=dZddlmZddlmZddlmZddlZddlZddlmZ ddl Z ddl m Z ddl mZddlmZdd lmZdd lmZdd lmZdd lmZdd lmZddlmZddlmZddl m!Z"ddl#m$Z$ddl%m&Z&e jdddddZ'dZ(dZ)dZ*e(e)e*fZ+dZ,dZ-e je*e*e)e(dZ.de*fde)fde(fgZ/d Z0d!Z1d"Z2d#Z3d$Z4d1d%Z5d&Z6d'Z7ejpd( d2d)Z9d*Z:d+Z; d3d,Zd/Z?d0Z@y)5zFUtility for interacting with `artifacts docker upgrade` command group.)absolute_import)division)unicode_literalsN) exceptions)ResourceExhausted) client_util) organizations) projects_api)folders) storage_api) storage_util)apis)requests)util)log) console_attrzus.zasia.zeu.)zgcr.ioz us.gcr.ioz asia.gcr.ioz eu.gcr.ioz roles/artifactregistry.repoAdminzroles/artifactregistry.writerzroles/artifactregistry.reader)zstorage.objects.getzstorage.objects.listzstorage.objects.createzstorage.objects.delete)/artifactregistry.repositories.downloadArtifacts-artifactregistry.repositories.uploadArtifacts-artifactregistry.repositories.deleteArtifactsrrrz:Too many IAM policies. Analysis cannot be fully completed.c||jdd}t|dk(rdj|d|dS|dzS)N:z{0}.{1}.a.appspot.comrz .appspot.com)splitlenformat)projectchunkss 8lib/googlecloudsdk/command_lib/artifacts/upgrade_util.py bucket_suffixr!XsD ==a &[A " ) )&)VAY ?? > !!cNt|}t|}dj||S)Nz)//storage.googleapis.com/{0}artifacts.{1})_DOMAIN_TO_BUCKET_PREFIXr!rdomainrprefixsuffixs r bucket_resource_namer)`s) #F +&  !& 4 ; ;FF KKr"c:t|}t|}d|d|S)Nzgs://z artifacts.)r$r!r%s r bucket_urlr+gs) #F +&  !&  6( ++r"c$dj|S)Nz2//cloudresourcemanager.googleapis.com/projects/{0})r)rs r project_resource_namer-ms = D DW MMr"c>t||dd|\}}t|S)aUGenerates an AR-equivalent IAM policy for a GCR registry. Args: domain: The domain of the GCR registry. project: The project of the GCR registry. use_analyze: If true, use AnalyzeIamPolicy to generate the policy Returns: An iam.Policy. Raises: Exception: A problem was encountered while generating the policy. F) skip_bucketfrom_ar_permissions use_analyze)iam_mappolicy_from_map)r&rr1m_s r iam_policyr6rs.     $!Q  r"ctjt}|jD]*}||jj |j ,|S)zConverts an iam.Policy object to a map of roles to sets of users. Args: policy: An iam.Policy object Returns: A map of roles to sets of users ) collections defaultdictsetbindingsroleupdatemembers)policyrole_to_membersbindings r map_from_policyrBsC ++C0/gGLL!((9! r"c tj}t}|jD]9\}}|j |j |t t|;t|d}|j|S)zConverts a map of roles to sets of users to an iam.Policy object. Args: role_to_members: A map of roles to sets of users Returns: An iam.Policy. )r<r>c|jSN)r<)bs r z!policy_from_map..sAFFr")key)r;) artifacts GetMessageslistitemsappendBindingtuplesortedPolicy)r@messagesr;r<r>s r r3r3s~ " " $( V(&,,.mdG OO&/*  /H"2 3( ( ++r")maxsizecd}g}|r,|r t|}n t||}t||||\}}nR|rt|t|\}}n:|rt|t |\}}n"t ||} t|t | |\}}|d|fStjt} |rP|tdd} tD]4\} } | j|| } | D]}| | j|6| |fS|jD]"\}} t|} | | j| $t}tjt}t D]a} | | } | Dchc]}|j#dr|} }| j%|| s=|j| || j| c||fScc}w)a3Generates an AR-equivalent IAM mapping for a GCR registry. Args: domain: The domain of the GCR registry. project: The project of the GCR registry. skip_bucket: If true, get iam policy for project instead of bucket. This can be useful when the bucket doesn't exist. from_ar_permissions: If true, use AR permissions to generate roles that would not need to be added to AR since user already has equivalent access for docker commands best_effort: If true, lower the scope when encountering auth errors use_analyze: If true, use AnalyzeIamPolicy to generate the policy Returns: (map, failures) where map is a map of roles to sets of users and failures is a list of scopes that failed Raises: Exception: A problem was encountered while generating the policy. N) best_effortrzdeleted:)r-r)get_permissions_using_analyzeget_permissions_with_ancestors_AR_PERMISSIONS _PERMISSIONSr+r8r9r:_AR_PERMISSIONS_TO_ROLES intersectionaddrL_PERMISSION_TO_ROLEr= _AR_ROLES startswithdifference_update)r&rr/r0rUr1perm_to_membersfailuresresource gcs_bucketr@r> needed_permr<memberpermupgraded_members final_mapr4s r r2r2s:/ (&w/h%fg6h =. !OX"@ ? #ox $B \{% ! 