advanced-security
diff --git a/‎.gitignore‎
Lines changed: 3 additions & 0 deletions b/‎.gitignore‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 14 additions & 10 deletions b/‎README.md‎
Lines changed: 14 additions & 10 deletions
diff --git a/‎manage-sec-team.py‎
Lines changed: 173 additions & 75 deletions b/‎manage-sec-team.py‎
Lines changed: 173 additions & 75 deletions
@@ -134,3 +134,6 @@ dmypy.json
 
 # Pyre type checker
 .pyre/
+
+# vscode settings
+.vscode/
@@ -1,12 +1,14 @@
 # Enterprise security management teams
 
-This set of scripts provides some basics of organization governance to GitHub Enterprise (cloud or server) administrators.  The scripts will give you a list of all organizations in the enterprise as a CSV to work with programmatically, add you to all organizations as an owner, and can create/manage a team with the security manager role to see all GitHub Advanced Security alerts throughout the entire enterprise _without_ having admin rights to that code.
+These scripts provide an emulated Enterprise security manager team to GitHub Enterprise (cloud or server) administrators by using the existing organization security manager role.
+
+The scripts will give you a list of all organizations in the enterprise as a CSV to work with programmatically, add you to all organizations as an owner, and can create/manage a team with the security manager role to see all GitHub Advanced Security alerts throughout the entire enterprise _without_ having admin rights to that code.
 
 :information_source:  This uses the [security manager role](https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/managing-security-managers-in-your-organization) and parts of the GraphQL API that is available in GitHub.com (free/pro/teams and enterprise), as well as GitHub Enterprise Server versions 3.5 and higher.
 
 ## Scripts
 
-1. [`org-admin-promote.py`](/org-admin-promote.py) replaces some of the functionality of `ghe-org-admin-promote` ([link](https://docs.github.com/en/enterprise-server@latest/admin/configuration/configuring-your-enterprise/command-line-utilities#ghe-org-admin-promote)), a built-in shell command on GHES that promotes an enterprise admin to own all organizations in the enterprise.  It also outputs a CSV file similar to the `all_organizations.csv` [report](https://docs.github.com/en/enterprise-server@latest/admin/configuration/configuring-your-enterprise/site-admin-dashboard#reports), to better inventory organizations.
+1. [`org-admin-promote.py`](/org-admin-promote.py) replaces some of the functionality of [`ghe-org-admin-promote`](https://docs.github.com/en/enterprise-server@latest/admin/configuration/configuring-your-enterprise/command-line-utilities#ghe-org-admin-promote), a built-in shell command on GHES that promotes an enterprise admin to own all organizations in the enterprise.  It also outputs a CSV file similar to the `all_organizations.csv` [report](https://docs.github.com/en/enterprise-server@latest/admin/configuration/configuring-your-enterprise/site-admin-dashboard#reports), to better inventory organizations.
 1. [`manage-sec-team.py`](/manage-sec-team.py) creates a team in each organization, assigns it the security manager role, and then adds the people you want to that team (and removes the rest).
 1. [`org-admin-demote.py`](/org-admin-demote.py) takes the text file of orgs that the user wasn't already an owner of and "un-does" that promotion to org owner.  The goal is to keep the admin account's notifications uncluttered, but running this is totally optional.
 
@@ -24,13 +26,15 @@ You need to be an enterprise administrator to use these scripts!
     pip install -r requirements.txt
     ```
 
-1. Edit the inputs at the start of the script as follows:
-    - (for GHES) the API endpoint
-    - Create a file called `token.txt` and save your token there to read it.
-    - Add the enterprise slug, a string URL version of the enterprise identity.  It's easily available in the enterprise admin url (for cloud and server), e.g. `https://github.com/enterprises/ENTERPRISE-SLUG-HERE`.
-    - (for the security manager team), the list of orgs output by `org-admin-promote.py` and the name of the security manager team and the team members to add.
+1. Edit the inputs as arguments to the script as follows:
+
+    - the API endpoint (for GHES, EMU, or data residency) in `--api-url`. For GHEC this is not required.
+    - Create a file and save your token there to read it, and call the script with `--token-file` argument, or call the script with the token in `GITHUB_TOKEN` in your environment.
+    - Add the enterprise slug to `--enterprise-slug`. This is string URL version of the enterprise identity.  It's easily available in the enterprise admin url (for cloud and server), e.g. `https://github.com/enterprises/ENTERPRISE-SLUG-HERE`.
+    - For the security manager team script, the list of orgs output by `org-admin-promote.py` in `--unmanaged-orgs` and the name of the security manager team and the team members to add, in `--team-name` and `--team-members`. If you are using GHES 3.15 or below, please use the `--legacy` flag to use the legacy security managers API.
+
+1. Run them in the following order:
 
