feat(GCS+gRPC): implement GetNativeBucketIamPolicy() (googleapis#8420)

Author: coryan

generator/generator_config.textproto

@@ -860,7 +860,6 @@ service {
   omit_stub_factory: true
   omitted_rpcs: [
     "LockBucketRetentionPolicy",
-    "GetIamPolicy",
     "SetIamPolicy",
     "TestIamPermissions",
     "DeleteNotification",

google/cloud/storage/internal/grpc_bucket_request_parser.cc

@@ -23,6 +23,7 @@
 #include "google/cloud/storage/internal/object_access_control_parser.h"
 #include "google/cloud/storage/internal/patch_builder_details.h"
 #include "google/cloud/log.h"
+#include <algorithm>
 
 namespace google {
 namespace cloud {
@@ -125,6 +126,40 @@ ListBucketsResponse GrpcBucketRequestParser::FromProto(
   return result;
 }
 
+google::iam::v1::GetIamPolicyRequest GrpcBucketRequestParser::ToProto(
+    GetBucketIamPolicyRequest const& request) {
+  google::iam::v1::GetIamPolicyRequest result;
+  result.set_resource("projects/_/buckets/" + request.bucket_name());
+  if (request.HasOption<RequestedPolicyVersion>()) {
+    result.mutable_options()->set_requested_policy_version(
+        static_cast<std::int32_t>(
+            request.GetOption<RequestedPolicyVersion>().value()));
+  }
+  return result;
+}
+
+NativeIamBinding GrpcBucketRequestParser::FromProto(
+    google::iam::v1::Binding const& b) {
+  std::vector<std::string> members{b.members().begin(), b.members().end()};
+  if (!b.has_condition()) return {b.role(), std::move(members)};
+  NativeExpression expr(b.condition().expression(), b.condition().title(),
+                        b.condition().description(), b.condition().location());
+  return {b.role(), std::move(members), std::move(expr)};
+}
+
+NativeIamPolicy GrpcBucketRequestParser::FromProto(
+    google::iam::v1::Policy const& response) {
+  std::vector<NativeIamBinding> bindings;
+  std::transform(
+      response.bindings().begin(), response.bindings().end(),
+      std::back_inserter(bindings),
+      [](google::iam::v1::Binding const& b) { return FromProto(b); });
+
+  NativeIamPolicy result(std::move(bindings), response.etag(),
+                         response.version());
+  return result;
+}
+
 StatusOr<google::storage::v2::UpdateBucketRequest>
 GrpcBucketRequestParser::ToProto(PatchBucketRequest const& request) {
   google::storage::v2::UpdateBucketRequest result;

google/cloud/storage/internal/grpc_bucket_request_parser.h

@@ -41,6 +41,11 @@ struct GrpcBucketRequestParser {
   static ListBucketsResponse FromProto(
       google::storage::v2::ListBucketsResponse const& response);
 
+  static google::iam::v1::GetIamPolicyRequest ToProto(
+      GetBucketIamPolicyRequest const& request);
+  static NativeIamBinding FromProto(google::iam::v1::Binding const& b);
+  static NativeIamPolicy FromProto(google::iam::v1::Policy const& response);
+
   static StatusOr<google::storage::v2::UpdateBucketRequest> ToProto(
       PatchBucketRequest const& request);
   static google::storage::v2::UpdateBucketRequest ToProto(

google/cloud/storage/internal/grpc_bucket_request_parser_test.cc

@@ -28,7 +28,10 @@ namespace {
 
 namespace v2 = ::google::storage::v2;
 using ::google::cloud::testing_util::IsProtoEqual;
+using ::testing::AllOf;
 using ::testing::ElementsAre;
+using ::testing::ElementsAreArray;
+using ::testing::Property;
 using ::testing::UnorderedElementsAre;
 
 TEST(GrpcBucketRequestParser, DeleteBucketMetadataAllOptions) {
@@ -212,6 +215,70 @@ TEST(GrpcBucketRequestParser, ListBucketsResponse) {
   EXPECT_THAT(names, ElementsAre("test-bucket-1", "test-bucket-2"));
 }
 
