lex-github 0.2.5 → 0.3.0

data/lib/legion/extensions/github/helpers/browser_auth.rb

@@ -0,0 +1,106 @@
+# frozen_string_literal: true
+
+require 'securerandom'
+require 'rbconfig'
+require 'legion/extensions/github/oauth/runners/auth'
+require 'legion/extensions/github/helpers/callback_server'
+
+module Legion
+  module Extensions
+    module Github
+      module Helpers
+        class BrowserAuth
+          DEFAULT_SCOPES = 'repo admin:org admin:repo_hook read:user'
+
+          attr_reader :client_id, :client_secret, :scopes
+
+          def initialize(client_id:, client_secret:, scopes: DEFAULT_SCOPES, auth: nil, **)
+            @client_id = client_id
+            @client_secret = client_secret
+            @scopes = scopes
+            @auth = auth || Object.new.extend(OAuth::Runners::Auth)
+          end
+
+          def authenticate
+            if gui_available?
+              authenticate_browser
+            else
+              authenticate_device_code
+            end
+          end
+
+          def gui_available?
+            os = host_os
+            return true if /darwin|mswin|mingw/.match?(os)
+
+            !ENV['DISPLAY'].nil? || !ENV['WAYLAND_DISPLAY'].nil?
+          end
+
+          def open_browser(url)
+            cmd = case host_os
+                  when /darwin/      then 'open'
+                  when /linux/       then 'xdg-open'
+                  when /mswin|mingw/ then 'start'
+                  end
+            return false unless cmd
+
+            system(cmd, url)
+          end
+
+          private
+
+          def host_os
+            RbConfig::CONFIG['host_os']
+          end
+
+          def authenticate_browser
+            pkce = @auth.generate_pkce[:result]
+            state = SecureRandom.hex(32)
+
+            server = CallbackServer.new
+            server.start
+            callback_uri = server.redirect_uri
+
+            url = @auth.authorize_url(
+              client_id: client_id, redirect_uri: callback_uri,
+              scope: scopes, state: state,
+              code_challenge: pkce[:challenge],
+              code_challenge_method: pkce[:challenge_method]
+            )[:result]
+
+            return authenticate_device_code unless open_browser(url)
+
+            result = server.wait_for_callback(timeout: 120)
+
+            return { error: 'timeout', description: 'No callback received within timeout' } unless result&.dig(:code)
+
+            return { error: 'state_mismatch', description: 'CSRF state parameter mismatch' } unless result[:state] == state
+
+            @auth.exchange_code(
+              client_id: client_id, client_secret: client_secret,
+              code: result[:code], redirect_uri: callback_uri,
+              code_verifier: pkce[:verifier]
+            )
+          ensure
+            server&.shutdown
+          end
+
+          def authenticate_device_code
+            dc = @auth.request_device_code(client_id: client_id, scope: scopes)
+            return { error: dc[:error], description: dc[:description] } if dc[:error]
+
+            body = dc[:result]
+            warn "Go to:  #{body[:verification_uri]}"
+            warn "Code:   #{body[:user_code]}"
+            open_browser(body[:verification_uri]) if gui_available?
+
+            @auth.poll_device_code(
+              client_id:   client_id,
+              device_code: body[:device_code]
+            )
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/helpers/cache.rb

@@ -0,0 +1,99 @@
+# frozen_string_literal: true
+
+require 'legion/cache/helper'
+
+module Legion
+  module Extensions
+    module Github
+      module Helpers
+        module Cache
+          include Legion::Cache::Helper
+
+          DEFAULT_TTLS = {
+            repo: 600, issue: 120, pull_request: 60, commit: 86_400,
+            branch: 120, user: 3600, org: 3600, search: 60
+          }.freeze
+
+          DEFAULT_TTL = 300
+
+          def cached_get(cache_key, ttl: nil)
+            if cache_connected?
+              result = cache_get(cache_key)
+              return result if result
+            end
+
+            if local_cache_connected?
+              result = local_cache_get(cache_key)
+              return result if result
+            end
+
+            result = yield
+            effective_ttl = ttl || github_ttl_for(cache_key)
+            cache_set(cache_key, result, ttl: effective_ttl) if cache_connected?
+            local_cache_set(cache_key, result, ttl: effective_ttl) if local_cache_connected?
+            result
+          end
+
+          def cache_write(cache_key, value, ttl: nil)
+            effective_ttl = ttl || github_ttl_for(cache_key)
+            cache_set(cache_key, value, ttl: effective_ttl) if cache_connected?
+            local_cache_set(cache_key, value, ttl: effective_ttl) if local_cache_connected?
