/*
Copyright 2024 Chainguard, Inc.
SPDX-License-Identifier: Apache-2.0
*/
package octosts
import (
	"context"
	"errors"
	"fmt"
	"io"
	"net/http"
	"os"

	"cloud.google.com/go/compute/metadata"
	"github.com/chainguard-dev/clog"
	"google.golang.org/api/idtoken"

	"chainguard.dev/sdk/sts"
)
// OctoSTSEndpoint is the base URL of the OctoSTS service that Token
// performs its exchange against.
const OctoSTSEndpoint = "https://octo-sts.dev"
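// Token mints a new octo sts token based on the policy for a given repo.
//
// policyName names the OctoSTS policy and is also passed as the identity of
// the exchange; org and repo form the requested scope, "org" when repo is
// empty and "org/repo" otherwise. The returned string is whatever the
// exchange against OctoSTSEndpoint produces.
//
// For local development, if GH_TOKEN or GITHUB_TOKEN is set (checked in that
// order) and the process is not running on GCE, that value is returned as-is
// and no exchange takes place. Every error is wrapped with the step that
// produced it.
func Token(ctx context.Context, policyName, org, repo string) (string, error) {
	// To help enable local development, we allow the use of a GitHub token,
	// but *only when not running on GCE*. The environment is consulted
	// before the GCE probe so an unset variable never triggers the probe.
	for _, name := range []string{"GH_TOKEN", "GITHUB_TOKEN"} {
		if tok := os.Getenv(name); tok != "" && !metadata.OnGCE() {
			clog.Warnf("using %s for token exchange", name)
			return tok, nil
		}
	}

	scope := org
	if repo != "" {
		scope = org + "/" + repo
	}

	xchg := sts.New(
		OctoSTSEndpoint,
		policyName,
		sts.WithScope(scope),
		sts.WithIdentity(policyName),
	)

	// The audience is the bare host of OctoSTSEndpoint.
	ts, err := idtoken.NewTokenSource(ctx, "octo-sts.dev" /* aud */)
	if err != nil {
		return "", fmt.Errorf("creating id token source: %w", err)
	}
	token, err := ts.Token()
	if err != nil {
		return "", fmt.Errorf("fetching id token: %w", err)
	}

	res, err := xchg.Exchange(ctx, token.AccessToken)
	if err != nil {
		return "", fmt.Errorf("exchanging token with %s: %w", OctoSTSEndpoint, err)
	}
	return res, nil
}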
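// Revoke revokes the given security token.
//
// It sends DELETE https://api.github.com/installation/token with tok as the
// bearer credential and treats only 204 No Content as success; any other
// status is returned as an error. The request is bound to ctx, and since
// http.DefaultClient carries no timeout of its own, callers should pass a
// ctx with a deadline. An empty tok is rejected before any request is made.
func Revoke(ctx context.Context, tok string) error {
	if tok == "" {
		return errors.New("revoking token: empty token")
	}

	req, err := http.NewRequestWithContext(ctx, http.MethodDelete, "https://api.github.com/installation/token", nil)
	if err != nil {
		return fmt.Errorf("creating request: %w", err)
	}
	// Set rather than Add so exactly one Authorization value is sent.
	req.Header.Set("Authorization", "Bearer "+tok)

	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return fmt.Errorf("making request: %w", err)
	}
	defer resp.Body.Close()
	// Drain the body so the transport can reuse the connection; the response
	// content is not needed for the success check below.
	_, _ = io.Copy(io.Discard, resp.Body)

	if resp.StatusCode != http.StatusNoContent {
		return fmt.Errorf("unexpected status code: %d", resp.StatusCode)
	}

	// The token was revoked!
	return nil
}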