feat(storage): introduce IAM samples and tests for migration

Author: angelcaamal

storage/addBucketConditionalBinding.js

@@ -0,0 +1,109 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+'use strict';
+
+/**
+ * This application demonstrates how to perform basic operations on bucket and
+ * file Access Control Lists with the Google Cloud Storage API.
+ *
+ * For more information, see the README.md under /storage and the documentation
+ * at https://cloud.google.com/storage/docs.
+ */
+
+function main(
+  bucketName = 'my-bucket',
+  roleName = 'roles/storage.objectViewer',
+  title = 'match-prefix',
+  description = 'Applies to objects matching a prefix',
+  expression = 'resource.name.startsWith("projects/_/buckets/bucket-name/objects/prefix-a-")',
+  members = 'user:test@example.com'
+) {
+  members = members.split(',');
+  // [START storage_add_bucket_conditional_iam_binding]
+  /**
+   * TODO(developer): Uncomment the following lines before running the sample.
+   */
+  // The ID of your GCS bucket
+  // const bucketName = 'your-unique-bucket-name';
+
+  // The role to grant
+  // const roleName = 'roles/storage.objectViewer';
+
+  // The members to grant the new role to
+  // const members = [
+  //   'user:jdoe@example.com',
+  //   'group:admins@example.com',
+  // ];
+
+  // Create a condition
+  // const title = 'Title';
+  // const description = 'Description';
+  // const expression = 'resource.name.startsWith(\"projects/_/buckets/bucket-name/objects/prefix-a-\")';
+
+  // Imports the Google Cloud client library
+  const {Storage} = require('@google-cloud/storage');
+
+  // Creates a client
+  const storage = new Storage();
+
+  async function addBucketConditionalBinding() {
+    try {
+      // Get a reference to a Google Cloud Storage bucket
+      const bucket = storage.bucket(bucketName);
+
+      // Gets and updates the bucket's IAM policy
+      const [policy] = await bucket.iam.getPolicy({requestedPolicyVersion: 3});
+
+      // Set the policy's version to 3 to use condition in bindings.
+      policy.version = 3;
+
+      // Adds the new roles to the bucket's IAM policy
+      policy.bindings.push({
+        role: roleName,
+        members: members,
+        condition: {
+          title: title,
+          description: description,
+          expression: expression,
+        },
+      });
+
+      // Updates the bucket's IAM policy
+      await bucket.iam.setPolicy(policy);
+
+      console.log(
+        `Added the following member(s) with role ${roleName} to ${bucketName}:`
+      );
+
+      members.forEach(member => {
+        console.log(`  ${member}`);
+      });
+
+      console.log('with condition:');
+      console.log(`  Title: ${title}`);
+      console.log(`  Description: ${description}`);
+      console.log(`  Expression: ${expression}`);
+    } catch (error) {
+      console.error(
+        'Error executing add bucket conditional binding:',
+        error.message || error
+      );
+    }
+  }
+
+  addBucketConditionalBinding();
+  // [END storage_add_bucket_conditional_iam_binding]
+}
+main(...process.argv.slice(2));

storage/addBucketIamMember.js

@@ -0,0 +1,82 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+'use strict';
+
+function main(
+  bucketName = 'my-bucket',
+  roleName = 'roles/storage.objectViewer',
+  members = 'user:test@example.com'
+) {
+  //including this logic so as to not use yargs
+  members = members.split(',');
+  // [START storage_add_bucket_iam_member]
+  /**
+   * TODO(developer): Uncomment the following lines before running the sample.
+   */
+  // The ID of your GCS bucket
+  // const bucketName = 'your-unique-bucket-name';
+
+  // The role to grant
+  // const roleName = 'roles/storage.objectViewer';
+
+  // The members to grant the new role to
+  // const members = [
+  //   'user:jdoe@example.com',
+  //   'group:admins@example.com',
+  // ];
+
+  // Imports the Google Cloud client library
+  const {Storage} = require('@google-cloud/storage');
+
+  // Creates a client
+  const storage = new Storage();
+
+  async function addBucketIamMember() {
+    try {
+      // Get a reference to a Google Cloud Storage bucket
+      const bucket = storage.bucket(bucketName);
+
+      // For more information please read:
+      // https://cloud.google.com/storage/docs/access-control/iam
+      const [policy] = await bucket.iam.getPolicy({requestedPolicyVersion: 3});
+
+      // Adds the new roles to the bucket's IAM policy
+      policy.bindings.push({
+        role: roleName,
+        members: members,
+      });
+
+      // Updates the bucket's IAM policy
+      await bucket.iam.setPolicy(policy);
+
+      console.log(
+        `Added the following member(s) with role ${roleName} to ${bucketName}:`
+      );
+
+      members.forEach(member => {
+        console.log(`  ${member}`);
+      });
+    } catch (error) {
+      console.error(
+        'Error executing add bucket iam member:',
+        error.message || error
+      );
+    }
+  }
+
+  addBucketIamMember();
+  // [END storage_add_bucket_iam_member]
+}
+main(...process.argv.slice(2));

