storage: add bucket policy only samples (GoogleCloudPlatform#858)

Author: frankyn

storage/README.md

@@ -41,6 +41,7 @@ This simple command-line application demonstrates how to invoke Google Cloud Sto
     object-acl          Manage the ACL for Cloud Storage objects
     objects             Manage Cloud Storage objects
     requester-pays      Manage Cloud Storage requester pays buckets and objects
+    bucket-policy-only  Manage Cloud Storage bucket policy only buckets
     ```
 6. Run `php storage.php COMMAND --help` to print information about the usage of each command.
 

storage/composer.json

@@ -18,11 +18,13 @@
             "src/delete_bucket_default_acl.php",
             "src/delete_object.php",
             "src/delete_object_acl.php",
+            "src/disable_bucket_policy_only.php",
             "src/disable_default_event_based_hold.php",
             "src/disable_requester_pays.php",
             "src/download_encrypted_object.php",
             "src/download_file_requester_pays.php",
             "src/download_object.php",
+            "src/enable_bucket_policy_only.php",
             "src/enable_default_event_based_hold.php",
             "src/enable_default_kms_key.php",
             "src/enable_requester_pays.php",
@@ -32,6 +34,7 @@
             "src/get_bucket_default_acl.php",
             "src/get_bucket_default_acl_for_entity.php",
             "src/get_bucket_labels.php",
+            "src/get_bucket_policy_only.php",
             "src/get_object_acl.php",
             "src/get_object_acl_for_entity.php",
             "src/get_requester_pays_status.php",

storage/src/disable_bucket_policy_only.php

@@ -0,0 +1,49 @@
+
+/**
+ * Copyright 2019 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * For instructions on how to run the full sample:
+ *
+ * @see https://github.com/GoogleCloudPlatform/php-docs-samples/tree/master/storage/README.md
+ */
+
+namespace Google\Cloud\Samples\Storage;
+
+# [START storage_disable_bucket_policy_only]
+use Google\Cloud\Storage\StorageClient;
+
+/**
+ * Enable Bucket Policy Only.
+ *
+ * @param string $bucketName Name of your Google Cloud Storage bucket.
+ *
+ * @return void
+ */
+function disable_bucket_policy_only($bucketName)
+{
+    $storage = new StorageClient();
+    $bucket = $storage->bucket($bucketName);
+    $bucket->update([
+        'iamConfiguration' => [
+            'bucketPolicyOnly' => [
+              'enabled' => false
+            ]
+        ]
+    ]);
+    printf('Bucket Policy Only was disabled for %s' . PHP_EOL, $bucketName);
+}
+# [END storage_disable_bucket_policy_only]

storage/src/enable_bucket_policy_only.php

@@ -0,0 +1,49 @@
+
+/**
+ * Copyright 2019 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * For instructions on how to run the full sample:
+ *
+ * @see https://github.com/GoogleCloudPlatform/php-docs-samples/tree/master/storage/README.md
+ */
+
+namespace Google\Cloud\Samples\Storage;
+
+# [START storage_enable_bucket_policy_only]
+use Google\Cloud\Storage\StorageClient;
+
+/**
+ * Enable Bucket Policy Only.
+ *
+ * @param string $bucketName Name of your Google Cloud Storage bucket.
+ *
+ * @return void
+ */
+function enable_bucket_policy_only($bucketName)
+{
+    $storage = new StorageClient();
+    $bucket = $storage->bucket($bucketName);
+    $bucket->update([
+        'iamConfiguration' => [
+            'bucketPolicyOnly' => [
+              'enabled' => true
+            ]
+        ]
+    ]);
+    printf('Bucket Policy Only was enabled for %s' . PHP_EOL, $bucketName);
+}
+# [END storage_enable_bucket_policy_only]

