Update build.yml

Prefix should not include anything after ENUM_
```
        name: RollbackToTargetVersionEnum
          value:
            name: ROLLBACK_TO_TARGET_VERSION_ENUM_ROLLBACK_DISABLED
              number: 1
            name: ROLLBACK_TO_TARGET_VERSION_ENUM_ROLLBACK_AND_RESTORE_IF_POSSIBLE
              number: 3
```

.github/actions/decrypt.sh

@@ -14,4 +14,5 @@ gpg --quiet --batch --yes --decrypt --passphrase="${PASSCODE}" \
     --output "${credsfile}" "${gpgfile}"
 
 tar xvvf "${credsfile}" --directory "${gampath}"
-ls -l "${gampath}"
+rm -rvf "${gpgfile}"
+rm -rvf "${credsfile}"

.github/workflows/build.yml

@@ -22,71 +22,98 @@ jobs:
   build:
     runs-on: ${{ matrix.os }}
     strategy:
+      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-22.04
+          - os: ubuntu-20.04
             jid: 1
             goal: build
             arch: x86_64
             openssl_archs: linux-x86_64
-          - os: [self-hosted, linux, arm64]
+          - os: [self-hosted, linux, arm64, gcp]
             jid: 2
             goal: build
             arch: aarch64
             openssl_archs: linux-aarch64
-          - os: macos-12
+          - os: ubuntu-20.04
+            jid: 3
+            goal: build
+            arch: x86_64
+            openssl_archs: linux-x86_64
+            staticx: yes
+          - os: [self-hosted, linux, arm64, gcp]
             jid: 4
             goal: build
+            arch: aarch64
+            openssl_archs: linux-aarch64
+            staticx: yes
+          - os: macos-12
+            jid: 5
+            goal: build
             arch: universal2
             openssl_archs: darwin64-x86_64 darwin64-arm64
           - os: windows-2022
-            jid: 5
+            jid: 6
             goal: build
             arch: Win64
             openssl_archs: VC-WIN64A
           - os: windows-2022
-            jid: 6
+            jid: 7
             goal: build
             arch: Win32
             openssl_archs: VC-WIN32
           - os: ubuntu-22.04
             goal: test
             python: "3.7"
-            jid: 7
-            arch: x86_64
-          - os: ubuntu-22.04
-            goal: test
-            python: "3.8"
             jid: 8
             arch: x86_64
           - os: ubuntu-22.04
             goal: test
-            python: "3.9"
+            python: "3.8"
             jid: 9
             arch: x86_64
           - os: ubuntu-22.04
             goal: test
-            python: "3.11-dev"
+            python: "3.9"
             jid: 10
             arch: x86_64
+          - os: ubuntu-22.04
+            goal: test
+            python: "3.10"
+            jid: 11
+            arch: x86_64
+          - os: ubuntu-22.04
+            goal: test
+            python: "3.12.0-alpha - 3.12"
+            jid: 12
+            arch: x86_64
 
     steps:
-      - uses: actions/checkout@master
+
+      - uses: actions/checkout@v3
         with:
           persist-credentials: false
           fetch-depth: 0
 
       - name: Cache multiple paths
-        uses: actions/cache@v2
+        if: matrix.goal == 'build'
+        uses: actions/cache@v3
         id: cache-python-ssl
         with:
           path: |
-            bin
-          key: gam-${{ matrix.jid }}-20220802
+            bin.tar.xz
+            src/cpython
+          key: gam-${{ matrix.jid }}-20221207
+
+      - name: Untar Cache archive
+        if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit == 'true'
+        working-directory: ${{ github.workspace }}
+        run: |
+          tar xvvf bin.tar.xz
 
       - name: Use pre-compiled Python for testing
         if: matrix.python != ''
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@v4
         with:
           python-version: ${{ matrix.python }}
 
@@ -117,17 +144,17 @@ jobs:
           sudo apt-get -qq --yes update
           sudo apt-get -qq --yes install swig libpcsclite-dev
 
-      - name: MacOS remove Homebrew
-        if: runner.os == 'macOS'
-        run: |
-          # remove everything except the libraries needed by yubikey-manager
-          brew uninstall $(brew list | grep -v 'pcre\|swig\|pcsc-lite')
+     #- name: MacOS remove Homebrew
+     #  if: runner.os == 'macOS'
+     #  run: |
+     #    # remove everything except the libraries needed by yubikey-manager
+     #    brew uninstall $(brew list | grep -v 'pcre\|swig\|pcsc-lite')
 
       - name: MacOS install tools
         if: runner.os == 'macOS'
         run: |
           # Install latest Rust
-          curl -fsS -o rust.sh https://sh.rustup.rs
+          curl --retry 5 --retry-connrefused -fsS -o rust.sh https://sh.rustup.rs
           bash ./rust.sh -y
           source $HOME/.cargo/env
           # needed for Rust to compile cryptography Python package for universal2
@@ -145,8 +172,10 @@ jobs:
           arch: ${{ matrix.arch }}
           jid: ${{ matrix.jid }}
           openssl_archs: ${{ matrix.openssl_archs }}
+          staticx: ${{ matrix.staticx }}
         run: |
           echo "We are running on ${RUNNER_OS}"
+          LD_LIBRARY_PATH="${OPENSSL_INSTALL_PATH}/lib:${PYTHON_INSTALL_PATH}/lib"
           if [[ "${arch}" == "Win64" ]]; then
             PYEXTERNALS_PATH="amd64"
             PYBUILDRELEASE_ARCH="x64"
@@ -178,21 +207,22 @@ jobs:
             MAKE=nmake
             MAKEOPT=""
             PERL="c:\strawberry\perl\bin\perl.exe"
-            echo "PYTHON=${PYTHON_INSTALL_PATH}\python.exe" >> $GITHUB_ENV
+            LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:${PYTHON_SOURCE_PATH}/PCbuild/${PYEXTERNALS_PATH}"
+            echo "PYTHON=${PYTHON_SOURCE_PATH}/PCbuild/${PYEXTERNALS_PATH}/python.exe" >> $GITHUB_ENV
             echo "GAM_ARCHIVE_ARCH=${GAM_ARCHIVE_ARCH}" >> $GITHUB_ENV
             echo "WIX_ARCH=${WIX_ARCH}" >> $GITHUB_ENV
           fi
           echo "We'll run make with: ${MAKEOPT}"
           echo "JID=${jid}" >> $GITHUB_ENV
+          echo "staticx=${staticx}" >> $GITHUB_ENV
           echo "arch=${arch}" >> $GITHUB_ENV
+          echo "LD_LIBRARY_PATH=${LD_LIBRARY_PATH}" >> $GITHUB_ENV
           echo "MAKE=${MAKE}" >> $GITHUB_ENV
           echo "MAKEOPT=${MAKEOPT}" >> $GITHUB_ENV
           echo "PERL=${PERL}" >> $GITHUB_ENV
           echo "PYEXTERNALS_PATH=${PYEXTERNALS_PATH}" >> $GITHUB_ENV
           echo "PYBUILDRELEASE_ARCH=${PYBUILDRELEASE_ARCH}" >> $GITHUB_ENV
           echo "openssl_archs=${openssl_archs}" >> $GITHUB_ENV
-          echo "LD_LIBRARY_PATH=${OPENSSL_INSTALL_PATH}/lib:${PYTHON_INSTALL_PATH}/lib" >> $GITHUB_ENV
-          #echo "PATH=${PATH}:${PYTHON_INSTALL_PATH}/scripts" >> $GITHUB_ENV
 
       - name: Get latest stable OpenSSL source
         if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit != 'true'
@@ -330,7 +360,7 @@ jobs:
           $env:OPENSSL_EXT_TARGET_PATH = "${env:OPENSSL_EXT_PATH}${env:PYEXTERNALS_PATH}"
           echo "Copying our OpenSSL to ${env:OPENSSL_EXT_TARGET_PATH}"
           mkdir "${env:OPENSSL_EXT_TARGET_PATH}\include\openssl\"
-          Copy-Item -Path "${env:GITHUB_WORKSPACE}/src/openssl-${env:openssl_archs}\LICENSE.txt" -Destination "${env:OPENSSL_EXT_TARGET_PATH}\LICENSE"
+          Copy-Item -Path "${env:GITHUB_WORKSPACE}/src/openssl-${env:openssl_archs}\LICENSE.txt" -Destination "${env:OPENSSL_EXT_TARGET_PATH}\LICENSE" -Verbose
           cp -v "$env:OPENSSL_INSTALL_PATH\lib\*" "${env:OPENSSL_EXT_TARGET_PATH}"
           cp -v "$env:OPENSSL_INSTALL_PATH\bin\*" "${env:OPENSSL_EXT_TARGET_PATH}"
           cp -v "$env:OPENSSL_INSTALL_PATH\include\openssl\*" "${env:OPENSSL_EXT_TARGET_PATH}\include\openssl\"
@@ -350,22 +380,10 @@ jobs:
         run: |
           cd "${env:PYTHON_SOURCE_PATH}"
           # We need out custom openssl.props which uses OpenSSL 3 DLL names
-          Copy-Item -Path "${env:GITHUB_WORKSPACE}\src\tools\openssl.props" -Destination PCBuild\
+          Copy-Item -Path "${env:GITHUB_WORKSPACE}\src\tools\openssl.props" -Destination PCBuild\ -Verbose
           echo "Building for ${env:PYBUILDRELEASE_ARCH}..."
           PCBuild\build.bat -m --pgo -c Release -p "${env:PYBUILDRELEASE_ARCH}"
 
-      - name: Windows Install Python
-        if: matrix.goal == 'build' && runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
-        shell: powershell
-        run: |
-          cd "${env:PYTHON_SOURCE_PATH}"
-          mkdir "${env:PYTHON_INSTALL_PATH}\lib"
-          mkdir "${env:PYTHON_INSTALL_PATH}\include"
-          Copy-Item -Path "PCBuild\${env:PYEXTERNALS_PATH}\*" "${env:PYTHON_INSTALL_PATH}\"
-          Copy-Item -Path "${env:PYTHON_SOURCE_PATH}\Lib\*" "${env:PYTHON_INSTALL_PATH}\lib\" -recurse
-          Copy-Item -Path "${env:PYTHON_SOURCE_PATH}\Include\*" "${env:PYTHON_INSTALL_PATH}\include\" -recurse
-          Copy-Item -Path "${env:PYTHON_SOURCE_PATH}\PC\*.h" "${env:PYTHON_INSTALL_PATH}\include\"
-
       - name: Mac/Linux Build Python
         if: matrix.goal == 'build' && runner.os != 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
         run: |
@@ -379,6 +397,9 @@ jobs:
           cd "${PYTHON_SOURCE_PATH}"
           $MAKE altinstall
           $MAKE bininstall
+          export PATH="${PATH}:${PYTHON_INSTALL_PATH}/bin"
+          echo "PATH=${PATH}" >> $GITHUB_ENV
+          echo "PATH: ${PATH}"
 
       - name: Run Python
         run: |
@@ -386,12 +407,27 @@ jobs:
 
       - name: Upgrade pip, wheel, etc
         run: |
-          curl -O https://bootstrap.pypa.io/get-pip.py
+          curl --retry 5 --retry-connrefused -O https://bootstrap.pypa.io/get-pip.py
           "${PYTHON}" get-pip.py
           "${PYTHON}" -m pip install --upgrade pip
           "${PYTHON}" -m pip install --upgrade wheel
           "${PYTHON}" -m pip install --upgrade setuptools
-    
+
+      - name: Install pip requirements
+        run: |
+             if [[ "${RUNNER_OS}" == "macOS" ]]; then
+               "${PYTHON}" -m pip install --upgrade cffi ${PIP_ARGS}
+               "${PYTHON}" -m pip download --only-binary :all: \
+                                             --dest . \
+                                             --no-cache \
+                                             --no-deps \
+                                             --platform macosx_10_15_universal2 \
+                                             cryptography
+               "${PYTHON}" -m pip install --force-reinstall --no-deps cryptography*.whl
+             fi
+             "${PYTHON}" -m pip install --upgrade -r requirements.txt ${PIP_ARGS}
+             "${PYTHON}" -m pip list
+
       - name: Install PyInstaller
         if: matrix.goal == 'build'
         run: |
@@ -402,40 +438,37 @@ jobs:
           # remove pre-compiled bootloaders so we fail if bootloader compile fails
           rm -rvf PyInstaller/bootloader/*-*/*
           cd bootloader
-          if [[ "${arch}" == "Win32" ]]; then
-            export PYINSTALLER_BUILD_ARGS="--target-arch=32bit"
-          fi
+          case "${arch}" in
+            "Win32")
+              export PYINSTALLER_BUILD_ARGS="--target-arch=32bit"
+              ;;
+            "Win64")
+              export PYINSTALLER_BUILD_ARGS="--target-arch=64bit"
+              ;;
+          esac
           echo "PyInstaller build arguments: ${PYINSTALLER_BUILD_ARGS}"
           "${PYTHON}" ./waf all $PYINSTALLER_BUILD_ARGS
-          cd ../..
+          cd ..
           echo "---- Installing PyInstaller ----"
-          "${PYTHON}" -m pip install pyinstaller
-
-      - name: Install pip requirements
-        run: |
-             if [[ "${RUNNER_OS}" == "macOS" ]]; then
-               for package in cryptography; do
-                 "${PYTHON}" -m pip install --upgrade cffi ${PIP_ARGS}
-                 "${PYTHON}" -m pip download --only-binary :all: \
-                                             --dest . \
-                                             --no-cache \
-                                             --no-deps \
-                                             --platform macosx_10_15_universal2 \
-                                             $package
-               "${PYTHON}" -m pip install --force-reinstall --no-deps $package*.whl
-               done
-               find $PYTHON_INSTALL_PATH/lib/python3.10/site-packages -type f -name "*.so" -exec du -sh "{}" \;
-             fi
-             "${PYTHON}" -m pip install --upgrade -r requirements.txt ${PIP_ARGS}
-             "${PYTHON}" -m pip list
+          "${PYTHON}" -m pip install .
 
