Giter VIP home page Giter VIP logo

sheriff's Introduction

Sheriff: Permissions Bot

This bot, when deployed as a Heroku app and configured correctly, is capable of controlling permissions across GitHub, Slack and GSuite. It also actively monitors and alerts you to suspicious or unexpected activity on GitHub.

How It Works

Using a combination of webhooks and a YAML configuration file, Sheriff will automatically control your permissions and access controls across GitHub, Slack and GSuite. (Slack and GSuite plugins are optional and disabled by default).

It will post to a designated Slack channel every time it updates any permission setting or any time it detects potentially suspect actions including new deploy keys with write access, tag deletion or release branch deletion.

If you have an organization with a lot of repositories and/or org members using Sheriff can help ensure your organization remains secure and transparent.

Deployment

We recommend deploying this as a Heroku app (this is how Electron has deployed it), although you can use another deployment strategy if you want. There are three core components to Sheriff, all of which need to be configured for it to work:

The Webhook

Deploy the webhook to Heroku with this button ➡️ Deploy

To the run the webhook server, you need to start the main Sheriff entry point.

npm start

You then need to create a webhook for your entire organization; you can do this on your organization's GitHub webhooks page:

https://github.com/organizations/{orgname}/settings/hooks/new

You want to specify the following options:

  • Payload URL - The deployed URL of your webhook server, e.g. https://my-sheriff.mysite.com
  • Content type - application/json
  • Secret - Generate a random and secure secret here and save it for later in the configuration
  • Which events? - Choose "Send me everything"

Finally, click "Add webhook".

The GitHub App

To manage GitHub instances, Sheriff requires you to create a GitHub App that gets installed in the desired Org.

The app needs the following OAuth scopes permitted:

Org:
administration:write
contents:read
metadata:read

Repo:
members:write

Once created, you can generate and download a Private Key for the app, and supply it to Sheriff.

Before setting it as SHERIFF_GITHUB_APP_CREDS, you must pass it through a utility to change the format to what Octokit is expecting:

npx @electron/github-app-auth --creds={path-to-downloaded-private-key} --app-id={id-from-created-github-app}

The Cron Job

The actual permissions controller should be triggered every 10 minutes as a cron job. You can run this job with:

node lib/permissions/run.js --do-it-for-real-this-time

If you leave off the --do-it-for-real-this-time Sheriff will "dry run" and tell you what it would have done if you had let it run.

On Heroku you use the "Heroku Scheduler" addon to configure this cron job.

The Slack App

In order to provide realtime information on the actions Sheriff takes, we use a Slack app that sends messages to a channel. You'll need to create your own Slack App by following the instructions below.

  1. Create a new Slack app on https://api.slack.com/apps - Name it whatever you like and choose your workspace as the development workspace
  2. Go to "Incoming Webhooks" and enable it
  3. Click "Add New Webhook to Workspace" and choose the channel you want Sheriff to post in to
  4. Keep a note of the newly created Webhook URL as you'll need it later for configuration purposes.
  5. Go to "OAuth & Permissions" and add the following OAuth scopes. usergroups:read, usergroups:write, users:read and users:read:email.
  6. Follow the prompt to reinstall your app for the new OAuth scopes to take effect
  7. Keep a note of the OAuth Access Token at the top of the page as you'll need it later for configuration purposes.

Configuration

Service Config

The following environment variables represent the configuration of the actual Sheriff deployment. For the permissions.yaml reference see the Permissions File section.

Name Required Value For Plugin
PERMISSIONS_FILE_ORG ✔️ The name of the GitHub org where you put the .permissions repository
PERMISSIONS_FILE_REPO Override the default repo to look for config.yaml .permissions
PERMISSIONS_FILE_PATH Override the default filepath to look for the Sheriff config config.yaml
PERMISSIONS_FILE_REF Override the default repo branch to look for the Sheriff config main
GITHUB_WEBHOOK_SECRET ✔️ The secret for the org-wide webhook you configured earlier
SLACK_TOKEN ✔️ The token for your Slack App you created earlier
SLACK_WEBHOOK_URL ✔️ The webhook URL for your Slack App you created earlier
SHERIFF_HOST_URL ✔️ The fully qualified URL for your deployed webhook
SHERIFF_PLUGINS A comma separated list of plugins to enable. Possible plugins are gsuite and slack
SHERIFF_IMPORTANT_BRANCH A regular expression to match important branches you want to monitor for deletion
SHERIFF_GITHUB_APP_CREDS ✔️ Private key credentials generated for a GitHub App.
GSUITE_CREDENTIALS GSuite credentials gsuite
GSUITE_TOKEN GSuite authentication token gsuite
SHERIFF_GSUITE_DOMAIN The primary domain of your GSuite account gsuite slack
SHERIFF_SLACK_DOMAIN The "domain" part of {domain}.slack.com for your Slack instance gsuite if you add slack email addresses to your google groups for notifications

