def _DenyAllValues(self, policy, args):
  """Replaces the rules for the given condition with a single denyAll rule.

  Every existing rule whose condition matches ``args.condition`` is dropped
  (when no condition is given, the unconditional rules are the ones dropped).
  A fresh rule carrying the same condition is then appended and its
  ``denyAll`` flag set to True. The caller's policy object is left untouched;
  a deep copy is modified and returned.

  Args:
    policy: messages.GoogleCloudOrgpolicyV2alpha1Policy, The policy to be
      updated.
    args: argparse.Namespace, An object that contains the values for the
      arguments specified in the Args method.

  Returns:
    The updated policy.
  """
  updated = copy.deepcopy(policy)
  condition = args.condition

  # Remove the rules that already target this condition so the new denyAll
  # rule is the only one left for it.
  remaining_rules = org_policy_utils.GetNonMatchingRulesFromPolicy(
      updated, condition)
  updated.spec.rules = remaining_rules

  deny_rule, updated = org_policy_utils.CreateRuleOnPolicy(updated, condition)
  deny_rule.denyAll = True
  return updated
def UpdatePolicy(self, policy, args):
  """Updates the policy for tests.

  When ``args.condition`` is None the returned policy is emptied: its rules
  are cleared and both ``inheritFromParent`` and ``reset`` are set to False.

  When a condition is given, the policy is returned unchanged if it already
  has any rules; otherwise a single new rule carrying that condition is added.

  The caller's policy object is never mutated; a deep copy is returned.

  Args:
    policy: messages.GoogleCloudOrgpolicyV2alpha1Policy, The policy to be
      updated.
    args: argparse.Namespace, An object that contains the values for the
      arguments specified in the Args method.

  Returns:
    The updated policy.
  """
  updated = copy.deepcopy(policy)
  condition = args.condition

  if condition is None:
    # Reset to an empty policy: no rules, no inheritance, no reset flag.
    updated.spec.rules = []
    updated.spec.inheritFromParent = False
    updated.spec.reset = False
  elif not updated.spec.rules:
    # Conditional update on an empty policy: seed it with one rule for the
    # condition. A policy that already has rules is returned as is.
    _, updated = org_policy_utils.CreateRuleOnPolicy(updated, condition)

  return updated
def _AddValues(self, policy, args):
  """Adds values to an eligible policy rule containing the specified condition.

  The specified values are first removed from the denied-value lists of the
  rules that match the condition (``utils.RemoveDeniedValuesFromPolicy``).
  The matching rules are then inspected for the values that are not yet
  allowed; if none are missing the policy is returned without further change.

  Otherwise the rule to update is chosen as follows:
    * no matching rule: a new rule with the condition is created;
    * a matching rule has ``allowAll`` set: nothing needs to be added and the
      policy is returned as is;
    * a matching rule has ``denyAll`` set: the request is rejected, since
      explicitly allowing values on a deny-all rule would silently widen the
      policy;
    * otherwise the first matching rule is updated.

  On the chosen rule both ``allowAll`` and ``denyAll`` are cleared and the
  missing values are appended to its allowed values. Duplicates among the
  user-supplied values are pruned by the missing-value computation.

  Args:
    policy: messages.GoogleCloudOrgpolicyV2alpha1Policy, The policy to be
      updated.
    args: argparse.Namespace, An object that contains the values for the
      arguments specified in the Args method.

  Returns:
    The updated policy.

  Raises:
    exceptions.OperationNotSupportedError: if a matching rule has denyAll set.
  """
  updated = copy.deepcopy(policy)
  updated = utils.RemoveDeniedValuesFromPolicy(updated, args)
  condition = args.condition

  matching_rules = org_policy_utils.GetMatchingRulesFromPolicy(
      updated, condition)
  values_to_add = self._GetMissingAllowedValuesFromRules(
      matching_rules, args.value)
  if not values_to_add:
    return updated

  if matching_rules:
    for candidate in matching_rules:
      if candidate.allowAll:
        # Everything is already permitted; adding values would be a no-op.
        return updated
      if candidate.denyAll:
        raise exceptions.OperationNotSupportedError(
            'Values cannot be allowed if denyAll is set on the policy.')
    target_rule = matching_rules[0]
  else:
    target_rule, updated = org_policy_utils.CreateRuleOnPolicy(
        updated, condition)