       - name: Build GAM with PyInstaller
         if: matrix.goal != 'test'
         run: |
-             export gampath="./dist/gam"
+             if [[ "${staticx}" == "yes" ]]; then
+               export distpath="./dist/gam"
+               export gampath="${distpath}"
+             else
+               export distpath="./dist"
+               export gampath="${distpath}/gam"
+             fi
              mkdir -p -v "${gampath}"
              if [[ "${RUNNER_OS}" == "macOS" ]]; then
                export gampath=$($PYTHON -c "import os; print(os.path.realpath('$gampath'))")
+             elif [[ "${RUNNER_OS}" == "Windows" ]]; then
+               # Work around issue where PyInstaller picks up python3.dll from other Python versions
+               # https://github.com/pyinstaller/pyinstaller/issues/7102
+               export PATH="/usr/bin"
              else
                export gampath=$(realpath "${gampath}")
              fi
@@ -443,8 +476,22 @@ jobs:
              echo "gampath=${gampath}" >> $GITHUB_ENV
              echo "gam=${gam}" >> $GITHUB_ENV
              echo -e "GAM: ${gam}\nGAMPATH: ${gampath}"
-             "${PYTHON}" -m PyInstaller --clean --distpath="${gampath}" gam.spec
+             # TEMP force everything back to one file.
+             export PYINSTALLER_BUILD_ONEFILE="yes"
+             export distpath="./dist/gam"
+             export gampath="${distpath}"
+             "${PYTHON}" -m PyInstaller --clean --noconfirm --distpath="${distpath}" gam.spec
  
+      - name: Copy extra package files
+        if: matrix.goal == 'build'
+        run: |
+          cp -v roots.pem $gampath
+          cp -v LICENSE $gampath
+          cp -v GamCommands.txt $gampath
+          if [[ "${RUNNER_OS}" == "Windows" ]]; then
+              cp -v gam-setup.bat $gampath
+          fi
+
       - name: Basic Tests all jobs
         run: |
              $PYTHON -m unittest discover --start-directory ./ --pattern "*_test.py" --buffer
@@ -454,10 +501,8 @@ jobs:
              echo "GAMVERSION=${GAMVERSION}" >> $GITHUB_ENV
 
       - name: Linux/MacOS package
-        if: runner.os != 'Windows' && matrix.goal == 'build'
+        if: runner.os != 'Windows' && matrix.goal == 'build' && matrix.staticx != 'yes'
         run: |
-          cp -v LICENSE $gampath
-          cp -v GamCommands.txt $gampath
           if [[ "${RUNNER_OS}" == "macOS" ]]; then
               GAM_ARCHIVE="gam-${GAMVERSION}-macos-universal2.tar.xz"
           elif [[ "${RUNNER_OS}" == "Linux" ]]; then
@@ -466,14 +511,14 @@ jobs:
           fi
           tar -C dist/ --create --verbose --exclude-from "${GITHUB_WORKSPACE}/.github/actions/package_exclusions.txt" --file $GAM_ARCHIVE --xz gam
 
-      - name: Linux 64-bit install patchelf/staticx
-        if: runner.os == 'Linux' && contains(runner.arch, '64') && matrix.goal != 'test'
+      - name: Install StaticX
+        if: matrix.staticx == 'yes'
         run: |
           "${PYTHON}" -m pip install --upgrade patchelf-wrapper
           "${PYTHON}" -m pip install --upgrade staticx
 
-      - name: Linux 64-bit Make Static
-        if: runner.os == 'Linux' && contains(runner.arch, '64') && matrix.goal != 'test'
+      - name: Make StaticX
+        if: matrix.staticx == 'yes'
         run: |
           case $RUNNER_ARCH in
             X64)
@@ -486,14 +531,14 @@ jobs:
           echo "ldlib=${ldlib}"
           $PYTHON -m staticx -l "${ldlib}" "${gam}" "${gam}-staticx"
           
-      - name: Linux Run StaticX-ed
-        if: runner.os == 'Linux' && contains(runner.arch, '64') && matrix.goal != 'test'
+      - name: Run StaticX
+        if: matrix.staticx == 'yes'
         run: |
           "${gam}-staticx" version extended
           mv -v "${gam}-staticx" "${gam}"
 
       - name: Linux package staticx
-        if: runner.os == 'Linux' && contains(runner.arch, '64') && matrix.goal != 'test'
+        if: matrix.staticx == 'yes'
         run: |
           GAM_ARCHIVE="gam-${GAMVERSION}-linux-$(uname -m)-legacy.tar.xz"
           tar -C dist/ --create --verbose --exclude-from "${GITHUB_WORKSPACE}/.github/actions/package_exclusions.txt" --file $GAM_ARCHIVE --xz gam
@@ -501,9 +546,6 @@ jobs:
       - name: Windows package
         if: runner.os == 'Windows' && matrix.goal != 'test'
         run: |
-          cp -v LICENSE $gampath
-          cp -v GamCommands.txt $gampath
-          cp -v gam-setup.bat $gampath
           cd dist/
           GAM_ARCHIVE="../gam-${GAMVERSION}-windows-${GAM_ARCHIVE_ARCH}.zip"
           /c/Program\ Files/7-Zip/7z.exe a -tzip $GAM_ARCHIVE gam "-xr@${GITHUB_WORKSPACE}/.github/actions/package_exclusions.txt" -bb3
@@ -540,7 +582,7 @@ jobs:
              if [[ "${RUNNER_OS}" == "macOS" ]]; then
                brew install gnupg
              fi
-             source ../.github/actions/decrypt.sh ../.github/actions/creds.tar.gpg creds.tar
+             source ../.github/actions/decrypt.sh ../.github/actions/creds.tar.xz.gpg creds.tar.xz
              export OAUTHFILE="oauth2.txt-gam-gha-${JID}"
              echo "OAUTHFILE=${OAUTHFILE}" >> $GITHUB_ENV
              export gam_user="gam-gha-${JID}@pdl.jaylee.us"
@@ -550,20 +592,33 @@ jobs:
              $gam info domain
              $gam oauth refresh
              $gam info user
-             #$gam info user $gam_user grouptree
              export tstamp=$($PYTHON -c "import time; print(time.time_ns())")
-             export newbase=gha_test_$JID_$tstamp
-             export newuser=$newbase@pdl.jaylee.us
-             export newgroup=$newbase-group@pdl.jaylee.us
-             export newalias=$newbase-alias@pdl.jaylee.us
-             export newbuilding=$newbase-building
-             export newresource=$newbase-resource
+             export newbase="gha_test_${JID}_${tstamp}"
+             export newuser="${newbase}@pdl.jaylee.us"
+             export newgroup="${newbase}-group@pdl.jaylee.us"
+             export newalias="${newbase}-alias@pdl.jaylee.us"
+             export newbuilding="${newbase}-building"
+             export newresource="${newbase}-resource"
+             export newou="aaaGithub Actions/${newbase}"
+             
+             # cleanup old runs
+             GAM_CSV_ROW_FILTER="name:regex:gha_test_${JID}_" $gam print vaultholds | $gam csv - gam delete vaulthold "id:~~holdId~~" matter "id:~~matterId~~"
+             GAM_CSV_ROW_FILTER="name:regex:gha_test_${JID}_" $gam print features | $gam csv - gam delete feature ~name
+             GAM_CSV_ROW_FILTER="name:regex:^gha_test_${JID}_" $gam user $gam_user print shareddrives asadmin | $gam csv - gam user $gam_user delete shareddrive ~id nukefromorbit
+             $gam print users query "gha.jid=$JID" | $gam csv - gam delete user ~primaryEmail
+             GAM_CSV_ROW_FILTER="name:regex:^gha_test_${JID}_" $gam print ous fromparent "aaaGithub Actions" | $gam csv - gam delete ou ~orgUnitId
+             GAM_CSV_ROW_FILTER="groupKey.id:regex:^gha_test_${JID}_" $gam print cigroups | $gam csv - gam delete cigroup ~groupKey.id
+             GAM_CSV_ROW_FILTER="resourceId:regex:^gha_test_${JID}_" $gam print resources | $gam csv - gam delete resource ~resourceId
+             GAM_CSV_ROW_FILTER="buildingId:regex:^gha_test_${JID}_" $gam print buildings | $gam csv - gam delete building ~buildingId
+             
+             echo "Creating OrgUnit ${newou}"
+             $gam create ou "${newou}"
              export GAM_THREADS=5
              echo email > sample.csv;
              for i in {1..10}; do
                echo "${newbase}-bulkuser-$i" >> sample.csv;
              done
-             $gam create user $newuser firstname GHA lastname $JID password random recoveryphone 12125121110 recoveryemail jay0lee@gmail.com gha.jid $JID languages en+,en-GB-
+             $gam create user $newuser firstname GHA lastname $JID displayname "Github Actions ${JID}" password random ou "${newou}" recoveryphone 12125121110 recoveryemail jay0lee@gmail.com gha.jid $JID languages en+,en-GB-
              $gam user $newuser update photo https://dummyimage.com/400x600/000/fff
              $gam user $newuser get photo
              $gam user $newuser delete photo
@@ -577,8 +632,8 @@ jobs:
              $gam update group $newgroup add owner $gam_user
              $gam update group $newgroup add member $newuser
              $gam create admin $newuser _GROUPS_EDITOR_ROLE CUSTOMER # condition nonsecuritygroup
-             $gam csv sample.csv gam create user ~~email~~ firstname "GHA Bulk" lastname ~~email~~ gha.jid $JID
-             $gam csv sample.csv gam update user ~~email~~ recoveryphone 12125121110 recoveryemail jay0lee@gmail.com password random
+             $gam csv sample.csv gam create user ~~email~~ firstname "GHA Bulk" lastname ~~email~~ gha.jid $JID ou "${newou}"
+             $gam csv sample.csv gam update user ~~email~~ recoveryphone 12125121110 recoveryemail jay0lee@gmail.com password random displayname "GitHub Actions Bulk ${JID}"
              $gam csv sample.csv gam update user ~~email~~ recoveryphone "" recoveryemail ""
              $gam csv sample.csv gam user ~email add license workspaceenterpriseplus
              $gam csv sample.csv gam user $gam_user sendemail recipient ~~email~~@pdl.jaylee.us subject "test message $newbase" message "GHA test message"
@@ -608,8 +663,8 @@ jobs:
              $gam users "$newbase-bulkuser-7 $newbase-bulkuser-8 $newbase-bulkuser-9" modify messages query in:anywhere maxtomodify 99999 addlabel IMPORTANT addlabel STARRED doit
              $gam user $newuser delete label --ALL_LABELS--
              GAM_CSV_ROW_FILTER="name:regex:gha-test-${JID}" $gam print features | $gam csv - gam delete feature ~name
-             $gam create feature name Whiteboard-$newbase
              $gam create feature name VC-$newbase
+             $gam create feature name Whiteboard-$newbase
              $gam create building "My Building - $newbase" id $newbuilding floors 1,2,3,4,5,6,7,8,9,10,11,12,14,15 description "No 13th floor here..."
              $gam create resource $newresource "Resource Calendar $tstamp" capacity 25 features Whiteboard-$newbase,VC-$newbase building $newbuilding floor 15 type Room
              $gam info resource $newresource
@@ -645,8 +700,9 @@ jobs:
              $gam delete hold "GHA hold $newbase" matter $matterid
              $gam update matter $matterid action close
              $gam update matter $matterid action delete
-             #$gam delete user $newuser
-             #$gam undelete user $newuser
+             # shakes off vault hold on user so we can delete
+             $gam print users query "email:${newuser}" orgunitpath | $gam csv - gam update user ~primaryEmail ou ~orgUnitPath
+             $gam user $newuser show holds
              $gam delete user $newuser
              $gam print users query "gha.jid=$JID" | $gam csv - gam delete user ~primaryEmail
              $gam print mobile
@@ -662,44 +718,76 @@ jobs:
              $gam report users fields accounts:is_less_secure_apps_access_allowed,gmail:last_imap_time,gmail:last_pop_time filters "accounts:last_login_time>2019-01-01T00:00:00.000Z" todrive
              $gam report admin start -3d todrive
              $gam print devices nopersonaldevices nodeviceusers filter "serial:$JID$JID$JID$JID-" | $gam csv - gam delete device id ~name
-             #$gam print userinvitations
-             #$gam print userinvitations | $gam csv - gam send userinvitation ~name
+             $gam print userinvitations
+             $gam print userinvitations | $gam csv - gam send userinvitation ~name
              $gam create caalevel "zzz_${newbase}" basic condition ipsubnetworks 1.1.1.1/32,2.2.2.2/32 endcondition
              $gam print caalevels
              $gam delete caalevel "zzz_${newbase}"
              driveid=$($gam user $gam_user add shareddrive "${newbase}" | awk '{print $NF}')
              echo "Created shared drive ${driveid}"
              $gam user $gam_user add drivefile localfile gam.py parentid "${driveid}"
-             $gam user $gam_user update shareddrive "${driveid}" ou "id:03ph8a2z1t2ph5z"
+             $gam user $gam_user update shareddrive "${driveid}" ou "${newou}"
              $gam user $gam_user show shareddrives asadmin
+             $gam user $gam_user update shareddrive "${driveid}" ou "aaaGithub Actions" # so we can delete our OU...
              $gam user $gam_user delete shareddrive "${driveid}" nukefromorbit
              echo "printer model count:"
              $gam print printermodels | wc -l
+             #ssoprofile=$($gam create inboundssoprofile name "El Goog ${newbase}" loginurl https://www.google.com logouturl https://www.google.com changepasswordurl https://www.google.com entityid ElGoog return_name_only)
+             #$gam create inboundssocredential profile "id:${ssoprofile}" generate_key
+             #$gam create inboundssoassignment profile "id:${ssoprofile}" orgunit "${newou}" mode SAML_SSO
+             $gam delete ou "${newou}"
+             #$gam delete inboundssoprofile "id:${ssoprofile}"
              #$gam print printers
              #$gam create printer displayname "${newbase}" uri ipp://localhost:631 driverless description "made by $(gam_user)" ou /
-             #export CUSTOMER_ID="C01wfv983"
-             #export GA_DOMAIN="pdl.jaylee.us"
-             #touch $gampath/enabledasa.txt
-             #echo "using delegated admin service account"
-             #$gam print users
-
-     # - name: Upload to Google Drive, build only.
-     #   if: github.event_name == 'push' && matrix.goal != 'test'
-     #   run: |
-     #        ls gam-$GAMVERSION-*
-     #        for gamfile in gam-$GAMVERSION-*; do
-     #          echo "Uploading file ${gamfile} to Google Drive..."
-     #          fileid=$($gam user $gam_user add drivefile localfile $gamfile drivefilename $GAMVERSION-${GITHUB_SHA:0:7}-$gamfile parentid 1N2zbO33qzUQFsGM49-m9AQC1ijzd_ru1 returnidonly)
-     #          echo "file uploaded as ${fileid}, setting ACL..."
-     #          $gam user $gam_user add drivefileacl $fileid anyone role reader withlink
-     #        done
+             export CUSTOMER_ID="C01wfv983"
+             export GA_DOMAIN="pdl.jaylee.us"
+             touch $gampath/enabledasa.txt
+             echo "using delegated admin service account"
+             $gam print users
 
