Merge pull request #757 from github/jusuchin85/2024-11-19_graphql_ip-allow-lists

Add GraphQL Queries for Managing the IP Allow List (and Other Small Usability Fixes)

Author: jusuchin85

…-list-enterprise-scim-identities.graphql …es/emu-scim-list-scim-identities.graphqlgraphql/queries/scim-emu-list-enterprise-scim-identities.graphql renamed to graphql/queries/emu-scim-list-scim-identities.graphql graphql/queries/scim-emu-list-enterprise-scim-identities.graphql renamed to graphql/queries/emu-scim-list-scim-identities.graphql

@@ -0,0 +1,25 @@
+# Grab current IP allow list settings for an enterprise.
+# This includes:
+# - The IP allow list entries
+# - The IP allow list enabled setting
+# - The IP allow list for GitHub Apps enabled setting
+
+query GetEnterpriseIPAllowList {
+  enterprise(slug: "ENTERPRISE_SLUG") {
+    owner_id: id
+    enterprise_slug: slug
+    enterprise_owner_info: ownerInfo {
+      is_ip_allow_list_enabled: ipAllowListEnabledSetting
+      is_ip_allow_list_for_github_apps_enabled: ipAllowListForInstalledAppsEnabledSetting
+      ipAllowListEntries(first: 100) {
+        nodes {
+          ip_allow_list_entry_id: id
+          ip_allow_list_entry_name: name
+          ip_allow_list_entry_value: allowListValue
+          ip_allow_list_entry_created: createdAt
+          is_ip_allow_list_entry_active: isActive
+        }
+      }
+    }
+  }
+}

…enterprises-list-scim-identities.graphql …u-scim-oidc-list-scim-identities.graphqlgraphql/queries/scim-emu-enterprises-list-scim-identities.graphql renamed to graphql/queries/emu-scim-oidc-list-scim-identities.graphql graphql/queries/scim-emu-enterprises-list-scim-identities.graphql renamed to graphql/queries/emu-scim-oidc-list-scim-identities.graphql

@@ -3,8 +3,8 @@
 # If the Identity Provider has sent an `emails` attribute/value in a previous SAML response for enterprise member(s), it also possible to add the `emails` attribute in the `samlIdentity` section right below `nameID` and query for this SAML identity attribute value as well. 
 # If there are a large number of identities/users (greater than 100), pagination will need to be used. See https://graphql.org/learn/pagination/ for details on pagination. There is an example of pagination in simple-pagination-example.graphql.
 
-query listSSOUserIdentities($enterpriseSlug: String!) {
-  enterprise(slug: $enterpriseSlug) {
+query listSSOUserIdentities {
+  enterprise(slug: "ENTERPRISE_SLUG") {
     ownerInfo {
       samlIdentityProvider {
         externalIdentities(first: 100) {

graphql/queries/enterprise-get-ip-allow-list.graphql

@@ -0,0 +1,29 @@
+# This query is used to add an IP address to the IP allow list.
+# This can be used on both organizations and enterprise accounts.
+#
+# The `OWNER_ID` is the ID of the organization or enterprise account. You can
+# get the ID of an organization or enterprise account by executing either of
+# the following queries and referring to the value from `owner_id` field:
+#
+# - organizations: https://github.com/github/platform-samples/blob/master/graphql/queries/org-get-ip-allow-list.graphql
+# - enterprise accounts: https://github.com/github/platform-samples/blob/master/graphql/queries/enterprise-get-ip-allow-list.graphql
+
+mutation AddIPAddressToIPAllowList {
+  createIpAllowListEntry(
+    input: {
+      ownerId: "OWNER_ID"
+      name: "DESCRIPTION_OF_IP_ADDRESS"
+      allowListValue: "IP_ADDRESS"
+      isActive: true
+    }
+  ) {
+    ipAllowListEntry {
+      ip_allow_list_entry_id: id
+      ip_allow_list_entry_name: name
+      ip_allow_list_entry_ip_address: allowListValue
+      ip_allow_list_entry_created: createdAt
+      ip_allow_list_entry_updated: updatedAt
+      is_ip_allow_list_entry_active: isActive
+    }
+  }
+}

…saml-identities-enterprise-level.graphql …eries/enterprise-saml-identities.graphqlgraphql/queries/saml-identities-enterprise-level.graphql renamed to graphql/queries/enterprise-saml-identities.graphql graphql/queries/saml-identities-enterprise-level.graphql renamed to graphql/queries/enterprise-saml-identities.graphql

