Examples with Binding com.google.api.services.cloudresourcemanager.v3.model.Binding used on opensource projects

Example 6 with Binding

use of com.google.api.services.cloudresourcemanager.v3.model.Binding in project java-docs-samples by GoogleCloudPlatform.

the class Snippets method removeMemberFromKeyRingPolicy.

// [END kms_remove_member_from_cryptokey_policy]
// [START kms_remove_member_from_keyring_policy]
/**
 * Removes the given member from the given policy.
 */
public static Policy removeMemberFromKeyRingPolicy(String projectId, String locationId, String keyRingId, String member, String role) throws IOException {
    // Create the Cloud KMS client.
    CloudKMS kms = createAuthorizedClient();
    // The resource name of the cryptoKey
    String cryptoKey = String.format("projects/%s/locations/%s/keyRings/%s", projectId, locationId, keyRingId);
    // Get the current IAM policy and add the new account to it.
    Policy iamPolicy = getKeyRingPolicy(projectId, locationId, keyRingId);
    // Filter out the given member
    for (Binding b : iamPolicy.getBindings()) {
        if (role.equals(b.getRole()) && b.getMembers().contains(member)) {
            b.getMembers().remove(member);
            break;
        }
    }
    // Set the new IAM Policy.
    Policy newIamPolicy = kms.projects().locations().keyRings().setIamPolicy(cryptoKey, new SetIamPolicyRequest().setPolicy(iamPolicy)).execute();
    System.out.println("Response: " + newIamPolicy);
    return newIamPolicy;
}

Example 7 with Binding

use of com.google.api.services.cloudresourcemanager.v3.model.Binding in project terra-workspace-manager by DataBiosphere.

the class NotebookCloudSyncStep method doStep.

@Override
public StepResult doStep(FlightContext flightContext) throws InterruptedException, RetryException {
    FlightMap workingMap = flightContext.getWorkingMap();
    FlightUtils.validateRequiredEntries(workingMap, ControlledResourceKeys.GCP_CLOUD_CONTEXT);
    GcpCloudContext cloudContext = workingMap.get(ControlledResourceKeys.GCP_CLOUD_CONTEXT, GcpCloudContext.class);
    List<Binding> newBindings = createBindings(cloudContext, flightContext.getWorkingMap());
    AIPlatformNotebooksCow notebooks = crlService.getAIPlatformNotebooksCow();
    InstanceName instanceName = resource.toInstanceName(cloudContext.getGcpProjectId());
    try {
        Policy policy = notebooks.instances().getIamPolicy(instanceName).execute();
        // Duplicating bindings is harmless (e.g. on retry). GCP de-duplicates.
        Optional.ofNullable(policy.getBindings()).ifPresent(newBindings::addAll);
        policy.setBindings(newBindings);
        notebooks.instances().setIamPolicy(instanceName, new SetIamPolicyRequest().setPolicy(policy)).execute();
    } catch (IOException e) {
        return new StepResult(StepStatus.STEP_RESULT_FAILURE_RETRY, e);
    }
    return StepResult.getStepResultSuccess();
}

Example 8 with Binding

use of com.google.api.services.cloudresourcemanager.v3.model.Binding in project terra-workspace-manager by DataBiosphere.

the class PetSaService method enablePetServiceAccountImpersonationWithEtag.

