Do not truncate client_id by default

```
matchfield attendeesonlydomainlist <DomainNameList>
```

.github/workflows/build.yml

@@ -118,7 +118,7 @@ jobs:
         with:
           path: |
             cache.tar.xz
-          key: gam-${{ matrix.jid }}-20240210
+          key: gam-${{ matrix.jid }}-20240416
 
       - name: Untar Cache archive
         if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit == 'true'

docs/Authorization.md

@@ -7,6 +7,7 @@
 - [Definitions](#definitions)
 - [Manage Projects](#manage-projects)
   - [Authorize a super admin to create projects](#authorize-a-super-admin-to-create-projects)
+  - [Authorize Service Account Key Uploads](#authorize-service-account-key-uploads)
   - [Authorize GAM to create projects](#authorize-gam-to-create-projects)
   - [Create a new GCP project folder](#create-a-new-gcp-project-folder)
   - [Create a new project for GAM authorization](#create-a-new-project-for-gam-authorization)
@@ -116,6 +117,7 @@ Verify whether the super admin you'll be using is in an OU where reauthenticatio
 
 Additional steps may be required if errors are encountered.
 * [Authorize a super admin to create projects](#authorize-a-super-admin-to-create-projects)
+* [Authorize Service Account Key Uploads](#authorize-service-account-key-uploads)
 * [Authorize GAM to create projects](#authorize-gam-to-create-projects)
 
 ## Headless computers and Cloud Shells
@@ -205,6 +207,46 @@ perform these steps and then retry the create project command.
 * Click Project Creator
 * Click Save
 
+## Authorize Service Account Key Uploads
+
+If you try to create a project and get an error saying that Constraint `constraints/iam.disableServiceAccountKeyUpload violated for service account projects/gam-project-xxx`
+perform these steps and then retry the create project command.
+
+* Login as an existing super admin at console.cloud.google.com
+* In the upper left click the three lines to the left of Google Cloud and select IAM & Admin
+* Under IAM & Admin select IAM
+* Click the down arrow in the box to the right of Google Cloud
+* Click the three dots at the right and select IAM/Permissions
+* Now you should be at "Permissions for organization ..."
+* Click on Grant Access
+* Enter the new admin address in Principals
+* Click in the Select a role box
+* Type orgpolicy.policies.update in the Filter box
+* Click Organization Policy Administrator
+* Click Save
+* In the upper left click the three lines to the left of Google Cloud and select IAM & Admin
+* Under IAM & Admin select IAM
+* Click the down arrow in the box to the right of Google Cloud
+* Click the three dots at the right and select Manage Resources
+* Click the three dots and the end of the line for the GAM project just created
+* Click Settings
+* Click Organization Policies in the left column
+* Now you should be at "Policies for Gam Project"
+* Click in the Filter box
+* Enter iam.disableServiceAccountKeyUpload
+* Click the three dots at the end of the Disable Service Account Key Upload
+* Choose Edit policy
+* Click Override parent's policy
+* Click Add A Rule
+* Select Enforcement/Off
+* Click Done
+* Click Set Policy
+
+Do the following to upload the service account key:
+```
+gam update sakey
+```
+
 ## Authorize GAM to create projects
 If you try to create a project and get an error saying "This app has been blocked on your domain for either being
 insecure or non-edutational"; you'll have to mark the GAM Project Creation app as trusted.

docs/Calendars-Events.md

@@ -196,6 +196,7 @@ Client access works when accessing Resource calendars.
 
 <EventMatchProperty> ::=
         (matchfield attendees <EmailAddressEntity>)|
+        (matchfield attendeesonlydomainlist <DomainNameList>)|
         (matchfield attendeesdomainlist <DomainNameList>)|
         (matchfield attendeesnotdomainlist <DomainNameList>)|
         (matchfield attendeespattern <RegularExpression>)|
@@ -218,7 +219,6 @@ Client access works when accessing Resource calendars.
         (event|events <EventIdList> |
         <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVSubkeySelector> | <CSVDataSelector>)
         See: https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Items
-
 <EventSelectEntity> ::=
         (<EventSelectProperty>+ <EventMatchProperty>*)
 
@@ -231,6 +231,7 @@ Client access works when accessing Resource calendars.
         lavender|peacock|sage|tangerine|tomato
 <PropertyKey> ::= <String>
 <PropertyValue> ::= <String>
+<TimeZone> ::= <String>
 
