CR-8938 verify github token's scopes (#232)

* wip

* verify github token's scopes

* removed unnesecery packages

* added index for different providers
inferring provider from installation repo

* wip

* small fix

* small fix

* bug fix

* support gitlab

* improve errors and logs

* small addition

* small fixes

* bump

* after review

* small fix

* modify decorator

* wip

* wip

* bump

* wip

* wip

* codegen

* improvements

* wip

* bump

* removeed stringifyArray

* removed log

* bump

Author: rotem-codefresh

Makefile

@@ -1,4 +1,4 @@
-VERSION=v0.0.219
+VERSION=v0.0.220
 
 OUT_DIR=dist
 YEAR?=$(shell date +"%Y")

cmd/commands/common.go

@@ -32,6 +32,8 @@ import (
 	"github.com/codefresh-io/cli-v2/pkg/log"
 	"github.com/codefresh-io/cli-v2/pkg/store"
 	"github.com/codefresh-io/cli-v2/pkg/util"
+	cfgit "github.com/codefresh-io/cli-v2/pkg/git"
+
 	"github.com/manifoldco/promptui"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/tools/clientcmd"
@@ -247,10 +249,32 @@ func getIngressClassFromUserSelect(ctx context.Context, ingressClassNames []stri
 	return nil
 }
 
+func inferProviderFromRepo(opts *git.CloneOptions) {
+	if opts.Provider != "" {
+		return
+	}
+
+	if strings.Contains(opts.Repo, "github.com") {
+		opts.Provider = "github"
+	}
+	if strings.Contains(opts.Repo, "gitlab.com") {
+		opts.Provider = "gitlab"
+	}
+}
+
 func ensureGitToken(cmd *cobra.Command, cloneOpts *git.CloneOptions) error {
 	if cloneOpts.Auth.Password == "" && !store.Get().Silent {
-		return getGitTokenFromUserInput(cmd)
+		err := getGitTokenFromUserInput(cmd)
+		if err != nil {
+			return err
+		}
 	}
+
+	err := cfgit.VerifyToken(cmd.Context(), cloneOpts.Provider, cloneOpts.Auth.Password)
+	if err != nil {
+		return fmt.Errorf("failed to verify git token: %w", err)
+	}
+
 	return nil
 }
 

cmd/commands/runtime.go

@@ -187,7 +187,7 @@ func NewRuntimeInstallCommand() *cobra.Command {
 			err := runtimeInstallCommandPreRunHandler(cmd, &installationOpts)
 			handleCliStep(reporter.InstallPhasePreCheckFinish, "Finished pre installation checks", err, false)
 			if err != nil {
-				return fmt.Errorf("Pre installation error: %w", err)
+				return util.DecorateErrorWithDocsLink(fmt.Errorf("Pre installation error: %w", err), store.Get().RequirementsLink)
 			}
 
 			finalParameters = map[string]string{
@@ -272,7 +272,7 @@ func runtimeInstallCommandPreRunHandler(cmd *cobra.Command, opts *RuntimeInstall
 	err = ensureIngressClass(cmd.Context(), opts)
 	handleCliStep(reporter.InstallStepPreCheckEnsureIngressClass, "Getting ingress class", err, false)
 	if err != nil {
-		return err
+		return util.DecorateErrorWithDocsLink(err, store.Get().RequirementsLink)
 	}
 
 	err = ensureIngressHost(cmd, opts)
@@ -287,6 +287,8 @@ func runtimeInstallCommandPreRunHandler(cmd *cobra.Command, opts *RuntimeInstall
 		return err
 	}
 
+	inferProviderFromRepo(opts.InsCloneOpts)
+
 	err = ensureGitToken(cmd, opts.InsCloneOpts)
 	handleCliStep(reporter.InstallStepPreCheckEnsureGitToken, "Getting git token", err, false)
 	if err != nil {
@@ -422,7 +424,7 @@ func ensureIngressClass(ctx context.Context, opts *RuntimeInstallOptions) error
 	cs := opts.KubeFactory.KubernetesClientSetOrDie()
 	ingressClassList, err := cs.NetworkingV1().IngressClasses().List(ctx, metav1.ListOptions{})
 	if err != nil {
-		return fmt.Errorf("failed to get ingressClass list from your cluster: %w", err)
+		return fmt.Errorf("failed to get ingress class list from your cluster: %w", err)
 	}
 
 	var ingressClassNames []string
@@ -443,11 +445,11 @@ func ensureIngressClass(ctx context.Context, opts *RuntimeInstallOptions) error
 			opts.IngressController = ingressClassNameToController[opts.IngressClass]
 			return nil
 		}
-		return fmt.Errorf("Ingress Class '%s' is not supported. Only the ingress class of type NGINX is supported. for more information: %s", opts.IngressClass, store.Get().RequirementsLink)
+		return fmt.Errorf("ingress class '%s' is not supported. only the ingress class of type nginx is supported.", opts.IngressClass)
 	}
 
 	if len(ingressClassNames) == 0 {
-		return fmt.Errorf("No ingressClasses of type nginx were found. please install a nginx ingress controller on your cluster before installing a runtime. see instructions at: %s", store.Get().RequirementsLink)
+		return fmt.Errorf("no ingress classes of type nginx were found. please install a nginx ingress controller on your cluster before installing a runtime.")
 	}
 
 	if len(ingressClassNames) == 1 {
@@ -467,7 +469,7 @@ func ensureIngressClass(ctx context.Context, opts *RuntimeInstallOptions) error
 		return nil
 	}
 
