From 37d7d9831da83e667308e5572b0de30aeead5443 Mon Sep 17 00:00:00 2001
From: Igor Vinokur
Date: Thu, 14 Jul 2022 13:53:31 +0300
Subject: [PATCH] fix: Improve GitHub token validation check (#327) (#328)

Backport from main, see https://github.com/eclipse-che/che-server/pull/327
---
 .../GithubPersonalAccessTokenFetcher.java | 19 +++-----
 .../GithubPersonalAccessTokenFetcherTest.java | 45 ++++++++++++++++++-
 2 files changed, 51 insertions(+), 13 deletions(-)

diff --git a/wsmaster/che-core-api-factory-github/src/main/java/org/eclipse/che/api/factory/server/github/GithubPersonalAccessTokenFetcher.java b/wsmaster/che-core-api-factory-github/src/main/java/org/eclipse/che/api/factory/server/github/GithubPersonalAccessTokenFetcher.java
index 1606c68f90b..03460064dee 100644
--- a/wsmaster/che-core-api-factory-github/src/main/java/org/eclipse/che/api/factory/server/github/GithubPersonalAccessTokenFetcher.java
+++ b/wsmaster/che-core-api-factory-github/src/main/java/org/eclipse/che/api/factory/server/github/GithubPersonalAccessTokenFetcher.java
@@ -200,27 +200,22 @@ public Optional isValid(PersonalAccessToken personalAccessToken)
 return Optional.empty();
 }
- if (personalAccessToken.getScmTokenName() != null
- && personalAccessToken.getScmTokenName().startsWith(OAUTH_2_PREFIX)) {
- try {
+ try {
+ if (personalAccessToken.getScmTokenName() != null
+ && personalAccessToken.getScmTokenName().startsWith(OAUTH_2_PREFIX)) {
 String[] scopes = githubApiClient.getTokenScopes(personalAccessToken.getToken());
 return Optional.of(containsScopes(scopes, DEFAULT_TOKEN_SCOPES));
- } catch (ScmItemNotFoundException | ScmCommunicationException | ScmBadRequestException e) {
- LOG.error(e.getMessage(), e);
- throw new ScmCommunicationException(e.getMessage(), e);
- }
- } else {
- // No REST API for PAT-s in Github found yet. Just try to do some action.
- try {
+ } else {
+ // No REST API for PAT-s in Github found yet. Just try to do some action.
 GithubUser user = githubApiClient.getUser(personalAccessToken.getToken());
 if (personalAccessToken.getScmUserId().equals(Long.toString(user.getId()))) {
 return Optional.of(Boolean.TRUE);
 } else {
 return Optional.of(Boolean.FALSE);
 }
- } catch (ScmItemNotFoundException | ScmCommunicationException | ScmBadRequestException e) {
- return Optional.of(Boolean.FALSE);
 }
+ } catch (ScmItemNotFoundException | ScmCommunicationException | ScmBadRequestException e) {
+ return Optional.of(Boolean.FALSE);
 }
 }
diff --git a/wsmaster/che-core-api-factory-github/src/test/java/org/eclipse/che/api/factory/server/github/GithubPersonalAccessTokenFetcherTest.java b/wsmaster/che-core-api-factory-github/src/test/java/org/eclipse/che/api/factory/server/github/GithubPersonalAccessTokenFetcherTest.java
index 67c56b0511c..22ec4454883 100644
--- a/wsmaster/che-core-api-factory-github/src/test/java/org/eclipse/che/api/factory/server/github/GithubPersonalAccessTokenFetcherTest.java
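Review bot: The single catch added at the bottom of the hunk now maps every ScmCommunicationException to `Optional.of(Boolean.FALSE)`, and the `LOG.error(e.getMessage(), e)` that the OAuth branch used to emit before rethrowing is removed with it, so a transient failure reaching GitHub is reported exactly like a revoked or expired token and leaves no trace in the logs. If callers react to `false` by discarding or re-provisioning the token, that is a heavier consequence than a retry would be; consider at least keeping a log line in the new catch, `LOG.debug(e.getMessage(), e);`, and, if the three exception types let you tell a transport error from a rejected token, returning `Optional.empty()` (already used earlier in this method) or rethrowing for the former. Which of the three exceptions a 403 from `/user` is raised as is not visible here, so verify this against GithubApiClient before changing it. The method's signature lies outside the hunk; only its body from `return Optional.empty();` onward is shown.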
+++ b/wsmaster/che-core-api-factory-github/src/test/java/org/eclipse/che/api/factory/server/github/GithubPersonalAccessTokenFetcherTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2021 Red Hat, Inc.
+ * Copyright (c) 2012-2022 Red Hat, Inc.
 * This program and the accompanying materials are made
 * available under the terms of the Eclipse Public License 2.0
 * which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -17,6 +17,8 @@
 import static com.github.tomakehurst.wiremock.client.WireMock.stubFor;
 import static com.github.tomakehurst.wiremock.client.WireMock.urlEqualTo;
 import static com.github.tomakehurst.wiremock.core.WireMockConfiguration.wireMockConfig;
+import static java.net.HttpURLConnection.HTTP_FORBIDDEN;
+import static org.eclipse.che.api.factory.server.scm.PersonalAccessTokenFetcher.OAUTH_2_PREFIX;
 import static org.eclipse.che.dto.server.DtoFactory.newDto;
 import static org.mockito.ArgumentMatchers.anyString;
 import static org.mockito.Mockito.when;
@@ -204,4 +206,45 @@ public void shouldValidatePersonalToken() throws Exception {
 assertTrue(githubPATFetcher.isValid(token).get());
 }
+
+ @Test
+ public void shouldValidateOauthToken() throws Exception {
+ stubFor(
+ get(urlEqualTo("/user"))
+ .withHeader(HttpHeaders.AUTHORIZATION, equalTo("token " + githubOauthToken))
+ .willReturn(
+ aResponse()
+ .withHeader("Content-Type", "application/json; charset=utf-8")
+ .withHeader(GithubApiClient.GITHUB_OAUTH_SCOPES_HEADER, "repo")
+ .withBodyFile("github/rest/user/response.json")));
+
+ PersonalAccessToken token =
+ new PersonalAccessToken(
+ "https://github.com",
+ "cheUser",
+ "username",
+ "123456789",
+ OAUTH_2_PREFIX + "-token-name",
+ "tid-23434",
+ githubOauthToken);
+
+ assertTrue(githubPATFetcher.isValid(token).get());
+ }
+
+ @Test
+ public void shouldNotValidateExpiredOauthToken() throws Exception {
+ stubFor(get(urlEqualTo("/user")).willReturn(aResponse().withStatus(HTTP_FORBIDDEN)));
+
+ PersonalAccessToken token =
+ new PersonalAccessToken(
+ "https://github.com",
+ "cheUser",
+ "username",
+ "123456789",
+ OAUTH_2_PREFIX + "-token-name",
+ "tid-23434",
+ githubOauthToken);
+
+ assertFalse(githubPATFetcher.isValid(token).get());
+ }
 }
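Review bot: The seven-argument `new PersonalAccessToken(...)` construction is duplicated verbatim in `shouldValidateOauthToken` and `shouldNotValidateExpiredOauthToken`, differing only in the stub above it, which makes the distinguishing part of each test (the stubbed GitHub response) harder to spot. A small private factory in the test class that builds the OAuth-named token from `githubOauthToken` would reduce each test to a stub plus an assertion, e.g. `PersonalAccessToken token = oauthToken(githubOauthToken);`. Also worth noting in the second test's name or a comment that the 403 stub stands in for GitHub's response to an expired or revoked token, since the stub itself carries no body that says so.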