implement indexing private repos using app installations

tayloraswift · tayloraswift · commit 21bc9d0973b7 · 2024-07-13T00:21:16.000Z
diff --git a/Assets/css/Main.css b/Assets/css/Main.css
diff --git a/Assets/css/Main.css.map b/Assets/css/Main.css.map
diff --git a/Sources/GitHubAPI/GitHub.Repo.swift b/Sources/GitHubAPI/GitHub.Repo.swift
@@ -49,10 +49,9 @@ extension GitHub
         public
         var fork:Bool
 
-        /// The repo’s visibility on GitHub. Some queries return only public repositories and so
-        /// omit this field.
+        /// The repo’s visibility on GitHub.
         public
-        var visibility:RepoVisibility?
+        var visibility:RepoVisibility
         /// The repo’s dominant language, if GitHub was able to detect one.
         public
         var language:String?
@@ -90,7 +89,7 @@ extension GitHub
             archived:Bool,
             disabled:Bool,
             fork:Bool,
-            visibility:RepoVisibility? = nil,
+            visibility:RepoVisibility,
             language:String? = nil,
             homepage:String? = nil,
             about:String? = nil,
@@ -172,7 +171,7 @@ extension GitHub.Repo:JSONObjectDecodable
             archived: try json[.archived].decode(),
             disabled: try json[.disabled].decode(),
             fork: try json[.fork].decode(),
-            visibility: try json[.visibility]?.decode(),
+            visibility: try json[.visibility].decode(),
             language: try json[.language]?.decode(),
             homepage: try json[.homepage]?.decode(),
             about: try json[.description]?.decode(),
diff --git a/Sources/GitHubAPI/GitHub.RepoVisibility.swift b/Sources/GitHubAPI/GitHub.RepoVisibility.swift
@@ -3,9 +3,47 @@ import JSON
 extension GitHub
 {
     @frozen public
-    enum RepoVisibility:String, JSONEncodable, JSONDecodable, Equatable, Sendable
+    enum RepoVisibility:Equatable, Comparable, Sendable
     {
-        case `public`
         case `private`
+        case `internal`
+        case `public`
+    }
+}
+extension GitHub.RepoVisibility:CustomStringConvertible
+{
+    @inlinable public
+    var description:String
+    {
+        switch self
+        {
+        case .private:  "private"
+        case .internal: "internal"
+        case .public:   "public"
+        }
     }
 }
+extension GitHub.RepoVisibility:LosslessStringConvertible
+{
+    @inlinable public
+    init?(_ description:String)
+    {
+        //  Note: the GraphQL API returns the visibility in all caps, for some reason.
+        switch description
+        {
+        case "PRIVATE":  self = .private
+        case "private":  self = .private
+
+        case "INTERNAL": self = .internal
+        case "internal": self = .internal
+
+        case "PUBLIC":   self = .public
+        case "public":   self = .public
+
+        default:         return nil
+        }
+    }
+}
+extension GitHub.RepoVisibility:JSONStringDecodable
+{
+}
diff --git a/Sources/GitHubClient/GitHub.Client.Connection.swift b/Sources/GitHubClient/GitHub.Client.Connection.swift
@@ -26,16 +26,17 @@ extension GitHub.Client
         }
     }
 }
-extension GitHub.Client<GitHub.PersonalAccessToken>.Connection
+extension GitHub.Client<Void>.Connection
 {
     /// Run a GraphQL API request.
     ///
     /// The request will be charged to the user associated with the stored token. It is not
     /// possible to run a GraphQL API request without a token.
     @inlinable public
-    func post<Response>(query:String,
-        for _:Response.Type = Response.self) async throws -> GraphQL.Response<Response>
-        where Response:JSONDecodable
+    func post<T>(query:String,
+        expecting _:T.Type = T.self,
+        with authorization:GitHub.ClientAuthorization) async throws -> GraphQL.Response<T>
+        where T:JSONDecodable
     {
         let request:HTTP.Client2.Request = .init(headers:
             [
@@ -44,7 +45,7 @@ extension GitHub.Client<GitHub.PersonalAccessToken>.Connection
                 ":authority": self.http2.remote,
                 ":path": "/graphql",
 
-                "authorization": "Bearer \(self.app)",
+                "authorization": authorization.header,
 
