iam_policy_client.go

Documentation: cloud.google.com/go/iam/apiv1

     1  // Copyright 2024 Google LLC
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     https://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  // Code generated by protoc-gen-go_gapic. DO NOT EDIT.
    16  
    17  package iam
    18  
    19  import (
    20  	"bytes"
    21  	"context"
    22  	"fmt"
    23  	"io"
    24  	"math"
    25  	"net/http"
    26  	"net/url"
    27  
    28  	iampb "cloud.google.com/go/iam/apiv1/iampb"
    29  	gax "github.com/googleapis/gax-go/v2"
    30  	"google.golang.org/api/googleapi"
    31  	"google.golang.org/api/option"
    32  	"google.golang.org/api/option/internaloption"
    33  	gtransport "google.golang.org/api/transport/grpc"
    34  	httptransport "google.golang.org/api/transport/http"
    35  	"google.golang.org/grpc"
    36  	"google.golang.org/protobuf/encoding/protojson"
    37  )
    38  
    39  var newIamPolicyClientHook clientHook
    40  
    41  // IamPolicyCallOptions contains the retry settings for each method of IamPolicyClient.
    42  type IamPolicyCallOptions struct {
    43  	SetIamPolicy       []gax.CallOption
    44  	GetIamPolicy       []gax.CallOption
    45  	TestIamPermissions []gax.CallOption
    46  }
    47  
    48  func defaultIamPolicyGRPCClientOptions() []option.ClientOption {
    49  	return []option.ClientOption{
    50  		internaloption.WithDefaultEndpoint("iam-meta-api.googleapis.com:443"),
    51  		internaloption.WithDefaultEndpointTemplate("iam-meta-api.UNIVERSE_DOMAIN:443"),
    52  		internaloption.WithDefaultMTLSEndpoint("iam-meta-api.mtls.googleapis.com:443"),
    53  		internaloption.WithDefaultUniverseDomain("googleapis.com"),
    54  		internaloption.WithDefaultAudience("https://iam-meta-api.googleapis.com/"),
    55  		internaloption.WithDefaultScopes(DefaultAuthScopes()...),
    56  		internaloption.EnableJwtWithScope(),
    57  		option.WithGRPCDialOption(grpc.WithDefaultCallOptions(
    58  			grpc.MaxCallRecvMsgSize(math.MaxInt32))),
    59  	}
    60  }
    61  
    62  func defaultIamPolicyCallOptions() *IamPolicyCallOptions {
    63  	return &IamPolicyCallOptions{
    64  		SetIamPolicy:       []gax.CallOption{},
    65  		GetIamPolicy:       []gax.CallOption{},
    66  		TestIamPermissions: []gax.CallOption{},
    67  	}
    68  }
    69  
    70  func defaultIamPolicyRESTCallOptions() *IamPolicyCallOptions {
    71  	return &IamPolicyCallOptions{
    72  		SetIamPolicy:       []gax.CallOption{},
    73  		GetIamPolicy:       []gax.CallOption{},
    74  		TestIamPermissions: []gax.CallOption{},
    75  	}
    76  }
    77  
    78  // internalIamPolicyClient is an interface that defines the methods available from IAM Meta API.
    79  type internalIamPolicyClient interface {
    80  	Close() error
    81  	setGoogleClientInfo(...string)
    82  	Connection() *grpc.ClientConn
    83  	SetIamPolicy(context.Context, *iampb.SetIamPolicyRequest, ...gax.CallOption) (*iampb.Policy, error)
    84  	GetIamPolicy(context.Context, *iampb.GetIamPolicyRequest, ...gax.CallOption) (*iampb.Policy, error)
    85  	TestIamPermissions(context.Context, *iampb.TestIamPermissionsRequest, ...gax.CallOption) (*iampb.TestIamPermissionsResponse, error)
    86  }
    87  
    88  // IamPolicyClient is a client for interacting with IAM Meta API.
    89  // Methods, except Close, may be called concurrently. However, fields must not be modified concurrently with method calls.
    90  //
    91  // # API Overview
    92  //
    93  // Manages Identity and Access Management (IAM) policies.
