D(>dZddlmZddlmZddlmZddlZddlmZddlm Z ddl m Z dd l m Z d d d d Z d ddd ZdZdZdZe j$e j&j(e j*Gdde j,Ze j$e j&j0e j*Gdde j,Ze j$e j&j4Gdde j,Zy)zCommand to query activities.)absolute_import)division)unicode_literalsN) list_pager)policy_analyzer) arg_parsers)basez,Query activities on cloud resource. z Query activities with certain types of specific container resource. For --activity-type, supported values are: - serviceAccountLastAuthentication - serviceAccountKeyLastAuthentication aU To query serviceAccountKeyLastAuthentication activities of a project, run: $ {command} --activity-type=serviceAccountKeyLastAuthentication --project=project-id To query serviceAccountLastAuthentication activities of a project with no limit, run: $ {command} --activity-type=serviceAccountLastAuthentication --project=project-id --limit=unlimited To query serviceAccountLastAuthentication with filtering on certain service account, run: $ {command} --activity-type=serviceAccountLastAuthentication --project=project-id --query-filter='activities.full_resource_name="//iam.googleapis.com/projects/project-id/serviceAccounts/service-account-name@project-id.iam.gserviceaccount.com"' To query serviceAccountLastAuthentication with filtering on multiple service accounts, run: $ {command} --activity-type=serviceAccountLastAuthentication --project=project-id --query-filter='activities.full_resource_name="//iam.googleapis.com/projects/project-id/serviceAccounts/service-account-name-1@project-id.iam.gserviceaccount.com" OR activities.full_resource_name="//iam.googleapis.com/projects/project-id/serviceAccounts/service-account-name-2@project-id.iam.gserviceaccount.com" OR activities.full_resource_name="//iam.googleapis.com/projects/project-id/serviceAccounts/service-account-name-3@project-id.iam.gserviceaccount.com"' )brief DESCRIPTIONEXAMPLESz Query activities with certain types of specific container resource. For --activity-type, supported values are: - serviceAccountLastAuthentication - serviceAccountKeyLastAuthentication - dailyAuthorization a To query serviceAccountKeyLastAuthentication activities of a project, run: $ {command} --activity-type=serviceAccountKeyLastAuthentication --project=project-id To query serviceAccountLastAuthentication activities of a project with no limit, run: $ {command} --activity-type=serviceAccountLastAuthentication --project=project-id --limit=unlimited To query serviceAccountLastAuthentication with filtering on certain service account, run: $ {command} --activity-type=serviceAccountLastAuthentication --project=project-id --query-filter='activities.full_resource_name="//iam.googleapis.com/projects/project-id/serviceAccounts/service-account-name@project-id.iam.gserviceaccount.com"' To query serviceAccountLastAuthentication with filtering on multiple service accounts, run: $ {command} --activity-type=serviceAccountLastAuthentication --project=project-id --query-filter='activities.full_resource_name="//iam.googleapis.com/projects/project-id/serviceAccounts/service-account-name-1@project-id.iam.gserviceaccount.com" OR activities.full_resource_name="//iam.googleapis.com/projects/project-id/serviceAccounts/service-account-name-2@project-id.iam.gserviceaccount.com" OR activities.full_resource_name="//iam.googleapis.com/projects/project-id/serviceAccounts/service-account-name-3@project-id.iam.gserviceaccount.com"' To query dailyAuthorization activities of a project, run: $ {command} --activity-type=dailyAuthorization --project=project-id To query dailyAuthorization of a project with filtering on certain resource, permission, principal and date, run: $ {command} --activity-type=dailyAuthorization --project=project-id --query-filter='activities.activity.full_resource_name="" AND activities.activity.permission="" AND activities.activity.principal="" AND activities.activity.date=""' c|jddtddgd|jdjdtd |jd td d |jdtjdt j ddd|jdtjddddy)"Parses arguments for the commands.