gh-ssh-allowed-signers
#!/usr/bin/env bash
# Generate an SSH allowed signers file from the SSH signing keys that GitHub
# users (a single user, or every member of an organization team) have
# registered, using the `gh` CLI for all API calls.
#
# Abort on the first unhandled failing command. `set -e` does not catch every
# failure, so commands whose failure matters should still be checked explicitly.
set -e
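#######################################
# Append one allowed-signers entry per SSH signing key of a GitHub user.
# Globals:   OUTPUTFILE (read) - file the entries are appended to
# Arguments: $1 - GitHub login
# Outputs:   a progress line on stdout; one
#            "<login>@users.noreply.github.com <key>" line per key is
#            appended to OUTPUTFILE
# Returns:   non-zero if the login is rejected or `gh api` fails
#######################################
function get_user_signing_keys() {
  local USER="$1"
  local -r login_re='^[A-Za-z0-9][A-Za-z0-9_-]*$'

  # The login is spliced into a Go template and into a URL path below. Accept
  # only letters, digits, '-' and '_' so that quotes, braces, '%' or '/' in the
  # argument cannot change the template or the endpoint that is queried.
  if [[ ! "$USER" =~ $login_re ]]; then
    printf 'Error: refusing unexpected GitHub login: %q\n' "$USER" >&2
    return 1
  fi

  # Each entry is "<principal> <key>" with no options, so the key is accepted
  # for every signature namespace; the allowed signers format supports a
  # namespaces="..." option for narrowing that.
  # NOTE(review): GitHub can also issue noreply addresses of the form
  # <id>+<login>@users.noreply.github.com; commits made with that form, or with
  # a real address, would not match this principal - confirm which address
  # your committers use.
  local TEMPLATE="{{ range . }}{{ printf \"$USER@users.noreply.github.com %s\\n\" .key }}{{ end }}"

  echo "Pulling signing keys for user: $USER"
  # Quote the path and the redirect target so that an output path containing
  # spaces or glob characters is written as given.
  gh api "/users/$USER/ssh_signing_keys" --paginate --template="${TEMPLATE}" >> "$OUTPUTFILE"
}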
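# Defaults; option parsing and argument handling overwrite these.
APPEND=false                       # true: add to an existing file instead of replacing it
FORCE=false                        # true: allow an existing output file to be deleted
ORGANIZATION=                      # set when the argument is <organization>/<team>
OUTPUTFILE=~/.ssh/allowed_signers  # file the signer entries are written to
TEAM=                              # set when the argument is <organization>/<team>
USER=                              # set when the argument is a single login; note that
                                   # this reuses the name of the environment's USER variable

# Usage text printed by --help and after every error. "$0" is quoted so that a
# script path containing spaces still yields the right program name.
__USAGE="
Generate SSH allowed signers file from GitHub users.
USAGE
$(basename -- "$0") [options] <organization>/<team>
$(basename -- "$0") [options] <user>
FLAGS
-a, --append Append signing keys to existing SSH allowed signers file
-d, --debug Enable debugging
-f, --force Whether to overwrite output file if it exists
-h, --help Show this help and exit
-o, --output-file <output-file> Path to SSH allowed signers file to generate; default '$OUTPUTFILE'
"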
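#######################################
# Report a fatal error followed by the usage text, then exit.
# Globals:   __USAGE (read)
# Arguments: $1 - error message
# Outputs:   message and usage on stderr, so that diagnostics never mix with
#            data a caller captures from stdout
# Returns:   does not return; exits with status 1
#######################################
die() {
  {
    printf "\nError: %s\n" "${1-}"
    printf '%s\n' "$__USAGE"
  } >&2
  exit 1
}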
# Every GitHub API call below goes through the `gh` CLI, so stop early when no
# `gh` executable can be found on PATH.
type -p gh > /dev/null || die "'gh' could not be found"
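# Parse options. Short flags are handled by getopts directly; the "-:" entry
# makes "--name" / "--name=value" arrive as option "-" with the rest in OPTARG,
# which is then split into a long option name and its value.
while getopts "adfho:-:" OPT; do
  if [ "$OPT" = "-" ]; then   # long option: reformulate OPT and OPTARG
    OPT="${OPTARG%%=*}"       # extract long option name
    OPTARG="${OPTARG#"$OPT"}" # extract long option argument (may be empty);
                              # quoted so the name is matched literally
    OPTARG="${OPTARG#=}"      # if long option argument, remove assigning `=`
  fi
  case "$OPT" in
    append | a)
      APPEND=true
      ;;
    debug | d)
      set -x
      ;;
    force | f)
      FORCE=true
      ;;
    help | h)
      echo "$__USAGE"
      exit 0
      ;;
    output-file | o)
      # "--output-file" without "=<path>" leaves OPTARG empty; refuse it rather
      # than continue with an empty output path.
      [ -n "$OPTARG" ] || die "--output-file requires a value, e.g. --output-file=<path>"
      OUTPUTFILE="${OPTARG}"
      ;;
    \?)
      # getopts has already printed which short option it rejected.
      die "Unknown option"
      ;;
    *)
      # A mistyped long flag must not be ignored silently: the run would
      # otherwise proceed with settings the caller did not ask for.
      die "Unknown option: --${OPT}"
      ;;
  esac
done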
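# shift so that $@, $1, etc. refer to the non-option arguments
shift "$((OPTIND-1))"

# The positional argument is either "<organization>/<team>" or "<user>".
if [ -z "${1-}" ]; then
  die "Must provide organization/team or user"
elif [[ "$1" == *"/"* ]]; then
  # Split with parameter expansion rather than an unquoted `echo $1 | cut`,
  # which would let the shell glob-expand and word-split the argument first.
  # As before, the organization is the first '/'-separated field and the team
  # is the second.
  ORGANIZATION="${1%%/*}"
  TEAM="${1#*/}"
  TEAM="${TEAM%%/*}"
  if [ -z "$ORGANIZATION" ] || [ -z "$TEAM" ]; then
    die "Both organization and team are required: <organization>/<team>"
  fi
else
  USER="$1"
fi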
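# Handle situation if previous SSH allowed signers file exists.
# This file decides which keys signature verification will accept, so it should
# stay writable only by its owner.
echo "Using SSH allowed signers file: $OUTPUTFILE"
if [ "$APPEND" != true ] && [ -e "$OUTPUTFILE" ]; then
  if [ "$FORCE" != true ]; then
    die "$OUTPUTFILE exists; -f, --force will delete if exists"
  fi
  echo "Deleting existing SSH allowed signers file: $OUTPUTFILE"
  # Quoted and preceded by `--` so that a path with spaces, glob characters or
  # a leading '-' removes exactly this one file.
  # NOTE: the old file is removed before any key has been fetched, so a failed
  # fetch afterwards leaves no allowed signers file behind.
  rm -f -- "$OUTPUTFILE"
fi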
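# With no single user given, resolve the team's members and pull the keys of
# each; otherwise pull the keys of the one user.
if [ -z "${USER}" ]; then
  # GraphQL query listing team member logins, ten per page; $endCursor and
  # pageInfo are what `gh api --paginate` uses to walk the pages.
  QUERY='
query ($login: String!, $slug: String!, $endCursor: String) {
organization(login: $login) {
team(slug: $slug) {
members(first: 10, after: $endCursor, membership: ALL) {
pageInfo {
endCursor
hasNextPage
}
nodes {
login
}
}
}
}
}'
  echo "Pulling signing keys for team: $ORGANIZATION/$TEAM"
  # Fetch the member list before looping: a command substitution used directly
  # as a `for` word list hides a failing `gh` call from `set -e`, and the run
  # would end "successfully" with no keys written.
  # login/slug are passed with -f (raw string) instead of -F, so a value that
  # starts with '@' or looks like a number or boolean is sent as the literal
  # string the query's String! variables expect.
  MEMBERS=$(gh api graphql -f query="${QUERY}" -f login="$ORGANIZATION" -f slug="$TEAM" --paginate --jq '.data.organization.team.members.nodes[].login') \
    || die "Could not list members of team: $ORGANIZATION/$TEAM"
  # Read the logins on fd 3 so that nothing inside the loop can consume them
  # from stdin.
  while IFS= read -r user <&3; do
    [ -n "$user" ] || continue
    get_user_signing_keys "${user}"
  done 3<<< "$MEMBERS"
else
  get_user_signing_keys "${USER}"
fi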