[PF-702] Add testIamPermissions to storage wrapper (#96)

* add testIamPermissions to storage wrapper * spotless * Fix comment * pr comments * rename operation, pr comment
DataBiosphere · Jun 3, 2021 · da65c05 · da65c05
1 parent 5cb870d
commit da65c05
Show file tree

Hide file tree

Showing 7 changed files with 68 additions and 13 deletions.
diff --git a/google-storage/gradle.properties b/google-storage/gradle.properties
@@ -1,3 +1,3 @@
 # Please update platform to consume version updates, see here for more:
 # https://github.com/DataBiosphere/terra-cloud-resource-lib#publishing-an-update
-version = 0.12.0
+version = 0.13.0
diff --git a/google-storage/src/main/java/bio/terra/cloudres/google/storage/StorageCow.java b/google-storage/src/main/java/bio/terra/cloudres/google/storage/StorageCow.java
@@ -8,7 +8,11 @@
 import com.google.cloud.Policy;
 import com.google.cloud.WriteChannel;
 import com.google.cloud.storage.*;
+import com.google.cloud.storage.Storage.BucketSourceOption;
+import com.google.common.annotations.VisibleForTesting;
+import com.google.gson.JsonArray;
 import com.google.gson.JsonObject;
+import java.util.List;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -145,7 +149,7 @@ public boolean deleteAcl(BlobId blob, Acl.Entity entity) {
   /** See {@link Storage#setIamPolicy(String, Policy, Storage.BucketSourceOption...)}. */
   public Policy setIamPolicy(String bucket, Policy policy) {
     return operationAnnotator.executeCowOperation(
-        StorageOperation.GOOGLE_SET_IAM_POLICY,
+        StorageOperation.GOOGLE_SET_IAM_POLICY_BUCKET,
         () -> storage.setIamPolicy(bucket, policy),
         () -> {
           JsonObject request = new JsonObject();
@@ -158,11 +162,32 @@ public Policy setIamPolicy(String bucket, Policy policy) {
   /** See {@link Storage#getIamPolicy(String, Storage.BucketSourceOption...)}. */
   public Policy getIamPolicy(String bucket) {
     return operationAnnotator.executeCowOperation(
-        StorageOperation.GOOGLE_GET_IAM_POLICY,
+        StorageOperation.GOOGLE_GET_IAM_POLICY_BUCKET,
         () -> storage.getIamPolicy(bucket),
         () -> serializeBucketName(bucket));
   }
 
+  /** See {@link Storage#testIamPermissions(String, List, BucketSourceOption...)}. */
+  public List<Boolean> testIamPermissions(String bucket, List<String> permissions) {
+    return operationAnnotator.executeCowOperation(
+        StorageOperation.GOOGLE_TEST_IAM_PERMISSIONS_BUCKET,
+        () -> storage.testIamPermissions(bucket, permissions),
+        serializeTestIamPermissions(bucket, permissions));
+  }
+
+  @VisibleForTesting
+  OperationAnnotator.CowSerialize serializeTestIamPermissions(
+      String bucket, List<String> permissions) {
+    return () -> {
+      JsonObject request = new JsonObject();
+      JsonArray serializedPermissions = new JsonArray();
+      permissions.forEach(serializedPermissions::add);
+      request.add("bucket", serializeBucketName(bucket));
+      request.add("permissions", serializedPermissions);
+      return request;
+    };
+  }
+
   /** See {@link Storage#writer(BlobInfo, Storage.BlobWriteOption...)} */
   public WriteChannel writer(BlobInfo blobInfo) {
     CleanupRecorder.record(SerializeUtils.create(blobInfo.getBlobId()), clientConfig);

diff --git a/google-storage/src/main/java/bio/terra/cloudres/google/storage/StorageOperation.java b/google-storage/src/main/java/bio/terra/cloudres/google/storage/StorageOperation.java
@@ -11,14 +11,15 @@ public enum StorageOperation implements CloudOperation {
   GOOGLE_CREATE_BUCKET,
   GOOGLE_GET_ACL_BLOB,
   GOOGLE_GET_BLOB,
-  GOOGLE_GET_IAM_POLICY,
+  GOOGLE_GET_IAM_POLICY_BUCKET,
   GOOGLE_LIST_BLOB,
   GOOGLE_GET_BUCKET,
   GOOGLE_DELETE_ACL_BLOB,
   GOOGLE_DELETE_BLOB,
   GOOGLE_DELETE_BUCKET,
   GOOGLE_READ_BLOB,
-  GOOGLE_SET_IAM_POLICY,
+  GOOGLE_SET_IAM_POLICY_BUCKET,
+  GOOGLE_TEST_IAM_PERMISSIONS_BUCKET,
   GOOGLE_UPDATE_BUCKET_ACL,
   GOOGLE_UPDATE_BUCKET;
 }
diff --git a/google-storage/src/test/java/bio/terra/cloudres/google/storage/StorageCowTest.java b/google-storage/src/test/java/bio/terra/cloudres/google/storage/StorageCowTest.java
@@ -3,6 +3,7 @@
 import static bio.terra.cloudres.google.storage.StorageIntegrationUtils.*;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.junit.Assert.*;
+import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import bio.terra.cloudres.common.cleanup.CleanupRecorder;
@@ -145,6 +146,16 @@ public void setBucketIamPolicy() throws Exception {
             .addIdentity(StorageRoles.objectCreator(), expectedIdentity)
             .build());
 
