fix: add preconditions and retry config support to ACL patch operatio…

…nss (googleapis#586) * add preconditions and retry config support to ACL patch operations * update existing unit tests * add unit tests * add preconditions and retry config to bucket make public/private * add preconditions and retry config to blob make public/private * update docstrings * add system tests acl with metegeneration match * revise to use permitted group email
cojenco · Sep 15, 2021 · a644136 · a644136
1 parent 12c553c
commit a644136
Show file tree

Hide file tree

Showing 2 changed files with 71 additions and 0 deletions.
diff --git a/tests/system/test_blob.py b/tests/system/test_blob.py
@@ -373,6 +373,41 @@ def test_blob_acl_w_user_project(
     assert not acl.has_entity("allUsers")
 
 
+def test_blob_acl_w_metageneration_match(
+    shared_bucket, blobs_to_delete, file_data, service_account,
+):
+    wrong_metageneration_number = 9
+    wrong_generation_number = 6
+
+    blob = shared_bucket.blob("FilePatchACL")
+    info = file_data["simple"]
+    blob.upload_from_filename(info["path"])
+    blobs_to_delete.append(blob)
+
+    # Exercise blob ACL with metageneration/generation match
+    acl = blob.acl
+    blob.reload()
+
+    with pytest.raises(exceptions.PreconditionFailed):
+        acl.save_predefined(
+            "publicRead", if_metageneration_match=wrong_metageneration_number
+        )
+        assert "READER" not in acl.all().get_roles()
+
+    acl.save_predefined("publicRead", if_metageneration_match=blob.metageneration)
+    assert "READER" in acl.all().get_roles()
+
+    blob.reload()
+    del acl.entities["allUsers"]
+
+    with pytest.raises(exceptions.PreconditionFailed):
+        acl.save(if_generation_match=wrong_generation_number)
+        assert acl.has_entity("allUsers")
+
+    acl.save(if_generation_match=blob.generation)
+    assert not acl.has_entity("allUsers")
+
+
 def test_blob_acl_upload_predefined(
     shared_bucket, blobs_to_delete, file_data, service_account,
 ):

diff --git a/tests/system/test_bucket.py b/tests/system/test_bucket.py
@@ -246,6 +246,42 @@ def test_bucket_acls_iam_w_user_project(
     with_user_project.set_iam_policy(policy)
 
 
+def test_bucket_acls_w_metageneration_match(storage_client, buckets_to_delete):
+    wrong_metageneration_number = 9
+    bucket_name = _helpers.unique_name("acl-w-metageneration-match")
+    bucket = _helpers.retry_429_503(storage_client.create_bucket)(bucket_name)
+    buckets_to_delete.append(bucket)
+
+    # Exercise bucket ACL with metageneration match
+    acl = bucket.acl
+    acl.group("cloud-developer-relations@google.com").grant_read()
+    bucket.reload()
+
+    with pytest.raises(exceptions.PreconditionFailed):
+        acl.save(if_metageneration_match=wrong_metageneration_number)
+        assert (
+            "READER"
+            not in acl.group("cloud-developer-relations@google.com").get_roles()
+        )
+
+    acl.save(if_metageneration_match=bucket.metageneration)
+    assert "READER" in acl.group("cloud-developer-relations@google.com").get_roles()
+
+    # Exercise default object ACL w/ metageneration match
+    doa = bucket.default_object_acl
+    doa.group("cloud-developer-relations@google.com").grant_owner()
+    bucket.reload()
+
+    with pytest.raises(exceptions.PreconditionFailed):
+        doa.save(if_metageneration_match=wrong_metageneration_number)
+        assert (
+            "OWNER" not in doa.group("cloud-developer-relations@google.com").get_roles()
+        )
+
+    doa.save(if_metageneration_match=bucket.metageneration)
+    assert "OWNER" in doa.group("cloud-developer-relations@google.com").get_roles()
+
+
 def test_bucket_copy_blob(
     storage_client, buckets_to_delete, blobs_to_delete, user_project,
 ):