=SrSSKJr SSKJr SSKJr SSKrSSKrSSKJr SSK r SSK J r SSK Jr SSKJr SS KJr SS KJr SS KJr SS KJr SS KJr SSKJr SSKJr SSK J!r" SSK#J$r$ SSK%J&r& \ R"SSSSS.5r'Sr(Sr)Sr*\(\)\*4r+Sr,Sr-\ R"\*\*\)\(S.5r.S\*4S\)4S\(4/r/S r0S!r1S"r2S#r3S$r4S1S%jr5S&r6S'r7\Rp"SS(9S2S)j5r9S*r:S+r;S3S,jrS/r?S0r@g)5zFUtility for interacting with `artifacts docker upgrade` command group.)absolute_import)division)unicode_literalsN) exceptions)ResourceExhausted) client_util) organizations) projects_api)folders) storage_api) storage_util)apis)requests)util)log) console_attrzus.zasia.zeu.)zgcr.ioz us.gcr.ioz asia.gcr.ioz eu.gcr.ioz roles/artifactregistry.repoAdminzroles/artifactregistry.writerzroles/artifactregistry.reader)zstorage.objects.getzstorage.objects.listzstorage.objects.createzstorage.objects.delete)/artifactregistry.repositories.downloadArtifacts-artifactregistry.repositories.uploadArtifacts-artifactregistry.repositories.deleteArtifactsrrrz:Too many IAM policies. Analysis cannot be fully completed.c~URSS5n[U5S:XaSRUSUS5$US-$)N:z{0}.{1}.a.appspot.comrz .appspot.com)splitlenformat)projectchunkss 8lib/googlecloudsdk/command_lib/artifacts/upgrade_util.py bucket_suffixr!XsD ==a &[A " ) )&)VAY ?? > !!cL[Un[U5nSRX#5$)Nz)//storage.googleapis.com/{0}artifacts.{1})_DOMAIN_TO_BUCKET_PREFIXr!rdomainrprefixsuffixs r bucket_resource_namer)`s' #F +&  !& 4 ; ;F KKr"c:[Un[U5nSUSU3$)Nzgs://z artifacts.)r$r!r%s r bucket_urlr+gs) #F +&  !&  6( ++r"c$SRU5$)Nz2//cloudresourcemanager.googleapis.com/projects/{0})r)rs r project_resource_namer-ms = D DW MMr"c6[UUSSUS9up4[U5$)aCGenerates an AR-equivalent IAM policy for a GCR registry. Args: domain: The domain of the GCR registry. project: The project of the GCR registry. use_analyze: If true, use AnalyzeIamPolicy to generate the policy Returns: An iam.Policy. Raises: Exception: A problem was encountered while generating the policy. F) skip_bucketfrom_ar_permissions use_analyze)iam_mappolicy_from_map)r&rr1m_s r iam_policyr6rs,     $!  r"c[R"[5nURH*nXRR UR 5 M, U$)zConverts an iam.Policy object to a map of roles to sets of users. Args: policy: An iam.Policy object Returns: A map of roles to sets of users ) collections defaultdictsetbindingsroleupdatemembers)policyrole_to_membersbindings r map_from_policyrBsA ++C0/gLL!((9! r"c [R"5n[5nUR5H6up4UR UR U[ [U55S95 M8 [USS9nURUS9$)zConverts a map of roles to sets of users to an iam.Policy object. Args: role_to_members: A map of roles to sets of users Returns: An iam.Policy. )r<r>cUR$N)r<)bs r !policy_from_map..sAFFr")key)r;) artifacts GetMessageslistitemsappendBindingtuplesortedPolicy)r@messagesr;r<r>s r r3r3s| " " $( V(&,,.md OO&/*  /H"2 3( ( ++r")maxsizecSn/nU(a-U(a [U5nO [X5n[XX45upgONU(a[U[US9upgO5U(a[U[ US9upgO[ X5n [U[ XS9upgUcSU4$[R"[5n U(aPU[SSn [H4upU RXl5n U HnXRU5 M M6 X4$UR5H!up[Un XRU 5 M# [5n[R"[5n[ Hpn Xn U Vs1sHnUR#S5(aMUiM n nU R%U5 U (dMKURU 5 UU RU 5 Mr UU4$s snf)aGenerates an AR-equivalent IAM mapping for a GCR registry. Args: domain: The domain of the GCR registry. project: The project of the GCR registry. skip_bucket: If true, get iam policy for project instead of bucket. This can be useful when the bucket doesn't exist. from_ar_permissions: If true, use AR permissions to generate roles that would not need to be added to AR since user already has equivalent access for docker commands best_effort: If true, lower the scope when encountering auth errors use_analyze: If true, use AnalyzeIamPolicy to generate the policy Returns: (map, failures) where map is a map of roles to sets of users and failures is a list of scopes that failed Raises: Exception: A problem was encountered while generating the policy. N) best_effortrzdeleted:)r-r)get_permissions_using_analyzeget_permissions_with_ancestors_AR_PERMISSIONS _PERMISSIONSr+r8r9r:_AR_PERMISSIONS_TO_ROLES intersectionaddrM_PERMISSION_TO_ROLEr= _AR_ROLES startswithdifference_update)r&rr/r0rVr1perm_to_membersfailuresresource gcs_bucketr@r> needed_permr<memberpermupgraded_members final_mapr4s r r2r2s:/ (&w/h%f6h =.!OX"@ ? #ox $B \{% ! 