entitlements-github-plugin 0.6.0 → 0.7.0

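--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 6c8e5d4e8e883e7e4eb58cc3a8617ce223c6213ead611893bef473b5c95f509f
- data.tar.gz: 45f3ca22502cffb65002c5bd651f60bab30e98c14c4f9588dfae0d43565abe73
+ metadata.gz: 9080cc49d01feac15d1437b9d665d00321106ef875daca827daa2f863e422065
+ data.tar.gz: d351b657f2fefc75d4e629181bbe17204f41fdd8dc5cb83fb3a2df640ba7957e
  SHA512:
- metadata.gz: d1ae84a3fa11c39758e813f6ce8ab1c7d4309ca3b3133ac05d324cfbb9a82161dc075892ff8970ef18c5b141e0b94fa3466cd6f2735c4cd57e5ac62f1df519e5
- data.tar.gz: ea80b29e5bac4d316549ead1d04baaa3e8111f5baa69c97530c50089dbbafcdd86db1f1558976d4681199217ccc82c8411581f02e8f03d1d324a5956d5ca0540
+ metadata.gz: d90d3b9eb5663b77ed4e2098a1a06f26322aa7a8c01e75b91e73f1c5635030afe76d93cf819d4df19deff6e9b317247da230d31578acd61b7679e10700d0c6c4
+ data.tar.gz: b2510ac0f9d8d318de6e2fe675c29e7c6c9de97c12da03a8661c31baf71e93e996d78f9c310254751007d088da0d691fc34edbbd46e8d512fa7fd0f35429c7fe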
@@ -32,7 +32,7 @@ module Entitlements
32
32
  ou: String,
33
33
  ignore_not_found: C::Maybe[C::Bool],
34
34
  ] => C::Any
35
- def initialize(addr: nil, org:, token:, ou:, ignore_not_found: false)
35
+ def initialize(org:, token:, ou:, addr: nil, ignore_not_found: false)
36
36
  super
37
37
  Entitlements.cache[:github_team_members] ||= {}
38
38
  Entitlements.cache[:github_team_members][org_signature] ||= {}
@@ -107,8 +107,8 @@ module Entitlements
107
107
  end
108
108
 
109
109
  maintainers = teamdata[:members].select { |u| teamdata[:roles][u] == "maintainer" }
110
- team_metadata = team_metadata || {}
111
- team_metadata = team_metadata.merge({"team_maintainers" => maintainers.any? ? maintainers.join(",") : nil})
110
+ team_metadata ||= {}
111
+ team_metadata = team_metadata.merge({ "team_maintainers" => maintainers.any? ? maintainers.join(",") : nil })
112
112
 
113
113
  team = Entitlements::Backend::GitHubTeam::Models::Team.new(
114
114
  team_id: teamdata[:team_id],
@@ -139,7 +139,7 @@ module Entitlements
139
139
  def from_predictive_cache?(entitlement_group)
140
140
  team_identifier = entitlement_group.cn.downcase
141
141
  read_team(entitlement_group) unless @team_cache[team_identifier]
142
- (@team_cache[team_identifier] && @team_cache[team_identifier][:cache]) ? true : false
142
+ @team_cache[team_identifier] && @team_cache[team_identifier][:cache] ? true : false
143
143
  end
144
144
 
145
145
  # Declare the entry to be invalid for a specific team, and if the prior knowledge
@@ -192,7 +192,7 @@ module Entitlements
192
192
  if desired_metadata["parent_team_name"].nil?
193
193
  Entitlements.logger.debug "sync_team(team=#{current_state.team_name}): IGNORING GitHub Parent Team DELETE"
194
194
  else
195
- # :nocov:
195
+ # :nocov:
196
196
  Entitlements.logger.debug "sync_team(#{current_state.team_name}=#{current_state.team_id}): Parent team change found - From #{current_metadata["parent_team_name"] || "No Parent Team"} to #{desired_metadata["parent_team_name"]}"
197
197
  desired_parent_team_id = team_by_name(org_name: org, team_name: desired_metadata["parent_team_name"])[:id]
198
198
  unless desired_parent_team_id.nil?
@@ -240,17 +240,20 @@ module Entitlements
240
240
  Entitlements.logger.debug "sync_team(#{current_state.team_name}=#{current_state.team_id}): Textual change but no semantic change in maintainers. It is remains: #{current_maintainers.to_a}."
241
241
  else
242
242
  Entitlements.logger.debug "sync_team(#{current_state.team_name}=#{current_state.team_id}): Maintainer members change found - From #{current_maintainers.to_a} to #{desired_maintainers.to_a}"
243
- added_maintainers.select! { |username| add_user_to_team(user: username, team: current_state, role: "maintainer") }
243
+ added_maintainers.select! do |username|
244
+ add_user_to_team(user: username, team: current_state, role: "maintainer")
245
+ end
244
246
 
245
247
  ## We only touch previous maintainers who are actually still going to be members of the team
246
248
  removed_maintainers = removed_maintainers.intersection(desired_team_members)
247
249
  ## Downgrade membership to default (role: "member")
248
- removed_maintainers.select! { |username| add_user_to_team(user: username, team: current_state, role: "member") }
250
+ removed_maintainers.select! do |username|
251
+ add_user_to_team(user: username, team: current_state, role: "member")
252
+ end
249
253
  end
250
254
  end
251
255
  end
252
256
 
253
-
254
257
  Entitlements.logger.debug "sync_team(#{current_state.team_name}=#{current_state.team_id}): Added #{added_members.count}, removed #{removed_members.count}"
255
258
  added_members.any? || removed_members.any? || added_maintainers.any? || removed_maintainers.any? || changed_parent_team
256
259
  end
@@ -264,28 +267,41 @@ module Entitlements
264
267
  entitlement_group: Entitlements::Models::Group,
265
268
  ] => C::Bool
266
269
  def create_team(entitlement_group:)
270
+ team_name = entitlement_group.cn.downcase
271
+ team_options = { name: team_name, repo_names: [], privacy: "closed" }
272
+
267
273
  begin
268
- team_name = entitlement_group.cn.downcase
269
- team_options = { name: team_name, repo_names: [], privacy: "closed" }
274
+ entitlement_metadata = entitlement_group.metadata
275
+ unless entitlement_metadata["parent_team_name"].nil?
270
276
 
271
- begin
272
- entitlement_metadata = entitlement_group.metadata
273
- unless entitlement_metadata["parent_team_name"].nil?
277
+ begin
274
278
  parent_team_data = graphql_team_data(entitlement_metadata["parent_team_name"])
275
279
  team_options[:parent_team_id] = parent_team_data[:team_id]
276
- Entitlements.logger.debug "create_team(team=#{team_name}) Parent team #{entitlement_metadata["parent_team_name"]} with id #{parent_team_data[:team_id]} found"
280
+ rescue TeamNotFound
281
+ # if the parent team does not exist, create it (think `mkdir -p` logic here)
282
+ result = octokit.create_team(
283
+ org,
284
+ { name: entitlement_metadata["parent_team_name"], repo_names: [], privacy: "closed" }
285
+ )
286
+
287
+ Entitlements.logger.debug "created parent team #{entitlement_metadata["parent_team_name"]} with id #{result[:id]}"
288
+
289
+ team_options[:parent_team_id] = result[:id]
277
290
  end
278
- rescue Entitlements::Models::Group::NoMetadata
279
- Entitlements.logger.debug "create_team(team=#{team_name}) No metadata found"
280
- end
281
291
 
282
- Entitlements.logger.debug "create_team(team=#{team_name})"
283
- octokit.create_team(org, team_options)
284
- true
285
- rescue Octokit::UnprocessableEntity => e
286
- Entitlements.logger.debug "create_team(team=#{team_name}) ERROR - #{e.message}"
287
- false
292
+ Entitlements.logger.debug "create_team(team=#{team_name}) Parent team #{entitlement_metadata["parent_team_name"]} with id #{team_options[:parent_team_id]} found"
293
+ end
294
+ rescue Entitlements::Models::Group::NoMetadata
295
+ Entitlements.logger.debug "create_team(team=#{team_name}) No metadata found"
288
296
  end
297
+
298
+ Entitlements.logger.debug "create_team(team=#{team_name})"
299
+ result = octokit.create_team(org, team_options)
300
+ Entitlements.logger.debug "created team #{team_name} with id #{result[:id]}"
301
+ true
302
+ rescue Octokit::UnprocessableEntity => e
303
+ Entitlements.logger.debug "create_team(team=#{team_name}) ERROR - #{e.message}"
304
+ false
289
305
  end
290
306
 
291
307
  # Update a team
@@ -298,15 +314,14 @@ module Entitlements
298
314
  metadata: C::Or[Hash, nil]
299
315
  ] => C::Bool
300
316
  def update_team(team:, metadata: {})
301
- begin
302
- Entitlements.logger.debug "update_team(team=#{team.team_name})"
303
- options = { name: team.team_name, repo_names: [], privacy: "closed", parent_team_id: metadata[:parent_team_id] }
304
- octokit.update_team(team.team_id, options)
305
- true
306
- rescue Octokit::UnprocessableEntity => e
307
- Entitlements.logger.debug "update_team(team=#{team.team_name}) ERROR - #{e.message}"
308
- false
309
- end
317
+ Entitlements.logger.debug "update_team(team=#{team.team_name})"
318
+ options = { name: team.team_name, repo_names: [], privacy: "closed",
319
+ parent_team_id: metadata[:parent_team_id] }
320
+ octokit.update_team(team.team_id, options)
321
+ true
322
+ rescue Octokit::UnprocessableEntity => e
323
+ Entitlements.logger.debug "update_team(team=#{team.team_name}) ERROR - #{e.message}"
324
+ false
310
325
  end
311
326
 
312
327
  # Gets a team by name
@@ -332,7 +347,8 @@ module Entitlements
332
347
  # team_slug - Identifier of the team to retrieve.
333
348
  #
334
349
  # Returns a data structure with team data.
335
- Contract String => { members: C::ArrayOf[String], team_id: Integer, parent_team_name: C::Or[String, nil], roles: C::HashOf[String => String] }
350
+ Contract String => { members: C::ArrayOf[String], team_id: Integer, parent_team_name: C::Or[String, nil],
351
+ roles: C::HashOf[String => String] }
336
352
  def graphql_team_data(team_slug)
337
353
  cursor = nil
338
354
  team_id = nil
@@ -370,9 +386,7 @@ module Entitlements
370
386
  end
371
387
 
372
388
  team = response[:data].fetch("data").fetch("organization").fetch("team")
373
- if team.nil?
374
- raise TeamNotFound, "Requested team #{team_slug} does not exist in #{org}!"
375
- end
389
+ raise TeamNotFound, "Requested team #{team_slug} does not exist in #{org}!" if team.nil?
376
390
 
377
391
  team_id = team.fetch("databaseId")
378
392
  parent_team_name = team.dig("parentTeam", "slug")
@@ -390,6 +404,7 @@ module Entitlements
390
404
 
391
405
  cursor = edges.last.fetch("cursor")
392
406
  next if cursor && buffer.size == max_graphql_results
407
+
393
408
  break
394
409
  end
395
410
 
@@ -415,6 +430,7 @@ module Entitlements
415
430
  team_data[:slug]
416
431
  end
417
432
  return if @validation_cache[team_id] == team_slug
433
+
418
434
  raise "validate_team_id_and_slug! mismatch: team_id=#{team_id} expected=#{team_slug.inspect} got=#{@validation_cache[team_id].inspect}"
419
435
  end
420
436
 
@@ -432,10 +448,11 @@ module Entitlements
432
448
  ] => C::Bool
433
449
  def add_user_to_team(user:, team:, role: "member")
434
450
  return false unless org_members.include?(user.downcase)
435
- unless role == "member" || role == "maintainer"
451
+ unless ["member", "maintainer"].include?(role)
436
452
  # :nocov:
437
453
  raise "add_user_to_team role mismatch: team_id=#{team.team_id} user=#{user} expected role=maintainer/member got=#{role}"
438
454
  end
455
+
439
456
  Entitlements.logger.debug "#{identifier} add_user_to_team(user=#{user}, org=#{org}, team_id=#{team.team_id}, role=#{role})"
440
457
  validate_team_id_and_slug!(team.team_id, team.team_name)
441
458
 
@@ -462,6 +479,7 @@ module Entitlements
462
479
  ] => C::Bool
463
480
  def remove_user_from_team(user:, team:)
464
481
  return false unless org_members.include?(user.downcase)
482
+
465
483
  Entitlements.logger.debug "#{identifier} remove_user_from_team(user=#{user}, org=#{org}, team_id=#{team.team_id})"
466
484
  validate_team_id_and_slug!(team.team_id, team.team_name)
467
485
  octokit.remove_team_membership(team.team_id, user)
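Review bot: In the create_team hunk, the new `rescue TeamNotFound` branch creates a missing parent team as a side effect and records it only at debug level, so a mistyped `parent_team_name` in an entitlement's metadata silently adds an unmanaged team to the org and nests the new team under it instead of failing. I would log that creation at a level that survives normal operation, e.g. `Entitlements.logger.warn "create_team(team=#{team_name}) parent team #{entitlement_metadata["parent_team_name"]} did not exist; created id=#{result[:id]}"`, and consider making the auto-create opt-in rather than the default. The "Parent team … found" debug line that follows also runs after the create path, where "found" is no longer accurate. The child name is downcased, but the parent name is passed to `graphql_team_data` (documented as taking a slug) exactly as written, so a value differing from the slug only in case or spacing would presumably take the create path as well; normalising it the same way as `team_name` before the lookup would avoid that.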
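--- a/data/lib/version.rb
+++ b/data/lib/version.rb
@@ -2,6 +2,6 @@
 
  module Entitlements
  module Version
- VERSION = "0.6.0"
+ VERSION = "0.7.0"
  end
  end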
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: entitlements-github-plugin
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.6.0
4
+ version: 0.7.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - GitHub, Inc. Security Ops
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-04-03 00:00:00.000000000 Z
11
+ date: 2024-05-28 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: contracts
@@ -86,56 +86,56 @@ dependencies:
86
86
  requirements:
87
87
  - - "~>"
88
88
  - !ruby/object:Gem::Version
89
- version: 13.0.6
89
+ version: 13.2.0
90
90
  type: :development
91
91
  prerelease: false
92
92
  version_requirements: !ruby/object:Gem::Requirement
93
93
  requirements:
94
94
  - - "~>"
95
95
  - !ruby/object:Gem::Version
96
- version: 13.0.6
96
+ version: 13.2.0
97
97
  - !ruby/object:Gem::Dependency
98
98
  name: rspec
99
99
  requirement: !ruby/object:Gem::Requirement
100
100
  requirements:
101
- - - "~>"
101
+ - - '='
102
102
  - !ruby/object:Gem::Version
103
- version: 3.8.0
103
+ version: 3.13.0
104
104
  type: :development
105
105
  prerelease: false
106
106
  version_requirements: !ruby/object:Gem::Requirement
107
107
  requirements:
108
- - - "~>"
108
+ - - '='
109
109
  - !ruby/object:Gem::Version
110
- version: 3.8.0
110
+ version: 3.13.0
111
111
  - !ruby/object:Gem::Dependency
112
112
  name: rspec-core
113
113
  requirement: !ruby/object:Gem::Requirement
114
114
  requirements:
115
- - - "~>"
115
+ - - '='
116
116
  - !ruby/object:Gem::Version
117
- version: 3.8.0
117
+ version: 3.13.0
118
118
  type: :development
119
119
  prerelease: false
120
120
  version_requirements: !ruby/object:Gem::Requirement
121
121
  requirements:
122
- - - "~>"
122
+ - - '='
123
123
  - !ruby/object:Gem::Version
124
- version: 3.8.0
124
+ version: 3.13.0
125
125
  - !ruby/object:Gem::Dependency
126
126
  name: rubocop
127
127
  requirement: !ruby/object:Gem::Requirement
128
128
  requirements:
129
129
  - - '='
130
130
  - !ruby/object:Gem::Version
131
- version: 1.62.1
131
+ version: 1.63.3
132
132
  type: :development
133
133
  prerelease: false
134
134
  version_requirements: !ruby/object:Gem::Requirement
135
135
  requirements:
136
136
  - - '='
137
137
  - !ruby/object:Gem::Version
138
- version: 1.62.1
138
+ version: 1.63.3
139
139
  - !ruby/object:Gem::Dependency
140
140
  name: rubocop-github
141
141
  requirement: !ruby/object:Gem::Requirement
@@ -156,14 +156,28 @@ dependencies:
156
156
  requirements:
157
157
  - - '='
158
158
  - !ruby/object:Gem::Version
159
- version: 1.20.2
159
+ version: 1.21.0
160
160
  type: :development
161
161
  prerelease: false
162
162
  version_requirements: !ruby/object:Gem::Requirement
163
163
  requirements:
164
164
  - - '='
165
165
  - !ruby/object:Gem::Version
166
- version: 1.20.2
166
+ version: 1.21.0
167
+ - !ruby/object:Gem::Dependency
168
+ name: ruby-lsp
169
+ requirement: !ruby/object:Gem::Requirement
170
+ requirements:
171
+ - - "~>"
172
+ - !ruby/object:Gem::Version
173
+ version: 0.16.7
174
+ type: :development
175
+ prerelease: false
176
+ version_requirements: !ruby/object:Gem::Requirement
177
+ requirements:
178
+ - - "~>"
179
+ - !ruby/object:Gem::Version
180
+ version: 0.16.7
167
181
  - !ruby/object:Gem::Dependency
168
182
  name: rugged
169
183
  requirement: !ruby/object:Gem::Requirement
@@ -190,14 +204,14 @@ dependencies:
190
204
  requirements:
191
205
  - - '='
192
206
  - !ruby/object:Gem::Version
193
- version: 0.16.1
207
+ version: 0.22.0
194
208
  type: :development
195
209
  prerelease: false
196
210
  version_requirements: !ruby/object:Gem::Requirement
197
211
  requirements:
198
212
  - - '='
199
213
  - !ruby/object:Gem::Version
200
- version: 0.16.1
214
+ version: 0.22.0
201
215
  - !ruby/object:Gem::Dependency
202
216
  name: simplecov-erb
203
217
  requirement: !ruby/object:Gem::Requirement