Mod21 client lib tweaks

Author: wescpy

README.md

@@ -84,7 +84,7 @@ Memcache | [12 ⇒] 13 | Moving off App Engine `memcache` makes your apps mor
 Cloud Functions | 11 | Cloud Functions does not support Python 2, so after the Module 1 migration, you need to upgrade your app to Python 3 before attempting this migration, recommended if you have a very small App Engine app, or it has only one function/feature.
 Cloud Run | 4 or 5 | **Module 4** covers migrating to Cloud Run with Docker. Those unfamiliar with containers or do not wish to create/maintain a `Dockerfile` should do **Module 5**. Those doing **Module 4** will get additional information about Cloud Run in **Module 5** not covered in **Module 4**.
 Blobstore | [15 ⇒] 16 | Moving off App Engine `blobstore` makes your apps more portable, so the **Module 16** Cloud Storage migration is _recommended_ for those using `blobstore`. Those unfamiliar with `blobstore` should do **Module 15** first to add its usage to the sample app.
-Users | [20 ⇒] 21 | Moving off App Engine `users` makes your apps more portable, so the **Module 21** Cloud Storage migration is _recommended_ for those using `users`. Those unfamiliar with `users` should do **Module 20** first to add its usage to the sample app.
+Users | [20 ⇒] 21 | Moving off App Engine `users` makes your apps more portable, so the **Module 21** Cloud Identity Platform migration is _recommended_ for those using `users`. Those unfamiliar with `users` should do **Module 20** first to add its usage to the sample app.
 General migration | 6 ⇒ 10 ⇒ 14 | This series is more generic and not targeting a specific feature migration, but rather if you need to migrate your App Engine apps from one running project to another. It starts with **Module 6** if you need to migrate your code, say from Datastore to Firestore. **Module 10** is if you need to migrate your data from one project to another, and finally, **Module 14** is after you're done migrating your app, your data, or both, and need to migrate a running service on one GCP project to another.
 
 

mod21a-idenplat/main.py

@@ -18,25 +18,30 @@
 from googleapiclient import discovery
 from firebase_admin import auth, initialize_app
 
+# initialize Flask and Cloud NDB API client
+app = Flask(__name__)
+ds_client = ndb.Client()
+
+
 def _get_gae_admins():
     'return set of App Engine admins'
-    # setup constants for calling Cloud IAM Resource Manager
+    # setup constants for calling Cloud IAM Resource Manager API
     CREDS, PROJ_ID = default(  # Application Default Credentials and project ID
             ['https://www.googleapis.com/auth/cloud-platform'])
-    IAM = discovery.build('cloudresourcemanager', 'v1', credentials=CREDS)
+    rm_client = discovery.build('cloudresourcemanager', 'v1', credentials=CREDS)
     _TARGETS = frozenset((     # App Engine admin roles
             'roles/viewer',
             'roles/editor',
             'roles/owner',
             'roles/appengine.appAdmin',
     ))
 
-    # collate all users who are members of at least one GAE admin role (TARGETS)
-    admins = set()             # set of all App Engine admins
-    allow_policy = IAM.projects().getIamPolicy(resource=PROJ_ID).execute()
+    # collate all users who are members of at least one GAE admin role (_TARGETS)
+    admins = set()                      # set of all App Engine admins
+    allow_policy = rm_client.projects().getIamPolicy(resource=PROJ_ID).execute()
     for b in allow_policy['bindings']:  # bindings in IAM allow policy
         if b['role'] in _TARGETS:       # only look at GAE admin roles
-            admins.update(user.split(':', 1)[1] for user in b['members'])
+            admins.update(user.split(':', 1).pop() for user in b['members'])
     return admins
 
 @app.route('/is_admin', methods=['POST'])
@@ -47,10 +52,8 @@ def is_admin():
     return {'admin': email in _ADMINS}, 200
 
 
-# initialize Flask, Firebase, Cloud NDB; fetch set of App Engine admins
-app = Flask(__name__)
+# initialize Firebase and fetch set of App Engine admins
 initialize_app()
-ds_client = ndb.Client()
 _ADMINS = _get_gae_admins()
 
 

mod21a-idenplat/templates/index.html

@@ -16,9 +16,11 @@
         signOut
 } from "https://www.gstatic.com/firebasejs/9.10.0/firebase-auth.js";
 
