Merge pull request #1974 from gitgitgadget/re-architecture-token-handling

Re architecture token handling

Author: dscho

lib/ci-helper.ts

@@ -37,6 +37,7 @@ export class CIHelper {
     protected testing: boolean;
     private gggNotesUpdated: boolean;
     private mail2CommitMapUpdated: boolean;
+    private notesPushToken: string | undefined;
     protected maxCommitsExceptions: string[];
 
     public constructor(workDir: string, skipUpdate?: boolean, gggConfigDir = ".") {
@@ -53,6 +54,13 @@ export class CIHelper {
         this.urlRepo = `${this.urlBase}${this.config.repo.name}/`;
     }
 
+    public setAccessToken(repositoryOwner: string, token: string): void {
+        this.github.setAccessToken(repositoryOwner, token);
+        if (this.config.repo.owner === repositoryOwner) {
+            this.notesPushToken = token;
+        }
+    }
+
     /*
      * Given a commit that was contributed as a patch via GitGitGadget (i.e.
      * a commit with a Message-ID recorded in `refs/notes/gitgitgadget`),
@@ -243,7 +251,7 @@ export class CIHelper {
             }
         }
         if (result) {
-            await this.notes.push(this.urlRepo);
+            await this.pushNotesRef();
         }
         return result;
     }
@@ -408,7 +416,7 @@ export class CIHelper {
         }
 
         if (notesUpdated || optionsUpdated) {
-            await this.notes.push(this.urlRepo);
+            await this.pushNotesRef();
         }
 
         return [notesUpdated, optionsUpdated];
@@ -568,7 +576,7 @@ export class CIHelper {
         };
 
         try {
-            const gitGitGadget = await GitGitGadget.get(this.gggConfigDir, this.workDir);
+            const gitGitGadget = await GitGitGadget.get(this.gggConfigDir, this.workDir, this.notesPushToken);
             if (!gitGitGadget.isUserAllowed(comment.author)) {
                 throw new Error(`User ${comment.author} is not yet permitted to use ${this.config.app.displayName}`);
             }
@@ -774,7 +782,7 @@ export class CIHelper {
             await this.github.addPRComment(prKey, redacted);
         };
 
-        const gitGitGadget = await GitGitGadget.get(this.gggConfigDir, this.workDir);
+        const gitGitGadget = await GitGitGadget.get(this.gggConfigDir, this.workDir, this.notesPushToken);
         if (!pr.hasComments && !gitGitGadget.isUserAllowed(pr.author)) {
             const welcome = (await readFile("res/WELCOME.md")).toString().replace(/\${username}/g, pr.author);
             await this.github.addPRComment(prKey, welcome);
@@ -806,7 +814,7 @@ export class CIHelper {
             this.config.mailrepo.branch,
         );
         if (await mailArchiveGit.processMails(prFilter)) {
-            await this.notes.push(this.urlRepo);
+            await this.pushNotesRef();
             return true;
         }
         return false;
@@ -878,7 +886,7 @@ export class CIHelper {
         if (optionsChanged) {
             console.log(`Changed options:\n${toPrettyJSON(options)}`);
             await this.notes.set("", options, true);
-            await this.notes.push(this.urlRepo);
+            await this.pushNotesRef();
         }
 
         return optionsChanged;
@@ -933,4 +941,8 @@ export class CIHelper {
             this.mail2CommitMapUpdated = true;
         }
     }
+
+    private async pushNotesRef(): Promise<void> {
+        await this.notes.push(this.urlRepo, this.notesPushToken);
+    }
 }

lib/git-notes.ts

@@ -19,10 +19,16 @@ type TemporaryNoteIndex = {
 };
 
 export class GitNotes {
-    public async push(url: string) {
+    public async push(url: string, token: string | undefined = undefined): Promise<void> {
+        const auth = !token
+            ? []
+            : [
+                  "-c",
+                  `http.extraheader=Authorization: Basic ${Buffer.from(`x-access-token:${token}`).toString("base64")}`,
+              ];
         for (const backoff of [50, 500, 2000, 5000, 20000, 0]) {
             try {
-                await git(["push", url, "--", `${this.notesRef}`], {
+                await git([...auth, "push", url, "--", `${this.notesRef}`], {
                     workDir: this.workDir,
                 });
             } catch (e) {

