<?php
/**
* Copyright 2016 Google Inc. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
namespace Google\Cloud\Core\Iam;
/**
* IAM Manager
*
* This class is not meant to be used directly. It should be accessed
* through other objects which support IAM.
*
* Policies can be created using the {@see Google\Cloud\Core\Iam\PolicyBuilder}
* to help ensure their validity.
*
* Example:
* ```
* // IAM policies are obtained via resources which implement IAM.
* // In this example, we'll use PubSub topics to demonstrate
* // how IAM policies are managed.
*
* use Google\Cloud\PubSub\PubSubClient;
*
* $pubsub = new PubSubClient();
* $topic = $pubsub->topic('my-new-topic');
*
* $iam = $topic->iam();
* ```
*/
class Iam
{
/**
* @var IamConnectionInterface
*/
private $connection;
/**
* @var string
*/
private $resource;
/**
* @var array
*/
private $policy;
/**
* @var array
*/
private $args;
/**
* @var array
*/
private $options;
/**
* @param IamConnectionInterface $connection
* @param string $resource
* @param array $options [optional] {
* Configuration Options
*
* @type string|null $parent The parent request parameter for the policy.
* If set, policy data will be sent as `request.{$parent}`.
* Otherwise, policy will be sent in request root. **Defaults to**
* `policy`.
* @type array $args Arbitrary data to be sent with the request.
* }
* @access private
*/
public function __construct(IamConnectionInterface $connection, $resource, array $options = [])
{
$options += [
'parent' => 'policy',
'args' => []
];
$this->connection = $connection;
$this->resource = $resource;
$this->options = $options;
}
/**
* Get the existing IAM policy for this resource.
*
* If a policy has already been retrieved from the API, it will be returned.
* To fetch a fresh copy of the policy, use
* {@see Google\Cloud\Core\Iam\Iam::reload()}.
*
* Example:
* ```
* $policy = $iam->policy();
* ```
*
* @param array $options Configuration Options
* @param int $options['requestedPolicyVersion'] Specify the policy version to
* request from the server. Please see
* [policy versioning](https://cloud.google.com/iam/docs/policies#versions)
* for more information.
* @return array An array of policy data
*/
public function policy(array $options = [])
{
if (!$this->policy) {
$this->reload($options);
}
return $this->policy;
}
/**
* Set the IAM policy for this resource.
*
* Bindings with invalid roles, or non-existent members will raise a server
* error.
*
* Example:
* ```
* $oldPolicy = $iam->policy();
* $oldPolicy['bindings'][0]['members'] = 'user:test@example.com';
*
* $policy = $iam->setPolicy($oldPolicy);
* ```
*
* @param array|PolicyBuilder $policy The new policy, as an array or an
* instance of {@see Google\Cloud\Core\Iam\PolicyBuilder}.
* @param array $options Configuration Options
* @return array An array of policy data
* @throws \InvalidArgumentException If the given policy is not an array or PolicyBuilder.
*/
public function setPolicy($policy, array $options = [])
{
if ($policy instanceof PolicyBuilder) {
$policy = $policy->result();
}
if (!is_array($policy)) {
throw new \InvalidArgumentException('Given policy data must be an array or an instance of PolicyBuilder.');
}
$request = [];
if ($this->options['parent']) {
$parent = $this->options['parent'];
$request[$parent] = $policy;
} else {
$request = $policy;
}
return $this->policy = $this->connection->setPolicy([
'resource' => $this->resource
] + $request + $options + $this->options['args']);
}
/**
* Test if the current user has the given permissions on this resource.
*
* Invalid permissions will raise a BadRequestException.
*
* Example:
* ```
* $allowedPermissions = $iam->testPermissions([
* 'pubsub.topics.publish',
* 'pubsub.topics.attachSubscription'
* ]);
* ```
*
* @param array $permissions A list of permissions to test
* @param array $options Configuration Options
* @return array A subset of $permissions, with only those allowed included.
*/
public function testPermissions(array $permissions, array $options = [])
{
$res = $this->connection->testPermissions([
'permissions' => $permissions,
'resource' => $this->resource
] + $options + $this->options['args']);
return (isset($res['permissions'])) ? $res['permissions'] : [];
}
/**
* Refresh the IAM policy for this resource.
*
* Example:
* ```
* $policy = $iam->reload();
* ```
*
* @param array $options Configuration Options
* @return array An array of policy data
*/
public function reload(array $options = [])
{
return $this->policy = $this->connection->getPolicy([
'resource' => $this->resource
] + $options + $this->options['args']);
}
}