Updated gam create vaultexport to include corpus gemini.

ERROR: 400 - invalidArgument - Service account gam-project-a1b2c@gam-project-a1b2c.iam.gserviceaccount.com does not exist.

.github/workflows/build.yml

@@ -17,7 +17,7 @@ defaults:
     working-directory: src
 
 env:
-  SCRATCH_COUNTER: 7
+  SCRATCH_COUNTER: 9
   OPENSSL_CONFIG_OPTS: no-fips --api=3.0.0
   OPENSSL_INSTALL_PATH: ${{ github.workspace }}/bin/ssl
   OPENSSL_SOURCE_PATH: ${{ github.workspace }}/src/openssl
@@ -129,7 +129,7 @@ jobs:
         with:
           path: |
             cache.tar.xz
-          key: gam-${{ matrix.jid }}-20250116
+          key: gam-${{ matrix.jid }}-20250204
 
       - name: Untar Cache archive
         if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit == 'true'

.github/workflows/pypi.yml

@@ -0,0 +1,32 @@
+name: build and publish releases to PyPi
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+'
+
+jobs:
+  pypi:
+    name: Upload release to PyPI
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/gam7
+    permissions:
+      id-token: write
+    steps:
+
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - name: Install required packages to publish
+        run: |
+          python3 -m pip install --upgrade build
+
+      - name: Build packages
+        run: |
+          python -m build
+
+      - name: Publish package distributions to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1

pyproject.toml

@@ -0,0 +1,42 @@
+[project]
+name = "gam7"
+dynamic = [
+    "dependencies",
+    "version",
+]
+authors = [
+    { name="Jay Lee", email="jay0lee@gmail.com" },
+    { name="Ross Scroggs", email="Ross.Scroggs@gmail.com" },
+]
+description = "CLI tool to manage Google Workspace"
+readme = "README.md"
+requires-python = ">=3.9"
+classifiers = [
+    "Programming Language :: Python :: 3",
+    "Operating System :: OS Independent",
+]
+license = {text = "Apache License (2.0)"}
+license-files = ["LICEN[CS]E*"]
+
+[project.scripts]
+gam = "gam.__main__:main"
+
+[project.urls]
+Homepage = "https://github.com/GAM-team/GAM"
+Issues = "https://github.com/GAM-team/GAM/issues"
+
+[tool.hatch.version]
+path = "src/gam/__init__.py"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/gam"]
+
+[tool.hatch.metadata.hooks.requirements_txt]
+files = ["src/requirements.txt"]
+
+[build-system]
+requires = [
+    "hatchling",
+    "hatch-requirements_txt",
+]
+build-backend = "hatchling.build"

src/GamCommands.txt

@@ -2090,19 +2090,25 @@ gam move browsers ou|org|orgunit <OrgUnitPath>
         [batchsize <Integer>]
 
 gam info browser <DeviceID>
-        [basic|full|annotated] <BrowserFieldName>* [fields <BrowserFieldNameList>]
+        (basic|full|annotated | 
+         (<BrowserFieldName>* [fields <BrowserFieldNameList>]) |
+         (rawfields "<BrowserFieldNameList>"))
         [formatjson]
 gam show browsers
         ([ou|org|orgunit|browserou <OrgUnitPath>] [(query <QueryBrowser>)|(queries <QueryBrowserList>))|(select <BrowserEntity>))
         [querytime<String> <Time>]
         [orderby <BrowserOrderByFieldName> [ascending|descending]]
-        [basic|full|allfields|annotated] <BrowserFieldName>* [fields <BrowserFieldNameList>]
+        (basic|full|annotated | 
+         (<BrowserFieldName>* [fields <BrowserFieldNameList>]) |
+         (rawfields "<BrowserFieldNameList>"))
         [formatjson]
 gam print browsers [todrive <ToDriveAttribute>*]
         ([ou|org|orgunit|browserou <OrgUnitPath>] [(query <QueryBrowser>)|(queries <QueryBrowserList>))|(select <BrowserEntity>))
         [querytime<String> <Time>]
         [orderby <BrowserOrderByFieldName> [ascending|descending]]
-        [basic|full|allfields|annotated] <BrowserFieldName>* [fields <BrowserFieldNameList>]
+        (basic|full|annotated | 
+         (<BrowserFieldName>* [fields <BrowserFieldNameList>]) |
+         (rawfields "<BrowserFieldNameList>"))
         [sortheaders]
         [formatjson [quotechar <Character>]]
 
@@ -3927,8 +3933,11 @@ gam print group-members [todrive <ToDriveAttribute>*]
         updatetime
 <CIGroupFieldNameList> ::= "<CIGroupFieldName>(,<CIGroupFieldName>)*"
 
-gam create cigroup <EmailAddress> [copyfrom <GroupItem>] <GroupAttribute>*
-        [makeowner] [alias|aliases <CIGroupAliasList>] [dynamic <QueryDynamicGroup>]
+gam create cigroup <EmailAddress>
+        [copyfrom <GroupItem>] <GroupAttribute>*
+        [makeowner] [alias|aliases <CIGroupAliasList>]
+        [security|makesecuritygroup]
+        [dynamic <QueryDynamicGroup>]
 gam update cigroup <GroupEntity> [copyfrom <GroupItem>] <GroupAttribute>
         [security|makesecuritygroup|
          dynamicsecurity|makedynamicsecuritygroup|
@@ -4515,7 +4524,7 @@ gam report users|user [todrive <ToDriveAttribute>*]
         (country|countrycode <String>)
 
 gam create|add resoldcustomer <CustomerDomain> (customer_auth_token <String>) <ResoldCustomerAttribute>+
-gam update resoldcustomer <CustomerID> [customer_auth_token <String>] <ResoldCustomerAttribues>+
+gam update resoldcustomer <CustomerID> <ResoldCustomerAttribues>+
 gam info resoldcustomer <CustomerID> [formatjson]
 
 gam create|add resoldsubscription <CustomerID> (sku <SKUID>)
@@ -5261,7 +5270,7 @@ gam print vaultcounts [todrive <ToDriveAttributes>*]
 gam print vaultcounts [todrive <ToDriveAttributes>*]
         matter <MatterItem> operation <String> [wait <Integer>]
 
