Update deprecated scopes checking
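--- a/FILE_1_PATH_NOT_SHOWN
+++ b/FILE_1_PATH_NOT_SHOWN
@@ -12233,7 +12233,7 @@ def checkServiceAccount(users):
 
 def authorizeScopes(message):
 long_url = ('https://admin.google.com/ac/owl/domainwidedelegation'
-f'?clientScopeToAdd={",".join(sorted(checkScopesSet-API.FORCE_OFF_SA_SCOPES))}'
+f'?clientScopeToAdd={",".join(sorted(checkScopes))}'
 f'&clientIdToAdd={service_account}&overwriteClientId=true')
 if GC.Values[GC.DOMAIN]:
 long_url += f'&dn={GC.Values[GC.DOMAIN]}'
@@ -12245,12 +12245,12 @@ def checkServiceAccount(users):
 allScopes = API.getSvcAcctScopes(GC.Values[GC.USER_SERVICE_ACCOUNT_ACCESS_ONLY], Act.Get() == Act.UPDATE)
 checkScopesSet = set()
 saScopes = {}
-addForceOffScopes = True
+checkDeprecatedScopes = True
 useColor = False
 while Cmd.ArgumentsRemaining():
 myarg = getArgument()
 if myarg in {'scope', 'scopes'}:
-addForceOffScopes = False
+checkDeprecatedScopes = False
 for scope in getString(Cmd.OB_API_SCOPE_URL_LIST).lower().replace(',', ' ').split():
 api = API.getSvcAcctScopeAPI(scope)
 if api is not None:
@@ -12267,14 +12267,12 @@ def checkServiceAccount(users):
 testPass = createGreenText('PASS')
 testFail = createRedText('FAIL')
 testWarn = createYellowText('WARN')
-testDisable = createRedText('DISABLE')
-testSkip = createGreenText('SKIP')
+testDeprecated = createRedText('DEPRECATED')
 else:
 testPass = 'PASS'
 testFail = 'FAIL'
 testWarn = 'WARN'
-testDisable = 'DISABLE'
-testSkip = 'SKIP'
+testDeprecated = 'DEPRECATED'
 if Act.Get() == Act.CHECK:
 if not checkScopesSet:
 for scope in iter(GM.Globals[GM.SVCACCT_SCOPES].values()):
@@ -12309,8 +12307,6 @@ def checkServiceAccount(users):
 json.dumps(GM.Globals[GM.OAUTH2SERVICE_JSON_DATA], ensure_ascii=False, sort_keys=True, indent=2),
 continueOnError=False)
 checkScopes = sorted(checkScopesSet)
-if addForceOffScopes:
-checkScopes.extend(sorted(API.FORCE_OFF_SA_SCOPES))
 jcount = len(checkScopes)
 printMessage(Msg.SYSTEM_TIME_STATUS)
 offsetSeconds, offsetFormatted = getLocalGoogleTimeOffset()
@@ -12399,23 +12395,45 @@ def checkServiceAccount(users):
 if credentials.token:
 token_info = callGAPI(oa2, 'tokeninfo', access_token=credentials.token)
 if scope in token_info.get('scope', '').split(' ') and user == token_info.get('email', user).lower():
-if scope not in API.FORCE_OFF_SA_SCOPES:
 scopeStatus = testPass
 else:
-scopeStatus = testDisable
-allScopesPass = False
-else:
-if scope not in API.FORCE_OFF_SA_SCOPES:
 scopeStatus = testFail
 allScopesPass = False
 else:
-scopeStatus = testSkip
-else:
-if scope not in API.FORCE_OFF_SA_SCOPES:
 scopeStatus = testFail
 allScopesPass = False
+printPassFail(scope, f'{scopeStatus}{currentCount(j, jcount)}')
+Ind.Decrement()
+if checkDeprecatedScopes:
+deprecatedScopes = sorted(API.DEPRECATED_SCOPES)
+jcount = len(deprecatedScopes)
+printKeyValueListWithCount([Msg.DEPRECATED_SCOPES, '',
+Ent.Singular(Ent.USER), user,
+Ent.Choose(Ent.SCOPE, jcount), jcount],
+i, count)
+Ind.Increment()
+j = 0
+for scope in deprecatedScopes:
+j += 1
+# try with and without email scope
+for scopes in [[scope, API.USERINFO_EMAIL_SCOPE], [scope]]:
+try:
+credentials = getSvcAcctCredentials(scopes, user)
+credentials.refresh(request)
+break
+except (httplib2.HttpLib2Error, google.auth.exceptions.TransportError, RuntimeError) as e:
+handleServerError(e)
+except google.auth.exceptions.RefreshError:
+continue
+if credentials.token:
+token_info = callGAPI(oa2, 'tokeninfo', access_token=credentials.token)
+if scope in token_info.get('scope', '').split(' ') and user == token_info.get('email', user).lower():
+scopeStatus = testDeprecated
+allScopesPass = False
 else:
-scopeStatus = testSkip
+scopeStatus = testPass
+else:
+scopeStatus = testPass
 printPassFail(scope, f'{scopeStatus}{currentCount(j, jcount)}')
 Ind.Decrement()
 service_account = GM.Globals[GM.OAUTH2SERVICE_JSON_DATA]['client_id']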
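Review bot: The deprecated-scope audit introduced at `if checkDeprecatedScopes:` is skipped whenever the caller passes explicit `scope`/`scopes` arguments, because the argument loop sets `checkDeprecatedScopes = False`; a targeted check therefore never reports a still-delegated cloud-identity, cloud-platform or iam scope even though Msg.DEPRECATED_SCOPES says GAM should never hold them, so consider running the audit unconditionally or documenting the exemption where the `scopes` argument is described. The probe sequence (getSvcAcctCredentials, refresh, tokeninfo) now appears twice inside checkServiceAccount, and the PASS result for a non-delegated scope depends on `credentials.token` being falsy after both refresh attempts raise RefreshError, which presumably holds only if getSvcAcctCredentials returns a fresh, unrefreshed object. A nested helper alongside `authorizeScopes` that returns the tokeninfo or `None`, using for/else to make the both-attempts-failed case explicit, removes the duplication and that dependence; it presumes `request` and `oa2` are checkServiceAccount locals, as their use in the hunk suggests. checkServiceAccount starts before these hunks and the main scope loop's own probe lies outside them, so the helper's use there is not shown.
```python
  def probeScopeTokenInfo(scope, user):
    # Return tokeninfo for a token refreshed with scope (tried with and without
    # the email scope), or None when no refresh succeeded.
    for scopes in [[scope, API.USERINFO_EMAIL_SCOPE], [scope]]:
      try:
        credentials = getSvcAcctCredentials(scopes, user)
        credentials.refresh(request)
        break
      except (httplib2.HttpLib2Error, google.auth.exceptions.TransportError, RuntimeError) as e:
        handleServerError(e)
      except google.auth.exceptions.RefreshError:
        continue
    else:
      return None
    if not credentials.token:
      return None
    return callGAPI(oa2, 'tokeninfo', access_token=credentials.token)

  # … unchanged: argument parsing, main scope loop, deprecated-scope header …
      for scope in deprecatedScopes:
        j += 1
        token_info = probeScopeTokenInfo(scope, user)
        if token_info is not None and scope in token_info.get('scope', '').split(' ') and user == token_info.get('email', user).lower():
          scopeStatus = testDeprecated
          allScopesPass = False
        else:
          scopeStatus = testPass
        printPassFail(scope, f'{scopeStatus}{currentCount(j, jcount)}')
```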
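--- a/FILE_2_PATH_NOT_SHOWN
+++ b/FILE_2_PATH_NOT_SHOWN
@@ -132,9 +132,10 @@ APIS_NEEDING_ACCESS_TOKEN = {
 CBCM: ['https://www.googleapis.com/auth/admin.directory.device.chromebrowsers']
 }
 #
-FORCE_OFF_SA_SCOPES = {
+DEPRECATED_SCOPES = {
 'https://www.googleapis.com/auth/cloud-identity',
 'https://www.googleapis.com/auth/cloud-platform',
+'https://www.googleapis.com/auth/iam',
 }
 #
 REFRESH_PERM_ERRORS = [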
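Review bot: DEPRECATED_SCOPES carries no comment stating the policy it encodes, and the `#` separator above it is empty; a line such as `# Broad GCP scopes GAM no longer requests; 'check serviceaccount' reports them as DEPRECATED while they remain delegated` would tell the next maintainer that adding a scope here is a deliberate audit change, not housekeeping. Renaming FORCE_OFF_SA_SCOPES removes the old name entirely, so any reference to `API.FORCE_OFF_SA_SCOPES` outside the checkServiceAccount hunks in this commit would fail at runtime with AttributeError rather than at import, which is worth confirming with a tree-wide search before merge. Adding `auth/iam` also changes behaviour for existing deployments: a delegation that still grants it will now make `check serviceaccount` print DEPRECATED and clear allScopesPass, which the commit title does not call out.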
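--- a/FILE_3_PATH_NOT_SHOWN
+++ b/FILE_3_PATH_NOT_SHOWN
@@ -140,6 +140,7 @@ SERVICE_ACCOUNT_PRIVATE_KEY_AGE = 'Service Account Private Key age: {0} days'
 SERVICE_ACCOUNT_SKIPPING_KEY_AGE_CHECK = 'Skipping Private Key age check: {0} rotation not necessary'
 UPDATE_PROJECT_TO_VIEW_MANAGE_SAKEYS = 'Please run "gam update project" to view/manage service account keys'
 DOMAIN_WIDE_DELEGATION_AUTHENTICATION = 'Domain-wide Delegation authentication'
+DEPRECATED_SCOPES = 'Deprecated scopes that GAM should NEVER have DwD access to'
 SCOPE_AUTHORIZATION_PASSED = '''All scopes PASSED!
 
 Service Account Client name: {0} is fully authorized.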