def _AddVpcAccessibleServicesFilter(args, req, version): """Add the particular service filter message based on specified args.""" service_restriction_config = None allowed_services = None enable_restriction = None restriction_modified = False service_perimeter_config = req.servicePerimeter.status if not service_perimeter_config: service_perimeter_config = (util.GetMessages( version=version).ServicePerimeterConfig) if args.IsSpecified('vpc_allowed_services'): allowed_services = getattr(args, 'vpc_allowed_services') restriction_modified = True if args.IsSpecified('enable_vpc_accessible_services'): enable_restriction = getattr(args, 'enable_vpc_accessible_services') restriction_modified = True if restriction_modified: service_restriction_config = getattr(service_perimeter_config, 'vpcAccessibleServices') if not service_restriction_config: service_restriction_config = (getattr( util.GetMessages(version=version), 'VpcAccessibleServices')) service_restriction_config.allowedServices = allowed_services service_restriction_config.enableRestriction = enable_restriction setattr(service_perimeter_config, 'vpcAccessibleServices', service_restriction_config) req.servicePerimeter.status = service_perimeter_config return req
def Run(self, args): client = zones_api.Client(version=self._API_VERSION) messages = util.GetMessages(version=self._API_VERSION) perimeter_ref = args.CONCEPTS.perimeter.Parse() policies.ValidateAccessPolicyArg(perimeter_ref, args) original_perimeter = client.Get(perimeter_ref) base_config = _GetBaseConfig(original_perimeter) updated_resources = repeated.ParsePrimitiveArgs( args, 'resources', lambda: base_config.resources or []) updated_restricted_services = repeated.ParsePrimitiveArgs( args, 'restricted-services', lambda: base_config.restrictedServices or []) updated_access_levels = repeated.ParsePrimitiveArgs( args, 'access-levels', lambda: base_config.accessLevels or []) base_vpc_config = base_config.vpcAccessibleServices if base_vpc_config is None: base_vpc_config = messages.VpcAccessibleServices() updated_vpc_services = repeated.ParsePrimitiveArgs( args, 'vpc-allowed-services', lambda: base_vpc_config.allowedServices or []) if args.IsSpecified('enable_vpc_accessible_services'): updated_vpc_enabled = args.enable_vpc_accessible_services elif base_config.vpcAccessibleServices is not None: updated_vpc_enabled = base_vpc_config.enableRestriction else: updated_vpc_enabled = None return client.PatchDryRunConfig( perimeter_ref, resources=updated_resources, levels=updated_access_levels, restricted_services=updated_restricted_services, vpc_allowed_services=updated_vpc_services, enable_vpc_accessible_services=updated_vpc_enabled)
def VersionedParseAccessLevels(path): """Parse a YAML representation of a list of Access Levels with basic/custom level conditions. Args: path: str, path to file containing basic/custom access levels Returns: list of Access Level objects. Raises: ParseError: if the file could not be read into the proper object """ data = yaml.load_path(path) if not data: raise ParseError(path, 'File is empty') messages = util.GetMessages(version=api_version) message_class = messages.AccessLevel try: levels = [encoding.DictToMessage(c, message_class) for c in data] except Exception as err: raise InvalidFormatError(path, six.text_type(err), message_class) _ValidateAllLevelFieldsRecognized(path, levels) return levels
def AddImplicitServiceWildcard(ref, args, req): """Add an implicit wildcard for services if they are modified. If either restricted services or unrestricted services is given, the other must also be provided as a wildcard (`*`). If neither is given, this is a no-op. Args: ref: resources.Resource, the (unused) resource args: argparse namespace, the parse arguments req: AccesscontextmanagerAccessPoliciesAccessZonesCreateRequest Returns: The modified request. """ del ref # Unused in AddImplicitServiceWildcard service_perimeter_config = req.servicePerimeter.status if not service_perimeter_config: service_perimeter_config = util.GetMessages( version='v1beta').ServicePerimeterConfig if args.IsSpecified('restricted_services'): service_perimeter_config.unrestrictedServices = ['*'] elif args.IsSpecified('unrestricted_services'): service_perimeter_config.restrictedServices = ['*'] req.servicePerimeter.status = service_perimeter_config return req
