Update build.yml

* Cleanup

* Update oauth.py

.github/workflows/build.yml

@@ -12,10 +12,10 @@ defaults:
     working-directory: src
 
 env:
-  OPENSSL_CONFIG_OPTS: no-asm no-fips
-  OPENSSL_INSTALL_PATH: ${{ github.workspace }}/src/ssl
+  OPENSSL_CONFIG_OPTS: no-fips
+  OPENSSL_INSTALL_PATH: ${{ github.workspace }}/bin/ssl
   OPENSSL_SOURCE_PATH: ${{ github.workspace }}/src/openssl
-  PYTHON_INSTALL_PATH: ${{ github.workspace }}/src/python
+  PYTHON_INSTALL_PATH: ${{ github.workspace }}/bin/python
   PYTHON_SOURCE_PATH: ${{ github.workspace }}/src/cpython
 
 jobs:
@@ -25,44 +25,50 @@ jobs:
       matrix:
         include:
           - os: ubuntu-20.04
+            jid: 1
+            goal: build
+            arch: x86_64
+            openssl_archs: linux-x86_64
+          - os: [self-hosted, linux, arm64]
             jid: 2
             goal: build
-            arch: x86_64
-          - os: macos-11
+            arch: aarch64
+            openssl_archs: linux-aarch64
+          - os: [self-hosted, linux, arm]
             jid: 3
             goal: build
-            arch: x86_64
-          - os: windows-2022
+            arch: armv7l
+            openssl_archs: linux-armv4
+          - os: macos-11
             jid: 4
             goal: build
-            arch: Win64
+            arch: universal2
+            openssl_archs: darwin64-x86_64 darwin64-arm64
           - os: windows-2022
             jid: 5
             goal: build
+            arch: Win64
+            openssl_archs: VC-WIN64A
+          - os: windows-2022
+            jid: 6
+            goal: build
             arch: Win32
+            openssl_archs: VC-WIN32
           - os: ubuntu-20.04
             goal: test
             python: "3.7"
-            jid: 6
-            arch: x86_64
-          - os: ubuntu-20.04
-            goal: test
-            python: "3.8"
             jid: 7
             arch: x86_64
           - os: ubuntu-20.04
             goal: test
-            python: "3.9"
+            python: "3.8"
             jid: 8
             arch: x86_64
-          - os: [self-hosted, linux, arm64]
+          - os: ubuntu-20.04
+            goal: test
+            python: "3.9"
             jid: 9
-            goal: build
-            arch: aarch64
-          - os: [self-hosted, linux, arm]
-            jid: 10
-            goal: build
-            arch: armv7l
+            arch: x86_64
 
     steps:
 
@@ -76,9 +82,8 @@ jobs:
         id: cache-python-ssl
         with:
           path: |
-            src/python
-            src/ssl
-          key: gam-${{ matrix.jid }}-20220131
+            bin
+          key: gam-${{ matrix.jid }}-20220316-01
 
       - name: Use pre-compiled Python for testing
         if: matrix.python != ''
@@ -105,7 +110,6 @@ jobs:
              echo "JID=${JID}" >> $GITHUB_ENV
              echo "ACTIONS_CACHE=${ACTIONS_CACHE}" >> $GITHUB_ENV
              echo "ACTIONS_GOAL=${ACTIONS_GOAL}" >> $GITHUB_ENV
-             echo "date=date" >> $GITHUB_ENV
 
       - name: Install necessary hosted Linux packages
         if: matrix.os == 'ubuntu-20.04'
@@ -114,6 +118,22 @@ jobs:
           sudo apt-get -qq --yes update
           sudo apt-get -qq --yes install swig libpcsclite-dev
 
+      - name: MacOS remove Homebrew
+        if: matrix.os == 'macos-11'
+        run: |
+          # remove everything except the libraries needed by yubikey-manager
+          brew uninstall $(brew list | grep -v 'pcre\|swig\|pcsc-lite')
+
+      - name: MacOS install tools
+        if: matrix.os == 'macos-11'
+        run: |
+          # Install latest Rust
+          curl -fsS -o rust.sh https://sh.rustup.rs
+          bash ./rust.sh -y
+          source $HOME/.cargo/env
+          # needed for Rust to compile cryptography Python package for universal2
+          rustup target add aarch64-apple-darwin
+
       - name: Windows Configure VCode
         uses: ilammy/msvc-dev-cmd@v1
         if: matrix.os == 'windows-2022' && steps.cache-python-ssl.outputs.cache-hit != 'true'
@@ -125,54 +145,44 @@ jobs:
         env:
           arch: ${{ matrix.arch }}
           jid: ${{ matrix.jid }}
+          openssl_archs: ${{ matrix.openssl_archs }}
         run: |
           echo "We are running on ${RUNNER_OS}"
           if [[ "${arch}" == "Win64" ]]; then
             PYEXTERNALS_PATH="amd64"
             PYBUILDRELEASE_ARCH="x64"
-            OPENSSL_CONFIG_TARGET="VC-WIN64A"
             GAM_ARCHIVE_ARCH="x86_64"
             WIX_ARCH="x64"
             CHOC_OPS=""
           elif [[ "${arch}" == "Win32" ]]; then
             PYEXTERNALS_PATH="win32"
             PYBUILDRELEASE_ARCH="Win32"
-            OPENSSL_CONFIG_TARGET="VC-WIN32"
             GAM_ARCHIVE_ARCH="x86"
             WIX_ARCH="x86"
             CHOC_OPS="--forcex86"
           fi
           if [[ "${RUNNER_OS}" == "macOS" ]]; then
-            brew install coreutils
-            brew install bash
+            #brew install coreutils
+            #brew install bash
             MAKE=make
             MAKEOPT="-j$(sysctl -n hw.logicalcpu)"
             PERL=perl
-            # We only care about non-deprecated OSes
-            MACOSX_DEPLOYMENT_TARGET="10.15"
-            echo "MACOSX_DEPLOYMENT_TARGET=${MACOSX_DEPLOYMENT_TARGET}" >> $GITHUB_ENV
+            echo "MACOSX_DEPLOYMENT_TARGET=10.15" >> $GITHUB_ENV
             echo "PYTHON=${PYTHON_INSTALL_PATH}/bin/python3" >> $GITHUB_ENV
-            export date=gdate
-            export realpath=grealpath
+            echo "PIP_ARGS=--no-binary=:all:" >> $GITHUB_ENV
           elif [[ "${RUNNER_OS}" == "Linux" ]]; then
             MAKE=make
             MAKEOPT="-j$(nproc)"
             PERL=perl
             echo "PYTHON=${PYTHON_INSTALL_PATH}/bin/python3" >> $GITHUB_ENV
-            export date=date
-            export realpath=realpath
           elif [[ "${RUNNER_OS}" == "Windows" ]]; then
             MAKE=nmake
             MAKEOPT=""
             PERL="c:\strawberry\perl\bin\perl.exe"
             echo "PYTHON=${PYTHON_INSTALL_PATH}\python.exe" >> $GITHUB_ENV
-            export date=date
-            export realpath=realpath
             echo "GAM_ARCHIVE_ARCH=${GAM_ARCHIVE_ARCH}" >> $GITHUB_ENV
             echo "WIX_ARCH=${WIX_ARCH}" >> $GITHUB_ENV
           fi
-          echo "date=${date}" >> $GITHUB_ENV
-          echo "realpath=${realpath}" >> $GITHUB_ENV
           echo "We'll run make with: ${MAKEOPT}"
           echo "JID=${jid}" >> $GITHUB_ENV
           echo "arch=${arch}" >> $GITHUB_ENV
@@ -181,13 +191,15 @@ jobs:
           echo "PERL=${PERL}" >> $GITHUB_ENV
           echo "PYEXTERNALS_PATH=${PYEXTERNALS_PATH}" >> $GITHUB_ENV
           echo "PYBUILDRELEASE_ARCH=${PYBUILDRELEASE_ARCH}" >> $GITHUB_ENV
-          echo "OPENSSL_CONFIG_TARGET=${OPENSSL_CONFIG_TARGET}" >> $GITHUB_ENV
+          echo "openssl_archs=${openssl_archs}" >> $GITHUB_ENV
           echo "LD_LIBRARY_PATH=${OPENSSL_INSTALL_PATH}/lib:${PYTHON_INSTALL_PATH}/lib" >> $GITHUB_ENV
           #echo "PATH=${PATH}:${PYTHON_INSTALL_PATH}/scripts" >> $GITHUB_ENV
 
