Add Roles to GCP IAM policy lookup - EXPANDR 5945 #30477
Conversation
- Add roles to gcp_iam_project_iam_policy_get_command
content-bot
added
Contribution
content-bot
changed the base branch from
master
to
contrib/PaloAltoNetworks_EXPANDR-5945-GCP-IAM
|
Thank you for your contribution. Your generosity and caring are unrivaled! Make sure to register your contribution by filling the Contribution Registration form, so our content wizard @sapirshuker will know the proposed changes are ready to be reviewed. |
| @@ -87,6 +87,8 @@ script: | |||
| - defaultValue: '1' | |||
| description: The page number of the results to retrieve. Minimum value is 1. | |||
| name: page | |||
| - description: 'A list of roles. Must be given as a comma separated list (Ex: "roles/bigquery.admin, roles/editor, roles/owner").' | |||
There was a problem hiding this comment.
| - description: 'A list of roles. Must be given as a comma separated list (Ex: "roles/bigquery.admin, roles/editor, roles/owner").' | |
| - description: 'A comma-separated list of roles. (Ex: "roles/bigquery.admin, roles/editor, roles/owner").' |
| @@ -385,7 +385,8 @@ Retrieves the IAM access control policy for the specified folder. | |||
| | --- | --- | --- | | |||
| | folder_name | The folder name for which the policy is being requested. For example, folders/12342. | Required | | |||
| | limit | The maximum number of results to retrieve. Minimum value is 1. Default is 50. | Optional | | |||
| | page | The page number of the results to retrieve. Minimum value is 1. Default is 1. | Optional | | |||
| | page | The page number of the results to retrieve. Minimum value is 1. Default is 1. | Optional | | |||
| | roles | A comma separated list of roles. Must be given as a comma separated list (Ex: "roles/bigquery.admin, roles/editor, roles/owner"). | Optional | | |||
There was a problem hiding this comment.
| | roles | A comma separated list of roles. Must be given as a comma separated list (Ex: "roles/bigquery.admin, roles/editor, roles/owner"). | Optional | | |
| | roles | A comma-separated list of roles. (Ex: "roles/bigquery.admin, roles/editor, roles/owner"). | Optional | |
|
@sapirshuker Doc review completed. |
| - description: 'A list of roles. Must be given as a comma separated list (Ex: "roles/bigquery.admin, roles/editor, roles/owner").' | ||
| name: roles |
There was a problem hiding this comment.
| - description: 'A list of roles. Must be given as a comma separated list (Ex: "roles/bigquery.admin, roles/editor, roles/owner").' | |
| name: roles | |
| - description: 'A list of roles. Must be given as a comma separated list (Ex: "roles/bigquery.admin, roles/editor, roles/owner").' | |
| name: roles | |
| isArray: true | |
| required: false |
| if roles and bindings: | ||
| bindings_roles_only = [] | ||
| for index, entry in enumerate(bindings): | ||
| if entry["role"] in roles: |
There was a problem hiding this comment.
Please use entry.get("role")
| outputs["bindings"] = bindings[start:end] | ||
| if len(bindings) < 50: |
There was a problem hiding this comment.
What is this change? The limit default value is 50 but could be larger, why do we need to change the header?
Additionally, you check the len of the original list without paging (bindings[start:end]), is that your intention?
There was a problem hiding this comment.
The limit default value is 50 but could be larger, why do we need to change the header?
I have updated it to uselimit. The default header would come fromget_pagination_readable_messagewhich would uselimitand that would be an incorrect output when filtering by a list of roles. If this was not changed whe using!gcp-iam-project-iam-policy-get project_name="projects/target_project" roles="roles/editor,roles/owner"the example would look like:
Current page size: 50
Showing page 1 out of others that may exist.
Since there are only 2 roles ( roles/editor, roles/owner), it should be:
Current size: 2
```
> Additionally, you check the len of the original list without paging (bindings[start:end]), is that your intention?
Yes, because I would like to return all possible roles, but I could page the roles if we think a user would input over 50 roles into a list.
Packs/GCP-IAM/ReleaseNotes/1_0_21.md
Outdated
|
|
||
| ##### GCP-IAM | ||
|
|
||
| Updated the ***gcp_iam_project_iam_policy_get_command*** command, to support filtering by roles. |
There was a problem hiding this comment.
| Updated the ***gcp_iam_project_iam_policy_get_command*** command, to support filtering by roles. | |
| Updated the ***gcp-iam-project-iam-policy-get*** command, to support filtering by roles. |
| for index, entry in enumerate(bindings): | ||
| if entry["role"] in roles: | ||
| bindings_roles_only.append(bindings.pop(index)) |
There was a problem hiding this comment.
