domainaware / parsedmarc

A Python package and CLI for parsing aggregate and forensic DMARC reports
https://domainaware.github.io/parsedmarc/
Apache License 2.0

gmail with oauth2 credentials.json or API key or service account with credentials? #354

Open greggel opened 1 year ago

greggel commented 1 year ago

I am a little lost and can't connect to Gmail via IMAP over 993 because of Google Workspace and less secure app being detected. I want to use the gmail_api option, but my credentials JSON file seems to allow the parsedmarc container to run but my Kibana and Elasticsearch seem to be empty and folders are not created in Gmail. I can't tell if my authentication isn't fully working or if communication is broken between Google and my server?

In the parsedmarc config.ini for gmail_api, do I just need to include my credentials JSON file and it should all work? Do I have the option of using an API key instead? Or should I try the Google service account method with credentials? If anyone has any examples of using the Gmail API successfully I would really love to see it.

Thanks.

nathanthorpe commented 1 year ago

Yeah you just need to download the credentials.json file and then have it available in the container and it should work. What does your config look like?

viyullas commented 1 year ago

I am having issues configuring this too. If you skip the imap section and just set my credentials, the docker does... nothing (where do I set up the mailbox where it should connect to?). If I configure the imap section and the gmail_api section, it tries to use the imap connection only, and an Invalid credentials error is shown...

I am a little bit lost.

[general]
save_aggregate = True
save_forensic = True

# [imap]
# IMAP login
# host = imap.gmail.com
# port = 993
# user = login@gmail.com
# password = password
# ssl = True

[gmail_api]
credentials_file = /etc/parsedmarc/credentials.json

[mailbox]
watch = True
archive_folder = Processed
delete = False
# advanced advanced
test = False

### NO EDIT REQUIRED DOWN BELOW
[elasticsearch]
hosts = elasticsearch:9200
ssl = False

I have created a Gmail account, gone to the GCP console, enabled the Gmail API and generated a credential for a Desktop application. Do I need to set some permissions to it?

A configuration example for the Gmail API will be much appreciated.

remsbenz commented 1 year ago

Hello, did you find a working file with mailbox Gmail API? Thanks

davec25 commented 1 year ago

> Yeah you just need to download the credentials.json file and then have it available in the container and it should work. What does your config look like?

Where can I get it? I'm not seeing it anywhere.

nathanthorpe commented 1 year ago

Go to the Google Cloud console.

Make an OAuth 2 client and press download JSON next to the client secret.

jca1981 commented 2 months ago

You also need to run some Python code to get your token_file. Guide here: https://domainaware.github.io/parsedmarc/usage.html (search for gmail_api).

NiceRath commented 1 day ago

I don't think you need to provide a token.json as this should be auto-created once the application (parsedmarc) logs in. See: https://github.com/domainaware/parsedmarc/blob/master/parsedmarc/mail/gmail.py#L20 (creates token file if it does not exist)

But this is also not happening for me. Will look into the codebase to check if there is some trigger for the actual fetching of mails.

NiceRath commented 1 day ago

It seems the Gmail API is stuck at creating the OAuth token. Here it calls the external flow module: https://github.com/domainaware/parsedmarc/blob/master/parsedmarc/mail/gmail.py#L30 This flow module states:

> The server strategy instructs the user to open the authorization URL in
> their browser and will attempt to automatically open the URL for them.

So basically it waits (forever) for you to open the browser and log in interactively (from what I understand).

I had success using a service account for the non-interactive API access. But for this to work, the _get_creds function needs to be rewritten to this:

from google.oauth2 import service_account

def _get_creds(credentials_file, scopes):
    return service_account.Credentials.from_service_account_file(
        credentials_file, scopes=scopes,
    ).with_subject('<YOUR-DMARC-ACCOUNT-EMAIL-ADDRESS>')

Note that the content of the credentials_file.json needs to be replaced by the service account key.

I might add a PR later on
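
To tell which of the cases discussed in this thread applies (a Desktop OAuth client with no token file, which waits for browser consent, versus a service account key), the credentials file can be inspected before the container starts. This is an added example, not part of the thread or of parsedmarc: the function names and finding strings are hypothetical, the sample JSON is constructed, and the predicted behaviour follows the description in the comments above.

```python
import json
import os
import stat
import tempfile

# Constructed samples: key names follow Google's JSON layouts, values are fake.
DESKTOP_CLIENT = {"installed": {"client_id": "example.apps.googleusercontent.com",
                                "client_secret": "PLACEHOLDER"}}
SERVICE_ACCOUNT = {"type": "service_account", "private_key": "PLACEHOLDER",
                   "client_email": "dmarc@example-project.iam.gserviceaccount.com"}

def classify_credentials(data):
    """Identify the credential kind from the JSON structure alone."""
    if data.get("type") == "service_account":
        return "service_account"
    for kind in ("installed", "web"):
        if isinstance(data.get(kind), dict) and "client_id" in data[kind]:
            return "oauth_client_" + kind
    return "unknown"

def diagnose(credentials_path, token_path, has_browser):
    """List findings that predict how a Gmail API login will behave."""
    with open(credentials_path) as fh:
        findings = [classify_credentials(json.load(fh))]
    mode = stat.S_IMODE(os.stat(credentials_path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("secret_file_accessible_to_group_or_others")
    if findings[0].startswith("oauth_client_") and not os.path.exists(token_path):
        findings.append("interactive_consent_required" if has_browser
                        else "will_wait_for_browser_consent")
    elif findings[0] == "service_account":
        findings.append("needs_service_account_loader_and_with_subject")
    return findings

def run_sample(sample, mode, with_token=False, has_browser=False):
    """Write a constructed sample to a temp dir and diagnose it."""
    with tempfile.TemporaryDirectory() as tmp:
        cred, token = os.path.join(tmp, "credentials.json"), os.path.join(tmp, "token.json")
        with open(cred, "w") as fh:
            json.dump(sample, fh)
        os.chmod(cred, mode)
        if with_token:
            open(token, "w").close()
        return diagnose(cred, token, has_browser)

if __name__ == "__main__":
    print(run_sample(DESKTOP_CLIENT, 0o644))   # headless container, no token file
    print(run_sample(SERVICE_ACCOUNT, 0o600))  # service account key, owner-only
```

Both file types hold a long-lived secret, so the permission finding applies to either; impersonating a mailbox with `with_subject` additionally requires domain-wide delegation for the service account in Google Workspace.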

NiceRath commented 1 day ago

Folded and using imap with app-passwords for now.. https://support.google.com/accounts/answer/185833?hl=en

superstes commented 1 day ago

See: https://github.com/domainaware/parsedmarc/issues/545