leanix · mohamedlajmileanix · Jul 5, 2024 · Jun 26, 2024 · Jun 27, 2024 · Jun 27, 2024
@@ -20,12 +20,36 @@ repositories {
     mavenCentral()
 }
 
+extra["springCloudVersion"] = "2023.0.1"
+
+dependencyManagement {
+    imports {
+        mavenBom("org.springframework.cloud:spring-cloud-dependencies:${property("springCloudVersion")}")
+    }
+}
+
 dependencies {
     implementation("org.springframework.boot:spring-boot-starter")
+    implementation("org.springframework.cloud:spring-cloud-starter-openfeign")
     implementation("org.jetbrains.kotlin:kotlin-reflect")
+    implementation("com.fasterxml.jackson.core:jackson-annotations:2.17.1")
+
+    // Dependencies for generating JWT token
+    implementation("io.jsonwebtoken:jjwt-impl:0.11.2")
+    implementation("io.jsonwebtoken:jjwt-jackson:0.11.2")
+
     testImplementation("org.springframework.boot:spring-boot-starter-test")
-    testImplementation("org.jetbrains.kotlin:kotlin-test-junit5")
-    testRuntimeOnly("org.junit.platform:junit-platform-launcher")
+    testImplementation("io.mockk:mockk:1.12.0")
+}
+
+configurations.all {
+    resolutionStrategy {
+        eachDependency {
+            when (requested.module.toString()) {
+                "org.bouncycastle:bcprov-jdk18on" -> useVersion("1.78")
+            }
+        }
+    }
 }
 
 detekt {
@@ -58,4 +82,4 @@ tasks.jacocoTestReport {
         xml.required.set(true)
         xml.outputLocation.set(File("${projectDir}/build/jacocoXml/jacocoTestReport.xml"))
     }
-}
+}
@@ -1,9 +1,13 @@
 package net.leanix.githubagent
 
 import org.springframework.boot.autoconfigure.SpringBootApplication
+import org.springframework.boot.context.properties.EnableConfigurationProperties
 import org.springframework.boot.runApplication
+import org.springframework.cloud.openfeign.EnableFeignClients
 
 @SpringBootApplication
+@EnableFeignClients(value = ["net.leanix.githubagent.client"])
+@EnableConfigurationProperties(value = [net.leanix.githubagent.config.GithubEnterpriseProperties::class])
 class GithubAgentApplication
 
