feat(db, webserver): Implement GitHubRepositoryProvider connect flow

ee/tabby-db/migrations/0022_github-provider.down.sql

@@ -0,0 +1 @@
+DROP TABLE github_repository_provider;

ee/tabby-db/migrations/0022_github-provider.up.sql

@@ -0,0 +1,8 @@
+CREATE TABLE github_repository_provider(
+    id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+    display_name TEXT NOT NULL,
+    application_id TEXT NOT NULL,
+    secret TEXT NOT NULL,
+    access_token TEXT,
+    CONSTRAINT `idx_application_id` UNIQUE (`application_id`)
+);

ee/tabby-db/src/github_repository_provider.rs

@@ -0,0 +1,73 @@
+use anyhow::{anyhow, Result};
+use sqlx::{prelude::FromRow, query, query_as};
+
+use crate::{DbConn, SQLXResultExt};
+
+pub struct GithubRepositoryProviderDAO {
+    pub display_name: String,
+    pub application_id: String,
+    pub secret: String,
+}
+
+#[derive(FromRow)]
+pub struct GithubProvidedRepositoryDAO {
+    pub github_repository_provider_id: i64,
+    pub vendor_id: String,
+    pub name: String,
+    pub git_url: String,
+}
+
+impl DbConn {
+    pub async fn create_github_provider(
+        &self,
+        name: String,
+        application_id: String,
+        secret: String,
+    ) -> Result<i64> {
+        let res = query!("INSERT INTO github_repository_provider (display_name, application_id, secret) VALUES ($1, $2, $3);",
+            name,
+            application_id,
+            secret
+        ).execute(&self.pool).await.unique_error("GitHub Application ID already exists")?;
+        Ok(res.last_insert_rowid())
+    }
+
+    pub async fn get_github_provider(&self, id: i64) -> Result<GithubRepositoryProviderDAO> {
+        let provider = query_as!(
+            GithubRepositoryProviderDAO,
+            "SELECT display_name, application_id, secret FROM github_repository_provider WHERE id = ?;",
+            id
+        )
+        .fetch_one(&self.pool)
+        .await?;
+        Ok(provider)
+    }
+
+    pub async fn delete_github_provider(&self, id: i64) -> Result<()> {
+        let res = query!("DELETE FROM github_repository_provider WHERE id = ?;", id)
+            .execute(&self.pool)
+            .await?;
+        if res.rows_affected() != 1 {
+            return Err(anyhow!("No github provider details to delete"));
+        }
+        Ok(())
+    }
+
+    pub async fn update_github_provider_token(&self, id: i64, access_token: String) -> Result<()> {
+        let res = query!(
+            "UPDATE github_repository_provider SET access_token = ? WHERE id = ?",
+            access_token,
+            id
+        )
+        .execute(&self.pool)
+        .await?;
+
+        if res.rows_affected() != 1 {
+            return Err(anyhow!(
+                "The specified Github repository provider does not exist"
+            ));
+        }
+
+        Ok(())
+    }
+}

ee/tabby-db/src/lib.rs

@@ -17,6 +17,7 @@ pub use users::UserDAO;
 
 pub mod cache;
 mod email_setting;
+mod github_repository_provider;
 mod invitations;
 mod job_runs;
 mod oauth_credential;

ee/tabby-webserver/src/handler.rs

@@ -82,7 +82,12 @@
             )
             .nest(
                 "/repositories",
-                repositories::routes(rs.clone(), ctx.auth()),
+                repositories::routes(
+                    rs.clone(),
+                    ctx.auth(),
+                    ctx.setting(),
+                    ctx.github_repository_provider(),
+                ),
             )
             .route(
                 "/avatar/:id",

ee/tabby-webserver/src/oauth/github.rs

@@ -9,20 +9,20 @@ use crate::schema::auth::{AuthenticationService, OAuthCredential, OAuthProvider}
 
 #[derive(Debug, Deserialize)]
 #[allow(dead_code)]
-struct GithubOAuthResponse {
+pub struct GithubOAuthResponse {
     #[serde(default)]
-    access_token: String,
+    pub access_token: String,
     #[serde(default)]
-    scope: String,
+    pub scope: String,
     #[serde(default)]
-    token_type: String,
+    pub token_type: String,
 
