prepare 6.55

* Update documentation: gam delete inboundssoassignment <SSOAssignmentSelector>

* tsv is a valid Google Doc extension

.github/workflows/build.yml

@@ -6,6 +6,10 @@ on:
   schedule:
     - cron: '37 22 * * *'
 
+permissions:
+  contents: read
+  id-token: write
+
 defaults:
   run:
     shell: bash
@@ -62,11 +66,6 @@ jobs:
             goal: build
             arch: Win32
             openssl_archs: VC-WIN32
-          - os: ubuntu-22.04
-            goal: test
-            python: "3.7"
-            jid: 8
-            arch: x86_64
           - os: ubuntu-22.04
             goal: test
             python: "3.8"
@@ -95,6 +94,13 @@ jobs:
           persist-credentials: false
           fetch-depth: 0
 
+      - id: auth
+        name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v1
+        with:
+          workload_identity_provider: projects/297925809119/locations/global/workloadIdentityPools/gha-pool/providers/gha-provider
+          service_account: github-actions-testing-for-gam@gam-project-wyo-lub-ivl.iam.gserviceaccount.com
+
       - name: Cache multiple paths
         if: matrix.goal == 'build'
         uses: actions/cache@v3
@@ -103,7 +109,7 @@ jobs:
           path: |
             bin.tar.xz
             src/cpython
-          key: gam-${{ matrix.jid }}-20230314
+          key: gam-${{ matrix.jid }}-20230405
 
       - name: Untar Cache archive
         if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit == 'true'
@@ -117,6 +123,17 @@ jobs:
         with:
           python-version: ${{ matrix.python }}
 
+      - name: Set cURL retry flag
+        run: |
+          curl_version=$(curl --version | head -n 1 | awk '{ print $2 }')
+          echo "cURL is ${curl_version}"
+          if [ "$curl_version" == "7.68.0" ]; then
+            export curl_retry="--retry 5 --retry-connrefused"
+          else
+            export curl_retry="--retry 5 --retry-all-errors"
+          fi
+          echo "curl_retry=${curl_retry}" >> $GITHUB_ENV
+
       - name: Set env variables for test
         if: matrix.goal == 'test'
         env:
@@ -148,7 +165,7 @@ jobs:
         if: runner.os == 'macOS'
         run: |
           # Install latest Rust
-          curl --retry 5 --retry-connrefused -fsS -o rust.sh https://sh.rustup.rs
+          curl $curl_retry -fsS -o rust.sh https://sh.rustup.rs
           bash ./rust.sh -y
           source $HOME/.cargo/env
           # needed for Rust to compile cryptography Python package for universal2
@@ -191,7 +208,7 @@ jobs:
             PERL=perl
             echo "MACOSX_DEPLOYMENT_TARGET=10.15" >> $GITHUB_ENV
             echo "PYTHON=${PYTHON_INSTALL_PATH}/bin/python3" >> $GITHUB_ENV
-            echo "PIP_ARGS=--no-binary=:all:" >> $GITHUB_ENV
+            #echo "PIP_ARGS=--no-binary=:all:" >> $GITHUB_ENV
           elif [[ "${RUNNER_OS}" == "Linux" ]]; then
             MAKE=make
             MAKEOPT="-j$(nproc)"
@@ -402,7 +419,7 @@ jobs:
 
       - name: Upgrade pip, wheel, etc
         run: |
-          curl --retry 5 --retry-connrefused -O https://bootstrap.pypa.io/get-pip.py
+          curl $curl_retry -O https://bootstrap.pypa.io/get-pip.py
           "${PYTHON}" get-pip.py
           "${PYTHON}" -m pip install --upgrade pip
           "${PYTHON}" -m pip install --upgrade wheel
@@ -410,8 +427,21 @@ jobs:
 
