Added option showwebviewlink to gam print|show shareddrives

.github/workflows/pushwiki.yml

@@ -5,6 +5,8 @@ on:
   push:
     paths:
       - 'wiki/**'
+  workflow_dispatch:
+
 jobs:
   pushwiki:
     runs-on: ubuntu-latest

src/GamCommands.txt

@@ -4817,11 +4817,13 @@ gam print shareddrives [todrive <ToDriveAttribute>*]
         [teamdriveadminquery|query <QueryTeamDrive>]
         [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
         [fields <SharedDriveFieldNameList>] [noorgunits [<Boolean>]]
+        [showwebviewlink]
         [formatjson [quotechar <Character>]]
 gam show shareddrives
         [teamdriveadminquery|query <QueryTeamDrive>]
         [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
         [fields <SharedDriveFieldNameList>] [noorgunits [<Boolean>]]
+        [showwebviewlink]
         [formatjson] [noorgunits [<Boolean>]]
 
 gam print shareddriveorganizers [todrive <ToDriveAttribute>*]
@@ -4902,12 +4904,14 @@ gam <UserTypeEntity> print shareddrives [todrive <ToDriveAttribute>*]
         [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
         (role|roles <SharedDriveACLRoleList>)*
         [fields <SharedDriveFieldNameList>]
+        [showwebviewlink]
         [guiroles [<Boolean>]] [formatjson [quotechar <Character>]]
 gam <UserTypeEntity> show shareddrives
         [teamdriveadminquery|query <QueryTeamDrive>]
         [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
         (role|roles <SharedDriveACLRoleList>)*
         [fields <SharedDriveFieldNameList>]
+        [showwebviewlink]
         [guiroles [<Boolean>]] [formatjson]
 
 <PermissionMatch> ::=

src/GamUpdate.txt

@@ -1,3 +1,14 @@
+7.10.09
+
+Added option `showwebviewlink` to `gam [<UserTypeEntity>] print|show shareddrives` that
+displays the web view link for the Shared Drive: `https://drive.google.com/drive/folders/<SharedDriveID>`.
+
+7.10.08
+
+Fixed bug in commands that modify messages where the `labelids <LabelIdList>` option
+could not be used unless one of these options was also specified: `query`, `matchlabel`, `ids`;
+it can be now be used by itself.
+
 7.10.07
 
 Updated `gam <UserTypeEntity> copy|move drivefile` to hanndle additional instances of

src/gam/__init__.py

@@ -25,7 +25,7 @@ https://github.com/GAM-team/GAM/wiki
 """
 
 __author__ = 'GAM Team <google-apps-manager@googlegroups.com>'
-__version__ = '7.10.07'
+__version__ = '7.10.09'
 __license__ = 'Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0)'
 
