jlSrSSKrSSKJr SSKJr SSKJr SSK J r SSK Jr SSK J r SSK Jr SS KJr SS KJr S rS rS rSrS&SjrS&SjrSrSrSrSrSrSr"SS\ R<5rSr Sr!Sr"Sr#Sr$Sr%Sr&S r'"S!S"\ RP5r)S#r*"S$S%5r+g)'zr*) rr)0_MakeRestrictedClientApplicationsFromIdentifiersgcpUserAccessBindingr GetMessagesGcpUserAccessBindingrestrictedClientApplicationsrr*)r"r#r? client_ids"restricted_client_application_refs!restricted_client_application_ref client_namess r%r@r@ps+ HII>>J8  6 ' '!%!1!1" .P) ;;BB +.P  CDD;;L8  1 ' '!%!1!1" .P) ;;BB +.P *r'c:/nUbUVs/sHnU(dM UPM nnUHnUS:Xa3UR[R"US9RUS95 M<US:Xa3UR[R"US9RUS95 Mu[R "SR S5S 5e U$s snf! [R "SR S5S5e=f! [R "SR S5S5e=f) zJParse restricted client applications and return their resource references.r)r>)clientId--{}z:Unable to parse input. The input must be of type string[].r*)namearg_namez:The input is not valid for Restricted Client Applications.)rrrF ApplicationrInvalidArgumentExceptionformat)app_identifiersrQr? resource_refs identifierapp_identifiers r%rDrDs>- **J  ) * ? ?   w/;;)<  < <   w/;;;P ":: MM* % H  1*8 E #<<mmFGJ   #<<mmABJ  s! CC0C&0C2(C/2(DcURRnU(aURRn/nUVs/sH oU(dM UPM nnU(dU$U(aSOSnUH4n[RR UUSS9nURU5 M6 U$s snf! [ R"SRU5S5e=f)z9Parse level strings and return their resource references.rr0accesscontextmanager.accessPolicies.accessLevelsparamsr/rOzjThe input must be the full identifier for the access level, such as `accessPolicies/123/accessLevels/abc`.) rE accessLevelsdryRunAccessLevelsrr6r7rrSrTr)r#param is_dry_run level_inputs level_refs level_inputrQ level_refs r%_ParseLevelRefsres))66,++>>L*1=M++,M  ", )(!k $$** G+ii " )N  8 8 -- ! ; s B B *B%%(C c ^ ^ ^ A0n0nSnURS5(aT[RRUR S5SS9nSUR50nUR5US'OAURS5(a [X$S S 9O/nURS 5(a [X$S S 9O/nUVs/sHoR5PM snm UVs/sHoR5PM snm [U 4S jT 55(d [S/5e[U 4SjT 55(d [S/5eT (aT SR5US'T (aT SR5US'[UR55n U R5 [UR!55m [U 4SjT 55(d [U 5eU(a/UVs/sHoR5PM snUR"lU(a/UVs/sHoR5PM snUR"lU$! [ R "SS5e=fs snfs snfs snfs snf)z0Hook to format levels and validate all policies.Npolicy#accesscontextmanager.accessPoliciesr.--policybThe input must be the full identifier for the access policy, such as `123` or `accessPolicies/123.accessPoliciesIdr F)r`rTc32># UH oTS:Hv M g7frN).0x level_parentss r% ProcessLevels..s :Mq-" "Mrc32># UH oTS:Hv M g7frmrn)rorpdry_run_level_parentss r%rrrss J4Iq'* *4Irt--dry-run-levelrc32># UH oTS:Hv M g7frmrn)rorppolicies_valuess r%rrrss >o/!$ $ort)rrr6r7GetValuerrSNamer8reParentallConflictPolicyExceptionlistkeyssortvaluesrEr]r^) r!r"r#policies_to_checkr_ policy_refrbdry_run_level_refsrpflags_to_complainrvrqrys @@@r% ProcessLevelsrsh  %* h'' %%++ -- !:,j !2 3E$.$;$;$=j!  ! !' * *cU3    ! !/ 2 2cT2 (22z!88:z2-/AB/A!88:/AB :M : : : !9+ .. J4I J J J !