jdZddlmZddlmZddlmZddlmZddlmZddlZddl Z ddl Z ddl m Z dd l mZdd lmZddlmcmZdd lmZdd lmZdd lmZddlmZddlmZddlmZddlmZddl m!Z!ddl"m#Z#ddl$m%Z%ddl$m&Z&ddl$m'Z(ddl$m)Z)ddl$m*Z*ddl$m+Z+ddl,m-Z-ddl.m/Z/m0Z0e/e0dddddl1m2Z2ejfjhZ5dZ6d e6zZ7d!Z8d"Z9d#Z:d$Z;d%ZGd(d)ej~Z@ed*ed+Gd,d-ejZBed*ed+Gd.d/e@ZCed*ed+Gd0d1e@ZDGd2d3ejZFy)5z&Integration tests for the iam command.)absolute_import)print_function)division)unicode_literals) defaultdictN)iam)CommandException)PopulateProjectId) SkipForS3) SkipForXML)GenerationFromURI)SetBotoConfigForTest)SetEnvironmentForTest)unittest)storage_v1_messages) shim_util)UTF8)BindingsMessageToUpdateDict)BindingsDictToUpdateDict)BindingStringToTuple) DiffBindings)IsEqualBindings) PatchBindings)Retry)add_move MovedModulemockz unittest.mock)rlegacyBucketReaderzroles/storage.%sz roles/storage.legacyObjectReaderzroles/storage.objectViewerz#Description for our test condition.z.resource.type == "google.cloud.storage.Object"zTest Condition Titlec*|dgn||d}|r||d<|gS)aTGenerate the "bindings" portion of an IAM Policy dictionary. Generates list of dicts which each represent a storage_v1_messages.Policy.BindingsValueListEntry object. The list will contain a single dict which has attributes corresponding to arguments passed to this method. Args: role: (str) An IAM policy role (e.g. "roles/storage.objectViewer"). Fully specified in BindingsValueListEntry. members: (List[str]) A list of members (e.g. ["user:foo@bar.com"]). If None, bind to ["allUsers"]. Fully specified in BindingsValueListEntry. condition: (Dict) A dictionary representing the JSON used to define a binding condition, containing the keys "description", "expression", and "title". Returns: (List[Dict[str, Any]]) A Python representation of the "bindings" portion of an IAM Policy. allUsersmembersrole condition)r#r"r$bindings 'platform/gsutil/gslib/tests/test_iam.py gen_bindingr(Ds0,")*g '$GK c|jdgDcgc]}|jdd|k7s|}}|j|t|}||d<|Scc}w)aReturns a patched Python object representation of a Policy. Given replaces the original role:members binding in policy with new_policy. Args: policy: Python dict representation of a Policy instance. role: An IAM policy role (e.g. "roles/storage.objectViewer"). Fully specified in BindingsValueListEntry. new_policy: A Python dict representation of a Policy instance, with a single BindingsValueListEntry entry. Returns: A Python dict representation of the patched IAM Policy object. bindingsr#)getextenddict)policyr# new_policybr+s r' patch_bindingr3bsi J++AquuVR/@D/Ha+  //* <&& - s AAceZdZdZdZy)TestIamIntegrationz*Superclass for iam integration test cases.c&tj|dDcgc]}t|d|d}}tj|dDcgc]}t|d|d}}|jt ||ycc}wcc}w)z1Asserts two serialized policy bindings are equal.r+r"r#r!N)jsonloadsbvle assertTruer)selfar2 binding_dictexpectedresults r'assertEqualsPoliciesStringz-TestIamIntegration.assertEqualsPoliciesString}s!JJqM*55L \),<3GH5  !JJqM*55L \),<3GH5  OOOHf56s B BN)__name__ __module__ __qualname____doc__r@r%r)r'r5r5zs 2 7r)r5zTests use GS IAM model.z!XML IAM control is not supported.ceZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d Zd ZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZ dZ!y )!TestIamHelpersz"Unit tests for iam command helper.c|jtgttttdtdgi}|jtt ddgg|yzATests that Policy.bindings lists are converted to dicts properly.xyr#r"N) assertEqualrrsetr9r;r>s r'test_convert_bindings_simplez+TestIamHelpers.test_convert_bindings_simplesY04k#6FG3c3%j 12H#TsSE%B$CDhPr)cttdtddgi}tddgtddgg}tdddgtddgg}|jt |||jt ||yz>Test that role and member duplication are converted correctly.rIrJzrKN)rrMr9rLrr;r>duplicate_rolesduplicate_memberss r' test_convert_bindings_duplicatesz/TestIamHelpers.test_convert_bindings_duplicatess3c3*o 67H #u% #u%O #Sz* #u% 0A8L01BCXNr)c|jtgttttdtdgi}|jtddgdg|yrH)rLrrrMrNs r'!test_convert_bindings_dict_simplez0TestIamHelpers.test_convert_bindings_dict_simplesa-b1;s3CD3c3%j 12H u# "   r)cttdtddgi}ddgdddgdg}dddgdddgdg}|jt|||jt||yrQ)rrMrLrrSs r'%test_convert_bindings_dict_duplicatesz4TestIamHelpers.test_convert_bindings_dict_duplicatess3c3*o 67H55O:5 -o>I-.?