#!/usr/bin/env python
#
# Copyright 2019 Google Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

"""Invokes Asset Inventory API to export resources, and IAM policies.

For more information on the Cloud Asset Inventory API see:
https://cloud.google.com/resource-manager/docs/cloud-asset-inventory/overview

"""

from __future__ import print_function

import argparse
import logging
import pprint

from concurrent import futures

from google.cloud.exceptions import GoogleCloudError
from google.cloud import asset_v1


class Clients(object):
    """Holds API client objects."""

    _cloudasset = None

    @classmethod
    def cloudasset(cls):
        if cls._cloudasset:
            return cls._cloudasset
        cls._cloudasset = asset_v1.AssetServiceClient()
        return cls._cloudasset


def export_to_gcs(parent, gcs_destination, content_type, asset_types):
    """Exports assets to GCS destination.

    Invoke either the cloudasset.organizations.exportAssets or
    cloudasset.projects.exportAssets method depending on if parent is a project
    or organization.
    Args:
        parent: Either `project/<project-id>` or `organization/<organization#>`.
        gcs_destination: GCS uri to export to.
        content_type: Either `RESOURCE` or `IAM_POLICY` or
        None/`CONTENT_TYPE_UNSPECIFIED` for just asset names.
        asset_types: None for all asset types or a list of asset names to
        export.
    Returns:
        The result of the successfully completed export operation.
    """
    output_config = asset_v1.types.OutputConfig()
    output_config.gcs_destination.uri = gcs_destination
    operation = Clients.cloudasset().export_assets(
        {'parent': parent,
         'output_config': output_config,
         'content_type': content_type,
         'asset_types': asset_types})
    return operation.result()


def export_to_gcs_content_types(parent, gcs_destination, content_types,
                                asset_types):
    """Export each asset type into a GCS object with the GCS prefix.

    Will call `export_to_gcs concurrently` to perform an export, once for each
    content_type.

    Args:
        parent: Project id or organization number.
        gcs_destination: GCS object prefix to export to (gs://bucket/prefix)
        content_types: List of [RESOURCE, NAME, IAM_POLICY, NAME] to export.
        Defaults to [RESOURCE, NAME, IAM_POLICY]
        asset_types: List of asset_types to export. Supply `None` to get
        everything.
    Returns:
        A dict of content_types and export result objects.

    """

    logging.info('performing export from %s to %s of content_types %s',
                 parent, gcs_destination, str(content_types))
    if asset_types == ['*']:
        asset_types = None
    if content_types is None:
        content_types = ['RESOURCE', 'IAM_POLICY']
    with futures.ThreadPoolExecutor(max_workers=3) as executor:
        export_futures = {
            executor.submit(export_to_gcs, parent, '{}/{}.json'.format(
                gcs_destination, content_type), content_type, asset_types):
            content_type
            for content_type in content_types
        }
    operation_results = {}
    for future in futures.as_completed(export_futures):
        try:
            content_type = export_futures[future]
            operation_results[content_type] = future.result()
        except GoogleCloudError:
            content_type = export_futures[future]
            logging.exception('Error exporting %s', content_type)
            raise
    logging.info('export results: %s', pprint.pformat(operation_results))
    return operation_results


def add_argparse_args(ap, required=False):
    """Configure the `argparse.ArgumentParser`."""
    ap.formatter_class = argparse.RawTextHelpFormatter
    # pylint: disable=line-too-long
    ap.description = (
        'Exports google cloud organization or project assets '
        'to a gcs bucket or bigquery. See:\n'
        'https://cloud.google.com/resource-manager/docs/cloud-asset-inventory/overview\n\n'
        'This MUST be run with a service account owned by a project with the '
        'Cloud Asset API enabled. The gcloud generated user credentials'
        ' do not work. This requires:\n\n'
        '1. Enable the Cloud Asset Inventory API on a project ('
        'https://console.cloud.google.com/apis/api/cloudasset.googleapis.com/overview)\n'
        '  2. Create a service account owned by this project\n'
        '  3. Give the service account roles/cloudasset.viewer at the organization layer\n'
        '  4. Run on a GCE instance started with this service account,\n'
        '   or download the private key and set GOOGLE_APPLICATION_CREDENTIALS to the file name\n'
        '  5. Run this command.\n\n'
        'If the GCS bucket being written to is owned by a different project then'
        ' the project that you enabled the API on, then you must also grant the'
        ' "service-<project-id>@gcp-sa-cloudasset.iam.gserviceaccount.com" account'
        ' objectAdmin privileges to the bucket:\n'
        'gsutil iam ch serviceAccount:service-<project-id>@gcp-sa-cloudasset.iam.gserviceaccount.com:objectAdmin '
        'gs://<bucket>\n'
        '\n\n')
    ap.add_argument(
        '--parent',
        required=required,
        help=('Organization number (organizations/123)'
              'or project id (projects/id) or number (projects/123).'))

    ap.add_argument(
        '--gcs-destination', help='URL of the gcs file to write to.',
        required=required)

    def content_types_argument(string):
        valid_content_types = [
            'CONTENT_TYPE_UNSPECIFIED', 'RESOURCE', 'IAM_POLICY'
        ]
        content_types = [x.strip() for x in string.split(',')]
        for content_type in content_types:
            if content_type not in valid_content_types:
                raise argparse.ArgumentTypeError(
                    'invalid content_type {}'.format(content_type))
        return content_types

    ap.add_argument(
        '--content-types',
        help=('Type content to output for each asset a comma seperated list '
              ' of `CONTENT_TYPE_UNSPECIFIED`, `RESOURCE`, `IAM_POLICY` '
              'defaults to `RESOURCE, IAM_POLICY`.'),
        type=content_types_argument,
        default='RESOURCE, IAM_POLICY',
        nargs='?')

    ap.add_argument(
        '--asset-types',
        help=('Comma separated list of asset types to export such as '
              '"google.compute.Firewall,google.compute.HealthCheck"'
              ' default is `*` for everything'),
        type=lambda x: [y.strip() for y in x.split(',')],
        nargs='?')


def main():
    logging.basicConfig()
    logging.getLogger().setLevel(logging.INFO)
    ap = argparse.ArgumentParser(formatter_class=argparse.RawTextHelpFormatter)
    add_argparse_args(ap, required=True)
    args = ap.parse_args()
    logging.info('Exporting assets.')
    export_result = export_to_gcs_content_types(
        args.parent,
        args.gcs_destination,
        args.content_types,
        asset_types=args.asset_types.split(',') if args.asset_types else None)
    logging.info('Export results %s.', pprint.pformat(export_result))


if __name__ == '__main__':
    main()