GitHub app access token lookup: allow to use PyJWT + cryptography instead of jwt (#10664)

* Fix issue #10299 * Fix issue #10299 * Fix blank lines * Fix blank lines * Add compatibility changes for jwt * Bump to a higher magic number * Update change log fragment * Update changelogs/fragments/10299-github_app_access_token-lookup.yml Co-authored-by: Felix Fontein <felix@fontein.de> * Update changelogs/fragments/10299-github_app_access_token-lookup.yml Co-authored-by: Felix Fontein <felix@fontein.de> * Update changelogs/fragments/10299-github_app_access_token-lookup.yml Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/lookup/github_app_access_token.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/lookup/github_app_access_token.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update requirement document * Remove a whitespace --------- Co-authored-by: Bruno Lavoie <bruno.lavoie@dti.ulaval.ca> Co-authored-by: Felix Fontein <felix@fontein.de>
2025-08-27 00:11:43 -07:00 · 2025-08-24 00:36:53 +08:00 · 2025-08-24 00:36:53 +08:00 · 65bc47068e
commit 65bc47068e
parent e43735659a
4 changed files with 138 additions and 31 deletions
--- a/.github/BOTMETA.yml
+++ b/.github/BOTMETA.yml
@ -287,7 +287,7 @@ files:
    maintainers: dagwieers
  $lookups/flattened.py: {}
  $lookups/github_app_access_token.py:
-    maintainers: weisheng-p
+    maintainers: weisheng-p blavoie
  $lookups/hiera.py:
    maintainers: jparrill
  $lookups/keyring.py: {}
--- a/changelogs/fragments/10299-github_app_access_token-lookup.yml
+++ b/changelogs/fragments/10299-github_app_access_token-lookup.yml
@ -0,0 +1,2 @@
 minor_changes:
  - github_app_access_token lookup plugin - support both ``jwt`` and ``pyjwt`` to avoid conflict with other modules requirements (https://github.com/ansible-collections/community.general/issues/10299).
--- a/plugins/lookup/github_app_access_token.py
+++ b/plugins/lookup/github_app_access_token.py
@ -9,10 +9,12 @@ DOCUMENTATION = r"""
 name: github_app_access_token
 author:
  - Poh Wei Sheng (@weisheng-p)
  - Bruno Lavoie (@blavoie)
 short_description: Obtain short-lived Github App Access tokens
 version_added: '8.2.0'
 requirements:
-  - jwt (https://github.com/GehirnInc/python-jwt)
+  - jwt (https://github.com/GehirnInc/python-jwt) OR
  - PyJWT (https://pypi.org/project/PyJWT/) AND cryptography (https://pypi.org/project/cryptography/)
 description:
  - This generates a Github access token that can be used with a C(git) command, if you use a Github App.
