googleapis
diff --git a/‎google-cloud-contrib/google-cloud-nio/src/test/java/com/google/cloud/storage/contrib/nio/FakeStorageRpc.java‎
Lines changed: 18 additions & 0 deletions b/‎google-cloud-contrib/google-cloud-nio/src/test/java/com/google/cloud/storage/contrib/nio/FakeStorageRpc.java‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎google-cloud-core/src/main/java/com/google/cloud/Policy.java‎
Lines changed: 3 additions & 3 deletions b/‎google-cloud-core/src/main/java/com/google/cloud/Policy.java‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎google-cloud-storage/src/main/java/com/google/cloud/storage/PolicyHelper.java‎
Lines changed: 61 additions & 0 deletions b/‎google-cloud-storage/src/main/java/com/google/cloud/storage/PolicyHelper.java‎
Lines changed: 61 additions & 0 deletions
diff --git a/‎google-cloud-storage/src/main/java/com/google/cloud/storage/Storage.java‎
Lines changed: 58 additions & 1 deletion b/‎google-cloud-storage/src/main/java/com/google/cloud/storage/Storage.java‎
Lines changed: 58 additions & 1 deletion
diff --git a/‎google-cloud-storage/src/main/java/com/google/cloud/storage/StorageImpl.java‎
Lines changed: 61 additions & 1 deletion b/‎google-cloud-storage/src/main/java/com/google/cloud/storage/StorageImpl.java‎
Lines changed: 61 additions & 1 deletion
diff --git a/‎google-cloud-storage/src/main/java/com/google/cloud/storage/spi/v1/HttpStorageRpc.java‎
Lines changed: 29 additions & 0 deletions b/‎google-cloud-storage/src/main/java/com/google/cloud/storage/spi/v1/HttpStorageRpc.java‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎google-cloud-storage/src/main/java/com/google/cloud/storage/spi/v1/StorageRpc.java‎
Lines changed: 23 additions & 1 deletion b/‎google-cloud-storage/src/main/java/com/google/cloud/storage/spi/v1/StorageRpc.java‎
Lines changed: 23 additions & 1 deletion
@@ -19,7 +19,9 @@
 import com.google.api.services.storage.model.Bucket;
 import com.google.api.services.storage.model.BucketAccessControl;
 import com.google.api.services.storage.model.ObjectAccessControl;
+import com.google.api.services.storage.model.Policy;
 import com.google.api.services.storage.model.StorageObject;
+import com.google.api.services.storage.model.TestIamPermissionsResponse;
 import com.google.cloud.storage.Storage;
 import com.google.cloud.storage.StorageException;
 import com.google.cloud.storage.spi.v1.RpcBatch;
@@ -61,6 +63,7 @@
  *   <li>continueRewrite
  *   <li>createBatch
  *   <li>checksums, etags
+ *   <li>IAM operations</li>
  *   </ul>
  * </ul>
  */
@@ -443,4 +446,19 @@ private static boolean processedAsFolder(StorageObject so, String delimiter, Str
     folders.put(folderName, fakeFolder);
     return true;
   }
+
+  @Override
+  public Policy getIamPolicy(String bucket) {
+    throw new UnsupportedOperationException();
+  }
+
+  @Override
+  public Policy setIamPolicy(String bucket, Policy policy) {
+    throw new UnsupportedOperationException();
+  }
+
+  @Override
+  public TestIamPermissionsResponse testIamPermissions(String bucket, List<String> permissions) {
+    throw new UnsupportedOperationException();
+  }
 }
@@ -124,7 +124,8 @@ public static class Builder {
     private String etag;
     private int version;
 
-    protected Builder() {}
+    protected Builder() {
+    }
 
     protected Builder(Policy policy) {
       setBindings(policy.bindings);
@@ -202,7 +203,6 @@ public final Builder removeIdentity(Role role, Identity first, Identity... other
       return this;
     }
 
