Copyright 2016 Google LLC Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Package iam supports the resource-specific operations of Google Cloud IAM (Identity and Access Management) for the Google Cloud Libraries. See https://cloud.google.com/iam for more about IAM. Users of the Google Cloud Libraries will typically not use this package directly. Instead they will begin with some resource that supports IAM, like a pubsub topic, and call its IAM method to get a Handle for that resource.
package iam

import (
	
	
	

	gax 
	pb 
	
	
	
)
client abstracts the IAMPolicy API to allow multiple implementations.
type client interface {
	Get(ctx context.Context, resource string) (*pb.Policy, error)
	Set(ctx context.Context, resource string, p *pb.Policy) error
	Test(ctx context.Context, resource string, perms []string) ([]string, error)
	GetWithVersion(ctx context.Context, resource string, requestedPolicyVersion int32) (*pb.Policy, error)
}
grpcClient implements client for the standard gRPC-based IAMPolicy service.
type grpcClient struct {
	c pb.IAMPolicyClient
}

var withRetry = gax.WithRetry(func() gax.Retryer {
	return gax.OnCodes([]codes.Code{
		codes.DeadlineExceeded,
		codes.Unavailable,
	}, gax.Backoff{
		Initial:    100 * time.Millisecond,
		Max:        60 * time.Second,
		Multiplier: 1.3,
	})
})

func ( *grpcClient) ( context.Context,  string) (*pb.Policy, error) {
	return .GetWithVersion(, , 1)
}

func ( *grpcClient) ( context.Context,  string,  int32) (*pb.Policy, error) {
	var  *pb.Policy
	 := metadata.Pairs("x-goog-request-params", fmt.Sprintf("%s=%v", "resource", ))
	 = insertMetadata(, )

	 := gax.Invoke(, func( context.Context,  gax.CallSettings) error {
		var  error
		,  = .c.GetIamPolicy(, &pb.GetIamPolicyRequest{
			Resource: ,
			Options: &pb.GetPolicyOptions{
				RequestedPolicyVersion: ,
			},
		})
		return 
	}, withRetry)
	if  != nil {
		return nil, 
	}
	return , nil
}

func ( *grpcClient) ( context.Context,  string,  *pb.Policy) error {
	 := metadata.Pairs("x-goog-request-params", fmt.Sprintf("%s=%v", "resource", ))
	 = insertMetadata(, )

	return gax.Invoke(, func( context.Context,  gax.CallSettings) error {
		,  := .c.SetIamPolicy(, &pb.SetIamPolicyRequest{
			Resource: ,
			Policy:   ,
		})
		return 
	}, withRetry)
}

func ( *grpcClient) ( context.Context,  string,  []string) ([]string, error) {
	var  *pb.TestIamPermissionsResponse
	 := metadata.Pairs("x-goog-request-params", fmt.Sprintf("%s=%v", "resource", ))
	 = insertMetadata(, )

