Updated gam create|use project to discontinue use of the Identity-Aware Proxy (IAP) OAuth Admin APIs

Updated `gam report <ActivityApplicationName>` to display `id:<actor.profileId>` in the `emailAddress` column
when `actor.email` is empty. This typically occurs when the actor is not in your workspace.

Updated `gam <UserTypeEntity> copy drivefile` to ignore ACLs referencing deleted user/groups.

.github/workflows/build.yml

@@ -17,7 +17,7 @@ defaults:
     working-directory: src
 
 env:
-  SCRATCH_COUNTER: 4
+  SCRATCH_COUNTER: 7
   OPENSSL_CONFIG_OPTS: no-fips --api=3.0.0
   OPENSSL_INSTALL_PATH: ${{ github.workspace }}/bin/ssl
   OPENSSL_SOURCE_PATH: ${{ github.workspace }}/src/openssl
@@ -41,48 +41,57 @@ jobs:
             goal: build
             arch: x86_64
             openssl_archs: linux-x86_64
-          - os: [self-hosted, linux, arm64]
+          - os: ubuntu-24.04-arm
             jid: 3
             goal: build
             arch: aarch64
             openssl_archs: linux-aarch64
-          - os: ubuntu-22.04
+          - os: ubuntu-22.04-arm
             jid: 4
             goal: build
+            arch: aarch64
+            openssl_archs: linux-aarch64
+          - os: ubuntu-22.04
+            jid: 5
+            goal: build
             arch: x86_64
             openssl_archs: linux-x86_64
             staticx: yes
-          - os: [self-hosted, linux, arm64]
+          - os: ubuntu-22.04-arm
-            jid: 5
+            jid: 6
             goal: build
             arch: aarch64
             openssl_archs: linux-aarch64
             staticx: yes
           - os: macos-13
-            jid: 6
+            jid: 7
             goal: build
             arch: x86_64
             openssl_archs: darwin64-x86_64
           - os: macos-14
-            jid: 7
-            goal: build
-            arch: aarch64
-            openssl_archs: darwin64-arm64
-          - os: macos-15
             jid: 8
             goal: build
             arch: aarch64
             openssl_archs: darwin64-arm64
-          - os: windows-2022
+          - os: macos-15
             jid: 9
             goal: build
+            arch: aarch64
+            openssl_archs: darwin64-arm64
+          - os: windows-2022
+            jid: 10
+            goal: build
             arch: Win64
             openssl_archs: VC-WIN64A
-          - os: ubuntu-24.04
+          # disable 3.9 test for now since it's oldest and due
-            goal: test
+          # for removal in Oct 2025. We only have 13 jid accounts
-            python: "3.9"
+          # so we need this one off but can re-enable at some point
-            jid: 10
+          # if we feel the need.
-            arch: x86_64
+          #- os: ubuntu-24.04
+          #  goal: test
+          #  python: "3.9"
+          #  jid: 11
+          #  arch: x86_64
           - os: ubuntu-24.04
             goal: test
             python: "3.10"
@@ -120,7 +129,7 @@ jobs:
         with:
           path: |
             cache.tar.xz
-          key: gam-${{ matrix.jid }}-20241203
+          key: gam-${{ matrix.jid }}-20250116
 
       - name: Untar Cache archive
         if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit == 'true'
@@ -187,7 +196,7 @@ jobs:
           echo "gampath=${gampath}" >> $GITHUB_ENV
 
       - name: Install necessary Github-hosted Linux packages
-        if: runner.os == 'Linux' && runner.arch == 'X64'
+        if: runner.os == 'Linux'
         run: |
           echo "RUNNING: apt update..."
           sudo apt-get -qq --yes update
@@ -548,7 +557,6 @@ jobs:
             # https://github.com/pyinstaller/pyinstaller/issues/7102
             export PATH="$(dirname ${PYTHON}):/usr/bin"
           fi
-          #if ([ "${staticx}" != "yes" ] && [ "$RUNNER_OS" != "Windows" ]); then
           if [[ "$staticx" != "yes" ]]; then
             export PYINSTALLER_BUILD_ONEDIR=yes
           fi
@@ -594,6 +602,9 @@ jobs:
       - name: Install StaticX
         if: matrix.staticx == 'yes'
         run: |
+          sudo apt-get -qq --yes update
+          # arm64 needs to build a wheel and needs scons to build
+          sudo apt-get -qq --yes install scons
           "${PYTHON}" -m pip install --upgrade patchelf-wrapper
           "${PYTHON}" -m pip install --upgrade staticx
 
@@ -994,7 +1005,7 @@ jobs:
 
   merge:
     if: (github.event_name == 'push' || github.event_name == 'schedule')
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     needs: build
     permissions:
       contents: write
@@ -1008,7 +1019,7 @@ jobs:
 
   publish:
     if: github.event_name == 'push'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     needs: merge
     permissions:
       contents: write

src/GamCommands.txt

@@ -1362,6 +1362,7 @@ gam create project [admin <EmailAddress>] [project <ProjectID>]
          nokey]
 gam use project [<EmailAddress>] [<ProjectID>]
 gam use project [admin <EmailAddress>] [project <ProjectID>]
+        [appname <String>] [supportemail <EmailAddress>]
         [saname <ServiceAccountName>] [sadisplayname <ServiceAccountDisplayName>]
         [sadescription <ServiceAccountDescription>]
         [(algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
@@ -1677,6 +1678,7 @@ gam calendar <CalendarEntity> printacl [todrive <ToDriveAttribute>*]
         (range <Date> <Date>)|
         (recurrence <RRULE, EXRULE, RDATE and EXDATE line>)|
         (reminder <Number> email|popup))|
+	(resource <ResourceID>)|
         (selectattendees [<AttendeeAttendance>] [<AttendeeStatus>] <UserTypeEntity>)|
         (sequence <Integer>)|
         (sharedproperty <PropertyKey> <PropertyValue>)|
@@ -1707,8 +1709,10 @@ The following attributes are equivalent:
         clearattendees|
         clearhangoutsmeet|
         (clearprivateproperty <PropertyKey>)|
+        clearresources|
         (clearsharedproperty <PropertyKey>)|
         (removeattendee <EmailAddress>)|
+        (removeresource <ResourceID>)|
         (replacedescription <RegularExpression> <String>)|
         (selectremoveattendees <UserTypeEntity>)
 
