SrSSKJr SSKJr SSKJr SSKrSSKJr SSKJ r SSK J r SS K Jr SSKJ r SS KJr SS KJr SS KJr SS KJr SrSrSrSrS(SjrS(SjrSrSrSrSrSr Sr!"SS\RD5r#Sr$Sr%Sr&Sr'S r(S!r)S"r*"S#S$\RV5r,S%r-"S&S'5r.g))zWs 4ZZ J00==AAC#[  7 7 E     $ $ : % '##%#* *r*cA[XSS9$)zDHook to process restricted client applications input in Alpha track.v1alphaversion)$_ProcessRestrictedClientApplications) unused_refr%r&s r((ProcessRestrictedClientApplicationsAlpharEms -d KKr*cBURS5(ayURn[USUS9nURc'[R "US9R 5UlUH(nURRRU5 M* URS5(ayURn[USUS9nURc'[R "US9R 5UlUH(nURRRU5 M* U$)zCProcess restricted client applications input for the given version.r,rAr-) rr,0_MakeRestrictedClientApplicationsFromIdentifiersgcpUserAccessBindingr GetMessagesGcpUserAccessBindingrestrictedClientApplicationsrr-)r%r&rB client_ids"restricted_client_application_refs!restricted_client_application_ref client_namess r(rCrCss+ HII>>J8  6 ' '!%!1!1" .P) ;;BB +.P  CDD;;L8  1 ' '!%!1!1" .P) ;;BB +.P *r*c:/nUbUVs/sHnU(dM UPM nnUHnUS:Xa3UR[R"US9RUS95 M<US:Xa3UR[R"US9RUS95 Mu[R "SR S5S 5e U$s snf! [R "SR S5S5e=f! [R "SR S5S5e=f) zJParse restricted client applications and return their resource references.r,rA)clientId--{}z:Unable to parse input. The input must be of type string[].r-)namearg_namez:The input is not valid for Restricted Client Applications.)rrrI ApplicationrInvalidArgumentExceptionformat)app_identifiersrTrB resource_refs identifierapp_identifiers r(rGrGs>- **J  ) * ? ?   w/;;)<  < <   w/;;;P ":: MM* % H  1*8 E #<<mmFGJ   #<<mmABJ  s! CC0C&0C2(C/2(DcURRnU(aURRn/nUVs/sH oU(dM UPM nnU(dU$U(aSOSnUH4n[RR UUSS9nURU5 M6 U$s snf! [ R"SRU5S5e=f)z9Parse level strings and return their resource references.rr0accesscontextmanager.accessPolicies.accessLevelsparamsr2rRzjThe input must be the full identifier for the access level, such as `accessPolicies/123/accessLevels/abc`.) rH accessLevelsdryRunAccessLevelsr r9r:rrVrWr)r&param is_dry_run level_inputs level_refs level_inputrT level_refs r(_ParseLevelRefsrhs))66,++>>L*1=M++,M  ", )(!k $$** G+ii " )N  8 8 -- ! ; s B B *B%%(C c ^ ^ ^ A0n0nSnURS5(aT[RRUR S5SS9nSUR50nUR5US'OAURS5(a [X$S S 9O/nURS 5(a [X$S S 9O/nUVs/sHoR5PM snm UVs/sHoR5PM snm [U 4S jT 55(d [S/5e[U 4SjT 55(d [S/5eT (aT SR5US'T (aT SR5US'[UR55n U R5 [UR!55m [U 4SjT 55(d [U 5eU(a/UVs/sHoR5PM snUR"lU(a/UVs/sHoR5PM snUR"lU$! [ R "SS5e=fs snfs snfs snfs snf)z0Hook to format levels and validate all policies.Npolicy#accesscontextmanager.accessPoliciesr1--policybThe input must be the full identifier for the access policy, such as `123` or `accessPolicies/123.accessPoliciesIdrF)rcrTc32># UH oTS:Hv M g7frN).0x level_parentss r( ProcessLevels..s :Mq-" "Mrc32># UH oTS:Hv M g7frprq)rrrsdry_run_level_parentss r(rurvs J4Iq'* *4Irw--dry-run-levelrc32># UH oTS:Hv M g7frprq)rrrspolicies_valuess r(rurv!s >o/!