    94  //
    95  // Any implementation of an API that offers access control features
    96  // implements the google.iam.v1.IAMPolicy interface.
    97  //
    98  // Data modelAccess control is applied when a principal (user or service account), takes
    99  // some action on a resource exposed by a service. Resources, identified by
   100  // URI-like names, are the unit of access control specification. Service
   101  // implementations can choose the granularity of access control and the
   102  // supported permissions for their resources.
   103  // For example one database service may allow access control to be
   104  // specified only at the Table level, whereas another might allow access control
   105  // to also be specified at the Column level.
   106  //
   107  // # Policy StructureSee google.iam.v1.Policy
   108  //
   109  // This is intentionally not a CRUD style API because access control policies
   110  // are created and deleted implicitly with the resources to which they are
   111  // attached.
   112  type IamPolicyClient struct {
   113  	// The internal transport-dependent client.
   114  	internalClient internalIamPolicyClient
   115  
   116  	// The call options for this service.
   117  	CallOptions *IamPolicyCallOptions
   118  }
   119  
   120  // Wrapper methods routed to the internal client.
   121  
   122  // Close closes the connection to the API service. The user should invoke this when
   123  // the client is no longer required.
   124  func (c *IamPolicyClient) Close() error {
   125  	return c.internalClient.Close()
   126  }
   127  
   128  // setGoogleClientInfo sets the name and version of the application in
   129  // the `x-goog-api-client` header passed on each request. Intended for
   130  // use by Google-written clients.
   131  func (c *IamPolicyClient) setGoogleClientInfo(keyval ...string) {
   132  	c.internalClient.setGoogleClientInfo(keyval...)
   133  }
   134  
   135  // Connection returns a connection to the API service.
   136  //
   137  // Deprecated: Connections are now pooled so this method does not always
   138  // return the same resource.
   139  func (c *IamPolicyClient) Connection() *grpc.ClientConn {
   140  	return c.internalClient.Connection()
   141  }
   142  
   143  // SetIamPolicy sets the access control policy on the specified resource. Replaces any
   144  // existing policy.
   145  //
   146  // Can return NOT_FOUND, INVALID_ARGUMENT, and PERMISSION_DENIED errors.
   147  func (c *IamPolicyClient) SetIamPolicy(ctx context.Context, req *iampb.SetIamPolicyRequest, opts ...gax.CallOption) (*iampb.Policy, error) {
   148  	return c.internalClient.SetIamPolicy(ctx, req, opts...)
   149  }
   150  
   151  // GetIamPolicy gets the access control policy for a resource.
   152  // Returns an empty policy if the resource exists and does not have a policy
   153  // set.
   154  func (c *IamPolicyClient) GetIamPolicy(ctx context.Context, req *iampb.GetIamPolicyRequest, opts ...gax.CallOption) (*iampb.Policy, error) {
   155  	return c.internalClient.GetIamPolicy(ctx, req, opts...)
   156  }
   157  
   158  // TestIamPermissions returns permissions that a caller has on the specified resource.
   159  // If the resource does not exist, this will return an empty set of
   160  // permissions, not a NOT_FOUND error.
   161  //
   162  // Note: This operation is designed to be used for building permission-aware
   163  // UIs and command-line tools, not for authorization checking. This operation
   164  // may “fail open” without warning.
   165  func (c *IamPolicyClient) TestIamPermissions(ctx context.Context, req *iampb.TestIamPermissionsRequest, opts ...gax.CallOption) (*iampb.TestIamPermissionsResponse, error) {
   166  	return c.internalClient.TestIamPermissions(ctx, req, opts...)
   167  }
   168  
   169  // iamPolicyGRPCClient is a client for interacting with IAM Meta API over gRPC transport.
   170  //
   171  // Methods, except Close, may be called concurrently. However, fields must not be modified concurrently with method calls.
   172  type iamPolicyGRPCClient struct {
   173  	// Connection pool of gRPC connections to the service.
   174  	connPool gtransport.ConnPool
   175  
   176  	// Points back to the CallOptions field of the containing IamPolicyClient
   177  	CallOptions **IamPolicyCallOptions
   178  
   179  	// The gRPC API client.