 #pylint: disable=wrong-import-position
@@ -5187,6 +5187,12 @@ def checkGAPIError(e, softErrors=False, retryOnHttpError=False, mapNotFound=True
       return (0, None, None)
     else:
       systemErrorExit(HTTP_ERROR_RC, eContent)
+  requiredScopes = ''
+  wwwAuthenticate = e.resp.get('www-authenticate', '')
+  if 'insufficient_scope' in wwwAuthenticate:
+    mg = re.match(r'.+scope="(.+)"', wwwAuthenticate)
+    if mg:
+      requiredScopes = mg.group(1).split(' ')
   if 'error' in error:
     http_status = error['error']['code']
     reason = ''
@@ -5256,6 +5262,8 @@ def checkGAPIError(e, softErrors=False, retryOnHttpError=False, mapNotFound=True
       elif 'the authenticated user cannot access this service' in lmessage:
         error = makeErrorDict(http_status, GAPI.SERVICE_NOT_AVAILABLE, message)
       elif status == 'PERMISSION_DENIED' or 'the caller does not have permission' in lmessage or 'permission iam.serviceaccountkeys' in lmessage:
+        if requiredScopes:
+          message += f', {Msg.NO_SCOPES_FOR_API.format(API.findAPIforScope(requiredScopes))}'
         error = makeErrorDict(http_status, GAPI.PERMISSION_DENIED, message)
     elif http_status == 404:
       if status == 'NOT_FOUND' or 'requested entity was not found' in lmessage or 'does not exist' in lmessage:
@@ -65792,7 +65800,7 @@ def _showSharedDrive(user, shareddrive, j, jcount, FJQC):
     printKeyValueList(['hidden', shareddrive['hidden']])
   if 'createdTime' in shareddrive:
     printKeyValueList(['createdTime', formatLocalTime(shareddrive['createdTime'])])
-  for setting in ['backgroundImageLink', 'colorRgb', 'themeId', 'orgUnit', 'orgUnitId']:
+  for setting in ['backgroundImageLink', 'colorRgb', 'themeId', 'orgUnit', 'orgUnitId', 'webViewLink']:
     if setting in shareddrive:
       printKeyValueList([setting, shareddrive[setting]])
   if 'role' in shareddrive:
@@ -65867,6 +65875,7 @@ SHAREDDRIVE_ACL_ROLES_MAP = {
 #	[matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
 #	(role|roles <SharedDriveACLRoleList>)*
 #	[fields <SharedDriveFieldNameList>] [noorgunits [<Boolean>]]
+#	[showwebviewlink]
 #	[guiroles [<Boolean>]] [formatjson [quotechar <Character>]]
 # 	[showitemcountonly]
 # gam <UserTypeEntity> show shareddrives
@@ -65874,6 +65883,7 @@ SHAREDDRIVE_ACL_ROLES_MAP = {
 #	[matchname <REMatchPattrn>] [orgunit|org|ou <OrgUnitPath>]
 #	(role|roles <SharedDriveACLRoleLIst>)*
 #	[fields <SharedDriveFieldNameList>] [noorgunits [<Boolean>]]
+#	[showwebviewlink]
 #	[guiroles [<Boolean>]] [formatjson]
 # 	[showitemcountonly]
 def printShowSharedDrives(users, useDomainAdminAccess=False):
@@ -65882,6 +65892,8 @@ def printShowSharedDrives(users, useDomainAdminAccess=False):
       td_ouid = shareddrive.get('orgUnitId')
       if td_ouid:
         shareddrive['orgUnit'] = orgUnitIdToPathMap.get(f'id:{td_ouid}', UNKNOWN)
+    if showWebViewLink:
+      shareddrive['webViewLink'] = 'https://drive.google.com/drive/folders/'+shareddrive['id']
     if not showFields:
       return shareddrive
     sshareddrive = {}
@@ -65900,6 +65912,7 @@ def printShowSharedDrives(users, useDomainAdminAccess=False):
   showOrgUnitPaths = True
   orgUnitIdToPathMap = None
   guiRoles = showItemCountOnly = False
+  showWebViewLink = False
   while Cmd.ArgumentsRemaining():
     myarg = getArgument()
     if csvPF and myarg == 'todrive':
@@ -65929,6 +65942,8 @@ def printShowSharedDrives(users, useDomainAdminAccess=False):
       showOrgUnitPaths = not getBoolean()
     elif myarg == 'guiroles':
       guiRoles = getBoolean()
+    elif myarg == 'showwebviewlink':
+      showWebViewLink = True
     elif myarg == 'showitemcountonly':
       showItemCountOnly = True
       showOrgUnitPaths = False
@@ -65953,6 +65968,14 @@ def printShowSharedDrives(users, useDomainAdminAccess=False):
     orgUnitIdToPathMap = getOrgUnitIdToPathMap(cd)
     if showFields:
       showFields.add('orgUnit')
+  if showWebViewLink:
+    if showFields:
+      showFields.add('webViewLink')
+    if csvPF:
+      csvPF.AddTitle('webViewLink')
+      if FJQC.formatJSON:
+        csvPF.AddJSONTitles(['webViewLink'])
+        csvPF.MoveJSONTitlesToEnd(['JSON'])
   i, count, users = getEntityArgument(users)
   for user in users:
     i += 1
@@ -66021,6 +66044,8 @@ def printShowSharedDrives(users, useDomainAdminAccess=False):
           row = {'User': user, 'id': shareddrive['id'], 'name': shareddrive['name']}
           if not useDomainAdminAccess:
             row['role'] = shareddrive['role'] if not guiRoles else SHAREDDRIVE_API_GUI_ROLES_MAP[shareddrive['role']]
+          if showWebViewLink:
+            row['webViewLink'] = shareddrive['webViewLink']
           row['JSON'] = json.dumps(cleanJSON(shareddrive, timeObjects=SHAREDDRIVE_TIME_OBJECTS), ensure_ascii=False, sort_keys=True)
           csvPF.WriteRow(row)
         else:
@@ -70247,14 +70272,16 @@ def _finalizeMessageSelectParameters(parameters, queryOrIdsRequired):
       for queryTimeName, queryTimeValue in iter(parameters['queryTimes'].items()):
         parameters['query'] = parameters['query'].replace(f'#{queryTimeName}#', queryTimeValue)
     _mapMessageQueryDates(parameters)
-  elif queryOrIdsRequired and parameters['messageEntity'] is None:
-    missingArgumentExit('query|matchlabel|ids')
+  elif queryOrIdsRequired and parameters['messageEntity'] is None and not parameters['labelIds']:
+    missingArgumentExit('query|matchlabel|ids|labelids')
   else:
     parameters['query'] = None
   parameters['maxItems'] = parameters['maxToProcess'] if parameters['quick'] and not parameters['labelMatchPattern'] else 0
 
 # gam <UserTypeEntity> archive messages <GroupItem>
-#	(((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+ [quick|notquick] [doit] [max_to_archive <Number>])|(ids <MessageIDEntity>)
+#	(((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+#	 [labelids <LabelIDList>]
+#	 [quick|notquick] [doit] [max_to_archive <Number>])|(ids <MessageIDEntity>)
 #	[csv [todrive <ToDriveAttribute>*]]
 def archiveMessages(users):
   def _processMessageFailed(user, idsList, errMsg, j=0, jcount=0):
@@ -70539,39 +70566,59 @@ def _processMessagesThreads(users, entityType):
     csvPF.writeCSVfile(f'{Act.ToPerform()} Messages')
 
