I+(SrSSKJr SSKJr SSKJr SSKJr SSKJr SSKJr SSK r SS K J r SS K J r SS KJr \"/S Q5r\"/S Q5rSr\"SS/5r\"SSS/5r\"SSS/5rSrSrSrSrSrSrSrSrSr Sr!Sr"g) z"Helper module for the IAM command.)absolute_import)print_function)division)unicode_literals) defaultdict) namedtupleN) protojson)CommandException)storage_v1_messages) userz deleted:userserviceAccountzdeleted:serviceAccountgroupz deleted:groupdomain principal principalSetprincipalHierarchy) projectOwner projectEditor projectVieweraAssigning roles (e.g. objectCreator, legacyBucketOwner) for project convenience groups is not supported by gsutil, as it goes against the principle of least privilege. Consider creating and using more granular groups with which to assign permissions. See https://cloud.google.com/iam/docs/using-iam-securely for more information. Assigning a role to a project group can be achieved by setting the IAM policy directly (see gsutil help iam for specifics).allUsersallAuthenticatedUsers BindingsTupleis_grantbindingsBindingsDictTuplecURURVs/sHn[R"U5PM sn4$s snf)aESerializes the BindingsValueListEntry instances in a BindingsTuple. This is necessary when passing instances of BindingsTuple through Command.Apply, as apitools_messages classes are not by default pickleable. Args: bindings_tuple: A BindingsTuple instance to be serialized. Returns: A serialized BindingsTuple object. )rrr encode_message)bindings_tuplets )platform/gsutil/gslib/utils/iam_helper.pySerializeBindingsTupler"NsA  ! !0>0G0G H0G19 # #A &0G H JJ Hs >c Uup[UUVs/sH2n[R"[RR U5PM4 snS9$s snf)Nrr)rr decode_messageapitools_messagesPolicyBindingsValueListEntry)serialized_bindings_tuplerrr s r!DeserializeBindingsTupler*^sZ28 ,4!,4a%33077NN "+3! !s9A c[[5nUH*nXRRUR5 M, U$)zReformats policy bindings metadata. Args: bindings: A list of BindingsValueListEntry instances. Returns: A {role: set(members)} dictionary. )rsetroleupdatemembersr tmp_bindingsbindings r!BindingsMessageToUpdateDictr3hs7S!,g%%goo6 ch[[5nUHnXSRUS5 M U$)a Reformats policy bindings metadata. Args: bindings: List of dictionaries representing BindingsValueListEntry instances. e.g.: { "role": "some_role", "members": ["allAuthenticatedUsers", ...] } Returns: A {role: set(members)} dictionary. r-r/)rr,r.r0s r!BindingsDictToUpdateDictr6xs8S!,g!(();< r4cn[X5up#UR(+=(a UR(+$)N) DiffBindingsr)abgrantedremoveds r!IsEqualBindingsr=s,#A)7     6g&6&6"66r4c [U5n[U5n[/5n[/5n[R"U5H)upgXVRUR X655 M+ [R"U5H)upgXFRUR X&55 M+ [R"U5VV s/sH5upU (dM[ R RU[U 5S9PM7 nnn [R"U5VV s/sH5upU (dM[ R RU[U 5S9PM7 nnn [SU5[SU54$s sn nfs sn nf)aOComputes the difference between two BindingsValueListEntry lists. Args: old: The original list of BindingValuesListEntry instances new: The updated list of BindingValuesListEntry instances Returns: A pair of BindingsTuple instances, one for roles granted between old and new, and one for roles removed between old and new. r-r/TF) r3six iteritemsr. differencer&r'r(listr) oldnewtmp_oldtmp_newr;r<r-r/rms r!r8r8sQ ( ,' ' ,' ' +' ' +'w/ot M++GM:;0w/ot M++GM:;0 MM'* *&1 O551d1g5N*  MM'* *&1 O551d1g5N*   g & eW(E FF   s E;+E;$ F5+Fc~U(aE[R"U5H*up4U(d [S5eXRU5 M, O8UH2nXR X5 XR U[ 5 M4 [R"U5VVs0sHup4U(dMX4_M snn$s snnf)aPatches a diff list of BindingsValueListEntry to the base. Will remove duplicate members for any given role on a grant operation. Args: base (dict): A dictionary returned by BindingsMessageToUpdateDict or BindingsDictToUpdateDict representing a resource's current IAM policy. diff (dict): A dictionary returned by BindingsMessageToUpdateDict or BindingsDictToUpdateDict representing the IAM policy bindings to add/remove from `base`. is_grant (bool): True if `diff` should be added to `base`, False if it should be removed from `base`. Returns: A {role: set(members)} dictionary created by applying `diff` to `base`. z+Role must be specified for a grant request.)r@rAr r.difference_updateDROP_ALL)basediffrr-r/s r! PatchBindingsrOs&==. LMM j /  j""4:. j""4>2 .1]]4-@ L-@MDG-$--@ LL Ls  B9/B9cURS5(dUS- nURS5n[Vs0sHo3R5U_M nn[Vs0sHo3R5U_M nn[ Vs0sHo3R5U_M nnUSR5nUSR5<SUSR5<3nXt;aXGUS'O;Xu;aXWUS'O.Xv;aXgUS'O!X;aXXRS5uUS'US'SR U5nU(+=(a US[ ;n URS5S:XabUS<SUS<3[;a[SU-5eUS[;aUupOUS[;dU (a Un [n O[SU-5eURS5S:XaPUS<SUS<3[;a Un [n OU (aUupn U <SU <3n OpUupn [X5 U <SU<3n OVURS5S:Xa3URS5unnpU<SU<3n [X5 U <SU<3n O[SU-5eU(aU (d [S5eU RS 5Vs/sHn[U5PM n n[U 5Vs/sH nUU /S .PM nn[UUS 9$s snfs snfs snfs snfs snf) aParses an iam ch bind string to a list of binding tuples. Args: is_grant: If true, binding is to be appended to IAM policy; else, delete this binding from the policy. input_str: A string representing a member-role binding. e.g. user:foo@bar.com:objectAdmin user:foo@bar.com:objectAdmin,objectViewer user:foo@bar.com allUsers deleted:user:foo@bar.com?uid=123:objectAdmin,objectViewer deleted:serviceAccount:foo@bar.com?uid=123 Raises: CommandException in the case of invalid input. Returns: A BindingsDictTuple instance. :rz+Incorrect public member type for binding %szInvalid ch format %szMust specify a role to grant.,r?r$) countsplitPUBLIC_MEMBERSlowerTYPESDISCOURAGED_TYPESjoinr rL_check_member_type ResolveRoler,r)r input_strtokensspublic_memberstypesdiscouraged_typespossible_public_member_or_type possible_typeremoving_discouraged_typememberroles member_type project_id member_idmember_type_p1member_type_p2rHrs r!BindingStringToTupleros*    I ??3 &*89.QGGIqL..9!& 'A779a<% '->?->wwy!|->?#)!9??#4 #AY__.q 0AB-#5>F1I%.5F1I%:!AF1I"177<VAYq hhv)#+lMvay> e : ;;#(;;s#3 4#3a;q>#3% 48;E C 1qfX. ( C Hx @@u: '?j 5 CsK(K-=K2(K7 K<cfU[;a[[5eU[;a[SU-5eg)Nz$Incorrect member type for binding %s)r[r DISCOURAGED_TYPES_MSGrZ)rjr_s r!r]r]/s5%% 0 11% AIM NN r4c6U(d[$SU;aU$SU-$)Nzroles/zroles/storage.%s)rL)r-s r!r^r^6s" O  K d ""r4)#__doc__ __future__rrrr collectionsrrr@apitools.base.protorpcliter gslib.exceptionr "gslib.third_party.storage_apitoolsr r&r,rZr[rqrXrrrLr"r*r3r6r=r8rOror]r^r4r!rzs)&%'#" 0,W    K?Z,DE 2Z4LM  J   *7 !GHMBUApO#r4