/**
 * Builds the exception used to reject a request with {@code 403 Forbidden}.
 *
 * <p>{@code message} is surfaced verbatim as the reason phrase of the status, so callers
 * should pass a short, user-presentable denial reason.
 *
 * @param message denial reason that becomes the HTTP reason phrase
 * @return a {@link ResponseException} carrying the FORBIDDEN response
 */
private ResponseException denialResponseException(String message) {
  final Response<?> forbidden = Response.forStatus(FORBIDDEN.withReasonPhrase(message));
  return new ResponseException(forbidden);
}
return checkServiceAccountUsageAuthorization(serviceAccount, principalEmail); } catch (ResponseException e) { return ServiceAccountUsageAuthorizationResult.ofErrorResponse(e.getResponse()); result.errorResponse().ifPresent(e -> { throw new ResponseException(e); });
if (t != null) { if (t instanceof ResponseException) { response = ((ResponseException) t).getResponse(); } else { response = Response.forStatus(INTERNAL_SERVER_ERROR }); } catch (ResponseException e) { return completedFuture(e.<T>getResponse() .withHeader(X_REQUEST_ID, requestId)); } catch (Throwable t) {
/**
 * Looks up whether {@code principalEmail} is granted {@code serviceAccountUserRole} on the
 * project {@code projectId} through the project's IAM policy.
 *
 * <p>Only the role of each binding is inspected; every member of a binding whose role matches is
 * handed to {@link #memberStatus}. Any other attribute a binding may carry is not consulted here
 * — NOTE(review): confirm that this is the intended grant semantics.
 *
 * @param projectId the project whose IAM policy is read
 * @param principalEmail the principal to look for among the role's members
 * @return the result of {@link #memberStatus} for the collected members
 * @throws ResponseException with {@code 400 Bad Request} when no policy exists for the project;
 *     the project id is echoed in the reason phrase
 */
private Optional<String> projectPolicyAccess(String projectId, String principalEmail) {
  final Optional<com.google.api.services.cloudresourcemanager.model.Policy> policyOpt =
      getProjectPolicy(projectId);
  if (!policyOpt.isPresent()) {
    // A missing policy is reported to the client as a bad request naming the project.
    throw new ResponseException(Response.forStatus(
        BAD_REQUEST.withReasonPhrase("Project does not exist: " + projectId)));
  }
  final List<String> roleMembers = emptyListIfNull(policyOpt.get().getBindings()).stream()
      .filter(b -> serviceAccountUserRole.equals(b.getRole()))
      .map(b -> emptyListIfNull(b.getMembers()))
      .flatMap(List::stream)
      .collect(toList());
  return memberStatus(principalEmail, roleMembers);
}
/**
 * Authorizes {@code ac} to act on the workflow identified by {@code workflowId}.
 *
 * <p>Resolves the workflow from storage and delegates to
 * {@link #authorizeWorkflowAction(AuthContext, Workflow)}.
 *
 * @param ac the authentication context of the caller
 * @param workflowId the workflow the caller wants to act on
 * @throws ResponseException with {@code 404 Not Found} when the workflow is unknown
 * @throws RuntimeException wrapping the {@link IOException} when the storage lookup fails
 */
public void authorizeWorkflowAction(AuthContext ac, WorkflowId workflowId) {
  final Optional<Workflow> lookup;
  try {
    lookup = storage.workflow(workflowId);
  } catch (IOException e) {
    throw new RuntimeException(e);
  }
  if (!lookup.isPresent()) {
    throw new ResponseException(
        Response.forStatus(Status.NOT_FOUND.withReasonPhrase("workflow not found")));
  }
  authorizeWorkflowAction(ac, lookup.get());
}
/**
 * Looks up whether {@code principalEmail} is granted {@code serviceAccountUserRole} on the
 * service account {@code serviceAccount} through the account's IAM policy.
 *
 * <p>Only the role of each binding is inspected; every member of a binding whose role matches is
 * handed to {@link #memberStatus}. Any other attribute a binding may carry is not consulted here
 * — NOTE(review): confirm that this is the intended grant semantics.