def Run(self, args): client = zones_api.Client(version=self._API_VERSION) messages = util.GetMessages(version=self._API_VERSION) perimeter_ref = args.CONCEPTS.perimeter.Parse() policies.ValidateAccessPolicyArg(perimeter_ref, args) original_perimeter = client.Get(perimeter_ref) base_config = _GetBaseConfig(original_perimeter) if _IsFieldSpecified('resources', args): updated_resources = _GetRepeatedFieldValue( args, 'resources', base_config.resources, original_perimeter.useExplicitDryRunSpec) else: updated_resources = base_config.resources if _IsFieldSpecified('restricted_services', args): updated_restricted_services = _GetRepeatedFieldValue( args, 'restricted_services', base_config.restrictedServices, original_perimeter.useExplicitDryRunSpec) else: updated_restricted_services = base_config.restrictedServices if _IsFieldSpecified('access_levels', args): updated_access_levels = _GetRepeatedFieldValue( args, 'access_levels', base_config.accessLevels, original_perimeter.useExplicitDryRunSpec) else: updated_access_levels = base_config.accessLevels base_vpc_config = base_config.vpcAccessibleServices if base_vpc_config is None: base_vpc_config = messages.VpcAccessibleServices() if _IsFieldSpecified('vpc_allowed_services', args): updated_vpc_services = _GetRepeatedFieldValue( args, 'vpc-allowed-services', base_vpc_config.allowedServices, original_perimeter.useExplicitDryRunSpec) elif base_config.vpcAccessibleServices is not None: updated_vpc_services = base_vpc_config.allowedServices else: updated_vpc_services = None if args.IsSpecified('enable_vpc_accessible_services'): updated_vpc_enabled = args.enable_vpc_accessible_services elif base_config.vpcAccessibleServices is not None: updated_vpc_enabled = base_vpc_config.enableRestriction else: updated_vpc_enabled = None # Vpc allowed services list should only be populated if enable restrictions # is set to true. if updated_vpc_enabled is None: updated_vpc_services = None elif not updated_vpc_enabled: updated_vpc_services = [] return client.PatchDryRunConfig( perimeter_ref, resources=updated_resources, levels=updated_access_levels, restricted_services=updated_restricted_services, vpc_allowed_services=updated_vpc_services, enable_vpc_accessible_services=updated_vpc_enabled, ingress_policies=perimeters.ParseUpdateDirectionalPoliciesArgs( args, 'ingress-policies'), egress_policies=perimeters.ParseUpdateDirectionalPoliciesArgs( args, 'egress-policies'))
def ParseServicePerimetersBase(path, version=None): """Parse a YAML representation of a list of Service Perimeters. Args: path: str, path to file containing service perimeters version: str, api version of ACM to use for proto messages Returns: list of Service Perimeters objects. Raises: ParseError: if the file could not be read into the proper object """ data = yaml.load_path(path) if not data: raise ParseError(path, 'File is empty') messages = util.GetMessages(version=version) message_class = messages.ServicePerimeter try: conditions = [encoding.DictToMessage(c, message_class) for c in data] except Exception as err: raise InvalidFormatError(path, six.text_type(err), message_class) _ValidateAllFieldsRecognized(path, conditions) return conditions
def VersionedParseCustomLevel(path): """Parse a YAML representation of custom level conditions. Args: path: str, path to file containing custom level expression Returns: string of CEL expression. Raises: ParseError: if the file could not be read into the proper object """ data = yaml.load_path(path) if not data: raise ParseError(path, 'File is empty') messages = util.GetMessages(version=api_version) message_class = messages.Expr try: expr = encoding.DictToMessage(data, message_class) except Exception as err: raise InvalidFormatError(path, six.text_type(err), message_class) _ValidateAllCustomFieldsRecognized(path, expr) return expr
