infra/enforcement/account_keys.py - beam - Git at Google

 # Licensed to the Apache Software Foundation (ASF) under one or more
 # contributor license agreements.  See the NOTICE file distributed with
 # this work for additional information regarding copyright ownership.
 # The ASF licenses this file to You under the Apache License, Version 2.0
 # (the "License"); you may not use this file except in compliance with
 # the License.  You may obtain a copy of the License at
 #
 #    http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.

 import datetime
 import logging
 import sys
 import yaml
 import argparse
 import os
 from typing import List, Dict, TypedDict, Optional
 from google.cloud import secretmanager
 from google.cloud import iam_admin_v1
 from google.cloud.iam_admin_v1 import types
 from sending import SendingClient

 SECRET_MANAGER_LABEL = "beam-infra-secret-manager"

 class AuthorizedUser(TypedDict):
     email: str

 class ServiceAccount(TypedDict):
     account_id: str
     display_name: str
     authorized_users: List[AuthorizedUser]

 class ServiceAccountsConfig(TypedDict):
     service_accounts: List[ServiceAccount]

 CONFIG_FILE = "config.yml"

 class AccountKeysPolicyComplianceCheck:
     def __init__(self, project_id: str, service_account_keys_file: str, logger: logging.Logger, sending_client: Optional[SendingClient] = None):
         self.project_id = project_id
         self.service_account_keys_file = service_account_keys_file
         self.logger = logger
         self.sending_client = sending_client
         self.secret_client = secretmanager.SecretManagerServiceClient()
         self.service_account_client = iam_admin_v1.IAMClient()

     def _normalize_account_email(self, account_id: str) -> str:
         """
         Normalizes the account identifier to a full email format.

         Args:
             account_id (str): The unique identifier or email of the service account.

         Returns:
             str: The full service account email address.
         """
         if "@" in account_id:
             return account_id
         else:
             return f"{account_id}@{self.project_id}.iam.gserviceaccount.com"

     def _denormalize_account_email(self, email: str) -> str:
         """
         Denormalizes the full service account email address to its unique identifier.

         Args:
             email (str): The full service account email address.

         Returns:
             str: The unique identifier for the service account.
         """
         if email.endswith(f"@{self.project_id}.iam.gserviceaccount.com"):
             return email.split("@")[0]
         return email

     def _normalize_username(self, username: str) -> str:
         """
         Normalizes the username to a consistent format.

         Args:
             username (str): The username to normalize.

         Returns:
             str: The normalized username.
         """
         if not username.startswith("user:"):
             return f"user:{username.strip().lower()}"
         return username

     def _denormalize_username(self, username: str) -> str:
         """
         Denormalizes the username from the consistent format.

         Args:
             username (str): The normalized username.

         Returns:
             str: The denormalized username.
         """
         if username.startswith("user:"):
             return username.split(":", 1)[1].strip().lower()
         return username

     def _get_all_live_service_accounts(self) -> List[str]:
         """
         Retrieves all service accounts that are currently active (not disabled) in the project.

         Returns:
             List[str]: A list of email addresses for all live service accounts.
         """
         request = types.ListServiceAccountsRequest()
         request.name = f"projects/{self.project_id}"

         try:
             accounts = self.service_account_client.list_service_accounts(request=request)
             self.logger.debug(f"Retrieved {len(accounts.accounts)} service accounts for project {self.project_id}")

             if not accounts:
                 self.logger.warning(f"No service accounts found in project {self.project_id}.")
                 return []

             return [self._normalize_account_email(account.email) for account in accounts.accounts if not account.disabled]
         except Exception as e:
             self.logger.error(f"Failed to retrieve service accounts for project {self.project_id}: {e}")
             raise

     def _get_all_live_managed_secrets(self) -> List[str]:
         """
         Retrieves the list of secrets from the Secret Manager that where created by the beam-secret-service

         Returns:
             List[str]: A list of secret ids
         """
         try:
             secrets = list(self.secret_client.list_secrets(request={"parent": f"projects/{self.project_id}"}))
             self.logger.debug(f"Retrieved {len(secrets)} secrets for project {self.project_id}")

             if not secrets:
                 self.logger.warning(f"No secrets found in project {self.project_id}.")
                 return []

             return [secret.name.split("/")[-1] for secret in secrets if "created_by" in secret.labels and secret.labels["created_by"] == SECRET_MANAGER_LABEL]
         except Exception as e:
             self.logger.error(f"Failed to retrieve secrets for project {self.project_id}: {e}")
             raise

     def _get_all_secret_authorized_users(self, secret_id: str) -> List[str]:
         """
         Retrieves a list of all users who have access to the secrets in the Secret Manager.