@(Kr)ctddgg}|jtgg|jt||y)z)Tests an easy case of identical bindings.rIrJrKNr9r:r)r;r+s r'test_equality_bindings_literalz-TestIamHelpers.test_equality_bindings_literals9#u-.HOOOB+,OOOHh78r)ctdddgg}|dz}tddgtddgg}|jt|||jt||y)z7Tests bindings equality when duplicate roles are added.rIrJrKNr\)r;r+ bindings2 bindings3s r'"test_equality_bindings_extra_rolesz1TestIamHelpers.test_equality_bindings_extra_rolesse#Sz23H1 I #u% #u%I OOOHi89OOOHi89r)ctddgg}tg|\}}|j|j||j|jgy)z4Tests simple grant behavior of Policy.bindings diff.rIrJrKNr9rrLr+r;r>grantedremoveds r'test_diff_bindings_add_rolez*TestIamHelpers.test_diff_bindings_add_rolesP#u-.H%b(3WgW%%x0W%%r*r)ctddgg}t|g\}}|j|jg|j|j|y)z5Tests simple remove behavior of Policy.bindings diff.rIrJrKNrdres r'test_diff_bindings_drop_rolez+TestIamHelpers.test_diff_bindings_drop_rolesP#u-.H%h3WgW%%r*W%%x0r)ctddgg}tddgg}t||\}}|j|j||j|j|y)z,Tests expected behavior of switching a role.rIrJrKr<r2Nrdr;oldnewrfrgs r'test_diff_bindings_swap_rolez+TestIamHelpers.test_diff_bindings_swap_rolea S3% ( )C S3% ( )C%c3/WgW%%s+W%%s+r)ctddgg}tdddgg}tddgg}t||\}}|j|j||j|jgy)z5Tests expected behavior of adding a member to a role.rIrJrKrRNrdr;rmrnr>rfrgs r'test_diff_bindings_add_memberz,TestIamHelpers.test_diff_bindings_add_memberst S3% ( )C S3* - .C#u-.H%c3/WgW%%x0W%%r*r)ctdddgg}tddgg}tddgg}t||\}}|j|jg|j|j|y)z9Tests expected behavior of dropping a member from a role.rIrRrJrKNrdrrs r'test_diff_bindings_drop_memberz-TestIamHelpers.test_diff_bindings_drop_memberst S3* - .C S3% ( )C#u-.H%c3/WgW%%r*W%%x0r)ctddgg}tddgg}t||\}}|j|j||j|j|y)z8Tests expected behavior of switching a member in a role.rIrRrKrJNrdrls r'test_diff_bindings_swap_memberz-TestIamHelpers.test_diff_bindings_swap_memberrpr)ctddgtddgtddgg}t|}tddgg}t|}t||z}t||d}|j||y) zTests patching a grant binding.r<user:foo@bar.comrKr2cdTNr9rrrL)r; base_listbase diff_listdiffr>ress r'test_patch_bindings_grantz(TestIamHelpers.test_patch_bindings_grants # 234 # 234 # 234I 'y 1D # 234I 'y 1D*9y+@AH dD )CS(#r)c ttdgdtdgdtdgdg}ttdgdg}ttdgdtdgdg}t||d}|j||y)z Tests patching a remove binding.ryr<r!r2rzFNrr9rrLr;r~rr>rs r'test_patch_bindings_removez)TestIamHelpers.test_patch_bindings_removes & ()4 ()4 ()4( D ' ()4( D+ ()4 ()4,H dE *CS(#r)cxttdgdtdgdtdgdg}ttdgdg}t||d}|j|ittdgdtdgdtdgdg}t||d}|j|iy) z'Tests removing all roles from a member.ryr<r!r2rzr,FNr)r;r~rrs r'test_patch_bindings_remove_allz-TestIamHelpers.test_patch_bindings_remove_all%s & ()4 ()4 ()4( D ' ()3( D dE *CS" & ()4 ()4 ()4( D dE *CS"r)c<ttdgdg}ttdgdtddgdtdgdg}ttdgdtdgdtdgdg}t||d}|j||y) z2Tests expected behavior when multiple users exist.zuser:fii@bar.comr2r!ryr<rzFNr)r;r>r~rrs r'"test_patch_bindings_multiple_usersz1TestIamHelpers.test_patch_bindings_multiple_users;s* ()4,H ' ()4 (*<=CH ()4( D ' ()4 ()4 ()4( D dE *CS(#r)c<ttddgtddgtddgg}ttddgg}ttdddgtddgtddgg}t||d}|j||y) zTests a public member grant.r<ryrKr2rzr TNrrs r'#test_patch_bindings_grant_all_usersz2TestIamHelpers.test_patch_bindings_grant_all_usersMs & # 234 # 234 # 234( D ' # |,( D+ # ,>?@ # 234 # 234,H dD )CS(#r)ctddgg}t|}tddgg}t|}t||d}|j|t||zy)z2Tests public member vs. public member interaction.r<r rKallAuthenticatedUsersTNr|)r;r}r~rrrs r'+test_patch_bindings_public_member_overwritez:TestIamHelpers.test_patch_bindings_public_member_overwrite`sm # |,I 'y 1D # 789I 'y 1D dD )CS5i)6KLMr)ctdd\}}|jt|d|jdgdd|y)z-Tests parsing single role (case insensitive).Tzallusers:adminr roles/storage.adminr!NbsttrLlenassertInr;_r+s r'$test_valid_public_member_single_rolez3TestIamHelpers.test_valid_public_member_single_rolensE/0MQS]A&MM<%r)c|jt5tddddd|jt5tddddd|jt5tddddd|jt5tdddddy#1swYxYw#1swYjxYw#1swYLxYw#1swYyxYw)zDTests that an error is raised when no role is specified for a grant.Tr Nryzuser:foo@bar.com:z"deleted:user:foo@bar.com?uid=1234: assertRaisesr rr;s r'test_grant_no_role_errorz'TestIamHelpers.test_grant_no_role_errorws  + , 4 -  + , 4#$ -  + , 4$% -  + , 456 - , - , , , , , , ,s/ B* B6* C C*B36B?C Cctdd\}}|jt|d|jdgdd||j||ftddtdd\}}|jt|dy) z;Tests parsing a -d allUsers or -d user:foo@bar.com request.Fr rr,r!z allUsers:ryNr)r;is_grantr+rs r'test_remove_all_rolesz$TestIamHelpers.test_remove_all_roless z2XxS]A&MMzlB7Bh)4{+CD 23MQS]A&r)ctdd\}}|jt|d|jdgdd||jdgdd||jdgdd||jdgd d|y ) z2Tests parsing of multiple roles bound to one user.TzallUsers:a,b,c,roles/customr roles/storage.ar!zroles/storage.bzroles/storage.cz roles/customNrrs r'test_valid_multiple_rolesz(TestIamHelpers.test_valid_multiple_roless<=MQS]A&MM<! MM<! MM<! MMzlNCXNr)ctdd\}}|jt|d|jdgdd||jdgdd|y) z0Tests parsing of custom roles bound to one user.Tz,user:foo@bar.com:roles/custom1,roles/custom2r_ryz roles/custom1r!z roles/custom2Nrrs r'test_valid_custom_rolesz&TestIamHelpers.test_valid_custom_rolessgMNMQS]A&MM&' MM&'r)ctdd\}}|jt|d|jdgdd|y)z(Tests member parsing (case insensitive).TzUser:foo@bar.com:adminrryrr!Nrrs r'test_valid_memberz TestIamHelpers.test_valid_membersF78MQS]A&MM*+)   r)ctdd\}}|jt|d|jdgdd|tdd\}}|jt|d|jdgd d|tdd \}}|jt|d |jd gd d||jd gd d|y)z0Tests deleted member parsing (case insensitive).Fz Deleted:User:foo@bar.com?uid=123rz deleted:user:foo@bar.com?uid=123r,r!Tz&deleted:User:foo@bar.com?uid=123:adminrzAdeleted:user:foo@bar.com?query=param,uid=123?uid=456:admin,admin2r_z4deleted:user:foo@bar.com?query=param,uid=123?uid=456zroles/storage.admin2Nrrs r'test_valid_deleted_memberz(TestIamHelpers.test_valid_deleted_members BCMQS]A&MM67GHMQS]A&MM:;)     KMMQ S]A&MMNO)     MMNO*   r)ctdd\}}|jt|d|jdgdd|y)z'Tests that duplicate roles are ignored.Tz allUsers:a,arr rr!Nrrs r'test_duplicate_rolesz#TestIamHelpers.test_duplicate_rolessD~.MQS]A&MM<!r)ctdd\}}|jt|d|jdgdd|tdd\}}|jt|d|jdgdd|y) z4Tests that project convenience roles can be removed.FprojectViewer:123424:adminrzprojectViewer:123424rr!r,Nrrs r'(test_removing_project_convenience_groupsz7TestIamHelpers.test_removing_project_convenience_groupss <=MQS]A&MM./)     67MQS]A&MM56CXNr)cp|jt5tdddddy#1swYyxYw)z5Tests that project convenience roles cannot be added.TrNrrs r'&test_adding_project_convenience_groupsz5TestIamHelpers.test_adding_project_convenience_groupss(  + , 4-. - , ,s ,5c|jt5tddddd|jt5tddddd|jt5tddddd|jt5tddddd|jt5tddddd|jt5tdddddy#1swYxYw#1swYxYw#1swYxYw#1swYxYw#1swYdxYw#1swYyxYw) zTests invalid input handling.Tznon_valid_public_member:roleNznon_valid_type:id:rolezuser:rz deleted:userzdeleted:not_a_typezdeleted:user:foo@no_uid_suffixrrs r'test_invalid_inputz!TestIamHelpers.test_invalid_inputs  + , 4/0 -  + , 4)* -  + , 4 -  + , 4  -  + , 4%& -  + , 412 - , - , , , , , , , , , , ,sG C> D * D D"> D.( D:>D DD"D+.D7:EcH|jt5tddddd|jt5tddddd|jt5tdddddy#1swY^xYw#1swY@xYw#1swYyxYw)z+Tests invalid input due to too many colons.TzallUsers:some_id:some_roleNzuser:foo@bar.com:r:nonsensez,deleted:user:foo@bar.com?uid=1234:r:nonsenserrs r'test_invalid_n_argsz"TestIamHelpers.test_invalid_n_argssy  + , 4-. -  + , 4./ -  + , 4?@ - , - , , , , ,s# B B * BB  BB!N)"rArBrCrDrOrVrXrZr]rbrhrjrorsrurwrrrrrrrrrrrrrrrrrrr%r)r'rFrFs+P OL(9 :+1,+1,$ $$,$$$& N 7 'O$ > O/ 3Ar)rFceZdZdZfdZdZdZdZdZdZ dZ d Z d Z d Z d Zd ZdZdZdZdZdZdZdZdZdZdZdZdZdZxZS) TestIamChz%Integration tests for iam ch command.c<tt| |j|_|j|_|j |jd|_|j |jd|_|jdd|jjgd|_ |jdd|jjgd|_ |jdd|jjgd|_ d|_d |_y) Nfoo bucket_uricontentsbarrr-T return_stdoutryzuser:bar@foo.com)superrsetUp CreateBucketbucketbucket2 CreateObjectobjectobject2 RunGsUtiluribucket_iam_stringobject_iam_stringobject2_iam_stringuseruser2r; __class__s r'rzTestIamCh.setUps )T "##%DK$$&DL##t{{V#LDK$$ f$MDL!^^UE4;;??,K:>,@D!^^UE4;;??,K:>,@D"nneUDLL-@@**DJJ JJt-- .0D ,7H78 9 :5;._Check19sy~~ tT !DII - d22 2DKKOO -1./ 1f  ! ! '0 /8r)cjddjjgd}jddjjgd}j j |j j |y)Nrr-Tr)rrrrr@r)rrr;s r'_Check2z9TestIamCh.test_patch_multithreaded_error.._Check2Hs..% )H7;)=>>5%9I9I*J8<*> %%d&<&<>OP %%d&<&<&8:r)NrAssertionErrorr;r,r.s` r'test_patch_multithreaded_errorz(TestIamCh.test_patch_multithreaded_error6sI >3 94 9 >3:4: I Ir)cjddgddddgtdgi}|jtj|dd|jtj|dt|j tj|dt|j tj|ddy)Nr+r rr!ryzserviceAccount:bar@foo.com)rrr7r r)r; test_policys r'test_assert_haszTestIamCh.test_assert_hasVs"|) +,HI(  K NN4::k*J8MNNN4::k*,>')TZZ ,j:NOTZZ ,.@*,r)ctj|}td|jdgD}||vr |||dvryt d|d|d|)axAsserts a member has permission for role. Given an IAM policy, check if the specified member is bound to the specified role. Does not check group inheritence -- that is, if checking against the [{'member': ['allUsers'], 'role': X}] policy, this function will still raise an exception when testing for any member other than 'allUsers' against role X. This function does not invoke the TestIamPolicy endpoints to smartly check IAM policy resolution. This function is simply to assert the expected IAM policy is returned, not whether or not the IAM policy is being invoked as expected. Args: policy: Policy object as formatted by IamCommand._GetIam() member: A member string (e.g. 'user:foo@bar.com'). role: A fully specified role (e.g. 'roles/storage.admin') Raises: AssertionError if member is not bound to role. c3*K|] }|d|f yw)r#Nr%).0ps r' z&TestIamCh.assertHas..sG,FqQvYN,Fsr+r"NMember 'z' does not have permission ' ' in policy )r7r8r/r-r0)r;r0memberr#r+s r'rzTestIamCh.assertHashsb.ZZ FGFJJz2,FGGH x 8D>), , (.f> ??r)cp |j|||td|d|d|#t$rYywxYw)z9Functions as logical compliment of TestIamCh.assertHas().r;z' has permission 'r<N)rr0)r;r0r=r#s r'rzTestIamCh.assertHasNosJA nnVVT* *0$@ AA    s ) 55)rArBrCrDrrrrrrrrrrrrrrrrrrrr"r%r2r5rr __classcell__rs@r'rr s.$".  ., G G I OJ"G I G GJ +J* H HP,H,@,$?>Ar)rceZdZdZfdZdZdZdZdZdZ dZ e jd d Z e jd d Zd Zd ZdZdZdZdZdZdZdZdZdZdZdZdZxZS) TestIamSetz&Integration tests for iam set command.ctt| tt|_tt |_ttdtzgtttd|_ |j|_|j!|_|j%dd|jj&gd|_|j+|j(j-t.|_t3t5j6|j(t|j |_|j+t5j:|j8j-t.|_t5j6|j(|_|j>d jA|jd |j+t5j:|j>|_!|jEd |_#|j%dd|jFj&gd|_$|j+|jHj-t.|_%t3t5j6|jHt |j|_&|j+t5j:|jLj-t.|_'y) Nr )title description expression)r"r$rr-Trr r+rfoobar)(rrBrr(rpublic_bucket_read_bindingrpublic_object_read_bindingIAM_OBJECT_VIEWER_ROLEr TEST_CONDITION_TITLETEST_CONDITION_DESCRIPTION&TEST_CONDITION_EXPR_RESOURCE_IS_OBJECT-project_viewer_objectviewer_with_cond_bindingrrCreateVersionedBucketversioned_bucketrrrr rrold_bucket_iam_pathr3r7r8new_bucket_iam_policyr new_bucket_iam_path(new_bucket_policy_with_conditions_policyappend&new_bucket_policy_with_conditions_pathrrrold_object_iam_pathnew_object_iam_policynew_object_iam_pathrs r'rzTestIamSet.setUps~ *d!#&12F&GD#&12F&GD#9D$&7&99:)5@ : D6##%DK 668D"^^UE4;;??,K:>,@D#22''..t4 3 6D "/ 4))*,@ ''")D $22D667>>tD 3 FD 59JJ 5 D111*=DD ::1=?262E2EDIIJ3F3LD/##X#6DK!^^UE4;;??,K:>,@D#22''..t4 3 6D "/ 4))*,@ ''")D $22D667>>tD 3 FDr)c|j|jd}tddg5|jddd|j|j gd }|j d |d d d y #1swYy xYw) zEEnsures that the seek-ahead iterator is being used with iam commands.foobarr)GSUtiltask_estimation_threshold1)r\task_estimation_forceTruerrrMT)rz,Estimated work for this command: objects: 1 N)rrrrrYrr)r; gsutil_objectrs r'test_seek_ahead_iamzTestIamSet.test_seek_ahead_iams%%/8&:M KJL M~~ t779J9J Kf mmCVL  M M Ms ?A33A<c|jdd|j|jj|jjgdd}|j d|y)zCTests that failure is thrown when buckets and objects are provided.rrMTrrr N)rrYrrrrrs r'#test_set_mix_of_buckets_and_objectsz.TestIamSet.test_set_mix_of_buckets_and_objectssV^^ ud.. +/,- /F  MM$f-r)cl|jdd|jdgdd}|jd|y) z9Tests that failure is thrown when a file url is provided.rrMrTrrrN)rrYrrs r'test_set_file_urlzTestIamSet.test_set_file_urls? ^^ t//1BCF MM"F+r)cttddfd}ttddfd}||y)z5Ensures invalid content returns error on input check.r'rr(cjd}jdd|jjgdd}jrdnd }j ||y) NsbadIamr rrMTrrzFound invalid JSON/YAMLArgumentException)r rrrrr)inpathr error_messager;s r'r,z7TestIamSet.test_set_invalid_iam_bucket.._Check1sh""I"6f~~ueVT[[__E,0./1f2218K mmM6*r)cjdddjjgdd}jrdnd}j ||y) NrrMznonexistent/pathTrrzNo such file or directoryri)rrrrrrrkr;s r'r.z7TestIamSet.test_set_invalid_iam_bucket.._Check2sY~~ %+T[[__ =f 2238K mmM6*r)Nr/r1s` r'test_set_invalid_iam_bucketz&TestIamSet.test_set_invalid_iam_bucketsI >3+4+ >3+4+ I Ir)cZjddjgdd}jrdnd}j||jdddjzgdd}jrd nd }j||t t d d fd }|y)z3Ensures that invalid bucket names returns an error.rr-Trrrr r not foundrr'r(cvjgddd}jrdnd}j||y)N)rr-zgs://*Trrz"must match a single cloud resourcer )rrrrms r'_Checkz2TestIamSet.test_get_invalid_bucket.._Check%sG~~6,0./1f22<8J mmM6*r)N)rrrrrr0)r;rrkrrs` r'test_get_invalid_bucketz"TestIamSet.test_get_invalid_buckets ^^UE4+G+GH*.,-/F00&6HMM-( ^^ y4#?#??@F 00!6OMM-(  >3+4+ Hr)c"|jdddd|j|jjg|jdd|jjgd}|jdddd|j|jjg|jdd|jjgd}|j |j ||j|jdtj|d y ) z&Tests setting a valid IAM on a bucket.rrM-er,r-Trrr+N) rrSrrrQr@rrrHr7r8r;set_iam_stringreset_iam_strings r'test_set_valid_iam_bucketz$TestIamSet.test_set_valid_iam_bucket2sNN tR!9!94;;??KM^^UE4;;??$C26$8NNN tR!9!94;;??KM~~ueT[[__&E48&: ##D$:$:"6*D,D,D  ~~ueT[[__&E48&: ##D$:$:"6*D,D,D  ^^UE4;;??$C26$8NNN ud >"6*D,D,D  ~~ueT[[__&E48&: ##D$:$:"6*D,D,D  ^^ ud >"6*D,D,D  +/,- /F00A6MMM-(r)cJ|j|jd}|j|jd}|j|j|jdt|}|j|j|jdt|}||||fS)zCreates two versioned objects and return references to all versions. Returns: A four-tuple (a, b, a*, b*) of storage_uri.BucketStorageUri instances. rrrsnew_foo)r object_namergs_idempotent_generationsnew_bar)rrPrurigen)r;old_gsutil_objectold_gsutil_object2ragsutil_object2s r'_create_multiple_objectsz#TestIamSet._create_multiple_objectss))T5J5J39*;**d6K6K4:+<%%((%11!'(9!: &$Nnn )>>?%O ##NOD##D$:$:NKr)c|j\}}}}|jdddd|j|jjg|jdd|jgd}|jdd|jgd}|j |||j |jdtj|d |jdd|jgd}|jdd|jgd}|j |||j |j|y ) rrrrMrr-Trrr+Nrrs r'1test_set_valid_iam_multithreaded_multiple_objectsz$Nnn )>>?%O ##NOD##D$:$:NKr)cl|j\}}}}|jddd|j|jjg|jdd|j gd}|jdd|j gd}|jdd|j gd}|jdd|j gd}|j |||j |||j |||j|jdtj|dy ) z4Tests set IAM policy on all versions of all objects.rrMz-rar-Trrr+N) rrrYrPrrr@rrIr7r8) r;rrrarrwrset_iam_string_oldset_iam_string_old2s r'0test_set_valid_iam_multiple_objects_all_versionsz;TestIamSet.test_set_valid_iam_multiple_objects_all_versions sL446*MNN ueT55t7L7L7P7P^^ }99:$$PNnn ~::;4%QO (==>(.. )>>?) ##NOD##N4FG##N4GHMM$11!4**^,Z8:r)c 8|j}|j}|jdddd|j|jd|jz|jgdd}|j rd nd }|j |||jdd |jgd }|jdd |jgd }|j |jd tj|d|j|j|y)aTests fail-fast behavior of iam set. We initialize two buckets (bucket, bucket2) and attempt to set both along with a third, non-existent bucket in between, self.nonexistent_bucket_name. We want to ensure 1.) Bucket "bucket" IAM policy has been set appropriately, 2.) Bucket self.nonexistent_bucket_name has caused an error, and 3.) gsutil has exited and "bucket2"'s IAM policy is unaltered. rrMrur,rTrrrprr-rrr+N) rrrSrrrrrHr7r8r@rr;rrrrkrwrs r'test_set_errorzTestIamSet.test_set_error$s   F!G ^^ udB 8 8&**D000'+++/,- /F00!6OMM-(^^UE6::$>26$8NnneUGKK%@37%9O MM$11!4**^,Z8: ##D$:$:OLr)c "|j}|j}|jddd|j|jd|jz|jgdd}|j rdnd }|j |||jdd |jgd }|jdd |jgd }|j |jd tj|d |j||y)aQTests ignoring failure behavior of iam set. Similar to TestIamSet.test_set_error, except here we want to ensure 