def extend_service_account_access(service_account_email, db=None):
    """
    Push back the expiry of a Google service account's bucket access.

    For every Google Bucket Access Group returned for the service account, the
    matching ServiceAccountToGoogleBucketAccessGroup row gets its ``expires``
    set to the new timestamp. A row that does not exist yet is created, so
    this call can add access rows as well as extend existing ones.

    WARNING: This does NOT do any AuthZ. The caller must authorize the
    operation before calling this function.

    The new expiry is the current time plus
    GOOGLE_USER_SERVICE_ACCOUNT_ACCESS_EXPIRES_IN (604800 seconds, i.e. 7 days,
    when that setting is absent). A truthy value from
    get_valid_expiration_from_request() is applied only through ``min``, so it
    can shorten the configured lifetime but never lengthen it.

    If no service account matches the email, nothing is written and no error
    is raised.

    Args:
        service_account_email (str): service account email
        db (str): db connection string
    """
    session = get_db_session(db)
    account = (
        session.query(UserServiceAccount)
        .filter_by(email=service_account_email)
        .first()
    )
    if not account:
        # Unknown email: leave the database untouched.
        return

    groups = get_google_access_groups_for_service_account(account)

    # Upper bound on the new expiry: now + configured lifetime (default 7 days).
    configured_deadline = int(time.time()) + config.get(
        "GOOGLE_USER_SERVICE_ACCOUNT_ACCESS_EXPIRES_IN", 604800
    )
    new_expiry = configured_deadline

    # NOTE(review): presumably a validated number of seconds taken from the
    # current request - confirm against get_valid_expiration_from_request().
    requested_expires_in = get_valid_expiration_from_request()
    if requested_expires_in:
        # The requested value may only move the expiry earlier.
        new_expiry = min(
            configured_deadline, int(time.time()) + requested_expires_in
        )

    # Emitted before anything is persisted: it records the intended expiry,
    # not a committed one.
    logger.debug(
        "Service Account ({}) access extended to {}.".format(
            account.email, new_expiry
        )
    )

    for group in groups:
        link_key = {
            "service_account_id": account.id,
            "access_group_id": group.id,
        }
        link = (
            session.query(ServiceAccountToGoogleBucketAccessGroup)
            .filter_by(**link_key)
            .first()
        )
        if not link:
            # No row for this (service account, group) pair yet: create one.
            link = ServiceAccountToGoogleBucketAccessGroup(
                **link_key, expires=new_expiry
            )
            session.add(link)
        link.expires = new_expiry

    # One commit once every group has been processed.
    session.commit()
def extend_service_account_access(service_account_email, db=None):
    """
    Push back the expiry of a Google service account's bucket access.

    For every Google Bucket Access Group returned for the service account, the
    matching ServiceAccountToGoogleBucketAccessGroup row gets its ``expires``
    set to the new timestamp. A row that does not exist yet is created, so
    this call can add access rows as well as extend existing ones.

    WARNING: This does NOT do any AuthZ. The caller must authorize the
    operation before calling this function.

    The new expiry is the current time plus
    GOOGLE_USER_SERVICE_ACCOUNT_ACCESS_EXPIRES_IN read from
    ``flask.current_app.config`` (604800 seconds, i.e. 7 days, when that
    setting is absent), so a Flask application context must be active.

    If no service account matches the email, nothing is written and no error
    is raised.

    Args:
        service_account_email (str): service account email
        db (str): db connection string
    """
    session = get_db_session(db)
    account = (
        session.query(UserServiceAccount)
        .filter_by(email=service_account_email)
        .first()
    )
    if not account:
        # Unknown email: leave the database untouched.
        return

    groups = get_google_access_groups_for_service_account(account)

    # New expiry: now + configured lifetime (default 7 days).
    new_expiry = int(time.time()) + flask.current_app.config.get(
        "GOOGLE_USER_SERVICE_ACCOUNT_ACCESS_EXPIRES_IN", 604800
    )

    for group in groups:
        link_key = {
            "service_account_id": account.id,
            "access_group_id": group.id,
        }
        link = (
            session.query(ServiceAccountToGoogleBucketAccessGroup)
            .filter_by(**link_key)
            .first()
        )
        if not link:
            # No row for this (service account, group) pair yet: create one.
            link = ServiceAccountToGoogleBucketAccessGroup(
                **link_key, expires=new_expiry
            )
            session.add(link)
        link.expires = new_expiry

    # One commit once every group has been processed.
    session.commit()