# Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. # The ASF licenses this file to You under the Apache License, Version 2.0 # (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. from rich import print as rprint from rich.panel import Panel from rich.text import Text from pick import pick import typer from airavata_mft_sdk import mft_client from airavata_mft_sdk.gcs import GCSCredential_pb2 from airavata_mft_sdk.gcs import GCSStorage_pb2 from airavata_mft_sdk import MFTTransferApi_pb2 from airavata_mft_sdk import MFTAgentStubs_pb2 from airavata_mft_sdk.common import StorageCommon_pb2 import json import configparser import os import base64 import google.auth import googleapiclient.discovery import sys sys.path.append('../airavata_mft_cli') from airavata_mft_cli import config as configcli gcs_key_path = '.mft/keys/gcs/service_account_key.json' def handle_add_storage(): options = ["Through Google Cloud SDK config file", "Enter manually"] option, index = pick(options, "How do you want to load credentials", indicator="=>") if index == 1: # Manual configuration text_msg = ("MFT uses service accounts to gain access to Google Cloud. " "\n 1) You can create a service account by going to https://console.cloud.google.com/iam-admin/serviceaccounts." "\n 2) Download the JSON format of the service account key." "\n 3) Use that downloaded Service Account Credential JSON file to access Google storage." "\nMore information about service accounts can be found here https://cloud.google.com/iam/docs/service-accounts") panel = Panel.fit(Text(text_msg, justify="left")) rprint(panel) credential_json_path = typer.prompt("Service Account Credential JSON path") with open(credential_json_path) as json_file: sa_entries = json.load(json_file) client_id = sa_entries['client_id'] client_email = sa_entries['client_email'] client_secret = sa_entries['private_key'] project_id = sa_entries['project_id'] else: # Loading credentials from the gcloud cli config file service_account = None client_email = None default_service_account_name = 'mft-gcs-serviceaccount' # Find the active config for Google cloud ADC active_config_path = os.path.join(os.path.expanduser('~'), '.config/gcloud/active_config') with open(active_config_path) as f: active_config = f.readline() print('Active config : ' + active_config) # Load default project config = configparser.RawConfigParser() default_project_path = os.path.join(os.path.expanduser('~'), '.config/gcloud/configurations/config_' + active_config) config.read(default_project_path) project_id = config['core']['project'] account_email = config['core']['account'] print('Project ID : ' + project_id) print(account_email) default_service_account_email = (default_service_account_name + '@' + project_id + '.iam.gserviceaccount.com') path = os.path.join(os.path.expanduser('~'), gcs_key_path) if os.path.exists(path): with open(path, 'r') as config_file: config_data = json.load(config_file) client_id = config_data['client_id'] client_email = config_data['client_email'] project_id = config_data['project_id'] client_secret = config_data['private_key'] print('Client email : ', client_email) if client_email is None or client_email != default_service_account_email: inferred_cred, inferred_project = google.auth.default(active_config) service_acc_list = list_service_accounts(project_id=project_id, credentials=inferred_cred) service_account_available = any(x['email'] == default_service_account_email for x in service_acc_list['accounts']) print('Service account availability : ', service_account_available) if service_account_available: # Already have a service account for mft, But no key get_service_account_key(credentials=inferred_cred, service_account_email=default_service_account_email) else: # No service account for mft # Read OAuth credentials and create the service account service_account = create_service_account(project_id, default_service_account_name, 'Airavata MFT Service Account', credentials=inferred_cred) # Load service account details again if os.path.exists(path): with open(path, 'r') as config_file: config_data = json.load(config_file) client_id = config_data['client_id'] client_email = config_data['client_email'] project_id = config_data['project_id'] client_secret = config_data['private_key'] else: print("No credential found in ~/" + gcs_key_path + " file") exit() client = mft_client.MFTClient(transfer_api_port = configcli.transfer_api_port, transfer_api_secured = configcli.transfer_api_secured, resource_service_host = configcli.resource_service_host, resource_service_port = configcli.resource_service_port, resource_service_secured = configcli.resource_service_secured, secret_service_host = configcli.secret_service_host, secret_service_port = configcli.secret_service_port) gcs_secret = GCSCredential_pb2.GCSSecret(clientEmail=client_email, privateKey=client_secret, projectId=project_id) secret_wrapper = MFTAgentStubs_pb2.SecretWrapper(gcs=gcs_secret) gcs_storage = GCSStorage_pb2.GCSStorage() storage_wrapper = MFTAgentStubs_pb2.StorageWrapper(gcs=gcs_storage) direct_req = MFTAgentStubs_pb2.GetResourceMetadataRequest(resourcePath="", secret=secret_wrapper, storage=storage_wrapper) resource_medata_req = MFTTransferApi_pb2.FetchResourceMetadataRequest(directRequest=direct_req) metadata_resp = client.transfer_api.resourceMetadata(resource_medata_req) bucket_options = ["Manually Enter"] bucket_list = metadata_resp.directory.directories if len(bucket_list) > 0: for b in bucket_list: bucket_options.append(b.friendlyName) title = "Select the Bucket: " selected_bucket, index = pick(bucket_options, title, indicator="=>") if index == 0: selected_bucket = typer.prompt("Enter bucket name ") storage_name = typer.prompt("Name of the storage ", selected_bucket) gcs_storage_create_req = GCSStorage_pb2.GCSStorageCreateRequest(storageId=storage_name, bucketName=selected_bucket, name=storage_name) created_storage = client.gcs_storage_api.createGCSStorage(gcs_storage_create_req) secret_create_req = GCSCredential_pb2.GCSSecretCreateRequest(clientEmail=client_id, privateKey=client_secret, projectId=project_id) created_secret = client.gcs_secret_api.createGCSSecret(secret_create_req) secret_for_storage_req = StorageCommon_pb2.SecretForStorage(storageId=created_storage.storageId, secretId=created_secret.secretId, storageType=StorageCommon_pb2.StorageType.GCS) client.common_api.registerSecretForStorage(secret_for_storage_req) print("Successfully added the GCS Bucket...") def list_service_accounts(project_id, credentials): """Lists all service accounts for the current project.""" service = googleapiclient.discovery.build('iam', 'v1', credentials=credentials) service_accounts = service.projects().serviceAccounts().list(name='projects/' + project_id).execute() # for account in service_accounts['accounts']: # print('Name: ' + account['name']) # print('Email: ' + account['email']) # print(' ') return service_accounts def create_service_account(project_id, name, display_name, credentials): """Creates a service account.""" service = googleapiclient.discovery.build('iam', 'v1', credentials=credentials) my_service_account = service.projects().serviceAccounts().create( name='projects/' + project_id, body={ 'accountId': name, 'serviceAccount': { 'displayName': display_name } }).execute() print('Created service account: ' + my_service_account['email']) resource_service = googleapiclient.discovery.build('cloudresourcemanager', 'v1', credentials=credentials) policy = resource_service.projects().getIamPolicy(resource=project_id).execute() account_handle = f"serviceAccount:{my_service_account['email']}" # Add policy modified = False roles = [role["role"] for role in policy["bindings"]] target_role = "roles/storage.admin" # Service account role which can transfer GCS files if target_role not in roles: for role in policy["bindings"]: if role["role"] == target_role: if account_handle not in role["members"]: role["members"].append(account_handle) modified = True else: # role does not exist policy["bindings"].append({"role": target_role, "members": [account_handle]}) modified = True if modified: # execute policy change resource_service.projects().setIamPolicy(resource=project_id, body={"policy": policy}).execute() # Generate a Service account key get_service_account_key(credentials, my_service_account['email']) return my_service_account def get_service_account_key(credentials, service_account_email): """Creates a key for a service account.""" key_path = os.path.join(os.path.expanduser('~'), gcs_key_path) service = googleapiclient.discovery.build('iam', 'v1', credentials=credentials) # write key file if not os.path.exists(key_path): # list existing keys keys = service.projects().serviceAccounts().keys().list(name="projects/-/serviceAccounts/" + service_account_email).execute() # cannot have more than 10 keys per service account if len(keys["keys"]) >= 10: raise ValueError(f"Service account {service_account_email} has too many keys. Make sure to copy keys to {key_path} or create a new service account.") # create key key = (service.projects().serviceAccounts().keys().create(name="projects/-/serviceAccounts/" + service_account_email, body={}).execute()) print("New Key generated ...") # create service key files os.makedirs(os.path.dirname(key_path), exist_ok=True) json_key_file = base64.b64decode(key["privateKeyData"]).decode("utf-8") open(key_path, "w").write(json_key_file) else: print("Please backup the existing in service_account_key file ~/" + gcs_key_path + " to create new key file") exit() return key_path