7799868035

Committed 06 Feb 2024 12:44PM UTC coverage: 75.41% (-0.01%) from 75.423%

Build # 7799868035

Build Type

Pull #121

github

Committed by

utsav-agarwal

Commit Message

fix: return error in case taxonomies fails with any error

Pull Request Pull Request #121: fix: return error in case taxonomies fails with any error

Run Details

0 of 4 new or added lines in 1 file covered. (0.0%)

8823 of 11700 relevant lines covered (75.41%)

4.28 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

3.65

/plugins/providers/dataplex/client.go

package dataplex

import (
        "context"
        "fmt"
        "strings"

        datacatalog "cloud.google.com/go/datacatalog/apiv1"
        "github.com/goto/guardian/domain"
        "google.golang.org/api/iterator"
        "google.golang.org/api/option"
        pb "google.golang.org/genproto/googleapis/cloud/datacatalog/v1"
        iampb "google.golang.org/genproto/googleapis/iam/v1"
)

type policyTagClient struct {
        policyManager    *datacatalog.PolicyTagManagerClient
        projectId        string
        taxonomyLocation string
}

func newPolicyTagClient(projectID, location string, credentialsJSON []byte) (*policyTagClient, error) {
        ctx := context.Background()
        policyManager, err := datacatalog.NewPolicyTagManagerClient(ctx, option.WithCredentialsJSON(credentialsJSON))
        if err != nil {
                return nil, err
        }
        return &policyTagClient{
                policyManager:    policyManager,
                projectId:        projectID,
                taxonomyLocation: location,
        }, nil
}

func (p *policyTagClient) GetPolicies(ctx context.Context) ([]*Policy, error) {
        taxonomies := p.policyManager.ListTaxonomies(ctx, &pb.ListTaxonomiesRequest{
                Parent: p.toParent(p.projectId, p.taxonomyLocation),
        })
        taxonomies.PageInfo().MaxSize = PageSize

        policyTags := make([]*Policy, 0)
        for {
                taxonomy, err := taxonomies.Next()
                if err != nil {
                        if err == iterator.Done {
                                break
                        }
                        return nil, err
                }
                tags := p.policyManager.ListPolicyTags(ctx, &pb.ListPolicyTagsRequest{
                        Parent: taxonomy.Name,
                })
                tags.PageInfo().MaxSize = PageSize

                for {
                        tag, err := tags.Next()
                        if err == iterator.Done {
                                break
                        }
                        policyTags = append(policyTags, &Policy{
                                Name:                tag.Name,
                                DisplayName:         tag.DisplayName,
                                Description:         tag.Description,
                                TaxonomyDisplayName: taxonomy.DisplayName,
                        })
                }
        }
        return policyTags, nil
}

func (p *policyTagClient) GrantPolicyAccess(ctx context.Context, tag *Policy, user, role string) error {
        policy, err := p.policyManager.GetIamPolicy(ctx, &iampb.GetIamPolicyRequest{
                Resource: tag.Name,
        })
        if err != nil {
                return err
        }
        usersWithGivenRole := make([]string, 0)
        for _, bind := range policy.Bindings {
                if role == bind.Role {
                        usersWithGivenRole = append(bind.Members, user)
                        for _, member := range bind.Members {
                                if member == user {
                                        return ErrPermissionAlreadyExists
                                }
                        }
                }
        }
        if len(usersWithGivenRole) == 0 {
                usersWithGivenRole = append(usersWithGivenRole, user)
        }

        _, err = p.policyManager.SetIamPolicy(ctx, &iampb.SetIamPolicyRequest{
                Resource: tag.Name,
                Policy: &iampb.Policy{Bindings: []*iampb.Binding{{
                        Role:    role,
                        Members: usersWithGivenRole,
                }}},
        })

        return err
}

func (p *policyTagClient) RevokePolicyAccess(ctx context.Context, tag *Policy, user, role string) error {
        policy, err := p.policyManager.GetIamPolicy(ctx, &iampb.GetIamPolicyRequest{
                Resource: tag.Name,
        })
        if err != nil {
                return err
        }

        usersWithGivenRole := make([]string, 0)
        for _, bind := range policy.Bindings {
                if role == bind.Role {
                        for _, member := range bind.Members {
                                if member == user {
                                        continue
                                }
                                usersWithGivenRole = append(usersWithGivenRole, member)
                        }

                        if len(usersWithGivenRole) == len(bind.Members) {
                                return ErrPermissionNotFound
                        }
                }
        }

