gcp-platforms-auto 0.8.3__py3-none-any.whl → 0.8.4__py3-none-any.whl

gcp_platforms_auto/__init__.py

@@ -14,7 +14,9 @@ from .db import (
     Base
 )
 from .iam import (
-    check_user_has_role_in_project, 
+    check_user_has_role_in_project,
+    check_service_account_has_role_in_project,
+    check_group_has_role_in_project,
     get_projects_with_role
 )
 

gcp_platforms_auto/iam.py

@@ -15,49 +15,179 @@ logger = logging.getLogger("uvicorn")
 logger.setLevel(logging.INFO)
 
 
-def _get_identity_string(email: str) -> str:
+def check_user_has_role_in_project(
+    project_id: str,
+    user_email: str,
+    organization_id: str,
+    role: str = "roles/owner",
+    expand_groups: bool = True
+) -> bool:
     """
-    Helper function to construct the proper identity string.
-    Automatically detects if the email is a service account or user.
+    Check if a user has a specific role in a GCP project.
     
     Args:
-        email: Email address (user or service account)
+        project_id: GCP project ID (e.g., 'sky-starfi-mam-res-gcpro-1')
+        user_email: Email of the user to check (e.g., 'oshasha10@gcporg.com')
+        organization_id: GCP organization ID (e.g., '111111111111')
+        role: Role to check (e.g., 'roles/owner', 'roles/editor')
+        expand_groups: Whether to expand group memberships (default: True)
         
     Returns:
-        str: Properly formatted identity string
+        bool: True if the user has the role in the project, False otherwise
+        
+    Example:
+        >>> has_access = check_user_has_role_in_project(
+        ...     project_id='sky-starfi-mam-res-gcpro-1',
+        ...     user_email='oshasha10@gcporg.com',
+        ...     organization_id='111111111111',
+        ...     role='roles/owner'
+        ... )
     """
-    if ".gserviceaccount.com" in email.lower():
-        return f"serviceAccount:{email}"
-    else:
-        return f"user:{email}"
+    client = asset_v1.AssetServiceClient()
+    
+    # Construct the full resource name
+    scope = f"organizations/{organization_id}"
+    full_resource_name = f"//cloudresourcemanager.googleapis.com/projects/{project_id}"
+    identity = f"user:{user_email}"
+    
+    # Build the request
+    request = asset_v1.AnalyzeIamPolicyRequest(
+        analysis_query=asset_v1.IamPolicyAnalysisQuery(
+            scope=scope,
+            resource_selector=asset_v1.IamPolicyAnalysisQuery.ResourceSelector(
+                full_resource_name=full_resource_name
+            ),
+            identity_selector=asset_v1.IamPolicyAnalysisQuery.IdentitySelector(
+                identity=identity
+            ),
+            access_selector=asset_v1.IamPolicyAnalysisQuery.AccessSelector(
+                roles=[role]
+            ),
+            options=asset_v1.IamPolicyAnalysisQuery.Options(
+                expand_groups=expand_groups,
+                expand_roles=True,
+            )
+        )
+    )
+    
+    try:
+        # Execute the analysis
+        logger.info(f"Checking if user {user_email} has role {role} in project {project_id}")
+        response = client.analyze_iam_policy(request=request)
+        
+        # Check if any results were returned
+        if response.main_analysis and response.main_analysis.analysis_results:
+            logger.info(f"User {user_email} has role {role} in project {project_id}")
+            return True
+        
+        logger.info(f"User {user_email} does not have role {role} in project {project_id}")
+        return False
+        
+    except Exception as e:
+        logger.exception(f"Error analyzing IAM policy: {e}")
+        raise
 
 
-def check_user_has_role_in_project(
+def check_service_account_has_role_in_project(
     project_id: str,
-    user_email: str,
+    service_account_email: str,
     organization_id: str,
     role: str = "roles/owner",
     expand_groups: bool = True
 ) -> bool:
     """
-    Check if a user or service account has a specific role in a GCP project.
+    Check if a service account has a specific role in a GCP project.
     
