From 56e367aa257b216d0f8ea527ff49f0fa1a08b19f Mon Sep 17 00:00:00 2001 From: Sam Levenick Date: Wed, 11 Dec 2019 23:07:31 +0000 Subject: [PATCH] Handle deleted: prefix when deduplicating IAM member map Signed-off-by: Modular Magician --- google/iam.go | 17 ++++++++++++++--- google/iam_test.go | 29 +++++++++++++++++++++++++++++ 2 files changed, 43 insertions(+), 3 deletions(-) diff --git a/google/iam.go b/google/iam.go index e36c37f71f8..1e2be59faa6 100644 --- a/google/iam.go +++ b/google/iam.go @@ -232,10 +232,21 @@ func createIamBindingsMap(bindings []*cloudresourcemanager.Binding) map[iamBindi // is case sensitive // isn't // so let's lowercase the value and leave the type alone - pieces := strings.SplitN(m, ":", 2) - if len(pieces) > 1 { - pieces[1] = strings.ToLower(pieces[1]) + // since Dec '19 members can be prefixed with "deleted:" to indicate the principal + // has been deleted + var pieces []string + if strings.HasPrefix(m, "deleted:") { + pieces = strings.SplitN(m, ":", 3) + if len(pieces) > 2 { + pieces[2] = strings.ToLower(pieces[2]) + } + } else { + pieces = strings.SplitN(m, ":", 2) + if len(pieces) > 1 { + pieces[1] = strings.ToLower(pieces[1]) + } } + m = strings.Join(pieces, ":") // Add the member diff --git a/google/iam_test.go b/google/iam_test.go index e4e57aeb33d..7c1ac3ba4b4 100644 --- a/google/iam_test.go +++ b/google/iam_test.go @@ -489,6 +489,35 @@ func TestIamCreateIamBindingsMap(t *testing.T) { {"role-3", conditionKey{}}: {"user-3": {}}, }, }, + { + input: []*cloudresourcemanager.Binding{ + { + Role: "role-1", + Members: []string{"deleted:serviceAccount:user-1", "user-2"}, + }, + { + Role: "role-2", + Members: []string{"deleted:user:user-1"}, + }, + { + Role: "role-1", + Members: []string{"serviceAccount:user-3"}, + }, + { + Role: "role-2", + Members: []string{"user-2"}, + }, + { + Role: "role-3", + Members: []string{"user-3"}, + }, + }, + expect: map[iamBindingKey]map[string]struct{}{ + {"role-1", conditionKey{}}: {"deleted:serviceAccount:user-1": {}, "user-2": {}, "serviceAccount:user-3": {}}, + {"role-2", conditionKey{}}: {"deleted:user:user-1": {}, "user-2": {}}, + {"role-3", conditionKey{}}: {"user-3": {}}, + }, + }, } for _, tc := range testCases {