Merge branch 'main' of https://github.com/GAM-team/GAM

2026-06-03 22:01:39 +00:00 · 2025-10-22 17:32:55 +00:00
parent c67a4c9147 e583b6e20c
commit e9d911b5cd
8 changed files with 58 additions and 38 deletions
--- a/src/GamUpdate.txt
+++ b/src/GamUpdate.txt
@@ -1,3 +1,16 @@
+7.27.01
+
+Fixed bug in `gam <UserTypeEntity> claim ownership <DriveFileEntity> ... onlyUsers|skipusers <UserTypeEntity>`
+where the email addresses in `onlyUsers|skipusers <UserTypeEntity>` were not normalized.
+
+7.27.00
+
+Added `debug_redaction` Boolean variable to `gam.cfg`. When True, the default,
+sensitive data like access/refresh tokens, client secret and authorization codes
+are redacted from debug output. This allows you to post debug output without
+compromising your account information. Even with debug redaction,
+anything shared publicly should be double-checked for sensitive content. 
+
 7.25.01

 Fixed bug in `gam config timezone <String>` to handle timezone abbreviations correctly;
--- a/src/gam-install.sh
+++ b/src/gam-install.sh
@@ -83,13 +83,8 @@ echo -e '\x1B[0m'

 version_gt()
 {
-# MacOS < 10.13 doesn't support sort -V
-echo "" | sort -V > /dev/null 2>&1
-vsort_failed=$?
 if [ "${1}" = "${2}" ]; then
  true
-elif (( $vsort_failed != 0 )); then
-  false
 else
  test "$(printf '%s\n' "$@" | sort -V | head -n 1)" != "$1"
 fi
--- a/src/gam/init.py
+++ b/src/gam/init.py
@@ -25,7 +25,7 @@ https://github.com/GAM-team/GAM/wiki
 """

 __author__ = 'GAM Team <google-apps-manager@googlegroups.com>'
-__version__ = '7.25.01'
+__version__ = '7.27.01'
 __license__ = 'Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0)'

 #pylint: disable=wrong-import-position
@@ -375,27 +375,22 @@ YUBIKEY_VALUE_ERROR_RC = 85
 YUBIKEY_MULTIPLE_CONNECTED_RC = 86
 YUBIKEY_NOT_FOUND_RC = 87

-def redact_sensitive_google_text(text):
-    replace_patterns = [
+DEBUG_REDACTION_PATTERNS = [
+  # Positional patterns that redact sensitive credentials based on their location
+  (r'(Bearer\s+)\S+', r'\1*****'), # access tokens and JWTs in auth header
+  (r'([?&]refresh_token=)[^&]*', r'\1*****'), # refresh token URL parameter
+  (r'([?&]client_secret=)[^&]*', r'\1*****'), # client secret URL parameter
+  (r'([?&]key=)[^&]*', r'\1*****'), # API key URL parameter
+  (r'([?&]code=)[^&]*', r'\1*****'), # auth code URL parameter

-            # Positional patterns that redact sensitive credentials based on their location
-            (r'(Bearer\s+)\S+', r'\1*****'), # access tokens and JWTs in auth header
-            (r'([?&]refresh_token=)[^&]*', r'\1*****'), # refresh token URL parameter
-            (r'([?&]client_secret=)[^&]*', r'\1*****'), # client secret URL parameter
-            (r'([?&]key=)[^&]*', r'\1*****'), # API key URL parameter
-            (r'([?&]code=)[^&]*', r'\1*****'), # auth code URL parameter
-
-            # pattern match patterns that redact sensitive credentials based on known credential pattern
-            (r'ya29.[0-9A-Za-z-_]+', '*****'), # Access token
-            (r'1%2F%2F[0-9A-Za-z-_]{100}|1%2F%2F[0-9A-Za-z-_]{64}|1%2F%2F[0-9A-Za-z-_]{43}', '*****'), # Refresh token
-            (r'4/[0-9A-Za-z-_]+', '*****'), # Auth code
-            (r'GOCSPX-[0-9a-zA-Z-_]{28}', '*****'), # Client secret
-            (r'AIza[0-9A-Za-z-_]{35}', '*****'), # API key
-            (r'eyJ[a-zA-Z0-9\-_]+\.eyJ[a-zA-Z0-9\-_]+\.[a-zA-Z0-9\-_]*', '*****'), # JWT
-            ]
-    for pattern, replace in replace_patterns:
-      text = re.sub(pattern, replace, text)
-    return text
+  # Pattern match patterns that redact sensitive credentials based on known credential pattern
+  (r'ya29.[0-9A-Za-z-_]+', '*****'), # Access token
+  (r'1%2F%2F[0-9A-Za-z-_]{100}|1%2F%2F[0-9A-Za-z-_]{64}|1%2F%2F[0-9A-Za-z-_]{43}', '*****'), # Refresh token
+  (r'4/[0-9A-Za-z-_]+', '*****'), # Auth code
+  (r'GOCSPX-[0-9a-zA-Z-_]{28}', '*****'), # Client secret
+  (r'AIza[0-9A-Za-z-_]{35}', '*****'), # API key
+  (r'eyJ[a-zA-Z0-9\-_]+\.eyJ[a-zA-Z0-9\-_]+\.[a-zA-Z0-9\-_]*', '*****'), # JWT
+  ]

 def redactable_debug_print(*args):
  processed_args = []
@@ -406,7 +401,8 @@ def redactable_debug_print(*args):
      arg = sbytes.decode()
      arg = arg.replace('\\r\\n', "\n          ")
    if GC.Values[GC.DEBUG_REDACTION]:
-      arg = redact_sensitive_google_text(arg)
+      for pattern, replace in DEBUG_REDACTION_PATTERNS:
+        arg = re.sub(pattern, replace, arg)
    processed_args.append(arg)
  print(*processed_args)

@@ -64923,11 +64919,11 @@ def claimOwnership(users):
    elif myarg == 'onlyusers':
      _, userList = getEntityToModify(defaultEntityType=Cmd.ENTITY_USERS)
      checkOnly = True
-      onlyOwners = set(userList)
+      onlyOwners = {normalizeEmailAddressOrUID(user, noUid=True) for user in userList}
    elif myarg == 'skipusers':
      _, userList = getEntityToModify(defaultEntityType=Cmd.ENTITY_USERS)
      checkSkip = len(userList) > 0
-      skipOwners = set(userList)
+      skipOwners = {normalizeEmailAddressOrUID(user, noUid=True) for user in userList}
    elif myarg == 'subdomains':
      subdomains = getEntityList(Cmd.OB_DOMAIN_NAME_ENTITY)
    elif myarg == 'includetrashed':