From beaf4e73cec4066f3732e398b7e63e2b3e2074db Mon Sep 17 00:00:00 2001
From: Derek Roberts
Date: Wed, 3 Jan 2024 20:13:52 -0800
Subject: [PATCH 1/6] Reporter script

---
 scripts/rights_reporter.sh | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100755 scripts/rights_reporter.sh

diff --git a/scripts/rights_reporter.sh b/scripts/rights_reporter.sh
new file mode 100755
index 000000000..bc908c278
--- /dev/null
+++ b/scripts/rights_reporter.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+set -euo pipefail
+
+# This script reports on rights in OpenShift projects
+
+# Get the current user's projects
+PROJECTS=$(oc projects | grep -v "*" | grep -E "^ +.*-.*(.*)$")
+
+# Upstream accounts to exclude
+EXCLUDES="admin|legacy-access-github|ministry-viewer|openshift-pipelines-edit|platform-services-controlled-admin|platform-services-controlled-helper|admin-[0-9]*|edit-[0-9]*"
+
+# Loop through the projects and report on rights
+for p in $(echo "${PROJECTS}" | awk '{print $1}'); do
+ echo -e "\n---\n\nProject: $p"
+ echo -e "Name: $(echo "${PROJECTS}" | grep $p | awk -F" - " '{print $2}')\n"
+ oc get rolebindings -n $p | sort | grep -Ev "^(${EXCLUDES}) " | grep -E "ClusterRole/(admin|edit|view)" || echo "Insufficient rights for $p"
+done

From 4920325cb983c0de942ae0c4301b40fc80819811 Mon Sep 17 00:00:00 2001
From: Derek Roberts
Date: Wed, 3 Jan 2024 21:01:55 -0800
Subject: [PATCH 2/6] Greatly improve scrubbing

---
 scripts/rights_reporter.sh | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/scripts/rights_reporter.sh b/scripts/rights_reporter.sh
index bc908c278..e7584d47a 100755
--- a/scripts/rights_reporter.sh
+++ b/scripts/rights_reporter.sh
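Review bot: `grep $p` on the third added `echo -e` line matches the project name as an unanchored regex anywhere in the listing, so a name that is a prefix of another project (or that contains regex metacharacters) yields a wrong or multi-line `Name:` value; the same line is carried into the hunks of patches 2, 3, 4 and 5. Match the first field exactly instead, e.g. `echo "${PROJECTS}" | awk -v p="$p" '$1 == p' | awk -F" - " '{print $2}'`. The loop header `for p in $(...)` and the unquoted `-n $p` rely on project names being single words, which holds for namespace names but deserves a comment, and `printf '%s\n'` would avoid the `echo -e` portability caveats.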
@@ -5,6 +5,7 @@ set -euo pipefail
 # Get the current user's projects
 PROJECTS=$(oc projects | grep -v "*" | grep -E "^ +.*-.*(.*)$")
+ROLES="admin edit view"
 # Upstream accounts to exclude
 EXCLUDES="admin|legacy-access-github|ministry-viewer|openshift-pipelines-edit|platform-services-controlled-admin|platform-services-controlled-helper|admin-[0-9]*|edit-[0-9]*"
@@ -12,6 +13,9 @@ EXCLUDES="admin|legacy-access-github|ministry-viewer|openshift-pipelines-edit|pl
 # Loop through the projects and report on rights
 for p in $(echo "${PROJECTS}" | awk '{print $1}'); do
 echo -e "\n---\n\nProject: $p"
- echo -e "Name: $(echo "${PROJECTS}" | grep $p | awk -F" - " '{print $2}')\n"
- oc get rolebindings -n $p | sort | grep -Ev "^(${EXCLUDES}) " | grep -E "ClusterRole/(admin|edit|view)" || echo "Insufficient rights for $p"
+ echo -e "Name: $(echo "${PROJECTS}" | grep $p | awk -F" - " '{print $2}')"
+ for role in ${ROLES}; do
+ echo -e "\n${role}:"
+ oc get rolebindings -n $p -o json | jq -r '.items[] | select(.subjects[].kind=="User", .roleRef.name=="${role}") | .subjects[].name' | sort | uniq | sed "s/^/ /g" || echo "Insufficient rights for $p"
+ done
 done

From 63dd265efeb235a827a61fa8b5ff0b0ebb393087 Mon Sep 17 00:00:00 2001
From: Derek Roberts
Date: Wed, 3 Jan 2024 23:07:42 -0800
Subject: [PATCH 3/6] Error handling for projects with insufficent rights

---
 scripts/rights_reporter.sh | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/scripts/rights_reporter.sh b/scripts/rights_reporter.sh
index e7584d47a..9f0d14e58 100755
--- a/scripts/rights_reporter.sh
+++ b/scripts/rights_reporter.sh
@@ -2,6 +2,7 @@
 set -euo pipefail
 # This script reports on rights in OpenShift projects
+echo -e "OpenShift users for projects accessible to $(oc whoami)\n"
 # Get the current user's projects
 PROJECTS=$(oc projects | grep -v "*" | grep -E "^ +.*-.*(.*)$")
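Review bot: The jq program on the added `oc get rolebindings -n $p -o json | jq -r` line is single-quoted, so `${role}` is never expanded and `.roleRef.name=="${role}"` compares against that literal string, which can only be false; jq's `select(a, b)` also emits the item once per truthy condition rather than requiring both, so every `${role}:` section lists the users of all rolebindings regardless of role. The same filter survives unchanged in the hunks of patches 3, 4 and 5. Pass the role as a jq variable and filter subjects after the role match: `jq -r --arg role "$role" '.items[] | select(.roleRef.name == $role) | .subjects[] | select(.kind == "User") | .name'`. `--arg` also keeps the value out of the program text, which matters once patch 4 makes ROLES a command-line parameter.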
@@ -12,10 +13,13 @@ EXCLUDES="admin|legacy-access-github|ministry-viewer|openshift-pipelines-edit|pl
 # Loop through the projects and report on rights
 for p in $(echo "${PROJECTS}" | awk '{print $1}'); do
- echo -e "\n---\n\nProject: $p"
- echo -e "Name: $(echo "${PROJECTS}" | grep $p | awk -F" - " '{print $2}')"
+ echo -e "---\n\nProject: $p"
+ echo -e "Name: $(echo "${PROJECTS}" | grep $p | awk -F" - " '{print $2}')\n"
+
+ oc get rolebindings -n $p > /dev/null || continue
 for role in ${ROLES}; do
- echo -e "\n${role}:"
+ echo -e "${role}:"
 oc get rolebindings -n $p -o json | jq -r '.items[] | select(.subjects[].kind=="User", .roleRef.name=="${role}") | .subjects[].name' | sort | uniq | sed "s/^/ /g" || echo "Insufficient rights for $p"
+ echo
 done
 done

From 6eb470de0f0dd6ff7c83151cd261a738f0494992 Mon Sep 17 00:00:00 2001
From: Derek Roberts
Date: Wed, 3 Jan 2024 23:44:54 -0800
Subject: [PATCH 4/6] Cleanup

---
 scripts/rights_reporter.sh | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/scripts/rights_reporter.sh b/scripts/rights_reporter.sh
index 9f0d14e58..829957cde 100755
--- a/scripts/rights_reporter.sh
+++ b/scripts/rights_reporter.sh
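Review bot: With the added `oc get rolebindings -n $p > /dev/null || continue` precheck, the `|| echo "Insufficient rights for $p"` on the context jq line can only be reached by a failure of the jq/sort/sed pipeline itself, so a parse error (for instance `.subjects[]` on a rolebinding that has no `subjects` list, which jq cannot iterate) is reported as a rights problem; patch 4's hunk keeps the same wording. Either reword it, e.g. `|| echo "Could not parse rolebindings for $p"`, or let the pipeline error surface so the reader sees the actual cause. Quoting `"$p"` on both oc calls costs nothing and keeps ShellCheck clean.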
@@ -2,24 +2,28 @@
 set -euo pipefail
 # This script reports on rights in OpenShift projects
-echo -e "OpenShift users for projects accessible to $(oc whoami)\n"
+echo -e "OpenShift users for projects accessible to $(oc whoami)"
-# Get the current user's projects
+# Projects available to the current user
 PROJECTS=$(oc projects | grep -v "*" | grep -E "^ +.*-.*(.*)$")
-ROLES="admin edit view"
-# Upstream accounts to exclude
-EXCLUDES="admin|legacy-access-github|ministry-viewer|openshift-pipelines-edit|platform-services-controlled-admin|platform-services-controlled-helper|admin-[0-9]*|edit-[0-9]*"
+# Roles to report on, can be overridden with a quoted parameter
+ROLES=${1:-"admin edit view"}
 # Loop through the projects and report on rights
 for p in $(echo "${PROJECTS}" | awk '{print $1}'); do
- echo -e "---\n\nProject: $p"
- echo -e "Name: $(echo "${PROJECTS}" | grep $p | awk -F" - " '{print $2}')\n"
+ echo -e "\n---\n\nProject: $p"
+ echo -e "Name: $(echo "${PROJECTS}" | grep $p | awk -F" - " '{print $2}')"
+ # Skip projects with insufficient rights
 oc get rolebindings -n $p > /dev/null || continue
+
+ # Report on requested roles
 for role in ${ROLES}; do
- echo -e "${role}:"
- oc get rolebindings -n $p -o json | jq -r '.items[] | select(.subjects[].kind=="User", .roleRef.name=="${role}") | .subjects[].name' | sort | uniq | sed "s/^/ /g" || echo "Insufficient rights for $p"
- echo
+ echo -e "\n${role}:"
+ (oc get rolebindings -n $p -o json \
+ | jq -r '.items[] | select(.subjects[].kind=="User", .roleRef.name=="${role}") | .subjects[].name' \
+ | sort | uniq | sed "s/^/ /g" \
+ )|| echo "Insufficient rights for $p"
 done
 done

From 5c8f737b811ff611b027aab4cd054425125f1a6c Mon Sep 17 00:00:00 2001
From: Derek Roberts
Date: Thu, 4 Jan 2024 00:02:45 -0800
Subject: [PATCH 5/6] Cleanup

---
 scripts/rights_reporter.sh | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)
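Review bot: `ROLES=${1:-"admin edit view"}` turns the role list into a command-line input, but the script has no usage line and nothing checks the value before `for role in ${ROLES}` word-splits it — and, being unquoted, also glob-expands it, so an argument containing `*` would be expanded against the current directory. Add a header comment such as `# Usage: rights_reporter.sh ["admin edit view"]   # space-separated ClusterRole names` and a guard like `[[ "${ROLES}" =~ ^[A-Za-z0-9:._[:space:]-]+$ ]] || { echo "usage: $0 [\"role role ...\"]" >&2; exit 2; }` before the loop. The comment `# Roles to report on, can be overridden with a quoted parameter` could then point at that usage line.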
diff --git a/scripts/rights_reporter.sh b/scripts/rights_reporter.sh
index 829957cde..92255a5ef 100755
--- a/scripts/rights_reporter.sh
+++ b/scripts/rights_reporter.sh
@@ -15,15 +15,16 @@ for p in $(echo "${PROJECTS}" | awk '{print $1}'); do
 echo -e "\n---\n\nProject: $p"
 echo -e "Name: $(echo "${PROJECTS}" | grep $p | awk -F" - " '{print $2}')"
- # Skip projects with insufficient rights
- oc get rolebindings -n $p > /dev/null || continue
-
- # Report on requested roles
- for role in ${ROLES}; do
- echo -e "\n${role}:"
- (oc get rolebindings -n $p -o json \
- | jq -r '.items[] | select(.subjects[].kind=="User", .roleRef.name=="${role}") | .subjects[].name' \
- | sort | uniq | sed "s/^/ /g" \
- )|| echo "Insufficient rights for $p"
- done
+ # Report on requested roles, where possible
+ if oc get rolebindings -n $p &> /dev/null; then
+ for role in ${ROLES}; do
+ echo -e "\n${role}:"
+ oc get rolebindings -n $p -o json \
+ | jq -r '.items[] | select(.subjects[].kind=="User", .roleRef.name=="${role}") | .subjects[].name' \
+ | sort | uniq | sed "s/^/ /g"
+ done
+ else
+ echo -e "\nInsufficient rights"
+ fi
 done
+echo -e "\n---\n"

From c50711a7bdabefe5b7c2f672ad784ef350071507 Mon Sep 17 00:00:00 2001
From: Derek Roberts
Date: Thu, 4 Jan 2024 08:27:39 -0800
Subject: [PATCH 6/6] Fixed asterisk-related undercount

---
 scripts/rights_reporter.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/rights_reporter.sh b/scripts/rights_reporter.sh
index 92255a5ef..5a1908d40 100755
--- a/scripts/rights_reporter.sh
+++ b/scripts/rights_reporter.sh
@@ -5,7 +5,7 @@ set -euo pipefail
 echo -e "OpenShift users for projects accessible to $(oc whoami)"
 # Projects available to the current user
-PROJECTS=$(oc projects | grep -v "*" | grep -E "^ +.*-.*(.*)$")
+PROJECTS=$(oc projects | sed "s/\*/ /g" | grep -E "^ +.*-.*(.*)$")
 # Roles to report on, can be overridden with a quoted parameter
 ROLES=${1:-"admin edit view"}
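Review bot: Dropping the `|| echo ...` fallback means the `oc get ... | jq -r ... | sed` pipeline inside the new `if` branch now runs bare under the file's `set -euo pipefail`, so a single jq error — `.subjects[]` fails on a rolebinding that has no `subjects` list — terminates the whole report instead of one project. Guard the iteration in the filter with `(.subjects // [])[]`. The `&> /dev/null` on the precheck also discards the reason for a failure, so an expired token or an API error is printed as `Insufficient rights`; keeping stderr, e.g. `if err=$(oc get rolebindings -n "$p" 2>&1 >/dev/null); then` with `echo -e "\nInsufficient rights: ${err}"` in the else branch, lets the reader tell a permission denial from a transient failure.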
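Review bot: The new `sed "s/\*/ /g"` stage restores the current project, but the pipeline still screen-scrapes the human-readable `oc projects` listing, and `grep -E "^ +.*-.*(.*)$"` keeps a line only if it contains a hyphen somewhere, so a project with no display name and no hyphen in its name would presumably still be omitted. A machine-readable query avoids the marker and spacing assumptions, for example `oc get projects --no-headers -o custom-columns=NAME:.metadata.name,DISPLAY:.metadata.annotations.openshift\.io/display-name`. If that is out of scope, a comment on the `PROJECTS=` line describing the expected `  * name - Display Name` layout it parses would help the next reader.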