vdZddlmZddlmZddlmZddlmZddlmZddd d Z d d d d Z dZ dZ ejejjejGddej Zejejj$ejGddej Zejejj(Gddej Zy)zCommand to query activities.)absolute_import)division)unicode_literals)policy_troubleshooter)basez%Troubleshoot the IAM Policy. z Performs a check on whether a principal is granted a permission on a resource and how that access is determined according to the resource's effective IAM policy interpretation. am To troubleshoot a permission of a principal on a resource, run: $ {command} //cloudresourcemanager.googleapis.com/projects/project-id --principal-email=my-iam-account@somedomain.com --permission=resourcemanager.projects.get See https://cloud.google.com/iam/help/allow-policies/overview for more information about IAM policies. )brief DESCRIPTIONEXAMPLESz2Troubleshoot IAM allow and deny policies. z Uses a resource's effective IAM allow policy and IAM deny policy to check whether a principal has a specific permission on the resource. aI The following command checks whether the principal ``my-user@example.com'' has the permission ``resourcemanager.projects.get'' on the project ``my-project'': $ {command} //cloudresourcemanager.googleapis.com/projects/my-project --principal-email=my-user@example.com --permission=resourcemanager.projects.get The following command checks whether the principal ``my-user@example.com'' has the ``compute.images.get'' permission on the project ``my-project''. The command also provides additional context that lets Troubleshooter evaluate conditional role bindings: $ {command} //cloudresourcemanager.googleapis.com/projects/my-project --principal-email=my-user@example.com --permission=compute.images.get --resource-name=//compute.googleapis.com/projects/my-project/zones/images/my-image' --resource-service='compute.googleapis.com' --resource-type='compute.googleapis.com/Image' --destination-ip='192.2.2.2'--destination-port=8080 --request-time='2023-01-01T00:00:00Z' c|jddtd|jdddtd |jd dd td |jd dtd|jddtd|jddtd|jddtd|jddtd|jddtdy)"Parses arguments for the commands.resourceRESOURCEzFull resource name that access is checked against. For a list of full resource name formats, see: https://cloud.google.com/iam/docs/resource-names. )metavartypehelpz--principal-emailTEMAILz{Email address that identifies the principal to check. Only Google Accounts and service accounts are supported. )requiredrrrz --permission PERMISSIONa[IAM permission to check. The permssion can be in the `v1` or `v2` format. For example, `resourcemanager.projects.get` or `cloudresourcemanager.googleapis.com/projects.get`. For a list of permissions, see https://cloud.google.com/iam/docs/permissions-reference and https://cloud.google.com/iam/docs/deny-permissions-support z--resource-serviceFzThe resource service value to use when checking conditional bindings. For accepted values, see: https://cloud.google.com/iam/docs/conditions-resource-attributes#resource-service )rrrz--resource-typezThe resource type value to use when checking conditional bindings. For accepted values, see: https://cloud.google.com/iam/docs/conditions-resource-attributes#resource-type z--resource-namezThe resource name value to use when checking conditional bindings. For accepted values, see: https://cloud.google.com/iam/docs/conditions-resource-attributes#resource-name. z--request-timezThe request timestamp to use when checking conditional bindings. This string must adhere to UTC format (RFC 3339). For example,2021-01-01T00:00:00Z. For more information, see: https://tools.ietf.org/html/rfc3339 z--destination-ipznThe request destination IP address to use when checking conditional bindings. For example, `198.1.1.1`. z--destination-portzaThe request destination port to use when checking conditional bindings. For example, 8080. N) add_argumentstrintparsers :lib/surface/policy_intelligence/troubleshoot_policy/iam.py_ArgsrLsA                           c|j|j|j}|j|j}|j |j |j|j}|j|||}|j||j|j|j}|j|S)Troubleshoot the IAM Policies.)destination_ipdestination_port) request_time) resource_nameresource_service resource_type) destinationrequestr )condition_contextfull_resource_nameprincipal_email permission)GetPolicyTroubleshooterPeerrr GetPolicyTroubleshooterRequestr!GetPolicyTroubleshooterResourcer"r#r$'GetPolicyTroubleshooterConditionContext"GetPolicyTroubleshooterAccessTupler r)r*TroubleshootIAMPolicies)policy_troubleshooter_apiargsdestination_contextrequest_contextresource_contextr' access_tuples r_Runr7s1MM((,,N.LL$$M//NN&&,,&&O  GG)!#H+MM)** N, # : :< HHrc*eZdZdZeZedZdZy)TroubleshootAlpharct|yr Nrrs rArgszTroubleshootAlpha.Args  &Mrc\ttj|j|SNr7rPolicyTroubleshooterApi ReleaseTrackselfr2s rRunzTroubleshootAlpha.Run( 55d6G6G6IJD rN __name__ __module__ __qualname____doc___DETAILED_HELP detailed_help staticmethodr=rFrrr9r9s#' -rr9c*eZdZdZeZedZdZy)TroubleshootBeta)Troubleshoot IAM allow and deny policies.ct|yr;r<rs rr=zTroubleshootBeta.Argsr>rc\ttj|j|Sr@rArDs rrFzTroubleshootBeta.RunrGrNrHrPrrrRrRs#2 -rrRc*eZdZdZeZedZdZy) TroubleshootrSct|yr;r<rs rr=zTroubleshoot.Argsr>rc\ttj|j|Sr@rArDs rrFzTroubleshoot.RunrGrNrHrPrrrWrWs!1 -rrWN)rL __future__rrr*googlecloudsdk.api_lib.policy_intelligencergooglecloudsdk.callioperrMrr7 ReleaseTracksrCALPHAHiddenCommandr9BETArRGArWrPrrrcs#&'L(   *   @L^I<D%%++,   -  D%%**+ t||  ,  D%%(() 4<< * r