def Run(self, args):
messages = org_policies.OrgPoliciesMessages()
service = org_policies_base.OrgPoliciesService(args)
policy = service.GetOrgPolicy(
org_policies_base.GetOrgPolicyRequest(args))
if policy.booleanPolicy or (policy.listPolicy
and policy.listPolicy.allowedValues):
raise exceptions.ResourceManagerError(
'Cannot add values to a non-denied_values list policy.')
if policy.listPolicy and policy.listPolicy.allValues:
raise exceptions.ResourceManagerError(
'Cannot add values if all_values is already specified.')
if policy.listPolicy and policy.listPolicy.deniedValues:
for value in args.denied_value:
policy.listPolicy.deniedValues.append(six.text_type(value))
else:
policy.listPolicy = messages.ListPolicy(
deniedValues=args.denied_value)
return service.SetOrgPolicy(
org_policies_base.SetOrgPolicyRequest(args, policy))
def SetUp(self):
self.SelectApi('beta')
self.track = calliope_base.ReleaseTrack.BETA
list_json_patcher = mock.patch(
'googlecloudsdk.api_lib.compute.request_helper.ListJson', autospec=True)
self.addCleanup(list_json_patcher.stop)
self.list_json = list_json_patcher.start()
self.list_json.side_effect = [
resource_projector.MakeSerializable(test_resources.IMAGES +
test_resources.CENTOS_IMAGES)
]
self.all_project_requests = [
(self.compute.images, 'List',
self.messages.ComputeImagesListRequest(
project='centos-cloud')),
(self.compute.images, 'List',
self.messages.ComputeImagesListRequest(
project='cos-cloud')),
(self.compute.images, 'List',
self.messages.ComputeImagesListRequest(
project='debian-cloud')),
(self.compute.images, 'List',
self.messages.ComputeImagesListRequest(
project='fedora-coreos-cloud')),
(self.compute.images, 'List',
self.messages.ComputeImagesListRequest(
project='my-project')),
(self.compute.images, 'List',
self.messages.ComputeImagesListRequest(
project='rhel-cloud')),
(self.compute.images, 'List',
self.messages.ComputeImagesListRequest(
project='rhel-sap-cloud')),
(self.compute.images, 'List',
self.messages.ComputeImagesListRequest(
project='suse-cloud')),
(self.compute.images, 'List',
self.messages.ComputeImagesListRequest(
project='suse-sap-cloud')),
(self.compute.images, 'List',
self.messages.ComputeImagesListRequest(
project='ubuntu-os-cloud')),
(self.compute.images, 'List',
self.messages.ComputeImagesListRequest(
project='windows-cloud')),
(self.compute.images, 'List',
self.messages.ComputeImagesListRequest(
project='windows-sql-cloud')),
]
self.mocked_org_policies_client = apitools_mock.Client(
apis.GetClientClass('cloudresourcemanager',
org_policies.ORG_POLICIES_API_VERSION))
self.mocked_org_policies_client.Mock()
self.addCleanup(self.mocked_org_policies_client.Unmock)
self.org_policies_messages = org_policies.OrgPoliciesMessages()
def Run(self, args):
service = org_policies_base.OrgPoliciesService(args)
messages = org_policies.OrgPoliciesMessages()
return service.SetOrgPolicy(
org_policies_base.SetOrgPolicyRequest(
args,
org_policies.GetFileAsMessage(args.policy_file,
messages.OrgPolicy)))
def Run(self, args):
service = org_policies_base.OrgPoliciesService(args)
messages = org_policies.OrgPoliciesMessages()
return service.SetOrgPolicy(
org_policies_base.SetOrgPolicyRequest(
args,
messages.OrgPolicy(
constraint=org_policies.FormatConstraint(args.id),
booleanPolicy=messages.BooleanPolicy(enforced=True))))
def ListOrgPoliciesRequest(args):
messages = org_policies.OrgPoliciesMessages()
resource_id = org_policies_base.GetResource(args)
request = messages.ListOrgPoliciesRequest()
if args.project:
return messages.CloudresourcemanagerProjectsListOrgPoliciesRequest(
projectsId=resource_id, listOrgPoliciesRequest=request)
elif args.organization:
return messages.CloudresourcemanagerOrganizationsListOrgPoliciesRequest(
organizationsId=resource_id, listOrgPoliciesRequest=request)
return None
def ClearOrgPolicyRequest(args):
messages = org_policies.OrgPoliciesMessages()
resource_id = org_policies_base.GetResource(args)
request = messages.ClearOrgPolicyRequest(
constraint=org_policies.FormatConstraint(args.id))
if args.project:
return messages.CloudresourcemanagerProjectsClearOrgPolicyRequest(
projectsId=resource_id, clearOrgPolicyRequest=request)
elif args.organization:
return messages.CloudresourcemanagerOrganizationsClearOrgPolicyRequest(
organizationsId=resource_id, clearOrgPolicyRequest=request)
return None
def _GetPolicy(project_id):
"""Get effective org policy of given project."""
