authorAlyssa Ross <hi@alyssa.is>2021-03-29 14:21:22 +0000
committerAlyssa Ross <hi@alyssa.is>2021-03-29 18:22:30 +0000
commit8164ee76c363a572b888c2bce5015aa05ef6b37e (patch)
treed3975488c38b0220044514d567be7ce8c0c4f66b /overlays
parentbe250ee4130940d1a86aea97ec586893f1bbcb12 (diff)
patches/gh: support reading auth tokens from fds
Diffstat (limited to 'overlays')
-rw-r--r--overlays/patches/default.nix2
-rw-r--r--overlays/patches/gh/Support-reading-auth-token-from-file-descriptor.patch76
-rw-r--r--overlays/patches/gh/default.nix9
3 files changed, 87 insertions, 0 deletions
diff --git a/overlays/patches/default.nix b/overlays/patches/default.nix
index 1fd87159ee17..b7c2f7b7f6bd 100644
--- a/overlays/patches/default.nix
+++ b/overlays/patches/default.nix
@@ -16,6 +16,8 @@ self: super: {
     llvmPackages = self.llvmPackages_latest;
   };
 
+  gh = self.callPackage ./gh { inherit (super) gh; };
+
   gnupg = self.callPackage ./gnupg { inherit (super) gnupg; };
 
   public-inbox = self.callPackage ./public-inbox {
diff --git a/overlays/patches/gh/Support-reading-auth-token-from-file-descriptor.patch b/overlays/patches/gh/Support-reading-auth-token-from-file-descriptor.patch
new file mode 100644
index 000000000000..36544ed7fdb3
--- /dev/null
+++ b/overlays/patches/gh/Support-reading-auth-token-from-file-descriptor.patch
@@ -0,0 +1,76 @@
+From 195e1f1f08e2aa92bcdbfba5848d732a2147ccd1 Mon Sep 17 00:00:00 2001
+From: Alyssa Ross <hi@alyssa.is>
+Date: Mon, 29 Mar 2021 14:12:17 +0000
+Subject: [PATCH] Support reading auth token from file descriptor
+
+This is a quick hack:
+
+* It would make more sense to use a command line argument than an
+  environment variable, because there's not really any sense
+  propagating this to children.
+* `gh auth status' doesn't work.
+---
+ internal/config/from_env.go | 26 +++++++++++++++++++++++++-
+ 1 file changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/internal/config/from_env.go b/internal/config/from_env.go
+index 7b2853bd..4d4734e1 100644
+--- a/internal/config/from_env.go
++++ b/internal/config/from_env.go
+@@ -2,12 +2,15 @@ package config
+ 
+ import (
+ 	"fmt"
++	"io"
+ 	"os"
++	"strconv"
+ 
+ 	"github.com/cli/cli/internal/ghinstance"
+ )
+ 
+ const (
++	GH_TOKEN_FD             = "GH_TOKEN_FD"
+ 	GH_TOKEN                = "GH_TOKEN"
+ 	GITHUB_TOKEN            = "GITHUB_TOKEN"
+ 	GH_ENTERPRISE_TOKEN     = "GH_ENTERPRISE_TOKEN"
+@@ -71,7 +74,27 @@ func (c *envConfig) CheckWriteable(hostname, key string) error {
+ 	return c.Config.CheckWriteable(hostname, key)
+ }
+ 
++var tokenFromFd string
++
+ func AuthTokenFromEnv(hostname string) (string, string) {
++	if tokenFromFd != "" {
++		return tokenFromFd, GH_TOKEN_FD
++	}
++
++	if fd := os.Getenv(GH_TOKEN_FD); fd != "" {
++		if fd, err := strconv.ParseUint(fd, 10, 32); err == nil {
++			bytes := make([]byte, 40)
++			f := os.NewFile(uintptr(fd), "token")
++			defer f.Close()
++			if _, err := io.ReadFull(f, bytes); err == nil {
++				tokenFromFd = string(bytes)
++				return tokenFromFd, GH_TOKEN_FD
++			}
++		}
++
++		return "", GH_TOKEN_FD
++	}
++
+ 	if ghinstance.IsEnterprise(hostname) {
+ 		if token := os.Getenv(GH_ENTERPRISE_TOKEN); token != "" {
+ 			return token, GH_ENTERPRISE_TOKEN
+@@ -88,7 +111,8 @@ func AuthTokenFromEnv(hostname string) (string, string) {
+ }
+ 
+ func AuthTokenProvidedFromEnv() bool {
+-	return os.Getenv(GH_ENTERPRISE_TOKEN) != "" ||
++	return os.Getenv(GH_TOKEN_FD) != "" ||
++		os.Getenv(GH_ENTERPRISE_TOKEN) != "" ||
+ 		os.Getenv(GITHUB_ENTERPRISE_TOKEN) != "" ||
+ 		os.Getenv(GH_TOKEN) != "" ||
+ 		os.Getenv(GITHUB_TOKEN) != ""
+-- 
+2.30.0
+
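Review bot: In `AuthTokenFromEnv`, a failed parse or read leaves `tokenFromFd` empty, so every later call wraps the same descriptor number with `os.NewFile` again even though the deferred `f.Close()` has already closed it; by then that number may belong to an unrelated file the process has opened, which would then be read from and closed. Doing the read under a `sync.Once` (this needs a `sync` import) makes it happen exactly once whether it succeeds or not, as in the excerpt below. Separately, the fixed `make([]byte, 40)` with `io.ReadFull` silently rejects a shorter token and truncates a longer one. The failure path also returns an empty token with no diagnostic while `AuthTokenProvidedFromEnv` still reports a token as provided, so a message on stderr would help there. The body of `AuthTokenFromEnv` continues past the end of the hunk in the embedded patch.

```go
var (
	tokenFromFd     string
	tokenFromFdOnce sync.Once
)

func AuthTokenFromEnv(hostname string) (string, string) {
	if fdStr := os.Getenv(GH_TOKEN_FD); fdStr != "" {
		// Read the descriptor exactly once: it is closed afterwards, and the
		// same number may later refer to an unrelated file in this process.
		tokenFromFdOnce.Do(func() {
			fd, err := strconv.ParseUint(fdStr, 10, 32)
			if err != nil {
				return
			}
			f := os.NewFile(uintptr(fd), "token")
			defer f.Close()
			bytes := make([]byte, 40)
			if _, err := io.ReadFull(f, bytes); err == nil {
				tokenFromFd = string(bytes)
			}
		})
		return tokenFromFd, GH_TOKEN_FD
	}

	// … unchanged: GH_ENTERPRISE_TOKEN / GH_TOKEN lookups …
```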
diff --git a/overlays/patches/gh/default.nix b/overlays/patches/gh/default.nix
new file mode 100644
index 000000000000..e4e3548ab5cf
--- /dev/null
+++ b/overlays/patches/gh/default.nix
@@ -0,0 +1,9 @@
+{ gh, ... } @ args:
+
+(gh.override (builtins.removeAttrs args [ "gh" ])).overrideGoAttrs (
+  { patches ? [], ... }: {
+    patches = patches ++ [
+      ./Support-reading-auth-token-from-file-descriptor.patch
+    ];
+  }
+)