AVAILABLE_PROJECTS_QUERY option implementation

.gitignore

@@ -45,3 +45,4 @@ test.properties
 runConfigurations/
 .metals
 .vscode
+.idea/

sources/src/main/java/com/google/solutions/jitaccess/core/adapters/ResourceManagerAdapter.java

@@ -34,10 +34,7 @@
 import jakarta.enterprise.context.ApplicationScoped;
 import java.io.IOException;
 import java.security.GeneralSecurityException;
-import java.util.EnumSet;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Objects;
+import java.util.*;
 import java.util.function.Predicate;
 import java.util.stream.Collectors;
 
@@ -50,6 +47,8 @@ public class ResourceManagerAdapter {
   public static final String OAUTH_SCOPE = "https://www.googleapis.com/auth/cloud-platform";
   private static final int MAX_SET_IAM_POLICY_ATTEMPTS = 4;
 
+  private static final int SEARCH_PROJECTS_PAGE_SIZE = 1000;
+
   private final GoogleCredentials credentials;
 
   private CloudResourceManager createClient() throws IOException
@@ -248,6 +247,53 @@ public List<String> testIamPermissions(
     }
   }
 
+  public List<ProjectId> searchProjectIds(String query) throws NotAuthenticatedException, IOException {
+    try {
+      var client = createClient();
+
+      var response = client
+              .projects()
+              .search()
+              .setQuery(query)
+              .setPageSize(SEARCH_PROJECTS_PAGE_SIZE)
+              .execute();
+
+      ArrayList<Project> allProjects = new ArrayList<>();
+      if(response.getProjects() != null) {
+        allProjects.addAll(response.getProjects());
+      }
+
+      while(response.getNextPageToken() != null
+              && !response.getNextPageToken().isEmpty()
+              && response.getProjects() !=null
+              && response.getProjects().size() >= SEARCH_PROJECTS_PAGE_SIZE) {
+        response = client
+          .projects()
+          .search()
+          .setQuery(query)
+          .setPageToken(response.getNextPageToken())
+          .setPageSize(SEARCH_PROJECTS_PAGE_SIZE)
+          .execute();
+
+        if(response.getProjects() != null) {
+          allProjects.addAll(response.getProjects());
+        }
+      }
+
+      return allProjects.stream()
+        .map(p -> new ProjectId(p.getProjectId()))
+        .collect(Collectors.toList());
+    }
+    catch (GoogleJsonResponseException e) {
+      switch (e.getStatusCode()) {
+        case 401:
+          throw new NotAuthenticatedException("Not authenticated", e);
+        default:
+          throw (GoogleJsonResponseException) e.fillInStackTrace();
+      }
+    }
+  }
+
   //---------------------------------------------------------------------
   // Inner classes.
   //---------------------------------------------------------------------

sources/src/main/java/com/google/solutions/jitaccess/core/services/RoleDiscoveryService.java

@@ -27,6 +27,7 @@
 import com.google.solutions.jitaccess.core.AccessDeniedException;
 import com.google.solutions.jitaccess.core.AccessException;
 import com.google.solutions.jitaccess.core.adapters.AssetInventoryAdapter;
+import com.google.solutions.jitaccess.core.adapters.ResourceManagerAdapter;
 import com.google.solutions.jitaccess.core.data.ProjectId;
 import com.google.solutions.jitaccess.core.data.ProjectRole;
 import com.google.solutions.jitaccess.core.data.RoleBinding;
@@ -46,15 +47,20 @@
 public class RoleDiscoveryService {
   private final AssetInventoryAdapter assetInventoryAdapter;
 
+  private final ResourceManagerAdapter resourceManagerAdapter;
+
   private final Options options;
 
   public RoleDiscoveryService(
     AssetInventoryAdapter assetInventoryAdapter,
+    ResourceManagerAdapter resourceManagerAdapter,
     Options configuration) {
     Preconditions.checkNotNull(assetInventoryAdapter, "assetInventoryAdapter");
+    Preconditions.checkNotNull(resourceManagerAdapter, "resourceManagerAdapter");
     Preconditions.checkNotNull(configuration, "configuration");
 
     this.assetInventoryAdapter = assetInventoryAdapter;
+    this.resourceManagerAdapter = resourceManagerAdapter;
     this.options = configuration;
   }
 