-1. Run them in the following order, deciding where to stop.
     1. `org-admin-promote.py` to add the enterprise admin to all organizations as an owner, creating a CSV of organizations.
     1. `manage-sec-team.py` to create a security manager team on all organizations and manage the members.
     1. `org-admin-demote.py` will remove the enterprise admin from all the organizations the previous script added them to.
@@ -69,7 +73,7 @@ Team spy-stuff updated as a security manager for testorg-00003!
 - Scripts that do things are in the root directory.
 - Functions that do small parts are in `/src`, grouped roughly by what part of GitHub they work on.
 - All Python code is formatted with [black](https://black.readthedocs.io/en/stable/) because it's simple and beautiful and no one needs to think about style.
-- Python dependencies are minimal by default.  There are two, both kept up-to-date with [Dependabot](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates).  You can check out the config file [here](.github/dependabot.yml) if you'd like.
+- Python dependencies are minimal by default.  There are two, both kept up-to-date with [Dependabot](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates).  You can [check out the config file](.github/dependabot.yml) if you'd like.
   - [requests](https://pypi.org/project/requests/) is a simple and extremely popular HTTP library.
-  - [defusedcsv](https://github.com/raphaelm/defusedcsv) is used over CSV to mitigate potential spreadsheet application exploitations based on how it processes user-generated data.  OWASP has written much more about CSV injection attacks on their website [here](https://owasp.org/www-community/attacks/CSV_Injection).
+  - [defusedcsv](https://github.com/raphaelm/defusedcsv) is used over CSV to mitigate potential spreadsheet application exploitations based on how it processes user-generated data.  OWASP has [written much more about CSV injection attacks on their website](https://owasp.org/www-community/attacks/CSV_Injection).
 - The CSV files and TXT files are in the `.gitignore` file to not be accidentally committed into the repo.
@@ -1,98 +1,196 @@
 #!/usr/bin/env python3
 
 """
-This script manages a team in each organization that the user running this owns
+Manages a team in each organization that the user running this owns
 within the enterprise.  It is meant to be run after `org-admin-promote.py` to
 create/update a team with the "security manager" role.
 
 Inputs:
-- GitHub API endpoint
-- PAT with `enterprise:admin` scope, read from a file called `token.txt`
+- GitHub API endpoint (defaults to https://api.github.com)
+- PAT with `admin:enterprise` and `admin:org` scope, read from a named file (or GITHUB_TOKEN if that is not provided)
 - `all_orgs.csv` file from `org-admin-promote.py`
 - Team name for the security manager team
 - List of security manager team members by handle
 
 Outputs:
-- Prints the org names the enterprise admin was removed from to `stdout`
+- Prints the members that were added to and removed from the security managers team
 """
 
