Restrict access using Github collaborators (#497)

* Allow access based on Github repository

providers/github.go

@@ -19,8 +19,10 @@ import (
 // GitHubProvider represents an GitHub based Identity Provider
 type GitHubProvider struct {
 	*ProviderData
-	Org  string
-	Team string
+	Org   string
+	Team  string
+	Repo  string
+	Token string
 }
 
 var _ Provider = (*GitHubProvider)(nil)
@@ -72,6 +74,12 @@ func (p *GitHubProvider) SetOrgTeam(org, team string) {
 	}
 }
 
+// SetRepo configures the target repository and optional token to use
+func (p *GitHubProvider) SetRepo(repo, token string) {
+	p.Repo = repo
+	p.Token = token
+}
+
 func (p *GitHubProvider) hasOrg(ctx context.Context, accessToken string) (bool, error) {
 	// https://developer.github.com/v3/orgs/#list-your-organizations
 
@@ -263,6 +271,82 @@ func (p *GitHubProvider) hasOrgAndTeam(ctx context.Context, accessToken string)
 	return false, nil
 }
 
+func (p *GitHubProvider) hasRepo(ctx context.Context, accessToken string) (bool, error) {
+	// https://developer.github.com/v3/repos/#get-a-repository
+
+	type permissions struct {
+		Pull bool `json:"pull"`
+		Push bool `json:"push"`
+	}
+
+	type repository struct {
+		Permissions permissions `json:"permissions"`
+		Private     bool        `json:"private"`
+	}
+
+	endpoint := &url.URL{
+		Scheme: p.ValidateURL.Scheme,
+		Host:   p.ValidateURL.Host,
+		Path:   path.Join(p.ValidateURL.Path, "/repo/", p.Repo),
+	}
+
+	req, _ := http.NewRequestWithContext(ctx, "GET", endpoint.String(), nil)
+	req.Header = getGitHubHeader(accessToken)
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return false, err
+	}
+
+	body, err := ioutil.ReadAll(resp.Body)
+	resp.Body.Close()
+	if err != nil {
+		return false, err
+	}
+	if resp.StatusCode != 200 {
+		return false, fmt.Errorf(
+			"got %d from %q %s", resp.StatusCode, endpoint.String(), body)
+	}
+
+	var repo repository
+	if err := json.Unmarshal(body, &repo); err != nil {
+		return false, err
+	}
+
+	// Every user can implicitly pull from a public repo, so only grant access
+	// if they have push access or the repo is private and they can pull
+	return repo.Permissions.Push || (repo.Private && repo.Permissions.Pull), nil
+}
+
+func (p *GitHubProvider) isCollaborator(ctx context.Context, username, accessToken string) (bool, error) {
+	//https://developer.github.com/v3/repos/collaborators/#check-if-a-user-is-a-collaborator
+
+	endpoint := &url.URL{
+		Scheme: p.ValidateURL.Scheme,
+		Host:   p.ValidateURL.Host,
+		Path:   path.Join(p.ValidateURL.Path, "/repos/", p.Repo, "/collaborators/", username),
+	}
+	req, _ := http.NewRequestWithContext(ctx, "GET", endpoint.String(), nil)
+	req.Header = getGitHubHeader(accessToken)
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return false, err
+	}
+	body, err := ioutil.ReadAll(resp.Body)
+	resp.Body.Close()
+	if err != nil {
+		return false, err
+	}
+
+	if resp.StatusCode != 204 {
+		return false, fmt.Errorf("got %d from %q %s",
+			resp.StatusCode, endpoint.String(), body)
+	}
+
+	logger.Printf("got %d from %q %s", resp.StatusCode, endpoint.String(), body)
+
+	return true, nil
+}
+
 // GetEmailAddress returns the Account email address
 func (p *GitHubProvider) GetEmailAddress(ctx context.Context, s *sessions.SessionState) (string, error) {
 
@@ -283,6 +367,10 @@ func (p *GitHubProvider) GetEmailAddress(ctx context.Context, s *sessions.Sessio
 				return "", err
 			}
 		}
+	} else if p.Repo != "" && p.Token == "" { // If we have a token we'll do the collaborator check in GetUserName
+		if ok, err := p.hasRepo(ctx, s.AccessToken); err != nil || !ok {
+			return "", err
+		}
 	}
 
 	endpoint := &url.URL{
@@ -367,6 +455,13 @@ func (p *GitHubProvider) GetUserName(ctx context.Context, s *sessions.SessionSta
 		return "", fmt.Errorf("%s unmarshaling %s", err, body)
 	}
 
+	// Now that we have the username we can check collaborator status
+	if p.Org == "" && p.Repo != "" && p.Token != "" {
+		if ok, err := p.isCollaborator(ctx, user.Login, p.Token); err != nil || !ok {
+			return "", err
+		}
+	}
+
 	return user.Login, nil
 }