in sources/src/main/java/com/google/solutions/jitaccess/catalog/legacy/ProjectRole.java [192:243]
/**
 * Derives the eligibility condition encoded in a binding's CEL condition.
 *
 * <p>The expression is split into its AND-ed clauses. A clause matching
 * {@code JIT_CONDITION_PATTERN} or {@code MPA_CONDITION_PATTERN} marks the role as
 * eligible; every other clause is re-joined into the resource condition that must
 * still hold at activation time. When both marker clauses are present, JIT takes
 * precedence over MPA.
 *
 * <p>Returns {@link Optional#empty()} when the condition is absent or blank, when no
 * marker clause is present, or when the remaining clauses cannot be re-assembled
 * into a valid expression. The last case is deliberate: an unparseable remainder
 * makes the role "not eligible" instead of dropping the resource condition.
 *
 * @param bindingCondition the binding's condition, may be {@code null}
 * @return the eligibility condition, or empty if the binding does not grant an
 *         eligible role
 */
static Optional<EligibilityCondition> parse(@Nullable Expr bindingCondition) {
  if (bindingCondition == null) {
    return Optional.empty();
  }

  var expression = bindingCondition.getExpression();
  if (Strings.isNullOrEmpty(expression) || expression.isBlank()) {
    return Optional.empty();
  }

  //
  // Split the condition into AND-ed clauses. Marker clauses decide the
  // activation type; whatever is left over forms the resource condition.
  //
  var clauses = new IamCondition(expression).splitAnd();

  ActivationType activationType;
  if (clauses.stream().anyMatch(c -> matches(c.toString(), JIT_CONDITION_PATTERN))) {
    activationType = ActivationType.JIT;
  }
  else if (clauses.stream().anyMatch(c -> matches(c.toString(), MPA_CONDITION_PATTERN))) {
    activationType = ActivationType.MPA;
  }
  else {
    // No marker clause: this is an ordinary, non-eligible binding.
    return Optional.empty();
  }

  var resourceConditionClauses = clauses
    .stream()
    .filter(c -> !isEligibilityMarker(c.toString()))
    .collect(Collectors.toList());

  String resourceCondition;
  try {
    resourceCondition = resourceConditionClauses.isEmpty()
      ? null
      : IamCondition.and(resourceConditionClauses).reformat().toString();
  }
  catch (IllegalArgumentException invalidCel) {
    //
    // The remaining clauses do not form a valid expression. Fail closed:
    // treat the role as not eligible rather than ignoring the condition.
    //
    return Optional.empty();
  }

  return Optional.of(new EligibilityCondition(
    expression,
    activationType,
    resourceCondition));
}

/**
 * Returns whether a single clause is one of the eligibility marker clauses
 * (JIT or MPA) rather than part of the resource condition.
 *
 * @param clause the textual form of one AND-ed clause
 */
private static boolean isEligibilityMarker(String clause) {
  return matches(clause, JIT_CONDITION_PATTERN)
    || matches(clause, MPA_CONDITION_PATTERN);
}