TW-81291: GitHub App: check against token scope for commit status permission, display a more clear success message

aeisele · Space Team · commit 1c0170436db7 · 2023-05-30T11:23:57.000Z
diff --git a/commit-status-publisher-server/src/main/java/jetbrains/buildServer/commitPublisher/github/api/impl/GitHubApiFactoryImpl.java b/commit-status-publisher-server/src/main/java/jetbrains/buildServer/commitPublisher/github/api/impl/GitHubApiFactoryImpl.java
@@ -23,8 +23,10 @@
 import jetbrains.buildServer.commitPublisher.github.api.GitHubApiFactory;
 import jetbrains.buildServer.commitPublisher.github.api.impl.data.RepoInfo;
 import jetbrains.buildServer.http.SimpleCredentials;
-import jetbrains.buildServer.serverSide.oauth.OAuthToken;
-import jetbrains.buildServer.serverSide.oauth.OAuthTokensStorage;
+import jetbrains.buildServer.serverSide.ProjectManager;
+import jetbrains.buildServer.serverSide.oauth.*;
+import jetbrains.buildServer.users.SUser;
+import jetbrains.buildServer.vcs.SVcsRoot;
 import org.jetbrains.annotations.NotNull;
 
 /**
@@ -37,10 +39,20 @@ public class GitHubApiFactoryImpl implements GitHubApiFactory {
   @NotNull
   protected final OAuthTokensStorage myOAuthTokensStorage;
 
+  @NotNull
+  protected final OAuthConnectionsManager myConnectionsManager;
+
+  @NotNull
+  protected final ProjectManager myProjectManager;
+
   public GitHubApiFactoryImpl(@NotNull final HttpClientWrapper wrapper,
-                              @NotNull OAuthTokensStorage oAuthTokensStorage) {
+                              @NotNull OAuthTokensStorage oAuthTokensStorage,
+                              @NotNull OAuthConnectionsManager connectionsManager,
+                              @NotNull ProjectManager projectManager) {
     myWrapper = wrapper;
     myOAuthTokensStorage = oAuthTokensStorage;
+    myConnectionsManager = connectionsManager;
+    myProjectManager = projectManager;
   }
 
 
@@ -93,6 +105,45 @@ protected void checkPermissions(@NotNull Repository repo, @NotNull RepoInfo repo
         if (null == repoInfo.name || null == repoInfo.permissions) {
           throw new PublisherException(String.format("Repository \"%s\" is inaccessible", repo.url()));
         }
+
+        final SVcsRoot vcsRoot = myProjectManager.findVcsRootByExternalId(vcsRootId);
+        if (vcsRoot == null) {
+          throw new PublisherException("Unable to find VCS root by external id " + vcsRootId);
+        }
+
+        final OAuthToken gitHubOAuthToken = myOAuthTokensStorage.getRefreshableToken(vcsRootId, tokenId, false);
+        if (gitHubOAuthToken == null) {
+          throw new PublisherException("Failed to retrieve configured token from storage (tokenId: " + tokenId + ")");
+        }
+
+        if (SUser.UKNOWN_USER_ID == gitHubOAuthToken.getTeamCityUserId()) { // GitHub App Connection
+          final OAuthConnectionDescriptor connection = getConnection(vcsRoot, tokenId);
+          final TokenIntent intent = new TokenIntent(TokenIntentType.PUBLISH_STATUS, vcsRoot.getProperty("url"));
+          if (!connection.getOauthProvider().isSuitableToken(gitHubOAuthToken, intent)) {
+            throw new PublisherException(String.format("The stored token doesn't have push access to the repository \"%s\"", repo.url()));
+          }
+
+        } else { // OAuth connection
+          if (!repoInfo.permissions.push) {
+            throw new PublisherException(String.format("There is no push access to the repository \"%s\"", repo.url()));
+          }
+        }
+      }
+
+
+      @NotNull
+      private OAuthConnectionDescriptor getConnection(@NotNull SVcsRoot vcsRoot, @NotNull String tokenId) throws PublisherException {
+        final TokenFullIdComponents components = OAuthTokensStorage.parseFullTokenId(tokenId);
+        if (components == null) {
+          throw new PublisherException("Unable to parse token id " + tokenId);
+        }
+
+        final OAuthConnectionDescriptor connection = myConnectionsManager.findConnectionByTokenStorageId(vcsRoot.getProject(), components.getTokenStorageId());
+        if (connection == null) {
+          throw new PublisherException("Unable to find connection by token id " + tokenId);
+        }
+
+        return connection;
       }
     };
   }
diff --git a/commit-status-publisher-server/src/main/resources/buildServerResources/github/githubSettings.jsp b/commit-status-publisher-server/src/main/resources/buildServerResources/github/githubSettings.jsp
@@ -146,7 +146,17 @@
           <c:if test="${testConnectionSupported}">
             <script>
               $j(document).ready(function() {
-                PublisherFeature.showTestConnection();
+                PublisherFeature.showTestConnection(() => {
+                  const selectedAuthType = $('${keys.authenticationTypeKey}').value;
+                  if (selectedAuthType === '${keys.authentificationTypeGitHubAppTokenValue}' || selectedAuthType === 'vcsRoot') {
+                    return {
+                      text: `This test confirms that TeamCity can <strong>pull/read</strong> data from the target repository under the provided credentials.<br/></br/>
+                             If builds fail to publish their statuses, check whether the current credentials have corresponding <strong>push/write</strong> permissions.`,
+                      preserveHtml: true
+                    };
+                  }
+                  return "";
+                });
               });
             </script>
           </c:if>
diff --git a/commit-status-publisher-server/src/main/resources/buildServerResources/publisherFeatureHeader.jsp b/commit-status-publisher-server/src/main/resources/buildServerResources/publisherFeatureHeader.jsp
@@ -77,7 +77,18 @@
 
