Add walkthrough 7 example code.

Most files are just copied from Step #6. These are the newly added ones:
- coursework_routes.py
- coursework-assignment-created.html
- coursework-modified.html
- example-coursework-assignment.html

Also, index.html was modified from previous steps to add a couple of buttons and handle sign-in.

Change-Id: I3201c3bd10afde223235bc9ecdfeb6eb9dbed839

Author: AndrewMBurke

flask/07-external-attachments/config.py

@@ -0,0 +1,41 @@
+#!/usr/bin/env python3
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+"""The Flask server configuration."""
+
+import os
+
+DATABASE_FILE_NAME = os.path.join(
+    os.path.abspath(os.path.dirname(__file__)), "data.sqlite"
+)
+
+
+class Config(object):
+  # Note: A secret key is included in the sample so that it works.
+  # If you use this code in your application, replace this with a truly secret
+  # key. See https://flask.palletsprojects.com/quickstart/#sessions.
+  SECRET_KEY = (
+      os.environ.get("SECRET_KEY")
+      or "REPLACE ME - this value is here as a placeholder."
+  )
+
+  # Configure the flask cookie settings per the iframe security recommendations:
+  # https://developers.google.com/classroom/add-ons/developer-guides/iframes#iframe_security_guidelines
+  SESSION_COOKIE_SECURE = True
+  SESSION_COOKIE_HTTPONLY = True
+  SESSION_COOKIE_SAMESITE = "None"
+
+  # Point to a database file in the project root.
+  SQLALCHEMY_DATABASE_URI = f"sqlite:///{DATABASE_FILE_NAME}"
+  SQLALCHEMY_TRACK_MODIFICATIONS = False

flask/07-external-attachments/main.py

@@ -0,0 +1,70 @@
+#!/usr/bin/env python3
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+"""Entry point for the Flask server.
+
+Loads the webapp module and starts the server. Choose an appropriate launch
+method below before running this program.
+
+WARNING: NOT FOR PRODUCTION
+----------------------------
+This is a sample application for development purposes. You should follow
+best practices when securing your production application and in particular
+how you securely store and use OAuth tokens.
+
+Note that:
++ Storing tokens in the session is for demonstration purposes. Be sure to store
+  your tokens securely in your production application.
++ Be careful not to lose a user's refresh token. You will have to ask the user
+  to re-authorize your add-on to receive a new one.
+
+Review these resources for additional security considerations:
++ Google Identity developer website: https://developers.google.com/identity
++ OAuth 2.0 Security Best Current Practice:
+  https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics
++ OAuth 2.0 Threat Model and Security Considerations:
+  https://datatracker.ietf.org/doc/html/rfc6819"""
+
+from webapp import app
+import os
+
+if __name__ == "__main__":
+  # You have several options for running the web server.
+
+  ### OPTION 1: Unsecured localhost
+  # When running locally on unsecured HTTP, use this line to disable
+  # OAuthlib's HTTPs verification.
+
+  # Important: When running in production *do not* leave this option enabled.
+  # os.environ["OAUTHLIB_INSECURE_TRANSPORT"] = "1"
+
+  # Run the application on a local server, defaults to http://localhost:5000.
+  # Note: the OAuth flow requires a TLD, *not* an IP address; "localhost" is
+  # acceptable, but http://127.0.0.1 is not.
+  # app.run(debug=True)
+
+  ### OPTION 2: Secure localhost
+  # Run the application over HTTPs with a locally stored certificate and key.
+  # Defaults to https://localhost:5000.
+  app.run(
+      host="localhost",
+      ssl_context=("localhost.pem", "localhost-key.pem"),
+      debug=True,
+  )
+
+  ### OPTION 3: Production- or cloud-ready server
+  # Start a Gunicorn server, which is appropriate for use in production or a
+  # cloud deployment.
+  # server_port = os.environ.get("PORT", "8080")
+  # app.run(debug=True, port=server_port, host="0.0.0.0")