        _, err = p.policyManager.SetIamPolicy(ctx, &iampb.SetIamPolicyRequest{
                Resource: tag.Name,
                Policy: &iampb.Policy{Bindings: []*iampb.Binding{{
                        Role:    role,
                        Members: usersWithGivenRole,
                }}},
        })
        return err
}

func (p *policyTagClient) ListAccess(ctx context.Context, resources []*domain.Resource) (domain.MapResourceAccess, error) {
        access := make(domain.MapResourceAccess)

        for _, r := range resources {
                var accessEntries []domain.AccessEntry

                switch r.Type {
                case ResourceTypeTag:
                        policy := new(Policy)
                        policy.FromDomain(r)

                        say, err := p.policyManager.GetIamPolicy(ctx, &iampb.GetIamPolicyRequest{
                                Resource: policy.Name,
                        })
                        if err != nil {
                                return nil, fmt.Errorf("getting policy-tag access entries of %q, %w", r.URN, err)
                        }

                        for _, binding := range say.Bindings {
                                for _, member := range binding.Members {
                                        accountType := ""
                                        if strings.HasPrefix(member, AccountTypeUser) {
                                                accountType = AccountTypeUser
                                        } else if strings.HasPrefix(member, AccountTypeServiceAccount) {
                                                accountType = AccountTypeServiceAccount
                                        }
                                        if len(accountType) == 0 {
                                                accessEntries = append(accessEntries, domain.AccessEntry{
                                                        AccountID:   member,
                                                        AccountType: accountType,
                                                        Permission:  binding.GetRole(),
                                                })
                                        }
                                }
                        }
                }
                if accessEntries != nil {
                        access[r.URN] = accessEntries
                }
        }
        return access, nil
}

func (p *policyTagClient) toParent(project, location string) string {
        return fmt.Sprintf("projects/%s/locations/%s", project, location)
}

func containsString(arr []string, v string) bool {
        for _, item := range arr {
                if item == v {
                        return true
                }
        }
        return false
}

