B uf3@s`dZddlZddlZddlZddlZdZdZdZdZdZ Gdd d e Z Gd d d ej j ZdS) a6Non-API-specific IAM policy definitions For allowed roles / permissions, see: https://cloud.google.com/iam/docs/understanding-roles Example usage: .. code-block:: python # ``get_iam_policy`` returns a :class:'~google.api_core.iam.Policy`. policy = resource.get_iam_policy(requested_policy_version=3) phred = "user:phred@example.com" admin_group = "group:admins@groups.example.com" account = "serviceAccount:account-1234@accounts.example.com" policy.version = 3 policy.bindings = [ { "role": "roles/owner", "members": {phred, admin_group, account} }, { "role": "roles/editor", "members": {"allAuthenticatedUsers"} }, { "role": "roles/viewer", "members": {"allUsers"} "condition": { "title": "request_time", "description": "Requests made before 2021-01-01T00:00:00Z", "expression": "request.time < timestamp("2021-01-01T00:00:00Z")" } } ] resource.set_iam_policy(policy) Nz roles/ownerz roles/editorz roles/viewerz_Assigning to '{}' is deprecated. Use the `policy.bindings` property to modify bindings instead.zWDict access is not supported on policies with version > 1 or with conditional bindings.c@seZdZdZdS)InvalidOperationExceptionz1Raised when trying to use Policy class as a dict.N)__name__ __module__ __qualname____doc__rrU/home/ankuromar296_gmail_com/myenv/lib/python3.7/site-packages/google/api_core/iam.pyrMsrc@s(eZdZdZefZefZefZ d/ddZ ddZ ddZ d d Z d d Zd dZddZddZeddZejddZeddZejddZeddZejddZeddZejddZedd Zed!d"Zed#d$Zed%d&Zed'd(Zed)d*Zed+d,Z d-d.Z!dS)0Policya1IAM Policy Args: etag (Optional[str]): ETag used to identify a unique of the policy version (Optional[int]): The syntax schema version of the policy. Note: Using conditions in bindings requires the policy's version to be set to `3` or greater, depending on the versions that are currently supported. Accessing the policy using dict operations will raise InvalidOperationException when the policy's version is set to 3. Use the policy.bindings getter/setter to retrieve and modify the policy's bindings. See: IAM Policy https://cloud.google.com/iam/reference/rest/v1/Policy Policy versions https://cloud.google.com/iam/docs/policies#versions Conditions overview https://cloud.google.com/iam/docs/conditions-overview. NcCs||_||_g|_dS)N)etagversion _bindings)selfr r rrr__init__rszPolicy.__init__cCs|dd|jDS)Ncss|]}|dr|dVqdS)membersroleNr).0bindingrrr zsz"Policy.__iter__..)__check_version__r )r rrr__iter__wszPolicy.__iter__cCs|tt|S)N)rlenlistr)r rrr__len__|szPolicy.__len__cCsL|x"|jD]}|d|kr|dSqW|td}|j||dS)Nrr)rr)rr setappend)r keyb new_bindingrrr __getitem__s     zPolicy.__getitem__cCsN|t|}x&|jD]}|d|kr||d<dSqW|j||ddS)Nrr)rr)rrr r)r rvaluerrrr __setitem__s  zPolicy.__setitem__cCs@|x*|jD] }|d|kr|j|dSqWt|dS)Nr)rr removeKeyError)r rrrrr __delitem__s    zPolicy.__delitem__cCs,|jdk o|jdk}|s |r(ttdS)z[Raise InvalidOperationException if version is greater than 1 or policy contains conditions.N)r _contains_conditionsr_DICT_ACCESS_MSG)r Z raise_versionrrrrs zPolicy.__check_version__cCs&x |jD]}|ddk rdSqWdS)N conditionTF)r get)r rrrrr%s zPolicy._contains_conditionscCs|jS)aEThe policy's list of bindings. A binding is specified by a dictionary with keys: * role (str): Role that is assigned to `members`. * members (:obj:`set` of str): Specifies the identities associated to this binding. * condition (:obj:`dict` of str:str): Specifies a condition under which this binding will apply. * title (str): Title for the condition. * description (:obj:str, optional): Description of the condition. * expression: A CEL expression. Type: :obj:`list` of :obj:`dict` See: Policy versions https://cloud.google.com/iam/docs/policies#versions Conditions overview https://cloud.google.com/iam/docs/conditions-overview. Example: .. code-block:: python USER = "user:phred@example.com" ADMIN_GROUP = "group:admins@groups.example.com" SERVICE_ACCOUNT = "serviceAccount:account-1234@accounts.example.com" CONDITION = { "title": "request_time", "description": "Requests made before 2021-01-01T00:00:00Z", # Optional "expression": "request.time < timestamp("2021-01-01T00:00:00Z")" } # Set policy's version to 3 before setting bindings containing conditions. policy.version = 3 policy.bindings = [ { "role": "roles/viewer", "members": {USER, ADMIN_GROUP, SERVICE_ACCOUNT}, "condition": CONDITION }, ... ] )r )r rrrbindingss2zPolicy.bindingscCs ||_dS)N)r )r r)rrrr)scCs>t}x.