o ˷e3@sfdZddlZddlZddlZddlZdZ dZ dZ dZdZ Gdd d e Z Gd d d ej j ZdS) a6Non-API-specific IAM policy definitions For allowed roles / permissions, see: https://cloud.google.com/iam/docs/understanding-roles Example usage: .. code-block:: python # ``get_iam_policy`` returns a :class:'~google.api_core.iam.Policy`. policy = resource.get_iam_policy(requested_policy_version=3) phred = "user:phred@example.com" admin_group = "group:admins@groups.example.com" account = "serviceAccount:account-1234@accounts.example.com" policy.version = 3 policy.bindings = [ { "role": "roles/owner", "members": {phred, admin_group, account} }, { "role": "roles/editor", "members": {"allAuthenticatedUsers"} }, { "role": "roles/viewer", "members": {"allUsers"} "condition": { "title": "request_time", "description": "Requests made before 2021-01-01T00:00:00Z", "expression": "request.time < timestamp("2021-01-01T00:00:00Z")" } } ] resource.set_iam_policy(policy) Nz roles/ownerz roles/editorz roles/viewerz_Assigning to '{}' is deprecated. Use the `policy.bindings` property to modify bindings instead.zWDict access is not supported on policies with version > 1 or with conditional bindings.c@seZdZdZdS)InvalidOperationExceptionz1Raised when trying to use Policy class as a dict.N)__name__ __module__ __qualname____doc__rrJ/var/www/ideatree/venv/lib/python3.10/site-packages/google/api_core/iam.pyrMsrc@s.eZdZdZefZ efZ efZ d/ddZ ddZ ddZ d d Z d d Zd dZddZddZeddZejddZeddZejddZeddZejddZeddZejddZedd Zed!d"Zed#d$Zed%d&Zed'd(Zed)d*Zed+d,Z d-d.Z!dS)0Policya1IAM Policy Args: etag (Optional[str]): ETag used to identify a unique of the policy version (Optional[int]): The syntax schema version of the policy. Note: Using conditions in bindings requires the policy's version to be set to `3` or greater, depending on the versions that are currently supported. Accessing the policy using dict operations will raise InvalidOperationException when the policy's version is set to 3. Use the policy.bindings getter/setter to retrieve and modify the policy's bindings. See: IAM Policy https://cloud.google.com/iam/reference/rest/v1/Policy Policy versions https://cloud.google.com/iam/docs/policies#versions Conditions overview https://cloud.google.com/iam/docs/conditions-overview. NcCs||_||_g|_dSN)etagversion _bindings)selfr r rrr__init__rs zPolicy.__init__cCs|dd|jDS)Ncss |] }|dr|dVqdS)membersroleNr).0bindingrrr zsz"Policy.__iter__..)__check_version__r rrrr__iter__wzPolicy.__iter__cCs|tt|Sr )rlenlistrrrrr__len__|rzPolicy.__len__cCsL||jD]}|d|kr|dSq|td}|j||dSNrrrr)rr setappend)rkeyb new_bindingrrr __getitem__s     zPolicy.__getitem__cCsL|t|}|jD]}|d|kr||d<dSq |j||ddSr)rrr r)rr valuerrrr __setitem__s  zPolicy.__setitem__cCs:||jD]}|d|kr|j|dSqt|)Nr)rr removeKeyError)rr r!rrr __delitem__s   zPolicy.__delitem__cCs,|jduo |jdk}|s|rttdS)z[Raise InvalidOperationException if version is greater than 1 or policy contains conditions.N)r _contains_conditionsr_DICT_ACCESS_MSG)r raise_versionrrrrs zPolicy.__check_version__cCs$|jD] }|ddurdSqdS)N conditionTF)r get)rr!rrrr*s zPolicy._contains_conditionscCs|jS)aEThe policy's list of bindings. A binding is specified by a dictionary with keys: * role (str): Role that is assigned to `members`. * members (:obj:`set` of str): Specifies the identities associated to this binding. * condition (:obj:`dict` of str:str): Specifies a condition under which this binding will apply. * title (str): Title for the condition. * description (:obj:str, optional): Description of the condition. * expression: A CEL expression. Type: :obj:`list` of :obj:`dict` See: Policy versions https://cloud.google.com/iam/docs/policies#versions Conditions overview https://cloud.google.com/iam/docs/conditions-overview. Example: .. code-block:: python USER = "user:phred@example.com" ADMIN_GROUP = "group:admins@groups.example.com" SERVICE_ACCOUNT = "serviceAccount:account-1234@accounts.example.com" CONDITION = { "title": "request_time", "description": "Requests made before 2021-01-01T00:00:00Z", # Optional "expression": "request.time < timestamp("2021-01-01T00:00:00Z")" } # Set policy's version to 3 before setting bindings containing conditions. policy.version = 3 policy.bindings = [ { "role": "roles/viewer", "members": {USER, ADMIN_GROUP, SERVICE_ACCOUNT}, "condition": CONDITION }, ... ] r rrrrbindingss2zPolicy.bindingscCs ||_dSr r/)rr0rrrr0s cC6t}|jD]}||dD]}||qqt|S)zLegacy access to owner role. Raise InvalidOperationException if version is greater than 1 or policy contains conditions. DEPRECATED: use `policy.bindings` to access bindings instead. r)r _OWNER_ROLESr.add frozensetrresultrmemberrrrowners   z Policy.ownerscC ttdtt||t<dS)zUpdate owners. Raise InvalidOperationException if version is greater than 1 or policy contains conditions. DEPRECATED: use `policy.bindings` to access bindings instead. r8N)warningswarn_ASSIGNMENT_DEPRECATED_MSGformat OWNER_ROLEDeprecationWarningrr$rrrr8s  cCr1)zLegacy access to editor role. Raise InvalidOperationException if version is greater than 1 or policy contains conditions. DEPRECATED: use `policy.bindings` to access bindings instead. r)r _EDITOR_ROLESr.r3r4r5rrreditorsr9zPolicy.editorscCr:)zUpdate editors. Raise InvalidOperationException if version is greater than 1 or policy contains conditions. DEPRECATED: use `policy.bindings` to modify bindings instead. rCN)r;r<r=r> EDITOR_ROLEr@rArrrrC    cCr1)zLegacy access to viewer role. Raise InvalidOperationException if version is greater than 1 or policy contains conditions. DEPRECATED: use `policy.bindings` to modify bindings instead. r)r _VIEWER_ROLESr.r3r4r5rrrviewersr9zPolicy.viewerscCr:)zUpdate viewers. Raise InvalidOperationException if version is greater than 1 or policy contains conditions. DEPRECATED: use `policy.bindings` to modify bindings instead. rGN)r;r<r=r> VIEWER_ROLEr@rArrrrG(rEcC d|fS)zFactory method for a user member. Args: email (str): E-mail for this particular user. Returns: str: A member string corresponding to the given user. zuser:%sremailrrruser6 z Policy.usercCrI)zFactory method for a service account member. Args: email (str): E-mail for this particular service account. Returns: str: A member string corresponding to the given service account. zserviceAccount:%srrJrrrservice_accountBs zPolicy.service_accountcCrI)zFactory method for a group member. Args: email (str): An id or e-mail for this particular group. Returns: str: A member string corresponding to the given group. zgroup:%srrJrrrgroupOrMz Policy.groupcCrI)zFactory method for a domain member. Args: domain (str): The domain for this member. Returns: str: A member string corresponding to the given domain. z domain:%sr)domainrrrrP[rMz Policy.domaincCdS)zFactory method for a member representing all users. Returns: str: A member string representing all users. allUsersrrrrr all_usersgzPolicy.all_userscCrQ)zFactory method for a member representing all authenticated users. Returns: str: A member string representing all authenticated users. allAuthenticatedUsersrrrrrauthenticated_usersprTzPolicy.authenticated_userscCsP|d}|d}|||}|dg|_|jD] }t|dd|d<q|S)zFactory: create a policy from a JSON resource. Args: resource (dict): policy resource returned by ``getIamPolicy`` API. Returns: :class:`Policy`: the parsed policy r r r0rr)r.r0r)clsresourcer r policyrrrr from_api_reprys   zPolicy.from_api_reprcCsi}|jdur |j|d<|jdur|j|d<|jrWt|jdkrWg}|jD]"}|d}|rG|dt|d}|d}|rB||d<||q%|rWtd}t||d |d <|S) zRender a JSON policy resource. Returns: dict: a resource to be passed to the ``setIamPolicy`` API. Nr r rrrrr-)r r0) r r r rr.sortedroperator itemgetter)rrXr0rrr"r-r rrr to_api_reprs(         zPolicy.to_api_repr)NN)"rrrrr?r2rDrBrHrFrrrr#r%r(rr*propertyr0setterr8rCrG staticmethodrLrNrOrPrSrV classmethodrZr^rrrrr Ss^    3               r )r collectionscollections.abcr\r;r?rDrHr=r+ ExceptionrabcMutableMappingr rrrrs (