ajdZddlZddlmZddlmZddlmZddl m Z ddl m Z ddl mZdd lmZdd lmZdd lmZdd lmZdd lmZddlmZddlmZddlmZddlmZddlmZddl m!Z!dZ"dZ#ejHjJdiZ&GddejNZ(dZ)dZ*ejHjJfdZ+Gdde,Z-y)z@Common utility functions for Developer Connect Insights Configs.N) exceptions) projects_api)common)discover_apphub)discover_artifact_configs)folders) serviceusage)apis)waiter)basename)iam_util)util)log) resources) console_io)z$roles/developerconnect.insightsAgentzroles/cloudasset.owneri Nv1ceZdZdZy)!InsightsConfigInitializationErrorz9Error initializing the Developer Connect Insights Config.N)__name__ __module__ __qualname____doc__Plib/googlecloudsdk/api_lib/developer_connect/insights_configs/insights_config.pyrr2sArrc8tj||}|dS)a\Gets the P4SA for the given project and location. If the P4SA does not exist for this project, it will be created. Otherwise, the email address of the existing P4SA will be returned. Args: project: The project to get the P4SA for. service_name: The service name to get the P4SA for. Returns: The email address of the P4SA. email)r GenerateServiceIdentity)project service_nameresponses r_GetP4SAr$6s! 1 1'< H( ' rcR|tjk(xs|tjk(S)aWhether to retry the request when receiving errors. Args: exc_type: type of the raised exception. unused_exc_value: the instance of the raise the exception. unused_exc_traceback: Traceback, traceback encapsulating the call stack at the point where the exception occurred. unused_state: RetryerState, state of the retryer. Returns: True if exception and is due to NOT_FOUND or INVALID_ARGUMENT. )apitools_exceptionsHttpBadRequestErrorHttpNotFoundError)exc_typeunused_exc_valueunused_exc_traceback unused_states r_ShouldRetryHttpErrorr-Gs, )== = < );; ;=rcXtj|}tjd|S)Ndeveloperconnect) VERSION_MAPgetr GetMessagesModule) release_track api_versions rr2r2[s$ .+   2K @@rceZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d Zd ZdZdZdZdZ ddZdZdZdej0dfdZy)InsightsConfigClientz2Wrapper for Developer Connect Insights API client.ctj|}||_tjd||_t j|_|jjddt||_ ||_ d|_ y)Nr/r)r0r1r3r GetClientInstanceclientrRegistry_resource_parserRegisterApiByNamer2messagesr4 p4sa_email)selfr3r4s r__init__zInsightsConfigClient.__init__csp//-0K&D(();[IDK%..0D++,>E%m4DM"DDOrc "tj|}|j|jk(}t |j |jk(}|s,|s*t d|jd|jdtj|}|j||\}} |j| } |j| |} |j| | \} } |j| |r|j|j|d|jj|j!j#|j$|jj'|j#|j)| } |j*j,j/|S#t0j2$r>t5j6d |j$d |jd |j8dwxYw) zCreates the insight config.z'Mismatch: App Hub application project [zM] must be the same as the project where the insight config is being created [].Fmanagement_project)rappHubApplicationartifactConfigs)parentinsightsConfigIdinsightsConfigrequestInsights Config [z] already exists in project [ ] location [)rparse_app_hub_application_uri project_id projectsIdstrproject_numberrparse_artifact_configs%FindGkeWorkloadsAndGrantSAPermissionsGetArtifactConfigsFromCAISMergeArtifactConfigsBuildArtifactConfigsupdateInitServiceAccountr==DeveloperconnectProjectsLocationsInsightsConfigsCreateRequestParent RelativeNameinsightsConfigsIdInsightsConfig resource_namer9"projects_locations_insightsConfigsCreater&HttpConflictErrorrError locationsId)r?insight_config_refapp_hubuser_artifact_configsapp_hub_applicationare_projects_id_equalare_project_numbers_equaluser_artifact_configs_dictdependent_projects gke_workloadscais_artifact_configs_dictmerged_artifact_configs_dictartifact_projectsartifact_configscreate_requests rrazInsightsConfigClient.CreatemsJ<,I,II  . . 