 <EventAttribute> ::=
         (allday <Date>)|
@@ -358,10 +359,12 @@ The Google Calendar API processes `<EventSelectProperty>*`; you may specify none
 
 GAM processes `<EventMatchProperty>*`; you may specify none or multiple properties.
 * `matchfield attendees <EmailAddressEntity>` - All of the attendees in `<EmailAddressEntity>` must be present
+* `matchfield attendeesonlydomainlist <DomainNameList>` - All attendee's email addresses must be in a domain in `<DomainNameList>`
+  * For example, this lets you look for events with all attendees in your internal domains
 * `matchfield attendeesdomainlist <DomainNameList>` - Some attendee's email address must be in a domain in `<DomainNameList>`
   * For example, this lets you look for events with attendees in specific external domains
 * `matchfield attendeesnotdomainlist <DomainNameList>` - Some attendee's email address must be in a domain not in `<DomainNameList>`
-  * For example, this let you look for events with attendees not in your internal domains
+  * For example, this lets you look for events with attendees not in your internal domains
 * `matchfield attendeespattern <RegularExpression>` - Some attendee's email address must match `<RegularExpression>`
 * `matchfield attendeesstatus [<AttendeeAttendance>] [<AttendeeStatus>] <EmailAddressEntity>` - All of the attendees in `<EmailAddressEntity>` must be present
 and must have the specified values.

docs/GamUpdates.md

@@ -10,6 +10,39 @@ Add the `-s` option to the end of the above commands to suppress creating the `g
 
 See [Downloads](https://github.com/taers232c/GAMADV-XTD3/wiki/Downloads) for Windows or other options, including manual installation
 
+### 6.73.00
+
+The Google Chat API has been updated so that chat members can now have their role set to manager.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users-Chat#manage-chat-members
+
+### 6.72.16
+
+Updated `emailaddressList <EmailAddressList>` and `domainlist|notdomainlist <DomainNameList>`
+in `<PermissionMatch>` to perform case-insensitive matches as the API is returning mixed case
+ACL email addresses in some cases.
+
+### 6.75.15
+
+Updated all commands that display tasks to display the due date in GMT as the time portion
+is not supported by the API and converting the due date to local time may display the wrong date.
+
+Renamed license SKU `1010400001` from `Beyond Corp Enterprise` to `Chrome Enterprise Premium`.
+
+### 6.72.14
+
+Upgraded to Python 3.12.3 where possible.
+
+### 6.72.13
+
+Added the following option to `<EventMatchProperty>` that can be used to select
+events based on the domains of the attendees.
+```
+matchfield attendeesonlydomainlist <DomainNameList>
+```
+This returns true if all attendee's email addresses are in a domain in `<DomainNameList>`;
+for example this lets you look for events with attendees only in your internal domains.
+
 ### 6.72.12
 
 Added the following options to `<EventMatchProperty>` that can be used to select

docs/How-to-Upgrade-from-Standard-GAM.md

@@ -334,10 +334,10 @@ writes the credentials into the file oauth2.txt.
 admin@server:/Users/admin/bin/gamadv-xtd3$ rm -f /Users/admin/GAMConfig/oauth2.txt
 admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam version
 WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: /Users/admin/GAMConfig/oauth2.txt, Not Found
-GAMADV-XTD3 6.72.12 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
+GAMADV-XTD3 6.73.00 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
 Ross Scroggs <ross.scroggs@gmail.com>
-Python 3.12.2 64-bit final
-MacOS Sonoma 14.2.1 x86_64
+Python 3.12.3 64-bit final
+MacOS Sonoma 14.4.1 x86_64
 Path: /Users/admin/bin/gamadv-xtd3
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 
@@ -1006,9 +1006,9 @@ writes the credentials into the file oauth2.txt.
 C:\GAMADV-XTD3>del C:\GAMConfig\oauth2.txt
 C:\GAMADV-XTD3>gam version
 WARNING: Config File: C:\GAMConfig\gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: C:\GAMConfig\oauth2.txt, Not Found
-GAMADV-XTD3 6.72.12 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
+GAMADV-XTD3 6.73.00 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
 Ross Scroggs <ross.scroggs@gmail.com>
-Python 3.12.2 64-bit final
+Python 3.12.3 64-bit final
 Windows-10-10.0.17134 AMD64
 Path: C:\GAMADV-XTD3
 Config File: C:\GAMConfig\gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com

