Remove GitHub library and just use GitHub API calls via WebClient. Use app installation tokens for API calls.

Author: matthewhorridge

pom.xml

@@ -76,6 +76,31 @@
             <version>1.19.8</version>
             <scope>test</scope>
         </dependency>
+
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-api</artifactId>
+            <version>0.12.6</version>
+        </dependency>
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-impl</artifactId>
+            <version>0.12.6</version>
+            <scope>runtime</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-jackson</artifactId> <!-- or jjwt-gson if Gson is preferred -->
+            <version>0.12.6</version>
+            <scope>runtime</scope>
+        </dependency>
+        <!-- BouncyCastle for PKCS#1 PEM parsing -->
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcprov-jdk15on</artifactId>
+            <version>1.70</version>
+        </dependency>
+
         <dependency>
             <groupId>org.testcontainers</groupId>
             <artifactId>rabbitmq</artifactId>
@@ -89,13 +114,6 @@
             <scope>test</scope>
         </dependency>
 
-        <dependency>
-            <groupId>org.kohsuke</groupId>
-            <artifactId>github-api</artifactId>
-            <version>1.316</version>
-        </dependency>
-
-
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-test</artifactId>

src/main/java/edu/stanford/webprotege/issues/WebprotegeGhIssuesServiceApplication.java

@@ -1,13 +1,7 @@
 package edu.stanford.webprotege.issues;
 
-import edu.stanford.protege.github.GitHubRepositoryCoordinates;
-import edu.stanford.webprotege.issues.persistence.GitHubRepositoryLinkRecord;
-import edu.stanford.webprotege.issues.persistence.GitHubRepositoryLinkRecordStore;
-import edu.stanford.protege.webprotege.common.ProjectId;
 import edu.stanford.protege.webprotege.ipc.WebProtegeIpcApplication;
 import edu.stanford.protege.webprotege.jackson.WebProtegeJacksonApplication;
-import org.kohsuke.github.GitHub;
-import org.kohsuke.github.GitHubBuilder;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -30,18 +24,10 @@ public static void main(String[] args) {
         SpringApplication.run(WebprotegeGhIssuesServiceApplication.class, args);
     }
 
-    @Bean
-    public GitHub gitHub() throws IOException {
-        return GitHubBuilder.fromEnvironment().build();
-    }
-
     @Autowired
     private ApplicationContext context;
 
     @Override
     public void run(String... args) throws Exception {
-        logger.warn("Forcing linked repo");
-        context.getBean(GitHubRepositoryLinkRecordStore.class)
-                .save(new GitHubRepositoryLinkRecord(ProjectId.valueOf("c6a5fed1-47eb-4be1-9570-7d3eefd9b579"), new GitHubRepositoryCoordinates("matthewhorridge", "testrepo"), null, true));
     }
 }

src/main/java/edu/stanford/webprotege/issues/auth/GitHubAuthConfig.java

@@ -0,0 +1,31 @@
+package edu.stanford.webprotege.issues.auth;
+
+import com.github.benmanes.caffeine.cache.Cache;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpHeaders;
+import org.springframework.web.reactive.function.client.WebClient;
+import edu.stanford.webprotege.issues.model.GitHubInstallationId;
+
+@Configuration
+public class GitHubAuthConfig {
+
+    @Bean
+    public WebClient githubWebClient() {
+        return WebClient.builder()
+                .baseUrl("https://api.github.com" )
+                .defaultHeader(HttpHeaders.ACCEPT, "application/vnd.github+json" )
+                .build();
+    }
+
+    @Bean
+    GitHubInstallationTokenCacheProvider gitHubInstallationTokenCacheProvider() {
+        return new GitHubInstallationTokenCacheProvider();
+    }
+
+    @Bean
+    public Cache<GitHubInstallationId, GitHubInstallationToken> tokenCache(GitHubInstallationTokenCacheProvider tokenCacheProvider) {
+        return tokenCacheProvider.createTokenCache();
+    }
+
+}

src/main/java/edu/stanford/webprotege/issues/auth/GitHubInstallationToken.java

@@ -0,0 +1,13 @@
+package edu.stanford.webprotege.issues.auth;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import edu.stanford.webprotege.issues.model.GitHubPermissions;
+
+import java.time.Instant;
+
+@JsonIgnoreProperties(ignoreUnknown = true)
+public record GitHubInstallationToken(@JsonProperty("token") String token,
+                                      @JsonProperty("expires_at") Instant expiresAt,
+                                      @JsonProperty("permissions") GitHubPermissions permissions) {
+}

src/main/java/edu/stanford/webprotege/issues/auth/GitHubInstallationTokenCacheProvider.java

@@ -0,0 +1,14 @@
+package edu.stanford.webprotege.issues.auth;
+
+import com.github.benmanes.caffeine.cache.Cache;
+import com.github.benmanes.caffeine.cache.Caffeine;
+import edu.stanford.webprotege.issues.model.GitHubInstallationId;
+
+public class GitHubInstallationTokenCacheProvider {
+
+    public Cache<GitHubInstallationId, GitHubInstallationToken> createTokenCache() {
+        return Caffeine.newBuilder()
+                .expireAfter(new GitHubInstallationTokenExpiry())
+                .build();
+    }
+}

src/main/java/edu/stanford/webprotege/issues/auth/GitHubInstallationTokenExpiry.java

