Better permission reporting and CSV file support for groovy examples (#270)

jonico · web-flow · commit c3f12cb245e6 · 2019-12-06T18:30:53.000+01:00
* Added CSV and permission details to PrintRepoAccess

* bumped library number
* introduced -c parameter to support reading repository names from CSV 
files
* introduced -p parameter to print detailed permissions about user 
access

* Added CSV file support for AuditUsers

* introduced -c option to read users from CSV file
* renamed skipPublicRepo option and made it opt-in
* use CSV file header for generated output

* Added extended permission reporting option

* added -e switch to split repositories based on access type
diff --git a/api/groovy/AuditUsers.groovy b/api/groovy/AuditUsers.groovy
@@ -2,38 +2,40 @@
 
 /**
  * groovy script to show all repositories that can be accessed by given users on an GitHub Enterprise instance
- * 
- * 
+ *
+ *
  * Run 'groovy AuditUsers.groovy' to see the list of command line options
- * 
+ *
  *  First run may take some time as required dependencies have to get downloaded, then it should be quite fast
- *  
+ *
  *  If you do not have groovy yet, run 'brew install groovy'
  */
 
-@Grab(group='org.kohsuke', module='github-api', version='1.75')
+@Grab(group='org.kohsuke', module='github-api', version='1.99')
 @Grab(group='org.codehaus.groovy.modules.http-builder', module='http-builder', version='0.7.2' )
 import org.kohsuke.github.GitHub
 import groovyx.net.http.RESTClient
 import static groovyx.net.http.ContentType.*
 import groovy.json.JsonOutput
+import org.kohsuke.github.GHMyself.RepositoryListFilter
 
 
 // parsing command line args
 cli = new CliBuilder(usage: 'groovy AuditUsers.groovy [options] [user accounts]\nReports all repositories that can be accessed by given users')
 cli.t(longOpt: 'token', 'personal access token of a GitHub Enterprise site admin with repo skope (or use GITHUB_TOKEN env variable)', required: false  , args: 1 )
 cli.u(longOpt: 'url', 'GitHub Enterprise URL (or use GITHUB_URL env variable), e.g. https://myghe.com', required: false  , args: 1 )
-cli.s(longOpt: 'skipPublicRepos', 'Do not print publicly available repositories at the end of the report', required: false  , args: 0 )
+cli.p(longOpt: 'printPublicRepos', 'Print publicly available repositories at the end of the report', required: false  , args: 0 )
 cli.h(longOpt: 'help', 'Print this usage info', required: false  , args: 0 )
+cli.c(longOpt: 'csv', 'CSV file with users in the format produced by stafftools/reports (show access for all contained users)', required: false, args: 1)
+cli.e(longOpt: 'extendedpermissions', 'Print extended permissions (ALL, OWNER, PUBLIC, PRIVATE, MEMBER) why a repository can be accessed by that user, needs 4 times more API calls', required: false, args: 0)
 
 OptionAccessor opt = cli.parse(args)
 
 token = opt.t?opt.t:System.getenv("GITHUB_TOKEN")
 url = opt.u?opt.u:System.getenv("GITHUB_URL")
-listOnly = opt.l
 
 // bail out if help parameter was supplied or not sufficient input to proceed
-if (opt.h || !token || !url || opt.arguments().size() == 0) {
+if (opt.h || !token || !url) {
 	cli.usage()
 	return
 }
@@ -44,10 +46,37 @@ url = url.replaceAll('/\$', "")
 
 RESTClient restSiteAdmin = getGithubApi(url , token)
 
