GitHub app (#617)

cmd/otfd/main.go

@@ -10,6 +10,8 @@ import (
 	"github.com/leg100/otf/internal/agent"
 	"github.com/leg100/otf/internal/authenticator"
 	"github.com/leg100/otf/internal/daemon"
+	"github.com/leg100/otf/internal/github"
+	"github.com/leg100/otf/internal/gitlab"
 	"github.com/leg100/otf/internal/logr"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
@@ -81,21 +83,19 @@ func parseFlags(ctx context.Context, args []string, out io.Writer) error {
 	cmd.Flags().BoolVar(&cfg.EnableRequestLogging, "log-http-requests", false, "Log HTTP requests")
 	cmd.Flags().BoolVar(&cfg.DevMode, "dev-mode", false, "Enable developer mode.")
 
-	cmd.Flags().StringVar(&cfg.Github.Hostname, "github-hostname", cfg.Github.Hostname, "github hostname")
-	cmd.Flags().BoolVar(&cfg.Github.SkipTLSVerification, "github-skip-tls-verification", false, "Skip github TLS verification")
-	cmd.Flags().StringVar(&cfg.Github.OAuthConfig.ClientID, "github-client-id", "", "github client ID")
-	cmd.Flags().StringVar(&cfg.Github.OAuthConfig.ClientSecret, "github-client-secret", "", "github client secret")
+	cmd.Flags().StringVar(&cfg.GithubHostname, "github-hostname", github.DefaultHostname, "github hostname")
+	cmd.Flags().StringVar(&cfg.GithubClientID, "github-client-id", "", "github client ID")
+	cmd.Flags().StringVar(&cfg.GithubClientSecret, "github-client-secret", "", "github client secret")
 
-	cmd.Flags().StringVar(&cfg.Gitlab.Hostname, "gitlab-hostname", cfg.Gitlab.Hostname, "gitlab hostname")
-	cmd.Flags().BoolVar(&cfg.Gitlab.SkipTLSVerification, "gitlab-skip-tls-verification", false, "Skip gitlab TLS verification")
-	cmd.Flags().StringVar(&cfg.Gitlab.OAuthConfig.ClientID, "gitlab-client-id", "", "gitlab client ID")
-	cmd.Flags().StringVar(&cfg.Gitlab.OAuthConfig.ClientSecret, "gitlab-client-secret", "", "gitlab client secret")
+	cmd.Flags().StringVar(&cfg.GitlabHostname, "gitlab-hostname", gitlab.DefaultHostname, "gitlab hostname")
+	cmd.Flags().StringVar(&cfg.GitlabClientID, "gitlab-client-id", "", "gitlab client ID")
+	cmd.Flags().StringVar(&cfg.GitlabClientSecret, "gitlab-client-secret", "", "gitlab client secret")
 
-	cmd.Flags().StringVar(&cfg.OIDC.Name, "oidc-name", cfg.OIDC.Name, "User friendly OIDC name")
-	cmd.Flags().StringVar(&cfg.OIDC.IssuerURL, "oidc-issuer-url", cfg.OIDC.IssuerURL, "OIDC issuer URL")
+	cmd.Flags().StringVar(&cfg.OIDC.Name, "oidc-name", "", "User friendly OIDC name")
+	cmd.Flags().StringVar(&cfg.OIDC.IssuerURL, "oidc-issuer-url", "", "OIDC issuer URL")
 	cmd.Flags().StringVar(&cfg.OIDC.ClientID, "oidc-client-id", "", "OIDC client ID")
 	cmd.Flags().StringVar(&cfg.OIDC.ClientSecret, "oidc-client-secret", "", "OIDC client secret")
-	cmd.Flags().StringSliceVar(&cfg.OIDC.Scopes, "oidc-scopes", authenticator.DefaultScopes, "OIDC scopes")
+	cmd.Flags().StringSliceVar(&cfg.OIDC.Scopes, "oidc-scopes", authenticator.DefaultOIDCScopes, "OIDC scopes")
 	cmd.Flags().StringVar(&cfg.OIDC.UsernameClaim, "oidc-username-claim", string(authenticator.DefaultUsernameClaim), "OIDC claim to be used for username (name, email, or sub)")
 
 	cmd.Flags().BoolVar(&cfg.RestrictOrganizationCreation, "restrict-org-creation", false, "Restrict organization creation capability to site admin role")

