ref: Use a bot access token to check for Github org membership #307

Merged
merged 10 commits into from
Aug 2, 2022

Conversation

@ethanhs (Contributor) commented Jul 6, 2022

The Github API for checking organization membership will only show membership for people with the "private" setting if the API call is made by a member of that organization.

Since the Github application is not a user, and thus not part of the Sentry org, we need to use a bot account's Personal Access Token to correctly check that a user is part of the Github org.

Fixes #216

NOTE: Someone with the right permissions will need to generate and add the access token to this repo's secrets.
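The status semantics behind the description above, as an added example that is not code from this repository: GitHub's `GET /orgs/{org}/members/{username}` answers 204 (member) or 404 (not a member) only when the caller is itself an org member; a non-member caller gets a 302 redirect to `/orgs/{org}/public_members/{username}`, which 404s for anyone whose membership is private. The example makes that 302 visible instead of following it, and compares it with the naive "anything but 204 is external" check. The fetch implementation is injected so it runs offline against a constructed fake; `FetchLike`, `fakeGithub`, `classifyMembershipStatus` and the sample members are this example's own, not the project's.

```typescript
// Added example (not from the getsentry repo). Status codes follow the GitHub
// REST docs for GET /orgs/{org}/members/{username}:
//   204  caller is an org member and {username} is a member (public or private)
//   404  caller is an org member and {username} is not a member
//   302  caller is NOT an org member: redirect to /public_members/{username},
//        which 404s for private members, so they look external
export type Membership =
  | { kind: 'member' }
  | { kind: 'not-member' }
  | { kind: 'unreliable'; reason: string };

// Minimal fetch-shaped interface so a fake can stand in for api.github.com.
export type FetchLike = (
  url: string,
  init: { headers: Record<string, string>; redirect: 'manual' | 'follow' },
) => Promise<{ status: number }>;

const API = 'https://api.github.com';

function membersUrl(org: string, username: string): string {
  return `${API}/orgs/${encodeURIComponent(org)}/members/${encodeURIComponent(username)}`;
}

function headersFor(token?: string): Record<string, string> {
  const h: Record<string, string> = {
    Accept: 'application/vnd.github+json',
    'User-Agent': 'org-membership-check',
  };
  if (token) h.Authorization = `Bearer ${token}`;
  return h;
}

// Pure classification of the endpoint's status. 302 means the token does not
// belong to an org member, so private members cannot be distinguished from
// outsiders; report that instead of guessing.
export function classifyMembershipStatus(status: number): Membership {
  switch (status) {
    case 204: return { kind: 'member' };
    case 404: return { kind: 'not-member' };
    case 302: return { kind: 'unreliable', reason: 'token is not an org member; private members are invisible' };
    case 401: return { kind: 'unreliable', reason: 'bad or missing credentials' };
    case 403: return { kind: 'unreliable', reason: 'forbidden (e.g. token lacks read:org or is not SSO-authorized for the org)' };
    default:  return { kind: 'unreliable', reason: `unexpected HTTP ${status}` };
  }
}

// Hardened check: call with the bot PAT and redirect: 'manual' so the 302 is seen.
export async function checkOrgMembership(
  org: string, username: string, token: string | undefined, fetchImpl: FetchLike,
): Promise<Membership> {
  const res = await fetchImpl(membersUrl(org, username), { headers: headersFor(token), redirect: 'manual' });
  return classifyMembershipStatus(res.status);
}

// The pre-fix behaviour the PR describes: follow redirects, treat non-204 as external.
export async function naiveIsMember(
  org: string, username: string, token: string | undefined, fetchImpl: FetchLike,
): Promise<boolean> {
  const res = await fetchImpl(membersUrl(org, username), { headers: headersFor(token), redirect: 'follow' });
  return res.status === 204;
}

// Constructed offline stand-in for GitHub: one org, members tagged with their
// visibility, and a predicate saying which bearer tokens belong to org members.
export function fakeGithub(
  members: Record<string, 'public' | 'private'>,
  isOrgMemberToken: (token?: string) => boolean,
): FetchLike {
  return async (url, init) => {
    const m = /\/orgs\/[^/]+\/members\/([^/?#]+)$/.exec(url);
    if (!m) return { status: 404 };
    const user = decodeURIComponent(m[1]);
    const token = init.headers.Authorization?.replace(/^Bearer /, '');
    const isMember = Object.prototype.hasOwnProperty.call(members, user);
    if (isOrgMemberToken(token)) return { status: isMember ? 204 : 404 };
    // Non-member caller: real GitHub answers 302 to /public_members/{user}.
    if (init.redirect === 'manual') return { status: 302 };
    return { status: members[user] === 'public' ? 204 : 404 };
  };
}
```

In production the fake is replaced by `globalThis.fetch` and the token by the `GH_USER_TOKEN` secret the PR adds; against the fake, `checkOrgMembership('getsentry', 'bob', 'bot-pat', fake)` returns `member` for a private member while `naiveIsMember` with no token returns `false` for the same user, which is the misclassification the PR fixes.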

@ethanhs ethanhs requested a review from chadwhitacre July 6, 2022 21:13
@ethanhs (Contributor, Author) commented Jul 6, 2022

(Also tests will fail until the secret is added)

@chadwhitacre (Member) left a review comment:

A couple initial questions.

@chadwhitacre (Member):

(Also tests will fail until the secret is added)

Why will tests fail? It looks like we didn't add tests for this functionality. Should we?

@ethanhs (Contributor, Author) commented Jul 6, 2022

Why will tests fail? It looks like we didn't add tests for this functionality. Should we?

Actually, it looks like the tests call getClient so I will need to change them. I am not sure what account to test with if I were to add a test. If I choose someone and they make their account public the test wouldn't be testing anything, and it wouldn't be noticed.

Also, without the token the API call would be unauthenticated, and I think it will return a 404 and mark everyone external.

@chadwhitacre (Member):

Here's some internal docs on available GH bots for reference.

@chadwhitacre chadwhitacre mentioned this pull request Jul 28, 2022
@chadwhitacre (Member) left a review comment:

Comments inline, mostly renaming, plus a few other questions.

ethanhs and others added 2 commits July 28, 2022 12:28
@chadwhitacre (Member) left a review comment:

Sorry, another couple questions:

  • Can we cache the user client?
  • Remove duplicate line?

Also, next step is going to be to review available bots, form an opinion about which to use here (or new one!?) for GH_USER_TOKEN, and file a Jira request with Security so we have papertrail (cc me).

Co-authored-by: Billy Vong <billyvg@users.noreply.github.com>
@chadwhitacre (Member):

I've generated a PAT for @getsentry-bot with read:org and read:user, and set it in GH_USER_TOKEN in the prod env for this repo.

@chadwhitacre (Member):

I've gained access to the Google account for @getsentry-bot, and I've configured SSO to authorize the PAT for use with the org. I believe this is ready to deploy! 👍

@ethanhs ethanhs merged commit 1effa7c into main Aug 2, 2022
@ethanhs ethanhs deleted the ethanhs/checkprivmembers branch August 2, 2022 16:05
@chadwhitacre (Member) commented Aug 3, 2022

Confirmed working, I am seeing @antonpirker start to show up in company vs. community. 👍 😉

Linked issue closed by this pull request: Bot does not see private org members (#216)