Abstract out permissions to scuba constantspy (#812)

* move scopes to scuba_constants.py

Author: adhilto

scubagoggles/auth.py

@@ -12,6 +12,7 @@
 from google.oauth2.credentials import Credentials
 from google.oauth2.service_account import Credentials as SvcCredentials
 from google_auth_oauthlib.flow import InstalledAppFlow
+from scubagoggles.scuba_constants import API_SCOPES
 
 # The class is worth it just for the encapsulation.  It allows the potential
 # of credential refresh multiple times, which may be beneficial during a
@@ -24,17 +25,6 @@ class GwsAuth:
     """Generates an Oauth token for accessing Google's APIs
     """
 
-    _base_auth_url = 'https://www.googleapis.com/auth'
-
-    _scopes = (f'{_base_auth_url}/admin.reports.audit.readonly',
-               f'{_base_auth_url}/admin.directory.domain.readonly',
-               f'{_base_auth_url}/admin.directory.orgunit.readonly',
-               f'{_base_auth_url}/admin.directory.user.readonly',
-               f'{_base_auth_url}/admin.directory.group.readonly',
-               f'{_base_auth_url}/admin.directory.customer.readonly',
-               f'{_base_auth_url}/apps.groups.settings',
-               f'{_base_auth_url}/cloud-identity.policies.readonly')
-
     def __init__(self, credentials_path: Path, svc_account_email: str = None):
         """GwsAuth class initialization.
 
@@ -61,7 +51,7 @@ def __init__(self, credentials_path: Path, svc_account_email: str = None):
         if svc_account_email:
             get_credentials = SvcCredentials.from_service_account_file
             self._token = get_credentials(str(credentials_path),
-                                          scopes=self._scopes,
+                                          scopes=API_SCOPES,
                                           subject=svc_account_email)
             return
 
@@ -79,7 +69,7 @@ def __init__(self, credentials_path: Path, svc_account_email: str = None):
         # have worked when no browser was available).
         credentials_file = str(self._credentials_path)
         flow = InstalledAppFlow.from_client_secrets_file(credentials_file,
-                                                         self._scopes)
+                                                         API_SCOPES)
 
         try:
             self._token = flow.run_local_server(
@@ -116,7 +106,7 @@ def _check_scopes(self):
             token = json.load(in_stream)
 
         token_scopes = frozenset(token['scopes'])
-        valid_scopes = frozenset(self._scopes)
+        valid_scopes = frozenset(API_SCOPES)
 
         # Delete the token file if its scopes don't match those defined in
         # this class.  The token file will be recreated in the constructor
@@ -145,7 +135,7 @@ def _load_token(self):
         # refresh the token if it has expired.
         token_file = str(self._token_path)
         self._token = Credentials.from_authorized_user_file(token_file,
-                                                            self._scopes)
+                                                            API_SCOPES)
 
         self._refresh_token()
 

scubagoggles/scuba_constants.py

@@ -45,3 +45,13 @@ class ApiUrl(Enum):
 NUMBER_OF_UUID_CHARACTERS_TO_TRUNCATE_CHOICES = (
     0, 13, 18, 36
 )
+
+BASE_AUTH_URL = 'https://www.googleapis.com/auth'
+API_SCOPES = (f'{BASE_AUTH_URL}/admin.reports.audit.readonly',
+              f'{BASE_AUTH_URL}/admin.directory.domain.readonly',
+              f'{BASE_AUTH_URL}/admin.directory.orgunit.readonly',
+              f'{BASE_AUTH_URL}/admin.directory.user.readonly',
+              f'{BASE_AUTH_URL}/admin.directory.group.readonly',
+              f'{BASE_AUTH_URL}/admin.directory.customer.readonly',
+              f'{BASE_AUTH_URL}/apps.groups.settings',
+              f'{BASE_AUTH_URL}/cloud-identity.policies.readonly')