  # Clear both flags outright: a False value is treated the same as unset,
  # and the rule is about to carry an explicit allowed-values list.
  target_rule.allowAll = None
  target_rule.denyAll = None
  if target_rule.values is None:
    target_rule.values = (
        self.org_policy_messages
        .GoogleCloudOrgpolicyV2alpha1PolicyPolicyRuleStringValues())
  target_rule.values.allowedValues += list(values_to_add)
  return updated
def testCreateRuleOnPolicy_NoConditionSpecified_CreatesRule(self):
  """CreateRuleOnPolicy with condition=None appends an unconditional rule.

  Starts from a policy with one conditional rule and checks that the new
  rule has no condition and that the returned policy equals the original
  plus that one unconditional rule.
  """
  conditional_only = self.Policy(
      rule_data=[{'condition': self.CONDITION_EXPRESSION_A}])
  expected = self.Policy(
      rule_data=[{'condition': self.CONDITION_EXPRESSION_A}, {}])

  created_rule, result = utils.CreateRuleOnPolicy(conditional_only, None)

  self.assertIsNotNone(created_rule)
  self.assertIsNone(created_rule.condition)
  self.assertEqual(result, expected)
def UpdatePolicy(self, policy, args):
  """Enables enforcement for the specified condition.

  Boolean policy contract (validated first, before anything is changed):
  a nonempty boolean policy must have exactly one unconditional rule, and
  every conditional rule must carry the opposite ``enforce`` value from that
  unconditional rule. The checks below reject requests that would break it:

    * nonempty policy without an unconditional rule -> error;
    * no condition given and more than one rule present: the unconditional
      enforce value cannot be flipped, so the policy must already enforce
      (returned as is) or an error is raised;
    * condition given while the unconditional rule already enforces -> error.

  After validation, the rules that match the condition (the unconditional
  ones when no condition is given) are removed and a new rule with the
  condition is created with ``enforce`` set to True. When the policy is empty
  and a condition is given, an unconditional rule with ``enforce`` False is
  created first so the result still satisfies the contract.

  The caller's policy object is not mutated; a deep copy is returned (except
  on the early "no changes needed" path, which returns the input itself).

  Args:
    policy: messages.GoogleCloudOrgpolicyV2alpha1Policy, The policy to be
      updated.
    args: argparse.Namespace, An object that contains the values for the
      arguments specified in the Args method.

  Returns:
    The updated policy.

  Raises:
    exceptions.BooleanPolicyValidationError: if the request would violate the
      boolean policy contract described above.
  """
  condition = args.condition
  existing_rules = policy.spec.rules

  if existing_rules:
    unconditional = org_policy_utils.GetMatchingRulesFromPolicy(policy, None)
    if not unconditional:
      raise exceptions.BooleanPolicyValidationError(
          'An unconditional enforce value does not exist on the nonempty policy.'
      )
    base_rule = unconditional[0]

    if condition is None and len(existing_rules) > 1:
      # The unconditional enforce value is pinned once conditional rules
      # exist; it must already be True or the request is invalid.
      if not base_rule.enforce:
        raise exceptions.BooleanPolicyValidationError(
            'Unconditional enforce value cannot be the same as a conditional enforce value on the policy.'
        )
      return policy

    if condition is not None and base_rule.enforce:
      raise exceptions.BooleanPolicyValidationError(
          'Conditional enforce value cannot be the same as the unconditional enforce value on the policy.'
      )

  updated = copy.deepcopy(policy)

  if condition is not None and not updated.spec.rules:
    # Empty policy gaining a conditional rule: add the mandatory unconditional
    # counterpart with the opposite enforce value.
    base_rule, updated = org_policy_utils.CreateRuleOnPolicy(updated, None)
    base_rule.enforce = False

  updated.spec.rules = org_policy_utils.GetNonMatchingRulesFromPolicy(
      updated, condition)
  enforcing_rule, updated = org_policy_utils.CreateRuleOnPolicy(
      updated, condition)
  enforcing_rule.enforce = True
  return updated