docs/auth/site_admins.md

@@ -0,0 +1,23 @@
+# Site Admins
+
+Site admins possesses supreme privileges to an OTF installation. There are two ways to assume the role:
+
+* Promote users to the role using the [`--site-admins`](../../config/flags/#-site-admins) flag.
+* Set a token with the [`--site-token`](../../config/flags/#-site-token) flag and use it to login as the built-in `site-admin` user
+
+## Promoting users
+
+To promote users to the role, simply set the [`--site-admins`](../../config/flags/#-site-admins) flag. There is no need to re-login.
+
+## Site token
+
+Set a site token with the [`--site-token`](../../config/flags/#-site-token) flag. You can use the token with the API, CLI, and the web UI.
+
+To use it to login to the web UI, use the link in the bottom right corner of the login page:
+
+![login page](../images/no_authenticators_site_admin_login.png){.screenshot}
+![site admin enter token](../images/site_admin_login_enter_token.png){.screenshot}
+![site admin profile](../images/site_admin_profile.png){.screenshot}
+
+!!! note
+    Keep the token secure. Anyone with access to the token has complete access to OTF. Use of the site admin token is recommended only for one-off administrative and testing purposes. You should use an Identity Provider in most cases.

docs/config/flags.md

@@ -191,8 +191,7 @@ comma. For example:
 otfd --site-admins [email protected],[email protected]
 ```
 
-Any users that were previously promoted and are no longer specified with this
-flag are demoted.
+Users are automatically created if they don't exist already.
 
 ## `--site-token`
 

docs/github_app.md

@@ -0,0 +1,61 @@
+# Github app
+
+OTF provides the ability to create a [Github app](https://docs.github.com/en/apps/creating-github-apps/about-creating-github-apps/about-creating-github-apps). The app can then be used as an alternative to a personal access token for a VCS provider, offering the following advantages:
+
+* Unlike a personal token, an app is [not necessarily tied to an individual's personal Github account](https://docs.github.com/en/apps/creating-github-apps/about-creating-github-apps/deciding-when-to-build-a-github-app#choosing-between-a-github-app-or-a-personal-access-token). Instead it can be owned and installed into a Github organization. If an individual leaves an organization then the app continues to function.
+* The app can be installed into more than Github account. For instance, if you install the app into Github organizations `dev` and `prod` you can then create VCS providers for those installations respectively, restricting their access to the repositories belonging to each organization.
+* An app comes with [its own webhook](https://docs.github.com/en/apps/creating-github-apps/about-creating-github-apps/deciding-when-to-build-a-github-app#github-apps-have-built-in-webhooks). Therefore, unlike with personal tokens, OTF does not need to create webhooks on Github repositories. This can be advantage if you want to overcome the maximum 20 webhook per-repo limit (OTF creates a separate webhook on a repo for each VCS provider if using a personal token).
+* An app has a higher [maximum possible rate-limit](https://docs.github.com/en/apps/creating-github-apps/registering-a-github-app/rate-limits-for-github-apps).
+* The github app creation process automatically persists the app credentials to the database. There is no copying-and-pasting of credentials involved.
+
+!!! note
+    Github apps also have access to a richer API for status checks. A future version of OTF will take advantage of this.
+
+## Create the app
+
+Select **site** in the top right corner menu to take you to the site settings page:
+
+![site settings page](images/site_settings.png){.screenshot}
+
+Select **GitHub app**. You are then prompted to create an app:
+
+![github app page](images/empty_github_app_page.png){.screenshot}