01  ( ( ) !)B - "--/01!,,-R 1  "&!$ +/*C*C$&@+''/0   ' ' " ]]``!((*779+==}}33#0021??A,4 aN  [[ ; ; B B C  0 0    0BBCD!!3!>!> ?@!--.b 2 s %F==AHci}|r|jD] \}}|||< |s|S|jD]?\}}|jj||jj|||<A|S)zMerges artifact configs from CAIS and user provided configs user provided configs will overwrite configs extracted from CAIS if URIs match.  projectIdurigoogleArtifactAnalysis)itemsr=ArtifactConfigGoogleArtifactAnalysis)r?artifact_configs_dictuser_provided_artifact_configsrorw config_msg build_projects rrVz)InsightsConfigClient.MergeArtifactConfigss $& 288:/#z,6$S); * ))<BBD]*.--*F*F!%!E!E%"F" +G+"3'E ('rc|j|j\}}tj|j s||fS|j ||t |fS)aFinds the GKE workloads and grants SA permissions at the folder level for management project or returns the dependent projects for non-management projects. Args: insight_config_ref: The insight config reference. app_hub_application: The app hub application. Returns: A tuple of dependent projects(based on if it is a management project or not) and gke workloads. ) GetRuntimesr_ris_management_projectrOAssignManagementPermissionsset)r?rerhrlrms rrTz:InsightsConfigClient.FindGkeWorkloadsAndGrantSAPermissionssl)-(8(8))+)%  % %&9&D&D&F G  .. $$%79LM 5- rc Zi}|D]}tj|}tj|}|D]r}tj|}|s|j }|j j||j j|j||<t|S)zQueries CAIS for artifacts associated with the gke workloads in the resources scope. Args: gke_workloads: A list of GKE workloads. Returns: A dict of artifact configs IC type. rtrv) discover_artifactsQueryCaisForAssetsGetArtifactURIsFromAssetsrvalidate_artifact_uribase_urir=rzr{rO) r?rmr| gke_workloadassets artifact_urisartifactvalidated_artifact_urirs rrUz/InsightsConfigClient.GetArtifactConfigsFromCAISs% !44\Bf(BB6Jm#(!%!;!;H!E% )224*.--*F*F#'==#G#G0;;=$H$+G+ h' $& ! rct}|s#tjjd|gfS|r|j D]}|j j }tjjd|d|jdtjxrtjdd}|r|j|j}|jj|j|jj| ||j<t|j }|j!d |D||fS) ayBuilds the artifact configs and returns the dependent projects and artifact configs. Args: merged_artifact_configs_dict: A combined dict of artifact configs IC type from CAIS and user provided configs. cais_artifact_configs_dict: A dict of artifact configs IC type from CAIS. Returns: A tuple of dependent projects and artifact configs. z*No existing artifact configurations found.z Build project [z?] will be used to extract provenance information for artifact []z+Would you like to change the build project?F) prompt_stringdefaultrtrvc3HK|]}|jjyw)N)rxru).0rs r z.6s$(H ''11(s ")rrstatusPrintvaluesrxrurwr CanPromptPromptContinuePromptForBuildProjectr=rzr{listrX)r?rornrlartifact_configrchange_build_projectrqs rrWz)InsightsConfigClient.BuildArtifactConfigssa ' jjCD  ##"9@@B/'>>HH     $$%Q (   " ))K  44_5H5HI- MM ( (#'''+}}'K'K+(L( )  %_%8%89%C88??AB( / //rcd}d}|s4tjd|d} tj|d}|s4|S#tj $r1t jjdj|YHtj$r1t jjdj|Ytj$r%}t jd|d|Yd}~d}~wwxYw) z'Prompts the user for the build project.FNz2Please enter the build project for your artifact [z]: TzPermission denied when checking build project [{}]. Please ensure your account has necessary permissions or that the project exists.z^Invalid build project ID [{}]. Please ensure it is a valid project ID (e.g., "my-project-123")z Error validating build project [)rPromptResponservalidate_build_projectr&HttpForbiddenErrorrrrformatr'rrcwarning)r? artifact_urifoundres rrz*InsightsConfigClient.PromptForBuildProject<s EM // nC !m N ##M2. ! 