Python auth for kms - google-compute-engine

I'm new to google cloud kms product, is there a tutorial on how to authenticate ( from third party server ) kms with python? The goal is to access the public key, encrypt the data ( async ). Another server will have more permissions and will be able to decrypt. I don't want to use gcloud shell client.

I solved it using the json file. I will post the code if it help someone in the future.
def encrypt_rsa(plaintext, key_name):
# get the public key
credentials = service_account.Credentials.from_service_account_file(
'the_key_file_of_service_account.json')
scoped_credentials = credentials.with_scopes(
['https://www.googleapis.com/auth/cloud-platform'])
client = kms_v1.KeyManagementServiceClient(credentials=credentials)
response = client.get_public_key(key_name)
key_txt = response.pem.encode('ascii')
public_key = serialization.load_pem_public_key(key_txt, default_backend())
# encrypt plaintext
pad = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
algorithm=hashes.SHA256(),
label=None)
plaintext = base64.urlsafe_b64encode(plaintext.encode("ascii"))
return public_key.encrypt(plaintext, pad)

Related

LoginRadius Validating access token .net core

I am trying to validate my access token (not JWT) with LoginRadius, I can do the login but after when I call my API I always get unauthorized or different errors according to my Authentication configuration, I am using like this. I believe the authority url is not correct but I couldn't find any other
services.AddAuthentication(options => {
options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect("login-radius", options => {
// Set the authority to your Auth0 domain
options.Authority = $"https://api.loginradius.com/identity/v2/auth/";
// Configure the Auth0 Client ID and Client Secret
options.ClientId = Configuration["ClientId"];
options.ClientSecret = Configuration["ClientSecret"];
// Set response type to code
options.ResponseType = OpenIdConnectResponseType.Code;
options.Scope.Clear();
options.Scope.Add("openid");
options.CallbackPath = new PathString("/callback");
options.ClaimsIssuer = "loginradius";
// Saves tokens to the AuthenticationProperties
options.SaveTokens = true;
});
I believe you are trying to setup OIDC, and to configure it, please refer to the LoginRadius docs on OIDC, as it needs few things that need to be configured in the Admin Console and the correct authority URL: https://www.loginradius.com/docs/single-sign-on/tutorial/federated-sso/openid-connect/openid-connect-overview/#otheropenidfunctionality6
Please refer to the OIDC discovery endpoint, which provides a client with configuration details about the OpenID Connect metadata of the Loginradius App.
URL Format: https://cloud-api.loginradius.com/sso/oidc/v2/{sitename}/{oidcappname}/.well-known/openid-configuration
My account didn't have access to few features

Apache HTTP Client Fluent

Hi I want to use Apache HTTP Client Fluent to create a request to download a file. I need to add Autorization Basic Auth to the request to pass in a username and password which I can't find a good example of how to do.
I can see a addHeader method but can't find good examples of how to construct it. Thanks!
So far the code i have is:
String auth = username + ":"+ token
byte[] encodedBytes = Base64.encodeBase64(auth.getBytes());
String encodedAuth = new String(encodedBytes)
URL downloadFileURL = new URL (urlbuild)
Executor executor = Executor.newInstance();
executor.execute(Request.Get(downloadFileURL.toURI())
.setHeader(HttpHeaders.AUTHORIZATION, "Basic " + encodedAuth )
.connectTimeout(1000))
.saveContent(new File(mobileAppPath + System.getProperty("file.separator") + mobileApp.name));
the problem was due to Java trying to validate the SSL certificate i used Java code below to trust all hosts before executing the request.
https://www.javatips.net/api/java.security.cert.x509certificate

