b/317922302 Enable usage without SCC subscription (#239)

Add alternate catalog implementation that uses `effectiveIamPolicies.batchGet` instead of `analyzeIamPolicy` to analyze role bindings. This implementation won't be subject to the upcoming pricing changes [1] for the Policy Analyzer API and can be used without an SCC subscription. Using this catalog requires the following configuration options: ``` RESOURCE_CATALOG: AssetInventory # <-- enables the Asset Inventory API-based implementation RESOURCE_CUSTOMER_ID: C00xxxxx # <-- Cloud Identity/Workspace customer ID ``` Unless these configuration options are present, the application uses the Policy Analyzer API as before. The Asset Inventory API-based implementation is subject to the following limitations: 1. It only considers direct group memberships when analyzing role bindings. Indirect group memberships are ignored. 2. The auto-completer returns all projects managed by the application, not only those accessible by the user (same behavior as when using the `AVAILABLE_PROJECTS_QUERY` options). [1] https://cloud.google.com/policy-intelligence/docs/billing-questions#pricing-changes
GoogleCloudPlatform · Jan 4, 2024 · 7fa3f24 · 7fa3f24
1 parent 1babf82
commit 7fa3f24
Show file tree

Hide file tree

Showing 39 changed files with 1,514 additions and 112 deletions.
diff --git a/sources/src/main/java/com/google/solutions/jitaccess/core/QuotaExceededException.java b/sources/src/main/java/com/google/solutions/jitaccess/core/QuotaExceededException.java
@@ -0,0 +1,28 @@
+//
+// Copyright 2023 Google LLC
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+
+package com.google.solutions.jitaccess.core;
+
+public class QuotaExceededException extends AccessException {
+  public QuotaExceededException(String message, Exception inner) {
+    super(message, inner);
+  }
+}
diff --git a/sources/src/main/java/com/google/solutions/jitaccess/core/ThrowingCompletableFuture.java b/sources/src/main/java/com/google/solutions/jitaccess/core/ThrowingCompletableFuture.java
@@ -0,0 +1,55 @@
+//
+// Copyright 2024 Google LLC
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+
+package com.google.solutions.jitaccess.core;
+
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.Executor;
+
+/**
+ * Completable future for a supplier that can throw a checked exception.
+ */
+public class ThrowingCompletableFuture {
+  /**
+   * Function that can throw a checked exception.
+   */
+  @FunctionalInterface
+  public interface ThrowingSupplier<T> {
+    T supply() throws Exception;
+  }
+
+  public static <T> CompletableFuture<T> submit(
+    ThrowingSupplier<T> supplier,
+    Executor executor
+  ) {
+    var future = new CompletableFuture<T>();
+    executor.execute(() -> {
+      try {
+        future.complete(supplier.supply());
+      }
+      catch (Exception e) {
+        future.completeExceptionally(e);
+      }
+    });
+
+    return future;
+  }
+}
diff --git a/sources/src/main/java/com/google/solutions/jitaccess/core/catalog/EntitlementSet.java b/sources/src/main/java/com/google/solutions/jitaccess/core/catalog/EntitlementSet.java
@@ -23,7 +23,6 @@
 
 import com.google.common.base.Preconditions;
 
-import java.util.List;
 import java.util.Set;
 import java.util.SortedSet;
 import java.util.TreeSet;

diff --git a/...s/src/main/java/com/google/solutions/jitaccess/core/catalog/RegexJustificationPolicy.java b/...s/src/main/java/com/google/solutions/jitaccess/core/catalog/RegexJustificationPolicy.java
@@ -24,7 +24,6 @@
 import com.google.common.base.Preconditions;
 import com.google.common.base.Strings;
 import com.google.solutions.jitaccess.core.UserId;
-import jakarta.enterprise.context.ApplicationScoped;
 import jakarta.inject.Singleton;
 
 import java.util.regex.Pattern;

diff --git a/sources/src/main/java/com/google/solutions/jitaccess/core/catalog/TokenSigner.java b/sources/src/main/java/com/google/solutions/jitaccess/core/catalog/TokenSigner.java
@@ -26,7 +26,6 @@
 import com.google.solutions.jitaccess.core.AccessException;
 import com.google.solutions.jitaccess.core.UserId;
 import com.google.solutions.jitaccess.core.clients.IamCredentialsClient;
-import jakarta.enterprise.context.ApplicationScoped;
 import jakarta.inject.Singleton;
 
 import java.io.IOException;