U h3@s`dZddlZddlZddlZddlZdZdZdZdZdZ Gdd d e Z Gd d d ej j ZdS) a6Non-API-specific IAM policy definitions For allowed roles / permissions, see: https://cloud.google.com/iam/docs/understanding-roles Example usage: .. code-block:: python # ``get_iam_policy`` returns a :class:'~google.api_core.iam.Policy`. policy = resource.get_iam_policy(requested_policy_version=3) phred = "user:phred@example.com" admin_group = "group:admins@groups.example.com" account = "serviceAccount:account-1234@accounts.example.com" policy.version = 3 policy.bindings = [ { "role": "roles/owner", "members": {phred, admin_group, account} }, { "role": "roles/editor", "members": {"allAuthenticatedUsers"} }, { "role": "roles/viewer", "members": {"allUsers"} "condition": { "title": "request_time", "description": "Requests made before 2021-01-01T00:00:00Z", "expression": "request.time < timestamp("2021-01-01T00:00:00Z")" } } ] resource.set_iam_policy(policy) Nz roles/ownerz roles/editorz roles/viewerz_Assigning to '{}' is deprecated. Use the `policy.bindings` property to modify bindings instead.zWDict access is not supported on policies with version > 1 or with conditional bindings.c@seZdZdZdS)InvalidOperationExceptionz1Raised when trying to use Policy class as a dict.N)__name__ __module__ __qualname____doc__rr7/tmp/pip-unpacked-wheel-eraazoov/google/api_core/iam.pyrMsrc@s(eZdZdZefZefZefZ d/ddZ ddZ ddZ d d Z d d Zd dZddZddZeddZejddZeddZejddZeddZejddZeddZejddZedd Zed!d"Zed#d$Zed%d&Zed'd(Zed)d*Zed+d,Z d-d.Z!dS)0Policya1IAM Policy Args: etag (Optional[str]): ETag used to identify a unique of the policy version (Optional[int]): The syntax schema version of the policy. Note: Using conditions in bindings requires the policy's version to be set to `3` or greater, depending on the versions that are currently supported. Accessing the policy using dict operations will raise InvalidOperationException when the policy's version is set to 3. Use the policy.bindings getter/setter to retrieve and modify the policy's bindings. See: IAM Policy https://cloud.google.com/iam/reference/rest/v1/Policy Policy versions https://cloud.google.com/iam/docs/policies#versions Conditions overview https://cloud.google.com/iam/docs/conditions-overview. NcCs||_||_g|_dSN)etagversion _bindings)selfr r rrr__init__rszPolicy.__init__cCs|dd|jDS)Ncss|]}|dr|dVqdS)membersroleNr).0bindingrrr zsz"Policy.__iter__..)__check_version__r rrrr__iter__wszPolicy.__iter__cCs|tt|Sr )rlenlistrrrrr__len__|szPolicy.__len__cCsL||jD]}|d|kr|dSq|td}|j||dSNrrrr)rr setappend)rkeyb new_bindingrrr __getitem__s    zPolicy.__getitem__cCsL|t|}|jD]}|d|kr||d<dSq|j||ddSr)rrr r)rrvaluerrrr __setitem__s  zPolicy.__setitem__cCs>||jD]"}|d|kr|j|dSqt|dS)Nr)rr removeKeyError)rrr rrr __delitem__s    zPolicy.__delitem__cCs,|jdk o|jdk}|s |r(ttdS)z[Raise InvalidOperationException if version is greater than 1 or policy contains conditions.N)r _contains_conditionsr_DICT_ACCESS_MSG)rZ raise_versionrrrrs zPolicy.__check_version__cCs$|jD]}|ddk rdSqdS)N conditionTF)r get)rr rrrr)s zPolicy._contains_conditionscCs|jS)aEThe policy's list of bindings. A binding is specified by a dictionary with keys: * role (str): Role that is assigned to `members`. * members (:obj:`set` of str): Specifies the identities associated to this binding. * condition (:obj:`dict` of str:str): Specifies a condition under which this binding will apply. * title (str): Title for the condition. * description (:obj:str, optional): Description of the condition. * expression: A CEL expression. Type: :obj:`list` of :obj:`dict` See: Policy versions https://cloud.google.com/iam/docs/policies#versions Conditions overview https://cloud.google.com/iam/docs/conditions-overview. Example: .. code-block:: python USER = "user:phred@example.com" ADMIN_GROUP = "group:admins@groups.example.com" SERVICE_ACCOUNT = "serviceAccount:account-1234@accounts.example.com" CONDITION = { "title": "request_time", "description": "Requests made before 