|
| 1 | +#!/bin/sh |
| 2 | +#/ |
| 3 | +#/ NAME: |
| 4 | +#/ update-user-and-team-dn-for-ldap - For a GitHub Enterprise instance using LDAP, |
| 5 | +#/ reads in a `users.txt` files and `teams.txt` files to change the distinguished |
| 6 | +#/ name (DN) of each user and team to your new LDAP provider's DN. See PRE-REQUISITES |
| 7 | +#/ below for more information on creating and formatting those files. |
| 8 | +#/ |
| 9 | +#/ AUTHOR: @IAmHughes |
| 10 | +#/ |
| 11 | +#/ DESCRIPTION: |
| 12 | +#/ For a GitHub Enterprise instance using LDAP, reads in a `users.txt` files and |
| 13 | +#/ `teams.txt` files to change the distinguished name (DN) of each user and team to |
| 14 | +#/ your new LDAP provider's DN. See PRE-REQUISITES below for more information on |
| 15 | +#/ creating and formatting those files. |
| 16 | +#/ |
| 17 | +#/ PRE-REQUISITES: |
| 18 | +#/ Before running this script, you must create a Personal Access Token (PAT) |
| 19 | +#/ at https://help.github.com/articles/creating-a-personal-access-token-for-the-command-line/ |
| 20 | +#/ with the permissions <repo>, <admin:org>, <user>, and <site_admin> scopes. Read more |
| 21 | +#/ about scopes here: https://developer.github.com/apps/building-oauth-apps/scopes-for-oauth-apps/ |
| 22 | +#/ |
| 23 | +#/ Once created, you must export your PAT as an environment variable |
| 24 | +#/ named <GITHUB_TOKEN>. |
| 25 | +#/ |
| 26 | +#/ - Exporting PAT as GITHUB_TOKEN |
| 27 | +#/ $ export GITHUB_TOKEN=abcd1234efg567 |
| 28 | +#/ |
| 29 | +#/ Additionally you will need to set the $API_ROOT at the top of the script to |
| 30 | +#/ your instance of GitHub Enterprise. |
| 31 | +#/ - _i.e._: https://MyGitHubEnterprise.com/api/v3 |
| 32 | +#/ |
| 33 | +#/ Finally, you need to set up your `users.txt` and `teams.txt` files in the directory you |
| 34 | +#/ will run the script from. They need to be in the format of <user>:<newDN> or <team>:<newDN> |
| 35 | +#/ where <user> or <team> is the respective username or team name in GitHub that should map to |
| 36 | +#/ the new DN, <newDN>, for that user or team in the new LDAP provider. |
| 37 | +#/ |
| 38 | +#/ - Sample users.txt file: |
| 39 | +#/ <user1>:<newDN> |
| 40 | +#/ <another_user>:<newDN> |
| 41 | +#/ <my_other_user>:<newDN> |
| 42 | +#/ |
| 43 | +#/ - Sample teams.txt file: |
| 44 | +#/ <team1>:<newDN> |
| 45 | +#/ <my_team>:<newDN> |
| 46 | +#/ <another_team>:<newDN> |
| 47 | +#/ |
| 48 | +#/ API DOCUMENTATION: |
| 49 | +#/ All documentation can be found at https://developer.github.com/v3/ |
| 50 | + |
| 51 | +######## |
| 52 | +# VARS # |
| 53 | +######## |
| 54 | +API_ROOT="https://<your-domain>/api/v3" |
| 55 | +GITHUB_TOKEN="" |
| 56 | +USER_MAPPING_FILE="./users.txt" |
| 57 | +TEAM_MAPPING_FILE="./teams.txt" |
| 58 | + |
| 59 | +##################### |
| 60 | +# PROCESS USER FILE # |
| 61 | +##################### |
| 62 | + |
| 63 | +# Read each line of text file, including last line |
| 64 | +while read -r line || [[ -n "${line}" ]]; do |
| 65 | + |
| 66 | + # Error Handling - Check if line is empty |
| 67 | + if [[ -z ${line} ]]; then |
| 68 | + echo "Line is empty, exiting script." |
| 69 | + continue |
| 70 | + fi |
| 71 | + |
| 72 | + # Get Username |
| 73 | + username=$(echo ${line} | awk -F':' {'print $1'}) |
| 74 | + |
| 75 | + # Get DN |
| 76 | + ldap_dn=$(echo ${line} | awk -F':' {'print $2'}) |
| 77 | + |
| 78 | + # Error Handling - Verify Username and LDAP DN were found |
| 79 | + if [[ -z ${username} ]]; then |
| 80 | + echo "Username not found. Username was set to: ${username}" |
| 81 | + continue |
| 82 | + fi |
| 83 | + |
| 84 | + if [[ -z ${ldap_dn} ]]; then |
| 85 | + echo "LDAP DN not found. LDAP DN was set to: ${ldap_dn} for Username: ${username}" |
| 86 | + fi |
| 87 | + |
