Merge pull request #22 from arnica-ext/checkin-real-code

Checkin real code

Author: nir-valtman

.gitignore

@@ -1,5 +1,6 @@
 # 
 local_repos/
+public_repos/
 
 # Byte-compiled / optimized / DLL files
 __pycache__/

.vscode/settings.json

@@ -0,0 +1,5 @@
+{
+    "cSpell.words": [
+        "gitgoat"
+    ]
+}

config.yaml

@@ -12,24 +12,55 @@ base_headers:
 ## Organization names to run GitGoat on.
 org_names:
   - GitGoat-Demo
-
-
+  
+  
 ## Repo names to generate
 repo_names:
   - Echinacea
-  - Lavender
+  - Acai
+  - Peppermint
+  - Lavender     
   - Chamomile
   - Calendula
   - Tarragon
   - Ginger
   - Wasabi
-  - Peppermint
-  - Acai
+  
+## Public repo name mapping to private repo names.
+## This setting is used to generate as much as realistic commits as in other repos based on the "days_since_last_commit" setting in the members section below.
+repo_names_mapping_to_public_repos:
+  Acai:
+    org: hardik05
+    repo: Damn_Vulnerable_C_Program
+  Echinacea:
+    org: arnica-ext
+    repo: GitGoat
+  Chamomile:
+    org: bridgecrewio
+    repo: terragoat
+  Calendula:
+    org: WebGoat
+    repo: WebGoat
+  Tarragon:
+    org: appsecco
+    repo: dvna
+  Ginger:
+    org: madhuakula
+    repo: kubernetes-goat
+  Wasabi:
+    org: cider-security-research
+    repo: cicd-goat
+  Peppermint:
+    org: deepfence
+    repo: SecretScanner
+  Lavender:
+    org: OWASP
+    repo: railsgoat
 
 ## Specific configurations per repo (optional).
 ### "branch_protection" means the policy is enabled in the main branch
 ### "branch_protection_restirctions" define who can push to the protected branch. A team name is specified by the prefix, e.g. the team "Lavender-push" should be included as "push".
-### "codeowners" configure the codeowners file definitions. The possible paths are '' (root), './github'. or '/docs'. The patterns and users/teams associations are in the codeowners documentations on GitHub, but the name of the teams should include only the postfixes (as explained above).
+### "codeowners" configure the codeowners file definitions. The possible paths are '' (root), '.github/' or 'docs/'. The patterns and users/teams associations are in the codeowners documentations on GitHub, but the name of the teams should include only the postfixes (as explained above).
 ### "actions_enabled" means that the repo has GitHub Action enabled
 ### "allowed_actions" defines the scope of the allowed actions. The options are "all", "selected" or "local_only". It is applicable only if "actions_enabled" is true.
 ### "verified_allowed_actions" defined if verified actions (not neccesarily owned by GitHub) are allowed. It is applicable only if "actions_enabled" is true.
@@ -219,7 +250,6 @@ members:
     login: miker-gg
     email: miker@@gitgoat.tools
     token: xA6DOQRPkmo6wuP5GUfSJCl6u7H3si2a6AFc
-    gitgoat_repo_permission: push
     member_of_groups:
       - Lavender-push
       - Calendula-triage
@@ -236,7 +266,6 @@ members:
     login: archiet-gg
     email: archiet@gitgoat.tools
     token: EbcLokhBwUKnN5WmJz6eOwiXN0sFC04UxDIs
-    gitgoat_repo_permission: admin
     member_of_groups:
       - Echinacea-admin
       - Echinacea-push
@@ -271,7 +300,7 @@ members:
       - repo: Ginger
         days: 100
         branch: feature_G01
-        create_pr: True
+        create_pr: False
       - repo: Wasabi
         days: 25
         branch: feature_W01
@@ -289,7 +318,6 @@ members:
     login: billdp-gg
     email: billdp@gitgoat.tools
     token: Nk6u8zQjI5o1CX9QWNuY4VOpmGIo452GEq2T
-    gitgoat_repo_permission: maintain
     member_of_groups:
       - Echinacea-push
       - Echinacea-pull
@@ -340,7 +368,7 @@ members:
     login: codeyf-gg
     email: codeyf@gitgoat.tools
     token: B81U7smn2ScvPp7nfDXj7RNpTBZvk90tYwiN
-    gitgoat_repo_permission: push
+
     member_of_groups:
       - Echinacea-pull
       - Lavender-push
@@ -354,7 +382,7 @@ members:
       - Peppermint-push
     days_since_last_commit:
       - repo: Lavender
-        days: 101
+        days: 10
         branch: feature_L03
         create_pr: True
       - repo: Chamomile
@@ -368,13 +396,13 @@ members:
       - repo: Calendula
         days: 95
         branch: feature_C03
-        create_pr: True
+        create_pr: False
       - repo: Tarragon
         days: 93
         branch: main
         create_pr: False
       - repo: Ginger
-        days: 100
+        days: 10
         branch: feature_G03
         create_pr: True
       - repo: Wasabi
@@ -391,7 +419,6 @@ members:
     login: debu-gg
     email: debu@gitgoat.tools
     token: NSWR5qmC4g9Cx8Y8yXzQE4kzUmBYWf16ZTsF
-    gitgoat_repo_permission: triage
     member_of_groups:
       - Echinacea-pull
       - Chamomile-pull
@@ -402,4 +429,4 @@ members:
       - repo: Acai
         days: 100
         branch: feature_A03
-        create_pr: True
+        create_pr: False

