From ff2084764b6c75612d04a02084f76bd715064b24 Mon Sep 17 00:00:00 2001 From: Ajay Kannan Date: Wed, 17 Feb 2016 14:16:41 -0800 Subject: [PATCH 1/7] Add IAM Policy classes --- gcloud-java-core/pom.xml | 12 + .../java/com/google/gcloud/IamPolicy.java | 530 ++++++++++++++++++ .../java/com/google/gcloud/IamPolicyTest.java | 126 +++++ .../com/google/gcloud/SerializationTest.java | 49 ++ gcloud-java-resourcemanager/pom.xml | 12 - 5 files changed, 717 insertions(+), 12 deletions(-) create mode 100644 gcloud-java-core/src/main/java/com/google/gcloud/IamPolicy.java create mode 100644 gcloud-java-core/src/test/java/com/google/gcloud/IamPolicyTest.java create mode 100644 gcloud-java-core/src/test/java/com/google/gcloud/SerializationTest.java diff --git a/gcloud-java-core/pom.xml b/gcloud-java-core/pom.xml index 3463f40b52bd..67d3af27d1a8 100644 --- a/gcloud-java-core/pom.xml +++ b/gcloud-java-core/pom.xml @@ -16,6 +16,18 @@ gcloud-java-core + + com.google.apis + google-api-services-cloudresourcemanager + v1beta1-rev10-1.21.0 + compile + + + com.google.guava + guava-jdk5 + + + com.google.auth google-auth-library-credentials diff --git a/gcloud-java-core/src/main/java/com/google/gcloud/IamPolicy.java b/gcloud-java-core/src/main/java/com/google/gcloud/IamPolicy.java new file mode 100644 index 000000000000..31099729564a --- /dev/null +++ b/gcloud-java-core/src/main/java/com/google/gcloud/IamPolicy.java @@ -0,0 +1,530 @@ +/* + * Copyright 2016 Google Inc. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.google.gcloud; + +import static com.google.common.base.Preconditions.checkNotNull; + +import com.google.common.base.Function; +import com.google.common.collect.ImmutableList; +import com.google.common.collect.Lists; + +import java.io.Serializable; +import java.util.Arrays; +import java.util.LinkedList; +import java.util.List; +import java.util.Objects; + +/** + * An Identity and Access Management (IAM) policy. It is used to specify access control policies for + * Cloud Platform resources. A Policy consists of a list of ACLs (also known as bindings in Cloud + * IAM documentation). An ACL binds a list of identities to a role, where the identities can be user + * accounts, Google groups, Google domains, and service accounts. A role is a named list of + * permissions defined by IAM. + * + * @see Policy + */ +public class IamPolicy implements Serializable { + + static final long serialVersionUID = 1114489978726897720L; + + private final List acls; + private final String etag; + private final int version; + + public static class Identity implements Serializable { + + private static final long serialVersionUID = 30811617560110848L; + + private final Type type; + private final String id; + + /** + * The types of IAM identities. + */ + public enum Type { + /** + * Represents anyone who is on the internet; with or without a Google account. + */ + ALL_USERS, + + /** + * Represents anyone who is authenticated with a Google account or a service account. + */ + ALL_AUTHENTICATED_USERS, + + /** + * Represents a specific Google account. + */ + USER, + + /** + * Represents a service account. + */ + SERVICE_ACCOUNT, + + /** + * Represents a Google group. + */ + GROUP, + + /** + * Represents all the users of a Google Apps domain name. + */ + DOMAIN + } + + Identity(Type type, String id) { + this.type = type; + this.id = id; + } + + public Type type() { + return type; + } + + /** + * Returns the string identifier for this identity. The id corresponds to: + *
    + *
  • email address (for identities of type {@code USER}, {@code SERVICE_ACCOUNT}, and + * {@code GROUP}) + *
  • domain (for identities of type {@code DOMAIN}) + *
  • null (for identities of type {@code ALL_USERS} and {@code ALL_AUTHENTICATED_USERS}) + *
+ */ + public String id() { + return id; + } + + /** + * Returns a new identity representing anyone who is on the internet; with or without a Google + * account. + */ + public static Identity allUsers() { + return new Identity(Type.ALL_USERS, null); + } + + /** + * Returns a new identity representing anyone who is authenticated with a Google account or a + * service account. + */ + public static Identity allAuthenticatedUsers() { + return new Identity(Type.ALL_AUTHENTICATED_USERS, null); + } + + /** + * Returns a new user identity. + * + * @param email An email address that represents a specific Google account. For example, + * alice@gmail.com or joe@example.com. + */ + public static Identity user(String email) { + return new Identity(Type.USER, checkNotNull(email)); + } + + /** + * Returns a new service account identity. + * + * @param email An email address that represents a service account. For example, + * my-other-app@appspot.gserviceaccount.com. + */ + public static Identity serviceAccount(String email) { + return new Identity(Type.SERVICE_ACCOUNT, checkNotNull(email)); + } + + /** + * Returns a new group identity. + * + * @param email An email address that represents a Google group. For example, + * admins@example.com. + */ + public static Identity group(String email) { + return new Identity(Type.GROUP, checkNotNull(email)); + } + + /** + * Returns a new domain identity. + * + * @param domain A Google Apps domain name that represents all the users of that domain. For + * example, google.com or example.com. + */ + public static Identity domain(String domain) { + return new Identity(Type.DOMAIN, checkNotNull(domain)); + } + + @Override + public int hashCode() { + return Objects.hash(id, type); + } + + @Override + public boolean equals(Object obj) { + if (!(obj instanceof Identity)) { + return false; + } + Identity other = (Identity) obj; + return Objects.equals(toPb(), other.toPb()); + } + + String toPb() { + switch (type) { + case ALL_USERS: + return "allUsers"; + case ALL_AUTHENTICATED_USERS: + return "allAuthenticatedUsers"; + case USER: + return "user:" + id; + case SERVICE_ACCOUNT: + return "serviceAccount:" + id; + case GROUP: + return "group:" + id; + default: + return "domain:" + id; + } + } + + static Identity fromPb(String identityStr) { + String[] info = identityStr.split(":"); + switch (info[0]) { + case "allUsers": + return allUsers(); + case "allAuthenticatedUsers": + return allAuthenticatedUsers(); + case "user": + return user(info[1]); + case "serviceAccount": + return serviceAccount(info[1]); + case "group": + return group(info[1]); + case "domain": + return domain(info[1]); + default: + throw new IllegalArgumentException("Unexpected identity type: " + info[0]); + } + } + } + + /** + * An ACL binds a list of identities to a role, where the identities can be user accounts, Google + * groups, Google domains, and service accounts. A role is a named list of permissions defined by + * IAM. + * + * @see Binding + */ + public static class Acl implements Serializable { + + private static final long serialVersionUID = 3954282899483745158L; + + private final List identities; + private final String role; + + /** + * An ACL builder. + */ + public static class Builder { + private final List members = new LinkedList<>(); + private String role; + + Builder(String role) { + this.role = role; + } + + /** + * Sets the role associated with this ACL. + */ + public Builder role(String role) { + this.role = role; + return this; + } + + /** + * Replaces the builder's list of identities with the given list. + */ + public Builder identities(List identities) { + this.members.clear(); + this.members.addAll(identities); + return this; + } + + /** + * Adds one or more identities to the list of identities associated with the ACL. + */ + public Builder addIdentity(Identity first, Identity... others) { + members.add(first); + members.addAll(Arrays.asList(others)); + return this; + } + + /** + * Removes the specified identity from the ACL. + */ + public Builder removeIdentity(Identity identity) { + members.remove(identity); + return this; + } + + public Acl build() { + return new Acl(this); + } + } + + Acl(Builder builder) { + identities = ImmutableList.copyOf(checkNotNull(builder.members)); + role = checkNotNull(builder.role); + } + + /** + * Returns the list of identities associated with this ACL. + */ + public List identities() { + return identities; + } + + /** + * Returns the role associated with this ACL. + */ + public String role() { + return role; + } + + /** + * Returns an ACL builder for the specific role type. + * + * @param role string representing the role, without the "roles/" prefix. An example of a valid + * legacy role is "viewer". An example of a valid service-specific role is + * "pubsub.publisher". + */ + public static Builder builder(String role) { + return new Builder(role); + } + + /** + * Returns an ACL for the role type and list of identities provided. + * + * @param role string representing the role, without the "roles/" prefix. An example of a valid + * legacy role is "viewer". An example of a valid service-specific role is + * "pubsub.publisher". + * @param members list of identities associated with the role. + */ + public static Acl of(String role, List members) { + return new Acl(new Builder(role).identities(members)); + } + + /** + * Returns an ACL for the role type and identities provided. + * + * @param role string representing the role, without the "roles/" prefix. An example of a valid + * legacy role is "viewer". An example of a valid service-specific role is + * "pubsub.publisher". + * @param first identity associated with the role. + * @param others any other identities associated with the role. + */ + public static Acl of(String role, Identity first, Identity... others) { + return new Acl(new Builder(role).addIdentity(first, others)); + } + + public Builder toBuilder() { + return new Builder(role).identities(identities); + } + + @Override + public int hashCode() { + return Objects.hash(identities, role); + } + + @Override + public boolean equals(Object obj) { + if (!(obj instanceof Acl)) { + return false; + } + Acl other = (Acl) obj; + return Objects.equals(toPb(), other.toPb()); + } + + com.google.api.services.cloudresourcemanager.model.Binding toPb() { + com.google.api.services.cloudresourcemanager.model.Binding bindingPb = + new com.google.api.services.cloudresourcemanager.model.Binding(); + bindingPb.setMembers(Lists.transform(identities, new Function() { + @Override + public String apply(Identity identity) { + return identity.toPb(); + } + })); + bindingPb.setRole("roles/" + role); + return bindingPb; + } + + static Acl fromPb(com.google.api.services.cloudresourcemanager.model.Binding bindingPb) { + return of( + bindingPb.getRole().substring("roles/".length()), + Lists.transform(bindingPb.getMembers(), new Function() { + @Override + public Identity apply(String memberPb) { + return Identity.fromPb(memberPb); + } + })); + } + } + + /** + * Builder for an IAM Policy. + */ + public static class Builder { + + private final List acls = new LinkedList<>(); + private String etag; + private int version; + + /** + * Replaces the builder's list of ACLs with the given list of ACLs. + */ + public Builder acls(List acls) { + this.acls.clear(); + this.acls.addAll(acls); + return this; + } + + /** + * Adds one or more ACLs to the policy. + */ + public Builder addAcl(Acl first, Acl... others) { + acls.add(first); + acls.addAll(Arrays.asList(others)); + return this; + } + + /** + * Removes the specified ACL. + */ + public Builder removeAcl(Acl acl) { + acls.remove(acl); + return this; + } + + /** + * Sets the policy's etag. + * + *

Etags are used for optimistic concurrency control as a way to help prevent simultaneous + * updates of a policy from overwriting each other. It is strongly suggested that systems make + * use of the etag in the read-modify-write cycle to perform policy updates in order to avoid + * race conditions. An etag is returned in the response to getIamPolicy, and systems are + * expected to put that etag in the request to setIamPolicy to ensure that their change will be + * applied to the same version of the policy. If no etag is provided in the call to + * setIamPolicy, then the existing policy is overwritten blindly. + */ + public Builder etag(String etag) { + this.etag = etag; + return this; + } + + /** + * Sets the version of the policy. The default version is 0. + */ + public Builder version(int version) { + this.version = version; + return this; + } + + public IamPolicy build() { + return new IamPolicy(this); + } + } + + IamPolicy(Builder builder) { + acls = ImmutableList.copyOf(builder.acls); + etag = builder.etag; + version = builder.version; + } + + /** + * The list of ACLs specified in the policy. + */ + public List acls() { + return acls; + } + + /** + * The policy's etag. + * + *

Etags are used for optimistic concurrency control as a way to help prevent simultaneous + * updates of a policy from overwriting each other. It is strongly suggested that systems make + * use of the etag in the read-modify-write cycle to perform policy updates in order to avoid + * race conditions. An etag is returned in the response to getIamPolicy, and systems are + * expected to put that etag in the request to setIamPolicy to ensure that their change will be + * applied to the same version of the policy. If no etag is provided in the call to + * setIamPolicy, then the existing policy is overwritten blindly. + */ + public String etag() { + return etag; + } + + /** + * The version of the policy. The default version is 0. + */ + public int version() { + return version; + } + + @Override + public int hashCode() { + return Objects.hash(acls, etag, version); + } + + @Override + public boolean equals(Object obj) { + if (!(obj instanceof IamPolicy)) { + return false; + } + IamPolicy other = (IamPolicy) obj; + return Objects.equals(toPb(), other.toPb()); + } + + public static Builder builder() { + return new Builder(); + } + + public Builder toBuilder() { + return new Builder().acls(acls).etag(etag).version(version); + } + + com.google.api.services.cloudresourcemanager.model.Policy toPb() { + com.google.api.services.cloudresourcemanager.model.Policy policyPb = + new com.google.api.services.cloudresourcemanager.model.Policy(); + policyPb.setBindings(Lists.transform( + acls, new Function() { + @Override + public com.google.api.services.cloudresourcemanager.model.Binding apply(Acl acl) { + return acl.toPb(); + } + })); + policyPb.setEtag(etag); + policyPb.setVersion(version); + return policyPb; + } + + static IamPolicy fromPb(com.google.api.services.cloudresourcemanager.model.Policy policyPb) { + Builder builder = new Builder(); + builder.acls(Lists.transform( + policyPb.getBindings(), + new Function() { + @Override + public Acl apply(com.google.api.services.cloudresourcemanager.model.Binding binding) { + return Acl.fromPb(binding); + } + })); + return builder.etag(policyPb.getEtag()).version(policyPb.getVersion()).build(); + } +} diff --git a/gcloud-java-core/src/test/java/com/google/gcloud/IamPolicyTest.java b/gcloud-java-core/src/test/java/com/google/gcloud/IamPolicyTest.java new file mode 100644 index 000000000000..a87a0b5f287d --- /dev/null +++ b/gcloud-java-core/src/test/java/com/google/gcloud/IamPolicyTest.java @@ -0,0 +1,126 @@ +/* + * Copyright 2015 Google Inc. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.google.gcloud; + +import static org.junit.Assert.assertEquals; + +import com.google.common.collect.ImmutableList; +import com.google.gcloud.IamPolicy.Acl; +import com.google.gcloud.IamPolicy.Identity; + +import org.junit.Test; + +public class IamPolicyTest { + + private static final Identity ALL_USERS = Identity.allUsers(); + private static final Identity ALL_AUTHENTICATED_USERS = Identity.allAuthenticatedUsers(); + private static final Identity USER = Identity.user("abc@gmail.com"); + private static final Identity SERVICE_ACCOUNT = + Identity.serviceAccount("service-account@gmail.com"); + private static final Identity GROUP = Identity.group("group@gmail.com"); + private static final Identity DOMAIN = Identity.domain("google.com"); + private static final Acl ACL1 = Acl.of("viewer", USER, SERVICE_ACCOUNT, ALL_USERS); + private static final Acl ACL2 = Acl.of("editor", ALL_AUTHENTICATED_USERS, GROUP, DOMAIN); + private static final IamPolicy FULL_POLICY = + IamPolicy.builder().addAcl(ACL1, ACL2).etag("etag").version(1).build(); + private static final IamPolicy SIMPLE_POLICY = IamPolicy.builder().addAcl(ACL1, ACL2).build(); + + @Test + public void testIdentityOf() { + assertEquals(Identity.Type.ALL_USERS, ALL_USERS.type()); + assertEquals(null, ALL_USERS.id()); + assertEquals(Identity.Type.ALL_AUTHENTICATED_USERS, ALL_AUTHENTICATED_USERS.type()); + assertEquals(null, ALL_AUTHENTICATED_USERS.id()); + assertEquals(Identity.Type.USER, USER.type()); + assertEquals("abc@gmail.com", USER.id()); + assertEquals(Identity.Type.SERVICE_ACCOUNT, SERVICE_ACCOUNT.type()); + assertEquals("service-account@gmail.com", SERVICE_ACCOUNT.id()); + assertEquals(Identity.Type.GROUP, GROUP.type()); + assertEquals("group@gmail.com", GROUP.id()); + assertEquals(Identity.Type.DOMAIN, DOMAIN.type()); + assertEquals("google.com", DOMAIN.id()); + } + + @Test + public void testIdentityToAndFromPb() { + assertEquals(ALL_USERS, Identity.fromPb(ALL_USERS.toPb())); + assertEquals(ALL_AUTHENTICATED_USERS, Identity.fromPb(ALL_AUTHENTICATED_USERS.toPb())); + assertEquals(USER, Identity.fromPb(USER.toPb())); + assertEquals(SERVICE_ACCOUNT, Identity.fromPb(SERVICE_ACCOUNT.toPb())); + assertEquals(GROUP, Identity.fromPb(GROUP.toPb())); + assertEquals(DOMAIN, Identity.fromPb(DOMAIN.toPb())); + } + + @Test + public void testAclBuilder() { + Acl acl = Acl.builder("owner").addIdentity(USER, GROUP).build(); + assertEquals("owner", acl.role()); + assertEquals(ImmutableList.of(USER, GROUP), acl.identities()); + acl = acl.toBuilder().role("viewer").removeIdentity(GROUP).build(); + assertEquals("viewer", acl.role()); + assertEquals(ImmutableList.of(USER), acl.identities()); + acl = acl.toBuilder().identities(ImmutableList.of(SERVICE_ACCOUNT)).build(); + assertEquals("viewer", acl.role()); + assertEquals(ImmutableList.of(SERVICE_ACCOUNT), acl.identities()); + } + + @Test + public void testAclOf() { + assertEquals("viewer", ACL1.role()); + assertEquals(ImmutableList.of(USER, SERVICE_ACCOUNT, ALL_USERS), ACL1.identities()); + Acl aclFromIdentitiesList = Acl.of("editor", ImmutableList.of(USER, SERVICE_ACCOUNT)); + assertEquals("editor", aclFromIdentitiesList.role()); + assertEquals(ImmutableList.of(USER, SERVICE_ACCOUNT), aclFromIdentitiesList.identities()); + } + + @Test + public void testAclToBuilder() { + assertEquals(ACL1, ACL1.toBuilder().build()); + } + + @Test + public void testAclToAndFromPb() { + assertEquals(ACL1, Acl.fromPb(ACL1.toPb())); + } + + @Test + public void testIamPolicyBuilder() { + assertEquals(ImmutableList.of(ACL1, ACL2), FULL_POLICY.acls()); + assertEquals("etag", FULL_POLICY.etag()); + assertEquals(1, FULL_POLICY.version()); + IamPolicy policy = FULL_POLICY.toBuilder().acls(ImmutableList.of(ACL2)).build(); + assertEquals(ImmutableList.of(ACL2), policy.acls()); + assertEquals("etag", policy.etag()); + assertEquals(1, policy.version()); + policy = SIMPLE_POLICY.toBuilder().removeAcl(ACL2).build(); + assertEquals(ImmutableList.of(ACL1), policy.acls()); + assertEquals(null, policy.etag()); + assertEquals(0, policy.version()); + } + + @Test + public void testIamPolicyToBuilder() { + assertEquals(FULL_POLICY, FULL_POLICY.toBuilder().build()); + assertEquals(SIMPLE_POLICY, SIMPLE_POLICY.toBuilder().build()); + } + + @Test + public void testToAndFromPb() { + assertEquals(FULL_POLICY, IamPolicy.fromPb(FULL_POLICY.toPb())); + assertEquals(SIMPLE_POLICY, IamPolicy.fromPb(SIMPLE_POLICY.toPb())); + } +} diff --git a/gcloud-java-core/src/test/java/com/google/gcloud/SerializationTest.java b/gcloud-java-core/src/test/java/com/google/gcloud/SerializationTest.java new file mode 100644 index 000000000000..b529b2c09ff5 --- /dev/null +++ b/gcloud-java-core/src/test/java/com/google/gcloud/SerializationTest.java @@ -0,0 +1,49 @@ +package com.google.gcloud; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertNotSame; + +import com.google.common.collect.ImmutableList; +import com.google.gcloud.IamPolicy.Acl; +import com.google.gcloud.IamPolicy.Identity; + +import org.junit.Test; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import java.io.Serializable; + +public class SerializationTest { + + private static final Identity IDENTITY = Identity.user("abc@gmail.com"); + private static final Acl ACL = Acl.of("viewer", ImmutableList.of(IDENTITY)); + private static final IamPolicy POLICY = + IamPolicy.builder().acls(ImmutableList.of(ACL)).etag("etag").version(1).build(); + + @Test + public void testModelAndRequests() throws Exception { + Serializable[] objects = {IDENTITY, ACL, POLICY}; + for (Serializable obj : objects) { + Object copy = serializeAndDeserialize(obj); + assertEquals(obj, obj); + assertEquals(obj, copy); + assertNotSame(obj, copy); + assertEquals(copy, copy); + } + } + + @SuppressWarnings("unchecked") + private T serializeAndDeserialize(T obj) throws IOException, ClassNotFoundException { + ByteArrayOutputStream bytes = new ByteArrayOutputStream(); + try (ObjectOutputStream output = new ObjectOutputStream(bytes)) { + output.writeObject(obj); + } + try (ObjectInputStream input = + new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) { + return (T) input.readObject(); + } + } +} diff --git a/gcloud-java-resourcemanager/pom.xml b/gcloud-java-resourcemanager/pom.xml index 1311e4dc1bb5..5e77ab48f5b5 100644 --- a/gcloud-java-resourcemanager/pom.xml +++ b/gcloud-java-resourcemanager/pom.xml @@ -21,18 +21,6 @@ gcloud-java-core ${project.version} - - com.google.apis - google-api-services-cloudresourcemanager - v1beta1-rev10-1.21.0 - compile - - - com.google.guava - guava-jdk5 - - - junit junit From 3f07b2ce044df15af9235de39d37f5827a9a6d6c Mon Sep 17 00:00:00 2001 From: Ajay Kannan Date: Thu, 18 Feb 2016 16:29:47 -0800 Subject: [PATCH 2/7] move to/fromPb functions to Resource Manager --- gcloud-java-core/pom.xml | 12 --- .../java/com/google/gcloud/IamPolicy.java | 98 +------------------ .../java/com/google/gcloud/IamPolicyTest.java | 27 +---- gcloud-java-resourcemanager/pom.xml | 12 +++ .../resourcemanager/ResourceManagerImpl.java | 94 ++++++++++++++++++ .../ResourceManagerImplTest.java | 44 +++++++++ 6 files changed, 157 insertions(+), 130 deletions(-) diff --git a/gcloud-java-core/pom.xml b/gcloud-java-core/pom.xml index 67d3af27d1a8..3463f40b52bd 100644 --- a/gcloud-java-core/pom.xml +++ b/gcloud-java-core/pom.xml @@ -16,18 +16,6 @@ gcloud-java-core - - com.google.apis - google-api-services-cloudresourcemanager - v1beta1-rev10-1.21.0 - compile - - - com.google.guava - guava-jdk5 - - - com.google.auth google-auth-library-credentials diff --git a/gcloud-java-core/src/main/java/com/google/gcloud/IamPolicy.java b/gcloud-java-core/src/main/java/com/google/gcloud/IamPolicy.java index 31099729564a..a16ab790b363 100644 --- a/gcloud-java-core/src/main/java/com/google/gcloud/IamPolicy.java +++ b/gcloud-java-core/src/main/java/com/google/gcloud/IamPolicy.java @@ -18,9 +18,7 @@ import static com.google.common.base.Preconditions.checkNotNull; -import com.google.common.base.Function; import com.google.common.collect.ImmutableList; -import com.google.common.collect.Lists; import java.io.Serializable; import java.util.Arrays; @@ -176,44 +174,7 @@ public boolean equals(Object obj) { return false; } Identity other = (Identity) obj; - return Objects.equals(toPb(), other.toPb()); - } - - String toPb() { - switch (type) { - case ALL_USERS: - return "allUsers"; - case ALL_AUTHENTICATED_USERS: - return "allAuthenticatedUsers"; - case USER: - return "user:" + id; - case SERVICE_ACCOUNT: - return "serviceAccount:" + id; - case GROUP: - return "group:" + id; - default: - return "domain:" + id; - } - } - - static Identity fromPb(String identityStr) { - String[] info = identityStr.split(":"); - switch (info[0]) { - case "allUsers": - return allUsers(); - case "allAuthenticatedUsers": - return allAuthenticatedUsers(); - case "user": - return user(info[1]); - case "serviceAccount": - return serviceAccount(info[1]); - case "group": - return group(info[1]); - case "domain": - return domain(info[1]); - default: - throw new IllegalArgumentException("Unexpected identity type: " + info[0]); - } + return Objects.equals(id, other.id()) && Objects.equals(type, other.type()); } } @@ -351,31 +312,7 @@ public boolean equals(Object obj) { return false; } Acl other = (Acl) obj; - return Objects.equals(toPb(), other.toPb()); - } - - com.google.api.services.cloudresourcemanager.model.Binding toPb() { - com.google.api.services.cloudresourcemanager.model.Binding bindingPb = - new com.google.api.services.cloudresourcemanager.model.Binding(); - bindingPb.setMembers(Lists.transform(identities, new Function() { - @Override - public String apply(Identity identity) { - return identity.toPb(); - } - })); - bindingPb.setRole("roles/" + role); - return bindingPb; - } - - static Acl fromPb(com.google.api.services.cloudresourcemanager.model.Binding bindingPb) { - return of( - bindingPb.getRole().substring("roles/".length()), - Lists.transform(bindingPb.getMembers(), new Function() { - @Override - public Identity apply(String memberPb) { - return Identity.fromPb(memberPb); - } - })); + return Objects.equals(identities, other.identities()) && Objects.equals(role, other.role()); } } @@ -489,7 +426,8 @@ public boolean equals(Object obj) { return false; } IamPolicy other = (IamPolicy) obj; - return Objects.equals(toPb(), other.toPb()); + return Objects.equals(acls, other.acls()) && Objects.equals(etag, other.etag()) + && Objects.equals(version, other.version()); } public static Builder builder() { @@ -499,32 +437,4 @@ public static Builder builder() { public Builder toBuilder() { return new Builder().acls(acls).etag(etag).version(version); } - - com.google.api.services.cloudresourcemanager.model.Policy toPb() { - com.google.api.services.cloudresourcemanager.model.Policy policyPb = - new com.google.api.services.cloudresourcemanager.model.Policy(); - policyPb.setBindings(Lists.transform( - acls, new Function() { - @Override - public com.google.api.services.cloudresourcemanager.model.Binding apply(Acl acl) { - return acl.toPb(); - } - })); - policyPb.setEtag(etag); - policyPb.setVersion(version); - return policyPb; - } - - static IamPolicy fromPb(com.google.api.services.cloudresourcemanager.model.Policy policyPb) { - Builder builder = new Builder(); - builder.acls(Lists.transform( - policyPb.getBindings(), - new Function() { - @Override - public Acl apply(com.google.api.services.cloudresourcemanager.model.Binding binding) { - return Acl.fromPb(binding); - } - })); - return builder.etag(policyPb.getEtag()).version(policyPb.getVersion()).build(); - } } diff --git a/gcloud-java-core/src/test/java/com/google/gcloud/IamPolicyTest.java b/gcloud-java-core/src/test/java/com/google/gcloud/IamPolicyTest.java index a87a0b5f287d..76a57b5fef50 100644 --- a/gcloud-java-core/src/test/java/com/google/gcloud/IamPolicyTest.java +++ b/gcloud-java-core/src/test/java/com/google/gcloud/IamPolicyTest.java @@ -55,16 +55,6 @@ public void testIdentityOf() { assertEquals("google.com", DOMAIN.id()); } - @Test - public void testIdentityToAndFromPb() { - assertEquals(ALL_USERS, Identity.fromPb(ALL_USERS.toPb())); - assertEquals(ALL_AUTHENTICATED_USERS, Identity.fromPb(ALL_AUTHENTICATED_USERS.toPb())); - assertEquals(USER, Identity.fromPb(USER.toPb())); - assertEquals(SERVICE_ACCOUNT, Identity.fromPb(SERVICE_ACCOUNT.toPb())); - assertEquals(GROUP, Identity.fromPb(GROUP.toPb())); - assertEquals(DOMAIN, Identity.fromPb(DOMAIN.toPb())); - } - @Test public void testAclBuilder() { Acl acl = Acl.builder("owner").addIdentity(USER, GROUP).build(); @@ -82,9 +72,9 @@ public void testAclBuilder() { public void testAclOf() { assertEquals("viewer", ACL1.role()); assertEquals(ImmutableList.of(USER, SERVICE_ACCOUNT, ALL_USERS), ACL1.identities()); - Acl aclFromIdentitiesList = Acl.of("editor", ImmutableList.of(USER, SERVICE_ACCOUNT)); - assertEquals("editor", aclFromIdentitiesList.role()); - assertEquals(ImmutableList.of(USER, SERVICE_ACCOUNT), aclFromIdentitiesList.identities()); + Acl aclFromList = Acl.of("editor", ImmutableList.of(USER, SERVICE_ACCOUNT)); + assertEquals("editor", aclFromList.role()); + assertEquals(ImmutableList.of(USER, SERVICE_ACCOUNT), aclFromList.identities()); } @Test @@ -92,11 +82,6 @@ public void testAclToBuilder() { assertEquals(ACL1, ACL1.toBuilder().build()); } - @Test - public void testAclToAndFromPb() { - assertEquals(ACL1, Acl.fromPb(ACL1.toPb())); - } - @Test public void testIamPolicyBuilder() { assertEquals(ImmutableList.of(ACL1, ACL2), FULL_POLICY.acls()); @@ -117,10 +102,4 @@ public void testIamPolicyToBuilder() { assertEquals(FULL_POLICY, FULL_POLICY.toBuilder().build()); assertEquals(SIMPLE_POLICY, SIMPLE_POLICY.toBuilder().build()); } - - @Test - public void testToAndFromPb() { - assertEquals(FULL_POLICY, IamPolicy.fromPb(FULL_POLICY.toPb())); - assertEquals(SIMPLE_POLICY, IamPolicy.fromPb(SIMPLE_POLICY.toPb())); - } } diff --git a/gcloud-java-resourcemanager/pom.xml b/gcloud-java-resourcemanager/pom.xml index 5e77ab48f5b5..1311e4dc1bb5 100644 --- a/gcloud-java-resourcemanager/pom.xml +++ b/gcloud-java-resourcemanager/pom.xml @@ -21,6 +21,18 @@ gcloud-java-core ${project.version} + + com.google.apis + google-api-services-cloudresourcemanager + v1beta1-rev10-1.21.0 + compile + + + com.google.guava + guava-jdk5 + + + junit junit diff --git a/gcloud-java-resourcemanager/src/main/java/com/google/gcloud/resourcemanager/ResourceManagerImpl.java b/gcloud-java-resourcemanager/src/main/java/com/google/gcloud/resourcemanager/ResourceManagerImpl.java index 4176b4e610ba..e641f3c75a31 100644 --- a/gcloud-java-resourcemanager/src/main/java/com/google/gcloud/resourcemanager/ResourceManagerImpl.java +++ b/gcloud-java-resourcemanager/src/main/java/com/google/gcloud/resourcemanager/ResourceManagerImpl.java @@ -23,8 +23,12 @@ import com.google.common.collect.ImmutableList; import com.google.common.collect.ImmutableMap; import com.google.common.collect.Iterables; +import com.google.common.collect.Lists; import com.google.common.collect.Maps; import com.google.gcloud.BaseService; +import com.google.gcloud.IamPolicy; +import com.google.gcloud.IamPolicy.Acl; +import com.google.gcloud.IamPolicy.Identity; import com.google.gcloud.Page; import com.google.gcloud.PageImpl; import com.google.gcloud.PageImpl.NextPageFetcher; @@ -189,4 +193,94 @@ public Void call() { } return ImmutableMap.copyOf(temp); } + + static String identityToPb(Identity identity) { + switch (identity.type()) { + case ALL_USERS: + return "allUsers"; + case ALL_AUTHENTICATED_USERS: + return "allAuthenticatedUsers"; + case USER: + return "user:" + identity.id(); + case SERVICE_ACCOUNT: + return "serviceAccount:" + identity.id(); + case GROUP: + return "group:" + identity.id(); + default: + return "domain:" + identity.id(); + } + } + + static Identity identityFromPb(String identityStr) { + String[] info = identityStr.split(":"); + switch (info[0]) { + case "allUsers": + return Identity.allUsers(); + case "allAuthenticatedUsers": + return Identity.allAuthenticatedUsers(); + case "user": + return Identity.user(info[1]); + case "serviceAccount": + return Identity.serviceAccount(info[1]); + case "group": + return Identity.group(info[1]); + case "domain": + return Identity.domain(info[1]); + default: + throw new IllegalArgumentException("Unexpected identity type: " + info[0]); + } + } + + static com.google.api.services.cloudresourcemanager.model.Binding aclToPb(Acl acl) { + com.google.api.services.cloudresourcemanager.model.Binding bindingPb = + new com.google.api.services.cloudresourcemanager.model.Binding(); + bindingPb.setMembers(Lists.transform(acl.identities(), new Function() { + @Override + public String apply(Identity identity) { + return identityToPb(identity); + } + })); + bindingPb.setRole("roles/" + acl.role()); + return bindingPb; + } + + static Acl aclFromPb(com.google.api.services.cloudresourcemanager.model.Binding bindingPb) { + return Acl.of( + bindingPb.getRole().substring("roles/".length()), + Lists.transform(bindingPb.getMembers(), new Function() { + @Override + public Identity apply(String memberPb) { + return identityFromPb(memberPb); + } + })); + } + + static com.google.api.services.cloudresourcemanager.model.Policy policyToPb( + final IamPolicy policy) { + com.google.api.services.cloudresourcemanager.model.Policy policyPb = + new com.google.api.services.cloudresourcemanager.model.Policy(); + policyPb.setBindings(Lists.transform(policy.acls(), + new Function() { + @Override + public com.google.api.services.cloudresourcemanager.model.Binding apply(Acl acl) { + return aclToPb(acl); + } + })); + policyPb.setEtag(policy.etag()); + policyPb.setVersion(policy.version()); + return policyPb; + } + + static IamPolicy policyFromPb( + com.google.api.services.cloudresourcemanager.model.Policy policyPb) { + IamPolicy.Builder builder = new IamPolicy.Builder(); + builder.acls(Lists.transform(policyPb.getBindings(), + new Function() { + @Override + public Acl apply(com.google.api.services.cloudresourcemanager.model.Binding binding) { + return aclFromPb(binding); + } + })); + return builder.etag(policyPb.getEtag()).version(policyPb.getVersion()).build(); + } } diff --git a/gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/ResourceManagerImplTest.java b/gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/ResourceManagerImplTest.java index 37c54718fb4a..623bf68d085c 100644 --- a/gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/ResourceManagerImplTest.java +++ b/gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/ResourceManagerImplTest.java @@ -25,6 +25,9 @@ import static org.junit.Assert.fail; import com.google.common.collect.ImmutableMap; +import com.google.gcloud.IamPolicy; +import com.google.gcloud.IamPolicy.Acl; +import com.google.gcloud.IamPolicy.Identity; import com.google.gcloud.Page; import com.google.gcloud.resourcemanager.ProjectInfo.ResourceId; import com.google.gcloud.resourcemanager.ResourceManager.ProjectField; @@ -64,6 +67,18 @@ public class ResourceManagerImplTest { .parent(PARENT) .build(); private static final Map EMPTY_RPC_OPTIONS = ImmutableMap.of(); + private static final Identity ALL_USERS = Identity.allUsers(); + private static final Identity ALL_AUTH_USERS = Identity.allAuthenticatedUsers(); + private static final Identity USER = Identity.user("abc@gmail.com"); + private static final Identity SERVICE_ACCOUNT = + Identity.serviceAccount("service-account@gmail.com"); + private static final Identity GROUP = Identity.group("group@gmail.com"); + private static final Identity DOMAIN = Identity.domain("google.com"); + private static final Acl ACL1 = Acl.of("viewer", USER, SERVICE_ACCOUNT, ALL_USERS); + private static final Acl ACL2 = Acl.of("editor", ALL_AUTH_USERS, GROUP, DOMAIN); + private static final IamPolicy FULL_POLICY = + IamPolicy.builder().addAcl(ACL1, ACL2).etag("etag").version(1).build(); + private static final IamPolicy SIMPLE_POLICY = IamPolicy.builder().addAcl(ACL1, ACL2).build(); @Rule public ExpectedException thrown = ExpectedException.none(); @@ -271,6 +286,35 @@ public void testUndelete() { } } + @Test + public void testIdentityToAndFromPb() { + assertEquals(ALL_USERS, + ResourceManagerImpl.identityFromPb(ResourceManagerImpl.identityToPb(ALL_USERS))); + assertEquals(ALL_AUTH_USERS, + ResourceManagerImpl.identityFromPb( + ResourceManagerImpl.identityToPb(ALL_AUTH_USERS))); + assertEquals(USER, ResourceManagerImpl.identityFromPb(ResourceManagerImpl.identityToPb(USER))); + assertEquals(SERVICE_ACCOUNT, + ResourceManagerImpl.identityFromPb(ResourceManagerImpl.identityToPb(SERVICE_ACCOUNT))); + assertEquals(GROUP, + ResourceManagerImpl.identityFromPb(ResourceManagerImpl.identityToPb(GROUP))); + assertEquals(DOMAIN, + ResourceManagerImpl.identityFromPb(ResourceManagerImpl.identityToPb(DOMAIN))); + } + + @Test + public void testAclToAndFromPb() { + assertEquals(ACL1, ResourceManagerImpl.aclFromPb(ResourceManagerImpl.aclToPb(ACL1))); + } + + @Test + public void testPolicyToAndFromPb() { + assertEquals(FULL_POLICY, + ResourceManagerImpl.policyFromPb(ResourceManagerImpl.policyToPb(FULL_POLICY))); + assertEquals(SIMPLE_POLICY, + ResourceManagerImpl.policyFromPb(ResourceManagerImpl.policyToPb(SIMPLE_POLICY))); + } + @Test public void testRetryableException() { ResourceManagerRpcFactory rpcFactoryMock = EasyMock.createMock(ResourceManagerRpcFactory.class); From c96469b6a135619708f08526c2f0d5cc50396c80 Mon Sep 17 00:00:00 2001 From: Ajay Kannan Date: Thu, 18 Feb 2016 17:33:13 -0800 Subject: [PATCH 3/7] variable rename to make codacy happy --- .../src/test/java/com/google/gcloud/IamPolicyTest.java | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/gcloud-java-core/src/test/java/com/google/gcloud/IamPolicyTest.java b/gcloud-java-core/src/test/java/com/google/gcloud/IamPolicyTest.java index 76a57b5fef50..0d4e9fbfa6c8 100644 --- a/gcloud-java-core/src/test/java/com/google/gcloud/IamPolicyTest.java +++ b/gcloud-java-core/src/test/java/com/google/gcloud/IamPolicyTest.java @@ -27,14 +27,14 @@ public class IamPolicyTest { private static final Identity ALL_USERS = Identity.allUsers(); - private static final Identity ALL_AUTHENTICATED_USERS = Identity.allAuthenticatedUsers(); + private static final Identity ALL_AUTH_USERS = Identity.allAuthenticatedUsers(); private static final Identity USER = Identity.user("abc@gmail.com"); private static final Identity SERVICE_ACCOUNT = Identity.serviceAccount("service-account@gmail.com"); private static final Identity GROUP = Identity.group("group@gmail.com"); private static final Identity DOMAIN = Identity.domain("google.com"); private static final Acl ACL1 = Acl.of("viewer", USER, SERVICE_ACCOUNT, ALL_USERS); - private static final Acl ACL2 = Acl.of("editor", ALL_AUTHENTICATED_USERS, GROUP, DOMAIN); + private static final Acl ACL2 = Acl.of("editor", ALL_AUTH_USERS, GROUP, DOMAIN); private static final IamPolicy FULL_POLICY = IamPolicy.builder().addAcl(ACL1, ACL2).etag("etag").version(1).build(); private static final IamPolicy SIMPLE_POLICY = IamPolicy.builder().addAcl(ACL1, ACL2).build(); @@ -43,8 +43,8 @@ public class IamPolicyTest { public void testIdentityOf() { assertEquals(Identity.Type.ALL_USERS, ALL_USERS.type()); assertEquals(null, ALL_USERS.id()); - assertEquals(Identity.Type.ALL_AUTHENTICATED_USERS, ALL_AUTHENTICATED_USERS.type()); - assertEquals(null, ALL_AUTHENTICATED_USERS.id()); + assertEquals(Identity.Type.ALL_AUTHENTICATED_USERS, ALL_AUTH_USERS.type()); + assertEquals(null, ALL_AUTH_USERS.id()); assertEquals(Identity.Type.USER, USER.type()); assertEquals("abc@gmail.com", USER.id()); assertEquals(Identity.Type.SERVICE_ACCOUNT, SERVICE_ACCOUNT.type()); From e44e12a2b996d1649704a9ce124f670c23bd6c7e Mon Sep 17 00:00:00 2001 From: Ajay Kannan Date: Fri, 19 Feb 2016 20:08:22 -0800 Subject: [PATCH 4/7] Make BaseIamPolicy in core and a subclass in Resource Manager --- .../{IamPolicy.java => BaseIamPolicy.java} | 245 ++++-------------- .../com/google/gcloud/BaseIamPolicyTest.java | 50 ++++ .../java/com/google/gcloud/IamPolicyTest.java | 105 -------- .../com/google/gcloud/SerializationTest.java | 49 ---- .../gcloud/resourcemanager/IamPolicy.java | 162 ++++++++++++ .../resourcemanager/ResourceManagerImpl.java | 94 ------- .../gcloud/resourcemanager/IamPolicyTest.java | 91 +++++++ .../ResourceManagerImplTest.java | 44 ---- .../resourcemanager/SerializationTest.java | 7 +- 9 files changed, 360 insertions(+), 487 deletions(-) rename gcloud-java-core/src/main/java/com/google/gcloud/{IamPolicy.java => BaseIamPolicy.java} (50%) create mode 100644 gcloud-java-core/src/test/java/com/google/gcloud/BaseIamPolicyTest.java delete mode 100644 gcloud-java-core/src/test/java/com/google/gcloud/IamPolicyTest.java delete mode 100644 gcloud-java-core/src/test/java/com/google/gcloud/SerializationTest.java create mode 100644 gcloud-java-resourcemanager/src/main/java/com/google/gcloud/resourcemanager/IamPolicy.java create mode 100644 gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/IamPolicyTest.java diff --git a/gcloud-java-core/src/main/java/com/google/gcloud/IamPolicy.java b/gcloud-java-core/src/main/java/com/google/gcloud/BaseIamPolicy.java similarity index 50% rename from gcloud-java-core/src/main/java/com/google/gcloud/IamPolicy.java rename to gcloud-java-core/src/main/java/com/google/gcloud/BaseIamPolicy.java index a16ab790b363..bc0aed43b95d 100644 --- a/gcloud-java-core/src/main/java/com/google/gcloud/IamPolicy.java +++ b/gcloud-java-core/src/main/java/com/google/gcloud/BaseIamPolicy.java @@ -21,29 +21,28 @@ import com.google.common.collect.ImmutableList; import java.io.Serializable; -import java.util.Arrays; -import java.util.LinkedList; +import java.util.HashMap; import java.util.List; +import java.util.Map; import java.util.Objects; /** - * An Identity and Access Management (IAM) policy. It is used to specify access control policies for - * Cloud Platform resources. A Policy consists of a list of ACLs (also known as bindings in Cloud - * IAM documentation). An ACL binds a list of identities to a role, where the identities can be user - * accounts, Google groups, Google domains, and service accounts. A role is a named list of - * permissions defined by IAM. + * Base class for Identity and Access Management (IAM) policies. IAM policies are used to specify + * access settings for Cloud Platform resources. A Policy consists of a list of bindings. An binding + * assigns a list of identities to a role, where the identities can be user accounts, Google groups, + * Google domains, and service accounts. A role is a named list of permissions defined by IAM. * * @see Policy */ -public class IamPolicy implements Serializable { +public abstract class BaseIamPolicy implements Serializable { - static final long serialVersionUID = 1114489978726897720L; + private static final long serialVersionUID = 1114489978726897720L; - private final List acls; + private final Map> bindings; private final String etag; private final int version; - public static class Identity implements Serializable { + public static final class Identity implements Serializable { private static final long serialVersionUID = 30811617560110848L; @@ -85,7 +84,7 @@ public enum Type { DOMAIN } - Identity(Type type, String id) { + private Identity(Type type, String id) { this.type = type; this.id = id; } @@ -178,177 +177,38 @@ public boolean equals(Object obj) { } } - /** - * An ACL binds a list of identities to a role, where the identities can be user accounts, Google - * groups, Google domains, and service accounts. A role is a named list of permissions defined by - * IAM. - * - * @see Binding - */ - public static class Acl implements Serializable { - - private static final long serialVersionUID = 3954282899483745158L; - - private final List identities; - private final String role; - - /** - * An ACL builder. - */ - public static class Builder { - private final List members = new LinkedList<>(); - private String role; - - Builder(String role) { - this.role = role; - } - - /** - * Sets the role associated with this ACL. - */ - public Builder role(String role) { - this.role = role; - return this; - } - - /** - * Replaces the builder's list of identities with the given list. - */ - public Builder identities(List identities) { - this.members.clear(); - this.members.addAll(identities); - return this; - } - - /** - * Adds one or more identities to the list of identities associated with the ACL. - */ - public Builder addIdentity(Identity first, Identity... others) { - members.add(first); - members.addAll(Arrays.asList(others)); - return this; - } - - /** - * Removes the specified identity from the ACL. - */ - public Builder removeIdentity(Identity identity) { - members.remove(identity); - return this; - } - - public Acl build() { - return new Acl(this); - } - } - - Acl(Builder builder) { - identities = ImmutableList.copyOf(checkNotNull(builder.members)); - role = checkNotNull(builder.role); - } - - /** - * Returns the list of identities associated with this ACL. - */ - public List identities() { - return identities; - } - - /** - * Returns the role associated with this ACL. - */ - public String role() { - return role; - } - - /** - * Returns an ACL builder for the specific role type. - * - * @param role string representing the role, without the "roles/" prefix. An example of a valid - * legacy role is "viewer". An example of a valid service-specific role is - * "pubsub.publisher". - */ - public static Builder builder(String role) { - return new Builder(role); - } - - /** - * Returns an ACL for the role type and list of identities provided. - * - * @param role string representing the role, without the "roles/" prefix. An example of a valid - * legacy role is "viewer". An example of a valid service-specific role is - * "pubsub.publisher". - * @param members list of identities associated with the role. - */ - public static Acl of(String role, List members) { - return new Acl(new Builder(role).identities(members)); - } - - /** - * Returns an ACL for the role type and identities provided. - * - * @param role string representing the role, without the "roles/" prefix. An example of a valid - * legacy role is "viewer". An example of a valid service-specific role is - * "pubsub.publisher". - * @param first identity associated with the role. - * @param others any other identities associated with the role. - */ - public static Acl of(String role, Identity first, Identity... others) { - return new Acl(new Builder(role).addIdentity(first, others)); - } - - public Builder toBuilder() { - return new Builder(role).identities(identities); - } - - @Override - public int hashCode() { - return Objects.hash(identities, role); - } - - @Override - public boolean equals(Object obj) { - if (!(obj instanceof Acl)) { - return false; - } - Acl other = (Acl) obj; - return Objects.equals(identities, other.identities()) && Objects.equals(role, other.role()); - } - } - /** * Builder for an IAM Policy. */ - public static class Builder { + protected abstract static class BaseBuilder> { - private final List acls = new LinkedList<>(); + private final Map> bindings = new HashMap<>(); private String etag; private int version; /** - * Replaces the builder's list of ACLs with the given list of ACLs. + * Replaces the builder's list of bindings with the given list of bindings. */ - public Builder acls(List acls) { - this.acls.clear(); - this.acls.addAll(acls); - return this; + public B bindings(Map> bindings) { + this.bindings.clear(); + this.bindings.putAll(bindings); + return self(); } /** - * Adds one or more ACLs to the policy. + * Adds one or more bindings to the policy. */ - public Builder addAcl(Acl first, Acl... others) { - acls.add(first); - acls.addAll(Arrays.asList(others)); - return this; + public B addBinding(R role, List identities) { + bindings.put(role, ImmutableList.copyOf(identities)); + return self(); } /** * Removes the specified ACL. */ - public Builder removeAcl(Acl acl) { - acls.remove(acl); - return this; + public B removeBinding(R role) { + bindings.remove(role); + return self(); } /** @@ -362,35 +222,40 @@ public Builder removeAcl(Acl acl) { * applied to the same version of the policy. If no etag is provided in the call to * setIamPolicy, then the existing policy is overwritten blindly. */ - public Builder etag(String etag) { + protected B etag(String etag) { this.etag = etag; - return this; + return self(); } /** - * Sets the version of the policy. The default version is 0. + * Sets the version of the policy. The default version is 0, meaning roles that are in alpha + * (non-legacy) roles are not permitted. If the version is 1, you may use roles other than + * "owner", "editor", and "viewer". */ - public Builder version(int version) { + protected B version(int version) { this.version = version; - return this; + return self(); } - public IamPolicy build() { - return new IamPolicy(this); + @SuppressWarnings("unchecked") + private B self() { + return (B) this; } + + public abstract BaseIamPolicy build(); } - IamPolicy(Builder builder) { - acls = ImmutableList.copyOf(builder.acls); - etag = builder.etag; - version = builder.version; + protected BaseIamPolicy(BaseBuilder> builder) { + this.bindings = builder.bindings; + this.etag = builder.etag; + this.version = builder.version; } /** * The list of ACLs specified in the policy. */ - public List acls() { - return acls; + public Map> bindings() { + return bindings; } /** @@ -415,26 +280,18 @@ public int version() { return version; } - @Override - public int hashCode() { - return Objects.hash(acls, etag, version); + public int baseHashCode() { + return Objects.hash(bindings, etag, version); } - @Override - public boolean equals(Object obj) { - if (!(obj instanceof IamPolicy)) { + public boolean baseEquals(Object obj) { + if (!(obj instanceof BaseIamPolicy)) { return false; } - IamPolicy other = (IamPolicy) obj; - return Objects.equals(acls, other.acls()) && Objects.equals(etag, other.etag()) + @SuppressWarnings("rawtypes") + BaseIamPolicy other = (BaseIamPolicy) obj; + return Objects.equals(bindings, other.bindings()) + && Objects.equals(etag, other.etag()) && Objects.equals(version, other.version()); } - - public static Builder builder() { - return new Builder(); - } - - public Builder toBuilder() { - return new Builder().acls(acls).etag(etag).version(version); - } } diff --git a/gcloud-java-core/src/test/java/com/google/gcloud/BaseIamPolicyTest.java b/gcloud-java-core/src/test/java/com/google/gcloud/BaseIamPolicyTest.java new file mode 100644 index 000000000000..0c26bc806812 --- /dev/null +++ b/gcloud-java-core/src/test/java/com/google/gcloud/BaseIamPolicyTest.java @@ -0,0 +1,50 @@ +/* + * Copyright 2015 Google Inc. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.google.gcloud; + +import static org.junit.Assert.assertEquals; + +import com.google.gcloud.BaseIamPolicy.Identity; + +import org.junit.Test; + +public class BaseIamPolicyTest { + + private static final Identity ALL_USERS = Identity.allUsers(); + private static final Identity ALL_AUTH_USERS = Identity.allAuthenticatedUsers(); + private static final Identity USER = Identity.user("abc@gmail.com"); + private static final Identity SERVICE_ACCOUNT = + Identity.serviceAccount("service-account@gmail.com"); + private static final Identity GROUP = Identity.group("group@gmail.com"); + private static final Identity DOMAIN = Identity.domain("google.com"); + + @Test + public void testIdentityOf() { + assertEquals(Identity.Type.ALL_USERS, ALL_USERS.type()); + assertEquals(null, ALL_USERS.id()); + assertEquals(Identity.Type.ALL_AUTHENTICATED_USERS, ALL_AUTH_USERS.type()); + assertEquals(null, ALL_AUTH_USERS.id()); + assertEquals(Identity.Type.USER, USER.type()); + assertEquals("abc@gmail.com", USER.id()); + assertEquals(Identity.Type.SERVICE_ACCOUNT, SERVICE_ACCOUNT.type()); + assertEquals("service-account@gmail.com", SERVICE_ACCOUNT.id()); + assertEquals(Identity.Type.GROUP, GROUP.type()); + assertEquals("group@gmail.com", GROUP.id()); + assertEquals(Identity.Type.DOMAIN, DOMAIN.type()); + assertEquals("google.com", DOMAIN.id()); + } +} diff --git a/gcloud-java-core/src/test/java/com/google/gcloud/IamPolicyTest.java b/gcloud-java-core/src/test/java/com/google/gcloud/IamPolicyTest.java deleted file mode 100644 index 0d4e9fbfa6c8..000000000000 --- a/gcloud-java-core/src/test/java/com/google/gcloud/IamPolicyTest.java +++ /dev/null @@ -1,105 +0,0 @@ -/* - * Copyright 2015 Google Inc. All Rights Reserved. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package com.google.gcloud; - -import static org.junit.Assert.assertEquals; - -import com.google.common.collect.ImmutableList; -import com.google.gcloud.IamPolicy.Acl; -import com.google.gcloud.IamPolicy.Identity; - -import org.junit.Test; - -public class IamPolicyTest { - - private static final Identity ALL_USERS = Identity.allUsers(); - private static final Identity ALL_AUTH_USERS = Identity.allAuthenticatedUsers(); - private static final Identity USER = Identity.user("abc@gmail.com"); - private static final Identity SERVICE_ACCOUNT = - Identity.serviceAccount("service-account@gmail.com"); - private static final Identity GROUP = Identity.group("group@gmail.com"); - private static final Identity DOMAIN = Identity.domain("google.com"); - private static final Acl ACL1 = Acl.of("viewer", USER, SERVICE_ACCOUNT, ALL_USERS); - private static final Acl ACL2 = Acl.of("editor", ALL_AUTH_USERS, GROUP, DOMAIN); - private static final IamPolicy FULL_POLICY = - IamPolicy.builder().addAcl(ACL1, ACL2).etag("etag").version(1).build(); - private static final IamPolicy SIMPLE_POLICY = IamPolicy.builder().addAcl(ACL1, ACL2).build(); - - @Test - public void testIdentityOf() { - assertEquals(Identity.Type.ALL_USERS, ALL_USERS.type()); - assertEquals(null, ALL_USERS.id()); - assertEquals(Identity.Type.ALL_AUTHENTICATED_USERS, ALL_AUTH_USERS.type()); - assertEquals(null, ALL_AUTH_USERS.id()); - assertEquals(Identity.Type.USER, USER.type()); - assertEquals("abc@gmail.com", USER.id()); - assertEquals(Identity.Type.SERVICE_ACCOUNT, SERVICE_ACCOUNT.type()); - assertEquals("service-account@gmail.com", SERVICE_ACCOUNT.id()); - assertEquals(Identity.Type.GROUP, GROUP.type()); - assertEquals("group@gmail.com", GROUP.id()); - assertEquals(Identity.Type.DOMAIN, DOMAIN.type()); - assertEquals("google.com", DOMAIN.id()); - } - - @Test - public void testAclBuilder() { - Acl acl = Acl.builder("owner").addIdentity(USER, GROUP).build(); - assertEquals("owner", acl.role()); - assertEquals(ImmutableList.of(USER, GROUP), acl.identities()); - acl = acl.toBuilder().role("viewer").removeIdentity(GROUP).build(); - assertEquals("viewer", acl.role()); - assertEquals(ImmutableList.of(USER), acl.identities()); - acl = acl.toBuilder().identities(ImmutableList.of(SERVICE_ACCOUNT)).build(); - assertEquals("viewer", acl.role()); - assertEquals(ImmutableList.of(SERVICE_ACCOUNT), acl.identities()); - } - - @Test - public void testAclOf() { - assertEquals("viewer", ACL1.role()); - assertEquals(ImmutableList.of(USER, SERVICE_ACCOUNT, ALL_USERS), ACL1.identities()); - Acl aclFromList = Acl.of("editor", ImmutableList.of(USER, SERVICE_ACCOUNT)); - assertEquals("editor", aclFromList.role()); - assertEquals(ImmutableList.of(USER, SERVICE_ACCOUNT), aclFromList.identities()); - } - - @Test - public void testAclToBuilder() { - assertEquals(ACL1, ACL1.toBuilder().build()); - } - - @Test - public void testIamPolicyBuilder() { - assertEquals(ImmutableList.of(ACL1, ACL2), FULL_POLICY.acls()); - assertEquals("etag", FULL_POLICY.etag()); - assertEquals(1, FULL_POLICY.version()); - IamPolicy policy = FULL_POLICY.toBuilder().acls(ImmutableList.of(ACL2)).build(); - assertEquals(ImmutableList.of(ACL2), policy.acls()); - assertEquals("etag", policy.etag()); - assertEquals(1, policy.version()); - policy = SIMPLE_POLICY.toBuilder().removeAcl(ACL2).build(); - assertEquals(ImmutableList.of(ACL1), policy.acls()); - assertEquals(null, policy.etag()); - assertEquals(0, policy.version()); - } - - @Test - public void testIamPolicyToBuilder() { - assertEquals(FULL_POLICY, FULL_POLICY.toBuilder().build()); - assertEquals(SIMPLE_POLICY, SIMPLE_POLICY.toBuilder().build()); - } -} diff --git a/gcloud-java-core/src/test/java/com/google/gcloud/SerializationTest.java b/gcloud-java-core/src/test/java/com/google/gcloud/SerializationTest.java deleted file mode 100644 index b529b2c09ff5..000000000000 --- a/gcloud-java-core/src/test/java/com/google/gcloud/SerializationTest.java +++ /dev/null @@ -1,49 +0,0 @@ -package com.google.gcloud; - -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertNotSame; - -import com.google.common.collect.ImmutableList; -import com.google.gcloud.IamPolicy.Acl; -import com.google.gcloud.IamPolicy.Identity; - -import org.junit.Test; - -import java.io.ByteArrayInputStream; -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.io.ObjectInputStream; -import java.io.ObjectOutputStream; -import java.io.Serializable; - -public class SerializationTest { - - private static final Identity IDENTITY = Identity.user("abc@gmail.com"); - private static final Acl ACL = Acl.of("viewer", ImmutableList.of(IDENTITY)); - private static final IamPolicy POLICY = - IamPolicy.builder().acls(ImmutableList.of(ACL)).etag("etag").version(1).build(); - - @Test - public void testModelAndRequests() throws Exception { - Serializable[] objects = {IDENTITY, ACL, POLICY}; - for (Serializable obj : objects) { - Object copy = serializeAndDeserialize(obj); - assertEquals(obj, obj); - assertEquals(obj, copy); - assertNotSame(obj, copy); - assertEquals(copy, copy); - } - } - - @SuppressWarnings("unchecked") - private T serializeAndDeserialize(T obj) throws IOException, ClassNotFoundException { - ByteArrayOutputStream bytes = new ByteArrayOutputStream(); - try (ObjectOutputStream output = new ObjectOutputStream(bytes)) { - output.writeObject(obj); - } - try (ObjectInputStream input = - new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) { - return (T) input.readObject(); - } - } -} diff --git a/gcloud-java-resourcemanager/src/main/java/com/google/gcloud/resourcemanager/IamPolicy.java b/gcloud-java-resourcemanager/src/main/java/com/google/gcloud/resourcemanager/IamPolicy.java new file mode 100644 index 000000000000..ccb436fd8a2f --- /dev/null +++ b/gcloud-java-resourcemanager/src/main/java/com/google/gcloud/resourcemanager/IamPolicy.java @@ -0,0 +1,162 @@ +/* + * Copyright 2016 Google Inc. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.google.gcloud.resourcemanager; + +import com.google.common.base.Function; +import com.google.common.collect.Lists; +import com.google.gcloud.BaseIamPolicy; + +import java.io.Serializable; +import java.util.HashMap; +import java.util.LinkedList; +import java.util.List; +import java.util.Map; +import java.util.Objects; + +/** + * Base class for Identity and Access Management (IAM) policies. IAM policies are used to specify + * access settings for Cloud Platform resources. A Policy consists of a list of bindings. An binding + * assigns a list of identities to a role, where the identities can be user accounts, Google groups, + * Google domains, and service accounts. A role is a named list of permissions defined by IAM. + * + * @see Policy + */ +public class IamPolicy extends BaseIamPolicy implements Serializable { + + private static final long serialVersionUID = -5573557282693961850L; + + /** + * Builder for an IAM Policy. + */ + protected static class Builder extends BaseBuilder { + + Builder() {} + + Builder(Map> bindings, String etag, int version) { + bindings(bindings).etag(etag).version(version); + } + + @Override + public IamPolicy build() { + return new IamPolicy(this); + } + } + + private IamPolicy(Builder builder) { + super(builder); + } + + @Override + public int hashCode() { + return baseHashCode(); + } + + @Override + public boolean equals(Object obj) { + if (!(obj instanceof IamPolicy)) { + return false; + } + IamPolicy other = (IamPolicy) obj; + return Objects.equals(bindings(), other.bindings()) + && Objects.equals(etag(), other.etag()) + && Objects.equals(version(), other.version()); + } + + public static Builder builder() { + return new Builder(); + } + + public Builder toBuilder() { + return new Builder(bindings(), etag(), version()); + } + + static String identityToPb(Identity identity) { + switch (identity.type()) { + case ALL_USERS: + return "allUsers"; + case ALL_AUTHENTICATED_USERS: + return "allAuthenticatedUsers"; + case USER: + return "user:" + identity.id(); + case SERVICE_ACCOUNT: + return "serviceAccount:" + identity.id(); + case GROUP: + return "group:" + identity.id(); + default: + return "domain:" + identity.id(); + } + } + + static Identity identityFromPb(String identityStr) { + String[] info = identityStr.split(":"); + switch (info[0]) { + case "allUsers": + return Identity.allUsers(); + case "allAuthenticatedUsers": + return Identity.allAuthenticatedUsers(); + case "user": + return Identity.user(info[1]); + case "serviceAccount": + return Identity.serviceAccount(info[1]); + case "group": + return Identity.group(info[1]); + case "domain": + return Identity.domain(info[1]); + default: + throw new IllegalArgumentException("Unexpected identity type: " + info[0]); + } + } + + com.google.api.services.cloudresourcemanager.model.Policy toPb() { + com.google.api.services.cloudresourcemanager.model.Policy policyPb = + new com.google.api.services.cloudresourcemanager.model.Policy(); + List bindingPbList = + new LinkedList<>(); + for (Map.Entry> binding : bindings().entrySet()) { + com.google.api.services.cloudresourcemanager.model.Binding bindingPb = + new com.google.api.services.cloudresourcemanager.model.Binding(); + bindingPb.setRole("roles/" + binding.getKey()); + bindingPb.setMembers(Lists.transform(binding.getValue(), new Function() { + @Override + public String apply(Identity identity) { + return identityToPb(identity); + } + })); + bindingPbList.add(bindingPb); + } + policyPb.setBindings(bindingPbList); + policyPb.setEtag(etag()); + policyPb.setVersion(version()); + return policyPb; + } + + static IamPolicy fromPb( + com.google.api.services.cloudresourcemanager.model.Policy policyPb) { + Map> bindings = new HashMap<>(); + for (com.google.api.services.cloudresourcemanager.model.Binding bindingPb : + policyPb.getBindings()) { + bindings.put(bindingPb.getRole().substring("roles/".length()), + Lists.transform(bindingPb.getMembers(), new Function() { + @Override + public Identity apply(String identityPb) { + return identityFromPb(identityPb); + } + })); + } + return new IamPolicy.Builder(bindings, policyPb.getEtag(), policyPb.getVersion()).build(); + } +} diff --git a/gcloud-java-resourcemanager/src/main/java/com/google/gcloud/resourcemanager/ResourceManagerImpl.java b/gcloud-java-resourcemanager/src/main/java/com/google/gcloud/resourcemanager/ResourceManagerImpl.java index e641f3c75a31..4176b4e610ba 100644 --- a/gcloud-java-resourcemanager/src/main/java/com/google/gcloud/resourcemanager/ResourceManagerImpl.java +++ b/gcloud-java-resourcemanager/src/main/java/com/google/gcloud/resourcemanager/ResourceManagerImpl.java @@ -23,12 +23,8 @@ import com.google.common.collect.ImmutableList; import com.google.common.collect.ImmutableMap; import com.google.common.collect.Iterables; -import com.google.common.collect.Lists; import com.google.common.collect.Maps; import com.google.gcloud.BaseService; -import com.google.gcloud.IamPolicy; -import com.google.gcloud.IamPolicy.Acl; -import com.google.gcloud.IamPolicy.Identity; import com.google.gcloud.Page; import com.google.gcloud.PageImpl; import com.google.gcloud.PageImpl.NextPageFetcher; @@ -193,94 +189,4 @@ public Void call() { } return ImmutableMap.copyOf(temp); } - - static String identityToPb(Identity identity) { - switch (identity.type()) { - case ALL_USERS: - return "allUsers"; - case ALL_AUTHENTICATED_USERS: - return "allAuthenticatedUsers"; - case USER: - return "user:" + identity.id(); - case SERVICE_ACCOUNT: - return "serviceAccount:" + identity.id(); - case GROUP: - return "group:" + identity.id(); - default: - return "domain:" + identity.id(); - } - } - - static Identity identityFromPb(String identityStr) { - String[] info = identityStr.split(":"); - switch (info[0]) { - case "allUsers": - return Identity.allUsers(); - case "allAuthenticatedUsers": - return Identity.allAuthenticatedUsers(); - case "user": - return Identity.user(info[1]); - case "serviceAccount": - return Identity.serviceAccount(info[1]); - case "group": - return Identity.group(info[1]); - case "domain": - return Identity.domain(info[1]); - default: - throw new IllegalArgumentException("Unexpected identity type: " + info[0]); - } - } - - static com.google.api.services.cloudresourcemanager.model.Binding aclToPb(Acl acl) { - com.google.api.services.cloudresourcemanager.model.Binding bindingPb = - new com.google.api.services.cloudresourcemanager.model.Binding(); - bindingPb.setMembers(Lists.transform(acl.identities(), new Function() { - @Override - public String apply(Identity identity) { - return identityToPb(identity); - } - })); - bindingPb.setRole("roles/" + acl.role()); - return bindingPb; - } - - static Acl aclFromPb(com.google.api.services.cloudresourcemanager.model.Binding bindingPb) { - return Acl.of( - bindingPb.getRole().substring("roles/".length()), - Lists.transform(bindingPb.getMembers(), new Function() { - @Override - public Identity apply(String memberPb) { - return identityFromPb(memberPb); - } - })); - } - - static com.google.api.services.cloudresourcemanager.model.Policy policyToPb( - final IamPolicy policy) { - com.google.api.services.cloudresourcemanager.model.Policy policyPb = - new com.google.api.services.cloudresourcemanager.model.Policy(); - policyPb.setBindings(Lists.transform(policy.acls(), - new Function() { - @Override - public com.google.api.services.cloudresourcemanager.model.Binding apply(Acl acl) { - return aclToPb(acl); - } - })); - policyPb.setEtag(policy.etag()); - policyPb.setVersion(policy.version()); - return policyPb; - } - - static IamPolicy policyFromPb( - com.google.api.services.cloudresourcemanager.model.Policy policyPb) { - IamPolicy.Builder builder = new IamPolicy.Builder(); - builder.acls(Lists.transform(policyPb.getBindings(), - new Function() { - @Override - public Acl apply(com.google.api.services.cloudresourcemanager.model.Binding binding) { - return aclFromPb(binding); - } - })); - return builder.etag(policyPb.getEtag()).version(policyPb.getVersion()).build(); - } } diff --git a/gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/IamPolicyTest.java b/gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/IamPolicyTest.java new file mode 100644 index 000000000000..e2f05ac8493b --- /dev/null +++ b/gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/IamPolicyTest.java @@ -0,0 +1,91 @@ +/* + * Copyright 2016 Google Inc. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.google.gcloud.resourcemanager; + +import static org.junit.Assert.assertEquals; + +import com.google.common.collect.ImmutableList; +import com.google.common.collect.ImmutableMap; +import com.google.gcloud.BaseIamPolicy.Identity; + +import org.junit.Test; + +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +public class IamPolicyTest { + + private static final Identity ALL_USERS = Identity.allUsers(); + private static final Identity ALL_AUTH_USERS = Identity.allAuthenticatedUsers(); + private static final Identity USER = Identity.user("abc@gmail.com"); + private static final Identity SERVICE_ACCOUNT = + Identity.serviceAccount("service-account@gmail.com"); + private static final Identity GROUP = Identity.group("group@gmail.com"); + private static final Identity DOMAIN = Identity.domain("google.com"); + private static final Map> BINDINGS = ImmutableMap.of( + "viewer", + ImmutableList.of(USER, SERVICE_ACCOUNT, ALL_USERS), + "editor", + ImmutableList.of(ALL_AUTH_USERS, GROUP, DOMAIN)); + private static final IamPolicy SIMPLE_POLICY = IamPolicy.builder() + .addBinding("viewer", ImmutableList.of(USER, SERVICE_ACCOUNT, ALL_USERS)) + .addBinding("editor", ImmutableList.of(ALL_AUTH_USERS, GROUP, DOMAIN)) + .build(); + private static final IamPolicy FULL_POLICY = + new IamPolicy.Builder(SIMPLE_POLICY.bindings(), "etag", 1).build(); + + @Test + public void testIamPolicyBuilder() { + assertEquals(BINDINGS, FULL_POLICY.bindings()); + assertEquals("etag", FULL_POLICY.etag()); + assertEquals(1, FULL_POLICY.version()); + Map> editorBinding = new HashMap<>(); + editorBinding.put("editor", BINDINGS.get("editor")); + IamPolicy policy = FULL_POLICY.toBuilder().bindings(editorBinding).build(); + assertEquals(ImmutableMap.of("editor", BINDINGS.get("editor")), policy.bindings()); + assertEquals("etag", policy.etag()); + assertEquals(1, policy.version()); + policy = SIMPLE_POLICY.toBuilder().removeBinding("editor").build(); + assertEquals(ImmutableMap.of("viewer", BINDINGS.get("viewer")), policy.bindings()); + assertEquals(null, policy.etag()); + assertEquals(0, policy.version()); + } + + @Test + public void testIamPolicyToBuilder() { + assertEquals(FULL_POLICY, FULL_POLICY.toBuilder().build()); + assertEquals(SIMPLE_POLICY, SIMPLE_POLICY.toBuilder().build()); + } + + @Test + public void testIdentityToAndFromPb() { + assertEquals(ALL_USERS, IamPolicy.identityFromPb(IamPolicy.identityToPb(ALL_USERS))); + assertEquals(ALL_AUTH_USERS, IamPolicy.identityFromPb(IamPolicy.identityToPb(ALL_AUTH_USERS))); + assertEquals(USER, IamPolicy.identityFromPb(IamPolicy.identityToPb(USER))); + assertEquals( + SERVICE_ACCOUNT, IamPolicy.identityFromPb(IamPolicy.identityToPb(SERVICE_ACCOUNT))); + assertEquals(GROUP, IamPolicy.identityFromPb(IamPolicy.identityToPb(GROUP))); + assertEquals(DOMAIN, IamPolicy.identityFromPb(IamPolicy.identityToPb(DOMAIN))); + } + + @Test + public void testPolicyToAndFromPb() { + assertEquals(FULL_POLICY, IamPolicy.fromPb(FULL_POLICY.toPb())); + assertEquals(SIMPLE_POLICY, IamPolicy.fromPb(SIMPLE_POLICY.toPb())); + } +} diff --git a/gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/ResourceManagerImplTest.java b/gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/ResourceManagerImplTest.java index 623bf68d085c..37c54718fb4a 100644 --- a/gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/ResourceManagerImplTest.java +++ b/gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/ResourceManagerImplTest.java @@ -25,9 +25,6 @@ import static org.junit.Assert.fail; import com.google.common.collect.ImmutableMap; -import com.google.gcloud.IamPolicy; -import com.google.gcloud.IamPolicy.Acl; -import com.google.gcloud.IamPolicy.Identity; import com.google.gcloud.Page; import com.google.gcloud.resourcemanager.ProjectInfo.ResourceId; import com.google.gcloud.resourcemanager.ResourceManager.ProjectField; @@ -67,18 +64,6 @@ public class ResourceManagerImplTest { .parent(PARENT) .build(); private static final Map EMPTY_RPC_OPTIONS = ImmutableMap.of(); - private static final Identity ALL_USERS = Identity.allUsers(); - private static final Identity ALL_AUTH_USERS = Identity.allAuthenticatedUsers(); - private static final Identity USER = Identity.user("abc@gmail.com"); - private static final Identity SERVICE_ACCOUNT = - Identity.serviceAccount("service-account@gmail.com"); - private static final Identity GROUP = Identity.group("group@gmail.com"); - private static final Identity DOMAIN = Identity.domain("google.com"); - private static final Acl ACL1 = Acl.of("viewer", USER, SERVICE_ACCOUNT, ALL_USERS); - private