|
|
|
// Copyright 2014 Google LLC
|
|
|
|
//
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
// You may obtain a copy of the License at
|
|
|
|
//
|
|
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
//
|
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
// See the License for the specific language governing permissions and
|
|
|
|
// limitations under the License.
|
|
|
|
|
|
|
|
package storage
|
|
|
|
|
|
|
|
import (
|
|
|
|
"net/http"
|
|
|
|
"reflect"
|
|
|
|
|
|
|
|
"cloud.google.com/go/internal/trace"
|
|
|
|
"golang.org/x/net/context"
|
|
|
|
"google.golang.org/api/googleapi"
|
|
|
|
raw "google.golang.org/api/storage/v1"
|
|
|
|
)
|
|
|
|
|
|
|
|
// ACLRole is the level of access to grant.
|
|
|
|
type ACLRole string
|
|
|
|
|
|
|
|
const (
|
|
|
|
RoleOwner ACLRole = "OWNER"
|
|
|
|
RoleReader ACLRole = "READER"
|
|
|
|
RoleWriter ACLRole = "WRITER"
|
|
|
|
)
|
|
|
|
|
|
|
|
// ACLEntity refers to a user or group.
|
|
|
|
// They are sometimes referred to as grantees.
|
|
|
|
//
|
|
|
|
// It could be in the form of:
|
|
|
|
// "user-<userId>", "user-<email>", "group-<groupId>", "group-<email>",
|
|
|
|
// "domain-<domain>" and "project-team-<projectId>".
|
|
|
|
//
|
|
|
|
// Or one of the predefined constants: AllUsers, AllAuthenticatedUsers.
|
|
|
|
type ACLEntity string
|
|
|
|
|
|
|
|
const (
|
|
|
|
AllUsers ACLEntity = "allUsers"
|
|
|
|
AllAuthenticatedUsers ACLEntity = "allAuthenticatedUsers"
|
|
|
|
)
|
|
|
|
|
|
|
|
// ACLRule represents a grant for a role to an entity (user, group or team) for a
|
|
|
|
// Google Cloud Storage object or bucket.
|
|
|
|
type ACLRule struct {
|
|
|
|
Entity ACLEntity
|
|
|
|
EntityID string
|
|
|
|
Role ACLRole
|
|
|
|
Domain string
|
|
|
|
Email string
|
|
|
|
ProjectTeam *ProjectTeam
|
|
|
|
}
|
|
|
|
|
|
|
|
// ProjectTeam is the project team associated with the entity, if any.
|
|
|
|
type ProjectTeam struct {
|
|
|
|
ProjectNumber string
|
|
|
|
Team string
|
|
|
|
}
|
|
|
|
|
|
|
|
// ACLHandle provides operations on an access control list for a Google Cloud Storage bucket or object.
|
|
|
|
type ACLHandle struct {
|
|
|
|
c *Client
|
|
|
|
bucket string
|
|
|
|
object string
|
|
|
|
isDefault bool
|
|
|
|
userProject string // for requester-pays buckets
|
|
|
|
}
|
|
|
|
|
|
|
|
// Delete permanently deletes the ACL entry for the given entity.
|
|
|
|
func (a *ACLHandle) Delete(ctx context.Context, entity ACLEntity) (err error) {
|
|
|
|
ctx = trace.StartSpan(ctx, "cloud.google.com/go/storage.ACL.Delete")
|
|
|
|
defer func() { trace.EndSpan(ctx, err) }()
|
|
|
|
|
|
|
|
if a.object != "" {
|
|
|
|
return a.objectDelete(ctx, entity)
|
|
|
|
}
|
|
|
|
if a.isDefault {
|
|
|
|
return a.bucketDefaultDelete(ctx, entity)
|
|
|
|
}
|
|
|
|
return a.bucketDelete(ctx, entity)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Set sets the role for the given entity.
|
|
|
|
func (a *ACLHandle) Set(ctx context.Context, entity ACLEntity, role ACLRole) (err error) {
|
|
|
|
ctx = trace.StartSpan(ctx, "cloud.google.com/go/storage.ACL.Set")
|
|
|
|
defer func() { trace.EndSpan(ctx, err) }()
|
|
|
|
|
|
|
|
if a.object != "" {
|
|
|
|
return a.objectSet(ctx, entity, role, false)
|
|
|
|
}
|
|
|
|
if a.isDefault {
|
|
|
|
return a.objectSet(ctx, entity, role, true)
|
|
|
|
}
|
|
|
|
return a.bucketSet(ctx, entity, role)
|
|
|
|
}
|
|
|
|
|
|
|
|
// List retrieves ACL entries.
