def Run(self, args): """Create service account credentials.""" file_content, is_json = _IsJsonFile(args.key_file) if is_json: cred = auth_service_account.CredentialsFromAdcDict(file_content) if args.password_file or args.prompt_for_password: raise c_exc.InvalidArgumentException( '--password-file', 'A .json service account key does not require a password.') account = cred.service_account_email if args.account and args.account != account: raise c_exc.InvalidArgumentException( 'ACCOUNT', 'The given account name does not match the account name in the key ' 'file. This argument can be omitted when using .json keys.') else: account = args.account if not account: raise c_exc.RequiredArgumentException( 'ACCOUNT', 'An account is required when using .p12 keys') password = None if args.password_file: try: with open(args.password_file) as f: password = f.read().strip() except IOError as e: raise c_exc.UnknownArgumentException('--password-file', e) elif args.prompt_for_password: password = getpass.getpass('Password: '******'Failed to activate the given service account. ' 'Please ensure provided key file is valid.') project = args.project if project: properties.PersistProperty(properties.VALUES.core.project, project) log.status.Print('Activated service account credentials for: [{0}]' .format(account))
def SetScanConfigAuth(unused_ref, args, request): """Modify request hook to set scan config details. Args: unused_ref: not used parameter to modify request hooks args: Parsed args namespace request: The partially filled request object. Returns: Request object with Authentication message filled out. """ c = wss_base.WebSecurityScannerCommand() if args.auth_type is None: if any([args.auth_user, args.auth_password, args.auth_url]): raise exceptions.RequiredArgumentException( '--auth-type', 'Required when setting authentication flags.') return request if args.auth_type == 'none': if any([args.auth_user, args.auth_password, args.auth_url]): raise exceptions.InvalidArgumentException( '--auth-type', 'No other auth flags can be set with --auth-type=none') return request if request.scanConfig is None: request.scanConfig = c.messages.ScanConfig() request.scanConfig.authentication = c.messages.Authentication() if args.auth_type == 'google': _RequireAllFlagsOrRaiseForAuthType(args, ['auth_user', 'auth_password'], 'google') request.scanConfig.authentication.googleAccount = c.messages.GoogleAccount( username=args.auth_user, password=args.auth_password) elif args.auth_type == 'custom': _RequireAllFlagsOrRaiseForAuthType( args, ['auth_user', 'auth_password', 'auth_url'], 'custom') request.scanConfig.authentication.customAccount = c.messages.CustomAccount( username=args.auth_user, password=args.auth_password, loginUrl=args.auth_url) else: raise exceptions.UnknownArgumentException('--auth-type', args.auth_type) return request
def Run(self, args): """Revoke credentials and update active account.""" accounts = args.accounts or [] if isinstance(accounts, str): accounts = [accounts] available_accounts = c_store.AvailableAccounts() unknown_accounts = set(accounts) - set(available_accounts) if unknown_accounts: raise c_exc.UnknownArgumentException('accounts', ' '.join(unknown_accounts)) if args.all: accounts = available_accounts active_account = properties.VALUES.core.account.Get() if not accounts and active_account: accounts = [active_account] if not accounts: raise c_exc.InvalidArgumentException( 'accounts', 'No credentials available to revoke.') for account in accounts: if active_account == account: properties.PersistProperty(properties.VALUES.core.account, None) if not c_store.Revoke(account, use_google_auth=not args.use_oauth2client): if account.endswith('.gserviceaccount.com'): log.warning( '[{}] appears to be a service account. Service account tokens ' 'cannot be revoked, but they will expire automatically. To ' 'prevent use of the service account token earlier than the ' 'expiration, revoke the parent service account or service ' 'account key.'.format(account)) else: log.warning( '[{}] already inactive (previously revoked?)'.format( account)) return accounts
def _GetDefaultsFromAndroidCatalog(catalog): """Builds a default dimensions dictionary using the environment catalog. Args: catalog: the Android environment catalog. Returns: A dictionary containing the default dimensions. If there is more than one dimension value marked as default (a bug), the first one found is used. Return value is formatted to be used with _ApplyLowerPriorityArgs. Raises: exceptions.UnknownArgumentException: if the default argument could not be detected from the catalog response. """ catalog_by_dimension = { 'device_ids': catalog.models, 'os_version_ids': catalog.versions, 'locales': catalog.runtimeConfiguration.locales, 'orientations': catalog.runtimeConfiguration.orientations } defaults = { 'device_ids': None, 'os_version_ids': None, 'locales': None, 'orientations': None } for dimension_name in catalog_by_dimension: for dimension in catalog_by_dimension[dimension_name]: if 'default' in dimension.tags: defaults[dimension_name] = [dimension.id] break if defaults[dimension_name] is None: raise exceptions.UnknownArgumentException( dimension_name, 'Testing service failed to provide a default argument.') return defaults
def ListDenyPolicies(resource_id, resource_type, release_track): """Gets the IAM Deny policies for an organization. Args: resource_id: id for the resource resource_type: what type of a resource the id represents. Either organization, project, or folder release_track: ALPHA or BETA, GA not supported Returns: The output from the ListPolicies API call for deny policies for the passed resource. """ client = GetClientInstance(release_track) messages = GetMessagesModule(release_track) policies_to_return = [] if resource_type in ['organization', 'folder', 'project']: attachment_point = 'policies/cloudresourcemanager.googleapis.com%2F{}s%2F{}/denypolicies'.format( resource_type, resource_id) policies_to_fetch = client.policies.ListPolicies( messages.IamPoliciesListPoliciesRequest( parent=attachment_point)).policies for policy_metadata in policies_to_fetch: policy = client.policies.Get( messages.IamPoliciesGetRequest(name=policy_metadata.name)) policies_to_return.append(policy) return policies_to_return raise gcloud_exceptions.UnknownArgumentException('resource_type', resource_type)