#4"5 66#0#3#@#@#Bi +@ ,ln'(,1134*1134/ >o > > > !"3 44",-",Q*-C)"43"4Q"43C/ *k  8 8  2 .3B*-3s#-I>I1I62I;(JI.c2U(a[R"U5O[R"SS9nUR[R"SS9R:a[ R "SS5eSR[UR55$)zVProcess the session-length argument into an acceptable form for GCSL session settings.)hoursdaysrz2The session length cannot be greater than one day.z{}s) r ParseDurationr Duration total_secondsrrSrTint)stringdurations r%ProcessSessionLengthr-s|&,e&!1F1FR1P l33;III  6 6<  c(001 22r'cfAURS5(aURS5(dURS5(a[R"SS5e[R"UR R R5RnUS:aSUR lU$US:XaSUR R l U$S UR R l U$URS 5(a[R"S S 5eSUR lU$) aHook to process GCSL session settings. When --session-length=0 make sure the sessionLengthEnabled is set to false. Throw an error if --session-reauth-method or --use-oidc-max-age are set without --session-length. Args: unused_ref: Unused args: The command line arguments req: The request object Returns: The modified request object. Raises: calliope_exceptions.InvalidArgumentException: If arguments are incorrectly set. rr)r*rzXCannot set session length on restricted client applications. Use scoped access settings.rNFTsession_reauth_methodz--session_reauth_methodz;Cannot set --session_reauth_method without --session-length) rrrSr rrEsessionSettings sessionLengthrsessionLengthEnabled)rAr"r#rs r%ProcessSessionSettingsrCs0( .// 2 ! !"G H H  8 8  $  ((   00>>m15c. * 1 FKc..C *GKc..C *  788  8 8 # G  04C, *r'c[R"S5RSU5n[R"SSU5$)Nz([a-z0-9])([A-Z])z\1_\2z_[A-Z]+c@URS5R5$)Nr)grouplower)ms r%&_CamelCase2SnakeCase..ysQWWQZ%5%5%7r')recompilesub)rPs1s r%_CamelCase2SnakeCaserws2 zz%&**8T:"  7 <[[U] SRSR UVs/sHnSRU5PM sn555 gs snf)NzTInvalid value for [{0}]: Ensure that the {0} resources are all from the same policy., z{0})superr~__init__rTr)selfparameter_namesp __class__s r%r ConflictPolicyException.__init__sK !41 $$*F II@1u||A@ A% AsArn)__name__ __module__ __qualname____firstlineno____doc__r__static_attributes__ __classcell__rs@r%r~r~s*r'r~c /nUVs/sH oU(dM UPM nnUH2nUR[RRUUSS95 M4 U$s snf! [R "SR U5U5e=f)aTry to get the access level cloud resources that correspond to the `access levels`. Args: param: The parameters to pass to the resource registry access_levels: The access levels to turn into cloud resources field_name: The name of the field to use in the error message error_message: The error message to use if the access levels cannot be parsed Returns: The access level cloud resources that correspond to the `access levels`. rZr[rO)rrr6r7rrSrT)r_r field_name error_messageaccess_level_resources access_levelaccess_level_inputsaccess_level_inputs r%_TryGetAccessLevelResourcesrs'4'4| l}0 ##    " " K # 0 '  8 8 -- #  s AA.A(Bc[RRUSS9$! [R"SR U5U5e=f)aRTry to get the policy cloud resource that corresponds to the `policy`. Args: policy: The policy to turn into a cloud resource field_name: The name of the field to use in the error message error_message: The error message to use if the policy cannot be parsed Returns: The policy cloud resource that corresponds to the `policy`. rhr.rO)rr6r7rrSrT)rgrrs r%_TryGetPolicyCloudResourcersS    # #8 $   6 6 j!= s  (Ac@^^^SmSmU4SjmUU4SjnU"U5 g)z2Validates the scope in the scoped access settings.cUVs/sHn[UR5PM nn[U5[[U55:wa[R "SS5egs snf)Nrz8ScopedAccessSettings in the binding-file must be unique.)strscopelensetrrS)rrpscopess r%._ValidateScopeInScopedAccessSettingsUniqueness\_ProcessScopesInScopedAccessSettings.._ValidateScopeInScopedAccessSettingsUniquenesssX$: ;$:qc!''l$:F ; 6{c#f+&&  8 8  D '._IsClientScopeSets  //+3+A+A  2 2,(0388:#166; 122  * * ( 6 6  ( (!