From 65fdcc5646c441d8397be67133d9d9f26c5aa1e3 Mon Sep 17 00:00:00 2001
From: bss-mc
Date: Mon, 25 Nov 2024 17:47:22 +0900
Subject: [PATCH 1/2] Create `.graphql` files for checking 2FA status of enterprise members / OCs Initial creation of 6 `graphql` files: - Ent members with no 2FA - Ent members with insecure 2FA options - Ent members with secure 2FA - OCs with no 2FA - OCs with insecure 2FA options - OCs with secure 2FA
---
 .../enterprise-members-2fa-disabled.graphql | 28 +++++++++++++++++++
 .../enterprise-members-2fa-insecure.graphql | 28 +++++++++++++++++++
 .../enterprise-members-2fa-secure.graphql | 28 +++++++++++++++++++
 ...outside-collaborators-2fa-disabled.graphql | 25 +++++++++++++++++
 ...outside-collaborators-2fa-insecure.graphql | 25 +++++++++++++++++
 ...e-outside-collaborators-2fa-secure.graphql | 25 +++++++++++++++++
 6 files changed, 159 insertions(+)
 create mode 100644 graphql/queries/enterprise-members-2fa-disabled.graphql
 create mode 100644 graphql/queries/enterprise-members-2fa-insecure.graphql
 create mode 100644 graphql/queries/enterprise-members-2fa-secure.graphql
 create mode 100644 graphql/queries/enterprise-outside-collaborators-2fa-disabled.graphql
 create mode 100644 graphql/queries/enterprise-outside-collaborators-2fa-insecure.graphql
 create mode 100644 graphql/queries/enterprise-outside-collaborators-2fa-secure.graphql
diff --git a/graphql/queries/enterprise-members-2fa-disabled.graphql b/graphql/queries/enterprise-members-2fa-disabled.graphql
new file mode 100644
index 000000000..207ebeeb0
--- /dev/null
+++ b/graphql/queries/enterprise-members-2fa-disabled.graphql
@@ -0,0 +1,28 @@
+# This GraphQL query will list any enterprise members who have yet to enable 2FA on their personal GitHub account.
+# This does not list any outside collaborators, and will not work with Enterprise Managed Users other than the setup user.
+
+query GetEnterpriseMembersWith2faDisabled {
+ enterprise(slug: "ENTERPRISE_SLUG") {
+ enterprise_id: id
+ enterprise_slug: slug
+ members_with_no_2fa: members(
+ first: 100
+ twoFactorMethodSecurity: DISABLED
+ ) {
+ num_of_members: totalCount
+ edges {
+ node {
+ ... on EnterpriseUserAccount {
+ login
+ }
+ }
+ }
+ pageInfo {
+ endCursor
+ startCursor
+ hasNextPage
+ hasPreviousPage
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/graphql/queries/enterprise-members-2fa-insecure.graphql b/graphql/queries/enterprise-members-2fa-insecure.graphql
new file mode 100644
index 000000000..b30757f17
--- /dev/null
+++ b/graphql/queries/enterprise-members-2fa-insecure.graphql
@@ -0,0 +1,28 @@
+# This GraphQL query will list any enterprise members who have enabled 2FA on their GitHub account, but amongst their 2FA methods is SMS (which is deemed insecure).
+# This does not list any outside collaborators, and will not work with Enterprise Managed Users other than the setup user.
+
+query GetEnterpriseMembersWithInsecure2fa {
+ enterprise(slug: "ENTERPRISE_SLUG") {
+ enterprise_id: id
+ enterprise_slug: slug
+ members_with_insecure_2fa: members(
+ first: 100
+ twoFactorMethodSecurity: INSECURE
+ ) {
+ num_of_members: totalCount
+ edges {
+ node {
+ ... on EnterpriseUserAccount {
+ login
+ }
+ }
+ }
+ pageInfo {
+ endCursor
+ startCursor
+ hasNextPage
+ hasPreviousPage
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/graphql/queries/enterprise-members-2fa-secure.graphql b/graphql/queries/enterprise-members-2fa-secure.graphql
new file mode 100644
index 000000000..0c02797bd
--- /dev/null
+++ b/graphql/queries/enterprise-members-2fa-secure.graphql
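Review bot: The `members_with_no_2fa` connection in enterprise-members-2fa-disabled.graphql is never paged: the query selects `pageInfo { endCursor hasNextPage }` but accepts no cursor, so in an enterprise with more than 100 matching accounts everything past the first page is silently absent from the 2FA audit. Declaring a variable and passing it through, `query GetEnterpriseMembersWith2faDisabled($cursor: String) {` with `after: $cursor` next to `first: 100`, lets a caller loop until `hasNextPage` is false. At minimum the header comment should say the list is capped at 100 and has to be compared with `num_of_members`. The same applies to the other five query files added by this patch.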
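Review bot: The node selection in enterprise-members-2fa-insecure.graphql names only `... on EnterpriseUserAccount { login }`, so a member whose node resolves to any other type comes back as an empty object: counted in `num_of_members` but not identifiable. In GitHub's public schema the member node is, as far as I know, a union of `EnterpriseUserAccount` and `User`; if that holds for this connection, adding `__typename` and `... on User { login }` inside `node` keeps every account with SMS-based 2FA nameable. The disabled and secure member queries select the node the same way.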
@@ -0,0 +1,28 @@
+# This GraphQL query will list any enterprise members who have enabled 2FA on their GitHub account with a secure (non-SMS) method.
+# This does not list any outside collaborators, and will not work with Enterprise Managed Users other than the setup user.
+
+query GetEnterpriseMembersWithSecure2fa {
+ enterprise(slug: "ENTERPRISE_SLUG") {
+ enterprise_id: id
+ enterprise_slug: slug
+ members_with_secure_2fa: members(
+ first: 100
+ twoFactorMethodSecurity: SECURE
+ ) {
+ num_of_members: totalCount
+ edges {
+ node {
+ ... on EnterpriseUserAccount {
+ login
+ }
+ }
+ }
+ pageInfo {
+ endCursor
+ startCursor
+ hasNextPage
+ hasPreviousPage
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/graphql/queries/enterprise-outside-collaborators-2fa-disabled.graphql b/graphql/queries/enterprise-outside-collaborators-2fa-disabled.graphql
new file mode 100644
index 000000000..e778b6f6d
--- /dev/null
+++ b/graphql/queries/enterprise-outside-collaborators-2fa-disabled.graphql
@@ -0,0 +1,25 @@
+# This GraphQL query will list any outside collaborators in an enterprise who have yet to enable 2FA on their GitHub account.
+
+query GetEnterpriseollaboratorsWith2faDisabled {
+ enterprise(slug: "ENTERPRISE_SLUG") {
+ enterprise_id: id
+ enterprise_slug: slug
+ enterprise_owner_info: ownerInfo {
+ collaborators_with_no_2fa: outsideCollaborators(
+ twoFactorMethodSecurity: DISABLED
+ first: 100
+ ) {
+ num_of_collaborators: totalCount
+ nodes {
+ login
+ }
+ pageInfo {
+ endCursor
+ startCursor
+ hasNextPage
+ hasPreviousPage
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/graphql/queries/enterprise-outside-collaborators-2fa-insecure.graphql b/graphql/queries/enterprise-outside-collaborators-2fa-insecure.graphql
new file mode 100644
index 000000000..6fde86714
--- /dev/null
+++ b/graphql/queries/enterprise-outside-collaborators-2fa-insecure.graphql
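Review bot: The operation name `GetEnterpriseollaboratorsWith2faDisabled` in enterprise-outside-collaborators-2fa-disabled.graphql is missing a `C`. The two sibling collaborator files use `GetEnterpriseCollaborators…`, and tooling that picks an operation by name would not find this one under the expected spelling. Suggested line: `query GetEnterpriseCollaboratorsWith2faDisabled {`.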
@@ -0,0 +1,25 @@
+# This GraphQL query will list any outside collaborators in an enterprise who have enabled 2FA on their GitHub account, but amongst the 2FA methods is SMS (which is deemed insecure).
+
+query GetEnterpriseCollaboratorsWithInsecure2fa {
+ enterprise(slug: "ENTERPRISE_SLUG") {
+ enterprise_id: id
+ enterprise_slug: slug
+ enterprise_owner_info: ownerInfo {
+ collaborators_with_insecure_2fa: outsideCollaborators(
+ twoFactorMethodSecurity: INSECURE
+ first: 1
+ ) {
+ num_of_collaborators: totalCount
+ nodes {
+ login
+ }
+ pageInfo {
+ endCursor
+ startCursor
+ hasNextPage
+ hasPreviousPage
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/graphql/queries/enterprise-outside-collaborators-2fa-secure.graphql b/graphql/queries/enterprise-outside-collaborators-2fa-secure.graphql
new file mode 100644
index 000000000..a3565196e
--- /dev/null
+++ b/graphql/queries/enterprise-outside-collaborators-2fa-secure.graphql
@@ -0,0 +1,25 @@
+# This GraphQL query will list any outside collaborators in an enterprise who have enabled 2FA on their GitHub account with a secure (non-SMS) method.
+
+query GetEnterpriseCollaboratorsWithSecure2fa {
+ enterprise(slug: "ENTERPRISE_SLUG") {
+ enterprise_id: id
+ enterprise_slug: slug
+ enterprise_owner_info: ownerInfo {
+ collaborators_with_secure_2fa: outsideCollaborators(
+ twoFactorMethodSecurity: SECURE
+ first: 100
+ ) {
+ num_of_collaborators: totalCount
+ nodes {
+ login
+ }
+ pageInfo {
+ endCursor
+ startCursor
+ hasNextPage
+ hasPreviousPage
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
From c390d9bd8d6317e6846f23fa01fccba05e66e10d Mon Sep 17 00:00:00 2001
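Review bot: The header comment of enterprise-outside-collaborators-2fa-insecure.graphql does not say who can run the query. The collaborators are read through `ownerInfo`, which GitHub documents as visible to enterprise owners, so a token without that access would presumably receive `enterprise_owner_info: null` instead of a list. A consumer that treats a missing list as "no collaborators on SMS 2FA" would then report a clean result it never checked. I would add a comment such as `# Requires an enterprise-owner token; a null enterprise_owner_info means the caller lacks access, not that there are no matches.` here and in the disabled and secure collaborator queries.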
From: bss-mc <117171930+bss-mc@users.noreply.github.com>
Date: Tue, 26 Nov 2024 09:41:33 +0900
Subject: [PATCH 2/2] Update graphql/queries/enterprise-outside-collaborators-2fa-insecure.graphql Update OC insecure 2FA to increase results returned from 1 to 100.
Co-authored-by: Justin Alex <1155821+jusuchin85@users.noreply.github.com>
---
 .../enterprise-outside-collaborators-2fa-insecure.graphql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/graphql/queries/enterprise-outside-collaborators-2fa-insecure.graphql b/graphql/queries/enterprise-outside-collaborators-2fa-insecure.graphql
index 6fde86714..b691eddbd 100644
--- a/graphql/queries/enterprise-outside-collaborators-2fa-insecure.graphql
+++ b/graphql/queries/enterprise-outside-collaborators-2fa-insecure.graphql
@@ -7,7 +7,7 @@ query GetEnterpriseCollaboratorsWithInsecure2fa {
 enterprise_owner_info: ownerInfo {
 collaborators_with_insecure_2fa: outsideCollaborators(
 twoFactorMethodSecurity: INSECURE
- first: 1
+ first: 100
 ) {
 num_of_collaborators: totalCount
 nodes {