feat(Spanner): Add FGAC Samples (GoogleCloudPlatform#1766)

Author: ajupazhamayil

spanner/src/add_drop_database_role.php

@@ -52,22 +52,20 @@ function add_drop_database_role(string $instanceId, string $databaseId): void
         sprintf('GRANT ROLE %s TO ROLE %s', $roleParent, $roleChild)
     ]);
 
-    printf('Waiting for create role and grant operation to complete... %s', PHP_EOL);
+    printf('Waiting for create role and grant operation to complete...%s', PHP_EOL);
     $operation->pollUntilComplete();
 
-    printf('Created roles %s and %s and granted privileges %s', $roleParent, $roleChild, PHP_EOL);
+    printf('Created roles %s and %s and granted privileges%s', $roleParent, $roleChild, PHP_EOL);
 
     $operation = $database->updateDdlBatch([
         sprintf('REVOKE ROLE %s FROM ROLE %s', $roleParent, $roleChild),
-        sprintf('DROP ROLE %s', $roleChild),
-        sprintf('REVOKE SELECT ON TABLE Singers FROM ROLE %s', $roleParent),
-        sprintf('DROP ROLE %s', $roleParent)
+        sprintf('DROP ROLE %s', $roleChild)
     ]);
 
-    printf('Waiting for revoke role and drop role operation to complete... %s', PHP_EOL);
+    printf('Waiting for revoke role and drop role operation to complete...%s', PHP_EOL);
     $operation->pollUntilComplete();
 
-    printf('Revoked privileges and dropped roles %s and %s %s', $roleChild, $roleParent, PHP_EOL);
+    printf('Revoked privileges and dropped role %s%s', $roleChild, PHP_EOL);
 }
 // [END spanner_add_and_drop_database_role]
 

spanner/src/enable_fine_grained_access.php

@@ -0,0 +1,81 @@
+<?php
+/**
+ * Copyright 2023 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * For instructions on how to run the full sample:
+ *
+ * @see https://github.com/GoogleCloudPlatform/php-docs-samples/tree/main/spanner/README.md
+ */
+
+namespace Google\Cloud\Samples\Spanner;
+
+// [START spanner_enable_fine_grained_access]
+use Google\Cloud\Spanner\Admin\Database\V1\DatabaseAdminClient;
+use \Google\Cloud\Iam\V1\Binding;
+use \Google\Type\Expr;
+
+/**
+ * Enable Fine Grained Access.
+ * Example:
+ * ```
+ * enable_fine_grained_access($projectId, $instanceId, $databaseId, $iamMember, $databaseRole, $title);
+ * ```
+ *
+ * @param string $projectId The Google cloud project ID
+ * @param string $instanceId The Spanner instance ID.
+ * @param string $databaseId The Spanner database ID.
+ * @param string $iamMember The IAM member. Eg: `user:{emailid}`,
+ *        `serviceAccount:{emailid}`, `group:{emailid}`, `domain:{domain}`
+ * @param string $databaseRole The database role bound to
+ *        the IAM member.
+ * @param string $title Condition title.
+ */
+function enable_fine_grained_access(
+    string $projectId,
+    string $instanceId,
+    string $databaseId,
+    string $iamMember,
+    string $databaseRole,
+    string $title
+): void {
+    $adminClient = new DatabaseAdminClient();
+    $resource = sprintf('projects/%s/instances/%s/databases/%s', $projectId, $instanceId, $databaseId);
+    $policy = $adminClient->getIamPolicy($resource);
+
+    // IAM conditions need at least version 3
+    if ($policy->getVersion() != 3) {
+        $policy->setVersion(3);
+    }
+
+    $binding = new Binding([
+        'role' => 'roles/spanner.fineGrainedAccessUser',
+        'members' => [$iamMember],
+        'condition' => new Expr([
+            'title' => $title,
+            'expression' => sprintf("resource.name.endsWith('/databaseRoles/%s')", $databaseRole)
+        ])
+    ]);
+    $policy->setBindings([$binding]);
+    $adminClient->setIamPolicy($resource, $policy);
+
+    printf('Enabled fine-grained access in IAM' . PHP_EOL);
+}
+// [END spanner_enable_fine_grained_access]
+
+// The following 2 lines are only needed to run the samples
+require_once __DIR__ . '/../../testing/sample_helpers.php';
+\Google\Cloud\Samples\execute_sample(__FILE__, __NAMESPACE__, $argv);