storage/src/get_bucket_policy_only.php

@@ -0,0 +1,49 @@
+
+/**
+ * Copyright 2019 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * For instructions on how to run the full sample:
+ *
+ * @see https://github.com/GoogleCloudPlatform/php-docs-samples/tree/master/storage/README.md
+ */
+
+namespace Google\Cloud\Samples\Storage;
+
+# [START storage_get_bucket_policy_only]
+use Google\Cloud\Storage\StorageClient;
+
+/**
+ * Enable Bucket Policy Only.
+ *
+ * @param string $bucketName Name of your Google Cloud Storage bucket.
+ *
+ * @return void
+ */
+function get_bucket_policy_only($bucketName)
+{
+    $storage = new StorageClient();
+    $bucket = $storage->bucket($bucketName);
+    $bucketInformation = $bucket->info();
+    $bucketPolicyOnly = $bucketInformation['iamConfiguration']['bucketPolicyOnly'];
+    if ($bucketPolicyOnly['enabled']) {
+        printf('Bucket Policy Only is enabled for %s' . PHP_EOL, $bucketName);
+        printf('Bucket Policy Only will be locked on %s' . PHP_EOL, $bucketPolicyOnly['LockedTime']);
+    } else {
+        printf('Bucket Policy Only is disabled for %s' . PHP_EOL, $bucketName);
+    }
+}
+# [END storage_get_bucket_policy_only]

storage/storage.php

@@ -402,6 +402,32 @@
         }
     });
 
+$application->add(new Command('bucket-policy-only'))
+    ->setDescription('Manage Cloud Storage bucket policy only buckets.')
+    ->setHelp(<<
+The %command.name% command manages Cloud Storage bucket policy only buckets.
+
+php %command.full_name% --help
+
+EOF
+    )
+    ->addArgument('bucket', InputArgument::REQUIRED, 'The Cloud Storage Bucket Policy Only bucket name')
+    ->addOption('enable', null, InputOption::VALUE_NONE, 'Enable Bucket Policy Only on a Cloud Storage bucket')
+    ->addOption('disable', null, InputOption::VALUE_NONE, 'Disable Bucket Policy Only on a Cloud Storage bucket')
+    ->addOption('get', null, InputOption::VALUE_NONE, 'Get Bucket Policy Only on a Cloud Storage bucekt')
+    ->setCode(function ($input, $output) {
+        $bucketName = $input->getArgument('bucket');
+        if ($input->getOption('enable')) {
+            enable_bucket_policy_only($bucketName);
+        } elseif ($input->getOption('disable')) {
+            disable_bucket_policy_only($bucketName);
+        } elseif ($input->getOption('get')) {
+            get_bucket_policy_only($bucketName);
+        } else {
+            throw new \Exception('You must provide --enable, --disable, or --get with a bucket name.');
+        }
+    });
+
 $application->add(new Command('enable-default-kms-key'))
     ->setDescription('Enable default KMS encryption for a bucket.')
     ->setHelp(<<

