add email scope to SA, check serviceaccount verifies proper DwD and scopes for token

This commit is contained in:
Jay Lee
2019-08-27 10:18:36 -04:00
parent 021c3bfb13
commit caef16bdee
2 changed files with 22 additions and 8 deletions


@@ -1491,16 +1491,29 @@ def doCheckServiceAccount(users):
all_scopes.sort()
for user in users:
all_scopes_pass = True
oa2 = googleapiclient.discovery.build('oauth2', 'v1', _createHttpObj())
print('User: %s' % (user))
for scope in all_scopes:
try:
credentials = getSvcAcctCredentials([scope], user)
request = google_auth_httplib2.Request(_createHttpObj())
credentials.refresh(request)
result = 'PASS'
except (httplib2.ServerNotFoundError, RuntimeError) as e:
systemErrorExit(4, e)
except google.auth.exceptions.RefreshError:
# try with and without email scope
for scopes in [[scope, 'https://www.googleapis.com/auth/userinfo.email'], [scope]]:
try:
credentials = getSvcAcctCredentials(scopes, user)
request = google_auth_httplib2.Request(_createHttpObj())
credentials.refresh(request)
break
except (httplib2.ServerNotFoundError, RuntimeError) as e:
systemErrorExit(4, e)
except google.auth.exceptions.RefreshError:
continue
if credentials.token:
token_info = callGAPI(oa2, 'tokeninfo', access_token=credentials.token)
has_scopes = token_info.get('scope', '').split(' ')
if scope in has_scopes and ('email' not in token_info or user.lower() == token_info.get('email')):
result = 'PASS'
else:
result = 'FAIL'
all_scopes_pass = False
else:
result = 'FAIL'
all_scopes_pass = False
print(' Scope: {0:60} {1}'.format(scope, result))
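Review bot: The subject check on the `if scope in has_scopes and ('email' not in token_info or user.lower() == token_info.get('email'))` line is skipped whenever the token carries no `email` claim, and that is presumably exactly the fallback path taken on the `for scopes in [[scope, 'https://www.googleapis.com/auth/userinfo.email'], [scope]]` line, where the `userinfo.email` scope is dropped after the first refresh fails — so a service account whose domain-wide delegation does not include the email scope still prints PASS without the delegated user ever being verified. The DwD verification this commit introduces therefore degrades silently instead of being reported; I would print that case distinctly so the operator knows the subject was not checked, and compare the claim case-insensitively, since `user.lower()` is currently compared against the raw `email` value. The sketch below leaves `all_scopes_pass` True in the unverified case so whatever follows the hunk is unaffected, but it makes the gap visible in the printed result. `doCheckServiceAccount` starts before this hunk and the code that consumes `all_scopes_pass` lies after it.
```python
if credentials.token:
    token_info = callGAPI(oa2, 'tokeninfo', access_token=credentials.token)
    has_scopes = token_info.get('scope', '').split(' ')
    token_email = token_info.get('email', '').lower()
    if scope not in has_scopes:
        result = 'FAIL (token lacks scope)'
        all_scopes_pass = False
    elif not token_email:
        # email scope was not granted, so the delegated subject could not be checked
        result = 'PASS (user not verified)'
    elif token_email != user.lower():
        result = 'FAIL (token issued for %s)' % token_email
        all_scopes_pass = False
    else:
        result = 'PASS'
# … unchanged: no-token branch and the result print …
```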


@@ -161,6 +161,7 @@ API_SCOPE_MAPPING = {
'calendar': ['https://www.googleapis.com/auth/calendar',],
'drive': ['https://www.googleapis.com/auth/drive',],
'drive3': ['https://www.googleapis.com/auth/drive',],
'email': ['https://www.googleapis.com/auth/userinfo.email'],
'gmail': ['https://mail.google.com/',
'https://www.googleapis.com/auth/gmail.settings.basic',
'https://www.googleapis.com/auth/gmail.settings.sharing',],