       - name: Get latest stable OpenSSL source
         if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit != 'true'
         run: |
+          mkdir -vp "${GITHUB_WORKSPACE}/src"
+          cd "${GITHUB_WORKSPACE}/src"
           git clone https://github.com/openssl/openssl.git
           cd "${OPENSSL_SOURCE_PATH}"
           export LATEST_STABLE_TAG=$(git tag --list openssl-* | grep -v alpha | grep -v beta | sort -Vr | head -n1)
@@ -195,6 +207,16 @@ jobs:
           git checkout "${LATEST_STABLE_TAG}"
           export COMPILED_OPENSSL_VERSION=${LATEST_STABLE_TAG:8} # Trim the openssl- prefix
           echo "COMPILED_OPENSSL_VERSION=${COMPILED_OPENSSL_VERSION}" >> $GITHUB_ENV
+          if [[ "${RUNNER_OS}" == "macOS" ]]; then
+            for openssl_arch in $openssl_archs; do
+              ssldir="${OPENSSL_SOURCE_PATH}-${openssl_arch}"
+              mkdir -v "${ssldir}"
+              cp -vrf ${OPENSSL_SOURCE_PATH}/* "${ssldir}/"
+            done
+            rm -vrf "${OPENSSL_SOURCE_PATH}"
+          else
+            mv -v "${OPENSSL_SOURCE_PATH}" "${OPENSSL_SOURCE_PATH}-${openssl_archs}"
+          fi
 
       - name: Windows NASM Install
         uses: ilammy/setup-nasm@v1
@@ -203,9 +225,11 @@ jobs:
       - name: Config OpenSSL
         if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit != 'true'
         run: |
-          cd "${OPENSSL_SOURCE_PATH}"
-          # --libdir=lib is needed so Python can find OpenSSL libraries
-          "${PERL}" ./Configure "${OPENSSL_CONFIG_TARGET}" --libdir=lib --prefix="${OPENSSL_INSTALL_PATH}" $OPENSSL_CONFIG_OPTS
+          for openssl_arch in $openssl_archs; do
+            cd "${GITHUB_WORKSPACE}/src/openssl-${openssl_arch}"
+            # --libdir=lib is needed so Python can find OpenSSL libraries
+            "${PERL}" ./Configure "${openssl_arch}" --libdir=lib --prefix="${OPENSSL_INSTALL_PATH}" $OPENSSL_CONFIG_OPTS
+          done
 
       - name: Rename GNU link on Windows
         if: matrix.goal == 'build' && matrix.os == 'windows-2022' && steps.cache-python-ssl.outputs.cache-hit != 'true'
@@ -215,24 +239,54 @@ jobs:
       - name: Make OpenSSL
         if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit != 'true'
         run: |
-          cd "${OPENSSL_SOURCE_PATH}"
-          $MAKE "${MAKEOPT}"
+          for openssl_arch in $openssl_archs; do
+            cd "${GITHUB_WORKSPACE}/src/openssl-${openssl_arch}"
+            $MAKE "${MAKEOPT}"
+          done
 
       - name: Install OpenSSL
         if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit != 'true'
         run: |
-          cd "${OPENSSL_SOURCE_PATH}"
-          # install_sw saves us ages processing man pages :-)
-          $MAKE install_sw
+          if [[ "${RUNNER_OS}" == "macOS" ]]; then
+            for openssl_arch in $openssl_archs; do
+              cd "${GITHUB_WORKSPACE}/src/openssl-${openssl_arch}"
+              # install_sw saves us ages processing man pages :-)
+              $MAKE install_sw
+              mv "${OPENSSL_INSTALL_PATH}" "${GITHUB_WORKSPACE}/bin/ssl-${openssl_arch}"
+            done
+            mkdir -vp "${OPENSSL_INSTALL_PATH}/lib"
+            mkdir -vp "${OPENSSL_INSTALL_PATH}/bin"
+            for archlib in libcrypto.3.dylib libssl.3.dylib libcrypto.a libssl.a; do
+              lipo -create "${GITHUB_WORKSPACE}/bin/ssl-darwin64-x86_64/lib/${archlib}" \
+                           "${GITHUB_WORKSPACE}/bin/ssl-darwin64-arm64/lib/${archlib}" \
+                   -output "${GITHUB_WORKSPACE}/bin/ssl/lib/${archlib}"
+            done
+            mv ${GITHUB_WORKSPACE}/bin/ssl-darwin64-x86_64/include ${GITHUB_WORKSPACE}/bin/ssl/
+            lipo -create "${GITHUB_WORKSPACE}/bin/ssl-darwin64-x86_64/bin/openssl" \
+                         "${GITHUB_WORKSPACE}/bin/ssl-darwin64-arm64/bin/openssl" \
+                 -output "${GITHUB_WORKSPACE}/bin/ssl/bin/openssl"
+            rm -rf ${GITHUB_WORKSPACE}/bin/ssl-darwin64-x86_64
+            rm -rf ${GITHUB_WORKSPACE}/bin/ssl-darwin64-arm64
+            echo "LDFLAGS=-L${OPENSSL_INSTALL_PATH}/lib" >> $GITHUB_ENV
+            echo "CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS=1" >> $GITHUB_ENV
+            echo "CFLAGS=-I${OPENSSL_INSTALL_PATH}/include -arch arm64 -arch x86_64" >> $GITHUB_ENV
+            echo "ARCHFLAGS=-arch x86_64 -arch arm64" >> $GITHUB_ENV
+          else
+            cd "${GITHUB_WORKSPACE}/src/openssl-${openssl_archs}"
+            # install_sw saves us ages processing man pages :-)
+            $MAKE install_sw
+          fi
 
       - name: Run OpenSSL
         if: matrix.goal == 'build'
         run: |
           "${OPENSSL_INSTALL_PATH}/bin/openssl" version
+          file "${OPENSSL_INSTALL_PATH}/bin/openssl"
 
       - name: Get latest stable Python source
         if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit != 'true'
         run: |
+          cd "${GITHUB_WORKSPACE}/src"
           git clone https://github.com/python/cpython.git
           cd "${PYTHON_SOURCE_PATH}"
           export LATEST_STABLE_TAG=$(git tag --list | grep -v a | grep -v rc | grep -v b | sort -Vr | head -n1)
@@ -244,12 +298,18 @@ jobs:
         if: matrix.goal == 'build' && matrix.os != 'windows-2022' && steps.cache-python-ssl.outputs.cache-hit != 'true'
         run: |
           cd "${PYTHON_SOURCE_PATH}"
+          if [[ "${RUNNER_OS}" == "macOS" ]]; then
+            extra_args=( "--enable-universalsdk" "--with-universal-archs=universal2" )
+          else
+            extra_args=( )
+          fi
           ./configure --with-openssl="${OPENSSL_INSTALL_PATH}" \
                       --prefix="${PYTHON_INSTALL_PATH}" \
                       --enable-shared \
                       --with-ensurepip=upgrade \
                       --enable-optimizations \
-                      --with-lto
+                      --with-lto \
+                      "${extra_args[@]}"
 