-
     /**
      * Sets the policy's etag.
      *
@@ -214,7 +214,7 @@ public final Builder removeIdentity(Role role, Identity first, Identity... other
      * applied to the same version of the policy.  If no etag is provided in the call to
      * setIamPolicy, then the existing policy is overwritten blindly.
      */
-    protected final Builder setEtag(String etag) {
+    public final Builder setEtag(String etag) {
       this.etag = etag;
       return this;
     }
 
@@ -0,0 +1,61 @@
+/*
+ * Copyright 2017 Google Inc. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.google.cloud.storage;
+
+import com.google.api.services.storage.model.Policy.Bindings;
+import com.google.cloud.Identity;
+import com.google.cloud.Policy;
+import com.google.cloud.Role;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+/**
+ * Helper for converting between the Policy model provided by the API and the Policy model provided
+ * by this library.
+ */
+class PolicyHelper {
+
+  static Policy convertFromApiPolicy(com.google.api.services.storage.model.Policy apiPolicy) {
+    Policy.Builder policyBuilder = Policy.newBuilder();
+    for (Bindings binding : apiPolicy.getBindings()) {
+      for (String member : binding.getMembers()) {
+        policyBuilder.addIdentity(Role.of(binding.getRole()), Identity.valueOf(member));
+      }
+    }
+    return policyBuilder.setEtag(apiPolicy.getEtag()).build();
+  }
+
+  static com.google.api.services.storage.model.Policy convertToApiPolicy(Policy policy) {
+    List<Bindings> bindings = new ArrayList<>(policy.getBindings().size());
+    for (Map.Entry<Role, Set<Identity>> entry : policy.getBindings().entrySet()) {
+      List<String> members = new ArrayList<>(entry.getValue().size());
+      for (Identity identity : entry.getValue()) {
+        members.add(identity.strValue());
+      }
+      bindings.add(new Bindings().setMembers(members).setRole(entry.getKey().getValue()));
+    }
+    return new com.google.api.services.storage.model.Policy()
+        .setBindings(bindings)
+        .setEtag(policy.getEtag());
+  }
+
+  private PolicyHelper() {
+    // Intentionally left blank.
+  }
+}
@@ -24,6 +24,8 @@
 import com.google.auth.ServiceAccountSigner.SigningException;
 import com.google.cloud.FieldSelector;
 import com.google.cloud.FieldSelector.Helper;
+import com.google.cloud.GcpLaunchStage;
+import com.google.cloud.Policy;
 import com.google.cloud.ReadChannel;
 import com.google.cloud.Service;
 import com.google.cloud.WriteChannel;
@@ -34,7 +36,6 @@
 import com.google.common.collect.Iterables;
 import com.google.common.collect.Lists;
 import com.google.common.io.BaseEncoding;
-
 import java.io.InputStream;
 import java.io.Serializable;
 import java.net.URL;
@@ -2369,4 +2370,60 @@ public static Builder newBuilder() {
    * @throws StorageException upon failure
    */
   List<Acl> listAcls(BlobId blob);
+
+  /**
+   * Gets the IAM policy for the provided bucket.
+   *
+   * <p>Example of getting the IAM policy for a bucket.
+   * <pre> {@code
+   * String bucketName = "my_unique_bucket";
+   * Policy policy = storage.getIamPolicy(bucketName);
+   * }</pre>
+   *
+   * @throws StorageException upon failure
+   */
+  @GcpLaunchStage.Alpha
+  Policy getIamPolicy(String bucket);
+
+  /**
+   * Updates the IAM policy on the specified bucket.
+   *
+   * <p>Example of updating the IAM policy on a bucket.
+   * <pre>{@code
+   * // We want to make all objects in our bucket publicly readable.
+   * String bucketName = "my_unique_bucket";
+   * Policy currentPolicy = storage.getIamPolicy(bucketName);
+   * Policy updatedPolicy =
+   *     storage.setIamPolicy(
+   *         bucketName,
+   *         currentPolicy.toBuilder()
+   *             .addIdentity(StorageRoles.objectViewer(), Identity.allUsers())
+   *             .build());
+   * }</pre>
+   *
+   * @throws StorageException upon failure
+   */
+  @GcpLaunchStage.Alpha
+  Policy setIamPolicy(String bucket, Policy policy);
+
+  /**
+   * Tests whether the caller holds the permissions on the specified bucket. Returns a list of
+   * booleans in the same placement and order in which the permissions were specified.
+   *
+   * <p>Example of testing permissions on a bucket.
+   * <pre> {@code
+   * String bucketName = "my_unique_bucket";
+   * List<Boolean> response =
+   *     storage.testIamPermissions(
+   *         bucket,
+   *         ImmutableList.of("storage.buckets.get", "storage.buckets.getIamPolicy"));
+   * for (boolean hasPermission : response) {
+   *   // Do something with permission test response
+   * }
+   * }</pre>
+   *
+   * @throws StorageException upon failure
+   */
+  @GcpLaunchStage.Alpha
+  List<Boolean> testIamPermissions(String bucket, List<String> permissions);
 }
@@ -17,6 +17,8 @@
 package com.google.cloud.storage;
 
