in sources/src/main/java/com/google/solutions/jitaccess/catalog/policy/PolicyDocument.java [664:718]
public record ConstraintsElement(
@JsonProperty("join") List<ConstraintElement> join,
@JsonProperty("approve") List<ConstraintElement> approve
) {
private static final ConstraintsElement EMPTY = new ConstraintsElement(null, null);
static @Nullable ConstraintsElement toYaml(@NotNull Map<Policy.ConstraintClass, Collection<Constraint>> constraints) {
return constraints.isEmpty() ? null : new ConstraintsElement(
Coalesce.emptyIfNull(constraints.get(Policy.ConstraintClass.JOIN))
.stream()
.map(ConstraintElement::toYaml)
.toList(),
Coalesce.emptyIfNull(constraints.get(Policy.ConstraintClass.APPROVE))
.stream()
.map(ConstraintElement::toYaml)
.toList());
}
@NotNull Optional<Map<Policy.ConstraintClass, Collection<Constraint>>> toPolicy(@NotNull IssueCollection issues) {
var join = Coalesce.emptyIfNull(this.join)
.stream()
.map(e -> e.toPolicy(issues))
.toList();
var approve = Coalesce.emptyIfNull(this.approve)
.stream()
.map(e -> e.toPolicy(issues))
.toList();
//
// Check for redundant expiry constraints.
//
if (join.stream()
.filter(Optional::isPresent)
.filter(c -> c.get() instanceof ExpiryConstraint)
.count() > 1) {
issues.error(Issue.Code.CONSTRAINT_INVALID_EXPIRY, "More than one expiry constraints found");
return Optional.empty();
}
if (approve.stream()
.filter(Optional::isPresent)
.anyMatch(c -> c.get() instanceof ExpiryConstraint)) {
issues.error(Issue.Code.CONSTRAINT_INVALID_EXPIRY, "Expiry constraints can only be used as join-constraint");
return Optional.empty();
}
return NullaryOptional
.ifTrue(
join.stream().allMatch(Optional::isPresent) &&
approve.stream().allMatch(Optional::isPresent))
.map(() -> Map.of(
Policy.ConstraintClass.JOIN, join.stream().map(Optional::get).toList(),
Policy.ConstraintClass.APPROVE, approve.stream().map(Optional::get).toList()));
}
}