Add org permissions fetcher

[mic67mel]

• [ x ] Tick to sign-off your agreement to the Developer Certificate of Origin (DCO) 1.1

What

Add a fetcher that will gather forks list for each repo of a Github organization.

Why

This fetcher is needed to control access to source code.

How

• fetch_org_permissions.py
• README.md

Test

N/A

Context

• New feature: GitHub organization, repo collaborators, forks and teams fetcher #52

[mstancamp]

Copyright should be 2021.

[mic67mel]

ok, thanks

[alfinkel]

Pausing... I think #53 (comment) needs resolution before we proceed.

[alfinkel]

• Rebase and change this to 0.11.0.
• Add punctuation.

Suggested change

	# [0.10.0](https://github.com/ComplianceAsCode/auditree-arboretum/releases/tag/v0.10.0)
	- [ADDED] Added Github org forks
	# [0.11.0](https://github.com/ComplianceAsCode/auditree-arboretum/releases/tag/v0.11.0)
	- [ADDED] GitHub org forks fetcher added to `Permissions`.

[alfinkel]

0.11.0 now

[alfinkel]

This isn't the gh-org-fetcher. You should provide a proper link and reference it here correctly.

Also, it seems like it would make sense to rename the class as GithubOrgForksFetcher? Suggest renaming the class and changing the link ref for gh-org-fetcher to gh-org-collaborators-fetcher and adding a gh-org-forks-fetcher link reference to button it all up.

[alfinkel]

Suggested change

	* Behavior: For each Github organization specified, an evidence file is stored in
	* Behavior: For each Github organization specified, an evidence file is stored in

[alfinkel]

By doing this you're tying the collaborators fetcher and the forks fetcher together. If someone chooses to run both of these fetchers in their environment then they're forced to run them for the exact same set of orgs and repos. Is that the desired behavior?

[alfinkel]

Just some cosmetic refactoring needed. Feel free to squash commits down to one as part of the next review cycle. I think we're almost GTG here.

[alfinkel]

Suggested change

	### Organization Integrity (Repository Collaborators and Forks)
	### Organization Integrity Permissions

[alfinkel]

Suggested change

	* Behavior: For each Github organization specified an evidence file per collaborator type (affiliation) and an evidence file with the list of repository forks are stored in
	the locker. The default is to retrieve all collaborators by affiliation and all forks from all repositories in each specified Github organization. TTL is set to 1 day.
	* Behavior: For each Github organization specified, Github collaborator and Github fork evidence files per collaborator type (affiliation) are stored in
	the locker containing details for the specified repositories in the organization. The default is to
	retrieve all collaborators and all forks by affiliation from all repositories in each specified Github organization. TTL is set to 1 day.

[alfinkel]

Suggested change

	* Use if looking to filter collaborator and fork evidence to a subset of repositories in the organization otherwise do not include.
	* Use if looking to filter permissions evidence to a subset of repositories in the organization otherwise do not include.

[alfinkel]

repository-permissions doesn't seem right here. I think you're breaking the link.

[alfinkel]

Suggested change

	"""Fetch Github repository colaborators and forks."""
	"""Fetch Github repository permissions evidence."""

BTW you should turn auto spell check on in your IDE or editor (collaborators is misspelled). It would make the review go smoother.

[alfinkel]

Remove this. You're just replicating the parent class method and running it twice.

[alfinkel]

Since you've imported the entire fetch_orgs_collaborators module as collabs you don't really need to reimport these. Instead you should be able to just reference them in the code via collabs like collabs.DAY, collabs.Github, etc...

[alfinkel]

Can you explain the purpose of having this empty line? If not then I suggest removing it.

[alfinkel]

Suggested change

	json_file = f'gh_forks_{url_hash}.json'
	path = ['permissions', json_file]
	path = ['permissions', f'gh_forks_{url_hash}.json']

[alfinkel]

Suggested change

	forks_url = f'repos/{org}/{repo}/forks'
	forks[repo] = self.gh_pool[host].paginate_api(
	forks_url
	)
	forks[repo] = self.gh_pool[host].paginate_api(
	f'repos/{org}/{repo}/forks'
	)

[alfinkel]

Can you add a deprecated decorator with a reason (similar to the entry in the CHANGES.md) to the org integrity collabs fetcher class? The deprecated module is already being brought into arboretum through the framework.

ref: https://github.com/tantale/deprecated#usage

see here for framework example.

I think once you do that we should be good to go.

[alfinkel]

Can you add more detail to your [ADDED] entry and add a [DEPRECATED] entry for the org repo collabs fetcher and state that its functionality is now part of the permissions fetcher? Something like:

[ADDED] Github org integrity fetcher added to `permissions`.
[ADDED] Github org integrity forks fetcher functionality added Github org integrity fetcher.
[DEPRECATED] Github org integrity collaborators fetcher functionality moved to Github org integrity fetcher. 

[alfinkel]

This needs a bit of clarification and the parentheses aren't needed. Suggest:

Suggested change

	description = (f'Fork of the {org} GH org')
	description = f'Forks of repos in the {org} GH org'

[alfinkel]

If not for my dumb suggestions in the last review this would be good to go. Make the few tweaks I mentioned below and we can merge. Thanks!

[alfinkel]

Suggested change

	- [DEPRECATED] Github org integrity collaborators fetcher functionality moved to Github org integrity permissions fetcher.
	- [CHANGED] Github org integrity collaborators fetcher functionality added to Github org integrity permissions fetcher.

[alfinkel]

Let's remove all of this. We shouldn't deprecate the fetcher since it is the parent class for the new org integrity fetcher. Sorry for causing the unnecessary thrash here.

[alfinkel]

+1