_fingerprint = credential_fingerprint
+          super(message)
+        end
+      end
+
+      class AuthorizationError < Error
+        attr_reader :owner, :repo, :attempted_sources
+
+        def initialize(message = 'No authorized credential available', owner: nil, repo: nil,
+                       attempted_sources: [])
+          @owner = owner
+          @repo = repo
+          @attempted_sources = attempted_sources
+          super(message)
+        end
+      end
+
+      class ScopeDeniedError < Error
+        attr_reader :owner, :repo, :credential_fingerprint, :auth_type
+
+        def initialize(message = 'Credential not authorized for this scope',
+                       owner: nil, repo: nil, credential_fingerprint: nil, auth_type: nil)
+          @owner = owner
+          @repo = repo
+          @credential_fingerprint = credential_fingerprint
+          @auth_type = auth_type
+          super(message)
+        end
+      end
+    end
+  end
+end