batches: fix commit signing with changeset forks (#57520)

[Context](https://sourcegraph.slack.com/archives/C04UV9ZVBB2/p1696374182439959)

The customer reported an issue where a Sourcegraph instance configured with a GitHub app for Batch Changes couldn't sign commits on forked changesets even when the GitHub app was granted access to the forked repo. 

This happens because while creating an authenticator used to create the signed commits, we always assume the repository to find the GitHub app installation for is the original repository where the Batch CHange was executed.

https://github.com/sourcegraph/sourcegraph/blob/main/internal/batches/sources/sources.go#L161

In this PR, I changed the approach and instead checked if the changeset is pushed to a fork, then figured out the namespace where the forked changeset is created and used that to get the GitHub app installation record.

![CleanShot 2023-10-11 at 11 49 50@2x](https://github.com/sourcegraph/sourcegraph/assets/25608335/3f90937e-6d1f-4631-8ce4-ca7a06a8423f)


## Test plan

* MAnual testing

- Add a GitHub app for BAtch Changes commit signing. Ensure you give it access to the forked repository of your choice.
- Add `batchChanges.enforceForks` to your site config, and create a batch change. 
- The changeset should be verified and created in your repository fork once published.

* Updated unit tests

Author: BolajiOlajide

cmd/frontend/internal/batches/resolvers/changeset_counts_test.go

@@ -190,7 +190,7 @@ func TestChangesetCountsOverTimeIntegration(t *testing.T) {
 			t.Fatal(err)
 		}
 
-		src, err := sourcer.ForChangeset(ctx, bstore, c, sources.AuthenticationStrategyUserCredential)
+		src, err := sourcer.ForChangeset(ctx, bstore, c, sources.AuthenticationStrategyUserCredential, githubRepo)
 		if err != nil {
 			t.Fatalf("failed to build source for repo: %s", err)
 		}

cmd/frontend/internal/batches/webhooks/bitbucketserver_test.go

@@ -167,7 +167,7 @@ func testBitbucketServerWebhook(db database.DB, userID int32) func(*testing.T) {
 			if err := s.CreateChangeset(ctx, ch); err != nil {
 				t.Fatal(err)
 			}
-			src, err := sourcer.ForChangeset(ctx, s, ch, sources.AuthenticationStrategyUserCredential)
+			src, err := sourcer.ForChangeset(ctx, s, ch, sources.AuthenticationStrategyUserCredential, bitbucketRepo)
 			if err != nil {
 				t.Fatal(err)
 			}

cmd/frontend/internal/batches/webhooks/github_test.go

@@ -156,7 +156,7 @@ func testGitHubWebhook(db database.DB, userID int32) func(*testing.T) {
 		})
 		defer state.Unmock()
 
-		src, err := sourcer.ForChangeset(ctx, s, changeset, sources.AuthenticationStrategyUserCredential)
+		src, err := sourcer.ForChangeset(ctx, s, changeset, sources.AuthenticationStrategyUserCredential, githubRepo)
 		if err != nil {
 			t.Fatal(err)
 		}

internal/batches/reconciler/executor.go

@@ -592,7 +592,7 @@ func (e *executor) decorateChangesetBody(ctx context.Context) (string, error) {
 }
 
 func loadChangesetSource(ctx context.Context, s *store.Store, sourcer sources.Sourcer, ch *btypes.Changeset, repo *types.Repo) (sources.ChangesetSource, error) {
-	css, err := sourcer.ForChangeset(ctx, s, ch, sources.AuthenticationStrategyUserCredential)
+	css, err := sourcer.ForChangeset(ctx, s, ch, sources.AuthenticationStrategyUserCredential, repo)
 	if err != nil {
 		switch err {
 		case sources.ErrMissingCredentials:
@@ -648,7 +648,7 @@ func (e *executor) runAfterCommit(ctx context.Context, css sources.ChangesetSour
 	// configured for Batch Changes to sign commits on this code host with.
 	if _, ok := css.(*sources.GitHubSource); ok {
 		// Attempt to get a ChangesetSource authenticated with a GitHub App.
-		css, err = e.sourcer.ForChangeset(ctx, e.tx, e.ch, sources.AuthenticationStrategyGitHubApp)
+		css, err = e.sourcer.ForChangeset(ctx, e.tx, e.ch, sources.AuthenticationStrategyGitHubApp, e.remote)
 		if err != nil {
 			switch err {
 			case sources.ErrNoGitHubAppConfigured:

internal/batches/sources/mocks_test.go

@@ -85,6 +85,7 @@ type SourcerStore interface {
 	ExternalServices() database.ExternalServiceStore
 	UserCredentials() database.UserCredentialsStore
 	GitHubAppsStore() ghastore.GitHubAppsStore
+	GetChangesetSpecByID(ctx context.Context, id int64) (*btypes.ChangesetSpec, error)
 }
 
