|
| 1 | +#!/usr/bin/env python3 |
| 2 | +# |
| 3 | +# Returns information about user's GCP entitlements |
| 4 | +# |
| 5 | +# Usage: cred_helper.py [get|test] |
| 6 | +# |
| 7 | +# get prints the GCP auth token |
| 8 | +# test prints the user's GCP entitlements |
| 9 | +# |
| 10 | +# Calling script without arguments prints out usage information and then exits with a non-zero code (per spec) |
| 11 | +# |
| 12 | + |
| 13 | +import subprocess |
| 14 | +import requests |
| 15 | +import json |
| 16 | +import re |
| 17 | +import sys |
| 18 | + |
| 19 | + |
| 20 | +def get_gcloud_auth_token(test): |
| 21 | + """ |
| 22 | + Returns the gcloud auth token based on the .user-bazelrc |
| 23 | + """ |
| 24 | + |
| 25 | + with open(".user-bazelrc") as f: |
| 26 | + all = f.read() |
| 27 | + match = re.search(r"# user: (.*)", all) |
| 28 | + if match is None: |
| 29 | + sys.exit('Did not find username in .user-bazelrc file as "# user: <username>"') |
| 30 | + USER = match.group(1) |
| 31 | + |
| 32 | + cmd = ["gcloud", "auth", "print-access-token", USER] |
| 33 | + if test: |
| 34 | + print("Running: " + subprocess.list2cmdline(cmd)) |
| 35 | + result = subprocess.run(cmd, capture_output=True, text=True, check=True) |
| 36 | + token = result.stdout.strip() |
| 37 | + return token |
| 38 | + |
| 39 | + |
| 40 | +def generate_credentials(test): |
| 41 | + """ |
| 42 | + Generate the credentials in a form that Bazel wants, which is the |
| 43 | + Authorization key points to a list |
| 44 | + """ |
| 45 | + |
| 46 | + bearer_token = get_gcloud_auth_token(test) |
| 47 | + |
| 48 | + # Create the JSON object with the required format |
| 49 | + credentials = {"headers": {"Authorization": [f"Bearer {bearer_token}"]}} |
| 50 | + return credentials |
| 51 | + |
| 52 | + |
| 53 | +def test_permissions(credentials, bucket_name): |
| 54 | + """ |
| 55 | + Tests the user's entitlements for this bucket |
| 56 | +
|
| 57 | + Note that the call to check the permissions needs the Authorization key to |
| 58 | + point to a string and not a list. So, take the first element in the list |
| 59 | + and make it the only value |
| 60 | + """ |
| 61 | + |
| 62 | + credentials["headers"]["Authorization"] = credentials["headers"]["Authorization"][0] |
| 63 | + url = ( |
| 64 | + f"https://storage.googleapis.com/storage/v1/b/{bucket_name}/iam/testPermissions" |
| 65 | + ) |
| 66 | + permissions = {"permissions": ["storage.buckets.get", "storage.objects.create"]} |
| 67 | + |
| 68 | + response = requests.get(url, params=permissions, headers=credentials["headers"]) |
| 69 | + response.raise_for_status() |
| 70 | + return response.json() |
| 71 | + |
| 72 | + |
| 73 | +def main(): |
| 74 | + if ( |
| 75 | + len(sys.argv) <= 1 |
| 76 | + or (len(sys.argv) == 2 and sys.argv[1] not in ["get", "test"]) |
| 77 | + or len(sys.argv) >= 3 |
| 78 | + ): |
| 79 | + sys.exit("Usage: python cred_helper.py [get|test]") |
| 80 | + test = sys.argv[1] == "test" |
| 81 | + |
| 82 | + credentials = generate_credentials(test) |
| 83 | + if not test: |
| 84 | + print(json.dumps(credentials, indent=2)) |
| 85 | + return |
| 86 | + |
| 87 | + permissions = test_permissions(credentials, "megaboom-bazel-artifacts") |
| 88 | + |
| 89 | + print(json.dumps(permissions, indent=2)) |
| 90 | + |
| 91 | + |
| 92 | +if __name__ == "__main__": |
| 93 | + main() |
0 commit comments