From bcd327a7f4f45d08d0196a5b2b5f8d82de0d6da1 Mon Sep 17 00:00:00 2001 From: Ross Scroggs Date: Mon, 5 May 2025 20:47:23 -0700 Subject: [PATCH] Improved adminrole commands --- src/GamCommands.txt | 13 ++++--- src/GamUpdate.txt | 8 +++++ src/gam/__init__.py | 88 ++++++++++++++++++++++----------------------- 3 files changed, 61 insertions(+), 48 deletions(-) diff --git a/src/GamCommands.txt b/src/GamCommands.txt index 3db965ed..e65b0942 100644 --- a/src/GamCommands.txt +++ b/src/GamCommands.txt @@ -1461,16 +1461,21 @@ gam update serviceaccount (scope|scopes )* gam print privileges [todrive *] gam show privileges + ::= + ::= "(, ::= ::= id:|uid:| -gam create adminrole privileges all|all_ou| [description ] -gam update adminrole [name ] [privileges all|all_ou|] [description ] +gam create adminrole [description ] + privileges all|all_ou||(select |) +gam update adminrole [name ] [description ] + [privileges all|all_ou||(select |)] gam delete adminrole gam info adminrole [privileges] gam print adminroles|roles [todrive *] - [privileges] [oneitemperrow] -gam show adminroles|roles [privileges] + [role ] [privileges] [oneitemperrow] +gam show adminroles|roles + [role ] [privileges] gam create|add admin | customer|(org_unit ) [condition securitygroup|nonsecuritygroup] diff --git a/src/GamUpdate.txt b/src/GamUpdate.txt index aec91228..a6d4d9a8 100644 --- a/src/GamUpdate.txt +++ b/src/GamUpdate.txt @@ -1,3 +1,11 @@ +7.06.14 + +Updated `gam create|update adminrole` to allow specifying a collection of privileges +with `privileges select |` which makes copying roles much simpler. + +Updated option `role ` to `gam print|show adminroles` to allow display of information +for a specific role. + 7.06.13 Updated `gam print group-members ... recursive` and `gam print cigroup-members ... recursive` diff --git a/src/gam/__init__.py b/src/gam/__init__.py index 3125399f..786e1a5d 100755 --- a/src/gam/__init__.py +++ b/src/gam/__init__.py 
@@ -25,7 +25,7 @@ https://github.com/GAM-team/GAM/wiki """ __author__ = 'GAM Team ' -__version__ = '7.06.13' +__version__ = '7.06.14' __license__ = 'Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0)' #pylint: disable=wrong-import-position @@ -16497,8 +16497,10 @@ def getRoleId(): invalidChoiceExit(role, GM.Globals[GM.MAP_ROLE_NAME_TO_ID], True) return (role, roleId) -# gam create adminrole privileges all|all_ou| [description ] -# gam update adminrole [name ] [privileges all|all_ou|] [description ] +# gam create adminrole [description ] +# privileges all|all_ou||(select |) +# gam update adminrole [name ] [description ] +# [privileges all|all_ou||(select |)] def doCreateUpdateAdminRoles(): def expandChildPrivileges(privilege): for childPrivilege in privilege.get('childPrivileges', []): @@ -16529,8 +16531,12 @@ def doCreateUpdateAdminRoles(): elif privs == 'ALL_OU': body['rolePrivileges'] = [{'privilegeName': p, 'serviceId': v} for p, v in ouPrivileges.items()] else: + if privs == 'SELECT': + privsList = [p.upper() for p in getEntityList(Cmd.OB_PRIVILEGE_LIST)] + else: + privsList = privs.replace(',', ' ').split() body.setdefault('rolePrivileges', []) - for p in privs.split(','): + for p in privsList: if p in allPrivileges: body['rolePrivileges'].append({'privilegeName': p, 'serviceId': allPrivileges[p]}) elif p in ouPrivileges: @@ -16540,6 +16546,8 @@ def doCreateUpdateAdminRoles(): elif ':' in p: priv, serv = p.split(':') body['rolePrivileges'].append({'privilegeName': priv, 'serviceId': serv.lower()}) + elif p == 'SUPPORT': + pass else: invalidChoiceExit(p, list(allPrivileges.keys())+list(ouPrivileges.keys())+list(childPrivileges.keys()), True) elif myarg == 'description': 
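Review bot: Blank privilege input in the `else:` branch of doCreateUpdateAdminRoles now produces an empty `privsList` instead of an error. The old `privs.split(',')` turned an empty string into `['']`, which reached `invalidChoiceExit`, whereas `privs.replace(',', ' ').split()` and an empty `select` list both skip the loop and leave `body['rolePrivileges']` as `[]`. On `update` that body is sent to `roles().patch`, which presumably replaces the role's privileges with nothing, so an empty or wrongly built list file could strip a role without any message. Consider rejecting an empty `privsList` before `body.setdefault('rolePrivileges', [])`. The function starts and ends outside this hunk.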
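Review bot: The new `elif p == 'SUPPORT': pass` branch drops a requested privilege without telling the operator, and neither GamCommands.txt nor GamUpdate.txt in this patch mentions it. When a role is copied with `privileges select`, the new role can then differ from the source role with nothing in the output to show it. A comment of the form `# SUPPORT is skipped on purpose: REASON-TO-BE-STATED`, plus a one-line warning naming the skipped privilege, would keep that difference visible for anyone auditing role definitions. The reason for the skip is not visible in this hunk, so the author has to supply it.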
@@ -16557,12 +16565,12 @@ def doCreateUpdateAdminRoles(): customer=GC.Values[GC.CUSTOMER_ID], body=body, fields='roleId,roleName') else: result = callGAPI(cd.roles(), 'patch', - throwReasons=[GAPI.BAD_REQUEST, GAPI.CUSTOMER_NOT_FOUND, GAPI.FORBIDDEN]+[GAPI.NOT_FOUND, GAPI.FAILED_PRECONDITION], + throwReasons=[GAPI.BAD_REQUEST, GAPI.CUSTOMER_NOT_FOUND, GAPI.FORBIDDEN]+[GAPI.NOT_FOUND, GAPI.FAILED_PRECONDITION, GAPI.CONFLICT], customer=GC.Values[GC.CUSTOMER_ID], roleId=roleId, body=body, fields='roleId,roleName') entityActionPerformed([Ent.ADMIN_ROLE, f"{result['roleName']}({result['roleId']})"]) except GAPI.duplicate as e: entityActionFailedWarning([Ent.ADMIN_ROLE, f"{body['roleName']}"], str(e)) - except (GAPI.notFound, GAPI.forbidden, GAPI.failedPrecondition) as e: + except (GAPI.notFound, GAPI.forbidden, GAPI.failedPrecondition, GAPI.conflict) as e: entityActionFailedWarning([Ent.ADMIN_ROLE, roleId], str(e)) except (GAPI.badRequest, GAPI.customerNotFound): accessErrorExit(cd) 
@@ -16605,61 +16613,53 @@ def _showAdminRole(role, i=0, count=0): Ind.Decrement() # gam info adminrole [privileges] -def doInfoAdminRole(): - cd = buildGAPIObject(API.DIRECTORY) - fieldsList = PRINT_ADMIN_ROLES_FIELDS[:] - _, roleId = getRoleId() - while Cmd.ArgumentsRemaining(): - myarg = getArgument() - if myarg == 'privileges': - fieldsList.append('rolePrivileges') - else: - unknownArgumentExit() - fields = getFieldsFromFieldsList(fieldsList) - try: - role = callGAPI(cd.roles(), 'get', - throwReasons=[GAPI.NOT_FOUND, GAPI.FORBIDDEN, GAPI.FAILED_PRECONDITION, - GAPI.BAD_REQUEST, GAPI.CUSTOMER_NOT_FOUND], - customer=GC.Values[GC.CUSTOMER_ID], roleId=roleId, fields=fields) - role.setdefault('isSuperAdminRole', False) - role.setdefault('isSystemRole', False) - _showAdminRole(role) - except (GAPI.notFound, GAPI.forbidden, GAPI.failedPrecondition) as e: - entityActionFailedWarning([Ent.ADMIN_ROLE, roleId], str(e)) - except (GAPI.badRequest, GAPI.customerNotFound): - accessErrorExit(cd) - # gam print adminroles|roles [todrive *] -# [privileges] [oneitemperrow] -# gam show adminroles|roles [privileges] -def doPrintShowAdminRoles(): +# [role ] [privileges] [oneitemperrow] +# gam show adminroles|roles +# [role ] [privileges] +def doInfoPrintShowAdminRoles(): cd = buildGAPIObject(API.DIRECTORY) fieldsList = PRINT_ADMIN_ROLES_FIELDS[:] csvPF = CSVPrintFile(fieldsList, PRINT_ADMIN_ROLES_FIELDS) if Act.csvFormat() else None oneItemPerRow = False + if Act.Get() != Act.INFO: + roleId = None + else: + _, roleId = getRoleId() while Cmd.ArgumentsRemaining(): myarg = getArgument() if csvPF and myarg == 'todrive': csvPF.GetTodriveParameters() + elif roleId is None and myarg == 'role': + _, roleId = getRoleId() elif myarg == 'privileges': fieldsList.append('rolePrivileges') elif myarg == 'oneitemperrow': oneItemPerRow = True else: unknownArgumentExit() - if csvPF: + if csvPF and 'rolePrivileges' in fieldsList: if not oneItemPerRow: csvPF.AddTitles(['rolePrivileges']) else: 
csvPF.AddTitles(['privilegeName', 'serviceId']) - fields = getItemFieldsFromFieldsList('items', fieldsList) - printGettingAllAccountEntities(Ent.ADMIN_ROLE) try: - roles = callGAPIpages(cd.roles(), 'list', 'items', - pageMessage=getPageMessage(), - throwReasons=[GAPI.BAD_REQUEST, GAPI.CUSTOMER_NOT_FOUND, GAPI.FORBIDDEN], - customer=GC.Values[GC.CUSTOMER_ID], fields=fields) - except (GAPI.badRequest, GAPI.customerNotFound, GAPI.forbidden): + if roleId is None: + fields = getItemFieldsFromFieldsList('items', fieldsList) + printGettingAllAccountEntities(Ent.ADMIN_ROLE) + roles = callGAPIpages(cd.roles(), 'list', 'items', + pageMessage=getPageMessage(), + throwReasons=[GAPI.BAD_REQUEST, GAPI.CUSTOMER_NOT_FOUND, GAPI.FORBIDDEN], + customer=GC.Values[GC.CUSTOMER_ID], fields=fields) + else: + fields = getFieldsFromFieldsList(fieldsList) + roles = [callGAPI(cd.roles(), 'get', + throwReasons=[GAPI.NOT_FOUND, GAPI.FORBIDDEN, GAPI.FAILED_PRECONDITION, + GAPI.BAD_REQUEST, GAPI.CUSTOMER_NOT_FOUND], + customer=GC.Values[GC.CUSTOMER_ID], roleId=roleId, fields=fields)] + except (GAPI.notFound, GAPI.forbidden, GAPI.failedPrecondition) as e: + entityActionFailedWarning([Ent.ADMIN_ROLE, roleId], str(e)) + except (GAPI.badRequest, GAPI.customerNotFound): accessErrorExit(cd) for role in roles: role.setdefault('isSuperAdminRole', False) @@ -75613,7 +75613,7 @@ MAIN_COMMANDS_WITH_OBJECTS = { ), 'info': (Act.INFO, - {Cmd.ARG_ADMINROLE: doInfoAdminRole, + {Cmd.ARG_ADMINROLE: doInfoPrintShowAdminRoles, Cmd.ARG_ALERT: doInfoAlert, Cmd.ARG_ALIAS: doInfoAliases, Cmd.ARG_BUILDING: doInfoBuilding, @@ -75688,7 +75688,7 @@ MAIN_COMMANDS_WITH_OBJECTS = { 'print': (Act.PRINT, {Cmd.ARG_ADDRESSES: doPrintAddresses, - Cmd.ARG_ADMINROLE: doPrintShowAdminRoles, + Cmd.ARG_ADMINROLE: doInfoPrintShowAdminRoles, Cmd.ARG_ADMIN: doPrintShowAdmins, Cmd.ARG_ALERT: doPrintShowAlerts, Cmd.ARG_ALERTFEEDBACK: doPrintShowAlertFeedback, 
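Review bot: In doInfoPrintShowAdminRoles, the handler `except (GAPI.notFound, GAPI.forbidden, GAPI.failedPrecondition) as e:` only calls `entityActionFailedWarning` and then falls through to `for role in roles:` with `roles` never assigned. If that helper returns, as its name and its use in doCreateUpdateAdminRoles suggest, a missing or forbidden role ends in an UnboundLocalError instead of a clean failure. The removed doInfoAdminRole avoided this by calling `_showAdminRole` inside the `try`. Adding `return` after `entityActionFailedWarning([Ent.ADMIN_ROLE, roleId], str(e))` fixes it. Separately, `GAPI.forbidden` on the list path used to reach `accessErrorExit(cd)` and is now reported against `roleId`, which is `None` there. The loop over `roles` continues past the end of this hunk.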
@@ -75821,7 +75821,7 @@ MAIN_COMMANDS_WITH_OBJECTS = { ), 'show': (Act.SHOW, - {Cmd.ARG_ADMINROLE: doPrintShowAdminRoles, + {Cmd.ARG_ADMINROLE: doInfoPrintShowAdminRoles, Cmd.ARG_ADMIN: doPrintShowAdmins, Cmd.ARG_ALERT: doPrintShowAlerts, Cmd.ARG_ALERTFEEDBACK: doPrintShowAlertFeedback,