Provide fine-grained push access to GitHub from a JupyterHub

Overview

github-app-user-auth

Provide fine-grained push access to GitHub from a JupyterHub.

Goals

  1. Allow users on a JupyterHub to grant push access to only specific repositories rather than all the repositories they have access to.
  2. Do not store long-term credentials (like personal access tokens or ssh-keys) on disk, as they may get archived / fall into the wrong hands in the future.
  3. Allow GitHub organization admins visibility and control over what repos users can push to from remote systems (like JupyterHub or a shared cluster), where other admins of the remote system might be able to access the files of users with push access to repos. This has serious implications for supply chain security, as credentials might be stolen or lost and serious vulnerabilities be pushed to the repo.

These goals are accomplished by:

  1. Creating a GitHub app specific to the remote service (JupyterHub, HPC cluster, etc). Users and GitHub organization admins can then provide fine grained, repo level access to this GitHub app - Users can only push to repos that have the app installed.
  2. A commandline tool (github-app-user-auth) that lets specific users authorize push access to the selected repositories temporarily - a token that expires after 8 hours.

In the future, an optional web app might also be provided to aid in authentication.

Installation

You can install github-app-user-auth from PyPI.

pip install github-app-user-auth

GitHub App configuration

  1. Create a GitHub app for use by the service (JupyterHub, HPC cluster, etc). You can either create it under your personal account, or preferably under a GitHub organization account (Go to Settings -> Developer Settings -> GitHub Apps -> New GitHub app from the organization's GitHub page).

  2. Give it a descriptive name and description, as your users will see this when they authenticate. Provide a link to a descriptive page explaining your service (if you are using a JupyterHub, this could be just your JupyterHub URL).

  3. Disable webhooks (uncheck the 'Active' checkbox under 'Webhooks'). All other textboxes can be left empty.

  4. Under 'Repository permissions', select 'Read & write' for 'Contents'. This will provide users authenticating via the app just enough permissions to push and pull from repositories.

  5. Under 'Where can this GitHub App be installed?', select 'Any account'. This will enable users to push to their own user repositories or other organization repositaries, rather than just the repos of the user or organization owning this GitHub app.

  6. Save the Client ID provided in the information page of the app. You'll need this in the client. Save the Public link as well, as users will need to use this to grant access to particular repositories.

Client configuration

  1. github-app-user-auth uses git-credentials-store to provide appropriate authentication, by writing to a /tmp/github-app-git-credentials file. This makes sure we don't override the default ~/.git-credentials file someone might be using. git will have to be configured to use the new file.

    You can put the following snippet in /etc/gitconfig (for containers) or in ~/.gitconfig:

    [credential]
        helper = store --file=/tmp/github-app-git-credentials

    Or you can run the following command (this puts it in ~/.gitconfig)

    git config --global credential.helper "store --file=/tmp/github-app-git-credentials"
    
  2. github-app-user-auth will need to know the "Client ID" of the created GitHub app to perform authentication. This can be either set with the environment variable GITHUB_APP_CLIENT_ID, or be passed in as a commandline parameter --client-id to the github-app-user-auth script when users use it to authenticate.

Usage

Grant access to the GitHub app

Users will first need to go to the public page of the GitHub app, and 'Install' the app on their account and in organizations with repos they want to push to. We highly recommend allowing access only to selected repositories, and explicitly select the repositories this hosted service (JupyterHub, HPC cluster, etc) should be able to push to. You can modify this list afterwards, to make sure you only grant the required permissions.

Given the common usage pattern where you are only pushing to a limited set of repositories from a particular hosted service, this should hopefully not be too cumborsome.

Authenticate to GitHub

The hosted service must have github-app-user-auth installed.

  1. Open a terminal, and type github-app-user-auth.
  2. It should give you a link to go to, and a code to input into the web page when that link is opened. Open the link, enter the code there.
  3. Grant access to the device in the web page, and you're done!

Authentication is valid for 8 hours, and once it expires, this process will need to be repeated. In the future, we might have a web app or other process to make this less painful. However, keeping the length of this session limited drastically helps with security too.

Alternatives

  1. Create an ssh key specifically for the hosted service (JupyterHub, HPC cluster, etc) and add it to your GitHub account. If the key doesn't have a passphrase, this is very insecure - anyone who can exfiltrate your key once can keep it and use it whenever they wish. Even with a passphrase, the key can still be exfiltrated and passphrase stolen when used. There's also no way to restrict which repositories this can push to, which is a big issue.

  2. Create a Personal Access Token and use that. This is a little more insecure than the ssh key, as it can be used to make requests on your behalf too after being stolen! There is also no way to restrict which repositories you can push to.

  3. Create a GitHub deploy key for each repository you want to push to, for each hosted service you want to push from. While this lets you control which repos this ssh key can access, it is still stored long term at risk and can be exfiltrated.

