Fix group settings to allow external member into oss-fuzz cc groups (#5155)

Creating groups through the cloud identity API uses a default set of
access settings. We need to change these in order for them to work as CC
groups for OSS-Fuzz projects. Mainly, allowing external members to be
added to the group. These changes cannot be done through the identity
API, so we need to use the groups settings API (which I enabled for the
clusterfuzz-external deployment).

I added some other settings as safeguard to avoid issues with these
groups (as they will be in the public tracker), such as who can
view/post/contact/manage the group to only owners/managers. Also, fixed
some single/double quote style.

**Tests**
* Added unit test.
* Run locally impersonating the clusterfuzz-external service account.
* Output: https://paste.googleplex.com/4898709642018816 (errors in the
first run are expected as googleapiclient logs an error when the
checking for the group and it does not exist).
* Group settings after executing it:
https://screenshot.googleplex.com/5ymqVPoFMwHYraN.png


Context: b/477964128

Author: ViniciustCosta

src/clusterfuzz/_internal/cron/oss_fuzz_cc_groups.py

@@ -28,25 +28,32 @@ def sync_project_cc_group(project_name, info):
 
   group_id = google_groups.get_group_id(group_name)
   # Create the group and bail out since the CIG API might delay to create a
-  # new group. Add members will be done in the next project-setup run.
+  # new group. Add members will be done in the next cron run.
   if not group_id:
     group_description = f'{_CC_GROUP_DESC}: {project_name}'
     created = google_groups.create_google_group(
         group_name, group_description=group_description)
     if not created:
-      logs.info('Failed to create or retrieve the issue tracker CC group '
-                f'for {project_name}')
+      logs.warning('Failed to create or retrieve the issue tracker CC group '
+                   f'for {project_name}')
       return
     logs.info(f'Created issue tracker CC group for {project_name}. '
               'Skipping adding members as group may still not exist.')
     return
 
   group_memberships = google_groups.get_google_group_memberships(group_id)
   if group_memberships is None:
-    logs.info(
+    logs.warning(
         f'Failed to get list of group members for {project_name}. Skipping.')
     return
 
+  if len(group_memberships) <= 1:
+    # If only the SA is a member, we know that the group has just been created
+    # and we need to update settings to allow external members.
+    if not google_groups.set_oss_fuzz_access_settings(group_name):
+      logs.warning(f'Failed to allow external members for {group_name}')
+      return
+
   ccs = set(project_setup.ccs_from_info(info))
 
   to_add = ccs - group_memberships.keys()
@@ -66,6 +73,7 @@ def sync_project_cc_group(project_name, info):
 def main():
   """Sync OSS-Fuzz projects groups used to CC owners in the issue tracker."""
   projects = project_setup.get_oss_fuzz_projects()
+
   for project, info in projects:
     sync_project_cc_group(project, info)
 

src/clusterfuzz/_internal/google_cloud_utils/google_groups.py

@@ -40,6 +40,16 @@ def get_identity_api() -> discovery.Resource | None:
   return _local.identity_service
 
 
+def get_group_settings_api() -> discovery.Resource | None:
+  """Return the groups settings api client."""
+  if not hasattr(_local, 'groups_settings_service'):
+    creds, _ = credentials.get_default()
+    _local.groups_settings_service = discovery.build(
+        'groupssettings', 'v1', credentials=creds, cache_discovery=False)
+
+  return _local.groups_settings_service
+
+
 def get_group_id(group_name: str, exists_check: bool = False) -> str | None:
   """Retrive a google group ID."""
   identity_service = get_identity_api()
@@ -49,7 +59,7 @@ def get_group_id(group_name: str, exists_check: bool = False) -> str | None:
     return response.get('name')
   except errors.HttpError:
     if not exists_check:
-      logs.warning(f"Unable to look up group {group_name}.")
+      logs.warning(f'Unable to look up group {group_name}.')
     return None
 
 
@@ -58,11 +68,11 @@ def check_transitive_group_membership(group_id: str, member: str) -> bool:
   identity_service = get_identity_api()
   try:
     query_params = parse.urlencode({
-        "query": "member_key_id == '{}'".format(member)
+        'query': "member_key_id == '{}'".format(member)
     })
     request = identity_service.groups().memberships().checkTransitiveMembership(
         parent=group_id)
-    request.uri += "&" + query_params
+    request.uri += '&' + query_params
     response = request.execute(num_retries=_FAIL_RETRIES)
     return response.get('hasMembership', False)
   except errors.HttpError:
@@ -71,6 +81,35 @@ def check_transitive_group_membership(group_id: str, member: str) -> bool:
     return False
 
