Add module for using cloud identity api to manage google groups (#5149)

ViniciustCosta · web-flow · commit f00b539bd901 · 2026-02-02T16:01:42.000-03:00
This is some groundwork in order to use google groups for CCs in OSS-Fuzz issues. Context: b/477964128, b/388390041 and google/oss-fuzz#12945 Since we used google groups for the auth/access in appengine, I updated it to centralize in the same module under google cloud utils. Tests: * Used a local script (gpaste/4919004936404992) to execute all methods using a test group. Output: gpaste/6567249169219584
diff --git a/src/appengine/libs/access.py b/src/appengine/libs/access.py
@@ -19,6 +19,7 @@
 from clusterfuzz._internal.config import db_config
 from clusterfuzz._internal.config import local_config
 from clusterfuzz._internal.datastore import data_handler
+from clusterfuzz._internal.google_cloud_utils import google_groups
 from clusterfuzz._internal.issue_management import issue_tracker_utils
 from libs import auth
 from libs import helpers
@@ -40,19 +41,17 @@ def _is_privileged_user(email):
   # Check privileged access from google groups.
   privileged_groups = (db_config.get_value('privileged_groups') or
                        '').splitlines()
-  identity_service = auth.get_identity_api()
   for privileged_group in privileged_groups:
     # Filter for non-group patterns.
     if ('@' not in privileged_group or
         utils.is_service_account(privileged_group)):
       continue
 
-    group_id = auth.get_google_group_id(privileged_group, identity_service)
+    group_id = google_groups.get_group_id(privileged_group)
     if not group_id:
       continue
 
-    if auth.check_transitive_group_membership(group_id, email,
-                                              identity_service):
+    if google_groups.check_transitive_group_membership(group_id, email):
       return True
 
   return False
diff --git a/src/appengine/libs/auth.py b/src/appengine/libs/auth.py
@@ -14,22 +14,19 @@
 """Authentication helpers."""
 
 import collections
-from urllib import parse
 
 from firebase_admin import auth
 from google.auth.transport import requests as google_requests
 from google.cloud import ndb
 from google.oauth2 import id_token
 from googleapiclient import discovery
-from googleapiclient.errors import HttpError
 import jwt
 import requests
 
