Github "Direct" User Repo Access #1391
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
This is partial and not yet working. Tests and docs are not yet updated, and I haven't reviewed my own code. I am sharing it early because I wanted to ask a couple of questions, which I will share in slack soon. |
danbrauer
force-pushed
the
gh_user_repo_relationships
branch
2 times, most recently
from
170dc34 to
f94f00f
Compare
|
This should be ready for review. I do still intend to do a review of my own for typos and the like but short of stuff like that, I think this is ready. |
danbrauer
commented
Nov 22, 2024
cartography/intel/github/repos.py
Outdated
Comment on lines
23
to
32
| @dataclass(frozen=False) | ||
| class UserAffiliationAndRepoPermission: | ||
| """ | ||
| Representation of a user's permission level and affiliation to a GitHub repo. See: | ||
| - Permission: https://docs.github.com/en/graphql/reference/enums#repositorypermission | ||
| - Affiliation: https://docs.github.com/en/graphql/reference/enums#collaboratoraffiliation | ||
| """ | ||
| user: Dict | ||
| permission: str # WRITE, MAINTAIN, ADMIN, etc | ||
| affiliation: str # OUTSIDE, DIRECT |
There was a problem hiding this comment.
I was led to creating this from a similar thing done in teams.py. There, a namedtuple is used. Here, I used a dataclass. I could go back to using a namedtuple if that'd be preferred?
There was a problem hiding this comment.
Yeah let's use a namedtuple instead so that it matches
achantavy
approved these changes
Nov 23, 2024
cartography/intel/github/repos.py
Outdated
Comment on lines
23
to
32
| @dataclass(frozen=False) | ||
| class UserAffiliationAndRepoPermission: | ||
| """ | ||
| Representation of a user's permission level and affiliation to a GitHub repo. See: | ||
| - Permission: https://docs.github.com/en/graphql/reference/enums#repositorypermission | ||
| - Affiliation: https://docs.github.com/en/graphql/reference/enums#collaboratoraffiliation | ||
| """ | ||
| user: Dict | ||
| permission: str # WRITE, MAINTAIN, ADMIN, etc | ||
| affiliation: str # OUTSIDE, DIRECT |
There was a problem hiding this comment.
Yeah let's use a namedtuple instead so that it matches
Signed-off-by: Daniel Brauer <[email protected]>
Signed-off-by: Daniel Brauer <[email protected]>
Signed-off-by: Daniel Brauer <[email protected]>
Signed-off-by: Daniel Brauer <[email protected]>
Signed-off-by: Daniel Brauer <[email protected]>
Signed-off-by: Daniel Brauer <[email protected]>
Signed-off-by: Daniel Brauer <[email protected]>
danbrauer
force-pushed
the
gh_user_repo_relationships
branch
from
bbc72fa to
7be764f
Compare
|
Updated to named tuple as request. If all looks good, please merge. Otherwise, I'll be back on Tue and happy to work through whatever there is. |
|
Thank you! Including a note for future searchers: we deferred adding the data model here. See this thread for details: https://cloud-native.slack.com/archives/C080M2LRLDA/p1732137038521919 |
chandanchowdhury
pushed a commit
to chandanchowdhury/cartography
that referenced
this pull request
Nov 27, 2024
### Summary This PR adds to the Github graph, adding repo access that is granted to all users who have a 'direct' affiliation to the repo. Cartography currently [does](https://cartography-cncf.github.io/cartography/modules/github/schema.html#id6) already map some direct user repo access, but only for collaborators with an 'outside' affiliation to the repo. This PR broadens that to include all collaborators, aka anybody with a 'direct' affiliation. This follows Github's naming for these concepts, as seen [here](https://docs.github.com/en/graphql/reference/enums#collaboratoraffiliation). In case it is unclear or for people newer to Github, note: this is focusing on access users are granted directly to a repo, as opposed to via a team. Access granted via team is outside the scope of this PR. We think this is a valuable addition to the graph for a few reasons, including: 1. Our analysts want few-to-no users to be granted access directly to repos, on the thinking that managing access via teams can make access easier to automate (ie with ABAC/RBAC type logic) and to audit. Graphing direct-access, regardless of whether a user is within the org or outside it, will help highlight who to clean up. 2. Longer term, we eventually want to know, from the graph, _all_ access a user has. This PR is a step in that direction. (In a future PR, we hope to add a user-team membership relationship. Since Cartography maps team-repo access rel, we could then have a user-team-repo graph, and that would complete the picture of user access in Github.) #### Illustration of the intention  #### Screencaps **A REPO WITH OUTSIDE COLLABORATORS** BEFORE  AFTER  **A REPO WITH NON-OUTSIDE COLLABORATORS** BEFORE (no results, because these sorts of users are not graphed)  AFTER  **GENERAL COUNTS TO GIVE A SENSE OF CONNECTIONS NOW THERE** BEFORE  AFTER  ### Related issues or links None ### Checklist Provide proof that this works (this makes reviews move faster). Please perform one or more of the following: - [X] Update/add unit or integration tests. - [X] Include a screenshot showing what the graph looked like before and after your changes. - [ ] Include console log trace showing what happened before and after your changes. If you are changing a node or relationship: - [X] Update the [schema](https://github.com/lyft/cartography/tree/master/docs/root/modules) and [readme](https://github.com/lyft/cartography/blob/master/docs/schema/README.md). **N/A/** If you are implementing a new intel module: - [ ] Use the NodeSchema [data model](https://cartography-cncf.github.io/cartography/dev/writing-intel-modules.html#defining-a-node). --------- Signed-off-by: Daniel Brauer <[email protected]> Signed-off-by: chandanchowdhury <[email protected]>
cmm-lyft
reviewed
Dec 11, 2024
| def transform(repos_json: List[Dict]) -> Dict: | ||
| def transform( | ||
| repos_json: List[Dict], direct_collaborators: dict[str, List[UserAffiliationAndRepoPermission]], | ||
| outside_collaborators: dict[str, List[UserAffiliationAndRepoPermission]], |
There was a problem hiding this comment.
@achantavy this resulted in a breaking change as it is changing the signature of the function without providing a default value nor allowing to pass None as param.
Should we update this code? or this should be enforced for next versions?
There was a problem hiding this comment.
Is the breaking change in the Lyft internal deployment of cartography? If so share the stack trace with me internally. I thought I accounted for the changes; sorry, I probably missed something.
5 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR adds to the Github graph, adding repo access that is granted to all users who have a 'direct' affiliation to the repo.
Cartography currently does already map some direct user repo access, but only for collaborators with an 'outside' affiliation to the repo. This PR broadens that to include all collaborators, aka anybody with a 'direct' affiliation. This follows Github's naming for these concepts, as seen here.
In case it is unclear or for people newer to Github, note: this is focusing on access users are granted directly to a repo, as opposed to via a team. Access granted via team is outside the scope of this PR.
We think this is a valuable addition to the graph for a few reasons, including:
Illustration of the intention
Screencaps
A REPO WITH OUTSIDE COLLABORATORS
BEFORE
AFTER
A REPO WITH NON-OUTSIDE COLLABORATORS
BEFORE
(no results, because these sorts of users are not graphed)
AFTER
GENERAL COUNTS TO GIVE A SENSE OF CONNECTIONS NOW THERE
BEFORE
AFTER
Related issues or links
None
Checklist
Provide proof that this works (this makes reviews move faster). Please perform one or more of the following:
If you are changing a node or relationship:
N/A/ If you are implementing a new intel module: