Storage: add 'bucket_policy_only' IAM property #7066
@@ -272,6 +272,82 @@ def from_api_repr(cls, resource): | |
return instance | ||
|
||
|
||
class IAMConfiguration(dict): | ||
"""Map a bucket's IAM configuration. | ||
|
||
:type bucket: :class:`Bucket` | ||
:params bucket: Bucket for which this instance is the policy. | ||
|
||
:type enabled: bool | ||
:params enabled: (optional) whether the IAM-only policy is enabled for the bucket. | ||
|
||
:type locked_time: :class:`datetime.datetime` | ||
:params locked_time: (optional) When the bucket's IAM-only policy was ehabled. This value should normally only be set by the back-end API. | ||
""" | ||
|
||
def __init__(self, bucket, enabled=False, locked_time=None): | ||
data = {"bucketPolicyOnly": {"enabled": enabled}} | ||
if locked_time is not None: | ||
data["bucketPolicyOnly"]["lockedTime"] = _datetime_to_rfc3339(locked_time) | ||
super(IAMConfiguration, self).__init__(data) | ||
self._bucket = bucket | ||
|
||
@classmethod | ||
def from_api_repr(cls, resource, bucket): | ||
"""Factory: construct instance from resource. | ||
|
||
:type bucket: :class:`Bucket` | ||
:params bucket: Bucket for which this instance is the policy. | ||
|
||
:type resource: dict | ||
:param resource: mapping as returned from API call. | ||
|
||
:rtype: :class:`IAMConfiguration` | ||
:returns: Instance created from resource. | ||
""" | ||
instance = cls(bucket) | ||
instance.update(resource) | ||
return instance | ||
|
||
@property | ||
def bucket(self): | ||
"""Bucket for which this instance is the policy. | ||
|
||
:rtype: :class:`Bucket` | ||
:returns: the instance's bucket. | ||
""" | ||
return self._bucket | ||
|
||
@property | ||
def bucket_policy_only(self): | ||
"""Is the bucket configured to allow only IAM policy? | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. From discovery document. "If set, access checks only use bucket-level IAM policies or above." There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. |
||
|
||
:rtype: bool | ||
:returns: whether the bucket is configured to allow only IAM. | ||
""" | ||
bpo = self.get("bucketPolicyOnly", {}) | ||
return bpo.get("enabled", False) | ||
|
||
@bucket_policy_only.setter | ||
def bucket_policy_only(self, value): | ||
bpo = self.setdefault("bucketPolicyOnly", {}) | ||
bpo["enabled"] = bool(value) | ||
self.bucket._patch_property("iamConfiguration", self) | ||
|
||
@property | ||
def locked_time(self): | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Hi @tseaver, I just realized this isn't scoped according to I'm writing samples and I missed this during review. I'm thinking it should have the following pattern.
||
"""When was the bucket configured to allow only IAM policy? | ||
|
||
:rtype: Union[:class:`datetime.datetime`, None] | ||
:returns: (readonly) the time the bucket's IAM-only policy was set. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Use discovery document description for lockedTime: There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. |
||
""" | ||
bpo = self.get("bucketPolicyOnly", {}) | ||
stamp = bpo.get("lockedTime") | ||
if stamp is not None: | ||
stamp = _rfc3339_to_datetime(stamp) | ||
return stamp | ||
|
||
|
||
class Bucket(_PropertyMixin): | ||
"""A class representing a Bucket on Cloud Storage. | ||
|
||
|
@@ -1134,6 +1210,16 @@ def id(self): | |
""" | ||
return self._properties.get("id") | ||
|
||
@property | ||
def iam_configuration(self): | ||
"""Retrieve IAM configuration for this bucket. | ||
|
||
:rtype: :class:`IAMConfiguration` | ||
:returns: an instance for managing the bucket's IAM configuration. | ||
""" | ||
info = self._properties.get("iamConfiguration", {}) | ||
return IAMConfiguration.from_api_repr(info, self) | ||
|
||
@property | ||
def lifecycle_rules(self): | ||
"""Retrieve or set lifecycle rules configured for this bucket. | ||
|