

Add get, replace, and test for IAM
Ajay Kannan committed Mar 5, 2016
1 parent 7eb957d commit 178b297
Showing 7 changed files with 493 additions and 13 deletions.
Expand Up @@ -22,6 +22,7 @@
import com.google.gcloud.Service;
import com.google.gcloud.spi.ResourceManagerRpc;

import java.util.List;
import java.util.Set;

/**
Expand Down Expand Up @@ -168,7 +169,34 @@ public static ProjectListOption fields(ProjectField... fields) {
}

/**
* Creates a new project.
* The permissions associated with a Google Cloud project. These values can be used when calling
* {@link #testPermissions}.
*/
public enum Permission {
CREATE("create"),
DELETE("delete"),
GET("get"),
GET_POLICY("getIamPolicy"),
LIST("list"),
OWN("own"),
REPLACE("update"),
REPLACE_POLICY("setIamPolicy"),
SET_BILLING("setBillingAccount"),
UNDELETE("undelete");

private final String strValue;

Permission(String suffix) {
this.strValue = "resourcemanager.projects." + suffix;
}

String strValue() {
return strValue;
}
}

/**
* Create a new project.
*
* <p>Initially, the project resource is owned by its creator exclusively. The creator can later
* grant permission to others to read or update the project. Several APIs are activated
Expand Down Expand Up @@ -263,4 +291,72 @@ public static ProjectListOption fields(ProjectField... fields) {
* @throws ResourceManagerException upon failure
*/
void undelete(String projectId);

/**
* Returns the IAM access control policy for the specified project. Returns null if the resource
* does not exist or if you do not have adequate permission to view the project.
*
* @see <a
* href="https://cloud.google.com/resource-manager/reference/rest/v1beta1/projects/getIamPolicy">
* Resource Manager getIamPolicy</a>
* @throws ResourceManagerException upon failure
*/
Policy getPolicy(String projectId);

/**
* Sets the IAM access control policy for the specified project. Replaces any existing policy. The
* following constraints apply:
* <ul>
* <li>Projects currently support only <I>user:{emailid}</I> and <I>serviceAccount:{emailid}</I>
* members in a binding of a policy.
* <li>To be added as an owner, a user must be invited via Cloud Platform console and must accept
* the invitation.
* <li>Members cannot be added to more than one role in the same policy.
* <li>There must be at least one owner who has accepted the Terms of Service (ToS) agreement in
* the policy. An attempt to set a policy that removes the last ToS-accepted owner from the
* policy will fail.
* <li>Calling this method requires enabling the App Engine Admin API.
* </ul>
* Note: Removing service accounts from policies or changing their roles can render services
* completely inoperable. It is important to understand how the service account is being used
* before removing or updating its roles.
*
* It is recommended that you use the read-modify-write pattern. This pattern entails reading the
* project's current policy, updating it locally, and then sending the modified policy for
* writing. Cloud IAM solves the problem of conflicting processes simultaneously attempting to
* modify a policy by using the etag property. This property is used to verify whether the
* policy has changed since the last request. When you make a request to Cloud IAM with an etag
* value, Cloud IAM compares the etag value in the request with the existing etag value associated
* with the policy. It writes the policy only if the etag values match. If an etag is not
* provided, the policy is overwritten blindly.
*
* An example of using the read-write-modify pattern is as follows:
* <pre> {@code
* Policy currentPolicy = resourceManager.getPolicy("my-project-id");
* Policy modifiedPolicy =
* current.toBuilder().removeIdentity(Role.VIEWER, Identity.user("[email protected]"));
* Policy newPolicy = resourceManager.setPolicy("my-project-id", modified);
* }
* </pre>
*
* @see <a href=
* "https://cloud.google.com/resource-manager/reference/rest/v1beta1/projects/setIamPolicy">
* Resource Manager setIamPolicy</a>
* @throw ResourceManagerException upon failure
*/
Policy replacePolicy(String projectId, Policy newPolicy);

/**
* Returns the permissions that a caller has on the specified project. You typically don't call
* this method if you're using Google Cloud Platform directly to manage permissions. This method
* is intended for integration with your proprietary software, such as a customized graphical user
* interface. For example, the Cloud Platform Console tests IAM permissions internally to
* determine which UI should be available to the logged-in user.
*
* @see <a href=
* "https://cloud.google.com/resource-manager/reference/rest/v1beta1/projects/testIamPermissions">
* Resource Manager testIamPermissions</a>
* @throw ResourceManagerException upon failure
*/
List<Boolean> testPermissions(String projectId, List<Permission> permissions);
}
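Review bot: The read-modify-write example at the end of the replacePolicy Javadoc does not match the API it documents: it calls `resourceManager.setPolicy(...)` although the method is named `replacePolicy`, and it declares `currentPolicy`/`modifiedPolicy` but then references `current` and `modified`; `toBuilder().removeIdentity(...)` presumably also needs a trailing `.build()` before it can be assigned to a `Policy`. The `@throw` tags on the replacePolicy and testPermissions docs should be `@throws`, matching getPolicy. testPermissions should also state that the returned list has one entry per element of `permissions`, in the same order, since callers can only pair results with requests positionally — something like `@return a list with one Boolean per requested permission, in request order`. The getPolicy doc folds "resource does not exist" and "caller lacks permission to view the project" into a single null return, so callers cannot tell an authorization failure from a missing project; it is worth saying explicitly that null must not be read as "the project has no policy".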
Expand Up @@ -23,6 +23,7 @@
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.Iterables;
import com.google.common.collect.Lists;
import com.google.common.collect.Maps;
import com.google.gcloud.BaseService;
import com.google.gcloud.Page;
Expand All @@ -32,6 +33,7 @@
import com.google.gcloud.spi.ResourceManagerRpc;
import com.google.gcloud.spi.ResourceManagerRpc.Tuple;

import java.util.List;
import java.util.Map;
import java.util.concurrent.Callable;

Expand Down Expand Up @@ -181,6 +183,61 @@ public Void call() {
}
}

@Override
public Policy getPolicy(final String projectId) {
try {
com.google.api.services.cloudresourcemanager.model.Policy answer =
runWithRetries(
new Callable<com.google.api.services.cloudresourcemanager.model.Policy>() {
@Override
public com.google.api.services.cloudresourcemanager.model.Policy call() {
return resourceManagerRpc.getPolicy(projectId);
}
},
options().retryParams(),
EXCEPTION_HANDLER);
return answer == null ? null : Policy.fromPb(answer);
} catch (RetryHelperException e) {
throw ResourceManagerException.translateAndThrow(e);
}
}

@Override
public Policy replacePolicy(final String projectId, final Policy newPolicy) {
try {
return Policy.fromPb(runWithRetries(
new Callable<com.google.api.services.cloudresourcemanager.model.Policy>() {
@Override
public com.google.api.services.cloudresourcemanager.model.Policy call() {
return resourceManagerRpc.replacePolicy(projectId, newPolicy.toPb());
}
}, options().retryParams(), EXCEPTION_HANDLER));
} catch (RetryHelperException e) {
throw ResourceManagerException.translateAndThrow(e);
}
}

@Override
public List<Boolean> testPermissions(final String projectId, final List<Permission> permissions) {
try {
return runWithRetries(
new Callable<List<Boolean>>() {
@Override
public List<Boolean> call() {
return resourceManagerRpc.testPermissions(projectId,
Lists.transform(permissions, new Function<Permission, String>() {
@Override
public String apply(Permission p) {
return p.strValue();
}
}));
}
}, options().retryParams(), EXCEPTION_HANDLER);
} catch (RetryHelperException e) {
throw ResourceManagerException.translateAndThrow(e);
}
}

private Map<ResourceManagerRpc.Option, ?> optionMap(Option... options) {
Map<ResourceManagerRpc.Option, Object> temp = Maps.newEnumMap(ResourceManagerRpc.Option.class);
for (Option option : options) {
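Review bot: replacePolicy feeds the RPC result straight into `Policy.fromPb(...)`, whereas getPolicy just above guards with `answer == null ? null : Policy.fromPb(answer)`; if the RPC returns null here, callers get a bare NullPointerException rather than the null or translated ResourceManagerException the rest of the class produces. Mirroring getPolicy is a two-line change: bind the retried call to a local `answer` and `return answer == null ? null : Policy.fromPb(answer);`. Likewise `newPolicy.toPb()` is evaluated only inside the Callable, so a null `newPolicy` surfaces from within the retry helper (and is classified by EXCEPTION_HANDLER, whose behavior is not visible here) instead of failing fast at the method entry; a `Preconditions.checkNotNull(newPolicy)` before `runWithRetries` would make the precondition explicit. In testPermissions the list from `resourceManagerRpc.testPermissions` is returned unchecked; since callers match it positionally against `permissions`, consider verifying the sizes agree or documenting that the RPC layer guarantees it.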
Expand Down