messages = org_policies.OrgPoliciesMessages()
request = messages.CloudresourcemanagerProjectsGetEffectiveOrgPolicyRequest(
projectsId=project_id,
getEffectiveOrgPolicyRequest=messages.GetEffectiveOrgPolicyRequest(
constraint=org_policies.FormatConstraint(
'compute.trustedImageProjects')))
client = org_policies.OrgPoliciesClient()
response = client.projects.GetEffectiveOrgPolicy(request)
# There are several possible policy types; the only policy type that applies
# to 'compute.trustedImageProjects' is listPolicy, so we can assume that's
# what the caller is interested in.
return response.listPolicy
def GetEffectiveOrgPolicyRequest(args):
m = org_policies.OrgPoliciesMessages()
resource_id = org_policies_base.GetResource(args)
request = m.GetEffectiveOrgPolicyRequest(
constraint=org_policies.FormatConstraint(args.id))
if args.project:
return m.CloudresourcemanagerProjectsGetEffectiveOrgPolicyRequest(
projectsId=resource_id, getEffectiveOrgPolicyRequest=request)
elif args.organization:
return m.CloudresourcemanagerOrganizationsGetEffectiveOrgPolicyRequest(
organizationsId=resource_id, getEffectiveOrgPolicyRequest=request)
elif args.folder:
return m.CloudresourcemanagerFoldersGetEffectiveOrgPolicyRequest(
foldersId=resource_id, getEffectiveOrgPolicyRequest=request)
return None
def ListAvailableOrgPolicyConstraintsRequest(args):
messages = org_policies.OrgPoliciesMessages()
resource_id = org_policies_base.GetResource(args)
request = messages.ListAvailableOrgPolicyConstraintsRequest()
if args.project:
# pylint: disable=line-too-long
return messages.CloudresourcemanagerProjectsListAvailableOrgPolicyConstraintsRequest(
projectsId=resource_id,
listAvailableOrgPolicyConstraintsRequest=request)
elif args.organization:
# pylint: disable=line-too-long
return messages.CloudresourcemanagerOrganizationsListAvailableOrgPolicyConstraintsRequest(
organizationsId=resource_id,
listAvailableOrgPolicyConstraintsRequest=request)
return None
def Run(self, args):
flags.CheckResourceFlags(args)
service = org_policies_base.OrgPoliciesService(args)
response = service.ListOrgPolicies(self.ListOrgPoliciesRequest(args))
if args.show_unset:
constraints = service.ListAvailableOrgPolicyConstraints(
self.ListAvailableOrgPolicyConstraintsRequest(args))
existing_policies = [policy.constraint for policy in response.policies]
messages = org_policies.OrgPoliciesMessages()
for constraint in constraints.constraints:
if constraint.name not in existing_policies:
response.policies.append(
messages.OrgPolicy(constraint=constraint.name))
return response.policies
def GetOrgPolicyRequest(args):
"""Constructs a resource-dependent GetOrgPolicyRequest.