|
|
|
|
func (a *ACLHandle) List(ctx context.Context) (rules []ACLRule, err error) {
|
|
|
|
ctx = trace.StartSpan(ctx, "cloud.google.com/go/storage.ACL.List")
|
|
|
|
defer func() { trace.EndSpan(ctx, err) }()
|
|
|
|
|
|
|
|
if a.object != "" {
|
|
|
|
return a.objectList(ctx)
|
|
|
|
}
|
|
|
|
if a.isDefault {
|
|
|
|
return a.bucketDefaultList(ctx)
|
|
|
|
}
|
|
|
|
return a.bucketList(ctx)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (a *ACLHandle) bucketDefaultList(ctx context.Context) ([]ACLRule, error) {
|
|
|
|
var acls *raw.ObjectAccessControls
|
|
|
|
var err error
|
|
|
|
err = runWithRetry(ctx, func() error {
|
|
|
|
req := a.c.raw.DefaultObjectAccessControls.List(a.bucket)
|
|
|
|
a.configureCall(req, ctx)
|
|
|
|
acls, err = req.Do()
|
|
|
|
return err
|
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return toObjectACLRules(acls.Items), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (a *ACLHandle) bucketDefaultDelete(ctx context.Context, entity ACLEntity) error {
|
|
|
|
return runWithRetry(ctx, func() error {
|
|
|
|
req := a.c.raw.DefaultObjectAccessControls.Delete(a.bucket, string(entity))
|
|
|
|
a.configureCall(req, ctx)
|
|
|
|
return req.Do()
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
func (a *ACLHandle) bucketList(ctx context.Context) ([]ACLRule, error) {
|
|
|
|
var acls *raw.BucketAccessControls
|
|
|
|
var err error
|
|
|
|
err = runWithRetry(ctx, func() error {
|
|
|
|
req := a.c.raw.BucketAccessControls.List(a.bucket)
|
|
|
|
a.configureCall(req, ctx)
|
|
|
|
acls, err = req.Do()
|
|
|
|
return err
|
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return toBucketACLRules(acls.Items), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (a *ACLHandle) bucketSet(ctx context.Context, entity ACLEntity, role ACLRole) error {
|
|
|
|
acl := &raw.BucketAccessControl{
|
|
|
|
Bucket: a.bucket,
|
|
|
|
Entity: string(entity),
|
|
|
|
Role: string(role),
|
|
|
|
}
|
|
|
|
err := runWithRetry(ctx, func() error {
|
|
|
|
req := a.c.raw.BucketAccessControls.Update(a.bucket, string(entity), acl)
|
|
|
|
a.configureCall(req, ctx)
|
|
|
|
_, err := req.Do()
|
|
|
|
return err
|
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (a *ACLHandle) bucketDelete(ctx context.Context, entity ACLEntity) error {
|
|
|
|
return runWithRetry(ctx, func() error {
|
|
|
|
req := a.c.raw.BucketAccessControls.Delete(a.bucket, string(entity))
|
|
|
|
a.configureCall(req, ctx)
|
|
|
|
return req.Do()
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
func (a *ACLHandle) objectList(ctx context.Context) ([]ACLRule, error) {
|
|
|
|
var acls *raw.ObjectAccessControls
|
|
|
|
var err error
|
|
|
|
err = runWithRetry(ctx, func() error {
|
|
|
|
req := a.c.raw.ObjectAccessControls.List(a.bucket, a.object)
|
|
|
|
a.configureCall(req, ctx)
|
|
|
|
acls, err = req.Do()
|
|
|
|
return err
|
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return toObjectACLRules(acls.Items), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (a *ACLHandle) objectSet(ctx context.Context, entity ACLEntity, role ACLRole, isBucketDefault bool) error {
|
|
|
|
type setRequest interface {
|
|
|
|
Do(opts ...googleapi.CallOption) (*raw.ObjectAccessControl, error)
|
|
|
|
Header() http.Header
|
|
|
|
}
|
|
|
|
|
|
|
|
acl := &raw.ObjectAccessControl{
|
|
|
|
Bucket: a.bucket,
|
|
|
|
Entity: string(entity),
|
|
|
|
Role: string(role),
|
|
|
|
}
|
|
|
|
var req setRequest
|
|
|
|
if isBucketDefault {
|
|
|
|
req = a.c.raw.DefaultObjectAccessControls.Update(a.bucket, string(entity), acl)
|
|
|
|
} else {
|
|
|
|
req = a.c.raw.ObjectAccessControls.Update(a.bucket, a.object, string(entity), acl)
|
|
|
|
}
|
|
|
|
a.configureCall(req, ctx)
|
|
|
|
return runWithRetry(ctx, func() error {
|
|
|
|
_, err := req.Do()
|
|
|
|
return err
