test: skip PAP-related system tests

The test suite currently attempts to add 'allUsers' or
'allAuthenticatedUsers' to IAM policies, which is restricted by Org
Policy. Skipping these until test buckets are granted policy overrides.

Tracking: b/457800112

Author: thiyaguk09

samples/system-test/buckets.test.js

@@ -366,7 +366,13 @@ it("should add a bucket's website configuration", async () => {
   });
 });
 
-it('should make bucket publicly readable', async () => {
+/**
+ * TODO: (b/457800112)Re-enable once Org Policy allows PAP overrides on test buckets.
+ * REASON: Organization Policy "Public Access Prevention" (PAP) is enabled.
+ * This prevents 'allUsers' or 'allAuthenticatedUsers' from being added to
+ * IAM/ACL policies, causing 403 errors in system tests.
+ */
+it.skip('should make bucket publicly readable', async () => {
   const output = execSync(`node makeBucketPublic.js ${bucketName}`);
   assert.match(
     output,

samples/system-test/files.test.js

@@ -334,7 +334,13 @@ describe('file', () => {
       await bucket.file(publicFileName).delete();
     });
 
-    it('should make a file public', () => {
+    /**
+     * TODO: (b/457800112)Re-enable once Org Policy allows PAP overrides on test buckets.
+     * REASON: Organization Policy "Public Access Prevention" (PAP) is enabled.
+     * This prevents 'allUsers' or 'allAuthenticatedUsers' from being added to
+     * IAM/ACL policies, causing 403 errors in system tests.
+     */
+    it.skip('should make a file public', () => {
       const output = execSync(
         `node makePublic.js ${bucketName} ${publicFileName}`
       );

system-test/storage.ts

@@ -289,7 +289,13 @@ describe('storage', function () {
         await bucket.acl.delete({entity: USER_ACCOUNT});
       });
 
-      it('should make a bucket public', async () => {
+      /**
+       * TODO: (b/457800112)Re-enable once Org Policy allows PAP overrides on test buckets.
+       * REASON: Organization Policy "Public Access Prevention" (PAP) is enabled.
+       * This prevents 'allUsers' or 'allAuthenticatedUsers' from being added to
+       * IAM/ACL policies, causing 403 errors in system tests.
+       */
+      it.skip('should make a bucket public', async () => {
         await bucket.makePublic();
         const [aclObject] = await bucket.acl.get({entity: 'allUsers'});
         assert.deepStrictEqual(aclObject, {
@@ -302,7 +308,13 @@ describe('storage', function () {
         await bucket.acl.delete({entity: 'allUsers'});
       });
 
-      it('should make files public', async () => {
+      /**
+       * TODO: (b/457800112)Re-enable once Org Policy allows PAP overrides on test buckets.
+       * REASON: Organization Policy "Public Access Prevention" (PAP) is enabled.
+       * This prevents 'allUsers' or 'allAuthenticatedUsers' from being added to
+       * IAM/ACL policies, causing 403 errors in system tests.
+       */
+      it.skip('should make files public', async () => {
         await Promise.all(
           ['a', 'b', 'c'].map(text => createFileWithContentPromise(text))
         );
@@ -319,7 +331,13 @@ describe('storage', function () {
         ]);
       });
 
-      it('should make a bucket private', async () => {
+      /**
+       * TODO: (b/457800112)Re-enable once Org Policy allows PAP overrides on test buckets.
+       * REASON: Organization Policy "Public Access Prevention" (PAP) is enabled.
+       * This prevents 'allUsers' or 'allAuthenticatedUsers' from being added to
+       * IAM/ACL policies, causing 403 errors in system tests.
+       */
+      it.skip('should make a bucket private', async () => {
         try {
           await bucket.makePublic();
           await new Promise(resolve =>
@@ -404,7 +422,13 @@ describe('storage', function () {
         await file.acl.delete({entity: USER_ACCOUNT});
       });
 