       - name: Install pip requirements
         run: |
+             echo "before anything..."
+             "${PYTHON}" -m pip list
              if [[ "${RUNNER_OS}" == "macOS" ]]; then
-               "${PYTHON}" -m pip install --upgrade cffi ${PIP_ARGS}
+               # cffi is a dep of cryptography and doesn't ship
+               # a universal2 wheel so we must build one ourself :-/
+               export CFLAGS="-arch x86_64 -arch arm64"
+               export ARCHFLAGS="-arch x86_64 -arch arm64"
+               "${PYTHON}" -m pip install --upgrade --force-reinstall --no-binary :all: \
+                                 --no-cache-dir --no-deps --use-pep517 \
+                                 --use-feature=no-binary-enable-wheel-cache \
+                                 cffi 
+               echo "before cryptography..."
+               "${PYTHON}" -m pip list
+               # cryptography has a universal2 wheel but getting it installed
+               # on x86-64 MacOS is a royal pain in the keester.
                "${PYTHON}" -m pip download --only-binary :all: \
                                              --dest . \
                                              --no-cache \
@@ -419,8 +449,16 @@ jobs:
                                              --platform macosx_10_15_universal2 \
                                              cryptography
                "${PYTHON}" -m pip install --force-reinstall --no-deps cryptography*.whl
+               echo "after cryptography..."
+               "${PYTHON}" -m pip list
+               "${PYTHON}" -m pip install --upgrade --no-binary :all: -r requirements.txt
+             else
+               "${PYTHON}" -m pip install --upgrade -r requirements.txt
+               echo "after requirements..."
+               "${PYTHON}" -m pip list
+               "${PYTHON}" -m pip install --force-reinstall --no-deps --upgrade cryptography
              fi
-             "${PYTHON}" -m pip install --upgrade -r requirements.txt ${PIP_ARGS}
+             echo "after everything..."
              "${PYTHON}" -m pip list
 
       - name: Install PyInstaller
@@ -487,25 +525,6 @@ jobs:
               cp -v gam-setup.bat $gampath
           fi
 
-      - name: Basic Tests all jobs
-        run: |
-             $PYTHON -m unittest discover --start-directory ./ --pattern "*_test.py" --buffer
-             $gam version extended
-             export GAMVERSION=$($gam version simple)
-             echo "GAM Version ${GAMVERSION}"
-             echo "GAMVERSION=${GAMVERSION}" >> $GITHUB_ENV
-
-      - name: Linux/MacOS package
-        if: runner.os != 'Windows' && matrix.goal == 'build' && matrix.staticx != 'yes'
-        run: |
-          if [[ "${RUNNER_OS}" == "macOS" ]]; then
-              GAM_ARCHIVE="gam-${GAMVERSION}-macos-universal2.tar.xz"
-          elif [[ "${RUNNER_OS}" == "Linux" ]]; then
-              this_glibc_ver=$(ldd --version | awk '/ldd/{print $NF}')
-              GAM_ARCHIVE="gam-${GAMVERSION}-linux-$(arch)-glibc${this_glibc_ver}.tar.xz"
-          fi
-          tar -C dist/ --create --verbose --exclude-from "${GITHUB_WORKSPACE}/.github/actions/package_exclusions.txt" --file $GAM_ARCHIVE --xz gam
-
       - name: Install StaticX
         if: matrix.staticx == 'yes'
         run: |
@@ -525,17 +544,24 @@ jobs:
           esac
           echo "ldlib=${ldlib}"
           $PYTHON -m staticx -l "${ldlib}" "${gam}" "${gam}-staticx"
-          
-      - name: Run StaticX
-        if: matrix.staticx == 'yes'
-        run: |
-          "${gam}-staticx" version extended
-          mv -v "${gam}-staticx" "${gam}"
 
-      - name: Linux package staticx
-        if: matrix.staticx == 'yes'
+      - name: Basic Tests all jobs
         run: |
-          GAM_ARCHIVE="gam-${GAMVERSION}-linux-$(uname -m)-legacy.tar.xz"
+             $PYTHON -m unittest discover --start-directory ./ --pattern "*_test.py" --buffer
+             $gam version extended
+             export GAMVERSION=$($gam version simple)
+             echo "GAM Version ${GAMVERSION}"
+             echo "GAMVERSION=${GAMVERSION}" >> $GITHUB_ENV
+
+      - name: Linux/MacOS package
+        if: runner.os != 'Windows' && matrix.goal == 'build'
+        run: |
+          if [[ "${RUNNER_OS}" == "macOS" ]]; then
+              GAM_ARCHIVE="gam-${GAMVERSION}-macos-universal2.tar.xz"
+          elif [[ "${RUNNER_OS}" == "Linux" ]]; then
+              this_glibc_ver=$(ldd --version | awk '/ldd/{print $NF}')
+              GAM_ARCHIVE="gam-${GAMVERSION}-linux-$(arch)-glibc${this_glibc_ver}.tar.xz"
+          fi
           tar -C dist/ --create --verbose --exclude-from "${GITHUB_WORKSPACE}/.github/actions/package_exclusions.txt" --file $GAM_ARCHIVE --xz gam
 