-	return fmt.Errorf("Please add the --ingress-class flag and define its value")
+	return fmt.Errorf("please add the --ingress-class flag and define its value")
 }
 
 func getComponents(rt *runtime.Runtime, opts *RuntimeInstallOptions) []string {
@@ -767,11 +769,11 @@ func preInstallationChecks(ctx context.Context, opts *RuntimeInstallOptions) err
 	}
 
 	if rt.Spec.DefVersion.GreaterThan(store.Get().MaxDefVersion) {
-		err = fmt.Errorf("your cli version is out of date. please upgrade to the latest version before installing. for more information: %s", store.Get().DownloadCliLink)
+		err = fmt.Errorf("your cli version is out of date. please upgrade to the latest version before installing.")
 	}
 	handleCliStep(reporter.InstallStepRunPreCheckEnsureCliVersion, "Checking CLI version", err, false)
 	if err != nil {
-		return err
+		return util.DecorateErrorWithDocsLink(err, store.Get().DownloadCliLink)
 	}
 
 	err = checkRuntimeCollisions(ctx, opts.RuntimeName, opts.KubeFactory)
@@ -1699,10 +1701,13 @@ func createCodefreshArgoDashboardAgent(ctx context.Context, path string, cloneOp
 
 func ensureGitIntegrationOpts(opts *RuntimeInstallOptions) error {
 	var err error
+
 	if opts.InsCloneOpts.Provider == "" {
 		if opts.GitIntegrationCreationOpts.Provider, err = inferProviderFromCloneURL(opts.InsCloneOpts.URL()); err != nil {
 			return err
 		}
+	} else {
+		opts.GitIntegrationCreationOpts.Provider = apmodel.GitProviders(strings.ToUpper(opts.InsCloneOpts.Provider))
 	}
 
 	if opts.GitIntegrationCreationOpts.APIURL == "" {

docs/releases/release_notes.md

@@ -23,7 +23,7 @@ cf version
 
 ```bash
 # download and extract the binary
-curl -L --output - https://github.com/codefresh-io/cli-v2/releases/download/v0.0.219/cf-linux-amd64.tar.gz | tar zx
+curl -L --output - https://github.com/codefresh-io/cli-v2/releases/download/v0.0.220/cf-linux-amd64.tar.gz | tar zx
 
 # move the binary to your $PATH
 mv ./cf-linux-amd64 /usr/local/bin/cf
@@ -36,7 +36,7 @@ cf version
 
 ```bash
 # download and extract the binary
-curl -L --output - https://github.com/codefresh-io/cli-v2/releases/download/v0.0.219/cf-darwin-amd64.tar.gz | tar zx
+curl -L --output - https://github.com/codefresh-io/cli-v2/releases/download/v0.0.220/cf-darwin-amd64.tar.gz | tar zx
 
 # move the binary to your $PATH
 mv ./cf-darwin-amd64 /usr/local/bin/cf

manifests/runtime.yaml

@@ -5,7 +5,7 @@ metadata:
     namespace: '{{ namespace }}'
 spec:
     defVersion: 1.0.0
-    version: 0.0.219
+    version: 0.0.220
     bootstrapSpecifier: github.com/codefresh-io/cli-v2/manifests/argo-cd
     components:
         - name: events

pkg/git/git.go

@@ -0,0 +1,89 @@
+// Copyright 2022 The Codefresh Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package git
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/codefresh-io/cli-v2/pkg/log"
+)
+
+
+var (
+	requiredGitHubScopes = []string{ "repo", "admin:repo_hook" }
+)
+
+
+func VerifyToken(ctx context.Context, provider string, token string) error {
+	providerToVerifier := map[string]func(context.Context, string)error {
+		"github": verifyGitHubTokenScope,
+	}
+
+	verifier := providerToVerifier[provider]
+	if verifier == nil {
+		return verifyTokenScopeFallback(ctx, provider)
+	}
+
+	return verifier(ctx, token)
+}
+
+func verifyGitHubTokenScope(ctx context.Context, token string) error {
+	errMessage := "the provided git token is missing one or more of the required scopes:" + strings.Join(requiredGitHubScopes, ", ")
+	
+	req, err := http.NewRequestWithContext(ctx, "HEAD", "https://api.github.com/", nil)
+	if err != nil {
+		return err
+	}
+
+	req.Header.Set("Authorization", fmt.Sprintf("token %s", token))
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return err
+	}
+
+	defer resp.Body.Close()
+
+	rawScopes := resp.Header["X-Oauth-Scopes"]
+	var scopes []string
+	if len(rawScopes) > 0 {
+		scopes = strings.Split(rawScopes[0], ", ")
+	}
+
+	for _, rs := range requiredGitHubScopes {
+		var contained bool
+		for _, scope := range scopes {
+			if scope == rs {
+				contained = true
+				break
+			}
+		}
+
+		if !contained {
+			return fmt.Errorf(errMessage)
+		}
+	}
+
+	return nil
+}
+
+func verifyTokenScopeFallback(ctx context.Context, token string) error {
+	log.G(ctx).Info("Skipping token verification")
+
+	return nil
+}

pkg/util/util.go

@@ -171,8 +171,12 @@ func CurrentServer() (string, error) {
 	return server, nil
 }
 
-func DecorateErrorWithDocsLink(err error) error {
-	return fmt.Errorf("%s\nfor more information: %s", err.Error(), store.Get().DocsLink)
+func DecorateErrorWithDocsLink(err error, link ...string) error {
+	if len(link) == 0 {
+		return fmt.Errorf("%s\nfor more information: %s", err.Error(), store.Get().DocsLink)
+	}
+
+	return fmt.Errorf("%s\nfor more information: %s", err.Error(), link[0])
 }
 
 func reportCancel(status reporter.CliStepStatus) {
@@ -183,3 +187,4 @@ func reportCancel(status reporter.CliStepStatus) {
 		Err:         nil,
 	})
 }
+