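def add_user_service_account_to_google(
    session, to_add_project_ids, google_project_id, service_account
):
    """
    Add service account to Google access groups

    For every project in ``to_add_project_ids`` the service account's
    email is added as a member of each of that project's Google access
    groups. Groups are processed one at a time and the first failure
    raises immediately, so groups handled before the failure keep the
    new member while the remaining ones are left untouched; callers
    that need all-or-nothing semantics must handle rollback themselves.

    Args:
        session(current_session): db session
        to_add_project_ids (List(id)): list of project ids
        google_project_id (str): google project id
        service_account (UserServiceAccount): user service account

    Raises:
        GoogleAPIError: if adding the member to a group fails, either
            because the call raised (the original exception is chained
            as ``__cause__``) or because the API response carries no
            ``email`` field confirming the membership
    """
    logger.debug(
        "attempting to add %s to groups for projects: %s",
        service_account,
        to_add_project_ids,
    )
    for project_id in to_add_project_ids:
        access_groups = _get_google_access_groups(session, project_id)
        logger.debug(
            "google group(s) for project %s: %s", project_id, access_groups
        )
        for access_group in access_groups:
            try:
                # TODO: Need to remove try/catch after major refactor
                with GoogleCloudManager(
                    google_project_id, use_default=False
                ) as g_manager:
                    response = g_manager.add_member_to_group(
                        member_email=service_account.email, group_id=access_group.email
                    )
            except Exception as exc:
                # wrap with the member/group context, keeping the cause
                raise GoogleAPIError(
                    "Can not add {} to Google group {}. Detail {}".format(
                        service_account.email, access_group.email, exc
                    )
                ) from exc

            # The response is only treated as a confirmed add when it
            # carries an "email" field. This check sits outside the
            # try block so its own GoogleAPIError is not wrapped a
            # second time with a redundant "Detail" suffix.
            if not response.get("email"):
                raise GoogleAPIError(
                    "Can not add {} to Google group {}".format(
                        service_account.email, access_group.email
                    )
                )
            logger.debug(
                "Successfully add member %s to Google group %s.",
                service_account.email,
                access_group.email,
            )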
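def _revoke_user_service_account_from_google(
    session, to_delete_project_ids, google_project_id, service_account
):
    """
    revoke service account from google access group

    For every project in ``to_delete_project_ids`` the service account's
    email is removed from each of that project's Google access groups.
    Groups are processed one at a time and the first failure raises
    immediately, so earlier groups are already revoked while later
    ones still hold the member.

    Args:
        session(current_session): db session
        to_delete_project_ids (List(str)): list of project ids
        google_project_id (str): google project id
        service_account (UserServiceAccount): user service account

    Returns:
        None

    Raises:
        GoogleAPIError: if removing the member from a group fails,
            either because the call raised (the original exception is
            chained as ``__cause__``) or because the removal call
            reported failure
    """
    for project_id in to_delete_project_ids:
        access_groups = _get_google_access_groups(session, project_id)

        for access_group in access_groups:
            try:
                # TODO: Need to remove outer try/catch after major refactor
                with GoogleCloudManager(
                    google_project_id, use_default=False
                ) as g_manager:
                    removal_result = g_manager.remove_member_from_group(
                        member_email=service_account.email, group_id=access_group.email
                    )
            except Exception as exc:
                # wrap with the member/group context, keeping the cause
                raise GoogleAPIError(
                    "Can not remove {} from group {}. Detail {}".format(
                        service_account.email, access_group.email, exc
                    )
                ) from exc

            # NOTE(review): a falsy result is treated as a successful
            # removal and a truthy one as failure (unchanged from the
            # original); confirm against remove_member_from_group's
            # return contract. The check sits outside the try block so
            # its GoogleAPIError is not wrapped a second time.
            if removal_result:
                raise GoogleAPIError(
                    "Can not remove {} from group {}".format(
                        service_account.email, access_group.email
                    )
                )
            logger.debug(
                "Removed %s from google group %s",
                service_account.email,
                access_group.email,
            )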
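def force_remove_service_account_from_access(
    service_account_email, google_project_id, db=None
):
    """
    loop through ServiceAccountToBucket
    remove from google group
    delete entries from db

    The Google-side removal runs first, one access group at a time, and
    the database records are only deleted once every group removal has
    gone through. A failure therefore leaves the database entries in
    place, so the recorded access still reflects the memberships that
    were not revoked; re-running the function retries the removals.

    Args:
        service_account_email (str): service account email
        google_project_id (str): google project id
        db (None, str): Optional db connection string

    Returns:
        None

    Raises:
        fence.errors.NotFound: if no UserServiceAccount with the given
            email exists in the database
        GoogleAPIError: if removing the member from an access group
            fails (the original exception is chained as ``__cause__``)
    """
    session = get_db_session(db)

    service_account = (
        session.query(UserServiceAccount).filter_by(email=service_account_email).first()
    )

    if service_account is None:
        raise fence.errors.NotFound(
            "{} does not exist in DB".format(service_account_email)
        )

    access_groups = get_google_access_groups_for_service_account(service_account)

    for bucket_access_group in access_groups:
        try:
            with GoogleCloudManager(google_project_id, use_default=False) as g_manager:
                g_manager.remove_member_from_group(
                    member_email=service_account.email,
                    group_id=bucket_access_group.email,
                )
        except Exception as exc:
            # wrap with the member/group context, keeping the cause
            raise GoogleAPIError(
                "Can not remove member {} from access group {}. Detail {}".format(
                    service_account.email, bucket_access_group.email, exc
                )
            ) from exc

    # only reached when every Google-side removal succeeded
    _force_remove_service_account_from_access_db(service_account, access_groups, db)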