static final Acl ACL2 = Acl.of("editor", ALL_AUTH_USERS, GROUP, DOMAIN); - private static final IamPolicy FULL_POLICY = - IamPolicy.builder().addAcl(ACL1, ACL2).etag("etag").version(1).build(); - private static final IamPolicy SIMPLE_POLICY = IamPolicy.builder().addAcl(ACL1, ACL2).build(); @Rule public ExpectedException thrown = ExpectedException.none(); @@ -286,35 +271,6 @@ public void testUndelete() { } } - @Test - public void testIdentityToAndFromPb() { - assertEquals(ALL_USERS, - ResourceManagerImpl.identityFromPb(ResourceManagerImpl.identityToPb(ALL_USERS))); - assertEquals(ALL_AUTH_USERS, - ResourceManagerImpl.identityFromPb( - ResourceManagerImpl.identityToPb(ALL_AUTH_USERS))); - assertEquals(USER, ResourceManagerImpl.identityFromPb(ResourceManagerImpl.identityToPb(USER))); - assertEquals(SERVICE_ACCOUNT, - ResourceManagerImpl.identityFromPb(ResourceManagerImpl.identityToPb(SERVICE_ACCOUNT))); - assertEquals(GROUP, - ResourceManagerImpl.identityFromPb(ResourceManagerImpl.identityToPb(GROUP))); - assertEquals(DOMAIN, - ResourceManagerImpl.identityFromPb(ResourceManagerImpl.identityToPb(DOMAIN))); - } - - @Test - public void testAclToAndFromPb() { - assertEquals(ACL1, ResourceManagerImpl.aclFromPb(ResourceManagerImpl.aclToPb(ACL1))); - } - - @Test - public void testPolicyToAndFromPb() { - assertEquals(FULL_POLICY, - ResourceManagerImpl.policyFromPb(ResourceManagerImpl.policyToPb(FULL_POLICY))); - assertEquals(SIMPLE_POLICY, - ResourceManagerImpl.policyFromPb(ResourceManagerImpl.policyToPb(SIMPLE_POLICY))); - } - @Test public void testRetryableException() { ResourceManagerRpcFactory rpcFactoryMock = EasyMock.createMock(ResourceManagerRpcFactory.class); diff --git a/gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/SerializationTest.java b/gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/SerializationTest.java index 497de880254a..1049f40f5f17 100644 --- a/gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/SerializationTest.java +++ b/gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/SerializationTest.java @@ -19,7 +19,9 @@ import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotSame; +import com.google.common.collect.ImmutableList; import com.google.common.collect.ImmutableMap; +import com.google.gcloud.BaseIamPolicy.Identity; import com.google.gcloud.PageImpl; import com.google.gcloud.RetryParams; @@ -53,6 +55,9 @@ public class SerializationTest { ResourceManager.ProjectGetOption.fields(ResourceManager.ProjectField.NAME); private static final ResourceManager.ProjectListOption PROJECT_LIST_OPTION = ResourceManager.ProjectListOption.filter("name:*"); + private static final Identity IDENTITY = Identity.user("abc@gmail.com"); + private static final IamPolicy POLICY = + IamPolicy.builder().addBinding("viewer", ImmutableList.of(IDENTITY)).build(); @Test public void testServiceOptions() throws Exception { @@ -70,7 +75,7 @@ public void testServiceOptions() throws Exception { @Test public void testModelAndRequests() throws Exception { Serializable[] objects = {PARTIAL_PROJECT_INFO, FULL_PROJECT_INFO, PROJECT, PAGE_RESULT, - PROJECT_GET_OPTION, PROJECT_LIST_OPTION}; + PROJECT_GET_OPTION, PROJECT_LIST_OPTION, IDENTITY, POLICY}; for (Serializable obj : objects) { Object copy = serializeAndDeserialize(obj); assertEquals(obj, obj); From ee78b22a2656517681ab157aecd1667fdb384a4e Mon Sep 17 00:00:00 2001 From: Ajay Kannan Date: Mon, 22 Feb 2016 09:51:53 -0800 Subject: [PATCH 5/7] Fix equals, javadoc, bindings representation, and address other comments. --- .../java/com/google/gcloud/BaseIamPolicy.java | 297 ------------------ .../java/com/google/gcloud/IamPolicy.java | 213 +++++++++++++ .../main/java/com/google/gcloud/Identity.java | 208 ++++++++++++ .../java/com/google/gcloud/IamPolicyTest.java | 173 ++++++++++ .../java/com/google/gcloud/IdentityTest.java | 110 +++++++ .../gcloud/resourcemanager/IamPolicy.java | 162 ---------- .../google/gcloud/resourcemanager/Policy.java | 122 +++++++ .../gcloud/resourcemanager/IamPolicyTest.java | 91 ------ .../gcloud/resourcemanager/PolicyTest.java | 37 ++- .../resourcemanager/SerializationTest.java | 12 +- 10 files changed, 852 insertions(+), 573 deletions(-) delete mode 100644 gcloud-java-core/src/main/java/com/google/gcloud/BaseIamPolicy.java create mode 100644 gcloud-java-core/src/main/java/com/google/gcloud/IamPolicy.java create mode 100644 gcloud-java-core/src/main/java/com/google/gcloud/Identity.java create mode 100644 gcloud-java-core/src/test/java/com/google/gcloud/IamPolicyTest.java create mode 100644 gcloud-java-core/src/test/java/com/google/gcloud/IdentityTest.java delete mode 100644 gcloud-java-resourcemanager/src/main/java/com/google/gcloud/resourcemanager/IamPolicy.java create mode 100644 gcloud-java-resourcemanager/src/main/java/com/google/gcloud/resourcemanager/Policy.java delete mode 100644 gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/IamPolicyTest.java rename gcloud-java-core/src/test/java/com/google/gcloud/BaseIamPolicyTest.java => gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/PolicyTest.java (55%) diff --git a/gcloud-java-core/src/main/java/com/google/gcloud/BaseIamPolicy.java b/gcloud-java-core/src/main/java/com/google/gcloud/BaseIamPolicy.java deleted file mode 100644 index bc0aed43b95d..000000000000 --- a/gcloud-java-core/src/main/java/com/google/gcloud/BaseIamPolicy.java +++ /dev/null @@ -1,297 +0,0 @@ -/* - * Copyright 2016 Google Inc. All Rights Reserved. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package com.google.gcloud; - -import static com.google.common.base.Preconditions.checkNotNull; - -import com.google.common.collect.ImmutableList; - -import java.io.Serializable; -import java.util.HashMap; -import java.util.List; -import java.util.Map; -import java.util.Objects; - -/** - * Base class for Identity and Access Management (IAM) policies. IAM policies are used to specify - * access settings for Cloud Platform resources. A Policy consists of a list of bindings. An binding - * assigns a list of identities to a role, where the identities can be user accounts, Google groups, - * Google domains, and service accounts. A role is a named list of permissions defined by IAM. - * - * @see Policy - */ -public abstract class BaseIamPolicy implements Serializable { - - private static final long serialVersionUID = 1114489978726897720L; - - private final Map> bindings; - private final String etag; - private final int version; - - public static final class Identity implements Serializable { - - private static final long serialVersionUID = 30811617560110848L; - - private final Type type; - private final String id; - - /** - * The types of IAM identities. - */ - public enum Type { - /** - * Represents anyone who is on the internet; with or without a Google account. - */ - ALL_USERS, - - /** - * Represents anyone who is authenticated with a Google account or a service account. - */ - ALL_AUTHENTICATED_USERS, - - /** - * Represents a specific Google account. - */ - USER, - - /** - * Represents a service account. - */ - SERVICE_ACCOUNT, - - /** - * Represents a Google group. - */ - GROUP, - - /** - * Represents all the users of a Google Apps domain name. - */ - DOMAIN - } - - private Identity(Type type, String id) { - this.type = type; - this.id = id; - } - - public Type type() { - return type; - } - - /** - * Returns the string identifier for this identity. The id corresponds to: - *

    - *
  • email address (for identities of type {@code USER}, {@code SERVICE_ACCOUNT}, and - * {@code GROUP}) - *
  • domain (for identities of type {@code DOMAIN}) - *
  • null (for identities of type {@code ALL_USERS} and {@code ALL_AUTHENTICATED_USERS}) - *
- */ - public String id() { - return id; - } - - /** - * Returns a new identity representing anyone who is on the internet; with or without a Google - * account. - */ - public static Identity allUsers() { - return new Identity(Type.ALL_USERS, null); - } - - /** - * Returns a new identity representing anyone who is authenticated with a Google account or a - * service account. - */ - public static Identity allAuthenticatedUsers() { - return new Identity(Type.ALL_AUTHENTICATED_USERS, null); - } - - /** - * Returns a new user identity. - * - * @param email An email address that represents a specific Google account. For example, - * alice@gmail.com or joe@example.com. - */ - public static Identity user(String email) { - return new Identity(Type.USER, checkNotNull(email)); - } - - /** - * Returns a new service account identity. - * - * @param email An email address that represents a service account. For example, - * my-other-app@appspot.gserviceaccount.com. - */ - public static Identity serviceAccount(String email) { - return new Identity(Type.SERVICE_ACCOUNT, checkNotNull(email)); - } - - /** - * Returns a new group identity. - * - * @param email An email address that represents a Google group. For example, - * admins@example.com. - */ - public static Identity group(String email) { - return new Identity(Type.GROUP, checkNotNull(email)); - } - - /** - * Returns a new domain identity. - * - * @param domain A Google Apps domain name that represents all the users of that domain. For - * example, google.com or example.com. - */ - public static Identity domain(String domain) { - return new Identity(Type.DOMAIN, checkNotNull(domain)); - } - - @Override - public int hashCode() { - return Objects.hash(id, type); - } - - @Override - public boolean equals(Object obj) { - if (!(obj instanceof Identity)) { - return false; - } - Identity other = (Identity) obj; - return Objects.equals(id, other.id()) && Objects.equals(type, other.type()); - } - } - - /** - * Builder for an IAM Policy. - */ - protected abstract static class BaseBuilder> { - - private final Map> bindings = new HashMap<>(); - private String etag; - private int version; - - /** - * Replaces the builder's list of bindings with the given list of bindings. - */ - public B bindings(Map> bindings) { - this.bindings.clear(); - this.bindings.putAll(bindings); - return self(); - } - - /** - * Adds one or more bindings to the policy. - */ - public B addBinding(R role, List identities) { - bindings.put(role, ImmutableList.copyOf(identities)); - return self(); - } - - /** - * Removes the specified ACL. - */ - public B removeBinding(R role) { - bindings.remove(role); - return self(); - } - - /** - * Sets the policy's etag. - * - *

Etags are used for optimistic concurrency control as a way to help prevent simultaneous - * updates of a policy from overwriting each other. It is strongly suggested that systems make - * use of the etag in the read-modify-write cycle to perform policy updates in order to avoid - * race conditions. An etag is returned in the response to getIamPolicy, and systems are - * expected to put that etag in the request to setIamPolicy to ensure that their change will be - * applied to the same version of the policy. If no etag is provided in the call to - * setIamPolicy, then the existing policy is overwritten blindly. - */ - protected B etag(String etag) { - this.etag = etag; - return self(); - } - - /** - * Sets the version of the policy. The default version is 0, meaning roles that are in alpha - * (non-legacy) roles are not permitted. If the version is 1, you may use roles other than - * "owner", "editor", and "viewer". - */ - protected B version(int version) { - this.version = version; - return self(); - } - - @SuppressWarnings("unchecked") - private B self() { - return (B) this; - } - - public abstract BaseIamPolicy build(); - } - - protected BaseIamPolicy(BaseBuilder> builder) { - this.bindings = builder.bindings; - this.etag = builder.etag; - this.version = builder.version; - } - - /** - * The list of ACLs specified in the policy. - */ - public Map> bindings() { - return bindings; - } - - /** - * The policy's etag. - * - *

Etags are used for optimistic concurrency control as a way to help prevent simultaneous - * updates of a policy from overwriting each other. It is strongly suggested that systems make - * use of the etag in the read-modify-write cycle to perform policy updates in order to avoid - * race conditions. An etag is returned in the response to getIamPolicy, and systems are - * expected to put that etag in the request to setIamPolicy to ensure that their change will be - * applied to the same version of the policy. If no etag is provided in the call to - * setIamPolicy, then the existing policy is overwritten blindly. - */ - public String etag() { - return etag; - } - - /** - * The version of the policy. The default version is 0. - */ - public int version() { - return version; - } - - public int baseHashCode() { - return Objects.hash(bindings, etag, version); - } - - public boolean baseEquals(Object obj) { - if (!(obj instanceof BaseIamPolicy)) { - return false; - } - @SuppressWarnings("rawtypes") - BaseIamPolicy other = (BaseIamPolicy) obj; - return Objects.equals(bindings, other.bindings()) - && Objects.equals(etag, other.etag()) - && Objects.equals(version, other.version()); - } -} diff --git a/gcloud-java-core/src/main/java/com/google/gcloud/IamPolicy.java b/gcloud-java-core/src/main/java/com/google/gcloud/IamPolicy.java new file mode 100644 index 000000000000..ed9dcf9503c7 --- /dev/null +++ b/gcloud-java-core/src/main/java/com/google/gcloud/IamPolicy.java @@ -0,0 +1,213 @@ +/* + * Copyright 2016 Google Inc. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.google.gcloud; + +import static com.google.common.base.Preconditions.checkArgument; + +import com.google.common.collect.ImmutableMap; +import com.google.common.collect.ImmutableSet; + +import java.io.Serializable; +import java.util.Arrays; +import java.util.HashMap; +import java.util.HashSet; +import java.util.Map; +import java.util.Objects; +import java.util.Set; + +/** + * Base class for Identity and Access Management (IAM) policies. IAM policies are used to specify + * access settings for Cloud Platform resources. A policy is a map of bindings. A binding assigns + * a set of identities to a role, where the identities can be user accounts, Google groups, Google + * domains, and service accounts. A role is a named list of permissions defined by IAM. + * + * @param the data type of roles (should be serializable) + * @see Policy + */ +public abstract class IamPolicy implements Serializable { + + private static final long serialVersionUID = 1114489978726897720L; + + private final Map> bindings; + private final String etag; + private final Integer version; + + /** + * Builder for an IAM Policy. + * + * @param the data type of roles + * @param the subclass extending this abstract builder + */ + public abstract static class Builder> { + + private final Map> bindings = new HashMap<>(); + private String etag; + private Integer version; + + protected Builder() {} + + /** + * Replaces the builder's map of bindings with the given map of bindings. + */ + public final B bindings(Map> bindings) { + this.bindings.clear(); + for (Map.Entry> binding : bindings.entrySet()) { + this.bindings.put(binding.getKey(), new HashSet(binding.getValue())); + } + return self(); + } + + /** + * Adds a binding to the policy. + */ + public final B addBinding(R role, Set identities) { + checkArgument(!bindings.containsKey(role), + "The policy already contains a binding with the role " + role.toString()); + bindings.put(role, new HashSet(identities)); + return self(); + } + + /** + * Adds a binding to the policy. + */ + public final B addBinding(R role, Identity first, Identity... others) { + checkArgument(!bindings.containsKey(role), + "The policy already contains a binding with the role " + role.toString()); + HashSet identities = new HashSet<>(); + identities.add(first); + identities.addAll(Arrays.asList(others)); + bindings.put(role, identities); + return self(); + } + + /** + * Removes the binding associated with the specified role. + */ + public final B removeBinding(R role) { + bindings.remove(role); + return self(); + } + + /** + * Adds one or more identities to an existing binding. + */ + public final B addIdentity(R role, Identity first, Identity... others) { + Set identities = bindings.get(role); + identities.add(first); + identities.addAll(Arrays.asList(others)); + return self(); + } + + /** + * Removes one or more identities from an existing binding. + */ + public final B removeIdentity(R role, Identity first, Identity... others) { + bindings.get(role).remove(first); + bindings.get(role).removeAll(Arrays.asList(others)); + return self(); + } + + /** + * Sets the policy's etag. + * + *

Etags are used for optimistic concurrency control as a way to help prevent simultaneous + * updates of a policy from overwriting each other. It is strongly suggested that systems make + * use of the etag in the read-modify-write cycle to perform policy updates in order to avoid + * race conditions. An etag is returned in the response to getIamPolicy, and systems are + * expected to put that etag in the request to setIamPolicy to ensure that their change will be + * applied to the same version of the policy. If no etag is provided in the call to + * setIamPolicy, then the existing policy is overwritten blindly. + */ + protected final B etag(String etag) { + this.etag = etag; + return self(); + } + + /** + * Sets the version of the policy. The default version is 0, meaning only the "owner", "editor", + * and "viewer" roles are permitted. If the version is 1, you may also use other roles. + */ + protected final B version(Integer version) { + this.version = version; + return self(); + } + + @SuppressWarnings("unchecked") + private B self() { + return (B) this; + } + + public abstract IamPolicy build(); + } + + protected IamPolicy(Builder> builder) { + ImmutableMap.Builder> bindingsBuilder = ImmutableMap.builder(); + for (Map.Entry> binding : builder.bindings.entrySet()) { + bindingsBuilder.put(binding.getKey(), ImmutableSet.copyOf(binding.getValue())); + } + this.bindings = bindingsBuilder.build(); + this.etag = builder.etag; + this.version = builder.version; + } + + /** + * The map of bindings that comprises the policy. + */ + public Map> bindings() { + return bindings; + } + + /** + * The policy's etag. + * + *