+
+Select the link to create a new app. You are presented with a form to create the app:
+
+![new github app form](images/new_github_app.png){.screenshot}
+
+An app has an owner. By default your github personal account is the owner. If you would prefer a Github organization to own the application then enter the name of the organization.
+
+An app is *private* by default. That means the app can only be installed into the Github account that owns the app, and only repositories in that account will be accessible to OTF. If you want to install the app into more than one Github account then you need to select the **Public** checkbox. (This can be changed once the app has been created, via the app settings page on Github).
+
+Click **Create** and you are redirected to Github. You are given the opportunity to set a name (it must be globally unique and cannot match the name of a Github account):
+
+![create github app on github.com](images/github_create_github_app.png){.screenshot}
+
+Click the **Create GitHub App for ...** button.
+
+You're then redirected back to OTF, where details of the app are now visible:
+
+![github app created](images/github_app_created.png){.screenshot}
+
+## Install the app
+
+Once you've created the app you need to install it.
+
+On the Github app page, click the **Install** button:
+
+![github app created](images/github_app_created.png){.screenshot}
+
+You are re-directed to Github, where you can select the repositories that are to be made accessible to OTF:
+
+![github app created](images/github_install_app.png){.screenshot}
+
+!!! note
+    If you created a *public* app earlier you will first be presented with a choice of accounts to install the app into.
+
+Click the **Install** button and you'll be re-directed back to OTF. The installation should now be listed:
+
+![github app installation listing](images/github_app_install_list.png){.screenshot}
+
+You can create a [VCS provider](vcs_providers.md) from the installation.

docs/index.md

@@ -4,15 +4,16 @@ OTF is an open-source alternative to Terraform Enterprise, sharing many of its f
 
 * Full Terraform CLI integration
 * Remote execution mode: plans and applies run on servers
-* Agent execution mode: plans and applies run on agents
+* Agent execution mode: plans and applies run on [agents](agents.md)
 * Remote state backend: state stored in PostgreSQL
 * SSO: sign in using an identity provider via OIDC, OAuth, etc.
-* Module registry (provider registry coming soon)
 * RBAC: control team access to workspaces
 * VCS integration: trigger runs and publish modules from git commits
+* Create and install a [Github app](github_app.md) to integrate OTF with Github
 * Compatible with much of the Terraform Enterprise/Cloud API
 * Minimal dependencies: requires only PostgreSQL
 * Stateless: horizontally scale servers in pods on Kubernetes, etc
+* Module registry (provider registry coming soon)
 
 <figure markdown>
 ![run page planned and finished state](images/run_page_planned_and_finished_state.png){.screenshot}

docs/vcs_providers.md

@@ -1,23 +1,36 @@
 # VCS Providers
 
-To connect workspaces and modules to git repositories containing Terraform configurations, you need to provide OTF with access to your VCS provider.
+To connect workspaces and modules to git repositories containing Terraform configurations, you need to provide OTF with access to your VCS provider. You have a choice of three providers:
 
-Firstly, create a provider for your organization. On your organization's main menu, select **VCS providers**.
+* [Github app](github_app.md)
+* Github personal access token
+* Gitlab personal access token
+
+## Walkthrough
+
+This walkthrough shows you how to create a VCS provider via the web UI.
+
+On your organization's main menu, select **VCS providers**.
 
