class Google::Cloud::Storage::Policy::Binding

# Binding

Value object associating members and an optional condition with a role.

@see cloud.google.com/iam/docs/overview Cloud IAM Overview

@attr [String] role Role that is assigned to members. For example,

`roles/viewer`, `roles/editor`, or `roles/owner`. Required.

@attr [Array<String>] members Specifies the identities requesting

access for a Cloud Platform resource. members can have the
following values. Required.

* `allUsers`: A special identifier that represents anyone who is on
  the internet; with or without a Google account.
* `allAuthenticatedUsers`: A special identifier that represents
   anyone who is authenticated with a Google account or a service
   account.
* `user:{emailid}`: An email address that represents a specific
  Google account. For example, `alice@example.com`.
* `serviceAccount:{emailid}`: An email address that represents a
  service account. For example, `my-other-app@appspot.gserviceaccount.com`.
* `group:{emailid}`: An email address that represents a Google group.
  For example, `admins@example.com`.
* `domain:{domain}`: The G Suite domain (primary) that represents
  all the users of that domain. For example, `google.com` or
  `example.com`. Required.

@attr [Google::Cloud::Storage::Policy::Condition, nil] condition The

condition that is associated with this binding, or `nil` if there is
no condition. NOTE: An unsatisfied condition will not allow user
access via current binding. Different bindings, including their
conditions, are examined independently.

@example

require "google/cloud/storage"

storage = Google::Cloud::Storage.new
bucket = storage.bucket "my-bucket"

policy = bucket.policy requested_policy_version: 3
policy.bindings.each do |binding|
  puts binding.role
end

@example Updating a Policy from version 1 to version 3:

require "google/cloud/storage"

storage = Google::Cloud::Storage.new
bucket = storage.bucket "my-bucket"

bucket.uniform_bucket_level_access = true

bucket.policy requested_policy_version: 3 do |p|
  p.version # the value is 1
  p.version = 3 # Must be explicitly set to opt-in to support for conditions.

  expr = "resource.name.startsWith(\"projects/_/buckets/bucket-name/objects/prefix-a-\")"
  p.bindings.insert({
                      role: "roles/storage.admin",
                      members: ["user:owner@example.com"],
                      condition: {
                        title: "my-condition",
                        description: "description of condition",
                        expression: expr
                      }
                    })
end

Attributes

condition[R]
members[R]
role[R]

Public Class Methods

new(role:, members:, condition: nil) click to toggle source

Creates a Binding object.

@param [String] role Role that is assigned to members. For example,

`roles/viewer`, `roles/editor`, or `roles/owner`. Required.

@param [Array<String>] members Specifies the identities requesting

access for a Cloud Platform resource. members can have the
following values. Required.

* `allUsers`: A special identifier that represents anyone who is on
  the internet; with or without a Google account.
* `allAuthenticatedUsers`: A special identifier that represents
   anyone who is authenticated with a Google account or a service
   account.
* `user:{emailid}`: An email address that represents a specific
  Google account. For example, `alice@example.com`.
* `serviceAccount:{emailid}`: An email address that represents a
  service account. For example, `my-other-app@appspot.gserviceaccount.com`.
* `group:{emailid}`: An email address that represents a Google group.
  For example, `admins@example.com`.
* `domain:{domain}`: The G Suite domain (primary) that represents
  all the users of that domain. For example, `google.com` or
  `example.com`. Required.

@param [Google::Cloud::Storage::Policy::Condition] condition The

condition that is associated with this binding. NOTE: An unsatisfied
condition will not allow user access via current binding. Different
bindings, including their conditions, are examined independently.
Optional.
# File lib/google/cloud/storage/policy/binding.rb, line 126
def initialize role:, members:, condition: nil
  @role = String role

  @members = Array members
  raise ArgumentError, "members is empty, must be provided" if @members.empty?

  condition = Condition.new(**condition) if condition.is_a? Hash
  if condition && !(condition.is_a? Condition)
    raise ArgumentError, "expected Condition, not #{condition.inspect}"
  end
  @condition = condition
end

Public Instance Methods

<=>(other) click to toggle source

@private

# File lib/google/cloud/storage/policy/binding.rb, line 204
def <=> other
  return nil unless other.is_a? Binding

  ret = role <=> other.role
  return ret unless ret.zero?
  ret = members <=> other.members
  return ret unless ret.zero?
  condition&.to_gapi <=> other.condition&.to_gapi
end
condition=(new_condition) click to toggle source

Sets the condition for the binding.

@param [Google::Cloud::Storage::Policy::Condition] new_condition The

condition that is associated with this binding. NOTE: An unsatisfied
condition will not allow user access via current binding. Different
bindings, including their conditions, are examined independently.
Optional.

@overload condition=(title:, description: nil, expression:)

@param [String] title Used to identify the condition. Required.
@param [String] description Used to document the condition. Optional.
@param [String] expression Defines an attribute-based logic
  expression using a subset of the Common Expression Language (CEL).
  The condition expression can contain multiple statements, each uses
  one attributes, and statements are combined using logic operators,
  following CEL language specification. Required.
# File lib/google/cloud/storage/policy/binding.rb, line 194
def condition= new_condition
  new_condition = Condition.new(**new_condition) if new_condition.is_a? Hash
  if new_condition && !new_condition.is_a?(Condition)
    raise ArgumentError, "expected Condition, not #{new_condition.inspect}"
  end
  @condition = new_condition
end
eql?(other) click to toggle source

@private

# File lib/google/cloud/storage/policy/binding.rb, line 216
def eql? other
  role.eql?(other.role) &&
    members.eql?(other.members) &&
    condition&.to_gapi.eql?(other.condition&.to_gapi)
end
hash() click to toggle source

@private

# File lib/google/cloud/storage/policy/binding.rb, line 224
def hash
  [
    @role,
    @members,
    @condition&.to_gapi
  ].hash
end
members=(new_members) click to toggle source

Sets the members for the binding.

@param [Array<String>] new_members Specifies the identities requesting

access for a Cloud Platform resource. members can have the
following values. Required.

* `allUsers`: A special identifier that represents anyone who is on
  the internet; with or without a Google account.
* `allAuthenticatedUsers`: A special identifier that represents
   anyone who is authenticated with a Google account or a service
   account.
* `user:{emailid}`: An email address that represents a specific
  Google account. For example, `alice@example.com`.
* `serviceAccount:{emailid}`: An email address that represents a
  service account. For example, `my-other-app@appspot.gserviceaccount.com`.
* `group:{emailid}`: An email address that represents a Google group.
  For example, `admins@example.com`.
* `domain:{domain}`: The G Suite domain (primary) that represents
  all the users of that domain. For example, `google.com` or
  `example.com`. Required.
# File lib/google/cloud/storage/policy/binding.rb, line 171
def members= new_members
  new_members = Array new_members
  raise ArgumentError, "members is empty, must be provided" if new_members.empty?
  @members = new_members
end
role=(new_role) click to toggle source

Sets the role for the binding.

@param [String] new_role Role that is assigned to members. For example,

`roles/viewer`, `roles/editor`, or `roles/owner`. Required.
# File lib/google/cloud/storage/policy/binding.rb, line 145
def role= new_role
  @role = String new_role
end
to_gapi() click to toggle source

@private

# File lib/google/cloud/storage/policy/binding.rb, line 234
def to_gapi
  params = {
    role: @role,
    members: @members,
    condition: @condition&.to_gapi
  }.delete_if { |_, v| v.nil? }
  Google::Apis::StorageV1::Policy::Binding.new(**params)
end