
Google Apps for Work ドメインと統合するアプリケーションがあり、oauth 1 から oauth 2 に移行する必要があります。

これは、次のことを単純に要求するサーバー アプリケーションです。

  1. ドメイン内のすべてのグループを一覧表示します。
  2. 指定したグループのユーザーを一覧表示します。
  3. 指定したグループにメンバーを追加します。
  4. 指定したグループからメンバーを削除します。

上記を考えると、これはサービス アカウントを使用して行う必要があると思います。サービス アカウントを作成し、P12 トークンをダウンロードし (P12 と JSON トークンの違いは何ですか?)、開発者コンソールで Admin SDK API を有効にしました。ドメインのコントロール パネルで API アクセスを有効にし、サービス アカウントに関連付けられたクライアント ID に対してスコープ https://www.googleapis.com/auth/admin.directory.group.member を許可しました。

グループに対していくつかのランダムな操作を試みましたが、「権限が不十分です」という応答が返されます。

{
  "code" : 403,
  "errors" : [ {
    "domain" : "global",
    "message" : "Insufficient Permission",
    "reason" : "insufficientPermissions"
  } ],
  "message" : "Insufficient Permission"
}

とにかく、まず、上記の操作を正しく実装するために必要なコードの助けを探しています。次に、権限の問題が残っているかどうかを確認します。

import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.Collections;

import org.apache.commons.httpclient.HttpException;

import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.admin.directory.Directory;
import com.google.api.services.admin.directory.model.Group;
import com.google.api.services.admin.directory.model.Groups;
import com.google.api.services.admin.directory.model.Users;

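public class GoogleAppsService {

    /** Classpath location of the downloaded P12 service-account key; keep the file out of source control. */
    private static final String P12_RESOURCE = "/google_apps/google-apps-key.p12";
    /** Password Google sets on every downloaded P12 keystore; the key material, not this string, is the secret. */
    private static final String P12_PASSWORD = "notasecret";
    /** Alias under which the downloaded P12 keystore stores the private key. */
    private static final String P12_KEY_ALIAS = "privatekey";

    /** Service-account client id as shown in the developer console (an identifier, not a secret). */
    private static final String SERVICE_ACCOUNT_ID =
            "179997031769-pf4t5hifo7dmtbqul1dbl9rulneijl7o@developer.gserviceaccount.com";
    /**
     * Domain admin impersonated through domain-wide delegation (placeholder - replace with a real
     * admin address). A service account is not a user of the domain, so without this the Directory
     * API answers 403 "Insufficient Permission" even when the scope is correct.
     */
    private static final String SERVICE_ACCOUNT_USER = "EMAIL_ADDRESS_OF_ADMIN_ACCOUNT_ON_GOOGLE_APPS";
    /**
     * Scope covering groups().list()/get() as well as the members() resource. The narrower
     * admin.directory.group.member scope only authorises member operations, so group listing
     * fails with 403 under it. Whatever scope is used here must also be the one allowed for this
     * client id in the domain control panel.
     */
    private static final String GROUP_SCOPE = "https://www.googleapis.com/auth/admin.directory.group";
    /** Customer alias meaning "the domain of the impersonated admin"; groups().list() requires a customer or domain. */
    private static final String MY_CUSTOMER = "my_customer";
    private static final String APPLICATION_NAME = "xyz";

    // Shared by every request built by this instance.
    HttpTransport httpTransport;
    JsonFactory jsonFactory;

    /**
     * Creates the HTTP transport and JSON factory used for all Directory calls.
     *
     * @throws GeneralSecurityException if the trusted transport cannot be initialised
     * @throws IOException if the trusted transport cannot be initialised
     */
    public GoogleAppsService() throws GeneralSecurityException, IOException {
        httpTransport = GoogleNetHttpTransport.newTrustedTransport();
        jsonFactory = JacksonFactory.getDefaultInstance();
    }

    /**
     * Builds a service-account credential that acts for {@link #SERVICE_ACCOUNT_USER} with
     * {@link #GROUP_SCOPE}.
     *
     * @return a credential ready to be handed to the Directory builder
     * @throws IOException if the P12 resource is missing or unreadable
     * @throws GeneralSecurityException if the keystore cannot be opened or holds no private key
     * @throws HttpException never thrown here; kept so existing callers that catch it still compile
     */
    public GoogleCredential getCredentials() throws HttpException, IOException, GeneralSecurityException {
        PrivateKey privateKey = loadServiceAccountKey();

        return new GoogleCredential.Builder()
                .setTransport(httpTransport)
                .setJsonFactory(jsonFactory)
                .setServiceAccountId(SERVICE_ACCOUNT_ID)
                .setServiceAccountUser(SERVICE_ACCOUNT_USER)
                .setServiceAccountScopes(Collections.singleton(GROUP_SCOPE))
                .setServiceAccountPrivateKey(privateKey)
                .build();
    }

    /**
     * Loads the private key from the P12 resource using the JDK keystore API.
     * Reading the resource as a stream (rather than {@code getResource().getPath()})
     * also works when the application is packaged in a jar, where the resource has no file path.
     */
    private PrivateKey loadServiceAccountKey() throws IOException, GeneralSecurityException {
        try (InputStream in = getClass().getResourceAsStream(P12_RESOURCE)) {
            if (in == null) {
                // getResourceAsStream returns null for a missing resource; fail with a clear message, not an NPE.
                throw new IOException("Service-account key not found on classpath: " + P12_RESOURCE);
            }
            KeyStore keyStore = KeyStore.getInstance("PKCS12");
            keyStore.load(in, P12_PASSWORD.toCharArray());
            Key key = keyStore.getKey(P12_KEY_ALIAS, P12_PASSWORD.toCharArray());
            if (!(key instanceof PrivateKey)) {
                throw new GeneralSecurityException("No private key under alias '" + P12_KEY_ALIAS + "' in " + P12_RESOURCE);
            }
            return (PrivateKey) key;
        }
    }

    /** Builds a Directory client with a fresh credential from {@link #getCredentials()}. */
    private Directory newDirectory() throws HttpException, IOException, GeneralSecurityException {
        return new Directory.Builder(httpTransport, jsonFactory, getCredentials())
                .setApplicationName(APPLICATION_NAME)
                .build();
    }

    /**
     * Prints id, email and aliases of every group in the domain, following page tokens so
     * domains with more groups than one page holds are listed completely.
     *
     * @throws Exception on any API or authentication failure (a 403 here means the scope or
     *         the impersonated admin is not set up for this client id)
     */
    public void listGroups() throws Exception {
        Directory directory = newDirectory();

        String pageToken = null;
        do {
            Groups page = directory.groups().list()
                    .setCustomer(MY_CUSTOMER)
                    .setPageToken(pageToken)
                    .execute();
            if (page.getGroups() != null) {
                for (Group group : page.getGroups()) {
                    System.out.println(group.getId() + "\t" + group.getEmail() + "\t" + group.getAliases());
                }
            }
            pageToken = page.getNextPageToken();
        } while (pageToken != null);
    }

    /**
     * Prints the first page of members of the given group as returned by the API; each entry
     * carries the member's email. Large groups may have further pages (nextPageToken).
     *
     * @param groupName the group's email address or id
     * @throws Exception on any API or authentication failure
     */
    public void listUsers(String groupName) throws Exception {
        Directory directory = newDirectory();
        System.out.println(directory.members().list(groupName).execute());
    }

    /**
     * Adds a member to a group. Not implemented yet: this needs a
     * {@code com.google.api.services.admin.directory.model.Member} with the email set, passed to
     * {@code directory.members().insert(groupname, member).execute()}.
     *
     * @param groupname the group's email address or id
     * @param emailAddress the address to add
     * @throws UnsupportedOperationException always, so a caller is never silently ignored
     */
    public void addUser(String groupname, String emailAddress) throws Exception {
        throw new UnsupportedOperationException(
                "addUser not implemented: use directory.members().insert(groupname, member)");
    }

    /**
     * Removes a member from a group. The API reports a member that is not in the group as an
     * error, which is propagated to the caller.
     *
     * @param groupName the group's email address or id
     * @param emailAddress the member's address
     * @throws Exception on any API or authentication failure
     */
    public void removeUser(String groupName, String emailAddress) throws Exception {
        Directory directory = newDirectory();
        directory.members().delete(groupName, emailAddress).execute();
    }

    /**
     * Lists the domain's groups. Failures propagate so the process exits non-zero instead of
     * printing a stack trace and returning 0, which hid authentication problems from scripts.
     */
    public static void main(String[] args) throws Exception {
        GoogleAppsService service = new GoogleAppsService();
        service.listGroups();
    }
}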



さて、最終的に、以下の完全なソリューションでこれを動作させることができました。重要なのは、サービス アカウント ユーザー (Google Apps アカウントの管理者ユーザーのメール アドレス) を指定することと、グループの一覧を取得する際に setCustomer("my_customer") を呼び出すことでした。

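public class GoogleAppsService {

    private static final Logger LOGGER = Logger.getLogger(GoogleAppsService.class);

    /** Service-account client id ("...@developer.gserviceaccount.com"); placeholder, set per deployment. */
    private static final String SERVICE_ACCOUNT_ID = "SERVICE_ACCOUNT_KEY";
    /**
     * Domain admin impersonated through domain-wide delegation. The service account itself is not
     * a user of the domain; without this the Directory API answers 403 "Insufficient Permission".
     */
    private static final String SERVICE_ACCOUNT_USER = "EMAIL_ADDRESS_OF_ADMIN_ACCOUNT_ON_GOOGLE_APPS";
    private static final String APPLICATION_NAME = "APP_NAME";

    /** Classpath location of the P12 service-account key; keep the file out of source control. */
    private static final String P12_RESOURCE = "/google_apps/google-apps-key.p12";
    /** Fixed password Google sets on downloaded P12 keystores; the key material is the secret, not this string. */
    private static final String P12_PASSWORD = "notasecret";
    /** Alias of the private key inside the downloaded P12 keystore. */
    private static final String P12_KEY_ALIAS = "privatekey";
    /** Customer alias meaning "the domain of the impersonated admin"; groups().list() needs a customer or domain. */
    private static final String MY_CUSTOMER = "my_customer";
    /** Shown in log lines in place of a group's address when no group was loaded. */
    private static final String NO_GROUP = "! no group loaded";

    private HttpTransport httpTransport;
    private JsonFactory jsonFactory;

    // Addresses of the two mailing-list groups this service manages; injected through the setters.
    private String googleAppsAllEmailListName;
    private String googleAppsCommitteeEmailListName;

    /**
     * Creates the HTTP transport and JSON factory shared by all Directory calls.
     *
     * @throws GeneralSecurityException if the trusted transport cannot be initialised
     * @throws IOException if the trusted transport cannot be initialised
     */
    public GoogleAppsService() throws GeneralSecurityException, IOException {
        httpTransport = GoogleNetHttpTransport.newTrustedTransport();
        jsonFactory = JacksonFactory.getDefaultInstance();
    }

    /**
     * Builds a Directory client authenticated as the service account acting for
     * {@link #SERVICE_ACCOUNT_USER} with the ADMIN_DIRECTORY_GROUP scope, which covers both the
     * groups() and members() resources.
     *
     * @throws IOException if the key resource is missing or unreadable
     * @throws GeneralSecurityException if the keystore cannot be opened or holds no usable key
     * @throws HttpException never thrown here; kept so existing callers that catch it still compile
     */
    protected Directory getDirectory() throws HttpException, IOException, GeneralSecurityException {
        PrivateKey privateKey = loadServiceAccountKey();

        GoogleCredential credentials = new GoogleCredential.Builder()
                .setTransport(httpTransport)
                .setJsonFactory(jsonFactory)
                .setServiceAccountId(SERVICE_ACCOUNT_ID)
                .setServiceAccountScopes(Arrays.asList(DirectoryScopes.ADMIN_DIRECTORY_GROUP))
                .setServiceAccountUser(SERVICE_ACCOUNT_USER)
                .setServiceAccountPrivateKey(privateKey)
                .build();

        return new Directory.Builder(httpTransport, jsonFactory, credentials)
                .setApplicationName(APPLICATION_NAME)
                .build();
    }

    /** Reads the private key from the P12 resource and closes the stream afterwards. */
    private PrivateKey loadServiceAccountKey() throws IOException, GeneralSecurityException {
        InputStream in = this.getClass().getResourceAsStream(P12_RESOURCE);
        if (in == null) {
            // getResourceAsStream returns null for a missing resource; fail with a clear message, not an NPE.
            throw new IOException("Service-account key not found on classpath: " + P12_RESOURCE);
        }
        try {
            return SecurityUtils.loadPrivateKeyFromKeyStore(
                    SecurityUtils.getPkcs12KeyStore(), in, P12_PASSWORD, P12_KEY_ALIAS, P12_PASSWORD);
        } finally {
            in.close();
        }
    }

    /**
     * Returns the first page of groups in the admin's domain. Domains with more groups than one
     * page holds report a nextPageToken on the result.
     */
    protected Groups listGroups(Directory directory) throws Exception {
        // "my_customer" resolves to the domain of the impersonated SERVICE_ACCOUNT_USER, which is
        // why listing only works once that user is set on the credential.
        return directory.groups().list().setCustomer(MY_CUSTOMER).execute();
    }

    /**
     * Fetches one group by address or id. The API reports an unknown group as an exception
     * rather than a null result.
     */
    protected Group getGroup(Directory directory, String emailAddress) throws IOException {
        Group group = directory.groups().get(emailAddress).execute();

        // Parenthesised: without the parentheses the "+" binds before "!=" and the null check
        // compares the concatenated string, never the group.
        LOGGER.debug("Returning Group: " + (group != null
                ? group.getEmail() + "(" + group.getDirectMembersCount() + " members)"
                : NO_GROUP));

        return group;
    }

    /** Returns the group's address for log lines, or a marker when no group was loaded. */
    private static String groupLabel(Group group) {
        return group != null ? group.getEmail() : NO_GROUP;
    }

    /** Returns the first page of members of the group; further pages are reported via nextPageToken. */
    protected Members listGroupMembers(Directory directory, Group group) throws Exception {
        return directory.members().list(group.getEmail()).execute();
    }

    /**
     * Checks whether the address is a member of the group, walking every page of the member
     * list so a large group does not yield a false negative (which would then make the insert
     * fail with "member already exists").
     *
     * @return true if a member with that address (compared case-insensitively) exists
     */
    protected boolean isMemberInGroup(Directory directory, Group group, String emailAddress) throws IOException {
        if (emailAddress == null) {
            return false;
        }

        String pageToken = null;
        do {
            Members page = directory.members().list(group.getEmail()).setPageToken(pageToken).execute();
            List<Member> members = page.getMembers();

            if (members != null) {
                for (Member member : members) {
                    // Called on the argument so a member entry without an email cannot NPE.
                    if (emailAddress.equalsIgnoreCase(member.getEmail())) {
                        return true;
                    }
                }
            }
            pageToken = page.getNextPageToken();
        } while (pageToken != null);

        return false;
    }

    /** Inserts the address as a member of the group (default role). */
    protected void addMemberToGroup(Directory directory, Group group, String emailAddress) throws Exception {
        Member member = new Member();
        member.setEmail(emailAddress);

        LOGGER.debug("Attempting Insert of Member to Group: " + groupLabel(group));

        directory.members().insert(group.getEmail(), member).execute();
    }

    /** Deletes the address from the group's member list. */
    protected void removeMemberFromGroup(Directory directory, Group group, String emailAddress) throws Exception {

        LOGGER.debug("Attempting Deletion of Member from Group: " + groupLabel(group));

        directory.members().delete(group.getEmail(), emailAddress).execute();
    }

    /** Adds the address to the "all members" list (idempotent: already-present members are skipped). */
    public void addMemberToMembersList(String emailAddress) throws MailingListException {
        addMemberToList(googleAppsAllEmailListName, emailAddress);
    }

    /** Adds the address to the committee list (idempotent: already-present members are skipped). */
    public void addMemberToCommitteeList(String emailAddress) throws MailingListException {
        addMemberToList(googleAppsCommitteeEmailListName, emailAddress);
    }

    /**
     * Adds the address to the given list unless it is already a member.
     *
     * @throws MailingListException wrapping any API, authentication or key-loading failure
     */
    protected void addMemberToList(String listAddress, String emailAddress) throws MailingListException {
        try {
            Directory directory = getDirectory();
            Group group = getGroup(directory, listAddress);

            if (!isMemberInGroup(directory, group, emailAddress)) {
                addMemberToGroup(directory, group, emailAddress);
            }

        } catch (Exception e) {
            LOGGER.error("Error adding member (" + emailAddress + ") to mailing list " + listAddress, e);
            throw new MailingListException(e);
        }
    }

    /** Removes the address from the "all members" list (no-op if it is not a member). */
    public void removeMemberFromMembersList(String emailAddress) throws MailingListException {
        removeMemberFromList(googleAppsAllEmailListName, emailAddress);
    }

    /** Removes the address from the committee list (no-op if it is not a member). */
    public void removeMemberFromCommitteeList(String emailAddress) throws MailingListException {
        removeMemberFromList(googleAppsCommitteeEmailListName, emailAddress);
    }

    /**
     * Removes the address from the given list if it is a member.
     *
     * @throws MailingListException wrapping any API, authentication or key-loading failure
     */
    protected void removeMemberFromList(String listAddress, String emailAddress) throws MailingListException {
        try {
            Directory directory = getDirectory();
            Group group = getGroup(directory, listAddress);

            if (isMemberInGroup(directory, group, emailAddress)) {
                removeMemberFromGroup(directory, group, emailAddress);
            }

        } catch (Exception e) {
            LOGGER.error("Error removing member (" + emailAddress + ") from mailing list " + listAddress, e);
            throw new MailingListException(e);
        }
    }

    /** Replaces the transport used for subsequent Directory clients (e.g. a mock in tests). */
    public void setHttpTransport(HttpTransport httpTransport) {
        this.httpTransport = httpTransport;
    }

    /** Replaces the JSON factory used for subsequent Directory clients. */
    public void setJsonFactory(JsonFactory jsonFactory) {
        this.jsonFactory = jsonFactory;
    }

    /** Sets the address of the "all members" group. */
    public void setGoogleAppsAllEmailListName(String googleAppsAllEmailListName) {
        this.googleAppsAllEmailListName = googleAppsAllEmailListName;
    }

    /** Sets the address of the committee group. */
    public void setGoogleAppsCommitteeEmailListName(String googleAppsCommitteeEmailListName) {
        this.googleAppsCommitteeEmailListName = googleAppsCommitteeEmailListName;
    }
}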