Class: Ace::Git::Secrets::Atoms::ServiceApiClient

Inherits:

Object

• Object
• Ace::Git::Secrets::Atoms::ServiceApiClient

Defined in:

lib/ace/git/secrets/atoms/service_api_client.rb

Overview

HTTP API client for token revocation services Builds requests for GitHub, Anthropic, OpenAI credential revocation APIs

Constant Summary

DEFAULT_GITHUB_REVOKE_URL =

Default GitHub Credential Revocation API (unauthenticated, rate limited)

"https://api.github.com/credentials/revoke"

DEFAULT_USER_AGENT =

Default user agent for API requests

"ace-git-secrets/#{Ace::Git::Secrets::VERSION}"

Instance Attribute Summary

• #github_api_base_url ⇒ Object readonly

  Returns the value of attribute github_api_base_url.

• #github_revoke_url ⇒ Object readonly

  Returns the value of attribute github_revoke_url.

• #retry_count ⇒ Object readonly

  Returns the value of attribute retry_count.

• #timeout ⇒ Object readonly

  Returns the value of attribute timeout.

• #user_agent ⇒ Object readonly

  Returns the value of attribute user_agent.

Instance Method Summary

• #build_revocation_request(service, token) ⇒ Hash

  Build revocation request for a service.

• #github_rate_limit ⇒ Hash

  Check API rate limit status for GitHub Uses configured GitHub API base URL (supports GitHub Enterprise).

• #github_revoke_connection ⇒ Faraday::Connection

  Get cached GitHub revoke connection for bulk operations.

• #initialize(timeout: 30, retry_count: 3, github_api_url: nil, user_agent: nil) ⇒ ServiceApiClient constructor

  A new instance of ServiceApiClient.

• #revoke_github_token(token, check_rate_limit: false) ⇒ Hash

  Revoke a GitHub token Uses GitHub’s Credential Revocation API (unauthenticated) Connection is reused for bulk revocation efficiency.

Constructor Details

#initialize(timeout: 30, retry_count: 3, github_api_url: nil, user_agent: nil) ⇒ ServiceApiClient

Returns a new instance of ServiceApiClient.

Parameters:

• timeout (Integer) (defaults to: 30) —

  Request timeout in seconds

• retry_count (Integer) (defaults to: 3) —

  Number of retries

• github_api_url (String, nil) (defaults to: nil) —

  Custom GitHub API URL (for GitHub Enterprise)

• user_agent (String, nil) (defaults to: nil) —

  Custom User-Agent header

# File 'lib/ace/git/secrets/atoms/service_api_client.rb', line 26

def initialize(timeout: 30, retry_count: 3, github_api_url: nil, user_agent: nil)
  @timeout = timeout
  @retry_count = retry_count
  @github_api_base_url = github_api_url&.chomp("/") || "https://api.github.com"
  @github_revoke_url = "#{@github_api_base_url}/credentials/revoke"
  @user_agent = user_agent || DEFAULT_USER_AGENT
end

Instance Attribute Details

#github_api_base_url ⇒ Object (readonly)

Returns the value of attribute github_api_base_url.

# File 'lib/ace/git/secrets/atoms/service_api_client.rb', line 20

def github_api_base_url
  @github_api_base_url
end

#github_revoke_url ⇒ Object (readonly)

Returns the value of attribute github_revoke_url.

# File 'lib/ace/git/secrets/atoms/service_api_client.rb', line 20

def github_revoke_url
  @github_revoke_url
end

#retry_count ⇒ Object (readonly)

Returns the value of attribute retry_count.

# File 'lib/ace/git/secrets/atoms/service_api_client.rb', line 20

def retry_count
  @retry_count
end

#timeout ⇒ Object (readonly)

Returns the value of attribute timeout.

# File 'lib/ace/git/secrets/atoms/service_api_client.rb', line 20

def timeout
  @timeout
end

#user_agent ⇒ Object (readonly)

Returns the value of attribute user_agent.