-gam create vaultexport|export matter <MatterItem> [name <String>] corpus calendar|drive|mail|groups|hangouts_chat|voice
+gam create vaultexport|export matter <MatterItem> [name <String>] corpus calendar|drive|gemini|groups|hangouts_chat|mail|voice
         (accounts <EmailAddressEntity>) | (orgunit|org|ou <OrgUnitPath>) | everyone
         (shareddrives|teamdrives <SharedDriveIDList>) | (rooms <RoomList>) | (sitesurl <URLList>)
         [scope all_data|held_data|unprocessed_data]
@@ -5269,10 +5278,12 @@ gam create vaultexport|export matter <MatterItem> [name <String>] corpus calenda
         [locationquery <StringList>] [peoplequery <StringList>] [minuswords <StringList>]
         [responsestatuses <AttendeeStatus>(,<AttendeeStatus>)*] [calendarversiondate <Date>|<Time>]
         [includeshareddrives <Boolean>] [driveversiondate <Date>|<Time>] [includeaccessinfo <Boolean>]
+        [driveclientsideencryption any|encrypted|unencrypted]
         [includerooms <Boolean>]
-        [excludedrafts <Boolean>] [format mbox|pst]
+        [excludedrafts <Boolean>] [mailclientsideencryption any|encrypted|unencrypted]
         [showconfidentialmodecontent <Boolean>] [usenewexport <Boolean>] [exportlinkeddrivefiles <Boolean>]
         [covereddata calllogs|textmessages|voicemails]
+        [format ics|mbox|pst|xml]
         [region any|europe|us] [showdetails|returnidonly]
 gam delete vaultexport|export <ExportItem> matter <MatterItem>
 gam delete vaultexport|export <MatterItem> <ExportItem>

src/GamUpdate.txt

@@ -1,3 +1,46 @@
+7.03.07
+
+Updated `gam create vaultexport` to include `corpus gemini`.
+
+* See: https://workspaceupdates.googleblog.com/2025/02/google-vault-now-supports-gemini.html
+
+7.03.06
+
+Added option `rawfields "<BrowserFieldNameList>"` to `gam info|print|show browsers` that allows
+specification of complex field lists with selected subfields.
+
+* See: https://github.com/GAM-team/GAM/wiki/Chrome-Browser-Cloud-Management#raw-fields
+
+7.03.05
+
+Make GAM pip-installable: "pip install gam7"
+
+7.03.04
+
+Added option `security` to `gam create cigroup` that allows creation of a security group
+in a single command.
+
+Updated to Python 3.13.2.
+
+7.03.03
+
+Fixed bug in `gam update resoldcustomer` that caused the following error:
+```
+ERROR: Got an unexpected keyword argument customerAuthToken
+```
+
+7.03.02
+
+Updated `gam <UserTypeEntity> show labels nested` to properly display label nesting
+when labels have embedded `/` characters in their names.
+
+7.03.01
+
+Updated `gam create project` to retry the following unexpected error:
+```
+ERROR: 400 - invalidArgument - Service account gam-project-a1b2c@gam-project-a1b2c.iam.gserviceaccount.com does not exist.
+```
+
 7.03.00
 
 Updated `gam create|use project` to discontinue use of the `Identity-Aware Proxy (IAP) OAuth Admin APIs`

src/gam-install.sh

@@ -112,6 +112,12 @@ else
   check_type="authenticated"
   curl_opts=( "$GHCLIENT" )
 fi
+curl_ver=$(curl --version|head -1|cut -d " " -f 2)
+if [[ "${curl_ver:0:4}" < "7.76" ]]; then
+  curl_fail=( )
+else
+  curl_fail=( "--fail-with-body" )
+fi
 echo_yellow "Checking GitHub URL $release_url for $gamversion GAM release ($check_type)..."
 release_json=$(curl \
 	--silent \
@@ -119,7 +125,7 @@ release_json=$(curl \
 	-H "Accept: application/vnd.github+json" \
 	-H "X-GitHub-Api-Version: 2022-11-28" \
 	"$release_url" \
-	--fail-with-body)
+	"${curl_fail[@]}")
 curl_exit_code=$?
 if [ $curl_exit_code -ne 0 ]; then
   echo_red "ERROR retrieving URL: ${release_json}"

src/gam/__init__.py

@@ -25,7 +25,7 @@ https://github.com/GAM-team/GAM/wiki
 """
 
 __author__ = 'GAM Team <google-apps-manager@googlegroups.com>'
-__version__ = '7.03.00'
+__version__ = '7.03.07'
 __license__ = 'Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0)'
 
 #pylint: disable=wrong-import-position
@@ -7356,6 +7356,12 @@ def addFieldToFieldsList(fieldName, fieldsChoiceMap, fieldsList):
 def _getFieldsList():
   return getString(Cmd.OB_FIELD_NAME_LIST).lower().replace('_', '').replace(',', ' ').split()
 