 # gam <UserTypeEntity> delete message|messages
-#	(((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+ [quick|notquick] [doit] [max_to_delete <Number>])|(ids <MessageIDEntity>)
+#	(((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+#	 [labelids <LabelIDList>]
+#	 [quick|notquick] [doit] [max_to_delete <Number>])|(ids <MessageIDEntity>)
 #	[csv [todrive <ToDriveAttribute>*]]
 # gam <UserTypeEntity> modify message|messages
-#	(((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+ [quick|notquick] [doit] [max_to_modify <Number>])|(ids <MessageIDEntity>)
+#	(((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+#	 [labelids <LabelIDList>]
+#	 [quick|notquick] [doit] [max_to_modify <Number>])|(ids <MessageIDEntity>)
 #	(addlabel <LabelName>)* (removelabel <LabelName>)*
 #	[csv [todrive <ToDriveAttribute>*]]
 # gam <UserTypeEntity> spam message|messages
-#	(((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+ [quick|notquick] [doit] [max_to_spam <Number>])|(ids <MessageIDEntity>)
+#	(((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+#	 [labelids <LabelIDList>]
+#	 [quick|notquick] [doit] [max_to_spam <Number>])|(ids <MessageIDEntity>)
 #	[csv [todrive <ToDriveAttribute>*]]
 # gam <UserTypeEntity> trash message|messages
-#	(((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+ [quick|notquick] [doit] [max_to_trash <Number>])|(ids <MessageIDEntity>)
+#	(((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+#	 [labelids <LabelIDList>]
+#	 [quick|notquick] [doit] [max_to_trash <Number>])|(ids <MessageIDEntity>)
 #	[csv [todrive <ToDriveAttribute>*]]
 # gam <UserTypeEntity> untrash message|messages
-#	(((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+ [quick|notquick] [doit] [max_to_untrash <Number>])|(ids <MessageIDEntity>)
+#	(((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+#	 [labelids <LabelIDList>]
+#	 [quick|notquick] [doit] [max_to_untrash <Number>])|(ids <MessageIDEntity>)
 #	[csv [todrive <ToDriveAttribute>*]]
 def processMessages(users):
   _processMessagesThreads(users, Ent.MESSAGE)
 
 # gam <UserTypeEntity> delete thread|threads
-#	(((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+ [quick|notquick] [doit] [max_to_delete <Number>])|(ids <ThreadIDEntity>)
+#	(((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+#	 [labelids <LabelIDList>]
+#	 [quick|notquick] [doit] [max_to_delete <Number>])|(ids <ThreadIDEntity>)
 #	[csv [todrive <ToDriveAttribute>*]]
 # gam <UserTypeEntity> modify thread|threads
-#	(((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+ [quick|notquick] [doit] [max_to_modify <Number>])|(ids <ThreadIDEntity>)
+#	(((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+#	 [labelids <LabelIDList>]
+#	 [quick|notquick] [doit] [max_to_modify <Number>])|(ids <ThreadIDEntity>)
 #	(addlabel <LabelName>)* (removelabel <LabelName>)*
 #	[csv [todrive <ToDriveAttribute>*]]
 # gam <UserTypeEntity> spam thread|threads
-#	(((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+ [quick|notquick] [doit] [max_to_spam <Number>])|(ids <ThreadIDEntity>)
+#	(((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+#	 [labelids <LabelIDList>]
+#	 [quick|notquick] [doit] [max_to_spam <Number>])|(ids <ThreadIDEntity>)
 #	[csv [todrive <ToDriveAttribute>*]]
 # gam <UserTypeEntity> trash thread|threads
-#	(((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+ [quick|notquick] [doit] [max_to_trash <Number>])|(ids <MessageIDEntity>)
+#	(((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+#	 [labelids <LabelIDList>]
+#	 [quick|notquick] [doit] [max_to_trash <Number>])|(ids <ThreadIDEntity>)
 #	[csv [todrive <ToDriveAttribute>*]]
 # gam <UserTypeEntity> untrash thread|threads
-#	(((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+ [quick|notquick] [doit] [max_to_untrash <Number>])|(ids <ThreadIDEntity>)
+#	(((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+#	 [labelids <LabelIDList>]
+#	 [quick|notquick] [doit] [max_to_untrash <Number>])|(ids <ThreadIDEntity>)
 #	[csv [todrive <ToDriveAttribute>*]]
 def processThreads(users):
   _processMessagesThreads(users, Ent.THREAD)
@@ -71993,7 +72040,9 @@ def printShowMessagesThreads(users, entityType):
       csvPF.writeCSVfile('Message Counts' if not show_labels else 'Message Label Counts')
 