def Run(self, args): holder = base_classes.ComputeApiHolder(self.ReleaseTrack()) client = holder.client messages = holder.client.messages instance_ref = instances_flags.INSTANCE_ARG.ResolveAsResource( args, holder.resources, scope_lister=flags.GetDefaultScopeLister(holder.client)) instance = client.apitools_client.instances.Get( messages.ComputeInstancesGetRequest(**instance_ref.AsDict())) for i in instance.networkInterfaces: if i.name == args.network_interface: break else: raise exceptions.UnknownArgumentException( 'network-interface', 'Instance does not have a network interface [{}], ' 'present interfaces are [{}].'.format( args.network_interface, ', '.join([i.name for i in instance.networkInterfaces]))) request = messages.ComputeInstancesGetEffectiveFirewallsRequest( project=instance_ref.project, instance=instance_ref.instance, zone=instance_ref.zone, networkInterface=args.network_interface) res = client.apitools_client.instances.GetEffectiveFirewalls(request) org_firewall = [] network_firewall = [] org_firewall_policy = [] all_firewall_policy = [] if hasattr(res, 'firewalls'): network_firewall = firewalls_utils.SortNetworkFirewallRules( client, res.firewalls) if hasattr(res, 'firewallPolicys') and res.firewallPolicys: for fp in res.firewallPolicys: firewall_policy_rule = firewalls_utils.SortFirewallPolicyRules( client, fp.rules) if (fp.type == client.messages .InstancesGetEffectiveFirewallsResponseEffectiveFirewallPolicy .TypeValueValuesEnum.HIERARCHY): fp_response = ( client.messages .InstancesGetEffectiveFirewallsResponseEffectiveFirewallPolicy( name=fp.name, rules=firewall_policy_rule)) org_firewall_policy.append(fp_response) all_firewall_policy.append(fp_response) elif hasattr(res, 'organizationFirewalls'): for sp in res.organizationFirewalls: org_firewall_rule = firewalls_utils.SortOrgFirewallRules( client, sp.rules) org_firewall.append( client.messages .InstancesGetEffectiveFirewallsResponseOrganizationFirewallPolicy( id=sp.id, rules=org_firewall_rule)) if args.IsSpecified('format') and args.format == 'json': return client.messages.InstancesGetEffectiveFirewallsResponse( organizationFirewalls=org_firewall, firewalls=network_firewall, firewallPolicys=all_firewall_policy) result = [] for fp in org_firewall_policy: result.extend( firewalls_utils.ConvertFirewallPolicyRulesToEffectiveFwRules(fp)) for sp in org_firewall: result.extend( firewalls_utils.ConvertOrgSecurityPolicyRulesToEffectiveFwRules(sp)) result.extend( firewalls_utils.ConvertNetworkFirewallRulesToEffectiveFwRules( network_firewall)) return result
def MakeSubnetworkUpdateRequest( client, subnet_ref, include_alpha_logging, enable_private_ip_google_access=None, add_secondary_ranges=None, remove_secondary_ranges=None, enable_flow_logs=None, aggregation_interval=None, flow_sampling=None, metadata=None, set_role_active=None, drain_timeout_seconds=None, enable_private_ipv6_access=None, private_ipv6_google_access_type=None, private_ipv6_google_access_service_accounts=None): """Make the appropriate update request for the args. Args: client: GCE API client subnet_ref: Reference to a subnetwork include_alpha_logging: Include alpha-specific logging args. enable_private_ip_google_access: Enable/disable access to Google Cloud APIs from this subnet for instances without a public ip address. add_secondary_ranges: List of secondary IP ranges to add to the subnetwork for use in IP aliasing. remove_secondary_ranges: List of secondary ranges to remove from the subnetwork. enable_flow_logs: Enable/disable flow logging for this subnet. aggregation_interval: The internal at which to aggregate flow logs. flow_sampling: The sampling rate for flow logging in this subnet. metadata: Whether metadata fields should be added reported flow logs. set_role_active: Updates the role of a BACKUP subnet to ACTIVE. drain_timeout_seconds: The maximum amount of time to drain connections from the active subnet to the backup subnet with set_role_active=True. enable_private_ipv6_access: Enable/disable private IPv6 access for the subnet. private_ipv6_google_access_type: The private IPv6 google access type for the VMs in this subnet. private_ipv6_google_access_service_accounts: The service accounts can be used to selectively turn on Private IPv6 Google Access only on the VMs primary service account matching the value. Returns: response, result of sending the update request for the subnetwork """ convert_to_enum = lambda x: x.replace('-', '_').upper() if enable_private_ip_google_access is not None: google_access = ( client.messages.SubnetworksSetPrivateIpGoogleAccessRequest()) google_access.privateIpGoogleAccess = enable_private_ip_google_access google_access_request = ( client.messages.ComputeSubnetworksSetPrivateIpGoogleAccessRequest( project=subnet_ref.project, region=subnet_ref.region, subnetwork=subnet_ref.Name(), subnetworksSetPrivateIpGoogleAccessRequest=google_access)) return client.MakeRequests([ (client.apitools_client.subnetworks, 'SetPrivateIpGoogleAccess', google_access_request) ]) elif add_secondary_ranges is not None: subnetwork = client.MakeRequests([ (client.apitools_client.subnetworks, 'Get', client.messages.ComputeSubnetworksGetRequest( **subnet_ref.AsDict())) ])[0] for secondary_range in add_secondary_ranges: for range_name, ip_cidr_range in sorted( six.iteritems(secondary_range)): subnetwork.secondaryIpRanges.append( client.messages.SubnetworkSecondaryRange( rangeName=range_name, ipCidrRange=ip_cidr_range)) return client.MakeRequests( [CreateSubnetworkPatchRequest(client, subnet_ref, subnetwork)]) elif remove_secondary_ranges is not None: subnetwork = client.MakeRequests([ (client.apitools_client.subnetworks, 'Get', client.messages.ComputeSubnetworksGetRequest( **subnet_ref.AsDict())) ])[0] for name in remove_secondary_ranges[0]: if name not in [r.rangeName for r in subnetwork.secondaryIpRanges]: raise calliope_exceptions.UnknownArgumentException( 'remove-secondary-ranges', 'Subnetwork does not have a range {}, ' 'present ranges are {}.'