def AddIamPolicyBinding(self, service_ref, member, role, condition):
    """Grant `role` to `member` on a service, optionally under a condition.

    Read-modify-write of the service's IAM policy: fetch the current policy,
    merge the binding in locally via iam_util, then write the whole policy
    back. The object returned by the read is what gets written, so any etag
    the service attached to it (assumed, not visible here) is echoed back and
    the service can reject the write if the policy changed in between.

    Args:
      service_ref: reference to the service whose policy is modified.
      member: IAM member string to add.
      role: IAM role to bind the member to.
      condition: condition to attach to the binding, or None. How a None or
        duplicate condition is merged (prompting, reuse of an existing
        binding) is decided inside iam_util, not here.

    Returns:
      Whatever self.SetIamPolicy returns for the updated policy.
    """
    binding_cls = self.msgs.Binding
    expr_cls = self.msgs.Expr

    updated = self.GetIamPolicy(service_ref)
    iam_util.AddBindingToIamPolicyWithCondition(
        binding_cls, expr_cls, updated, member, role, condition)
    return self.SetIamPolicy(service_ref, updated)
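def Run(self, args):
    """Add a (possibly conditional) IAM binding to a tag value's policy.

    Args:
      args: argparse namespace carrying RESOURCE_NAME (either a full
        'tagValues/...' name or a namespaced name that is resolved first),
        member, role, and the condition flags consumed by
        ValidateAndExtractConditionMutexRole.

    Returns:
      The SetIamPolicy response from the tag-values service.
    """
    # Validate the condition/role flags before any API traffic: malformed
    # input then fails without a network round trip, and the read-modify-write
    # window on the policy stays as short as possible.
    condition = iam_util.ValidateAndExtractConditionMutexRole(args)

    service = tags.TagValuesService()
    messages = tags.TagMessages()

    # Accept either the canonical resource name or a namespaced name.
    resource_name = args.RESOURCE_NAME
    if resource_name.startswith('tagValues/'):
        tag_value = resource_name
    else:
        tag_value = tag_utils.GetTagValueFromNamespacedName(resource_name).name

    get_request = messages.CloudresourcemanagerTagValuesGetIamPolicyRequest(
        resource=tag_value)
    policy = service.GetIamPolicy(get_request)

    iam_util.AddBindingToIamPolicyWithCondition(
        messages.Binding, messages.Expr, policy, args.member, args.role,
        condition)

    # The policy object returned by the read is written back as-is (plus the
    # new binding), so whatever etag it carries travels with it.
    set_request = messages.CloudresourcemanagerTagValuesSetIamPolicyRequest(
        resource=tag_value,
        setIamPolicyRequest=messages.SetIamPolicyRequest(policy=policy))
    result = service.SetIamPolicy(set_request)
    iam_util.LogSetIamPolicy(tag_value, 'TagValue')
    return result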
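def Run(self, args):
    """Add a (possibly conditional) IAM binding to a label key's policy.

    Args:
      args: argparse namespace carrying LABEL_KEY_ID (a resource name, or a
        display name when --label_parent is given), member, role, and the
        condition flags consumed by ValidateAndExtractConditionMutexRole.

    Returns:
      The SetIamPolicy response from the label-keys service.
    """
    # Validate flags before any API call so bad input fails fast and the
    # get/set window on the policy is not widened by local validation.
    condition = iam_util.ValidateAndExtractConditionMutexRole(args)

    labelkeys_service = labelmanager.LabelKeysService()
    lm_messages = labelmanager.LabelManagerMessages()

    # With --label_parent the positional is a display name that must be
    # resolved to a resource name first; otherwise it is used verbatim.
    if args.IsSpecified('label_parent'):
        label_key = utils.GetLabelKeyFromDisplayName(
            args.LABEL_KEY_ID, args.label_parent)
    else:
        label_key = args.LABEL_KEY_ID

    get_request = lm_messages.LabelmanagerLabelKeysGetIamPolicyRequest(
        resource=label_key)
    policy = labelkeys_service.GetIamPolicy(get_request)

    iam_util.AddBindingToIamPolicyWithCondition(
        lm_messages.Binding, lm_messages.Expr, policy, args.member,
        args.role, condition)

    set_request = lm_messages.LabelmanagerLabelKeysSetIamPolicyRequest(
        resource=label_key,
        setIamPolicyRequest=lm_messages.SetIamPolicyRequest(policy=policy))
    result = labelkeys_service.SetIamPolicy(set_request)
    iam_util.LogSetIamPolicy(label_key, 'LabelKey')
    return result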
def testAddBindingToIamPolicyWithCondition_PromptNoneCondition(self):
    """Interactive add without --condition, answering 'None' at the prompt.

    The policy already holds conditional bindings, so the helper must ask
    which condition applies. Choosing option 2 ('None') must append a fresh
    unconditional binding rather than merge into an existing one, and the
    prompt must list the existing condition, 'None', and a "new" option.
    """
    self.StartPatch('googlecloudsdk.core.console.console_io.CanPrompt',
                    return_value=True)
    self.WriteInput('2')

    policy = copy.deepcopy(self.TEST_IAM_POLICY_MIX_CONDITION)
    iam_util.AddBindingToIamPolicyWithCondition(
        self.messages.Binding, self.messages.Expr, policy=policy,
        member='user:[email protected]', role='roles/non-primitive',
        condition=None)

    want = copy.deepcopy(self.TEST_IAM_POLICY_MIX_CONDITION)
    want.bindings.append(
        self.messages.Binding(members=['user:[email protected]'],
                              role='roles/non-primitive',
                              condition=None))
    self.assertEqual(policy, want)

    prompt = json.loads(self.GetErr())
    self.assertEqual(
        prompt['prompt_string'],
        ('The policy contains bindings with conditions, so specifying a '
         'condition is required when adding a binding. '
         'Please specify a condition.'))
    expected_choices = [
        ('expression=ip=whitelist_ip,title=whitelist ip,'
         'description=whitelist ip description'),
        'None',
        'Specify a new condition',
    ]
    self.assertEqual(prompt['choices'], expected_choices)
def AddIamPolicyBindingWithCondition(models_client, model, member, role,
                                     condition):
    """Add a (possibly conditional) IAM binding to an ML Engine model.

    Read-modify-write: the model's policy is fetched, the binding merged in
    locally, and the policy written back with a field mask of 'bindings,etag'
    (presumably an update mask, so only the bindings -- and the etag used for
    concurrency control -- are sent; not verifiable from here).

    Args:
      models_client: client exposing GetIamPolicy/SetIamPolicy and the
        GoogleIamV1Binding / GoogleTypeExpr message classes.
      model: model identifier accepted by ParseModel.
      member: IAM member string to add.
      role: IAM role to grant.
      condition: condition for the binding, or None.

    Returns:
      Whatever models_client.SetIamPolicy returns.
    """
    msgs = models_client.messages
    ref = ParseModel(model)

    current = models_client.GetIamPolicy(ref)
    iam_util.AddBindingToIamPolicyWithCondition(
        msgs.GoogleIamV1Binding, msgs.GoogleTypeExpr, current, member, role,
        condition)
    return models_client.SetIamPolicy(ref, current, 'bindings,etag')
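def AddIamPolicyBinding(self, member, role, condition):
    """Add a (possibly conditional) IAM binding to this IAP IAM resource.

    Read-modify-write of the resource's policy: fetch, merge the binding in
    locally via iam_util, write the whole policy back. The fetched object is
    what gets written, so any etag it carries (assumed, not visible here) is
    echoed back for the service's concurrency check.

    Args:
      member: IAM member string to add.
      role: IAM role to grant.
      condition: condition for the binding, or None.

    Returns:
      Whatever self._SetIamPolicy returns. Previously the result was dropped;
      returning it matches the other add-binding helpers and lets callers
      inspect or log the written policy. Callers that ignored the old None
      are unaffected.
    """
    resource_ref = self._Parse()
    policy = self._GetIamPolicy(resource_ref)
    iam_util.AddBindingToIamPolicyWithCondition(
        self.messages.Binding, self.messages.Expr, policy, member, role,
        condition)
    return self._SetIamPolicy(resource_ref, policy)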
def AddIamPolicyBindingWithCondition(project_ref, member, role, condition,
                                     api_version=DEFAULT_API_VERSION):
    """Add a (possibly conditional) IAM binding to a project's policy.

    Read-modify-write: fetch the project's policy, merge the binding in
    locally via iam_util, write the whole policy back. Messages are taken
    from the requested API version so the binding/condition types match the
    policy being edited.

    Args:
      project_ref: reference to the project whose policy is modified.
      member: IAM member string to add.
      role: IAM role to grant.
      condition: condition for the binding, or None.
      api_version: Resource Manager API version to use.

    Returns:
      Whatever SetIamPolicy returns for the updated policy.
    """
    msgs = projects_util.GetMessages(api_version)
    binding_cls, expr_cls = msgs.Binding, msgs.Expr

    current = GetIamPolicy(project_ref, api_version=api_version)
    iam_util.AddBindingToIamPolicyWithCondition(
        binding_cls, expr_cls, current, member, role, condition)
    return SetIamPolicy(project_ref, current, api_version=api_version)
def testAddBindingToIamPolicyWithCondition_NoPrompt(self):
    """Explicit condition that matches an existing binding: member is merged.

    When the caller supplies the same condition (and role) as an existing
    binding, the member is appended to that binding instead of creating a
    new one, and no "policy without condition" warning is emitted.
    """
    policy = copy.deepcopy(self.TEST_IAM_POLICY_MIX_CONDITION)
    iam_util.AddBindingToIamPolicyWithCondition(
        self.messages.Binding, self.messages.Expr, policy=policy,
        member='user:[email protected]', role='roles/non-primitive',
        condition=self.TEST_CONDITION)

    want = copy.deepcopy(self.TEST_IAM_POLICY_MIX_CONDITION)
    want.bindings[0].members.append('user:[email protected]')
    self.assertEqual(policy, want)

    self.AssertErrNotContains(
        'Adding binding with condition to a policy without condition')
def testAddBindingToIamPolicyWithCondition_Existing(self):
    """No --condition against a policy with no conditions: plain merge.

    The member is appended to the existing binding for the role, and no
    warning about mixing conditional and unconditional bindings appears.
    """
    policy = copy.deepcopy(self.TEST_IAM_POLICY_NONE_CONDITION)
    # condition=None models the user omitting --condition entirely.
    iam_util.AddBindingToIamPolicyWithCondition(
        self.messages.Binding, self.messages.Expr, policy=policy,
        member='user:[email protected]', role='roles/owner',
        condition=None)

    want = copy.deepcopy(self.TEST_IAM_POLICY_NONE_CONDITION)
    want.bindings[0].members.append('user:[email protected]')
    self.assertEqual(policy, want)

    self.AssertErrNotContains('Adding binding with condition to a policy')
def testAddBindingToIamPolicyWithCondition_SpecifyNoneCondition(self):
    """Explicit `--condition=None` on a policy that has conditions.

    An explicit None condition must be honoured without prompting: a new
    unconditional binding is appended and the "specify a condition" prompt
    text never reaches stderr.
    """
    policy = copy.deepcopy(self.TEST_IAM_POLICY_MIX_CONDITION)
    iam_util.AddBindingToIamPolicyWithCondition(
        self.messages.Binding, self.messages.Expr, policy=policy,
        member='user:[email protected]', role='roles/non-primitive',
        condition=self.TEST_CONDITION_NONE)

    new_binding = self.messages.Binding(
        members=['user:[email protected]'],
        role='roles/non-primitive',
        condition=None)
    want = copy.deepcopy(self.TEST_IAM_POLICY_MIX_CONDITION)
    want.bindings.append(new_binding)
    self.assertEqual(policy, want)

    self.AssertErrNotContains(
        'The policy contains bindings with conditions')
def testAddBindingToIamPolicyWithCondition_ErrorWhenCannotPrompt(self):
    """Non-interactive run without --condition on a conditional policy fails.

    When prompting is impossible the helper must refuse rather than guess a
    condition (silently widening a binding is the dangerous outcome), and the
    error must point the user at `--condition=None`.
    """
    self.StartPatch('googlecloudsdk.core.console.console_io.CanPrompt',
                    return_value=False)

    expected_message = (
        'Adding a binding without specifying a condition to a '
        'policy containing conditions is prohibited in non-interactive '
        'mode. Run the command again with `--condition=None`')
    policy = copy.deepcopy(self.TEST_IAM_POLICY_MIX_CONDITION)
    with self.AssertRaisesExceptionMatches(
        iam_util.IamPolicyBindingIncompleteError, expected_message):
        iam_util.AddBindingToIamPolicyWithCondition(
            self.messages.Binding, self.messages.Expr, policy=policy,
            member='user:[email protected]', role='roles/owner',
            condition=None)
def testAddBindingToIamPolicyWithCondition_NewCondition(self):
    """Explicit condition not present in the policy: new binding appended.

    The binding carries the parsed condition as an Expr (expression, title,
    description) and no "policy without condition" warning is emitted since
    the policy already contains conditional bindings.
    """
    policy = copy.deepcopy(self.TEST_IAM_POLICY_MIX_CONDITION)
    iam_util.AddBindingToIamPolicyWithCondition(
        self.messages.Binding, self.messages.Expr, policy=policy,
        member='user:[email protected]', role='roles/tester',
        condition=self.TEST_CONDITION_NEW)

    new_expr = self.messages.Expr(
        expression='ip=blacklist_ip',
        title='blacklist ip',
        description='blacklist ip description',
    )
    want = copy.deepcopy(self.TEST_IAM_POLICY_MIX_CONDITION)
    want.bindings.append(
        self.messages.Binding(members=['user:[email protected]'],
                              role='roles/tester',
                              condition=new_expr))
    self.assertEqual(policy, want)

    self.AssertErrNotContains(
        'Adding binding with condition to a policy without condition')
def Run(self, args):
    """Add a (possibly conditional) IAM binding to an organization's policy.

    Flags are validated before the policy is read, so malformed input never
    costs an API call. The fetched policy object is written back with the
    new binding merged in, so whatever etag it carries (assumed, not visible
    here) is echoed back for the service's concurrency check. Organization
    policies have the widest blast radius, so the binding is applied only
    after iam_util has resolved the condition semantics.

    Args:
      args: argparse namespace with id (organization id), member, role and
        the condition flags consumed by ValidateAndExtractConditionMutexRole.

    Returns:
      The SetIamPolicy response.
    """
    condition = iam_util.ValidateAndExtractConditionMutexRole(args)
    msgs = self.OrganizationsMessages()

    get_request = msgs.CloudresourcemanagerOrganizationsGetIamPolicyRequest(
        organizationsId=args.id,
        getIamPolicyRequest=msgs.GetIamPolicyRequest())
    policy = self.OrganizationsClient().GetIamPolicy(get_request)

    iam_util.AddBindingToIamPolicyWithCondition(
        msgs.Binding, msgs.Expr, policy, args.member, args.role, condition)

    set_request = msgs.CloudresourcemanagerOrganizationsSetIamPolicyRequest(
        organizationsId=args.id,
        setIamPolicyRequest=msgs.SetIamPolicyRequest(policy=policy))
    return self.OrganizationsClient().SetIamPolicy(set_request)
def testAddBindingToIamPolicyWithCondition_PromptNewCondition(self):
    """Interactive add without --condition, choosing 'Specify a new condition'.

    Option 3 triggers a second free-form prompt. Entering a condition equal
    to the one on the first binding must merge the member into that binding
    (no duplicate), and both prompts must be rendered on stderr in order.
    """
    self.StartPatch('googlecloudsdk.core.console.console_io.CanPrompt',
                    return_value=True)
    self.WriteInput('3')
    self.WriteInput(
        ('expression=ip=whitelist_ip,title=whitelist ip,description='
         'whitelist ip description'))

    policy = copy.deepcopy(self.TEST_IAM_POLICY_MIX_CONDITION)
    iam_util.AddBindingToIamPolicyWithCondition(
        self.messages.Binding, self.messages.Expr, policy=policy,
        member='user:[email protected]', role='roles/non-primitive',
        condition=None)

    want = copy.deepcopy(self.TEST_IAM_POLICY_MIX_CONDITION)
    want.bindings[0].members.append('user:[email protected]')
    self.assertEqual(policy, want)

    # stderr holds two JSON prompt records, one per line.
    first_line, second_line = self.GetErr().split('\n', 1)
    choice_prompt = json.loads(first_line)
    self.assertEqual(
        choice_prompt['prompt_string'],
        ('The policy contains bindings with conditions, so specifying a '
         'condition is required when adding a binding. '
         'Please specify a condition.'))
    expected_choices = [
        ('expression=ip=whitelist_ip,title=whitelist ip,'
         'description=whitelist ip description'),
        'None',
        'Specify a new condition',
    ]
    self.assertEqual(choice_prompt['choices'], expected_choices)

    self.assertEqual(
        second_line,
        '{"ux": "PROMPT_RESPONSE", "message": "Condition is either `None` or a '
        'list of key=value pairs. If not `None`, `expression` and `title` are '
        'required keys.\\nExample: --condition=expression=[expression],'
        'title=[title],description=[description].\\nSpecify the condition: "}'
    )
def testAddBindingToIamPolicyWithCondition_WARNING(self):
    """First conditional binding on an unconditional policy warns the user.

    Introducing a condition changes how later add/remove-binding calls match
    bindings, so the helper must print a WARNING while still appending the
    new conditional binding.
    """
    policy = copy.deepcopy(self.TEST_IAM_POLICY_NONE_CONDITION)
    iam_util.AddBindingToIamPolicyWithCondition(
        self.messages.Binding, self.messages.Expr, policy=policy,
        member='user:[email protected]', role='roles/owner',
        condition=self.TEST_CONDITION)

    expected_expr = self.messages.Expr(
        expression='ip=whitelist-ip',
        title='whitelist ip',
        description='whitelist ip description')
    want = copy.deepcopy(self.TEST_IAM_POLICY_NONE_CONDITION)
    want.bindings.append(
        self.messages.Binding(members=['user:[email protected]'],
                              role='roles/owner',
                              condition=expected_expr))

    self.AssertErrMatches(
        'WARNING: Adding binding with condition to a policy without condition '
        'will change the behavior of add-iam-policy-binding and '
        'remove-iam-policy-binding commands.')
    self.assertEqual(policy, want)
def _GetModifiedIamPolicyAddIamBinding(self, args, add_condition=False):
    """Fetch the resource's IAM policy and add the requested binding to it.

    Only the local policy object is modified; writing it back is the
    caller's job. Binding and (when needed) Expr message classes are looked
    up by name from the method's API surface so this works across APIs.

    Args:
      args: argparse namespace with member, role and -- when add_condition
        is set -- the condition flags consumed by
        ValidateAndExtractConditionMutexRole.
      add_condition: True if the command supports conditional bindings.

    Returns:
      The fetched IAM policy with the new binding merged in.
    """
    binding_type = self.method.GetMessageByName('Binding')

    if not add_condition:
        policy = self._GetIamPolicy(args)
        iam_util.AddBindingToIamPolicy(
            binding_type, policy, args.member, args.role)
        return policy

    # Validate flags before the read so malformed input never costs an API
    # call and does not widen the read-modify-write window.
    condition = iam_util.ValidateAndExtractConditionMutexRole(args)
    policy = self._GetIamPolicy(args)
    expr_type = self.method.GetMessageByName('Expr')
    iam_util.AddBindingToIamPolicyWithCondition(
        binding_type, expr_type, policy, args.member, args.role, condition)
    return policy