  def _DenyAllValues(self, policy, args):
    """Replaces the rules for the given condition with a single denyAll rule.

    Every rule on the policy that carries the condition from ``args`` is
    dropped (when no condition is given, the unconditional rules are the ones
    dropped). One fresh rule with that same condition is then created and its
    denyAll field set to True, so any values the removed rules allowed or
    denied individually no longer have any effect. The input policy is not
    modified; a deep copy is updated and returned.

    Args:
      policy: messages.GoogleCloudOrgpolicyV2alpha1Policy, The policy to be
        updated.
      args: argparse.Namespace, An object that contains the values for the
        arguments specified in the Args method.

    Returns:
      The updated copy of the policy.
    """
    updated = copy.deepcopy(policy)

    # Keep only the rules that do NOT match the condition (or that are
    # conditional, when no condition was given).
    remaining = org_policy_utils.GetNonMatchingRulesFromPolicy(
        updated, args.condition)
    updated.spec.rules = remaining

    # Re-create exactly one rule for the condition and make it deny-all.
    deny_rule, updated = org_policy_utils.CreateRuleOnPolicy(
        updated, args.condition)
    deny_rule.denyAll = True

    return updated
    def Run(self, args):
        """Deletes the policy, or only the rules carrying --condition.

        Without --condition the policy is deleted outright via DeletePolicy.

        With --condition the policy is first fetched, the rules matching the
        condition are stripped, and then:
          * if nothing matched, the fetched policy is returned and no write
            is issued;
          * if rules remain, or inheritFromParent is set, the trimmed policy
            is written back with UpdatePolicy (a conditional write:
            forceUnconditionalWrite=False, so the server can refuse to
            clobber a policy that changed since it was read — presumably
            etag-based; confirm against the API);
          * otherwise the now-empty policy is deleted with DeletePolicy.

        Args:
          args: argparse.Namespace, An object that contains the values for the
            arguments specified in the Args method.

        Returns:
           If the policy is deleted, then messages.GoogleProtobufEmpty. If only
           a partial delete is issued, then the updated policy.
        """
        service = org_policy_service.PolicyService()
        messages = org_policy_service.OrgPolicyMessages()
        name = utils.GetPolicyNameFromArgs(args)

        # A label display name in the condition is only meaningful together
        # with --label-parent; rewrite it to the label name before use.
        if args.IsSpecified('condition') and args.IsSpecified('label_parent'):
            utils.TransformLabelDisplayNameConditionToLabelNameCondition(args)

        partial_delete = args.condition is not None
        if partial_delete:
            current = service.Get(
                messages.OrgpolicyPoliciesGetRequest(name=name))

            trimmed = copy.deepcopy(current)
            trimmed.spec.rules = org_policy_utils.GetNonMatchingRulesFromPolicy(
                current, args.condition)

            # No rule carried the condition: nothing to write.
            if current == trimmed:
                return current

            still_effective = (bool(trimmed.spec.rules)
                               or trimmed.spec.inheritFromParent)
            if still_effective:
                patch = messages.OrgpolicyPoliciesPatchRequest(
                    name=name,
                    forceUnconditionalWrite=False,
                    googleCloudOrgpolicyV2alpha1Policy=trimmed)
                patched = service.Patch(patch)
                log.UpdatedResource(name, 'policy')
                return patched

        # Either no --condition was given, or stripping the matching rules
        # left a policy with no rules and no inheritance: delete it.
        deleted = service.Delete(
            messages.OrgpolicyPoliciesDeleteRequest(name=name))
        log.DeletedResource(name, 'policy')
        return deleted
  def testGetNonMatchingRulesFromPolicy_NoConditionSpecified_ReturnsNonMatchingRules(
      self):
    """With no condition, only the unconditional rules are filtered out.

    Builds a policy that interleaves unconditional rules with two conditional
    ones and checks that passing ``None`` as the condition returns exactly
    the conditional rules, in their original order.
    """
    conditional_a = {'condition': self.CONDITION_EXPRESSION_A}
    conditional_b = {'condition': self.CONDITION_EXPRESSION_B}

    # Two unconditional rules ({}), each followed by a conditional one.
    policy = self.Policy(
        rule_data=[{}, conditional_a, {}, conditional_b])
    expected_policy = self.Policy(
        rule_data=[dict(conditional_a), dict(conditional_b)])

    surviving_rules = utils.GetNonMatchingRulesFromPolicy(policy, None)

    self.assertEqual(surviving_rules, expected_policy.spec.rules)
  def UpdatePolicy(self, policy, args):
    """Enables enforcement for the given condition on a boolean policy.

    Validation comes first. The boolean policy contract is: a nonempty boolean
    policy has exactly one unconditional rule, and every conditional rule
    carries the opposite enforce value of that unconditional rule. A request
    that would break the contract raises BooleanPolicyValidationError before
    anything is copied or changed.

    Then the rules carrying the condition from ``args`` are removed (when no
    condition is given, the unconditional rules are removed instead), a single
    new rule with that condition is created, and its enforce field is set to
    True.

    When the policy has no rules and a condition is given, an unconditional
    rule with enforce set to False is created as well, so the result still
    satisfies the contract.

    Args:
      policy: messages.GoogleCloudOrgpolicyV2alpha1Policy, The policy to be
        updated.
      args: argparse.Namespace, An object that contains the values for the
        arguments specified in the Args method.

    Returns:
      The updated policy. The input policy itself is returned unchanged when
      the unconditional value is already enforce=True on a multi-rule policy.

    Raises:
      exceptions.BooleanPolicyValidationError: if the policy has rules but no
        unconditional rule, or if the requested change would give a
        conditional rule the same enforce value as the unconditional rule.
    """
    rules = policy.spec.rules
    condition = args.condition

    if rules:
      unconditional = org_policy_utils.GetMatchingRulesFromPolicy(policy, None)
      if not unconditional:
        raise exceptions.BooleanPolicyValidationError(
            'An unconditional enforce value does not exist on the nonempty policy.'
        )
      anchor = unconditional[0]

      if condition is None and len(rules) > 1:
        # Conditional rules exist, so the unconditional value cannot be
        # flipped; it must already be enforce=True (the opposite of them).
        if not anchor.enforce:
          raise exceptions.BooleanPolicyValidationError(
              'Unconditional enforce value cannot be the same as a conditional enforce value on the policy.'
          )
        # Already enforced unconditionally: nothing to change.
        return policy

      # A conditional enforce=True rule needs an unconditional enforce=False.
      if condition is not None and anchor.enforce:
        raise exceptions.BooleanPolicyValidationError(
            'Conditional enforce value cannot be the same as the unconditional enforce value on the policy.'
        )

    updated = copy.deepcopy(policy)

    # Empty policy + condition: seed the mandatory unconditional counterpart.
    if condition is not None and not updated.spec.rules:
      baseline, updated = org_policy_utils.CreateRuleOnPolicy(updated, None)
      baseline.enforce = False

    updated.spec.rules = org_policy_utils.GetNonMatchingRulesFromPolicy(
        updated, condition)

    target, updated = org_policy_utils.CreateRuleOnPolicy(updated, condition)
    target.enforce = True

    return updated