.format( name, [r.rangeName for r in subnetwork.secondaryIpRanges])) subnetwork.secondaryIpRanges = [ r for r in subnetwork.secondaryIpRanges if r.rangeName not in remove_secondary_ranges[0] ] cleared_fields = [] if not subnetwork.secondaryIpRanges: cleared_fields.append('secondaryIpRanges') with client.apitools_client.IncludeFields(cleared_fields): return client.MakeRequests( [CreateSubnetworkPatchRequest(client, subnet_ref, subnetwork)]) elif (enable_flow_logs is not None or aggregation_interval is not None or flow_sampling is not None or metadata is not None): subnetwork = client.messages.Subnetwork() original_subnetwork = client.MakeRequests([ (client.apitools_client.subnetworks, 'Get', client.messages.ComputeSubnetworksGetRequest( **subnet_ref.AsDict())) ])[0] subnetwork.fingerprint = original_subnetwork.fingerprint if include_alpha_logging: log_config = client.messages.SubnetworkLogConfig( enable=enable_flow_logs) if aggregation_interval is not None: log_config.aggregationInterval = ( flags.GetLoggingAggregationIntervalArgAlpha( client.messages).GetEnumForChoice(aggregation_interval) ) if flow_sampling is not None: log_config.flowSampling = flow_sampling if metadata is not None: log_config.metadata = flags.GetLoggingMetadataArgAlpha( client.messages).GetEnumForChoice(metadata) subnetwork.logConfig = log_config else: log_config = client.messages.SubnetworkLogConfig( enable=enable_flow_logs) if aggregation_interval is not None: log_config.aggregationInterval = flags.GetLoggingAggregationIntervalArg( client.messages).GetEnumForChoice(aggregation_interval) if flow_sampling is not None: log_config.flowSampling = flow_sampling if metadata is not None: log_config.metadata = flags.GetLoggingMetadataArg( client.messages).GetEnumForChoice(metadata) subnetwork.logConfig = log_config return client.MakeRequests( [CreateSubnetworkPatchRequest(client, subnet_ref, subnetwork)]) elif (private_ipv6_google_access_type is not None or private_ipv6_google_access_service_accounts is not None): subnetwork = client.MakeRequests([ (client.apitools_client.subnetworks, 'Get', client.messages.ComputeSubnetworksGetRequest( **subnet_ref.AsDict())) ])[0] cleared_fields = [] if private_ipv6_google_access_type is not None: subnetwork.privateIpv6GoogleAccess = ( client.messages.Subnetwork. PrivateIpv6GoogleAccessValueValuesEnum( ConvertPrivateIpv6GoogleAccess( convert_to_enum(private_ipv6_google_access_type)))) if private_ipv6_google_access_service_accounts is not None: subnetwork.privateIpv6GoogleAccessServiceAccounts = ( private_ipv6_google_access_service_accounts) if not private_ipv6_google_access_service_accounts: cleared_fields.append('privateIpv6GoogleAccessServiceAccounts') with client.apitools_client.IncludeFields(cleared_fields): return client.MakeRequests( [CreateSubnetworkPatchRequest(client, subnet_ref, subnetwork)]) elif enable_private_ipv6_access is not None: subnetwork = client.MakeRequests([ (client.apitools_client.subnetworks, 'Get', client.messages.ComputeSubnetworksGetRequest( **subnet_ref.AsDict())) ])[0] subnetwork.enablePrivateV6Access = enable_private_ipv6_access subnetwork.privateIpv6GoogleAccess = None return client.MakeRequests( [CreateSubnetworkPatchRequest(client, subnet_ref, subnetwork)]) elif set_role_active is not None: subnetwork = client.MakeRequests([ (client.apitools_client.subnetworks, 'Get', client.messages.ComputeSubnetworksGetRequest( **subnet_ref.AsDict())) ])[0] subnetwork.role = client.messages.Subnetwork.RoleValueValuesEnum.ACTIVE patch_request = client.messages.ComputeSubnetworksPatchRequest( project=subnet_ref.project, subnetwork=subnet_ref.subnetwork, region=subnet_ref.region, subnetworkResource=subnetwork, drainTimeoutSeconds=drain_timeout_seconds) return client.MakeRequests([(client.apitools_client.subnetworks, 'Patch', patch_request)]) return client.MakeRequests([])
def Run(self, args): holder = base_classes.ComputeApiHolder(self.ReleaseTrack()) client = holder.client.apitools_client messages = holder.client.messages resources = holder.resources instance_ref = instances_flags.INSTANCE_ARG.ResolveAsResource( args, holder.resources, scope_lister=flags.GetDefaultScopeLister(holder.client)) instance = client.instances.Get( messages.ComputeInstancesGetRequest(**instance_ref.AsDict())) for i in instance.networkInterfaces: if i.name == args.network_interface: fingerprint = i.fingerprint break else: raise exceptions.UnknownArgumentException( 'network-interface', 'Instance does not have a network interface [{}], ' 'present interfaces are [{}].'.format( args.network_interface, ', '.join([i.name for i in instance.networkInterfaces]))) network_uri = None if getattr(args, 'network', None) is not None: network_uri = resources.Parse( args.network, { 'project': instance_ref.project }, collection='compute.networks').SelfLink() subnetwork_uri = None if getattr(args, 'subnetwork', None) is not None: region = api_utils.ZoneNameToRegionName(instance_ref.zone) subnetwork_uri = resources.Parse( args.subnetwork, { 'project': instance_ref.project, 'region': region }, collection='compute.subnetworks').SelfLink() patch_network_interface = messages.NetworkInterface( aliasIpRanges=( alias_ip_range_utils.CreateAliasIpRangeMessagesFromString( messages, True, args.aliases)), network=network_uri, subnetwork=subnetwork_uri, networkIP=getattr(args, 'private_network_ip', None), fingerprint=fingerprint) request = messages.ComputeInstancesUpdateNetworkInterfaceRequest( project=instance_ref.project, instance=instance_ref.instance, zone=instance_ref.zone, networkInterface=args.network_interface, networkInterfaceResource=patch_network_interface) cleared_fields = [] if not patch_network_interface.aliasIpRanges: cleared_fields.append('aliasIpRanges') with client.IncludeFields(cleared_fields): operation = client.instances.UpdateNetworkInterface(request) operation_ref = holder.resources.Parse( operation.selfLink, collection='compute.zoneOperations') operation_poller = poller.Poller(client.instances) return waiter.WaitFor( operation_poller, operation_ref, 'Updating network interface [{0}] of instance [{1}]'.format( args.network_interface, instance_ref.Name()))