+def _getRawFields(requiredField=None):
+  rawFields = getString(Cmd.OB_FIELDS)
+  if requiredField is None or requiredField in rawFields:
+    return rawFields
+  return f'{requiredField},{rawFields}'
+
 def _addInitialField(fieldsList, initialField):
   if isinstance(initialField, list):
     fieldsList.extend(initialField)
@@ -11361,13 +11367,32 @@ def doEnableAPIs():
       url = f'https://console.cloud.google.com/apis/enableflow?apiid={apiid}&project={projectId}'
       writeStdout(f'    {url}\n\n')
 
+def _waitForSvcAcctCompletion(i):
+  sleep_time = i*5
+  if i > 3:
+    sys.stdout.write(Msg.WAITING_FOR_ITEM_CREATION_TO_COMPLETE_SLEEPING.format(Ent.Singular(Ent.SVCACCT), sleep_time))
+  time.sleep(sleep_time)
+
 def _grantRotateRights(iam, projectId, service_account, email, account_type='serviceAccount'):
-  printEntityMessage([Ent.PROJECT, projectId, Ent.SVCACCT, email],
-                     Msg.HAS_RIGHTS_TO_ROTATE_OWN_PRIVATE_KEY.format(email, service_account))
   body = {'policy': {'bindings': [{'role': 'roles/iam.serviceAccountKeyAdmin',
                                    'members': [f'{account_type}:{email}']}]}}
-  callGAPI(iam.projects().serviceAccounts(), 'setIamPolicy',
-           resource=f'projects/{projectId}/serviceAccounts/{service_account}', body=body)
+  maxRetries = 10
+  printEntityMessage([Ent.PROJECT, projectId, Ent.SVCACCT, email],
+                     Msg.HAS_RIGHTS_TO_ROTATE_OWN_PRIVATE_KEY.format(email, service_account))
+  for retry in range(1, maxRetries+1):
+    try:
+      callGAPI(iam.projects().serviceAccounts(), 'setIamPolicy',
+               throwReasons=[GAPI.INVALID_ARGUMENT],
+               resource=f'projects/{projectId}/serviceAccounts/{service_account}', body=body)
+      return True
+    except GAPI.invalidArgument as e:
+      entityActionFailedWarning([Ent.PROJECT, projectId, Ent.SVCACCT, service_account], str(e))
+      if 'does not exist' not in str(e) or retry == maxRetries:
+        return False
+      _waitForSvcAcctCompletion(retry)
+    except Exception as e:
+      entityActionFailedWarning([Ent.PROJECT, projectId, Ent.SVCACCT, service_account], str(e))
+      return False
 
 def _createOauth2serviceJSON(httpObj, projectInfo, svcAcctInfo, create_key=True):
   iam = getAPIService(API.IAM, httpObj)
@@ -11392,8 +11417,7 @@ def _createOauth2serviceJSON(httpObj, projectInfo, svcAcctInfo, create_key=True)
                                              clientId=service_account['uniqueId']):
     return False
   sa_email = service_account['name'].rsplit('/', 1)[-1]
-  _grantRotateRights(iam, projectInfo['projectId'], sa_email, sa_email)
-  return True
+  return _grantRotateRights(iam, projectInfo['projectId'], sa_email, sa_email)
 
 def _createClientSecretsOauth2service(httpObj, login_hint, appInfo, projectInfo, svcAcctInfo, create_key=True):
   def _checkClientAndSecret(csHttpObj, client_id, client_secret):
@@ -12563,12 +12587,6 @@ def doProcessSvcAcctKeys(mode=None, iam=None, projectId=None, clientEmail=None,
       else:
         unknownArgumentExit()
 
-  def waitForCompletion(i):
-    sleep_time = i*5
-    if i > 3:
-      sys.stdout.write(Msg.WAITING_FOR_ITEM_CREATION_TO_COMPLETE_SLEEPING.format(Ent.Singular(Ent.SVCACCT), sleep_time))
-    time.sleep(sleep_time)
-
   local_key_size = 2048
   validityHours = 0
   body = {}
@@ -12638,12 +12656,12 @@ def doProcessSvcAcctKeys(mode=None, iam=None, projectId=None, clientEmail=None,
         if retry == maxRetries:
           entityActionFailedWarning([Ent.PROJECT, projectId, Ent.SVCACCT, clientEmail], str(e))
           return False
-        waitForCompletion(retry)
+        _waitForSvcAcctCompletion(retry)
       except GAPI.permissionDenied:
         if retry == maxRetries:
           entityActionFailedWarning([Ent.PROJECT, projectId, Ent.SVCACCT, clientEmail], Msg.UPDATE_PROJECT_TO_VIEW_MANAGE_SAKEYS)
           return False
-        waitForCompletion(retry)
+        _waitForSvcAcctCompletion(retry)
       except GAPI.badRequest as e:
         entityActionFailedWarning([Ent.PROJECT, projectId, Ent.SVCACCT, clientEmail], str(e))
         return False
@@ -12656,7 +12674,7 @@ def doProcessSvcAcctKeys(mode=None, iam=None, projectId=None, clientEmail=None,
           new_data['private_key'] = ''
           newPrivateKeyId = ''
           break
-        waitForCompletion(retry)
+        _waitForSvcAcctCompletion(retry)
     new_data['private_key_id'] = newPrivateKeyId
     oauth2service_data = _formatOAuth2ServiceData(new_data)
   else:
@@ -12673,7 +12691,7 @@ def doProcessSvcAcctKeys(mode=None, iam=None, projectId=None, clientEmail=None,
         if retry == maxRetries:
           entityActionFailedWarning([Ent.PROJECT, projectId, Ent.SVCACCT, clientEmail], Msg.UPDATE_PROJECT_TO_VIEW_MANAGE_SAKEYS)
           return False
-        waitForCompletion(retry)
+        _waitForSvcAcctCompletion(retry)
       except GAPI.badRequest as e:
         entityActionFailedWarning([Ent.PROJECT, projectId, Ent.SVCACCT, clientEmail], str(e))
         return False
@@ -12714,7 +12732,7 @@ def doProcessSvcAcctKeys(mode=None, iam=None, projectId=None, clientEmail=None,
           if retry == maxRetries:
             entityActionFailedWarning([Ent.SVCACCT_KEY, keyName], Msg.UPDATE_PROJECT_TO_VIEW_MANAGE_SAKEYS)
             break
-          waitForCompletion(retry)
+          _waitForSvcAcctCompletion(retry)
         except GAPI.badRequest as e:
           entityActionFailedWarning([Ent.SVCACCT_KEY, keyName], str(e), i, count)
           break
@@ -15094,15 +15112,15 @@ def doCreateResoldCustomer():
   except (GAPI.badRequest, GAPI.resourceNotFound, GAPI.forbidden, GAPI.invalid) as e:
     entityActionFailedWarning([Ent.CUSTOMER_DOMAIN, body['customerDomain']], str(e))
 