storage/package.json

@@ -0,0 +1,30 @@
+{
+  "name": "@google-cloud/storage-samples",
+  "description": "Samples for the Cloud Storage Client Library for Node.js.",
+  "license": "Apache-2.0",
+  "author": "Google Inc.",
+  "engines": {
+    "node": ">=12"
+  },
+  "repository": "googleapis/nodejs-storage",
+  "private": true,
+  "files": [
+    "*.js"
+  ],
+  "scripts": {
+    "cleanup": "node scripts/cleanup",
+    "test": "mocha system-test/*.js --timeout 800000"
+  },
+  "dependencies": {
+    "@google-cloud/pubsub": "^4.0.0",
+    "@google-cloud/storage": "^7.19.0",
+    "node-fetch": "^2.6.7",
+    "uuid": "^8.0.0",
+    "yargs": "^16.0.0"
+  },
+  "devDependencies": {
+    "chai": "^4.2.0",
+    "mocha": "^8.0.0",
+    "p-limit": "^3.1.0"
+  }
+}

storage/removeBucketConditionalBinding.js

@@ -0,0 +1,103 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+'use strict';
+
+/**
+ * This application demonstrates how to perform basic operations on bucket and
+ * file Access Control Lists with the Google Cloud Storage API.
+ *
+ * For more information, see the README.md under /storage and the documentation
+ * at https://cloud.google.com/storage/docs.
+ */
+
+function main(
+  bucketName = 'my-bucket',
+  roleName = 'roles/storage.objectViewer',
+  title = 'match-prefix',
+  description = 'Applies to objects matching a prefix',
+  expression = 'resource.name.startsWith("projects/_/buckets/bucket-name/objects/prefix-a-")'
+) {
+  // [START storage_remove_bucket_conditional_iam_binding]
+  /**
+   * TODO(developer): Uncomment the following lines before running the sample.
+   */
+  // The ID of your GCS bucket
+  // const bucketName = 'your-unique-bucket-name';
+
+  // The role to grant
+  // const roleName = 'roles/storage.objectViewer';
+
+  // The members to grant the new role to
+  // const members = [
+  //   'user:jdoe@example.com',
+  //   'group:admins@example.com',
+  // ];
+
+  // Create a condition
+  // const title = 'Title';
+  // const description = 'Description';
+  // const expression = 'resource.name.startsWith(\"projects/_/buckets/bucket-name/objects/prefix-a-\")';
+
+  // Imports the Google Cloud client library
+  const {Storage} = require('@google-cloud/storage');
+
+  // Creates a client
+  const storage = new Storage();
+
+  async function removeBucketConditionalBinding() {
+    try {
+      // Get a reference to a Google Cloud Storage bucket
+      const bucket = storage.bucket(bucketName);
+
+      // Gets and updates the bucket's IAM policy
+      const [policy] = await bucket.iam.getPolicy({requestedPolicyVersion: 3});
+
+      // Set the policy's version to 3 to use condition in bindings.
+      policy.version = 3;
+
+      // Finds and removes the appropriate role-member group with specific condition.
+      const index = policy.bindings.findIndex(
+        binding =>
+          binding.role === roleName &&
+          binding.condition &&
+          binding.condition.title === title &&
+          binding.condition.description === description &&
+          binding.condition.expression === expression
+      );
+
+      const binding = policy.bindings[index];
+      if (binding) {
+        policy.bindings.splice(index, 1);
+
+        // Updates the bucket's IAM policy
+        await bucket.iam.setPolicy(policy);
+
+        console.log('Conditional Binding was removed.');
+      } else {
+        // No matching role-member group with specific condition were found
+        throw new Error('No matching binding group found.');
+      }
+    } catch (error) {
+      console.error(
+        'Error executing remove bucket conditional binding:',
+        error.message || error
+      );
+    }
+  }
+
+  removeBucketConditionalBinding();
+  // [END storage_remove_bucket_conditional_iam_binding]
+}
+main(...process.argv.slice(2));