@@ -4448,7 +4452,7 @@ gam report <ActivityApplicationName> [todrive <ToDriveAttribute>*]
         [event|events <EventNameList>] [ip <String>]
         [groupidfilter <String>]
         [maxactivities <Number>] [maxevents <Number>] [maxresults <Number>]
-        [countsonly [summary] [eventrowfilter]]
+        [countsonly [bydate|summary] [eventrowfilter]]
         (addcsvdata <FieldName> <String>)* [shownoactivities]
 
 <CustomerServiceName> ::=
@@ -6572,6 +6576,8 @@ gam <UserTypeEntity> copy drivefile <DriveFileEntity>
         [copysubfolderpermissions [<Boolean>]]
         [copysubfolderinheritedpermissions [<Boolean>]]
         [copysubfoldernoniheritedpermissions never|always|syncallfolders|syncupdatedfolders]
+        [copypermissionroles <DriveFileACLRoleList>]
+        [copypermissiontypes <DriveFileACLTypeList>]
         [excludepermissionsfromdomains|includepermissionsfromdomains <DomainNameList>]
         (mappermissionsdomain <DomainName> <DomainName>)*
         [copysheetprotectedranges [<Boolean>]]

src/GamUpdate.txt

@@ -1,3 +1,46 @@
+7.03.00
+
+Updated `gam create|use project` to discontinue use of the `Identity-Aware Proxy (IAP) OAuth Admin APIs`
+that are being deprecated by Google. You will see a set of instructions detailing how to
+configure the Oauth Consent screen and create the Oauth client.
+
+Added options `copypermissionroles <DriveFileACLRoleList>` and `copypermissiontypes <DriveFileACLTypeList>`
+to `gam <UserTypeEntity> copy drivefile` that provide more control over what permissions are copied
+from the source files/folders to the destination files/folders.
+
+7.02.11
+
+Updated `gam report <ActivityApplicationName>` to display `id:<actor.profileId>` in the `emailAddress` column
+when `actor.email` is empty. This typically occurs when the actor is not in your workspace.
+
+Updated `gam <UserTypeEntity> copy drivefile` to ignore ACLs referencing deleted user/groups.
+
+7.02.10
+
+Added option `bydate` to `gam report <ActivityApplicationName> ... countsonly` that provides an additional display option.
+* `countsonly` - Display a row per user across all dates with all event counts on one row
+* `countsonly bydate` - Display a row per user per date for all dates with any events with all events counts on the row
+* `countsonly summary` - Display a row per event with counts for each event summarized across users and dates
+
+7.02.09
+
+Added option `clearresources` to `<EventUpdateAttribute>` for use in `gam <UserTypeEntity> update events`
+that allows clearing all resources from a user's calendar events. For example, to clear all resources from a user's future events:
+```
+gam user user@domain.com update events primary matchfield attendeespattern @resource.calendar.google.com after now clearresources
+```
+
+Added option `resource <ResourceID>` to `<EventAttribute>` for use in `gam <UserTypeEntity> create|update events`
+that adds a resource to an event.
+
+Added option `removeresource <ResourceID>` to `<EventUpdateAttribute>` for use in `gam <UserTypeEntity> update events`
+that removes a resource from an event.
+
+7.02.08
+
+Fixed bug in `gam print|show chromepolicies` that caused a trap when neither
+`ou|orgunit <OrgUnitItem>` nor `group <GroupItem>` was specified.
+
 7.02.07
 
 Updated `gam delete|update chromepolicy` to display the `<AppID>` or `<PrinterID>` (if specified)

src/gam/__init__.py

@@ -25,7 +25,7 @@ https://github.com/GAM-team/GAM/wiki
 """
 
 __author__ = 'GAM Team <google-apps-manager@googlegroups.com>'
-__version__ = '7.02.07'
+__version__ = '7.03.00'
 __license__ = 'Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0)'
 
 #pylint: disable=wrong-import-position
@@ -4727,7 +4727,7 @@ def clearServiceCache(service):
 
 DISCOVERY_URIS = [googleapiclient.discovery.V1_DISCOVERY_URI, googleapiclient.discovery.V2_DISCOVERY_URI]
 
-# Used for API.CLOUDRESOURCEMANAGER, API.SERVICEUSAGE, API.IAM, API.IAP
+# Used for API.CLOUDRESOURCEMANAGER, API.SERVICEUSAGE, API.IAM
 def getAPIService(api, httpObj):
   api, version, v2discovery = API.getVersion(api)
   return googleapiclient.discovery.build(api, version, http=httpObj, cache_discovery=False,
@@ -11395,21 +11395,10 @@ def _createOauth2serviceJSON(httpObj, projectInfo, svcAcctInfo, create_key=True)
   _grantRotateRights(iam, projectInfo['projectId'], sa_email, sa_email)
   return True
 
-def setGAMProjectConsentScreen(httpObj, projectId, appInfo):
-  sys.stdout.write(Msg.SETTING_GAM_PROJECT_CONSENT_SCREEN)
-  iap = getAPIService(API.IAP, httpObj)
-  try:
-    callGAPI(iap.projects().brands(), 'create',
-             throwReasons=[GAPI.ALREADY_EXISTS, GAPI.INVALID_ARGUMENT],
-             parent=f'projects/{projectId}', body=appInfo)
-  except (GAPI.invalidArgument, GAPI.alreadyExists):
-    pass
-
 def _createClientSecretsOauth2service(httpObj, login_hint, appInfo, projectInfo, svcAcctInfo, create_key=True):
   def _checkClientAndSecret(csHttpObj, client_id, client_secret):
     post_data = {'client_id': client_id, 'client_secret': client_secret,
                  'code': 'ThisIsAnInvalidCodeOnlyBeingUsedToTestIfClientAndSecretAreValid',
-#                 'redirect_uri': 'urn:ietf:wg:oauth:2.0:oob', 'grant_type': 'authorization_code'}
                  'redirect_uri': 'http://127.0.0.1:8080', 'grant_type': 'authorization_code'}
     _, content = csHttpObj.request(API.GOOGLE_OAUTH2_TOKEN_ENDPOINT, 'POST', urlencode(post_data),
                                    headers={'Content-type': 'application/x-www-form-urlencoded'})
@@ -11434,16 +11423,14 @@ def _createClientSecretsOauth2service(httpObj, login_hint, appInfo, projectInfo,
 
