def Run(self, args):
    """Grant ``args.role`` to ``args.member`` on a TagValue.

    Reads the TagValue's current IAM policy, adds one binding (with the
    optional condition extracted from ``args``) and writes the whole policy
    back.

    Args:
        args: argparse namespace. This method reads RESOURCE_NAME, member and
            role, and passes the namespace to iam_util to extract the
            condition.

    Returns:
        The value returned by ``TagValuesService().SetIamPolicy``.
    """
    tag_values_client = tags.TagValuesService()
    msgs = tags.TagMessages()

    # A name already in 'tagValues/...' form is used verbatim. Anything else
    # is looked up as a namespaced name and the result's .name is used.
    if args.RESOURCE_NAME.startswith('tagValues/'):
        resource_name = args.RESOURCE_NAME
    else:
        resolved = tag_utils.GetTagValueFromNamespacedName(args.RESOURCE_NAME)
        resource_name = resolved.name

    fetch_req = msgs.CloudresourcemanagerTagValuesGetIamPolicyRequest(
        resource=resource_name)
    current_policy = tag_values_client.GetIamPolicy(fetch_req)

    # The condition is validated only after the policy has been fetched, so
    # a rejected --condition/--role pair still costs one read.
    binding_condition = iam_util.ValidateAndExtractConditionMutexRole(args)

    # NOTE(review): IAM documents conditional bindings as requiring policy
    # version 3. This method neither requests a version on the read nor sets
    # one on the policy before the write; confirm a helper covers that.
    iam_util.AddBindingToIamPolicyWithCondition(
        msgs.Binding, msgs.Expr, current_policy, args.member, args.role,
        binding_condition)

    # NOTE(review): read-modify-write of the whole policy. Nothing here
    # retries or merges on a conflicting concurrent write, so lost-update
    # protection presumably rests on the fetched policy's etag being sent
    # back and enforced by SetIamPolicy. TODO confirm.
    write_req = msgs.CloudresourcemanagerTagValuesSetIamPolicyRequest(
        resource=resource_name,
        setIamPolicyRequest=msgs.SetIamPolicyRequest(policy=current_policy))
    outcome = tag_values_client.SetIamPolicy(write_req)
    iam_util.LogSetIamPolicy(resource_name, 'TagValue')
    return outcome
def Run(self, args):
    """Remove an IAM binding from a LabelKey's policy and write it back.

    Args:
        args: argparse namespace. This method reads LABEL_KEY_ID,
            label_parent (when specified), member, role and all, and passes
            the namespace to iam_util to extract the condition.

    Returns:
        The value returned by ``LabelKeysService().SetIamPolicy``.
    """
    key_service = labelmanager.LabelKeysService()
    msgs = labelmanager.LabelManagerMessages()

    # Without --label_parent the positional is used as the resource name
    # as-is; with it, the positional is looked up as a display name under
    # that parent.
    if not args.IsSpecified('label_parent'):
        key_name = args.LABEL_KEY_ID
    else:
        key_name = utils.GetLabelKeyFromDisplayName(
            args.LABEL_KEY_ID, args.label_parent)

    fetch_req = msgs.LabelmanagerLabelKeysGetIamPolicyRequest(
        resource=key_name)
    current_policy = key_service.GetIamPolicy(fetch_req)

    binding_condition = iam_util.ValidateAndExtractConditionMutexRole(args)

    # NOTE(review): args.all is forwarded to the helper untouched. Presumably
    # it widens the removal to every binding for this member and role,
    # whatever their condition; verify in iam_util before relying on it.
    iam_util.RemoveBindingFromIamPolicyWithCondition(
        current_policy, args.member, args.role, binding_condition, args.all)

