Skip to content

Add github_organization_credential_authorization table#552

Open
Kanthi-Hegde wants to merge 2 commits into
turbot:mainfrom
Kanthi-Hegde:add-org-credential-authorization-table
Open

Add github_organization_credential_authorization table#552
Kanthi-Hegde wants to merge 2 commits into
turbot:mainfrom
Kanthi-Hegde:add-org-credential-authorization-table

Conversation

@Kanthi-Hegde

Copy link
Copy Markdown

Description

The plugin currently has no way to query classic personal access tokens (PATs) that members have authorized against an organization. This PR adds a new github_organization_credential_authorization table to close that gap.

It wraps GitHub's List SAML SSO authorizations for an organization REST API (GET /orgs/{org}/credential-authorizations), which is the only API GitHub exposes for classic PATs at the org level. The same endpoint also returns authorized SSH keys, distinguishable via the credential_type column.

What's included

  • New table: github_organization_credential_authorization
  • Registration in plugin.go
  • Docs page with usage guide, required permissions, and example queries

Columns

login, credential_id, token_last_eight, scopes, credential_type, credential_authorized_at, credential_accessed_at, authorized_credential_id, authorized_credential_note, authorized_credential_expires_at, authorized_credential_title, fingerprint.

Notes

  • The organization qualifier is required.
  • This endpoint requires an organization owner token (admin:org) and is only available for organizations on GitHub Enterprise Cloud with SAML SSO enabled; other orgs return no rows. A 403/404 is treated as an empty result, consistent with other org-scoped tables in this plugin.

@cbruno10 cbruno10 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Kanthi-Hegde Thanks for raising this PR! I've left a few minor suggestions.

Also, can you please share the results of the example queries (just for postgres is fine) in a PR comment so we can see the shape of real results? Thanks!

KeyColumns: []*plugin.KeyColumn{
{Name: "organization", Require: plugin.Required},
},
ShouldIgnoreError: isNotFoundError([]string{"404", "403"}),

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason we are ignoring 403 errors? I think ignoring these by default for the table is usually not desired behaviour, as the user wouldn't be aware of missing permissions.

org := d.EqualsQuals["organization"].GetStringValue()

// Empty check
if org == "" {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we ever hit this if organization is a required qual for queries?


The `github_organization_credential_authorization` table provides insights into the classic personal access tokens authorized against a GitHub organization. As a security or compliance engineer, use this table to inventory the classic PATs that can reach your organization's resources, review the scopes they have been granted, and identify tokens that are stale, never used, or approaching expiration. The same endpoint also returns authorized SSH keys, which can be distinguished using the `credential_type` column.

To query this table, the credential must be created under an organization owner. Classic personal access tokens require the `admin:org` scope (specifically `read:org`).

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
To query this table, the credential must be created under an organization owner. Classic personal access tokens require the `admin:org` scope (specifically `read:org`).
To query this table, the credential must be created under an organization owner. Classic personal access tokens require the `admin:org` scope.

From what I can see in GitHub's docs, the token needs admin:org specifically. Is there a reason to mention read:org though?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants