Exemplo n.º 1
  def Run(self, args):
    """Create a custom IAM role from a YAML file or from individual flags.

    Args:
      args: Parsed command arguments. This method reads organization,
        project, file, title, description, stage, permissions, role and
        quiet.

    Returns:
      The Role message returned by the Create call.

    Raises:
      exceptions.ConflictingArgumentsException: If a file is given together
        with title, description, stage or permissions.
    """
    client = apis.GetClientInstance('iam', 'v1')
    msgs = apis.GetMessagesModule('iam', 'v1')
    parent = iam_util.GetParentName(args.organization, args.project)

    if not args.file:
      new_role = msgs.Role(title=args.title, description=args.description)
      if args.permissions:
        new_role.includedPermissions = args.permissions.split(',')
      if args.stage:
        new_role.stage = iam_util.StageTypeFromString(args.stage)
    else:
      # The file is the only source of the role definition: mixing it with
      # per-field flags is rejected rather than silently merged.
      flag_values = (args.title, args.description, args.stage,
                     args.permissions)
      if any(flag_values):
        raise exceptions.ConflictingArgumentsException('file', 'others')
      new_role = iam_util.ParseYamlToRole(args.file, msgs.Role)
      # Whatever name/etag the file carried is discarded; the role id comes
      # from args.role and the parent from the organization/project flags.
      new_role.name = None
      new_role.etag = None

    # A role without a title falls back to its id.
    if not new_role.title:
      new_role.title = args.role

    # The pre-flight permission check below only produces a warning, and it
    # is skipped entirely when quiet is set.
    if not args.quiet:
      resource_ref = iam_util.GetResourceReference(args.project,
                                                   args.organization)
      in_testing = util.GetTestingPermissions(
          client, msgs, resource_ref, new_role.includedPermissions)
      iam_util.TestingPermissionsWarning(in_testing)

    create_body = msgs.CreateRoleRequest(role=new_role, roleId=args.role)
    request = msgs.IamOrganizationsRolesCreateRequest(
        createRoleRequest=create_body, parent=parent)
    created = client.organizations_roles.Create(request)
    log.CreatedResource(args.role, kind='role')
    iam_util.SetRoleStageIfAlpha(created)
    return created
Exemplo n.º 2
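 def GetUpdatedRole(self, args, role_name, role, iam_client, messages):
     """Apply the update flags in ``args`` to ``role``.

     The role currently stored on the server is always fetched: its etag is
     copied onto ``role``, and incremental add/remove edits are computed
     against its permission list rather than against ``role``.

     Args:
       args: Parsed command arguments. This method reads description, title,
         stage, permissions, add_permissions, remove_permissions, quiet,
         project and organization.
       role_name: Full resource name of the role, used for the Get request.
       role: Role message to modify in place.
       iam_client: Client exposing ``organizations_roles.Get``.
       messages: Messages module providing
         ``IamOrganizationsRolesGetRequest``.

     Returns:
       A ``(role, changed_fields)`` tuple, where ``changed_fields`` lists the
       names of the role fields that were set.

     Raises:
       exceptions.ConflictingArgumentsException: If permissions is combined
         with add_permissions or remove_permissions.
     """
     changed_fields = []
     if args.description is not None:
         changed_fields.append('description')
         role.description = args.description
     if args.title is not None:
         changed_fields.append('title')
         role.title = args.title
     if args.stage:
         changed_fields.append('stage')
         role.stage = iam_util.StageTypeFromString(args.stage)
     # A full replacement and an incremental edit cannot be combined.
     if args.permissions is not None and (args.add_permissions
                                          or args.remove_permissions):
         raise exceptions.ConflictingArgumentsException(
             '--permissions', '--add-permissions or --remove-permissions')
     if args.permissions is not None:
         changed_fields.append('includedPermissions')
         # An empty string means "no permissions"; ''.split(',') would
         # otherwise yield [''].
         role.includedPermissions = (
             args.permissions.split(',') if args.permissions else [])
         if not args.quiet:
             self.WarnPermissions(iam_client, messages,
                                  role.includedPermissions, args.project,
                                  args.organization)
     origin_role = iam_client.organizations_roles.Get(
         messages.IamOrganizationsRolesGetRequest(name=role_name))
     if args.add_permissions or args.remove_permissions:
         permissions = set(origin_role.includedPermissions)
         changed = False
         # Tracked separately so the warning covers only permissions this
         # call actually grants.
         newly_added_permissions = set()
         if args.add_permissions:
             for permission in args.add_permissions.split(','):
                 if permission not in permissions:
                     permissions.add(permission)
                     newly_added_permissions.add(permission)
                     changed = True
         if args.remove_permissions:
             for permission in args.remove_permissions.split(','):
                 if permission in permissions:
                     permissions.remove(permission)
                     changed = True
                 # Added and removed in the same call: nothing to warn about.
                 newly_added_permissions.discard(permission)
         if changed:
             changed_fields.append('includedPermissions')
         role.includedPermissions = sorted(permissions)
         if not args.quiet:
             self.WarnPermissions(iam_client, messages,
                                  list(newly_added_permissions),
                                  args.project, args.organization)
     # Carry the fetched etag on the outgoing role.
     role.etag = origin_role.etag
     return role, changed_fields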
Exemplo n.º 3
 def SetUp(self):
     """Build the Role message fixtures stored on the test instance."""
     make_role = self.msgs.Role
     to_stage = iam_util.StageTypeFromString

     viewer_name = 'organizations/123/roles/viewer'
     viewer_title = 'Viewer'
     viewer_description = 'Access to view GCP projects.'
     custom_title = 'Custom Project Creator'
     custom_description = 'A custom role.'
     get_permission = 'resourcemanager.projects.get'
     list_permission = 'resourcemanager.projects.list'
     create_permission = 'resourcemanager.projects.create'

     # Viewer role that carries an etag but no resource name.
     self.role_from_file = make_role(
         description=viewer_description,
         title=viewer_title,
         etag=b'\x00',
         stage=to_stage('alpha'),
         includedPermissions=[get_permission, list_permission],
     )
     # Same viewer role with neither name nor etag.
     self.origin_role = make_role(
         description=viewer_description,
         title=viewer_title,
         stage=to_stage('alpha'),
         includedPermissions=[get_permission, list_permission],
     )
     # Named custom role holding only the "get" permission.
     self.origin_role2 = make_role(
         name=viewer_name,
         description=custom_description,
         title=custom_title,
         stage=to_stage('beta'),
         includedPermissions=[get_permission],
     )
     # Unnamed custom role whose single permission is "create".
     self.updated_role = make_role(
         description=custom_description,
         title=custom_title,
         stage=to_stage('beta'),
         includedPermissions=[create_permission],
     )
     # Named viewer role without a stage.
     self.res_role1 = make_role(
         name=viewer_name,
         description=viewer_description,
         title=viewer_title,
         includedPermissions=[get_permission, list_permission],
     )
     # Named custom role with the "create" permission.
     self.res_role2 = make_role(
         name=viewer_name,
         description=custom_description,
         title=custom_title,
         stage=to_stage('beta'),
         includedPermissions=[create_permission],
     )
     # Named viewer role with no includedPermissions set.
     self.role_no_permissions = make_role(
         name=viewer_name,
         description=viewer_description,
         title=viewer_title,
         stage=to_stage('alpha'),
     )
Exemplo n.º 4
    def testCreateWithFile(self):
        """Create a role from a YAML file and check the request and output.

        The expected request carries the role parsed from the file (no name,
        stage alpha) with roleId 'viewer'. The mocked response has no stage,
        yet the command output is expected to contain 'stage: ALPHA'.
        """
        description = 'Access to delete GCP projects.'
        list_permission = 'resourcemanager.projects.list'
        get_permission = 'resourcemanager.projects.get'
        delete_permission = 'resourcemanager.projects.delete'

        requested_role = self.msgs.Role(
            description=description,
            title='Viewer',
            stage=iam_util.StageTypeFromString('alpha'),
            includedPermissions=[
                list_permission, get_permission, delete_permission
            ],
        )
        created_role = self.msgs.Role(
            name='organizations/1/roles/viewer',
            description=description,
            title='Viewer',
            includedPermissions=[
                list_permission, get_permission, delete_permission
            ],
        )

        create_body = self.msgs.CreateRoleRequest(role=requested_role,
                                                  roleId='viewer')
        expected_request = self.msgs.IamOrganizationsRolesCreateRequest(
            createRoleRequest=create_body, parent='organizations/1')
        self.client.organizations_roles.Create.Expect(
            request=expected_request, response=created_role)

        # Role definition as written to disk; it names neither the role id
        # nor the parent, which come from the command line.
        yaml_contents = ('title: "Viewer"\n'
                         'description: "Access to delete GCP projects."\n'
                         'stage: "alpha"\n'
                         'includedPermissions:\n'
                         '- resourcemanager.projects.list\n'
                         '- resourcemanager.projects.get\n'
                         '- resourcemanager.projects.delete')
        in_file = self.Touch(self.temp_path, contents=yaml_contents)

        command = (
            'iam roles create viewer --organization 1 --file={0} --quiet'
        ).format(in_file)
        result = self.Run(command)

        self.assertEqual(result, created_role)
        self.AssertOutputContains('stage: ALPHA')
Exemplo n.º 5
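 def GetUpdatedRole(self, role_name, role, description, title, stage,
                    permissions, add_permissions, remove_permissions,
                    iam_client, messages):
     """Apply the given update values to ``role``.

     The role currently stored on the server is always fetched: its etag is
     copied onto ``role``, and incremental add/remove edits are computed
     against its permission list rather than against ``role``.

     Args:
       role_name: Full resource name of the role, used for the Get request.
       role: Role message to modify in place.
       description: New description, or None to leave it unchanged.
       title: New title, or None to leave it unchanged.
       stage: New stage string; a falsy value leaves the stage unchanged.
       permissions: Comma-separated full replacement list, or None. An empty
         string clears the permission list.
       add_permissions: Comma-separated permissions to add, or a falsy value.
       remove_permissions: Comma-separated permissions to remove, or a falsy
         value.
       iam_client: Client exposing ``organizations_roles.Get``.
       messages: Messages module providing
         ``IamOrganizationsRolesGetRequest``.

     Returns:
       A ``(role, changed_fields)`` tuple, where ``changed_fields`` lists the
       names of the role fields that were set.

     Raises:
       exceptions.ConflictingArgumentsException: If permissions is combined
         with add_permissions or remove_permissions.
     """
     changed_fields = []
     if description is not None:
         changed_fields.append('description')
         role.description = description
     if title is not None:
         changed_fields.append('title')
         role.title = title
     if stage:
         changed_fields.append('stage')
         role.stage = iam_util.StageTypeFromString(stage)
     # A full replacement and an incremental edit cannot be combined.
     if permissions is not None and (add_permissions or remove_permissions):
         raise exceptions.ConflictingArgumentsException(
             '--permissions', '--add-permissions or --remove-permissions')
     if permissions is not None:
         changed_fields.append('includedPermissions')
         # An empty string means "no permissions"; ''.split(',') would
         # otherwise yield [''].
         role.includedPermissions = (
             permissions.split(',') if permissions else [])
     origin_role = iam_client.organizations_roles.Get(
         messages.IamOrganizationsRolesGetRequest(name=role_name))
     if add_permissions or remove_permissions:
         current = set(origin_role.includedPermissions)
         changed = False
         if add_permissions:
             for permission in add_permissions.split(','):
                 if permission not in current:
                     current.add(permission)
                     changed = True
         if remove_permissions:
             for permission in remove_permissions.split(','):
                 if permission in current:
                     current.remove(permission)
                     changed = True
         if changed:
             changed_fields.append('includedPermissions')
         # Sorted so the resulting permission list is deterministic instead
         # of following set iteration order.
         role.includedPermissions = sorted(current)
     # Carry the fetched etag on the outgoing role.
     role.etag = origin_role.etag
     return role, changed_fields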
Exemplo n.º 6
    def testCreateWithFlags(self):
        """Create a role from individual flags and check request and output.

        The expected request carries a role built from the title,
        description, stage and permissions flags with roleId 'viewer'. The
        mocked response has no stage, yet the command output is expected to
        contain 'stage: ALPHA'.
        """
        description = 'Access to delete GCP projects.'
        list_permission = 'resourcemanager.projects.list'
        get_permission = 'resourcemanager.projects.get'
        delete_permission = 'resourcemanager.projects.delete'

        requested_role = self.msgs.Role(
            description=description,
            title='Viewer',
            stage=iam_util.StageTypeFromString('alpha'),
            includedPermissions=[
                list_permission, get_permission, delete_permission
            ],
        )
        created_role = self.msgs.Role(
            name='organizations/1/roles/viewer',
            description=description,
            title='Viewer',
            includedPermissions=[
                list_permission, get_permission, delete_permission
            ],
        )

        create_body = self.msgs.CreateRoleRequest(role=requested_role,
                                                  roleId='viewer')
        expected_request = self.msgs.IamOrganizationsRolesCreateRequest(
            createRoleRequest=create_body, parent='organizations/1')
        self.client.organizations_roles.Create.Expect(
            request=expected_request, response=created_role)

        # --quiet is passed, and no testable-permissions query is expected
        # on the mock client in this test.
        command = ('iam roles create viewer --organization 1 --quiet '
                   '--permissions resourcemanager.projects.list,'
                   'resourcemanager.projects.get,'
                   'resourcemanager.projects.delete --stage alpha '
                   '--title Viewer '
                   '--description="Access to delete GCP projects." ')
        result = self.Run(command)

        self.assertEqual(result, created_role)
        self.AssertOutputContains('stage: ALPHA')
Exemplo n.º 7
  def testDeleteRoles(self):
    """Delete a custom role and check that the returned role is printed."""
    deleted_role = self.msgs.Role(
        name='organizations/819542162391/roles/customEditor',
        description='A customEditor role.',
        includedPermissions=[
            'resourcemanager.projects.create',
            'resourcemanager.projects.delete'
        ],
        stage=iam_util.StageTypeFromString('alpha'),
        title='Custom Project Editor')
    delete_request = self.msgs.IamOrganizationsRolesDeleteRequest(
        name='organizations/819542162391/roles/customEditor')
    self.client.organizations_roles.Delete.Expect(
        request=delete_request, response=deleted_role)

    self.Run('iam roles delete --organization 819542162391 customEditor')

    # Every field of the role returned by Delete should appear in the output.
    expected_fragments = (
        'name: organizations/819542162391/'
        'roles/customEditor',
        'title: Custom Project Editor',
        'description: A customEditor role.',
        'stage: ALPHA',
        'includedPermissions:',
        'resourcemanager.projects.create',
        'resourcemanager.projects.delete',
    )
    for fragment in expected_fragments:
      self.AssertOutputContains(fragment)
Exemplo n.º 8
    def Run(self, args):
        """Create a custom IAM role from a YAML file or from individual flags.

        Args:
            args: Parsed command arguments. This method reads organization,
                project, file, title, description, stage, permissions, role
                and quiet.

        Returns:
            The Role message returned by the Create call.
        """
        client, messages = util.GetClientAndMessages()
        parent_name = iam_util.GetParentName(args.organization, args.project)

        if not args.file:
            role = messages.Role(title=args.title,
                                 description=args.description)
            if args.permissions:
                role.includedPermissions = args.permissions.split(',')
            if args.stage:
                role.stage = iam_util.StageTypeFromString(args.stage)
        else:
            # NOTE(review): when a file is given, the title, description,
            # stage and permissions flags are not consulted here; whether
            # that combination is rejected elsewhere is not visible in this
            # method - confirm.
            role = iam_util.ParseYamlToRole(args.file, messages.Role)
            # Whatever name/etag the file carried is discarded; the role id
            # comes from args.role and the parent from the flags.
            role.name = None
            role.etag = None

        # A role without a title falls back to its id.
        if not role.title:
            role.title = args.role

        # Both pre-flight checks below only produce warnings, and they are
        # skipped entirely when quiet is set.
        if not args.quiet:
            resource_ref = iam_util.GetResourceReference(args.project,
                                                         args.organization)
            helper = util.PermissionsHelper(client, messages, resource_ref,
                                            role.includedPermissions)
            # (sic) the method name is spelled exactly as this code calls it.
            api_disabled_permissions = helper.GetApiDisabledPermissons()
            iam_util.ApiDisabledPermissionsWarning(api_disabled_permissions)
            iam_util.TestingPermissionsWarning(helper.GetTestingPermissions())

        create_body = messages.CreateRoleRequest(role=role, roleId=args.role)
        request = messages.IamOrganizationsRolesCreateRequest(
            createRoleRequest=create_body, parent=parent_name)
        created = client.organizations_roles.Create(request)
        log.CreatedResource(args.role, kind='role')
        iam_util.SetRoleStageIfAlpha(created)
        return created
Exemplo n.º 9
    def testReplyingYesToTestingPermissionsWarning(self):
        """Create a role without --quiet and check both permission warnings.

        The mocked testable-permissions response marks the list permission
        as TESTING and the get permission as apiDisabled. 'y' is written to
        the command's input, the role is still created, and both warnings
        are expected on stderr.
        """
        self.WriteInput('y\n')

        description = 'Access to delete GCP projects.'
        list_permission = 'resourcemanager.projects.list'
        get_permission = 'resourcemanager.projects.get'
        delete_permission = 'resourcemanager.projects.delete'

        requested_role = self.msgs.Role(
            description=description,
            title='Viewer',
            stage=iam_util.StageTypeFromString('alpha'),
            includedPermissions=[
                list_permission, get_permission, delete_permission
            ],
        )
        created_role = self.msgs.Role(
            name='organizations/1/roles/viewer',
            description=description,
            title='Viewer',
            includedPermissions=[
                list_permission, get_permission, delete_permission
            ],
        )

        # Pre-flight lookup issued because --quiet is absent from the command.
        support_levels = (
            self.msgs.Permission.CustomRolesSupportLevelValueValuesEnum)
        testable_request = self.msgs.QueryTestablePermissionsRequest(
            fullResourceName=(
                '//cloudresourcemanager.googleapis.com/organizations/1'),
            pageSize=1000)
        testable_response = self.msgs.QueryTestablePermissionsResponse(
            permissions=[
                self.msgs.Permission(
                    name=list_permission,
                    customRolesSupportLevel=support_levels.TESTING),
                self.msgs.Permission(name=get_permission, apiDisabled=True),
            ],
            nextPageToken=None)
        self.client.permissions.QueryTestablePermissions.Expect(
            request=testable_request, response=testable_response)

        create_body = self.msgs.CreateRoleRequest(role=requested_role,
                                                  roleId='viewer')
        expected_request = self.msgs.IamOrganizationsRolesCreateRequest(
            createRoleRequest=create_body, parent='organizations/1')
        self.client.organizations_roles.Create.Expect(
            request=expected_request, response=created_role)

        command = ('iam roles create viewer --organization 1 '
                   '--permissions resourcemanager.projects.list,'
                   'resourcemanager.projects.get,'
                   'resourcemanager.projects.delete --stage alpha '
                   '--title Viewer '
                   '--description="Access to delete GCP projects." ')
        result = self.Run(command)

        self.assertEqual(result, created_role)
        self.AssertOutputContains('stage: ALPHA')
        testing_warning = (
            'Note: permissions [resourcemanager.projects.list] are in '
            '\'TESTING\' stage')
        self.AssertErrContains(testing_warning)
        api_disabled_warning = (
            'API is not enabled for permissions: [resourcemanager.projects.get]'
        )
        self.AssertErrContains(api_disabled_warning)