1	package dataplex
2
3	import (
4	"context"
5	"fmt"
6	"strings"
7
8	datacatalog "cloud.google.com/go/datacatalog/apiv1"
9	"github.com/goto/guardian/domain"
10	"google.golang.org/api/iterator"
11	"google.golang.org/api/option"
12	pb "google.golang.org/genproto/googleapis/cloud/datacatalog/v1"
13	iampb "google.golang.org/genproto/googleapis/iam/v1"
14	)
15
16	type policyTagClient struct {
17	policyManager *datacatalog.PolicyTagManagerClient
18	projectId string
19	taxonomyLocation string
20	}
21
22	func newPolicyTagClient(projectID, location string, credentialsJSON []byte) (*policyTagClient, error) {	×
23	ctx := context.Background()	×
24	policyManager, err := datacatalog.NewPolicyTagManagerClient(ctx, option.WithCredentialsJSON(credentialsJSON))	×
25	if err != nil {	×
26	return nil, err	×
27	}	×
28	return &policyTagClient{	×
29	policyManager: policyManager,	×
30	projectId: projectID,	×
31	taxonomyLocation: location,	×
32	}, nil	×
33	}
34
35	func (p policyTagClient) GetPolicies(ctx context.Context) ([]Policy, error) {	×
36	taxonomies := p.policyManager.ListTaxonomies(ctx, &pb.ListTaxonomiesRequest{	×
37	Parent: p.toParent(p.projectId, p.taxonomyLocation),	×
38	})	×
39	taxonomies.PageInfo().MaxSize = PageSize	×
40		×
41	policyTags := make([]*Policy, 0)	×
42	for {	×
43	taxonomy, err := taxonomies.Next()	×
NEW 44	if err != nil {	×
NEW 45	if err == iterator.Done {	×
NEW 46	break	×
47	}
NEW 48	return nil, err	×
49	}
50	tags := p.policyManager.ListPolicyTags(ctx, &pb.ListPolicyTagsRequest{	×
51	Parent: taxonomy.Name,	×
52	})	×
53	tags.PageInfo().MaxSize = PageSize	×
54		×
55	for {	×
56	tag, err := tags.Next()	×
57	if err == iterator.Done {	×
58	break	×
59	}
60	policyTags = append(policyTags, &Policy{	×
61	Name: tag.Name,	×
62	DisplayName: tag.DisplayName,	×
63	Description: tag.Description,	×
64	TaxonomyDisplayName: taxonomy.DisplayName,	×
65	})	×
66	}
67	}
68	return policyTags, nil	×
69	}
70
71	func (p policyTagClient) GrantPolicyAccess(ctx context.Context, tag Policy, user, role string) error {	×
72	policy, err := p.policyManager.GetIamPolicy(ctx, &iampb.GetIamPolicyRequest{	×
73	Resource: tag.Name,	×
74	})	×
75	if err != nil {	×
76	return err	×
77	}	×
78	usersWithGivenRole := make([]string, 0)	×
79	for _, bind := range policy.Bindings {	×
80	if role == bind.Role {	×
81	usersWithGivenRole = append(bind.Members, user)	×
82	for _, member := range bind.Members {	×
83	if member == user {	×
84	return ErrPermissionAlreadyExists	×
85	}	×
86	}
87	}
88	}
89	if len(usersWithGivenRole) == 0 {	×
90	usersWithGivenRole = append(usersWithGivenRole, user)	×
91	}	×
92
93	_, err = p.policyManager.SetIamPolicy(ctx, &iampb.SetIamPolicyRequest{	×
94	Resource: tag.Name,	×
95	Policy: &iampb.Policy{Bindings: []*iampb.Binding{{	×
96	Role: role,	×
97	Members: usersWithGivenRole,	×
98	}}},	×
99	})	×
100		×
101	return err	×
102	}
103
104	func (p policyTagClient) RevokePolicyAccess(ctx context.Context, tag Policy, user, role string) error {	×
105	policy, err := p.policyManager.GetIamPolicy(ctx, &iampb.GetIamPolicyRequest{	×
106	Resource: tag.Name,	×
107	})	×
108	if err != nil {	×
109	return err	×
110	}	×
111
112	usersWithGivenRole := make([]string, 0)	×
113	for _, bind := range policy.Bindings {	×
114	if role == bind.Role {	×
115	for _, member := range bind.Members {	×
116	if member == user {	×
117	continue	×
118	}
119	usersWithGivenRole = append(usersWithGivenRole, member)	×
120	}
121
122	if len(usersWithGivenRole) == len(bind.Members) {	×
123	return ErrPermissionNotFound	×
124	}	×
125	}
126	}
127
128	_, err = p.policyManager.SetIamPolicy(ctx, &iampb.SetIamPolicyRequest{	×
129	Resource: tag.Name,	×
130	Policy: &iampb.Policy{Bindings: []*iampb.Binding{{	×
131	Role: role,	×
132	Members: usersWithGivenRole,	×
133	}}},	×
134	})	×
135	return err	×
136	}
137
138	func (p policyTagClient) ListAccess(ctx context.Context, resources []domain.Resource) (domain.MapResourceAccess, error) {	×
139	access := make(domain.MapResourceAccess)	×
140		×
141	for _, r := range resources {	×
142	var accessEntries []domain.AccessEntry	×
143		×
144	switch r.Type {	×
145	case ResourceTypeTag:	×
146	policy := new(Policy)	×
147	policy.FromDomain(r)	×
148		×
149	say, err := p.policyManager.GetIamPolicy(ctx, &iampb.GetIamPolicyRequest{	×
150	Resource: policy.Name,	×
151	})	×
152	if err != nil {	×
153	return nil, fmt.Errorf("getting policy-tag access entries of %q, %w", r.URN, err)	×
154	}	×
155
156	for _, binding := range say.Bindings {	×
157	for _, member := range binding.Members {	×
158	accountType := ""	×
159	if strings.HasPrefix(member, AccountTypeUser) {	×
160	accountType = AccountTypeUser	×
161	} else if strings.HasPrefix(member, AccountTypeServiceAccount) {	×
162	accountType = AccountTypeServiceAccount	×
163	}	×
164	if len(accountType) == 0 {	×
165	accessEntries = append(accessEntries, domain.AccessEntry{	×
166	AccountID: member,	×
167	AccountType: accountType,	×
168	Permission: binding.GetRole(),	×
169	})	×
170	}	×
171	}
172	}
173	}
174	if accessEntries != nil {	×
175	access[r.URN] = accessEntries	×
176	}	×
177	}
178	return access, nil	×
179	}
180
181	func (p *policyTagClient) toParent(project, location string) string {	×
182	return fmt.Sprintf("projects/%s/locations/%s", project, location)	×
183	}	×
184
185	func containsString(arr []string, v string) bool {	1✔
186	for _, item := range arr {	2✔
187	if item == v {	2✔
188	return true	1✔
189	}	1✔
190	}
191	return false	×
192	}

goto / guardian / 7799868035

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous