Reputation: 99
I am trying to get information from the Google Admin SDK API about all my clients who haven't turned on 2-step verification, and I have a problem with authentication through Google OAuth2 in my Ruby script. The server on which I run the script has no GUI, so it can't run a web browser. My script:
```ruby
require 'google/api_client'
require 'google/api_client/client_secrets'
require 'google/api_client/auth/installed_app'
require 'google/api_client/auth/storage'
require 'google/api_client/auth/storages/file_store'
require 'fileutils'
require 'date'
require 'googleauth'
require 'openssl'

# Redefines the constant, which disables TLS certificate verification process-wide
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE

APPLICATION_NAME = '2stepauthcheck'
SERVICE_ACCOUNT_EMAIL_ADDRESS = '[email protected]' # looks like [email protected]
PATH_TO_KEY_FILE = './2stepauthcheckp12.p12' # the path to the downloaded .p12 key file
date3 = (Date.today - 3)

client = Google::APIClient.new(:application_name => APPLICATION_NAME)
client.authorization = Signet::OAuth2::Client.new(
  :token_credential_uri => 'https://accounts.google.com/o/oauth2/token',
  :audience => 'https://accounts.google.com/o/oauth2/token',
  :scope => 'https://www.googleapis.com/auth/admin.reports.usage.readonly',
  :issuer => SERVICE_ACCOUNT_EMAIL_ADDRESS,
  :signing_key => Google::APIClient::PKCS12.load_key(PATH_TO_KEY_FILE, 'notasecret')
).tap { |auth| auth.fetch_access_token! }

reports_api = client.discovered_api('admin', 'reports_v1')

def email_send(email)
  puts "Sending email"
  # remove the @domain part of the address and build a display name: capitalized words separated by a space
  realname = email.sub(/@.*?$/, '').to_s.gsub(/(\S+)\.(\S+)/){ $1.to_s.capitalize + " " + $2.to_s.capitalize }
  # send emails
  Mail.defaults {
    delivery_method :smtp, :address => "smtp.gmail.com",
                           :port => 587,
                           :user_name => '[email protected]',
                           :password => '123password',
                           :enable_ssl => true
  }
  mail = Mail.new {
    to "#{email}"
    from '[email protected]'
    subject '2 factor auth notification'
    text_part {
      body "Hi, #{realname} Turn on 2 factor authentication pls.\n"
    }
  }
  mail.deliver
  puts "Email sent"
end

# Put emails without 2-step verification into the send_list array.
results = client.execute!(
  :api_method => reports_api.user_usage_report.get,
  :parameters => { :userKey => 'all',
                   :date => date3.to_s,
                   :filds => 'parameters, entity',
                   :parameters => 'accounts:is_2sv_enrolled'})

black_list = [ "[email protected]"]
send_list = []

results.data.usageReports.each do |user|
  user.parameters.each do |parameter|
    unless parameter['boolValue']
      send_list << user.entity.user_email
    end
  end
end

send_list.each do |email|
  if black_list.include?(email)
    next
  end
  puts email
  # email_send(email)
end
```
and I get this output:
```
/Users/val/.rvm/rubies/ruby-2.0.0-p481/bin/ruby -e $stdout.sync=true;$stderr.sync=true;load($0=ARGV.shift) /Users/val/Documents/projects/2authcheck2.rb
/Users/val/Documents/projects/2authcheck2.rb:12: warning: already initialized constant OpenSSL::SSL::VERIFY_PEER
/Users/val/.rvm/rubies/ruby-2.0.0-p481/lib/ruby/site_ruby/2.0.0/rubygems/core_ext/kernel_require.rb:126: warning: previous definition of VERIFY_PEER was here
/Users/val/.rvm/gems/ruby-2.0.0-p481/gems/google-api-client-0.8.6/lib/google/api_client.rb:662:in `block (2 levels) in execute!': Caller does not have access to the customers reporting data. (Google::APIClient::ClientError)
        from /Users/val/.rvm/gems/ruby-2.0.0-p481/gems/retriable-1.4.1/lib/retriable/retry.rb:27:in `perform'
        from /Users/val/.rvm/gems/ruby-2.0.0-p481/gems/retriable-1.4.1/lib/retriable.rb:15:in `retriable'
        from /Users/val/.rvm/gems/ruby-2.0.0-p481/gems/google-api-client-0.8.6/lib/google/api_client.rb:645:in `block in execute!'
        from /Users/val/.rvm/gems/ruby-2.0.0-p481/gems/retriable-1.4.1/lib/retriable/retry.rb:27:in `perform'
        from /Users/val/.rvm/gems/ruby-2.0.0-p481/gems/retriable-1.4.1/lib/retriable.rb:15:in `retriable'
        from /Users/val/.rvm/gems/ruby-2.0.0-p481/gems/google-api-client-0.8.6/lib/google/api_client.rb:636:in `execute!'
        from /Users/val/Documents/projects/devops-utils/it/2authcheck2.rb:92:in `<top (required)>'
        from -e:1:in `load'
        from -e:1:in `<main>'
Process finished with exit code 1
```
In https://console.developers.google.com the Admin SDK is enabled and the project 2stepauthcheck has service accounts (in the admin console, under Authorized API clients, it is associated with this API scope: https://www.googleapis.com/auth/admin.directory.user.readonly).
So my question is: why can't it access the customers' reporting data?
Upvotes: 1
Views: 716
Reputation: 99
Following Gerardo's advice, I made several changes. Here is a fully working script:
```ruby
# This script connects to the Admin Reports API and sends an email notification that two-factor
# authentication should be turned on; it uses OAuth 2.0 for server-to-server applications.
require 'google/api_client'
require 'google/api_client/client_secrets'
require 'google/api_client/auth/installed_app'
require 'google/api_client/auth/storage'
require 'google/api_client/auth/storages/file_store'
require 'fileutils'
require 'date'
require 'googleauth'
require 'mail'
require 'openssl'

# TLS certificate verification is left at its default (VERIFY_PEER); the constant is not
# redefined to VERIFY_NONE, so the token and API endpoints are authenticated.

# variables
date3 = (Date.today - 3)
APPLICATION_NAME = 'app_name' # name of the project in the developers console https://console.developers.google.com/project
SERVICE_ACCOUNT_EMAIL_ADDRESS = '[email protected]' # email address from developers console -> apis&auth -> credential -> service accounts; should look like [email protected]
PATH_TO_KEY_FILE = './key.p12' # the path to the downloaded .p12 key file
CLIENT_ID = 'clientID.apps.googleusercontent.com' # from developers console
SCOPE = 'https://www.googleapis.com/auth/admin.reports.usage.readonly' # from https://developers.google.com/oauthplayground/
EMAIL = '[email protected]' # email under which the credential was created
key = Google::APIClient::KeyUtils.load_from_pkcs12(PATH_TO_KEY_FILE, 'notasecret') # make a key from the .p12

# blacklisted email addresses
black_list = [ "[email protected]", "[email protected]"]
send_list = [] # empty array for emails from the API call results

# get the environment configured authorization
client = Google::APIClient.new({
  application_name: APPLICATION_NAME
})

# make authorization; :sub is the user the service account acts on behalf of
client.authorization = Signet::OAuth2::Client.new(
  :token_credential_uri => 'https://accounts.google.com/o/oauth2/token',
  :audience => 'https://accounts.google.com/o/oauth2/token',
  :scope => SCOPE,
  :issuer => SERVICE_ACCOUNT_EMAIL_ADDRESS,
  :sub => EMAIL,
  :signing_key => key)
client.authorization.fetch_access_token!

# api discovery
reports_api = client.discovered_api('admin', 'reports_v1')

# send emails method
def email_send(email)
  puts "Sending email"
  # remove the @domain part of the address and build a display name: capitalized words separated by a space
  realname = email.sub(/@.*?$/, '').to_s.gsub(/(\S+)\.(\S+)/){ $1.to_s.capitalize + " " + $2.to_s.capitalize }
  # send emails
  Mail.defaults {
    delivery_method :smtp, :address => "smtp.gmail.com",
                           :port => 587,
                           :user_name => '[email protected]',
                           :password => 'pass', # placeholder; keep the real password out of the script
                           :enable_ssl => true
  }
  mail = Mail.new {
    to "#{email}"
    from '[email protected]'
    subject '2 factor auth notification'
    text_part {
      body "Dear #{realname},\n
it looks as if you have not turned on the two-factor authentication.
Please see the link to activation: https://accounts.google.com/SmsAuthConfig.\n"
    }
  }
  mail.deliver
  puts "Email sent"
end

# make call to api
results = client.execute!(
  :api_method => reports_api.user_usage_report.get,
  :parameters => { :userKey => 'all',
                   :date => date3.to_s,
                   :filds => 'parameters, entity',
                   :parameters => 'accounts:is_2sv_enrolled'})

# put emails without 2-step verification into the send_list array
results.data.usageReports.each do |user|
  user.parameters.each do |parameter|
    unless parameter['boolValue']
      send_list << user.entity.user_email
    end
  end
end

# send notifications, excluding emails on the blacklist
send_list.each do |email|
  if black_list.include?(email)
    next
  end
  puts email
  email_send(email)
end
```
Upvotes: 1
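The working script differs from the first one in the `:sub` entry of the Signet client, and the question lists an authorized scope that is not the one the script requests. The following added example (not code from either post) builds the JWT assertion a service account sends to the token endpoint and checks both conditions offline; the generated key, the `example.invalid` addresses and the `build_assertion`/`preflight` helpers are constructed for illustration.

```ruby
require 'openssl'
require 'json'
require 'base64'

TOKEN_URI = 'https://accounts.google.com/o/oauth2/token' # audience used on the page

def b64url(data)
  Base64.urlsafe_encode64(data).delete('=')
end

# Build the signed JWT assertion a service account posts to the token endpoint.
# `sub` is the user to impersonate; nil means the token acts as the service account itself.
def build_assertion(key, issuer:, scope:, sub: nil, now: Time.now.to_i)
  claims = { iss: issuer, scope: scope, aud: TOKEN_URI, iat: now, exp: now + 3600 }
  claims[:sub] = sub if sub
  parts = [{ alg: 'RS256', typ: 'JWT' }, claims].map { |p| b64url(JSON.generate(p)) }
  signing_input = parts.join('.')
  signature = key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Decode the claims and list delegation problems before any API call is made.
# `authorized_scopes` is what the admin console lists for this client (entered by hand).
def preflight(assertion, public_key, authorized_scopes)
  head, body, sig = assertion.split('.')
  ok = public_key.verify(OpenSSL::Digest.new('SHA256'),
                         Base64.urlsafe_decode64(sig), "#{head}.#{body}")
  claims = JSON.parse(Base64.urlsafe_decode64(body))
  problems = []
  problems << 'signature does not verify' unless ok
  problems << 'no sub claim: token acts as the service account, not an admin user' unless claims['sub']
  missing = claims['scope'].to_s.split - authorized_scopes
  problems << "scope not authorized for this client: #{missing.join(', ')}" unless missing.empty?
  problems
end

# Constructed sample values; the key is generated here and is not a real .p12 key.
KEY = OpenSSL::PKey::RSA.new(2048)
REPORTS = 'https://www.googleapis.com/auth/admin.reports.usage.readonly'
DIRECTORY = 'https://www.googleapis.com/auth/admin.directory.user.readonly'
before = build_assertion(KEY, issuer: 'svc@example.invalid', scope: REPORTS)
after  = build_assertion(KEY, issuer: 'svc@example.invalid', scope: REPORTS, sub: 'admin@example.invalid')
puts preflight(before, KEY.public_key, [DIRECTORY])
puts preflight(after, KEY.public_key, [REPORTS]).empty? ? 'after: ok' : 'after: problems'
```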