Creating Google users from PowerShell via the API

Hello!

This article describes how to make PowerShell work with the Google API to manage G Suite users.

We use several internal and cloud services across the organization. For the most part, authorization in them comes down to Google or Active Directory, between which we cannot maintain a replica; so when a new employee starts, you need to create/enable an account in both systems. To automate the process, we decided to write a script that collects the information and sends it to both services.

Authorization

When drawing up the requirements, we decided to use real human administrators for authorization; this simplifies the analysis of actions in case of accidental or intentional mass changes.

The Google API uses the OAuth 2.0 protocol for authentication and authorization. Use cases and a more detailed description can be found here: Using OAuth 2.0 to Access Google APIs.

I chose the scenario used for authorization in desktop applications. There is also an option to use a service account, which does not require unnecessary actions from the user.

The picture below is a schematic description of the chosen scenario from the Google page.

[Image: diagram of the chosen OAuth 2.0 scenario]

  1. First, we send the user to the Google account authorization page, specifying GET parameters:
    • application id
    • the scopes the application needs access to
    • the address the user will be redirected to after the procedure completes
    • the way we will refresh the token
    • the verification code
    • the verification code transmission format

  2. After authorization completes, the user is redirected to the page specified in the first request, with an error or an authorization code passed via GET parameters.
  3. The application (script) needs to receive these parameters and, if a code was received, make the following request to obtain tokens.
  4. If the request is correct, the Google API returns:
    • an Access token with which we can make requests
    • the validity period of this token
    • a Refresh token required to renew the Access token.

First you need to go to the Google API console: Credentials - Google API Console, select the desired application and, in the Credentials section, create an OAuth client identifier. There (or later, in the properties of the created identifier) you need to specify the addresses to which redirection is allowed. In our case, these will be several localhost entries with different ports (see below).

To make the script's algorithm easier to read, you can move the first steps into a separate function that returns the Access and Refresh tokens for the application:

# Client ID and Client Secret from the OAuth client properties in the Google API console
$client_secret = 'Our Client Secret'
$client_id = 'Our Client ID'
function Get-GoogleAuthToken {
  if (-not [System.Net.HttpListener]::IsSupported) {
    "HttpListener is not supported."
    exit 1
  }
  # Code verifier: 60 characters drawn from the unreserved set [A-Z] [a-z] [0-9] - . _ ~
  $codeverifier = -join ((65..90) + (97..122) + (48..57) + 45 + 46 + 95 + 126 | Get-Random -Count 60 | ForEach-Object {[char]$_})
  # Code challenge: SHA256 of the verifier, Base64Url-encoded with the '=' padding removed
  $hasher = [System.Security.Cryptography.SHA256]::Create()
  $hashByteArray = $hasher.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($codeverifier))
  $base64 = ((([System.Convert]::ToBase64String($hashByteArray)).replace('=','')).replace('+','-')).replace('/','_')
  # Redirect ports; each one must be listed as an allowed redirect address in the API console
  $ports = @(10600,15084,39700,42847,65387,32079)
  # -Maximum is exclusive, so use the array length to make every port selectable
  $port = $ports[(Get-Random -Minimum 0 -Maximum $ports.Count)]
  Write-Host "Start browser..."
  Start-Process "https://accounts.google.com/o/oauth2/v2/auth?code_challenge_method=S256&code_challenge=$base64&access_type=offline&client_id=$client_id&redirect_uri=http://localhost:$port&response_type=code&scope=https://www.googleapis.com/auth/admin.directory.user https://www.googleapis.com/auth/admin.directory.group"
  $listener = New-Object System.Net.HttpListener
  $listener.Prefixes.Add("http://localhost:"+$port+'/')
  try {$listener.Start()} catch {
    "Unable to start listener."
    exit 1
  }
  # Reset first so that a $code left over in a parent scope cannot skip the loop
  $code = $null
  while (-not $code) {
    $context = $listener.GetContext()
    Write-Host "Connection accepted" -ForegroundColor Magenta
    # Read the redirect parameters from the parsed (URL-decoded) query string
    $queryParams = $context.Request.QueryString
    $authError = $queryParams['error']
    $code = $queryParams['code']
    if ($authError) {
      Write-Host "Error! $authError" -ForegroundColor Red
      $buffer = [System.Text.Encoding]::UTF8.GetBytes("Error! "+$authError)
      # Plain text, so the echoed value is never rendered as markup
      $context.Response.ContentType = 'text/plain; charset=utf-8'
      $context.Response.ContentLength64 = $buffer.Length
      $context.Response.OutputStream.Write($buffer, 0, $buffer.Length)
      $context.Response.OutputStream.Close()
      $listener.Stop()
      exit 1
    }
    if (-not $code) {
      # Request without a code (for example /favicon.ico): answer and keep waiting
      $context.Response.StatusCode = 404
      $context.Response.Close()
      continue
    }
    $buffer = [System.Text.Encoding]::UTF8.GetBytes("Now you can close this browser tab.")
    $context.Response.ContentLength64 = $buffer.Length
    $context.Response.OutputStream.Write($buffer, 0, $buffer.Length)
    $context.Response.OutputStream.Close()
    $listener.Stop()
  }
  # Exchange the authorization code and the code verifier for tokens
  Return Invoke-RestMethod -Method Post -Uri "https://www.googleapis.com/oauth2/v4/token" -Body @{
    code = $code
    client_id = $client_id
    client_secret = $client_secret
    redirect_uri = 'http://localhost:'+$port
    grant_type = 'authorization_code'
    code_verifier   = $codeverifier
  }
}

We set the Client ID and Client Secret obtained in the properties of the OAuth client identifier, and the code verifier, a string of 43 to 128 characters that must be randomly generated from the unreserved characters: [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~".

This code is then transmitted again. It eliminates the vulnerability in which an attacker could intercept the response returned as a redirect after user authorization.
You can send the code verifier in the current request in plain text (which makes it pointless; this is only suitable for systems that do not support SHA256), or by creating a hash with the SHA256 algorithm, which must be encoded in BASE64Url (it differs from Base64 by two characters of the table) with the trailing = characters removed.
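
How the verifier and the challenge fit together, as an added example that is not part of the original script (function names are hypothetical). The verifier is drawn from the .NET cryptographic random number generator instead of Get-Random, and Test-PkceVerifier reproduces the comparison made at the token endpoint, which is why a party that saw only the redirect cannot redeem the code.

```powershell
# Added example, not from the original script. Function names are hypothetical.

function ConvertTo-Base64Url {
    # Base64Url differs from Base64 in two alphabet characters and drops '=' padding
    param([Parameter(Mandatory)][byte[]]$Bytes)
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function New-PkceVerifier {
    # 32..96 random bytes encode to 43..128 Base64Url characters, all of them unreserved
    param([ValidateRange(32, 96)][int]$ByteCount = 48)
    $bytes = New-Object byte[] $ByteCount
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    ConvertTo-Base64Url -Bytes $bytes
}

function Get-PkceChallenge {
    # code_challenge for code_challenge_method=S256
    param([Parameter(Mandatory)][string]$Verifier)
    if ($Verifier -cnotmatch '^[A-Za-z0-9._~-]{43,128}$') {
        throw 'code_verifier must be 43-128 characters from [A-Z] [a-z] [0-9] - . _ ~'
    }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $hash = $sha.ComputeHash([System.Text.Encoding]::ASCII.GetBytes($Verifier))
    } finally { $sha.Dispose() }
    ConvertTo-Base64Url -Bytes $hash
}

function Test-PkceVerifier {
    # Server side: recompute the challenge from the verifier sent with the code
    # and compare it with the challenge stored from the authorization request
    param([string]$StoredChallenge, [string]$PresentedVerifier)
    try { $computed = Get-PkceChallenge -Verifier $PresentedVerifier } catch { return $false }
    $computed -ceq $StoredChallenge
}

# Constructed run: one authorization request, three token requests
$verifier  = New-PkceVerifier
$challenge = Get-PkceChallenge -Verifier $verifier
[pscustomobject]@{
    VerifierLength      = $verifier.Length
    OwnVerifier         = Test-PkceVerifier $challenge $verifier
    ChallengeAsVerifier = Test-PkceVerifier $challenge $challenge
    FreshVerifier       = Test-PkceVerifier $challenge (New-PkceVerifier)
}
```

Only the token request that presents the original verifier passes; the challenge that travelled in the browser URL is not accepted in its place.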

Next, we need to start listening for HTTP on the local machine to receive the response after authorization, which is returned as a redirect.

Administrative tasks are performed on a dedicated server, and we cannot rule out that several administrators will run the script at the same time, so it chooses a port for the current user; but I specified predefined ports, because they must also be added as trusted in the API console.

access_type=offline means that the application can refresh an expired token on its own, without the user interacting with the browser,
response_type=code sets the format in which the code is returned (a reference to the old authorization method, when the user copied the code from the browser into the script),
scope specifies the scopes and type of access. They must be separated by spaces or %20 (according to URL encoding). A list of scopes with their types can be found here: OAuth 2.0 Scopes for Google APIs.

After receiving the authorization code, the application returns a closing message to the browser, stops listening on the port, and sends a POST request to obtain the token. In it we specify the previously defined ID and secret from the API console, the address the user will be redirected to, and grant_type in accordance with the protocol specification.

In response, we receive an Access token, its validity period in seconds, and a Refresh token, with which we can renew the Access token.

The application must store tokens in a safe place with a long lifetime, so until we revoke the granted access, the application will not be given the Refresh token again. At the end, I added a request to revoke the token; if the application did not finish successfully and the Refresh token was not returned, it starts the procedure over (we considered it unsafe to store tokens locally on the terminal, and we don't want to complicate things with cryptography or open the browser frequently).

# Repeat the authorization until Google returns a Refresh token
do {
  $token_result = Get-GoogleAuthToken
  $token = $token_result.access_token
  if ($null -eq $token_result.refresh_token) {
    # A previous grant is still active, so no Refresh token was issued: revoke and retry
    Write-Host ("Session is not destroyed. Revoking token...")
    Invoke-WebRequest -Uri ("https://accounts.google.com/o/oauth2/revoke?token="+$token)
  }
} while ($null -eq $token_result.refresh_token)
$refresh_token = $token_result.refresh_token
# Expiry: now + expires_in, minus a two-minute margin; AddSeconds carries minutes into hours
$expires_at = (Get-Date).AddSeconds($token_result.expires_in - 120)
$token_expire = @{
  hour = $expires_at.Hour
  minute = $expires_at.Minute
}

As you may have noticed, Invoke-WebRequest is used when revoking the token. Unlike Invoke-RestMethod, it does not return the received data in a usable form, and it shows the status of the request.

Next, the script asks you to enter the user's first and last name, and generates a login + email.

Requests

The next requests will be as follows: first of all, you need to check whether a user with the same login already exists, in order to decide whether to create a new one or enable the existing one.

I decided to implement all requests as a single function with a selection, using switch:

# Single entry point for all Directory API requests; $type selects the operation
function GoogleQuery {
  param (
    $type,
    $query
  )
  switch ($type) {
    "SearchAccount" {
      Return Invoke-RestMethod -Method Get -Uri "https://www.googleapis.com/admin/directory/v1/users" -Headers @{Authorization = "Bearer "+(Get-GoogleToken)} -Body @{
        domain = 'rocketguys.com'
        query  = "email:$query"
      }
    }
    "UpdateAccount" {
      $body = @{
        name  = @{
          givenName = $query['givenName']
          familyName = $query['familyName']
        }
        suspended = $false
        password = $query['password']
        changePasswordAtNextLogin = $true
        phones = @(@{
          primary = $true
          value = $query['phone']
          type = "mobile"
        })
        orgUnitPath = $query['orgunit']
      }
      Return Invoke-RestMethod -Method Put -Uri ("https://www.googleapis.com/admin/directory/v1/users/"+$query['email']) -Headers @{Authorization = "Bearer "+(Get-GoogleToken)} -Body (ConvertTo-Json $body) -ContentType 'application/json; charset=utf-8'
    }
    
    "CreateAccount" {
      $body = @{
        primaryEmail = $query['email']
        name  = @{
          givenName = $query['givenName']
          familyName = $query['familyName']
        }
        suspended = $false
        password = $query['password']
        changePasswordAtNextLogin = $true
        phones = @(@{
          primary = $true
          value = $query['phone']
          type = "mobile"
        })
        orgUnitPath = $query['orgunit']
      }
      Return Invoke-RestMethod -Method Post -Uri "https://www.googleapis.com/admin/directory/v1/users" -Headers @{Authorization = "Bearer "+(Get-GoogleToken)} -Body (ConvertTo-Json $body) -ContentType 'application/json; charset=utf-8'
    }
    "AddMember" {
      $body = @{
        userKey = $query['email']
      }
      # List the groups the user already belongs to, to avoid an error on a duplicate insert
      $ifrequest = Invoke-RestMethod -Method Get -Uri "https://www.googleapis.com/admin/directory/v1/groups" -Headers @{Authorization = "Bearer "+(Get-GoogleToken)} -Body $body
      $array = @()
      foreach ($group in $ifrequest.groups) {$array += $group.email}
      if ($array -notcontains $query['groupkey']) {
        $body = @{
          email = $query['email']
          role = "MEMBER"
        }
        Return Invoke-RestMethod -Method Post -Uri ("https://www.googleapis.com/admin/directory/v1/groups/"+$query['groupkey']+"/members") -Headers @{Authorization = "Bearer "+(Get-GoogleToken)} -Body (ConvertTo-Json $body) -ContentType 'application/json; charset=utf-8'
      } else {
        Return ($query['email']+" now is a member of "+$query['groupkey'])
      }
    }
  }
}

In every request you need to send an Authorization header containing the token type and the Access token itself. At the moment the token type is always Bearer. Since we need to check that the token has not expired and refresh it an hour after it was issued, I put the request into another function that returns the Access token. The same piece of code is at the beginning of the script, where the first Access token is received:

function Get-GoogleToken {
  # Refresh the Access token once the current time has passed the stored expiry
  if (((Get-date).Hour -gt $token_expire.hour) -or (((Get-date).Hour -ge $token_expire.hour) -and ((Get-date).Minute -gt $token_expire.minute))) {
    Write-Host "Token Expired. Refreshing..."
    $request = (Invoke-RestMethod -Method Post -Uri "https://www.googleapis.com/oauth2/v4/token" -ContentType 'application/x-www-form-urlencoded' -Body @{
      client_id = $client_id
      client_secret = $client_secret
      refresh_token = $refresh_token
      grant_type = 'refresh_token'
    })
    # Write to script scope so that later calls return the refreshed token
    $script:token = $request.access_token
    # New expiry: now + expires_in, minus a two-minute margin
    $expires_at = (Get-Date).AddSeconds($request.expires_in - 120)
    $script:token_expire = @{
      hour = $expires_at.Hour
      minute = $expires_at.Minute
    }
  }
  return $script:token
}
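
The hour/minute comparison in Get-GoogleToken cannot represent an expiry that falls on the next day. As an added example (not part of the original script; function names and the sample times are constructed), the same check with an absolute deadline, run next to the hour/minute form for two tokens issued late in the evening:

```powershell
# Added example, not from the original script. Function names are hypothetical.

function New-TokenDeadline {
    # Absolute instant at which the token should be refreshed
    param(
        [Parameter(Mandatory)][int]$ExpiresIn,     # expires_in from the token response, in seconds
        [datetime]$IssuedAt = [datetime]::UtcNow,
        [int]$SkewSeconds = 120                    # refresh two minutes early, as the script does
    )
    $IssuedAt.AddSeconds([Math]::Max(0, $ExpiresIn - $SkewSeconds))
}

function Test-TokenExpired {
    # Comparing full DateTime values keeps the date, so midnight needs no special case
    param([Parameter(Mandatory)][datetime]$Deadline, [datetime]$Now = [datetime]::UtcNow)
    $Now -ge $Deadline
}

function Test-TokenExpiredClockFace {
    # The comparison used in Get-GoogleToken, applied to an hour/minute pair
    param($Expire, [datetime]$Now)
    ($Now.Hour -gt $Expire.hour) -or
        (($Now.Hour -ge $Expire.hour) -and ($Now.Minute -gt $Expire.minute))
}

# Constructed cases: issue time, and how many minutes later the check runs
$cases = @(
    @{ Issued = [datetime]::new(2024, 1, 1, 23, 30, 0); After = 1 },
    @{ Issued = [datetime]::new(2024, 1, 1, 22, 52, 0); After = 75 }
)

foreach ($case in $cases) {
    $deadline = New-TokenDeadline -ExpiresIn 3599 -IssuedAt $case.Issued
    # Keeping only hour and minute discards the date
    $pair = @{ hour = $deadline.Hour; minute = $deadline.Minute }
    $now  = $case.Issued.AddMinutes($case.After)
    [pscustomobject]@{
        Issued      = $case.Issued.ToString('HH:mm')
        Now         = $now.ToString('HH:mm')
        ByDeadline  = Test-TokenExpired -Deadline $deadline -Now $now
        ByClockFace = Test-TokenExpiredClockFace -Expire $pair -Now $now
    }
}
```

For the token issued at 23:30, the hour/minute form reports expiry one minute later although the token is still valid; for the token issued at 22:52, it reports a valid token at 00:07 the next day although the deadline has passed.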

Checking whether the login exists:

function Check_Google {
  # Look up the login; returns the user object, or 'gg' when no account is found
  $query = (GoogleQuery 'SearchAccount' $username)
  if ($null -ne $query.users) {
    $user = $query.users[0]
    Write-Host "$($user.name.fullName) - $($user.primaryEmail) - suspended: $($user.suspended)"
    $GAresult = $user
  }
  if ($GAresult) {
    $return = $GAresult
  } else {$return = 'gg'}
  return $return
}

The query email:$query asks the API to find a user with exactly that email, including aliases. You can also use wildcards: =, :, :{PREFIX}*.

To get data, use the GET request method; to insert data (creating an account or adding a member to a group), POST; to update existing data, PUT; to delete a record (for example, a member from a group), DELETE.

The script will also ask for a phone number (an unvalidated string) and whether to add the user to a regional distribution group. It decides which organizational unit the user should belong to based on the selected Active Directory OU, and generates a password:

do {
  $phone = Read-Host "Телефон в формате +7хххххххх"
} while (-not $phone)
do {
    $moscow = Read-Host "В Московский офис? (y/n) "
} while (-not (($moscow -eq 'y') -or ($moscow -eq 'n')))
$orgunit = '/'
if ($OU -like "*OU=Delivery,OU=Users,OU=ROOT,DC=rocket,DC=local") {
    Write-host "Будет создана в /Team delivery"
    $orgunit = "/Team delivery"
}
# 12 distinct random alphanumeric characters followed by the fixed suffix "*Ba"
$Password =  -join ( 48..57 + 65..90 + 97..122 | Get-Random -Count 12 | ForEach-Object {[char]$_})+"*Ba"

And then it starts working with the account:

$query = @{
  email = $email
  givenName = $firstname
  familyName = $lastname
  password = $password
  phone = $phone
  orgunit = $orgunit
}
if ($GMailExist) {
  Write-Host "Запускаем изменение аккаунта" -f mag
  (GoogleQuery 'UpdateAccount' $query) | fl
  write-host "Не забудь проверить группы у включенного $Username в Google."
} else {
  Write-Host "Запускаем создание аккаунта" -f mag
  (GoogleQuery 'CreateAccount' $query) | fl
}
if ($moscow -eq "y"){
  write-host "Добавляем в группу moscowoffice"
  $query = @{
    groupkey = '[email protected]'
    email = $email
  }
  (GoogleQuery 'AddMember' $query) | fl
}

The functions for updating and creating an account have similar syntax; not all of the additional fields are required; in the phone numbers section you need to specify an array that can contain up to one record with a number and its type.

To avoid getting an error when adding a user to a group, we can first check whether they are already a member of that group, by getting the list of group members or the memberships from the user itself.

A query for a user's group membership is not recursive and shows only direct membership. Adding a user to a parent group that already contains a child group the user is a member of will succeed.

Conclusion

All that remains is to send the user the password for the new account. We do this by SMS, and send general information with instructions and the login to a personal email, which, along with the phone number, is provided by the recruitment department. Alternatively, you can save money and send the password to a secret Telegram chat, which can also be considered a second factor (MacBooks will be an exception).

Thank you for reading to the end. I will be glad to see suggestions for improving the style of my articles, and I wish you fewer errors when writing scripts =)


Source: www.habr.com
