feat: add remove conditional iam binding (GoogleCloudPlatform#1045)

frankyn · web-flow · commit 34cb3b4ba235 · 2020-03-18T21:16:07.000Z
diff --git a/storage/composer.json b/storage/composer.json
@@ -61,6 +61,7 @@
             "src/release_event_based_hold.php",
             "src/release_temporary_hold.php",
             "src/remove_bucket_iam_member.php",
+            "src/remove_bucket_conditional_iam_binding.php",
             "src/remove_bucket_label.php",
             "src/remove_retention_policy.php",
             "src/rotate_encryption_key.php",
diff --git a/storage/src/remove_bucket_conditional_iam_binding.php b/storage/src/remove_bucket_conditional_iam_binding.php
@@ -0,0 +1,73 @@
+<?php
+/**
+ * Copyright 2020 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * For instructions on how to run the full sample:
+ *
+ * @see https://github.com/GoogleCloudPlatform/php-docs-samples/tree/master/storage/README.md
+ */
+
+namespace Google\Cloud\Samples\Storage;
+
+# [START storage_remove_bucket_conditional_iam_binding]
+use Google\Cloud\Storage\StorageClient;
+
+/**
+ * Removes a conditional IAM binding from a bucket's IAM policy.
+ *
+ * @param string $bucketName the name of your Cloud Storage bucket.
+ * @param string $role the role that will be given to members in this binding.
+ * @param string $title condition's title
+ * @param string $description condition's description
+ * @param string $expression the condition specified in CEL expression language.
+ *
+ * To see how to express a condition in CEL, visit:
+ * @see https://cloud.google.com/storage/docs/access-control/iam#conditions.
+ *
+ * @return void
+ */
+function remove_bucket_conditional_iam_binding($bucketName, $role, $members, $title, $description, $expression)
+{
+    $storage = new StorageClient();
+    $bucket = $storage->bucket($bucketName);
+
+    $policy = $bucket->iam()->policy(['requestedPolicyVersion' => 3]);
+
+    $policy['version'] = 3;
+
+    $key_of_conditional_binding = null;
+    foreach ($policy['bindings'] as $key => $binding) {
+        if ($binding['role'] == $role && $binding['condition'] != null) {
+            $condition = $binding['condition'];
+            if ($condition['title'] == $title
+                 && $condition['description'] == description
+                 && $condition['expression'] == expression) {
+                $key_of_conditional_binding = $key;
+                break;
+            }
+        }
+    }
+
+    if ($key_of_conditional_binding != null) {
+        unset($policy['bindings'][$key_of_conditional_binding]);
+        $bucket->iam()->setPolicy($policy);
+        print('Conditional Binding was removed.' . PHP_EOL);
+    } else {
+        print('No matching conditional binding found.' . PHP_EOL);
+    }
+}
+# [END storage_remove_bucket_conditional_iam_binding]
diff --git a/storage/storage.php b/storage/storage.php
@@ -269,12 +269,15 @@
 
 <info>php %command.full_name% my-bucket --role my-role --remove-member user:test@email.com</info>
 
+<info>php %command.full_name% my-bucket --role my-role --remove-binding --title cond-title --description cond-description --expression cond-expression</info>
+
 EOF
     )
     ->addArgument('bucket', InputArgument::REQUIRED, 'The bucket that you want to change IAM for. ')
     ->addOption('role', null, InputOption::VALUE_REQUIRED, 'The new role to add to a bucket. ')
     ->addOption('add-member', null, InputOption::VALUE_REQUIRED | InputOption::VALUE_IS_ARRAY, "The new member(s) to add with the new role to the bucket. ")
     ->addOption('remove-member', null, InputOption::VALUE_REQUIRED, 'The member to remove from a role for a bucket. ')
+    ->addOption('remove-binding', null, InputOption::VALUE_NONE, 'Remove conditional policy')
     ->addOption('title', null, InputOption::VALUE_REQUIRED, 'Optional. A title for the condition, if --expression is used. ')
     ->addOption('description', null, InputOption::VALUE_REQUIRED, 'Optional. A description for the condition, if --expression is used. ')
     ->addOption('expression', null, InputOption::VALUE_REQUIRED, 'Add the role/members pair with an IAM condition expression. ')
@@ -283,6 +286,7 @@
         $role = $input->getOption('role');
         $members = $input->getOption('add-member');
         $removeMember = $input->getOption('remove-member');
+        $removeBinding = $input->getOption('remove-binding');
         $expression = $input->getOption('expression');
         $title = $input->getOption('title');
         $description = $input->getOption('description');
@@ -301,6 +305,20 @@
                 throw new InvalidArgumentException('Must provide role as an option.');
             }
             remove_bucket_iam_member($bucketName, $role, $removeMember);
+        } elseif ($removeBinding) {
+            if (!$role) {
+                throw new InvalidArgumentException('Must provide role as an option.');
+            }
+            if (!$title) {
+                throw new InvalidArgumentException('Must provide title as an option.');
+            }
+            if (!$description) {
+                throw new InvalidArgumentException('Must provide description as an option.');
+            }
+            if (!$expression) {
+                throw new InvalidArgumentException('Must provide expression as an option.');
+            }
+            remove_bucket_conditional_iam_binding($bucket_name, $role, $title, $description, $expression);
         } else {
             view_bucket_iam_members($bucketName);
         }
diff --git a/storage/test/IamCommandTest.php b/storage/test/IamCommandTest.php
@@ -214,4 +214,45 @@ public function testRemoveBucketIamMember()
         }
         $this->assertFalse($foundRoleMember);
     }
+
+    /**
+     * @depends testAddBucketConditionalIamBinding
+     * @depends testListIamMembers
+     */
+    public function testRemoveBucketConditionalIamBinding()
+    {
+        $role = 'roles/storage.objectViewer';
+        $title = 'always true';
+        $description = 'this condition is always true';
+        $expression = '1 < 2';
+        $output = $this->runCommand('iam', [
+            'bucket' => self::$bucket,
+            '--role' => 'roles/storage.objectViewer',
+            '--remove-binding' => true,
+            '--title' => $title,
+            '--description' => $description,
+            '--expression' => $expression
+        ]);
+
+        $outputString = sprintf('Conditional Binding was removed.');
+
+        $this->assertStringContainsString($outputString, $output);
+
+        $foundBinding = false;
+        $policy = self::$storage->bucket(self::$bucket)->iam()->policy([
+            'requestedPolicyVersion' => 3
+        ]);
+        foreach ($policy['bindings'] as $binding) {
+            if ($binding['role'] == $role && $binding['condition'] != null) {
+                $condition = $binding['condition'];
+                if ($condition['title'] == $title
+                     && $condition['description'] == $description
+                     && $condition['expression'] == $expression) {
+                    $foundRoleMember = true;
+                    break;
+                }
+            }
+        }
+        $this->assertFalse($foundBinding);
+    }
 }
