2020-03-07 13:08:03 +01:00
|
|
|
// Copyright 2015 The go-github AUTHORS. All rights reserved.
|
|
|
|
//
|
|
|
|
// Use of this source code is governed by a BSD-style
|
|
|
|
// license that can be found in the LICENSE file.
|
|
|
|
|
|
|
|
package github
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"fmt"
|
|
|
|
)
|
|
|
|
|
|
|
|
// Scope models a GitHub authorization scope.
|
|
|
|
//
|
|
|
|
// GitHub API docs: https://developer.github.com/v3/oauth/#scopes
|
|
|
|
type Scope string
|
|
|
|
|
|
|
|
// This is the set of scopes for GitHub API V3
|
|
|
|
const (
|
|
|
|
ScopeNone Scope = "(no scope)" // REVISIT: is this actually returned, or just a documentation artifact?
|
|
|
|
ScopeUser Scope = "user"
|
|
|
|
ScopeUserEmail Scope = "user:email"
|
|
|
|
ScopeUserFollow Scope = "user:follow"
|
|
|
|
ScopePublicRepo Scope = "public_repo"
|
|
|
|
ScopeRepo Scope = "repo"
|
|
|
|
ScopeRepoDeployment Scope = "repo_deployment"
|
|
|
|
ScopeRepoStatus Scope = "repo:status"
|
|
|
|
ScopeDeleteRepo Scope = "delete_repo"
|
|
|
|
ScopeNotifications Scope = "notifications"
|
|
|
|
ScopeGist Scope = "gist"
|
|
|
|
ScopeReadRepoHook Scope = "read:repo_hook"
|
|
|
|
ScopeWriteRepoHook Scope = "write:repo_hook"
|
|
|
|
ScopeAdminRepoHook Scope = "admin:repo_hook"
|
|
|
|
ScopeAdminOrgHook Scope = "admin:org_hook"
|
|
|
|
ScopeReadOrg Scope = "read:org"
|
|
|
|
ScopeWriteOrg Scope = "write:org"
|
|
|
|
ScopeAdminOrg Scope = "admin:org"
|
|
|
|
ScopeReadPublicKey Scope = "read:public_key"
|
|
|
|
ScopeWritePublicKey Scope = "write:public_key"
|
|
|
|
ScopeAdminPublicKey Scope = "admin:public_key"
|
|
|
|
ScopeReadGPGKey Scope = "read:gpg_key"
|
|
|
|
ScopeWriteGPGKey Scope = "write:gpg_key"
|
|
|
|
ScopeAdminGPGKey Scope = "admin:gpg_key"
|
2020-09-24 10:13:52 +01:00
|
|
|
ScopeSecurityEvents Scope = "security_events"
|
2020-03-07 13:08:03 +01:00
|
|
|
)
|
|
|
|
|
|
|
|
// AuthorizationsService handles communication with the authorization related
|
|
|
|
// methods of the GitHub API.
|
|
|
|
//
|
|
|
|
// This service requires HTTP Basic Authentication; it cannot be accessed using
|
|
|
|
// an OAuth token.
|
|
|
|
//
|
|
|
|
// GitHub API docs: https://developer.github.com/v3/oauth_authorizations/
|
|
|
|
type AuthorizationsService service
|
|
|
|
|
|
|
|
// Authorization represents an individual GitHub authorization.
|
|
|
|
type Authorization struct {
|
|
|
|
ID *int64 `json:"id,omitempty"`
|
|
|
|
URL *string `json:"url,omitempty"`
|
|
|
|
Scopes []Scope `json:"scopes,omitempty"`
|
|
|
|
Token *string `json:"token,omitempty"`
|
|
|
|
TokenLastEight *string `json:"token_last_eight,omitempty"`
|
|
|
|
HashedToken *string `json:"hashed_token,omitempty"`
|
|
|
|
App *AuthorizationApp `json:"app,omitempty"`
|
|
|
|
Note *string `json:"note,omitempty"`
|
|
|
|
NoteURL *string `json:"note_url,omitempty"`
|
|
|
|
UpdatedAt *Timestamp `json:"updated_at,omitempty"`
|
|
|
|
CreatedAt *Timestamp `json:"created_at,omitempty"`
|
|
|
|
Fingerprint *string `json:"fingerprint,omitempty"`
|
|
|
|
|
|
|
|
// User is only populated by the Check and Reset methods.
