YoSrSSKJr SSKJr SSKJr SSKJr SSKJr SSKJ r SSK J r SS K J r SS K Jr SS KJr SS KJr SS KJr SSKJr SSKJr SSKJr SSKJr SSKJr SSKJr SSKJr SSKr\R@r "SS\RB5r""SS\"5r#"SS\"5r$Sr%Sr&Sr'Sr(S r)SNS!jr*S"r+S#r,SNS$jr-S%r.S&r/S'r0S(r1SNS)jr2S*r3SNS+jr4S,r5SNS-jr6S.r7S/r8SOS0jr9SPS1jr:SOS2jr;SPS3jrS6r?S7r@S8rAS9rBS:rCSPS;jrDS<rES=rFS>rGS?rHSOS@jrISArJSBrKSPSCjrLSDrMSErNSFrOSGrPSHrQSNSIjrRSJrSSKrTSLrUSMrVg)Qz9Command line processing utilities for service perimeters.)absolute_import)division)unicode_literals)encoding) acm_printer)util)apis)waiter)base)concepts)common)levels)policies) arg_utils)repeated)concept_parsers) exceptions) resources)yamlNc(^\rSrSrU4SjrSrU=r$) ParseError*cJ>[[U] SRX55 g)NzIssue parsing file [{}]: {})superr__init__format)selfpathreason __class__s Alib/googlecloudsdk/command_lib/accesscontextmanager/perimeters.pyrParseError.__init__,s! * 6==dKL__name__ __module__ __qualname____firstlineno__r__static_attributes__ __classcell__r s@r!rr*sMMr#rc(^\rSrSrU4SjrSrU=r$)InvalidMessageParseError1c >UR5Vs/sHoDRPM nn[[U]USR USR U555 gs snf)NzwThe YAML-compliant file of messages provided contains errors: {} The objects in this file can contain the fields [{}]., ) all_fieldsnamerr.rrjoinrrr message_classf valid_fieldsr s r!r!InvalidMessageParseError.__init__3sZ$1$<$<$>?$>qFF$>L? "D2   ,(?@ B@Ar$r%r,s@r!r.r.1sBBr#r.c(^\rSrSrU4SjrSrU=r$)InvalidFormatError<c >UR5Vs/sHoDRPM nn[[U]USR USR U555 gs snf)NaInvalid format: {} A service perimeter file is a YAML-formatted list of service perimeters, which are YAML objects with the fields [{}]. For example: - name: my_perimeter title: My Perimeter description: Perimeter for foo. perimeterType: PERIMETER_TYPE_REGULAR status: resources: - projects/0123456789 accessLevels: - accessPolicies/my_policy/accessLevels/my_level restrictedServices: - storage.googleapis.comr1)r2r3rr<rrr4r5s r!rInvalidFormatError.__init__>s^$1$<$<$>?$>qFF$>L? d, .06vf6:ii 6M0OP@r:r$r%r,s@r!r<r<<sPPr#r<c4UR5nU(dAURc([U5RR5UlUR$URc([U5RR5UlUR$)aReturns the appropriate config for a Service Perimeter. Args: perimeter_result: The perimeter resource. dry_run: Whether the requested config is the dry-run config or the enforced config. Returns: Either the 'status' (enforced) or the 'spec' (dry-run) Perimeter config. )Getstatustypespec)perimeter_resultdry_run perimeters r! _GetConfigrHSsv""$) i//446i   ~~I++002in >>r#c[5nUH9nUR5(dMURUR55 M; U(a7[USR SR U55[ US55eg)NzUnrecognized fields: [{}]r1r)setall_unrecognized_fieldsupdater<rr4rC)r conditionsunrecognized_fields conditions r!_ValidateAllFieldsRecognizedrPisxi((**  !B!B!DE  #**4995H+IJ Z] r#cSnSnSnSnURRnU(d[R"US9RnUR S5(a[ US5nSnUR S5(a[ US5nSnU(a=[ US5nU(d[ [R"US9S5nXClXSl[USU5 XqRlU$) zBAdd the particular service filter message based on specified args.NFversionvpc_allowed_servicesTenable_vpc_accessible_servicesvpcAccessibleServicesVpcAccessibleServices) servicePerimeterrBr GetMessagesServicePerimeterConfig IsSpecifiedgetattrallowedServicesenableRestrictionsetattr)argsreqrSservice_restriction_configallowed_servicesenable_restrictionrestriction_modifiedservice_perimeter_configs r!_AddVpcAccessibleServicesFilterrgus# 1188 ! )@@ ,--t%;< 677 'GH!