 # gam <UserTypeEntity> print message|messages [todrive <ToDriveAttribute>*]
-#	(((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])* [quick|notquick] [max_to_print <Number>] [includespamtrash])|(ids <MessageIDEntity>)
+#	(((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])*
+#	 [labelids <LabelIDList>]
+#	 [quick|notquick] [max_to_print <Number>] [includespamtrash])|(ids <MessageIDEntity>)
 #	[labelmatchpattern <REMatchPattern>] [sendermatchpattern <REMatchPattern>]
 #	[headers all|<SMTPHeaderList>] [dateheaderformat iso|rfc2822|<String>] [dateheaderconverttimezone [<Boolean>]]
 #	[showlabels] [showbody] [showhtml] [showdate] [showsize] [showsnippet]
@@ -72003,7 +72052,9 @@ def printShowMessagesThreads(users, entityType):
 #	    [showattachments [noshowtextplain]]]
 #	(addcsvdata <FieldName> <String>)*
 # gam <UserTypeEntity> show message|messages
-#	(((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])* [quick|notquick] [max_to_show <Number>] [includespamtrash])|(ids <MessageIDEntity>)
+#	(((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])*
+#	 [labelids <LabelIDList>]
+#	 [quick|notquick] [max_to_show <Number>] [includespamtrash])|(ids <MessageIDEntity>)
 #	[labelmatchpattern <REMatchPattern>] [sendermatchpattern <REMatchPattern>]
 #	[headers all|<SMTPHeaderList>] [dateheaderformat iso|rfc2822|<String>] [dateheaderconverttimezone [<Boolean>]]
 #	[showlabels] [showbody] [showhtml] [showdate] [showsize] [showsnippet]
@@ -72016,7 +72067,9 @@ def printShowMessages(users):
   printShowMessagesThreads(users, Ent.MESSAGE)
 
 # gam <UserTypeEntity> print thread|threads [todrive <ToDriveAttribute>*]
-#	(((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])* [quick|notquick] [max_to_print <Number>] [includespamtrash])|(ids <ThreadIDEntity>)
+#	(((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])*
+#	 [labelids <LabelIDList>]
+#	 [quick|notquick] [max_to_print <Number>] [includespamtrash])|(ids <ThreadIDEntity>)
 #	[labelmatchpattern <REMatchPattern>]
 #	[headers all|<SMTPHeaderList>] [dateheaderformat iso|rfc2822|<String>] [dateheaderconverttimezone [<Boolean>]]
 #	[showlabels] [showbody] [showhtml] [showdate] [showsize] [showsnippet]
@@ -72026,7 +72079,9 @@ def printShowMessages(users):
 #	    [showattachments [noshowtextplain]]]
 #	(addcsvdata <FieldName> <String>)*
 # gam <UserTypeEntity> show thread|threads
-#	(((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])* [quick|notquick] [max_to_show <Number>] [includespamtrash])|(ids <ThreadIDEntity>)
+#	(((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])*
+#	 [labelids <LabelIDList>]
+#	 [quick|notquick] [max_to_show <Number>] [includespamtrash])|(ids <ThreadIDEntity>)
 #	[labelmatchpattern <REMatchPattern>]
 #	[headers all|<SMTPHeaderList>] [dateheaderformat iso|rfc2822|<String>] [dateheaderconverttimezone [<Boolean>]]
 #	[showlabels] [showbody] [showhtml] [showdate] [showsize] [showsnippet]

