sa email address cleanup

src/GamCommands.txt

@@ -244,6 +244,7 @@ If an item contains spaces, it should be surrounded by ".
         101043 |
         101047 |
         101049 |
+        101050 |
         Google-Apps |
         Google-Chrome-Device-Management |
         Google-Drive-storage |
@@ -270,6 +271,8 @@ If an item contains spaces, it should be surrounded by ".
         cloudidentity | identity | 1010010001 | Cloud Identity |
         cloudidentitypremium | identitypremium | 1010050001 | Cloud Identity Premium |
         cloudsearch | 1010350001 | Cloud Search |
+        colabpro | 1010500001 | Colab Pro |
+        colabpro+ | colabproplus | 1010500002 | Colab Pro+ |
         eeu | 1010490001 | SKU Endpoint Education Upgrade |
         geminibiz | 1010470003 | Gemini Business |
         geminiedu | 1010470004 | Gemini Education |

src/GamUpdate.txt

@@ -2,6 +2,17 @@
 
 Merged GAM-Team version
 
+6.77.03
+
+Thanks to jay, added the following Colab License SKUs:
+```
+1010500001 - Colab Pro
+1010500002 - Colab Pro+
+```
+
+Thanks to Jay, updated `gam print|show admins` to properly display addresses
+of service accounts with admin role assignments.
+
 6.77.02
 
 Cleaned up problems with some of the new Chat API asadmin commands.

src/gam/__init__.py

@@ -5485,8 +5485,7 @@ def buildGAPIObject(api, credentials=None):
       API_Scopes = set(API.VAULT_SCOPES) if api == API.VAULT else set()
     GM.Globals[GM.CURRENT_CLIENT_API] = api
     GM.Globals[GM.CURRENT_CLIENT_API_SCOPES] = API_Scopes.intersection(GM.Globals[GM.CREDENTIALS_SCOPES])
-    scopeless_apis = {API.OAUTH2, API.CHROMEVERSIONHISTORY, API.SERVICEACCOUNTLOOKUP}
-    if api not in scopeless_apis and not GM.Globals[GM.CURRENT_CLIENT_API_SCOPES]:
+    if api not in API.SCOPELESS_APIS and not GM.Globals[GM.CURRENT_CLIENT_API_SCOPES]:
       systemErrorExit(NO_SCOPES_FOR_API_RC, Msg.NO_SCOPES_FOR_API.format(API.getAPIName(api)))
     if not GC.Values[GC.DOMAIN]:
       GC.Values[GC.DOMAIN] = GM.Globals[GM.DECODED_ID_TOKEN].get('hd', 'UNKNOWN').lower()
@@ -5604,7 +5603,6 @@ def getSitesObject(entityType=Ent.DOMAIN, entityName=None, i=0, count=0):
     sitesObject.debug = True
   return (userEmail, sitesObject)
 
-
 def getUserEmailFromID(uid, cd):
   try:
     result = callGAPI(cd.users(), 'get',
@@ -5624,6 +5622,26 @@ def getGroupEmailFromID(uid, cd):
   except (GAPI.groupNotFound, GAPI.domainNotFound, GAPI.domainCannotUseApis, GAPI.forbidden, GAPI.badRequest):
     return None
 