spanner/src/list_database_roles.php

@@ -0,0 +1,58 @@
+<?php
+/**
+ * Copyright 2023 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * For instructions on how to run the full sample:
+ *
+ * @see https://github.com/GoogleCloudPlatform/php-docs-samples/tree/main/spanner/README.md
+ */
+
+namespace Google\Cloud\Samples\Spanner;
+
+// [START spanner_list_database_roles]
+use Google\Cloud\Spanner\Admin\Database\V1\DatabaseAdminClient;
+
+/**
+ * List Database roles in the given database.
+ * Example:
+ * ```
+ * list_database_roles($projectId, $instanceId, $databaseId);
+ * ```
+ *
+ * @param string $projectId The Google cloud project ID
+ * @param string $instanceId The Spanner instance ID.
+ * @param string $databaseId The Spanner database ID.
+ */
+function list_database_roles(
+    string $projectId,
+    string $instanceId,
+    string $databaseId
+): void {
+    $adminClient = new DatabaseAdminClient();
+    $resource = sprintf('projects/%s/instances/%s/databases/%s', $projectId, $instanceId, $databaseId);
+
+    $roles = $adminClient->listDatabaseRoles($resource);
+    printf('List of Database roles:' . PHP_EOL);
+    foreach ($roles as $role) {
+        printf($role->getName() . PHP_EOL);
+    }
+}
+// [END spanner_list_database_roles]
+
+// The following 2 lines are only needed to run the samples
+require_once __DIR__ . '/../../testing/sample_helpers.php';
+\Google\Cloud\Samples\execute_sample(__FILE__, __NAMESPACE__, $argv);

spanner/src/read_data_with_database_role.php

@@ -0,0 +1,55 @@
+<?php
+/**
+ * Copyright 2023 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * For instructions on how to run the full sample:
+ *
+ * @see https://github.com/GoogleCloudPlatform/php-docs-samples/tree/main/spanner/README.md
+ */
+
+namespace Google\Cloud\Samples\Spanner;
+
+// [START spanner_read_data_with_database_role]
+use Google\Cloud\Spanner\SpannerClient;
+
+/**
+ * Read database with a database role.
+ * Example:
+ * ```
+ * read_data_with_database_role($instanceId, $databaseId);
+ * ```
+ *
+ * @param string $instanceId The Spanner instance ID.
+ * @param string $databaseId The Spanner database ID.
+ */
+function read_data_with_database_role(string $instanceId, string $databaseId): void
+{
+    $spanner = new SpannerClient();
+    $databaseRole = 'new_parent';
+    $instance = $spanner->instance($instanceId);
+    $database = $instance->database($databaseId, ['databaseRole' => $databaseRole]);
+    $results = $database->execute('SELECT * FROM Singers');
+
+    foreach ($results as $row) {
+        printf('SingerId: %s, Firstname: %s, LastName: %s' . PHP_EOL, $row['SingerId'], $row['FirstName'], $row['LastName']);
+    }
+}
+// [END spanner_read_data_with_database_role]
+
+// The following 2 lines are only needed to run the samples
+require_once __DIR__ . '/../../testing/sample_helpers.php';
+\Google\Cloud\Samples\execute_sample(__FILE__, __NAMESPACE__, $argv);

spanner/test/spannerTest.php

@@ -24,6 +24,9 @@
 use Google\Cloud\TestUtils\TestTrait;
 use PHPUnitRetry\RetryTrait;
 use PHPUnit\Framework\TestCase;
+use Google\Auth\ApplicationDefaultCredentials;
+use GuzzleHttp\Client;
+use GuzzleHttp\HandlerStack;
 
 /**
  * @retryAttempts 3
@@ -95,6 +98,12 @@ class spannerTest extends TestCase
     /** @var InstanceConfiguration $customInstanceConfig */
     protected static $customInstanceConfig;
 
+    /** @var string $databaseRole */
+    protected static $databaseRole;
+
+    /** @var string serviceAccountEmail */
+    protected static $serviceAccountEmail = null;
+
     public static function setUpBeforeClass(): void
     {
         self::checkProjectEnvVars();
@@ -126,6 +135,7 @@ public static function setUpBeforeClass(): void
         self::$baseConfigId = 'nam7';
         self::$customInstanceConfigId = 'custom-' . time() . rand();
         self::$customInstanceConfig = $spanner->instanceConfiguration(self::$customInstanceConfigId);
+        self::$databaseRole = 'new_parent';
     }
 
