Ensure that customer_id, domain and an admin email address are present for DASA (#1242)

* Ensure that customer_id, domain and an admin email address are present for DASA * Fix typos
2026-06-28 01:41:36 +00:00 · 2020-09-18 04:38:38 -07:00
parent 00582d486c
commit 597256d048
6 changed files with 51 additions and 14 deletions
--- a/src/gam/init.py
+++ b/src/gam/init.py
@@ -536,7 +536,7 @@ def SetGlobalVariables():
                      fileAbsentValue=True)
    _getOldSignalFile(GC_NO_SHORT_URLS, 'noshorturls.txt')
    _getOldSignalFile(GC_NO_UPDATE_CHECK, 'noupdatecheck.txt')
-    _getOldSignalFile(GC_ENABLE_DASA, 'enabledasa.txt')
+    _getOldSignalFile(GC_ENABLE_DASA, FN_ENABLEDASA_TXT)
    # Assign directories first
    for itemName in GC_VAR_INFO:
        if GC_VAR_INFO[itemName][GC_VAR_TYPE] == GC_TYPE_DIRECTORY:
@@ -553,9 +553,25 @@ def SetGlobalVariables():
            GC_Values[itemName] = GC_Defaults[itemName]
    GM_Globals[GM_LAST_UPDATE_CHECK_TXT] = os.path.join(
        GC_Values[GC_CONFIG_DIR], FN_LAST_UPDATE_CHECK_TXT)
+    GM_Globals[GM_ENABLEDASA_TXT] = os.path.join(
+        GC_Values[GC_CONFIG_DIR], FN_ENABLEDASA_TXT)
    if not GC_Values[GC_NO_UPDATE_CHECK]:
        doGAMCheckForUpdates()

+# domain must be set and customer_id must be set and != my_customer when enable_dasa = true
+    if GC_Values[GC_ENABLE_DASA]:
+        if not GC_Values[GC_DOMAIN]:
+            controlflow.system_error_exit(
+                3,
+                f'Environment variable GA_DOMAIN must be set when {GM_Globals[GM_ENABLEDASA_TXT]} is present'
+                )
+        if not GC_Values[GC_CUSTOMER_ID] or GC_Values[GC_CUSTOMER_ID] == MY_CUSTOMER:
+            controlflow.system_error_exit(
+                3,
+                f'Environment variable CUSTOMER_ID must be set and not equal to {MY_CUSTOMER} when {GM_Globals[GM_ENABLEDASA_TXT]} is present\n'
+                'Your customer ID can be found at admin.google.com > Account settings > Profile.'
+                )
+

 # Globals derived from config file values
    GM_Globals[GM_OAUTH2SERVICE_JSON_DATA] = None
@@ -951,7 +967,7 @@ def buildGAPIObject(api):
        GC_Values[GC_DOMAIN] = _getValueFromOAuth('hd', credentials=credentials)
        if GC_Values[GC_DOMAIN] == 'Unknown':
            GC_Values[GC_DOMAIN] = getEmailAddressDomain(
-                _getValueFromOAuth('email'))
+                _get_admin_email())
        if not GC_Values[GC_CUSTOMER_ID]:
            GC_Values[GC_CUSTOMER_ID] = MY_CUSTOMER
    return service
@@ -2877,7 +2893,7 @@ def getPermissionId(argstr):
        permissionId = f'{permissionId}@{GC_Values[GC_DOMAIN].lower()}'
    # We have to use v2 here since v3 has no permissions.getIdForEmail equivalent
    # https://code.google.com/a/google.com/p/apps-api-issues/issues/detail?id=4313
-    _, drive2 = buildDriveGAPIObject(_getValueFromOAuth('email'))
+    _, drive2 = buildDriveGAPIObject(_get_admin_email())
    return gapi.call(drive2.permissions(),
                     'getIdForEmail',
                     email=permissionId,
@@ -8487,13 +8503,24 @@ def doCreateResoldCustomer():
        f'Created customer {result["customerDomain"]} with id {result["customerId"]}'
    )

-
 def _getValueFromOAuth(field, credentials=None):
    if not credentials:
        credentials = auth.get_admin_credentials()
    return credentials.get_token_value(field)