+def getServiceAccountEmailFromID(account_id, sal=None):
+  if sal is None:
+    sal = buildGAPIObject('serviceaccountlookup')
+  try:
+    certs = callGAPI(sal.serviceaccounts(), 'lookup',
+                     throwReasons = [GAPI.BAD_REQUEST, GAPI.RESOURCE_NOT_FOUND,  GAPI.INVALID_ARGUMENT],
+                     account=account_id)
+  except (GAPI.badRequest, GAPI.resourceNotFound, GAPI.invalidArgument):
+    return None
+  sa_cn_rx = r'CN=(.+)\.(.+).iam\.gservice.*'
+  sa_emails = []
+  for _, raw_cert in certs.items():
+    cert = x509.load_pem_x509_certificate(raw_cert.encode(), default_backend())
+    mg = re.match(sa_cn_rx, cert.issuer.rfc4514_string())
+    if mg:
+      sa_email = f'{mg.group(1)}@{mg.group(2)}.iam.gserviceaccount.com'
+      if sa_email not in sa_emails:
+        sa_emails.append(sa_email)
+  return GC.Values[GC.CSV_OUTPUT_FIELD_DELIMITER].join(sa_emails)
+
 # Convert UID to email address and type
 def convertUIDtoEmailAddressWithType(emailAddressOrUID, cd=None, sal=None, emailTypes=None,
                                      checkForCustomerId=False, ciGroupsAPI=False, aliasAllowed=True):
@@ -5677,35 +5695,11 @@ def convertUIDtoEmailAddressWithType(emailAddressOrUID, cd=None, sal=None, email
     except (GAPI.badRequest, GAPI.resourceNotFound, GAPI.forbidden):
       pass
   if 'serviceaccount' in emailTypes:
-    if sal is None:
-      sal = buildGAPIObject(API.SERVICEACCOUNTLOOKUP)
     uid = getServiceAccountEmailFromID(normalizedEmailAddressOrUID, sal)
     if uid:
       return (uid, 'serviceaccount')
   return (normalizedEmailAddressOrUID, 'unknown')
 
-def getServiceAccountEmailFromID(account_id, sal=None):
-  if sal is None:
-    sal = buildGAPIObject('serviceaccountlookup')
-  throwReasons = [GAPI.BAD_REQUEST,
-                  GAPI.RESOURCE_NOT_FOUND,
-                  GAPI.INVALID_ARGUMENT]
-  try:
-    certs = callGAPI(sal.serviceaccounts(),
-                     'lookup',
-                     account=account_id,
-                     throwReasons=throwReasons)
-  except (GAPI.badRequest, GAPI.resourceNotFound, GAPI.invalidArgument):
-    return
-  sa_cn_rx = r'CN=.*\.gserviceaccount\.com$'
-  sa_emails = []
-  for kid, raw_cert in certs.items():
-    cert = x509.load_pem_x509_certificate(raw_cert.encode(), default_backend())
-    subject = cert.issuer.rfc4514_string()
-    if re.match(sa_cn_rx, subject):
-      sa_emails.append(subject[3:])
-  return ' or '.join(sa_emails)
-
 # Convert UID to email address
 def convertUIDtoEmailAddress(emailAddressOrUID, cd=None, emailTypes=None,
                              checkForCustomerId=False, ciGroupsAPI=False, aliasAllowed=True):
@@ -16287,10 +16281,8 @@ def doInfoAdminRole():
   fields = ','.join(set(fieldsList))
   try:
     role = callGAPI(cd.roles(), 'get',
-                    throwReasons=[GAPI.BAD_REQUEST,
-                                  GAPI.CUSTOMER_NOT_FOUND,
-                                  GAPI.FORBIDDEN]+[GAPI.NOT_FOUND,
-                                                   GAPI.FAILED_PRECONDITION],
+                    throwReasons=[GAPI.NOT_FOUND, GAPI.FORBIDDEN, GAPI.FAILED_PRECONDITION,
+                                  GAPI.BAD_REQUEST, GAPI.CUSTOMER_NOT_FOUND],
                     customer=GC.Values[GC.CUSTOMER_ID], roleId=roleId, fields=fields)
     role.setdefault('isSuperAdminRole', False)
     role.setdefault('isSystemRole', False)
@@ -16434,8 +16426,15 @@ def doDeleteAdmin():
   except (GAPI.badRequest, GAPI.customerNotFound):
     accessErrorExit(cd)
 
+ASSIGNEE_EMAILTYPE_TOFIELD_MAP = {
+  'user': 'assignedToUser',
+  'group': 'assignedToGroup',
+  'serviceaccount': 'assignedToServiceAccount',
+  }
 PRINT_ADMIN_FIELDS = ['roleAssignmentId', 'roleId', 'assignedTo', 'scopeType', 'orgUnitId']
-PRINT_ADMIN_TITLES = ['roleAssignmentId', 'roleId', 'role', 'assignedTo', 'assignedToUser', 'assignedToGroup', 'scopeType', 'orgUnitId', 'orgUnit']
+PRINT_ADMIN_TITLES = ['roleAssignmentId', 'roleId', 'role',
+                      'assignedTo', 'assignedToUser', 'assignedToGroup', 'assignedToServiceAccount',
+                      'scopeType', 'orgUnitId', 'orgUnit']
 
