-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathGithubRepoChecker
More file actions
446 lines (409 loc) · 26.7 KB
/
Copy pathGithubRepoChecker
File metadata and controls
446 lines (409 loc) · 26.7 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
# written by: Juan van Genderen
# Date: 30/03/2022
# Purpose: Automated check of which teams and their level of permissions exist for a list of repositories or a list of teams on GitHub
import requests
import os
import argparse
from datetime import datetime
from dotenv import load_dotenv
# This class contains the Github API endpoints that will be used
class Endpoints:
# Building the API endpoint to query which Teams exist in a repository along with the permission levels
repo_url = "https://api.github.com/repos/{}/{}/teams"
# Building the API endpoint to query which AAD groups are mapped to a Team Slug
slug_url = "https://api.github.com/orgs/{}/teams/{}/team-sync/group-mappings"
# Building the API endpoint to query which repositories are listed for the Team
teams_url = "https://api.github.com/orgs/{}/teams/{}"
# Building the API endpoint to list the pending Organization invites
pending_invite_url = "https://api.github.com/orgs/{}/invitations"
# Building the API endpoint to list the failed Organization invites
failed_invites_url = "https://api.github.com/orgs/{}/failed_invitations"
# Building the API endpoint to list all repositories
all_repos_url = "https://api.github.com/orgs/{}/repos"
# Building the API endpoint to list all teams
all_teams_url = "https://api.github.com/orgs/{}/teams"
# This class contains the Github Username and Personal Access Token stored within the .env file
class Credentials:
# Supply user credentials to sign in to the GitHub API with personal access token from the .env file within the script directory
load_dotenv()
login = os.getenv('login')
token = os.getenv("github_token")
# This function contains all the arguments the user can supply when running this script and calls the appropriate function
def parse_arg(self):
# Pass command line arguments into the script
parser = argparse.ArgumentParser(prog="githubchecks",
description="You can use this tool to carry out some automated Github checks as the website doesn't allow for bulk checks to be carried out. Check the help file for a full list of supported actions.")
parser.add_argument("org",
help="Please supply the organization where the repositories exist.")
parser.add_argument("-r", "--repos",
action="store_true",
help="This switch tells the script to check the list of repositories (Repos.txt).")
parser.add_argument("-t", "--teams",
action="store_true",
help="This switch tells the script to check the list of teams (Teams.txt).")
parser.add_argument("-pi","--pendinginvites",
action="store_true",
help="This switch tells the script to check the pending invitations.")
parser.add_argument("-fi","--failedinvites",
action="store_true",
help="This switch tells the script to check the failed invitations.")
parser.add_argument ("-rr", "--reportrepos",
action="store_true",
help="This switch tells the script to report on all repositories that exist within the organization.")
parser.add_argument("-rt", "--reportteams",
action="store_true",
help="This switch tells the script to report on all teams that exist within the organization.")
args = parser.parse_args()
self.args = args
# Calling the relevant function based on the arguments supplied by the user
if self.args.repos:
print(f"Reading from the Repos.txt file...\n")
return Credentials.github_repo_team_perms_checker()
if self.args.teams:
print(f"Reading from the Teams.txt file...\n")
return Credentials.github_teams_AAD_relation_checker()
if self.args.pendinginvites:
print(f"Listing all pending invitations to the {self.args.org} organization:\n")
return Credentials.github_pending_invitations_checker()
if self.args.failedinvites:
print(f"Listing all failed invitations for the {self.args.org} organization:\n")
return Credentials.github_failed_invitations_checker()
if self.args.reportrepos:
print(f"Listing all repositories within the {self.args.org} organization:\n")
return Credentials.github_report_all_repos()
if self.args.reportteams:
print(f"Listing all teams within the {self.args.org} organization: \n")
return Credentials.github_report_all_teams()
# This function will retreive the Teams listed for the Github repositories supplied in the Repos.txt file
def github_repo_team_perms_checker(self):
# Headers supplied so GitHub treats request as coming from a web browser in case it decides to reject the requests
headers = {'user-agent': ('Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5)'
'AppleWebKit/537.36 (KHTML, like Gecko)'
'Chrome/45.0.2454.101 Safari/537.36')
}
# If file .env doesn't exist then one will be created with variable placeholders and the script will end
if not os.path.exists('.env'):
with open('.env', 'w') as make_envfile:
make_envfile.write(f"login=\n"
f"github_token=")
print(f"No .env file found!\n"
f"**A .env file has been automatically created**\n"
f"Please enter a valid GitHub username for variable 'login'\n"
f"Please enter a valid Personal Access Token for variable 'github_token'")
exit()
# If file Repos.txt doesn't exist then a blank one will be created and the script will end
if not os.path.exists('Repos.txt'):
with open('Repos.txt', 'w') as make_file_repos:
make_file_repos.write('')
print(f"No Repos.txt file found!\n"
f"**Repos.txt has been automatically created.** \n"
f"Enter each repository name on a new line and save this file!\n")
exit()
# Try to fetch the teams listed for each repository within the Repos.txt file
with open('Repos.txt', 'r') as repo_list, open('.env', 'r'):
lines = repo_list.read().splitlines()
size_repos = os.path.getsize('Repos.txt')
size_env = os.path.getsize('.env')
# Check the Repos.txt file is empty
if size_repos < 1:
print(f"The Repos.txt file is empty, please supply a list of repositories to check!")
