feat: Add a tool to audit github users.

Compare the currently active github users with those that we expect based on entries in the salesforce CSV.
openedx · Sep 25, 2023 · 25658a5 · 25658a5
1 parent cdedcaf
commit 25658a5
Show file tree

Hide file tree

Showing 6 changed files with 139 additions and 0 deletions.
diff --git a/edx_repo_tools/audit_gh_users/README.rst b/edx_repo_tools/audit_gh_users/README.rst
@@ -0,0 +1,43 @@
+Audit GitHub Users
+##################
+
+This script will compare the list of users in a github org against a list of
+users in a CSV and tell you which github users are not listed in the CSV.
+
+CSV Location and Format
+***********************
+
+The CSV is expected to be in a GitHub repo and it should contain a column name
+"GitHub Username" that contains a GitHub username.
+
+Usage
+*****
+
+You will need a GH pesonal access token with the following scopes:
+
+* read:org
+* repo
+
+First, set up repo-tools as described in `the root README <../../README.rst>`_.
+There are a few ways to do this; one way is::
+
+  export GITHUB_TOKEN="$(pass github-token)"  # assumes you have passwordstore.org
+
+  python3 -m venv venv
+  . venv/bin/activate
+  pip install -e .[repo_checks]
+
+Then, run the script::
+
+  audit_users
+
+Contributing
+************
+
+* Make changes on your branch.
+
+* CI will run tests for you, but not linting, so ensure your changes don't break pylint: ``pylint edx_repo_tools/audit_users``.
+
+* Ping ``#ask-axim`` for review.
+
+* Once approved, apply and merge (non-Axim engineers: ask your Axim reviewer to do this part for you).
diff --git a/edx_repo_tools/audit_gh_users/__init__.py b/edx_repo_tools/audit_gh_users/__init__.py
diff --git a/edx_repo_tools/audit_gh_users/audit_users.py b/edx_repo_tools/audit_gh_users/audit_users.py
@@ -0,0 +1,72 @@
+"""
+Audit github users in an org.  Comparing the list of users to those in a CSV.
+
+See the README for more info.
+"""
+
+import base64
+import csv
+import io
+from itertools import chain
+import click
+from ghapi.all import GhApi, paged
+
+
+@click.command()
+@click.option(
+    "--github-token",
+    "_github_token",
+    envvar="GITHUB_TOKEN",
+    required=True,
+    help="A github personal access token.",
+)
+@click.option(
+    "--org",
+    "org",
+    default="openedx",
+    help="The github org that you wish check.",
+)
+@click.option(
+    "--csv-repo",
+    "csv_repo",
+    default="openedx-webhooks-data",
+    help="The github repo that contains the CSV we should compare against.",
+)
+@click.option(
+    "--csv-path",
+    "csv_path",
+    default="salesforce-export.csv",
+    help="The path in the repo to the csv file. The file should contain a 'GitHub Username' column.",
+)
+def main(org, _github_token, csv_repo, csv_path):
+    """
+    Entry point for command-line invocation.
+    """
+    api = GhApi()
+
+    # Get all github users in the org.
+    current_org_users = [
+        member.login
+        for member in chain.from_iterable(
+            paged(api.orgs.list_members, org, per_page=100)
+        )
+    ]
+
+    # Get all github usernames from openedx-webhooks-data/salesforce-export.csv
+    csv_file = io.StringIO(
+        base64.decodebytes(
+            api.repos.get_content(org, csv_repo, csv_path).content.encode()
+        ).decode("utf-8")
+    )
+    reader = csv.DictReader(csv_file)
+    csv_github_users = [row["GitHub Username"] for row in reader]
+
+    # Find all the people that are in the org but not in sales force.
+    extra_org_users = set(current_org_users) - set(csv_github_users)
+
+    # List the users we need to investigate
+    print("\n".join(sorted(extra_org_users)))
+
+
+if __name__ == "__main__":
+    main()  # pylint: disable=no-value-for-parameter
diff --git a/edx_repo_tools/audit_gh_users/extra.in b/edx_repo_tools/audit_gh_users/extra.in
@@ -0,0 +1,4 @@
+-c ../../requirements/constraints.txt
+
+click
+ghapi
diff --git a/edx_repo_tools/audit_gh_users/extra.txt b/edx_repo_tools/audit_gh_users/extra.txt
@@ -0,0 +1,19 @@
+#
+# This file is autogenerated by pip-compile with Python 3.8
+# by the following command:
+#
+#    make upgrade
+#
+click==8.1.7
+    # via -r edx_repo_tools/repo_checks/extra.in
+fastcore==1.5.29
+    # via ghapi
+ghapi==1.0.4
+    # via -r edx_repo_tools/repo_checks/extra.in
+packaging==23.1
+    # via
+    #   fastcore
+    #   ghapi
+
+# The following packages are considered to be unsafe in a requirements file:
+# pip
diff --git a/setup.py b/setup.py
@@ -87,6 +87,7 @@ def is_requirement(line):
             'add_common_constraint = edx_repo_tools.add_common_constraint:main',
             'add_dependabot_ecosystem = edx_repo_tools.dependabot_yml:main',
             'add_django32_settings = edx_repo_tools.codemods.django3.add_new_django32_settings:main',
+            'audit_users = edx_repo_tools.audit_gh_users.audit_users:main',
             'clone_org = edx_repo_tools.dev.clone_org:main',
             'conventional_commits = edx_repo_tools.conventional_commits.commitstats:main',
             'find_dependencies = edx_repo_tools.find_dependencies.find_dependencies:main',