 import static com.google.cloud.RetryHelper.runWithRetries;
+import static com.google.cloud.storage.PolicyHelper.convertFromApiPolicy;
+import static com.google.cloud.storage.PolicyHelper.convertToApiPolicy;
 import static com.google.cloud.storage.spi.v1.StorageRpc.Option.DELIMITER;
 import static com.google.cloud.storage.spi.v1.StorageRpc.Option.IF_GENERATION_MATCH;
 import static com.google.cloud.storage.spi.v1.StorageRpc.Option.IF_GENERATION_NOT_MATCH;
@@ -35,11 +37,13 @@
 import com.google.api.services.storage.model.BucketAccessControl;
 import com.google.api.services.storage.model.ObjectAccessControl;
 import com.google.api.services.storage.model.StorageObject;
+import com.google.api.services.storage.model.TestIamPermissionsResponse;
 import com.google.auth.ServiceAccountSigner;
 import com.google.cloud.BaseService;
 import com.google.cloud.BatchResult;
 import com.google.cloud.PageImpl;
 import com.google.cloud.PageImpl.NextPageFetcher;
+import com.google.cloud.Policy;
 import com.google.cloud.ReadChannel;
 import com.google.cloud.RetryHelper.RetryHelperException;
 import com.google.cloud.storage.Acl.Entity;
@@ -49,14 +53,14 @@
 import com.google.common.base.Function;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Iterables;
 import com.google.common.collect.Lists;
 import com.google.common.collect.Maps;
 import com.google.common.hash.Hashing;
 import com.google.common.io.BaseEncoding;
 import com.google.common.net.UrlEscapers;
 import com.google.common.primitives.Ints;
-
 import java.io.ByteArrayInputStream;
 import java.io.InputStream;
 import java.io.UnsupportedEncodingException;
@@ -68,6 +72,7 @@
 import java.util.EnumMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.concurrent.Callable;
 import java.util.concurrent.TimeUnit;
 
@@ -855,6 +860,61 @@ public List<ObjectAccessControl> call() {
     }
   }
 
+  @Override
+  public Policy getIamPolicy(final String bucket) {
+    try {
+      return convertFromApiPolicy(
+          runWithRetries(new Callable<com.google.api.services.storage.model.Policy>() {
+            @Override
+            public com.google.api.services.storage.model.Policy call() {
+              return storageRpc.getIamPolicy(bucket);
+            }
+          }, getOptions().getRetrySettings(), EXCEPTION_HANDLER, getOptions().getClock()));
+    } catch (RetryHelperException e) {
+      throw StorageException.translateAndThrow(e);
+    }
+  }
+
+  @Override
+  public Policy setIamPolicy(final String bucket, final Policy policy) {
+    try {
+      return convertFromApiPolicy(
+          runWithRetries(new Callable<com.google.api.services.storage.model.Policy>() {
+            @Override
+            public com.google.api.services.storage.model.Policy call() {
+              return storageRpc.setIamPolicy(bucket, convertToApiPolicy(policy));
+            }
+          }, getOptions().getRetrySettings(), EXCEPTION_HANDLER, getOptions().getClock()));
+    } catch (RetryHelperException e) {
+      throw StorageException.translateAndThrow(e);
+    }
+  }
+
+  @Override
+  public List<Boolean> testIamPermissions(final String bucket, final List<String> permissions) {
+    try {
+      TestIamPermissionsResponse response = runWithRetries(
+          new Callable<TestIamPermissionsResponse>() {
+            @Override
+            public TestIamPermissionsResponse call() {
+              return storageRpc.testIamPermissions(bucket, permissions);
+            }
+          }, getOptions().getRetrySettings(), EXCEPTION_HANDLER, getOptions().getClock());
+      final Set<String> heldPermissions =
+          response.getPermissions() != null
+              ? ImmutableSet.copyOf(response.getPermissions())
+              : ImmutableSet.<String>of();
+      return Lists.transform(permissions, new Function<String, Boolean>() {
+        @Override
+        public Boolean apply(String permission) {
+          return heldPermissions.contains(permission);
+        }
+      });
+    } catch (RetryHelperException e) {
+      throw StorageException.translateAndThrow(e);
+    }
+  }
+
   private static <T> void addToOptionMap(StorageRpc.Option option, T defaultValue,
       Map<StorageRpc.Option, Object> map) {
     addToOptionMap(option, option, defaultValue, map);
 
