def delete(self, id_):
    """
    Delete a registered Google service account on behalf of the caller.

    The requester (``current_token["sub"]``) must be a member of the Google
    project the service account is registered under; otherwise a 403
    response is returned and nothing is deleted. The actual removal is
    delegated to ``self._delete``, which performs no authorization of its own.

    Args:
        id_ (str): Google service account email to delete

    Returns:
        Whatever ``self._delete`` returns on success, or a
        ``(message, 403)`` tuple when the requester is not authorized.

    Raises:
        NotFound: no registered service account matches the given email.
    """
    requester = current_token["sub"]
    email = get_service_account_email(id_)
    registration = get_registered_service_account_from_email(email)
    if not registration:
        raise NotFound(
            "Could not find a registered service account from given email {}"
            .format(email)
        )

    project_id = registration.google_project_id

    # Authorization: membership in the owning Google project is the only
    # check gating deletion.
    # NOTE(review): nothing here re-verifies that the service account still
    # belongs to ``project_id`` on the Google side -- confirm that is enforced
    # elsewhere if registrations can go stale.
    with GoogleCloudManager(project_id) as gcm:
        is_member = is_user_member_of_google_project(requester, gcm)

    if is_member:
        return self._delete(id_)

    return (
        'User "{}" does not have permission to delete the provided '
        'service account "{}".'.format(requester, id_),
        403,
    )
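def _get_service_account_for_patch(id_):
    """
    Build the registration describing the state a PATCH request asks for.

    Only ``project_access`` may be updated. Omitting the field keeps the
    service account's current project access; sending ``[]`` removes all of
    it. The request body is untrusted, so its shape is validated before use:
    a non-object body or a non-list ``project_access`` yields a 400 response
    instead of an unhandled exception (a 500).

    Args:
        id_ (str): Google service account email (or identifier accepted by
            ``get_service_account_email``) of the account being patched

    Returns:
        GoogleServiceAccountRegistration describing the desired state, or a
        ``(response_dict, 400)`` tuple when the request is invalid or exceeds
        ``config["SERVICE_ACCOUNT_LIMIT"]`` projects.

    Raises:
        NotFound: no registered service account matches the email.
        Forbidden: the payload contains fields other than ``project_access``.
    """
    user_id = current_token["sub"]
    service_account_email = get_service_account_email(id_)
    registered_service_account = get_registered_service_account_from_email(
        service_account_email
    )
    if not registered_service_account:
        raise NotFound(
            "Could not find a registered service account from given email {}".format(
                service_account_email
            )
        )

    def _bad_request(field, code, description):
        # Same response shape as the project-limit error below.
        return (
            {
                "success": False,
                "errors": {
                    field: {
                        "status": 400,
                        "error": code,
                        "error_description": description,
                    }
                },
            },
            400,
        )

    payload = flask.request.get_json(silent=True) or {}
    # Anything but a JSON object (e.g. a list or a string) would make the
    # ``pop`` below raise and surface as a 500.
    if not isinstance(payload, dict):
        return _bad_request(
            "payload", "invalid_request", "Request body must be a JSON object."
        )

    # Work on a copy so the request's cached JSON is not mutated.
    remaining = dict(payload)
    project_access = remaining.pop("project_access", None)

    # Only project_access may be patched; reject anything else.
    if remaining:
        raise Forbidden("Cannot update provided fields: {}".format(remaining))

    # Field absent -> keep current access. ``[]`` means "remove all access",
    # so an ``if not project_access`` check here would be wrong.
    if project_access is None:
        project_access = [
            access_privilege.project.auth_id
            for access_privilege in registered_service_account.access_privileges
        ]
    elif not isinstance(project_access, list):
        # A string would otherwise pass ``len()`` and be iterated per character.
        return _bad_request(
            "project_access",
            "invalid_request",
            "project_access must be a list of project identifiers.",
        )

    if len(project_access) > config["SERVICE_ACCOUNT_LIMIT"]:
        return _bad_request(
            "service_account_limit",
            "project_limit",
            "Exceeded Allowable Number of Projects. Maximum {} Projects allowed per account.".format(
                config["SERVICE_ACCOUNT_LIMIT"]
            ),
        )

    google_project_id = registered_service_account.google_project_id

    return GoogleServiceAccountRegistration(
        service_account_email, project_access, google_project_id, user_id=user_id
    )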
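def _delete(self, id_):
    """
    Delete the given service account from our db and Google if it exists.

    WARNING: NO AUTHORIZATION CHECK DONE HERE. This will blindly delete the
    given service account; callers (see ``delete``) are responsible for
    verifying the requester may do so.

    Args:
        id_ (str): Google service account email (or identifier accepted by
            ``get_service_account_email``)

    Returns:
        ``(message, status)`` tuple: 200 on success; 404 when no registration
        exists for the email or Google reports the account missing; 400 on
        other Google API errors; 500 on any other failure.
    """
    import logging

    service_account_email = get_service_account_email(id_)
    registered_service_account = get_registered_service_account_from_email(
        service_account_email
    )
    # Previously an unregistered email crashed on ``.google_project_id``
    # (a 500); report it as not found instead.
    if not registered_service_account:
        return (
            "Could not find a registered service account from given email {}".format(
                service_account_email
            ),
            404,
        )

    google_project_id = registered_service_account.google_project_id

    # NOTE(review): the two removals are not atomic -- if the second call
    # fails after the first succeeded, the account may be left half removed.
    # Confirm the helpers are safe to retry.
    try:
        force_remove_service_account_from_access(
            service_account_email, google_project_id
        )
        force_delete_service_account(service_account_email)
    except CirrusNotFound as exc:
        return (
            "Can not remove the service accout {}. Detail {}".format(id_, exc),
            404,
        )
    except GoogleAPIError as exc:
        return (
            "Can not remove the service accout {}. Detail {}".format(id_, exc),
            400,
        )
    except Exception:
        # Keep the generic 500 for the client, but do not lose the traceback.
        logging.getLogger(__name__).exception(
            "Unexpected error deleting service account %s", id_
        )
        return (" Can not delete the service account {}".format(id_), 500)

    return "Successfully delete service account {}".format(id_), 200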
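def _get_service_account_for_patch(id_):
    """
    Build the registration describing the state a PATCH request asks for.

    Only ``project_access`` may be updated. Omitting the field keeps the
    service account's current project access; sending ``[]`` removes all of
    it. The request body is untrusted, so its shape is validated before use:
    a non-object body or a non-list ``project_access`` is rejected instead of
    raising an unhandled exception (a 500).

    Args:
        id_ (str): Google service account email (or identifier accepted by
            ``get_service_account_email``) of the account being patched

    Returns:
        GoogleServiceAccountRegistration describing the desired state.

    Raises:
        NotFound: no registered service account matches the email.
        Forbidden: the payload is not a JSON object, contains fields other
            than ``project_access``, or ``project_access`` is not a list.
    """
    user_id = current_token["sub"]
    service_account_email = get_service_account_email(id_)
    registered_service_account = get_registered_service_account_from_email(
        service_account_email
    )
    if not registered_service_account:
        raise NotFound(
            "Could not find a registered service account from given email {}".format(
                service_account_email
            )
        )

    payload = flask.request.get_json(silent=True) or {}
    # Anything but a JSON object (e.g. a list or a string) would make the
    # ``pop`` below raise and surface as a 500. Forbidden matches how this
    # function already rejects unsupported payloads; a 400 would be more
    # precise if a suitable exception is available in this module.
    if not isinstance(payload, dict):
        raise Forbidden("Request body must be a JSON object")

    # Work on a copy so the request's cached JSON is not mutated.
    remaining = dict(payload)
    project_access = remaining.pop("project_access", None)

    # Only project_access may be patched; reject anything else.
    if remaining:
        raise Forbidden("Cannot update provided fields: {}".format(remaining))

    # Field absent -> keep current access. ``[]`` means "remove all access",
    # so an ``if not project_access`` check here would be wrong.
    if project_access is None:
        project_access = [
            access_privilege.project.auth_id
            for access_privilege in registered_service_account.access_privileges
        ]
    elif not isinstance(project_access, list):
        # A string would otherwise be iterated per character downstream.
        raise Forbidden("project_access must be a list of project identifiers")

    google_project_id = registered_service_account.google_project_id

    return GoogleServiceAccountRegistration(
        service_account_email, project_access, google_project_id, user_id=user_id
    )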