src/gam/gamlib/glapi.py

@@ -226,15 +226,15 @@ _INFO = {
   CHROMEMANAGEMENT_TELEMETRY: {'name': 'Chrome Management API - Telemetry', 'version': 'v1', 'v2discovery': True, 'mappedAPI': CHROMEMANAGEMENT},
   CHROMEPOLICY: {'name': 'Chrome Policy API', 'version': 'v1', 'v2discovery': True},
   CHROMEVERSIONHISTORY: {'name': 'Chrome Version History API', 'version': 'v1', 'v2discovery': True},
-  CLOUDCHANNEL: {'name': 'Channel Channel API', 'version': 'v1', 'v2discovery': True},
-  CLOUDIDENTITY_DEVICES: {'name': 'Cloud Identity Devices API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
-  CLOUDIDENTITY_GROUPS: {'name': 'Cloud Identity Groups API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
-  CLOUDIDENTITY_GROUPS_BETA: {'name': 'Cloud Identity Groups API', 'version': 'v1beta1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
-  CLOUDIDENTITY_INBOUND_SSO: {'name': 'Cloud Identity Inbound SSO API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
-  CLOUDIDENTITY_ORGUNITS: {'name': 'Cloud Identity OrgUnits API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
-  CLOUDIDENTITY_ORGUNITS_BETA: {'name': 'Cloud Identity OrgUnits API', 'version': 'v1beta1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
-  CLOUDIDENTITY_POLICY: {'name': 'Cloud Identity Policy API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
-  CLOUDIDENTITY_USERINVITATIONS: {'name': 'Cloud Identity User Invitations API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
+  CLOUDCHANNEL: {'name': 'Cloud Channel API', 'version': 'v1', 'v2discovery': True},
+  CLOUDIDENTITY_DEVICES: {'name': 'Cloud Identity API - Devices', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
+  CLOUDIDENTITY_GROUPS: {'name': 'Cloud Identity API - Groups', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
+  CLOUDIDENTITY_GROUPS_BETA: {'name': 'Cloud Identity API - Groups Beta', 'version': 'v1beta1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
+  CLOUDIDENTITY_INBOUND_SSO: {'name': 'Cloud Identity API - Inbound SSO Settings', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
+  CLOUDIDENTITY_ORGUNITS: {'name': 'Cloud Identity API - OrgUnits', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
+  CLOUDIDENTITY_ORGUNITS_BETA: {'name': 'Cloud Identity API - OrgUnits Beta', 'version': 'v1beta1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
+  CLOUDIDENTITY_POLICY: {'name': 'Cloud Identity API - Policy', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
+  CLOUDIDENTITY_USERINVITATIONS: {'name': 'Cloud Identity API - User Invitations', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
   CLOUDRESOURCEMANAGER: {'name': 'Cloud Resource Manager API v3', 'version': 'v3', 'v2discovery': True},
   CONTACTS: {'name': 'Contacts API', 'version': 'v3', 'v2discovery': False},
   CONTACTDELEGATION: {'name': 'Contact Delegation API', 'version': 'v1', 'v2discovery': True, 'localjson': True},
@@ -258,13 +258,13 @@ _INFO = {
   LICENSING: {'name': 'License Manager API', 'version': 'v1', 'v2discovery': True},
   LOOKERSTUDIO: {'name': 'Looker Studio API', 'version': 'v1', 'v2discovery': True, 'localjson': True},
   MEET: {'name': 'Meet API', 'version': 'v2', 'v2discovery': True},
-  MEET_BETA: {'name': 'Meet API', 'version': 'v2beta', 'v2discovery': True, 'localjson': True, 'mappedAPI': MEET},
+  MEET_BETA: {'name': 'Meet API Beta', 'version': 'v2beta', 'v2discovery': True, 'localjson': True, 'mappedAPI': MEET},
   OAUTH2: {'name': 'OAuth2 API', 'version': 'v2', 'v2discovery': False},
   ORGPOLICY: {'name': 'Organization Policy API', 'version': 'v2', 'v2discovery': True},
   PEOPLE: {'name': 'People API', 'version': 'v1', 'v2discovery': True},
   PEOPLE_DIRECTORY: {'name': 'People Directory API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': PEOPLE},
   PEOPLE_OTHERCONTACTS: {'name': 'People  API - Other Contacts', 'version': 'v1', 'v2discovery': True, 'mappedAPI': PEOPLE},
-  PRINTERS: {'name': 'Directory API Printers', 'version': 'directory_v1', 'v2discovery': True, 'mappedAPI': 'admin'},
+  PRINTERS: {'name': 'Directory API - Printers', 'version': 'directory_v1', 'v2discovery': True, 'mappedAPI': 'admin'},
   PUBSUB: {'name': 'Pub / Sub API', 'version': 'v1', 'v2discovery': True},
   REPORTS: {'name': 'Reports API', 'version': 'reports_v1', 'v2discovery': True, 'mappedAPI': 'admin'},
   RESELLER: {'name': 'Reseller API', 'version': 'v1', 'v2discovery': True},
@@ -362,29 +362,29 @@ _CLIENT_SCOPES = [
    'subscopes': READONLY,
    'offByDefault': True,
    'scope': 'https://www.googleapis.com/auth/apps.order'},
-  {'name': 'Cloud Identity Groups API',
+  {'name': 'Cloud Identity API - Groups',
    'api': CLOUDIDENTITY_GROUPS,
    'subscopes': READONLY,
    'scope': 'https://www.googleapis.com/auth/cloud-identity.groups'},
-  {'name': 'Cloud Identity Groups API Beta (Enables group locking/unlocking)',
+  {'name': 'Cloud Identity API - Groups Beta (Enables group locking/unlocking)',
    'api': CLOUDIDENTITY_GROUPS_BETA,
    'subscopes': [],
    'scope': 'https://www.googleapis.com/auth/cloud-identity.groups'},
-  {'name': 'Cloud Identity - Inbound SSO Settings',
+  {'name': 'Cloud Identity API - Inbound SSO Settings',
    'api': CLOUDIDENTITY_INBOUND_SSO,
    'subscopes': READONLY,
    'scope': 'https://www.googleapis.com/auth/cloud-identity.inboundsso'},
-  {'name': 'Cloud Identity OrgUnits API',
+  {'name': 'Cloud Identity API - OrgUnits Beta',
    'api': CLOUDIDENTITY_ORGUNITS_BETA,
    'subscopes': READONLY,
    'scope': 'https://www.googleapis.com/auth/cloud-identity.orgunits'},
-  {'name': 'Cloud Identity - Policy',
+  {'name': 'Cloud Identity API - Policy',
    'api': CLOUDIDENTITY_POLICY,
    'subscopes': READONLY,
    'roByDefault': True,
    'scope': 'https://www.googleapis.com/auth/cloud-identity.policies'
   },
-  {'name': 'Cloud Identity User Invitations API',
+  {'name': 'Cloud Identity API - User Invitations',
    'api': CLOUDIDENTITY_USERINVITATIONS,
    'subscopes': READONLY,
    'scope': 'https://www.googleapis.com/auth/cloud-identity.userinvitations'},
@@ -833,3 +833,27 @@ def getSvcAcctScopesList(userServiceAccountAccessOnly, svcAcctSpecialScopes):
 
 def hasLocalJSON(api):
   return _INFO[api].get('localjson', False)
+
+def findAPIforScope(scopesList):
+  def checkScopeMatch(scope, cscope):
+    if cscope['scope'] == scope:
+      requiredAPIs.append(cscope['name'])
+      return True
+    if cscope['subscopes'] == READONLY and cscope['scope']+'.readonly' == scope:
+      requiredAPIs.append(cscope['name']+' (supports readonly)')
+      return True
+    return False
+    
+  requiredAPIs = []
+  for scope in scopesList:
+    for cscope in _CLIENT_SCOPES:
+      if checkScopeMatch(scope, cscope):
+        break
+    else:
+      for cscope in _SVCACCT_SCOPES:
+        if checkScopeMatch(scope, cscope):
+          break
+  if not requiredAPIs:
+    requiredAPIs = scopesList
+  return ' or '.join(requiredAPIs)
+    

