;SrSSKJr SSKJr SSKJr SSKrSSKJr SSKJ r Sr S r S r S rS rS rSrSrSrSrSrSrSrSrSrSrSrSrSrSrSrS&Sjr S'Sjr!Sr"S r#S!r$S"r%S#r&S$r'S%r(g)(z*Smart Guardrails Recommendation Utilities.)absolute_import)division)unicode_literalsN)insight)utilaShutting down this project will immediately: - Stop all traffic and billing. - Start deleting resources. - Schedule the final deletion of the project after 30 days. - Block your access to the project. - Notify the owner of the project. Learn more about the shutdown process at https://cloud.google.com/resource-manager/docs/creating-managing-projects#shutting_down_projects zr*** HIGH-RISK CHANGE WARNING ***: If you shut down this project you risk losing data or interrupting your servicesz2. In the last 30 days we observed this project hadzAWe recommend verifying this is the correct project to shut down. avThis service account lets App Engine and Cloud Functions access essential Cloud Platform services such as Datastore. Deleting this account will break any current or future App Engine applications and Cloud Functions in this project. WARNING: You CANNOT undo this action. Do not delete this service account unless you are sure you will never use App Engine in this project.aThis service account lets Compute Engine access essential Cloud Platform services such as logging and Cloud Storage. Deleting this account will prevent instances that are running as this account from accessing Cloud Platform services. WARNING: You CANNOT undo this action. If you delete this account, instances in this project will only be able to access Cloud Platform services via custom service accounts.a:Deleting this service account (SA) will delete all associated key IDs, and will prevent the account from authenticating to any Google Cloud service API. You cannot restore or roll back this change easily. We highly recommend disabling the account first, testing for any unexpected impact, and only then deleting. z*** HIGH-RISK CHANGE WARNING ***: If you delete this SA you risk interrupting your service, as we observed it was substantially used in the last 90 daysz>We recommend verifying this is the correct account to delete. z'You are about to delete the role [{}]. z*** HIGH-RISK CHANGE WARNING ***: If you remove the role [{}], there is a high risk that you might cause interruptions because it was used in the last 90 daysz_We recommend you verify the details and replace them with less privileged roles, if necessary. zuWe recommend replacing it with the role{} [{}], in order to remove unused permissions while preserving the used one. z0google.resourcemanager.project.ChangeRiskInsightz+google.iam.serviceAccount.ChangeRiskInsightz#google.iam.policy.ChangeRiskInsightz5https://console.cloud.google.com/home/recommendationsc^^UU4SjnU$)a'Returns a function that matches an insight by policy binding. Args: member: Member string to fully match. role: Member role to fully match. Returns: A function that matches an insight object by policy binding. The returned function returns true iff both the member and the role match. cn>SnSnURRGH nURS:XdMURRR HnURS:XdMURRR HnURS:XdMURRR H_nURS:XaURR T:XaSnURS:XdMAURR T:XdM]SnMa M M GM U=(a U$)NFrisk usageAtRiskiamPolicyUtilizationmemberTrole)contentadditionalPropertieskeyvalue object_value properties string_value) gcloud_insightmatches_member matches_roleadditional_propertypfiam_prrs ?lib/googlecloudsdk/api_lib/smart_guardrails/smart_guardrails.pyMatcher,_GetIamPolicyBindingMatcher..MatchersNL-55JJ  F *$**77BBA UUm #WW))4400WW11<*_GetDeletionRiskMessage..sFgF[''//gs )r6r%lenjoin)r risk_messagereasons_prefix add_new_liner2messages r_GetDeletionRiskMessagerCs} $N 3'  >>,  EE" EE\Q  wqz JJ   | <' RWWFgF FF' .r!c[R"U5nSRX5nURUSSUS9nUHnU(dUs $U"U5(dMUs $ g)aReturns the first insight fetched by the recommender API. Args: release_track: Release track of the recommender. project_id: Project ID. insight_type: String insight type. request_filter: Optional string filter for the recommender. matcher: Matcher for the insight object. None means match all. Returns: Insight object returned by the recommender API. Returns 'None' if no matching insights were found. Returns the first insight object that matches the matcher. If no matcher, returns the first insight object fetched. z.projects/{0}/locations/global/insightTypes/{1}dN) page_sizelimitrequest_filter)r CreateClientr%List) release_track project_id insight_typerHmatcherclient parent_nameresultrs r_GetRiskInsightrSsl"    .&AII+ ;;S^  & a  hqzz h  r!c0[R"SU5$)zReturns true if email is used as a default App Engine Service Account. Args: email: Service Account email. Returns: Returns true if the given email is default App Engine Service Account. Returns false otherwise. z8^([\w:.-]+)@appspot(\.[^.]+\.iam)?\.gserviceaccount\.com)research)emails r!_IsDefaultAppEngineServiceAccountrXs A5 r!cUSRU5:XagUSRU5:Xag[R"SU5$)aReturns true if email is used as a default Compute Engine Service Account. Args: email: Service Account email. project_number: Project number. Returns: Returns true if the given email is a default Compue Engine Service Account. Returns false otherwise. z!{0}@developer.gserviceaccount.comTz{0}@project.gserviceaccount.comz>^[0-9]+-compute@developer(\.[^.]+\.iam)?\.gserviceaccount\.com)r%rUrV)rWproject_numbers r%_IsDefaultComputeEngineServiceAccountr[sH 188HH  /66~FF  G r!cF/nURRGHnURS:XdMURRR HnURS:XdMURRR HnURS:XdMURRR HWnURS:XdMURR RHnURUR5 M MY M M GM U$)zReturns minimal roles extracted from the IAM policy binding insight. Args: gcloud_insight: Insight returned by the recommender API. Returns: A list of strings. Empty if no minimal roles were found. r r r minimalRoles) rrrrrrr.r/r1r)r minimal_rolesrrrrrs r_GetPolicyBindingMinimalRolesr_"s-+33HH&("((55@@! 55M !77''22auu..77//::%99.#kk55==d!(():):;>;3AI r!cU(a6[R[U5S::aSOSSRU55$[$)zReturns advice for policy binding deletion. Args: minimal_roles: A string list of minimal recommended roles. Returns: A string advice on safe deletion. r-r*sz, )_POLICY_BINDING_REPLACE_ADVICEr%r=r>_POLICY_BINDING_DELETE_ADVICE)r^s r_GetPolicyBindingDeletionAdvicerd8s> ) 0 0- A%3 -0H  )(r!c [X[5nU(a7SR[[ U[ [ S9[[U5/5$[$)a-Returns a risk assesment message for project deletion. Args: release_track: Release track of the recommender. project_id: Project ID. Returns: String message prompt to be displayed for project deletion. If the project deletion is high risk, the message includes the Active Assist warning. r8)rr?r@) rS_PROJECT_INSIGHT_TYPEr>_PROJECT_WARNING_MESSAGErC_PROJECT_RISK_MESSAGE_PROJECT_REASONS_PREFIX_PROJECT_ADVICEr()rKrL risk_insights rGetProjectDeletionRiskrlHsX!!6, 99 '.2  %    "!r!cH[R"U5n[U5(a[$[ X#5(a[ $SR X25n[X[US9nU(a4SR[[U[5[[U5/5$[$)a3Returns a risk assesment message for service account deletion. Args: release_track: Release track of the recommender. project_id: String project ID. service_account: Service Account email ID. Returns: String Active Assist risk warning message to be displayed in service account deletion prompt. zFtargetResources: //iam.googleapis.com/projects/{0}/serviceAccounts/{1})rHr8) project_utilGetProjectNumberrX%_SA_DELETE_APP_ENGINE_WARNING_MESSAGEr[)_SA_DELETE_COMPUTE_ENGINE_WARNING_MESSAGEr%rS_SA_INSIGHT_TYPEr>_SA_WARNING_MESSAGErC_SA_RISK_MESSAGE _SA_ADVICEr()rKrLservice_accountrZ target_filterrks rGetServiceAccountDeletionRiskrxgs 00<.&77 00*?KK 44N F>+!!1-, 99 .>? %   r!c|X"RS5S-Sn[X#5n[UU[US9nU(apSR [ U[ R U5SS9[[U555nSR[R U5U[U5/5$[R U5$) aReturns a risk assesment message for IAM policy binding deletion. Args: release_track: Release track of the recommender. project_id: String project ID. member: IAM policy binding member. member_role: IAM policy binding member role. Returns: String Active Assist risk warning message to be displayed in IAM policy binding deletion prompt. If no risk exists, then returns 'None'. :r-N)rNz{} {}F)rAr8) findr#rS_POLICY_BINDING_INSIGHT_TYPEr%rC#_POLICY_BINDING_DELETE_RISK_MESSAGErdr_r>&_POLICY_BINDING_DELETE_WARNING_MESSAGEr()rKrLr member_rolepolicy_matcherrkr?s rGetIamPolicyBindingDeletionRiskrs$ ;;s#a'* +&.vC. " , >>  / 6 6{ C ( ), 7 L 99.55kB %  0 6 6{ CCr!)r*T)NN))__doc__ __future__rrrrU"googlecloudsdk.api_lib.recommenderr#googlecloudsdk.command_lib.projectsrrnrgrhrirjrprqrsrtrur~r}rcrbrfrrr|r&r0r#r(r6rCrSrXr[r_rdrlrxrr"r!rrs1&' 6D 0 OI 2&E* O /' $ : K@D<B DCG4KO@ (, ) ">"J,Dr!