gcp-platforms-auto 0.8.2__py3-none-any.whl → 0.8.4__py3-none-any.whl

gcp_platforms_auto/__init__.py

@@ -14,7 +14,9 @@ from .db import (
     Base
 )
 from .iam import (
-    check_user_has_role_in_project, 
+    check_user_has_role_in_project,
+    check_service_account_has_role_in_project,
+    check_group_has_role_in_project,
     get_projects_with_role
 )
 

gcp_platforms_auto/iam.py

@@ -1,8 +1,9 @@
 """IAM access management utilities for GCP."""
 
 import logging
+import os
 import google.cloud.logging
-from google.cloud import asset_v1, resourcemanager_v3
+from google.cloud import asset_v1
 from typing import Optional
 
 # Initialize Google Cloud Logging
@@ -14,49 +15,106 @@ logger = logging.getLogger("uvicorn")
 logger.setLevel(logging.INFO)
 
 
-def _get_identity_string(email: str) -> str:
+def check_user_has_role_in_project(
+    project_id: str,
+    user_email: str,
+    organization_id: str,
+    role: str = "roles/owner",
+    expand_groups: bool = True
+) -> bool:
     """
-    Helper function to construct the proper identity string.
-    Automatically detects if the email is a service account or user.
+    Check if a user has a specific role in a GCP project.
     
     Args:
-        email: Email address (user or service account)
+        project_id: GCP project ID (e.g., 'sky-starfi-mam-res-gcpro-1')
+        user_email: Email of the user to check (e.g., 'oshasha10@gcporg.com')
+        organization_id: GCP organization ID (e.g., '111111111111')
+        role: Role to check (e.g., 'roles/owner', 'roles/editor')
+        expand_groups: Whether to expand group memberships (default: True)
         
     Returns:
-        str: Properly formatted identity string
+        bool: True if the user has the role in the project, False otherwise
+        
+    Example:
+        >>> has_access = check_user_has_role_in_project(
+        ...     project_id='sky-starfi-mam-res-gcpro-1',
+        ...     user_email='oshasha10@gcporg.com',
+        ...     organization_id='111111111111',
+        ...     role='roles/owner'
+        ... )
     """
-    if ".gserviceaccount.com" in email.lower():
-        return f"serviceAccount:{email}"
-    else:
-        return f"user:{email}"
+    client = asset_v1.AssetServiceClient()
+    
+    # Construct the full resource name
+    scope = f"organizations/{organization_id}"
+    full_resource_name = f"//cloudresourcemanager.googleapis.com/projects/{project_id}"
+    identity = f"user:{user_email}"
+    
+    # Build the request
+    request = asset_v1.AnalyzeIamPolicyRequest(
+        analysis_query=asset_v1.IamPolicyAnalysisQuery(
+            scope=scope,
+            resource_selector=asset_v1.IamPolicyAnalysisQuery.ResourceSelector(
+                full_resource_name=full_resource_name
+            ),
+            identity_selector=asset_v1.IamPolicyAnalysisQuery.IdentitySelector(
+                identity=identity
+            ),
+            access_selector=asset_v1.IamPolicyAnalysisQuery.AccessSelector(
+                roles=[role]
+            ),
+            options=asset_v1.IamPolicyAnalysisQuery.Options(
+                expand_groups=expand_groups,
+                expand_roles=True,
+            )
+        )
+    )
+    
+    try:
+        # Execute the analysis
+        logger.info(f"Checking if user {user_email} has role {role} in project {project_id}")
+        response = client.analyze_iam_policy(request=request)
+        
+        # Check if any results were returned
+        if response.main_analysis and response.main_analysis.analysis_results:
+            logger.info(f"User {user_email} has role {role} in project {project_id}")
+            return True
+        
+        logger.info(f"User {user_email} does not have role {role} in project {project_id}")
+        return False
+        
+    except Exception as e:
+        logger.exception(f"Error analyzing IAM policy: {e}")
+        raise
 
 
-def check_user_has_role_in_project(
+def check_service_account_has_role_in_project(
     project_id: str,
-    user_email: str,
+    service_account_email: str,
     organization_id: str,
     role: str = "roles/owner",
     expand_groups: bool = True
 ) -> bool:
     """
-    Check if a user or service account has a specific role in a GCP project.
+    Check if a service account has a specific role in a GCP project.
     