         onCompleteSave: function (form, responseXML, err) {
           BS.XMLResponse.processErrors(responseXML, that, null);
-          BS.TestConnectionDialog.show(success, success ? (testConnectionSuccessInfo  ? testConnectionSuccessInfo : "") : info, null);
+          let successInfo = "";
+          let preserveHtml = false;
+          if (testConnectionSuccessInfo) {
+            if (testConnectionSuccessInfo instanceof Function) {
+              const info = testConnectionSuccessInfo.call();
+              successInfo = info.text;
+              preserveHtml = info.preserveHtml;
+            } else {
+              successInfo = testConnectionSuccessInfo;
+            }
+          }
+          BS.TestConnectionDialog.show(success, success ? successInfo : info, null, preserveHtml);
           form.setSaving(false);
           form.enable();
         }
diff --git a/commit-status-publisher-server/src/main/resources/buildServerResources/stash/stashSettings.jsp b/commit-status-publisher-server/src/main/resources/buildServerResources/stash/stashSettings.jsp
@@ -97,7 +97,13 @@
     <c:if test="${testConnectionSupported}">
       <script>
         $j(document).ready(function() {
-          PublisherFeature.showTestConnection("This ensures that the repository is reachable under the provided credentials.\nIf status publishing still fails, it can be due to insufficient permissions of the corresponding BitBucket Server user.");
+          PublisherFeature.showTestConnection(() => {
+            return {
+              text: `This test confirms that TeamCity can <strong>pull/read</strong> data from the target repository under the provided credentials.<br/></br/>
+                     If builds fail to publish their statuses, check whether the current Bitbucket server user has corresponding <strong>push/write</strong> permissions.`,
+              preserveHtml: true
+            };
+          });
         });
       </script>
     </c:if>
diff --git a/commit-status-publisher-server/src/test/java/jetbrains/buildServer/commitPublisher/github/GitHubPublisherTest.java b/commit-status-publisher-server/src/test/java/jetbrains/buildServer/commitPublisher/github/GitHubPublisherTest.java
@@ -32,6 +32,7 @@
 import jetbrains.buildServer.commitPublisher.github.api.impl.data.RepoInfo;
 import jetbrains.buildServer.messages.Status;
 import jetbrains.buildServer.serverSide.*;
+import jetbrains.buildServer.serverSide.oauth.OAuthConnectionsManager;
 import jetbrains.buildServer.serverSide.oauth.OAuthTokensStorage;
 import jetbrains.buildServer.util.HTTPRequestBuilder;
 import jetbrains.buildServer.util.TestFor;
@@ -200,7 +201,9 @@ protected void setUp() throws Exception {
     myBuildType.getProject().addParameter(new SimpleParameter("teamcity.commitStatusPublisher.publishQueuedBuildStatus", "true"));
 
     myChangeStatusUpdater = new ChangeStatusUpdater(new GitHubApiFactoryImpl(new HttpClientWrapperImpl(new HTTPRequestBuilder.ApacheClient43RequestHandler(), () -> null),
-                                                                             myFixture.getSingletonService(OAuthTokensStorage.class)), myFixture.getVcsHistory());
+                                                                             myFixture.getSingletonService(OAuthTokensStorage.class),
+                                                                             myFixture.getSingletonService(OAuthConnectionsManager.class),
+                                                                             myFixture.getProjectManager()), myFixture.getVcsHistory());
 
     myPublisherSettings = new GitHubSettings(myChangeStatusUpdater, new MockPluginDescriptor(), myWebLinks, myProblems,
                                              myOAuthConnectionsManager, myOAuthTokenStorage, myFixture.getSecurityContext(),