@@ -0,0 +1,17 @@
+# This query is used to disable the IP allow list feature. This will apply to GitHub Apps only.
+# This can be used on both organizations and enterprise accounts.
+#
+# The `OWNER_ID` is the ID of the organization or enterprise account. You can
+# get the ID of an organization or enterprise account by executing either of
+# the following queries and referring to the value from `owner_id` field:
+#
+# - organizations: https://github.com/github/platform-samples/blob/master/graphql/queries/org-get-ip-allow-list.graphql
+# - enterprise accounts: https://github.com/github/platform-samples/blob/master/graphql/queries/enterprise-get-ip-allow-list.graphql
+
+mutation DisableIPAllowListForGitHubAppsOnly {
+  updateIpAllowListForInstalledAppsEnabledSetting(
+    input: { ownerId: "OWNER_ID", settingValue: DISABLED }
+  ) {
+    clientMutationId
+  }
+}

…dentities-all-orgs-in-enterprise.graphql …erprise-scim-identities-all-orgs.graphqlgraphql/queries/scim-identities-all-orgs-in-enterprise.graphql renamed to graphql/queries/enterprise-scim-identities-all-orgs.graphql graphql/queries/scim-identities-all-orgs-in-enterprise.graphql renamed to graphql/queries/enterprise-scim-identities-all-orgs.graphql

@@ -0,0 +1,17 @@
+# This query is used to disable the IP allow list feature. This will apply to IP addresses only.
+# This can be used on both organizations and enterprise accounts.
+#
+# The `OWNER_ID` is the ID of the organization or enterprise account. You can
+# get the ID of an organization or enterprise account by executing either of
+# the following queries and referring to the value from `owner_id` field:
+#
+# - organizations: https://github.com/github/platform-samples/blob/master/graphql/queries/org-get-ip-allow-list.graphql
+# - enterprise accounts: https://github.com/github/platform-samples/blob/master/graphql/queries/enterprise-get-ip-allow-list.graphql
+
+mutation DisableAllowListForIpsOnly {
+  updateIpAllowListEnabledSetting(
+    input: { ownerId: "OWNER_ID", settingValue: DISABLED }
+  ) {
+    clientMutationId
+  }
+}

graphql/queries/ip-allow-list-add-ip.graphql

@@ -0,0 +1,22 @@
+# This query is used to disable the IP allow list feature. This will apply to both IP addresses and GitHub Apps.
+# This can be used on both organizations and enterprise accounts.
+#
+# The `OWNER_ID` is the ID of the organization or enterprise account. You can
+# get the ID of an organization or enterprise account by executing either of
+# the following queries and referring to the value from `owner_id` field:
+#
+# - organizations: https://github.com/github/platform-samples/blob/master/graphql/queries/org-get-ip-allow-list.graphql
+# - enterprise accounts: https://github.com/github/platform-samples/blob/master/graphql/queries/enterprise-get-ip-allow-list.graphql
+
+mutation DisableIPAllowList {
+  updateIpAllowListEnabledSetting(
+    input: { ownerId: "OWNER_ID", settingValue: DISABLED }
+  ) {
+    clientMutationId
+  }
+  updateIpAllowListForInstalledAppsEnabledSetting(
+    input: { ownerId: "OWNER_ID", settingValue: DISABLED }
+  ) {
+    clientMutationId
+  }
+}

graphql/queries/ip-allow-list-disable-github-apps-only.graphql

@@ -0,0 +1,17 @@
+# This query is used to enable the IP allow list feature. This will apply to GitHub Apps only.
+# This can be used on both organizations and enterprise accounts.
+#
+# The `OWNER_ID` is the ID of the organization or enterprise account. You can
+# get the ID of an organization or enterprise account by executing either of
+# the following queries and referring to the value from `owner_id` field:
+#
+# - organizations: https://github.com/github/platform-samples/blob/master/graphql/queries/org-get-ip-allow-list.graphql
+# - enterprise accounts: https://github.com/github/platform-samples/blob/master/graphql/queries/enterprise-get-ip-allow-list.graphql
+
+mutation EnableIPAllowListForGitHubAppsOnly {
+  updateIpAllowListForInstalledAppsEnabledSetting(
+    input: { ownerId: "OWNER_ID", settingValue: ENABLED }
+  ) {
+    clientMutationId
+  }
+}