         Args:
             secret_id (str): The ID of the secret to check access for.
         Returns:
             List[str]: A list of email addresses for all users authorized to access the secrets.
         """
         accessor_role = "roles/secretmanager.secretAccessor"
         resource_name = self.secret_client.secret_path(self.project_id, secret_id)

         try:
             policy = self.secret_client.get_iam_policy(request={"resource": resource_name})
             self.logger.debug(f"Retrieved IAM policy for secret '{secret_id}': {policy}")

             if not policy.bindings:
                 self.logger.warning(f"No IAM bindings found for secret '{secret_id}'.")
                 return []

             authorized_users = []
             for binding in policy.bindings:
                 if binding.role == accessor_role:
                     for user in binding.members:
                         authorized_users.append(self._normalize_username(user))

             return authorized_users
         except Exception as e:
             self.logger.error(f"Failed to get IAM policy for secret '{secret_id}': {e}")
             raise

     def _read_service_account_keys(self) -> ServiceAccountsConfig:
         """
         Reads the service account keys from a YAML file and returns a list of ServiceAccount objects.

         Returns:
             List[ServiceAccount]: A list of service account declarations.
         """
         try:
             with open(self.service_account_keys_file, "r") as file:
                 keys = yaml.safe_load(file)

                 if not keys or keys.get("service_accounts") is None:
                     return {"service_accounts": []}

                 return keys
         except FileNotFoundError:
             self.logger.info(f"Service account keys file {self.service_account_keys_file} not found, starting with empty configuration")
             return {"service_accounts": []}
         except IOError as e:
             error_msg = f"Failed to read service account keys from {self.service_account_keys_file}: {e}"
             self.logger.error(error_msg)
             raise

     def _to_yaml_file(self, data: List[ServiceAccount], output_file: str, header_info: str = "") -> None:
         """
         Writes a list of dictionaries to a YAML file.
         Include the apache license header on the files

         Args:
             data: A list of dictionaries containing user permissions and details.
             output_file: The file path where the YAML output will be written.
             header_info: A string containing the header information to be included in the YAML file.
         """

         apache_license_header = """# Licensed to the Apache Software Foundation (ASF) under one or more
 # contributor license agreements.  See the NOTICE file distributed with
 # this work for additional information regarding copyright ownership.
 # The ASF licenses this file to You under the Apache License, Version 2.0
 # (the "License"); you may not use this file except in compliance with
 # the License.  You may obtain a copy of the License at
 #
 #    http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
     """

         # Prepare the header with the Apache license
         header = f"{apache_license_header}\n# {header_info}\n# Generated on {datetime.datetime.now(datetime.timezone.utc).strftime('%Y-%m-%d %H:%M:%S')} UTC\n\n"

         try:
             with open(output_file, "w") as file:
                 file.write(header)
                 yaml_data = {"service_accounts": data}
                 yaml.dump(yaml_data, file, sort_keys=False, default_flow_style=False, indent=2)
             self.logger.info(f"Successfully wrote Service Account Keys policy data to {output_file}")
         except IOError as e:
             self.logger.error(f"Failed to write to {output_file}: {e}")


     def check_compliance(self) -> List[str]:
         """
         Checks the compliance of service account keys with the defined policies.

         Returns:
             List[str]: A list of compliance issue messages.
         """

         service_account_data = self._read_service_account_keys()
         file_service_accounts = service_account_data.get("service_accounts")

         if not file_service_accounts:
             file_service_accounts = []
             self.logger.info(f"No service account keys found in the {self.service_account_keys_file}.")

         compliance_issues = []

         # Check that all service accounts that exist are declared
         for service_account in self._get_all_live_service_accounts():
             if self._denormalize_account_email(service_account) not in [account["account_id"] for account in file_service_accounts]:
                 msg = f"Service account '{service_account}' is not declared in the service account keys file."
                 compliance_issues.append(msg)
                 self.logger.warning(msg)

         managed_secrets = self._get_all_live_managed_secrets()
         extracted_secrets = [f"{self._denormalize_account_email(account['account_id'])}-key" for account in file_service_accounts]

         # Check for managed secrets that are not declared
         for secret in managed_secrets:
             if secret not in extracted_secrets:
                 msg = f"Managed secret '{secret}' is not declared in the service account keys file."
                 compliance_issues.append(msg)
                 self.logger.warning(msg)

         # Check for each managed secret if it has the correct permissions
         for account in file_service_accounts:
             secret_name = f"{self._denormalize_account_email(account['account_id'])}-key"
             if secret_name not in managed_secrets:
                 # Skip accounts that don't have managed secrets
                 continue

             authorized_users = [user["email"] for user in account["authorized_users"]]
             actual_users = [self._denormalize_username(user) for user in self._get_all_secret_authorized_users(secret_name)]

             # Sort both lists for proper comparison
             authorized_users.sort()
             actual_users.sort()

             if authorized_users != actual_users:
                 msg = f"Managed secret '{account['account_id']}' does not have the correct permissions. Expected: {authorized_users}, Actual: {actual_users}"
                 compliance_issues.append(msg)
                 self.logger.warning(msg)

         return compliance_issues

     def create_announcement(self, recipient: str) -> None:
         """
         Creates an announcement about compliance issues using the SendingClient.

