public record AccessControlEntryElement()

in sources/src/main/java/com/google/solutions/jitaccess/catalog/policy/PolicyDocument.java [565:661]


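  /**
   * YAML representation of a single access control entry.
   *
   * <p>An element names a principal and carries a permission list in
   * {@code allow} or in {@code deny}; {@link #toPolicy} treats it as valid only
   * when exactly one of the two is specified.
   */
  public record AccessControlEntryElement(
    @JsonProperty("principal") String principal,
    @JsonProperty("allow") String allowedPermissions,
    @JsonProperty("deny") String deniedPermissions
  ) {
    /**
     * Converts an in-memory ACL entry to its YAML element.
     *
     * <p>The permission string is placed in {@code allow} for an
     * {@code AllowedEntry} and in {@code deny} for a {@code DeniedEntry};
     * the other field is {@code null}.
     *
     * @param ace entry to convert
     * @return element with principal formatted as {@code type:value}
     */
    static AccessControlEntryElement toYaml(@NotNull AccessControlList.Entry ace) {
      return new AccessControlEntryElement(
        String.format("%s:%s", ace.principal.type(), ace.principal.value()),
        ace instanceof AccessControlList.AllowedEntry
          ? PolicyPermission.toString(PolicyPermission.fromMask(ace.accessRights)) : null,
        ace instanceof AccessControlList.DeniedEntry
          ? PolicyPermission.toString(PolicyPermission.fromMask(ace.accessRights)) : null);
    }

    /**
     * Converts this YAML element to an in-memory ACL entry.
     *
     * <p>Every problem found is reported to {@code issues}. An entry is returned
     * only when the principal parsed and exactly one of the two permission
     * fields parsed to a mask, so a malformed element never yields an entry
     * with a different scope than the one written in the document.
     *
     * <p>Callers must consult {@code issues} rather than rely on a present
     * result alone: when one permission field parses and the other is present
     * but malformed, the error is recorded and an entry for the valid field is
     * still returned.
     *
     * @param issues collector that receives validation errors
     * @return the parsed entry, or empty if the principal is invalid or the
     *         allow/deny choice is missing or ambiguous
     */
    @NotNull Optional<AccessControlList.Entry> toPolicy(@NotNull IssueCollection issues) {
      //
      // Parse principal ID. The parsers are tried in order and the first that
      // yields a value wins; a parser that throws IllegalArgumentException is
      // treated like one that returned empty.
      //
      var principalId = Optional
        .ofNullable(this.principal)
        .map(s -> {
          try {
            return Optional.<PrincipalId>empty()
              .or(() -> EndUserId.parse(s))
              .or(() -> GroupId.parse(s))
              .or(() -> ClassPrincipalSet.parse(s))
              .or(() -> CloudIdentityDirectoryPrincipalSet.parse(s))
              .orElse(null);
          }
          catch (IllegalArgumentException e) {
            return null;
          }
        });

      if (principalId.isEmpty()) {
        issues.error(
          Issue.Code.ACL_INVALID_PRINCIPAL,
          "The principal '%s' is invalid",
          this.principal);
      }

      //
      // Parse access masks. A field that is present but malformed is reported
      // here and results in an empty mask.
      //
      var allowedMask = Optional
        .ofNullable(this.allowedPermissions)
        .map(p -> {
          try {
            return PolicyPermission.toMask(PolicyPermission.parse(p));
          }
          catch (IllegalArgumentException e) {
            issues.error(
              Issue.Code.ACL_INVALID_PERMISSION,
              "The specified permissions are invalid: %s",
              e.getMessage());

            return null;
          }
        });

      var deniedMask = Optional
        .ofNullable(this.deniedPermissions)
        .map(p -> {
          try {
            return PolicyPermission.toMask(PolicyPermission.parse(p));
          }
          catch (IllegalArgumentException e) {
            issues.error(
              Issue.Code.ACL_INVALID_PERMISSION,
              "The specified permissions are invalid: %s",
              e.getMessage());

            return null;
          }
        });

      //
      // Check that exactly one of allow/deny was written in the document.
      // This is decided on the raw fields rather than the parsed masks so
      // that a malformed permission list, which was already reported above,
      // does not additionally trigger a misleading "must allow or deny" error,
      // and so that an element that specifies both is flagged even if one of
      // the two lists failed to parse.
      //
      if (this.allowedPermissions == null && this.deniedPermissions == null) {
        issues.error(
          Issue.Code.ACL_INVALID_PERMISSION,
          "The access control entry for '%s' must allow or deny access",
          principalId.orElse(null));
      }
      else if (this.allowedPermissions != null && this.deniedPermissions != null) {
        issues.error(
          Issue.Code.ACL_INVALID_PERMISSION,
          "The access control entry for '%s' can either allow or deny access, but not both",
          principalId.orElse(null));
      }

      //
      // Produce an entry only when the principal is valid and exactly one mask
      // parsed; the XOR keeps an element with two valid lists from turning
      // into an entry of either kind.
      //
      return NullaryOptional
        .ifTrue(principalId.isPresent() && (allowedMask.isPresent() ^ deniedMask.isPresent()))
        .map(() -> deniedMask.isPresent()
          ? new AccessControlList.DeniedEntry(principalId.get(), deniedMask.get())
          : new AccessControlList.AllowedEntry(principalId.get(), allowedMask.get()));
    }
  }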