Comments (3)
The following modifications to internal/clients/github/client.go
cause Legitify to accept fine-grained PATs:
var githubTokenPattern = regexp.MustCompile("^ghp_[a-zA-Z0-9]{36}$|^github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}$")
func (c *Client) validateToken(token string) error {
if token == "" {
return fmt.Errorf("missing token")
} else if !githubTokenPattern.MatchString(token) {
return fmt.Errorf("GitHub token seems invalid (expected pattern: '%v')", githubTokenPattern)
}
return nil
}
Analysis runs fine until we hit a panic on github.com/Legit-Labs/legitify/cmd/progressbar.(*progressBar).handleTimedBarCreation
with the message, panic: *mpb.Progress instance can't be reused after it's done!
.
___ _______ _______ ___ _______ ___ _______ __ __
| | | || || | | || | | || | | |
| | | ___|| ___|| | |_ _|| | | ___|| |_| |
| | | |___ | | __ | | | | | | | |___ | |
| |___ | ___|| || || | | | | | | ___||_ _|
| || |___ | |_| || | | | | | | | | |
|_______||_______||_______||___| |___| |___| |___| |___|
By Legit Security
Using Github Cloud
Note: to get the OpenSSF scorecard results for the organization repositories use the --scorecard option
metadata 6 / 6 [==============================================================] 100 %
organization 1 / 1 [==============================================================] 100 %
actions 0 / 1 [--------------------------------------------------------------] 0 %
repository 121 / 121 [==============================================================] 100 %
panic: *mpb.Progress instance can't be reused after it's done!
goroutine 30 [running]:
github.com/vbauerster/mpb/v8.(*Progress).AddFiller(0x140000ac730, 0x3b, {0x1055bcf60?, 0x1400039eea0?}, {0x140002328e8, 0x1, 0x1})
/Users/charlton/.go/pkg/mod/github.com/vbauerster/mpb/[email protected]/progress.go:154 +0x1dc
github.com/vbauerster/mpb/v8.(*Progress).New(0x8?, 0x1400007a900?, {0x12def8008?, 0x14000199000?}, {0x140002328e8, 0x1, 0x1})
/Users/charlton/.go/pkg/mod/github.com/vbauerster/mpb/[email protected]/progress.go:125 +0x60
github.com/vbauerster/mpb/v8.(*Progress).AddBar(0x14000bd04e0?, 0x104fa3661?, {0x140002328e8, 0x1, 0x1})
/Users/charlton/.go/pkg/mod/github.com/vbauerster/mpb/[email protected]/progress.go:115 +0x118
github.com/Legit-Labs/legitify/cmd/progressbar.(*progressBar).handleTimedBarCreation(0x140000bb7d0, {{0x104fb5d5a, 0x14}, {0xc10ccd44d4e6bd10, 0x1f0ecb3cae, 0x105f85a40}})
/Users/charlton/Developer/legitify/cmd/progressbar/progressbar.go:190 +0x36c
github.com/Legit-Labs/legitify/cmd/progressbar.(*progressBar).Run.func1()
/Users/charlton/Developer/legitify/cmd/progressbar/progressbar.go:86 +0x1d8
created by github.com/Legit-Labs/legitify/cmd/progressbar.(*progressBar).Run
/Users/charlton/Developer/legitify/cmd/progressbar/progressbar.go:72 +0x94
exit status 2
from legitify.
Note that the above results occur for an organization-scoped PAT that is still pending approval. Even so, it shouldn't cause a panic.
I am still waiting on approval for my test PAT, and will update this issue with those results.
Update: Even with an active approved PAT and patching handleTimedBarCreation
to avoid the panic, it looks like there are some underlying issues authenticating requests to the API.
Legitify's error log states that certain permission scopes (such as repo and read:repo_hook) are missing, despite these being present on the active issued token.
