Add Roles to GCP IAM policy lookup - EXPANDR 5945 #30477
- Add roles to gcp_iam_project_iam_policy_get_command
Thank you for your contribution. Your generosity and caring are unrivaled! Make sure to register your contribution by filling the Contribution Registration form, so our content wizard @sapirshuker will know the proposed changes are ready to be reviewed.
@@ -87,6 +87,8 @@ script: | |||
- defaultValue: '1' | |||
description: The page number of the results to retrieve. Minimum value is 1. | |||
name: page | |||
- description: 'A list of roles. Must be given as a comma separated list (Ex: "roles/bigquery.admin, roles/editor, roles/owner").' |
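Review bot: The example in the new `roles` description separates the roles with a comma and a space ("roles/bigquery.admin, roles/editor, roles/owner"), while the filter in this PR tests `entry["role"] in roles` by exact string match. Unless the argument is split and each item stripped before that comparison, ` roles/editor` never matches and its binding is silently left out of the result; either strip each item when parsing or show the example without spaces. The sentence also says "list" twice and can be shortened.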
- description: 'A list of roles. Must be given as a comma separated list (Ex: "roles/bigquery.admin, roles/editor, roles/owner").' | |
- description: 'A comma-separated list of roles. (Ex: "roles/bigquery.admin, roles/editor, roles/owner").' |
@@ -385,7 +385,8 @@ Retrieves the IAM access control policy for the specified folder. | |||
| --- | --- | --- | | |||
| folder_name | The folder name for which the policy is being requested. For example, folders/12342. | Required | | |||
| limit | The maximum number of results to retrieve. Minimum value is 1. Default is 50. | Optional | | |||
| page | The page number of the results to retrieve. Minimum value is 1. Default is 1. | Optional | | |||
| page | The page number of the results to retrieve. Minimum value is 1. Default is 1. | Optional | | |||
| roles | A comma separated list of roles. Must be given as a comma separated list (Ex: "roles/bigquery.admin, roles/editor, roles/owner"). | Optional | |
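Review bot: The `roles` row is added to the argument table whose hunk context reads "Retrieves the IAM access control policy for the specified folder" and whose first argument is `folder_name`, but the PR title and the release note name only the project policy command. Confirm that the folder command accepts `roles`, or move the row to the project command's table. The `page` row is also removed and re-added with identical text, which looks like a whitespace-only change that can be dropped, and the new description says "comma separated list" twice.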
| roles | A comma separated list of roles. Must be given as a comma separated list (Ex: "roles/bigquery.admin, roles/editor, roles/owner"). | Optional | | |
| roles | A comma-separated list of roles. (Ex: "roles/bigquery.admin, roles/editor, roles/owner"). | Optional | |
@sapirshuker Doc review completed.
- description: 'A list of roles. Must be given as a comma separated list (Ex: "roles/bigquery.admin, roles/editor, roles/owner").' | ||
name: roles |
- description: 'A list of roles. Must be given as a comma separated list (Ex: "roles/bigquery.admin, roles/editor, roles/owner").' | |
name: roles | |
- description: 'A list of roles. Must be given as a comma separated list (Ex: "roles/bigquery.admin, roles/editor, roles/owner").' | |
name: roles | |
isArray: true | |
required: false |
if roles and bindings: | ||
bindings_roles_only = [] | ||
for index, entry in enumerate(bindings): | ||
if entry["role"] in roles: |
Please use entry.get("role")
outputs["bindings"] = bindings[start:end] | ||
if len(bindings) < 50: |
What is this change? The limit default value is 50 but could be larger, why do we need to change the header?
Additionally, you check the len of the original list without paging (bindings[start:end]), is that your intention?
> The limit default value is 50 but could be larger, why do we need to change the header?

I have updated it to use `limit`. The default header would come from `get_pagination_readable_message`, which would use `limit`, and that would be an incorrect output when filtering by a list of roles. If this was not changed when using `!gcp-iam-project-iam-policy-get project_name="projects/target_project" roles="roles/editor,roles/owner"` the example would look like:

```
Current page size: 50
Showing page 1 out of others that may exist.
```

Since there are only 2 roles (`roles/editor`, `roles/owner`), it should be:

```
Current size: 2
```

> Additionally, you check the len of the original list without paging (bindings[start:end]), is that your intention?

Yes, because I would like to return all possible roles, but I could page the roles if we think a user would input over 50 roles into a list.
Packs/GCP-IAM/ReleaseNotes/1_0_21.md
Outdated
|
||
##### GCP-IAM | ||
|
||
Updated the ***gcp_iam_project_iam_policy_get_command*** command, to support filtering by roles. |
Updated the ***gcp_iam_project_iam_policy_get_command*** command, to support filtering by roles. | |
Updated the ***gcp-iam-project-iam-policy-get*** command, to support filtering by roles. |
for index, entry in enumerate(bindings): | ||
if entry["role"] in roles: | ||
bindings_roles_only.append(bindings.pop(index)) |
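Review bot: `bindings.pop(index)` inside `for index, entry in enumerate(bindings)` shortens the list while the loop index keeps advancing, so the binding immediately after every match is never tested. Two requested roles that sit next to each other in the policy return only the first, which for an IAM lookup means a binding such as `roles/owner` can be missing from the output without any error. Build the filtered list without mutating the input, for example `[b for b in bindings if b.get("role") in roles]`.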
You're changing the bindings list while going through it, I don't think it's a good idea to do it like that. It could cause bugs.
Updated to retrieve index value only.
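The concern raised in this thread, as an added example that is not code from the pull request: on a constructed bindings list, popping while enumerating drops a requested role, while building a new list does not. The helper names `parse_roles`, `filter_with_pop` and `filter_bindings` and the sample data are assumptions made for illustration.

```python
"""Added example: filtering IAM policy bindings by role (constructed data)."""

# Constructed sample shaped like the "bindings" list of an IAM policy.
SAMPLE_BINDINGS = [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/editor", "members": ["user:bob@example.com"]},
    {"role": "roles/viewer", "members": ["group:staff@example.com"]},
    {"members": ["user:carol@example.com"]},  # malformed entry without "role"
    {"role": "roles/bigquery.admin", "members": ["user:dave@example.com"]},
]


def parse_roles(raw):
    """Split a comma-separated roles argument and strip whitespace per item."""
    return {part.strip() for part in raw.split(",") if part.strip()}


def filter_with_pop(bindings, roles):
    """Pattern under review: pop() from the list that is being enumerated.

    Uses .get("role") as the reviewer asked, so the malformed entry does not
    raise; the skipping behaviour is the same with entry["role"].
    """
    bindings = list(bindings)  # work on a copy so the sample stays intact
    kept = []
    for index, entry in enumerate(bindings):
        if entry.get("role") in roles:
            # Removing the item shifts its successor into `index`, and the
            # loop then moves on to index + 1: the successor is never tested.
            kept.append(bindings.pop(index))
    return kept


def filter_bindings(bindings, roles):
    """Build a new list: the input is not mutated and no entry is skipped."""
    return [entry for entry in bindings if entry.get("role") in roles]


if __name__ == "__main__":
    wanted = parse_roles("roles/owner, roles/editor, roles/bigquery.admin")
    for label, fn in (("pop", filter_with_pop), ("new list", filter_bindings)):
        print(label, [b["role"] for b in fn(SAMPLE_BINDINGS, wanted)])
```

With the pop variant, `roles/editor` is lost because it directly follows the matched `roles/owner` entry; a role list that matches nothing yields an empty list from `filter_bindings`.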
@@ -1221,7 +1221,7 @@ def update_time_format(data: Union[dict, list], keys: list) -> list: | |||
|
|||
def generate_iam_policy_command_output(response: dict, resource_name: str = None, |
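Review bot: In the signature, `resource_name: str = None` annotates the parameter as `str` while defaulting it to `None`; annotate it as `Optional[str]`, in line with the `Union[dict, list]` typing already used in the hunk context. If a `roles` parameter is added to this signature, give it the same treatment and describe it in the docstring.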
Please add the roles arg to the doc string
if entry["role"] in roles: | ||
bindings_roles_only.append(bindings.pop(index)) | ||
|
||
bindings = bindings_roles_only |
If you don't have any results after filtering, what happens?
- Update role input description - Pop to index - remove explicit conditional
…ANDR-5945-GCP-IAM
Hey, thanks for making the changes!
Awesome! Let's add some unit tests for this functionality.
Also, I notice that the `generate_iam_policy_command_output` function is being called from 7 different places. Will changing the readable header have an impact on every call where `len(bindings) < limit` is true? Just wondering if this is what you intended, because I think it might affect other commands too.
There are only 3 places that use
I have updated the readable header to work for all of them if they do not have more than the limit (which would mean it has less than 1 page). I would have liked to not affect those commands, but this change does work for any paging output with minimal changes to trying to avoid affecting the other commands. Also, @sapirshuker do I need to make changes to the Flake8 errors that were previously existing?
Hi @BigEasyJ, we haven’t heard from you in a while.
Sorry, I was expecting a meeting for the demo, also @sapirshuker I'm unsure what additional unit tests are needed as I have updated the unit test primarily in question.
…ANDR-5945-GCP-IAM
…ANDR-5945-GCP-IAM
Hey, @BigEasyJ
Hey @BigEasyJ
Hi @sapirshuker I was out on Friday and not in on Sundays, I will get back to you as soon as I can.
For the Reviewer: Successfully created a pipeline in Gitlab with url: https://code.pan.run/xsoar/content/-/pipelines/6908138
…ANDR-5945-GCP-IAM
Build failed due to a known issue CIAC-6419
Hey please see my comments
@@ -2959,8 +2970,8 @@ def gcp_iam_service_account_generate_access_token_command(client: Client, args: | |||
CommandResults: outputs, readable outputs and raw response for XSOAR. | |||
|
|||
""" | |||
service_account_email = args['service_account_email'] | |||
lifetime = args['lifetime'] | |||
service_account_email = args.get('service_account_email', '') |
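Review bot: Replacing `args['service_account_email']` with `args.get('service_account_email', '')` turns a missing argument from an immediate `KeyError` into an empty string that the rest of the command then works with. For a command that generates an access token, failing before any request is built is the safer behaviour; keep the subscript access, or validate the value explicitly and raise a clear error. The change is also unrelated to role filtering and would be easier to review on its own.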
did you do it on purpose?
Great!
735db7a
into
demisto:contrib/PaloAltoNetworks_EXPANDR-5945-GCP-IAM
* Add Roles to GCP IAM policy lookup - EXPANDR 5945 (demisto#30477) * Update gcp_iam_project_iam_policy_get_command - Add roles to gcp_iam_project_iam_policy_get_command * Remove Prints * Update header * Update MD header * Add release notes and metadata * Some of the suggested changes * Update role - Update role input description - Pop to index - remove explicit conditional * Update unit test, docker, and header verbiage * Update header * Flake8 fixes * Update release note * revert changes --------- Co-authored-by: John <40349459+BigEasyJ@users.noreply.github.com> Co-authored-by: sapirshuker <sshuker@paloaltonetworks.com> Co-authored-by: Sapir Shuker <49246861+sapirshuker@users.noreply.github.com>
* Add Roles to GCP IAM policy lookup - EXPANDR 5945 (#30477) * Update gcp_iam_project_iam_policy_get_command - Add roles to gcp_iam_project_iam_policy_get_command * Remove Prints * Update header * Update MD header * Add release notes and metadata * Some of the suggested changes * Update role - Update role input description - Pop to index - remove explicit conditional * Update unit test, docker, and header verbiage * Update header * Flake8 fixes * Update release note * revert changes --------- Co-authored-by: John <40349459+BigEasyJ@users.noreply.github.com> Co-authored-by: sapirshuker <sshuker@paloaltonetworks.com> Co-authored-by: Sapir Shuker <49246861+sapirshuker@users.noreply.github.com>
Contributing to Cortex XSOAR Content
Make sure to register your contribution by filling the contribution registration form
The Pull Request will be reviewed only after the contribution registration form is filled.
Status
Related Issues
EXPANDR-5945
Description
Updated the gcp_iam_project_iam_policy_get_command command to support filtering by roles.
Must have