       - name: Windows Get External Python deps
         if: matrix.goal == 'build' && matrix.os == 'windows-2022' && steps.cache-python-ssl.outputs.cache-hit != 'true'
@@ -271,7 +331,7 @@ jobs:
           $env:OPENSSL_EXT_TARGET_PATH = "${env:OPENSSL_EXT_PATH}${env:PYEXTERNALS_PATH}"
           echo "Copying our OpenSSL to ${env:OPENSSL_EXT_TARGET_PATH}"
           mkdir "${env:OPENSSL_EXT_TARGET_PATH}\include\openssl\"
-          Copy-Item -Path "${env:OPENSSL_SOURCE_PATH}\LICENSE.txt" -Destination "${env:OPENSSL_EXT_TARGET_PATH}\LICENSE"
+          Copy-Item -Path "${env:GITHUB_WORKSPACE}/src/openssl-${env:openssl_archs}\LICENSE.txt" -Destination "${env:OPENSSL_EXT_TARGET_PATH}\LICENSE"
           cp -v "$env:OPENSSL_INSTALL_PATH\lib\*" "${env:OPENSSL_EXT_TARGET_PATH}"
           cp -v "$env:OPENSSL_INSTALL_PATH\bin\*" "${env:OPENSSL_EXT_TARGET_PATH}"
           cp -v "$env:OPENSSL_INSTALL_PATH\include\openssl\*" "${env:OPENSSL_EXT_TARGET_PATH}\include\openssl\"
@@ -354,7 +414,20 @@ jobs:
       - name: Install pip requirements
         run: |
              set +e
-             "${PYTHON}" -m pip install --upgrade -r requirements.txt
+             if [[ "${RUNNER_OS}" == "macOS" ]]; then
+               for package in cryptography; do
+                 "${PYTHON}" -m pip install --upgrade cffi ${PIP_ARGS}
+                 "${PYTHON}" -m pip download --only-binary :all: \
+                                             --dest . \
+                                             --no-cache \
+                                             --no-deps \
+                                             --platform macosx_10_15_universal2 \
+                                             $package
+               "${PYTHON}" -m pip install --force-reinstall --no-deps $package*.whl
+               done
+               find $PYTHON_INSTALL_PATH/lib/python3.10/site-packages -type f -name "*.so" -exec du -sh "{}" \;
+             fi
+             "${PYTHON}" -m pip install --upgrade -r requirements.txt ${PIP_ARGS}
              "${PYTHON}" -m pip list
 
       - name: Build GAM with PyInstaller
@@ -362,7 +435,11 @@ jobs:
         run: |
              export gampath="./dist/gam"
              mkdir -p -v "${gampath}"
-             export gampath="$($realpath $gampath)"
+             if [[ "${RUNNER_OS}" == "macOS" ]]; then
+               export gampath=$($PYTHON -c "import os; print(os.path.realpath('$gampath'))")
+             else
+               export gampath=$(realpath "${gampath}")
+             fi
              export gam="${gampath}/gam"
              echo "gampath=${gampath}" >> $GITHUB_ENV
              echo "gam=${gam}" >> $GITHUB_ENV
@@ -383,7 +460,7 @@ jobs:
           cp -v LICENSE $gampath
           cp -v GamCommands.txt $gampath
           if [[ "${RUNNER_OS}" == "macOS" ]]; then
-              GAM_ARCHIVE="gam-${GAMVERSION}-macos-x86_64.tar.xz"
+              GAM_ARCHIVE="gam-${GAMVERSION}-macos-universal2.tar.xz"
           elif [[ "${RUNNER_OS}" == "Linux" ]]; then
               this_glibc_ver=$(ldd --version | awk '/ldd/{print $NF}')
               GAM_ARCHIVE="gam-${GAMVERSION}-linux-$(arch)-glibc${this_glibc_ver}.tar.xz"
@@ -452,6 +529,9 @@ jobs:
         env:
           PASSCODE: ${{ secrets.PASSCODE }}
         run: |
+             if [[ "${RUNNER_OS}" == "macOS" ]]; then
+               brew install gnupg
+             fi
              source ../.github/actions/decrypt.sh ../.github/actions/creds.tar.gpg creds.tar
              export OAUTHFILE="oauth2.txt-gam-gha-${JID}"
              echo "OAUTHFILE=${OAUTHFILE}" >> $GITHUB_ENV
@@ -462,7 +542,7 @@ jobs:
              $gam oauth refresh
              $gam info user
              #$gam info user $gam_user grouptree
-             export tstamp=$($date +%s%3N)
+             export tstamp=$($PYTHON -c "import time; print(time.time_ns())")
              export newbase=gha-test-$JID-$tstamp
              export newuser=$newbase@pdl.jaylee.us
              export newgroup=$newbase-group@pdl.jaylee.us
@@ -475,9 +555,12 @@ jobs:
                echo "${newbase}-bulkuser-$i" >> sample.csv;
              done
              $gam create user $newuser firstname GHA lastname $JID password random recoveryphone 12125121110 recoveryemail jay0lee@gmail.com gha.jid $JID languages en+,en-GB-
+             $gam user $newuser update photo https://dummyimage.com/400x600/000/fff
+             $gam user $newuser get photo
+             $gam user $newuser delete photo
+             $gam create group $newgroup name "GHA $JID group" description "This is a description" isarchived true
              $gam user $gam_user sendemail recipient $newuser subject "test message $newbase" message "GHA test message"
              $gam user $gam_user sendemail recipient exchange@pdl.jaylee.us subject "test ${tstamp}" message "test message"
-             $gam create group $newgroup name "GHA $JID group" description "This is a description" isarchived true
              $gam update cigroup $newgroup memberrestriction 'member.type == 1 || member.customer_id == groupCustomerId()'
              $gam info cigroup $newgroup
              $gam user $newuser add license workspaceenterpriseplus
@@ -528,14 +611,16 @@ jobs:
              $gam calendar $gam_user add editor $newuser
              $gam calendar $gam_user showacl
              $gam calendar $gam_user printacl | $gam csv - gam calendar $gam_user delete id ~id
-             $gam calendar $gam_user addevent summary "GHA test event" start $($date '+%FT%T.%N%:z' -d "now + 1 hour") end $($date '+%FT%T.%N%:z' -d "now + 2 hours") attendee $newgroup hangoutsmeet guestscanmodify true sendupdates all
+             starttime=$($PYTHON -c "import datetime; print((datetime.datetime.now() + datetime.timedelta(hours=1)).strftime('%Y-%m-%dT%H:%M:%S.%f+00:00'))")
+             endtime=$($PYTHON -c "import datetime; print((datetime.datetime.now() + datetime.timedelta(hours=2)).strftime('%Y-%m-%dT%H:%M:%S.%f+00:00'))")
+             $gam calendar $gam_user addevent summary "GHA test event" start "${starttime}" end "${endtime}" attendee $newgroup hangoutsmeet guestscanmodify true sendupdates all
              $gam calendar $gam_user printevents after -0d
              matterid=uid:$($gam create vaultmatter name "GHA matter $newbase" description "test matter" collaborators $newuser | head -1 | cut -d ' ' -f 3)
              $gam create vaulthold matter $matterid name "GHA hold $newbase" corpus mail accounts $newuser
              $gam print vaultmatters matterstate open
              $gam print vaultholds matter $matterid
              $gam print vaultcount matter $matterid corpus mail everyone todrive
-             $gam create vaultexport matter $matterid name "GHA export $newbase" corpus mail accounts $newuser
+             $gam create vaultexport matter $matterid name "GHA export $newbase" corpus mail accounts $newuser use_new_export true
              $gam print exports matter $matterid | $gam csv - gam info export $matterid id:~~id~~
              $gam csv sample.csv gam user ~email add calendar id:$newresource
              $gam delete resource $newresource
@@ -551,6 +636,8 @@ jobs:
              $gam delete hold "GHA hold $newbase" matter $matterid
              $gam update matter $matterid action close
              $gam update matter $matterid action delete
+             #$gam delete user $newuser
+             #$gam undelete user $newuser
              $gam delete user $newuser
              $gam print users query "gha.jid=$JID" | $gam csv - gam delete user ~primaryEmail
              $gam print mobile
@@ -574,19 +661,19 @@ jobs:
              echo "printer model count:"
              $gam print printermodels | wc -l
              #$gam print printers
-             #$gam create printer displayname "${newbase}" uri ipp://localhost:631 driverless description "made by $(date)"
+             #$gam create printer displayname "${newbase}" uri ipp://localhost:631 driverless description "made by $(gam_user)"
              rm -f -v $gampath/enabledasa.txt
 