-# gam update resoldcustomer <CustomerID> [customer_auth_token <String>] <ResoldCustomerAttribute>+
+# gam update resoldcustomer <CustomerID> <ResoldCustomerAttribute>+
 def doUpdateResoldCustomer():
   res = buildGAPIObject(API.RESELLER)
   customerId = getString(Cmd.OB_CUSTOMER_ID)
-  customerAuthToken, body = _getResoldCustomerAttr()
+  _, body = _getResoldCustomerAttr()
   try:
     callGAPI(res.customers(), 'patch',
              throwReasons=GAPI.RESELLER_THROW_REASONS,
-             customerId=customerId, body=body, customerAuthToken=customerAuthToken, fields='')
+             customerId=customerId, body=body, fields='')
     entityActionPerformed([Ent.CUSTOMER_ID, customerId])
   except (GAPI.badRequest, GAPI.resourceNotFound, GAPI.forbidden, GAPI.invalid) as e:
     entityActionFailedWarning([Ent.CUSTOMER_ID, customerId], str(e))
@@ -15121,6 +15139,7 @@ def doInfoResoldCustomer():
                             customerId=customerId)
     if not FJQC.formatJSON:
       printKeyValueList(['Customer ID', customerInfo['customerId']])
+      printKeyValueList(['Customer Type', customerInfo['customerType']])
       printKeyValueList(['Customer Domain', customerInfo['customerDomain']])
       if 'customerDomainVerified' in customerInfo:
         printKeyValueList(['Customer Domain Verified', customerInfo['customerDomainVerified']])
@@ -16555,7 +16574,7 @@ def doInfoAdminRole():
       fieldsList.append('rolePrivileges')
     else:
       unknownArgumentExit()
-  fields = ','.join(set(fieldsList))
+  fields = getFieldsFromFieldsList(fieldsList)
   try:
     role = callGAPI(cd.roles(), 'get',
                     throwReasons=[GAPI.NOT_FOUND, GAPI.FORBIDDEN, GAPI.FAILED_PRECONDITION,
@@ -17692,9 +17711,9 @@ def _getOrgUnits(cd, orgUnitPath, fieldsList, listType, showParent, batchSubOrgs
     if 'parentOrgUnitId' not in fieldsList:
       localFieldsList.append('parentOrgUnitId')
       deleteParentOrgUnitId = True
-    fields = ','.join(set(localFieldsList))
+    fields = getFieldsFromFieldsList(localFieldsList)
   else:
-    fields = ','.join(set(fieldsList))
+    fields = getFieldsFromFieldsList(fieldsList)
   listfields = f'organizationUnits({fields})'
   if listType == 'all' and  orgUnitPath == '/':
     printGettingAllAccountEntities(Ent.ORGANIZATIONAL_UNIT)
@@ -22156,8 +22175,7 @@ def printShowUserPeopleContacts(users):
     if not fieldsList:
       ofields = _getPersonFields(PEOPLE_OTHER_CONTACTS_FIELDS_CHOICE_MAP, PEOPLE_CONTACTS_DEFAULT_FIELDS, fieldsList, parameters)
     else:
-      fieldsList = [PEOPLE_OTHER_CONTACTS_FIELDS_CHOICE_MAP[field.lower()] for field in fieldsList if field.lower() in PEOPLE_OTHER_CONTACTS_FIELDS_CHOICE_MAP]
-      ofields = ','.join(set(fieldsList))
+      ofields = getFieldsFromFieldsList([PEOPLE_OTHER_CONTACTS_FIELDS_CHOICE_MAP[field.lower()] for field in fieldsList if field.lower() in PEOPLE_OTHER_CONTACTS_FIELDS_CHOICE_MAP])
   i, count, users = getEntityArgument(users)
   for user in users:
     i += 1
@@ -24771,7 +24789,7 @@ def doPrintCrOSActivity(entityList=None):
   else:
     sortRows = True
     jcount = len(entityList)
-    fields = ','.join(set(fieldsList))
+    fields = getFieldsFromFieldsList(fieldsList)
     svcargs = dict([('customerId', GC.Values[GC.CUSTOMER_ID]), ('deviceId', None), ('projection', projection), ('fields', fields)]+GM.Globals[GM.EXTRA_ARGS_LIST])
     method = getattr(cd.chromeosdevices(), 'get')
     dbatch = cd.new_batch_http_request(callback=_callbackPrintCrOS)
@@ -25061,7 +25079,7 @@ def _showBrowser(browser, FJQC, i=0, count=0):
     return
   printEntity([Ent.CHROME_BROWSER, browser['deviceId']], i, count)
   Ind.Increment()
-  showJSON(None, browser, timeObjects=BROWSER_TIME_OBJECTS)
+  showJSON(None, browser, timeObjects=BROWSER_TIME_OBJECTS, dictObjectsKey={'machinePolicies': 'name'})
   Ind.Decrement()
 
