feat: add support of public access prevention

google-cloud-storage/src/main/java/com/google/cloud/storage/BucketInfo.java

@@ -101,17 +101,42 @@ public com.google.api.services.storage.model.Bucket apply(BucketInfo bucketInfo)
   private final String locationType;
   private final Logging logging;
 
+  /**
+   * Public Access Prevention enum with expected values.
+   *
+   * @see <a
+   *     href="https://cloud.google.com/storage/docs/public-access-prevention">public-access-prevention</a>
+   */
+  public enum PublicAccessPrevention {
+    ENFORCED("enforced"),
+    /** Default value for Public Access Prevention */
+    UNSPECIFIED("unspecified");
+
+    private final String value;
+
+    PublicAccessPrevention(String value) {
+      this.value = value;
+    }
+
+    public String getValue() {
+      return value;
+    }
+  }
+
   /**
    * The Bucket's IAM Configuration.
    *
    * @see <a href="https://cloud.google.com/storage/docs/uniform-bucket-level-access">uniform
    *     bucket-level access</a>
+   * @see <a
+   *     href="https://cloud.google.com/storage/docs/public-access-prevention">public-access-prevention</a>
    */
   public static class IamConfiguration implements Serializable {
     private static final long serialVersionUID = -8671736104909424616L;
 
-    private Boolean isUniformBucketLevelAccessEnabled;
-    private Long uniformBucketLevelAccessLockedTime;
+    private final Boolean isUniformBucketLevelAccessEnabled;
+    private final Long uniformBucketLevelAccessLockedTime;
+    private final PublicAccessPrevention publicAccessPrevention;
 
     @Override
     public boolean equals(Object o) {
@@ -125,12 +150,16 @@ public boolean equals(Object o) {
 
     @Override
     public int hashCode() {
-      return Objects.hash(isUniformBucketLevelAccessEnabled, uniformBucketLevelAccessLockedTime);
+      return Objects.hash(
+          isUniformBucketLevelAccessEnabled,
+          uniformBucketLevelAccessLockedTime,
+          publicAccessPrevention);
     }
 
     private IamConfiguration(Builder builder) {
       this.isUniformBucketLevelAccessEnabled = builder.isUniformBucketLevelAccessEnabled;
       this.uniformBucketLevelAccessLockedTime = builder.uniformBucketLevelAccessLockedTime;
+      this.publicAccessPrevention = builder.publicAccessPrevention;
     }
 
     public static Builder newBuilder() {
@@ -141,6 +170,7 @@ public Builder toBuilder() {
       Builder builder = new Builder();
       builder.isUniformBucketLevelAccessEnabled = isUniformBucketLevelAccessEnabled;
       builder.uniformBucketLevelAccessLockedTime = uniformBucketLevelAccessLockedTime;
+      builder.publicAccessPrevention = publicAccessPrevention;
       return builder;
     }
 
@@ -164,6 +194,11 @@ public Long getUniformBucketLevelAccessLockedTime() {
       return uniformBucketLevelAccessLockedTime;
     }
 
+    /** Returns the Public Access Prevention. * */
+    public PublicAccessPrevention getPublicAccessPrevention() {
+      return publicAccessPrevention;
+    }
+
     Bucket.IamConfiguration toPb() {
       Bucket.IamConfiguration iamConfiguration = new Bucket.IamConfiguration();
 
@@ -176,6 +211,8 @@ Bucket.IamConfiguration toPb() {
               : new DateTime(uniformBucketLevelAccessLockedTime));
 
       iamConfiguration.setUniformBucketLevelAccess(uniformBucketLevelAccess);
+      iamConfiguration.setPublicAccessPrevention(
+          publicAccessPrevention == null ? null : publicAccessPrevention.getValue());
 
       return iamConfiguration;
     }
@@ -184,17 +221,32 @@ static IamConfiguration fromPb(Bucket.IamConfiguration iamConfiguration) {
       Bucket.IamConfiguration.UniformBucketLevelAccess uniformBucketLevelAccess =
           iamConfiguration.getUniformBucketLevelAccess();
       DateTime lockedTime = uniformBucketLevelAccess.getLockedTime();
+      String publicAccessPrevention = iamConfiguration.getPublicAccessPrevention();
+
+      PublicAccessPrevention publicAccessPreventionValue = null;
+
+      try {
+        if (publicAccessPrevention != null) {
+          publicAccessPreventionValue =
+              PublicAccessPrevention.valueOf(publicAccessPrevention.toUpperCase());
+        }
+      } catch (IllegalArgumentException ex) {
+        throw new IllegalArgumentException(
+            "IamConfiguration: Received an unexpected value of " + publicAccessPrevention);
+      }
 
       return newBuilder()
           .setIsUniformBucketLevelAccessEnabled(uniformBucketLevelAccess.getEnabled())
           .setUniformBucketLevelAccessLockedTime(lockedTime == null ? null : lockedTime.getValue())
+          .setPublicAccessPrevention(publicAccessPreventionValue)
           .build();
     }
 
