From 35be7f09038c439cebfe7e46384791eb63947271 Mon Sep 17 00:00:00 2001
From: Roy Lane <rlane@mitre.org>
Date: Mon, 10 Feb 2025 19:07:31 -0500
Subject: [PATCH] policy_api: handle non-conforming group ids (e.g., actual
 group name) (#578)

---
 scubagoggles/policy_api.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/scubagoggles/policy_api.py b/scubagoggles/policy_api.py
index 265a2887..c4fb1895 100644
--- a/scubagoggles/policy_api.py
+++ b/scubagoggles/policy_api.py
@@ -615,7 +615,14 @@ def _reduce(self, policies: Iterable):
             if 'group' in policy['policyQuery']:
                 group_id = policy['policyQuery']['group']
                 group_id = group_id.removeprefix('groups/')
-                group_name = self._group_id_map[group_id]
+                # NOTE: the get() handles the case where Google returns
+                # something that doesn't conform to their documented format
+                # (i.e., 'groups/<group-id>').  For example, Google will
+                # return "WORKSPACE_ALL_ADMIN_GROUP" as a value in some
+                # cases.  If the group id value doesn't conform to the
+                # expected format, the value is kept as received as the
+                # group name.
+                group_name = self._group_id_map.get(group_id, group_id)
                 orgunit_name += f' (group "{group_name}")'
 
             # The setting has two layers in the policies dictionary.  Depending