+TEST(GrpcBucketRequestParser, GetIamPolicyRequest) {
+  google::iam::v1::GetIamPolicyRequest expected;
+  ASSERT_TRUE(google::protobuf::TextFormat::ParseFromString(
+      R"pb(
+        resource: "projects/_/buckets/test-bucket"
+        options { requested_policy_version: 3 }
+      )pb",
+      &expected));
+
+  GetBucketIamPolicyRequest req("test-bucket");
+  req.set_multiple_options(
+      RequestedPolicyVersion(3), UserProject("test-user-project"),
+      QuotaUser("test-quota-user"), UserIp("test-user-ip"));
+  auto const actual = GrpcBucketRequestParser::ToProto(req);
+  EXPECT_THAT(actual, IsProtoEqual(expected));
+}
+
+TEST(GrpcBucketRequestParser, NativeIamPolicy) {
+  google::iam::v1::Policy input;
+  ASSERT_TRUE(google::protobuf::TextFormat::ParseFromString(
+      R"pb(
+        version: 7
+        bindings {
+          role: "role/test.only"
+          members: "test-1"
+          members: "test-2"
+          condition {
+            expression: "test-expression"
+            title: "test-title"
+            description: "test-description"
+            location: "test-location"
+          }
+        }
+        bindings { role: "role/another.test.only" members: "test-3" }
+        etag: "test-etag"
+      )pb",
+      &input));
+
+  auto const actual = GrpcBucketRequestParser::FromProto(input);
+  EXPECT_EQ(7, actual.version());
+  EXPECT_EQ("test-etag", actual.etag());
+  NativeIamBinding b0(
+      "role/test.only", {"test-1", "test-2"},
+      {"test-expression", "test-title", "test-description", "test-location"});
+  NativeIamBinding b1("role/another.test.only", {"test-3"});
+
+  auto match_expr = [](NativeExpression const& e) {
+    return AllOf(Property(&NativeExpression::expression, e.expression()),
+                 Property(&NativeExpression::title, e.title()),
+                 Property(&NativeExpression::description, e.description()),
+                 Property(&NativeExpression::location, e.location()));
+  };
+  auto match_binding = [&](NativeIamBinding const& b) {
+    return AllOf(
+        Property(&NativeIamBinding::role, b.role()),
+        Property(&NativeIamBinding::members, ElementsAreArray(b.members())),
+        Property(&NativeIamBinding::has_condition, b.has_condition()));
+  };
+  ASSERT_THAT(actual.bindings(),
+              ElementsAre(match_binding(b0), match_binding(b1)));
+  ASSERT_TRUE(actual.bindings()[0].has_condition());
+  ASSERT_THAT(actual.bindings()[0].condition(), match_expr(b0.condition()));
+}
+
 TEST(GrpcBucketRequestParser, PatchBucketRequestAllOptions) {
   google::storage::v2::UpdateBucketRequest expected;
   ASSERT_TRUE(google::protobuf::TextFormat::ParseFromString(

google/cloud/storage/internal/grpc_client.cc

@@ -212,14 +212,34 @@ StatusOr<BucketMetadata> GrpcClient::PatchBucket(
   return GrpcBucketMetadataParser::FromProto(*response);
 }
 
+// TODO(#5929) - remove after decommission is completed
+#include "google/cloud/internal/disable_deprecation_warnings.inc"
+
 StatusOr<IamPolicy> GrpcClient::GetBucketIamPolicy(
-    GetBucketIamPolicyRequest const&) {
-  return Status(StatusCode::kUnimplemented, __func__);
+    GetBucketIamPolicyRequest const& request) {
+  auto proto = GrpcBucketRequestParser::ToProto(request);
+  grpc::ClientContext context;
+  ApplyQueryParameters(context, request);
+  auto response = stub_->GetIamPolicy(context, proto);
+  if (!response) return std::move(response).status();
+  IamBindings bindings;
+  for (auto const& b : response->bindings()) {
+    bindings.AddMembers(b.role(), std::set<std::string>(b.members().begin(),
+                                                        b.members().end()));
+  }
+  return IamPolicy{response->version(), std::move(bindings), response->etag()};
 }
 
+#include "google/cloud/internal/diagnostics_pop.inc"
+
 StatusOr<NativeIamPolicy> GrpcClient::GetNativeBucketIamPolicy(
-    GetBucketIamPolicyRequest const&) {
-  return Status(StatusCode::kUnimplemented, __func__);
+    GetBucketIamPolicyRequest const& request) {
+  auto proto = GrpcBucketRequestParser::ToProto(request);
+  grpc::ClientContext context;
+  ApplyQueryParameters(context, request);
+  auto response = stub_->GetIamPolicy(context, proto);
+  if (!response) return std::move(response).status();
+  return GrpcBucketRequestParser::FromProto(*response);
 }
 
 StatusOr<IamPolicy> GrpcClient::SetBucketIamPolicy(

google/cloud/storage/internal/grpc_client_test.cc

@@ -204,6 +204,46 @@ TEST_F(GrpcClientTest, PatchBucket) {
   EXPECT_EQ(response.status(), PermanentError());
 }
 
