"Fossies" - the Fresh Open Source Software Archive

Member "cri-o-1.25.1/vendor/cloud.google.com/go/storage/acl.go" (7 Oct 2022, 11501 Bytes) of package /linux/misc/cri-o-1.25.1.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) Go source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file.

    1 // Copyright 2014 Google LLC
    2 //
    3 // Licensed under the Apache License, Version 2.0 (the "License");
    4 // you may not use this file except in compliance with the License.
    5 // You may obtain a copy of the License at
    6 //
    7 //      http://www.apache.org/licenses/LICENSE-2.0
    8 //
    9 // Unless required by applicable law or agreed to in writing, software
   10 // distributed under the License is distributed on an "AS IS" BASIS,
   11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   12 // See the License for the specific language governing permissions and
   13 // limitations under the License.
   14 
   15 package storage
   16 
   17 import (
   18     "context"
   19     "net/http"
   20     "reflect"
   21 
   22     "cloud.google.com/go/internal/trace"
   23     "google.golang.org/api/googleapi"
   24     raw "google.golang.org/api/storage/v1"
   25     storagepb "google.golang.org/genproto/googleapis/storage/v2"
   26 )
   27 
   28 // ACLRole is the level of access to grant.
   29 type ACLRole string
   30 
   31 const (
   32     RoleOwner  ACLRole = "OWNER"
   33     RoleReader ACLRole = "READER"
   34     RoleWriter ACLRole = "WRITER"
   35 )
   36 
   37 // ACLEntity refers to a user or group.
   38 // They are sometimes referred to as grantees.
   39 //
   40 // It could be in the form of:
   41 // "user-<userId>", "user-<email>", "group-<groupId>", "group-<email>",
   42 // "domain-<domain>" and "project-team-<projectId>".
   43 //
   44 // Or one of the predefined constants: AllUsers, AllAuthenticatedUsers.
   45 type ACLEntity string
   46 
   47 const (
   48     AllUsers              ACLEntity = "allUsers"
   49     AllAuthenticatedUsers ACLEntity = "allAuthenticatedUsers"
   50 )
   51 
   52 // ACLRule represents a grant for a role to an entity (user, group or team) for a
   53 // Google Cloud Storage object or bucket.
   54 type ACLRule struct {
   55     Entity      ACLEntity
   56     EntityID    string
   57     Role        ACLRole
   58     Domain      string
   59     Email       string
   60     ProjectTeam *ProjectTeam
   61 }
   62 
   63 // ProjectTeam is the project team associated with the entity, if any.
   64 type ProjectTeam struct {
   65     ProjectNumber string
   66     Team          string
   67 }
   68 
   69 // ACLHandle provides operations on an access control list for a Google Cloud Storage bucket or object.
   70 type ACLHandle struct {
   71     c           *Client
   72     bucket      string
   73     object      string
   74     isDefault   bool
   75     userProject string // for requester-pays buckets
   76     retry       *retryConfig
   77 }
   78 
   79 // Delete permanently deletes the ACL entry for the given entity.
   80 func (a *ACLHandle) Delete(ctx context.Context, entity ACLEntity) (err error) {
   81     ctx = trace.StartSpan(ctx, "cloud.google.com/go/storage.ACL.Delete")
   82     defer func() { trace.EndSpan(ctx, err) }()
   83 
   84     if a.object != "" {
   85         return a.objectDelete(ctx, entity)
   86     }
   87     if a.isDefault {
   88         return a.bucketDefaultDelete(ctx, entity)
   89     }
   90     return a.bucketDelete(ctx, entity)
   91 }
   92 
   93 // Set sets the role for the given entity.
   94 func (a *ACLHandle) Set(ctx context.Context, entity ACLEntity, role ACLRole) (err error) {
   95     ctx = trace.StartSpan(ctx, "cloud.google.com/go/storage.ACL.Set")
   96     defer func() { trace.EndSpan(ctx, err) }()
   97 
   98     if a.object != "" {
   99         return a.objectSet(ctx, entity, role, false)
  100     }
  101     if a.isDefault {
  102         return a.objectSet(ctx, entity, role, true)
  103     }
  104     return a.bucketSet(ctx, entity, role)
  105 }
  106 
  107 // List retrieves ACL entries.
