fix: ensure correct enterprise API URLs for GraphQL + http client

ossf · Aug 15, 2024 · 39ab773 · 39ab773
1 parent 03bfde7
commit 39ab773
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 8 deletions.
diff --git a/pkg/ghclients/ghclients.go b/pkg/ghclients/ghclients.go
@@ -19,6 +19,7 @@ package ghclients
 import (
 	"context"
 	"net/http"
+	"strings"
 
 	"github.com/bradleyfalzon/ghinstallation/v2"
 	"github.com/google/go-github/v59/github"
@@ -92,25 +93,45 @@ func (g *GHClients) Get(i int64) (*github.Client, error) {
 	}
 
 	var tr http.RoundTripper
-	var err error
 	if i == 0 {
-		tr, err = ghinstallationNewAppsTransport(ctr, operator.AppID, g.key)
+		appTransport, _ := ghinstallationNewAppsTransport(ctr, operator.AppID, g.key)
+		// other than clien.WithEnterpriseUrls, setting the BaseUrl plainly, we need to ensure the /api/v3 ending
+		appTransport.BaseURL = fullEnterpriseApiUrl(operator.GitHubEnterpriseUrl)
+		tr = appTransport
 	} else {
-		tr, err = ghinstallationNew(ctr, operator.AppID, i, g.key)
+		ghiTransport, _ := ghinstallationNew(ctr, operator.AppID, i, g.key)
+		if operator.GitHubEnterpriseUrl != "" {
+			ghiTransport.BaseURL = fullEnterpriseApiUrl(operator.GitHubEnterpriseUrl)
+		}
+		tr = ghiTransport
+
 	}
 
 	c := github.NewClient(&http.Client{Transport: tr})
 	if operator.GitHubEnterpriseUrl != "" {
-		c, err = c.WithEnterpriseURLs(operator.GitHubEnterpriseUrl, operator.GitHubEnterpriseUrl)
-	}
-	if err != nil {
-		return nil, err
+		newC, err := c.WithEnterpriseURLs(operator.GitHubEnterpriseUrl, operator.GitHubEnterpriseUrl)
+		if err != nil {
+			return nil, err
+		}
+		c = newC
 	}
 
 	g.clients[i] = c
 	return g.clients[i], nil
 }
 
+// fullEnterpriseApiUrl ensures the base url is in the correct format for GitHub Enterprise usage
+func fullEnterpriseApiUrl(baseUrl string) string {
+	if !strings.HasSuffix(baseUrl, "/") {
+		baseUrl += "/"
+	}
+	if !strings.HasSuffix(baseUrl, "api/v3/") {
+		baseUrl += "api/v3/"
+	}
+
+	return baseUrl
+}
+
 func getKeyFromSecretReal(ctx context.Context, keySecretVal string) ([]byte, error) {
 	v, err := runtimevar.OpenVariable(ctx, keySecretVal)
 	if err != nil {

diff --git a/pkg/policies/security/security.go b/pkg/policies/security/security.go
@@ -103,7 +103,7 @@ func (s Security) Check(ctx context.Context, c *github.Client, owner,
 	if operator.GitHubEnterpriseUrl == "" {
 		v4c = githubv4.NewClient(c.Client())
 	} else {
-		v4c = githubv4.NewEnterpriseClient(operator.GitHubEnterpriseUrl, c.Client())
+		v4c = githubv4.NewEnterpriseClient(operator.GitHubEnterpriseUrl+"/api/graphql", c.Client())
 	}
 	return check(ctx, c, v4c, owner, repo)
 }