\dZddlmZddlmZddlmZddlmZddlmZddlm Z ddl m Z dd l m Z dd l m Z dd l mZdd lmZdd lmZddlmZe j(e j*e j,e j.j0Gdde j2Zy)zEvaluate policy command.)absolute_import)division)unicode_literals)apis)platform_policy)base)flags)parsing)sigstore_image)util)log)yaml)Errorc&eZdZdZedZdZy)EvaluateAndSignaEvaluate a Binary Authorization platform policy and sign the results, if conformant. ## EXAMPLES To evaluate and sign a policy using its resource name: $ {command} projects/my-proj/platforms/gke/policies/my-policy --resource=$KUBERNETES_RESOURCE To evaluate the same policy using flags against multiple images: $ {command} my-policy --platform=gke --project=my-proj --image=$IMAGE1 --image=$IMAGE2 To return a modified resource with attestations added as an annotation on the input resource, without uploading attestations to the registry: $ {command} projects/my-proj/platforms/gke/policies/my-policy --resource=$KUBERNETES_RESOURCE --output-file=$MODIFIED_RESOURCE --no-upload To upload attestations using Docker credentials located in a custom directory: $ {command} projects/my-proj/platforms/gke/policies/my-policy --image=$IMAGE --use-docker-creds --docker-config-dir=$CUSTOM_DIR ctj|dtj|tj|tj|tj |y)Nzto evaluate and sign)r AddPlatformPolicyResourceArgAddEvaluationUnitArgAddNoUploadArgAddOutputFileArgAddDockerCredsArgs)parsers :lib/surface/container/binauthz/policy/evaluate_and_sign.pyArgszEvaluateAndSign.Args?sK &&v/EF v&   6" V$c|jjjj}|j dd}|dk7rt dj ||jr!|jstj d|jr!|jrtj d|jr!|jstj d|jr tj|j}ntj|j }t#j$dj'||d }|j(t+j,dj.j0j2k7r d |_|S|js|j6D]{}t9j:|}t=j>d j |t9j@|t9jB||j|j }|jrtjD||j6}tjF|jtjHjJk(rtMjN|}t=jP|j|d d d |S)N/gkezVFound unsupported platform '{}'. Currently only 'gke' platform policies are supported.z0Cannot specify --output-file without --resource.z3Cannot specify --use-docker-creds with --no-upload.z>Cannot specify --docker-config-dir without --use-docker-creds.v1TzUploading attestation for {}) image_url attestationuse_docker_credsdocker_config_dirF) overwritebinaryprivate))CONCEPTSpolicy_resource_nameParse RelativeNamesplitrformat output_fileresourcer r$ no_uploadr%r LoadResourceFileGeneratePodSpecFromImagesimagerClientEvaluateverdictrGetMessagesModuleEvaluateGkePolicyResponseVerdictValueValuesEnum CONFORMANT exit_code attestationsr AttestationToImageUrlr PrintUploadAttestationToRegistryStandardOrUrlsafeBase64DecodeAddInlineAttestationsToResourceGetResourceFileTypeResourceFileTypeYAMLrdumpWriteToFileOrStdout) selfargs policy_ref platform_id resource_objresponser#r"modified_resources rRunzEvaluateAndSign.RunGsV3399;HHJJ""3'*Ke  $$*F;$7    JJI JJ  JJL MM d&;&; JJ J  }}--dmm>!..+"88E  077 BC22&DD"22"44  / >> --  % %dmm 4  % % * * +!II&78       OrN)__name__ __module__ __qualname____doc__ staticmethodrrOrrrr!s!4%%GrrN)rS __future__rrr)googlecloudsdk.api_lib.container.binauthzrrgooglecloudsdk.callioper-googlecloudsdk.command_lib.container.binauthzr r r r googlecloudsdk.corer rgooglecloudsdk.core.exceptionsrHiddenDefaultUniverseOnly ReleaseTracks ReleaseTrackALPHACommandrrUrrrbs&':E(?AH>#$0D%%++,jdllj- jr