Merge branch 'main' of https://github.com/gam-team/gam

docs/Authorization.md

@@ -163,12 +163,11 @@ as required by Google for headless computers/cloud shells; this is required as o
 ```
 ## Manage Projects
 In all of the project commands, the Google Workspace admin/GCP project manager `<EmailAddress>` can be omitted; you will be prompted for a value.
-You must enter a full address, i.e., user@domain.com; you will be required to enter the password.
+You must enter a full address, i.e., user@domain.com; you will be required to authenticate.
 
-For `print|show projects`, you can eliminate the password requirement by enabling the following scope in `gam update serviceaccount`;
-GAM will then use Service Account access to display projects.
+For `print|show projects`, you can eliminate the password prompt and authentication requirement by specifying the super admin emailaddress used in `gam oauth create`.
 ```
-[*]  9)  Cloud Resource Manager API v3
+gam print projects admin admin@domain.com
 ```
 
 ## Authorize a super admin to create projects

docs/GamUpdates.md

@@ -10,6 +10,13 @@ Add the `-s` option to the end of the above commands to suppress creating the `g
 
 See [Downloads-Installs-GAM7](https://github.com/GAM-team/GAM/wiki/Downloads-Installs) for Windows or other options, including manual installation
 
+### 7.00.26
+
+Updated `drive_dir` in `gam.cfg` to allow the value `.` that causes `redirect csv|stdout|stderr <FileName>`
+to write `<FileName>` in the current directory without having to prefix `<FileName>` with `./`.
+
+Upgraded to OpenSSL 3.4.0 where possible.
+
 ### 7.00.25
 
 Updated authentication process for `gam print|show projects`.

docs/How-to-Upgrade-Legacy-GAM-to-GAM7.md

@@ -251,7 +251,7 @@ writes the credentials into the file oauth2.txt.
 admin@server:/Users/admin$ rm -f /Users/admin/GAMConfig/oauth2.txt
 admin@server:/Users/admin$ gam version
 WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: /Users/admin/GAMConfig/oauth2.txt, Not Found
-GAM 7.00.25 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.00.26 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.0 64-bit final
 MacOS Sonoma 14.5 x86_64
@@ -923,7 +923,7 @@ writes the credentials into the file oauth2.txt.
 C:\>del C:\GAMConfig\oauth2.txt
 C:\>gam version
 WARNING: Config File: C:\GAMConfig\gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: C:\GAMConfig\oauth2.txt, Not Found
-GAM7 7.00.25 - https://github.com/GAM-team/GAM - pythonsource
+GAM7 7.00.26 - https://github.com/GAM-team/GAM - pythonsource
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.0 64-bit final
 Windows-10-10.0.17134 AMD64

docs/Version-and-Help.md

@@ -3,7 +3,7 @@
 Print the current version of Gam with details
 ```
 gam version
-GAM 7.00.25 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.00.26 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.0 64-bit final
 MacOS Sonoma 14.5 x86_64
@@ -15,7 +15,7 @@ Time: 2023-06-02T21:10:00-07:00
 Print the current version of Gam with details and time offset information
 ```
 gam version timeoffset
-GAM 7.00.25 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.00.26 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.0 64-bit final
 MacOS Sonoma 14.5 x86_64
@@ -27,7 +27,7 @@ Your system time differs from www.googleapis.com by less than 1 second
 Print the current version of Gam with extended details and SSL information
 ```
 gam version extended
-GAM 7.00.25 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.00.26 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.0 64-bit final
 MacOS Sonoma 14.5 x86_64
@@ -35,17 +35,17 @@ Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Time: 2023-06-02T21:10:00-07:00
 Your system time differs from admin.googleapis.com by less than 1 second
-OpenSSL 3.1.1 30 May 2023
-cryptography 41.0.1
-filelock 3.13.0
-google-api-python-client 2.88.0
-google-auth-httplib2 0.1.0
-google-auth-oauthlib 1.0.0
-google-auth 2.19.1
+OpenSSL 3.4.0 22 Oct Sep 2024
+cryptography 43.0.3
+filelock 3.16.1
+google-api-python-client 2.149.0
+google-auth-httplib2 0.2.0
+google-auth-oauthlib 1.2.1
+google-auth 2.35.0
 httplib2 0.22.0
 passlib 1.7.4
-python-dateutil 2.8.2
-yubikey-manager 5.1.1
+python-dateutil 2.9.0.post0
+yubikey-manager 5.5.1
 admin.googleapis.com connects using TLSv1.3 TLS_AES_256_GCM_SHA384
 ```
 
@@ -64,7 +64,7 @@ MacOS High Sierra 10.13.6 x86_64
 Path: /Users/Admin/bin/gam7
 Version Check:
   Current: 5.35.08
-   Latest: 7.00.25
+   Latest: 7.00.26
 echo $?
 1
 ```
@@ -72,7 +72,7 @@ echo $?
 Print the current version number without details
 ```
 gam version simple
-7.00.25
+7.00.26
 ```
 In Linux/MacOS you can do:
 ```
@@ -82,7 +82,7 @@ echo $VER
 Print the current version of Gam and address of this Wiki
 ```
 gam help
-GAM 7.00.25 - https://github.com/GAM-team/GAM
+GAM 7.00.26 - https://github.com/GAM-team/GAM
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.0 64-bit final
 MacOS Sonoma 14.5 x86_64