+          end
+
+          def cache_invalidate(cache_key)
+            cache_delete(cache_key) if cache_connected?
+            local_cache_delete(cache_key) if local_cache_connected?
+          end
+
+          def github_ttl_for(cache_key)
+            configured_ttls = github_cache_ttls
+            case cache_key
+            when /:commits:/ then configured_ttls[:commit]
+            when /:pulls:/   then configured_ttls[:pull_request]
+            when /:issues:/  then configured_ttls[:issue]
+            when /:branches:/ then configured_ttls[:branch]
+            when /\Agithub:user:/ then configured_ttls[:user]
+            when /\Agithub:org:/  then configured_ttls[:org]
+            when /\Agithub:repo:[^:]+\z/ then configured_ttls[:repo]
+            when /:search:/ then configured_ttls[:search]
+            else configured_ttls.fetch(:default, DEFAULT_TTL)
+            end
+          end
+
+          def cache_connected?
+            ::Legion::Cache.connected?
+          rescue StandardError => _e
+            false
+          end
+
+          def local_cache_connected?
+            false
+          end
+
+          def local_cache_get(_key)
+            nil
+          end
+
+          def local_cache_set(_key, _value, ttl: nil) # rubocop:disable Lint/UnusedMethodArgument
+            nil
+          end
+
+          def local_cache_delete(_key)
+            nil
+          end
+
+          private
+
+          def github_cache_ttls
+            return DEFAULT_TTLS.merge(default: DEFAULT_TTL) unless defined?(Legion::Settings)
+
+            overrides = Legion::Settings.dig(:github, :cache, :ttls) || {}
+            DEFAULT_TTLS.merge(default: DEFAULT_TTL).merge(overrides.transform_keys(&:to_sym))
+          rescue StandardError => _e
+            DEFAULT_TTLS.merge(default: DEFAULT_TTL)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/helpers/callback_server.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+require 'socket'
+require 'uri'
+
+module Legion
+  module Extensions
+    module Github
+      module Helpers
+        class CallbackServer
+          RESPONSE_HTML = <<~HTML
+            <html><body style="font-family:sans-serif;text-align:center;padding:40px;">
+            <h2>GitHub authentication complete</h2><p>You can close this window.</p></body></html>
+          HTML
+
+          attr_reader :port
+
+          def initialize
+            @server = nil
+            @port = nil
+            @result = nil
+            @mutex = Mutex.new
+            @cv = ConditionVariable.new
+          end
+
+          def start
+            @server = TCPServer.new('127.0.0.1', 0)
+            @port = @server.addr[1]
+            @thread = Thread.new { listen } # rubocop:disable ThreadSafety/NewThread
+          end
+
+          def wait_for_callback(timeout: 120)
+            @mutex.synchronize do
+              @cv.wait(@mutex, timeout) unless @result
+              @result
+            end
+          end
+
+          def shutdown
+            @server&.close
+          rescue StandardError => _e
+            nil
+          ensure
+            @thread&.join(2)
+            @thread&.kill
+          end
+
+          def redirect_uri
+            "http://127.0.0.1:#{@port}/callback"
+          end
+
+          private
+
+          def listen
+            loop do
+              client = @server.accept
+              request_line = client.gets
+              loop do
+                line = client.gets
+                break if line.nil? || line.strip.empty?
+              end
+
+              if request_line&.include?('/callback?')