# Check if the Credentials variables are empty
if size_env < 1:
print(f"The .env file is empty!")
# Try to obtain Teams information for each repository within the Repos.txt file
for repos in lines:
if not Credentials.login or not Credentials.token:
print(f"No login details supplied within the .env file, please enter valid credentials!")
break
try:
session = requests.Session()
# Building the request which contains the formatted url, headers and login credentials
r = session.get(Endpoints.repo_url.format(self.args.org, repos), headers=headers,
auth=(Credentials.login, Credentials.token), timeout=(1, 5))
print(f"\nTeams within the '{repos}' repository:\n")
json_response = r.json()
r.raise_for_status()
# Check if the team is not managed by an external group
if not json_response:
print(f"[INFO] No Teams listed for this repository, users will need to be manually added to this repository on Github! ")
continue
if r.status_code // 100 == 2:
# By looking at the entire range of the JSON response object, we index to avoid duplicating efforts and gather the slugs so that we can query the next endpoint
for slug in range(len(json_response)):
if json_response[slug]["slug"]:
# Building a new request which contains the formatted url, headers and login credentials because the next set of information we require needs to be obtained from another endpoint
r2 = session.get(Endpoints.slug_url.format(self.args.org, json_response[slug]["slug"]), headers=headers,
auth=(Credentials.login, Credentials.token), timeout=(1, 5))
json_response2 = r2.json()
r2.raise_for_status()
if r2.status_code // 100 == 2:
# For each group that is returned by this endpoint via the JSON response object, we index to avoid duplicating efforts and gather the teams which are managed by external groups
for groups in json_response2:
#Check if the Team is not managed via AAD
if not json_response2['groups']:
print(f"[INFO] The Team {json_response[slug]['name']} is not managed via AAD, users will need to be manually added on Github!")
if json_response2['groups']:
# For each team we now list the AAD Group it is linked to along with their permission levels
for groups in json_response2['groups']:
print(f"The Team {json_response[slug]['name']} is linked to AAD Group {groups['group_name']} with {json_response[slug]['permission']} permissions")
# Catch any timeouts from GitHub
except requests.exceptions.Timeout as timeout:
print(timeout)
# Catch any HTTP response errors from GitHub (EG: error 404 if the repository doesn't exist or you don't have access)
except requests.exceptions.HTTPError as httperror:
print(httperror)
print(f"[ERROR] No repository found called {repos} owned by {self.args.org}")
print(f"Response from the Github API:\n{json_response}")
print(f"------------------------------------------\n")
print(f"[!] Make sure you have no spelling mistakes within the Repos.txt file and that you've entered the right organization!")
# This function will retrieve the AAD groups linked to the Github teams supplied in the Teams.txt file
def github_teams_AAD_relation_checker(self):
# Headers supplied so GitHub treats request as coming from a web browser in case it decides to reject the requests
headers = {'user-agent': ('Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5)'
'AppleWebKit/537.36 (KHTML, like Gecko)'
'Chrome/45.0.2454.101 Safari/537.36')
}
# If file .env doesn't exist then one will be created with variable placeholders and the script will end
if not os.path.exists('.env'):
with open('.env', 'w') as make_envfile:
make_envfile.write(f"login=\n"
f"github_token=")
print(f"No .env file found!\n"
f"**A .env file has been automatically created**\n"
f"Please enter a valid GitHub username for variable 'login'\n"
f"Please enter a valid Personal Access Token for variable 'github_token'")
exit()
# If file Teams.txt doesn't exist then a blank one will be created and the script will end
if not os.path.exists('Teams.txt'):
with open('Teams.txt', 'w') as make_file_teams:
make_file_teams.write('')
print(f"No Teams.txt file found!\n"
f"**Repos.txt has been automatically created.** \n"
f"Enter each repository name on a new line and save this file!\n")
exit()
# Try to fetch the teams listed for each repository within the Teams.txt file
with open('Teams.txt', 'r') as teams_list, open('.env', 'r'):
lines = teams_list.read().splitlines()
size_teams = os.path.getsize('Teams.txt')
size_env = os.path.getsize('.env')
# Check the Teams.txt file is empty
if size_teams < 1:
print(f"The Teams.txt file is empty, please supply a list of teams to check!")