 
+def set_oss_fuzz_access_settings(group_name: str) -> bool:
+  """Sets expected access settings for oss-fuzz projects cc groups.
+  
+  The main setting is allowing external members, but as a safeguard, it sets
+  who can view/post/contact/moderate the group to only owners/managers.
+  """
+  groups_service = get_group_settings_api()
+
+  try:
+    group_resources = {
+        'allowExternalMembers': 'true',
+        'whoCanViewMembership': 'ALL_MANAGERS_CAN_VIEW',
+        'whoCanViewGroup': 'ALL_MANAGERS_CAN_VIEW',
+        'whoCanPostMessage': 'ALL_OWNERS_CAN_POST',
+        'whoCanContactOwner': 'ALL_MANAGERS_CAN_CONTACT',
+        'whoCanModerateMembers': 'OWNERS_ONLY'
+    }
+    response = groups_service.groups().patch(
+        groupUniqueId=group_name,
+        body=group_resources).execute(num_retries=_FAIL_RETRIES)
+    logs.info(
+        f'Updated group access settings for {group_name}',
+        request_response=response)
+    return True
+  except errors.HttpError:
+    logs.error(f'Failed to set access settings for {group_name}')
+    return False
+
+
 def create_google_group(group_name: str,
                         group_display_name: str | None = None,
                         group_description: str | None = None,
@@ -84,20 +123,20 @@ def create_google_group(group_name: str,
     logs.error('No customer ID set. Unable to create a new google group.')
     return None
 
-  group_key = {"id": group_name}
+  group_key = {'id': group_name}
   group = {
-      "parent": "customers/" + customer_id,
-      "description": group_description,
-      "displayName": group_display_name,
-      "groupKey": group_key,
+      'parent': 'customers/' + customer_id,
+      'description': group_description,
+      'displayName': group_display_name,
+      'groupKey': group_key,
       # Set the label to specify creation of a Google Group.
-      "labels": {
-          "cloudidentity.googleapis.com/groups.discussion_forum": ""
+      'labels': {
+          'cloudidentity.googleapis.com/groups.discussion_forum': ''
       }
   }
   try:
     request = identity_service.groups().create(body=group)
-    request.uri += "&initialGroupConfig=WITH_INITIAL_OWNER"
+    request.uri += '&initialGroupConfig=WITH_INITIAL_OWNER'
     response = request.execute(num_retries=_FAIL_RETRIES)
     group_id = response.get('response').get('name')
     logs.info(f'Created google group {group_name}', request_response=response)
@@ -131,11 +170,11 @@ def add_member_to_group(group_id: str, member: str) -> bool:
   try:
     # Create a membership object with a role type MEMBER
     membership = {
-        "preferredMemberKey": {
-            "id": member
+        'preferredMemberKey': {
+            'id': member
         },
-        "roles": {
-            "name": "MEMBER",
+        'roles': {
+            'name': 'MEMBER',
         }
     }
     # Create a membership using the group ID and the membership object
@@ -159,9 +198,9 @@ def delete_google_group_membership(group_id: str,
     if not membership_name:
       membership_lookup_request = identity_service.groups().memberships(
       ).lookup(parent=group_id)
-      membership_lookup_request.uri += "&memberKey.id=" + member
+      membership_lookup_request.uri += '&memberKey.id=' + member
       membership_lookup_response = membership_lookup_request.execute()
-      membership_name = membership_lookup_response.get("name")
+      membership_name = membership_lookup_response.get('name')
 
     response = identity_service.groups().memberships().delete(
         name=membership_name).execute(num_retries=_FAIL_RETRIES)

src/clusterfuzz/_internal/tests/appengine/handlers/cron/oss_fuzz_cc_groups_test.py

@@ -31,6 +31,7 @@ def setUp(self):
         'clusterfuzz._internal.google_cloud_utils.google_groups.get_google_group_memberships',
         'clusterfuzz._internal.google_cloud_utils.google_groups.add_member_to_group',
         'clusterfuzz._internal.google_cloud_utils.google_groups.delete_google_group_membership',
+        'clusterfuzz._internal.google_cloud_utils.google_groups.set_oss_fuzz_access_settings',
         'clusterfuzz._internal.base.utils.is_service_account',
     ])
 
@@ -74,6 +75,26 @@ def test_main(self):
     self.mock.delete_google_group_membership.assert_called_with(
         'group2_id', '[email protected]', 'membership1')
 
+  def test_main_exec_for_new_group(self):
+    """Test main execution for a newly created group."""
+    self.mock.get_oss_fuzz_projects.return_value = [('project1', {'info': 1})]
+    self.mock.get_group_id.return_value = '1'
+    self.mock.get_google_group_memberships.return_value = {
+        '[email protected]': 'membership1'
+    }
+    self.mock.set_oss_fuzz_access_settings.return_value = True
+    self.mock.ccs_from_info.return_value = ['[email protected]']
+    self.mock.is_service_account.return_value = True
+
+    self.assertTrue(oss_fuzz_cc_groups.main())
+    self.mock.create_google_group.assert_not_called()
+    self.mock.get_group_id.assert_called_once_with('[email protected]')
+    self.mock.set_oss_fuzz_access_settings.assert_called_once_with(
+        '[email protected]')
+    self.mock.add_member_to_group.assert_called_once_with(
+        '1', '[email protected]')
+    self.mock.delete_google_group_membership.assert_not_called()
+
   def test_create_fail(self):
     """Test group creation failure."""
     self.mock.get_oss_fuzz_projects.return_value = [('project1', {})]