| 88 | + # Error Handling - Verify user exists in GitHub Enterprise |
| 89 | + # Curl options used - more info [here](http://www.mit.edu/afs.new/sipb/user/ssen/src/curl-7.11.1/docs/curl.html) |
| 90 | + # -s = silent |
| 91 | + # -o = output - we don't want the output other than the status code, so send to /dev/null |
| 92 | + # -I = fetch header only |
| 93 | + # -w = The option we want to write-out, so we specify %{http_code} |
| 94 | + response="$(curl -s -o /dev/null -I -w "%{http_code}" --request GET \ |
| 95 | + --url ${API_ROOT}/users/${username} \ |
| 96 | + --header "authorization: Bearer ${GITHUB_TOKEN}")" |
| 97 | + |
| 98 | + # Generate body for PATCH curl call below |
| 99 | + function generate_patch_data_for_users() |
| 100 | + { |
| 101 | + cat <<EOF |
| 102 | + { |
| 103 | + "ldap_dn": "$ldap_dn" |
| 104 | + } |
| 105 | +EOF |
| 106 | + } |
| 107 | + |
| 108 | + # User Exists, call API to Update LDAP Mapping |
| 109 | + if [[ response -eq 200 ]]; then |
| 110 | + curl -s --request PATCH \ |
| 111 | + --url ${API_ROOT}/admin/ldap/users/${username}/mapping \ |
| 112 | + --header "authorization: Bearer ${GITHUB_TOKEN}" \ |
| 113 | + --header "content-type: application/json" \ |
| 114 | + --data "$(generate_patch_data)" |
| 115 | + fi |
| 116 | +done < "${USER_MAPPING_FILE}" |
| 117 | + |
| 118 | +##################### |
| 119 | +# PROCESS TEAM FILE # |
| 120 | +##################### |
| 121 | + |
| 122 | +# Read each line of text file, including last line |
| 123 | +while read -r line || [[ -n "${line}" ]]; do |
| 124 | + |
| 125 | + # Error Handling - Check if Line is Empty |
| 126 | + if [[ -z ${line} ]]; then |
| 127 | + echo "Line is empty, exiting script." |
| 128 | + continue |
| 129 | + fi |
| 130 | + |
| 131 | + # Get Team ID |
| 132 | + team_id=$(echo ${line} | awk -F':' {'print $1'}) |
| 133 | + # Get DN |
| 134 | + ldap_dn=$(echo ${line} | awk -F':' {'print $2'} |
| 135 | +
|
| 136 | + # Error Handling - Verify Team ID and LDAP DN were found |
| 137 | + if [[ -z ${team_id} ]]; then |
| 138 | + echo "Team not found. Team ID was set to: ${team_id}" |
| 139 | + continue |
| 140 | + fi |
| 141 | +
|
| 142 | + if [[ -z ${ldap_dn} ]]; then |
| 143 | + echo "LDAP DN not found. LDAP DN was set to: ${ldap_dn} for Team: ${team_id}" |
| 144 | + fi |
| 145 | +
|
| 146 | + # Error Handling - Verify team exists in GitHub Enterprise |
| 147 | + # Curl options used - more info [here](http://www.mit.edu/afs.new/sipb/user/ssen/src/curl-7.11.1/docs/curl.html) |
| 148 | + # -s = silent |
| 149 | + # -o = output - we don't want the output other than the status code, so send to /dev/null |
| 150 | + # -I = fetch header only |
| 151 | + # -w = The option we want to write-out, so we specify %{http_code} |
| 152 | + response="$(curl -s -o /dev/null -I -w "%{http_code}" --request GET \ |
| 153 | + --url ${API_ROOT}/teams/${team_id} \ |
| 154 | + --header 'accept: application/vnd.github.hellcat-preview+json' \ |
| 155 | + --header "authorization: Bearer ${GITHUB_TOKEN}")" |
| 156 | +
|
| 157 | + # Generate body for PATCH curl call below |
| 158 | + function generate_patch_data_for_teams() |
| 159 | + { |
| 160 | + cat <<EOF |
| 161 | + { |
| 162 | + "ldap_dn": "$ldap_dn" |
| 163 | + } |
| 164 | +EOF |
| 165 | + } |
| 166 | +
|
| 167 | + # Team Exists, call API to Update LDAP Mapping |
| 168 | + if [[ response -eq 200 ]]; then |
| 169 | + curl -s --request PATCH \ |
| 170 | + --url ${API_ROOT}/admin/ldap/teams/${team_id}/mapping \ |
| 171 | + --header 'accept: application/vnd.github.hellcat-preview+json' \ |
| 172 | + --header "authorization: Bearer ${GITHUB_TOKEN}" \ |
| 173 | + --header "content-type: application/json" \ |
| 174 | + --data "$(generate_patch_data)" |
| 175 | + fi |
| 176 | +done < "${TEAM_MAPPING_FILE}" |
0 commit comments