Add additional up-front auth validation

Author: SteveDesmond-ca

src/App.cs

@@ -1,6 +1,7 @@
 using System;
 using System.Security.Authentication;
 using System.Threading.Tasks;
+using Octokit;
 
 namespace GitHubLabelSync
 {
@@ -22,13 +23,7 @@ public async Task Run(Settings settings)
 			_setStatus($"Starting...");
 			_log(settings.Name);
 
-			var validation = await _sync.ValidateAccess();
-			if(!validation.Successful)
-			{
-				throw new AuthenticationException(validation.Message);
-			}
-
-			var account = await _sync.GetAccount(settings.Name);
+			var account = await GetValidAccount(settings);
 			var repos = await _sync.GetRepositories(account);
 			var labels = await _sync.GetAccountLabels(account);
 			_log(string.Empty);
@@ -41,5 +36,24 @@ public async Task Run(Settings settings)
 
 			_log("Done!");
 		}
+
+		private async Task<Account> GetValidAccount(Settings settings)
+		{
+			var access = await _sync.ValidateAccess();
+			if (!access.Successful)
+			{
+				throw new AuthenticationException(access.Message);
+			}
+
+			var account = await _sync.GetAccount(settings.Name);
+
+			var auth = await _sync.ValidateUser(account);
+			if (!auth.Successful)
+			{
+				throw new AuthenticationException(auth.Message);
+			}
+
+			return account;
+		}
 	}
 }

src/GitHub.cs

@@ -37,6 +37,14 @@ public async Task<Account> GetOrganization(string name)
 			return account;
 		}
 
+		public async Task<Account> GetCurrentUser()
+		{
+			_setStatus("Finding current user...");
+			var account = await _client.User.Current();
+			_log($"{"User ID",-13} : {account.Id}");
+			return account;
+		}
+
 		public async Task<Account> GetUser(string name)
 		{
 			_setStatus($"Finding user for {name}...");
@@ -45,6 +53,21 @@ public async Task<Account> GetUser(string name)
 			return account;
 		}
 
+		public async Task<MembershipRole?> GetRole(string user, string org)
+		{
+			_setStatus($"Finding membership for {user} in {org}...");
+			try
+			{
+				var membership = await _client.Organization.Member.GetOrganizationMembership(org, user);
+				_log($"{"Role",-13} : {membership.Role}");
+				return membership.Role.Value;
+			}
+			catch
+			{
+				return null;
+			}
+		}
+
 		public async Task<IReadOnlyList<Repository>> GetRepositoriesForOrganization(Account account)
 		{
 			_setStatus($"Finding repositories for {account.Login}...");

src/IGitHub.cs

@@ -8,7 +8,9 @@ public interface IGitHub
 	{
 		Task<IReadOnlyList<string>> GetAccess();
 		Task<Account> GetOrganization(string name);
+		Task<Account> GetCurrentUser();
 		Task<Account> GetUser(string name);
+		Task<MembershipRole?> GetRole(string user, string org);
 
 		Task<IReadOnlyList<Repository>> GetRepositoriesForOrganization(Account account);
 		Task<IReadOnlyList<Repository>> GetRepositoriesForUser(Account account);

src/ISynchronizer.cs

@@ -8,9 +8,12 @@ namespace GitHubLabelSync
 	public interface ISynchronizer
 	{
 		Task<ValidationResult> ValidateAccess();
+		Task<ValidationResult> ValidateUser(Account account);
+
 		Task<Account> GetAccount(string name);
 		Task<IEnumerable<Repository>> GetRepositories(Account account);
 		Task<IReadOnlyList<Label>> GetAccountLabels(Account account);
+
 		Task SyncRepo(Repository repo, Settings settings, IReadOnlyList<Label> accountLabels);
 	}
 }

src/Synchronizer.cs

@@ -26,23 +26,29 @@ public async Task<ValidationResult> ValidateAccess()
 		{
 			var access = await _gitHub.GetAccess();
 
-			if (!access.Any(a => a == "repo"))
-			{
-				return ValidationResult.Error("API key does not have `repo` access");
-			}
+			return access.All(a => a != "repo") ? ValidationResult.Error("API key does not have `repo` access")
+				: access.All(a => a != "delete_repo") ? ValidationResult.Error("API key does not have `delete_repo` access")
+				: ValidationResult.Success();
+		}
 
-			if (!access.Any(a => a == "delete_repo"))
-			{
-				return ValidationResult.Error("API key does not have `delete_repo` access");
-			}
+		public async Task<ValidationResult> ValidateUser(Account account)
+		{
+			var current = await _gitHub.GetCurrentUser();
 
-			return ValidationResult.Success();
+			if (account.Type == AccountType.User)
+				return current.Login == account.Login
+					? ValidationResult.Success()
+					: ValidationResult.Error($"API key for {current.Login} does not match target user {account.Login}");
+
+			var role = await _gitHub.GetRole(current.Login, account.Login);
+			return role == MembershipRole.Admin
+				? ValidationResult.Success()
+				: ValidationResult.Error($"{current.Login} is not an administrator of {account.Login}");
 		}
 
 		public async Task<Account> GetAccount(string name)
 		{
 			_setStatus($"Finding information for {name}...");
-
 			try
 			{
 				return await _gitHub.GetOrganization(name);

test/AppTests.cs

@@ -18,6 +18,7 @@ public async Task SyncsAllReposFound()
 			//arrange
 			var sync = Substitute.For<ISynchronizer>();
 			sync.ValidateAccess().Returns(ValidationResult.Success());
+			sync.ValidateUser(Arg.Any<Account>()).Returns(ValidationResult.Success());
 			sync.GetRepositories(Arg.Any<Account>()).Returns(new[] { new Repository(), new Repository(), new Repository() });
 			var app = new App(sync, NoOp, NoOp);
 
