g3dZddlZddlZddlZddlZdZ dZ dZ dZdZ Gdd e Z Gd d ejjZy) a6Non-API-specific IAM policy definitions For allowed roles / permissions, see: https://cloud.google.com/iam/docs/understanding-roles Example usage: .. code-block:: python # ``get_iam_policy`` returns a :class:'~google.api_core.iam.Policy`. policy = resource.get_iam_policy(requested_policy_version=3) phred = "user:phred@example.com" admin_group = "group:admins@groups.example.com" account = "serviceAccount:account-1234@accounts.example.com" policy.version = 3 policy.bindings = [ { "role": "roles/owner", "members": {phred, admin_group, account} }, { "role": "roles/editor", "members": {"allAuthenticatedUsers"} }, { "role": "roles/viewer", "members": {"allUsers"} "condition": { "title": "request_time", "description": "Requests made before 2021-01-01T00:00:00Z", "expression": "request.time < timestamp("2021-01-01T00:00:00Z")" } } ] resource.set_iam_policy(policy) Nz roles/ownerz roles/editorz roles/viewerz_Assigning to '{}' is deprecated. Use the `policy.bindings` property to modify bindings instead.zWDict access is not supported on policies with version > 1 or with conditional bindings.ceZdZdZy)InvalidOperationExceptionz1Raised when trying to use Policy class as a dict.N)__name__ __module__ __qualname____doc__P/var/www/django_project/virt/lib/python3.12/site-packages/google/api_core/iam.pyrrMs;r rceZdZdZefZ efZ efZ ddZ dZ dZ dZ dZdZd Zd Zed Zej(d Zed Zej(dZedZej(dZedZej(dZedZedZedZedZedZedZedZ dZ!y)Policya1IAM Policy Args: etag (Optional[str]): ETag used to identify a unique of the policy version (Optional[int]): The syntax schema version of the policy. Note: Using conditions in bindings requires the policy's version to be set to `3` or greater, depending on the versions that are currently supported. Accessing the policy using dict operations will raise InvalidOperationException when the policy's version is set to 3. Use the policy.bindings getter/setter to retrieve and modify the policy's bindings. See: IAM Policy https://cloud.google.com/iam/reference/rest/v1/Policy Policy versions https://cloud.google.com/iam/docs/policies#versions Conditions overview https://cloud.google.com/iam/docs/conditions-overview. Nc.||_||_g|_yN)etagversion _bindings)selfrrs r __init__zPolicy.__init__rs  r cH|jd|jDS)Nc32K|]}|ds |dyw)membersroleNr ).0bindings r z"Policy.__iter__..zsTGASTs  )__check_version__rrs r __iter__zPolicy.__iter__ws  Tt~~TTr cf|jtt|jSr)rlenlistrrs r __len__zPolicy.__len__|s$  4 ())r c|j|jD]}|d|k(s |dcS|td}|jj||dSNrrrr)rrsetappend)rkeyb new_bindings r __getitem__zPolicy.__getitem__sb   $AyC|# $ #su5  k*9%%r c|jt|}|jD]}|d|k(s ||d<y|jj||dyr$)rr&rr')rr(valuers r __setitem__zPolicy.__setitem__s\  E ~~ Gv#%%* "  su=>r c|j|jD]'}|d|k(s |jj|yt|)Nr)rrremoveKeyError)rr(r)s r __delitem__zPolicy.__delitem__sN   AyC%%a( smr c|jduxr|jdkD}|s|jrtty)z[Raise InvalidOperationException if version is greater than 1 or policy contains conditions.N)r_contains_conditionsr_DICT_ACCESS_MSG)r raise_versions r rzPolicy.__check_version__s= D0ET\\A5E D557+,<= =8r cL|jD]}|jdyy)N conditionTF)rget)rr)s r r5zPolicy._contains_conditionss, Auu[!- r c|jS)aEThe policy's list of bindings. A binding is specified by a dictionary with keys: * role (str): Role that is assigned to `members`. * members (:obj:`set` of str): Specifies the identities associated to this binding. * condition (:obj:`dict` of str:str): Specifies a condition under which this binding will apply. * title (str): Title for the condition. * description (:obj:str, optional): Description of the condition. * expression: A CEL expression. Type: :obj:`list` of :obj:`dict` See: Policy versions https://cloud.google.com/iam/docs/policies#versions Conditions overview https://cloud.google.com/iam/docs/conditions-overview. Example: .. code-block:: python USER = "user:phred@example.com" ADMIN_GROUP = "group:admins@groups.example.com" SERVICE_ACCOUNT = "serviceAccount:account-1234@accounts.example.com" CONDITION = { "title": "request_time", "description": "Requests made before 2021-01-01T00:00:00Z", # Optional "expression": "request.time < timestamp("2021-01-01T00:00:00Z")" } # Set policy's version to 3 before setting bindings containing conditions. policy.version = 3 policy.bindings = [ { "role": "roles/viewer", "members": {USER, ADMIN_GROUP, SERVICE_ACCOUNT}, "condition": CONDITION }, ... ] rrs r bindingszPolicy.bindingssd~~r c||_yrr<)rr=s r r=zPolicy.bindingss !r ct}|jD]*}|j|dD]}|j|,t |S)zLegacy access to owner role. Raise InvalidOperationException if version is greater than 1 or policy contains conditions. DEPRECATED: use `policy.bindings` to access bindings instead. r )r& _OWNER_ROLESr:add frozensetrresultrmembers r ownersz Policy.ownerssS%% #D((4, # 6" # #  r cztjtjdtt ||t<y)zUpdate owners. Raise InvalidOperationException if version is greater than 1 or policy contains conditions. DEPRECATED: use `policy.bindings` to access bindings instead. rFN)warningswarn_ASSIGNMENT_DEPRECATED_MSGformat OWNER_ROLEDeprecationWarningrr-s r rFz Policy.ownerss/  & - -h CEW !Zr ct}|jD]*}|j|dD]}|j|,t |S)zLegacy access to editor role. Raise InvalidOperationException if version is greater than 1 or policy contains conditions. DEPRECATED: use `policy.bindings` to access bindings instead. r )r& _EDITOR_ROLESr:rArBrCs r editorszPolicy.editorsS&& #D((4, # 6" # #  r cztjtjdtt ||t<y)zUpdate editors. Raise InvalidOperationException if version is greater than 1 or policy contains conditions. DEPRECATED: use `policy.bindings` to modify bindings instead. rQN)rHrIrJrK EDITOR_ROLErMrNs r rQzPolicy.editors /  & - -i E  "[r ct}|jD]*}|j|dD]}|j|,t |S)zLegacy access to viewer role. Raise InvalidOperationException if version is greater than 1 or policy contains conditions. DEPRECATED: use `policy.bindings` to modify bindings instead. r )r& _VIEWER_ROLESr:rArBrCs r viewerszPolicy.viewersrRr cztjtjdtt ||t<y)zUpdate viewers. Raise InvalidOperationException if version is greater than 1 or policy contains conditions. DEPRECATED: use `policy.bindings` to modify bindings instead. rXN)rHrIrJrK VIEWER_ROLErMrNs r rXzPolicy.viewers(rUr c d|S)zFactory method for a user member. Args: email (str): E-mail for this particular user. Returns: str: A member string corresponding to the given user. zuser:r emails r userz Policy.user6s "##r c d|S)zFactory method for a service account member. Args: email (str): E-mail for this particular service account. Returns: str: A member string corresponding to the given service account. zserviceAccount:r r\s r service_accountzPolicy.service_accountBs ',--r c d|S)zFactory method for a group member. Args: email (str): An id or e-mail for this particular group. Returns: str: A member string corresponding to the given group. zgroup:r r\s r groupz Policy.groupOs #$$r c d|S)zFactory method for a domain member. Args: domain (str): The domain for this member. Returns: str: A member string corresponding to the given domain. zdomain:r )domains r rdz Policy.domain[s %&&r cy)zFactory method for a member representing all users. Returns: str: A member string representing all users. allUsersr r r r all_userszPolicy.all_usersgsr cy)zFactory method for a member representing all authenticated users. Returns: str: A member string representing all authenticated users. allAuthenticatedUsersr r r r authenticated_userszPolicy.authenticated_usersps'r c|jd}|jd}|||}|jdg|_|jD] }t|jdd|d<"|S)zFactory: create a policy from a JSON resource. Args: resource (dict): policy resource returned by ``getIamPolicy`` API. Returns: :class:`Policy`: the parsed policy rrr=rr )r:r=r&)clsresourcerrpolicyrs r from_api_reprzPolicy.from_api_repryst,,y)||F#T7#",,z26 AG!$W[[B%?!@GI  A r ci}|j|j|d<|j|j|d<|jrt|jdkDrg}|jD]P}|j d}|s|dt |d}|j d}|r||d<|j |R|r%tjd}t |||d <|S) zRender a JSON policy resource. Returns: dict: a resource to be passed to the ``setIamPolicy`` API. rrrrrr%r9)r(r=) rrrr r:sortedr'operator itemgetter)rrmr=rrr*r9r(s r to_api_reprzPolicy.to_api_reprs  99 #yyHV  << #"&,,HY  >>c$..1A5H>> 1!++i0+26?vg"WK ' K 8I 3< K0OOK0 1))&1'-hC'@$r )NN)"rrrrrLr@rTrPrZrWrrr"r+r.r2rr5propertyr=setterrFrQrX staticmethodr^r`rbrdrgrj classmethodrortr r r r r Ss*=L5 NM6 NM6 U * &?> 11f__"" ! ! ]] ! ! ! ! ^^ " " ! ! ^^ " " $ $ . . % % ' '''&r r )r collectionscollections.abcrrrHrLrTrZrJr6 ExceptionrabcMutableMappingr r r r r~si&P 4 7 7c[  X[__ + +Xr