feat(storage): add support for bucket ip filter

Author: ddelgrosso1

google/cloud/storage/bucket_ip_filter.cc

@@ -0,0 +1,110 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "google/cloud/storage/bucket_ip_filter.h"
+#include "google/cloud/internal/ios_flags_saver.h"
+#include <iostream>
+
+namespace google {
+namespace cloud {
+namespace storage {
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN
+
+bool operator==(BucketIpFilterPublicNetworkSource const& lhs,
+                BucketIpFilterPublicNetworkSource const& rhs) {
+  return lhs.allowed_ip_cidr_ranges == rhs.allowed_ip_cidr_ranges;
+}
+
+bool operator!=(BucketIpFilterPublicNetworkSource const& lhs,
+                BucketIpFilterPublicNetworkSource const& rhs) {
+  return !(lhs == rhs);
+}
+
+std::ostream& operator<<(std::ostream& os,
+                         BucketIpFilterPublicNetworkSource const& rhs) {
+  os << "BucketIpFilterPublicNetworkSource={allowed_ip_cidr_ranges=[";
+  char const* sep = "";
+  for (auto const& r : rhs.allowed_ip_cidr_ranges) {
+    os << sep << r;
+    sep = ", ";
+  }
+  return os << "]}";
+}
+
+bool operator==(BucketIpFilterVpcNetworkSource const& lhs,
+                BucketIpFilterVpcNetworkSource const& rhs) {
+  return std::tie(lhs.network, lhs.allowed_ip_cidr_ranges) ==
+         std::tie(rhs.network, rhs.allowed_ip_cidr_ranges);
+}
+
+bool operator!=(BucketIpFilterVpcNetworkSource const& lhs,
+                BucketIpFilterVpcNetworkSource const& rhs) {
+  return !(lhs == rhs);
+}
+
+std::ostream& operator<<(std::ostream& os,
+                         BucketIpFilterVpcNetworkSource const& rhs) {
+  os << "BucketIpFilterVpcNetworkSource={network=" << rhs.network
+     << ", allowed_ip_cidr_ranges=[";
+  char const* sep = "";
+  for (auto const& r : rhs.allowed_ip_cidr_ranges) {
+    os << sep << r;
+    sep = ", ";
+  }
+  return os << "]}";
+}
+
+bool operator==(BucketIpFilter const& lhs, BucketIpFilter const& rhs) {
+  return std::tie(lhs.allow_all_service_agent_access, lhs.allow_cross_org_vpcs,
+                  lhs.mode, lhs.public_network_source,
+                  lhs.vpc_network_sources) ==
+         std::tie(rhs.allow_all_service_agent_access, rhs.allow_cross_org_vpcs,
+                  rhs.mode, rhs.public_network_source, rhs.vpc_network_sources);
+}
+
+bool operator!=(BucketIpFilter const& lhs, BucketIpFilter const& rhs) {
+  return !(lhs == rhs);
+}
+
+std::ostream& operator<<(std::ostream& os, BucketIpFilter const& rhs) {
+  google::cloud::internal::IosFlagsSaver save_format(os);
+  os << "BucketIpFilter={";
+  os << "mode=" << rhs.mode.value_or("") << ", ";
+  if (rhs.allow_all_service_agent_access) {
+    os << "allow_all_service_agent_access=" << std::boolalpha
+       << *rhs.allow_all_service_agent_access << ", ";
+  }
+  if (rhs.allow_cross_org_vpcs) {
+    os << "allow_cross_org_vpcs=" << std::boolalpha << *rhs.allow_cross_org_vpcs
+       << ", ";
+  }
+  if (rhs.public_network_source) {
+    os << "public_network_source=" << *rhs.public_network_source << ", ";
+  }
+  if (rhs.vpc_network_sources) {
+    os << "vpc_network_sources=[";
+    char const* sep = "";
+    for (auto const& r : *rhs.vpc_network_sources) {
+      os << sep << r;
+      sep = ", ";
+    }
+    os << "]";
+  }
+  return os << "}";
+}
+
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END
+}  // namespace storage
+}  // namespace cloud
+}  // namespace google

