feat: Add new gcloud commands, API clients, and third-party libraries across various services.

2026-01-01 20:26:35 +01:00
parent 5e23cbece0
commit a19e592eb7
25221 changed files with 8324611 additions and 0 deletions


@@ -0,0 +1,25 @@
# -*- coding: utf-8 -*- #
# Copyright 2018 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""The attestor management group for Binary Authorization."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
class Attestors(base.Group):
"""Create and manage Google Binary Authorization Attestors."""


@@ -0,0 +1,33 @@
release_tracks: [ALPHA, BETA, GA]
help_text:
brief: Add IAM policy binding to a Binary Authorization attestor.
description: |
Add an IAM policy binding to the IAM policy of a Binary Authorization attestor. One binding consists of a member,
a role, and an optional condition.
examples: |
To add an IAM policy binding for the role of `roles/binaryauthorization.attestorsEditor` for the user `test-user@gmail.com`
on attestor `my_attestor`, run:
$ {command} my_attestor --member='user:test-user@gmail.com' --role='roles/binaryauthorization.attestorsEditor'
To add an IAM policy binding which expires at the end of the year 2018 for the role of
`roles/binaryauthorization.attestorsEditor` and the user `test-user@gmail.com` on attestor `my_attestor`, run:
$ {command} my_attestor --member='user:test-user@gmail.com' --role='roles/binaryauthorization.attestorsEditor' --condition='expression=request.time < timestamp("2019-01-01T00:00:00Z"),title=expires_end_of_2018,description=Expires at midnight on 2018-12-31'
See https://cloud.google.com/iam/docs/managing-policies for details of
policy role and member types.
iam:
enable_condition: true
policy_version: 3
get_iam_policy_version_path: options_requestedPolicyVersion
request:
collection: binaryauthorization.projects.attestors
arguments:
resource:
help_text: The Binary Authorization attestor whose IAM policy to add an IAM policy binding to.
spec: !REF googlecloudsdk.command_lib.container.resources:attestor
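Review bot: The second example under `examples:` describes a binding "which expires at the end of the year 2018" with `timestamp("2019-01-01T00:00:00Z")`, a date already in the past, so a user who copies it creates a binding that is inactive from the moment it is added. Replace the literal date with an obvious placeholder and say so in the sentence, e.g. `--condition='expression=request.time < timestamp("<EXPIRY-RFC3339>"),title=expires_end_of_2018,...'` with a following sentence telling the reader to substitute the intended expiry. The remove-iam-policy-binding file later in this commit carries the same example text and needs the same change.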


@@ -0,0 +1,90 @@
# -*- coding: utf-8 -*- #
# Copyright 2018 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Create Attestor command."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
import textwrap
from googlecloudsdk.api_lib.container.binauthz import apis
from googlecloudsdk.api_lib.container.binauthz import attestors
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.container.binauthz import flags
DETAILED_HELP = {
'DESCRIPTION':
"""
Create an Attestor.
""",
'EXAMPLES':
"""
To create an Attestor with an existing Note `projects/my_proj/notes/my_note`:
$ {command} \
my_new_attestor
--attestation-authority-note=my_note \
--attestation-authority-note-project=my_proj \
""",
}
@base.DefaultUniverseOnly
class Create(base.CreateCommand):
r"""Create an Attestor.
"""
@classmethod
def Args(cls, parser):
flags.AddConcepts(
parser,
flags.GetAttestorPresentationSpec(
positional=True,
group_help='The attestor to be created.',
),
flags.GetNotePresentationSpec(
base_name='attestation-authority-note',
required=True,
positional=False,
group_help=textwrap.dedent("""\
The Container Analysis Note to which the created attestor will
be bound.
For the attestor to be able to access and use the Note,
the Note must exist and the active gcloud account (core/account)
must have the `containeranalysis.notes.listOccurrences` permission
for the Note. This can be achieved by granting the
`containeranalysis.notes.occurrences.viewer` role to the active
account for the Note resource in question.
"""),
),
)
parser.add_argument(
'--description', required=False, help='A description for the attestor')
def Run(self, args):
attestor_ref = args.CONCEPTS.attestor.Parse()
note_ref = args.CONCEPTS.attestation_authority_note.Parse()
api_version = apis.GetApiVersion(self.ReleaseTrack())
return attestors.Client(api_version).Create(
attestor_ref, note_ref, description=args.description)
# This is the user-visible help text for the command. Workaround for web
# version of help text not being generated correctly (b/319501293).
Create.detailed_help = DETAILED_HELP
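Review bot: The EXAMPLES entry in `DETAILED_HELP` renders a shell command that does not run as shown: the `my_new_attestor` line has no trailing backslash, so the two `--attestation-authority-note*` lines are not part of the command, and the final line `--attestation-authority-note-project=my_proj \` ends with a continuation that leads nowhere. Change those two lines to `my_new_attestor \` and `--attestation-authority-note-project=my_proj` (no trailing backslash). The `Create.detailed_help = DETAILED_HELP` assignment after the class body is already explained by its comment and can stay as is.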


@@ -0,0 +1,49 @@
# -*- coding: utf-8 -*- #
# Copyright 2018 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Delete Attestor command."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.api_lib.container.binauthz import apis
from googlecloudsdk.api_lib.container.binauthz import attestors
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.container.binauthz import flags
@base.DefaultUniverseOnly
class Delete(base.DeleteCommand):
"""Delete an Attestor.
## EXAMPLES
To delete an existing Attestor `my_attestor`:
$ {command} my_attestor
"""
@classmethod
def Args(cls, parser):
flags.AddConcepts(
parser,
flags.GetAttestorPresentationSpec(
positional=True, group_help='The attestor to be deleted.'),
)
def Run(self, args):
attestor_ref = args.CONCEPTS.attestor.Parse()
api_version = apis.GetApiVersion(self.ReleaseTrack())
return attestors.Client(api_version).Delete(attestor_ref)
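Review bot: `Run` deletes the attestor with no confirmation prompt and no `log.DeletedResource` call, so a mistyped attestor name is acted on immediately and silently; unless `attestors.Client.Delete` prompts and logs internally (not visible here), add `console_io.PromptContinue(message='You are about to delete attestor [{}]'.format(attestor_ref.Name()), cancel_on_no=True)` before the call and `log.DeletedResource(attestor_ref.Name(), kind='attestor')` after it. Both helpers live in `googlecloudsdk.core` (`console_io` and `log`), which this file does not yet import. Since an attestor may be referenced by a Binary Authorization policy, the docstring should also say what deletion means for such a reference, which the current help text leaves unstated.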


@@ -0,0 +1,49 @@
# -*- coding: utf-8 -*- #
# Copyright 2018 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Describe Attestor command."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.api_lib.container.binauthz import apis
from googlecloudsdk.api_lib.container.binauthz import attestors
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.container.binauthz import flags
@base.DefaultUniverseOnly
class Describe(base.DescribeCommand):
"""Describe an Attestor.
## EXAMPLES
To describe an existing Attestor `my_attestor`:
$ {command} my_attestor
"""
@classmethod
def Args(cls, parser):
flags.AddConcepts(
parser,
flags.GetAttestorPresentationSpec(
positional=True, group_help='The attestor to describe.'),
)
def Run(self, args):
attestor_ref = args.CONCEPTS.attestor.Parse()
api_version = apis.GetApiVersion(self.ReleaseTrack())
return attestors.Client(api_version).Get(attestor_ref)


@@ -0,0 +1,54 @@
# -*- coding: utf-8 -*- #
# Copyright 2018 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Fetch the IAM policy for an attestor."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.api_lib.container.binauthz import apis
from googlecloudsdk.api_lib.container.binauthz import iam
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.container.binauthz import flags
@base.DefaultUniverseOnly
class GetIamPolicy(base.ListCommand):
"""Get the IAM policy for an attestor.
Returns an empty policy if the resource does not have an existing IAM policy
set.
## EXAMPLES
The following command gets the IAM policy for the attestor `my_attestor`:
$ {command} my_attestor
"""
@classmethod
def Args(cls, parser):
flags.AddConcepts(
parser,
flags.GetAttestorPresentationSpec(
positional=True,
group_help='The attestor whose IAM policy will be fetched.',
),
)
def Run(self, args):
attestor_ref = args.CONCEPTS.attestor.Parse()
api_version = apis.GetApiVersion(self.ReleaseTrack())
return iam.Client(api_version).Get(attestor_ref)
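Review bot: `Run` calls `iam.Client(api_version).Get(attestor_ref)` without any requested policy version, while the add-iam-policy-binding YAML in this commit enables conditions with `policy_version: 3`; if `Client.Get` does not itself request version 3 (not visible here), a policy that carries conditional bindings may be rejected or shown without its conditions, which makes the displayed policy look more permissive than it is. Confirm the version the client requests and state it in the docstring, e.g. `Conditional bindings are only returned when policy version 3 is requested.` Separately, subclassing `base.ListCommand` registers the list flags, `--uri` among them, on a command that returns a single policy; other get-iam-policy commands drop it with `base.URI_FLAG.RemoveFromParser(parser)` in `Args`.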


@@ -0,0 +1,57 @@
# -*- coding: utf-8 -*- #
# Copyright 2018 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""List attestors command."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.api_lib.container.binauthz import apis
from googlecloudsdk.api_lib.container.binauthz import attestors
from googlecloudsdk.api_lib.container.binauthz import util
from googlecloudsdk.calliope import base
@base.DefaultUniverseOnly
class List(base.ListCommand):
"""List Attestors associated with the current project.
## EXAMPLES
To list attestors:
$ {command}
To list attestors in a verbose format (including
information about public keys associated with each attestor:
$ {command} --format=yaml
"""
@classmethod
def Args(cls, parser):
parser.display_info.AddFormat("""
table[box](
name.scope().segment(3):sort=1,
{note_field}.noteReference:label=NOTE,
{note_field}.publicKeys.len():label=NUM_PUBLIC_KEYS
)
""".format(note_field='userOwnedGrafeasNote' if cls.ReleaseTrack() ==
base.ReleaseTrack.GA else 'userOwnedDrydockNote'))
def Run(self, args):
api_version = apis.GetApiVersion(self.ReleaseTrack())
return attestors.Client(api_version).List(
util.GetProjectRef(), page_size=args.page_size, limit=args.limit)
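Review bot: The class docstring's second example has an unbalanced parenthesis: `To list attestors in a verbose format (including` / `information about public keys associated with each attestor:` never closes. Change the second line to `information about public keys associated with each attestor):`. The `{note_field}` selection in `Args` keys silently on the release track; a one-line comment such as `# GA exposes the note as userOwnedGrafeasNote; earlier tracks use userOwnedDrydockNote.` above the `.format(...)` would save the next reader a lookup.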


@@ -0,0 +1,152 @@
# -*- coding: utf-8 -*- #
# Copyright 2018 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""The public key management group for attestors."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
class PublicKeys(base.Group):
r"""Create and manage public keys associated with Attestation Authorities.
## BACKGROUND
PGP is an encryption standard used by Binary Authorization to create and
verify attestations. A PGP identity is encapsulated by a "key" which can be
used to sign arbitrary data and/or verify signatures to be valid. As with
other asymmetric key cryptosystems, PGP keys have a "public" part and a
"private" part.
## PGP KEY STRUCTURE
An important feature of PGP keys is that they are hierarchical: Every "PGP
key" is composed of a "primary" key pair and zero or more "subkey" pairs
certified by the primary. These key pairs are collectively known as the "PGP
key." The "public" part of this PGP key contains the public keys of all the
constituent keys as well as all associated metadata (e.g. an email address).
And, as might be expected, the "private" part of the PGP key contains all
constituent private keys and metadata.
One property of subkeys is that they may be marked as "revoked" if they are
compromised or otherwise need to be retired. This does not remove the subkey
from the PGP key but simply adds metadata indicating this revocation. The
primary key pair cannot be revoked by this same mechanism.
### COMMON KEY STRUCTURE
The most common key structure is to have the primary key pair only used to
certify subkey pairs while the subkeys are used to encrypt and sign as
necessary. This allows the PGP key as a whole to act as a durable identity
even if an encryption key is used improperly or a signing key is compromised.
## USAGE IN BINARY AUTHORIZATION
- Authorities hold a set of PGP public keys that are used to verify
attestations.
- These must be submitted in ASCII-armored format. With GPG, this is
accomplished by adding the `--armor` flag to the export command.
- If any of the public keys held by an attestor verify a given attestation,
then the attestor considers that attestation to be valid (see gcloud alpha
container binauthz attestations create help for more details).
- As a result, the compromise of any constituent private key means that the
attestor is at risk. The compromised subkey should be revoked and the PGP
key re-uploaded or removed from the attestor.
## EXAMPLES
GPG is a common tool that implements the PGP standard.
- For general `gpg` usage examples, see gcloud alpha container binauthz help.
- For more detailed and complete documentation, see the GPG manual:
https://gnupg.org/documentation/manuals.html
To get the fingerprint of the public key:
```sh
$ gpg \
--with-colons \
--with-fingerprint \
--force-v4-certs \
--list-keys \
"${ATTESTING_USER}" | grep fpr | cut --delimiter=':' --fields 10
```
To export a public key:
```sh
$ gpg \
--armor \
--export "${FINGERPRINT}" \
--output public_key1.pgp
```
To add your new key to the attestor:
```sh
$ {command} add \
--attestor my_attestor \
--pgp-public-key-file=public_key1.pgp
```
To add a subkey to your PGP key:
```sh
$ gpg \
--quick-add-key ${FINGERPRINT} \
default \
sign
... FOLLOW PROMPTS ...
```
To revoke a subkey from your PGP key:
```sh
$ gpg \
--edit-key ${FINGERPRINT}
... SNIP ...
sec rsa2048/8C124F0F782DA097
created: 2018-01-01 expires: never usage: SCEA
trust: ultimate validity: ultimate
ssb rsa3072/C9597E8F28359AE3
created: 2018-01-01 expires: never usage: E
[ultimate] (1). User <attesting_user@example.com>
gpg> key C9597E8F28359AE3
... SNIP ...
gpg> revkey
... FOLLOW PROMPTS ...
```
To update the modified PGP key on the attestor:
```sh
$ {command} update \
${FINGERPRINT} \
--attestor=my_attestor \
--pgp-public-key-file=public_key1_updated.pgp
```
To remove this new key from the attestor:
```sh
$ {command} remove \
${FINGERPRINT} \
--attestor my_attestor
```
"""


@@ -0,0 +1,151 @@
# -*- coding: utf-8 -*- #
# Copyright 2018 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Add Attestor public key command."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
import textwrap
from googlecloudsdk.api_lib.container.binauthz import apis
from googlecloudsdk.api_lib.container.binauthz import attestors
from googlecloudsdk.api_lib.container.binauthz import kms
from googlecloudsdk.calliope import arg_parsers
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.container.binauthz import exceptions
from googlecloudsdk.command_lib.container.binauthz import flags
from googlecloudsdk.command_lib.container.binauthz import pkix
@base.DefaultUniverseOnly
@base.ReleaseTracks(base.ReleaseTrack.GA, base.ReleaseTrack.BETA,
base.ReleaseTrack.ALPHA)
class Add(base.Command):
r"""Add a public key to an Attestor.
## EXAMPLES
To add a new KMS public key to an existing Attestor `my_attestor`:
$ {command} \
--attestor=my_attestor \
--keyversion-project=foo \
--keyversion-location=us-west1 \
--keyversion-keyring=aring \
--keyversion-key=akey \
--keyversion=1
To add a new PGP public key to an existing Attestor `my_attestor`:
$ {command} \
--attestor=my_attestor \
--pgp-public-key-file=my_key.pub
"""
@classmethod
def Args(cls, parser):
flags.AddConcepts(
parser,
flags.GetAttestorPresentationSpec(
required=True,
positional=False,
group_help=(
'The attestor to which the public key should be added.'),
),
)
parser.add_argument(
'--comment', help='The comment describing the public key.')
key_group = parser.add_mutually_exclusive_group(required=True)
pgp_group = key_group.add_group(help='PGP key definition')
pgp_group.add_argument(
'--pgp-public-key-file',
type=arg_parsers.FileContents(),
help='The path to the file containing the '
'ASCII-armored PGP public key to add.')
kms_group = key_group.add_group(help='Cloud KMS key definition')
flags.AddConcepts(
kms_group,
flags.GetCryptoKeyVersionPresentationSpec(
base_name='keyversion',
required=True,
positional=False,
use_global_project_flag=False,
group_help=textwrap.dedent("""\
The Cloud KMS (Key Management Service) CryptoKeyVersion whose
public key will be added to the attestor.""")),
)
pkix_group = key_group.add_group(help='PKIX key definition')
pkix_group.add_argument(
'--pkix-public-key-file',
required=True,
type=arg_parsers.FileContents(),
help='The path to the file containing the PKIX public key to add.')
pkix_group.add_argument(
'--pkix-public-key-algorithm',
choices=pkix.GetAlgorithmMapper().choices,
required=True,
help=textwrap.dedent("""\
The signing algorithm of the associated key. This will be used to
verify the signatures associated with this key."""))
parser.add_argument(
'--public-key-id-override',
type=str,
help=textwrap.dedent("""\
If provided, the ID to replace the default API-generated one. All IDs
must be valid URIs as defined by RFC 3986
(https://tools.ietf.org/html/rfc3986).
When creating Attestations to be verified by this key, one must always
provide this custom ID as the public key ID."""))
def Run(self, args):
api_version = apis.GetApiVersion(self.ReleaseTrack())
attestors_client = attestors.Client(api_version)
attestor_ref = args.CONCEPTS.attestor.Parse()
if args.pgp_public_key_file and args.public_key_id_override:
raise exceptions.InvalidArgumentError(
'--public-key-id-override may not be used with old-style PGP keys')
if args.keyversion:
key_resource = args.CONCEPTS.keyversion.Parse()
public_key = kms.Client().GetPublicKey(key_resource.RelativeName())
return attestors_client.AddPkixKey(
attestor_ref,
pkix_pubkey_content=public_key.pem,
pkix_sig_algorithm=attestors_client.ConvertFromKmsSignatureAlgorithm(
public_key.algorithm),
id_override=(args.public_key_id_override or
kms.GetKeyUri(key_resource)),
comment=args.comment)
elif args.pkix_public_key_file:
alg_mapper = pkix.GetAlgorithmMapper(api_version)
return attestors_client.AddPkixKey(
attestor_ref,
pkix_pubkey_content=args.pkix_public_key_file,
pkix_sig_algorithm=alg_mapper.GetEnumForChoice(
args.pkix_public_key_algorithm),
id_override=args.public_key_id_override,
comment=args.comment)
else:
# TODO(b/71700164): Validate the contents of the public key file.
return attestors_client.AddPgpKey(
attestor_ref,
pgp_pubkey_content=args.pgp_public_key_file,
comment=args.comment)
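Review bot: `Args` builds the `--pkix-public-key-algorithm` choices from `pkix.GetAlgorithmMapper()` with no API version, while `Run` resolves the chosen value through `pkix.GetAlgorithmMapper(api_version)`; if the mapper's choices or enum differ by API version (not visible here), a value accepted at parse time may have no enum in `Run`. Use the same version in both places, e.g. `choices=pkix.GetAlgorithmMapper(apis.GetApiVersion(cls.ReleaseTrack())).choices`, or add a comment on the `Args` call explaining why the default mapper is correct for choice validation. The `TODO(b/71700164)` only covers the PGP branch, but the PKIX branch also forwards the `--pkix-public-key-file` contents unchecked; assuming the server is what validates today, a local check that the file holds a PEM `PUBLIC KEY` block would give the user an early, clear error instead of an API rejection.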


@@ -0,0 +1,60 @@
# -*- coding: utf-8 -*- #
# Copyright 2018 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Remove Attestor public key command."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.api_lib.container.binauthz import apis
from googlecloudsdk.api_lib.container.binauthz import attestors
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.container.binauthz import flags
@base.DefaultUniverseOnly
class Remove(base.Command):
r"""Remove a public key from an Attestor.
## EXAMPLES
To remove a public key from the Attestor `my_attestor`:
$ {command} 0638AADD940361EA2D7F14C58C124F0E663DA097 \
--attestor=my_attestor
"""
@classmethod
def Args(cls, parser):
flags.AddConcepts(
parser,
flags.GetAttestorPresentationSpec(
required=True,
positional=False,
group_help=(
'The attestor from which the public key should be removed.'),
),
)
parser.add_argument(
'public_key_id',
help='The ID of the public key to remove.')
def Run(self, args):
api_version = apis.GetApiVersion(self.ReleaseTrack())
attestors_client = attestors.Client(api_version)
attestor_ref = args.CONCEPTS.attestor.Parse()
attestors_client.RemoveKey(attestor_ref, pubkey_id=args.public_key_id)
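Review bot: `Run` discards the result of `attestors_client.RemoveKey(...)` and neither prompts nor logs, so removing a key, which changes which signatures the attestor accepts, gives no feedback and no chance to abort on a mistyped `public_key_id`. Unless `RemoveKey` logs internally, add `log.DeletedResource(args.public_key_id, kind='public key')` after the call (from `googlecloudsdk.core import log`) and consider a `console_io.PromptContinue` guard like other destructive commands. `Run` also returns `None` where the sibling commands return the API result; if that is deliberate, say so in a docstring on `Run`.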


@@ -0,0 +1,116 @@
# -*- coding: utf-8 -*- #
# Copyright 2018 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Update Attestor public key command."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.api_lib.container.binauthz import apis
from googlecloudsdk.api_lib.container.binauthz import attestors
from googlecloudsdk.calliope import arg_parsers
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.container.binauthz import flags
@base.DefaultUniverseOnly
@base.ReleaseTracks(base.ReleaseTrack.BETA, base.ReleaseTrack.GA)
class Update(base.UpdateCommand):
r"""Update a public key on an Attestor.
## EXAMPLES
To update a PGP public key on an existing Attestor `my_attestor`:
$ {command} \
0638AADD940361EA2D7F14C58C124F0E663DA097 \
--attestor=my_attestor \
--pgp-public-key-file=my_key.pub
"""
@classmethod
def Args(cls, parser):
flags.AddConcepts(
parser,
flags.GetAttestorPresentationSpec(
required=True,
positional=False,
group_help=(
'The attestor on which the public key should be updated.'),
),
)
parser.add_argument(
'public_key_id',
help='The ID of the public key to update.')
parser.add_argument(
'--pgp-public-key-file',
type=arg_parsers.FileContents(),
help='The path to a file containing the '
'updated ASCII-armored PGP public key.')
parser.add_argument(
'--comment', help='The comment describing the public key.')
def Run(self, args):
api_version = apis.GetApiVersion(self.ReleaseTrack())
attestors_client = attestors.Client(api_version)
attestor_ref = args.CONCEPTS.attestor.Parse()
# TODO(b/71700164): Validate the contents of the public key file.
return attestors_client.UpdateKey(
attestor_ref,
args.public_key_id,
pgp_pubkey_content=args.pgp_public_key_file,
comment=args.comment)
@base.ReleaseTracks(base.ReleaseTrack.ALPHA)
class UpdateAlpha(base.UpdateCommand):
"""Update a public key on an Attestor."""
@classmethod
def Args(cls, parser):
flags.AddConcepts(
parser,
flags.GetAttestorPresentationSpec(
required=True,
positional=False,
group_help=(
'The attestor on which the public key should be updated.'),
),
)
parser.add_argument(
'public_key_id',
help='The ID of the public key to update.')
parser.add_argument(
'--pgp-public-key-file',
type=arg_parsers.FileContents(),
help='The path to a file containing the '
'updated ASCII-armored PGP public key.')
parser.add_argument(
'--comment', help='The comment describing the public key.')
def Run(self, args):
api_version = apis.GetApiVersion(self.ReleaseTrack())
attestors_client = attestors.Client(api_version)
attestor_ref = args.CONCEPTS.attestor.Parse()
# TODO(b/71700164): Validate the contents of the public key file.
return attestors_client.UpdateKey(
attestor_ref,
args.public_key_id,
pgp_pubkey_content=args.pgp_public_key_file,
comment=args.comment)
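Review bot: `UpdateAlpha` repeats `Update`'s `Args` and `Run` verbatim and omits the `@base.DefaultUniverseOnly` decorator that `Update` carries, so the two tracks can drift and already differ in universe handling. Unless the alpha track intentionally allows other universes, replace the duplicate with a subclass: `@base.ReleaseTracks(base.ReleaseTrack.ALPHA)` / `class UpdateAlpha(Update):` / `"""Update a public key on an Attestor."""`. In both classes `Run` forwards `pgp_pubkey_content=None` and `comment=None` when neither flag is given; whether `UpdateKey` treats that as a no-op or clears the fields is not visible here, so either require at least one of the two flags or document the no-flag behavior in the docstring.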


@@ -0,0 +1,33 @@
release_tracks: [ALPHA, BETA, GA]
help_text:
brief: Remove IAM policy binding of a Binary Authorization attestor.
description: |
Remove an IAM policy binding from the IAM policy of a Binary Authorization attestor. One binding consists of a
member, a role, and an optional condition.
examples: |
To remove an IAM policy binding for the role of `roles/binaryauthorization.attestorsEditor` for the user `test-user@gmail.com`
on attestor `my_attestor`, run:
$ {command} my_attestor --member='user:test-user@gmail.com' --role='roles/binaryauthorization.attestorsEditor'
To remove an IAM policy binding which expires at the end of the year 2018 for the role of
`roles/binaryauthorization.attestorsEditor` and the user `test-user@gmail.com` on attestor `my_attestor`, run:
$ {command} my_attestor --member='user:test-user@gmail.com' --role='roles/binaryauthorization.attestorsEditor' --condition='expression=request.time < timestamp("2019-01-01T00:00:00Z"),title=expires_end_of_2018,description=Expires at midnight on 2018-12-31'
See https://cloud.google.com/iam/docs/managing-policies for details of
policy role and member types.
iam:
enable_condition: true
policy_version: 3
get_iam_policy_version_path: options_requestedPolicyVersion
request:
collection: binaryauthorization.projects.attestors
arguments:
resource:
help_text: The Binary Authorization attestor whose IAM policy to remove an IAM policy binding from.
spec: !REF googlecloudsdk.command_lib.container.resources:attestor


@@ -0,0 +1,66 @@
# -*- coding: utf-8 -*- #
# Copyright 2018 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Set the IAM policy for an attestor."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.api_lib.container.binauthz import apis
from googlecloudsdk.api_lib.container.binauthz import iam
from googlecloudsdk.api_lib.container.binauthz import util
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.iam import iam_util
@base.DefaultUniverseOnly
class SetIamPolicy(base.Command):
"""Set the IAM policy for an attestor.
See https://cloud.google.com/iam/docs/managing-policies for details of
the policy file format and contents.
## EXAMPLES
The following command will read an IAM policy defined in a JSON file
'iam_policy.json' and set it for the attestor `my_attestor`:
$ {command} my_attestor iam_policy.json
"""
# The above text is based on output of
# iam_util.GetDetailedHelpForSetIamPolicy.
@classmethod
def Args(cls, parser):
parser.add_argument(
'attestor_name',
help=('The name of the attestor '
'whose IAM policy will be '
'updated.'))
parser.add_argument(
'policy_file',
help=('The JSON or YAML '
'file containing the IAM policy.'))
def Run(self, args):
api_version = apis.GetApiVersion(self.ReleaseTrack())
client = iam.Client(api_version)
attestor_ref = util.GetAttestorRef(args.attestor_name)
policy, _ = iam_util.ParseYamlOrJsonPolicyFile(args.policy_file,
client.messages.IamPolicy)
result = client.Set(attestor_ref, policy)
iam_util.LogSetIamPolicy(attestor_ref.Name(), 'attestor')
return result
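Review bot: `set-iam-policy` replaces the whole policy, and the help text never tells the user to carry the `etag` returned by `get-iam-policy` into `policy_file`; without it a concurrent change is silently overwritten and, for a policy with conditional bindings, the conditions may be lost unless `iam.Client.Set` enforces version 3 (not visible here). Add to the docstring a line such as `Include the etag returned by get-iam-policy in the policy file so that concurrent modifications are detected.` and, since `ParseYamlOrJsonPolicyFile` returns a second value that `Run` discards as `_`, confirm whether `client.Set` should receive it as an update mask. This command also takes a plain `attestor_name` positional while every other attestor command in this commit uses `flags.GetAttestorPresentationSpec`; aligning it would give consistent resource parsing and help text.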


@@ -0,0 +1,55 @@
# -*- coding: utf-8 -*- #
# Copyright 2018 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Update Attestor command."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.api_lib.container.binauthz import apis
from googlecloudsdk.api_lib.container.binauthz import attestors
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.container.binauthz import flags
@base.DefaultUniverseOnly
class Update(base.UpdateCommand):
r"""Update an existing Attestor.
## EXAMPLES
To update an existing Attestor `my_attestor`:
$ {command} my_attestor \
--description="my new attestor description"
"""
@classmethod
def Args(cls, parser):
flags.AddConcepts(
parser,
flags.GetAttestorPresentationSpec(
positional=True, group_help='The attestor to update.'),
)
parser.add_argument(
'--description',
required=False,
help='The new description for the attestor')
def Run(self, args):
attestor_ref = args.CONCEPTS.attestor.Parse()
api_version = apis.GetApiVersion(self.ReleaseTrack())
return attestors.Client(api_version).Update(
attestor_ref, description=args.description)
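Review bot: `--description` is optional, yet `Run` always forwards `description=args.description`, so an invocation with no flags calls `Update(attestor_ref, description=None)`; whether that clears the description or is a no-op depends on `attestors.Client.Update`, which is not visible here. Either reject the no-flag case in `Run` with a calliope argument error, or document the behavior in the docstring and in the `--description` help. The help string `'The new description for the attestor'` also lacks the trailing period that `'The attestor to update.'` in the same `Args` uses.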