3 3   *VM "  ! 4 4   3396-3H   N 6}oSLMMNs#=AC9AC9C9C44C9ct}g}tj}|jd|}|D]}|jr|jj s&t j|jj }|sR|jt j|jjjj|j|||fS)zGets the runtime configs. Args: app_hub: The app hub application. Returns: A tuple of runtime configs projects and gke workloads associated with the app hub application. d) page_sizerG)rrDiscoveredWorkloadsClientListworkloadReferencerwrparse_gke_deployment_uriaddProject gke_namespace gke_clusterr!rOappend)r?rfruntime_configs_projectsrmr9 workloadsworkloadrs rrz InsightsConfigClient.GetRuntimesYs #uM  6 6 8F I  ' 'x/I/I/M/M22  $ $ ( (l  !$$ LL**66>> j \*#$ $] 22rctjtj|j j j }|g}|j|j|dy)zBAssigns permissions to at the folder level for management project.TrCN) rGet projects_util ParseProjectrOrGidrYrP)r?rerf folder_numberdependent_folders rrz0InsightsConfigClient.AssignManagementPermissionssm!$$""      fRR  &%%  rc2|r|r|j|||}n|j|}tjtj|j s0|j |}|j|j|dnztjtjtj|j jj}|g}|j|j|d|j|} |r/|j j"j$j&| _|j j+| |j-} |j.j0j3| S)zUpdates the insight config.FrCT)rIrrJ)HandleArtifactConfigsGetExistingInsightsConfigrrextract_projectrEGetDependentProjectsrYrPrrrrrGrInsightsConfigMessageTyper=r^StateValueValuesEnumPENDINGstate,>"?    ,==77#'==#G#G'$H$8  %55! #@ $$#'==#G#G'$H$ %  IG  1 1    G 6-!A!A!C D    2 2    J 6- # sD AF&<%F!!F&cd|jj|j|jS)z+Creates a new insights config message type.)rrF)r=r^rrF)r?current_insights_configs rrz.InsightsConfigClient.InsightsConfigMessageTypes0 == ' '%++/?? ( rc H |jjj|jj |j S#t j$r>tjd|jd|jd|jdwxYw)zGets the insight config.r rJrLz] not found in project [rMrB) r9r`rr=:DeveloperconnectProjectsLocationsInsightsConfigsGetRequestr\r&r(rrcr]rPrd)r?res rrz.InsightsConfigClient.GetExistingInsightsConfigs  [[ ; ; ? ?--ZZ%224[ @  0 0    0BBCD,7789!--.b 2 s A AAB!c~t}|jtj|j|j D]}|j r@tj|j }|r|j|j|js\|jjss|j|jj|jD]=}|j s|jtj|j ?tt|S)z.Gets the P4SA projects for the insight config.)rrrrrErFrwrrOrxruruntimeConfigssortedr)r?insights_configprojectsrrruntime_configs rrz)InsightsConfigClient.GetDependentProjects suH LL%%o&G&GHI*::   11/2E2EF  ,,|..0 1  0 044>> _;;EEF;*88    T)).*<*<=>9 $x. !!rctj|j}|jt |||_|jst dj ||rEt|dk(r!|j|j|ddytjdy|D]4}tj|}|j|j|d6y)aGet the Developer Connect P4SA, and grant IAM roles to it. 1) First, get the P4SA for the project. Args: p4sa_project: The project to get the P4SA for. dependent_resources: The resources to grant the P4SA permissions to. management_project: Whether the resource is a management project. 2) Then grant necessary roles needed to the P4SA for updating an insight config. 3) If the app hub application is a management project, grant the P4SA permissions on the folder. 4) If the app hub application is a non management project, grant the P4SA permissions on the dependent projects. Raises: InsightsConfigInitializationError: P4SA failed to be created. Nz"Failed to get P4SA for project {}.rTz\Could not find folder number for the management project.Skipping permissions checks/binding.F) rGetApiServiceNamer4r>r$rrlenBindRolesToServiceAccountrrrr)r? p4sa_projectdependent_resourcesrDr"r! project_refs rrYz'InsightsConfigClient.InitServiceAccounts.