    # NOTE(review): read-modify-write of the whole policy with no retry on
    # conflict in this method. Protection against overwriting a concurrent
    # change presumably rests on the policy's etag. TODO confirm.
    write_req = msgs.LabelmanagerLabelKeysSetIamPolicyRequest(
        resource=key_name,
        setIamPolicyRequest=msgs.SetIamPolicyRequest(policy=current_policy))
    outcome = key_service.SetIamPolicy(write_req)
    iam_util.LogSetIamPolicy(key_name, 'LabelKey')
    return outcome
def testValidateAndExtractConditionMutex_PrimitiveRole(self):
    """A condition combined with a primitive role must be rejected."""
    arg_parser = util.ArgumentParser()
    iam_util.AddArgsForAddIamPolicyBinding(arg_parser, add_condition=True)

    # roles/editor stands in for the primitive roles. The member value is
    # reproduced exactly as it appears in this listing.
    argv = [
        '--role=roles/editor',
        '--member=user:[email protected]',
        '--condition=expression=expr,title=title,description=descr',
    ]
    parsed = arg_parser.parse_args(argv)

    expected_error = iam_util.IamPolicyBindingInvalidError
    expected_message = (
        r'.*Binding with a condition and a primitive role is not allowed.*')
    with self.AssertRaisesExceptionRegexp(expected_error, expected_message):
        iam_util.ValidateAndExtractConditionMutexRole(parsed)
def Run(self, args):
    """Add an IAM policy binding to the IAP resource selected by ``args``.

    Args:
        args: argparse namespace holding every argument given to this
            command invocation. This method reads member and role, and
            passes the namespace on for condition extraction and resource
            parsing.

    Returns:
        The value returned by the parsed IAP IAM resource's
        ``AddIamPolicyBinding`` call.
    """
    # Validation runs before the resource is parsed, so an invalid
    # --condition/--role pair fails before anything else happens here.
    binding_condition = iam_util.ValidateAndExtractConditionMutexRole(args)
    iap_resource = iap_util.ParseIapIamResource(self.ReleaseTrack(), args)
    return iap_resource.AddIamPolicyBinding(
        args.member, args.role, binding_condition)
def testValidateAndExtractConditionMutex_NonPrimitiveRole(self):
    """A condition with a non-primitive role is accepted and returned."""
    arg_parser = util.ArgumentParser()
    iam_util.AddArgsForAddIamPolicyBinding(arg_parser, add_condition=True)

    # The member value is reproduced exactly as it appears in this listing.
    argv = [
        '--role=roles/non-primitive',
        '--member=user:[email protected]',
        '--condition=expression=expr,title=title,description=descr',
    ]
    parsed = arg_parser.parse_args(argv)

    condition = iam_util.ValidateAndExtractConditionMutexRole(parsed)

    # The three key=value pairs of --condition come back as one mapping.
    expected_condition = dict(
        expression='expr', title='title', description='descr')
    self.assertEqual(condition, expected_condition)
def Run(self, args):
    """Add a (possibly conditional) IAM binding to an organization's policy.

    Args:
        args: argparse namespace. This method reads id, member and role, and
            passes the namespace to iam_util to extract the condition.

    Returns:
        The value returned by the organizations client's ``SetIamPolicy``.
    """
    # Validate first: an invalid --condition/--role pair raises before any
    # request is built or sent.
    binding_condition = iam_util.ValidateAndExtractConditionMutexRole(args)
    msgs = self.OrganizationsMessages()

    # NOTE(review): the read uses a default GetIamPolicyRequest and no policy
    # version is set before the write. IAM documents conditional bindings as
    # requiring policy version 3; confirm this is handled elsewhere.
    fetch_req = msgs.CloudresourcemanagerOrganizationsGetIamPolicyRequest(
        organizationsId=args.id,
        getIamPolicyRequest=msgs.GetIamPolicyRequest())
    org_policy = self.OrganizationsClient().GetIamPolicy(fetch_req)

    iam_util.AddBindingToIamPolicyWithCondition(
        msgs.Binding, msgs.Expr, org_policy, args.member, args.role,
        binding_condition)

    # NOTE(review): the whole policy is written back and this method does not
    # retry on conflict. Protection against overwriting a concurrent change
    # presumably rests on the policy's etag. TODO confirm.
    write_body = msgs.SetIamPolicyRequest(policy=org_policy)
    write_req = msgs.CloudresourcemanagerOrganizationsSetIamPolicyRequest(
        organizationsId=args.id, setIamPolicyRequest=write_body)
    return self.OrganizationsClient().SetIamPolicy(write_req)
def _GetModifiedIamPolicyAddIamBinding(self, args, add_condition=False):
    """Fetch the IAM policy and add the requested binding to it in memory.