requirements.txt

@@ -3,4 +3,5 @@ Faker
 requests
 pyyaml
 coloredlogs
-tqdm
+tqdm
+pygit2

run.py

@@ -7,7 +7,6 @@
 from src.commit import Commit
 from src.members import Membership
 from src.pull_request import PullRequest
-from src.direct_permissions import DirectPermission
 from src.branch import Branch
 from src.codeowners import CodeOwners
 from src.secrets import Secrets
@@ -28,26 +27,28 @@ async def mock(config_file: str, orgs: list = []):
         await accept_invitations(config, org)
         logging.info('----- Creating Teams -----')
         await create_teams(config, org)
-        logging.info('----- Granting Direct Permissions -----')
-        await add_direct_permissions(config, org)
         logging.info('----- Creating Commits and Pull Requests -----')
         await create_commits(config, org, secrets)
         logging.info('----- Reviewing Pull Requests -----')
         await review_pull_requests(config, org)
         logging.info('----- Merging Pull Requests -----')
         await merge_pull_requests(config, org)
-        logging.info('----- Configuring Branch Protection -----')
-        await configure_branch_protection(config, org)
         logging.info('----- Configuring CODEOWNERS -----')
         await configure_codeowners(config, org)
+        logging.info('----- Configuring Branch Protection -----')
+        await configure_branch_protection(config, org)
 
 async def create_repos(config, org):
     r = Repository(org, config.filename) 
     await r.delete_existing_repos()
     for repo_name in tqdm(config.repo_names, desc='Repos'):
-        await r.create(repo_name)
-    logging.info(f'Cloning GitGoat and pushing to org {org}.')
-    await r.clone_gitgoat()
+        if repo_name in config.repo_names_mapping_to_public_repos:
+            await r.create(repo_name, auto_init = False)
+            await r.clone_public_repo(config.repo_names_mapping_to_public_repos[repo_name]['org'], config.repo_names_mapping_to_public_repos[repo_name]['repo'])
+            logging.debug(f'Cloned {config.repo_names_mapping_to_public_repos[repo_name]["repo"]} to org {org} and repo {repo_name}.')
+        else:
+            await r.create(repo_name, auto_init = True)
+            logging.debug(f'Created {repo_name} in org {org}.')
 