google/cloud/storage/bucket_ip_filter.h

@@ -0,0 +1,82 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef GOOGLE_CLOUD_CPP_GOOGLE_CLOUD_STORAGE_BUCKET_IP_FILTER_H
+#define GOOGLE_CLOUD_CPP_GOOGLE_CLOUD_STORAGE_BUCKET_IP_FILTER_H
+
+#include "google/cloud/storage/version.h"
+#include "absl/types/optional.h"
+#include <iosfwd>
+#include <string>
+#include <vector>
+
+namespace google {
+namespace cloud {
+namespace storage {
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN
+
+/**
+ * Defines a public network source for the bucket IP filter.
+ */
+struct BucketIpFilterPublicNetworkSource {
+  std::vector<std::string> allowed_ip_cidr_ranges;
+};
+
+bool operator==(BucketIpFilterPublicNetworkSource const& lhs,
+                BucketIpFilterPublicNetworkSource const& rhs);
+bool operator!=(BucketIpFilterPublicNetworkSource const& lhs,
+                BucketIpFilterPublicNetworkSource const& rhs);
+
+std::ostream& operator<<(std::ostream& os,
+                         BucketIpFilterPublicNetworkSource const& rhs);
+
+/**
+ * Defines a VPC network source for the bucket IP filter.
+ */
+struct BucketIpFilterVpcNetworkSource {
+  std::string network;
+  std::vector<std::string> allowed_ip_cidr_ranges;
+};
+
+bool operator==(BucketIpFilterVpcNetworkSource const& lhs,
+                BucketIpFilterVpcNetworkSource const& rhs);
+bool operator!=(BucketIpFilterVpcNetworkSource const& lhs,
+                BucketIpFilterVpcNetworkSource const& rhs);
+
+std::ostream& operator<<(std::ostream& os,
+                         BucketIpFilterVpcNetworkSource const& rhs);
+
+/**
+ * The IP filtering configuration for a Bucket.
+ */
+struct BucketIpFilter {
+  absl::optional<bool> allow_all_service_agent_access;
+  absl::optional<bool> allow_cross_org_vpcs;
+  absl::optional<std::string> mode;
+  absl::optional<BucketIpFilterPublicNetworkSource> public_network_source;
+  absl::optional<std::vector<BucketIpFilterVpcNetworkSource>>
+      vpc_network_sources;
+};
+
+bool operator==(BucketIpFilter const& lhs, BucketIpFilter const& rhs);
+bool operator!=(BucketIpFilter const& lhs, BucketIpFilter const& rhs);
+
+std::ostream& operator<<(std::ostream& os, BucketIpFilter const& rhs);
+
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END
+}  // namespace storage
+}  // namespace cloud
+}  // namespace google
+
+#endif  // GOOGLE_CLOUD_CPP_GOOGLE_CLOUD_STORAGE_BUCKET_IP_FILTER_H

google/cloud/storage/bucket_ip_filter_test.cc

@@ -0,0 +1,75 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "google/cloud/storage/bucket_ip_filter.h"
+#include "google/cloud/testing_util/is_proto_equal.h"
+#include <gmock/gmock.h>
+
+namespace google {
+namespace cloud {
+namespace storage {
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN
+namespace {
+
+TEST(BucketIpFilterTest, PublicNetworkSource) {
+  BucketIpFilterPublicNetworkSource source;
+  source.allowed_ip_cidr_ranges.push_back("1.2.3.4/32");
+  source.allowed_ip_cidr_ranges.push_back("5.6.7.8/32");
+
+  BucketIpFilterPublicNetworkSource copy = source;
+  EXPECT_EQ(source, copy);
+
+  copy.allowed_ip_cidr_ranges.pop_back();
+  EXPECT_NE(source, copy);
+}
+
+TEST(BucketIpFilterTest, VpcNetworkSource) {
+  BucketIpFilterVpcNetworkSource source;
+  source.network = "projects/p/global/networks/n";
+  source.allowed_ip_cidr_ranges.push_back("1.2.3.4/32");
+  source.allowed_ip_cidr_ranges.push_back("5.6.7.8/32");
+
+  BucketIpFilterVpcNetworkSource copy = source;
+  EXPECT_EQ(source, copy);
+
+  copy.network = "changed";
+  EXPECT_NE(source, copy);
+}
+
+TEST(BucketIpFilterTest, IpFilter) {
+  BucketIpFilter filter;
+  filter.mode = "Enabled";
+  filter.allow_all_service_agent_access = true;
+  filter.allow_cross_org_vpcs = true;
+  filter.public_network_source =
+      BucketIpFilterPublicNetworkSource{{"1.2.3.4/32"}};
+  filter.vpc_network_sources =
+      absl::make_optional<std::vector<BucketIpFilterVpcNetworkSource>>(
+          {BucketIpFilterVpcNetworkSource{"projects/p/global/networks/n",
+                                          {"5.6.7.8/32"}},
+           BucketIpFilterVpcNetworkSource{"projects/p/global/networks/m",
+                                          {"9.0.1.2/32"}}});
+
+  BucketIpFilter copy = filter;
+  EXPECT_EQ(filter, copy);
+
+  copy.mode = "Disabled";
+  EXPECT_NE(filter, copy);
+}
+
+}  // namespace
+GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END
+}  // namespace storage
+}  // namespace cloud
+}  // namespace google

google/cloud/storage/bucket_metadata.cc

@@ -96,6 +96,7 @@ bool operator==(BucketMetadata const& lhs, BucketMetadata const& rhs) {
          && lhs.etag_ == rhs.etag_                                          //
          && lhs.hierarchical_namespace_ == rhs.hierarchical_namespace_      //
          && lhs.iam_configuration_ == rhs.iam_configuration_                //
+         && lhs.ip_filter_ == rhs.ip_filter_                                //
          && lhs.id_ == rhs.id_                                              //
          && lhs.kind_ == rhs.kind_                                          //
          && lhs.labels_ == rhs.labels_                                      //
@@ -164,6 +165,10 @@ std::ostream& operator<<(std::ostream& os, BucketMetadata const& rhs) {
     os << ", iam_configuration=" << rhs.iam_configuration();
   }
 
