samples(storage): IAM conditions samples (GoogleCloudPlatform#1018)

Author: jkwlui

storage/composer.json

@@ -1,12 +1,13 @@
 {
     "require": {
-        "google/cloud-storage": "^1.14.0",
+        "google/cloud-storage": "^1.18.0",
         "paragonie/random_compat": "^2.0",
         "symfony/console": " ^3.0"
     },
     "autoload": {
         "files": [
             "src/add_bucket_acl.php",
+            "src/add_bucket_conditional_iam_binding.php",
             "src/add_bucket_default_acl.php",
             "src/add_bucket_iam_member.php",
             "src/add_bucket_label.php",

storage/src/add_bucket_conditional_iam_binding.php

@@ -0,0 +1,74 @@
+
+/**
+ * Copyright 2020 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * For instructions on how to run the full sample:
+ *
+ * @see https://github.com/GoogleCloudPlatform/php-docs-samples/tree/master/storage/README.md
+ */
+
+namespace Google\Cloud\Samples\Storage;
+
+# [START add_bucket_conditional_iam_binding]
+use Google\Cloud\Storage\StorageClient;
+
+/**
+ * Adds a conditional IAM binding to a bucket's IAM policy.
+ *
+ * @param string $bucketName the name of your Cloud Storage bucket.
+ * @param string $role the role that will be given to members in this binding.
+ * @param string[] $members the member(s) that is associated to this binding.
+ * @param string $title condition's title
+ * @param string $description condition's description
+ * @param string $expression the condition specified in CEL expression language.
+ *
+ * To see how to express a condition in CEL, visit:
+ * @see https://cloud.google.com/storage/docs/access-control/iam#conditions.
+ *
+ * @return void
+ */
+function add_bucket_conditional_iam_binding($bucketName, $role, $members, $title, $description, $expression)
+{
+    $storage = new StorageClient();
+    $bucket = $storage->bucket($bucketName);
+
+    $policy = $bucket->iam()->policy(['requestedPolicyVersion' => 3]);
+
+    $policy['version'] = 3;
+
+    $policy['bindings'][] = [
+        'role' => $role,
+        'members' => $members,
+        'condition' => [
+            'title' => $title,
+            'description' => $description,
+            'expression' => $expression,
+        ],
+    ];
+
+    $bucket->iam()->setPolicy($policy);
+
+    printf('Added the following member(s) with role %s to %s:' . PHP_EOL, $role, $bucketName);
+    foreach ($members as $member) {
+        printf('    %s' . PHP_EOL, $member);
+    }
+    printf('with condition:' . PHP_EOL);
+    printf('    Title: %s' . PHP_EOL, $title);
+    printf('    Description: %s' . PHP_EOL, $description);
+    printf('    Expression: %s' . PHP_EOL, $expression);
+}
+# [END add_bucket_conditional_iam_binding]

storage/src/add_bucket_iam_member.php

@@ -31,25 +31,29 @@
  *
  * @param string $bucketName the name of your Cloud Storage bucket.
  * @param string $role the role you want to add a given member to.
- * @param string $member the member you want to give the new role for the Cloud
+ * @param string[] $members the member(s) you want to give the new role for the Cloud
  * Storage bucket.
  *
  * @return void
  */
-function add_bucket_iam_member($bucketName, $role, $member)
+function add_bucket_iam_member($bucketName, $role, $members)
 {
     $storage = new StorageClient();
     $bucket = $storage->bucket($bucketName);
 
-    $policy = $bucket->iam()->policy();
+    $policy = $bucket->iam()->policy(['requestedPolicyVersion' => 3]);
+    $policy['version'] = 3;
 
     $policy['bindings'][] = [
         'role' => $role,
-        'members' => [$member]
+        'members' => $members
     ];
 
     $bucket->iam()->setPolicy($policy);
 
-    printf('User %s added to role %s for bucket %s' . PHP_EOL, $member, $role, $bucketName);
+    printf('Added the following member(s) to role %s for bucket %s' . PHP_EOL, $role, $bucketName);
+    foreach ($members as $member) {
+        printf('    %s' . PHP_EOL, $member);
+    }
 }
 # [END add_bucket_iam_member]

storage/src/remove_bucket_iam_member.php

@@ -24,7 +24,6 @@
 namespace Google\Cloud\Samples\Storage;
 
 # [START remove_bucket_iam_member]
-use Google\Cloud\Core\Iam\PolicyBuilder;
 use Google\Cloud\Storage\StorageClient;
 
 /**
@@ -40,11 +39,30 @@ function remove_bucket_iam_member($bucketName, $role, $member)
 {
     $storage = new StorageClient();
     $bucket = $storage->bucket($bucketName);
-    $policy = $bucket->iam()->policy();
-    $policyBuilder = new PolicyBuilder($policy);
-    $policyBuilder->removeBinding($role, [$member]);
+    $iam = $bucket->iam();
+    $policy = $iam->policy(['requestedPolicyVersion' => 3]);
+    $policy['version'] = 3;
 
