in tools/iam-permissions-copier/iam.py [0:0]
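def _tainted_assets(resource, matching, manual_map):
    """Return the asset records of ``matching`` whose members need remapping.

    Walks every IAM binding of every resource in ``matching`` (entries of the
    CAI export whose ``assetType`` equals ``resource.ASSET_TYPE``) and asks
    ``should_keep_fix`` for a replacement member. Only members for which it
    returns a ``(new_member, mapping_type)`` pair produce a record.

    Args:
        resource: Resource class providing ``ASSET_TYPE``.
        matching: CAI entries already filtered to ``resource.ASSET_TYPE``.
        manual_map: Manual member map from ``parse_csv`` (may be empty).

    Returns:
        A list of dicts whose key order (type, mapping_type, resource, role,
        old_member, new_member) is relied upon by ``table_output(*a.values())``.

    Raises:
        KeyError: if an entry lacks ``policy.bindings`` -- the export is assumed
            to be an IAM policy export, so every entry carries a policy.
    """
    # The short type is constant per resource class, so compute it once.
    short_type = resource.ASSET_TYPE.split("googleapis.com/")[1]
    found = []
    for res in matching:
        for binding in res["policy"]["bindings"]:
            members = binding["members"]
            for member in members:
                fix = should_keep_fix(member, manual_map, members)
                if fix is None:
                    continue
                found.append(
                    {
                        "type": short_type,
                        "mapping_type": fix[1],
                        "resource": res["resource"],
                        "role": binding["role"],
                        "old_member": member,
                        "new_member": fix[0],
                    }
                )
    return found


def run(filename, dry_run, map_file, org_id, verify_permissions):
    """Find IAM bindings whose members need remapping and copy them.

    Loads a Cloud Asset Inventory (CAI) export -- ``filename`` if given,
    otherwise one fetched via ``cai.fetch_cai_file`` for ``org_id`` -- then,
    for every resource class in ``ALL_RESOURCES_IN_PROCESSING_ORDER``,
    collects the bindings that ``should_keep_fix`` says must be copied to a
    new member. The findings are printed as a table and, after interactive
    confirmation, handed to ``execute_iam_copy``.

    Args:
        filename: Path to a CAI export JSON file; falsy to fetch one.
        dry_run: Forwarded to ``execute_iam_copy``; also selects the banner.
        map_file: Optional CSV path consumed by ``parse_csv`` into a manual map.
        org_id: Organization id; resolved with ``look_for_gcloud_org`` if falsy.
        verify_permissions: Forwarded to ``execute_iam_copy``.

    Raises:
        OSError: if the inventory file cannot be opened.
        json.JSONDecodeError: if the inventory file is not valid JSON.
    """
    org_id = org_id if org_id else look_for_gcloud_org()
    if not map_file:
        click.secho(
            (
                'Notice: No manual mapper provided. To provide one '
                'set the --map-file parameter.\n'
            ),
            fg="yellow",
        )
    if not filename:
        click.secho(
            (
                'Notice: No filename provided. To provide one set the '
                '--filename parameter. Fetching inventory file...\n'
            ),
            fg="yellow",
        )
    manual_map = parse_csv(map_file) if map_file else {}
    assets = []
    # (resource class, its tainted assets) pairs, consumed by execute_iam_copy.
    asset_types = []
    file_to_open = filename if filename else cai.fetch_cai_file(org_id)
    # The handle was previously never closed; the context manager releases it
    # as soon as the JSON is parsed. CAI exports are JSON, hence UTF-8.
    with open(file_to_open, encoding="utf-8") as f:
        cai_data = json.load(f)
    for resource in ALL_RESOURCES_IN_PROCESSING_ORDER:
        matching = [r for r in cai_data if r["assetType"] == resource.ASSET_TYPE]
        click.secho(
            "Processing {count} resources of type {type}...".format(
                count=len(matching), type=resource.ASSET_TYPE
            ),
            fg="blue",
        )
        new_assets = _tainted_assets(resource, matching, manual_map)
        assets.extend(new_assets)
        # Keep the resource class next to its assets so the executor can
        # dispatch on it later on.
        if new_assets:
            asset_types.append((resource, new_assets))
            click.secho(
                "Found {count} tainted iam permissions on resource {type}... \n".format(
                    count=len(new_assets), type=resource.ASSET_TYPE
                ),
                fg="yellow",
            )
    click.secho(
        "{count} total permissions to be copied".format(count=len(assets)),
        fg="green",
        bg="black",
    )
    for a in assets:
        table_output(*a.values())
    if dry_run:
        click.secho(
            "RUNNING AS DRY RUN. NO ACTUAL PERMISSIONS WILL BE TOUCHED.",
            fg="black",
            bg="green",
        )
    else:
        click.secho(
            (
                '\n\nThis operation will copy the tainted iam permissions. '
                'There is no reversal operation. \n'
            ),
            fg="red",
        )
    # NOTE(review): the original indentation was lost; the prompt is treated as
    # applying to both modes because dry_run is forwarded to the executor,
    # which is what decides whether anything is touched -- confirm against
    # the repository.
    if click.confirm("Are you sure you want to execute?"):
        execute_iam_copy(asset_types, dry_run, verify_permissions)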