 *
 * @param serviceAccount the service account whose IAM policy is read
 * @param principalEmail the principal to look for among the role's members
 * @return the result of {@link #memberStatus} for the collected members
 * @throws ResponseException with {@code 400 Bad Request} when no policy exists for the account;
 *     the service account identifier is echoed in the reason phrase
 */
private Optional<String> serviceAccountPolicyAccess(String serviceAccount, String principalEmail) {
  final Optional<com.google.api.services.iam.v1.model.Policy> policyOpt =
      getServiceAccountPolicy(serviceAccount);
  if (!policyOpt.isPresent()) {
    // A missing policy is reported to the client as a bad request naming the account.
    throw new ResponseException(Response.forStatus(
        BAD_REQUEST.withReasonPhrase("Service account does not exist: " + serviceAccount)));
  }
  final List<String> roleMembers = emptyListIfNull(policyOpt.get().getBindings()).stream()
      .filter(b -> serviceAccountUserRole.equals(b.getRole()))
      .map(b -> emptyListIfNull(b.getMembers()))
      .flatMap(List::stream)
      .collect(toList());
  return memberStatus(principalEmail, roleMembers);
}
throw new ResponseException(Response.forStatus(Status.BAD_REQUEST .withReasonPhrase("Authorization token must be of type Bearer"))); googleIdToken = authenticator.authenticate(authHeader.substring(BEARER_PREFIX.length())); } catch (IllegalArgumentException e) { throw new ResponseException(Response.forStatus(Status.BAD_REQUEST .withReasonPhrase("Failed to parse Authorization token")), e); throw new ResponseException(Response.forStatus(Status.UNAUTHORIZED .withReasonPhrase("Authorization token is invalid")));
/**
 * Resolves the project that owns the service account {@code email} by querying the IAM API.
 *
 * <p>The email is embedded verbatim into the resource name
 * {@code projects/-/serviceAccounts/<email>} sent to the API — NOTE(review): presumably the
 * caller has already validated it as a service account email; confirm.
 *
 * @param email the service account email to look up
 * @return the project id IAM reports for that service account
 * @throws ResponseException with {@code 400 Bad Request} when IAM answers 404 for the account;
 *     the email is echoed in the reason phrase
 * @throws RuntimeException wrapping any other {@link ExecutionException}, or a
 *     {@link RetryException} raised by the retry helper
 */
private String lookupServiceAccountProjectId(String email) {
  final String resourceName = "projects/-/serviceAccounts/" + email;
  try {
    return retry(() -> iam.projects().serviceAccounts().get(resourceName).execute())
        .getProjectId();
  } catch (ExecutionException e) {
    final Throwable cause = e.getCause();
    // Only an IAM 404 is translated into a client-facing error; anything else is unexpected.
    final boolean accountMissing = cause instanceof GoogleJsonResponseException
        && ((GoogleJsonResponseException) cause).getStatusCode() == 404;
    if (!accountMissing) {
      throw new RuntimeException(e);
    }
    log.debug("Service account {} doesn't exist", email, e);
    throw new ResponseException(Response.forStatus(
        BAD_REQUEST.withReasonPhrase("Service account does not exist: " + email)));
  } catch (RetryException e) {
    throw new RuntimeException(e);
  }
}
try { workflow = storage.workflow(workflowId) .orElseThrow(() -> new ResponseException( Response.forStatus(Status.NOT_FOUND.withReasonPhrase("workflow not found")))); } catch (IOException e) {
/**
 * Runs the service account usage authorization check for the request's service account and
 * principal and reports the outcome as a payload.
 *
 * <p>If the authorizer produced an error response, that response is propagated as-is by throwing
 * a {@link ResponseException}; otherwise the verdict, the identifiers from the request and the
 * authorizer's message are echoed back to the caller.
 *
 * @param request the service account and principal to test
 * @return a response whose payload describes the authorization outcome
 * @throws ResponseException carrying the authorizer's error response when one is present
 */
private Response<TestServiceAccountUsageAuthorizationResponse> testServiceAccountUsageAuthorization(
    TestServiceAccountUsageAuthorizationRequest request) {
  final ServiceAccountUsageAuthorizationResult verdict =
      accountUsageAuthorizer.checkServiceAccountUsageAuthorization(
          request.serviceAccount(), request.principal());
  // An error response from the authorizer short-circuits the endpoint with that response.
  verdict.errorResponse().ifPresent(error -> {
    throw new ResponseException(error);
  });
  final TestServiceAccountUsageAuthorizationResponse payload =
      new TestServiceAccountUsageAuthorizationResponseBuilder()
          .serviceAccount(request.serviceAccount())
          .principal(request.principal())
          .authorized(verdict.authorized())
          .message(verdict.message())
          .build();
  return Response.forPayload(payload);
}