src/gam/gamlib/glmsgs.py

@@ -184,8 +184,8 @@ ALREADY_EXISTS_IN_TARGET_FOLDER = 'Already exists in {0}: {1}'
 ALREADY_EXISTS_USE_MERGE_ARGUMENT = 'Already exists; use the "merge" argument to merge the labels'
 API_ACCESS_DENIED = 'API access Denied'
 API_CALLS_RETRY_DATA = 'API calls retry data\n'
-API_CHECK_CLIENT_AUTHORIZATION = 'Please make sure the Client ID: {0} is authorized for the appropriate API or scopes:\n{1}\n\nRun: gam oauth create\n'
-API_CHECK_SVCACCT_AUTHORIZATION = 'Please make sure the Service Account Client ID: {0} is authorized for the appropriate API or scopes:\n{1}\n\nRun: gam user {2} update serviceaccount\n'
+API_CHECK_CLIENT_AUTHORIZATION = 'Please make sure the Client ID: {0} is authorized for the appropriate API or scopes: {1}\n\nRun: gam oauth create\n'
+API_CHECK_SVCACCT_AUTHORIZATION = 'Please make sure the Service Account Client ID: {0} is authorized for the appropriate API or scopes: {1}\n\nRun: gam user {2} update serviceaccount\n'
 API_ERROR_SETTINGS = 'API error, some settings not set'
 ARE_BOTH_REQUIRED = 'Arguments {0} and {1} are both required'
 ARE_MUTUALLY_EXCLUSIVE = 'Arguments {0} and {1} are mutually exclusive'
@@ -425,7 +425,7 @@ NO_LABELS_TO_PROCESS = 'No Labels to process'
 NO_MESSAGES_WITH_LABEL = 'No Messages with Label'
 NO_PARENTS_TO_CONVERT_TO_SHORTCUTS = 'No parents to convert to shortcuts'
 NO_REPORT_AVAILABLE = 'No {0} report available.'
-NO_SCOPES_FOR_API = 'There are no scopes authorized for the {0}'
+NO_SCOPES_FOR_API = 'There are no scopes authorized for the API(s): {0}'
 NO_SERIAL_NUMBERS_SPECIFIED = 'No serial numbers specified'
 NO_SSO_PROFILE_MATCHES = 'No SSO profile matches display name {0}'
 NO_SSO_PROFILE_ASSIGNED = 'No SSO profile assigned to {0} {1}'

wiki/Authorization.md

@@ -5,7 +5,7 @@
 - [Python Regular Expressions](Python-Regular-Expressions)
 - [Definitions](#definitions)
 - [Manage Projects](#manage-projects)
-  - [Authorize a super admin to create projects](#authorize-a-super-admin-to-create-projects)
+  - [Authorize a user to create projects](#authorize-a-user-to-create-projects)
   - [Authorize Service Account Key Uploads](#authorize-service-account-key-uploads)
   - [Authorize GAM to create projects](#authorize-gam-to-create-projects)
   - [Create a new GCP project folder](#create-a-new-gcp-project-folder)
@@ -74,11 +74,6 @@ Verify that all scopes are available:
 * Select "ON for everyone"
 * Click "SAVE"
 
-Verify that internal apps are trusted.
-* Access the admin console and go to Security -> Access and data control -> API Controls
-* Check that "Trust internal, domain-owned apps" is present in the **Settings** section
-* Click "SAVE"
-
 If you run a Google Workspace Education SKU, verify that Classroom API is enabled if required.
 * Access the admin console and go to Apps -> Google Workspace - Classroom
 * Expand "Data access"
@@ -110,12 +105,13 @@ Verify whether the super admin you'll be using is in an OU where reauthenticatio
 * Access the admin console and go to Security -> Overview
 * Scroll down and open Google Cloud session control section
 * Select the OU containing the super admin
-* If Require reauthentication is selected and Exempt Trusted apps is not checked, you'll have to do `gam oauth create` at whatever frequency is specified
-* If that sounds unappealing, check Exempt Trusted apps
-* Click "OVERRIDE"
+* If Require reauthentication is selected, you'll need either:
+  * uncheck Google Cloud Storage and any other GCP APIs that you selected on `gam oauth create` (reauth is only necessary for GCP APIs)
+  * enable "Exempt Trusted apps"
+  * rerun `gam oauth create` at whatever frequency is specified
 
 Additional steps may be required if errors are encountered.
-* [Authorize a super admin to create projects](#authorize-a-super-admin-to-create-projects)
+* [Authorize a user to create projects](#authorize-a-user-to-create-projects)
 * [Authorize Service Account Key Uploads](#authorize-service-account-key-uploads)
 * [Authorize GAM to create projects](#authorize-gam-to-create-projects)
 