++D,<,<=L  |dj|} |rtj|}ntj|}|j |||ryt j jdj|||tjxr&tjdj||}|st jdy|rMtj} tj| j|||tj ||ntj"|||t j jdj||y#t$j&$rt jd|||YywxYw) aPrompts to bind the role to the service account in project level if missing. If the console cannot prompt, a warning is logged instead. Args: sa_email: The service account email to bind the role to. resource_ref: The resource to bind the role to. role: The role to bind if missing. management_project: Whether the resource is a management project. reason: Extra information to print explaining why the binding is necessary. serviceAccount:{}Nz2 Service account [{}] is missing the role [{}]. {}z, Bind the role [{}] to service account [{}]?)rz0Manual binding of above role will be necessary. z8Successfully bound the role [{}] to service account [{}]zYour account does not have permission to check or bind IAM policies to resource [%s]. If the deployment fails, ensure [%s] has the role [%s] before retrying.)rr GetIamPolicyrHasRoleBindingrrrrrrrFoldersMessagesrAddBindingToIamPolicyBinding SetIamPolicyAddIamPolicyBindingr&r) r?rrrrDrmember iam_policybindr=s rrz.InsightsConfigClient.PromptToBindRoleIfMissing]sl! ' ' 1F/ )),7 !..|<  Z4 8 jj @ G Gf   ! ! # (A(AGNNH )d  GH **,&&   j&$  \:6((vtD jj D K KH   1 1  kk4     s AE.BE.BE..+FFcDtfd|jDS)zReturns whether the given SA has the given role bound in given policy. Args: iam_policy: The IAM policy to check. sa_email: The service account to check. role: The role to check for. c3zK|]2}dj|jvxr|jk(4yw)rN)rmembersr)rbrrs rrz6InsightsConfigClient.HasRoleBinding..s=$A ""8, 9LaffnL$s8;)anybindings)r?rrrs ``rrz#InsightsConfigClient.HasRoleBindings% $$ rcN|jj|jdS)zKConverts an operation to a resource that can be used with `waiter.WaitFor`.z1securesourcemanager.projects.locations.operations)r;ParseRelativeNamer)r? operations rGetOperationRefz$InsightsConfigClient.GetOperationRefs'  2 2K MMrTiX)secondsc"|r?tj|jj|jj}n)tj |jj}tj ||||jdzS)aWaits for a Developer Connect operation to complete. Polls the Developer Connect Insights Operation service until the operation completes, fails, or max_wait_seconds elapses. Args: operation_ref: a resource reference created by GetOperationRef describing the operation. message: a message to display to the user while they wait. has_result: If True, the function will return the target of the operation (i.e. the InsightConfig) when it completes. If False, nothing will be returned (useful for Delete operations). max_wait: The time to wait for the operation to complete before returning. Returns: A resource reference to the target of the operation if has_result is True, otherwise None. i) max_wait_ms)r CloudOperationPollerr9r`projects_locations_operationsCloudOperationPollerNoResourcesWaitForr)r? operation_refmessage has_resultmax_waitpollers rWaitForOperationz%InsightsConfigClient.WaitForOperationsw2** ++ 8 8 ++ 3 3f 55 ++ 3 3f >> wH4D4Dt4K rN))rrrrr@rarVrTrUrWrrrrrrrrrYrrrrdatetime timedeltarrrrr6r6`s:BH(2 6!890v:$3L 1f0d "&+LZ(FH?B M!x!!#. %rr6).rrapitools.base.pyrr&+googlecloudsdk.api_lib.cloudresourcemanagerr(googlecloudsdk.api_lib.developer_connectr9googlecloudsdk.api_lib.developer_connect.insights_configsrrr'googlecloudsdk.api_lib.resource_managerrgooglecloudsdk.api_lib.servicesr googlecloudsdk.api_lib.utilr r googlecloudsdk.callioper ,googlecloudsdk.command_lib.developer_connectrgooglecloudsdk.command_lib.iamr#googlecloudsdk.command_lib.projectsrrgooglecloudsdk.corerrgooglecloudsdk.core.consolerr_MAX_WAIT_TIME_IN_MS ReleaseTrackALPHAr0 InternalErrorrr$r-r2objectr6rrrr(s G>D;Uu;8,.(=3E*#)2  !T B (@(@B"=(%)$5$5$;$;A u 6u r