+def _get_admin_email():
+    if GC_Values[GC_ENABLE_DASA]:
+        if not GC_Values[GC_ADMIN_EMAIL]:
+            GC_Values[GC_ADMIN_EMAIL] = os.environ.get('GA_ADMIN_EMAIL', GC_Defaults[GC_ADMIN_EMAIL])
+            if not GC_Values[GC_ADMIN_EMAIL]:
+                controlflow.system_error_exit(
+                    3,
+                    f'Environment variable GA_ADMIN_EMAIL must be set when {GM_Globals[GM_ENABLEDASA_TXT]} is present'
+                    )
+        return GC_Values[GC_ADMIN_EMAIL]
+    return _getValueFromOAuth('email')
+
 def doGetUserInfo(user_email=None):

    def user_lic_result(request_id, response, exception):
@@ -8507,7 +8534,7 @@ def doGetUserInfo(user_email=None):
            user_email = normalizeEmailAddressOrUID(sys.argv[3])
            i = 4
        else:
-            user_email = _getValueFromOAuth('email')
+            user_email = _get_admin_email()
    getSchemas = getAliases = getGroups = getLicenses = True
    projection = 'full'
    customFieldMask = viewType = None
@@ -9179,7 +9206,7 @@ def send_email(subject,
    api_body = {}
    default_sender = default_recipient = False
    if not user:
-        user = _getValueFromOAuth('email')
+        user = _get_admin_email()
    userId, gmail = buildGmailGAPIObject(user)
    if not gmail:
        return
@@ -9504,7 +9531,7 @@ def doPrintUsers():


 def doPrintShowAlerts():
-    _, ac = buildAlertCenterGAPIObject(_getValueFromOAuth('email'))
+    _, ac = buildAlertCenterGAPIObject(_get_admin_email())
    alerts = gapi.get_all_pages(ac.alerts(), 'list', 'alerts')
    titles = []
    csv_rows = []
@@ -9518,7 +9545,7 @@ def doPrintShowAlerts():


 def doPrintShowAlertFeedback():
-    _, ac = buildAlertCenterGAPIObject(_getValueFromOAuth('email'))
+    _, ac = buildAlertCenterGAPIObject(_get_admin_email())
    feedback = gapi.get_all_pages(ac.alerts().feedback(),
                                  'list',
                                  'feedback',
@@ -9528,7 +9555,7 @@ def doPrintShowAlertFeedback():


 def doCreateAlertFeedback():
-    _, ac = buildAlertCenterGAPIObject(_getValueFromOAuth('email'))
+    _, ac = buildAlertCenterGAPIObject(_get_admin_email())
    valid_types = gapi.get_enum_values_minus_unspecified(
        ac._rootDesc['schemas']['AlertFeedback']['properties']['type']['enum'])
    alertId = sys.argv[3]
@@ -9542,7 +9569,7 @@ def doCreateAlertFeedback():


 def doDeleteOrUndeleteAlert(action):
-    _, ac = buildAlertCenterGAPIObject(_getValueFromOAuth('email'))
+    _, ac = buildAlertCenterGAPIObject(_get_admin_email())
    alertId = sys.argv[3]
    kwargs = {}
    if action == 'undelete':
--- a/src/gam/display.py
+++ b/src/gam/display.py
@@ -220,7 +220,7 @@ def write_csv_file(csvRows, titles, list_type, todrive):
    except IOError as e:
        controlflow.system_error_exit(6, e)
    if todrive:
-        admin_email = gam._getValueFromOAuth('email')
+        admin_email = gam._get_admin_email()
        _, drive = gam.buildDrive3GAPIObject(admin_email)
        if not drive:
            print(f'''\nGAM is not authorized to create Drive files. Please run:
--- a/src/gam/gapi/calendar.py
+++ b/src/gam/gapi/calendar.py
@@ -37,7 +37,7 @@ def buildCalendarDataGAPIObject(calname):
    if not calname.endswith('.calendar.google.com'):
        cal = gam.buildGAPIServiceObject('calendar', calendarId, False)
    if cal is None:
-        _, cal = buildCalendarGAPIObject(gam._getValueFromOAuth('email'))
+        _, cal = buildCalendarGAPIObject(gam._get_admin_email())
    return (calendarId, cal)