$ $orw)rr r9r:GetValuerrVNamer;rhParentallConflictPolicyExceptionlistkeyssortvaluesrHr`ra) r$r%r&policies_to_checkrb policy_refredry_run_level_refsrsflags_to_complainryrtr|s @@@r( ProcessLevelsrsh  %* h'' %%++ -- !:,j !2 3E$.$;$;$=j!  ! !' * *cU3    ! !/ 2 2cT2 (22z!88:z2-/AB/A!88:/AB :M : : : !9+ .. J4I J J J !#4"5 66#0#3#@#@#Bi +@ ,ln'(,1134*1134/ >o > > > !"3 44",-",Q*-C)"43"4Q"43C/ *k  8 8  2 .3B*-3s#-I>I1I62I;(JI.c2U(a[R"U5O[R"SS9nUR[R"SS9R:a[ R "SS5eSR[UR55$)zVProcess the session-length argument into an acceptable form for GCSL session settings.)hoursdaysrz2The session length cannot be greater than one day.z{}s) r ParseDurationr Duration total_secondsrrVrWint)stringdurations r(ProcessSessionLengthr0s|&,e&!1F1FR1P l33;III  6 6<  c(001 22r*cfAURS5(aURS5(dURS5(a[R"SS5e[R"UR R R5RnUS:aSUR lU$US:XaSUR R l U$S UR R l U$URS 5(a[R"S S 5eSUR lU$) aHook to process GCSL session settings. When --session-length=0 make sure the sessionLengthEnabled is set to false. Throw an error if --session-reauth-method or --use-oidc-max-age are set without --session-length. Args: unused_ref: Unused args: The command line arguments req: The request object Returns: The modified request object. Raises: calliope_exceptions.InvalidArgumentException: If arguments are incorrectly set. rr,r-rzXCannot set session length on restricted client applications. Use scoped access settings.rNFTsession_reauth_methodz--session_reauth_methodz;Cannot set --session_reauth_method without --session-length) rrrVr rrHsessionSettings sessionLengthrsessionLengthEnabled)rDr%r&rs r(ProcessSessionSettingsrFs0( .// 2 ! !"G H H  8 8  $  ((   00>>m15c. * 1 FKc..C *GKc..C *  788  8 8 # G  04C, *r*c[R"S5RSU5n[R"SSU5$)Nz([a-z0-9])([A-Z])z\1_\2z_[A-Z]+c@URS5R5$)Nr)grouplower)ms r(&_CamelCase2SnakeCase..|sQWWQZ%5%5%7r*)recompilesub)rSs1s r(_CamelCase2SnakeCaserzs2 zz%&**8T:"  7 <[[U] SRSR UVs/sHnSRU5PM sn555 gs snf)NzTInvalid value for [{0}]: Ensure that the {0} resources are all from the same policy., z{0})superr__init__rWr!)selfparameter_namesp __class__s r(r ConflictPolicyException.__init__sK !41 $$*F II@1u||A@ A% AsArq)__name__ __module__ __qualname____firstlineno____doc__r__static_attributes__ __classcell__rs@r(rrs*r*rc /nUVs/sH oU(dM UPM nnUH2nUR[RRUUSS95 M4 U$s snf! [R "SR U5U5e=f)aTry to get the access level cloud resources that correspond to the `access levels`. Args: param: The parameters to pass to the resource registry access_levels: The access levels to turn into cloud resources field_name: The name of the field to use in the error message error_message: The error message to use if the access levels cannot be parsed Returns: The access level cloud resources that correspond to the `access levels`. r]r^rR)rr r9r:rrVrW)rbr field_name error_messageaccess_level_resources access_levelaccess_level_inputsaccess_level_inputs r(_TryGetAccessLevelResourcesrs'4'4| l}0 ##    " " K # 0 '  8 8 -- #  s AA.A(Bc[RRUSS9$! [R"SR U5U5e=f)aRTry to get the policy cloud resource that corresponds to the `policy`. Args: policy: The policy to turn into a cloud resource field_name: The name of the field to use in the error message error_message: The error message to use if the policy cannot be parsed Returns: The policy cloud resource that corresponds to the `policy`. rkr1rR)r r9r:rrVrW)rjrrs r(_TryGetPolicyCloudResourcersS    # #8 $   6 6 j!