Improve error instructions for CAA
@@ -13,7 +13,15 @@ from gam import utils
|
|||||||
from gam.gapi import errors as gapi_errors
|
from gam.gapi import errors as gapi_errors
|
||||||
from gam.gapi import cloudresourcemanager as gapi_crm
|
from gam.gapi import cloudresourcemanager as gapi_crm
|
||||||
|
|
||||||
|
|
||||||
THROW_REASONS = [gapi_errors.ErrorReason.FOUR_O_THREE]
|
THROW_REASONS = [gapi_errors.ErrorReason.FOUR_O_THREE]
|
||||||
|
|
||||||
|
def _gen_role_error(caa):
|
||||||
|
sa_email = caa._http.credentials.signer_email
|
||||||
|
role_error = f'Please grant service account {sa_email} the Access Context Manager Editor role to your GCP organization.'
|
||||||
|
controlflow.system_error_exit(2, role_error)
|
||||||
|
|
||||||
|
|
||||||
def build():
|
def build():
|
||||||
return gam.buildGAPIServiceObject('accesscontextmanager',
|
return gam.buildGAPIServiceObject('accesscontextmanager',
|
||||||
act_as=None)
|
act_as=None)
|
||||||
@@ -23,6 +31,8 @@ def get_access_policy(caa=None):
|
|||||||
if not caa:
|
if not caa:
|
||||||
build()
|
build()
|
||||||
parent = gapi_crm.get_org_id()
|
parent = gapi_crm.get_org_id()
|
||||||
|
if not parent:
|
||||||
|
_gen_role_error(caa)
|
||||||
try:
|
try:
|
||||||
aps = gapi.get_all_pages(caa.accessPolicies(),
|
aps = gapi.get_all_pages(caa.accessPolicies(),
|
||||||
'list',
|
'list',
|
||||||
@@ -31,7 +41,7 @@ def get_access_policy(caa=None):
|
|||||||
parent=parent,
|
parent=parent,
|
||||||
fields='accessPolicies(name,title)')
|
fields='accessPolicies(name,title)')
|
||||||
except googleapiclient.errors.HttpError:
|
except googleapiclient.errors.HttpError:
|
||||||
controlflow.system_error_exit(2, 'Your service account needs the Access Context Manager Reader or Editor role for your organization.')
|
_gen_role_error(caa)
|
||||||
if not aps:
|
if not aps:
|
||||||
controlflow.system_error_exit(2, 'You don\'t seem to have any access policies. That is odd.')
|
controlflow.system_error_exit(2, 'You don\'t seem to have any access policies. That is odd.')
|
||||||
elif len(aps) == 1:
|
elif len(aps) == 1:
|
||||||
@@ -53,7 +63,7 @@ def print_access_levels():
|
|||||||
parent=ap_name,
|
parent=ap_name,
|
||||||
accessLevelFormat='CEL', fields='*')
|
accessLevelFormat='CEL', fields='*')
|
||||||
except googleapiclient.errors.HttpError:
|
except googleapiclient.errors.HttpError:
|
||||||
controlflow.system_error_exit(2, 'Your service account needs the Access Context Manager Reader or Editor role for your organization.')
|
_gen_role_error(caa)
|
||||||
for level in levels:
|
for level in levels:
|
||||||
display.print_json(level)
|
display.print_json(level)
|
||||||
print()
|
print()
|
||||||
@@ -197,8 +207,7 @@ def create_access_level():
|
|||||||
parent=ap_name,
|
parent=ap_name,
|
||||||
body=body)
|
body=body)
|
||||||
except googleapiclient.errors.HttpError:
|
except googleapiclient.errors.HttpError:
|
||||||
controlflow.system_error_exit(2, 'Your service account needs the Access Context Manager Editor role for your organization.')
|
_gen_role_error(caa)
|
||||||
|
|
||||||
|
|
||||||
def update_access_level():
|
def update_access_level():
|
||||||
caa = build()
|
caa = build()
|
||||||
@@ -229,8 +238,7 @@ def update_access_level():
|
|||||||
updateMask=updateMask,
|
updateMask=updateMask,
|
||||||
body=body)
|
body=body)
|
||||||
except googleapiclient.errors.HttpError:
|
except googleapiclient.errors.HttpError:
|
||||||
controlflow.system_error_exit(2, 'Your service account needs the Access Context Manager Editor role for your organization.')
|
_gen_role_error(caa)
|
||||||
|
|
||||||
|
|
||||||
def delete_access_level():
|
def delete_access_level():
|
||||||
caa = build()
|
caa = build()
|
||||||
@@ -244,5 +252,4 @@ def delete_access_level():
|
|||||||
'delete',
|
'delete',
|
||||||
name=name)
|
name=name)
|
||||||
except googleapiclient.errors.HttpError:
|
except googleapiclient.errors.HttpError:
|
||||||
controlflow.system_error_exit(2, 'Your service account needs the Access Context Manager Editor role for your organization.')
|
_gen_role_error(caa)
|
||||||
|
|
||||||
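Review bot: `_gen_role_error(caa)` in the first hunk dereferences `caa._http.credentials.signer_email`, but on the new `if not parent:` path in `get_access_policy` (second hunk) `caa` can still be `None`, because the context line `if not caa:` calls `build()` without keeping its result, so the helper dies with an AttributeError instead of printing the role instruction. Changing that context line to `caa = build()` closes the gap. The replaced messages in the `get_access_policy` and `print_access_levels` hunks asked for "Reader or Editor", while the new helper always asks for Editor, so read-only callers are now told to grant more than they need; a role parameter, `def _gen_role_error(caa, role='Editor'):` used in the f-string and called with `role='Reader or Editor'` from the two read paths, keeps that least-privilege distinction. `_http` is a private attribute of the discovery resource object, which deserves a one-line comment noting the dependency; the enclosing functions of the create/update/delete hunks start outside their hunks.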
|
|||||||
@@ -1,16 +1,7 @@
|
|||||||
import string
|
|
||||||
import sys
|
|
||||||
|
|
||||||
import googleapiclient.errors
|
|
||||||
|
|
||||||
import gam
|
import gam
|
||||||
from gam.var import *
|
from gam.var import GC_Values, GC_CUSTOMER_ID
|
||||||
from gam import controlflow
|
from gam import controlflow
|
||||||
from gam import display
|
|
||||||
from gam import fileutils
|
|
||||||
from gam import gapi
|
from gam import gapi
|
||||||
from gam import utils
|
|
||||||
from gam.gapi import errors as gapi_errors
|
|
||||||
from gam.gapi.directory import customer as gapi_directory_customer
|
from gam.gapi.directory import customer as gapi_directory_customer
|
||||||
|
|
||||||
def build():
|
def build():
|
||||||
@@ -27,5 +18,7 @@ def get_org_id():
|
|||||||
'organizations',
|
'organizations',
|
||||||
query=query)
|
query=query)
|
||||||
if len(orgs) < 1:
|
if len(orgs) < 1:
|
||||||
controlflow.system_error_exit(2, 'Your service account needs permission to read org id')
|
# return nothing and let calling API deal with it
|
||||||
|
# since caller knows what GCP role would serve best
|
||||||
|
return
|
||||||
return orgs[0]['name']
|
return orgs[0]['name']
|
||||||
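Review bot: `get_org_id` now returns `None` where it previously exited, and the only caller in this commit that checks for that is `get_access_policy`; any other caller of `gapi_crm.get_org_id()` outside this diff would now pass `parent=None` into its API call, so the remaining callers (not visible here) should be checked and the new contract stated in a docstring, e.g. `Return the organization resource name, or None if the service account cannot list organizations.` The body of `get_org_id` starts outside the hunk, so the comment on the replaced line is currently the only place the changed behaviour is recorded. The narrowing of `from gam.var import *` to `GC_Values, GC_CUSTOMER_ID` in the first hunk is sound only if the module uses no other names from `gam.var`, which cannot be confirmed from the hunk.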
|
|||||||