Permissions File

Your organization permissions are controlled through a config.yaml file stored in a .permissions repository in your GitHub organization. We keep that .permissions repository private but you can choose to keep it public if you wish. That repository needs a config.yaml file at the top level that is in the following format:

organization: <name of github org>
repository_defaults:
  # Whether repositories should have wikis enabled by default or not
  # For security reasons, you should consider defaulting this to false
  has_wiki: <boolean>
# Teams are not specific to a single platform; they are shared across GitHub, Slack and GSuite
teams:
  - name: <team name>
    # A list of members / maintainers of this GitHub team
    # Maintainer in GitHub conveys some extra permissions over the team (set description, avatar, etc.)
    members:
      - list
      - of
      - gh_usernames
    maintainers:
      - list
      - of
      - gh_usernames
    # Or don't provide members/maintainers and instead provide a list of other
    # teams to draw users from.  This doesn't set any parent/child relationship
    # rather it simply says:
    # for team of formation:
    #   self.members += team.members
    #   self.maintainers += team.maintainers
    # i.e. doing a union of members/maintainers of the formation teams to create
    # a new member list
    formation:
      - list
      - of
      - other
      - teams
    # Optional team properties
    # Human friendly display name for GSuite and Slack groups
    displayName: <string>
    # Hidden GitHub team? true=yes, false=no
    secret: <boolean>
    # Create a slack user group for this team
    # false=no, true=use name of team, string=custom_name
    # Used by the `slack` plugin
    slack: <boolean> | <string>
    # Create a GSuite group for this team
    # Leave undefined for "no"
    # Used by the `gsuite` plugin
    gsuite:
      # internal = only visible to other GSuite members
      # external = public facing group email address
      privacy: internal | external
repositories:
  - name: <repo name>
    teams:
      <team_name>: read | triage | write | maintain | admin
    external_collaborators:
      <gh_username>: read | triage | write | maintain | admin
    # Public vs Private repository, no value is assumed to mean public
    visibility: public | private

Generating your initial configuration

You can generate a permissions file for the current state of your org using the generate helper script.

node lib/permissions/generate.js

Please note you may want to edit this generated YAML file:

  • All org owners are considered maintainers of the teams they are in, this may be semantically incorrect
  • No GSuite or slack configuration is included in the generated file
  • You may want to use the formation property to declare larger teams instead of listing all members individually

However in theory running Sheriff immediately on this generated file should result in a no-op run.

Deployment Recommendations

You should have alerting set up in case the cron job fails. Occasionally, it will fail due to an unexpected state on GitHub or an incorrect/incomplete permissions file.

Known Limitations

  • Sheriff is not currently capable of inviting people to your org
    • Before adding them to the permissions file, ensure you've added them to the org.
  • Sheriff will not remove people from your org, if your has "default member permissions" you should ensure users are manually removed when appropriate

sheriff's People

Contributors

ckerr avatar codebytere avatar dependabot[bot] avatar dsanders11 avatar jeefy avatar marshallofsound avatar

Stargazers

avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar

Forkers

robertkielty

sheriff's Issues

Archive this repo to reflect migration from Sheriff to CLOWarden

Sheriff is no longer being used to manage access to repos in the CNCF Github Org.

CLOWarden has been deployed and will continue to be actively developed in order to manage CNCF org repo access.

Track archiving this repository and documenting the transition that has taken place.

Tasks
Beta Give feedback

Migrate project maintainer data over to cncf/people from maintainers.csv

Overview

Lift and shift maintainer data so that it can be used by cncf/sheriff to control access to repos in the CNCF GitHub Org.

Benefits: Maintainer Data will have a single source of truth for use in CNCF Process Automation.

