File: //snap/google-cloud-cli/current/lib/googlecloudsdk/command_lib/pam/util.py
# -*- coding: utf-8 -*- #
# Copyright 2024 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Utility functions for `gcloud pam` commands."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
import re
from googlecloudsdk.api_lib.util import apis
from googlecloudsdk.calliope import arg_parsers
from googlecloudsdk.calliope import base
from googlecloudsdk.core import log
from googlecloudsdk.core import yaml
def SetForceFieldInDeleteEntitlementRequest(unused_ref, unused_args, req):
"""Modify request hook to set the force field in delete entitlement requests to true."""
req.force = True
return req
def ParseEntitlementNameIntoCreateEntitlementRequest(unused_ref, args, req):
"""Modify request hook to parse the entitlement name into a CreateEntitlementRequest."""
entitlement = args.CONCEPTS.entitlement.Parse()
req.parent = entitlement.result.Parent().RelativeName()
req.entitlementId = entitlement.result.Name()
return req
def SetUpdateMaskInUpdateEntitlementRequest(unused_ref, unused_args, req):
"""Modify request hook to set the update mask field in update entitlement requests to '*'."""
req.updateMask = '*'
return req
def FormatWithdrawResponse(response, unused_args):
"""Formats the response of the withdraw command."""
modified_response = {}
if response.name:
modified_response['name'] = response.name
if not response.metadata:
return modified_response
modified_response['metadata'] = {}
properties = response.metadata.additionalProperties
for prop in properties:
if prop.key in ('apiVersion', 'createTime', 'target'):
modified_response['metadata'][prop.key] = prop.value.string_value
log.status.Print(
'Grant withdrawal initiated. The operation will complete in some time. To'
' track its status, run:\n`gcloud pam operations wait {}`\nNote that'
' the wait command requires you to have the'
' `privilegedaccessmanager.operations.get` permission on the resource.'
.format(response.name)
)
return modified_response
def GetApiVersionFromArgs(args):
"""Return API version based on args.
Args:
args: The argparse namespace.
Returns:
API version (e.g. v1alpha or v1beta).
"""
release_track = args.calliope_command.ReleaseTrack()
if release_track == base.ReleaseTrack.ALPHA:
return 'v1alpha'
if release_track == base.ReleaseTrack.BETA:
return 'v1beta'
if release_track == base.ReleaseTrack.GA:
return 'v1'
def SetRequestedPrivilegedAccessInCreateGrantRequest(unused_ref, args, req):
"""Modify request hook to populate the requestedPrivilegedAccess field in create grant requests."""
if not args.requested_resources:
return req
messages = apis.GetMessagesModule(
'privilegedaccessmanager', GetApiVersionFromArgs(args)
)
if len(args.requested_resources) > 1:
raise arg_parsers.ArgumentTypeError(
'Only one resource is supported for grant scope.'
)
for resource in args.requested_resources:
resource = resource.strip()
pattern = r'^(projects|organizations|folders)\/.+'
components = resource.split('/')
if not re.match(pattern, resource) or len(components) != 2:
raise arg_parsers.ArgumentTypeError(
'Invalid resource name: {}. Resource name must be of the form'
' (projects|organizations|folders)/<id>.'.format(resource)
)
resource_type = (
'cloudresourcemanager.googleapis.com/' + components[0].capitalize()[:-1]
)
full_name = '//cloudresourcemanager.googleapis.com/' + resource
requested_privileged_access = messages.RequestedPrivilegedAccess()
requested_privileged_access.gcpIamAccess = (
messages.RequestedPrivilegedAccessGcpIamAccess()
)
requested_privileged_access.gcpIamAccess.resourceType = resource_type
requested_privileged_access.gcpIamAccess.resource = full_name
req.grant.requestedPrivilegedAccess.append(requested_privileged_access)
return req
def LoadGrantScopeFromYaml(stream):
"""Loads a YAML document from a stream.
This function takes a stream (expected to be a list with a single string
element) and parses it as a YAML document. It returns the loaded YAML data as
a Python object (typically a list or dictionary).
Args:
stream: The stream to load from.
Returns:
The loaded YAML data.
"""
if not stream or not stream[0]:
# Return an empty list if no file is provided or the file is empty.
return []
return yaml.load(stream[0])
# TODO(b/261183749): Remove modify_request_hook when singleton resource args
# are enabled in declarative.
def UpdateSettingsResource(unused_ref, unused_args, req):
"""Modify request hook to update the resource field in settings requests."""
req.name = req.name + '/settings'
return req
def SetUpdateMaskInUpdateSettingsRequest(unused_ref, unused_args, req):
"""Modify request hook to set the update mask field in update settings requests to '*'."""
req.updateMask = '*'
return req