def Run(self, args): """Revoke credentials and update active account.""" accounts = args.accounts or [] if isinstance(accounts, str): accounts = [accounts] available_accounts = c_store.AvailableAccounts() unknown_accounts = set(accounts) - set(available_accounts) if unknown_accounts: raise c_exc.UnknownArgumentException( 'accounts', ' '.join(unknown_accounts)) if args.all: accounts = available_accounts active_account = properties.VALUES.core.account.Get() if not accounts and active_account: accounts = [active_account] if not accounts: raise c_exc.InvalidArgumentException( 'accounts', 'No credentials available to revoke.') for account in accounts: if active_account == account: properties.PersistProperty(properties.VALUES.core.account, None) # External account and external account user credentials cannot be # revoked. # Detect these type of credentials to show a more user friendly message # on revocation calls. # Note that impersonated external account credentials will appear like # service accounts. These will end with gserviceaccount.com and will be # handled the same way service account credentials are handled. try: creds = c_store.Load( account, prevent_refresh=True, use_google_auth=True) except creds_exceptions.Error: # Ignore all errors. These will be properly handled in the subsequent # Revoke call. creds = None if not c_store.Revoke(account): if account.endswith('.gserviceaccount.com'): log.warning( '[{}] appears to be a service account. Service account tokens ' 'cannot be revoked, but they will expire automatically. To ' 'prevent use of the service account token earlier than the ' 'expiration, delete or disable the parent service account.' .format(account)) elif c_creds.IsExternalAccountCredentials(creds): log.warning( '[{}] appears to be an external account. External account ' 'tokens cannot be revoked, but they will expire automatically.' .format(account)) elif c_creds.IsExternalAccountUserCredentials(creds): log.warning( '[{}] appears to be an external account user. External account ' 'user tokens cannot be revoked, but they will expire ' 'automatically.'.format(account)) else: log.warning( '[{}] already inactive (previously revoked?)'.format(account)) return accounts
def Run(self, args): """Create service account credentials.""" try: private_key = open(args.key_file, 'rb').read() except IOError as e: raise c_exc.BadFileException(e) json_key = None try: json_key = json.loads(private_key) except ValueError: pass account = None if json_key: if args.password_file or args.prompt_for_password: raise c_exc.InvalidArgumentException( '--password-file', 'A .json service account key does not require a password.') account = json_key.get('client_email', None) if not account: raise c_exc.ToolException( 'The .json key file is not in a valid format.') if args.account and args.account != account: raise c_exc.InvalidArgumentException( 'ACCOUNT', 'The given account name does not match the account name in the key ' 'file. This argument can be omitted when using .json keys.') cred = service_account.ServiceAccountCredentials( service_account_id=json_key['client_id'], service_account_email=json_key['client_email'], private_key_id=json_key['private_key_id'], private_key_pkcs8_text=json_key['private_key'], scopes=config.CLOUDSDK_SCOPES, user_agent=config.CLOUDSDK_USER_AGENT) else: account = args.account if not account: raise c_exc.RequiredArgumentException( 'ACCOUNT', 'An account is required when using .p12 keys') password = None if args.password_file: try: password = open(args.password_file).read().strip() except IOError as e: raise c_exc.UnknownArgumentException('--password-file', e) if args.prompt_for_password: password = getpass.getpass('Password: '******'CLOUDSDK_PYTHON_SITEPACKAGES'): raise c_exc.ToolException( ('PyOpenSSL is not available. If you have already installed ' 'PyOpenSSL, you will need to enable site packages by ' 'setting the environment variable CLOUDSDK_PYTHON_SITEPACKAGES ' 'to 1. If that does not work, see ' 'https://developers.google.com/cloud/sdk/crypto for details.')) else: raise c_exc.ToolException( ('PyOpenSSL is not available. See ' 'https://developers.google.com/cloud/sdk/crypto for details.')) if password: cred = client.SignedJwtAssertionCredentials( service_account_name=account, private_key=private_key, scope=config.CLOUDSDK_SCOPES, private_key_password=password, user_agent=config.CLOUDSDK_USER_AGENT) else: cred = client.SignedJwtAssertionCredentials( service_account_name=account, private_key=private_key, scope=config.CLOUDSDK_SCOPES, user_agent=config.CLOUDSDK_USER_AGENT) try: c_store.Refresh(cred) except c_store.RefreshError: log.error( 'Failed to activate the given service account. Please ensure the ' 'key is valid and that you have provided the correct account name.') raise c_store.Store(cred, account) properties.PersistProperty(properties.VALUES.core.account, account) project = args.project if project: properties.PersistProperty(properties.VALUES.core.project, project) log.status.Print('Activated service account credentials for: [{0}]' .format(account)) return cred