Etags are used for optimistic concurrency control as a way to help prevent simultaneous + * updates of a policy from overwriting each other. It is strongly suggested that systems make + * use of the etag in the read-modify-write cycle to perform policy updates in order to avoid + * race conditions. An etag is returned in the response to getIamPolicy, and systems are + * expected to put that etag in the request to setIamPolicy to ensure that their change will be + * applied to the same version of the policy. If no etag is provided in the call to + * setIamPolicy, then the existing policy is overwritten blindly. + */ + public String etag() { + return etag; + } + + /** + * Sets the version of the policy. The default version is 0, meaning only the "owner", "editor", + * and "viewer" roles are permitted. If the version is 1, you may also use other roles. + */ + public Integer version() { + return version; + } + + @Override + public final int hashCode() { + return Objects.hash(getClass(), bindings, etag, version); + } + + @Override + public final boolean equals(Object obj) { + if (obj == null || !getClass().equals(obj.getClass())) { + return false; + } + @SuppressWarnings("rawtypes") + IamPolicy other = (IamPolicy) obj; + return Objects.equals(bindings, other.bindings()) + && Objects.equals(etag, other.etag()) + && Objects.equals(version, other.version()); + } +} diff --git a/gcloud-java-core/src/main/java/com/google/gcloud/Identity.java b/gcloud-java-core/src/main/java/com/google/gcloud/Identity.java new file mode 100644 index 000000000000..0513916cc8b4 --- /dev/null +++ b/gcloud-java-core/src/main/java/com/google/gcloud/Identity.java @@ -0,0 +1,208 @@ +/* + * Copyright 2016 Google Inc. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.google.gcloud; + +import static com.google.common.base.Preconditions.checkNotNull; + +import java.io.Serializable; +import java.util.Objects; + +/** + * An identity in an {@link IamPolicy}. + */ +public final class Identity implements Serializable { + + private static final long serialVersionUID = -8181841964597657446L; + + private final Type type; + private final String id; + + /** + * The types of IAM identities. + */ + public enum Type { + + /** + * Represents anyone who is on the internet; with or without a Google account. + */ + ALL_USERS, + + /** + * Represents anyone who is authenticated with a Google account or a service account. + */ + ALL_AUTHENTICATED_USERS, + + /** + * Represents a specific Google account. + */ + USER, + + /** + * Represents a service account. + */ + SERVICE_ACCOUNT, + + /** + * Represents a Google group. + */ + GROUP, + + /** + * Represents all the users of a Google Apps domain name. + */ + DOMAIN + } + + private Identity(Type type, String id) { + this.type = type; + this.id = id; + } + + public Type type() { + return type; + } + + /** + * Returns the string identifier for this identity. The id corresponds to: + *

    + *
  • email address (for identities of type {@code USER}, {@code SERVICE_ACCOUNT}, and + * {@code GROUP}) + *
  • domain (for identities of type {@code DOMAIN}) + *
  • null (for identities of type {@code ALL_USERS} and {@code ALL_AUTHENTICATED_USERS}) + *
+ */ + public String id() { + return id; + } + + /** + * Returns a new identity representing anyone who is on the internet; with or without a Google + * account. + */ + public static Identity allUsers() { + return new Identity(Type.ALL_USERS, null); + } + + /** + * Returns a new identity representing anyone who is authenticated with a Google account or a + * service account. + */ + public static Identity allAuthenticatedUsers() { + return new Identity(Type.ALL_AUTHENTICATED_USERS, null); + } + + /** + * Returns a new user identity. + * + * @param email An email address that represents a specific Google account. For example, + * alice@gmail.com or joe@example.com. + */ + public static Identity user(String email) { + return new Identity(Type.USER, checkNotNull(email)); + } + + /** + * Returns a new service account identity. + * + * @param email An email address that represents a service account. For example, + * my-other-app@appspot.gserviceaccount.com. + */ + public static Identity serviceAccount(String email) { + return new Identity(Type.SERVICE_ACCOUNT, checkNotNull(email)); + } + + /** + * Returns a new group identity. + * + * @param email An email address that represents a Google group. For example, + * admins@example.com. + */ + public static Identity group(String email) { + return new Identity(Type.GROUP, checkNotNull(email)); + } + + /** + * Returns a new domain identity. + * + * @param domain A Google Apps domain name that represents all the users of that domain. For + * example, google.com or example.com. + */ + public static Identity domain(String domain) { + return new Identity(Type.DOMAIN, checkNotNull(domain)); + } + + @Override + public int hashCode() { + return Objects.hash(id, type); + } + + @Override + public boolean equals(Object obj) { + if (!(obj instanceof Identity)) { + return false; + } + Identity other = (Identity) obj; + return Objects.equals(id, other.id()) && Objects.equals(type, other.type()); + } + + /** + * Returns the string value associated with the identity. Used primarily for converting from + * {@code Identity} objects to strings for protobuf-generated policies. + */ + public String strValue() { + switch (type) { + case ALL_USERS: + return "allUsers"; + case ALL_AUTHENTICATED_USERS: + return "allAuthenticatedUsers"; + case USER: + return "user:" + id; + case SERVICE_ACCOUNT: + return "serviceAccount:" + id; + case GROUP: + return "group:" + id; + case DOMAIN: + return "domain:" + id; + default: + throw new IllegalArgumentException("Unexpected identity type: " + type); + } + } + + /** + * Converts a string to an {@code Identity}. Used primarily for converting protobuf-generated + * policy identities to {@code Identity} objects. + */ + public static Identity valueOf(String identityStr) { + String[] info = identityStr.split(":"); + switch (info[0]) { + case "allUsers": + return Identity.allUsers(); + case "allAuthenticatedUsers": + return Identity.allAuthenticatedUsers(); + case "user": + return Identity.user(info[1]); + case "serviceAccount": + return Identity.serviceAccount(info[1]); + case "group": + return Identity.group(info[1]); + case "domain": + return Identity.domain(info[1]); + default: + throw new IllegalArgumentException("Unexpected identity type: " + info[0]); + } + } +} diff --git a/gcloud-java-core/src/test/java/com/google/gcloud/IamPolicyTest.java b/gcloud-java-core/src/test/java/com/google/gcloud/IamPolicyTest.java new file mode 100644 index 000000000000..b77b5e2df7fa --- /dev/null +++ b/gcloud-java-core/src/test/java/com/google/gcloud/IamPolicyTest.java @@ -0,0 +1,173 @@ +/* + * Copyright 2016 Google Inc. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.google.gcloud; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertNotEquals; +import static org.junit.Assert.assertNull; +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; + +import com.google.common.collect.ImmutableMap; +import com.google.common.collect.ImmutableSet; + +import org.junit.Test; + +import java.util.Map; +import java.util.Set; + +public class IamPolicyTest { + + private static final Identity ALL_USERS = Identity.allUsers(); + private static final Identity ALL_AUTH_USERS = Identity.allAuthenticatedUsers(); + private static final Identity USER = Identity.user("abc@gmail.com"); + private static final Identity SERVICE_ACCOUNT = + Identity.serviceAccount("service-account@gmail.com"); + private static final Identity GROUP = Identity.group("group@gmail.com"); + private static final Identity DOMAIN = Identity.domain("google.com"); + private static final Map> BINDINGS = ImmutableMap.of( + "viewer", + ImmutableSet.of(USER, SERVICE_ACCOUNT, ALL_USERS), + "editor", + ImmutableSet.of(ALL_AUTH_USERS, GROUP, DOMAIN)); + private static final PolicyImpl SIMPLE_POLICY = PolicyImpl.builder() + .addBinding("viewer", ImmutableSet.of(USER, SERVICE_ACCOUNT, ALL_USERS)) + .addBinding("editor", ImmutableSet.of(ALL_AUTH_USERS, GROUP, DOMAIN)) + .build(); + private static final PolicyImpl FULL_POLICY = + new PolicyImpl.Builder(SIMPLE_POLICY.bindings(), "etag", 1).build(); + + static class PolicyImpl extends IamPolicy { + + static class Builder extends IamPolicy.Builder { + + private Builder() {} + + private Builder(Map> bindings, String etag, Integer version) { + bindings(bindings).etag(etag).version(version); + } + + @Override + public PolicyImpl build() { + return new PolicyImpl(this); + } + } + + PolicyImpl(Builder builder) { + super(builder); + } + + Builder toBuilder() { + return new Builder(bindings(), etag(), version()); + } + + static Builder builder() { + return new Builder(); + } + } + + @Test + public void testBuilder() { + assertEquals(BINDINGS, FULL_POLICY.bindings()); + assertEquals("etag", FULL_POLICY.etag()); + assertEquals(1, FULL_POLICY.version().intValue()); + Map> editorBinding = + ImmutableMap.>builder().put("editor", BINDINGS.get("editor")).build(); + PolicyImpl policy = FULL_POLICY.toBuilder().bindings(editorBinding).build(); + assertEquals(editorBinding, policy.bindings()); + assertEquals("etag", policy.etag()); + assertEquals(1, policy.version().intValue()); + policy = SIMPLE_POLICY.toBuilder().removeBinding("editor").build(); + assertEquals(ImmutableMap.of("viewer", BINDINGS.get("viewer")), policy.bindings()); + assertEquals(null, policy.etag()); + assertEquals(null, policy.version()); + policy = policy.toBuilder() + .removeIdentity("viewer", USER, ALL_USERS) + .addIdentity("viewer", DOMAIN, GROUP) + .build(); + assertEquals(ImmutableMap.of("viewer", ImmutableSet.of(SERVICE_ACCOUNT, DOMAIN, GROUP)), + policy.bindings()); + assertEquals(null, policy.etag()); + assertEquals(null, policy.version()); + policy = PolicyImpl.builder().addBinding("owner", USER, SERVICE_ACCOUNT).build(); + assertEquals( + ImmutableMap.of("owner", ImmutableSet.of(USER, SERVICE_ACCOUNT)), policy.bindings()); + assertEquals(null, policy.etag()); + assertEquals(null, policy.version()); + try { + SIMPLE_POLICY.toBuilder().addBinding("viewer", USER); + fail("Should have failed due to duplicate role."); + } catch (IllegalArgumentException e) { + assertEquals("The policy already contains a binding with the role viewer", e.getMessage()); + } + try { + SIMPLE_POLICY.toBuilder().addBinding("editor", ImmutableSet.of(USER)); + fail("Should have failed due to duplicate role."); + } catch (IllegalArgumentException e) { + assertEquals("The policy already contains a binding with the role editor", e.getMessage()); + } + } + + @Test + public void testEqualsHashCode() { + assertNotEquals(FULL_POLICY, null); + PolicyImpl emptyPolicy = PolicyImpl.builder().build(); + AnotherPolicyImpl anotherPolicy = new AnotherPolicyImpl.Builder().build(); + assertNotEquals(emptyPolicy, anotherPolicy); + assertNotEquals(emptyPolicy.hashCode(), anotherPolicy.hashCode()); + assertNotEquals(FULL_POLICY, SIMPLE_POLICY); + assertNotEquals(FULL_POLICY.hashCode(), SIMPLE_POLICY.hashCode()); + PolicyImpl copy = SIMPLE_POLICY.toBuilder().build(); + assertEquals(SIMPLE_POLICY, copy); + assertEquals(SIMPLE_POLICY.hashCode(), copy.hashCode()); + } + + @Test + public void testBindings() { + assertTrue(PolicyImpl.builder().build().bindings().isEmpty()); + assertEquals(BINDINGS, SIMPLE_POLICY.bindings()); + } + + @Test + public void testEtag() { + assertNull(SIMPLE_POLICY.etag()); + assertEquals("etag", FULL_POLICY.etag()); + } + + @Test + public void testVersion() { + assertNull(SIMPLE_POLICY.version()); + assertEquals(null, SIMPLE_POLICY.version()); + } + + static class AnotherPolicyImpl extends IamPolicy { + + static class Builder extends IamPolicy.Builder { + + private Builder() {} + + @Override + public AnotherPolicyImpl build() { + return new AnotherPolicyImpl(this); + } + } + + AnotherPolicyImpl(Builder builder) { + super(builder); + } + } +} diff --git a/gcloud-java-core/src/test/java/com/google/gcloud/IdentityTest.java b/gcloud-java-core/src/test/java/com/google/gcloud/IdentityTest.java new file mode 100644 index 000000000000..7abbc98521a0 --- /dev/null +++ b/gcloud-java-core/src/test/java/com/google/gcloud/IdentityTest.java @@ -0,0 +1,110 @@ +/* + * Copyright 2016 Google Inc. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.google.gcloud; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertNull; +import static org.junit.Assert.fail; + +import org.junit.Test; + +public class IdentityTest { + + private static final Identity ALL_USERS = Identity.allUsers(); + private static final Identity ALL_AUTH_USERS = Identity.allAuthenticatedUsers(); + private static final Identity USER = Identity.user("abc@gmail.com"); + private static final Identity SERVICE_ACCOUNT = + Identity.serviceAccount("service-account@gmail.com"); + private static final Identity GROUP = Identity.group("group@gmail.com"); + private static final Identity DOMAIN = Identity.domain("google.com"); + + @Test + public void testAllUsers() { + assertEquals(Identity.Type.ALL_USERS, ALL_USERS.type()); + assertNull(ALL_USERS.id()); + } + + @Test + public void testAllAuthenticatedUsers() { + assertEquals(Identity.Type.ALL_AUTHENTICATED_USERS, ALL_AUTH_USERS.type()); + assertNull(ALL_AUTH_USERS.id()); + } + + @Test + public void testUser() { + assertEquals(Identity.Type.USER, USER.type()); + assertEquals("abc@gmail.com", USER.id()); + try { + Identity.user(null); + fail("Should have thrown exception due to null email address."); + } catch (NullPointerException e) { + // expected + } + } + + @Test + public void testServiceAccount() { + assertEquals(Identity.Type.SERVICE_ACCOUNT, SERVICE_ACCOUNT.type()); + assertEquals("service-account@gmail.com", SERVICE_ACCOUNT.id()); + try { + Identity.serviceAccount(null); + fail("Should have thrown exception due to null email address."); + } catch (NullPointerException e) { + // expected + } + } + + @Test + public void testGroup() { + assertEquals(Identity.Type.GROUP, GROUP.type()); + assertEquals("group@gmail.com", GROUP.id()); + try { + Identity.group(null); + fail("Should have thrown exception due to null email address."); + } catch (NullPointerException e) { + // expected + } + } + + @Test + public void testDomain() { + assertEquals(Identity.Type.DOMAIN, DOMAIN.type()); + assertEquals("google.com", DOMAIN.id()); + try { + Identity.domain(null); + fail("Should have thrown exception due to null domain."); + } catch (NullPointerException e) { + // expected + } + } + + @Test + public void testIdentityToAndFromPb() { + compareIdentities(ALL_USERS, Identity.valueOf(ALL_USERS.strValue())); + compareIdentities(ALL_AUTH_USERS, Identity.valueOf(ALL_AUTH_USERS.strValue())); + compareIdentities(USER, Identity.valueOf(USER.strValue())); + compareIdentities(SERVICE_ACCOUNT, Identity.valueOf(SERVICE_ACCOUNT.strValue())); + compareIdentities(GROUP, Identity.valueOf(GROUP.strValue())); + compareIdentities(DOMAIN, Identity.valueOf(DOMAIN.strValue())); + } + + private void compareIdentities(Identity expected, Identity actual) { + assertEquals(expected, actual); + assertEquals(expected.type(), actual.type()); + assertEquals(expected.id(), actual.id()); + } +} diff --git a/gcloud-java-resourcemanager/src/main/java/com/google/gcloud/resourcemanager/IamPolicy.java b/gcloud-java-resourcemanager/src/main/java/com/google/gcloud/resourcemanager/IamPolicy.java deleted file mode 100644 index ccb436fd8a2f..000000000000 --- a/gcloud-java-resourcemanager/src/main/java/com/google/gcloud/resourcemanager/IamPolicy.java +++ /dev/null @@ -1,162 +0,0 @@ -/* - * Copyright 2016 Google Inc. All Rights Reserved. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package com.google.gcloud.resourcemanager; - -import com.google.common.base.Function; -import com.google.common.collect.Lists; -import com.google.gcloud.BaseIamPolicy; - -import java.io.Serializable; -import java.util.HashMap; -import java.util.LinkedList; -import java.util.List; -import java.util.Map; -import java.util.Objects; - -/** - * Base class for Identity and Access Management (IAM) policies. IAM policies are used to specify - * access settings for Cloud Platform resources. A Policy consists of a list of bindings. An binding - * assigns a list of identities to a role, where the identities can be user accounts, Google groups, - * Google domains, and service accounts. A role is a named list of permissions defined by IAM. - * - * @see Policy - */ -public class IamPolicy extends BaseIamPolicy implements Serializable { - - private static final long serialVersionUID = -5573557282693961850L; - - /** - * Builder for an IAM Policy. - */ - protected static class Builder extends BaseBuilder { - - Builder() {} - - Builder(Map> bindings, String etag, int version) { - bindings(bindings).etag(etag).version(version); - } - - @Override - public IamPolicy build() { - return new IamPolicy(this); - } - } - - private IamPolicy(Builder builder) { - super(builder); - } - - @Override - public int hashCode() { - return baseHashCode(); - } - - @Override - public boolean equals(Object obj) { - if (!