-
Notifications
You must be signed in to change notification settings - Fork 11
/
Copy pathgroups.scala
83 lines (75 loc) · 3.5 KB
/
groups.scala
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
package com.gu.googleauth
import java.security.PrivateKey
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport
import com.google.api.client.json.gson.GsonFactory
import com.google.api.services.directory.{Directory, DirectoryScopes}
import com.google.auth.http.HttpCredentialsAdapter
import com.google.auth.oauth2.ServiceAccountCredentials
import scala.jdk.CollectionConverters._
import scala.concurrent._
/**
* A Service Account calls Google APIs on behalf of your application instead of an end-user.
* https://developers.google.com/identity/protocols/OAuth2#serviceaccount
*
* You can create a service account in the Google Developers Console:
*
* https://developers.google.com/identity/protocols/OAuth2ServiceAccount#creatinganaccount
*
* @param email email address of the Service Account
* @param privateKey the Service Account's private key - from the P12 file generated when the Service Account was created
* @param impersonatedUser the email address of the user the application will be impersonating
*/
@deprecated("Use com.google.auth.oauth2.ServiceAccountCredentials instead", "play-googleauth 2.1.0")
case class GoogleServiceAccount(
email: String,
privateKey: PrivateKey,
impersonatedUser: String
)
/**
* The Directory API can tell you what groups (ie Google Group) a user is in.
*
* You can use a Service Account to access the Directory API (in fact, non-Service access, ie web-user,
* doesn't seem to work?). The Service Account needs the following scope:
* https://www.googleapis.com/auth/admin.directory.group.readonly
*
* So long as you have the Service Account certificate as a string, you can easily make
* an instance of com.google.auth.oauth2.ServiceAccountCredentials like this:
*
* {{{
* import org.apache.commons.io.Charsets.UTF_8
* import org.apache.commons.io.IOUtils
* import com.google.auth.oauth2.ServiceAccountCredentials
*
* val serviceAccountCert: String = ... // certificate from Google Developers Console
* val credentials = ServiceAccountCredentials.fromStream(IOUtils.toInputStream(serviceAccountCert, UTF_8))
* }}}
*
* @param impersonatedUser a separate domain-user account email address (eg '[email protected]'), the email address
* of the user the application will be impersonating when making calls.
*/
class GoogleGroupChecker(impersonatedUser: String, serviceAccountCredentials: ServiceAccountCredentials) {
@deprecated(
"this constructor is deprecated, use the constructor accepting com.google.auth.oauth2.ServiceAccountCredentials instead",
"play-googleauth 2.1.0"
)
def this(googleServiceAccount: GoogleServiceAccount) = {
this(
googleServiceAccount.impersonatedUser,
ServiceAccountCredentials.newBuilder()
.setPrivateKey(googleServiceAccount.privateKey)
.setServiceAccountUser(googleServiceAccount.email)
.build()
)
}
val directoryService: Directory = {
val credentials = serviceAccountCredentials
.createDelegated(impersonatedUser)
.createScoped(DirectoryScopes.ADMIN_DIRECTORY_GROUP_READONLY)
val transport = GoogleNetHttpTransport.newTrustedTransport()
val jsonFactory = GsonFactory.getDefaultInstance
new Directory.Builder(transport, jsonFactory, new HttpCredentialsAdapter(credentials)).build
}
def retrieveGroupsFor(userEmail: String)(implicit ec: ExecutionContext): Future[Set[String]] = for {
resp <- Future { blocking { directoryService.groups.list.setUserKey(userEmail).execute() } }
} yield resp.getGroups.asScala.map(_.getEmail).toSet
}