Creating Google Users from PowerShell via the API

Hi!

This article describes an implementation of PowerShell interaction with the Google API to manipulate G Suite users.

We use several internal and cloud services across the organization. For the most part, authorization in them comes down to Google or Active Directory, between which we cannot maintain a replica; accordingly, when a new employee joins, you need to create/enable an account in both of these systems. To automate the process, we decided to write a script that collects the information and sends it to both services.

Authorization

When drawing up the requirements, we decided to use real human administrators for authorization; this simplifies the analysis of actions in the event of accidental or intentional massive changes.

Google APIs use the OAuth 2.0 protocol for authentication and authorization. Use cases and a more detailed description can be found here: Using OAuth 2.0 to Access Google APIs.

I chose the scenario that is used for authorization in desktop applications. There is also the option of using a service account, which does not require unnecessary actions from the user.

The picture below is a schematic description of the selected scenario from the Google page.


  1. First, we send the user to the Google Account authentication page, specifying GET parameters:
    • application ID
    • the scopes the application needs access to
    • the address the user will be redirected to after completing the procedure
    • the way we will refresh the token
    • security code
    • verification code transmission format

  2. After authorization is completed, the user is redirected to the page specified in the first request, with an error or an authorization code passed in GET parameters.
  3. The application (script) needs to receive these parameters and, if it received the code, make the following request to obtain tokens.
  4. If the request is correct, the Google API returns:
    • an access token with which we can make requests
    • the validity period of this token
    • a refresh token needed to refresh the access token.

First you need to go to the Google API console: Credentials - Google API Console, select the desired application and, in the Credentials section, create an OAuth client identifier. There (or later, in the properties of the created identifier) you need to specify the addresses to which redirection is allowed. In our case, these will be several localhost entries with different ports (see below).

To make the script's algorithm easier to read, you can put the first steps in a separate function that returns the access and refresh tokens for the application:

$client_secret = 'Our Client Secret'
$client_id = 'Our Client ID'
function Get-GoogleAuthToken {
  if (-not [System.Net.HttpListener]::IsSupported) {
    "HttpListener is not supported."
    exit 1
  }
  # PKCE code verifier: 60 characters from the unreserved set A-Z a-z 0-9 - . _ ~
  $codeverifier = -join ((65..90) + (97..122) + (48..57) + 45 + 46 + 95 + 126 | Get-Random -Count 60 | % {[char]$_})
  # code_challenge = BASE64URL(SHA256(code_verifier)) with the '=' padding removed
  $hasher = New-Object System.Security.Cryptography.SHA256Managed
  $hashByteArray = $hasher.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($codeverifier))
  $base64 = ((([System.Convert]::ToBase64String($hashByteArray)).replace('=','')).replace('+','-')).replace('/','_')
  # Every port listed here must be registered as a redirect URI in the API console
  $ports = @(10600,15084,39700,42847,65387,32079)
  # Pick one of the ports; -Maximum is exclusive, so indexing with it would never select the last entry
  $port = $ports | Get-Random
  Write-Host "Start browser..."
  Start-Process "https://accounts.google.com/o/oauth2/v2/auth?code_challenge_method=S256&code_challenge=$base64&access_type=offline&client_id=$client_id&redirect_uri=http://localhost:$port&response_type=code&scope=https://www.googleapis.com/auth/admin.directory.user%20https://www.googleapis.com/auth/admin.directory.group"
  $listener = New-Object System.Net.HttpListener
  $listener.Prefixes.Add("http://localhost:"+$port+'/')
  try {$listener.Start()} catch {
    "Unable to start listener."
    exit 1
  }
  $code = $null
  while ($null -eq $code) {
    $context = $listener.GetContext()
    Write-Host "Connection accepted" -f 'Magenta'
    # Let HttpListener parse and URL-decode the query string of the redirect
    $code = $context.Request.QueryString['code']
    $authError = $context.Request.QueryString['error']
    if ($authError) {
      Write-Host "Error! $authError" -f 'red'
      $buffer = [System.Text.Encoding]::UTF8.GetBytes("Error! "+[System.Net.WebUtility]::HtmlEncode($authError))
      $context.Response.ContentLength64 = $buffer.Length
      $context.Response.OutputStream.Write($buffer, 0, $buffer.Length)
      $context.Response.OutputStream.Close()
      $listener.Stop()
      exit 1
    }
    if ($null -eq $code) {
      # Not the OAuth redirect (no code and no error): answer 404 and keep waiting
      $context.Response.StatusCode = 404
      $context.Response.Close()
      continue
    }
    $buffer = [System.Text.Encoding]::UTF8.GetBytes("Now you can close this browser tab.")
    $context.Response.ContentLength64 = $buffer.Length
    $context.Response.OutputStream.Write($buffer, 0, $buffer.Length)
    $context.Response.OutputStream.Close()
    $listener.Stop()
  }
  # Exchange the authorization code, together with the PKCE verifier, for tokens
  Return Invoke-RestMethod -Method Post -Uri "https://www.googleapis.com/oauth2/v4/token" -Body @{
    code = $code
    client_id = $client_id
    client_secret = $client_secret
    redirect_uri = 'http://localhost:'+$port
    grant_type = 'authorization_code'
    code_verifier   = $codeverifier
  }
}

We set the Client ID and Client Secret obtained in the OAuth client identifier properties, and the code verifier, a string of 43 to 128 characters that must be randomly generated from the unreserved characters: [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~".

This code will then be transmitted again. It eliminates the vulnerability in which an attacker could intercept the response returned as a redirect after the user authorizes.
You can send the code verifier in the current request in clear text (which makes it meaningless; this is only suitable for systems that do not support SHA256), or by creating a hash using the SHA256 algorithm, which must be encoded in BASE64Url (which differs from Base64 by two characters of the alphabet) with the trailing padding characters removed: =.
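
The verifier and S256 challenge described above, as an added example that is not part of the original script: it draws 32 bytes from the operating system's cryptographic random number generator, as RFC 7636 recommends, and checks the transform against the RFC's Appendix B test vector. The function names are hypothetical.

```powershell
# Added example: PKCE (RFC 7636) helpers. Function names are hypothetical.

function ConvertTo-Base64Url {
  param([Parameter(Mandatory)][byte[]]$Bytes)
  # Base64url = Base64 with '+' -> '-', '/' -> '_' and the '=' padding removed
  [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function New-PkceVerifier {
  # 32 octets from the OS CSPRNG encode to a 43-character verifier (the minimum
  # allowed length); every output character is in the unreserved set.
  $bytes = New-Object byte[] 32
  $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
  try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
  ConvertTo-Base64Url -Bytes $bytes
}

function Get-PkceChallenge {
  param([Parameter(Mandatory)][string]$Verifier)
  if ($Verifier -cnotmatch '^[A-Za-z0-9._~-]{43,128}$') {
    throw "code_verifier must be 43-128 unreserved characters"
  }
  $sha = [System.Security.Cryptography.SHA256]::Create()
  try {
    # The verifier is pure ASCII, so ASCII and UTF-8 bytes are identical
    $hash = $sha.ComputeHash([System.Text.Encoding]::ASCII.GetBytes($Verifier))
  } finally { $sha.Dispose() }
  ConvertTo-Base64Url -Bytes $hash
}

# Self-check against the RFC 7636 Appendix B test vector
$rfcVerifier  = 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk'
$rfcChallenge = 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM'
if ((Get-PkceChallenge $rfcVerifier) -cne $rfcChallenge) { throw 'S256 self-check failed' }

# Values for one authorization attempt: send the challenge in the browser
# request and the verifier in the token request.
$codeverifier  = New-PkceVerifier
$codechallenge = Get-PkceChallenge $codeverifier
"code_verifier  ($($codeverifier.Length) chars): $codeverifier"
"code_challenge ($($codechallenge.Length) chars): $codechallenge"
```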

Next, we need to start listening for HTTP on the local machine in order to receive the response after authorization, which will be returned as a redirect.

Administrative tasks are performed on a dedicated server, and we cannot rule out that several administrators will run the script at the same time, so it randomly selects a port for the current user; I specified predefined ports because they must also be added as trusted in the API console.

access_type=offline means that the application can refresh an expired token on its own without the user interacting with the browser,
response_type=code sets the format in which the code will be returned (a reference to the old authorization method, when the user copied the code from the browser into the script),
scope indicates the scope and type of access. Scopes must be separated by spaces or %20 (according to URL Encoding). A list of access scopes with types can be seen here: OAuth 2.0 Scopes for Google APIs.

After receiving the authorization code, the application returns a closing message to the browser, stops listening on the port and sends a POST request to obtain the token. In it we specify the previously mentioned id and secret from the API console, the address to which the user will be redirected, and grant_type in accordance with the protocol specification.

In response, we will receive an access token, its validity period in seconds, and a refresh token, with which we can refresh the access token.

The application must store tokens in a secure place with a long shelf life, so until we revoke the granted access, the application will not return a refresh token again. At the end, I added a request to revoke the token; if the application did not complete successfully and the refresh token was not returned, it starts the procedure again (we considered it unsafe to store tokens locally, and we don't want to complicate things with cryptography or open the browser often).

do {
  $token_result = Get-GoogleAuthToken
  $token = $token_result.access_token
  if ($token_result.refresh_token -eq $null) {
    # No refresh token means an earlier grant is still active: revoke it and authorize again
    Write-Host ("Session is not destroyed. Revoking token...")
    Invoke-WebRequest -Uri ("https://accounts.google.com/o/oauth2/revoke?token="+$token)
  }
} while ($token_result.refresh_token -eq $null)
$refresh_token = $token_result.refresh_token
# Treat the token as expired two minutes early; AddSeconds carries minutes over into hours
$expires_at = (Get-Date).AddSeconds($token_result.expires_in - 120)
$token_expire = @{
  hour = $expires_at.Hour
  minute = $expires_at.Minute
}

As you may have noticed, Invoke-WebRequest is used when revoking the token. Unlike Invoke-RestMethod, it does not return the received data in a usable format and shows the status of the request.

Next, the script asks you to enter the user's first and last name, generating login + email.

Requests

The next requests are as follows. First of all, you need to check whether a user with the same login already exists, in order to decide between creating a new account and enabling the existing one.

I decided to implement all requests as a single function with a selection, using switch:

function GoogleQuery {
  param (
    $type,
    $query
  )
  switch ($type) {
    "SearchAccount" {
      Return Invoke-RestMethod -Method Get -Uri "https://www.googleapis.com/admin/directory/v1/users" -Headers @{Authorization = "Bearer "+(Get-GoogleToken)} -Body @{
        domain = 'rocketguys.com'
        query  = "email:$query"
      }
    }
    "UpdateAccount" {
      $body = @{
        name  = @{
          givenName = $query['givenName']
          familyName = $query['familyName']
        }
        suspended = $false
        password = $query['password']
        changePasswordAtNextLogin = $true
        phones = @(@{
          primary = $true
          value = $query['phone']
          type = "mobile"
        })
        orgUnitPath = $query['orgunit']
      }
      Return Invoke-RestMethod -Method Put -Uri ("https://www.googleapis.com/admin/directory/v1/users/"+$query['email']) -Headers @{Authorization = "Bearer "+(Get-GoogleToken)} -Body (ConvertTo-Json $body) -ContentType 'application/json; charset=utf-8'
    }
    
    "CreateAccount" {
      $body = @{
        primaryEmail = $query['email']
        name  = @{
          givenName = $query['givenName']
          familyName = $query['familyName']
        }
        suspended = $false
        password = $query['password']
        changePasswordAtNextLogin = $true
        phones = @(@{
          primary = $true
          value = $query['phone']
          type = "mobile"
        })
        orgUnitPath = $query['orgunit']
      }
      Return Invoke-RestMethod -Method Post -Uri "https://www.googleapis.com/admin/directory/v1/users" -Headers @{Authorization = "Bearer "+(Get-GoogleToken)} -Body (ConvertTo-Json $body) -ContentType 'application/json; charset=utf-8'
    }
    "AddMember" {
      $body = @{
        userKey = $query['email']
      }
      $ifrequest = Invoke-RestMethod -Method Get -Uri "https://www.googleapis.com/admin/directory/v1/groups" -Headers @{Authorization = "Bearer "+(Get-GoogleToken)} -Body $body
      $array = @()
      foreach ($group in $ifrequest.groups) {$array += $group.email}
      if ($array -notcontains $query['groupkey']) {
        $body = @{
          email = $query['email']
          role = "MEMBER"
        }
        Return Invoke-RestMethod -Method Post -Uri ("https://www.googleapis.com/admin/directory/v1/groups/"+$query['groupkey']+"/members") -Headers @{Authorization = "Bearer "+(Get-GoogleToken)} -Body (ConvertTo-Json $body) -ContentType 'application/json; charset=utf-8'
      } else {
        Return ($query['email']+" now is a member of "+$query['groupkey'])
      }
    }
  }
}

In each request, you need to send an Authorization header containing the token type and the access token itself. At the moment, the token type is always Bearer. Because we need to check that the token has not expired and refresh it after an hour from the moment it was issued, I made the request a separate function that returns the access token. The same piece of code is at the beginning of the script when receiving the first access token:

function Get-GoogleToken {
  if (((Get-date).Hour -gt $token_expire.hour) -or (((Get-date).Hour -ge $token_expire.hour) -and ((Get-date).Minute -gt $token_expire.minute))) {
    Write-Host "Token Expired. Refreshing..."
    $request = (Invoke-RestMethod -Method Post -Uri "https://www.googleapis.com/oauth2/v4/token" -ContentType 'application/x-www-form-urlencoded' -Body @{
      client_id = $client_id
      client_secret = $client_secret
      refresh_token = $refresh_token
      grant_type = 'refresh_token'
    })
    # Store the new token at script scope so later calls reuse the refreshed value
    $script:token = $request.access_token
    # Treat the token as expired two minutes early; AddSeconds carries minutes over into hours
    $expires_at = (Get-Date).AddSeconds($request.expires_in - 120)
    $script:token_expire = @{
      hour = $expires_at.Hour
      minute = $expires_at.Minute
    }
  }
  return $script:token
}

Checking whether the login exists:

function Check_Google {
  $query = (GoogleQuery 'SearchAccount' $username)
  if ($query.users -ne $null) {
    # The search matches on the exact email, so the first result is the account we want
    $user = $query.users[0]
    Write-Host "$($user.name.fullName) - $($user.primaryEmail) - suspended: $($user.suspended)"
    return $user
  }
  # Sentinel value returned when no account matches
  return 'gg'
}

The email:$query request asks the API to look for a user with exactly that email, including aliases. You can also use wildcards: =, :, :{PREFIX}*.

To get data, use the GET request method; to insert data (creating an account or adding a member to a group), POST; to update existing data, PUT; to delete a record (for example, a member from a group), DELETE.

The script will also ask for a phone number (an unvalidated string) and whether to include the user in a regional distribution group. It decides which organizational unit the user should have based on the selected Active Directory OU and comes up with a password:

do {
  # Prompt: "Phone in the format +7xxxxxxxx"
  $phone = Read-Host "Телефон в формате +7хххххххх"
} while (-not $phone)
do {
    # Prompt: "To the Moscow office? (y/n)"
    $moscow = Read-Host "В Московский офис? (y/n) "
} while (-not (($moscow -eq 'y') -or ($moscow -eq 'n')))
$orgunit = '/'
if ($OU -like "*OU=Delivery,OU=Users,OU=ROOT,DC=rocket,DC=local") {
    # Message: "Will be created in /Team delivery"
    Write-host "Будет создана в /Team delivery"
    $orgunit = "/Team delivery"
}
# 12 random alphanumeric characters plus a fixed suffix
$Password =  -join ( 48..57 + 65..90 + 97..122 | Get-Random -Count 12 | % {[char]$_})+"*Ba"

And then it starts manipulating the account:

$query = @{
  email = $email
  givenName = $firstname
  familyName = $lastname
  password = $password
  phone = $phone
  orgunit = $orgunit
}
if ($GMailExist) {
  # Message: "Starting account update"
  Write-Host "Запускаем изменение аккаунта" -f Magenta
  (GoogleQuery 'UpdateAccount' $query) | fl
  # Message: "Don't forget to check the groups of the enabled $Username in Google."
  write-host "Не забудь проверить группы у включенного $Username в Google."
} else {
  # Message: "Starting account creation"
  Write-Host "Запускаем создание аккаунта" -f Magenta
  (GoogleQuery 'CreateAccount' $query) | fl
}
if ($moscow -eq "y"){
  # Message: "Adding to the moscowoffice group"
  write-host "Добавляем в группу moscowoffice"
  $query = @{
    groupkey = '[email protected]'
    email = $email
  }
  (GoogleQuery 'AddMember' $query) | fl
}

The functions for updating and creating an account have similar syntax; not all additional fields are required; in the section with phone numbers, you need to specify an array that can contain a single record with the number and its type.

To avoid getting an error when adding a user to a group, we can first check whether they are already a member of this group by getting the list of the group's members or the list of groups from the user himself.

Querying the group membership of a particular user is not recursive and shows only direct membership. Including a user in a parent group that already has a child group of which the user is a member will succeed.

Conclusion

All that remains is to send the user the password for the new account. We do this via SMS, and send general information with instructions and the login to a personal email, which, together with the phone number, was provided by the recruitment department. As an alternative, you can save money and send the password to a secret Telegram chat, which can also be considered a second factor (MacBooks will be an exception).

Thank you for reading to the end. I will be glad to see suggestions for improving the style of writing articles, and I wish you fewer errors when writing scripts =)

A list of links that may be useful on the topic or simply answer questions:

Source: www.habr.com