	 := gax.Invoke(, func( context.Context,  gax.CallSettings) error {
		var  error
		,  = .c.TestIamPermissions(, &pb.TestIamPermissionsRequest{
			Resource:    ,
			Permissions: ,
		})
		return 
	}, withRetry)
	if  != nil {
		return nil, 
	}
	return .Permissions, nil
}
A Handle provides IAM operations for a resource.
type Handle struct {
	c        client
	resource string
}
A Handle3 provides IAM operations for a resource. It is similar to a Handle, but provides access to newer IAM features (e.g., conditions).
type Handle3 struct {
	c        client
	resource string
	version  int32
}
InternalNewHandle is for use by the Google Cloud Libraries only. InternalNewHandle returns a Handle for resource. The conn parameter refers to a server that must support the IAMPolicy service.
func ( grpc.ClientConnInterface,  string) *Handle {
	return InternalNewHandleGRPCClient(pb.NewIAMPolicyClient(), )
}
InternalNewHandleGRPCClient is for use by the Google Cloud Libraries only. InternalNewHandleClient returns a Handle for resource using the given grpc service that implements IAM as a mixin
func ( pb.IAMPolicyClient,  string) *Handle {
	return InternalNewHandleClient(&grpcClient{c: }, )
}
InternalNewHandleClient is for use by the Google Cloud Libraries only. InternalNewHandleClient returns a Handle for resource using the given client implementation.
func ( client,  string) *Handle {
	return &Handle{
		c:        ,
		resource: ,
	}
}
V3 returns a Handle3, which is like Handle except it sets requestedPolicyVersion to 3 when retrieving a policy and policy.version to 3 when storing a policy.
func ( *Handle) () *Handle3 {
	return &Handle3{
		c:        .c,
		resource: .resource,
		version:  3,
	}
}
Policy retrieves the IAM policy for the resource.
func ( *Handle) ( context.Context) (*Policy, error) {
	,  := .c.Get(, .resource)
	if  != nil {
		return nil, 
	}
	return &Policy{InternalProto: }, nil
}
SetPolicy replaces the resource's current policy with the supplied Policy. If policy was created from a prior call to Get, then the modification will only succeed if the policy has not changed since the Get.
func ( *Handle) ( context.Context,  *Policy) error {
	return .c.Set(, .resource, .InternalProto)
}
TestPermissions returns the subset of permissions that the caller has on the resource.
func ( *Handle) ( context.Context,  []string) ([]string, error) {
	return .c.Test(, .resource, )
}
A RoleName is a name representing a collection of permissions.
type RoleName string
Common role names.
const (
	Owner  RoleName = "roles/owner"
	Editor RoleName = "roles/editor"
	Viewer RoleName = "roles/viewer"
)
AllUsers is a special member that denotes all users, even unauthenticated ones.
	AllUsers = "allUsers"
AllAuthenticatedUsers is a special member that denotes all authenticated users.
	AllAuthenticatedUsers = "allAuthenticatedUsers"
)
A Policy is a list of Bindings representing roles granted to members. The zero Policy is a valid policy with no bindings.
TODO(jba): when type aliases are available, put Policy into an internal package and provide an exported alias here.
This field is exported for use by the Google Cloud Libraries only. It may become unexported in a future release.
	InternalProto *pb.Policy
}
Members returns the list of members with the supplied role. The return value should not be modified. Use Add and Remove to modify the members of a role.
func ( *Policy) ( RoleName) []string {
	 := .binding()
	if  == nil {
		return nil
	}
	return .Members
}
HasRole reports whether member has role r.
func ( *Policy) ( string,  RoleName) bool {
	return memberIndex(, .binding()) >= 0
}
Add adds member member to role r if it is not already present. A new binding is created if there is no binding for the role.
func ( *Policy) ( string,  RoleName) {
	 := .binding()
	if  == nil {
		if .InternalProto == nil {
			.InternalProto = &pb.Policy{}
		}
		.InternalProto.Bindings = append(.InternalProto.Bindings, &pb.Binding{
			Role:    string(),
			Members: []string{},
		})
		return
	}
	if memberIndex(, ) < 0 {
		.Members = append(.Members, )
		return
	}
}
Remove removes member from role r if it is present.
func ( *Policy) ( string,  RoleName) {
	 := .bindingIndex()
	if  < 0 {
		return
	}
	 := .InternalProto.Bindings
	 := []
	 := memberIndex(, )
	if  < 0 {
		return
Order doesn't matter for bindings or members, so to remove, move the last item into the removed spot and shrink the slice.
Remove binding.
		 := len() - 1
		[] = []
		[] = nil
		.InternalProto.Bindings = [:]
		return
Remove member. TODO(jba): worry about multiple copies of m?
	 := len(.Members) - 1
	.Members[] = .Members[]
	.Members[] = ""
	.Members = .Members[:]
}
Roles returns the names of all the roles that appear in the Policy.
func ( *Policy) () []RoleName {
	if .InternalProto == nil {
		return nil
	}
	var  []RoleName
	for ,  := range .InternalProto.Bindings {
		 = append(, RoleName(.Role))
	}
	return 
}
binding returns the Binding for the suppied role, or nil if there isn't one.
func ( *Policy) ( RoleName) *pb.Binding {
	 := .bindingIndex()
	if  < 0 {
		return nil
	}
	return .InternalProto.Bindings[]
}

func ( *Policy) ( RoleName) int {
	if .InternalProto == nil {
		return -1
	}
	for ,  := range .InternalProto.Bindings {
		if .Role == string() {
			return 
		}
	}
	return -1
}
memberIndex returns the index of m in b's Members, or -1 if not found.
func ( string,  *pb.Binding) int {
	if  == nil {
		return -1
	}
	for ,  := range .Members {
		if  ==  {
			return 
		}
	}
	return -1
}
insertMetadata inserts metadata into the given context
func ( context.Context,  ...metadata.MD) context.Context {
	,  := metadata.FromOutgoingContext()
	 = .Copy()
	for ,  := range  {
		for ,  := range  {
			[] = append([], ...)
		}
	}
	return metadata.NewOutgoingContext(, )
}
A Policy3 is a list of Bindings representing roles granted to members. The zero Policy3 is a valid policy with no bindings. It is similar to a Policy, except a Policy3 provides direct access to the list of Bindings. The policy version is always set to 3.
type Policy3 struct {
	etag     []byte
	Bindings []*pb.Binding
}
Policy retrieves the IAM policy for the resource. requestedPolicyVersion is always set to 3.
func ( *Handle3) ( context.Context) (*Policy3, error) {
	,  := .c.GetWithVersion(, .resource, .version)
	if  != nil {
		return nil, 
	}
	return &Policy3{
		Bindings: .Bindings,
		etag:     .Etag,
	}, nil
}
SetPolicy replaces the resource's current policy with the supplied Policy. If policy was created from a prior call to Get, then the modification will only succeed if the policy has not changed since the Get.
func ( *Handle3) ( context.Context,  *Policy3) error {
	return .c.Set(, .resource, &pb.Policy{
		Bindings: .Bindings,
		Etag:     .etag,
		Version:  .version,
	})
}
TestPermissions returns the subset of permissions that the caller has on the resource.
func ( *Handle3) ( context.Context,  []string) ([]string, error) {
	return .c.Test(, .resource, )