author | Arthur Schiwon <blizzz@arthur-schiwon.de> | 2022-04-05 14:40:04 +0300 |
---|---|---|
committer | Arthur Schiwon <blizzz@arthur-schiwon.de> | 2022-04-05 14:52:18 +0300 |
commit | 6b9e245266a5234d43c831e3457acc36e515dc63 (patch) | |
tree | 5aeb9b51293f7acc7e7997970f6331c91901a73f | |
parent | e9368e65243acef1b8f4d75d2784d0f83b7463c7 (diff) |
add tool to check non-default permissions of a github user
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
-rw-r--r-- | collaboration-checker/README.md | 12 | ||||
-rw-r--r-- | collaboration-checker/check.php | 78 | ||||
-rw-r--r-- | collaboration-checker/composer.json | 7 |
3 files changed, 97 insertions, 0 deletions
diff --git a/collaboration-checker/README.md b/collaboration-checker/README.md
new file mode 100644
index 0000000..d693a44
--- /dev/null
+++ b/collaboration-checker/README.md
@@ -0,0 +1,12 @@
+# collaboration-checker
+
+```bash
+php check.php [--verbose] github_user
+```
+
+Tests whether the provider user has collaborative access to the repos in the organizations `nextcloud`, `nextcloud-release` and `nextcloud-gmbh`.
+
+The result in JSON format shows the repos to which the user has access to, with the permission level and role name. Repos are not listed when:
+1. The user lacks permissions
+2. The user has read permissions on repos of public organizations
+3. The user has simple write permissions on repos of `nextcloud`
diff --git a/collaboration-checker/check.php b/collaboration-checker/check.php
new file mode 100644
index 0000000..633867a
--- /dev/null
+++ b/collaboration-checker/check.php
@@ -0,0 +1,78 @@
+<?php
+
+declare(strict_types=1);
+
+if(count($argv) < 2) {
+ die("check.php [--verbose] github_user\n");
+}
+
+require_once 'vendor/autoload.php';
+
+$isVerbose = $argv[1] === '--verbose';
+$githubUser = $isVerbose ? $argv[2] : $argv[1];;
+
+const ORGANIZATIONS = ['nextcloud', 'nextcloud-releases', 'nextcloud-gmbh'];
+$ghClient = initGithubClient();
+
+$results = [];
+foreach (ORGANIZATIONS as $organization) {
+ $results[$organization] = [];
+ $page = 1;
+
+ printVerbose('Checking ' . $organization);
+ do {
+ try {
+ printVerbose(PHP_EOL . 'Page ' . $page);
+ $repos = $ghClient->organization()->repositories($organization, 'all', $page);
+ } catch (\Github\Exception\RuntimeException $e) {
+ if ($e->getMessage() === 'Not Found') {
+ $repos = [];
+ } else {
+ throw $e;
+ }
+ }
+ $page++;
+ foreach ($repos as $repo) {
+ printVerbose('.');
+ try {
+ $collaborator = $ghClient->repository()->collaborators()->permission($organization, $repo['name'], $githubUser);
+ } catch (\Github\Exception\RuntimeException $e) {
+ if ($e->getMessage() === 'Not Found') {
+ printVerbose(PHP_EOL . 'No permissions reported on ' . $repo['name'] . PHP_EOL);
+ continue;
+ }
+ throw $e;
+ }
+ if ($collaborator['permission'] === 'none') {
+ continue;
+ }
+ // ignore read access on public organizations
+ if ($collaborator['permission'] === 'read' && $repo['private'] === false) {
+ continue;
+ }
+ // ignore simple write access on public main organization
+ if ($collaborator['permission'] === 'write' && $organization === 'nextcloud') {
+ continue;
+ }
+ $results[$organization][] = [ 'repo' => $repo['name'], 'permissions' => $collaborator['permission'], 'role' => $collaborator['role_name'] ] ;
+ }
+ } while (!empty($repos));
+ printVerbose(PHP_EOL . PHP_EOL);
+}
+
+print(\json_encode($results, JSON_PRETTY_PRINT) . PHP_EOL);
+
+function initGithubClient(): \Github\Client {
+ $client = $client = new \Github\Client();
+ $authentication = \json_decode(file_get_contents(__DIR__ . '/../credentials.json'));
+ $client->authenticate($authentication->apikey, Github\AuthMethod::ACCESS_TOKEN);
+ return $client;
+}
+
+function printVerbose(string $msg) {
+ global $isVerbose;
+ if (!$isVerbose) {
+ return;
+ }
+ print($msg);
+}
diff --git a/collaboration-checker/composer.json b/collaboration-checker/composer.json
new file mode 100644
index 0000000..ff1dd8f
--- /dev/null
+++ b/collaboration-checker/composer.json
@@ -0,0 +1,7 @@
+{
+ "require": {
+ "knplabs/github-api": "^3.6",
+ "guzzlehttp/guzzle": "^7.4",
+ "ext-json": "*"
+ }
+}
|
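Review bot: Both `Not Found` handlers in check.php fail open for an audit tool: a 404 from `repositories()` sets `$repos = []` and a 404 from `permission()` only `continue`s, so an organization or repo the token cannot see is reported exactly like one where the user has no access. GitHub commonly answers 404 rather than 403 for resources hidden from the caller, and the README in this commit names `nextcloud-release` while `ORGANIZATIONS` has `nextcloud-releases`, so a wrong name on either side would go unnoticed. I would surface these cases regardless of `--verbose`, e.g. `fwrite(STDERR, "cannot inspect {$organization}: Not Found" . PHP_EOL);`, and exit non-zero when any organization could not be listed. Separately, the `write` filter tests the legacy `permission` field, to which GitHub documents the `maintain` role as being mapped, so it likely hides maintainers on `nextcloud`; comparing `$collaborator['role_name'] === 'write'` instead would keep them in the output.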
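Review bot: No `composer.lock` accompanies this manifest, so each install resolves `knplabs/github-api` `^3.6` and `guzzlehttp/guzzle` `^7.4` to whatever is current at that moment. Because check.php loads these packages in the same process that reads the API key from `credentials.json`, committing the lockfile and installing with `composer install` would keep the dependency set pinned and reviewable. This is inferred from the three files in the diffstat; a lockfile may be ignored elsewhere in the repository.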