src/GamUpdate.txt

@@ -1,3 +1,12 @@
+7.00.26
+
+Updated `drive_dir` in `gam.cfg` to allow the value `.` that causes `redirect csv|stdout|stderr <FileName>`
+to write `<FileName>` in the current directory without having to prefix `<FileName>` with `./`.
+
+7.00.25
+
+Updated authentication process for `gam print|show projects`.
+
 7.00.24
 
 Updated `gam print|show projects ... showiampolicies 0|1|3` to use non-service account authentication.

src/gam/__init__.py

@@ -25,7 +25,7 @@ https://github.com/GAM-team/GAM/wiki
 """
 
 __author__ = 'GAM Team <google-apps-manager@googlegroups.com>'
-__version__ = '7.00.25'
+__version__ = '7.00.26'
 __license__ = 'Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0)'
 
 #pylint: disable=wrong-import-position
@@ -3671,7 +3671,7 @@ def SetGlobalVariables():
     dirPath = os.path.expanduser(_stripStringQuotes(GM.Globals[GM.PARSER].get(sectionName, itemName)))
     if (not dirPath) and (itemName in {GC.GMAIL_CSE_INCERT_DIR, GC.GMAIL_CSE_INKEY_DIR}):
       return dirPath
-    if (not dirPath) or (not os.path.isabs(dirPath)):
+    if (not dirPath) or (not os.path.isabs(dirPath) and dirPath != '.'):
       if (sectionName != configparser.DEFAULTSECT) and (GM.Globals[GM.PARSER].has_option(sectionName, itemName)):
         dirPath = os.path.join(os.path.expanduser(_stripStringQuotes(GM.Globals[GM.PARSER].get(configparser.DEFAULTSECT, itemName))), dirPath)
       if not os.path.isabs(dirPath):
@@ -35082,6 +35082,104 @@ def updateFieldsForCIGroupMatchPatterns(matchPatterns, fieldsList, csvPF=None):
       else:
         fieldsList.append(field)
 