-      - name: Upload to Google Drive, build only.
-        if: github.event_name == 'push' && matrix.goal != 'test'
-        run: |
-             ls gam-$GAMVERSION-*
-             for gamfile in gam-$GAMVERSION-*; do
-               echo "Uploading file ${gamfile} to Google Drive..."
-               fileid=$($gam user $gam_user add drivefile localfile $gamfile drivefilename $GAMVERSION-${GITHUB_SHA:0:7}-$gamfile parentid 1N2zbO33qzUQFsGM49-m9AQC1ijzd_ru1 returnidonly)
-               echo "file uploaded as ${fileid}, setting ACL..."
-               $gam user $gam_user add drivefileacl $fileid anyone role reader withlink
-             done
+     # - name: Upload to Google Drive, build only.
+     #   if: github.event_name == 'push' && matrix.goal != 'test'
+     #   run: |
+     #        ls gam-$GAMVERSION-*
+     #        for gamfile in gam-$GAMVERSION-*; do
+     #          echo "Uploading file ${gamfile} to Google Drive..."
+     #          fileid=$($gam user $gam_user add drivefile localfile $gamfile drivefilename $GAMVERSION-${GITHUB_SHA:0:7}-$gamfile parentid 1N2zbO33qzUQFsGM49-m9AQC1ijzd_ru1 returnidonly)
+     #          echo "file uploaded as ${fileid}, setting ACL..."
+     #          $gam user $gam_user add drivefileacl $fileid anyone role reader withlink
+     #        done
 
       - name: Archive production artifacts
         uses: actions/upload-artifact@v2

LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

src/GamCommands.txt

@@ -992,9 +992,9 @@ gam report <ActivityApplicationName> [todrive]
 	[filter|filters <String>] [event <String>] [ip <String>]
 	[groupidfilter <String>]
 
-gam create admin <UserItem> <RoleItem> customer|(org_unit <OrgUnitItem>)
+gam create admin <UserItem> <RoleItem> customer|(org_unit <OrgUnitItem>) [condition securitygroup|nonsecuritygroup]
 gam delete admin <RoleAssignmentId>
-gam print admins [todrive] [user <UserItem>] [role <RoleItem>]
+gam print admins [todrive] [user <UserItem>] [role <RoleItem>] [condition]
 gam create adminrole <String> privileges all|all_ou|<PrivilegesList> [description <String>]
 gam update adminrole <RoleItem> [name <String>] [privileges all|all_ou|<PrivilegesList>] [description <String>]
 gam delete adminrole <RoleItem>
@@ -1052,7 +1052,7 @@ gam info org|ou <OrgUnitPath> [nousers|notsuspended|suspended] [children|child]
 gam print orgs|ous [todrive] [toplevelonly] [from_parent <OrgUnitPath>] [allfields|(fields <OrgUnitFieldNameList>)]
 
 gam create alias|nickname <EmailAddress> user|group|target <UniqueID>|<EmailAddress> [verifynotinvitable]
-gam update alias|nickname <EmailAddress> user|group|target <UniqueID>|<EmailAddress> [verifynotinvitable]
+gam update alias|nickname <EmailAddress> user|group|target <UniqueID>|<EmailAddress> [notargetverify]
 gam delete alias|nickname [user|group|target] <UniqueID>|<EmailAddress>
 gam info alias|nickname <EmailAddress>
 gam print aliases|nicknames [todrive] [shownoneditable] [nogroups] [nousers] [(query <QueryUser>)|(queries <QueryUserList)]