       - name: Windows package
@@ -578,14 +604,20 @@ jobs:
                brew install gnupg
              fi
              source ../.github/actions/decrypt.sh ../.github/actions/creds.tar.xz.gpg creds.tar.xz
+             rm $gampath/oauth2service.json
              export OAUTHFILE="oauth2.txt-gam-gha-${JID}"
              echo "OAUTHFILE=${OAUTHFILE}" >> $GITHUB_ENV
              export gam_user="gam-gha-${JID}@pdl.jaylee.us"
              echo "gam_user=${gam_user}" >> $GITHUB_ENV
              $gam checkconn
-             $gam oauth info
+             $gam create signjwtserviceaccount
+             export CUSTOMER_ID="C03uzfv2s"
+             export GA_DOMAIN="pdl.jaylee.us"
+             export GA_ADMIN_EMAIL="$gam_user"
+             touch "${gampath}/enabledasa.txt"
+             #$gam oauth info
              $gam info domain
-             $gam oauth refresh
+             #$gam oauth refresh
              $gam info user
              export tstamp=$($PYTHON -c "import time; print(time.time_ns())")
              export newbase="gha_test_${JID}_${tstamp}"
@@ -597,7 +629,9 @@ jobs:
              export newou="aaaGithub Actions/${newbase}"
              
