Verify if IAM policy validation is needed when received from API #1175

Closed
1 task done
frankyn opened this issue Dec 13, 2021 · 0 comments · Fixed by #1177
Labels
api: storage Issues related to the googleapis/java-storage API. priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

frankyn commented Dec 13, 2021

IllegalStateException in PolicyHelper.java:

We should replace with a warning potentially; the part that isn't clear is that it's converting IAM policy from Apiary to Manual representation which we need to be careful about.

Cases check:

  • Is it possible to have an empty storage bucket bindings list while having inherited permissions from project level? Yes.

Prerequisites

  1. Grant roles/storage.admin to your user account and service account principals.
  2. Create a standard class type bucket in any region (will occur for both UBLA and Fine Grained buckets)
  3. Remove default Viewer, Editor, and Owner principal assignments on the new bucket

Reproductions

Using https://developers.google.com/oauthplayground/:

Request / Response

```
GET /storage/v1/b/iam-issue-1175/iam HTTP/1.1
Host: storage.googleapis.com
Content-length: 0
Authorization: X
```

```
HTTP/1.1 200 OK
Content-length: 118
Content-location: https://storage.googleapis.com/storage/v1/b/iam-issue-1175/iam
Expires: Mon, 13 Dec 2021 19:28:04 GMT
Vary: Origin,X-Origin
Cache-control: private, max-age=0, must-revalidate, no-transform
Etag: CAQ=
X-guploader-uploadid: ADPycdtqlzOMYDU_dsPGQi7e0DthKx5_AL40IL6aHnDf8Fi3YBRihhNpOc6-RHCulknFYxowRkir_Khdkg5mNqP5NLSTbQK-QQ
Date: Mon, 13 Dec 2021 19:28:04 GMT
Content-type: application/json; charset=UTF-8

{
  "resourceId": "projects/_/buckets/iam-issue-1175",
  "kind": "storage#policy",
  "version": 1,
  "etag": "CAQ="
}
```

Using Java Storage client

```java
package com.google.cloud.storage.it;

import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import org.junit.Test;

public class ITIamPolicy {
  // Fetches the IAM policy of the bucket prepared in the prerequisites;
  // the call fails with the exception shown in the comment below.
  @Test
  public void testGetIamPolicy() {
    Storage client = StorageOptions.getDefaultInstance().getService();
    client.getIamPolicy("iam-issue-1175");
  }
}

/*
java.lang.IllegalStateException: Missing required bindings.

	at com.google.cloud.storage.PolicyHelper.convertFromApiPolicy(PolicyHelper.java:54)
	at com.google.cloud.storage.Retrying.run(Retrying.java:52)
	at com.google.cloud.storage.StorageImpl.run(StorageImpl.java:1374)
	at com.google.cloud.storage.StorageImpl.getIamPolicy(StorageImpl.java:1316)
	at com.google.cloud.storage.it.ITIamPolicy.testGetIamPolicy(ITIamPolicy.java:12)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:59)
	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
	at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:56)
	at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
	at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:306)
	at org.junit.runners.BlockJUnit4ClassRunner$1.evaluate(BlockJUnit4ClassRunner.java:100)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:63)
	at org.junit.runners.ParentRunner$4.run(ParentRunner.java:331)
	at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:79)
	at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:329)
	at org.junit.runners.ParentRunner.access$100(ParentRunner.java:66)
	at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:293)
	at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:306)
	at org.junit.runners.ParentRunner.run(ParentRunner.java:413)
	at org.junit.runner.JUnitCore.run(JUnitCore.java:137)
	at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:69)
	at com.intellij.rt.junit.IdeaTestRunner$Repeater.startRunnerWithArgs(IdeaTestRunner.java:33)
	at com.intellij.rt.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:235)
	at com.intellij.rt.junit.JUnitStarter.main(JUnitStarter.java:54)
*/
```

related bug: #1159
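
The failure reported above, reduced to a self-contained example (added here; it is not code from java-storage and not the change made in #1177). `Policy`, `convertStrict` and `convertLenient` are hypothetical stand-ins and the principal is constructed; it shows the strict conversion rejecting the response from this issue, while a lenient one keeps the etag so a read-modify-write update remains possible.

```java
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

public class PolicyConversionExample {
  /** Hypothetical stand-in for a policy: role -> members, plus etag and version. */
  static final class Policy {
    final Map<String, List<String>> bindings; // null when the JSON omits the field
    final String etag;
    final int version;
    Policy(Map<String, List<String>> bindings, String etag, int version) {
      this.bindings = bindings;
      this.etag = etag;
      this.version = version;
    }
  }

  /** Strict: fails on a policy without bindings, matching the exception above. */
  static Policy convertStrict(Policy api) {
    if (api.bindings == null) {
      throw new IllegalStateException("Missing required bindings.");
    }
    return new Policy(new TreeMap<>(api.bindings), api.etag, api.version);
  }

  /** Lenient: an absent field becomes an empty map; etag and version are kept. */
  static Policy convertLenient(Policy api) {
    Map<String, List<String>> roles = new TreeMap<>();
    if (api.bindings != null) {
      roles.putAll(api.bindings);
    }
    return new Policy(roles, api.etag, api.version);
  }

  public static void main(String[] args) {
    // Constructed from the response body in this issue: no "bindings" key.
    Policy fromIssue = new Policy(null, "CAQ=", 1);
    try {
      convertStrict(fromIssue);
    } catch (IllegalStateException e) {
      System.out.println("strict:  " + e.getMessage());
    }
    // Read-modify-write: add a grant (constructed principal), keep the etag.
    Policy p = convertLenient(fromIssue);
    p.bindings.put("roles/storage.objectViewer", List.of("user:alice@example.com"));
    System.out.println("lenient: " + p.bindings + " etag=" + p.etag);
  }
}
```

An empty bucket-level map here is not evidence that nobody has access: as the case check above notes, permissions inherited from the project level still apply.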

@product-auto-label product-auto-label bot added the api: storage Issues related to the googleapis/java-storage API. label Dec 13, 2021
@BenWhitehead BenWhitehead added type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. priority: p2 Moderately-important priority. Fix may not be included in next release. labels Dec 13, 2021
gcf-merge-on-green bot pushed a commit that referenced this issue Dec 14, 2021
Thank you for opening a Pull Request! Before submitting your PR, there are a few things you can do to make sure it goes smoothly:
- [x] Make sure to open an issue as a [bug/issue](https://github.com/googleapis/java-storage/issues/new/choose) before writing your code!  That way we can discuss the change, evaluate designs, and agree on the general idea
- [x] Ensure the tests and linter pass
- [x] Appropriate docs were updated (if necessary)

Fixes #1175  ☕️
@frankyn frankyn added this to the Remove client side validation milestone Dec 14, 2021
frankyn added a commit that referenced this issue Feb 12, 2022
frankyn added a commit that referenced this issue Feb 12, 2022
frankyn added a commit that referenced this issue Feb 12, 2022
BenWhitehead pushed a commit that referenced this issue Feb 15, 2022
frankyn added a commit that referenced this issue Feb 15, 2022
frankyn added a commit that referenced this issue Feb 15, 2022