feat: implement InstanceAdminClient::GetIamPolicy (#609)

Add the function, the usual integration test, unit tests, and a simple
example.

Author: coryan

google/cloud/spanner/instance_admin_client.cc

@@ -28,6 +28,11 @@ ListInstancesRange InstanceAdminClient::ListInstances(std::string project_id,
   return conn_->ListInstances({std::move(project_id), std::move(filter)});
 }
 
+StatusOr<google::iam::v1::Policy> InstanceAdminClient::GetIamPolicy(
+    Instance const& in) {
+  return conn_->GetIamPolicy({in.FullName()});
+}
+
 StatusOr<google::iam::v1::TestIamPermissionsResponse>
 InstanceAdminClient::TestIamPermissions(Instance const& in,
                                         std::vector<std::string> permissions) {

google/cloud/spanner/instance_admin_client.h

@@ -112,6 +112,29 @@ class InstanceAdminClient {
    */
   ListInstancesRange ListInstances(std::string project_id, std::string filter);
 
+  /**
+   * Get the IAM policy in effect for the given instance.
+   *
+   * This function retrieves the IAM policy configured in the given instance,
+   * that is, which roles are enabled in the instance, and what entities are
+   * members of each role.
+   *
+   * @par Idempotency
+   * This is a read-only operation and therefore it is always treated as
+   * idempotent.
+   *
+   * @par Example
+   * @snippet samples.cc instance-get-iam-policy
+   *
+   * @see The [Cloud Spanner
+   *     documentation](https://cloud.google.com/spanner/docs/iam) for a
+   *     description of the roles and permissions supported by Cloud Spanner.
+   * @see [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions)
+   *     for an introduction to Identity and Access Management in Google Cloud
+   *     Platform.
+   */
+  StatusOr<google::iam::v1::Policy> GetIamPolicy(Instance const& in);
+
   /**
    * Get the subset of the permissions the caller has on the given instance.
    *

google/cloud/spanner/instance_admin_client_test.cc

@@ -93,6 +93,20 @@ TEST(InstanceAdminClientTest, ListInstances) {
   EXPECT_EQ(StatusCode::kPermissionDenied, begin->status().code());
 }
 
+TEST(InstanceAdminClientTest, GetIamPolicy) {
+  auto mock = std::make_shared<MockInstanceAdminConnection>();
+  EXPECT_CALL(*mock, GetIamPolicy(_))
+      .WillOnce([](InstanceAdminConnection::GetIamPolicyParams const& p) {
+        EXPECT_EQ("projects/test-project/instances/test-instance",
+                  p.instance_name);
+        return Status(StatusCode::kPermissionDenied, "uh-oh");
+      });
+
+  InstanceAdminClient client(mock);
+  auto actual = client.GetIamPolicy(Instance("test-project", "test-instance"));
+  EXPECT_EQ(StatusCode::kPermissionDenied, actual.status().code());
+}
+
 TEST(InstanceAdminClientTest, TestIamPermissions) {
   auto mock = std::make_shared<MockInstanceAdminConnection>();
   EXPECT_CALL(*mock, TestIamPermissions(_))

google/cloud/spanner/instance_admin_connection.cc

@@ -56,6 +56,14 @@ class InstanceAdminConnectionImpl : public InstanceAdminConnection {
         });
   }
 
+  StatusOr<google::iam::v1::Policy> GetIamPolicy(
+      GetIamPolicyParams p) override {
+    google::iam::v1::GetIamPolicyRequest request;
+    request.set_resource(std::move(p.instance_name));
+    grpc::ClientContext context;
+    return stub_->GetIamPolicy(context, request);
+  }
+
   StatusOr<google::iam::v1::TestIamPermissionsResponse> TestIamPermissions(
       TestIamPermissionsParams p) override {
     google::iam::v1::TestIamPermissionsRequest request;

google/cloud/spanner/instance_admin_connection.h

@@ -95,6 +95,11 @@ class InstanceAdminConnection {
     std::string filter;
   };
 
+  /// Wrap the arguments for `GetIamPolicy()`.
+  struct GetIamPolicyParams {
+    std::string instance_name;
+  };
+
   /// Wrap the arguments for `TestIamPermissions()`.
   struct TestIamPermissionsParams {
     std::string instance_name;
@@ -112,6 +117,11 @@ class InstanceAdminConnection {
    */
   virtual ListInstancesRange ListInstances(ListInstancesParams params) = 0;
 
+  /// Define the interface for a
+  /// google.spanner.v1.DatabaseAdmin.GetIamPolicy RPC.
+  virtual StatusOr<google::iam::v1::Policy> GetIamPolicy(
+      GetIamPolicyParams) = 0;
+
   /// Define the interface for a
   /// google.spanner.v1.DatabaseAdmin.TestIamPermissions RPC.
   virtual StatusOr<google::iam::v1::TestIamPermissionsResponse>

google/cloud/spanner/instance_admin_connection_test.cc

@@ -170,6 +170,58 @@ TEST(InstanceAdminConnectionTest, ListInstances_TooManyTransients) {
   EXPECT_EQ(StatusCode::kUnavailable, begin->status().code());
 }
 