+// printing header
+
+println "user,accesstype,repo,owner,private,read,write,admin,url"
+
 // iterate over all supplied users
 opt.arguments().each {
-	user=it
-	println "Showing repositories accessible for user ${user} ... "
+  printAccessRightsForUser(it, restSiteAdmin, opt.e)
+}
+
+if (opt.c) {
+  userCSVFile = new File(opt.c)
+  if (!userCSVFile.isFile()) {
+    printErr "${userCSVFile.canonicalPath} is not a file"
+    return
+  }
+  boolean firstLine=true
+  userCSVFile.splitEachLine(',') { line ->
+    if (firstLine) {
+      firstLine=false
+    } else {
+      // only display access rights for non-suspended users
+      if (line[5] == "false")
+        printAccessRightsForUser(line[2], restSiteAdmin, opt.e)
+    }
+  }
+}
+
+// END MAIN
+
+def printAccessRightsForUser(user, restSiteAdmin, extendedPermissions) {
+	//println "Showing repositories accessible for user ${user} ... "
 	try {
 		// get temporary access token for given user
 		resp = restSiteAdmin.post(
@@ -57,13 +86,20 @@ opt.arguments().each {
 
 		assert resp.data.token != null
 		userToken = resp.data.token
-		
+
 		try {
-			// list all accessible repositories in organizations and personal repositories of this user
-			userRepos = GitHub.connectToEnterprise("${url}/api/v3", userToken).getMyself().listAllRepositories()
+      gitHubUser = GitHub.connectToEnterprise("${url}/api/v3", userToken).getMyself()
+
+      Set repositories = []
 
-			// further fields available on http://github-api.kohsuke.org/apidocs/org/kohsuke/github/GHRepository.html#method_summary  
-			userRepos.each { println "user: ${user}, repo: ${it.name}, owner: ${it.ownerName}, private: ${it.private}, read: ${it.hasPullAccess()}, write: ${it.hasPushAccess()}, admin: ${it.hasAdminAccess()}, url: ${it.getHtmlUrl()}"    }
+      if (!extendedPermissions) {
+        printRepoAccess(gitHubUser, RepositoryListFilter.ALL, repositories)
+      } else {
+        printRepoAccess(gitHubUser, RepositoryListFilter.OWNER, repositories)
+        printRepoAccess(gitHubUser, RepositoryListFilter.MEMBER, repositories)
+        printRepoAccess(gitHubUser, RepositoryListFilter.PRIVATE, repositories)
+        printRepoAccess(gitHubUser, RepositoryListFilter.PUBLIC, repositories)
+      }
 		}
 		finally {
 			// delete the personal access token again even if we ran into an exception
@@ -73,11 +109,11 @@ opt.arguments().each {
 		println ""
 	} catch (Exception e) {
 		e.printStackTrace()
-		println "An error occurred while fetching repositories for user ${user}, continuing with the next user ..."
+		printErr "An error occurred while fetching repositories for user ${user}, continuing with the next user ..."
 	}
 }
 
-if (!opt.s) {
+if (opt.p) {
 	println "Showing repositories accessible by any logged in user ..."
 	publicRepos = GitHub.connectToEnterprise("${url}/api/v3", token).listAllPublicRepositories()
 	// further fields on http://github-api.kohsuke.org/apidocs/org/kohsuke/github/GHRepository.html#method_summary
@@ -91,3 +127,20 @@ def RESTClient getGithubApi(url, token) {
 		it
 	}
 }
+
+def printRepoAccess(gitHubUser, repoTypeFilter, alreadyProcessedRepos) {
+  // list all accessible repositories in organizations and personal repositories of this user
+  userRepos = gitHubUser.listRepositories(100, repoTypeFilter)
+
+  // further fields available on http://github-api.kohsuke.org/apidocs/org/kohsuke/github/GHRepository.html#method_summary
+  userRepos.each {
+      if (!alreadyProcessedRepos.contains(it.htmlUrl)) {
+        println "${gitHubUser.login},${repoTypeFilter},${it.name},${it.ownerName},${it.private},${it.hasPullAccess()},${it.hasPushAccess()},${it.hasAdminAccess()},${it.htmlUrl}"
+        alreadyProcessedRepos.add(it.htmlUrl)
+      }
+    }
+}
+
+def printErr (msg) {
+  System.err.println "ERROR: ${msg}"
+}
diff --git a/api/groovy/PrintRepoAccess.groovy b/api/groovy/PrintRepoAccess.groovy
@@ -4,7 +4,7 @@
  * groovy script to show all users that can access a given repository in a GitHub Enterprise instance
  *
  * Run 'groovy PrintRepoAccess.groovy' to see the list of command line options
- * 
+ *
  * Example on how to list access rights for repos foo/bar and bar/foo on GitHub Enterprise instance https://foobar.com:
  *
  * groovy PrintRepoAccess.groovy  -u https://foobar.com -t <access token> foo/bar bar/foo
@@ -20,26 +20,29 @@
  *
  * Apart from Groovy (and Java), you do not need to install any libraries on your system as the script will download them when you first start it
  * The first run may take some time as required dependencies have to get downloaded, then it should be quite fast
- *  
+ *
  * If you do not have groovy yet, run 'brew install groovy' on a Mac, for Windows and Linux follow the instructions here:
  * http://groovy-lang.org/install.html
  *
  */
 