              # cleanup old runs
+             rm "${gampath}/enabledasa.txt"
              GAM_CSV_ROW_FILTER="name:regex:gha_test_${JID}_" $gam print vaultholds | $gam csv - gam delete vaulthold "id:~~holdId~~" matter "id:~~matterId~~"
+             touch "${gampath}/enabledasa.txt"
              GAM_CSV_ROW_FILTER="name:regex:gha_test_${JID}_" $gam print features | $gam csv - gam delete feature ~name
              GAM_CSV_ROW_FILTER="name:regex:^gha_test_${JID}_" $gam user $gam_user print shareddrives asadmin | $gam csv - gam user $gam_user delete shareddrive ~id nukefromorbit
              $gam print users query "gha.jid=$JID" | $gam csv - gam delete user ~primaryEmail
@@ -617,20 +651,28 @@ jobs:
              $gam user $newuser update photo https://dummyimage.com/400x600/000/fff
              $gam user $newuser get photo
              $gam user $newuser delete photo
+             $gam create alias $newalias user $newuser
              $gam create group $newgroup name "GHA $JID group" description "This is a description" isarchived true
              $gam user $gam_user sendemail recipient $newuser subject "test message $newbase" message "GHA test message"
              $gam user $gam_user sendemail recipient exchange@pdl.jaylee.us subject "test ${tstamp}" message "test message"
+             rm "${gampath}/enabledasa.txt"
              $gam user $newuser add license workspaceenterpriseplus
              $gam print privileges
-             $gam update cigroup $newgroup memberrestriction 'member.type == 1 || member.customer_id == groupCustomerId()'
+             touch "${gampath}/enabledasa.txt"
+             $gam update cigroup $newgroup security memberrestriction 'member.type == 1 || member.customer_id == groupCustomerId()'
              $gam info cigroup $newgroup
              $gam update group $newgroup add owner $gam_user
              $gam update group $newgroup add member $newuser
+             rm "${gampath}/enabledasa.txt"
              $gam create admin $newuser _GROUPS_EDITOR_ROLE CUSTOMER # condition nonsecuritygroup
+             GAM_CSV_ROW_FILTER="assignedToUser:regex:${newuser}" $gam print admins | $gam csv - gam delete admin "~roleAssignmentId"
+             touch "${gampath}/enabledasa.txt"
              $gam csv sample.csv gam create user ~~email~~ firstname "GHA Bulk" lastname ~~email~~ gha.jid $JID ou "${newou}"
              $gam csv sample.csv gam update user ~~email~~ recoveryphone 12125121110 recoveryemail jay0lee@gmail.com password random displayname "GitHub Actions Bulk ${JID}"
              $gam csv sample.csv gam update user ~~email~~ recoveryphone "" recoveryemail ""
+             rm "${gampath}/enabledasa.txt"
              $gam csv sample.csv gam user ~email add license workspaceenterpriseplus
+             touch "${gampath}/enabledasa.txt"
              $gam csv sample.csv gam user $gam_user sendemail recipient ~~email~~@pdl.jaylee.us subject "test message $newbase" message "GHA test message"
              $gam csv sample.csv gam update group $newgroup add member ~email
              $gam info group $newgroup
@@ -674,6 +716,7 @@ jobs:
              endtime=$($PYTHON -c "import datetime; print((datetime.datetime.now() + datetime.timedelta(hours=2)).strftime('%Y-%m-%dT%H:%M:%S.%f+00:00'))")
              $gam calendar $gam_user addevent summary "GHA test event" start "${starttime}" end "${endtime}" attendee $newgroup hangoutsmeet guestscanmodify true sendupdates all
              $gam calendar $gam_user printevents after -0d
+             rm "${gampath}/enabledasa.txt"
              matterid=uid:$($gam create vaultmatter name "GHA matter $newbase" description "test matter" collaborators $newuser | head -1 | cut -d ' ' -f 3)
              $gam create vaulthold matter $matterid name "GHA hold $newbase" corpus mail accounts $newuser
              $gam print vaultmatters matterstate open
@@ -681,16 +724,21 @@ jobs:
              $gam print vaultcount matter $matterid corpus mail everyone todrive
              $gam create vaultexport matter $matterid name "GHA export $newbase" corpus mail accounts $newuser use_new_export false
              $gam print exports matter $matterid | $gam csv - gam info export $matterid id:~~id~~
+             touch "${gampath}/enabledasa.txt"
              $gam csv sample.csv gam user ~email add calendar id:$newresource
              $gam delete resource $newresource
              $gam delete feature Whiteboard-$newbase
              $gam delete feature VC-$newbase
              $gam delete building $newbuilding
              $gam delete group $newgroup
-             $gam create alias $newalias user $newuser
+             rm "${gampath}/enabledasa.txt"
+             echo start
              $gam user $newuser delete license workspaceenterpriseplus
+             echo finish
+             touch "${gampath}/enabledasa.txt"
              $gam whatis $newuser
              $gam user $gam_user show tokens
+             rm "${gampath}/enabledasa.txt"
              $gam print exports matter $matterid | $gam csv - gam download export $matterid id:~~id~~
              $gam delete hold "GHA hold $newbase" matter $matterid
              $gam update matter $matterid action close
@@ -698,13 +746,14 @@ jobs:
              # shakes off vault hold on user so we can delete
              $gam print users query "email:${newuser}" orgunitpath | $gam csv - gam update user ~primaryEmail ou ~orgUnitPath
              $gam user $newuser show holds
+             export sn="$JID$JID$JID$JID-$(openssl rand -base64 32 | sed 's/[^a-zA-Z0-9]//g')"
+             $gam create device serialnumber $sn devicetype android
+             touch "${gampath}/enabledasa.txt"
              $gam delete user $newuser
              $gam print users query "gha.jid=$JID" | $gam csv - gam delete user ~primaryEmail
              $gam print mobile
              $gam print devices
              $gam print browsers
-             export sn="$JID$JID$JID$JID-$(openssl rand -base64 32 | sed 's/[^a-zA-Z0-9]//g')"
-             $gam create device serialnumber $sn devicetype android
              $gam print cros allfields orderby serialnumber
              $gam show crostelemetry storagepercentonly
              $gam report usageparameters customer
@@ -713,8 +762,10 @@ jobs:
              $gam report users fields accounts:is_less_secure_apps_access_allowed,gmail:last_imap_time,gmail:last_pop_time filters "accounts:last_login_time>2019-01-01T00:00:00.000Z" todrive
              $gam report admin start -3d todrive
              $gam print devices nopersonaldevices nodeviceusers filter "serial:$JID$JID$JID$JID-" | $gam csv - gam delete device id ~name
+             rm "${gampath}/enabledasa.txt"
              $gam print userinvitations
              $gam print userinvitations | $gam csv - gam send userinvitation ~name
+             touch "${gampath}/enabledasa.txt"
              $gam create caalevel "zzz_${newbase}" basic condition ipsubnetworks 1.1.1.1/32,2.2.2.2/32 endcondition
              $gam print caalevels
              $gam delete caalevel "zzz_${newbase}"
@@ -726,19 +777,17 @@ jobs:
              $gam user $gam_user update shareddrive "${driveid}" ou "aaaGithub Actions" # so we can delete our OU...
              $gam user $gam_user delete shareddrive "${driveid}" nukefromorbit
              echo "printer model count:"
+             ssoprofile=$($gam create inboundssoprofile name "El Goog ${newbase}" loginurl https://www.google.com logouturl https://www.google.com changepasswordurl https://www.google.com entityid ElGoog return_name_only)
+             $gam create inboundssocredential profile "id:${ssoprofile}" generate_key
+             $gam create inboundssoassignment profile "id:${ssoprofile}" orgunit "${newou}" mode SAML_SSO
+             $gam delete inboundssoassignment "orgunit:${newou}"
+             $gam delete inboundssoprofile "id:${ssoprofile}"
              $gam print printermodels | wc -l
-             #ssoprofile=$($gam create inboundssoprofile name "El Goog ${newbase}" loginurl https://www.google.com logouturl https://www.google.com changepasswordurl https://www.google.com entityid ElGoog return_name_only)
-             #$gam create inboundssocredential profile "id:${ssoprofile}" generate_key
-             #$gam create inboundssoassignment profile "id:${ssoprofile}" orgunit "${newou}" mode SAML_SSO
+             $gam print printers
+             printerid=$($gam create printer displayname "${newbase}" uri ipp://localhost:631 driverless description "made by $(gam_user)" ou "${newou}" | grep 'id: [a-z,0-9]*$' | cut -d' ' -f3)
+             $gam info printer "$printerid"
+             $gam delete printer "$printerid"
              $gam delete ou "${newou}"
-             #$gam delete inboundssoprofile "id:${ssoprofile}"
-             #$gam print printers
-             #$gam create printer displayname "${newbase}" uri ipp://localhost:631 driverless description "made by $(gam_user)" ou /
-             export CUSTOMER_ID="C01wfv983"
-             export GA_DOMAIN="pdl.jaylee.us"
-             touch $gampath/enabledasa.txt
-             echo "using delegated admin service account"
-             $gam print users
 
