datopian / metastore-lib

🗄️ Library for storing dataset metadata, with versioning support and pluggable backends including GitHub.
https://tech.datopian.com/versioning/
MIT License
10 stars, 1 fork

GitHub: add support for GitHub App installation access tokens #15

Open shevron opened 4 years ago

shevron commented 4 years ago

metastore-lib is likely to be installed as a GitHub App for many users. For this reason, we should probably do better to support GitHub App Installation access tokens out of the box.

This requires supporting a more complex flow than just "give me a token and go", which is good for personal access tokens. This flow is currently not supported by PyGithub, so we need to implement it ourselves and just pass the resulting access token to PyGithub:

Acceptance Criteria

Technical Flow of authenticating as an app

  1. User has to install the app and get a private key as a PEM file
  2. metastore-lib needs an app ID and the PEM key
  3. metastore-lib generates a JWT token as described here: https://docs.github.com/en/developers/apps/authenticating-with-github-apps#authenticating-as-a-github-app
  4. metastore-lib uses said JWT token to obtain an installation access token as described here: https://docs.github.com/en/developers/apps/authenticating-with-github-apps#authenticating-as-an-installation
  5. Once auth token is obtained it can be used with PyGithub
  6. Cache the access token for up to 1 hour (the exp time should be provided with the token; it would be wise to take a minute of grace to allow for clock drift etc.)
  7. Once the token is expired / not available, go back to step 3
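The following is an added example of steps 3 to 7 above in Python; it is not metastore-lib's code and not part of the issue. It assumes the `cryptography` package for the RS256 signature GitHub requires (the HMAC signer is only there so the flow can be exercised offline; GitHub rejects anything but RS256), that the installation token endpoint is `POST /app/installations/{installation_id}/access_tokens` with the JWT as a Bearer token (per the docs linked in the issue), and that the `expires_at` field in the response is an ISO 8601 UTC timestamp. The provider class, function names and the constructed test values are assumptions for illustration. Following GitHub's own guidance, `iat` is backdated by 60 seconds and `exp` is kept at 10 minutes, and the cached installation token is refreshed one minute before its own expiry.

```python
"""GitHub App auth flow: app JWT -> installation access token -> cached reuse.
Added example for this issue, not metastore-lib's implementation."""
import base64
import hashlib
import hmac
import json
import time
import urllib.request
from datetime import datetime, timezone

GITHUB_API = "https://api.github.com"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Rs256Signer:
    """Signs with the App's PEM private key (step 2); this is the algorithm GitHub requires."""
    alg = "RS256"

    def __init__(self, pem: bytes):
        from cryptography.hazmat.primitives import hashes, serialization  # assumed dependency
        from cryptography.hazmat.primitives.asymmetric import padding
        self._key = serialization.load_pem_private_key(pem, password=None)
        self._padding, self._hash = padding.PKCS1v15(), hashes.SHA256()

    def sign(self, data: bytes) -> bytes:
        return self._key.sign(data, self._padding, self._hash)

    def verify(self, data: bytes, sig: bytes) -> bool:
        from cryptography.exceptions import InvalidSignature
        try:
            self._key.public_key().verify(sig, data, self._padding, self._hash)
            return True
        except InvalidSignature:
            return False


class Hs256Signer:
    """HMAC signer for offline tests only: GitHub will not accept an HS256 app JWT."""
    alg = "HS256"

    def __init__(self, secret: bytes):
        self._secret = secret

    def sign(self, data: bytes) -> bytes:
        return hmac.new(self._secret, data, hashlib.sha256).digest()

    def verify(self, data: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(data), sig)


def build_app_jwt(app_id, signer, now=None, lifetime=600, backdate=60):
    """Step 3: iss = app id, iat backdated for clock drift, exp at most 10 minutes out (GitHub's maximum)."""
    now = int(time.time() if now is None else now)
    header = {"alg": signer.alg, "typ": "JWT"}
    claims = {"iat": now - backdate, "exp": now + lifetime, "iss": str(app_id)}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    ).encode("ascii")
    return signing_input.decode("ascii") + "." + _b64url(signer.sign(signing_input))


def decode_jwt(token, signer):
    """Check the signature with the matching signer and return (header, claims); raises on a bad signature."""
    head_b64, claims_b64, sig_b64 = token.split(".")
    if not signer.verify(f"{head_b64}.{claims_b64}".encode("ascii"), _b64url_decode(sig_b64)):
        raise ValueError("JWT signature does not verify")
    return json.loads(_b64url_decode(head_b64)), json.loads(_b64url_decode(claims_b64))


def _parse_github_timestamp(value: str) -> float:
    """expires_at comes back as e.g. 2016-07-11T22:14:10Z; convert to epoch seconds."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def _urllib_post(url, headers):
    req = urllib.request.Request(url, data=b"", headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def exchange_for_installation_token(app_jwt, installation_id, http_post=_urllib_post):
    """Step 4: POST /app/installations/{id}/access_tokens with the app JWT as a Bearer token."""
    url = f"{GITHUB_API}/app/installations/{installation_id}/access_tokens"
    headers = {"Authorization": f"Bearer {app_jwt}", "Accept": "application/vnd.github+json"}
    body = http_post(url, headers)
    return body["token"], _parse_github_timestamp(body["expires_at"])


class InstallationTokenProvider:
    """Steps 5-7: hand out a cached installation token, re-running steps 3-4 `grace` seconds before it expires.
    Hypothetical helper: pass get_token() to PyGithub, e.g. github.Github(provider.get_token())."""

    def __init__(self, app_id, installation_id, signer, http_post=_urllib_post, grace=60, clock=time.time):
        self._app_id, self._installation_id, self._signer = app_id, installation_id, signer
        self._http_post, self._grace, self._clock = http_post, grace, clock
        self._token, self._expires_at, self.refreshes = None, 0.0, 0

    def get_token(self) -> str:
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._grace:
            app_jwt = build_app_jwt(self._app_id, self._signer, now=now)
            self._token, self._expires_at = exchange_for_installation_token(
                app_jwt, self._installation_id, self._http_post)
            self.refreshes += 1
        return self._token
```

Because PyGithub is handed a plain string, a long-lived `Github` object will keep using a token that has since expired; callers should re-create the client from `get_token()` (or wrap calls so a 401 triggers a refresh) rather than hold one instance for more than an hour. Note that the JWT's `exp` is the signing key's exposure window and the installation token's `expires_at` is the cache window; the two are independent and the grace period applies to the latter.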
shevron commented 4 years ago

Note that this issue exists for PyGithub: https://github.com/PyGithub/PyGithub/issues/828. It even has an open pull request, but this seems to focus on OAuth apps, which is not what we need, and does not seem to handle GitHub Apps that are not OAuth based (OAuth apps are good for an app authenticating as a GitHub user rather than as an app that has access to an org/repo).