entitlements-github-plugin 0.6.0 → 0.7.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/entitlements/backend/github_team/service.rb +55 -37
- data/lib/version.rb +1 -1
- metadata +32 -18
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 9080cc49d01feac15d1437b9d665d00321106ef875daca827daa2f863e422065
|
|
4
|
+
data.tar.gz: d351b657f2fefc75d4e629181bbe17204f41fdd8dc5cb83fb3a2df640ba7957e
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: d90d3b9eb5663b77ed4e2098a1a06f26322aa7a8c01e75b91e73f1c5635030afe76d93cf819d4df19deff6e9b317247da230d31578acd61b7679e10700d0c6c4
|
|
7
|
+
data.tar.gz: b2510ac0f9d8d318de6e2fe675c29e7c6c9de97c12da03a8661c31baf71e93e996d78f9c310254751007d088da0d691fc34edbbd46e8d512fa7fd0f35429c7fe
|
|
@@ -32,7 +32,7 @@ module Entitlements
|
|
|
32
32
|
ou: String,
|
|
33
33
|
ignore_not_found: C::Maybe[C::Bool],
|
|
34
34
|
] => C::Any
|
|
35
|
-
def initialize(
|
|
35
|
+
def initialize(org:, token:, ou:, addr: nil, ignore_not_found: false)
|
|
36
36
|
super
|
|
37
37
|
Entitlements.cache[:github_team_members] ||= {}
|
|
38
38
|
Entitlements.cache[:github_team_members][org_signature] ||= {}
|
|
@@ -107,8 +107,8 @@ module Entitlements
|
|
|
107
107
|
end
|
|
108
108
|
|
|
109
109
|
maintainers = teamdata[:members].select { |u| teamdata[:roles][u] == "maintainer" }
|
|
110
|
-
team_metadata
|
|
111
|
-
team_metadata = team_metadata.merge({"team_maintainers" => maintainers.any? ? maintainers.join(",") : nil})
|
|
110
|
+
team_metadata ||= {}
|
|
111
|
+
team_metadata = team_metadata.merge({ "team_maintainers" => maintainers.any? ? maintainers.join(",") : nil })
|
|
112
112
|
|
|
113
113
|
team = Entitlements::Backend::GitHubTeam::Models::Team.new(
|
|
114
114
|
team_id: teamdata[:team_id],
|
|
@@ -139,7 +139,7 @@ module Entitlements
|
|
|
139
139
|
def from_predictive_cache?(entitlement_group)
|
|
140
140
|
team_identifier = entitlement_group.cn.downcase
|
|
141
141
|
read_team(entitlement_group) unless @team_cache[team_identifier]
|
|
142
|
-
|
|
142
|
+
@team_cache[team_identifier] && @team_cache[team_identifier][:cache] ? true : false
|
|
143
143
|
end
|
|
144
144
|
|
|
145
145
|
# Declare the entry to be invalid for a specific team, and if the prior knowledge
|
|
@@ -192,7 +192,7 @@ module Entitlements
|
|
|
192
192
|
if desired_metadata["parent_team_name"].nil?
|
|
193
193
|
Entitlements.logger.debug "sync_team(team=#{current_state.team_name}): IGNORING GitHub Parent Team DELETE"
|
|
194
194
|
else
|
|
195
|
-
|
|
195
|
+
# :nocov:
|
|
196
196
|
Entitlements.logger.debug "sync_team(#{current_state.team_name}=#{current_state.team_id}): Parent team change found - From #{current_metadata["parent_team_name"] || "No Parent Team"} to #{desired_metadata["parent_team_name"]}"
|
|
197
197
|
desired_parent_team_id = team_by_name(org_name: org, team_name: desired_metadata["parent_team_name"])[:id]
|
|
198
198
|
unless desired_parent_team_id.nil?
|
|
@@ -240,17 +240,20 @@ module Entitlements
|
|
|
240
240
|
Entitlements.logger.debug "sync_team(#{current_state.team_name}=#{current_state.team_id}): Textual change but no semantic change in maintainers. It is remains: #{current_maintainers.to_a}."
