    def UpdatePolicy(self, policy, args):
        """Returns a copy of ``policy`` with ``spec.inheritFromParent`` set to True.

        The input policy is never mutated; a deep copy is modified and returned.

        Args:
          policy: messages.GoogleCloudOrgpolicyV2alpha1Policy, The policy to be
            updated.
          args: argparse.Namespace, An object that contains the values for the
            arguments specified in the Args method. Unused here.

        Returns:
          The updated policy.

        Raises:
          exceptions.OperationNotSupportedError: if the policy has no rules, or
            if its first rule has ``enforce`` set (a boolean policy).
        """
        rules = policy.spec.rules
        if not rules:
            raise exceptions.OperationNotSupportedError(
                'Cannot enable inherit on an empty policy. To create a policy use allow/deny, enable/disable_enforce or set_policy.'
            )

        # Only the first rule is inspected to decide whether this is a
        # boolean (enforce-style) policy, which cannot inherit.
        first_rule = rules[0]
        if first_rule.enforce:
            raise exceptions.OperationNotSupportedError(
                'Cannot enable inherit on a boolean policy.')

        updated = copy.deepcopy(policy)
        updated.spec.inheritFromParent = True
        return updated
    def _AddValues(self, policy, args):
        """Adds values to an eligible policy rule containing the specified condition.

        Works on a deep copy of ``policy``; the input is never mutated. The copy
        is first passed through ``utils.RemoveDeniedValuesFromPolicy`` so the
        requested values are no longer denied anywhere. The rules matching
        ``args.condition`` are then collected and the values not yet allowed by
        them are computed. If nothing is missing the policy is returned as is.
        Otherwise, when no matching rule exists a new one is created for the
        condition; when matching rules exist, a rule with ``allowAll`` set means
        nothing needs to change, a rule with ``denyAll`` set is an error, and
        the first matching rule receives the missing values (with ``allowAll``
        and ``denyAll`` cleared on it).

        Args:
          policy: messages.GoogleCloudOrgpolicyV2alpha1Policy, The policy to be
            updated.
          args: argparse.Namespace, An object that contains the values for the
            arguments specified in the Args method. ``args.condition`` and
            ``args.value`` are read.

        Returns:
          The updated policy.

        Raises:
          exceptions.OperationNotSupportedError: if a matching rule has
            ``denyAll`` set.
        """
        updated = copy.deepcopy(policy)
        updated = utils.RemoveDeniedValuesFromPolicy(updated, args)

        matching_rules = org_policy_utils.GetMatchingRulesFromPolicy(
            updated, args.condition)
        missing = self._GetMissingAllowedValuesFromRules(
            matching_rules, args.value)
        if not missing:
            # Every requested value is already allowed; nothing to change.
            return updated

        if matching_rules:
            for rule in matching_rules:
                if rule.allowAll:
                    return updated
                if rule.denyAll:
                    raise exceptions.OperationNotSupportedError(
                        'Values cannot be allowed if denyAll is set on the policy.'
                    )
            target = matching_rules[0]
            # Clear both flags rather than leaving an explicit False on them.
            target.allowAll = None
            target.denyAll = None
        else:
            target, updated = org_policy_utils.CreateRuleOnPolicy(
                updated, args.condition)

        if target.values is None:
            target.values = (
                self.org_policy_messages
                .GoogleCloudOrgpolicyV2alpha1PolicyPolicyRuleStringValues())
        target.values.allowedValues += list(missing)

        return updated
    def Run(self, args):
        """Retrieves and then creates/updates a policy as needed.

        The following workflow is used:
           Retrieve policy through GetPolicy.
           If policy exists:
               Check policy to see if an update needs to be applied - it could be
               the case that the policy is already in the correct state.
               If policy does not need to be updated:
                   No action.
               If new policy is empty:
                   Delete policy through DeletePolicy.
               If policy needs to be updated:
                   Update policy through UpdatePolicy.
           If policy does not exist:
               If new policy is empty:
                   No action.
               If new policy is not empty:
                   Create policy through CreatePolicy.

        Before any update, an existing policy whose spec has a rule with a
        ``condition`` is rejected unless the invoked command is ``reset``; the
        non-conditional commands must not silently rewrite a conditional policy.

        Note that in the case that a policy exists, an error could be thrown by
        the backend if the policy is updated in between the GetPolicy request and
        the UpdatePolicy request. In the case that a policy does not exist, an
        error could be thrown if the policy did not initially exist but is
        created in between the GetPolicy request and the CreatePolicy request.

        Args:
          args: argparse.Namespace, An object that contains the values for the
            arguments specified in the Args method. ``args.command_path`` is
            consulted when the existing policy has conditional rules.

        Returns:
          The policy to return to the user after successful execution.

        Raises:
          exceptions.OperationNotSupportedError: if the existing policy has a
            conditional rule and the command is not ``reset``.
        """
        existing = self._GetPolicy(args)
        if not existing:
            return self._CreatePolicy(args)

        spec = existing.spec
        # Same short-circuit order as before: command_path is only read when a
        # rule actually carries a condition.
        if spec and any(
                rule.condition and args.command_path[-1] != 'reset'
                for rule in spec.rules):
            raise exceptions.OperationNotSupportedError(
                'Cannot be used to modify a conditional policy. Use set-policy instead.'
            )

        on_alpha_track = self.ReleaseTrack() is base.ReleaseTrack.ALPHA
        update_or_delete = (self._UpdateOrDeletePolicyAlpha if on_alpha_track
                            else self._UpdateOrDeletePolicy)
        return update_or_delete(existing, args)