  def _DenyAllValues(self, policy, args):
    """Returns a copy of ``policy`` whose rule for ``args.condition`` is denyAll.

    Every rule that matches the condition in ``args`` (unconditional rules
    when ``args.condition`` is None) is dropped, and one fresh rule carrying
    that condition is appended with ``denyAll`` set to True. The caller's
    ``policy`` object is never mutated; all edits happen on a deep copy.

    Args:
      policy: messages.GoogleCloudOrgpolicyV2alpha1Policy, The policy to be
        updated.
      args: argparse.Namespace, An object that contains the values for the
        arguments specified in the Args method.

    Returns:
      The updated policy (a deep copy of ``policy``).
    """
    # Edit a copy so a failure part-way through can never leave the caller's
    # policy half-rewritten.
    updated = copy.deepcopy(policy)
    condition = args.condition

    # Remove every rule that speaks for this condition; after this call the
    # freshly created rule below is the only one that does.
    updated.spec.rules = org_policy_utils.GetNonMatchingRulesFromPolicy(
        updated, condition)

    deny_rule, updated = org_policy_utils.CreateRuleOnPolicy(updated, condition)
    deny_rule.denyAll = True
    return updated
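    def UpdatePolicy(self, policy, args):
        """Updates the policy for tests.

        If --condition is not specified, a copy of the policy with every rule
        removed and with both ``inheritFromParent`` and ``reset`` set to False
        is returned.

        If --condition is specified, this first checks whether the policy
        already has any rules. If it does, a copy of the policy is returned as
        is. If not, a new rule carrying the specified condition is added.

        NOTE(review): the previous docstring described the two branches the
        other way round; the text above matches what the code does. Confirm
        which behaviour the tests relying on this helper expect.

        Args:
          policy: messages.GoogleCloudOrgpolicyV2alpha1Policy, The policy to be
            updated.
          args: argparse.Namespace, An object that contains the values for the
            arguments specified in the Args method.

        Returns:
          The updated policy. Always a deep copy; ``policy`` is never mutated.
        """
        new_policy = copy.deepcopy(policy)

        if args.condition is None:
            # Clears all rules and switches off parent inheritance and reset.
            # NOTE(review): an empty, non-inheriting policy presumably leaves
            # the constraint at its default for this resource -- acceptable for
            # a test fixture, but do not lift this into production code without
            # checking that effect.
            new_policy.spec.rules = []
            new_policy.spec.inheritFromParent = False
            new_policy.spec.reset = False
            return new_policy

        if new_policy.spec.rules:
            # Existing rules are kept untouched regardless of their conditions.
            return new_policy

        _, new_policy = org_policy_utils.CreateRuleOnPolicy(
            new_policy, args.condition)
        return new_policy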
    def _AddValues(self, policy, args):
        """Adds ``args.value`` to the allowed values of the rule for ``args.condition``.

        Working on a deep copy, this first strips the requested values from
        the denied-value lists of matching rules (via
        ``utils.RemoveDeniedValuesFromPolicy``), then looks up the rules that
        match the condition (unconditional rules when ``args.condition`` is
        None). If every requested value is already allowed, the copy is
        returned unchanged. Otherwise:

        * a matching rule with ``allowAll`` set means nothing needs adding, so
          the copy is returned as is;
        * a matching rule with ``denyAll`` set is refused with
          ``OperationNotSupportedError`` -- turning a deny-all rule into an
          allow-list would silently widen the policy;
        * otherwise the first matching rule (or a freshly created one when
          there is none) receives the missing values on its allowed list.

        Args:
          policy: messages.GoogleCloudOrgpolicyV2alpha1Policy, The policy to be
            updated.
          args: argparse.Namespace, An object that contains the values for the
            arguments specified in the Args method.

        Returns:
          The updated policy (a deep copy of ``policy``).

        Raises:
          exceptions.OperationNotSupportedError: a rule matching the condition
            has ``denyAll`` set.
        """
        updated = utils.RemoveDeniedValuesFromPolicy(copy.deepcopy(policy), args)

        condition = args.condition
        matching = org_policy_utils.GetMatchingRulesFromPolicy(updated, condition)

        to_add = self._GetMissingAllowedValuesFromRules(matching, args.value)
        if not to_add:
            # Everything requested is already allowed; nothing to change.
            return updated

        if matching:
            for candidate in matching:
                if candidate.allowAll:
                    # An allow-all rule already permits the values.
                    return updated
                if candidate.denyAll:
                    # Hard stop: do not convert deny-all into an allow-list
                    # behind the caller's back.
                    raise exceptions.OperationNotSupportedError(
                        'Values cannot be allowed if denyAll is set on the policy.'
                    )
            # Only the first matching rule is edited.
            target = matching[0]
            # Clear the flags (they may be False rather than unset) so the
            # list values are what takes effect.
            target.allowAll = None
            target.denyAll = None
        else:
            target, updated = org_policy_utils.CreateRuleOnPolicy(
                updated, condition)

        if target.values is None:
            target.values = self.org_policy_messages.GoogleCloudOrgpolicyV2alpha1PolicyPolicyRuleStringValues(
            )
        target.values.allowedValues += list(to_add)
        return updated
  def testCreateRuleOnPolicy_NoConditionSpecified_CreatesRule(self):
    """CreateRuleOnPolicy(policy, None) appends a bare rule and keeps existing ones."""
    conditional_only = self.Policy(
        rule_data=[{'condition': self.CONDITION_EXPRESSION_A}])
    expected = self.Policy(
        rule_data=[{'condition': self.CONDITION_EXPRESSION_A}, {}])

    created, result = utils.CreateRuleOnPolicy(conditional_only, None)

    # The new rule must exist, carry no condition, and sit after the
    # pre-existing conditional rule.
    self.assertIsNotNone(created)
    self.assertIsNone(created.condition)
    self.assertEqual(result, expected)
  def UpdatePolicy(self, policy, args):
    """Sets enforce=True on the rule for ``args.condition``, replacing any old one.

    Validation runs first, against the boolean policy contract: a nonempty
    boolean policy carries exactly one unconditional rule, and every
    conditional rule takes the opposite enforcement value from it. A request
    that would break the contract raises BooleanPolicyValidationError before
    anything is copied or changed.

    After validation the rules matching the condition (unconditional rules
    when ``args.condition`` is None) are removed from a deep copy and one new
    rule with that condition is created with ``enforce`` set to True.

    When the policy is empty and a condition is given, an unconditional rule
    with ``enforce`` False is created as well so the result satisfies the
    contract.

    Args:
      policy: messages.GoogleCloudOrgpolicyV2alpha1Policy, The policy to be
        updated.
      args: argparse.Namespace, An object that contains the values for the
        arguments specified in the Args method.

    Returns:
      The updated policy. This is a deep copy except in the no-op case (the
      unconditional rule is already enforced on a multi-rule policy), where
      the input object itself is returned.

    Raises:
      exceptions.BooleanPolicyValidationError: the request conflicts with the
        boolean policy contract described above.
    """
    existing_rules = policy.spec.rules
    target_condition = args.condition

    if existing_rules:
      unconditional = org_policy_utils.GetMatchingRulesFromPolicy(policy, None)
      if not unconditional:
        raise exceptions.BooleanPolicyValidationError(
            'An unconditional enforce value does not exist on the nonempty policy.'
        )
      base_rule = unconditional[0]

      if target_condition is None:
        if len(existing_rules) > 1:
          # Conditional rules exist, so the unconditional value is pinned to
          # the opposite of theirs: either it is already True (nothing to do)
          # or flipping it would violate the contract.
          if not base_rule.enforce:
            raise exceptions.BooleanPolicyValidationError(
                'Unconditional enforce value cannot be the same as a conditional enforce value on the policy.'
            )
          # Already enforced; the input is handed back as is, not copied.
          return policy
      elif base_rule.enforce:
        # A conditional rule must take the opposite value of the unconditional
        # one, and we are about to set it to True.
        raise exceptions.BooleanPolicyValidationError(
            'Conditional enforce value cannot be the same as the unconditional enforce value on the policy.'
        )

    updated = copy.deepcopy(policy)

    if target_condition is not None and not updated.spec.rules:
      # An empty policy gaining a conditional rule also needs the mandatory
      # unconditional rule, with the opposite (False) value.
      base_rule, updated = org_policy_utils.CreateRuleOnPolicy(updated, None)
      base_rule.enforce = False

    updated.spec.rules = org_policy_utils.GetNonMatchingRulesFromPolicy(
        updated, target_condition)
    enforced_rule, updated = org_policy_utils.CreateRuleOnPolicy(
        updated, target_condition)
    enforced_rule.enforce = True
    return updated