docs/Licenses.md

@@ -20,7 +20,7 @@
 |--------------|------------|
 | AppSheet | 101038 |
 | Assured Controls | 101039 |
-| Beyond Corp Enterprise | 101040 |
+| Chrome Enterprise | 101040 |
 | Cloud Identity Free | 101001 |
 | Cloud Identity Premium | 101005 |
 | Cloud Search | 101035 |
@@ -43,7 +43,7 @@
 | AppSheet Enterprise Standard | 1010380002 | appsheetstandard |
 | AppSheet Enterprise Plus | 1010380003 | appsheetplus |
 | Assured Controls | 1010390001 | assuredcontrols |
-| Beyond Corp Enterprise | 1010400001 | bce |
+| Chrome Enterprise Premium | 1010400001 | cep | chromeenterprisepremium |
 | Cloud Identity Free | 1010010001 | cloudidentity |
 | Cloud Identity Premium | 1010050001 | cloudidentitypremium |
 | Cloud Search | 1010350001 | cloudsearch |
@@ -140,7 +140,7 @@
         appsheetstandard | appsheetenterprisestandard | 1010380002 | AppSheet Enterprise Standard |
         appsheetplus | appsheetenterpriseplus | 1010380003 | AppSheet Enterprise Plus |
         assuredcontrols | 1010390001 | Assured Controls |
-        bce | beyondcorp | beyondcorpenterprise | 1010400001 | Beyond Corp Enterprise |
+        bce | beyondcorp | beyondcorpenterprise | cep | chromeenterprisepremium | 1010400001 | Chrome Enterprise Premium |
         cdm | chrome | googlechromedevicemanagement | Google-Chrome-Device-Management |
         cloudidentity | identity | 1010010001 | Cloud Identity |
         cloudidentitypremium | identitypremium | 1010050001 | Cloud Identity Premium |

docs/Users-Calendars-Events.md

@@ -261,6 +261,7 @@
 
 <EventMatchProperty> ::=
         (matchfield attendees <EmailAddressEntity>)|
+        (matchfield attendeesonlydomainlist <DomainNameList>)|
         (matchfield attendeesdomainlist <DomainNameList>)|
         (matchfield attendeesnotdomainlist <DomainNameList>)|
         (matchfield attendeespattern <RegularExpression>)|
@@ -440,10 +441,12 @@ The Google Calendar API processes `<EventSelectProperty>*`; you may specify none
 
 GAM processes `<EventMatchProperty>*`; you may specify none or multiple properties.
 * `matchfield attendees <EmailAddressEntity>` - All of the attendees in `<EmailAddressEntity>` must be present
+* `matchfield attendeesonlydomainlist <DomainNameList>` - All attendee's email addresses must be in a domain in `<DomainNameList>`
+  * For example, this lets you look for events with all attendees in your internal domains
 * `matchfield attendeesdomainlist <DomainNameList>` - Some attendee's email address must be in a domain in `<DomainNameList>`
   * For example, this lets you look for events with attendees in specific external domains
 * `matchfield attendeesnotdomainlist <DomainNameList>` - Some attendee's email address must be in a domain not in `<DomainNameList>`
-  * For example, this let you look for events with attendees not in your internal domains
+  * For example, this lets you look for events with attendees not in your internal domains
 * `matchfield attendeespattern <RegularExpression>` - Some attendee's email address must match `<RegularExpression>`
 * `matchfield attendeesstatus [<AttendeeAttendance>] [<AttendeeStatus>] <EmailAddressEntity>` - All of the attendees in `<EmailAddressEntity>` must be present
 and must have the specified values.