         Args:
             recipient (str): The email address of the announcement recipient.
         """
         if not self.sending_client:
             raise ValueError("SendingClient is required for creating announcements")

         diff = self.check_compliance()

         if not diff:
             self.logger.info("No compliance issues found, no announcement will be created.")
             return

         title = f"Account Keys Compliance Issue Detected"
         body = f"Account keys for project {self.project_id} are not compliant with the defined policies on {self.service_account_keys_file}\n\n"
         for issue in diff:
             body += f"- {issue}\n"

         announcement = f"Dear team,\n\nThis is an automated notification about compliance issues detected in the Account Keys policy for project {self.project_id}.\n\n"
         announcement += f"We found {len(diff)} compliance issue(s) that need your attention.\n"
         announcement += f"\nPlease check the GitHub issue for detailed information and take appropriate action to resolve these compliance violations."

         self.sending_client.create_announcement(title, body, recipient, announcement)

     def print_announcement(self, recipient: str) -> None:
         """
         Prints announcement details instead of sending them (for testing purposes).
         Args:
             recipient (str): The email address of the announcement recipient.
         """
         if not self.sending_client:
             raise ValueError("SendingClient is required for printing announcements")

         diff = self.check_compliance()

         if not diff:
             self.logger.info("No compliance issues found, no announcement will be printed.")
             return

         title = f"Account Keys Compliance Issue Detected"
         body = f"Account keys for project {self.project_id} are not compliant with the defined policies on {self.service_account_keys_file}\n\n"
         for issue in diff:
             body += f"- {issue}\n"

         announcement = f"Dear team,\n\nThis is an automated notification about compliance issues detected in the Account Keys policy for project {self.project_id}.\n\n"
         announcement += f"We found {len(diff)} compliance issue(s) that need your attention.\n"
         announcement += f"\nPlease check the GitHub issue for detailed information and take appropriate action to resolve these compliance violations."

         self.sending_client.print_announcement(title, body, recipient, announcement)

     def generate_compliance(self) -> None:
         """
         Modifies the service account keys file to match the current state of service accounts and secrets.
         It will just add the non managed service accounts.
         """

         service_account_data = self._read_service_account_keys()
         file_service_accounts = service_account_data.get("service_accounts", [])

         # Ensure file_service_accounts is a list
         if file_service_accounts is None:
             file_service_accounts = []

         self.logger.info(f"Found {len(file_service_accounts)} existing service accounts in the keys file")

         # Check that all service accounts that exist are declared, if not, add them
         for service_account in self._get_all_live_service_accounts():
             if self._denormalize_account_email(service_account) not in [account["account_id"] for account in file_service_accounts]:
                 self.logger.info(f"Service account '{service_account}' is not declared in the service account keys file, adding it")
                 file_service_accounts.append({
                     "account_id": self._denormalize_account_email(service_account),
                     "display_name": service_account,
                     "authorized_users": []
                 })

         managed_secrets = self._get_all_live_managed_secrets()
         extracted_secrets = [f"{self._denormalize_account_email(account['account_id'])}-key" for account in file_service_accounts]

         # Check for managed secrets that are not declared, if not, add them
         for secret in managed_secrets:
             if secret not in extracted_secrets:
                 self.logger.info(f"Managed secret '{secret}' is not declared in the service account keys file, adding it")
                 file_service_accounts.append({
                     "account_id": secret.strip("-key"),
                     "display_name": self._normalize_account_email(secret.strip("-key")),
                     "authorized_users": []
                 })

         # Check for each managed secret if it has the correct permissions
         for account in file_service_accounts:
             secret_name = f"{self._denormalize_account_email(account['account_id'])}-key"
             if secret_name not in managed_secrets:
                 continue

             authorized_users = sorted([user["email"] for user in account["authorized_users"]])

             if not authorized_users:
                 self.logger.info(f"Managed secret '{account}' is new, skipping permission check")
                 continue

             actual_users_normalized = sorted(self._get_all_secret_authorized_users(secret_name))
             actual_users = sorted([self._denormalize_username(user) for user in actual_users_normalized])

             if authorized_users != actual_users:
                 self.logger.info(f"Managed secret '{account}' does not have the correct permissions, updating it")
                 account["authorized_users"] = [{"email": user} for user in actual_users]