       - name: Archive production artifacts
-        uses: actions/upload-artifact@v2
-        if: github.event_name == 'push' && matrix.goal != 'test'
+        uses: actions/upload-artifact@v3
+        if: (github.event_name == 'push' || github.event_name == 'schedule') && matrix.goal != 'test'
         with:
           name: gam-binaries
           path: |
             src/*.tar.xz
             src/*.zip
             src/*.msi
+
+      - name: Tar Cache archive
+        if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit != 'true'
+        working-directory: ${{ github.workspace }}
+        run: |
+          tar cJvvf bin.tar.xz bin/
+
+  publish:
+    if: github.event_name == 'push'
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+
+      - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - name: Download artifacts
+        uses: actions/download-artifact@v3
+
+      - name: VirusTotal Scan
+        uses: crazy-max/ghaction-virustotal@v3
+        with:
+          vt_api_key: ${{ secrets.VT_API_KEY }}
+          files: |
+            gam-binaries/*
+
+      - uses: "marvinpinto/action-automatic-releases@latest"
+        name: Publish draft release
+        with:
+          repo_token: "${{ secrets.GITHUB_TOKEN }}"
+          automatic_release_tag: latest
+          prerelease: false
+          draft: true
+          files: |
+            gam-binaries/*

.github/workflows/get-roots.yml

@@ -0,0 +1,36 @@
+name: Check for Google Root CA Updates
+
+on:
+  push:
+  pull_request:
+  schedule:
+    - cron: '23 23 * * *'
+
+defaults:
+  run:
+    shell: bash
+    working-directory: src
+
+jobs:
+  check-apis:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+        with:
+          persist-credentials: false # otherwise, the token used is the GITHUB_TOKEN, instead of your personal token
+          fetch-depth: 0 # otherwise, you will failed to push refs to dest repo
+
+      - name: Check for updates
+        run: curl -o ./roots.pem -vvvv https://pki.goog/roots.pem
+
+      - name: Commit file
+        run: |
+          git config --local user.email "action@github.com"
+          git config --local user.name "GitHub Action"
+          git add roots.pem
+          git diff --quiet && git diff --staged --quiet || git commit -am '[ci skip] Updated roots.pem'
+
+      - name: Push changes
+        uses: ad-m/github-push-action@master
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }} 

src/GamCommands.txt

@@ -1548,6 +1548,44 @@ gam print group-members|groups-members [todrive]
 	[roles <GroupRoleList>] [membernames] [fields <MembersFieldNameList>]
 	[includederivedmembership]
 
+<SSOProfileDisplayName> ::= <String>
+<SSOProfileName> ::= id:inboundSamlSsoProfiles/<String>
+<SSOProfileItem> ::= <SSOProfileDisplayName>|<SSOProfileName>
+<SSOProfileItemList> ::= "<SSOProfileItem>(,<SSOProfileItem>)*"
+
+gam create inboundssoprofile [name <SSOProfileDisplayName>]
+	[entityid <String>] [loginurl <URL>] [logouturl <URL>] [changepasswordurl <URL>]
+	[returnnameonly]
+gam update inboundssoprofile <SSOProfileItem>
+	[entityid <String>] [loginurl <URL>] [logouturl <URL>] [changepasswordurl <URL>]
+	[returnnameonly]
+gam delete inboundssoprofile <SSOProfileItem>
+gam info inboundssoprofile <SSOProfileItem>
+gam show inboundssoprofiles
+gam print inboundssoprofiles [todrive]
+
+<SSOCredentialsName> ::= [id:]inboundSamlSsoProfiles/<String>/idpCredentials/<String>
+
+gam create inboundssocredential profile <SSOProfileItem>
+	(pemfile <FileName>)|(generatekey [keysize 1024|2048|4096]) [replaceolddest]
+gam delete inboundssocredential <SSOCredentialsName>
+gam show inboundssocredentials [profile|profiles <SSOProfileItemList>]
+gam print inboundssocredentials [profile|profiles <SSOProfileItemList>] [todrive]
+
+<SSOAssignmentSelector> ::=
+	groups/<String> |
+	group:<EmailAddress> |
+	orgunits/<String> |
+	orgunit:<OrgUnitPath>
+
+gam create inboundssoassignment (group <GroupItem> rank <Number>)|(ou|org|orgunit <OrgUnitItem>)
+	(mode sso_off)|(mode saml_sso profile <SSOProfileItem>)(mode domain_wide_saml_if_enabled) [neverredirect]
+gam update inboundssoassignment [(group <GroupItem> rank <Number>)|(ou|org|orgunit <OrgUnitItem>)]
+	[(mode sso_off)|(mode saml_sso profile <SSOProfileItem>)(mode domain_wide_saml_if_enabled)] [neverredirect]
+gam info inboundssoassignment <SSOAssignmentSelector>
+gam show inboundssoassignments
+gam print inboundssoassignments [todrive]
+
 gam send userinvitation <EmailAddress>
 gam cancel userinvitation <EmailAddress>
 gam check userinvitation|isinvitable <EmailAddress>

src/gam.spec

@@ -1,55 +1,110 @@
-# -*- mode: python -*-
+# -*- mode: python ; coding: utf-8 -*-
+from os import getenv
+from sys import platform
 
-import sys
-
-import importlib
 from PyInstaller.utils.hooks import copy_metadata
 
-# dynamically determine where httplib2/cacerts.txt lives
-proot = os.path.dirname(importlib.import_module('httplib2').__file__)
-extra_files = [(os.path.join(proot, 'cacerts.txt'), 'httplib2')]
 
+extra_files = []
 extra_files += copy_metadata('google-api-python-client')
 extra_files += [('cbcm-v1.1beta1.json', '.')]
 extra_files += [('contactdelegation-v1.json', '.')]
 extra_files += [('admin-directory_v1.1beta1.json', '.')]
-
+extra_files += [('roots.pem', '.')]
 hidden_imports = [
      'gam.auth.yubikey',
      ]
-
-a = Analysis(['gam/__main__.py'],
-             hiddenimports=hidden_imports,
-             hookspath=None,
-             excludes=['FixTk', 'tcl', 'tk', '_tkinter', 'tkinter', 'Tkinter'],
-             datas=extra_files,
-             runtime_hooks=None)
-
+a = Analysis(
+    ['gam/__main__.py'],
+    pathex=[],
+    binaries=[],
+    datas=extra_files,
+    hiddenimports=hidden_imports,
+    hookspath=[],
+    hooksconfig={},
+    runtime_hooks=[],
+    excludes=[],
+    win_no_prefer_redirects=False,
+    win_private_assemblies=False,
+    cipher=None,
+    noarchive=False,
+)
 for d in a.datas:
     if 'pyconfig' in d[0]:
         a.datas.remove(d)
         break
-
-
-pyz = PYZ(a.pure)
-
-
-if sys.platform == "darwin":
-     target_arch="universal2"
+pyz = PYZ(a.pure,
+          a.zipped_data,
+          cipher=None)
+# requires Python 3.10+ but no one should be compiling
+# GAM with older versions anyway
+match platform:
+    case "darwin":
+        target_arch = "universal2"
+        strip = True
+    case "win32":
+        target_arch = None
+        strip = False
+    case _:
+        target_arch = None
+        strip = True
+name = 'gam'
+debug = False
+bootloader_ignore_signals = False
+upx = False
+console = True
+disable_windowed_traceback = False
+argv_emulation = False
+codesign_identity = None
+entitlements_file = None
+if getenv('PYINSTALLER_BUILD_ONEFILE') == 'yes':
+    # Build one file
+    exe = EXE(
+              pyz,
+              a.scripts,
+              a.binaries,
+              a.zipfiles,
+              a.datas,
+              [],
+              name=name,
+              debug=debug,
+              bootloader_ignore_signals=bootloader_ignore_signals,
+              strip=strip,
+              upx=upx,
+              console=console,
+              disable_windowed_traceback=disable_windowed_traceback,
+              argv_emulation=argv_emulation,
+              target_arch=target_arch,
+              codesign_identity=codesign_identity,
+              entitlements_file=entitlements_file,
+              )
 else:
-     target_arch=None
+    # Build one folder
+    exe = EXE(
+              pyz,
+              a.scripts,
+              [],
+              exclude_binaries=True,
+              name=name,
+              debug=debug,
+              bootloader_ignore_signals=bootloader_ignore_signals,
+              strip=strip,
+              upx=upx,
+              console=console,
+              disable_windowed_traceback=disable_windowed_traceback,
+              argv_emulation=argv_emulation,
+              target_arch=target_arch,
+              codesign_identity=codesign_identity,
+              entitlements_file=entitlements_file,
+              )
+    coll = COLLECT(
+        exe,
+        a.binaries,
+        a.zipfiles,
+        a.datas,
+        strip=strip,
+        upx=upx,
+        upx_exclude=[],
+        name=name,
+        )
 
-# use strip on all non-Windows platforms
-strip = not sys.platform == 'win32'
-
-exe = EXE(pyz,
-          a.scripts,
-          a.binaries,
-          a.zipfiles,
-          a.datas,
-          name='gam',
-          debug=False,
-          strip=strip,
-          upx=False,
-          target_arch=target_arch,
-          console=True)

src/gam.wxs

@@ -55,6 +55,9 @@
       <Component Id="gamcommands_txt" Guid="58ff9c45-a7c9-4e22-8845-a9a92610c1f3">
         <File Name="gamcommands.txt" KeyPath="yes" />
       </Component>
+      <Component Id="roots_pem" Guid="18ff9c45-a3c9-4e22-8445-a8a92610c1f3">
+        <File Name="roots.pem" KeyPath="yes" />
+      </Component>
     </ComponentGroup>
   </Fragment>
 

src/gam/__init__.py

@@ -65,6 +65,7 @@ from gam.gapi import chromemanagement as gapi_chromemanagement
 from gam.gapi import chromepolicy as gapi_chromepolicy
 from gam.gapi.cloudidentity import devices as gapi_cloudidentity_devices
 from gam.gapi.cloudidentity import groups as gapi_cloudidentity_groups
+from gam.gapi.cloudidentity import inboundsso as gapi_cloudidentity_inboundsso
 from gam.gapi.cloudidentity import orgunits as gapi_cloudidentity_orgunits
 from gam.gapi.cloudidentity import userinvitations as gapi_cloudidentity_userinvitations
 from gam.gapi import contactdelegation as gapi_contactdelegation
@@ -553,9 +554,12 @@ def SetGlobalVariables():
                       'debug.gam',
                       filePresentValue=4,
                       fileAbsentValue=0)
+    _getOldSignalFile(GC_LOW_MEMORY, 'lowmemory.txt')
     _getOldSignalFile(GC_NO_BROWSER, 'nobrowser.txt')
     _getOldSignalFile(GC_NO_TDEMAIL, 'notdemail.txt')
-    _getOldSignalFile(GC_OAUTH_BROWSER, 'oauthbrowser.txt')
+    # oauthbrowser.txt is deprecated as we now always
+    # use the localhost flow.
+    #_getOldSignalFile(GC_OAUTH_BROWSER, 'oauthbrowser.txt')
     #  _getOldSignalFile(GC_NO_CACHE, u'nocache.txt')
     #  _getOldSignalFile(GC_CACHE_DISCOVERY_ONLY, u'allcache.txt', filePresentValue=False, fileAbsentValue=True)
     _getOldSignalFile(GC_NO_CACHE,
@@ -631,27 +635,28 @@ TIME_OFFSET_UNITS = [('day', 86400), ('hour', 3600), ('minute', 60),
 
