Merge pull request #41 from nextcloud/add_collab_checker

add tool to check non-default permissions of a github user

3 files changed, 97 insertions, 0 deletions

diff --git a/collaboration-checker/README.md b/collaboration-checker/README.md
new file mode 100644
index 0000000..d693a44
--- /dev/null
+++ b/collaboration-checker/README.md
@@ -0,0 +1,12 @@
+# collaboration-checker
+
+```bash
+php check.php [--verbose] github_user
+```
+
+Tests whether the provider user has collaborative access to the repos in the organizations `nextcloud`, `nextcloud-release` and `nextcloud-gmbh`. 
+
+The result in JSON format shows the repos to which the user has access to, with the permission level and role name. Repos are not listed when:
+1. The user lacks permissions
+2. The user has read permissions on repos of public organizations
+3. The user has simple write permissions on repos of `nextcloud`
diff --git a/collaboration-checker/check.php b/collaboration-checker/check.php
new file mode 100644
index 0000000..633867a
--- /dev/null
+++ b/collaboration-checker/check.php
@@ -0,0 +1,78 @@
+<?php
+
+declare(strict_types=1);
+
+if(count($argv) < 2) {
+	die("check.php [--verbose] github_user\n");
+}
+
+require_once 'vendor/autoload.php';
+
+$isVerbose = $argv[1] === '--verbose';
+$githubUser = $isVerbose ? $argv[2] : $argv[1];;
+
+const ORGANIZATIONS = ['nextcloud', 'nextcloud-releases', 'nextcloud-gmbh'];
+$ghClient = initGithubClient();
+
+$results = [];
+foreach (ORGANIZATIONS as $organization) {
+	$results[$organization] = [];
+	$page = 1;
+
+	printVerbose('Checking ' . $organization);
+	do {
+		try {
+			printVerbose(PHP_EOL . 'Page ' . $page);
+			$repos = $ghClient->organization()->repositories($organization, 'all', $page);
+		} catch (\Github\Exception\RuntimeException $e) {
+			if ($e->getMessage() === 'Not Found') {
+				$repos = [];
+			} else {
+				throw $e;
+			}
+		}
+		$page++;
+		foreach ($repos as $repo) {
+			printVerbose('.');
+			try {
+				$collaborator = $ghClient->repository()->collaborators()->permission($organization, $repo['name'], $githubUser);
+			} catch (\Github\Exception\RuntimeException $e) {
+				if ($e->getMessage() === 'Not Found') {
+					printVerbose(PHP_EOL . 'No permissions reported on ' . $repo['name'] . PHP_EOL);
+					continue;
+				}
+				throw $e;
+			}
+			if ($collaborator['permission'] === 'none') {
+				continue;
+			}
+			// ignore read access on public organizations
+			if ($collaborator['permission'] === 'read' && $repo['private'] === false) {
+				continue;
+			}
+			// ignore simple write access on public main organization
+			if ($collaborator['permission'] === 'write' && $organization === 'nextcloud') {
+				continue;
+			}
+			$results[$organization][] = [ 'repo' => $repo['name'], 'permissions' => $collaborator['permission'], 'role' => $collaborator['role_name'] ] ;
+		}
+	} while (!empty($repos));
+	printVerbose(PHP_EOL . PHP_EOL);
+}
+
+print(\json_encode($results, JSON_PRETTY_PRINT) . PHP_EOL);
+
+function initGithubClient(): \Github\Client {
+	$client = $client = new \Github\Client();
+	$authentication = \json_decode(file_get_contents(__DIR__ . '/../credentials.json'));
+	$client->authenticate($authentication->apikey, Github\AuthMethod::ACCESS_TOKEN);
+	return $client;
+}
+
+function printVerbose(string $msg) {
+	global $isVerbose;
+	if (!$isVerbose) {
+		return;
+	}
+	print($msg);
+}
diff --git a/collaboration-checker/composer.json b/collaboration-checker/composer.json
new file mode 100644
index 0000000..ff1dd8f
--- /dev/null
+++ b/collaboration-checker/composer.json
@@ -0,0 +1,7 @@
+{
+    "require": {
+        "knplabs/github-api": "^3.6",
+        "guzzlehttp/guzzle": "^7.4",
+        "ext-json": "*"
+    }
+}