1 | ;
|
2 | /*!
|
3 | * Copyright 2014 Google Inc. All Rights Reserved.
|
4 | *
|
5 | * Licensed under the Apache License, Version 2.0 (the "License");
|
6 | * you may not use this file except in compliance with the License.
|
7 | * You may obtain a copy of the License at
|
8 | *
|
9 | * http://www.apache.org/licenses/LICENSE-2.0
|
10 | *
|
11 | * Unless required by applicable law or agreed to in writing, software
|
12 | * distributed under the License is distributed on an "AS IS" BASIS,
|
13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
14 | * See the License for the specific language governing permissions and
|
15 | * limitations under the License.
|
16 | */
|
// Flag the exports object with `__esModule: true`, the marker that transpiled
// ES-module output sets for CommonJS interop.
Object.defineProperty(exports, "__esModule", { value: true });
// Declare the IAM export up front as undefined; it is assigned the class
// once the class has been defined further down in this file.
exports.IAM = void 0;
|
19 | /*!
|
20 | * @module pubsub/iam
|
21 | */
|
22 | const promisify_1 = require("@google-cloud/promisify");
|
23 | const arrify = require("arrify");
|
24 | /**
|
25 | * [IAM (Identity and Access
|
26 | * Management)](https://cloud.google.com/pubsub/access_control) allows you to
|
27 | * set permissions on individual resources and offers a wider range of roles:
|
28 | * editor, owner, publisher, subscriber, and viewer. This gives you greater
|
29 | * flexibility and allows you to set more fine-grained access control.
|
30 | *
|
31 | * For example:
|
32 | * * Grant access on a per-topic or per-subscription basis, rather than for
|
33 | * the whole Cloud project.
|
34 | * * Grant access with limited capabilities, such as to only publish messages
|
35 | * to a topic, or only to consume messages from a subscription, but not
|
36 | * to delete the topic or subscription.
|
37 | *
|
38 | *
|
39 | * *The IAM access control features described in this document are Beta,
|
40 | * including the API methods to get and set IAM policies, and to test IAM
|
41 | * permissions. Cloud Pub/Sub's use of IAM features is not covered by any
|
42 | * SLA or deprecation policy, and may be subject to backward-incompatible
|
43 | * changes.*
|
44 | *
|
45 | * @class
|
46 | * @param {PubSub} pubsub PubSub Object.
|
47 | * @param {string} id The name of the topic or subscription.
|
48 | *
|
49 | * @see [Access Control Overview]{@link https://cloud.google.com/pubsub/access_control}
|
50 | * @see [What is Cloud IAM?]{@link https://cloud.google.com/iam/}
|
51 | *
|
52 | * @example
|
53 | * const {PubSub} = require('@google-cloud/pubsub');
|
54 | * const pubsub = new PubSub();
|
55 | *
|
56 | * const topic = pubsub.topic('my-topic');
|
57 | * // topic.iam
|
58 | *
|
59 | * const subscription = pubsub.subscription('my-subscription');
|
60 | * // subscription.iam
|
61 | */
|
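class IAM {
    /**
     * @param {PubSub} pubsub PubSub Object whose `request` method is used for
     *     every IAM call.
     * @param {string} id The name of the topic or subscription.
     */
    constructor(pubsub, id) {
        this.pubsub = pubsub;
        // Bind once so `request` keeps its PubSub receiver when invoked
        // through this instance.
        this.request = pubsub.request.bind(pubsub);
        this.id = id;
    }
    /**
     * @typedef {array} GetPolicyResponse
     * @property {object} 0 The policy.
     */
    /**
     * @callback GetPolicyCallback
     * @param {?Error} err Request error, if any.
     * @param {object} acl The policy.
     */
    /**
     * Get the IAM policy
     *
     * @param {object} [gaxOptions] Request configuration options, outlined
     *     here: https://googleapis.github.io/gax-nodejs/interfaces/CallOptions.html.
     * @param {GetPolicyCallback} [callback] Callback function.
     * @returns {Promise<GetPolicyResponse>}
     *
     * @see [Topics: getIamPolicy API Documentation]{@link https://cloud.google.com/pubsub/docs/reference/rest/v1/projects.topics/getIamPolicy}
     * @see [Subscriptions: getIamPolicy API Documentation]{@link https://cloud.google.com/pubsub/docs/reference/rest/v1/projects.subscriptions/getIamPolicy}
     *
     * @example
     * const {PubSub} = require('@google-cloud/pubsub');
     * const pubsub = new PubSub();
     *
     * const topic = pubsub.topic('my-topic');
     * const subscription = topic.subscription('my-subscription');
     *
     * topic.iam.getPolicy(function(err, policy, apiResponse) {});
     *
     * subscription.iam.getPolicy(function(err, policy, apiResponse) {});
     *
     * //-
     * // If the callback is omitted, we'll return a Promise.
     * //-
     * topic.iam.getPolicy().then(function(data) {
     *   const policy = data[0];
     *   const apiResponse = data[1];
     * });
     */
    getPolicy(optsOrCallback, callback) {
        // The first argument is either the gax options or the callback.
        const gaxOpts = typeof optsOrCallback === 'object' ? optsOrCallback : {};
        callback = typeof optsOrCallback === 'function' ? optsOrCallback : callback;
        const reqOpts = {
            resource: this.id,
        };
        this.request({
            client: 'SubscriberClient',
            method: 'getIamPolicy',
            reqOpts,
            gaxOpts,
        }, callback);
    }
    /**
     * @typedef {array} SetPolicyResponse
     * @property {object} 0 The policy.
     */
    /**
     * @callback SetPolicyCallback
     * @param {?Error} err Request error, if any.
     * @param {object} acl The policy.
     */
    /**
     * Set the IAM policy
     *
     * The supplied policy replaces the resource's existing policy as a whole.
     * To change a single binding, read the current policy with `getPolicy`,
     * edit it, and send it back together with its `etag` so that a concurrent
     * update is not silently overwritten.
     *
     * @throws {Error} If no policy is provided (including `null`).
     *
     * @param {object} policy The [policy](https://cloud.google.com/pubsub/docs/reference/rest/v1/Policy).
     * @param {array} [policy.bindings] Bindings associate members with roles.
     * @param {Array<object>} [policy.rules] Rules to be applied to the policy.
     * @param {string} [policy.etag] Etags are used to perform a read-modify-write.
     * @param {object} [gaxOptions] Request configuration options, outlined
     *     here: https://googleapis.github.io/gax-nodejs/interfaces/CallOptions.html.
     * @param {SetPolicyCallback} [callback] Callback function.
     * @returns {Promise<SetPolicyResponse>}
     *
     * @see [Topics: setIamPolicy API Documentation]{@link https://cloud.google.com/pubsub/docs/reference/rest/v1/projects.topics/setIamPolicy}
     * @see [Subscriptions: setIamPolicy API Documentation]{@link https://cloud.google.com/pubsub/docs/reference/rest/v1/projects.subscriptions/setIamPolicy}
     * @see [Policy]{@link https://cloud.google.com/pubsub/docs/reference/rest/v1/Policy}
     *
     * @example
     * const {PubSub} = require('@google-cloud/pubsub');
     * const pubsub = new PubSub();
     *
     * const topic = pubsub.topic('my-topic');
     * const subscription = topic.subscription('my-subscription');
     *
     * const myPolicy = {
     *   bindings: [
     *     {
     *       role: 'roles/pubsub.subscriber',
     *       members:
     *       ['serviceAccount:myotherproject@appspot.gserviceaccount.com']
     *     }
     *   ]
     * };
     *
     * topic.iam.setPolicy(myPolicy, function(err, policy, apiResponse) {});
     *
     * subscription.iam.setPolicy(myPolicy, function(err, policy, apiResponse)
     * {});
     *
     * //-
     * // If the callback is omitted, we'll return a Promise.
     * //-
     * topic.iam.setPolicy(myPolicy).then(function(data) {
     *   const policy = data[0];
     *   const apiResponse = data[1];
     * });
     */
    setPolicy(policy, optsOrCallback, callback) {
        // `typeof null` is 'object', so null has to be rejected explicitly;
        // otherwise a null policy would be forwarded in the request.
        if (policy === null || typeof policy !== 'object') {
            throw new Error('A policy object is required.');
        }
        const gaxOpts = typeof optsOrCallback === 'object' ? optsOrCallback : {};
        callback = typeof optsOrCallback === 'function' ? optsOrCallback : callback;
        const reqOpts = {
            resource: this.id,
            policy,
        };
        this.request({
            client: 'SubscriberClient',
            method: 'setIamPolicy',
            reqOpts,
            gaxOpts,
        }, callback);
    }
    /**
     * @callback TestIamPermissionsCallback
     * @param {?Error} err Request error, if any.
     * @param {TestIamPermissionsAPIResponse} permissions A subset of permissions that the caller is allowed.
     * @param {PermissionsResponse} apiResponse The full API response.
     */
    /**
     * @typedef {array} TestIamPermissionsResponse
     * @property {object[]} 0 A subset of permissions that the caller is allowed.
     * @property {PermissionsResponse} 1 The full API response.
     */
    /**
     * @typedef {string[]} PermissionsResponse
     * A subset of TestPermissionsRequest.permissions that the caller is allowed.
     * @see https://cloud.google.com/pubsub/docs/reference/rpc/google.iam.v1#google.iam.v1.TestIamPermissionsRequest
     */
    /**
     * Test a set of permissions for a resource.
     *
     * Permissions with wildcards such as `*` or `storage.*` are not allowed.
     *
     * The callback receives an object keyed by each requested permission,
     * with `true` where the response lists that permission and `false`
     * otherwise.
     *
     * @throws {Error} If permissions are not provided.
     *
     * @param {string|string[]} permissions The permission(s) to test for.
     * @param {object} [gaxOptions] Request configuration options, outlined
     *     here: https://googleapis.github.io/gax-nodejs/interfaces/CallOptions.html.
     * @param {TestIamPermissionsCallback} [callback] Callback function.
     * @returns {Promise<TestIamPermissionsResponse>}
     *
     * @see [Topics: testIamPermissions API Documentation]{@link https://cloud.google.com/pubsub/docs/reference/rest/v1/projects.topics/testIamPermissions}
     * @see [Subscriptions: testIamPermissions API Documentation]{@link https://cloud.google.com/pubsub/docs/reference/rest/v1/projects.subscriptions/testIamPermissions}
     * @see [Permissions Reference]{@link https://cloud.google.com/pubsub/access_control#permissions}
     *
     * @example
     * const {PubSub} = require('@google-cloud/pubsub');
     * const pubsub = new PubSub();
     *
     * const topic = pubsub.topic('my-topic');
     * const subscription = topic.subscription('my-subscription');
     *
     * //-
     * // Test a single permission.
     * //-
     * const test = 'pubsub.topics.update';
     *
     * topic.iam.testPermissions(test, function(err, permissions, apiResponse) {
     *   console.log(permissions);
     *   // {
     *   //   "pubsub.topics.update": true
     *   // }
     * });
     *
     * //-
     * // Test several permissions at once.
     * //-
     * const tests = [
     *   'pubsub.subscriptions.consume',
     *   'pubsub.subscriptions.update'
     * ];
     *
     * subscription.iam.testPermissions(tests, function(err, permissions) {
     *   console.log(permissions);
     *   // {
     *   //   "pubsub.subscriptions.consume": true,
     *   //   "pubsub.subscriptions.update": false
     *   // }
     * });
     *
     * //-
     * // If the callback is omitted, we'll return a Promise.
     * //-
     * topic.iam.testPermissions(test).then(function(data) {
     *   const permissions = data[0];
     *   const apiResponse = data[1];
     * });
     */
    testPermissions(permissions, optsOrCallback, callback) {
        if (!Array.isArray(permissions) && typeof permissions !== 'string') {
            throw new Error('Permissions are required.');
        }
        const gaxOpts = typeof optsOrCallback === 'object' ? optsOrCallback : {};
        callback = typeof optsOrCallback === 'function' ? optsOrCallback : callback;
        // Normalise once: a single permission string becomes a one-element
        // array, so the request and the result map are built from the same
        // list. Reducing over the raw argument fails for a string, which has
        // no `reduce` method.
        const requested = arrify(permissions);
        const reqOpts = {
            resource: this.id,
            permissions: requested,
        };
        this.request({
            client: 'SubscriberClient',
            method: 'testIamPermissions',
            reqOpts,
            gaxOpts,
        }, (err, resp) => {
            if (err) {
                callback(err, null, resp);
                return;
            }
            // The response carries only the permissions that were granted;
            // anything requested but absent from it is reported as false.
            const availablePermissions = arrify(resp.permissions);
            const permissionHash = requested.reduce((acc, permission) => {
                acc[permission] = availablePermissions.includes(permission);
                return acc;
            }, {});
            callback(null, permissionHash, resp);
        });
    }
}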
|
// Publish the class as this module's IAM export.
exports.IAM = IAM;
/*! Developer Documentation
 *
 * All async methods (except for streams) will return a Promise in the event
 * that a callback is omitted.
 */
// Wrap IAM's methods so that, as described in the note above, a call made
// without a callback returns a Promise instead.
promisify_1.promisifyAll(IAM);
|
306 | //# sourceMappingURL=iam.js.map |