Use new sakey code during project create
46
src/gam.py
46
src/gam.py
@@ -54,7 +54,7 @@ import http.client as http_client
|
|||||||
from multiprocessing import Pool as mp_pool
|
from multiprocessing import Pool as mp_pool
|
||||||
from multiprocessing import freeze_support as mp_freeze_support
|
from multiprocessing import freeze_support as mp_freeze_support
|
||||||
from multiprocessing import set_start_method as mp_set_start_method
|
from multiprocessing import set_start_method as mp_set_start_method
|
||||||
from urllib.parse import urlencode, urlparse
|
from urllib.parse import quote, urlencode, urlparse
|
||||||
from passlib.hash import sha512_crypt
|
from passlib.hash import sha512_crypt
|
||||||
import dateutil.parser
|
import dateutil.parser
|
||||||
|
|
||||||
@@ -7496,11 +7496,11 @@ def _createClientSecretsOauth2service(httpObj, projectId):
|
|||||||
service_account = gapi.call(iam.projects().serviceAccounts(), 'create',
|
service_account = gapi.call(iam.projects().serviceAccounts(), 'create',
|
||||||
name='projects/%s' % projectId,
|
name='projects/%s' % projectId,
|
||||||
body={'accountId': projectId, 'serviceAccount': {'displayName': 'GAM Project'}})
|
body={'accountId': projectId, 'serviceAccount': {'displayName': 'GAM Project'}})
|
||||||
key = gapi.call(iam.projects().serviceAccounts().keys(), 'create',
|
GM_Globals[GM_OAUTH2SERVICE_ACCOUNT_CLIENT_ID] = service_account['uniqueId']
|
||||||
name=service_account['name'], body={'privateKeyType': 'TYPE_GOOGLE_CREDENTIALS_FILE', 'keyAlgorithm': 'KEY_ALG_RSA_2048'})
|
doCreateOrRotateServiceAccountKeys(iam, project_id=service_account['projectId'],
|
||||||
|
client_email=service_account['email'],
|
||||||
|
client_id=service_account['uniqueId'])
|
||||||
_grantSARotateRights(iam, service_account['name'].rsplit('/', 1)[-1])
|
_grantSARotateRights(iam, service_account['name'].rsplit('/', 1)[-1])
|
||||||
oauth2service_data = base64.b64decode(key['privateKeyData']).decode(UTF8)
|
|
||||||
fileutils.write_file(GC_Values[GC_OAUTH2SERVICE_JSON], oauth2service_data, continue_on_error=False)
|
|
||||||
console_credentials_url = 'https://console.developers.google.com/apis/credentials/consent/edit?createClient&newAppInternalUser=true&project=%s' % projectId
|
console_credentials_url = 'https://console.developers.google.com/apis/credentials/consent/edit?createClient&newAppInternalUser=true&project=%s' % projectId
|
||||||
while True:
|
while True:
|
||||||
print('''Please go to:
|
print('''Please go to:
|
||||||
@@ -7823,7 +7823,7 @@ def _generatePrivateKeyAndPublicCert(client_id, key_size):
|
|||||||
x509.ExtendedKeyUsage([x509.oid.ExtendedKeyUsageOID.SERVER_AUTH]),
|
x509.ExtendedKeyUsage([x509.oid.ExtendedKeyUsageOID.SERVER_AUTH]),
|
||||||
critical=True)
|
critical=True)
|
||||||
certificate = builder.sign(private_key=private_key,
|
certificate = builder.sign(private_key=private_key,
|
||||||
algorithm=hashes.SHA1(), backend=default_backend())
|
algorithm=hashes.SHA256(), backend=default_backend())
|
||||||
public_cert_pem = certificate.public_bytes(serialization.Encoding.PEM).decode()
|
public_cert_pem = certificate.public_bytes(serialization.Encoding.PEM).decode()
|
||||||
publicKeyData = base64.b64encode(public_cert_pem.encode())
|
publicKeyData = base64.b64encode(public_cert_pem.encode())
|
||||||
if isinstance(publicKeyData, bytes):
|
if isinstance(publicKeyData, bytes):
|
||||||
@@ -7831,11 +7831,19 @@ def _generatePrivateKeyAndPublicCert(client_id, key_size):
|
|||||||
print(' Done generating private key and public certificate.')
|
print(' Done generating private key and public certificate.')
|
||||||
return private_pem, publicKeyData
|
return private_pem, publicKeyData
|
||||||
|
|
||||||
def _formatOAuth2ServiceData(private_key, private_key_id):
|
def _formatOAuth2ServiceData(project_id, client_email, client_id, private_key, private_key_id):
|
||||||
_getSvcAcctData() # make sure GM_OAUTH2SERVICE_JSON_DATA is set
|
key_json = {
|
||||||
key_json = GM_Globals[GM_OAUTH2SERVICE_JSON_DATA]
|
'auth_provider_x509_cert_url': 'https://www.googleapis.com/oauth2/v1/certs',
|
||||||
key_json['private_key'] = private_key
|
'auth_uri': 'https://accounts.google.com/o/oauth2/auth',
|
||||||
key_json['private_key_id'] = private_key_id
|
'client_email': client_email,
|
||||||
|
'client_id': client_id,
|
||||||
|
'client_x509_cert_url': 'https://www.googleapis.com/robot/v1/metadata/x509/%s' % quote(client_email),
|
||||||
|
'private_key': private_key,
|
||||||
|
'private_key_id': private_key_id,
|
||||||
|
'project_id': project_id,
|
||||||
|
'token_uri': 'https://oauth2.googleapis.com/token',
|
||||||
|
'type': 'service_account',
|
||||||
|
}
|
||||||
return json.dumps(key_json, indent=2, sort_keys=True)
|
return json.dumps(key_json, indent=2, sort_keys=True)
|
||||||
|
|
||||||
def doShowServiceAccountKeys():
|
def doShowServiceAccountKeys():
|
||||||
@@ -7870,12 +7878,15 @@ def doShowServiceAccountKeys():
|
|||||||
key['current'] = key['name'] == currentPrivateKeyId
|
key['current'] = key['name'] == currentPrivateKeyId
|
||||||
print_json(None, keys)
|
print_json(None, keys)
|
||||||
|
|
||||||
def doRotateServiceAccountKeys():
|
def doCreateOrRotateServiceAccountKeys(iam=None, project_id=None, client_email=None, client_id=None):
|
||||||
iam = buildGAPIServiceObject('iam', None)
|
|
||||||
local_key_size = 2048
|
local_key_size = 2048
|
||||||
body = {}
|
body = {}
|
||||||
|
if iam:
|
||||||
|
mode = 'retainexisting'
|
||||||
|
else:
|
||||||
mode = 'retainnone'
|
mode = 'retainnone'
|
||||||
i = 3
|
i = 3
|
||||||
|
iam = buildGAPIServiceObject('iam', None)
|
||||||
while i < len(sys.argv):
|
while i < len(sys.argv):
|
||||||
myarg = sys.argv[i].lower().replace('_', '')
|
myarg = sys.argv[i].lower().replace('_', '')
|
||||||
if myarg == 'algorithm':
|
if myarg == 'algorithm':
|
||||||
@@ -7895,8 +7906,11 @@ def doRotateServiceAccountKeys():
|
|||||||
i += 1
|
i += 1
|
||||||
else:
|
else:
|
||||||
controlflow.system_error_exit(3, '%s is not a valid argument to "gam rotate sakeys"' % myarg)
|
controlflow.system_error_exit(3, '%s is not a valid argument to "gam rotate sakeys"' % myarg)
|
||||||
clientId = GM_Globals[GM_OAUTH2SERVICE_ACCOUNT_CLIENT_ID]
|
|
||||||
currentPrivateKeyId = GM_Globals[GM_OAUTH2SERVICE_JSON_DATA]['private_key_id']
|
currentPrivateKeyId = GM_Globals[GM_OAUTH2SERVICE_JSON_DATA]['private_key_id']
|
||||||
|
project_id = GM_Globals[GM_OAUTH2SERVICE_JSON_DATA]['project_id']
|
||||||
|
client_email = GM_Globals[GM_OAUTH2SERVICE_JSON_DATA]['client_email']
|
||||||
|
client_id = GM_Globals[GM_OAUTH2SERVICE_JSON_DATA]['client_id']
|
||||||
|
clientId = GM_Globals[GM_OAUTH2SERVICE_ACCOUNT_CLIENT_ID]
|
||||||
name = 'projects/-/serviceAccounts/%s' % clientId
|
name = 'projects/-/serviceAccounts/%s' % clientId
|
||||||
if mode != 'retainexisting':
|
if mode != 'retainexisting':
|
||||||
keys = gapi.get_items(iam.projects().serviceAccounts().keys(), 'list', 'keys',
|
keys = gapi.get_items(iam.projects().serviceAccounts().keys(), 'list', 'keys',
|
||||||
@@ -7907,7 +7921,7 @@ def doRotateServiceAccountKeys():
|
|||||||
result = gapi.call(iam.projects().serviceAccounts().keys(), 'upload',
|
result = gapi.call(iam.projects().serviceAccounts().keys(), 'upload',
|
||||||
name=name, body={'publicKeyData': publicKeyData})
|
name=name, body={'publicKeyData': publicKeyData})
|
||||||
private_key_id = result['name'].rsplit('/', 1)[-1]
|
private_key_id = result['name'].rsplit('/', 1)[-1]
|
||||||
oauth2service_data = _formatOAuth2ServiceData(private_key, private_key_id)
|
oauth2service_data = _formatOAuth2ServiceData(project_id, client_email, client_id, private_key, private_key_id)
|
||||||
else:
|
else:
|
||||||
result = gapi.call(iam.projects().serviceAccounts().keys(), 'create', name=name, body=body)
|
result = gapi.call(iam.projects().serviceAccounts().keys(), 'create', name=name, body=body)
|
||||||
oauth2service_data = base64.b64decode(result['privateKeyData']).decode(UTF8)
|
oauth2service_data = base64.b64decode(result['privateKeyData']).decode(UTF8)
|
||||||
@@ -14390,7 +14404,7 @@ def ProcessGAMCommand(args):
|
|||||||
elif command == 'rotate':
|
elif command == 'rotate':
|
||||||
argument = sys.argv[2].lower()
|
argument = sys.argv[2].lower()
|
||||||
if argument in ['sakey', 'sakeys']:
|
if argument in ['sakey', 'sakeys']:
|
||||||
doRotateServiceAccountKeys()
|
doCreateOrRotateServiceAccountKeys()
|
||||||
else:
|
else:
|
||||||
controlflow.system_error_exit(2, '%s is not a valid argument for "gam rotate"' % argument)
|
controlflow.system_error_exit(2, '%s is not a valid argument for "gam rotate"' % argument)
|
||||||
sys.exit(0)
|
sys.exit(0)
|
||||||
|
|||||||
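Review bot: `doCreateOrRotateServiceAccountKeys` now serves two callers with different contracts — the CLI `gam rotate sakeys` path (no `iam`, options parsed from `sys.argv`, identity read from `GM_OAUTH2SERVICE_JSON_DATA`) and the internal call from `_createClientSecretsOauth2service`, which passes `iam`, `project_id`, `client_email` and `client_id` — yet the new signature carries no docstring saying that a supplied `iam` is what selects `retainexisting` mode or that the three identity parameters are only meaningful in that call. Add a docstring along the lines of `"""Create or rotate service-account keys. Called with iam/project_id/client_email/client_id from project setup (existing keys retained); called with no arguments from 'gam rotate sakeys', which parses sys.argv and takes the identity from the loaded oauth2service JSON."""`. This rendering hides indentation, so it is not visible whether `currentPrivateKeyId = GM_Globals[GM_OAUTH2SERVICE_JSON_DATA]['private_key_id']` sits inside the `else:` branch; if it does not, the create path dereferences the service-account JSON before any such file has been written, so that placement is worth confirming. The function body, including where the generated key data is written to disk now that `fileutils.write_file` was removed from `_createClientSecretsOauth2service`, continues outside the hunk.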