+                query = request_line.split[1].split('?', 2).last
+                params = URI.decode_www_form(query).to_h
+
+                @mutex.synchronize do
+                  @result = { code: params['code'], state: params['state'] }
+                  @cv.broadcast
+                end
+              end
+
+              client.print "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nConnection: close\r\n\r\n#{RESPONSE_HTML}"
+              client.close
+              break if @result
+            end
+          rescue IOError # rubocop:disable Legion/RescueLogging/NoCapture
+            nil
+          rescue StandardError => e
+            @mutex.synchronize do
+              @result ||= { error: e.message }
+              @cv.broadcast
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/helpers/client.rb

@@ -1,21 +1,311 @@
 # frozen_string_literal: true
 
 require 'faraday'
+require 'legion/extensions/github/helpers/token_cache'
+require 'legion/extensions/github/helpers/scope_registry'
+require 'legion/extensions/github/middleware/credential_fallback'
 
 module Legion
   module Extensions
     module Github
       module Helpers
         module Client
-          def connection(api_url: 'https://api.github.com', token: nil, **_opts)
+          include TokenCache
+          include ScopeRegistry
+
+          CREDENTIAL_RESOLVERS = %i[
+            resolve_vault_delegated resolve_settings_delegated
+            resolve_vault_app resolve_settings_app
+            resolve_vault_pat resolve_settings_pat
+            resolve_gh_cli resolve_env
+          ].freeze
+
+          def connection(owner: nil, repo: nil, api_url: 'https://api.github.com', token: nil, **_opts)
+            resolved = token ? { token: token } : resolve_credential(owner: owner, repo: repo)
+            resolved_token = resolved&.dig(:token)
+            @current_credential = resolved
+            @skipped_fingerprints = []
+
             Faraday.new(url: api_url) do |conn|
+              conn.use :github_credential_fallback, resolver: self
               conn.request :json
               conn.response :json, content_type: /\bjson$/
+              conn.response :github_rate_limit, handler: self
+              conn.response :github_scope_probe, handler: self
               conn.headers['Accept'] = 'application/vnd.github+json'
-              conn.headers['Authorization'] = "Bearer #{token}" if token
+              conn.headers['Authorization'] = "Bearer #{resolved_token}" if resolved_token
               conn.headers['X-GitHub-Api-Version'] = '2022-11-28'
             end
           end
+
+          def resolve_next_credential(owner: nil, repo: nil)
+            fingerprint = @current_credential&.dig(:metadata, :credential_fingerprint)
+            @skipped_fingerprints ||= []
+            @skipped_fingerprints << fingerprint if fingerprint
+
+            CREDENTIAL_RESOLVERS.each do |method|
+              next unless respond_to?(method, true)
+
+              result = send(method)
+              next unless result
+
+              fp = result.dig(:metadata, :credential_fingerprint)
+              next if fp && @skipped_fingerprints.include?(fp)
+              next if fp && rate_limited?(fingerprint: fp)
+
+              if owner && fp
+                scope = scope_status(fingerprint: fp, owner: owner, repo: repo)
+                next if scope == :denied
+              end
+
+              @current_credential = result
+              return result
+            end
+            nil
+          end
+
+          def max_fallback_retries
+            CREDENTIAL_RESOLVERS.size
+          end
+
+          def on_rate_limit(remaining:, reset_at:, status:, url:, **) # rubocop:disable Lint/UnusedMethodArgument
+            fingerprint = @current_credential&.dig(:metadata, :credential_fingerprint)
+            return unless fingerprint
+
+            mark_rate_limited(fingerprint: fingerprint, reset_at: reset_at)
+          end
+
+          def on_scope_denied(status:, url:, path:, **) # rubocop:disable Lint/UnusedMethodArgument
+            fingerprint = @current_credential&.dig(:metadata, :credential_fingerprint)
+            owner, repo = extract_owner_repo(path)
+            return unless fingerprint && owner
+
+            register_scope(fingerprint: fingerprint, owner: owner, repo: repo, status: :denied)
+          end
+
+          def on_scope_authorized(status:, url:, path:, **) # rubocop:disable Lint/UnusedMethodArgument
+            fingerprint = @current_credential&.dig(:metadata, :credential_fingerprint)
+            owner, repo = extract_owner_repo(path)
+            return unless fingerprint && owner
+
+            register_scope(fingerprint: fingerprint, owner: owner, repo: repo, status: :authorized)
+          end
+
+          def resolve_credential(owner: nil, repo: nil)
+            CREDENTIAL_RESOLVERS.each do |method|
+              next unless respond_to?(method, true)
+
+              result = send(method)
+              next unless result
+
+              fingerprint = result.dig(:metadata, :credential_fingerprint)
+
+              next if fingerprint && rate_limited?(fingerprint: fingerprint)
+
+              if owner && fingerprint
+                scope = scope_status(fingerprint: fingerprint, owner: owner, repo: repo)
+                next if scope == :denied
+              end
+
+              return result
+            end
+            nil
+          end
+
+          def resolve_vault_delegated
+            return nil unless defined?(Legion::Crypt)
+
+            token_data = vault_get('github/oauth/delegated/token')
+            return nil unless token_data&.dig('access_token')
+
+            fp = credential_fingerprint(auth_type: :oauth_user, identifier: 'vault_delegated')
+            { token: token_data['access_token'], auth_type: :oauth_user,
+              expires_at: token_data['expires_at'],