   180  	iamPolicyClient iampb.IAMPolicyClient
   181  
   182  	// The x-goog-* metadata to be sent with each request.
   183  	xGoogHeaders []string
   184  }
   185  
   186  // NewIamPolicyClient creates a new iam policy client based on gRPC.
   187  // The returned client must be Closed when it is done being used to clean up its underlying connections.
   188  //
   189  // # API Overview
   190  //
   191  // Manages Identity and Access Management (IAM) policies.
   192  //
   193  // Any implementation of an API that offers access control features
   194  // implements the google.iam.v1.IAMPolicy interface.
   195  //
   196  // Data modelAccess control is applied when a principal (user or service account), takes
   197  // some action on a resource exposed by a service. Resources, identified by
   198  // URI-like names, are the unit of access control specification. Service
   199  // implementations can choose the granularity of access control and the
   200  // supported permissions for their resources.
   201  // For example one database service may allow access control to be
   202  // specified only at the Table level, whereas another might allow access control
   203  // to also be specified at the Column level.
   204  //
   205  // # Policy StructureSee google.iam.v1.Policy
   206  //
   207  // This is intentionally not a CRUD style API because access control policies
   208  // are created and deleted implicitly with the resources to which they are
   209  // attached.
   210  func NewIamPolicyClient(ctx context.Context, opts ...option.ClientOption) (*IamPolicyClient, error) {
   211  	clientOpts := defaultIamPolicyGRPCClientOptions()
   212  	if newIamPolicyClientHook != nil {
   213  		hookOpts, err := newIamPolicyClientHook(ctx, clientHookParams{})
   214  		if err != nil {
   215  			return nil, err
   216  		}
   217  		clientOpts = append(clientOpts, hookOpts...)
   218  	}
   219  
   220  	connPool, err := gtransport.DialPool(ctx, append(clientOpts, opts...)...)
   221  	if err != nil {
   222  		return nil, err
   223  	}
   224  	client := IamPolicyClient{CallOptions: defaultIamPolicyCallOptions()}
   225  
   226  	c := &iamPolicyGRPCClient{
   227  		connPool:        connPool,
   228  		iamPolicyClient: iampb.NewIAMPolicyClient(connPool),
   229  		CallOptions:     &client.CallOptions,
   230  	}
   231  	c.setGoogleClientInfo()
   232  
   233  	client.internalClient = c
   234  
   235  	return &client, nil
   236  }
   237  
   238  // Connection returns a connection to the API service.
   239  //
   240  // Deprecated: Connections are now pooled so this method does not always
   241  // return the same resource.
   242  func (c *iamPolicyGRPCClient) Connection() *grpc.ClientConn {
   243  	return c.connPool.Conn()
   244  }
   245  
   246  // setGoogleClientInfo sets the name and version of the application in
   247  // the `x-goog-api-client` header passed on each request. Intended for
   248  // use by Google-written clients.
   249  func (c *iamPolicyGRPCClient) setGoogleClientInfo(keyval ...string) {
   250  	kv := append([]string{"gl-go", gax.GoVersion}, keyval...)
   251  	kv = append(kv, "gapic", getVersionClient(), "gax", gax.Version, "grpc", grpc.Version)
   252  	c.xGoogHeaders = []string{"x-goog-api-client", gax.XGoogHeader(kv...)}
   253  }
   254  
   255  // Close closes the connection to the API service. The user should invoke this when
   256  // the client is no longer required.
   257  func (c *iamPolicyGRPCClient) Close() error {
   258  	return c.connPool.Close()
   259  }
   260  
   261  // Methods, except Close, may be called concurrently. However, fields must not be modified concurrently with method calls.
   262  type iamPolicyRESTClient struct {
   263  	// The http endpoint to connect to.
   264  	endpoint string
   265  
   266  	// The http client.
   267  	httpClient *http.Client
   268  
   269  	// The x-goog-* headers to be sent with each request.
   270  	xGoogHeaders []string
   271  
   272  	// Points back to the CallOptions field of the containing IamPolicyClient
   273  	CallOptions **IamPolicyCallOptions
   274  }
   275  
   276  // NewIamPolicyRESTClient creates a new iam policy rest client.
