Esempio n. 1
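def _GetOrganization(domain):
  """Get the organization for the given domain.

  The current user must have permission to list the organization.

  Args:
    domain: str, the domain (e.g. 'example.com') to look up the organization of,
      or None to just list the organizations for the current account.

  Returns:
    resources.Resource, a reference to a cloudresourcemanager.organizations
      resource

  Raises:
    DefaultPolicyResolutionError: if the number of organizations matching the
      given domain is not exactly 1, or searching organizations fails.
  """
  # The documented contract allows domain=None. Concatenating None onto the
  # prefix raises a TypeError before any lookup happens, so the filter is only
  # built when a domain was actually supplied.
  # NOTE(review): the domain is placed into the filter expression unescaped;
  # confirm callers only pass validated domain names.
  filter_ = ('domain:' + domain) if domain is not None else None
  try:
    # Two results are enough to tell "exactly one" from "more than one".
    orgs = list(organizations.Client().List(filter_=filter_, limit=2))
  except Exception as err:
    # Any lookup failure is reported as a policy-resolution error so callers
    # handle a single exception type.
    raise DefaultPolicyResolutionError(
        'Unable to resolve organization for domain [{}]: {}'.format(
            domain, err))

  # Resolution must be unambiguous: zero or several matches are both errors,
  # so a default policy is never derived from a guessed organization.
  if not orgs:
    raise DefaultPolicyResolutionError(
        'No matching organizations found for domain [{}].'.format(domain))
  elif len(orgs) > 1:
    raise DefaultPolicyResolutionError(
        'Found more than one organization for domain [{}].\n{}'.format(
            domain, orgs))

  return resources.REGISTRY.Parse(
      orgs[0].name, collection='cloudresourcemanager.organizations')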
Esempio n. 2
 def Run(self, args):
     """Set the IAM policy of the organization identified by args.id.

     args.id is first resolved through org_utils.GetOrganizationId; when that
     yields nothing, no policy is written and UnknownOrganizationError is
     raised with the original argument.

     Args:
       args: parsed command arguments; reads args.id and args.policy_file.

     Returns:
       Whatever organizations.Client().SetIamPolicy returns.

     Raises:
       org_utils.UnknownOrganizationError: if args.id cannot be resolved.
     """
     resolved_id = org_utils.GetOrganizationId(args.id)
     # Refuse to touch any policy unless the target organization is known.
     if not resolved_id:
         raise org_utils.UnknownOrganizationError(args.id)
     return organizations.Client().SetIamPolicy(resolved_id, args.policy_file)
Esempio n. 3
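def GetAncestorsIamPolicy(folder_id):
    """Gets IAM policies for given folder and its ancestors.

    Starting at the given folder, follows each resource's parent until a
    non-folder parent is reached. That parent is recorded as the organization
    and the walk stops.

    Args:
      folder_id: ID of the folder to start from (passed to GetFolder).

    Returns:
      A list of dicts with the keys 'type', 'id' and 'policy', ordered from the
      given folder upwards and ending with the organization entry.

    Raises:
      exceptions.AncestorsIamPolicyAccessDeniedError: if a lookup inside the
        walk raises api_exceptions.HttpForbiddenError. The initial GetFolder
        call runs before the try block, so its errors propagate unchanged.
    """
    policies = []
    resource = GetFolder(folder_id)

    try:
        while resource is not None:
            # Resource names look like '<collection>/<id>'; keep the id part.
            resource_id = resource.name.split('/')[1]
            policies.append({
                'type': 'folder',
                'id': resource_id,
                'policy': GetIamPolicy(resource_id),
            })

            parent_id = resource.parent.split('/')[1]
            if resource.parent.startswith('folder'):
                resource = GetFolder(parent_id)
            else:
                # The policy is fetched for parent_id, so the entry must carry
                # parent_id as well. Labelling it with the child folder's id
                # would attribute the organization policy to the wrong
                # resource in any review of the output.
                policies.append({
                    'type': 'organization',
                    'id': parent_id,
                    'policy': organizations.Client().GetIamPolicy(parent_id),
                })
                resource = None
    except api_exceptions.HttpForbiddenError:
        raise exceptions.AncestorsIamPolicyAccessDeniedError(
            'User is not permitted to access IAM policy for one or more of the'
            ' ancestors')

    return policies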
Esempio n. 4
def GetIamPolicyWithAncestors(project_id):
    """Collect the IAM policy of a project and of each of its ancestors.

    Args:
      project_id: project id

    Returns:
      A list of dicts with the keys 'type', 'id' and 'policy', one per
      ancestry entry of type 'project', 'folder' or 'organization', in the
      order projects_api.GetAncestry reports them. Entries of any other type
      are skipped.

    Raises:
      exceptions.AncestorsIamPolicyAccessDeniedError: if a policy lookup raises
        HttpForbiddenError. GetAncestry itself is called before the try block,
        so its errors propagate unchanged.
    """
    collected = []
    ancestry = projects_api.GetAncestry(project_id)

    try:
        for ancestor in ancestry.ancestor:
            kind = ancestor.resourceId.type
            ancestor_id = ancestor.resourceId.id
            if kind == 'project':
                # The project entry is keyed by the caller's project_id, not
                # by the id reported in the ancestry.
                entry = {
                    'type': 'project',
                    'id': project_id,
                    'policy': projects_api.GetIamPolicy(
                        ParseProject(project_id)),
                }
            elif kind == 'folder':
                entry = {
                    'type': kind,
                    'id': ancestor_id,
                    'policy': folders.GetIamPolicy(ancestor_id),
                }
            elif kind == 'organization':
                entry = {
                    'type': kind,
                    'id': ancestor_id,
                    'policy': organizations.Client().GetIamPolicy(ancestor_id),
                }
            else:
                continue
            collected.append(entry)
    except HttpForbiddenError:
        # One denied ancestor fails the whole call, so no partial view of the
        # inherited policies is returned.
        raise exceptions.AncestorsIamPolicyAccessDeniedError(
            'User is not permitted to access IAM policy for one or more of the'
            ' ancestors')

    return collected
def Get(organization_ref):
  """Fetch an Organization through the organizations client.

  Args:
    organization_ref: Identifier for the organization (e.g., organization/12345)

  Returns:
    Organization object
    Example:
    {
      organizationOwner: {
        directoryCustomerId: A08w1n5gg
      }
    }
  """
  client = organizations.Client()
  fetch = client.organizations.Get
  # Only the organization_id attribute of the reference is sent in the request.
  request = client.MESSAGES_MODULE.CloudresourcemanagerOrganizationsGetRequest(
      organizationsId=organization_ref.organization_id)
  return fetch(request)
Esempio n. 6
def GetOrganization(org_argument):
  """Resolve an organization argument to an Organization object.

  An all-digit value (after StripOrgPrefix) is looked up as an organization
  ID. Anything else is treated as a domain name and searched for.

  Args:
    org_argument: The value of the organization argument.

  Returns:
    An object representing an organization, or None if the organization could
    not be determined.
  """
  client = organizations.Client()
  bare_id = StripOrgPrefix(org_argument)

  # NOTE(review): str.isdigit() is also true for non-ASCII digit characters;
  # confirm such values are rejected before or by the API call.
  lookup = client.Get if bare_id.isdigit() else client.GetByDomain
  return lookup(bare_id)
Esempio n. 7
def ConvertOrgIdToObfuscatedCustomerId(org_id):
    """Look up the obfuscated customer id that belongs to an organization id.

    Args:
      org_id: organization id

    Returns:
      Obfuscated customer id, read from owner.directoryCustomerId of the
      fetched organization.

    Example:
      org_id: 12345
      organization_obj:
      {
        owner: {
          directoryCustomerId: A08w1n5gg
        }
      }
    """
    return organizations.Client().Get(org_id).owner.directoryCustomerId
Esempio n. 8
def GetOrganizationId(org_argument):
  """Resolve an organization argument to a numeric organization ID.

  Numeric values are returned as given, 'organizations/123456789' yields
  '123456789', and a value such as 'example.com' is searched for as a domain.

  Args:
    org_argument: The value of the organization argument.

  Returns:
    A string containing the numeric organization ID, or None if the
    organization ID could not be determined.
  """
  client = organizations.Client()
  candidate = StripOrgPrefix(org_argument)
  # NOTE(review): str.isdigit() is also true for non-ASCII digit characters;
  # confirm such values are rejected before the ID is used.
  if candidate.isdigit():
    return candidate

  # Not numeric: treat the value as a domain and take the ID from the match.
  match = client.GetByDomain(candidate)
  return StripOrgPrefix(match.name) if match else None
Esempio n. 9
 def Run(self, args):
     """Run the list command.

     Args:
       args: parsed command arguments; reads args.limit and args.page_size.

     Returns:
       Whatever organizations.Client().List returns for those bounds.
     """
     return organizations.Client().List(
         limit=args.limit, page_size=args.page_size)
Esempio n. 10
def GetIamPolicyWithAncestors(project_id, include_deny, release_track):
    """Collect IAM policies for a project and each of its ancestors.

    Args:
      project_id: project id
      include_deny: boolean that represents if we should show the deny policies
        in addition to the grants
      release_track: which release track, include deny is only supported for
        ALPHA or BETA

    Returns:
      A list of dicts with the keys 'type', 'id' and 'policy'. Each ancestry
      entry of type 'project', 'folder' or 'organization' contributes its IAM
      policy, followed by one entry per deny policy when include_deny is set.
      Entries of any other type are skipped.

    Raises:
      exceptions.AncestorsIamPolicyAccessDeniedError: if a policy lookup raises
        HttpForbiddenError. GetAncestry itself is called before the try block,
        so its errors propagate unchanged.
    """
    collected = []
    ancestry = projects_api.GetAncestry(project_id)

    try:
        for ancestor in ancestry.ancestor:
            kind = ancestor.resourceId.type
            ancestor_id = ancestor.resourceId.id
            if kind == 'project':
                # The project entry is keyed by the caller's project_id, not
                # by the id reported in the ancestry.
                entry_type, deny_type, entry_id = (
                    'project', 'project', project_id)
                allow_policy = projects_api.GetIamPolicy(
                    ParseProject(project_id))
            elif kind == 'folder':
                entry_type, deny_type, entry_id = kind, 'folder', ancestor_id
                allow_policy = folders.GetIamPolicy(ancestor_id)
            elif kind == 'organization':
                entry_type, deny_type, entry_id = (
                    kind, 'organization', ancestor_id)
                allow_policy = organizations.Client().GetIamPolicy(ancestor_id)
            else:
                continue

            collected.append({
                'type': entry_type,
                'id': entry_id,
                'policy': allow_policy,
            })
            if include_deny:
                # NOTE(review): release_track is passed through without a
                # check here; presumably the ALPHA/BETA restriction is
                # enforced by the caller or by ListDenyPolicies -- confirm.
                collected.extend([
                    {'type': deny_type, 'id': entry_id, 'policy': deny_policy}
                    for deny_policy in policies.ListDenyPolicies(
                        entry_id, deny_type, release_track)
                ])
    except HttpForbiddenError:
        # One denied ancestor fails the whole call, so no partial view of the
        # inherited policies is returned.
        raise exceptions.AncestorsIamPolicyAccessDeniedError(
            'User is not permitted to access IAM policy for one or more of the'
            ' ancestors')

    return collected
Esempio n. 11
 def Run(self, args):
   """Return the IAM policy of the organization named by args.id.

   args.id is handed to the client exactly as given; no prefix stripping or
   domain lookup happens in this method.
   """
   client = organizations.Client()
   return client.GetIamPolicy(args.id)