Skip to content

Add system tests for topic/subscription IAM policy get/set methods. #1654

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
tseaver merged 4 commits into from
Mar 29, 2016
Merged

Add system tests for topic/subscription IAM policy get/set methods. #1654

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
21cfae6
Add system tests for topic/subscription IAM policy get/set methods.
tseaver Mar 23, 2016
e770e9e
Rename 'readers'->'viewers', 'writers'->'editors'.
tseaver Mar 29, 2016
da06d10
Use role-name constants.
tseaver Mar 29, 2016
0116b18
Assert created topic/subscription exists before use.
tseaver Mar 29, 2016
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 6 additions & 6 deletions docs/pubsub-usage.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -99,12 +99,12 @@ Test permissions allowed by the current IAM policy on a topic:
.. doctest::

>>> from gcloud import pubsub
>>> from gcloud.pubsub.iam import OWNER_ROLE, WRITER_ROLE, READER_ROLE
>>> from gcloud.pubsub.iam import OWNER_ROLE, EDITOR_ROLE, VIEWER_ROLE
>>> client = pubsub.Client()
>>> topic = client.topic('topic_name')
>>> allowed = topic.check_iam_permissions(
... [READER_ROLE, WRITER_ROLE, OWNER_ROLE]) # API request
>>> allowed == [READER_ROLE, WRITER_ROLE]
... [VIEWER_ROLE, EDITOR_ROLE, OWNER_ROLE]) # API request
>>> allowed == [VIEWER_ROLE, EDITOR_ROLE]
True


Expand Down Expand Up @@ -349,11 +349,11 @@ Test permissions allowed by the current IAM policy on a subscription:
.. doctest::

>>> from gcloud import pubsub
>>> from gcloud.pubsub.iam import OWNER_ROLE, WRITER_ROLE, READER_ROLE
>>> from gcloud.pubsub.iam import OWNER_ROLE, EDITOR_ROLE, VIEWER_ROLE
>>> client = pubsub.Client()
>>> topic = client.topic('topic_name')
>>> subscription = topic.subscription('subscription_name')
>>> allowed = subscription.check_iam_permissions(
... [READER_ROLE, WRITER_ROLE, OWNER_ROLE]) # API request
>>> allowed == [READER_ROLE, WRITER_ROLE]
... [VIEWER_ROLE, EDITOR_ROLE, OWNER_ROLE]) # API request
>>> allowed == [VIEWER_ROLE, EDITOR_ROLE]
True
24 changes: 12 additions & 12 deletions gcloud/pubsub/iam.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,10 +16,10 @@
OWNER_ROLE = 'roles/owner'
"""IAM permission implying all rights to an object."""

WRITER_ROLE = 'roles/writer'
EDITOR_ROLE = 'roles/editor'
"""IAM permission implying rights to modify an object."""

READER_ROLE = 'roles/reader'
VIEWER_ROLE = 'roles/viewer'
"""IAM permission implying rights to access an object without modifying it."""


Expand All @@ -40,8 +40,8 @@ def __init__(self, etag=None, version=None):
self.etag = etag
self.version = version
self.owners = set()
self.writers = set()
self.readers = set()
self.editors = set()
self.viewers = set()

@staticmethod
def user(email):
Expand Down Expand Up @@ -127,10 +127,10 @@ def from_api_repr(cls, resource):
members = set(binding['members'])
if role == OWNER_ROLE:
policy.owners = members
elif role == WRITER_ROLE:
policy.writers = members
elif role == READER_ROLE:
policy.readers = members
elif role == EDITOR_ROLE:
policy.editors = members
elif role == VIEWER_ROLE:
policy.viewers = members
else:
raise ValueError('Unknown role: %s' % (role,))
return policy
Expand All @@ -155,13 +155,13 @@ def to_api_repr(self):
bindings.append(
{'role': OWNER_ROLE, 'members': sorted(self.owners)})

if self.writers:
if self.editors:
bindings.append(
{'role': WRITER_ROLE, 'members': sorted(self.writers)})
{'role': EDITOR_ROLE, 'members': sorted(self.editors)})

if self.readers:
if self.viewers:
bindings.append(
{'role': READER_ROLE, 'members': sorted(self.readers)})
{'role': VIEWER_ROLE, 'members': sorted(self.viewers)})

if bindings:
resource['bindings'] = bindings
Expand Down
3 changes: 2 additions & 1 deletion gcloud/pubsub/subscription.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -305,8 +305,9 @@ def set_iam_policy(self, policy, client=None):
client = self._require_client(client)
path = '%s:setIamPolicy' % (self.path,)
resource = policy.to_api_repr()
wrapped = {'policy': resource}

This comment was marked as spam.