 ![organization main menu](images/organization_main_menu.png){.screenshot}
 
-You'll be presented with a choice of providers to create. The choice is restricted to those for which you have enabled [SSO](#authentication). For instance, if you have enabled Github SSO then you can create a Github VCS provider.
+You are presented with a choice of providers to create:
 
-![vcs providers list](images/vcs_providers_list.png){.screenshot}
+![vcs providers list](images/vcs_provider_list_including_github_app.png){.screenshot}
 
-Select the provider you would like to create. You will then be prompted to enter a personal access token. Instructions for generating the token are included on the page. The token permits OTF to access your git repository and retrieve terraform configuration. Once you've generated and inserted the token into the field you also need to give the provider a name that describes it.
+In this walkthrough we will create a provider using a Github personal access token.
+
+Select **New Github VCS Provider (Personal Token)**. You are then presented with a form on which to enter the token:
 
 ![new github vcs provider form](images/new_github_vcs_provider_form.png){.screenshot}
 
-!!! note
-    Be sure to restrict the permissions on the token according to the instructions.
+Click the **personal token** link. It'll take you to Github where you can create the token. Create a **classic** token with the **repo** scope (or you can create a fine-tuned token with the equivalent permissions). The token permits OTF to access your git repository and retrieve terraform configuration. Once you've generated the token, copy and paste it into the **Token** field. Optionally you can also assign the provider a name.
+
+Create the provider and it'll appear on the list of providers:
+
+![vcs providers list](images/vcs_provider_created_github_pat_provider.png){.screenshot}
 
-Create the provider and it'll appear on the list of providers. You can now proceed to connecting workspaces and publishing modules.
+You can now proceed to connecting workspaces (see below) and [publishing modules](registry.md).
 
 ### Connecting a workspace
 

exchange-code.json

@@ -0,0 +1,35 @@
+{
+	"id": 384952,
+	"slug": "otf-new",
+	"node_id": "A_kwHOAc1xa84ABd-4",
+	"owner": {
+		"login": "automatize",
+		"id": 30241131,
+		"node_id": "MDEyOk9yZ2FuaXphdGlvbjMwMjQxMTMx",
+		"avatar_url": "https://avatars.githubusercontent.com/u/30241131?v=4",
+		"html_url": "https://github.com/automatize",
+		"gravatar_id": "",
+		"type": "Organization",
+		"site_admin": false,
+		"url": "https://api.github.com/users/automatize",
+		"events_url": "https://api.github.com/users/automatize/events{/privacy}",
+		"following_url": "https://api.github.com/users/automatize/following{/other_user}",
+		"followers_url": "https://api.github.com/users/automatize/followers",
+		"gists_url": "https://api.github.com/users/automatize/gists{/gist_id}",
+		"organizations_url": "https://api.github.com/users/automatize/orgs",
+		"received_events_url": "https://api.github.com/users/automatize/received_events",
+		"repos_url": "https://api.github.com/users/automatize/repos",
+		"starred_url": "https://api.github.com/users/automatize/starred{/owner}{/repo}",
+		"subscriptions_url": "https://api.github.com/users/automatize/subscriptions"
+	},
+	"name": "OTF-new",
+	"description": "Trigger terraform runs in OTF from GitHub",
+	"external_url": "https://otf.fridayafternoonhangover.com",
+	"html_url": "https://github.com/apps/otf-new",
+	"created_at": "2023-09-03T16:10:38Z",
+	"updated_at": "2023-09-03T16:10:38Z",
+	"client_id": "Iv1.f3fefdd17666291b",
+	"client_secret": "fb14b7b11460196307e08f9b756a28091203f8f9",
+	"webhook_secret": "8a1963079437b7c38744d67931d7f2fc54e7e63d",