Gooble Cloud KMS: code freezes on calling kms client

I want to encrypt and decrypt son values by using google cloud kms and I am using this code as example https://github.com/GoogleCloudPlatform/java-docs-samples/blob/master/kms/src/main/java/com/example/CryptFile.java
try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
// The resource name of the cryptoKey
String resourceName = CryptoKeyName.format(projectId, locationId, keyRingId, cryptoKeyId);
// Encrypt the plaintext with Cloud KMS.
EncryptResponse response = client.encrypt(resourceName, ByteString.copyFrom(plaintext));
// Extract the ciphertext from the response.
return response.getCiphertext().toByteArray();
}
When the code executes the line client.encrypt(resourceName, ByteString.copyFrom(plaintext)); it freezes and I do not get any response.
If I use gcloud command to encrypt/decrypt it works.
I run my application on App Engine standard (runtime java8) and the dependency I am using is
<dependency>
<groupId>com.google.cloud</groupId>
<artifactId>google-cloud-kms</artifactId>
<version>1.29.0</version>
</dependency>
I made some changes in my code to get credentials:
AppIdentityService appIdentityService = AppIdentityServiceFactory.getAppIdentityService();
GoogleCredentials credentials = AppEngineCredentials.newBuilder().setScopes(Arrays.asList("https://www.googleapis.com/auth/cloudkms")).
setAppIdentityService(appIdentityService).build();
FixedCredentialsProvider credentialsProvider = FixedCredentialsProvider.create(credentials);
KeyManagementServiceSettings kmsSettings = KeyManagementServiceSettings.newBuilder().setCredentialsProvider(credentialsProvider).build();
try (KeyManagementServiceClient client = KeyManagementServiceClient.create(kmsSettings)) {
But I always get "UNAUTHENTICATED: Failed computing credential metadata".
Any help?
Please let me know if I'm missing something here.
Regards
Same thing, running the code from example hags on the call to encrypt
Json auth file is set to the environment
export GOOGLE_APPLICATION_CREDENTIALS="../my.json"
User is granted the correct permission as per documentation
Cloud KMS CryptoKey Encrypter/Decrypter
Verified in debugger all 4 parameters are correct:
projectId, locationId, keyRingId, cryptoKeyId
This code hangs
try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
final String resourceName = CryptoKeyName.format(projectId, locationId, keyRingId, cryptoKeyId);
// Always Hangs here!!!!
final EncryptResponse response = client.encrypt(resourceName, ByteString.copyFromUtf8(data));
return response.getCiphertext().toString();
}

Get Google Drive file owner email address using Google Drive API V3 via python

I'm having trouble getting the owner of a file on Google Drive via the Google Drive API v3.
I could do this under v2, but things have changed.
According to the documentation I need to:
List the permissions on a file (no problem)
Find Id of the permission with the 'owner' role from that list of permissions (no problem)
Get that permission ... which should return a permissions resource which should include the email address (problem!)
Unfortunately, what I'm getting back includes some of the information, but not the email address.
I suspect that I need to change my "get" call to tell the API which fields I'm after, but I can't see how to do this.
This is what I've got (v3):
from oauth2client.service_account import ServiceAccountCredentials
from httplib2 import Http
from apiclient.discovery import build
def build_service(user):
keyfile = 'C:\Python27\Scripts\Certificates for Transfer owner script\Transfer Ownership on Drive-f240cff252af.json'
SCOPE = 'https://www.googleapis.com/auth/drive'
credentials = ServiceAccountCredentials.from_json_keyfile_name(keyfile, scopes=SCOPE).create_delegated(user)
http_auth = credentials.authorize(Http())
return build('drive', 'v2', http=http_auth)
service = build_service('lpglobaldrive#lonelyplanet.com.au')
f = service.files().get(fileId='1lASRBuAHRxEC-T0X5SdlF3w7X_168Q2QV9L0V6QaXUk').execute()
p = service.permissions().get(fileId='1lASRBuAHRxEC-T0X5SdlF3w7X_168Q2QV9L0V6QaXUk',permissionId='18137907375963748644').execute()
currentOwner = p['emailAddress']
Unfortunately I get a "KeyError: 'emailAddress'" (and if I look at the contents of "p", there's role, kind, type and id, but no email Address).
This works for me (using v2):
from oauth2client.service_account import ServiceAccountCredentials
from httplib2 import Http
from apiclient.discovery import build
def build_service(user):
keyfile = 'C:\Python27\Scripts\Certificates for Transfer owner script\Transfer Ownership on Drive-f240cff252af.json'
SCOPE = 'https://www.googleapis.com/auth/drive'
credentials = ServiceAccountCredentials.from_json_keyfile_name(keyfile, scopes=SCOPE).create_delegated(user)
http_auth = credentials.authorize(Http())
return build('drive', 'v2', http=http_auth)
service = build_service('lpglobaldrive#lonelyplanet.com.au')
f = service.files().get(fileId='1lASRBuAHRxEC-T0X5SdlF3w7X_168Q2QV9L0V6QaXUk').execute()
currentOwner = f['owners'][0]['emailAddress']
Too simple ... just needed to add the following to the get call:
,fields='emailAddress'
i.e.
currentOwner = service.permissions().get(fileId='1lASRBuAHRxEC-T0X5SdlF3w7X_168Q2QV9L0V6QaXUk',permissionId='18137907375963748644',fields='emailAddress').execute()['emailAddress']

