def _PatchIamHelperInternal(self, storage_url, bindings_tuples, thread_state=None):
    """Apply a series of grant/remove diffs to a resource's IAM policy.

    The current policy is fetched, every ``(is_grant, diff)`` pair is folded
    into its bindings with ``PatchBindings``, and the result is written back
    with the etag that was read. When the patched bindings compare equal to
    the fetched ones, nothing is written.

    Args:
      storage_url: Resource whose IAM policy is being patched.
      bindings_tuples: Iterable of ``(is_grant, diff)`` pairs, applied in order.
      thread_state: Forwarded unchanged to the get and set helpers.
    """
    fetched_policy = self.GetIamHelper(storage_url, thread_state=thread_state)
    etag = fetched_policy.etag
    patched_bindings = fetched_policy.bindings

    # NOTE(review): the fetched bindings are never inspected for IAM
    # conditions here. Confirm that PatchBindings carries a binding's
    # condition through; otherwise the write below could replace a
    # conditional grant with an unconditional one.

    # Snapshot taken before patching, used for the no-op check below.
    # NOTE(review): list() copies the list, not the binding objects, so the
    # snapshot is independent only if PatchBindings builds new bindings
    # instead of mutating these - confirm.
    fetched_snapshot = list(patched_bindings)

    for is_grant, diff in bindings_tuples:
        patched_bindings = PatchBindings(
            patched_bindings, BindingsTuple(is_grant, diff))

    if IsEqualBindings(patched_bindings, fetched_snapshot):
        self.logger.info('No changes made to %s', storage_url)
        return

    # The etag read above is sent back with the new bindings. An etag
    # mismatch is meant to raise and abort this function, which is why the
    # internal setter is called directly instead of IamCommand.SetIamHelper
    # and its exception handling; retrying is left to the @Retry handling
    # the original author refers to.
    new_policy = apitools_messages.Policy(bindings=patched_bindings, etag=etag)
    self._SetIamHelperInternal(
        storage_url, new_policy, thread_state=thread_state)
def test_patch_bindings_public_member_overwrite(self):
    """Grants a public member on a role another public member already holds."""
    # allUsers and allAuthenticatedUsers are the two public member
    # identifiers; either one on a role exposes the resource beyond named
    # principals, so how they combine is worth pinning down.
    existing = [
        bvle(role='a', members=['allUsers']),
    ]
    granted = [
        bvle(role='a', members=['allAuthenticatedUsers']),
    ]

    patched = PatchBindings(existing, BindingsTuple(True, granted))

    # Despite "overwrite" in the test name, the expectation is that the
    # result equals existing + granted: the earlier public grant is kept
    # alongside the new one rather than being replaced.
    self.assertTrue(IsEqualBindings(patched, existing + granted))
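def test_patch_bindings_remove_all(self):
    """Tests removing every role from a member, leaving no bindings."""
    # NOTE(review): every member address reads 'user:[email protected]', which
    # looks like e-mail masking applied by the page this listing came from.
    # The fixture's real addresses are not recoverable here - confirm against
    # the upstream test file.
    base = [
        bvle(members=['user:[email protected]'], role='a'),
        bvle(members=['user:[email protected]'], role='b'),
        bvle(members=['user:[email protected]'], role='c'),
    ]

    # Case 1: a removal diff with an empty role. The expectation is an empty
    # result, i.e. the member is dropped from all three roles at once.
    diff = [
        bvle(members=['user:[email protected]'], role=''),
    ]
    res = PatchBindings(base, BindingsTuple(False, diff))
    # assertEqual replaces assertEquals, a deprecated alias that Python 3.12
    # removed from unittest.TestCase.
    self.assertEqual(res, [])

    # Case 2: the same outcome when each role is named explicitly.
    diff = [
        bvle(members=['user:[email protected]'], role='a'),
        bvle(members=['user:[email protected]'], role='b'),
        bvle(members=['user:[email protected]'], role='c'),
    ]
    res = PatchBindings(base, BindingsTuple(False, diff))
    self.assertEqual(res, [])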
def test_patch_bindings_grant(self):
    """Grants a role that is not yet present in the existing bindings."""
    # NOTE(review): every member address reads 'user:[email protected]', which
    # looks like e-mail masking applied by the page this listing came from.
    # The fixture's real addresses are not recoverable here - confirm against
    # the upstream test file.
    existing = [
        bvle(role='a', members=['user:[email protected]']),
        bvle(role='b', members=['user:[email protected]']),
        bvle(role='c', members=['user:[email protected]']),
    ]
    granted = [
        bvle(role='d', members=['user:[email protected]']),
    ]
    # A grant on a new role 'd' should simply add that binding and leave
    # roles 'a' to 'c' untouched.
    wanted = existing + granted

    patched = PatchBindings(existing, BindingsTuple(True, granted))

    self.assertTrue(IsEqualBindings(patched, wanted))
def test_patch_bindings_multiple_users(self):
    """Removes bindings from a policy in which one role has two members."""
    # NOTE(review): every member address reads 'user:[email protected]', which
    # looks like e-mail masking applied by the page this listing came from.
    # With the masking the members cannot be told apart, so the expectation
    # below (one member left on role 'b') cannot be checked by reading this
    # listing - confirm against the upstream test file.
    wanted = [
        bvle(members=['user:[email protected]'], role='b'),
    ]
    existing = [
        bvle(members=['user:[email protected]'], role='a'),
        bvle(members=['user:[email protected]', 'user:[email protected]'], role='b'),
        bvle(members=['user:[email protected]'], role='c'),
    ]
    removed = [
        bvle(members=['user:[email protected]'], role='a'),
        bvle(members=['user:[email protected]'], role='b'),
        bvle(members=['user:[email protected]'], role='c'),
    ]

    patched = PatchBindings(existing, BindingsTuple(False, removed))

    # Roles 'a' and 'c' disappear entirely; role 'b' keeps a single member.
    self.assertTrue(IsEqualBindings(patched, wanted))
def test_patch_bindings_remove(self):
    """Removes a single role binding and keeps the remaining ones."""
    # NOTE(review): every member address reads 'user:[email protected]', which
    # looks like e-mail masking applied by the page this listing came from.
    # The fixture's real addresses are not recoverable here - confirm against
    # the upstream test file.
    existing = [
        bvle(members=['user:[email protected]'], role='a'),
        bvle(members=['user:[email protected]'], role='b'),
        bvle(members=['user:[email protected]'], role='c'),
    ]
    removed = [
        bvle(members=['user:[email protected]'], role='a'),
    ]
    # Only the role 'a' binding is revoked; 'b' and 'c' must survive.
    wanted = [
        bvle(members=['user:[email protected]'], role='b'),
        bvle(members=['user:[email protected]'], role='c'),
    ]

    patched = PatchBindings(existing, BindingsTuple(False, removed))

    self.assertTrue(IsEqualBindings(patched, wanted))
def test_patch_bindings_grant_all_users(self):
    """Grants the public member allUsers on a role that already has a member."""
    # NOTE(review): the user address reads 'user:[email protected]', which looks
    # like e-mail masking applied by the page this listing came from. The
    # fixture's real address is not recoverable here - confirm against the
    # upstream test file.
    existing = [
        bvle(role='a', members=['user:[email protected]']),
        bvle(role='b', members=['user:[email protected]']),
        bvle(role='c', members=['user:[email protected]']),
    ]
    granted = [
        bvle(role='a', members=['allUsers']),
    ]
    # The public grant is merged into the existing role 'a' binding: the
    # named user keeps the role and allUsers is added next to it. Roles 'b'
    # and 'c' stay restricted to the named user.
    wanted = [
        bvle(role='a', members=['allUsers', 'user:[email protected]']),
        bvle(role='b', members=['user:[email protected]']),
        bvle(role='c', members=['user:[email protected]']),
    ]

    patched = PatchBindings(existing, BindingsTuple(True, granted))

    self.assertTrue(IsEqualBindings(patched, wanted))
def _PatchIamHelperInternal(self, storage_url, bindings_tuples, thread_state=None):
    """Apply a series of grant/remove diffs to a resource's IAM policy.

    The current policy is fetched and rejected outright if any binding has a
    condition. Otherwise every ``(is_grant, diff)`` pair is folded into the
    bindings with ``PatchBindings`` and the result is written back with the
    etag that was read. When the patched bindings compare equal to the
    fetched ones, nothing is written.

    Args:
      storage_url: Resource whose IAM policy is being patched.
      bindings_tuples: Iterable of ``(is_grant, diff)`` pairs, applied in order.
      thread_state: Forwarded unchanged to the get and set helpers.

    Raises:
      IamChOnResourceWithConditionsException: If any fetched binding has a
        truthy ``condition``.
    """
    fetched_policy = self.GetIamHelper(storage_url, thread_state=thread_state)
    etag = fetched_policy.etag
    patched_bindings = fetched_policy.bindings

    # Refuse to patch a policy that has conditional bindings. The rationale
    # is documented on IamChOnResourceWithConditionsException. The check
    # runs before any patching, so such a policy is never rewritten here.
    if any(binding.condition for binding in patched_bindings):
        headline = 'Could not patch IAM policy for %s.' % storage_url
        wrapped_detail = textwrap.wrap(
            'The resource had conditions present in its IAM policy bindings, '
            'which is not supported by "iam ch". %s' %
            IAM_CH_CONDITIONS_WORKAROUND_MSG)
        raise IamChOnResourceWithConditionsException(
            headline + '\n' + '\n'.join(wrapped_detail))

    # Snapshot taken before patching, used for the no-op check below.
    # NOTE(review): list() copies the list, not the binding objects, so the
    # snapshot is independent only if PatchBindings builds new bindings
    # instead of mutating these - confirm.
    fetched_snapshot = list(patched_bindings)

    for is_grant, diff in bindings_tuples:
        patched_bindings = PatchBindings(
            patched_bindings, BindingsTuple(is_grant, diff))

    if IsEqualBindings(patched_bindings, fetched_snapshot):
        self.logger.info('No changes made to %s', storage_url)
        return

    # The etag read above is sent back with the new bindings. An etag
    # mismatch is meant to raise and abort this function, which is why the
    # internal setter is called directly instead of IamCommand.SetIamHelper
    # and its exception handling; retrying is left to the @Retry handling
    # the original author refers to.
    new_policy = apitools_messages.Policy(bindings=patched_bindings, etag=etag)
    self._SetIamHelperInternal(
        storage_url, new_policy, thread_state=thread_state)