+    StorageCow testUserCow = StorageIntegrationUtils.testUserStorageCow();
+    // StorageRoles.objectCreator() does grant storage.objects.create, but not storage.objects.get
+    List<String> expectedPermissions =
+        ImmutableList.of("storage.objects.create", "storage.objects.get");
+    List<Boolean> testedPermissions =
+        testUserCow.testIamPermissions(bucketName, expectedPermissions);
+    assertEquals(2, testedPermissions.size());
+    assertTrue(testedPermissions.get(0));
+    assertFalse(testedPermissions.get(1));
+
     Policy postUpdatePolicy = storageCow.getIamPolicy(bucketName);
     assertThat(
         postUpdatePolicy.getBindings().get(StorageRoles.objectCreator()),
@@ -174,4 +185,14 @@ public void blobWriter() throws Exception {
                         .bucketName(blobId.getBucket()))));
     assertTrue(storageCow.delete(blobId));
   }
+
+  @Test
+  public void serializeTestIamPermissions() {
+    StorageCow storageCow = StorageIntegrationUtils.defaultStorageCow();
+    String bucket = "my-bucket";
+    List<String> permissions = ImmutableList.of("storage.objects.create", "storage.objects.get");
+    assertEquals(
+        "{\"bucket\":{\"bucket_name\":\"my-bucket\"},\"permissions\":[\"storage.objects.create\",\"storage.objects.get\"]}",
+        storageCow.serializeTestIamPermissions(bucket, permissions).serializeRequest().toString());
+  }
 }
diff --git a/google-storage/src/test/java/bio/terra/cloudres/google/storage/StorageIntegrationUtils.java b/google-storage/src/test/java/bio/terra/cloudres/google/storage/StorageIntegrationUtils.java
@@ -25,15 +25,23 @@ class StorageIntegrationUtils {
   private StorageIntegrationUtils() {}
 
   static StorageCow defaultStorageCow() {
-    return new StorageCow(IntegrationUtils.DEFAULT_CLIENT_CONFIG, defaultStorageOptions());
-  }
-
-  static StorageOptions defaultStorageOptions() {
     ServiceAccountCredentials googleCredentials =
         IntegrationCredentials.getAdminGoogleCredentialsOrDie();
+    return new StorageCow(
+        IntegrationUtils.DEFAULT_CLIENT_CONFIG, buildStorageOptions(googleCredentials));
+  }
+
+  static StorageCow testUserStorageCow() {
+    ServiceAccountCredentials userCredentials =
+        IntegrationCredentials.getUserGoogleCredentialsOrDie();
+    return new StorageCow(
+        IntegrationUtils.DEFAULT_CLIENT_CONFIG, buildStorageOptions(userCredentials));
+  }
+
+  static StorageOptions buildStorageOptions(ServiceAccountCredentials credentials) {
     return StorageOptions.newBuilder()
-        .setCredentials(googleCredentials)
-        .setProjectId(googleCredentials.getProjectId())
+        .setCredentials(credentials)
+        .setProjectId(credentials.getProjectId())
         .build();
   }
 

diff --git a/platform/build.gradle b/platform/build.gradle
@@ -19,7 +19,7 @@ dependencies {
     api group: 'bio.terra.cloud-resource-lib', name: 'google-iam', version: '0.10.0'
     api group: 'bio.terra.cloud-resource-lib', name: 'google-notebooks', version: '0.8.0'
     api group: 'bio.terra.cloud-resource-lib', name: 'google-serviceusage', version: '0.10.0'
-    api group: 'bio.terra.cloud-resource-lib', name: 'google-storage', version: '0.12.0'
+    api group: 'bio.terra.cloud-resource-lib', name: 'google-storage', version: '0.13.0'
   }
 }
 

diff --git a/platform/gradle.properties b/platform/gradle.properties
@@ -1 +1 @@
-version = 0.1.0
+version = 0.2.0