# Check if the Credentials variables are empty
if size_env < 1:
print(f"The .env file is empty!")
# Try to obtain Teams information for each repository within the Repos.txt file
for teams in lines:
if not Credentials.login or not Credentials.token:
print(f"No login details supplied within the .env file, please enter valid credentials!")
break
try:
session = requests.Session()
# Building a new request which contains the formatted url, headers and login credentials because the next set of information we require needs to be obtained from another endpoint
r = session.get(Endpoints.teams_url.format(self.args.org, teams), headers=headers,
auth=(Credentials.login, Credentials.token), timeout=(1, 5))
print(f"\nAAD group linked to '{teams}' team:\n")
json_response = r.json()
r.raise_for_status()
if r.status_code // 100 == 2:
# Building a new request which contains the formatted url, headers and login credentials because the next set of information we require needs to be obtained from another endpoint
r2 = session.get(Endpoints.slug_url.format(self.args.org, teams), headers=headers,
auth=(Credentials.login, Credentials.token), timeout=(1, 5))
json_response2 = r2.json()
r2.raise_for_status()
if r2.status_code // 100 == 2:
if not json_response2['groups']:
print(f"[INFO] The Team {json_response['name']} is not managed via AAD, users will need to be manually added on Github!")
for groups in json_response2['groups']:
print(f"The Team {json_response['name']} is linked to the AAD Group {groups['group_name']}")
# Catch any timeouts from GitHub
except requests.exceptions.Timeout as timeout:
print(timeout)
# Catch any HTTP response errors from GitHub (EG: error 404 if the repository doesn't exist or you don't have access)
except requests.exceptions.HTTPError as httperror:
print(httperror)
print(f"[ERROR] No team found called {teams} owned by {self.args.org}")
print(f"Response from the Github API:\n{json_response}")
print(f"------------------------------------------\n")
print(f"[!] Make sure you have no spelling mistakes within the Teams.txt file and that you've entered the right organization!")
# This function will retrieve all pending invitations for the organization
def github_pending_invitations_checker(self):
# Headers supplied so GitHub treats request as coming from a web browser in case it decides to reject the requests
headers = {'user-agent': ('Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5)'
'AppleWebKit/537.36 (KHTML, like Gecko)'
'Chrome/45.0.2454.101 Safari/537.36')
}
page = 0
while True:
try:
page += 1
session = requests.Session()
params = {
'per_page' : '100',
'page' : {page}
}
# Building a new request which contains the formatted url, headers and login credentials because the next set of information we require needs to be obtained from another endpoint
r = session.get(Endpoints.pending_invite_url.format(self.args.org), headers=headers,
auth=(Credentials.login, Credentials.token), timeout=(1, 5), params=params)
json_response = r.json()
r.raise_for_status()
if r.status_code // 100 == 2:
if not json_response:
break
for invites in range(len(json_response)):
date = datetime.datetime.fromisoformat(json_response[invites]['created_at']).strftime("%d %m %Y %H:%M")
if not json_response[invites]['email'] == None:
#print(json_response[invites]['email'])
print(f"Email {json_response[invites]['email']} was invited by {json_response[invites]['inviter']['login']} on {date}")
if not json_response[invites]['login'] == None:
#print(json_response[invites]['login'])
print(f"User {json_response[invites]['login']} was invited by {json_response[invites]['inviter']['login']} on {date}")
# Catch any timeouts from GitHub
except requests.exceptions.Timeout as timeout:
print(timeout)
# Catch any HTTP response errors from GitHub (EG: error 404 if the repository doesn't exist or you don't have access)
except requests.exceptions.HTTPError as httperror:
print(httperror)
print(f"Response from the Github API:\n{json_response}")
print(f"------------------------------------------\n")
# This function will retrieve all the failed invitations for the organization
def github_failed_invitations_checker(self):
# Headers supplied so GitHub treats request as coming from a web browser in case it decides to reject the requests
headers = {'user-agent': ('Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5)'
'AppleWebKit/537.36 (KHTML, like Gecko)'
'Chrome/45.0.2454.101 Safari/537.36')
}
if not Credentials.login or not Credentials.token:
print(f"No login details supplied within the .env file, please enter valid credentials!")