def Run(self, args): holder = base_classes.ComputeApiHolder(self.ReleaseTrack()) client = holder.client.apitools_client messages = holder.client.messages resources = holder.resources instance_ref = instances_flags.INSTANCE_ARG.ResolveAsResource( args, holder.resources, scope_lister=flags.GetDefaultScopeLister(holder.client)) instance = client.instances.Get( messages.ComputeInstancesGetRequest(**instance_ref.AsDict())) for i in instance.networkInterfaces: if i.name == args.network_interface: fingerprint = i.fingerprint break else: raise exceptions.UnknownArgumentException( 'network-interface', 'Instance does not have a network interface [{}], ' 'present interfaces are [{}].'.format( args.network_interface, ', '.join([i.name for i in instance.networkInterfaces]))) network_uri = None if getattr(args, 'network', None) is not None: network_uri = resources.Parse( args.network, { 'project': instance_ref.project }, collection='compute.networks').SelfLink() subnetwork_uri = None if getattr(args, 'subnetwork', None) is not None: region = api_utils.ZoneNameToRegionName(instance_ref.zone) subnetwork_uri = resources.Parse( args.subnetwork, { 'project': instance_ref.project, 'region': region }, collection='compute.subnetworks').SelfLink() stack_type = getattr(args, 'stack_type', None) if stack_type is not None: stack_type_enum = ( messages.NetworkInterface.StackTypeValueValuesEnum(stack_type)) ipv6_network_tier = getattr(args, 'ipv6_network_tier', None) ipv6_access_configs = [] if ipv6_network_tier is not None: # If provide IPv6 network tier then set IPv6 access config in request. ipv6_access_config = messages.AccessConfig( name=constants.DEFAULT_IPV6_ACCESS_CONFIG_NAME, type=messages.AccessConfig.TypeValueValuesEnum.DIRECT_IPV6) ipv6_access_config.networkTier = ( messages.AccessConfig.NetworkTierValueValuesEnum( ipv6_network_tier)) ipv6_access_configs = [ipv6_access_config] patch_network_interface = messages.NetworkInterface( aliasIpRanges=( alias_ip_range_utils.CreateAliasIpRangeMessagesFromString( messages, True, args.aliases)), network=network_uri, subnetwork=subnetwork_uri, networkIP=getattr(args, 'private_network_ip', None), stackType=stack_type_enum, ipv6AccessConfigs=ipv6_access_configs, fingerprint=fingerprint) else: patch_network_interface = messages.NetworkInterface( aliasIpRanges=( alias_ip_range_utils.CreateAliasIpRangeMessagesFromString( messages, True, args.aliases)), network=network_uri, subnetwork=subnetwork_uri, networkIP=getattr(args, 'private_network_ip', None), fingerprint=fingerprint) request = messages.ComputeInstancesUpdateNetworkInterfaceRequest( project=instance_ref.project, instance=instance_ref.instance, zone=instance_ref.zone, networkInterface=args.network_interface, networkInterfaceResource=patch_network_interface) cleared_fields = [] if not patch_network_interface.aliasIpRanges: cleared_fields.append('aliasIpRanges') with client.IncludeFields(cleared_fields): operation = client.instances.UpdateNetworkInterface(request) operation_ref = holder.resources.Parse( operation.selfLink, collection='compute.zoneOperations') operation_poller = poller.Poller(client.instances) return waiter.WaitFor( operation_poller, operation_ref, 'Updating network interface [{0}] of instance [{1}]'.format( args.network_interface, instance_ref.Name()))
def MakeSubnetworkUpdateRequest( client, subnet_ref, enable_private_ip_google_access=None, add_secondary_ranges=None, add_secondary_ranges_with_reserved_internal_range=None, remove_secondary_ranges=None, enable_flow_logs=None, aggregation_interval=None, flow_sampling=None, metadata=None, filter_expr=None, metadata_fields=None, set_new_purpose=None, set_role_active=None, drain_timeout_seconds=None, private_ipv6_google_access_type=None, stack_type=None, ipv6_access_type=None, ): """Make the appropriate update request for the args. Args: client: GCE API client subnet_ref: Reference to a subnetwork enable_private_ip_google_access: Enable/disable access to Google Cloud APIs from this subnet for instances without a public ip address. add_secondary_ranges: List of secondary IP ranges to add to the subnetwork for use in IP aliasing. add_secondary_ranges_with_reserved_internal_range: List of secondary IP ranges that are associated with InternalRange resources. remove_secondary_ranges: List of secondary ranges to remove from the subnetwork. enable_flow_logs: Enable/disable flow logging for this subnet. aggregation_interval: The internal at which to aggregate flow logs. flow_sampling: The sampling rate for flow logging in this subnet. metadata: Whether metadata fields should be added reported flow logs. filter_expr: custom CEL expression for filtering flow logs metadata_fields: custom metadata fields to be added to flow logs set_new_purpose: Update the purpose of the subnet. set_role_active: Updates the role of a BACKUP subnet to ACTIVE. drain_timeout_seconds: The maximum amount of time to drain connections from the active subnet to the backup subnet with set_role_active=True. private_ipv6_google_access_type: The private IPv6 google access type for the VMs in this subnet. stack_type: The stack type for this subnet. ipv6_access_type: The IPv6 access type for this subnet. Returns: response, result of sending the update request for the subnetwork """ convert_to_enum = lambda x: x.replace('-', '_').upper() if enable_private_ip_google_access is not None: google_access = ( client.messages.SubnetworksSetPrivateIpGoogleAccessRequest()) google_access.privateIpGoogleAccess = enable_private_ip_google_access google_access_request = ( client.messages.ComputeSubnetworksSetPrivateIpGoogleAccessRequest( project=subnet_ref.project, region=subnet_ref.region, subnetwork=subnet_ref.Name(), subnetworksSetPrivateIpGoogleAccessRequest=google_access)) return client.MakeRequests([ (client.apitools_client.subnetworks, 'SetPrivateIpGoogleAccess', google_access_request) ]) elif (add_secondary_ranges is not None or add_secondary_ranges_with_reserved_internal_range is not None): subnetwork = client.messages.Subnetwork() original_subnetwork = client.MakeRequests([ (client.apitools_client.subnetworks, 'Get', client.messages.ComputeSubnetworksGetRequest( **subnet_ref.AsDict())) ])[0] subnetwork.secondaryIpRanges = original_subnetwork.secondaryIpRanges subnetwork.fingerprint = original_subnetwork.fingerprint subnetwork.secondaryIpRanges.extend( CreateSecondaryRanges( client, add_secondary_ranges, add_secondary_ranges_with_reserved_internal_range)) return client.MakeRequests( [CreateSubnetworkPatchRequest(client, subnet_ref, subnetwork)]) elif remove_secondary_ranges is not None: subnetwork = client.messages.Subnetwork() original_subnetwork = client.MakeRequests([ (client.apitools_client.subnetworks, 'Get', client.messages.ComputeSubnetworksGetRequest( **subnet_ref.AsDict())) ])[0] subnetwork.secondaryIpRanges = original_subnetwork.secondaryIpRanges subnetwork.fingerprint = original_subnetwork.fingerprint for name in remove_secondary_ranges[0]: if name not in [r.rangeName for r in subnetwork.secondaryIpRanges]: raise calliope_exceptions.UnknownArgumentException( 'remove-secondary-ranges', 'Subnetwork does not have a range {}, ' 'present ranges are {}.'