This repository has been archived by the owner on Feb 7, 2024. It is now read-only.

Bug: Github service not working for GitHub enterprise when using Github App #399

Open
GSZoominfo opened this issue May 9, 2022 · 4 comments
Labels
bug Something isn't working

Comments


GSZoominfo commented May 9, 2022

Summary

Bug: wrong Github Enterprise API URL is being used

Diagnostics

Setting up argo notification GitHub service:

  1. Created a new GitHub App and changed the Commit Statuses permissions to read-write, saved the PEM file and installed the GitHub App.

  2. Set the config map:

service.github: |
  appID: <GITHUB_APP_ID>
  installationID: <GITHUB_INSTALLATION_ID>
  privateKey: $github_privateKey
  enterpriseBaseURL: https://git.<ENTERPRISE>.com

  3. Added a message:

template.<trigger>: |
  message: |
    Application {{.app.metadata.name}} deploy-started.
  github:
    status:
      state: started
      label: "continuous-delivery/{{.app.metadata.name}}"
      targetURL: "{{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true"

  4. Created the secret, same as in the docs.

  5. Added the annotation:

notifications.argoproj.io/subscribe.<trigger>.github: {{ <REPO_NAME> | quote }}

POST command used by argo notification in order to connect with the GitHub app that we created:
POST URL: https://git.<ENTERPRISE>.com/app/installations/<INSTALLATION_ID>/access_tokens

The response for that POST was: “non 2xx response and a redirect”

received non 2xx response status {\"<html><body>You are being <a href=\\\"https://git.<ENTERPRISE>.com/login?return_to=https%3A%2F%2Fgit.<ENTERPRISE>.com%2Fapp%2Finstallations%2F<INSTALLATION_ID>%2Faccess_tokens\\\">redirected</a>.</body></html>\"}

Our lead was checking the Bearer token so we tested it locally (followed the Authenticating with GitHub Apps - Doc)

Steps to reproduce the error:

Generate the fingerprint of your private key (PEM) locally by using the following command:
openssl rsa -in PATH_TO_PEM_FILE -pubout -outform DER | openssl sha256 -binary | openssl base64

No diff was found when comparing the results of the locally generated fingerprint to the fingerprint of the private key in GitHub.

Created the Bearer token locally using the following ruby script:

YOUR_PATH_TO_PEM and YOUR_APP_ID are the values you must replace. Make sure to enclose the values in double quotes.

require 'openssl'
require 'jwt'  # https://rubygems.org/gems/jwt

# Private key contents
private_pem = File.read("YOUR_PATH_TO_PEM")
private_key = OpenSSL::PKey::RSA.new(private_pem)

# Generate the JWT
payload = {
  # issued at time, 60 seconds in the past to allow for clock drift
  iat: Time.now.to_i - 60,
  # JWT expiration time (10 minute maximum)
  exp: Time.now.to_i + (10 * 60),
  # GitHub App's identifier
  iss: "YOUR_APP_ID"
}

# Sign with the app's RSA private key and print the bearer token
jwt = JWT.encode(payload, private_key, "RS256")
puts jwt

Trying to POST to GitHub, with the same URL that was used by argo notification

Error Reproduced

$ curl -i -X POST \
-H "Authorization: Bearer $JWT" \
-H "Accept: application/vnd.github.v3+json" \
https://git.<ENTERPRISE>.com/app/installations/<INSTALLATION_ID>/access_tokens

We got the same error message that we saw in the log of argo notification.

When changing the url to the correct github enterprise api url

from: https://git.<ENTERPRISE>.com/app/installations/<INSTALLATION_ID>/access_tokens
to: https://git.<ENTERPRISE>.com/api/v3/app/installations/<INSTALLATION_ID>/access_tokens

curl -i -X POST \
-H "Authorization: Bearer $JWT" \
-H "Accept: application/vnd.github.v3+json" \
https://git.<ENTERPRISE>.com/api/v3/app/installations/<INSTALLATION_ID>/access_tokens

We were able to connect with our GitHub app.

Full Error Log:
time="2022-05-01T09:05:06Z" level=error msg="Failed to notify recipient {github <REPO_NAME>} defined in resource argo/<APP_NAME>: Post \"https://git/.<Enterprise>.com/api/v3/repos/<REPO_NAME>/<CHART_NAME>/statuses/<REVISION>\": could not refresh installation id <INSTALATION_ID>'s token: request &{Method:POST URL:https://git/.<Enterprise>.com//app/installations/<INSTALATION_ID>/access_tokens Proto:HTTP/1.1 ProtoMajor:1 ProtoMinor:1 Header:map[Accept:[application/vnd.github.machine-man-preview+json application/vnd.github.machine-man-preview+json] Authorization:[Bearer <TOKEN>] Content-Type:[application/json]] Body:0xc00039e2b8 GetBody:0x7592e0 ContentLength:5 TransferEncoding:[] Close:false Host:git.<Enterprise>.com Form:map[] PostForm:map[] MultipartForm:<nil> Trailer:map[] RemoteAddr: RequestURI: TLS:<nil> Cancel:<nil> Response:<nil> ctx:0xc000058018} received non 2xx response status {\"<html><body>You are being <a href=\\\"https://git/.<Enterprise>.com/login?return_to=https%3A%2F%2Fgit.<Enterprise>.com%2Fapp%2Finstallations%2F<INSTALATION_ID>%2Faccess_tokens\\\">redirected</a>.</body></html>\"} with body &{Method:POST URL:https://git/.<Enterprise>.com//app/installations/<INSTALATION_ID>/access_tokens Proto:HTTP/1.1 ProtoMajor:1 ProtoMinor:1 Header:map[Accept:[application/vnd.github.machine-man-preview+json application/vnd.github.machine-man-preview+json] Authorization:[Bearer <TOKEN>] Content-Type:[application/json]] Body:0xc00039e2b8 GetBody:0x7592e0 ContentLength:5 TransferEncoding:[] Close:false Host:git.<Enterprise>.com Form:map[] PostForm:map[] MultipartForm:<nil> Trailer:map[] RemoteAddr: RequestURI: TLS:<nil> Cancel:<nil> Response:<nil> ctx:0xc000058018} and TLS &{Version:772 HandshakeComplete:true DidResume:false CipherSuite:4865 NegotiatedProtocol:h2 NegotiatedProtocolIsMutual:true ServerName:git.<Enterprise>.com PeerCertificates:[0xc000854b00 0xc000855080] VerifiedChains:[[0xc000854b00 0xc000855080 0xc000720c00]] SignedCertificateTimestamps:[] 
OCSPResponse:[48 130 1 20 10 1 0 160 130 1 13 48 130 1 9 6 9 43 6 1 5 5 7 48 1 1 4 129 251 48 129 248 48 129 158 162 22 4 20 165 206 55 234 235 176 117 14 148 103 136 180 69 250 217 36 16 135 150 31 24 15 50 48 50 50 48 52 51 48 48 48 53 55 48 49 90 48 115 48 113 48 73 48 9 6 5 43 14 3 2 26 5 0 4 20 18 215 139 64 44 53 98 6 250 130 127 142 216 146 36 17 180 172 245 4 4 20 165 206 55 234 235 176 117 14 148 103 136 180 69 250 217 36 16 135 150 31 2 16 8 72 124 32 138 115 52 97 43 184 227 28 182 128 174 208 128 0 24 15 50 48 50 50 48 52 51 48 48 48 52 50 48 49 90 160 17 24 15 50 48 50 50 48 53 48 54 50 51 53 55 48 49 90 48 10 6 8 42 134 72 206 61 4 3 2 3 73 0 48 70 2 33 0 209 201 6 60 251 230 149 144 10 19 124 176 74 240 167 150 74 163 25 212 123 156 98 83 250 36 133 150 19 216 164 56 2 33 0 220 226 67 245 146 74 149 44 244 65 157 220 6 205 206 100 24 145 89 56 73 38 78 117 142 63 133 94 6 74 234 211] TLSUnique:[] ekm:0x6a31a0}" resource=argo/<APP_NAME>

@GSZoominfo GSZoominfo added the bug Something isn't working label May 9, 2022
@GSZoominfo GSZoominfo changed the title Bug: Github service not working for GitHub enterprise Bug: Github service not working for GitHub enterprise when using Github App May 9, 2022
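
The URL difference reported above, as an added Go example that is not code from argocd-notifications or from the reporter: it derives the installation-token endpoint from an `enterpriseBaseURL` given with or without `/api/v3`, and flags the login redirect as a request that reached the web front end rather than the REST API. The helper names, `git.example.com` and installation ID 42 are assumptions made for illustration.

```go
// Added example, not argocd-notifications code. Host and ID are constructed.
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// apiBase maps a GitHub Enterprise Server base URL to its REST API root,
// appending /api/v3 when only the web host was configured. HTTPS is required
// because the request carries the app's bearer JWT.
func apiBase(enterpriseBaseURL string) (string, error) {
	u, err := url.Parse(enterpriseBaseURL)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return "", fmt.Errorf("invalid enterprise base URL %q", enterpriseBaseURL)
	}
	p := strings.TrimRight(u.Path, "/")
	if !strings.HasSuffix(p, "/api/v3") {
		p += "/api/v3"
	}
	u.Path = p
	return u.String(), nil
}

// installationTokenURL is the endpoint the app POSTs its JWT to.
func installationTokenURL(enterpriseBaseURL string, installationID int64) (string, error) {
	base, err := apiBase(enterpriseBaseURL)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%s/app/installations/%d/access_tokens", base, installationID), nil
}

// hitWebFrontEnd reports whether a response is the login redirect from the
// issue: a 3xx to /login means the web UI answered, not the REST API.
func hitWebFrontEnd(status int, location string) bool {
	if status < 300 || status > 399 {
		return false
	}
	u, err := url.Parse(location)
	return err == nil && strings.HasPrefix(u.Path, "/login")
}

func main() {
	tokenURL, err := installationTokenURL("https://git.example.com", 42)
	fmt.Println(tokenURL, err)
	fmt.Println(hitWebFrontEnd(302, "https://git.example.com/login?return_to=%2Fapp"))
}
```
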

karol-szymanowski commented Jun 15, 2022

Hi,

I don't think it's a bug but a deliberate design choice.

We include /api/v3 in enterpriseBaseURL for notifications and sso and it works fine (eg.: https://<ENTERPRISE>.com/api/v3).

@GSZoominfo
Author

@tetrash well...
if you look at the log under the "request method" you will see that the url is: https://git..com/app/installations/<INSTALLATION_ID>/access_tokens
which doesn't include the api/v3, and that is the reason why we get the redirect
as mentioned in the bug report we were able to replicate the issue using GitHub app token to logging (the redirect that we are receiving)

@karol-szymanowski

yup I understand but I don't understand why you won't include api/v3 in your enterpriseBaseURL? And btw this repo is no longer maintained, it was moved here https://github.com/argoproj/notifications-engine.


GSZoominfo commented Jun 23, 2022

@tetrash
Manipulating the enterpriseURL to fix the api call:
We tried to change the enterpriseBaseURL: https://git.zoominfo.com
to enterpriseBaseURL: https://git.zoominfo.com/api/v3 but we got the following error:
404 Not Found []

and will move the bug to the relevant repo