 fun main() {

diff --git a/src/main/kotlin/net/leanix/githubagent/client/GithubClient.kt b/src/main/kotlin/net/leanix/githubagent/client/GithubClient.kt
@@ -0,0 +1,16 @@
+package net.leanix.githubagent.client
+
+import net.leanix.githubagent.dto.GithubAppResponse
+import org.springframework.cloud.openfeign.FeignClient
+import org.springframework.web.bind.annotation.GetMapping
+import org.springframework.web.bind.annotation.RequestHeader
+
+@FeignClient(name = "githubClient", url = "\${github-enterprise.baseUrl}")
+interface GithubClient {
+
+    @GetMapping("/api/v3/app")
+    fun getApp(
+        @RequestHeader("Authorization") jwt: String,
+        @RequestHeader("Accept") accept: String = "application/vnd.github.v3+json"
+    ): GithubAppResponse
+}
@@ -0,0 +1,30 @@
+package net.leanix.githubagent.config
+
+import jakarta.annotation.PostConstruct
+import net.leanix.githubagent.exceptions.GithubEnterpriseConfigurationMissingException
+import org.springframework.stereotype.Component
+
+@Component
+class AgentSetupValidation(
+    private val githubEnterpriseProperties: GithubEnterpriseProperties
+) {
+
+    @PostConstruct
+    fun validateConfiguration() {
+        val missingProperties = mutableListOf<String>()
+
+        if (githubEnterpriseProperties.baseUrl.isBlank()) {
+            missingProperties.add("GITHUB_ENTERPRISE_BASE_URL")
+        }
+        if (githubEnterpriseProperties.githubAppId.isBlank()) {
+            missingProperties.add("GITHUB_ENTERPRISE_GITHUB_APP_ID")
+        }
+        if (githubEnterpriseProperties.pemFile.isBlank()) {
+            missingProperties.add("GITHUB_ENTERPRISE_PEM_FILE")
+        }
+
+        if (missingProperties.isNotEmpty()) {
+            throw GithubEnterpriseConfigurationMissingException(missingProperties.joinToString(", "))
+        }
+    }
+}
diff --git a/src/main/kotlin/net/leanix/githubagent/config/GithubEnterpriseProperties.kt b/src/main/kotlin/net/leanix/githubagent/config/GithubEnterpriseProperties.kt
@@ -0,0 +1,10 @@
+package net.leanix.githubagent.config
+
+import org.springframework.boot.context.properties.ConfigurationProperties
+
+@ConfigurationProperties(prefix = "github-enterprise")
+data class GithubEnterpriseProperties(
+    val baseUrl: String,
+    val githubAppId: String,
+    val pemFile: String,
+)
diff --git a/src/main/kotlin/net/leanix/githubagent/dto/GithubAppResponse.kt b/src/main/kotlin/net/leanix/githubagent/dto/GithubAppResponse.kt
@@ -0,0 +1,11 @@
+package net.leanix.githubagent.dto
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties
+import com.fasterxml.jackson.annotation.JsonProperty
+
+@JsonIgnoreProperties(ignoreUnknown = true)
+data class GithubAppResponse(
+    @JsonProperty("name") val name: String,
+    @JsonProperty("permissions") val permissions: Map<String, String>,
+    @JsonProperty("events") val events: List<String>
+)
@@ -0,0 +1,8 @@
+package net.leanix.githubagent.exceptions
+
+class GithubEnterpriseConfigurationMissingException(properties: String) : RuntimeException(
+    "Github Enterprise properties '$properties' are not set"
+)
+class GithubAppInsufficientPermissionsException(message: String) : RuntimeException(message)
+class FailedToCreateJWTException(message: String) : RuntimeException(message)
+class UnableToConnectToGithubEnterpriseException(message: String) : RuntimeException(message)
@@ -0,0 +1,16 @@
+package net.leanix.githubagent.runners
+
+import net.leanix.githubagent.services.GithubAuthenticationService
+import org.springframework.boot.ApplicationArguments
+import org.springframework.boot.ApplicationRunner
+import org.springframework.context.annotation.Profile
+import org.springframework.stereotype.Component
+
+@Component
+@Profile("!test")
+class PostStartupRunner(private val githubAuthenticationService: GithubAuthenticationService) : ApplicationRunner {
+
+    override fun run(args: ApplicationArguments?) {
+        githubAuthenticationService.generateJwtToken()
+    }
+}
@@ -0,0 +1,26 @@
+package net.leanix.githubagent.services
+
+import jakarta.annotation.PostConstruct
+import net.leanix.githubagent.config.GithubEnterpriseProperties
+import org.springframework.stereotype.Service
+
+@Service
+class CachingService(
+    private val githubEnterpriseProperties: GithubEnterpriseProperties
+) {
+    private val cache = HashMap<String, String?>()
+
+    @PostConstruct
+    private fun init() {
+        cache["baseUrl"] = githubEnterpriseProperties.baseUrl
+        cache["githubAppId"] = githubEnterpriseProperties.githubAppId
+    }
+
+    fun set(key: String, value: String) {
+        cache[key] = value
+    }
+
+    fun get(key: String): String? {
+        return cache[key]
+    }
+}
@@ -0,0 +1,50 @@
+package net.leanix.githubagent.services
+
+import net.leanix.githubagent.client.GithubClient
+import net.leanix.githubagent.dto.GithubAppResponse
+import net.leanix.githubagent.exceptions.GithubAppInsufficientPermissionsException
+import net.leanix.githubagent.exceptions.UnableToConnectToGithubEnterpriseException
+import org.slf4j.LoggerFactory
+import org.springframework.stereotype.Service
+
+@Service
+class GitHubEnterpriseService(private val githubClient: GithubClient) {
+
+    companion object {
+        val expectedPermissions = listOf("administration", "contents", "metadata")
+        val expectedEvents = listOf("label", "public", "repository")
+    }
+    private val logger = LoggerFactory.getLogger(GitHubEnterpriseService::class.java)
+
+    fun verifyJwt(jwt: String) {
