Added option recursive to gam print|show admins
@@ -1552,10 +1552,11 @@ gam create|add admin <EmailAddress>|<UniqueID> <RoleItem> customer|(org_unit <Or
|
|||||||
gam delete admin <RoleAssignmentId>
|
gam delete admin <RoleAssignmentId>
|
||||||
|
|
||||||
gam print admins [todrive <ToDriveAttribute>*]
|
gam print admins [todrive <ToDriveAttribute>*]
|
||||||
[user|group <EmailAddress>|<UniqueID>] [role <RoleItem>] [condition]
|
[user|group <EmailAddress>|<UniqueID>] [role <RoleItem>]
|
||||||
[privileges] [oneitemperrow]
|
[recursive] [condition] [privileges] [oneitemperrow]
|
||||||
gam show admins
|
gam show admins
|
||||||
[user|group <EmailAddress>|<UniqueID>] [role <RoleItem>] [condition] [privileges]
|
[user|group <EmailAddress>|<UniqueID>] [role <RoleItem>]
|
||||||
|
[recursive] [condition] [privileges]
|
||||||
|
|
||||||
# Alert Center
|
# Alert Center
|
||||||
|
|
||||||
|
|||||||
@@ -1,3 +1,8 @@
|
|||||||
|
7.23.05
|
||||||
|
|
||||||
|
Added option `recursive` to `gam print|show admins` that will display assignments to the members
|
||||||
|
of security groups assigned to roles; the security group membershop is recursively expanded.
|
||||||
|
|
||||||
7.23.04
|
7.23.04
|
||||||
|
|
||||||
Added option `addcsvdata <FieldName> <String>` to `gam <UserTypeEntity> print events`
|
Added option `addcsvdata <FieldName> <String>` to `gam <UserTypeEntity> print events`
|
||||||
|
|||||||
@@ -25,7 +25,7 @@ https://github.com/GAM-team/GAM/wiki
|
|||||||
"""
|
"""
|
||||||
|
|
||||||
__author__ = 'GAM Team <google-apps-manager@googlegroups.com>'
|
__author__ = 'GAM Team <google-apps-manager@googlegroups.com>'
|
||||||
__version__ = '7.23.04'
|
__version__ = '7.23.05'
|
||||||
__license__ = 'Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0)'
|
__license__ = 'Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0)'
|
||||||
|
|
||||||
#pylint: disable=wrong-import-position
|
#pylint: disable=wrong-import-position
|
||||||
@@ -16995,16 +16995,17 @@ ASSIGNEE_EMAILTYPE_TOFIELD_MAP = {
|
|||||||
'group': 'assignedToGroup',
|
'group': 'assignedToGroup',
|
||||||
'serviceaccount': 'assignedToServiceAccount',
|
'serviceaccount': 'assignedToServiceAccount',
|
||||||
}
|
}
|
||||||
PRINT_ADMIN_FIELDS = ['roleAssignmentId', 'roleId', 'assignedTo', 'scopeType', 'orgUnitId']
|
PRINT_ADMIN_FIELDS = ['roleAssignmentId', 'roleId', 'assignedTo', 'scopeType', 'orgUnitId', 'assigneeType']
|
||||||
PRINT_ADMIN_TITLES = ['roleAssignmentId', 'roleId', 'role',
|
PRINT_ADMIN_TITLES = ['roleAssignmentId', 'roleId', 'role',
|
||||||
'assignedTo', 'assignedToUser', 'assignedToGroup', 'assignedToServiceAccount', 'assignedToUnknown',
|
'assignedTo', 'assignedToUser', 'assignedToGroup', 'assignedToServiceAccount', 'assignedToUnknown',
|
||||||
'scopeType', 'orgUnitId', 'orgUnit']
|
'scopeType', 'orgUnitId', 'orgUnit']
|
||||||
|
|
||||||
# gam print admins [todrive <ToDriveAttribute>*]
|
# gam print admins [todrive <ToDriveAttribute>*]
|
||||||
# [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>] [condition]
|
# [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>]
|
||||||
# [privileges] [oneitemperrow]
|
# [recursive] [condition] [privileges] [oneitemperrow]
|
||||||
# gam show admins
|
# gam show admins
|
||||||
# [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>] [condition] [privileges]
|
# [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>]
|
||||||
|
# [recursive] [condition] [privileges]
|
||||||
def doPrintShowAdmins():
|
def doPrintShowAdmins():
|
||||||
def _getPrivileges(admin):
|
def _getPrivileges(admin):
|
||||||
if showPrivileges:
|
if showPrivileges:
|
||||||
@@ -17031,15 +17032,12 @@ def doPrintShowAdmins():
|
|||||||
def _setNamesFromIds(admin, privileges):
|
def _setNamesFromIds(admin, privileges):
|
||||||
admin['role'] = role_from_roleid(admin['roleId'])
|
admin['role'] = role_from_roleid(admin['roleId'])
|
||||||
assignedTo = admin['assignedTo']
|
assignedTo = admin['assignedTo']
|
||||||
admin['assignedToUnknown'] = False
|
|
||||||
if assignedTo not in assignedToIdEmailMap:
|
if assignedTo not in assignedToIdEmailMap:
|
||||||
assigneeType = admin.get('assigneeType')
|
|
||||||
assignedToField = ASSIGNEE_EMAILTYPE_TOFIELD_MAP.get(assigneeType, None)
|
|
||||||
assigneeEmail, assigneeType = convertUIDtoEmailAddressWithType(f'uid:{assignedTo}', cd, sal,
|
assigneeEmail, assigneeType = convertUIDtoEmailAddressWithType(f'uid:{assignedTo}', cd, sal,
|
||||||
emailTypes=list(ASSIGNEE_EMAILTYPE_TOFIELD_MAP.keys()))
|
emailTypes=allAssigneeTypes if admin.get('assigneeType') != 'group' else ['group'])
|
||||||
if not assignedToField and assigneeType in ASSIGNEE_EMAILTYPE_TOFIELD_MAP:
|
if assigneeType in ASSIGNEE_EMAILTYPE_TOFIELD_MAP:
|
||||||
assignedToField = ASSIGNEE_EMAILTYPE_TOFIELD_MAP[assigneeType]
|
assignedToField = ASSIGNEE_EMAILTYPE_TOFIELD_MAP[assigneeType]
|
||||||
if assigneeType == 'unknown':
|
else:
|
||||||
assignedToField = 'assignedToUnknown'
|
assignedToField = 'assignedToUnknown'
|
||||||
assigneeEmail = True
|
assigneeEmail = True
|
||||||
assignedToIdEmailMap[assignedTo] = {'assignedToField': assignedToField, 'assigneeEmail': assigneeEmail}
|
assignedToIdEmailMap[assignedTo] = {'assignedToField': assignedToField, 'assigneeEmail': assigneeEmail}
|
||||||
@@ -17059,11 +17057,12 @@ def doPrintShowAdmins():
|
|||||||
csvPF = CSVPrintFile(PRINT_ADMIN_TITLES) if Act.csvFormat() else None
|
csvPF = CSVPrintFile(PRINT_ADMIN_TITLES) if Act.csvFormat() else None
|
||||||
roleId = None
|
roleId = None
|
||||||
userKey = None
|
userKey = None
|
||||||
oneItemPerRow = showPrivileges = False
|
oneItemPerRow = recursive = showPrivileges = False
|
||||||
kwargs = {}
|
kwargs = {}
|
||||||
rolePrivileges = {}
|
rolePrivileges = {}
|
||||||
fieldsList = PRINT_ADMIN_FIELDS
|
fieldsList = PRINT_ADMIN_FIELDS
|
||||||
assignedToIdEmailMap = {}
|
assignedToIdEmailMap = {}
|
||||||
|
allAssigneeTypes = list(ASSIGNEE_EMAILTYPE_TOFIELD_MAP.keys())
|
||||||
while Cmd.ArgumentsRemaining():
|
while Cmd.ArgumentsRemaining():
|
||||||
myarg = getArgument()
|
myarg = getArgument()
|
||||||
if csvPF and myarg == 'todrive':
|
if csvPF and myarg == 'todrive':
|
||||||
@@ -17072,6 +17071,15 @@ def doPrintShowAdmins():
|
|||||||
userKey = kwargs['userKey'] = getEmailAddress()
|
userKey = kwargs['userKey'] = getEmailAddress()
|
||||||
elif myarg == 'role':
|
elif myarg == 'role':
|
||||||
_, roleId = getRoleId()
|
_, roleId = getRoleId()
|
||||||
|
elif myarg == 'recursive':
|
||||||
|
recursive = True
|
||||||
|
allGroupRoles = ','.join(sorted(ALL_GROUP_ROLES))
|
||||||
|
memberOptions = initMemberOptions()
|
||||||
|
memberOptions[MEMBEROPTION_INCLUDEDERIVEDMEMBERSHIP] = True
|
||||||
|
memberOptions[MEMBEROPTION_DISPLAYMATCH] = False
|
||||||
|
memberDisplayOptions = initIPSGMGroupMemberDisplayOptions()
|
||||||
|
for role in [Ent.ROLE_MEMBER, Ent.ROLE_MANAGER, Ent.ROLE_OWNER]:
|
||||||
|
memberDisplayOptions[role]['show'] = True
|
||||||
elif myarg == 'condition':
|
elif myarg == 'condition':
|
||||||
fieldsList.append('condition')
|
fieldsList.append('condition')
|
||||||
if csvPF:
|
if csvPF:
|
||||||
@@ -17091,7 +17099,7 @@ def doPrintShowAdmins():
|
|||||||
admins = callGAPIpages(cd.roleAssignments(), 'list', 'items',
|
admins = callGAPIpages(cd.roleAssignments(), 'list', 'items',
|
||||||
pageMessage=getPageMessage(),
|
pageMessage=getPageMessage(),
|
||||||
throwReasons=[GAPI.INVALID, GAPI.USER_NOT_FOUND,
|
throwReasons=[GAPI.INVALID, GAPI.USER_NOT_FOUND,
|
||||||
GAPI.FORBIDDEN, GAPI.SERVICE_NOT_AVAILABLE,
|
GAPI.NOT_FOUND, GAPI.FORBIDDEN, GAPI.SERVICE_NOT_AVAILABLE,
|
||||||
GAPI.BAD_REQUEST, GAPI.CUSTOMER_NOT_FOUND,
|
GAPI.BAD_REQUEST, GAPI.CUSTOMER_NOT_FOUND,
|
||||||
GAPI.FORBIDDEN, GAPI.PERMISSION_DENIED],
|
GAPI.FORBIDDEN, GAPI.PERMISSION_DENIED],
|
||||||
retryReasons=GAPI.SERVICE_NOT_AVAILABLE_RETRY_REASONS,
|
retryReasons=GAPI.SERVICE_NOT_AVAILABLE_RETRY_REASONS,
|
||||||
@@ -17099,39 +17107,72 @@ def doPrintShowAdmins():
|
|||||||
except (GAPI.invalid, GAPI.userNotFound):
|
except (GAPI.invalid, GAPI.userNotFound):
|
||||||
entityUnknownWarning(Ent.ADMINISTRATOR, userKey)
|
entityUnknownWarning(Ent.ADMINISTRATOR, userKey)
|
||||||
return
|
return
|
||||||
except (GAPI.serviceNotAvailable) as e:
|
except GAPI.notFound as e:
|
||||||
entityActionFailedExit([Ent.ADMINISTRATOR, userKey, Ent.ADMIN_ROLE, roleId], str(e))
|
entityActionFailedExit([Ent.ADMIN_ROLE, kwargs['roleId']], str(e))
|
||||||
|
except (GAPI.forbidden, GAPI.serviceNotAvailable) as e:
|
||||||
|
entityActionFailedExit([Ent.ADMINISTRATOR, userKey], str(e))
|
||||||
except (GAPI.badRequest, GAPI.customerNotFound):
|
except (GAPI.badRequest, GAPI.customerNotFound):
|
||||||
accessErrorExit(cd)
|
accessErrorExit(cd)
|
||||||
except (GAPI.forbidden, GAPI.permissionDenied) as e:
|
except (GAPI.forbidden, GAPI.permissionDenied) as e:
|
||||||
ClientAPIAccessDeniedExit(str(e))
|
ClientAPIAccessDeniedExit(str(e))
|
||||||
if not csvPF:
|
|
||||||
count = len(admins)
|
count = len(admins)
|
||||||
performActionNumItems(count, Ent.ADMIN_ROLE_ASSIGNMENT)
|
groupMembers = {}
|
||||||
Ind.Increment()
|
expandedAdmins = []
|
||||||
i = 0
|
i = 0
|
||||||
for admin in admins:
|
for admin in admins:
|
||||||
i += 1
|
i += 1
|
||||||
if roleId and roleId != admin['roleId']:
|
if roleId and roleId != admin['roleId']:
|
||||||
continue
|
continue
|
||||||
|
if admin['assigneeType'] != 'group' or not recursive:
|
||||||
_setNamesFromIds(admin, _getPrivileges(admin))
|
_setNamesFromIds(admin, _getPrivileges(admin))
|
||||||
|
expandedAdmins.append(admin)
|
||||||
|
continue
|
||||||
|
assignedTo = admin['assignedTo']
|
||||||
|
if assignedTo not in groupMembers:
|
||||||
|
membersList = []
|
||||||
|
membersSet = set()
|
||||||
|
level = 0
|
||||||
|
getGroupMembers(cd, assignedTo, allGroupRoles, membersList, membersSet, i, count,
|
||||||
|
memberOptions, memberDisplayOptions, level, {Ent.TYPE_USER})
|
||||||
|
groupMembers[assignedTo] = membersList[:]
|
||||||
|
_setNamesFromIds(admin, _getPrivileges(admin))
|
||||||
|
if not groupMembers[assignedTo]:
|
||||||
|
expandedAdmins.append(admin)
|
||||||
|
continue
|
||||||
|
admin['assigneeType'] = 'user'
|
||||||
|
admin['assignedToGroup'] = assignedToIdEmailMap[assignedTo]['assigneeEmail']
|
||||||
|
for member in groupMembers[assignedTo]:
|
||||||
|
userAdmin = admin.copy()
|
||||||
|
userAdmin['assignedTo'] = member['id']
|
||||||
|
_setNamesFromIds(userAdmin, _getPrivileges(admin))
|
||||||
|
expandedAdmins.append(userAdmin)
|
||||||
|
admins = expandedAdmins
|
||||||
|
count = len(expandedAdmins)
|
||||||
|
if not csvPF:
|
||||||
|
performActionNumItems(count, Ent.ADMIN_ROLE_ASSIGNMENT)
|
||||||
|
Ind.Increment()
|
||||||
|
i = 0
|
||||||
|
for admin in expandedAdmins:
|
||||||
|
i += 1
|
||||||
printEntity([Ent.ADMIN_ROLE_ASSIGNMENT, admin['roleAssignmentId']], i, count)
|
printEntity([Ent.ADMIN_ROLE_ASSIGNMENT, admin['roleAssignmentId']], i, count)
|
||||||
Ind.Increment()
|
Ind.Increment()
|
||||||
for field in PRINT_ADMIN_TITLES:
|
for field in PRINT_ADMIN_TITLES:
|
||||||
if field in admin:
|
if field in admin:
|
||||||
if field == 'roleAssignmentId':
|
if field == 'roleAssignmentId':
|
||||||
continue
|
continue
|
||||||
if field != 'rolePrivileges':
|
|
||||||
printKeyValueList([field, admin[field]])
|
printKeyValueList([field, admin[field]])
|
||||||
else:
|
if showPrivileges:
|
||||||
showJSON(None, admin[field])
|
rolePrivileges = admin.get('rolePrivileges', [])
|
||||||
|
jcount = len(rolePrivileges)
|
||||||
|
if jcount > 0:
|
||||||
|
printKeyValueList(['rolePrivileges', jcount])
|
||||||
|
Ind.Increment()
|
||||||
|
showJSON(None, rolePrivileges)
|
||||||
|
Ind.Decrement()
|
||||||
Ind.Decrement()
|
Ind.Decrement()
|
||||||
Ind.Decrement()
|
Ind.Decrement()
|
||||||
else:
|
else:
|
||||||
for admin in admins:
|
for admin in expandedAdmins:
|
||||||
if roleId and roleId != admin['roleId']:
|
|
||||||
continue
|
|
||||||
_setNamesFromIds(admin, _getPrivileges(admin))
|
|
||||||
if not oneItemPerRow or 'rolePrivileges' not in admin:
|
if not oneItemPerRow or 'rolePrivileges' not in admin:
|
||||||
csvPF.WriteRowTitles(flattenJSON(admin))
|
csvPF.WriteRowTitles(flattenJSON(admin))
|
||||||
else:
|
else:
|
||||||
|
|||||||
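Review bot: In the handler chain after the `callGAPIpages(cd.roleAssignments(), 'list', 'items', ...)` call, the added `except (GAPI.forbidden, GAPI.serviceNotAvailable) as e:` sits above the existing `except (GAPI.forbidden, GAPI.permissionDenied) as e:`, so a forbidden response is now always reported through `entityActionFailedExit([Ent.ADMINISTRATOR, userKey], str(e))` (with `userKey` possibly `None`) and never reaches `ClientAPIAccessDeniedExit`. If that is not intended, keep the new handler as `except GAPI.serviceNotAvailable as e:`; if it is, drop `GAPI.forbidden` from the later tuple and from its second listing in `throwReasons`. The new `except GAPI.notFound as e:` handler also indexes `kwargs['roleId']`, while the argument loop visible here only assigns `kwargs['userKey']` and the local `roleId`; unless code outside these hunks always sets that key, a `KeyError` would replace the API error, and `kwargs.get('roleId', roleId)` avoids that. The body of `doPrintShowAdmins` continues outside the hunks shown.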