-    $bucket->iam()->setPolicy($policyBuilder->result());
-    printf('User %s removed from role %s for bucket %s' . PHP_EOL, $member, $role, $bucketName);
+    foreach ($policy['bindings'] as $i => $binding) {
+        // This example only removes member from bindings without a condition.
+        if ($binding['role'] == $role && !isset($binding['condition'])) {
+            $key = array_search($member, $binding['members']);
+            if ($key !== false) {
+                unset($binding['members'][$key]);
+
+                // If the last member is removed from the binding, clean up
+                // the binding.
+                if (count($binding['members']) == 0) {
+                    unset($policy['bindings'][$i]);
+                }
+
+                $iam->setPolicy($policy);
+                printf('User %s removed from role %s for bucket %s' . PHP_EOL, $member, $role, $bucketName);
+                return;
+            }
+        }
+    }
+
+    throw new \RuntimeException('No matching role-member group(s) found.');
 }
 # [END remove_bucket_iam_member]

storage/src/view_bucket_iam_members.php

@@ -38,7 +38,7 @@ function view_bucket_iam_members($bucketName)
     $storage = new StorageClient();
     $bucket = $storage->bucket($bucketName);
 
-    $policy = $bucket->iam()->policy();
+    $policy = $bucket->iam()->policy(['requestedPolicyVersion' => 3]);
 
     printf('Printing Bucket IAM members for Bucket: %s' . PHP_EOL, $bucketName);
     printf(PHP_EOL);
@@ -49,6 +49,14 @@ function view_bucket_iam_members($bucketName)
         foreach ($binding['members'] as $member) {
             printf('  %s' . PHP_EOL, $member);
         }
+
+        if (isset($binding['condition'])) {
+            $condition = $binding['condition'];
+            printf('  with condition:' . PHP_EOL);
+            printf('    Title: %s' . PHP_EOL, $condition['title']);
+            printf('    Description: %s' . PHP_EOL, $condition['description']);
+            printf('    Expression: %s' . PHP_EOL, $condition['expression']);
+        }
         printf(PHP_EOL);
     }
 }

storage/storage.php

@@ -265,26 +265,37 @@
 
 php %command.full_name% my-bucket
 
-php %command.full_name% my-bucket --role my-role --add-member user/test@email.com
+php %command.full_name% my-bucket --role my-role --add-member user:[email protected] --add-member user:test2@email.com
 
-php %command.full_name% my-bucket --role my-role --remove-member user/[email protected]
+php %command.full_name% my-bucket --role my-role --remove-member user:[email protected]
 
 EOF
     )
     ->addArgument('bucket', InputArgument::REQUIRED, 'The bucket that you want to change IAM for. ')
     ->addOption('role', null, InputOption::VALUE_REQUIRED, 'The new role to add to a bucket. ')
-    ->addOption('add-member', null, InputOption::VALUE_REQUIRED, 'The new member to add with the new role to the bucket. ')
+    ->addOption('add-member', null, InputOption::VALUE_REQUIRED | InputOption::VALUE_IS_ARRAY, "The new member(s) to add with the new role to the bucket. ")
     ->addOption('remove-member', null, InputOption::VALUE_REQUIRED, 'The member to remove from a role for a bucket. ')
+    ->addOption('title', null, InputOption::VALUE_REQUIRED, 'Optional. A title for the condition, if --expression is used. ')
+    ->addOption('description', null, InputOption::VALUE_REQUIRED, 'Optional. A description for the condition, if --expression is used. ')
+    ->addOption('expression', null, InputOption::VALUE_REQUIRED, 'Add the role/members pair with an IAM condition expression. ')
     ->setCode(function ($input, $output) {
         $bucketName = $input->getArgument('bucket');
         $role = $input->getOption('role');
-        $addMember = $input->getOption('add-member');
+        $members = $input->getOption('add-member');
         $removeMember = $input->getOption('remove-member');
-        if ($addMember) {
+        $expression = $input->getOption('expression');
+        $title = $input->getOption('title');
+        $description = $input->getOption('description');
+        if ($members) {
             if (!$role) {
                 throw new InvalidArgumentException('Must provide role as an option.');
             }
-            add_bucket_iam_member($bucketName, $role, $addMember);
+
+            if ($expression) {
+                add_bucket_conditional_iam_binding($bucketName, $role, $members, $title, $description, $expression);
+            } else {
+                add_bucket_iam_member($bucketName, $role, $members);
+            }
         } elseif ($removeMember) {
             if (!$role) {
                 throw new InvalidArgumentException('Must provide role as an option.');