feat: add feature to move permissions for every users in very repos (#197)

Closes #197

Signed-off-by: Pierre-Yves Lapersonne <pierreyves.lapersonne@orange.com>

Author: pylapp

CHANGELOG.md

@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
+- Feature to change permission for everyone absed on other permission (Orange-OpenSource/floss-toolbox#197)
 - GitLab Python script to update permissions
 
 ### Changed

toolbox/github/Gemfile.lock

@@ -22,6 +22,7 @@ GEM
 
 PLATFORMS
   x86_64-darwin-21
+  x86_64-darwin-23
 
 DEPENDENCIES
   git (~> 1.18)

toolbox/github/GitHubWizard.sh

@@ -14,8 +14,9 @@
 # Description.........: Received from arguments a feature to launch and gives it to the Ruby wizard.
 # Parses the RUBY_CONFIGURATION_FILE to get the GitHub personal acces token to set as Ruby env. variable (OCTOKIT_ACCESS_TOKEN).
 
-#set -euxo pipefail
-VERSION="1.5.0"
+set -euo pipefail # set -euxo pipefail
+
+VERSION="1.6.0"
 
 # Common files
 # ------------
@@ -55,6 +56,7 @@ UsageAndExit(){
     echo -e "\t set-users-permissions-to-push..................: For all projects update each user permission to 'push' except for teams and administrators"
     echo -e "\t set-teams-permissions-to-push..................: For all projects update each team permission to 'push'"
     echo -e "\t set-teams-permissions-to-read..................: For all projects update each team permission to 'read'"
+    echo -e "\t downgrade-user-permissions-if-admin............: For all projects update each suer from 'admin' to 'maintain''"
     echo -e "\t backup-all-repositories-from-org...............: Dump all repositories in GitHub to a specific location in the disk"
     echo -e "\t vulnerabilities-alerts-for-all-repositories....: Check if there are vulnerabilities alerts in repositories of the defined organisation"
     echo -e "\t look-for-leaks.................................: Checks with gitleaks if there are leaks in all repositories"
@@ -90,7 +92,7 @@ if [ -z "$feature_to_run" ]; then
 fi
 
 # TODO: Refactor this line. Some day. I have a very big screen. Haven't you?
-if [ $feature_to_run != "get-members-2fa-disabled" -a $feature_to_run != "get-all-members" -a $feature_to_run != "get-members-without-company" -a $feature_to_run != "get-projects-without-team" -a $feature_to_run != "get-users-with-bad-email" -a $feature_to_run != "get-users-with-bad-fullname" -a $feature_to_run != "get-projects-conformity" -a $feature_to_run != "get-projects-without-licenses" -a $feature_to_run != "get-empty-projects" -a $feature_to_run != "set-users-permissions-to-push" -a $feature_to_run != "set-teams-permissions-to-push" -a $feature_to_run != "set-teams-permissions-to-read" -a $feature_to_run != "backup-all-repositories-from-org" -a $feature_to_run != "vulnerabilities-alerts-for-all-repositories" -a $feature_to_run != "look-for-leaks" ]; then
+if [ $feature_to_run != "get-members-2fa-disabled" -a $feature_to_run != "get-all-members" -a $feature_to_run != "get-members-without-company" -a $feature_to_run != "get-projects-without-team" -a $feature_to_run != "get-users-with-bad-email" -a $feature_to_run != "get-users-with-bad-fullname" -a $feature_to_run != "get-projects-conformity" -a $feature_to_run != "get-projects-without-licenses" -a $feature_to_run != "get-empty-projects" -a $feature_to_run != "set-users-permissions-to-push" -a $feature_to_run != "set-teams-permissions-to-push" -a $feature_to_run != "set-teams-permissions-to-read" -a $feature_to_run != "downgrade-user-permissions-if-admin" -a $feature_to_run != "backup-all-repositories-from-org" -a $feature_to_run != "vulnerabilities-alerts-for-all-repositories" -a $feature_to_run != "look-for-leaks" ]; then
     echo "ERROR: '$feature_to_run' is unknown feature. Exit now"
     UsageAndExit
     exit $EXIT_UNKNOWN_FEATURE

