dZddlmZddlmZddlmZddlZddlmZddlm Z ddl m Z dd l mZddlm Zdd lmZdd lmZdd lmZdd lmZdZdZdZdZd(dZ d(dZdZdZdZdZdZ dZ!GddejDZ#dZ$dZ%dZ&dZ'd Z(d!Z)d"Z*Gd#d$ejVZ,d%Z-Gd&d'Z.y))zWs 4ZZ J00==AAC#[  7 7 E     $ $ : % '##%#* *r*c ~t||dS)zDHook to process restricted client applications input in Alpha track.v1alphaversion)$_ProcessRestrictedClientApplications) unused_refr%r&s r((ProcessRestrictedClientApplicationsAlpharEms -dC KKr*c6|jdr{|j}t|d|}|j)t j |j |_|D]'}|jjj|)|jdr{|j}t|d|}|j)t j |j |_|D]'}|jjj|)|S)zCProcess restricted client applications input for the given version.r,rAr-) rr,0_MakeRestrictedClientApplicationsFromIdentifiersgcpUserAccessBindingr GetMessagesGcpUserAccessBindingrestrictedClientApplicationsrr-)r%r&rB client_ids"restricted_client_application_refs!restricted_client_application_ref client_namess r(rCrCss% HI>>J8  6 ' '!%!1!1" .P) ;;BB +.P  CD;;L8  1 ' '!%!1!1" .P) ;;BB +.P *r*c(g}||Dcgc]}|r|}}|D]}|dk(r7 |jtj|j|?|dk(r7 |jtj|j|{t j dj dd |Scc}w#t j dj ddxYw#t j dj ddxYw) zJParse restricted client applications and return their resource references.r,rA)clientId--{}z:Unable to parse input. The input must be of type string[].r-)namearg_namez:The input is not valid for Restricted Client Applications.)rrrI ApplicationrInvalidArgumentExceptionformat)app_identifiersrTrB resource_refs identifierapp_identifiers r(rGrGs>- **J  ) * ? ?   w/;;)<  < <   w/;;;P ":: MM* % H  1*8 E #<<mmFGJ   #<<mmABJ  s B;5C5C*'C'*'Dcr|jj}|r|jj}g}|Dcgc]}|s| }}|s|S|rdnd}|D]6} tjj ||d}|j|8|Scc}w#t jdj|dxYw)z9Parse level strings and return their resource references.rr0accesscontextmanager.accessPolicies.accessLevelsparamsr2rRzjThe input must be the full identifier for the access level, such as `accessPolicies/123/accessLevels/abc`.) rH accessLevelsdryRunAccessLevelsr r9r:rrVrWr)r&param is_dry_run level_inputs level_refs level_inputrT level_refs r(_ParseLevelRefsrhs))66,++>>L*1=M++,M  ", )(!k $$** G+ii " )N  8 8 -- ! ; sB B "B'B6c ~i}i}d}|jdrW tjj|j dd}d|ji}|j|d<n~|jdrt||d ng}|jd rt||d ng}|Dcgc]}|jc} |Dcgc]}|jc} t fd  Ds tdgt fd Ds tdg r dj|d< r dj|d<t|j} | jt|j! t fd Ds t| |r-|Dcgc]}|jc}|j"_|r-|Dcgc]}|jc}|j"_|S#t j ddxYwcc}wcc}wcc}wcc}w)z0Hook to format levels and validate all policies.Npolicy#accesscontextmanager.accessPoliciesr1--policybThe input must be the full identifier for the access policy, such as `123` or `accessPolicies/123.accessPoliciesIdrF)rcrTc3.K|] }|dk(ywrN).0x level_parentss r( z ProcessLevels..s :MqQ-" "Mrc3.K|] }|dk(ywrprq)rrrsdry_run_level_parentss r(ruz ProcessLevels..s J4IqQ'* *4Irv--dry-run-levelrc3.K|] }|dk(ywrprq)rrrspolicies_valuess r(ruz ProcessLevels..!s >oQ/!$ $orv)rr r9r:GetValuerrVNamer;rhParentallConflictPolicyExceptionlistkeyssortvaluesrHr`ra) r$r%r&policies_to_checkrb policy_refredry_run_level_refsrsflags_to_complainrxrtr{s @@@r( ProcessLevelsrsb  %* h' %%++ -- !:,j !2 3E$.$;$;$=j!  ! !' *c5U3    ! !/ 2c5T2 (22z!188:z2-/AB/A!188:/AB :M : : !9+ .. J4I J J !#4"5 66#0#3#@#@#Bi +@ ,ln'(,1134*1134/ >o > > !"3 44",-",Q*-C)"43"4Q"43C/ *k  8 8  2 .3B*-3s#0H#:H>I I8I #H;c*|rtj|ntjd}|jtjdjkDrt j dddjt|jS)zVProcess the session-length argument into an acceptable form for GCSL session settings.)hoursdaysrz2The session length cannot be greater than one day.z{}s) r ParseDurationr Duration total_secondsrrVrWint)stringdurations r(ProcessSessionLengthr0s|&,e&!1F1FR1P l33;III  6 6<  c(001 22r*c2~|jdr|jds|jdrtjddtj|j j jj}|dkrd|j _|S|dk(rd|j j _ |Sd |j j _ |S|jd rtjd d d|j _|S) aHook to process GCSL session settings. When --session-length=0 make sure the sessionLengthEnabled is set to false. Throw an error if --session-reauth-method or --use-oidc-max-age are set without --session-length. Args: unused_ref: Unused args: The command line arguments req: The request object Returns: The modified request object. Raises: calliope_exceptions.InvalidArgumentException: If arguments are incorrectly set. rr,r-rzXCannot set session length on restricted client applications. Use scoped access settings.rNFTsession_reauth_methodz--session_reauth_methodz;Cannot set --session_reauth_method without --session-length) rrrVr rrHsessionSettings sessionLengthrsessionLengthEnabled)rDr%r&rs r(ProcessSessionSettingsrFs"( ./ 2 ! !"G H  8 8  $  ((   00>>m15c. * 1 FKc..C *GKc..C *  78  8 8 # G  04C, *r*c|tjdjd|}tjdd|S)Nz([a-z0-9])([A-Z])z\1_\2z_[A-Z]+c@|jdjS)Nr)grouplower)ms r(z&_CamelCase2SnakeCase..|sQWWQZ%5%5%7r*)recompilesub)rSs1s r(_CamelCase2SnakeCaserzs2 zz%&**8T:"  7 <._ValidateScopeInScopedAccessSettingsUniquenesssX$: ;$:qc!''l$:F ; 6{c#f+&&  8 8  D '._IsClientScopeSetsY    3 3 )1)?)?00*& . 1668 / 49 r*c|jr|jjstjddy)Nrz;ScopedAccessSettings in the binding-file must have a scope.)r clientScoperrV)scoped_access_settingrs r(-_ValidateScopeInScopedAccessSettingIsNotEmptyz[_ProcessScopesInScopedAccessSettings.._ValidateScopeInScopedAccessSettingIsNotEmptysC & &.?##/// 8 8  G /r*c`|jj}||D] }| yN)rHscopedAccessSettings)r&rrrrs r(_Startz4_ProcessScopesInScopedAccessSettings.._Starts2 55JJ23IJ!734IJ"8r*Nrq)r&rrrrs @@@r($_ProcessScopesInScopedAccessSettingsrs! K  +r*c2dfdfd}||y)z._IsAccessSettingsSetsB  #11/B  #((* !# &+ r*cT|s|stjddyy)NrzhScopedAccessSettings in the binding-file must have at least one of activeSettings or dryRunSettings set.)rrV)rdry_run_settingsrs r(@_ValidateAccessSettingsInScopedAccessSettingAtLeastOneIsNotEmptyzv_ProcessAccessSettingsInScopedAccessSettings.._ValidateAccessSettingsInScopedAccessSettingAtLeastOneIsNotEmptys=  09M: 8 8  3 : 0r*cz|jj}|D]}|j|j!yr)rHractiveSettingsdryRunSettings)r&rrrs r(rz<_ProcessAccessSettingsInScopedAccessSettings.._Starts: 55JJ!7F  . .  . ."8r*Nrq)r&rrrs @@r(,_ProcessAccessSettingsInScopedAccessSettingsrs   +r*c<dddfd}|||y)z8Process the access levels in the scoped access settings.c ||z}|rw|Dcgc]}|jc}tfdDs t||r7r4|jdjk7rtdg|zyyyycc}w)zEValidate that the access levels and policy belong to the same policy.c3.K|] }|dk(ywrprq)rrrsaccess_level_resources_parentss r(ruzc_ProcessAccessLevelsInScopedAccessSettings.._ValidateBelongsToSamePolicy..7s$1a -a0 01rvrrlN)r~rrr;)rdry_run_access_level_resourcespolicy_resourcercombined_access_levelrsrs @r(_ValidateBelongsToSamePolicyzP_ProcessAccessLevelsInScopedAccessSettings.._ValidateBelongsToSamePolicy(s !??4(3!((*3($1&o66 ,**,/2??AB&zl_&DEE B- (sBcZ|r$|Dcgc]}|jc}|_yycc}w)aFReplace the access levels in the scoped access settings with relative names. For example, { 'activeSettings': { 'accessLevels': [ 'accessPolicies/123/accessLevels/access_level_1' ] } } is replaced with: { 'activeSettings': { 'accessLevels': [ access_level_resources.RelativeName() ] } } Args: access_settings: The access settings to replace the access levels in. access_level_resources: The access level resources to replace the access levels with. N)r;r`)rrrss r(5_ReplaceAccessLevelsInAccessSettingsWithRelativeNameszi_ProcessAccessLevelsInScopedAccessSettings.._ReplaceAccessLevelsInAccessSettingsWithRelativeNamesHs5>$:&$:q!.. $:&o"&s(cV|sind|ji}g}|rt||dd}|S)aGet the access level resources from the scoped access settings. Args: policy_resource: The policy resource access_levels: The access levels to turn into cloud resources. For example, ['accessPolicies/123/accessLevels/access_level_1'] Returns: The access level cloud resources that correspond to the `access levels`. For example, ['https://accesscontextmanager.googleapis.com/v1/accessPolicies/123/accessLevels/access_level_1'] rnz binding-filezAccess levels in ScopedAccessSettings must contain the full identifier. For example: `accessPolicies/123/accessLevels/access_level_1)r}r)rrrbrs r(_GetAccessLevelResourceszL_ProcessAccessLevelsInScopedAccessSettings.._GetAccessLevelResourceslsN  /"6"6"8 9  :    =   "!r*cd}|jdrt|jddd}|jj}g}g}|D]}g}|j rG|j j r1 ||j j }|j|dg}|jrG|jj r1 ||jj }|j|d |||dg |j | |j| |||dgg} |jj r  ||jj } | s  ||jj}  || |gdy#tj$rYCwxYw#tj$rY._Starts O )2 -- !  2o!55JJ$&!,.)!7!  . .#22??!9 2AANN"  &,,-CA-FG(*$  . .#22??)A  ! 0 0 = =* & .44 *1 - # (     <  . .0F<  . .0NE"8P!%-  %'! ,, (@ S55BB) % ) (@ S55HH) %!%%8 ! 9 9   ! 9 9   s$F3F7F43F47G  G Nrq)r%r&rrrrs @@@r(*_ProcessAccessLevelsInScopedAccessSettingsr%s(F@"H">Wr sr*c0ddfd}||y)z;Process the session settings in the scoped access settings.cH|y|jtjddtj|jj }|t jdj kDrtjdd|dkrtjddy)NrzISessionSettings within ScopedAccessSettings must include a sessionlength.rrzJSessionLength within ScopedAccessSettings must not be greater than one dayrzDSessionLength within ScopedAccessSettings must not be less than zero)rrrVr rrr r)rrs r(_ValidateSessionSettingszO_ProcessSessionSettingsInScopedAccessSettings.._ValidateSessionSettingss %%-  8 8    ((&&m --15CCC  8 8      8 8   r*c|jtjd}t||jr&|jj j |_n8tjdjj j |_|j=tj|jj}|dkDrd|_nd|_|jd|_ yy)Nv1r@rTF) sessionReauthMethodrrI isinstanceSessionSettings"SessionReauthMethodValueValuesEnumLOGINrr rrr useOidcMaxAge)r v1_messagesrs r( _InferEmptySessionSettingsFieldszW_ProcessSessionSettingsInScopedAccessSettings.._InferEmptySessionSettingsFieldss++3$$T*k $k&A&A B  ' ' J J P P ,04/?