src/LICENSE

@@ -1,547 +0,0 @@
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright [yyyy] [name of copyright owner]
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
-
-
-
-APACHE HTTP SERVER SUBCOMPONENTS:
-
-The Apache HTTP Server includes a number of subcomponents with
-separate copyright notices and license terms. Your use of the source
-code for the these subcomponents is subject to the terms and
-conditions of the following licenses.
-
-For the mod_mime_magic component:
-
-/*
- * mod_mime_magic: MIME type lookup via file magic numbers
- * Copyright (c) 1996-1997 Cisco Systems, Inc.
- *
- * This software was submitted by Cisco Systems to the Apache Group in July
- * 1997.  Future revisions and derivatives of this source code must
- * acknowledge Cisco Systems as the original contributor of this module.
- * All other licensing and usage conditions are those of the Apache Group.
- *
- * Some of this code is derived from the free version of the file command
- * originally posted to comp.sources.unix.  Copyright info for that program
- * is included below as required.
- * ---------------------------------------------------------------------------
- * - Copyright (c) Ian F. Darwin, 1987. Written by Ian F. Darwin.
- *
- * This software is not subject to any license of the American Telephone and
- * Telegraph Company or of the Regents of the University of California.
- *
- * Permission is granted to anyone to use this software for any purpose on any
- * computer system, and to alter it and redistribute it freely, subject to
- * the following restrictions:
- *
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission.  Since few users ever read sources, credits
- * must appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software.  Since few users ever read
- * sources, credits must appear in the documentation.
- *
- * 4. This notice may not be removed or altered.
- * -------------------------------------------------------------------------
- *
- */
-
-
-For the  modules\mappers\mod_imagemap.c component:
-
-  "macmartinized" polygon code copyright 1992 by Eric Haines, erich@eye.com
-
-For the  server\util_md5.c component:
-
-/************************************************************************
- * NCSA HTTPd Server
- * Software Development Group
- * National Center for Supercomputing Applications
- * University of Illinois at Urbana-Champaign
- * 605 E. Springfield, Champaign, IL 61820
- * httpd@ncsa.uiuc.edu
- *
- * Copyright  (C)  1995, Board of Trustees of the University of Illinois
- *
- ************************************************************************
- *
- * md5.c: NCSA HTTPd code which uses the md5c.c RSA Code
- *
- *  Original Code Copyright (C) 1994, Jeff Hostetler, Spyglass, Inc.
- *  Portions of Content-MD5 code Copyright (C) 1993, 1994 by Carnegie Mellon
- *     University (see Copyright below).
- *  Portions of Content-MD5 code Copyright (C) 1991 Bell Communications
- *     Research, Inc. (Bellcore) (see Copyright below).
- *  Portions extracted from mpack, John G. Myers - jgm+@cmu.edu
- *  Content-MD5 Code contributed by Martin Hamilton (martin@net.lut.ac.uk)
- *
- */
-
-
-/* these portions extracted from mpack, John G. Myers - jgm+@cmu.edu */
-/* (C) Copyright 1993,1994 by Carnegie Mellon University
- * All Rights Reserved.
- *
- * Permission to use, copy, modify, distribute, and sell this software
- * and its documentation for any purpose is hereby granted without
- * fee, provided that the above copyright notice appear in all copies
- * and that both that copyright notice and this permission notice
- * appear in supporting documentation, and that the name of Carnegie
- * Mellon University not be used in advertising or publicity
- * pertaining to distribution of the software without specific,
- * written prior permission.  Carnegie Mellon University makes no
- * representations about the suitability of this software for any
- * purpose.  It is provided "as is" without express or implied
- * warranty.
- *
- * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO
- * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE
- * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
- * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
- * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-/*
- * Copyright (c) 1991 Bell Communications Research, Inc. (Bellcore)
- *
- * Permission to use, copy, modify, and distribute this material
- * for any purpose and without fee is hereby granted, provided
- * that the above copyright notice and this permission notice
- * appear in all copies, and that the name of Bellcore not be
- * used in advertising or publicity pertaining to this
- * material without the specific, prior written permission
- * of an authorized representative of Bellcore.  BELLCORE
- * MAKES NO REPRESENTATIONS ABOUT THE ACCURACY OR SUITABILITY
- * OF THIS MATERIAL FOR ANY PURPOSE.  IT IS PROVIDED "AS IS",
- * WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES.
- */
-
-For the  srclib\apr\include\apr_md5.h component:
-/*
- * This is work is derived from material Copyright RSA Data Security, Inc.
- *
- * The RSA copyright statement and Licence for that original material is
- * included below. This is followed by the Apache copyright statement and
- * licence for the modifications made to that material.
- */
-
-/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
-   rights reserved.
-
-   License to copy and use this software is granted provided that it
-   is identified as the "RSA Data Security, Inc. MD5 Message-Digest
-   Algorithm" in all material mentioning or referencing this software
-   or this function.
-
-   License is also granted to make and use derivative works provided
-   that such works are identified as "derived from the RSA Data
-   Security, Inc. MD5 Message-Digest Algorithm" in all material
-   mentioning or referencing the derived work.
-
-   RSA Data Security, Inc. makes no representations concerning either
-   the merchantability of this software or the suitability of this
-   software for any particular purpose. It is provided "as is"
-   without express or implied warranty of any kind.
-
-   These notices must be retained in any copies of any part of this
-   documentation and/or software.
- */
-
-For the  srclib\apr\passwd\apr_md5.c component:
-
-/*
- * This is work is derived from material Copyright RSA Data Security, Inc.
- *
- * The RSA copyright statement and Licence for that original material is
- * included below. This is followed by the Apache copyright statement and
- * licence for the modifications made to that material.
- */
-
-/* MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm
- */
-
-/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
-   rights reserved.
-
-   License to copy and use this software is granted provided that it
-   is identified as the "RSA Data Security, Inc. MD5 Message-Digest
-   Algorithm" in all material mentioning or referencing this software
-   or this function.
-
-   License is also granted to make and use derivative works provided
-   that such works are identified as "derived from the RSA Data
-   Security, Inc. MD5 Message-Digest Algorithm" in all material
-   mentioning or referencing the derived work.
-
-   RSA Data Security, Inc. makes no representations concerning either
-   the merchantability of this software or the suitability of this
-   software for any particular purpose. It is provided "as is"
-   without express or implied warranty of any kind.
-
-   These notices must be retained in any copies of any part of this
-   documentation and/or software.
- */
-/*
- * The apr_md5_encode() routine uses much code obtained from the FreeBSD 3.0
- * MD5 crypt() function, which is licenced as follows:
- * ----------------------------------------------------------------------------
- * "THE BEER-WARE LICENSE" (Revision 42):
- * <phk@login.dknet.dk> wrote this file.  As long as you retain this notice you
- * can do whatever you want with this stuff. If we meet some day, and you think
- * this stuff is worth it, you can buy me a beer in return.  Poul-Henning Kamp
- * ----------------------------------------------------------------------------
- */
-
-For the srclib\apr-util\crypto\apr_md4.c component:
-
- * This is derived from material copyright RSA Data Security, Inc.
- * Their notice is reproduced below in its entirety.
- *
- * Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
- * rights reserved.
- *
- * License to copy and use this software is granted provided that it
- * is identified as the "RSA Data Security, Inc. MD4 Message-Digest
- * Algorithm" in all material mentioning or referencing this software
- * or this function.
- *
- * License is also granted to make and use derivative works provided
- * that such works are identified as "derived from the RSA Data
- * Security, Inc. MD4 Message-Digest Algorithm" in all material
- * mentioning or referencing the derived work.
- *
- * RSA Data Security, Inc. makes no representations concerning either
- * the merchantability of this software or the suitability of this
- * software for any particular purpose. It is provided "as is"
- * without express or implied warranty of any kind.
- *
- * These notices must be retained in any copies of any part of this
- * documentation and/or software.
- */
-
-For the srclib\apr-util\include\apr_md4.h component:
-
- *
- * This is derived from material copyright RSA Data Security, Inc.
- * Their notice is reproduced below in its entirety.
- *
- * Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
- * rights reserved.
- *
- * License to copy and use this software is granted provided that it
- * is identified as the "RSA Data Security, Inc. MD4 Message-Digest
- * Algorithm" in all material mentioning or referencing this software
- * or this function.
- *
- * License is also granted to make and use derivative works provided
- * that such works are identified as "derived from the RSA Data
- * Security, Inc. MD4 Message-Digest Algorithm" in all material
- * mentioning or referencing the derived work.
- *
- * RSA Data Security, Inc. makes no representations concerning either
- * the merchantability of this software or the suitability of this
- * software for any particular purpose. It is provided "as is"
- * without express or implied warranty of any kind.
- *
- * These notices must be retained in any copies of any part of this
- * documentation and/or software.
- */
-
-
-For the srclib\apr-util\test\testmd4.c component:
-
- *
- * This is derived from material copyright RSA Data Security, Inc.
- * Their notice is reproduced below in its entirety.
- *
- * Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All
- * rights reserved.
- *
- * RSA Data Security, Inc. makes no representations concerning either
- * the merchantability of this software or the suitability of this
- * software for any particular purpose. It is provided "as is"
- * without express or implied warranty of any kind.
- *
- * These notices must be retained in any copies of any part of this
- * documentation and/or software.
- */
-
-For the srclib\apr-util\xml\expat\conftools\install-sh component:
-
-#
-# install - install a program, script, or datafile
-# This comes from X11R5 (mit/util/scripts/install.sh).
-#
-# Copyright 1991 by the Massachusetts Institute of Technology
-#
-# Permission to use, copy, modify, distribute, and sell this software and its
-# documentation for any purpose is hereby granted without fee, provided that
-# the above copyright notice appear in all copies and that both that
-# copyright notice and this permission notice appear in supporting
-# documentation, and that the name of M.I.T. not be used in advertising or
-# publicity pertaining to distribution of the software without specific,
-# written prior permission.  M.I.T. makes no representations about the
-# suitability of this software for any purpose.  It is provided "as is"
-# without express or implied warranty.
-#
-
-For the test\zb.c component:
-
-/*                          ZeusBench V1.01
-			    ===============
-
-This program is Copyright (C) Zeus Technology Limited 1996.
-
-This program may be used and copied freely providing this copyright notice
-is not removed.
-
-This software is provided "as is" and any express or implied warranties,
-including but not limited to, the implied warranties of merchantability and
-fitness for a particular purpose are disclaimed.  In no event shall
-Zeus Technology Ltd. be liable for any direct, indirect, incidental, special,
-exemplary, or consequential damaged (including, but not limited to,
-procurement of substitute good or services; loss of use, data, or profits;
-or business interruption) however caused and on theory of liability.  Whether
-in contract, strict liability or tort (including negligence or otherwise)
-arising in any way out of the use of this software, even if advised of the
-possibility of such damage.
-
-     Written by Adam Twiss (adam@zeus.co.uk).  March 1996
-
-Thanks to the following people for their input:
-  Mike Belshe (mbelshe@netscape.com)
-  Michael Campanella (campanella@stevms.enet.dec.com)
-
-*/
-
-For the expat xml parser component:
-
-Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd
-                               and Clark Cooper
-
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
-
-The above copyright notice and this permission notice shall be included
-in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
-IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
-CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
-TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
-SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-====================================================================

