Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Add a new check to ensure no teams have admin or maintain access. #485

Merged
merged 1 commit into from
Mar 12, 2024
Merged

feat: Add a new check to ensure no teams have admin or maintain access. #485

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
67 changes: 67 additions & 0 deletions edx_repo_tools/repo_checks/repo_checks.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -157,6 +157,72 @@ def dry_run(self):
raise NotImplementedError


class EnsureNoAdminOrMaintainTeams(Check):
"""
Teams should not be granted `admin` or `maintain` access to a repository unless the access
is exceptional and it is noted here. All other `admin` and `maintain` access is downgraded to
`write` access.
"""

def __init__(self, api: GhApi, org: str, repo: str):
super().__init__(api, org, repo)
self.teams_to_downgrade = []

def is_relevant(self) -> bool:
"""
All non security fork repos, public or private.
"""
return not is_security_private_fork(self.api, self.org_name, self.repo_name)

def check(self) -> tuple[bool, str]:
"""
Verify whether or not the check is failing.

This should not change anything and should not have a side-effect
other than populating `self` with any data that is needed later for
`fix` or `dry_run`.

The string in the return tuple should be a human readable reason
that the check failed.
"""
teams = all_paged_items(
self.api.repos.list_teams, owner=self.org_name, repo=self.repo_name
)
for team in teams:
if team.permission in ["admin", "maintain"]:
self.teams_to_downgrade.append(team)

if self.teams_to_downgrade:
team_and_permissions = list({f"{team.slug}: {team.permission}" for team in self.teams_to_downgrade})
return (
False,
f"Some teams have excessive permissions:\n\t\t" + "\n\t\t".join(team_and_permissions),
)

return (True, "No teams with `admin` or `maintain` permissions.")

def dry_run(self):
return self.fix(dry_run=True)

def fix(self, dry_run=False):
steps = []
for team in self.teams_to_downgrade:
if not dry_run:
self.api.teams.add_or_update_repo_permissions_in_org(
self.org_name,
team.slug,
self.org_name,
self.repo_name,
"push",
)

steps.append(
f"Reduced permission of `{team.slug}` from `{team.permission}` to `push`"
)

return steps


class EnsureWorkflowTemplates(Check):
"""
There are certain github action workflows that we to exist on all
Expand Down Expand Up @@ -883,6 +949,7 @@ def _get_update_params_from_get_branch_protection(self):
RequireTriageTeamAccess,
EnsureLabels,
EnsureWorkflowTemplates,
EnsureNoAdminOrMaintainTeams,
]
CHECKS_BY_NAME = {check_cls.__name__: check_cls for check_cls in CHECKS}
CHECKS_BY_NAME_LOWER = {check_cls.__name__.lower(): check_cls for check_cls in CHECKS}
Expand Down
Loading