+        runCatching {
+            val githubApp = githubClient.getApp("Bearer $jwt")
+            validateGithubAppResponse(githubApp)
+            logger.info("Authenticated as GitHub App: '${githubApp.name}'")
+        }.onFailure {
+            when (it) {
+                is GithubAppInsufficientPermissionsException -> throw it
+                else -> throw UnableToConnectToGithubEnterpriseException("Failed to verify JWT token")
+            }
+        }
+    }
+
+    fun validateGithubAppResponse(response: GithubAppResponse) {
+        val missingPermissions = expectedPermissions.filterNot { response.permissions.containsKey(it) }
+        val missingEvents = expectedEvents.filterNot { response.events.contains(it) }
+
+        if (missingPermissions.isNotEmpty() || missingEvents.isNotEmpty()) {
+            var message = "GitHub App is missing the following "
+            if (missingPermissions.isNotEmpty()) {
+                message = message.plus("permissions: $missingPermissions")
+            }
+            if (missingEvents.isNotEmpty()) {
+                if (missingPermissions.isNotEmpty()) {
+                    message = message.plus(", and the following")
+                }
+                message = message.plus("events: $missingEvents")
+            }
+            throw GithubAppInsufficientPermissionsException(message)
+        }
+    }
+}
diff --git a/src/main/kotlin/net/leanix/githubagent/services/GithubAuthenticationService.kt b/src/main/kotlin/net/leanix/githubagent/services/GithubAuthenticationService.kt
@@ -0,0 +1,84 @@
+package net.leanix.githubagent.services
+
+import io.jsonwebtoken.Jwts
+import io.jsonwebtoken.SignatureAlgorithm
+import net.leanix.githubagent.config.GithubEnterpriseProperties
+import net.leanix.githubagent.exceptions.FailedToCreateJWTException
+import org.bouncycastle.jce.provider.BouncyCastleProvider
+import org.slf4j.LoggerFactory
+import org.springframework.core.io.ResourceLoader
+import org.springframework.stereotype.Service
+import java.io.File
+import java.io.IOException
+import java.nio.charset.Charset
+import java.nio.file.Files
+import java.security.KeyFactory
+import java.security.PrivateKey
+import java.security.Security
+import java.security.spec.InvalidKeySpecException
+import java.security.spec.PKCS8EncodedKeySpec
+import java.util.*
+
+@Service
+class GithubAuthenticationService(
+    private val cachingService: CachingService,
+    private val githubEnterpriseProperties: GithubEnterpriseProperties,
+    private val resourceLoader: ResourceLoader,
+    private val gitHubEnterpriseService: GitHubEnterpriseService
+) {
+
+    companion object {
+        private const val JWT_EXPIRATION_DURATION = 600000L
+        private const val pemPrefix = "-----BEGIN RSA PRIVATE KEY-----"
+        private const val pemSuffix = "-----END RSA PRIVATE KEY-----"
+        private val logger = LoggerFactory.getLogger(GithubAuthenticationService::class.java)
+    }
+
+    fun generateJwtToken() {
+        runCatching {
+            logger.info("Generating JWT token")
+            Security.addProvider(BouncyCastleProvider())
+            val rsaPrivateKey: String = readPrivateKey()
+            val keySpec = PKCS8EncodedKeySpec(Base64.getDecoder().decode(rsaPrivateKey))
+            val privateKey = KeyFactory.getInstance("RSA").generatePrivate(keySpec)
+            val jwt = createJwtToken(privateKey)
+            cachingService.set("jwtToken", jwt.getOrThrow())
+            gitHubEnterpriseService.verifyJwt(jwt.getOrThrow())
+        }.onFailure {
+            logger.error("Failed to generate/validate JWT token", it)
+            if (it is InvalidKeySpecException) {
+                throw IllegalArgumentException("The provided private key is not in a valid PKCS8 format.", it)
+            } else {
+                throw it
+            }
+        }
+    }
+
+    private fun createJwtToken(privateKey: PrivateKey): Result<String> {
+        return runCatching {
+            Jwts.builder()
+                .setIssuedAt(Date())
+                .setExpiration(Date(System.currentTimeMillis() + JWT_EXPIRATION_DURATION))
+                .setIssuer(cachingService.get("githubAppId"))
+                .signWith(privateKey, SignatureAlgorithm.RS256)
+                .compact()
+        }.onFailure {
+            throw FailedToCreateJWTException("Failed to generate a valid JWT token")
+        }
+    }
+
+    @Throws(IOException::class)
+    private fun readPrivateKey(): String {
+        val pemFile = File(resourceLoader.getResource("file:${githubEnterpriseProperties.pemFile}").uri)
+        val fileContent = String(Files.readAllBytes(pemFile.toPath()), Charset.defaultCharset()).trim()
+
+        require(fileContent.startsWith(pemPrefix) && fileContent.endsWith(pemSuffix)) {
+            "The provided file is not a valid PEM file."
+        }
+
+        return fileContent
+            .replace(pemPrefix, "")
+            .replace(System.lineSeparator().toRegex(), "")
+            .replace(pemSuffix, "")
+    }
+}
@@ -0,0 +1,4 @@
+github-enterprise:
+  baseUrl: ${GITHUB_ENTERPRISE_BASE_URL:}
+  githubAppId: ${GITHUB_APP_ID:}
+  pemFile: ${PEM_FILE:}
@@ -2,8 +2,10 @@ package net.leanix.githubagent
 
 import org.junit.jupiter.api.Test
 import org.springframework.boot.test.context.SpringBootTest
+import org.springframework.test.context.ActiveProfiles
 
 @SpringBootTest
+@ActiveProfiles("test")
 class GithubAgentApplicationTests {
 
     @Test