cloud-platform-repository-checker 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 46a88955fe8e5cbfdc0df49317cc0bc5706e37319df3467107696ff40da9167f
+  data.tar.gz: dcbd98ac827af616d4ad056d5dca408d8d76d2d476f439b6d230685061fd1eef
+SHA512:
+  metadata.gz: fedd1dba7604e13daa9d6db89fc1c3e63f616a4f3cf5fbf8479bf0f77ac137cecc605ec51a8fc5fd5ef9b5e0fdc352bbfbdd9045e040b8c326bd67fde0590d56
+  data.tar.gz: 16e38af1b932b204dae2e3e46d52677433e1904b76fedd5b54a1895eb27c381afb66416049ff36f25cc3c42a9cc3d44cff53ad50319ef2d05667eb3ca75552a0

data/Gemfile

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
+
+gem "octokit"
+
+group :development do
+  gem "pry-byebug"
+end

data/Gemfile.lock

@@ -0,0 +1,34 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    addressable (2.7.0)
+      public_suffix (>= 2.0.2, < 5.0)
+    byebug (11.1.3)
+    coderay (1.1.2)
+    faraday (1.0.1)
+      multipart-post (>= 1.2, < 3)
+    method_source (1.0.0)
+    multipart-post (2.1.1)
+    octokit (4.18.0)
+      faraday (>= 0.9)
+      sawyer (~> 0.8.0, >= 0.5.3)
+    pry (0.13.1)
+      coderay (~> 1.1)
+      method_source (~> 1.0)
+    pry-byebug (3.9.0)
+      byebug (~> 11.0)
+      pry (~> 0.13.0)
+    public_suffix (4.0.5)
+    sawyer (0.8.2)
+      addressable (>= 2.3.5)
+      faraday (> 0.8, < 2.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  octokit
+  pry-byebug
+
+BUNDLED WITH
+   2.1.2

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020 Ministry of Justice
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,2 @@
+# cloud-platform-repository-checker
+Checks all Cloud Platform repositories for compliance

data/bin/cloud-platform-repository-checker

@@ -0,0 +1,38 @@
+#!/usr/bin/env ruby
+
+# Script to list repositories in the ministryofjustice organisation whose names
+# match a regular expression, and output a JSON report of how well they
+# do/don't comply with our team-wide standards for how github repositories
+# should be configured.
+
+require "bundler/setup"
+require "json"
+require "net/http"
+require "uri"
+require "octokit"
+
+libdir = File.join(".", File.dirname(__FILE__), "..", "lib")
+require File.join(libdir, "github_graph_ql_client")
+require File.join(libdir, "repository_lister")
+require File.join(libdir, "repository_report")
+
+############################################################
+
+params = {
+  organization: ENV.fetch("ORGANIZATION"),
+  regexp: Regexp.new(ENV.fetch("REGEXP")),
+  team: ENV.fetch("TEAM"),
+  github_token: ENV.fetch("GITHUB_TOKEN")
+}
+
+repositories = RepositoryLister.new(params)
+  .repository_names
+  .inject([]) do |arr, repo_name|
+    report = RepositoryReport.new(params.merge(repo_name: repo_name)).report
+    arr << report
+end
+
+puts({
+  repositories: repositories,
+  updated_at: Time.now
+}.to_json)

data/env.example

@@ -0,0 +1,4 @@
+export GITHUB_TOKEN="your github personal access token with public_repos scope"
+export ORGANIZATION="ministryofjustice"
+export TEAM="WebOps"
+export REGEXP="^cloud-platform-*"

data/lib/github_graph_ql_client.rb

@@ -0,0 +1,24 @@
+class GithubGraphQlClient
+  attr_reader :github_token
+
+  GITHUB_GRAPHQL_URL = "https://api.github.com/graphql"
+
+  def initialize(params)
+    @github_token = params.fetch(:github_token)
+  end
+
+  private
+
+  def run_query(params)
+    body = params.fetch(:body)
+    token = params.fetch(:token)
+
+    json = {query: body}.to_json
+    headers = {"Authorization" => "bearer #{token}"}
+
+    uri = URI.parse(GITHUB_GRAPHQL_URL)
+    resp = Net::HTTP.post(uri, json, headers)
+
+    resp.body
+  end
+end

data/lib/repository_lister.rb

@@ -0,0 +1,82 @@
+class RepositoryLister < GithubGraphQlClient
+  attr_reader :organization, :regexp
+
+  PAGE_SIZE = 100
+
+  def initialize(params)
+    @organization = params.fetch(:organization)
+    @regexp = params.fetch(:regexp)
+    super(params)
+  end
+
+  # Returns a list of repository names which match `regexp`
+  def repository_names
+    list_repos
+      .filter { |repo| repo["name"] =~ regexp }
+      .map { |repo| repo["name"] }
+  end
+
+  private
+
+  # TODO:
+  #   * figure out a way to only fetch cloud-platform-* repos
+  #   * de-duplicate the code
+  #   * filter out archived repos
+  #   * filter out disabled repos
+  #
+  def list_repos
+    repos = []
+    end_cursor = nil
+
+    data = get_repos(end_cursor)
+    repos = repos + data.fetch("nodes")
+    next_page = data.dig("pageInfo", "hasNextPage")
+    end_cursor = data.dig("pageInfo", "endCursor")
+
+    while next_page do
+      data = get_repos(end_cursor)
+      repos = repos + data.fetch("nodes")
+      next_page = data.dig("pageInfo", "hasNextPage")
+      end_cursor = data.dig("pageInfo", "endCursor")
+    end
+
+    repos.reject { |r| r.dig("isArchived") || r.dig("isDisabled") }
+  end
+
+  def get_repos(end_cursor = nil)
+    json = run_query(
+      body: repositories_query(end_cursor),
+      token: github_token
+    )
+
+    JSON.parse(json).dig("data", "organization", "repositories")
+  end
+
+  # TODO: it should be possible to exclude disabled/archived repos in this
+  # query, but I don't know how to do that yet, so I'm just fetching everything
+  # and throwing away the disabled/archived repos later. We should also be able
+  # to only fetch repos whose names match the pattern we're interested in, at
+  # this stage.
+  def repositories_query(end_cursor)
+    after = end_cursor.nil? ? "" : %[, after: "#{end_cursor}"]
+    %[
+    {
+      organization(login: "#{organization}") {
+        repositories(first: #{PAGE_SIZE} #{after}) {
+          nodes {
+            id
+            name
+            isLocked
+            isArchived
+            isDisabled
+          }
+          pageInfo {
+            hasNextPage
+            endCursor
+          }
+        }
+      }
+    }
+    ]
+  end
+end