-@Grab(group='org.kohsuke', module='github-api', version='1.75')
+@Grab(group='org.kohsuke', module='github-api', version='1.99')
 import org.kohsuke.github.GitHub
 
 // parsing command line args
 cli = new CliBuilder(usage: 'groovy PrintRepoAccess.groovy [options] [repos]\nPrint out users that can access the repos specified, ALL if public repo')
 cli.t(longOpt: 'token', 'personal access token of a GitHub Enterprise site admin with repo scope (or use GITHUB_TOKEN env variable)', required: false  , args: 1 )
 cli.u(longOpt: 'url', 'GitHub Enterprise URL (or use GITHUB_URL env variable), e.g. https://myghe.com', required: false  , args: 1 )
 cli.l(longOpt: 'localDirectory', 'Directory with org/repo directory structure (show access for all contained repos)', required: false, args: 1)
+cli.c(longOpt: 'csv', 'CSV file with repositories in the format produced by stafftools/reports (show access for all contained repos)', required: false, args: 1)
 cli.h(longOpt: 'help', 'Print this usage info', required: false  , args: 0 )
+cli.p(longOpt: 'permissions', 'Print user permissions on repo', required: false  , args: 0 )
 
 OptionAccessor opt = cli.parse(args)
 
 token = opt.t?opt.t:System.getenv("GITHUB_TOKEN")
 url = opt.u?opt.u:System.getenv("GITHUB_URL")
+printPerms = opt.p
 
 // bail out if help parameter was supplied or not sufficient input to proceed
 if (opt.h || !token || !url ) {
@@ -68,6 +71,15 @@ if (opt.l) {
   printAccessRightsForStoredRepos(localRepoStore)
 }
 
+if (opt.c) {
+  repoCSVFile = new File(opt.c)
+  if (!repoCSVFile.isFile()) {
+    printErr "${repoCSVFile.canonicalPath} is not a file"
+    return
+  }
+  printAccessRightsForCSVFile(repoCSVFile)
+}
+
 // END OF MAIN
 
 def printAccessRightsForRepo(org, repo) {
@@ -82,7 +94,7 @@ def printAccessRightsForRepo(org, repo) {
       println "${org}/${repo},ALL"
     } else {
       ghRepo.getCollaboratorNames().each {
-        println "${org}/${repo},${it}"
+        println "${org}/${repo},${it}"+ (printPerms?","+ghRepo.getPermission(it):"")
       }
     }
   } catch (Exception e) {
@@ -111,6 +123,17 @@ def printAccessRightsForStoredRepos(localRepoStore) {
   }
 }
 
+def printAccessRightsForCSVFile(csvFile) {
+  boolean firstLine=true
+  repoCSVFile.splitEachLine(',') { line ->
+    if (firstLine) {
+      firstLine=false
+    } else {
+      printAccessRightsForRepo(line[3],line[5])
+    }
+  }
+}
+
 def printErr (msg) {
   System.err.println "ERROR: ${msg}"
 }
