jonico/AuditUsers.groovy

## AuditUsers.groovy
#!/usr/bin/env groovy

/**
 * groovy script to show all repositories that can be accessed by given users on an GitHub Enterprise instance
 *
 *
 * Run 'groovy AuditUsers.groovy' to see the list of command line options
 *
 *  First run may take some time as required dependencies have to get downloaded, then it should be quite fast
 *
 *  If you do not have groovy yet, run 'brew install groovy'
 */

@Grab(group='org.kohsuke', module='github-api', version='1.75')
@Grab(group='org.codehaus.groovy.modules.http-builder', module='http-builder', version='0.7.2' )
import org.kohsuke.github.GitHub
import groovyx.net.http.RESTClient
import static groovyx.net.http.ContentType.*
import groovy.json.JsonOutput


// parsing command line args
cli = new CliBuilder(usage: 'groovy AuditUsers.groovy [options] [user accounts]\nReports all repositories that can be accessed by given users')
cli.t(longOpt: 'token', 'personal access token of a GitHub Enterprise site admin with repo skope (or use GITHUB_TOKEN env variable)', required: false  , args: 1 )
cli.u(longOpt: 'url', 'GitHub Enterprise URL (or use GITHUB_URL env variable), e.g. https://myghe.com', required: false  , args: 1 )
cli.s(longOpt: 'skipPublicRepos', 'Do not print publicly available repositories at the end of the report', required: false  , args: 0 )
cli.h(longOpt: 'help', 'Print this usage info', required: false  , args: 0 )

OptionAccessor opt = cli.parse(args)

token = opt.t?opt.t:System.getenv("GITHUB_TOKEN")
url = opt.u?opt.u:System.getenv("GITHUB_URL")
listOnly = opt.l

// bail out if help parameter was supplied or not sufficient input to proceed
if (opt.h || !token || !url || opt.arguments().size() == 0) {
	cli.usage()
	return
}

// chop potential trailing slash from GitHub Enterprise URL
url = url.replaceAll('/\$', "")


RESTClient restSiteAdmin = getGithubApi(url , token)

// iterate over all supplied users
opt.arguments().each {
	user=it
	println "Showing repositories accessible for user ${user} ... "
	try {
		// get temporary access token for given user
		resp = restSiteAdmin.post(
				path: "/api/v3/admin/users/${user}/authorizations",
				body: JsonOutput.toJson( scopes: ["repo"]),
				requestContentType: URLENC )

		assert resp.data.token != null
		userToken = resp.data.token

		try {
			// list all accessible repositories in organizations and personal repositories of this user
			userRepos = GitHub.connectToEnterprise("${url}/api/v3", userToken).getMyself().listAllRepositories()

			// further fields available on http://github-api.kohsuke.org/apidocs/org/kohsuke/github/GHRepository.html#method_summary
			userRepos.each { println "user: ${user}, repo: ${it.name}, owner: ${it.ownerName}, private: ${it.private}, read: ${it.hasPullAccess()}, write: ${it.hasPushAccess()}, admin: ${it.hasAdminAccess()}, url: ${it.getHtmlUrl()}"    }
		}
		finally {
			// delete the personal access token again even if we ran into an exception
			resp = restClient.delete(path: "/api/v3/admin/users/${user}/authorizations")
			assert resp.status == 204
		}
		println ""
	} catch (Exception e) {
		e.printStackTrace()
		println "An error occurred while fetching repositories for user ${user}, continuing with the next user ..."
	}
}

if (!opt.s) {
	println "Showing repositories accessible by any logged in user ..."
	publicRepos = GitHub.connectToEnterprise("${url}/api/v3", token).listAllPublicRepositories()
	// further fields on http://github-api.kohsuke.org/apidocs/org/kohsuke/github/GHRepository.html#method_summary
	publicRepos.each { println "public repo: ${it.name}, owner: ${it.ownerName}, url: ${it.getHtmlUrl()}"    }
}

def RESTClient getGithubApi(url, token) {
	restClient = new RESTClient(url).with {
		headers['Accept'] = 'application/json'
		headers['Authorization'] = "token ${token}"
		it
	}
}
	#!/usr/bin/env groovy

	/**
	* groovy script to show all repositories that can be accessed by given users on an GitHub Enterprise instance
	*
	*
	* Run 'groovy AuditUsers.groovy' to see the list of command line options
	*
	* First run may take some time as required dependencies have to get downloaded, then it should be quite fast
	*
	* If you do not have groovy yet, run 'brew install groovy'
	*/

	@Grab(group='org.kohsuke', module='github-api', version='1.75')
	@Grab(group='org.codehaus.groovy.modules.http-builder', module='http-builder', version='0.7.2' )
	import org.kohsuke.github.GitHub
	import groovyx.net.http.RESTClient
	import static groovyx.net.http.ContentType.*
	import groovy.json.JsonOutput


	// parsing command line args
	cli = new CliBuilder(usage: 'groovy AuditUsers.groovy [options] [user accounts]\nReports all repositories that can be accessed by given users')
	cli.t(longOpt: 'token', 'personal access token of a GitHub Enterprise site admin with repo skope (or use GITHUB_TOKEN env variable)', required: false , args: 1 )
	cli.u(longOpt: 'url', 'GitHub Enterprise URL (or use GITHUB_URL env variable), e.g. https://myghe.com', required: false , args: 1 )
	cli.s(longOpt: 'skipPublicRepos', 'Do not print publicly available repositories at the end of the report', required: false , args: 0 )
	cli.h(longOpt: 'help', 'Print this usage info', required: false , args: 0 )

	OptionAccessor opt = cli.parse(args)

	token = opt.t?opt.t:System.getenv("GITHUB_TOKEN")
	url = opt.u?opt.u:System.getenv("GITHUB_URL")
	listOnly = opt.l

	// bail out if help parameter was supplied or not sufficient input to proceed
	if (opt.h \|\| !token \|\| !url \|\| opt.arguments().size() == 0) {
	cli.usage()
	return
	}

	// chop potential trailing slash from GitHub Enterprise URL
	url = url.replaceAll('/\$', "")


	RESTClient restSiteAdmin = getGithubApi(url , token)

	// iterate over all supplied users
	opt.arguments().each {
	user=it
	println "Showing repositories accessible for user ${user} ... "
	try {
	// get temporary access token for given user
	resp = restSiteAdmin.post(
	path: "/api/v3/admin/users/${user}/authorizations",
	body: JsonOutput.toJson( scopes: ["repo"]),
	requestContentType: URLENC )

	assert resp.data.token != null
	userToken = resp.data.token

	try {
	// list all accessible repositories in organizations and personal repositories of this user
	userRepos = GitHub.connectToEnterprise("${url}/api/v3", userToken).getMyself().listAllRepositories()

	// further fields available on http://github-api.kohsuke.org/apidocs/org/kohsuke/github/GHRepository.html#method_summary
	userRepos.each { println "user: ${user}, repo: ${it.name}, owner: ${it.ownerName}, private: ${it.private}, read: ${it.hasPullAccess()}, write: ${it.hasPushAccess()}, admin: ${it.hasAdminAccess()}, url: ${it.getHtmlUrl()}" }
	}
	finally {
	// delete the personal access token again even if we ran into an exception
	resp = restClient.delete(path: "/api/v3/admin/users/${user}/authorizations")
	assert resp.status == 204
	}
	println ""
	} catch (Exception e) {
	e.printStackTrace()
	println "An error occurred while fetching repositories for user ${user}, continuing with the next user ..."
	}
	}

	if (!opt.s) {
	println "Showing repositories accessible by any logged in user ..."
	publicRepos = GitHub.connectToEnterprise("${url}/api/v3", token).listAllPublicRepositories()
	// further fields on http://github-api.kohsuke.org/apidocs/org/kohsuke/github/GHRepository.html#method_summary
	publicRepos.each { println "public repo: ${it.name}, owner: ${it.ownerName}, url: ${it.getHtmlUrl()}" }
	}

	def RESTClient getGithubApi(url, token) {
	restClient = new RESTClient(url).with {
	headers['Accept'] = 'application/json'
	headers['Authorization'] = "token ${token}"
	it
	}
	}