     Args:
-        user_email: Email of the user or service account to check
-                   (e.g., 'oshasha10@gcporg.com' or 'my-sa@project.iam.gserviceaccount.com')
-        role: Role to check (e.g., 'roles/owner', 'roles/editor')
         project_id: GCP project ID (e.g., 'sky-starfi-mam-res-gcpro-1')
+        service_account_email: Email of the service account to check
+                              (e.g., 'my-sa@project.iam.gserviceaccount.com')
         organization_id: GCP organization ID (e.g., '111111111111')
+        role: Role to check (e.g., 'roles/owner', 'roles/editor')
         expand_groups: Whether to expand group memberships (default: True)
         
     Returns:
-        bool: True if the user/service account has the role in the project, False otherwise
+        bool: True if the service account has the role in the project, False otherwise
         
     Example:
-        >>> has_access = check_user_has_role_in_project(
-        ...     user_email='oshasha10@gcporg.com',
-        ...     role='roles/owner',
+        >>> has_access = check_service_account_has_role_in_project(
         ...     project_id='sky-starfi-mam-res-gcpro-1',
+        ...     service_account_email='my-sa@project.iam.gserviceaccount.com',
+        ...     organization_id='111111111111',
+        ...     role='roles/owner'
         ... )
     """
     client = asset_v1.AssetServiceClient()
@@ -64,7 +122,7 @@ def check_user_has_role_in_project(
     # Construct the full resource name
     scope = f"organizations/{organization_id}"
     full_resource_name = f"//cloudresourcemanager.googleapis.com/projects/{project_id}"
-    identity = _get_identity_string(user_email)
+    identity = f"serviceAccount:{service_account_email}"
     
     # Build the request
     request = asset_v1.AnalyzeIamPolicyRequest(
@@ -82,23 +140,21 @@ def check_user_has_role_in_project(
             options=asset_v1.IamPolicyAnalysisQuery.Options(
                 expand_groups=expand_groups,
                 expand_roles=True,
-                # expand_resources=True
             )
         )
     )
     
     try:
         # Execute the analysis
-        logger.info(f"Checking if {user_email} has role {role} in project {project_id}")
+        logger.info(f"Checking if service account {service_account_email} has role {role} in project {project_id}")
         response = client.analyze_iam_policy(request=request)
         
         # Check if any results were returned
-        # If the user has the role, there will be analysis results
         if response.main_analysis and response.main_analysis.analysis_results:
-            logger.info(f"{user_email} has role {role} in project {project_id}")
+            logger.info(f"Service account {service_account_email} has role {role} in project {project_id}")
             return True
         
-        logger.info(f"{user_email} does not have role {role} in project {project_id}")
+        logger.info(f"Service account {service_account_email} does not have role {role} in project {project_id}")
         return False
         
     except Exception as e:
@@ -106,47 +162,112 @@ def check_user_has_role_in_project(
         raise
 
 
-def _get_all_folders_recursive(parent: str, folders_client) -> list:
+def check_group_has_role_in_project(
+    project_id: str,
+    group_email: str,
+    organization_id: str,
+    role: str = "roles/owner",
+    expand_groups: bool = True
+) -> bool:
     """
-    Recursively get all folders under a parent (organization or folder).
+    Check if a group has a specific role in a GCP project.
     
     Args:
-        parent: Parent resource (e.g., 'organizations/123' or 'folders/456')
-        folders_client: FoldersClient instance
+        project_id: GCP project ID (e.g., 'sky-starfi-mam-res-gcpro-1')
+        group_email: Email of the group to check (e.g., 'dev-team@gcporg.com')
+        organization_id: GCP organization ID (e.g., '111111111111')
+        role: Role to check (e.g., 'roles/owner', 'roles/editor')
+        expand_groups: Whether to expand group memberships (default: True)
         
