    def testRemoveAllowedValuesFromPolicy_ConditionSpecifiedAndMultipleMatchingEmptyRulesCreated_DeletesAll(
            self):
        """Removing values under a condition drops every matching rule left empty.

        Three rules share CONDITION_EXPRESSION_A and the request strips
        VALUE_A, VALUE_B and VALUE_D. The first and third rules lose all of
        their allowed values and are expected to be deleted; the rule that
        still holds VALUE_C must survive unchanged.
        """
        condition = self.CONDITION_EXPRESSION_A
        original_rules = [
            {'condition': condition,
             'allowed_values': [self.VALUE_A, self.VALUE_B]},
            {'condition': condition,
             'allowed_values': [self.VALUE_C]},
            {'condition': condition,
             'allowed_values': [self.VALUE_B, self.VALUE_D]},
        ]
        policy = self.Policy(rule_data=original_rules)

        argv = [self.CONSTRAINT_A, self.VALUE_A, self.VALUE_B, self.VALUE_D]
        argv += [self.CONDITION_FLAG, condition]
        argv += [self.RESOURCE_FLAG, self.RESOURCE_ID]
        args = self.parser.parse_args(argv)

        # Only the rule that still has a value after the removal should remain.
        expected_policy = self.Policy(
            rule_data=[{'condition': condition,
                        'allowed_values': [self.VALUE_C]}])

        new_policy = utils.RemoveAllowedValuesFromPolicy(policy, args)

        self.assertEqual(new_policy, expected_policy)
    def _AddValues(self, policy, args):
        """Adds values to an eligible policy rule containing the specified condition.

        The work is done on a deep copy of ``policy``; the caller's object is
        left untouched. The copy first goes through the allowed-value removal
        workflow (utils.RemoveAllowedValuesFromPolicy), which strips the
        requested values from the allowed lists of every rule carrying the
        specified condition and drops any modified rule left with no allowed
        and no denied values. The rules matching the condition (rules without
        a condition when none is specified) are then collected and checked for
        requested values that are not yet denied; if there are none, the copy
        is returned as is. If any matching rule has denyAll set, the copy is
        likewise returned unchanged. Otherwise the first matching rule is
        reused (its allowAll/denyAll flags reset to None), or a new rule with
        the condition is created when nothing matched, and the missing values
        are appended to that rule's denied values. Duplicate values in the
        request are pruned.

        Args:
          policy: messages.GoogleCloudOrgpolicyV2alpha1Policy, The policy to be
            updated.
          args: argparse.Namespace, An object that contains the values for the
            arguments specified in the Args method.

        Returns:
          The updated policy.
        """
        # Work on a copy so the caller's policy object is never mutated.
        new_policy = utils.RemoveAllowedValuesFromPolicy(
            copy.deepcopy(policy), args)

        condition = args.condition
        matching_rules = org_policy_utils.GetMatchingRulesFromPolicy(
            new_policy, condition)

        values_to_deny = self._GetMissingDeniedValuesFromRules(
            matching_rules, args.value)
        if not values_to_deny:
            # The policy already holds every requested value; nothing to add.
            return new_policy

        if matching_rules:
            if any(rule.denyAll for rule in matching_rules):
                # A rule with denyAll set means the policy is returned as is.
                return new_policy
            target_rule = matching_rules[0]
            # Reset both flags so an explicit False does not linger alongside
            # the denied-values list.
            target_rule.allowAll = None
            target_rule.denyAll = None
        else:
            target_rule, new_policy = org_policy_utils.CreateRuleOnPolicy(
                new_policy, condition)

        if target_rule.values is None:
            target_rule.values = (
                self.org_policy_messages
                .GoogleCloudOrgpolicyV2alpha1PolicyPolicyRuleStringValues())
        target_rule.values.deniedValues += list(values_to_deny)

        return new_policy
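    def testRemoveAllowedValuesFromPolicy_NoMatchingRule_ThrowsError(self):
        """A removal request that matches no rule leaves the policy as it was.

        The only rule carries CONDITION_EXPRESSION_A while the request passes
        no condition flag, so nothing is eligible for removal. The result is
        compared against an independently built policy with the same rule
        data rather than the input object itself, so the assertion cannot be
        satisfied trivially by in-place mutation of the argument.

        NOTE(review): the name says "ThrowsError" but no exception is expected
        or asserted here; the check is that the policy comes back unchanged.
        """
        policy = self.Policy(
            rule_data=[{
                'condition': self.CONDITION_EXPRESSION_A
            }])
        # Built separately so the comparison below does not pass simply
        # because `policy` and the return value are the same object.
        expected_policy = self.Policy(
            rule_data=[{
                'condition': self.CONDITION_EXPRESSION_A
            }])
        args = self.parser.parse_args([
            self.CONSTRAINT_A, self.VALUE_A, self.RESOURCE_FLAG,
            self.RESOURCE_ID
        ])

        new_policy = utils.RemoveAllowedValuesFromPolicy(policy, args)

        self.assertEqual(new_policy, expected_policy)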
    def UpdatePolicy(self, policy, args):
        """Adds (or removes) values to the list of allowed values or allow all values on the policy.

        Three workflows are selected from ``args``:

        * Values given together with --remove: the removal workflow. Every
          rule carrying the specified condition has the given values removed
          from its allowed values, and any modified rule left with neither
          allowed nor denied values is deleted.

        * Values given without --remove: the add workflow. It first runs the
          removal workflow against the denied values instead of the allowed
          ones, then checks whether the policy already holds all the values.
          If not, it looks for rules with the specified condition (rules with
          no condition when none is specified). A rule with allowAll set makes
          the policy come back as is; otherwise the first such rule, or a newly
          created rule with a matching condition, gets the missing values
          appended to its allowed values. Duplicate values in the request are
          pruned.

        * No values: the allow-all workflow. Rules with the specified
          condition (or without a condition when none is specified) are
          removed, and a new rule with a matching condition is created with
          allowAll set to True.

        Args:
          policy: messages.GoogleCloudOrgpolicyV2alpha1Policy, The policy to be
            updated.
          args: argparse.Namespace, An object that contains the values for the
            arguments specified in the Args method.

        Returns:
          The updated policy.
        """
        # An empty value list means "allow everything" for the condition.
        if not args.value:
            return self._AllowAllValues(policy, args)

        # With values present, --remove picks the removal workflow; otherwise
        # the values are added.
        handler = (utils.RemoveAllowedValuesFromPolicy
                   if args.remove else self._AddValues)
        return handler(policy, args)
    def testRemoveAllowedValuesFromPolicy_RemovesValuesFromAll(self):
        """Unconditional removal strips the values from every rule, not just the first.

        No condition flag is passed, so all three condition-less rules are in
        scope. VALUE_B and VALUE_C are removed wherever they occur; VALUE_A and
        VALUE_D stay put, and since no rule ends up empty none is deleted.
        """
        original_rules = [
            {'allowed_values': [self.VALUE_A, self.VALUE_D]},
            {'allowed_values': [self.VALUE_B, self.VALUE_D]},
            {'allowed_values':
                 [self.VALUE_A, self.VALUE_B, self.VALUE_C, self.VALUE_D]},
        ]
        policy = self.Policy(rule_data=original_rules)

        argv = [self.CONSTRAINT_A, self.VALUE_B, self.VALUE_C]
        argv += [self.RESOURCE_FLAG, self.RESOURCE_ID]
        args = self.parser.parse_args(argv)

        expected_rules = [
            {'allowed_values': [self.VALUE_A, self.VALUE_D]},
            {'allowed_values': [self.VALUE_D]},
            {'allowed_values': [self.VALUE_A, self.VALUE_D]},
        ]
        expected_policy = self.Policy(rule_data=expected_rules)

        new_policy = utils.RemoveAllowedValuesFromPolicy(policy, args)

        self.assertEqual(new_policy, expected_policy)