feat(storage): add Cloud Storage bucket IP filtering samples

[salilg-eng]

This PR add PHP code samples demonstrating how to manage IP filtering for Cloud Storage buckets.

What's included:

• Snippets for getting, enabling, disabling, listing, and deleting bucket IP filtering rules.
• A full lifecycle integration test (IpFilterTest.php) to cover the new snippets.

Note on enable_ip_filtering.php:
I set the mode to Disabled by default in the snippet (with an accompanying comment). If we actually set it to Enabled during the automated tests, we risk locking the test runner out of the bucket and causing permission failures during the cleanup phase. Users can easily flip it to Enabled when adapting the code for their own use.

[snippet-bot]

Here is the summary of changes.

You are about to add 5 region tags.

• storage/src/delete_ip_filtering_rules.php:26, tag storage_delete_ip_filtering_rules
• storage/src/disable_ip_filtering.php:26, tag storage_disable_ip_filtering
• storage/src/enable_ip_filtering.php:26, tag storage_enable_ip_filtering
• storage/src/get_ip_filtering.php:26, tag storage_get_ip_filtering
• storage/src/list_buckets_ip_filtering.php:26, tag storage_list_buckets_ip_filtering

---

This comment is generated by snippet-bot.
If you find problems with this result, please file an issue at:
https://github.com/googleapis/repo-automation-bots/issues.
To update this comment, add snippet-bot:force-run label or use the checkbox below:

• Refresh this comment

[gemini-code-assist]

Code Review

This pull request introduces PHP code samples and integration tests for managing Cloud Storage bucket IP filtering rules, including enabling, disabling, retrieving, listing, and deleting rules. The review feedback highlights a critical issue where enabling IP filtering in the sample locks out the test runner, causing tests to fail silently; it is recommended to set the mode to 'Disabled' during testing. Additionally, the feedback suggests avoiding redundant API updates when no rules are modified, and using null coalescing operators to prevent PHP warnings on potentially missing array keys.

[gemini-code-assist]

In the PR description, you mentioned: 'I set the mode to Disabled by default in the snippet (with an accompanying comment)'. However, in the actual code, the mode is set to 'Enabled'.

Because the test runner's IP is not in the allowed range (1.2.3.0/24), setting the mode to 'Enabled' will immediately lock out the test runner. This causes the subsequent $bucket->reload() on line 1295 of the test to throw a 403 error, which is caught by the catch block, effectively skipping almost all of the lifecycle assertions (get, disable, list, delete).

Please update the mode to 'Disabled' in the snippet as intended, and update the corresponding test assertions in storageTest.php (lines 1297 and 1305) to expect 'Disabled' instead of 'Enabled'.

        // Set to 'Enabled' to enforce the IP filters.
        // We use 'Disabled' here to prevent locking out the test runner.
        'mode' => 'Disabled',

[gemini-code-assist]

If the IP range '1.2.3.0/24' is not present in the allowed ranges, or if allowedIpCidrRanges is not set, calling $bucket->update() is redundant and wastes an API call.

We can optimize this by tracking whether any changes were actually made, and only calling $bucket->update() if $updated is true.

    $updated = false;
    if (isset($ipFilter['publicNetworkSource']['allowedIpCidrRanges'])) {
        $ranges = $ipFilter['publicNetworkSource']['allowedIpCidrRanges'];
        $filteredRanges = array_filter($ranges, function ($range) {
            return $range !== '1.2.3.0/24';
        });
        if (count($ranges) !== count($filteredRanges)) {
            $ipFilter['publicNetworkSource']['allowedIpCidrRanges'] = array_values($filteredRanges);
            $updated = true;
        }
    }

    if ($updated) {
        $bucket->update(['ipFilter' => $ipFilter]);
        printf('Specific IP filtering rules deleted for bucket %s' . PHP_EOL, $bucketName);
    } else {
        printf('No matching IP filtering rules found to delete for bucket %s.' . PHP_EOL, $bucketName);
    }

[gemini-code-assist]

The key allowAllServiceAgentAccess might not be present in the $ipFilter array if it is not set or returned by the API. Accessing an undefined array key will trigger a PHP warning (which can be promoted to an exception in strict environments).

Using the null coalescing operator ?? provides a safe fallback.

    printf('Allow All Service Agent Access: %s' . PHP_EOL, var_export($ipFilter['allowAllServiceAgentAccess'] ?? false, true));

[gemini-code-assist]

The key allowCrossOrgVpcs might not be present in the $ipFilter array if it is not set or returned by the API. Accessing an undefined array key will trigger a PHP warning.

Using the null coalescing operator ?? provides a safe fallback.

    printf('Allow Cross Organization VPCs Access: %s' . PHP_EOL, var_export($ipFilter['allowCrossOrgVpcs'] ?? false, true));

[gemini-code-assist]

If enable_ip_filtering.php is updated to use 'mode' => 'Disabled' to prevent locking out the test runner, this assertion should be updated to expect 'Disabled'.

            $this->assertEquals('Disabled', $info['ipFilter']['mode']);

[gemini-code-assist]

If enable_ip_filtering.php is updated to use 'mode' => 'Disabled', this assertion should be updated to expect 'Mode: Disabled'.

            $this->assertStringContainsString('Mode: Disabled', $output);