@@ -48,7 +48,9 @@
 import com.google.api.services.storage.model.ComposeRequest.SourceObjects.ObjectPreconditions;
 import com.google.api.services.storage.model.ObjectAccessControl;
 import com.google.api.services.storage.model.Objects;
+import com.google.api.services.storage.model.Policy;
 import com.google.api.services.storage.model.StorageObject;
+import com.google.api.services.storage.model.TestIamPermissionsResponse;
 import com.google.cloud.BaseServiceException;
 import com.google.cloud.HttpTransportOptions;
 import com.google.cloud.storage.StorageException;
@@ -834,4 +836,31 @@ public List<ObjectAccessControl> listAcls(String bucket, String object, Long gen
       throw translate(ex);
     }
   }
+
+  @Override
+  public Policy getIamPolicy(String bucket) {
+    try {
+      return storage.buckets().getIamPolicy(bucket).execute();
+    } catch (IOException ex) {
+      throw translate(ex);
+    }
+  }
+
+  @Override
+  public Policy setIamPolicy(String bucket, Policy policy) {
+    try {
+      return storage.buckets().setIamPolicy(bucket, policy).execute();
+    } catch (IOException ex) {
+      throw translate(ex);
+    }
+  }
+
+  @Override
+  public TestIamPermissionsResponse testIamPermissions(String bucket, List<String> permissions) {
+    try {
+      return storage.buckets().testIamPermissions(bucket, permissions).execute();
+    } catch (IOException ex) {
+      throw translate(ex);
+    }
+  }
 }
@@ -19,10 +19,11 @@
 import com.google.api.services.storage.model.Bucket;
 import com.google.api.services.storage.model.BucketAccessControl;
 import com.google.api.services.storage.model.ObjectAccessControl;
+import com.google.api.services.storage.model.Policy;
 import com.google.api.services.storage.model.StorageObject;
+import com.google.api.services.storage.model.TestIamPermissionsResponse;
 import com.google.cloud.ServiceRpc;
 import com.google.cloud.storage.StorageException;
-
 import java.io.InputStream;
 import java.util.List;
 import java.util.Map;
@@ -427,4 +428,25 @@ void write(String uploadId, byte[] toWrite, int toWriteOffset, long destOffset,
    * @throws StorageException upon failure
    */
   List<ObjectAccessControl> listAcls(String bucket, String object, Long generation);
+
+  /**
+   * Returns the IAM policy for the specified bucket.
+   *
+   * @throws StorageException upon failure
+   */
+  Policy getIamPolicy(String bucket);
+
+  /**
+   * Updates the IAM policy for the specified bucket.
+   *
+   * @throws StorageException upon failure
+   */
+  Policy setIamPolicy(String bucket, Policy policy);
+
+  /**
+   * Tests whether the caller holds the specified permissions for the specified bucket.
+   *
+   * @throws StorageException upon failure
+   */
+  TestIamPermissionsResponse testIamPermissions(String bucket, List<String> permissions);
 }