         # Remove duplicates based on account_id
         seen_accounts = set()
         deduplicated_accounts = []
         for account in file_service_accounts:
             if account["account_id"] not in seen_accounts:
                 seen_accounts.add(account["account_id"])
                 deduplicated_accounts.append(account)
             else:
                 self.logger.info(f"Removing duplicate entry for account '{account['account_id']}'")

         self._to_yaml_file(deduplicated_accounts, self.service_account_keys_file, header_info="Service Account Keys")

 def config_process() -> Dict[str, str]:
     with open(CONFIG_FILE, "r") as file:
         config = yaml.safe_load(file)

     if not config:
         raise ValueError("Configuration file is empty or invalid.")

     config_res = dict()

     config_res["project_id"] = config.get("project_id", "apache-beam-testing")
     config_res["logging_level"] = config.get("logging", {}).get("level", "INFO")
     config_res["logging_format"] = config.get("logging", {}).get("format", "[%(asctime)s] %(levelname)s: %(message)s")
     config_res["service_account_keys_file"] = config.get("service_account_keys_file", "../keys/keys.yaml")
     config_res["action"] = config.get("action", "check")

     # SendingClient configuration
     config_res["github_token"] = os.getenv("GITHUB_TOKEN", "")
     config_res["github_repo"] = os.getenv("GITHUB_REPOSITORY", "apache/beam")
     config_res["smtp_server"] = os.getenv("SMTP_SERVER", "")
     config_res["smtp_port"] = os.getenv("SMTP_PORT", 587)
     config_res["email"] = os.getenv("EMAIL_ADDRESS", "")
     config_res["password"] = os.getenv("EMAIL_PASSWORD", "")
     config_res["recipient"] = os.getenv("EMAIL_RECIPIENT", "")

     return config_res

 def main():
     # Parse command line arguments
     parser = argparse.ArgumentParser(description="Account Keys Compliance Checker")
     parser.add_argument("--action", choices=["check", "announce", "print", "generate"],
                        help="Action to perform: check compliance, create announcement, print announcement, or generate new compliance")
     args = parser.parse_args()

     config = config_process()

     # Command line argument takes precedence over config file
     action = args.action if args.action else config.get("action", "check")

     logging.basicConfig(level=getattr(logging, config["logging_level"].upper(), logging.INFO),
                         format=config["logging_format"])
     logger = logging.getLogger("AccountKeysPolicyComplianceCheck")

     # Create SendingClient if needed for announcement actions
     sending_client = None
     if action in ["announce", "print"]:
         try:
             # Provide default values for testing, especially for print action
             github_token = config["github_token"] or "dummy-token"
             github_repo = config["github_repo"] or "dummy/repo"
             smtp_server = config["smtp_server"] or "dummy-server"
             smtp_port = int(config["smtp_port"]) if config["smtp_port"] else 587
             email = config["email"] or "dummy@example.com"
             password = config["password"] or "dummy-password"

             sending_client = SendingClient(
                 logger=logger,
                 github_token=github_token,
                 github_repo=github_repo,
                 smtp_server=smtp_server,
                 smtp_port=smtp_port,
                 email=email,
                 password=password
             )
         except Exception as e:
             logger.error(f"Failed to initialize SendingClient: {e}")
             return 1

     logger.info(f"Starting Account Keys policy compliance check with action: {action}")
     account_keys_checker = AccountKeysPolicyComplianceCheck(config["project_id"], config["service_account_keys_file"], logger, sending_client)

     try:
         if action == "check":
             compliance_issues = account_keys_checker.check_compliance()
             if compliance_issues:
                 logger.warning("Account Keys policy compliance issues found:")
                 for issue in compliance_issues:
                     logger.warning(issue)
             else:
                 logger.info("Account Keys policy is compliant.")
         elif action == "announce":
             logger.info("Creating announcement for compliance violations...")
             recipient = config["recipient"] or "admin@example.com"
             account_keys_checker.create_announcement(recipient)
         elif action == "print":
             logger.info("Printing announcement for compliance violations...")
             recipient = config["recipient"] or "admin@example.com"
             account_keys_checker.print_announcement(recipient)
         elif action == "generate":
             logger.info("Generating new compliance based on current Account Keys policy...")
             account_keys_checker.generate_compliance()
         else:
             logger.error(f"Unknown action: {action}")
             return 1
     except Exception as e:
         logger.error(f"Error executing action '{action}': {e}")
         return 1

     return 0

 if __name__ == "__main__":
     sys.exit(main())
	# Licensed to the Apache Software Foundation (ASF) under one or more
	# contributor license agreements. See the NOTICE file distributed with
	# this work for additional information regarding copyright ownership.
	# The ASF licenses this file to You under the Apache License, Version 2.0
	# (the "License"); you may not use this file except in compliance with
	# the License. You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.

