def delete(self):
"""
.. http:get: /google/
Delete keypair(s) for user
?all=true must be specified
True values are y, yes, t, true, on and 1; false values are n, no, f, false, off and 0
:statuscode 204 Success
:statuscode 403 Forbidden to delete access key
:statuscode 405 Method Not Allowed if ?all=true is not included
"""
user_id = current_token["sub"]
try:
all_arg = strtobool(flask.request.args.get("all", "false").lower())
except ValueError:
all_arg = False
if not all_arg:
flask.abort(
405,
"Please include ?all=true to confirm deletion of ALL Google Service account keys.",
)
with GoogleCloudManager() as g_cloud:
client_id = current_token.get("azp") or None
service_account = get_service_account(client_id, user_id)
if service_account:
keys_for_account = g_cloud.get_service_account_keys_info(
service_account.email)
# Only delete the key if is owned by current client's SA
all_client_keys = [
key["name"].split("/")[-1] for key in keys_for_account
]
for key in all_client_keys:
_delete_service_account_key(g_cloud, service_account.email,
key)
else:
flask.abort(
404, "Could not find service account for current user.")
return "", 204
def delete(self, access_key):
"""
.. http:get: /google/(string: access_key)
Delete a keypair for user
:param access_key: existing access key that belongs to this user
:statuscode 204 Success
:statuscode 403 Forbidden to delete access key
:statuscode 404 Access key doesn't exist
"""
user_id = current_token["sub"]
with GoogleCloudManager() as g_cloud:
client_id = current_token.get("azp") or None
service_account = get_service_account(client_id, user_id)
if service_account:
keys_for_account = g_cloud.get_service_account_keys_info(
service_account.google_unique_id)
# Only delete the key if is owned by current client's SA
all_client_keys = [
key["name"].split("/")[-1] for key in keys_for_account
]
if access_key in all_client_keys:
g_cloud.delete_service_account_key(
service_account.google_unique_id, access_key)
db_entry = (current_session.query(GoogleServiceAccountKey).
filter_by(key_id=access_key).first())
if db_entry:
current_session.delete(db_entry)
current_session.commit()
else:
flask.abort(
404,
"Could not delete key " + access_key +
". Not found for current user.",
)
else:
flask.abort(
404, "Could not find service account for current user.")
return "", 204
def delete(self, access_key):
"""
.. http:get: /google/(string: access_key)
Delete keypair(s) for user
:param access_key: existing access key that belongs to this user
:statuscode 204 Success
:statuscode 403 Forbidden to delete access key
:statuscode 404 Access key doesn't exist
"""
user_id = current_token["sub"]
username = current_token.get("context", {}).get("user", {}).get("name")
with GoogleCloudManager() as g_cloud:
client_id = current_token.get("azp") or None
service_account = get_service_account(client_id, user_id, username=username)
if service_account:
keys_for_account = g_cloud.get_service_account_keys_info(
service_account.email
)
# Only delete the key if is owned by current client's SA
all_client_keys = [
key["name"].split("/")[-1] for key in keys_for_account
]
if access_key in all_client_keys:
_delete_service_account_key(
g_cloud, service_account.email, access_key
)
else:
flask.abort(
404,
"Could not delete key "
+ access_key
+ ". Not found for current user.",
)
else:
flask.abort(404, "Could not find service account for current user.")