src/LICENSE

@@ -0,0 +1 @@
+../LICENSE

src/gam-install.sh

@@ -28,8 +28,7 @@ upgrade_only=false
 gamversion="latest"
 adminuser=""
 regularuser=""
-gam_glibc_vers="2.31 2.27"
-#gam_macos_vers="10.15.6 10.14.6 10.13.6"
+gam_glibc_vers="2.31"
 
 while getopts "hd:a:o:b:lp:u:r:v:" OPTION
 do
@@ -129,7 +128,7 @@ case $gamos in
       this_macos_ver=$osversion
     fi
     echo "You are running MacOS $this_macos_ver"
-    gamfile="macos-x86_64.tar.xz"
+    gamfile="macos-universal2.tar.xz"
     ;;
   MINGW64_NT*)
     gamos="windows"

src/gam.spec

@@ -33,12 +33,10 @@ for d in a.datas:
 
 pyz = PYZ(a.pure)
 
-# TODO: fix universal2
-target_arch = None
-#if sys.platform == "darwin":
-#     target_arch="universal2"
-#else:
-#     target_arch=None
+if sys.platform == "darwin":
+     target_arch="universal2"
+else:
+     target_arch=None
 
 exe = EXE(pyz,
           a.scripts,

src/gam/__init__.py

@@ -7118,6 +7118,7 @@ def enableGAMProjectAPIs(GAMProjectAPIs,
             f'  Project: {projectId}, Enable {jcount} APIs{currentCount(i, count)}'
         )
         j = 0
+        tried_universal_tos = False
         for api in apis:
             service_name = f'projects/{projectId}/services/{api}'
             j += 1
@@ -7128,19 +7129,26 @@ def enableGAMProjectAPIs(GAMProjectAPIs,
                               throw_reasons=[
                                   gapi_errors.ErrorReason.FAILED_PRECONDITION,
                                   gapi_errors.ErrorReason.FORBIDDEN,
-                                  gapi_errors.ErrorReason.PERMISSION_DENIED
+                                  gapi_errors.ErrorReason.PERMISSION_DENIED,
+                                  gapi_errors.ErrorReason.FOUR_O_O,
                               ],
                               retry_reasons=[gapi_errors.ErrorReason.INTERNAL_SERVER_ERROR],
                               name=service_name)
                     print(f'    API: {api}, Enabled{currentCount(j, jcount)}')
                     break
-                except gapi_errors.GapiFailedPreconditionError as e:
+                except (gapi_errors.GapiFailedPreconditionError,
+                        googleapiclient.errors.HttpError) as e:
+                    if hasattr(e, 'reason'):
+                        msg = e.reason
+                    else:
+                        msg = str(e)
+                    if 'terms of service' in msg.lower() and not tried_universal_tos:
+                        msg = '''You need to agree to the Google Cloud Terms of Service at:\n\n  https://console.developers.google.com'''
+                        tried_universal_tos = True
                     print(
                         f'\nThere was an error enabling {api}. Please resolve error as described below:'
                     )
-                    print()
-                    print(f'\n{str(e)}\n')
-                    print()
+                    print(f'\n\n{msg}\n\n')
                     input(
                         'Press enter once resolved and we will try enabling the API again.'
                     )
@@ -8327,6 +8335,24 @@ def doRemoveUsersAliases(users):
 
 
 def doUpdateAlias():
+    def verify_alias_target_exists():
+      if target_type != 'group':
+          try:
+              gapi.call(cd.users(), 'get',
+                        throw_reasons=[gapi_errors.ErrorReason.USER_NOT_FOUND],
+                        userKey=target_email)
+              return 'user'
+          except gapi_errors.GapiUserNotFoundError:
+              if target_type == 'user':
+                  return None
+      try:
+          gapi.call(cd.groups(), 'get',
+                    throw_reasons=[gapi_errors.ErrorReason.GROUP_NOT_FOUND],
+                    groupKey=target_email)
+          return 'group'
+      except gapi_errors.GapiGroupNotFoundError:
+          return None
+
     cd = buildGAPIObject('directory')
     alias = normalizeEmailAddressOrUID(sys.argv[3], noUid=True, noLower=True)
     target_type = sys.argv[4].lower()
@@ -8334,15 +8360,19 @@ def doUpdateAlias():
         controlflow.expected_argument_exit(
             'target type', ', '.join(['user', 'group', 'target']), target_type)
     target_email = normalizeEmailAddressOrUID(sys.argv[5])
-    if len(sys.argv) > 6:
-        myarg = sys.argv[6].lower().replace('_', '')
-        if myarg != 'verifynotinvitable':
-            controlflow.system_error_exit(
-                3,
-                f'{myarg} is not a valid argument for "gam update alias"'
-                )
-        if gapi_cloudidentity_userinvitations.is_invitable_user(alias):
-            controlflow.system_error_exit(51, f'Alias not updated, {alias} is an unmanaged account')
+    verifyTarget = True
+    i = 6
+    while i < len(sys.argv):
+        myarg = sys.argv[i].lower().replace('_', '')
+        if myarg == 'noverifytarget':
+            verifyTarget = False
+            i += 1
+        else:
+            controlflow.system_error_exit(3, f'{myarg} is not a valid argument for "gam update alias"')
+    if verifyTarget:
+        target_type = verify_alias_target_exists()
+        if target_type is None:
+            controlflow.system_error_exit(51, f'Alias not updated, {target_email} does not exist')
     try:
         gapi.call(cd.users().aliases(),
                   'delete',

src/gam/auth/oauth.py

@@ -1,26 +1,42 @@
 """OAuth2.0 user credentials."""
 
 import datetime
+import ipaddress
 import json
+import multiprocessing
 import os
 import re
+from socket import gethostbyname
+import sys
+from time import sleep
 import threading
-from urllib.parse import urlencode
+from urllib.parse import urlencode, urlparse, parse_qs
+import wsgiref.simple_server
+import wsgiref.util
+import webbrowser
 
 from filelock import FileLock
 import google_auth_oauthlib.flow
 import google.oauth2.credentials
 import google.oauth2.id_token
 
+from gam import controlflow
+from gam import display
 from gam import fileutils
 from gam import transport
-from gam.var import GM_Globals
-from gam.var import GM_WINDOWS
+from gam.var import GM_Globals, GM_WINDOWS
 from gam import utils
 
-MESSAGE_CONSOLE_AUTHORIZATION_PROMPT = ('\nGo to the following link in your '
-                                        'browser:\n\n\t{url}\n')
-MESSAGE_CONSOLE_AUTHORIZATION_CODE = 'Enter verification code: '
+
+MESSAGE_CONSOLE_AUTHORIZATION_PROMPT = '''\nGo to the following link in your browser:
+
+\t{url}
+
+IMPORTANT: If you get a browser error that the site can't be reached AFTER you
+click the Allow button, copy the URL from the browser where the error occurred
+and paste that here instead.
+'''
+MESSAGE_CONSOLE_AUTHORIZATION_CODE = 'Enter verification code or browser URL: '
 MESSAGE_LOCAL_SERVER_AUTHORIZATION_PROMPT = ('\nYour browser has been opened to'
                                              ' visit:\n\n\t{url}\n\nIf your '
                                              'browser is on a different machine'
@@ -30,6 +46,8 @@ MESSAGE_LOCAL_SERVER_AUTHORIZATION_PROMPT = ('\nYour browser has been opened to'
 MESSAGE_LOCAL_SERVER_SUCCESS = ('The authentication flow has completed. You may'
                                 ' close this browser window and return to GAM.')
 