+	"pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA5Rfz3Utrsw9EycKthYLEt5KNA+9FphNCxklDzy3/KKAlAgu6\ns+SGyWM8mLn1GPYR7yfFZpww7uNh2Ya64YzM9ZTnS0Q80GqMtamCf11owxBS9d4q\nHYsxrFiIDu0fjxnMYeY8gbMkhG7Mr0cWwUsyleb091KWq9Rslcu/pZiKgpOdDnNB\nw7tNxzMYSOWkf/cRHnJ/KoYURdL0sUkqEflc/9XHuAZas3WaZOqjUzSKbVQU18KJ\nkcq/pmoWVsU4DjoyVt1uqPFNMclUBBui20Sng7EAtsB80xh4geDWN/F1EeqkFam3\ny9ycTP8A0A0zFBqXyWgjnEtjM6YntODNxtKV7QIDAQABAoIBAFgWKKdLK6MS2OE3\nIJ84U8k96Ui9BKvBtigl3ZPY3MZTJUevGN+4m/btWExlHA+39ddeFHHK1qnT9ji8\nrDizec9nrLNtDnEYtvfWsJ2mXfS63xs4jDsF3VimRdJvbHYKdmKiM1uvdPgS3lL6\n4435Cv9GaaR7NgHl0MacLBlRGNjxjOWwtTEd+mgVwzq5lCxxDY7+MBNvHbMZscdZ\nxxcpL1hg2K/7WKHz4CaVOnMiWORN8N8yVZ0mdRE4GtFNRsj13sGSpjYhwDOxGT5a\n1dZzuxee5/KrOMTIUU3qBG3yxfJ87eFyuMqdD+MFYoEgiOh7C671aquchtgTbjys\nZi53RoUCgYEA9/uEJQc2pVTPR2rp0Tm+mWUsST0UcXzK2NmR0Tf+vOHtrgovhPqU\nuxALWUQiBBzcwMx5crtCCZwEGwDGJlMUVSqUWWAFd4lCfSOxm7JUCelNS67Pykny\nuOhaoUqjZ8UaDcC4pDdepRQ4ggGyAYtwN92eW8mFOYHI121dk4QV37sCgYEA7IAZ\nEhdma0nIOb68dCJBQ/Zk6S3Z0QHTz46n/f0jEFbLvD9MHaVTuwIKfE/7KyZZGmO9\nLfcnfwMKmZnWjcLxhuhEFkhc5Gelvn12oizbBZ5uziir1ZhIn7U0YbA/Fq83qHZH\nIc9BBBexySKgNttpgcgJhdG0kqHsCoksvo3mYncCgYEA9zTwgskyHJbzG0rlVAGw\nk9Jb15bgLlItFQevaVXcyAahngHhZTs30VMpPQ/CqT7sgfZUi59JMbMqFJEs9z+S\n4WPVB1PFn2hhs8ZFY+TeChNdTrkxw4L8SIC4+FkjlGrUkikw5+Oaog4KVu/Bt/B9\nKfPvzaiS+sT6pmcMBeaCt8kCgYAD55GCZPSB7PPrUCTYXgBp2NWNq/4en0MZ+Cb5\n4IYFrQksEHd3PdWGDuCRcNiau8VY1DC5Y405YZl5M7sBGCjYq1kEbSlrc/KelH+y\n6b6r9xOpP66mlh8M0/cLbdd8zmPC2kEOY9eU87cxtOqkPTcet2jA1td+XEIDYoRk\nmP8mvQKBgQDJ0mx6pReYxZTxUDYQK0Nhl190QNFX9WdwxWQdcn3/ihV+8Im8Og/B\n2+WLZSnVgp9Lq6qMXtA9+pVINrzNIeGyr+JVzWlulySoqcf7gV8pzPH2kSTyJJDb\nXiAMJvx9DcMvSCCjjJvkWWheSjXTNXH9eqHNRY2/A7LyxWA3xnDP0w==\n-----END RSA PRIVATE KEY-----\n"
+}

go.mod

@@ -8,6 +8,7 @@ require (
 	github.com/Masterminds/sprig/v3 v3.2.2
 	github.com/allegro/bigcache v1.2.1
 	github.com/antchfx/htmlquery v1.3.0
+	github.com/bradleyfalzon/ghinstallation/v2 v2.7.0
 	github.com/buildkite/terminal-to-html v3.2.0+incompatible
 	github.com/chromedp/cdproto v0.0.0-20230220211738-2b1ec77315c9
 	github.com/chromedp/chromedp v0.9.1
@@ -19,6 +20,7 @@ require (
 	github.com/gobwas/glob v0.2.3
 	github.com/gomarkdown/markdown v0.0.0-20221013030248-663e2500819c
 	github.com/google/go-github/v41 v41.0.0
+	github.com/google/go-github/v55 v55.0.0
 	github.com/google/goexpect v0.0.0-20210430020637-ab937bf7fd6f
 	github.com/google/uuid v1.3.0
 	github.com/gorilla/handlers v1.5.1
@@ -49,7 +51,7 @@ require (
 	github.com/xanzy/go-gitlab v0.73.1
 	golang.org/x/exp v0.0.0-20230811145659-89c5cff77bcb
 	golang.org/x/mod v0.11.0
-	golang.org/x/net v0.9.0
+	golang.org/x/net v0.10.0
 	golang.org/x/oauth2 v0.7.0
 	golang.org/x/sync v0.1.0
 	google.golang.org/api v0.118.0
@@ -63,19 +65,22 @@ require (
 	cloud.google.com/go/iam v0.13.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver/v3 v3.1.1 // indirect
+	github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8 // indirect
 	github.com/agext/levenshtein v1.2.2 // indirect
 	github.com/antchfx/xpath v1.2.3 // indirect
 	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/chromedp/sysutil v1.0.0 // indirect
+	github.com/cloudflare/circl v1.3.3 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.1.0 // indirect
 	github.com/go-jose/go-jose/v3 v3.0.0 // indirect
 	github.com/gobwas/httphead v0.1.0 // indirect
 	github.com/gobwas/pool v0.2.1 // indirect
 	github.com/gobwas/ws v1.1.0 // indirect
 	github.com/goccy/go-json v0.10.2 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
@@ -125,9 +130,9 @@ require (
 	github.com/spf13/cast v1.3.2-0.20200723214538-8d17101741c8 // indirect
 	github.com/zclconf/go-cty v1.8.0 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	golang.org/x/crypto v0.7.0 // indirect
-	golang.org/x/sys v0.7.0 // indirect
-	golang.org/x/text v0.9.0 // indirect
+	golang.org/x/crypto v0.12.0 // indirect
+	golang.org/x/sys v0.11.0 // indirect
+	golang.org/x/text v0.12.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect