sambauers/github-2fa-nag.sh

## github-2fa-nag.sh
#!/usr/bin/env bash

# 2FA Nag

# This script allows you to nag your organisation members to turn on two factor
# auth on GitHub. It grabs all organisation members, determines which have 2FA
# disabled and enabled, and assigns/deassigns them from a preset issue on a
# repository and adds comments once a week in order to nag them to do it. The
# script should be run once per day via a cron job.

# Configure authentication
# Your GitHub login
GITHUB_USER="your-github-login";
# A personal access token for that login - must have "repo" and "read:org" access
GITHUB_TOKEN="0123456789abcdef0123456789abcdef01234567";

# Configure issue location
GITHUB_OWNER="your-organisation";
GITHUB_REPO="some-repository-in-the-organisation";
GITHUB_ISSUE_NUMBER="1";

# What day would you like to nag people on? "Mon", "Mon Thu", "Fri", etc...
NAG_DAYS="Mon Thu";

# This script requires the `jq` utility - https://stedolan.github.io/jq/
JQ_PATH="/usr/local/bin/jq";

# Don't touch these!
GITHUB_AUTH=$( printf "%s:%s" $GITHUB_USER $GITHUB_TOKEN );
GITHUB_MEMBERS_API=$( printf "https://api.github.com/orgs/%s/members" $GITHUB_OWNER );
GITHUB_ISSUES_API=$( printf "https://api.github.com/repos/%s/%s/issues" $GITHUB_OWNER $GITHUB_REPO );

# in_array() function
function in_array() {
  local x;
  ENTRY=$1;
  shift 1;
  ARRAY=( "$@" );
  [ -z "${ARRAY}" ] && return 1;
  [ -z "${ENTRY}" ] && return 1;
  for x in ${ARRAY[@]};
  do
    [ "${x}" == "${ENTRY}" ] && return 0
  done
  return 1
}

# join_array() function
function join_array() {
  local d=$1;
  shift;
  printf "$1";
  shift;
  printf "%s" "${@/#/$d}";
}

# countup() function
function countup() {
  printf "> ";
  ITEMS=$*;
  for ITEM in $ITEMS;
  do
    sleep 0.2;
    printf ".";
  done
  printf "\\n";
}

LOGINS=$( curl --silent -u $GITHUB_AUTH $GITHUB_MEMBERS_API | $JQ_PATH -r ".[] | .login" );
DISABLED_LOGINS=$( curl --silent -u $GITHUB_AUTH "$GITHUB_MEMBERS_API?filter=2fa_disabled" | $JQ_PATH -r ".[] | .login" );

printf "===========================\\n";
printf "Here is what's going on...\\n";
printf "===========================\\n";
printf "\\n";
printf "Members without 2FA enabled\\n"
printf -- "---------------------------\\n"
printf "$DISABLED_LOGINS\\n";
printf "\\n";

# Loop thorough all logins to remove those with 2FA disabled, and create a list
# of those with 2FA enabled.
ENABLED_LOGINS="";
for LOGIN in $LOGINS;
do

  in_array "$LOGIN" "${DISABLED_LOGINS[@]}";
  if [[ $? == 0 ]];
  then
    continue;
  fi

  if [[ $ENABLED_LOGINS ]];
  then
    ENABLED_LOGINS="$ENABLED_LOGINS
$LOGIN";
  else
    ENABLED_LOGINS="$LOGIN";
  fi
done

printf "Members with 2FA enabled\\n";
printf -- "---------------------------\\n";
printf "$ENABLED_LOGINS\\n";
printf "\\n";

# Remove assignment from the good people
printf "Removing issue assignment for members with 2FA enabled:\\n";
ENABLED_JOINED=$( join_array "\",\"" $ENABLED_LOGINS );
DEASSIGNMENT=$( curl --silent -u $GITHUB_AUTH -H "Content-Type: application/json" -X DELETE -d "{\"assignees\":[\"$ENABLED_JOINED\"]}" "$GITHUB_ISSUES_API/$GITHUB_ISSUE_NUMBER/assignees" );

# Pretend we are doing something
countup $ENABLED_LOGINS;
printf "\\n";

# Add assignment for the bad people
printf "Adding issue assignment for members without 2FA enabled:\\n";
DISABLED_JOINED=$( join_array "\",\"" $DISABLED_LOGINS );
ASSIGNMENT=$( curl --silent -u $GITHUB_AUTH -H 'Content-Type: application/json' -X POST -d "{\"assignees\":[\"$DISABLED_JOINED\"]}" "$GITHUB_ISSUES_API/$GITHUB_ISSUE_NUMBER/assignees" );

