3

I need to get some admin users using google apps gmail the ability to monitor their employees email. Have you used Google's Audit API to do this.

I wish there there was a way for the admins to just click a view my users email but that doesn't be the case.

If it matters the application is a rails app. The email is completely done on googles mail through google apps. Anyone that has done this any advice would be helpful.

Update! 500 points for this one!

I'm using ruby on rails hosting an app on heroku. The email is completely hosted with google apps standard, not business so we will have to upgrade, and the DNS is with zerigo which you already know if you use heroku.

Community
  • 1
  • 1
thenengah
  • 42,557
  • 33
  • 113
  • 157

1 Answers1

8

Well, I hadn't planned on extending the gdata-ruby-util gem :), but here's some code that could be used for the Google Audit API based on Google's documentation. I only wrote a create_monitor_on method, but the rest are pretty easy to get.

Let me know if it works or needs any rewrites and I'll update it here:

    class Audit < GData::Client::Base

      attr_accessor :store_at

      def initialize(options = {})
        options[:clientlogin_service] ||= 'apps'
        options[:authsub_scope] ||= 'https://apps-apis.google.com/a/feeds/compliance/audit/' 
        super(options)
      end

      def create_monitor_on(email_address)
        user_name, domain_name = email_address.split('@')
        entry = <<-EOF
        <atom:entry xmlns:atom='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
        <apps:property name='destUserName' value='#{@store_at}'/>
        <apps:property name='beginDate' value=''/>
        <apps:property name='endDate' value='2019-06-30 23:20'/>
        <apps:property name='incomingEmailMonitorLevel' value='FULL_MESSAGE'/>
        <apps:property name='outgoingEmailMonitorLevel' value='FULL_MESSAGE'/>
        <apps:property name='draftMonitorLevel' value='FULL_MESSAGE'/>
        <apps:property name='chatMonitorLevel' value='FULL_MESSAGE'/>
        </atom:entry>
        EOF

        return true if post('https://apps-apis.google.com/a/feeds/compliance/audit/mail/monitor/'+domain_name+'/'+user_name, entry).status_code == 201
        false
      end   
   end

Then use it elsewhere like this:

auditor = Audit.new
auditor.store_at = 'this-username'
auditor.clientlogin(username, password)
render :success if auditor.create_monitor_on('email-address@my-domain.com')

My suggestion is to create one core email address that all the email monitors are sent to, so your admins' inboxes aren't slammed with everyone else's mail. Then in your Rails app, use Net::IMAP to download the messages you want from that master email account. i.e., you can create a link that says "View Joe's Email" and the method does something like this:

require 'net/imap'

imap = Net::IMAP.new('imap.gmail.com', 993, true)
imap.login('this-username@my-domain.com', password)
imap.select('INBOX')

messages = []
imap.search(["TO", "joe@email.com").each do |msg_id|
  msg = imap.fetch(msg_id, "(UID RFC822.SIZE ENVELOPE BODY[TEXT])")[0]
  body = msg.attr["BODY[TEXT]"]
  env = imap.fetch(msg_id, "ENVELOPE")[0].attr["ENVELOPE"]
  messages << {:subject => env.subject, :from => env.from[0].name, :body => body }
end

imap.logout
imap.disconnect

Then you can put those messages in your view -- or send them all in one bulk email, or whatever you want to do.

Kelly
  • 40,173
  • 4
  • 42
  • 51
  • for 500pts you should make me a custom gem; jk! Thanks for this and I will check it out. – thenengah Mar 27 '11 at 22:58
  • Haha, well I'm interested in this idea. Let me know if that gist I added above is useful at all. – Kelly Mar 28 '11 at 00:32
  • @Sam Sorry for all the rewrites, I think the code above might be more useful now. – Kelly Mar 28 '11 at 01:14
  • You put a lot of work in on this one. Thanks a lot. I'm gonna get started on this Monday night and we will see how it goes! – thenengah Mar 28 '11 at 02:36
  • So your code did prove to be helpful. I'm on the last leg of this just waiting for the google apps and audit api upgrades. I will post what I actually did which for creating monitors pretty much comes from you +1 – thenengah Mar 30 '11 at 00:32
  • I'm surprised Ruby doesn't already have a versatile gem for interacting with Google like PHP does -- hopefully we are on our way to it. – Kelly Apr 02 '11 at 17:45
  • Its does. It's called gdata. Its a combination of authenticating a user and passing the params to the audit api. It's also got some business concerns because you can only do this with the audit api which needs the upgrade to the business edition etc... – thenengah Apr 03 '11 at 18:30
  • That's what my code uses, the gdata gem, but it doesn't provide the same kind of ease-of-use that the PHP library does. gdata provides basic authentication and basic setup to the different APIs, but it doesn't handle the actual logic of things like handling the actual API calls. It's an intro-level gem rather than a more complete library. – Kelly Apr 03 '11 at 20:50
  • Too bad 250 bounty went down the drain :) – Kelly Apr 03 '11 at 20:51
  • Hey it's no problem, I was confused myself -- apparently if you don't specifically select someone for the bounty, it just applies half of it to the highest answer after it expires. – Kelly Apr 04 '11 at 12:20
  • damn. well 250 ain't bad but sorry for the mistake. Thanks for your help. – thenengah Apr 04 '11 at 17:55
  • Hmm, can you trace it to see if it's on the authentication or the create_monitor_on? – Kelly Apr 06 '11 at 04:47
  • It authenticates. It's the syntax of the url. The google api says that there is the 'ability' to have a public key. Doesn't say it is necessary. – thenengah Apr 06 '11 at 16:22
  • i noticed the URL for the create-monitor method was incorrect... i forgot the `mail/monitor` part. I updated the code for it. – Kelly Apr 07 '11 at 03:37
  • Thanks so fn much for your help!!! Where are you getting your info? I have been using googles audit api code and it says that a public key is optional but then they say it is the cause of many errors so its crazy stuff to me! – thenengah Apr 07 '11 at 04:31
  • yeah, dealing with Google can be a handful sometimes -- most of the information i've found on the audit api comes from [here](http://code.google.com/googleapps/domain/audit/docs/1.0/audit_developers_guide_protocol.html), i don't know if that's where you'd found it too – Kelly Apr 07 '11 at 16:30
  • I'm using gdata to send the headers which pretty much does the same thing as your code. google has a public key. Is the necessary or optional? – thenengah Apr 07 '11 at 17:56