Sign in to view

This comment was marked as spam.

Sign in to view

resp = client.connection.api_request(
method='POST', path=path, data=resource)
method='POST', path=path, data=wrapped)
return Policy.from_api_repr(resp)

def check_iam_permissions(self, permissions, client=None):
Expand Down
52 changes: 26 additions & 26 deletions gcloud/pubsub/test_iam.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,8 +29,8 @@ def test_ctor_defaults(self):
self.assertEqual(policy.etag, None)
self.assertEqual(policy.version, None)
self.assertEqual(list(policy.owners), [])
self.assertEqual(list(policy.writers), [])
self.assertEqual(list(policy.readers), [])
self.assertEqual(list(policy.editors), [])
self.assertEqual(list(policy.viewers), [])

def test_ctor_explicit(self):
VERSION = 17
Expand All @@ -39,8 +39,8 @@ def test_ctor_explicit(self):
self.assertEqual(policy.etag, ETAG)
self.assertEqual(policy.version, VERSION)
self.assertEqual(list(policy.owners), [])
self.assertEqual(list(policy.writers), [])
self.assertEqual(list(policy.readers), [])
self.assertEqual(list(policy.editors), [])
self.assertEqual(list(policy.viewers), [])

def test_user(self):
EMAIL = '[email protected]'
Expand Down Expand Up @@ -83,33 +83,33 @@ def test_from_api_repr_only_etag(self):
self.assertEqual(policy.etag, 'ACAB')
self.assertEqual(policy.version, None)
self.assertEqual(list(policy.owners), [])
self.assertEqual(list(policy.writers), [])
self.assertEqual(list(policy.readers), [])
self.assertEqual(list(policy.editors), [])
self.assertEqual(list(policy.viewers), [])

def test_from_api_repr_complete(self):
from gcloud.pubsub.iam import OWNER_ROLE, WRITER_ROLE, READER_ROLE
from gcloud.pubsub.iam import OWNER_ROLE, EDITOR_ROLE, VIEWER_ROLE
OWNER1 = 'user:[email protected]'
OWNER2 = 'group:[email protected]'
WRITER1 = 'domain:google.com'
WRITER2 = 'user:[email protected]'
READER1 = 'serviceAccount:[email protected]'
READER2 = 'user:[email protected]'
EDITOR1 = 'domain:google.com'
EDITOR2 = 'user:[email protected]'
VIEWER1 = 'serviceAccount:[email protected]'
VIEWER2 = 'user:[email protected]'
RESOURCE = {
'etag': 'DEADBEEF',
'version': 17,
'bindings': [
{'role': OWNER_ROLE, 'members': [OWNER1, OWNER2]},
{'role': WRITER_ROLE, 'members': [WRITER1, WRITER2]},
{'role': READER_ROLE, 'members': [READER1, READER2]},
{'role': EDITOR_ROLE, 'members': [EDITOR1, EDITOR2]},
{'role': VIEWER_ROLE, 'members': [VIEWER1, VIEWER2]},
],
}
klass = self._getTargetClass()
policy = klass.from_api_repr(RESOURCE)
self.assertEqual(policy.etag, 'DEADBEEF')
self.assertEqual(policy.version, 17)
self.assertEqual(sorted(policy.owners), [OWNER2, OWNER1])
self.assertEqual(sorted(policy.writers), [WRITER1, WRITER2])
self.assertEqual(sorted(policy.readers), [READER1, READER2])
self.assertEqual(sorted(policy.editors), [EDITOR1, EDITOR2])
self.assertEqual(sorted(policy.viewers), [VIEWER1, VIEWER2])

def test_from_api_repr_bad_role(self):
BOGUS1 = 'user:[email protected]'
Expand All @@ -134,27 +134,27 @@ def test_to_api_repr_only_etag(self):
self.assertEqual(policy.to_api_repr(), {'etag': 'DEADBEEF'})