@@ -0,0 +1,28 @@
+package edu.stanford.webprotege.issues.auth;
+
+import com.github.benmanes.caffeine.cache.Expiry;
+import edu.stanford.webprotege.issues.model.GitHubInstallationId;
+
+import java.time.Duration;
+import java.time.Instant;
+
+public class GitHubInstallationTokenExpiry implements Expiry<GitHubInstallationId, GitHubInstallationToken> {
+
+    @Override
+    public long expireAfterCreate(GitHubInstallationId key, GitHubInstallationToken token, long currentTimeNanos) {
+        Instant now = Instant.now();
+        Duration untilExpiry = Duration.between(now, token.expiresAt().minusSeconds(5));
+        long durationNanos = untilExpiry.toNanos();
+        return Math.max(durationNanos, 0);
+    }
+
+    @Override
+    public long expireAfterUpdate(GitHubInstallationId key, GitHubInstallationToken token, long currentTimeNanos, long currentDurationNanos) {
+        return currentDurationNanos;
+    }
+
+    @Override
+    public long expireAfterRead(GitHubInstallationId key, GitHubInstallationToken token, long currentTimeNanos, long currentDurationNanos) {
+        return currentDurationNanos;
+    }
+}

src/main/java/edu/stanford/webprotege/issues/auth/GitHubJwt.java

@@ -0,0 +1,5 @@
+package edu.stanford.webprotege.issues.auth;
+
+public record GitHubJwt(String token) {
+
+}

src/main/java/edu/stanford/webprotege/issues/auth/GitHubJwtConfig.java

@@ -0,0 +1,37 @@
+package edu.stanford.webprotege.issues.auth;
+
+
+import edu.stanford.webprotege.issues.model.GitHubAppId;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+public class GitHubJwtConfig {
+
+    public static final Logger logger = LoggerFactory.getLogger(GitHubJwtConfig.class);
+
+    @Bean
+    public GitHubPrivateKeyLoader gitHubPrivateKeyLoader(@Value("${webprotege.github.pem-path:}") String pemPath) throws Exception {
+        if(pemPath.isEmpty()) {
+            logger.warn("Missing required property: webprotege.github.pem-path");
+        }
+        return new GitHubPrivateKeyLoader(pemPath);
+    }
+
+    /**
+     * Supplies a new short-lived JWT token (valid for 9 minutes) signed with GitHub App private key.
+     */
+    @Bean
+    public GitHubJwtFactory githubJwtSupplier(GitHubAppId appId,
+                                              GitHubPrivateKeyLoader privateKeyLoader) {
+        return new GitHubJwtFactory(appId, privateKeyLoader);
+    }
+
+    @Bean
+    GitHubAppId gitHubAppId(@Value("${webprotege.github.app-id}") String appId) {
+        return new GitHubAppId(appId);
+    }
+}

src/main/java/edu/stanford/webprotege/issues/auth/GitHubJwtFactory.java

@@ -0,0 +1,34 @@
+package edu.stanford.webprotege.issues.auth;
+
+import edu.stanford.webprotege.issues.model.GitHubAppId;
+import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.SignatureAlgorithm;
+
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+import java.util.Date;
+
+public class GitHubJwtFactory {
+
+    private final GitHubAppId appId;
+
+    private final GitHubPrivateKeyLoader privateKeyLoader;
+
+    public GitHubJwtFactory(GitHubAppId appId,
+                            GitHubPrivateKeyLoader privateKeyLoader) {
+        this.appId = appId;
+        this.privateKeyLoader = privateKeyLoader;
+    }
+
+    public GitHubJwt getJwt() {
+        var now = Instant.now();
+        var privateKey = privateKeyLoader.getPrivateKey();
+        var token = Jwts.builder().issuer(appId.id())
+                .issuedAt(Date.from(now))
+                .expiration(Date.from(now.plus(10, ChronoUnit.MINUTES)))  // GitHub max is 10 minutes
+                .signWith(privateKey, SignatureAlgorithm.RS256)
+                .compact();
+        return new GitHubJwt(token);
+    }
+
+}

src/main/java/edu/stanford/webprotege/issues/auth/GitHubPrivateKeyLoader.java

@@ -0,0 +1,56 @@
+package edu.stanford.webprotege.issues.auth;
+
+import org.bouncycastle.asn1.ASN1Sequence;
+import org.bouncycastle.asn1.pkcs.RSAPrivateKey;
+import org.bouncycastle.util.io.pem.PemReader;
+
+import java.io.FileNotFoundException;
+import java.io.FileReader;
+import java.io.IOException;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.RSAPrivateCrtKeySpec;
+
+public class GitHubPrivateKeyLoader {
+
+    private final String pemPath;
+
+    public GitHubPrivateKeyLoader(String pemPath) {
+        this.pemPath = pemPath;
+    }
+
+    public PrivateKey getPrivateKey() {
+        if(pemPath.isEmpty()) {
+            throw new IllegalStateException("Path to .pem file is empty.  Make sure that the path to .pem file is specified in the webprotege.github.pem-path property.");
+        }
+        try (var pemReader = new PemReader(new FileReader(pemPath))) {
+            var content = pemReader.readPemObject().getContent();
+            var rsa = RSAPrivateKey.getInstance(ASN1Sequence.getInstance(content));
+
+            var keySpec = new RSAPrivateCrtKeySpec(
+                    rsa.getModulus(),
+                    rsa.getPublicExponent(),
+                    rsa.getPrivateExponent(),
+                    rsa.getPrime1(),
+                    rsa.getPrime2(),
+                    rsa.getExponent1(),
+                    rsa.getExponent2(),
+                    rsa.getCoefficient()
+            );
+            var keyFactory = KeyFactory.getInstance("RSA");
+            return keyFactory.generatePrivate(keySpec);
+
+        } catch (FileNotFoundException e) {
+            throw new RuntimeException(e);
+        } catch (IOException e) {
+            throw new RuntimeException(e);
+        } catch (NoSuchAlgorithmException e) {
+            throw new RuntimeException(e);
+        } catch (InvalidKeySpecException e) {
+            throw new RuntimeException(e);
+        }
+    }
+}
+