flask/07-external-attachments/requirements.txt

@@ -0,0 +1,10 @@
+Flask==2.2.2
+SQLAlchemy==1.4
+Flask_SQLAlchemy==2.5.1
+Flask_WTF==1.0.0
+google_api_python_client==2.56.0
+google_auth_oauthlib==0.4.6
+protobuf==4.21.5
+requests==2.27.1
+WTForms==3.0.1
+Werkzeug==2.3.7

flask/07-external-attachments/webapp/__init__.py

@@ -0,0 +1,37 @@
+#!/usr/bin/env python3
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+"""Initialize the webapp module.
+
+Starts the flask server, loads the config, and initializes the database."""
+
+import flask
+import config
+from flask_sqlalchemy import SQLAlchemy
+from os import path
+
+app = flask.Flask(__name__)
+app.config.from_object(config.Config)
+
+db = SQLAlchemy(app)
+
+from webapp import attachment_routes
+from webapp import attachment_discovery_routes
+from webapp import coursework_routes
+from webapp import models
+from webapp import credential_handler as ch
+
+# Initialize the database file if not created.
+if not path.exists(config.DATABASE_FILE_NAME):
+  db.create_all()

flask/07-external-attachments/webapp/attachment_discovery_routes.py

@@ -0,0 +1,209 @@
+#!/usr/bin/env python3
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+"""Defines Attachment Discovery iframe-related routes for the Flask server."""
+
+from webapp import app
+from webapp import credential_handler as ch
+
+import json
+import flask
+import pprint
+import requests
+
+import google.oauth2.credentials
+import googleapiclient.discovery
+
+
+@app.route("/")
+@app.route("/index")
+def index():
+  """
+  Render the index page from the "index.html" template. This is meant to act
+  as a facsimile of a company's home page.
+  The Add-on Discovery URL should be set to the /addon-discovery route below.
+  """
+
+  return flask.render_template(
+      "index.html",
+      message="You've reached the index page.\nClick the button below to create a "
+      "new Classroom assignment.",
+  )
+
+
+@app.route("/addon-discovery")
+def classroom_addon():
+  """
+  Checks if a user is signed in. If so, renders the addon discovery page from
+  the "addon-discovery.html" template. This is meant to be the landing page
+  when opening the web app in the Classroom add-on iframe.
+  Otherwise, renders the "authorization.html" template.
+
+  Several GET query parameters can be passed when loading in the Classroom
+  iframe. This example handles three additional parameters:
+  - itemId: The ID of the stream item the add-on is being loaded in.
+  - itemType: The type of the stream item the add-on is being loaded in.
+  - courseId: The ID of the course the add-on is being loaded in.
+  - addOnToken: A unique token provided by Classroom.
+
+  The full list of query parameters is available at
+  https://developers.google.com/classroom/add-ons/developer-guides/iframes#attachment_discovery_iframe
+  """
+
+  # Retrieve the itemId, itemType, courseId, and addOnToken query parameters.
+  if flask.request.args.get("itemId"):
+    flask.session["itemId"] = flask.request.args.get("itemId")
+  # itemType will be one of the following: "announcement", "assignment", "material".
+  # Use this value to route the user to the correct flow or to show an error message
+  # if your app only supports specific item types.
+  if flask.request.args.get("itemType"):
+    flask.session["itemType"] = flask.request.args.get("itemType")
+  if flask.request.args.get("courseId"):
+    flask.session["courseId"] = flask.request.args.get("courseId")
+  if flask.request.args.get("addOnToken"):
+    flask.session["addOnToken"] = flask.request.args.get("addOnToken")
+
+  # If the login_hint query parameter is available, we'll store it in the session.
+  if flask.request.args.get("login_hint"):
+    flask.session["login_hint"] = flask.request.args.get("login_hint")
+
+  # It's possible that we might return to this route later, in which case the
+  # parameters will not be passed in. Instead, use the login_hint cached in the session.
+  login_hint = flask.session.get("login_hint")
+
+  # If there's still no login_hint query parameter, this must be their first time signing
+  # in, so send the user to the sign in page.
+  if login_hint is None:
