dZddlmZddlmZddlmZddlmZddlm Z ddl m Z ddl mZd gZd gZd gZd ZddZdZy )z$Helpers for testing IAM permissions.)absolute_import)division)unicode_literals)iam) projects_api)base) exceptionsz cloudkms.cryptoKeys.setIamPolicyz'privateca.certificateAuthorities.createzprivateca.certificates.createcdt|t|z }|rtj||y)zDRaises an exception if the expected permissions are not all present.)resourcemissing_permissionsN)setr InsufficientPermissionException)actual_permissionsexpected_permissionsr diffs /lib/googlecloudsdk/command_lib/privateca/iam.py_CheckAllPermissionsr(s: ! "S);%< <$  4 4t 55 Ncttj|tjtd|r4tt j |tjtdyy)a-Ensures that the current user has the required permissions to create a CA. Args: project_ref: The project where the new CA will be created. kms_key_ref: optional, The KMS key that will be used by the CA. Raises: InsufficientPermissionException: If the user is missing permissions. projectzKMS keyN)rrTestIamPermissions!_CA_CREATE_PERMISSIONS_ON_PROJECT permissionskms_iamTestCryptoKeyIamPermissions_CA_CREATE_PERMISSIONS_ON_KEY) project_ref kms_key_refs r*CheckCreateCertificateAuthorityPermissionsr1sZ%% 8::E+'4++ 6 88C %y2rc.tjd}tjd}|jj |j |j |jt}t|jtdy)zEnsures that the current user can issue a certificate from the given Pool. Args: issuing_ca_pool_ref: The CA pool that will create the certificate. Raises: InsufficientPermissionException: If the user is missing permissions. v1) api_version)r)r testIamPermissionsRequestz issuing CAN) privateca_baseGetClientInstanceGetMessagesModuleprojects_locations_caPoolsr:PrivatecaProjectsLocationsCaPoolsTestIamPermissionsRequest RelativeNameTestIamPermissionsRequest*_CERTIFICATE_CREATE_PERMISSIONS_ON_CA_POOLrr)issuing_ca_pool_refclientmessages test_responses r!CheckCreateCertificatePermissionsr0Fs  + + =&  - -$ ?(33FFII&335$,$F$FD%G%FJGH- }00A<Qr)N)__doc__ __future__rrrgooglecloudsdk.api_lib.cloudkmsrr+googlecloudsdk.api_lib.cloudresourcemanagerr googlecloudsdk.api_lib.privatecarr$$googlecloudsdk.command_lib.privatecar rrr+rrr0rrr8sU+&':DC;'! .%! /N-N*52*Qr