                 //  GitHub will reject the API request if the user-agent is not set.
                 "user-agent": self.agent,
@@ -65,8 +66,7 @@ extension GitHub.Client<GitHub.PersonalAccessToken>.Connection
             if  let second:String = response.headers?["x-ratelimit-reset"].first,
                 let second:Int64 = .init(second)
             {
-                throw GitHub.Client<GitHub.PersonalAccessToken>.RateLimitError.init(
-                    until: .second(second))
+                throw GitHub.Client<Application>.RateLimitError.init(until: .second(second))
             }
             else
             {
diff --git a/Sources/GitHubClient/GitHub.Client.swift b/Sources/GitHubClient/GitHub.Client.swift
@@ -27,17 +27,17 @@ extension GitHub
         }
     }
 }
-extension GitHub.Client<GitHub.PersonalAccessToken>
+extension GitHub.Client<Void>
 {
     public static
-    func graphql(pat:consuming GitHub.PersonalAccessToken,
+    func graphql(
         threads:consuming MultiThreadedEventLoopGroup,
         niossl:consuming NIOSSLContext,
-        as agent:String) -> GitHub.Client<GitHub.PersonalAccessToken>
+        as agent:String) -> GitHub.Client<Void>
     {
         .init(http2: .init(threads: threads, niossl: niossl, remote: "api.github.com"),
             agent: agent,
-            app: pat)
+            app: ())
     }
 }
 extension GitHub.Client where Application:GitHubApplication
diff --git a/Sources/GitHubClient/GitHub.ClientAuthorization.swift b/Sources/GitHubClient/GitHub.ClientAuthorization.swift
@@ -4,13 +4,21 @@ import GitHubAPI
 extension GitHub
 {
     @frozen public
-    enum ClientAuthorization
+    enum ClientAuthorization:Sendable
     {
         case basic(GitHub.OAuth)
         case token(String)
     }
 }
 extension GitHub.ClientAuthorization
+{
+    @inlinable public
+    static func token(_ iat:GitHub.InstallationAccessToken) -> Self { .token(iat.rawValue) }
+
+    @inlinable public
+    static func token(_ pat:GitHub.PersonalAccessToken) -> Self { .token(pat.rawValue) }
+}
+extension GitHub.ClientAuthorization
 {
     @inlinable
     var header:String
diff --git a/Sources/UnidocDB/Packages/Unidoc.PackageRepo (ext).swift b/Sources/UnidocDB/Packages/Unidoc.PackageRepo (ext).swift
@@ -45,7 +45,7 @@ extension Unidoc.PackageRepo
             created: .init(created),
             updated: updated,
             license: repo.license.map { .init(spdx: $0.id, name: $0.name) },
-            private: repo.visibility == .private,
+            private: repo.visibility < .public,
             topics: repo.topics,
             master: repo.master,
             origin: .github(.init(
diff --git a/Sources/UnidocServer/Operations/Interactions/Unidoc.PackageIndexOperation.Subject.swift b/Sources/UnidocServer/Operations/Interactions/Unidoc.PackageIndexOperation.Subject.swift
@@ -2,7 +2,7 @@ extension Unidoc.PackageIndexOperation
 {
     enum Subject
     {
-        case repo(owner:String, name:String, private:Bool)
+        case repo(owner:String, name:String, githubInstallation:Int32?)
         case ref(Unidoc.Package, ref:String)
     }
 }
@@ -19,7 +19,9 @@ extension Unidoc.PackageIndexOperation.Subject
                 return nil
             }
 
-            self = .repo(owner: owner, name: repo, private: form["private"] == "true")
+            let githubInstallation:Int32? = form["installation"].flatMap(Int32.init(_:))
+
+            self = .repo(owner: owner, name: repo, githubInstallation: githubInstallation)
         }
         else if
             let package:String = form["package"],
diff --git a/Sources/UnidocServer/Operations/Interactions/Unidoc.PackageIndexOperation.swift b/Sources/UnidocServer/Operations/Interactions/Unidoc.PackageIndexOperation.swift
@@ -45,17 +45,18 @@ extension Unidoc.PackageIndexOperation:Unidoc.MeteredOperation
 
         switch self.subject
         {
-        case .repo(owner: let owner, name: let repo, private: let `private`):
+        case .repo(owner: let owner, name: let repo, githubInstallation: let appInstallation):
             if  let error:Unidoc.PolicyErrorPage = try await self.charge(cost: 8,
                     from: server,
                     with: session)
             {
                 return error.response(format: format)
             }
 
-            let repo:GitHub.Repo? = try await github.connect
+            let repo:GitHub.Repo? = try await github.connect(
+                with: .init(githubInstallation: appInstallation))
             {
-                try await $0.lookup(owner: owner, repo: repo, private: `private`)
+                try await $0.lookup(owner: owner, repo: repo)
             }
 
             guard
@@ -110,7 +111,7 @@ extension Unidoc.PackageIndexOperation:Unidoc.MeteredOperation
                 return error.response(format: format)
             }
 
-            let ref:GitHub.Ref? = try await github.connect
+            let ref:GitHub.Ref? = try await github.connect(with: .init())
             {
                 try await $0.lookup(owner: origin.owner, repo: origin.name, ref: ref)
             }
diff --git a/Sources/UnidocServer/Operations/Interactive/Unidoc.RestrictedOperation.swift b/Sources/UnidocServer/Operations/Interactive/Unidoc.RestrictedOperation.swift
@@ -35,7 +35,7 @@ extension Unidoc.RestrictedOperation
         case .ignored:
             session = try await .init(from: server.db.sessions)
             //  Yes, we need to call this, even though we ignore the result.
-            let _:Bool = self.admit(user: .init(access: [], level: .administratrix))
+            let _:Bool = self.admit(user: .init(level: .administratrix))
 
         case .enforced:
             let user:Unidoc.UserSession
diff --git a/Sources/UnidocServer/Unidoc.Registrar.swift b/Sources/UnidocServer/Unidoc.Registrar.swift
@@ -8,7 +8,8 @@ extension Unidoc
     {
         associatedtype Session:RegistrarSession
 
-        func connect<T>(_ body:(Session) async throws -> T) async throws -> T
+        func connect<T>(with access:Unidoc.RegistrarAccessMechanisms,
+            _ body:(Session) async throws -> T) async throws -> T
 
         func resolve(_ edition:EditionState, rebuild:Bool) async throws -> BuildLabels?
     }
diff --git a/Sources/UnidocServer/Unidoc.RegistrarAccessMechanisms.swift b/Sources/UnidocServer/Unidoc.RegistrarAccessMechanisms.swift
@@ -0,0 +1,15 @@
+extension Unidoc
+{
+    @frozen public
+    struct RegistrarAccessMechanisms:Equatable, Sendable
+    {
+        public
+        let githubInstallation:Int32?
+
+        @inlinable public
+        init(githubInstallation:Int32? = nil)
+        {
+            self.githubInstallation = githubInstallation
+        }
+    }
+}
diff --git a/Sources/UnidocServer/Unidoc.RegistrarSession.swift b/Sources/UnidocServer/Unidoc.RegistrarSession.swift
@@ -6,6 +6,6 @@ extension Unidoc
     protocol RegistrarSession
     {
         func lookup(owner:String, repo:String, ref:String) async throws -> GitHub.Ref?
-        func lookup(owner:String, repo:String, private:Bool) async throws -> GitHub.Repo?
+        func lookup(owner:String, repo:String) async throws -> GitHub.Repo?
     }
 }
diff --git a/Sources/UnidocUI/Endpoints/User/Unidoc.UserSettingsPage.swift b/Sources/UnidocUI/Endpoints/User/Unidoc.UserSettingsPage.swift
@@ -149,26 +149,41 @@ extension Unidoc.UserSettingsPage:Unidoc.ApplicationPage
                                 $0.pattern = #"^[a-zA-Z0-9_\-\.]+$"#
                             }
                         }
-                    }
 
-                    // $0[.p]
-                    // {
-                    //     $0[.label]
-                    //     {
-                    //         $0.class = "checkbox"
-                    //     }
-                    //         content:
-                    //     {
-                    //         $0[.input]
-                    //         {
-                    //             $0.type = "checkbox"
-                    //             $0.name = "private"
-                    //             $0.value = "true"
-                    //         }
-
-                    //         $0[.span] = "This is a private repository"
-                    //     }
-                    // }
+                        $0[.dt] = "Authorize as"
+                        $0[.dd]
+                        {
+                            $0[.select]
+                            {
+                                $0.name = "installation"
+                            }
+                                content:
+                            {
+                                $0[.option]
+                                {
+                                    $0.selected = true
+                                    $0.value = ""
+                                } = "Nobody (public)"
+
+                                if  let id:Int32 = self.user.githubInstallation
+                                {
+                                    $0[.option] { $0.value = "\(id)" } = "Yourself"
+                                }
+
+                                for organization:Unidoc.User in self.organizations
+                                {
+                                    guard
+                                    let id:Int32 = organization.githubInstallation
+                                    else
+                                    {
+                                        continue
+                                    }
+
+                                    $0[.option] { $0.value = "\(id)" } = organization.symbol
+                                }
+                            }
+                        }
+                    }
 
                     $0[.button]
                     {
diff --git a/Stylesheets/_form.scss b/Stylesheets/_form.scss
@@ -40,6 +40,7 @@ form.config
         box-sizing: border-box;
     }
 
+    select,
     input[type="text"],
     input[type="url"]
     {
@@ -56,6 +57,14 @@ form.config
         font-style: italic;
         font-size: inherit;
     }
+
+    select
+    {
+        padding-bottom: 0.2em;
+    }
+
+    select[disabled],
+    select[readonly],
     input[type="text"][disabled],
     input[type="text"][readonly],
     input[type="url"][disabled],
@@ -64,6 +73,8 @@ form.config
         background: none;
         color: var(--fg-semi);
     }
+    select:not([disabled]):not([readonly]):hover,
+    select:not([disabled]):not([readonly]):focus,
     input[type="text"]:not([disabled]):not([readonly]):hover,
     input[type="text"]:not([disabled]):not([readonly]):focus,
     input[type="url"]:not([disabled]):not([readonly]):hover,

Original file line number	Diff line number	Diff line change
`@@ -26,16 +26,17 @@ extension GitHub.Client`
`26`	`26`	`}`
`27`	`27`	`}`
`28`	`28`	`}`
`29`		`-extension GitHub.Client<GitHub.PersonalAccessToken>.Connection`
	`29`	`+extension GitHub.Client<Void>.Connection`
`30`	`30`	`{`
`31`	`31`	`/// Run a GraphQL API request.`
`32`	`32`	`///`
`33`	`33`	`/// The request will be charged to the user associated with the stored token. It is not`
`34`	`34`	`/// possible to run a GraphQL API request without a token.`
`35`	`35`	`@inlinable public`
`36`		`- func post<Response>(query:String,`
`37`		`- for _:Response.Type = Response.self) async throws -> GraphQL.Response<Response>`
`38`		`- where Response:JSONDecodable`
	`36`	`+ func post<T>(query:String,`
	`37`	`+ expecting _:T.Type = T.self,`
	`38`	`+ with authorization:GitHub.ClientAuthorization) async throws -> GraphQL.Response<T>`
	`39`	`+ where T:JSONDecodable`
`39`	`40`	`{`
`40`	`41`	`let request:HTTP.Client2.Request = .init(headers:`
`41`	`42`	`[`
`@@ -44,7 +45,7 @@ extension GitHub.Client<GitHub.PersonalAccessToken>.Connection`
`44`	`45`	`":authority": self.http2.remote,`
`45`	`46`	`":path": "/graphql",`
`46`	`47`
`47`		`- "authorization": "Bearer \(self.app)",`
	`48`	`+ "authorization": authorization.header,`
`48`	`49`
`49`	`50`	`// GitHub will reject the API request if the user-agent is not set.`
`50`	`51`	`"user-agent": self.agent,`
`@@ -65,8 +66,7 @@ extension GitHub.Client<GitHub.PersonalAccessToken>.Connection`
`65`	`66`	`if let second:String = response.headers?["x-ratelimit-reset"].first,`
`66`	`67`	`let second:Int64 = .init(second)`
`67`	`68`	`{`
`68`		`- throw GitHub.Client<GitHub.PersonalAccessToken>.RateLimitError.init(`
`69`		`- until: .second(second))`
	`69`	`+ throw GitHub.Client<Application>.RateLimitError.init(until: .second(second))`
`70`	`70`	`}`
`71`	`71`	`else`
`72`	`72`	`{`
Original file line number	Diff line number	Diff line change
`@@ -27,17 +27,17 @@ extension GitHub`
`27`	`27`	`}`
`28`	`28`	`}`
`29`	`29`	`}`
`30`		`-extension GitHub.Client<GitHub.PersonalAccessToken>`
	`30`	`+extension GitHub.Client<Void>`
`31`	`31`	`{`
`32`	`32`	`public static`
`33`		`- func graphql(pat:consuming GitHub.PersonalAccessToken,`
	`33`	`+ func graphql(`
`34`	`34`	`threads:consuming MultiThreadedEventLoopGroup,`
`35`	`35`	`niossl:consuming NIOSSLContext,`
