Group member restrictions

Jay Lee
2021-10-05 18:05:28 -04:00
parent 82b66d53cb
commit 899601569a
2 changed files with 72 additions and 10 deletions


@@ -256,6 +256,8 @@ jobs:
$gam user $gam_user sendemail recipient $newuser subject "test message $newbase" message "GHA test message" $gam user $gam_user sendemail recipient $newuser subject "test message $newbase" message "GHA test message"
$gam user $gam_user sendemail recipient exchange@pdl.jaylee.us subject "test ${tstamp}" message "test message" $gam user $gam_user sendemail recipient exchange@pdl.jaylee.us subject "test ${tstamp}" message "test message"
$gam create group $newgroup name "GHA $JID group" description "This is a description" isarchived true $gam create group $newgroup name "GHA $JID group" description "This is a description" isarchived true
$gam update cigroup $newgroup memberrestriction 'member.type == 1 || member.customer_id == groupCustomerId()'
$gam info cigroup $newgroup
$gam user $newuser add license gsuitebusiness $gam user $newuser add license gsuitebusiness
$gam update group $newgroup add owner $gam_user $gam update group $newgroup add owner $gam_user
$gam update group $newgroup add member $newuser $gam update group $newgroup add member $newuser
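Review bot: The added `update cigroup ... memberrestriction` step passes the numeric form `member.type == 1`, so the `USER`/`SERVICE_ACCOUNT`/`GROUP` alias substitution that this commit adds to `update()` is never exercised by CI. Writing the query here as `'member.type == USER || member.customer_id == groupCustomerId()'` would make a regression in that substitution show up as a failed API call. The following `info cigroup` call only prints the settings; nothing in the visible lines checks that the restriction was actually stored.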


@@ -3,7 +3,7 @@ import sys
import googleapiclient import googleapiclient
import gam import gam
from gam.var import * from gam.var import * # pylint: disable=unused-wildcard-import
from gam import controlflow from gam import controlflow
from gam import display from gam import display
from gam import gapi from gam import gapi
@@ -76,6 +76,7 @@ def info():
ci = gapi_cloudidentity.build('cloudidentity_beta') ci = gapi_cloudidentity.build('cloudidentity_beta')
group = gam.normalizeEmailAddressOrUID(sys.argv[3]) group = gam.normalizeEmailAddressOrUID(sys.argv[3])
getUsers = True getUsers = True
getSecuritySettings = True
showJoinDate = True showJoinDate = True
showUpdateDate = False showUpdateDate = False
showMemberTree = False showMemberTree = False
@@ -94,11 +95,20 @@ def info():
elif myarg == 'membertree': elif myarg == 'membertree':
showMemberTree = True showMemberTree = True
i += 1 i += 1
elif myarg in ['nosecurity', 'nosecuritysettings']:
getSecuritySettings = False
else: else:
controlflow.invalid_argument_exit(myarg, 'gam info cigroup') controlflow.invalid_argument_exit(myarg, 'gam info cigroup')
name = group_email_to_id(ci, group) name = group_email_to_id(ci, group)
basic_info = gapi.call(ci.groups(), 'get', name=name) basic_info = gapi.call(ci.groups(), 'get', name=name)
display.print_json(basic_info) display.print_json(basic_info)
if getSecuritySettings:
sec_info = gapi.call(ci.groups(),
'getSecuritySettings',
name=f'{name}/securitySettings',
readMask='*')
print(' Security settings:')
display.print_json(sec_info, spacing=' ')
if getUsers and not showMemberTree: if getUsers and not showMemberTree:
if not showJoinDate and not showUpdateDate: if not showJoinDate and not showUpdateDate:
view = 'BASIC' view = 'BASIC'
@@ -189,7 +199,13 @@ GROUP_ROLES_MAP = {
def print_(): def print_():
ci = gapi_cloudidentity.build('cloudidentity_beta') ci = gapi_cloudidentity.build('cloudidentity_beta')
i = 3 i = 3
members = membersCountOnly = managers = managersCountOnly = owners = ownersCountOnly = False members = False
membersCountOnly = False
managers = False
managersCountOnly = False
owners = False
ownersCountOnly = False
memberRestrictions = False
gapi_directory_customer.setTrueCustomerId() gapi_directory_customer.setTrueCustomerId()
parent = f'customers/{GC_Values[GC_CUSTOMER_ID]}' parent = f'customers/{GC_Values[GC_CUSTOMER_ID]}'
usemember = None usemember = None
@@ -232,6 +248,15 @@ def print_():
if myarg == 'managerscount': if myarg == 'managerscount':
managersCountOnly = True managersCountOnly = True
i += 1 i += 1
elif myarg in ['memberrestrictions']:
memberRestrictions = True
display.add_titles_to_csv_file(
['memberRestrictionQuery',],
titles)
display.add_titles_to_csv_file(
['memberRestrictionEvaluation',],
titles)
i += 1
else: else:
controlflow.invalid_argument_exit(sys.argv[i], 'gam print cigroups') controlflow.invalid_argument_exit(sys.argv[i], 'gam print cigroups')
if roles: if roles:
@@ -363,6 +388,16 @@ def print_():
group['OwnersCount'] = ownersCount group['OwnersCount'] = ownersCount
if not ownersCountOnly: if not ownersCountOnly:
group['Owners'] = memberDelimiter.join(ownersList) group['Owners'] = memberDelimiter.join(ownersList)
if memberRestrictions:
name = f'{groupKey_id}/securitySettings'
print(f'Getting member restrictions for {groupEmail} ({i}/{count}')
sec_info = gapi.call(ci.groups(),
'getSecuritySettings',
name=name,
readMask='*')
if 'memberRestriction' in sec_info:
group['memberRestrictionQuery'] = sec_info['memberRestriction'].get('query', '')
group['memberRestrictionEvaluation'] = sec_info['memberRestriction'].get('evaluation', {}).get('state', '')
csvRows.append(group) csvRows.append(group)
if sortHeaders: if sortHeaders:
display.sort_csv_titles([ display.sort_csv_titles([
@@ -808,6 +843,7 @@ def update():
else: else:
i = 4 i = 4
body = {} body = {}
sec_body = {}
while i < len(sys.argv): while i < len(sys.argv):
myarg = sys.argv[i].lower().replace('_', '') myarg = sys.argv[i].lower().replace('_', '')
if myarg == 'name': if myarg == 'name':
@@ -830,9 +866,21 @@ def update():
}] }]
} }
i += 2 i += 2
elif myarg in ['memberrestriction', 'memberrestrictions']:
query = sys.argv[i + 1]
member_types = {
'USER': '1',
'SERVICE_ACCOUNT': '2',
'GROUP': '3',
}
for key, val in member_types.items():
query = query.replace(key, val)
sec_body['memberRestriction'] = {'query': query}
i += 2
else: else:
controlflow.invalid_argument_exit(sys.argv[i], controlflow.invalid_argument_exit(sys.argv[i],
'gam update cigroup') 'gam update cigroup')
if body:
updateMask = ','.join(body.keys()) updateMask = ','.join(body.keys())
name = group_email_to_id(ci, group) name = group_email_to_id(ci, group)
print(f'Updating group {group}') print(f'Updating group {group}')
@@ -841,6 +889,18 @@ def update():
updateMask=updateMask, updateMask=updateMask,
name=name, name=name,
body=body) body=body)
if sec_body:
updateMask = 'member_restriction.query'
# it seems like a bug that API requires /securitySettings
# appended to name. We'll see if Google servers change this
# at some point.
name = f'{group_email_to_id(ci, group)}/securitySettings'
print(f'Updating group {group} security settings')
gapi.call(ci.groups(),
'updateSecuritySettings',
name=name,
updateMask=updateMask,
body=sec_body)
def group_email_to_id(ci, group, i=0, count=0): def group_email_to_id(ci, group, i=0, count=0):
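Review bot: In the `memberrestriction` branch of `update()`, `query = query.replace(key, val)` rewrites every occurrence of `USER`, `SERVICE_ACCOUNT` and `GROUP` anywhere in the expression, including inside longer identifiers or quoted values, so the restriction sent to the API can differ from the one the administrator typed. Because this query decides who may be a member of the group, I would match whole tokens only, e.g. `query = re.sub(rf'\b{key}\b', val, query)` (this needs `re` imported if the module does not already do so; the import block is only partly visible). Printing the final query next to `Updating group {group} security settings` would also make the applied policy visible in the command output. `sys.argv[i + 1]` is read without checking that a value follows the keyword, so a trailing `memberrestriction` would raise an IndexError rather than a usage message. `update()` starts and ends outside these hunks.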