Coverage for /pythoncovmergedfiles/medio/medio/usr/local/lib/python3.8/site-packages/c7n_gcp/resources/storage.py: 86%


1# Copyright The Cloud Custodian Authors. 

2# SPDX-License-Identifier: Apache-2.0 

3from c7n.utils import type_schema 

4from c7n_gcp.actions import MethodAction 

5from c7n_gcp.provider import resources 

6from c7n_gcp.query import QueryResourceManager, TypeInfo 

7from c7n_gcp.filters import IamPolicyFilter 


@resources.register('bucket')
class Bucket(QueryResourceManager):
    """Resource manager for Cloud Storage buckets, registered as ``bucket``."""

    class resource_type(TypeInfo):
        # API coordinates used to reach the bucket collection.
        service = 'storage'
        version = 'v1'
        component = 'buckets'
        scope = 'project'
        # Enumeration call: verb, result path, and extra query parameters.
        enum_spec = ('list', 'items[]', {'projection': 'full'})
        # Both the display name and the identifier come from the 'name' field.
        name = 'name'
        id = 'name'
        default_report_fields = ["name", "timeCreated", "location", "storageClass"]
        asset_type = "storage.googleapis.com/Bucket"
        scc_type = "google.cloud.storage.Bucket"
        metric_key = 'resource.labels.bucket_name'
        urn_component = "bucket"

        @staticmethod
        def get(client, resource_info):
            """Fetch one bucket, keyed by ``resource_info['bucket_name']``."""
            lookup = {'bucket': resource_info['bucket_name']}
            return client.execute_command('get', lookup)


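@Bucket.filter_registry.register('iam-policy')
class BucketIamPolicyFilter(IamPolicyFilter):
    """
    Overrides the base implementation to process bucket resources correctly.
    """
    # Permission declared for reading a bucket's IAM policy.
    permissions = ('storage.buckets.getIamPolicy',)

    def _verb_arguments(self, resource):
        """Return the call arguments for *resource*: its name under ``bucket``."""
        # This must be a plain dict. Doubled braces here would form a set
        # literal wrapping a dict, which raises TypeError (dicts are
        # unhashable), so the method would raise instead of returning the
        # arguments and the filter could not evaluate any bucket.
        return {"bucket": resource["name"]}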


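@Bucket.action_registry.register('set-uniform-access')
class BucketLevelAccess(MethodAction):
    '''Uniform access disables object ACLs on a bucket.

    Enabling this means only bucket policies (and organization bucket
    policies) govern access to a bucket.

    When enabled, users can only specify bucket level IAM policies
    and not Object level ACL's.

    The filter key in the example matches the ``enabled`` field that
    this action writes.

    Example Policy:

    .. code-block:: yaml

      policies:
       - name: enforce-uniform-bucket-level-access
         resource: gcp.bucket
         filters:
          - iamConfiguration.uniformBucketLevelAccess.enabled: false
         actions:
          - type: set-uniform-access
            # The following is also the default
            state: true
    '''

    schema = type_schema('set-uniform-access', state={'type': 'boolean'})
    method_spec = {'op': 'patch'}
    method_perm = 'update'

    # The Google docs and example for this API appear to be broken.
    # https://cloud.google.com/storage/docs/using-uniform-bucket-level-access#rest-apis
    #
    # Instead we mirror the requests gsutil makes to achieve the same result.
    # The key seems to be the undocumented projection parameter.
    #
    def get_resource_params(self, model, resource):
        """Build the patch arguments that set uniform bucket-level access.

        ``state`` from the policy data selects the value written and
        defaults to True when omitted. ``model`` is not used here.
        """
        # state: false writes enabled=False, i.e. it turns uniform access off
        # for the bucket rather than leaving the bucket unchanged.
        enabled = self.data.get('state', True)
        return {'bucket': resource['name'],
                'fields': 'iamConfiguration',
                # Not documented, but appears to be needed (see the note above).
                'projection': 'noAcl',
                'body': {'iamConfiguration': {'uniformBucketLevelAccess': {'enabled': enabled}}}}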

83 'fields': 'iamConfiguration', 

84 'projection': 'noAcl', # not documented but 

85 'body': {'iamConfiguration': {'uniformBucketLevelAccess': {'enabled': enabled}}}}