Unable to install public R packages on GitHub if SAML turned on (GitHub Enterprise)

[eeholmes]

Background

We have R packages on public repositories on GitHub Enterprise. SAML is turned on. But the repos are fully public and there are no restrictions to downloading, cloning or forking. But if we try to install the packages with install_github(), we get a error if the user has a PAT. Deleting the PAT will cause installation to work. The error is only with packages on GitHub Enterprise with SAML turned on.

Reprex

1. Make sure a PAT is created.

usethis::create_github_token() 
credentials::set_github_pat("YourPAT")

2. Try to install package
   This produces the error:

remotes::install_github("nmfs-ost/satf")
Using GitHub PAT from the git credential store.
Error: Failed to install 'unknown package' from GitHub:
  HTTP error 403.
  Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.

  Rate limit remaining: 4986/5000
  Rate limit reset at: 2024-11-14 17:49:00 UTC

3. Delete the PAT

gitcreds::gitcreds_delete()

Now remotes::install_github("nmfs-ost/satf") works

4. Test on a fork that is not in Enterprise w SAML

remotes::install_github("eeholmes/satf")

works when there is a PAT.

Where the problem appears

curl::curl_fetch_memory(url, handle = h)

called in

remotes:::github_DESCRIPTION()

The values are

url= "https://api.github.com/repos/nmfs-ost/satf/contents/DESCRIPTION?ref=HEAD"

headers

Accept 
"application/vnd.github.v3.raw" 
Authorization 
"token xxxx"

[gaborcsardi]

Did you try what the error message suggests?

[eeholmes]

That is only possible for organization members. These are R packages hosted for public use on GitHub Enterprise. Non-members have no way to authorize PAT for organization use. In contrast, for org members you see a button that says "Configure SSO" or something like that. We turned on SAML and now no one can install our packages without deleting their PATs, which obviously we don't want them to have to do. Also install_github() is used in non-interactive scripts.

[gaborcsardi]

no one can install our packages without deleting their PATs

That's not what I see, I do have a PAT and can install them:

❯ remotes::install_github("nmfs-ost/satf")
Using GitHub PAT from the git credential store.
Downloading GitHub repo nmfs-ost/satf@HEAD
These packages have more recent versions available.
It is recommended to update all of them.
Which would you like to update?
...

[gaborcsardi]

Unfortunately GitHub + SAML are a bit weird when it comes to public repos. Non-members can see the repos, in fact even people without a GItHub account can see them.

But if you are an org member, then you can only see the repo (on the web) if you log in with SAML. Tokens are similar, if you are an org member, you need grant the PAT access to the org.

This is my understanding, mostly based on experience, please correct me if I am wrong.

I am also not sure what remotes could do differently here.

[eeholmes]

@gaborcsardi Interesting. Thanks so much for the comment. This is extremely helpful. I will do more investigation.

[eeholmes]

I am sad to report back that the results of testing are kind of horrible. Within our Enterprise account, we have many orgs. Each member is only a member of some. You can only give PATs access to orgs that you are a member of. That means there is no way to install R packages in public repos from other orgs (in our Enterprise account) that you are not a member of.

Weirdly I AM able to see public repos in other orgs (in our Enterprise) without logging in to Enterprise. I am logged into GitHub in the browser but I am not logged into Enterprise.

• https://github.com/SWFSC/eSDM. I can see this.
• https://github.com/SWFSC but if I try to go here it triggers a SAML request. I cannot see the org without SAML login.

So it seems to me it is not accessing the repo per se that is the issue. I can see that wo SAML log in, but if I try to see the org, it ask for SAML. Note if I log out of GitHub in the browser, I can both see the repo and the org.

Is remotes (or another package it uses) somehow needing to see the org in addition to the repo?

[eeholmes]

@gaborcsardi What remote could do is respect auth_token=NULL to ignore the stored PAT. Is that possible?

Example

remotes::install_github('SWFSC/eSDM', auth_token=NULL)

returns (for me) as a member of the Enterprise account to which SWFSC belongs:

Error: Failed to install 'unknown package' from GitHub:
  HTTP error 403.
  Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.

  Rate limit remaining: 4980/5000
  Rate limit reset at: 2024-11-22 01:41:39 UTC

Note I am not a member of that org so I have no way to authorize my PAT for that org. I am a member of another org in that Enterprise account.

So somewhere it looked for the PAT even though I passed in NULL. If I delete the PAT, then remotes:::github_pat() returns NULL which is the default for the function:

install_github(
  repo,
  ref = "HEAD",
  subdir = NULL,
  auth_token = github_pat(quiet),

[eeholmes]

Ignoring auth_token happens here when

remotes/R/install-github.R

Line 246 in 828ba53

pat = remote$auth_token %||% github_pat(), use_curl = use_curl)

Right at the top of install_remote(), package_name <- remote_package_name(remote) is called and that is where the auth_token=NULL is ignored. It appears in remote$auth_token as NULL.

install_remote(remotes[[i]], ...)
debug: {
    stopifnot(is.remote(remote))
    package_name <- remote_package_name(remote)
    local_sha <- local_sha(package_name)
    remote_sha <- remote_sha(remote, local_sha)
...

remote_package_name(remote) calls this and you can see that remote$auth_token %||% github_pat() uses github_pat() if remote$auth_token is NULL. But if I delete the PAT, then both remote$auth_token is NULL and github_pat() are NULL and it works.

github_DESCRIPTION(username = remote$username, repo = remote$repo,
    subdir = remote$subdir, host = remote$host, ref = remote$ref,
    pat = remote$auth_token %||% github_pat(), use_curl = use_curl)

[eeholmes]

I put in a PR. 2 small changes to make install_github() respect auth_token=NULL.

[e-perl-NOAA]

@gaborcsardi is there any way to move this issue and PR #819 merged in? We have this issue within our enterprise organization. The gh() package has a way to get around this that we were able to implement successfully - see this comment in that repo.

[gaborcsardi]

Closed by #819.