feat(storage): insert object acl

brianquinlan · brianquinlan · commit 5735afefb153 · 2026-04-02T15:28:24.000-07:00
diff --git a/pkgs/google_cloud_storage/lib/src/client.dart b/pkgs/google_cloud_storage/lib/src/client.dart
@@ -24,6 +24,7 @@ import 'bucket.dart';
 import 'bucket_metadata_json.dart';
 import 'bucket_metadata_patch_builder.dart'
     show BucketMetadataPatchBuilderJsonEncodable;
+import 'common_json.dart';
 import 'default_http_client_web.dart'
     if (dart.library.io) 'default_http_client_vm.dart';
 import 'default_project_id_web.dart'
@@ -585,6 +586,66 @@ final class Storage {
     } while (nextPageToken != null);
   }
 
+  /// Creates a new ACL entry on the specified [[Google Cloud Storage object].
+  ///
+  /// This operation is not idempotent.
+  ///
+  /// If the bucket has uniform bucket-level access enabled, this operation
+  /// will fail with [BadRequestException].
+  ///
+  /// Throws [NotFoundException] if the object does not exist.
+  ///
+  /// [entity] specifies the entity holding the permission. Supported formats:
+  /// - `user-emailAddress`
+  /// - `group-emailAddress`
+  /// - `domain-domain`
+  /// - `project-team-projectNumber`
+  /// - `allUsers`
+  /// - `allAuthenticatedUsers`
+  ///
+  /// For example:
+  /// - The user `liz@example.com` would be `"user-liz@example.com"`.
+  /// - The group `example@googlegroups.com` would be
+  ///   `"group-example@googlegroups.com"`.
+  /// - To refer to all members of the domain `example.com`, the entity would
+  ///   be `"domain-example.com"`.
+  ///
+  /// [role] specifies the access permission for the entity. There are two roles
+  /// that can be assigned to an object:
+  /// 1. `READER` can get an object, though the `acl` property will not be
+  ///    revealed.
+  /// 2. `OWNER` are `READER`s, and they can get the `acl` property, update the
+  ///    object's metadata, and call all [ObjectAccessControl]-related methods
+  ///    on the object. The owner of an object is always an `OWNER`.
+  ///
+  /// See [API reference docs](https://cloud.google.com/storage/docs/json_api/v1/objectAccessControls/insert).
+  ///
+  /// [Google Cloud Storage object]: https://docs.cloud.google.com/storage/docs/objects
+
+  Future<ObjectAccessControl> insertObjectAcl(
+    String bucket,
+    String object,
+    String entity,
+    String role, {
+    RetryRunner retry = defaultRetry,
+  }) => retry.run(() async {
+    final serviceClient = await _serviceClient;
+    final url = _requestUrl([
+      'storage',
+      'v1',
+      'b',
+      bucket,
+      'o',
+      object,
+      'acl',
+    ], {});
+    final j = await serviceClient.post(
+      url,
+      body: _JsonEncodableWrapper({'entity': entity, 'role': role}),
+    );
+    return objectAccessControlFromJson(j as Map<String, Object?>)!;
+  }, isIdempotent: false);
+
   /// Information about a [Google Cloud Storage object].
   ///
   /// This operation is read-only and always idempotent.
diff --git a/pkgs/google_cloud_storage/test/insert_object_acl_test.dart b/pkgs/google_cloud_storage/test/insert_object_acl_test.dart
@@ -0,0 +1,221 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import 'package:google_cloud_storage/google_cloud_storage.dart';
+import 'package:http/http.dart' as http;
+import 'package:http/testing.dart';
+import 'package:test/test.dart';
+
+import 'test_utils.dart';
+
+void main() async {
+  late Storage storage;
+
+  group('insert object acl', () {
+    group('google-cloud', tags: ['google-cloud', 'no-ulba'], () {
+      setUp(() {
+        storage = Storage();
+      });
+
+      tearDown(() => storage.close());
+
+      test('success', () async {
+        final bucketName = await createBucketWithTearDown(
+          storage,
+          'ins_obj_acl_ok',
+          metadata: BucketMetadata(
+            iamConfiguration: BucketIamConfiguration(
+              uniformBucketLevelAccess: UniformBucketLevelAccess(
+                enabled: false,
+              ),
+            ),
+          ),
+        );
+
+        await storage.uploadObjectFromString(
+          bucketName,
+          'object.txt',
+          'Hello World!',
+          ifGenerationMatch: BigInt.zero,
+        );
+
+        final acl = await storage.insertObjectAcl(
+          bucketName,
+          'object.txt',
+          'user-daenerysstone.938939@gmail.com',
+          'READER',
+        );
+
+        expect(acl.entity, 'user-daenerysstone.938939@gmail.com');
+        expect(acl.role, 'READER');
+
+        final metadata = await storage.objectMetadata(
