gcpdetails/scopes cleanup #1891

This commit is contained in:
Ross Scroggs
2026-03-18 16:39:20 -07:00
parent d302563045
commit ce47c9bc7c
2 changed files with 51 additions and 49 deletions


@@ -25,7 +25,7 @@ https://github.com/GAM-team/GAM/wiki
""" """
__author__ = 'GAM Team <google-apps-manager@googlegroups.com>' __author__ = 'GAM Team <google-apps-manager@googlegroups.com>'
__version__ = '7.36.03' __version__ = '7.37.00'
__license__ = 'Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0)' __license__ = 'Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0)'
# pylint: disable=wrong-import-position # pylint: disable=wrong-import-position
@@ -10821,9 +10821,9 @@ def getScopesFromUser(scopesList, clientAccess, currentScopes=None):
oauth2_menu += '\n' oauth2_menu += '\n'
oauth2_menu += ''' oauth2_menu += '''
Select an unselected scope [ ] by entering a number; yields [*] Select an unselected scope [ ] by entering a number; yields [*]
For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R] For scopes that optionally support readonly, enter a number and an 'r' to grant readonly access; yields [R]
For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A] For scopes that optionally support actiononly, enter a number and an 'a' to grant actiononly access; yields [A]
Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*] Clear readonly access [R] or actiononly access [A] from a scope by entering a number; yields [*]
Unselect a selected scope [*] by entering a number; yields [ ] Unselect a selected scope [*] by entering a number; yields [ ]
Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
Unselect all scopes by entering a 'u'; yields [ ] for all scopes Unselect all scopes by entering a 'u'; yields [ ] for all scopes
@@ -10844,15 +10844,16 @@ Continue to authorization by entering a 'c'
for a_scope in scopesList: for a_scope in scopesList:
selectedScopes[i] = ' ' selectedScopes[i] = ' '
possibleScope = a_scope['scope'] possibleScope = a_scope['scope']
subScopes = a_scope.get('subscopes', [])
for currentScope in currentScopes: for currentScope in currentScopes:
if currentScope == possibleScope: if currentScope == possibleScope:
selectedScopes[i] = '*' selectedScopes[i] = '*'
break break
if 'readonly' in a_scope['subscopes']: if 'readonly' in subScopes:
if currentScope == possibleScope+'.readonly': if currentScope == possibleScope+'.readonly':
selectedScopes[i] = 'R' selectedScopes[i] = 'R'
break break
if 'action' in a_scope['subscopes']: if 'actiononly' in subScopes:
if currentScope == possibleScope+'.action': if currentScope == possibleScope+'.action':
selectedScopes[i] = 'A' selectedScopes[i] = 'A'
break break
@@ -10863,13 +10864,14 @@ Continue to authorization by entering a 'c'
selectedScopes[i] = ' ' selectedScopes[i] = ' '
api = a_scope['api'] api = a_scope['api']
possibleScope = a_scope['scope'] possibleScope = a_scope['scope']
subScopes = a_scope.get('subscopes', [])
if api in currentScopes: if api in currentScopes:
if not isinstance(possibleScope, list): if not isinstance(possibleScope, list):
for scope in currentScopes[api]: for scope in currentScopes[api]:
if scope == possibleScope: if scope == possibleScope:
selectedScopes[i] = '*' selectedScopes[i] = '*'
break break
if 'readonly' in a_scope['subscopes']: if 'readonly' in subScopes:
if (scope == possibleScope+'.readonly') or (scope == a_scope.get('roscope')): if (scope == possibleScope+'.readonly') or (scope == a_scope.get('roscope')):
selectedScopes[i] = 'R' selectedScopes[i] = 'R'
break break
@@ -10910,12 +10912,12 @@ Continue to authorization by entering a 'c'
selection = int(selection) selection = int(selection)
if isinstance(selection, int) and selection < numScopes: if isinstance(selection, int) and selection < numScopes:
if mode == 'R': if mode == 'R':
if 'readonly' not in scopesList[selection]['subscopes']: if 'readonly' not in scopesList[selection].get('subscopes',[]):
sys.stdout.write(f'{ERROR_PREFIX}Scope {selection} does not support read-only mode!\n') sys.stdout.write(f'{ERROR_PREFIX}Scope {selection} does not support readonly mode!\n')
continue continue
elif mode == 'A': elif mode == 'A':
if 'action' not in scopesList[selection]['subscopes']: if 'actiononly' not in scopesList[selection].get('subscopes', []):
sys.stdout.write(f'{ERROR_PREFIX}Scope {selection} does not support action-only mode!\n') sys.stdout.write(f'{ERROR_PREFIX}Scope {selection} does not support actiononly mode!\n')
continue continue
elif selectedScopes[selection] != '*': elif selectedScopes[selection] != '*':
mode = '*' mode = '*'
@@ -11357,9 +11359,10 @@ def doOAuthCreate():
if uscope in {'openid', 'email', API.USERINFO_EMAIL_SCOPE, 'profile', API.USERINFO_PROFILE_SCOPE}: if uscope in {'openid', 'email', API.USERINFO_EMAIL_SCOPE, 'profile', API.USERINFO_PROFILE_SCOPE}:
continue continue
for scope in scopesList: for scope in scopesList:
subScopes = scope.get('subscopes', [])
if ((uscope == scope['scope']) or if ((uscope == scope['scope']) or
(uscope.endswith('.action') and 'action' in scope['subscopes']) or (uscope.endswith('.action') and 'actiononly' in subscopes) or
(uscope.endswith('.readonly') and 'readonly' in scope['subscopes'])): (uscope.endswith('.readonly') and 'readonly' in subscopes)):
scopes.append(uscope) scopes.append(uscope)
break break
else: else:
@@ -11992,12 +11995,13 @@ def getGCPOrg(crm, login_hint, login_domain):
try: try:
getorg = callGAPI(crm.organizations(), 'search', getorg = callGAPI(crm.organizations(), 'search',
throwReasons=[GAPI.INVALID_ARGUMENT, GAPI.PERMISSION_DENIED], throwReasons=[GAPI.INVALID_ARGUMENT, GAPI.PERMISSION_DENIED],
query=f'domain:{login_domain}') query=f'domain:{login_domain}',
pageSize=1, fields='organizations/name')
except (GAPI.invalidArgument, GAPI.permissionDenied) as e: except (GAPI.invalidArgument, GAPI.permissionDenied) as e:
entityActionFailedExit([Ent.USER, login_hint, Ent.DOMAIN, login_domain], str(e)) entityActionFailedExit([Ent.USER, login_hint, Ent.DOMAIN, login_domain], str(e))
try: try:
organization = getorg['organizations'][0]['name'] organization = getorg['organizations'][0]['name']
sys.stdout.write(Msg.YOUR_ORGANIZATION_NAME_IS.format(organization)) # sys.stdout.write(Msg.YOUR_ORGANIZATION_NAME_IS.format(organization))
return organization return organization
except (KeyError, IndexError): except (KeyError, IndexError):
systemErrorExit(3, Msg.YOU_HAVE_NO_RIGHTS_TO_CREATE_PROJECTS_AND_YOU_ARE_NOT_A_SUPER_ADMIN) systemErrorExit(3, Msg.YOU_HAVE_NO_RIGHTS_TO_CREATE_PROJECTS_AND_YOU_ARE_NOT_A_SUPER_ADMIN)
@@ -72448,12 +72452,10 @@ def _printShowTokens(entityType, users):
result['internal'] = True result['internal'] = True
return return
try: try:
results = callGAPI(crm1.projects(), results = callGAPI(crm1.projects(), 'getAncestry',
'getAncestry', throwReasons=[GAPI.PERMISSION_DENIED],
projectId=result['project'], projectId=result['project'])
throwReasons=[GAPI.PERMISSION_DENIED]) for ancestor in results.get('ancestor', []):
ancestors = results.get('ancestor', [])
for ancestor in ancestors:
if ancestor.get('resourceId', {}).get('type') == 'organization' and ancestor.get('resourceId', {}).get('id') == org_id: if ancestor.get('resourceId', {}).get('type') == 'organization' and ancestor.get('resourceId', {}).get('id') == org_id:
result['internal'] = True result['internal'] = True
internal_projects.append(result['project']) internal_projects.append(result['project'])
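Review bot: In the doOAuthCreate hunk the new condition tests `'actiononly' in subscopes` and `'readonly' in subscopes`, but the variable introduced on the line above is `subScopes`; unless a lowercase `subscopes` is defined elsewhere in that function, any requested scope ending in `.action` or `.readonly` that does not equal `scope['scope']` exactly will raise a NameError instead of being accepted. The two lines should read `(uscope.endswith('.action') and 'actiononly' in subScopes) or` and `(uscope.endswith('.readonly') and 'readonly' in subScopes)):`; the enclosing loop and function continue outside the hunk. In getGCPOrg, the organization-name message is left behind as a commented-out statement; deleting it keeps the function free of dead code. Since the search now passes `pageSize=1` and the code takes `['organizations'][0]`, a short comment such as `# only the first organization matching login_domain is used` would make that choice explicit for the next reader.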


@@ -456,7 +456,7 @@ _CLIENT_SCOPES = [
'scope': 'https://www.googleapis.com/auth/admin.directory.group'}, 'scope': 'https://www.googleapis.com/auth/admin.directory.group'},
{'name': 'Directory API - Mobile Devices Directory', {'name': 'Directory API - Mobile Devices Directory',
'api': DIRECTORY, 'api': DIRECTORY,
'subscopes': ['readonly', 'action'], 'subscopes': ['readonly', 'actiononly'],
'scope': 'https://www.googleapis.com/auth/admin.directory.device.mobile'}, 'scope': 'https://www.googleapis.com/auth/admin.directory.device.mobile'},
{'name': 'Directory API - Organizational Units', {'name': 'Directory API - Organizational Units',
'api': DIRECTORY, 'api': DIRECTORY,
@@ -505,21 +505,21 @@ _CLIENT_SCOPES = [
'api': PUBSUB, 'api': PUBSUB,
'offByDefault': True, 'offByDefault': True,
'scope': 'https://www.googleapis.com/auth/pubsub'}, 'scope': 'https://www.googleapis.com/auth/pubsub'},
{'name': 'Reports API - Audit Reports', {'name': 'Reports API - Audit Reports readonly',
'api': REPORTS, 'api': REPORTS,
'scope': 'https://www.googleapis.com/auth/admin.reports.audit.readonly'}, 'scope': 'https://www.googleapis.com/auth/admin.reports.audit.readonly'},
{'name': 'Reports API - Usage Reports', {'name': 'Reports API - Usage Reports readonly',
'api': REPORTS, 'api': REPORTS,
'scope': 'https://www.googleapis.com/auth/admin.reports.usage.readonly'}, 'scope': 'https://www.googleapis.com/auth/admin.reports.usage.readonly'},
{'name': 'Reseller API', {'name': 'Reseller API',
'api': RESELLER, 'api': RESELLER,
'offByDefault': True, 'offByDefault': True,
'scope': 'https://www.googleapis.com/auth/apps.order'}, 'scope': 'https://www.googleapis.com/auth/apps.order'},
{'name': 'Resource Manager - Organizations', {'name': 'Resource Manager - Organizations readonly',
'api': CLOUDRESOURCEMANAGER, 'api': CLOUDRESOURCEMANAGER,
'offByDefault': True, 'offByDefault': True,
'scope': 'https://www.googleapis.com/auth/cloudplatformorganizations.readonly'}, 'scope': 'https://www.googleapis.com/auth/cloudplatformorganizations.readonly'},
{'name': 'Resource Manager - Projects', {'name': 'Resource Manager - Projects readonly',
'api': CLOUDRESOURCEMANAGER, 'api': CLOUDRESOURCEMANAGER,
'offByDefault': True, 'offByDefault': True,
'scope': 'https://www.googleapis.com/auth/cloudplatformprojects.readonly'}, 'scope': 'https://www.googleapis.com/auth/cloudplatformprojects.readonly'},
@@ -541,7 +541,7 @@ _COMMANDDATA_CLIENT_SCOPES = [
'api': DRIVE3, 'api': DRIVE3,
'subscopes': [], 'subscopes': [],
'scope': DRIVE_READONLY_SCOPE}, 'scope': DRIVE_READONLY_SCOPE},
{'name': 'Sheets API - commanddata_clientaccess', {'name': 'Sheets API - commanddata_clientaccess readonly',
'api': SHEETS, 'api': SHEETS,
'subscopes': [], 'subscopes': [],
'scope': 'https://www.googleapis.com/auth/spreadsheets.readonly'}, 'scope': 'https://www.googleapis.com/auth/spreadsheets.readonly'},
@@ -729,7 +729,7 @@ _SVCACCT_SCOPES = [
'subscopes': [], 'subscopes': [],
'scope': ['https://www.googleapis.com/auth/meetings.space.created', 'scope': ['https://www.googleapis.com/auth/meetings.space.created',
'https://www.googleapis.com/auth/meetings.space.settings']}, 'https://www.googleapis.com/auth/meetings.space.settings']},
{'name': 'Meet API - Read Meeting Spaces metadata', {'name': 'Meet API - Read Meeting Spaces metadata readonly',
'api': MEET_READONLY, 'api': MEET_READONLY,
'subscopes': [], 'subscopes': [],
'scope': 'https://www.googleapis.com/auth/meetings.space.readonly'}, 'scope': 'https://www.googleapis.com/auth/meetings.space.readonly'},
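Review bot: The subscope key `'action'` becomes `'actiononly'` on the Mobile Devices entry, and getScopesFromUser in the companion file now checks only for `'actiononly'`, so any other entry in these tables that still lists `'action'` (none is visible in this section) would no longer be offered action-only mode and would push the user toward the broader full scope. It is worth confirming with a search that no `'action'` subscope remains across _CLIENT_SCOPES and _SVCACCT_SCOPES. The display names gaining a ` readonly` suffix are cosmetic.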