toolbox/github/README.md

@@ -18,6 +18,7 @@ Table of Contents
          * [Get repositories which seems to be unconform (i.e. missing files)](#get-repositories-which-seems-to-be-unconform-ie-missing-files)
          * [Get repositories which seems to be empty or have not enough files](#get-repositories-which-seems-to-be-empty-or-have-not-enough-files)
          * [Define users permissions for all projects to "push"](#define-users-permissions-for-all-projects-to-push)
+         * [Downgrade users permissions for all projects from admin to maintain](#downgrade-users-permissions-for-all-projects-from-admin-to-maintain)
          * [Define teams permissions for all projects to "push"](#define-teams-permissions-for-all-projects-to-push)
          * [Make a year review of the GitHub organization](#make-a-year-review-of-the-github-organization)
    * [Play with GitHub CLI (GH)](#play-with-github-cli-gh)
@@ -187,6 +188,17 @@ Permissions will be set to "push", i.e. "write".
 bash GitHubWizard.sh set-users-permissions-to-push
 ```
 
+### Downgrade users permissions for all projects from admin to maintain
+
+_Keywords: #organisation #GitHub #permissions #members #admin #maintain_
+
+Run the following command to update rights of all users except GitHub teams and GitHub administrators, for all projects.
+Permissions will be set to "maintain" if before "admin".
+
+```shell
+bash GitHubWizard.sh downgrade-user-permissions-if-admin
+```
+
 ### Define teams permissions for all projects to "push"
 
 _Keywords: #organisation #GitHub #permissions #teams #push_

toolbox/github/configuration.rb

@@ -10,7 +10,7 @@
 # Software description: A toolbox of scripts to help work of forges admins and open source referents
 
 # Allow debug message or not
-$LOG_DEBUG = false
+$LOG_DEBUG = true
 
 # GitHub organization
 # -------------------
@@ -19,7 +19,7 @@
 $GITHUB_PERSONAL_ACCESS_TOKEN = ""
 
 # Name of the organization name you want to deal with so as to request the GitHub API
-$GITHUB_ORGANIZATION_NAME = ""
+$GITHUB_ORGANIZATION_NAME = "Orange-OpenSource"
 
 # Accurate list of users which are admins (i.e. GitHub organization owners), with login separated by ;
 $GITHUB_ORGANIZATION_ADMINS = ""
@@ -39,8 +39,8 @@
 # Results returned in one page (GitHub pagination), max 100
 $RESULTS_PER_PAGE = 100
 
-# Expected numer of pages to use to load all elements (i.e. if 250 projects, we need 3 pages with 100 items per page)
-$EXPECTED_PAGE_COUNT = 3
+# Expected numer of pages to use to load all elements (i.e. if 398 projects, we need 4 pages with 100 items per page)
+$EXPECTED_PAGE_COUNT = 5
 
 # Result files
 # ------------

toolbox/github/utils/GitHubFacade.rb

@@ -10,7 +10,7 @@
 # Authors: See CONTRIBUTORS.txt
 # Software description: A toolbox of scripts to help work of forges admins and open source referents
 
-# Version.............: 1.2.0
+# Version.............: 1.3.0
 # Since...............: 26/04/2021
 # Description.........: Received from arguments a feature to launch using GitHub API.
 # Loads configuration elements from configuration.rb, writes outputs using FileManager.rb and calls GitHubWrapper.rb for requests
@@ -54,7 +54,7 @@
 end
 feature_to_run=ARGV[0]
 
-if feature_to_run != "get-members-2fa-disabled" && feature_to_run != "get-all-members" && feature_to_run != "get-members-without-company" && feature_to_run != "get-projects-without-team" && feature_to_run != "get-users-with-bad-email" && feature_to_run != "get-users-with-bad-fullname" && feature_to_run != "get-projects-conformity" && feature_to_run != "get-projects-without-licenses" && feature_to_run != "get-empty-projects" && feature_to_run != "set-users-permissions-to-push" && feature_to_run != "set-teams-permissions-to-push" && feature_to_run != "set-teams-permissions-to-read"
+if feature_to_run != "get-members-2fa-disabled" && feature_to_run != "get-all-members" && feature_to_run != "get-members-without-company" && feature_to_run != "get-projects-without-team" && feature_to_run != "get-users-with-bad-email" && feature_to_run != "get-users-with-bad-fullname" && feature_to_run != "get-projects-conformity" && feature_to_run != "get-projects-without-licenses" && feature_to_run != "get-empty-projects" && feature_to_run != "set-users-permissions-to-push" && feature_to_run != "set-teams-permissions-to-push" && feature_to_run != "set-teams-permissions-to-read" && feature_to_run != "downgrade-user-permissions-if-admin"
     Log.error "Unknown feature. Exit now."
     exit $EXIT_UNKNOWN_FEATURE
 end
@@ -277,4 +277,13 @@
     exit $EXIT_OK
 end
 
+# FEATURE: downgrade-user-permissions-if-admin
+# For all projects, mvoe to 'admin' permission to 'maintain' for each user
+if feature_to_run == "downgrade-user-permissions-if-admin"
+    Log.log "Updating all repositories with permission downgrade from admin to maintain..."
+    GitHubWrapper.change_permissions_for_users(client, $GITHUB_ORGANIZATION_NAME, "admin", "maintain")
+    Log.log "Task completed! Exits now."
+    exit $EXIT_OK
+end
+
 exit $EXIT_NO_FEATURE_STARTED

