add requested_policy_version to blob

jkwlui · jkwlui · commit 40770451b3f8 · 2019-12-19T13:16:51.000-08:00
diff --git a/storage/google/cloud/storage/blob.py b/storage/google/cloud/storage/blob.py
@@ -1456,7 +1456,7 @@ def create_resumable_upload_session(
         except resumable_media.InvalidResponse as exc:
             _raise_from_invalid_response(exc)
 
-    def get_iam_policy(self, client=None):
+    def get_iam_policy(self, client=None, requested_policy_version=None):
         """Retrieve the IAM policy for the object.
 
         .. note:
@@ -1475,6 +1475,18 @@ def get_iam_policy(self, client=None):
         :param client: Optional. The client to use.  If not passed, falls back
                        to the ``client`` stored on the current object's bucket.
 
+        :type requested_policy_version: int or ``NoneType``
+        :param requested_policy_version: Optional. The version of IAM policies to request.
+                                         If a policy with a condition is requested without
+                                         setting this, the server will return an error.
+                                         This must be set to a value of 3 to retrieve IAM
+                                         policies containing conditions. This is to prevent
+                                         client code that isn't aware of IAM conditions from
+                                         interpreting and modifying policies incorrectly.
+                                         The service might return a policy with version lower
+                                         than the one that was requested, based on the
+                                         feature syntax in the policy fetched.
+
         :rtype: :class:`google.api_core.iam.Policy`
         :returns: the policy instance, based on the resource returned from
                   the ``getIamPolicy`` API request.
@@ -1486,6 +1498,9 @@ def get_iam_policy(self, client=None):
         if self.user_project is not None:
             query_params["userProject"] = self.user_project
 
+        if requested_policy_version is not None:
+            query_params["optionsRequestedPolicyVersion"] = requested_policy_version
+
         info = client._connection.api_request(
             method="GET",
             path="%s/iam" % (self.path,),
diff --git a/storage/tests/unit/test_blob.py b/storage/tests/unit/test_blob.py
@@ -1928,7 +1928,7 @@ def test_get_iam_policy(self):
         BLOB_NAME = "blob-name"
         PATH = "/b/name/o/%s" % (BLOB_NAME,)
         ETAG = "DEADBEEF"
-        VERSION = 17
+        VERSION = 1
         OWNER1 = "user:phred@example.com"
         OWNER2 = "group:cloud-logs@google.com"
         EDITOR1 = "domain:google.com"
@@ -1973,14 +1973,53 @@ def test_get_iam_policy(self):
             },
         )
 
+    def test_get_iam_policy_w_requested_policy_version(self):
+        from google.cloud.storage.iam import STORAGE_OWNER_ROLE
+        from google.api_core.iam import Policy
+
+        BLOB_NAME = "blob-name"
+        PATH = "/b/name/o/%s" % (BLOB_NAME,)
+        ETAG = "DEADBEEF"
+        VERSION = 3
+        OWNER1 = "user:phred@example.com"
+        OWNER2 = "group:cloud-logs@google.com"
+        RETURNED = {
+            "resourceId": PATH,
+            "etag": ETAG,
+            "version": VERSION,
+            "bindings": [{"role": STORAGE_OWNER_ROLE, "members": [OWNER1, OWNER2]}],
+        }
+        after = ({"status": http_client.OK}, RETURNED)
+        EXPECTED = {
+            binding["role"]: set(binding["members"]) for binding in RETURNED["bindings"]
+        }
+        connection = _Connection(after)
+        client = _Client(connection)
+        bucket = _Bucket(client=client)
+        blob = self._make_one(BLOB_NAME, bucket=bucket)
+
+        policy = blob.get_iam_policy()
+
+        kw = connection._requested
+        self.assertEqual(len(kw), 1)
+        self.assertEqual(
+            kw[0],
+            {
+                "method": "GET",
+                "path": "%s/iam" % (PATH,),
+                "query_params": {"optionsRequestedPolicyVersion": 3},
+                "_target_object": None,
+            },
+        )
+
     def test_get_iam_policy_w_user_project(self):
         from google.api_core.iam import Policy
 
         BLOB_NAME = "blob-name"
         USER_PROJECT = "user-project-123"
         PATH = "/b/name/o/%s" % (BLOB_NAME,)
         ETAG = "DEADBEEF"
-        VERSION = 17
+        VERSION = 1
         RETURNED = {
             "resourceId": PATH,
             "etag": ETAG,
@@ -2023,7 +2062,7 @@ def test_set_iam_policy(self):
         BLOB_NAME = "blob-name"
         PATH = "/b/name/o/%s" % (BLOB_NAME,)
         ETAG = "DEADBEEF"
-        VERSION = 17
+        VERSION = 1
         OWNER1 = "user:phred@example.com"
         OWNER2 = "group:cloud-logs@google.com"
         EDITOR1 = "domain:google.com"
@@ -2074,7 +2113,7 @@ def test_set_iam_policy_w_user_project(self):
         USER_PROJECT = "user-project-123"
         PATH = "/b/name/o/%s" % (BLOB_NAME,)
         ETAG = "DEADBEEF"
-        VERSION = 17
+        VERSION = 1
         BINDINGS = []
         RETURNED = {"etag": ETAG, "version": VERSION, "bindings": BINDINGS}
         after = ({"status": http_client.OK}, RETURNED)