   if not enableGAMProjectAPIs(httpObj, projectInfo['projectId'], login_hint, False):
     return
-  if appInfo:
+  sys.stdout.write(Msg.SETTING_GAM_PROJECT_CONSENT_SCREEN_CREATING_CLIENT)
-    setGAMProjectConsentScreen(httpObj, projectInfo['projectId'], appInfo)
+  console_url = f'https://console.cloud.google.com/auth/clients?project={projectInfo["projectId"]}&authuser={login_hint}'
-  console_url = f'https://console.cloud.google.com/apis/credentials/oauthclient?project={projectInfo["projectId"]}&authuser={login_hint}'
   csHttpObj = getHttpObj()
   while True:
-    sys.stdout.write(Msg.CREATE_PROJECT_INSTRUCTIONS.format(console_url))
+    sys.stdout.write(Msg.CREATE_CLIENT_INSTRUCTIONS.format(console_url, appInfo['applicationTitle'], appInfo['supportEmail']))
     client_id = readStdin(Msg.ENTER_YOUR_CLIENT_ID).strip()
     if not client_id:
       client_id = readStdin('').strip()
-    sys.stdout.write(Msg.GO_BACK_TO_YOUR_BROWSER_AND_COPY_YOUR_CLIENT_SECRET_VALUE)
     client_secret = readStdin(Msg.ENTER_YOUR_CLIENT_SECRET).strip()
     if not client_secret:
       client_secret = readStdin('').strip()
@@ -11451,7 +11438,6 @@ def _createClientSecretsOauth2service(httpObj, login_hint, appInfo, projectInfo,
     if client_valid:
       break
     sys.stdout.write('\n')
-# Deleted: "redirect_uris": ["http://localhost", "urn:ietf:wg:oauth:2.0:oob"],
   cs_data = f'''{{
     "installed": {{
         "auth_provider_x509_cert_url": "{API.GOOGLE_AUTH_PROVIDER_X509_CERT_URL}",
@@ -11464,7 +11450,6 @@ def _createClientSecretsOauth2service(httpObj, login_hint, appInfo, projectInfo,
     }}
 }}'''
   writeFile(GC.Values[GC.CLIENT_SECRETS_JSON], cs_data, continueOnError=False)
-  sys.stdout.write(Msg.GO_BACK_TO_YOUR_BROWSER_AND_CLICK_OK_TO_CLOSE_THE_OAUTH_CLIENT_POPUP)
   sys.stdout.write(Msg.TRUST_GAM_CLIENT_ID.format(GAM, client_id))
   readStdin('')
   if not _createOauth2serviceJSON(httpObj, projectInfo, svcAcctInfo, create_key):
@@ -11590,7 +11575,7 @@ def _getLoginHintProjectInfo(createCmd):
         _checkProjectName(projectInfo['name'])
       elif _getSvcAcctInfo(myarg, svcAcctInfo):
         pass
-      elif createCmd and _getAppInfo(myarg, appInfo):
+      elif _getAppInfo(myarg, appInfo):
         pass
       elif myarg in {'algorithm', 'localkeysize', 'validityhours', 'yubikey'}:
         Cmd.Backup()
@@ -11874,14 +11859,15 @@ def doCreateProject():
 
 # gam use project [<EmailAddress>] [<ProjectID>]
 # gam use project [admin <EmailAddress>] [project <ProjectID>]
+#	[appname <String>] [supportemail <EmailAddress>]
 #	[saname <ServiceAccountName>] [sadisplayname <ServiceAccountDisplayName>] [sadescription <ServiceAccountDescription>]
 #	[(algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
 #	 (localkeysize 1024|2048|4096 [validityhours <Number>])|
 #	 (yubikey yubikey_pin yubikey_slot AUTHENTICATION yubikey_serialnumber <String>)]
 def doUseProject():
   _checkForExistingProjectFiles([GC.Values[GC.OAUTH2SERVICE_JSON], GC.Values[GC.CLIENT_SECRETS_JSON]])
-  _, httpObj, login_hint, _, projectInfo, svcAcctInfo, create_key = _getLoginHintProjectInfo(False)
+  _, httpObj, login_hint, appInfo, projectInfo, svcAcctInfo, create_key = _getLoginHintProjectInfo(False)
-  _createClientSecretsOauth2service(httpObj, login_hint, {}, projectInfo, svcAcctInfo, create_key)
+  _createClientSecretsOauth2service(httpObj, login_hint, appInfo, projectInfo, svcAcctInfo, create_key)
 