|
|
241
241
|
else
|
|
242
242
|
Entitlements.logger.debug "sync_team(#{current_state.team_name}=#{current_state.team_id}): Maintainer members change found - From #{current_maintainers.to_a} to #{desired_maintainers.to_a}"
|
|
243
|
-
added_maintainers.select!
|
|
243
|
+
added_maintainers.select! do |username|
|
|
244
|
+
add_user_to_team(user: username, team: current_state, role: "maintainer")
|
|
245
|
+
end
|
|
244
246
|
|
|
245
247
|
## We only touch previous maintainers who are actually still going to be members of the team
|
|
246
248
|
removed_maintainers = removed_maintainers.intersection(desired_team_members)
|
|
247
249
|
## Downgrade membership to default (role: "member")
|
|
248
|
-
removed_maintainers.select!
|
|
250
|
+
removed_maintainers.select! do |username|
|
|
251
|
+
add_user_to_team(user: username, team: current_state, role: "member")
|
|
252
|
+
end
|
|
249
253
|
end
|
|
250
254
|
end
|
|
251
255
|
end
|
|
252
256
|
|
|
253
|
-
|
|
254
257
|
Entitlements.logger.debug "sync_team(#{current_state.team_name}=#{current_state.team_id}): Added #{added_members.count}, removed #{removed_members.count}"
|
|
255
258
|
added_members.any? || removed_members.any? || added_maintainers.any? || removed_maintainers.any? || changed_parent_team
|
|
256
259
|
end
|
|
@@ -264,28 +267,41 @@ module Entitlements
|
|
|
264
267
|
entitlement_group: Entitlements::Models::Group,
|
|
265
268
|
] => C::Bool
|
|
266
269
|
def create_team(entitlement_group:)
|
|
270
|
+
team_name = entitlement_group.cn.downcase
|
|
271
|
+
team_options = { name: team_name, repo_names: [], privacy: "closed" }
|
|
272
|
+
|
|
267
273
|
begin
|
|
268
|
-
|
|
269
|
-
|
|
274
|
+
entitlement_metadata = entitlement_group.metadata
|
|
275
|
+
unless entitlement_metadata["parent_team_name"].nil?
|
|
270
276
|
|
|
271
|
-
|
|
272
|
-
entitlement_metadata = entitlement_group.metadata
|
|
273
|
-
unless entitlement_metadata["parent_team_name"].nil?
|
|
277
|
+
begin
|
|
274
278
|
parent_team_data = graphql_team_data(entitlement_metadata["parent_team_name"])
|
|
275
279
|
team_options[:parent_team_id] = parent_team_data[:team_id]
|
|
276
|
-
|
|
280
|
+
rescue TeamNotFound
|
|
281
|
+
# if the parent team does not exist, create it (think `mkdir -p` logic here)
|
|
282
|
+
result = octokit.create_team(
|
|
283
|
+
org,
|
|
284
|
+
{ name: entitlement_metadata["parent_team_name"], repo_names: [], privacy: "closed" }
|
|
285
|
+
)
|
|
286
|
+
|
|
287
|
+
Entitlements.logger.debug "created parent team #{entitlement_metadata["parent_team_name"]} with id #{result[:id]}"
|
|
288
|
+
|
|
289
|
+
team_options[:parent_team_id] = result[:id]
|
|
277
290
|
end
|
|
278
|
-
rescue Entitlements::Models::Group::NoMetadata
|
|
279
|
-
Entitlements.logger.debug "create_team(team=#{team_name}) No metadata found"