@@ -169,8 +165,8 @@ For `print|show projects`, you can eliminate the password prompt and authenticat
 gam print projects admin admin@domain.com
 ```
 
-## Authorize a super admin to create projects
-If you try to create a project and get an error saying that the admin you specified is not authorized to create projects,
+## Authorize a user to create projects
+If you try to create a project and get an error saying that the user you specified is not authorized to create projects,
 perform these steps and then retry the create project command.
 
 * Login as an existing super admin at console.cloud.google.com
@@ -184,13 +180,12 @@ perform these steps and then retry the create project command.
 * Click in the Select a role box
 * Type project creator in the Filter box
 * Click Project Creator
-* Click + Add Another Role
-* Type orgpolicy.policyAdmin in the Filter box
-* Click Organization Policy Administrator
 * Click Save
 
 ## Authorize Service Account Key Uploads
 
+*IMPORTANT:* Google best practice is to NOT use service account keys. Rather than overriding Google's default policy please consider [running GAM on Google Compute Engine Securely](https://github.com/GAM-team/GAM/wiki/l-Running-GAM-on-Google-Compute-Engine-(GCE)-Securely) so that service account keys are not necessary.
+
 If you try to create a project and get an error saying that Constraint `constraints/iam.disableServiceAccountKeyUpload violated for service account projects/gam-project-xxxxx`,
 perform these steps and then you should be able to authorize and use your project.
 

wiki/Cloud-Identity-Groups.md

@@ -20,7 +20,8 @@
 
 ## Query documentation
 * [Cloud Identity Groups API - Search Dynamic Groups](https://cloud.google.com/identity/docs/reference/rest/v1/groups#dynamicgroupquery)
-* [Member REstrictions](https://cloud.google.com/identity/docs/reference/rest/v1/SecuritySettings#MemberRestriction)
+* [Dynamic Groups Member Attributes](https://cloud.google.com/identity/docs/how-to/dynamic-groups-attributes)
+* [Member Restrictions](https://cloud.google.com/identity/docs/reference/rest/v1/SecuritySettings#MemberRestriction)
 
 ## Notes
 

wiki/Cloud-Identity-Policies.md

@@ -12,14 +12,28 @@
 
 ## Notes
 To use these commands you must update your client access authentication.
-You'll enter 19R to turn on the Cloud Identity Policy scope; then continue
+You'll enter 20r to turn on the Cloud Identity Policy scope; then continue
 with authentication.
 ```
 gam oauth delete
 gam oauth create
 ...
-[R] 19)  Cloud Identity - Policy
+[R] 20)  Cloud Identity - Policy (supports readonly)
 ```
+You must enable access to policies in the GCP cloud console.
+
+* Login at console.cloud.google.com
+* In the upper left click the three lines to the left of Google Cloud and select IAM & Admin
+* Under IAM & Admin select IAM
+* Click in the box to the right of Google Cloud
+* Click the three dots at the right and select IAM/Permissions
+* Now you should be at "Permissions for organization ..."
+* Click on Grant Access
+* Enter the GAM project creator address in Principals
+* Click in the Select a role box
+* Type orgpolicy.policyAdmin in the Filter box
+* Click Organization Policy Administrator
+* Click Save
 
 ## Definitions
 ```

wiki/GamUpdates.md

@@ -10,13 +10,33 @@ Add the `-s` option to the end of the above commands to suppress creating the `g
 
 See [Downloads-Installs-GAM7](https://github.com/GAM-team/GAM/wiki/Downloads-Installs) for Windows or other options, including manual installation
 
+### 7.10.09
+
+Added option `showwebviewlink` to `gam [<UserTypeEntity>] print|show shareddrives` that
+displays the web view link for the Shared Drive: `https://drive.google.com/drive/folders/<SharedDriveID>`.
+
+### 7.10.08
+
+Fixed bug in commands that modify messages where the `labelids <LabelIdList>` option
+could not be used unless one of these options was also specified: `query`, `matchlabel`, `ids`;
+it can be now be used by itself.
+
+### 7.10.07
+
+Updated `gam <UserTypeEntity> copy|move drivefile` to hanndle additional instances of
+the `cannotModifyInheritedPermission` error.
+
+Added license SKU `Google AI Ultra for Business`
+* ProductID - 101047
+* SKUID - 1010470008 | geminiultra
+
 ### 7.10.06
 
 Added option `clientstates` to `gam print devices` to include client states in device output.
 
 ### 7.10.05
 
-Google renamed an error: cannotModifyInheritedTeamDrivePermission became cannotModifyInheritedPermission.
+Google renamed an error: `cannotModifyInheritedTeamDrivePermission` became `cannotModifyInheritedPermission`.
 GAM will now handle the new error.
 