@@ -108,44 +114,52 @@ public Options getOptions() {
   public Set<ProjectId> listAvailableProjects(
     UserId user
   ) throws AccessException, IOException {
-    //
-    // NB. To reliably find projects, we have to let the Asset API consider
-    // inherited role bindings by using the "expand resources" flag. This
-    // flag causes the API to return *all* resources for which an IAM binding
-    // applies.
-    //
-    // The risk here is that the list of resources grows so large that we're hitting
-    // the limits of the API, in which case it starts truncating results. To
-    // mitigate this risk, filter on a permission that:
-    //
-    // - only applies to projects, and has no meaning on descendent resources
-    // - represents the lowest level of access to a project.
-    //
-    var analysisResult = this.assetInventoryAdapter.findAccessibleResourcesByUser(
-      this.options.scope,
-      user,
-      Optional.of("resourcemanager.projects.get"),
-      Optional.empty(),
-      true);
-
-    //
-    // Consider permanent and eligible bindings.
-    //
-    var roleBindings = findRoleBindings(
-      analysisResult,
-      condition -> condition == null ||
-        JitConstraints.isJitAccessConstraint(condition) ||
-        JitConstraints.isMultiPartyApprovalConstraint(condition),
-      evalResult -> evalResult == null ||
-        "TRUE".equalsIgnoreCase(evalResult) ||
-        "CONDITIONAL".equalsIgnoreCase(evalResult));
-
-    return roleBindings
-      .stream()
-      .map(b -> ProjectId.fromFullResourceName(b.fullResourceName))
-      .collect(Collectors.toSet());
+    if(this.options.availableProjectsQuery == null) {
+      //
+      // NB. To reliably find projects, we have to let the Asset API consider
+      // inherited role bindings by using the "expand resources" flag. This
+      // flag causes the API to return *all* resources for which an IAM binding
+      // applies.
+      //
+      // The risk here is that the list of resources grows so large that we're hitting
+      // the limits of the API, in which case it starts truncating results. To
+      // mitigate this risk, filter on a permission that:
+      //
+      // - only applies to projects, and has no meaning on descendent resources
+      // - represents the lowest level of access to a project.
+      //
+      var analysisResult = this.assetInventoryAdapter.findAccessibleResourcesByUser(
+        this.options.scope,
+        user,
+        Optional.of("resourcemanager.projects.get"),
+        Optional.empty(),
+        true);
+
+      //
+      // Consider permanent and eligible bindings.
+      //
+      var roleBindings = findRoleBindings(
+        analysisResult,
+        condition -> condition == null ||
+          JitConstraints.isJitAccessConstraint(condition) ||
+          JitConstraints.isMultiPartyApprovalConstraint(condition),
+        evalResult -> evalResult == null ||
+          "TRUE".equalsIgnoreCase(evalResult) ||
+          "CONDITIONAL".equalsIgnoreCase(evalResult));
+
+      return roleBindings
+        .stream()
+        .map(b -> ProjectId.fromFullResourceName(b.fullResourceName))
+        .collect(Collectors.toSet());
+      }
+    else {
+      // Used as alternative option if availableProjectsQuery is set and the main approach with Asset API is not working fast enough.
+      return new HashSet<>(resourceManagerAdapter.searchProjectIds(this.options.availableProjectsQuery));
+    }
   }
 
+
+
   /**
    * List eligible role bindings for the given user.
    */
@@ -352,11 +366,24 @@ public static class Options {
      */
     public final String scope;
 
+    /**
+     * In some cases listing all available projects is not working fast enough and times out,
+     * so this method is available as alternative.
+     * The format is the same as Google Resource Manager API requires for the query parameter, for example:
+     * - parent:folders/{folder_id}
+     * - parent:organizations/{organization_id}
+     * (https://cloud.google.com/resource-manager/reference/rest/v3/projects/search#query-parameters)
+     */
+    public final String availableProjectsQuery;
+
     /**
      * Search inherited IAM policies
      */
-    public Options(String scope) {
+    public Options(String scope, String availableProjectsQuery) {
       this.scope = scope;
+      this.availableProjectsQuery = availableProjectsQuery;
     }
+
+
   }
 }

sources/src/main/java/com/google/solutions/jitaccess/web/RuntimeConfiguration.java

@@ -68,6 +68,9 @@ public RuntimeConfiguration(Function<String, String> readSetting) {
     this.maxNumberOfJitRolesPerSelfApproval = new IntSetting(
       List.of("ACTIVATION_REQUEST_MAX_ROLES"),
       10);
+    this.availableProjectsQuery = new StringSetting(
+      List.of("AVAILABLE_PROJECTS_QUERY"),
+      null);
 
     //
     // Backend service id (Cloud Run only).
@@ -197,6 +200,15 @@ public RuntimeConfiguration(Function<String, String> readSetting) {
    */
   public final IntSetting maxNumberOfJitRolesPerSelfApproval;
 
+  /**
+   * In some cases listing all available projects is not working fast enough and times out,
+   * so this method is available as alternative.
+   * The format is the same as Google Resource Manager API requires for the query parameter, for example:
+   * - parent:folders/{folder_id}
+   * - parent:organizations/{organization_id}
+   */
+  public final StringSetting availableProjectsQuery;
+
   public boolean isSmtpConfigured() {
     var requiredSettings = List.of(smtpHost, smtpPort, smtpSenderName, smtpSenderAddress);
     return requiredSettings.stream().allMatch(s -> s.isValid());

sources/src/main/java/com/google/solutions/jitaccess/web/RuntimeEnvironment.java

@@ -260,7 +260,11 @@ public GoogleCredentials getApplicationCredentials() {
 
   @Produces
   public RoleDiscoveryService.Options getRoleDiscoveryServiceOptions() {
-    return new RoleDiscoveryService.Options(this.configuration.scope.getValue());
+    return new RoleDiscoveryService.Options(
+            this.configuration.scope.getValue(),
+            this.configuration.availableProjectsQuery.isValid() ?
+                this.configuration.availableProjectsQuery.getValue() : null
+    );
   }
 
   @Produces