'dZddlmZddlmZddlmZddlmZddlmZddl m Z ddl m Z d Z d Zd Zd Zd ZdZdZdZdZdZddgZgdZddgZddgZdgZGddej8Zy)z0Troubleshoot user permission for ssh connection.)absolute_import)division)unicode_literals)apis)ssh_troubleshooter)ssh)logcomputeiamcloudresourcemanageriapv1v3z!You need the IAM permissions {0} aThe VM has an attached service account. You need the permission iam.serviceAccounts.actAs on the project or service account. Alternatively, this permission is included in the roles/iam.serviceAccountUser role. Help for service account permission: https://cloud.google.com/iam/docs/service-accounts-actas Help for service account role: https://cloud.google.com/iam/docs/service-accounts zYou need the Compute OS Admin Login role (roles/compute.osAdminLogin) or the Compute OS Login role (roles/compute.osLogin). Help for roles: https://cloud.google.com/compute/docs/access/iam#predefinedroles zYou need permission to SSH to a private IP address: iap.tunnelInstances.accessViaIAP. Help for IAP permissions: https://cloud.google.com/iap/docs/managing-access zcompute.instances.getzcompute.instances.use)zresourcemanager.projects.getzcompute.projects.getzcompute.zoneOperations.getzcompute.globalOperations.getziam.serviceAccounts.actAsziam.serviceAccounts.getzcompute.instances.osAdminLoginzcompute.instances.osLoginz iap.tunnelInstances.accessViaIAPcXeZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d Zd Zy)UserPermissionTroubleshootera\Check user permission. Perform IAM authorization checks for the following IAM resources: instance, project, service account, IAP, and OS Login if applicable. Attributes: project: The project object. instance: The instance object. zone: str, the zone name. iap_tunnel_args: SshTunnelArgs or None if IAP Tunnel is disabled. c||_||_||_||_t j t t|_t jt t|_ t j tt|_ t jtt|_ t j tt|_t jtt|_t j t$t|_t jt$t|_d|_i|_y)NF)projectzoneinstanceiap_tunnel_argsrGetClientInstance_API_COMPUTE_CLIENT_NAME_API_CLIENT_VERSION_V1compute_clientGetMessagesModulecompute_message_API_IAM_CLIENT_NAME iam_client iam_message _API_RESOURCEMANAGER_CLIENT_NAME_API_CLIENT_VERSION_V3resourcemanager_client_v3resourcemanager_message_v3_API_IAP_CLIENT_NAME iap_client iap_messageenable_osloginissues)selfrrrrs Hlib/googlecloudsdk/command_lib/compute/user_permission_troubleshooter.py__init__z%UserPermissionTroubleshooter.__init__UsDLDIDM*D001I1GID112J2HJD,,-A-CEDO--.B.DFD%)%;%;(*@&BD"&*&<&<(*@'BD#,,-A-CEDO--.B.DFDDDKc.|j|_y)z)Validate if the user has enabled oslogin.N)_IsOsLoginEnabledr'r)s r*check_prerequisitez/UserPermissionTroubleshooter.check_prerequisitems002Dr,cy)Nr/s r*cleanup_resourcesz.UserPermissionTroubleshooter.cleanup_resourcesqs r,ctjjd|jr$|j r>t |j d<n*tjdtjdt|jj|j}|r1tjdj!||j d<|j"j$r#|j'rt(|j d<|j*r#|j-rt.|j d<tjjd jt1|j j3|j j5D]!