 # gam update project [[admin] <EmailAddress>] [<ProjectIDEntity>]
 def doUpdateProject():
@@ -13090,13 +13076,13 @@ def _checkDataRequiredServices(result, tryDate, dataRequiredServices, parameterS
 #  0: Backup to earlier date
 #  1: Data available
   oneDay = datetime.timedelta(days=1)
-  warnings = result.get('warnings', [])
+  dataWarnings = result.get('warnings', [])
   usageReports = result.get('usageReports', [])
   # move to day before if we don't have at least one usageReport with parameters
   if not usageReports or not usageReports[0].get('parameters', []):
     tryDateTime = datetime.datetime.strptime(tryDate, YYYYMMDD_FORMAT)-oneDay
     return (0, tryDateTime.strftime(YYYYMMDD_FORMAT), None)
-  for warning in warnings:
+  for warning in dataWarnings:
     if warning['code'] == 'PARTIAL_DATA_AVAILABLE':
       for app in warning['data']:
         if app['key'] == 'application' and app['value'] != 'docs' and app['value'] in dataRequiredServices:
@@ -13521,7 +13507,7 @@ REPORT_ACTIVITIES_TIME_OBJECTS = {'time'}
 #	[event|events <EventNameList>] [ip <String>]
 #	[groupidfilter <String>]
 #	[maxactivities <Number>] [maxevents <Number>] [maxresults <Number>]
-#	[countsonly [summary] [eventrowfilter]]
+#	[countsonly [bydate|summary] [eventrowfilter]]
 #	(addcsvdata <FieldName> <String>)* [shownoactivities]
 # gam report users|user [todrive <ToDriveAttribute>*]
 #	[(user all|<UserItem>)|(orgunit|org|ou <OrgUnitPath> [showorgunit])|(select <UserTypeEntity>)]
@@ -13794,8 +13780,8 @@ def doReport():
   filterTimes = {}
   maxActivities = maxEvents = 0
   maxResults = 1000
-  aggregateByDate = aggregateByUser = convertMbToGb = countsOnly = eventRowFilter = exitUserLoop = \
+  aggregateByDate = aggregateByUser = convertMbToGb = countsOnly = countsByDate = countsSummary = \
-    noAuthorizedApps = normalizeUsers = select = summary = userCustomerRange = False
+    eventRowFilter = exitUserLoop = noAuthorizedApps = normalizeUsers = select = userCustomerRange = False
   limitDateChanges = -1
   allVerifyUser = userKey = 'all'
   cd = orgUnit = orgUnitId = None
@@ -13893,8 +13879,10 @@ def doReport():
       actorIpAddress = getString(Cmd.OB_STRING)
     elif activityReports and myarg == 'countsonly':
       countsOnly = True
+    elif activityReports and myarg == 'bydate':
+      countsByDate = True
     elif activityReports and myarg == 'summary':
-      summary = True
+      countsSummary = True
     elif activityReports and myarg == 'eventrowfilter':
       eventRowFilter = True
     elif activityReports and myarg == 'groupidfilter':
@@ -13928,6 +13916,8 @@ def doReport():
       unknownArgumentExit()
   if aggregateByDate and aggregateByUser:
     usageErrorExit(Msg.ARE_MUTUALLY_EXCLUSIVE.format('aggregateByDate', 'aggregateByUser'))
+  if countsOnly and countsByDate and countsSummary:
+    usageErrorExit(Msg.ARE_MUTUALLY_EXCLUSIVE.format('bydate', 'summary'))
   parameters = ','.join(parameters) if parameters else None
   if usageReports and not includeServices:
     includeServices = set(fullDataServices)
@@ -14144,8 +14134,12 @@ def doReport():
       pageMessage = getPageMessage()
       users = [normalizeEmailAddressOrUID(userKey)]
       orgUnitId = None
+    zeroEventCounts = {}
     if not eventNames:
       eventNames.append(None)
+    else:
+      for eventName in eventNames:
+        zeroEventCounts[eventName] = 0
     i = 0
     count = len(users)
     for user in users:
@@ -14177,9 +14171,22 @@ def doReport():
           accessErrorExit(None)
         for activity in feed:
           events = activity.pop('events')
-          actor = activity['actor'].get('email', activity['actor'].get('key', UNKNOWN))
+          actor = activity['actor'].get('email')
+          if not actor:
+            actor = 'id:'+activity['actor'].get('profileId', UNKNOWN)
           if showOrgUnit:
             activity['actor']['orgUnitPath'] = userOrgUnits.get(actor, UNKNOWN)
+          if countsOnly and countsByDate:
+            eventTime = activity.get('id', {}).get('time', UNKNOWN)
+            if eventTime != UNKNOWN:
+              try:
+                eventTime, _ = iso8601.parse_date(eventTime)
+              except (iso8601.ParseError, OverflowError):
+                eventTime = UNKNOWN
+            if eventTime != UNKNOWN:
+              eventDate = eventTime.strftime(YYYYMMDD_FORMAT)
+            else:
+              eventDate = UNKNOWN
           if not countsOnly or eventRowFilter:
             activity_row = flattenJSON(activity, timeObjects=REPORT_ACTIVITIES_TIME_OBJECTS)
             purge_parameters = True
@@ -14230,18 +14237,32 @@ def doReport():
                 if numEvents >= maxEvents > 0:
                   break
               elif csvPF.CheckRowTitles(row):
-                if not summary:
+                eventName = event['name']
+                if not countsSummary:
                   eventCounts.setdefault(actor, {})
-                  eventCounts[actor].setdefault(event['name'], 0)
+                  if not countsByDate:
-                  eventCounts[actor][event['name']] += 1
+                    eventCounts[actor].setdefault(eventName, 0)
+                    eventCounts[actor][eventName] += 1
+                  else:
+                    eventCounts[actor].setdefault(eventDate, {})
+                    eventCounts[actor][eventDate].setdefault(eventName, 0)
+                    eventCounts[actor][eventDate][eventName] += 1
                 else:
-                  eventCounts.setdefault(event['name'], 0)
+                  eventCounts.setdefault(eventName, 0)
-                  eventCounts[event['name']] += 1
+                  eventCounts[eventName] += 1
-          elif not summary:
+          elif not countsSummary:
             eventCounts.setdefault(actor, {})
-            for event in events:
+            if not countsByDate:
-              eventCounts[actor].setdefault(event['name'], 0)
+              for event in events:
-              eventCounts[actor][event['name']] += 1
+                eventName = event['name']
+                eventCounts[actor].setdefault(eventName, 0)
+                eventCounts[actor][eventName] += 1
+            else:
+              for event in events:
+                eventName = event['name']
+                eventCounts[actor].setdefault(eventDate, {})
+                eventCounts[actor][eventDate].setdefault(eventName, 0)
+                eventCounts[actor][eventDate][eventName] += 1
           else:
             for event in events:
               eventCounts.setdefault(event['name'], 0)
@@ -14256,31 +14277,46 @@ def doReport():
     else:
       if eventRowFilter:
         csvPF.SetRowFilter([], GC.Values[GC.CSV_OUTPUT_ROW_FILTER_MODE])
-      if not summary:
+      if not countsSummary:
-        csvPF.SetTitles('emailAddress')
+        titles = ['emailAddress']
+        if countsOnly and countsByDate:
+          titles.append('date')
+        csvPF.SetTitles(titles)
+        csvPF.SetSortTitles(titles)
         if addCSVData:
           csvPF.AddTitles(sorted(addCSVData.keys()))
         if eventCounts:
-          for actor, events in iter(eventCounts.items()):
+          if not countsByDate:
-            row = {'emailAddress': actor}
+            for actor, events in iter(eventCounts.items()):
-            for event, count in iter(events.items()):
+              row = {'emailAddress': actor}
-              row[event] = count
+              row.update(zeroEventCounts)
-            if addCSVData:
+              for event, count in iter(events.items()):
-              row.update(addCSVData)
+                row[event] = count
-            csvPF.WriteRowTitles(row)
+              if addCSVData:
+                row.update(addCSVData)
+              csvPF.WriteRowTitles(row)
+          else:
+            for actor, eventDates in iter(eventCounts.items()):
+              for eventDate, events in iter(eventDates.items()):
+                row = {'emailAddress': actor, 'date': eventDate}
+                row.update(zeroEventCounts)
+                for event, count in iter(events.items()):
+                  row[event] = count
+                if addCSVData:
+                  row.update(addCSVData)
+                csvPF.WriteRowTitles(row)
         elif showNoActivities:
           row = {'emailAddress': 'NoActivities'}
           if addCSVData:
             row.update(addCSVData)
             csvPF.WriteRow(row)
-        csvPF.SetSortTitles(['emailAddress'])
       else:
         csvPF.SetTitles(['event', 'count'])
         if addCSVData:
           csvPF.AddTitles(sorted(addCSVData.keys()))
         if eventCounts:
-          for event in sorted(eventCounts):
+          for event, count in sorted(iter(eventCounts.items())):
-            row = {'event': event, 'count': eventCounts[event]}
+            row = {'event': event, 'count': count}
             if addCSVData:
               row.update(addCSVData)
             csvPF.WriteRow(row)
@@ -28349,7 +28385,7 @@ def doPrintShowChromePolicies():
   if csvPF:
     csvPF.SetNoEscapeChar(True)
   FJQC = FormatJSONQuoteChar(csvPF)
-  app_id = groupEmail = orgUnit = printer_id = None
+  app_id = groupEmail = orgUnit = printer_id = targetResource = None
   showPolicies = CHROME_POLICY_SHOW_ALL
   psFilters = []
   while Cmd.ArgumentsRemaining():
@@ -38327,6 +38363,7 @@ def _getCalendarEventAttribute(myarg, body, parameters, function):
           for subfield in subfields:
             body.pop(subfield, None)
 
