novafarma/gcloud auth application-default login/google-cloud-sdk/lib/surface/policy_intelligence/troubleshoot_policy/iam.py

# -*- coding: utf-8 -*- #
# Copyright 2022 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Command to query activities."""

from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals

from googlecloudsdk.api_lib.policy_intelligence import policy_troubleshooter
from googlecloudsdk.calliope import base

_DETAILED_HELP = {
    'brief': """Troubleshoot the IAM Policy.
        """,
    'DESCRIPTION': """\
      Performs a check on whether a principal is granted a
      permission on a resource and how that access is determined according to
      the resource's effective IAM policy interpretation.
        """,
    'EXAMPLES': """\
    To troubleshoot a permission of a principal on a resource, run:

      $ {command} //cloudresourcemanager.googleapis.com/projects/project-id \
      --principal-email=my-iam-account@somedomain.com \
      --permission=resourcemanager.projects.get

    See https://cloud.google.com/iam/help/allow-policies/overview for more
    information about IAM policies.
      """,
}

_DETAILED_HELP = {
    'brief': """Troubleshoot IAM allow and deny policies.
        """,
    'DESCRIPTION': """\
      Uses a resource's effective IAM allow policy and IAM deny policy to
      check whether a principal has a specific permission on the resource.
        """,
    'EXAMPLES': """\
      The following command checks whether the principal ``my-user@example.com''
      has the permission ``resourcemanager.projects.get'' on the project
      ``my-project'':

        $ {command} //cloudresourcemanager.googleapis.com/projects/my-project
        --principal-email=my-user@example.com
        --permission=resourcemanager.projects.get

      The following command checks whether the principal ``my-user@example.com''
      has the ``compute.images.get'' permission on the project
      ``my-project''. The command also provides additional context that lets
      Troubleshooter evaluate conditional role bindings:

        $ {command} //cloudresourcemanager.googleapis.com/projects/my-project \
        --principal-email=my-user@example.com \
        --permission=compute.images.get \
        --resource-name=//compute.googleapis.com/projects/my-project/zones/images/my-image'\
        --resource-service='compute.googleapis.com' \
        --resource-type='compute.googleapis.com/Image' \
        --destination-ip='192.2.2.2'--destination-port=8080 --request-time='2023-01-01T00:00:00Z'
      """,
}


def _Args(parser):
  """Parses arguments for the commands."""
  parser.add_argument(
      'resource',
      metavar='RESOURCE',
      type=str,
      help="""Full resource name that access is checked against.
      For a list of full resource name formats, see: https://cloud.google.com/iam/docs/resource-names.
      """,
  )
  parser.add_argument(
      '--principal-email',
      required=True,
      metavar='EMAIL',
      type=str,
      help="""Email address that identifies the principal to check. Only Google Accounts and
      service accounts are supported.
      """,
  )
  parser.add_argument(
      '--permission',
      required=True,
      metavar='PERMISSION',
      type=str,
      help="""IAM permission to check. The permssion can be in the `v1` or `v2`
      format. For example, `resourcemanager.projects.get` or
      `cloudresourcemanager.googleapis.com/projects.get`.
      For a list of permissions, see https://cloud.google.com/iam/docs/permissions-reference and https://cloud.google.com/iam/docs/deny-permissions-support
      """,
  )
  parser.add_argument(
      '--resource-service',
      required=False,
      type=str,
      help="""The resource service value to use when checking conditional bindings.
      For accepted values, see: https://cloud.google.com/iam/docs/conditions-resource-attributes#resource-service
      """,
  )
  parser.add_argument(
      '--resource-type',
      required=False,
      type=str,
      help="""The resource type value to use when checking conditional bindings.
      For accepted values, see: https://cloud.google.com/iam/docs/conditions-resource-attributes#resource-type
      """,
  )
  parser.add_argument(
      '--resource-name',
      required=False,
      type=str,
      help="""The resource name value to use when checking conditional bindings.
      For accepted values, see: https://cloud.google.com/iam/docs/conditions-resource-attributes#resource-name.
      """,
  )
  parser.add_argument(
      '--request-time',
      required=False,
      type=str,
      help="""The request timestamp to use when checking conditional bindings. This string must adhere to UTC format
      (RFC 3339). For example,2021-01-01T00:00:00Z. For more information, see:
      https://tools.ietf.org/html/rfc3339
      """,
  )
  parser.add_argument(
      '--destination-ip',
      required=False,
      type=str,
      help="""The request destination IP address to use when checking conditional bindings. For example, `198.1.1.1`.
      """,
  )
  parser.add_argument(
      '--destination-port',
      required=False,
      type=int,
      help="""The request destination port to use when checking conditional bindings. For example, 8080.
      """,
  )


def _Run(policy_troubleshooter_api, args):
  """Troubleshoot the IAM Policies."""
  destination_context = policy_troubleshooter_api.GetPolicyTroubleshooterPeer(
      destination_ip=args.destination_ip,
      destination_port=args.destination_port,
  )
  request_context = policy_troubleshooter_api.GetPolicyTroubleshooterRequest(
      request_time=args.request_time
  )
  resource_context = policy_troubleshooter_api.GetPolicyTroubleshooterResource(
      resource_name=args.resource_name,
      resource_service=args.resource_service,
      resource_type=args.resource_type,
  )
  condition_context = (
      policy_troubleshooter_api.GetPolicyTroubleshooterConditionContext(
          destination=destination_context,
          request=request_context,
          resource=resource_context,
      )
  )
  access_tuple = policy_troubleshooter_api.GetPolicyTroubleshooterAccessTuple(
      condition_context=condition_context,
      full_resource_name=args.resource,
      principal_email=args.principal_email,
      permission=args.permission,
  )
  return policy_troubleshooter_api.TroubleshootIAMPolicies(access_tuple)


@base.ReleaseTracks(base.ReleaseTrack.ALPHA)
@base.Hidden
class TroubleshootAlpha(base.Command):
  """Troubleshoot the IAM Policies."""

  detailed_help = _DETAILED_HELP

  @staticmethod
  def Args(parser):
    """Parses arguments for the commands."""
    _Args(parser)

  def Run(self, args):
    return _Run(
        policy_troubleshooter.PolicyTroubleshooterApi(self.ReleaseTrack()), args
    )


@base.ReleaseTracks(base.ReleaseTrack.BETA)
@base.Hidden
class TroubleshootBeta(base.Command):
  """Troubleshoot IAM allow and deny policies."""

  detailed_help = _DETAILED_HELP

  @staticmethod
  def Args(parser):
    """Parses arguments for the commands."""
    _Args(parser)

  def Run(self, args):
    return _Run(
        policy_troubleshooter.PolicyTroubleshooterApi(self.ReleaseTrack()), args
    )


@base.ReleaseTracks(base.ReleaseTrack.GA)
class Troubleshoot(base.Command):
  """Troubleshoot IAM allow and deny policies."""

  detailed_help = _DETAILED_HELP

  @staticmethod
  def Args(parser):
    """Parses arguments for the commands."""
    _Args(parser)

  def Run(self, args):
    return _Run(
        policy_troubleshooter.PolicyTroubleshooterApi(self.ReleaseTrack()), args
    )