toolbox/github/utils/GitHubWrapper.rb

@@ -253,11 +253,23 @@ def self.add_collaborator_to_repository_with_read_permission(octokit_client, rep
     # +repository_full_name+:: The full name identifier of the repository to get, like 'organization/project-name'
     # +user_login+:: The login of the user
     def self.add_collaborator_to_repository_with_write_permission(octokit_client, repository_full_name, user_login)
+        return self.add_collaborator_to_repository_with_permission(octokit_client, repository_full_name, user_login, "push")
+    end
+
+    ##
+    # Using the given Octokit client, for the repository which has that name, adds the user who has this login as a collaborator with the fiven permission level.
+    # If the user was already added, just changes its permission level.
+    # +octokit_client+:: The Octokit client to use to request the GitHub web API
+    # +repository_full_name+:: The full name identifier of the repository to get, like 'organization/project-name'
+    # +user_login+:: The login of the user
+    # +new_permission+:: The permission for the user
+    def self.add_collaborator_to_repository_with_permission(octokit_client, repository_full_name, user_login, new_permission)
         if octokit_client.nil? 
             Log.error "Nil Octokit client. Returns now." 
             return
         end
-        return octokit_client.add_collaborator(repository_full_name, user_login, permission: "push")
+        Log.debug "For repository '#{repository_full_name}' user named '#{user_login}' has now new permision '#{new_permission}'"
+        return octokit_client.add_collaborator(repository_full_name, user_login, permission: new_permission)
     end
 
     ##
@@ -571,6 +583,49 @@ def self.set_permissions_for_teams(octokit_client, organization_name, permission
         end
     end
 
+    ##
+    # For each repository for the given organization, for all users, if the user permission
+    # is "admin", downgrade to "maintain". Otherwise change nothing. 
+    # Do not change permission for teams and organisation admins.
+    # +octokit_client+:: The Octokit client to use to request the GitHub web API
+    # +organization_name+:: The name of the organization to retrieve from API 
+    # +old_permission+:: Must be "push" (write), "pull" (read), "maintain" (maintain) or "admin" (admin)
+    # +new_permission+:: Must be "push" (write), "pull" (read), "maintain" (maintain) or "admin" (admin)
+    def self.change_permissions_for_users(octokit_client, organization_name, old_permission, new_permission)
+        if octokit_client.nil? 
+            Log.error "Nil Octokit client. Returns now." 
+            return
+        end
+        if old_permission != "push" && old_permission != "pull" && old_permission != "maintain" && old_permission != "admin"
+            Log.warning "Old permission #{old_permission} is not managed. Returns now."
+            return
+        end
+        if new_permission != "push" && new_permission != "pull" && new_permission != "maintain" && new_permission != "admin"
+            Log.warning "New permission #{new_permission} is not managed. Returns now."
+            return
+        end
+        owners = organization_owners
+        Log.debug "Get all projects of organization '#{organization_name}'..."
+        all_repositories = get_all_repositories(octokit_client, organization_name)
+        Log.debug "Found #{all_repositories.length} projects!"
+        all_repositories.each do |repository|
+            repo_full_name = repository.full_name
+            Log.debug "Processing #{repo_full_name}..."
+            members = get_repository_collaborators(octokit_client, repo_full_name)
+            members.each do |member|
+                member_login = member.login
+                unless owners.include? member_login
+                    if member.role_name == "admin"
+                        Log.debug "Update permision from '#{old_permission}' to '#{new_permission} 'for user with login '#{member_login}' on project '#{repo_full_name}'"
+                        add_collaborator_to_repository_with_permission(octokit_client, repo_full_name, member_login, new_permission)
+                    end
+                else 
+                    Log.debug "User with login '#{member_login}' is organization owner, permissions are not changed for project #{repo_full_name}"
+                end
+            end
+        end
+    end
+
     private
 
     ##

toolbox/utils/text-generator/_templates/new-GitHub-repository-contributors.en.template.txt

@@ -69,4 +69,4 @@ Remaining available,
 [13] %RESSOURCES_WEB_GITHUB-SITE%
 [14] %RESSOURCE_DOC_CHARTER%
 
-[This email is automatically generated]
+[This email is automatically generated]

toolbox/utils/text-generator/_templates/new-GitHub-repository-contributors.fr.template.txt

@@ -70,4 +70,4 @@ Restant à disposition,
 [13] %RESSOURCES_WEB_GITHUB-SITE%
 [14] %RESSOURCE_DOC_CHARTER%
 
-[Ce courrier electronique est généré automatiquement]
+[Ce courrier electronique est généré automatiquement]