+    return ch.start_auth_flow("discovery_callback")
+
+  # Check if we have any stored credentials for this user.
+  credentials = ch._credential_handler.get_credentials(login_hint)
+
+  # Redirect to the authorization page if we received login_hint but don't
+  # have any stored credentials for this user. We need the refresh token
+  # specifically.
+  if credentials is None:
+    return ch.start_auth_flow("discovery_callback")
+
+  return flask.render_template(
+      "addon-discovery.html", message="You've reached the addon discovery page."
+  )
+
+
+@app.route("/test/<request_type>")
+def test_api_request(request_type="username"):
+  """
+  Tests an API request, rendering the result in the
+  "show-api-query-result.html" template.
+
+  Args:
+      request_type: The type of API request to test. Currently only "username"
+      is supported.
+  """
+
+  credentials = ch._credential_handler.get_credentials()
+  if credentials is None:
+    return ch.start_auth_flow("discovery_callback")
+
+  # Create an API client and make an API request.
+  fetched_data = ""
+
+  if request_type == "username":
+    user_info_service = googleapiclient.discovery.build(
+        serviceName="oauth2", version="v2", credentials=credentials
+    )
+
+    flask.session["username"] = user_info_service.userinfo().get().execute().get("name")
+
+    fetched_data = flask.session.get("username")
+
+  # Save credentials in case access token was refreshed.
+  flask.session["credentials"] = ch._credential_handler.session_credentials_to_dict(
+      credentials
+  )
+  ch._credential_handler.save_credentials_to_storage(credentials)
+
+  # Render the results of the API call.
+  return flask.render_template(
+      "show-api-query-result.html",
+      data=json.dumps(fetched_data, indent=2),
+      data_title=request_type,
+  )
+
+
+@app.route("/discovery-callback")
+def discovery_callback():
+  """
+  Runs upon return from the OAuth 2.0 authorization server. Fetches and stores
+  the user's credentials, including the access token, refresh token, and
+  allowed scopes.
+  """
+
+  # Specify the state when creating the flow in the callback so that it can
+  # verified in the authorization server response.
+  flow = ch.build_flow_instance("discovery_callback", flask.session["state"])
+
+  # Use the authorization server's response to fetch the OAuth 2.0 tokens.
+  authorization_response = flask.request.url
+  flow.fetch_token(authorization_response=authorization_response)
+
+  # Store credentials in the session.
+  credentials = flow.credentials
+  flask.session["credentials"] = ch._credential_handler.session_credentials_to_dict(
+      credentials
+  )
+
+  # The flow is complete!
+  # Add the credentials to our persistent storage.
+  # We'll extract the "id" value from the credentials to use as a key.
+  # This is the user's unique Google ID, and will match the login_hint
+  # query parameter in the future.
+
+  # If we've reached this point, and there is already a record in our
+  # database for this user, they must be obtaining new credentials;
+  # update the stored credentials.
+  ch._credential_handler.save_credentials_to_storage(credentials)
+
+  return flask.render_template("close-me.html", redirect_destination="classroom_addon")
+
+
+@app.route("/revoke")
+def revoke():
+  """
+  Revokes the logged in user's credentials.
+  """
+
+  if "credentials" not in flask.session:
+    return flask.render_template(
+        "addon-discovery.html",
+        message="You need to authorize before " + "attempting to revoke credentials.",
+    )
+
+  credentials = google.oauth2.credentials.Credentials(**flask.session["credentials"])
+
+  revoke = requests.post(
+      "https://oauth2.googleapis.com/revoke",
+      params={"token": credentials.token},
+      headers={"content-type": "application/x-www-form-urlencoded"},
+  )
+
+  ch._credential_handler.clear_credentials_in_session()
+
+  status_code = getattr(revoke, "status_code")
+  if status_code == 200:
+    return ch.start_auth_flow("discovery_callback")
+  else:
+    return flask.render_template(
+        "addon-discovery.html", message="An error occurred during revocation!"
+    )