  108 func (a *ACLHandle) List(ctx context.Context) (rules []ACLRule, err error) {
  109     ctx = trace.StartSpan(ctx, "cloud.google.com/go/storage.ACL.List")
  110     defer func() { trace.EndSpan(ctx, err) }()
  111 
  112     if a.object != "" {
  113         return a.objectList(ctx)
  114     }
  115     if a.isDefault {
  116         return a.bucketDefaultList(ctx)
  117     }
  118     return a.bucketList(ctx)
  119 }
  120 
  121 func (a *ACLHandle) bucketDefaultList(ctx context.Context) ([]ACLRule, error) {
  122     var acls *raw.ObjectAccessControls
  123     var err error
  124     req := a.c.raw.DefaultObjectAccessControls.List(a.bucket)
  125     a.configureCall(ctx, req)
  126     err = run(ctx, func() error {
  127         acls, err = req.Do()
  128         return err
  129     }, a.retry, true, setRetryHeaderHTTP(req))
  130     if err != nil {
  131         return nil, err
  132     }
  133     return toObjectACLRules(acls.Items), nil
  134 }
  135 
  136 func (a *ACLHandle) bucketDefaultDelete(ctx context.Context, entity ACLEntity) error {
  137     req := a.c.raw.DefaultObjectAccessControls.Delete(a.bucket, string(entity))
  138     a.configureCall(ctx, req)
  139 
  140     return run(ctx, func() error {
  141         return req.Do()
  142     }, a.retry, false, setRetryHeaderHTTP(req))
  143 }
  144 
  145 func (a *ACLHandle) bucketList(ctx context.Context) ([]ACLRule, error) {
  146     var acls *raw.BucketAccessControls
  147     var err error
  148     req := a.c.raw.BucketAccessControls.List(a.bucket)
  149     a.configureCall(ctx, req)
  150     err = run(ctx, func() error {
  151         acls, err = req.Do()
  152         return err
  153     }, a.retry, true, setRetryHeaderHTTP(req))
  154     if err != nil {
  155         return nil, err
  156     }
  157     return toBucketACLRules(acls.Items), nil
  158 }
  159 
  160 func (a *ACLHandle) bucketSet(ctx context.Context, entity ACLEntity, role ACLRole) error {
  161     acl := &raw.BucketAccessControl{
  162         Bucket: a.bucket,
  163         Entity: string(entity),
  164         Role:   string(role),
  165     }
  166     req := a.c.raw.BucketAccessControls.Update(a.bucket, string(entity), acl)
  167     a.configureCall(ctx, req)
  168     return run(ctx, func() error {
  169         _, err := req.Do()
  170         return err
  171     }, a.retry, false, setRetryHeaderHTTP(req))
  172 }
  173 
  174 func (a *ACLHandle) bucketDelete(ctx context.Context, entity ACLEntity) error {
  175     req := a.c.raw.BucketAccessControls.Delete(a.bucket, string(entity))
  176     a.configureCall(ctx, req)
  177     return run(ctx, func() error {
  178         return req.Do()
  179     }, a.retry, false, setRetryHeaderHTTP(req))
  180 }
  181 
  182 func (a *ACLHandle) objectList(ctx context.Context) ([]ACLRule, error) {
  183     var acls *raw.ObjectAccessControls
  184     var err error
  185     req := a.c.raw.ObjectAccessControls.List(a.bucket, a.object)
  186     a.configureCall(ctx, req)
  187     err = run(ctx, func() error {
  188         acls, err = req.Do()
  189         return err
  190     }, a.retry, true, setRetryHeaderHTTP(req))
  191     if err != nil {
  192         return nil, err
  193     }
  194     return toObjectACLRules(acls.Items), nil
  195 }
  196 
  197 func (a *ACLHandle) objectSet(ctx context.Context, entity ACLEntity, role ACLRole, isBucketDefault bool) error {
  198     type setRequest interface {
  199         Do(opts ...googleapi.CallOption) (*raw.ObjectAccessControl, error)
  200         Header() http.Header
  201     }
  202 
  203     acl := &raw.ObjectAccessControl{
  204         Bucket: a.bucket,
  205         Entity: string(entity),
  206         Role:   string(role),
  207     }