Store access token from Google OAuth 2.0 to access drive data from application account

I am able to execute quickstart.py for Google Drive using python. But how do we store the token and use it again - again for the same user without prompting user. Is their some way i can map user with access token when sending request for file on Google drive.
There are many different Storage types offered by google-api-python-client, some of which are well documented.
Some examples:
oauth2client.file.Storage:
from oauth2client.file import Storage
...
storage = Storage('a_credentials_file')
storage.put(credentials)
...
credentials = storage.get()
oauth2client.keyring_storage.Storage:
from oauth2client.keyring_storage import Storage
...
storage = Storage('application name', 'user name')
storage.put(credentials)
...
credentials = storage.get()
oauth2client.appengine.StorageByKeyName:
from oauth2client.keyring_storage import StorageByKeyName
from oauth2client.keyring_storage import CredentialsNDBModel
...
storage = StorageByKeyName(CredentialsNDBModel, some_user_id, 'credentials')
storage.put(credentials)
...
credentials = storage.get()
oauth2client.django_orm.Storage:
from django.contrib.auth.models import User
from oauth2client.django_orm import Storage
from your_project.your_app.models import CredentialsModel
...
user = # A User object usually obtained from request.
storage = Storage(CredentialsModel, 'id', user, 'credential')
credential = storage.get()
...
storage.put(credential)
I think you should give credit to bossylobster for a more complete answer, but based on your comment, which is precisely my setup, I've augmented the quickstart.py using the Storage class:
#!/usr/bin/python
import httplib2
import pprint
from apiclient.discovery import build
from apiclient.http import MediaFileUpload
from oauth2client.client import OAuth2WebServerFlow
from oauth2client.file import Storage
# Copy your credentials from the console
CLIENT_ID = 'PASTE_YOUR_ID'
CLIENT_SECRET = 'PASTE_YOUR_SECRET'
# Check https://developers.google.com/drive/scopes for all available scopes
OAUTH_SCOPE = 'https://www.googleapis.com/auth/drive'
# Redirect URI for installed apps
REDIRECT_URI = 'urn:ietf:wg:oauth:2.0:oob'
# Create a credential storage object. You pick the filename.
storage = Storage('a_credentials_file')
# Attempt to load existing credentials. Null is returned if it fails.
credentials = storage.get()
# Only attempt to get new credentials if the load failed.
if not credentials:
# Run through the OAuth flow and retrieve credentials
flow = OAuth2WebServerFlow(CLIENT_ID, CLIENT_SECRET, OAUTH_SCOPE, REDIRECT_URI)
authorize_url = flow.step1_get_authorize_url()
print 'Go to the following link in your browser: ' + authorize_url
code = raw_input('Enter verification code: ').strip()
credentials = flow.step2_exchange(code)
storage.put(credentials)
# Create an httplib2.Http object and authorize it with our credentials
http = httplib2.Http()
http = credentials.authorize(http)
drive_service = build('drive', 'v2', http=http)
# Use 'drive_service' for all of the API calls