gcpdetails/scopes cleanup #1891

This commit is contained in:
Ross Scroggs
2026-03-18 16:39:20 -07:00
parent d302563045
commit ce47c9bc7c
2 changed files with 51 additions and 49 deletions


@@ -25,7 +25,7 @@ https://github.com/GAM-team/GAM/wiki
"""
__author__ = 'GAM Team <google-apps-manager@googlegroups.com>'
__version__ = '7.36.03'
__version__ = '7.37.00'
__license__ = 'Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0)'
# pylint: disable=wrong-import-position
@@ -10821,9 +10821,9 @@ def getScopesFromUser(scopesList, clientAccess, currentScopes=None):
oauth2_menu += '\n'
oauth2_menu += '''
Select an unselected scope [ ] by entering a number; yields [*]
For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
For scopes that optionally support readonly, enter a number and an 'r' to grant readonly access; yields [R]
For scopes that optionally support actiononly, enter a number and an 'a' to grant actiononly access; yields [A]
Clear readonly access [R] or actiononly access [A] from a scope by entering a number; yields [*]
Unselect a selected scope [*] by entering a number; yields [ ]
Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
Unselect all scopes by entering a 'u'; yields [ ] for all scopes
@@ -10844,15 +10844,16 @@ Continue to authorization by entering a 'c'
for a_scope in scopesList:
selectedScopes[i] = ' '
possibleScope = a_scope['scope']
subScopes = a_scope.get('subscopes', [])
for currentScope in currentScopes:
if currentScope == possibleScope:
selectedScopes[i] = '*'
break
if 'readonly' in a_scope['subscopes']:
if 'readonly' in subScopes:
if currentScope == possibleScope+'.readonly':
selectedScopes[i] = 'R'
break
if 'action' in a_scope['subscopes']:
if 'actiononly' in subScopes:
if currentScope == possibleScope+'.action':
selectedScopes[i] = 'A'
break
@@ -10863,13 +10864,14 @@ Continue to authorization by entering a 'c'
selectedScopes[i] = ' '
api = a_scope['api']
possibleScope = a_scope['scope']
subScopes = a_scope.get('subscopes', [])
if api in currentScopes:
if not isinstance(possibleScope, list):
for scope in currentScopes[api]:
if scope == possibleScope:
selectedScopes[i] = '*'
break
if 'readonly' in a_scope['subscopes']:
if 'readonly' in subScopes:
if (scope == possibleScope+'.readonly') or (scope == a_scope.get('roscope')):
selectedScopes[i] = 'R'
break
@@ -10910,12 +10912,12 @@ Continue to authorization by entering a 'c'
selection = int(selection)
if isinstance(selection, int) and selection < numScopes:
if mode == 'R':
if 'readonly' not in scopesList[selection]['subscopes']:
sys.stdout.write(f'{ERROR_PREFIX}Scope {selection} does not support read-only mode!\n')
if 'readonly' not in scopesList[selection].get('subscopes',[]):
sys.stdout.write(f'{ERROR_PREFIX}Scope {selection} does not support readonly mode!\n')
continue
elif mode == 'A':
if 'action' not in scopesList[selection]['subscopes']:
sys.stdout.write(f'{ERROR_PREFIX}Scope {selection} does not support action-only mode!\n')
if 'actiononly' not in scopesList[selection].get('subscopes', []):
sys.stdout.write(f'{ERROR_PREFIX}Scope {selection} does not support actiononly mode!\n')
continue
elif selectedScopes[selection] != '*':
mode = '*'
@@ -11357,9 +11359,10 @@ def doOAuthCreate():
if uscope in {'openid', 'email', API.USERINFO_EMAIL_SCOPE, 'profile', API.USERINFO_PROFILE_SCOPE}:
continue
for scope in scopesList:
subScopes = scope.get('subscopes', [])
if ((uscope == scope['scope']) or
(uscope.endswith('.action') and 'action' in scope['subscopes']) or
(uscope.endswith('.readonly') and 'readonly' in scope['subscopes'])):
(uscope.endswith('.action') and 'actiononly' in subscopes) or
(uscope.endswith('.readonly') and 'readonly' in subscopes)):
scopes.append(uscope)
break
else:
@@ -11992,12 +11995,13 @@ def getGCPOrg(crm, login_hint, login_domain):
try:
getorg = callGAPI(crm.organizations(), 'search',
throwReasons=[GAPI.INVALID_ARGUMENT, GAPI.PERMISSION_DENIED],
query=f'domain:{login_domain}')
query=f'domain:{login_domain}',
pageSize=1, fields='organizations/name')
except (GAPI.invalidArgument, GAPI.permissionDenied) as e:
entityActionFailedExit([Ent.USER, login_hint, Ent.DOMAIN, login_domain], str(e))
try:
organization = getorg['organizations'][0]['name']
sys.stdout.write(Msg.YOUR_ORGANIZATION_NAME_IS.format(organization))
# sys.stdout.write(Msg.YOUR_ORGANIZATION_NAME_IS.format(organization))
return organization
except (KeyError, IndexError):
systemErrorExit(3, Msg.YOU_HAVE_NO_RIGHTS_TO_CREATE_PROJECTS_AND_YOU_ARE_NOT_A_SUPER_ADMIN)
@@ -72448,12 +72452,10 @@ def _printShowTokens(entityType, users):
result['internal'] = True
return
try:
results = callGAPI(crm1.projects(),
'getAncestry',
projectId=result['project'],
throwReasons=[GAPI.PERMISSION_DENIED])
ancestors = results.get('ancestor', [])
for ancestor in ancestors:
results = callGAPI(crm1.projects(), 'getAncestry',
throwReasons=[GAPI.PERMISSION_DENIED],
projectId=result['project'])
for ancestor in results.get('ancestor', []):
if ancestor.get('resourceId', {}).get('type') == 'organization' and ancestor.get('resourceId', {}).get('id') == org_id:
result['internal'] = True
internal_projects.append(result['project'])
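Review bot: In the doOAuthCreate hunk the new condition tests `'actiononly' in subscopes` and `'readonly' in subscopes`, but the name bound two lines earlier is `subScopes`, so unless a lowercase `subscopes` is defined elsewhere in the function, the first user-supplied `.action`/`.readonly` scope that is not an exact match raises NameError; the two lines should read `(uscope.endswith('.action') and 'actiononly' in subScopes) or` and `(uscope.endswith('.readonly') and 'readonly' in subScopes)):`. The getScopesFromUser hunks spell the local consistently as `subScopes`, and the loop in doOAuthCreate begins and ends outside the hunk. Because the `'action'` to `'actiononly'` rename is only ever checked with `in` on a list, any consumer not updated in this commit would silently stop matching rather than fail, so a one-line comment at the `subScopes` binding naming the accepted values would help future readers: `# subscopes values: 'readonly' -> '<scope>.readonly', 'actiononly' -> '<scope>.action'`. Minor: `.get('subscopes',[])` in the readonly branch of the selection loop lacks the space after the comma that the actiononly branch has.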


@@ -140,16 +140,16 @@ SCOPELESS_APIS = {
# Scopes not in the discovery doc that are still valid for the API.
EXTRA_SCOPES = {
BUSINESSACCOUNTMANAGEMENT: [ 'https://www.googleapis.com/auth/business.manage'],
CLOUDRESOURCEMANAGER: ['https://www.googleapis.com/auth/cloudplatformfolders',
'https://www.googleapis.com/auth/cloudplatformfolders.readonly',
'https://www.googleapis.com/auth/cloudplatformprojects',
'https://www.googleapis.com/auth/cloudplatformprojects.readonly',
'https://www.googleapis.com/auth/cloudplatformorganizations',
'https://www.googleapis.com/auth/cloudplatformorganizations.readonly',
],
VAULT: ['https://www.googleapis.com/auth/ediscovery', 'https://www.googleapis.com/auth/ediscovery.readonly'],
}
BUSINESSACCOUNTMANAGEMENT: ['https://www.googleapis.com/auth/business.manage'],
CLOUDRESOURCEMANAGER: ['https://www.googleapis.com/auth/cloudplatformfolders',
'https://www.googleapis.com/auth/cloudplatformfolders.readonly',
'https://www.googleapis.com/auth/cloudplatformprojects',
'https://www.googleapis.com/auth/cloudplatformprojects.readonly',
'https://www.googleapis.com/auth/cloudplatformorganizations',
'https://www.googleapis.com/auth/cloudplatformorganizations.readonly',
],
VAULT: ['https://www.googleapis.com/auth/ediscovery', 'https://www.googleapis.com/auth/ediscovery.readonly'],
}
EXTRA_SCOPES[CLOUDRESOURCEMANAGERV1] = EXTRA_SCOPES[CLOUDRESOURCEMANAGER]
APIS_NEEDING_ACCESS_TOKEN = {
@@ -330,18 +330,18 @@ _CLIENT_SCOPES = [
'api': CBCM,
'subscopes': READONLY,
'scope': 'https://www.googleapis.com/auth/admin.directory.device.chromebrowsers'},
{'name': 'Chrome Management API - read only',
{'name': 'Chrome Management API - readonly',
'api': CHROMEMANAGEMENT,
'subscopes': [],
'scope': 'https://www.googleapis.com/auth/chrome.management.reports.readonly'},
{'name': 'Chrome Management API - AppDetails read only',
{'name': 'Chrome Management API - AppDetails readonly',
'api': CHROMEMANAGEMENT_APPDETAILS,
'scope': 'https://www.googleapis.com/auth/chrome.management.appdetails.readonly'},
{'name': 'Chrome Management API - Profiles',
'api': CHROMEMANAGEMENT_CHROMEPROFILES,
'subscopes': READONLY,
'scope': 'https://www.googleapis.com/auth/chrome.management.profiles'},
{'name': 'Chrome Management API - Telemetry read only',
{'name': 'Chrome Management API - Telemetry readonly',
'api': CHROMEMANAGEMENT_TELEMETRY,
'scope': 'https://www.googleapis.com/auth/chrome.management.telemetry.readonly'},
{'name': 'Chrome Policy API',
@@ -456,7 +456,7 @@ _CLIENT_SCOPES = [
'scope': 'https://www.googleapis.com/auth/admin.directory.group'},
{'name': 'Directory API - Mobile Devices Directory',
'api': DIRECTORY,
'subscopes': ['readonly', 'action'],
'subscopes': ['readonly', 'actiononly'],
'scope': 'https://www.googleapis.com/auth/admin.directory.device.mobile'},
{'name': 'Directory API - Organizational Units',
'api': DIRECTORY,
@@ -494,7 +494,7 @@ _CLIENT_SCOPES = [
{'name': 'License Manager API',
'api': LICENSING,
'scope': 'https://www.googleapis.com/auth/apps.licensing'},
{'name': 'People Directory API - read only',
{'name': 'People Directory API - readonly',
'api': PEOPLE_DIRECTORY,
'scope': 'https://www.googleapis.com/auth/directory.readonly'},
{'name': 'People API',
@@ -505,21 +505,21 @@ _CLIENT_SCOPES = [
'api': PUBSUB,
'offByDefault': True,
'scope': 'https://www.googleapis.com/auth/pubsub'},
{'name': 'Reports API - Audit Reports',
{'name': 'Reports API - Audit Reports readonly',
'api': REPORTS,
'scope': 'https://www.googleapis.com/auth/admin.reports.audit.readonly'},
{'name': 'Reports API - Usage Reports',
{'name': 'Reports API - Usage Reports readonly',
'api': REPORTS,
'scope': 'https://www.googleapis.com/auth/admin.reports.usage.readonly'},
{'name': 'Reseller API',
'api': RESELLER,
'offByDefault': True,
'scope': 'https://www.googleapis.com/auth/apps.order'},
{'name': 'Resource Manager - Organizations',
{'name': 'Resource Manager - Organizations readonly',
'api': CLOUDRESOURCEMANAGER,
'offByDefault': True,
'scope': 'https://www.googleapis.com/auth/cloudplatformorganizations.readonly'},
{'name': 'Resource Manager - Projects',
{'name': 'Resource Manager - Projects readonly',
'api': CLOUDRESOURCEMANAGER,
'offByDefault': True,
'scope': 'https://www.googleapis.com/auth/cloudplatformprojects.readonly'},
@@ -541,7 +541,7 @@ _COMMANDDATA_CLIENT_SCOPES = [
'api': DRIVE3,
'subscopes': [],
'scope': DRIVE_READONLY_SCOPE},
{'name': 'Sheets API - commanddata_clientaccess',
{'name': 'Sheets API - commanddata_clientaccess readonly',
'api': SHEETS,
'subscopes': [],
'scope': 'https://www.googleapis.com/auth/spreadsheets.readonly'},
@@ -573,7 +573,7 @@ _SVCACCT_SCOPES = [
'api': ALERTCENTER,
'subscopes': [],
'scope': 'https://www.googleapis.com/auth/apps.alerts'},
{'name': 'Analytics Admin API - read only',
{'name': 'Analytics Admin API - readonly',
'api': ANALYTICS_ADMIN,
'subscopes': [],
'scope': 'https://www.googleapis.com/auth/analytics.readonly'},
@@ -729,7 +729,7 @@ _SVCACCT_SCOPES = [
'subscopes': [],
'scope': ['https://www.googleapis.com/auth/meetings.space.created',
'https://www.googleapis.com/auth/meetings.space.settings']},
{'name': 'Meet API - Read Meeting Spaces metadata',
{'name': 'Meet API - Read Meeting Spaces metadata readonly',
'api': MEET_READONLY,
'subscopes': [],
'scope': 'https://www.googleapis.com/auth/meetings.space.readonly'},
@@ -741,15 +741,15 @@ _SVCACCT_SCOPES = [
'api': PEOPLE,
'subscopes': READONLY,
'scope': PEOPLE_SCOPE},
{'name': 'People Directory API - read only',
{'name': 'People Directory API - readonly',
'api': PEOPLE_DIRECTORY,
'subscopes': [],
'scope': 'https://www.googleapis.com/auth/directory.readonly'},
{'name': 'People API - Other Contacts - read only',
{'name': 'People API - Other Contacts - readonly',
'api': PEOPLE_OTHERCONTACTS,
'subscopes': [],
'scope': 'https://www.googleapis.com/auth/contacts.other.readonly'},
{'name': 'Search Console API - read only',
{'name': 'Search Console API - readonly',
'api': SEARCHCONSOLE,
'subscopes': [],
'offByDefault': True,
@@ -763,7 +763,7 @@ _SVCACCT_SCOPES = [
'subscopes': [],
'offByDefault': True,
'scope': 'https://www.googleapis.com/auth/siteverification'},
{'name': 'Tag Manager API - Accounts, Containers, Workspaces, Tags - read only',
{'name': 'Tag Manager API - Accounts, Containers, Workspaces, Tags - readonly',
'api': TAGMANAGER,
'subscopes': [],
'offByDefault': True,
@@ -777,7 +777,7 @@ _SVCACCT_SCOPES = [
'api': TASKS,
'subscopes': READONLY,
'scope': 'https://www.googleapis.com/auth/tasks'},
{'name': 'Youtube API - read only',
{'name': 'Youtube API - readonly',
'api': YOUTUBE,
'subscopes': [],
'offByDefault': True,
@@ -790,7 +790,7 @@ _SVCACCT_SPECIAL_SCOPES = [
'subscopes': [],
'offByDefault': True,
'scope': DRIVE_SCOPE},
{'name': 'Gmail API - Full Access - read only',
{'name': 'Gmail API - Full Access - readonly',
'api': GMAIL,
'subscopes': [],
'offByDefault': True,