-      it('should make a file public', async () => {
+      /**
+       * TODO: (b/457800112)Re-enable once Org Policy allows PAP overrides on test buckets.
+       * REASON: Organization Policy "Public Access Prevention" (PAP) is enabled.
+       * This prevents 'allUsers' or 'allAuthenticatedUsers' from being added to
+       * IAM/ACL policies, causing 403 errors in system tests.
+       */
+      it.skip('should make a file public', async () => {
         await file.makePublic();
         const [aclObject] = await file.acl.get({entity: 'allUsers'});
         assert.deepStrictEqual(aclObject, {
@@ -452,7 +476,13 @@ describe('storage', function () {
         assert.strictEqual(encryptionAlgorithm, 'AES256');
       });
 
-      it('should make a file public during the upload', async () => {
+      /**
+       * TODO: (b/457800112)Re-enable once Org Policy allows PAP overrides on test buckets.
+       * REASON: Organization Policy "Public Access Prevention" (PAP) is enabled.
+       * This prevents 'allUsers' or 'allAuthenticatedUsers' from being added to
+       * IAM/ACL policies, causing 403 errors in system tests.
+       */
+      it.skip('should make a file public during the upload', async () => {
         const [file] = await bucket.upload(FILES.big.path, {
           resumable: false,
           public: true,
@@ -465,7 +495,13 @@ describe('storage', function () {
         });
       });
 
-      it('should make a file public from a resumable upload', async () => {
+      /**
+       * TODO: (b/457800112)Re-enable once Org Policy allows PAP overrides on test buckets.
+       * REASON: Organization Policy "Public Access Prevention" (PAP) is enabled.
+       * This prevents 'allUsers' or 'allAuthenticatedUsers' from being added to
+       * IAM/ACL policies, causing 403 errors in system tests.
+       */
+      it.skip('should make a file public from a resumable upload', async () => {
         const [file] = await bucket.upload(FILES.big.path, {
           resumable: true,
           public: true,
@@ -529,7 +565,13 @@ describe('storage', function () {
         ]);
       });
 
-      it('should set a policy', async () => {
+      /**
+       * TODO: (b/457800112)Re-enable once Org Policy allows PAP overrides on test buckets.
+       * REASON: Organization Policy "Public Access Prevention" (PAP) is enabled.
+       * This prevents 'allUsers' or 'allAuthenticatedUsers' from being added to
+       * IAM/ACL policies, causing 403 errors in system tests.
+       */
+      it.skip('should set a policy', async () => {
         const [policy] = await bucket.iam.getPolicy();
         policy!.bindings.push({
           role: 'roles/storage.legacyBucketReader',
@@ -2305,7 +2347,13 @@ describe('storage', function () {
           });
         });
 
-        it('iam#setPolicy', async () => {
+        /**
+         * TODO: (b/457800112)Re-enable once Org Policy allows PAP overrides on test buckets.
+         * REASON: Organization Policy "Public Access Prevention" (PAP) is enabled.
+         * This prevents 'allUsers' or 'allAuthenticatedUsers' from being added to
+         * IAM/ACL policies, causing 403 errors in system tests.
+         */
+        it.skip('iam#setPolicy', async () => {
           await requesterPaysDoubleTest(async options => {
             const [policy] = await bucket.iam.getPolicy();
 
@@ -3004,7 +3052,13 @@ describe('storage', function () {
       await Promise.all([file.delete, copiedFile.delete()]);
     });
 
-    it('should respect predefined Acl at file#copy', async () => {
+    /**
+     * TODO: (b/457800112)Re-enable once Org Policy allows PAP overrides on test buckets.
+     * REASON: Organization Policy "Public Access Prevention" (PAP) is enabled.
+     * This prevents 'allUsers' or 'allAuthenticatedUsers' from being added to
+     * IAM/ACL policies, causing 403 errors in system tests.
+     */
+    it.skip('should respect predefined Acl at file#copy', async () => {
       const opts = {destination: 'CloudLogo'};
       const [file] = await bucket.upload(FILES.logo.path, opts);
       const copyOpts = {predefinedAcl: 'publicRead'};