     #[serde(default)]
-    error: String,
+    pub error: String,
     #[serde(default)]
-    error_description: String,
+    pub error_description: String,
     #[serde(default)]
-    error_uri: String,
+    pub error_uri: String,
 }
 
 #[derive(Debug, Deserialize)]

ee/tabby-webserver/src/repositories/mod.rs

@@ -1,3 +1,4 @@
+mod oauth;
 mod resolve;
 
 use std::sync::Arc;
@@ -16,12 +17,26 @@
 use crate::{
     handler::require_login_middleware,
     repositories::resolve::{RepositoryMeta, ResolveParams},
-    schema::auth::AuthenticationService,
+    schema::{
+        auth::AuthenticationService, github_repository_provider::GithubRepositoryProviderService,
+        setting::SettingService,
+    },
 };
 
+use self::oauth::OAuthState;
+
 pub type ResolveState = Arc<RepositoryCache>;
 
-pub fn routes(rs: Arc<ResolveState>, auth: Arc<dyn AuthenticationService>) -> Router {
+pub fn routes(
+    rs: Arc<ResolveState>,
+    auth: Arc<dyn AuthenticationService>,
+    settings: Arc<dyn SettingService>,
+    github_repository_provider: Arc<dyn GithubRepositoryProviderService>,
+) -> Router {
+    let oauth_state = OAuthState {
+        settings,
+        github_repository_provider,
+    };
     Router::new()
         .route("/resolve", routing::get(resolve))
         .route("/resolve/", routing::get(resolve))
@@ -32,6 +47,7 @@
         .route("/:name/meta/", routing::get(meta))
         .route("/:name/meta/*path", routing::get(meta))
         .with_state(rs.clone())
+        .nest("/oauth", oauth::routes(oauth_state))
         .fallback(not_found)
         .layer(from_fn_with_state(auth, require_login_middleware))
 }

ee/tabby-webserver/src/repositories/oauth.rs

@@ -0,0 +1,120 @@
+use anyhow::Result;
+use std::sync::Arc;
+
+use axum::{
+    extract::{Path, Query, State},
+    response::Redirect,
+    routing, Router,
+};
+use hyper::StatusCode;
+use juniper::ID;
+use serde::Deserialize;
+
+use crate::{
+    oauth::github::GithubOAuthResponse,
+    schema::{
+        github_repository_provider::GithubRepositoryProviderService, setting::SettingService,
+    },
+};
+
+#[derive(Clone)]
+pub struct OAuthState {
+    pub settings: Arc<dyn SettingService>,
+    pub github_repository_provider: Arc<dyn GithubRepositoryProviderService>,
+}
+
+pub fn routes(state: OAuthState) -> Router {
+    Router::new()
+        .route("/github/login/:id", routing::get(login))
+        .route("/github/callback", routing::get(callback))
+        .with_state(state)
+}
+
+fn github_redirect_url(client_id: &str, redirect_uri: &str, id: &ID) -> String {
+    format!("https://github.com/login/oauth/authorize?client_id={client_id}&response_type=code&scope=repo&redirect_uri={redirect_uri}/repositories/oauth/github/callback&state={id}")
+}
+
+#[derive(Deserialize)]
+struct CallbackParams {
+    state: ID,
+    code: String,
+}
+
+macro_rules! log_error {
+    ($val:expr) => {
+        $val.map_err(|e| {
+            tracing::error!("{e}");
+            StatusCode::INTERNAL_SERVER_ERROR
+        })
+    };
+}
+
+async fn exchange_access_token(
+    state: &OAuthState,
+    params: &CallbackParams,
+) -> Result<GithubOAuthResponse> {
+    let client = reqwest::Client::new();
+
+    let client_id = state
+        .github_repository_provider
+        .get_github_repository_provider(params.state.clone())
+        .await?
+        .application_id;
+
+    let secret = state
+        .github_repository_provider
+        .read_github_repository_provider_secret(params.state.clone())
+        .await?;
+
+    Ok(client
+        .post("https://github.com/login/oauth/access_token")
+        .header(reqwest::header::ACCEPT, "application/json")
+        .form(&[
+            ("client_id", &client_id),
+            ("client_secret", &secret),
+            ("code", &params.code),
+        ])
+        .send()
+        .await?
+        .json()
+        .await?)
+}
+
+async fn callback(
+    State(state): State<OAuthState>,
+    Query(params): Query<CallbackParams>,
+) -> Result<Redirect, StatusCode> {
+    let network_setting = log_error!(state.settings.read_network_setting().await)?;
+    let external_url = network_setting.external_url;
+
+    let response = log_error!(exchange_access_token(&state, &params).await)?;
+    dbg!(&response);
+    log_error!(
+        state
+            .github_repository_provider
+            .set_github_repository_provider_token(params.state, response.access_token)
+            .await
+    )?;
+
+    Ok(Redirect::permanent(&external_url))
+}
+
+async fn login(
+    State(state): State<OAuthState>,
+    Path(id): Path<ID>,
+) -> Result<Redirect, StatusCode> {
+    let network_setting = log_error!(state.settings.read_network_setting().await)?;
+    let external_url = network_setting.external_url;
+    let client_id = log_error!(
+        state
+            .github_repository_provider
+            .get_github_repository_provider(id.clone())
+            .await
+    )?
+    .application_id;
+    Ok(Redirect::temporary(&github_redirect_url(
+        &client_id,
+        &external_url,
+        &id,
+    )))
+}