+MESSAGE_AUTHENTICATION_COMPLETE = ('\nThe authentication flow has completed.\n')
+
 
 class CredentialsError(Exception):
     """Base error class."""
@@ -295,19 +313,8 @@ class Credentials(google.oauth2.credentials.Credentials):
         if login_hint:
             flow_kwargs['login_hint'] = login_hint
 
-        # TODO: Move code for browser detection somewhere in this file so that the
-        # messaging about `nobrowser.txt` is co-located with the logic that uses it.
-        if use_console_flow:
-            flow.run_console(
-                authorization_prompt_message=
-                MESSAGE_CONSOLE_AUTHORIZATION_PROMPT,
-                authorization_code_message=MESSAGE_CONSOLE_AUTHORIZATION_CODE,
+        flow.run_dual(use_console_flow,
                 **flow_kwargs)
-        else:
-            flow.run_local_server(authorization_prompt_message=
-                                  MESSAGE_LOCAL_SERVER_AUTHORIZATION_PROMPT,
-                                  success_message=MESSAGE_LOCAL_SERVER_SUCCESS,
-                                  **flow_kwargs)
         return cls.from_google_oauth2_credentials(flow.credentials,
                                                   filename=filename)
 
@@ -516,10 +523,66 @@ class Credentials(google.oauth2.credentials.Credentials):
             http.request(revoke_uri, 'GET')
 
 
+def _localhost_to_ip():
+    '''returns IPv4 or IPv6 loopback address which localhost resolves to.
+       If localhost does not resolve to valid loopback IP address then returns
+       127.0.0.1'''
+    # TODO gethostbyname() will only ever return ipv4
+    # find a way to support IPv6 here and get preferred IP
+    # note that IPv6 may be broken on some systems also :-(
+    # for now IPv4 should do.
+    local_ip = gethostbyname('localhost')
+    local_ipaddress = ipaddress.ip_address(local_ip)
+    ip4_local_range = ipaddress.ip_network('127.0.0.0/8')
+    ip6_local_range = ipaddress.ip_network('::1/128')
+    if local_ipaddress not in ip4_local_range and \
+       local_ipaddress not in ip6_local_range:
+           local_ip = '127.0.0.1'
+    return local_ip
+
+def _wait_for_http_client(d):
+    wsgi_app = google_auth_oauthlib.flow._RedirectWSGIApp(MESSAGE_LOCAL_SERVER_SUCCESS)
+    wsgiref.simple_server.WSGIServer.allow_reuse_address = False
+    # Convert hostn to IP since apparently binding to the IP
+    # reduces odds of firewall blocking us
+    local_ip = _localhost_to_ip()
+    for port in range(8080, 8099):
+        try:
+            local_server = wsgiref.simple_server.make_server(
+              local_ip,
+              port,
+              wsgi_app,
+              handler_class=wsgiref.simple_server.WSGIRequestHandler
+              )
+            break
+        except OSError:
+            pass
+    redirect_uri_format = (
+        "http://{}:{}/" if d['trailing_slash'] else "http://{}:{}"
+    )
+    # provide redirect_uri to main process so it can formulate auth_url
+    d['redirect_uri'] = redirect_uri_format.format(*local_server.server_address)
+    # wait until main process provides auth_url
+    # so we can open it in web browser.
+    while 'auth_url' not in d:
+        sleep(0.1)
+    if d['open_browser']:
+        webbrowser.open(d['auth_url'], new=1, autoraise=True)
+    local_server.handle_request()
+    authorization_response = wsgi_app.last_request_uri.replace("http", "https")
+    d['code'] = authorization_response
+    local_server.server_close()
+
+
+def _wait_for_user_input(d):
+    sys.stdin = open(0)
+    code = input(MESSAGE_CONSOLE_AUTHORIZATION_CODE)
+    d['code'] = code
+
+
 class _ShortURLFlow(google_auth_oauthlib.flow.InstalledAppFlow):
     """InstalledAppFlow which utilizes a URL shortener for authorization URLs."""
 
-    URL_SHORTENER_ENDPOINT = 'https://gam-shortn.appspot.com/create'
 
     def authorization_url(self, http=None, **kwargs):
         """Gets a shortened authorization URL."""
@@ -528,6 +591,58 @@ class _ShortURLFlow(google_auth_oauthlib.flow.InstalledAppFlow):
         return short_url, state
 
 
+    def run_dual(self,
+                use_console_flow,
+                authorization_prompt_message='',
+                console_prompt_message='',
+                web_success_message='',
+                open_browser=True,
+                redirect_uri_trailing_slash=True,
+                **kwargs):
+        mgr = multiprocessing.Manager()
+        d = mgr.dict()
+        d['trailing_slash'] = redirect_uri_trailing_slash
+        d['open_browser'] = use_console_flow
+        http_client = multiprocessing.Process(target=_wait_for_http_client,
+                                              args=(d,))
+        user_input = multiprocessing.Process(target=_wait_for_user_input,
+                                             args=(d,))
+        http_client.start()
+        # we need to wait until web server starts on avail port
+        # so we know redirect_uri to use
+        while 'redirect_uri' not in d:
+            sleep(0.1)
+        self.redirect_uri = d['redirect_uri']
+        d['auth_url'], _ = self.authorization_url(**kwargs)
+        print(MESSAGE_CONSOLE_AUTHORIZATION_PROMPT.format(url=d['auth_url']))
+        user_input.start()
+        userInput = False
+        while True:
+            sleep(0.1)
+            if not http_client.is_alive():
+                user_input.terminate()
+                break
+            elif not user_input.is_alive():
+                userInput = True
+                http_client.terminate()
+                break
+        while True:
+            code = d['code']
+            if code.startswith('http'):
+                parsed_url = urlparse(code)
+                parsed_params = parse_qs(parsed_url.query)
+                code = parsed_params.get('code', [None])[0]
+            try:
+                self.fetch_token(code=code)
+                break
+            except Exception as e:
+                if not userInput:
+                    controlflow.system_error_exit(8, str(e))
+                display.print_error(str(e))
+                _wait_for_user_input(d)
+        sys.stdout.write(MESSAGE_AUTHENTICATION_COMPLETE)
+        return self.credentials
+
 class _FileLikeThreadLock:
     """A threading.lock which has the same interface as filelock.Filelock."""
 

src/gam/auth/oauth_test.py

@@ -189,6 +189,7 @@ class CredentialsTest(unittest.TestCase):
         with self.assertRaises(oauth.InvalidCredentialsFileError):
             oauth.Credentials.from_credentials_file(self.fake_filename)
 
+    @unittest.skip('disabled for oob fixes')
     @patch.object(oauth._ShortURLFlow, 'from_client_config')
     def test_from_client_secrets_console_flow(self, mock_flow):
         flow_creds = google.oauth2.credentials.Credentials(
@@ -211,6 +212,7 @@ class CredentialsTest(unittest.TestCase):
         self.assertEqual(flow_creds.client_secret, creds.client_secret)
         self.assertEqual(flow_creds.id_token, creds.id_token)
 
+    @unittest.skip('disabled for oob fixes')
     @patch.object(oauth._ShortURLFlow, 'from_client_config')
     def test_from_client_secrets_local_server_flow(self, mock_flow):
         flow_creds = google.oauth2.credentials.Credentials(
@@ -233,6 +235,7 @@ class CredentialsTest(unittest.TestCase):
         self.assertEqual(flow_creds.client_secret, creds.client_secret)
         self.assertEqual(flow_creds.id_token, creds.id_token)
 