+  cd = None
   if function == 'insert' and myarg in {'id', 'eventid'}:
     body['id'] = getEventID()
   elif function == 'import' and myarg == 'icaluid':
@@ -38407,6 +38444,17 @@ def _getCalendarEventAttribute(myarg, body, parameters, function):
       if responseStatus is not None:
         addAttendee['responseStatus'] = responseStatus
       parameters['attendees'].append(addAttendee)
+  elif function == 'update' and myarg == 'clearresources':
+    parameters['clearResources'] = True
+  elif myarg == 'resource':
+    if cd is None:
+      cd = buildGAPIObject(API.DIRECTORY)
+    parameters['attendees'].append({'email': _validateResourceId(cd, getString(Cmd.OB_RESOURCE_ID), 0, 0, True),
+                                    'responseStatus': 'accepted', 'resource': True})
+  elif myarg == 'removeresource':
+    if cd is None:
+      cd = buildGAPIObject(API.DIRECTORY)
+    parameters['removeAttendees'].add(_validateResourceId(cd, getString(Cmd.OB_RESOURCE_ID), 0, 0, True))
   elif myarg == 'json':
     jsonData = getJSON(EVENT_JSON_CLEAR_FIELDS)
     if function == 'insert':
@@ -38716,7 +38764,7 @@ def _validateCalendarGetEvents(origUser, user, origCal, calId, j, jcount, calend
 
 def _getCalendarCreateImportUpdateEventOptions(function, entityType):
   body = {}
-  parameters = {'clearAttendees': False, 'replaceMode': False,
+  parameters = {'clearAttendees': False, 'replaceMode': False, 'clearResources': False,
                 'attendees': [], 'removeAttendees': set(),
                 'replaceDescription': [], 'sendUpdates': 'none',
                 'csvPF': None, 'FJQC': FormatJSONQuoteChar(None), 'showDayOfWeek': False}
@@ -38827,7 +38875,7 @@ def _updateCalendarEvents(origUser, user, origCal, calIds, count, calendarEventE
   updateFieldList = []
   if parameters['replaceDescription']:
     updateFieldList.append('description')
-  if not parameters['replaceMode'] and (parameters['attendees'] or parameters['removeAttendees']):
+  if not parameters['replaceMode'] and (parameters['attendees'] or parameters['removeAttendees'] or parameters['clearResources']):
     updateFieldList.append('attendees')
   updateFields = ','.join(updateFieldList)
   if 'attendees' not in updateFieldList:
@@ -38878,6 +38926,8 @@ def _updateCalendarEvents(origUser, user, origCal, calIds, count, calendarEventE
               body['attendees'] = []
             if parameters['removeAttendees']:
               body['attendees'] = [attendee for attendee in body['attendees'] if attendee['email'].lower() not in parameters['removeAttendees']]
+            if parameters['clearResources']:
+              body['attendees'] = [attendee for attendee in body['attendees'] if not attendee['email'].lower().endswith('@resource.calendar.google.com')]
         event = callGAPI(cal.events(), 'patch',
                          throwReasons=GAPI.CALENDAR_THROW_REASONS+[GAPI.NOT_FOUND, GAPI.DELETED, GAPI.FORBIDDEN,
                                                                    GAPI.INVALID, GAPI.REQUIRED, GAPI.TIME_RANGE_EMPTY, GAPI.EVENT_DURATION_EXCEEDS_LIMIT,
@@ -39627,18 +39677,19 @@ def doCalendarsPrintShowSettings(calIds):
   if csvPF:
     csvPF.writeCSVfile('Calendar Settings')
 