    This method does not write the policy back; it only returns the modified
    object.

    Args:
        args: an argparse namespace. This method reads member and role.
        add_condition: when True, a condition is validated and extracted from
            ``args`` and the binding is added together with it. When False, a
            plain binding is added and ``args`` is not checked for a
            condition.

    Returns:
        The IAM policy with the binding added.
    """
    binding_cls = self.method.GetMessageByName('Binding')

    if not add_condition:
        plain_policy = self._GetIamPolicy(args)
        iam_util.AddBindingToIamPolicy(
            binding_cls, plain_policy, args.member, args.role)
        return plain_policy

    # The condition is validated before the policy is fetched, so an invalid
    # --condition/--role pair raises without a read.
    binding_condition = iam_util.ValidateAndExtractConditionMutexRole(args)
    conditional_policy = self._GetIamPolicy(args)
    expr_cls = self.method.GetMessageByName('Expr')
    iam_util.AddBindingToIamPolicyWithCondition(
        binding_cls, expr_cls, conditional_policy, args.member, args.role,
        binding_condition)
    return conditional_policy
def Run(self, args):
    """Remove an IAM binding from a TagKey's policy and write it back.

    Args:
        args: argparse namespace. This method reads RESOURCE_NAME, member,
            role and all, and passes the namespace to iam_util to extract
            the condition.

    Returns:
        The value returned by ``TagKeysService().SetIamPolicy``.
    """
    tag_keys_client = tags.TagKeysService()
    msgs = tags.TagMessages()

    # A name already in 'tagKeys/...' form is used verbatim. Anything else
    # is looked up as a namespaced name and the result's .name is used.
    if args.RESOURCE_NAME.startswith('tagKeys/'):
        resource_name = args.RESOURCE_NAME
    else:
        resolved = tag_utils.GetTagKeyFromNamespacedName(args.RESOURCE_NAME)
        resource_name = resolved.name

    fetch_req = msgs.CloudresourcemanagerTagKeysGetIamPolicyRequest(
        resource=resource_name)
    current_policy = tag_keys_client.GetIamPolicy(fetch_req)

    binding_condition = iam_util.ValidateAndExtractConditionMutexRole(args)

    # NOTE(review): args.all is forwarded to the helper untouched. Presumably
    # it widens the removal to every binding for this member and role,
    # whatever their condition; verify in iam_util before relying on it.
    iam_util.RemoveBindingFromIamPolicyWithCondition(
        current_policy, args.member, args.role, binding_condition, args.all)

    # NOTE(review): read-modify-write of the whole policy with no retry on
    # conflict in this method. Protection against overwriting a concurrent
    # change presumably rests on the policy's etag. TODO confirm.
    write_req = msgs.CloudresourcemanagerTagKeysSetIamPolicyRequest(
        resource=resource_name,
        setIamPolicyRequest=msgs.SetIamPolicyRequest(policy=current_policy))
    outcome = tag_keys_client.SetIamPolicy(write_req)
    iam_util.LogSetIamPolicy(resource_name, 'TagKey')
    return outcome
def Run(self, args):
    """Add a (possibly conditional) IAM binding to a project.

    Args:
        args: argparse namespace. This method reads id, member and role, and
            passes the namespace to iam_util to extract the condition.

    Returns:
        The value returned by
        ``projects_api.AddIamPolicyBindingWithCondition``.
    """
    target_project = command_lib_util.ParseProject(args.id)
    # The helper's tests on this page show it rejecting a condition paired
    # with a primitive role, so such a request stops here, before the API
    # call below.
    binding_condition = iam_util.ValidateAndExtractConditionMutexRole(args)
    return projects_api.AddIamPolicyBindingWithCondition(
        target_project, args.member, args.role, binding_condition)