Creating Google Users from PowerShell via the API

Hi!

This article describes how to make PowerShell interact with the Google API in order to manage G Suite users.

We use many internal and cloud services across the organization. For the most part, authorization in them comes down to Google or Active Directory, between which we cannot maintain a replica; accordingly, when a new employee joins, an account has to be created or enabled in both of these systems. To automate the process, we decided to write a script that collects the information and sends it to both services.

Authorization

When making requests, we decided to authorize as real human administrators; this makes it easier to analyze actions in the event of accidental or unexpected large-scale changes.

Google APIs use the OAuth 2.0 protocol for authentication and authorization. Use cases and more detailed descriptions can be found here: Using OAuth 2.0 to Access Google APIs.

I chose the scenario that is used for authorization in desktop applications. There is also the option of using a service account, which requires no extra actions from the user.

The diagram below, taken from Google's page, is a schematic description of the chosen scenario.

[Diagram: the OAuth 2.0 authorization flow for the chosen scenario]

  1. First, we send the user to the Google Account authorization page, specifying these GET parameters:
    • the application id
    • the scopes the application needs access to
    • the address to which the user will be redirected after the procedure completes
    • the way we will refresh the token
    • the security code
    • the format in which the verification code is transferred

  2. After authorization completes, the user is redirected to the page specified in the first request, with an error or an authorization code passed through GET parameters
  3. The application (script) has to receive these parameters and, if a code was received, make the next request to obtain the tokens
  4. If the request is correct, the Google API returns:
    • an access token with which we can make requests
    • the validity period of this token
    • a refresh token, needed to renew the access token.

First you need to go to the Google API console: Credentials - Google API Console, select the desired application and, in the Credentials section, create an OAuth client ID. There (or later, in the properties of the created ID) you need to specify the addresses to which redirection is allowed. In our case, these will be several localhost entries with different ports (see below).

To make the script's algorithm easier to read, the first steps can be moved into a separate function that returns the access and refresh tokens for the application:

$client_secret = 'Our Client Secret'
$client_id = 'Our Client ID'
function Get-GoogleAuthToken {
  if (-not [System.Net.HttpListener]::IsSupported) {
    "HttpListener is not supported."
    exit 1
  }
  # PKCE code verifier: 60 characters from the unreserved set [A-Z] [a-z] [0-9] - . _ ~
  $codeverifier = -join ((65..90) + (97..122) + (48..57) + 45 + 46 + 95 + 126 |Get-Random -Count 60| % {[char]$_})
  # PKCE code challenge: SHA256 of the verifier, Base64Url-encoded, without '=' padding
  $hasher = new-object System.Security.Cryptography.SHA256Managed
  $hashByteArray = $hasher.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($codeverifier))
  $base64 = ((([System.Convert]::ToBase64String($hashByteArray)).replace('=','')).replace('+','-')).replace('/','_')
  $ports = @(10600,15084,39700,42847,65387,32079)
  # -Maximum is exclusive, so use the array length to make every listed port selectable
  $port = $ports[(get-random -Minimum 0 -maximum $ports.Count)]
  Write-Host "Start browser..."
  Start-Process "https://accounts.google.com/o/oauth2/v2/auth?code_challenge_method=S256&code_challenge=$base64&access_type=offline&client_id=$client_id&redirect_uri=http://localhost:$port&response_type=code&scope=https://www.googleapis.com/auth/admin.directory.user https://www.googleapis.com/auth/admin.directory.group"
  $listener = New-Object System.Net.HttpListener
  $listener.Prefixes.Add("http://localhost:"+$port+'/')
  try {$listener.Start()} catch {
    "Unable to start listener."
    exit 1
  }
  # Reset $code first so that a value left over in a parent scope cannot skip the loop
  $code = $null
  while (($code -eq $null)) {
    $context = $listener.GetContext()
    Write-Host "Connection accepted" -f 'mag'
    $url = $context.Request.RawUrl
    # The first query parameter of the redirect is either code=... or error=...
    $code = $url.split('?')[1].split('=')[1].split('&')[0]
    if ($url.split('?')[1].split('=')[0] -eq 'error') {
      Write-Host "Error!"$code -f 'red'
      $buffer = [System.Text.Encoding]::UTF8.GetBytes("Error!"+$code)
      $context.Response.ContentLength64 = $buffer.Length
      $context.Response.OutputStream.Write($buffer, 0, $buffer.Length)
      $context.Response.OutputStream.Close()
      $listener.Stop()
      exit 1
    }
    $buffer = [System.Text.Encoding]::UTF8.GetBytes("Now you can close this browser tab.")
    $context.Response.ContentLength64 = $buffer.Length
    $context.Response.OutputStream.Write($buffer, 0, $buffer.Length)
    $context.Response.OutputStream.Close()
    $listener.Stop()
  }
  # Exchange the authorization code (together with the code verifier) for the tokens
  Return Invoke-RestMethod -Method Post -Uri "https://www.googleapis.com/oauth2/v4/token" -Body @{
    code = $code
    client_id = $client_id
    client_secret = $client_secret
    redirect_uri = 'http://localhost:'+$port
    grant_type = 'authorization_code'
    code_verifier   = $codeverifier
  }
}

We set the Client ID and Client Secret obtained in the properties of the OAuth client ID, and the code verifier is a string of 43 to 128 characters that must be randomly generated from the unreserved characters: [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~".

This code will then be transmitted again. It eliminates a vulnerability in which an attacker could intercept the response returned as a redirect after the user authorizes.
You can send the code verifier in the current request in clear text (which makes it pointless; this is only suitable for systems that do not support SHA256), or by creating a hash with the SHA256 algorithm, which must be encoded in Base64Url (it differs from Base64 by two characters of the table) with the trailing padding characters = removed.
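
The verifier and challenge described above, as an added example that is not part of the original script: the random values come from .NET's RandomNumberGenerator and are sampled with replacement (Get-Random -Count never repeats a character), and the request also carries a state value. The function names are illustrative; the client id placeholder, port and scopes are the ones the article uses.

```powershell
# Added example, not the article's code. Function names are illustrative.
function New-RandomString {
    param([int]$Length = 64,
          [string]$Alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~')
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte = New-Object byte[] 1
    $sb   = New-Object System.Text.StringBuilder
    # Rejection sampling: skip bytes at or above the largest multiple of the
    # alphabet size, so the modulo below does not favour the first characters
    $limit = 256 - (256 % $Alphabet.Length)
    try {
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($byte)
            if ($byte[0] -lt $limit) { [void]$sb.Append($Alphabet[$byte[0] % $Alphabet.Length]) }
        }
    } finally { $rng.Dispose() }
    return $sb.ToString()
}

function ConvertTo-Base64Url {
    param([byte[]]$Bytes)
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function New-AuthRequest {
    param([string]$ClientId, [int]$Port, [string[]]$Scopes)
    $verifier = New-RandomString -Length 64
    $sha256   = [System.Security.Cryptography.SHA256]::Create()
    try { $digest = $sha256.ComputeHash([System.Text.Encoding]::ASCII.GetBytes($verifier)) } finally { $sha256.Dispose() }
    $state = New-RandomString -Length 32
    $query = [ordered]@{
        client_id             = $ClientId
        redirect_uri          = "http://localhost:$Port"
        response_type         = 'code'
        scope                 = $Scopes -join ' '
        access_type           = 'offline'
        state                 = $state
        code_challenge        = ConvertTo-Base64Url $digest
        code_challenge_method = 'S256'
    }
    # Percent-encode every value so spaces, ':' and '/' survive inside the query string
    $pairs = foreach ($key in $query.Keys) { "$key=" + [uri]::EscapeDataString($query[$key]) }
    return @{
        Url          = 'https://accounts.google.com/o/oauth2/v2/auth?' + ($pairs -join '&')
        CodeVerifier = $verifier   # stays local, sent only with the token request
        State        = $state      # compared with the state returned on the redirect
    }
}

$request = New-AuthRequest -ClientId 'Our Client ID' -Port 10600 -Scopes 'https://www.googleapis.com/auth/admin.directory.user', 'https://www.googleapis.com/auth/admin.directory.group'
$request.Url
```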

Next, we need to start listening on HTTP on the local machine in order to receive the response after authorization, which will be returned as a redirect.

Administrative tasks are performed on a dedicated server, and we cannot rule out that several administrators will run the script at the same time, so it picks a random port for the current user; however, I specified predefined ports, because they also have to be added as trusted in the API console.

access_type=offline means that the application can refresh an expired token on its own, without the user interacting with the browser,
response_type=code sets the format in which the code will be returned (a reference to the old authorization method, when the user copied the code from the browser into the script),
scope specifies the scopes and type of access. They must be separated by spaces or %20 (as in URL encoding). The list of scopes with their types can be found here: OAuth 2.0 Scopes for Google APIs.

After receiving the authorization code, the application returns a closing message to the browser, stops listening on the port and sends a POST request to obtain the token. In it we specify the previously set id and secret from the API console, the address to which the user will be redirected and the grant_type in accordance with the protocol specification.
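
One way to read the redirect received by the local listener, as an added example that is not part of the original script: it parses the query string by parameter name instead of by position, tolerates a request with no query string, and accepts the code only when the returned state matches the value sent in the authorization request. The function name, the state handling and the sample URLs are assumptions constructed for illustration.

```powershell
# Added example, not the article's code. Read-OAuthCallback is an illustrative name.
function Read-OAuthCallback {
    param(
        [Parameter(Mandatory)][string]$RawUrl,         # e.g. $context.Request.RawUrl
        [Parameter(Mandatory)][string]$ExpectedState   # state sent in the authorization request
    )
    $result = @{ Code = $null; Error = $null }
    $parts = $RawUrl.Split('?', 2)
    if ($parts.Count -lt 2) { $result.Error = 'no query string'; return $result }

    # Split into name/value pairs and undo the URL encoding of each side
    $fields = @{}
    foreach ($pair in $parts[1].Split('&')) {
        $kv    = $pair.Split('=', 2)
        $name  = [uri]::UnescapeDataString($kv[0])
        $value = if ($kv.Count -gt 1) { [uri]::UnescapeDataString($kv[1].Replace('+', ' ')) } else { '' }
        $fields[$name] = $value
    }

    # A redirect that does not echo our state was not produced by our own request
    if (-not $fields.ContainsKey('state') -or $fields['state'] -cne $ExpectedState) {
        $result.Error = 'state mismatch'; return $result
    }
    if ($fields.ContainsKey('error')) { $result.Error = $fields['error']; return $result }
    if (-not $fields['code'])         { $result.Error = 'no code';        return $result }
    $result.Code = $fields['code']
    return $result
}

# Constructed sample redirects: a successful one, a denied consent,
# a redirect with a foreign state, and a stray browser request
$state = 'constructed-state-value'
$samples = @(
    "/?state=$state&code=4%2Fconstructed-code&scope=constructed",
    "/?error=access_denied&state=$state",
    '/?state=someone-elses-state&code=constructed-code',
    '/favicon.ico'
)
foreach ($raw in $samples) {
    $r = Read-OAuthCallback -RawUrl $raw -ExpectedState $state
    '{0} -> code=[{1}] error=[{2}]' -f $raw, $r.Code, $r.Error
}
```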

In response, we receive an access token, its validity period in seconds, and a refresh token, with which we can renew the access token.

The application must keep the tokens in a secure place with a long storage life, so until we revoke the access that was granted, the application will not be given the refresh token again. At the end, I added a request to revoke the token; if the application did not finish successfully and the refresh token was not returned, it starts the procedure over (we considered it unsafe to store tokens locally on the terminal, and we don't want to complicate things with cryptography or open the browser often).

do {
  $token_result = Get-GoogleAuthToken
  $token = $token_result.access_token
  if ($token_result.refresh_token -eq $null) {
    Write-Host ("Session is not destroyed. Revoking token...")
    Invoke-WebRequest -Uri ("https://accounts.google.com/o/oauth2/revoke?token="+$token)
  }
} while ($token_result.refresh_token -eq $null)
$refresh_token = $token_result.refresh_token
# Expiry moment, two minutes early. Taking hour and minute from one DateTime
# carries a minute overflow into the hour instead of dropping it.
$expires_at = (Get-Date).AddSeconds($token_result.expires_in - 120)
$token_expire = @{
  hour = $expires_at.Hour
  minute = $expires_at.Minute
}

As you have already noticed, Invoke-WebRequest is used when revoking the token. Unlike Invoke-RestMethod, it does not return the received data in a ready-to-use format and shows the status of the request.

Next, the script asks you to enter the user's first name and last name, generating a login + email.

Requests

The next requests are as follows: first of all, you need to check whether a user with the same login already exists, in order to decide whether to create a new one or enable the existing one.

I decided to implement all requests as a single function with a selector, using switch:

function GoogleQuery {
  param (
    $type,
    $query
  )
  switch ($type) {
    "SearchAccount" {
      Return Invoke-RestMethod -Method Get -Uri "https://www.googleapis.com/admin/directory/v1/users" -Headers @{Authorization = "Bearer "+(Get-GoogleToken)} -Body @{
        domain = 'rocketguys.com'
        query  = "email:$query"
      }
    }
    "UpdateAccount" {
      $body = @{
        name  = @{
          givenName = $query['givenName']
          familyName = $query['familyName']
        }
        suspended = 'false'
        password = $query['password']
        changePasswordAtNextLogin = 'true'
        phones = @(@{
          primary = 'true'
          value = $query['phone']
          type = "mobile"
        })
        orgUnitPath = $query['orgunit']
      }
      Return Invoke-RestMethod -Method Put -Uri ("https://www.googleapis.com/admin/directory/v1/users/"+$query['email']) -Headers @{Authorization = "Bearer "+(Get-GoogleToken)} -Body (ConvertTo-Json $body) -ContentType 'application/json; charset=utf-8'
    }
    
    "CreateAccount" {
      $body = @{
        primaryEmail = $query['email']
        name  = @{
          givenName = $query['givenName']
          familyName = $query['familyName']
        }
        suspended = 'false'
        password = $query['password']
        changePasswordAtNextLogin = 'true'
        phones = @(@{
          primary = 'true'
          value = $query['phone']
          type = "mobile"
        })
        orgUnitPath = $query['orgunit']
      }
      Return Invoke-RestMethod -Method Post -Uri "https://www.googleapis.com/admin/directory/v1/users" -Headers @{Authorization = "Bearer "+(Get-GoogleToken)} -Body (ConvertTo-Json $body) -ContentType 'application/json; charset=utf-8'
    }
    "AddMember" {
      $body = @{
        userKey = $query['email']
      }
      $ifrequest = Invoke-RestMethod -Method Get -Uri "https://www.googleapis.com/admin/directory/v1/groups" -Headers @{Authorization = "Bearer "+(Get-GoogleToken)} -Body $body
      $array = @()
      foreach ($group in $ifrequest.groups) {$array += $group.email}
      if ($array -notcontains $query['groupkey']) {
        $body = @{
          email = $query['email']
          role = "MEMBER"
        }
        Return Invoke-RestMethod -Method Post -Uri ("https://www.googleapis.com/admin/directory/v1/groups/"+$query['groupkey']+"/members") -Headers @{Authorization = "Bearer "+(Get-GoogleToken)} -Body (ConvertTo-Json $body) -ContentType 'application/json; charset=utf-8'
      } else {
        Return ($query['email']+" now is a member of "+$query['groupkey'])
      }
    }
  }
}

In each request, you need to send an Authorization header containing the token type and the access token itself. Currently, the token type is always Bearer. Because we need to check that the token has not expired and refresh it an hour after it was issued, I delegated this to another function that returns the access token. The same piece of code is at the beginning of the script, where the first access token is obtained:

function Get-GoogleToken {
  if (((Get-date).Hour -gt $token_expire.hour) -or (((Get-date).Hour -ge $token_expire.hour) -and ((Get-date).Minute -gt $token_expire.minute))) {
    Write-Host "Token Expired. Refreshing..."
    $request = (Invoke-RestMethod -Method Post -Uri "https://www.googleapis.com/oauth2/v4/token" -ContentType 'application/x-www-form-urlencoded' -Body @{
      client_id = $client_id
      client_secret = $client_secret
      refresh_token = $refresh_token
      grant_type = 'refresh_token'
    })
    # Write to script scope; a plain assignment would only create a function-local $token
    # and later calls would keep returning the old, expired token
    $script:token = $request.access_token
    # Expiry moment, two minutes early, with minute overflow carried into the hour
    $expires_at = (Get-Date).AddSeconds($request.expires_in - 120)
    $script:token_expire = @{
      hour = $expires_at.Hour
      minute = $expires_at.Minute
    }
  }
  return $token
}

Checking whether the login exists:

function Check_Google {
  $query = (GoogleQuery 'SearchAccount' $username)
  if ($query.users -ne $null) {
    $user = $query.users[0]
    Write-Host $user.name.fullName' - '$user.PrimaryEmail' - suspended: '$user.Suspended
    $GAresult = $user
  }
  if ($GAresult) {
      $return = $GAresult
  } else {$return = 'gg'}
  return $return
}

The email:$query query asks the API to find a user with exactly that email, including aliases. You can also use wildcards: =, :, :{PREFIX}*.

To get data, use the GET request method; to insert data (creating an account or adding a member to a group), POST; to update existing data, PUT; to delete a record (for example, a member from a group), DELETE.

The script also asks for a phone number (an unvalidated string) and whether to include the user in a regional distribution group. It determines which organizational unit the user should be in based on the selected Active Directory OU, and generates a password:

do {
  $phone = Read-Host "Телефон в формате +7хххххххх"
} while (-not $phone)
do {
    $moscow = Read-Host "В Московский офис? (y/n) "
} while (-not (($moscow -eq 'y') -or ($moscow -eq 'n')))
$orgunit = '/'
if ($OU -like "*OU=Delivery,OU=Users,OU=ROOT,DC=rocket,DC=local") {
    Write-host "Будет создана в /Team delivery"
    $orgunit = "/Team delivery"
}
$Password =  -join ( 48..57 + 65..90 + 97..122 | Get-Random -Count 12 | % {[char]$_})+"*Ba"

And then it starts manipulating the account:

$query = @{
  email = $email
  givenName = $firstname
  familyName = $lastname
  password = $password
  phone = $phone
  orgunit = $orgunit
}
if ($GMailExist) {
  Write-Host "Запускаем изменение аккаунта" -f mag
  (GoogleQuery 'UpdateAccount' $query) | fl
  write-host "Не забудь проверить группы у включенного $Username в Google."
} else {
  Write-Host "Запускаем создание аккаунта" -f mag
  (GoogleQuery 'CreateAccount' $query) | fl
}
if ($moscow -eq "y"){
  write-host "Добавляем в группу moscowoffice"
  $query = @{
    groupkey = '[email protected]'
    email = $email
  }
  (GoogleQuery 'AddMember' $query) | fl
}

The functions for updating and creating an account have similar syntax; not all of the additional fields are required; in the phone numbers section, you need to specify an array, which may contain just one record with the number and its type.

To avoid getting an error when adding a user to a group, we can first check whether the user is already a member of that group, by getting either the list of the group's members or the list of groups from the user itself.

Querying the group membership of a particular user is not recursive and shows only direct membership. Adding a user to a parent group that already contains a child group of which the user is a member will succeed.

Conclusion

All that remains is to send the user the password for the new account. We do this by SMS, and send general information with instructions and the login to the personal email address, which, together with the phone number, is provided by the recruitment department. As an alternative, you can save money and send the password to a secret Telegram chat, which can also be considered a second factor (MacBooks would be an exception).

Thank you for reading to the end. I will be glad to see suggestions for improving the style of my articles, and I wish you fewer errors when writing scripts =)

A list of links that may be useful on the topic or that simply answer questions:

Source: www.habr.com