%(--/#&++0 r'c>UR(a!T"URR5(d[R"SS5eg)Nrz;ScopedAccessSettings in the binding-file must have a scope.)r clientScoperrS)scoped_access_settingrs r%-_ValidateScopeInScopedAccessSettingIsNotEmpty[_ProcessScopesInScopedAccessSettings.._ValidateScopeInScopedAccessSettingIsNotEmptysH & &.?##//// 8 8  G /r'cd>URRnT"U5 UH nT"U5 M gN)rEscopedAccessSettings)r#rrrrs r%_Start4_ProcessScopesInScopedAccessSettings.._Starts2 55JJ23IJ!734IJ"8r'Nrn)r#rrrrs @@@r%$_ProcessScopesInScopedAccessSettingsrs!:K  +r'c6^^SmU4SjmU4SjnU"U5 g)z._IsAccessSettingsSet sC  #11/B  #((* ! & &+ r'cj>T"U5(d%T"U5(d[R"SS5egg)NrzhScopedAccessSettings in the binding-file must have at least one of activeSettings or dryRunSettings set.)rrS)rdry_run_settingsrs r%@_ValidateAccessSettingsInScopedAccessSettingAtLeastOneIsNotEmptyv_ProcessAccessSettingsInScopedAccessSettings.._ValidateAccessSettingsInScopedAccessSettingAtLeastOneIsNotEmptysE  0 09M:: 8 8  3 : 0r'c~>URRnUH nT"URUR5 M" gr)rEractiveSettingsdryRunSettings)r#rrrs r%r<_ProcessAccessSettingsInScopedAccessSettings.._Start$s: 55JJ!7F  . .  . ."8r'Nrn)r#rrrs @@r%,_ProcessAccessSettingsInScopedAccessSettingsr s   +r'c<^^^SmSmSmUUU4SjnU"X5 g)z8Process the access levels in the scoped access settings.c:^X-nU(aUVs/sHoUR5PM snm[U4SjT55(d [U5eU(a=T(a5UR5TSR5:wa[S/U-5eggggs snf)zEValidate that the access levels and policy belong to the same policy.c34># UH nUTS:Hv M g7frmrn)rorpaccess_level_resources_parentss r%rrc_ProcessAccessLevelsInScopedAccessSettings.._ValidateBelongsToSamePolicy..As#1a -a0 01srriN)r|r}r~r8)rdry_run_access_level_resourcespolicy_resourcercombined_access_levelrprs @r%_ValidateBelongsToSamePolicyP_ProcessAccessLevelsInScopedAccessSettings.._ValidateBelongsToSamePolicy2s ?4(3((*3($1&o66 ,**,/2??AB&zl_&DEE B- (sBchU(a&UVs/sHo"R5PM snUlggs snf)aReplace the access levels in the scoped access settings with relative names. For example, { 'activeSettings': { 'accessLevels': [ 'accessPolicies/123/accessLevels/access_level_1' ] } } is replaced with: { 'activeSettings': { 'accessLevels': [ access_level_resources.RelativeName() ] } } Args: access_settings: The access settings to replace the access levels in. access_level_resources: The access level resources to replace the access levels with. N)r8r])rrrps r%5_ReplaceAccessLevelsInAccessSettingsWithRelativeNamesi_ProcessAccessLevelsInScopedAccessSettings.._ReplaceAccessLevelsInAccessSettingsWithRelativeNamesRs3>$:&$:q.. $:&o"&s/cjU(d0OSUR50n/nU(a[UUSS5nU$)aGet the access level resources from the scoped access settings. Args: policy_resource: The policy resource access_levels: The access levels to turn into cloud resources. For example, ['accessPolicies/123/accessLevels/access_level_1'] Returns: The access level cloud resources that correspond to the `access levels`. For example, ['https://accesscontextmanager.googleapis.com/v1/accessPolicies/123/accessLevels/access_level_1'] rkz binding-filezAccess levels in ScopedAccessSettings must contain the full identifier. For example: `accessPolicies/123/accessLevels/access_level_1)r{r)rr r_rs r%_GetAccessLevelResourcesL_ProcessAccessLevelsInScopedAccessSettings.._GetAccessLevelResourcesvsN  /"6"6"8 9  :    =   "!r'c>SnURS5(a[URS5SS5nURRn/n/nUHn/nUR (aKUR R (a0T "X&R R 5nURUS5 /nUR(aLURR (a1T "UURR 5nURUS5 T "UUUS/5 T "UR U5 T "URU5 M T "UUUS/5 /n URR (aT "X!RR 5n U (dT "X!RR5n T "UU U/SQ5 g![Ra NHf=f![Ra N>f=f)Nrgrjrr)rrrw) rrrzrErrr]rrrrSr^) r"r#rraccess_level_resources_sample%dry_run_access_level_resources_samplerrrglobal_access_level_resourcesrrrs r%r:_ProcessAccessLevelsInScopedAccessSettings.._StartsO ))2 -- !  2o!55JJ$&!,.)!7!  . .#22??!9 AANN"  &,,-CA-FG(*$  . .#22??)A  ! 0 0 = =* & .44 *1 - # (     <  . .0F<  . .0NE"8P!%-  %'! ,, (@ 55BB) % ) (@ 55HH) %!%%8 ! 9 9   ! 9 9   s$2GGGGG10G1Nrn)r"r#rrrrs @@@r%*_ProcessAccessLevelsInScopedAccessSettingsr /s&F@"H">Wr r'c2^^SmSmUU4SjnU"U5 g)z;Process the session settings in the scoped access settings.cTUcgURc[R"SS5e[R"UR5R nU[ R"SS9R :a[R"SS5eUS:a[R"SS5eg)NrzISessionSettings within ScopedAccessSettings must include a sessionlength.rrzJSessionLength within ScopedAccessSettings must not be greater than one dayrzDSessionLength within ScopedAccessSettings must not be less than zero)rrrSr rrr r)rrs r%_ValidateSessionSettingsO_ProcessSessionSettingsInScopedAccessSettings.._ValidateSessionSettingss %%-  8 8    ((&&m --15CCC  8 8      8 8   r'cURc[R"S5n[XR5(a&URR R UlO9[R"S5RR R UlURc?[R"UR5RnUS:aSUlOSUlURcSUl gg)Nv1r=rTF) sessionReauthMethodrrF isinstanceSessionSettings"SessionReauthMethodValueValuesEnumLOGINrr rrr useOidcMaxAge)r v1_messagesrs r% _InferEmptySessionSettingsFieldsW_ProcessSessionSettingsInScopedAccessSettings.._InferEmptySessionSettingsFields s++3$$T*k $&A&A B B  ' ' J J P P ,04/?/? 0 /<URRnUHEnUR(dMURRnU(dM5T"U5 T"U5 MG gr)rErrr)r#rsrrrs r%r=_ProcessSessionSettingsInScopedAccessSettings.._Start'sU 55JJ #   ))99 /0&'78$r'Nrn)r#rrrs @@r%-_ProcessSessionSettingsInScopedAccessSettingsrs2-4 9 +r'cfUR(aURR(dgSnURRGHhnUR(dMURR(dM4[ URRSS5(dM\Sn[ US5(a-UR S5(a[R"SS5eUR(aURR(d[R"SS 5eUR(a2URR(a[R"SS 5eUR(dGM6URR(dGMT[R"SS 5e U(ax[RRR R#5(a@[ US 5(a.UR S 5(d[R"SS 5egggg)z"Validate restricted project scope.NFrT group_keyz --group-keyz\Restricted project scope cannot be used with --group-key; use --federated-principal instead.rz?Restricted project scope must have active session settings set.zMRestricted project scope cannot be used with access levels in activeSettings.zMRestricted project scope cannot be used with access levels in dryRunSettings.federated_principalzOWhen using a restricted project scope, --federated-principal must be specified.)rErrrgetattrrrrrSrrr]rrr1r2 enable_gcslGetBool)r"r#has_restricted_projectsass r%_ValidateRestrictedProjectScoper'5s  " "  % % : :    % % : :c II ! ! ! CII))+> E E# { # #(@(@(M(M!::  .    