Get-GSGroupMembers doesn't take Group ID as Identity #249
Comments
|
Thanks for pointing this out, @Ephesoft-Stitus !! Checking to see if there's a different property on the request object that needs to be filled instead if the ID is passed, as the documentation on Google's side explicitly states that either the email or unique ID should be acceptable: https://developers.google.com/admin-sdk/directory/v1/reference/members/list |
|
Found the issue, working on a fix now! Same fix will be applied to other Group functions as well where applicable. Thanks for raising this, @Ephesoft-Stitus ! |
|
hey @Ephesoft-Stitus - sorry on the delay here, this has become a bigger fix than anticipated due to Group IDs also being strings, so the same method of testing if the value passed is an email or an ID as we do with Users isn't applicable (we do that currently by testing if the value is able to be cast as a Issue source: Email name parts (e.g. I initially tried approaching this using a new I tried nesting try/catch statements, but I feel it not only adds to code complexity unnecessarily, but also elongates the overall completion time of the function since you'd be literally retrying the same API call underneath the hood if the first attempt with My current thought is to add a switch parameter to the Group functions to block the appending of the domain and try with whatever was passed as-is. This would effectively allow you to state that you know you are either passing full email addresses or IDs to the Thoughts? |
|
Hi Nate,
No worries for the delay, I know how busy life can be.
It sounds like we need a way to classify a string as a group ID with some
certainty and only attempt lookup using the group ID (without postfixing
the email domain) if the string is classified as a group ID. This way we
reduce the probability of the string being an email address and of hitting
the API multiple times for a single lookup (or lookup failure).
I have a few hundred groups and all of them have these attributes in the
group ID:
- 15 characters in length
- Alphanumeric
- All alpha characters are lowercase
- First two characters are numeric
I can match all of my groups with this regex: \d{2}([a-z]|\d)*
I reached out to my GSuite account executive to see if I can get validation
about these assumptions and perhaps some more information on the group ID
scheme. I'll let you know what I find out.
Thanks,
…--Shaun
On Sat, Dec 28, 2019 at 1:26 PM Nate Ferrell ***@***.***> wrote:
hey @Ephesoft-Stitus <https://github.com/Ephesoft-Stitus> - sorry on the
delay here, this has become a bigger fix than anticipated due to Group IDs
also being strings, so the same method of testing if the value passed is an
email or an ID as we do with Users isn't applicable (we do that currently
by testing if the value is able to be cast as a long integer).
Issue source: Email name parts (e.g. mike instead of ***@***.***) are
accepted for convenience via the function automatically appending the
Domain to the value if it is not recognized as an ID and does not have an
@ in the string. This is an incredibly convenient feature of PSGSuite
that I'd like to not break. Since Group IDs aren't easily identified, we
run into this issue.
I initially tried approaching this using a new Id parameter and parameter
sets (e.g. Email vs Id), but some of the group functions have multiple
parameter sets already, making that approach not too feasible.
I tried nesting try/catch statements, but I feel it not only adds to code
complexity unnecessarily, but also elongates the overall completion time of
the function since you'd be literally retrying the same API call underneath
the hood if the first attempt with Domain appended failed to confirm if
it was actually an ID that was passed. For example, if you do actually pass
a non-existent email/ID to the function, it would need to try and fail
twice before returning.
------------------------------
My current thought is to add a switch parameter to the Group functions to
block the appending of the domain and try with whatever was passed as-is.
This would effectively allow you to state that you know you are either
passing full email addresses or IDs to the Identity / Email parameter and
to not attempt to resolve the address if @ is not found in the value.
Current suggested parameter name is DoNotResolve.
Thoughts?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#249>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AMEFYQ6NVBBBVIZEXVVCAA3Q26Y6XANCNFSM4JL2FQWQ>
.
