feat(bigquery): Add revokeTableOrViewAccess feawture and tests

hivanalejandro · hivanalejandro · commit 58ee72a44324 · 2025-02-17T17:40:38.000Z
diff --git a/bigquery/cloud-client/src/revokeTableOrViewAccess.js b/bigquery/cloud-client/src/revokeTableOrViewAccess.js
@@ -0,0 +1,93 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+const { BigQuery } = require("@google-cloud/bigquery");
+
+/**
+ * Revokes access to a BigQuery table or view
+ * @param {Object} params - The parameters object
+ * @param {string} params.projectId - The ID of the Google Cloud project
+ * @param {string} params.datasetId - The ID of the dataset containing the table/view
+ * @param {string} params.resourceId - The ID of the table or view
+ * @param {string} [params.memberToRevoke] - Optional. Specific member to revoke access from (e.g., 'group:example@google.com')
+ * @param {string} [params.roleToRevoke='roles/bigquery.dataViewer'] - Optional. Specific role to revoke
+ * @returns {Promise<void>}
+ */
+async function revokeTableOrViewAccess({
+    projectId,
+    datasetId,
+    resourceId,
+    memberToRevoke,
+    roleToRevoke = "roles/bigquery.dataViewer",
+}) {
+    try {
+        // Create BigQuery client
+        const bigquery = new BigQuery({
+            projectId: projectId,
+        });
+
+        // Get reference to the table or view
+        const dataset = bigquery.dataset(datasetId);
+        const table = dataset.table(resourceId);
+
+        // Get current IAM policy
+        const [policy] = await table.iam.getPolicy();
+        console.log(
+            "Current IAM Policy:",
+            JSON.stringify(policy.bindings, null, 2)
+        );
+
+        // Filter bindings based on parameters
+        let newBindings = policy.bindings;
+
+        if (memberToRevoke) {
+            // Remove specific member from specific role
+            newBindings = policy.bindings
+                .map((binding) => ({
+                    ...binding,
+                    members:
+                        binding.role === roleToRevoke
+                            ? binding.members.filter((member) => member !== memberToRevoke)
+                            : binding.members,
+                }))
+                .filter((binding) => binding.members.length > 0);
+        } else {
+            // Remove all bindings for the specified role
+            newBindings = policy.bindings.filter(
+                (binding) => binding.role !== roleToRevoke
+            );
+        }
+
+        // Create new policy with updated bindings
+        const newPolicy = {
+            bindings: newBindings,
+        };
+
+        // Set the new IAM policy
+        await table.iam.setPolicy(newPolicy);
+        console.log(`Access revoked successfully for ${resourceId}`);
+
+        // Verify the changes
+        const [updatedPolicy] = await table.iam.getPolicy();
+        console.log(
+            "Updated IAM Policy:",
+            JSON.stringify(updatedPolicy.bindings, null, 2)
+        );
+    } catch (error) {
+        console.error("Error revoking access:", error);
+        throw error;
+    }
+}
+
+module.exports = { revokeTableOrViewAccess };
diff --git a/bigquery/cloud-client/test/revokeTableOrViewAccess.test.js b/bigquery/cloud-client/test/revokeTableOrViewAccess.test.js
@@ -0,0 +1,139 @@
+const { expect } = require("chai");
+const sinon = require("sinon");
+const { BigQuery } = require("@google-cloud/bigquery");
+const { revokeTableOrViewAccess } = require("../src/revokeTableOrViewAccess");
+
+describe("revokeTableOrViewAccess", () => {
+    let bigQueryStub;
+    let tableStub;
+    let constructorStub;
+
+    beforeEach(() => {
+        // Create stubs for BigQuery client and its methods
+        tableStub = {
+            iam: {
+                getPolicy: sinon.stub(),
+                setPolicy: sinon.stub(),
+            },
+        };
+
+        const datasetStub = {
+            table: sinon.stub().returns(tableStub),
+        };
+
+        bigQueryStub = {
+            dataset: sinon.stub().returns(datasetStub),
+        };
+
+        // Stub the BigQuery constructor correctly
+        constructorStub = sinon.stub(BigQuery.prototype, "constructor");
+        constructorStub.returns(bigQueryStub);
+
+        // Stub the BigQuery class itself
+        sinon.stub(BigQuery.prototype, "dataset").returns(datasetStub);
+    });
+
+    afterEach(() => {
+        sinon.restore();
+    });
+
+    it("should revoke access for a specific member and role", async () => {
+        // Setup test data
+        const testPolicy = {
+            bindings: [
+                {
+                    role: "roles/bigquery.dataViewer",
+                    members: ["group:test@google.com", "group:other@google.com"],
+                },
+            ],
+        };
+
+        const expectedNewPolicy = {
+            bindings: [
+                {
+                    role: "roles/bigquery.dataViewer",
+                    members: ["group:other@google.com"],
+                },
+            ],
+        };
+
+        // Configure stubs
+        tableStub.iam.getPolicy.resolves([testPolicy]);
+        tableStub.iam.setPolicy.resolves([]);
+
+        // Test the function
+        await revokeTableOrViewAccess({
+            projectId: "test-project",
+            datasetId: "test-dataset",
+            resourceId: "test-table",
+            memberToRevoke: "group:test@google.com",
+            roleToRevoke: "roles/bigquery.dataViewer",
+        });
+
+        // Verify the new policy was set correctly
+        sinon.assert.calledWith(
+            tableStub.iam.setPolicy,
+            sinon.match(expectedNewPolicy)
+        );
+    });
+
+    it("should revoke all access for a specific role", async () => {
+        // Setup test data
+        const testPolicy = {
+            bindings: [
+                {
+                    role: "roles/bigquery.dataViewer",
+                    members: ["group:test@google.com"],
+                },
+                {
+                    role: "roles/bigquery.dataEditor",
+                    members: ["group:editor@google.com"],
+                },
+            ],
+        };
+
+        const expectedNewPolicy = {
+            bindings: [
+                {
+                    role: "roles/bigquery.dataEditor",
+                    members: ["group:editor@google.com"],
+                },
+            ],
+        };
+
+        // Configure stubs
+        tableStub.iam.getPolicy.resolves([testPolicy]);
+        tableStub.iam.setPolicy.resolves([]);
+
+        // Test the function
+        await revokeTableOrViewAccess({
+            projectId: "test-project",
+            datasetId: "test-dataset",
+            resourceId: "test-table",
+            roleToRevoke: "roles/bigquery.dataViewer",
+        });
+
+        // Verify the new policy was set correctly
+        sinon.assert.calledWith(
+            tableStub.iam.setPolicy,
+            sinon.match(expectedNewPolicy)
+        );
+    });
+
+    it("should handle errors appropriately", async () => {
+        // Configure stub to throw an error
+        tableStub.iam.getPolicy.rejects(new Error("Test error"));
+
+        // Test the function
+        try {
+            await revokeTableOrViewAccess({
+                projectId: "test-project",
+                datasetId: "test-dataset",
+                resourceId: "test-table",
+            });
+            expect.fail("Should have thrown an error");
+        } catch (error) {
+            expect(error.message).to.equal("Test error");
+        }
+    });
+});