+    @unittest.skip('disabled for oob fixes')
     @patch.object(oauth._ShortURLFlow, 'from_client_config')
     def test_from_client_secrets_uses_login_hint(self, mock_flow):
         flow_creds = google.oauth2.credentials.Credentials(

src/gam/gapi/cloudidentity/devices.py

@@ -51,13 +51,30 @@ def create():
     print(f'Created device {result["response"]["name"]}')
 
 
-def _get_device_name():
-    name = sys.argv[3]
+def _parse_action(action):
+    kwargs = {}
+    i = 3
+    name = sys.argv[i]
     if name == 'id':
-        name = sys.argv[4]
+        i += 1
+        name = sys.argv[i]
+    i += 1
     if not name.startswith('devices/'):
         name = f'devices/{name}'
-    return name
+    customer = _get_device_customerid()
+    # bah, inconsistencies in API
+    if action == 'delete':
+        kwargs['customer'] = customer
+    else:
+        kwargs['body'] = {'customer': customer}
+    while i < len(sys.argv):
+        myarg = sys.argv[i].lower().replace('_', '')
+        if action == 'wipe' and myarg == 'removeresetlock':
+            kwargs['body']['removeResetLock'] = True
+            i += 1
+        else:
+            controlflow.invalid_argument_exit(sys.argv[i], f'gam {action} device')
+    return name, kwargs
 
 
 def info():
@@ -80,14 +97,7 @@ def info():
 def _generic_action(action, device_user=False):
     ci = gapi_cloudidentity.build_dwd()
     customer = _get_device_customerid()
-    name = _get_device_name()
-
-    # bah, inconsistencies in API
-    if action == 'delete':
-        kwargs = {'customer': customer}
-    else:
-        kwargs = {'body': {'customer': customer}}
-
+    name, kwargs = _parse_action(action)
     if device_user:
         endpoint = ci.devices().deviceUsers()
     else:

src/gam/gapi/directory/roleassignments.py

@@ -10,6 +10,9 @@ from gam.gapi.directory import orgunits as gapi_directory_orgunits
 from gam.gapi.directory import roles as gapi_directory_roles
 
 
+SECURITY_GROUP_CONDITION = "api.getAttribute('cloudidentity.googleapis.com/groups.labels', []).hasAny(['groups.security']) && resource.type == 'cloudidentity.googleapis.com/Group'"
+NONSECURITY_GROUP_CONDITION = f'!{SECURITY_GROUP_CONDITION}'
+
 def create():
     cd = gapi_directory.build()
     user = gam.normalizeEmailAddressOrUID(sys.argv[3])
@@ -24,9 +27,9 @@ def create():
             cd = gapi_directory.build_beta()
             body['condition'] = sys.argv[i+1]
             if body['condition'] == 'securitygroup':
-                body['condition'] = "api.getAttribute('cloudidentity.googleapis.com/groups.labels', []).hasAny(['groups.security']) && resource.type == 'cloudidentity.googleapis.com/Group'"
+                body['condition'] = SECURITY_GROUP_CONDITION
             elif body['condition'] == 'nonsecuritygroup':
-                body['condition'] = "!api.getAttribute('cloudidentity.googleapis.com/groups.labels', []).hasAny(['groups.security']) && resource.type == 'cloudidentity.googleapis.com/Group'"
+                body['condition'] = NONSECURITY_GROUP_CONDITION
             i += 2
         else:
             controlflow.invalid_argument_exit(sys.argv[i], 'gam create admin')
@@ -111,9 +114,13 @@ def print_():
                 admin_attrib[
                     'orgUnit'] = gapi_directory_orgunits.orgunit_from_orgunitid(
                         value, cd)
+            elif key == 'condition':
+                if value == SECURITY_GROUP_CONDITION:
+                    value = 'securitygroup'
+                elif value == NONSECURITY_GROUP_CONDITION:
+                    value = 'nonsecuritygroup'
             if key not in titles:
                 titles.append(key)
             admin_attrib[key] = value
         csvRows.append(admin_attrib)
     display.write_csv_file(csvRows, titles, 'Admins', todrive)
-

src/gam/gapi/vault.py

@@ -200,12 +200,13 @@ def createExport():
     showConfidentialModeContent = None  # default to not even set
     matterId = None
     query = None
+    useNewExport = None
     body = {'exportOptions': {}}
     i = 3
     while i < len(sys.argv):
         myarg = sys.argv[i].lower().replace('_', '')
         if myarg == 'matter':
-            matterId = getMatterItem(v, sys.argv[i + 1])
+            matterId = getMatterItem(v, sys.argv[i + 1], state='OPEN')
             body['matterId'] = matterId
             i += 2
         elif myarg == 'name':
@@ -213,6 +214,9 @@ def createExport():
             i += 2
         elif myarg in QUERY_ARGS:
             query, i = _build_query(query, myarg, i, query_discovery)
+        elif myarg == 'usenewexport':
+            useNewExport = gam.getBoolean(sys.argv[i+1], myarg)
+            i += 2
         elif myarg in ['format']:
             export_format = sys.argv[i + 1].upper()
             if export_format not in allowed_formats:
@@ -262,6 +266,9 @@ def createExport():
         if showConfidentialModeContent is not None:
             body['exportOptions'][options_field][
                 'showConfidentialModeContent'] = showConfidentialModeContent
+        if useNewExport is not None:
+            body['exportOptions'][options_field][
+                'useNewExport'] = useNewExport
     results = gapi.call(v.matters().exports(),
                         'create',
                         matterId=matterId,
@@ -547,7 +554,7 @@ def convertHoldNameToID(v, nameOrID, matterId):
         f'in matter {matterId}')
 
 
-def convertMatterNameToID(v, nameOrID):
+def convertMatterNameToID(v, nameOrID, state=None):
     nameOrID = nameOrID.lower()
     cg = UID_PATTERN.match(nameOrID)
     if cg:
@@ -557,6 +564,7 @@ def convertMatterNameToID(v, nameOrID):
                                  'list',
                                  'matters',
                                  view='BASIC',
+                                 state=state,
                                  fields=fields)
     for matter in matters:
         if matter['name'].lower() == nameOrID:
@@ -564,8 +572,8 @@ def convertMatterNameToID(v, nameOrID):
     return None
 
 
-def getMatterItem(v, nameOrID):
-    matterId = convertMatterNameToID(v, nameOrID)
+def getMatterItem(v, nameOrID, state=None):
+    matterId = convertMatterNameToID(v, nameOrID, state=state)
     if not matterId:
         controlflow.system_error_exit(4, f'could not find matter {nameOrID}')
     return matterId

src/gam/var.py

@@ -8,7 +8,7 @@ import platform
 import re
 
 GAM_AUTHOR = 'Jay Lee <jay0lee@gmail.com>'
-GAM_VERSION = '6.15'
+GAM_VERSION = '6.17'
 GAM_LICENSE = 'Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0)'
 
 GAM_URL = 'https://git.io/gam'
@@ -42,7 +42,7 @@ FN_EXTRA_ARGS_TXT = 'extra-args.txt'
 FN_LAST_UPDATE_CHECK_TXT = 'lastupdatecheck.txt'
 MY_CUSTOMER = 'my_customer'
 # See https://support.google.com/drive/answer/37603
-MAX_GOOGLE_SHEET_CELLS = 5000000
+MAX_GOOGLE_SHEET_CELLS = 10000000
 MAX_LOCAL_GOOGLE_TIME_OFFSET = 30
 
 SKUS = {