+  if (rhs.has_ip_filter()) {
+    os << ", ip_filter=" << rhs.ip_filter();
+  }
+
   os << ", id=" << rhs.id() << ", kind=" << rhs.kind();
 
   for (auto const& kv : rhs.labels_) {
@@ -402,6 +407,51 @@ BucketMetadataPatchBuilder::ResetIamConfiguration() {
   return *this;
 }
 
+BucketMetadataPatchBuilder& BucketMetadataPatchBuilder::SetIpFilter(
+    BucketIpFilter const& v) {
+  internal::PatchBuilder ip_filter;
+  if (v.mode.has_value()) {
+    ip_filter.SetStringField("mode", *v.mode);
+  }
+  if (v.allow_all_service_agent_access.has_value()) {
+    ip_filter.SetBoolField("allowAllServiceAgentAccess",
+                           *v.allow_all_service_agent_access);
+  }
+  if (v.allow_cross_org_vpcs.has_value()) {
+    ip_filter.SetBoolField("allowCrossOrgVpcs", *v.allow_cross_org_vpcs);
+  }
+  if (v.public_network_source.has_value()) {
+    internal::PatchBuilder public_network_source;
+    auto array = nlohmann::json::array();
+    for (auto const& r : v.public_network_source->allowed_ip_cidr_ranges) {
+      array.emplace_back(r);
+    }
+    public_network_source.SetArrayField("allowedIpCidrRanges", array.dump());
+    ip_filter.AddSubPatch("publicNetworkSource", public_network_source);
+  }
+  if (v.vpc_network_sources.has_value()) {
+    auto array = nlohmann::json::array();
+    for (auto const& r : *v.vpc_network_sources) {
+      nlohmann::json vpc_network_source;
+      vpc_network_source["network"] = r.network;
+      auto allowed_ips = nlohmann::json::array();
+      for (auto const& ip : r.allowed_ip_cidr_ranges) {
+        allowed_ips.emplace_back(ip);
+      }
+      vpc_network_source["allowedIpCidrRanges"] = allowed_ips;
+      array.emplace_back(vpc_network_source);
+    }
+    ip_filter.SetArrayField("vpcNetworkSources", array.dump());
+  }
+  impl_.AddSubPatch("ipFilter", ip_filter);
+  return *this;
+}
+
+BucketMetadataPatchBuilder& BucketMetadataPatchBuilder::ResetIpFilter() {
+  impl_.RemoveField("ipFilter");
+  return *this;
+}
+
 BucketMetadataPatchBuilder&
 BucketMetadataPatchBuilder::SetHierarchicalNamespace(
     BucketHierarchicalNamespace const& v) {

google/cloud/storage/bucket_metadata.h

@@ -23,6 +23,7 @@
 #include "google/cloud/storage/bucket_encryption.h"
 #include "google/cloud/storage/bucket_hierarchical_namespace.h"
 #include "google/cloud/storage/bucket_iam_configuration.h"
+#include "google/cloud/storage/bucket_ip_filter.h"
 #include "google/cloud/storage/bucket_lifecycle.h"
 #include "google/cloud/storage/bucket_logging.h"
 #include "google/cloud/storage/bucket_object_retention.h"
@@ -269,6 +270,23 @@ class BucketMetadata {
   }
   ///@}
 
+  /// @name Accessors and modifiers for the IP filter configuration.
+  ///@{
+  bool has_ip_filter() const { return ip_filter_.has_value(); }
+  BucketIpFilter const& ip_filter() const { return *ip_filter_; }
+  absl::optional<BucketIpFilter> const& ip_filter_as_optional() const {
+    return ip_filter_;
+  }
+  BucketMetadata& set_ip_filter(BucketIpFilter v) {
+    ip_filter_ = std::move(v);
+    return *this;
+  }
+  BucketMetadata& reset_ip_filter() {
+    ip_filter_.reset();
+    return *this;
+  }
+  ///@}
+
   /// Return the bucket id.
   std::string const& id() const { return id_; }
 
@@ -664,6 +682,7 @@ class BucketMetadata {
   std::string etag_;
   absl::optional<BucketHierarchicalNamespace> hierarchical_namespace_;
   absl::optional<BucketIamConfiguration> iam_configuration_;
+  absl::optional<BucketIpFilter> ip_filter_;
   std::string id_;
   std::string kind_;
   std::map<std::string, std::string> labels_;
@@ -742,6 +761,9 @@ class BucketMetadataPatchBuilder {
       BucketIamConfiguration const& v);
   BucketMetadataPatchBuilder& ResetIamConfiguration();
 
+  BucketMetadataPatchBuilder& SetIpFilter(BucketIpFilter const& v);
+  BucketMetadataPatchBuilder& ResetIpFilter();
+
   /// Sets a new hierarchical namespace configuration.
   BucketMetadataPatchBuilder& SetHierarchicalNamespace(
       BucketHierarchicalNamespace const& v);