Use externalRepoAuth when getting a remote config

This allows users to specify a different token for retrieving the
codeql config from a different repository.

Fixes https://github.com/github/advanced-security-field/issues/185

lib/api-client.js

@@ -20,11 +20,12 @@ var DisallowedAPIVersionReason;
     DisallowedAPIVersionReason[DisallowedAPIVersionReason["ACTION_TOO_OLD"] = 0] = "ACTION_TOO_OLD";
     DisallowedAPIVersionReason[DisallowedAPIVersionReason["ACTION_TOO_NEW"] = 1] = "ACTION_TOO_NEW";
 })(DisallowedAPIVersionReason = exports.DisallowedAPIVersionReason || (exports.DisallowedAPIVersionReason = {}));
-exports.getApiClient = function (apiDetails, allowLocalRun = false) {
+exports.getApiClient = function (apiDetails, { allowLocalRun = false, allowExternal = false } = {}) {
     if (util_1.isLocalRun() && !allowLocalRun) {
         throw new Error("Invalid API call in local run");
     }
-    return new githubUtils.GitHub(githubUtils.getOctokitOptions(apiDetails.auth, {
+    const auth = (allowExternal && apiDetails.externalRepoAuth) || apiDetails.auth;
+    return new githubUtils.GitHub(githubUtils.getOctokitOptions(auth, {
         baseUrl: getApiUrl(apiDetails.url),
         userAgent: "CodeQL Action",
         log: console_log_level_1.default({ level: "debug" }),
@@ -49,7 +50,7 @@ function getActionsApiClient(allowLocalRun = false) {
         auth: actions_util_1.getRequiredInput("token"),
         url: actions_util_1.getRequiredEnvParam("GITHUB_SERVER_URL"),
     };
-    return exports.getApiClient(apiDetails, allowLocalRun);
+    return exports.getApiClient(apiDetails, { allowLocalRun });
 }
 exports.getActionsApiClient = getActionsApiClient;
 //# sourceMappingURL=api-client.js.map