Args:
args: Command line arguments.
Returns:
Resource-dependent GetOrgPolicyRequest.
"""
messages = org_policies.OrgPoliciesMessages()
request = messages.GetOrgPolicyRequest(
constraint=org_policies.FormatConstraint(args.id))
resource_id = GetResource(args)
if args.project:
return messages.CloudresourcemanagerProjectsGetOrgPolicyRequest(
projectsId=resource_id, getOrgPolicyRequest=request)
elif args.organization:
return messages.CloudresourcemanagerOrganizationsGetOrgPolicyRequest(
organizationsId=resource_id, getOrgPolicyRequest=request)
return None
def Run(self, args):
flags.CheckResourceFlags(args)
messages = org_policies.OrgPoliciesMessages()
service = org_policies_base.OrgPoliciesService(args)
policy = service.GetOrgPolicy(org_policies_base.GetOrgPolicyRequest(args))
if policy.booleanPolicy or (
policy.listPolicy and
(policy.listPolicy.deniedValues or policy.listPolicy.allValues)):
raise exceptions.ResourceManagerError(
'Cannot add values to a non-allowed_values list policy.')
if policy.listPolicy and policy.listPolicy.allowedValues:
for value in args.allowed_value:
policy.listPolicy.allowedValues.append(unicode(value))
else:
policy.listPolicy = messages.ListPolicy(allowedValues=args.allowed_value)
return service.SetOrgPolicy(
org_policies_base.SetOrgPolicyRequest(args, policy))
def SetOrgPolicyRequest(args, policy):
"""Constructs a resource-dependent SetOrgPolicyRequest.
Args:
args: Command line arguments.
policy: OrgPolicy for resource-dependent SetOrgPolicyRequest.
Returns:
Resource-dependent SetOrgPolicyRequest.
"""
messages = org_policies.OrgPoliciesMessages()
resource_id = GetResource(args)
request = messages.SetOrgPolicyRequest(policy=policy)
if args.project:
return messages.CloudresourcemanagerProjectsSetOrgPolicyRequest(
projectsId=resource_id, setOrgPolicyRequest=request)
elif args.organization:
return messages.CloudresourcemanagerOrganizationsSetOrgPolicyRequest(
organizationsId=resource_id, setOrgPolicyRequest=request)
return None
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.api_lib.resource_manager import org_policies
from googlecloudsdk.core import properties
from tests.lib import e2e_base
from tests.lib import test_case
messages = org_policies.OrgPoliciesMessages()
TEST_ORGANIZATION_ID = '1054311078602'
TEST_CONSTRAINT = 'constraints/compute.disableSerialPortAccess'
class OrgPoliciesIntegrationTest(e2e_base.WithServiceAuth):
def SetUp(self):
properties.VALUES.core.user_output_enabled.Set(False)
def GetIntegrationTestOrgPolicy(self):
return messages.OrgPolicy(
constraint=TEST_CONSTRAINT,
booleanPolicy=messages.BooleanPolicy(enforced=True))
def AssertOrgPoliciesEqual(self, expected, policy):
class OrgPoliciesUnitTestBase(cli_test_base.CliTestBase,
sdk_test_base.WithFakeAuth):
"""Base class for all Org Policies unit tests with fake auth and mocks."""
