Add support for bearer token to GithubRepositoryProvider

This commit adds the ability to use the GITHUB_TOKEN env variable to authenticate the access to GitHub repository. The env variable is used when no creds are found in the scm file. Signed-off-by: Paolo Di Tommaso <[email protected]>
nextflow-io · Dec 30, 2022 · c4d3938 · c4d3938
1 parent 6f3ed6e
commit c4d3938
Show file tree

Hide file tree

Showing 6 changed files with 84 additions and 3 deletions.
diff --git a/modules/nextflow/src/main/groovy/nextflow/scm/GithubRepositoryProvider.groovy b/modules/nextflow/src/main/groovy/nextflow/scm/GithubRepositoryProvider.groovy
@@ -20,14 +20,17 @@ package nextflow.scm
 import groovy.transform.CompileDynamic
 import groovy.transform.CompileStatic
 import groovy.transform.Memoized
+import groovy.util.logging.Slf4j
+import nextflow.SysEnv
 
 /**
  * Implements a repository provider for GitHub service
  *
  * @author Paolo Di Tommaso <[email protected]>
  */
+@Slf4j
 @CompileStatic
-final class GithubRepositoryProvider extends RepositoryProvider {
+class GithubRepositoryProvider extends RepositoryProvider {
 
     GithubRepositoryProvider(String project, ProviderConfig config=null) {
         this.project = project
@@ -44,6 +47,21 @@ final class GithubRepositoryProvider extends RepositoryProvider {
         return "${config.endpoint}/repos/${project}"
     }
 
+    @Override
+    boolean hasCredentials() {
+        super.hasCredentials() ?: SysEnv.containsKey('GITHUB_TOKEN')
+    }
+
+    @Override
+    String getUser() {
+        super.getUser() ?: SysEnv.get('GITHUB_TOKEN')
+    }
+
+    @Override
+    String getPassword() {
+        super.getPassword() ?: (SysEnv.containsKey('GITHUB_TOKEN') ? 'x-oauth-basic' : null)
+    }
+
     /** {@inheritDoc} */
     @Override
     String getContentUrl( String path ) {

diff --git a/modules/nextflow/src/main/groovy/nextflow/scm/ProviderConfig.groovy b/modules/nextflow/src/main/groovy/nextflow/scm/ProviderConfig.groovy
@@ -176,6 +176,7 @@ class ProviderConfig {
         return result ? result.toString() : null
     }
 
+    @Deprecated
     @PackageScope
     String getAuthObfuscated() {
         "${user ?: '-'}:${password? '*' * password.size() : '-'}"

diff --git a/modules/nextflow/src/main/groovy/nextflow/scm/RepositoryProvider.groovy b/modules/nextflow/src/main/groovy/nextflow/scm/RepositoryProvider.groovy
@@ -17,6 +17,7 @@
 
 package nextflow.scm
 
+import static nextflow.util.StringUtils.*
 
 import groovy.json.JsonSlurper
 import groovy.transform.Canonical
@@ -171,7 +172,7 @@ abstract class RepositoryProvider {
     protected String invoke( String api ) {
         assert api
 
-        log.debug "Request [credentials ${config.getAuthObfuscated() ?: '-'}] -> $api"
+        log.debug "Request [credentials ${getAuthObfuscated() ?: '-'}] -> $api"
         def connection = new URL(api).openConnection() as URLConnection
         connection.setConnectTimeout(5_000)
 
@@ -192,6 +193,12 @@ abstract class RepositoryProvider {
         }
     }
 
+    protected String getAuthObfuscated() {
+        final usr = getUser()
+        final pwd = getPassword()
+        return "${usr ? redact(usr) : '-'}:${pwd ? redact(pwd) : '-'}"
+    }
+
     /**
      * Sets the authentication credential on the connection object
      *

diff --git a/modules/nextflow/src/test/groovy/nextflow/scm/GithubRepositoryProviderTest.groovy b/modules/nextflow/src/test/groovy/nextflow/scm/GithubRepositoryProviderTest.groovy
@@ -17,6 +17,7 @@
 
 package nextflow.scm
 
+import nextflow.SysEnv
 import spock.lang.IgnoreIf
 import spock.lang.Requires
 import spock.lang.Specification
@@ -85,5 +86,40 @@ class GithubRepositoryProviderTest extends Specification {
                 .getContentUrl('main.nf') == 'https://github.com/repos/pditommaso/hello/contents/main.nf?ref=the-commit-id'
 
     }
+
+    def 'should user github token as creds' () {
+        given:
+        SysEnv.push(['GITHUB_TOKEN': '1234567890'])
+        and:
+        def provider = Spy(new GithubRepositoryProvider('foo/bar'))
+
+        expect:
+        provider.getUser() == '1234567890'
+        provider.getPassword() == 'x-oauth-basic'
+
+        when:
+        SysEnv.get().remove('GITHUB_TOKEN')
+        then:
+        provider.getUser() >> null
+        provider.getPassword() >> null
+
+        cleanup:
+        SysEnv.pop()
+    }
+
+    def 'should user from config' () {
+        given:
+        SysEnv.push(['GITHUB_TOKEN': '1234567890'])
+        and:
+        def config = new ProviderConfig('github', [user: 'this', password: 'that'])
+        def provider = Spy(new GithubRepositoryProvider('foo/bar', config))
+
+        expect:
+        provider.getUser() == 'this'
+        provider.getPassword() == 'that'
+
+        cleanup:
+        SysEnv.pop()
+    }
 }
 
diff --git a/modules/nextflow/src/test/groovy/nextflow/scm/RepositoryProviderTest.groovy b/modules/nextflow/src/test/groovy/nextflow/scm/RepositoryProviderTest.groovy
@@ -67,4 +67,23 @@ class RepositoryProviderTest extends Specification {
         1 * config.setPassword('secret1')
 
     }
+
+    def 'should hide creds' () {
+        given:
+        def provider = Spy(RepositoryProvider)
+
+        when:
+        def result = provider.getAuthObfuscated()
+        then:
+        result == '-:-'
+
+        when:
+        result = provider.getAuthObfuscated()
+        then:
+        provider.getUser() >> 'foo123'
+        provider.getPassword() >> 'bar456'
+        and:
+        result == 'foo****:bar****'
+
+    }
 }
diff --git a/modules/nf-commons/src/main/nextflow/plugin/PluginUpdater.groovy b/modules/nf-commons/src/main/nextflow/plugin/PluginUpdater.groovy
@@ -235,7 +235,7 @@ class PluginUpdater extends UpdateManager {
     }
 
     /**
-     * Race condition safe plugin download. Multiple instaces are synchronised
+     * Race condition safe plugin download. Multiple instances are synchronised
      * using a file system lock created in the tmp directory
      *
      * @param id The plugin Id