Exemplo n.º 1
    def Run(self, args):
        """Add one IAM binding to a TagValue's policy and write the policy back.

        Args:
          args: parsed command arguments. RESOURCE_NAME, member and role are
            read here; the whole namespace is also handed to the condition
            validator.

        Returns:
          The response of the SetIamPolicy call.
        """
        tag_values = tags.TagValuesService()
        msgs = tags.TagMessages()

        # Accept either a 'tagValues/...' resource name or a namespaced name
        # that has to be resolved to a resource name first.
        resource_name = args.RESOURCE_NAME
        if resource_name.startswith('tagValues/'):
            tag_value = resource_name
        else:
            tag_value = tag_utils.GetTagValueFromNamespacedName(
                resource_name).name

        # Read-modify-write: the binding is added to the fetched policy object,
        # which is then sent back whole.
        # NOTE(review): presumably the fetched policy carries an etag that lets
        # the server reject a write racing with another change - confirm.
        current_policy = tag_values.GetIamPolicy(
            msgs.CloudresourcemanagerTagValuesGetIamPolicyRequest(
                resource=tag_value))
        # Validation runs after the fetch, so a rejected --condition/--role
        # pair is only reported once the read has already been made.
        binding_condition = iam_util.ValidateAndExtractConditionMutexRole(args)
        iam_util.AddBindingToIamPolicyWithCondition(
            msgs.Binding, msgs.Expr, current_policy, args.member, args.role,
            binding_condition)

        write_request = msgs.CloudresourcemanagerTagValuesSetIamPolicyRequest(
            resource=tag_value,
            setIamPolicyRequest=msgs.SetIamPolicyRequest(policy=current_policy))
        response = tag_values.SetIamPolicy(write_request)
        iam_util.LogSetIamPolicy(tag_value, 'TagValue')
        return response
Exemplo n.º 2
    def Run(self, args):
        """Remove an IAM binding from a LabelKey's policy and write it back.

        Args:
          args: parsed command arguments. LABEL_KEY_ID, label_parent, member,
            role and all are read here; the whole namespace is also handed to
            the condition validator.

        Returns:
          The response of the SetIamPolicy call.
        """
        label_keys = labelmanager.LabelKeysService()
        msgs = labelmanager.LabelManagerMessages()

        # With --label_parent given, LABEL_KEY_ID is treated as a display name
        # and resolved; otherwise it is used as the resource name directly.
        label_key = args.LABEL_KEY_ID
        if args.IsSpecified('label_parent'):
            label_key = utils.GetLabelKeyFromDisplayName(
                label_key, args.label_parent)

        # Read-modify-write: the fetched policy is edited in place and sent
        # back whole.
        current_policy = label_keys.GetIamPolicy(
            msgs.LabelmanagerLabelKeysGetIamPolicyRequest(resource=label_key))
        binding_condition = iam_util.ValidateAndExtractConditionMutexRole(args)
        # NOTE(review): args.all is forwarded to the helper; presumably it
        # widens the removal to every binding for this member and role
        # regardless of condition - confirm against iam_util.
        iam_util.RemoveBindingFromIamPolicyWithCondition(
            current_policy, args.member, args.role, binding_condition,
            args.all)

        write_request = msgs.LabelmanagerLabelKeysSetIamPolicyRequest(
            resource=label_key,
            setIamPolicyRequest=msgs.SetIamPolicyRequest(policy=current_policy))
        response = label_keys.SetIamPolicy(write_request)
        iam_util.LogSetIamPolicy(label_key, 'LabelKey')
        return response
Exemplo n.º 3
 def testValidateAndExtractConditionMutex_PrimitiveRole(self):
     """A condition combined with roles/editor must be rejected."""
     # NOTE(review): the --member value reads like an e-mail address masked by
     # the page this listing was taken from; it is kept exactly as found.
     argv = [
         '--role=roles/editor',
         '--member=user:[email protected]',
         '--condition=expression=expr,title=title,description=descr',
     ]
     arg_parser = util.ArgumentParser()
     iam_util.AddArgsForAddIamPolicyBinding(arg_parser, add_condition=True)
     parsed = arg_parser.parse_args(argv)
     expected_message = (
         r'.*Binding with a condition and a primitive role is not allowed.*')
     # The validator is expected to raise rather than return a condition.
     with self.AssertRaisesExceptionRegexp(
             iam_util.IamPolicyBindingInvalidError, expected_message):
         iam_util.ValidateAndExtractConditionMutexRole(parsed)
  def Run(self, args):
    """Add an IAM policy binding to the IAP IAM resource named by the arguments.

    Args:
      args: an argparse namespace. All the arguments that were provided to this
        command invocation.

    Returns:
      Whatever AddIamPolicyBinding returns for the parsed IAP IAM resource.
    """
    # Validation is the first step, so a rejected --condition/--role pair
    # stops the command before the resource is parsed.
    binding_condition = iam_util.ValidateAndExtractConditionMutexRole(args)
    iam_resource = iap_util.ParseIapIamResource(self.ReleaseTrack(), args)
    return iam_resource.AddIamPolicyBinding(
        args.member, args.role, binding_condition)
Exemplo n.º 5
 def testValidateAndExtractConditionMutex_NonPrimitiveRole(self):
     """A condition with a non-primitive role is returned as a dict."""
     # NOTE(review): the --member value reads like an e-mail address masked by
     # the page this listing was taken from; it is kept exactly as found.
     argv = [
         '--role=roles/non-primitive',
         '--member=user:[email protected]',
         '--condition=expression=expr,title=title,description=descr',
     ]
     arg_parser = util.ArgumentParser()
     iam_util.AddArgsForAddIamPolicyBinding(arg_parser, add_condition=True)
     parsed = arg_parser.parse_args(argv)
     extracted = iam_util.ValidateAndExtractConditionMutexRole(parsed)
     # The three fields of the --condition flag come back under their own keys.
     wanted = dict(expression='expr', title='title', description='descr')
     self.assertEqual(extracted, wanted)
Exemplo n.º 6
  def Run(self, args):
    """Add an IAM binding, with its validated condition, to an organization.

