
Commit c438ba1

melaniedejongengelke
authored andcommitted
IAM: Added test_permissions function and tests (#2431)
* Added test_permissions function and tests for this doc: https://cloud.google.com/iam/docs/testing-permissions * Adding access tests Adding back tests that were accidentally removed in a previous commit * Lint * Lint Adding newlines at end of files * Lint * Lint
1 parent 339459e commit c438ba1


2 files changed

+37
-4
lines changed


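--- a/iam/api-client/access.py
+++ b/iam/api-client/access.py
@@ -1,5 +1,3 @@
-# !/usr/bin/env python
-#
 # Copyright 2018 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -31,7 +29,6 @@
 def get_policy(project_id):
 """Gets IAM policy for a project."""
 
-# pylint: disable=no-member
 credentials = service_account.Credentials.from_service_account_file(
 filename=os.environ['GOOGLE_APPLICATION_CREDENTIALS'],
 scopes=['https://www.googleapis.com/auth/cloud-platform'])
@@ -84,7 +81,6 @@ def modify_policy_remove_member(policy, role, member):
 def set_policy(project_id, policy):
 """Sets IAM policy for a project."""
 
-# pylint: disable=no-member
 credentials = service_account.Credentials.from_service_account_file(
 filename=os.environ['GOOGLE_APPLICATION_CREDENTIALS'],
 scopes=['https://www.googleapis.com/auth/cloud-platform'])
@@ -99,6 +95,32 @@ def set_policy(project_id, policy):
 return policy
 # [END iam_set_policy]
 
+# [START iam_test_permissions]
+
+
+def test_permissions(project_id):
+"""Tests IAM permissions of the caller"""
+
+credentials = service_account.Credentials.from_service_account_file(
+filename=os.environ['GOOGLE_APPLICATION_CREDENTIALS'],
+scopes=['https://www.googleapis.com/auth/cloud-platform'])
+service = googleapiclient.discovery.build(
+'cloudresourcemanager', 'v1', credentials=credentials)
+
+permissions = {
+"permissions": [
+"resourcemanager.projects.get",
+"resourcemanager.projects.delete"
+]
+}
+
+request = service.projects().testIamPermissions(
+resource=project_id, body=permissions)
+returnedPermissions = request.execute()
+print(returnedPermissions)
+return returnedPermissions
+# [END iam_test_permissions]
+
 
 def main():
 parser = argparse.ArgumentParser(
@@ -140,6 +162,11 @@ def main():
 set_parser.add_argument('project_id')
 set_parser.add_argument('policy')
 
+# Test permissions
+test_permissions_parser = subparsers.add_parser(
+'test_permissions', help=get_policy.__doc__)
+test_permissions_parser.add_argument('project_id')
+
 args = parser.parse_args()
 
 if args.command == 'get':
@@ -152,6 +179,8 @@ def main():
 modify_policy_remove_member(args.policy, args.role, args.member)
 elif args.command == 'add_binding':
 modify_policy_add_role(args.policy, args.role, args.member)
+elif args.command == 'test_permissions':
+test_permissions(args.project_id)
 
 
 if __name__ == '__main__':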
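Review bot: The new `test_permissions` subparser in main() is registered with `help=get_policy.__doc__`, so its help text reads "Gets IAM policy for a project." instead of describing the permission check; the line should be `'test_permissions', help=test_permissions.__doc__)`. Separately, test_permissions() loads the service-account key with the full `https://www.googleapis.com/auth/cloud-platform` scope although it only issues a read-only testIamPermissions call; if the API accepts it, `https://www.googleapis.com/auth/cloud-platform.read-only` would keep the sample closer to least privilege. main() begins and ends outside the hunks shown, so the rest of the subparser wiring was not reviewed.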

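--- a/iam/api-client/access_test.py
+++ b/iam/api-client/access_test.py
@@ -50,6 +50,10 @@ def test_access(capsys):
 out, _ = capsys.readouterr()
 assert u'etag' in out
 
+access.test_permissions(project_id)
+out, _ = capsys.readouterr()
+assert u'permissions' in out
+
 # deleting the service account created above
 service_accounts.delete_service_account(
 email)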
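Review bot: The added check `assert u'permissions' in out` only confirms that the word appears in captured stdout, so it passes whichever permissions come back and it ignores the function's return value. Asserting on the result would pin the behaviour the sample documents: `result = access.test_permissions(project_id)` followed by `assert u'resourcemanager.projects.get' in result.get(u'permissions', [])`, assuming the test identity is expected to hold that permission, which is not visible in this hunk. test_access starts and ends outside the hunk, and `project_id` is defined outside it too.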
