IAM: Add access code snippets and tests (#1597)

Author: melaniedejong

iam/api-client/pom.xml

@@ -41,6 +41,11 @@
       <artifactId>google-api-services-iam</artifactId>
       <version>v1-rev20190704-1.30.1</version>
     </dependency>
+    <dependency>
+      <groupId>com.google.apis</groupId>
+      <artifactId>google-api-services-cloudresourcemanager</artifactId>
+      <version>v1-rev550-1.25.0</version>
+    </dependency>
     <dependency>
         <groupId>commons-cli</groupId>
         <artifactId>commons-cli</artifactId>

iam/api-client/src/main/java/com/google/iam/snippets/AddBinding.java

@@ -0,0 +1,42 @@
+/* Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.google.iam.snippets;
+
+// [START iam_modify_policy_add_binding]
+import com.google.api.services.cloudresourcemanager.model.Binding;
+import com.google.api.services.cloudresourcemanager.model.Policy;
+import java.util.ArrayList;
+import java.util.List;
+
+public class AddBinding {
+
+  // Adds a member to a role with no previous members.
+  public static void addBinding(Policy policy) {
+    // policy = service.Projects.GetIAmPolicy(new GetIamPolicyRequest(), your-project-id).Execute();
+
+    String role = "roles/role-to-add";
+    List<String> members = new ArrayList<String>();
+    members.add("user:[email protected]");
+
+    Binding binding = new Binding();
+    binding.setRole(role);
+    binding.setMembers(members);
+
+    policy.getBindings().add(binding);
+    System.out.println("Added binding: " + binding.toString());
+  }
+}
+// [END iam_modify_policy_add_binding]

iam/api-client/src/main/java/com/google/iam/snippets/AddMember.java

@@ -0,0 +1,45 @@
+/* Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.google.iam.snippets;
+
+// [START iam_modify_policy_add_member]
+import com.google.api.services.cloudresourcemanager.model.Binding;
+import com.google.api.services.cloudresourcemanager.model.Policy;
+import java.util.List;
+
+public class AddMember {
+
+  // Adds a member to a preexisting role.
+  public static void addMember(Policy policy) {
+    // policy = service.Projects.GetIAmPolicy(new GetIamPolicyRequest(), your-project-id).Execute();
+
+    String role = "roles/existing-role";
+    String member = "user:[email protected]";
+
+    List<Binding> bindings = policy.getBindings();
+
+    for (Binding b : bindings) {
+      if (b.getRole() == role) {
+        b.getMembers().add(member);
+        System.out.println("Member " + member + " added to role " + role);
+        return;
+      }
+    }
+
+    System.out.println("Role not found in policy; member not added");
+  }
+}
+// [END iam_modify_policy_add_member]

iam/api-client/src/main/java/com/google/iam/snippets/GetPolicy.java

@@ -0,0 +1,75 @@
+/* Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.google.iam.snippets;
+
+// [START iam_get_policy]
+import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
+import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
+import com.google.api.client.json.jackson2.JacksonFactory;
+import com.google.api.services.cloudresourcemanager.CloudResourceManager;
+import com.google.api.services.cloudresourcemanager.model.GetIamPolicyRequest;
+import com.google.api.services.cloudresourcemanager.model.Policy;
+import com.google.api.services.iam.v1.IamScopes;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.util.Collections;
+
+public class GetPolicy {
+
+  // Gets a project's policy.
+  public static Policy getPolicy(String projectId) {
+    // projectId = "my-project-id"
+
+    Policy policy = null;
+
+    CloudResourceManager service = null;
+    try {
+      service = createCloudResourceManagerService();
+    } catch (IOException | GeneralSecurityException e) {
+      System.out.println("Unable to initialize service: \n" + e.toString());
+      return policy;
+    }
+
+    try {
+      GetIamPolicyRequest request = new GetIamPolicyRequest();
+      policy = service.projects().getIamPolicy(projectId, request).execute();
+      System.out.println("Policy retrieved: " + policy.toString());
+      return policy;
+    } catch (IOException e) {
+      System.out.println("Unable to get policy: \n" + e.toString());
+      return policy;
+    }
+  }
+
+  public static CloudResourceManager createCloudResourceManagerService()
+      throws IOException, GeneralSecurityException {
+    // Use the Application Default Credentials strategy for authentication. For more info, see:
+    // https://cloud.google.com/docs/authentication/production#finding_credentials_automatically
+    GoogleCredential credential =
+        GoogleCredential.getApplicationDefault()
+            .createScoped(Collections.singleton(IamScopes.CLOUD_PLATFORM));
+
+    CloudResourceManager service =
+        new CloudResourceManager.Builder(
+                GoogleNetHttpTransport.newTrustedTransport(),
+                JacksonFactory.getDefaultInstance(),
+                credential)
+            .setApplicationName("service-accounts")
+            .build();
+    return service;
+  }
+}
+// [END iam_get_policy]

