googleapis · JustinBeckwith · Jan 15, 2019 · Dec 11, 2018 · Dec 11, 2018 · Dec 14, 2018
diff --git a/samples/buckets.js b/samples/buckets.js
@@ -110,6 +110,84 @@ async function enableDefaultKMSKey(bucketName, defaultKmsKeyName) {
   // [END storage_set_bucket_default_kms_key]
 }
 
+async function enableBucketPolicyOnly(bucketName) {
+  // [START storage_enable_bucket_policy_only]
+  // Imports the Google Cloud client library
+  const {Storage} = require('@google-cloud/storage');
+
+  // Creates a client
+  const storage = new Storage();
+
+  /**
+   * TODO(developer): Uncomment the following lines before running the sample.
+   */
+  // const bucketName = 'Name of a bucket, e.g. my-bucket';
+
+  // Enables Bucket Policy Only for the bucket
+  await storage.bucket(bucketName).setMetadata({
+    iamConfiguration: {
+      bucketPolicyOnly: {
+        enabled: true,
+      },
+    },
+  });
+
+  console.log(`Bucket Policy Only was enabled for ${bucketName}.`);
+  // [END storage_enable_bucket_policy_only]
+}
+
+async function disableBucketPolicyOnly(bucketName) {
+  // [START storage_disable_bucket_policy_only]
+  // Imports the Google Cloud client library
+  const {Storage} = require('@google-cloud/storage');
+
+  // Creates a client
+  const storage = new Storage();
+
+  /**
+   * TODO(developer): Uncomment the following lines before running the sample.
+   */
+  // const bucketName = 'Name of a bucket, e.g. my-bucket';
+
+  // Disables Bucket Policy Only for the bucket
+  await storage.bucket(bucketName).setMetadata({
+    iamConfiguration: {
+      bucketPolicyOnly: {
+        enabled: false,
+      },
+    },
+  });
+
+  console.log(`Bucket Policy Only was disabled for ${bucketName}.`);
+  // [END storage_disable_bucket_policy_only]
+}
+
+async function getBucketPolicyOnly(bucketName) {
+  // [START storage_get_bucket_policy_only]
+  // Imports the Google Cloud client library
+  const {Storage} = require('@google-cloud/storage');
+
+  // Creates a client
+  const storage = new Storage();
+
+  /**
+   * TODO(developer): Uncomment the following lines before running the sample.
+   */
+  // const bucketName = 'Name of a bucket, e.g. my-bucket';
+
+  // Gets Bucket Metadata and checks if BucketPolicyOnly is enabled.
+  const [metadata] = await storage.bucket(bucketName).getMetadata();
+
+  if (metadata.hasOwnProperty('iamConfiguration')) {
+    const bucketPolicyOnly = metadata.iamConfiguration.bucketPolicyOnly;
+    console.log(`Bucket Policy Only is enabled for ${bucketName}.`);
+    console.log(`Bucket will be locked on ${bucketPolicyOnly.lockedTime}.`);
+  } else {
+    console.log(`Bucket Policy Only is not enabled for ${bucketName}.`);
+  }
+  // [END storage_get_bucket_policy_only]
+}
+
 require(`yargs`)
   .demand(1)
   .command(`create <bucket>`, `Creates a new bucket.`, {}, opts =>
@@ -122,6 +200,24 @@ require(`yargs`)
     {},
     opts => enableDefaultKMSKey(opts.bucket, opts.defaultKmsKeyName)
   )
+  .command(
+    `enable-bucket-policy-only <bucket>`,
+    `Enables Bucket Policy Only for the specified bucket.`,
+    {},
+    opts => enableBucketPolicyOnly(opts.bucket)
+  )
+  .command(
+    `disable-bucket-policy-only <bucket>`,
+    `Disables Bucket Policy Only for the specified bucket.`,
+    {},
+    opts => disableBucketPolicyOnly(opts.bucket)
+  )
+  .command(
+    `get-bucket-policy-only <bucket>`,
+    `Get Bucket Policy Only metadata for the specified bucket.`,
+    {},
+    opts => getBucketPolicyOnly(opts.bucket)
+  )
   .command(`delete <bucket>`, `Deletes a bucket.`, {}, opts =>
     deleteBucket(opts.bucket)
   )
@@ -134,6 +230,18 @@ require(`yargs`)
     `node $0 enable-default-kms-key my-bucket my-key`,
     `Sets the default KMS key for my-bucket.`
   )
+  .example(
+    `node $0 enable-bucket-policy-only my-bucket`,
+    `Enables Bucket Policy Only for my-bucket.`
+  )
+  .example(
+    `node $0 disable-bucket-policy-only my-bucket`,
+    `Disables Bucket Policy Only for my-bucket.`
+  )
+  .example(
+    `node $0 get-bucket-policy-only my-bucket`,
+    `Get Bucket Policy Only metadata for my-bucket.`
+  )
   .example(`node $0 delete my-bucket`, `Deletes a bucket named "my-bucket".`)
   .wrap(120)
   .recommendCommands()

diff --git a/samples/system-test/buckets.test.js b/samples/system-test/buckets.test.js
@@ -86,6 +86,68 @@ it(`should set a bucket's default KMS key`, async () => {
   );
 });
 
+it(`should enable a bucket's Bucket Policy Only`, async () => {
+  // Remove the following setMetadata request after prod fix is released.
+  await bucket.setMetadata(
+    {defaultObjectAcl: null},
+    {predefinedDefaultObjectAcl: 'private'}
+  );
+
+  const results = await tools.runAsyncWithIO(
+    `${cmd} enable-bucket-policy-only ${bucketName}`,
+    cwd
+  );
+  assert.strictEqual(
+    (results.stdout + results.stderr).includes(
+      `Bucket Policy Only was enabled for ${bucketName}.`
+    ),
+    true
+  );
+  const metadata = await bucket.getMetadata();
+  assert.strictEqual(
+    metadata[0].iamConfiguration.bucketPolicyOnly.enabled,
+    true
+  );
+});
+
+it(`should get a bucket's Bucket Policy Only metadata`, async () => {
+  const results = await tools.runAsyncWithIO(
+    `${cmd} get-bucket-policy-only ${bucketName}`,
+    cwd
+  );
+
+  assert.strictEqual(
+    (results.stdout + results.stderr).includes(
+      `Bucket Policy Only is enabled for ${bucketName}.`
+    ),
+    true
+  );
+  const [metadata] = await bucket.getMetadata();
+  assert.strictEqual(metadata.iamConfiguration.bucketPolicyOnly.enabled, true);
+  assert.strictEqual(
+    metadata.iamConfiguration.bucketPolicyOnly.lockedTime !== null,
+    true
+  );
+});
+
+it(`should disable a bucket's Bucket Policy Only`, async () => {
+  const results = await tools.runAsyncWithIO(
+    `${cmd} disable-bucket-policy-only ${bucketName}`,
+    cwd
+  );
+  assert.strictEqual(
+    (results.stdout + results.stderr).includes(
+      `Bucket Policy Only was disabled for ${bucketName}.`
+    ),
+    true
+  );
+  const metadata = await bucket.getMetadata();
+  assert.strictEqual(
+    metadata[0].iamConfiguration.bucketPolicyOnly.enabled,
+    false
+  );
+});
+
 it(`should delete a bucket`, async () => {
   const results = await tools.runAsyncWithIO(
     `${cmd} delete ${bucketName}`,