|jD]$}x||dD]}||q WqWt|S)zLegacy access to owner role. Raise InvalidOperationException if version is greater than 1 or policy contains conditions. DEPRECATED: use `policy.bindings` to access bindings instead. r)r _OWNER_ROLESr(add frozenset)r resultrmemberrrrownerss  z Policy.ownerscCs ttdtt||t<dS)zUpdate owners. Raise InvalidOperationException if version is greater than 1 or policy contains conditions. DEPRECATED: use `policy.bindings` to access bindings instead. r/N)warningswarn_ASSIGNMENT_DEPRECATED_MSGformat OWNER_ROLEDeprecationWarning)r rrrrr/scCs>t}x.|jD]$}x||dD]}||q WqWt|S)zLegacy access to editor role. Raise InvalidOperationException if version is greater than 1 or policy contains conditions. DEPRECATED: use `policy.bindings` to access bindings instead. r)r _EDITOR_ROLESr(r+r,)r r-rr.rrreditorss  zPolicy.editorscCs ttdtt||t<dS)zUpdate editors. Raise InvalidOperationException if version is greater than 1 or policy contains conditions. DEPRECATED: use `policy.bindings` to modify bindings instead. r7N)r0r1r2r3 EDITOR_ROLEr5)r rrrrr7 s cCs>t}x.|jD]$}x||dD]}||q WqWt|S)zLegacy access to viewer role. Raise InvalidOperationException if version is greater than 1 or policy contains conditions. DEPRECATED: use `policy.bindings` to modify bindings instead. r)r _VIEWER_ROLESr(r+r,)r r-rr.rrrviewerss  zPolicy.viewerscCs ttdtt||t<dS)zUpdate viewers. Raise InvalidOperationException if version is greater than 1 or policy contains conditions. DEPRECATED: use `policy.bindings` to modify bindings instead. r:N)r0r1r2r3 VIEWER_ROLEr5)r rrrrr:(s cCs d|fS)zFactory method for a user member. Args: email (str): E-mail for this particular user. Returns: str: A member string corresponding to the given user. zuser:%sr)emailrrruser6s z Policy.usercCs d|fS)zFactory method for a service account member. Args: email (str): E-mail for this particular service account. Returns: str: A member string corresponding to the given service account. zserviceAccount:%sr)r<rrrservice_accountBs zPolicy.service_accountcCs d|fS)zFactory method for a group member. Args: email (str): An id or e-mail for this particular group. Returns: str: A member string corresponding to the given group. zgroup:%sr)r<rrrgroupOs z Policy.groupcCs d|fS)zFactory method for a domain member. Args: domain (str): The domain for this member. Returns: str: A member string corresponding to the given domain. z domain:%sr)domainrrrr@[s z Policy.domaincCsdS)zFactory method for a member representing all users. Returns: str: A member string representing all users. ZallUsersrrrrr all_usersgszPolicy.all_userscCsdS)zFactory method for a member representing all authenticated users. Returns: str: A member string representing all authenticated users. ZallAuthenticatedUsersrrrrrauthenticated_userspszPolicy.authenticated_userscCsT|d}|d}|||}|dg|_x"|jD]}t|dd|d<q4W|S)zFactory: create a policy from a JSON resource. Args: resource (dict): policy resource returned by ``getIamPolicy`` API. Returns: :class:`Policy`: the parsed policy r r r)rr)r(r)r)clsresourcer r policyrrrr from_api_reprys    zPolicy.from_api_reprcCsi}|jdk r|j|d<|jdk r,|j|d<|jrt|jdkrg}xN|jD]D}|d}|rL|dt|d}|d}|r||d<||qLW|rtd}t||d |d <|S) zRender a JSON policy resource. Returns: dict: a resource to be passed to the ``setIamPolicy`` API. Nr r rrr)rrr')rr)) r r r rr(sortedroperator itemgetter)r rDr)rrrr'rrrr to_api_reprs&        zPolicy.to_api_repr)NN)"rrrrr4r*r8r6r;r9rrrrr r#rr%propertyr)setterr/r7r: staticmethodr=r>r?r@rArB classmethodrFrJrrrrr Ss8    4    r )r collectionscollections.abcrHr0r4r8r;r2r& ExceptionrabcMutableMappingr rrrr4s