Support Github App

PlaytikaOSS · Jan 29, 2023 · bcb9567 · bcb9567
1 parent c3cb92e
commit bcb9567
Show file tree

Hide file tree

Showing 8 changed files with 60 additions and 1 deletion.
diff --git a/.env.example b/.env.example
@@ -114,6 +114,12 @@ ELK_VERSION=7.17.4
 # GITHUB_ACCESS_TOKEN=xxxxxxxxxxxxxxx
 GITHUB_ACCESS_TOKEN=[GITHUB_ACCESS_TOKEN]
 
+# Using Github App
+#GITHUB_USE_APP=True
+#GITHUB_APP_ID=xxxxx
+#GITHUB_INSTALLATION_ID=xxxxx
+#GITHUB_APP_PRIVATE_KEY_PATH=/app/private-key.pem
+
 ES_INDEXING_ENABLED=1
 ES_HOST=elasticsearch
 ES_PORT=9200

diff --git a/.gitignore b/.gitignore
@@ -6,3 +6,4 @@ docker-compose.override.yml
 venv
 __pycache__
 *.sqlite
+leaktopus_backend/private-key.pem
diff --git a/README.md b/README.md
@@ -78,6 +78,24 @@ Based on the **Code C.A.I.N** framework:
   - The UI should be available at http://{LEAKTOPUS_HOST}:8080
 
 
+### Using Github App
+In addition to the basic personal access token option, Leaktopus supports Github App authentication.
+Using Github App is recommended due to the increased rate limits.
+
+1. To use Github App authentication, you need to create a Github App and install it on your organization/account.
+  See [Github's documentation](https://docs.github.com/en/developers/apps/creating-a-github-app) for more details.
+
+1. After creating the app, you need to set the following environment variables:
+    - `GITHUB_USE_APP=True`
+    - `GITHUB_APP_ID`
+    - `GITHUB_INSTALLATION_ID` - The installation id can be found in [your app installation](https://stackoverflow.com/a/74474953/533842).
+    - `GITHUB_APP_PRIVATE_KEY_PATH` (defaults to `/app/private-key.pem`)
+
+1. Mount the private key file to the container (see `docker-compose.yml` for an example).
+  `./leaktopus_backend/private-key.pem:/app/private-key.pem`
+
+_* Note that `GITHUB_ACCESS_TOKEN` will be ignored if `GITHUB_USE_APP` is set to `True`._
+
 ## Updating Leaktopus
 If you wish to update your Leaktopus version (pulling a newer version), just follow the next steps.
 

diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
@@ -16,6 +16,7 @@ x-app: &default-app
   volumes:
     - "./leaktopus_backend/db/:/db"
     - "./leaktopus_backend/:/app"
+#    - "./leaktopus_backend/private-key.pem:/app/private-key.pem"
 
 services:
   redis:

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -15,6 +15,7 @@ x-app: &default-app
   tty: true
   volumes:
     - "db:/db"
+#    - "./leaktopus_backend/private-key.pem:/app/private-key.pem"
 
 services:
   redis:

diff --git a/leaktopus_backend/config/settings.py b/leaktopus_backend/config/settings.py
@@ -93,6 +93,12 @@
 # Redis.
 REDIS_URL = os.getenv("REDIS_URL", "redis://localhost:6379/0")
 
+# Github.
+GITHUB_USE_APP = os.getenv("GITHUB_USE_APP", False)
+GITHUB_APP_ID = os.getenv("GITHUB_APP_ID", None)
+GITHUB_APP_PRIVATE_KEY_PATH = os.getenv("GITHUB_APP_PRIVATE_KEY_PATH", "/app/private-key.pem")
+GITHUB_INSTALLATION_ID = os.getenv("GITHUB_INSTALLATION_ID", None)
+
 # Celery.
 CELERY_CONFIG = {
     "broker_url": REDIS_URL,

diff --git a/leaktopus_backend/leaktopus/common/scanner_async.py b/leaktopus_backend/leaktopus/common/scanner_async.py
@@ -4,6 +4,7 @@
 from flask import current_app
 from github import (
     Github,
+    GithubIntegration,
     RateLimitExceededException,
     BadCredentialsException,
     GithubException,
@@ -180,13 +181,37 @@ def github_get_num_of_pages(results):
     return num_of_pages
 
 
+def get_github_connection():
+    if current_app.config["GITHUB_USE_APP"]:
+        logger.info("Using GitHub App for authentication.")
+        private_key_path = current_app.config["GITHUB_APP_PRIVATE_KEY_PATH"]
+        app_id = current_app.config["GITHUB_APP_ID"]
+
+        # Read the app certificate
+        with open(private_key_path, 'r') as cert_file:
+            app_key = cert_file.read()
+
+        # Create an GitHub integration instance
+        git_integration = GithubIntegration(
+            app_id,
+            app_key
+        )
+
+        return Github(
+            login_or_token=git_integration.get_access_token(current_app.config["GITHUB_INSTALLATION_ID"]).token
+        )
+    else:
+        logger.info("Using GitHub Personal Access Token for authentication.")
+        return github_authenticate()
+
+
 @shared_task(bind=True, max_retries=200)
 def github_preprocessor(self, search_query, scan_id):
     from leaktopus.exceptions.scans import ScanHasNoResults
 
     # Authenticates to Github, get results object, get number of pages the object has
     try:
-        g = github_authenticate()
+        g = get_github_connection()
         if not g:
             return None
 

diff --git a/leaktopus_backend/requirements.txt b/leaktopus_backend/requirements.txt
@@ -28,6 +28,7 @@ elasticsearch==7.17.4
 GitPython
 truffleHog==2.2.1
 pyjwt>=2.4.0 # not directly required, pinned to avoid a vulnerability
+cryptography==39
 
 # Documentation libs
 flasgger==0.9.5