Add getIamPolicy functionality to GCP cloudresourcemanager module (go…

…ogle#427) * Add projects.getIamPolicy functionality to GCP cloudresourcemanager module
jonathan-greig · Jan 13, 2022 · 8e06dd0 · 8e06dd0
1 parent c5f4d5e
commit 8e06dd0
Show file tree

Hide file tree

Showing 3 changed files with 79 additions and 0 deletions.
diff --git a/libcloudforensics/providers/gcp/internal/cloudresourcemanager.py b/libcloudforensics/providers/gcp/internal/cloudresourcemanager.py
@@ -136,3 +136,31 @@ def DeleteResource(self, name: str) -> Dict[str, Any]:
     response = common.ExecuteRequest(resource_client, 'delete', request)[0]
     logger.info("Resource {0:s} was set for deletion.".format(name))
     return response
+
+  def GetIamPolicy(self, name: str) -> Dict[str, Any]:
+    """Get IAM policy bindings for a resource.
+
+    Args:
+      name (str): a resource identifier in the format
+        resource_type/resource_number e.g. projects/123456789012 where
+        project_type is one of projects, folders or organizations.
+
+    Returns:
+      Dict[str, Any]: The policy bindings for the resource.
+
+    Raises:
+      TypeError: if an invalid resource type is provided.
+    """
+    resource_type = name.split('/')[0]
+    if resource_type not in self.RESOURCE_TYPES:
+      raise TypeError('Invalid resource type "{0:s}", resource must be one of '
+          '"projects", "folders" or "organizations" provided in the format '
+          '"resource_type/resource_number".'.format(name))
+    service = self.GrmApi()
+    resource_client = getattr(service, resource_type)()
+    request = {'resource': name}
+    # Safe to unpack
+    response = common.ExecuteRequest(
+        resource_client, 'getIamPolicy', request)[0]
+
+    return response
diff --git a/tests/providers/gcp/gcp_mocks.py b/tests/providers/gcp/gcp_mocks.py
@@ -955,3 +955,23 @@
 		"user_email": "fake-user-email@test.com"
 	}]
 }
+
+MOCK_IAM_POLICY = {
+  "version": 1,
+  "etag": "bm90X2V0YWc=",
+  "bindings": [
+    {
+      "role": "roles/cloudbuild.builds.builder",
+      "members": [
+        "serviceAccount:012345678901@cloudbuild.gserviceaccount.com"
+      ]
+    },
+    {
+      "role": "roles/owner",
+      "members": [
+        "serviceAccount:fake_sa@fake-project.iam.gserviceaccount.com",
+        "user:fakeaccount@fakedomain.com"
+      ]
+    }
+  ]
+}
diff --git a/tests/providers/gcp/internal/test_cloudresourcemanager.py b/tests/providers/gcp/internal/test_cloudresourcemanager.py
@@ -99,3 +99,34 @@ def testGetProjectAncestry(self, _, mock_execute_request):
             'updateTime': '2020-01-01T00:00:00.000Z'
           }
         ])
+
+  @typing.no_type_check
+  @mock.patch('libcloudforensics.providers.gcp.internal.common.ExecuteRequest')
+  @mock.patch('libcloudforensics.providers.gcp.internal.cloudresourcemanager.GoogleCloudResourceManager.GrmApi')
+  def testGetIamPolicy(self, mock_grm_api, mock_execute_request):
+    """Validates the GetIamPolicy function"""
+    mock_execute_request.return_value = [gcp_mocks.MOCK_IAM_POLICY]
+    mock_resource_client = mock_grm_api.return_value.projects.return_value
+    response = gcp_mocks.FAKE_CLOUD_RESOURCE_MANAGER.GetIamPolicy(
+        'projects/000000000000')
+    mock_execute_request.assert_called_with(mock_resource_client,
+        'getIamPolicy', {'resource': 'projects/000000000000'})
+    self.assertEqual(response, {
+        "version": 1,
+        "etag": "bm90X2V0YWc=",
+        "bindings": [
+          {
+            "role": "roles/cloudbuild.builds.builder",
+            "members": [
+              "serviceAccount:012345678901@cloudbuild.gserviceaccount.com"
+            ]
+          },
+          {
+            "role": "roles/owner",
+            "members": [
+              "serviceAccount:fake_sa@fake-project.iam.gserviceaccount.com",
+              "user:fakeaccount@fakedomain.com"
+            ]
+          }
+        ]
+      })