+TEST_F(GrpcClientTest, GetBucketIamPolicy) {
+  auto mock = std::make_shared<testing::MockStorageStub>();
+  EXPECT_CALL(*mock, GetIamPolicy)
+      .WillOnce([this](grpc::ClientContext& context,
+                       google::iam::v1::GetIamPolicyRequest const& request) {
+        auto metadata = GetMetadata(context);
+        EXPECT_THAT(metadata, UnorderedElementsAre(
+                                  Pair("x-goog-quota-user", "test-quota-user"),
+                                  Pair("x-goog-fieldmask", "field1,field2")));
+        EXPECT_THAT(request.resource(), "projects/_/buckets/test-bucket");
+        return PermanentError();
+      });
+  auto client = CreateTestClient(mock);
+  auto response = client->GetBucketIamPolicy(
+      GetBucketIamPolicyRequest("test-bucket")
+          .set_multiple_options(Fields("field1,field2"),
+                                QuotaUser("test-quota-user")));
+  EXPECT_EQ(response.status(), PermanentError());
+}
+
+TEST_F(GrpcClientTest, GetNativeBucketIamPolicy) {
+  auto mock = std::make_shared<testing::MockStorageStub>();
+  EXPECT_CALL(*mock, GetIamPolicy)
+      .WillOnce([this](grpc::ClientContext& context,
+                       google::iam::v1::GetIamPolicyRequest const& request) {
+        auto metadata = GetMetadata(context);
+        EXPECT_THAT(metadata, UnorderedElementsAre(
+                                  Pair("x-goog-quota-user", "test-quota-user"),
+                                  Pair("x-goog-fieldmask", "field1,field2")));
+        EXPECT_THAT(request.resource(), "projects/_/buckets/test-bucket");
+        return PermanentError();
+      });
+  auto client = CreateTestClient(mock);
+  auto response = client->GetNativeBucketIamPolicy(
+      GetBucketIamPolicyRequest("test-bucket")
+          .set_multiple_options(Fields("field1,field2"),
+                                QuotaUser("test-quota-user")));
+  EXPECT_EQ(response.status(), PermanentError());
+}
+
 TEST_F(GrpcClientTest, InsertObjectMedia) {
   auto mock = std::make_shared<testing::MockStorageStub>();
   EXPECT_CALL(*mock, WriteObject)

google/cloud/storage/internal/storage_auth_decorator.cc

@@ -62,6 +62,14 @@ StatusOr<google::storage::v2::ListBucketsResponse> StorageAuth::ListBuckets(
   return child_->ListBuckets(context, request);
 }
 
+StatusOr<google::iam::v1::Policy> StorageAuth::GetIamPolicy(
+    grpc::ClientContext& context,
+    google::iam::v1::GetIamPolicyRequest const& request) {
+  auto status = auth_->ConfigureContext(context);
+  if (!status.ok()) return status;
+  return child_->GetIamPolicy(context, request);
+}
+
 StatusOr<google::storage::v2::Bucket> StorageAuth::UpdateBucket(
     grpc::ClientContext& context,
     google::storage::v2::UpdateBucketRequest const& request) {

google/cloud/storage/internal/storage_auth_decorator.h

@@ -54,6 +54,10 @@ class StorageAuth : public StorageStub {
       grpc::ClientContext& context,
       google::storage::v2::ListBucketsRequest const& request) override;
 
+  StatusOr<google::iam::v1::Policy> GetIamPolicy(
+      grpc::ClientContext& context,
+      google::iam::v1::GetIamPolicyRequest const& request) override;
+
   StatusOr<google::storage::v2::Bucket> UpdateBucket(
       grpc::ClientContext& context,
       google::storage::v2::UpdateBucketRequest const& request) override;

google/cloud/storage/internal/storage_logging_decorator.cc

@@ -80,6 +80,17 @@ StatusOr<google::storage::v2::ListBucketsResponse> StorageLogging::ListBuckets(
       context, request, __func__, tracing_options_);
 }
 
+StatusOr<google::iam::v1::Policy> StorageLogging::GetIamPolicy(
+    grpc::ClientContext& context,
+    google::iam::v1::GetIamPolicyRequest const& request) {
+  return google::cloud::internal::LogWrapper(
+      [this](grpc::ClientContext& context,
+             google::iam::v1::GetIamPolicyRequest const& request) {
+        return child_->GetIamPolicy(context, request);
+      },
+      context, request, __func__, tracing_options_);
+}
+
 StatusOr<google::storage::v2::Bucket> StorageLogging::UpdateBucket(
     grpc::ClientContext& context,
     google::storage::v2::UpdateBucketRequest const& request) {

google/cloud/storage/internal/storage_logging_decorator.h

@@ -54,6 +54,10 @@ class StorageLogging : public StorageStub {
       grpc::ClientContext& context,
       google::storage::v2::ListBucketsRequest const& request) override;
 