lib/api-client.js.map

@@ -1 +1 @@
-{"version":3,"file":"api-client.js","sourceRoot":"","sources":["../src/api-client.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,2CAA6B;AAE7B,uEAAyD;AACzD,0EAAgD;AAEhD,iDAAuE;AACvE,iCAAoC;AAEpC,IAAY,0BAGX;AAHD,WAAY,0BAA0B;IACpC,+FAAc,CAAA;IACd,+FAAc,CAAA;AAChB,CAAC,EAHW,0BAA0B,GAA1B,kCAA0B,KAA1B,kCAA0B,QAGrC;AAeY,QAAA,YAAY,GAAG,UAC1B,UAA4B,EAC5B,aAAa,GAAG,KAAK;IAErB,IAAI,iBAAU,EAAE,IAAI,CAAC,aAAa,EAAE;QAClC,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;KAClD;IACD,OAAO,IAAI,WAAW,CAAC,MAAM,CAC3B,WAAW,CAAC,iBAAiB,CAAC,UAAU,CAAC,IAAI,EAAE;QAC7C,OAAO,EAAE,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC;QAClC,SAAS,EAAE,eAAe;QAC1B,GAAG,EAAE,2BAAe,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;KACzC,CAAC,CACH,CAAC;AACJ,CAAC,CAAC;AAEF,SAAS,SAAS,CAAC,SAAiB;IAClC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAE/B,uDAAuD;IACvD,0CAA0C;IAC1C,IAAI,GAAG,CAAC,QAAQ,KAAK,YAAY,IAAI,GAAG,CAAC,QAAQ,KAAK,gBAAgB,EAAE;QACtE,OAAO,wBAAwB,CAAC;KACjC;IAED,6BAA6B;IAC7B,GAAG,CAAC,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;IACpD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED,uFAAuF;AACvF,qFAAqF;AACrF,+CAA+C;AAC/C,SAAgB,mBAAmB,CAAC,aAAa,GAAG,KAAK;IACvD,MAAM,UAAU,GAAG;QACjB,IAAI,EAAE,+BAAgB,CAAC,OAAO,CAAC;QAC/B,GAAG,EAAE,kCAAmB,CAAC,mBAAmB,CAAC;KAC9C,CAAC;IAEF,OAAO,oBAAY,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;AACjD,CAAC;AAPD,kDAOC"}
+{"version":3,"file":"api-client.js","sourceRoot":"","sources":["../src/api-client.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,2CAA6B;AAE7B,uEAAyD;AACzD,0EAAgD;AAEhD,iDAAuE;AACvE,iCAAoC;AAEpC,IAAY,0BAGX;AAHD,WAAY,0BAA0B;IACpC,+FAAc,CAAA;IACd,+FAAc,CAAA;AAChB,CAAC,EAHW,0BAA0B,GAA1B,kCAA0B,KAA1B,kCAA0B,QAGrC;AAeY,QAAA,YAAY,GAAG,UAC1B,UAAoC,EACpC,EAAE,aAAa,GAAG,KAAK,EAAE,aAAa,GAAG,KAAK,EAAE,GAAG,EAAE;IAErD,IAAI,iBAAU,EAAE,IAAI,CAAC,aAAa,EAAE;QAClC,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;KAClD;IAED,MAAM,IAAI,GACR,CAAC,aAAa,IAAI,UAAU,CAAC,gBAAgB,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC;IACpE,OAAO,IAAI,WAAW,CAAC,MAAM,CAC3B,WAAW,CAAC,iBAAiB,CAAC,IAAI,EAAE;QAClC,OAAO,EAAE,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC;QAClC,SAAS,EAAE,eAAe;QAC1B,GAAG,EAAE,2BAAe,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;KACzC,CAAC,CACH,CAAC;AACJ,CAAC,CAAC;AAEF,SAAS,SAAS,CAAC,SAAiB;IAClC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAE/B,uDAAuD;IACvD,0CAA0C;IAC1C,IAAI,GAAG,CAAC,QAAQ,KAAK,YAAY,IAAI,GAAG,CAAC,QAAQ,KAAK,gBAAgB,EAAE;QACtE,OAAO,wBAAwB,CAAC;KACjC;IAED,6BAA6B;IAC7B,GAAG,CAAC,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;IACpD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED,uFAAuF;AACvF,qFAAqF;AACrF,+CAA+C;AAC/C,SAAgB,mBAAmB,CAAC,aAAa,GAAG,KAAK;IACvD,MAAM,UAAU,GAAG;QACjB,IAAI,EAAE,+BAAgB,CAAC,OAAO,CAAC;QAC/B,GAAG,EAAE,kCAAmB,CAAC,mBAAmB,CAAC;KAC9C,CAAC;IAEF,OAAO,oBAAY,CAAC,UAAU,EAAE,EAAE,aAAa,EAAE,CAAC,CAAC;AACrD,CAAC;AAPD,kDAOC"}

lib/api-client.test.js

@@ -0,0 +1,72 @@
+"use strict";
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k];
+    result["default"] = mod;
+    return result;
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const githubUtils = __importStar(require("@actions/github/lib/utils"));
+const ava_1 = __importDefault(require("ava"));
+const sinon_1 = __importDefault(require("sinon"));
+const api_client_1 = require("./api-client");
+const testing_utils_1 = require("./testing-utils");
+testing_utils_1.setupTests(ava_1.default);
+let githubStub;
+ava_1.default.beforeEach(() => {
+    githubStub = sinon_1.default.stub(githubUtils, "GitHub");
+});
+ava_1.default("Get the client API", async (t) => {
+    doTest(t, {
+        auth: "xyz",
+        externalRepoAuth: "abc",
+        url: "http://hucairz",
+    }, undefined, {
+        auth: "token xyz",
+        baseUrl: "http://hucairz/api/v3",
+        userAgent: "CodeQL Action",
+    });
+});
+ava_1.default("Get the client API external", async (t) => {
+    doTest(t, {
+        auth: "xyz",
+        externalRepoAuth: "abc",
+        url: "http://hucairz",
+    }, { allowExternal: true }, {
+        auth: "token abc",
+        baseUrl: "http://hucairz/api/v3",
+        userAgent: "CodeQL Action",
+    });
+});
+ava_1.default("Get the client API external not present", async (t) => {
+    doTest(t, {
+        auth: "xyz",
+        url: "http://hucairz",
+    }, { allowExternal: true }, {
+        auth: "token xyz",
+        baseUrl: "http://hucairz/api/v3",
+        userAgent: "CodeQL Action",
+    });
+});
+ava_1.default("Get the client API with github url", async (t) => {
+    doTest(t, {
+        auth: "xyz",
+        url: "https://github.com/some/invalid/url",
+    }, undefined, {
+        auth: "token xyz",
+        baseUrl: "https://api.github.com",
+        userAgent: "CodeQL Action",
+    });
+});
+function doTest(t, clientArgs, clientOptions, expected) {
+    api_client_1.getApiClient(clientArgs, clientOptions);
+    const firstCallArgs = githubStub.args[0];
+    // log is a function, so we don't need to test for equality of it
+    delete firstCallArgs[0].log;
+    t.deepEqual(firstCallArgs, [expected]);
+}
+//# sourceMappingURL=api-client.test.js.map

