invisio v2.0

����+(WgI+����������������������@���s��d�Z�ddlmZ�ddlmZ�ddlmZ�ddlmZ�ddlmZ�ddlmZ�ddl	Z	dd	l
mZ�dd
lm
Z
�ddlmZ�eg�d��Zeg�d
��ZdZeddg�Zedddg�Zedddg�ZdZdd��Zdd��Zdd��Zdd��Zdd��Zd d!��Zd"d#��Zd$d%��Z d&d'��Z!d(d)��Z"dS�)*z"Helper module for the IAM command.�����)�absolute_import)�print_function)�division)�unicode_literals)�defaultdict)�
namedtupleN)�	protojson)�CommandException)�storage_v1_messages)
�userzdeleted:userZserviceAccountzdeleted:serviceAccount�groupz
deleted:group�domain�	principalZprincipalSetZprincipalHierarchy)ZprojectOwnerZ
projectEditorZ
projectViewera���Assigning roles (e.g. objectCreator, legacyBucketOwner) for project convenience groups is not supported by gsutil, as it goes against the principle of least privilege. Consider creating and using more granular groups with which to assign permissions. See https://cloud.google.com/iam/docs/using-iam-securely for more information. Assigning a role to a project group can be achieved by setting the IAM policy directly (see gsutil help iam for specifics).�allUsers�allAuthenticatedUsers�
BindingsTuple�is_grant�bindings�BindingsDictTuple��c�����������������C���s���|�j�dd��|�jD��fS�)aS��Serializes the BindingsValueListEntry instances in a BindingsTuple.

This is necessary when passing instances of BindingsTuple through
  Command.Apply, as apitools_messages classes are not by default pickleable.

Args:
    bindings_tuple: A BindingsTuple instance to be serialized.

Returns:
    A serialized BindingsTuple object.
  c�����������������S���s���g�|�]}t��|��qS���)r����encode_message��.0�tr���r����%/opt/gsutil/gslib/utils/iam_helper.py�
<listcomp>[��������z*SerializeBindingsTuple.<locals>.<listcomp>�r���r���)Zbindings_tupler���r���r����SerializeBindingsTupleN���s�����r���c�����������������C���s���|�\}}t�|dd��|D��d�S�)Nc�����������������S���s���g�|�]}t��tjj|��qS�r���)r����decode_message�apitools_messages�Policy�BindingsValueListEntryr���r���r���r���r���a���s
�����z,DeserializeBindingsTuple.<locals>.<listcomp>r���)r���)Zserialized_bindings_tupler���r���r���r���r����DeserializeBindingsTuple^���s������r$���c�����������������C���s(���t�t�}|�D�]}||j��|j��q|S�)z�Reformats policy bindings metadata.

Args:
    bindings: A list of BindingsValueListEntry instances.

Returns:
    A {role: set(members)} dictionary.
  )r����set�role�update�members�r���Ztmp_bindings�bindingr���r���r����BindingsMessageToUpdateDicth���s����
r+���c�����������������C���s,���t�t�}|�D�]}||d���|d���q|S�)a��Reformats policy bindings metadata.

Args:
    bindings: List of dictionaries representing BindingsValueListEntry
      instances. e.g.:
      {
        "role": "some_role",
        "members": ["allAuthenticatedUsers", ...]
      }

Returns:
    A {role: set(members)} dictionary.
  r&���r(���)r���r%���r'���r)���r���r���r����BindingsDictToUpdateDictx���s����r,���c�����������������C���s���t�|�|�\}}|j�o|j�S�)N)�DiffBindingsr���)�a�b�granted�removedr���r���r����IsEqualBindings����s����r2���c�����������������C���s����t�|��}t�|�}t�g��}t�g��}t�|�D�] \}}||��|�||����q*t�|�D�] \}}||��|�||����qVdd��t�|�D��}dd��t�|�D��}td|�td|�fS�)a]��Computes the difference between two BindingsValueListEntry lists.

Args:
    old: The original list of BindingValuesListEntry instances
    new: The updated list of BindingValuesListEntry instances

Returns:
    A pair of BindingsTuple instances, one for roles granted between old and
      new, and one for roles removed between old and new.
  c�����������������S���s(���g�|�] \}}|rt�jj|t|�d���qS��)r&���r(����r!���r"���r#����list�r����r�mr���r���r���r�������s����z DiffBindings.<locals>.<listcomp>c�����������������S���s(���g�|�] \}}|rt�jj|t|�d���qS�r3���r4���r6���r���r���r���r�������s����TF)r+����six�	iteritemsr'����
differencer���)�old�newZtmp_oldZtmp_newr0���r1���r&���r(���r���r���r���r-�������s������r-���c�����������������C���sv���|r4t��|�D�]"\}}|s"td��|�|��|��qn.|�D�](}|�|��||���|�|��|t���q8dd��t��|��D��S�)a���Patches a diff list of BindingsValueListEntry to the base.