|
|
|
|
User *User `json:"user,omitempty"`
|
|
|
|
}
|
|
|
|
|
|
|
|
func (a Authorization) String() string {
|
|
|
|
return Stringify(a)
|
|
|
|
}
|
|
|
|
|
|
|
|
// AuthorizationApp represents an individual GitHub app (in the context of authorization).
|
|
|
|
type AuthorizationApp struct {
|
|
|
|
URL *string `json:"url,omitempty"`
|
|
|
|
Name *string `json:"name,omitempty"`
|
|
|
|
ClientID *string `json:"client_id,omitempty"`
|
|
|
|
}
|
|
|
|
|
|
|
|
func (a AuthorizationApp) String() string {
|
|
|
|
return Stringify(a)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Grant represents an OAuth application that has been granted access to an account.
|
|
|
|
type Grant struct {
|
|
|
|
ID *int64 `json:"id,omitempty"`
|
|
|
|
URL *string `json:"url,omitempty"`
|
|
|
|
App *AuthorizationApp `json:"app,omitempty"`
|
|
|
|
CreatedAt *Timestamp `json:"created_at,omitempty"`
|
|
|
|
UpdatedAt *Timestamp `json:"updated_at,omitempty"`
|
|
|
|
Scopes []string `json:"scopes,omitempty"`
|
|
|
|
}
|
|
|
|
|
|
|
|
func (g Grant) String() string {
|
|
|
|
return Stringify(g)
|
|
|
|
}
|
|
|
|
|
|
|
|
// AuthorizationRequest represents a request to create an authorization.
|
|
|
|
type AuthorizationRequest struct {
|
|
|
|
Scopes []Scope `json:"scopes,omitempty"`
|
|
|
|
Note *string `json:"note,omitempty"`
|
|
|
|
NoteURL *string `json:"note_url,omitempty"`
|
|
|
|
ClientID *string `json:"client_id,omitempty"`
|
|
|
|
ClientSecret *string `json:"client_secret,omitempty"`
|
|
|
|
Fingerprint *string `json:"fingerprint,omitempty"`
|
|
|
|
}
|
|
|
|
|
|
|
|
func (a AuthorizationRequest) String() string {
|
|
|
|
return Stringify(a)
|
|
|
|
}
|
|
|
|
|
|
|
|
// AuthorizationUpdateRequest represents a request to update an authorization.
|
|
|
|
//
|
|
|
|
// Note that for any one update, you must only provide one of the "scopes"
|
|
|
|
// fields. That is, you may provide only one of "Scopes", or "AddScopes", or
|
|
|
|
// "RemoveScopes".
|
|
|
|
//
|
|
|
|
// GitHub API docs: https://developer.github.com/v3/oauth_authorizations/#update-an-existing-authorization
|
|
|
|
type AuthorizationUpdateRequest struct {
|
|
|
|
Scopes []string `json:"scopes,omitempty"`
|
|
|
|
AddScopes []string `json:"add_scopes,omitempty"`
|
|
|
|
RemoveScopes []string `json:"remove_scopes,omitempty"`
|
|
|
|
Note *string `json:"note,omitempty"`
|
|
|
|
NoteURL *string `json:"note_url,omitempty"`
|
|
|
|
Fingerprint *string `json:"fingerprint,omitempty"`
|
|
|
|
}
|
|
|
|
|
|
|
|
func (a AuthorizationUpdateRequest) String() string {
|
|
|
|
return Stringify(a)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check if an OAuth token is valid for a specific app.
|
|
|
|
//
|
|
|
|
// Note that this operation requires the use of BasicAuth, but where the
|
|
|
|
// username is the OAuth application clientID, and the password is its
|
|
|
|
// clientSecret. Invalid tokens will return a 404 Not Found.
