Fix error; DASA suggestions (#1236)

* userKey and customer is an invalid combination; userkey and domain is allowed

* DASA suggestions

I would not use OAUTHFILE to distinguish between normal/DASA, it seems to me that this might lead to oauth2service.json getting deleted by accident.

By using enabledasa.txt you can flip between the two modes easily.

* Update __init__.py

Is this what you meant?
This commit is contained in:
Ross Scroggs
2020-09-11 08:33:06 -07:00
committed by GitHub
parent 487e1dc4c1
commit 908edff878
3 changed files with 20 additions and 9 deletions


@@ -534,6 +534,7 @@ def SetGlobalVariables():
fileAbsentValue=True) fileAbsentValue=True)
_getOldSignalFile(GC_NO_SHORT_URLS, 'noshorturls.txt') _getOldSignalFile(GC_NO_SHORT_URLS, 'noshorturls.txt')
_getOldSignalFile(GC_NO_UPDATE_CHECK, 'noupdatecheck.txt') _getOldSignalFile(GC_NO_UPDATE_CHECK, 'noupdatecheck.txt')
_getOldSignalFile(GC_ENABLE_DASA, 'enabledasa.txt')
# Assign directories first # Assign directories first
for itemName in GC_VAR_INFO: for itemName in GC_VAR_INFO:
if GC_VAR_INFO[itemName][GC_VAR_TYPE] == GC_TYPE_DIRECTORY: if GC_VAR_INFO[itemName][GC_VAR_TYPE] == GC_TYPE_DIRECTORY:
@@ -8773,7 +8774,6 @@ def doGetUserInfo(user_email=None):
'list', 'list',
'groups', 'groups',
userKey=user_email, userKey=user_email,
customer=GC_Values[GC_CUSTOMER_ID],
fields='groups(name,email),nextPageToken', fields='groups(name,email),nextPageToken',
throw_reasons=throw_reasons) throw_reasons=throw_reasons)
if groups: if groups:
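Review bot: Dropping `customer=` from the groups.list call in doGetUserInfo leaves no trace of why `userKey` is now passed alone, and a later maintainer could easily add it back; the constraint from the commit message belongs on the line above `userKey=user_email,`: `# groups.list rejects userKey combined with customer; userKey alone or with domain is accepted`. In the first hunk, `_getOldSignalFile(GC_ENABLE_DASA, 'enabledasa.txt')` presumably sets the flag from the presence of that file, and per the auth module section of this commit that flag selects the service-account key file over the OAuth2 token file for admin calls, so a one-line comment saying so next to the call would help anyone auditing the config directory. Both SetGlobalVariables and doGetUserInfo begin and end outside these hunks.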


@@ -2,28 +2,30 @@
import json import json
import os import os
import time
from google.auth.jwt import Credentials as JWTCredentials from google.auth.jwt import Credentials as JWTCredentials
from gam.auth import oauth from gam.auth import oauth
from gam.var import _FN_OAUTH2_TXT from gam.var import _FN_OAUTH2_TXT
from gam.var import _FN_OAUTH2SERVICE_JSON
from gam.var import GC_OAUTH2_TXT from gam.var import GC_OAUTH2_TXT
from gam.var import GC_OAUTH2SERVICE_JSON
from gam.var import GC_ENABLE_DASA
from gam.var import GC_Values from gam.var import GC_Values
# TODO: Move logic that determines file name into this module. We should be able # TODO: Move logic that determines file name into this module. We should be able
# to discover the file location without accessing a private member or waiting # to discover the file location without accessing a private member or waiting
# for a global initialization. # for a global initialization.
DEFAULT_OAUTH_STORAGE_FILE = _FN_OAUTH2_TXT
def get_admin_credentials_filename(): def get_admin_credentials_filename():
"""Gets the name of the file that stores the admin account credentials.""" """Gets the name of the file that stores the admin account credentials."""
# If the environment globals are loaded, use the set global value. It may have # If the environment globals are loaded, use the set global value. It may have
# some custom name in it. Otherwise, just use the default name. # some custom name in it. Otherwise, just use the default name.
if GC_Values[GC_OAUTH2_TXT]: if GC_Values[GC_ENABLE_DASA]:
return GC_Values[GC_OAUTH2_TXT] return GC_Values[GC_OAUTH2SERVICE_JSON] if GC_Values[GC_OAUTH2SERVICE_JSON] else _FN_OAUTH2SERVICE_JSON
return DEFAULT_OAUTH_STORAGE_FILE else:
return GC_Values[GC_OAUTH2_TXT] if GC_Values[GC_OAUTH2_TXT] else _FN_OAUTH2_TXT
def get_admin_credentials(api=None): def get_admin_credentials(api=None):
@@ -33,9 +35,12 @@ def get_admin_credentials(api=None):
raise oauth.InvalidCredentialsFileError raise oauth.InvalidCredentialsFileError
with open(credential_file, 'r') as f: with open(credential_file, 'r') as f:
creds_data = json.load(f) creds_data = json.load(f)
if 'token' in creds_data: # Validate that enable DASA matches content of authorization file
return oauth.Credentials.from_credentials_file(credential_file) if GC_Values[GC_ENABLE_DASA] and 'private_key' in creds_data:
elif 'private_key' in creds_data:
audience = f'https://{api}.googleapis.com/' audience = f'https://{api}.googleapis.com/'
return JWTCredentials.from_service_account_info(creds_data, return JWTCredentials.from_service_account_info(creds_data,
audience=audience) audience=audience)
elif not GC_Values[GC_ENABLE_DASA] and 'token' in creds_data:
return oauth.Credentials.from_credentials_file(credential_file)
else:
raise oauth.InvalidCredentialsFileError
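Review bot: On the new DASA branch the audience is built as `f'https://{api}.googleapis.com/'` from a parameter that defaults to `None`, so a caller that omits `api` mints a JWT for `https://None.googleapis.com/` instead of failing; guard it before the f-string with `if not api: raise ValueError('api is required when DASA is enabled')`. The final `raise oauth.InvalidCredentialsFileError` fires for exactly the mode mismatch the commit wants to catch (`enabledasa.txt` present but the file has no `private_key`, or DASA off but the file has no `token`) yet carries no message, so if the exception accepts one, include `credential_file` and the active mode, otherwise at least comment the branch with `# mode/file mismatch: DASA expects a service-account key, non-DASA an OAuth2 token`. `'private_key' in creds_data` accepts any JSON with that key; `creds_data.get('type') == 'service_account'` is the stricter test if you want one. `import time` is added but not used in the lines shown; drop it if nothing outside the hunk needs it. get_admin_credentials starts above this hunk.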


@@ -1134,6 +1134,8 @@ GC_DECODED_ID_TOKEN = 'decoded_id_token'
GC_DOMAIN = 'domain' GC_DOMAIN = 'domain'
# Google Drive download directory # Google Drive download directory
GC_DRIVE_DIR = 'drive_dir' GC_DRIVE_DIR = 'drive_dir'
# Enable Delegated Admin Service Accounts
GC_ENABLE_DASA = 'enabledasa'
# If no_browser is False, writeCSVfile won't open a browser when todrive is set # If no_browser is False, writeCSVfile won't open a browser when todrive is set
# and doRequestOAuth prints a link and waits for the verification code when # and doRequestOAuth prints a link and waits for the verification code when
# oauth2.txt is being created # oauth2.txt is being created
@@ -1187,6 +1189,7 @@ GC_Defaults = {
GC_DECODED_ID_TOKEN: '', GC_DECODED_ID_TOKEN: '',
GC_DOMAIN: '', GC_DOMAIN: '',
GC_DRIVE_DIR: '', GC_DRIVE_DIR: '',
GC_ENABLE_DASA: False,
GC_NO_BROWSER: False, GC_NO_BROWSER: False,
GC_NO_CACHE: False, GC_NO_CACHE: False,
GC_NO_SHORT_URLS: False, GC_NO_SHORT_URLS: False,
@@ -1263,6 +1266,9 @@ GC_VAR_INFO = {
GC_DRIVE_DIR: { GC_DRIVE_DIR: {
GC_VAR_TYPE: GC_TYPE_DIRECTORY GC_VAR_TYPE: GC_TYPE_DIRECTORY
}, },
GC_ENABLE_DASA: {
GC_VAR_TYPE: GC_TYPE_BOOLEAN
},
GC_NO_BROWSER: { GC_NO_BROWSER: {
GC_VAR_TYPE: GC_TYPE_BOOLEAN GC_VAR_TYPE: GC_TYPE_BOOLEAN
}, },
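Review bot: The comment `# Enable Delegated Admin Service Accounts` above GC_ENABLE_DASA does not say what the flag changes, and this flag decides which secret is used for admin API calls; I would extend it to `# Enable Delegated Admin Service Accounts: when True, admin credentials are read from the service account key file (oauth2service.json) instead of the OAuth2 token file (oauth2.txt); set via enabledasa.txt`. That wording follows the get_admin_credentials_filename change in this commit, so it stays accurate as long as that branch keeps selecting the file by this flag. The GC_Defaults and GC_VAR_INFO entries need nothing further.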