Thursday, October 9, 2014

Python and Google Apps Provisioning with the Admin SDK Directory API

After wading through documentation, blog posts, and StackOverflow answers I've finally figured out a way to authenticate using OAuth 2.0. Since we didn't want to have to interactively grant "user consent" for each of our domains, this is acting as a "web server" for computer-computer interactions.

I assume that you have Python 2.7 installed (three shalt thou not use), but I'd recommend installing Anaconda to make your life easier for all of this. You'll also need to install the Google APIs Client Library for Python.

EDIT: I was finally able to get it to work with the default SignedJwtAssertionCredentials.
 as well as PyCryptoSignedJWT. To install PyCryptoSignedJWT, download and unzip, then from the command line (in the directory you unziped to) type python setup.py install in order to install.

The next step is to set up your project. Here's the documentation from here to "Set up your API":
  • Enable the API access from the Admin console in order to make requests to the Directory API. To enable the API, log in to your admin account and select Security. If you do not see Security listed, select More controls and then Security from the options shown in the gray box. Select API reference, and then select the checkbox to Enable API access. Save your changes.
  • Set up a new project in the Google APIs Console and activate Admin SDK service for this project. See the Google APIs Console Help in the upper right corner of the Console page for more information about creating your API project.




Still in the Developers Console, you'll need to create credentials for your project. Click on Credentials (under APIs) and click the button Create new Client ID and then select Service account.


Download the key file, and make a note of the private key password (which is always "notasecret"). Then click the Okay, got it button.

You'll need to make a note of the Service Account EMAIL ADDRESS that is displayed (a long string of characters ending in @developer.gserviceaccount.com) and the CLIENT ID (the same string ending with .apps.googleusercontent.com).

The next step requires you to authorize your API client to access your admin console. Assuming your're still logged in to your Super Admin account, go to Manage API client access (or go to Security, Advanced Settings, Authentication, Manage third party OAuth Client access). For the Client Name, paste in the CLIENT ID that you noted previously. In the One or More API Scopes, put in a comma-separated list of the scopes that you'll be using. For our example I'd suggest https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.directory.orgunit (you can always change this later). Then click the Authorize button.



The file you downloaded previously will be something like APIProject.p12 but we'll need to convert it to a PEM file. On a Mac or Linux machine this can be done from the command line ( openssl pkcs12 -passin pass:notasecret -in APIProject.p12 -nocerts -out APIProject.pem ), but on Windows other software is required (try Win32OpenSSL that can be downloaded from here). As a last resort for those who don't worry about security, you can convert it using this site.

So you now have a p12 key file, a Service Account Email Address, and of course your Super Admin account. You're set to start writing some code. I like the Spyder development environment that is installed with Anaconda, but feel free to just use Notepad (or Notepad++) if you're so inclined.

Here's the minimum Python code that works for me, fill in the appropriate values for yourself.


superAdmin = 'you@example.com'
serviceAccount = 'somethingorother@developer.gserviceaccount.com'
pemFile = 'APIProject.p12'
scope = 'https://www.googleapis.com/auth/admin.directory.user'

import httplib2
from apiclient.discovery import build
from oauth2client.client import SignedJwtAssertionCredentials

keyFile = file(p12File, 'rb')
key = keyFile.read()
keyFile.close()
credentials = SignedJwtAssertionCredentials(serviceAccount,
  key,
  scope,
  prn=superAdmin)

http = httplib2.Http()
httplib2.debuglevel = False #change this to True if you want to see the output
http = credentials.authorize(http=http)
directoryService = build(serviceName='admin', version='directory_v1', http=http)

# You are now authenticated, so you can say something like this:
user = directoryService.users().get(userKey = 'me@example.com')
print user.execute()



Hopefully that's enough to get you started. The documentation about what you can do with the Admin Directory API is here. just remember that some of them will require you to declare other scopes.

Friday, May 2, 2014

Automating Chromebook Enrollment with Arduino/Teensy

If you find yourself enrolling large numbers of Chromebooks on your domain, and you don't have students to help, I've written an Arduino program that can expedite the process.

Because many Arduinos (and Arduino clones such my favorite Teensy) can act as a keyboard, they can be programmed to output keystrokes (and mouse clicks) when a button is pushed. In this case a button is connected to ground and pin 2 on a Teensy that is running the following code (this is also available on GitHub).

Edit: The code on GitHub has been updated to allow two buttons using a Teensy or a Trinket, with the additional button for inputting the Wi-Fi passphrase. I've included a demo video of the new version at the bottom of this post.

String email = "example@example.com";
String password = "thisisaweakpassword";
const int enrolButton = 2;

#include <Bounce.h>
Bounce button1 = Bounce(enrolButton, 10); // 10 ms debouce

void setup() {
 pinMode(enrolButton, INPUT_PULLUP);
}

void loop() {
 button1.update();
 if(button1.fallingEdge()) {enrol();} // call the enrol function
}

void enrol() {
 Keyboard.begin();
 Keyboard.press(KEY_LEFT_CTRL);
 Keyboard.press(KEY_LEFT_ALT);
 Keyboard.press('e');
 delay(50); // wait for 50 milliseconds before releasing those keys
 Keyboard.releaseAll();
 delay(2000); // wait for 2 seconds to get the enrol screen
 Keyboard.print(email);
 Keyboard.press(KEY_TAB); //tab to get to the password field
 delay(50);
 Keyboard.releaseAll();
 Keyboard.print(password);
 Keyboard.press(KEY_ENTER);
 delay(50);
 Keyboard.releaseAll();
 Keyboard.end();
}


When you hit the button connected to ground and pin 2, this will send the keystrokes Ctrl-Alt-e and your email and password for enrolling a Chromebook. You'll still manually connect to the Wi-Fi or LAN and click Accept on the licence agreement, but you could probably figure out how to automate that with a few more lines of code here (i.e. using KEY_TAB and KEY_SPACE).

Hopefully this will save you some typing and speed up the Chromebook enrolling process. Let me know if you try this.


Minecraft on a Dell Chromebook

This is what worked on a Dell Chromebook that I tried. It will likely work on other Chromebooks but YMMV.

In order to play Minecraft or use other Java-based programs on a Chromebook, you need to install Linux. However that's not a particularly difficult process thanks to crouton.

Unfortunately it requires the Chromebook to remain in developer mode, meaning you'll need to press Ctrl-d every time you boot it up. As well, is not supported by Google (it may cause hardware, software, or security issues) and may void your warranty.

Make sure you backup/upload any files that are stored locally on your Chromebook before you begin.
  1. Enter recovery mode by holding the esc and refresh keys while you press the power button.
  2. At the recovery screen, press Ctrl-d to reboot into developer mode.
  3. Every time you boot up the Chromebook from now on, you'll need to press Ctrl-d at the "OS verification is OFF" screen. If you "Press SPACE to re-enable" then it will erase the Linux install that we are about to do.
  4. Log in to the Chromebook as usual.
  5. Download crouton from goo.gl/fd3zc.
  6. Press Ctrl-Alt-t to open crosh
  7. Type shell, press enter, and you should be at a chronos@localhost / $ prompt.
  8. To run the crouton install script, type sh -e ~/Downloads/crouton -t unity
  9. It will take a while to run the script and download the files
  10. Answer any questions that the script asks you.
  11. Once that finishes, you can start Linux by typing sudo startunity
You're now running Linux, and you can install software such as Java to run Minecraft.

  1. While still on the Linux side of your Chromebook, press Ctrl-Alt-t to open a terminal window. You should see a prompt that is something like (trusy)username@localhost:~$  where you enter the following commands
  2. sudo apt-add-repository ppa:webupd8team/java
  3. sudo apt-get update
  4. sudo apt-get install oracle-java8-installer
  5. sudo apt-get install oracle-java8-set-default
  6. Make sure you type your password that you entered when setting up Linux, and answer yes to the question about the Java licence.
You can now run Java programs in the Linux install on your Chromebook, which includes Minecraft. If you'd like to use Firefox as a browser on the Linux side, it's as simple as opening a terminal (Ctrl-Alt-t) and typing sudo apt-get install firefox You can also install other Linux games, including the Steam platform.

To start Linux after rebooting the Chromebook (always with Ctrl-d), remember Ctrl-Alt-t then shell then sudo startunity

To switch back and forth between ChromeOS and Linux, press Ctrl-Alt-Shift-Back or Ctrl-Alt-Shift-Forward. Back and forward are the arrow buttons at the top left of your keyboard.

To undo all of this and go back to just a regular Chromebook, reboot and press the spacebar to re-enable OS-verification.

Wednesday, April 9, 2014

Check if Google Apps Users Have Logged in (Google Apps Script)

If you're using Google Apps for Education (with the provisioning API enabled) and have a list of domain users that you want to check if they've logged in or not, here's a quick Spreadsheet script you can try. It queries to see if the user has agreed to the terms or not. Of course you'll need to run this from an account that has admin permissions on your domain.

function onOpen() {
  var spreadsheet = SpreadsheetApp.getActiveSpreadsheet();
  var entries = [{name : "Start Checking", functionName : "startLoop"}];
  spreadsheet.addMenu("Check Users", entries);
}

function startLoop() {
  var spreadsheet = SpreadsheetApp.getActiveSpreadsheet();
  var activeSheet = sheet.getActiveSheet();
  var maxRows = activeSheet.getMaxRows();
  var result = Browser.msgBox('This script will check ' + maxRows + ' rows worth of data from the currently selected cell.', Browser.Buttons.OK_CANCEL);
  if (result != 'cancel') {
    for (var i=0;i<maxRows;i++) {checkUser();}
  } else {Browser.msgBox('Okay, maybe some other time');}
}

function checkUser() {
  var sheet = SpreadsheetApp.getActiveSheet();
  var range = SpreadsheetApp.getActiveRange();
  var newRange =  range.offset(0, 1);
  var username = range.getValue();
  var user = UserManager.getUser(username);
  var agreedToTerms = user.getAgreedToTerms();
  newRange.setValue(agreedToTerms);
  var newSelection = range.offset(1, 0);
  newSelection.activate();
}

I'm assuming that you're somewhat familiar with Google Apps Script and using it with Spreadsheets. Let me know in the comments if you need clarification.

Tuesday, March 18, 2014

Google Apps Script: Auto-Query FortiGuard Category List

In case someone is curious, here's a little Google Apps Script I put together for querying FortiGuard's Web Filtering Service site category list from a spreadsheet. It takes a URL from the selected cell in a Google Spreadsheet, and FortiGuard's category for that URL in the cell to the right of it.

function onOpen() {
  var sheet = SpreadsheetApp.getActiveSpreadsheet();
  var menuEntries = [ {name: "pasteCategory", functionName: "pasteCategory"},
                      {name: "Say Hello", functionName: "sayHello"} ];
  sheet.addMenu("FortiGuard", menuEntries);
}

function pasteCategory() { //you can also set this to loop for the number of rows
  var sheet = SpreadsheetApp.getActiveSpreadsheet();
  var range = SpreadsheetApp.getActiveRange();
  var newRange = range.offset(0, 1); //the cell to the right
  var site = range.getValue();//from the currently selected cell
  var category = getCategory(site);
  newRange.setValue(category) //paste in the category
  var newSelection = range.offset(1, 0);
  newSelection.activate();
}

function sayHello() {
  Browser.msgBox("Hello");
}

function getCategory(site) {
  var urlToFetch = "http://www.fortiguard.com/ip_rep/index.php?data="+site
  var html = UrlFetchApp.fetch(urlToFetch).getContentText();
  var startTag = 'Category: ';
  var endTag = '</h3>';
  var startIndex = html.indexOf(startTag) + 10; // add 10 to the index to get rid of 'Category: '
  var endIndex = html.indexOf(endTag);
  var category = html.slice(startIndex,endIndex);
  return(category);
}

Wednesday, March 12, 2014

EIPS Scratch Day 2014

Today was Scratch Day in EIPS. Approximately 120 students in grades five through twelve from eight different schools met in a gym at Bev Facey for a day of computational thinking. We challenged them to participate in various activities and explore resources related to Scratch. To get an idea of what happened, check out the event website and our presentation. After the opening remarks about the importance of computational thinking and human competencies, students had time to play with Scratch and learn from experimentation, online resources, and from others around them. A number of us commented on the fact that we would see students get stuck on a problem and put up their hand, but by the time we got there another student had already helped them out.

In addition to exploratory time, though, we also had a few organized challenges. Right before lunch, catered by Bev Facey Commercial Foods, we "live-action programming" where students were challenged to "program" algorithms for another group member to complete an obstacle course. In the afternoon, mixed groups of students were challenged to create something starting with "Pico was out walking in a hay field, when something very strange happened...". Students had the opportunity to present their creative examples of stories and video games using that character and situation.

This year's event was somewhat different from last year's. The omission of points for completed challenges eliminated the competition aspect and increased student collaboration. We also had a number of technology demonstration booths hosted by Gerald Chung's students, including Raspberry PiLeap MotionKinect Party, and the very popular Oculus Rift.

It was also different this year having about half as many students as last year. This was probably because we weren't as proactive and intentional about the planning process, but some teachers also commented that they were more intentional about choosing students to attend this year. The students that came were engaged, enthusiastic, and well-behaved. While it was nice to have a smaller event, next year we may partner with some other organizations, such as DiscoverE, to have a much larger event on the University of Alberta campus.

This event wouldn't have been possible without help from Technology Services, Bev Facey staff, and the teachers and administrators that brought students to the event. Particular thanks to Gerald ChungJen FerenceAaron Tuckwood, and Peter Barron for help with organization and logistics.

We're looking forward to doing this again. Stay tuned for more posts that include reflections from students and staff that participated in EIPS Scratch Day 2014.

Tuesday, March 4, 2014

Educating for a Posthuman Society

Thanks to recommendations by Netflix and a colleague, my wife and I have started watching Suits. It's a clever show with a protagonist who's eidetic memory allows him to practice law despite having not attended law school. We've only watched a few episodes so far, but it's already clear that this character's memory skills are not enough for him to be a great lawyer.

In a similar way, I would argue that the value of education is not in filling students with facts, but rather in helping them develop the tools to synthesize meaning. Computers are very good at remembering things for us, we need to educate students to accomplish things that humans are uniquely qualified for.

Furthermore, if Ray Kurzweil and others are to be believed, life-extension technologies may soon allow us (or our consciousness) to live forever. Google's Calico project is actively working on idea. We may need to consider what attributes and skills our students, and we ourselves, may need in that sort of future. If you're interested in more about this, start with the Wikipedia articles on transhumanism and posthumanism.

We often hear about educating students for jobs that don't exist yet and the accelerating pace of change, but we're still not sure what that looks like. Will technology become some sort of benevolent babysitter for humanity?

For now, though, I trust my colleague's recommendation more than the automatic recommendations by Netflix.