def test_to_api_repr_full(self):
from gcloud.pubsub.iam import OWNER_ROLE, WRITER_ROLE, READER_ROLE
from gcloud.pubsub.iam import OWNER_ROLE, EDITOR_ROLE, VIEWER_ROLE
OWNER1 = 'group:[email protected]'
OWNER2 = 'user:[email protected]'
WRITER1 = 'domain:google.com'
WRITER2 = 'user:[email protected]'
READER1 = 'serviceAccount:[email protected]'
READER2 = 'user:[email protected]'
EDITOR1 = 'domain:google.com'
EDITOR2 = 'user:[email protected]'
VIEWER1 = 'serviceAccount:[email protected]'
VIEWER2 = 'user:[email protected]'
EXPECTED = {
'etag': 'DEADBEEF',
'version': 17,
'bindings': [
{'role': OWNER_ROLE, 'members': [OWNER1, OWNER2]},
{'role': WRITER_ROLE, 'members': [WRITER1, WRITER2]},
{'role': READER_ROLE, 'members': [READER1, READER2]},
{'role': EDITOR_ROLE, 'members': [EDITOR1, EDITOR2]},
{'role': VIEWER_ROLE, 'members': [VIEWER1, VIEWER2]},
],
}
policy = self._makeOne('DEADBEEF', 17)
policy.owners.add(OWNER1)
policy.owners.add(OWNER2)
policy.writers.add(WRITER1)
policy.writers.add(WRITER2)
policy.readers.add(READER1)
policy.readers.add(READER2)
policy.editors.add(EDITOR1)
policy.editors.add(EDITOR2)
policy.viewers.add(VIEWER1)
policy.viewers.add(VIEWER2)
self.assertEqual(policy.to_api_repr(), EXPECTED)
62 changes: 32 additions & 30 deletions gcloud/pubsub/test_subscription.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -485,20 +485,20 @@ def test_delete_w_alternate_client(self):
self.assertEqual(req['path'], '/%s' % SUB_PATH)

def test_get_iam_policy_w_bound_client(self):
from gcloud.pubsub.iam import OWNER_ROLE, WRITER_ROLE, READER_ROLE
from gcloud.pubsub.iam import OWNER_ROLE, EDITOR_ROLE, VIEWER_ROLE
OWNER1 = 'user:[email protected]'
OWNER2 = 'group:[email protected]'
WRITER1 = 'domain:google.com'
WRITER2 = 'user:[email protected]'
READER1 = 'serviceAccount:[email protected]'
READER2 = 'user:[email protected]'
EDITOR1 = 'domain:google.com'
EDITOR2 = 'user:[email protected]'
VIEWER1 = 'serviceAccount:[email protected]'
VIEWER2 = 'user:[email protected]'
POLICY = {
'etag': 'DEADBEEF',
'version': 17,
'bindings': [
{'role': OWNER_ROLE, 'members': [OWNER1, OWNER2]},
{'role': WRITER_ROLE, 'members': [WRITER1, WRITER2]},
{'role': READER_ROLE, 'members': [READER1, READER2]},
{'role': EDITOR_ROLE, 'members': [EDITOR1, EDITOR2]},
{'role': VIEWER_ROLE, 'members': [VIEWER1, VIEWER2]},
],
}
PROJECT = 'PROJECT'
Expand All @@ -517,8 +517,8 @@ def test_get_iam_policy_w_bound_client(self):
self.assertEqual(policy.etag, 'DEADBEEF')
self.assertEqual(policy.version, 17)
self.assertEqual(sorted(policy.owners), [OWNER2, OWNER1])
self.assertEqual(sorted(policy.writers), [WRITER1, WRITER2])
self.assertEqual(sorted(policy.readers), [READER1, READER2])
self.assertEqual(sorted(policy.editors), [EDITOR1, EDITOR2])
self.assertEqual(sorted(policy.viewers), [VIEWER1, VIEWER2])

self.assertEqual(len(conn._requested), 1)
req = conn._requested[0]
Expand Down Expand Up @@ -547,8 +547,8 @@ def test_get_iam_policy_w_alternate_client(self):
self.assertEqual(policy.etag, 'ACAB')
self.assertEqual(policy.version, None)
self.assertEqual(sorted(policy.owners), [])
self.assertEqual(sorted(policy.writers), [])
self.assertEqual(sorted(policy.readers), [])
self.assertEqual(sorted(policy.editors), [])
self.assertEqual(sorted(policy.viewers), [])

self.assertEqual(len(conn1._requested), 0)
self.assertEqual(len(conn2._requested), 1)
Expand All @@ -557,21 +557,21 @@ def test_get_iam_policy_w_alternate_client(self):
self.assertEqual(req['path'], '/%s' % PATH)