 options:
@ -66,13 +68,24 @@ _raw:
  elements: str
 """
 try:
-    from jwt import JWT, jwk_from_pem
+    import jwt
    HAS_JWT = True
 except ImportError:
    HAS_JWT = False
 HAS_PYTHON_JWT = False  # vs pyjwt
 if HAS_JWT and hasattr(jwt, 'JWT'):
    HAS_PYTHON_JWT = True
    from jwt import jwk_from_pem, jwt_instance
 try:
    from cryptography.hazmat.primitives import serialization
    HAS_CRYPTOGRAPHY = True
 except ImportError:
    HAS_CRYPTOGRAPHY = False
 import time
 import json
 from ansible.module_utils.urls import open_url
@ -81,26 +94,52 @@ from ansible.errors import AnsibleError, AnsibleOptionsError
 from ansible.plugins.lookup import LookupBase
 from ansible.utils.display import Display
 if HAS_JWT:
    jwt_instance = JWT()
 else:
    jwk_from_pem = None
    jwt_instance = None
 display = Display()
 class PythonJWT:
    @staticmethod
    def read_key(path, private_key=None):
        try:
            if private_key:
                return jwk_from_pem(private_key.encode('utf-8'))
            with open(path, 'rb') as pem_file:
                return jwk_from_pem(pem_file.read())
        except Exception as e:
            raise AnsibleError(f"Error while parsing key file: {e}")
    @staticmethod
    def encode_jwt(app_id, jwk, exp=600):
        now = int(time.time())
        payload = {
            'iat': now,
            'exp': now + exp,
            'iss': app_id,
        }
        try:
            return jwt_instance.encode(payload, jwk, alg='RS256')
        except Exception as e:
            raise AnsibleError(f"Error while encoding jwt: {e}")
 def read_key(path, private_key=None):
    if HAS_PYTHON_JWT:
        return PythonJWT.read_key(path, private_key)
    try:
        if private_key:
-            return jwk_from_pem(private_key.encode('utf-8'))
+            key_bytes = private_key.encode('utf-8')
-        with open(path, 'rb') as pem_file:
+        else:
-            return jwk_from_pem(pem_file.read())
+            with open(path, 'rb') as pem_file:
                key_bytes = pem_file.read()
        return serialization.load_pem_private_key(key_bytes, password=None)
    except Exception as e:
        raise AnsibleError(f"Error while parsing key file: {e}")
-def encode_jwt(app_id, jwk, exp=600):
+def encode_jwt(app_id, private_key_obj, exp=600):
    if HAS_PYTHON_JWT:
        return PythonJWT.encode_jwt(app_id, private_key_obj)
    now = int(time.time())
    payload = {
        'iat': now,
@ -108,7 +147,7 @@ def encode_jwt(app_id, jwk, exp=600):
        'iss': app_id,
    }
    try:
-        return jwt_instance.encode(payload, jwk, alg='RS256')
+        return jwt.encode(payload, private_key_obj, algorithm='RS256')
    except Exception as e:
        raise AnsibleError(f"Error while encoding jwt: {e}")
@ -150,7 +189,11 @@ class LookupModule(LookupBase):
    def run(self, terms, variables=None, **kwargs):
        if not HAS_JWT:
            raise AnsibleError('Python jwt library is required. '
-                               'Please install using "pip install jwt"')
+                               'Please install using "pip install pyjwt"')
        if not HAS_PYTHON_JWT and not HAS_CRYPTOGRAPHY:
            raise AnsibleError('Python cryptography library is required. '
                               'Please install using "pip install cryptography"')
        self.set_options(var_options=variables, direct=kwargs)
--- a/tests/unit/plugins/lookup/test_github_app_access_token.py
+++ b/tests/unit/plugins/lookup/test_github_app_access_token.py
@ -6,19 +6,29 @@
 from __future__ import (absolute_import, division, print_function)
 __metaclass__ = type
 import json
 import types
 import sys
 from ansible_collections.community.internal_test_tools.tests.unit.compat import unittest
 from ansible_collections.community.internal_test_tools.tests.unit.compat.mock import (
    patch,
    MagicMock,
-    mock_open
+    mock_open,
 )
 from ansible.plugins.loader import lookup_loader
 ENCODE_RESULT = 'Foobar'
 PRIVATE_KEY = 'private_key'
 class MockJWT(MagicMock):
    def encode(self, payload, key, alg):
-        return 'Foobar'
+        return ENCODE_RESULT
 class serialization(MagicMock):
    def load_pem_private_key(self, key_bytes, password):
        return PRIVATE_KEY
 class MockResponse(MagicMock):
@ -31,14 +41,17 @@ class MockResponse(MagicMock):
 class TestLookupModule(unittest.TestCase):
    def test_get_token_with_file_with_pyjwt(self):
        pyjwt = types.ModuleType("jwt")
        pyjwt.encode = MagicMock(return_value=ENCODE_RESULT)
        with patch.dict(sys.modules, {'jwt': pyjwt}), \