 
 def getLocalGoogleTimeOffset(testLocation='admin.googleapis.com'):
-    localUTC = datetime.datetime.now(datetime.timezone.utc)
-    try:
-        # we disable SSL verify so we can still get time even if clock
-        # is way off. This could be spoofed / MitM but we'll fail for those
-        # situations everywhere else but here.
-        badhttp = transport.create_http()
-        badhttp.disable_ssl_certificate_validation = True
-        googleUTC = dateutil.parser.parse(
-            badhttp.request('https://' + testLocation, 'HEAD')[0]['date'])
-    except (httplib2.ServerNotFoundError, RuntimeError, ValueError) as e:
-        controlflow.system_error_exit(4, str(e))
-    offset = remainder = int(abs((localUTC - googleUTC).total_seconds()))
-    timeoff = []
-    for tou in TIME_OFFSET_UNITS:
-        uval, remainder = divmod(remainder, tou[1])
-        if uval:
-            timeoff.append(f'{uval} {tou[0]}{"s" if uval != 1 else ""}')
-    if not timeoff:
-        timeoff.append('less than 1 second')
-    nicetime = ', '.join(timeoff)
-    return (offset, nicetime)
+    # Try with http first, if time is close (<MAX_LOCAL_GOOGLE_TIME_OFFSET seconds),
+    # retry with https
+    badhttp = transport.create_http()
+    for prot in ['http', 'https']:
+        localUTC = datetime.datetime.now(datetime.timezone.utc)
+        try:
+            googleUTC = dateutil.parser.parse(
+                badhttp.request(f'{prot}://' + testLocation, 'HEAD')[0]['date'])
+        except (httplib2.ServerNotFoundError, RuntimeError, ValueError) as e:
+            controlflow.system_error_exit(4, str(e))
+        offset = remainder = int(abs((localUTC - googleUTC).total_seconds()))
+        if offset < MAX_LOCAL_GOOGLE_TIME_OFFSET and prot == 'http':
+            continue
+        timeoff = []
+        for tou in TIME_OFFSET_UNITS:
+            uval, remainder = divmod(remainder, tou[1])
+            if uval:
+                timeoff.append(f'{uval} {tou[0]}{"s" if uval != 1 else ""}')
+        if not timeoff:
+            timeoff.append('less than 1 second')
+        nicetime = ', '.join(timeoff)
+        return (offset, nicetime)
 
 
 def doGAMCheckForUpdates(forceCheck=False):
@@ -1309,34 +1314,38 @@ def doCheckServiceAccount(users):
             3,
             'Invalid private key in oauth2service.json. Please delete the file and then\nrecreate with "gam create project" or "gam use project"'
         )
-    print(
-        'Checking key age. Google recommends rotating keys on a routine basis...'
+    key_type = GM_Globals[GM_OAUTH2SERVICE_JSON_DATA].get('key_type', 'default')
+    if key_type == 'yubikey':
+        printPassFail('Skipping age check. YubiKey rotation not necessary.', test_pass)
+    else:
+        print(
+            'Checking key age. Google recommends rotating keys on a routine basis...'
     )
-    try:
-        iam = buildGAPIServiceObject('iam', None)
-        project = GM_Globals[GM_OAUTH2SERVICE_ACCOUNT_CLIENT_ID]
-        key_id = GM_Globals[GM_OAUTH2SERVICE_JSON_DATA]['private_key_id']
-        name = f'projects/-/serviceAccounts/{project}/keys/{key_id}'
-        key = gapi.call(iam.projects().serviceAccounts().keys(),
-                        'get',
-                        name=name,
-                        throw_reasons=[gapi_errors.ErrorReason.FOUR_O_THREE])
-        key_created = dateutil.parser.parse(
-            key['validAfterTime'], ignoretz=True)
-        key_age = datetime.datetime.now() - key_created
-        key_days = key_age.days
-        if key_days > 30:
-            print(
-                'Your key is old. Recommend running "gam rotate sakey" to get a new key'
-            )
+        try:
+            iam = buildGAPIServiceObject('iam', None)
+            project = GM_Globals[GM_OAUTH2SERVICE_ACCOUNT_CLIENT_ID]
+            key_id = GM_Globals[GM_OAUTH2SERVICE_JSON_DATA]['private_key_id']
+            name = f'projects/-/serviceAccounts/{project}/keys/{key_id}'
+            key = gapi.call(iam.projects().serviceAccounts().keys(),
+                            'get',
+                            name=name,
+                            throw_reasons=[gapi_errors.ErrorReason.FOUR_O_THREE])
+            key_created = dateutil.parser.parse(
+                key['validAfterTime'], ignoretz=True)
+            key_age = datetime.datetime.now() - key_created
+            key_days = key_age.days
+            if key_days > 30:
+                print(
+                    'Your key is old. Recommend running "gam rotate sakey" to get a new key'
+                )
+                key_age_result = test_warn
+            else:
+                key_age_result = test_pass
+        except googleapiclient.errors.HttpError:
             key_age_result = test_warn
-        else:
-            key_age_result = test_pass
-    except googleapiclient.errors.HttpError:
-        key_age_result = test_warn
-        key_days = 'UNKNOWN'
-        print('Unable to check key age, please run "gam update project"')
-    printPassFail(f'Key is {key_days} days old', key_age_result)
+            key_days = 'UNKNOWN'
+            print('Unable to check key age, please run "gam update project"')
+        printPassFail(f'Key is {key_days} days old', key_age_result)
     if not check_scopes:
         for _, scopes in list(API_SCOPE_MAPPING.items()):
             for scope in scopes:
@@ -4468,15 +4477,7 @@ def getImap(users):
                            soft_errors=True,
                            userId='me')
         if result:
-            enabled = result['enabled']
-            if enabled:
-                print(
-                    f'User: {user}, IMAP Enabled: {enabled}, autoExpunge: {result["autoExpunge"]}, expungeBehavior: {result["expungeBehavior"]}, maxFolderSize: {result["maxFolderSize"]}{currentCount(i, count)}'
-                )
-            else:
-                print(
-                    f'User: {user}, IMAP Enabled: {enabled}{currentCount(i, count)}'
-                )
+            display.print_json(result)
 
 
 def doPop(users):
@@ -6573,6 +6574,15 @@ def getUserAttributes(i, cd, updateCmd):
             body.setdefault('name', {})
             body['name']['familyName'] = sys.argv[i + 1]
             i += 2
+        elif myarg in ['displayname']:
+            body.setdefault('name', {})
+            body['name']['displayName'] = sys.argv[i + 1]
+            # sigh, the API is wonky. If we set just displayName
+            # we get an error. But if we also "set" fullName which is
+            # really just a concat of first/last name and can't be set
+            # then it works. Go figure.
+            body['name']['fullName'] = sys.argv[i+1]
+            i += 2
         elif myarg in ['username', 'email', 'primaryemail'] and updateCmd:
             body['primaryEmail'] = normalizeEmailAddressOrUID(sys.argv[i + 1],
                                                               noUid=True)
@@ -7129,7 +7139,7 @@ def getCRMService(login_hint):
         scopes,
         'online',
         login_hint=login_hint,
-        use_console_flow=not GC_Values[GC_OAUTH_BROWSER])
+        open_browser=not GC_Values[GC_NO_BROWSER])
     httpc = transport.AuthorizedHttp(creds, transport.create_http())
     return getService('cloudresourcemanager', httpc), httpc
 
@@ -7285,7 +7295,7 @@ def _createClientSecretsOauth2service(httpObj, projectId, login_hint):
             'code':
                 'ThisIsAnInvalidCodeOnlyBeingUsedToTestIfClientAndSecretAreValid',
             'redirect_uri':
-                'urn:ietf:wg:oauth:2.0:oob',
+                'http://127.0.0.1:8080/',
             'grant_type':
                 'authorization_code'
         }
@@ -7722,7 +7732,7 @@ def doUpdateProjects():
         _grantRotateRights(iam, sa_email, sa_email)
 
