DinoChiesa · May 29, 2025 00:04
diff --git a/testPortalPermissions.sh b/testPortalPermissions.sh
 #!/bin/bash

 # Ensure TOKEN, PROJECT, and ORGANIZATION_ID are set in your environment
 if [[ -z "$TOKEN" || -z "$PROJECT" || -z "$ORGANIZATION_ID" ]]; then
  echo "Error: TOKEN, PROJECT, and ORGANIZATION_ID environment variables must be exported."
  echo "Example: export TOKEN=\$(gcloud auth print-access-token)"
  echo "         export PROJECT=\"your-project-id\""
  echo "         export ORGANIZATION_ID=\"your-org-id\"" # e.g., 123456789012
  exit 1
 fi

 # Initialize counters
 total_tests_count=0
 http_200_count=0
 http_non_200_count=0

 # Function to test a list of GCP IAM permissions.
 # Globals:
 #   TOKEN: The bearer token for authorization.
 #   total_tests_count, http_200_count, http_non_200_count: Counters (modified by this function).
 # Arguments:
 #   $1 (resource_url_path): The partial URL path for the resource.
 #   $2 (permissions_to_test): A multi-line string containing the permissions.
 test_permissions() {
  local resource_url_path permissions_to_test permission old_ifs http_status CURL_OUT

  resource_url_path="$1"
  permissions_to_test="$2"
  old_ifs="$IFS" # Backup IFS

  if [[ -z "$resource_url_path" ]]; then
    echo "Usage Error (test_permissions): Resource URL path not provided."
    return 1
  fi

  if [[ -z "$permissions_to_test" ]]; then
    echo "Usage Error (test_permissions): No permissions provided to test for resource '$resource_url_path'."
    return 1
  fi

  echo "--- Starting Permission Test for Resource: $resource_url_path ---"

  IFS=$'\n' # Set IFS to newline to iterate over lines
  for permission in $permissions_to_test; do
    # Trim potential leading/trailing whitespace
    permission=$(echo "$permission" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    if [[ -z "$permission" ]]; then # Skip empty lines
      continue
    fi

    ((total_tests_count++)) # Increment total tests counter

    echo # Blank line for readability before each test
    echo "Test #$total_tests_count: Testing permission '$permission' on resource '$resource_url_path'..."

    CURL_OUT=$(mktemp) # Create a temporary file for curl output

    # Capture HTTP status code to variable, write body to $CURL_OUT
    http_status=$(curl -s -w "%{http_code}" -o "$CURL_OUT" \
                       -H "Authorization: Bearer $TOKEN" \
                       -H "Content-Type: application/json" \
                       -X POST "https://cloudresourcemanager.googleapis.com${resource_url_path}:testIamPermissions" \
                       -d '{
        "permissions": [
          "'"$permission"'"
        ]
      }')

    curl_exit_status=$? # Capture curl's own exit status

    echo "--- Curl Response Body Start ---"
    cat "$CURL_OUT" # Display the output from the temporary file
    echo # Ensure a newline after cat if the file doesn't end with one
    echo "--- Curl Response Body End ---"
    echo "HTTP Status: $http_status"

    rm -f "$CURL_OUT" # Clean up the temporary file

    if [[ "$http_status" == "200" ]]; then
      ((http_200_count++))
    elif [[ $curl_exit_status -ne 0 ]]; then
      ((http_non_200_count++))
      printf "Error: curl command itself failed with exit status %s for permission '%s' on '%s'.\n" "$curl_exit_status" "$permission" "$resource_url_path"
    else
      ((http_non_200_count++))
      printf "Warning: Received HTTP status %s (not 200) for permission '%s' on '%s'.\n" "$http_status" "$permission" "$resource_url_path"
    fi

    echo "------------------------------------"
  done
  IFS="$old_ifs" # Restore IFS

  echo "--- Permission Test Completed for Resource: $resource_url_path ---"
  echo # Extra blank line for readability
 }

 # ====================================================================
 # --- Main Script Logic ---

 # The permissions are obtained from here: 
 #   https://cloud.google.com/iam/docs/roles-permissions/apigee#apigee.portalAdmin

 # List 1: Apigee related permissions
 apigee_permissions="apigee.entitlements.get
 apigee.organizations.get
 apigee.organizations.list
 apigee.portals.create
 apigee.portals.delete
 apigee.portals.get
 apigee.portals.list
 apigee.portals.update
 apigee.projectorganizations.get"

 # Call the function for the first list of permissions against the PROJECT
 test_permissions "/v1/projects/${PROJECT}" "$apigee_permissions"


 # List 2: Resource Manager permissions
 resourcemanager_permissions="resourcemanager.projects.get
 resourcemanager.projects.list"

 # Call the function for the second list of permissions against the ORGANIZATION
 test_permissions "/v1/organizations/${ORGANIZATION_ID}" "$resourcemanager_permissions"

 # --- Summary ---
 echo
 echo "===================================="
 echo "            Test Summary            "
 echo "===================================="
 echo "Total tests conducted: $total_tests_count"
 echo "Successful (HTTP 200): $http_200_count"
 echo "Non-200 responses:     $http_non_200_count"
 echo "===================================="
	#!/bin/bash