Skipping policy: missing_default_branch_protection_deletion, missing scope: repo
Skipping policy: missing_default_branch_protection_force_push, missing scope: repo
Skipping policy: non_linear_history, missing scope: repo
Skipping policy: repository_has_too_many_admins, missing scope: read:org
Skipping policy: repository_webhook_doesnt_require_ssl, missing scope: read:repo_hook
Skipping policy: repository_webhook_no_secret, missing scope: read:repo_hook
Skipping policy: requires_status_checks, missing scope: repo
Skipping policy: code_review_by_two_members_not_required, missing scope: repo
Skipping policy: no_conversation_resolution, missing scope: repo
Skipping policy: no_signed_commits, missing scope: repo
Skipping policy: review_dismissal_allowed, missing scope: repo
Skipping policy: scorecard_score_too_low, missing prerequisite: scorecard_enabled
Skipping policy: code_review_not_limited_to_code_owners, missing scope: repo
Skipping policy: dismisses_stale_reviews, missing scope: repo
Skipping policy: pushes_are_not_restricted, missing scope: repo
Skipping policy: repository_not_maintained, missing scope: repo
Skipping policy: requires_branches_up_to_date_before_merge, missing scope: repo
Skipping policy: token_default_permissions_is_read_write, missing scope: admin:org
Skipping policy: actions_can_approve_pull_requests, missing scope: admin:org
Skipping policy: code_review_not_required, missing scope: repo
Skipping policy: forking_allowed_for_repository, missing scope: read:org
Skipping policy: ghas_dependency_review_not_enabled, missing scope: repo
Skipping policy: missing_default_branch_protection, missing scope: repo
Token Permissions
Organization Permissions
- Read access to custom repository roles, members, organization actions variables, organization administration, organization announcement banners, organization codespaces, organization codespaces secrets, organization codespaces settings, organization dependabot secrets, organization events, organization hooks, organization plan, organization projects, organization secrets, organization self hosted runners, organization user blocking, and team discussions
Repository Permissions
- Read access to Dependabot alerts, actions, actions variables, administration, code, codespaces, codespaces lifecycle admin, codespaces metadata, commit statuses, dependabot secrets, deployments, discussions, environments, issues, merge queues, metadata, pages, pull requests, repository advisories, repository hooks, secret scanning alerts, secrets, and security events
The token has access to all repositories owned by the organization.
Update: Looks like the issue is related to the fact that the X-OAuth-Scopes
/X-Accepted-OAuth-Scopes
headers returned when using classic PATs, but it doesn't look like they're returned with fine-grained ones in my testing (and thus, Legitify can't map out the scopes). I'm looking into available methods to introspect a fine-grained PAT permissions.
Update: Inquired about this with GitHub.
Q
Hey folks! Is there an easy way to retrieve OAuth scopes from the GraphQL API when using fine-grained PATs?
I'm familiar with the X-OAuth-Scopes/X-Accepted-OAuth-Scopes headers returned when using classic PATs, but it doesn't look like they're returned with fine-grained ones in my testing. Is there another method I could use to introspect the token's permissions?
A
Unfortunately not at this time [...] Right now you'll need to be an org admin and call the APIs to review token permissions. The missing link currently is that if you just have a raw token, you can't see what it does using the API as you won't know the ID of the token.
from legitify.
Hi @chtzvt, Thanks for doing this research!
Since fine-grained tokens don't support the headers you mentioned and non-repository API's It's not trivial to support them now.
A solution you can try is to support them only for the repository namespace and turn off scope checks (skippers.go).
We'll support fine-grained tokens when they are more mature.
I am closing the issue for now
from legitify.
Related Issues (20)
- Premium GitLab accounts with skipped tests HOT 9
- Ignore invalid or expired certificate
- Reduce GitLab API Calls HOT 6
- Report Script HOT 1
- Policy Skip Support for GitHub Action HOT 1
- Parameterize output report name in GH action HOT 2
- legitify analyze --repo doesn't support gitlab projects within subgroups HOT 5
- When the "ignore-policies" option is enabled, GitHub Action disregards the "extra" parameter HOT 4
- SARIF format results do no supply the actual violation results? HOT 2
- legitify doesn't support nested GitLab projects completely HOT 8
- "organization_has_too_many_admins" policy doesn't flag an organization with 8 owners HOT 5
- Add the needed permissions/scopes to the custom action documentation HOT 4
- Running the GitHub action with ` scorecard: verbose` fails with error `failed to enrich scorecard: expecting []ScorecardCheck` HOT 1
- Support using legitify action with GITHUB_TOKEN
- 1.0.5 release did not get completed HOT 2
- "Reaching out" Message comes with every usage of legitify convert HOT 1
- Unmet prerequisite: premium, but premium license is used HOT 6
- Restricting email notifications (GitHub) HOT 2
- Skip evaluating archived GitHub repos in an org HOT 2
- GHA - unable to add extra: --namespace -unknown flag HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from legitify.