|
|
280
|
-
end
|
|
281
291
|
|
|
282
|
-
|
|
283
|
-
|
|
284
|
-
|
|
285
|
-
|
|
286
|
-
Entitlements.logger.debug "create_team(team=#{team_name}) ERROR - #{e.message}"
|
|
287
|
-
false
|
|
292
|
+
Entitlements.logger.debug "create_team(team=#{team_name}) Parent team #{entitlement_metadata["parent_team_name"]} with id #{team_options[:parent_team_id]} found"
|
|
293
|
+
end
|
|
294
|
+
rescue Entitlements::Models::Group::NoMetadata
|
|
295
|
+
Entitlements.logger.debug "create_team(team=#{team_name}) No metadata found"
|
|
288
296
|
end
|
|
297
|
+
|
|
298
|
+
Entitlements.logger.debug "create_team(team=#{team_name})"
|
|
299
|
+
result = octokit.create_team(org, team_options)
|
|
300
|
+
Entitlements.logger.debug "created team #{team_name} with id #{result[:id]}"
|
|
301
|
+
true
|
|
302
|
+
rescue Octokit::UnprocessableEntity => e
|
|
303
|
+
Entitlements.logger.debug "create_team(team=#{team_name}) ERROR - #{e.message}"
|
|
304
|
+
false
|
|
289
305
|
end
|
|
290
306
|
|
|
291
307
|
# Update a team
|
|
@@ -298,15 +314,14 @@ module Entitlements
|
|
|
298
314
|
metadata: C::Or[Hash, nil]
|
|
299
315
|
] => C::Bool
|
|
300
316
|
def update_team(team:, metadata: {})
|
|
301
|
-
|
|
302
|
-
|
|
303
|
-
|
|
304
|
-
|
|
305
|
-
|
|
306
|
-
|
|
307
|
-
|
|
308
|
-
|
|
309
|
-
end
|
|
317
|
+
Entitlements.logger.debug "update_team(team=#{team.team_name})"
|
|
318
|
+
options = { name: team.team_name, repo_names: [], privacy: "closed",
|
|
319
|
+
parent_team_id: metadata[:parent_team_id] }
|
|
320
|
+
octokit.update_team(team.team_id, options)
|
|
321
|
+
true
|
|
322
|
+
rescue Octokit::UnprocessableEntity => e
|
|
323
|
+
Entitlements.logger.debug "update_team(team=#{team.team_name}) ERROR - #{e.message}"
|
|
324
|
+
false
|
|
310
325
|
end
|
|
311
326
|
|
|
312
327
|
# Gets a team by name
|
|
@@ -332,7 +347,8 @@ module Entitlements
|
|
|
332
347
|
# team_slug - Identifier of the team to retrieve.
|
|
333
348
|
#
|
|
334
349
|
# Returns a data structure with team data.
|
|
335
|
-
Contract String => { members: C::ArrayOf[String], team_id: Integer, parent_team_name: C::Or[String, nil],
|
|
350
|
+
Contract String => { members: C::ArrayOf[String], team_id: Integer, parent_team_name: C::Or[String, nil],
|
|
351
|
+
roles: C::HashOf[String => String] }
|
|
336
352
|
def graphql_team_data(team_slug)
|
|
337
353
|
cursor = nil
|
|
338
354
|
team_id = nil
|
|
@@ -370,9 +386,7 @@ module Entitlements
|
|
|
370
386
|
end
|
|
371
387
|
|
|
372
388
|
team = response[:data].fetch("data").fetch("organization").fetch("team")
|
|
373
|
-
if team.nil?
|
|
374
|
-
raise TeamNotFound, "Requested team #{team_slug} does not exist in #{org}!"
|
|
375
|
-
end
|
|
389
|
+
raise TeamNotFound, "Requested team #{team_slug} does not exist in #{org}!" if team.nil?