docs/Users-Chat.md

@@ -238,6 +238,20 @@ Delete members by specifying chatmember names.
 gam <UserTypeEntity> remove chatmember members <ChatMemberList>
 ```
 
+### Update members role
+Update members by specifying a chat space, user/group email addresses and role.
+```
+gam <UserTypeEntity> update chatmember <ChatSpace>
+        role member|manager
+        ((user <UserItem>)|(members <UserTypeEntity>))+
+```
+Update members by specifying chatmember names and role.
+```
+gam <UserTypeEntity> modify chatmember
+        role member|manager
+        members <ChatMemberList>
+```
+
 ## Display Chat Members
 ### Display information about a specific chat members
 ```

docs/Users-Tasks.md

@@ -69,6 +69,8 @@ gam <UserTypeEntity> create task <TasklistEntity>
         <TaskAttribute>* [parent <TaskID>] [previous <TaskID>]
         [compact|formatjson|returnidonly]
 ```
+The API only supports all-day tasks; you should specify: `due YYYY-MM-DDT00:00:00Z`.
+
 By default, Gam displays the created task as an indented list of keys and values; the task notes text is displayed as individual lines.
 * `compact` - Display the task notes text with escaped carriage returns as \r and newlines as \n
 * `formatjson` - Display the task in JSON format
@@ -100,6 +102,9 @@ By default, Gam displays the moved task as an indented list of keys and values;
 * `formatjson` - Display the task in JSON format
 
 ## Display Tasks
+All commands that display tasks display the due date in GMT as the time portion
+is not supported by the API and converting the due date to local time may display the wrong date.
+
 ### Display selected tasks
 ```
 gam <UserTypeEntity> info task <TasklistIDTaskIDEntity>
@@ -119,6 +124,13 @@ gam <UserTypeEntity> show tasks [tasklists <TasklistEntity>]
         [orderby completed|due|updated]
         [countsonly|compact|formatjson]
 ```
+The API only supports dates in `duemin` and `duemax' but you must supply a null time:
+* `duemin YYYY-MM-DDT00:00:00Z` - Specify the starting due date
+* `duemax YYYY-MM-DDT00:00:00Z` - Specify one day beyond the ending due date
+
+For example: `duemin 2024-05-01T00:00:00Z duemax 2024-05-02T00:00:00Z` will
+display all tasks on 2024-05-01.
+
 By default, tasks are displayed in hierarchical order.
 * `orderby completed` - Display tasks in completed date order regardless of the hierarchy.
 * `orderby due` - Display tasks in due date order regardless of the hierarchy.
@@ -142,6 +154,13 @@ gam <UserTypeEntity> print tasks [tasklists <TasklistEntity>] [todrive <ToDriveA
         [orderby completed|due|updated]
         [countsonly | (formatjson [quotechar <Character>])]
 ```
+The API only supports dates in `duemin` and `duemax' but you must supply a null time:
+* `duemin YYYY-MM-DDT00:00:00Z` - Specify the starting due date
+* `duemax YYYY-MM-DDT00:00:00Z` - Specify one day beyond the ending due date
+
+For example: `duemin 2024-05-01T00:00:00Z duemax 2024-05-02T00:00:00Z` will
+display all tasks on 2024-05-01.
+
 By default, tasks are displayed in hierarchical order.
 * `orderby completed` - Display tasks in completed date order regardless of the hierarchy.
 * `orderby due` - Display tasks in due date order regardless of the hierarchy.

docs/Using-GAMADV-XTD3-with-a-YubiKey.md

@@ -28,7 +28,7 @@ The YubiKey can be configured with a PIN that must be entered in order for it to
 Yes but in practice this does not work very well with GAMADV-XTD3. The YubiKey will need to be touched every time there is a GAMADV-XTD3 command running which for batch or cron jobs may be constant. GAMADV-XTD3 can use a PIN configured on the YubiKey in order to offer an additional layer of protection.
 
 ### If I use a YubiKey, do I need to rotate the private key regularly?
-No, because the YubiKey generated the private key it cannot be digitally exported from the YubiKey so there is not chance for it to be copied and stolen. Instead you should physically secure the YubiKey from theft.
+No, because the YubiKey generated the private key it cannot be digitally exported from the YubiKey so there is no chance for it to be copied and stolen. Instead you should physically secure the YubiKey from theft.
 