    Args:
      args: parsed command arguments. id, member and role are read here; the
        whole namespace is also handed to the condition validator.

    Returns:
      The response of the SetIamPolicy call.
    """
    # Validate first so a rejected --condition/--role pair stops the command
    # before any policy is read or written.
    binding_condition = iam_util.ValidateAndExtractConditionMutexRole(args)

    msgs = self.OrganizationsMessages()
    # NOTE(review): GetIamPolicyRequest() is built with no options, so no
    # policy version is requested. The fetched policy is written back whole
    # below; confirm that existing conditional bindings come back intact from
    # this read.
    read_request = msgs.CloudresourcemanagerOrganizationsGetIamPolicyRequest(
        organizationsId=args.id,
        getIamPolicyRequest=msgs.GetIamPolicyRequest())
    org_policy = self.OrganizationsClient().GetIamPolicy(read_request)

    iam_util.AddBindingToIamPolicyWithCondition(
        msgs.Binding, msgs.Expr, org_policy, args.member, args.role,
        binding_condition)

    write_request = msgs.CloudresourcemanagerOrganizationsSetIamPolicyRequest(
        organizationsId=args.id,
        setIamPolicyRequest=msgs.SetIamPolicyRequest(policy=org_policy))
    return self.OrganizationsClient().SetIamPolicy(write_request)
    def _GetModifiedIamPolicyAddIamBinding(self, args, add_condition=False):
        """Fetch the IAM policy and return it with the requested binding added.

        The policy is only modified locally; this method does not write it
        back.

        Args:
          args: an argparse namespace; member and role are read from it.
          add_condition: when True, the condition is validated and extracted
            from args and attached to the new binding.

        Returns:
          The fetched IAM policy with the binding added.
        """
        binding_cls = self.method.GetMessageByName('Binding')

        if not add_condition:
            plain_policy = self._GetIamPolicy(args)
            iam_util.AddBindingToIamPolicy(
                binding_cls, plain_policy, args.member, args.role)
            return plain_policy

        # Validation comes before the fetch, so a rejected --condition/--role
        # pair fails without reading the policy.
        binding_condition = iam_util.ValidateAndExtractConditionMutexRole(args)
        conditional_policy = self._GetIamPolicy(args)
        expr_cls = self.method.GetMessageByName('Expr')
        iam_util.AddBindingToIamPolicyWithCondition(
            binding_cls, expr_cls, conditional_policy, args.member, args.role,
            binding_condition)
        return conditional_policy
Exemplo n.º 8
    def Run(self, args):
        """Remove an IAM binding from a TagKey's policy and write it back.

        Args:
          args: parsed command arguments. RESOURCE_NAME, member, role and all
            are read here; the whole namespace is also handed to the condition
            validator.

        Returns:
          The response of the SetIamPolicy call.
        """
        tag_keys = tags.TagKeysService()
        msgs = tags.TagMessages()

        # Accept either a 'tagKeys/...' resource name or a namespaced name
        # that has to be resolved to a resource name first.
        resource_name = args.RESOURCE_NAME
        if resource_name.startswith('tagKeys/'):
            tag_key = resource_name
        else:
            tag_key = tag_utils.GetTagKeyFromNamespacedName(resource_name).name

        # Read-modify-write: the fetched policy is edited in place and sent
        # back whole.
        current_policy = tag_keys.GetIamPolicy(
            msgs.CloudresourcemanagerTagKeysGetIamPolicyRequest(
                resource=tag_key))
        binding_condition = iam_util.ValidateAndExtractConditionMutexRole(args)
        # NOTE(review): args.all is forwarded to the helper; presumably it
        # widens the removal to every binding for this member and role
        # regardless of condition - confirm against iam_util.
        iam_util.RemoveBindingFromIamPolicyWithCondition(
            current_policy, args.member, args.role, binding_condition,
            args.all)

        write_request = msgs.CloudresourcemanagerTagKeysSetIamPolicyRequest(
            resource=tag_key,
            setIamPolicyRequest=msgs.SetIamPolicyRequest(policy=current_policy))
        response = tag_keys.SetIamPolicy(write_request)
        iam_util.LogSetIamPolicy(tag_key, 'TagKey')
        return response
Exemplo n.º 9
 def Run(self, args):
     """Add an IAM binding, with its validated condition, to a project.

     Args:
       args: parsed command arguments. id, member and role are read here; the
         whole namespace is also handed to the condition validator.

     Returns:
       Whatever projects_api.AddIamPolicyBindingWithCondition returns.
     """
     project = command_lib_util.ParseProject(args.id)
     # The condition is validated before the API helper is called, so a
     # rejected --condition/--role pair never reaches it.
     binding_condition = iam_util.ValidateAndExtractConditionMutexRole(args)
     return projects_api.AddIamPolicyBindingWithCondition(
         project, args.member, args.role, binding_condition)