   277  //
   278  // # API Overview
   279  //
   280  // Manages Identity and Access Management (IAM) policies.
   281  //
   282  // Any implementation of an API that offers access control features
   283  // implements the google.iam.v1.IAMPolicy interface.
   284  //
   285  // Data modelAccess control is applied when a principal (user or service account), takes
   286  // some action on a resource exposed by a service. Resources, identified by
   287  // URI-like names, are the unit of access control specification. Service
   288  // implementations can choose the granularity of access control and the
   289  // supported permissions for their resources.
   290  // For example one database service may allow access control to be
   291  // specified only at the Table level, whereas another might allow access control
   292  // to also be specified at the Column level.
   293  //
   294  // # Policy StructureSee google.iam.v1.Policy
   295  //
   296  // This is intentionally not a CRUD style API because access control policies
   297  // are created and deleted implicitly with the resources to which they are
   298  // attached.
   299  func NewIamPolicyRESTClient(ctx context.Context, opts ...option.ClientOption) (*IamPolicyClient, error) {
   300  	clientOpts := append(defaultIamPolicyRESTClientOptions(), opts...)
   301  	httpClient, endpoint, err := httptransport.NewClient(ctx, clientOpts...)
   302  	if err != nil {
   303  		return nil, err
   304  	}
   305  
   306  	callOpts := defaultIamPolicyRESTCallOptions()
   307  	c := &iamPolicyRESTClient{
   308  		endpoint:    endpoint,
   309  		httpClient:  httpClient,
   310  		CallOptions: &callOpts,
   311  	}
   312  	c.setGoogleClientInfo()
   313  
   314  	return &IamPolicyClient{internalClient: c, CallOptions: callOpts}, nil
   315  }
   316  
   317  func defaultIamPolicyRESTClientOptions() []option.ClientOption {
   318  	return []option.ClientOption{
   319  		internaloption.WithDefaultEndpoint("https://iam-meta-api.googleapis.com"),
   320  		internaloption.WithDefaultEndpointTemplate("https://iam-meta-api.UNIVERSE_DOMAIN"),
   321  		internaloption.WithDefaultMTLSEndpoint("https://iam-meta-api.mtls.googleapis.com"),
   322  		internaloption.WithDefaultUniverseDomain("googleapis.com"),
   323  		internaloption.WithDefaultAudience("https://iam-meta-api.googleapis.com/"),
   324  		internaloption.WithDefaultScopes(DefaultAuthScopes()...),
   325  	}
   326  }
   327  
   328  // setGoogleClientInfo sets the name and version of the application in
   329  // the `x-goog-api-client` header passed on each request. Intended for
   330  // use by Google-written clients.
   331  func (c *iamPolicyRESTClient) setGoogleClientInfo(keyval ...string) {
   332  	kv := append([]string{"gl-go", gax.GoVersion}, keyval...)
   333  	kv = append(kv, "gapic", getVersionClient(), "gax", gax.Version, "rest", "UNKNOWN")
   334  	c.xGoogHeaders = []string{"x-goog-api-client", gax.XGoogHeader(kv...)}
   335  }
   336  
   337  // Close closes the connection to the API service. The user should invoke this when
   338  // the client is no longer required.
   339  func (c *iamPolicyRESTClient) Close() error {
   340  	// Replace httpClient with nil to force cleanup.
   341  	c.httpClient = nil
   342  	return nil
   343  }
   344  
   345  // Connection returns a connection to the API service.
   346  //
   347  // Deprecated: This method always returns nil.
   348  func (c *iamPolicyRESTClient) Connection() *grpc.ClientConn {
   349  	return nil
   350  }
   351  func (c *iamPolicyGRPCClient) SetIamPolicy(ctx context.Context, req *iampb.SetIamPolicyRequest, opts ...gax.CallOption) (*iampb.Policy, error) {
   352  	hds := []string{"x-goog-request-params", fmt.Sprintf("%s=%v", "resource", url.QueryEscape(req.GetResource()))}
   353  
   354  	hds = append(c.xGoogHeaders, hds...)
