diff --git a/storage/addBucketConditionalBinding.js b/storage/addBucketConditionalBinding.js new file mode 100644 index 0000000000..db5aac9b4b --- /dev/null +++ b/storage/addBucketConditionalBinding.js @@ -0,0 +1,109 @@ +// Copyright 2020 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +'use strict'; + +/** + * This application demonstrates how to perform basic operations on bucket and + * file Access Control Lists with the Google Cloud Storage API. + * + * For more information, see the README.md under /storage and the documentation + * at https://cloud.google.com/storage/docs. + */ + +function main( + bucketName = 'my-bucket', + roleName = 'roles/storage.objectViewer', + title = 'match-prefix', + description = 'Applies to objects matching a prefix', + expression = 'resource.name.startsWith("projects/_/buckets/bucket-name/objects/prefix-a-")', + members = 'user:test@example.com' +) { + members = members.split(','); + // [START storage_add_bucket_conditional_iam_binding] + /** + * TODO(developer): Uncomment the following lines before running the sample. + */ + // The ID of your GCS bucket + // const bucketName = 'your-unique-bucket-name'; + + // The role to grant + // const roleName = 'roles/storage.objectViewer'; + + // The members to grant the new role to + // const members = [ + // 'user:jdoe@example.com', + // 'group:admins@example.com', + // ]; + + // Create a condition + // const title = 'Title'; + // const description = 'Description'; + // const expression = 'resource.name.startsWith(\"projects/_/buckets/bucket-name/objects/prefix-a-\")'; + + // Imports the Google Cloud client library + const {Storage} = require('@google-cloud/storage'); + + // Creates a client + const storage = new Storage(); + + async function addBucketConditionalBinding() { + try { + // Get a reference to a Google Cloud Storage bucket + const bucket = storage.bucket(bucketName); + + // Gets and updates the bucket's IAM policy + const [policy] = await bucket.iam.getPolicy({requestedPolicyVersion: 3}); + + // Set the policy's version to 3 to use condition in bindings. + policy.version = 3; + + // Adds the new roles to the bucket's IAM policy + policy.bindings.push({ + role: roleName, + members: members, + condition: { + title: title, + description: description, + expression: expression, + }, + }); + + // Updates the bucket's IAM policy + await bucket.iam.setPolicy(policy); + + console.log( + `Added the following member(s) with role ${roleName} to ${bucketName}:` + ); + + members.forEach(member => { + console.log(` ${member}`); + }); + + console.log('with condition:'); + console.log(` Title: ${title}`); + console.log(` Description: ${description}`); + console.log(` Expression: ${expression}`); + } catch (error) { + console.error( + 'Error executing add bucket conditional binding:', + error.message || error + ); + } + } + + addBucketConditionalBinding(); + // [END storage_add_bucket_conditional_iam_binding] +} +main(...process.argv.slice(2)); diff --git a/storage/addBucketIamMember.js b/storage/addBucketIamMember.js new file mode 100644 index 0000000000..a3b25c5419 --- /dev/null +++ b/storage/addBucketIamMember.js @@ -0,0 +1,82 @@ +// Copyright 2020 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +'use strict'; + +function main( + bucketName = 'my-bucket', + roleName = 'roles/storage.objectViewer', + members = 'user:test@example.com' +) { + //including this logic so as to not use yargs + members = members.split(','); + // [START storage_add_bucket_iam_member] + /** + * TODO(developer): Uncomment the following lines before running the sample. + */ + // The ID of your GCS bucket + // const bucketName = 'your-unique-bucket-name'; + + // The role to grant + // const roleName = 'roles/storage.objectViewer'; + + // The members to grant the new role to + // const members = [ + // 'user:jdoe@example.com', + // 'group:admins@example.com', + // ]; + + // Imports the Google Cloud client library + const {Storage} = require('@google-cloud/storage'); + + // Creates a client + const storage = new Storage(); + + async function addBucketIamMember() { + try { + // Get a reference to a Google Cloud Storage bucket + const bucket = storage.bucket(bucketName); + + // For more information please read: + // https://cloud.google.com/storage/docs/access-control/iam + const [policy] = await bucket.iam.getPolicy({requestedPolicyVersion: 3}); + + // Adds the new roles to the bucket's IAM policy + policy.bindings.push({ + role: roleName, + members: members, + }); + + // Updates the bucket's IAM policy + await bucket.iam.setPolicy(policy); + + console.log( + `Added the following member(s) with role ${roleName} to ${bucketName}:` + ); + + members.forEach(member => { + console.log(` ${member}`); + }); + } catch (error) { + console.error( + 'Error executing add bucket iam member:', + error.message || error + ); + } + } + + addBucketIamMember(); + // [END storage_add_bucket_iam_member] +} +main(...process.argv.slice(2)); diff --git a/storage/removeBucketConditionalBinding.js b/storage/removeBucketConditionalBinding.js new file mode 100644 index 0000000000..12a8adf105 --- /dev/null +++ b/storage/removeBucketConditionalBinding.js @@ -0,0 +1,103 @@ +// Copyright 2020 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +'use strict'; + +/** + * This application demonstrates how to perform basic operations on bucket and + * file Access Control Lists with the Google Cloud Storage API. + * + * For more information, see the README.md under /storage and the documentation + * at https://cloud.google.com/storage/docs. + */ + +function main( + bucketName = 'my-bucket', + roleName = 'roles/storage.objectViewer', + title = 'match-prefix', + description = 'Applies to objects matching a prefix', + expression = 'resource.name.startsWith("projects/_/buckets/bucket-name/objects/prefix-a-")' +) { + // [START storage_remove_bucket_conditional_iam_binding] + /** + * TODO(developer): Uncomment the following lines before running the sample. + */ + // The ID of your GCS bucket + // const bucketName = 'your-unique-bucket-name'; + + // The role to grant + // const roleName = 'roles/storage.objectViewer'; + + // The members to grant the new role to + // const members = [ + // 'user:jdoe@example.com', + // 'group:admins@example.com', + // ]; + + // Create a condition + // const title = 'Title'; + // const description = 'Description'; + // const expression = 'resource.name.startsWith(\"projects/_/buckets/bucket-name/objects/prefix-a-\")'; + + // Imports the Google Cloud client library + const {Storage} = require('@google-cloud/storage'); + + // Creates a client + const storage = new Storage(); + + async function removeBucketConditionalBinding() { + try { + // Get a reference to a Google Cloud Storage bucket + const bucket = storage.bucket(bucketName); + + // Gets and updates the bucket's IAM policy + const [policy] = await bucket.iam.getPolicy({requestedPolicyVersion: 3}); + + // Set the policy's version to 3 to use condition in bindings. + policy.version = 3; + + // Finds and removes the appropriate role-member group with specific condition. + const index = policy.bindings.findIndex( + binding => + binding.role === roleName && + binding.condition && + binding.condition.title === title && + binding.condition.description === description && + binding.condition.expression === expression + ); + + const binding = policy.bindings[index]; + if (binding) { + policy.bindings.splice(index, 1); + + // Updates the bucket's IAM policy + await bucket.iam.setPolicy(policy); + + console.log('Conditional Binding was removed.'); + } else { + // No matching role-member group with specific condition were found + throw new Error('No matching binding group found.'); + } + } catch (error) { + console.error( + 'Error executing remove bucket conditional binding:', + error.message || error + ); + } + } + + removeBucketConditionalBinding(); + // [END storage_remove_bucket_conditional_iam_binding] +} +main(...process.argv.slice(2)); diff --git a/storage/removeBucketIamMember.js b/storage/removeBucketIamMember.js new file mode 100644 index 0000000000..26d3d90a20 --- /dev/null +++ b/storage/removeBucketIamMember.js @@ -0,0 +1,96 @@ +// Copyright 2020 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +'use strict'; + +function main( + bucketName = 'my-bucket', + roleName = 'roles/storage.objectViewer', + members = 'user:test@example.com' +) { + members = members.split(','); + // [START storage_remove_bucket_iam_member] + /** + * TODO(developer): Uncomment the following lines before running the sample. + */ + // The ID of your GCS bucket + // const bucketName = 'your-unique-bucket-name'; + + // The role to revoke + // const roleName = 'roles/storage.objectViewer'; + + // The members to revoke the roles from + // const members = [ + // 'user:jdoe@example.com', + // 'group:admins@example.com', + // ]; + + // Imports the Google Cloud client library + const {Storage} = require('@google-cloud/storage'); + + // Creates a client + const storage = new Storage(); + + async function removeBucketIamMember() { + try { + // Get a reference to a Google Cloud Storage bucket + const bucket = storage.bucket(bucketName); + + // For more information please read: + // https://cloud.google.com/storage/docs/access-control/iam + const [policy] = await bucket.iam.getPolicy({requestedPolicyVersion: 3}); + + // Finds and updates the appropriate role-member group, without a condition. + const index = policy.bindings.findIndex( + binding => binding.role === roleName && !binding.condition + ); + + const role = policy.bindings[index]; + if (role) { + role.members = role.members.filter( + member => members.indexOf(member) === -1 + ); + + // Updates the policy object with the new (or empty) role-member group + if (role.members.length === 0) { + policy.bindings.splice(index, 1); + } else { + policy.bindings[index] = role; + } + + // Updates the bucket's IAM policy + await bucket.iam.setPolicy(policy); + } else { + // No matching role-member group(s) were found + throw new Error('No matching role-member group(s) found.'); + } + + console.log( + `Removed the following member(s) with role ${roleName} from ${bucketName}:` + ); + members.forEach(member => { + console.log(` ${member}`); + }); + } catch (error) { + console.error( + 'Error executing remove