|
|
376
390
|
|
|
377
391
|
team_id = team.fetch("databaseId")
|
|
378
392
|
parent_team_name = team.dig("parentTeam", "slug")
|
|
@@ -390,6 +404,7 @@ module Entitlements
|
|
|
390
404
|
|
|
391
405
|
cursor = edges.last.fetch("cursor")
|
|
392
406
|
next if cursor && buffer.size == max_graphql_results
|
|
407
|
+
|
|
393
408
|
break
|
|
394
409
|
end
|
|
395
410
|
|
|
@@ -415,6 +430,7 @@ module Entitlements
|
|
|
415
430
|
team_data[:slug]
|
|
416
431
|
end
|
|
417
432
|
return if @validation_cache[team_id] == team_slug
|
|
433
|
+
|
|
418
434
|
raise "validate_team_id_and_slug! mismatch: team_id=#{team_id} expected=#{team_slug.inspect} got=#{@validation_cache[team_id].inspect}"
|
|
419
435
|
end
|
|
420
436
|
|
|
@@ -432,10 +448,11 @@ module Entitlements
|
|
|
432
448
|
] => C::Bool
|
|
433
449
|
def add_user_to_team(user:, team:, role: "member")
|
|
434
450
|
return false unless org_members.include?(user.downcase)
|
|
435
|
-
unless
|
|
451
|
+
unless ["member", "maintainer"].include?(role)
|
|
436
452
|
# :nocov:
|
|
437
453
|
raise "add_user_to_team role mismatch: team_id=#{team.team_id} user=#{user} expected role=maintainer/member got=#{role}"
|
|
438
454
|
end
|
|
455
|
+
|
|
439
456
|
Entitlements.logger.debug "#{identifier} add_user_to_team(user=#{user}, org=#{org}, team_id=#{team.team_id}, role=#{role})"
|
|
440
457
|
validate_team_id_and_slug!(team.team_id, team.team_name)
|
|
441
458
|
|
|
@@ -462,6 +479,7 @@ module Entitlements
|
|
|
462
479
|
] => C::Bool
|
|
463
480
|
def remove_user_from_team(user:, team:)
|
|
464
481
|
return false unless org_members.include?(user.downcase)
|
|
482
|
+
|
|
465
483
|
Entitlements.logger.debug "#{identifier} remove_user_from_team(user=#{user}, org=#{org}, team_id=#{team.team_id})"
|
|
466
484
|
validate_team_id_and_slug!(team.team_id, team.team_name)
|
|
467
485
|
octokit.remove_team_membership(team.team_id, user)
|
data/lib/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: entitlements-github-plugin
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.7.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- GitHub, Inc. Security Ops
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-
|
|
11
|
+
date: 2024-05-28 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: contracts
|
|
@@ -86,56 +86,56 @@ dependencies:
|
|
|
86
86
|
requirements:
|
|
87
87
|
- - "~>"
|
|
88
88
|
- !ruby/object:Gem::Version
|
|
89
|
-
version: 13.0
|
|
89
|
+
version: 13.2.0
|
|
90
90
|
type: :development
|
|
91
91
|
prerelease: false
|
|
92
92
|
version_requirements: !ruby/object:Gem::Requirement
|
|
93
93
|
requirements:
|
|
94
94
|
- - "~>"
|
|
95
95
|
- !ruby/object:Gem::Version
|
|
96
|
-
version: 13.0
|
|
96
|
+
version: 13.2.0
|
|
97
97
|
- !ruby/object:Gem::Dependency
|
|
98
98
|
name: rspec
|
|
99
99
|
requirement: !ruby/object:Gem::Requirement
|
|
100
100
|
requirements:
|
|
101
|
-
- -
|
|
101
|
+
- - '='
|
|
102
102
|
- !ruby/object:Gem::Version
|
|
103
|
-
version: 3.
|
|
103
|
+
version: 3.13.0
|
|
104
104
|
type: :development
|
|
105
105
|
prerelease: false
|
|
106
106
|
version_requirements: !ruby/object:Gem::Requirement
|
|
107
107
|
requirements:
|
|
108
|
-
- -
|
|
108
|
+
- - '='
|
|
109
109
|
- !ruby/object:Gem::Version
|
|
110
|
-
version: 3.