+# gam show policies (query <String>) [nowarnings]
+# gam print policies [todrive <ToDriveAttribute>*]
+#   (query <String>) [nowarnings]
+def doPrintCIPolicy():
+
+  def _showPolicy(policy, FJQC, i=0, count=0):
+    if FJQC is not None and FJQC.formatJSON:
+      printLine(json.dumps(policy,
+                           ensure_ascii=False,
+                           sort_keys=True))
+      return
+    printEntity([Ent.POLICY, policy['name']], i, count)
+    Ind.Increment()
+    policy.pop('name')
+    showJSON(None, policy)
+    printBlankLine()
+    Ind.Decrement()
+
+  def _printPolicy(policy):
+    row = flattenJSON(policy)
+    if not FJQC.formatJSON:
+      csvPF.WriteRowTitles(row)
+    elif csvPF.CheckRowTitles(row):
+      csvPF.WriteRowNoFilter({'name': policy['name'],
+                              'JSON': json.dumps(cleanJSON(policy),
+                                                 ensure_ascii=False,
+                                                 sort_keys=True)})
+
+  # Policies where GAM should offer additional guidance and information
+  warnings = {
+          'settings/drive_and_docs.external_sharing': {
+              'warningType': 'SUPERSEDED_POLICY',
+              'warningMessage': 'CAUTION: Drive Sharing settings are superseded by Drive Trust Rules if Trust Rules has been enabled for your domain. Drive Trust Rule settings are not available in the Policy API today so GAM is not able to check if Trust Rules is enabled and if the settings/drive_and_docs.external_sharing policies are actually in effect for your domain. If Drive Trust Rules is enabled for your domain then this settings/drive_and_docs.external_sharing policy does not accurately reflect your current Drive sharing settings.'
+              }
+          }
+  groups_ci = buildGAPIObject(API.CLOUDIDENTITY_GROUPS)
+  ci = buildGAPIObject(API.CLOUDIDENTITY_POLICY)
+  cd = buildGAPIObject(API.DIRECTORY)
+  csvPF = CSVPrintFile(['name']) if Act.csvFormat() else None
+  FJQC = FormatJSONQuoteChar(csvPF)
+  fields = 'nextPageToken,policies(name,policyQuery(group,orgUnit,sortOrder),type,setting)'
+  ifilter = None
+  add_warnings = True
+  while Cmd.ArgumentsRemaining():
+    myarg = getArgument()
+    if csvPF and myarg == 'todrive':
+      csvPF.GetTodriveParameters()
+    elif myarg == 'filter':
+      ifilter = getString(Cmd.OB_STRING)
+    elif myarg == 'nowarnings':
+      add_warnings = False
+    else:
+      unknownArgumentExit()
+  printGettingAllAccountEntities(Ent.POLICY, ifilter)
+  pageMessage = getPageMessage()
+  throwReasons = [GAPI.INVALID, GAPI.INVALID_ARGUMENT, GAPI.PERMISSION_DENIED]
+  try:
+    policies = callGAPIpages(ci.policies(),
+                             'list',
+                             'policies',
+                             throwReasons=throwReasons,
+                             pageMessage=pageMessage,
+                             filter=ifilter,
+                             fields=fields,
+                             pageSize=100)
+  except (GAPI.invalid, GAPI.invalidArgument, GAPI.permissionDenied) as e:
+    entityActionFailedWarning([Ent.POLICY, None], str(e))
+    return
+  # Google returns unordered results, sort them by setting type
+  policies = sorted(policies, key=lambda p: p.get('setting', {}).get('type', ''))
+  for policy in policies:
+    # convert any wordlists into spaced strings to reduce output complexity
+    if policy['setting']['type'] == 'settings/detector.word_list':
+      policy['setting']['value']['wordList'] = ' '.join(policy['setting']['value']['wordList']['words'])
+    # add any warnings to applicable policies
+    if add_warnings and policy['setting']['type'] in warnings:
+      policy['warning'] = warnings[policy['setting']['type']]
+    if groupId := policy['policyQuery'].get('group'):
+      _, _, policy['policyQuery']['groupEmail'] = convertGroupCloudIDToEmail(groups_ci, groupId)
+      # all groups are in the root OU so the orgUnit attribute is useless
+      policy['policyQuery'].pop('orgUnit')
+    elif orgId := policy['policyQuery'].get('orgUnit'):
+      policy['policyQuery']['orgUnitPath'] = convertOrgUnitIDtoPath(cd, orgId)
+  if not csvPF:
+    jcount = len(policies)
+    performActionNumItems(jcount, Ent.POLICY)
+    Ind.Increment()
+    j = 0
+    for policy in policies:
+      j += 1
+      _showPolicy(policy, FJQC, j, jcount)
+    Ind.Decrement()
+  else:
+    for policy in policies:
+      _printPolicy(policy)
+  if csvPF:
+    csvPF.writeCSVfile('Policies')
+
 PRINT_CIGROUPS_JSON_TITLES = ['email', 'JSON']
 
 # gam print cigroups [todrive <ToDriveAttribute>*]
@@ -75091,6 +75189,7 @@ MAIN_COMMANDS_WITH_OBJECTS = {
       Cmd.ARG_CHROMEVERSIONS:	doPrintShowChromeVersions,
       Cmd.ARG_CIGROUP:		doPrintCIGroups,
       Cmd.ARG_CIGROUPMEMBERS:	doPrintCIGroupMembers,
+      Cmd.ARG_CIPOLICY: doPrintCIPolicy,
       Cmd.ARG_CLASSROOMINVITATION:	doPrintShowClassroomInvitations,
       Cmd.ARG_CONTACT:		doPrintShowDomainContacts,
       Cmd.ARG_COURSE:		doPrintCourses,
@@ -75130,6 +75229,7 @@ MAIN_COMMANDS_WITH_OBJECTS = {
       Cmd.ARG_OWNERSHIP:	doPrintShowOwnership,
       Cmd.ARG_PEOPLECONTACT:	doPrintShowDomainPeopleContacts,
       Cmd.ARG_PEOPLEPROFILE:	doPrintShowDomainPeopleProfiles,
+      Cmd.ARG_CIPOLICY: doPrintCIPolicy,
       Cmd.ARG_PRINTER:		doPrintShowPrinters,
       Cmd.ARG_PRINTERMODEL:	doPrintShowPrinterModels,
       Cmd.ARG_PRIVILEGES:	doPrintShowPrivileges,
@@ -75219,6 +75319,7 @@ MAIN_COMMANDS_WITH_OBJECTS = {
       Cmd.ARG_CHROMESCHEMA:	doPrintShowChromeSchemas,
       Cmd.ARG_CHROMEVERSIONS:	doPrintShowChromeVersions,
       Cmd.ARG_CIGROUPMEMBERS:	doShowCIGroupMembers,
+      Cmd.ARG_CIPOLICY: doPrintCIPolicy,
       Cmd.ARG_CLASSROOMINVITATION:	doPrintShowClassroomInvitations,
       Cmd.ARG_CONTACT:		doPrintShowDomainContacts,
       Cmd.ARG_CROSTELEMETRY:	doInfoPrintShowCrOSTelemetry,