+              metadata: { source: :vault, credential_fingerprint: fp } }
+          rescue StandardError => _e
+            nil
+          end
+
+          def resolve_settings_delegated
+            return nil unless defined?(Legion::Settings)
+
+            token = Legion::Settings.dig(:github, :oauth, :access_token)
+            return nil unless token
+
+            fp = credential_fingerprint(auth_type: :oauth_user, identifier: 'settings_delegated')
+            { token: token, auth_type: :oauth_user,
+              metadata: { source: :settings, credential_fingerprint: fp } }
+          rescue StandardError => _e
+            nil
+          end
+
+          def resolve_vault_app
+            return nil unless defined?(Legion::Crypt)
+
+            private_key = begin
+              vault_get('github/app/private_key')
+            rescue StandardError => _e
+              nil
+            end
+            return nil unless private_key
+
+            app_id = begin
+              vault_get('github/app/app_id')
+            rescue StandardError => _e
+              nil
+            end
+            installation_id = begin
+              vault_get('github/app/installation_id')
+            rescue StandardError => _e
+              nil
+            end
+            return nil unless app_id && installation_id
+
+            fp = credential_fingerprint(auth_type: :app_installation, identifier: "vault_app_#{app_id}")
+            cached = fetch_token(auth_type: :app_installation, installation_id: installation_id)
+            return cached.merge(metadata: { source: :vault, credential_fingerprint: fp }) if cached
+
+            jwt = generate_jwt(app_id: app_id, private_key: private_key)[:result]
+            token_data = create_installation_token(jwt: jwt, installation_id: installation_id)[:result]
+            return nil unless token_data&.dig('token')
+
+            expires_at = begin
+              Time.parse(token_data['expires_at'])
+            rescue StandardError => _e
+              Time.now + 3600
+            end
+            result = { token: token_data['token'], auth_type: :app_installation,
+                       expires_at: expires_at, installation_id: installation_id,
+                       metadata: { source: :vault, installation_id: installation_id,
+                                   credential_fingerprint: fp } }
+            store_token(**result)
+            result
+          rescue StandardError => _e
+            nil
+          end
+
+          def resolve_settings_app
+            return nil unless defined?(Legion::Settings)
+
+            app_id = begin
+              Legion::Settings.dig(:github, :app, :app_id)
+            rescue StandardError => _e
+              nil
+            end
+            return nil unless app_id
+
+            fp = credential_fingerprint(auth_type: :app_installation, identifier: "settings_app_#{app_id}")
+
+            key_path = begin
+              Legion::Settings.dig(:github, :app, :private_key_path)
+            rescue StandardError => _e
+              nil
+            end
+            installation_id = begin
+              Legion::Settings.dig(:github, :app, :installation_id)
+            rescue StandardError => _e
+              nil
+            end
+            return nil unless key_path && installation_id
+
+            cached = fetch_token(auth_type: :app_installation, installation_id: installation_id)
+            return cached.merge(metadata: { source: :settings, credential_fingerprint: fp }) if cached
+
+            private_key = ::File.read(key_path)
+            jwt = generate_jwt(app_id: app_id, private_key: private_key)[:result]
+            token_data = create_installation_token(jwt: jwt, installation_id: installation_id)[:result]
+            return nil unless token_data&.dig('token')
+
+            expires_at = begin
+              Time.parse(token_data['expires_at'])
+            rescue StandardError => _e
+              Time.now + 3600
+            end
+            result = { token: token_data['token'], auth_type: :app_installation,
+                       expires_at: expires_at, installation_id: installation_id,
+                       metadata: { source: :settings, installation_id: installation_id,
+                                   credential_fingerprint: fp } }
+            store_token(**result)
+            result
+          rescue StandardError => _e
+            nil
+          end
+
+          def resolve_vault_pat
+            return nil unless defined?(Legion::Crypt)
+
+            token = vault_get('github/token')
+            return nil unless token
+
+            fp = credential_fingerprint(auth_type: :pat, identifier: 'vault_pat')
+            { token: token, auth_type: :pat, metadata: { source: :vault, credential_fingerprint: fp } }
+          rescue StandardError => _e
+            nil
+          end
+
+          def resolve_settings_pat
+            return nil unless defined?(Legion::Settings)
+
+            token = Legion::Settings.dig(:github, :token)
+            return nil unless token
+
+            fp = credential_fingerprint(auth_type: :pat, identifier: 'settings_pat')
+            { token: token, auth_type: :pat, metadata: { source: :settings, credential_fingerprint: fp } }
+          rescue StandardError => _e
+            nil
+          end
+
+          def resolve_gh_cli
+            if cache_connected? || local_cache_connected?
+              cached = cache_connected? ? cache_get('github:cli_token') : local_cache_get('github:cli_token')
+              return cached if cached
+            end
+
+            output = gh_cli_token_output
+            return nil unless output
+
+            fp = credential_fingerprint(auth_type: :cli, identifier: 'gh_cli')
+            result = { token: output, auth_type: :cli, metadata: { source: :gh_cli, credential_fingerprint: fp } }
+            cache_set('github:cli_token', result, ttl: 300) if cache_connected?