.format( name, [r.rangeName for r in subnetwork.secondaryIpRanges])) subnetwork.secondaryIpRanges = [ r for r in original_subnetwork.secondaryIpRanges if r.rangeName not in remove_secondary_ranges[0] ] cleared_fields = [] if not subnetwork.secondaryIpRanges: cleared_fields.append('secondaryIpRanges') with client.apitools_client.IncludeFields(cleared_fields): return client.MakeRequests( [CreateSubnetworkPatchRequest(client, subnet_ref, subnetwork)]) elif (enable_flow_logs is not None or aggregation_interval is not None or flow_sampling is not None or metadata is not None or filter_expr is not None or metadata_fields is not None): subnetwork = client.messages.Subnetwork() original_subnetwork = client.MakeRequests([ (client.apitools_client.subnetworks, 'Get', client.messages.ComputeSubnetworksGetRequest( **subnet_ref.AsDict())) ])[0] subnetwork.fingerprint = original_subnetwork.fingerprint log_config = client.messages.SubnetworkLogConfig( enable=enable_flow_logs) if aggregation_interval is not None: log_config.aggregationInterval = flags.GetLoggingAggregationIntervalArg( client.messages).GetEnumForChoice(aggregation_interval) if flow_sampling is not None: log_config.flowSampling = flow_sampling if metadata is not None: log_config.metadata = flags.GetLoggingMetadataArg( client.messages).GetEnumForChoice(metadata) if filter_expr is not None: log_config.filterExpr = filter_expr if metadata_fields is not None: log_config.metadataFields = metadata_fields subnetwork.logConfig = log_config return client.MakeRequests( [CreateSubnetworkPatchRequest(client, subnet_ref, subnetwork)]) elif private_ipv6_google_access_type is not None: subnetwork = client.messages.Subnetwork() original_subnetwork = client.MakeRequests([ (client.apitools_client.subnetworks, 'Get', client.messages.ComputeSubnetworksGetRequest( **subnet_ref.AsDict())) ])[0] subnetwork.fingerprint = original_subnetwork.fingerprint subnetwork.privateIpv6GoogleAccess = ( client.messages.Subnetwork.PrivateIpv6GoogleAccessValueValuesEnum( ConvertPrivateIpv6GoogleAccess( convert_to_enum(private_ipv6_google_access_type)))) return client.MakeRequests( [CreateSubnetworkPatchRequest(client, subnet_ref, subnetwork)]) elif set_new_purpose is not None: subnetwork = client.messages.Subnetwork() original_subnetwork = client.MakeRequests([ (client.apitools_client.subnetworks, 'Get', client.messages.ComputeSubnetworksGetRequest( **subnet_ref.AsDict())) ])[0] subnetwork.fingerprint = original_subnetwork.fingerprint subnetwork.purpose = client.messages.Subnetwork.PurposeValueValuesEnum( set_new_purpose) return client.MakeRequests( [CreateSubnetworkPatchRequest(client, subnet_ref, subnetwork)]) elif set_role_active is not None: subnetwork = client.messages.Subnetwork() original_subnetwork = client.MakeRequests([ (client.apitools_client.subnetworks, 'Get', client.messages.ComputeSubnetworksGetRequest( **subnet_ref.AsDict())) ])[0] subnetwork.fingerprint = original_subnetwork.fingerprint subnetwork.role = client.messages.Subnetwork.RoleValueValuesEnum.ACTIVE patch_request = client.messages.ComputeSubnetworksPatchRequest( project=subnet_ref.project, subnetwork=subnet_ref.subnetwork, region=subnet_ref.region, subnetworkResource=subnetwork, drainTimeoutSeconds=drain_timeout_seconds) return client.MakeRequests([(client.apitools_client.subnetworks, 'Patch', patch_request)]) elif stack_type is not None: subnetwork = client.messages.Subnetwork() original_subnetwork = client.MakeRequests([ (client.apitools_client.subnetworks, 'Get', client.messages.ComputeSubnetworksGetRequest( **subnet_ref.AsDict())) ])[0] subnetwork.fingerprint = original_subnetwork.fingerprint subnetwork.stackType = ( client.messages.Subnetwork.StackTypeValueValuesEnum(stack_type)) if ipv6_access_type is not None: subnetwork.ipv6AccessType = ( client.messages.Subnetwork.Ipv6AccessTypeValueValuesEnum( ipv6_access_type)) return client.MakeRequests( [CreateSubnetworkPatchRequest(client, subnet_ref, subnetwork)]) return client.MakeRequests([])
def MakeSubnetworkUpdateRequest(client, subnet_ref, enable_private_ip_google_access=None, add_secondary_ranges=None, remove_secondary_ranges=None, enable_flow_logs=None, aggregation_interval=None, flow_sampling=None, metadata=None, set_role_active=None, drain_timeout_seconds=None): """Make the appropriate update request for the args. Args: client: GCE API client subnet_ref: Reference to a subnetwork enable_private_ip_google_access: Enable/disable access to Google Cloud APIs from this subnet for instances without a public ip address. add_secondary_ranges: List of secondary IP ranges to add to the subnetwork for use in IP aliasing. remove_secondary_ranges: List of secondary ranges to remove from the subnetwork. enable_flow_logs: Enable/disable flow logging for this subnet. aggregation_interval: The internal at which to aggregate flow logs. flow_sampling: The sampling rate for flow logging in this subnet. metadata: Whether metadata fields should be added reported flow logs. set_role_active: Updates the role of a BACKUP subnet to ACTIVE. drain_timeout_seconds: The maximum amount of time to drain connections from