Support "internal" in code host authorization config
Created by: indradhanush
Until internal repos are supported directly, their visibility can be achieved with a workaround: two separate code host connections for the same GitHub Enterprise instance, one for the non-internal repos of an org and one for its internal repos, with the following configs:
Code host config 1
{
  "url": "https://<github-enterprise-url>",
  "token": "<secret-token-with-admin-privileges>",
  "repositoryQuery": [
    "org:<org-name> -is:internal"
  ],
  "authorization": {
    "groupsCacheTTL": 72
  }
}
Code host config 2
{
  "url": "https://<github-enterprise-url>",
  "token": "<same-token-as-above>",
  "repositoryQuery": [
    "org:<same-org-as-above> is:internal"
  ]
}
This works provided that the site config also enables the GitHub Enterprise instance as a login method, with an auth provider similar to the following:
{
  "auth.providers": [
    {
      "allowGroupsPermissionsSync": true,
      "clientID": "<redacted>-0083",
      "clientSecret": "<redacted>",
      "displayName": "GitHub Enterprise SGDEV",
      "type": "github",
      "url": "https://ghe.sgdev.org",
      "allowSignup": true
    }
  ]
}
With this in place, every user who signs up on Sourcegraph through the GitHub Enterprise login gets access to the internal repos, even if they are not members of the org that owns a given repo. That is the intended behaviour for internal repos, but the workaround goes further: code host config 2 has no "authorization" block, so Sourcegraph enforces no permissions on the repos it syncs, and they are visible to every user on the instance, including users who are not members of any org at all. GitHub's article states that org membership is the requirement for reading internal repos:
Now out of beta, the internal repository visibility allows an enterprise-owned repository to be read by any member of any organization that belongs to an enterprise account.
To close this gap, we will add a new flag to the "authorization" block of the code host config:
{
  "authorization": {
    "internal": true
  }
}
Code host config 2 then needs this authorization block added:
{
  "url": "https://<github-enterprise-url>",
  "token": "<same-token-as-above>",
  "repositoryQuery": [
    "org:<same-org-as-above> is:internal"
  ],
  "authorization": {
    "internal": true
  }
}
The permissions syncing code for GitHub will use this flag to detect the special case of internal repos. It will create a "pseudo org" in the in-memory permissions cache and add to it every user who is a member of at least one org.
The "pseudo org" groups those users so that they can access every repository synced by this code host config, which in this case is every GitHub Enterprise repo matching the filter org:<org-name> is:internal. A user who is not a member of any org is never added to the pseudo org and therefore gains no access to internal repos.
This is the same set of repositories that the search bar on the GitHub Enterprise instance returns for that filter. For example, visit this URL as an admin user of the instance:
https://ghe.sgdev.org/search?q=org%3Asgtest+is%3Ainternal
Caveats
To cover internal repos across all orgs, Sourcegraph admins will need one repositoryQuery entry per org in the internal code host config, because a bare is:internal filter with no org: qualifier yields no repositories in the search results on GitHub Enterprise. For example, visit this URL as an admin user of the instance:
https://ghe.sgdev.org/search?q=is%3Ainternal
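As an added example (not Sourcegraph's own code), the following toy Go model shows both the "pseudo org" behaviour described above and the per-org caveat: how the two connections select repos, how the in-memory cache gains a pseudo org holding every user with at least one org membership, and why a user with no org sees internal repos under the workaround but not once the proposed flag is set. PseudoOrg, the Repo/CodeHost/Authorization types, Configs, CanRead and the sample users and repos are all assumptions made for illustration; matchesQuery supports only the org:, is:internal and -is:internal qualifiers used on this page.

```go
package main

import (
	"fmt"
	"strings"
)

// PseudoOrg is the assumed name of the synthetic org holding every user who is a member of at least one real org.
const PseudoOrg = "<pseudo-org:internal>"

type Repo struct {
	Org, Name string
	Internal  bool // internal visibility on GitHub Enterprise
}

// Authorization mirrors a config's "authorization" block; Internal is the proposed flag. A nil *Authorization means no block at all.
type Authorization struct{ Internal bool }

type CodeHost struct {
	RepositoryQuery []string
	Authorization   *Authorization
}

// matchesQuery evaluates the GitHub search subset used on this page:
// space-separated "org:<name>", "is:internal" and "-is:internal".
func matchesQuery(q string, r Repo) bool {
	for _, tok := range strings.Fields(q) {
		var ok bool
		if strings.HasPrefix(tok, "org:") {
			ok = strings.EqualFold(strings.TrimPrefix(tok, "org:"), r.Org)
		} else if tok == "is:internal" || tok == "-is:internal" {
			ok = r.Internal == (tok[0] != '-') // negated form requires a non-internal repo
		}
		if !ok {
			return false // qualifier failed, or one not modelled here
		}
	}
	return true
}

// BuildGroupCache builds the in-memory org -> members cache and adds the
// pseudo org containing every user with at least one org membership.
func BuildGroupCache(membership map[string][]string) map[string]map[string]bool {
	cache := map[string]map[string]bool{PseudoOrg: {}}
	for user, orgs := range membership {
		for _, org := range orgs {
			if cache[org] == nil {
				cache[org] = map[string]bool{}
			}
			cache[org][user] = true
			cache[PseudoOrg][user] = true
		}
	}
	return cache
}

// CanRead grants access if any config that syncs r allows it.
func CanRead(cache map[string]map[string]bool, hosts []CodeHost, r Repo, user string) bool {
	for _, h := range hosts {
		for _, q := range h.RepositoryQuery {
			switch {
			case !matchesQuery(q, r):
			case h.Authorization == nil: // no authorization block: unrestricted (the gap)
				return true
			case h.Authorization.Internal: // proposed flag: pseudo-org membership
				if cache[PseudoOrg][user] {
					return true
				}
			case cache[r.Org][user]: // groups sync: membership in the repo's own org
				return true
			}
		}
	}
	return false
}

// Configs builds the two connections from the page with one "org:<org> ..." query per org
// (a bare is:internal matches nothing). withFlag selects the workaround (false) or the proposed flag (true).
func Configs(withFlag bool, orgs ...string) []CodeHost {
	nonInternal := CodeHost{Authorization: &Authorization{}}
	internal := CodeHost{}
	if withFlag {
		internal.Authorization = &Authorization{Internal: true}
	}
	for _, org := range orgs {
		nonInternal.RepositoryQuery = append(nonInternal.RepositoryQuery, "org:"+org+" -is:internal")
		internal.RepositoryQuery = append(internal.RepositoryQuery, "org:"+org+" is:internal")
	}
	return []CodeHost{nonInternal, internal}
}

// Constructed sample data, not taken from a real instance; carol signed up via the GHE login but belongs to no org.
var SampleMembership = map[string][]string{"alice": {"sgtest"}, "bob": {"other-org"}, "carol": {}}
var SampleRepos = []Repo{{"sgtest", "private-repo", false}, {"sgtest", "internal-repo", true}, {"other-org", "internal-repo", true}}

func main() {
	cache := BuildGroupCache(SampleMembership)
	fmt.Println(CanRead(cache, Configs(true, "sgtest"), SampleRepos[1], "carol")) // false
}
```

Running it with Configs(false, ...) instead reproduces the gap: carol, who belongs to no org, can read the internal repo because the connection that synced it has no authorization block. With the flag set, only pseudo-org members (alice, bob) can read it, bob still cannot read the private sgtest repo, and the other-org internal repo stays invisible until an "org:other-org is:internal" query is added.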
Finally, this should fix the issues reported in #25904 and #21591, but it will not fix the issue in #17153.