def Run(self, args):
  """Creates a custom IAM role from --file or from the individual flags.

  Args:
    args: parsed flags; reads organization, project, file, title, description,
      stage, permissions, role and quiet.

  Returns:
    The Role message returned by the Create call.

  Raises:
    exceptions.ConflictingArgumentsException: if --file is combined with any
      of --title/--description/--stage/--permissions.
  """
  iam_client = apis.GetClientInstance('iam', 'v1')
  messages = apis.GetMessagesModule('iam', 'v1')
  parent_name = iam_util.GetParentName(args.organization, args.project)

  if args.file:
    # --file is the whole definition; mixing it with per-field flags is
    # rejected rather than letting one source silently override the other.
    per_field_flags = (args.title, args.description, args.stage,
                       args.permissions)
    if any(per_field_flags):
      raise exceptions.ConflictingArgumentsException('file', 'others')
    role = iam_util.ParseYamlToRole(args.file, messages.Role)
    # Any name/etag present in the file is dropped before the create request.
    role.name = None
    role.etag = None
  else:
    role = messages.Role(title=args.title, description=args.description)
    if args.permissions:
      # Comma-separated, not whitespace-trimmed.
      role.includedPermissions = args.permissions.split(',')
    if args.stage:
      role.stage = iam_util.StageTypeFromString(args.stage)

  # The role id doubles as the title when none was supplied.
  role.title = role.title or args.role

  if not args.quiet:
    # Surfaces permissions still in the TESTING support level; skipped under
    # --quiet (the warning may prompt the user).
    resource = iam_util.GetResourceReference(args.project, args.organization)
    testing_permissions = util.GetTestingPermissions(
        iam_client, messages, resource, role.includedPermissions)
    iam_util.TestingPermissionsWarning(testing_permissions)

  create_request = messages.IamOrganizationsRolesCreateRequest(
      createRoleRequest=messages.CreateRoleRequest(role=role,
                                                   roleId=args.role),
      parent=parent_name)
  result = iam_client.organizations_roles.Create(create_request)
  log.CreatedResource(args.role, kind='role')
  iam_util.SetRoleStageIfAlpha(result)
  return result
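def GetUpdatedRole(self, args, role_name, role, iam_client, messages):
  """Applies the update flags in ``args`` to ``role``.

  Args:
    args: parsed flags; reads description, title, stage, permissions,
      add_permissions, remove_permissions, quiet, project and organization.
    role_name: full resource name of the role, used to fetch the server copy.
    role: the Role message to mutate in place.
    iam_client: IAM API client.
    messages: IAM API messages module.

  Returns:
    A ``(role, changed_fields)`` pair: the mutated role and the names of the
    fields that changed (the caller's update mask).

  Raises:
    exceptions.ConflictingArgumentsException: if --permissions is combined
      with --add-permissions or --remove-permissions.
  """
  changed_fields = []
  if args.description is not None:
    changed_fields.append('description')
    role.description = args.description
  if args.title is not None:
    changed_fields.append('title')
    role.title = args.title
  if args.stage:
    changed_fields.append('stage')
    role.stage = iam_util.StageTypeFromString(args.stage)

  if args.permissions is not None and (args.add_permissions or
                                       args.remove_permissions):
    # Fixed flag spelling in the message (was '-add-permissions').
    raise exceptions.ConflictingArgumentsException(
        '--permissions', '--add-permissions or --remove-permissions')

  if args.permissions is not None:
    changed_fields.append('includedPermissions')
    # An empty --permissions clears the role; ''.split(',') would give [''].
    role.includedPermissions = (
        args.permissions.split(',') if args.permissions else [])
    if not args.quiet:
      self.WarnPermissions(iam_client, messages, role.includedPermissions,
                           args.project, args.organization)

  # Always read the current server copy: its etag is copied onto the role
  # below so the subsequent update is conditional on the version we saw.
  origin_role = iam_client.organizations_roles.Get(
      messages.IamOrganizationsRolesGetRequest(name=role_name))

  if args.add_permissions or args.remove_permissions:
    permissions = set(origin_role.includedPermissions)
    changed = False
    newly_added_permissions = set()
    if args.add_permissions:
      for permission in args.add_permissions.split(','):
        if permission not in permissions:
          permissions.add(permission)
          newly_added_permissions.add(permission)
          changed = True
    if args.remove_permissions:
      for permission in args.remove_permissions.split(','):
        if permission in permissions:
          permissions.remove(permission)
          changed = True
          # A permission added and removed in the same call is not warned on.
          newly_added_permissions.discard(permission)
    if changed:
      changed_fields.append('includedPermissions')
      # Sorted for a deterministic request body.
      role.includedPermissions = sorted(permissions)
      if not args.quiet:
        self.WarnPermissions(iam_client, messages,
                             list(newly_added_permissions), args.project,
                             args.organization)

  role.etag = origin_role.etag
  return role, changed_fields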
def SetUp(self):
  """Builds the Role fixtures shared by the role update tests."""
  viewer_description = 'Access to view GCP projects.'
  viewer_permissions = [
      'resourcemanager.projects.get',
      'resourcemanager.projects.list',
  ]
  creator_description = 'A custom role.'
  creator_title = 'Custom Project Creator'
  role_name = 'organizations/123/roles/viewer'
  alpha = iam_util.StageTypeFromString('alpha')
  beta = iam_util.StageTypeFromString('beta')

  # The only fixture carrying an etag (and no name): what a YAML file yields.
  self.role_from_file = self.msgs.Role(
      description=viewer_description,
      title='Viewer',
      etag=b'\x00',
      stage=alpha,
      includedPermissions=list(viewer_permissions),
  )
  # Same content as above, minus the etag.
  self.origin_role = self.msgs.Role(
      description=viewer_description,
      title='Viewer',
      stage=alpha,
      includedPermissions=list(viewer_permissions),
  )
  # Named server copy before an update; only the .get permission.
  self.origin_role2 = self.msgs.Role(
      name=role_name,
      description=creator_description,
      title=creator_title,
      stage=beta,
      includedPermissions=['resourcemanager.projects.get'],
  )
  # Unnamed update payload: permission swapped to .create.
  self.updated_role = self.msgs.Role(
      description=creator_description,
      title=creator_title,
      stage=beta,
      includedPermissions=['resourcemanager.projects.create'],
  )
  # Expected responses: viewer without a stage, creator with .create.
  self.res_role1 = self.msgs.Role(
      name=role_name,
      description=viewer_description,
      title='Viewer',
      includedPermissions=list(viewer_permissions),
  )
  self.res_role2 = self.msgs.Role(
      name=role_name,
      description=creator_description,
      title=creator_title,
      stage=beta,
      includedPermissions=['resourcemanager.projects.create'],
  )
  # Viewer role with includedPermissions left unset.
  self.role_no_permissions = self.msgs.Role(
      name=role_name,
      description=viewer_description,
      title='Viewer',
      stage=alpha,
  )
def testCreateWithFile(self):
  """Creates a role from a YAML file and checks the request sent to the API."""
  description = 'Access to delete GCP projects.'
  permissions = [
      'resourcemanager.projects.list',
      'resourcemanager.projects.get',
      'resourcemanager.projects.delete',
  ]
  # The request carries the stage from the file; the mocked response has none.
  requested = self.msgs.Role(
      description=description,
      title='Viewer',
      stage=iam_util.StageTypeFromString('alpha'),
      includedPermissions=list(permissions),
  )
  returned = self.msgs.Role(
      name='organizations/1/roles/viewer',
      description=description,
      title='Viewer',
      includedPermissions=list(permissions),
  )
  self.client.organizations_roles.Create.Expect(
      request=self.msgs.IamOrganizationsRolesCreateRequest(
          createRoleRequest=self.msgs.CreateRoleRequest(
              role=requested, roleId='viewer'),
          parent='organizations/1'),
      response=returned)

  yaml_lines = [
      'title: "Viewer"',
      'description: "Access to delete GCP projects."',
      'stage: "alpha"',
      'includedPermissions:',
  ] + ['- ' + permission for permission in permissions]
  in_file = self.Touch(self.temp_path, contents='\n'.join(yaml_lines))

  result = self.Run(
      'iam roles create viewer --organization 1 --file={0} --quiet'.format(
          in_file))
  self.assertEqual(result, returned)
  self.AssertOutputContains('stage: ALPHA')
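def GetUpdatedRole(self, role_name, role, description, title, stage,
                   permissions, add_permissions, remove_permissions,
                   iam_client, messages):
  """Applies the update flag values to ``role``.

  Args:
    role_name: full resource name of the role, used to fetch the server copy.
    role: the Role message to mutate in place.
    description: new description, or None to leave it alone.
    title: new title, or None to leave it alone.
    stage: new stage name, or a falsy value to leave it alone.
    permissions: full comma-separated replacement list ('' clears), or None.
    add_permissions: comma-separated permissions to add, or None.
    remove_permissions: comma-separated permissions to remove, or None.
    iam_client: IAM API client.
    messages: IAM API messages module.

  Returns:
    A ``(role, changed_fields)`` pair: the mutated role and the names of the
    fields that changed.

  Raises:
    exceptions.ConflictingArgumentsException: if ``permissions`` is combined
      with ``add_permissions`` or ``remove_permissions``.
  """
  changed_fields = []
  if description is not None:
    changed_fields.append('description')
    role.description = description
  if title is not None:
    changed_fields.append('title')
    role.title = title
  if stage:
    changed_fields.append('stage')
    role.stage = iam_util.StageTypeFromString(stage)

  if permissions is not None and (add_permissions or remove_permissions):
    # Fixed flag spelling in the message (was '-add-permissions').
    raise exceptions.ConflictingArgumentsException(
        '--permissions', '--add-permissions or --remove-permissions')

  if permissions is not None:
    changed_fields.append('includedPermissions')
    # An empty value clears the role; ''.split(',') would give [''].
    role.includedPermissions = permissions.split(',') if permissions else []

  # The server copy's etag is copied onto the role so the caller's update is
  # conditional on the version read here.
  origin_role = iam_client.organizations_roles.Get(
      messages.IamOrganizationsRolesGetRequest(name=role_name))

  if add_permissions or remove_permissions:
    merged = set(origin_role.includedPermissions)
    changed = False
    if add_permissions:
      for permission in add_permissions.split(','):
        if permission not in merged:
          merged.add(permission)
          changed = True
    if remove_permissions:
      for permission in remove_permissions.split(','):
        if permission in merged:
          merged.remove(permission)
          changed = True
    if changed:
      changed_fields.append('includedPermissions')
      # Sorted: set iteration order varies between processes, which made the
      # request body (and anything diffing or logging it) non-deterministic.
      role.includedPermissions = sorted(merged)

  role.etag = origin_role.etag
  return role, changed_fields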
def testCreateWithFlags(self):
  """Creates a role from the individual flags and checks the API request."""
  description = 'Access to delete GCP projects.'
  permissions = [
      'resourcemanager.projects.list',
      'resourcemanager.projects.get',
      'resourcemanager.projects.delete',
  ]
  requested = self.msgs.Role(
      description=description,
      title='Viewer',
      stage=iam_util.StageTypeFromString('alpha'),
      includedPermissions=list(permissions),
  )
  returned = self.msgs.Role(
      name='organizations/1/roles/viewer',
      description=description,
      title='Viewer',
      includedPermissions=list(permissions),
  )
  self.client.organizations_roles.Create.Expect(
      request=self.msgs.IamOrganizationsRolesCreateRequest(
          createRoleRequest=self.msgs.CreateRoleRequest(
              role=requested, roleId='viewer'),
          parent='organizations/1'),
      response=returned)

  # --quiet suppresses the permission warnings, so no testable-permissions
  # call is expected here.
  command = (
      'iam roles create viewer --organization 1 --quiet '
      '--permissions {0} --stage alpha --title Viewer '
      '--description="Access to delete GCP projects." ').format(
          ','.join(permissions))
  result = self.Run(command)
  self.assertEqual(result, returned)
  self.AssertOutputContains('stage: ALPHA')
def testDeleteRoles(self):
  """Deletes an organization role and checks the deleted role is printed."""
  role_name = 'organizations/819542162391/roles/customEditor'
  deleted = self.msgs.Role(
      name=role_name,
      description='A customEditor role.',
      includedPermissions=[
          'resourcemanager.projects.create',
          'resourcemanager.projects.delete',
      ],
      stage=iam_util.StageTypeFromString('alpha'),
      title='Custom Project Editor')
  self.client.organizations_roles.Delete.Expect(
      request=self.msgs.IamOrganizationsRolesDeleteRequest(name=role_name),
      response=deleted)

  self.Run('iam roles delete --organization 819542162391 customEditor')

  # Every field of the deleted role should be echoed back.
  expected_fragments = (
      'name: ' + role_name,
      'title: Custom Project Editor',
      'description: A customEditor role.',
      'stage: ALPHA',
      'includedPermissions:',
      'resourcemanager.projects.create',
      'resourcemanager.projects.delete',
  )
  for fragment in expected_fragments:
    self.AssertOutputContains(fragment)
def Run(self, args):
  """Creates a custom IAM role from --file or from the individual flags.

  Args:
    args: parsed flags; reads organization, project, file, title, description,
      stage, permissions, role and quiet.

  Returns:
    The Role message returned by the Create call.
  """
  client, messages = util.GetClientAndMessages()
  parent_name = iam_util.GetParentName(args.organization, args.project)

  if args.file:
    # NOTE(review): nothing here rejects --file combined with
    # --title/--description/--stage/--permissions (the older create command
    # raised ConflictingArgumentsException); with --file those flags are
    # silently ignored. Confirm the arg parser makes them mutually exclusive.
    role = iam_util.ParseYamlToRole(args.file, messages.Role)
    # Any name/etag present in the file is dropped before the create request.
    role.name = None
    role.etag = None
  else:
    role = messages.Role(title=args.title, description=args.description)
    if args.permissions:
      # Comma-separated, not whitespace-trimmed.
      role.includedPermissions = args.permissions.split(',')
    if args.stage:
      role.stage = iam_util.StageTypeFromString(args.stage)

  # The role id doubles as the title when none was supplied.
  role.title = role.title or args.role

  if not args.quiet:
    # Warn about permissions whose API is disabled and about permissions in
    # the TESTING support level; skipped under --quiet (may prompt the user).
    helper = util.PermissionsHelper(
        client, messages,
        iam_util.GetResourceReference(args.project, args.organization),
        role.includedPermissions)
    api_disabled_permissions = helper.GetApiDisabledPermissons()
    iam_util.ApiDisabledPermissionsWarning(api_disabled_permissions)
    iam_util.TestingPermissionsWarning(helper.GetTestingPermissions())

  create_request = messages.IamOrganizationsRolesCreateRequest(
      createRoleRequest=messages.CreateRoleRequest(role=role,
                                                   roleId=args.role),
      parent=parent_name)
  result = client.organizations_roles.Create(create_request)
  log.CreatedResource(args.role, kind='role')
  iam_util.SetRoleStageIfAlpha(result)
  return result
def testReplyingYesToTestingPermissionsWarning(self):
  """Creates a role without --quiet, answering 'y' to the TESTING warning.

  Also checks that a permission whose API is disabled is reported on stderr.
  """
  self.WriteInput('y\n')
  description = 'Access to delete GCP projects.'
  permissions = [
      'resourcemanager.projects.list',
      'resourcemanager.projects.get',
      'resourcemanager.projects.delete',
  ]
  requested = self.msgs.Role(
      description=description,
      title='Viewer',
      stage=iam_util.StageTypeFromString('alpha'),
      includedPermissions=list(permissions),
  )
  returned = self.msgs.Role(
      name='organizations/1/roles/viewer',
      description=description,
      title='Viewer',
      includedPermissions=list(permissions),
  )

  # Without --quiet the command first queries the testable permissions on the
  # organization; one is TESTING, one has its API disabled.
  support_level = self.msgs.Permission.CustomRolesSupportLevelValueValuesEnum
  testable = [
      self.msgs.Permission(name='resourcemanager.projects.list',
                           customRolesSupportLevel=support_level.TESTING),
      self.msgs.Permission(name='resourcemanager.projects.get',
                           apiDisabled=True),
  ]
  self.client.permissions.QueryTestablePermissions.Expect(
      request=self.msgs.QueryTestablePermissionsRequest(
          fullResourceName=
          '//cloudresourcemanager.googleapis.com/organizations/1',
          pageSize=1000),
      response=self.msgs.QueryTestablePermissionsResponse(
          permissions=testable, nextPageToken=None))
  self.client.organizations_roles.Create.Expect(
      request=self.msgs.IamOrganizationsRolesCreateRequest(
          createRoleRequest=self.msgs.CreateRoleRequest(
              role=requested, roleId='viewer'),
          parent='organizations/1'),
      response=returned)

  command = (
      'iam roles create viewer --organization 1 '
      '--permissions {0} --stage alpha --title Viewer '
      '--description="Access to delete GCP projects." ').format(
          ','.join(permissions))
  result = self.Run(command)
  self.assertEqual(result, returned)
  self.AssertOutputContains('stage: ALPHA')

  self.AssertErrContains(
      'Note: permissions [resourcemanager.projects.list] are in '
      '\'TESTING\' stage')
  self.AssertErrContains(
      'API is not enabled for permissions: [resourcemanager.projects.get]'
  )