1# -*- coding: utf-8 -*- #
2# Copyright 2017 Google LLC. All Rights Reserved.
3#
4# Licensed under the Apache License, Version 2.0 (the "License");
5# you may not use this file except in compliance with the License.
6# You may obtain a copy of the License at
7#
8#    http://www.apache.org/licenses/LICENSE-2.0
9#
10# Unless required by applicable law or agreed to in writing, software
11# distributed under the License is distributed on an "AS IS" BASIS,
12# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13# See the License for the specific language governing permissions and
14# limitations under the License.
15"""Command to add denied values to an Organization Policy list policy."""
16
17from __future__ import absolute_import
18from __future__ import division
19from __future__ import unicode_literals
20
21from googlecloudsdk.api_lib.resource_manager import exceptions
22from googlecloudsdk.api_lib.resource_manager import org_policies
23from googlecloudsdk.calliope import base
24from googlecloudsdk.command_lib.resource_manager import org_policies_base
25from googlecloudsdk.command_lib.resource_manager import org_policies_flags as flags
26import six
27
28
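@base.ReleaseTracks(base.ReleaseTrack.ALPHA, base.ReleaseTrack.BETA,
                    base.ReleaseTrack.GA)
class Deny(base.Command):
  r"""Add values to an Organization Policy denied_values list policy.

  Adds one or more values to the specified Organization Policy denied_values
  list policy associated with the specified resource.

  ## EXAMPLES

  The following command adds `devEnv` and `prodEnv` to an Organization Policy
  denied_values list policy for constraint `serviceuser.services`
  on project `foo-project`:

    $ {command} serviceuser.services --project=foo-project devEnv prodEnv
  """

  @staticmethod
  def Args(parser):
    """Registers the constraint id, parent resource flags and DENIED_VALUE.

    Args:
      parser: The argument parser the flags and positionals are added to.
    """
    flags.AddIdArgToParser(parser)
    flags.AddParentResourceFlagsToParser(parser)
    base.Argument(
        'denied_value',
        metavar='DENIED_VALUE',
        nargs='+',
        help='The values to add to the denied_values list policy.',
    ).AddToParser(parser)

  # TODO(b/73831954):consider refactoring
  def Run(self, args):
    """Fetches the current policy, adds the denied values and writes it back.

    The command is a read-modify-write: the policy returned by GetOrgPolicy is
    edited in place and that same object is handed to SetOrgPolicyRequest.

    Args:
      args: Parsed command-line arguments; `denied_value` holds the values to
        add.

    Returns:
      The result of the SetOrgPolicy call.

    Raises:
      exceptions.ResourceManagerError: If the existing policy is a boolean
        policy, an allowed_values list policy, or has all_values set.
    """
    messages = org_policies.OrgPoliciesMessages()
    service = org_policies_base.OrgPoliciesService(args)

    # NOTE(review): the fetched policy object is what gets written back, so
    # any etag it carries is presumably sent along too. Confirm in
    # SetOrgPolicyRequest, so that a concurrent edit is rejected rather than
    # overwritten.
    policy = service.GetOrgPolicy(org_policies_base.GetOrgPolicyRequest(args))
    list_policy = policy.listPolicy

    # Refuse to turn a boolean or allow-list policy into a deny list: that
    # would change what the constraint enforces, not just extend it.
    if policy.booleanPolicy or (list_policy and list_policy.allowedValues):
      raise exceptions.ResourceManagerError(
          'Cannot add values to a non-denied_values list policy.')

    if list_policy and list_policy.allValues:
      raise exceptions.ResourceManagerError(
          'Cannot add values if all_values is already specified.')

    # Convert once so every branch stores text values, as the append path
    # always did.
    new_values = [six.text_type(value) for value in args.denied_value]

    if not list_policy:
      policy.listPolicy = messages.ListPolicy(deniedValues=new_values)
    elif list_policy.deniedValues:
      for value in new_values:
        list_policy.deniedValues.append(value)
    else:
      # A list policy exists but has no denied values yet. Fill it in place
      # instead of replacing the message, so other settings already on it
      # (for example inheritFromParent or suggestedValue) are not silently
      # dropped by an "add values" command.
      list_policy.deniedValues = new_values

    # A list policy is now set, so a pending restore-default marker is cleared.
    if policy.restoreDefault:
      policy.restoreDefault = None

    return service.SetOrgPolicy(
        org_policies_base.SetOrgPolicyRequest(args, policy))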
84