From 48ce39a6450a8f525dd0811cde863b69625191bc Mon Sep 17 00:00:00 2001
From: Jay Lee
Date: Thu, 3 Oct 2019 21:37:03 -0400
Subject: [PATCH 1/2] Custom scopes for check serviceaccount
---
 src/gam.py | 27 ++++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)
diff --git a/src/gam.py b/src/gam.py
index bbb2e28d..bcc737a5 100755
--- a/src/gam.py
+++ b/src/gam.py
@@ -1546,6 +1546,15 @@ def printPassFail(description, result):
 print(' {0:74} {1}'.format(description, result))
 def doCheckServiceAccount(users):
+ i = 5
+ check_scopes = []
+ while i < len(sys.argv):
+ myarg = sys.argv[i].lower()
+ if myarg in ['scope', 'scopes']:
+ check_scopes = sys.argv[i+1].replace(',', ' ').split()
+ i += 2
+ else:
+ systemErrorExit(3, '%s is not a valid argument for "gam user check serviceaccount"' % myarg)
 something_failed = False
 print('Computer clock status:')
 timeOffset, nicetime = getLocalGoogleTimeOffset()
@@ -1574,18 +1583,18 @@ def doCheckServiceAccount(users):
 something_failed = True
 auth_error = str(e.args[0])
 printPassFail('Authenticating...%s' % auth_error, sa_token_result)
- all_scopes = []
- for _, scopes in list(API_SCOPE_MAPPING.items()):
- for scope in scopes:
- if scope not in all_scopes:
- all_scopes.append(scope)
- all_scopes.sort()
+ if not check_scopes:
+ for _, scopes in list(API_SCOPE_MAPPING.items()):
+ for scope in scopes:
+ if scope not in check_scopes:
+ check_scopes.append(scope)
+ check_scopes.sort()
 for user in users:
 user = user.lower()
 all_scopes_pass = True
 oa2 = googleapiclient.discovery.build('oauth2', 'v1', _createHttpObj())
 print('Domain-Wide Delegation authentication as %s:' % (user))
- for scope in all_scopes:
+ for scope in check_scopes:
 # try with and without email scope
 for scopes in [[scope, USERINFO_EMAIL_SCOPE], [scope]]:
 try:
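Review bot: The `scope|scopes` branch reads `sys.argv[i+1]` without checking that a value follows, so `check serviceaccount scopes` given as the last argument dies with an IndexError traceback instead of the usage error the `else` branch produces. Guard the read first, e.g. `if i+1 >= len(sys.argv): systemErrorExit(3, 'expected a comma- or space-separated scope list after %s' % myarg)`. The parsed list is also used exactly as typed, while the fallback in the next hunk de-duplicates and sorts, so a user list with repeats probes the same scope twice; `check_scopes = sorted(set(sys.argv[i+1].replace(',', ' ').split()))` keeps both paths consistent. The rest of doCheckServiceAccount continues past this hunk.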
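Review bot: The fallback under `if not check_scopes:` keeps the old `for _, scopes in list(API_SCOPE_MAPPING.items())` loop, which materialises the items only to discard the key and then de-duplicates with a `not in` scan per scope. The same result reads as what it is in one line: `check_scopes = sorted(set().union(*API_SCOPE_MAPPING.values()))`. Since the de-duplicate/sort now runs only when no scopes were given on the command line, a comment above the `if` such as `# No scopes requested: probe every scope GAM knows about` would spare the next reader a trip back to the argument parser.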
@@ -1614,7 +1623,7 @@ def doCheckServiceAccount(users):
 return
 user_domain = user[user.find('@')+1:]
 # Tack on email scope for more accurate checking
- all_scopes.append(USERINFO_EMAIL_SCOPE)
+ check_scopes.append(USERINFO_EMAIL_SCOPE)
 scopes_failed = '''Some scopes failed! Please go to:
 https://admin.google.com/%s/AdminHome?#OGX:ManageOauthClients
@@ -1625,7 +1634,7 @@ and grant Client name:
 Access to scopes:
-%s\n''' % (user_domain, service_account, ',\n'.join(all_scopes))
+%s\n''' % (user_domain, service_account, ',\n'.join(check_scopes))
 systemErrorExit(1, scopes_failed)
 # Batch processing request_id fields
From 464482d19716c50dbdfa94a8ede64d6e315d6f01 Mon Sep 17 00:00:00 2001
From: Ross Scroggs
Date: Sat, 5 Oct 2019 08:23:17 -0700
Subject: [PATCH 2/2] Document check serviceaccount scopes argument (#1023)
---
 src/GamCommands.txt | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/GamCommands.txt b/src/GamCommands.txt
index 3dfee753..ac85d24b 100644
--- a/src/GamCommands.txt
+++ b/src/GamCommands.txt
@@ -140,6 +140,7 @@ If an item contains spaces, it should be surrounded by ".
 ::=
 ::= [user:]|group:|domain[:]|default
+ ::=
 ::=
 ::= |id:
 ::= editor|freebusy|freebusyreader|owner|reader|writer
@@ -552,6 +553,7 @@ Items, separated by spaces, with spaces, commas or single quotes in the items th
 "'it em' 'it,em' \"it'em\""
 ::= "(,)*"
+ ::= "(,)*"
 ::= "(,)*"
 ::= "(,)*"
 ::= "(,)*"
@@ -839,7 +841,7 @@ gam oauth|oauth2 delete|revoke
 gam oauth|oauth2 info|verify [accesstoken ] [idtoken ] [showsecret]
 gam oauth|oauth2 refresh
-gam check serviceaccount
+gam check serviceaccount [scope|scopes ]
 gam whatis
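Review bot: `check_scopes.append(USERINFO_EMAIL_SCOPE)` now appends to a list that may have come straight from the command line, so a caller who already listed the email scope sees it twice in the grant instructions printed below; `if USERINFO_EMAIL_SCOPE not in check_scopes:` in front of the append avoids the duplicate. Whether the default list built from API_SCOPE_MAPPING can already contain that scope is not visible here. The enclosing doCheckServiceAccount starts before this hunk.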