            patch.multiple("ansible_collections.community.general.plugins.lookup.github_app_access_token",
                           open=mock_open(read_data="foo_bar"),
                           open_url=MagicMock(return_value=MockResponse()),
                           HAS_JWT=True,
                           HAS_CRYPTOGRAPHY=True,
                           serialization=serialization()):
    def test_get_token_with_file(self):
        with patch.multiple("ansible_collections.community.general.plugins.lookup.github_app_access_token",
                            open=mock_open(read_data="foo_bar"),
                            open_url=MagicMock(return_value=MockResponse()),
                            jwk_from_pem=MagicMock(return_value='private_key'),
                            jwt_instance=MockJWT(),
                            HAS_JWT=True):
            lookup = lookup_loader.get('community.general.github_app_access_token')
            self.assertListEqual(
                [MockResponse.response_token],
@ -51,12 +64,61 @@ class TestLookupModule(unittest.TestCase):
                )
            )
-    def test_get_token_with_fact(self):
+    def test_get_token_with_fact_with_pyjwt(self):
-        with patch.multiple("ansible_collections.community.general.plugins.lookup.github_app_access_token",
+        pyjwt = types.ModuleType("jwt")
-                            open_url=MagicMock(return_value=MockResponse()),
+        pyjwt.encode = MagicMock(return_value=ENCODE_RESULT)
-                            jwk_from_pem=MagicMock(return_value='private_key'),
+        with patch.dict(sys.modules, {'jwt': pyjwt}), \
-                            jwt_instance=MockJWT(),
+            patch.multiple("ansible_collections.community.general.plugins.lookup.github_app_access_token",
-                            HAS_JWT=True):
+                           open=mock_open(read_data="foo_bar"),
                           open_url=MagicMock(return_value=MockResponse()),
                           HAS_JWT=True,
                           HAS_CRYPTOGRAPHY=True,
                           serialization=serialization()):
            lookup = lookup_loader.get('community.general.github_app_access_token')
            self.assertListEqual(
                [MockResponse.response_token],
                lookup.run(
                    [],
                    app_id="app_id",
                    installation_id="installation_id",
                    private_key="foo_bar",
                    token_expiry=600
                )
            )
    def test_get_token_with_python_jwt(self):
        python_jwt = types.ModuleType("jwt")
        python_jwt.JWT = MagicMock()
        python_jwt.jwk_from_pem = MagicMock(return_value='private_key')
        python_jwt.jwt_instance = MockJWT()
        with patch.dict(sys.modules, {'jwt': python_jwt}), \
            patch.multiple("ansible_collections.community.general.plugins.lookup.github_app_access_token",
                           open=mock_open(read_data="foo_bar"),
                           open_url=MagicMock(return_value=MockResponse()),
                           HAS_JWT=True):
            lookup = lookup_loader.get('community.general.github_app_access_token')
            self.assertListEqual(
                [MockResponse.response_token],
                lookup.run(
                    [],
                    key_path="key",
                    app_id="app_id",
                    installation_id="installation_id",
                    token_expiry=600
                )
            )
    def test_get_token_with_fact_with_python_jwt(self):
        python_jwt = types.ModuleType("jwt")
        python_jwt.JWT = MagicMock()
        python_jwt.jwk_from_pem = MagicMock(return_value='private_key')
        python_jwt.jwt_instance = MockJWT()
        with patch.dict(sys.modules, {'jwt': python_jwt}), \
            patch.multiple("ansible_collections.community.general.plugins.lookup.github_app_access_token",
                           open=mock_open(read_data="foo_bar"),
                           open_url=MagicMock(return_value=MockResponse()),
                           HAS_JWT=True):
            lookup = lookup_loader.get('community.general.github_app_access_token')
            self.assertListEqual(
                [MockResponse.response_token],
		`@ -0,0 +1,2 @@`
							`minor_changes:`
							- github_app_access_token lookup plugin - support both ``jwt`` and ``pyjwt`` to avoid conflict with other modules requirements (https://github.com/ansible-collections/community.general/issues/10299).