	import datetime
	import logging
	import sys
	import yaml
	import argparse
	import os
	from typing import List, Dict, TypedDict, Optional
	from google.cloud import secretmanager
	from google.cloud import iam_admin_v1
	from google.cloud.iam_admin_v1 import types
	from sending import SendingClient

	SECRET_MANAGER_LABEL = "beam-infra-secret-manager"

	class AuthorizedUser(TypedDict):
	email: str

	class ServiceAccount(TypedDict):
	account_id: str
	display_name: str
	authorized_users: List[AuthorizedUser]

	class ServiceAccountsConfig(TypedDict):
	service_accounts: List[ServiceAccount]

	CONFIG_FILE = "config.yml"

	class AccountKeysPolicyComplianceCheck:
	def __init__(self, project_id: str, service_account_keys_file: str, logger: logging.Logger, sending_client: Optional[SendingClient] = None):
	self.project_id = project_id
	self.service_account_keys_file = service_account_keys_file
	self.logger = logger
	self.sending_client = sending_client
	self.secret_client = secretmanager.SecretManagerServiceClient()
	self.service_account_client = iam_admin_v1.IAMClient()

	def _normalize_account_email(self, account_id: str) -> str:
	"""
	Normalizes the account identifier to a full email format.

	Args:
	account_id (str): The unique identifier or email of the service account.

	Returns:
	str: The full service account email address.
	"""
	if "@" in account_id:
	return account_id
	else:
	return f"{account_id}@{self.project_id}.iam.gserviceaccount.com"

	def _denormalize_account_email(self, email: str) -> str:
	"""
	Denormalizes the full service account email address to its unique identifier.

	Args:
	email (str): The full service account email address.

	Returns:
	str: The unique identifier for the service account.
	"""
	if email.endswith(f"@{self.project_id}.iam.gserviceaccount.com"):
	return email.split("@")[0]
	return email

	def _normalize_username(self, username: str) -> str:
	"""
	Normalizes the username to a consistent format.

	Args:
	username (str): The username to normalize.

	Returns:
	str: The normalized username.
	"""
	if not username.startswith("user:"):
	return f"user:{username.strip().lower()}"
	return username

	def _denormalize_username(self, username: str) -> str:
	"""
	Denormalizes the username from the consistent format.

	Args:
	username (str): The normalized username.

	Returns:
	str: The denormalized username.
	"""
	if username.startswith("user:"):
	return username.split(":", 1)[1].strip().lower()
	return username

	def _get_all_live_service_accounts(self) -> List[str]:
	"""
	Retrieves all service accounts that are currently active (not disabled) in the project.

	Returns:
	List[str]: A list of email addresses for all live service accounts.
	"""
	request = types.ListServiceAccountsRequest()
	request.name = f"projects/{self.project_id}"

	try:
	accounts = self.service_account_client.list_service_accounts(request=request)
	self.logger.debug(f"Retrieved {len(accounts.accounts)} service accounts for project {self.project_id}")

	if not accounts:
	self.logger.warning(f"No service accounts found in project {self.project_id}.")
	return []

	return [self._normalize_account_email(account.email) for account in accounts.accounts if not account.disabled]
	except Exception as e:
	self.logger.error(f"Failed to retrieve service accounts for project {self.project_id}: {e}")
	raise

	def _get_all_live_managed_secrets(self) -> List[str]:
	"""
	Retrieves the list of secrets from the Secret Manager that where created by the beam-secret-service

	Returns:
	List[str]: A list of secret ids
	"""
	try:
	secrets = list(self.secret_client.list_secrets(request={"parent": f"projects/{self.project_id}"}))
	self.logger.debug(f"Retrieved {len(secrets)} secrets for project {self.project_id}")

	if not secrets:
	self.logger.warning(f"No secrets found in project {self.project_id}.")
	return []

	return [secret.name.split("/")[-1] for secret in secrets if "created_by" in secret.labels and secret.labels["created_by"] == SECRET_MANAGER_LABEL]
	except Exception as e:
	self.logger.error(f"Failed to retrieve secrets for project {self.project_id}: {e}")
	raise

	def _get_all_secret_authorized_users(self, secret_id: str) -> List[str]:
	"""
	Retrieves a list of all users who have access to the secrets in the Secret Manager.