+          bucketName,
+          'object.txt',
+          projection: 'full',
+        );
+        print(metadata.acl);
+        final testUserRoles = [
+          for (var i in metadata.acl ?? <ObjectAccessControl>[])
+            if (i.entity == 'user-daenerysstone.938939@gmail.com')
+              (i.entity, i.role),
+        ];
+        expect(testUserRoles, [
+          ('user-daenerysstone.938939@gmail.com', 'READER'),
+        ]);
+      });
+
+      test('reader then owner', () async {
+        final bucketName = await createBucketWithTearDown(
+          storage,
+          'ins_obj_acl_ok',
+          metadata: BucketMetadata(
+            iamConfiguration: BucketIamConfiguration(
+              uniformBucketLevelAccess: UniformBucketLevelAccess(
+                enabled: false,
+              ),
+            ),
+          ),
+        );
+
+        await storage.uploadObjectFromString(
+          bucketName,
+          'object.txt',
+          'Hello World!',
+          ifGenerationMatch: BigInt.zero,
+        );
+
+        await storage.insertObjectAcl(
+          bucketName,
+          'object.txt',
+          'user-daenerysstone.938939@gmail.com',
+          'READER',
+        );
+        await storage.insertObjectAcl(
+          bucketName,
+          'object.txt',
+          'user-daenerysstone.938939@gmail.com',
+          'OWNER',
+        );
+
+        final metadata = await storage.objectMetadata(
+          bucketName,
+          'object.txt',
+          projection: 'full',
+        );
+
+        final testUserRoles = [
+          for (var i in metadata.acl ?? <ObjectAccessControl>[])
+            if (i.entity == 'user-daenerysstone.938939@gmail.com')
+              (i.entity, i.role),
+        ];
+        expect(testUserRoles, [
+          ('user-daenerysstone.938939@gmail.com', 'OWNER'),
+        ]);
+      });
+
+      test('owner then reader', () async {
+        final bucketName = await createBucketWithTearDown(
+          storage,
+          'ins_obj_acl_ok',
+          metadata: BucketMetadata(
+            iamConfiguration: BucketIamConfiguration(
+              uniformBucketLevelAccess: UniformBucketLevelAccess(
+                enabled: false,
+              ),
+            ),
+          ),
+        );
+
+        await storage.uploadObjectFromString(
+          bucketName,
+          'object.txt',
+          'Hello World!',
+          ifGenerationMatch: BigInt.zero,
+        );
+
+        await storage.insertObjectAcl(
+          bucketName,
+          'object.txt',
+          'user-daenerysstone.938939@gmail.com',
+          'OWNER',
+        );
+        await storage.insertObjectAcl(
+          bucketName,
+          'object.txt',
+          'user-daenerysstone.938939@gmail.com',
+          'READER',
+        );
+
+        final metadata = await storage.objectMetadata(
+          bucketName,
+          'object.txt',
+          projection: 'full',
+        );
+
+        final testUserRoles = [
+          for (var i in metadata.acl ?? <ObjectAccessControl>[])
+            if (i.entity == 'user-daenerysstone.938939@gmail.com')
+              (i.entity, i.role),
+        ];
+        expect(testUserRoles, [
+          ('user-daenerysstone.938939@gmail.com', 'READER'),
+        ]);
+      });
+
+      test('not found', () async {
+        final bucketName = await createBucketWithTearDown(
+          storage,
+          'ins_obj_acl_not_found',
+        );
+
+        final bucketMetadata = await storage.bucketMetadata(
+          bucketName,
+          projection: 'full',
+        );
+        final entity = bucketMetadata.acl!.first.entity!;
+
+        expect(
+          () => storage.insertObjectAcl(
+            bucketName,
+            'non-existent.txt',
+            entity,
+            'READER',
+          ),
+          throwsA(isA<NotFoundException>()),
+        );
+      });
+    });
+
+    test('non-idempotent transport failure', () async {
+      var count = 0;
+      final mockClient = MockClient((request) async {
+        count++;
+        if (count == 1) {
+          throw http.ClientException('Some transport failure');
+        } else {
+          throw StateError('Unexpected call count: $count');
+        }
+      });
+
+      final storage = Storage(client: mockClient, projectId: 'fake project');
+
+      await expectLater(
+        storage.insertObjectAcl('bucket', 'object', 'entity', 'role'),
+        throwsA(isA<http.ClientException>()),
+      );
+      expect(count, 1);
+    });
+  });
+}
