feat: Add new gcloud commands, API clients, and third-party libraries across various services.

2026-01-01 20:26:35 +01:00
parent 5e23cbece0
commit a19e592eb7
25221 changed files with 8324611 additions and 0 deletions


@@ -0,0 +1,46 @@
# -*- coding: utf-8 -*- #
# Copyright 2019 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""The super-group for the IAP CLI."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
@base.ReleaseTracks(base.ReleaseTrack.GA, base.ReleaseTrack.BETA,
base.ReleaseTrack.ALPHA)
@base.DefaultUniverseOnly
class Iap(base.Group):
"""Manage IAP policies.
Cloud Identity-Aware Proxy (Cloud IAP) controls access to your cloud
applications running on Google Cloud Platform. Cloud IAP works by
verifying user identity and context of the request to determine if a user
should be allowed to access the application.
More information on Cloud IAP can be found here:
https://cloud.google.com/iap and detailed documentation can be found here:
https://cloud.google.com/iap/docs/
"""
category = 'Identity and Security'
def Filter(self, context, args):
# TODO(b/190535352): Determine if command group works with project number
base.RequireProjectID(args)
del context, args
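Review bot: `Filter` has no docstring, so the reason every command in the IAP group goes through `base.RequireProjectID(args)` is only hinted at by the TODO above the call. A one-line docstring such as `"""Require a project ID for every command in this group."""` would make the constraint visible, and it should say whether a project number is rejected or simply untested, which the TODO leaves open. The trailing `del context, args` comes after `args` has already been used and reads like a leftover from an unused-argument template; a short comment or removing it would help.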


@@ -0,0 +1,39 @@
# -*- coding: utf-8 -*- #
# Copyright 2019 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""The super-group for the IAP CLI."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
@base.Deprecate(
is_removed=False,
warning=(
'This command is deprecated and will be non-functional after the IAP'
' OAuth Admin APIs are turned down. Jan 19, 2026: Google will'
' discontinue support for the IAP OAuth Admin APIs. New projects will'
' not be able to use these APIs. March 19, 2026: The IAP OAuth Admin'
' APIs will be permanently shut down. Access to this feature will no'
' longer be available.'))
@base.DefaultUniverseOnly
@base.ReleaseTracks(base.ReleaseTrack.ALPHA, base.ReleaseTrack.BETA,
base.ReleaseTrack.GA)
class Iap(base.Group):
"""Manage IAP OAuth brands."""
category = 'Identity and Security'
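Review bot: The module docstring `"""The super-group for the IAP CLI."""` and the class name `Iap` are copied from the top-level group, although this file defines the OAuth brands group; a docstring like `"""The command group for IAP OAuth brands."""` would match the class docstring below it. The same copied module docstring appears in the OAuth clients group, and the `Iap` class name is reused in the TCP and destination-group `__init__` sections further down. The deprecation warning gives the shutdown dates but no pointer to what operators should use instead, which is the first thing someone managing consent-screen configuration will look for.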


@@ -0,0 +1,46 @@
release_tracks: [ALPHA, BETA, GA]
help_text:
brief: |
Create a Cloud OAuth brand for the project.
description: |
*{command}* is used to create a Cloud OAuth brand for the project. The brand is 'internal only',
meaning OAuth clients created under it only accept requests from users who belong to the same
G Suite account as the project. The brand is created in unreviewed status. Your domain will not
appear on the OAuth consent screen until it is reviewed after you manually start a review
process in Google Cloud Platform Console. Note that the
'internal only' setting can be manually changed in Google Cloud Platform Console
(https://console.cloud.google.com/apis/credentials/consent). A project can only have one brand.
examples: |
To create a Cloud OAuth brand for the current project, run:
$ {command} --application_title=APPLICATION_TITLE --support_email=SUPPORT_EMAIL
To create a Cloud OAuth brand for the project PROJECT_ID, run:
$ {command} --application_title=APPLICATION_TITLE --support_email=SUPPORT_EMAIL --project=PROJECT_ID
request:
collection: iap.projects.brands
api_version: v1
arguments:
resource:
spec: !REF googlecloudsdk.command_lib.iap.resources:project
is_parent_resource: true
help_text: |
Name of the project to create a Cloud OAuth brand under.
params:
- arg_name: support_email
api_field: brand.supportEmail
required: true
help_text: |
Support email displayed on the OAuth consent screen.
- arg_name: application_title
api_field: brand.applicationTitle
required: true
help_text: |
Application name displayed on the OAuth consent screen.
output:
format: yaml


@@ -0,0 +1,26 @@
- release_tracks: [ALPHA, BETA, GA]
help_text:
brief: |
Describe a Cloud OAuth brand.
description: |
*{command}* is used to describe a Cloud OAuth brand.
examples: |
To describe a Cloud OAuth brand with name NAME, run:
$ {command} NAME
To describe a Cloud OAuth brand with name NAME inside project PROJECT_ID, run:
$ {command} NAME --project=PROJECT_ID
request:
collection: iap.projects.brands
api_version: v1
arguments:
resource:
spec: !REF googlecloudsdk.command_lib.iap.resources:brand
arg_name: name
is_positional: true
help_text: |
Name of the Cloud OAuth brand to describe.


@@ -0,0 +1,26 @@
- release_tracks: [ALPHA, BETA, GA]
help_text:
brief: |
List Cloud OAuth brands in the project.
description: |
*{command}* is used to list the Cloud OAuth brand in the project.
examples: |
To list all Cloud OAuth brands in the current project, run:
$ {command}
To list all Cloud OAuth brands in the project PROJECT_ID, run:
$ {command} --project=PROJECT_ID
request:
collection: iap.projects.brands
api_version: v1
arguments:
resource:
spec: !REF googlecloudsdk.command_lib.iap.resources:project
is_positional: true
help_text: |
Name of the project to list Cloud OAuth brands under.


@@ -0,0 +1,47 @@
# -*- coding: utf-8 -*- #
# Copyright 2020 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""The super-group for the IAP CLI."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
@base.Deprecate(
is_removed=False,
warning=(
'This command is deprecated and will be non-functional after the IAP'
' OAuth Admin APIs are turned down. Jan 19, 2026: Google will'
' discontinue support for the IAP OAuth Admin APIs. New projects will'
' not be able to use these APIs. March 19, 2026: The IAP OAuth Admin'
' APIs will be permanently shut down. Access to this feature will no'
' longer be available.'
),
)
@base.DefaultUniverseOnly
@base.ReleaseTracks(
base.ReleaseTrack.ALPHA, base.ReleaseTrack.BETA, base.ReleaseTrack.GA
)
class Iap(base.Group):
"""Manage IAP OAuth clients.
Manage OAuth clients that are used by Cloud Identity-Aware Proxy. Note this
API cannot be used as a generic management API for all OAuth clients in your
project.
"""
category = 'Identity and Security'


@@ -0,0 +1,36 @@
release_tracks: [ALPHA, BETA, GA]
help_text:
brief: |
Create a Cloud IAP OAuth client in the project.
description: |
*{command}* is used to create an OAuth client in the project to be used by Cloud IAP. To call
this command, the Cloud OAuth brand for the project must exist and be set for 'internal only'.
The new client is owned by Cloud IAP.
examples: |
To create a Cloud IAP OAuth client for the current project, run:
$ {command} BRAND --display_name=DISPLAY_NAME
To create a Cloud IAP OAuth client for the project PROJECT_ID, run:
$ {command} BRAND --display_name=DISPLAY_NAME --project=PROJECT_ID
request:
collection: iap.projects.brands.identityAwareProxyClients
api_version: v1
arguments:
resource:
spec: !REF googlecloudsdk.command_lib.iap.resources:brand
is_parent_resource: true
arg_name: brand
help_text: |
Name of the Cloud OAuth brand to create a Cloud IAP OAuth client under.
params:
- arg_name: display_name
api_field: identityAwareProxyClient.displayName
required: true
help_text: |
User friendly name for the Cloud IAP OAuth client.
output:
format: yaml
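Review bot: The description never says that the created client is returned together with its OAuth client secret, while `output: format: yaml` prints the whole response to the terminal. The message shape is not visible in this file, so this assumes the response carries the secret field; if it does, the help text should treat the output as a credential, for example `The command output includes the client secret; avoid running it where stdout is captured in shared logs or CI output.` The describe and reset-secret definitions later in this commit presumably return the same client resource and would need the same sentence.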


@@ -0,0 +1,28 @@
release_tracks: [ALPHA, BETA, GA]
help_text:
brief: |
Delete a Cloud IAP OAuth client.
description: |
*{command}* is used to delete a Cloud IAP OAuth client. Note this command cannot be used to
delete any other type of OAuth client in your project.
examples: |
To delete a Cloud IAP OAuth client named CLIENT for the current project and brand BRAND, run:
$ {command} CLIENT --brand=BRAND
To delete a Cloud IAP OAuth client named CLIENT for a specific project PROJECT_ID and brand
BRAND, run:
$ {command} CLIENT --brand=BRAND --project=PROJECT_ID
request:
collection: iap.projects.brands.identityAwareProxyClients
api_version: v1
arguments:
resource:
spec: !REF googlecloudsdk.command_lib.iap.resources:client
arg_name: name
is_positional: true
help_text: |
Name of the Cloud IAP OAuth client to delete.


@@ -0,0 +1,27 @@
release_tracks: [ALPHA, BETA, GA]
help_text:
brief: |
Describe a Cloud IAP OAuth client.
description: |
*{command}* is used to describe a Cloud IAP OAuth client. Note this command cannot be used to
describe any other type of OAuth client in your project.
examples: |
To describe a Cloud IAP OAuth client for the current project, run:
$ {command} NAME
To describe a Cloud IAP OAuth client for a specific brand, run:
$ {command} NAME --brand=BRAND
request:
collection: iap.projects.brands.identityAwareProxyClients
api_version: v1
arguments:
resource:
spec: !REF googlecloudsdk.command_lib.iap.resources:client
arg_name: name
is_positional: true
help_text: |
Name of the Cloud IAP OAuth client to describe.


@@ -0,0 +1,23 @@
- release_tracks: [ALPHA, BETA, GA]
help_text:
brief: |
List Cloud IAP OAuth clients in the Cloud OAuth brand.
description: |
*{command}* is used to list Cloud IAP OAuth clients in a Cloud OAuth brand. Note this command
will not list any other type of OAuth client in your project.
examples: |
To list the Cloud IAP OAuth clients for the current project, run:
$ {command} BRAND
request:
collection: iap.projects.brands.identityAwareProxyClients
api_version: v1
arguments:
resource:
spec: !REF googlecloudsdk.command_lib.iap.resources:brand
arg_name: name
is_positional: true
help_text: |
Name of the Cloud OAuth brand to list Cloud IAP OAuth clients under.


@@ -0,0 +1,29 @@
release_tracks: [ALPHA, BETA, GA]
command_type: GENERIC
help_text:
brief: |
Reset a Cloud IAP OAuth client secret.
description: |
*{command}* is used to reset a Cloud IAP OAuth client secret. Note this command cannot be used
to reset the secret for any other type of OAuth client in your project.
examples: |
To reset a Cloud IAP OAuth client secret, run:
$ {command} NAME
To reset a Cloud IAP OAuth client secret for a specific brand, run:
$ {command} NAME --brand=BRAND
request:
collection: iap.projects.brands.identityAwareProxyClients
api_version: v1
method: resetSecret
arguments:
resource:
spec: !REF googlecloudsdk.command_lib.iap.resources:client
arg_name: name
is_positional: true
help_text: |
Name of the Cloud IAP OAuth client whose secret will be reset.


@@ -0,0 +1,29 @@
# -*- coding: utf-8 -*- #
# Copyright 2019 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""The super-group for the IAP settings CLI."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
@base.ReleaseTracks(base.ReleaseTrack.ALPHA, base.ReleaseTrack.BETA,
base.ReleaseTrack.GA)
class Settings(base.Group):
"""Manage IAP settings."""
category = 'Identity and Security'


@@ -0,0 +1,144 @@
# -*- coding: utf-8 -*- #
# Copyright 2019 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Get IAP settings."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.iap import util as iap_util
EXAMPLES = """\
To get the IAP setting for the resources within an organization, run:
$ {command} --organization=ORGANIZATION_ID
To get the IAP setting for the resources within a folder, run:
$ {command} --folder=FOLDER_ID
To get the IAP setting for the resources within a project, run:
$ {command} --project=PROJECT_ID
To get the IAP setting for web type resources within a project, run:
$ {command} --project=PROJECT_ID --resource-type=iap_web
To get the IAP setting for all app engine services within a project, run:
$ {command} --project=PROJECT_ID --resource-type=app-engine
To get the IAP setting for an app engine service within a project, run:
$ {command} --project=PROJECT_ID --resource-type=app-engine --service=SERVICE_ID
To get the IAP setting for an app engine service version within a project, run:
$ {command} --project=PROJECT_ID --resource-type=app-engine --service=SERVICE_ID
--version=VERSION_ID
To get the IAP setting for all backend services within a project, run:
$ {command} --project=PROJECT_ID --resource-type=backend-services
To get the IAP setting for a backend service within a project, run:
$ {command} --project=PROJECT_ID --resource-type=backend-services --service=SERVICE_ID
To get the IAP setting for a regional backend service within a project, run:
$ {command} --project=PROJECT_ID --resource-type=backend-services --service=SERVICE_ID
--region=REGION_ID
To get the IAP setting for all forwarding rules within a project, run:
$ {command} --project=PROJECT_ID --resource-type=forwarding-rule
To get the IAP setting for a forwarding rule within a project, run:
$ {command} --project=PROJECT_ID --resource-type=forwarding-rule --service=SERVICE_ID
To get the IAP setting for a regional forwarding rule within a project, run:
$ {command} --project=PROJECT_ID --resource-type=forwarding-rule --service=SERVICE_ID
--region=REGION_ID
"""
NON_GA_EXAMPLES = EXAMPLES + """\
To get the IAP setting for all Cloud Run services within a region of a project, run:
$ {command} --project=PROJECT_ID --resource-type=cloud-run --region=REGION_ID
To get the IAP setting for a Cloud Run service within a project, run:
$ {command} --project=PROJECT_ID --resource-type=cloud-run --region=REGION_ID --service=SERVICE_ID
"""
@base.ReleaseTracks(base.ReleaseTrack.GA)
@base.DefaultUniverseOnly
class Get(base.Command):
"""Get the setting for an IAP resource."""
detailed_help = {
'EXAMPLES': EXAMPLES,
}
_support_cloud_run = False
@classmethod
def Args(cls, parser):
"""Register flags for this command.
Args:
parser: An argparse.ArgumentParser-like object. It is mocked out in order
to capture some information, but behaves like an ArgumentParser.
"""
iap_util.AddIapSettingArg(
parser, support_cloud_run=cls._support_cloud_run,
)
base.URI_FLAG.RemoveFromParser(parser)
def Run(self, args):
"""This is what gets called when the user runs this command.
Args:
args: an argparse namespace. All the arguments that were provided to this
command invocation.
Returns:
The IAP setting for the IAP resource.
"""
iap_setting_ref = iap_util.ParseIapSettingsResource(
self.ReleaseTrack(),
args,
self._support_cloud_run,
)
return iap_setting_ref.GetIapSetting()
@base.ReleaseTracks(base.ReleaseTrack.ALPHA, base.ReleaseTrack.BETA)
class GetBeta(Get):
"""Get the setting for an IAP resource."""
detailed_help = {
'EXAMPLES': NON_GA_EXAMPLES,
}
_support_cloud_run = True


@@ -0,0 +1,143 @@
# -*- coding: utf-8 -*- #
# Copyright 2019 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Set IAP settings."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.iap import util as iap_util
EXAMPLES = """\
To set the IAP setting for the resources within an organization, run:
$ {command} iap_settings.yaml --organization=ORGANIZATION_ID
To set the IAP setting for the resources within a folder, run:
$ {command} iap_settings.yaml --folder=FOLDER_ID
To set the IAP setting for the resources within a project, run:
$ {command} iap_settings.yaml --project=PROJECT_ID
To set the IAP setting for web type resources within a project, run:
$ {command} iap_settings.yaml --project=PROJECT_ID --resource-type=iap_web
To set the IAP setting for all app engine services within a project, run:
$ {command} iap_settings.yaml --project=PROJECT_ID --resource-type=app-engine
To set the IAP setting for an app engine service within a project, run:
$ {command} iap_settings.yaml --project=PROJECT_ID --resource-type=app-engine --service=SERVICE_ID
To set the IAP setting for an app engine service version within a project, run:
$ {command} iap_settings.yaml --project=PROJECT_ID --resource-type=app-engine --service=SERVICE_ID
--version=VERSION_ID
To set the IAP setting for all backend services within a project, run:
$ {command} iap_settings.yaml --project=PROJECT_ID --resource-type=backend-services
To set the IAP setting for a backend service within a project, run:
$ {command} iap_settings.yaml --project=PROJECT_ID --resource-type=backend-services --service=SERVICE_ID
To set the IAP setting for a region backend service within a project, run:
$ {command} iap_settings.yaml --project=PROJECT_ID --resource-type=backend-services --service=SERVICE_ID
--region=REGION_ID
To set the IAP setting for all forwarding rule within a project, run:
$ {command} iap_settings.yaml --project=PROJECT_ID --resource-type=forwarding-rule
To set the IAP setting for a forwarding rule within a project, run:
$ {command} iap_settings.yaml --project=PROJECT_ID --resource-type=forwarding-rule --service=SERVICE_ID
To set the IAP setting for a region forwarding rule within a project, run:
$ {command} iap_settings.yaml --project=PROJECT_ID --resource-type=forwarding-rule --service=SERVICE_ID
--region=REGION_ID
"""
NON_GA_EXAMPLES = EXAMPLES + """\
To set the IAP setting for the all cloud run services within a region of a project, run:
$ {command} iap_settings.yaml --project=PROJECT_ID --resource-type=cloud-run --region=REGION_ID
To set the IAP setting for a cloud run service within a project, run:
$ {command} iap_settings.yaml --project=PROJECT_ID --resource-type=cloud-run --region=REGION_ID --service=SERVICE_ID
"""
@base.ReleaseTracks(base.ReleaseTrack.GA)
@base.DefaultUniverseOnly
class Set(base.Command):
"""Set the setting for an IAP resource."""
detailed_help = {
'EXAMPLES': EXAMPLES,
}
_support_cloud_run = False
@classmethod
def Args(cls, parser):
"""Register flags for this command.
Args:
parser: An argparse.ArgumentParser-like object. It is mocked out in order
to capture some information, but behaves like an ArgumentParser.
"""
iap_util.AddIapSettingArg(
parser, support_cloud_run=cls._support_cloud_run
)
iap_util.AddIapSettingFileArg(parser)
base.URI_FLAG.RemoveFromParser(parser)
def Run(self, args):
"""This is what gets called when the user runs this command.
Args:
args: an argparse namespace. All the arguments that were provided to this
command invocation.
Returns:
The specified function with its description and configured filter
"""
iap_setting_ref = iap_util.ParseIapSettingsResource(
self.ReleaseTrack(),
args,
self._support_cloud_run,
)
return iap_setting_ref.SetIapSetting(args.setting_file)
@base.ReleaseTracks(base.ReleaseTrack.ALPHA, base.ReleaseTrack.BETA)
class SetBeta(Set):
"""Set the setting for an IAP resource."""
detailed_help = {
'EXAMPLES': NON_GA_EXAMPLES,
}
_support_cloud_run = True
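Review bot: The `Returns:` text in `Set.Run` ("The specified function with its description and configured filter") describes some other command and says nothing about IAP settings. Something like `The IAP setting returned after applying the settings file to the IAP resource.` would match the call to `SetIapSetting(args.setting_file)`, although the exact return value is defined in `iap_util`, which is not shown here. The same sentence is repeated in the `Run` docstrings of the destination-group add-iam-policy-binding, create, delete and describe commands later in this commit. The help also never states whether fields missing from `iap_settings.yaml` are cleared or left unchanged, which matters for an access-control setting and deserves one line in the class docstring.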


@@ -0,0 +1,29 @@
# -*- coding: utf-8 -*- #
# Copyright 2022 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""The super-group for the IAP TCP CLI."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
@base.ReleaseTracks(base.ReleaseTrack.ALPHA, base.ReleaseTrack.BETA,
base.ReleaseTrack.GA)
class Iap(base.Group):
"""Manage IAP TCP resources."""
category = 'Identity and Security'


@@ -0,0 +1,29 @@
# -*- coding: utf-8 -*- #
# Copyright 2022 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""The super-group for the IAP TCP DestGroup CLI."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
@base.ReleaseTracks(base.ReleaseTrack.ALPHA, base.ReleaseTrack.BETA,
base.ReleaseTrack.GA)
class Iap(base.Group):
"""Manage IAP TCP Destination Group resources."""
category = 'Identity and Security'


@@ -0,0 +1,95 @@
# -*- coding: utf-8 -*- #
# Copyright 2022 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Add IAM Policy Binding."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.iam import iam_util
from googlecloudsdk.command_lib.iap import util as iap_util
@base.ReleaseTracks(base.ReleaseTrack.ALPHA, base.ReleaseTrack.BETA,
base.ReleaseTrack.GA)
@base.DefaultUniverseOnly
class AddIamPolicyBinding(base.Command):
"""Add IAM policy binding to an IAP TCP Tunnel Destination Group resource.
Adds a policy binding to the IAM policy of an IAP TCP Tunnel Destination Group
resource. One binding consists of a member, a role, and an optional condition.
"""
detailed_help = {
'EXAMPLES':
"""\
To add an IAM policy binding for the role of
'roles/iap.tunnelResourceAccessor' for the user 'test-user@gmail.com'
in the group 'my-group' located in the region 'us-west1', run:
$ {command} --member='user:test-user@gmail.com'
--role='roles/iap.tunnelResourceAccessor'
--dest-group='my-group' --region='us-west1'
To add an IAM policy binding for the role of
'roles/iap.tunnelResourceAccessor' for all authenticated users in the
group 'my-group' located in the region 'us-west1', run:
$ {command} --member='allAuthenticatedUsers'
--role='roles/iap.tunnelResourceAccessor'
--dest-group='my-group' --region='us-west1'
To add an IAM policy binding which expires at the end of the year 2018
for the role of 'roles/iap.tunnelResourceAccessor' and the user
'test-user@gmail.com' in the group 'my-group' located in the region
'us-west1', run:
$ {command} --member='user:test-user@gmail.com'
--role='roles/iap.tunnelResourceAccessor'
--condition='expression=request.time <
timestamp("2019-01-01T00:00:00Z"),title=expires_end_of_2018,
description=Expires at midnight on 2018-12-31'
--dest-group='my-group' --region='us-west1'
See https://cloud.google.com/iam/docs/managing-policies for details of
policy role and member types.
""",
}
@staticmethod
def Args(parser):
"""Register flags for this command.
Args:
parser: An argparse.ArgumentParser-like object. It is mocked out in order
to capture some information, but behaves like an ArgumentParser.
"""
iap_util.AddAddIamPolicyBindingArgs(parser)
iap_util.AddIamDestGroupArgs(parser)
base.URI_FLAG.RemoveFromParser(parser)
def Run(self, args):
"""This is what gets called when the user runs this command.
Args:
args: an argparse namespace. All the arguments that were provided to this
command invocation.
Returns:
The specified function with its description and configured filter.
"""
condition = iam_util.ValidateAndExtractConditionMutexRole(args)
iap_iam_ref = iap_util.ParseIapDestGroupResource(self.ReleaseTrack(), args)
return iap_iam_ref.AddIamPolicyBinding(args.member, args.role, condition)
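Review bot: The second example in `detailed_help` grants `roles/iap.tunnelResourceAccessor` to `allAuthenticatedUsers` with no caveat, so the help presents a binding for every signed-in Google account as an ordinary choice for a TCP tunnel destination group. I would replace it with a scoped principal, e.g. `--member='group:tunnel-users@example.com'` (constructed address), or keep it and add a sentence stating how broad that member is. The conditional example still describes a binding that expires at the end of 2018; a placeholder timestamp would age better and would not invite copy-pasting an already-expired condition.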


@@ -0,0 +1,82 @@
# -*- coding: utf-8 -*- #
# Copyright 2022 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Create IAP TCP Destination Group."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.iap import util as iap_util
@base.ReleaseTracks(base.ReleaseTrack.ALPHA, base.ReleaseTrack.BETA,
base.ReleaseTrack.GA)
class Create(base.Command):
"""Create the IAP TCP Destination Group resource."""
detailed_help = {
'EXAMPLES':
"""\
To create a DestGroup with name ``GROUP_NAME'', in region ``REGION''
in the current project run:
$ {command} GROUP_NAME --region=REGION
To create a DestGroup with name ``GROUP_NAME'', in region ``REGION''
with ip ranges ``CIDR1'', ``CIDR2'' in the current project run:
$ {command} GROUP_NAME --region=REGION --ip-range-list=CIDR1,CIDR2
To create a DestGroup with name ``GROUP_NAME'', in region ``REGION''
with fqdns ``FQDN1'', ``FQDN2'' in the current project run:
$ {command} GROUP_NAME --region=REGION --fqdn-list=FQDN1,FQDN2
To create a DestGroup with name ``GROUP_NAME'', in region ``REGION''
with fqdns ``FQDN1'', ``FQDN2'' and ip ranges ``CIDR1'',``CIDR2'' in
the project ``PROJECT_ID'' run:
$ {command} GROUP_NAME --region=REGION --fqdn-list=FQDN1,FQDN2
--ip-range-list=CIDR1,CIDR2 --project=PROJECT_ID
GROUP_NAME can only contain lower-case letters (a-z) and dashes (-).
""",
}
@staticmethod
def Args(parser):
"""Registers flags for this command.
Args:
parser: An argparse.ArgumentParser-like object. It is mocked out in order
to capture some information, but behaves like an ArgumentParser.
"""
iap_util.AddDestGroupArgs(parser)
iap_util.AddDestGroupCreateIpAndFqdnArgs(parser)
base.URI_FLAG.RemoveFromParser(parser)
def Run(self, args):
"""This is what gets called when the user runs this command.
Args:
args: an argparse namespace. All the arguments that were provided to this
command invocation.
Returns:
The specified function with its description and configured filter
"""
iap_setting_ref = iap_util.ParseIapDestGroupResource(
self.ReleaseTrack(), args)
return iap_setting_ref.Create(args.ip_range_list, args.fqdn_list)


@@ -0,0 +1,67 @@
# -*- coding: utf-8 -*- #
# Copyright 2022 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Create IAP TCP Destination Group."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.iap import util as iap_util
@base.ReleaseTracks(base.ReleaseTrack.ALPHA, base.ReleaseTrack.BETA,
base.ReleaseTrack.GA)
class Delete(base.Command):
"""Delete the IAP TCP Destination Group resource."""
detailed_help = {
'EXAMPLES':
"""\
To delete a DestGroup with name ``GROUP_NAME'', in region ``REGION''
in the current project run:
$ {command} DEST_GROUP_NAME --region=REGION
To delete a DestGroup with name ``GROUP_NAME'', in region ``REGION''
in the project ``PROJECT_ID'' run:
$ {command} DEST_GROUP_NAME --region=REGION --project=PROJECT_ID
""",
}
@staticmethod
def Args(parser):
"""Register flags for this command.
Args:
parser: An argparse.ArgumentParser-like object. It is mocked out in order
to capture some information, but behaves like an ArgumentParser.
"""
iap_util.AddDestGroupArgs(parser)
base.URI_FLAG.RemoveFromParser(parser)
def Run(self, args):
"""This is what gets called when the user runs this command.
Args:
args: an argparse namespace. All the arguments that were provided to this
command invocation.
Returns:
The specified function with its description and configured filter
"""
iap_setting_ref = iap_util.ParseIapDestGroupResource(
self.ReleaseTrack(), args)
return iap_setting_ref.Delete()
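Review bot: The module docstring of this file is `"""Create IAP TCP Destination Group."""` although the class is `Delete`; it should read `"""Delete IAP TCP Destination Group."""`, and the describe command that follows carries the same copied line. The examples name the group ``GROUP_NAME'' in the sentence but `DEST_GROUP_NAME` in the command line, so one placeholder should be chosen. Nothing visible in `Run` asks for confirmation before `iap_setting_ref.Delete()`; if the helper in `iap_util` does not prompt either, the class docstring should say that removing a destination group takes effect immediately for the IAM bindings attached to it.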


@@ -0,0 +1,67 @@
# -*- coding: utf-8 -*- #
# Copyright 2022 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Create IAP TCP Destination Group."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.iap import util as iap_util
@base.ReleaseTracks(base.ReleaseTrack.ALPHA, base.ReleaseTrack.BETA,
base.ReleaseTrack.GA)
class Describe(base.Command):
"""Describe the IAP TCP Destination Group resource."""
detailed_help = {
'EXAMPLES':
"""\
To get a DestGroup with name ``GROUP_NAME'', in region ``REGION'' in the
current project run:
$ {command} DEST_GROUP_NAME --region=REGION
To get a DestGroup with name ``GROUP_NAME'', in region ``REGION'' in the
project ``PROJECT'' run:
$ {command} DEST_GROUP_NAME --region=REGION --project=PROJECT
""",
}
@staticmethod
def Args(parser):
"""Register flags for this command.
Args:
parser: An argparse.ArgumentParser-like object. It is mocked out in order
to capture some information, but behaves like an ArgumentParser.
"""
iap_util.AddDestGroupArgs(parser)
def Run(self, args):
"""This is what gets called when the user runs this command.
Args:
args: an argparse namespace. All the arguments that were provided to this
command invocation.
Returns:
The specified function with its description and configured filter
"""
iap_setting_ref = iap_util.ParseIapDestGroupResource(
self.ReleaseTrack(), args)
return iap_setting_ref.Get()
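Review bot: The module docstring at the top of this file reads `"""Create IAP TCP Destination Group."""` although the file defines the `Describe` command; it should read `"""Describe IAP TCP Destination Group."""`. The same copied docstring opens the List and Update files later in this commit, and the Delete file just above, so each should name its own operation. The `Returns:` text in `Run` (`The specified function with its description and configured filter`) also looks copied from an unrelated command; something like `The requested destination group resource.` would fit, assuming that is what `Get()` returns.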


@@ -0,0 +1,78 @@
# -*- coding: utf-8 -*- #
# Copyright 2022 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Get IAM Policy."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.iap import util as iap_util
@base.ReleaseTracks(base.ReleaseTrack.ALPHA, base.ReleaseTrack.BETA,
base.ReleaseTrack.GA)
class GetIamPolicy(base.ListCommand):
"""Get IAM policy for an IAP TCP Destination Group resource.
*{command}* displays the IAM policy associated with an IAP TCP Destination
Group resource. If formatted as JSON, the output can be edited and used as a
policy file for set-iam-policy. The output includes an "etag" field
identifying the version emitted and allowing detection of concurrent policy
updates; see
$ {parent_command} set-iam-policy for additional details.
"""
detailed_help = {
'EXAMPLES':
"""\
To get the IAM policy for the TCP Destination Group resource with name
'my-group' and located in the region 'us-west1' within the active
project, run:
$ {command} --dest-group='my-group' --region='us-west1'
To get the IAM policy for the TCP Destination Group resource with name
'my-group' and located in the region 'us-west1' within project
'project', run:
$ {command} --dest-group='my-group' --region='us-west1'
--project='project'
""",
}
@staticmethod
def Args(parser):
"""Register flags for this command.
Args:
parser: An argparse.ArgumentParser-like object. It is mocked out in order
to capture some information, but behaves like an ArgumentParser.
"""
iap_util.AddIamDestGroupArgs(parser)
base.URI_FLAG.RemoveFromParser(parser)
def Run(self, args):
"""This is what gets called when the user runs this command.
Args:
args: an argparse namespace. All the arguments that were provided to this
command invocation.
Returns:
The specified function with its description and configured filter.
"""
iap_iam_ref = iap_util.ParseIapDestGroupResource(self.ReleaseTrack(), args)
return iap_iam_ref.GetIamPolicy()


@@ -0,0 +1,99 @@
# -*- coding: utf-8 -*- #
# Copyright 2022 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Create IAP TCP Destination Group."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.iap import util as iap_util
@base.ReleaseTracks(base.ReleaseTrack.ALPHA, base.ReleaseTrack.BETA,
base.ReleaseTrack.GA)
class List(base.ListCommand):
"""Lists the IAP TCP Destination Group resource."""
detailed_help = {
'EXAMPLES':
"""\
To list all Destination Groups in the current project run:
$ {command}
To list all Destination Groups in region ``REGION'' in the current
project run:
$ {command} --region=REGION
To limit the results returned by the server to be at most ``PAGE_SIZE'',
run:
$ {command} --page-size=PAGE_SIZE
To list at most `5` Destination Groups sorted alphabetically by project
ID, run:
$ {command} --sort-by=projectId --limit=5
To list all Destination Groups in the project ``PROJECT'' run:
$ {command} --project=PROJECT
To list all Destination Groups that have cidr ``CIDR'' run:
$ {command} --filter="cidrs=CIDR"
To list all Destination Groups that have FQDN ``FQDN'' run:
$ {command} --filter="fqdns=FQDN"
To list all Destination Groups that have name ``NAME'' run:
$ {command} --filter="name=NAME"
""",
}
@staticmethod
def Args(parser):
"""Registers flags for this command.
Args:
parser: An argparse.ArgumentParser-like object. It is mocked out in order
to capture some information, but behaves like an ArgumentParser.
"""
iap_util.AddDestGroupListRegionArgs(parser)
# Remove unsupported default List flags.
base.URI_FLAG.RemoveFromParser(parser)
def Run(self, args):
"""This is what gets called when the user runs this command.
Args:
args: An argparse namespace. All the arguments that were provided to this
command invocation.
Returns:
The specified function with its description and configured filter
"""
iap_setting_ref = iap_util.ParseIapDestGroupResourceWithNoGroupId(
self.ReleaseTrack(), args)
results_to_yield = iap_setting_ref.List(args.page_size, args.limit)
# The List method will return a generator to yield the next values. If we
# return it directly, it will work with gcloud but the Displayer class in
# calliope won't be able to apply any filters to it.
# So we will make it a litst first before returning.
return list(results_to_yield)
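Review bot: The comment above the final `return list(results_to_yield)` in `Run` contains a typo, `litst`; it should read `# So we will make it a list first before returning.`. Because the call materialises every result in memory, the comment could also state plainly that streaming is given up here so that client-side `--filter` keeps working, which is the reason the surrounding lines give.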


@@ -0,0 +1,100 @@
# -*- coding: utf-8 -*- #
# Copyright 2022 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Remove IAM Policy Binding."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.iam import iam_util
from googlecloudsdk.command_lib.iap import util as iap_util
@base.ReleaseTracks(base.ReleaseTrack.ALPHA, base.ReleaseTrack.BETA,
base.ReleaseTrack.GA)
class RemoveIamPolicyBinding(base.Command):
"""Remove IAM policy binding from an IAP TCP Destination Group resource.
Removes a policy binding from the IAM policy of an IAP TCP Destination Group
resource. One binding consists of a member, a role and an optional condition.
"""
detailed_help = {
'EXAMPLES':
"""\
To remove an IAM policy binding for the role of
'roles/iap.tunnelResourceAccessor' for the user 'test-user@gmail.com'
in the group 'my-group' located in the region 'us-west1', run:
$ {command} --member='user:test-user@gmail.com'
--role='roles/iap.tunnelResourceAccessor' --dest-group='my-group'
--region='us-west1'
To remove an IAM policy binding for the role of
'roles/iap.tunnelResourceAccessor' from all authenticated users in the
group 'my-group' located in the region 'us-west1', run:
$ {command} --member='allAuthenticatedUsers'
--role='roles/iap.tunnelResourceAccessor' --dest-group='my-group'
--region='us-west1'
To remove an IAM policy binding which expires at the end of the year
2018 for the role of 'roles/iap.tunnelResourceAccessor' for the user
'test-user@gmail.com' in the group 'my-group' located in the region
'us-west1', run:
$ {command} --member='user:test-user@gmail.com'
--role='roles/iap.tunnelResourceAccessor'
--condition='expression=request.time < timestamp("2019-01-01T00:00:00Z"),title=expires_end_of_2018, description=Expires at midnight on 2018-12-31'
--dest-group='my-group' --region='us-west1'
To remove all IAM policy bindings regardless of the condition for the
role of 'roles/iap.tunnelResourceAccessor' and for the user
'test-user@gmail.com' in the group 'my-group' located in the region
'us-west1', run:
$ {command} --member='user:test-user@gmail.com'
--role='roles/iap.tunnelResourceAccessor' --dest-group='my-group'
--region='us-west1'
See https://cloud.google.com/iam/docs/managing-policies for details of
policy role and member types.
""",
}
@staticmethod
def Args(parser):
"""Registers flags for this command.
Args:
parser: An argparse.ArgumentParser-like object. It is mocked out in order
to capture some information, but behaves like an ArgumentParser.
"""
iap_util.AddRemoveIamPolicyBindingArgs(parser)
iap_util.AddIamDestGroupArgs(parser)
base.URI_FLAG.RemoveFromParser(parser)
def Run(self, args):
"""Handles the execution when users run this command.
Args:
args: An argparse namespace. All the arguments that were provided to this
command invocation.
"""
condition = iam_util.ValidateAndExtractCondition(args)
iap_iam_ref = iap_util.ParseIapDestGroupResource(self.ReleaseTrack(), args)
iap_iam_ref.RemoveIamPolicyBinding(args.member, args.role, condition,
args.all)
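Review bot: The last example in `detailed_help` ("To remove all IAM policy bindings regardless of the condition") repeats the command line of the first example and never passes `--all`, although `Run` forwards `args.all` to `RemoveIamPolicyBinding`. Someone copying it to revoke access would, as far as this file shows, not request removal across conditions, so conditional grants they meant to revoke could stay in place. The example's last line should end with the flag: `--dest-group='my-group' --region='us-west1' --all`. The flag itself is registered in `iap_util.AddRemoveIamPolicyBindingArgs`, outside this file, so its exact behaviour should be confirmed there.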


@@ -0,0 +1,80 @@
# -*- coding: utf-8 -*- #
# Copyright 2022 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Set IAM Policy."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.iap import util as iap_util
@base.ReleaseTracks(base.ReleaseTrack.ALPHA, base.ReleaseTrack.BETA,
base.ReleaseTrack.GA)
class SetIamPolicy(base.Command):
"""Set the IAM policy for an IAP TCP Destination Group resource.
This command replaces the existing IAM policy for an IAP TCP Destination Group
resource, given a file encoded in JSON or YAML that contains the IAM policy.
If the given policy file specifies an "etag" value, then the replacement will
succeed only if the policy already in place matches that etag. (An etag
obtained via $ {parent_command} get-iam-policy will prevent the replacement if
the policy for the resource has been subsequently updated.) A policy file that
does not contain an etag value will replace any existing policy for the
resource.
"""
detailed_help = {
'EXAMPLES':
"""\
To set the IAM policy for the TCP Destination Group resource within
the active project in the group 'my-group' located in the region
'us-west1', run:
$ {command} POLICY_FILE --dest-group=='my-group' --region='us-west1'
To set the IAM policy for the TCP Destination Group resource within
project PROJECT_ID in the group 'my-group' located in the region
'us-west1', run:
$ {command} POLICY_FILE --project=PROJECT_ID --dest-group=='my-group'
--region='us-west1'
""",
}
@staticmethod
def Args(parser):
"""Register flags for this command.
Args:
parser: An argparse.ArgumentParser-like object. It is mocked out in order
to capture some information, but behaves like an ArgumentParser.
"""
iap_util.AddIAMPolicyFileArg(parser)
iap_util.AddIamDestGroupArgs(parser)
base.URI_FLAG.RemoveFromParser(parser)
def Run(self, args):
"""This is what gets called when the user runs this command.
Args:
args: an argparse namespace. All the arguments that were provided to this
command invocation.
Returns:
The specified function with its description and configured filter.
"""
iap_iam_ref = iap_util.ParseIapDestGroupResource(self.ReleaseTrack(), args)
return iap_iam_ref.SetIamPolicy(args.policy_file)
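Review bot: Both examples in `detailed_help` pass `--dest-group=='my-group'` with a doubled `=`, which would make the flag value begin with a literal `=` instead of naming `my-group`. This command replaces the whole IAM policy of the target, so its examples should be safe to copy: `$ {command} POLICY_FILE --dest-group='my-group' --region='us-west1'`, with the same correction in the `--project=PROJECT_ID` example.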


@@ -0,0 +1,98 @@
# -*- coding: utf-8 -*- #
# Copyright 2022 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Create IAP TCP Destination Group."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.iap import util as iap_util
@base.ReleaseTracks(base.ReleaseTrack.ALPHA, base.ReleaseTrack.BETA,
base.ReleaseTrack.GA)
class Update(base.Command):
"""Update the IAP TCP Destination Group resource."""
detailed_help = {
"EXAMPLES":
"""\
To update a DestGroup with name ``GROUP_NAME'', in region ``REGION''
with ip ranges ``CIDR1'', ``CIDR2'' in the current project run:
$ {command} DEST_GROUP_NAME --region=REGION --ip-range-list=CIDR1,CIDR2
To update a DestGroup with name ``GROUP_NAME'', in region ``REGION''
with fqdns ``FQDN1'', ``FQDN2'' in the current project run:
$ {command} DEST_GROUP_NAME --region=REGION --fqdn-list=FQDN1,FQDN2
To update a DestGroup with name ``GROUP_NAME'', in region ``REGION''
with fqdns ``FQDN1'', ``FQDN2'' and ip ranges ``CIDR1'', ``CIDR2'' in
the project ``PROJECT_ID'' run:
$ {command} DEST_GROUP_NAME --region=REGION --fqdn-list=FQDN1,FQDN2
--ip-range-list=CIDR1,CIDR2 --project=PROJECT_ID
To clear the fqdn list in a DestGroup with name ``GROUP_NAME'', in
region ``REGION'' in the current project run:
$ {command} DEST_GROUP_NAME --region=REGION --fqdn-list=""
To clear the ip range list in a DestGroup with name ``GROUP_NAME'', in
region ``REGION'' in the current project run:
$ {command} DEST_GROUP_NAME --region=REGION --ip-range-list=""
""",
}
@staticmethod
def Args(parser):
"""Registers flags for this command.
Args:
parser: An argparse.ArgumentParser-like object. It is mocked out in order
to capture some information, but behaves like an ArgumentParser.
"""
iap_util.AddDestGroupArgs(parser)
iap_util.AddDestGroupUpdateIpAndFqdnArgs(parser)
def Run(self, args):
"""This is what gets called when the user runs this command.
Args:
args: an argparse namespace. All the arguments that were provided to this
command invocation.
Returns:
The specified function with its description and configured filter
Raises:
ValueError: If both ip-range-list and fqdn-list are not provided
"""
iap_setting_ref = iap_util.ParseIapDestGroupResource(
self.ReleaseTrack(), args)
update_mask = ""
if args.IsSpecified("ip_range_list") and args.IsSpecified("fqdn_list"):
update_mask = "*"
elif args.IsSpecified("ip_range_list"):
update_mask = "cidrs"
elif args.IsSpecified("fqdn_list"):
update_mask = "fqdns"
else:
raise ValueError(
"The flags --fqdn-list or --ip-range-list must be provided.")
return iap_setting_ref.Update(args.ip_range_list, args.fqdn_list,
update_mask)
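Review bot: The `else` branch at the end of `Run` raises a bare `ValueError` for what is a user input error (neither `--fqdn-list` nor `--ip-range-list` given). A calliope exception would report it as a usage problem rather than an internal failure, for example `raise calliope_exceptions.OneOfArgumentsRequiredException(['--fqdn-list', '--ip-range-list'], 'At least one of these flags must be provided.')`, with `from googlecloudsdk.calliope import exceptions as calliope_exceptions` added to the imports. The `Raises:` text is also ambiguous ("If both ... are not provided"); `If neither --ip-range-list nor --fqdn-list is provided.` says what the code checks.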


@@ -0,0 +1,40 @@
# -*- coding: utf-8 -*- #
# Copyright 2019 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""The super-group for the IAP web CLI."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
@base.ReleaseTracks(base.ReleaseTrack.GA, base.ReleaseTrack.BETA,
base.ReleaseTrack.ALPHA)
class Web(base.Group):
"""Manage IAP web policies.
Cloud Identity-Aware Proxy (Cloud IAP) controls access to your cloud
applications running on Google Cloud Platform. Cloud IAP works by
verifying user identity and context of the request to determine if a user
should be allowed to access the application.
More information on Cloud IAP can be found here:
https://cloud.google.com/iap and detailed documentation can be found here:
https://cloud.google.com/iap/docs/
"""
category = 'Identity and Security'


@@ -0,0 +1,124 @@
# -*- coding: utf-8 -*- #
# Copyright 2019 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Add IAM Policy Binding."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.iam import iam_util
from googlecloudsdk.command_lib.iap import util as iap_util
@base.ReleaseTracks(base.ReleaseTrack.GA)
@base.DefaultUniverseOnly
class AddIamPolicyBinding(base.Command):
"""Add IAM policy binding to an IAP IAM resource.
Adds a policy binding to the IAM policy of an IAP IAM resource. One binding
consists of a member, a role, and an optional condition.
See $ {parent_command} get-iam-policy for examples of how to specify an IAP
IAM resource.
"""
detailed_help = {
'EXAMPLES':
"""\
See $ {parent_command} get-iam-policy for examples of how to specify
an IAP IAM resource.
To add an IAM policy binding for the role of 'roles/editor' for the
user 'test-user@gmail.com' on IAP IAM resource IAP_IAM_RESOURCE,
run:
$ {command} --resource-type=IAP_IAM_RESOURCE --member='user:test-user@gmail.com'
--role='roles/editor'
To add an IAM policy binding for the role of 'roles/editor' for the
user 'test-user@gmail.com' on regional IAP IAM resource
IAP_IAM_RESOURCE, run:
$ {command} --resource-type=IAP_IAM_RESOURCE --member='user:test-user@gmail.com'
--role='roles/editor' --region=REGION
To add an IAM policy binding for the role of 'roles/editor' for all
authenticated users on IAP IAM resource IAP_IAM_RESOURCE,
run:
$ {command} --resource-type=IAP_IAM_RESOURCE --member='allAuthenticatedUsers'
--role='roles/editor'
To add an IAM policy binding which expires at the end of the year 2018
for the role of 'roles/browser' and the user 'test-user@gmail.com' on
IAP IAM resource IAP_IAM_RESOURCE, run:
$ {command} --resource-type=IAP_IAM_RESOURCE --member='user:test-user@gmail.com'
--role='roles/browser' --condition='expression=request.time <
timestamp("2019-01-01T00:00:00Z"),title=expires_end_of_2018,
description=Expires at midnight on 2018-12-31'
See https://cloud.google.com/iam/docs/managing-policies for details of
policy role and member types.
""",
}
_support_cloud_run = False
@classmethod
def Args(cls, parser):
"""Register flags for this command.
Args:
parser: An argparse.ArgumentParser-like object. It is mocked out in order
to capture some information, but behaves like an ArgumentParser.
"""
iap_util.AddIapIamResourceArgs(
parser,
support_cloud_run=cls._support_cloud_run,
)
iap_util.AddAddIamPolicyBindingArgs(parser)
base.URI_FLAG.RemoveFromParser(parser)
def Run(self, args):
"""This is what gets called when the user runs this command.
Args:
args: an argparse namespace. All the arguments that were provided to this
command invocation.
Returns:
The specified function with its description and configured filter.
"""
condition = iam_util.ValidateAndExtractConditionMutexRole(args)
iap_iam_ref = iap_util.ParseIapIamResource(
self.ReleaseTrack(),
args,
self._support_cloud_run,
)
return iap_iam_ref.AddIamPolicyBinding(args.member, args.role, condition)
@base.ReleaseTracks(base.ReleaseTrack.ALPHA, base.ReleaseTrack.BETA)
class AddIamPolicyBindingAlpha(AddIamPolicyBinding):
"""Add IAM policy binding to an IAP IAM resource.
Adds a policy binding to the IAM policy of an IAP IAM resource. One binding
consists of a member, a role, and an optional condition.
See $ {parent_command} get-iam-policy for examples of how to specify an IAP
IAM resource.
"""
_support_cloud_run = True
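Review bot: The examples in `detailed_help` grant `roles/editor`, in one case to `allAuthenticatedUsers`, on an IAP IAM resource. Help text is copied verbatim, and a broad basic role bound to every signed-in Google account is a poor template for an access-control command. The destination-group commands in this same commit already use the IAP-specific `roles/iap.tunnelResourceAccessor`. I would switch these examples to the web counterpart, e.g. `--member='user:test-user@gmail.com' --role='roles/iap.httpsResourceAccessor'`, and add one sentence stating that `allAuthenticatedUsers` matches any Google account, not only members of the organisation.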


@@ -0,0 +1,76 @@
# -*- coding: utf-8 -*- #
# Copyright 2019 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Disable Identity-Aware Proxy."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.iap import util as iap_util
@base.ReleaseTracks(
base.ReleaseTrack.ALPHA, base.ReleaseTrack.BETA, base.ReleaseTrack.GA
)
@base.DefaultUniverseOnly
class Disable(base.Command):
"""Disable Cloud Identity-Aware Proxy (Cloud IAP) on an IAP resource.
This command disables Cloud Identity-Aware Proxy on an IAP resource. Disabling
IAP does not clear the OAuth 2.0 credentials.
"""
detailed_help = {
'EXAMPLES':
"""\
To disable IAP on an App Engine application, run:
$ {command} --resource-type=app-engine
To disable IAP on a global backend service, run:
$ {command} --resource-type=backend-services --service=SERVICE_ID
To disable IAP on a region backend service, run:
$ {command} --resource-type=backend-services --service=SERVICE_ID
--region=REGION
""",
}
@classmethod
def Args(cls, parser):
"""Register flags for this command.
Args:
parser: An argparse.ArgumentParser-like object. It is mocked out in order
to capture some information, but behaves like an ArgumentParser.
"""
iap_util.AddIapResourceArgs(parser)
base.URI_FLAG.RemoveFromParser(parser)
def Run(self, args):
"""This is what gets called when the user runs this command.
Args:
args: an argparse namespace. All the arguments that were provided to this
command invocation.
Returns:
The specified function with its description and configured filter.
"""
iap_ref = iap_util.ParseIapResource(self.ReleaseTrack(), args)
return iap_ref.Disable()
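Review bot: The class docstring of `Disable` says only that the OAuth 2.0 credentials are kept; it does not say what disabling means for access control, and `Run` calls `iap_ref.Disable()` with no confirmation step visible in this file. I would add a sentence such as `Once disabled, requests to the resource are no longer authenticated or authorized by IAP; make sure another access control is in place first.` If `Disable()` in `iap_util` does not already prompt, a `console_io.PromptContinue` before the call is worth considering; that helper is outside this file, so this needs checking there.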


@@ -0,0 +1,82 @@
# -*- coding: utf-8 -*- #
# Copyright 2019 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Enable Identity-Aware Proxy."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.iap import util as iap_util
@base.ReleaseTracks(
base.ReleaseTrack.ALPHA, base.ReleaseTrack.BETA, base.ReleaseTrack.GA
)
@base.DefaultUniverseOnly
class Enable(base.Command):
"""Enable Cloud Identity-Aware Proxy (Cloud IAP) on an IAP resource.
This command enables Cloud Identity-Aware Proxy on an IAP resource. OAuth 2.0
credentials must be set, or must have been previously set, to enable IAP.
"""
detailed_help = {
'EXAMPLES':
"""\
To enable IAP on an App Engine application, run:
$ {command} --resource-type=app-engine
--oauth2-client-id=CLIENT_ID --oauth2-client-secret=SECRET
To enable IAP on a global backend service, run:
$ {command} --resource-type=backend-services
--oauth2-client-id=CLIENT_ID --oauth2-client-secret=SECRET
--service=SERVICE_ID
To enable IAP on a region backend service, run:
$ {command} --resource-type=backend-services
--oauth2-client-id=CLIENT_ID --oauth2-client-secret=SECRET
--service=SERVICE_ID --region=REGION
""",
}
@classmethod
def Args(cls, parser):
"""Register flags for this command.
Args:
parser: An argparse.ArgumentParser-like object. It is mocked out in order
to capture some information, but behaves like an ArgumentParser.
"""
iap_util.AddIapResourceArgs(parser)
iap_util.AddOauthClientArgs(parser)
base.URI_FLAG.RemoveFromParser(parser)
def Run(self, args):
"""This is what gets called when the user runs this command.
Args:
args: an argparse namespace. All the arguments that were provided to this
command invocation.
Returns:
The specified function with its description and configured filter.
"""
iap_ref = iap_util.ParseIapResource(self.ReleaseTrack(), args)
return iap_ref.Enable(args.oauth2_client_id, args.oauth2_client_secret)
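Review bot: Every example in `detailed_help` passes `--oauth2-client-secret=SECRET` inline, and `Run` reads it from `args.oauth2_client_secret`, so the documented usage places the OAuth client secret in shell history and in the process argument list. The flag is defined in `iap_util.AddOauthClientArgs`, outside this file, so whether a file-based or prompted alternative exists cannot be seen from here. At minimum the class docstring should carry a caution, for example `The client secret is passed as a command-line argument; avoid entering it literally on shared hosts or in CI logs.` If no other input path exists, adding one in `iap_util` would be the better fix.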


@@ -0,0 +1,132 @@
# -*- coding: utf-8 -*- #
# Copyright 2019 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Get IAM Policy."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.iap import util as iap_util
@base.ReleaseTracks(base.ReleaseTrack.GA)
@base.DefaultUniverseOnly
class GetIamPolicy(base.ListCommand):
"""Get IAM policy for an IAP IAM resource.
*{command}* displays the IAM policy associated with an IAP IAM
resource. If formatted as JSON, the output can be edited and used as a policy
file for set-iam-policy. The output includes an "etag" field
identifying the version emitted and allowing detection of
concurrent policy updates; see
$ {parent_command} set-iam-policy for additional details.
"""
detailed_help = {
'EXAMPLES':
"""\
To get the IAM policy for the web accesses to the IAP protected
resources within the active project,
run:
$ {command}
To get the IAM policy for the web accesses to the IAP protected
resources within a project, run:
$ {command} --project=PROJECT_ID
To get the IAM policy for the web accesses to the IAP protected
resources within an App Engine application, run:
$ {command} --resource-type=app-engine
To get the IAM policy for the web accesses to the IAP protected
resources within an App Engine service, run:
$ {command} --resource-type=app-engine --service=SERVICE_ID
To get the IAM policy for the web accesses to the IAP protected
resources within an App Engine service version, run:
$ {command} --resource-type=app-engine --service=SERVICE_ID
--version=VERSION
To get the IAM policy for the web accesses to the IAP protected
resources within all backend services, run:
$ {command} --resource-type=backend-services
To get the IAM policy for the web accesses to the IAP protected
resources within a backend service, run:
$ {command} --resource-type=backend-services --service=SERVICE_ID
To get the IAM policy for the web accesses to the IAP protected
resources within a regional backend service, run:
$ {command} --resource-type=backend-services --service=SERVICE_ID
--region=REGION
""",
}
_support_cloud_run = False
@classmethod
def Args(cls, parser):
"""Register flags for this command.
Args:
parser: An argparse.ArgumentParser-like object. It is mocked out in order
to capture some information, but behaves like an ArgumentParser.
"""
iap_util.AddIapIamResourceArgs(
parser,
support_cloud_run=cls._support_cloud_run,
)
base.URI_FLAG.RemoveFromParser(parser)
def Run(self, args):
"""This is what gets called when the user runs this command.
Args:
args: an argparse namespace. All the arguments that were provided to this
command invocation.
Returns:
The specified function with its description and configured filter.
"""
iap_iam_ref = iap_util.ParseIapIamResource(
self.ReleaseTrack(),
args,
self._support_cloud_run)
return iap_iam_ref.GetIamPolicy()
@base.ReleaseTracks(base.ReleaseTrack.ALPHA, base.ReleaseTrack.BETA)
class GetIamPolicyAlpha(GetIamPolicy):
"""Get IAM policy for an IAP IAM resource.
*{command}* displays the IAM policy associated with an IAP IAM
resource. If formatted as JSON, the output can be edited and used as a policy
file for set-iam-policy. The output includes an "etag" field
identifying the version emitted and allowing detection of
concurrent policy updates; see
$ {parent_command} set-iam-policy for additional details.
"""
_support_cloud_run = True


@@ -0,0 +1,133 @@
# -*- coding: utf-8 -*- #
# Copyright 2019 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Remove IAM Policy Binding."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.iam import iam_util
from googlecloudsdk.command_lib.iap import util as iap_util
@base.ReleaseTracks(base.ReleaseTrack.GA)
@base.DefaultUniverseOnly
class RemoveIamPolicyBinding(base.Command):
"""Remove IAM policy binding from an IAP IAM resource.
Removes a policy binding from the IAM policy of an IAP IAM resource. One
binding consists of a member, a role and an optional condition.
See $ {parent_command} get-iam-policy for examples of how to
specify an IAP IAM resource.
"""
detailed_help = {
'EXAMPLES':
"""\
See $ {parent_command} get-iam-policy for examples of how to specify
an IAP IAM resource.
To remove an IAM policy binding for the role of 'roles/editor' for the
user 'test-user@gmail.com' on IAP IAM resource IAP_IAM_RESOURCE, run:
$ {command} --resource-type=IAP_IAM_RESOURCE --member='user:test-user@gmail.com'
--role='roles/editor'
To remove an IAM policy binding for the role of 'roles/editor' for the
user 'test-user@gmail.com' on regional IAP IAM resource
IAP_IAM_RESOURCE, run:
$ {command} --resource-type=IAP_IAM_RESOURCE --member='user:test-user@gmail.com'
--role='roles/editor' --region=REGION
To remove an IAM policy binding for the role of 'roles/editor' from
all authenticated users on IAP IAM resource IAP_IAM_RESOURCE,run:
$ {command} --resource-type=IAP_IAM_RESOURCE --member='allAuthenticatedUsers'
--role='roles/editor'
To remove an IAM policy binding with a condition of
expression='request.time < timestamp("2019-01-01T00:00:00Z")',
title='expires_end_of_2018', and description='Expires at midnight on
2018-12-31' for the role of 'roles/browser' for the user
'test-user@gmail.com' on IAP IAM resource IAP_IAM_RESOURCE,
run:
$ {command} --resource-type=IAP_IAM_RESOURCE --member='user:test-user@gmail.com'
--role='roles/browser' --condition='expression=request.time <
timestamp("2019-01-01T00:00:00Z"),title=expires_end_of_2018,
description=Expires at midnight on 2018-12-31'
To remove all IAM policy bindings regardless of the condition for the
role of 'roles/browser' and for the user 'test-user@gmail.com' on IAP
IAM resource IAP_IAM_RESOURCE, run:
$ {command} --resource-type=IAP_IAM_RESOURCE --member='user:test-user@gmail.com'
--role='roles/browser' --all
See https://cloud.google.com/iam/docs/managing-policies for details of
policy role and member types.
""",
}
_support_cloud_run = False
@classmethod
def Args(cls, parser):
"""Register flags for this command.
Args:
parser: An argparse.ArgumentParser-like object. It is mocked out in order
to capture some information, but behaves like an ArgumentParser.
"""
iap_util.AddIapIamResourceArgs(
parser,
support_cloud_run=cls._support_cloud_run,
)
iap_util.AddRemoveIamPolicyBindingArgs(parser)
base.URI_FLAG.RemoveFromParser(parser)
def Run(self, args):
"""This is what gets called when the user runs this command.
Args:
args: an argparse namespace. All the arguments that were provided to this
command invocation.
Returns:
The specified function with its description and configured filter.
"""
condition = iam_util.ValidateAndExtractCondition(args)
iap_iam_ref = iap_util.ParseIapIamResource(
self.ReleaseTrack(),
args,
self._support_cloud_run,
)
return iap_iam_ref.RemoveIamPolicyBinding(args.member, args.role, condition,
args.all)
@base.ReleaseTracks(base.ReleaseTrack.ALPHA, base.ReleaseTrack.BETA)
class RemoveIamPolicyBindingAlpha(RemoveIamPolicyBinding):
"""Remove IAM policy binding from an IAP IAM resource.
Removes a policy binding from the IAM policy of an IAP IAM resource. One
binding consists of a member, a role and an optional condition.
See $ {parent_command} get-iam-policy for examples of how to
specify an IAP IAM resource.
"""
_support_cloud_run = True
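Review bot: The `Returns:` text in `Run`'s docstring ("The specified function with its description and configured filter.") does not describe this command; the body returns the result of `iap_iam_ref.RemoveIamPolicyBinding(args.member, args.role, condition, args.all)`. The same sentence appears in `Run` of the get-iam-policy file before this one and the set-iam-policy file after it, so it looks copied from an unrelated command. I would replace it in all three, here with `Returns: The result of removing the binding from the resource's IAM policy.` The EXAMPLES text also lacks a space in `IAP_IAM_RESOURCE,run:`.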


@@ -0,0 +1,139 @@
# -*- coding: utf-8 -*- #
# Copyright 2019 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Set IAM Policy."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.iap import util as iap_util
@base.ReleaseTracks(base.ReleaseTrack.GA)
@base.DefaultUniverseOnly
class SetIamPolicy(base.Command):
"""Set the IAM policy for an IAP IAM resource.
This command replaces the existing IAM policy for an IAP IAM resource, given
a file encoded in JSON or YAML that contains the IAM policy. If the given
policy file specifies an "etag" value, then the replacement will succeed only
if the policy already in place matches that etag. (An etag obtained via
$ {parent_command} get-iam-policy will prevent the replacement if
the policy for the resource has been subsequently updated.) A policy
file that does not contain an etag value will replace any existing policy for
the resource.
"""
detailed_help = {
'EXAMPLES':
"""\
To set the IAM policy for the web accesses to the IAP protected
resources within the active project,
run:
$ {command} POLICY_FILE
To set the IAM policy for the web accesses to the IAP protected
resources within a project, run:
$ {command} POLICY_FILE --project=PROJECT_ID
To set the IAM policy for the web accesses to the IAP protected
resources within an App Engine application, run:
$ {command} POLICY_FILE --resource-type=app-engine
To set the IAM policy for the web accesses to the IAP protected
resources within an App Engine service, run:
$ {command} POLICY_FILE --resource-type=app-engine
--service=SERVICE_ID
To set the IAM policy for the web accesses to the IAP protected
resources within an App Engine service version, run:
$ {command} POLICY_FILE --resource-type=app-engine
--service=SERVICE_ID --version=VERSION
To set the IAM policy for the web accesses to the IAP protected
resources within all backend services, run:
$ {command} POLICY_FILE --resource-type=backend-services
To set the IAM policy for the web accesses to the IAP protected
resources within a backend service, run:
$ {command} POLICY_FILE --resource-type=backend-services
--service=SERVICE_ID
To set the IAM policy for the web accesses to the IAP protected
resources within a regional backend service, run:
$ {command} POLICY_FILE --resource-type=backend-services
--service=SERVICE_ID --region=REGION
""",
}
_support_cloud_run = False
@classmethod
def Args(cls, parser):
"""Register flags for this command.
Args:
parser: An argparse.ArgumentParser-like object. It is mocked out in order
to capture some information, but behaves like an ArgumentParser.
"""
iap_util.AddIapIamResourceArgs(
parser,
support_cloud_run=cls._support_cloud_run
)
iap_util.AddIAMPolicyFileArg(parser)
base.URI_FLAG.RemoveFromParser(parser)
def Run(self, args):
"""This is what gets called when the user runs this command.
Args:
args: an argparse namespace. All the arguments that were provided to this
command invocation.
Returns:
The specified function with its description and configured filter.
"""
iap_iam_ref = iap_util.ParseIapIamResource(
self.ReleaseTrack(),
args,
self._support_cloud_run,
)
return iap_iam_ref.SetIamPolicy(args.policy_file)
@base.ReleaseTracks(base.ReleaseTrack.ALPHA, base.ReleaseTrack.BETA)
class SetIamPolicyAlpha(SetIamPolicy):
"""Set the IAM policy for an IAP IAM resource.
This command replaces the existing IAM policy for an IAP IAM resource, given
a file encoded in JSON or YAML that contains the IAM policy. If the given
policy file specifies an "etag" value, then the replacement will succeed only
if the policy already in place matches that etag. (An etag obtained via
$ {parent_command} get-iam-policy will prevent the replacement if
the policy for the resource has been subsequently updated.) A policy
file that does not contain an etag value will replace any existing policy for
the resource.
"""
_support_cloud_run = True
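Review bot: None of the EXAMPLES mention the etag, although the class docstring states that a policy file without one replaces any existing policy for the resource. The examples are the part users tend to copy, so a policy file written from scratch would overwrite a concurrent change without any conflict being reported, for instance a binding another administrator has just removed. I would add a sentence to EXAMPLES such as `Start POLICY_FILE from the output of $ {parent_command} get-iam-policy so that its etag is kept and a concurrent update is rejected.`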