예제 #1
def test_policy_to_pb_w_condition():
    """``Policy.to_pb`` must carry a binding's condition into the proto.

    Builds a version-3 policy holding one conditional binding and checks
    that the rendered ``policy_pb2.Policy`` equals a hand-built
    expectation, with members emitted in sorted order.
    """
    from google.iam.v1 import policy_pb2
    from google.cloud.bigtable.policy import BIGTABLE_ADMIN_ROLE

    version = 3
    etag = b"ETAG"
    members = ["serviceAccount:[email protected]", "user:[email protected]"]
    condition = {
        "title": "request_time",
        "description": "Requests made before 2021-01-01T00:00:00Z",
        "expression": 'request.time < timestamp("2021-01-01T00:00:00Z")',
    }
    binding = {
        "role": BIGTABLE_ADMIN_ROLE,
        "members": set(members),
        "condition": condition,
    }

    policy = _make_policy(etag, version)
    policy.bindings = [binding]

    expected_binding = policy_pb2.Binding(
        role=BIGTABLE_ADMIN_ROLE,
        members=sorted(members),
        condition=condition,
    )
    expected = policy_pb2.Policy(
        etag=etag, version=version, bindings=[expected_binding]
    )

    assert policy.to_pb() == expected
예제 #2
    def to_pb(self):
        """Render this policy as a ``policy_pb2.Policy`` message.

        Every role present on the policy becomes one ``Binding``; its
        members are sorted so the rendering is deterministic regardless
        of insertion order. The ``etag`` is copied through untouched (the
        server uses it to reject a stale read-modify-write) and
        ``version`` falls back to ``0`` when unset.

        Returns:
            google.iam.policy_pb2.Policy: a message to be passed to the
            ``set_iam_policy`` gRPC API.
        """
        version = self.version or 0
        bindings = [
            policy_pb2.Binding(role=role, members=sorted(self[role]))
            for role in self
        ]
        return policy_pb2.Policy(
            etag=self.etag, version=version, bindings=bindings
        )
예제 #3
    def to_pb(self):
        """Render this policy as a ``policy_pb2.Policy`` message.

        One ``Binding`` is emitted per entry of ``self.bindings`` whose
        ``members`` set is non-empty; members are sorted so the output is
        deterministic. A binding's ``condition`` (when present) is passed
        through as-is. Note that IAM only accepts conditional bindings on
        policies with ``version`` 3 — this method does not enforce that,
        it relies on the caller having set ``self.version``. The ``etag``
        is copied through so the server can detect a stale
        read-modify-write.

        Returns:
            google.iam.policy_pb2.Policy: a message to be passed to the
            ``set_iam_policy`` gRPC API.
        """
        rendered = []
        for binding in self.bindings:
            members = binding["members"]
            if not members:
                # A binding without members grants nothing; drop it.
                continue
            rendered.append(
                policy_pb2.Binding(
                    role=binding["role"],
                    members=sorted(members),
                    condition=binding.get("condition"),
                )
            )
        return policy_pb2.Policy(
            etag=self.etag,
            version=self.version or 0,
            bindings=rendered,
        )
예제 #4
def test_policy_to_pb_explicit():
    """``Policy.to_pb`` renders a role assigned via item assignment.

    Assigns members to ``BIGTABLE_ADMIN_ROLE`` with ``policy[role] = ...``
    and checks the proto carries the etag, the version and exactly one
    binding whose members are in sorted order.
    """
    from google.iam.v1 import policy_pb2
    from google.cloud.bigtable.policy import BIGTABLE_ADMIN_ROLE

    version = 1
    etag = b"ETAG"
    members = ["serviceAccount:[email protected]", "user:[email protected]"]

    policy = _make_policy(etag, version)
    policy[BIGTABLE_ADMIN_ROLE] = members

    expected_binding = policy_pb2.Binding(
        role=BIGTABLE_ADMIN_ROLE, members=sorted(members)
    )
    expected = policy_pb2.Policy(
        etag=etag, version=version, bindings=[expected_binding]
    )

    assert policy.to_pb() == expected
예제 #5
 def init_iam_policy(cls, metadata, context):
     """Derive an initial IAM policy from a bucket's legacy ACL entries.

     Each ACL entry is mapped from its legacy role (READER / WRITER /
     OWNER) onto the matching ``roles/storage.legacyBucket*`` IAM role and
     becomes a one-member ``Binding``. Entries with no role or no entity,
     and roles outside the mapping, are reported through
     ``utils.error.invalid``.

     Args:
         metadata: bucket metadata; only ``metadata.acl`` is read.
         context: request context handed to ``utils.error.invalid``.

     Returns:
         policy_pb2.Policy: a version-1 policy with one binding per ACL
         entry and an etag derived from the current wall-clock time.
     """
     legacy_to_iam = {
         "READER": "roles/storage.legacyBucketReader",
         "WRITER": "roles/storage.legacyBucketWriter",
         "OWNER": "roles/storage.legacyBucketOwner",
     }
     bindings = []
     for entry in metadata.acl:
         legacy_role = entry.role
         if legacy_role is None or entry.entity is None:
             utils.error.invalid("ACL entry", context)
         role = legacy_to_iam.get(legacy_role)
         if role is None:
             utils.error.invalid("Legacy role %s" % legacy_role, context)
         # NOTE(review): assumes utils.error.invalid raises; if it only
         # reports, a binding with role=None would be appended here — confirm.
         bindings.append(policy_pb2.Binding(role=role, members=[entry.entity]))
     # The etag is a timestamp, so two policies initialised in the same
     # instant may share one; presumably acceptable for this emulator.
     etag = datetime.datetime.now().isoformat().encode("utf-8")
     return policy_pb2.Policy(version=1, bindings=bindings, etag=etag)
예제 #6
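def add_user_to_source(source_name):
    """Grant a user the findingsEditor role on a Security Command Center source.

    Reads the source's current IAM policy, adds ``user_email`` to the
    ``roles/securitycenter.findingsEditor`` binding (creating that binding
    if none exists), and writes the policy back with the original etag so
    a concurrent change is rejected rather than silently overwritten.

    Args:
        source_name (str): resource path of an existing source, in the form
            ``organizations/{organization_id}/sources/{source_id}``.

    Returns:
        tuple: the ``policy_pb2.Binding`` that now holds the user, and the
        policy returned by ``set_iam_policy``.
    """
    user_email = "*****@*****.**"
    # [START securitycenter_set_source_iam]
    from google.cloud import securitycenter
    from google.iam.v1 import policy_pb2

    client = securitycenter.SecurityCenterClient()

    # source_name is the resource path for a source that has been
    # created previously (you can use list_sources to find a specific one).
    # Its format is:
    # source_name = "organizations/{organization_id}/sources/{source_id}"
    # e.g.:
    # source_name = "organizations/111122222444/sources/1234"
    # Get the old policy so we can do an incremental update.
    old_policy = client.get_iam_policy(request={"resource": source_name})
    print("Old Policy: {}".format(old_policy))

    role = "roles/securitycenter.findingsEditor"
    # user_email is an e-mail address known to Cloud IAM (e.g. a gmail address).
    member = "user:{}".format(user_email)

    # set_iam_policy replaces the whole policy, so start from the existing
    # bindings: sending only the new binding would revoke every other grant.
    bindings = list(old_policy.bindings)

    # Reuse an existing unconditional binding for the role if there is one,
    # otherwise add a new one; either way `binding` is the one holding the user.
    binding = next(
        (b for b in bindings if b.role == role and not b.HasField("condition")),
        None,
    )
    if binding is None:
        binding = policy_pb2.Binding()
        binding.role = role
        bindings.append(binding)
    if member not in binding.members:
        binding.members.append(member)

    # Keep the etag so the write fails if the policy changed since we read
    # it, and keep the version so conditional (v3) bindings survive.
    updated = client.set_iam_policy(
        request={
            "resource": source_name,
            "policy": {
                "etag": old_policy.etag,
                "version": old_policy.version,
                "bindings": bindings,
            },
        }
    )

    print("Updated Policy: {}".format(updated))

    # [END securitycenter_set_source_iam]
    return binding, updated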