@@ -32,11 +33,30 @@ public async Task SyncsAllReposFound()
 		}
 
 		[Fact]
-		public async Task ThrowsOnValidationFailure()
+		public async Task ThrowsOnAccessValidationFailure()
 		{
 			//arrange
 			var sync = Substitute.For<ISynchronizer>();
 			sync.ValidateAccess().Returns(ValidationResult.Error(":("));
+			sync.ValidateUser(Arg.Any<Account>()).Returns(ValidationResult.Success());
+			var app = new App(sync, NoOp, NoOp);
+
+			var settings = new Settings { Name = "ecoAPM" };
+
+			//act
+			var task = app.Run(settings);
+
+			//assert
+			await Assert.ThrowsAnyAsync<Exception>(async () => await task);
+		}
+
+		[Fact]
+		public async Task ThrowsOnUserValidationFailure()
+		{
+			//arrange
+			var sync = Substitute.For<ISynchronizer>();
+			sync.ValidateAccess().Returns(ValidationResult.Success());
+			sync.ValidateUser(Arg.Any<Account>()).Returns(ValidationResult.Error(":("));
 			var app = new App(sync, NoOp, NoOp);
 
 			var settings = new Settings { Name = "ecoAPM" };

test/GitHubTests.cs

@@ -1,8 +1,9 @@
 using System;
 using System.Collections.Generic;
-using System.Collections.ObjectModel;
+using System.Net;
 using System.Threading.Tasks;
 using NSubstitute;
+using NSubstitute.ExceptionExtensions;
 using Octokit;
 using Xunit;
 
@@ -20,7 +21,7 @@ public async Task CanGetAccess()
 			{
 				{"X-OAuth-Scopes", "repo, delete_repo"}
 			};
-			
+
 			var http = Substitute.For<IResponse>();
 			http.Headers.Returns(headers);
 
@@ -31,7 +32,7 @@ public async Task CanGetAccess()
 			client.Connection.Get<string>(Arg.Any<Uri>(), null, null).Returns(response);
 			client.Connection.BaseAddress.Returns(new Uri("http://localhost/"));
 			var gitHub = new GitHub(client, _noop, _noop);
-		
+
 			//act
 			var access = await gitHub.GetAccess();
 
@@ -42,7 +43,7 @@ public async Task CanGetAccess()
 		}
 
 		[Fact]
-		public async Task CanGetOrganizationFromClient()
+		public async Task CanGetOrganization()
 		{
 			//arrange
 			var client = Substitute.For<IGitHubClient>();
@@ -57,7 +58,7 @@ public async Task CanGetOrganizationFromClient()
 		}
 
 		[Fact]
-		public async Task CanGetUserFromClient()
+		public async Task CanGetUser()
 		{
 			//arrange
 			var client = Substitute.For<IGitHubClient>();
@@ -71,6 +72,53 @@ public async Task CanGetUserFromClient()
 			Assert.Equal("SteveDesmond-ca", account.Login);
 		}
 
+		[Fact]
+		public async Task CanGetCurrentUser()
+		{
+			//arrange
+			var client = Substitute.For<IGitHubClient>();
+			client.User.Current().Returns(new Stubs.User("SteveDesmond-ca"));
+			var gitHub = new GitHub(client, _noop, _noop);
+
+			//act
+			var account = await gitHub.GetCurrentUser();
+
+			//assert
+			Assert.Equal("SteveDesmond-ca", account.Login);
+		}
+
+		[Fact]
+		public async Task CanGetRoleForUser()
+		{
+			//arrange
+			var client = Substitute.For<IGitHubClient>();
+			var membership = new OrganizationMembership(null, new StringEnum<MembershipState>(MembershipState.Active), new StringEnum<MembershipRole>(MembershipRole.Admin), null, null, null);
+			client.Organization.Member.GetOrganizationMembership("ecoAPM", "SteveDesmond-ca").Returns(membership);
+			var gitHub = new GitHub(client, _noop, _noop);
+
+			//act
+			var role = await gitHub.GetRole("SteveDesmond-ca", "ecoAPM");
+
+			//assert
+			Assert.Equal(MembershipRole.Admin, role);
+		}
+
+		[Fact]
+		public async Task NonExistentOrgMemberReturnsNull()
+		{
+			//arrange
+			var client = Substitute.For<IGitHubClient>();
+			var membership = new OrganizationMembership(null, new StringEnum<MembershipState>(MembershipState.Active), new StringEnum<MembershipRole>(MembershipRole.Admin), null, null, null);
+			client.Organization.Member.GetOrganizationMembership("ecoAPM", "SteveDesmond-ca").Throws(new NotFoundException(":(", HttpStatusCode.NotFound));
+			var gitHub = new GitHub(client, _noop, _noop);
+
+			//act
+			var role = await gitHub.GetRole("SteveDesmond-ca", "ecoAPM");
+
+			//assert
+			Assert.Null(role);
+		}
+
 		[Fact]
 		public async Task CanGetRepositoriesForOrganization()
 		{