Add support for GitHub Enterprise (#75)

* Add support for GitHub Enterprise

* Ran black and added a test

http://gistpreview.github.io/?1e3016b4e52380fd9e6e7ad84386db09

---------

Co-authored-by: Simon Willison <swillison@gmail.com>

Author: suhlig

README.md

@@ -36,6 +36,8 @@ Datasette plugin that authenticates users against GitHub.
 }
 ```
 
+For a GitHub Enterprise server, add `"host": "github.example.com"` to `datasette-auth-github`.
+
 Now you can start Datasette like this, passing in the secrets as environment variables:
 
     $ GITHUB_CLIENT_ID=XXX GITHUB_CLIENT_SECRET=YYY datasette \

datasette_auth_github/utils.py

@@ -9,8 +9,8 @@ async def load_orgs_and_teams(config, profile, access_token):
         load_orgs = config["load_orgs"]
         gh_orgs = []
         for org in force_list(load_orgs):
-            url = "https://api.github.com/orgs/{}/memberships/{}".format(
-                org, profile["login"]
+            url = "https://api.{}/orgs/{}/memberships/{}".format(
+                config["host"], org, profile["login"]
             )
             async with httpx.AsyncClient() as client:
                 response = await client.get(
@@ -26,8 +26,8 @@ async def load_orgs_and_teams(config, profile, access_token):
         for team in force_list(load_teams):
             org_slug, _, team_slug = team.partition("/")
             # Figure out the team_id
-            lookup_url = "https://api.github.com/orgs/{}/teams/{}".format(
-                org_slug, team_slug
+            lookup_url = "https://api.{}/orgs/{}/teams/{}".format(
+                config["host"], org_slug, team_slug
             )
             async with httpx.AsyncClient() as client:
                 response = await client.get(
@@ -39,10 +39,8 @@ async def load_orgs_and_teams(config, profile, access_token):
             else:
                 continue
             # Now check if user is an active member of the team:
-            team_membership_url = (
-                "https://api.github.com/teams/{}/memberships/{}".format(
-                    team_id, profile["login"]
-                )
+            team_membership_url = "https://api.{}/teams/{}/memberships/{}".format(
+                config["host"], team_id, profile["login"]
             )
             async with httpx.AsyncClient() as client:
                 response = await client.get(

datasette_auth_github/views.py

@@ -11,6 +11,7 @@ def verify_config(config):
     config = config or {}
     for key in DEPRECATED_KEYS:
         assert key not in config, "{} is no longer a supported option".format(key)
+    config.setdefault("host", "github.com")
 
 
 async def github_auth_start(datasette):
@@ -20,10 +21,8 @@ async def github_auth_start(datasette):
         scope = "read:org"
     else:
         scope = "user:email"
-    github_login_url = (
-        "https://github.com/login/oauth/authorize?scope={}&client_id={}".format(
-            scope, config["client_id"]
-        )
+    github_login_url = "https://{}/login/oauth/authorize?scope={}&client_id={}".format(
+        config["host"], scope, config["client_id"]
     )
     return Response.redirect(github_login_url)
 
@@ -46,7 +45,7 @@ async def github_auth_callback(datasette, request, scope, receive, send):
     # Exchange that code for a token
     async with httpx.AsyncClient() as client:
         github_response = await client.post(
-            "https://github.com/login/oauth/access_token",
+            "https://{}/login/oauth/access_token".format(config["host"]),
             data={
                 "client_id": config["client_id"],
                 "client_secret": config["client_secret"],
@@ -64,7 +63,7 @@ async def github_auth_callback(datasette, request, scope, receive, send):
         return await response_error(datasette, "No valid access token")
 
     # Use access_token to verify user
-    profile_url = "https://api.github.com/user"
+    profile_url = "https://api.{}/user".format(config["host"])
     try:
         async with httpx.AsyncClient() as client:
             profile = (
@@ -86,7 +85,7 @@ async def github_auth_callback(datasette, request, scope, receive, send):
     extras = await load_orgs_and_teams(config, profile, access_token)
     actor.update(extras)
 
-   # Set a signed cookie and redirect to homepage (respecting 'base_url' setting)
+    # Set a signed cookie and redirect to homepage (respecting 'base_url' setting)
     response = Response.redirect(datasette.urls.path("/"))
     response.set_cookie("ds_actor", datasette.sign({"a": actor}, "actor"))
     return response

tests/test_datasette_auth_github.py

@@ -198,3 +198,76 @@ async def test_database_access_permissions(
         cookies = {"ds_actor": auth_response.cookies["ds_actor"]}
     databases = await ds.client.get("/.json", cookies=cookies)
     assert set(databases.json()["databases"].keys()) == expected_databases
+
+
+@pytest.mark.asyncio
+async def test_github_enterprise_host(tmpdir, httpx_mock):
+    """Test that GitHub Enterprise host configuration works correctly"""
+    # Mock GitHub Enterprise endpoints
+    enterprise_host = "github.example.com"
+
+    httpx_mock.add_response(
+        url=f"https://{enterprise_host}/login/oauth/access_token",
+        method="POST",
+        content=b"access_token=enterprise_access_token",
+    )
+
+    httpx_mock.add_response(
+        url=f"https://api.{enterprise_host}/user",
+        json={
+            "id": 456,
+            "name": "Enterprise User",
+            "login": "enterpriseuser",
+            "email": "enterprise@example.com",
+        },
+    )
+
+    httpx_mock.add_response(
+        url=re.compile(
+            rf"^https://api\.{re.escape(enterprise_host)}/orgs/enterprise-org/memberships/.*"
+        ),
+        json={"state": "active", "role": "member"},
+    )
+
+    # Create Datasette instance with GitHub Enterprise configuration
+    filepath = str(tmpdir / "test.db")
+    ds = Datasette(
+        [filepath],
+        metadata={
+            "plugins": {
+                "datasette-auth-github": {
+                    "client_id": "enterprise_client_id",
+                    "client_secret": "enterprise_client_secret",
+                    "host": enterprise_host,
+                    "load_orgs": ["enterprise-org"],
+                }
+            }
+        },
+    )
+
+    def create_tables(conn):
+        sqlite_utils.Database(conn)["example"].insert({"name": "example"})
+
+    await ds.get_database().execute_write_fn(create_tables, block=True)
+
+    # Test that the auth start URL uses the enterprise host
+    response = await ds.client.get("/-/github-auth-start", follow_redirects=False)
+    expected_url = f"https://{enterprise_host}/login/oauth/authorize?scope=read:org&client_id=enterprise_client_id"
+    assert expected_url == response.headers["location"]
+
+    # Test that the auth callback uses the enterprise host for API calls
+    response = await ds.client.get(
+        "/-/github-auth-callback?code=enterprise-code",
+        follow_redirects=False,
+    )
+
+    actor = ds.unsign(response.cookies["ds_actor"], "actor")["a"]
+    assert {
+        "id": "github:456",
+        "display": "enterpriseuser",
+        "gh_id": "456",
+        "gh_name": "Enterprise User",
+        "gh_login": "enterpriseuser",
+        "gh_email": "enterprise@example.com",
+        "gh_orgs": ["enterprise-org"],
+    }.items() <= actor.items()