 
-def _generatePrivateKeyAndPublicCert(client_id, key_size):
+def _generatePrivateKeyAndPublicCert(client_id, key_size, b64enc_pub=True):
     print(' Generating new private key...')
     private_key = rsa.generate_private_key(public_exponent=65537,
                                            key_size=key_size,
@@ -7766,6 +7776,8 @@ def _generatePrivateKeyAndPublicCert(client_id, key_size):
                                backend=default_backend())
     public_cert_pem = certificate.public_bytes(
         serialization.Encoding.PEM).decode()
+    if not b64enc_pub:
+        return private_pem, public_cert_pem
     publicKeyData = base64.b64encode(public_cert_pem.encode())
     if isinstance(publicKeyData, bytes):
         publicKeyData = publicKeyData.decode()
@@ -7896,6 +7908,7 @@ def doCreateOrRotateServiceAccountKeys(iam=None,
         yk = yubikey.YubiKey(new_data)
         if 'yubikey_serial_number' not in new_data:
             new_data['yubikey_serial_number'] = yk.get_serial_number()
+            yk = yubikey.YubiKey(new_data)
         if 'yubikey_slot' not in new_data:
             new_data['yubikey_slot'] = 'AUTHENTICATION'
         publicKeyData = yk.get_certificate()
@@ -8931,10 +8944,16 @@ def doGetUserInfo(user_email=None):
                      customFieldMask=customFieldMask,
                      viewType=viewType)
     print(f'User: {user["primaryEmail"]}')
-    if 'name' in user and 'givenName' in user['name']:
-        print(f'First Name: {user["name"]["givenName"]}')
-    if 'name' in user and 'familyName' in user['name']:
-        print(f'Last Name: {user["name"]["familyName"]}')
+    if 'name' in user:
+        names = {
+                  'givenName': 'First Name',
+                  'familyName': 'Last Name',
+                  'fullName': 'Full Name',
+                  'displayName': 'Display Name',
+                }
+        for field, description in names.items():
+            if field in user['name']:
+                print(f'{description}: {user["name"][field]}')
     if 'languages' in user:
         print(f"Languages: {_formatLanguagesList(user['languages'], ',')}")
     if 'isAdmin' in user:
@@ -9479,7 +9498,7 @@ def doUndeleteUser():
     i = 4
     while i < len(sys.argv):
         myarg = sys.argv[i].lower()
-        if myarg in ['ou', 'org']:
+        if myarg in ['ou', 'org', 'orgunit']:
             orgUnit = gapi_directory_orgunits.makeOrgUnitPathAbsolute(
                 sys.argv[i + 1])
             i += 2
@@ -9642,6 +9661,7 @@ USER_ARGUMENT_TO_PROPERTY_MAP = {
     'changepasswordatnextlogin': ['changePasswordAtNextLogin',],
     'creationtime': ['creationTime',],
     'deletiontime': ['deletionTime',],
+    'displayname': ['displayName',],
     'email': ['emails',],
     'emails': ['emails',],
     'externalid': ['externalIds',],
@@ -9683,6 +9703,7 @@ USER_ARGUMENT_TO_PROPERTY_MAP = {
     'location': ['locations',],
     'locations': ['locations',],
     'name': [
+        'name.displayName',
         'name.givenName',
         'name.familyName',
         'name.fullName',
@@ -10180,7 +10201,7 @@ def getUsersToModify(entity_type=None,
             'org_ns',
             'ou_susp',
             'org_susp',
-    ]:
+            ]:
         if entity_type in ['ou_ns', 'org_ns']:
             checkSuspended = False
         elif entity_type in ['ou_susp', 'org_susp']:
@@ -10543,7 +10564,7 @@ def doRequestOAuth(login_hint=None, scopes=None):
             access_type='offline',
             login_hint=login_hint,
             credentials_file=GC_Values[GC_OAUTH2_TXT],
-            use_console_flow=not GC_Values[GC_OAUTH_BROWSER])
+            open_browser=not GC_Values[GC_NO_BROWSER])
         creds.write()
     except gam.auth.oauth.InvalidClientSecretsFileError:
         controlflow.system_error_exit(14, missing_client_secrets_message)
@@ -10585,6 +10606,11 @@ OAUTH2_SCOPES = [
         'subscopes': ['readonly'],
         'scopes': 'https://www.googleapis.com/auth/cloud-identity.groups'
     },
+    {
+        'name': 'Cloud Identity - Inbound SSO Settings',
+        'subscopes': ['readonly'],
+        'scopes': 'https://www.googleapis.com/auth/cloud-identity.inboundsso',
+    },
     {
         'name': 'Cloud Identity - OrgUnits',
         'subscopes': ['readonly'],
@@ -11241,7 +11267,7 @@ def run_batch(items):
                 )
                 pool.close()
                 pool.join()
-                pool = mp_pool(num_worker_threads, init_gam_worker, maxtasksperchild=200, initargs=(1,))
+                pool = mp_pool(num_worker_threads, init_gam_worker, maxtasksperchild=200, initargs=(l,))
                 sys.stderr.write(
                     'commit-batch - running processes finished, proceeding\n')
                 continue
@@ -11414,6 +11440,8 @@ def ProcessGAMCommand(args):
             i, encoding = getCharSet(i + 1)
             f = fileutils.open_file(filename, encoding=encoding)
             csvFile = csv.DictReader(f)
+            if not csvFile.fieldnames:
+                controlflow.system_error_exit(0, f'CSV file {filename} is empty')
             if (i == len(sys.argv)) or (sys.argv[i].lower() !=
                                         'gam') or (i + 1 == len(sys.argv)):
                 controlflow.system_error_exit(
@@ -11463,7 +11491,13 @@ def ProcessGAMCommand(args):
                 gapi_cloudidentity_groups.create()
             elif argument in ['nickname', 'alias']:
                 doCreateAlias()
-            elif argument in ['org', 'ou']:
+            elif argument in ['inboundssoprofile', 'inboundssoprofiles']:
+                gapi_cloudidentity_inboundsso.create_profile()
+            elif argument in ['inboundssocredential', 'inboundssocredentials']:
+                gapi_cloudidentity_inboundsso.create_credentials()
+            elif argument in ['inboundssoassignment', 'inboundssoassignments']:
+                gapi_cloudidentity_inboundsso.create_assignment()
+            elif argument in ['org', 'orgunit', 'ou']:
                 gapi_directory_orgunits.create()
             elif argument == 'resource':
                 gapi_directory_resource.createResourceCalendar()
@@ -11535,10 +11569,14 @@ def ProcessGAMCommand(args):
                 gapi_cloudidentity_groups.update()
             elif argument in ['nickname', 'alias']:
                 doUpdateAlias()
-            elif argument in ['ou', 'org']:
+            elif argument in ['ou', 'org', 'orgunit']:
                 gapi_directory_orgunits.update()
             elif argument == 'resource':
                 gapi_directory_resource.updateResourceCalendar()
+            elif argument in ['inboundssoprofile', 'inboundssoprofiles']:
+                gapi_cloudidentity_inboundsso.update_profile()
+            elif argument in ['inboundssoassignment', 'inboundssoasignments']:
+                gapi_cloudidentity_inboundsso.update_assignment()
             elif argument == 'cros':
                 gapi_directory_cros.doUpdateCros()
             elif argument == 'mobile':
@@ -11600,7 +11638,11 @@ def ProcessGAMCommand(args):
                 doGetAliasInfo()
             elif argument == 'instance':
                 gapi_directory_customer.doGetCustomerInfo()
-            elif argument in ['org', 'ou']:
+            elif argument in ['inboundssoprofile', 'inboundssoprofiles']:
+                gapi_cloudidentity_inboundsso.info_profile()
+            elif argument in ['inboundssoassignment', 'inboundssoassignments']:
+                gapi_cloudidentity_inboundsso.info_assignment()
+            elif argument in ['ou', 'org', 'orgunit']:
                 gapi_directory_orgunits.info()
             elif argument == 'resource':
                 gapi_directory_resource.getResourceCalendarInfo()
@@ -11675,8 +11717,12 @@ def ProcessGAMCommand(args):
                 gapi_cloudidentity_groups.delete()
             elif argument in ['nickname', 'alias']:
                 doDeleteAlias()
-            elif argument == 'org':
+            elif argument in ['ou', 'org', 'orgunit']:
                 gapi_directory_orgunits.delete()
+            elif argument in ['inboundssoprofile', 'inboundssoprofiles']:
+                gapi_cloudidentity_inboundsso.delete_profile()
+            elif argument in ['inboundssocredential', 'inboundssocredentials']:
+                gapi_cloudidentity_inboundsso.delete_credentials()
             elif argument == 'resource':
                 gapi_directory_resource.deleteResourceCalendar()
             elif argument == 'mobile':
@@ -11768,6 +11814,12 @@ def ProcessGAMCommand(args):
                 gapi_directory_groups.print_members()
             elif argument in ['cigroupmembers', 'cigroupsmembers']:
                 gapi_cloudidentity_groups.print_members()
+            elif argument in ['inboundssoprofile', 'inboundssoprofiles']:
+                gapi_cloudidentity_inboundsso.print_show_profiles()
+            elif argument in ['inboundssocredential', 'inboundssocredentials']:
+                gapi_cloudidentity_inboundsso.print_show_credentials()
+            elif argument in ['inboundssoassignment', 'inboundssoassignments']:
+                gapi_cloudidentity_inboundsso.print_show_assignments()
             elif argument in ['orgs', 'ous']:
                 gapi_directory_orgunits.print_()
             elif argument == 'privileges':
@@ -11868,6 +11920,12 @@ def ProcessGAMCommand(args):
                 gapi_licensing.show()
             elif argument in ['project', 'projects']:
                 doPrintShowProjects(False)
+            elif argument in ['inboundssoprofile', 'inboundssoprofiles']:
+                gapi_cloudidentity_inboundsso.print_show_profiles('show')
+            elif argument in ['inboundssocredential', 'inboundssocredentials']:
+                gapi_cloudidentity_inboundsso.print_show_credentials('show')
+            elif argument in ['inboundssoassignment', 'inboundssoassignments']:
+                gapi_cloudidentity_inboundsso.print_show_assignments('show')
             elif argument in ['sakey', 'sakeys']:
                 doShowServiceAccountKeys()
             elif argument in ['browsertoken', 'browsertokens']:
@@ -12008,6 +12066,7 @@ def ProcessGAMCommand(args):
             action = sys.argv[2].lower().replace('_', '')
             if action == 'resetpiv':
                 yk = yubikey.YubiKey()
+                yk.serial_number = yk.get_serial_number()
                 yk.reset_piv()
             sys.exit(0)
         users = getUsersToModify()

src/gam/auth/oauth.py

@@ -272,6 +272,7 @@ class Credentials(google.oauth2.credentials.Credentials):
                             access_type='offline',
                             login_hint=None,
                             filename=None,
+                            open_browser=True,
                             use_console_flow=False):
         """Runs an OAuth Flow from client secrets to generate credentials.
 
@@ -291,8 +292,11 @@ class Credentials(google.oauth2.credentials.Credentials):
       login_hint: String, The email address that will be displayed on the Google
         login page as a hint for the user to login to the correct account.
       filename: String, the path to a file to use to save the credentials.
-      use_console_flow: Boolean, True if the authentication flow should be run
-        strictly from a console; False to launch a browser for authentication.
+      use_console_flow: OBSOLETE: Boolean, True if the authentication flow
+        should be run strictly from a console; False to launch a browser
+        for authentication.
+      open_browser: Boolean: whether or not GAM should try to open the browser
+        automatically.
 
     Returns:
       Credentials
@@ -312,12 +316,11 @@ class Credentials(google.oauth2.credentials.Credentials):
         flow = _ShortURLFlow.from_client_config(client_config,
                                                 scopes,
                                                 autogenerate_code_verifier=True)
-        flow_kwargs = {'access_type': access_type}
+        flow_kwargs = {'access_type': access_type,
+                       'open_browser': open_browser}
         if login_hint:
             flow_kwargs['login_hint'] = login_hint
-
-        flow.run_dual(use_console_flow,
-                **flow_kwargs)
+        flow.run_dual(**flow_kwargs)
         return cls.from_google_oauth2_credentials(flow.credentials,
                                                   filename=filename)
 
@@ -328,6 +331,7 @@ class Credentials(google.oauth2.credentials.Credentials):
                                  access_type='offline',
                                  login_hint=None,
                                  credentials_file=None,
+                                 open_browser=True,
                                  use_console_flow=False):
         """Runs an OAuth Flow from secrets stored on disk to generate credentials.
 
@@ -348,8 +352,11 @@ class Credentials(google.oauth2.credentials.Credentials):
         login page as a hint for the user to login to the correct account.
       credentials_file: String, the path to a file to use to save the
         credentials.
-      use_console_flow: Boolean, True if the authentication flow should be run
-        strictly from a console; False to launch a browser for authentication.
+      use_console_flow: OBSOLETE: Boolean, True if the authentication flow
+        should be run strictly from a console; False to launch a browser for
+        authentication.
+      open_browser: Boolean, whether or not GAM should try to open the browser
+        directly.
 
     Raises:
       InvalidClientSecretsFileError: If the client secrets file cannot be
@@ -378,14 +385,13 @@ class Credentials(google.oauth2.credentials.Credentials):
             raise InvalidClientSecretsFileFormatError(
                 f'Could not extract Client ID or Client Secret from file {client_secrets_file}'
             )
-
         return cls.from_client_secrets(client_id,
                                        client_secret,
                                        scopes,
                                        access_type=access_type,
                                        login_hint=login_hint,
                                        filename=credentials_file,
-                                       use_console_flow=use_console_flow)
+                                       open_browser=open_browser)
 
     def _fetch_id_token_data(self):
         """Fetches verification details from Google for the OAuth2.0 token.
@@ -482,7 +488,11 @@ class Credentials(google.oauth2.credentials.Credentials):
     def _locked_refresh(self, request):
         """Refreshes the credential's access token while the file lock is held."""
         assert self._lock.is_locked
-        super().refresh(request)
+        try:
+            super().refresh(request)
+        except google.auth.exceptions.RefreshError as e:
+            controlflow.system_error_exit(9, str(e))
+
 
     def write(self):
         """Writes credentials to disk."""
@@ -595,7 +605,6 @@ class _ShortURLFlow(google_auth_oauthlib.flow.InstalledAppFlow):
 
 
     def run_dual(self,
-                use_console_flow,
                 authorization_prompt_message='',
                 console_prompt_message='',
                 web_success_message='',
@@ -605,7 +614,7 @@ class _ShortURLFlow(google_auth_oauthlib.flow.InstalledAppFlow):
         mgr = multiprocessing.Manager()
         d = mgr.dict()
         d['trailing_slash'] = redirect_uri_trailing_slash
-        d['open_browser'] = use_console_flow
+        d['open_browser'] = open_browser
         http_client = multiprocessing.Process(target=_wait_for_http_client,
                                               args=(d,))
         user_input = multiprocessing.Process(target=_wait_for_user_input,

src/gam/auth/yubikey.py

@@ -8,7 +8,7 @@ from threading import Timer
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import padding
 from smartcard.Exceptions import CardConnectionException
-from ykman.device import connect_to_device
+from ykman.device import list_all_devices
 from ykman.piv import generate_self_signed_certificate, \
                       generate_chuid
 from yubikit.piv import DEFAULT_MANAGEMENT_KEY, \
@@ -20,11 +20,14 @@ from yubikit.piv import DEFAULT_MANAGEMENT_KEY, \
                         OBJECT_ID, \
                         SLOT, \
                         TOUCH_POLICY
-from yubikit.core.smartcard import ApduError
+from yubikit.core.smartcard import ApduError, \
+                                   SmartCardConnection
 from gam import controlflow
 
+
 class YubiKey():
 
+
     def __init__(self, service_account_info=None):
         self.key_type = None
         self.slot = None
@@ -46,12 +49,16 @@ class YubiKey():
             self.pin = service_account_info.get('yubikey_pin')
             self.key_id = service_account_info.get('private_key_id')
 
+
     def _connect(self):
         try:
-            conn, _, _ = connect_to_device(self.serial_number)
+            devices = list_all_devices()
+            for (device, info) in devices:
+                if info.serial == self.serial_number:
+                    return device.open_connection(SmartCardConnection)
         except CardConnectionException as err:
             controlflow.system_error_exit(9, f'YubiKey - {err}')
-        return conn
+
 
     def get_certificate(self):
         try:
@@ -79,11 +86,22 @@ class YubiKey():
 
     def get_serial_number(self):
         try:
-            _, _, info = connect_to_device(self.serial_number)
-            return info.serial
+            devices = list_all_devices()
+            if self.serial_number:
+                for (device, info) in devices:
+                    if info.serial == self.serial_number:
+                        return info.serial
+                msg = f'Could not find YubiKey with serial {self.serial_number}'
+                controlflow.system_error_exit(3, msg)
+            if len(devices) > 1:
+                serials = ', '.join([str(info.serial) for (_, info) in devices])
+                msg = f'Multiple YubiKeys connected. Specify yubikey_serial_number and one of {serials}'
+                controlflow.system_error_exit(4, msg)
+            return devices[0][1].serial
         except ValueError as err:
             controlflow.system_error_exit(9, f'YubiKey - {err}')
 
+
     def reset_piv(self):
         '''Resets YubiKey PIV app and generates new key for GAM to use.'''
         reply = str(input('This will wipe all PIV keys and configuration from your YubiKey. Are you sure? (y/N) ').lower().strip())
@@ -95,7 +113,9 @@ class YubiKey():
                 piv = PivSession(conn)
                 piv.reset()
                 rnd = SystemRandom()
-                pin_puk_chars = string.ascii_letters + string.digits + string.punctuation
+                pin_puk_chars = string.ascii_letters + \
+                                string.digits + \
+                                string.punctuation
                 new_puk = ''.join(rnd.choice(pin_puk_chars) for _ in range(8))
                 new_pin = ''.join(rnd.choice(pin_puk_chars) for _ in range(8))
                 piv.change_puk('12345678', new_puk)
@@ -155,3 +175,4 @@ class YubiKey():
         if 'mplock' in globals():
             mplock.release()
         return signed
+

src/gam/controlflow.py

@@ -34,7 +34,7 @@ def missing_argument_exit(argument, command):
     """Indicate that the argument is missing for the command.
 
   Args:
-    argument: the missingagrument
+    argument: the missing argument
     command: the base GAM command
   """
     system_error_exit(2, f'missing argument {argument} for "{command}"')

src/gam/gapi/__init__.py

@@ -1,6 +1,8 @@
 """Methods related to execution of GAPI requests."""
 