()A)@"B % $""735L M!1A.3E0 "$; $& 8 *r#cA[XS5$)Nv1)AddVpcAccessibleServicesrefr`ras r!AddVpcAccessibleServicesGArms !$T 22r#cLAURS5(d [XS5$U$)Nvpc_accessible_servicesv1alpha)r[rgrks r!AddVpcAccessibleServicesAlpharqs)  3 4 4 *4i @@ *r#c[XU5$)z1Hook to add the VpcAccessibleServices to request.)rg)r`rarSs r!rjrjs (G <%'%jjl!!#%  Y3356+ #33:: #   7 + B B,9)": *r#c$AA[R"SS9nURRURR R :XaAURRnU(d URnS/Ul XBRlU$)aAdd wildcard for unrestricted services to message if type is regular. Args: ref: resources.Resource, the (unused) resource args: argparse namespace, the parse arguments req: AccesscontextmanagerAccessPoliciesAccessZonesCreateRequest Returns: The modified request. v1betarR*) rrYrX perimeterTypeServicePerimeterPerimeterTypeValueValuesEnumPERIMETER_TYPE_REGULARrBrZunrestrictedServices)rlr`ramrfs r!&AddImplicitUnrestrictedServiceWildcardrs 4 x(!''55LLN"33:: #!"!9!958E1": *r#c,[R"SSS9$)NrGz The ID of the service perimeter.)r3 help_text)r ResourceParameterAttributeConfigr$r#r!_GetAttributeConfigrs  2 2 "D FFr#cf[R"SS[R"5[ 5S9$)Nz5accesscontextmanager.accessPolicies.servicePerimetersrG) resource_nameaccessPoliciesIdservicePerimetersId)r ResourceSpecrGetAttributeConfigrr$r#r!_GetResourceSpecrs-   =224-/  11r#c[RRS[5SR U5SS9R U5 g)zAdd a resource argument for a service perimeter. NOTE: Must be used only if it's the only resource arg in the command. Args: parser: the parser for the command. verb: str, the verb to describe the resource, such as 'to update'. rGzThe service perimeter {}.T)requiredN)r ConceptParser ForResourcerr AddToParser)parserverbs r!AddResourceArgrsC++!((. ,![(r#c[R"S[R"US9RR SSS.SSS9$) Nz--typerRregularbridge)rPERIMETER_TYPE_BRIDGEFa~ Type of the perimeter. A *regular* perimeter allows resources within this service perimeter to import and export data amongst themselves. A project may belong to at most one regular service perimeter. A *bridge* perimeter allows resources in different regular service perimeters to import and export data between each other. A project may belong to multiple bridge service perimeters (only if it also belongs to a regular service perimeter). Both restricted and unrestricted service lists, as well as access level lists, must be empty. )custom_mappingsrhelp_str)rChoiceEnumMapperrrYrrrRs r!GetTypeEnumMapperrsJ  # # ++,H,H$-#+  r#c:Ucg[US9RU5$)aReturns the PerimeterTypeValueValuesEnum value for the given short name. Args: perimeter_type_short_name: Either 'regular' or 'bridge'. api_version: One of 'v1alpha', 'v1beta', or 'v1'. Returns: The appropriate value of type PerimeterTypeValueValuesEnum. NrR)rGetEnumForChoice)perimeter_type_short_name api_versions r! GetPerimeterTypeEnumForShortNamers*&   ++,EFGr#c8[R"S5[R"S5[US9R/nUHnUR U5 M [ U5 [U5 [U5 [X5 [U5 [X5 g)z'Add args for perimeters update command.zservice perimeterrRN) r GetDescriptionArg GetTitleArgr choice_argr _AddResources_AddRestrictedServices_AddLevelsUpdate'AddUpdateVpcAccessibleServicesGroupArgs AddEtagArg%AddUpdateDirectionalPoliciesGroupArgs)rrSr`args r!AddPerimeterUpdateArgsr(s 23 ,-(33 $ cOOF 6)&: V'8r#crUS:Xa&URSS9n[U5 [U5 g[U5 g)z.Conditional logic for VPC Accessible Services.rpzMThese flags modify the VpcAccessibleServices of this ServicePerimeter config.)helpN)add_mutually_exclusive_group*_AddSetClearVpcAccessibleServicesArgsAlpha_AddVpcRestrictionArgs)rrS mutex_groups r!rr9s@ 55 '6K /{;;'6"r#c0[X5 [X5 gN)"_AddUpdateIngressPoliciesGroupArgs!_AddUpdateEgressPoliciesGroupArgs)rrSs r!rrIs$V5#F4r#cUR5n[U5 UR5n[USS9 [ USS9 [ USS9 [ U5 g)z6Add args for perimeters update-dry-run-config command.F) include_setN)r_AddClearDryRunConfigArgadd_argument_grouprrrr)rupdate_dry_run_group config_groups r!"AddPerimeterUpdateDryRunConfigArgsrNsP <<>/0%88:, %059`.)additional_helprrAddPrimitiveArgsrrs r!rrds$  5r#c@^^[R"USUU4Sj5$)Nrc0>[TT5R$r)rHrrFrEsr! ParseResources..rsj)73==r#rParsePrimitiveArgsr`rErFs ``r!ParseResourcesros  $ $ K= ??r#c 8[R"USSSSSUS9 g)NrGzrestricted-serviceszrestricted servicesSERVICEz\The perimeter boundary DOES apply to these services (for example, `storage.googleapis.com`).metavarrrrrs r!rrus'   ' r#c@^^[R"USUU4Sj5$)Nrestricted_servicesc0>[TT5R$r)rHrestrictedServicesrsr!r)ParseRestrictedServices..sj)73FFr#rrs ``r!ParseRestrictedServicesrs!  $ $ !F HHr#c/SQnSnUVs/sHo3U-PM nnSn[XE/-Vs/sHo`RU5PM sn5$s snfs snf)N)remove_add_clear_rTrU)anyr[)r`list_command_prefixes list_namecommand list_args switch_namers r!_IsServiceFilterUpdateSpecifiedrsa7$)2GH2Gw"2G)H0+ y=/H I/Hs#/H I JJIJs A Ac |UR5n[R"USSSSSUS9 URSSS US 9 g) z>Add to the parser arguments for this service restriction type.rGzvpc-allowed-serviceszvpc allowed services VPC_SERVICEF)rrrz --enable-vpc-accessible-servicesNr)defaultrr)rrr add_argument)r list_help enable_helpgroups r!_AddVpcAccessibleServicesArgsrsT  # # %%   #(   r#cSnURU5nSn[R"SSU[U5S9nSn[R"SUSS 9nUR U5 UR U5 g ) z(Add args for set/clear ingress-policies.zIThese flags modify the enforced IngressPolicies of this ServicePerimeter.aPath to a file containing a list of Ingress Policies. This file contains a list of YAML-compliant objects representing Ingress Policies described in the API reference. For more information about the alpha version, see: https://cloud.google.com/access-context-manager/docs/reference/rest/v1alpha/accessPolicies.servicePerimeters For more information about non-alpha versions, see: https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.servicePerimetersz--set-ingress-policies YAML_FILErrrCz+Empties existing enforced Ingress Policies.z--clear-ingress-policiesrrrN)rr rParseIngressPoliciesr)rr group_helprset_ingress_policies_help_textset_ingress_policies_arg clear_ingress_policies_help_textclear_ingress_policies_args r!rrs$*  - -j 9%r!"]] )  , . 4##}} +  &&u-((/r#cSnURU5nSn[R"SSU[U5S9nSn[R"SUSS 9nUR U5 UR U5 g ) z'Add args for set/clear egress policies.zHThese flags modify the enforced EgressPolicies of this ServicePerimeter.aPath to a file containing a list of Egress Policies. This file contains a list of YAML-compliant objects representing Egress Policies described in the API reference. For more information about the alpha version, see: https://cloud.google.com/access-context-manager/docs/reference/rest/v1alpha/accessPolicies.servicePerimeters For more information about non-alpha versions, see: https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.servicePerimetersz--set-egress-policiesrrz*Empties existing enforced Egress Policies.z--clear-egress-policiesrrN)rr