	Args:
	secret_id (str): The ID of the secret to check access for.
	Returns:
	List[str]: A list of email addresses for all users authorized to access the secrets.
	"""
	accessor_role = "roles/secretmanager.secretAccessor"
	resource_name = self.secret_client.secret_path(self.project_id, secret_id)

	try:
	policy = self.secret_client.get_iam_policy(request={"resource": resource_name})
	self.logger.debug(f"Retrieved IAM policy for secret '{secret_id}': {policy}")

	if not policy.bindings:
	self.logger.warning(f"No IAM bindings found for secret '{secret_id}'.")
	return []

	authorized_users = []
	for binding in policy.bindings:
	if binding.role == accessor_role:
	for user in binding.members:
	authorized_users.append(self._normalize_username(user))

	return authorized_users
	except Exception as e:
	self.logger.error(f"Failed to get IAM policy for secret '{secret_id}': {e}")
	raise

	def _read_service_account_keys(self) -> ServiceAccountsConfig:
	"""
	Reads the service account keys from a YAML file and returns a list of ServiceAccount objects.

	Returns:
	List[ServiceAccount]: A list of service account declarations.
	"""
	try:
	with open(self.service_account_keys_file, "r") as file:
	keys = yaml.safe_load(file)

	if not keys or keys.get("service_accounts") is None:
	return {"service_accounts": []}

	return keys
	except FileNotFoundError:
	self.logger.info(f"Service account keys file {self.service_account_keys_file} not found, starting with empty configuration")
	return {"service_accounts": []}
	except IOError as e:
	error_msg = f"Failed to read service account keys from {self.service_account_keys_file}: {e}"
	self.logger.error(error_msg)
	raise

	def _to_yaml_file(self, data: List[ServiceAccount], output_file: str, header_info: str = "") -> None:
	"""
	Writes a list of dictionaries to a YAML file.
	Include the apache license header on the files

	Args:
	data: A list of dictionaries containing user permissions and details.
	output_file: The file path where the YAML output will be written.
	header_info: A string containing the header information to be included in the YAML file.
	"""

	apache_license_header = """# Licensed to the Apache Software Foundation (ASF) under one or more
	# contributor license agreements. See the NOTICE file distributed with
	# this work for additional information regarding copyright ownership.
	# The ASF licenses this file to You under the Apache License, Version 2.0
	# (the "License"); you may not use this file except in compliance with
	# the License. You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.
	"""

	# Prepare the header with the Apache license
	header = f"{apache_license_header}\n# {header_info}\n# Generated on {datetime.datetime.now(datetime.timezone.utc).strftime('%Y-%m-%d %H:%M:%S')} UTC\n\n"

	try:
	with open(output_file, "w") as file:
	file.write(header)
	yaml_data = {"service_accounts": data}
	yaml.dump(yaml_data, file, sort_keys=False, default_flow_style=False, indent=2)
	self.logger.info(f"Successfully wrote Service Account Keys policy data to {output_file}")
	except IOError as e:
	self.logger.error(f"Failed to write to {output_file}: {e}")


	def check_compliance(self) -> List[str]:
	"""
	Checks the compliance of service account keys with the defined policies.

	Returns:
	List[str]: A list of compliance issue messages.
	"""

	service_account_data = self._read_service_account_keys()
	file_service_accounts = service_account_data.get("service_accounts")

	if not file_service_accounts:
	file_service_accounts = []
	self.logger.info(f"No service account keys found in the {self.service_account_keys_file}.")

	compliance_issues = []

	# Check that all service accounts that exist are declared
	for service_account in self._get_all_live_service_accounts():
	if self._denormalize_account_email(service_account) not in [account["account_id"] for account in file_service_accounts]:
	msg = f"Service account '{service_account}' is not declared in the service account keys file."
	compliance_issues.append(msg)
	self.logger.warning(msg)

	managed_secrets = self._get_all_live_managed_secrets()
	extracted_secrets = [f"{self._denormalize_account_email(account['account_id'])}-key" for account in file_service_accounts]

	# Check for managed secrets that are not declared
	for secret in managed_secrets:
	if secret not in extracted_secrets:
	msg = f"Managed secret '{secret}' is not declared in the service account keys file."
	compliance_issues.append(msg)
	self.logger.warning(msg)

	# Check for each managed secret if it has the correct permissions
	for account in file_service_accounts:
	secret_name = f"{self._denormalize_account_email(account['account_id'])}-key"
	if secret_name not in managed_secrets:
	# Skip accounts that don't have managed secrets
	continue

	authorized_users = [user["email"] for user in account["authorized_users"]]
	actual_users = [self._denormalize_username(user) for user in self._get_all_secret_authorized_users(secret_name)]

	# Sort both lists for proper comparison
	authorized_users.sort()
	actual_users.sort()

	if authorized_users != actual_users:
	msg = f"Managed secret '{account['account_id']}' does not have the correct permissions. Expected: {authorized_users}, Actual: {actual_users}"
	compliance_issues.append(msg)
	self.logger.warning(msg)

	return compliance_issues

	def create_announcement(self, recipient: str) -> None:
	"""
	Creates an announcement about compliance issues using the SendingClient.

