in sources/src/main/java/com/google/solutions/jitaccess/catalog/policy/PolicyDocument.java [928:984]
/**
 * YAML element describing one IAM role binding on a project, folder, or
 * organization.
 *
 * <p>The {@code project} and {@code resource} components form a union: a
 * well-formed element sets at most one of them. {@code resource} accepts the
 * full {@code projects/ID}, {@code folders/ID}, or {@code organizations/ID}
 * path, {@code project} only a project ID.
 */
public record IamRoleBindingElement(
  // union {
  @JsonProperty("project") String project,
  @JsonProperty("resource") String resource,
  // }
  @JsonProperty("role") String role,
  @JsonProperty("description") String description,
  @JsonProperty("condition") String condition
) {
  /**
   * Serializes a policy binding into its YAML element.
   *
   * <p>The element always uses the {@code resource} form; {@code project}
   * is left unset.
   *
   * @param binding the binding to serialize
   * @return the corresponding element
   */
  static IamRoleBindingElement toYaml(@NotNull IamRoleBinding binding) {
    var resourcePath = binding.resource().path();
    var roleName = binding.role().name();
    return new IamRoleBindingElement(
      null,
      resourcePath,
      roleName,
      binding.description(),
      binding.condition());
  }

  /**
   * Parses this element into a policy binding, reporting problems to
   * {@code issues}.
   *
   * <p>The resource ID and the role are validated independently so that a
   * single call can report both kinds of problem. The {@code description}
   * and {@code condition} components are passed through as-is; whether the
   * condition expression is validated elsewhere is not visible here.
   *
   * @param issues collector that receives an error for each problem found
   * @return the binding, or empty if the element is invalid
   */
  @NotNull Optional<IamRoleBinding> toPolicy(@NotNull IssueCollection issues) {
    var hasProject = !MoreStrings.isNullOrBlank(this.project);
    var hasResource = !MoreStrings.isNullOrBlank(this.resource);
    if (hasProject && hasResource) {
      // Ambiguous element: the author must pick exactly one form.
      issues.error(
        Issue.Code.PRIVILEGE_DUPLICATE_RESOURCE_ID,
        "The binding can be either for a project or resource, but not both");
      return Optional.empty();
    }

    // Consult the parsers in order of specificity; each one is only
    // evaluated if none of the earlier ones produced a result.
    Optional<ResourceId> resourceId = Optional.empty();
    resourceId = resourceId.or(() -> ProjectId.parse(this.project));
    resourceId = resourceId.or(() -> ProjectId.parse(this.resource));
    resourceId = resourceId.or(() -> FolderId.parse(this.resource));
    resourceId = resourceId.or(() -> OrganizationId.parse(this.resource));

    if (resourceId.isEmpty()) {
      // Report whichever of the two forms was provided; if neither was,
      // the message shows what Coalesce.nonEmpty returns for two blanks.
      issues.error(
        Issue.Code.PRIVILEGE_INVALID_RESOURCE_ID,
        "The resource ID '%s' does not match the format " +
        "projects/ID, folders/ID, or organizations/ID",
        Coalesce.nonEmpty(this.project, this.resource));
    }

    var parsedRole = IamRole.parse(this.role);
    if (parsedRole.isEmpty()) {
      issues.error(
        Issue.Code.PRIVILEGE_INVALID_ROLE,
        "The IAM role '%s' is invalid",
        this.role);
    }

    // Only build a binding when both halves parsed; errors above have
    // already been recorded, so there is nothing more to report here.
    if (resourceId.isEmpty() || parsedRole.isEmpty()) {
      return Optional.empty();
    }

    return Optional.of(new IamRoleBinding(
      resourceId.get(),
      parsedRole.get(),
      this.description,
      this.condition));
  }
}