trufflesecurity · rosecodym · Aug 5, 2024 · Jul 26, 2024 · Jul 29, 2024 · Jul 29, 2024
@@ -0,0 +1,39 @@
+package github
+
+import (
+	"fmt"
+
+	gogit "github.com/go-git/go-git/v5"
+	"github.com/google/go-github/v63/github"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/context"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/sourcespb"
+)
+
+const cloudEndpoint = "https://api.github.com"
+
+type connector interface {
+	// APIClient returns a configured GitHub client that can be used for GitHub API operations.
+	APIClient() *github.Client
+	// Clone clones a repository using the configured authentication information.
+	Clone(ctx context.Context, repoURL string) (string, *gogit.Repository, error)
+}
+
+func newConnector(source *Source) (connector, error) {
+	apiEndpoint := source.conn.Endpoint
+	if apiEndpoint == "" || endsWithGithub.MatchString(apiEndpoint) {
+		apiEndpoint = cloudEndpoint
+	}
+
+	switch cred := source.conn.GetCredential().(type) {
+	case *sourcespb.GitHub_GithubApp:
+		return newAppConnector(apiEndpoint, cred.GithubApp)
+	case *sourcespb.GitHub_BasicAuth:
+		return newBasicAuthConnector(apiEndpoint, cred.BasicAuth)
+	case *sourcespb.GitHub_Token:
+		return newTokenConnector(apiEndpoint, cred.Token, source.handleRateLimit)
+	case *sourcespb.GitHub_Unauthenticated:
+		return newUnauthenticatedConnector(apiEndpoint)
+	default:
+		return nil, fmt.Errorf("unknown connection type")
+	}
+}
@@ -0,0 +1,96 @@
+package github
+
+import (
+	"fmt"
+	"strconv"
+
+	"github.com/bradleyfalzon/ghinstallation/v2"
+	gogit "github.com/go-git/go-git/v5"
+	"github.com/google/go-github/v63/github"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/context"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/credentialspb"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/sources/git"
+)
+
+type appConnector struct {
+	apiClient          *github.Client
+	installationClient *github.Client
+	installationID     int64
+}
+
+var _ connector = (*appConnector)(nil)
+
+func newAppConnector(apiEndpoint string, app *credentialspb.GitHubApp) (*appConnector, error) {
+	installationID, err := strconv.ParseInt(app.InstallationId, 10, 64)
+	if err != nil {
+		return nil, fmt.Errorf("could not parse app installation ID %q: %w", app.InstallationId, err)
+	}
+
+	appID, err := strconv.ParseInt(app.AppId, 10, 64)
+	if err != nil {
+		return nil, fmt.Errorf("could not parse app ID %q: %w", appID, err)
+	}
+
+	const httpTimeoutSeconds = 60
+	httpClient := common.RetryableHTTPClientTimeout(int64(httpTimeoutSeconds))
+
+	installationTransport, err := ghinstallation.NewAppsTransport(
+		httpClient.Transport,
+		appID,
+		[]byte(app.PrivateKey))
+	if err != nil {
+		return nil, fmt.Errorf("could not create installation client transport: %w", err)
+	}
+	installationTransport.BaseURL = apiEndpoint
+
+	installationHttpClient := common.RetryableHTTPClientTimeout(60)
+	installationHttpClient.Transport = installationTransport
+	installationClient, err := github.NewClient(installationHttpClient).WithEnterpriseURLs(apiEndpoint, apiEndpoint)
+	if err != nil {
+		return nil, fmt.Errorf("could not create installation client: %w", err)
+	}
+
+	apiTransport, err := ghinstallation.New(
+		httpClient.Transport,
+		appID,
+		installationID,
+		[]byte(app.PrivateKey))
+	if err != nil {
+		return nil, fmt.Errorf("could not create API client transport: %w", err)
+	}
+	apiTransport.BaseURL = apiEndpoint
+
+	httpClient.Transport = apiTransport
+	apiClient, err := github.NewClient(httpClient).WithEnterpriseURLs(apiEndpoint, apiEndpoint)
+	if err != nil {
+		return nil, fmt.Errorf("could not create API client: %w", err)
+	}
+
+	return &appConnector{
+		apiClient:          apiClient,
+		installationClient: installationClient,
+		installationID:     installationID,
+	}, nil
+}
+
+func (c *appConnector) APIClient() *github.Client {
+	return c.apiClient
+}
+
+func (c *appConnector) Clone(ctx context.Context, repoURL string) (string, *gogit.Repository, error) {
+	// TODO: Check rate limit for this call.