       - name: Archive production artifacts
         uses: actions/upload-artifact@v3
@@ -757,7 +806,7 @@ jobs:
           tar cJvvf bin.tar.xz bin/
 
   publish:
-    if: github.event_name == 'push'
+    if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/v')
     runs-on: ubuntu-latest
     needs: build
     steps:

src/GamCommands.txt

@@ -1595,6 +1595,7 @@ gam create inboundssoassignment (group <GroupItem> rank <Number>)|(ou|org|orguni
 	(mode sso_off)|(mode saml_sso profile <SSOProfileItem>)(mode domain_wide_saml_if_enabled) [neverredirect]
 gam update inboundssoassignment [(group <GroupItem> rank <Number>)|(ou|org|orgunit <OrgUnitItem>)]
 	[(mode sso_off)|(mode saml_sso profile <SSOProfileItem>)(mode domain_wide_saml_if_enabled)] [neverredirect]
+gam delete inboundssoassignment <SSOAssignmentSelector>
 gam info inboundssoassignment <SSOAssignmentSelector>
 gam show inboundssoassignments
 gam print inboundssoassignments [todrive]

src/cbcm-v1.1beta1.json

@@ -412,7 +412,7 @@
     }
   },
   "revision": "20201203",
-  "rootUrl": "https://www.googleapis.com/admin/directory/v1.1beta1/customer/",
+  "rootUrl": "https://admin.googleapis.com/admin/directory/v1.1beta1/customer/",
   "schemas": {
     "ChromeBrowser": {
       "id": "ChromeBrowser",

src/gam/__init__.py

@@ -7195,9 +7195,12 @@ def enable_apis():
             controlflow.invalid_argument_exit(sys.argv[i],
                                               'gam enable apis')
     GAMProjectAPIs = getGAMProjectFile('project-apis.txt').splitlines()
+    request = signjwt.get_request()
     try:
-        _, projectId = google.auth.default()
-    except google.auth.exceptions.DefaultCredentialsError as e:
+        _, projectId = google.auth.default(scopes=signjwt._IAM_SCOPES,
+                request=request)
+    except (google.auth.exceptions.DefaultCredentialsError,
+            google.auth.exceptions.RefreshError) as e:
         projectId = input('Please enter your project ID: ')
     while a_or_m not in ['a', 'm']:
         a_or_m = input('Do you want to enable projects [a]utomatically or [m]anually? (a/m): ').strip().lower()
@@ -7426,7 +7429,7 @@ def _createClientSecretsOauth2service(httpObj, projectId, login_hint):
     while True:
         print(f'''Please go to:
 