	Args:
	recipient (str): The email address of the announcement recipient.
	"""
	if not self.sending_client:
	raise ValueError("SendingClient is required for creating announcements")

	diff = self.check_compliance()

	if not diff:
	self.logger.info("No compliance issues found, no announcement will be created.")
	return

	title = f"Account Keys Compliance Issue Detected"
	body = f"Account keys for project {self.project_id} are not compliant with the defined policies on {self.service_account_keys_file}\n\n"
	for issue in diff:
	body += f"- {issue}\n"

	announcement = f"Dear team,\n\nThis is an automated notification about compliance issues detected in the Account Keys policy for project {self.project_id}.\n\n"
	announcement += f"We found {len(diff)} compliance issue(s) that need your attention.\n"
	announcement += f"\nPlease check the GitHub issue for detailed information and take appropriate action to resolve these compliance violations."

	self.sending_client.create_announcement(title, body, recipient, announcement)

	def print_announcement(self, recipient: str) -> None:
	"""
	Prints announcement details instead of sending them (for testing purposes).
	Args:
	recipient (str): The email address of the announcement recipient.
	"""
	if not self.sending_client:
	raise ValueError("SendingClient is required for printing announcements")

	diff = self.check_compliance()

	if not diff:
	self.logger.info("No compliance issues found, no announcement will be printed.")
	return

	title = f"Account Keys Compliance Issue Detected"
	body = f"Account keys for project {self.project_id} are not compliant with the defined policies on {self.service_account_keys_file}\n\n"
	for issue in diff:
	body += f"- {issue}\n"

	announcement = f"Dear team,\n\nThis is an automated notification about compliance issues detected in the Account Keys policy for project {self.project_id}.\n\n"
	announcement += f"We found {len(diff)} compliance issue(s) that need your attention.\n"
	announcement += f"\nPlease check the GitHub issue for detailed information and take appropriate action to resolve these compliance violations."

	self.sending_client.print_announcement(title, body, recipient, announcement)

	def generate_compliance(self) -> None:
	"""
	Modifies the service account keys file to match the current state of service accounts and secrets.
	It will just add the non managed service accounts.
	"""

	service_account_data = self._read_service_account_keys()
	file_service_accounts = service_account_data.get("service_accounts", [])

	# Ensure file_service_accounts is a list
	if file_service_accounts is None:
	file_service_accounts = []

	self.logger.info(f"Found {len(file_service_accounts)} existing service accounts in the keys file")

	# Check that all service accounts that exist are declared, if not, add them
	for service_account in self._get_all_live_service_accounts():
	if self._denormalize_account_email(service_account) not in [account["account_id"] for account in file_service_accounts]:
	self.logger.info(f"Service account '{service_account}' is not declared in the service account keys file, adding it")
	file_service_accounts.append({
	"account_id": self._denormalize_account_email(service_account),
	"display_name": service_account,
	"authorized_users": []
	})

	managed_secrets = self._get_all_live_managed_secrets()
	extracted_secrets = [f"{self._denormalize_account_email(account['account_id'])}-key" for account in file_service_accounts]

	# Check for managed secrets that are not declared, if not, add them
	for secret in managed_secrets:
	if secret not in extracted_secrets:
	self.logger.info(f"Managed secret '{secret}' is not declared in the service account keys file, adding it")
	file_service_accounts.append({
	"account_id": secret.strip("-key"),
	"display_name": self._normalize_account_email(secret.strip("-key")),
	"authorized_users": []
	})

	# Check for each managed secret if it has the correct permissions
	for account in file_service_accounts:
	secret_name = f"{self._denormalize_account_email(account['account_id'])}-key"
	if secret_name not in managed_secrets:
	continue

	authorized_users = sorted([user["email"] for user in account["authorized_users"]])

	if not authorized_users:
	self.logger.info(f"Managed secret '{account}' is new, skipping permission check")
	continue

	actual_users_normalized = sorted(self._get_all_secret_authorized_users(secret_name))
	actual_users = sorted([self._denormalize_username(user) for user in actual_users_normalized])

	if authorized_users != actual_users:
	self.logger.info(f"Managed secret '{account}' does not have the correct permissions, updating it")
	account["authorized_users"] = [{"email": user} for user in actual_users]