--
*Shaun Titus* | *EPHESOFT*
Operations Architect
(949) 335-5335
Web <https://ephesoft.com/> | LinkedIn
<https://www.linkedin.com/company/ephesoft-inc/> | Twitter
<https://twitter.com/Ephesoft>
|
|
It might work out if we're able to tighten up that RegEx a bit, I'll do some testing as well |
|
Just as a reference to tighten the RegEx I found that |
|
The question is does that match any email name parts for groups? on mobile, but something like... $null -eq (Get-GSGroup | Where-Object {$_.Email.Split('@')[0] -cmatch '\d{2}([a-z]|\d){13}'}) |
|
In my use-case, I have no conflicts, so your test returns True. Will this apply to everyone all the time? ... there is that rule of absolutes. |
|
Mine returns
@WJurecki - This would apply to all -GSGroup functions, but only in the instance where someone passes just the email name part as the group ID. For what it's worth, we've run the same risk on the user side for a while now, but the is a smaller likelihood that someone would give a user an email address that's a @Ephesoft-Stitus @WJurecki - Thoughts on going the RegEx route given that it will always work as intended if the full email is passed? Or worth avoiding considering we've already proven that the RegEx route would still match false positives of actual emails? |
|
I think the RegEx route would be a very acceptable solution because as you point out, passing a full email address always works. (Honestly I have always passed full email addresses and have never depended on the domain being added to what I passed.) |
|
Tightened the RegEx up a little bit more and have narrowed it down to 1 unavoidable match against my 2313 groups now, still matching 100% of Ids as well: |
|
Full pattern to avoid appending |
|
That looks like it will work. There are a couple minor things about the RegEx. In the capture before the In the domain name itself you are using For a final RegEx of Obviously there are other cases where this won't detect invalid domain names (starting or ending with a |
|
fair call outs! RegEx for email address verification can vary a bit, but definitely valid points. I've updated the code on my end with the final RegEx you provided =] Side note - testing #216 as well right now, hoping to have all of these rolled out by tonight at some point 🙂 |
## 2.35.0 - 2019-12-29 * [Issue #216](#216) - _Thank you, [@WJurecki](https://github.com/WJurecki)!_ * Added `Add-GSSheetValues` to use the native `Append()` method instead of `BatchUpdate()` to prevent needing to calculate the last row like you do with `Export-GSSheet`. Since the input for this method has additional options and the output differs from what `Export-GSSheet` outputs, this has been moved to a unique function to prevent introducing breaking changes to `Export-GSSheet`. * [Issue #221](#221) * Added: `Invoke-GSUserOffboarding` function to wrap common offboarding tasks for ease of access management automation. * [Issue #248](#248) * Fixed `Get-GSSheetInfo` so it no longer defaults `-IncludeGridData` to `$true` if not specified in `$PSBoundParameters`. * [Issue #249](#249) * Updated private function `Resolve-Email` with new `IsGroup` switch, then cleaned up all `*-GSGroup*` functions to use it so that Group ID's are respected based on RegEx match. * [Issue #252](#252) * Added: `Archived` parameter to `Update-GSUser` to enable setting of Archived User licenses. * Miscellaneous * Swapped instances of `Get-StoragePath` for `Get-ConfigurationPath` in `Import-SpecificConfiguration` and `Set-PSGSuiteConfig` to avoid alias related issues with PowerShell 4.0
|
Alright @Ephesoft-Stitus - Updates have been pushed out in v2.35.0 that should allow this to work as intended! Please let me know if you hit any issues. |
|
Thanks @scrthq - I missed the updated in late December as I was travelling. Just checking back on this now as I realized I hadn't seen an update in a long time. This is really, really, great and should significantly improve performance for my use case. |
|
@Ephesoft-Stitus No problem! |
Get-GSGroupMembers Identity parameter help states:
However, passing the group ID to the command results in a 404 because the key isn't found. It only works with passing the email of the group as the identity.
This does not work
Result:
This does work:
The text was updated successfully, but these errors were encountered: