search

taers232c / GAMADV-XTD3

Command line tool to manage Google Workspace
703 stars 87 forks source link

[BUG?] info user quick vs info user quick formatjson #293

Closed jay-eleven closed 2 years ago

jay-eleven commented 2 years ago

Hi Ross!

According to documentation:

quick - Equivalent to noaliases nobuildingnames nogroups nolicenses noschemas

And this "seems" to work as expected:

gam info user x@x.com quick

User: x@x.com
  Settings:
    First Name: xxx
    Last Name: xxx
    Full Name: xxx
    Languages: en+
    Is a Super Admin: False
    Is Delegated Admin: False
    2-step enrolled: True
    2-step enforced: False
    Has Agreed to Terms: True
    IP Whitelisted: False
    Account Suspended: False
    Is Archived: False
    Must Change Password: False
    Google Unique ID: xxxxxxxxxx
    Customer ID: xxxxxxxxxx
    Mailbox is setup: True
    Included in GAL: True
    Creation Time: 2014-05-27T10:52:46Z
    Last login time: 2022-08-17T17:57:08Z
    Google Org Unit Path: /
    Recovery Email: xxxx@gmail.com
    Recovery Phone: +xxxxxxxxxx
  Gender:
    type: female
  Other Emails:

However, when the formatjson option is added, quick returns custom schemas, defeating the quick option partially:

gam info user x@x.com quick formatjson

{"customSchemas": {"some_name": {"some_attribute": [{"type": "work", "value": "un:xxx"}]}}, 
"emails": [{"address": "x@x.com", "primary": true}, {"address": "x@x.com.test-google-a.com"}, {"address": "yy@x.com"}],
"aliases": ["yy@x.com"],
"languages": [{"languageCode": "en", "preference": "preferred"}], 
"nonEditableAliases": ["xxx@x.com.test-google-a.com"],
"gender": {"type": "female"},"agreedToTerms": true, "archived": false, "changePasswordAtNextLogin": false, "creationTime": "2014-05-27T10:52:46Z", "customerId": "xxxxx", "id": "xxxxxx", "includeInGlobalAddressList": true, "ipWhitelisted": false, "isAdmin": false, "isDelegatedAdmin": false, "isEnforcedIn2Sv": false, "isEnrolledIn2Sv": true, "isMailboxSetup": true, "lastLoginTime": "2022-08-17T17:57:08Z", "name": {"familyName": "xxx", "fullName": "xxx", "givenName": "xxxx"}, "orgUnitPath": "/", "primaryEmail": "x@x.com", "recoveryEmail": "xxxx@gmail.com", "recoveryPhone": "+xxxxx", "suspended": false}

The workaround is to specify the noschemas option, in addition to quick.

Upon closer inspection, besides customSchemas, formatjson shows data that was previously hidden like emails[], aliases[], languages[] and nonEditableAliases[].

So it looks like formatjson displays more information. Is this done on purpose?

taers232c commented 2 years ago

quick should definitely set projection basic; I'll fix this languages is in normal mode and formatjson emails is in normal mode and formatjson I'll fix quick formatjson to not include 'aliases', 'nonEditableAliases'

On Wed, Aug 17, 2022 at 3:38 PM Jay @.***> wrote:

Hi Ross!

According to documentation https://github.com/taers232c/GAMADV-XTD3/wiki/Users#display-information-about-users :

quick - Equivalent to noaliases nobuildingnames nogroups nolicenses noschemas

And this "seems" to work as expected:

gam info user @.*** quick

User: @. Settings: First Name: xxx Last Name: xxx Full Name: xxx Languages: en+ Is a Super Admin: False Is Delegated Admin: False 2-step enrolled: True 2-step enforced: False Has Agreed to Terms: True IP Whitelisted: False Account Suspended: False Is Archived: False Must Change Password: False Google Unique ID: xxxxxxxxxx Customer ID: xxxxxxxxxx Mailbox is setup: True Included in GAL: True Creation Time: 2014-05-27T10:52:46Z Last login time: 2022-08-17T17:57:08Z Google Org Unit Path: / Recovery Email: @. Recovery Phone: +xxxxxxxxxx Gender: type: female Other Emails:

However, when the formatjson option is added, quick returns custom schemas, defeating the quick option partially:

gam info user @.*** quick formatjson

{"customSchemas": {"some_name": {"some_attribute": [{"type": "work", "value": "un:xxx"}]}}, "emails": [{"address": @.", "primary": true}, {"address": @."}], "languages": [{"languageCode": "en", "preference": "preferred"}], "nonEditableAliases": @."], "gender": {"type": "female"},"agreedToTerms": true, "archived": false, "changePasswordAtNextLogin": false, "creationTime": "2014-05-27T10:52:46Z", "customerId": "xxxxx", "id": "xxxxxx", "includeInGlobalAddressList": true, "ipWhitelisted": false, "isAdmin": false, "isDelegatedAdmin": false, "isEnforcedIn2Sv": false, "isEnrolledIn2Sv": true, "isMailboxSetup": true, "lastLoginTime": "2022-08-17T17:57:08Z", "name": {"familyName": "xxx", "fullName": "xxx", "givenName": "xxxx"}, "orgUnitPath": "/", "primaryEmail": @.", "recoveryEmail": @.***", "recoveryPhone": "+xxxxx", "suspended": false}

Upon closer inspection, besides customSchemas, formatjson shows data that was previously hidden like emails[], languages[] and nonEditableAliases[].

The workaround is to specify the noschemas option, in addition to quick, to force gam to use projection=basic instead of projection=full.

So it looks like formatjson displays more information. Is this done on purpose?

— Reply to this email directly, view it on GitHub https://github.com/taers232c/GAMADV-XTD3/issues/293, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACCTYL6KLZ6VV2RCCR3KYADVZVSX3ANCNFSM563E4REA . You are receiving this because you are subscribed to this thread.Message ID: @.***>

-- Ross Scroggs @.***

jay-eleven commented 2 years ago

Awesome, thanks Ross!

A couple of things:

One, specifying groups will make an extra API call:

send: b'GET /admin/directory/v1/groups?userKey=jay...

but no groups will be shown. JSON looks like this "groups": []. I think something is not working properly when extracting groups because gam user jay print groups doesn't work either. 😅

Two, if I understand correctly, the purpose of quick is to control extra API calls. Here's a table that details those:

item gam info user(s) option projection extra API calls
misc user attributes - basic no
emails[] - basic no
languages[] - basic no
nonEditableAddresses[] - basic no
aliases[] aliases basic no, but less data is transferred
customSchemas[] schemas full no, but less data is transferred
buildingNames buildingnames - yes, 1
groups groups - yes, 1
licenses licenses - yes, 1 (batched)

Let me know if you think it's useful and I'll add it to the documentation.

GAMADV-XTD3 6.25.13 - https://github.com/taers232c/GAMADV-XTD3 - pyinstaller

taers232c commented 2 years ago

Do this for a user that you know is in some groups: gam config debug_level 1 user @.*** show groups

Are the groups shown?

On Fri, Aug 19, 2022 at 4:40 PM Jay @.***> wrote:

Awesome, thanks Ross!

A couple of things:

One, specifying groups will make an extra API call:

send: b'GET /admin/directory/v1/groups?userKey=jay...

but no groups will be shown. JSON looks like this "groups": []. I think something is not working properly when extracting groups because gam user jay print groups doesn't work either. 😅

Two, if I understand correctly, the purpose of quick is to control extra API calls. Here's a table that details those: item gam info user(s) option projection extra API calls misc user attributes - basic no emails[] - basic no languages[] - basic no nonEditableAddresses[] - basic no aliases[] noaliases basic no, but less data is transferred customSchemas[] noschemas full no, but less data is transferred buildingNames nobuildingnames - yes, 1 groups nogroups - yes, 1 licenses nolicenses - yes, 1 (batched)

Let me know if you think it's useful and I'll add it to the documentation https://github.com/taers232c/GAMADV-XTD3/wiki/Users#display-information-about-multiple-users .

GAMADV-XTD3 6.25.13 - https://github.com/taers232c/GAMADV-XTD3 - pyinstaller

— Reply to this email directly, view it on GitHub https://github.com/taers232c/GAMADV-XTD3/issues/293#issuecomment-1221171654, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACCTYLZ36YIJRVOM4JXZB2DV2ALNJANCNFSM563E4REA . You are receiving this because you commented.Message ID: @.***>

-- Ross Scroggs @.***

jay-eleven commented 2 years ago

Oooohhhhh... I see what is going on.

gam show groups API call: send: b'GET /admin/directory/v1/groups?userKey=jay%40x.com&orderBy=email&fields=nextPageToken%2Cgroups%28email%29&prettyPrint=true&alt=json

gam print groups API call: send: b'GET /admin/directory/v1/groups?orderBy=email&fields=nextPageToken%2Cgroups%28email%29&customer=xxxxx&prettyPrint=true&alt=json

gam print groups injects the customer parameter but gam show groups doesn't.

Google's documentation, mentions the customer parameter is required when you want to list all groups in a multi-domain GWS account. This is not mentioned, but when a reseller is accessing resold domains, customer or domain is mandatory, otherwise there is no way to access the resold customer's data. And this is exactly what was going on here. I was using my reseller credentials to access resold customer data and gam show groups didn't work but gam print groups did work. Turns out gam info user also uses the same gam show groups API call and doesn't work when accessing resold customers. Can you please fix gam show groups to inject the customer parameter? 😇

taers232c commented 2 years ago

I'm working on this. Thanks for pointing it out.

@.***

On Aug 19, 2022, at 6:00 PM, Jay @.***> wrote:

Oooohhhhh... I see what is going on.

gam show groups API call: send: b'GET /admin/directory/v1/groups?userKey=jay%40x.com&orderBy=email&fields=nextPageToken%2Cgroups%28email%29&prettyPrint=true&alt=json

gam print groups API call: send: b'GET /admin/directory/v1/groups?orderBy=email&fields=nextPageToken%2Cgroups%28email%29&customer=xxxxx&prettyPrint=true&alt=json

gam print groups injects the customer parameter but gam show groups doesn't.

Google's documentation https://developers.google.com/admin-sdk/directory/reference/rest/v1/groups/list?apix_params=%7B%22domain%22%3A%22shuttlecloud.com%22%7D#query-parameters, mentions the customer parameter is required when you want to list all domains in a multi-domain GWS account. This is not mentioned, but when a reseller is accessing resold domains, customer or domain is mandatory, otherwise there is no way to access the resold customer's data. And this is exactly what was going on here. I was using my reseller credentials to access resold customer data and gam show groups didn't work but gam print groups did work. Turns out gam info user also uses the same gam show groups API call and doesn't work when accessing resold customers. Can you please fix gam show groups to inject the customer parameter? 😇

— Reply to this email directly, view it on GitHub https://github.com/taers232c/GAMADV-XTD3/issues/293#issuecomment-1221194383, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACCTYLZKJXXGFWEMEK34TCDV2AU3VANCNFSM563E4REA. You are receiving this because you commented.

taers232c commented 2 years ago

Are you available for a Meet session?

taers232c commented 2 years ago

Go here: https://developers.google.com/admin-sdk/directory/reference/rest/v1/groups/list Put one of your customer IDs in customer Put a valid email address in userKey Click execute

What happens?

This generates an error for normal accounts

Should I be putting channel_customer_id in customer; it's blank for non resellers

jay-eleven commented 2 years ago

Interesting! If I put one of my customer Ids in customer and a valid address or an numeric ID (that belongs to groups) in userKey, the HTTP GET built by the Google tool is GET https://admin.googleapis.com/admin/directory/v1/groups?customer=xxxxx&userKey=jay%40x.com HTTP/1.1 (exactly the same as gam) and the result I get is this fantastic error:

{
  "error": {
    "code": 400,
    "message": "Bad Request",
    "errors": [
      {
        "message": "Bad Request",
        "domain": "global",
        "reason": "badRequest"
      }
    ]
  }
}

If I remove the userKey, all the customer groups are shown.

channel_customer_id ONLY works in the Cloud Channel API. The regular customer_id should be used here.

taers232c commented 2 years ago

Send a Meet/Zoom invitation

On Sat, Aug 20, 2022 at 12:05 PM Jay @.***> wrote:

Interesting! If I put one of my customer Ids in customer and a valid address or an numeric ID (that belongs to groups) in userKey, the HTTP GET built is GET https://admin.googleapis.com/admin/directory/v1/groups?customer=xxxxx&userKey=jay%40x.com&key=[YOUR_API_KEY] HTTP/1.1 and the result I get is this:

{ "error": { "code": 400, "message": "Bad Request", "errors": [ { "message": "Bad Request", "domain": "global", "reason": "badRequest" } ] } }

If I remove the userKey, all the customer groups are shown.

channel_customer_id ONLY works in the Cloud Channel API. The regular customer_id should be used here.

— Reply to this email directly, view it on GitHub https://github.com/taers232c/GAMADV-XTD3/issues/293#issuecomment-1221388178, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACCTYL73JNLADSZMSWEK3XLV2EUAVANCNFSM563E4REA . You are receiving this because you commented.Message ID: @.***>

-- Ross Scroggs @.***

jay-eleven commented 2 years ago

To join the video meeting, click this link: https://meet.google.com/xxx-xxxx-xxx

taers232c commented 2 years ago

https://github.com/taers232c/GAMADV-XTD3/wiki/GamUpdates

https://github.com/taers232c/GAMADV-XTD3/wiki/Users-Group-Membership

Test and report.

Thanks

jay-eleven commented 2 years ago

This works! Thanks Ross!