Merge branch 'main' into ARC-814-reposyncstate-as-source

atlassian · Dec 16, 2021 · 0c76126 · 0c76126
2 parents cd0e9b9 + c00d99b
commit 0c76126
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 8 deletions.
diff --git a/src/config/feature-flags.ts b/src/config/feature-flags.ts
@@ -25,8 +25,8 @@ export enum BooleanFlags {
 	SUPPORT_BRANCH_AND_MERGE_WORKFLOWS_FOR_BUILDS = "support-branch-and-merge-workflows-for-builds",
 	USE_NEW_GITHUB_CLIENT_FOR_PUSH = "use-new-github-client-for-push",
 	USE_NEW_GITHUB_CLIENT_TO_COUNT_REPOS = "use-new-github-client-to-count-repos",
-	REPO_SYNC_STATE_AS_SOURCE = "repo-sync-state-as-source"
-
+	REPO_SYNC_STATE_AS_SOURCE = "repo-sync-state-as-source",
+	CALL_IS_ADMIN_AS_APP = "call-is-admin-as-app"
 }
 
 export enum StringFlags {

diff --git a/src/frontend/get-github-configuration.ts b/src/frontend/get-github-configuration.ts
@@ -152,8 +152,8 @@ export default async (req: Request, res: Response, next: NextFunction): Promise<
 
 	tracer.trace(`found jira host: ${jiraHost}`);
 
-	const github: GitHubAPI = res.locals.github;
-	const client: GitHubAPI = res.locals.client;
+	const github: GitHubAPI = res.locals.github; // user-authenticated GitHub client
+	const client: GitHubAPI = res.locals.client; // app-authenticated GitHub client
 	const isAdmin = res.locals.isAdmin;
 
 	tracer.trace(`isAdmin: ${isAdmin}`);

diff --git a/src/frontend/github-client-middleware.ts b/src/frontend/github-client-middleware.ts
@@ -3,8 +3,9 @@ import { NextFunction, Request, RequestHandler, Response } from "express";
 import { App } from "@octokit/app";
 import { GitHubAPI } from "probot";
 import Logger from "bunyan";
+import { booleanFlag, BooleanFlags } from "../config/feature-flags";
 
-export default (octokitApp: App): RequestHandler => (req: Request, res: Response, next: NextFunction): void => {
+export default (octokitApp: App): RequestHandler => async (req: Request, res: Response, next: NextFunction): Promise<void> => {
 	if (req.session.githubToken) {
 		res.locals.github = GithubAPI({
 			auth: req.session.githubToken
@@ -16,7 +17,14 @@ export default (octokitApp: App): RequestHandler => (req: Request, res: Response
 	res.locals.client = GithubAPI({
 		auth: octokitApp.getSignedJsonWebToken()
 	});
-	res.locals.isAdmin = isAdmin(res.locals.github, req.log);
+
+	if (res.locals.jiraHost && await booleanFlag(BooleanFlags.CALL_IS_ADMIN_AS_APP, true, res.locals.jiraHost)){
+		req.log.info(`using app-authenticated github client for jira host ${res.locals.jiraHost}`);
+		res.locals.isAdmin = isAdmin(res.locals.client, req.log);
+	} else {
+		req.log.info(`using user-authenticated github client for jira host ${res.locals.jiraHost}`);
+		res.locals.isAdmin = isAdmin(res.locals.github, req.log);
+	}
 
 	next();
 };
@@ -38,11 +46,11 @@ export const isAdmin = (githubClient: GitHubAPI, logger: Logger) =>
 				data: { role }
 			} = await githubClient.orgs.getMembership({ org, username });
 
-			logger.info(`isAdmin: User ${username} has ${role} role`);
+			logger.info(`isAdmin: User ${username} has ${role} role for org ${org}`);
 
 			return role === "admin";
 		} catch (err) {
-			logger.warn({err, org, username}, `${org} has not accepted new permission for getOrgMembership`);
+			logger.warn({ err, org, username }, `could not determine admin status of user ${username} in org ${org}`);
 			return false;
 		}
 	};