1.) Bucket "bucket" IAM policy has been set appropriately, 2.) Bucket self.nonexistent_bucket_name has caused an error, BUT 3.) gsutil has continued and "bucket2"'s IAM policy has been set as well. rrMr$rTrrrpr r-rrr+N) rrrSrrrrrHr7r8r@rs r'test_set_force_errorzTestIamSet.test_set_force_errorJs   F!G ^^ udD44fjjD000'+++/,- /F00!6HMM-(^^UE6::$>26$8NnneUGKK%@37%9O MM$11!4**^,Z8: ##NODr)cttddfd}ttddfd}||y)aTests fail-fast behavior of multithreaded iam set. This is testing gsutil iam set with the -m and -r flags present in invocation. N.B.: Currently, (-m, -r) behaves identically to (-m, -fr) and (-fr,). However, (-m, -fr) and (-fr,) behavior is not as expected due to name_expansion.NameExpansionIterator.next raising problematic e.g. 404 or 403 errors. More details on this issue can be found in comments in commands.iam.IamCommand._SetIam. Thus, the following command gsutil -m iam set -fr gs://bad_bucket gs://good_bucket will NOT set policies on objects in gs://good_bucket due to an error when iterating over gs://bad_bucket. r'rr(c jddddjdjzjjgdd}j rd nd }j ||y) NrrrMrrTrrrpr)rrYrrrrrrms r'r,z8TestIamSet.test_set_multithreaded_error.._Check1so~~ udD$<$< d22 2DKKOO-1./ 1f '+&>&>{0 mmM6*r)cVjjd}jjd}jdd|jgd}jdd|jgd}j ||j j |y)Nr[rrr-Tr)rrrrr@r)rarrwrr;s r'r.z8TestIamSet.test_set_multithreaded_error.._Check2s''4;;1:(3 +4 + >3 N4 N I Ir)c|j|jd}|j}|jdd|j|g|jdd|gd}|jdddt j |d |j|g|jdd|gd}|j|j||j|jd t j |d y ) z'Tests setting a valid IAM on an object.r[rrrMr-Trrurrr+N) rrrrrYr7r8rWr@rrrIr;ra lookup_urirwrxs r',test_set_valid_iam_single_unversioned_objectz7TestIamSet.test_set_valid_iam_single_unversioned_objects%%/8&:M""JNNE5$":":JGH^^UE:$>26$8NNN ud >"6*D,D,Dj~~ueZ&@48&: ##D$:$:26$8NNN ud >"6*D,D,Dj~~ueZ&@48&: ##D$:$:26$8NNN ueT2t'?'?LN~~ueZ&@48&: ##D$:$:26$8NNN ueT2t'?'?LN~~ueZ&@48&: ##D$:$:B+DYY/88@A  128&22:>3@AK M  K K   K K#B#A)BB#B B##B,c ^tddg5tddd5|jdddgd }d j|jd }|j d j tjd|ddddddy#1swYxYw#1swYyxYw)Nrrr`rrrr-z gs://bucketTrrrzSGcloud Storage Command: {} storage buckets get-iam-policy --format=json gs://bucketrrs r'#test_shim_translates_iam_get_bucketz/TestIamShim.test_shim_translates_iam_get_buckets GHJ K 6<)"  ??55-2H>B+DYY/88@A  *+1622:>,@AK M  K K   K Krc ^tddg5tddd5|jdgdd }d j|jd }|j d j tjd|ddddddy#1swYxYw#1swYyxYw) Nrrr`rrr)rM policy-file gs://b/o1 gs://b/o2TrrrzgGcloud Storage Command: {} storage objects set-iam-policy --format=json gs://b/o1 gs://b/o2 policy-filerrs r'#test_shim_translates_iam_set_objectz/TestIamShim.test_shim_translates_iam_set_objects GHJ K 6<)"  ?? C#+%YY/88@A  >?Ev22:>@@AK M  K K   K Krc ^tddg5tddd5|jdgdd }d j|jd }|j d j tjd|ddddddy#1swYxYw#1swYyxYw) Nrrr`rrr)rMrgs://b1gs://b2TrrrzcGcloud Storage Command: {} storage buckets set-iam-policy --format=json gs://b1 gs://b2 policy-filerrs r'#test_shim_translates_iam_set_bucketz/TestIamShim.test_shim_translates_iam_set_bucket's GHJ K 6<)"  ?? ?#+%YY/88@A  :;A622:><@AK M  K K   K Krc ^tddg5tddd5|jdgdd }d j|jd }|j d j tjd|ddddddy#1swYxYw#1swYyxYw) Nrrr`rrr)rMrrrz gs://b2/oTrrrzqGcloud Storage Command: {} storage objects set-iam-policy --format=json --recursive gs://b1 gs://b2/o policy-filerrs r'Ctest_shim_translates_iam_set_mix_of_bucket_and_objects_if_recursivezOTestIamShim.test_shim_translates_iam_set_mix_of_bucket_and_objects_if_recursive8s GHJ K 6<)"  ?? G#+%YY/88@A  HIO22:>J@AK M  K K   K Krc tddg5tddd5|jtd5|j dgddddddddddy#1swYxYw#1swYxYw#1swYyxYw) Nrrr`rrz/Cannot operate on a mix of buckets and objects.r)rMrgs://bgs://b/o)rrassertRaisesRegexr rrs r'6test_shim_raises_for_iam_set_mix_of_bucket_and_objectszBTestIamShim.test_shim_raises_for_iam_set_mix_of_bucket_and_objectsIs GHJ K 6<)"  # #  =? //%!M N?   K K ??    