def GenerateDryRunConfigDiff(perimeter, api_version): """Generates a diff string by comparing status with spec.""" if perimeter.spec is None and perimeter.useExplicitDryRunSpec: return 'This Service Perimeter has been marked for deletion dry-run mode.' if perimeter.status is None and perimeter.spec is None: return 'This Service Perimeter has no dry-run or enforcement mode config.' output = [] status = perimeter.status if not perimeter.useExplicitDryRunSpec: spec = status output.append('This Service Perimeter does not have an explicit ' 'dry-run mode configuration. The enforcement config ' 'will be used as the dry-run mode configuration.') else: spec = perimeter.spec if status is None: messages = util.GetMessages(version=api_version) status = messages.ServicePerimeterConfig() perimeter.status = status perimeter.spec = spec output.append(' name: {}'.format( perimeter.name[perimeter.name.rfind('/') + 1:])) output.append(' title: {}'.format(perimeter.title)) output.append(' type: {}'.format(perimeter.perimeterType or 'PERIMETER_TYPE_REGULAR')) print('\n'.join(output)) acm_printer.Print(perimeter, 'diff[format=yaml](status, spec)')
def ParseBasicLevelConditions(path): """Parse a YAML representation of basic level conditions.. Args: path: str, path to file containing basic level conditions Returns: list of Condition objects. Raises: ParseError: if the file could not be read into the proper object """ data = yaml.load_path(path) if not data: raise ParseError(path, 'File is empty') messages = util.GetMessages() message_class = messages.Condition try: conditions = [encoding.DictToMessage(c, message_class) for c in data] except Exception as err: raise InvalidFormatError(path, str(err), message_class) _ValidateAllFieldsRecognized(path, conditions) return conditions
def GetCombineFunctionEnumMapper(): return arg_utils.ChoiceEnumMapper( '--combine-function', util.GetMessages().BasicLevel.CombiningFunctionValueValuesEnum, custom_mappings={'AND': 'and', 'OR': 'or'}, required=False, help_str='For a basic level, determines how conditions are combined.', )
def GenerateDryRunConfigDiff(perimeter, api_version): """Generates a diff string by comparing status with spec.""" if perimeter.spec is None and perimeter.useExplicitDryRunSpec: return 'This Service Perimeter has been marked for deletion dry-run mode.' if perimeter.status is None and perimeter.spec is None: return 'This Service Perimeter has no dry-run or enforcement mode config.' output = [] status = perimeter.status if not perimeter.useExplicitDryRunSpec: spec = status output.append('This Service Perimeter does not have an explicit ' 'dry-run mode configuration. The enforcement config ' 'will be used as the dry-run mode configuration.') else: spec = perimeter.spec if status is None: messages = util.GetMessages(version=api_version) status = messages.ServicePerimeterConfig() output.append('name: {}'.format(perimeter.name[perimeter.name.rfind('/') + 1:])) output.append('title: {}'.format(perimeter.title)) output.append('type: {}'.format(perimeter.perimeterType or 'PERIMETER_TYPE_REGULAR')) output.extend(_CompareTopLevelField(status, spec, 'resources')) output.extend(_CompareTopLevelField(status, spec, 'restrictedServices')) output.extend(_CompareTopLevelField(status, spec, 'accessLevels')) status_vpc = status.vpcAccessibleServices spec_vpc = spec.vpcAccessibleServices output.append('vpcAccessibleServices:') if status_vpc is None and spec_vpc is None: output.append(' NONE') else: status_enabled = bool(status_vpc and status_vpc.enableRestriction) spec_enabled = bool(spec_vpc and spec_vpc.enableRestriction) output.append(' enableRestriction: {} -> {}'.format( status_enabled, spec_enabled)) if status_vpc is not None: status_vpc_services = set(status_vpc.allowedServices) else: status_vpc_services = set() if spec_vpc is not None: spec_vpc_services = set(spec_vpc.allowedServices) else: spec_vpc_services = set() output.extend( _CompareField( status_vpc_services, spec_vpc_services, 'allowedServices', line_prefix=' ')) return '\n'.join(output)
def _AddServiceFilterRestriction(args, req, version, restriction_type): """Add the particular service filter message based on specified args.""" service_restriction_config = None allowed_services = None enable_restriction = None restriction_modified = False service_perimeter_config = req.servicePerimeter.status if not service_perimeter_config: service_perimeter_config = (util.GetMessages( version=version).ServicePerimeterConfig) if args.IsSpecified(restriction_type + '_allowed_services'): allowed_services = getattr(args, restriction_type + '_allowed_services') restriction_modified = True if args.IsSpecified('enable_' + restriction_type + '_service_restriction'): enable_restriction = getattr( args, 'enable_' + restriction_type + '_service_restriction') restriction_modified = True if restriction_modified: service_restriction_config = getattr( service_perimeter_config, restriction_type + 'ServiceRestriction') if not service_restriction_config: service_restriction_config = (getattr( util.GetMessages(version=version), restriction_type.capitalize() + 'ServiceRestriction')) service_restriction_config.allowedServices = allowed_services service_restriction_config.enableRestriction = enable_restriction setattr(service_perimeter_config, restriction_type + 'ServiceRestriction', service_restriction_config) req.servicePerimeter.status = service_perimeter_config return req