--- a/src/gam/gapi/cloudidentity/init.py
+++ b/src/gam/gapi/cloudidentity/init.py
@@ -5,5 +5,5 @@ def build(api='cloudidentity'):
    return gam.buildGAPIObject(api)

 def build_dwd(api='cloudidentity'):
-    admin = gam._getValueFromOAuth('email')
+    admin = gam._get_admin_email()
    return gam.buildGAPIServiceObject(api, admin, True)
--- a/src/gam/gapi/reports.py
+++ b/src/gam/gapi/reports.py
@@ -56,7 +56,7 @@ def showUsageParameters():
        kwargs = {}
    elif report == 'user':
        endpoint = rep.userUsageReport()
-        kwargs = {'userKey': gam._getValueFromOAuth('email')}
+        kwargs = {'userKey': gam._get_admin_email()}
    else:
        controlflow.expected_argument_exit('usageparameters',
                                           ['user', 'customer'], report)
--- a/src/gam/var.py
+++ b/src/gam/var.py
@@ -37,6 +37,7 @@ ERROR_PREFIX = 'ERROR: '
 WARNING_PREFIX = 'WARNING: '
 UTF8 = 'utf-8'
 UTF8_SIG = 'utf-8-sig'
+FN_ENABLEDASA_TXT = 'enabledasa.txt'
 FN_EXTRA_ARGS_TXT = 'extra-args.txt'
 FN_LAST_UPDATE_CHECK_TXT = 'lastupdatecheck.txt'
 MY_CUSTOMER = 'my_customer'
@@ -1063,6 +1064,8 @@ GM_CURRENT_API_SCOPES = 'scoc'
 # Values retrieved from oauth2service.json
 GM_OAUTH2SERVICE_JSON_DATA = 'oajd'
 GM_OAUTH2SERVICE_ACCOUNT_CLIENT_ID = 'oaci'
+# Full path to enabledasa.txt
+GM_ENABLEDASA_TXT = 'enda'
 # File containing time of last GAM update check
 GM_LAST_UPDATE_CHECK_TXT = 'lupc'
 # Dictionary mapping OrgUnit ID to Name
@@ -1102,6 +1105,7 @@ GM_Globals = {
    GM_CURRENT_API_SCOPES: [],
    GM_OAUTH2SERVICE_JSON_DATA: None,
    GM_OAUTH2SERVICE_ACCOUNT_CLIENT_ID: None,
+    GM_ENABLEDASA_TXT: '',
    GM_LAST_UPDATE_CHECK_TXT: '',
    GM_MAP_ORGUNIT_ID_TO_NAME: None,
    GM_MAP_ROLE_ID_TO_NAME: None,
@@ -1135,6 +1139,8 @@ GC_CLIENT_SECRETS_JSON = 'client_secrets_json'
 GC_CONFIG_DIR = 'config_dir'
 # custmerId from gam.cfg or retrieved from Google
 GC_CUSTOMER_ID = 'customer_id'
+# Enable Delegated Admin Service Accounts admin user
+GC_ADMIN_EMAIL = 'admin_email'
 # If debug_level > 0: extra_args[u'prettyPrint'] = True,
 # httplib2.debuglevel = gam_debug_level, appsObj.debug = True
 GC_DEBUG_LEVEL = 'debug_level'
@@ -1188,6 +1194,7 @@ GC_CA_FILE = 'ca_file'

 TLS_MIN = 'TLSv1_2' if hasattr(ssl.SSLContext(), 'minimum_version') else None
 GC_Defaults = {
+    GC_ADMIN_EMAIL: '',
    GC_AUTO_BATCH_MIN: 0,
    GC_BATCH_SIZE: 50,
    GC_CACHE_DIR: '',
@@ -1238,6 +1245,9 @@ GC_VAR_TYPE = 'type'
 GC_VAR_LIMITS = 'lmit'

 GC_VAR_INFO = {
+    GC_ADMIN_EMAIL: {
+        GC_VAR_TYPE: GC_TYPE_STRING
+    },
    GC_AUTO_BATCH_MIN: {
        GC_VAR_TYPE: GC_TYPE_INTEGER,
        GC_VAR_LIMITS: (0, None)