%SrSSKJr SSKJr SSKJr SSKJr SSKJr SSK J r SSK J r "S S 5r "S S 5rS rSrSrSrSrSrSrSrSrSrSrg)z Utils for Fleet scopes commands.)absolute_import)division)unicode_literals)encoding)client) labels_util) exceptionsc6\rSrSrSrSrSrSrSrSr Sr g ) ScopeLogViewConditionzHelper class for creating a scope log view iam condition. This class defines a `get` object method that can be used by the iam util lib to get the iam condition spec. cXlX lgN project_idscope_id)selfrrs =lib/googlecloudsdk/command_lib/container/fleet/scopes/util.py__init__ScopeLogViewCondition.__init__!s  OMcU$rrs r__iter__ScopeLogViewCondition.__iter__&s Krc[er) StopIterationrs r__next__ScopeLogViewCondition.__next__)s rcg)NTrrs r IsSpecified!ScopeLogViewCondition.IsSpecified-s rc US:XagUS:XaSRUR5$US:XaQSURSURSURS URSURSURS 3 $g) Ntitlezconditional log view access descriptionzlog view access for scope {} expressionzresource.name == "projects/z+/locations/global/buckets/fleet-o11y-scope-z/views/fleet-o11y-scope-z.-k8s_container" || resource.name == "projects/z -k8s_pod")formatrr)rcondition_specs rgetScopeLogViewCondition.get0s *& + 2 24== AA% ((STXTaTaSbbz{|I|I{JJ((STXTaTaSbbz{|I|I{JJS T&rrN) __name__ __module__ __qualname____firstlineno____doc__rrrr!r)__static_attributes__rrrr r s    rr c\rSrSrSrSrSrg)AppOperatorBinding?zHelper class for containing a principal with their project-level IAM role, fleet scope-level role, and fleet scope RBAC role. cLXlX lX0lX@lXPlX`lgr) principal overall_rolescope_rrb_rolescope_iam_roleproject_iam_rolelog_view_access)rr5r6r7r8r9r:s rrAppOperatorBinding.__init__Cs-N%))-*r)r:r6r5r9r8r7N)r+r,r-r.r/rr0rrrr2r2?s +rr2c2AAURS-UlU$)zSet parent collection with location for created resources. Args: ref: reference to the scope object. args: command line arguments. request: API request to be issued Returns: modified request z /locations/-)parentrefargsrequests rSetParentCollectionrBYs 4>>N2'. .rcTAAURbUR(dSUlU$)Nname) updateMaskr>s rCheckUpdateArgumentsrFis( 4 w'9'9G .rc/nURR5n[R"U5n[R R U5n[R "URURUR5nURUR55nURURRRUR 5R#5nU(aUR%S5 URURRR&UR(5R#5n U (aUR%S5 U(d)URRUR5S9n U $UR+UR5XSR-U55$)zAdd namespace labels to update request. Args: ref: reference to the scope object. args: command line arguments. Returns: response labelsnamespace_labels)rD,)calliope_command ReleaseTrackr FleetClientrDiffFromUpdateArgsupdate_namespace_labelsremove_namespace_labelsclear_namespace_labelsGetScope RelativeNameApplymessagesScope LabelsValuerH GetOrNoneappendNamespaceLabelsValuenamespaceLabels UpdateScopejoin) r?r@mask release_track fleetclient labels_diffnamespace_labels_diff current_scope new_labelsnew_namespace_labelsresponses r"HandleNamespaceLabelsUpdateRequestrhpsy $''446-""=1+  //5+%** "" "" !! &&s'7'7'9:-    ,,m.B.B IK KK/44  55##IKKK"# ##))s/?/?/A)BH O   *CHHTN rc@AURR5n[R"U5n[R "UR S9nURURRRS5R5nXbRl U$)zAdd namespace labels to create request. Args: ref: reference to the scope object. args: command line arguments. request: API request to be issued Returns: modified request ) additionsN)rKrLrrMrrNrIrUrVrWr[rYscoper\)r?r@rAr`rarc ns_labelss r"HandleNamespaceLabelsCreateRequestrms ''446-""=1+%**T5J5JK#))  55t IK #,-- .rcU(a8URS5(aU$URS5(aSU-$SU-$U(aURS5(aU$SU-$[R"S5e)aReturns Iam member for the specified RBAC user/group. Args: user: user email, principal or None group: group email, principal set or None Returns: an Iam member, e.g., "user:person@google.com" or "group:people@google.com" Raises: a core.Error, if both user and group are None z principal://zgserviceaccount.comzserviceAccount:zuser:zprincipalSet://zgroup:z&User or group is required in the args.) startswithendswithr Error)usergroups rIamMemberFromRbacrts{  ~&& k }}*++  %% T>  )** l e . rchUS:XagUS:XagUS:XagU(ag[R"S5e)zReturns Iam scope role (scope-level) based on the specified RBAC role. Args: role: RBAC role Returns: a scope-related Iam role, e.g., "roles/gkehub.scopeEditor" Raises: a core.Error, if the role is not admin, edit, or view adminroles/gkehub.scopeAdmineditroles/gkehub.scopeEditorviewroles/gkehub.scopeViewer:Role is required to be admin, edit, view or a custom role.r rqroles rIamScopeLevelScopeRoleFromRbacrs> W_ $ v~ % v~ % %B rc /SQ$)z4Returns all valid Iam scope roles at scope level. )rwryr{rrrrAllIamScopeLevelScopeRolesrs  rchUS:XagUS:XagUS:XagU(ag[R"S5e)zReturns Iam scope role (project-level) based on the specified RBAC role. Args: role: RBAC role Returns: a scope-related Iam role, e.g., "roles/gkehub.scopeEditorProjectLevel" Raises: a core.Error, if the role is not admin, edit, or view rv$roles/gkehub.scopeEditorProjectLevelrxrz$roles/gkehub.scopeViewerProjectLevelz,Role is required to be admin, edit, or view.r}r~s r IamProjectLevelScopeRoleFromRbacrs> W_ 1 v~ 1 v~ 1 14 rc SS/$)z6Returns all valid Iam scope roles at project level. rrrrrrAllIamProjectLevelScopeRolesrs-, rcRUR(a UR$[[R"U5S5S:Xag[[R"U5S5S:Xag[[R"U5S5S:Xag[R "S5e) zReturns the RBAC role string from the specifiedRBAC role message. Args: role: RBAC role Returns: RBAC role string (admin, edit, or view) Raises: a core.Error, if the role is not admin, edit, or view predefinedRoleADMINrvEDITrxVIEWrzr|) customRolestrrMessageToPyValuer rqr~s rScopeRbacRoleStringrs __ ?? 8 $ $T *+; <=H  8 $ $T *+; <=G  8 $ $T *+; <=G B rcXUS:XaUS:XagUS:XaUS:XagUS:H=(a US:H$)zDReturns true if the specified RBAC role and scope IAM role match. rvrwTrxryrzr{r) rbac_roler8s rRbacAndScopeIamRolesMatchr4s@'n0II &^/II  f  M3M!MMrN)r/ __future__rrrapitools.base.pyr&googlecloudsdk.api_lib.container.fleetr$googlecloudsdk.command_lib.util.argsrgooglecloudsdk.corer r r2rBrFrhrmrtrrrrrrrrrrsm'&'%9<*""J++4  .b.8262Nr