Skip to content

Instantly share code, notes, and snippets.

@sambauers
Last active October 4, 2016 09:12
Show Gist options
  • Save sambauers/a4ecdabbb015bdbcfcadec2cce28a7b3 to your computer and use it in GitHub Desktop.
Save sambauers/a4ecdabbb015bdbcfcadec2cce28a7b3 to your computer and use it in GitHub Desktop.
This script allows you to nag your organisation members to turn on two factor authentication (2FA) on GitHub.
#!/usr/bin/env bash
# 2FA Nag
# This script allows you to nag your organisation members to turn on two factor
# auth on GitHub. It grabs all organisation members, determines which have 2FA
# disabled and enabled, and assigns/deassigns them from a preset issue on a
# repository and adds comments once a week in order to nag them to do it. The
# script should be run once per day via a cron job.
# Configure authentication
# Your GitHub login
GITHUB_USER="your-github-login";
# A personal access token for that login - must have "repo" and "read:org" access
GITHUB_TOKEN="0123456789abcdef0123456789abcdef01234567";
# Configure issue location
GITHUB_OWNER="your-organisation";
GITHUB_REPO="some-repository-in-the-organisation";
GITHUB_ISSUE_NUMBER="1";
# What day would you like to nag people on? "Mon", "Mon Thu", "Fri", etc...
NAG_DAYS="Mon Thu";
# This script requires the `jq` utility - https://stedolan.github.io/jq/
JQ_PATH="/usr/local/bin/jq";
# Don't touch these!
GITHUB_AUTH=$( printf "%s:%s" $GITHUB_USER $GITHUB_TOKEN );
GITHUB_MEMBERS_API=$( printf "https://api.github.com/orgs/%s/members" $GITHUB_OWNER );
GITHUB_ISSUES_API=$( printf "https://api.github.com/repos/%s/%s/issues" $GITHUB_OWNER $GITHUB_REPO );
# in_array() function
function in_array() {
local x;
ENTRY=$1;
shift 1;
ARRAY=( "$@" );
[ -z "${ARRAY}" ] && return 1;
[ -z "${ENTRY}" ] && return 1;
for x in ${ARRAY[@]};
do
[ "${x}" == "${ENTRY}" ] && return 0
done
return 1
}
# join_array() function
function join_array() {
local d=$1;
shift;
printf "$1";
shift;
printf "%s" "${@/#/$d}";
}
# countup() function
function countup() {
printf "> ";
ITEMS=$*;
for ITEM in $ITEMS;
do
sleep 0.2;
printf ".";
done
printf "\\n";
}
LOGINS=$( curl --silent -u $GITHUB_AUTH $GITHUB_MEMBERS_API | $JQ_PATH -r ".[] | .login" );
DISABLED_LOGINS=$( curl --silent -u $GITHUB_AUTH "$GITHUB_MEMBERS_API?filter=2fa_disabled" | $JQ_PATH -r ".[] | .login" );
printf "===========================\\n";
printf "Here is what's going on...\\n";
printf "===========================\\n";
printf "\\n";
printf "Members without 2FA enabled\\n"
printf -- "---------------------------\\n"
printf "$DISABLED_LOGINS\\n";
printf "\\n";
# Loop thorough all logins to remove those with 2FA disabled, and create a list
# of those with 2FA enabled.
ENABLED_LOGINS="";
for LOGIN in $LOGINS;
do
in_array "$LOGIN" "${DISABLED_LOGINS[@]}";
if [[ $? == 0 ]];
then
continue;
fi
if [[ $ENABLED_LOGINS ]];
then
ENABLED_LOGINS="$ENABLED_LOGINS
$LOGIN";
else
ENABLED_LOGINS="$LOGIN";
fi
done
printf "Members with 2FA enabled\\n";
printf -- "---------------------------\\n";
printf "$ENABLED_LOGINS\\n";
printf "\\n";
# Remove assignment from the good people
printf "Removing issue assignment for members with 2FA enabled:\\n";
ENABLED_JOINED=$( join_array "\",\"" $ENABLED_LOGINS );
DEASSIGNMENT=$( curl --silent -u $GITHUB_AUTH -H "Content-Type: application/json" -X DELETE -d "{\"assignees\":[\"$ENABLED_JOINED\"]}" "$GITHUB_ISSUES_API/$GITHUB_ISSUE_NUMBER/assignees" );
# Pretend we are doing something
countup $ENABLED_LOGINS;
printf "\\n";
# Add assignment for the bad people
printf "Adding issue assignment for members without 2FA enabled:\\n";
DISABLED_JOINED=$( join_array "\",\"" $DISABLED_LOGINS );
ASSIGNMENT=$( curl --silent -u $GITHUB_AUTH -H 'Content-Type: application/json' -X POST -d "{\"assignees\":[\"$DISABLED_JOINED\"]}" "$GITHUB_ISSUES_API/$GITHUB_ISSUE_NUMBER/assignees" );
# Pretend we are doing something
countup $DISABLED_LOGINS;
printf "\\n";
# What day is it anyway?
DAY=$( date "+%a" );
# Write comments every nag day
in_array "$DAY" "${NAG_DAYS[@]}";
if [[ $? == 0 ]];
then
printf "Deleting current comments on the issue:\\n";
COMMENTS=$( curl --silent -u $GITHUB_AUTH "$GITHUB_ISSUES_API/$GITHUB_ISSUE_NUMBER/comments" | $JQ_PATH -r ".[] | .id" );
printf "> ";
for COMMENT in $COMMENTS;
do
printf ".";
DELETE_COMMENT=$( curl --silent -u $GITHUB_AUTH -X DELETE "$GITHUB_ISSUES_API/comments/$COMMENT" );
done
printf "\\n";
printf "\\n";
printf "Writing comments into issue for members without 2FA enabled:\\n";
printf "> ";
for DISABLED_LOGIN in $DISABLED_LOGINS;
do
printf ".";
MESSAGE="Hi @$DISABLED_LOGIN, you still haven't got 2FA enabled on your GitHub account. Please enable it today to allow continued access to the @$GITHUB_OWNER GitHub organisation. Follow these instructions to set it up - https://help.github.com/articles/configuring-two-factor-authentication-via-a-totp-mobile-app/";
ADD_COMMENT=$( curl --silent -u $GITHUB_AUTH -H "Content-Type: application/json" -X POST -d "{\"body\":\"$MESSAGE\"}" "$GITHUB_ISSUES_API/$GITHUB_ISSUE_NUMBER/comments" );
done
printf "\\n";
printf "\\n";
fi
printf "===========================\\n";
printf "All done!\\n";
printf "===========================\\n";
printf "\\n";
exit 0;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment