使用Google Apps脚本可以使用Google Drive API模拟域用户吗? [英] Is it possible to impersonate domain's users with Google Drive API using Google Apps Script?
问题描述
我是Google Apps for Education的学习主管和学校管理员。
我在很多应用程序中使用Google Apps脚本(控制缺勤,发送电子邮件,自动报告,ScriptDb数据库等)使用天然气服务。这真是太棒了。
基本上我需要在学生的Google Drive中创建一个文件夹结构(年,课程,老师......)。
$ b
借助Google Apps脚本服务,我可以轻松完成此操作,但这些文件夹属于创建者(管理员),因此我认为用户需要花费管理员存储配额。这并不令我感兴趣。
(是的,我可以让应用程序由用户执行并在Google云端硬盘中创建结构,但我宁愿以自动方式进行操作并且无需干预)
要在Google云端硬盘用户(教师,学生...)中创建这些文档(和文件夹),在此响应中修改了Waqar Ahmad提供的代码[将作者添加到电子表格... ]
这使我可以使用Google文档列表API(Google Apps管理访问模拟域的用户)拥有其他用户的文档以进行更新,并且也适应了在其他Google云端硬盘用户上创建文件夹和文件。它完美的作品。我在这里提到:
但现在,我的驱动器部分转发给其他用户/ 13614186#13614186 ,谷歌文档列表AP的第3版已被正式弃用,并鼓励我们使用Google API Drive。
我试图用这个新的Google API。有没有人设法做到这一点?可能吗?我不知道从哪里开始!
谢谢。
Sergi
更新:
这是我正在工作的代码,但我得到一个无效请求错误:
(...)
var user = e.parameter.TB_email //我将用户从a TextBox
//https://developers.google.com/accounts/docs/OAuth2ServiceAccount
// {Base64url编码的标题} {Base64url编码的声明集} {Base64url编码的签名}
$ b $ {Base64url encoding header}
var header ='{alg:RS256,typ:JWT}'
var header_b64e = Utilities .base64Encode(header)
// {Base64url编码声明集}
var t_ara = Math.round((new Date()。getTime())/ 1000)// now
var t_fins = t_ara + 3600 // t + 3600 sec
var claim_set ='{iss:1111111111-xxxxxxxxxxxxxxxxxxxxxx@developer.gserviceaccount.com,'+
'prn:'+ user +','+
'范围:https://www.googleapis.com/auth/prediction,+
'aud:https://accounts.google.com/o/oauth2/token, '+
''exp':'+ t_fins +','+
'iat:'+ t_ara +'}'
//其中'1111111111-xxxxxxxxxxx .. 。是我的CLIENT-ID(API访问 - >服务帐户)
var claim_set_b64e = Utilities.base64Encode(claim_set)
claim_set_b64e = claim_set_b64e.replace(/ = / g,'')
var to_sign = header_b64e +'。'+ claim_set_b64e
// [签名字节] ??? // password'isnotasecret ???'
var key_secret = DocsList.getFileById('0Biiiiiiiiii-XXXXXXXXXXX')。getBlob()。getBytes()
//其中'0Biiiiiiiiii-XXXXXXXXXXX' ...是我的p12文件(key_secret)上传到GDRive
//我不知道这是否正确!
var sign = Utilities.base64Encode(Utilities.computeHmacSha256Signature(to_sign,key_secret))
var JWT_signed = to_sign +'。'+ sign
JWT_signed = JWT_signed.replace(/ = / g,'')
//令牌请求//////////////////////// /////////////////////////////////////
var url ='https:// accounts .google.com / o / oauth2 / token'
// var url ='https%3A%2F%2Faccounts.google.com%2Fo%2Foauth2%2Ftoken'???
// var url ='https:'+'%2F%2Faccounts.google.com%2Fo%2Foauth2%2Ftoken'???
var parameter = {
method:POST,
payload:'''''''''''''''''''''''''''' %3Ajwt-bearer& assertion ='+ JWT_signed +'',
contentType:application / x-www-form-urlencoded
}
var content = UrlFetchApp.fetch(url,parameters)//。getContentText()
//令牌请求结束/////////////////////////// /////////////////////////////
我得到一个无效的请求,而不是带有令牌的JSON
2个第一部分(头文件和声明集)是好。结果等于Google OAuth页面的结果。
我不知道签名部分是否正确,或者错误是否在令牌请求中。
上述示例的问题在于它使用hmacsha256来计算签名。你需要使用rsasha256。现在有两个用于应用程序脚本的服务帐户库。我放在一起的是:
https://gist.github.com/Spencer- Easton / f8dad65932bff4c9efc1
这两个库的问题是它们是从服务器端运行速度非常慢的jsrsa派生的。
I am a head of studies and school administrator of our Google Apps for Education.
