
Commit 972ee48

committed
add IAM policy setters
1 parent c62eabb commit 972ee48

1 file changed

Lines changed: 52 additions & 2 deletions


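--- a/google/apistore.go
+++ b/google/apistore.go
@@ -60,14 +60,16 @@ func (c *APIStore) AddReader(bucket, object, entity string) error {
 return err
 }
 
-// AddBucketReader adds a reader of the bucket
+// AddBucketReader updates the bucket ACL to add entity as a reader on the bucket
+// The bucket must be in fine-grained access control mode, or this will produce an error
 func (c *APIStore) AddBucketReader(bucket, entity string) error {
 ac := &storage.BucketAccessControl{Entity: entity, Role: "READER"}
 _, err := c.service.BucketAccessControls.Insert(bucket, ac).Do()
 return err
 }
 
-// AddBucketWriter adds a writer of the bucket
+// AddBucketWriter updates the bucket ACL to add entity as a writer on the bucket
+// The bucket must be in fine-grained access control mode, or this will produce an error
 func (c *APIStore) AddBucketWriter(bucket, entity string) error {
 ac := &storage.BucketAccessControl{Entity: entity, Role: "WRITER"}
 _, err := c.service.BucketAccessControls.Insert(bucket, ac).Do()
@@ -85,3 +87,51 @@ func (c *APIStore) SetBucketAgeLifecycle(name string, days int64) error {
 _, err := c.service.Buckets.Patch(name, bucket).Do()
 return err
 }
+
+// GrantObjectViewer updates the IAM policy on the bucket to grant member the roles/storage.objectViewer role
+// The existing policy attributes on the bucket are preserved
+func (c *APIStore) GrantObjectViewer(bucket, member string) error {
+return c.grantRole(bucket, member, "roles/storage.objectViewer")
+}
+
+// GrantObjectCreator updates the IAM policy on the bucket to grant member the roles/storage.objectCreator role
+// The existing policy attributes on the bucket are preserved
+func (c *APIStore) GrantObjectCreator(bucket, member string) error {
+return c.grantRole(bucket, member, "roles/storage.objectCreator")
+}
+
+// GrantObjectAdmin updates the IAM policy on the bucket to grant member the roles/storage.objectAdmin role
+// The existing policy attributes on the bucket are preserved
+func (c *APIStore) GrantObjectAdmin(bucket, member string) error {
+return c.grantRole(bucket, member, "roles/storage.objectAdmin")
+}
+
+func (c *APIStore) grantRole(bucket, member, role string) error {
+existingPolicy, err := c.service.Buckets.GetIamPolicy(bucket).Do()
+if err != nil {
+return err
+}
+
+var added bool
+for _, b := range existingPolicy.Bindings {
+if b.Role == role {
+for _, m := range b.Members {
+if m == member {
+// already granted
+return nil
+}
+}
+b.Members = append(b.Members, member)
+added = true
+}
+}
+
+if !added {
+b := new(storage.PolicyBindings)
+b.Role = role
+b.Members = append(b.Members, member)
+existingPolicy.Bindings = append(existingPolicy.Bindings, b)
+}
+_, err = c.service.Buckets.SetIamPolicy(bucket, existingPolicy).Do()
+return err
+}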
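Review bot: In grantRole the scan over existingPolicy.Bindings keeps going after `added = true`, so a policy holding more than one binding for the same role gets member appended to each of them, and the match on `b.Role == role` alone does not look at anything else a matching binding may carry (a condition, if this API version's PolicyBindings has one) before extending it; a `break` after the append keeps the grant to one binding, and if bindings can be conditional it is safer to only reuse a binding that has no condition and otherwise always append a fresh unconditional one. The in-place `b.Members = append(...)` does reach the policy sent back, since b appears to be a pointer into existingPolicy.Bindings (the !added branch appends a `new(storage.PolicyBindings)`), and the policy object returned by GetIamPolicy is passed back whole, which presumably carries its etag and is what protects this read-modify-write from a concurrent edit — worth confirming that SetIamPolicy rejects a stale etag rather than overwriting. The unexported helper has no doc comment; `// grantRole adds member to the binding for role in the bucket's IAM policy, creating the binding when absent, and writes the policy back; it is a no-op when member already holds role.` would do.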