 ### 7.10.04

wiki/How-to-Upgrade-Legacy-GAM-to-GAM7.md

@@ -251,7 +251,7 @@ writes the credentials into the file oauth2.txt.
 admin@server:/Users/admin$ rm -f /Users/admin/GAMConfig/oauth2.txt
 admin@server:/Users/admin$ gam version
 WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: /Users/admin/GAMConfig/oauth2.txt, Not Found
-GAM 7.10.06 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.10.09 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.5 64-bit final
 MacOS Sequoia 15.5 x86_64
@@ -989,7 +989,7 @@ writes the credentials into the file oauth2.txt.
 C:\>del C:\GAMConfig\oauth2.txt
 C:\>gam version
 WARNING: Config File: C:\GAMConfig\gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: C:\GAMConfig\oauth2.txt, Not Found
-GAM 7.10.06 - https://github.com/GAM-team/GAM - pythonsource
+GAM 7.10.09 - https://github.com/GAM-team/GAM - pythonsource
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.5 64-bit final
 Windows-10-10.0.17134 AMD64

wiki/Licenses.md

@@ -62,6 +62,7 @@
 | Gemini Education | 1010470004 | geminiedu |
 | Gemini Education Premium | 1010470005 | geminiedupremium |
 | Gemini Enterprise | 1010470001 | geminient | duetai |
+| Google AI Ultra for Business | 1010470008 | geminiultra |
 | Google Apps Message Security | Google-Apps-For-Postini | postini |
 | Google Chrome Device Management | Google-Chrome-Device-Management | cdm |
 | Google Drive Storage 16TB | Google-Drive-storage-16TB | 16tb |

wiki/Shared-Drives.md

@@ -372,7 +372,9 @@ By default, Gam displays the information as an indented list of keys and values.
 gam [<UserTypeEntity>] show shareddrives
         [adminaccess|asadmin] [teamdriveadminquery|query <QueryTeamDrive>]
         [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
-        [fields <SharedDriveFieldNameList>] [formatjson]
+        [fields <SharedDriveFieldNameList>]
+        [showwebviewlink]
+        [formatjson]
 ```
 By default, all Shared Drives are displayed; use the following options to select a subset of Shared Drives:
 * `teamdriveadminquery|query <QueryTeamDrive>` - Use a query to select Shared Drives
@@ -385,7 +387,9 @@ By default, Gam displays the information as an indented list of keys and values.
 gam [<UserTypeEntity>] print shareddrives [todrive <ToDriveAttribute>*]
         [adminaccess|asadmin] [teamdriveadminquery|query <QueryTeamDrive>]
         [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
-        [fields <SharedDriveFieldNameList>] [formatjson [quotechar <Character>]]
+        [fields <SharedDriveFieldNameList>]
+        [showwebviewlink]
+        [formatjson [quotechar <Character>]]
 ```
 By default, all Shared Drives are displayed; use the following options to select a subset of Shared Drives:
 * `teamdriveadminquery|query <QueryTeamDrive>` - Use a query to select Shared Drives

wiki/Users-Shared-Drives.md

@@ -318,6 +318,7 @@ gam <UserTypeEntity> show shareddriveinfo <SharedDriveEntity>
 gam <UserTypeEntity> show shareddrives
         [matchname <REMatchPattern>] (role|roles <SharedDriveACLRoleList>)*
         [fields <SharedDriveFieldNameList>]
+        [showwebviewlink]
         [guiroles [<Boolean>] [formatjson]
 ```
 By default, Gam displays all Teams Drives accessible by the user.
@@ -329,7 +330,9 @@ By default, Gam displays the information as an indented list of keys and values.
 ```
 gam <UserTypeEntity> print shareddrives [todrive <ToDriveAttribute>*]
         [matchname <REMatchPattern>] (role|roles <SharedDriveACLRoleList>)*
-        [fields <SharedDriveFieldNameList>] [formatjson [quotechar <Character>]]
+        [fields <SharedDriveFieldNameList>]
+        [showwebviewlink]
+        [guiroles [<Boolean>]] [formatjson [quotechar <Character>]]
 ```
 By default, Gam displays all Teams Drives accessible by the user.
 * `matchname <REMatchPattern>` - Display Shared Drives with names that match a pattern.

wiki/Version-and-Help.md

@@ -3,7 +3,7 @@
 Print the current version of Gam with details
 ```
 gam version
-GAM 7.10.06 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.10.09 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.5 64-bit final
 MacOS Sequoia 15.5 x86_64
@@ -15,7 +15,7 @@ Time: 2023-06-02T21:10:00-07:00
 Print the current version of Gam with details and time offset information
 ```
 gam version timeoffset
-GAM 7.10.06 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.10.09 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.5 64-bit final
 MacOS Sequoia 15.5 x86_64
@@ -27,7 +27,7 @@ Your system time differs from www.googleapis.com by less than 1 second
 Print the current version of Gam with extended details and SSL information
 ```
 gam version extended
-GAM 7.10.06 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.10.09 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.5 64-bit final
 MacOS Sequoia 15.5 x86_64
@@ -64,7 +64,7 @@ MacOS High Sierra 10.13.6 x86_64
 Path: /Users/Admin/bin/gam7
 Version Check:
   Current: 5.35.08
-   Latest: 7.10.06
+   Latest: 7.10.09
 echo $?
 1
 ```
@@ -72,7 +72,7 @@ echo $?
 Print the current version number without details
 ```
 gam version simple
-7.10.06
+7.10.09
 ```
 In Linux/MacOS you can do:
 ```
@@ -82,7 +82,7 @@ echo $VER
 Print the current version of Gam and address of this Wiki
 ```
 gam help
-GAM 7.10.06 - https://github.com/GAM-team/GAM
+GAM 7.10.09 - https://github.com/GAM-team/GAM
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.5 64-bit final
 MacOS Sequoia 15.5 x86_64