lib/gitgitgadget.ts

@@ -36,7 +36,7 @@ export class GitGitGadget {
         return workDir;
     }
 
-    public static async get(gitGitGadgetDir: string, workDir?: string): Promise<GitGitGadget> {
+    public static async get(gitGitGadgetDir: string, workDir?: string, notesPushToken?: string): Promise<GitGitGadget> {
         if (!workDir) {
             workDir = await this.getWorkDir(gitGitGadgetDir);
         }
@@ -76,6 +76,7 @@ export class GitGitGadget {
             allowedUsers,
             { smtpHost, smtpOpts, smtpPass, smtpUser },
             publishTagsAndNotesToRemote,
+            notesPushToken,
         );
     }
 
@@ -98,13 +99,15 @@ export class GitGitGadget {
     protected readonly smtpOptions: ISMTPOptions;
 
     protected readonly publishTagsAndNotesToRemote: string;
+    private readonly publishToken: string | undefined;
 
     protected constructor(
         notes: GitNotes,
         options: IGitGitGadgetOptions,
         allowedUsers: Set<string>,
         smtpOptions: ISMTPOptions,
         publishTagsAndNotesToRemote: string,
+        publishToken?: string,
     ) {
         if (!notes.workDir) {
             throw new Error("Could not determine Git worktree");
@@ -117,6 +120,7 @@ export class GitGitGadget {
         this.smtpOptions = smtpOptions;
 
         this.publishTagsAndNotesToRemote = publishTagsAndNotesToRemote;
+        this.publishToken = publishToken;
     }
 
     public isUserAllowed(user: string): boolean {
@@ -240,7 +244,7 @@ export class GitGitGadget {
     }
 
     protected async pushNotesRef(): Promise<void> {
-        await this.notes.push(this.publishTagsAndNotesToRemote);
+        await this.notes.push(this.publishTagsAndNotesToRemote, this.publishToken);
 
         // re-read options
         [this.options, this.allowedUsers] = await GitGitGadget.readOptions(this.notes);
@@ -280,6 +284,7 @@ export class GitGitGadget {
             this.publishTagsAndNotesToRemote,
             pr.pullRequestURL,
             new Date(),
+            this.publishToken,
         );
         if (!options.noUpdate) {
             await this.pushNotesRef();

lib/github-glue.ts

@@ -57,6 +57,7 @@ export class GitHubGlue {
     protected authenticated?: string;
     protected owner: string;
     protected repo: string;
+    private tokens: Map<string, string> = new Map();
 
     public constructor(workDir: string, owner: string, repo: string) {
         this.owner = owner;
@@ -472,12 +473,19 @@ export class GitHubGlue {
         }
     }
 
+    public setAccessToken(repositoryOwner: string, token: string): void {
+        this.tokens.set(repositoryOwner, token);
+    }
+
     protected async ensureAuthenticated(repositoryOwner: string): Promise<void> {
         if (repositoryOwner !== this.authenticated) {
-            const infix = repositoryOwner === "gitgitgadget" ? "" : `.${repositoryOwner}`;
-            const tokenKey = `gitgitgadget${infix}.githubToken`;
-            const tokenVar = tokenKey.toUpperCase().replace(/\./, "_");
-            const token = process.env[tokenVar] ? process.env[tokenVar] : await gitConfig(tokenKey);
+            let token = this.tokens.get(repositoryOwner);
+            if (!token) {
+                const infix = repositoryOwner === "gitgitgadget" ? "" : `.${repositoryOwner}`;
+                const tokenKey = `gitgitgadget${infix}.githubToken`;
+                const tokenVar = tokenKey.toUpperCase().replace(/\./, "_");
+                token = process.env[tokenVar] ? process.env[tokenVar] : await gitConfig(tokenKey);
+            }
             if (!token) {
                 throw new Error(`Need a GitHub token for ${repositoryOwner}`);
             }