src/gam/gamlib/glapi.py

@@ -45,11 +45,11 @@ CLOUDCHANNEL = 'cloudchannel'
 CLOUDIDENTITY_DEVICES = 'cloudidentitydevices'
 CLOUDIDENTITY_GROUPS = 'cloudidentitygroups'
 CLOUDIDENTITY_INBOUND_SSO = 'cloudidentityinboundsso'
+CLOUDIDENTITY_POLICY = 'cloudidentitypolicy'
 CLOUDIDENTITY_ORGUNITS = 'cloudidentityorgunits'
 CLOUDIDENTITY_ORGUNITS_BETA = 'cloudidentityorgunitsbeta'
 CLOUDIDENTITY_USERINVITATIONS = 'cloudidentityuserinvitations'
 CLOUDRESOURCEMANAGER = 'cloudresourcemanager'
-CLOUDRESOURCEMANAGER_V1 = 'cloudresourcemanager1'
 CONTACTS = 'contacts'
 CONTACTDELEGATION = 'contactdelegation'
 DATATRANSFER = 'datatransfer'
@@ -225,6 +225,7 @@ _INFO = {
   CLOUDIDENTITY_DEVICES: {'name': 'Cloud Identity Devices API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
   CLOUDIDENTITY_GROUPS: {'name': 'Cloud Identity Groups API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
   CLOUDIDENTITY_INBOUND_SSO: {'name': 'Cloud Identity Inbound SSO API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
+  CLOUDIDENTITY_POLICY: {'name': 'Cloud Identity Policy API', 'version': 'v1beta1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
   CLOUDIDENTITY_ORGUNITS: {'name': 'Cloud Identity OrgUnits API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
   CLOUDIDENTITY_ORGUNITS_BETA: {'name': 'Cloud Identity OrgUnits API', 'version': 'v1beta1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
   CLOUDIDENTITY_USERINVITATIONS: {'name': 'Cloud Identity User Invitations API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
@@ -361,6 +362,11 @@ _CLIENT_SCOPES = [
    'api': CLOUDIDENTITY_INBOUND_SSO,
    'subscopes': READONLY,
    'scope': 'https://www.googleapis.com/auth/cloud-identity.inboundsso'},
+  {'name': 'Cloud Identity - Policy',
+   'api': CLOUDIDENTITY_POLICY,
+   'subscopes': [],
+   'scope': 'https://www.googleapis.com/auth/cloud-identity.policies.readonly'
+  },
   {'name': 'Cloud Identity OrgUnits API',
    'api': CLOUDIDENTITY_ORGUNITS_BETA,
    'subscopes': READONLY,

src/gam/gamlib/glclargs.py

@@ -493,6 +493,7 @@ class GamCLArgs():
   ARG_CIGROUPSMEMBERS = 'cigroupsmembers'
   ARG_CIMEMBER = 'cimember'
   ARG_CIMEMBERS = 'cimembers'
+  ARG_CIPOLICY = 'policies'
   ARG_CLASS = 'class'
   ARG_CLASSES = 'classes'
   ARG_CLASSPARTICIPANTS = 'classparticipants'

src/gam/gamlib/glentity.py

@@ -302,6 +302,7 @@ class GamEntity():
   PERMITTEE = 'prmt'
   PERSONAL_DEVICE = 'pedv'
   PHOTO = 'phot'
+  POLICY = 'poli'
   POP_ENABLED = 'popa'
   PRESENTATION = 'pres'
   PRINTER = 'prin'
@@ -653,6 +654,7 @@ class GamEntity():
     PERMITTEE: ['Permittees', 'Permittee'],
     PERSONAL_DEVICE: ['Personal Devices', 'Personal Device'],
     PHOTO: ['Photos', 'Photo'],
+    POLICY: ['Policies', 'Policy'],
     POP_ENABLED: ['POP Enabled', 'POP Enabled'],
     PRESENTATION: ['Presentations', 'Presentation'],
     PRINTER: ['Printers', 'Printer'],