iam/api-client/src/main/java/com/google/iam/snippets/RemoveMember.java

@@ -0,0 +1,51 @@
+/* Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.google.iam.snippets;
+
+// [START iam_modify_policy_remove_member]
+import com.google.api.services.cloudresourcemanager.model.Binding;
+import com.google.api.services.cloudresourcemanager.model.Policy;
+import java.util.List;
+
+public class RemoveMember {
+
+  // Removes member from a role; removes binding if binding contains 0 members.
+  public static void removeMember(Policy policy) {
+    // policy = service.Projects.GetIAmPolicy(new GetIamPolicyRequest(), your-project-id).Execute();
+
+    String role = "roles/existing-role";
+    String member = "user:[email protected]";
+
+    List<Binding> bindings = policy.getBindings();
+
+    for (Binding b : bindings) {
+      if (b.getRole() == role) {
+        if (b.getMembers().contains(member)) {
+          b.getMembers().remove(member);
+          System.out.println("Member " + member + " removed from " + role);
+        }
+        if (b.getMembers().size() == 0) {
+          policy.getBindings().remove(b);
+        }
+        return;
+      }
+    }
+
+    System.out.println("Role not found in policy; member not removed");
+    return;
+  }
+}
+// [END iam_modify_policy_remove_member]

iam/api-client/src/main/java/com/google/iam/snippets/SetPolicy.java

@@ -0,0 +1,73 @@
+/* Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.google.iam.snippets;
+
+// [START iam_set_policy]
+import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
+import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
+import com.google.api.client.json.jackson2.JacksonFactory;
+import com.google.api.services.cloudresourcemanager.CloudResourceManager;
+import com.google.api.services.cloudresourcemanager.model.Policy;
+import com.google.api.services.cloudresourcemanager.model.SetIamPolicyRequest;
+import com.google.api.services.iam.v1.IamScopes;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.util.Collections;
+
+public class SetPolicy {
+
+  // Sets a project's policy.
+  public static void setPolicy(Policy policy, String projectId) {
+    // policy = service.Projects.GetIAmPolicy(new GetIamPolicyRequest(), your-project-id).Execute();
+    // projectId = "my-project-id"
+
+    CloudResourceManager service = null;
+    try {
+      service = createCloudResourceManagerService();
+    } catch (IOException | GeneralSecurityException e) {
+      System.out.println("Unable to initialize service: \n" + e.toString());
+      return;
+    }
+
+    try {
+      SetIamPolicyRequest request = new SetIamPolicyRequest();
+      request.setPolicy(policy);
+      Policy response = service.projects().setIamPolicy(projectId, request).execute();
+      System.out.println("Policy set: " + response.toString());
+    } catch (IOException e) {
+      System.out.println("Unable to set policy: \n" + e.toString());
+    }
+  }
+
+  public static CloudResourceManager createCloudResourceManagerService()
+      throws IOException, GeneralSecurityException {
+    // Use the Application Default Credentials strategy for authentication. For more info, see:
+    // https://cloud.google.com/docs/authentication/production#finding_credentials_automatically
+    GoogleCredential credential =
+        GoogleCredential.getApplicationDefault()
+            .createScoped(Collections.singleton(IamScopes.CLOUD_PLATFORM));
+
+    CloudResourceManager service =
+        new CloudResourceManager.Builder(
+                GoogleNetHttpTransport.newTrustedTransport(),
+                JacksonFactory.getDefaultInstance(),
+                credential)
+            .setApplicationName("service-accounts")
+            .build();
+    return service;
+  }
+}
+// [END iam_set_policy]

iam/api-client/src/main/java/com/google/iam/snippets/TestPermissions.java

@@ -0,0 +1,81 @@
+/* Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.google.iam.snippets;
+
+// [START iam-test-permissions]
+import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
+import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
+import com.google.api.client.json.jackson2.JacksonFactory;
+import com.google.api.services.cloudresourcemanager.CloudResourceManager;
+import com.google.api.services.cloudresourcemanager.model.TestIamPermissionsRequest;
+import com.google.api.services.cloudresourcemanager.model.TestIamPermissionsResponse;
+import com.google.api.services.iam.v1.IamScopes;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+public class TestPermissions {
+
+  // Tests if the caller has the listed permissions.
+  public static void testPermissions(String projectId) {
+    // projectId = "my-project-id"
+
+    CloudResourceManager service = null;
+    try {
+      service = createCloudResourceManagerService();
+    } catch (IOException | GeneralSecurityException e) {
+      System.out.println("Unable to initialize service: \n" + e.toString());
+      return;
+    }
+
+    List<String> permissionsList =
+        Arrays.asList("resourcemanager.projects.get", "resourcemanager.projects.delete");
+
+    TestIamPermissionsRequest requestBody =
+        new TestIamPermissionsRequest().setPermissions(permissionsList);
+    try {
+      TestIamPermissionsResponse testIamPermissionsResponse =
+          service.projects().testIamPermissions(projectId, requestBody).execute();
+
+      System.out.println(
+          "Of the permissions listed in the request, the caller has the following: "
+              + testIamPermissionsResponse.getPermissions().toString());
+    } catch (IOException e) {
+      System.out.println("Unable to test permissions: \n" + e.toString());
+    }
+  }
+
+  public static CloudResourceManager createCloudResourceManagerService()
+      throws IOException, GeneralSecurityException {
+    // Use the Application Default Credentials strategy for authentication. For more info, see:
+    // https://cloud.google.com/docs/authentication/production#finding_credentials_automatically
+    GoogleCredential credential =
+        GoogleCredential.getApplicationDefault()
+            .createScoped(Collections.singleton(IamScopes.CLOUD_PLATFORM));
+
+    CloudResourceManager service =
+        new CloudResourceManager.Builder(
+                GoogleNetHttpTransport.newTrustedTransport(),
+                JacksonFactory.getDefaultInstance(),
+                credential)
+            .setApplicationName("service-accounts")
+            .build();
+    return service;
+  }
+}
+// [END iam-test-permissions]