 from clusterfuzz._internal.base import memoize
 from clusterfuzz._internal.base import utils
 from clusterfuzz._internal.config import local_config
 from clusterfuzz._internal.datastore import data_types
-from clusterfuzz._internal.google_cloud_utils import credentials
 from clusterfuzz._internal.metrics import logs
 from clusterfuzz._internal.system import environment
 from libs import helpers
@@ -252,48 +249,3 @@ def decode_claims(session_cookie):
     return auth.verify_session_cookie(session_cookie, check_revoked=True)
   except (ValueError, auth.AuthError):
     raise AuthError('Invalid session cookie.')
-
-
-def get_identity_api() -> discovery.Resource:
-  """Return cloud identity api client."""
-  creds, _ = credentials.get_default()
-  return discovery.build('cloudidentity', 'v1', credentials=creds)
-
-
-def get_google_group_id(group_email: str,
-                        identity_service: discovery.Resource | None = None
-                       ) -> str | None:
-  """Retrive a google group ID."""
-  if not identity_service:
-    identity_service = get_identity_api()
-
-  try:
-    request = identity_service.groups().lookup(groupKey_id=group_email)
-    response = request.execute()
-    return response.get('name')
-  except HttpError:
-    logs.warning(f"Unable to look up group {group_email}.")
-    return None
-
-
-def check_transitive_group_membership(
-    group_id: str,
-    member: str,
-    identity_service: discovery.Resource | None = None) -> bool:
-  """Check if an user is a member of a google group."""
-  if not identity_service:
-    identity_service = get_identity_api()
-
-  try:
-    query_params = parse.urlencode({
-        "query": "member_key_id == '{}'".format(member)
-    })
-    request = identity_service.groups().memberships().checkTransitiveMembership(
-        parent=group_id)
-    request.uri += "&" + query_params
-    response = request.execute()
-    return response.get('hasMembership', False)
-  except HttpError:
-    logs.warning(
-        f'Unable to check group membership from {member} to {group_id}.')
-    return False
diff --git a/src/clusterfuzz/_internal/google_cloud_utils/google_groups.py b/src/clusterfuzz/_internal/google_cloud_utils/google_groups.py
@@ -0,0 +1,174 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Helper for google groups management."""
+
+import threading
+from urllib import parse
+
+from googleapiclient import discovery
+from googleapiclient import errors
+
+from clusterfuzz._internal.config import local_config
+from clusterfuzz._internal.google_cloud_utils import credentials
+from clusterfuzz._internal.metrics import logs
+
+# pylint: disable=no-member
+
+_FAIL_RETRIES = 3
+
+_local = threading.local()
+
+
+def get_identity_api() -> discovery.Resource | None:
+  """Return cloud identity api client."""
+  if not hasattr(_local, 'identity_service'):
+    creds, _ = credentials.get_default()
+    _local.identity_service = discovery.build(
+        'cloudidentity', 'v1', credentials=creds, cache_discovery=False)
+
+  return _local.identity_service
+
+
+def get_group_id(group_name: str, exists_check: bool = False) -> str | None:
+  """Retrive a google group ID."""
+  identity_service = get_identity_api()
+  try:
+    request = identity_service.groups().lookup(groupKey_id=group_name)
+    response = request.execute()
+    return response.get('name')
+  except errors.HttpError:
+    if not exists_check:
+      logs.warning(f"Unable to look up group {group_name}.")
+    return None
+
+
+def check_transitive_group_membership(group_id: str, member: str) -> bool:
+  """Check if an user is a member of a google group."""
+  identity_service = get_identity_api()
+  try:
+    query_params = parse.urlencode({
+        "query": "member_key_id == '{}'".format(member)
+    })
+    request = identity_service.groups().memberships().checkTransitiveMembership(
+        parent=group_id)
+    request.uri += "&" + query_params
+    response = request.execute(num_retries=_FAIL_RETRIES)
+    return response.get('hasMembership', False)
+  except errors.HttpError:
+    logs.warning(
+        f'Unable to check group membership from {member} to {group_id}.')
+    return False
+
+
+def create_google_group(group_name: str,
+                        group_display_name: str | None = None,
+                        group_description: str | None = None,
+                        customer_id: str | None = None) -> str | None:
+  """Create a google group."""
+  identity_service = get_identity_api()
+
+  customer_id = customer_id or str(
+      local_config.ProjectConfig().get('groups_customer_id'))
+  if not customer_id:
+    logs.error('No customer ID set. Unable to create a new google group.')
+    return None
+
+  group_key = {"id": group_name}
+  group = {
+      "parent": "customers/" + customer_id,
+      "description": group_description,
+      "displayName": group_display_name,
+      "groupKey": group_key,
+      # Set the label to specify creation of a Google Group.
+      "labels": {
+          "cloudidentity.googleapis.com/groups.discussion_forum": ""
+      }
+  }
+  try:
+    request = identity_service.groups().create(body=group)
+    request.uri += "&initialGroupConfig=WITH_INITIAL_OWNER"
+    response = request.execute(num_retries=_FAIL_RETRIES)
+    group_id = response.get('response').get('name')
+    logs.info(f'Created google group {group_name}', request_response=response)
+    return group_id
+  except errors.HttpError:
+    logs.error(f'Failed to create google group {group_name}')
+    return None
+
+
+def get_google_group_memberships(group_id: str) -> dict[str, str] | None:
+  """Get dict of membership name to members id from a google group."""
+  identity_service = get_identity_api()
+
+  try:
+    response = identity_service.groups().memberships().list(
+        parent=group_id).execute()
+    memberships = {
+        member.get('preferredMemberKey').get('id'): member.get('name')
+        for member in response.get('memberships', [])
+    }
+    return memberships
+  except errors.HttpError:
+    logs.error(f'Failed to get list of members from group {group_id}')
+    return None
+
+
+def add_member_to_group(group_id: str, member: str) -> bool:
+  """Add a new member to a google group."""
+  identity_service = get_identity_api()
+
+  try:
+    # Create a membership object with a role type MEMBER
+    membership = {
+        "preferredMemberKey": {
+            "id": member
+        },
+        "roles": {
+            "name": "MEMBER",
+        }
+    }
+    # Create a membership using the group ID and the membership object
+    response = identity_service.groups().memberships().create(
+        parent=group_id, body=membership).execute(num_retries=_FAIL_RETRIES)
+    logs.info(
+        f'Added {member} to google group {group_id}', request_response=response)
+    return True
+  except errors.HttpError:
+    logs.error(f'Failed to add {member} to google group {group_id}')
+    return False
+
+
+def delete_google_group_membership(group_id: str,
+                                   member: str,
+                                   membership_name: str | None = None) -> bool:
+  """Delete a google group membership."""
+  identity_service = get_identity_api()
+
+  try:
+    if not membership_name:
+      membership_lookup_request = identity_service.groups().memberships(
+      ).lookup(parent=group_id)
+      membership_lookup_request.uri += "&memberKey.id=" + member
+      membership_lookup_response = membership_lookup_request.execute()
+      membership_name = membership_lookup_response.get("name")
+
+    response = identity_service.groups().memberships().delete(
+        name=membership_name).execute(num_retries=_FAIL_RETRIES)
+    logs.info(
+        f'Removed {member} ({membership_name}) from google group {group_id}',
+        request_response=response)
+    return True
+  except errors.HttpError:
+    logs.error(f'Failed to remove {member} from google group {group_id}')
+    return False
diff --git a/src/clusterfuzz/_internal/tests/appengine/libs/access_test.py b/src/clusterfuzz/_internal/tests/appengine/libs/access_test.py
@@ -76,9 +76,9 @@ def _get_value_mock(self, key):
   def setUp(self):
     test_helpers.patch(self, [
         'clusterfuzz._internal.config.db_config.get_value',
-        'libs.auth.get_google_group_id',
-        'libs.auth.check_transitive_group_membership',
-        'libs.auth.get_identity_api'
+        'clusterfuzz._internal.google_cloud_utils.google_groups.get_group_id',
+        'clusterfuzz._internal.google_cloud_utils.google_groups.check_transitive_group_membership',
+        'clusterfuzz._internal.google_cloud_utils.google_groups.get_identity_api'
     ])
 