-def _validateResourceId(resourceId, i, count):
+def _validateResourceId(cd, resourceId, i, count, exitOnNotFound):
-  cd = buildGAPIObject(API.DIRECTORY)
   try:
     return callGAPI(cd.resources().calendars(), 'get',
                     throwReasons=[GAPI.BAD_REQUEST, GAPI.RESOURCE_NOT_FOUND, GAPI.FORBIDDEN],
                     customer=GC.Values[GC.CUSTOMER_ID], calendarResourceId=resourceId, fields='resourceEmail')['resourceEmail']
   except (GAPI.badRequest, GAPI.resourceNotFound, GAPI.forbidden):
+    if exitOnNotFound:
+      entityDoesNotExistExit(Ent.RESOURCE_CALENDAR, resourceId, i, count)
     checkEntityAFDNEorAccessErrorExit(cd, Ent.RESOURCE_CALENDAR, resourceId, i, count)
     return None
 
-def _normalizeResourceIdGetRuleIds(resourceId, i, count, ACLScopeEntity, showAction=True):
+def _normalizeResourceIdGetRuleIds(cd, resourceId, i, count, ACLScopeEntity, showAction=True):
-  calId = _validateResourceId(resourceId, i, count)
+  calId = _validateResourceId(cd, resourceId, i, count, False)
   if not calId:
     return (None, None, 0)
   if ACLScopeEntity['dict']:
@@ -39656,23 +39707,25 @@ def _normalizeResourceIdGetRuleIds(resourceId, i, count, ACLScopeEntity, showAct
 # gam resources <ResourceEntity> create calendaracls <CalendarACLRole> <CalendarACLScopeEntity> [sendnotifications <Boolean>]
 def doResourceCreateCalendarACLs(entityList):
   cal = buildGAPIObject(API.CALENDAR)
+  cd = buildGAPIObject(API.DIRECTORY)
   role, ACLScopeEntity, sendNotifications = getCalendarCreateUpdateACLsOptions(True)
   i = 0
   count = len(entityList)
   for resourceId in entityList:
     i += 1
-    calId, ruleIds, jcount = _normalizeResourceIdGetRuleIds(resourceId, i, count, ACLScopeEntity)
+    calId, ruleIds, jcount = _normalizeResourceIdGetRuleIds(cd, resourceId, i, count, ACLScopeEntity)
     if jcount == 0:
       continue
     _createCalendarACLs(cal, Ent.RESOURCE_CALENDAR, calId, i, count, role, ruleIds, jcount, sendNotifications)
 
 def _resourceUpdateDeleteCalendarACLs(entityList, function, ACLScopeEntity, role, sendNotifications):
   cal = buildGAPIObject(API.CALENDAR)
+  cd = buildGAPIObject(API.DIRECTORY)
   i = 0
   count = len(entityList)
   for resourceId in entityList:
     i += 1
-    calId, ruleIds, jcount = _normalizeResourceIdGetRuleIds(resourceId, i, count, ACLScopeEntity)
+    calId, ruleIds, jcount = _normalizeResourceIdGetRuleIds(cd, resourceId, i, count, ACLScopeEntity)
     if jcount == 0:
       continue
     _updateDeleteCalendarACLs(cal, function, Ent.RESOURCE_CALENDAR, calId, i, count, role, ruleIds, jcount, sendNotifications)
@@ -39695,13 +39748,14 @@ def doResourceDeleteCalendarACLs(entityList):
 #	[formatjson]
 def doResourceInfoCalendarACLs(entityList):
   cal = buildGAPIObject(API.CALENDAR)
+  cd = buildGAPIObject(API.DIRECTORY)
   ACLScopeEntity = getCalendarSiteACLScopeEntity()
   FJQC = _getCalendarInfoACLOptions()
   i = 0
   count = len(entityList)
   for resourceId in entityList:
     i += 1
-    calId, ruleIds, jcount = _normalizeResourceIdGetRuleIds(resourceId, i, count, ACLScopeEntity, showAction=not FJQC.formatJSON)
+    calId, ruleIds, jcount = _normalizeResourceIdGetRuleIds(cd, resourceId, i, count, ACLScopeEntity, showAction=not FJQC.formatJSON)
     if jcount == 0:
       continue
     _infoCalendarACLs(cal, resourceId, Ent.RESOURCE_CALENDAR, calId, i, count, ruleIds, jcount, FJQC)
@@ -39720,12 +39774,13 @@ def doResourceInfoCalendarACLs(entityList):
 #	[formatjson]
 def doResourcePrintShowCalendarACLs(entityList):
   cal = buildGAPIObject(API.CALENDAR)
+  cd = buildGAPIObject(API.DIRECTORY)
   csvPF, FJQC, noSelfOwner, addCSVData = _getCalendarPrintShowACLOptions(['resourceId', 'resourceEmail'])
   i = 0
   count = len(entityList)
   for resourceId in entityList:
     i += 1
-    calId = _validateResourceId(resourceId, i, count)
+    calId = _validateResourceId(cd, resourceId, i, count, False)
     if not calId:
       continue
     _printShowCalendarACLs(cal, resourceId, Ent.RESOURCE_CALENDAR, calId, i, count, csvPF, FJQC, noSelfOwner, addCSVData)
@@ -58813,6 +58868,8 @@ def initCopyMoveOptions(copyCmd):
     'fileMimeTypes': set(),
     'notMimeTypes': False,
     'copySubFilesOwnedBy': None,
+    'copyPermissionRoles': set(DRIVEFILE_ACL_ROLES_MAP.values()),
+    'copyPermissionTypes': set(DRIVEFILE_ACL_PERMISSION_TYPES),
     }
 