lib/api-client.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-client.test.js","sourceRoot":"","sources":["../src/api-client.test.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,uEAAyD;AACzD,8CAA6C;AAC7C,kDAA0B;AAE1B,6CAA4C;AAC5C,mDAA6C;AAE7C,0BAAU,CAAC,aAAI,CAAC,CAAC;AAEjB,IAAI,UAA2B,CAAC;AAEhC,aAAI,CAAC,UAAU,CAAC,GAAG,EAAE;IACnB,UAAU,GAAG,eAAK,CAAC,IAAI,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;AACjD,CAAC,CAAC,CAAC;AAEH,aAAI,CAAC,oBAAoB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACrC,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,gBAAgB,EAAE,KAAK;QACvB,GAAG,EAAE,gBAAgB;KACtB,EACD,SAAS,EACT;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,uBAAuB;QAChC,SAAS,EAAE,eAAe;KAC3B,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,aAAI,CAAC,6BAA6B,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC9C,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,gBAAgB,EAAE,KAAK;QACvB,GAAG,EAAE,gBAAgB;KACtB,EACD,EAAE,aAAa,EAAE,IAAI,EAAE,EACvB;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,uBAAuB;QAChC,SAAS,EAAE,eAAe;KAC3B,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,aAAI,CAAC,yCAAyC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC1D,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,GAAG,EAAE,gBAAgB;KACtB,EACD,EAAE,aAAa,EAAE,IAAI,EAAE,EACvB;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,uBAAuB;QAChC,SAAS,EAAE,eAAe;KAC3B,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,aAAI,CAAC,oCAAoC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACrD,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,GAAG,EAAE,qCAAqC;KAC3C,EACD,SAAS,EACT;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,wBAAwB;QACjC,SAAS,EAAE,eAAe;KAC3B,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,SAAS,MAAM,CACb,CAA4B,EAC5B,UAAe,EACf,aAAkB,EAClB,QAAa;IAEb,yBAAY,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;IAExC,MAAM,aAAa,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACzC,iEAAiE;IACjE,OAAO,aAAa,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IAC5B,CAAC,CAAC,SAAS,CAAC,aAAa,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC;AACzC,CAAC"}

lib/config-utils.js

@@ -304,7 +304,7 @@ exports.getUnknownLanguagesError = getUnknownLanguagesError;
 async function getLanguagesInRepo(repository, apiDetails, logger) {
     logger.debug(`GitHub repo ${repository.owner} ${repository.repo}`);
     const response = await api
-        .getApiClient(apiDetails, true)
+        .getApiClient(apiDetails, { allowLocalRun: true })
         .repos.listLanguages({
         owner: repository.owner,
         repo: repository.repo,
@@ -556,7 +556,9 @@ async function getRemoteConfig(configFile, apiDetails) {
     if (pieces === null || pieces.groups === undefined || pieces.length < 5) {
         throw new Error(getConfigFileRepoFormatInvalidMessage(configFile));
     }
-    const response = await api.getApiClient(apiDetails, true).repos.getContent({
+    const response = await api
+        .getApiClient(apiDetails, { allowLocalRun: true, allowExternal: true })
+        .repos.getContent({
         owner: pieces.groups.owner,
         repo: pieces.groups.repo,
         path: pieces.groups.path,

