feat: add remove conditional binding sample (#3107)

* feat: add remove conditional binding sample

* fix iam test fixture

* fix silly mistake of removing all bindings

* fix ubla test

* address feedback

* revert changes to tests

Author: frankyn

storage/cloud-client/iam_test.py

@@ -22,24 +22,27 @@
 import storage_add_bucket_iam_member
 import storage_add_bucket_conditional_iam_binding
 import storage_view_bucket_iam_members
+import storage_remove_bucket_conditional_iam_binding
 
 MEMBER = "group:[email protected]"
 ROLE = "roles/storage.legacyBucketReader"
 
 CONDITION_TITLE = "match-prefix"
 CONDITION_DESCRIPTION = "Applies to objects matching a prefix"
-CONDITION_EXPRESSION = "resource.name.startsWith(\"projects/_/buckets/bucket-name/objects/prefix-a-\")"
+CONDITION_EXPRESSION = (
+    'resource.name.startsWith("projects/_/buckets/bucket-name/objects/prefix-a-")'
+)
 
 
 @pytest.fixture
 def bucket():
     bucket = None
     while bucket is None or bucket.exists():
+        storage_client = storage.Client()
         bucket_name = "test-iam-{}".format(uuid.uuid4())
-        bucket = storage.Client().bucket(bucket_name)
-    bucket.create()
-    bucket.iam_configuration.uniform_bucket_level_access_enabled = True
-    bucket.patch()
+        bucket = storage_client.bucket(bucket_name)
+        bucket.iam_configuration.uniform_bucket_level_access_enabled = True
+    storage_client.create_bucket(bucket)
     yield bucket
     time.sleep(3)
     bucket.delete(force=True)
@@ -66,16 +69,17 @@ def test_add_bucket_conditional_iam_binding(bucket):
         CONDITION_TITLE,
         CONDITION_DESCRIPTION,
         CONDITION_EXPRESSION,
-        {MEMBER}
+        {MEMBER},
     )
     policy = bucket.get_iam_policy(requested_policy_version=3)
     assert any(
-        binding["role"] == ROLE and
-        binding["members"] == {MEMBER} and
-        binding["condition"] == {
+        binding["role"] == ROLE
+        and binding["members"] == {MEMBER}
+        and binding["condition"]
+        == {
             "title": CONDITION_TITLE,
             "description": CONDITION_DESCRIPTION,
-            "expression": CONDITION_EXPRESSION
+            "expression": CONDITION_EXPRESSION,
         }
         for binding in policy.bindings
     )
@@ -89,3 +93,20 @@ def test_remove_bucket_iam_member(bucket):
         binding["role"] == ROLE and MEMBER in binding["members"]
         for binding in policy.bindings
     )
+
+
+def test_remove_bucket_conditional_iam_binding(bucket):
+    storage_remove_bucket_conditional_iam_binding.remove_bucket_conditional_iam_binding(
+        bucket.name, ROLE, CONDITION_TITLE, CONDITION_DESCRIPTION, CONDITION_EXPRESSION
+    )
+
+    policy = bucket.get_iam_policy(requested_policy_version=3)
+    condition = {
+        "title": CONDITION_TITLE,
+        "description": CONDITION_DESCRIPTION,
+        "expression": CONDITION_EXPRESSION,
+    }
+    assert not any(
+        (binding["role"] == ROLE and binding.get("condition") == condition)
+        for binding in policy.bindings
+    )

storage/cloud-client/storage_remove_bucket_conditional_iam_binding.py

@@ -0,0 +1,67 @@
+#!/usr/bin/env python
+
+# Copyright 2020 Google LLC. All Rights Reserved
+#
+# Licensed under the Apache License, Version 2.0 (the 'License');
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import sys
+
+# [START storage_remove_bucket_conditional_iam_binding]
+from google.cloud import storage
+
+
+def remove_bucket_conditional_iam_binding(
+    bucket_name, role, title, description, expression
+):
+    """Remove a conditional IAM binding from a bucket's IAM policy."""
+    # bucket_name = "your-bucket-name"
+    # role = "IAM role, e.g. roles/storage.objectViewer"
+    # title = "Condition title."
+    # description = "Condition description."
+    # expression = "Condition expression."
+
+    storage_client = storage.Client()
+    bucket = storage_client.bucket(bucket_name)
+
+    policy = bucket.get_iam_policy(requested_policy_version=3)
+
+    # Set the policy's version to 3 to use condition in bindings.
+    policy.version = 3
+
+    condition = {
+        "title": title,
+        "description": description,
+        "expression": expression,
+    }
+    policy.bindings = [
+        binding
+        for binding in policy.bindings
+        if not (binding["role"] == role and binding.get("condition") == condition)
+    ]
+
+    bucket.set_iam_policy(policy)
+
+    print("Conditional Binding was removed.")
+
+
+# [END storage_remove_bucket_conditional_iam_binding]
+
+
+if __name__ == "__main__":
+    remove_bucket_conditional_iam_binding(
+        bucket_name=sys.argv[1],
+        role=sys.argv[2],
+        title=sys.argv[3],
+        description=sys.argv[4],
+        expression=sys.argv[5],
+    )