(obj instanceof IamPolicy)) { - return false; - } - IamPolicy other = (IamPolicy) obj; - return Objects.equals(bindings(), other.bindings()) - && Objects.equals(etag(), other.etag()) - && Objects.equals(version(), other.version()); - } - - public static Builder builder() { - return new Builder(); - } - - public Builder toBuilder() { - return new Builder(bindings(), etag(), version()); - } - - static String identityToPb(Identity identity) { - switch (identity.type()) { - case ALL_USERS: - return "allUsers"; - case ALL_AUTHENTICATED_USERS: - return "allAuthenticatedUsers"; - case USER: - return "user:" + identity.id(); - case SERVICE_ACCOUNT: - return "serviceAccount:" + identity.id(); - case GROUP: - return "group:" + identity.id(); - default: - return "domain:" + identity.id(); - } - } - - static Identity identityFromPb(String identityStr) { - String[] info = identityStr.split(":"); - switch (info[0]) { - case "allUsers": - return Identity.allUsers(); - case "allAuthenticatedUsers": - return Identity.allAuthenticatedUsers(); - case "user": - return Identity.user(info[1]); - case "serviceAccount": - return Identity.serviceAccount(info[1]); - case "group": - return Identity.group(info[1]); - case "domain": - return Identity.domain(info[1]); - default: - throw new IllegalArgumentException("Unexpected identity type: " + info[0]); - } - } - - com.google.api.services.cloudresourcemanager.model.Policy toPb() { - com.google.api.services.cloudresourcemanager.model.Policy policyPb = - new com.google.api.services.cloudresourcemanager.model.Policy(); - List bindingPbList = - new LinkedList<>(); - for (Map.Entry> binding : bindings().entrySet()) { - com.google.api.services.cloudresourcemanager.model.Binding bindingPb = - new com.google.api.services.cloudresourcemanager.model.Binding(); - bindingPb.setRole("roles/" + binding.getKey()); - bindingPb.setMembers(Lists.transform(binding.getValue(), new Function() { - @Override - public String apply(Identity identity) { - return identityToPb(identity); - } - })); - bindingPbList.add(bindingPb); - } - policyPb.setBindings(bindingPbList); - policyPb.setEtag(etag()); - policyPb.setVersion(version()); - return policyPb; - } - - static IamPolicy fromPb( - com.google.api.services.cloudresourcemanager.model.Policy policyPb) { - Map> bindings = new HashMap<>(); - for (com.google.api.services.cloudresourcemanager.model.Binding bindingPb : - policyPb.getBindings()) { - bindings.put(bindingPb.getRole().substring("roles/".length()), - Lists.transform(bindingPb.getMembers(), new Function() { - @Override - public Identity apply(String identityPb) { - return identityFromPb(identityPb); - } - })); - } - return new IamPolicy.Builder(bindings, policyPb.getEtag(), policyPb.getVersion()).build(); - } -} diff --git a/gcloud-java-resourcemanager/src/main/java/com/google/gcloud/resourcemanager/Policy.java b/gcloud-java-resourcemanager/src/main/java/com/google/gcloud/resourcemanager/Policy.java new file mode 100644 index 000000000000..09cbfa1db554 --- /dev/null +++ b/gcloud-java-resourcemanager/src/main/java/com/google/gcloud/resourcemanager/Policy.java @@ -0,0 +1,122 @@ +/* + * Copyright 2016 Google Inc. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.google.gcloud.resourcemanager; + +import com.google.common.annotations.VisibleForTesting; +import com.google.common.base.Function; +import com.google.common.collect.ImmutableSet; +import com.google.common.collect.Lists; +import com.google.gcloud.IamPolicy; +import com.google.gcloud.Identity; + +import java.util.ArrayList; +import java.util.HashMap; +import java.util.LinkedList; +import java.util.List; +import java.util.Map; +import java.util.Set; + +/** + * An Identity and Access Management (IAM) policy for a project. IAM policies are used to specify + * access settings for Cloud Platform resources. A policy is a map of bindings. A binding assigns + * a set of identities to a role, where the identities can be user accounts, Google groups, Google + * domains, and service accounts. A role is a named list of permissions defined by IAM. Policies set + * at the project level control access both to the project and to resources associated with the + * project. + * + * @see Policy + */ +public class Policy extends IamPolicy { + + private static final long serialVersionUID = -5573557282693961850L; + + /** + * Builder for an IAM Policy. + */ + public static class Builder extends IamPolicy.Builder { + + private Builder() {} + + @VisibleForTesting + Builder(Map> bindings, String etag, Integer version) { + bindings(bindings).etag(etag).version(version); + } + + @Override + public Policy build() { + return new Policy(this); + } + } + + private Policy(Builder builder) { + super(builder); + } + + public static Builder builder() { + return new Builder(); + } + + public Builder toBuilder() { + return new Builder(bindings(), etag(), version()); + } + + com.google.api.services.cloudresourcemanager.model.Policy toPb() { + com.google.api.services.cloudresourcemanager.model.Policy policyPb = + new com.google.api.services.cloudresourcemanager.model.Policy(); + List bindingPbList = + new LinkedList<>(); + for (Map.Entry> binding : bindings().entrySet()) { + com.google.api.services.cloudresourcemanager.model.Binding bindingPb = + new com.google.api.services.cloudresourcemanager.model.Binding(); + bindingPb.setRole("roles/" + binding.getKey()); + bindingPb.setMembers( + Lists.transform( + new ArrayList<>(binding.getValue()), + new Function() { + @Override + public String apply(Identity identity) { + return identity.strValue(); + } + })); + bindingPbList.add(bindingPb); + } + policyPb.setBindings(bindingPbList); + policyPb.setEtag(etag()); + policyPb.setVersion(version()); + return policyPb; + } + + static Policy fromPb( + com.google.api.services.cloudresourcemanager.model.Policy policyPb) { + Map> bindings = new HashMap<>(); + for (com.google.api.services.cloudresourcemanager.model.Binding bindingPb : + policyPb.getBindings()) { + bindings.put( + bindingPb.getRole().substring("roles/".length()), + ImmutableSet.copyOf( + Lists.transform( + bindingPb.getMembers(), + new Function() { + @Override + public Identity apply(String identityPb) { + return Identity.valueOf(identityPb); + } + }))); + } + return new Policy.Builder(bindings, policyPb.getEtag(), policyPb.getVersion()).build(); + } +} diff --git a/gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/IamPolicyTest.java b/gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/IamPolicyTest.java deleted file mode 100644 index e2f05ac8493b..000000000000 --- a/gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/IamPolicyTest.java +++ /dev/null @@ -1,91 +0,0 @@ -/* - * Copyright 2016 Google Inc. All Rights Reserved. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package com.google.gcloud.resourcemanager; - -import static org.junit.Assert.assertEquals; - -import com.google.common.collect.ImmutableList; -import com.google.common.collect.ImmutableMap; -import com.google.gcloud.BaseIamPolicy.Identity; - -import org.junit.Test; - -import java.util.HashMap; -import java.util.List; -import java.util.Map; - -public class IamPolicyTest { - - private static final Identity ALL_USERS = Identity.allUsers(); - private static final Identity ALL_AUTH_USERS = Identity.allAuthenticatedUsers(); - private static final Identity USER = Identity.user("abc@gmail.com"); - private static final Identity SERVICE_ACCOUNT = - Identity.serviceAccount("service-account@gmail.com"); - private static final Identity GROUP = Identity.group("group@gmail.com"); - private static final Identity DOMAIN = Identity.domain("google.com"); - private static final Map> BINDINGS = ImmutableMap.of( - "viewer", - ImmutableList.of(USER, SERVICE_ACCOUNT, ALL_USERS), - "editor", - ImmutableList.of(ALL_AUTH_USERS, GROUP, DOMAIN)); - private static final IamPolicy SIMPLE_POLICY = IamPolicy.builder() - .addBinding("viewer", ImmutableList.of(USER, SERVICE_ACCOUNT, ALL_USERS)) - .addBinding("editor", ImmutableList.of(ALL_AUTH_USERS, GROUP, DOMAIN)) - .build(); - private static final IamPolicy FULL_POLICY = - new IamPolicy.Builder(SIMPLE_POLICY.bindings(), "etag", 1).build(); - - @Test - public void testIamPolicyBuilder() { - assertEquals(BINDINGS, FULL_POLICY.bindings()); - assertEquals("etag", FULL_POLICY.etag()); - assertEquals(1, FULL_POLICY.version()); - Map> editorBinding = new HashMap<>(); - editorBinding.put("editor", BINDINGS.get("editor")); - IamPolicy policy = FULL_POLICY.toBuilder().bindings(editorBinding).build(); - assertEquals(ImmutableMap.of("editor", BINDINGS.get("editor")), policy.bindings()); - assertEquals("etag", policy.etag()); - assertEquals(1, policy.version()); - policy = SIMPLE_POLICY.toBuilder().removeBinding("editor").build(); - assertEquals(ImmutableMap.of("viewer", BINDINGS.get("viewer")), policy.bindings()); - assertEquals(null, policy.etag()); - assertEquals(0, policy.version()); - } - - @Test - public void testIamPolicyToBuilder() { - assertEquals(FULL_POLICY, FULL_POLICY.toBuilder().build()); - assertEquals(SIMPLE_POLICY, SIMPLE_POLICY.toBuilder().build()); - } - - @Test - public void testIdentityToAndFromPb() { - assertEquals(ALL_USERS, IamPolicy.identityFromPb(IamPolicy.identityToPb(ALL_USERS))); - assertEquals(ALL_AUTH_USERS, IamPolicy.identityFromPb(IamPolicy.identityToPb(ALL_AUTH_USERS))); - assertEquals(USER, IamPolicy.identityFromPb(IamPolicy.identityToPb(USER))); - assertEquals( - SERVICE_ACCOUNT, IamPolicy.identityFromPb(IamPolicy.identityToPb(SERVICE_ACCOUNT))); - assertEquals(GROUP, IamPolicy.identityFromPb(IamPolicy.identityToPb(GROUP))); - assertEquals(DOMAIN, IamPolicy.identityFromPb(IamPolicy.identityToPb(DOMAIN))); - } - - @Test - public void testPolicyToAndFromPb() { - assertEquals(FULL_POLICY, IamPolicy.fromPb(FULL_POLICY.toPb())); - assertEquals(SIMPLE_POLICY, IamPolicy.fromPb(SIMPLE_POLICY.toPb())); - } -} diff --git a/gcloud-java-core/src/test/java/com/google/gcloud/BaseIamPolicyTest.java b/gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/PolicyTest.java similarity index 55% rename from gcloud-java-core/src/test/java/com/google/gcloud/BaseIamPolicyTest.java rename to gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/PolicyTest.java index 0c26bc806812..3383eebf470c 100644 --- a/gcloud-java-core/src/test/java/com/google/gcloud/BaseIamPolicyTest.java +++ b/gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/PolicyTest.java @@ -1,5 +1,5 @@ /* - * Copyright 2015 Google Inc. All Rights Reserved. + * Copyright 2016 Google Inc. All Rights Reserved. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -14,15 +14,16 @@ * limitations under the License. */ -package com.google.gcloud; +package com.google.gcloud.resourcemanager; import static org.junit.Assert.assertEquals; -import com.google.gcloud.BaseIamPolicy.Identity; +import com.google.common.collect.ImmutableSet; +import com.google.gcloud.Identity; import org.junit.Test; -public class BaseIamPolicyTest { +public class PolicyTest { private static final Identity ALL_USERS = Identity.allUsers(); private static final Identity ALL_AUTH_USERS = Identity.allAuthenticatedUsers(); @@ -31,20 +32,22 @@ public class BaseIamPolicyTest { Identity.serviceAccount("service-account@gmail.com"); private static final Identity GROUP = Identity.group("group@gmail.com"); private static final Identity DOMAIN = Identity.domain("google.com"); + private static final Policy SIMPLE_POLICY = Policy.builder() + .addBinding("viewer", ImmutableSet.of(USER, SERVICE_ACCOUNT, ALL_USERS)) + .addBinding("editor", ImmutableSet.of(ALL_AUTH_USERS, GROUP, DOMAIN)) + .build(); + private static final Policy FULL_POLICY = + new Policy.Builder(SIMPLE_POLICY.bindings(), "etag", 1).build(); @Test - public void testIdentityOf() { - assertEquals(Identity.Type.ALL_USERS, ALL_USERS.type()); - assertEquals(null, ALL_USERS.id()); - assertEquals(Identity.Type.ALL_AUTHENTICATED_USERS, ALL_AUTH_USERS.type()); - assertEquals(null, ALL_AUTH_USERS.id()); - assertEquals(Identity.Type.USER, USER.type()); - assertEquals("abc@gmail.com", USER.id()); - assertEquals(Identity.Type.SERVICE_ACCOUNT, SERVICE_ACCOUNT.type()); - assertEquals("service-account@gmail.com", SERVICE_ACCOUNT.id()); - assertEquals(Identity.Type.GROUP, GROUP.type()); - assertEquals("group@gmail.com", GROUP.id()); - assertEquals(Identity.Type.DOMAIN, DOMAIN.type()); - assertEquals("google.com", DOMAIN.id()); + public void testIamPolicyToBuilder() { + assertEquals(FULL_POLICY, FULL_POLICY.toBuilder().build()); + assertEquals(SIMPLE_POLICY, SIMPLE_POLICY.toBuilder().build()); + } + + @Test + public void testPolicyToAndFromPb() { + assertEquals(FULL_POLICY, Policy.fromPb(FULL_POLICY.toPb())); + assertEquals(SIMPLE_POLICY, Policy.fromPb(SIMPLE_POLICY.toPb())); } } diff --git a/gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/SerializationTest.java b/gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/SerializationTest.java index 1049f40f5f17..99c0fd7572c0 100644 --- a/gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/SerializationTest.java +++ b/gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/SerializationTest.java @@ -19,9 +19,9 @@ import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotSame; -import com.google.common.collect.ImmutableList; import com.google.common.collect.ImmutableMap; -import com.google.gcloud.BaseIamPolicy.Identity; +import com.google.common.collect.ImmutableSet; +import com.google.gcloud.Identity; import com.google.gcloud.PageImpl; import com.google.gcloud.RetryParams; @@ -55,9 +55,9 @@ public class SerializationTest { ResourceManager.ProjectGetOption.fields(ResourceManager.ProjectField.NAME); private static final ResourceManager.ProjectListOption PROJECT_LIST_OPTION = ResourceManager.ProjectListOption.filter("name:*"); - private static final Identity IDENTITY = Identity.user("abc@gmail.com"); - private static final IamPolicy POLICY = - IamPolicy.builder().addBinding("viewer", ImmutableList.of(IDENTITY)).build(); + private static final Policy POLICY = Policy.builder() + .addBinding("viewer", ImmutableSet.of(Identity.user("abc@gmail.com"))) + .build(); @Test public void testServiceOptions() throws Exception { @@ -75,7 +75,7 @@ public void testServiceOptions() throws Exception { @Test public void testModelAndRequests() throws Exception { Serializable[] objects = {PARTIAL_PROJECT_INFO, FULL_PROJECT_INFO, PROJECT, PAGE_RESULT, - PROJECT_GET_OPTION, PROJECT_LIST_OPTION, IDENTITY, POLICY}; + PROJECT_GET_OPTION, PROJECT_LIST_OPTION, POLICY}; for (Serializable obj : objects) { Object copy = serializeAndDeserialize(obj); assertEquals(obj, obj); From 08295eeca633772ebab9dafab62aa2cc1e8ad627 Mon Sep 17 00:00:00 2001 From: Ajay Kannan Date: Thu, 25 Feb 2016 09:13:01 -0800 Subject: [PATCH 6/7] Document exceptions and satisfy codacy's demands. --- .../java/com/google/gcloud/IamPolicy.java | 15 +++++++ .../java/com/google/gcloud/IdentityTest.java | 45 +++++++++---------- 2 files changed, 35 insertions(+), 25 deletions(-) diff --git a/gcloud-java-core/src/main/java/com/google/gcloud/IamPolicy.java b/gcloud-java-core/src/main/java/com/google/gcloud/IamPolicy.java index ed9dcf9503c7..73c3e3fec6ac 100644 --- a/gcloud-java-core/src/main/java/com/google/gcloud/IamPolicy.java +++ b/gcloud-java-core/src/main/java/com/google/gcloud/IamPolicy.java @@ -58,6 +58,9 @@ public abstract static class Builder> { private String etag; private Integer version; + /** + * Constructor for IAM Policy builder. + */ protected Builder() {} /** @@ -73,6 +76,8 @@ public final B bindings(Map> bindings) { /** * Adds a binding to the policy. + * + * @throws IllegalArgumentException if the policy already contains a binding with the same role */ public final B addBinding(R role, Set identities) { checkArgument(!bindings.containsKey(role), @@ -83,6 +88,8 @@ public final B addBinding(R role, Set identities) { /** * Adds a binding to the policy. + * + * @throws IllegalArgumentException if the policy already contains a binding with the same role */ public final B addBinding(R role, Identity first, Identity... others) { checkArgument(!bindings.containsKey(role), @@ -104,8 +111,12 @@ public final B removeBinding(R role) { /** * Adds one or more identities to an existing binding. + * + * @throws IllegalArgumentException if the policy doesn't contain a binding with the specified + * role */ public final B addIdentity(R role, Identity first, Identity... others) { + checkArgument(bindings.containsKey(role), "The policy doesn't contain the specified role."); Set identities = bindings.get(role); identities.add(first); identities.addAll(Arrays.asList(others)); @@ -114,8 +125,12 @@ public final B addIdentity(R role, Identity first, Identity... others) { /** * Removes one or more identities from an existing binding. + * + * @throws IllegalArgumentException if the policy doesn't contain a binding with the specified + * role */ public final B removeIdentity(R role, Identity first, Identity... others) { + checkArgument(bindings.containsKey(role), "The policy doesn't contain the specified role."); bindings.get(role).remove(first); bindings.get(role).removeAll(Arrays.asList(others)); return self(); diff --git a/gcloud-java-core/src/test/java/com/google/gcloud/IdentityTest.java b/gcloud-java-core/src/test/java/com/google/gcloud/IdentityTest.java index 7abbc98521a0..828f1c839431 100644 --- a/gcloud-java-core/src/test/java/com/google/gcloud/IdentityTest.java +++ b/gcloud-java-core/src/test/java/com/google/gcloud/IdentityTest.java @@ -18,7 +18,6 @@ import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNull; -import static org.junit.Assert.fail; import org.junit.Test; @@ -48,48 +47,44 @@ public void testAllAuthenticatedUsers() { public