K Ks9A:A.A" A.A:"A+ 'A..A7 3A::Bc ^tddg5tddd5|jdgdd }d j|jd }|j d j tjd|ddddddy#1swYxYw#1swYyxYw) Nrrr`rrr)rMruzabc=rrTrrrzfGcloud Storage Command: {} storage buckets set-iam-policy --format=json --etag abc= gs://b policy-filerrs r'/test_shim_translates_iam_set_handles_valid_etagz;TestIamShim.test_shim_translates_iam_set_handles_valid_etagVs GHJ K 6<)"  ?? A#+%YY/88@A  =>Df22:>?@AK M  K K   K Krc ^tddg5tddd5|jdgdd }d j|jd }|j d j tjd|ddddddy#1swYxYw#1swYyxYw) Nrrr`rrr)rMrur,rrTrrrzbGcloud Storage Command: {} storage buckets set-iam-policy --format=json --etag= gs://b policy-filerrs r'/test_shim_translates_iam_set_handles_empty_etagz;TestIamShim.test_shim_translates_iam_set_handles_empty_etaggs GHJ K 6<)"  ?? =#+%YY/88@A  9:@&22:>;@AK M  K K   K Krctddg5tddd5|jdgdd }d j|jd }|j d |ddddddy#1swYxYw#1swYyxYw) Nrrr`rrr)rrr rTrrwarningz|The shim maps iam ch commands to several gcloud storage commands, which cannot be determined without running gcloud storage.)rrrrrr)r;r warning_liness r',test_shim_warns_with_dry_run_mode_for_iam_chz8TestIamShim.test_shim_warns_with_dry_run_mode_for_iam_chxs GHJ K 6<)"  ??5+M>B+D "2";";I"FG   J    K K   K Ks#BAA5$B5A> :BB NTc8tj||||||S)N)envinputrrtext)rcall)r;commandrstdinrrrs r' _get_run_callzTestIamShim._get_run_calls& 99W ""   r)cdddgddddgdddgdgi}dddgddddgdgi}td g5tjgd tj| }tjgd }|j ||g|j _td dd5|jdgdddd|j|j j|j|jtjddddddg|jtjddddddgtj|dgdddy#1swYxYw#1swYyxYw)Nr+zpreserved-roler rKroles/storage.modified-roleuser:deleted-user@example.comzroles/storage.deleted-rolerrrrrrr`rrr)r#allAuthenticatedUsers:modified-rolerrrzallUsers:deleted-rolerstoragebucketsget-iam-policygs://b/ --format=jsonset-iam-policy-T sort_keysrr subprocessCompletedProcessr7r  _FAKE_CONFIG_GET_ACCOUNT_PROCESS_mock_subprocess_run side_effectrrrLcall_args_list_MOCK_CONFIG_GET_ACCOUNT_CALLrrr)r;original_policyr1 get_process set_processs r'4test_iam_ch_adds_updates_and_deletes_bucket_policiesz@TestIamShim.test_iam_ch_adds_updates_and_deletes_bucket_policiess$"| 2"$CD 1"|   O $"| 2/<  J GH I//a ?(CEk//RAFk  / /k/d+ !6<)"      t00??  , ,   // ;Y)9o     // ;  $(::jD#I  K B # J I   J Is%A/E+E4B"E+E( $E++E4c"dddgdgi}dddgdgi}ddddgdgi}ddddgdgi}tdg5tjgdtj| }tjgdtj| }tjgd }|j ||||g|j _td d d 5|jdgdddd|j|j j|j|jtjd dddddg|jtjd dddddgtj|d|jtjd dddddg|jtjd dddddgtj|dgdddy#1swYxYw#1swYyxYw)Nr+rzuser:test-user1@example.comrKzuser:test-user2@example.comrrrrrr`rrr)rrrrrrrzgs://b1/rrrTrr zgs://b2/r )r;original_policy1original_policy2 new_policy1 new_policy2 get_process1 get_process2rs r'5test_iam_ch_updates_bucket_policies_for_multiple_urlszATestIamShim.test_iam_ch_updates_bucket_policies_for_multiple_urlssp156   156   1/1NO  K 1/1NO  K GH I00a 3C(DFl00a 3C(DFl//RAFk  / /{  /d+ !6<)"    O Q   t00??  , ,   // ;Y):     // ;  $(::kT#J  L   // ;Y):     // ;  $(::kT#J  L'B ' J I   J Is%BHG8$D H8H =HHc~dddgdgi}ddddgdgi}tdg5tjgdtjdd d g }tjgdtj| }tjgd }|j |||g|j _td dd5|jdgdddd|j|j j|j|jtjdddddg|jtjddddddg|jtjddddddgtj|dgdddy#1swYxYw#1swYyxYw)Nr+rr rKrrrr cloud_objecturltyperrr`rrrrrrrls--jsonobjectsrrrrTrr r )r;rr1 ls_processrrs r'#test_iam_ch_updates_object_policiesz/TestIamShim.test_iam_ch_updates_object_policiess1"|  O 1/<  J GH I..B:;6:jj:D;IC1B2734j //a ?(CEk//RAFk  / /[ /d+ !6<)"   L N   t00??  , ,   // ;Y      // ;Y):     // ;  $(::jD#I  KB + J I   J Is%BF3?F'C F3'F0 ,F33F<cHdddgdgi}tdg5tjgdtjddd d d d d dd d d d g}tjgdtj|}tjgd}|j |g||gdzz|j _tddd5|jdgdddd|j|j j|j|jtjddddddg|jtjddddd dg|jtjddddd dgt j" |jtjddddd dg|jtjddddd dgt j" gdddy#1swY1xYw#1swYyxYw)!Nr+z modified-roler rKrrz gs://b/dir/prefixr!z gs://b/dir/:r z gs://b/dir2/z gs://b/dir2/orrr'r`rrr)rrrrrr%r&rrr'rrrrr )rr r r7r rrrrrrLrrrrrrANY)r;rr(rrs r'Etest_iam_ch_expands_urls_with_recursion_and_ignores_container_headerszQTestIamShim.test_iam_ch_expands_urls_with_recursion_and_ignores_container_headersPsr #"|  O GH I..B:;6:jj:G;CC1;I;I31;I;C31;J;I31 B2 734j//a ?