-{console_url}
+  {console_url}
 
 1. Choose "Desktop App" or "Other" for "Application type".
 2. Enter a desired value for "Name" or leave as is.
@@ -7465,6 +7468,24 @@ def _createClientSecretsOauth2service(httpObj, projectId, login_hint):
     fileutils.write_file(GC_Values[GC_CLIENT_SECRETS_JSON],
                          cs_data,
                          continue_on_error=False)
+    print(f'''
+Now it's important to mark the GAM Client ID as trusted by your Workspace instance.
+
+1. Please go to:
+
+  https://admin.google.com/ac/owl/list?tab=configuredApps
+
+2. Click on: Add app > OAuth App Name Or Client ID.
+3. Enter the following Client ID value:
+
+  {client_id}
+
+4. Search for the ID, select the GAM app, check the box and press Select.
+5. Keep the default scope or select a preferred scope that includes your GAM admin.
+6. Press Continue
+7. Select Trusted radio button, Continue and Finish.
+''')
+    input('Press Enter when complete.')
     print('That\'s it! Your GAM Project is created and ready to use.')
 
 
@@ -7944,11 +7965,13 @@ def create_signjwt_serviceaccount():
             'key_type': 'signjwt',
             'token_uri': 'https://oauth2.googleapis.com/token'
             }
+    request = signjwt.get_request()
     try:
-        creds, sa_info['project_id'] = google.auth.default()
-    except google.auth.exceptions.DefaultCredentialsError as e:
+        creds, sa_info['project_id'] = google.auth.default(scopes=signjwt._IAM_SCOPES,
+                request=request)
+    except (google.auth.exceptions.DefaultCredentialsError,
+            google.auth.exceptions.RefreshError) as e:
         controlflow.system_error_exit(2, e)
-    request = transport.create_request()
     creds.refresh(request)
     sa_info['client_email'] = creds.service_account_email
     oa2 = buildGAPIObjectNoAuthentication('oauth2')
@@ -7958,8 +7981,7 @@ def create_signjwt_serviceaccount():
     fileutils.write_file(GC_Values[GC_OAUTH2SERVICE_JSON],
                           sa_output,
                           continue_on_error=False)
-
-
+    
 def doCreateOrRotateServiceAccountKeys(iam=None,
                                        project_id=None,
                                        client_email=None,
@@ -11855,6 +11877,8 @@ def ProcessGAMCommand(args):
                 gapi_cloudidentity_inboundsso.delete_profile()
             elif argument in ['inboundssocredential', 'inboundssocredentials']:
                 gapi_cloudidentity_inboundsso.delete_credentials()
+            elif argument in ['inboundssoassignment', 'inboundssoassignments']:
+                gapi_cloudidentity_inboundsso.delete_assignment()
             elif argument == 'resource':
                 gapi_directory_resource.deleteResourceCalendar()
             elif argument == 'mobile':

src/gam/__main__.py

@@ -22,25 +22,33 @@ For more information, see https://jaylee.us/gam
 """
 
 import sys
-from multiprocessing import freeze_support
-from multiprocessing import set_start_method
-
-from gam import controlflow
-import gam
-
 
+# Note that this file (and only this file) should remain compatible
+# with older Python versions so we can return a meaningful error
+# instead of a syntax error.
 def main():
+    required_ver = (3, 8, 0)
+    if sys.version_info[:3] < required_ver:
+        err_result = ('ERROR: GAM requires Python %s.%s.%s or newer. You are '
+                'running %s.%s.%s. Please upgrade your Python version '
+                'or use one of the binary GAM downloads.\n' %
+                (required_ver[0],
+                 required_ver[1],
+                 required_ver[2],
+                 sys.version_info[0],
+                 sys.version_info[1],
+                 sys.version_info[2]))
+        sys.stderr.write(err_result)
+        sys.exit(5)
+    from multiprocessing import freeze_support
     freeze_support()
     if sys.platform == 'darwin':
         # https://bugs.python.org/issue33725 in Python 3.8.0 seems
         # to break parallel operations with errors about extra -b
         # command line arguments
+        from multiprocessing import set_start_method
         set_start_method('fork')
-    if sys.version_info[0] < 3 or sys.version_info[1] < 7:
-        controlflow.system_error_exit(
-            5,
-            f'GAM requires Python 3.7 or newer. You are running %s.%s.%s. Please upgrade your Python version or use one of the binary GAM downloads.'
-            % sys.version_info[:3])
+    import gam
     sys.exit(gam.ProcessGAMCommand(sys.argv))
 
