Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adds check 'Users should not have direct repo access' #513

Merged
merged 1 commit into from
May 15, 2024
Merged

Adds check 'Users should not have direct repo access' #513

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
58 changes: 58 additions & 0 deletions edx_repo_tools/repo_checks/repo_checks.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1038,13 +1038,71 @@ def _get_update_params_from_get_branch_protection(self):
return params


class EnsureNoDirectRepoAccessToUsers(Check):
"""
Users should not have direct repo access
"""

def __init__(self, api: GhApi, org: str, repo: str):
super().__init__(api, org, repo)
self.users_list = []

def is_relevant(self) -> bool:
"""
All non security fork repos, public or private.
"""
return not is_security_private_fork(self.api, self.org_name, self.repo_name)

def check(self) -> tuple[bool, str]:
"""
Verify whether or not the check is failing.

This should not change anything and should not have a side-effect
other than populating `self` with any data that is needed later for
`fix` or `dry_run`.

The string in the return tuple should be a human readable reason
that the check failed.
"""
self.users_list = list(all_paged_items(
self.api.repos.list_collaborators, owner=self.org_name, repo=self.repo_name, affiliation='direct'
))
users = [f"{user.login}: {user.role_name}" for user in self.users_list]
if users:
return (
False,
f"Some users have direct repo access:\n\t\t"
+ "\n\t\t".join(users),
)
return (True, "No user has direct repo access.")

def dry_run(self):
return self.fix(dry_run=True)

def fix(self, dry_run=False):
steps = []
for user in self.users_list:
if not dry_run:
self.api.repos.remove_collaborator(
owner=self.org_name,
repo=self.repo_name,
username=user.login,
)
steps.append(
f"Removed direct access to the repository for user {user.login}"
)

return steps


CHECKS = [
RequiredCLACheck,
RequireTriageTeamAccess,
EnsureLabels,
EnsureWorkflowTemplates,
EnsureNoAdminOrMaintainTeams,
EnsureRepoSettings,
EnsureNoDirectRepoAccessToUsers,
]
CHECKS_BY_NAME = {check_cls.__name__: check_cls for check_cls in CHECKS}
CHECKS_BY_NAME_LOWER = {check_cls.__name__.lower(): check_cls for check_cls in CHECKS}
Expand Down
Loading