ee/tabby-webserver/src/schema/github_repository_provider.rs

@@ -0,0 +1,20 @@
+use crate::schema::Result;
+use async_trait::async_trait;
+use juniper::{GraphQLObject, ID};
+
+#[derive(GraphQLObject)]
+pub struct GithubRepositoryProvider {
+    pub display_name: String,
+    pub application_id: String,
+}
+
+#[async_trait]
+pub trait GithubRepositoryProviderService: Send + Sync {
+    async fn get_github_repository_provider(&self, id: ID) -> Result<GithubRepositoryProvider>;
+    async fn read_github_repository_provider_secret(&self, id: ID) -> Result<String>;
+    async fn set_github_repository_provider_token(
+        &self,
+        id: ID,
+        access_token: String,
+    ) -> Result<()>;
+}

ee/tabby-webserver/src/schema/mod.rs

@@ -1,6 +1,7 @@
 pub mod analytic;
 pub mod auth;
 pub mod email;
+pub mod github_repository_provider;
 pub mod job;
 pub mod license;
 pub mod repository;
@@ -29,16 +30,19 @@ use tracing::error;
 use validator::{Validate, ValidationErrors};
 use worker::{Worker, WorkerService};
 
+use crate::schema::repository::FileEntrySearchResult;
+
 use self::{
     analytic::{AnalyticService, CompletionStats},
     auth::{
         JWTPayload, OAuthCredential, OAuthProvider, PasswordChangeInput, PasswordResetInput,
         RequestInvitationInput, RequestPasswordResetEmailInput, UpdateOAuthCredentialInput,
     },
     email::{EmailService, EmailSetting, EmailSettingInput},
+    github_repository_provider::GithubRepositoryProviderService,
     job::JobStats,
     license::{IsLicenseValid, LicenseInfo, LicenseService, LicenseType},
-    repository::{FileEntrySearchResult, Repository, RepositoryService},
+    repository::{Repository, RepositoryService},
     setting::{
         NetworkSetting, NetworkSettingInput, SecuritySetting, SecuritySettingInput, SettingService,
     },
@@ -55,6 +59,7 @@ pub trait ServiceLocator: Send + Sync {
     fn setting(&self) -> Arc<dyn SettingService>;
     fn license(&self) -> Arc<dyn LicenseService>;
     fn analytic(&self) -> Arc<dyn AnalyticService>;
+    fn github_repository_provider(&self) -> Arc<dyn GithubRepositoryProviderService>;
 }
 
 pub struct Context {