Will remove duplicate members for any given role on a grant operation.

Args:
    base (dict): A dictionary returned by BindingsMessageToUpdateDict or
      BindingsDictToUpdateDict representing a resource's current
      IAM policy.
    diff (dict): A dictionary returned by BindingsMessageToUpdateDict or
      BindingsDictToUpdateDict representing the IAM policy bindings to
      add/remove from `base`.
    is_grant (bool): True if `diff` should be added to `base`, False
      if it should be removed from `base`.

Returns:
    A {role: set(members)} dictionary created by applying `diff` to `base`.
  z+Role must be specified for a grant request.c�����������������S���s���i�|�]\}}|r||�qS�r���r���)r���r&���r(���r���r���r����
<dictcomp>����r���z!PatchBindings.<locals>.<dictcomp>)r9���r:���r	���r'����difference_update�DROP_ALL)�base�diffr���r&���r(���r���r���r����
PatchBindings����s����rC���c��������������������sz��|��d�s|d7�}|�d�}dd��tD��}dd��tD��}dd��tD��}|d����}d|d����|d����f�}||v�r�||�|d<�nN||v�r�||�|d<�n8||v�r�||�|d<�n"||v�r�||��d�\|d<�|d<�d�|�}|��o�|d�tv�}|��d�dk�rjd|d�|d�f�tv��r&td	|���nB|d�tv��r>|\��}	n*|d�tv��sR|�r\|��t}	ntd	|���n�|��d�d
k�r�d|d�|d�f�tv��r�|��t}	n>|�r�|\}
}}	d|
|f���n |\}
}}	t	|
|��d|
|f���nR|��d�dk�r$|�d�\}
}}}	d|
|f�}
t	|
|��d|
|f���ntd|���|��rD|	�sDtd
��dd��|	�d�D��}	��fdd�t
|	�D��}t|�|d�S�)a���Parses an iam ch bind string to a list of binding tuples.

Args:
    is_grant: If true, binding is to be appended to IAM policy; else, delete
              this binding from the policy.
    input_str: A string representing a member-role binding.
               e.g. user:foo@bar.com:objectAdmin
                    user:foo@bar.com:objectAdmin,objectViewer
                    user:foo@bar.com
                    allUsers
                    deleted:user:foo@bar.com?uid=123:objectAdmin,objectViewer
                    deleted:serviceAccount:foo@bar.com?uid=123

Raises:
    CommandException in the case of invalid input.

Returns:
    A BindingsDictTuple instance.
  �:c�����������������S���s���i�|�]}|����|�qS�r�����lower�r����sr���r���r���r>�������r���z(BindingStringToTuple.<locals>.<dictcomp>c�����������������S���s���i�|�]}|����|�qS�r���rE���rG���r���r���r���r>�������r���c�����������������S���s���i�|�]}|����|�qS�r���rE���rG���r���r���r���r>�������r���r���z%s:%s����z+Incorrect public member type for binding %s��������zInvalid ch format %szMust specify a role to grant.c�����������������S���s���g�|�]}t�|��qS�r���)�ResolveRole�r���r7���r���r���r���r���)��r���z(BindingStringToTuple.<locals>.<listcomp>�,c��������������������s���g�|�]}|��gd���qS�r3���r���rM�����memberr���r���r���+��r���r���)�count�split�PUBLIC_MEMBERS�TYPES�DISCOURAGED_TYPESrF����joinr	���r@����_check_member_typer%���r���)r����	input_str�tokensZpublic_members�typesZdiscouraged_typesZpossible_public_member_or_type�
possible_typeZremoving_discouraged_typeZroles�member_type�
project_idZ	member_idZmember_type_p1Zmember_type_p2r���r���rO���r����BindingStringToTuple����sh����

�
�

r^���c�����������������C���s*���|�t�v�rtt��n|�tvr&td|���d�S�)Nz$Incorrect member type for binding %s)rU���r	����DISCOURAGED_TYPES_MSGrT���)r\���rX���r���r���r���rW���/��s����
rW���c�����������������C���s���|�st�S�d|�v�r|�S�d|��S�)Nzroles/zroles/storage.%s)r@���)r&���r���r���r���rL���6��s
����rL���)#�__doc__�
__future__r���r���r���r����collectionsr���r���r9����apitools.base.protorpcliter����gslib.exceptionr	����"gslib.third_party.storage_apitoolsr
���r!���r%���rT���rU���r_���rS���r���r���r@���r���r$���r+���r,���r2���r-���rC���r^���rW���rL���r���r���r���r����<module>���s>����	�	
$!X