   def test_none(self):
@@ -108,35 +108,35 @@ def test_privileged_group(self):
     """Test success access for member of privileged group."""
     self.mock.get_value.side_effect = self._get_value_mock
     self.mock.get_identity_api.return_value = None
-    self.mock.get_google_group_id.return_value = 1
+    self.mock.get_group_id.return_value = 1
     self.mock.check_transitive_group_membership.return_value = True
 
     self.assertTrue(access._is_privileged_user('usertest@google.com'))
-    self.mock.get_google_group_id.assert_called_with('test@group.com', None)
+    self.mock.get_group_id.assert_called_with('test@group.com')
     self.mock.check_transitive_group_membership.assert_called_with(
-        1, 'usertest@google.com', None)
+        1, 'usertest@google.com')
 
   def test_privileged_group_id_not_available(self):
     """Test failed access if privileged group not found."""
     self.mock.get_value.side_effect = self._get_value_mock
     self.mock.get_identity_api.return_value = None
-    self.mock.get_google_group_id.return_value = None
+    self.mock.get_group_id.return_value = None
 
     self.assertFalse(access._is_privileged_user('usertest@google.com'))
-    self.mock.get_google_group_id.assert_called_with('test@group.com', None)
+    self.mock.get_group_id.assert_called_with('test@group.com')
     self.mock.check_transitive_group_membership.assert_not_called()
 
   def test_not_member_privileged_group(self):
     """Test failed access if user not member of privileged group."""
     self.mock.get_value.side_effect = self._get_value_mock
     self.mock.get_identity_api.return_value = None
-    self.mock.get_google_group_id.return_value = 1
+    self.mock.get_group_id.return_value = 1
     self.mock.check_transitive_group_membership.return_value = False
 
     self.assertFalse(access._is_privileged_user('usertest@google.com'))
-    self.mock.get_google_group_id.assert_called_with('test@group.com', None)
+    self.mock.get_group_id.assert_called_with('test@group.com')
     self.mock.check_transitive_group_membership.assert_called_with(
-        1, 'usertest@google.com', None)
+        1, 'usertest@google.com')
 
 
 class IsDomainAllowedTest(unittest.TestCase):