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
func (a *ACLHandle) objectDelete(ctx context.Context, entity ACLEntity) error {
|
|
|
|
return runWithRetry(ctx, func() error {
|
|
|
|
req := a.c.raw.ObjectAccessControls.Delete(a.bucket, a.object, string(entity))
|
|
|
|
a.configureCall(req, ctx)
|
|
|
|
return req.Do()
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
func (a *ACLHandle) configureCall(call interface{ Header() http.Header }, ctx context.Context) {
|
|
|
|
vc := reflect.ValueOf(call)
|
|
|
|
vc.MethodByName("Context").Call([]reflect.Value{reflect.ValueOf(ctx)})
|
|
|
|
if a.userProject != "" {
|
|
|
|
vc.MethodByName("UserProject").Call([]reflect.Value{reflect.ValueOf(a.userProject)})
|
|
|
|
}
|
|
|
|
setClientHeader(call.Header())
|
|
|
|
}
|
|
|
|
|
|
|
|
func toObjectACLRules(items []*raw.ObjectAccessControl) []ACLRule {
|
|
|
|
var rs []ACLRule
|
|
|
|
for _, item := range items {
|
|
|
|
rs = append(rs, toObjectACLRule(item))
|
|
|
|
}
|
|
|
|
return rs
|
|
|
|
}
|
|
|
|
|
|
|
|
func toBucketACLRules(items []*raw.BucketAccessControl) []ACLRule {
|
|
|
|
var rs []ACLRule
|
|
|
|
for _, item := range items {
|
|
|
|
rs = append(rs, toBucketACLRule(item))
|
|
|
|
}
|
|
|
|
return rs
|
|
|
|
}
|
|
|
|
|
|
|
|
func toObjectACLRule(a *raw.ObjectAccessControl) ACLRule {
|
|
|
|
return ACLRule{
|
|
|
|
Entity: ACLEntity(a.Entity),
|
|
|
|
EntityID: a.EntityId,
|
|
|
|
Role: ACLRole(a.Role),
|
|
|
|
Domain: a.Domain,
|
|
|
|
Email: a.Email,
|
|
|
|
ProjectTeam: toObjectProjectTeam(a.ProjectTeam),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func toBucketACLRule(a *raw.BucketAccessControl) ACLRule {
|
|
|
|
return ACLRule{
|
|
|
|
Entity: ACLEntity(a.Entity),
|
|
|
|
EntityID: a.EntityId,
|
|
|
|
Role: ACLRole(a.Role),
|
|
|
|
Domain: a.Domain,
|
|
|
|
Email: a.Email,
|
|
|
|
ProjectTeam: toBucketProjectTeam(a.ProjectTeam),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func toRawObjectACL(rules []ACLRule) []*raw.ObjectAccessControl {
|
|
|
|
if len(rules) == 0 {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
r := make([]*raw.ObjectAccessControl, 0, len(rules))
|
|
|
|
for _, rule := range rules {
|
|
|
|
r = append(r, rule.toRawObjectAccessControl("")) // bucket name unnecessary
|
|
|
|
}
|
|
|
|
return r
|
|
|
|
}
|
|
|
|
|
|
|
|
func toRawBucketACL(rules []ACLRule) []*raw.BucketAccessControl {
|
|
|
|
if len(rules) == 0 {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
r := make([]*raw.BucketAccessControl, 0, len(rules))
|
|
|
|
for _, rule := range rules {
|
|
|
|
r = append(r, rule.toRawBucketAccessControl("")) // bucket name unnecessary
|
|
|
|
}
|
|
|
|
return r
|
|
|
|
}
|
|
|
|
|
|
|
|
func (r ACLRule) toRawBucketAccessControl(bucket string) *raw.BucketAccessControl {
|
|
|
|
return &raw.BucketAccessControl{
|
|
|
|
Bucket: bucket,
|
|
|
|
Entity: string(r.Entity),
|
|
|
|
Role: string(r.Role),
|
|
|
|
// The other fields are not settable.
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (r ACLRule) toRawObjectAccessControl(bucket string) *raw.ObjectAccessControl {
|
|
|
|
return &raw.ObjectAccessControl{
|
|
|
|
Bucket: bucket,
|
|
|
|
Entity: string(r.Entity),
|
|
|
|
Role: string(r.Role),
|
|
|
|
// The other fields are not settable.
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func toBucketProjectTeam(p *raw.BucketAccessControlProjectTeam) *ProjectTeam {
|
|
|
|
if p == nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return &ProjectTeam{
|
|
|
|
ProjectNumber: p.ProjectNumber,
|
|
|
|
Team: p.Team,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func toObjectProjectTeam(p *raw.ObjectAccessControlProjectTeam) *ProjectTeam {
|
|
|
|
if p == nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return &ProjectTeam{
|
|
|
|
ProjectNumber: p.ProjectNumber,
|
|
|
|
Team: p.Team,
|
|
|
|
}
|
|
|
|
}
|