 ### What data does the service account private key have access to?
 When using domain-wide delegation with GAMADV-XTD3, the service account and anyone possessing the service account private key oauth2service.json file has access to the Gmail, Drive and Calendar data of ALL Workspace users in your domain. For this reason, whether using a YubiKey or not, you should take strong measures to protect the service account private key.

docs/Version-and-Help.md

@@ -3,10 +3,10 @@
 Print the current version of Gam with details
 ```
 gam version
-GAMADV-XTD3 6.72.11 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
+GAMADV-XTD3 6.73.00 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
 Ross Scroggs <ross.scroggs@gmail.com>
-Python 3.12.2 64-bit final
-MacOS Sonoma 14.2.1 x86_64
+Python 3.12.3 64-bit final
+MacOS Sonoma 14.4.1 x86_64
 Path: /Users/Admin/bin/gamadv-xtd3
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Time: 2023-06-02T21:10:00-07:00
@@ -15,10 +15,10 @@ Time: 2023-06-02T21:10:00-07:00
 Print the current version of Gam with details and time offset information
 ```
 gam version timeoffset
-GAMADV-XTD3 6.72.11 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
+GAMADV-XTD3 6.73.00 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
 Ross Scroggs <ross.scroggs@gmail.com>
-Python 3.12.2 64-bit final
-MacOS Sonoma 14.2.1 x86_64
+Python 3.12.3 64-bit final
+MacOS Sonoma 14.4.1 x86_64
 Path: /Users/Admin/bin/gamadv-xtd3
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Your system time differs from www.googleapis.com by less than 1 second
@@ -27,17 +27,17 @@ Your system time differs from www.googleapis.com by less than 1 second
 Print the current version of Gam with extended details and SSL information
 ```
 gam version extended
-GAMADV-XTD3 6.72.11 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
+GAMADV-XTD3 6.73.00 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
 Ross Scroggs <ross.scroggs@gmail.com>
-Python 3.12.2 64-bit final
-MacOS Sonoma 14.2.1 x86_64
+Python 3.12.3 64-bit final
+MacOS Sonoma 14.4.1 x86_64
 Path: /Users/Admin/bin/gamadv-xtd3
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Time: 2023-06-02T21:10:00-07:00
 Your system time differs from admin.googleapis.com by less than 1 second
 OpenSSL 3.1.1 30 May 2023
 cryptography 41.0.1
-filelock 3.12.2
+filelock 3.12.3
 google-api-python-client 2.88.0
 google-auth-httplib2 0.1.0
 google-auth-oauthlib 1.0.0
@@ -64,7 +64,7 @@ MacOS High Sierra 10.13.6 x86_64
 Path: /Users/Admin/bin/gamadv-xtd3
 Version Check:
   Current: 5.35.08
-   Latest: 6.72.11
+   Latest: 6.73.00
 echo $?
 1
 ```
@@ -72,7 +72,7 @@ echo $?
 Print the current version number without details
 ```
 gam version simple
-6.72.11
+6.73.00
 ```
 In Linux/MacOS you can do:
 ```
@@ -82,10 +82,10 @@ echo $VER
 Print the current version of Gam and address of this Wiki
 ```
 gam help
-GAM 6.72.11 - https://github.com/taers232c/GAMADV-XTD3
+GAM 6.73.00 - https://github.com/taers232c/GAMADV-XTD3
 Ross Scroggs <ross.scroggs@gmail.com>
-Python 3.12.2 64-bit final
-MacOS Sonoma 14.2.1 x86_64
+Python 3.12.3 64-bit final
+MacOS Sonoma 14.4.1 x86_64
 Path: /Users/Admin/bin/gamadv-xtd3
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Time: 2023-06-02T21:10:00-07:00

src/GamCommands.txt

@@ -263,7 +263,7 @@ If an item contains spaces, it should be surrounded by ".
         appsheetstandard | appsheetenterprisestandard | 1010380002 | AppSheet Enterprise Standard |
         appsheetplus | appsheetenterpriseplus | 1010380003 | AppSheet Enterprise Plus |
         assuredcontrols | 1010390001 | Assured Controls |
-        bce | beyondcorp | beyondcorpenterprise | 1010400001 | Beyond Corp Enterprise |
+        bce | beyondcorp | beyondcorpenterprise | cep | chromeenterprisepremium | 1010400001 | Chrome Enterprise Premium |
         cdm | chrome | googlechromedevicemanagement | Google-Chrome-Device-Management |
         cloudidentity | identity | 1010010001 | Cloud Identity |
         cloudidentitypremium | identitypremium | 1010050001 | Cloud Identity Premium |
@@ -1597,6 +1597,7 @@ gam calendar <CalendarEntity> printacl [todrive <ToDriveAttribute>*]
 
