def force_update_google_link(DB, username, google_email):
    """
    Link ``google_email`` to ``username``'s Google proxy group without going
    through the Google auth flow, or refresh the expiration of a link that
    already exists.

    WARNING: Internal testing only. This circumvents the Google Auth flow, so
    nothing in here proves that the caller controls ``google_email``.

    WARNING: The user is expected to already have a proxy group. The user's
    ``google_proxy_group_id`` is passed on as-is.

    WARNING: No argument is verified; the link is added blindly. The caller
    must already have established that the proxy group belongs to the user
    and that the user authenticated as ``google_email``.

    Args:
        DB: passed to ``SQLAlchemyDriver`` to open the database session
        username (str): username to link with
        google_email (str): Google email to link to

    Raises:
        Unauthorized: no user with ``username`` was found

        The helpers called here may raise further exceptions (the earlier
        docstring listed NotFound); none is raised directly in this body.

    Returns:
        Expiration of the Google account's access: ``int(time.time())`` plus
        ``GOOGLE_ACCOUNT_ACCESS_EXPIRES_IN``
    """
    import fence.settings

    cirrus_config.update(**fence.settings.CIRRUS_CFG)

    driver = SQLAlchemyDriver(DB)
    with driver.session as session:
        account_owner = (
            session.query(User).filter(User.username == username).first()
        )
        if not account_owner:
            raise Unauthorized(
                "Could not determine authed user "
                "from session. Unable to link Google account."
            )
        owner_id = account_owner.id
        group_id = account_owner.google_proxy_group_id

        # NOTE(review): the lookup is by email only. Nothing here checks that
        # an existing row belongs to `username`, so ownership has to be
        # established by the caller before this function is used.
        linked_account = (
            session.query(UserGoogleAccount)
            .filter(UserGoogleAccount.email == google_email)
            .first()
        )
        if not linked_account:
            linked_account = add_new_user_google_account(
                owner_id, google_email, session
            )

        # The clock is read after the account row exists, as before.
        expiration = int(time.time()) + GOOGLE_ACCOUNT_ACCESS_EXPIRES_IN

        force_update_user_google_account_expiration(
            linked_account, group_id, google_email, expiration, session
        )
        session.commit()

        return expiration
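def force_update_google_link(DB, username, google_email, expires_in=None):
    """
    Link ``google_email`` to ``username``'s Google proxy group without going
    through the Google auth flow, or refresh the expiration of a link that
    already exists.

    WARNING: Internal testing only. This circumvents the Google Auth flow, so
    nothing in here proves that the caller controls ``google_email``.

    WARNING: The user is expected to already have a proxy group. The user's
    ``google_proxy_group_id`` is passed on as-is.

    WARNING: No argument is verified; the link is added blindly. The caller
    must already have established that the proxy group belongs to the user
    and that the user authenticated as ``google_email``.

    Args:
        DB: passed to ``SQLAlchemyDriver`` to open the database session
        username (str): username to link with
        google_email (str): Google email to link to
        expires_in (int, optional): requested lifetime in seconds. It can
            only shorten the access: the result is the smaller of the
            requested and the configured expiration. A falsy value (None, 0)
            selects the configured lifetime.

    Raises:
        Unauthorized: no user with ``username`` was found

        The helpers called here may raise further exceptions (the earlier
        docstring listed NotFound); none is raised directly in this body.

    Returns:
        Unix timestamp (seconds) at which the Google account's access expires
    """
    cirrus_config.update(**config["CIRRUS_CFG"])

    db = SQLAlchemyDriver(DB)
    with db.session as session:
        user_account = query_for_user(session=session, username=username)
        if not user_account:
            raise Unauthorized(
                "Could not determine authed user "
                "from session. Unable to link Google account."
            )
        user_id = user_account.id
        proxy_group_id = user_account.google_proxy_group_id

        # NOTE(review): the lookup is by email only. Nothing here checks that
        # an existing row belongs to `username`, so ownership has to be
        # established by the caller before this function is used.
        user_google_account = (
            session.query(UserGoogleAccount)
            .filter(UserGoogleAccount.email == google_email)
            .first()
        )
        if not user_google_account:
            user_google_account = add_new_user_google_account(
                user_id, google_email, session
            )

        # Read the clock once so the configured and the requested expiration
        # are measured from the same instant.
        now = int(time.time())

        # Timestamp at which the linked Google account's access expires.
        # By default: the configured lifetime, or 7 days (604800 s).
        # NOTE(review): the key name refers to user service accounts, while
        # this function links a Google account; confirm it is the intended
        # setting.
        expiration = now + config.get(
            "GOOGLE_USER_SERVICE_ACCOUNT_ACCESS_EXPIRES_IN", 604800
        )

        # NOTE(review): a falsy expires_in such as 0 skips validation and
        # silently gets the configured lifetime.
        if expires_in:
            # Return value is ignored; presumably this raises on invalid
            # input. Confirm against the helper.
            is_valid_expiration(expires_in)
            # A request may shorten the access, never extend it.
            expiration = min(expiration, now + expires_in)

        force_update_user_google_account_expiration(
            user_google_account, proxy_group_id, google_email, expiration, session
        )
        session.commit()

        return expiration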