bucket iam member:', + error.message || error + ); + } + } + + removeBucketIamMember(); + // [END storage_remove_bucket_iam_member] +} +main(...process.argv.slice(2)); diff --git a/storage/system-test/iam.test.js b/storage/system-test/iam.test.js new file mode 100644 index 0000000000..0570b2e839 --- /dev/null +++ b/storage/system-test/iam.test.js @@ -0,0 +1,102 @@ +// Copyright 2019 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +'use strict'; + +const {Storage} = require('@google-cloud/storage'); +const {assert} = require('chai'); +const {before, after, it} = require('mocha'); +const cp = require('child_process'); +const uuid = require('uuid'); + +const execSync = cmd => cp.execSync(cmd, {encoding: 'utf-8'}); + +const storage = new Storage(); +const bucketName = `nodejs-storage-samples-${uuid.v4()}`; +const bucket = storage.bucket(bucketName); +const userEmail = 'test@example.com'; +const roleName = 'roles/storage.objectViewer'; + +// Condition +const title = 'match-prefix'; +const description = 'Applies to objects matching a prefix'; +const expression = `resource.name.startsWith("projects/_/buckets/${bucketName}/objects/prefix-a-")`; + +before(async () => { + await bucket.create(); + // UniformBucketLevelAccess must be enabled to add a conditional binding. + await bucket.setMetadata({ + iamConfiguration: { + uniformBucketLevelAccess: { + enabled: true, + }, + }, + }); +}); + +after(async () => { + await bucket.delete().catch(console.error); +}); + +it('should add multiple members to a role on a bucket', async () => { + const output = execSync( + `node addBucketIamMember.js ${bucketName} ${roleName} "user:${userEmail}"` + ); + assert.include( + output, + `Added the following member(s) with role ${roleName} to ${bucketName}:` + ); + assert.match(output, new RegExp(`user:${userEmail}`)); +}); + +it('should add conditional binding to a bucket', async () => { + const output = execSync( + `node addBucketConditionalBinding.js ${bucketName} ${roleName} '${title}' '${description}' '${expression}' "user:${userEmail}"` + ); + assert.include( + output, + `Added the following member(s) with role ${roleName} to ${bucketName}:` + ); + assert.include(output, 'with condition:'); + assert.include(output, `Title: ${title}`); + assert.include(output, `Description: ${description}`); + assert.include(output, `Expression: ${expression}`); +}); + +it('should list members of a role on a bucket', async () => { + const output = execSync(`node viewBucketIamMembers.js ${bucketName}`); + assert.match(output, new RegExp(`Bindings for bucket ${bucketName}:`)); + assert.match(output, new RegExp(`Role: ${roleName}`)); + assert.match(output, new RegExp('Members:')); + assert.match(output, new RegExp(`user:${userEmail}`)); +}); + +it('should remove multiple members from a role on a bucket', async () => { + const output = execSync( + `node removeBucketIamMember.js ${bucketName} ${roleName} "user:${userEmail}"` + ); + assert.ok( + output.includes( + `Removed the following member(s) with role ${roleName} from ${bucketName}:` + ) + ); + assert.match(output, new RegExp(`user:${userEmail}`)); +}); + +it('should remove conditional binding to a bucket', async () => { + const output = execSync( + `node removeBucketConditionalBinding.js ${bucketName} ${roleName} '${title}' '${description}' '${expression}'` + ); + assert.include(output, 'Conditional Binding was removed'); +}); diff --git a/storage/viewBucketIamMembers.js b/storage/viewBucketIamMembers.js new file mode 100644 index 0000000000..21d0d8af23 --- /dev/null +++ b/storage/viewBucketIamMembers.js @@ -0,0 +1,70 @@ +// Copyright 2020 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +'use strict'; + +function main(bucketName = 'my-bucket') { + // [START storage_view_bucket_iam_members] + /** + * TODO(developer): Uncomment the following lines before running the sample. + */ + // The ID of your GCS bucket + // const bucketName = 'your-unique-bucket-name'; + + // Imports the Google Cloud client library + const {Storage} = require('@google-cloud/storage'); + + // Creates a client + const storage = new Storage(); + + async function viewBucketIamMembers() { + try { + // For more information please read: + // https://cloud.google.com/storage/docs/access-control/iam + const results = await storage + .bucket(bucketName) + .iam.getPolicy({requestedPolicyVersion: 3}); + + const bindings = results[0].bindings; + + console.log(`Bindings for bucket ${bucketName}:`); + for (const binding of bindings) { + console.log(` Role: ${binding.role}`); + console.log(' Members:'); + + const members = binding.members; + for (const member of members) { + console.log(` ${member}`); + } + + const condition = binding.condition; + if (condition) { + console.log(' Condition:'); + console.log(` Title: ${condition.title}`); + console.log(` Description: ${condition.description}`); + console.log(` Expression: ${condition.expression}`); + } + } + } catch (error) { + console.error( + 'Error executing view bucket iam members:', + error.message || error + ); + } + } + + viewBucketIamMembers(); + // [END storage_view_bucket_iam_members] +} +main(...process.argv.slice(2));