Merge 11847eb into f1a571d
Avantol13 committed May 26, 2021
2 parents f1a571d + 11847eb commit 39f5b25
Showing 3 changed files with 45 additions and 13 deletions.
12 changes: 9 additions & 3 deletions .secrets.baseline
@@ -1,5 +1,9 @@
{
"version": "1.0.3",
"exclude": {
"files": "poetry.lock",
"lines": null
},
"generated_at": "2021-05-25T21:22:19Z",
"plugins_used": [
{
"name": "ArtifactoryDetector"
Expand Down Expand Up @@ -215,7 +219,8 @@
"filename": "poetry.lock",
"hashed_secret": "640e60795f08744221f6816fe9dc949c58465256",
"is_verified": false,
"line_number": 223
"line_number": 1177,
"type": "Private Key"
},
{
"type": "Hex High Entropy String",
Expand All @@ -229,7 +234,8 @@
"filename": "poetry.lock",
"hashed_secret": "205b95ce89ff252c6045d78ca9d007e73b45dc00",
"is_verified": false,
"line_number": 1466
"line_number": 1200,
"type": "Base64 High Entropy String"
}
],
"tests/conftest.py": [
16 changes: 8 additions & 8 deletions fence/blueprints/google.py
Expand Up @@ -32,10 +32,10 @@
)
from fence.resources.google.utils import (
get_or_create_proxy_group_id,
get_or_create_service_account,
get_monitoring_service_account_email,
get_registered_service_accounts,
get_project_access_from_service_accounts,
get_or_create_primary_service_account_key,
)
from fence.models import UserServiceAccount
from fence.utils import get_valid_expiration_from_request
Expand Down Expand Up @@ -613,20 +613,20 @@ def post(self):
relying on lazy creation at first time of Google Data Access.
"""
user_id = current_token["sub"]
client_id = current_token.get("azp") or None
proxy_group_id = get_or_create_proxy_group_id()
username = current_token.get("context", {}).get("user", {}).get("name")
service_account_email = None

service_account = get_or_create_service_account(
client_id=client_id,
user_id=user_id,
username=username,
proxy_group_id=proxy_group_id,
# do the same thing signed URL creation is doing, but don't use the resulting
# key, just extract the service account email
sa_private_key, _ = get_or_create_primary_service_account_key(
user_id=user_id, username=username, proxy_group_id=proxy_group_id
)
service_account_email = sa_private_key.get("client_email")

# NOTE: service_account_from_db.email is what gets populated in the UserInfo endpoint's
# "primary_google_service_account" as well, so this remains consistent
return flask.jsonify({"primary_google_service_account": service_account.email})
return flask.jsonify({"primary_google_service_account": service_account_email})


def _get_service_account_for_patch(id_):
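Review bot: The new body calls `get_or_create_primary_service_account_key` and then reads only `client_email` out of the returned key blob, so a request to this handler now fetches — and, if the helper does what its name says, may mint — a Google service account private key that is immediately discarded; a helper that resolves the primary service account (or its email) without touching key material would keep credential issuance confined to the signed-URL path that actually needs it. If the key lookup is kept, `sa_private_key.get("client_email")` silently yields `None` and the endpoint would answer `{"primary_google_service_account": null}`; prefer `service_account_email = sa_private_key["client_email"]` so a malformed or empty key blob fails loudly instead of returning an unusable identity. The `service_account_email = None` assignment near the top of the body is dead, since the value is unconditionally overwritten right after the call. The removed call also passed `client_id` taken from the token's `azp` claim and the new helper is given only `user_id`, `username` and `proxy_group_id`; worth confirming that the resolved account never depended on the client. `post` begins above the hunk.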
30 changes: 28 additions & 2 deletions tests/conftest.py
Expand Up @@ -11,6 +11,7 @@
import mock
import os
import copy
import time

from addict import Dict
from authutils.testing.fixtures import (
Expand Down Expand Up @@ -1110,15 +1111,40 @@ def primary_google_service_account_google(
db_session.add(service_account)
db_session.commit()

service_account_key_db_entry = models.GoogleServiceAccountKey(
key_id=1, service_account_id=service_account.id, expires=int(time.time()) + 3600
)

db_session.add(service_account_key_db_entry)
db_session.commit()

private_key = {
"type": "service_account",
"project_id": "project-id",
"private_key_id": "some_number",
"client_email": email,
"client_id": "...",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/...<api-name>api%40project-id.iam.gserviceaccount.com",
}

mock = MagicMock()
mock.return_value = service_account
patcher = patch("fence.blueprints.google.get_or_create_service_account", mock)
mock.return_value = private_key, service_account_key_db_entry
patcher = patch(
"fence.blueprints.google.get_or_create_primary_service_account_key", mock
)
patcher.start()

yield Dict(
id=service_account_id, email=email, get_or_create_service_account_mock=mock
)

db_session.delete(service_account)
db_session.delete(service_account_key_db_entry)
db_session.commit()

patcher.stop()


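Review bot: The fixture now patches `fence.blueprints.google.get_or_create_primary_service_account_key`, but the object it yields still exposes the mock as `get_or_create_service_account_mock`, so a test asserting on that attribute is reading the wrong helper's name; rename it to `get_or_create_primary_service_account_key_mock` (updating any test that uses the old attribute) or at least add a comment on the `yield` such as `# mock for get_or_create_primary_service_account_key, kept under the legacy attribute name`. The `private_key` dict deliberately carries no `"private_key"` field; a one-line comment above it, e.g. `# shape of a Google SA key JSON minus the secret material — the handler only needs client_email`, would stop someone "completing" it with a fake PEM later. The teardown after `yield` (DB deletes and `patcher.stop()`) is not in a `try`/`finally`, so a test body that raises leaves the patch and the rows in place for later tests; that pattern predates this commit but the new rows extend its blast radius. The fixture's signature and setup begin above the hunk.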