 DUPLICATE_FILE_CHOICES = {
@@ -58901,6 +58958,20 @@ def getCopyMoveOptions(myarg, copyMoveOptions):
         copyMoveOptions['copyFileInheritedPermissions'] = getBoolean()
       elif myarg == 'copyfilenoninheritedpermissions':
         copyMoveOptions['copyFileNonInheritedPermissions'] = COPY_NONINHERITED_PERMISSIONS_ALWAYS if getBoolean() else COPY_NONINHERITED_PERMISSIONS_NEVER
+      elif myarg == 'copypermissionroles':
+        copyMoveOptions['copyPermissionRoles'] = set()
+        for prole in getString(Cmd.OB_PERMISSION_ROLE_LIST).lower().replace(',', ' ').split():
+          if prole in DRIVEFILE_ACL_ROLES_MAP:
+            copyMoveOptions['copyPermissionRoles'].add(DRIVEFILE_ACL_ROLES_MAP[prole])
+          else:
+            invalidChoiceExit(prole, DRIVEFILE_ACL_ROLES_MAP, True)
+      elif myarg == 'copypermissiontypes':
+        copyMoveOptions['copyPermissionTypes'] = set()
+        for ptype in getString(Cmd.OB_PERMISSION_TYPE_LIST).lower().replace(',', ' ').split():
+          if ptype in DRIVEFILE_ACL_PERMISSION_TYPES:
+            copyMoveOptions['copyPermissionTypes'].add(ptype)
+          else:
+            invalidChoiceExit(ptype, DRIVEFILE_ACL_PERMISSION_TYPES, True)
       elif myarg == 'copysheetprotectedranges':
         if getBoolean():
           copyMoveOptions['copySheetProtectedRangesInheritedPermissions'] = True
@@ -59014,15 +59085,20 @@ def _copyPermissions(drive, user, i, count, j, jcount,
   def isPermissionCopyable(kvList, permission):
     role = permission['role']
     emailAddress = permission.get('emailAddress', '')
+    permissionType = permission['type']
     domain = ''
     if copyMoveOptions['excludePermissionsFromDomains'] or copyMoveOptions['includePermissionsFromDomains']:
-      if permission['type'] in {'group', 'user'}:
+      if permissionType in {'group', 'user'}:
         atLoc = emailAddress.find('@')
         if atLoc > 0:
           domain = emailAddress[atLoc+1:]
-      elif permission['type'] == 'domain':
+      elif permissionType == 'domain':
         domain = permission.get('domain', '')
-    if permission['inherited'] and not copyMoveOptions[copyInherited]:
+    if role not in copyMoveOptions['copyPermissionRoles']:
+      notCopiedMessage = f'role {role} not selected'
+    elif permissionType not in copyMoveOptions['copyPermissionTypes']:
+      notCopiedMessage = f'type {permissionType} not selected'
+    elif permission['inherited'] and not copyMoveOptions[copyInherited]:
       notCopiedMessage = 'inherited not selected'
     elif not permission['inherited'] and copyMoveOptions[copyNonInherited] == COPY_NONINHERITED_PERMISSIONS_NEVER:
       notCopiedMessage = 'noninherited not selected'
@@ -59038,8 +59114,8 @@ def _copyPermissions(drive, user, i, count, j, jcount,
       notCopiedMessage = f'domain {domain} excluded'
     elif domain and copyMoveOptions['includePermissionsFromDomains'] and domain not in copyMoveOptions['includePermissionsFromDomains']:
       notCopiedMessage = f'domain {domain} not included'
-    elif permission.pop('deleted', False):
+    elif permission.pop('deleted', False) or (permissionType in {'group', 'user'} and not emailAddress):
-      notCopiedMessage = f"{permission['type']} {permission['emailAddress']} deleted"
+      notCopiedMessage = f"{permissionType} deleted or has blank email address"
     elif ((copyInherited == 'copySheetProtectedRangesInheritedPermissions' and copyMoveOptions[copyInherited]) or
           (copyNonInherited == 'copySheetProtectedRangesNonInheritedPermissions' and
            copyMoveOptions[copyNonInherited] != COPY_NONINHERITED_PERMISSIONS_NEVER)):
@@ -59477,6 +59553,8 @@ copyReturnItemMap = {
 #	[copysubfolderpermissions [<Boolean>]]
 #	[copysubfolderinheritedpermissions [<Boolean>]]
 #	[copysubfoldernoniheritedpermissions never|always|syncallfolders|syncupdatedfolders]
+#	[copypermissionroles <DriveFileACLRoleList>]
+#	[copypermissiontypes <DriveFileACLTypeList>]
 #	[excludepermissionsfromdomains|includepermissionsfromdomains <DomainNameList>]
 #	(mappermissionsdomain <DomainName> <DomainName>)*
 #	[copysheetprotectedranges [<Boolean>]]
@@ -60291,6 +60369,8 @@ def _updateMoveFilePermissions(drive, user, i, count,
 #	[copysubfolderpermissions [<Boolean>]]
 #	[copysubfolderinheritedpermissions [<Boolean>]]
 #	[copysubfoldernoniheritedpermissions never|always|syncallfolders|syncupdatedfolders]
+#	[copypermissionroles <DriveFileACLRoleList>]
+#	[copypermissiontypes <DriveFileACLTypeList>]
 #	[synctopfoldernoniheritedpermissions [<Boolean>]] [syncsubfoldernoninheritedpermissions [<Boolean>]]
 #	[excludepermissionsfromdomains|includepermissionsfromdomains <DomainNameList>]
 #	(mappermissionsdomain <DomainName> <DomainName>)*
@@ -67554,10 +67634,10 @@ def updatePhoto(users):
     body = {'photoData': base64.urlsafe_b64encode(image_data).decode(UTF8)}
     try:
       callGAPI(cd.users().photos(), 'update',
-               throwReasons=[GAPI.USER_NOT_FOUND, GAPI.FORBIDDEN, GAPI.INVALID_INPUT],
+               throwReasons=[GAPI.USER_NOT_FOUND, GAPI.FORBIDDEN, GAPI.INVALID_INPUT, GAPI.CONDITION_NOT_MET],
                userKey=user, body=body, fields='')
       entityActionPerformed([Ent.USER, user, Ent.PHOTO, filename], i, count)
-    except GAPI.invalidInput as e:
+    except (GAPI.invalidInput, GAPI.conditionNotMet) as e:
       entityActionFailedWarning([Ent.USER, user, Ent.PHOTO, filename], str(e), i, count)
     except (GAPI.userNotFound, GAPI.forbidden):
       entityUnknownWarning(Ent.USER, user, i, count)