|
|
|
|
//
|
|
|
|
// The returned Authorization.User field will be populated.
|
|
|
|
//
|
2020-09-24 10:13:52 +01:00
|
|
|
// GitHub API docs: https://developer.github.com/v3/apps/oauth_applications/#check-a-token
|
|
|
|
func (s *AuthorizationsService) Check(ctx context.Context, clientID, accessToken string) (*Authorization, *Response, error) {
|
|
|
|
u := fmt.Sprintf("applications/%v/token", clientID)
|
|
|
|
|
|
|
|
reqBody := &struct {
|
|
|
|
AccessToken string `json:"access_token"`
|
|
|
|
}{AccessToken: accessToken}
|
2020-03-07 13:08:03 +01:00
|
|
|
|
2020-09-24 10:13:52 +01:00
|
|
|
req, err := s.client.NewRequest("POST", u, reqBody)
|
2020-03-07 13:08:03 +01:00
|
|
|
if err != nil {
|
|
|
|
return nil, nil, err
|
|
|
|
}
|
2020-09-24 10:13:52 +01:00
|
|
|
req.Header.Set("Accept", mediaTypeOAuthAppPreview)
|
2020-03-07 13:08:03 +01:00
|
|
|
|
|
|
|
a := new(Authorization)
|
|
|
|
resp, err := s.client.Do(ctx, req, a)
|
|
|
|
if err != nil {
|
|
|
|
return nil, resp, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return a, resp, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Reset is used to reset a valid OAuth token without end user involvement.
|
|
|
|
// Applications must save the "token" property in the response, because changes
|
|
|
|
// take effect immediately.
|
|
|
|
//
|
|
|
|
// Note that this operation requires the use of BasicAuth, but where the
|
|
|
|
// username is the OAuth application clientID, and the password is its
|
|
|
|
// clientSecret. Invalid tokens will return a 404 Not Found.
|
|
|
|
//
|
|
|
|
// The returned Authorization.User field will be populated.
|
|
|
|
//
|
2020-09-24 10:13:52 +01:00
|
|
|
// GitHub API docs: https://developer.github.com/v3/apps/oauth_applications/#reset-a-token
|
|
|
|
func (s *AuthorizationsService) Reset(ctx context.Context, clientID, accessToken string) (*Authorization, *Response, error) {
|
|
|
|
u := fmt.Sprintf("applications/%v/token", clientID)
|
|
|
|
|
|
|
|
reqBody := &struct {
|
|
|
|
AccessToken string `json:"access_token"`
|
|
|
|
}{AccessToken: accessToken}
|
2020-03-07 13:08:03 +01:00
|
|
|
|
2020-09-24 10:13:52 +01:00
|
|
|
req, err := s.client.NewRequest("PATCH", u, reqBody)
|
2020-03-07 13:08:03 +01:00
|
|
|
if err != nil {
|
|
|
|
return nil, nil, err
|
|
|
|
}
|
2020-09-24 10:13:52 +01:00
|
|
|
req.Header.Set("Accept", mediaTypeOAuthAppPreview)
|
2020-03-07 13:08:03 +01:00
|
|
|
|
|
|
|
a := new(Authorization)
|
|
|
|
resp, err := s.client.Do(ctx, req, a)
|
|
|
|
if err != nil {
|
|
|
|
return nil, resp, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return a, resp, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Revoke an authorization for an application.
|
|
|
|
//
|
|
|
|
// Note that this operation requires the use of BasicAuth, but where the
|
|
|
|
// username is the OAuth application clientID, and the password is its
|
|
|
|
// clientSecret. Invalid tokens will return a 404 Not Found.