def AddAccessLevels(ref, args, req): """Hook to add access levels to request.""" if args.IsSpecified('access_levels'): access_levels = [] for access_level in args.access_levels: level_ref = resources.REGISTRY.Create( 'accesscontextmanager.accessPolicies.accessLevels', accessLevelsId=access_level, **ref.Parent().AsDict()) access_levels.append(level_ref.RelativeName()) service_perimeter_config = req.servicePerimeter.status if not service_perimeter_config: service_perimeter_config = ( util.GetMessages(version='v1beta').ServicePerimeterConfig) service_perimeter_config.accessLevels = access_levels req.servicePerimeter.status = service_perimeter_config return req
def AddImplicitUnrestrictedServiceWildcard(ref, args, req): """Add wildcard for unrestricted services to message. Args: ref: resources.Resource, the (unused) resource args: argparse namespace, the parse arguments req: AccesscontextmanagerAccessPoliciesAccessZonesCreateRequest Returns: The modified request. """ del ref, args # Unused in AddImplicitServiceWildcard service_perimeter_config = req.servicePerimeter.status if not service_perimeter_config: service_perimeter_config = util.GetMessages( version='v1beta').ServicePerimeterConfig service_perimeter_config.unrestrictedServices = ['*'] req.servicePerimeter.status = service_perimeter_config return req
def ParseReplaceAccessLevelsResponseBase(lro, version): """Parse the Long Running Operation response of the ReplaceAccessLevels call. Args: lro: Long Running Operation response of ReplaceAccessLevels. version: version of the API. e.g. 'v1beta', 'v1'. Returns: The replacement Access Levels created by the ReplaceAccessLevels call. Raises: ParseResponseError: if the response could not be parsed into the proper object. """ messages = util.GetMessages(version) message_class = messages.ReplaceAccessLevelsResponse try: return encoding.DictToMessage(encoding.MessageToDict(lro.response), message_class).accessLevels except Exception as err: raise ParseResponseError(six.text_type(err))
def AddImplicitUnrestrictedServiceWildcard(ref, args, req): """Add wildcard for unrestricted services to message if type is regular. Args: ref: resources.Resource, the (unused) resource args: argparse namespace, the parse arguments req: AccesscontextmanagerAccessPoliciesAccessZonesCreateRequest Returns: The modified request. """ del ref, args # Unused in AddImplicitServiceWildcard m = util.GetMessages(version='v1beta') if req.servicePerimeter.perimeterType == ( m.ServicePerimeter.PerimeterTypeValueValuesEnum.PERIMETER_TYPE_REGULAR): service_perimeter_config = req.servicePerimeter.status if not service_perimeter_config: service_perimeter_config = m.ServicePerimeterConfig service_perimeter_config.unrestrictedServices = ['*'] req.servicePerimeter.status = service_perimeter_config return req
def GetTypeEnumMapper(): return arg_utils.ChoiceEnumMapper( '--type', util.GetMessages().ServicePerimeter.PerimeterTypeValueValuesEnum, custom_mappings={ 'PERIMETER_TYPE_REGULAR': 'regular', 'PERIMETER_TYPE_BRIDGE': 'bridge' }, required=False, help_str="""\ Type of the perimeter. A *regular* perimeter allows resources within this service perimeter to import and export data amongst themselves. A project may belong to at most one regular service perimeter. A *bridge* perimeter allows resources in different regular service perimeters to import and export data between each other. A project may belong to multiple bridge service perimeters (only if it also belongs to a regular service perimeter). Both restricted and unrestricted service lists, as well as access level lists, must be empty. """, )
def ParseVersionedEgressPoliciesAlpha(path): return ParseAccessContextManagerMessages( path, util.GetMessages(version=api_version).EgressPolicy)