feat: Added support for GitHub Enterprise instances (#10). (#40)

* Added support for GitHub Enterprise instances (implements #10). Co-authored-by: gal-legit <99600389+gal-legit@users.noreply.github.com>
Legit-Labs · Nov 11, 2022 · 361f1f4 · 361f1f4
1 parent cbf7584
commit 361f1f4
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -50,6 +50,14 @@ GITHUB_TOKEN=<your_token> legitify analyze --org org1,org2 --namespaces organiza
 ```
 The above command will test organization and member policies against org1 and org2.
 
+## GitHub Enterprise Support
+You can run legitify against a GitHub Enterprise instance if you set the endpoint URL in the environment variable ``GITHUB_ENDPOINT``:
+
+```sh
+export GITHUB_ENDPOINT="https://github.example.com/"
+GITHUB_TOKEN=<your_token> legitify analyze --org org1,org2 --namespaces organization,member
+```
+
 ## Namespaces
 Namespaces in legitify are resources that are collected and run against the policies.
 Currently, the following namespaces are supported:

diff --git a/cmd/analyze.go b/cmd/analyze.go
@@ -3,13 +3,14 @@ package cmd
 import (
 	"context"
 	"fmt"
-	"github.com/Legit-Labs/legitify/cmd/common_options"
-	"github.com/Legit-Labs/legitify/internal/analyzers/skippers"
-	"github.com/Legit-Labs/legitify/internal/common/types"
 	"log"
 	"os"
 	"strings"
 
+	"github.com/Legit-Labs/legitify/cmd/common_options"
+	"github.com/Legit-Labs/legitify/internal/analyzers/skippers"
+	"github.com/Legit-Labs/legitify/internal/common/types"
+
 	"github.com/Legit-Labs/legitify/internal/opa"
 
 	"github.com/Legit-Labs/legitify/cmd/progressbar"
@@ -186,6 +187,10 @@ func executeAnalyzeCommand(cmd *cobra.Command, _args []string) error {
 		stdErrLog.Printf("Note: to get the OpenSSF scorecard results for the organization repositories use the --scorecard option\n\n")
 	}
 
+	githubEndpoint := viper.GetString(common_options.EnvGitHubEndpoint)
+	if githubEndpoint != "" {
+		stdErrLog.Printf("Using Github Enterprise Endpoint: %s\n\n", githubEndpoint)
+	}
 	githubClient, err := github.NewClient(ctx, analyzeArgs.Token,
 		analyzeArgs.Organizations, len(parsedRepositories) == 0)
 

diff --git a/cmd/common_options/common_options.go b/cmd/common_options/common_options.go
@@ -7,5 +7,6 @@ const (
 )
 
 const (
-	EnvToken = "github_token"
+	EnvToken          = "github_token"
+	EnvGitHubEndpoint = "github_endpoint"
 )
diff --git a/internal/clients/github/client.go b/internal/clients/github/client.go
@@ -9,8 +9,10 @@ import (
 	"strings"
 	"sync"
 
+	"github.com/Legit-Labs/legitify/cmd/common_options"
 	githubcollected "github.com/Legit-Labs/legitify/internal/collected/github"
 	"github.com/Legit-Labs/legitify/internal/common/permissions"
+	"github.com/spf13/viper"
 
 	"github.com/google/go-github/v44/github"
 	gh "github.com/google/go-github/v44/github"
@@ -54,6 +56,16 @@ func IsTokenValid(token string) error {
 	return nil
 }
 
+func getGitHubGraphURL() string {
+	githubEndpoint := viper.GetString(common_options.EnvGitHubEndpoint)
+	if githubEndpoint == "" {
+		return "https://api.github.com/graphql"
+	}
+
+	githubEndpoint = strings.TrimRight(githubEndpoint, "/")
+	return githubEndpoint + "/api/graphql"
+}
+
 func isBadRequest(err error) bool {
 	return err.Error() == "Bad credentials"
 }
@@ -68,11 +80,27 @@ func NewClient(ctx context.Context, token string, org []string, fillCache bool)
 	)
 
 	tc := oauth2.NewClient(ctx, ts)
-	ghClient := gh.NewClient(tc)
+	var ghClient *gh.Client
+	githubEndpoint := viper.GetString(common_options.EnvGitHubEndpoint)
+	if githubEndpoint == "" {
+		ghClient = gh.NewClient(tc)
+	} else {
+		var err error
+		ghClient, err = gh.NewEnterpriseClient(githubEndpoint, githubEndpoint, tc)
+		if err != nil {
+			return nil, err
+		}
+	}
 
 	acceptHeader := experimentalApiAcceptHeader
 	clientWithAcceptHeader := NewClientWithAcceptHeader(tc.Transport, &acceptHeader)
-	graphQLClient := githubv4.NewClient(&clientWithAcceptHeader)
+
+	var graphQLClient *githubv4.Client
+	if githubEndpoint == "" {
+		graphQLClient = githubv4.NewClient(&clientWithAcceptHeader)
+	} else {
+		graphQLClient = githubv4.NewEnterpriseClient(getGitHubGraphURL(), &clientWithAcceptHeader)
+	}
 
 	client := &client{
 		client:        ghClient,
@@ -219,7 +247,7 @@ func (c *client) getRole(orgName string) (permissions.OrganizationRole, error) {
 }
 
 func (c *client) collectTokenScopes() (permissions.TokenScopes, error) {
-	graphQLUrl := "https://api.github.com/graphql"
+	graphQLUrl := getGitHubGraphURL()
 	var buf bytes.Buffer
 	resp, err := c.rawClient.Post(graphQLUrl, "application/json", &buf)
 	if err != nil {