in sources/src/main/java/com/google/solutions/jitaccess/catalog/policy/PolicyDocument.java [488:562]
/**
 * Serializable form of a JIT group, used when reading and writing the policy document.
 *
 * <p>When converting to a policy, a {@code null} {@code acl}, {@code constraints} or
 * {@code privileges} section is treated as empty rather than rejected; a {@code null}
 * {@code description} becomes the empty string.
 */
public record GroupElement(
  @JsonProperty("name") String name,
  @JsonProperty("description") String description,
  @JsonProperty("access") List<AccessControlEntryElement> acl,
  @JsonProperty("constraints") ConstraintsElement constraints,
  @JsonProperty("privileges") PrivilegesElement privileges
) {
  /**
   * Produce the serializable element for an existing policy.
   *
   * <p>Only privileges that are {@link IamRoleBinding}s are written out; privileges of
   * any other type are omitted from the {@code privileges} section.
   *
   * @param policy the policy to serialize
   * @return an element mirroring {@code policy}; {@code acl} is {@code null} when the
   *         policy carries no access control list
   */
  static GroupElement toYaml(@NotNull JitGroupPolicy policy) {
    var aclElements = policy
      .accessControlList()
      .map(list -> list
        .entries()
        .stream()
        .map(AccessControlEntryElement::toYaml)
        .toList())
      .orElse(null);

    var bindingElements = policy
      .privileges()
      .stream()
      .<IamRoleBinding>mapMulti((privilege, sink) -> {
        if (privilege instanceof IamRoleBinding binding) {
          sink.accept(binding);
        }
      })
      .map(IamRoleBindingElement::toYaml)
      .toList();

    return new GroupElement(
      policy.name(),
      policy.description(),
      aclElements,
      ConstraintsElement.toYaml(policy.constraints()),
      new PrivilegesElement(bindingElements));
  }

  /**
   * Validate this element and turn it into a {@link JitGroupPolicy}.
   *
   * <p>All nested sections are converted first so that every validation problem is
   * reported to {@code issues}, not just the first one. The result is empty if any ACL
   * entry, the constraints, or any IAM role binding failed to convert, or if building
   * the policy object itself throws (reported under {@code GROUP_INVALID}).
   *
   * @param issues collector for validation errors; its scope is set to this group's
   *               name (or a placeholder when the name is missing) before any error is
   *               recorded
   * @return the policy, or empty when this element is invalid
   */
  @NotNull Optional<JitGroupPolicy> toPolicy(@NotNull IssueCollection issues) {
    issues.setScope(Coalesce.nonEmpty(this.name, "Unnamed group"));

    // Conversion order is kept (ACL, constraints, bindings) so issues are reported
    // in the order the sections appear in the document.
    var convertedAces = Coalesce
      .emptyIfNull(this.acl)
      .stream()
      .map(entry -> entry.toPolicy(issues))
      .toList();

    var constraintsSection = this.constraints == null
      ? ConstraintsElement.EMPTY
      : this.constraints;
    var convertedConstraints = constraintsSection.toPolicy(issues);

    var convertedBindings = Optional
      .ofNullable(this.privileges)
      .flatMap(section -> Optional.ofNullable(section.iamRoleBindings()))
      .stream()
      .flatMap(bindings -> bindings.stream())
      .map(binding -> binding.toPolicy(issues))
      .toList();

    var everythingConverted = convertedConstraints.isPresent()
      && convertedAces.stream().allMatch(Optional::isPresent)
      && convertedBindings.stream().allMatch(Optional::isPresent);

    return NullaryOptional
      .ifTrue(everythingConverted)
      .map(() -> {
        try {
          var entries = convertedAces
            .stream()
            .map(Optional::get)
            .toList();
          var privileges = convertedBindings
            .stream()
            .map(Optional::get)
            .map(binding -> (Privilege) binding)
            .toList();

          return new JitGroupPolicy(
            this.name,
            Strings.nullToEmpty(this.description),
            new AccessControlList(entries),
            convertedConstraints.get(),
            privileges);
        }
        catch (Exception e) {
          // A failure while constructing the policy is surfaced as one
          // group-level issue instead of propagating to the caller.
          issues.error(
            Issue.Code.GROUP_INVALID,
            "The group configuration is invalid: %s",
            e.getMessage());
          return null;
        }
      });
  }
}