def testBindingInPolicy(self):
self.assertTrue(
iam_util.BindingInPolicy(self.TEST_IAM_POLICY,
'user:[email protected]', 'roles/owner'))
self.assertFalse(
iam_util.BindingInPolicy(self.TEST_IAM_POLICY,
'user:[email protected]',
'roles/owner'))
self.assertFalse(
iam_util.BindingInPolicy(self.TEST_IAM_POLICY,
'user:[email protected]',
'roles/not_owner'))
def AddOrRemoveIamPolicyBinding(self, service_ref, add_binding=True,
member=None, role=None):
"""Add or remove the given IAM policy binding to the provided service.
If no members or role are provided, set the IAM policy to the current IAM
policy. This is useful for checking whether the authenticated user has
the appropriate permissions for setting policies.
Args:
service_ref: str, The service to which to add the IAM policy.
add_binding: bool, Whether to add to or remove from the IAM policy.
member: str, One of the users for which the binding applies.
role: str, The role to grant the provided members.
Returns:
A google.iam.v1.TestIamPermissionsResponse.
"""
messages = self.messages_module
oneplatform_service = resource_name_conversion.K8sToOnePlatform(
service_ref, self._region)
policy = self._GetIamPolicy(oneplatform_service)
# Don't modify bindings if not member or roles provided
if member and role:
if add_binding:
iam_util.AddBindingToIamPolicy(messages.Binding, policy, member, role)
elif iam_util.BindingInPolicy(policy, member, role):
iam_util.RemoveBindingFromIamPolicy(policy, member, role)
request = messages.RunProjectsLocationsServicesSetIamPolicyRequest(
resource=six.text_type(oneplatform_service),
setIamPolicyRequest=messages.SetIamPolicyRequest(policy=policy))
result = self._op_client.projects_locations_services.SetIamPolicy(request)
return result
def RemoveFunctionIamPolicyBindingIfFound(
function_resource_name,
member='allUsers',
role='roles/cloudfunctions.invoker'):
"""Removes the specified policy binding if it is found."""
client = GetApiClientInstance()
messages = client.MESSAGES_MODULE
policy = GetFunctionIamPolicy(function_resource_name)
if iam_util.BindingInPolicy(policy, member, role):
iam_util.RemoveBindingFromIamPolicy(policy, member, role)
client.projects_locations_functions.SetIamPolicy(
messages.CloudfunctionsProjectsLocationsFunctionsSetIamPolicyRequest(
resource=function_resource_name,
setIamPolicyRequest=messages.SetIamPolicyRequest(policy=policy)))
return True
else:
return False
def _AddBinding(project, account, role):
"""Adds a binding.
Args:
project: (str) Project name.
account: (str) User account.
role: (str) Role.
"""
crm_client = apis.GetClientInstance('cloudresourcemanager', 'v1')
policy = crm_client.projects.GetIamPolicy(
CRM_MESSAGE_MODULE.CloudresourcemanagerProjectsGetIamPolicyRequest(
resource=project))
if not iam_util.BindingInPolicy(policy, account, role):
iam_util.AddBindingToIamPolicy(CRM_MESSAGE_MODULE.Binding, policy, account,
role)
req = CRM_MESSAGE_MODULE.CloudresourcemanagerProjectsSetIamPolicyRequest(
resource=project,
setIamPolicyRequest=CRM_MESSAGE_MODULE.SetIamPolicyRequest(
policy=policy))
crm_client.projects.SetIamPolicy(req)
