From 5a20896b65b34e409e72c4e7d77c0f34b8cd43aa Mon Sep 17 00:00:00 2001
From: Shirish Kamath
Date: Mon, 24 Mar 2025 10:59:07 +0530
Subject: [PATCH] feat: support for supplying github repos to be excluded from all access-approve
---
 github_access/access.py | 24 +++++++++++++++++++++---
 github_access/config.json.sample | 3 ++-
 github_access/constants.py | 1 +
 github_access/helpers.py | 5 +++++
 4 files changed, 29 insertions(+), 4 deletions(-)
diff --git a/github_access/access.py b/github_access/access.py
index b98ff50..f9eccd3 100644
--- a/github_access/access.py
+++ b/github_access/access.py
@@ -5,6 +5,7 @@
 get_org,
 get_org_invite,
 get_org_repo_list,
+ get_repo_blacklist,
 get_repo,
 get_user,
 grant_access,
@@ -77,7 +78,14 @@ def approve(
 error_message = constants.REPO_NOT_FOUND % label["repository"]
 return_value = False
 else:
- if return_value and grant_access(
+ # Verify that the repository is not in the blacklist
+ blacklisted_repos = set(get_repo_blacklist())
+
+ if label["repository"] in blacklisted_repos:
+ logger.error(constants.REPO_BLACKLISTED, label["repository"])
+ error_message = constants.REPO_BLACKLISTED % label["repository"]
+ return_value = False
+ elif return_value and grant_access(
 label["repository"], label["access_level"], user_name
 ):
 logger.debug(
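Review bot: The new check in `approve` compares `label["repository"]` with the configured names by exact string match, so the deny-list only holds when both sides are spelled identically. GitHub resolves repository names case-insensitively, so if `get_repo` accepts a differently cased name (its body is not visible here) such a request would pass this check. The list filter in the later `access_request_data` hunk uses the same exact match. Normalising both sides closes the gap: `blacklisted_repos = {name.casefold() for name in get_repo_blacklist()}` and `if label["repository"].casefold() in blacklisted_repos:`. The body of `approve` starts and ends outside the hunk, so whether the config lookup can be hoisted out of the per-label branch cannot be judged from here.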
@@ -199,10 +207,20 @@ def fetch_access_request_form_path(self): return "github_access/access_request_form.html" def access_request_data(self, request, is_group=False): - repo_data = [repo for repo in get_org_repo_list()] - data = {"githubRepoList": repo_data} + repo_data = get_org_repo_list() + filtered_repo_data = self.__exclude_blacklisted_repos(repo_data) + data = {"githubRepoList": filtered_repo_data} return data + def __exclude_blacklisted_repos(self, repo_data): + blacklisted_repos = set(get_repo_blacklist()) + if not blacklisted_repos: + return repo_data + + filtered_repo_data = [repo for repo in repo_data if repo not in blacklisted_repos] + logger.debug(f"Filtered out {len(repo_data) - len(filtered_repo_data)} blacklisted repositories") + return filtered_repo_data + def fetch_access_approve_email(self, request, data): context_details = { "approvers": { diff --git a/github_access/config.json.sample b/github_access/config.json.sample index b8b1a7b..f3fca9a 100644 --- a/github_access/config.json.sample +++ b/github_access/config.json.sample @@ -1,5 +1,6 @@ { "GITHUB_TOKEN": "test-token", "GITHUB_BASE_URL": "https://api.github.com", - "GITHUB_ORG": "browserstack" + "GITHUB_ORG": "browserstack", + "GITHUB_REPO_BLACKLIST": [] } diff --git a/github_access/constants.py b/github_access/constants.py index 66aac2d..0cf3d78 100644 --- a/github_access/constants.py +++ b/github_access/constants.py @@ -2,6 +2,7 @@ INVITE_USER_SUCCESS = "Invited user %s to join github org. Access can be granted post inivation acceptance." INVITE_USER_FAILED = "Failed to add user %s to github org" REPO_NOT_FOUND = "Repository %s does not exist" +REPO_BLACKLISTED = "Repository %s is blacklisted. Access cannot be granted." GRANT_ACCESS_FAILED = "Failed to grant access to user %s for repo %s" REVOKE_REQUEST = "Revoke Request: %s for %s" REVOKE_SUCCESS = "Successfully revoked access for user %s to %s repository." 
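Review bot: In the `access_request_data` hunk of access.py, `__exclude_blacklisted_repos` has no docstring, and nothing states that it only trims the list shown in the request form while the actual refusal lives in `approve`. A docstring such as `"""Return repo_data without blacklisted repositories; display-only, approve() enforces the blacklist."""` would keep a later reader from treating this filter as the control. The double leading underscore also triggers name mangling, which the helper does not appear to need; `_exclude_blacklisted_repos` is the usual spelling. `repo not in blacklisted_repos` assumes the items returned by `get_org_repo_list()` are plain name strings, which this hunk does not show; the enclosing class starts outside the hunk.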
diff --git a/github_access/helpers.py b/github_access/helpers.py index 4a99701..f088dfb 100644 --- a/github_access/helpers.py +++ b/github_access/helpers.py @@ -219,6 +219,11 @@ def get_org_repo_list(): return [] +def get_repo_blacklist(): + config = _get_github_config() + return config.get("GITHUB_REPO_BLACKLIST", []) + + def revoke_access(username, repo=None): return _revoke_github_user(username, repo)
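Review bot: `get_repo_blacklist` returns whatever `GITHUB_REPO_BLACKLIST` holds without checking its type, and both callers in access.py wrap the result in `set(...)`. A string value would be split into single characters and no longer match the intended repository, and a JSON `null` would raise `TypeError` inside `approve`, so a malformed deny-list either fails open or breaks approval. Validating here keeps the failure visible: `blacklist = config.get("GITHUB_REPO_BLACKLIST") or []` followed by `if not isinstance(blacklist, list): raise ValueError("GITHUB_REPO_BLACKLIST must be a list of repository names")`. A one-line docstring stating the expected entry format (bare name or `org/name`) would also help whoever fills in the config.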