     Returns:
-        list: List of all folder resource names
+        bool: True if the group has the role in the project, False otherwise
+        
+    Example:
+        >>> has_access = check_group_has_role_in_project(
+        ...     project_id='sky-starfi-mam-res-gcpro-1',
+        ...     group_email='dev-team@gcporg.com',
+        ...     organization_id='111111111111',
+        ...     role='roles/owner'
+        ... )
     """
-    all_folders = []
+    client = asset_v1.AssetServiceClient()
+    
+    # Construct the full resource name
+    scope = f"organizations/{organization_id}"
+    full_resource_name = f"//cloudresourcemanager.googleapis.com/projects/{project_id}"
+    identity = f"group:{group_email}"
+    
+    # Build the request
+    request = asset_v1.AnalyzeIamPolicyRequest(
+        analysis_query=asset_v1.IamPolicyAnalysisQuery(
+            scope=scope,
+            resource_selector=asset_v1.IamPolicyAnalysisQuery.ResourceSelector(
+                full_resource_name=full_resource_name
+            ),
+            identity_selector=asset_v1.IamPolicyAnalysisQuery.IdentitySelector(
+                identity=identity
+            ),
+            access_selector=asset_v1.IamPolicyAnalysisQuery.AccessSelector(
+                roles=[role]
+            ),
+            options=asset_v1.IamPolicyAnalysisQuery.Options(
+                expand_groups=expand_groups,
+                expand_roles=True,
+            )
+        )
+    )
     
     try:
-        request = resourcemanager_v3.ListFoldersRequest(parent=parent)
-        folders = folders_client.list_folders(request=request)
-        
-        for folder in folders:
-            folder_name = folder.name  # Format: folders/123
-            all_folders.append(folder_name)
-            logger.info(f"Found folder: {folder_name}")
-            
-            # Recursively get subfolders
-            subfolders = _get_all_folders_recursive(folder_name, folders_client)
-            all_folders.extend(subfolders)
-            
+        # Execute the analysis
+        logger.info(f"Checking if group {group_email} has role {role} in project {project_id}")
+        response = client.analyze_iam_policy(request=request)
+        
+        # Check if any results were returned
+        if response.main_analysis and response.main_analysis.analysis_results:
+            logger.info(f"Group {group_email} has role {role} in project {project_id}")
+            return True
+        
+        logger.info(f"Group {group_email} does not have role {role} in project {project_id}")
+        return False
+        
     except Exception as e:
-        logger.warning(f"Error listing folders under {parent}: {e}")
-    
-    return all_folders
+        logger.exception(f"Error analyzing IAM policy: {e}")
+        raise
+
+
+def _get_all_service_projects(base_paths, prefix):
+    service_projects = []
+
+    for path in base_paths:
+        logger.info(f"[INFO] Searching for projects under: {path}")
+
+        for root, _, _ in os.walk(path):
+            if root == path:
+                continue
+
+            for _, _, projects in os.walk(root):
+                for project in projects:
+                    if not project.endswith(".yaml"):
+                        continue
+                    if project.startswith(prefix):
+                        service_projects.append(project.split('.')[0])
+                    else:
+                        service_projects.append(f"{prefix}-{project.split('.')[0]}")
+
+    return list(set(service_projects))
 
 
 def get_projects_with_role(
     user_email: str,
     organization_id: str,
     role: str = "roles/owner",
-    expand_groups: bool = True
+    expand_groups: bool = True,
+    project_prefix: Optional[str] = None,
+    projects_base_paths: Optional[list] = []
 ) -> list:
     """
     Get all projects where a user or service account has a specific role.
-    Searches recursively through all folders in the organization.
+    Searches for all service projects in the organization.
     
     Args:
         user_email: Email of the user or service account to check
@@ -168,27 +289,12 @@ def get_projects_with_role(
     logger.info(f"Fetching all projects in organization {organization_id} (including folders)")
     
     try:
-        # Initialize clients
-        projects_client = resourcemanager_v3.ProjectsClient()
-        folders_client = resourcemanager_v3.FoldersClient()
-        
-        # Get all folders recursively
-        org_parent = f"organizations/{organization_id}"
-        all_folders = _get_all_folders_recursive(org_parent, folders_client)
-        logger.info(f"Found {len(all_folders)} folder(s) in organization")
-        
-        # Create list of all parents to search (organization + all folders)
-        parents_to_search = [org_parent] + all_folders
-        
-        # Collect all projects from all parents
-        all_projects = []
-        for parent in parents_to_search:
-            request = resourcemanager_v3.ListProjectsRequest(parent=parent)
-            projects = projects_client.list_projects(request=request)
-            for project in projects:
-                all_projects.append(project.project_id)
-        
-        logger.info(f"Found {len(all_projects)} total project(s) across organization and folders")
+        all_projects = _get_all_service_projects(
+            base_paths=projects_base_paths, 
+            prefix=project_prefix
+        )
+        
+        logger.info(f"Found {len(all_projects)} total service project(s) across organization {organization_id}")
         