storage/test/BucketPolicyOnlyCommandTest.php

@@ -0,0 +1,124 @@
+
+/**
+ * Copyright 2019 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+namespace Google\Cloud\Samples\Storage\Tests;
+
+use Google\Cloud\Storage\StorageClient;
+use Symfony\Component\Console\Tester\CommandTester;
+
+/**
+ * Unit Tests for BucketPolicyOnlyCommand.
+ */
+class BucketPolicyOnlyCommandTest extends \PHPUnit_Framework_TestCase
+{
+    protected static $hasCredentials;
+    protected $commandTester;
+    protected $storage;
+    protected $bucket;
+
+    public static function setUpBeforeClass()
+    {
+        $path = getenv('GOOGLE_APPLICATION_CREDENTIALS');
+        self::$hasCredentials = $path && file_exists($path) &&
+            filesize($path) > 0;
+    }
+
+    public function setUp()
+    {
+        // Sleep to avoid the rate limit for creating/deleting.
+        sleep(5 + rand(2, 4));
+        $application = require __DIR__ . '/../storage.php';
+        $this->commandTester = new CommandTester($application->get('bucket-policy-only'));
+        $this->storage = new StorageClient();
+        if (!self::$hasCredentials) {
+            $this->markTestSkipped('No application credentials were found.');
+        }
+
+        // Append random because tests for multiple PHP versions were running at the same time.
+        $bucketName = 'php-bucket-policy-only-' . time() . '-' . rand(1000, 9999);
+        $this->bucket = $this->storage->createBucket($bucketName);
+    }
+
+    public function tearDown()
+    {
+        $this->bucket->delete();
+    }
+
+    public function testEnableBucketPolicyOnly()
+    {
+        $this->commandTester->execute(
+          [
+              'bucket' => $this->bucket->name(),
+              '--enable' => true,
+          ],
+          ['interactive' => false]
+        );
+        $outputString = <<
+Bucket Policy Only was enabled for {$this->bucket->name()}
+
+EOF;
+        $this->expectOutputString($outputString);
+        $this->bucket->reload();
+        $bucketInformation = $this->bucket->info();
+        $bucketPolicyOnly = $bucketInformation['iamConfiguration']['bucketPolicyOnly'];
+        $this->assertTrue($bucketPolicyOnly['enabled']);
+    }
+
+    /** @depends testEnableBucketPolicyOnly */
+    public function testDisableBucketPolicyOnly()
+    {
+        $this->commandTester->execute(
+          [
+              'bucket' => $this->bucket->name(),
+              '--disable' => true,
+          ],
+          ['interactive' => false]
+        );
+
+        $outputString = <<
+Bucket Policy Only was disabled for {$this->bucket->name()}
+
+EOF;
+        $this->expectOutputString($outputString);
+        $this->bucket->reload();
+        $bucketInformation = $this->bucket->info();
+        $bucketPolicyOnly = $bucketInformation['iamConfiguration']['bucketPolicyOnly'];
+        $this->assertFalse($bucketPolicyOnly['enabled']);
+    }
+
+    /** @depends testDisableBucketPolicyOnly */
+    public function testGetBucketPolicyOnly()
+    {
+        $this->commandTester->execute(
+          [
+              'bucket' => $this->bucket->name(),
+              '--get' => true,
+          ],
+          ['interactive' => false]
+        );
+
+        $outputString = <<
+Bucket Policy Only is disabled for {$this->bucket->name()}
+
+EOF;
+        $this->expectOutputString($outputString);
+        $this->bucket->reload();
+        $bucketInformation = $this->bucket->info();
+        $bucketPolicyOnly = $bucketInformation['iamConfiguration']['bucketPolicyOnly'];
+        $this->assertFalse($bucketPolicyOnly['enabled']);
+    }
+}

storage/test/IamCommandTest.php

@@ -18,6 +18,7 @@
 namespace Google\Cloud\Samples\Storage\Tests;
 
 use Google\Cloud\Samples\Storage\IamCommand;
+use Google\Cloud\Core\Iam\PolicyBuilder;
 use Google\Cloud\Storage\StorageClient;
 use Symfony\Component\Console\Tester\CommandTester;
 
@@ -59,6 +60,18 @@ public function testAddBucketIamMember()
         $bucket = $this->bucket;
         $role = 'roles/storage.objectViewer';
         $user = $this->user;
+
+        // clean up bucket IAM policy
+        $policy = $this->storage->bucket($bucket)->iam()->policy();
+        foreach ($policy['bindings'] as $binding) {
+            if ($binding['role'] == $role && in_array($user, $binding['members'])) {
+                $policyBuilder = new PolicyBuilder($policy);
+                $policyBuilder->removeBinding($role, [$user]);
+                $this->storage->bucket($bucket)->iam()->setPolicy($policyBuilder->result());
+                break;
+            }
+        }
+
         $this->commandTester->execute(
             [
                 'bucket' => $bucket,