$dZddlmZddlmZddlmZddlmZddlmZdZ dZ d Z d Z d Z d Zd ZdZdZdZdZdZdZdZy)z7IAM-related helpers for working with the Cloud KMS API.)absolute_import)division)unicode_literals)base)iam_utilctj}tj}|jtj |}|j j|S)zFetch the IAM Policy attached to the EkmConfig. Args: ekm_config_name: A string name of the EkmConfig. Returns: An apitools wrapper for the IAM Policy. options_requestedPolicyVersionresource)rGetClientInstanceGetMessagesModule5CloudkmsProjectsLocationsEkmConfigGetIamPolicyRequestr!MAX_LIBRARY_IAM_SUPPORTED_VERSIONprojects_locations_ekmConfig GetIamPolicy)ekm_config_nameclientmessagesreqs *lib/googlecloudsdk/api_lib/cloudkms/iam.pyGetEkmConfigIamPolicyrs[  ! ! #&  # # %(FF%-%O%O G #  , , 9 9# >>ctj}tj}tj|_|sd}n d|vr|dz }|j ||j||}|jj|S)aSet the IAM Policy attached to the named EkmConfig to the given policy. If 'policy' has no etag specified, this will BLINDLY OVERWRITE the IAM policy! Args: ekm_config_name: A string name of the EkmConfig. policy: An apitools wrapper for the IAM Policy. update_mask: str, FieldMask represented as comma-separated field names. Returns: The IAM Policy. version,versionpolicy updateMaskr setIamPolicyRequest) rr r rrr5CloudkmsProjectsLocationsEkmConfigSetIamPolicyRequestSetIamPolicyRequestr SetIamPolicy)rr update_maskrrrs rSetEkmConfigIamPolicyr%,s  ! ! #&  # # %(==&. K #:KFF"66K71 G 2#  , , 9 9# >>rctj}t|}tj|j |||t ||dSz@Does an atomic Read-Modify-Write, adding the member to the role. bindings,etagr$)rr rrAddBindingToIamPolicyBindingr%)rmemberrolerrs rAddPolicyBindingToEkmConfigr.JsH  # # %(  1&   !1!1664H v? <CloudkmsProjectsLocationsKeyRingsCryptoKeysGetIamPolicyRequestrrr5&projects_locations_keyRings_cryptoKeysr)crypto_key_refrrrs rGetCryptoKeyIamPolicyrDsd  ! ! #&  # # %(OO%-%O%O**, P .#  6 6 C CC HHrc2tj}tj}tj|_|sd}n d|vr|dz }|j |j|j||}|jj|S)aSet the IAM Policy attached to the named CryptoKey to the given policy. If 'policy' has no etag specified, this will BLINDLY OVERWRITE the IAM policy! Args: crypto_key_ref: A resources.Resource naming the CryptoKey. policy: An apitools wrapper for the IAM Policy. update_mask: str, FieldMask represented as comma-separated field names. Returns: The IAM Policy. rrrr) rr r rrr>CloudkmsProjectsLocationsKeyRingsCryptoKeysSetIamPolicyRequestr5r"rBr#)rCrr$rrrs rSetCryptoKeyIamPolicyrGs  ! ! #&  # # %(==&. K #:KOO**,"66K71 P 2#  6 6 C CC HHrctj}tj}|j|j |j |}|j j|S)z>Return permissions that the caller has on the named CryptoKey.) permissions)r testIamPermissionsRequest)rr r DCloudkmsProjectsLocationsKeyRingsCryptoKeysTestIamPermissionsRequestr5TestIamPermissionsRequestrBTestIamPermissions)rCrIrrrs rTestCryptoKeyIamPermissionsrNsp  ! ! #&  # # %(UU**, ( B B!!C!# V $#  6 6 I I# NNrc t|||fgS)aHAdd an IAM policy binding on the CryptoKey. Does an atomic Read-Modify-Write, adding the member to the role. Args: crypto_key_ref: A resources.Resource naming the CryptoKey. member: Principal to add to the policy binding. role: List of roles to add to the policy binding. Returns: The new IAM Policy. )AddPolicyBindingsToCryptoKey)rCr,r-s rAddPolicyBindingToCryptoKeyrQs &n~6F GGrctj}t|}tj|_d}|D]*\}}tj |j|||s)d},|rt||dS|S)a`Add IAM policy bindings on the CryptoKey. Does an atomic Read-Modify-Write, adding the members to the roles. Only calls SetIamPolicy if the policy would be different. Args: crypto_key_ref: A resources.Resource naming the CryptoKey. member_roles: List of 2-tuples in the form [(member, role), ...]. Returns: The new IAM Policy. FTr(r)) rr rDrrrr*r+rG)rC member_rolesrrpolicy_was_updatedr,r-s rrPrPs} # # %(  0&==&."lfd%%h&6&6M# O == -rct|}tj|_tj|||t ||dSr0)rDrrrr1rG)rCr,r-rs r RemovePolicyBindingFromCryptoKeyrVs?  0&==&. %%ffd; f/ ;;rN)__doc__ __future__rrrgooglecloudsdk.api_lib.cloudkmsrgooglecloudsdk.command_lib.iamrrr%r.r2r8r;r=r?rDrGrNrQrPrVrrr\se>&'03?&?<<<>&><PPI&I< O H <;r