diff --git a/storage/addBucketConditionalBinding.js b/storage/addBucketConditionalBinding.js new file mode 100644 index 0000000000..db5aac9b4b --- /dev/null +++ b/storage/addBucketConditionalBinding.js @@ -0,0 +1,109 @@ +// Copyright 2020 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +'use strict'; + +/** + * This application demonstrates how to perform basic operations on bucket and + * file Access Control Lists with the Google Cloud Storage API. + * + * For more information, see the README.md under /storage and the documentation + * at https://cloud.google.com/storage/docs. + */ + +function main( + bucketName = 'my-bucket', + roleName = 'roles/storage.objectViewer', + title = 'match-prefix', + description = 'Applies to objects matching a prefix', + expression = 'resource.name.startsWith("projects/_/buckets/bucket-name/objects/prefix-a-")', + members = 'user:test@example.com' +) { + members = members.split(','); + // [START storage_add_bucket_conditional_iam_binding] + /** + * TODO(developer): Uncomment the following lines before running the sample. + */ + // The ID of your GCS bucket + // const bucketName = 'your-unique-bucket-name'; + + // The role to grant + // const roleName = 'roles/storage.objectViewer'; + + // The members to grant the new role to + // const members = [ + // 'user:jdoe@example.com', + // 'group:admins@example.com', + // ]; + + // Create a condition + // const title = 'Title'; + // const description = 'Description'; + // const expression = 'resource.name.startsWith(\"projects/_/buckets/bucket-name/objects/prefix-a-\")'; + + // Imports the Google Cloud client library + const {Storage} = require('@google-cloud/storage'); + + // Creates a client + const storage = new Storage(); + + async function addBucketConditionalBinding() { + try { + // Get a reference to a Google Cloud Storage bucket + const bucket = storage.bucket(bucketName); + + // Gets and updates the bucket's IAM policy + const [policy] = await bucket.iam.getPolicy({requestedPolicyVersion: 3}); + + // Set the policy's version to 3 to use condition in bindings. + policy.version = 3; + + // Adds the new roles to the bucket's IAM policy + policy.bindings.push({ + role: roleName, + members: members, + condition: { + title: title, + description: description, + expression: expression, + }, + }); + + // Updates the bucket's IAM policy + await bucket.iam.setPolicy(policy); + + console.log( + `Added the following member(s) with role ${roleName} to ${bucketName}:` + ); + + members.forEach(member => { + console.log(` ${member}`); + }); + + console.log('with condition:'); + console.log(` Title: ${title}`); + console.log(` Description: ${description}`); + console.log(` Expression: ${expression}`); + } catch (error) { + console.error( + 'Error executing add bucket conditional binding:', + error.message || error + ); + } + } + + addBucketConditionalBinding(); + // [END storage_add_bucket_conditional_iam_binding] +} +main(...process.argv.slice(2)); diff --git a/storage/addBucketIamMember.js b/storage/addBucketIamMember.js new file mode 100644 index 0000000000..a3b25c5419 --- /dev/null +++ b/storage/addBucketIamMember.js @@ -0,0 +1,82 @@ +// Copyright 2020 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +'use strict'; + +function main( + bucketName = 'my-bucket', + roleName = 'roles/storage.objectViewer', + members = 'user:test@example.com' +) { + //including this logic so as to not use yargs + members = members.split(','); + // [START storage_add_bucket_iam_member] + /** + * TODO(developer): Uncomment the following lines before running the sample. + */ + // The ID of your GCS bucket + // const bucketName = 'your-unique-bucket-name'; + + // The role to grant + // const roleName = 'roles/storage.objectViewer'; + + // The members to grant the new role to + // const members = [ + // 'user:jdoe@example.com', + // 'group:admins@example.com', + // ]; + + // Imports the Google Cloud client library + const {Storage} = require('@google-cloud/storage'); + + // Creates a client + const storage = new Storage(); + + async function addBucketIamMember() { + try { + // Get a reference to a Google Cloud Storage bucket + const bucket = storage.bucket(bucketName); + + // For more information please read: + // https://cloud.google.com/storage/docs/access-control/iam + const [policy] = await bucket.iam.getPolicy({requestedPolicyVersion: 3}); + + // Adds the new roles to the bucket's IAM policy + policy.bindings.push({ + role: roleName, + members: members, + }); + + // Updates the bucket's IAM policy + await bucket.iam.setPolicy(policy); + + console.log( + `Added