lib/patch-series.ts

@@ -555,6 +555,7 @@ export class PatchSeries {
         publishTagsAndNotesToRemote?: string,
         pullRequestURL?: string,
         forceDate?: Date,
+        publishToken?: string,
     ): Promise<IPatchSeriesMetadata | undefined> {
         let globalOptions: IGitGitGadgetOptions | undefined;
         if (this.options.dryRun) {
@@ -822,8 +823,20 @@ export class PatchSeries {
             if (this.options.dryRun) {
                 logger.log("Would publish tag");
             } else {
+                const auth = [];
+                if (publishToken) {
+                    auth.push(
+                        "-c",
+                        [
+                            `http.extraheader=Authorization:`,
+                            `Basic`,
+                            Buffer.from(`x-access-token:${publishToken}`).toString("base64"),
+                        ].join(" "),
+                    );
+                }
+
                 logger.log("Publishing tag");
-                await git(["push", publishTagsAndNotesToRemote, `refs/tags/${tagName}`], {
+                await git([...auth, "push", publishTagsAndNotesToRemote, `refs/tags/${tagName}`], {
                     workDir: this.notes.workDir,
                 });
             }

script/misc-helper.ts

@@ -72,27 +72,38 @@ const commandOptions = commander.opts<ICommanderOptions>();
 
     const ci = new CIHelper(await getGitGitWorkDir(), commandOptions.skipUpdate, commandOptions.gitgitgadgetWorkDir);
 
+    const configureNotesPushToken = async (): Promise<void> => {
+        const token = await gitConfig("gitgitgadget.githubToken");
+        if (!token) {
+            throw new Error("No token configured for gitgitgadget.githubToken");
+        }
+        ci.setAccessToken("gitgitgadget", token);
+    };
+
     const argv = commander.args;
     commander = new Command().version("1.0.0");
     commander
         .usage("[options] command")
         .command("update-open-prs")
         .description("Update GitGitGadget's idea of what PRs are open")
         .action(async () => {
+            await configureNotesPushToken();
             const result = await ci.updateOpenPrs();
             console.log(`Updated notes: ${result}`);
         });
     commander
         .command("update-commit-mappings")
         .description("Determine which commits correspond to which open PRs")
         .action(async () => {
+            await configureNotesPushToken();
             const result = await ci.updateCommitMappings();
             console.log(`Updated notes: ${result}`);
         });
     commander
         .command("handle-open-prs")
         .description("Handle open PRs, i.e. look whether they have been integrated into upstream Git")
         .action(async () => {
+            await configureNotesPushToken();
             const options = await ci.getGitGitGadgetOptions();
             if (!options.openPRs) {
                 throw new Error("No open PRs?");
@@ -437,6 +448,7 @@ const commandOptions = commander.opts<ICommanderOptions>();
             "Handle a comment on a Pull Request",
             async (repositoryOwner: string, commentID: string) => {
                 if (repositoryOwner === undefined) repositoryOwner = config.repo.owner;
+                await configureNotesPushToken();
                 await ci.handleComment(repositoryOwner, parseInt(commentID, 10));
             },
             true,
@@ -447,6 +459,7 @@ const commandOptions = commander.opts<ICommanderOptions>();
             "handle-pr-push",
             "Handle a push to a Pull Request",
             async (repositoryOwner: string, prNumber: string) => {
+                await configureNotesPushToken();
                 await ci.handlePush(repositoryOwner, parseInt(prNumber, 10));
             },
             true,
@@ -456,6 +469,7 @@ const commandOptions = commander.opts<ICommanderOptions>();
         .command("handle-new-mails")
         .description("Handle new mails in the mail archive")
         .action(async () => {
+            await configureNotesPushToken();
             const mailArchiveGitDir = await getVar("loreGitDir", commandOptions.gitgitgadgetWorkDir);
 
             if (!mailArchiveGitDir) {