 BROWSER_FIELDS_CHOICE_MAP = {
@@ -25101,11 +25119,13 @@ BROWSER_FIELDS_CHOICE_MAP = {
   'user': 'annotatedUser',
   'virtualdeviceid': 'virtualDeviceId',
   }
-BROWSER_ANNOTATED_FIELDS_LIST = ['annotatedAssetId', 'annotatedLocation', 'annotatedNotes', 'annotatedUser']
+BROWSER_ANNOTATED_FIELDS_LIST = ['annotatedAssetId', 'annotatedLocation', 'annotatedNotes', 'annotatedUser', 'deviceId']
 BROWSER_FULL_ACCESS_FIELDS = {'browsers', 'lastDeviceUsers', 'lastStatusReportTime', 'machinePolicies'}
 
 # gam info browser <DeviceID>
-#	[basic|full|annotated] <BrowserFieldName>* [fields <BrowserFieldNameList>]
+#	(basic|full|annotated |
+#	 (<BrowserFieldName>* [fields <BrowserFieldNameList>]) |
+#	 (rawfields <BrowserFieldNameList>))
 #	[formatjson]
 def doInfoBrowsers():
   cbcm = buildGAPIObject(API.CBCM)
@@ -25113,6 +25133,7 @@ def doInfoBrowsers():
   deviceId = getString(Cmd.OB_DEVICE_ID)
   projection = 'BASIC'
   fieldsList = []
+  rawFields = None
   FJQC = FormatJSONQuoteChar()
   while Cmd.ArgumentsRemaining():
     myarg = getArgument()
@@ -25124,16 +25145,21 @@ def doInfoBrowsers():
       fieldsList = []
     elif getFieldsList(myarg, BROWSER_FIELDS_CHOICE_MAP, fieldsList, initialField='deviceId'):
       pass
+    elif myarg == 'rawfields':
+      projection = 'FULL'
+      rawFields = _getRawFields('deviceId')
     else:
       FJQC.GetFormatJSON(myarg)
   if projection == 'BASIC' and set(fieldsList).intersection(BROWSER_FULL_ACCESS_FIELDS):
     projection = 'FULL'
-  fields = ','.join(set(fieldsList))
+  fields = getFieldsFromFieldsList(fieldsList) if not rawFields else rawFields
   try:
     browser = callGAPI(cbcm.chromebrowsers(), 'get',
-                       throwReasons=[GAPI.BAD_REQUEST, GAPI.RESOURCE_NOT_FOUND, GAPI.FORBIDDEN],
+                       throwReasons=[GAPI.BAD_REQUEST, GAPI.RESOURCE_NOT_FOUND, GAPI.INVALID_ARGUMENT, GAPI.FORBIDDEN],
                        customer=customerId, deviceId=deviceId, projection=projection, fields=fields)
     _showBrowser(browser, FJQC)
+  except GAPI.invalidArgument as e:
+    entityActionFailedWarning([Ent.CHROME_BROWSER, deviceId], str(e))
   except (GAPI.badRequest, GAPI.resourceNotFound, GAPI.forbidden):
     checkEntityAFDNEorAccessErrorExit(None, Ent.CHROME_BROWSER, deviceId)
 