data/lib/repository_report.rb

@@ -0,0 +1,140 @@
+class RepositoryReport < GithubGraphQlClient
+  attr_reader :organization, :repo_name, :team
+
+  MASTER = "master"
+  ADMIN = "admin"
+  PASS = "PASS"
+  FAIL = "FAIL"
+
+  def initialize(params)
+    @organization = params.fetch(:organization)
+    @repo_name = params.fetch(:repo_name)
+    @team = params.fetch(:team)
+    super(params)
+  end
+
+  # TODO: additional checks
+  #   * has issues enabled
+  #   * deleteBranchOnMerge
+  #   * mergeCommitAllowed (do we want this on or off?)
+  #   * squashMergeAllowed (do we want this on or off?)
+
+  def report
+    {
+      organization: organization,
+      name: repo_name,
+      url: repo_url,
+      status: status,
+      report: all_checks_result
+    }
+  end
+
+  private
+
+  def repo_data
+    @repo_data ||= fetch_repo_data
+  end
+
+  def repo_url
+    @url ||= repo_data.dig("data", "repository", "url")
+  end
+
+  def status
+    all_checks_result.values.all? ? PASS : FAIL
+  end
+
+  def all_checks_result
+    @all_checks_result ||= {
+      has_master_branch_protection: has_master_branch_protection?,
+      requires_approving_reviews: has_branch_protection_property?("requiresApprovingReviews"),
+      requires_code_owner_reviews: has_branch_protection_property?("requiresCodeOwnerReviews"),
+      administrators_require_review: has_branch_protection_property?("isAdminEnforced"),
+      dismisses_stale_reviews: has_branch_protection_property?("dismissesStaleReviews"),
+      requires_strict_status_checks: has_branch_protection_property?("requiresStrictStatusChecks"),
+      team_is_admin: is_team_admin?,
+    }
+  end
+
+  def fetch_repo_data
+    body = repo_settings_query(
+      organization: organization,
+      repo_name: repo_name,
+    )
+
+    json = run_query(
+      body: body,
+      token: github_token
+    )
+
+    JSON.parse(json)
+  end
+
+  def repo_settings_query(params)
+    owner = params.fetch(:organization)
+    repo_name = params.fetch(:repo_name)
+
+    %[
+      {
+        repository(owner: "#{owner}", name: "#{repo_name}") {
+          name
+          url
+          owner {
+            login
+          }
+          branchProtectionRules(first: 50) {
+            edges {
+              node {
+                pattern
+                requiresApprovingReviews
+                requiresCodeOwnerReviews
+                isAdminEnforced
+                dismissesStaleReviews
+                requiresStrictStatusChecks
+              }
+            }
+          }
+        }
+      }
+    ]
+  end
+
+  def is_team_admin?
+    client = Octokit::Client.new(access_token: github_token)
+
+    client.repo_teams([organization, repo_name].join("/")).filter do |team|
+      team[:name] == team && team[:permission] == ADMIN
+    end.any?
+  rescue Octokit::NotFound
+    # This happens if our token does not have permission to view repo settings
+    false
+  end
+
+  def branch_protection_rules
+    @rules ||= repo_data.dig("data", "repository", "branchProtectionRules", "edges")
+  end
+
+  def has_master_branch_protection?
+    requiring_branch_protection_rules do |rules|
+
+      rules
+        .filter { |edge| edge.dig("node", "pattern") == MASTER }
+        .any?
+    end
+  end
+
+  def has_branch_protection_property?(property)
+    requiring_branch_protection_rules do |rules|
+      rules
+        .map { |edge| edge.dig("node", property) }
+        .all?
+    end
+  end
+
+  def requiring_branch_protection_rules
+    rules = branch_protection_rules
+    return false unless rules.any?
+
+    yield rules
+  end
+
+end

metadata

@@ -0,0 +1,54 @@
+--- !ruby/object:Gem::Specification
+name: cloud-platform-repository-checker
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- David Salgado
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2020-05-14 00:00:00.000000000 Z
+dependencies: []
+description: 
+email: platforms@digital.justice.gov.uk
+executables:
+- cloud-platform-repository-checker
+extensions: []
+extra_rdoc_files:
+- README.md
+files:
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- README.md
+- bin/cloud-platform-repository-checker
+- env.example
+- lib/github_graph_ql_client.rb
+- lib/repository_lister.rb
+- lib/repository_report.rb
+homepage: https://github.com/ministryofjustice/cloud-platform
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options:
+- "--main"
+- README.md
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.3
+signing_key: 
+specification_version: 4
+summary: What this thing does
+test_files: []