   355  	ctx = gax.InsertMetadataIntoOutgoingContext(ctx, hds...)
   356  	opts = append((*c.CallOptions).SetIamPolicy[0:len((*c.CallOptions).SetIamPolicy):len((*c.CallOptions).SetIamPolicy)], opts...)
   357  	var resp *iampb.Policy
   358  	err := gax.Invoke(ctx, func(ctx context.Context, settings gax.CallSettings) error {
   359  		var err error
   360  		resp, err = c.iamPolicyClient.SetIamPolicy(ctx, req, settings.GRPC...)
   361  		return err
   362  	}, opts...)
   363  	if err != nil {
   364  		return nil, err
   365  	}
   366  	return resp, nil
   367  }
   368  
   369  func (c *iamPolicyGRPCClient) GetIamPolicy(ctx context.Context, req *iampb.GetIamPolicyRequest, opts ...gax.CallOption) (*iampb.Policy, error) {
   370  	hds := []string{"x-goog-request-params", fmt.Sprintf("%s=%v", "resource", url.QueryEscape(req.GetResource()))}
   371  
   372  	hds = append(c.xGoogHeaders, hds...)
   373  	ctx = gax.InsertMetadataIntoOutgoingContext(ctx, hds...)
   374  	opts = append((*c.CallOptions).GetIamPolicy[0:len((*c.CallOptions).GetIamPolicy):len((*c.CallOptions).GetIamPolicy)], opts...)
   375  	var resp *iampb.Policy
   376  	err := gax.Invoke(ctx, func(ctx context.Context, settings gax.CallSettings) error {
   377  		var err error
   378  		resp, err = c.iamPolicyClient.GetIamPolicy(ctx, req, settings.GRPC...)
   379  		return err
   380  	}, opts...)
   381  	if err != nil {
   382  		return nil, err
   383  	}
   384  	return resp, nil
   385  }
   386  
   387  func (c *iamPolicyGRPCClient) TestIamPermissions(ctx context.Context, req *iampb.TestIamPermissionsRequest, opts ...gax.CallOption) (*iampb.TestIamPermissionsResponse, error) {
   388  	hds := []string{"x-goog-request-params", fmt.Sprintf("%s=%v", "resource", url.QueryEscape(req.GetResource()))}
   389  
   390  	hds = append(c.xGoogHeaders, hds...)
   391  	ctx = gax.InsertMetadataIntoOutgoingContext(ctx, hds...)
   392  	opts = append((*c.CallOptions).TestIamPermissions[0:len((*c.CallOptions).TestIamPermissions):len((*c.CallOptions).TestIamPermissions)], opts...)
   393  	var resp *iampb.TestIamPermissionsResponse
   394  	err := gax.Invoke(ctx, func(ctx context.Context, settings gax.CallSettings) error {
   395  		var err error
   396  		resp, err = c.iamPolicyClient.TestIamPermissions(ctx, req, settings.GRPC...)
   397  		return err
   398  	}, opts...)
   399  	if err != nil {
   400  		return nil, err
   401  	}
   402  	return resp, nil
   403  }
   404  
   405  // SetIamPolicy sets the access control policy on the specified resource. Replaces any
   406  // existing policy.
   407  //
   408  // Can return NOT_FOUND, INVALID_ARGUMENT, and PERMISSION_DENIED errors.
   409  func (c *iamPolicyRESTClient) SetIamPolicy(ctx context.Context, req *iampb.SetIamPolicyRequest, opts ...gax.CallOption) (*iampb.Policy, error) {
   410  	m := protojson.MarshalOptions{AllowPartial: true, UseEnumNumbers: true}
   411  	jsonReq, err := m.Marshal(req)
   412  	if err != nil {
   413  		return nil, err
   414  	}
   415  
   416  	baseUrl, err := url.Parse(c.endpoint)
   417  	if err != nil {
   418  		return nil, err
   419  	}
   420  	baseUrl.Path += fmt.Sprintf("/v1/%v:setIamPolicy", req.GetResource())
   421  
   422  	params := url.Values{}
   423  	params.Add("$alt", "json;enum-encoding=int")
   424  
   425  	baseUrl.RawQuery = params.Encode()
   426  
   427  	// Build HTTP headers from client and context metadata.