         # Filter projects where user has the specified role
         matching_projects = []

{gcp_platforms_auto-0.8.2.dist-info → gcp_platforms_auto-0.8.4.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: gcp_platforms_auto
-Version: 0.8.2
+Version: 0.8.4
 Summary: A brief description of your package
 Author-email: ofir4858 <ofirshasha10@gmail.com>
 License: MIT
@@ -13,7 +13,6 @@ Requires-Dist: requests
 Requires-Dist: pyjwt
 Requires-Dist: google-cloud-logging
 Requires-Dist: google-cloud-asset
-Requires-Dist: google-cloud-resource-manager
 Requires-Dist: gitpython
 Requires-Dist: sqlalchemy
 Requires-Dist: pg8000

gcp_platforms_auto-0.8.4.dist-info/RECORD

@@ -0,0 +1,9 @@
+gcp_platforms_auto/__init__.py,sha256=pKouDuMclA8r93k5H9TjGbxNsFwqIYfymjO-owuGGws,526
+gcp_platforms_auto/db.py,sha256=jE5nwmqVHcxT4m6-meUgUz4V4DM8M_sMmeTpvKr2Z2Y,8768
+gcp_platforms_auto/git.py,sha256=NnLDfRzzrzbm9yekepc-qgu8ejYmjNxQ4VDlW46gG2o,5508
+gcp_platforms_auto/iam.py,sha256=wnMZ_jl2YM5dLY8LqtPfEyh_0Osqs1ypsxakJGmwHVw,11614
+gcp_platforms_auto/models.py,sha256=mVg8NKV25kqdTuazqenAp7Ay03N5D8GIh3F_TWP0zyI,853
+gcp_platforms_auto-0.8.4.dist-info/METADATA,sha256=UU0EYfRtyhRgQW_1867j05FBs16hAAan5w_UWKQn15w,600
+gcp_platforms_auto-0.8.4.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
+gcp_platforms_auto-0.8.4.dist-info/top_level.txt,sha256=4q-ofPMmvBaTnIbAzs-Wp_OwheAVxxmJ1fW9vl3-kyE,19
+gcp_platforms_auto-0.8.4.dist-info/RECORD,,

gcp_platforms_auto-0.8.2.dist-info/RECORD

@@ -1,9 +0,0 @@
-gcp_platforms_auto/__init__.py,sha256=MhphRLBFhpZSik83woVgJi3NpyGjBRZ4RyOcXu8dqAk,443
-gcp_platforms_auto/db.py,sha256=jE5nwmqVHcxT4m6-meUgUz4V4DM8M_sMmeTpvKr2Z2Y,8768
-gcp_platforms_auto/git.py,sha256=NnLDfRzzrzbm9yekepc-qgu8ejYmjNxQ4VDlW46gG2o,5508
-gcp_platforms_auto/iam.py,sha256=BFf4LitUXzHrDETZHO_sf2zw6XGrR9a_Vg-TBIqE77k,7671
-gcp_platforms_auto/models.py,sha256=mVg8NKV25kqdTuazqenAp7Ay03N5D8GIh3F_TWP0zyI,853
-gcp_platforms_auto-0.8.2.dist-info/METADATA,sha256=_Kn33l2ax-3uMpd3x96La8euXPO3wqv0xKpD25KUT1s,645
-gcp_platforms_auto-0.8.2.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
-gcp_platforms_auto-0.8.2.dist-info/top_level.txt,sha256=4q-ofPMmvBaTnIbAzs-Wp_OwheAVxxmJ1fW9vl3-kyE,19
-gcp_platforms_auto-0.8.2.dist-info/RECORD,,