Add IAM methods for buckets. (#3309)

tseaver · lukesneeringer · commit df9de90d0270 · 2017-04-19T08:17:29.000-07:00
* Add role / permission constants for storage IAM.
* Add IAM methods for buckets.
diff --git a/storage/google/cloud/storage/bucket.py b/storage/google/cloud/storage/bucket.py
@@ -26,6 +26,7 @@
 from google.cloud._helpers import _NOW
 from google.cloud._helpers import _rfc3339_to_datetime
 from google.cloud.exceptions import NotFound
+from google.cloud.iam import Policy
 from google.cloud.iterator import HTTPIterator
 from google.cloud.storage._helpers import _PropertyMixin
 from google.cloud.storage._helpers import _scalar_property
@@ -803,6 +804,83 @@ def disable_website(self):
         """
         return self.configure_website(None, None)
 
+    def get_iam_policy(self, client=None):
+        """Retrieve the IAM policy for the bucket.
+
+        See:
+        https://cloud.google.com/storage/docs/json_api/v1/buckets/getIamPolicy
+
+        :type client: :class:`~google.cloud.storage.client.Client` or
+                      ``NoneType``
+        :param client: Optional. The client to use.  If not passed, falls back
+                       to the ``client`` stored on the current bucket.
+
+        :rtype: :class:`google.cloud.iam.Policy`
+        :returns: the policy instance, based on the resource returned from
+                  the ``getIamPolicy`` API request.
+        """
+        client = self._require_client(client)
+        info = client._connection.api_request(
+            method='GET',
+            path='%s/iam' % (self.path,),
+            _target_object=None)
+        return Policy.from_api_repr(info)
+
+    def set_iam_policy(self, policy, client=None):
+        """Update the IAM policy for the bucket.
+
+        See:
+        https://cloud.google.com/storage/docs/json_api/v1/buckets/setIamPolicy
+
+        :type policy: :class:`google.cloud.iam.Policy`
+        :param policy: policy instance used to update bucket's IAM policy.
+
+        :type client: :class:`~google.cloud.storage.client.Client` or
+                      ``NoneType``
+        :param client: Optional. The client to use.  If not passed, falls back
+                       to the ``client`` stored on the current bucket.
+
+        :rtype: :class:`google.cloud.iam.Policy`
+        :returns: the policy instance, based on the resource returned from
+                  the ``setIamPolicy`` API request.
+        """
+        client = self._require_client(client)
+        resource = policy.to_api_repr()
+        resource['resourceId'] = self.path
+        info = client._connection.api_request(
+            method='PUT',
+            path='%s/iam' % (self.path,),
+            data=resource,
+            _target_object=None)
+        return Policy.from_api_repr(info)
+
+    def test_iam_permissions(self, permissions, client=None):
+        """API call:  test permissions
+
+        See:
+        https://cloud.google.com/storage/docs/json_api/v1/buckets/testIamPermissions
+
+        :type permissions: list of string
+        :param permissions: the permissions to check
+
+        :type client: :class:`~google.cloud.storage.client.Client` or
+                      ``NoneType``
+        :param client: Optional. The client to use.  If not passed, falls back
+                       to the ``client`` stored on the current bucket.
+
+        :rtype: list of string
+        :returns: the permissions returned by the ``testIamPermissions`` API
+                  request.
+        """
+        client = self._require_client(client)
+        query = {'permissions': permissions}
+        path = '%s/iam/testPermissions' % (self.path,)
+        resp = client._connection.api_request(
+            method='GET',
+            path=path,
+            query_params=query)
+        return resp.get('permissions', [])
+
     def make_public(self, recursive=False, future=False, client=None):
         """Make a bucket public.
 