   428  	hds := []string{"x-goog-request-params", fmt.Sprintf("%s=%v", "resource", url.QueryEscape(req.GetResource()))}
   429  
   430  	hds = append(c.xGoogHeaders, hds...)
   431  	hds = append(hds, "Content-Type", "application/json")
   432  	headers := gax.BuildHeaders(ctx, hds...)
   433  	opts = append((*c.CallOptions).SetIamPolicy[0:len((*c.CallOptions).SetIamPolicy):len((*c.CallOptions).SetIamPolicy)], opts...)
   434  	unm := protojson.UnmarshalOptions{AllowPartial: true, DiscardUnknown: true}
   435  	resp := &iampb.Policy{}
   436  	e := gax.Invoke(ctx, func(ctx context.Context, settings gax.CallSettings) error {
   437  		if settings.Path != "" {
   438  			baseUrl.Path = settings.Path
   439  		}
   440  		httpReq, err := http.NewRequest("POST", baseUrl.String(), bytes.NewReader(jsonReq))
   441  		if err != nil {
   442  			return err
   443  		}
   444  		httpReq = httpReq.WithContext(ctx)
   445  		httpReq.Header = headers
   446  
   447  		httpRsp, err := c.httpClient.Do(httpReq)
   448  		if err != nil {
   449  			return err
   450  		}
   451  		defer httpRsp.Body.Close()
   452  
   453  		if err = googleapi.CheckResponse(httpRsp); err != nil {
   454  			return err
   455  		}
   456  
   457  		buf, err := io.ReadAll(httpRsp.Body)
   458  		if err != nil {
   459  			return err
   460  		}
   461  
   462  		if err := unm.Unmarshal(buf, resp); err != nil {
   463  			return err
   464  		}
   465  
   466  		return nil
   467  	}, opts...)
   468  	if e != nil {
   469  		return nil, e
   470  	}
   471  	return resp, nil
   472  }
   473  
   474  // GetIamPolicy gets the access control policy for a resource.
   475  // Returns an empty policy if the resource exists and does not have a policy
   476  // set.
   477  func (c *iamPolicyRESTClient) GetIamPolicy(ctx context.Context, req *iampb.GetIamPolicyRequest, opts ...gax.CallOption) (*iampb.Policy, error) {
   478  	m := protojson.MarshalOptions{AllowPartial: true, UseEnumNumbers: true}
   479  	jsonReq, err := m.Marshal(req)
   480  	if err != nil {
   481  		return nil, err
   482  	}
   483  
   484  	baseUrl, err := url.Parse(c.endpoint)
   485  	if err != nil {
   486  		return nil, err
   487  	}
   488  	baseUrl.Path += fmt.Sprintf("/v1/%v:getIamPolicy", req.GetResource())
   489  
   490  	params := url.Values{}
   491  	params.Add("$alt", "json;enum-encoding=int")
   492  
   493  	baseUrl.RawQuery = params.Encode()
   494  
   495  	// Build HTTP headers from client and context metadata.
   496  	hds := []string{"x-goog-request-params", fmt.Sprintf("%s=%v", "resource", url.QueryEscape(req.GetResource()))}
   497  
   498  	hds = append(c.xGoogHeaders, hds...)
   499  	hds = append(hds, "Content-Type", "application/json")
   500  	headers := gax.BuildHeaders(ctx, hds...)
   501  	opts = append((*c.CallOptions).GetIamPolicy[0:len((*c.CallOptions).GetIamPolicy):len((*c.CallOptions).GetIamPolicy)], opts...)
