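<#
.SYNOPSIS
    Revokes RightScale Governance (GRS) access for every org user whose e-mail
    address belongs to EMAIL_DOMAIN.

.DESCRIPTION
    1. Exchanges REFRESH_TOKEN for an OAuth2 access token.
    2. Lists the org's users and keeps those whose address is "<local>@<EMAIL_DOMAIN>".
    3. For every project in the org, and for the org itself, revokes each explicit
       role those users hold (roles are read from the access report first).
    4. Rewrites the membership of every group those users belong to so that it
       contains only users outside EMAIL_DOMAIN.

    Any failed API call terminates the script ($ErrorActionPreference = 'Stop'),
    so a revoke that did not happen is never silently skipped. Run with -WhatIf
    to list what would be revoked without changing anything; -Verbose reports
    progress.

.PARAMETER RS_HOST
    RightScale API host, e.g. us-3.rightscale.com.
.PARAMETER EMAIL_DOMAIN
    Mail domain whose users lose access; a leading "@" is optional.
.PARAMETER GRS_ACCOUNT
    GRS organization id.
.PARAMETER REFRESH_TOKEN
    OAuth2 refresh token. When not given, the RS_REFRESH_TOKEN environment
    variable is used, so the secret need not appear on the command line.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    $RS_HOST = "us-3.rightscale.com",
    $EMAIL_DOMAIN = "example.com",
    $GRS_ACCOUNT = "78",
    $REFRESH_TOKEN = ""
)

# A revoke that fails must not be lost in a stream of continuing output.
$ErrorActionPreference = 'Stop'

# Prefer the environment over argv for the secret: argv shows up in process
# listings and shell history.
if ([string]::IsNullOrEmpty($REFRESH_TOKEN)) {
    $REFRESH_TOKEN = $env:RS_REFRESH_TOKEN
}
if ([string]::IsNullOrEmpty($REFRESH_TOKEN)) {
    throw "A refresh token is required: pass -REFRESH_TOKEN or set RS_REFRESH_TOKEN."
}
# An empty domain would turn the filter into "*", i.e. revoke every user in the org.
if ([string]::IsNullOrWhiteSpace($EMAIL_DOMAIN)) {
    throw "EMAIL_DOMAIN must not be empty."
}
if ([string]::IsNullOrWhiteSpace($GRS_ACCOUNT)) {
    throw "GRS_ACCOUNT must not be empty."
}

# Match "<local>@<domain>" exactly; a bare "*<domain>" pattern would also match
# unrelated domains that merely end with the same string (e.g. "notexample.com").
$domainPattern = if ($EMAIL_DOMAIN.StartsWith('@')) { "*$EMAIL_DOMAIN" } else { "*@$EMAIL_DOMAIN" }

$contentType = "application/json"
$baseUri = "https://$RS_HOST"

# --- Authentication ----------------------------------------------------------
$oauthHeader = @{ "X_API_VERSION" = "1.5" }
$oauthBody = @{ "grant_type" = "refresh_token"; "refresh_token" = $REFRESH_TOKEN } | ConvertTo-Json
$oauthResult = Invoke-RestMethod -Uri "$baseUri/api/oauth2" -Method Post -Headers $oauthHeader -ContentType $contentType -Body $oauthBody
$accessToken = $oauthResult.access_token
# Without this check every later call would be sent with an empty bearer token.
if ([string]::IsNullOrEmpty($accessToken)) {
    throw "OAuth2 token exchange against $RS_HOST returned no access_token."
}
$grsHeader = @{ "X-API-Version" = "2.0"; "Authorization" = "Bearer $accessToken" }

# --- Users to revoke ---------------------------------------------------------
$orgUsers = Invoke-RestMethod -UseBasicParsing -Uri "$baseUri/grs/orgs/$GRS_ACCOUNT/users" -Method Get -Headers $grsHeader -ContentType $contentType
# Org user hrefs whose e-mail is in the domain.
$users = @(foreach ($orgUser in $orgUsers) {
    if ($orgUser.email -like $domainPattern) { $orgUser.href }
})
Write-Verbose "$($users.Count) user(s) in org $GRS_ACCOUNT match $domainPattern"
if ($users.Count -eq 0) {
    Write-Verbose "Nothing to revoke."
    return
}

# --- Scopes to inspect: every project, plus the org itself for org-level roles --
$orgProjects = Invoke-RestMethod -UseBasicParsing -Uri "$baseUri/grs/orgs/$GRS_ACCOUNT/projects" -Method Get -Headers $grsHeader -ContentType $contentType
$projects = @(foreach ($orgProject in $orgProjects) {
    "grs/orgs/$GRS_ACCOUNT/projects/$($orgProject.id)"
})
$projects += "grs/orgs/$GRS_ACCOUNT"

# --- Revoke explicit roles ---------------------------------------------------
foreach ($project in $projects) {
    foreach ($user in $users) {
        $reportPayload = [ordered]@{ "subject_href" = $user } | ConvertTo-Json
        # The access report lists the roles this subject holds in the project
        # (or at org scope when $project is the org href).
        $userRoles = Invoke-RestMethod -UseBasicParsing -Uri "$baseUri/$project/access_reports/roles" -Method Post -Headers $grsHeader -ContentType $contentType -Body $reportPayload
        $roles = $userRoles.items.access_rules.links.role.href
        foreach ($role in $roles) {
            if (-not $PSCmdlet.ShouldProcess("$user in $project", "Revoke role $role")) { continue }
            $revokePayload = [ordered]@{
                "subject" = [ordered]@{ "href" = $user }
                "role"    = [ordered]@{ "href" = $role }
            } | ConvertTo-Json
            Write-Verbose "Revoking $role from $user in $project"
            Invoke-RestMethod -UseBasicParsing -Uri "$baseUri/$project/access_rules/revoke" -Method Put -Headers $grsHeader -ContentType $contentType -Body $revokePayload
        }
    }
}

# --- Remove the users from their groups --------------------------------------
# Hashtable body on a GET is sent as the query string (view=extended).
$extendedView = @{ "view" = "extended" }
foreach ($user in $users) {
    # NOTE(review): assumes the 4th '/'-separated segment of the user href is the
    # user id — confirm against the href shape the API returns.
    $userId = $user.split('/')[3]
    $userDetails = Invoke-RestMethod -UseBasicParsing -Uri "$baseUri/grs/orgs/$GRS_ACCOUNT/users/$userId" -Method Get -Headers $grsHeader -ContentType $contentType -Body $extendedView
    foreach ($group in $userDetails.groups.href) {
        $groupDetails = Invoke-RestMethod -UseBasicParsing -Uri "$baseUri$group" -Method Get -Headers $grsHeader -ContentType $contentType -Body $extendedView
        # Membership is replaced wholesale, so every member outside the domain
        # has to be resent; members inside the domain are simply omitted.
        $remainingMembers = @(foreach ($groupUser in $groupDetails.users) {
            if ($groupUser.email -notlike $domainPattern) {
                [PSCustomObject]@{ id = $groupUser.id; href = $groupUser.href; kind = "user" }
            }
        })
        if (-not $PSCmdlet.ShouldProcess("group $group", "Remove $user from membership")) { continue }
        # NOTE(review): assumes the 6th '/'-separated segment of the group href is
        # the group id — confirm against the href shape the API returns.
        $newMembershipPayload = [ordered]@{
            "group" = [ordered]@{
                "id"   = $group.split('/')[5]
                "href" = $group
                "kind" = "group"
            }
            "users" = @($remainingMembers)
        } | ConvertTo-Json -Depth 5   # explicit depth so nested member objects are never stringified
        Write-Verbose "Rewriting membership of $group without $user ($($remainingMembers.Count) member(s) kept)"
        Invoke-WebRequest -UseBasicParsing -Uri "$baseUri/grs/orgs/$GRS_ACCOUNT/memberships" -Method Put -Headers $grsHeader -ContentType $contentType -Body $newMembershipPayload
    }
}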