	# Remove duplicates based on account_id
	seen_accounts = set()
	deduplicated_accounts = []
	for account in file_service_accounts:
	if account["account_id"] not in seen_accounts:
	seen_accounts.add(account["account_id"])
	deduplicated_accounts.append(account)
	else:
	self.logger.info(f"Removing duplicate entry for account '{account['account_id']}'")

	self._to_yaml_file(deduplicated_accounts, self.service_account_keys_file, header_info="Service Account Keys")

	def config_process() -> Dict[str, str]:
	with open(CONFIG_FILE, "r") as file:
	config = yaml.safe_load(file)

	if not config:
	raise ValueError("Configuration file is empty or invalid.")

	config_res = dict()

	config_res["project_id"] = config.get("project_id", "apache-beam-testing")
	config_res["logging_level"] = config.get("logging", {}).get("level", "INFO")
	config_res["logging_format"] = config.get("logging", {}).get("format", "[%(asctime)s] %(levelname)s: %(message)s")
	config_res["service_account_keys_file"] = config.get("service_account_keys_file", "../keys/keys.yaml")
	config_res["action"] = config.get("action", "check")

	# SendingClient configuration
	config_res["github_token"] = os.getenv("GITHUB_TOKEN", "")
	config_res["github_repo"] = os.getenv("GITHUB_REPOSITORY", "apache/beam")
	config_res["smtp_server"] = os.getenv("SMTP_SERVER", "")
	config_res["smtp_port"] = os.getenv("SMTP_PORT", 587)
	config_res["email"] = os.getenv("EMAIL_ADDRESS", "")
	config_res["password"] = os.getenv("EMAIL_PASSWORD", "")
	config_res["recipient"] = os.getenv("EMAIL_RECIPIENT", "")

	return config_res

	def main():
	# Parse command line arguments
	parser = argparse.ArgumentParser(description="Account Keys Compliance Checker")
	parser.add_argument("--action", choices=["check", "announce", "print", "generate"],
	help="Action to perform: check compliance, create announcement, print announcement, or generate new compliance")
	args = parser.parse_args()

	config = config_process()

	# Command line argument takes precedence over config file
	action = args.action if args.action else config.get("action", "check")

	logging.basicConfig(level=getattr(logging, config["logging_level"].upper(), logging.INFO),
	format=config["logging_format"])
	logger = logging.getLogger("AccountKeysPolicyComplianceCheck")

	# Create SendingClient if needed for announcement actions
	sending_client = None
	if action in ["announce", "print"]:
	try:
	# Provide default values for testing, especially for print action
	github_token = config["github_token"] or "dummy-token"
	github_repo = config["github_repo"] or "dummy/repo"
	smtp_server = config["smtp_server"] or "dummy-server"
	smtp_port = int(config["smtp_port"]) if config["smtp_port"] else 587
	email = config["email"] or "dummy@example.com"
	password = config["password"] or "dummy-password"

	sending_client = SendingClient(
	logger=logger,
	github_token=github_token,
	github_repo=github_repo,
	smtp_server=smtp_server,
	smtp_port=smtp_port,
	email=email,
	password=password
	)
	except Exception as e:
	logger.error(f"Failed to initialize SendingClient: {e}")
	return 1

	logger.info(f"Starting Account Keys policy compliance check with action: {action}")
	account_keys_checker = AccountKeysPolicyComplianceCheck(config["project_id"], config["service_account_keys_file"], logger, sending_client)

	try:
	if action == "check":
	compliance_issues = account_keys_checker.check_compliance()
	if compliance_issues:
	logger.warning("Account Keys policy compliance issues found:")
	for issue in compliance_issues:
	logger.warning(issue)
	else:
	logger.info("Account Keys policy is compliant.")
	elif action == "announce":
	logger.info("Creating announcement for compliance violations...")
	recipient = config["recipient"] or "admin@example.com"
	account_keys_checker.create_announcement(recipient)
	elif action == "print":
	logger.info("Printing announcement for compliance violations...")
	recipient = config["recipient"] or "admin@example.com"
	account_keys_checker.print_announcement(recipient)
	elif action == "generate":
	logger.info("Generating new compliance based on current Account Keys policy...")
	account_keys_checker.generate_compliance()
	else:
	logger.error(f"Unknown action: {action}")
	return 1
	except Exception as e:
	logger.error(f"Error executing action '{action}': {e}")
	return 1

	return 0

	if __name__ == "__main__":
	sys.exit(main())