return "", 204
def get_user_info(current_session, username):
user = get_user(current_session, username)
if user.is_admin:
role = "admin"
else:
role = "user"
groups = udm.get_user_groups(current_session, username)["groups"]
info = {
"user_id": user.id, # TODO deprecated, use 'sub'
"sub": str(user.id),
# getattr b/c the identity_provider sqlalchemy relationship could not exists (be None)
"idp": getattr(user.identity_provider, "name", ""),
"username": user.username, # TODO deprecated, use 'name'
"name": user.username,
"display_name":
user.display_name, # TODO deprecated, use 'preferred_username'
"preferred_username": user.display_name,
"phone_number": user.phone_number,
"email": user.email,
"is_admin": user.is_admin,
"role": role,
"project_access": dict(user.project_access),
"certificates_uploaded": [],
"resources_granted": [],
"groups": groups,
"message": "",
}
if "fence_idp" in flask.session:
info["fence_idp"] = flask.session["fence_idp"]
if "shib_idp" in flask.session:
info["shib_idp"] = flask.session["shib_idp"]
# User SAs are stored in db with client_id = None
primary_service_account = get_service_account(client_id=None,
user_id=user.id) or {}
primary_service_account_email = getattr(primary_service_account, "email",
None)
info["primary_google_service_account"] = primary_service_account_email
if hasattr(flask.current_app, "arborist"):
try:
resources = flask.current_app.arborist.list_resources_for_user(
user.username)
auth_mapping = flask.current_app.arborist.auth_mapping(
user.username)
except ArboristError:
logger.error(
"request to arborist for user's resources failed; going to list empty"
)
resources = []
auth_mapping = {}
info["resources"] = resources
info["authz"] = auth_mapping
if user.tags is not None and len(user.tags) > 0:
info["tags"] = {tag.key: tag.value for tag in user.tags}
if user.application:
info["resources_granted"] = user.application.resources_granted
info["certificates_uploaded"] = [
c.name for c in user.application.certificates_uploaded
]
info["message"] = user.application.message
if flask.request.get_json(force=True, silent=True):
requested_userinfo_claims = (flask.request.get_json(force=True).get(
"claims", {}).get("userinfo", {}))
optional_info = _get_optional_userinfo(user, requested_userinfo_claims)
info.update(optional_info)
# Include ga4gh passport visas if access token has ga4gh_passport_v1 in scope claim
try:
encoded_access_token = flask.g.access_token or get_jwt_header()
except Unauthorized:
# This only happens if a session token was present (since login_required did not throw an error)
# but for some reason there was no access token in flask.g.access_token.
# (Perhaps it was manually deleted by the user.)
# In particular, a curl request made with no tokens shouldn't get here (bc of login_required).
# So the request is probably from a browser.
logger.warning(
"Session token present but no access token found. "
"Unable to check scopes in userinfo; some claims may not be included in response."
)
encoded_access_token = None
if encoded_access_token:
at_scopes = jwt.decode(encoded_access_token,
verify=False).get("scope", "")
if "ga4gh_passport_v1" in at_scopes:
info["ga4gh_passport_v1"] = []
return info
def get_user_info(current_session, username):
user = get_user(current_session, username)
if user.is_admin:
role = "admin"
else:
role = "user"
groups = udm.get_user_groups(current_session, username)["groups"]
info = {
"user_id": user.id, # TODO deprecated, use 'sub'
"sub": user.id,
"username": user.username, # TODO deprecated, use 'name'
"name": user.username,
"display_name": user.display_name, # TODO deprecated, use 'preferred_username'
"preferred_username": user.display_name,
"phone_number": user.phone_number,
"email": user.email,
"is_admin": user.is_admin,
"role": role,
"project_access": dict(user.project_access),
"certificates_uploaded": [],
"resources_granted": [],
"groups": groups,
"message": "",
}
# User SAs are stored in db with client_id = None
primary_service_account = get_service_account(client_id=None, user_id=user.id) or {}
primary_service_account_email = getattr(primary_service_account, "email", None)
info["primary_google_service_account"] = primary_service_account_email
if hasattr(flask.current_app, "arborist"):
try:
resources = flask.current_app.arborist.list_resources_for_user(
user.username
)
auth_mapping = flask.current_app.arborist.auth_mapping(user.username)
except ArboristError:
logger.error(
"request to arborist for user's resources failed; going to list empty"
)
resources = []
auth_mapping = {}
info["resources"] = resources
info["authz"] = auth_mapping
if user.tags is not None and len(user.tags) > 0:
info["tags"] = {tag.key: tag.value for tag in user.tags}
if user.application:
info["resources_granted"] = user.application.resources_granted
info["certificates_uploaded"] = [
c.name for c in user.application.certificates_uploaded
]
info["message"] = user.application.message
if flask.request.get_json(force=True, silent=True):
requested_userinfo_claims = (
flask.request.get_json(force=True).get("claims", {}).get("userinfo", {})
)
optional_info = _get_optional_userinfo(user, requested_userinfo_claims)
info.update(optional_info)
return info