rParseEgressPoliciesr)rrrrset_egress_policies_help_textset_egress_policies_argclear_egress_policies_help_textclear_egress_policies_args r!rrs$*  - -j 9%r !MM ( { + - 3""mm * %%e,''.r#cSn[R"SSU[S5S9nSn[R"SUSS 9nURU5 URU5 g ) z/Add args for set/clear vpc accessible services.aPath to a file containing a VpcAccessibleServices object. This file contains a YAML-compliant object representing VpcAccessibleServices described in the API reference. For more information about the alpha version, see: https://cloud.google.com/access-context-manager/docs/reference/rest/v1alpha/accessPolicies.servicePerimeters For more information about non-alpha versions, see: https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies.servicePerimetersz--set-vpc-accessible-servicesrrprz0Empties existing enforced VpcAccessibleServices.z--clear-vpc-accessible-servicesrrN)r rParseVpcAccessibleServicesr)r%set_vpc_accessible_services_help_textset_vpc_accessible_services_arg'clear_vpc_accessible_services_help_text!clear_vpc_accessible_services_args r!rrsqr(%)MM% 0 %i 0 %!9*'+mm' 2 '# "--f5#//7r#cURSS5n[USU-5n[USU-S5nU(agUbUS4$g) zcReturn values for clear_/set_ vpc-accessible-services command line args, and whether they were set.-_rset_N)NTT)NFreplacer\r`arg_nameunderscored_nameclearrs r!$ParseUpdateVpcAccessibleServicesArgsrsT%%c3/ $#33 4% v 00$ 7$   : r#cURSS5n[USU-5n[USU-S5nU(a/$UbU$g)zHReturn values for clear_/set_ ingress/egress-policies command line args.rrrrNrrs r!"ParseUpdateDirectionalPoliciesArgsr! sQ%%c3/ $#33 4% v 00$ 7$ I  K r#c^^[U5(aM[TT5n[USS5c3[[R"SU5S5"5n[ USU5 UU4Sjn[ R"USU5$)z,Parse service restriction related arguments.rVNaccesscontextmanagerrWcD>[[TT5S5R$)NrV)r\rHr]rsr! FetchAllowed)ParseVpcRestriction..FetchAllowed&s# #W- !!01r#rT)rrHr\r GetMessagesModuler_rr)r`rErSrFconfigrestriction_messager%s ` ` r!ParseVpcRestrictionr*s~$T**(' 2Fv.5=#  !7 A !#%f-/BC1  $ $T+A< PPr#c2[R"XSS9S$)z7Parse a YAML representation of a single message object.F)is_listr)r )ParseAccessContextManagerMessagesFromYaml)rr6s r!_ParseSingleMessageFromFiler..s$  9 9 5  r#c^U4SjnU$)zKReturns a function that parses a VpcAccessibleServices message from a file.cV>[R"TS9n[XR5$NrR)rrYr.rW)rmessagesrs r!_Parse*ParseVpcAccessibleServices.._Parse:s$ 4H &t-K-K LLr#r$)rr3s` r!rr7sM -r#c[USSS9 g)zAAdd arguments related to the VPC Accessible Services to 'parser'.zZServices allowed to be called within the Perimeter when VPC Accessible Services is enabledzWhen specified restrict API calls within the Service Perimeter to the set of vpc allowed services. To disable use '--no-enable-vpc-accessible-services'.)rrrN)rrs r!rrAs +B Dr#c(URSSSSS9 g)Nz--etagetagaThe etag for the version of the Access Policy that this operation is to be performed on. If, at the time of the operation, the etag for the Access Policy stored in Access Context Manager is different from the specified etag, then the commit operation will not be performed and the call will fail. If etag is not provided, the operation will be performed as if a valid etag is provided.)rrr)rr6s r!rrLs# )  *r#c 8[R"USSSSSUS9 g)NrGz access-levelsz access levelsLEVELzAn intra-perimeter request must satisfy these access levels (for example, `MY_LEVEL`; must be in the same access policy as this perimeter) to be allowed.rrrs r!rrZs)   & r#cZ[RU[RS9R$)N collection)rParser COLLECTIONr~) level_names r!_GetLevelIdFromLevelNamerAhs!  v/@/@ A P PPr#c Ucg/nUH]nURS5(aURU5 M,UR[R[R XS95 M_ U$)zGReturns the FULL Access Level names, prepending Policy ID if necessary.NzaccessPolicies/)rr~)rrrrrr?) level_ids policy_idfinal_level_idsls r!ExpandLevelNamesIfNecessaryrGlsl / a||%&&Q //)  OP  r#cZ^^UU4Sjn[R"USU5n[XR5$)zProcess repeated level changes.cn>[TT5RVs/sHn[U5PM sn$s snfr)rHrrA)rFrFrEs r! GetLevelIds ParseLevels..GetLevelIds~s=,g6CC CA !#C  s2r|)rrrG)r`rErDrFrJrCs ` ` r! ParseLevelsrL{s) ))$M) $Y ::r#c^U4SjnU$)NcT>[U[R"TS9R5$r1)!ParseAccessContextManagerMessagesrrY IngressPolicyrrs r!ParseVersionedIngressPolicies;ParseIngressPolicies..ParseVersionedIngressPoliciess' ,  -;; ==r#r$)rrRs` r!rrs= '&r#c^U4SjnU$)NcT>[U[R"TS9R5$r1)rOrrY EgressPolicyrQs r!ParseVersionedEgressPolicies9ParseEgressPolicies..ParseVersionedEgressPoliciess' ,  -:: </B>B B3 !B..B3c[USS9$ry)ParseReplaceServicePerimetersResponseBaselro unused_argss r!*ParseReplaceServicePerimetersResponseAlpharqs 23 JJr#c[USS9$rtrlrns r!'ParseReplaceServicePerimetersResponseGArss 23 EEr#c:[R"US9n[RR UR SS9n[ R"URURU5n[R"XCSRUR555$)aParse the Long Running Operation response of the ReplaceServicePerimeters call. Args: lro: Long Running Operation response of ReplaceServicePerimeters. version: version of the API. e.g. 'v1beta', 'v1'. Returns: The replacement Service Perimeters created by the ReplaceServicePerimeters call. Raises: ParseResponseError: if the response could not be parsed into the proper object. rRzaccesscontextmanager.operationsr<z5Waiting for Replace Service Perimeters operation [{}])r GetClientrrr>r3r BulkAPIOperationPoller accessPolicies_servicePerimeters operationsr WaitForrName)rorSclient operation_refpollers r!rmrms >>' *&$$** hh<+>-  ( ( --v/@/@- Q&  =DD      !!r#c URcUR(agURcURcg/nURnUR(dUnURS5 O URnUc$[R "US9nUR 5nX0lX@lURSRURURRS5S-S55 URS RUR55 URS RUR=(d S 55 [S RU55 [R"US 5 g)z6Generates a diff string by comparing status with spec.NzAThis Service Perimeter has been marked for deletion dry-run mode.zAThis Service Perimeter has no dry-run or enforcement mode config.zThis Service Perimeter does not have an explicit dry-run mode configuration. The enforcement config will be used as the dry-run mode configuration.rRz name: {}/z title: {}z type: {}r zdiff[format=yaml](status, spec))rDuseExplicitDryRunSpecrBrrrYrZrr3rfindtitlerprintr4rPrint)rGroutputrBrDr2s r!GenerateDryRunConfigDiffrsC^^ ? ? N).."8 N &   &  ( ( D MMDE >>D ^ 4H  , , .F.-- ##INN9>>3G3G3L344546%789-- $$Y__56-- ##I$;$;%=$<>? & I@Ar#r)T)F)W__doc__ __future__rrrapitools.base.pyr+googlecloudsdk.api_lib.accesscontextmanagerrrgooglecloudsdk.api_lib.utilr r googlecloudsdk.callioper googlecloudsdk.calliope.conceptsr /googlecloudsdk.command_lib.accesscontextmanagerr rr$googlecloudsdk.command_lib.util.apisr$googlecloudsdk.command_lib.util.argsr(googlecloudsdk.command_lib.util.conceptsrgooglecloudsdk.corerrrr^rErrorrr.r<rHrPrgrmrqrjrwrzrvrrrrrrrrrrrrrrrrrrrrrr!r*r.rrrrrArGrLrr rOrgrirerqrsrmrr$r#r!rs@&'%C<,.(5BBD:9D*)$   M!!MBzBPP.,   F3  = ;@ , 0F 1 ) 4G"9" # 5 '? HK$0:/:8<  Q(D * Q  ;'&4=8:KF!6Br#