/? 0 /<._StartsU 55JJ #   ))99 /0&'78$r*Nrq)r&rrrs @@r(-_ProcessSessionSettingsInScopedAccessSettingsr s2-4 9 +r*c(dfd}||||S)zEHook to process and validate scoped access settings from the request.c||jdxs|jd}|rtjddy)Nr-r,rzThe binding-file cannot be specified at the same time as `--restricted-client-application-names` or `--restricted-client-application-client-ids`.)rrrV)r%legacy_prca_fields_specifieds r(D_ValidateRestrictedClientApplicationNamesAndClientIdsAreNotSpecifiedziProcessScopedAccessSettings.._ValidateRestrictedClientApplicationNamesAndClientIdsAreNotSpecified.sT$(#;#;-$$N ! !"L M!$  8 8  ; $r*c~|jds|S|t|t|t||t ||S)Nr)rrrrr )rDr%r&rs r(rz+ProcessScopedAccessSettings.._Start<sH  # #N 3 jHN(-05.tS91#6 Jr*rq)rDr%r&rrs @r(ProcessScopedAccessSettingsr+s    D# &&r*ceZdZfdZxZS)InvalidFormatErrorcLtt| |dj|y)NaInvalid format: {} A binding-file is a YAML-formatted file containing a single gcpUserAccessBinding. For example: scopedAccessSettings: - scope: clientScope: restrictedClientApplication: name: Cloud Console activeSettings: accessLevels: - accessPolicies/123/accessLevels/access_level_1 dryRunSettings: accessLevels: - accessPolicies/123/accessLevels/dry_run_access_level_1 - scope: clientScope: restrictedClientApplication: clientId: my_client_id.google.com activeSettings: accessLevels: - accessPolicies/123/accessLevels/access_level_2 dryRunSetting: accessLevels: - accessPolicies/123/accessLevels/dry_run_access_level_2 )rrrrW)rpathreasonrs r(rzInvalidFormatError.__init__Ns+ d,  O2 &  9r*)rrrrrrs@r(rrLs   r*rcdfd}|S)zParse a GcpUserAccessBinding from a YAML file. Args: api_version: str, the API version to use for parsing the messages Returns: A function that parses a GcpUserAccessBinding from a file. cLt|dkDrtjddy)Nrz --input-filez{The input file contains more than one GcpUserAccessBinding. Please specify only one GcpUserAccessBinding in the input file.)rrrV)bindingss r(#_ValidateSingleGcpUserAccessBindingzUParseGcpUserAccessBindingFromBindingFile.._ValidateSingleGcpUserAccessBinding{s/ 8}q  8 8  L r*ctj|tjjd}|t ||dj |dS)NrAFr)r )ParseAccessContextManagerMessagesFromYamlrrIrJ&GcpUserAccessBindingStructureValidatorValidate)rrr api_versions r(2_ParseVersionedGcpUserAccessBindingFromBindingFilezdParseGcpUserAccessBindingFromBindingFile.._ParseVersionedGcpUserAccessBindingFromBindingFilesV?? d{3HH%H(1*4!=FFH A;r*rq)rr rs` @r((ParseGcpUserAccessBindingFromBindingFiler!qs <;r*cLeZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z y ) rzGValidates a GcpUserAccessBinding structure against unrecognized fields.c ||_||_yr)rgcp_user_access_binding)rrr$s r(rz/GcpUserAccessBindingStructureValidator.