+import os.path
 import sys
+from tempfile import TemporaryDirectory
 
 import googleapiclient.errors
 import google.auth.exceptions
@@ -10,7 +12,8 @@ from gam import controlflow
 from gam import display
 from gam.gapi import errors
 from gam import transport
-from gam.var import (GM_Globals, GM_CURRENT_API_SCOPES, GM_CURRENT_API_USER,
+from gam.var import (GC_Values, GM_Globals,
+                     GM_CURRENT_API_SCOPES, GM_CURRENT_API_USER,
                      GM_EXTRA_ARGS_DICT, GM_OAUTH2SERVICE_ACCOUNT_CLIENT_ID,
                      MAX_RESULTS_API_EXCEPTIONS, MESSAGE_API_ACCESS_CONFIG,
                      MESSAGE_API_ACCESS_DENIED, MESSAGE_SERVICE_NOT_APPLICABLE)
@@ -238,8 +241,13 @@ def process_page(page, items, all_items, total_items, page_message, message_attr
         page_items = page.get(items, [])
         num_page_items = len(page_items)
         total_items += num_page_items
-        if all_items is not None:
+        if type(all_items) is list:
             all_items.extend(page_items)
+        elif all_items is not None:
+            i = len(all_items)
+            for item in page_items:
+                all_items[str(i)] = item
+                i += 1
     else:
         page_token = None
         num_page_items = 0
@@ -273,6 +281,7 @@ def finalize_page_message(page_message):
         sys.stderr.write('\r\n')
         sys.stderr.flush()
 
+
 def get_all_pages(service,
                   function,
                   items='items',
@@ -341,13 +350,14 @@ def get_all_pages(service,
         page_token, total_items = process_page(page, items, all_items, total_items, page_message, message_attribute)
         if not page_token:
             finalize_page_message(page_message)
+            if type(all_items) is not list:
+                all_items = all_items.values()
             return all_items
         if page_args_in_body:
             kwargs['body']['pageToken'] = page_token
         else:
             kwargs['pageToken'] = page_token
 
-
 # TODO: Make this private once all execution related items that use this method
 # have been brought into this file
 def handle_oauth_token_error(e, soft_errors):

src/gam/gapi/chromemanagement.py

@@ -286,7 +286,8 @@ def printShowCrosTelemetry(mode):
             device['storageInfo']['percentDiskUsed'] = 100 - device['storageInfo']['percentDiskFree']
         for cpuStatusReport in device.get('cpuStatusReport', []):
             for tempInfo in cpuStatusReport.pop('cpuTemperatureInfo', []):
-                cpuStatusReport[f"cpuTemperatureInfo.{tempInfo['label'].strip()}"] = tempInfo['temperatureCelsius']
+                if 'temperatureCelsius' in tempInfo:
+                    cpuStatusReport[f"cpuTemperatureInfo.{tempInfo['label'].strip()}"] = tempInfo['temperatureCelsius']
         if showOrgUnitPath:
             orgUnitId = device.get('orgUnitId')
             if orgUnitId not in orgUnitIdPathMap:

src/gam/gapi/chromepolicy.py

@@ -167,7 +167,7 @@ def build_schemas(svc=None, sfilter=None):
                     for an_enum in schema['definition']['enumType']:
                         if an_enum['name'] == type_name:
                             setting_dict['enums'] = [enum['name'] for enum in an_enum['value']]
-                            setting_dict['enum_prefix'] = utils.commonprefix(setting_dict['enums'])
+                            setting_dict['enum_prefix'] = utils.commonprefix(setting_dict['enums'], True)
                             prefix_len = len(setting_dict['enum_prefix'])
                             setting_dict['enums'] = [enum[prefix_len:] for enum \
                                                      in setting_dict['enums'] \

src/gam/gapi/cloudidentity/devices.py

@@ -80,7 +80,7 @@ def _parse_action(action):
 def info():
     ci = gapi_cloudidentity.build_dwd()
     customer = _get_device_customerid()
-    name = _get_device_name()
+    _, name = _get_deviceuser_name()
     device = gapi.call(ci.devices(), 'get', name=name, customer=customer)
     device_users = gapi.get_all_pages(ci.devices().deviceUsers(), 'list',
         'deviceUsers', parent=name, customer=customer)

src/gam/gapi/cloudidentity/groups.py

@@ -217,6 +217,7 @@ def print_():
     gapi_directory_customer.setTrueCustomerId()
     parent = f'customers/{GC_Values[GC_CUSTOMER_ID]}'
     usemember = None
+    query = None
     memberDelimiter = '\n'
     todrive = False
     titles = []
@@ -235,6 +236,9 @@ def print_():
         elif myarg == 'delimiter':
             memberDelimiter = sys.argv[i + 1]
             i += 2
+        elif myarg == 'query':
+            query = sys.argv[i + 1]
+            i += 2
         elif myarg == 'sortheaders':
             sortHeaders = True
             i += 1
@@ -314,14 +318,20 @@ def print_():
             if entity['relationType'] == 'DIRECT':
                 entityList.append(gapi.call(ci.groups(), 'get', name=entity['group']))
     else:
+        if query:
+            method = 'search'
+            kwargs = {'query': query}
+        else:
+            method = 'list'
+            kwargs = {'parent': parent}
         entityList = gapi.get_all_pages(ci.groups(),
-                                        'list',
+                                        method,
                                         'groups',
                                         page_message=page_message,
                                         message_attribute=['groupKey', 'id'],
-                                        parent=parent,
                                         view='FULL',
-                                        pageSize=500)
+                                        pageSize=500,
+                                        **kwargs)
     i = 0
     count = len(entityList)
     for groupEntity in entityList:
@@ -935,6 +945,12 @@ def group_email_to_id(ci, group, i=0, count=0):
         return None
 
 
+def group_id_to_email(ci, group_id):
+    return gapi.call(ci.groups(),
+                         'get',
+                         fields='groupKey/id',
+                         name=group_id).get('groupKey', {}).get('id')
+
 def membership_email_to_id(ci, parent, membership, i=0, count=0):
     membership = gam.normalizeEmailAddressOrUID(membership)
     try:

src/gam/gapi/cloudidentity/inboundsso.py

@@ -0,0 +1,538 @@
+"""Methods related to Cloud Identity Inbound (Google as SP) SAML SSO"""
+from datetime import datetime
+import re
+import sys
+
+import dateutil.parser
+import googleapiclient
+
+import gam
+from gam.var import GC_CUSTOMER_ID, GC_Values, MY_CUSTOMER
+from gam import controlflow
+from gam import display
+from gam import fileutils
+from gam import gapi
+from gam import utils
+from gam.gapi import errors as gapi_errors
+from gam.gapi import cloudidentity as gapi_cloudidentity
+from gam.gapi import directory as gapi_directory
+from gam.gapi.cloudidentity import groups as gapi_cloudidentity_groups
+from gam.gapi.directory import orgunits as gapi_directory_orgunits
+
+'''returns customer in the format inboundsso requires'''
+def get_sso_customer():
+    customer = GC_Values[GC_CUSTOMER_ID]
+    return f'customers/{customer}'
+
+
+'''returns org unit in the format inboundsso requires'''
+def get_orgunit_id(orgunit):
+    ou_id = gapi_directory_orgunits.getOrgUnitId(orgunit)[1]
+    if ou_id.startswith('id:'):
+        ou_id = ou_id[3:]
+    return f'orgUnits/{ou_id}'
+
+
+'''build Cloud Identity API'''
+def build():
+    return gapi_cloudidentity.build('cloudidentity_beta')
+
+
+'''parse cmd for profile create/update'''
+def parse_profile(body, i):
+    name_only = False
+    while i < len(sys.argv):
+        myarg = sys.argv[i].lower().replace('_', '')
+        if myarg == 'name':
+            body['displayName'] = sys.argv[i+1]
+            i += 2
+        elif myarg == 'entityid':
+            body.setdefault('idpConfig', {})['entityId'] = sys.argv[i+1]
+            i += 2
+        elif myarg == 'returnnameonly':
+            name_only = True
+            i += 1
+        elif myarg == 'loginurl':
+            body.setdefault('idpConfig', {})['singleSignOnServiceUri'] = sys.argv[i+1]
+            i += 2
+        elif myarg == 'logouturl':
+            body.setdefault('idpConfig', {})['logoutRedirectUri'] = sys.argv[i+1]
+            i += 2
+        elif myarg == 'changepasswordurl':
+            body.setdefault('idpConfig', {})['changePasswordUri'] = sys.argv[i+1]
+            i += 2
+        else:
+            controlflow.invalid_argument_exit(myarg, 'gam create/update inboundssoprofile')
+    return (name_only, body)
+
+
+'''convert profile nice names to unique ID'''
+def profile_displayname_to_name(displayName, ci=None):
+    if displayName.lower().startswith('id:') or displayName.lower().startswith('uid:'):
+        displayName = displayName.split(':', 1)[1]
+        if not displayName.startswith('inboundSamlSsoProfiles/'):
+            displayName = f'inboundSamlSsoProfiles/{displayName}'
+        return displayName
+    if not ci:
+        ci = build()
+    customer = get_sso_customer()
+    _filter = f'customer=="{customer}"'
+    profiles = gapi.get_all_pages(ci.inboundSamlSsoProfiles(),
+                                  'list',
+                                  'inboundSamlSsoProfiles',
+                                  filter=_filter)
+    matches = []
+    for profile in profiles:
+        if displayName.lower() == profile.get('displayName', '').lower():
+            matches.append(profile)
+    if len(matches) == 1:
+        return matches[0]['name']
+    if len(matches) == 0:
+        controlflow.system_error_exit(3, f'No Inbound SSO profile matches the name {displayName}')
+    else:
+        err_text = f'Multiple profiles match {displayName}:\n\n'
+        for m in matches:
+            err_text += f'  {m["name"]}  {m["displayName"]}\n'
+        controlflow.system_error_exit(3, err_text)
+
+
+'''get an assignment based on target'''
+def assignment_by_target(target, ci=None):
+    if not ci:
+        ci = build()
+    group_pattern = r'^groups/[^/]+$'
+    ou_pattern = r'^orgUnits/[^/]+$'
+    if re.match(group_pattern, target):
+        target_type = 'targetGroup'
+    elif re.match(ou_pattern, target):
+        target_type = 'targetOrgUnit'
+    elif target.lower().startswith('group:'):
+        target_type = 'targetGroup'
+        group_email = target[6:]
+        target = gapi_cloudidentity_groups.group_email_to_id(
+                    ci,
+                    group_email)
+    elif target.lower().startswith('orgunit:'):
+        target_type = 'targetOrgUnit'
+        ou_name = target[8:]
+        target = get_orgunit_id(ou_name)
+    else:
+        controlflow.system_error_exit(3, 'assignments should be prefixed with ' +
+                                         'group:, groups/, orgunit: or orgunits/')
+    customer = get_sso_customer()
+    _filter = f'customer=="{customer}"'
+    assignments = gapi.get_all_pages(ci.inboundSsoAssignments(),
+                                     'list',
+                                     'inboundSsoAssignments',
+                                     filter=_filter)
+    for assignment in assignments:
+        if target_type in assignment and assignment[target_type] == target:
+            return assignment
+    controlflow.system_error_exit(3, f'No SSO profile assigned to {target_type} {target}')
+
+
+'''gam create inboundssoprofile'''
+def create_profile():
+    ci = build()
+    body = {
+          'customer': get_sso_customer(),
+          'displayName': 'SSO Profile'
+          }
+    name_only, body = parse_profile(body, 3)
+    result = gapi.call(ci.inboundSamlSsoProfiles(),
+                       'create',
+                       body=body)
+    if result.get('done'):
+        if name_only:
+            print(result['response']['name'])
+        else:
+            print(f'Created profile {result["response"]["name"]}')
+            display.print_json(result['response'])
+    else:
+        controlflow.system_error_exit(3, 'Create did not finish {result}')
+
+
+'''gam print inboundssoprofiles'''
+def print_show_profiles(action='print'):
+    customer = get_sso_customer()
+    _filter = f'customer=="{customer}"'
+    ci = build()
+    todrive = False
+    i = 3
+    while i < len(sys.argv):
+        myarg = sys.argv[i].lower().replace('_', '')
+        if myarg == 'todrive':
+            todrive = True
+            i += 1
+        else:
+            controlflow.invalid_argument_exit(myarg, f'gam {action} inboundssoprofiles')
+
+    profiles = gapi.get_all_pages(ci.inboundSamlSsoProfiles(),
+                                  'list',
+                                  'inboundSamlSsoProfiles',
+                                  filter=_filter)
+    if action == 'show':
+        for profile in profiles:
+            display.print_json(profile)
+            print()
+    elif action == 'print':
+        csv_rows = []
+        titles = []
+        for profile in profiles:
+            row = utils.flatten_json(profile)
+            for item in row:
+                if item not in titles:
+                    titles.append(item)
+            csv_rows.append(row)
+        display.write_csv_file(csv_rows,
+                               titles,
+                               'Inbound SSO Profiles',
+                               todrive)
+
+
+'''gam update inboundssoprofile'''
+def update_profile():
+    ci = build()
+    name = profile_displayname_to_name(sys.argv[3], ci)
+    body = {}
+    name_only, body = parse_profile(body, 4)
+    updateMask = ','.join(body.keys())
+    result = gapi.call(ci.inboundSamlSsoProfiles(),
+                       'patch',
+                       name=name,
+                       updateMask=updateMask,
+                       body=body)
+    if name_only:
+        print(result['response']['name'])
+    else:
+        display.print_json(result)
+
+
+'''gam info inboundssoprofile'''
+def info_profile(return_only=False, displayName=None, ci=None):
+    if not ci:
+        ci = build()
+    if not displayName:
+        displayName = sys.argv[3]
+    name = profile_displayname_to_name(displayName, ci)
+    result = gapi.call(ci.inboundSamlSsoProfiles(),
+                       'get',
+                       name=name)
+    if return_only:
+        return result
+    display.print_json(result)
+
+'''gam delete inboundssoprofile'''
+def delete_profile():
+    ci = build()
+    name = profile_displayname_to_name(sys.argv[3], ci)
+    result = gapi.call(ci.inboundSamlSsoProfiles(),
+                       'delete',
+                       name=name)
+    if result.get('done'):
+        print(f'Deleted profile {name}.')
+    else:
+        controlflow.system_error_exit(3, 'Delete did not finish: {result}')
+
+
+'''gam create inboundssocredentials'''
+def create_credentials():
+    allowed_sizes = [1024, 2048, 4096]
+    ci = build()
+    parent = None
+    generate_key = False
+    key_size = 2048
+    pemData = None
+    replace_oldest = False
+    i = 3
+    while i < len(sys.argv):
+        myarg = sys.argv[i].lower().replace('_', '')
+        if myarg == 'profile':
+            parent = sys.argv[i+1]
+            parent = profile_displayname_to_name(parent, ci)
+            i += 2
+        elif myarg == 'pemfile':
+            pemfile = sys.argv[i+1]
+            pemData = fileutils.read_file(pemfile)
+            i += 2
+        elif myarg == 'generatekey':
+            generate_key = True
+            i += 1
+        elif myarg == 'replaceoldest':
+            replace_oldest = True
+            i += 1
+        elif myarg == 'keysize':
+            key_size = int(sys.argv[i+1])
+            if key_size not in allowed_sizes:
+                controlflow.expected_argument_exit('key_size',
+                                                   allowed_sizes,
+                                                   key_size)
+            i += 2
+        else:
+            controlflow.invalid_argument_exit(myarg, 'gam create inboundssocredential')
+    if not parent:
+        controlflow.missing_argument_exit('profile', 'gam create inboundssocredential')
+    if replace_oldest:
+        fields='nextPageToken,idpCredentials(name,updateTime)'
+        current_creds = gapi.get_all_pages(
+                ci.inboundSamlSsoProfiles().idpCredentials(),
+                'list',
+                'idpCredentials',
+                parent=parent,
+                fields=fields)
+        if len(current_creds) == 2:
+            oldest_key = min(current_creds,
+                             key=lambda x:x['updateTime'])
+            print(' deleting older key...')
+            delete_credentials(ci=ci,
+                               name=oldest_key['name'])
+        else:
+            print(' profile has {len(current_creds)} credentials. We only replace if there are 2.')
+    if generate_key:
+        privKey, pemData = gam._generatePrivateKeyAndPublicCert('GAM',
+                                                                key_size,
+                                                                b64enc_pub=False)
+        timestamp = datetime.now().strftime('%Y%m%d-%I%M%S')
+        priv_file = f'privatekey-{timestamp}.pem'
+        pub_file = f'publiccert-{timestamp}.pem'
+        fileutils.write_file(priv_file, privKey)
+        print(f' Wrote private key data to {priv_file}')
+        fileutils.write_file(pub_file, pemData)
+        print(f' Wrote public certificate to {pub_file}')
+    if not pemData:
+        controlflow.system_error_exit(3, 'You must either specify "pemfile <filename>" or "generate_key"')
+    body = {
+            'pemData': pemData,
+           }
+    result = gapi.call(ci.inboundSamlSsoProfiles().idpCredentials(),
+                       'add',
+                       parent=parent,
+                       body=body)
+    if result.get('done'):
+       print(f'Created credential {result["response"]["name"]}')
+       display.print_json(result['response'])
+    else:
+        controlflow.system_error_exit(3, 'Create did not finish {result}')
+
+
+'''gam delete inboundssocredential'''
+def delete_credentials(ci=None, name=None):
+    if not ci:
+        ci = build()
+    if not name:
+        name = sys.argv[3]
+    result = gapi.call(ci.inboundSamlSsoProfiles().idpCredentials(),
+                       'delete',
+                       name=name)
+    if result.get('done'):
+        print(f'Deleted credential {name}')
+    else:
+        controlflow.system_error_exit(3, 'Delete did not finish {result}')
+
+
+'''gam print inboundssocredentials'''
+def print_show_credentials(action='print'):
+    ci = build()
+    todrive = False
+    i = 3
+    profiles = []
+    while i < len(sys.argv):
+        myarg = sys.argv[i].lower().replace('_', '')
+        if myarg in ['profile', 'profiles']:
+            profiles = [profile_displayname_to_name(profile, ci)
+                            for profile in sys.argv[i+1].split(',')]
+            i += 2
+        elif myarg == 'todrive':
+            todrive = True
+            i += 1
+        else:
+            controlflow.invalid_argument_exit(myarg, f'gam {action} inboundssocredentials')
+    if not profiles:
+        customer = get_sso_customer()
+        _filter = f'customer=="{customer}"'
+        profiles = gapi.get_all_pages(ci.inboundSamlSsoProfiles(),
+                                      'list',
+                                      'inboundSamlSsoProfiles',
+                                      fields='inboundSamlSsoProfiles/name',
+                                      filter=_filter)
+        profiles = [p['name'] for p in profiles]
+    if action == 'print':
+        titles = []
+        csv_rows = []
+    credentials = []
+    for profile in profiles:
+        results = gapi.get_all_pages(ci.inboundSamlSsoProfiles().idpCredentials(),
+                                     'list',
+                                     'idpCredentials',
+                                     parent=profile)
+        credentials.extend(results)
+    if action == 'show':
+        for c in credentials:
+            display.print_json(c)
+            print()
+    elif action == 'print':
+        for c in credentials:
+            csv_row = utils.flatten_json(c)
+            for item in csv_row:
+                if item not in titles:
+                    titles.append(item)
+            csv_rows.append(csv_row)
+        display.write_csv_file(csv_rows,
+                               titles,
+                               'Inbound SSO Credentials',
+                               todrive)
+
+'''parse command for create/update inboundssoassignment'''
+def parse_assignment(body, i, ci):
+    while i < len(sys.argv):
+        myarg = sys.argv[i].lower().replace('_', '')
+        if myarg == 'rank':
+            body['rank'] = int(sys.argv[i+1])
+            i += 2
+        elif myarg == 'mode':
+            mode_choices = \
+                gapi.get_enum_values_minus_unspecified(
+                    ci._rootDesc['schemas']['InboundSsoAssignment']['properties']['ssoMode']['enum'])
+            body['ssoMode'] = sys.argv[i+1].upper()
+            if body['ssoMode'] not in mode_choices:
+                controlflow.expected_argument_exit('mode',
+                                                   ', '.join(mode_choices),
+                                                   sys.argv[i+1])
+            i += 2
+        elif myarg == 'profile':
+            profile_name = profile_displayname_to_name(
+                    sys.argv[i+1],
+                    ci)
+            body['samlSsoInfo'] = {
+                    'inboundSamlSsoProfile': profile_name
+                    }
+            i += 2
+        elif myarg == 'neverredirect':
+            body['signInBehavior'] = {
+                    'redirectCondition': 'NEVER'
+                    }
+            i += 1
+        elif myarg == 'group':
+            group = sys.argv[i+1]
+            body['targetGroup'] = gapi_cloudidentity_groups.group_email_to_id(
+                    ci,
+                    group)
+            i += 2
+        elif myarg in ['ou', 'org', 'orgunit']:
+            body['targetOrgUnit'] = get_orgunit_id(sys.argv[i+1])
+            i += 2
+        else:
+            controlflow.invalid_argument_exit(myarg, 'gam create/update inboundssoassignment')
+    return body
+
+
+def update_assignment_target_names(assignment, ci, cd):
+    if 'targetGroup' in assignment:
+        assignment['targetGroupEmail'] = \
+            gapi_cloudidentity_groups.group_id_to_email(ci,
+                                                        assignment['targetGroup'])
+    elif 'targetOrgUnit' in assignment:
+        ou_id = assignment['targetOrgUnit'].split('/')[1]
+        assignment['targetOrgUnitPath'] = \
+            gapi_directory_orgunits.orgunit_from_orgunitid(f'id:{ou_id}', cd)
+
+
+'''gam create inboundssoassignment'''
+def create_assignment():
+    ci = build()
+    cd = gapi_directory.build()
+    body = {
+            'customer': get_sso_customer(),
+           }
+    body = parse_assignment(body, 3, ci)
+    result = gapi.call(ci.inboundSsoAssignments(),
+                       'create',
+                       body=body)
+    if result.get('done'):
+       print(f'Created assignment {result["response"]["name"]}')
+       update_assignment_target_names(result['response'], ci, cd)
+       display.print_json(result['response'])
+    else:
+        controlflow.system_error_exit(3, 'Create did not finish {result}')
+
+
+def get_assignment_name(name):
+  if name.startswith('id:') or name.startswith('uid:'):
+    name = name.split(':', 1)[1]
+  if not name.startswith('inboundSsoAssignments/'):
+    name = f'inboundSsoAssignments/{name}'
+  return name
+
+
+'''gam update inboundssoassignment'''
+def update_assignment():
+    ci = build()
+    cd = gapi_directory.build()
+    name = get_assignment_name(sys.argv[3])
+    body = parse_assignment({}, 4, ci)
+    updateMask = ','.join(list(body.keys()))
+    result = gapi.call(ci.inboundSsoAssignments(),
+                       'patch',
+                       name=name,
+                       updateMask=updateMask,
+                       body=body)
+    if result.get('done'):
+       print(f'Updated assignment {result["response"]["name"]}')
+       update_assignment_target_names(result['response'], ci, cd)
+       display.print_json(result['response'])
+    else:
+        controlflow.system_error_exit(3, 'Update did not finish {result}')
+
+
+'''gam info inboundssoassignment'''
+def info_assignment():
+    ci = build()
+    cd = gapi_directory.build()
+    assignment = assignment_by_target(sys.argv[3], ci)
+    update_assignment_target_names(assignment, ci, cd)
+    profile = assignment.get('samlSsoInfo', {}).get('inboundSamlSsoProfile')
+    if profile:
+        assignment['samlSsoInfo']['inboundSamlSsoProfile'] = \
+            info_profile(return_only=True, displayName=f'id:{profile}', ci=ci)
+    display.print_json(assignment)
+
+
+'''gam print inboundssoassignments'''
+def print_show_assignments(action='print'):
+    ci = build()
+    cd = gapi_directory.build()
+    customer = get_sso_customer()
+    _filter = f'customer=="{customer}"'
+    todrive = False
+    i = 3
+    while i < len(sys.argv):
+        myarg = sys.argv[i].lower().replace('_', '')
+        if myarg == 'todrive':
+            todrive = True
+            i += 1
+        else:
+            controlflow.invalid_argument_exit(myarg,
+                                              f'gam {action} inboundssoassignments')
+    assignments = gapi.get_all_pages(ci.inboundSsoAssignments(),
+                                     'list',
+                                     'inboundSsoAssignments',
+                                     filter=_filter)
+    if action == 'show':
+        for assignment in assignments:
+            update_assignment_target_names(assignment, ci, cd)
+            display.print_json(assignment)
+            print()
+    elif action == 'print':
+        titles = []
+        csv_rows = []
+        for assignment in assignments:
+            update_assignment_target_names(assignment, ci, cd)
+            csv_row = utils.flatten_json(assignment)
+            for item in csv_row:
+                if item not in titles:
+                    titles.append(item)
+            csv_rows.append(csv_row)
+        display.write_csv_file(csv_rows,
+                               titles,
+                               'Inbound SSO Assignments',
+                               todrive)

src/gam/gapi/cloudresourcemanager.py

@@ -13,12 +13,14 @@ def get_org_id():
     gapi_directory_customer.setTrueCustomerId()
     crm = build()
     query = f'directorycustomerid:{GC_Values[GC_CUSTOMER_ID]}'
-    orgs = gapi.get_all_pages(crm.organizations(),
+    results = gapi.call(crm.organizations(),
                      'search',
-                     'organizations',
+                     pageSize=1,
+                     fields='organizations/name',
                      query=query)
-    if len(orgs) < 1:
+    orgs = results.get('organizations')
+    if not orgs:
         # return nothing and let calling API deal with it
         # since caller knows what GCP role would serve best
         return 
-    return orgs[0]['name']
+    return orgs[0].get('name')