-# Imports
+from argparse import ArgumentParser
+from typing import Any
 from defusedcsv import csv
-from src import teams, organizations
-
-# Inputs
-api_url = "https://api.github.com"  # for GHEC
-# api_url = "https://GHES-HOSTNAME-HERE/api/v3"  # for GHES/GHAE
-
-# github_pat = "GITHUB-PAT-HERE"  # if you want to set that manually
-with open("token.txt", "r") as f:
-    github_pat = f.read().strip()
-    f.close()
-
-# List of organizations (filename)
-org_list = "all_orgs.csv"
-
-# Team name for the security manager team
-sec_team_name = "security-managers"
-
-# List of security manager team members by handle
-sec_team_members = ["teammate1", "teammate2", "teammate3"]
-
-# Read in the org list
-with open(org_list, "r") as f:
-    orgs = list(csv.DictReader(f))
-
-# Set up the headers
-headers = {
-    "Authorization": "token {}".format(github_pat),
-    "Accept": "application/vnd.github.v3+json",
-}
-
+from src import teams, organizations, github_token
+import logging
+
+LOG = logging.getLogger(__name__)
+
+
+def add_args(parser) -> None:
+    """Add arguments to the command line parser."""
+    parser.add_argument(
+        "--api-url",
+        default="https://api.github.com",
+        help="GitHub API URL (https://github-hostname-here/api/v3/ for GHES, EMU or data residency)",
+    )
+    parser.add_argument(
+        "--token-file", required=False, help="GitHub Personal Access Token file (or use GITHUB_TOKEN)"
+    )
+    parser.add_argument(
+        "--org-list", default="all_orgs.csv", help="CSV file of organizations"
+    )
+    parser.add_argument(
+        "--sec-team-name", default="security-managers", help="Security team name"
+    )
+    parser.add_argument("--sec-team-members", nargs="*", help="Security team members")
+    parser.add_argument("--sec-team-members-file", required=False, help="Security team members file")
+    parser.add_argument("--legacy", action="store_true", help="Use legacy API endpoints to manage the security managers")
+    parser.add_argument(
+        "--debug",
+        "-d",
+        action="store_true",
+        help="Enable debug logging",
+    )
+
+
+def make_security_managers_team(
+    org_name: str, sec_team_name: str, api_url: str, headers: dict[str, str], legacy=False
+) -> None:
+    """Create or update the security managers team in the specified organization."""
+    security_manager_role_id: str | None = None
+
+    if not legacy:
+        org_roles: dict[str, Any] = organizations.list_org_roles(api_url, headers, org_name)
+
+        # Check if the "security manager" role exists
+        if "roles" not in org_roles:
+            LOG.error("⨯ Malformed response from GitHub API")
+            return
+
+        security_manager_role_id_list = [role["id"] for role in org_roles["roles"] if role["name"] == "security_manager"]
+        if not security_manager_role_id_list:
+            LOG.error("⨯ Organization {} does not have a security manager role".format(org_name))
+            return
+        security_manager_role_id = security_manager_role_id_list[0]
+
+    # Get the list of teams
+    teams_info = teams.list_teams(api_url, headers, org_name)
+    teams_list = [team["name"] for team in teams_info]
+
+    # Create the team if it doesn't exist
+    if sec_team_name not in teams_list:
+        LOG.info("Creating team {}".format(sec_team_name))
+        try:
+            teams.create_team(api_url, headers, org_name, sec_team_name)
+        except Exception as e:
+            LOG.error("⨯ Failed to create team {}: {}".format(sec_team_name, e))
+
+    # Update that team to have the "security manager" role
+    try:
+        # only update it if the team does not already have the role
+        if not teams.has_team_role(api_url, headers, org_name, sec_team_name, security_manager_role_id, legacy=legacy):
+            teams.change_team_role(api_url, headers, org_name, sec_team_name, security_manager_role_id, legacy=legacy)
+            LOG.info(
+                "✓ Team {} updated as a security manager for {}".format(sec_team_name, org_name)
+            )
+        else:
+            LOG.debug("✓ Team {} already has the security manager role for {}".format(sec_team_name, org_name))
+    except Exception as e:
+        LOG.error("⨯ Failed to update team {}: {}".format(sec_team_name, e))
+        if LOG.getEffectiveLevel() == logging.DEBUG:
+            raise e
+
+
+def add_security_managers_to_team(
+    org_name: str,
+    sec_team_name: str,
+    sec_team_members: list[str],
+    api_url: str,
+    headers: dict[str, str],
+) -> None:
+    """Add security managers to the specified team in the organization."""
+    # Get the list of org members, adding the missing ones to the org
+    org_members = organizations.list_org_users(api_url, headers, org_name)
+    org_members_list = [member["login"] for member in org_members]
+    for username in sec_team_members:
+        if username not in org_members_list:
+            LOG.info("Adding {} to {}".format(username, org_name))
+            try:
+                organizations.add_org_user(api_url, headers, org_name, username)
+            except Exception as e:
+                LOG.error("⨯ Failed to add user {} to org {}: {}".format(username, org_name, e))
+                return
+
+    # Get the list of team members, adding the missing ones to the team and removing the extra ones
+    team_members = teams.list_team_members(api_url, headers, org_name, sec_team_name)
+    team_members_list = [member["login"] for member in team_members]
+    for username in team_members_list:
+        if username not in sec_team_members:
+            LOG.info("Removing {} from {}".format(username, sec_team_name))
+            try:
+                teams.remove_team_member(
+                    api_url, headers, org_name, sec_team_name, username
+                )
+            except Exception as e:
+                LOG.error("⨯ Failed to remove user {} from team {}: {}".format(username, sec_team_name, e))
+                return
+    for username in sec_team_members:
+        if username not in team_members_list:
+            LOG.info("Adding {} to {}".format(username, sec_team_name))
+            try:
+                teams.add_team_member(api_url, headers, org_name, sec_team_name, username)
+            except Exception as e:
+                LOG.error("⨯ Failed to add user {} to team {}: {}".format(username, sec_team_name, e))
+                return
+        else:
+            LOG.debug("✓ User {} is already a member of {}".format(username, sec_team_name))
+
+
+def main() -> None:
+    """Command line entrypoint."""
+    parser = ArgumentParser(description=__doc__)
+    add_args(parser)
+    args = parser.parse_args()
+
+    logging.basicConfig(level=logging.DEBUG if args.debug else logging.INFO)
+
+    # Read in the org list
+    with open(args.org_list, "r") as f:
+        orgs = list(csv.DictReader(f))
+
+    github_pat = github_token.read_token(args.token_file)
+
+    if not github_pat:
+        LOG.error("⨯ GitHub Personal Access Token not found")
+        return
+
+    if args.sec_team_members and args.sec_team_members_file:
+        LOG.error("⨯ Please use either --sec-team-members or --sec-team-members-file")
+        return
+
+    sec_team_members = []
+    if args.sec_team_members_file:
+        with open(args.sec_team_members_file, "r") as f:
+            sec_team_members = [line.strip() for line in f if line.strip()]
+    elif args.sec_team_members:
+        sec_team_members = args.sec_team_members
+    else:
+        LOG.error("⨯ Please provide either --sec-team-members or --sec-team-members-file")
+        return
+
+    # Set up the headers
+    headers = {
+        "Authorization": "token {}".format(github_pat),
+    }
 