 <EventMatchProperty> ::=
         (matchfield attendees <EmailAddressEntity>)|
+        (matchfield attendeesonlydomainlist <DomainNameList>)|
         (matchfield attendeesdomainlist <DomainNameList>)|
         (matchfield attendeesnotdomainlist <DomainNameList>)|
         (matchfield attendeespattern <RegularExpression>)|
@@ -5979,6 +5980,12 @@ gam <UserTypeEntity> delete chatmember <ChatSpace>
         ((user <UserItem>)|(members <UserTypeEntity>)|
          (group <GroupItem>)|(groups <GroupEntity>))+
 gam <UserTypeEntity> remove chatmember members <ChatMemberList>
+gam <UserTypeEntity> update chatmember <ChatSpace>
+        role member|manager
+        ((user <UserItem>)|(members <UserTypeEntity>))+
+gam <UserTypeEntity> modify chatmember
+        role member|manager
+        members <ChatMemberList>
 
 gam <UserTypeEntity> info chatmember members <ChatMemberList>
         [formatjson]

src/GamUpdate.txt

@@ -2,6 +2,39 @@
 
 Merged GAM-Team version
 
+6.73.00
+
+The Google Chat API has been updated so that chat members can now have their role set to manager.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users-Chat#manage-chat-members
+
+6.72.16
+
+Updated `emailaddressList <EmailAddressList>` and `domainlist|notdomainlist <DomainNameList>`
+in `<PermissionMatch>` to perform case-insensitive matches as the API is returning mixed case
+ACL email addresses in some cases.
+
+6.72.15
+
+Updated all commands that display tasks to display the due date in GMT as the time portion
+is not supported by the API and converting the due date to local time may display the wrong date.
+
+Renamed license SKU `1010400001` from `Beyond Corp Enterprise` to `Chrome Enterprise Premium`.
+
+6.72.14
+
+Upgraded to Python 3.12.3 where possible.
+
+6.72.13
+
+Added the following option to `<EventMatchProperty>` that can be used to select
+events based on the domains of the attendees.
+```
+matchfield attendeesonlydomainlist <DomainNameList>
+```
+This returns true if all attendee's email addresses are in a domain in `<DomainNameList>`;
+for example this lets you look for events with attendees only in your internal domains.
+
 6.72.12
 
 Added the following options to `<EventMatchProperty>` that can be used to select

src/gam/__init__.py

@@ -4194,6 +4194,7 @@ def SetGlobalVariables():
 # Set environment variables so GData API can find cacerts.pem
     os.environ['REQUESTS_CA_BUNDLE'] = GC.Values[GC.CACERTS_PEM]
     os.environ['DEFAULT_CA_BUNDLE_PATH'] = GC.Values[GC.CACERTS_PEM]
+    os.environ['HTTPLIB2_CA_CERTS'] = GC.Values[GC.CACERTS_PEM]
     os.environ['SSL_CERT_FILE'] = GC.Values[GC.CACERTS_PEM]
     httplib2.CA_CERTS = GC.Values[GC.CACERTS_PEM]
 # Needs to be set so oauthlib doesn't puke when Google changes our scopes
@@ -4445,6 +4446,9 @@ def getOauth2TxtCredentials(exitOnError=True, api=None, noDASA=False, refreshOnl
         else:
           GM.Globals[GM.CREDENTIALS_SCOPES] = set(jsonDict.pop('scopes', API.REQUIRED_SCOPES))
         token_expiry = jsonDict.get('token_expiry', REFRESH_EXPIRY)
+        if GC.Values[GC.TRUNCATE_CLIENT_ID]:
+          # chop off .apps.googleusercontent.com suffix as it's not needed and we need to keep things short for the Auth URL.
+          jsonDict['client_id'] = re.sub(r'\.apps\.googleusercontent\.com$', '', jsonDict['client_id'])
         creds = google.oauth2.credentials.Credentials.from_authorized_user_info(jsonDict)
         if 'id_token_jwt' not in jsonDict:
           creds.token = jsonDict['token']
@@ -10392,9 +10396,7 @@ def getOAuthClientIDAndSecret():
     cs_json = json.loads(cs_data)
     if not cs_json:
       systemErrorExit(CLIENT_SECRETS_JSON_REQUIRED_RC, Msg.NO_CLIENT_ACCESS_CREATE_UPDATE_ALLOWED)
-    # chop off .apps.googleusercontent.com suffix as it's not needed and we need to keep things short for the Auth URL.
-    return (re.sub(r'\.apps\.googleusercontent\.com$', '', cs_json['installed']['client_id']),
-            cs_json['installed']['client_secret'])
+    return (cs_json['installed']['client_id'], cs_json['installed']['client_secret'])
   except (IndexError, KeyError, SyntaxError, TypeError, ValueError) as e:
     invalidClientSecretsJsonExit(str(e))
 
