feat: Add GCS Authorized buckets list #676
Hello @AbgarSim, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
Summary of Changes
Hello team, gemini-code-assist here with a summary of this pull request. This PR, authored by AbgarSim, introduces a new feature to the Google Cloud Storage (GCS) action: the ability to restrict the list of selectable buckets to a predefined set of "authorized buckets". The motivation behind this is to enhance security and improve the user experience in environments where the service account has access to numerous buckets, but only a subset should be available for exports via this action. This is achieved by adding a new configuration parameter for authorized buckets and implementing logic to filter the displayed buckets in the form UI and validate the selected bucket during execution.
Highlights
- New Configuration Parameter: Adds a new required parameter `authorized_buckets` to the GCS action configuration. This parameter accepts a semicolon-separated string of bucket names that are considered authorized for use.
- UI Bucket Filtering: Modifies the `form` method to fetch all accessible GCS buckets and then filter this list based on the configured `authorized_buckets` parameter. Only the authorized buckets will be presented to the user in the bucket selection dropdown.
- Execution-time Validation: Adds validation logic in the `execute` method to ensure that the bucket selected by the user is present in the configured list of `authorized_buckets`. If a non-authorized bucket is somehow selected (e.g., via API or a race condition), the action will fail with a bad request error.
- Error Handling: Includes error handling for scenarios where none of the configured authorized buckets are found in the GCS account accessible by the service account.
Changelog
- lib/actions/google/gcs/google_cloud_storage.js
  - Added `authorized_buckets` parameter definition to the `params` array (lines 41-47).
  - Implemented validation in `execute` to check if the selected bucket is in the authorized list (lines 53-63).
  - Modified the `form` method to filter the list of fetched buckets based on `authorized_buckets` (lines 138-143).
  - Added error handling if no authorized buckets are found (lines 144-147).
  - Updated the 'Bucket' form field options and default to use the filtered list (lines 153-156).
- src/actions/google/gcs/google_cloud_storage.ts
  - Added `authorized_buckets` parameter definition to the `params` array (lines 40-46).
  - Implemented validation in `execute` to check if the selected bucket is in the authorized list (lines 53-67).
  - Modified the `form` method to filter the list of fetched buckets based on `authorized_buckets` (lines 167-175).
  - Added error handling if no authorized buckets are found (lines 177-180).
  - Updated the 'Bucket' form field options and default to use the filtered list (lines 187-191).
  - Minor formatting adjustment in the 'Overwrite' field description (lines 201-202).
A bucket list, but not for fun,
Just GCS spots, one by one.
Filter the view,
For me and for you,
Ensuring the right job is done.
Code Review
This PR adds a new `authorized_buckets` parameter to restrict GCS bucket selection, which is a great enhancement for security and usability. The logic in the `form` method to filter buckets appears correct.
However, there's a critical logical flaw in the `execute` method in both `google_cloud_storage.js` and `google_cloud_storage.ts`. The new authorization check is incorrectly placed within the block that handles cases where no bucket is selected, which will lead to incorrect behavior. This needs to be rectified.
My review provides specific suggestions to fix this.
Summary of Findings
- Critical Logic Error in `execute` Method: The primary concern is the incorrect placement of the bucket authorization check within the `execute` method of both JavaScript and TypeScript files. It's currently inside a conditional block that only runs when no bucket is selected, leading to `selectedBucket` being undefined during the authorization check. This fundamentally breaks the authorization logic for actual selected buckets.
- Inconsistent Error Handling: The new error path for an unauthorized bucket was missing `response.webhookId` assignment and `winston.error` logging. The suggested fix includes these for consistency.
Merge Readiness
This pull request introduces a very useful feature. However, due to the critical logical error identified in the `execute` method's authorization check, I recommend that these changes not be merged until this issue is addressed. The provided code suggestions aim to correct this flaw. Once fixed, this PR will be a solid improvement. As an AI, I am not authorized to approve pull requests; please ensure further review and approval by authorized maintainers after the changes are made.
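The placement problem described in the review above, as an added TypeScript illustration that is not the PR's code or the project's own. The function names, messages, and sample bucket names are hypothetical, and rejecting everything when the allowlist is empty is an assumption made here.

```typescript
// Added illustration; all names below are hypothetical, not the project's code.
interface Verdict { ok: boolean; reason?: string }

// Parse the semicolon-separated parameter into exact bucket names.
// Surrounding whitespace and empty segments ("a;;b;") are dropped.
function parseAuthorizedBuckets(raw: string | undefined): string[] {
  return (raw ?? "")
    .split(";")
    .map((name) => name.trim())
    .filter((name) => name.length > 0);
}

// Placement the review describes: the allowlist test sits inside the
// "no bucket selected" branch, so it never runs for a real selection.
function validateNested(selected: string | undefined, raw: string | undefined): Verdict {
  if (!selected) {
    const allowed = parseAuthorizedBuckets(raw);
    // `selected` is undefined here, so this compares against "undefined".
    if (allowed.indexOf(String(selected)) === -1) {
      return { ok: false, reason: "bucket not authorized" };
    }
    return { ok: false, reason: "bucket is required" };
  }
  return { ok: true }; // any non-empty bucket name passes unchecked
}

// Corrected placement: presence and authorization are separate, sequential checks.
function validateSequential(selected: string | undefined, raw: string | undefined): Verdict {
  if (!selected) {
    return { ok: false, reason: "bucket is required" };
  }
  const allowed = parseAuthorizedBuckets(raw);
  // Fail closed (assumption): an empty or missing allowlist authorizes nothing.
  if (allowed.indexOf(selected) === -1) {
    return { ok: false, reason: "bucket not authorized" };
  }
  return { ok: true };
}

// Constructed sample configuration value, with stray spaces and empty segments.
const SAMPLE_CONFIG = " reports-prod ; reports-staging;;";
```

A regression test for the fix should submit a bucket name outside the allowlist directly to the execution path, since the filtered dropdown alone never exercises that branch.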
83292f6 to 07666f4
Add Support for Authorized GCS Buckets in Google Cloud Storage Action
This PR introduces a new parameter `authorized_buckets`. When configured, this parameter limits the list of selectable GCS buckets in the form UI to only those explicitly authorized. This is useful in environments where GCP credentials have access to many buckets, but data access must be restricted to specific ones per project or user group.
Motivation
In enterprise setups, the GCP service account used for Looker exports has visibility over a large number of buckets. However, not all of them are meant to be exposed in the Looker UI due to access control policies or data governance constraints.
This feature solves that by:
• Preventing unauthorized or accidental exports to non-approved buckets
• Improving UX by decluttering the bucket selection dropdown
• Making Looker actions safer and more compliant with internal security policies