Merge pull request #8 from helaili/supportghes

support a GHES endpoint
helaili · May 12, 2023 · e63fbdd · e63fbdd
2 parents 80a2943 + 8b9cad7
commit e63fbdd
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -72,6 +72,8 @@ Those are the environment variables that can be used to configure the app:
 
 `CONFIG_FILE`: **Optional**. The name of the configuration file. Default to `oidc_entitlements.yml`
 
+`GHES_URL`: **Optional**. The URL of the GitHub Enterprise Server in the form of `https://ghes.example.com`. If not provided, the app will use `https://github.com`.
+
 # Installation
 
 ## Create a GitHub App 

diff --git a/github-oidc-auth-app.go b/github-oidc-auth-app.go
@@ -27,6 +27,7 @@ type GatewayContext struct {
 	appTransport   *ghinstallation.AppsTransport
 	configRepo     string
 	configFile     string
+	wellKnownURL   string
 }
 
 type ScopedTokenRequest struct {
@@ -256,7 +257,9 @@ func main() {
 	if err != nil {
 		log.Fatal("Wrong format for APP_ID")
 	}
-	var configRepo, configFile string
+
+	var configRepo, configFile, wellKnownURL string
+
 	if configRepo = os.Getenv("CONFIG_REPO"); configRepo == "" {
 		configRepo = ".github-private"
 	}
@@ -269,6 +272,13 @@ func main() {
 		log.Fatal("Failed to initialize GitHub App transport:", err)
 	}
 
+	if ghesUrl := os.Getenv("GHES_URL"); ghesUrl != "" {
+		appTransport.BaseURL = fmt.Sprintf("%s/api/v3", ghesUrl)
+		wellKnownURL = fmt.Sprintf("%s/_services/token/.well-known/jwks", ghesUrl)
+	} else {
+		wellKnownURL = "https://token.actions.githubusercontent.com/.well-known/jwks"
+	}
+
 	fmt.Println("loading installation id cache")
 	err = loadInstallationIdCache(appTransport)
 	if err != nil {
@@ -282,6 +292,7 @@ func main() {
 		appTransport:   appTransport,
 		configRepo:     configRepo,
 		configFile:     configFile,
+		wellKnownURL:   wellKnownURL,
 	}
 
 	server := http.Server{

diff --git a/jwks.go b/jwks.go
@@ -71,7 +71,7 @@ func validateTokenCameFromGitHub(oidcTokenString string, gc *GatewayContext) (jw
 	now := time.Now()
 
 	if now.Sub(gc.jwksLastUpdate) > time.Minute || len(gc.jwksCache) == 0 {
-		resp, err := http.Get("https://token.actions.githubusercontent.com/.well-known/jwks")
+		resp, err := http.Get(gc.wellKnownURL)
 		if err != nil {
 			fmt.Println(err)
 			return nil, fmt.Errorf("unable to get JWKS configuration")