+	token, _, err := c.installationClient.Apps.CreateInstallationToken(
+		ctx,
+		c.installationID,
+		&github.InstallationTokenOptions{})
+	if err != nil {
+		return "", nil, fmt.Errorf("could not create installation token: %w", err)
+	}
+
+	return git.CloneRepoUsingToken(ctx, token.GetToken(), repoURL, "x-access-token")
+}
+
+func (c *appConnector) InstallationClient() *github.Client {
+	return c.installationClient
+}
@@ -0,0 +1,48 @@
+package github
+
+import (
+	"fmt"
+
+	gogit "github.com/go-git/go-git/v5"
+	"github.com/google/go-github/v63/github"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/context"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/credentialspb"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/sources/git"
+)
+
+type basicAuthConnector struct {
+	apiClient *github.Client
+	username  string
+	password  string
+}
+
+var _ connector = (*basicAuthConnector)(nil)
+
+func newBasicAuthConnector(apiEndpoint string, cred *credentialspb.BasicAuth) (*basicAuthConnector, error) {
+	const httpTimeoutSeconds = 60
+	httpClient := common.RetryableHTTPClientTimeout(int64(httpTimeoutSeconds))
+	httpClient.Transport = &github.BasicAuthTransport{
+		Username: cred.Username,
+		Password: cred.Password,
+	}
+
+	apiClient, err := createGitHubClient(httpClient, apiEndpoint)
+	if err != nil {
+		return nil, fmt.Errorf("could not create API client: %w", err)
+	}
+
+	return &basicAuthConnector{
+		apiClient: apiClient,
+		username:  cred.Username,
+		password:  cred.Password,
+	}, nil
+}
+
+func (c *basicAuthConnector) APIClient() *github.Client {
+	return c.apiClient
+}
+
+func (c *basicAuthConnector) Clone(ctx context.Context, repoURL string) (string, *gogit.Repository, error) {
+	return git.CloneRepoUsingToken(ctx, c.password, repoURL, c.username)
+}
@@ -0,0 +1,97 @@
+package github
+
+import (
+	"fmt"
+	"strings"
+	"sync"
+
+	gogit "github.com/go-git/go-git/v5"
+	"github.com/google/go-github/v63/github"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/context"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/sources/git"
+	"golang.org/x/oauth2"
+)
+
+type tokenConnector struct {
+	apiClient          *github.Client
+	token              string
+	isGitHubEnterprise bool
+	handleRateLimit    func(error) bool
+	user               string
+	userMu             sync.Mutex
+}
+
+var _ connector = (*tokenConnector)(nil)
+
+func newTokenConnector(apiEndpoint string, token string, handleRateLimit func(error) bool) (*tokenConnector, error) {
+	const httpTimeoutSeconds = 60
+	httpClient := common.RetryableHTTPClientTimeout(int64(httpTimeoutSeconds))
+	tokenSource := oauth2.StaticTokenSource(&oauth2.Token{AccessToken: token})
+	httpClient.Transport = &oauth2.Transport{
+		Base:   httpClient.Transport,
+		Source: oauth2.ReuseTokenSource(nil, tokenSource),
+	}
+
+	apiClient, err := createGitHubClient(httpClient, apiEndpoint)
+	if err != nil {
+		return nil, fmt.Errorf("could not create API client: %w", err)
+	}
+
+	return &tokenConnector{
+		apiClient:          apiClient,
+		token:              token,
+		isGitHubEnterprise: !strings.EqualFold(apiEndpoint, cloudEndpoint),
+		handleRateLimit:    handleRateLimit,
+	}, nil
+}
+
+func (c *tokenConnector) APIClient() *github.Client {
+	return c.apiClient
+}
+
+func (c *tokenConnector) Clone(ctx context.Context, repoURL string) (string, *gogit.Repository, error) {
+	if err := c.setUserIfUnset(ctx); err != nil {
+		return "", nil, err
+	}
+	return git.CloneRepoUsingToken(ctx, c.token, repoURL, c.user)
+}
+
+func (c *tokenConnector) IsGithubEnterprise() bool {
+	return c.isGitHubEnterprise
+}
+
+func (c *tokenConnector) getUser(ctx context.Context) (string, error) {
+	var (
+		user *github.User
+		err  error
+	)
+	for {
+		user, _, err = c.apiClient.Users.Get(ctx, "")
+		if c.handleRateLimit(err) {
+			continue
+		}
+		if err != nil {
+			return "", fmt.Errorf("could not get GitHub user: %w", err)
+		}
+		break
+	}
+	return user.GetLogin(), nil
+}
+
+func (c *tokenConnector) setUserIfUnset(ctx context.Context) error {
+	c.userMu.Lock()
+	defer c.userMu.Unlock()
+
+	if c.user != "" {
+		return nil
+	}
+
+	user, err := c.getUser(ctx)
+	if err != nil {
+		return err
+	}
+
+	c.user = user
+	return nil
+}
@@ -0,0 +1,37 @@
+package github
+
+import (
+	"fmt"
+
+	gogit "github.com/go-git/go-git/v5"
+	"github.com/google/go-github/v63/github"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/context"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/sources/git"
+)
+
+type unauthenticatedConnector struct {
+	apiClient *github.Client
+}
+
+var _ connector = (*unauthenticatedConnector)(nil)
+
+func newUnauthenticatedConnector(apiEndpoint string) (*unauthenticatedConnector, error) {
+	const httpTimeoutSeconds = 60
+	httpClient := common.RetryableHTTPClientTimeout(int64(httpTimeoutSeconds))
+	apiClient, err := createGitHubClient(httpClient, apiEndpoint)
+	if err != nil {
+		return nil, fmt.Errorf("could not create API client: %w", err)
+	}
+	return &unauthenticatedConnector{
+		apiClient: apiClient,
+	}, nil
+}
+
+func (c *unauthenticatedConnector) APIClient() *github.Client {
+	return c.apiClient
+}
+
+func (c *unauthenticatedConnector) Clone(ctx context.Context, repoURL string) (string, *gogit.Repository, error) {
+	return git.CloneRepoUsingUnauthenticated(ctx, repoURL)
+}