`36`		`- as agent:String) -> GitHub.Client<GitHub.PersonalAccessToken>`
	`36`	`+ as agent:String) -> GitHub.Client<Void>`
`37`	`37`	`{`
`38`	`38`	`.init(http2: .init(threads: threads, niossl: niossl, remote: "api.github.com"),`
`39`	`39`	`agent: agent,`
`40`		`- app: pat)`
	`40`	`+ app: ())`
`41`	`41`	`}`
`42`	`42`	`}`
`43`	`43`	`extension GitHub.Client where Application:GitHubApplication`
Original file line number	Diff line number	Diff line change
`@@ -4,13 +4,21 @@ import GitHubAPI`
`4`	`4`	`extension GitHub`
`5`	`5`	`{`
`6`	`6`	`@frozen public`
`7`		`- enum ClientAuthorization`
	`7`	`+ enum ClientAuthorization:Sendable`
`8`	`8`	`{`
`9`	`9`	`case basic(GitHub.OAuth)`
`10`	`10`	`case token(String)`
`11`	`11`	`}`
`12`	`12`	`}`
`13`	`13`	`extension GitHub.ClientAuthorization`
	`14`	`+{`
	`15`	`+ @inlinable public`
	`16`	`+ static func token(_ iat:GitHub.InstallationAccessToken) -> Self { .token(iat.rawValue) }`
	`17`	`+`
	`18`	`+ @inlinable public`
	`19`	`+ static func token(_ pat:GitHub.PersonalAccessToken) -> Self { .token(pat.rawValue) }`
	`20`	`+}`
	`21`	`+extension GitHub.ClientAuthorization`
`14`	`22`	`{`
`15`	`23`	`@inlinable`
`16`	`24`	`var header:String`
Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@ extension Unidoc.PackageIndexOperation`
`2`	`2`	`{`
`3`	`3`	`enum Subject`
`4`	`4`	`{`
`5`		`- case repo(owner:String, name:String, private:Bool)`
	`5`	`+ case repo(owner:String, name:String, githubInstallation:Int32?)`
`6`	`6`	`case ref(Unidoc.Package, ref:String)`
`7`	`7`	`}`
`8`	`8`	`}`
`@@ -19,7 +19,9 @@ extension Unidoc.PackageIndexOperation.Subject`
`19`	`19`	`return nil`
`20`	`20`	`}`
`21`	`21`
`22`		`- self = .repo(owner: owner, name: repo, private: form["private"] == "true")`
	`22`	`+ let githubInstallation:Int32? = form["installation"].flatMap(Int32.init(_:))`
	`23`	`+`
	`24`	`+ self = .repo(owner: owner, name: repo, githubInstallation: githubInstallation)`
`23`	`25`	`}`
`24`	`26`	`else if`
`25`	`27`	`let package:String = form["package"],`
Original file line number	Diff line number	Diff line change
`@@ -45,17 +45,18 @@ extension Unidoc.PackageIndexOperation:Unidoc.MeteredOperation`
`45`	`45`
`46`	`46`	`switch self.subject`
`47`	`47`	`{`
`48`		- case .repo(owner: let owner, name: let repo, private: let `private`):
	`48`	`+ case .repo(owner: let owner, name: let repo, githubInstallation: let appInstallation):`
`49`	`49`	`if let error:Unidoc.PolicyErrorPage = try await self.charge(cost: 8,`
`50`	`50`	`from: server,`
`51`	`51`	`with: session)`
`52`	`52`	`{`
`53`	`53`	`return error.response(format: format)`
`54`	`54`	`}`
`55`	`55`
`56`		`- let repo:GitHub.Repo? = try await github.connect`
	`56`	`+ let repo:GitHub.Repo? = try await github.connect(`
	`57`	`+ with: .init(githubInstallation: appInstallation))`
`57`	`58`	`{`
`58`		- try await $0.lookup(owner: owner, repo: repo, private: `private`)
	`59`	`+ try await $0.lookup(owner: owner, repo: repo)`
`59`	`60`	`}`
`60`	`61`
`61`	`62`	`guard`
`@@ -110,7 +111,7 @@ extension Unidoc.PackageIndexOperation:Unidoc.MeteredOperation`
`110`	`111`	`return error.response(format: format)`
`111`	`112`	`}`
`112`	`113`
`113`		`- let ref:GitHub.Ref? = try await github.connect`
	`114`	`+ let ref:GitHub.Ref? = try await github.connect(with: .init())`
`114`	`115`	`{`
`115`	`116`	`try await $0.lookup(owner: origin.owner, repo: origin.name, ref: ref)`
`116`	`117`	`}`