  208     var req setRequest
  209     if isBucketDefault {
  210         req = a.c.raw.DefaultObjectAccessControls.Update(a.bucket, string(entity), acl)
  211     } else {
  212         req = a.c.raw.ObjectAccessControls.Update(a.bucket, a.object, string(entity), acl)
  213     }
  214     a.configureCall(ctx, req)
  215     return run(ctx, func() error {
  216         _, err := req.Do()
  217         return err
  218     }, a.retry, false, setRetryHeaderHTTP(req))
  219 }
  220 
  221 func (a *ACLHandle) objectDelete(ctx context.Context, entity ACLEntity) error {
  222     req := a.c.raw.ObjectAccessControls.Delete(a.bucket, a.object, string(entity))
  223     a.configureCall(ctx, req)
  224     return run(ctx, func() error {
  225         return req.Do()
  226     }, a.retry, false, setRetryHeaderHTTP(req))
  227 }
  228 
  229 func (a *ACLHandle) configureCall(ctx context.Context, call interface{ Header() http.Header }) {
  230     vc := reflect.ValueOf(call)
  231     vc.MethodByName("Context").Call([]reflect.Value{reflect.ValueOf(ctx)})
  232     if a.userProject != "" {
  233         vc.MethodByName("UserProject").Call([]reflect.Value{reflect.ValueOf(a.userProject)})
  234     }
  235     setClientHeader(call.Header())
  236 }
  237 
  238 func toObjectACLRules(items []*raw.ObjectAccessControl) []ACLRule {
  239     var rs []ACLRule
  240     for _, item := range items {
  241         rs = append(rs, toObjectACLRule(item))
  242     }
  243     return rs
  244 }
  245 
  246 func toObjectACLRulesFromProto(items []*storagepb.ObjectAccessControl) []ACLRule {
  247     var rs []ACLRule
  248     for _, item := range items {
  249         rs = append(rs, toObjectACLRuleFromProto(item))
  250     }
  251     return rs
  252 }
  253 
  254 func toBucketACLRules(items []*raw.BucketAccessControl) []ACLRule {
  255     var rs []ACLRule
  256     for _, item := range items {
  257         rs = append(rs, toBucketACLRule(item))
  258     }
  259     return rs
  260 }
  261 
  262 func toBucketACLRulesFromProto(items []*storagepb.BucketAccessControl) []ACLRule {
  263     var rs []ACLRule
  264     for _, item := range items {
  265         rs = append(rs, toBucketACLRuleFromProto(item))
  266     }
  267     return rs
  268 }
  269 
  270 func toObjectACLRule(a *raw.ObjectAccessControl) ACLRule {
  271     return ACLRule{
  272         Entity:      ACLEntity(a.Entity),
  273         EntityID:    a.EntityId,
  274         Role:        ACLRole(a.Role),
  275         Domain:      a.Domain,
  276         Email:       a.Email,
  277         ProjectTeam: toObjectProjectTeam(a.ProjectTeam),
  278     }
  279 }
  280 
  281 func toObjectACLRuleFromProto(a *storagepb.ObjectAccessControl) ACLRule {
  282     return ACLRule{
  283         Entity:      ACLEntity(a.GetEntity()),
  284         EntityID:    a.GetEntityId(),
  285         Role:        ACLRole(a.GetRole()),
  286         Domain:      a.GetDomain(),
  287         Email:       a.GetEmail(),
  288         ProjectTeam: toProjectTeamFromProto(a.GetProjectTeam()),
  289     }
  290 }
  291 
  292 func toBucketACLRule(a *raw.BucketAccessControl) ACLRule {
  293     return ACLRule{
  294         Entity:      ACLEntity(a.Entity),
  295         EntityID:    a.EntityId,
  296         Role:        ACLRole(a.Role),
  297         Domain:      a.Domain,
  298         Email:       a.Email,
  299         ProjectTeam: toBucketProjectTeam(a.ProjectTeam),
  300     }
  301 }
  302 
  303 func toBucketACLRuleFromProto(a *storagepb.BucketAccessControl) ACLRule {
  304     return ACLRule{
  305         Entity:      ACLEntity(a.GetEntity()),
  306         EntityID:    a.GetEntityId(),
  307         Role:        ACLRole(a.GetRole()),
  308         Domain:      a.GetDomain(),
