in sources/src/main/java/com/google/solutions/jitaccess/catalog/provisioning/Provisioner.java [325:370]
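/**
 * Replaces every role binding that {@code principal} currently holds in
 * {@code policy} with the bindings in {@code newBindings}.
 *
 * <p>The principal is first removed from all existing bindings; bindings that
 * are left without members are purged so that no empty binding is written back.
 * One binding per entry of {@code newBindings} is then added for the principal,
 * with the entry's condition (if any) attached as an IAM condition expression.
 *
 * <p>The policy is modified in place. Member lists created here are mutable, so
 * that a later call on the same policy object (for instance for another
 * principal) can remove members again; bindings returned by the API with a
 * {@code null} member list are tolerated and treated as empty.
 *
 * @param policy the IAM policy to modify in place; a missing binding list is
 *     initialized as empty
 * @param principal the principal whose bindings are replaced
 * @param newBindings the bindings the principal should hold afterwards; an
 *     empty collection revokes all of the principal's bindings
 */
static void replaceBindingsForPrincipals(
  @NotNull Policy policy,
  @NotNull IamPrincipalId principal,
  @NotNull Collection<IamRoleBinding> newBindings
) {
  var prefixedPrincipal = principal.type() + ":" + principal.value();

  var policyBindings = policy.getBindings();
  if (policyBindings == null) {
    policyBindings = new ArrayList<>();
    policy.setBindings(policyBindings);
  }

  //
  // Remove principal from existing bindings.
  //
  // The member list of a binding may be null (API model) or unmodifiable
  // (e.g. List.of), so mutate a copy instead of the list itself.
  //
  for (var existingBinding : policyBindings) {
    var members = existingBinding.getMembers();
    if (members == null || !members.contains(prefixedPrincipal)) {
      continue;
    }

    var remainingMembers = new ArrayList<>(members);

    // Drop every occurrence so that a duplicate entry cannot leave the
    // principal with a role it was supposed to lose.
    remainingMembers.removeIf(prefixedPrincipal::equals);
    existingBinding.setMembers(remainingMembers);
  }

  //
  // Purge bindings for which there is no more principal left.
  //
  policyBindings.removeIf(b -> b.getMembers() == null || b.getMembers().isEmpty());

  //
  // Add new bindings.
  //
  // NOTE(review): IAM honors conditions only on policies at version 3; confirm
  // that the caller requests and sets that version before writing the policy back.
  //
  for (var binding : newBindings) {
    var condition = Strings.isNullOrEmpty(binding.condition())
      ? null
      : new Expr()
        .setTitle(Coalesce.nonEmpty(binding.description(), "-"))
        .setExpression(binding.condition());

    // Mutable member list: see removal loop above.
    policyBindings.add(new Binding()
      .setMembers(new ArrayList<>(List.of(prefixedPrincipal)))
      .setRole(binding.role().name())
      .setCondition(condition));
  }
}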