From cfa14ec0a25e56a3135fe5e9668a60f098a5cbfb Mon Sep 17 00:00:00 2001
From: Jon Wayne Parrott
Date: Fri, 28 Apr 2017 10:28:10 -0700
Subject: [PATCH 1/2] Add bucket-level IAM samples
---
 storage/cloud-client/iam.py | 97 ++++++++++++++++++++++++++++++++
 storage/cloud-client/iam_test.py | 42 ++++++++++++++
 2 files changed, 139 insertions(+)
 create mode 100644 storage/cloud-client/iam.py
 create mode 100644 storage/cloud-client/iam_test.py
diff --git a/storage/cloud-client/iam.py b/storage/cloud-client/iam.py
new file mode 100644
index 00000000000..18ec36907ff
--- /dev/null
+++ b/storage/cloud-client/iam.py
@@ -0,0 +1,97 @@
+#!/usr/bin/env python
+
+# Copyright 2017 Google, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""This application demonstrates how to get and set IAM policies on Google
+Cloud Storage buckets.
+
+For more information, see the documentation at
+https://cloud.google.com/storage/docs/access-control/using-iam-permissions.
+"""
+
+import argparse
+import base64
+import os
+
+from google.cloud import storage
+
+
+def view_bucket_iam_members(bucket_name):
+ storage_client = storage.Client()
+ bucket = storage_client.bucket(bucket_name)
+
+ policy = bucket.get_iam_policy()
+
+ for role in policy:
+ members = policy[role]
+ print('Role: {}, Members: {}'.format(role, members))
+
+
+def add_bucket_iam_member(bucket_name, role, member):
+ storage_client = storage.Client()
+ bucket = storage_client.bucket(bucket_name)
+
+ policy = bucket.get_iam_policy()
+
+ policy[role].add(member)
+
+ bucket.set_iam_policy(policy)
+
+ print('Added {} with role {} to {}.'.format(
+ role, member, bucket_name))
+
+
+def remove_bucket_iam_member(bucket_name, role, member):
+ storage_client = storage.Client()
+ bucket = storage_client.bucket(bucket_name)
+
+ policy = bucket.get_iam_policy()
+
+ policy[role].discard(member)
+
+ bucket.set_iam_policy(policy)
+
+ print('Removed {} with role {} from {}.'.format(
+ role, member, bucket_name))
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(
+ description=__doc__,
+ formatter_class=argparse.RawDescriptionHelpFormatter)
+ parser.add_argument('bucket_name', help='Your Cloud Storage bucket name.')
+ subparsers = parser.add_subparsers(dest='command')
+
+ subparsers.add_parser(
+ 'view-bucket-iam-members', help=view_bucket_iam_members.__doc__)
+
+ add_member_parser = subparsers.add_parser(
+ 'add-bucket-iam-member', help=add_bucket_iam_member.__doc__)
+ add_member_parser.add_argument('role')
+ add_member_parser.add_argument('member')
+
+ remove_member_parser = subparsers.add_parser(
+ 'remove-bucket-iam-member', help=remove_bucket_iam_member.__doc__)
+ remove_member_parser.add_argument('role')
+ remove_member_parser.add_argument('member')
+
+ args = parser.parse_args()
+
+ if args.command == 'view-bucket-iam-members':
+ view_bucket_iam_members(args.bucket_name)
+ elif args.command == 'add-bucket-iam-member':
+ add_bucket_iam_member(args.bucket_name, args.role, args.member)
+ elif args.command == 'remove-bucket-iam-member':
+ remove_bucket_iam_member(args.bucket_name, args.role, args.member)
diff --git a/storage/cloud-client/iam_test.py b/storage/cloud-client/iam_test.py
new file mode 100644
index 00000000000..cb6de0521b7
--- /dev/null
+++ b/storage/cloud-client/iam_test.py
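Review bot: None of the three functions in this file carries a docstring, yet the argparse setup near the end of the hunk registers each subcommand with `help=view_bucket_iam_members.__doc__` (and likewise for add and remove), so every subcommand ends up with `help=None` and `--help` prints no description for them. A one-line docstring on each fixes this, e.g. `"""Prints each role on the bucket and the members bound to it."""` on `view_bucket_iam_members`, `"""Grants *member* the IAM *role* on *bucket_name* and saves the policy."""` on `add_bucket_iam_member`, and the matching revoke wording on `remove_bucket_iam_member`. Those docstrings should also say that add/remove do a read-modify-write of the entire bucket policy; whether a concurrent policy change can be lost depends on the client library carrying the etag from `get_iam_policy()` into `set_iam_policy()`, which I have not verified here and which is worth a sentence for readers copying the sample. `remove_bucket_iam_member` uses `policy[role].discard(member)`, so it prints `Removed …` even when the member was never bound to that role; if that matters for operator feedback, check `member in policy[role]` before the discard and reflect the result in the message. In the `__main__` block the `if`/`elif` chain has no fallback when no subcommand is given, so the script exits silently; an `else: parser.print_help()` would make that visible.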
@@ -0,0 +1,42 @@
+# Copyright 2017 Google, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from google.cloud import storage
+import pytest
+
+import iam
+
+BUCKET = os.environ['CLOUD_STORAGE_BUCKET']
+MEMBER = 'group:dpebot@google.com'
+ROLE = 'roles/storage.legacyBucketReader'
+
+@pytest.fixture
+def bucket():
+ yield storage.Client().bucket(BUCKET)
+
+
+def test_view_bucket_iam_members():
+ iam.view_bucket_iam_members(BUCKET)
+
+
+def test_add_bucket_iam_member(bucket):
+ iam.add_bucket_iam_member(
+ BUCKET, ROLE, MEMBER)
+ assert MEMBER in bucket.get_iam_policy()[ROLE]
+
+
+def test_remove_bucket_iam_member(bucket):
+ iam.remove_bucket_iam_member(
+ BUCKET, ROLE, MEMBER)
+ assert MEMBER not in bucket.get_iam_policy()[ROLE]
From 412fd3903fa7a9ac65526daac96c4f82bfa874ae Mon Sep 17 00:00:00 2001
From: Jon Wayne Parrott
Date: Fri, 28 Apr 2017 12:10:19 -0700
Subject: [PATCH 2/2] Address review comments
---
 storage/cloud-client/iam.py | 6 ++----
 storage/cloud-client/iam_test.py | 3 +++
 storage/cloud-client/requirements.txt | 4 ++--
 3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/storage/cloud-client/iam.py b/storage/cloud-client/iam.py
index 18ec36907ff..ba20bc1dde2 100644
--- a/storage/cloud-client/iam.py
+++ b/storage/cloud-client/iam.py
@@ -22,8 +22,6 @@ """ import argparse -import base64 -import os from google.cloud import storage
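Review bot: `test_remove_bucket_iam_member` asserts only `MEMBER not in bucket.get_iam_policy()[ROLE]`, which is equally true when the removal is a silent no-op (`discard` of a member that was never bound) or when `test_add_bucket_iam_member` did not run before it, so the test only exercises the revoke path if pytest happens to run the file in order. Let the test establish its own precondition: call `iam.add_bucket_iam_member(BUCKET, ROLE, MEMBER)` first and `assert MEMBER in bucket.get_iam_policy()[ROLE]` before invoking the remove function. `test_view_bucket_iam_members` has no assertion at all; taking the `capsys` fixture and asserting `ROLE in capsys.readouterr().out` would at least confirm the policy was printed. The `bucket` fixture yields with no teardown, so a plain `return` says the same thing; since a failure midway through the add test leaves the test member bound on the shared bucket, a fixture teardown that removes `MEMBER` from `ROLE` would keep the bucket's policy from drifting between runs.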
@@ -50,7 +48,7 @@ def add_bucket_iam_member(bucket_name, role, member): bucket.set_iam_policy(policy) print('Added {} with role {} to {}.'.format( - role, member, bucket_name)) + member, role, bucket_name)) def remove_bucket_iam_member(bucket_name, role, member): @@ -64,7 +62,7 @@ def remove_bucket_iam_member(bucket_name, role, member): bucket.set_iam_policy(policy) print('Removed {} with role {} from {}.'.format( - role, member, bucket_name)) + member, role, bucket_name)) if __name__ == '__main__': diff --git a/storage/cloud-client/iam_test.py b/storage/cloud-client/iam_test.py index cb6de0521b7..0c823afa00e 100644 --- a/storage/cloud-client/iam_test.py +++ b/storage/cloud-client/iam_test.py @@ -12,6 +12,8 @@ # See the License for the specific language governing permissions and # limitations under the License. +import os + from google.cloud import storage import pytest @@ -21,6 +23,7 @@ MEMBER = 'group:dpebot@google.com' ROLE = 'roles/storage.legacyBucketReader' + @pytest.fixture def bucket(): yield storage.Client().bucket(BUCKET) diff --git a/storage/cloud-client/requirements.txt b/storage/cloud-client/requirements.txt index 6a14b5cdf99..3e0a3ba4b82 100644 --- a/storage/cloud-client/requirements.txt +++ b/storage/cloud-client/requirements.txt @@ -1,2 +1,2 @@ -google-cloud-storage==1.0.0 -google-cloud-pubsub==0.24.0 +google-cloud-storage==1.1.0 +google-cloud-pubsub==0.25.0