Use externalRepoAuth when getting a remote config

This allows users to specify a different token for retrieving the codeql config from a different repository. Fixes https://github.com/github/advanced-security-field/issues/185
github · Apr 9, 2021 · 534192f · 534192f
1 parent 7f9fb10
commit 534192f
Showing 9 changed files with 194 additions and 19 deletions.
diff --git a/lib/api-client.js b/lib/api-client.js
diff --git a/lib/api-client.js.map b/lib/api-client.js.map
diff --git a/lib/api-client.test.js b/lib/api-client.test.js
diff --git a/lib/api-client.test.js.map b/lib/api-client.test.js.map
diff --git a/lib/config-utils.js b/lib/config-utils.js
diff --git a/lib/config-utils.js.map b/lib/config-utils.js.map
diff --git a/src/api-client.test.ts b/src/api-client.test.ts
@@ -0,0 +1,94 @@
+import * as githubUtils from "@actions/github/lib/utils";
+import test, { ExecutionContext } from "ava";
+import sinon from "sinon";
+
+import { getApiClient } from "./api-client";
+import { setupTests } from "./testing-utils";
+
+setupTests(test);
+
+let githubStub: sinon.SinonStub;
+
+test.beforeEach(() => {
+  githubStub = sinon.stub(githubUtils, "GitHub");
+});
+
+test("Get the client API", async (t) => {
+  doTest(
+    t,
+    {
+      auth: "xyz",
+      externalRepoAuth: "abc",
+      url: "http://hucairz",
+    },
+    undefined,
+    {
+      auth: "token xyz",
+      baseUrl: "http://hucairz/api/v3",
+      userAgent: "CodeQL Action",
+    }
+  );
+});
+
+test("Get the client API external", async (t) => {
+  doTest(
+    t,
+    {
+      auth: "xyz",
+      externalRepoAuth: "abc",
+      url: "http://hucairz",
+    },
+    { allowExternal: true },
+    {
+      auth: "token abc",
+      baseUrl: "http://hucairz/api/v3",
+      userAgent: "CodeQL Action",
+    }
+  );
+});
+
+test("Get the client API external not present", async (t) => {
+  doTest(
+    t,
+    {
+      auth: "xyz",
+      url: "http://hucairz",
+    },
+    { allowExternal: true },
+    {
+      auth: "token xyz",
+      baseUrl: "http://hucairz/api/v3",
+      userAgent: "CodeQL Action",
+    }
+  );
+});
+
+test("Get the client API with github url", async (t) => {
+  doTest(
+    t,
+    {
+      auth: "xyz",
+      url: "https://github.com/some/invalid/url",
+    },
+    undefined,
+    {
+      auth: "token xyz",
+      baseUrl: "https://api.github.com",
+      userAgent: "CodeQL Action",
+    }
+  );
+});
+
+function doTest(
+  t: ExecutionContext<unknown>,
+  clientArgs: any,
+  clientOptions: any,
+  expected: any
+) {
+  getApiClient(clientArgs, clientOptions);
+
+  const firstCallArgs = githubStub.args[0];
+  // log is a function, so we don't need to test for equality of it
+  delete firstCallArgs[0].log;
+  t.deepEqual(firstCallArgs, [expected]);
+}
diff --git a/src/api-client.ts b/src/api-client.ts
@@ -25,14 +25,17 @@ export interface GitHubApiExternalRepoDetails {
 }
 
 export const getApiClient = function (
-  apiDetails: GitHubApiDetails,
-  allowLocalRun = false
+  apiDetails: GitHubApiCombinedDetails,
+  { allowLocalRun = false, allowExternal = false } = {}
 ) {
   if (isLocalRun() && !allowLocalRun) {
     throw new Error("Invalid API call in local run");
   }
+
+  const auth =
+    (allowExternal && apiDetails.externalRepoAuth) || apiDetails.auth;
   return new githubUtils.GitHub(
-    githubUtils.getOctokitOptions(apiDetails.auth, {
+    githubUtils.getOctokitOptions(auth, {
       baseUrl: getApiUrl(apiDetails.url),
       userAgent: "CodeQL Action",
       log: consoleLogLevel({ level: "debug" }),
@@ -63,5 +66,5 @@ export function getActionsApiClient(allowLocalRun = false) {
     url: getRequiredEnvParam("GITHUB_SERVER_URL"),
   };
 
-  return getApiClient(apiDetails, allowLocalRun);
+  return getApiClient(apiDetails, { allowLocalRun });
 }
diff --git a/src/config-utils.ts b/src/config-utils.ts
@@ -601,7 +601,7 @@ async function getLanguagesInRepo(
 ): Promise<Language[]> {
   logger.debug(`GitHub repo ${repository.owner} ${repository.repo}`);
   const response = await api
-    .getApiClient(apiDetails, true)
+    .getApiClient(apiDetails, { allowLocalRun: true })
     .repos.listLanguages({
       owner: repository.owner,
       repo: repository.repo,
@@ -1013,7 +1013,7 @@ function getLocalConfig(configFile: string, checkoutPath: string): UserConfig {
 
 async function getRemoteConfig(
   configFile: string,
-  apiDetails: api.GitHubApiDetails
+  apiDetails: api.GitHubApiCombinedDetails
 ): Promise<UserConfig> {
   // retrieve the various parts of the config location, and ensure they're present
   const format = new RegExp(
@@ -1025,12 +1025,14 @@ async function getRemoteConfig(
     throw new Error(getConfigFileRepoFormatInvalidMessage(configFile));
   }
 
-  const response = await api.getApiClient(apiDetails, true).repos.getContent({
-    owner: pieces.groups.owner,
-    repo: pieces.groups.repo,
-    path: pieces.groups.path,
-    ref: pieces.groups.ref,
-  });
+  const response = await api
+    .getApiClient(apiDetails, { allowLocalRun: true, allowExternal: true })
+    .repos.getContent({
+      owner: pieces.groups.owner,
+      repo: pieces.groups.repo,
+      path: pieces.groups.path,
+      ref: pieces.groups.ref,
+    });
 
   let fileContents: string;
   if ("content" in response.data && response.data.content !== undefined) {