
Example 11 with Binding

use of com.google.iam.v1.Binding in project java-docs-samples by GoogleCloudPlatform.

the class IamRevokeAccess method iamRevokeAccess.

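/**
 * Revokes {@code member}'s "roles/secretmanager.secretAccessor" binding on one secret.
 *
 * <p>The policy is updated read-modify-write: the current policy is fetched, the member is
 * removed from every matching binding, and the result is written back together with the
 * etag returned by the read.
 *
 * @param projectId project that owns the secret
 * @param secretId  id of the secret
 * @param member    IAM member string, e.g. "user:alice@example.com"
 * @throws IOException if the Secret Manager client cannot be created
 */
public static void iamRevokeAccess(String projectId, String secretId, String member) throws IOException {
    // the "close" method on the client to safely clean up any remaining background resources.
    try (SecretManagerServiceClient client = SecretManagerServiceClient.create()) {
        // Build the name from the version.
        SecretName secretName = SecretName.of(projectId, secretId);
        // Request the current IAM policy.
        Policy policy = client.getIamPolicy(GetIamPolicyRequest.newBuilder().setResource(secretName.toString()).build());
        // Search through bindings and remove matches.
        // Protobuf messages are immutable: the role must be compared with equals() (== on two
        // Strings is a reference check that silently never matches a deserialized role), and the
        // list returned by getMembersList() is unmodifiable, so the policy is rebuilt through
        // builders instead of being mutated in place.
        String roleToFind = "roles/secretmanager.secretAccessor";
        Policy.Builder updated = policy.toBuilder().clearBindings();
        for (Binding binding : policy.getBindingsList()) {
            if (!roleToFind.equals(binding.getRole()) || !binding.getMembersList().contains(member)) {
                updated.addBindings(binding);
                continue;
            }
            Binding.Builder kept = binding.toBuilder().clearMembers();
            for (String existing : binding.getMembersList()) {
                if (!existing.equals(member)) {
                    kept.addMembers(existing);
                }
            }
            // A binding with no members grants nothing, so drop it rather than writing it back.
            if (kept.getMembersCount() > 0) {
                updated.addBindings(kept.build());
            }
        }
        // Save the updated IAM policy. toBuilder() carries over the etag from the policy read
        // above, so the service can reject this write if the policy changed in between.
        // NOTE(review): no policy version is requested; if this secret's policy may contain
        // conditional bindings, request version 3 via GetPolicyOptions — confirm against IAM docs.
        client.setIamPolicy(SetIamPolicyRequest.newBuilder().setResource(secretName.toString()).setPolicy(updated.build()).build());
        System.out.printf("Updated IAM policy for %s\n", secretId);
    }
}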
Also used : SecretName(com.google.cloud.secretmanager.v1.SecretName) Policy(com.google.iam.v1.Policy) Binding(com.google.iam.v1.Binding) SecretManagerServiceClient(com.google.cloud.secretmanager.v1.SecretManagerServiceClient)

Example 12 with Binding

use of com.google.iam.v1.Binding in project java-functions by googleapis.

the class CloudFunctionsServiceClientTest method setIamPolicyTest.

/**
 * setIamPolicy round-trip against the mock service: the canned policy comes back unchanged,
 * exactly one request reaches the mock with the same resource and policy, and the gax
 * client header is sent.
 */
@Test
public void setIamPolicyTest() throws Exception {
    // Reply the mock will hand back for the next RPC.
    Policy canned = Policy.newBuilder().setVersion(351608024).addAllBindings(new ArrayList<Binding>()).setEtag(ByteString.EMPTY).build();
    mockCloudFunctionsService.addResponse(canned);
    String resource = CloudFunctionName.of("[PROJECT]", "[LOCATION]", "[FUNCTION]").toString();
    SetIamPolicyRequest sent = SetIamPolicyRequest.newBuilder().setResource(resource).setPolicy(Policy.newBuilder().build()).build();
    // The client must return the canned policy as-is.
    Assert.assertEquals(canned, client.setIamPolicy(sent));
    // One RPC, carrying what we sent.
    List<AbstractMessage> seen = mockCloudFunctionsService.getRequests();
    Assert.assertEquals(1, seen.size());
    SetIamPolicyRequest received = (SetIamPolicyRequest) seen.get(0);
    Assert.assertEquals(sent.getResource(), received.getResource());
    Assert.assertEquals(sent.getPolicy(), received.getPolicy());
    // Default api-client header must be present on the channel.
    Assert.assertTrue(channelProvider.isHeaderSent(ApiClientHeaderProvider.getDefaultApiClientHeaderKey(), GaxGrpcProperties.getDefaultApiClientHeaderPattern()));
}
Also used : Policy(com.google.iam.v1.Policy) Binding(com.google.iam.v1.Binding) AbstractMessage(com.google.protobuf.AbstractMessage) SetIamPolicyRequest(com.google.iam.v1.SetIamPolicyRequest) Test(org.junit.Test)

Example 13 with Binding

use of com.google.iam.v1.Binding in project java-functions by googleapis.

the class CloudFunctionsServiceClientTest method getIamPolicyTest.

/**
 * getIamPolicy round-trip against the mock service: the canned policy comes back unchanged,
 * exactly one request reaches the mock with the same resource and options, and the gax
 * client header is sent.
 */
@Test
public void getIamPolicyTest() throws Exception {
    // Reply the mock will hand back for the next RPC.
    Policy canned = Policy.newBuilder().setVersion(351608024).addAllBindings(new ArrayList<Binding>()).setEtag(ByteString.EMPTY).build();
    mockCloudFunctionsService.addResponse(canned);
    String resource = CloudFunctionName.of("[PROJECT]", "[LOCATION]", "[FUNCTION]").toString();
    GetIamPolicyRequest sent = GetIamPolicyRequest.newBuilder().setResource(resource).setOptions(GetPolicyOptions.newBuilder().build()).build();
    // The client must return the canned policy as-is.
    Assert.assertEquals(canned, client.getIamPolicy(sent));
    // One RPC, carrying what we sent.
    List<AbstractMessage> seen = mockCloudFunctionsService.getRequests();
    Assert.assertEquals(1, seen.size());
    GetIamPolicyRequest received = (GetIamPolicyRequest) seen.get(0);
    Assert.assertEquals(sent.getResource(), received.getResource());
    Assert.assertEquals(sent.getOptions(), received.getOptions());
    // Default api-client header must be present on the channel.
    Assert.assertTrue(channelProvider.isHeaderSent(ApiClientHeaderProvider.getDefaultApiClientHeaderKey(), GaxGrpcProperties.getDefaultApiClientHeaderPattern()));
}
Also used : Policy(com.google.iam.v1.Policy) Binding(com.google.iam.v1.Binding) AbstractMessage(com.google.protobuf.AbstractMessage) GetIamPolicyRequest(com.google.iam.v1.GetIamPolicyRequest) Test(org.junit.Test)

Example 14 with Binding

use of com.google.iam.v1.Binding in project java-storage by googleapis.

the class ITStorageTest method ensureKmsKeyRingIamPermissionsForTests.

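/**
 * Best-effort test setup: grants the project's Cloud Storage service account
 * roles/cloudkms.cryptoKeyEncrypterDecrypter on the given KMS key ring.
 *
 * <p>The policy is updated read-modify-write: the key ring's current policy is fetched, the
 * binding is added only when it is not already present, and the result (including the etag
 * from the read) is written back. Previously a policy holding only this one binding was
 * written, which replaced every existing binding on the key ring.
 *
 * @param iamStub     blocking IAM stub used for the get/set calls
 * @param projectId   project whose storage service account is granted the role
 * @param location    key ring location
 * @param keyRingName key ring id
 * @throws StatusRuntimeException declared for compatibility; RPC failures are caught and logged
 */
private static void ensureKmsKeyRingIamPermissionsForTests(IAMPolicyGrpc.IAMPolicyBlockingStub iamStub, String projectId, String location, String keyRingName) throws StatusRuntimeException {
    ServiceAccount serviceAccount = storage.getServiceAccount(projectId);
    String kmsKeyRingResourcePath = KeyRingName.of(projectId, location, keyRingName).toString();
    String role = "roles/cloudkms.cryptoKeyEncrypterDecrypter";
    String member = "serviceAccount:" + serviceAccount.getEmail();
    requestParamsHeader.put(requestParamsKey, "parent=" + kmsKeyRingResourcePath);
    iamStub = MetadataUtils.attachHeaders(iamStub, requestParamsHeader);
    try {
        // Fully-qualified, matching the Policy usage below, so no new import is needed.
        com.google.iam.v1.Policy current = iamStub.getIamPolicy(com.google.iam.v1.GetIamPolicyRequest.newBuilder().setResource(kmsKeyRingResourcePath).build());
        // NOTE(review): no policy version is requested, so conditional bindings (if any exist on
        // this key ring) may not round-trip through this read/write — confirm for the test project.
        for (Binding existing : current.getBindingsList()) {
            if (role.equals(existing.getRole()) && !existing.hasCondition() && existing.getMembersList().contains(member)) {
                return; // already granted unconditionally; nothing to write
            }
        }
        Binding binding = Binding.newBuilder().setRole(role).addMembers(member).build();
        // toBuilder() keeps the existing bindings and the etag returned by the read.
        com.google.iam.v1.Policy updated = current.toBuilder().addBindings(binding).build();
        SetIamPolicyRequest setIamPolicyRequest = SetIamPolicyRequest.newBuilder().setResource(kmsKeyRingResourcePath).setPolicy(updated).build();
        iamStub.setIamPolicy(setIamPolicyRequest);
    } catch (StatusRuntimeException e) {
        // Deliberately best-effort: a policy failure here is logged rather than aborting the
        // suite; tests that depend on the grant presumably fail on their own if it is missing.
        if (log.isLoggable(Level.WARNING)) {
            log.log(Level.WARNING, "Unable to set IAM policy: {0}", e.getMessage());
        }
    }
}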
Also used : Binding(com.google.iam.v1.Binding) ServiceAccount(com.google.cloud.storage.ServiceAccount) SetIamPolicyRequest(com.google.iam.v1.SetIamPolicyRequest) StatusRuntimeException(io.grpc.StatusRuntimeException)

Example 15 with Binding

use of com.google.cloud.Binding (alongside com.google.iam.v1.Binding) in project java-storage by googleapis.

the class ITStorageTest method testBucketPolicyV3.

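/**
 * Round-trips a version-3 bucket IAM policy: read it, add public read ("allUsers"), remove it,
 * add and remove a conditional binding, then check testIamPermissions.
 *
 * <p>Uniform bucket-level access is switched on for the duration of the test. Everything after
 * that runs inside try/finally so that a failed assertion does not leave the test bucket
 * world-readable or stuck with UBLA enabled: the finally block strips the allUsers member and
 * any conditional binding this test may have added, then disables UBLA as before.
 */
@Test
public void testBucketPolicyV3() {
    // Enable Uniform Bucket-Level Access
    storage.update(BucketInfo.newBuilder(BUCKET).setIamConfiguration(BucketInfo.IamConfiguration.newBuilder().setIsUniformBucketLevelAccessEnabled(true).build()).build());
    String projectId = remoteStorageHelper.getOptions().getProjectId();
    Storage.BucketSourceOption[] bucketOptions = new Storage.BucketSourceOption[] { Storage.BucketSourceOption.requestedPolicyVersion(3) };
    try {
        Identity projectOwner = Identity.projectOwner(projectId);
        Identity projectEditor = Identity.projectEditor(projectId);
        Identity projectViewer = Identity.projectViewer(projectId);
        List<com.google.cloud.Binding> bindingsWithoutPublicRead = ImmutableList.of(com.google.cloud.Binding.newBuilder().setRole(StorageRoles.legacyBucketOwner().toString()).setMembers(ImmutableList.of(projectEditor.strValue(), projectOwner.strValue())).build(), com.google.cloud.Binding.newBuilder().setRole(StorageRoles.legacyBucketReader().toString()).setMembers(ImmutableList.of(projectViewer.strValue())).build());
        List<com.google.cloud.Binding> bindingsWithPublicRead = ImmutableList.of(com.google.cloud.Binding.newBuilder().setRole(StorageRoles.legacyBucketReader().toString()).setMembers(ImmutableList.of(projectViewer.strValue())).build(), com.google.cloud.Binding.newBuilder().setRole(StorageRoles.legacyBucketOwner().toString()).setMembers(ImmutableList.of(projectEditor.strValue(), projectOwner.strValue())).build(), com.google.cloud.Binding.newBuilder().setRole(StorageRoles.legacyObjectReader().toString()).setMembers(ImmutableList.of("allUsers")).build());
        List<com.google.cloud.Binding> bindingsWithConditionalPolicy = ImmutableList.of(com.google.cloud.Binding.newBuilder().setRole(StorageRoles.legacyBucketReader().toString()).setMembers(ImmutableList.of(projectViewer.strValue())).build(), com.google.cloud.Binding.newBuilder().setRole(StorageRoles.legacyBucketOwner().toString()).setMembers(ImmutableList.of(projectEditor.strValue(), projectOwner.strValue())).build(), com.google.cloud.Binding.newBuilder().setRole(StorageRoles.legacyObjectReader().toString()).setMembers(ImmutableList.of("serviceAccount:storage-python@spec-test-ruby-samples.iam.gserviceaccount.com")).setCondition(Condition.newBuilder().setTitle("Title").setDescription("Description").setExpression("resource.name.startsWith(\"projects/_/buckets/bucket-name/objects/prefix-a-\")").build()).build());
        // Validate getting policy. Note this is an order-sensitive equals on the bindings list.
        Policy currentPolicy = storage.getIamPolicy(BUCKET, bucketOptions);
        assertEquals(bindingsWithoutPublicRead, currentPolicy.getBindingsList());
        // Validate updating policy: grant allUsers object read (bucket becomes public).
        List<com.google.cloud.Binding> currentBindings = new ArrayList<>(currentPolicy.getBindingsList());
        currentBindings.add(com.google.cloud.Binding.newBuilder().setRole(StorageRoles.legacyObjectReader().getValue()).addMembers(Identity.allUsers().strValue()).build());
        Policy updatedPolicy = storage.setIamPolicy(BUCKET, currentPolicy.toBuilder().setBindings(currentBindings).build(), bucketOptions);
        assertTrue(bindingsWithPublicRead.size() == updatedPolicy.getBindingsList().size() && bindingsWithPublicRead.containsAll(updatedPolicy.getBindingsList()));
        // Remove a member: take allUsers back out of the legacyObjectReader binding.
        List<com.google.cloud.Binding> updatedBindings = new ArrayList<>(updatedPolicy.getBindingsList());
        for (int i = 0; i < updatedBindings.size(); i++) {
            com.google.cloud.Binding binding = updatedBindings.get(i);
            if (binding.getRole().equals(StorageRoles.legacyObjectReader().toString())) {
                List<String> members = new ArrayList<>(binding.getMembers());
                members.remove(Identity.allUsers().strValue());
                updatedBindings.set(i, binding.toBuilder().setMembers(members).build());
                break;
            }
        }
        Policy revertedPolicy = storage.setIamPolicy(BUCKET, updatedPolicy.toBuilder().setBindings(updatedBindings).build(), bucketOptions);
        assertEquals(bindingsWithoutPublicRead, revertedPolicy.getBindingsList());
        assertTrue(bindingsWithoutPublicRead.size() == revertedPolicy.getBindingsList().size() && bindingsWithoutPublicRead.containsAll(revertedPolicy.getBindingsList()));
        // Add Conditional Policy (requires policy version 3).
        List<com.google.cloud.Binding> conditionalBindings = new ArrayList<>(revertedPolicy.getBindingsList());
        conditionalBindings.add(com.google.cloud.Binding.newBuilder().setRole(StorageRoles.legacyObjectReader().toString()).addMembers("serviceAccount:storage-python@spec-test-ruby-samples.iam.gserviceaccount.com").setCondition(Condition.newBuilder().setTitle("Title").setDescription("Description").setExpression("resource.name.startsWith(\"projects/_/buckets/bucket-name/objects/prefix-a-\")").build()).build());
        Policy conditionalPolicy = storage.setIamPolicy(BUCKET, revertedPolicy.toBuilder().setBindings(conditionalBindings).setVersion(3).build(), bucketOptions);
        assertTrue(bindingsWithConditionalPolicy.size() == conditionalPolicy.getBindingsList().size() && bindingsWithConditionalPolicy.containsAll(conditionalPolicy.getBindingsList()));
        // Remove Conditional Policy: updatedBindings holds the bindings without allUsers.
        conditionalPolicy = storage.setIamPolicy(BUCKET, conditionalPolicy.toBuilder().setBindings(updatedBindings).setVersion(3).build(), bucketOptions);
        // Validate testing permissions.
        List<Boolean> expectedPermissions = ImmutableList.of(true, true);
        assertEquals(expectedPermissions, storage.testIamPermissions(BUCKET, ImmutableList.of("storage.buckets.getIamPolicy", "storage.buckets.setIamPolicy"), bucketOptions));
    } finally {
        // Best-effort cleanup so a failed assertion above does not leave the bucket public.
        // Cleanup errors are logged, not thrown, so they never mask the primary failure.
        try {
            removeTestBindingsForCleanup(bucketOptions);
        } catch (RuntimeException e) {
            if (log.isLoggable(Level.WARNING)) {
                log.log(Level.WARNING, "Unable to restore bucket IAM policy: {0}", e.getMessage());
            }
        } finally {
            // Disable Uniform Bucket-Level Access
            storage.update(BucketInfo.newBuilder(BUCKET).setIamConfiguration(BucketInfo.IamConfiguration.newBuilder().setIsUniformBucketLevelAccessEnabled(false).build()).build());
        }
    }
}

/**
 * Strips the allUsers member from every binding and drops any conditional binding on BUCKET,
 * writing the policy back only if something changed. Used as the cleanup step of
 * {@link #testBucketPolicyV3()}.
 *
 * @param bucketOptions options for the get/set calls (must request policy version 3 so
 *                      conditional bindings are visible and removable)
 */
private void removeTestBindingsForCleanup(Storage.BucketSourceOption... bucketOptions) {
    Policy current = storage.getIamPolicy(BUCKET, bucketOptions);
    String publicMember = Identity.allUsers().strValue();
    List<com.google.cloud.Binding> kept = new ArrayList<>();
    for (com.google.cloud.Binding binding : current.getBindingsList()) {
        if (binding.getCondition() != null) {
            continue; // this test is the only source of conditional bindings on BUCKET
        }
        List<String> members = new ArrayList<>(binding.getMembers());
        members.remove(publicMember);
        // A binding with no members grants nothing; leave it out rather than writing it back.
        if (!members.isEmpty()) {
            kept.add(binding.toBuilder().setMembers(members).build());
        }
    }
    if (!kept.equals(current.getBindingsList())) {
        storage.setIamPolicy(BUCKET, current.toBuilder().setBindings(kept).setVersion(3).build(), bucketOptions);
    }
}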
Also used : Binding(com.google.iam.v1.Binding) Policy(com.google.cloud.Policy) ArrayList(java.util.ArrayList) Identity(com.google.cloud.Identity) AtomicBoolean(java.util.concurrent.atomic.AtomicBoolean) Test(org.junit.Test)