+            local_cache_set('github:cli_token', result, ttl: 300) if local_cache_connected?
+            result
+          rescue StandardError => _e
+            nil
+          end
+
+          def gh_cli_token_output
+            output = `gh auth token 2>/dev/null`.strip
+            return nil unless $?&.success? && !output.empty? # rubocop:disable Style/SpecialGlobalVars
+
+            output
+          rescue StandardError => _e
+            nil
+          end
+
+          def resolve_env
+            token = ENV.fetch('GITHUB_TOKEN', nil)
+            return nil if token.nil? || token.empty?
+
+            fp = credential_fingerprint(auth_type: :env, identifier: 'env')
+            { token: token, auth_type: :env, metadata: { source: :env, credential_fingerprint: fp } }
+          end
+
+          private
+
+          def extract_owner_repo(path)
+            match = path.match(%r{^/repos/([^/]+)/([^/]+)})
+            return [nil, nil] unless match
+
+            [match[1], match[2]]
+          end
+
+          def credential_fallback?
+            return true unless defined?(Legion::Settings)
+
+            Legion::Settings.dig(:github, :credential_fallback) != false
+          rescue StandardError => _e
+            true
+          end
         end
       end
     end

data/lib/legion/extensions/github/helpers/scope_registry.rb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+require 'digest'
+
+module Legion
+  module Extensions
+    module Github
+      module Helpers
+        module ScopeRegistry
+          def credential_fingerprint(auth_type:, identifier:)
+            Digest::SHA256.hexdigest("#{auth_type}:#{identifier}")[0, 16]
+          end
+
+          def scope_status(fingerprint:, owner:, repo: nil)
+            if repo
+              status = scope_cache_get("github:scope:#{fingerprint}:#{owner}/#{repo}")
+              return status if status
+            end
+
+            scope_cache_get("github:scope:#{fingerprint}:#{owner}") || :unknown
+          end
+
+          def register_scope(fingerprint:, owner:, status:, repo: nil)
+            key = repo ? "github:scope:#{fingerprint}:#{owner}/#{repo}" : "github:scope:#{fingerprint}:#{owner}"
+            ttl = if status == :denied
+                    scope_denied_ttl
+                  else
+                    (repo ? scope_repo_ttl : scope_org_ttl)
+                  end
+            cache_set(key, status, ttl: ttl) if cache_connected?
+            local_cache_set(key, status, ttl: ttl) if local_cache_connected?
+          end
+
+          def rate_limited?(fingerprint:)
+            entry = scope_cache_get("github:rate_limit:#{fingerprint}")
+            return false unless entry
+
+            entry[:reset_at] > Time.now
+          end
+
+          def mark_rate_limited(fingerprint:, reset_at:)
+            ttl = [(reset_at - Time.now).ceil, 1].max
+            value = { reset_at: reset_at, remaining: 0 }
+            cache_set("github:rate_limit:#{fingerprint}", value, ttl: ttl) if cache_connected?
+            local_cache_set("github:rate_limit:#{fingerprint}", value, ttl: ttl) if local_cache_connected?
+          end
+
+          def invalidate_scope(fingerprint:, owner:, repo: nil)
+            key = repo ? "github:scope:#{fingerprint}:#{owner}/#{repo}" : "github:scope:#{fingerprint}:#{owner}"
+            cache_delete(key) if cache_connected?
+            local_cache_delete(key) if local_cache_connected?
+          end
+
+          private
+
+          def scope_cache_get(key)
+            if cache_connected?
+              result = cache_get(key)
+              return result if result
+            end
+            local_cache_get(key) if local_cache_connected?
+          end
+
+          def scope_org_ttl
+            return 3600 unless defined?(Legion::Settings)
+
+            Legion::Settings.dig(:github, :scope_registry, :org_ttl) || 3600
+          rescue StandardError => _e
+            3600
+          end
+
+          def scope_repo_ttl
+            return 300 unless defined?(Legion::Settings)
+
+            Legion::Settings.dig(:github, :scope_registry, :repo_ttl) || 300
+          rescue StandardError => _e
+            300
+          end
+
+          def scope_denied_ttl
+            return 300 unless defined?(Legion::Settings)
+
+            Legion::Settings.dig(:github, :scope_registry, :denied_ttl) || 300
+          rescue StandardError => _e
+            300
+          end
+        end
+      end
+    end
+  end
+end