+  StatusOr<google::iam::v1::Policy> GetIamPolicy(
+      grpc::ClientContext& context,
+      google::iam::v1::GetIamPolicyRequest const& request) override;
+
   StatusOr<google::storage::v2::Bucket> UpdateBucket(
       grpc::ClientContext& context,
       google::storage::v2::UpdateBucketRequest const& request) override;

google/cloud/storage/internal/storage_metadata_decorator.cc

@@ -61,6 +61,13 @@ StatusOr<google::storage::v2::ListBucketsResponse> StorageMetadata::ListBuckets(
   return child_->ListBuckets(context, request);
 }
 
+StatusOr<google::iam::v1::Policy> StorageMetadata::GetIamPolicy(
+    grpc::ClientContext& context,
+    google::iam::v1::GetIamPolicyRequest const& request) {
+  SetMetadata(context, {});
+  return child_->GetIamPolicy(context, request);
+}
+
 StatusOr<google::storage::v2::Bucket> StorageMetadata::UpdateBucket(
     grpc::ClientContext& context,
     google::storage::v2::UpdateBucketRequest const& request) {

google/cloud/storage/internal/storage_metadata_decorator.h

@@ -50,6 +50,10 @@ class StorageMetadata : public StorageStub {
       grpc::ClientContext& context,
       google::storage::v2::ListBucketsRequest const& request) override;
 
+  StatusOr<google::iam::v1::Policy> GetIamPolicy(
+      grpc::ClientContext& context,
+      google::iam::v1::GetIamPolicyRequest const& request) override;
+
   StatusOr<google::storage::v2::Bucket> UpdateBucket(
       grpc::ClientContext& context,
       google::storage::v2::UpdateBucketRequest const& request) override;

google/cloud/storage/internal/storage_round_robin.cc

@@ -44,6 +44,12 @@ StorageRoundRobin::ListBuckets(
   return Child()->ListBuckets(context, request);
 }
 
+StatusOr<google::iam::v1::Policy> StorageRoundRobin::GetIamPolicy(
+    grpc::ClientContext& context,
+    google::iam::v1::GetIamPolicyRequest const& request) {
+  return Child()->GetIamPolicy(context, request);
+}
+
 StatusOr<google::storage::v2::Bucket> StorageRoundRobin::UpdateBucket(
     grpc::ClientContext& context,
     google::storage::v2::UpdateBucketRequest const& request) {

google/cloud/storage/internal/storage_round_robin.h

@@ -47,6 +47,10 @@ class StorageRoundRobin : public StorageStub {
       grpc::ClientContext& context,
       google::storage::v2::ListBucketsRequest const& request) override;
 
+  StatusOr<google::iam::v1::Policy> GetIamPolicy(
+      grpc::ClientContext& context,
+      google::iam::v1::GetIamPolicyRequest const& request) override;
+
   StatusOr<google::storage::v2::Bucket> UpdateBucket(
       grpc::ClientContext& context,
       google::storage::v2::UpdateBucketRequest const& request) override;

google/cloud/storage/internal/storage_round_robin_test.cc

@@ -147,6 +147,25 @@ TEST(StorageRoundRobinTest, ListBuckets) {
   }
 }
 
+TEST(StorageRoundRobinTest, GetIamPolicy) {
+  auto mocks = MakeMocks();
+  InSequence sequence;
+  for (int i = 0; i != kRepeats; ++i) {
+    for (auto& m : mocks) {
+      EXPECT_CALL(*m, GetIamPolicy)
+          .WillOnce(Return(Status(StatusCode::kPermissionDenied, "uh-oh")));
+    }
+  }
+
+  StorageRoundRobin under_test(AsPlainStubs(mocks));
+  for (size_t i = 0; i != kRepeats * mocks.size(); ++i) {
+    grpc::ClientContext context;
+    google::iam::v1::GetIamPolicyRequest request;
+    auto response = under_test.GetIamPolicy(context, request);
+    EXPECT_THAT(response, StatusIs(StatusCode::kPermissionDenied));
+  }
+}
+
 TEST(StorageRoundRobinTest, UpdateBucket) {
   auto mocks = MakeMocks();
   InSequence sequence;

google/cloud/storage/internal/storage_stub.cc

@@ -75,6 +75,17 @@ DefaultStorageStub::ListBuckets(
   return response;
 }
 
+StatusOr<google::iam::v1::Policy> DefaultStorageStub::GetIamPolicy(
+    grpc::ClientContext& client_context,
+    google::iam::v1::GetIamPolicyRequest const& request) {
+  google::iam::v1::Policy response;
+  auto status = grpc_stub_->GetIamPolicy(&client_context, request, &response);
+  if (!status.ok()) {
+    return google::cloud::MakeStatusFromRpcError(status);
+  }
+  return response;
+}
+
 StatusOr<google::storage::v2::Bucket> DefaultStorageStub::UpdateBucket(
     grpc::ClientContext& client_context,
     google::storage::v2::UpdateBucketRequest const& request) {