 # gam print admins [todrive <ToDriveAttribute>*]
 #	[user|group <EmailAddress>|<UniqueID>] [role <RoleItem>] [condition]
@@ -16449,10 +16448,8 @@ def doPrintShowAdmins():
       if roleId not in rolePrivileges:
         try:
           rolePrivileges[roleId] = callGAPI(cd.roles(), 'get',
-                                            throwReasons=[GAPI.BAD_REQUEST,
-                                                          GAPI.CUSTOMER_NOT_FOUND,
-                                                          GAPI.FORBIDDEN]+[GAPI.NOT_FOUND,
-                                                                           GAPI.FAILED_PRECONDITION],
+                                            throwReasons=[GAPI.NOT_FOUND, GAPI.FORBIDDEN, GAPI.FAILED_PRECONDITION,
+                                                          GAPI.BAD_REQUEST, GAPI.CUSTOMER_NOT_FOUND],
                                             customer=GC.Values[GC.CUSTOMER_ID],
                                             roleId=roleId,
                                             fields='rolePrivileges')
@@ -16468,26 +16465,13 @@ def doPrintShowAdmins():
     assignedTo = admin['assignedTo']
     if assignedTo not in assignedToIdEmailMap:
       assigneeType = admin.get('assigneeType')
-      if assigneeType == 'user':
-        assignedToField = 'assignedToUser'
-      elif assigneeType == 'group':
-        assignedToField = 'assignedToGroup'
-      elif assigneeType == 'serviceaccount':
-        assignedToField = 'assignedToServiceAccount'
-      else:
-        assignedToField = None
-      emailTypes = ['user', 'group', 'serviceaccount']
+      assignedToField = ASSIGNEE_EMAILTYPE_TOFIELD_MAP.get(assigneeType, None)
       assigneeEmail, assigneeType = convertUIDtoEmailAddressWithType(f'uid:{assignedTo}',
                                                                      cd,
                                                                      sal,
-                                                                     emailTypes=emailTypes)
-      if not assignedToField and assigneeType in ['user', 'group', 'serviceaccount']:
-        if assigneeType == 'user':
-          assignedToField = 'assignedToUser'
-        elif assigneeType == 'group':
-          assignedToField = 'assignedToGroup'
-        elif assigneeType == 'serviceaccount':
-          assignedToField = 'assignedToServiceAccount'
+                                                                     emailTypes=list(ASSIGNEE_EMAILTYPE_TOFIELD_MAP.keys()))
+      if not assignedToField and assigneeType in ASSIGNEE_EMAILTYPE_TOFIELD_MAP:
+        assignedToField = ASSIGNEE_EMAILTYPE_TOFIELD_MAP[assigneeType]
       assignedToIdEmailMap[assignedTo] = {'assignedToField': assignedToField, 'assigneeEmail': assigneeEmail}
     assignedToField = assignedToIdEmailMap[assignedTo]['assignedToField']
     if assignedToField:

src/gam/gamlib/glapi.py

@@ -121,6 +121,12 @@ JWT_APIS = {
   ORGPOLICY: [CLOUD_PLATFORM_SCOPE],
   }
 #
+SCOPELESS_APIS = {
+  CHROMEVERSIONHISTORY,
+  OAUTH2,
+  SERVICEACCOUNTLOOKUP,
+  }
+#
 APIS_NEEDING_ACCESS_TOKEN = {
   CBCM: ['https://www.googleapis.com/auth/admin.directory.device.chromebrowsers']
   }

src/gam/gamlib/glcfg.py

@@ -292,7 +292,7 @@ TODRIVE_USER = 'todrive_user'
 TRUNCATE_CLIENT_ID  = 'truncate_client_id'
 # Update CrOS org unit with orgUnitId
 UPDATE_CROS_OU_WITH_ID = 'update_cros_ou_with_id'
-# Use chat asadmin where possible
+# Use admin access for chat where possible
 USE_CHAT_ADMIN_ACCESS = 'use_chat_admin_access'
 # Use course owner for course access
 USE_COURSE_OWNER_ACCESS = 'use_course_owner_access'