I+(dZddlmZddlmZddlmZddlmZddlmZddlmZddl Z dd l m Z dd l m Z dd lmZegd Zegd ZdZeddgZedddgZedddgZdZdZdZdZdZdZdZdZdZ dZ!dZ"y) z"Helper module for the IAM command.)absolute_import)print_function)division)unicode_literals) defaultdict) namedtupleN) protojson)CommandException)storage_v1_messages) userz deleted:userserviceAccountzdeleted:serviceAccountgroupz deleted:groupdomain principal principalSetprincipalHierarchy) projectOwner projectEditor projectVieweraAssigning roles (e.g. objectCreator, legacyBucketOwner) for project convenience groups is not supported by gsutil, as it goes against the principle of least privilege. Consider creating and using more granular groups with which to assign permissions. See https://cloud.google.com/iam/docs/using-iam-securely for more information. Assigning a role to a project group can be achieved by setting the IAM policy directly (see gsutil help iam for specifics).allUsersallAuthenticatedUsers BindingsTupleis_grantbindingsBindingsDictTuplec~|j|jDcgc]}tj|c}fScc}w)aSSerializes the BindingsValueListEntry instances in a BindingsTuple. This is necessary when passing instances of BindingsTuple through Command.Apply, as apitools_messages classes are not by default pickleable. Args: bindings_tuple: A BindingsTuple instance to be serialized. Returns: A serialized BindingsTuple object. )rrr encode_message)bindings_tuplets )platform/gsutil/gslib/utils/iam_helper.pySerializeBindingsTupler"NsA  ! !0>0G0G H0G19 # #A &0G H JJ Hs:c |\}}t||Dcgc]0}tjtjj |2c}Scc}w)Nrr)rr decode_messageapitools_messagesPolicyBindingsValueListEntry)serialized_bindings_tuplerrr s r!DeserializeBindingsTupler*^s\28X ,4!,4a%33077NN "+3! !s5A ctt}|D]*}||jj|j,|S)zReformats policy bindings metadata. Args: bindings: A list of BindingsValueListEntry instances. Returns: A {role: set(members)} dictionary. )rsetroleupdatemembersr tmp_bindingsbindings r!BindingsMessageToUpdateDictr3hs9S!,g%%goo6 cftt}|D]}||dj|d|S)aReformats policy bindings metadata. Args: bindings: List of dictionaries representing BindingsValueListEntry instances. e.g.: { "role": "some_role", "members": ["allAuthenticatedUsers", ...] } Returns: A {role: set(members)} dictionary. r-r/)rr,r.r0s r!BindingsDictToUpdateDictr6xs:S!,g!(();< r4cXt||\}}|j xr |j S)N) DiffBindingsr)abgrantedremoveds r!IsEqualBindingsr=s0#Aq)7G     6g&6&6"66r4c t|}t|}tg}tg}tj|D]+\}}||j|j ||-tj|D]+\}}||j|j ||-tj|D cgc]1\}} | r*t j j|t| 3}}} tj|D cgc]1\}} | r*t j j|t| 3}}} td|td|fScc} }wcc} }w)a]Computes the difference between two BindingsValueListEntry lists. Args: old: The original list of BindingValuesListEntry instances new: The updated list of BindingValuesListEntry instances Returns: A pair of BindingsTuple instances, one for roles granted between old and new, and one for roles removed between old and new. r-r/TF) r3six iteritemsr. differencer&r'r(listr) oldnewtmp_oldtmp_newr;r<r-r/rms r!r8r8sY ( ,' ' ,' ' +' ' +'w/otW DM++GDM:;0w/otW DM++GDM:;0 MM'* *&1a 551d1g5N*  MM'* *&1a 551d1g5N*   g & eW(E FF   s 6E-6E3cZ|r?tj|D]&\}}|s td||j|(n9|D]4}||j ||||j |t 6tj|Dcic] \}}|s || c}}Scc}}w)aPatches a diff list of BindingsValueListEntry to the base. Will remove duplicate members for any given role on a grant operation. Args: base (dict): A dictionary returned by BindingsMessageToUpdateDict or BindingsDictToUpdateDict representing a resource's current IAM policy. diff (dict): A dictionary returned by BindingsMessageToUpdateDict or BindingsDictToUpdateDict representing the IAM policy bindings to add/remove from `base`. is_grant (bool): True if `diff` should be added to `base`, False if it should be removed from `base`. Returns: A {role: set(members)} dictionary created by applying `diff` to `base`. z+Role must be specified for a grant request.)r@rAr r.difference_updateDROP_ALL)basediffrr-r/s r! PatchBindingsrOs&==.w LMM 4j /  4j""4:. 4j""4>2 .1]]4-@ L-@MD'G$--@ LL Ls  B'B'c|jds|dz }|jd}tDcic]}|j|}}tDcic]}|j|}}t Dcic]}|j|}}|dj}|djd|dj}||vr |||d<n;||vr |||d<n.||vr |||d<n!||vr||jd\|d<|d<dj |}| xr |dt v} |jddk(rV|dd|dtvrtd|z|dtvr|\} } n|dtvs| r |} t} ntd|z|jddk(rF|dd|dtvr |} t} n}| r|\} } } | d| } nm|\} }} t| || d|} nS|jddk(r1|jd\}}}} |d|} t| || d|} ntd|z|r | s td| jd Dcgc] }t|} }t| Dcgc]}|| gd  }}t|| Scc}wcc}wcc}wcc}wcc}w) aParses an iam ch bind string to a list of binding tuples. Args: is_grant: If true, binding is to be appended to IAM policy; else, delete this binding from the policy. input_str: A string representing a member-role binding. e.g. user:foo@bar.com:objectAdmin user:foo@bar.com:objectAdmin,objectViewer user:foo@bar.com allUsers deleted:user:foo@bar.com?uid=123:objectAdmin,objectViewer deleted:serviceAccount:foo@bar.com?uid=123 Raises: CommandException in the case of invalid input. Returns: A BindingsDictTuple instance. :rz+Incorrect public member type for binding %szInvalid ch format %szMust specify a role to grant.,r?r$) countsplitPUBLIC_MEMBERSlowerTYPESDISCOURAGED_TYPESjoinr rL_check_member_type ResolveRoler,r)r input_strtokensspublic_memberstypesdiscouraged_typespossible_public_member_or_type possible_typeremoving_discouraged_typememberroles member_type project_id member_idmember_type_p1member_type_p2rHrs r!BindingStringToTupleros*   I ??3 &*89.QAGGIqL..9!& 'A1779a<% '->?->qwwy!|->?#)!9??#4 #AY__.q 0AB-#~5=>F1I%.45F1I%)::!"@AF1I"=177<VAYq hhv)#+lMvay> e : ;;#(;;s#3 4#3a;q>#3% 48;E C 1qfX. ( C Hx @@u: '?j 5 CsJ)J.4J3,J8 J=c^|tvrtt|tvrtd|zy)Nz$Incorrect member type for binding %s)r[r DISCOURAGED_TYPES_MSGrZ)rjr_s r!r]r]/s5%% 0 11% AIM NN r4c(|stSd|vr|Sd|zS)Nzroles/zroles/storage.%s)rL)r-s r!r^r^6s" O  K d ""r4)#__doc__ __future__rrrr collectionsrrr@apitools.base.protorpcliter gslib.exceptionr "gslib.third_party.storage_apitoolsr r&r,rZr[rqrXrrrLr"r*r3r6r=r8rOror]r^r4r!rzs)&%'#" 0,W    K?Z,DE 2Z4LM  J   *7 !GHMBUApO#r4