exit
page = 0
while True:
try:
page += 1
session = requests.Session()
#new_results = True
params = {
'per_page' : '100',
'page' : {page}
}
# Building a new request which contains the formatted url, headers and login credentials because the next set of information we require needs to be obtained from another endpoint
r = session.get(Endpoints.failed_invites_url.format(self.args.org), headers=headers,
auth=(Credentials.login, Credentials.token), timeout=(1, 5), params=params)
json_response = r.json()
r.raise_for_status()
if r.status_code // 100 == 2:
if not json_response:
break
for invites in range(len(json_response)):
date = datetime.fromisoformat(json_response[invites]['created_at']).strftime("%d %m %Y %H:%M")
if not json_response[invites]['email'] == None:
print(f"Email {json_response[invites]['email']} invite from {json_response[invites]['inviter']['login']} {json_response[invites]['failed_reason']} on {date}")
if not json_response[invites]['login'] == None:
print(f"User {json_response[invites]['login']} invite from {json_response[invites]['inviter']['login']} {json_response[invites]['failed_reason']} on {date}")
# Catch any timeouts from GitHub
except requests.exceptions.Timeout as timeout:
print(timeout)
# Catch any HTTP response errors from GitHub (EG: error 404 if the repository doesn't exist or you don't have access)
except requests.exceptions.HTTPError as httperror:
print(httperror)
print(f"Response from the Github API:\n{json_response}")
print(f"------------------------------------------\n")
# This function will report back all repositories
def github_report_all_repos(self):
# Headers supplied so GitHub treats request as coming from a web browser in case it decides to reject the requests
headers = {'user-agent': ('Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5)'
'AppleWebKit/537.36 (KHTML, like Gecko)'
'Chrome/45.0.2454.101 Safari/537.36')
}
if not Credentials.login or not Credentials.token:
print(f"No login details supplied within the .env file, please enter valid credentials!")
exit
page = 0
names = []
while True:
try:
page += 1
session = requests.Session()
#new_results = True
params = {
'per_page' : '100',
'page' : {page},
'sort' : 'full_name'
}
# Building a new request which contains the formatted url, headers and login credentials because the next set of information we require needs to be obtained from another endpoint
r = session.get(Endpoints.all_repos_url.format(self.args.org), headers=headers,
auth=(Credentials.login, Credentials.token), timeout=(1, 5), params=params)
json_response = r.json()
r.raise_for_status()
if r.status_code // 100 == 2:
if not json_response:
break
for repos in range(len(json_response)):
# For some reason the Github API adds the letter Z to the datetime string and the datetime module won't recognize this as valid ISO-8601 format
# First we collect the dates from Github
date_from_github = json_response[repos]['created_at']
# Then we replace the letter Z with nothing which will remove it from the string
formatted_date = date_from_github.replace('Z','')
# Now we can convert this from ISO format to a string time format
date = datetime.fromisoformat(formatted_date).strftime("%d %m %Y %H:%M")
# All repositories are returned with with when they were created
print(f"Repository: {json_response[repos]['full_name']}\nDescription: {json_response[repos]['description']}\nCreated: {date}\n")
names.append(json_response[repos]['full_name'])
# Catch any timeouts from GitHub
except requests.exceptions.Timeout as timeout:
print(timeout)
# Catch any HTTP response errors from GitHub (EG: error 404 if the repository doesn't exist or you don't have access)
except requests.exceptions.HTTPError as httperror:
print(httperror)
print(f"Response from the Github API:\n{json_response}")
print(f"------------------------------------------\n")
# Return the amount of repositories found
print(f"Total Repositories: {len(names)}")
# This function will report back all teams
def github_report_all_teams(self):
# Headers supplied so GitHub treats request as coming from a web browser in case it decides to reject the requests
headers = {'user-agent': ('Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5)'
'AppleWebKit/537.36 (KHTML, like Gecko)'
'Chrome/45.0.2454.101 Safari/537.36')
}
if not Credentials.login or not Credentials.token:
print(f"No login details supplied within the .env file, please enter valid credentials!")
exit
page = 0
names = []
while True:
try:
page += 1
session = requests.Session()
#new_results = True
params = {
'per_page' : '100',
'page' : {page},
'sort' : 'name'
}
# Building a new request which contains the formatted url, headers and login credentials because the next set of information we require needs to be obtained from another endpoint
r = session.get(Endpoints.all_teams_url.format(self.args.org), headers=headers,
auth=(Credentials.login, Credentials.token), timeout=(1, 5), params=params)
json_response = r.json()
r.raise_for_status()
if r.status_code // 100 == 2:
if not json_response:
break
for teams in range(len(json_response)):
# All teams are returned with with their permission level
print(f"Repository: {json_response[teams]['name']}\nDescription: {json_response[teams]['description']}\nPermissions: {json_response[teams]['permission']}\n")
names.append(json_response[teams]['name'])
# Catch any timeouts from GitHub
except requests.exceptions.Timeout as timeout:
print(timeout)
# Catch any HTTP response errors from GitHub (EG: error 404 if the repository doesn't exist or you don't have access)
except requests.exceptions.HTTPError as httperror:
print(httperror)
print(f"Response from the Github API:\n{json_response}")
print(f"------------------------------------------\n")
# Return the amount of repositories found
print(f"Total Teams: {len(names)}")
# Main function building
if __name__ == "__main__":
Credentials = Credentials()
Credentials.parse_arg()