bin/check-user-2fa.rb
#! /usr/bin/env ruby
#
# check-user-2fa.rb
#
# DESCRIPTION:
# Interacts with Github API to generate metrics about repo.
#
# OUTPUT:
#
# PLATFORMS:
# All
#
# DEPENDENCIES:
# gem: sensu-plugin
# gem: rest-client
# gem: json
#
# USAGE:
#
#
# NOTES:
#
#
# LICENSE:
# Copyright 2015 Yieldbot, devops@yieldbot.com
# Released under the same terms as Sensu (the MIT license); see LICENSE
# for details.
#
require 'sensu-plugin/check/cli'
require 'rest-client'
require 'json'
$LOAD_PATH.unshift([File.expand_path(File.dirname(__FILE__)), '..', 'lib'].join('/'))
require 'sensu-plugins-github'
class CheckUser2FA < Sensu::Plugin::Check::CLI
option :api,
short: '-a URL',
long: '--api URL',
description: 'Github API URL',
default: 'https://api.github.com'
option :token,
short: '-t TOKEN',
long: '--token TOKEN',
description: 'Github OAuth Token',
default: SensuPluginsGithub::Auth.acquire_git_token
option :org,
short: '-o ORG',
long: '--org ORG',
description: 'Github Org',
required: true
option :exclude,
short: '-x E',
long: '--exclude-list EXCLUDE_LIST',
proc: proc { |a| a.split(/[,;]\s*/) },
description: 'List of users to exclude'
def api_request(resource, api, token) #rubocop:disable all
endpoint = api + resource
request = RestClient::Resource.new(endpoint, timeout: 30)
headers = {}
headers[:Authorization] = "token #{token}"
JSON.parse(request.get(headers), symbolize_names: true)
rescue RestClient::ResourceNotFound
warning "Resource not found (or not accessible): #{resource}"
rescue Errno::ECONNREFUSED
warning 'Connection refused'
rescue RestClient::RequestFailed => e
# #YELLOW Better handle github rate limiting case
# (with data from e.response.headers)
warning "Request failed: #{e.inspect}"
rescue RestClient::RequestTimeout
warning 'Connection timed out'
rescue RestClient::Unauthorized
warning 'Missing or incorrect Github API credentials'
rescue JSON::ParserError
warning 'Github API returned invalid JSON'
end
def run
# List to hold users who do not have 2FA
user_list = []
exclude_list = config[:exclude] || ''
data = api_request("/orgs/#{config[:org]}/members?filter=2fa_disabled", @config[:api], @config[:token])
data.each do |d|
user_list << d[:login] unless exclude_list.include?(d[:login])
end
critical("The following users don't have 2FA enabled: #{user_list}") unless user_list == []
ok
end
end