@@ -25511,7 +25513,7 @@ def createChatMember(users):
           member = callGAPI(chat.spaces().members(), 'patch',
                             bailOnInternalError=True,
                             throwReasons=[GAPI.NOT_FOUND, GAPI.INVALID_ARGUMENT, GAPI.PERMISSION_DENIED, GAPI.INTERNAL_ERROR],
-                            name=name, updateMask='role', body={'role': role})
+                            name=member['name'], updateMask='role', body={'role': role})
         if not returnIdOnly:
           kvList[-1] = member['name']
           _getChatMemberEmail(cd, member)
@@ -36164,6 +36166,7 @@ LIST_EVENTS_SELECT_PROPERTIES = {
 
 LIST_EVENTS_MATCH_FIELDS = {
   'attendees': ['attendees', 'email'],
+  'attendeesonlydomainlist': ['attendees', 'onlydomainlist'],
   'attendeesdomainlist': ['attendees', 'domainlist'],
   'attendeesnotdomainlist': ['attendees', 'notdomainlist'],
   'attendeespattern': ['attendees', 'match'],
@@ -36237,7 +36240,7 @@ def getCalendarEventEntity():
         calendarEventEntity['matches'].append((matchField, getBoolean()))
       elif matchField[0] != 'attendees' or matchField[1] == 'match':
         calendarEventEntity['matches'].append((matchField, getREPattern(re.IGNORECASE)))
-      elif matchField[0] == 'attendees' and matchField[1] in {'domainlist', 'notdomainlist'}:
+      elif matchField[0] == 'attendees' and matchField[1] in {'onlydomainlist', 'domainlist', 'notdomainlist'}:
         calendarEventEntity['matches'].append((matchField, set(getString(Cmd.OB_DOMAIN_NAME_LIST).replace(',', ' ').split())))
       elif matchField[1] == 'email':
         calendarEventEntity['matches'].append((matchField, getNormalizedEmailAddressEntity()))
@@ -36513,6 +36516,12 @@ def _eventMatches(event, match):
       if match[1].search(attendee) is not None:
         return True
     return False
+  if match[0][1] == 'onlydomainlist':
+    for attendee in attendees:
+      _, domain = attendee.lower().split('@', 1)
+      if domain not in match[1]:
+        return False
+    return True
   if match[0][1] == 'domainlist':
     for attendee in attendees:
       _, domain = attendee.lower().split('@', 1)
@@ -52950,7 +52959,7 @@ class PermissionMatch():
         body['emailAddress'] = getREPattern(re.IGNORECASE)
         self.permissionFields.add('emailAddress')
       elif myarg == 'emailaddresslist':
-        body[myarg] = set(getString(Cmd.OB_EMAIL_ADDRESS_LIST).replace(',', ' ').split())
+        body[myarg] = set(getString(Cmd.OB_EMAIL_ADDRESS_LIST).replace(',', ' ').lower().split())
         self.permissionFields.add('emailAddress')
       elif myarg == 'permissionidlist':
         body[myarg] = set(getString(Cmd.OB_PERMISSION_ID_LIST).replace(',', ' ').split())
@@ -52960,7 +52969,7 @@ class PermissionMatch():
         self.permissionFields.add('domain')
         self.permissionFields.add('emailAddress')
       elif myarg in {'domainlist', 'notdomainlist'}:
-        body[myarg] = set(getString(Cmd.OB_DOMAIN_NAME_LIST).replace(',', ' ').split())
+        body[myarg] = set(getString(Cmd.OB_DOMAIN_NAME_LIST).replace(',', ' ').lower().split())
         self.permissionFields.add('domain')
         self.permissionFields.add('emailAddress')
       elif myarg == 'withlink':
@@ -53067,7 +53076,7 @@ class PermissionMatch():
       elif field == 'emailaddresslist':
         emailAddress = permission.get('emailAddress')
         if emailAddress:
-          if emailAddress not in value:
+          if emailAddress.lower() not in value:
             break
         else:
           break
@@ -53083,9 +53092,9 @@ class PermissionMatch():
           break
       else:
         if 'domain' in permission:
-          domain = permission['domain']
+          domain = permission['domain'].lower()
         elif 'emailAddress' in permission and permission['emailAddress']:
-          _, domain = splitEmailAddress(permission['emailAddress'])
+          _, domain = splitEmailAddress(permission['emailAddress'].lower())
         else:
           break
         if ((field == 'domain' and not value.match(domain)) or
@@ -71782,7 +71791,7 @@ def getTaskListIDfromTitle(svc, userTasklists, title, user, i, count):
   return userTasklists, None
 