__init__sDI#:D r*c|j|j|j|jjy)z-Validates the GcpUserAccessBinding structure.N)3_ValidateAllFieldsRecognizedForGcpUserAccessBindingr$_ValidateScopedAccessSettingsr)rs r(rz/GcpUserAccessBindingStructureValidator.Validates8<< $$ && $$99r*c |rtt|D]i}||}|j||j|j|j |j |j |jkyy)z-Validates the ScopedAccessSettings structure.N)ranger_ValidateAllFieldsRecognized_ValidateAccessScoper_ValidateAccessSettingsrr)rscoped_access_settings_listirs r(r'zDGcpUserAccessBindingStructureValidator._ValidateScopedAccessSettingssx"S456!!">? $$%;%J%JK $$%;%J%JK 7#r*cb|r-|j||j|jyy)z$Validates the AccessScope structure.N)r*_ValidateClientScoper)r access_scopes r(r+z;GcpUserAccessBindingStructureValidator._ValidateAccessScopes, '' 5  8 89r*cb|r-|j||j|jyy)z(Validates the AccessScopeType structure.N)r*$_ValidateRestrictedClientApplicationr)rrs r(r0z;GcpUserAccessBindingStructureValidator._ValidateClientScopes/ '' 5 //  2 2r*c,|r|j|yy)z+Validates the RestrictedClientApplications.Nr*)rrestricted_client_applications r(r3zKGcpUserAccessBindingStructureValidator._ValidateRestrictedClientApplications$ ''(EF%r*c,|r|j|yy)zValidate the SessionSettings.Nr5)rrs r(rz?GcpUserAccessBindingStructureValidator._ValidateSessionSettingss ''(89r*cb|r-|j||j|jyy)z'Validates the AccessSettings structure.N)r*rr)rrs r(r,z>GcpUserAccessBindingStructureValidator._ValidateAccessSettingss, ''8 ##O$C$CDr*c dg}t}g}|j|k7r|jd|j|k7r|jd|j|jd|j r|jdt |dr|j|jd|j|jd|jr|jd |jr|j|j|rbt|jd jt|j j"d j%|d j%|y) aValidates that all fields in the GcpUserAccessBinding are recognized. Note:Because ScopedAccessSettings is the only field supported in the GcpUserAccessBinding, a custom validation is required. Args: gcp_user_access_binding: The GcpUserAccessBinding to validate Raises: InvalidFormatError: if the GcpUserAccessBinding contains unrecognized fields rr`raNgroupKeyrSrrrKz@"{}" contains unrecognized fields: [{}]. Valid fields are: [{}].r)rr`addrar:rShasattrrrrKall_unrecognized_fieldsupdaterrrWtyper$rr!)rr$ valid_fieldsunrecognized_fields empty_lists r(r&zZGcpUserAccessBindingStructureValidator._ValidateAllFieldsRecognizedForGcpUserAccessBindingsY++L%J++z9n-11Z?23''3j)##f%'5 # - - 9k*..:/0;;<=668  ! 9 9 ;  )) L 64//099ii+,ii %  r*c L|jrt|}|jDcgc]}|j}}t |j dj |jdj|jdj|ycc}w)zValidates that all fields in the message are recognized. Args: message: object to validate Raises: InvalidFormatError: if the message contains unrecognized fields z?"{}" contains unrecognized fields: [{}]. Valid fields are: [{}]rN) r=r? all_fieldsrSrrrWrr!)rmessage message_typefr@s r(r*zCGcpUserAccessBindingStructureValidator._ValidateAllFieldsRecognizeds&&(']l&2&=&=&?@&?aff&?l@  )) K 6##ii779:ii %  )@sB!N)rrrrrrr'r+r0r3rr,r&r*rqr*r(rrs;O;L: G : E 0dr*rr)/r __future__rrrrapitools.base.pyr+googlecloudsdk.api_lib.accesscontextmanagerrgooglecloudsdk.callioperr/googlecloudsdk.command_lib.accesscontextmanagerr googlecloudsdk.corecore_exceptionsr r googlecloudsdk.core.utilr r r)r/r>rErCrGrhrrrrrErrorrrrrrrr rParseFileErrorrr!rrqr*r(rRsC&' %<EB=*)1* , > ,L , `(,(V