2021-01-01T00:00:00Z", # Optional "expression": "request.time < timestamp("2021-01-01T00:00:00Z")" } # Set policy's version to 3 before setting bindings containing conditions. policy.version = 3 policy.bindings = [ { "role": "roles/viewer", "members": {USER, ADMIN_GROUP, SERVICE_ACCOUNT}, "condition": CONDITION }, ... ] r rrrrbindingss2zPolicy.bindingscCs ||_dSr r-)rr.rrrr.scCs6t}|jD] }||dD]}||qq t|S)zLegacy access to owner role. Raise InvalidOperationException if version is greater than 1 or policy contains conditions. DEPRECATED: use `policy.bindings` to access bindings instead. r)r _OWNER_ROLESr,add frozensetrresultrmemberrrrownerss  z Policy.ownerscCs ttdtt||t<dS)zUpdate owners. Raise InvalidOperationException if version is greater than 1 or policy contains conditions. DEPRECATED: use `policy.bindings` to access bindings instead. r5N)warningswarn_ASSIGNMENT_DEPRECATED_MSGformat OWNER_ROLEDeprecationWarningrr#rrrr5s  cCs6t}|jD] }||dD]}||qq t|S)zLegacy access to editor role. Raise InvalidOperationException if version is greater than 1 or policy contains conditions. DEPRECATED: use `policy.bindings` to access bindings instead. r)r _EDITOR_ROLESr,r0r1r2rrreditorss  zPolicy.editorscCs ttdtt||t<dS)zUpdate editors. Raise InvalidOperationException if version is greater than 1 or policy contains conditions. DEPRECATED: use `policy.bindings` to modify bindings instead. r>N)r6r7r8r9 EDITOR_ROLEr;r<rrrr> s  cCs6t}|jD] }||dD]}||qq t|S)zLegacy access to viewer role. Raise InvalidOperationException if version is greater than 1 or policy contains conditions. DEPRECATED: use `policy.bindings` to modify bindings instead. r)r _VIEWER_ROLESr,r0r1r2rrrviewerss  zPolicy.viewerscCs ttdtt||t<dS)zUpdate viewers. Raise InvalidOperationException if version is greater than 1 or policy contains conditions. DEPRECATED: use `policy.bindings` to modify bindings instead. rAN)r6r7r8r9 VIEWER_ROLEr;r<rrrrA(s  cCs d|fS)zFactory method for a user member. Args: email (str): E-mail for this particular user. Returns: str: A member string corresponding to the given user. zuser:%sremailrrruser6s z Policy.usercCs d|fS)zFactory method for a service account member. Args: email (str): E-mail for this particular service account. Returns: str: A member string corresponding to the given service account. zserviceAccount:%srrCrrrservice_accountBs zPolicy.service_accountcCs d|fS)zFactory method for a group member. Args: email (str): An id or e-mail for this particular group. Returns: str: A member string corresponding to the given group. zgroup:%srrCrrrgroupOs z Policy.groupcCs d|fS)zFactory method for a domain member. Args: domain (str): The domain for this member. Returns: str: A member string corresponding to the given domain. z domain:%sr)domainrrrrH[s z Policy.domaincCsdS)zFactory method for a member representing all users. Returns: str: A member string representing all users. ZallUsersrrrrr all_usersgszPolicy.all_userscCsdS)zFactory method for a member representing all authenticated users. Returns: str: A member string representing all authenticated users. ZallAuthenticatedUsersrrrrrauthenticated_userspszPolicy.authenticated_userscCsP|d}|d}|||}|dg|_|jD]}t|dd|d<q2|S)zFactory: create a policy from a JSON resource. Args: resource (dict): policy resource returned by ``getIamPolicy`` API. Returns: :class:`Policy`: the parsed policy r r r.rr)r,r.r)clsresourcer r policyrrrr from_api_reprys    zPolicy.from_api_reprcCsi}|jdk r|j|d<|jdk r,|j|d<|jrt|jdkrg}|jD]D}|d}|rJ|dt|d}|d}|r||d<||qJ|rtd}t||d |d <|S) zRender a JSON policy resource. Returns: dict: a resource to be passed to the ``setIamPolicy`` API. Nr r rrrrr+)rr.) r r r rr,sortedroperator itemgetter)rrLr.rrr!r+rrrr to_api_reprs&         zPolicy.to_api_repr)NN)"rrrrr:r/r?r=rBr@rrrr"r$r'rr)propertyr.setterr5r>rA staticmethodrErFrGrHrIrJ classmethodrNrRrrrrr SsV    3              r )r collectionscollections.abcrPr6r:r?rBr8r* ExceptionrabcMutableMappingr rrrrs(