# Pretend we are doing something
countup $DISABLED_LOGINS;
printf "\\n";

# What day is it anyway?
DAY=$( date "+%a" );

# Write comments every nag day
in_array "$DAY" "${NAG_DAYS[@]}";
if [[ $? == 0 ]];
then
  printf "Deleting current comments on the issue:\\n";
  COMMENTS=$( curl --silent -u $GITHUB_AUTH "$GITHUB_ISSUES_API/$GITHUB_ISSUE_NUMBER/comments" | $JQ_PATH -r ".[] | .id" );
  printf "> ";

  for COMMENT in $COMMENTS;
  do
    printf ".";
    DELETE_COMMENT=$( curl --silent -u $GITHUB_AUTH -X DELETE "$GITHUB_ISSUES_API/comments/$COMMENT" );
  done
  printf "\\n";
  printf "\\n";

  printf "Writing comments into issue for members without 2FA enabled:\\n";
  printf "> ";

  for DISABLED_LOGIN in $DISABLED_LOGINS;
  do
    printf ".";
    MESSAGE="Hi @$DISABLED_LOGIN, you still haven't got 2FA enabled on your GitHub account. Please enable it today to allow continued access to the @$GITHUB_OWNER GitHub organisation. Follow these instructions to set it up - https://help.github.com/articles/configuring-two-factor-authentication-via-a-totp-mobile-app/";
    ADD_COMMENT=$( curl --silent -u $GITHUB_AUTH -H "Content-Type: application/json" -X POST -d "{\"body\":\"$MESSAGE\"}" "$GITHUB_ISSUES_API/$GITHUB_ISSUE_NUMBER/comments" );
  done
  printf "\\n";
  printf "\\n";
fi

printf "===========================\\n";
printf "All done!\\n";
printf "===========================\\n";
printf "\\n";
exit 0;
	#!/usr/bin/env bash

	# 2FA Nag

	# This script allows you to nag your organisation members to turn on two factor
	# auth on GitHub. It grabs all organisation members, determines which have 2FA
	# disabled and enabled, and assigns/deassigns them from a preset issue on a
	# repository and adds comments once a week in order to nag them to do it. The
	# script should be run once per day via a cron job.

	# Configure authentication
	# Your GitHub login
	GITHUB_USER="your-github-login";
	# A personal access token for that login - must have "repo" and "read:org" access
	GITHUB_TOKEN="0123456789abcdef0123456789abcdef01234567";

	# Configure issue location
	GITHUB_OWNER="your-organisation";
	GITHUB_REPO="some-repository-in-the-organisation";
	GITHUB_ISSUE_NUMBER="1";

	# What day would you like to nag people on? "Mon", "Mon Thu", "Fri", etc...
	NAG_DAYS="Mon Thu";

	# This script requires the `jq` utility - https://stedolan.github.io/jq/
	JQ_PATH="/usr/local/bin/jq";

	# Don't touch these!
	GITHUB_AUTH=$( printf "%s:%s" $GITHUB_USER $GITHUB_TOKEN );
	GITHUB_MEMBERS_API=$( printf "https://api.github.com/orgs/%s/members" $GITHUB_OWNER );
	GITHUB_ISSUES_API=$( printf "https://api.github.com/repos/%s/%s/issues" $GITHUB_OWNER $GITHUB_REPO );

	# in_array() function
	function in_array() {
	local x;
	ENTRY=$1;
	shift 1;
	ARRAY=( "$@" );
	[ -z "${ARRAY}" ] && return 1;
	[ -z "${ENTRY}" ] && return 1;
	for x in ${ARRAY[@]};
	do
	[ "${x}" == "${ENTRY}" ] && return 0
	done
	return 1
	}

	# join_array() function
	function join_array() {
	local d=$1;
	shift;
	printf "$1";
	shift;
	printf "%s" "${@/#/$d}";
	}

	# countup() function
	function countup() {
	printf "> ";
	ITEMS=$*;
	for ITEM in $ITEMS;
	do
	sleep 0.2;
	printf ".";
	done
	printf "\\n";
	}