diff --git a/storage/google/cloud/storage/iam.py b/storage/google/cloud/storage/iam.py
@@ -0,0 +1,86 @@
+# Copyright 2017 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Storage API IAM policy definitions
+
+For allowed roles / permissions, see:
+https://cloud.google.com/storage/docs/access-control/iam
+"""
+
+# Storage-specific IAM roles
+
+STORAGE_OBJECT_CREATOR_ROLE = 'roles/storage.objectCreator'
+"""Role implying rights to create objects, but not delete or overwrite them."""
+
+STORAGE_OBJECT_VIEWER_ROLE = 'roles/storage.objectViewer'
+"""Role implying rights to view object properties, excluding ACLs."""
+
+STORAGE_OBJECT_ADMIN_ROLE = 'roles/storage.objectViewer'
+"""Role implying full control of objects."""
+
+STORAGE_ADMIN_ROLE = 'roles/storage.admin'
+"""Role implying full control of objects and buckets."""
+
+STORAGE_VIEWER_ROLE = 'Viewer'
+"""Can list buckets."""
+
+STORAGE_EDITOR_ROLE = 'Editor'
+"""Can create, list, and delete buckets."""
+
+STORAGE_OWNER_ROLE = 'Owners'
+"""Can create, list, and delete buckets."""
+
+
+# Storage-specific permissions
+
+STORAGE_BUCKETS_CREATE = 'storage.buckets.create'
+"""Permission: create buckets."""
+
+STORAGE_BUCKETS_DELETE = 'storage.buckets.delete'
+"""Permission: delete buckets."""
+
+STORAGE_BUCKETS_GET = 'storage.buckets.get'
+"""Permission: read bucket metadata, excluding ACLs."""
+
+STORAGE_BUCKETS_GET_IAM_POLICY = 'storage.buckets.getIamPolicy'
+"""Permission: read bucket ACLs."""
+
+STORAGE_BUCKETS_LIST = 'storage.buckets.list'
+"""Permission: list buckets."""
+
+STORAGE_BUCKETS_SET_IAM_POLICY = 'storage.buckets.setIamPolicy'
+"""Permission: update bucket ACLs."""
+
+STORAGE_BUCKETS_UPDATE = 'storage.buckets.list'
+"""Permission: update buckets, excluding ACLS."""
+
+STORAGE_OBJECTS_CREATE = 'storage.objects.create'
+"""Permission: add new objects to a bucket."""
+
+STORAGE_OBJECTS_DELETE = 'storage.objects.delete'
+"""Permission: delete objects."""
+
+STORAGE_OBJECTS_GET = 'storage.objects.get'
+"""Permission: read object data / metadata, excluding ACLs."""
+
+STORAGE_OBJECTS_GET_IAM_POLICY = 'storage.objects.getIamPolicy'
+"""Permission: read object ACLs."""
+
+STORAGE_OBJECTS_LIST = 'storage.objects.list'
+"""Permission: list objects in a bucket."""
+
+STORAGE_OBJECTS_SET_IAM_POLICY = 'storage.objects.setIamPolicy'
+"""Permission: update object ACLs."""
+
+STORAGE_OBJECTS_UPDATE = 'storage.objects.update'
+"""Permission: update object metadat, excluding ACLs."""
diff --git a/storage/tests/unit/test_bucket.py b/storage/tests/unit/test_bucket.py
@@ -866,6 +866,135 @@ def test_disable_website(self):
         bucket.disable_website()
         self.assertEqual(bucket._properties, UNSET)
 