     Args:
-        user_email: Email of the user or service account to check
-                   (e.g., 'oshasha10@gcporg.com' or 'my-sa@project.iam.gserviceaccount.com')
+        project_id: GCP project ID (e.g., 'sky-starfi-mam-res-gcpro-1')
+        service_account_email: Email of the service account to check
+                              (e.g., 'my-sa@project.iam.gserviceaccount.com')
+        organization_id: GCP organization ID (e.g., '111111111111')
         role: Role to check (e.g., 'roles/owner', 'roles/editor')
+        expand_groups: Whether to expand group memberships (default: True)
+        
+    Returns:
+        bool: True if the service account has the role in the project, False otherwise
+        
+    Example:
+        >>> has_access = check_service_account_has_role_in_project(
+        ...     project_id='sky-starfi-mam-res-gcpro-1',
+        ...     service_account_email='my-sa@project.iam.gserviceaccount.com',
+        ...     organization_id='111111111111',
+        ...     role='roles/owner'
+        ... )
+    """
+    client = asset_v1.AssetServiceClient()
+    
+    # Construct the full resource name
+    scope = f"organizations/{organization_id}"
+    full_resource_name = f"//cloudresourcemanager.googleapis.com/projects/{project_id}"
+    identity = f"serviceAccount:{service_account_email}"
+    
+    # Build the request
+    request = asset_v1.AnalyzeIamPolicyRequest(
+        analysis_query=asset_v1.IamPolicyAnalysisQuery(
+            scope=scope,
+            resource_selector=asset_v1.IamPolicyAnalysisQuery.ResourceSelector(
+                full_resource_name=full_resource_name
+            ),
+            identity_selector=asset_v1.IamPolicyAnalysisQuery.IdentitySelector(
+                identity=identity
+            ),
+            access_selector=asset_v1.IamPolicyAnalysisQuery.AccessSelector(
+                roles=[role]
+            ),
+            options=asset_v1.IamPolicyAnalysisQuery.Options(
+                expand_groups=expand_groups,
+                expand_roles=True,
+            )
+        )
+    )
+    
+    try:
+        # Execute the analysis
+        logger.info(f"Checking if service account {service_account_email} has role {role} in project {project_id}")
+        response = client.analyze_iam_policy(request=request)
+        
+        # Check if any results were returned
+        if response.main_analysis and response.main_analysis.analysis_results:
+            logger.info(f"Service account {service_account_email} has role {role} in project {project_id}")
+            return True
+        
+        logger.info(f"Service account {service_account_email} does not have role {role} in project {project_id}")
+        return False
+        
+    except Exception as e:
+        logger.exception(f"Error analyzing IAM policy: {e}")
+        raise
+
+
+def check_group_has_role_in_project(
+    project_id: str,
+    group_email: str,
+    organization_id: str,
+    role: str = "roles/owner",
+    expand_groups: bool = True
+) -> bool:
+    """
+    Check if a group has a specific role in a GCP project.
+    
+    Args:
         project_id: GCP project ID (e.g., 'sky-starfi-mam-res-gcpro-1')
+        group_email: Email of the group to check (e.g., 'dev-team@gcporg.com')
         organization_id: GCP organization ID (e.g., '111111111111')
+        role: Role to check (e.g., 'roles/owner', 'roles/editor')
         expand_groups: Whether to expand group memberships (default: True)
         
     Returns:
-        bool: True if the user/service account has the role in the project, False otherwise
+        bool: True if the group has the role in the project, False otherwise
         
     Example:
-        >>> has_access = check_user_has_role_in_project(
-        ...     user_email='oshasha10@gcporg.com',
-        ...     role='roles/owner',
+        >>> has_access = check_group_has_role_in_project(
         ...     project_id='sky-starfi-mam-res-gcpro-1',
+        ...     group_email='dev-team@gcporg.com',
+        ...     organization_id='111111111111',
+        ...     role='roles/owner'
         ... )
     """
     client = asset_v1.AssetServiceClient()
@@ -65,7 +195,7 @@ def check_user_has_role_in_project(
     # Construct the full resource name
     scope = f"organizations/{organization_id}"
     full_resource_name = f"//cloudresourcemanager.googleapis.com/projects/{project_id}"
-    identity = _get_identity_string(user_email)
+    identity = f"group:{group_email}"
     