 TASK_SKIP_OBJECTS = ['selfLink']
-TASK_TIME_OBJECTS = ['due', 'completed', 'updated']
+TASK_TIME_OBJECTS = ['completed', 'updated']
 
 def _showTask(tasklist, task, j=0, jcount=0, FJQC=None, compact=False):
   task['tasklistId'] = tasklist

src/gam/gamlib/glcfg.py

@@ -288,6 +288,8 @@ TODRIVE_TIMEZONE = 'todrive_timezone'
 TODRIVE_UPLOAD_NODATA = 'todrive_upload_nodata'
 # User for todrive files
 TODRIVE_USER = 'todrive_user'
+# Truncate Client ID
+TRUNCATE_CLIENT_ID  = 'truncate_client_id'
 # Update CrOS org unit with orgUnitId
 UPDATE_CROS_OU_WITH_ID = 'update_cros_ou_with_id'
 # Use course owner for course access
@@ -430,6 +432,7 @@ Defaults = {
   TODRIVE_TIMEZONE: '',
   TODRIVE_UPLOAD_NODATA: TRUE,
   TODRIVE_USER: '',
+  TRUNCATE_CLIENT_ID: FALSE,
   UPDATE_CROS_OU_WITH_ID: FALSE,
   USE_COURSE_OWNER_ACCESS: FALSE,
   USE_PROJECTID_AS_NAME: FALSE,
@@ -590,6 +593,7 @@ VAR_INFO = {
   TODRIVE_TIMEZONE: {VAR_TYPE: TYPE_STRING, VAR_LIMITS: (0, None)},
   TODRIVE_UPLOAD_NODATA: {VAR_TYPE: TYPE_BOOLEAN},
   TODRIVE_USER: {VAR_TYPE: TYPE_STRING, VAR_LIMITS: (0, None)},
+  TRUNCATE_CLIENT_ID: {VAR_TYPE: TYPE_BOOLEAN},
   UPDATE_CROS_OU_WITH_ID: {VAR_TYPE: TYPE_BOOLEAN},
   USE_COURSE_OWNER_ACCESS: {VAR_TYPE: TYPE_BOOLEAN},
   USE_PROJECTID_AS_NAME: {VAR_TYPE: TYPE_BOOLEAN},

src/gam/gamlib/glskus.py

@@ -32,7 +32,7 @@ _PRODUCTS = {
   '101037': 'Google Workspace for Education',
   '101038': 'AppSheet',
   '101039': 'Assured Controls',
-  '101040': 'Beyond Corp Enterprise',
+  '101040': 'Chrome Enterprise',
   '101043': 'Google Workspace Additional Storage',
   '101047': 'Gemini',
   '101049': 'Education Endpoint Management',
@@ -83,7 +83,7 @@ _SKUS = {
   '1010390001': {
     'product': '101039', 'aliases': ['assuredcontrols'], 'displayName': 'Assured Controls'},
   '1010400001': {
-    'product': '101040', 'aliases': ['beyondcorp', 'beyondcorpenterprise', 'bce'], 'displayName': 'Beyond Corp Enterprise'},
+    'product': '101040', 'aliases': ['beyondcorp', 'beyondcorpenterprise', 'bce', 'cep', 'chromeenterprisepremium'], 'displayName': 'Chrome Enterprise Premium'},
   '1010430001': {
     'product': '101043', 'aliases': ['gwas', 'plusstorage'], 'displayName': 'Google Workspace Additional Storage'},
   '1010470001': {