+    def test_get_iam_policy(self):
+        from google.cloud.storage.iam import STORAGE_OWNER_ROLE
+        from google.cloud.storage.iam import STORAGE_EDITOR_ROLE
+        from google.cloud.storage.iam import STORAGE_VIEWER_ROLE
+        from google.cloud.iam import Policy
+
+        NAME = 'name'
+        PATH = '/b/%s' % (NAME,)
+        ETAG = 'DEADBEEF'
+        VERSION = 17
+        OWNER1 = 'user:phred@example.com'
+        OWNER2 = 'group:cloud-logs@google.com'
+        EDITOR1 = 'domain:google.com'
+        EDITOR2 = 'user:phred@example.com'
+        VIEWER1 = 'serviceAccount:1234-abcdef@service.example.com'
+        VIEWER2 = 'user:phred@example.com'
+        RETURNED = {
+            'resourceId': PATH,
+            'etag': ETAG,
+            'version': VERSION,
+            'bindings': [
+                {'role': STORAGE_OWNER_ROLE, 'members': [OWNER1, OWNER2]},
+                {'role': STORAGE_EDITOR_ROLE, 'members': [EDITOR1, EDITOR2]},
+                {'role': STORAGE_VIEWER_ROLE, 'members': [VIEWER1, VIEWER2]},
+            ],
+        }
+        EXPECTED = {
+            binding['role']: set(binding['members'])
+            for binding in RETURNED['bindings']}
+        connection = _Connection(RETURNED)
+        client = _Client(connection, None)
+        bucket = self._make_one(client=client, name=NAME)
+
+        policy = bucket.get_iam_policy()
+
+        self.assertIsInstance(policy, Policy)
+        self.assertEqual(policy.etag, RETURNED['etag'])
+        self.assertEqual(policy.version, RETURNED['version'])
+        self.assertEqual(dict(policy), EXPECTED)
+
+        kw = connection._requested
+        self.assertEqual(len(kw), 1)
+        self.assertEqual(kw[0]['method'], 'GET')
+        self.assertEqual(kw[0]['path'], '%s/iam' % (PATH,))
+
+    def test_set_iam_policy(self):
+        import operator
+        from google.cloud.storage.iam import STORAGE_OWNER_ROLE
+        from google.cloud.storage.iam import STORAGE_EDITOR_ROLE
+        from google.cloud.storage.iam import STORAGE_VIEWER_ROLE
+        from google.cloud.iam import Policy
+
+        NAME = 'name'
+        PATH = '/b/%s' % (NAME,)
+        ETAG = 'DEADBEEF'
+        VERSION = 17
+        OWNER1 = 'user:phred@example.com'
+        OWNER2 = 'group:cloud-logs@google.com'
+        EDITOR1 = 'domain:google.com'
+        EDITOR2 = 'user:phred@example.com'
+        VIEWER1 = 'serviceAccount:1234-abcdef@service.example.com'
+        VIEWER2 = 'user:phred@example.com'
+        BINDINGS = [
+            {'role': STORAGE_OWNER_ROLE, 'members': [OWNER1, OWNER2]},
+            {'role': STORAGE_EDITOR_ROLE, 'members': [EDITOR1, EDITOR2]},
+            {'role': STORAGE_VIEWER_ROLE, 'members': [VIEWER1, VIEWER2]},
+        ]
+        RETURNED = {
+            'etag': ETAG,
+            'version': VERSION,
+            'bindings': BINDINGS,
+        }
+        policy = Policy()
+        for binding in BINDINGS:
+            policy[binding['role']] = binding['members']
+
+        connection = _Connection(RETURNED)
+        client = _Client(connection, None)
+        bucket = self._make_one(client=client, name=NAME)
+
+        returned = bucket.set_iam_policy(policy)
+
+        self.assertEqual(returned.etag, ETAG)
+        self.assertEqual(returned.version, VERSION)
+        self.assertEqual(dict(returned), dict(policy))
+
+        kw = connection._requested
+        self.assertEqual(len(kw), 1)
+        self.assertEqual(kw[0]['method'], 'PUT')
+        self.assertEqual(kw[0]['path'], '%s/iam' % (PATH,))
+        sent = kw[0]['data']
+        self.assertEqual(sent['resourceId'], PATH)
+        self.assertEqual(len(sent['bindings']), len(BINDINGS))
+        key = operator.itemgetter('role')
+        for found, expected in zip(
+            sorted(sent['bindings'], key=key),
+            sorted(BINDINGS, key=key)):
+            self.assertEqual(found['role'], expected['role'])
+            self.assertEqual(
+                sorted(found['members']), sorted(expected['members']))
+
+    def test_test_iam_permissions(self):
+        from google.cloud.storage.iam import STORAGE_OBJECTS_LIST
+        from google.cloud.storage.iam import STORAGE_BUCKETS_GET
+        from google.cloud.storage.iam import STORAGE_BUCKETS_UPDATE
+
+        NAME = 'name'
+        PATH = '/b/%s' % (NAME,)
+        PERMISSIONS = [
+            STORAGE_OBJECTS_LIST,
+            STORAGE_BUCKETS_GET,
+            STORAGE_BUCKETS_UPDATE,
+        ]
+        ALLOWED = PERMISSIONS[1:]
+        RETURNED = {'permissions': ALLOWED}
+        connection = _Connection(RETURNED)
+        client = _Client(connection, None)
+        bucket = self._make_one(client=client, name=NAME)
+
+        allowed = bucket.test_iam_permissions(PERMISSIONS)
+
+        self.assertEqual(allowed, ALLOWED)
+
+        kw = connection._requested
+        self.assertEqual(len(kw), 1)
+        self.assertEqual(kw[0]['method'], 'GET')
+        self.assertEqual(kw[0]['path'], '%s/iam/testPermissions' % (PATH,))
+        self.assertEqual(kw[0]['query_params'], {'permissions': PERMISSIONS})
+
     def test_make_public_defaults(self):
         from google.cloud.storage.acl import _ACLEntity
 
diff --git a/storage/tests/unit/test_iam.py b/storage/tests/unit/test_iam.py
@@ -0,0 +1,22 @@
+# Copyright 2017 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import unittest
+
+
+class Test_constants(unittest.TestCase):
+
+    def test_ctor_defaults(self):
+        from google.cloud.storage.iam import STORAGE_ADMIN_ROLE
+        role = STORAGE_ADMIN_ROLE