/**
 * Grant a user's proxy group permission to impersonate their pet service account in a given
 * workspace. Unlike other operations, this does not run as a flight because it only requires one
 * write operation. If the user's pet SA does not exist, this will create it. This operation is
 * idempotent.
 *
 * <p>The provided workspace must have a GCP context.
 *
 * <p>This method does not authenticate that the user should have access to impersonate their pet
 * SA, callers should validate this first.
 *
 * <p>userToEnableEmail is separate from token because of RevokePetUsagePermissionStep.undoStep().
 * If User A removes B from workspace, userToEnableEmail is B and token is from A's userRequest.
 *
 * @param workspaceUuid ID of the workspace to enable pet SA in
 * @param userToEnableEmail The user whose proxy group will be granted permission.
 * @param userReq Auth info for calling SAM. Do not use userReq.getEmail() here; it will return
 *     the caller's email, but there's no guarantee whether that will be an end-user email or a
 *     pet SA email.
 * @param eTag GCP eTag which must match the pet SA's current policy. If null, this is ignored.
 * @return The new IAM policy on the user's pet service account, or empty if the eTag value
 *     provided is non-null and does not match current IAM policy on the pet SA.
 */
public Optional<Policy> enablePetServiceAccountImpersonationWithEtag(UUID workspaceUuid, String userToEnableEmail, AuthenticatedUserRequest userReq, @Nullable String eTag) {
    String projectId = gcpCloudContextService.getRequiredGcpProject(workspaceUuid);
    Optional<ServiceAccountName> maybePetSaName = getUserPetSa(projectId, userToEnableEmail, userReq);
    // If the pet SA does not exist and no eTag is specified, create the pet SA and continue.
    if (maybePetSaName.isEmpty()) {
        if (eTag == null) {
            String saEmail = SamRethrow.onInterrupted(() -> samService.getOrCreatePetSaEmail(gcpCloudContextService.getRequiredGcpProject(workspaceUuid), userReq.getRequiredToken()), "enablePet");
            maybePetSaName = Optional.of(ServiceAccountName.builder().projectId(projectId).email(saEmail).build());
        } else {
            // so return empty optional.
            return Optional.empty();
        }
    }
    // Pet name is populated above, so it's always safe to unwrap here.
    ServiceAccountName petSaName = maybePetSaName.get();
    String proxyGroupEmail = SamRethrow.onInterrupted(() -> samService.getProxyGroupEmail(userToEnableEmail, userReq.getRequiredToken()), "enablePet");
    String targetMember = "group:" + proxyGroupEmail;
    try {
        Policy saPolicy = crlService.getIamCow().projects().serviceAccounts().getIamPolicy(petSaName).execute();
        // clobbering other changes.
        if (eTag != null && !saPolicy.getEtag().equals(eTag)) {
            logger.warn("GCP IAM policy eTag did not match expected value when granting pet SA access for user {} in workspace {}. This is normal for Step retries.", userToEnableEmail, workspaceUuid);
            return Optional.empty();
        }
        // See if the user is already on the policy. If so, return the policy. This avoids
        // calls to set the IAM policy that have a rate limit.
        Optional<Binding> serviceAccountUserBinding = findServiceAccountUserBinding(saPolicy);
        if (serviceAccountUserBinding.isPresent() && serviceAccountUserBinding.get().getMembers().contains(targetMember)) {
            logger.info("user {} is already enabled on petSA {}", userToEnableEmail, petSaName.email());
            return Optional.of(saPolicy);
        } else if (serviceAccountUserBinding.isPresent()) {
            // If a binding exists for the ServiceAccountUser role but the proxy group is not a member,
            // add it.
            serviceAccountUserBinding.get().getMembers().add(targetMember);
        } else {
            // Otherwise, create the ServiceAccountUser role binding.
            Binding newBinding = new Binding().setRole(SERVICE_ACCOUNT_USER_ROLE).setMembers(ImmutableList.of(targetMember));
            // If no bindings exist, getBindings() returns null instead of an empty list.
            if (saPolicy.getBindings() != null) {
                saPolicy.getBindings().add(newBinding);
            } else {
                List<Binding> bindingList = new ArrayList<>();
                bindingList.add(newBinding);
                saPolicy.setBindings(bindingList);
            }
        }
        SetIamPolicyRequest request = new SetIamPolicyRequest().setPolicy(saPolicy);
        return Optional.of(crlService.getIamCow().projects().serviceAccounts().setIamPolicy(petSaName, request).execute());
    } catch (IOException e) {
        return handleProxyUpdateError(e, "enabling");
    }
}

Example 9 with Binding

use of com.google.api.services.cloudresourcemanager.v3.model.Binding in project terra-workspace-manager by DataBiosphere.

the class PetSaService method disablePetServiceAccountImpersonationWithEtag.

/**
 * Revoke the permission to impersonate a pet service account granted by {@code
 * enablePetServiceAccountImpersonation}. Unlike other operations, this does not run in a flight
 * because it only requires one write operation. This operation is idempotent.
 *
 * <p>This method requires a user's pet service account email as input. As a transitive
 * dependency, this also means the provided workspace must have a GCP context.
 *
 * <p>This method does not authenticate that the user should have access to impersonate their pet
 * SA, callers should validate this first.
 *
 * @param workspaceUuid ID of the workspace to disable pet SA in
 * @param userToDisableEmail The user losing access to pet SA
 * @param userRequest This request's token will be used to authenticate SAM requests
 * @param eTag GCP eTag which must match the pet SA's current policy. If null, this is ignored.
 */
public Optional<Policy> disablePetServiceAccountImpersonationWithEtag(UUID workspaceUuid, String userToDisableEmail, AuthenticatedUserRequest userRequest, @Nullable String eTag) {
    String proxyGroupEmail = SamRethrow.onInterrupted(() -> samService.getProxyGroupEmail(userToDisableEmail, userRequest.getRequiredToken()), "disablePet");
    String targetMember = "group:" + proxyGroupEmail;
    String projectId = gcpCloudContextService.getRequiredGcpProject(workspaceUuid);
    try {
        Optional<ServiceAccountName> userToDisablePetSA = getUserPetSa(projectId, userToDisableEmail, userRequest);
        if (userToDisablePetSA.isEmpty()) {
            return Optional.empty();
        }
        Policy saPolicy = crlService.getIamCow().projects().serviceAccounts().getIamPolicy(userToDisablePetSA.get()).execute();
        // clobbering other changes.
        if (eTag != null && !saPolicy.getEtag().equals(eTag)) {
            logger.warn("GCP IAM policy eTag did not match expected value when revoking pet SA access for user {} in workspace {}. This is normal for Step retries.", userToDisableEmail, workspaceUuid);
            return Optional.empty();
        }
        // If the member is already not on the policy, we are done
        // This handles the case where there are no bindings at all, so we don't
        // need to worry about null binding later in the logic.
        Optional<Binding> bindingToModify = findServiceAccountUserBinding(saPolicy);
        if (bindingToModify.isEmpty() || !bindingToModify.get().getMembers().contains(targetMember)) {
            return Optional.empty();
        }
        bindingToModify.get().getMembers().remove(targetMember);
        SetIamPolicyRequest request = new SetIamPolicyRequest().setPolicy(saPolicy);
        return Optional.of(crlService.getIamCow().projects().serviceAccounts().setIamPolicy(userToDisablePetSA.get(), request).execute());
    } catch (IOException e) {
        return handleProxyUpdateError(e, "disabling");
    }
}

Example 10 with Binding

use of com.google.api.services.cloudresourcemanager.v3.model.Binding in project java-docs-samples by GoogleCloudPlatform.

the class Hl7v2StoreSetIamPolicy method hl7v2StoreSetIamPolicy.

public static void hl7v2StoreSetIamPolicy(String hl7v2StoreName) throws IOException {
    // String hl7v2StoreName =
    // String.format(
    // HL7v2_NAME, "your-project-id", "your-region-id", "your-dataset-id", "your-hl7v2-id");
    // Initialize the client, which will be used to interact with the service.
    CloudHealthcare client = createClient();
    // Configure the IAMPolicy to apply to the store.
    // For more information on understanding IAM roles, see the following:
    // https://cloud.google.com/iam/docs/understanding-roles
    Binding binding = new Binding().setRole("roles/healthcare.hl7V2Consumer").setMembers(Arrays.asList("domain:google.com"));
    Policy policy = new Policy().setBindings(Arrays.asList(binding));
    SetIamPolicyRequest policyRequest = new SetIamPolicyRequest().setPolicy(policy);
    // Create request and configure any parameters.
    Hl7V2Stores.SetIamPolicy request = client.projects().locations().datasets().hl7V2Stores().setIamPolicy(hl7v2StoreName, policyRequest);
    // Execute the request and process the results.
    Policy updatedPolicy = request.execute();
    System.out.println("HL7v2 policy has been updated: " + updatedPolicy.toPrettyString());
}