def _DenyAllValues(self, policy, args):
    """Replaces any rule for the given condition with a single deny-all rule.

    Rules whose condition matches ``args.condition`` are dropped from a deep
    copy of ``policy``; when no condition is given, only the unconditional
    rules are dropped. A fresh rule carrying the same condition is then added
    and its ``denyAll`` flag is set, so the resulting policy denies every
    value for that condition. The input policy object is never mutated.

    Args:
      policy: messages.GoogleCloudOrgpolicyV2alpha1Policy, The policy to be
        updated.
      args: argparse.Namespace, An object that contains the values for the
        arguments specified in the Args method.

    Returns:
      The updated policy (a copy; the argument is left untouched).
    """
    condition = args.condition
    # Work on a copy so the caller can still compare against the original.
    updated = copy.deepcopy(policy)
    updated.spec.rules = org_policy_utils.GetNonMatchingRulesFromPolicy(
        updated, condition)
    deny_rule, updated = org_policy_utils.CreateRuleOnPolicy(
        updated, condition)
    deny_rule.denyAll = True
    return updated
def Run(self, args):
    """Deletes a whole policy, or strips the rules matching --condition.

    Without --condition the policy is removed outright via DeletePolicy.
    With --condition the policy is first fetched (GetPolicy) and the rules
    carrying that condition are removed. If nothing changed, the fetched
    policy is returned without any write. Otherwise the policy is written
    back with UpdatePolicy when rules remain or inheritFromParent is set, and
    deleted with DeletePolicy when it would be left empty and non-inheriting.

    Args:
      args: argparse.Namespace, An object that contains the values for the
        arguments specified in the Args method.

    Returns:
      If the policy is deleted, then messages.GoogleProtobufEmpty. If only a
      partial delete is issued, then the updated policy.
    """
    service = org_policy_service.PolicyService()
    messages = org_policy_service.OrgPolicyMessages()
    name = utils.GetPolicyNameFromArgs(args)

    # A --label-parent condition is given with display names; rewrite it to
    # label-name form before it is compared against the stored rules.
    if args.IsSpecified('condition') and args.IsSpecified('label_parent'):
        utils.TransformLabelDisplayNameConditionToLabelNameCondition(args)

    def delete_whole_policy():
        request = messages.OrgpolicyPoliciesDeleteRequest(name=name)
        response = service.Delete(request)
        log.DeletedResource(name, 'policy')
        return response

    if args.condition is None:
        return delete_whole_policy()

    current = service.Get(messages.OrgpolicyPoliciesGetRequest(name=name))
    trimmed = copy.deepcopy(current)
    trimmed.spec.rules = org_policy_utils.GetNonMatchingRulesFromPolicy(
        current, args.condition)

    # No rule matched the condition: skip the write entirely.
    if trimmed == current:
        return current

    if not (trimmed.spec.rules or trimmed.spec.inheritFromParent):
        # Neither rules nor inheritance remain, so the policy is removed
        # rather than left as an empty shell.
        return delete_whole_policy()

    # forceUnconditionalWrite=False lets the server reject the patch if the
    # policy changed between the Get above and this write
    # (NOTE(review): presumably keyed on the etag carried by the fetched
    # policy — confirm).
    request = messages.OrgpolicyPoliciesPatchRequest(
        name=name,
        forceUnconditionalWrite=False,
        googleCloudOrgpolicyV2alpha1Policy=trimmed)
    response = service.Patch(request)
    log.UpdatedResource(name, 'policy')
    return response
def testGetNonMatchingRulesFromPolicy_NoConditionSpecified_ReturnsNonMatchingRules(
    self):
    """With condition=None only the unconditional rules are filtered out."""

    def conditional(expression):
        # Fresh dict per call so no rule data is shared between policies.
        return {'condition': expression}

    # Interleave unconditional ({}) and conditional rules so that the
    # relative order of the survivors is exercised too.
    source = self.Policy(rule_data=[
        {},
        conditional(self.CONDITION_EXPRESSION_A),
        {},
        conditional(self.CONDITION_EXPRESSION_B),
    ])
    expected = self.Policy(rule_data=[
        conditional(self.CONDITION_EXPRESSION_A),
        conditional(self.CONDITION_EXPRESSION_B),
    ])

    remaining = utils.GetNonMatchingRulesFromPolicy(source, None)

    self.assertEqual(remaining, expected.spec.rules)
def UpdatePolicy(self, policy, args):
    """Turns enforcement on for the given condition, keeping the boolean contract.

    Boolean policy contract (checked here before anything is modified): a
    nonempty boolean policy has exactly one unconditional rule, and every
    conditional rule carries the opposite ``enforce`` value to that
    unconditional rule.

    Behaviour:
      * Nonempty policy without an unconditional rule: rejected.
      * No condition given and more than one rule present: the unconditional
        value cannot be flipped once conditional rules exist; it must already
        be True (the policy is then returned as-is), otherwise rejected.
      * Condition given while the unconditional rule already enforces:
        rejected, because the new conditional rule would not be the opposite.
      * Otherwise the rules matching the condition (the unconditional rules
        when no condition is given) are dropped and a new rule with
        ``enforce=True`` is added. An empty policy receiving a conditional
        rule also gets an unconditional ``enforce=False`` rule so the
        contract holds.

    Args:
      policy: messages.GoogleCloudOrgpolicyV2alpha1Policy, The policy to be
        updated.
      args: argparse.Namespace, An object that contains the values for the
        arguments specified in the Args method.

    Returns:
      The updated policy (a copy), or the original policy object when it is
      already compliant and needs no change.

    Raises:
      exceptions.BooleanPolicyValidationError: if the requested change would
        violate the boolean policy contract.
    """
    condition = args.condition
    rules = policy.spec.rules

    if rules:
        unconditional = org_policy_utils.GetMatchingRulesFromPolicy(policy, None)
        if not unconditional:
            raise exceptions.BooleanPolicyValidationError(
                'An unconditional enforce value does not exist on the nonempty policy.'
            )
        base_rule = unconditional[0]

        if condition is None and len(rules) > 1:
            # With conditional rules present the unconditional value is
            # pinned: it may only be confirmed, never flipped.
            # NOTE(review): an unset enforce (None) is treated as False here —
            # confirm that matches the server-side default.
            if not base_rule.enforce:
                raise exceptions.BooleanPolicyValidationError(
                    'Unconditional enforce value cannot be the same as a conditional enforce value on the policy.'
                )
            # Already enforced; hand back the policy untouched.
            return policy

        if condition is not None and base_rule.enforce:
            raise exceptions.BooleanPolicyValidationError(
                'Conditional enforce value cannot be the same as the unconditional enforce value on the policy.'
            )

    updated = copy.deepcopy(policy)

    if condition is not None and not updated.spec.rules:
        # Empty policy gaining a conditional rule: seed the opposite-valued
        # unconditional rule so the contract is satisfied.
        base_rule, updated = org_policy_utils.CreateRuleOnPolicy(updated, None)
        base_rule.enforce = False

    updated.spec.rules = org_policy_utils.GetNonMatchingRulesFromPolicy(
        updated, condition)
    enforce_rule, updated = org_policy_utils.CreateRuleOnPolicy(
        updated, condition)
    enforce_rule.enforce = True
    return updated