T|dZddlmZddlmZddlmZddlZddlmZddl m Z ddl m Z dd l m Z d Zd Zd Zd Zy)zUtilities necessary to augment images statuses with org policy. AugmentImagesStatus function in this module call OrgPolicy and augment images status if the policy requires it. )absolute_import)division)unicode_literalsN) exceptions) org_policies)log) resourcesc#XKtjt|}g}t||}|M|D]G}|ddk7r|t ||j |dj ||r|?d|d<|In |D]}||xsgD]}tj|yw)aSets images status to 'BLOCKED_BY_POLICY' as specified by OrgPolicy. Get OrgPolicy for the project and set images status to BLOCKED_BY_POLICY if the policy exists and blocks the image. If no policy exists, all images are allowed. NOTE: This function sends requests to OrgPolicy API. Args: resource_registry: resources.Registry, Resource registry project_id: str, Project in which image will be used images: Iterable[Dict], The images (in dict form) to set the status on Yields: Images (in dict form) with status set to BLOCKED_BY_POLICY as specified by OrgPolicy. Raises: exceptions.GetPolicyError if OrgPolicy call failed or returned malformed data. NstatusREADYselfLinkBLOCKED_BY_POLICY) copydeepcopylist_GetPolicyNoThrow _IsAllowedParseprojectrinfo)resource_registry project_idimageserrors_collectedpolicyimageerrors 7lib/googlecloudsdk/command_lib/compute/images/policy.pyAugmentImagesStatusr!s4 ==f && Z)9 :&  xG # ''--eJ.?@HH. 0 -h  k %2%eHHUO&sB(B*c tj}|j||jtjd}tj }|j j|}|jS)z*Get effective org policy of given project.zcompute.trustedImageProjects) constraint) projectsIdgetEffectiveOrgPolicyRequest) rOrgPoliciesMessages8CloudresourcemanagerProjectsGetEffectiveOrgPolicyRequestGetEffectiveOrgPolicyRequestFormatConstraintOrgPoliciesClientprojectsGetEffectiveOrgPolicy listPolicy)rmessagesrequestclientresponses r _GetPolicyr0_s  - - /(  M M#+#H#H!22,.$I$/ N 0'  ) ) +& __ 2 27 ;(   c| t|S#tj$r}|j|Yd}~yd}~wwxYw)z7Call GetPolicy and handle possible errors from backend.N)r0apitools_exceptions HttpErrorappend)rerrors_to_propagatees rrros; j !!  & &q!  s ;6;c|j|jjury|j|jjuryd}|jsd} |jD]}|j |d |j |dj|jvrd} d} |jD]}|j |d |j |dj|jvrd} |xr| S#tj$r}|j|d}Yd}~d}~wwxYw#tj$r}d}|j|Yd}~ed}~wwxYw)z,Decides if project is allowed within policy.TFzcompute.projects) collectionN) allValuesAllValuesValueValuesEnumALLOWDENY allowedValuesParseRelativeNamer RelativeNamer InvalidResourceExceptionr5 deniedValues)rrrr6 is_allowedproject_recordr7 is_denieds rrr|sw 88>>>  6::??? *   J  ..)).:LM/ %  ''3|~9M9M Nj)  --)).:LM. %  ''3|~9L9L Mi  %I %1  + +q!J   + +"Iq!!"s0#D /#D= D:D55D:=E-E((E-)__doc__ __future__rrrrapitools.base.pyrr3'googlecloudsdk.api_lib.resource_managerrgooglecloudsdk.corerr rr0rrr1rrLs9 '' >@#);|  )&r1