@@ -25334,7 +25360,7 @@ def doInfoChromeProfile():
       pass
     else:
       FJQC.GetFormatJSON(myarg)
-  fields = ','.join(set(fieldsList))
+  fields = getFieldsFromFieldsList(fieldsList)
   try:
     profile = callGAPI(cm.customers().profiles(), 'get',
                        throwReasons=[GAPI.INVALID_ARGUMENT, GAPI.NOT_FOUND, GAPI.PERMISSION_DENIED],
@@ -25466,13 +25492,19 @@ BROWSER_ORDERBY_CHOICE_MAP = {
 #	([ou|org|orgunit|browserou <OrgUnitPath>] [(query <QueryBrowser)|(queries <QueryBrowserList>))|(select <BrowserEntity>))
 #	[querytime<String> <Time>]
 #	[orderby <BrowserOrderByFieldName> [ascending|descending]]
-#	[basic|full|allfields|annotated] <BrowserFieldName>* [fields <BrowserFieldNameList>]
+#	(basic|full|annotated |
+#	 (<BrowserFieldName>* [fields <BrowserFieldNameList>]) |
+#	 (rawfields <BrowserFieldNameList>))
+#	(<BrowserFieldName>* [fields <BrowserFieldNameList>]|(rawfields <BrowserFieldNameList>)
 #	[formatjson]
 # gam print browsers [todrive <ToDriveAttribute>*]
 #	([ou|org|orgunit|browserou <OrgUnitPath>] [(query <QueryBrowser)|(queries <QueryBrowserList>))|(select <BrowserEntity>))
 #	[querytime<String> <Time>]
 #	[orderby <BrowserOrderByFieldName> [ascending|descending]]
-#	[basic|full|allfields|annotated] <BrowserFieldName>* [fields <BrowserFieldNameList>]
+#	(basic|full|annotated |
+#	 (<BrowserFieldName>* [fields <BrowserFieldNameList>]) |
+#	 (rawfields <BrowserFieldNameList>))
+#	(<BrowserFieldName>* [fields <BrowserFieldNameList>]|(rawfields <BrowserFieldNameList>)
 #	[sortheaders] [formatjson [quotechar <Character>]]
 def doPrintShowBrowsers():
   def _printBrowser(browser):
@@ -25489,6 +25521,7 @@ def doPrintShowBrowsers():
   csvPF = CSVPrintFile(['deviceId']) if Act.csvFormat() else None
   FJQC = FormatJSONQuoteChar(csvPF)
   fieldsList = []
+  rawFields = None
   projection = 'BASIC'
   orderBy = 'id'
   sortOrder = 'ASCENDING'
@@ -25527,22 +25560,25 @@ def doPrintShowBrowsers():
       sortHeaders = True
     elif getFieldsList(myarg, BROWSER_FIELDS_CHOICE_MAP, fieldsList, initialField='deviceId'):
       pass
+    elif myarg == 'rawfields':
+      projection = 'FULL'
+      rawFields = _getRawFields('deviceId')
     else:
       FJQC.GetFormatJSONQuoteChar(myarg, True)
   if projection == 'BASIC' and set(fieldsList).intersection(BROWSER_FULL_ACCESS_FIELDS):
     projection = 'FULL'
-  fields = getItemFieldsFromFieldsList('browsers', fieldsList)
   if FJQC.formatJSON:
     sortHeaders = False
   substituteQueryTimes(queries, queryTimes)
   if entityList is None:
+    fields = getItemFieldsFromFieldsList('browsers', fieldsList) if not rawFields else f'nextPageToken,browsers({rawFields})'
     for query in queries:
       printGettingAllAccountEntities(Ent.CHROME_BROWSER, query)
       pageMessage = getPageMessage()
       try:
         feed = yieldGAPIpages(cbcm.chromebrowsers(), 'list', 'browsers',
                               pageMessage=pageMessage, messageAttribute='deviceId',
-                              throwReasons=[GAPI.INVALID_INPUT, GAPI.BAD_REQUEST, GAPI.INVALID_ORGUNIT, GAPI.FORBIDDEN],
+                              throwReasons=[GAPI.INVALID_INPUT, GAPI.BAD_REQUEST, GAPI.INVALID_ARGUMENT, GAPI.INVALID_ORGUNIT, GAPI.FORBIDDEN],
                               retryReasons=GAPI.SERVICE_NOT_AVAILABLE_RETRY_REASONS,
                               customer=customerId, orgUnitPath=orgUnitPath, query=query, projection=projection,
                               orderBy=orderBy, sortOrder=sortOrder, fields=fields)
@@ -25566,7 +25602,7 @@ def doPrintShowBrowsers():
         else:
           entityActionFailedWarning([Ent.CHROME_BROWSER, None], str(e))
         return
-      except (GAPI.invalidOrgunit, GAPI.forbidden) as e:
+      except (GAPI.invalidArgument, GAPI.invalidOrgunit, GAPI.forbidden) as e:
         entityActionFailedWarning([Ent.CHROME_BROWSER, None], str(e))
         return
       except (GAPI.badRequest, GAPI.resourceNotFound):
@@ -25574,15 +25610,17 @@ def doPrintShowBrowsers():
   else:
     sortRows = True
     jcount = len(entityList)
-    fields = getFieldsFromFieldsList(fieldsList)
+    fields = getFieldsFromFieldsList(fieldsList) if not rawFields else rawFields
     j = 0
     for deviceId in entityList:
       j += 1
       try:
         browser = callGAPI(cbcm.chromebrowsers(), 'get',
-                           throwReasons=[GAPI.BAD_REQUEST, GAPI.RESOURCE_NOT_FOUND, GAPI.FORBIDDEN],
+                           throwReasons=[GAPI.BAD_REQUEST, GAPI.RESOURCE_NOT_FOUND, GAPI.INVALID_ARGUMENT, GAPI.FORBIDDEN],
                            customer=customerId, deviceId=deviceId, projection=projection, fields=fields)
         _printBrowser(browser)
+      except GAPI.invalidArgument as e:
+        entityActionFailedWarning([Ent.CHROME_BROWSER, deviceId], str(e))
       except (GAPI.badRequest, GAPI.resourceNotFound, GAPI.forbidden):
         checkEntityAFDNEorAccessErrorExit(None, Ent.CHROME_BROWSER, deviceId)
   if csvPF:
@@ -31719,6 +31757,8 @@ def doCreateGroup(ciGroupsAPI=False):
                                                       'query': getString(Cmd.OB_QUERY)})
     elif ciGroupsAPI and myarg == 'makeowner':
       initialGroupConfig = 'WITH_INITIAL_OWNER'
+    elif ciGroupsAPI and myarg in {'security', 'makesecuritygroup'}:
+      body['labels'][CIGROUP_SECURITY_LABEL] = ''
     elif myarg == 'verifynotinvitable':
       verifyNotInvitable = True
     else:
@@ -34595,8 +34635,11 @@ def doPrintShowGroupTree():
   if csvPF:
     csvPF.writeCSVfile('Group Tree')
 
-# gam create cigroup <EmailAddress> [copyfrom <GroupItem>] <GroupAttribute>
-#	[makeowner] [alias|aliases <CIGroupAliasList>] [dynamic <QueryDynamicGroup>]
+# gam create cigroup <EmailAddress>
+#	[copyfrom <GroupItem>] <GroupAttribute>
+#	[makeowner] [alias|aliases <CIGroupAliasList>]
+#	[security|makesecuritygroup]
+#	[dynamic <QueryDynamicGroup>]
 def doCreateCIGroup():
   doCreateGroup(ciGroupsAPI=True)
 