|
|
|
|
//
|
2020-09-24 10:13:52 +01:00
|
|
|
// GitHub API docs: https://developer.github.com/v3/apps/oauth_applications/#delete-an-app-token
|
|
|
|
func (s *AuthorizationsService) Revoke(ctx context.Context, clientID, accessToken string) (*Response, error) {
|
|
|
|
u := fmt.Sprintf("applications/%v/token", clientID)
|
2020-03-07 13:08:03 +01:00
|
|
|
|
2020-09-24 10:13:52 +01:00
|
|
|
reqBody := &struct {
|
|
|
|
AccessToken string `json:"access_token"`
|
|
|
|
}{AccessToken: accessToken}
|
|
|
|
|
|
|
|
req, err := s.client.NewRequest("DELETE", u, reqBody)
|
2020-03-07 13:08:03 +01:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2020-09-24 10:13:52 +01:00
|
|
|
req.Header.Set("Accept", mediaTypeOAuthAppPreview)
|
2020-03-07 13:08:03 +01:00
|
|
|
|
|
|
|
return s.client.Do(ctx, req, nil)
|
|
|
|
}
|
|
|
|
|
|
|
|
// DeleteGrant deletes an OAuth application grant. Deleting an application's
|
|
|
|
// grant will also delete all OAuth tokens associated with the application for
|
|
|
|
// the user.
|
|
|
|
//
|
2020-09-24 10:13:52 +01:00
|
|
|
// GitHub API docs: https://developer.github.com/v3/apps/oauth_applications/#delete-an-app-authorization
|
|
|
|
func (s *AuthorizationsService) DeleteGrant(ctx context.Context, clientID, accessToken string) (*Response, error) {
|
|
|
|
u := fmt.Sprintf("applications/%v/grant", clientID)
|
|
|
|
|
|
|
|
reqBody := &struct {
|
|
|
|
AccessToken string `json:"access_token"`
|
|
|
|
}{AccessToken: accessToken}
|
|
|
|
|
|
|
|
req, err := s.client.NewRequest("DELETE", u, reqBody)
|
2020-03-07 13:08:03 +01:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2020-09-24 10:13:52 +01:00
|
|
|
req.Header.Set("Accept", mediaTypeOAuthAppPreview)
|
2020-03-07 13:08:03 +01:00
|
|
|
|
|
|
|
return s.client.Do(ctx, req, nil)
|
|
|
|
}
|
|
|
|
|
|
|
|
// CreateImpersonation creates an impersonation OAuth token.
|
|
|
|
//
|
|
|
|
// This requires admin permissions. With the returned Authorization.Token
|
|
|
|
// you can e.g. create or delete a user's public SSH key. NOTE: creating a
|
|
|
|
// new token automatically revokes an existing one.
|
|
|
|
//
|
|
|
|
// GitHub API docs: https://developer.github.com/enterprise/v3/enterprise-admin/users/#create-an-impersonation-oauth-token
|
|
|
|
func (s *AuthorizationsService) CreateImpersonation(ctx context.Context, username string, authReq *AuthorizationRequest) (*Authorization, *Response, error) {
|
|
|
|
u := fmt.Sprintf("admin/users/%v/authorizations", username)
|
|
|
|
req, err := s.client.NewRequest("POST", u, authReq)
|
|
|
|
if err != nil {
|
|
|
|
return nil, nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
a := new(Authorization)
|
|
|
|
resp, err := s.client.Do(ctx, req, a)
|
|
|
|
if err != nil {
|
|
|
|
return nil, resp, err
|
|
|
|
}
|
|
|
|
return a, resp, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// DeleteImpersonation deletes an impersonation OAuth token.
|
|
|
|
//
|
|
|
|
// NOTE: there can be only one at a time.
|
|
|
|
//
|
|
|
|
// GitHub API docs: https://developer.github.com/enterprise/v3/enterprise-admin/users/#delete-an-impersonation-oauth-token
|
|
|
|
func (s *AuthorizationsService) DeleteImpersonation(ctx context.Context, username string) (*Response, error) {
|
|
|
|
u := fmt.Sprintf("admin/users/%v/authorizations", username)
|
|
|
|
req, err := s.client.NewRequest("DELETE", u, nil)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return s.client.Do(ctx, req, nil)
|
|
|
|
}
|