From 66e6caad6930d5bf389b9d84b88a3d213afa32b5 Mon Sep 17 00:00:00 2001 From: gomez385 Date: Mon, 30 Sep 2024 20:59:17 -0400 Subject: [PATCH] first test --- .github/workflows/terraform_plan.yaml | 13 +++-- data.tf | 2 - encode_jwt.py | 80 +++++++++++++++++++++++++++ versions.tf | 2 +- 4 files changed, 90 insertions(+), 7 deletions(-) create mode 100644 encode_jwt.py diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index 02841cf..7346d65 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml @@ -16,10 +16,10 @@ jobs: runs-on: [ "229685449397" ] env: -# GITHUB_APP_ID: ${{ vars.GH_APP_ID }} -# GITHUB_APP_INSTALLATION_ID: ${{ vars.GH_APP_INSTALLATION_ID }} -# GITHUB_APP_PEM_FILE: ${{ secrets.GH_APP_PEM_FILE }} - GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} +# GITHUB_APP_ID: ${{ vars.GH_APP_ID }} + GITHUB_APP_INSTALLATION_ID: ${{ vars.GH_APP_INSTALLATION_ID }} + GITHUB_APP_PEM_FILE: ${{ secrets.GH_APP_PEM_FILE }} +# GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} GITHUB_OWNER: CSVD GITHUB_BASE_URL: https://github.e.it.census.gov/ TF_WORKSPACE: ${{ vars.terraform_workspace }} @@ -48,6 +48,11 @@ jobs: echo AWS_SECRET_ACCESS_KEY=`jq -r '.SecretAccessKey' aws_credentials.json` >> $GITHUB_ENV aws configure set aws_session_token `jq -r '.Token' aws_credentials.json` echo AWS_SESSION_TOKEN=`jq -r '.Token' aws_credentials.json` >> $GITHUB_ENV + + - name: Setup GITHUB Credentials + id: github_credentials + run: | + export GITHUB_TOKEN=$(python encode_jwt.py $GITHUB_APP_PEM_FILE $GITHUB_APP_INSTALLATION_ID $GITHUB_BASE_URL) - name: Terraform Init id: init diff --git a/data.tf b/data.tf index 6692404..ff319be 100644 --- a/data.tf +++ b/data.tf @@ -1,3 +1 @@ -data "aws_region" "current" {} - data "github_organization_teams" "teams" {} diff --git a/encode_jwt.py b/encode_jwt.py new file mode 100644 index 0000000..fd640d4 --- /dev/null +++ b/encode_jwt.py 
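Review bot: `GITHUB_APP_PEM_FILE: ${{ secrets.GH_APP_PEM_FILE }}` is added to the job-level `env:`, so the App's private signing key is readable by every step in the job, including any third-party actions, rather than only by the step that signs the JWT; move it to a step-level `env:` on the credential step and keep only the derived installation token job-wide. `GITHUB_APP_ID` stays commented out even though the App ID is the `iss` claim the token request needs, and encode_jwt.py in this same commit hard-codes it instead; uncommenting it and passing it to the script removes that coupling. The hunk header counts ten lines per side but only nine are recoverable from the collapsed text, so one line of this hunk may be missing from this view. The enclosing `jobs:` block continues outside the hunk.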
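Review bot: `export GITHUB_TOKEN=$(...)` in the `run:` of the new `Setup GITHUB Credentials` step only sets the variable in that step's shell; it is gone when `Terraform Init` runs, so the provider has no token at all now that the job-level `GITHUB_TOKEN` in the first hunk is commented out. Follow the pattern of the AWS lines just above and write it to `$GITHUB_ENV`, masking it first since it is a live credential: `TOKEN=$(python encode_jwt.py "$GITHUB_APP_PEM_FILE" "$GITHUB_APP_INSTALLATION_ID" "$GITHUB_BASE_URL")`, `echo "::add-mask::$TOKEN"`, `echo "GITHUB_TOKEN=$TOKEN" >> "$GITHUB_ENV"`. The quoting matters: `$GITHUB_APP_PEM_FILE` holds a multi-line PEM, and unquoted it is word-split into many arguments, so argparse never receives the key as a single `private_key` value. The script imports `requests` and `cryptography`, which no visible step installs; unless the self-hosted runner already ships them, a dependency-install step is needed before this one. The `steps:` list continues outside the hunk.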
@@ -0,0 +1,80 @@
+## Run this script set the private key as github_app_private_key and installation_id as the installation id of the app
+
+#export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-bundle.crt
+#export github_app_private_key="-----BEGIN"
+#export github_app_installation_id=11
+#export github_app_url=https://github.e.it.census.gov
+#export GITHUB_TOKEN=$(python encode_jwt.py "$github_app_private_key" "$github_app_installation_id" "$github_app_url")
+
+import time
+import json
+import base64
+import argparse
+import requests
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.asymmetric import padding
+from cryptography.hazmat.primitives.serialization import load_pem_private_key
+import sys
+
+# Set up argument parser
+parser = argparse.ArgumentParser(description='Encode JWT with RS256 and get GitHub Enterprise installation access token')
+parser.add_argument('private_key', type=str, help='PEM formatted private key string')
+parser.add_argument('installation_id', type=str, help='GitHub App Installation ID')
+parser.add_argument('enterprise_url', type=str, help='GitHub Enterprise API URL (e.g., https://github.e.it.census.gov)')
+args = parser.parse_args()
+
+# Load the PEM private key
+private_key = load_pem_private_key(args.private_key.encode(), password=None)
+
+# JWT Header
+header = {
+ "alg": "RS256",
+ "typ": "JWT"
+}
+
+# JWT Payload
+payload = {
+ "iat": int(time.time()),
+ "exp": int(time.time()) + (10 * 60),
+ "iss": "6" # Replace with your actual GitHub App ID
+}
+
+# Encode Header and Payload as Base64
+header_encoded = base64.urlsafe_b64encode(json.dumps(header).encode()).decode().rstrip("=")
+payload_encoded = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode().rstrip("=")
+
+# Create the message (header + payload)
+message = f"{header_encoded}.{payload_encoded}".encode()
+
+# Sign the message using RS256
+signature = private_key.sign(
+ message,
+ padding.PKCS1v15(),
+ hashes.SHA256()
+)
+
+# Encode the signature in Base64
+signature_encoded = base64.urlsafe_b64encode(signature).decode().rstrip("=")
+
+# Construct the full JWT
+jwt_token = f"{header_encoded}.{payload_encoded}.{signature_encoded}"
+
+# Prepare the request to get the installation access token
+headers = {
+ "Authorization": f"Bearer {jwt_token}",
+ "Accept": "application/vnd.github+json"
+}
+
+# Make the request to the GitHub Enterprise API to get the installation access token
+url = f"{args.enterprise_url}/api/v3/app/installations/{args.installation_id}/access_tokens"
+response = requests.post(url, headers=headers)
+
+# Check if the request was successful
+if response.status_code == 201:
+ installation_access_token = response.json().get('token')
+ print(installation_access_token) # Output the token only
+else:
+ # Raise an error with a message
+ sys.stderr.write(f"Error: Failed to get installation access token. Status code: {response.status_code}\n")
+ sys.stderr.write(f"{response.text}\n")
+ sys.exit(1) # Exit with an error code
diff --git a/versions.tf b/versions.tf
index 187b843..1030799 100644
--- a/versions.tf
+++ b/versions.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 random = {
 source = "integrations/github"
- version = ">= 6.2.2"
+ version = ">= 6.3.0"
 }
 aws = {
 source = "hashicorp/aws"
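Review bot: The PEM private key is taken positionally from `argv` (`parser.add_argument('private_key', ...)`), so the App's signing key is visible in the runner's process table and in any shell trace of the calling step; the header comment already describes supplying it as the environment variable `github_app_private_key`, so read it from the environment (which needs `import os`) or from a file path rather than a positional string. `url` is built with a bare f-string while the workflow passes `GITHUB_BASE_URL` with a trailing slash, producing `//api/v3/...`; normalise with `url = f"{args.enterprise_url.rstrip('/')}/api/v3/app/installations/{args.installation_id}/access_tokens"`. `requests.post(url, headers=headers)` has no `timeout=`, so a stalled enterprise endpoint hangs the job indefinitely; `response = requests.post(url, headers=headers, timeout=30)` bounds it. `"iss": "6"` hard-codes the App ID with the `# Replace with your actual GitHub App ID` comment left in place; make it a fourth argument (or read the `GITHUB_APP_ID` the workflow defines but leaves commented out) so the script is not tied to one App. `iat` and `exp` come from two separate `time.time()` calls; compute `now = int(time.time())` once so the lifetime is exactly the intended ten minutes.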