Owner
Yuvi Panda
Yuvi Panda
Python Library for Secp256k1 Bitcoin curve to do fast ECC calculation

secp256k1 Python Library for Secp256k1 Bitcoin curve to do fast ECC calculation Example Usage import secp256k1 as ice print('[C]',privatekey_to_addres

iceland 49 Jan 01, 2023
Graviti TensorBay Python SDK

TensorBay Python SDK is a python library to access TensorBay and manage your datasets. It provides: A pythonic way to access your

Graviti 72 Aug 22, 2022
AminoSpamKilla - Spam bot for amino that uses multiprocessing module

AminoSpamKilla Spam bot for amino that uses multiprocessing module Pydroid Open

4 Jun 27, 2022
A Discord bot to easily and quickly format your JSON data

Invite PrettyJSON to your Discord server Table of contents About the project What is JSON? What is pretty printing? How to use Input options Command I

Sem 4 Jan 24, 2022
ELiza music is a telegram music bot project, allow you to play music on voice chat group telegram.

❤️ 𝗘𝗹𝗶𝘇𝗮 𝗠𝘂𝘀𝗶𝗰 ❤️ Unmaintained. The new repo of @MrsElizaRobot is private. (It is no longer based on this source code. The completely rewrit

Team Eliza 2 Dec 08, 2022
Bot Realm of the Mad God Exalt (ROTMG). (Auto_nexus, Auto_HP, Auto_Loot)

Bot_ROTMG Bot Realm of the Mad God Exalt (ROTMG). (Auto_nexus, Auto_HP, Auto_Loot) *Este projeto visa apenas o aprendizado, quem faz mal uso é o único

Guilherme Silva Uchoa 1 Oct 30, 2021
An Undertale RPG Discord bot to fight monsters, bosses, level up and duel with other players

UNDERTALE-RPG An Undertale RPG Discord bot to fight monsters, bosses, level up and duel with other players!. Explanation you can collect gold which is

2 Oct 21, 2021
A Python Tumblr API v2 Client

PyTumblr Installation Install via pip: $ pip install pytumblr Install from source: $ git clone https://github.com/tumblr/pytumblr.git $ cd pytumblr $

Tumblr 677 Dec 21, 2022
PYAW allows you to call assembly from python

PYAW allows you to call assembly from python

2 Dec 13, 2021
GTPS Status Bot

Python GTPS Status Bot (BETA) Python GTPS Status Bot Require Python How To Use Download This Source Extract The Zip File Install the requirements (Mod

Lamp 4 Oct 11, 2021
Kodi script for proper Australian weather data

Kodi Oz Weather weather.ozweather Script for Kodi for high quality Australian weather data sourced directly from the BOM. Available from the Kodi offi

Jeremy Daalder 5 Nov 24, 2022
❤️ DaisyX 2.0 ❤️ A Powerful, Smart And Simple Group Manager ... Written with AioGram , Pyrogram and Telethon...

❤️ DaisyX 2.0 ❤️ A Powerful, Smart And Simple Group Manager ... Written with AioGram , Pyrogram and Telethon... ⭐️ Thanks to everyone who starred Dais

TeamOfDaisyX 44 Oct 06, 2022
This Is Advanced Version Of Old Radio Player, An Telegram Bot to Play Radio/Music in Channel or Group Voice Chats.

Telegram Radio Player V2 An Telegram Bot to Play Radio/Music in Channel or Group Voice Chats. This is also the source code of the bot which is being u

SAF ONE 81 Dec 03, 2022
A fun hangman style game to guess random movie names with a short summary about the movie.

hang-movie-man Hangman but for movies 😉 This is a fun hangman style game to guess random movie names from the local database and show some summary ab

Ankit Josh 10 Sep 07, 2022
Herramienta para transferir eventos de Sucuri WAF hacia Azure Blob Storage.

Transfiere eventos de Sucuri hacia Azure Blob Storage Script para transferir eventos del Sucuri Web Application Firewall (WAF) hacia Azure Blob Storag

CSIRT-RD 1 Dec 22, 2021
A simple telegram bot that takes a list of files sent by the user and returns them 7zipped

A simple telegram bot that takes a list of files sent by the user and returns them 7zipped

1 Oct 28, 2022
Syrax Check User Bot Discord.py

Syrax-Check-User-Bot-Discord.py Guida Italiana il bot nasce con lo scopo di poter caricare il proprio nome utente,tag e foto profilo al forum tramite

Pippoide 0 Feb 04, 2022
This is a TG Video Compress BoT. Product by BINARY Tech

🌀 Video Compressor Bot Product by BINARY Tech Deploy to Heroku The Hard Way virtualenv -p python3 VENV . ./VENV/bin/activate pip install -r requireme

1 Jan 04, 2022
Pancakeswap Sniper Bot GUI Uniswap Matic 2022 (WINDOWS LINUX MAC) AUTO BUY TOKEN ON LAUNCH AFTER ADD LIQUIDITY

Pancakeswap Sniper Bot GUI Uniswap Matic 2022 (WINDOWS LINUX MAC) ⭐️ AUTO BUY TOKEN ON LAUNCH AFTER ADD LIQUIDITY ⭐️ ⭐️ First GUI SNIPER BOT for WINDO

Crypto Trader 1 Jan 05, 2022
Unofficial calendar integration with Gradescope

Gradescope-Calendar This script scrapes your Gradescope account for courses and assignment details. Assignment details currently can be transferred to

6 May 06, 2022