void testUser() { assertEquals(Identity.Type.USER, USER.type()); assertEquals("abc@gmail.com", USER.id()); - try { - Identity.user(null); - fail("Should have thrown exception due to null email address."); - } catch (NullPointerException e) { - // expected - } + } + + @Test(expected = NullPointerException.class) + public void testUserNullEmail() { + Identity.user(null); } @Test public void testServiceAccount() { assertEquals(Identity.Type.SERVICE_ACCOUNT, SERVICE_ACCOUNT.type()); assertEquals("service-account@gmail.com", SERVICE_ACCOUNT.id()); - try { - Identity.serviceAccount(null); - fail("Should have thrown exception due to null email address."); - } catch (NullPointerException e) { - // expected - } + } + + @Test(expected = NullPointerException.class) + public void testServiceAccountNullEmail() { + Identity.serviceAccount(null); } @Test public void testGroup() { assertEquals(Identity.Type.GROUP, GROUP.type()); assertEquals("group@gmail.com", GROUP.id()); - try { - Identity.group(null); - fail("Should have thrown exception due to null email address."); - } catch (NullPointerException e) { - // expected - } + } + + @Test(expected = NullPointerException.class) + public void testGroupNullEmail() { + Identity.group(null); } @Test public void testDomain() { assertEquals(Identity.Type.DOMAIN, DOMAIN.type()); assertEquals("google.com", DOMAIN.id()); - try { - Identity.domain(null); - fail("Should have thrown exception due to null domain."); - } catch (NullPointerException e) { - // expected - } + } + + @Test(expected = NullPointerException.class) + public void testDomainNullId() { + Identity.domain(null); } @Test From 7d87d3ce92d781a5c3fbb204f1e99ba9ff500ef4 Mon Sep 17 00:00:00 2001 From: Ajay Kannan Date: Fri, 26 Feb 2016 08:05:10 -0800 Subject: [PATCH 7/7] Use enum for legacy roles, add input checks --- .../java/com/google/gcloud/IamPolicy.java | 50 +++++++++++++---- .../main/java/com/google/gcloud/Identity.java | 39 +++++++++---- .../java/com/google/gcloud/IamPolicyTest.java | 29 ++++++---- .../google/gcloud/resourcemanager/Policy.java | 56 ++++++++++++++++--- .../gcloud/resourcemanager/PolicyTest.java | 4 +- .../resourcemanager/SerializationTest.java | 2 +- 6 files changed, 137 insertions(+), 43 deletions(-) diff --git a/gcloud-java-core/src/main/java/com/google/gcloud/IamPolicy.java b/gcloud-java-core/src/main/java/com/google/gcloud/IamPolicy.java index 73c3e3fec6ac..748eaba2ab4c 100644 --- a/gcloud-java-core/src/main/java/com/google/gcloud/IamPolicy.java +++ b/gcloud-java-core/src/main/java/com/google/gcloud/IamPolicy.java @@ -23,8 +23,11 @@ import java.io.Serializable; import java.util.Arrays; +import java.util.Collection; import java.util.HashMap; import java.util.HashSet; +import java.util.LinkedList; +import java.util.List; import java.util.Map; import java.util.Objects; import java.util.Set; @@ -65,8 +68,14 @@ protected Builder() {} /** * Replaces the builder's map of bindings with the given map of bindings. + * + * @throws IllegalArgumentException if the provided map is null or contain any null values */ public final B bindings(Map> bindings) { + checkArgument(bindings != null, "The provided map of bindings cannot be null."); + for (Map.Entry> binding : bindings.entrySet()) { + verifyBinding(binding.getKey(), binding.getValue()); + } this.bindings.clear(); for (Map.Entry> binding : bindings.entrySet()) { this.bindings.put(binding.getKey(), new HashSet(binding.getValue())); @@ -78,10 +87,12 @@ public final B bindings(Map> bindings) { * Adds a binding to the policy. * * @throws IllegalArgumentException if the policy already contains a binding with the same role + * or if the role or any identities are null */ public final B addBinding(R role, Set identities) { + verifyBinding(role, identities); checkArgument(!bindings.containsKey(role), - "The policy already contains a binding with the role " + role.toString()); + "The policy already contains a binding with the role " + role.toString() + "."); bindings.put(role, new HashSet(identities)); return self(); } @@ -90,15 +101,23 @@ public final B addBinding(R role, Set identities) { * Adds a binding to the policy. * * @throws IllegalArgumentException if the policy already contains a binding with the same role + * or if the role or any identities are null */ public final B addBinding(R role, Identity first, Identity... others) { - checkArgument(!bindings.containsKey(role), - "The policy already contains a binding with the role " + role.toString()); HashSet identities = new HashSet<>(); identities.add(first); identities.addAll(Arrays.asList(others)); - bindings.put(role, identities); - return self(); + return addBinding(role, identities); + } + + private void verifyBinding(R role, Collection identities) { + checkArgument(role != null, "The role cannot be null."); + verifyIdentities(identities); + } + + private void verifyIdentities(Collection identities) { + checkArgument(identities != null, "A role cannot be assigned to a null set of identities."); + checkArgument(!identities.contains(null), "Null identities are not permitted."); } /** @@ -113,13 +132,16 @@ public final B removeBinding(R role) { * Adds one or more identities to an existing binding. * * @throws IllegalArgumentException if the policy doesn't contain a binding with the specified - * role + * role or any identities are null */ public final B addIdentity(R role, Identity first, Identity... others) { - checkArgument(bindings.containsKey(role), "The policy doesn't contain the specified role."); - Set identities = bindings.get(role); - identities.add(first); - identities.addAll(Arrays.asList(others)); + checkArgument(bindings.containsKey(role), + "The policy doesn't contain the role " + role.toString() + "."); + List toAdd = new LinkedList<>(); + toAdd.add(first); + toAdd.addAll(Arrays.asList(others)); + verifyIdentities(toAdd); + bindings.get(role).addAll(toAdd); return self(); } @@ -130,7 +152,8 @@ public final B addIdentity(R role, Identity first, Identity... others) { * role */ public final B removeIdentity(R role, Identity first, Identity... others) { - checkArgument(bindings.containsKey(role), "The policy doesn't contain the specified role."); + checkArgument(bindings.containsKey(role), + "The policy doesn't contain the role " + role.toString() + "."); bindings.get(role).remove(first); bindings.get(role).removeAll(Arrays.asList(others)); return self(); @@ -179,6 +202,11 @@ protected IamPolicy(Builder> builder) { this.version = builder.version; } + /** + * Returns a builder containing the properties of this IAM Policy. + */ + public abstract Builder> toBuilder(); + /** * The map of bindings that comprises the policy. */ diff --git a/gcloud-java-core/src/main/java/com/google/gcloud/Identity.java b/gcloud-java-core/src/main/java/com/google/gcloud/Identity.java index 0513916cc8b4..d1644198f759 100644 --- a/gcloud-java-core/src/main/java/com/google/gcloud/Identity.java +++ b/gcloud-java-core/src/main/java/com/google/gcloud/Identity.java @@ -18,11 +18,26 @@ import static com.google.common.base.Preconditions.checkNotNull; +import com.google.common.base.CaseFormat; + import java.io.Serializable; import java.util.Objects; /** - * An identity in an {@link IamPolicy}. + * An identity in an {@link IamPolicy}. The following types of identities are permitted in IAM + * policies: + *
    + *
  • Google account + *
  • Service account + *
  • Google group + *
  • Google Apps domain + *
+ * + *

There are also two special identities that represent all users and all Google-authenticated + * accounts. + * + * @see Concepts + * related to identity */ public final class Identity implements Serializable { @@ -82,7 +97,8 @@ public Type type() { *

  • email address (for identities of type {@code USER}, {@code SERVICE_ACCOUNT}, and * {@code GROUP}) *
  • domain (for identities of type {@code DOMAIN}) - *
  • null (for identities of type {@code ALL_USERS} and {@code ALL_AUTHENTICATED_USERS}) + *
  • {@code null} (for identities of type {@code ALL_USERS} and + * {@code ALL_AUTHENTICATED_USERS}) * */ public String id() { @@ -178,7 +194,7 @@ public String strValue() { case DOMAIN: return "domain:" + id; default: - throw new IllegalArgumentException("Unexpected identity type: " + type); + throw new IllegalStateException("Unexpected identity type: " + type); } } @@ -188,21 +204,22 @@ public String strValue() { */ public static Identity valueOf(String identityStr) { String[] info = identityStr.split(":"); - switch (info[0]) { - case "allUsers": + Type type = Type.valueOf(CaseFormat.LOWER_CAMEL.to(CaseFormat.UPPER_UNDERSCORE, info[0])); + switch (type) { + case ALL_USERS: return Identity.allUsers(); - case "allAuthenticatedUsers": + case ALL_AUTHENTICATED_USERS: return Identity.allAuthenticatedUsers(); - case "user": + case USER: return Identity.user(info[1]); - case "serviceAccount": + case SERVICE_ACCOUNT: return Identity.serviceAccount(info[1]); - case "group": + case GROUP: return Identity.group(info[1]); - case "domain": + case DOMAIN: return Identity.domain(info[1]); default: - throw new IllegalArgumentException("Unexpected identity type: " + info[0]); + throw new IllegalStateException("Unexpected identity type " + type); } } } diff --git a/gcloud-java-core/src/test/java/com/google/gcloud/IamPolicyTest.java b/gcloud-java-core/src/test/java/com/google/gcloud/IamPolicyTest.java index b77b5e2df7fa..db0935c4766d 100644 --- a/gcloud-java-core/src/test/java/com/google/gcloud/IamPolicyTest.java +++ b/gcloud-java-core/src/test/java/com/google/gcloud/IamPolicyTest.java @@ -18,6 +18,7 @@ import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotEquals; +import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertNull; import static org.junit.Assert.assertTrue; import static org.junit.Assert.fail; @@ -71,7 +72,8 @@ public PolicyImpl build() { super(builder); } - Builder toBuilder() { + @Override + public Builder toBuilder() { return new Builder(bindings(), etag(), version()); } @@ -93,38 +95,38 @@ public void testBuilder() { assertEquals(1, policy.version().intValue()); policy = SIMPLE_POLICY.toBuilder().removeBinding("editor").build(); assertEquals(ImmutableMap.of("viewer", BINDINGS.get("viewer")), policy.bindings()); - assertEquals(null, policy.etag()); - assertEquals(null, policy.version()); + assertNull(policy.etag()); + assertNull(policy.version()); policy = policy.toBuilder() .removeIdentity("viewer", USER, ALL_USERS) .addIdentity("viewer", DOMAIN, GROUP) .build(); assertEquals(ImmutableMap.of("viewer", ImmutableSet.of(SERVICE_ACCOUNT, DOMAIN, GROUP)), policy.bindings()); - assertEquals(null, policy.etag()); - assertEquals(null, policy.version()); + assertNull(policy.etag()); + assertNull(policy.version()); policy = PolicyImpl.builder().addBinding("owner", USER, SERVICE_ACCOUNT).build(); assertEquals( ImmutableMap.of("owner", ImmutableSet.of(USER, SERVICE_ACCOUNT)), policy.bindings()); - assertEquals(null, policy.etag()); - assertEquals(null, policy.version()); + assertNull(policy.etag()); + assertNull(policy.version()); try { SIMPLE_POLICY.toBuilder().addBinding("viewer", USER); fail("Should have failed due to duplicate role."); } catch (IllegalArgumentException e) { - assertEquals("The policy already contains a binding with the role viewer", e.getMessage()); + assertEquals("The policy already contains a binding with the role viewer.", e.getMessage()); } try { SIMPLE_POLICY.toBuilder().addBinding("editor", ImmutableSet.of(USER)); fail("Should have failed due to duplicate role."); } catch (IllegalArgumentException e) { - assertEquals("The policy already contains a binding with the role editor", e.getMessage()); + assertEquals("The policy already contains a binding with the role editor.", e.getMessage()); } } @Test public void testEqualsHashCode() { - assertNotEquals(FULL_POLICY, null); + assertNotNull(FULL_POLICY); PolicyImpl emptyPolicy = PolicyImpl.builder().build(); AnotherPolicyImpl anotherPolicy = new AnotherPolicyImpl.Builder().build(); assertNotEquals(emptyPolicy, anotherPolicy); @@ -151,7 +153,7 @@ public void testEtag() { @Test public void testVersion() { assertNull(SIMPLE_POLICY.version()); - assertEquals(null, SIMPLE_POLICY.version()); + assertEquals(1, FULL_POLICY.version().intValue()); } static class AnotherPolicyImpl extends IamPolicy { @@ -169,5 +171,10 @@ public AnotherPolicyImpl build() { AnotherPolicyImpl(Builder builder) { super(builder); } + + @Override + public Builder toBuilder() { + return new Builder(); + } } } diff --git a/gcloud-java-resourcemanager/src/main/java/com/google/gcloud/resourcemanager/Policy.java b/gcloud-java-resourcemanager/src/main/java/com/google/gcloud/resourcemanager/Policy.java index 09cbfa1db554..0d7118dcbbd7 100644 --- a/gcloud-java-resourcemanager/src/main/java/com/google/gcloud/resourcemanager/Policy.java +++ b/gcloud-java-resourcemanager/src/main/java/com/google/gcloud/resourcemanager/Policy.java @@ -17,6 +17,7 @@ package com.google.gcloud.resourcemanager; import com.google.common.annotations.VisibleForTesting; +import com.google.common.base.CaseFormat; import com.google.common.base.Function; import com.google.common.collect.ImmutableSet; import com.google.common.collect.Lists; @@ -40,19 +41,59 @@ * * @see Policy */ -public class Policy extends IamPolicy { +public class Policy extends IamPolicy { private static final long serialVersionUID = -5573557282693961850L; + /** + * Represents legacy roles in an IAM Policy. + */ + public enum Role { + + /** + * Permissions for read-only actions that preserve state. + */ + VIEWER("roles/viewer"), + + /** + * All viewer permissions and permissions for actions that modify state. + */ + EDITOR("roles/editor"), + + /** + * All editor permissions and permissions for the following actions: + *
      + *
    • Manage access control for a resource. + *
    • Set up billing (for a project). + *
    + */ + OWNER("roles/owner"); + + private String strValue; + + private Role(String strValue) { + this.strValue = strValue; + } + + String strValue() { + return strValue; + } + + static Role fromStr(String roleStr) { + return Role.valueOf(CaseFormat.LOWER_CAMEL.to( + CaseFormat.UPPER_UNDERSCORE, roleStr.substring("roles/".length()))); + } + } + /** * Builder for an IAM Policy. */ - public static class Builder extends IamPolicy.Builder { + public static class Builder extends IamPolicy.Builder { private Builder() {} @VisibleForTesting - Builder(Map> bindings, String etag, Integer version) { + Builder(Map> bindings, String etag, Integer version) { bindings(bindings).etag(etag).version(version); } @@ -70,6 +111,7 @@ public static Builder builder() { return new Builder(); } + @Override public Builder toBuilder() { return new Builder(bindings(), etag(), version()); } @@ -79,10 +121,10 @@ com.google.api.services.cloudresourcemanager.model.Policy toPb() { new com.google.api.services.cloudresourcemanager.model.Policy(); List bindingPbList = new LinkedList<>(); - for (Map.Entry> binding : bindings().entrySet()) { + for (Map.Entry> binding : bindings().entrySet()) { com.google.api.services.cloudresourcemanager.model.Binding bindingPb = new com.google.api.services.cloudresourcemanager.model.Binding(); - bindingPb.setRole("roles/" + binding.getKey()); + bindingPb.setRole(binding.getKey().strValue()); bindingPb.setMembers( Lists.transform( new ArrayList<>(binding.getValue()), @@ -102,11 +144,11 @@ public String apply(Identity identity) { static Policy fromPb( com.google.api.services.cloudresourcemanager.model.Policy policyPb) { - Map> bindings = new HashMap<>(); + Map> bindings = new HashMap<>(); for (com.google.api.services.cloudresourcemanager.model.Binding bindingPb : policyPb.getBindings()) { bindings.put( - bindingPb.getRole().substring("roles/".length()), + Role.fromStr(bindingPb.getRole()), ImmutableSet.copyOf( Lists.transform( bindingPb.getMembers(), diff --git a/gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/PolicyTest.java b/gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/PolicyTest.java index 3383eebf470c..05d1b85bdbed 100644 --- a/gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/PolicyTest.java +++ b/gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/PolicyTest.java @@ -33,8 +33,8 @@ public class PolicyTest { private static final Identity GROUP = Identity.group("group@gmail.com"); private static final Identity DOMAIN = Identity.domain("google.com"); private static final Policy SIMPLE_POLICY = Policy.builder() - .addBinding("viewer", ImmutableSet.of(USER, SERVICE_ACCOUNT, ALL_USERS)) - .addBinding("editor", ImmutableSet.of(ALL_AUTH_USERS, GROUP, DOMAIN)) + .addBinding(Policy.Role.VIEWER, ImmutableSet.of(USER, SERVICE_ACCOUNT, ALL_USERS)) + .addBinding(Policy.Role.EDITOR, ImmutableSet.of(ALL_AUTH_USERS, GROUP, DOMAIN)) .build(); private static final Policy FULL_POLICY = new Policy.Builder(SIMPLE_POLICY.bindings(), "etag", 1).build(); diff --git a/gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/SerializationTest.java b/gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/SerializationTest.java index 99c0fd7572c0..35b72ae1713f 100644 --- a/gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/SerializationTest.java +++ b/gcloud-java-resourcemanager/src/test/java/com/google/gcloud/resourcemanager/SerializationTest.java @@ -56,7 +56,7 @@ public class SerializationTest { private static final ResourceManager.ProjectListOption PROJECT_LIST_OPTION = ResourceManager.ProjectListOption.filter("name:*"); private static final Policy POLICY = Policy.builder() - .addBinding("viewer", ImmutableSet.of(Identity.user("abc@gmail.com"))) + .addBinding(Policy.Role.VIEWER, ImmutableSet.of(Identity.user("abc@gmail.com"))) .build(); @Test