+TEST(InstanceAdminConnectionTest, GetIamPolicy_Success) {
+  std::string const expected_name =
+      "projects/test-project/instances/test-instance";
+
+  auto mock = std::make_shared<spanner_testing::MockInstanceAdminStub>();
+  EXPECT_CALL(*mock, GetIamPolicy(_, _))
+      .WillOnce(
+          Invoke([&expected_name](grpc::ClientContext&,
+                                  giam::GetIamPolicyRequest const& request) {
+            EXPECT_EQ(expected_name, request.resource());
+            return Status(StatusCode::kUnavailable, "try-again");
+          }))
+      .WillOnce(
+          Invoke([&expected_name](grpc::ClientContext&,
+                                  giam::GetIamPolicyRequest const& request) {
+            EXPECT_EQ(expected_name, request.resource());
+            giam::Policy response;
+            auto& binding = *response.add_bindings();
+            binding.set_role("roles/spanner.databaseReader");
+            binding.add_members("user:[email protected]");
+            return response;
+          }));
+
+  auto conn = MakeTestConnection(mock);
+  auto actual = conn->GetIamPolicy({expected_name});
+  ASSERT_STATUS_OK(actual);
+  ASSERT_EQ(1, actual->bindings_size());
+  EXPECT_EQ("roles/spanner.databaseReader", actual->bindings(0).role());
+  ASSERT_EQ(1, actual->bindings(0).members_size());
+  ASSERT_EQ("user:[email protected]", actual->bindings(0).members(0));
+}
+
+TEST(InstanceAdminConnectionTest, GetIamPolicy_PermanentFailure) {
+  auto mock = std::make_shared<spanner_testing::MockInstanceAdminStub>();
+  EXPECT_CALL(*mock, GetIamPolicy(_, _))
+      .WillOnce(Return(Status(StatusCode::kPermissionDenied, "uh-oh")));
+
+  auto conn = MakeTestConnection(mock);
+  auto actual = conn->GetIamPolicy({"test-instance-name"});
+  EXPECT_EQ(StatusCode::kPermissionDenied, actual.status().code());
+}
+
+TEST(InstanceAdminConnectionTest, GetIamPolicy_TooManyTransients) {
+  auto mock = std::make_shared<spanner_testing::MockInstanceAdminStub>();
+  EXPECT_CALL(*mock, GetIamPolicy(_, _))
+      .WillRepeatedly(Return(Status(StatusCode::kUnavailable, "try-again")));
+
+  auto conn = MakeTestConnection(mock);
+  auto actual = conn->GetIamPolicy({"test-instance-name"});
+  EXPECT_EQ(StatusCode::kUnavailable, actual.status().code());
+}
+
 TEST(InstanceAdminConnectionTest, TestIamPermissions_Success) {
   std::string const expected_name =
       "projects/test-project/instances/test-instance";

google/cloud/spanner/integration_tests/instance_admin_integration_test.cc

@@ -71,6 +71,11 @@ TEST(InstanceAdminClient, InstanceIam) {
   Instance in(project_id, instance_id);
 
   InstanceAdminClient client(MakeInstanceAdminConnection());
+
+  auto actual_policy = client.GetIamPolicy(in);
+  ASSERT_STATUS_OK(actual_policy);
+  EXPECT_FALSE(actual_policy->etag().empty());
+
   auto actual = client.TestIamPermissions(
       in, {"spanner.databases.list", "spanner.databases.get"});
   ASSERT_STATUS_OK(actual);

google/cloud/spanner/internal/instance_admin_retry.cc

@@ -85,6 +85,18 @@ StatusOr<gcsa::ListInstancesResponse> InstanceAdminRetry::ListInstances(
       context, request, __func__);
 }
 
+StatusOr<google::iam::v1::Policy> InstanceAdminRetry::GetIamPolicy(
+    grpc::ClientContext& context,
+    google::iam::v1::GetIamPolicyRequest const& request) {
+  return RetryLoop(
+      retry_policy_->clone(), backoff_policy_->clone(), true,
+      [this](grpc::ClientContext& context,
+             giam::GetIamPolicyRequest const& request) {
+        return child_->GetIamPolicy(context, request);
+      },
+      context, request, __func__);
+}
+
 StatusOr<giam::TestIamPermissionsResponse>
 InstanceAdminRetry::TestIamPermissions(
     grpc::ClientContext& context,

google/cloud/spanner/internal/instance_admin_retry.h

@@ -54,6 +54,9 @@ class InstanceAdminRetry : public InstanceAdminStub {
       grpc::ClientContext&,
       google::spanner::admin::instance::v1::ListInstancesRequest const&)
       override;
+  StatusOr<google::iam::v1::Policy> GetIamPolicy(
+      grpc::ClientContext&,
+      google::iam::v1::GetIamPolicyRequest const&) override;
   StatusOr<google::iam::v1::TestIamPermissionsResponse> TestIamPermissions(
       grpc::ClientContext&,
       google::iam::v1::TestIamPermissionsRequest const&) override;

google/cloud/spanner/internal/instance_admin_stub.cc

@@ -59,6 +59,17 @@ class DefaultInstanceAdminStub : public InstanceAdminStub {
     return response;
   }
 
+  StatusOr<giam::Policy> GetIamPolicy(
+      grpc::ClientContext& context,
+      giam::GetIamPolicyRequest const& request) override {
+    giam::Policy response;
+    auto status = instance_admin_->GetIamPolicy(&context, request, &response);
+    if (!status.ok()) {
+      return grpc_utils::MakeStatusFromRpcError(status);
+    }
+    return response;
+  }
+
   StatusOr<giam::TestIamPermissionsResponse> TestIamPermissions(
       grpc::ClientContext& context,
       giam::TestIamPermissionsRequest const& request) override {