Fixed bug in gam print|show admins

Ross Scroggs
2025-10-03 07:27:31 -07:00
parent 20e226e57d
commit 5ae25495f7
3 changed files with 37 additions and 25 deletions


@@ -1553,6 +1553,9 @@ gam create|add admin <EmailAddress>|<UniqueID> <RoleItem> customer|(org_unit <Or
[condition securitygroup|nonsecuritygroup] [condition securitygroup|nonsecuritygroup]
gam delete admin <RoleAssignmentId> gam delete admin <RoleAssignmentId>
<AdminAssigneeType> ::= group|user|serviceaccount|unknown
<AdminAssigneeTypeList> ::= "<AdminAssigneeType>(,<AdminAssigneeType>)*"
gam print admins [todrive <ToDriveAttribute>*] gam print admins [todrive <ToDriveAttribute>*]
[user|group <EmailAddress>|<UniqueID>] [role <RoleItem>] [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>]
[types <AdminAssigneeTypeList>] [types <AdminAssigneeTypeList>]


@@ -1,3 +1,8 @@
7.23.07
Fixed bug in `gam print|show admins` where all admin assignments were not displayed when
`types <AdminAssigneeTypeList>` was not specified, i.e., all assignments should be displayed.
7.23.06 7.23.06
Added option `types <AdminAssigneeTypeList>` to `gam print|show admins` that allows filtering Added option `types <AdminAssigneeTypeList>` to `gam print|show admins` that allows filtering


@@ -25,7 +25,7 @@ https://github.com/GAM-team/GAM/wiki
""" """
__author__ = 'GAM Team <google-apps-manager@googlegroups.com>' __author__ = 'GAM Team <google-apps-manager@googlegroups.com>'
__version__ = '7.23.06' __version__ = '7.23.07'
__license__ = 'Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0)' __license__ = 'Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0)'
#pylint: disable=wrong-import-position #pylint: disable=wrong-import-position
@@ -16998,22 +16998,11 @@ ADMIN_ASSIGNEE_TYPE_TO_ASSIGNEDTO_FIELD_MAP = {
} }
ALL_ASSIGNEE_TYPES = ['user', 'group', 'serviceaccount'] ALL_ASSIGNEE_TYPES = ['user', 'group', 'serviceaccount']
PRINT_ADMIN_FIELDS = ['roleAssignmentId', 'roleId', 'assignedTo', 'scopeType', 'orgUnitId', 'assigneeType'] PRINT_ADMIN_FIELDS = ['roleAssignmentId', 'roleId', 'assignedTo', 'scopeType', 'orgUnitId']
PRINT_ADMIN_TITLES = ['roleAssignmentId', 'roleId', 'role', PRINT_ADMIN_TITLES = ['roleAssignmentId', 'roleId', 'role',
'assignedTo', 'assignedToUser', 'assignedToGroup', 'assignedToServiceAccount', 'assignedToUnknown', 'assignedTo', 'assignedToUser', 'assignedToGroup', 'assignedToServiceAccount', 'assignedToUnknown',
'scopeType', 'orgUnitId', 'orgUnit'] 'scopeType', 'orgUnitId', 'orgUnit']
def getAssigneeTypes(myarg, typesSet):
if myarg in {'type', 'types'}:
for gtype in getString(Cmd.OB_ADMIN_ASSIGNEE_TYPE_LIST).lower().replace(',', ' ').split():
if gtype in ADMIN_ASSIGNEE_TYPE_TO_ASSIGNEDTO_FIELD_MAP:
typesSet.add(ADMIN_ASSIGNEE_TYPE_TO_ASSIGNEDTO_FIELD_MAP[gtype])
else:
invalidChoiceExit(gtype, ADMIN_ASSIGNEE_TYPE_TO_ASSIGNEDTO_FIELD_MAP, True)
else:
return False
return True
# gam print admins [todrive <ToDriveAttribute>*] # gam print admins [todrive <ToDriveAttribute>*]
# [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>] # [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>]
# [types <AdminAssigneeTypeList>] # [types <AdminAssigneeTypeList>]
@@ -17023,6 +17012,17 @@ def getAssigneeTypes(myarg, typesSet):
# [types <AdminAssigneeTypeList>] # [types <AdminAssigneeTypeList>]
# [recursive] [condition] [privileges] # [recursive] [condition] [privileges]
def doPrintShowAdmins(): def doPrintShowAdmins():
def _getAssigneeTypes(myarg):
if myarg in {'type', 'types'}:
for gtype in getString(Cmd.OB_ADMIN_ASSIGNEE_TYPE_LIST).lower().replace(',', ' ').split():
if gtype in ADMIN_ASSIGNEE_TYPE_TO_ASSIGNEDTO_FIELD_MAP:
typesSet.add(ADMIN_ASSIGNEE_TYPE_TO_ASSIGNEDTO_FIELD_MAP[gtype])
else:
invalidChoiceExit(gtype, ADMIN_ASSIGNEE_TYPE_TO_ASSIGNEDTO_FIELD_MAP, True)
else:
return False
return True
def _getPrivileges(admin): def _getPrivileges(admin):
if showPrivileges: if showPrivileges:
roleId = admin['roleId'] roleId = admin['roleId']
@@ -17048,9 +17048,10 @@ def doPrintShowAdmins():
def _setNamesFromIds(admin, privileges): def _setNamesFromIds(admin, privileges):
admin['role'] = role_from_roleid(admin['roleId']) admin['role'] = role_from_roleid(admin['roleId'])
assignedTo = admin['assignedTo'] assignedTo = admin['assignedTo']
admin['assignedToUnknown'] = False
if assignedTo not in assignedToIdEmailMap: if assignedTo not in assignedToIdEmailMap:
assigneeEmail, assigneeType = convertUIDtoEmailAddressWithType(f'uid:{assignedTo}', cd, sal, emailTypes = ALL_ASSIGNEE_TYPES if admin.get('assigneeType', '') != 'group' else ['group']
emailTypes=ALL_ASSIGNEE_TYPES if admin.get('assigneeType') != 'group' else ['group']) assigneeEmail, assigneeType = convertUIDtoEmailAddressWithType(f'uid:{assignedTo}', cd, sal, emailTypes=emailTypes)
if assigneeType in ADMIN_ASSIGNEE_TYPE_TO_ASSIGNEDTO_FIELD_MAP: if assigneeType in ADMIN_ASSIGNEE_TYPE_TO_ASSIGNEDTO_FIELD_MAP:
assignedToField = ADMIN_ASSIGNEE_TYPE_TO_ASSIGNEDTO_FIELD_MAP[assigneeType] assignedToField = ADMIN_ASSIGNEE_TYPE_TO_ASSIGNEDTO_FIELD_MAP[assigneeType]
else: else:
@@ -17069,17 +17070,21 @@ def doPrintShowAdmins():
admin['condition'] = 'securitygroup' admin['condition'] = 'securitygroup'
elif admin['condition'] == NONSECURITY_GROUP_CONDITION: elif admin['condition'] == NONSECURITY_GROUP_CONDITION:
admin['condition'] = 'nonsecuritygroup' admin['condition'] = 'nonsecuritygroup'
if debug:
print('******', admin['assignedTo'], admin.get('assigneeType', 'no type'),
admin['assignedToField'], not typesSet or admin['assignedToField'] in typesSet)
return not typesSet or admin['assignedToField'] in typesSet
cd = buildGAPIObject(API.DIRECTORY) cd = buildGAPIObject(API.DIRECTORY)
sal = buildGAPIObject(API.SERVICEACCOUNTLOOKUP) sal = buildGAPIObject(API.SERVICEACCOUNTLOOKUP)
csvPF = CSVPrintFile(PRINT_ADMIN_TITLES) if Act.csvFormat() else None csvPF = CSVPrintFile(PRINT_ADMIN_TITLES) if Act.csvFormat() else None
roleId = None roleId = None
userKey = None userKey = None
oneItemPerRow = recursive = showPrivileges = False debug = oneItemPerRow = recursive = showPrivileges = False
typesSet = set() typesSet = set()
kwargs = {} kwargs = {}
rolePrivileges = {} rolePrivileges = {}
fieldsList = PRINT_ADMIN_FIELDS fieldsList = PRINT_ADMIN_FIELDS+['assigneeType']
assignedToIdEmailMap = {} assignedToIdEmailMap = {}
while Cmd.ArgumentsRemaining(): while Cmd.ArgumentsRemaining():
myarg = getArgument() myarg = getArgument()
@@ -17089,7 +17094,7 @@ def doPrintShowAdmins():
userKey = kwargs['userKey'] = getEmailAddress() userKey = kwargs['userKey'] = getEmailAddress()
elif myarg == 'role': elif myarg == 'role':
_, roleId = getRoleId() _, roleId = getRoleId()
elif getAssigneeTypes(myarg, typesSet): elif _getAssigneeTypes(myarg):
pass pass
elif myarg == 'recursive': elif myarg == 'recursive':
recursive = True recursive = True
@@ -17108,13 +17113,13 @@ def doPrintShowAdmins():
showPrivileges = True showPrivileges = True
elif myarg == 'oneitemperrow': elif myarg == 'oneitemperrow':
oneItemPerRow = True oneItemPerRow = True
elif myarg == 'debug':
debug = True
else: else:
unknownArgumentExit() unknownArgumentExit()
if roleId and not kwargs: if roleId and not kwargs:
kwargs['roleId'] = roleId kwargs['roleId'] = roleId
roleId = None roleId = None
if not typesSet:
typesSet = set(ADMIN_ASSIGNEE_TYPE_TO_ASSIGNEDTO_FIELD_MAP.values())
fields = getItemFieldsFromFieldsList('items', fieldsList) fields = getItemFieldsFromFieldsList('items', fieldsList)
printGettingAllAccountEntities(Ent.ADMIN_ROLE_ASSIGNMENT) printGettingAllAccountEntities(Ent.ADMIN_ROLE_ASSIGNMENT)
try: try:
@@ -17147,8 +17152,7 @@ def doPrintShowAdmins():
continue continue
assignedTo = admin['assignedTo'] assignedTo = admin['assignedTo']
if admin['assigneeType'] != 'group' or not recursive: if admin['assigneeType'] != 'group' or not recursive:
_setNamesFromIds(admin, _getPrivileges(admin)) if _setNamesFromIds(admin, _getPrivileges(admin)):
if admin['assignedToField'] in typesSet:
expandedAdmins.append(admin) expandedAdmins.append(admin)
continue continue
if assignedTo not in groupMembers: if assignedTo not in groupMembers:
@@ -17158,8 +17162,7 @@ def doPrintShowAdmins():
getGroupMembers(cd, assignedTo, allGroupRoles, membersList, membersSet, i, count, getGroupMembers(cd, assignedTo, allGroupRoles, membersList, membersSet, i, count,
memberOptions, memberDisplayOptions, level, {Ent.TYPE_USER}) memberOptions, memberDisplayOptions, level, {Ent.TYPE_USER})
groupMembers[assignedTo] = membersList[:] groupMembers[assignedTo] = membersList[:]
_setNamesFromIds(admin, _getPrivileges(admin)) if not _setNamesFromIds(admin, _getPrivileges(admin)):
if admin[assignedToIdEmailMap[assignedTo]['assignedToField']] not in typesSet:
continue continue
expandedAdmins.append(admin) expandedAdmins.append(admin)
if not groupMembers[assignedTo]: if not groupMembers[assignedTo]:
@@ -17184,7 +17187,7 @@ def doPrintShowAdmins():
Ind.Increment() Ind.Increment()
for field in PRINT_ADMIN_TITLES: for field in PRINT_ADMIN_TITLES:
if field in admin: if field in admin:
if field == 'roleAssignmentId': if (field == 'roleAssignmentId') or (field == 'assignedToUnknown' and not admin[field]):
continue continue
printKeyValueList([field, admin[field]]) printKeyValueList([field, admin[field]])
if showPrivileges: if showPrivileges:
@@ -17199,6 +17202,7 @@ def doPrintShowAdmins():
Ind.Decrement() Ind.Decrement()
else: else:
for admin in expandedAdmins: for admin in expandedAdmins:
admin.pop('assigneeType', None)
admin.pop('assignedToField') admin.pop('assignedToField')
if not oneItemPerRow or 'rolePrivileges' not in admin: if not oneItemPerRow or 'rolePrivileges' not in admin:
csvPF.WriteRowTitles(flattenJSON(admin)) csvPF.WriteRowTitles(flattenJSON(admin))
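Review bot: The unchanged test `if admin['assigneeType'] != 'group' or not recursive:` in the hunk at -17147 still indexes `assigneeType` directly, while every line this commit adds treats the field as optional (`admin.get('assigneeType', '')` in `_setNamesFromIds`, `admin.get('assigneeType', 'no type')` in the debug print, `admin.pop('assigneeType', None)` before the CSV write). If a role assignment can be returned without that field, the loop would raise KeyError and the admin listing would stop part-way, which matters for a command used to audit who holds admin roles; the check should read `if admin.get('assigneeType', '') != 'group' or not recursive:`. Separately, the new `debug` option in the hunk at -17069 writes with a bare `print` to stdout, where it would presumably share a stream with redirected CSV output, and it is missing from the syntax comment above `doPrintShowAdmins`; sending it to stderr and adding `[debug]` to that comment would keep the audit output clean. The body of `doPrintShowAdmins` extends beyond the visible hunks, so the cached-lookup branch that sets `admin['assignedToField']` could not be checked here.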