def test_set_iam_policy_w_bound_client(self):
from gcloud.pubsub.iam import OWNER_ROLE, WRITER_ROLE, READER_ROLE
from gcloud.pubsub.iam import OWNER_ROLE, EDITOR_ROLE, VIEWER_ROLE
from gcloud.pubsub.iam import Policy
OWNER1 = 'group:[email protected]'
OWNER2 = 'user:[email protected]'
WRITER1 = 'domain:google.com'
WRITER2 = 'user:[email protected]'
READER1 = 'serviceAccount:[email protected]'
READER2 = 'user:[email protected]'
EDITOR1 = 'domain:google.com'
EDITOR2 = 'user:[email protected]'
VIEWER1 = 'serviceAccount:[email protected]'
VIEWER2 = 'user:[email protected]'
POLICY = {
'etag': 'DEADBEEF',
'version': 17,
'bindings': [
{'role': OWNER_ROLE, 'members': [OWNER1, OWNER2]},
{'role': WRITER_ROLE, 'members': [WRITER1, WRITER2]},
{'role': READER_ROLE, 'members': [READER1, READER2]},
{'role': EDITOR_ROLE, 'members': [EDITOR1, EDITOR2]},
{'role': VIEWER_ROLE, 'members': [VIEWER1, VIEWER2]},
],
}
RESPONSE = POLICY.copy()
Expand All @@ -590,24 +590,24 @@ def test_set_iam_policy_w_bound_client(self):
policy = Policy('DEADBEEF', 17)
policy.owners.add(OWNER1)
policy.owners.add(OWNER2)
policy.writers.add(WRITER1)
policy.writers.add(WRITER2)
policy.readers.add(READER1)
policy.readers.add(READER2)
policy.editors.add(EDITOR1)
policy.editors.add(EDITOR2)
policy.viewers.add(VIEWER1)
policy.viewers.add(VIEWER2)

new_policy = subscription.set_iam_policy(policy)

self.assertEqual(new_policy.etag, 'ABACABAF')
self.assertEqual(new_policy.version, 18)
self.assertEqual(sorted(new_policy.owners), [OWNER1, OWNER2])
self.assertEqual(sorted(new_policy.writers), [WRITER1, WRITER2])
self.assertEqual(sorted(new_policy.readers), [READER1, READER2])
self.assertEqual(sorted(new_policy.editors), [EDITOR1, EDITOR2])
self.assertEqual(sorted(new_policy.viewers), [VIEWER1, VIEWER2])

self.assertEqual(len(conn._requested), 1)
req = conn._requested[0]
self.assertEqual(req['method'], 'POST')
self.assertEqual(req['path'], '/%s' % PATH)
self.assertEqual(req['data'], POLICY)
self.assertEqual(req['data'], {'policy': POLICY})

def test_set_iam_policy_w_alternate_client(self):
from gcloud.pubsub.iam import Policy
Expand All @@ -631,23 +631,24 @@ def test_set_iam_policy_w_alternate_client(self):
self.assertEqual(new_policy.etag, 'ACAB')
self.assertEqual(new_policy.version, None)
self.assertEqual(sorted(new_policy.owners), [])
self.assertEqual(sorted(new_policy.writers), [])
self.assertEqual(sorted(new_policy.readers), [])
self.assertEqual(sorted(new_policy.editors), [])
self.assertEqual(sorted(new_policy.viewers), [])

self.assertEqual(len(conn1._requested), 0)
self.assertEqual(len(conn2._requested), 1)
req = conn2._requested[0]
self.assertEqual(req['method'], 'POST')
self.assertEqual(req['path'], '/%s' % PATH)
self.assertEqual(req['data'], {})
self.assertEqual(req['data'], {'policy': {}})

def test_check_iam_permissions_w_bound_client(self):
from gcloud.pubsub.iam import OWNER_ROLE, EDITOR_ROLE, VIEWER_ROLE
PROJECT = 'PROJECT'
TOPIC_NAME = 'topic_name'
SUB_NAME = 'sub_name'
PATH = 'projects/%s/subscriptions/%s:testIamPermissions' % (
PROJECT, SUB_NAME)
ROLES = ['roles/reader', 'roles/writer', 'roles/owner']
ROLES = [VIEWER_ROLE, EDITOR_ROLE, OWNER_ROLE]
REQUESTED = {
'permissions': ROLES,
}
Expand All @@ -669,12 +670,13 @@ def test_check_iam_permissions_w_bound_client(self):
self.assertEqual(req['data'], REQUESTED)

def test_check_iam_permissions_w_alternate_client(self):
from gcloud.pubsub.iam import OWNER_ROLE, EDITOR_ROLE, VIEWER_ROLE
PROJECT = 'PROJECT'
TOPIC_NAME = 'topic_name'
SUB_NAME = 'sub_name'
PATH = 'projects/%s/subscriptions/%s:testIamPermissions' % (
PROJECT, SUB_NAME)
ROLES = ['roles/reader', 'roles/writer', 'roles/owner']
ROLES = [VIEWER_ROLE, EDITOR_ROLE, OWNER_ROLE]
REQUESTED = {
'permissions': ROLES,
}
Expand Down
Loading