# File 'lib/ace/git/secrets/atoms/service_api_client.rb', line 20

def user_agent
  @user_agent
end

Instance Method Details

#build_revocation_request(service, token) ⇒ Hash

Build revocation request for a service

Parameters:

• service (String) —

  Service name (github, anthropic, openai)

• token (String) —

  Token to revoke

Returns:

• (Hash) —

  Request details for manual revocation if API not available

# File 'lib/ace/git/secrets/atoms/service_api_client.rb', line 76

def build_revocation_request(service, token)
  case service
  when "github"
    {
      method: :post,
      url: github_revoke_url,
      headers: {"Content-Type" => "application/json"},
      body: {credential: token},
      notes: "GitHub tokens can be revoked via API without authentication"
    }
  when "anthropic"
    {
      method: :manual,
      url: "https://console.anthropic.com/settings/keys",
      notes: "Anthropic API keys must be revoked manually via the console"
    }
  when "openai"
    {
      method: :manual,
      url: "https://platform.openai.com/api-keys",
      notes: "OpenAI API keys must be revoked manually via the platform"
    }
  when "aws"
    {
      method: :manual,
      url: "https://console.aws.amazon.com/iam/home#/security_credentials",
      notes: "AWS credentials must be rotated/deleted via IAM console"
    }
  else
    {
      method: :unsupported,
      url: nil,
      notes: "Automatic revocation not supported for #{service}"
    }
  end
end

#github_rate_limit ⇒ Hash

Check API rate limit status for GitHub Uses configured GitHub API base URL (supports GitHub Enterprise)

Returns:

• (Hash) —

  Rate limit info

# File 'lib/ace/git/secrets/atoms/service_api_client.rb', line 116

def github_rate_limit
  conn = Faraday.new(url: github_api_base_url) do |f|
    f.options.timeout = timeout
    if retry_count > 0
      f.request :retry, max: retry_count
    end
    f.adapter Faraday.default_adapter
  end

  response = conn.get("/rate_limit")

  if response.success?
    data = JSON.parse(response.body)
    resources = data["resources"]["core"]
    {
      limit: resources["limit"],
      remaining: resources["remaining"],
      reset_at: Time.at(resources["reset"])
    }
  else
    {limit: 60, remaining: "unknown", reset_at: nil}
  end
rescue
  {limit: 60, remaining: "unknown", reset_at: nil}
end

#github_revoke_connection ⇒ Faraday::Connection

Get cached GitHub revoke connection for bulk operations

Returns:

• (Faraday::Connection)

# File 'lib/ace/git/secrets/atoms/service_api_client.rb', line 68

def github_revoke_connection
  @github_revoke_connection ||= build_connection(github_revoke_url)
end

#revoke_github_token(token, check_rate_limit: false) ⇒ Hash

Revoke a GitHub token Uses GitHub’s Credential Revocation API (unauthenticated) Connection is reused for bulk revocation efficiency

Parameters:

• token (String) —

  The token to revoke

• check_rate_limit (Boolean) (defaults to: false) —

  Whether to check rate limit before request

Returns:

• (Hash) —

  Result with :success, :message, :response keys

# File 'lib/ace/git/secrets/atoms/service_api_client.rb', line 40

def revoke_github_token(token, check_rate_limit: false)
  # Optionally check rate limit before attempting revocation
  if check_rate_limit
    rate_info = github_rate_limit
    if rate_info[:remaining].is_a?(Integer) && rate_info[:remaining] == 0
      reset_msg = rate_info[:reset_at] ? " Reset at #{rate_info[:reset_at]}" : ""
      return {
        success: false,
        message: "GitHub API rate limit exceeded.#{reset_msg}",
        response: nil,
        rate_limited: true
      }
    end
  end

  response = github_revoke_connection.post do |req|
    req.headers["Content-Type"] = "application/json"
    req.headers["Accept"] = "application/json"
    req.body = JSON.generate({credential: token})
  end

  parse_github_response(response)
rescue Faraday::Error => e
  {success: false, message: "GitHub API error: #{e.message}", response: nil}
end