--activity-typeT serviceAccountLastAuthentication#serviceAccountKeyLastAuthenticationType of the activities. requiredtypechoiceshelpr --project8The project ID or number to query the activities. rr--query-filteraFilter on activities, separated by "OR" if multiple filters are specified. At most 10 filter restrictions are supported in the query-filter. e.g. --query-filter='activities.full_resource_name="//iam.googleapis.com/projects/project-id/serviceAccounts/service-account-name-1@project-id.iam.gserviceaccount.com" OR activities.full_resource_name="//iam.googleapis.com/projects/project-id/serviceAccounts/service-account-name-2@project-id.iam.gserviceaccount.com"'rdefaultr--limit unlimited`Max number of query result. Default to be 1000 and max to be unlimited, i.e., --limit=unlimited. --page-sizeKMax page size for each http response. Default to be 500 and max to be 1000.N add_argumentstradd_mutually_exclusive_groupr BoundedIntsysmaxsizeparsers 1lib/surface/policy_intelligence/query_activity.py_Argsr3cs  , /    %%t%4AA  B    [     ! !!S[[D A m     ! !!T * X c|jddtgdd|jdjdtd |jd td d |jdtjdt j ddd |jdtjdddd y)rrT)rrdailyAuthorizationrrrrrrrraFilter on activities. For last authentication activities, this field is separated by "OR" if multiple filters are specified. At most 10 filter restrictions are supported in the query-filter. e.g. --query-filter='activities.full_resource_name="//iam.googleapis.com/projects/project-id/serviceAccounts/service-account-name-1@project-id.iam.gserviceaccount.com" OR activities.full_resource_name="//iam.googleapis.com/projects/project-id/serviceAccounts/service-account-name-2@project-id.iam.gserviceaccount.com"' For daily authorization activities, this field is separated by "OR" and "AND". At most 10 filter restrictions per layer and at most 2 layers are supported in the query-filter. e.g. --query-filter='activities.activity.date="2022-01-01" AND activities.activity.permission="spanner.databases.list" AND (activities.activity.principal="principal_1@your-organization.com" OR activities.activity.principal="principal_2@your-organization.com")'rr r!r"r$r%r&r'r(Nr)r0s r2 _ArgsAlphar7s     %%t%4AA  B    Q     ! !!S[[D A m     ! !!T * X r4c 8tj\}}dj|j|j}|j ||j }|j|}tj||d|jd|jdS)Nz/projects/{0}/locations/global/activityTypes/{1})parentfilterQuery activitiespageSize)method batch_sizefieldlimitbatch_size_attribute) rGetClientAndMessagesformatproject activity_typeBPolicyanalyzerProjectsLocationsActivityTypesActivitiesQueryRequest query_filter/ProjectsLocationsActivityTypesActivitiesServicer YieldFromList page_sizerA)argspolicy_analyzer_clientmessagesquery_activity_parentquery_activity_requestpolicy_analyzer_services r2_RunrRs%4%I%I%K"(KRR llD&&(#ff "4+<+<g>2bb  ! !   JJ% ''r4c*eZdZdZeZedZdZy)QueryActivityAlpha#Query activities on cloud resource.ct|yrN)r7r0s r2ArgszQueryActivityAlpha.Argss vr4ct|SNrRselfrLs r2RunzQueryActivityAlpha.Run :r4N) __name__ __module__ __qualname____doc___DETAILED_HELP_ALPHA detailed_help staticmethodrXr^r4r2rTrTs#,&-r4rTc*eZdZdZeZedZdZy)QueryActivityBetarUct|yrWr3r0s r2rXzQueryActivityBeta.Args  &Mr4ct|SrZr[r\s r2r^zQueryActivityBeta.Runr_r4N r`rarbrc_DETAILED_HELPrerfrXr^rgr4r2riris#, -r4ric*eZdZdZeZedZdZy)QueryActivityGArUct|yrWrkr0s r2rXzQueryActivityGA.Argsrlr4ct|SrZr[r\s r2r^zQueryActivityGA.Runr_r4Nrnrgr4r2rqrqs!+ -r4rq)rc __future__rrrr.apitools.base.pyr*googlecloudsdk.api_lib.policy_intelligencergooglecloudsdk.callioperr rordr3r7rR ReleaseTracks ReleaseTrackALPHAHiddenCommandrTBETAriGArqrgr4r2rs"#&' 'F/(   @   %P"J&R'$D%%++,   - D%%**+   , D%%(() dll * r4