 async def create_teams(config, org):
     t = Team(org, config.filename)
@@ -84,12 +85,6 @@ async def accept_invitations(config, org):
         token =  member['token'] if 'ghp_' in member['token'] else 'ghp_' + member['token']
         await m.accept_invitation_to_org(token)
 
-async def add_direct_permissions(config, org):
-    dp = DirectPermission(org, config.filename)
-    for member in tqdm(config.members, desc='Direct Permission'):
-        if 'gitgoat_repo_permission' in member:
-            await dp.add_repository_permission('GitGoat',member['login'],member['gitgoat_repo_permission'])
-
 async def setup_actions(config, org):
     a = Actions(org, config.filename)
     await a.enable_selected_repositories_in_org()
@@ -111,12 +106,9 @@ async def setup_actions(config, org):
             await a.enable_selected_actions_in_repo(actions_enabled_repo, verified_allowed=config.repo_configs[actions_enabled_repo]['verified_allowed_actions'])
 
 async def configure_codeowners(config, org):
-    r = Repository(org, config.filename)
     for repo_name in tqdm(config.repo_names, desc='CODEOWNERS'):
-        repo = await r.clone(repo_name, 'GitGoat', Config.get_pat(), 'GitGoat@gitgoat.tools')
-        co = CodeOwners(org,repo_name, repo, config.filename)
-        filename = await co.generate_file()
-        await co.push_file(filename)
+        co = CodeOwners(org,repo_name, config.filename)
+        await co.generate_codeowners()
 
 async def configure_branch_protection(config, org):
     b = Branch(org, config.filename)
@@ -136,13 +128,13 @@ async def create_commits(config, org, secrets):
     for member in config.members:
         token =  member['token'] if 'ghp_' in member['token'] else 'ghp_' + member['token']
         for commit_details in tqdm(member['days_since_last_commit'], desc=f'Commits for {member["login"]}'):
-            repo = await r.clone(commit_details['repo'], member['login'], token, member['email'], commit_details['branch'])
-            c = Commit(repo, secrets)
+            c = Commit(secrets, token, config.filename)
+            sha = await c.get_branch_hash(org, commit_details['repo'], commit_details['branch'])
             add_secret = False
             if 'commit_secrets_in_repositories' in member and commit_details['repo'] in member['commit_secrets_in_repositories']:
                 add_secret = True
-            c.generate_commits(25, commit_details['days'], commit_secret = add_secret)
-            if commit_details['create_pr']:
+            await c.generate_random_commits(org, commit_details['repo'], commit_details['branch'], sha, 15, commit_details['days'], add_secret)
+            if commit_details['create_pr'] and commit_details['branch'] != 'main':
                 await pr.create_pull_request(token, commit_details['repo'], commit_details['branch'])
 
 async def review_pull_requests(config, org):
@@ -225,7 +217,25 @@ def is_member_allowed_to_merge(config, member, repo):
             return True
     return False
 
+def print_banner():
+    print('''
+         _____  _  _    _____                _        _            
+        |  __ \(_)| |  |  __ \              | |      | |           
+        | |  \/ _ | |_ | |  \/  ___    __ _ | |_     | |__   _   _ 
+        | | __ | || __|| | __  / _ \  / _` || __|    | '_ \ | | | |
+        | |_\ \| || |_ | |_\ \| (_) || (_| || |_     | |_) || |_| |
+         \____/|_| \__| \____/ \___/  \__,_| \__|    |_.__/  \__, |
+         ___                      _               ___         __/ |
+        |  _|                    (_)             |_  |       |___/ 
+        | |    __ _  _ __  _ __   _   ___   __ _   | |             
+        | |   / _` || '__|| '_ \ | | / __| / _` |  | |             
+        | |  | (_| || |   | | | || || (__ | (_| |  | |             
+        | |_  \__,_||_|   |_| |_||_| \___| \__,_| _| |             
+        |___|                                    |___|                                                                                                                
+          ''')
+
 if __name__ == '__main__':
+    print_banner()
     try:
         if sys.argv[sys.argv.index("--config")+1].startswith('--'):
             raise