I used Google Apps Script for a lot of applications (control of absences, sending emails, automatic reporting, ScriptDb databases and more) using gas services. It's fantastic.
Basically I need to create a folder structure (years, courses, teachers, ...) within the Google Drive of students.
With Google Apps Script services I can do it easily but then the folders belong to the creator (administrator) and I think then users spend the administrator storage quota. This does not interest me. (Yes, I can make an application to be executed by the users and create the structure in its Google Drive, but I'd rather do it in an automated manner and without intervention)
To create this documents (and folders) in Google Drive users (teachers, students, ...) have adapted the code provided by Waqar Ahmad in this response [ Add an writer to a spreadsheet ... ]
That allows me to take possession of documents of other users to make updates using the Google Document List API (Google Apps administrative access to impersonate a user of the domain) and also have adapted to create folders and files on other Google Drive users. It works perfectly. I mention here:
How to add a Google Drive folder ...
But now, the version 3 of the Google Documents List AP, has been officially deprecated and encourage us to work with the Google API Drive.
I tried to do the same with this new Google API. Has anyone managed to do this? Is it possible? I have no idea where to start!
Thank you.
Sergi
Updated:
This is the code i'm working but I get an "invalid request" error:
(...)
var user = e.parameter.TB_email // I get user from a TextBox
//https://developers.google.com/accounts/docs/OAuth2ServiceAccount
//{Base64url encoded header}.{Base64url encoded claim set}.{Base64url encoded signature}
//{Base64url encoded header}
var header = '{"alg":"RS256","typ":"JWT"}'
var header_b64e = Utilities.base64Encode(header)
//{Base64url encoded claim set}
var t_ara = Math.round((new Date().getTime())/1000) // now
var t_fins = t_ara + 3600 // t + 3600 sec
var claim_set = '{"iss":"1111111111-xxxxxxxxxxxxxxxxxxxxxx@developer.gserviceaccount.com",'+
'"prn":"' + user + '",' +
'"scope":"https://www.googleapis.com/auth/prediction",'+
'"aud":"https://accounts.google.com/o/oauth2/token",'+
'"exp":'+t_fins+','+
'"iat":'+t_ara+'}'
// where '1111111111-xxxxxxxxxxx... is my CLIENT-ID (API Access -> Service Account)
var claim_set_b64e = Utilities.base64Encode(claim_set)
claim_set_b64e = claim_set_b64e.replace(/=/g,'')
var to_sign = header_b64e + '.' + claim_set_b64e
// [signature bytes] ??? // password 'isnotasecret???'
var key_secret = DocsList.getFileById('0Biiiiiiiiii-XXXXXXXXXXX').getBlob().getBytes()
// where '0Biiiiiiiiii-XXXXXXXXXXX'... is my p12 file (key_secret) uploaded to GDRive
// I don't know if this is correct !!!
var sign = Utilities.base64Encode(Utilities.computeHmacSha256Signature(to_sign, key_secret))
var JWT_signed = to_sign + '.' + sign
JWT_signed = JWT_signed.replace(/=/g,'')
// Token Request /////////////////////////////////////////////////////////////
var url = 'https://accounts.google.com/o/oauth2/token'
//var url = 'https%3A%2F%2Faccounts.google.com%2Fo%2Foauth2%2Ftoken' ???
//var url = 'https:' + '%2F%2Faccounts.google.com%2Fo%2Foauth2%2Ftoken' ???
var parameters = {
"method" : "POST",
"payload" : '"' + 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=' + JWT_signed + '"',
"contentType" : "application/x-www-form-urlencoded"
}
var content = UrlFetchApp.fetch(url,parameters) //.getContentText()
// Token Request end ////////////////////////////////////////////////////////
And I get an "Invalid Request" and not a JSON with the token
The 2 first parts ( header & claim set ) are OK. The result are equal to the result of Google OAuth page.
I don't know if the signature part are correct or if the error is in the token request.
The issue with your example above is that it it's computing the signature with hmacsha256. You need to use rsasha256. There are two service account libraries for apps script right now. One that I put together is: https://gist.github.com/Spencer-Easton/f8dad65932bff4c9efc1
The issue with both libraries is they are derived from jsrsa which runs very slow on the server side.
这篇关于使用Google Apps脚本可以使用Google Drive API模拟域用户吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
