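def add_user_service_account_to_google(
    session, to_add_project_ids, google_project_id, service_account
):
    """
    Add a service account to the Google access group(s) of each project.

    Every project in ``to_add_project_ids`` is resolved to its Google access
    groups via ``_get_google_access_groups`` and the service account's email
    is added to each of them through a ``GoogleCloudManager``.

    Args:
        session(current_session): db session
        to_add_project_ids (List(id)): list of project ids
        google_project_id (str): google project id whose credentials the
            GoogleCloudManager is opened with (``use_default=False``)
        service_account (UserServiceAccount): user service account

    Raises:
        GoogleAPIError: if the Google call fails for a group (the original
            exception is chained as ``__cause__``) or if the response does
            not carry an ``email``, which is taken to mean the member was
            not added. Processing stops at the first failing group.
    """
    logger.debug(
        "attempting to add {} to groups for projects: {}".format(
            service_account, to_add_project_ids
        )
    )

    for project_id in to_add_project_ids:
        access_groups = _get_google_access_groups(session, project_id)
        logger.debug(
            "google group(s) for project {}: {}".format(project_id, access_groups)
        )

        for access_group in access_groups:
            # Only the Google call (and reading its response) is guarded here,
            # so our own "not added" error below is raised once, with the
            # account/group context, instead of being wrapped a second time.
            try:
                with GoogleCloudManager(
                    google_project_id, use_default=False
                ) as g_manager:
                    response = g_manager.add_member_to_group(
                        member_email=service_account.email,
                        group_id=access_group.email,
                    )
                # A response carrying an "email" is treated as success;
                # anything else (including a malformed response) is a failure.
                added = bool(response.get("email", None))
            except Exception as exc:
                raise GoogleAPIError(
                    "Can not add {} to Google group {}. Detail {}".format(
                        service_account.email, access_group.email, exc
                    )
                ) from exc

            if not added:
                raise GoogleAPIError(
                    "Can not add {} to Google group {}".format(
                        service_account.email, access_group.email
                    )
                )

            logger.debug(
                "Successfully add member {} to Google group {}.".format(
                    service_account.email, access_group.email
                )
            )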
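def _revoke_user_service_account_from_google(
    session, to_delete_project_ids, google_project_id, service_account
):
    """
    Revoke a service account from the Google access group(s) of each project.

    Every project in ``to_delete_project_ids`` is resolved to its Google
    access groups via ``_get_google_access_groups`` and the service
    account's email is removed from each of them through a
    ``GoogleCloudManager``.

    Args:
        session(current_session): db session
        to_delete_project_ids (List(str)): list of project ids
        google_project_id (str): google project id whose credentials the
            GoogleCloudManager is opened with (``use_default=False``)
        service_account (UserServiceAccount): user service account

    Returns:
        None

    Raises:
        GoogleAPIError: if the Google call fails for a group (the original
            exception is chained as ``__cause__``) or if
            ``remove_member_from_group`` returns a truthy value, which this
            code treats as "not removed". Processing stops at the first
            failing group.
    """
    for project_id in to_delete_project_ids:
        access_groups = _get_google_access_groups(session, project_id)

        for access_group in access_groups:
            # Only the Google call is guarded, so our own "not removed" error
            # below keeps its (now properly formatted) message instead of
            # being wrapped a second time.
            try:
                with GoogleCloudManager(
                    google_project_id, use_default=False
                ) as g_manager:
                    # NOTE(review): a falsy return is treated as success here
                    # (a member DELETE presumably answers with an empty body);
                    # confirm against GoogleCloudManager.remove_member_from_group.
                    removed = not g_manager.remove_member_from_group(
                        member_email=service_account.email,
                        group_id=access_group.email,
                    )
            except Exception as exc:
                raise GoogleAPIError(
                    "Can not remove {} from group {}. Detail {}".format(
                        service_account.email, access_group.email, exc
                    )
                ) from exc

            if not removed:
                # The original raised this message without .format(), so the
                # literal "{}" placeholders ended up in the error text.
                raise GoogleAPIError(
                    "Can not remove {} from group {}".format(
                        service_account.email, access_group.email
                    )
                )

            logger.debug(
                "Removed {} from google group {}".format(
                    service_account.email, access_group.email
                )
            )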
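def force_remove_service_account_from_access(
    service_account_email, google_project_id, db=None
):
    """
    Forcibly revoke a service account's bucket access.

    Looks the account up in the DB, removes its email from every Google
    access group returned by ``get_google_access_groups_for_service_account``,
    and finally deletes the matching DB entries via
    ``_force_remove_service_account_from_access_db``.

    Unlike a stop-at-first-error loop, every group is attempted before an
    error is raised: this is a revocation, so one failing group must not
    leave the account in the remaining groups. The DB entries are only
    removed when every Google removal succeeded, so the DB keeps reflecting
    any membership that could not be revoked.

    Args:
        service_account_email (str): service account email
        google_project_id (str): google project id whose credentials the
            GoogleCloudManager is opened with (``use_default=False``)
        db (None, str): Optional db connection string

    Returns:
        None

    Raises:
        fence.errors.NotFound: if no UserServiceAccount with that email exists
        GoogleAPIError: if removal from one or more groups failed; the message
            lists every failed group and the last underlying exception is
            chained as ``__cause__``
    """
    session = get_db_session(db)

    service_account = (
        session.query(UserServiceAccount).filter_by(email=service_account_email).first()
    )
    if not service_account:
        raise fence.errors.NotFound(
            "{} does not exist in DB".format(service_account_email)
        )

    access_groups = get_google_access_groups_for_service_account(service_account)

    # (message, exception) per group whose removal failed.
    failures = []
    for bucket_access_group in access_groups:
        try:
            with GoogleCloudManager(google_project_id, use_default=False) as g_manager:
                g_manager.remove_member_from_group(
                    member_email=service_account.email,
                    group_id=bucket_access_group.email,
                )
        except Exception as exc:
            failures.append(
                (
                    "Can not remove member {} from access group {}. Detail {}".format(
                        service_account.email, bucket_access_group.email, exc
                    ),
                    exc,
                )
            )

    if failures:
        # NOTE(review): groups already removed in this pass keep their DB rows
        # too; whether a retry tolerates removing an absent member depends on
        # GoogleCloudManager.remove_member_from_group — confirm.
        raise GoogleAPIError("; ".join(msg for msg, _ in failures)) from failures[-1][1]

    _force_remove_service_account_from_access_db(service_account, access_groups, db)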