the following member(s) with role ${roleName} to ${bucketName}:` + ); + + members.forEach(member => { + console.log(` ${member}`); + }); + } catch (error) { + console.error( + 'Error executing add bucket iam member:', + error.message || error + ); + } + } + + addBucketIamMember(); + // [END storage_add_bucket_iam_member] +} +main(...process.argv.slice(2)); diff --git a/storage/package.json b/storage/package.json new file mode 100644 index 0000000000..71acc18ab5 --- /dev/null +++ b/storage/package.json @@ -0,0 +1,30 @@ +{ + "name": "@google-cloud/storage-samples", + "description": "Samples for the Cloud Storage Client Library for Node.js.", + "license": "Apache-2.0", + "author": "Google Inc.", + "engines": { + "node": ">=12" + }, + "repository": "googleapis/nodejs-storage", + "private": true, + "files": [ + "*.js" + ], + "scripts": { + "cleanup": "node scripts/cleanup", + "test": "mocha system-test/*.js --timeout 800000" + }, + "dependencies": { + "@google-cloud/pubsub": "^4.0.0", + "@google-cloud/storage": "^7.19.0", + "node-fetch": "^2.6.7", + "uuid": "^8.0.0", + "yargs": "^16.0.0" + }, + "devDependencies": { + "chai": "^4.2.0", + "mocha": "^8.0.0", + "p-limit": "^3.1.0" + } +} diff --git a/storage/removeBucketConditionalBinding.js b/storage/removeBucketConditionalBinding.js new file mode 100644 index 0000000000..12a8adf105 --- /dev/null +++ b/storage/removeBucketConditionalBinding.js @@ -0,0 +1,103 @@ +// Copyright 2020 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +'use strict'; + +/** + * This application demonstrates how to perform basic operations on bucket and + * file Access Control Lists with the Google Cloud Storage API. + * + * For more information, see the README.md under /storage and the documentation + * at https://cloud.google.com/storage/docs. + */ + +function main( + bucketName = 'my-bucket', + roleName = 'roles/storage.objectViewer', + title = 'match-prefix', + description = 'Applies to objects matching a prefix', + expression = 'resource.name.startsWith("projects/_/buckets/bucket-name/objects/prefix-a-")' +) { + // [START storage_remove_bucket_conditional_iam_binding] + /** + * TODO(developer): Uncomment the following lines before running the sample. + */ + // The ID of your GCS bucket + // const bucketName = 'your-unique-bucket-name'; + + // The role to grant + // const roleName = 'roles/storage.objectViewer'; + + // The members to grant the new role to + // const members = [ + // 'user:jdoe@example.com', + // 'group:admins@example.com', + // ]; + + // Create a condition + // const title = 'Title'; + // const description = 'Description'; + // const expression = 'resource.name.startsWith(\"projects/_/buckets/bucket-name/objects/prefix-a-\")'; + + // Imports the Google Cloud client library + const {Storage} = require('@google-cloud/storage'); + + // Creates a client + const storage = new Storage(); + + async function removeBucketConditionalBinding() { + try { + // Get a reference to a Google Cloud Storage bucket + const bucket = storage.bucket(bucketName); + + // Gets and updates the bucket's IAM policy + const [policy] = await bucket.iam.getPolicy({requestedPolicyVersion: 3}); + + // Set the policy's version to 3 to use condition in bindings. + policy.version = 3; + + // Finds and removes the appropriate role-member group with specific condition. + const index = policy.bindings.findIndex( + binding => + binding.role === roleName && + binding.condition && + binding.condition.title === title && + binding.condition.description === description && + binding.condition.expression === expression + ); + + const binding = policy.bindings[index]; + if (binding) { + policy.bindings.splice(index, 1); + + // Updates the bucket's IAM policy + await bucket.iam.setPolicy(policy); + + console.log('Conditional Binding was removed.'); + } else { + // No matching role-member group with specific condition were found + throw new Error('No matching binding group found.'); + } + } catch (error) { + console.error( + 'Error executing remove bucket conditional binding:', + error.message || error + ); + } + } + + removeBucketConditionalBinding(); + // [END storage_remove_bucket_conditional_iam_binding] +} +main(...process.argv.slice(2)); diff --git a/storage/removeBucketIamMember.js b/storage/removeBucketIamMember.js new file mode 100644 index 0000000000..26d3d90a20 --- /dev/null +++ b/storage/removeBucketIamMember.js @@ -0,0 +1,96 @@ +// Copyright 2020 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +'use strict'; + +function main( + bucketName = 'my-bucket', + roleName = 'roles/storage.objectViewer', + members = 'user:test@example.com' +) { + members = members.split(','); + // [START storage_remove_bucket_iam_member] + /** + * TODO(developer): Uncomment the following lines before running the sample. + */ + // The ID of your GCS bucket + // const bucketName = 'your-unique-bucket-name'; + + // The role to revoke + // const roleName = 'roles/storage.objectViewer'; + + // The members to revoke the roles from + // const members = [ + // 'user:jdoe@example.com', + // 'group:admins@example.com', + // ]; + + // Imports the Google Cloud client library + const {Storage} = require('@google-cloud/storage'); + + // Creates a client + const storage = new Storage(); + + async function removeBucketIamMember() { + try { + // Get a reference to a Google Cloud Storage bucket + const bucket = storage.bucket(bucketName); + + // For more information please read: + // https://cloud.google.com/storage/docs/access-control/iam + const [policy] = await bucket.iam.getPolicy({requestedPolicyVersion: 3}); + + // Finds and updates the appropriate role-member group, without a condition. + const index = policy.bindings.findIndex( + binding => binding.role === roleName && !binding.condition + ); + + const role = policy.bindings[index]; + if (role) { + role.members = role.members.filter( + member => members.indexOf(member) === -1 + ); + + // Updates the policy object with the new (or empty) role-member group + if (role.members.length === 0) { + policy.bindings.splice(index, 1); + } else { + policy.bindings[index] = role; + } + + // Updates the bucket's IAM policy + await bucket.iam.setPolicy(policy); + } else { + // No matching role-member group(s) were found + throw new Error('No matching role-member group(s) found.'); + } + + console.log( + `Removed the following member(s) with role ${roleName} from ${bucketName}:` + ); + members.forEach(member => { + console.log(` ${member}`); + }); + } catch (error) { + console.error( + 'Error executing remove bucket iam member:', + error.message || error + ); + } + } + + removeBucketIamMember(); + // [END storage_remove_bucket_iam_member] +} +main(...process.argv.slice(2)); diff --git a/storage/resources/.gitignore b/storage/resources/.gitignore new file mode 100644 index 0000000000..6738013702 --- /dev/null +++ b/storage/resources/.gitignore @@ -0,0 +1 @@ +downloaded.txt diff --git a/storage/resources/resourcesSub1/testSub1.txt b/storage/resources/resourcesSub1/testSub1.txt new file mode 100644 index 0000000000..51f4b307d5 --- /dev/null +++ b/storage/resources/resourcesSub1/testSub1.txt @@ -0,0 +1,2 @@ +Sub1 +Hello World! \ No newline at end of file diff --git a/storage/resources/test.txt b/storage/resources/test.txt new file mode 100644 index 0000000000..c57eff55eb --- /dev/null +++ b/storage/resources/test.txt @@ -0,0 +1 @@ +Hello World! \ No newline at end of file diff --git a/storage/resources/test2.txt b/storage/resources/test2.txt new file mode 100644 index 0000000000..010302410b --- /dev/null +++ b/storage/resources/test2.txt @@ -0,0 +1 @@ +Hello World 2! \ No newline at end of file diff --git a/storage/scripts/cleanup b/storage/scripts/cleanup new file mode 100644 index 0000000000..61bd73114f --- /dev/null +++ b/storage/scripts/cleanup @@ -0,0 +1,44 @@ +#!/usr/bin/env node + +// Copyright 2019 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +'use strict'; + +const {Storage} = require('@google-cloud/storage'); +const storage = new Storage(); +const NAME_REG_EXP = /^nodejs-storage-samples-[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}$/; + +storage + .getBuckets() + .then(([buckets]) => { + let promise = Promise.resolve(); + + buckets + .filter((bucket) => NAME_REG_EXP.test(bucket.name)) + .forEach((bucket) => { + promise = promise.then(() => { + return bucket.deleteFiles() + .then(() => bucket.deleteFiles(), console.error) + .then(() => { + console.log(`Deleting ${bucket.name}`); + return bucket.delete(); + }, console.error) + .catch(console.error); + }); + }); + }) + .catch((err) => { + console.error('ERROR:', err); + }); diff --git a/storage/system-test/iam.test.js b/storage/system-test/iam.test.js new file mode 100644 index 0000000000..0570b2e839 --- /dev/null +++ b/storage/system-test/iam.test.js @@ -0,0 +1,102 @@ +// Copyright 2019 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +'use strict'; + +const {Storage} = require('@google-cloud/storage'); +const {assert} = require('chai'); +const {before, after, it} = require('mocha'); +const cp = require('child_process'); +const uuid = require('uuid'); + +const execSync = cmd => cp.execSync(cmd, {encoding: 'utf-8'}); + +const storage = new Storage(); +const bucketName = `nodejs-storage-samples-${uuid.v4()}`; +const bucket = storage.bucket(bucketName); +const userEmail = 'test@example.com'; +const roleName = 'roles/storage.objectViewer'; + +// Condition +const title = 'match-prefix'; +const description = 'Applies to objects matching a prefix'; +const expression = `resource.name.startsWith("projects/_/buckets/${bucketName}/objects/prefix-a-")`; + +before(async () => { + await bucket.create(); + // UniformBucketLevelAccess must be enabled to add a conditional binding. + await bucket.setMetadata({ + iamConfiguration: { + uniformBucketLevelAccess: { + enabled: true, + }, + }, + }); +}); + +after(async () => { + await bucket.delete().catch(console.error); +}); + +it('should add multiple members to a role on a bucket', async () => { + const output = execSync( + `node addBucketIamMember.js ${bucketName} ${roleName} "user:${userEmail}"` + ); + assert.include( + output, + `Added the following member(s) with role ${roleName} to ${bucketName}:` + ); + assert.match(output, new RegExp(`user:${userEmail}`)); +}); + +it('should add conditional binding to a bucket', async () => { + const output = execSync( + `node addBucketConditionalBinding.js ${bucketName} ${roleName} '${title}' '${description}' '${expression}' "user:${userEmail}"` + ); + assert.include( + output, + `Added the following member(s) with role ${roleName} to ${bucketName}:` + ); + assert.include(output, 'with condition:'); + assert.include(output, `Title: ${title}`); + assert.include(output, `Description: ${description}`); + assert.include(output, `Expression: ${expression}`); +}); + +it('should list members of a role on a bucket', async () => { + const output = execSync(`node viewBucketIamMembers.js ${bucketName}`); + assert.match(output, new RegExp(`Bindings for bucket ${bucketName}:`)); + assert.match(output, new RegExp(`Role: ${roleName}`)); + assert.match(output, new RegExp('Members:')); + assert.match(output, new RegExp(`user:${userEmail}`)); +}); + +it('should remove multiple members from a role on a bucket', async () => { + const output = execSync( + `node removeBucketIamMember.js ${bucketName} ${roleName} "user:${userEmail}"` + ); + assert.ok( + output.includes( + `Removed the following member(s) with role ${roleName} from ${bucketName}:` + ) + ); + assert.match(output, new RegExp(`user:${userEmail}`)); +}); + +it('should remove conditional binding to a bucket', async () => { + const output = execSync( + `node removeBucketConditionalBinding.js ${bucketName} ${roleName} '${title}' '${description}' '${expression}'` + ); + assert.include(output, 'Conditional Binding was removed'); +}); diff --git a/storage/system-test/test_9d800329-00da-4cdd-9a3e-7ac6743d5813.txt b/storage/system-test/test_9d800329-00da-4cdd-9a3e-7ac6743d5813.txt new file mode 100644 index 0000000000..e69de29bb2 diff --git a/storage/viewBucketIamMembers.js b/storage/viewBucketIamMembers.js new file mode 100644 index 0000000000..21d0d8af23 --- /dev/null +++ b/storage/viewBucketIamMembers.js @@ -0,0 +1,70 @@ +// Copyright 2020 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +'use strict'; + +function main(bucketName = 'my-bucket') { + // [START storage_view_bucket_iam_members] + /** + * TODO(developer): Uncomment the following lines before running the sample. + */ + // The ID of your GCS bucket + // const bucketName = 'your-unique-bucket-name'; + + // Imports the Google Cloud client library + const {Storage} = require('@google-cloud/storage'); + + // Creates a client + const storage = new Storage(); + + async function viewBucketIamMembers() { + try { + // For more information please read: + // https://cloud.google.com/storage/docs/access-control/iam + const results = await storage + .bucket(bucketName) + .iam.getPolicy({requestedPolicyVersion: 3}); + + const bindings = results[0].bindings; + + console.log(`Bindings for bucket ${bucketName}:`); + for (const binding of bindings) { + console.log(` Role: ${binding.role}`); + console.log(' Members:'); + + const members = binding.members; + for (const member of members) { + console.log(` ${member}`); + } + + const condition = binding.condition; + if (condition) { + console.log(' Condition:'); + console.log(` Title: ${condition.title}`); + console.log(` Description: ${condition.description}`); + console.log(` Expression: ${condition.expression}`); + } + } + } catch (error) { + console.error( + 'Error executing view bucket iam members:', + error.message || error + ); + } + } + + viewBucketIamMembers(); + // [END storage_view_bucket_iam_members] +} +main(...process.argv.slice(2));