Support delegated admin role assignments to groups

src/gam/gapi/calendar.py

@@ -18,9 +18,9 @@ def normalizeCalendarId(calname, checkPrimary=False):
         return calname
     if not GC_Values[GC_DOMAIN]:
         GC_Values[GC_DOMAIN] = gam._getValueFromOAuth('hd')
-    return gam.convertUIDtoEmailAddress(calname,
+    email, _ = gam.convertUIDtoEmailAddress(calname,
                                         email_types=['user', 'resource'])
-
+    return email
 
 def buildCalendarGAPIObject(calname):
     calendarId = normalizeCalendarId(calname)

src/gam/gapi/cloudidentity/groups.py

@@ -230,7 +230,7 @@ def print_():
             todrive = True
             i += 1
         elif myarg == 'enterprisemember':
-            member = gam.convertUIDtoEmailAddress(sys.argv[i + 1], email_types=['user', 'group'])
+            member, _ = gam.convertUIDtoEmailAddress(sys.argv[i + 1], email_types=['user', 'group'])
             usemember = f"member_key_id == '{member}' && 'cloudidentity.googleapis.com/groups.discussion_forum' in labels"
             i += 2
         elif myarg == 'delimiter':
@@ -501,7 +501,7 @@ def print_members():
                     )
             i += 2
         elif myarg == 'enterprisemember':
-            member = gam.convertUIDtoEmailAddress(sys.argv[i + 1], email_types=['user', 'group'])
+            member, _ = gam.convertUIDtoEmailAddress(sys.argv[i + 1], email_types=['user', 'group'])
             usemember = f"member_key_id == '{member}' && 'cloudidentity.googleapis.com/groups.discussion_forum' in labels"
             i += 2
         elif myarg in ['cigroup', 'cigroups']:
@@ -876,6 +876,13 @@ def update():
                     'cloudidentity.googleapis.com/groups.discussion_forum': ''
                 }
                 i += 1
+            elif myarg == 'locked':
+                body['labels'] = {
+                    'cloudidentity.googleapis.com/groups.locked': '',
+                    'cloudidentity.googleapis.com/groups.security': '',
+                    'cloudidentity.googleapis.com/groups.discussion_forum': ''
+                }
+                i += 1
             elif myarg == 'dynamicsecurity':
                 body['labels'] = {
                     'cloudidentity.googleapis.com/groups.dynamic': '',

src/gam/gapi/directory/roleassignments.py

@@ -16,7 +16,9 @@ NONSECURITY_GROUP_CONDITION = f'!{SECURITY_GROUP_CONDITION}'
 def create():
     cd = gapi_directory.build()
     user = gam.normalizeEmailAddressOrUID(sys.argv[3])
-    body = {'assignedTo': gam.convertEmailAddressToUID(user, cd)}
+    body = {'assignedTo': gam.convertEmailAddressToUID(sys.argv[3],
+                          cd=cd,
+                          email_type='any')}
     role = sys.argv[4]
     body['roleId'] = gapi_directory_roles.getRoleId(role)
     body['scopeType'] = sys.argv[5].upper()
@@ -70,7 +72,7 @@ def print_():
     item_fields = ['roleAssignmentId', 'roleId', 'assignedTo', 'scopeType', 'orgUnitId']
     titles = [
         'roleAssignmentId', 'roleId', 'role', 'assignedTo', 'assignedToUser',
-        'scopeType', 'orgUnitId', 'orgUnit'
+        'assignedToGroup', 'scopeType', 'orgUnitId', 'orgUnit'
     ]
     csvRows = []
     i = 3
@@ -107,7 +109,21 @@ def print_():
         admin_attrib = {}
         for key, value in list(admin.items()):
             if key == 'assignedTo':
-                admin_attrib['assignedToUser'] = gam.user_from_userid(value)
+                email_types = admin_attrib.get('assigneeType')
+                if email_types == 'user':
+                    email_field = 'assignedToUser'
+                elif email_types == 'group':
+                    email_field = 'assignedToGroup'
+                else:
+                    email_field = None
+                assignment_email, assignment_type = gam.convertUIDtoEmailAddress(f'uid:{value}', cd, email_types=['user', 'group'])
+                if not email_field and assignment_type in ['user', 'group']:
+                    if assignment_type == 'user':
+                        email_field = 'assignedToUser'
+                    else:
+                        email_field = 'assignedToGroup'
+                if email_field:
+                    admin_attrib[email_field] = assignment_email
             elif key == 'roleId':
                 admin_attrib['role'] = gapi_directory_roles.role_from_roleid(value)
             elif key == 'orgUnitId':

src/gam/gapi/drive/__init__.py

@@ -4,5 +4,5 @@ import gam
 def build(user=None):
     if not user:
         user = gam._get_admin_email()
-    userEmail = gam.convertUIDtoEmailAddress(user)
+    userEmail, _ = gam.convertUIDtoEmailAddress(user)
     return (userEmail, gam.buildGAPIServiceObject('drive3', userEmail))

src/gam/gapi/vault.py

@@ -511,7 +511,7 @@ def getHoldInfo():
         account_type = 'group' if results['corpus'] == 'GROUPS' else 'user'
         for i in range(0, len(results['accounts'])):
             uid = f'uid:{results["accounts"][i]["accountId"]}'
-            acct_email = gam.convertUIDtoEmailAddress(uid, cd, [account_type])
+            acct_email, _ = gam.convertUIDtoEmailAddress(uid, cd, [account_type])
             results['accounts'][i]['email'] = acct_email
     if 'orgUnit' in results:
         results['orgUnit']['orgUnitPath'] = gapi_directory_orgunits.info(
@@ -792,7 +792,7 @@ def getMatterInfo():
         cd = gam.buildGAPIObject('directory')
         for i in range(0, len(result['matterPermissions'])):
             uid = f'uid:{result["matterPermissions"][i]["accountId"]}'
-            user_email = gam.convertUIDtoEmailAddress(uid, cd)
+            user_email, _ = gam.convertUIDtoEmailAddress(uid, cd)
             result['matterPermissions'][i]['email'] = user_email
     display.print_json(result)