    def delete(self, id_):
        """
        Delete a service account

        Only proceeds when the caller (the ``sub`` of ``current_token``) is a
        member of the Google project the service account is registered to;
        otherwise a 403 response is returned and nothing is deleted.

        Args:
            id_ (str): Google service account email to delete

        Returns:
            Whatever ``self._delete`` returns when the caller is authorized,
            else a ``(message, 403)`` tuple

        Raises:
            NotFound: if no registered service account matches ``id_``
        """
        requester = current_token["sub"]

        email = get_service_account_email(id_)
        registered = get_registered_service_account_from_email(email)
        if not registered:
            raise NotFound(
                "Could not find a registered service account from given email {}"
                .format(email))

        project_id = registered.google_project_id

        # authorization: the requester must belong to the owning Google project
        with GoogleCloudManager(project_id) as gcm:
            is_member = is_user_member_of_google_project(requester, gcm)

        if is_member:
            return self._delete(id_)

        message = (
            'User "{}" does not have permission to delete the provided '
            'service account "{}".'.format(requester, id_)
        )
        return message, 403
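def _get_service_account_for_patch(id_):
    """
    Build the registration object used to PATCH a registered service account.

    Reads the JSON request body; ``project_access`` is the only field that
    may be patched. Omitting it keeps the account's current access, while an
    explicit empty list removes all access.

    Args:
        id_ (str): Google service account identifier

    Returns:
        GoogleServiceAccountRegistration on success, or a ``(dict, 400)``
        response tuple when the body is not a JSON object, ``project_access``
        is not a list, or it has more entries than
        ``config["SERVICE_ACCOUNT_LIMIT"]``

    Raises:
        NotFound: if no registered service account matches ``id_``
        Forbidden: if the body contains any field other than ``project_access``
    """
    user_id = current_token["sub"]

    service_account_email = get_service_account_email(id_)
    registered_service_account = get_registered_service_account_from_email(
        service_account_email)
    if not registered_service_account:
        raise NotFound(
            "Could not find a registered service account from given email {}".
            format(service_account_email))

    payload = flask.request.get_json(silent=True) or {}

    # The body is client-controlled: a JSON array or scalar has no dict-style
    # `.pop`, so without this check a malformed request becomes an unhandled 500.
    if not isinstance(payload, dict):
        response = {
            "success": False,
            "errors": {
                "invalid_request": {
                    "status": 400,
                    "error": "invalid_request",
                    "error_description": "Request body must be a JSON object.",
                }
            },
        }
        return response, 400

    # check if the user requested to update more than project_access
    project_access = payload.pop("project_access", None)

    # if they're trying to patch more fields, error out, we only support the above
    if payload:
        raise Forbidden("Cannot update provided fields: {}".format(payload))

    # if the field is not provided at all, use service accounts current access
    # NOTE: the user can provide project_access=[] to remove all datasets so checking
    #       `if not project_access` here will NOT work
    #
    #       In other words, to extend access you don't provide the field. To remove all
    #       access you provide it as an empty list
    if project_access is None:
        project_access = [
            access_privilege.project.auth_id
            for access_privilege in registered_service_account.access_privileges
        ]
    elif not isinstance(project_access, list):
        # `len()` below also accepts strings/dicts, which would let a bare
        # string or object slip through as "access"; only a list is valid.
        response = {
            "success": False,
            "errors": {
                "invalid_request": {
                    "status": 400,
                    "error": "invalid_request",
                    "error_description": "project_access must be a list of project auth_ids.",
                }
            },
        }
        return response, 400

    limit = config["SERVICE_ACCOUNT_LIMIT"]
    if len(project_access) > limit:
        response = {
            "success": False,
            "errors": {
                "service_account_limit": {
                    "status": 400,
                    "error": "project_limit",
                    "error_description":
                    "Exceeded Allowable Number of Projects. Maximum {} Projects allowed per account."
                    .format(limit),
                }
            },
        }
        return response, 400

    google_project_id = registered_service_account.google_project_id

    return GoogleServiceAccountRegistration(service_account_email,
                                            project_access,
                                            google_project_id,
                                            user_id=user_id)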
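    def _delete(self, id_):
        """
        Delete the given service account from our db and Google if it
        exists.

        WARNING: NO AUTHORIZATION CHECK DONE HERE. This will blindly delete
                 given service account. Callers must authorize first
                 (see ``delete``).

        Args:
            id_ (str): Google service account identifier, resolved to an
                email via ``get_service_account_email``

        Returns:
            tuple: ``(message, status)`` — 200 on success, 404 if Google
            reports the account missing (``CirrusNotFound``), 400 on a
            ``GoogleAPIError``, 500 on any other failure

        Raises:
            NotFound: if no registered service account matches ``id_``
        """
        import logging

        service_account_email = get_service_account_email(id_)
        registered_service_account = get_registered_service_account_from_email(
            service_account_email)
        # Without this guard a stale/unknown id fails on the attribute access
        # below with AttributeError and surfaces as an unexplained 500.
        if not registered_service_account:
            raise NotFound(
                "Could not find a registered service account from given email {}"
                .format(service_account_email))

        google_project_id = registered_service_account.google_project_id

        try:
            # Access is revoked before the Google-side account is removed
            # (order preserved from the original implementation).
            force_remove_service_account_from_access(service_account_email,
                                                     google_project_id)
            force_delete_service_account(service_account_email)
        except CirrusNotFound as exc:
            return (
                "Can not remove the service accout {}. Detail {}".format(
                    id_, exc),
                404,
            )
        except GoogleAPIError as exc:
            return (
                "Can not remove the service accout {}. Detail {}".format(
                    id_, exc),
                400,
            )
        except Exception:
            # Best-effort catch-all so the caller still gets a response, but
            # the cause must not vanish: record the traceback before the 500.
            logging.getLogger(__name__).exception(
                "Unexpected error deleting service account %s", id_)
            return (" Can not delete the service account {}".format(id_), 500)

        return "Successfully delete service account  {}".format(id_), 200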
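def _get_service_account_for_patch(id_):
    """
    Build the registration object used to PATCH a registered service account.

    Reads the JSON request body; ``project_access`` is the only field that
    may be patched. Omitting it keeps the account's current access, while an
    explicit empty list removes all access.

    Args:
        id_ (str): Google service account identifier

    Returns:
        GoogleServiceAccountRegistration on success, or a ``(dict, 400)``
        response tuple when the body is not a JSON object or
        ``project_access`` is not a list

    Raises:
        NotFound: if no registered service account matches ``id_``
        Forbidden: if the body contains any field other than ``project_access``
    """
    user_id = current_token["sub"]

    service_account_email = get_service_account_email(id_)
    registered_service_account = get_registered_service_account_from_email(
        service_account_email)
    if not registered_service_account:
        raise NotFound(
            "Could not find a registered service account from given email {}".
            format(service_account_email))

    payload = flask.request.get_json(silent=True) or {}

    # The body is client-controlled: a JSON array or scalar has no dict-style
    # `.pop`, so without this check a malformed request becomes an unhandled 500.
    if not isinstance(payload, dict):
        response = {
            "success": False,
            "errors": {
                "invalid_request": {
                    "status": 400,
                    "error": "invalid_request",
                    "error_description": "Request body must be a JSON object.",
                }
            },
        }
        return response, 400

    # check if the user requested to update more than project_access
    project_access = payload.pop("project_access", None)

    # if they're trying to patch more fields, error out, we only support the above
    if payload:
        raise Forbidden("Cannot update provided fields: {}".format(payload))

    # if the field is not provided at all, use service accounts current access
    # NOTE: the user can provide project_access=[] to remove all datasets so checking
    #       `if not project_access` here will NOT work
    #
    #       In other words, to extend access you don't provide the field. To remove all
    #       access you provide it as an empty list
    if project_access is None:
        project_access = [
            access_privilege.project.auth_id
            for access_privilege in registered_service_account.access_privileges
        ]
    elif not isinstance(project_access, list):
        # Only a list of project auth_ids is meaningful downstream; reject
        # anything else rather than passing an arbitrary value through.
        response = {
            "success": False,
            "errors": {
                "invalid_request": {
                    "status": 400,
                    "error": "invalid_request",
                    "error_description": "project_access must be a list of project auth_ids.",
                }
            },
        }
        return response, 400

    google_project_id = registered_service_account.google_project_id

    return GoogleServiceAccountRegistration(service_account_email,
                                            project_access,
                                            google_project_id,
                                            user_id=user_id)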