0 $B \:;% ! >++C0/6q9!<=G5 T$$_[%ABg&!!&)6 H $$',,.mdG t $DD  )/ U%%c*)dd#G"B'Qj)Aq'GB ./ G$ dO7# H  Cs F<7F<ctj|}g}d}tt|jD]7\}}t |} |rt t|| }nt t|| }n|jr|jjstd|jj D} dj#| } |st%j&| d| } t)j*} t,j.j1| j3ddd | t5j6t8}|jj:D]}|jst%j&t<|j>j@|st%j&d t9}|j>jBD]}tE|r|jG|!|jHD]3}|jJD]"}|jL}||jO|$5||fS#tj$r;|j| |s|t|jdz k(rd|fcYcSYRwxYw) z?Returns a map of permissions to members using AnalyzeIamPolicy. project_idNrc34K|]}|jywrE)cause).0errs r z0get_permissions_using_analyze..*sO'N#))'Ns zVEncountered errors when analyzing IAM policy. This may result in incomplete bindings: zWarning:red z)Conditional IAM binding is not supported.)(crm GetAncestry enumeratereversedancestorresource_from_ancestoranalyze_iam_policyrXrYapitools_exceptionsHttpForbiddenErrorrMr fullyExplored mainAnalysisrKnonCriticalErrorsjoin ar_exceptionsArtifactRegistryErrorrGetConsoleAttrrstatusPrintColorizer8r9r:analysisResults_ANALYSIS_NOT_FULLY_EXPLORED iamBinding conditionr>is_conveniencer\accessControlListsaccesses permissionr=)rrcr0rUancestryrbanalysisnumryscopeerrors error_msg warning_msgconraresultr>rfaclaccessrgs r rVrVsL__ 0( ( ( (*;*;!<=mc8 "8 ,E  %oxG%lHeD >$   x'<'<'J'J Ox'<'<'N'NO OF &!I   / / :: !!*  -  % % 'CJJ Z67q FG++C0/%%55f     / /0L MM "".{  / / 5 eG##++   kk& , ((LL&  $$W-!)#6, ( ""[  1 1ooe  H%%&* *X~ + s %H>>AJ  J cp|jdxs$|jdxs|jdS)Nz projectOwner:zprojectEditor:zprojectViewer:)r_)ss r rrOs7ll?#( & '( & 'r"cPt|||\}}t|||\}}|||zfSrE)recursive_get_rolesget_permissions)rl permissionsrdrUrolesrbperms perm_failuress r rWrWWs9( KL/%(e[I% =( ((r"ctj|}tjt}|rwt j jtjj|jD]*}||jj|j,g}t|j D](}g} |j"j$dk(r3tjt'j(|j}n|j"j$dk(r4t+j|j"j,j}nZ|j"j$dk(rAt/j0j|j"j,j}|D]*}||jj|j,+||fS#t2j4$rg|j7|j"j$dz|j"j,z|s|j"j$dk(rd|fcYcSYwxYw)z]Returns a map of roles to members for the given project + ancestors (and bucket if provided).rkrfolder organizationzs/N)rurvr8r9r:r StorageClient GetIamPolicyr BucketReferenceFromUrlr;r<r=r>rxry resourceIdtype projects_util ParseProjectr idr Clientr|r}rM) rlrUrdrr@rArbrcr;s r rr_s __ 3(++C0/!!# l22:::F G    gll#**7??;   (8,,-hH    ! !Y .##  & &z 2 (     # #x /''(;(;(>(>?HH    # #~ 5  " / /0C0C0F0F G P P ' %,,W__=.* ( ""  1 1ooh))..58K8K8N8NNO     ! !Y .X~ / sD"G00A2I*)I*c0g}tjt}tjdd}|j D]\}}|Dcgc]}t |r|}}|j|} ttjddjj| j} |D]} | | vs|| j|||fScc}w#tj$r} |j||s| Yd} ~ d} ~ wwxYw)aReturns a map of permissions to members for the given roles. Args: permissions: The permissions to look for. All other permissions are ignored. role_map: A map of roles to members. best_effort: If true, warn instead of failing on auth errors. Returns: (map, failures) where map is a map of permissions to members and failures is a list of roles that failed iamv1)nameN)r8r9r:rGetMessagesModulerLrIamRolesGetRequestGetClientInstancerGetincludedPermissionsr|r}rMr=) rrole_maprUrbpermission_map iam_messagesr<r>r4requestrole_permissionseps r rrs (**3/.''t4,~~'mdG!;'Q):q'G;--4-8G    - 5W    q  )!(&  !!%<  1 1ood  s% CC6AC##D6DDcltj}|j}tj} |j |j |||S#t j$r*}|jdk(rtjdd}~wt$rtjdwxYw)a0Calls AnalyzeIamPolicy for the given resource. Args: permissions: for the access selector resource: for the resource selector scope: for the scope Returns: An CloudassetAnalyzeIamPolicyResponse. Raises: ResourceExhausted: If the request fails due to analyzeIamPolicy quota. )(analysisQuery_accessSelector_permissions/analysisQuery_resourceSelector_fullResourceNamerizzInsufficient quota for AnalyzeIamPolicy. Use --no-use-analyze-iam to generate IAM policies without using AnalyzeIamPolicy.N) asset GetClientrrJAnalyzeIamPolicy!CloudassetAnalyzeIamPolicyRequestr| HttpError status_coderrr)rrcrclientservicerRrs r r{r{s ?? & II'    (  # #225@rshM&'>8H=EK;67,FE#40:00 21 ) )'7 +  ,j++"#%) -7@4g>4kBA "L, N 4  ,0T"  W#Wt=#@;?)"#J""J$N9r"