@@ -37431,7 +37474,7 @@ def _doDeleteResourceCalendars(entityList):
                retryReasons=GAPI.SERVICE_NOT_AVAILABLE_RETRY_REASONS,
                customer=GC.Values[GC.CUSTOMER_ID], calendarResourceId=resourceId)
       entityActionPerformed([Ent.RESOURCE_CALENDAR, resourceId], i, count)
-    except GAPI.serviceNotAvailable  as e:
+    except GAPI.serviceNotAvailable as e:
       entityActionFailedWarning([Ent.RESOURCE_CALENDAR, resourceId], str(e), i, count)
     except (GAPI.badRequest, GAPI.resourceNotFound, GAPI.forbidden):
       checkEntityAFDNEorAccessErrorExit(cd, Ent.RESOURCE_CALENDAR, resourceId, i, count)
@@ -39150,10 +39193,12 @@ def _wipeCalendarEvents(user, origCal, calIds, count):
       continue
     try:
       callGAPI(cal.calendars(), 'clear',
-               throwReasons=GAPI.CALENDAR_THROW_REASONS+[GAPI.NOT_FOUND, GAPI.FORBIDDEN, GAPI.INVALID, GAPI.REQUIRED_ACCESS_LEVEL],
+               throwReasons=GAPI.CALENDAR_THROW_REASONS+[GAPI.NOT_FOUND, GAPI.FORBIDDEN, GAPI.INVALID,
+                                                         GAPI.REQUIRED_ACCESS_LEVEL, GAPI.SERVICE_NOT_AVAILABLE],
+               retryReasons=GAPI.SERVICE_NOT_AVAILABLE_RETRY_REASONS,
                calendarId=calId)
       entityActionPerformed([Ent.CALENDAR, calId], i, count)
-    except (GAPI.notFound, GAPI.forbidden, GAPI.invalid, GAPI.requiredAccessLevel) as e:
+    except (GAPI.notFound, GAPI.forbidden, GAPI.invalid, GAPI.requiredAccessLevel, GAPI.serviceNotAvailable) as e:
       entityActionFailedWarning([Ent.CALENDAR, calId], str(e), i, count)
     except GAPI.notACalendarUser:
       userCalServiceNotEnabledWarning(calId, i, count)
@@ -40410,9 +40455,10 @@ VAULT_SEARCH_METHODS_MAP = {
 VAULT_CORPUS_ARGUMENT_MAP = {
   'calendar': 'CALENDAR',
   'drive': 'DRIVE',
-  'mail': 'MAIL',
+  'gemini': 'GEMINI',
   'groups': 'GROUPS',
   'hangoutschat': 'HANGOUTS_CHAT',
+  'mail': 'MAIL',
   'voice': 'VOICE',
   }
 VAULT_COUNTS_CORPUS_ARGUMENT_MAP = {
@@ -40439,15 +40485,22 @@ VAULT_EXPORT_FORMAT_MAP = {
   'ics': 'ICS',
   'mbox': 'MBOX',
   'pst': 'PST',
+  'xml': 'XML',
   }
 VAULT_CORPUS_EXPORT_FORMATS = {
   'CALENDAR': ['ICS', 'PST'],
   'DRIVE': [],
+  'GEMINI': ['XML'],
   'GROUPS': ['MBOX', 'PST'],
   'HANGOUTS_CHAT': ['MBOX', 'PST'],
   'MAIL': ['MBOX', 'PST'],
   'VOICE' : ['MBOX', 'PST'],
   }
+VAULT_CSE_OPTION_MAP = {
+  'any': 'CLIENT_SIDE_ENCRYPTED_OPTION_ANY',
+  'encrypted': 'CLIENT_SIDE_ENCRYPTED_OPTION_ENCRYPTED',
+  'unencrypted': 'CLIENT_SIDE_ENCRYPTED_OPTION_UNENCRYPTED',
+  }
 VAULT_EXPORT_REGION_MAP = {
   'any': 'ANY',
   'europe': 'EUROPE',
@@ -40456,16 +40509,18 @@ VAULT_EXPORT_REGION_MAP = {
 VAULT_CORPUS_OPTIONS_MAP = {
   'CALENDAR': 'calendarOptions',
   'DRIVE': 'driveOptions',
-  'MAIL': 'mailOptions',
+  'GEMINI': 'geminiOptions',
   'GROUPS': 'groupsOptions',
   'HANGOUTS_CHAT': 'hangoutsChatOptions',
+  'MAIL': 'mailOptions',
   'VOICE': 'voiceOptions',
   }
 VAULT_CORPUS_QUERY_MAP = {
   'CALENDAR': None,
   'DRIVE': 'driveQuery',
-  'MAIL': 'mailQuery',
+  'GEMINI': None,
   'GROUPS': 'groupsQuery',
+  'MAIL': 'mailQuery',
   'HANGOUTS_CHAT': 'hangoutsChatQuery',
   'VOICE': 'voiceQuery',
   }
@@ -40474,11 +40529,11 @@ VAULT_QUERY_ARGS = [
 # calendar
   'locationquery', 'peoplequery', 'minuswords', 'responsestatuses', 'caldendarversiondate',
 # drive
-  'driveversiondate', 'includeshareddrives', 'includeteamdrives',
+  'driveclientsideencryption', 'driveversiondate', 'includeshareddrives', 'includeteamdrives',
 # hangoutsChat
   'includerooms',
 # mail
-  'excludedrafts',
+  'mailclientsideencryption', 'excludedrafts',
 # voice
   'covereddata',
   ] + list(VAULT_SEARCH_METHODS_MAP.keys())
@@ -40535,12 +40590,16 @@ def _buildVaultQuery(myarg, query, corpusArgumentMap):
     query.setdefault('driveOptions', {})['versionDate'] = getTimeOrDeltaFromNow()
   elif myarg in {'includeshareddrives', 'includeteamdrives'}:
     query.setdefault('driveOptions', {})['includeSharedDrives'] = getBoolean()
+  elif myarg == 'driveclientsideencryption':
+    query.setdefault('driveOptions', {})['clientSideEncryptedOption'] = getChoice(VAULT_CSE_OPTION_MAP, mapChoice=True)
 # hangoutsChat
   elif myarg == 'includerooms':
     query['hangoutsChatOptions'] = {'includeRooms': getBoolean()}
 # mail
   elif myarg == 'excludedrafts':
     query['mailOptions'] = {'excludeDrafts': getBoolean()}
+  elif myarg == 'mailclientsideencryption':
+    query.setdefault('mailOptions', {})['clientSideEncryptedOption'] = getChoice(VAULT_CSE_OPTION_MAP, mapChoice=True)
 # voice
   elif myarg == 'covereddata':
     query['voiceOptions'] = {'coveredData': getChoice(VAULT_VOICE_COVERED_DATA_MAP, mapChoice=True)}
@@ -40555,7 +40614,7 @@ def _validateVaultQuery(body, corpusArgumentMap):
       if body['query']['corpus'] != corpus:
         body['exportOptions'].pop(options, None)
 