}tjj|#y) Nz#---- Checking user permissions ----osloginzcompute.instances.setMetadataz*compute.projects.setCommonInstanceMetadata instance_projectserviceaccountr z&User permissions: {0} issue(s) found. )r statusPrintr'_CheckOsLoginPermissionsOS_LOGIN_MESSAGEr(instance_permissionsappendproject_permissionssorted_CheckInstancePermissionsunion_CheckProjectPermissionsINSTANCE_PROJECT_MESSAGEformatjoinrserviceAccounts_CheckServiceAccountPermissionsSERVICE_ACCOUNT_MESSAGEr_CheckIapPermissions IAP_MESSAGElenkeysvalues)r)missing_instance_projectmessages r* troubleshootz)UserPermissionTroubleshooter.troubleshootts`JJ:;   & & (!1 I!!"AB  !MN &d&D&D&F&L&L %%'') *(@(G(G ((+ ,).dkk$% }}$$)M)M)O&=dkk"#  9 9 ;&dkk%JJ>EE DKK   !";;%%' jjw(r,c|jjt}dj|jj |j |jj }|jj||}|jjj|}ttt|jz S)z^Check if user miss any IAP Permissions. Returns: set, missing IAM permissions.  permissionsz,projects/{}/iap_tunnel/zones/{}/instances/{}resourcetestIamPermissionsRequest)r&TestIamPermissionsRequestiap_permissionsrErnamerrIapTestIamPermissionsRequestr%rTestIamPermissionssetrT)r) iam_requestrVrequestresponses r*rJz1UserPermissionTroubleshooter._CheckIapPermissionss ""<<#=%K=DD 499dmm&8&8:H;;[<BG!!44W=H  #h&:&:"; ;;r,c|jjt}|jjdj |j j |jjdj|}|jjj|}ttt|jz S)zoCheck whether user has service account IAM permissions. Returns: set, missing IAM permissions. rSz3projects/{project}/serviceAccounts/{serviceaccount}r)rr8rU)rrXserviceaccount_permissions3IamProjectsServiceAccountsTestIamPermissionsRequestrErrZrrGemailrprojects_serviceAccountsr\r]rT)r)r^r_r`s r*rHz*>&? ??r,cv|jt}ttt|jz S)zrCheck whether user has IAM permission on instance resource. Returns: set, missing IAM permissions. )rgr=r]rTris r*rAz6UserPermissionTroubleshooter._CheckInstancePermissionss1 ../CDH # $s8+?+?'@ @@r,c&|jj|}|jj|jj|j j||j }|jjj|S)zCall TestIamPermissions to check whether user has certain IAM permissions. Args: permissions: list, the permissions to check for the instance resource. Returns: TestPermissionsResponse, the API response from TestIamPermissions. rS)rrVtestPermissionsRequestr) rTestPermissionsRequest)ComputeInstancesTestIamPermissionsRequestrrZrrr instancesr\r)rTr^r_s r*rgz7UserPermissionTroubleshooter._ComputeTestIamPermissionss&&==>!K""LL !!##* YY MG    ( ( ; ;G DDr,cv|jt}ttt|jz S)zqCheck whether user has IAM permission on project resource. Returns: set, missing IAM permissions. )"_ResourceManagerTestIamPermissionsr?r]rTris r*rCz5UserPermissionTroubleshooter._CheckProjectPermissionss1 667JKH " #c(*>*>&? ??r,c|jj|}|jjdj|jj |}|j jj|S)zCheck whether user has IAM permission on resource manager. Args: permissions: list, the permissions to check for the project resource. Returns: set, missing IAM permissions. rSzprojects/{project})rrU) r#rX5CloudresourcemanagerProjectsTestIamPermissionsRequestrErrZr"projectsr\rps r*rrz?UserPermissionTroubleshooter._ResourceManagerTestIamPermissionss|11KKL!K--cc%,,T\\5F5F,G"-d/G  ) ) 2 2 E Eg NNr,ctj|j|jtj}t |S)zuCheck whether OS Login is enabled on the VM. Returns: boolean, indicates whether OS Login is enabled. )rFeatureEnabledInMetadatarrOSLOGIN_ENABLE_METADATA_KEYbool)r)oslogin_enableds r*r.z.UserPermissionTroubleshooter._IsOsLoginEnableds7 22 t||S%D%DFO   r,N)__name__ __module__ __qualname____doc__r+r0r3rQrJrHr;rArgrCrrr.r2r,r*rrHsJ 03   D <G$@AE$@O !r,rN)r~ __future__rrrgooglecloudsdk.api_lib.utilr"googlecloudsdk.command_lib.computer#googlecloudsdk.command_lib.util.sshrgooglecloudsdk.corer rrr r$rr!rDrIr<rKr=r?rbrhrYSshTroubleshooterrr2r,r*rs7&',A3#$#9 ?;I : 01HI  %66u!#5#G#Gu!r,