  309         Email:       a.GetEmail(),
  310         ProjectTeam: toProjectTeamFromProto(a.GetProjectTeam()),
  311     }
  312 }
  313 
  314 func toRawObjectACL(rules []ACLRule) []*raw.ObjectAccessControl {
  315     if len(rules) == 0 {
  316         return nil
  317     }
  318     r := make([]*raw.ObjectAccessControl, 0, len(rules))
  319     for _, rule := range rules {
  320         r = append(r, rule.toRawObjectAccessControl("")) // bucket name unnecessary
  321     }
  322     return r
  323 }
  324 
  325 func toProtoObjectACL(rules []ACLRule) []*storagepb.ObjectAccessControl {
  326     if len(rules) == 0 {
  327         return nil
  328     }
  329     r := make([]*storagepb.ObjectAccessControl, 0, len(rules))
  330     for _, rule := range rules {
  331         r = append(r, rule.toProtoObjectAccessControl("")) // bucket name unnecessary
  332     }
  333     return r
  334 }
  335 
  336 func toRawBucketACL(rules []ACLRule) []*raw.BucketAccessControl {
  337     if len(rules) == 0 {
  338         return nil
  339     }
  340     r := make([]*raw.BucketAccessControl, 0, len(rules))
  341     for _, rule := range rules {
  342         r = append(r, rule.toRawBucketAccessControl("")) // bucket name unnecessary
  343     }
  344     return r
  345 }
  346 
  347 func toProtoBucketACL(rules []ACLRule) []*storagepb.BucketAccessControl {
  348     if len(rules) == 0 {
  349         return nil
  350     }
  351     r := make([]*storagepb.BucketAccessControl, 0, len(rules))
  352     for _, rule := range rules {
  353         r = append(r, rule.toProtoBucketAccessControl())
  354     }
  355     return r
  356 }
  357 
  358 func (r ACLRule) toRawBucketAccessControl(bucket string) *raw.BucketAccessControl {
  359     return &raw.BucketAccessControl{
  360         Bucket: bucket,
  361         Entity: string(r.Entity),
  362         Role:   string(r.Role),
  363         // The other fields are not settable.
  364     }
  365 }
  366 
  367 func (r ACLRule) toRawObjectAccessControl(bucket string) *raw.ObjectAccessControl {
  368     return &raw.ObjectAccessControl{
  369         Bucket: bucket,
  370         Entity: string(r.Entity),
  371         Role:   string(r.Role),
  372         // The other fields are not settable.
  373     }
  374 }
  375 
  376 func (r ACLRule) toProtoObjectAccessControl(bucket string) *storagepb.ObjectAccessControl {
  377     return &storagepb.ObjectAccessControl{
  378         Entity: string(r.Entity),
  379         Role:   string(r.Role),
  380         // The other fields are not settable.
  381     }
  382 }
  383 
  384 func (r ACLRule) toProtoBucketAccessControl() *storagepb.BucketAccessControl {
  385     return &storagepb.BucketAccessControl{
  386         Entity: string(r.Entity),
  387         Role:   string(r.Role),
  388         // The other fields are not settable.
  389     }
  390 }
  391 
  392 func toBucketProjectTeam(p *raw.BucketAccessControlProjectTeam) *ProjectTeam {
  393     if p == nil {
  394         return nil
  395     }
  396     return &ProjectTeam{
  397         ProjectNumber: p.ProjectNumber,
  398         Team:          p.Team,
  399     }
  400 }
  401 
  402 func toProjectTeamFromProto(p *storagepb.ProjectTeam) *ProjectTeam {
  403     if p == nil {
  404         return nil
  405     }
  406     return &ProjectTeam{
  407         ProjectNumber: p.GetProjectNumber(),
  408         Team:          p.GetTeam(),
  409     }
  410 }
  411 
  412 func toObjectProjectTeam(p *raw.ObjectAccessControlProjectTeam) *ProjectTeam {
  413     if p == nil {
  414         return nil
  415     }
  416     return &ProjectTeam{
  417         ProjectNumber: p.ProjectNumber,
  418         Team:          p.Team,
  419     }
  420 }