-# gam create vaultexport|export matter <MatterItem> [name <String>] corpus calendar|drive|mail|groups|hangouts_chat|voice
+# gam create vaultexport|export matter <MatterItem> [name <String>] corpus calendar|drive|gemini|groups|hangouts_chat|mail|voice
 #	(accounts <EmailAddressEntity>) | (orgunit|org|ou <OrgUnitPath>) | everyone
 #	(shareddrives|teamdrives <TeamDriveIDList>) | (rooms <RoomList>) | (sitesurl <URLList>)
 #	[scope <all_data|held_data|unprocessed_data>]
@@ -40563,10 +40622,12 @@ def _validateVaultQuery(body, corpusArgumentMap):
 #	[locationquery <StringList>] [peoplequery <StringList>] [minuswords <StringList>]
 #	[responsestatuses <AttendeeStatus>(,<AttendeeStatus>)*] [calendarversiondate <Date>|<Time>]
 #	[includeshareddrives <Boolean>] [driveversiondate <Date>|<Time>] [includeaccessinfo <Boolean>]
+#	[driveclientsideencryption any|encrypted|unencrypted]
 #	[includerooms <Boolean>]
-#	[excludedrafts <Boolean>] [format mbox|pst]
+#	[excludedrafts <Boolean>] [mailclientsideencryption any|encrypted|unencrypted]
 #	[showconfidentialmodecontent <Boolean>] [usenewexport <Boolean>] [exportlinkeddrivefiles <Boolean>]
 #	[covereddata calllogs|textmessages|voicemails]
+#	[format ics|mbox|pst|xml]
 #	[region any|europe|us] [showdetails|returnidonly]
 def doCreateVaultExport():
   v = buildGAPIObject(API.VAULT)
@@ -48226,7 +48287,7 @@ def doPrintCourseTopics():
       jcount = len(courseTopicIds)
       if jcount == 0:
         continue
-      fields = f'{",".join(set(fieldsList))}'
+      fields = getFieldsFromFieldsList(fieldsList)
       j = 0
       for courseTopicId in courseTopicIds:
         j += 1
@@ -48461,7 +48522,7 @@ def doPrintCourseWM(entityIDType, entityStateType):
       jcount = len(courseWMIds)
       if jcount == 0:
         continue
-      fields = f'{",".join(set(fieldsList))}' if fieldsList else None
+      fields = getFieldsFromFieldsList(fieldsList)
       j = 0
       for courseWMId in courseWMIds:
         j += 1
@@ -65481,7 +65542,7 @@ def infoSharedDrive(users, useDomainAdminAccess=False):
       guiRoles = getBoolean()
     else:
       FJQC.GetFormatJSON(myarg)
-  fields = ','.join(set(fieldsList)) if fieldsList else '*'
+  fields = getFieldsFromFieldsList(fieldsList) if fieldsList else '*'
   i, count, users = getEntityArgument(users)
   for user in users:
     i += 1
@@ -69387,13 +69448,18 @@ LABEL_COUNTS_FIELDS = ','.join(LABEL_COUNTS_FIELDS_LIST)
 def printShowLabels(users):
   def _buildLabelTree(labels):
     def _checkChildLabel(label):
-      if label.find('/') != -1:
-        (parent, base) = label.rsplit('/', 1)
+      labelItemList = label.split('/')
+      i = len(labelItemList)-1
+      while i > 0:
+        parent = '/'.join(labelItemList[:i])
+        base = '/'.join(labelItemList[i:])
         if parent in labelTree:
           if label in labelTree:
             labelTree[label]['info']['base'] = base
             labelTree[parent]['children'].append(labelTree.pop(label))
           _checkChildLabel(parent)
+          return
+        i -= 1
 
     labelTree = {}
     for label in labels['labels']:

src/gam/gamlib/glclargs.py

@@ -924,6 +924,7 @@ class GamCLArgs():
   OB_EXPORT_ITEM = 'ExportItem'
   OB_FIELD_NAME = 'FieldName'
   OB_FIELD_NAME_LIST = "FieldNameList"
+  OB_FIELDS = 'Fields'
   OB_FILE_NAME = 'FileName'
   OB_FILE_NAME_FIELD_NAME = OB_FILE_NAME+'(:'+OB_FIELD_NAME+')+'
   OB_FILE_NAME_OR_URL = 'FileName|URL'

src/requirements.txt

@@ -11,4 +11,4 @@ lxml
 passlib>=1.7.2
 pathvalidate
 python-dateutil
-yubikey-manager>=5.0
+yubikey-manager[yubikey]>=5.0