1

I am trying to list groups on my Google Apps for Business account. I set up a service account and gave it the Service Directory Admin role. I now want to test this on my local machine (I'm using RubyMine to run this through RSpec). The tests look like this:

require 'rails_helper'

describe GoogleApiHelper, type: :helper do
  it 'should authenticate successfully to Google' do
    google_auth_creds = OpenStruct.new authenticate(Api::Application.config.google[:auth][:scopes])
    expect(google_auth_creds).to_not be_nil
    expect(google_auth_creds.access_token).to match(/[A-Za-z\._-]*/)

    puts(google_auth_creds)
  end

  it 'should list all of the groups in the sinkingmoon.com domain' do
    groups = OpenStruct.new list_groups 'mydomain.com'

    puts(groups)
  end
end

The implementation under test looks like this:

require 'googleauth'
require 'google/apis/admin_directory_v1'

module GoogleApiHelper
  def authenticate(scopes)
    authorizer = Google::Auth::ServiceAccountCredentials.make_creds(
        json_key_io: File.open(Api::Application.config.google[:auth][:json_file]),
        scope: scopes)

    authorizer.fetch_access_token!
  end

  def retrieve_group(domain, groupId)
    authorizer = authenticate(Api::Application.config.google[:scopes])

    directory_service = Google::Apis::AdminDirectoryV1::DirectoryService.new
    directory_service.authorization = authorizer
    directory_service.get_group groupId
  end

  def list_groups(domain)
    authorizer = authenticate(Api::Application.config.google[:scopes])

    directory_service = Google::Apis::AdminDirectoryV1::DirectoryService.new
    directory_service.authorization = authorizer

    directory_service.list_groups(domain: domain)
  end
end

The test for authentication works as I would expect, in that it gives me an authorization token and an expiration. The test for listing groups, though, fails, with the following message:

Google::Apis::AuthorizationError: Unauthorized

  0) GoogleApiHelper should retrieve a group by the domain
     Failure/Error: directory_service.get_group groupId

     Google::Apis::AuthorizationError:
       Unauthorized

I'm not quite sure what I'm doing incorrectly. My credentials are stored in a .json file, and the configuration is set up in the environments/test.rb file:

  Api::Application.config.google = {
      :auth => {
          :json_file => 'config/auth/credentials.json',
          :scopes => [ 'https://www.googleapis.com/auth/admin.directory.group', 'https://www.googleapis.com/auth/admin.directory.domain' ]
      },
      :group => 'mygroup@mydomain.com'
  }

I'm wondering if perhaps I actually have incorrectly set up the scopes for this service account. Alternatively, could it be that I'm trying to access the API from my local machine, rather than from my server on the domain that's registered? If the latter is the case, how could I go about testing this before deploying it to my production or staging webapp?

Update: I printed out the scopes the app is using, which are: ["https://www.googleapis.com/auth/admin.directory.group", "https://www.googleapis.com/auth/admin.directory.domain"]. I believe these are the correct ones. I've added these to the admin console under Security -> Advanced Settings -> Manage API Client Access, and put in the name of my service account, which happens to be something like test-account@myprojectname.iam.gserviceaccount.com, and the scopes listed above. This gets translated to the unique id of the service account.

jwir3
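An added example (not from the question, the answer, or either gem): a hand-rolled version of the kind of signed JWT assertion a service account exchanges for an access token, audited for the scopes it requests and for a `sub` claim naming a delegated user. The throwaway key, `admin@mydomain.com` and all helper names are constructed; the config hash mirrors the one in the question, where `google[:scopes]` (the lookup in `list_groups`) is nil while the scopes sit under `google[:auth][:scopes]`.

```ruby
require 'openssl'
require 'json'
require 'base64'

TOKEN_URI = 'https://oauth2.googleapis.com/token' # Google's documented token endpoint
B64 = ->(data) { Base64.urlsafe_encode64(data, padding: false) }

# Build the signed JWT assertion of the OAuth 2.0 JWT-bearer flow.
def build_assertion(key, issuer:, scopes:, subject: nil, now: Time.now.to_i)
  claims = { iss: issuer, scope: Array(scopes).join(' '), aud: TOKEN_URI,
             iat: now, exp: now + 3600 }
  claims[:sub] = subject if subject # user to act as under domain-wide delegation
  signing_input = [{ alg: 'RS256', typ: 'JWT' }, claims].map { |part| B64.call(part.to_json) }.join('.')
  "#{signing_input}.#{B64.call(key.sign(OpenSSL::Digest.new('SHA256'), signing_input))}"
end

# Verify the signature, then report what the assertion actually requests.
def audit_assertion(jwt, public_key, required_scopes)
  head, body, sig = jwt.split('.')
  signed_ok = public_key.verify(OpenSSL::Digest.new('SHA256'),
                                Base64.urlsafe_decode64(sig), "#{head}.#{body}")
  return ['signature does not verify'] unless signed_ok

  claims = JSON.parse(Base64.urlsafe_decode64(body))
  findings = []
  missing = required_scopes - claims['scope'].to_s.split
  findings << "missing scopes: #{missing.join(', ')}" unless missing.empty?
  findings << 'no sub claim: token is for the service account itself' unless claims['sub']
  findings
end

# Constructed sample data: throwaway key, config shaped like the one in the question.
KEY = OpenSSL::PKey::RSA.new(2048)
ISSUER = 'test-account@myprojectname.iam.gserviceaccount.com'
CONFIG = { auth: { scopes: ['https://www.googleapis.com/auth/admin.directory.group',
                            'https://www.googleapis.com/auth/admin.directory.domain'] } }.freeze
REQUIRED = CONFIG[:auth][:scopes]

def audit_for(scopes, subject: nil)
  jwt = build_assertion(KEY, issuer: ISSUER, scopes: scopes, subject: subject)
  audit_assertion(jwt, KEY.public_key, REQUIRED)
end

if __FILE__ == $PROGRAM_NAME
  p audit_for(CONFIG[:scopes])                                        # lookup used by list_groups
  p audit_for(CONFIG[:auth][:scopes])                                 # lookup used by the first spec
  p audit_for(CONFIG[:auth][:scopes], subject: 'admin@mydomain.com')  # constructed admin address
end
```
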

1 Answer

0

Have you tried whether you actually get a response back from the development environment? This is what I use; you can give it a shot:

require 'google/apis/analyticsreporting_v4'

AP = Google::Apis::AnalyticsreportingV4
credentials = Google::Auth::ServiceAccountCredentials.make_creds(json_key_io: IO.new(IO.sysopen('./config/credentials.json')))
credentials.scope = "https://www.googleapis.com/auth/analytics.readonly"
ga_reporting_service = AP::AnalyticsReportingService.new
ga_reporting_service.authorization = credentials.fetch_access_token!({})["access_token"]