compsoc-edinburgh / betterinformatics

Welcome to Better Informatics. The student run website for students in the School of Informatics.
https://betterinformatics.com

[URGENT] Drive integration does not work #100

Closed qaisjp closed 4 years ago

qaisjp commented 4 years ago

Seems that something has changed on the CompSoc side and the Drive integration -- which is the main part that CompSoc maintains -- is broken.

I haven't investigated whether it's complaining about not being able to use the admin API altogether or checking Google Group presence.

If you've removed a service key, the BI machine will possibly need a new one.

[image attachment: screenshot of the error]

This has been broken for 1 month now. Please fix this. I am happy to pair with someone on this in a voice call over Slack or Discord and help get this fixed.

/cc @compsoc-edinburgh/sigweb @penalosa @findoslice @pkage

qaisjp commented 4 years ago

I am free every day after 6pm or even earlier in the afternoon during lunch.

penalosa commented 4 years ago

@qaisjp Could you send me login details for the bi VM on Tardis? I appreciate this has been long-running (and I do apologise for that), and I'll try and get this fixed tonight

qaisjp commented 4 years ago

Sent details! It now uses regular TARDIS root password.

It uses a service account. https://cloud.google.com/iam/docs/service-accounts

And requires domain-wide delegation of authority: https://developers.google.com/admin-sdk/directory/v1/guides/delegation

This allows it to have special organisation access, as it needs to be able to directly add people to the users@betterinformatics.com Google group, which requires the Admin API.

The credentials live in /home/qaisjp/drive-link/private, which corresponds to this: https://github.com/compsoc-edinburgh/bi-app/tree/master/drive-link

penalosa commented 4 years ago

An update: I'm very confused.

The initial issue seemed to be that domain-wide delegation was disabled for the service user - I enabled it.

That caused a new error message:

unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.

Which I've been trying to fix - so far I've tried swapping out the service user keyhole, the oauth secrets file and a couple of other things. Anyone have any ideas?

himmelmaus commented 4 years ago

I'm not familiar with the specifics of google oauth keys, but it looks like the client doesn't have the appropriate scope granted to it, or it has an incorrect grant type (based off of unauthorized to retrieve access tokens using this method)

pkage commented 4 years ago

Has an API been deprecated out from under us?

neanias commented 4 years ago

Google would never do that!

qaisjp commented 4 years ago

I don't think an API has been deprecated.

It uses (iirc) https://developers.google.com/admin-sdk/directory/v1/reference/members/get and https://developers.google.com/admin-sdk/directory/v1/reference/members/insert

(Note that the alert Warning: The Notifications API is deprecated and will be shutdown soon. is referring to a completely different API, and drive-link uses the Directory API.)

I will try and take a look tonight.

himmelmaus commented 4 years ago

Would be worth double checking what grant type is needed

pkage commented 4 years ago

Looking at the scopes required for the calls:

API reference/members/get requires 1 or more of:

https://www.googleapis.com/auth/admin.directory.group.member.readonly
https://www.googleapis.com/auth/admin.directory.group.member
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.directory.group

API reference/members/insert requires 1 or more of:

https://www.googleapis.com/auth/admin.directory.group.member
https://www.googleapis.com/auth/admin.directory.group

From compsoc-edinburgh/bi-app/drive-link/app.py (src):

# import needed for the snippet below (oauth2client, which provides
# ServiceAccountCredentials.from_json_keyfile_name)
from oauth2client.service_account import ServiceAccountCredentials

# service-account credentials, not yet delegated to any user
undelegated_group_credentials = ServiceAccountCredentials.from_json_keyfile_name(
    'private/drive_keyfile.json',
    scopes=['https://www.googleapis.com/auth/admin.directory.group.member'])

Should we upgrade the scope to https://www.googleapis.com/auth/admin.directory.group? Seems like that would be the best "god permission" to grant.

qaisjp commented 4 years ago

Worth giving it a go.

qaisjp commented 4 years ago

It will be because it is delegated as this account (I believe you can only delegate as accounts):

From compsoc-edinburgh/bi-app/drive-link/app.py (src):

# import needed for the snippet below (oauth2client, which provides
# ServiceAccountCredentials.from_json_keyfile_name and create_delegated)
from oauth2client.service_account import ServiceAccountCredentials

# service-account credentials, not yet delegated to any user
undelegated_group_credentials = ServiceAccountCredentials.from_json_keyfile_name(
    'private/drive_keyfile.json',
    scopes=['https://www.googleapis.com/auth/admin.directory.group.member'])

# domain-wide delegation: act as this Workspace user when calling the Admin API
group_credentials = undelegated_group_credentials.create_delegated("qaisjp@betterinformatics.com")

And previously I was able to access https://admin.google.com/ to manage the Better Informatics organisation / add+remove user accounts to Better Informatics.

Recently access to admin.google.com was removed + the ability to add/remove user accounts.

tl;dr qaisjp@betterinformatics.com doesn't have access to Admin so it can't use the Admin API.

qaisjp commented 4 years ago

So if it's a case of not being authorized to use the scope (because that account is not authorized to use the admin scopes)

unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.

then widening the scope to admin.directory.group probably wouldn't change anything.

I wish Google provided better error messages.

pkage commented 4 years ago

Okay, how does adding qaisjp@betterinformatics.com as an admin for the BI org unit sound as a fix? I'd be happy to make that change

qaisjp commented 4 years ago

That should work. (I thought that's how it was already?)

pkage commented 4 years ago

Should be added now!

qaisjp commented 4 years ago

Btw please self serve your personal access to admin@betterinformatics.com!

qaisjp commented 4 years ago

Fixed!


The final fix was that we had to update ~/drive-link/private/oauth_client_secrets.json and ~/drive-link/private/drive_keyfile.json to use the latest json files, as they were authenticating as the betterinformatics service account and not the betterinformatics-2018 service account.

Why are there two service accounts?

Initially there was only an admin@betterinformatics.com email address. This account created a betterinformatics project on console.cloud.google.com. This project had domain-wide delegation of authority.

Later (in 2018), I realised it should be a group, so others can join. So:

I realised I no longer had access to that betterinformatics project, so I created a betterinformatics-2018 project as a replacement. It had everything set up, except the secrets were not updated on the bi machine (bi.tardis.ed.ac.uk).

This means that all this time we were using the betterinformatics project, and not the betterinformatics-2018 project.

When @penalosa added back domain-wide delegation of authority, he added it back for the betterinformatics-2018 project. This didn't work because Better Informatics was authenticating using the betterinformatics project, and not the betterinformatics-2018 project.

Nobody has access to the betterinformatics project.

Huh, what? Nobody has access to the betterinformatics project?!

Yes, unfortunately. Because the actual user that created the project has been deleted.

It is exactly the same issue as described here: https://support.google.com/a/thread/13510817?hl=en

I tried renaming the admin@group and creating a new admin@user, but it didn't work. That new admin@betterinformatics.com user could not access the project at console.cloud.google.com.

Interestingly enough, the betterinformatics project is still active and running, without any owner. It would be nice to be able to recover this old project as it has a nice project ID... if you care about that sort of thing — I'm just fussy and pedantic.

An organisation owner will have to create a ticket and ask them to try and recover it.

Practically there's no real reason to do it other than recovering the nice betterinformatics ID (betterinformatics-2018 is quite ugly)!


To summarise the entire ticket:

  1. Someone removed domain-wide delegation of authority for the betterinformatics project.
  2. Someone removed access for the user qaisjp@betterinformatics.com to add or remove users to the Better Informatics organisation.
  3. Better Informatics broke.
  4. Domain-wide delegation of authority was added back for the betterinformatics-2018 project. ~penalosa
  5. Still doesn't work, because we're using the betterinformatics credentials instead of the -2018 credentials.
  6. qaisjp@betterinformatics.com added back as admin for the Better Informatics OU. ~pkage
  7. Update bi.tardis.ed.ac.uk to use the -2018 credentials. ~qaisjp
  8. Things work again.
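The two checks this thread ended up doing by hand, verifying which project and service account a key file actually authenticates as (the root cause above: the VM held a key for the old betterinformatics project while delegation had been re-enabled on betterinformatics-2018) and verifying that the requested scopes are among those the Directory API reference lists for members.get and members.insert, can be run offline before touching the API. The following is an added example, not part of bi-app or the original thread. The key file is a constructed sample with placeholder values in the same field layout Google issues for service-account keys; the `preflight` function and the expected project name are assumptions for illustration.

```python
import json
from typing import Dict, Iterable, List

# Scopes accepted by members.get and members.insert, as listed in the
# Directory API reference quoted earlier in the thread.
MEMBERS_GET_SCOPES = frozenset({
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.member",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.group",
})
MEMBERS_INSERT_SCOPES = frozenset({
    "https://www.googleapis.com/auth/admin.directory.group.member",
    "https://www.googleapis.com/auth/admin.directory.group",
})

# Constructed sample key file. Field names match the JSON key Google issues
# for a service account; every value is a placeholder, not a real credential.
SAMPLE_KEYFILE = json.dumps({
    "type": "service_account",
    "project_id": "betterinformatics",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "drive-link@betterinformatics.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def keyfile_identity(keyfile_text: str) -> Dict[str, str]:
    """Return the non-secret identity fields of a service-account key file.

    These say what the key authenticates as. The private key is deliberately
    left out so the result is safe to print or log.
    """
    data = json.loads(keyfile_text)
    if data.get("type") != "service_account":
        raise ValueError("not a service-account key file")
    return {
        "project_id": data["project_id"],
        "client_email": data["client_email"],
        "private_key_id": data["private_key_id"],
    }


def satisfies(requested: Iterable[str], accepted: frozenset) -> bool:
    """True if at least one requested scope is accepted by the API method."""
    return not accepted.isdisjoint(requested)


def preflight(keyfile_text: str, expected_project: str,
              requested_scopes: Iterable[str]) -> List[str]:
    """Local checks to run before calling the Directory API (hypothetical helper).

    Returns human-readable findings; an empty list means the key file names
    the expected project and the scopes cover both calls. A clean result does
    not prove the delegated user is allowed to use the Admin API, which is
    what the unauthorized_client error in this thread was reporting.
    """
    findings = []
    ident = keyfile_identity(keyfile_text)
    if ident["project_id"] != expected_project:
        findings.append(
            f"key file is for project {ident['project_id']!r}, expected "
            f"{expected_project!r}: it authenticates as a different service "
            f"account than the one delegation was granted to")
    scopes = list(requested_scopes)
    if not satisfies(scopes, MEMBERS_GET_SCOPES):
        findings.append("requested scopes do not cover members.get")
    if not satisfies(scopes, MEMBERS_INSERT_SCOPES):
        findings.append("requested scopes do not cover members.insert")
    return findings


if __name__ == "__main__":
    # The situation from the thread: a key for the old project on the VM,
    # delegation re-enabled on the -2018 project.
    for line in preflight(SAMPLE_KEYFILE, "betterinformatics-2018",
                          ["https://www.googleapis.com/auth/admin.directory.group.member"]):
        print("FINDING:", line)
```

Run it against the real `private/drive_keyfile.json` (read the file instead of `SAMPLE_KEYFILE`) and the `project_id` and `client_email` it prints are the ones to compare against the service account shown in the Admin console's domain-wide delegation list. Keeping the private key out of the returned dictionary is what makes this safe to paste into an issue like this one.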

pkage commented 4 years ago

Man that is gnarly.

Glad we got this squared away. Good work all around!