create signjwtserviceaccount

Jay Lee
2023-02-17 19:39:02 +00:00
parent 50aadc6ea7
commit ac79cff6b9
2 changed files with 39 additions and 9 deletions


@@ -7853,6 +7853,29 @@ def doShowServiceAccountKeys():
display.print_json(keys) display.print_json(keys)
def create_signjwt_serviceaccount():
_checkForExistingProjectFiles()
sa_info = {
'type': 'service_account',
'key_type': 'signjwt',
'token_uri': 'https://oauth2.googleapis.com/token'
}
try:
creds, sa_info['project_id'] = google.auth.default()
except google.auth.exceptions.DefaultCredentialsError as e:
controlflow.system_error_exit(2, e)
request = transport.create_request()
creds.refresh(request)
sa_info['client_email'] = creds.service_account_email
oa2 = buildGAPIObjectNoAuthentication('oauth2')
token_info = gapi.call(oa2, 'tokeninfo', access_token=creds.token)
sa_info['client_id'] = token_info['issued_to']
sa_output = json.dumps(sa_info, indent=4, sort_keys=True)
fileutils.write_file(GC_Values[GC_OAUTH2SERVICE_JSON],
sa_output,
continue_on_error=False)
def doCreateOrRotateServiceAccountKeys(iam=None, def doCreateOrRotateServiceAccountKeys(iam=None,
project_id=None, project_id=None,
client_email=None, client_email=None,
@@ -11573,6 +11596,8 @@ def ProcessGAMCommand(args):
gapi_chat.create_message() gapi_chat.create_message()
elif argument in ['caalevel']: elif argument in ['caalevel']:
gapi_caa.create_access_level() gapi_caa.create_access_level()
elif argument in ['signjwtserviceaccount']:
create_signjwt_serviceaccount()
else: else:
controlflow.invalid_argument_exit(argument, 'gam create') controlflow.invalid_argument_exit(argument, 'gam create')
sys.exit(0) sys.exit(0)
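Review bot: `create_signjwt_serviceaccount` guards only the `google.auth.default()` call with `except google.auth.exceptions.DefaultCredentialsError`, but the lines that follow assume the resolved credentials are a service account — `creds.service_account_email` and `token_info['issued_to']` — so Application Default Credentials that resolve to user credentials would, as far as I can tell, fail with AttributeError or KeyError past the guard instead of a clean exit. A check before the refresh, `if not hasattr(creds, 'service_account_email'): controlflow.system_error_exit(2, 'Application Default Credentials must be a service account')`, keeps that failure mode explicit. `google.auth.default()` can also return `None` as the project, which this code would write into the file as `null` without complaint; validating `sa_info['project_id']` before `fileutils.write_file` is cheap. The function has no docstring; something like `'''Write a signjwt-type service account file derived from Application Default Credentials; the file holds no private key.'''` would document the contract.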


@@ -2,10 +2,12 @@
import datetime import datetime
import json import json
from google.auth import _helpers, default import google.auth
from google.auth._helpers import datetime_to_secs, scopes_to_string, utcnow
import google.oauth2.service_account import google.oauth2.service_account
from googleapiclient.discovery import build from googleapiclient.discovery import build
from gam import controlflow
from gam import gapi from gam import gapi
_DEFAULT_TOKEN_LIFETIME_SECS = 3600 # 1 hour in seconds _DEFAULT_TOKEN_LIFETIME_SECS = 3600 # 1 hour in seconds
@@ -15,14 +17,14 @@ _GOOGLE_OAUTH2_TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
class JWTCredentials(google.auth.jwt.Credentials): class JWTCredentials(google.auth.jwt.Credentials):
''' Class used for DASA ''' ''' Class used for DASA '''
def _make_jwt(self): def _make_jwt(self):
now = _helpers.utcnow() now = utcnow()
lifetime = datetime.timedelta(seconds=self._token_lifetime) lifetime = datetime.timedelta(seconds=self._token_lifetime)
expiry = now + lifetime expiry = now + lifetime
payload = { payload = {
"iss": self._issuer, "iss": self._issuer,
"sub": self._subject, "sub": self._subject,
"iat": _helpers.datetime_to_secs(now), "iat": datetime_to_secs(now),
"exp": _helpers.datetime_to_secs(expiry), "exp": datetime_to_secs(expiry),
} }
if self._audience: if self._audience:
payload["aud"] = self._audience payload["aud"] = self._audience
@@ -35,15 +37,15 @@ class Credentials(google.oauth2.service_account.Credentials):
''' Class used for DwD ''' ''' Class used for DwD '''
def _make_authorization_grant_assertion(self): def _make_authorization_grant_assertion(self):
now = _helpers.utcnow() now = utcnow()
lifetime = datetime.timedelta(seconds=_DEFAULT_TOKEN_LIFETIME_SECS) lifetime = datetime.timedelta(seconds=_DEFAULT_TOKEN_LIFETIME_SECS)
expiry = now + lifetime expiry = now + lifetime
payload = { payload = {
"iat": _helpers.datetime_to_secs(now), "iat": datetime_to_secs(now),
"exp": _helpers.datetime_to_secs(expiry), "exp": datetime_to_secs(expiry),
"iss": self._service_account_email, "iss": self._service_account_email,
"aud": _GOOGLE_OAUTH2_TOKEN_ENDPOINT, "aud": _GOOGLE_OAUTH2_TOKEN_ENDPOINT,
"scope": _helpers.scopes_to_string(self._scopes or ()), "scope": scopes_to_string(self._scopes or ()),
} }
payload.update(self._additional_claims) payload.update(self._additional_claims)
@@ -69,7 +71,10 @@ class SignJwt(google.auth.crypt.Signer):
def sign(self, message): def sign(self, message):
''' Call IAM Credentials SignJWT API to get our signed JWT ''' ''' Call IAM Credentials SignJWT API to get our signed JWT '''
credentials, _ = default() try:
credentials, _ = google.auth.default()
except google.auth.exceptions.DefaultCredentialsError as e:
controlflow.system_error_exit(2, e)
iamc = build('iamcredentials', 'v1', credentials=credentials) iamc = build('iamcredentials', 'v1', credentials=credentials)
response = gapi.call(iamc.projects().serviceAccounts(), response = gapi.call(iamc.projects().serviceAccounts(),
'signJwt', 'signJwt',