 // Sourcer exposes methods to get a ChangesetSource based on a changeset, repo or
@@ -105,7 +106,7 @@ type Sourcer interface {
 	//
 	// If the changeset was not created by a batch change, then a site credential will be
 	// used. If another AuthenticationStrategy is specified, then it will be used.
-	ForChangeset(ctx context.Context, tx SourcerStore, ch *btypes.Changeset, as AuthenticationStrategy) (ChangesetSource, error)
+	ForChangeset(ctx context.Context, tx SourcerStore, ch *btypes.Changeset, as AuthenticationStrategy, repo *types.Repo) (ChangesetSource, error)
 	// ForUser returns a ChangesetSource for changesets on the given repo.
 	// It will be authenticated with the given authenticator.
 	ForUser(ctx context.Context, tx SourcerStore, uid int32, repo *types.Repo) (ChangesetSource, error)
@@ -135,7 +136,7 @@ func newSourcer(cf *httpcli.Factory, csf changesetSourceFactory) Sourcer {
 	}
 }
 
-func (s *sourcer) ForChangeset(ctx context.Context, tx SourcerStore, ch *btypes.Changeset, as AuthenticationStrategy) (ChangesetSource, error) {
+func (s *sourcer) ForChangeset(ctx context.Context, tx SourcerStore, ch *btypes.Changeset, as AuthenticationStrategy, targetRepo *types.Repo) (ChangesetSource, error) {
 	repo, err := tx.Repos().Get(ctx, ch.RepoID)
 	if err != nil {
 		return nil, errors.Wrap(err, "loading changeset repo")
@@ -159,10 +160,41 @@ func (s *sourcer) ForChangeset(ctx context.Context, tx SourcerStore, ch *btypes.
 	}
 
 	if as == AuthenticationStrategyGitHubApp {
-		repoMetadata := repo.Metadata.(*github.Repository)
-		owner, _, err := github.SplitRepositoryNameWithOwner(repoMetadata.NameWithOwner)
+		cs, err := tx.GetChangesetSpecByID(ctx, ch.CurrentSpecID)
 		if err != nil {
-			return nil, errors.Wrap(err, "getting owner from repo name")
+			return nil, errors.Wrap(err, "getting changeset spec")
+		}
+
+		var owner string
+		// We check if the changeset is meant to be pushed to a fork.
+		// If yes, then we try to figure out the user namespace and get a github app for the user namespace.
+		if cs.IsFork() {
+			// forkNamespace is nil returns a non-nil value if the fork namespace is explicitly defined
+			// e.g sourcegraph.
+			// if it isn't then we assume the changeset will be forked into the current user's namespace
+			forkNamespace := cs.GetForkNamespace()
+			if forkNamespace != nil {
+				owner = *forkNamespace
+			} else {
+				u, err := getCloneURL(targetRepo)
+				if err != nil {
+					return nil, errors.Wrap(err, "getting url for forked changeset")
+				}
+
+				owner, _, err = github.SplitRepositoryNameWithOwner(strings.TrimPrefix(u.Path, "/"))
+				if err != nil {
+					return nil, errors.Wrap(err, "getting owner from repo name")
+				}
+			}
+		} else {
+			// Get owner from repo metadata. We expect repo.Metadata to be a github.Repository because the
+			// authentication strategy `AuthenticationStrategyGitHubApp` only applies to GitHub repositories.
+			// so this is a safe type cast.
+			repoMetadata := repo.Metadata.(*github.Repository)
+			owner, _, err = github.SplitRepositoryNameWithOwner(repoMetadata.NameWithOwner)
+			if err != nil {
+				return nil, errors.Wrap(err, "getting owner from repo name")
+			}
 		}
 
 		return withGitHubAppAuthenticator(ctx, tx, css, extSvc, owner)
@@ -542,7 +574,7 @@ func getCloneURL(repo *types.Repo) (*vcs.URL, error) {
 	}
 
 	sort.SliceStable(parsedURLs, func(i, j int) bool {
-		return !parsedURLs[i].IsSSH()
+		return !parsedURLs[i].IsSSH() && parsedURLs[j].IsSSH()
 	})
 
 	return parsedURLs[0], nil