[WIP] feat: support for supplying github repos to be excluded from all acce…

github_access/access.py

@@ -5,6 +5,7 @@
     get_org,
     get_org_invite,
     get_org_repo_list,
+    get_repo_blacklist,
     get_repo,
     get_user,
     grant_access,
@@ -77,7 +78,14 @@ def approve(
                 error_message = constants.REPO_NOT_FOUND % label["repository"]
                 return_value = False
             else:
-                if return_value and grant_access(
+                # Verify that the repository is not in the blacklist
+                blacklisted_repos = set(get_repo_blacklist())
+
+                if label["repository"] in blacklisted_repos:
+                    logger.error(constants.REPO_BLACKLISTED, label["repository"])
+                    error_message = constants.REPO_BLACKLISTED % label["repository"]
+                    return_value = False
+                elif return_value and grant_access(
                     label["repository"], label["access_level"], user_name
                 ):
                     logger.debug(
@@ -199,10 +207,20 @@ def fetch_access_request_form_path(self):
         return "github_access/access_request_form.html"
 
     def access_request_data(self, request, is_group=False):
-        repo_data = [repo for repo in get_org_repo_list()]
-        data = {"githubRepoList": repo_data}
+        repo_data = get_org_repo_list()
+        filtered_repo_data = self.__exclude_blacklisted_repos(repo_data)
+        data = {"githubRepoList": filtered_repo_data}
         return data
 
+    def __exclude_blacklisted_repos(self, repo_data):
+        blacklisted_repos = set(get_repo_blacklist())
+        if not blacklisted_repos:
+            return repo_data
+
+        filtered_repo_data = [repo for repo in repo_data if repo not in blacklisted_repos]
+        logger.debug(f"Filtered out {len(repo_data) - len(filtered_repo_data)} blacklisted repositories")
+        return filtered_repo_data
+
     def fetch_access_approve_email(self, request, data):
         context_details = {
             "approvers": {

github_access/config.json.sample

@@ -1,5 +1,6 @@
 {
   "GITHUB_TOKEN": "test-token",
   "GITHUB_BASE_URL": "https://api.github.com",
-  "GITHUB_ORG": "browserstack"
+  "GITHUB_ORG": "browserstack",
+  "GITHUB_REPO_BLACKLIST": []
 }

github_access/constants.py

@@ -2,6 +2,7 @@
 INVITE_USER_SUCCESS = "Invited user %s to join github org. Access can be granted post inivation acceptance."
 INVITE_USER_FAILED = "Failed to add user %s to github org"
 REPO_NOT_FOUND = "Repository %s does not exist"
+REPO_BLACKLISTED = "Repository %s is blacklisted. Access cannot be granted."
 GRANT_ACCESS_FAILED = "Failed to grant access to user %s for repo %s"
 REVOKE_REQUEST = "Revoke Request: %s for %s"
 REVOKE_SUCCESS = "Successfully revoked access for user %s to %s repository."

github_access/helpers.py

@@ -219,6 +219,11 @@ def get_org_repo_list():
     return []
 
 
+def get_repo_blacklist():
+    config = _get_github_config()
+    return config.get("GITHUB_REPO_BLACKLIST", [])
+
+
 def revoke_access(username, repo=None):
     return _revoke_github_user(username, repo)