You're changing the bindings list while going through it, I don't think it's a good idea to do it like that. It could cause bugs.
There was a problem hiding this comment.
Updated to retrieve index value only.
| @@ -1221,7 +1221,7 @@ def update_time_format(data: Union[dict, list], keys: list) -> list: | |||
|
|
|||
| def generate_iam_policy_command_output(response: dict, resource_name: str = None, | |||
There was a problem hiding this comment.
Please add the roles arg to the doc string
| if entry["role"] in roles: | ||
| bindings_roles_only.append(bindings.pop(index)) | ||
|
|
||
| bindings = bindings_roles_only |
There was a problem hiding this comment.
If you don't have any results after filtering, what happens?
- Update role input description - Pop to index - remove explicit conditional
…ANDR-5945-GCP-IAM
There was a problem hiding this comment.
Hey, thanks for making the changes!
Awesome! Let's add some unit tests for this functionality.
Also, I notice that the generate_iam_policy_command_output function is being called from 7 different places. Will changing the readable header have an impact on every call where len(bindings) < limit is true? Just wondering if this is what you intended, because I think it might affect other commands too.
There are only 3 places that use
I have updated the readable header to work for all of them if they do not have more than the limit (which would mean it has less than 1 page). I would have liked to not affect those commands, but this change does work for any paging output with minimal changes to trying to avoid affecting the other commands. Also, @sapirshuker do I need to make changes to the Flake8 errors that were previously existing? |
content-bot
added
Community
Contribution Form Filled
|
Hi @BigEasyJ , we haven’t heard from you in a while. |
|
Sorry, I was expecting a meeting fro the demo, also @sapirshuker I'm unsure what additional unit tests are needed as I have updated the unit test primarily in question. |
…ANDR-5945-GCP-IAM
…ANDR-5945-GCP-IAM
|
Hey, @BigEasyJ |
|
Hey @BigEasyJ |
|
Hi @sapirshuker I was out on Friday and not in on Sundays, I will get back to you as soon as I can. |
sapirshuker
added
the
ready-for-instance-test
|
For the Reviewer: Successfully created a pipeline in Gitlab with url: https://code.pan.run/xsoar/content/-/pipelines/6908138 |
sapirshuker
added
ready-for-instance-test
…ANDR-5945-GCP-IAM
|
Build failed due to a known issue CIAC-6419 |
| @@ -2959,8 +2970,8 @@ def gcp_iam_service_account_generate_access_token_command(client: Client, args: | |||
| CommandResults: outputs, readable outputs and raw response for XSOAR. | |||
|
|
|||
| """ | |||
| service_account_email = args['service_account_email'] | |||
| lifetime = args['lifetime'] | |||
| service_account_email = args.get('service_account_email', '') | |||
There was a problem hiding this comment.
did you do it on purpose?
sapirshuker
merged commit 735db7a
into
demisto:contrib/PaloAltoNetworks_EXPANDR-5945-GCP-IAM
* Add Roles to GCP IAM policy lookup - EXPANDR 5945 (demisto#30477) * Update gcp_iam_project_iam_policy_get_command - Add roles to gcp_iam_project_iam_policy_get_command * Remove Prints * Update header * Update MD header * Add release notes and metadata * Some of the suggested changes * Update role - Update role input description - Pop to index - remove explicit conditional * Update unit test, docker, and header verbiage * Update header * Flake8 fixes * Update release note * revert changes --------- Co-authored-by: John <40349459+BigEasyJ@users.noreply.github.com> Co-authored-by: sapirshuker <sshuker@paloaltonetworks.com> Co-authored-by: Sapir Shuker <49246861+sapirshuker@users.noreply.github.com>
* Add Roles to GCP IAM policy lookup - EXPANDR 5945 (#30477) * Update gcp_iam_project_iam_policy_get_command - Add roles to gcp_iam_project_iam_policy_get_command * Remove Prints * Update header * Update MD header * Add release notes and metadata * Some of the suggested changes * Update role - Update role input description - Pop to index - remove explicit conditional * Update unit test, docker, and header verbiage * Update header * Flake8 fixes * Update release note * revert changes --------- Co-authored-by: John <40349459+BigEasyJ@users.noreply.github.com> Co-authored-by: sapirshuker <sshuker@paloaltonetworks.com> Co-authored-by: Sapir Shuker <49246861+sapirshuker@users.noreply.github.com>
Contributing to Cortex XSOAR Content
Make sure to register your contribution by filling the contribution registration form
The Pull Request will be reviewed only after the contribution registration form is filled.
Status
Related Issues
EXPANDR-5945
Description
Updated the gcp_iam_project_iam_policy_get_command command to support filtering by roles.
Must have