 

src/gam/auth/__init__.py

@@ -5,6 +5,7 @@ import os
 
 from google.auth.jwt import Credentials as JWTCredentials
 
+import gam
 from gam import utils
 
 from gam.auth import oauth
@@ -30,6 +31,9 @@ def get_admin_credentials_filename():
         return GC_Values[GC_OAUTH2SERVICE_JSON] if GC_Values[GC_OAUTH2SERVICE_JSON] else _FN_OAUTH2SERVICE_JSON
     return GC_Values[GC_OAUTH2_TXT] if GC_Values[GC_OAUTH2_TXT] else _FN_OAUTH2_TXT
 
+APIS_NEEDING_ACCESS_TOKEN = {
+    'cbcm': ['https://www.googleapis.com/auth/admin.directory.device.chromebrowsers']
+    }
 
 def get_admin_credentials(api=None):
     """Gets oauth.Credentials that are authenticated as the domain's admin user."""
@@ -39,7 +43,12 @@ def get_admin_credentials(api=None):
     with open(credential_file) as f:
         creds_data = json.load(f)
     # Validate that enable DASA matches content of authorization file
-    if GC_Values[GC_ENABLE_DASA] and 'key_type' in creds_data:
+    if GC_Values[GC_ENABLE_DASA] and creds_data.get('type') == 'service_account':
+        if api in APIS_NEEDING_ACCESS_TOKEN:
+            return gam.getSvcAcctCredentials(scopes=APIS_NEEDING_ACCESS_TOKEN[api],
+                                             act_as=None,
+                                             api=None,
+                                             force_oauth=True)
         audience = f'https://{api}.googleapis.com/'
         key_type = creds_data.get('key_type', 'default')
         if key_type == 'default':

src/gam/auth/signjwt.py

@@ -14,6 +14,13 @@ from gam.var import GM_Globals, GM_CACHE_DIR
 
 _DEFAULT_TOKEN_LIFETIME_SECS = 3600  # 1 hour in seconds
 _GOOGLE_OAUTH2_TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
+_IAM_SCOPES = ['https://www.googleapis.com/auth/iam']
+
+# Some Workforce Identity Federation endpoints such as GitHub Actions
+# only allow TLS 1.2 as of April 2023.
+def get_request():
+    httpc = transport.create_http(override_min_tls='TLSv1_2')
+    return transport.create_request(httpc)
 
 
 class JWTCredentials(google.auth.jwt.Credentials):
@@ -73,9 +80,12 @@ class SignJwt(google.auth.crypt.Signer):
 
     def sign(self, message):
         ''' Call IAM Credentials SignJWT API to get our signed JWT '''
+        request = get_request()
         try:
-            credentials, _ = google.auth.default()
-        except google.auth.exceptions.DefaultCredentialsError as e:
+            credentials, _ = google.auth.default(scopes=_IAM_SCOPES,
+                    request=request)
+        except (google.auth.exceptions.DefaultCredentialsError,
+                google.auth.exceptions.RefreshError) as e:
             controlflow.system_error_exit(2, e)
         httpObj = transport.AuthorizedHttp(
                 credentials,

src/gam/gapi/cloudidentity/inboundsso.py

@@ -35,7 +35,7 @@ def get_orgunit_id(orgunit):
 
 '''build Cloud Identity API'''
 def build():
-    return gapi_cloudidentity.build('cloudidentity_beta')
+    return gapi_cloudidentity.build('cloudidentity')
 
 
 '''parse cmd for profile create/update'''
@@ -484,6 +484,16 @@ def update_assignment():
         controlflow.system_error_exit(3, 'Update did not finish {result}')
 
 
+'''gam delete inboundssoassignment'''
+def delete_assignment():
+    ci = build()
+    assignment = assignment_by_target(sys.argv[3], ci).get('name')
+    print(f'Deleting Inbound SSO Assignmnet {assignment}...')
+    gapi.call(ci.inboundSsoAssignments(),
+              'delete',
+              name=assignment)
+
+
 '''gam info inboundssoassignment'''
 def info_assignment():
     ci = build()

src/gam/transport.py

@@ -9,6 +9,8 @@ from gam.var import GC_TLS_MAX_VERSION
 from gam.var import GC_TLS_MIN_VERSION
 from gam.var import GC_Values
 