PROJECT_ARG = ['--project', 'test-project']
ORG_ARG = ['--organization', 'test-org']
FOLDER_ARG = ['--folder', 'test-folder']
WRONG_ARG = ['--No-SuCh-FlAg', 'no-such-flag']
messages = org_policies.OrgPoliciesMessages()
VALUE_ZERO = 'valueZero'
VALUE_A = 'valueA'
VALUE_B = 'valueB'
ORIGINAL_VALUES = [VALUE_ZERO]
NEW_VALUES = [VALUE_ZERO, VALUE_A, VALUE_B]
WHITELIST_CONSTRAINT = 'constraints/goodService.betterWhitelist'
BLACKLIST_CONSTRAINT = 'constraints/goodService.betterBlacklist'
TEST_CONSTRAINT = 'constraints/goodService.betterFeatureOne'
def SetUp(self):
mock_client = self._SetUpMockCrmClient(
org_policies.ORG_POLICIES_API_VERSION)
self.mock_projects = mock_client.projects
self.mock_organizations = mock_client.organizations
self.mock_folders = mock_client.folders
def _SetUpMockCrmClient(self, version):
client = mock.Client(
apis.GetClientClass('cloudresourcemanager', version),
real_client=apis.GetClientInstance(
'cloudresourcemanager', version, no_http=True))
client.Mock()
self.addCleanup(client.Unmock)
return client
def RunOrgPolicies(self, *command):
return self.Run(['beta', 'resource-manager', 'org-policies'] +
list(command))
def ExpectedSetRequest(self, arg, policy):
msg = self.messages
if arg == self.PROJECT_ARG:
return msg.CloudresourcemanagerProjectsSetOrgPolicyRequest(
projectsId=self.PROJECT_ARG[1],
setOrgPolicyRequest=msg.SetOrgPolicyRequest(policy=policy))
elif arg == self.ORG_ARG:
return msg.CloudresourcemanagerOrganizationsSetOrgPolicyRequest(
organizationsId=self.ORG_ARG[1],
setOrgPolicyRequest=msg.SetOrgPolicyRequest(policy=policy))
elif arg == self.FOLDER_ARG:
return msg.CloudresourcemanagerFoldersSetOrgPolicyRequest(
foldersId=self.FOLDER_ARG[1],
setOrgPolicyRequest=msg.SetOrgPolicyRequest(policy=policy))
def ExpectedGetRequest(self, arg, constraint):
msg = self.messages
if arg == self.PROJECT_ARG:
return msg.CloudresourcemanagerProjectsGetOrgPolicyRequest(
projectsId=self.PROJECT_ARG[1],
getOrgPolicyRequest=msg.GetOrgPolicyRequest(constraint=constraint))
elif arg == self.ORG_ARG:
return msg.CloudresourcemanagerOrganizationsGetOrgPolicyRequest(
organizationsId=self.ORG_ARG[1],
getOrgPolicyRequest=msg.GetOrgPolicyRequest(constraint=constraint))
elif arg == self.FOLDER_ARG:
return msg.CloudresourcemanagerFoldersGetOrgPolicyRequest(
foldersId=self.FOLDER_ARG[1],
getOrgPolicyRequest=msg.GetOrgPolicyRequest(constraint=constraint))
def TestPolicy(self):
return self.messages.OrgPolicy(
constraint=self.TEST_CONSTRAINT,
booleanPolicy=self.messages.BooleanPolicy(enforced=True))
def WhitelistPolicy(self, allowed_values):
return self.messages.OrgPolicy(
constraint=self.WHITELIST_CONSTRAINT,
listPolicy=self.messages.ListPolicy(allowedValues=allowed_values))
def AllowAllPolicy(self):
return self.messages.OrgPolicy(
constraint=self.WHITELIST_CONSTRAINT,
listPolicy=self.messages.ListPolicy(
allValues=self.messages.ListPolicy.AllValuesValueValuesEnum.ALLOW))
def BlacklistPolicy(self, denied_values):
return self.messages.OrgPolicy(
constraint=self.BLACKLIST_CONSTRAINT,
listPolicy=self.messages.ListPolicy(deniedValues=denied_values))
def DenyAllPolicy(self):
return self.messages.OrgPolicy(
constraint=self.BLACKLIST_CONSTRAINT,
listPolicy=self.messages.ListPolicy(
allValues=self.messages.ListPolicy.AllValuesValueValuesEnum.DENY))