Add support for get_app endpoint with app authentication

[chantra]

add support for get_app endpoint for app authenticated applications

The /app endpoint requires the use of a JWT to be accessed: https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#get-the-authenticated-app

This change creates a new GithubIntegration and calls the /app
endpoint through it so the requester used uses JWT and not a token.

• Updated exiting GithubApp testGetAuthenticatedApp to use authentication
• added test to validate assertion is raised when not called by an authenticated app.

Prior to this, an authenticated application would fail to get access to
its attribute with the following error: https://gist.github.com/chantra/f84e6981e2ab732a5e7acb2978872109

[EnricoMi]

I think this method should go into GithubIntegration.

[chantra]

Thanks. It is there already. This method here is just a proxy to get from the GitHub object to a GithubIntegration.
Are you fine with the GithubObject accessing directly the requester’s __app_auth to generate a new GithubIntegration? Or adding a app_auth getter so Github object can re-use it?

[EnricoMi]

I'd rather say GithubIntegration requires some rework to get the authentication, token refresh and Requester init args sorted out: #2461

[chantra]

In github/Requester.py <#2471 (comment)>: > @@ -381,6 +381,15 @@ def _get_installation_authorization(self): permissions=self.__app_auth.token_permissions, ) + def get_app(self): I'd rather say GithubIntegration requires some rework to get the authentication, token refresh and Requester init args sorted out: #2461 <#2461> thanks for sorting out the building blocks. I will rebase and adjust the

PR accordingly.

…

— Reply to this email directly, view it on GitHub <#2471 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAF77HIU7R2S4JGMORZUELW6BNM3ANCNFSM6AAAAAAWFZKRN4> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[chantra]

Ok, attempted chantra@1154f22

There is an issue with being able to call github.get_app() through as I don't see how we can get the GithubIntegration back to call GithubIntegration.get_app().

Also, I believe, if calling using the Github's requester, then the token will be sent, not the jwt, hence the need to be able to get back to the GithubIntegration form Github.

Another solution is to make get_app non-valid call if the slug is not provided, forcing to use the GithubIntegration object only.

[chantra]

@EnricoMi do you have any feedback on my previous comment?

[chantra]

@EnricoMi just checking if you have any feedback on my previous comment? thanks

[EnricoMi]

I think calling the /app endpoint should be moved into GithubIntegration.get_app and Main.get_app should make slug mandatory. This separates the two different endpoints. The former requires a personal access token or app installation token, the latter an application jwt.

Then, together with rework #2461, the following should work:

gh = Github(token)
# calls /apps/{slug} with personal access token
gh.get_app(slug)

gi = GithubIntegration(app_id, private_key, ...)
# calls /app with jwt
gi.get_app()

gh = gi.get_github_for_installation(id, permissions)
# calls /apps/{slug} with installation access token
gh.get_app(slug)

[chantra]

Thanks @EnricoMi . I would be happy to do those changes once your branch is merged. Please tag me when it lands so I can check it out and update this PR.

[EnricoMi]

@chantra auth rework is merged, go ahead and move /app call into GithubIntegration. Maybe a fresh new PR might be easier.

[chantra]

Thanks @EnricoMi

Let me close this PR and start fresh.