	# Ensure TOKEN, PROJECT, and ORGANIZATION_ID are set in your environment
	if [[ -z "$TOKEN" \|\| -z "$PROJECT" \|\| -z "$ORGANIZATION_ID" ]]; then
	echo "Error: TOKEN, PROJECT, and ORGANIZATION_ID environment variables must be exported."
	echo "Example: export TOKEN=\$(gcloud auth print-access-token)"
	echo " export PROJECT=\"your-project-id\""
	echo " export ORGANIZATION_ID=\"your-org-id\"" # e.g., 123456789012
	exit 1
	fi

	# Initialize counters
	total_tests_count=0
	http_200_count=0
	http_non_200_count=0

	# Function to test a list of GCP IAM permissions.
	# Globals:
	# TOKEN: The bearer token for authorization.
	# total_tests_count, http_200_count, http_non_200_count: Counters (modified by this function).
	# Arguments:
	# $1 (resource_url_path): The partial URL path for the resource.
	# $2 (permissions_to_test): A multi-line string containing the permissions.
	test_permissions() {
	local resource_url_path permissions_to_test permission old_ifs http_status CURL_OUT

	resource_url_path="$1"
	permissions_to_test="$2"
	old_ifs="$IFS" # Backup IFS

	if [[ -z "$resource_url_path" ]]; then
	echo "Usage Error (test_permissions): Resource URL path not provided."
	return 1
	fi

	if [[ -z "$permissions_to_test" ]]; then
	echo "Usage Error (test_permissions): No permissions provided to test for resource '$resource_url_path'."
	return 1
	fi

	echo "--- Starting Permission Test for Resource: $resource_url_path ---"

	IFS=$'\n' # Set IFS to newline to iterate over lines
	for permission in $permissions_to_test; do
	# Trim potential leading/trailing whitespace
	permission=$(echo "$permission" \| sed 's/^[[:space:]]//;s/[[:space:]]$//')
	if [[ -z "$permission" ]]; then # Skip empty lines
	continue
	fi

	((total_tests_count++)) # Increment total tests counter

	echo # Blank line for readability before each test
	echo "Test #$total_tests_count: Testing permission '$permission' on resource '$resource_url_path'..."

	CURL_OUT=$(mktemp) # Create a temporary file for curl output

	# Capture HTTP status code to variable, write body to $CURL_OUT
	http_status=$(curl -s -w "%{http_code}" -o "$CURL_OUT" \
	-H "Authorization: Bearer $TOKEN" \
	-H "Content-Type: application/json" \
	-X POST "https://cloudresourcemanager.googleapis.com${resource_url_path}:testIamPermissions" \
	-d '{
	"permissions": [
	"'"$permission"'"
	]
	}')

	curl_exit_status=$? # Capture curl's own exit status

	echo "--- Curl Response Body Start ---"
	cat "$CURL_OUT" # Display the output from the temporary file
	echo # Ensure a newline after cat if the file doesn't end with one
	echo "--- Curl Response Body End ---"
	echo "HTTP Status: $http_status"

	rm -f "$CURL_OUT" # Clean up the temporary file

	if [[ "$http_status" == "200" ]]; then
	((http_200_count++))
	elif [[ $curl_exit_status -ne 0 ]]; then
	((http_non_200_count++))
	printf "Error: curl command itself failed with exit status %s for permission '%s' on '%s'.\n" "$curl_exit_status" "$permission" "$resource_url_path"
	else
	((http_non_200_count++))
	printf "Warning: Received HTTP status %s (not 200) for permission '%s' on '%s'.\n" "$http_status" "$permission" "$resource_url_path"
	fi

	echo "------------------------------------"
	done
	IFS="$old_ifs" # Restore IFS

	echo "--- Permission Test Completed for Resource: $resource_url_path ---"
	echo # Extra blank line for readability
	}

	# ====================================================================
	# --- Main Script Logic ---

	# The permissions are obtained from here:
	# https://cloud.google.com/iam/docs/roles-permissions/apigee#apigee.portalAdmin

	# List 1: Apigee related permissions
	apigee_permissions="apigee.entitlements.get
	apigee.organizations.get
	apigee.organizations.list
	apigee.portals.create
	apigee.portals.delete
	apigee.portals.get
	apigee.portals.list
	apigee.portals.update
	apigee.projectorganizations.get"

	# Call the function for the first list of permissions against the PROJECT
	test_permissions "/v1/projects/${PROJECT}" "$apigee_permissions"


	# List 2: Resource Manager permissions
	resourcemanager_permissions="resourcemanager.projects.get
	resourcemanager.projects.list"

	# Call the function for the second list of permissions against the ORGANIZATION
	test_permissions "/v1/organizations/${ORGANIZATION_ID}" "$resourcemanager_permissions"

	# --- Summary ---
	echo
	echo "===================================="
	echo " Test Summary "
	echo "===================================="
	echo "Total tests conducted: $total_tests_count"
	echo "Successful (HTTP 200): $http_200_count"
	echo "Non-200 responses: $http_non_200_count"
	echo "===================================="