   502  	unm := protojson.UnmarshalOptions{AllowPartial: true, DiscardUnknown: true}
   503  	resp := &iampb.Policy{}
   504  	e := gax.Invoke(ctx, func(ctx context.Context, settings gax.CallSettings) error {
   505  		if settings.Path != "" {
   506  			baseUrl.Path = settings.Path
   507  		}
   508  		httpReq, err := http.NewRequest("POST", baseUrl.String(), bytes.NewReader(jsonReq))
   509  		if err != nil {
   510  			return err
   511  		}
   512  		httpReq = httpReq.WithContext(ctx)
   513  		httpReq.Header = headers
   514  
   515  		httpRsp, err := c.httpClient.Do(httpReq)
   516  		if err != nil {
   517  			return err
   518  		}
   519  		defer httpRsp.Body.Close()
   520  
   521  		if err = googleapi.CheckResponse(httpRsp); err != nil {
   522  			return err
   523  		}
   524  
   525  		buf, err := io.ReadAll(httpRsp.Body)
   526  		if err != nil {
   527  			return err
   528  		}
   529  
   530  		if err := unm.Unmarshal(buf, resp); err != nil {
   531  			return err
   532  		}
   533  
   534  		return nil
   535  	}, opts...)
   536  	if e != nil {
   537  		return nil, e
   538  	}
   539  	return resp, nil
   540  }
   541  
   542  // TestIamPermissions returns permissions that a caller has on the specified resource.
   543  // If the resource does not exist, this will return an empty set of
   544  // permissions, not a NOT_FOUND error.
   545  //
   546  // Note: This operation is designed to be used for building permission-aware
   547  // UIs and command-line tools, not for authorization checking. This operation
   548  // may “fail open” without warning.
   549  func (c *iamPolicyRESTClient) TestIamPermissions(ctx context.Context, req *iampb.TestIamPermissionsRequest, opts ...gax.CallOption) (*iampb.TestIamPermissionsResponse, error) {
   550  	m := protojson.MarshalOptions{AllowPartial: true, UseEnumNumbers: true}
   551  	jsonReq, err := m.Marshal(req)
   552  	if err != nil {
   553  		return nil, err
   554  	}
   555  
   556  	baseUrl, err := url.Parse(c.endpoint)
   557  	if err != nil {
   558  		return nil, err
   559  	}
   560  	baseUrl.Path += fmt.Sprintf("/v1/%v:testIamPermissions", req.GetResource())
   561  
   562  	params := url.Values{}
   563  	params.Add("$alt", "json;enum-encoding=int")
   564  
   565  	baseUrl.RawQuery = params.Encode()
   566  
   567  	// Build HTTP headers from client and context metadata.
   568  	hds := []string{"x-goog-request-params", fmt.Sprintf("%s=%v", "resource", url.QueryEscape(req.GetResource()))}
   569  
   570  	hds = append(c.xGoogHeaders, hds...)
   571  	hds = append(hds, "Content-Type", "application/json")
   572  	headers := gax.BuildHeaders(ctx, hds...)
   573  	opts = append((*c.CallOptions).TestIamPermissions[0:len((*c.CallOptions).TestIamPermissions):len((*c.CallOptions).TestIamPermissions)], opts...)
   574  	unm := protojson.UnmarshalOptions{AllowPartial: true, DiscardUnknown: true}
   575  	resp := &iampb.TestIamPermissionsResponse{}
   576  	e := gax.Invoke(ctx, func(ctx context.Context, settings gax.CallSettings) error {
   577  		if settings.Path != "" {
   578  			baseUrl.Path = settings.Path
   579  		}
   580  		httpReq, err := http.NewRequest("POST", baseUrl.String(), bytes.NewReader(jsonReq))
   581  		if err != nil {
   582  			return err
   583  		}
   584  		httpReq = httpReq.WithContext(ctx)
   585  		httpReq.Header = headers
   586  
   587  		httpRsp, err := c.httpClient.Do(httpReq)
   588  		if err != nil {
   589  			return err
   590  		}
   591  		defer httpRsp.Body.Close()
   592  
   593  		if err = googleapi.CheckResponse(httpRsp); err != nil {
   594  			return err
   595  		}
   596  
   597  		buf, err := io.ReadAll(httpRsp.Body)
   598  		if err != nil {
   599  			return err
   600  		}
   601  
   602  		if err := unm.Unmarshal(buf, resp); err != nil {
   603  			return err
   604  		}
   605  
   606  		return nil
   607  	}, opts...)
   608  	if e != nil {
   609  		return nil, e
   610  	}
   611  	return resp, nil
   612  }
   613
View as plain text