src/api-client.test.ts

@@ -0,0 +1,94 @@
+import * as githubUtils from "@actions/github/lib/utils";
+import test, { ExecutionContext } from "ava";
+import sinon from "sinon";
+
+import { getApiClient } from "./api-client";
+import { setupTests } from "./testing-utils";
+
+setupTests(test);
+
+let githubStub: sinon.SinonStub;
+
+test.beforeEach(() => {
+  githubStub = sinon.stub(githubUtils, "GitHub");
+});
+
+test("Get the client API", async (t) => {
+  doTest(
+    t,
+    {
+      auth: "xyz",
+      externalRepoAuth: "abc",
+      url: "http://hucairz",
+    },
+    undefined,
+    {
+      auth: "token xyz",
+      baseUrl: "http://hucairz/api/v3",
+      userAgent: "CodeQL Action",
+    }
+  );
+});
+
+test("Get the client API external", async (t) => {
+  doTest(
+    t,
+    {
+      auth: "xyz",
+      externalRepoAuth: "abc",
+      url: "http://hucairz",
+    },
+    { allowExternal: true },
+    {
+      auth: "token abc",
+      baseUrl: "http://hucairz/api/v3",
+      userAgent: "CodeQL Action",
+    }
+  );
+});
+
+test("Get the client API external not present", async (t) => {
+  doTest(
+    t,
+    {
+      auth: "xyz",
+      url: "http://hucairz",
+    },
+    { allowExternal: true },
+    {
+      auth: "token xyz",
+      baseUrl: "http://hucairz/api/v3",
+      userAgent: "CodeQL Action",
+    }
+  );
+});
+
+test("Get the client API with github url", async (t) => {
+  doTest(
+    t,
+    {
+      auth: "xyz",
+      url: "https://github.com/some/invalid/url",
+    },
+    undefined,
+    {
+      auth: "token xyz",
+      baseUrl: "https://api.github.com",
+      userAgent: "CodeQL Action",
+    }
+  );
+});
+
+function doTest(
+  t: ExecutionContext<unknown>,
+  clientArgs: any,
+  clientOptions: any,
+  expected: any
+) {
+  getApiClient(clientArgs, clientOptions);
+
+  const firstCallArgs = githubStub.args[0];
+  // log is a function, so we don't need to test for equality of it
+  delete firstCallArgs[0].log;
+  t.deepEqual(firstCallArgs, [expected]);
+}

src/api-client.ts

@@ -25,14 +25,17 @@ export interface GitHubApiExternalRepoDetails {
 }
 
 export const getApiClient = function (
-  apiDetails: GitHubApiDetails,
-  allowLocalRun = false
+  apiDetails: GitHubApiCombinedDetails,
+  { allowLocalRun = false, allowExternal = false } = {}
 ) {
   if (isLocalRun() && !allowLocalRun) {
     throw new Error("Invalid API call in local run");
   }
+
+  const auth =
+    (allowExternal && apiDetails.externalRepoAuth) || apiDetails.auth;
   return new githubUtils.GitHub(
-    githubUtils.getOctokitOptions(apiDetails.auth, {
+    githubUtils.getOctokitOptions(auth, {
       baseUrl: getApiUrl(apiDetails.url),
       userAgent: "CodeQL Action",
       log: consoleLogLevel({ level: "debug" }),
@@ -63,5 +66,5 @@ export function getActionsApiClient(allowLocalRun = false) {
     url: getRequiredEnvParam("GITHUB_SERVER_URL"),
   };
 
-  return getApiClient(apiDetails, allowLocalRun);
+  return getApiClient(apiDetails, { allowLocalRun });
 }

src/config-utils.ts

@@ -601,7 +601,7 @@ async function getLanguagesInRepo(
 ): Promise<Language[]> {
   logger.debug(`GitHub repo ${repository.owner} ${repository.repo}`);
   const response = await api
-    .getApiClient(apiDetails, true)
+    .getApiClient(apiDetails, { allowLocalRun: true })
     .repos.listLanguages({
       owner: repository.owner,
       repo: repository.repo,
@@ -1013,7 +1013,7 @@ function getLocalConfig(configFile: string, checkoutPath: string): UserConfig {
 
 async function getRemoteConfig(
   configFile: string,
-  apiDetails: api.GitHubApiDetails
+  apiDetails: api.GitHubApiCombinedDetails
 ): Promise<UserConfig> {
   // retrieve the various parts of the config location, and ensure they're present
   const format = new RegExp(
@@ -1025,12 +1025,14 @@ async function getRemoteConfig(
     throw new Error(getConfigFileRepoFormatInvalidMessage(configFile));
   }
 
-  const response = await api.getApiClient(apiDetails, true).repos.getContent({
-    owner: pieces.groups.owner,
-    repo: pieces.groups.repo,
-    path: pieces.groups.path,
-    ref: pieces.groups.ref,
-  });
+  const response = await api
+    .getApiClient(apiDetails, { allowLocalRun: true, allowExternal: true })
+    .repos.getContent({
+      owner: pieces.groups.owner,
+      repo: pieces.groups.repo,
+      path: pieces.groups.path,
+      ref: pieces.groups.ref,
+    });
 
   let fileContents: string;
   if ("content" in response.data && response.data.content !== undefined) {