(CEk//RAFk  0 0* =  $q ( ) + !6<)"    I K   t00??  , ,   // ;Yi     // ;Y)>?     // ;  $(88  -   // ;Y)?O     // ;  $(88  -/ B  = J I,  - J Is%B1HH D&H H HH!ctdg5tjgdd}tjgdd}||g|j_t dd d 5|j td5|jd gd ddd|j|jjd ddddddy#1swY@xYw#1swYxYw#1swYyxYw)Nrrrrr An error.rrrr`rrrr$r_) rr r rrrrr rrL call_count)r;get_account_processr(s r'test_iam_ch_raises_ls_errorz'TestIamShim.test_iam_ch_raises_ls_errors GH I&77a(@B..B:;6ACj0CJ.Od+ 6<)"  # #$4k B //N PC 22==qA  J IC B    J Is<AC"C6C  .C9C" C CC C""C+c <tdg5tjgdd}tjgdtjdddg}tjgdd }|||g|j _td d d 5|jtd 5|jdgdddd|j|j jdddddddy#1swY@xYw#1swYxYw#1swYyxYw)Nrrrrrr r!rr/r0r`rrrr$r' rr r r7r rrrrr rrLr1)r;r2r(rs r'test_iam_ch_raises_get_errorz(TestIamShim.test_iam_ch_raises_get_errors GH I&77a(@B..B:;6:jj:D;IC1B2734j //R;<7BDk z;/d+ !6<)"  # #$4k B //N PC 22==qA ! J I(C B   ! J Is<BDD&C:;.D)D:D ?DD DDc ntdg5tjgdd}tjgdtjdddg}tjgdd}tjgd d }||||g|j _td d d5|jtd 5|jdgdddd|j|j jdddddddy#1swY@xYw#1swYxYw#1swYyxYw)Nrrrrrr r!z{"bindings": []}rr/r0r`rrrr$rr5)r;r2r(rrs r'test_iam_ch_raises_set_errorz(TestIamShim.test_iam_ch_raises_set_errors8 GH I&77a(@B..B:;6:jj:D;IC1B2734j //R;<7IKk//R;<7BDk z; /d+ !6<)"  # #$4k B //N PC 22==qA ' J I.C B   ' J Is<BD+(D?D.DD+D DD( $D++D4c dddgdgi}ddddgdgi}tdg5tjgdd }tjgdd }|j||g|j_t d d d 5|jdgddd}ddd|j|jj|j|jtjd ddddg|jtjd ddddggdjjd}|j!d||j!d |dddy#1swYxYw#1swYyxYw)Nr+rr rKrrrr/r0Another error.r`rrrrr$rrrTdebugrrr%r&rrrerror)rr r rrrrrrLrrrrrrrr)r;rr1r( ls_process2r error_liness r'!test_iam_ch_continues_on_ls_errorz-TestIamShim.test_iam_ch_continues_on_ls_errors1"|  O 1/<  J GH I..B:;6ACj//R;<7GIk  / /[/d+ !6<)"  ??53 23>B+D   t00??  , ,   // ;Y      // ;Y   B  II.77@Ak mmK- mm$k2O J I   J Is%AE5=E)C E5)E2 .E55E>cdddgdgi}ddddgdgi}tdg5tjgdtjdd d g }tjgd d }tjgd d}|j |||g|j _tddd5|jdgdd d}ddd|j|j j|j|jtjdddddg|jtjddddddg|jtjdddddggdj!j"d}|j%d ||j%d|dddy#1swYxYw#1swYyxYw) Nr+rr rKrrrrr r!rrr/r0r:r`rrrr;Tr<rr%r&r'rrrrr>rr r r7r rrrrrrLrrrrrrrr)r;rr1r(rr?rr@s r'"test_iam_ch_continues_on_get_errorz.TestIamShim.test_iam_ch_continues_on_get_errors"1"|  O 1/<  J GH I..B:;6:jj:E;IC1B2734j //R;<7BDk//R;<7GIk  / /[ /d+ !6<)"  ??53 23>B+D   t00??  , ,   // ;Y      // ;Y);     // ;Y   B II.77@Ak mmK- mm$k2c J I"  # J Is%B G-GC4GG GGcdddgdgi}ddddgdgi}tdg5tjgdtjdd d g }tjgdtj| }tjgd d }tjgd d}|j ||||g|j _tddd5|jdgdd d}ddd|j|j j|j|jtjdddddg|jtjddddddg|jtjddddddgtj|d |jtjddddd!ggd"j!j"d#}|j%d ||j%d|dddy#1swY?xYw#1swYyxYw)$Nr+rr rKrrrrr r!rrr/r0r:r`rrrr;Tr<rr%r&r'rrrrrr rrr>rC) r;rr1r(rrr?rr@s r'"test_iam_ch_continues_on_set_errorz.TestIamShim.test_iam_ch_continues_on_set_errorWs1"|  O 1/<  J GH I..B:;6:jj:E;IC1B2734j //a ?(CEk//R;<7BDk//R;<7GIk  / /[ {/d+ !6<)"  ??53 23>B +D   t00??  , ,   // ;Y      // ;Y);     // ;  $(::jD#I  K   // ;Y   'B 2II.77@Ak mmK- mm$k2u J I(  ) J Is%B9H;H.1D4H;.H8 3H;;I)&rArBrCr r rrrrrrpatchrr IamCommandMockrrrrrrrrrr,PIPErrrr)r-r3r6r8rArDrFr%r)r'rrs%@Z%@%@ !$<&>""+$)) +) + +J 75  #::S^^\ytyy{C MD M::S^^\ytyy{C MD M::S^^\ytyy{CMDM ::S^^\ytyy{CMDM ::S^^\ytyy{CMDM ::S^^\ytyy{C OD O::S^^\ytyy{CMDM ::S^^\ytyy{CMDM ::S^^\ytyy{CD$%??%??  6 pH T5 nF PB$B4B:43l>3@G3r)r)NN)GrD __future__rrrr collectionsrr7osr gslib.commandsrgslib.exceptionr gslib.project_idr gslib.tests.testcaseteststestcase)gslib.tests.testcase.integration_testcaser r gslib.tests.utilr rrrr"gslib.third_party.storage_apitoolsrapitools_messages gslib.utilsrgslib.utils.constantsrgslib.utils.iam_helperrrrrrrrgslib.utils.retry_utilrsixrr six.movesrPolicyBindingsValueListEntryr9rrrrJrLrMrKr(r3GsUtilIntegrationTestCaser5GsUtilUnitTestCaserFrrBShimUnitTestBaserr%r)r'rcs-&%'# ,.''?@812%W!&>;?/20(%VV_ 56663),GG95B4'-<0 7;; 7  $% /0{AX00{A1&{A|  $% /0CA"CA1&CAL  $% /0R :#R :1&R :ju 3(++u 3r)