the active subnet to the backup subnet with set_role_active=True. Returns: response, result of sending the update request for the subnetwork """ convert_to_enum = lambda x: x.replace('-', '_').upper() if enable_private_ip_google_access is not None: google_access = ( client.messages.SubnetworksSetPrivateIpGoogleAccessRequest()) google_access.privateIpGoogleAccess = enable_private_ip_google_access google_access_request = ( client.messages.ComputeSubnetworksSetPrivateIpGoogleAccessRequest( project=subnet_ref.project, region=subnet_ref.region, subnetwork=subnet_ref.Name(), subnetworksSetPrivateIpGoogleAccessRequest=google_access)) return client.MakeRequests([ (client.apitools_client.subnetworks, 'SetPrivateIpGoogleAccess', google_access_request) ]) elif add_secondary_ranges is not None: subnetwork = client.MakeRequests([ (client.apitools_client.subnetworks, 'Get', client.messages.ComputeSubnetworksGetRequest( **subnet_ref.AsDict())) ])[0] for secondary_range in add_secondary_ranges: for range_name, ip_cidr_range in sorted( six.iteritems(secondary_range)): subnetwork.secondaryIpRanges.append( client.messages.SubnetworkSecondaryRange( rangeName=range_name, ipCidrRange=ip_cidr_range)) return client.MakeRequests( [CreateSubnetworkPatchRequest(client, subnet_ref, subnetwork)]) elif remove_secondary_ranges is not None: subnetwork = client.MakeRequests([ (client.apitools_client.subnetworks, 'Get', client.messages.ComputeSubnetworksGetRequest( **subnet_ref.AsDict())) ])[0] for name in remove_secondary_ranges[0]: if name not in [r.rangeName for r in subnetwork.secondaryIpRanges]: raise calliope_exceptions.UnknownArgumentException( 'remove-secondary-ranges', 'Subnetwork does not have a range {}, ' 'present ranges are {}.'.format( name, [r.rangeName for r in subnetwork.secondaryIpRanges])) subnetwork.secondaryIpRanges = [ r for r in subnetwork.secondaryIpRanges if r.rangeName not in remove_secondary_ranges[0] ] cleared_fields = [] if not subnetwork.secondaryIpRanges: cleared_fields.append('secondaryIpRanges') with client.apitools_client.IncludeFields(cleared_fields): return client.MakeRequests( [CreateSubnetworkPatchRequest(client, subnet_ref, subnetwork)]) elif enable_flow_logs is not None: subnetwork = client.messages.Subnetwork() subnetwork.fingerprint = client.MakeRequests([ (client.apitools_client.subnetworks, 'Get', client.messages.ComputeSubnetworksGetRequest( **subnet_ref.AsDict())) ])[0].fingerprint subnetwork.enableFlowLogs = enable_flow_logs return client.MakeRequests( [CreateSubnetworkPatchRequest(client, subnet_ref, subnetwork)]) elif aggregation_interval is not None: subnetwork = client.messages.Subnetwork() subnetwork.fingerprint = client.MakeRequests([ (client.apitools_client.subnetworks, 'Get', client.messages.ComputeSubnetworksGetRequest( **subnet_ref.AsDict())) ])[0].fingerprint subnetwork.aggregationInterval = ( client.messages.Subnetwork.AggregationIntervalValueValuesEnum( convert_to_enum(aggregation_interval))) return client.MakeRequests( [CreateSubnetworkPatchRequest(client, subnet_ref, subnetwork)]) elif flow_sampling is not None: subnetwork = client.messages.Subnetwork() subnetwork.fingerprint = client.MakeRequests([ (client.apitools_client.subnetworks, 'Get', client.messages.ComputeSubnetworksGetRequest( **subnet_ref.AsDict())) ])[0].fingerprint subnetwork.flowSampling = flow_sampling return client.MakeRequests( [CreateSubnetworkPatchRequest(client, subnet_ref, subnetwork)]) elif metadata is not None: subnetwork = client.messages.Subnetwork() subnetwork.fingerprint = client.MakeRequests([ (client.apitools_client.subnetworks, 'Get', client.messages.ComputeSubnetworksGetRequest( **subnet_ref.AsDict())) ])[0].fingerprint subnetwork.metadata = client.messages.Subnetwork.MetadataValueValuesEnum( convert_to_enum(metadata)) return client.MakeRequests( [CreateSubnetworkPatchRequest(client, subnet_ref, subnetwork)]) elif set_role_active is not None: subnetwork = client.MakeRequests([ (client.apitools_client.subnetworks, 'Get', client.messages.ComputeSubnetworksGetRequest( **subnet_ref.AsDict())) ])[0] subnetwork.role = client.messages.Subnetwork.RoleValueValuesEnum.ACTIVE patch_request = client.messages.ComputeSubnetworksPatchRequest( project=subnet_ref.project, subnetwork=subnet_ref.subnetwork, region=subnet_ref.region, subnetworkResource=subnetwork, drainTimeoutSeconds=drain_timeout_seconds) return client.MakeRequests([(client.apitools_client.subnetworks, 'Patch', patch_request)]) return client.MakeRequests([])
def MakeSubnetworkUpdateRequest(client, subnet_ref, enable_private_ip_google_access=None, add_secondary_ranges=None, remove_secondary_ranges=None, enable_flow_logs=None): """Make the appropriate update request for the args. Args: client: GCE API client subnet_ref: Reference to a subnetwork enable_private_ip_google_access: Enable/disable access to Google Cloud APIs from this subnet for instances without a public ip address. add_secondary_ranges: List of secondary IP ranges to add to the subnetwork for use in IP aliasing. remove_secondary_ranges: List of secondary ranges to remove from the subnetwork. enable_flow_logs: Enable/disable flow logging for this subnet. Returns: response, result of sending the update request for the subnetwork """ if enable_private_ip_google_access is not None: google_access = ( client.messages.SubnetworksSetPrivateIpGoogleAccessRequest()) google_access.privateIpGoogleAccess = enable_private_ip_google_access google_access_request = ( client.messages.ComputeSubnetworksSetPrivateIpGoogleAccessRequest( project=subnet_ref.project, region=subnet_ref.region, subnetwork=subnet_ref.Name(), subnetworksSetPrivateIpGoogleAccessRequest=google_access)) return client.MakeRequests([ (client.apitools_client.subnetworks, 'SetPrivateIpGoogleAccess', google_access_request) ]) elif add_secondary_ranges is not None: subnetwork = client.MakeRequests([ (client.apitools_client.subnetworks, 'Get', client.messages.ComputeSubnetworksGetRequest( **subnet_ref.AsDict())) ])[0] for secondary_range in add_secondary_ranges: for range_name, ip_cidr_range in sorted( secondary_range.iteritems()): subnetwork.secondaryIpRanges.append( client.messages.SubnetworkSecondaryRange( rangeName=range_name, ipCidrRange=ip_cidr_range)) return client.MakeRequests( [CreateSubnetworkPatchRequest(client, subnet_ref, subnetwork)]) elif remove_secondary_ranges is not None: subnetwork = client.MakeRequests([ (client.apitools_client.subnetworks, 'Get', client.messages.ComputeSubnetworksGetRequest( **subnet_ref.AsDict())) ])[0] for name in remove_secondary_ranges[0]: if name not in [r.rangeName for r in subnetwork.secondaryIpRanges]: raise exceptions.UnknownArgumentException( 'remove-secondary-ranges', 'Subnetwork does not have a range {}, ' 'present ranges are {}.'