return checkServiceAccountUsageAuthorization(serviceAccount, principalEmail); } catch (ResponseException e) { return ServiceAccountUsageAuthorizationResult.ofErrorResponse(e.getResponse()); result.errorResponse().ifPresent(e -> { throw new ResponseException(e); }); if (result.authorized()) { logAuthorization(workflowId, serviceAccount, enforce, result.message().orElse(""), cached.get()); return; throw denialResponseException(result.message().orElse(""));
/**
 * Decides whether {@code principalEmail} is allowed to use {@code serviceAccount}.
 *
 * <p>Three grants are consulted through {@code firstPresent}, in this order: administrator
 * membership, the service account user role on the project that owns the service account, and
 * that same role on the service account itself. The first grant that yields a value supplies the
 * result message (presumably the remaining suppliers are then not invoked — confirm against
 * {@code firstPresent}). When no grant matches, the result is unauthorized and carries the
 * denial message built by {@code denialMessage}.
 *
 * <p>The messages embed the principal email, the project id and the service account name, so
 * they identify who was checked against what; no credential material is included.
 *
 * @param serviceAccount email of the service account whose usage is being checked
 * @param principalEmail email of the principal that wants to use the service account
 * @return result holding the derived project id, the authorized flag and the explanatory
 *     message; this method never populates {@code errorResponse}
 */
@Override
public ServiceAccountUsageAuthorizationResult checkServiceAccountUsageAuthorization(String serviceAccount, String principalEmail) {
  final String saProjectId = serviceAccountProjectId(serviceAccount);

  // Each supplier describes one way the principal may have been granted access; the message of
  // the first one that is present is the justification recorded in the result.
  final Optional<String> grant = firstPresent(
      // 1. explicit administrator membership
      () -> memberStatus(principalEmail, administrators)
          .map(status -> String.format("Principal %s is an admin %s", principalEmail, status)),
      // 2. service account user role on the owning project
      () -> projectPolicyAccess(saProjectId, principalEmail)
          .map(type -> String.format("Principal %s has role %s in project %s %s", principalEmail, serviceAccountUserRole, saProjectId, type)),
      // 3. service account user role on the service account itself
      () -> serviceAccountPolicyAccess(serviceAccount, principalEmail)
          .map(type -> String.format("Principal %s has role %s on service account %s %s", principalEmail, serviceAccountUserRole, serviceAccount, type)));

  final boolean authorized = grant.isPresent();
  // The denial message is only computed when no grant was found.
  final String message = grant.orElseGet(() -> denialMessage(serviceAccount, principalEmail, saProjectId));

  return ServiceAccountUsageAuthorizationResult.builder()
      .serviceAccountProjectId(saProjectId)
      .authorized(authorized)
      .message(message)
      .build();
}
/**
 * Evaluates a service account usage authorization check for the request's principal and reports
 * the outcome, without performing any enforcement.
 *
 * <p>If the authorizer returned an error response it is propagated unchanged by throwing a
 * {@code ResponseException}; otherwise the authorized flag and message from the result are
 * echoed back together with the service account and principal taken from the request.
 *
 * @param request the service account / principal pair to evaluate
 * @return a payload response describing the authorization outcome
 * @throws ResponseException when the authorizer produced an error response
 */
private Response<TestServiceAccountUsageAuthorizationResponse> testServiceAccountUsageAuthorization(
    TestServiceAccountUsageAuthorizationRequest request) {
  final String serviceAccount = request.serviceAccount();
  final String principal = request.principal();

  final ServiceAccountUsageAuthorizationResult result =
      accountUsageAuthorizer.checkServiceAccountUsageAuthorization(serviceAccount, principal);

  // An error from the authorizer is surfaced to the client as that error response, not as a
  // "not authorized" answer.
  result.errorResponse().ifPresent(errorResponse -> {
    throw new ResponseException(errorResponse);
  });

  final TestServiceAccountUsageAuthorizationResponse payload =
      new TestServiceAccountUsageAuthorizationResponseBuilder()
          .authorized(result.authorized())
          .serviceAccount(serviceAccount)
          .principal(principal)
          .message(result.message())
          .build();
  return Response.forPayload(payload);
}
/**
 * Creates a result that carries only an error response from the authorization check.
 *
 * <p>Only {@code errorResponse} is set; the other fields keep the builder's defaults
 * (presumably {@code authorized} is false — confirm against the builder). Callers that
 * consult {@code errorResponse()} first will therefore not mistake this for a decision.
 *
 * @param response the error response to propagate
 * @return a result whose {@code errorResponse} is {@code response}
 */
static ServiceAccountUsageAuthorizationResult ofErrorResponse(Response<?> response) {
  final ServiceAccountUsageAuthorizationResult errorResult = ServiceAccountUsageAuthorizationResult.builder()
      .errorResponse(response)
      .build();
  return errorResult;
} }
/**
 * Reports every principal as authorized for every service account.
 *
 * <p>Both arguments are ignored and no membership or IAM lookup is made; the result carries
 * {@code authorized == true} and nothing else. This is the permissive implementation, so it
 * must only be wired in where service account usage authorization is intentionally not
 * enforced (presumably a disabled/no-op mode — confirm at the wiring site).
 *
 * @param serviceAccount ignored
 * @param principal ignored
 * @return a result with {@code authorized} set to {@code true}
 */
@Override
public ServiceAccountUsageAuthorizationResult checkServiceAccountUsageAuthorization(
    String serviceAccount, String principal) {
  // Unconditional allow: no check is performed on either argument.
  final ServiceAccountUsageAuthorizationResult allowed = ServiceAccountUsageAuthorizationResult.builder()
      .authorized(true)
      .build();
  return allowed;
} }