src/gam/gamlib/glapi.py

@@ -71,7 +71,6 @@ GROUPSMIGRATION = 'groupsmigration'
 GROUPSSETTINGS = 'groupssettings'
 IAM = 'iam'
 IAM_CREDENTIALS = 'iamcredentials'
-IAP = 'iap'
 KEEP = 'keep'
 LICENSING = 'licensing'
 LOOKERSTUDIO = 'datastudio'
@@ -185,7 +184,6 @@ PROJECT_APIS = [
   'groupsmigration.googleapis.com',
   'groupssettings.googleapis.com',
   'iam.googleapis.com',
-  'iap.googleapis.com',
   'keep.googleapis.com',
   'licensing.googleapis.com',
   'meet.googleapis.com',
@@ -250,7 +248,6 @@ _INFO = {
   GROUPSSETTINGS: {'name': 'Groups Settings API', 'version': 'v1', 'v2discovery': True},
   IAM: {'name': 'Identity and Access Management API', 'version': 'v1', 'v2discovery': True},
   IAM_CREDENTIALS: {'name': 'Identity and Access Management Credentials API', 'version': 'v1', 'v2discovery': True},
-  IAP: {'name': 'Cloud Identity-Aware Proxy API', 'version': 'v1', 'v2discovery': True},
   KEEP: {'name': 'Keep API', 'version': 'v1', 'v2discovery': True},
   LICENSING: {'name': 'License Manager API', 'version': 'v1', 'v2discovery': True},
   LOOKERSTUDIO: {'name': 'Looker Studio API', 'version': 'v1', 'v2discovery': True, 'localjson': True},

src/gam/gamlib/glmsgs.py

@@ -40,21 +40,43 @@ sign in as {0} and accept the Terms of Service (ToS). As soon as you've accepted
 
 PROJECT_STILL_BEING_CREATED_SLEEPING = 'Project still being created. Sleeping {0} seconds\n'
 FAILED_TO_CREATE_PROJECT = 'Failed to create project: {0}\n'
-SETTING_GAM_PROJECT_CONSENT_SCREEN = 'Setting GAM project consent screen...\n'
+SETTING_GAM_PROJECT_CONSENT_SCREEN_CREATING_CLIENT = 'Setting GAM project consent screen, creating client...\n'
-CREATE_PROJECT_INSTRUCTIONS = '''
+CREATE_CLIENT_INSTRUCTIONS = '''
 Please go to:
 
   {0}
 
-1. Choose "Desktop App" or "Other" for "Application type".
+ 1. If "+ CREATE CLIENT" is on the screen, skip to step 14
-2. Enter "GAM" or another desired value for "Name".
+ 2. Click "GET STARTED"
-3. Click the blue "Create" button.
+ 3. Under "App Information", enter {1} or another value in "App name *"
-4. Copy your "Client ID" value that shows on the next page.
+ 4. Under "App Information", enter {2} in "User support email *"
+ 5. Click "NEXT"
+ 6. Under "Audience", choose INTERNAL
+ 7. Click "NEXT"
+ 8. Under, "Contact Information", enter an email address in "Email addresses *"
+ 9. Click "NEXT"
+10. Under "Finish", click "I agree to the Google API Services: User Data Policy."
+11. Click "CONTINUE"
+12. Click "CREATE"
+13. Click "Clients" in the left-hand column
+14. Click "+ CREATE CLIENT"
+15. Choose "Desktop App" for "Application type"
+16. Enter {1} or another value in "Name *"
+17. Click "Create"
+18. Under "Name", click your client name
+19. Copy the "Client ID" value under "Additional information"
+20. Paste it at the "Enter your Client ID: " prompt in your terminal
+21. Press return/enter in your terminal
+22. Switch back to the browser
+23. Copy the "Client secret" value under "Client Secrets"
+24. Paste it at the "Enter your Client Secret: " prompt in your terminal
+25. Press return/enter in your terminal
+26. Switch back to the browser
+27. Click "CANCEL"
+28. These steps are complete
 '''
 ENTER_YOUR_CLIENT_ID = '\nEnter your Client ID: '
-GO_BACK_TO_YOUR_BROWSER_AND_COPY_YOUR_CLIENT_SECRET_VALUE = '\n5. Go back to your browser and copy your "Client Secret" value.\n'
 ENTER_YOUR_CLIENT_SECRET = '\nEnter your Client Secret: '
-GO_BACK_TO_YOUR_BROWSER_AND_CLICK_OK_TO_CLOSE_THE_OAUTH_CLIENT_POPUP = '\n6. Go back to your browser and click OK to close the "OAuth client" popup if it\'s still open.\n'
 IS_NOT_A_VALID_CLIENT_ID = '''
 
 {0}
@@ -78,12 +100,12 @@ Please go to:
 
   https://admin.google.com/ac/owl/list?tab=configuredApps
 
-1. Click on: Configure new app > OAuth App Name Or Client ID.
+1. Click on: Configure new app
-2. Enter the following Client ID value:
+2. Enter the following Client ID value in Search for app:
 
   {1}
 
-3. Press Search, select the {0} app, press Select, check the box and press Select.
+3. Press Search, select the {0} app, click
 4. Keep the default scope or select a preferred scope that includes your GAM admin.
 5. Press Continue
 6. Select Trusted radio button, press Continue and Finish.