Add support for GitHub app authentication

.github/workflows/main.yml

@@ -44,6 +44,13 @@ jobs:
 
       - name: make test
         working-directory: git-sync
+        env:
+          SKIP_GITHUB_APP_TEST: false
+          TEST_GITHUB_APP_APPLICATION_ID: ${{ secrets.TEST_GITHUB_APP_APPLICATION_ID }}
+          TEST_GITHUB_APP_AUTH_TEST_REPO: ${{ secrets.TEST_GITHUB_APP_AUTH_TEST_REPO }}
+          TEST_GITHUB_APP_CLIENT_ID: ${{ secrets.TEST_GITHUB_APP_CLIENT_ID }}
+          TEST_GITHUB_APP_INSTALLATION_ID: ${{ secrets.TEST_GITHUB_APP_INSTALLATION_ID }}
+          TEST_GITHUB_APP_PRIVATE_KEY: ${{ secrets.TEST_GITHUB_APP_PRIVATE_KEY }}
         run: |
           make test
 

README.md

@@ -246,6 +246,29 @@ OPTIONS
             - off: Disable explicit git garbage collection, which may be a good
               fit when also using --one-time.
 
+    --github-base-url <string>, $GITSYNC_GITHUB_BASE_URL
+            The GitHub base URL to use in GitHub requests when GitHub app
+            authentication is used. If not specified, defaults to
+            https://api.github.com/.
+
+    --github-app-private-key-file <string>, $GITSYNC_GITHUB_APP_PRIVATE_KEY_FILE
+            The file from which the private key to use for GitHub app
+            authentication will be read.
+
+    --github-app-installation-id <int>, $GITSYNC_GITHUB_APP_INSTALLATION_ID
+            The installation ID of the GitHub app used for GitHub app
+            authentication.
+
+    --github-app-application-id <int>, $GITSYNC_GITHUB_APP_APPLICATION_ID
+            The app ID of the GitHub app used for GitHub app authentication.
+            One of --github-app-application-id or --github-app-client-id is required
+            when GitHub app authentication is used.
+
+    --github-app-client-id <int>, $GITSYNC_GITHUB_APP_CLIENT_ID
+            The client ID of the GitHub app used for GitHub app authentication.
+            One of --github-app-application-id or --github-app-client-id is required
+            when GitHub app authentication is used.
+
     --group-write, $GITSYNC_GROUP_WRITE
             Ensure that data written to disk (including the git repo metadata,
             checked out files, worktrees, and symlink) are all group writable.
@@ -462,6 +485,23 @@ AUTHENTICATION
             When --cookie-file ($GITSYNC_COOKIE_FILE) is specified, the
             associated cookies can contain authentication information.
 
+    github app
+           When --github-app-private-key-file ($GITSYNC_GITHUB_APP_PRIVATE_KEY_FILE),
+           --github-app-application-id ($GITSYNC_GITHUB_APP_APPLICATION_ID) or
+           --github-app-client-id ($GITSYNC_GITHUB_APP_CLIENT_ID)
+           and --github-app-installation_id ($GITSYNC_GITHUB_APP_INSTALLATION_ID)
+           are specified, GitHub app authentication will be used.
+
+           These credentials are used to request a short-lived token which
+           is used for authentication. The base URL of the GitHub request made
+           to retrieve the token can also be specified via
+           --github-base-url ($GITSYNC_GITHUB_BASE_URL), which defaults to
+           https://api.github.com/.
+
+           The GitHub app must have sufficient access to the repository to sync.
+           It should be installed to the repository or organization containing
+           the repository, and given read access (see github docs).
+
 HOOKS
 
     Webhooks and exechooks are executed asynchronously from the main git-sync
@@ -480,3 +520,4 @@ HOOKS
     if a hook fails and a new hash is synced during the backoff period, the
     retried hook will fire for the newest hash.
 ```
+

docs/dev/testing_github_app_auth.md

@@ -0,0 +1,43 @@
+# Testing GitHub app auth
+
+## Step 1: Create and install a dummy GitHub app for testing with
+
+Go to https://github.com/settings/apps/new
+
+1. Enter a name for the app (needs to be unique across GitHub).
+2. Set the required `homepage URL` field (can be any valid URL).
+3. Under `Webhook`, uncheck the `Active` checkbox.
+4. Click on `Repository permissions` under `Permissions`, and set `Contents` to `Read-only`
+5. Click on `Create GitHub App` at the bottom of the page.
+6. You should be navigated to a new page with a `Registration successful. You must generate a private key in order to install your GitHub App.` message. Click on the `generate a private key` link, and then the `Generate a private key` button, and save it somewhere; it will be used to test the app authentication.
+7. Click on the `Install App` tab on the left, and then click on `Install` on the right.
+8. Select `Only select repositories`, and pick any private repository that contains a "LICENSE" file (may need to be created beforehand).
+
+## Step 2: Export the necessary environment variables
+
+The following environment variables are *required* to run the git-sync GitHub app auth tests:
+- `TEST_GITHUB_APP_PRIVATE_KEY` or `TEST_GITHUB_APP_PRIVATE_KEY_FILE`. If both are set, `TEST_GITHUB_APP_PRIVATE_KEY` overwrites `TEST_GITHUB_APP_PRIVATE_KEY_FILE`.
+- `TEST_GITHUB_APP_APPLICATION_ID`
+- `TEST_GITHUB_APP_CLIENT_ID`
+- `TEST_GITHUB_APP_INSTALLATION_ID`
+- `TEST_GITHUB_APP_AUTH_TEST_REPO`
+
+### TEST_GITHUB_APP_PRIVATE_KEY
+The content of the GitHub app's private key file. It should have been saved when creating the app.
+If `TEST_GITHUB_APP_PRIVATE_KEY_FILE` is also set, it overwrites the file with the content.
+Otherwise, it saves the content to `/tmp/git-sync-e2e.random-id/github_app_private_key.pem`.
+
+### TEST_GITHUB_APP_PRIVATE_KEY_FILE
+The absolute path to the file that stores the GitHub app's private key file. It should have been saved when creating the app.
+
+### TEST_GITHUB_APP_APPLICATION_ID
+The value after "App ID" in the app's settings page.
+
+### TEST_GITHUB_APP_CLIENT_ID
+The value after "Client ID" in the app's settings page.
+
+### TEST_GITHUB_APP_INSTALLATION_ID
+Found in the URL of the app's installation page if you installed it to a repository: https://github.com/settings/installations/<installation_id>
+
+### TEST_GITHUB_APP_AUTH_TEST_REPO.
+Should be set to the repository that the GitHub app is installed to.

go.mod

@@ -2,6 +2,7 @@ module k8s.io/git-sync
 
 require (
 	github.com/go-logr/logr v1.2.3
+	github.com/golang-jwt/jwt/v4 v4.5.0
 	github.com/prometheus/client_golang v1.14.0
 	github.com/spf13/pflag v1.0.5
 	go.uber.org/goleak v1.2.1

go.sum

@@ -73,6 +73,8 @@ github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0=
 github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
+github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
+github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=