-// Firebase config: at least 'apiKey' & 'authDomain' are required; go to
-// console.firebase.google.com/project/PROJECT_ID/settings/general/web OR
-// console.firebase.google.com/project/_/settings/general/web & pick project
+// Firebase config:
+// 1a. Go to: console.cloud.google.com/customer-identity/providers
+// 1b. May be prompted to enable GCIP and upgrade from Firebase
+// 2. Click: "Application Setup Details" button
+// 3. Copy: 'apiKey' and 'authDomain' from 'config' variable
 var firebaseConfig = {
         apiKey: "YOUR_API_KEY",
         authDomain: "YOUR_AUTH_DOMAIN",
@@ -28,6 +30,7 @@
 initializeApp(firebaseConfig);
 var auth = getAuth();
 var provider = new GoogleAuthProvider();
+//provider.setCustomParameters({prompt: 'select_account'});
 
 // define login and logout button functions
 function login() {

mod21b-idenplat/main.py

@@ -14,29 +14,33 @@
 
 from flask import Flask, render_template, request
 from google.auth import default
-from google.cloud import ndb
-from googleapiclient import discovery
+from google.cloud import ndb, resourcemanager
 from firebase_admin import auth, initialize_app
 
+# initialize Flask and Cloud NDB API client
+app = Flask(__name__)
+ds_client = ndb.Client()
+
+
 def _get_gae_admins():
     'return set of App Engine admins'
-    # setup constants for calling Cloud IAM Resource Manager
-    CREDS, PROJ_ID = default(  # Application Default Credentials and project ID
-            ['https://www.googleapis.com/auth/cloud-platform'])
-    IAM = discovery.build('cloudresourcemanager', 'v1', credentials=CREDS)
+    # setup constants for calling Cloud IAM Resource Manager API
+    _, PROJ_ID = default(  # Application Default Credentials and project ID
+            ['https://www.googleapis.com/auth/cloudplatformprojects.readonly'])
+    rm_client = resourcemanager.ProjectsClient()
     _TARGETS = frozenset((     # App Engine admin roles
             'roles/viewer',
             'roles/editor',
             'roles/owner',
             'roles/appengine.appAdmin',
     ))
 
-    # collate all users who are members of at least one GAE admin role (TARGETS)
-    admins = set()             # set of all App Engine admins
-    allow_policy = IAM.projects().getIamPolicy(resource=PROJ_ID).execute()
-    for b in allow_policy['bindings']:  # bindings in IAM allow policy
-        if b['role'] in _TARGETS:       # only look at GAE admin roles
-            admins.update(user.split(':', 1)[1] for user in b['members'])
+    # collate all users who are members of at least one GAE admin role (_TARGETS)
+    admins = set()                      # set of all App Engine admins
+    allow_policy = rm_client.get_iam_policy(resource='projects/%s' % PROJ_ID)
+    for b in allow_policy.bindings:     # bindings in IAM allow policy
+        if b.role in _TARGETS:          # only look at GAE admin roles
+            admins.update(user.split(':', 1).pop() for user in b.members)
     return admins
 
 @app.route('/is_admin', methods=['POST'])
@@ -47,10 +51,8 @@ def is_admin():
     return {'admin': email in _ADMINS}, 200
 
 
-# initialize Flask, Firebase, Cloud NDB; fetch set of App Engine admins
-app = Flask(__name__)
+# initialize Firebase and fetch set of App Engine admins
 initialize_app()
-ds_client = ndb.Client()
 _ADMINS = _get_gae_admins()
 
 

mod21b-idenplat/requirements.txt

@@ -1,5 +1,5 @@
 flask
-google-api-python-client
 google-auth
 google-cloud-ndb
+google-cloud-resource-manager
 firebase-admin

mod21b-idenplat/templates/index.html

@@ -16,9 +16,11 @@
         signOut
 } from "https://www.gstatic.com/firebasejs/9.10.0/firebase-auth.js";
 
-// Firebase config: at least 'apiKey' & 'authDomain' are required; go to
-// console.firebase.google.com/project/PROJECT_ID/settings/general/web OR
-// console.firebase.google.com/project/_/settings/general/web & pick project
+// Firebase config:
+// 1a. Go to: console.cloud.google.com/customer-identity/providers
+// 1b. May be prompted to enable GCIP and upgrade from Firebase
+// 2. Click: "Application Setup Details" button
+// 3. Copy: 'apiKey' and 'authDomain' from 'config' variable
 var firebaseConfig = {
         apiKey: "YOUR_API_KEY",
         authDomain: "YOUR_AUTH_DOMAIN",
@@ -28,6 +30,7 @@
 initializeApp(firebaseConfig);
 var auth = getAuth();
 var provider = new GoogleAuthProvider();
+//provider.setCustomParameters({prompt: 'select_account'});
 
 // define login and logout button functions
 function login() {