-if __name__ == "__main__":
     # For each organization, do
     for org in orgs:
         org_name = org["login"]
 
-        # Get the list of teams
-        teams_info = teams.list_teams(api_url, headers, org_name)
-        teams_list = [team["name"] for team in teams_info]
-
-        # Create the team if it doesn't exist
-        if sec_team_name not in teams_list:
-            print("Creating team {}".format(sec_team_name))
-            teams.create_team(api_url, headers, org_name, sec_team_name)
-
-        # Update that team to have the "security manager" role
-        teams.change_team_role(api_url, headers, org_name, sec_team_name)
-        print(
-            "Team {} updated as a security manager for {}!".format(
-                sec_team_name, org_name
-            )
+        make_security_managers_team(org_name, args.sec_team_name, args.api_url, headers, legacy=args.legacy)
+        add_security_managers_to_team(
+            org_name, args.sec_team_name, sec_team_members, args.api_url, headers
         )
 
-        # Get the list of org members, adding the missing ones to the org
-        org_members = organizations.list_org_users(api_url, headers, org_name)
-        org_members_list = [member["login"] for member in org_members]
-        for username in sec_team_members:
-            if username not in org_members_list:
-                print("Adding {} to {}".format(username, org_name))
-                organizations.add_org_user(api_url, headers, org_name, username)
 
-        # Get the list of team members, adding the missing ones to the team and removing the extra ones
-        team_members = teams.list_team_members(
-            api_url, headers, org_name, sec_team_name
-        )
-        team_members_list = [member["login"] for member in team_members]
-        for username in team_members_list:
-            if username not in sec_team_members:
-                print("Removing {} from {}".format(username, sec_team_name))
-                teams.remove_team_member(
-                    api_url, headers, org_name, sec_team_name, username
-                )
-        for username in sec_team_members:
-            if username not in team_members_list:
-                print("Adding {} to {}".format(username, sec_team_name))
-                teams.add_team_member(
-                    api_url, headers, org_name, sec_team_name, username
-                )
+if __name__ == "__main__":
+    main()