     # Build the request
     request = asset_v1.AnalyzeIamPolicyRequest(
@@ -83,23 +213,21 @@ def check_user_has_role_in_project(
             options=asset_v1.IamPolicyAnalysisQuery.Options(
                 expand_groups=expand_groups,
                 expand_roles=True,
-                # expand_resources=True
             )
         )
     )
     
     try:
         # Execute the analysis
-        logger.info(f"Checking if {user_email} has role {role} in project {project_id}")
+        logger.info(f"Checking if group {group_email} has role {role} in project {project_id}")
         response = client.analyze_iam_policy(request=request)
         
         # Check if any results were returned
-        # If the user has the role, there will be analysis results
         if response.main_analysis and response.main_analysis.analysis_results:
-            logger.info(f"{user_email} has role {role} in project {project_id}")
+            logger.info(f"Group {group_email} has role {role} in project {project_id}")
             return True
         
-        logger.info(f"{user_email} does not have role {role} in project {project_id}")
+        logger.info(f"Group {group_email} does not have role {role} in project {project_id}")
         return False
         
     except Exception as e:

{gcp_platforms_auto-0.8.3.dist-info → gcp_platforms_auto-0.8.4.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: gcp_platforms_auto
-Version: 0.8.3
+Version: 0.8.4
 Summary: A brief description of your package
 Author-email: ofir4858 <ofirshasha10@gmail.com>
 License: MIT

gcp_platforms_auto-0.8.4.dist-info/RECORD

@@ -0,0 +1,9 @@
+gcp_platforms_auto/__init__.py,sha256=pKouDuMclA8r93k5H9TjGbxNsFwqIYfymjO-owuGGws,526
+gcp_platforms_auto/db.py,sha256=jE5nwmqVHcxT4m6-meUgUz4V4DM8M_sMmeTpvKr2Z2Y,8768
+gcp_platforms_auto/git.py,sha256=NnLDfRzzrzbm9yekepc-qgu8ejYmjNxQ4VDlW46gG2o,5508
+gcp_platforms_auto/iam.py,sha256=wnMZ_jl2YM5dLY8LqtPfEyh_0Osqs1ypsxakJGmwHVw,11614
+gcp_platforms_auto/models.py,sha256=mVg8NKV25kqdTuazqenAp7Ay03N5D8GIh3F_TWP0zyI,853
+gcp_platforms_auto-0.8.4.dist-info/METADATA,sha256=UU0EYfRtyhRgQW_1867j05FBs16hAAan5w_UWKQn15w,600
+gcp_platforms_auto-0.8.4.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
+gcp_platforms_auto-0.8.4.dist-info/top_level.txt,sha256=4q-ofPMmvBaTnIbAzs-Wp_OwheAVxxmJ1fW9vl3-kyE,19
+gcp_platforms_auto-0.8.4.dist-info/RECORD,,

gcp_platforms_auto-0.8.3.dist-info/RECORD

@@ -1,9 +0,0 @@
-gcp_platforms_auto/__init__.py,sha256=MhphRLBFhpZSik83woVgJi3NpyGjBRZ4RyOcXu8dqAk,443
-gcp_platforms_auto/db.py,sha256=jE5nwmqVHcxT4m6-meUgUz4V4DM8M_sMmeTpvKr2Z2Y,8768
-gcp_platforms_auto/git.py,sha256=NnLDfRzzrzbm9yekepc-qgu8ejYmjNxQ4VDlW46gG2o,5508
-gcp_platforms_auto/iam.py,sha256=GLjZ3HBbpbpLLSkOc60QEwdLWTc3GqWS45PrvT_-d5I,6655
-gcp_platforms_auto/models.py,sha256=mVg8NKV25kqdTuazqenAp7Ay03N5D8GIh3F_TWP0zyI,853
-gcp_platforms_auto-0.8.3.dist-info/METADATA,sha256=EnenLVPNmfEpeXU5yH-zifof3U4OwUScBbYlvT7fv5E,600
-gcp_platforms_auto-0.8.3.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
-gcp_platforms_auto-0.8.3.dist-info/top_level.txt,sha256=4q-ofPMmvBaTnIbAzs-Wp_OwheAVxxmJ1fW9vl3-kyE,19
-gcp_platforms_auto-0.8.3.dist-info/RECORD,,