src/gam/gapi/directory/customer.py

@@ -21,36 +21,36 @@ def doGetCustomerInfo():
                               'get',
                               customerKey=customer_id)
     print(f'Customer ID: {customer_info["id"]}')
-    print(f'Primary Domain: {customer_info["customerDomain"]}')
+    fields = 'domains(creationTime,domainName,isPrimary,verified)'
     try:
-        result = gapi.call(
+        domains = gapi.call(
             cd.domains(),
-            'get',
+            'list',
+            fields=fields,
             customer=customer_id,
-            domainName=customer_info['customerDomain'],
-            fields='verified',
-            throw_reasons=[gapi.errors.ErrorReason.DOMAIN_NOT_FOUND])
+            throw_reasons=[gapi.errors.ErrorReason.DOMAIN_NOT_FOUND]).get('domains', [])
+        for domain in domains:
+            if domain.get('isPrimary'):
+                primary_domain = domain
+                break
+        else:
+            primary_domain = {}
     except gapi.errors.GapiDomainNotFoundError:
-        result = {'verified': False}
-    print(f'Primary Domain Verified: {result["verified"]}')
-    # If customer has changed primary domain customerCreationTime is date
-    # of current primary being added, not customer create date.
-    # We should also get all domains and use oldest date
-    customer_creation = customer_info['customerCreationTime']
-    date_format = '%Y-%m-%dT%H:%M:%S.%fZ'
-    oldest = datetime.datetime.strptime(customer_creation, date_format)
-    domains = gapi.get_items(cd.domains(),
-                             'list',
-                             'domains',
-                             customer=customer_id,
-                             fields='domains(creationTime)')
+        primary_domain = {}
+    print(f'Primary Domain: {primary_domain.get("domainName", "Unknown")}')
+    print(f'Primary Domain Verified: {primary_domain.get("verified", "Unknown")}')
+    # we'll assume creation time is time of oldest domain customer has
+    oldest = 'Unknown' 
     for domain in domains:
         creation_timestamp = int(domain['creationTime']) / 1000
         domain_creation = datetime.datetime.fromtimestamp(creation_timestamp)
-        if domain_creation < oldest:
+        if oldest == 'Unknown' or domain_creation < oldest:
             oldest = domain_creation
-    print(f'Customer Creation Time: {oldest.strftime(date_format)}')
-    customer_language = customer_info.get('language', 'Unset (defaults to en)')
+    if oldest != 'Unknown':
+        date_format = '%Y-%m-%dT%H:%M:%S.%fZ'
+        oldest = oldest.strftime(date_format)
+    print(f'Customer Creation Time: {oldest}')
+    customer_language = customer_info.get('language', 'Unset or Unknown (defaults to en)')
     print(f'Default Language: {customer_language}')
     if 'postalAddress' in customer_info:
         print('Address:')
@@ -59,7 +59,7 @@ def doGetCustomerInfo():
                 print(f' {field}: {customer_info["postalAddress"][field]}')
     if 'phoneNumber' in customer_info:
         print(f'Phone: {customer_info["phoneNumber"]}')
-    print(f'Admin Secondary Email: {customer_info["alternateEmail"]}')
+    print(f'Admin Secondary Email: {customer_info.get("alternateEmail", "Unknown")}')
     user_counts_map = {
         'accounts:num_users': 'Total Users',
         'accounts:gsuite_basic_total_licenses': 'G Suite Basic Licenses',

src/gam/gapi/directory/groups.py

@@ -189,7 +189,7 @@ def info(group_name=None):
             pass
     print('')
     print('Group Settings:')
-    for key, value in list(basic_info.items()):
+    for key, value in sorted(list(basic_info.items())):
         if (key in ['kind', 'etag']) or ((key == 'aliases') and
                                          (not getAliases)):
             continue
@@ -199,7 +199,7 @@ def info(group_name=None):
                 print(f'  {val}')
         else:
             print(f' {key}: {value}')
-    for key, value in list(settings.items()):
+    for key, value in sorted(list(settings.items())):
         if key in ['kind', 'etag', 'description', 'email', 'name']:
             continue
         print(f' {key}: {value}')
@@ -1217,6 +1217,8 @@ GROUP_SETTINGS_LIST_PATTERN = re.compile(r'([A-Z][A-Z_]+[A-Z]?)')
 def getGroupAttrValue(myarg, value, gs_object, gs_body, function):
     if myarg == 'collaborative':
         myarg = 'enablecollaborativeinbox'
+    elif myarg == 'gal':
+        myarg = 'includeinglobaladdresslist'
     for (attrib,
          params) in list(gs_object['schemas']['Groups']['properties'].items()):
         if attrib in ['kind', 'etag', 'email']:

src/gam/gapi/directory/users.py

@@ -2,6 +2,7 @@ import sys
 from time import sleep
 
 import gam
+from gam import controlflow
 from gam import display
 from gam import gapi
 from gam.gapi import directory as gapi_directory
@@ -18,7 +19,7 @@ def delete():
                   userKey=user_email,
                   throw_reasons=[gapi_errors.ErrorReason.CONDITION_NOT_MET])
     except gam.gapi.errors.GapiConditionNotMetError as err:
-        display.print_error(
+        controlflow.system_error_exit(3,
             f'{err} The user {user_email} may be (or have recently been) on Google Vault Hold and thus not eligible for deletion. You can check holds with "gam user <email> show vaultholds".'
         )
 

src/gam/gapi/reports.py

@@ -426,6 +426,7 @@ def showReport():
         titles = ['name', 'value', 'client_id']
         csvRows = []
         auth_apps = list()
+        usage = list(usage)
         for item in usage[0]['parameters']:
             if 'name' not in item:
                 continue

src/gam/gapi/vault.py

@@ -11,6 +11,7 @@ from gam import controlflow
 from gam import display
 from gam import fileutils
 from gam import gapi
+from gam.gapi import errors as gapi_errors
 from gam.gapi import storage as gapi_storage
 from gam.gapi import directory as gapi_directory
 from gam.gapi.directory import orgunits as gapi_directory_orgunits
@@ -336,9 +337,9 @@ def print_count():
         _validate_query(query, query_discovery)
         body['query'] = query
         operation = gapi.call(v.matters(), 'count', matterId=matterId, body=body)
-    print(f'Watching operation {operation["name"]}...')
+    sys.stderr.write(f'Watching operation {operation["name"]}...\n')
     while not operation.get('done'):
-        print(f' operation {operation["name"]} is not done yet. Checking again in {operation_wait} seconds')
+        sys.stderr.write(f' operation {operation["name"]} is not done yet. Checking again in {operation_wait} seconds\n')
         sleep(operation_wait)
         operation = gapi.call(v.operations(), 'get', name=operation['name'])
     response = operation.get('response', {})
@@ -682,18 +683,23 @@ def showHoldsForUsers(users):
     v = buildGAPIObject()
     matterIds = _getAllMatterIds(v)
     matterHolds = {}
+    fields = 'holds(holdId,name,accounts(accountId,email),orgUnit),nextPageToken'
     for matterId in matterIds:
-        matterHolds[matterId] = gapi.get_all_pages(v.matters().holds(),
-                                                   'list',
-                                                   'holds',
-                                                   fields='holds(holdId,name,accounts(accountId,email),orgUnit),nextPageToken',
-                                                   matterId=matterId)
+        try:
+            matterHolds[matterId] = gapi.get_all_pages(v.matters().holds(),
+                                                       'list',
+                                                       'holds',
+                                                       fields=fields,
+                                                       throw_reasons=[gapi_errors.ErrorReason.FOUR_O_O],
+                                                       matterId=matterId)
+        except googleapiclient.errors.HttpError:
+            continue
     totalHolds = 0
     for user in users:
         user = user.lower()
         orgUnits = gapi_directory_orgunits._getAllParentOrgUnitsForUser(user, cd)
-        for matterId in matterIds:
-            for hold in matterHolds[matterId]:
+        for matterId, holds in matterHolds.items():
+            for hold in holds:
                 if 'orgUnit' in hold:
                     orgUnitId = hold['orgUnit'].get('orgUnitId')
                     if orgUnitId in orgUnits:
@@ -976,10 +982,14 @@ def printHolds():
     for matterId in matterIds:
         i += 1
         sys.stderr.write(f'Retrieving holds for matter {matterId} ({i}/{matter_count})\n')
-        holds = gapi.get_all_pages(v.matters().holds(),
+        try:
+            holds = gapi.get_all_pages(v.matters().holds(),
                                    'list',
                                    'holds',
+                                   throw_reasons=[gapi_errors.ErrorReason.FOUR_O_O],
                                    matterId=matterId)
+        except googleapiclient.errors.HttpError:
+            continue
         for hold in holds:
             display.add_row_titles_to_csv_file(
                 utils.flatten_json(hold, flattened={'matterId': matterId}),

src/gam/utils.py

@@ -96,9 +96,13 @@ class _DeHTMLParser(HTMLParser):
                       re.sub(r'\n +', '\n', ''.join(self.__text))).strip()
 
 
-def commonprefix(m):
+def commonprefix(m, checkEnum=False):
     '''Given a list of strings m, return string which is prefix common to all'''
     s1 = min(m)
+    if checkEnum:
+        loc = s1.find('ENUM_')
+        if loc > 0:
+            return s1[:loc+5]
     s2 = max(m)
     for i, c in enumerate(s1):
         if c != s2[i]:

src/gam/var.py

@@ -8,7 +8,7 @@ import platform
 import re
 
 GAM_AUTHOR = 'Jay Lee <jay0lee@gmail.com>'
-GAM_VERSION = '6.24'
+GAM_VERSION = '6.31'
 GAM_LICENSE = 'Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0)'
 
 GAM_URL = 'https://jaylee.us/gam'
@@ -127,6 +127,16 @@ SKUS = {
         'aliases': ['gwetlu', 'workspaceeducationupgrade'],
         'displayName': 'Google Workspace for Education: Teaching and Learning Upgrade'
     },
+    '1010390001': {
+        'product': '101039',
+        'aliases': ['assuredcontrols'],
+        'displayName': 'Assured Controls',
+    },
+    '1010400001': {
+        'product': '101040',
+        'aliases': ['beyondcorp', 'beyondcorpenterprise', 'bce'],
+        'displayName': 'Beyond Corp Enterprise',
+    },
     'Google-Apps': {
         'product': 'Google-Apps',
         'aliases': ['standard', 'free'],
@@ -206,7 +216,7 @@ SKUS = {
     },
     '1010020030': {
         'product': 'Google-Apps',
-        'aliases': ['workspacefrontline', 'workspacefrontlineworker'],
+        'aliases': ['wsflw', 'workspacefrontline', 'workspacefrontlineworker'],
         'displayName': 'Workspace Frontline'
     },
     '1010340002': {
@@ -290,6 +300,8 @@ PRODUCTID_NAME_MAPPINGS = {
     '101035': 'Cloud Search',
     '101036': 'Google Meet Global Dialing',
     '101037': 'G Suite Workspace for Education',
+    '101039': 'Assured Controls',
+    '101040': 'Beyond Corp',
     'Google-Apps': 'Google Workspace',
     'Google-Chrome-Device-Management': 'Google Chrome Device Management',
     'Google-Drive-storage': 'Google Drive Storage',
@@ -648,6 +660,7 @@ MACOS_CODENAMES = {
         },
     11: 'Big Sur',
     12: 'Monterey',
+    13: 'Ventura',
     }
 
 _MICROSOFT_FORMATS_LIST = [{
@@ -1202,6 +1215,7 @@ _DEFAULT_CHARSET = UTF8
 _FN_CLIENT_SECRETS_JSON = 'client_secrets.json'
 _FN_OAUTH2SERVICE_JSON = 'oauth2service.json'
 _FN_OAUTH2_TXT = 'oauth2.txt'
+_FN_ROOTS_PEM = 'roots.pem'
 #
 GM_Globals = {
     GM_SYSEXITRC: 0,
@@ -1269,6 +1283,9 @@ GC_ENABLE_DASA = 'enabledasa'
 # and doRequestOAuth prints a link and waits for the verification code when
 # oauth2.txt is being created
 GC_NO_BROWSER = 'no_browser'
+# If low memory is True, GAM tries to save RAM by writing pages to disk
+# temporarily
+GC_LOW_MEMORY = 'low_memory'
 # If no_tdemail is True, writeCSVfile won't send an email
 GC_NO_TDEMAIL = 'no_tdemail'
 # oauth_browser forces usage of web server OAuth flow that proved problematic.
@@ -1324,6 +1341,7 @@ GC_Defaults = {
     GC_DOMAIN: '',
     GC_DRIVE_DIR: '',
     GC_ENABLE_DASA: False,
+    GC_LOW_MEMORY: False,
     GC_NO_BROWSER: False,
     GC_NO_TDEMAIL: False,
     GC_NO_CACHE: False,
@@ -1343,7 +1361,7 @@ GC_Defaults = {
     GC_CSV_ROW_DROP_FILTER: '',
     GC_TLS_MIN_VERSION: TLS_MIN,
     GC_TLS_MAX_VERSION: None,
-    GC_CA_FILE: None,
+    GC_CA_FILE: _FN_ROOTS_PEM,
 }
 
 GC_Values = {}
@@ -1408,6 +1426,9 @@ GC_VAR_INFO = {
     GC_ENABLE_DASA: {
         GC_VAR_TYPE: GC_TYPE_BOOLEAN
     },
+    GC_LOW_MEMORY: {
+        GC_VAR_TYPE: GC_TYPE_BOOLEAN
+    },
     GC_NO_BROWSER: {
         GC_VAR_TYPE: GC_TYPE_BOOLEAN
     },

src/requirements.txt

@@ -10,4 +10,4 @@ importlib.metadata; python_version < '3.8'
 passlib>=1.7.2
 pathvalidate
 python-dateutil
-yubikey-manager>=4.0.0
+yubikey-manager>=5.0

src/setup.cfg

@@ -1,6 +1,6 @@
 [metadata]
 name = GAM for Google Workspace
-version = 6.0.23
+version = attr: gam.var.GAM_VERSION
 description = Command line management for Google Workspaces
 long_description = file: readme.md
 long_description_content_type = text/markdown
@@ -37,6 +37,9 @@ install_requires =
     yubikey-manager >= 4.0.0
     pathvalidate
 
+[options.package_data]
+* = *.pem
+
 # used during pip install .[test]
 [options.extras_require]
 test = pre-commit