

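def main(file):
  """Verify that the set of GCP roles in FILE does not include the
  permission setIamPolicy at project, folder or organization level

  This program authenticates against GCP using default application
  credentials to query project and organization level roles.

  Args:
    file: an iterable of text lines (typically an open file) with one
      role name per line; blank lines are skipped.

  The process exits with status 0 only when every role could be read and
  none of them grants a permission listed in SENSITIVE_PERMISSIONS. A
  failed lookup (the project's Error, presumably raised by
  get_role_permissions) or a sensitive match exits with status 1, so an
  unreadable role never passes the audit silently.
  """
  # sys.exit is the dependable form: the bare `exit` builtin is injected
  # by the site module and is absent under `python -S` or in some frozen
  # builds. Imported here because the file header is not in view.
  import sys

  # strip() instead of rstrip(" \n") so tabs, '\r' and accidental leading
  # whitespace do not turn a valid role name into a failed lookup.
  roles = (line.strip() for line in file)

  allok = True
  for role in roles:
    if not role:
      continue
    try:
      permissions = set(get_role_permissions(role))
    except Error as e:
      # Fail closed: a role that cannot be read cannot be proven safe.
      print(f"WARNING: can't read {role}: {e}")
      allok = False
      continue
    matched_sensitive_permissions = SENSITIVE_PERMISSIONS & permissions
    if matched_sensitive_permissions:
      print(f"WARNING: {role} contains {matched_sensitive_permissions}")
      allok = False
    else:
      print(f"{role} ok")

  sys.exit(0 if allok else 1)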