Data

Source

https://github.com/cncf/foundation/blob/main/project-maintainers.csv

Destination

https://github.com/cncf/people/blob/main/people.json

Approaches

Multiple ways we could do this. Here are two suggestions. Open to hearing others.

Big bang

Write a script to process the full project-maintainer.csv file so it updates the destination files in one go (we would have to merge the data so that there were now repeats) this would generate a single PR for cncf/people

Might be hard to review (will have to gauge the overlap between both datasets)

Create a PR for each Project in maintainers.csv

Write a script to create a per-Project/Team PR. This would allow Projects and the CNCF to review the changes on a per project basis offering the opportunity to review team membership as we work through those PRs.

Migrate periodic GitHub Perm Sync job to Github Action

Presently, the periodic invocation of sheriff that applies changes to resources is run via GCP Cloud Run Job and we would like to move this to a Github Action.

Pros: More transparent, easier debugging, easier for more people to help out.
Note also: we will continue to use Cloud Run for the Webhook listener that currently listens for GH Events.

Add a PR validation check to block invalid config.yaml

Sheriff uses joi for validation of the config.yaml

Example throwing a data validation error
For the following team...

- name: cncf-tech-docs
    members:
      - nate-double-u
      - amye
      - caniszczyk
      - chalin
      - idvoretskyi
      - thisisobate

from ...
validateConfigFast around a required maintainers field.

we get the error ...

Error [ValidationError]: child "teams" fails because ["teams" at position 0 fails because [child "maintainers" fails because ["maintainers" is required]]]

run.ts

https://github.com/cncf/sheriff/blob/main/src/permissions/run.ts#L58 now

run.ts

Schema for teams is hard-coded here

src/permissions/run.ts#L91

  // Ensure the object looks right
  await Joi.validate(config, {
    organization: Joi.string().min(1).required(),
    repository_defaults: Joi.object({
      has_wiki: Joi.boolean().required(),
    }).required(),
    teams: Joi.array()
      .items({
        name: Joi.string().min(1).required(),
        displayName: Joi.string().min(1).optional(),
        parent: Joi.string().min(1).optional(),
        secret: Joi.bool().optional(),
        members: Joi.array().items(Joi.string().min(1)).min(0).required(),
        maintainers: Joi.array().items(Joi.string().min(1)).min(1).required(),
        gsuite: Joi.object({
          privacy: Joi.string().only('internal', 'external').required(),
        }).optional(),
        slack: Joi.string().min(1).allow(true).allow(false).optional(),
      })
      .required(),

Let's add this as a check so that we get that validation before the PR is merged on cncf/people

Migrate project maintainer data over to cncf/people from maintainers.csv

Overview

Lift and shift maintainer data so that it can be used by cncf/sheriff to control access to repos in the CNCF GitHub Org.

Benefits: Maintainer Data will have a single source of truth for use in CNCF Process Automation.

Data

Source

https://github.com/cncf/foundation/blob/main/project-maintainers.csv

Destination

https://github.com/cncf/people/blob/main/people.json
and
https://github.com/cncf/people/blob/main/config.yaml

Approaches

Multiple ways we could do this. Here are two suggestions. Open to hearing others.

Big bang

Write a script to process the full project-maintainer.csv file so it updates the destination files in one go (we would have to merge the data so that there were no repeats) this would generate a single PR for cncf/people

Might be hard to review (will have to gauge the overlap between both datasets)

Create a PR for each Project in maintainers.csv

Write a script to create a per-Project/Team PR. This would allow Projects and the CNCF to review the changes on a per project basis offering the opportunity to review team membership as we work through those PRs.

Manage mailing list groups via Sheriff

Add / Remove folks from existing groups
Create new groups based on team names
Default don't run, enable similar to slack plugin (groupsIO: enabled) something like that

GitHub Organization Updates

In using Sheriff, there are some organizational edits that I'd like to see or use with end user members:

  • Send organization invites to users who have yet to join.
  • Do not block Sheriff runs when users have not joined the org.
  • Remove Slack notifications for "X is not a member of the org" (we can utilize "pending invitations" instead).
  • Sheriff requires GitHub usernames to be case sensitive in the configuration. Auto-updating the PR with the correct username casing or allowing for all lowercase would be great additions.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.