= s  (Ac@^^^SmSmU4SjmUU4SjnU"U5 g)z2Validates the scope in the scoped access settings.cUVs/sHn[UR5PM nn[U5[[U55:wa[R "SS5egs snf)Nrz8ScopedAccessSettings in the binding-file must be unique.)strscopelensetrrV)rrsscopess r(._ValidateScopeInScopedAccessSettingsUniqueness\_ProcessScopesInScopedAccessSettings.._ValidateScopeInScopedAccessSettingsUniquenesssX$: ;$:qc!''l$:F ; 6{c#f+&&  8 8  D '._IsClientScopeSetsZ    3 3 )1)?)?00*& . 1668 / 4 49 r*c>UR(a!T"URR5(d[R"SS5eg)Nrz;ScopedAccessSettings in the binding-file must have a scope.)r clientScoperrV)scoped_access_settingrs r(-_ValidateScopeInScopedAccessSettingIsNotEmpty[_ProcessScopesInScopedAccessSettings.._ValidateScopeInScopedAccessSettingIsNotEmptysH & &.?##//// 8 8  G /r*cd>URRnT"U5 UH nT"U5 M gN)rHscopedAccessSettings)r&rrrrs r(_Start4_ProcessScopesInScopedAccessSettings.._Starts2 55JJ23IJ!734IJ"8r*Nrq)r&rrrrs @@@r($_ProcessScopesInScopedAccessSettingsrs! K  +r*c6^^SmU4SjmU4SjnU"U5 g)z._IsAccessSettingsSetsC  #11/B  #((* ! & &+ r*cj>T"U5(d%T"U5(d[R"SS5egg)NrzhScopedAccessSettings in the binding-file must have at least one of activeSettings or dryRunSettings set.)rrV)rdry_run_settingsrs r(@_ValidateAccessSettingsInScopedAccessSettingAtLeastOneIsNotEmptyv_ProcessAccessSettingsInScopedAccessSettings.._ValidateAccessSettingsInScopedAccessSettingAtLeastOneIsNotEmptysE  0 09M:: 8 8  3 : 0r*c~>URRnUH nT"URUR5 M" gr)rHractiveSettingsdryRunSettings)r&rrrs r(r<_ProcessAccessSettingsInScopedAccessSettings.._Starts: 55JJ!7F  . .  . ."8r*Nrq)r&rrrs @@r(,_ProcessAccessSettingsInScopedAccessSettingsrs   +r*c<^^^SmSmSmUUU4SjnU"X5 g)z8Process the access levels in the scoped access settings.c:^X-nU(aUVs/sHoUR5PM snm[U4SjT55(d [U5eU(a=T(a5UR5TSR5:wa[S/U-5eggggs snf)zEValidate that the access levels and policy belong to the same policy.c34># UH nUTS:Hv M g7frprq)rrrsaccess_level_resources_parentss r(ruc_ProcessAccessLevelsInScopedAccessSettings.._ValidateBelongsToSamePolicy..7s#1a -a0 01srrlN)rrrr;)rdry_run_access_level_resourcespolicy_resourcercombined_access_levelrsrs @r(_ValidateBelongsToSamePolicyP_ProcessAccessLevelsInScopedAccessSettings.._ValidateBelongsToSamePolicy(s ?4(3((*3($1&o66 ,**,/2??AB&zl_&DEE B- (sBchU(a&UVs/sHo"R5PM snUlggs snf)aReplace the access levels in the scoped access settings with relative names. For example, { 'activeSettings': { 'accessLevels': [ 'accessPolicies/123/accessLevels/access_level_1' ] } } is replaced with: { 'activeSettings': { 'accessLevels': [ access_level_resources.RelativeName() ] } } Args: access_settings: The access settings to replace the access levels in. access_level_resources: The access level resources to replace the access levels with. N)r;r`)rrrss r(5_ReplaceAccessLevelsInAccessSettingsWithRelativeNamesi_ProcessAccessLevelsInScopedAccessSettings.._ReplaceAccessLevelsInAccessSettingsWithRelativeNamesHs3>$:&$:q.. $:&o"&s/cjU(d0OSUR50n/nU(a[UUSS5nU$)aGet the access level resources from the scoped access settings. Args: policy_resource: The policy resource access_levels: The access levels to turn into cloud resources. For example, ['accessPolicies/123/accessLevels/access_level_1'] Returns: The access level cloud resources that correspond to the `access levels`. For example, ['https://accesscontextmanager.googleapis.com/v1/accessPolicies/123/accessLevels/access_level_1'] rnz binding-filezAccess levels in ScopedAccessSettings must contain the full identifier. For example: `accessPolicies/123/accessLevels/access_level_1)r~r)rrrbrs r(_GetAccessLevelResourcesL_ProcessAccessLevelsInScopedAccessSettings.._GetAccessLevelResourceslsN  /"6"6"8 9  :    =   "!r*c>SnURS5(a[URS5SS5nURRn/n/nUHn/nUR (aKUR R (a0T "X&R R 5nURUS5 /nUR(aLURR (a1T "UURR 5nURUS5 T "UUUS/5 T "UR U5 T "URU5 M T "UUUS/5 /n URR (aT "X!RR 5n U (dT "X!RR5n T "UU U/SQ5 g![Ra NHf=f![Ra N>f=f)Nrjrmrr)rrrz) rrr}rHrrr`rrrrVra) r%r&rraccess_level_resources_sample%dry_run_access_level_resources_samplerrrglobal_access_level_resourcesrrrs r(r:_ProcessAccessLevelsInScopedAccessSettings.._StartsO ))2 -- !  2o!55JJ$&!,.)!7!  . .#22??!9 AANN"  &,,-CA-FG(*$  . .#22??)A  ! 0 0 = =* & .44 *1 - # (     <  . .0F<  . .0NE"8P!%-  %'! ,, (@ 55BB) % ) (@ 55HH) %!%%8 ! 9 9   ! 9 9   s$2GGGGG10G1Nrq)r%r&rrrrs @@@r(*_ProcessAccessLevelsInScopedAccessSettingsr %s&F@"H">Wr r*c2^^SmSmUU4SjnU"U5 g)z;Process the session settings in the scoped access settings.cTUcgURc[R"SS5e[R"UR5R nU[ R"SS9R :a[R"SS5eUS:a[R"SS5eg)NrzISessionSettings within ScopedAccessSettings must include a sessionlength.rrzJSessionLength within ScopedAccessSettings must not be greater than one dayrzDSessionLength within ScopedAccessSettings must not be less than zero)rrrVr rrr r)rrs r(_ValidateSessionSettingsO_ProcessSessionSettingsInScopedAccessSettings.._ValidateSessionSettingss %%-  8 8    ((&&m --15CCC  8 8      8 8   r*cURc[R"S5n[XR5(a&URR R UlO9[R"S5RR R UlURc?[R"UR5RnUS:aSUlOSUlURcSUl gg)Nv1r@rTF) sessionReauthMethodrrI isinstanceSessionSettings"SessionReauthMethodValueValuesEnumLOGINrr rrr useOidcMaxAge)r v1_messagesrs r( _InferEmptySessionSettingsFieldsW_ProcessSessionSettingsInScopedAccessSettings.._InferEmptySessionSettingsFieldss++3$$T*k $&A&A B B  ' ' J J P P ,04/?/? 0 /<URRnUHEnUR(dMURRnU(dM5T"U5 T"U5 MG gr)rHrrr)r&rsrrrs r(r=_ProcessSessionSettingsInScopedAccessSettings.._StartsU 55JJ #   ))99 /0&'78$r*Nrq)r&rrrs @@r(-_ProcessSessionSettingsInScopedAccessSettingsrs2-4 9 +r*c(^SmU4SjnU"XU5$)zEHook to process and validate scoped access settings from the request.cURS5=(d URS5nU(a[R"SS5eg)Nr-r,rzThe binding-file cannot be specified at the same time as `--restricted-client-application-names` or `--restricted-client-application-client-ids`.)rrrV)r%legacy_prca_fields_specifieds r(D_ValidateRestrictedClientApplicationNamesAndClientIdsAreNotSpecifiediProcessScopedAccessSettings.._ValidateRestrictedClientApplicationNamesAndClientIdsAreNotSpecified.sT$(#;#;-$$N ! !"L M!$  8 8  ; $r*c>AURS5(dU$T"U5 [U5 [U5 [X5 [ U5 U$)Nr)rrrr r)rDr%r&r#s r(r+ProcessScopedAccessSettings.._Start<sI  # #N 3 3 jHN(-05.t91#6 Jr*rq)rDr%r&rr#s @r(ProcessScopedAccessSettingsr'+s    # &&r*c(^\rSrSrU4SjrSrU=r$)InvalidFormatErroriLcL>[[U] USRU55 g)NaInvalid format: {} A binding-file is a YAML-formatted file containing a single gcpUserAccessBinding. For example: scopedAccessSettings: - scope: clientScope: restrictedClientApplication: name: Cloud Console activeSettings: accessLevels: - accessPolicies/123/accessLevels/access_level_1 dryRunSettings: accessLevels: - accessPolicies/123/accessLevels/dry_run_access_level_1 - scope: clientScope: restrictedClientApplication: clientId: my_client_id.google.com activeSettings: accessLevels: - accessPolicies/123/accessLevels/access_level_2 dryRunSetting: accessLevels: - accessPolicies/123/accessLevels/dry_run_access_level_2 )rr)rrW)rpathreasonrs r(rInvalidFormatError.__init__Ns+ d,  O2 &  9r*rq)rrrrrrrrs@r(r)r)Ls   r*r)c^^SmUU4SjnU$)zParse a GcpUserAccessBinding from a YAML file. Args: api_version: str, the API version to use for parsing the messages Returns: A function that parses a GcpUserAccessBinding from a file. cP[U5S:a[R"SS5eg)Nrz --input-filez{The input file contains more than one GcpUserAccessBinding. Please specify only one GcpUserAccessBinding in the input file.)rrrV)bindingss r(#_ValidateSingleGcpUserAccessBindingUParseGcpUserAccessBindingFromBindingFile.._ValidateSingleGcpUserAccessBinding{s/ 8}q  8 8  L r*c>[R"U[R"TS9RS5nT"U5 [ XS5R 5 US$)NrAFr)r )ParseAccessContextManagerMessagesFromYamlrrIrJ&GcpUserAccessBindingStructureValidatorValidate)r+r0r1 api_versions r(2_ParseVersionedGcpUserAccessBindingFromBindingFiledParseGcpUserAccessBindingFromBindingFile.._ParseVersionedGcpUserAccessBindingFromBindingFilesT?? d{3HH%H(1*4!=FFH A;r*rq)r7r8r1s` @r((ParseGcpUserAccessBindingFromBindingFiler:qs <;r*cT\rSrSrSrSrSrSrSrSr Sr S r S r S r S rS rg)r5izGValidates a GcpUserAccessBinding structure against unrecognized fields.cXlX lgr)r+gcp_user_access_binding)rr+r=s r(r/GcpUserAccessBindingStructureValidator.__init__s I#: r*cURUR5 URURR5 g)z-Validates the GcpUserAccessBinding structure.N)3_ValidateAllFieldsRecognizedForGcpUserAccessBindingr=_ValidateScopedAccessSettingsr)rs r(r6/GcpUserAccessBindingStructureValidator.Validates8<< $$ && $$99r*cU(a[[U55HinXnURU5 URUR5 UR UR 5 UR UR5 Mk gg)z-Validates the ScopedAccessSettings structure.N)ranger_ValidateAllFieldsRecognized_ValidateAccessScoper_ValidateAccessSettingsrr)rscoped_access_settings_listirs r(rADGcpUserAccessBindingStructureValidator._ValidateScopedAccessSettingssv"S456!!">? $$%;%J%JK $$%;%J%JK 7#r*clU(a-URU5 URUR5 gg)z$Validates the AccessScope structure.N)rE_ValidateClientScoper)r access_scopes r(rF;GcpUserAccessBindingStructureValidator._ValidateAccessScopes, '' 5  8 89r*clU(a-URU5 URUR5 gg)z(Validates the AccessScopeType structure.N)rE$_ValidateRestrictedClientApplicationr)rrs r(rL;GcpUserAccessBindingStructureValidator._ValidateClientScopes/ '' 5 //  2 2r*c6U(aURU5 gg)z+Validates the RestrictedClientApplications.NrE)rrestricted_client_applications r(rPKGcpUserAccessBindingStructureValidator._ValidateRestrictedClientApplications$ ''(EF%r*c6U(aURU5 gg)zValidate the SessionSettings.NrS)rrs r(r?GcpUserAccessBindingStructureValidator._ValidateSessionSettingss ''(89r*clU(a-URU5 URUR5 gg)z'Validates the AccessSettings structure.N)rErr)rrs r(rG>GcpUserAccessBindingStructureValidator._ValidateAccessSettingss, ''8 ##O$C$CDr*c >S/n[5n/nURU:waURS5 URU:waURS5 URbURS5 UR (aURS5 [ US5(aURbURS5 URbURS5 UR(aURS 5 UR5(aURUR55 U(ab[URS R[UR 5R"S R%U5S R%U555eg) adValidates that all fields in the GcpUserAccessBinding are recognized. Note:Because ScopedAccessSettings is the only field supported in the GcpUserAccessBinding, a custom validation is required. Args: gcp_user_access_binding: The GcpUserAccessBinding to validate Raises: InvalidFormatError: if the GcpUserAccessBinding contains unrecognized fields rr`raNgroupKeyrSrrrKz@"{}" contains unrecognized fields: [{}]. Valid fields are: [{}].r)rr`addrar[rShasattrrrrKall_unrecognized_fieldsupdater)r+rWtyper=rr!)rr= valid_fieldsunrecognized_fields empty_lists r(r@ZGcpUserAccessBindingStructureValidator._ValidateAllFieldsRecognizedForGcpUserAccessBindings_++L%J++z9n-11Z?23''3j)##f%'55 # - - 9k*..:/0;;<=6688  ! 9 9 ;  )) L 64//099ii+,ii %  r*c ZUR5(a[U5nUR5Vs/sHo3RPM nn[ UR SR URSRUR55SRU555egs snf)zValidates that all fields in the message are recognized. Args: message: object to validate Raises: InvalidFormatError: if the message contains unrecognized fields z?"{}" contains unrecognized fields: [{}]. Valid fields are: [{}]rN) r^r` all_fieldsrSr)r+rWrr!)rmessage message_typefras r(rECGcpUserAccessBindingStructureValidator._ValidateAllFieldsRecognizeds&&((']l&2&=&=&?@&?ff&?l@  )) K 6##ii779:ii %  )@sB()r=r+N)rrrrrrr6rArFrLrPrrGr@rErrqr*r(r5r5s;O;L: G : E 0dr*r5r)/r __future__rrrrapitools.base.pyr+googlecloudsdk.api_lib.accesscontextmanagerrgooglecloudsdk.callioperr/googlecloudsdk.command_lib.accesscontextmanagerr googlecloudsdk.corecore_exceptionsr r googlecloudsdk.core.utilr r r)r/r>rErCrGrhrrrrrErrorrrrrrr rr'ParseFileErrorr)r:r5rqr*r(rusC&' %<EB=*)1* , > ,L , `(,(V