     public function testCreateInstance()
@@ -932,10 +942,50 @@ public function testDmlReturningDelete()
     public function testAddDropDatabaseRole()
     {
         $output = $this->runFunctionSnippet('add_drop_database_role');
-        $this->assertStringContainsString('Waiting for create role and grant operation to complete... ' . PHP_EOL, $output);
-        $this->assertStringContainsString('Created roles new_parent and new_child and granted privileges ' . PHP_EOL, $output);
-        $this->assertStringContainsString('Waiting for revoke role and drop role operation to complete... ' . PHP_EOL, $output);
-        $this->assertStringContainsString('Revoked privileges and dropped roles new_child and new_parent ' . PHP_EOL, $output);
+        $this->assertStringContainsString('Waiting for create role and grant operation to complete...' . PHP_EOL, $output);
+        $this->assertStringContainsString('Created roles new_parent and new_child and granted privileges' . PHP_EOL, $output);
+        $this->assertStringContainsString('Waiting for revoke role and drop role operation to complete...' . PHP_EOL, $output);
+        $this->assertStringContainsString('Revoked privileges and dropped role new_child' . PHP_EOL, $output);
+    }
+
+    /**
+     * @depends testAddDropDatabaseRole
+     */
+    public function testListDatabaseRoles()
+    {
+        $output = $this->runFunctionSnippet('list_database_roles', [
+            self::$projectId,
+            self::$instanceId,
+            self::$databaseId
+        ]);
+        $this->assertStringContainsString(sprintf('databaseRoles/%s', self::$databaseRole), $output);
+    }
+
+    /**
+     * @depends testAddDropDatabaseRole
+     * @depends testInsertDataWithDml
+     */
+    public function testReadDataWithDatabaseRole()
+    {
+        $output = $this->runFunctionSnippet('read_data_with_database_role');
+        $this->assertStringContainsString('SingerId: 10, Firstname: Virginia, LastName: Watson', $output);
+    }
+
+    /**
+     * depends testAddDropDatabaseRole
+     */
+    public function testEnableFineGrainedAccess()
+    {
+        self::$serviceAccountEmail = $this->createServiceAccount(str_shuffle('testSvcAcnt'));
+        $output = $this->runFunctionSnippet('enable_fine_grained_access', [
+            self::$projectId,
+            self::$instanceId,
+            self::$databaseId,
+            sprintf('serviceAccount:%s', self::$serviceAccountEmail),
+            self::$databaseRole,
+            'DatabaseRoleBindingTitle'
+        ]);
+        $this->assertStringContainsString('Enabled fine-grained access in IAM', $output);
     }
 
     /**
@@ -1029,6 +1079,49 @@ private function runFunctionSnippet($sampleName, $params = [])
         );
     }
 
+    private function createServiceAccount($serviceAccountId)
+    {
+        $client = self::getIamHttpClient();
+        // make the request
+        $response = $client->post('/v1/projects/' . self::$projectId . '/serviceAccounts', [
+            'json' => [
+                'accountId' => $serviceAccountId,
+                'serviceAccount' => [
+                    'displayName' => 'Test Service Account',
+                    'description' => 'This account should be deleted automatically after the unit tests complete.'
+                ]
+            ]
+        ]);
+
+        return json_decode($response->getBody())->email;
+    }
+
+    public static function deleteServiceAccount($serviceAccountEmail)
+    {
+        $client = self::getIamHttpClient();
+        // make the request
+        $client->delete('/v1/projects/' . self::$projectId . '/serviceAccounts/' . $serviceAccountEmail);
+    }
+
+    private static function getIamHttpClient()
+    {
+        // TODO: When this method is exposed in googleapis/google-cloud-php, remove the use of the following
+        $scopes = ['https://www.googleapis.com/auth/cloud-platform'];
+
+        // create middleware
+        $middleware = ApplicationDefaultCredentials::getMiddleware($scopes);
+        $stack = HandlerStack::create();
+        $stack->push($middleware);
+
+        // create the HTTP client
+        $client = new Client([
+            'handler' => $stack,
+            'base_uri' => 'https://iam.googleapis.com',
+            'auth' => 'google_auth'  // authorize all requests
+        ]);
+        return $client;
+    }
+
     public static function tearDownAfterClass(): void
     {
         if (self::$instance->exists()) {// Clean up database
@@ -1042,5 +1135,8 @@ public static function tearDownAfterClass(): void
         if (self::$customInstanceConfig->exists()) {
             self::$customInstanceConfig->delete();
         }
+        if (!is_null(self::$serviceAccountEmail)) {
+            self::deleteServiceAccount(self::$serviceAccountEmail);
+        }
     }
 }