Currently there are specific tasks within GitHub that require the "Owner" permission. We would like to avoid individuals having long standing super-user permissions on their user. This app will enable users to operate as normal member level permissions for the majority of their tasks, only assuming the "Owner" level permissions when they require them. This will also provide an audit of when these permissions are assumed and the reason that they are assumed for.
This app will monitor for an issue being created requesting for the creator to be elevated to an Owner of the GitHub Organization. This user should be from a specific GitHub Team, and when another member of that team responds with "approved" or some other positive response, the app will update the user to "Owner". After a set period of time the app should demote the user back to a normal permission level.
There are a few steps to configure the organisation to facilitate this app.
Clone the repository
git clone https://github.com/nhs-england-tools/github-permissions-elevation.git
cd nhs-england-tools/github-permissions-elevation
To run locally it is assumed that you have Python 3.12 installed.
sudo add-apt-repository ppa:deadsnakes/ppa
sudo apt install python3.12
sudo apt install python3.12-venv
This team is for your trusted users to be members of. Members of this team will be able to request to be elevated to an Owner and will be able to approve requests to be elevated to Owner. From the organisation page in GitHub navigate to Teams
- Create a new team
- set the Team name to
can escalate to become an owner
- Set Team visibility to
Secret
- Ensure that Team notifications are set to
Enabled
- Click the button to
Create team
- Add the appropriate team members to this team
The app should only be notified when new issues are created on specific repositories, namely we want a dedicated repository that org Owners can use to request elevation. Therefore, in your target Org create a new repository called ElevateMeToOwner
this should be a Private repository that can only be accessed by the team created above.
Create a GitHub App with the necessary permissions to manage organization members and read issues. Install the app in your GitHub organization.
- Navigate to your GitHub User
- In the left hand navigation select "Developer Settings"
- Under GitHub Apps select the "New GitHub App" button.
- Provide the Apps name as
ElevateMeToOwner
- In the Write text box provide some information about the app.
- In Homepage URL paste the link to your GitHub repository README file.
- In the Webhook section, ensure that the checkbox next to Active is ticked.
- In the Webhook URL paste in the link output from the Terraform run.
- Create a secret for the token
openssl rand -base64 32
and paste it in to the Secret field. - Expand the "Repository permissions" drop down and scroll down to "Issues" select
Access: Read and write
- Expand the "Organization permissions" drop down and scroll down to "Members" select
Access: Read and write
- Under "Subscribe to events" ensure that the checkbox for "Issues" and "Issue comment" is selected.
- Under "Where can this GitHub App be installed?" ensure that
Any account
is selected. - Press the
Create GitHub App
button.
You must create a private key to be able to install your GitHub app.
- Press the
generate a private key
link from the app page - Press the
Generate a private key
button. - This will download your private key to your local machine.
- We will need to store this key as an SSM parameter in AWS.
To authenticate as the app you need to generate a Client Secret. From the app settings page:
- Press the Generate a new client secret button
- Copy the provided client secret
- This should then be stored in SSM parameter store
We now need to ensure that the necessary information is stored in our AWS SSM parameters for this installation.
- private key
- client id
- secret - this is the secret for the client
- webhook secret
- app id
- installation ID
From the GitHub app page select the Install App
option from the left hand menu.
You will be shown all of the organisations you can install to as well as your user - please select the organisation you wish to install to and press the Install
button.
In the Install dialogue select to Install on your org to Only select repositories
Select the ElevateMeToOwner
repository you created earlier.
Review the permissions being requested - these are:
- Read access to metadata
- Read and write access to issues and members
Press the Install
button.
Installation and configuration of the toolchain dependencies
make config
After a successful installation and Terraform apply follow the steps above to configure the app in AWS lambda.
There are make
tasks for you to configure to run your tests. Run make test
to see how they work. You should be able to use the same entry points for local development as in your CI pipeline.
The C4 model is a simple and intuitive way to create software architecture diagrams that are clear, consistent, scalable and most importantly collaborative. This should result in documenting all the system interfaces, external dependencies and integration points.
The source for diagrams should be in Git for change control and review purposes. Recommendations are draw.io (example above in docs folder) and Mermaids. Here is an example Mermaids sequence diagram:
sequenceDiagram
User->>+Service: GET /users?params=...
Service->>Service: auth request
Service->>Database: get all users
Database-->>Service: list of users
Service->>Service: filter users
Service-->>-User: list[User]
Most of the projects are built with customisability and extendability in mind. At a minimum, this can be achieved by implementing service level configuration options and settings. The intention of this section is to show how this can be used. If the system processes data, you could mention here for example how the input is prepared for testing - anonymised, synthetic or live data.
Describe or link templates on how to raise an issue, feature request or make a contribution to the codebase. Reference the other documentation files, like
- Environment setup for contribution, i.e.
CONTRIBUTING.md
- Coding standards, branching, linting, practices for development and testing
- Release process, versioning, changelog
- Backlog, board, roadmap, ways of working
- High-level requirements, guiding principles, decision records, etc.
Provide a way to contact the owners of this project. It can be a team, an individual or information on the means of getting in touch via active communication channels, e.g. opening a GitHub discussion, raising an issue, etc.
The LICENCE.md file will need to be updated with the correct year and owner
Unless stated otherwise, the codebase is released under the MIT License. This covers both the codebase and any sample code in the documentation.
Any HTML or Markdown documentation is © Crown Copyright and available under the terms of the Open Government Licence v3.0.