0 $B \:% ! >++C0/6q9!<=G5 $$_%ABg&!!&)6  $$',,.md t $D  )/ U%%c*)d#G"B'Qj)Aq'GB ./ G$ dO7# H  Cs )GGc[R"US9n/nSn[[UR55H9upx[ U5n U(a[ [X5nO[ [X5n O UR(aURR(d[SURR 55n SR#U 5n U(d[$R&"U 5eSU 3n [(R*"5n [,R.R1U R3SS5S U 35 [4R6"[85nURR:HnUR(d[$R&"[<5eUR>R@bU(d[$R&"S 5e[95nUR>RBH&n[EU5(aMURGU5 M( URHH6nURJH#nURLnUUROU5 M% M8 M X4$![RaB URU 5 U(deU[UR5S- :XaSU4ss $GMf=f) z?Returns a map of permissions to members using AnalyzeIamPolicy. project_idNrc38# UHoRv M g7frE)cause).0errs r 0get_permissions_using_analyze..*sO'N))'Ns zVEncountered errors when analyzing IAM policy. This may result in incomplete bindings: zWarning:red z)Conditional IAM binding is not supported.)(crm GetAncestry enumeratereversedancestorresource_from_ancestoranalyze_iam_policyrYrZapitools_exceptionsHttpForbiddenErrorrNr fullyExplored mainAnalysisrLnonCriticalErrorsjoin ar_exceptionsArtifactRegistryErrorrGetConsoleAttrrstatusPrintColorizer8r9r:analysisResults_ANALYSIS_NOT_FULLY_EXPLORED iamBinding conditionr>is_conveniencer]accessControlListsaccesses permissionr=)rrdr0rVancestryrcanalysisnumr{scopeerrors error_msg warning_msgconrbresultr>rgaclaccessrhs r rWrWsG__ 0( ( ( (*;*;!<=mc "8 ,E  %oxG%lHD >$   x'<'<'J'J Ox'<'<'N'NO OF &!I   / / :: !!*  -  % % 'CJJ Z67q FG++C0/%%55f     / /0L MM "".{  / / 5 eG##++    kk& , ((LL&  $$W-!)#6,  ""[  1 1ooe  H%%&* *X~ + s(I++A KKcURS5=(d) URS5=(d URS5$)Nz projectOwner:zprojectEditor:zprojectViewer:)r`)ss r rrOs7ll?#( & '( & 'r"cF[XU5upE[XU5upgXeU-4$rE)recursive_get_rolesget_permissions)rm permissionsrerVrolesrcperms perm_failuress r rXrXWs/( L/%([I% =( ((r"c[R"US9n[R"[5nU(ay[ R "5R[RRU55RH*nXERRUR5 M, /n[UR 5GH1n/nUR"R$S:Xa5[R"[&R("U55RnOUR"R$S:Xa5[*R"UR"R,5RnO\UR"R$S:XaB[.R0"5RUR"R,5RnUH*nXERRUR5 M, GM4 XF4$![2R4an UR7UR"R$S-UR"R,-5 U(deUR"R$S:XaSU4ss $GMf=f)z]Returns a map of roles to members for the given project + ancestors (and bucket if provided).rlrfolder organizationzs/N)rwrxr8r9r:r StorageClient GetIamPolicyr BucketReferenceFromUrlr;r<r=r>rzr{ resourceIdtype projects_util ParseProjectr idr Clientr~rrN) rmrVrerr@rArcrdr;s r rr_s __ 3(++C0/!!# l22:::F G    ll#**7??;   (8,,-hH    ! !Y .##  & &z 2 (     # #x /''(;(;(>(>?HH    # #~ 5  " / /0C0C0F0F G P P ' %,,W__=.*  ""  1 1ooh))..58K8K8N8NNO     ! !Y .X~ / s D*G??A9JJcV/n[R"[5n[R"SS5nUR 5HupgUVs/sHn[ U5(aMUPM nnURUS9n [[R"SS5RRU 5R5n UHn X;dM XLRU5 M M XC4$s snf![Ra%n URU5 U(dU eSn A MSn A ff=f)aqReturns a map of permissions to members for the given roles. Args: permissions: The permissions to look for. All other permissions are ignored. role_map: A map of roles to members. best_effort: If true, warn instead of failing on auth errors. Returns: (map, failures) where map is a map of permissions to members and failures is a list of roles that failed iamv1)nameN)r8r9r:rGetMessagesModulerMrIamRolesGetRequestGetClientInstancerGetincludedPermissionsr~rrNr=) rrole_maprVrcpermission_map iam_messagesr<r>r4requestrole_permissionseps r rrs(**3/.''t4,~~'md!;'Q):q'G;--4-8G    - 5W     )!(&  !!%<  1 1ood  s% C*%C*=AC//D(D##D(ct[R"5nURn[R"5nUR UR UUUS95$![ Ra,nURS:Xa[R"S5eeSnAf[a [R"S5ef=f)aCalls AnalyzeIamPolicy for the given resource. Args: permissions: for the access selector resource: for the resource selector scope: for the scope Returns: An CloudassetAnalyzeIamPolicyResponse. Raises: ResourceExhausted: If the request fails due to analyzeIamPolicy quota. )(analysisQuery_accessSelector_permissions/analysisQuery_resourceSelector_fullResourceNamerizzInsufficient quota for AnalyzeIamPolicy. Use --no-use-analyze-iam to generate IAM policies without using AnalyzeIamPolicy.N) asset GetClientrrKAnalyzeIamPolicy!CloudassetAnalyzeIamPolicyRequestr~ HttpError status_coderrr)rrdrclientservicerSrs r r}r}s ?? & II'    (  # #225@rsbM&'>8H=EK;67,FE#4%00 21 ) )'7 +  !++"#%) -7@4g>4kBA "L, N 4  ,0 T"  W#Wt=#@;?)"#J""J$N9r"