intersystems · isc-rsaptars · Sep 29, 2023 · Oct 2, 2023 · Oct 3, 2023 · Oct 3, 2023
@@ -1,3 +1,6 @@
 .vscode/
 .gitattributes
-*.code-workspace
+*.code-workspace
+
+# using TestClass.cls for objecscript functionality exploration / convince myself that things work the way I expect them to
+cls/SourceControl/Git/TestClass.cls
@@ -106,6 +106,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Partial support for production decomposition with the new interoperability editors
 - Added Lock Branch setting to prevent switching branches for a protected namespace (#709)
 - Tooltips on branch operations in Git UI (#725)
+- Support for https connections (#279)
 
 ### Fixed
 - Changing system mode (environment name) in settings persists after instance restart (#655)

@@ -22,7 +22,7 @@ Embedded Git support for InterSystems platforms, supporting unified source contr
    ```
    do ##class(SourceControl.Git.API).Configure()
    ```
-   This will also allow you to generate an SSH key for use as (e.g.) a deploy key and to initialize or clone a git repo.
+   This will also allow you to generate an SSH key for use as (e.g.) a deploy key and to initialize or clone a git repo. (If you want to use https instead, please see the documentation [here])(/docs/https.md)
 3. If using VSCode: Set up `isfs` server-side editing. First, save your current workspace in which you have the code open. Then, open the `.code-workspace` file generated by VS Code and add the following to the list of folders:
     ```
     {
@@ -151,6 +151,9 @@ Assuming you have the local and remote repositories created,
    `git config core.sshCommand 'ssh -i ~/.ssh/<private key name>'`
 8. Test the refresh button for the remote branches on the WebUI, fetch from the source control menu in Studio or VS Code, and `git fetch` in Git Bash. All 3 should work without any issues.
 
+### HTTPS Support
+We recommend that people connect to their remote git repository using SSH. If you cannot use SSH connections, we also have support for HTTPS connection through OAuth2. See [our documentation for setting up an https connection](/docs/https.md).
+
 ## Editing files in the Git repository server-side
 
 There are some circumstances where you'll want to edit files in the Git repository on the IRIS server. For example,

@@ -39,18 +39,18 @@ ClassMethod Configure()
 
 /// API for git pull - just wraps Utils
 /// - pTerminateOnError: if set to 1, this will terminate on error if there are any errors in the pull, otherwise will return status
-ClassMethod Pull(pTerminateOnError As %Boolean = 0)
+ClassMethod Pull(pTerminateOnError As %Boolean = 0) As %Status
 {
-    set st = ##class(SourceControl.Git.Utils).Pull(,pTerminateOnError)
-    if pTerminateOnError && $$$ISERR(st) {
+    set sc = ##class(SourceControl.Git.Utils).Pull(,pTerminateOnError)
+    if pTerminateOnError && $$$ISERR(sc) {
         Do $System.Process.Terminate($Job,1)
     }
-    quit st
+    quit sc
 }
 
 /// Imports all items from the Git repository into IRIS.
 /// - pForce: if true, will import an item even if the last updated timestamp in IRIS is later than that of the file on disk.
-ClassMethod ImportAll(pForce As %Boolean = 0) as %Status
+ClassMethod ImportAll(pForce As %Boolean = 0) As %Status
 {
     return ##class(SourceControl.Git.Utils).ImportAll(pForce)
 }

@@ -14,4 +14,4 @@ ClassMethod BuildUIForDevMode(devMode As %Boolean, rootDirectory As %String)
     write !, $zf(-100, "/SHELL", "npm", "run", "build", "--prefix", webUIDirectory)
 }
 
-}
+}
@@ -11,6 +11,7 @@ XData Menu
 <MenuBase>
 <Menu Name="%SourceMenu" Type="0">
 <MenuItem Name="Status" />
+<MenuItem Name="Authenticate" />
 <MenuItem Name="Settings" />
 <MenuItem Name="Init" />
 <MenuItem Name="GitWebUI" Save="101" />
@@ -193,6 +194,7 @@ Method OnSourceMenuItem(name As %String, ByRef Enabled As %String, ByRef Display
             set Enabled = $CASE(name,
                 "Status": 1,
                 "GitWebUI" : 1,
+                "Authenticate":1,
                 "Import": 1,
                 "ImportForce": 1,
                 "NewBranch": BranchLocked,
@@ -206,6 +208,7 @@ Method OnSourceMenuItem(name As %String, ByRef Enabled As %String, ByRef Display
                 // cases
                 "Status": 1,
                 "GitWebUI" : 1,
+                "Authenticate" : 1,
                 "Export": 1,
                 "ExportForce": 1,
                 "Import": 1,

