class AuthDBRevisionsHandler(auth.ApiHandler):
    """Returns one AuthDB snapshot: metadata plus, optionally, the deflated body.

    The snapshot is a deflated AuthDB proto message covering all groups, so
    the access predicate on get() is the only thing gating who can read it:
    admins, trusted services, or replicas.

    Args:
      rev: version of the snapshot to get ('latest' or concrete revision
          number). Not all versions may be available (i.e. there may be gaps
          in revision numbers).
      skip_body: if '1' will not return actual snapshot, just its SHA256 hash,
          revision number and timestamp.
    """

    @auth.require(lambda: (
        auth.is_admin() or
        acl.is_trusted_service() or
        replication.is_replica(auth.get_current_identity())))
    def get(self, rev):
        # Only the exact string '1' switches to metadata-only mode.
        metadata_only = self.request.get('skip_body') == '1'

        if rev != 'latest':
            try:
                rev = int(rev)
            except ValueError:
                # NOTE(review): presumably abort_with_error() raises and ends
                # the request here -- confirm; if it returned, the lookup
                # below would run with the unparsed string.
                self.abort_with_error(
                    400, text='Bad revision number, not an integer')
            snapshot = replication.get_auth_db_snapshot(rev, metadata_only)
        else:
            snapshot = replication.get_latest_auth_db_snapshot(metadata_only)

        if not snapshot:
            self.abort_with_error(404, text='No such snapshot: %s' % rev)

        payload = {
            'auth_db_rev': snapshot.key.integer_id(),
            'created_ts': utils.datetime_to_timestamp(snapshot.created_ts),
            'sha256': snapshot.auth_db_sha256,
        }
        if not metadata_only:
            deflated = snapshot.auth_db_deflated
            # Invariant check only: a snapshot fetched with its body is
            # expected to carry one. Note that assert is stripped under -O.
            assert deflated
            payload['deflated_body'] = base64.b64encode(deflated)

        self.send_response({'snapshot': payload})
def revoke_stale_authorization():
    """Removes pubsub.subscriber role from accounts that no longer have access."""
    # The topic's IAM policy is opened as a context manager; presumably the
    # edited policy is written back when the block exits -- confirm in pubsub.
    with pubsub.iam_policy(topic_name()) as p:
        for iam_ident in p.members('roles/pubsub.subscriber'):
            # Only members that map to an email are considered for removal.
            email = _iam_ident_to_email(iam_ident)
            if email:
                # NOTE(review): the text between 'user:' and the log message
                # is masked ('******') in this listing, so the access check
                # that decides whether this member is stale is not visible
                # here. Verify against the original file which predicate is
                # used before relying on this function.
                ident = auth.Identity.from_bytes('user:'******'Removing "%s" from subscribers list', iam_ident)
                # NOTE(review): going by the docstring, this removal applies
                # only to accounts that lost access; the guarding condition
                # sits in the masked span above -- TODO confirm.
                p.remove_member('roles/pubsub.subscriber', iam_ident)
def revoke_stale_authorization():
    """Removes authorization from accounts that no longer have access."""
    # Keys of reader entities to delete, collected first and removed in one
    # batch below.
    to_delete = []
    for email in _list_authorized_readers():
        # NOTE(review): the text between 'user:' and the log message is masked
        # ('******') in this listing, so the access check that marks a reader
        # as stale is not visible here. Verify the predicate against the
        # original file.
        ident = auth.Identity.from_bytes('user:'******'Removing "%s" as authorized GCS reader', email)
        # NOTE(review): going by the docstring, only readers that lost access
        # are queued; the guarding condition sits in the masked span above --
        # TODO confirm.
        to_delete.append(_auth_db_reader_key(email))
    ndb.delete_multi(to_delete)
    # Update ACLs even if we didn't delete anything. This is necessary to make
    # revoke_stale_authorization() idempotent: even if it crashes right after
    # ndb.delete_multi, we still will remove stale GCS ACLs on a retry.
    _update_gcs_acls()