+# Bump default retries
+#httplib2.RETRIES = 5
 
 def create_http(cache=None,
                 timeout=None,

src/gam/var.py

@@ -8,7 +8,7 @@ import platform
 import re
 
 GAM_AUTHOR = 'Jay Lee <jay0lee@gmail.com>'
-GAM_VERSION = '6.52'
+GAM_VERSION = '6.55'
 GAM_LICENSE = 'Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0)'
 
 GAM_URL = 'https://jaylee.us/gam'
@@ -62,6 +62,21 @@ SKUS = {
         'aliases': ['cloudsearch'],
         'displayName': 'Google Cloud Search',
     },
+    '1010380001': {
+        'product': '101038',
+        'aliases': ['appsheetcore'],
+        'displayName': 'AppSheet Core',
+    },
+    '1010380002': {
+        'product': '101038',
+        'aliases': ['appsheetstandard', 'appsheetenterprisestandard'],
+        'displayName': 'AppSheet Enterprise Standard',
+    },
+    '1010380003': {
+        'product': '101038',
+        'aliases': ['appsheetplus', 'appsheetenterpriseplus'],
+        'displayName': 'AppSheet Enterprise Plus',
+    },
     '1010310002': {
         'product': '101031',
         'aliases': ['gsefe', 'e4e', 'gsuiteenterpriseeducation'],
@@ -300,6 +315,7 @@ PRODUCTID_NAME_MAPPINGS = {
     '101035': 'Cloud Search',
     '101036': 'Google Meet Global Dialing',
     '101037': 'G Suite Workspace for Education',
+    '101038': 'AppSheet',
     '101039': 'Assured Controls',
     '101040': 'Beyond Corp',
     'Google-Apps': 'Google Workspace',
@@ -641,7 +657,7 @@ GOOGLEDOC_VALID_EXTENSIONS_MAP = {
         '.docx', '.html', '.odt', '.pdf', '.rtf', '.txt', '.zip'
     ],
     MIMETYPE_GA_PRESENTATION: ['.pdf', '.pptx', '.odp', '.txt'],
-    MIMETYPE_GA_SPREADSHEET: ['.csv', '.ods', '.pdf', '.xlsx', '.zip'],
+    MIMETYPE_GA_SPREADSHEET: ['.csv', '.ods', '.pdf', '.tsv', '.xlsx', '.zip'],
 }
 
 MACOS_CODENAMES = {
@@ -1331,7 +1347,7 @@ GC_TLS_MAX_VERSION = 'tls_max_ver'
 # Path to certificate authority file for validating TLS hosts
 GC_CA_FILE = 'ca_file'
 
-TLS_MIN = 'TLSv1_3' if hasattr(ssl.SSLContext(), 'minimum_version') else None
+TLS_MIN = 'TLSv1_3'
 GC_Defaults = {
     GC_ADMIN_EMAIL: '',
     GC_AUTO_BATCH_MIN: 0,

src/requirements.txt

@@ -6,7 +6,6 @@ google-auth-httplib2
 google-auth-oauthlib>=0.4.1
 google-auth>=2.3.2
 httplib2>=0.17.0
-importlib.metadata; python_version < '3.8'
 passlib>=1.7.2
 pathvalidate
 python-dateutil

src/setup.cfg

@@ -13,15 +13,15 @@ keywords = google, oauth2, gsuite, google-apps, google-admin-sdk, google-drive,
 classifiers =
     Programming Language :: Python :: 3
     Programming Language :: Python :: 3 :: Only
-    Programming Language :: Python :: 3.7
     Programming Language :: Python :: 3.8
     Programming Language :: Python :: 3.9
     Programming Language :: Python :: 3.10
+    Programming Language :: Python :: 3.11
     License :: OSI Approved :: Apache License
 
 [options]
 packages = find:
-python_requires = >= 3.7
+python_requires = >= 3.8
 install_requires =
     cryptography
     distro; sys_platform == 'linux'
@@ -31,11 +31,10 @@ install_requires =
     google-auth-oauthlib >= 0.4.6
     google-auth >= 2.3.3
     httplib2 >= 0.20.2
-    importlib.metadata; python_version < '3.8'
     passlib >= 1.7.4
-    python-dateutil
-    yubikey-manager >= 4.0.0
     pathvalidate
+    python-dateutil
+    yubikey-manager >= 5.0
 
 [options.package_data]
 * = *.pem