|
|
110
|
+
version: 3.13.0
|
|
111
111
|
- !ruby/object:Gem::Dependency
|
|
112
112
|
name: rspec-core
|
|
113
113
|
requirement: !ruby/object:Gem::Requirement
|
|
114
114
|
requirements:
|
|
115
|
-
- -
|
|
115
|
+
- - '='
|
|
116
116
|
- !ruby/object:Gem::Version
|
|
117
|
-
version: 3.
|
|
117
|
+
version: 3.13.0
|
|
118
118
|
type: :development
|
|
119
119
|
prerelease: false
|
|
120
120
|
version_requirements: !ruby/object:Gem::Requirement
|
|
121
121
|
requirements:
|
|
122
|
-
- -
|
|
122
|
+
- - '='
|
|
123
123
|
- !ruby/object:Gem::Version
|
|
124
|
-
version: 3.
|
|
124
|
+
version: 3.13.0
|
|
125
125
|
- !ruby/object:Gem::Dependency
|
|
126
126
|
name: rubocop
|
|
127
127
|
requirement: !ruby/object:Gem::Requirement
|
|
128
128
|
requirements:
|
|
129
129
|
- - '='
|
|
130
130
|
- !ruby/object:Gem::Version
|
|
131
|
-
version: 1.
|
|
131
|
+
version: 1.63.3
|
|
132
132
|
type: :development
|
|
133
133
|
prerelease: false
|
|
134
134
|
version_requirements: !ruby/object:Gem::Requirement
|
|
135
135
|
requirements:
|
|
136
136
|
- - '='
|
|
137
137
|
- !ruby/object:Gem::Version
|
|
138
|
-
version: 1.
|
|
138
|
+
version: 1.63.3
|
|
139
139
|
- !ruby/object:Gem::Dependency
|
|
140
140
|
name: rubocop-github
|
|
141
141
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -156,14 +156,28 @@ dependencies:
|
|
|
156
156
|
requirements:
|
|
157
157
|
- - '='
|
|
158
158
|
- !ruby/object:Gem::Version
|
|
159
|
-
version: 1.
|
|
159
|
+
version: 1.21.0
|
|
160
160
|
type: :development
|
|
161
161
|
prerelease: false
|
|
162
162
|
version_requirements: !ruby/object:Gem::Requirement
|
|
163
163
|
requirements:
|
|
164
164
|
- - '='
|
|
165
165
|
- !ruby/object:Gem::Version
|
|
166
|
-
version: 1.
|
|
166
|
+
version: 1.21.0
|
|
167
|
+
- !ruby/object:Gem::Dependency
|
|
168
|
+
name: ruby-lsp
|
|
169
|
+
requirement: !ruby/object:Gem::Requirement
|
|
170
|
+
requirements:
|
|
171
|
+
- - "~>"
|
|
172
|
+
- !ruby/object:Gem::Version
|
|
173
|
+
version: 0.16.7
|
|
174
|
+
type: :development
|
|
175
|
+
prerelease: false
|
|
176
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
177
|
+
requirements:
|
|
178
|
+
- - "~>"
|
|
179
|
+
- !ruby/object:Gem::Version
|
|
180
|
+
version: 0.16.7
|
|
167
181
|
- !ruby/object:Gem::Dependency
|
|
168
182
|
name: rugged
|
|
169
183
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -190,14 +204,14 @@ dependencies:
|
|
|
190
204
|
requirements:
|
|
191
205
|
- - '='
|
|
192
206
|
- !ruby/object:Gem::Version
|
|
193
|
-
version: 0.
|
|
207
|
+
version: 0.22.0
|
|
194
208
|
type: :development
|
|
195
209
|
prerelease: false
|
|
196
210
|
version_requirements: !ruby/object:Gem::Requirement
|
|
197
211
|
requirements:
|
|
198
212
|
- - '='
|
|
199
213
|
- !ruby/object:Gem::Version
|
|
200
|
-
version: 0.
|
|
214
|
+
version: 0.22.0
|
|
201
215
|
- !ruby/object:Gem::Dependency
|
|
202
216
|
name: simplecov-erb
|
|
203
217
|
requirement: !ruby/object:Gem::Requirement
|