

Add support for Bucket Policy Only (#1596)
* Add support for Bucket Policy Only

* Update system test

* slim down whitespace.

* Fix IAM modification for readability

* Remove unnecessary reload calls
jdpedrie authored and dwsupplee committed Feb 6, 2019
1 parent 58685c0 commit 8b93fb8
Showing 4 changed files with 192 additions and 23 deletions.
9 changes: 7 additions & 2 deletions Storage/src/Bucket.php
Expand Up @@ -252,11 +252,11 @@ public function exists()
* `"projectPrivate"`, and `"publicRead"`.
* @type array $metadata The full list of available options are outlined
* at the [JSON API docs](https://cloud.google.com/storage/docs/json_api/v1/objects/insert#request-body).
* @type array $metadata['metadata'] User-provided metadata, in key/value pairs.
* @type array $metadata.metadata User-provided metadata, in key/value pairs.
* @type string $encryptionKey A base64 encoded AES-256 customer-supplied
* encryption key. If you would prefer to manage encryption
* utilizing the Cloud Key Management Service (KMS) please use the
* $metadata['kmsKeyName'] setting. Please note if using KMS the
* `$metadata.kmsKeyName` setting. Please note if using KMS the
* key ring must use the same location as the bucket.
* @type string $encryptionKeySHA256 Base64 encoded SHA256 hash of the
* customer-supplied encryption key. This value will be calculated
Expand Down Expand Up @@ -839,6 +839,11 @@ public function delete(array $options = [])
* @type int $retentionPolicy.retentionPeriod Specifies the duration
* that objects need to be retained, in seconds. Retention
* duration must be greater than zero and less than 100 years.
* @type array $iamConfiguration The bucket's IAM configuration.
* @type bool $iamConfiguration.bucketPolicyOnly.enabled If set and
* true, access checks only use bucket-level IAM policies or
* above. When enabled, requests attempting to view or manipulate
* ACLs will fail with error code 400.
* }
* @return array
*/
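Review bot: The new `$iamConfiguration` docblock in the `@@ -839` hunk documents only `bucketPolicyOnly.enabled`, but the discovery document updated in the same commit also declares `iamConfiguration.bucketPolicyOnly.lockedTime`, the RFC 3339 deadline after which `enabled` can no longer be changed from true back to false. Because enabling the setting becomes irreversible once that deadline passes, a caller reading this option list should be told about it here rather than having to find it in the JSON. Suggest adding, after the `enabled` entry, `* @type string $iamConfiguration.bucketPolicyOnly.lockedTime RFC 3339 deadline after which` / `* bucketPolicyOnly.enabled may no longer be changed from true to false.` The method this docblock belongs to starts before the hunk and its signature is not visible, so the entry may need its indentation matched to the surrounding `@type` lines.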
76 changes: 55 additions & 21 deletions Storage/src/Connection/ServiceDefinition/storage-v1.json
@@ -1,11 +1,11 @@
{
"kind": "discovery#restDescription",
"etag": "\"-iA1DTNe4s-I6JZXPt1t1Ypy8IU/jLupXEh5MvYeA2ibX_aBxLuxU28\"",
"etag": "\"J3WqvAcMk4eQjJXvfSI4Yr8VouA/DmyEBWot3HQKPyHnL5ZWMvY99pg\"",
"discoveryVersion": "v1",
"id": "storage:v1",
"name": "storage",
"version": "v1",
"revision": "20180118",
"revision": "20181217",
"title": "Cloud Storage JSON API",
"description": "Stores and retrieves potentially large, immutable data objects.",
"ownerDomain": "google.com",
Expand Down Expand Up @@ -60,12 +60,12 @@
},
"quotaUser": {
"type": "string",
"description": "Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters. Overrides userIp if both are provided.",
"description": "An opaque string that represents a user for quota purposes. Must not exceed 40 characters.",
"location": "query"
},
"userIp": {
"type": "string",
"description": "IP address of the site where the request originates. Use this if you want to enforce per-user limits.",
"description": "Deprecated. Please use quotaUser instead.",
"location": "query"
}
},
Expand Down Expand Up @@ -155,7 +155,7 @@
},
"defaultEventBasedHold": {
"type": "boolean",
"description": "Defines the default value for Event-Based hold on newly created objects in this bucket. Event-Based hold is a way to retain objects indefinitely until an event occurs, signified by the hold's release. After being released, such objects will be subject to bucket-level retention (if any). One sample use case of this flag is for banks to hold loan documents for at least 3 years after loan is paid in full. Here bucket-level retention is 3 years and the event is loan being paid in full. In this example these objects will be held intact for any number of years until the event has occurred (hold is released) and then 3 more years after that. Objects under Event-Based hold cannot be deleted, overwritten or archived until the hold is removed."
"description": "The default value for event-based hold on newly created objects in this bucket. Event-based hold is a way to retain objects indefinitely until an event occurs, signified by the hold's release. After being released, such objects will be subject to bucket-level retention (if any). One sample use case of this flag is for banks to hold loan documents for at least 3 years after loan is paid in full. Here, bucket-level retention is 3 years and the event is loan being paid in full. In this example, these objects will be held intact for any number of years until the event has occurred (event-based hold on the object is released) and then 3 more years after that. That means retention duration of the objects begins from the moment event-based hold transitioned from true to false. Objects under event-based hold cannot be deleted, overwritten or archived until the hold is removed."
},
"defaultObjectAcl": {
"type": "array",
Expand All @@ -166,18 +166,38 @@
},
"encryption": {
"type": "object",
"description": "Encryption configuration used by default for newly inserted objects, when no encryption config is specified.",
"description": "Encryption configuration for a bucket.",
"properties": {
"defaultKmsKeyName": {
"type": "string",
"description": "A Cloud KMS key that will be used to encrypt objects inserted into this bucket, if no encryption method is specified. Limited availability; usable only by enabled projects."
"description": "A Cloud KMS key that will be used to encrypt objects inserted into this bucket, if no encryption method is specified."
}
}
},
"etag": {
"type": "string",
"description": "HTTP 1.1 Entity tag for the bucket."
},
"iamConfiguration": {
"type": "object",
"description": "The bucket's IAM configuration.",
"properties": {
"bucketPolicyOnly": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"description": "If set, access checks only use bucket-level IAM policies or above."
},
"lockedTime": {
"type": "string",
"description": "The deadline time for changing iamConfiguration.bucketPolicyOnly.enabled from true to false in RFC 3339 format. iamConfiguration.bucketPolicyOnly.enabled may be changed from true to false until the locked time, after which the field is immutable.",
"format": "date-time"
}
}
}
}
},
"id": {
"type": "string",
"description": "The ID of the bucket. For buckets, the id and name properties are the same."
Expand Down Expand Up @@ -237,6 +257,10 @@
"type": "boolean",
"description": "Relevant only for versioned objects. If the value is true, this condition matches live objects; if the value is false, it matches archived objects."
},
"matchesPattern": {
"type": "string",
"description": "A regular expression that satisfies the RE2 syntax. This condition is satisfied when the name of the object matches the RE2 pattern. Note: This feature is currently in the \"Early Access\" launch stage and is only available to a whitelisted set of users; that means that this feature may be changed in backward-incompatible ways and that it is not guaranteed to be released."
},
"matchesStorageClass": {
"type": "array",
"description": "Objects having any of the storage classes specified by this condition will be matched. Values include MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, STANDARD, and DURABLE_REDUCED_AVAILABILITY.",
Expand Down Expand Up @@ -309,11 +333,11 @@
},
"retentionPolicy": {
"type": "object",
"description": "Defines the retention policy for a bucket. The Retention policy enforces a minimum retention time for all objects contained in the bucket, based on their creation time. Any attempt to overwrite or delete objects younger than the retention period will result in a PERMISSION_DENIED error. An unlocked retention policy can be modified or removed from the bucket via the UpdateBucketMetadata RPC. A locked retention policy cannot be removed or shortened in duration for the lifetime of the bucket. Attempting to remove or decrease period of a locked retention policy will result in a PERMISSION_DENIED error.",
"description": "The bucket's retention policy. The retention policy enforces a minimum retention time for all objects contained in the bucket, based on their creation time. Any attempt to overwrite or delete objects younger than the retention period will result in a PERMISSION_DENIED error. An unlocked retention policy can be modified or removed from the bucket via a storage.buckets.update operation. A locked retention policy cannot be removed or shortened in duration for the lifetime of the bucket. Attempting to remove or decrease period of a locked retention policy will result in a PERMISSION_DENIED error.",
"properties": {
"effectiveTime": {
"type": "string",
"description": "The time from which policy was enforced and effective. RFC 3339 format.",
"description": "Server-determined value that indicates the time from which policy was enforced and effective. This value is in RFC 3339 format.",
"format": "date-time"
},
"isLocked": {
Expand All @@ -322,7 +346,7 @@
},
"retentionPeriod": {
"type": "string",
"description": "Specifies the duration that objects need to be retained. Retention duration must be greater than zero and less than 100 years. Note that enforcement of retention periods less than a day is not guaranteed. Such periods should only be used for testing purposes.",
"description": "The duration in seconds that objects need to be retained. Retention duration must be greater than zero and less than 100 years. Note that enforcement of retention periods less than a day is not guaranteed. Such periods should only be used for testing purposes.",
"format": "int64"
}
}
Expand Down Expand Up @@ -565,7 +589,7 @@
},
"name": {
"type": "string",
"description": "The source object's name. The source object's bucket is implicitly the destination bucket.",
"description": "The source object's name. All source objects must reside in the same bucket.",
"annotations": {
"required": [
"storage.objects.compose"
Expand Down Expand Up @@ -743,7 +767,7 @@
},
"eventBasedHold": {
"type": "boolean",
"description": "Defines the Event-Based hold for an object. Event-Based hold is a way to retain objects indefinitely until an event occurs, signified by the hold's release. After being released, such objects will be subject to bucket-level retention (if any). One sample use case of this flag is for banks to hold loan documents for at least 3 years after loan is paid in full. Here bucket-level retention is 3 years and the event is loan being paid in full. In this example these objects will be held intact for any number of years until the event has occurred (hold is released) and then 3 more years after that."
"description": "Whether an object is under event-based hold. Event-based hold is a way to retain objects until an event occurs, which is signified by the hold's release (i.e. this value is set to false). After being released (set to false), such objects will be subject to bucket-level retention (if any). One sample use case of this flag is for banks to hold loan documents for at least 3 years after loan is paid in full. Here, bucket-level retention is 3 years and the event is the loan being paid in full. In this example, these objects will be held intact for any number of years until the event has occurred (event-based hold on the object is released) and then 3 more years after that. That means retention duration of the objects begins from the moment event-based hold transitioned from true to false."
},
"generation": {
"type": "string",
Expand All @@ -761,7 +785,7 @@
},
"kmsKeyName": {
"type": "string",
"description": "Cloud KMS Key used to encrypt this object, if the object is encrypted by such a key. Limited availability; usable only by enabled projects."
"description": "Cloud KMS Key used to encrypt this object, if the object is encrypted by such a key."
},
"md5Hash": {
"type": "string",
Expand Down Expand Up @@ -804,7 +828,7 @@
},
"retentionExpirationTime": {
"type": "string",
"description": "Specifies the earliest time that the object's retention period expires. This value is server-determined and is in RFC 3339 format. Note 1: This field is not provided for objects with an active Event-Based hold, since retention expiration is unknown until the hold is removed. Note 2: This value can be provided even when TemporaryHold is set (so that the user can reason about policy without having to first unset the TemporaryHold).",
"description": "A server-determined value that specifies the earliest time that the object's retention period expires. This value is in RFC 3339 format. Note 1: This field is not provided for objects with an active event-based hold, since retention expiration is unknown until the hold is removed. Note 2: This value can be provided even when temporary hold is set (so that the user can reason about policy without having to first unset the temporary hold).",
"format": "date-time"
},
"selfLink": {
Expand All @@ -822,7 +846,7 @@
},
"temporaryHold": {
"type": "boolean",
"description": "Defines the temporary hold for an object. This flag is used to enforce a temporary hold on an object. While it is set to true, the object is protected against deletion and overwrites. A common use case of this flag is regulatory investigations where objects need to be retained while the investigation is ongoing."
"description": "Whether an object is under temporary hold. While this flag is set to true, the object is protected against deletion and overwrites. A common use case of this flag is regulatory investigations where objects need to be retained while the investigation is ongoing. Note that unlike event-based hold, temporary hold does not impact retention expiration time of an object."
},
"timeCreated": {
"type": "string",
Expand Down Expand Up @@ -1247,7 +1271,7 @@
"id": "storage.bucketAccessControls.patch",
"path": "b/{bucket}/acl/{entity}",
"httpMethod": "PATCH",
"description": "Updates an ACL entry on the specified bucket. This method supports patch semantics.",
"description": "Patches an ACL entry on the specified bucket.",
"parameters": {
"bucket": {
"type": "string",
Expand Down Expand Up @@ -1644,7 +1668,7 @@
"id": "storage.buckets.patch",
"path": "b/{bucket}",
"httpMethod": "PATCH",
"description": "Updates a bucket. Changes to the bucket will be readable immediately after writing, but configuration changes may take time to propagate. This method supports patch semantics.",
"description": "Patches a bucket. Changes to the bucket will be readable immediately after writing, but configuration changes may take time to propagate.",
"parameters": {
"bucket": {
"type": "string",
Expand Down Expand Up @@ -2078,7 +2102,7 @@
"id": "storage.defaultObjectAccessControls.patch",
"path": "b/{bucket}/defaultObjectAcl/{entity}",
"httpMethod": "PATCH",
"description": "Updates a default object ACL entry on the specified bucket. This method supports patch semantics.",
"description": "Patches a default object ACL entry on the specified bucket.",
"parameters": {
"bucket": {
"type": "string",
Expand Down Expand Up @@ -2484,7 +2508,7 @@
"id": "storage.objectAccessControls.patch",
"path": "b/{bucket}/o/{object}/acl/{entity}",
"httpMethod": "PATCH",
"description": "Updates an ACL entry on the specified object. This method supports patch semantics.",
"description": "Patches an ACL entry on the specified object.",
"parameters": {
"bucket": {
"type": "string",
Expand Down Expand Up @@ -2596,7 +2620,7 @@
"parameters": {
"destinationBucket": {
"type": "string",
"description": "Name of the bucket in which to store the new object.",
"description": "Name of the bucket containing the source objects. The destination object is stored in this bucket.",
"required": true,
"location": "path"
},
Expand Down Expand Up @@ -3044,7 +3068,7 @@
},
"kmsKeyName": {
"type": "string",
"description": "Resource name of the Cloud KMS key, of the form projects/my-project/locations/global/keyRings/my-kr/cryptoKeys/my-key, that will be used to encrypt the object. Overrides the object metadata's kms_key_name value, if any. Limited availability; usable only by enabled projects.",
"description": "Resource name of the Cloud KMS key, of the form projects/my-project/locations/global/keyRings/my-kr/cryptoKeys/my-key, that will be used to encrypt the object. Overrides the object metadata's kms_key_name value, if any.",
"location": "query"
},
"name": {
Expand Down Expand Up @@ -3140,6 +3164,11 @@
"description": "Returns results in a directory-like mode. items will contain only objects whose names, aside from the prefix, do not contain delimiter. Objects whose names, aside from the prefix, contain delimiter will have their name, truncated after the delimiter, returned in prefixes. Duplicate prefixes are omitted.",
"location": "query"
},
"includeTrailingDelimiter": {
"type": "boolean",
"description": "If true, objects that end in exactly one instance of delimiter will have their metadata included in items in addition to prefixes.",
"location": "query"
},
"maxResults": {
"type": "integer",
"description": "Maximum number of items plus prefixes to return in a single page of responses. As duplicate prefixes are omitted, fewer total results may be returned than requested. The service will use this parameter or 1,000 items, whichever is smaller.",
Expand Down Expand Up @@ -3677,6 +3706,11 @@
"description": "Returns results in a directory-like mode. items will contain only objects whose names, aside from the prefix, do not contain delimiter. Objects whose names, aside from the prefix, contain delimiter will have their name, truncated after the delimiter, returned in prefixes. Duplicate prefixes are omitted.",
"location": "query"
},
"includeTrailingDelimiter": {
"type": "boolean",
"description": "If true, objects that end in exactly one instance of delimiter will have their metadata included in items in addition to prefixes.",
"location": "query"
},
"maxResults": {
"type": "integer",
"description": "Maximum number of items plus prefixes to return in a single page of responses. As duplicate prefixes are omitted, fewer total results may be returned than requested. The service will use this parameter or 1,000 items, whichever is smaller.",