	LOGINS=$( curl --silent -u $GITHUB_AUTH $GITHUB_MEMBERS_API \| $JQ_PATH -r ".[] \| .login" );
	DISABLED_LOGINS=$( curl --silent -u $GITHUB_AUTH "$GITHUB_MEMBERS_API?filter=2fa_disabled" \| $JQ_PATH -r ".[] \| .login" );

	printf "===========================\\n";
	printf "Here is what's going on...\\n";
	printf "===========================\\n";
	printf "\\n";
	printf "Members without 2FA enabled\\n"
	printf -- "---------------------------\\n"
	printf "$DISABLED_LOGINS\\n";
	printf "\\n";

	# Loop thorough all logins to remove those with 2FA disabled, and create a list
	# of those with 2FA enabled.
	ENABLED_LOGINS="";
	for LOGIN in $LOGINS;
	do

	in_array "$LOGIN" "${DISABLED_LOGINS[@]}";
	if [[ $? == 0 ]];
	then
	continue;
	fi

	if [[ $ENABLED_LOGINS ]];
	then
	ENABLED_LOGINS="$ENABLED_LOGINS
	$LOGIN";
	else
	ENABLED_LOGINS="$LOGIN";
	fi
	done

	printf "Members with 2FA enabled\\n";
	printf -- "---------------------------\\n";
	printf "$ENABLED_LOGINS\\n";
	printf "\\n";

	# Remove assignment from the good people
	printf "Removing issue assignment for members with 2FA enabled:\\n";
	ENABLED_JOINED=$( join_array "\",\"" $ENABLED_LOGINS );
	DEASSIGNMENT=$( curl --silent -u $GITHUB_AUTH -H "Content-Type: application/json" -X DELETE -d "{\"assignees\":[\"$ENABLED_JOINED\"]}" "$GITHUB_ISSUES_API/$GITHUB_ISSUE_NUMBER/assignees" );

	# Pretend we are doing something
	countup $ENABLED_LOGINS;
	printf "\\n";

	# Add assignment for the bad people
	printf "Adding issue assignment for members without 2FA enabled:\\n";
	DISABLED_JOINED=$( join_array "\",\"" $DISABLED_LOGINS );
	ASSIGNMENT=$( curl --silent -u $GITHUB_AUTH -H 'Content-Type: application/json' -X POST -d "{\"assignees\":[\"$DISABLED_JOINED\"]}" "$GITHUB_ISSUES_API/$GITHUB_ISSUE_NUMBER/assignees" );

	# Pretend we are doing something
	countup $DISABLED_LOGINS;
	printf "\\n";

	# What day is it anyway?
	DAY=$( date "+%a" );

	# Write comments every nag day
	in_array "$DAY" "${NAG_DAYS[@]}";
	if [[ $? == 0 ]];
	then
	printf "Deleting current comments on the issue:\\n";
	COMMENTS=$( curl --silent -u $GITHUB_AUTH "$GITHUB_ISSUES_API/$GITHUB_ISSUE_NUMBER/comments" \| $JQ_PATH -r ".[] \| .id" );
	printf "> ";

	for COMMENT in $COMMENTS;
	do
	printf ".";
	DELETE_COMMENT=$( curl --silent -u $GITHUB_AUTH -X DELETE "$GITHUB_ISSUES_API/comments/$COMMENT" );
	done
	printf "\\n";
	printf "\\n";

	printf "Writing comments into issue for members without 2FA enabled:\\n";
	printf "> ";

	for DISABLED_LOGIN in $DISABLED_LOGINS;
	do
	printf ".";
	MESSAGE="Hi @$DISABLED_LOGIN, you still haven't got 2FA enabled on your GitHub account. Please enable it today to allow continued access to the @$GITHUB_OWNER GitHub organisation. Follow these instructions to set it up - https://help.github.com/articles/configuring-two-factor-authentication-via-a-totp-mobile-app/";
	ADD_COMMENT=$( curl --silent -u $GITHUB_AUTH -H "Content-Type: application/json" -X POST -d "{\"body\":\"$MESSAGE\"}" "$GITHUB_ISSUES_API/$GITHUB_ISSUE_NUMBER/comments" );
	done
	printf "\\n";
	printf "\\n";
	fi

	printf "===========================\\n";
	printf "All done!\\n";
	printf "===========================\\n";
	printf "\\n";
	exit 0;