@@ -144,4 +144,3 @@ Storage Default
 }
 
 }
-
@@ -0,0 +1,151 @@
+Include %syPrompt
+
+IncludeGenerator %syPrompt
+
+Class SourceControl.Git.OAuth2 Extends %RegisteredObject
+{
+
+/// GenerateVerifier returns a cryptographically random string compliant with RFC 7636 (PKCE)
+/// Requirements:
+/// - Minimum 43 characters, maximum 128 characters
+/// - Character set: [A-Za-z0-9-._~] (unreserved URI characters only)
+/// - High entropy (256+ bits)
+/// 
+/// Implementation: Generates 64 random characters (384 bits entropy) from the allowed charset
+ClassMethod GenerateVerifier() As %String
+{
+    // RFC 7636 unreserved characters: [A-Za-z0-9-._~]
+    set charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
+    set charsetLen = $LENGTH(charset)
+
+    // Generate 64 character verifier (384 bits entropy, well above 256-bit minimum)
+    set verifier = ""
+    new $NAMESPACE
+    set $NAMESPACE = "%SYS"
+
+    for i=1:1:64 {
+        // Get random byte (0-255)
+        set randomByte = $ASCII(##class(%SYSTEM.Encryption).GenCryptRand(1))
+        // Map to charset index (1-66)
+        set index = (randomByte # charsetLen) + 1
+        set verifier = verifier _ $EXTRACT(charset, index)
+    }
+
+    return verifier
+}
+
+/// Builds the authorization code URL for the given configuration
+ClassMethod AuthCodeURL(c As SourceControl.Git.OAuth2.Config, namespace As %String, Output state, Output verifier) As %String
+{
+    set state = ..GenerateVerifier()    
+    set verifier = ..GenerateVerifier()
+    set url = c.AuthCodeURL(state, verifier)
+    return url
+}
+
+ClassMethod GetURLsFromRemote(remote As %String, Output authCodeURL, Output tokenURL) As %Boolean
+{
+    if remote [ "github.com/" {
+        set authCodeURL = "https://github.com/login/oauth/authorize"
+        set tokenURL = "https://github.com/login/oauth/access_token"
+        return 1
+    } elseif remote [ "gitlab" {
+        set gitlaburl = $Piece(remote, ".com", 1) _ ".com/"
+        set authCodeURL = gitlaburl _ "/oauth/authorize"
+        set tokenURL = gitlaburl _ "/oauth/token"
+        return 1
+    } else {
+        return 0
+    }
+}
+
+ClassMethod FixRemoteURL(url As %String) As %String
+{
+    /// OAuth Https authentication requires connecting as api
+    if ($extract(url,1,5) = "https") {
+        if (url [ "@") {
+            return url
+        } else {
+            set url = "https://api@"_$piece(url,"https://",2)
+        }
+    }
+    return url
+}
+
+ClassMethod GetToken() As %String
+{
+    return ##class(SourceControl.Git.Util.CredentialManager).GetAccessToken($username, .err, .code)
+}
+
+/// Base64URLEncode converts data to base64url format (RFC 4648 Section 5)
+/// Base64url is like standard base64 but URL-safe:
+/// - Replace + with -
+/// - Replace / with _
+/// - Remove padding (=)
+/// Used for PKCE code_challenge encoding per RFC 7636
+ClassMethod Base64URLEncode(data As %String) As %String
+{
+    // Convert to standard base64
+    set base64 = $SYSTEM.Encryption.Base64Encode(data)
+
+    // Convert to base64url: replace +/= with -_
+    set base64url = $REPLACE(base64, "+", "-")
+    set base64url = $REPLACE(base64url, "/", "_")
+
+    // Remove padding
+    set base64url = $REPLACE(base64url, "=", "")
+
+    return base64url
+}
+
+ClassMethod DeleteOAuthConfig(username As %String) As %Status
+{
+    set sc = $$$OK
+    set error = ""
+    set code = ""
+
+    // Delete access token
+    // Check if token exists first
+    set token = ##class(SourceControl.Git.Util.CredentialManager).GetAccessToken(username, .error, .code)
+    if error '= "" {
+        return $$$ERROR($$$GeneralError,$$$FormatText("Failed to get access token with error: %1; code: %2'",error,code))
+    }
+    if token '= "" {
+        do ##class(SourceControl.Git.Util.CredentialManager).DeleteAccessToken(username, .error, .code)
+        if error '= "" {
+            return $$$ERROR($$$GeneralError,$$$FormatText("Failed to delete access token with error: %1; code: %2'",error,code))
+        }
+    }
+
+    // Clear refresh token
+    do ##class(SourceControl.Git.Util.CredentialManager).SetRefreshToken(username, "", .error, .code)
+    if error '= "" {
+       return $$$ERROR($$$GeneralError,$$$FormatText("Failed to clear refresh token with error: %1; code: %2'",error,code))
+    }
+
+    // Clear client ID; secret
+    do ##class(SourceControl.Git.Util.CredentialManager).SetKeyPair(username, "clientid", "", .error, .code)
+    if error '= "" {
+       return $$$ERROR($$$GeneralError,$$$FormatText("Failed to clear clientid with error: %1; code: %2'",error,code))
+    }
+    do ##class(SourceControl.Git.Util.CredentialManager).SetKeyPair(username, "clientsecret", "", .error, .code)
+    if error '= "" {
+       return $$$ERROR($$$GeneralError,$$$FormatText("Failed to clear clientsecret with error: %1; code: %2'",error,code))
+    }
+    do ##class(SourceControl.Git.Util.CredentialManager).SetKeyPair(username, "state", "", .error, .code)
+    if error '= "" {
+       return $$$ERROR($$$GeneralError,$$$FormatText("Failed to clear state with error: %1; code: %2'",error,code))
+    }
+    do ##class(SourceControl.Git.Util.CredentialManager).SetKeyPair(username, "verifier", "", .error, .code)
+    if error '= "" {
+       return $$$ERROR($$$GeneralError,$$$FormatText("Failed to clear verifier with error: %1; code: %2'",error,code))
+    }
+
+    // Delete persistent config object
+    if ##class(SourceControl.Git.OAuth2.Config).%ExistsId(username) {
+        set sc = ##class(SourceControl.Git.OAuth2.Config).%DeleteId(username)
+    }
+    return sc
+}
+
+}
-Original file line number
+Diff line change
@@ Expand Up @@
         write !, $zf(-100, "/SHELL", "npm", "run", "build", "--prefix", webUIDirectory)
     }
-    }
+    }