s'9'9'I'I!::  M    2 2 ? ?!::       2 2 ? ? ?!::    ;;D//;;CCEE , - -d6N6N 77"::    7 -Fr'c(^SmU4SjnU"XU5$)zEHook to process and validate scoped access settings from the request.cURS5=(d URS5nU(a[R"SS5eg)Nr*r)rzThe binding-file cannot be specified at the same time as `--restricted-client-application-names` or `--restricted-client-application-client-ids`.)rrrS)r"legacy_prca_fields_specifieds r%D_ValidateRestrictedClientApplicationNamesAndClientIdsAreNotSpecifiediProcessScopedAccessSettings.._ValidateRestrictedClientApplicationNamesAndClientIdsAreNotSpecifiedpsT$(#;#;-$$N ! !"L M!$  8 8  ; $r'c>AURS5(dU$T"U5 [U5 [X5 [U5 [ X5 [ U5 U$)Nr)rrr'rr r)rAr"r#r+s r%r+ProcessScopedAccessSettings.._Start~sQ  # #N 3 3 jHN(-#D.05.t91#6 Jr'rn)rAr"r#rr+s @r%ProcessScopedAccessSettingsr/ms    # &&r'c(^\rSrSrU4SjrSrU=r$)InvalidFormatErroricL>[[U] USRU55 g)NaInvalid format: {} A binding-file is a YAML-formatted file containing a single gcpUserAccessBinding. For example: scopedAccessSettings: - scope: clientScope: restrictedClientApplication: name: Cloud Console activeSettings: accessLevels: - accessPolicies/123/accessLevels/access_level_1 dryRunSettings: accessLevels: - accessPolicies/123/accessLevels/dry_run_access_level_1 - scope: clientScope: restrictedClientApplication: clientId: my_client_id.google.com activeSettings: accessLevels: - accessPolicies/123/accessLevels/access_level_2 dryRunSetting: accessLevels: - accessPolicies/123/accessLevels/dry_run_access_level_2 )rr1rrT)rpathreasonrs r%rInvalidFormatError.__init__s+ d,  O2 &  9r'rn)rrrrrrrrs@r%r1r1s   r'r1c^^SmUU4SjnU$)zParse a GcpUserAccessBinding from a YAML file. Args: api_version: str, the API version to use for parsing the messages Returns: A function that parses a GcpUserAccessBinding from a file. cP[U5S:a[R"SS5eg)Nrz --input-filez{The input file contains more than one GcpUserAccessBinding. Please specify only one GcpUserAccessBinding in the input file.)rrrS)bindingss r%#_ValidateSingleGcpUserAccessBindingUParseGcpUserAccessBindingFromBindingFile.._ValidateSingleGcpUserAccessBindings/ 8}q  8 8  L r'c>[R"U[R"TS9RS5nT"U5 [ XST5R 5 US$)Nr>Fr)r)ParseAccessContextManagerMessagesFromYamlrrFrG&GcpUserAccessBindingStructureValidatorValidate)r3r8r9 api_versions r%2_ParseVersionedGcpUserAccessBindingFromBindingFiledParseGcpUserAccessBindingFromBindingFile.._ParseVersionedGcpUserAccessBindingFromBindingFilesW?? d{3HH%H(1* qk;hj A;r'rn)r?r@r9s` @r%(ParseGcpUserAccessBindingFromBindingFilerBs <;r'cZ\rSrSrSrSrSrSrSrSr Sr S r S r S r S rS rSrg)r=izGValidates a GcpUserAccessBinding structure against unrecognized fields.c(XlX lX0lgr)r3gcp_user_access_bindingr?)rr3rEr?s r%r/GcpUserAccessBindingStructureValidator.__init__sI#: "r'cURUR5 URURR5 g)z-Validates the GcpUserAccessBinding structure.N)3_ValidateAllFieldsRecognizedForGcpUserAccessBindingrE_ValidateScopedAccessSettingsr)rs r%r>/GcpUserAccessBindingStructureValidator.Validates8<< $$ && $$99r'cU(a[[U55HinXnURU5 URUR5 UR UR 5 UR UR5 Mk gg)z-Validates the ScopedAccessSettings structure.N)ranger_ValidateAllFieldsRecognized_ValidateAccessScoper_ValidateAccessSettingsrr)rscoped_access_settings_listirs r%rIDGcpUserAccessBindingStructureValidator._ValidateScopedAccessSettingssv"S456!!">? $$%;%J%JK $$%;%J%JK 7#r'clU(a-URU5 URUR5 gg)z$Validates the AccessScope structure.N)rM_ValidateClientScoper)r access_scopes r%rN;GcpUserAccessBindingStructureValidator._ValidateAccessScopes, '' 5  8 89r'c6U(aURU5 URUR5 [RR R R5(a.[US5(aURUR5 gggg)z(Validates the AccessScopeType structure.rN) rM$_ValidateRestrictedClientApplicationrrr1r2r#r$r_ValidateProjectr)rrs r%rT;GcpUserAccessBindingStructureValidator._ValidateClientScopes '' 5 //  2 2    2 2 > > F F H Hl$788 l<<=9 I r'c6U(aURU5 gg)z+Validates the RestrictedClientApplications.NrM)rrestricted_client_applications r%rXKGcpUserAccessBindingStructureValidator._ValidateRestrictedClientApplications$ ''(EF%r'c6U(aURU5 gg)zValidates the Project.Nr\)rrestricted_projects r%rY7GcpUserAccessBindingStructureValidator._ValidateProjects ''(:;r'c6U(aURU5 gg)zValidate the SessionSettings.Nr\)rrs r%r?GcpUserAccessBindingStructureValidator._ValidateSessionSettings s ''(89r'clU(a-URU5 URUR5 gg)z'Validates the AccessSettings structure.N)rMrr)rrs r%rO>GcpUserAccessBindingStructureValidator._ValidateAccessSettingss, ''8 ##O$C$CDr'c >S/n[5n/nURU:waURS5 URU:waURS5 URbURS5 UR (aURS5 [ US5(aURbURS5 URbURS5 UR(aURS 5 UR5(aURUR55 U(ab[URS R[UR 5R"S R%U5S R%U555eg) adValidates that all fields in the GcpUserAccessBinding are recognized. Note:Because ScopedAccessSettings is the only field supported in the GcpUserAccessBinding, a custom validation is required. Args: gcp_user_access_binding: The GcpUserAccessBinding to validate Raises: InvalidFormatError: if the GcpUserAccessBinding contains unrecognized fields rr]r^NgroupKeyrPrrrHz@"{}" contains unrecognized fields: [{}]. Valid fields are: [{}].r)rr]addr^rgrPrrrrHall_unrecognized_fieldsupdater1r3rTtyperErr)rrE valid_fieldsunrecognized_fields empty_lists r%rHZGcpUserAccessBindingStructureValidator._ValidateAllFieldsRecognizedForGcpUserAccessBindings_++L%J++z9n-11Z?23''3j)##f%'55 # - - 9k*..:/0;;<=6688  ! 9 9 ;  )) L 64//099ii+,ii %  r'c [UR55n[U5nUR5Vs/sHoDRPM nnUR S:Xa[ RRRR5(dJSU;aURS5 [US5(a"UR(aURS5 U(aa[UR SR#UR SR%['U55SR%['U5555egs snf)zValidates that all fields in the message are recognized. Args: message: object to validate Raises: InvalidFormatError: if the message contains unrecognized fields ClientScoperz?"{}" contains unrecognized fields: [{}]. Valid fields are: [{}]rN)rrirk all_fieldsrPrrr1r2r#r$removerrrhr1r3rTrsorted)rmessageunrecognized_fields_set message_typefvalid_fields_lists r%rMCGcpUserAccessBindingStructureValidator._ValidateAllFieldsRecognizedHs "'"A"A"CD=L)5)@)@)BC)BA)BC -    5 5 A A I I K K "3 3  " "#6 7 7/ 0 0W5N5N ! % %&9 :  )) K 6##ii678ii012  DsE)r?rEr3N)rrrrrrr>rIrNrTrXrYrrOrHrMrrnr'r%r=r=s@O# L: >G < : E 0dr'r=r),rrapitools.base.pyr+googlecloudsdk.api_lib.accesscontextmanagerrgooglecloudsdk.callioperr/googlecloudsdk.command_lib.accesscontextmanagerrgooglecloudsdk.corecore_exceptionsrrgooglecloudsdk.core.utilr r r&r,r;rBr@rDrerrrrrErrorr~rrrrr rr'r/ParseFileErrorr1rBr=rnr'r%rsC %<EB=*)1* , > ,L , `(,(VQQr'