     /** Builder for {@code IamConfiguration} */
     public static class Builder {
       private Boolean isUniformBucketLevelAccessEnabled;
       private Long uniformBucketLevelAccessLockedTime;
+      private PublicAccessPrevention publicAccessPrevention;
 
       /** Deprecated in favor of setIsUniformBucketLevelAccessEnabled(). */
       @Deprecated
@@ -235,6 +287,18 @@ Builder setUniformBucketLevelAccessLockedTime(Long uniformBucketLevelAccessLocke
         return this;
       }
 
+      /**
+       * Sets the bucket's Public Access Prevention configuration. Currently supported options are
+       * {@link PublicAccessPrevention#UNSPECIFIED} or {@link PublicAccessPrevention#ENFORCED}
+       *
+       * @see <a
+       *     href="https://cloud.google.com/storage/docs/public-access-prevention">public-access-prevention</a>
+       */
+      public Builder setPublicAccessPrevention(PublicAccessPrevention publicAccessPrevention) {
+        this.publicAccessPrevention = publicAccessPrevention;
+        return this;
+      }
+
       /** Builds an {@code IamConfiguration} object */
       public IamConfiguration build() {
         return new IamConfiguration(this);

google-cloud-storage/src/test/java/com/google/cloud/storage/BucketInfoTest.java

@@ -20,6 +20,7 @@
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
 
 import com.google.api.client.util.DateTime;
 import com.google.api.services.storage.model.Bucket;
@@ -76,6 +77,7 @@ public class BucketInfoTest {
       BucketInfo.IamConfiguration.newBuilder()
           .setIsUniformBucketLevelAccessEnabled(true)
           .setUniformBucketLevelAccessLockedTime(System.currentTimeMillis())
+          .setPublicAccessPrevention(BucketInfo.PublicAccessPrevention.ENFORCED)
           .build();
   private static final BucketInfo.Logging LOGGING =
       BucketInfo.Logging.newBuilder()
@@ -358,11 +360,31 @@ public void testIamConfiguration() {
         BucketInfo.IamConfiguration.newBuilder()
             .setIsUniformBucketLevelAccessEnabled(true)
             .setUniformBucketLevelAccessLockedTime(System.currentTimeMillis())
+            .setPublicAccessPrevention(BucketInfo.PublicAccessPrevention.ENFORCED)
             .build()
             .toPb();
 
     assertEquals(Boolean.TRUE, iamConfiguration.getUniformBucketLevelAccess().getEnabled());
     assertNotNull(iamConfiguration.getUniformBucketLevelAccess().getLockedTime());
+    assertEquals(
+        BucketInfo.PublicAccessPrevention.ENFORCED.getValue(),
+        iamConfiguration.getPublicAccessPrevention());
+  }
+
+  @Test
+  public void testPapValueOfIamConfiguration() {
+    try {
+      Bucket.IamConfiguration iamConfiguration = new Bucket.IamConfiguration();
+      Bucket.IamConfiguration.UniformBucketLevelAccess uniformBucketLevelAccess =
+          new Bucket.IamConfiguration.UniformBucketLevelAccess();
+      iamConfiguration.setUniformBucketLevelAccess(uniformBucketLevelAccess);
+      iamConfiguration.setPublicAccessPrevention("random-string");
+      BucketInfo.IamConfiguration.fromPb(iamConfiguration);
+      fail("Expected an IllegalArgumentException when passing in a bad");
+    } catch (IllegalArgumentException ex) {
+      // expected IllegalArgumentException because random-string does not map to an enum value
+      assertTrue(ex.getMessage().contains("random-string"));
+    }
   }
 
   @Test

google-cloud-storage/src/test/java/com/google/cloud/storage/it/ITStorageTest.java

@@ -3235,6 +3235,151 @@ public void testEnableAndDisableUniformBucketLevelAccessOnExistingBucket() throw
     }
   }
 
+  private Bucket generatePublicAccessPreventionBucket(String bucketName, boolean enforced) {
+    return storage.create(
+        Bucket.newBuilder(bucketName)
+            .setIamConfiguration(
+                BucketInfo.IamConfiguration.newBuilder()
+                    .setPublicAccessPrevention(
+                        enforced
+                            ? BucketInfo.PublicAccessPrevention.ENFORCED
+                            : BucketInfo.PublicAccessPrevention.UNSPECIFIED)
+                    .build())
+            .build());
+  }
+
+  @Test
+  public void testEnforcedPublicAccessPreventionOnBucket() throws Exception {
+    String papBucket = RemoteStorageHelper.generateBucketName();
+    try {
+      Bucket bucket = generatePublicAccessPreventionBucket(papBucket, true);
+      // Making bucket public should fail.
+      try {
+        storage.setIamPolicy(
+            papBucket,
+            Policy.newBuilder()
+                .setVersion(3)
+                .setBindings(
+                    ImmutableList.<com.google.cloud.Binding>of(
+                        com.google.cloud.Binding.newBuilder()
+                            .setRole("roles/storage.objectViewer")
+                            .addMembers("allUsers")
+                            .build()))
+                .build());
+        fail("pap: expected adding allUsers policy to bucket should fail");
+      } catch (StorageException storageException) {
+        // Creating a bucket with roles/storage.objectViewer is not
+        // allowed when publicAccessPrevention is enabled.
+        assertEquals(storageException.getCode(), 412);
+      }
+
+      // Making object public via ACL should fail.
+      try {
+        // Create a public object
+        bucket.create(
+            "pap-test-object",
+            "".getBytes(),
+            Bucket.BlobTargetOption.predefinedAcl(Storage.PredefinedAcl.PUBLIC_READ));
+        fail("pap: expected adding allUsers ACL to object should fail");
+      } catch (StorageException storageException) {
+        // Creating an object with allUsers roles/storage.viewer permission
+        // is not allowed. When Public Access Prevention is enabled.
+        assertEquals(storageException.getCode(), 412);
+      }
+    } finally {
+      RemoteStorageHelper.forceDelete(storage, papBucket, 1, TimeUnit.MINUTES);
+    }
+  }
+
+  @Test
+  public void testUnspecifiedPublicAccessPreventionOnBucket() throws Exception {
+    String papBucket = RemoteStorageHelper.generateBucketName();
+    try {
+      Bucket bucket = generatePublicAccessPreventionBucket(papBucket, false);
+
+      // Now, making object public or making bucket public should succeed.
+      try {
+        // Create a public object
+        bucket.create(
+            "pap-test-object",
+            "".getBytes(),
+            Bucket.BlobTargetOption.predefinedAcl(Storage.PredefinedAcl.PUBLIC_READ));
+      } catch (StorageException storageException) {
+        fail("pap: expected adding allUsers ACL to object to succeed");
+      }
+
+      // Now, making bucket public should succeed.
+      try {
+        storage.setIamPolicy(
+            papBucket,
+            Policy.newBuilder()
+                .setVersion(3)
+                .setBindings(
+                    ImmutableList.<com.google.cloud.Binding>of(
+                        com.google.cloud.Binding.newBuilder()
+                            .setRole("roles/storage.objectViewer")
+                            .addMembers("allUsers")
+                            .build()))
+                .build());
+      } catch (StorageException storageException) {
+        fail("pap: expected adding allUsers policy to bucket to succeed");
+      }
+    } finally {
+      RemoteStorageHelper.forceDelete(storage, papBucket, 1, TimeUnit.MINUTES);
+    }
+  }
+
+  @Test
+  public void testUBLAWithPublicAccessPreventionOnBucket() throws Exception {
+    String papBucket = RemoteStorageHelper.generateBucketName();
+    try {
+      Bucket bucket = generatePublicAccessPreventionBucket(papBucket, false);
+      assertEquals(
+          bucket.getIamConfiguration().getPublicAccessPrevention(),
+          BucketInfo.PublicAccessPrevention.UNSPECIFIED);
+      assertFalse(bucket.getIamConfiguration().isUniformBucketLevelAccessEnabled());
+      assertFalse(bucket.getIamConfiguration().isBucketPolicyOnlyEnabled());
+
+      // Update PAP setting to ENFORCED and should not affect UBLA setting.
+      bucket
+          .toBuilder()
+          .setIamConfiguration(
+              bucket
+                  .getIamConfiguration()
+                  .toBuilder()
+                  .setPublicAccessPrevention(BucketInfo.PublicAccessPrevention.ENFORCED)
+                  .build())
+          .build()
+          .update();
+      bucket = storage.get(papBucket, Storage.BucketGetOption.fields(BucketField.IAMCONFIGURATION));
+      assertEquals(
+          bucket.getIamConfiguration().getPublicAccessPrevention(),
+          BucketInfo.PublicAccessPrevention.ENFORCED);
+      assertFalse(bucket.getIamConfiguration().isUniformBucketLevelAccessEnabled());
+      assertFalse(bucket.getIamConfiguration().isBucketPolicyOnlyEnabled());
+
+      // Updating UBLA should not affect PAP setting.
+      bucket =
+          bucket
+              .toBuilder()
+              .setIamConfiguration(
+                  bucket
+                      .getIamConfiguration()
+                      .toBuilder()
+                      .setIsUniformBucketLevelAccessEnabled(true)
+                      .build())
+              .build()
+              .update();
+      assertTrue(bucket.getIamConfiguration().isUniformBucketLevelAccessEnabled());
+      assertTrue(bucket.getIamConfiguration().isBucketPolicyOnlyEnabled());
+      assertEquals(
+          bucket.getIamConfiguration().getPublicAccessPrevention(),
+          BucketInfo.PublicAccessPrevention.ENFORCED);
+    } finally {
+      RemoteStorageHelper.forceDelete(storage, papBucket, 1, TimeUnit.MINUTES);
+    }
+  }
+
   @Test
   public void testUploadUsingSignedURL() throws Exception {
     String blobName = "test-signed-url-upload";