diff --git a/go.mod b/go.mod
index 849c841..dedfc83 100644
--- a/go.mod
+++ b/go.mod
@@ -1,3 +1,16 @@
 module github.com/fensak-io/github-app-token
-go 1.21.3
+go 1.20
+
+require (
+ github.com/go-resty/resty/v2 v2.10.0
+ github.com/golang-jwt/jwt/v5 v5.1.0
+ github.com/urfave/cli/v2 v2.25.7
+)
+
+require (
+ github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
+ github.com/russross/blackfriday/v2 v2.1.0 // indirect
+ github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
+ golang.org/x/net v0.17.0 // indirect
+)
diff --git a/go.sum b/go.sum
new file mode 100644
index 0000000..e9a1b65
--- /dev/null
+++ b/go.sum
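Review bot: Lowering the `go` directive in go.mod from 1.21.3 to 1.20 removes the toolchain floor, since Go 1.21 and later treat that line as a minimum version and nothing in the module now stops a build with an older release. This tool parses an RSA private key and talks TLS to the GitHub API, and both code paths come from the standard library of whichever toolchain builds the binary. The reason for the downgrade is not visible in the diff; if it is for compatibility with older builders, the release build should pin its Go version in CI, and a comment such as `// kept at 1.20 for <reason>; release builds pin the toolchain in CI` above the directive would record the intent.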
@@ -0,0 +1,54 @@ +github.com/cpuguy83/go-md2man/v2 v2.0.2 h1:p1EgwI/C7NhT0JmVkwCD2ZBK8j4aeHQX2pMHHBfMQ6w= +github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/go-resty/resty/v2 v2.10.0 h1:Qla4W/+TMmv0fOeeRqzEpXPLfTUnR5HZ1+lGs+CkiCo= +github.com/go-resty/resty/v2 v2.10.0/go.mod h1:iiP/OpA0CkcL3IGt1O0+/SIItFUbkkyw5BGXiVdTu+A= +github.com/golang-jwt/jwt/v5 v5.1.0 h1:UGKbA/IPjtS6zLcdB7i5TyACMgSbOTiR8qzXgw8HWQU= +github.com/golang-jwt/jwt/v5 v5.1.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= +github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= +github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/urfave/cli/v2 v2.25.7 h1:VAzn5oq403l5pHjc4OhD54+XGO9cdKVL/7lDjF+iKUs= +github.com/urfave/cli/v2 v2.25.7/go.mod h1:8qnjx1vcq5s2/wpsqoZFndg2CE5tNFyrTvS6SinrnYQ= +github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 h1:bAn7/zixMGCfxrRTfdpNzjtPYqr8smhKouy9mxVdGPU= +github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673/go.mod h1:N3UwUGtsrSj3ccvlPHLoLsHnpR27oXr4ZE984MbSER8= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net 
v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= +golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= +golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= +golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= +golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= +golang.org/x/text v0.3.0/go.mod 
h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= +golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= diff --git a/main.go b/main.go index da29a2c..1fe349d 100644 --- a/main.go +++ b/main.go 
@@ -1,4 +1,141 @@
 package main
+import (
+ "encoding/json"
+ "errors"
+ "fmt"
+ "os"
+ "strconv"
+ "time"
+
+ "github.com/go-resty/resty/v2"
+ "github.com/golang-jwt/jwt/v5"
+ "github.com/urfave/cli/v2"
+)
+
+var httpClt = resty.New()
+
 func main() {
+ app := &cli.App{
+ Name: "github-app-token",
+ Usage: "Generate a JWT token that can be used to authenticate as a GitHub App.",
+ Flags: []cli.Flag{
+ &cli.DurationFlag{
+ Name: "expiry",
+ Aliases: []string{"e"},
+ Value: 5 * time.Minute,
+ Usage: "amount of time before the JWT token expires, as a duration (e.g., 15m)",
+ },
+ &cli.StringFlag{
+ Name: "repo",
+ Aliases: []string{"r"},
+ Usage: "the full repository name that the token is scoped for (e.g., fensak-io/github-app-token). Required.",
+ },
+ },
+ Action: func(ctx *cli.Context) error {
+ expiry := ctx.Duration("expiry")
+ repo := ctx.String("repo")
+ if repo == "" {
+ return errors.New("--repo is required")
+ }
+ appID := os.Getenv("GITHUB_APP_ID")
+ if appID == "" {
+ return errors.New("env var GITHUB_APP_ID is required to be set")
+ }
+ pemKey := os.Getenv("GITHUB_APP_PRIVATE_KEY")
+ if pemKey == "" {
+ return errors.New("env var GITHUB_APP_PRIVATE_KEY is required to be set")
+ }
+
+ jwt, err := generateAppJWT(appID, []byte(pemKey), expiry)
+ if err != nil {
+ return err
+ }
+ instID, err := getInstallationID(jwt, repo)
+ if err != nil {
+ return err
+ }
+ token, err := getAccessToken(jwt, instID)
+ if err != nil {
+ return err
+ }
+
+ fmt.Println(token)
+
+ return nil
+ },
+ }
+
+ if err := app.Run(os.Args); err != nil {
+ fmt.Fprintf(os.Stderr, "ERROR %s\n", err)
+ os.Exit(1)
+ }
+}
+
+// Generate a signed JWT token that can be used to authenticate as a GitHub App.
+// See https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-json-web-token-jwt-for-a-github-app
+func generateAppJWT(appID string, pemKey []byte, expiry time.Duration) (string, error) {
+ iss := time.Now().Add(-30 * time.Second).Truncate(time.Second)
+ exp := iss.Add(expiry).Truncate(time.Second)
+ token := jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.MapClaims{
+ "iat": jwt.NewNumericDate(iss),
+ "exp": jwt.NewNumericDate(exp),
+ "iss": appID,
+ })
+
+ privateKey, err := jwt.ParseRSAPrivateKeyFromPEM(pemKey)
+ if err != nil {
+ return "", err
+ }
+
+ return token.SignedString(privateKey)
+}
+
+func getInstallationID(jwt, repo string) (string, error) {
+ resp, err := httpClt.R().
+ SetHeader("Accept", "application/json").
+ SetAuthToken(jwt).
+ Get(fmt.Sprintf("https://api.github.com/repos/%s/installation", repo))
+ if err != nil {
+ return "", err
+ }
+
+ var respData map[string]any
+ if err := json.Unmarshal([]byte(resp.String()), &respData); err != nil {
+ return "", err
+ }
+ installationIDRaw, ok := respData["id"]
+ if !ok {
+ return "", errors.New("installation ID is missing")
+ }
+ installationID, ok := installationIDRaw.(float64)
+ if !ok {
+ return "", fmt.Errorf("installation ID %s is not a number", installationIDRaw)
+ }
+ return strconv.FormatInt(int64(installationID), 10), nil
+}
+
+func getAccessToken(jwt, instID string) (string, error) {
+ resp, err := httpClt.R().
+ SetHeader("Accept", "application/json").
+ SetAuthToken(jwt).
+ Post(fmt.Sprintf("https://api.github.com/app/installations/%s/access_tokens", instID))
+ if err != nil {
+ return "", err
+ }
+
+ var respData map[string]any
+ if err := json.Unmarshal([]byte(resp.String()), &respData); err != nil {
+ return "", err
+ }
+ tokenRaw, ok := respData["token"]
+ if !ok {
+ return "", errors.New("access token is missing")
+ }
+ token, ok := tokenRaw.(string)
+ if !ok {
+ return "", fmt.Errorf("token %v is not a string", tokenRaw)
+ }
+
+ return token, nil
 }
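Review bot: getInstallationID and getAccessToken never look at the HTTP status, so a 401, 403 or 404 from GitHub falls through to the JSON lookup and is reported as "installation ID is missing" or "access token is missing"; resty returns an error only for transport failures, so both need a `resp.IsError()` check before decoding. `--expiry` reaches generateAppJWT unbounded although GitHub's documentation limits an app JWT's `exp` to 10 minutes ahead, so the `15m` example in the usage text would be rejected, and `resty.New()` has no timeout, which lets a stalled connection hang the caller. `--repo` is formatted into the request path as-is while the app JWT is attached; checking it against the `owner/name` shape before the call (this needs the `strings` import) keeps the request on the intended endpoint. The two type-assertion errors should not apply `%s` to an `any` value or echo the token field; the fence below shows `%v` and `%T` for them.

```go
var httpClt = resty.New().SetTimeout(30 * time.Second)

// … unchanged: app and flag definitions …
			expiry := ctx.Duration("expiry")
			// GitHub rejects app JWTs whose exp lies more than 10 minutes ahead.
			if expiry <= 0 || expiry > 10*time.Minute {
				return errors.New("--expiry must be greater than 0 and at most 10m")
			}
// … unchanged: repo and env var checks, token generation, app.Run, generateAppJWT …

func getInstallationID(jwt, repo string) (string, error) {
	// … unchanged: GET request and transport error check …
	// resty returns err only for transport failures, so check the status too.
	if resp.IsError() {
		return "", fmt.Errorf("installation lookup for %q returned %s", repo, resp.Status())
	}
	// … unchanged: JSON decoding and id lookup …
	installationID, ok := installationIDRaw.(float64)
	if !ok {
		return "", fmt.Errorf("installation ID %v is not a number", installationIDRaw)
	}
	// … unchanged: return …

func getAccessToken(jwt, instID string) (string, error) {
	// … unchanged: POST request and transport error check …
	if resp.IsError() {
		return "", fmt.Errorf("access token request returned %s", resp.Status())
	}
	// … unchanged: JSON decoding and token lookup …
	token, ok := tokenRaw.(string)
	if !ok {
		// Report the type only; the field's value stays out of stderr.
		return "", fmt.Errorf("token field has type %T, expected a string", tokenRaw)
	}
```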