.format( name, [r.rangeName for r in subnetwork.secondaryIpRanges])) subnetwork.secondaryIpRanges = [ r for r in subnetwork.secondaryIpRanges if r.rangeName not in remove_secondary_ranges[0] ] cleared_fields = [] if not subnetwork.secondaryIpRanges: cleared_fields.append('secondaryIpRanges') with client.apitools_client.IncludeFields(cleared_fields): return client.MakeRequests( [CreateSubnetworkPatchRequest(client, subnet_ref, subnetwork)]) elif enable_flow_logs is not None: subnetwork = client.MakeRequests([ (client.apitools_client.subnetworks, 'Get', client.messages.ComputeSubnetworksGetRequest( **subnet_ref.AsDict())) ])[0] subnetwork.enableFlowLogs = enable_flow_logs return client.MakeRequests( [CreateSubnetworkPatchRequest(client, subnet_ref, subnetwork)]) return client.MakeRequests([])
def MakeSubnetworkUpdateRequest(client, subnet_ref, enable_private_ip_google_access=None, add_secondary_ranges=None, remove_secondary_ranges=None): """Make the appropriate update request for the args.""" if enable_private_ip_google_access is not None: google_access = ( client.messages.SubnetworksSetPrivateIpGoogleAccessRequest()) google_access.privateIpGoogleAccess = enable_private_ip_google_access google_access_request = ( client.messages.ComputeSubnetworksSetPrivateIpGoogleAccessRequest( project=subnet_ref.project, region=subnet_ref.region, subnetwork=subnet_ref.Name(), subnetworksSetPrivateIpGoogleAccessRequest=google_access)) return client.MakeRequests([ (client.apitools_client.subnetworks, 'SetPrivateIpGoogleAccess', google_access_request) ]) elif add_secondary_ranges is not None: subnetwork = client.MakeRequests([ (client.apitools_client.subnetworks, 'Get', client.messages.ComputeSubnetworksGetRequest( **subnet_ref.AsDict())) ])[0] for secondary_range in add_secondary_ranges: for range_name, ip_cidr_range in sorted( secondary_range.iteritems()): subnetwork.secondaryIpRanges.append( client.messages.SubnetworkSecondaryRange( rangeName=range_name, ipCidrRange=ip_cidr_range)) return client.MakeRequests( [CreateSubnetworkPatchRequest(client, subnet_ref, subnetwork)]) elif remove_secondary_ranges is not None: subnetwork = client.MakeRequests([ (client.apitools_client.subnetworks, 'Get', client.messages.ComputeSubnetworksGetRequest( **subnet_ref.AsDict())) ])[0] for name in remove_secondary_ranges[0]: if name not in [r.rangeName for r in subnetwork.secondaryIpRanges]: raise exceptions.UnknownArgumentException( 'remove-secondary-ranges', 'Subnetwork does not have a range {}, ' 'present ranges are {}.'.format( name, [r.rangeName for r in subnetwork.secondaryIpRanges])) subnetwork.secondaryIpRanges = [ r for r in subnetwork.secondaryIpRanges if r.rangeName not in remove_secondary_ranges[0] ] cleared_fields = [] if not subnetwork.secondaryIpRanges: cleared_fields.append('secondaryIpRanges') with client.apitools_client.IncludeFields(cleared_fields): return client.MakeRequests( [CreateSubnetworkPatchRequest(client, subnet_ref, subnetwork)]) return client.MakeRequests([])
def Run(self, args): """Create service account credentials.""" try: private_key = open(args.key_file, 'rb').read() except IOError as e: raise c_exc.BadFileException(e) json_key = None try: json_key = json.loads(private_key) except ValueError: pass if json_key and (args.password_file or args.prompt_for_password): raise c_exc.InvalidArgumentException( '--password-file', 'A .json service account key does not require a password.') password = None if args.password_file: try: password = open(args.password_file).read().strip() except IOError as e: raise c_exc.UnknownArgumentException('--password-file', e) if args.prompt_for_password: password = getpass.getpass('Password: '******'CLOUDSDK_PYTHON_SITEPACKAGES'): raise c_exc.ToolException( ('PyOpenSSL is not available. If you have already installed ' 'PyOpenSSL, you will need to enable site packages by ' 'setting the environment variable CLOUDSDK_PYTHON_SITEPACKAGES to ' '1. If that does not work, see ' 'https://developers.google.com/cloud/sdk/crypto for details ' 'or consider using .json private key instead.')) else: raise c_exc.ToolException( ('PyOpenSSL is not available. See ' 'https://developers.google.com/cloud/sdk/crypto for details ' 'or consider using .json private key instead.')) if json_key: cred = service_account.ServiceAccountCredentials( service_account_id=json_key['client_id'], service_account_email=json_key['client_email'], private_key_id=json_key['private_key_id'], private_key_pkcs8_text=json_key['private_key'], scopes=config.CLOUDSDK_SCOPES, user_agent=config.CLOUDSDK_USER_AGENT) elif password: cred = client.SignedJwtAssertionCredentials( service_account_name=args.account, private_key=private_key, scope=config.CLOUDSDK_SCOPES, private_key_password=password, user_agent=config.CLOUDSDK_USER_AGENT) else: cred = client.SignedJwtAssertionCredentials( service_account_name=args.account, private_key=private_key, scope=config.CLOUDSDK_SCOPES, user_agent=config.CLOUDSDK_USER_AGENT) c_store.Store(cred, args.account) properties.PersistProperty(properties.VALUES.core.account, args.account) project = args.project if project: properties.PersistProperty(properties.VALUES.core.project, project) return cred