com.google.api.services.cloudresourcemanager.CloudResourceManager Java Examples

The following examples show how to use com.google.api.services.cloudresourcemanager.CloudResourceManager. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: GCPProject.java    From policyscanner with Apache License 2.0 6 votes vote down vote up
/**
 * Return the Projects api object used for accessing the Cloud Resource Manager Projects API.
 * @return Projects api object used for accessing the Cloud Resource Manager Projects API
 * @throws GeneralSecurityException Thrown if there's a permissions error.
 * @throws IOException Thrown if there's an IO error initializing the API object.
 */
public static synchronized Projects getProjectsApiStub()
    throws GeneralSecurityException, IOException {
  // Lazily built and cached in projectApiStub; the method is synchronized, so the
  // check-then-build below cannot interleave between two callers.
  if (projectApiStub == null) {
    final JsonFactory json = JacksonFactory.getDefaultInstance();
    final HttpTransport httpTransport = GoogleNetHttpTransport.newTrustedTransport();

    // Application Default Credentials: resolved from the runtime environment, not from code.
    GoogleCredential adc = GoogleCredential.getApplicationDefault(httpTransport, json);
    if (adc.createScopedRequired()) {
      // NOTE(review): this requests every scope the Cloud Resource Manager API defines.
      // If the caller only reads projects and policies, a narrower scope set would follow
      // least privilege; confirm against the call sites before tightening.
      adc = adc.createScoped(CloudResourceManagerScopes.all());
    }

    projectApiStub =
        new CloudResourceManager.Builder(httpTransport, json, adc).build().projects();
  }
  return projectApiStub;
}
 
Example #2
Source File: LiveProjectSourceTest.java    From policyscanner with Apache License 2.0 6 votes vote down vote up
/**
 * Replaces the Projects API stub with Mockito mocks so the test never talks to the live API.
 */
@Before
public void setUp() throws IOException {
  // Mock the Projects API entry point and the list request it hands out.
  CloudResourceManager.Projects projectsObject = mock(CloudResourceManager.Projects.class);
  CloudResourceManager.Projects.List listProjects = mock(
      CloudResourceManager.Projects.List.class);
  // Install the mock through GCPProject's static setter before the source under test is built.
  GCPProject.setProjectsApiStub(projectsObject);

  listProjectsResponse = new ListProjectsResponse();
  source = new LiveProjectSource(ORG);

  // Every builder-style call on the list request returns the same mock, and execute()
  // yields the response object each test fills in.
  when(projectsObject.list()).thenReturn(listProjects);
  when(listProjects.setPageToken(null)).thenReturn(listProjects);
  when(listProjects.setPageToken(anyString())).thenReturn(listProjects);
  when(listProjects.setFilter(anyString())).thenReturn(listProjects);
  when(listProjects.execute()).thenReturn(this.listProjectsResponse);
}
 
Example #3
Source File: QuickstartV2.java    From java-docs-samples with Apache License 2.0 6 votes vote down vote up
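/**
 * Removes {@code member} from the binding for {@code role} in the project's IAM policy and
 * writes the policy back. A binding left without members is dropped from the policy.
 *
 * <p>If the policy cannot be read, or it has no binding for {@code role}, nothing is written.
 *
 * @param crmService Cloud Resource Manager client used for the read and the write
 * @param projectId project whose policy is edited
 * @param member member identifier to remove
 * @param role role whose binding is edited
 */
public static void removeMember(
    CloudResourceManager crmService, String projectId, String member, String role) {
  // Gets the project's policy. getPolicy returns null when the read failed.
  Policy policy = getPolicy(crmService, projectId);
  if (policy == null || policy.getBindings() == null) {
    System.out.println("No policy bindings to update for project: " + projectId);
    return;
  }

  // Finds the binding for the role.
  Binding binding = null;
  for (Binding candidate : policy.getBindings()) {
    if (role.equals(candidate.getRole())) {
      binding = candidate;
      break;
    }
  }
  if (binding == null || binding.getMembers() == null) {
    // No binding for this role: the member does not hold it through this policy, so there
    // is nothing to revoke. The original dereferenced null here.
    System.out.println("No binding for role: " + role);
    return;
  }

  // Removes the member from the role, dropping the binding once it is empty.
  if (binding.getMembers().remove(member) && binding.getMembers().isEmpty()) {
    policy.getBindings().remove(binding);
  }

  // Sets the updated policy.
  // NOTE(review): setPolicy only prints on failure, so a failed revoke is not visible to
  // the caller; verify the resulting policy when the revoke matters.
  setPolicy(crmService, projectId, policy);
}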
 
Example #4
Source File: QuickstartV2.java    From java-docs-samples with Apache License 2.0 6 votes vote down vote up
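/**
 * Grants {@code role} to {@code member} in the project's IAM policy and writes the policy back.
 *
 * <p>When a binding for the role already exists the member is added to it; a new binding is
 * created only when none exists. The original appended a second binding for the same role
 * even after updating the existing one.
 *
 * @param crmService Cloud Resource Manager client used for the read and the write
 * @param projectId project whose policy is edited
 * @param member member identifier to grant the role to
 * @param role role to grant
 */
public static void addBinding(
    CloudResourceManager crmService, String projectId, String member, String role) {

  // Gets the project's policy. getPolicy returns null when the read failed; writing a
  // policy built from nothing could replace the project's existing bindings, so stop here.
  Policy policy = getPolicy(crmService, projectId);
  if (policy == null) {
    System.out.println("Unable to add binding: no policy for project " + projectId);
    return;
  }

  // If binding already exists, adds member to binding.
  boolean bindingExists = false;
  List<Binding> bindings = policy.getBindings();
  for (Binding b : bindings) {
    if (b.getRole().equals(role)) {
      if (!b.getMembers().contains(member)) {
        b.getMembers().add(member);
      }
      bindingExists = true;
      break;
    }
  }

  // If binding does not exist, adds binding to policy.
  if (!bindingExists) {
    Binding binding = new Binding();
    binding.setRole(role);
    binding.setMembers(Collections.singletonList(member));
    bindings.add(binding);
  }

  // Set the updated policy
  // NOTE(review): setPolicy only prints on failure, so the caller cannot tell whether the
  // grant took effect.
  setPolicy(crmService, projectId, policy);
}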
 
Example #5
Source File: QuickstartV2.java    From java-docs-samples with Apache License 2.0 6 votes vote down vote up
/**
 * Builds a Cloud Resource Manager client authenticated with Application Default Credentials.
 *
 * @return a client with the application name "service-accounts"
 * @throws IOException if the default credentials cannot be loaded
 * @throws GeneralSecurityException if the trusted HTTP transport cannot be created
 */
public static CloudResourceManager initializeService()
    throws IOException, GeneralSecurityException {
  // Use the Application Default Credentials strategy for authentication. For more info, see:
  // https://cloud.google.com/docs/authentication/production#finding_credentials_automatically
  GoogleCredentials adc = GoogleCredentials.getApplicationDefault();

  // NOTE(review): CLOUD_PLATFORM is the broad cloud-platform OAuth scope. What this client
  // may actually do is then decided by the IAM roles on the credential's principal, so keep
  // those roles narrow.
  GoogleCredentials scoped =
      adc.createScoped(Collections.singleton(IamScopes.CLOUD_PLATFORM));

  // Creates the Cloud Resource Manager service object.
  CloudResourceManager.Builder builder =
      new CloudResourceManager.Builder(
          GoogleNetHttpTransport.newTrustedTransport(),
          JacksonFactory.getDefaultInstance(),
          new HttpCredentialsAdapter(scoped));
  builder.setApplicationName("service-accounts");
  return builder.build();
}
 
Example #6
Source File: SetPolicy.java    From java-docs-samples with Apache License 2.0 6 votes vote down vote up
/**
 * Creates the Cloud Resource Manager client the policy-writing sample uses.
 *
 * @return a client authenticated with Application Default Credentials
 * @throws IOException if the default credentials cannot be loaded
 * @throws GeneralSecurityException if the trusted HTTP transport cannot be created
 */
public static CloudResourceManager createCloudResourceManagerService()
    throws IOException, GeneralSecurityException {
  // Use the Application Default Credentials strategy for authentication. For more info, see:
  // https://cloud.google.com/docs/authentication/production#finding_credentials_automatically
  final GoogleCredentials defaultCredentials = GoogleCredentials.getApplicationDefault();

  // NOTE(review): the token is scoped to CLOUD_PLATFORM, the broad cloud-platform scope.
  // Access control therefore rests on the IAM roles granted to the credential's principal.
  final GoogleCredentials scopedCredentials =
      defaultCredentials.createScoped(Collections.singleton(IamScopes.CLOUD_PLATFORM));

  final CloudResourceManager.Builder crmBuilder =
      new CloudResourceManager.Builder(
          GoogleNetHttpTransport.newTrustedTransport(),
          JacksonFactory.getDefaultInstance(),
          new HttpCredentialsAdapter(scopedCredentials));
  crmBuilder.setApplicationName("service-accounts");
  return crmBuilder.build();
}
 
Example #7
Source File: GetPolicy.java    From java-docs-samples with Apache License 2.0 6 votes vote down vote up
/**
 * Creates the Cloud Resource Manager client the policy-reading sample uses.
 *
 * @return a client authenticated with Application Default Credentials
 * @throws IOException if the default credentials cannot be loaded
 * @throws GeneralSecurityException if the trusted HTTP transport cannot be created
 */
public static CloudResourceManager createCloudResourceManagerService()
    throws IOException, GeneralSecurityException {
  // Use the Application Default Credentials strategy for authentication. For more info, see:
  // https://cloud.google.com/docs/authentication/production#finding_credentials_automatically
  final GoogleCredentials adc = GoogleCredentials.getApplicationDefault();

  // NOTE(review): CLOUD_PLATFORM is requested even though this sample file is named for a
  // read; the scope does not limit the client to reads, only the principal's IAM roles do.
  final HttpCredentialsAdapter requestInitializer =
      new HttpCredentialsAdapter(
          adc.createScoped(Collections.singleton(IamScopes.CLOUD_PLATFORM)));

  final CloudResourceManager.Builder crmBuilder =
      new CloudResourceManager.Builder(
          GoogleNetHttpTransport.newTrustedTransport(),
          JacksonFactory.getDefaultInstance(),
          requestInitializer);
  crmBuilder.setApplicationName("service-accounts");
  return crmBuilder.build();
}
 
Example #8
Source File: Authenticator.java    From styx with Apache License 2.0 6 votes vote down vote up
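/**
 * Creates an authenticator with explicit retry strategies.
 *
 * <p>Every collaborator is null-checked up front. {@code configuration} is now checked with
 * a named message as well; the original failed on it with an unnamed NullPointerException
 * at the first accessor call.
 *
 * @param googleIdTokenVerifier verifier for Google ID tokens
 * @param cloudResourceManager Cloud Resource Manager client
 * @param iam IAM client
 * @param configuration source of the domain whitelist, resource whitelist and allowed audiences
 * @param retryWaitStrategy wait strategy applied between retries
 * @param retryStopStrategy stop strategy that ends retrying
 * @throws NullPointerException if any argument is null
 */
Authenticator(GoogleIdTokenVerifier googleIdTokenVerifier,
              CloudResourceManager cloudResourceManager,
              Iam iam,
              AuthenticatorConfiguration configuration,
              WaitStrategy retryWaitStrategy,
              StopStrategy retryStopStrategy) {
  this.googleIdTokenVerifier =
      Objects.requireNonNull(googleIdTokenVerifier, "googleIdTokenVerifier");
  this.cloudResourceManager =
      Objects.requireNonNull(cloudResourceManager, "cloudResourceManager");
  this.iam = Objects.requireNonNull(iam, "iam");
  Objects.requireNonNull(configuration, "configuration");
  // NOTE(review): the three values below are taken as-is, including null. How a null
  // whitelist or audience set is treated by the checks that read these fields is not
  // visible here; confirm it denies rather than allows.
  this.domainWhitelist = configuration.domainWhitelist();
  this.resourceWhitelist = configuration.resourceWhitelist();
  this.allowedAudiences = configuration.allowedAudiences();
  this.retryWaitStrategy = Objects.requireNonNull(retryWaitStrategy, "retryWaitStrategy");
  this.retryStopStrategy = Objects.requireNonNull(retryStopStrategy, "retryStopStrategy");
}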
 
Example #9
Source File: Authenticator.java    From styx with Apache License 2.0 6 votes vote down vote up
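/**
 * Pages through the projects returned by the Cloud Resource Manager list call and passes
 * each one to {@code resolveProject}, logging the outcome per project.
 *
 * @throws IOException if a list request fails after retries
 */
void cacheResources() throws IOException {
  final CloudResourceManager.Projects.List request = cloudResourceManager.projects().list();

  String nextPageToken;
  do {
    final ListProjectsResponse response =
        executeWithRetries(request, retryWaitStrategy, retryStopStrategy);
    if (response.getProjects() != null) {
      for (Project project : response.getProjects()) {
        final boolean access = resolveProject(project);
        logger.info("Resolved project: {}, access={}", project.getProjectId(), access);
      }
    }
    // Always advance the page token. The original used `continue` on a page without
    // projects, which skipped this step; a page with no projects but a next-page token
    // would then be requested again indefinitely.
    nextPageToken = response.getNextPageToken();
    request.setPageToken(nextPageToken);
  } while (nextPageToken != null);

  logger.info("Resource cache loaded");
}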
 
Example #10
Source File: TestPermissions.java    From java-docs-samples with Apache License 2.0 6 votes vote down vote up
/**
 * Creates the Cloud Resource Manager client the permission-testing sample uses.
 *
 * @return a client authenticated with Application Default Credentials
 * @throws IOException if the default credentials cannot be loaded
 * @throws GeneralSecurityException if the trusted HTTP transport cannot be created
 */
public static CloudResourceManager createCloudResourceManagerService()
    throws IOException, GeneralSecurityException {
  // Use the Application Default Credentials strategy for authentication. For more info, see:
  // https://cloud.google.com/docs/authentication/production#finding_credentials_automatically
  final GoogleCredentials applicationDefault = GoogleCredentials.getApplicationDefault();

  // NOTE(review): CLOUD_PLATFORM is the broad cloud-platform scope; effective permissions
  // come from the IAM roles held by the credential's principal.
  final GoogleCredentials withScope =
      applicationDefault.createScoped(Collections.singleton(IamScopes.CLOUD_PLATFORM));

  final CloudResourceManager.Builder clientBuilder =
      new CloudResourceManager.Builder(
          GoogleNetHttpTransport.newTrustedTransport(),
          JacksonFactory.getDefaultInstance(),
          new HttpCredentialsAdapter(withScope));
  clientBuilder.setApplicationName("service-accounts");
  return clientBuilder.build();
}
 
Example #11
Source File: GcpOptions.java    From beam with Apache License 2.0 6 votes vote down vote up
/**
 * Returns a CloudResourceManager client builder using the specified {@link
 * CloudResourceManagerOptions}.
 */
@VisibleForTesting
static CloudResourceManager.Builder newCloudResourceManagerClient(
    CloudResourceManagerOptions options) {
  final Credentials gcpCredential = options.getGcpCredential();
  if (gcpCredential == null) {
    // Fail with the shared null-credential error instead of building a client that would
    // send requests without credentials.
    NullCredentialInitializer.throwNullCredentialException();
  }

  final CloudResourceManager.Builder clientBuilder =
      new CloudResourceManager.Builder(
          Transport.getTransport(),
          Transport.getJsonFactory(),
          chainHttpRequestInitializer(
              gcpCredential,
              // Do not log 404. It clutters the output and is possibly even required by the
              // caller.
              new RetryHttpRequestInitializer(ImmutableList.of(404))));
  clientBuilder.setApplicationName(options.getAppName());
  clientBuilder.setGoogleClientRequestInitializer(options.getGoogleApiTrace());
  return clientBuilder;
}
 
Example #12
Source File: GcpOptions.java    From beam with Apache License 2.0 6 votes vote down vote up
/**
 * Returns the project number or throws an error if the project does not exist or has other
 * access errors.
 */
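private static long getProjectNumber(
    String projectId, CloudResourceManager crmClient, BackOff backoff, Sleeper sleeper)
    throws IOException {
  CloudResourceManager.Projects.Get getProject = crmClient.projects().get(projectId);
  try {
    // Retried on socket errors only, per RetryDeterminer.SOCKET_ERRORS, using the supplied
    // backoff and sleeper.
    Project project =
        ResilientOperation.retry(
            ResilientOperation.getGoogleRequestCallable(getProject),
            backoff,
            RetryDeterminer.SOCKET_ERRORS,
            IOException.class,
            sleeper);
    return project.getProjectNumber();
  } catch (Exception e) {
    if (e instanceof InterruptedException) {
      // The broad catch would otherwise swallow an interrupt; restore the flag so callers
      // up the stack can still observe it.
      Thread.currentThread().interrupt();
    }
    // Every failure, including a missing project or denied access, is reported as an
    // IOException with the original exception kept as the cause.
    throw new IOException("Unable to get project number", e);
  }
}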
 
Example #13
Source File: QuickstartV2.java    From java-docs-samples with Apache License 2.0 5 votes vote down vote up
/**
 * Writes {@code policy} as the project's IAM policy through the Cloud Resource Manager
 * Projects API.
 *
 * <p>NOTE(review): an IOException is only printed to standard output and not rethrown, so
 * callers cannot tell a successful grant or revoke from a failed one.
 *
 * @param crmService Cloud Resource Manager client
 * @param projectId project whose policy is replaced
 * @param policy policy to write
 */
private static void setPolicy(CloudResourceManager crmService, String projectId, Policy policy) {
  final SetIamPolicyRequest setRequest = new SetIamPolicyRequest();
  setRequest.setPolicy(policy);
  try {
    crmService.projects().setIamPolicy(projectId, setRequest).execute();
  } catch (IOException writeFailure) {
    System.out.println("Unable to set policy: \n" + writeFailure.toString());
  }
}
 
Example #14
Source File: QuickstartV2.java    From java-docs-samples with Apache License 2.0 5 votes vote down vote up
/**
 * Reads the project's IAM policy through the Cloud Resource Manager Projects API.
 *
 * @param crmService Cloud Resource Manager client
 * @param projectId project whose policy is read
 * @return the policy, or {@code null} when the request failed with an IOException (the
 *     failure is printed to standard output); callers must check for null before use
 */
public static Policy getPolicy(CloudResourceManager crmService, String projectId) {
  final GetIamPolicyRequest getRequest = new GetIamPolicyRequest();
  try {
    return crmService.projects().getIamPolicy(projectId, getRequest).execute();
  } catch (IOException readFailure) {
    System.out.println("Unable to get policy: \n" + readFailure.toString());
    return null;
  }
}
 
Example #15
Source File: QuickstartV2.java    From java-docs-samples with Apache License 2.0 5 votes vote down vote up
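/**
 * Quickstart flow: grants a member the Log Writer role on a project, prints the members of
 * that role, then removes the member again.
 *
 * <p>The original continued after a failed client initialization or policy read and then
 * dereferenced null; each of those cases is now reported and handled.
 */
public static void main(String[] args) {
  // TODO: Replace with your project ID.
  String projectId = "your-project";
  // TODO: Replace with the ID of your member, in IAM member form such as
  // "user:<email-address>".
  String member = "your-member";
  // The role to be granted.
  String role = "roles/logging.logWriter";

  // Initializes the Cloud Resource Manager service.
  CloudResourceManager crmService;
  try {
    crmService = initializeService();
  } catch (IOException | GeneralSecurityException e) {
    System.out.println("Unable to initialize service: \n" + e.toString());
    // Without a client none of the following calls can work.
    return;
  }

  // Grants your member the "Log writer" role for your project.
  addBinding(crmService, projectId, member, role);

  // Get the project's policy and print all members with the "Log Writer" role
  Policy policy = getPolicy(crmService, projectId);
  Binding binding = null;
  if (policy != null && policy.getBindings() != null) {
    for (Binding b : policy.getBindings()) {
      if (role.equals(b.getRole())) {
        binding = b;
        break;
      }
    }
  }
  if (binding == null) {
    System.out.println("No binding found for role: " + role);
  } else {
    System.out.println("Role: " + binding.getRole());
    System.out.print("Members: ");
    for (String m : binding.getMembers()) {
      System.out.print("[" + m + "] ");
    }
    System.out.println();
  }

  // Removes member from the "Log writer" role. Still attempted when the read above
  // failed, so the grant made earlier is not left in place.
  removeMember(crmService, projectId, member, role);
}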
 
Example #16
Source File: GcpOptions.java    From beam with Apache License 2.0 5 votes vote down vote up
/**
 * Returns the project number or throws an exception if the project does not exist or has other
 * access exceptions.
 */
private static long getProjectNumber(String projectId, CloudResourceManager crmClient)
    throws IOException {
  // Delegates to the four-argument overload with a backoff from BACKOFF_FACTORY and the
  // default sleeper.
  final BackOff defaultBackoff = BackOffAdapter.toGcpBackOff(BACKOFF_FACTORY.backoff());
  return getProjectNumber(projectId, crmClient, defaultBackoff, Sleeper.DEFAULT);
}
 
Example #17
Source File: GoogleApiFactory.java    From google-cloud-eclipse with Apache License 2.0 5 votes vote down vote up
/**
 * Builds a Projects API handle on the cached transport for the Cloud Resource Manager API.
 *
 * @param credential request initializer passed to the client builder
 * @return the {@code projects()} collection of a newly built client
 */
@Override
public Projects newProjectsApi(Credential credential) {
  Preconditions.checkNotNull(transportCache, "transportCache is null");
  final HttpTransport cachedTransport =
      transportCache.getUnchecked(GoogleApi.CLOUDRESOURCE_MANAGER_API);
  Preconditions.checkNotNull(cachedTransport, "transport is null");
  Preconditions.checkNotNull(jsonFactory, "jsonFactory is null");

  // NOTE(review): credential is not null-checked like the other inputs. Presumably a null
  // initializer yields a client that sends unauthenticated requests; confirm callers
  // always pass a credential.
  final CloudResourceManager.Builder clientBuilder =
      new CloudResourceManager.Builder(cachedTransport, jsonFactory, credential);
  clientBuilder.setApplicationName(CloudToolsInfo.USER_AGENT);
  return clientBuilder.build().projects();
}
 
Example #18
Source File: AuthenticatorFactoryTest.java    From styx with Apache License 2.0 5 votes vote down vote up
/**
 * Checks that the factory wires transport, JSON factory, credential and application name
 * into the client it builds.
 */
@Test
public void shouldBuildCloudResourceManager() {
  final DefaultAuthenticatorFactory factory = new DefaultAuthenticatorFactory();
  final CloudResourceManager built =
      factory.buildCloudResourceManager(httpTransport, jsonFactory, googleCredential, "test");

  assertThat(built.getRequestFactory().getTransport(), is(httpTransport));
  assertThat(built.getJsonFactory(), is(jsonFactory));
  // The credential must be the request initializer, otherwise calls would go out without it.
  assertThat(built.getRequestFactory().getInitializer(), is(googleCredential));
  assertThat(built.getApplicationName(), is("test"));
}
 
Example #19
Source File: AuthenticatorFactoryTest.java    From styx with Apache License 2.0 5 votes vote down vote up
/**
 * Test override: ignores all four arguments and returns the {@code cloudResourceManager}
 * from the enclosing scope, so no real client is built.
 */
@Override
CloudResourceManager buildCloudResourceManager(
    HttpTransport httpTransport,
    JsonFactory jsonFactory,
    GoogleCredential credential,
    String service) {
  return cloudResourceManager;
}
 
Example #20
Source File: Authenticator.java    From styx with Apache License 2.0 5 votes vote down vote up
/**
 * Creates an authenticator that uses the default retry wait and stop strategies.
 */
Authenticator(
    GoogleIdTokenVerifier googleIdTokenVerifier,
    CloudResourceManager cloudResourceManager,
    Iam iam,
    AuthenticatorConfiguration configuration) {
  // Delegates to the six-argument constructor, supplying the two default strategies.
  this(
      googleIdTokenVerifier,
      cloudResourceManager,
      iam,
      configuration,
      DEFAULT_RETRY_WAIT_STRATEGY,
      DEFAULT_RETRY_STOP_STRATEGY);
}
 
Example #21
Source File: ServiceAccountUsageAuthorizer.java    From styx with Apache License 2.0 5 votes vote down vote up
/**
 * Stores the collaborators and settings of the authorizer; every argument must be non-null.
 *
 * @throws NullPointerException naming the first null argument
 */
Impl(
    Iam iam,
    CloudResourceManager crm,
    Directory directory,
    String serviceAccountUserRole,
    AuthorizationPolicy authorizationPolicy,
    WaitStrategy waitStrategy,
    StopStrategy retryStopStrategy,
    String message,
    List<String> administrators,
    List<String> blacklist) {
  // API clients.
  this.iam = Objects.requireNonNull(iam, "iam");
  this.crm = Objects.requireNonNull(crm, "crm");
  this.directory = Objects.requireNonNull(directory, "directory");

  // Authorization settings and retry behaviour.
  this.serviceAccountUserRole =
      Objects.requireNonNull(serviceAccountUserRole, "serviceAccountUserRole");
  this.authorizationPolicy = Objects.requireNonNull(authorizationPolicy, "authorizationPolicy");
  this.waitStrategy = Objects.requireNonNull(waitStrategy, "waitStrategy");
  this.retryStopStrategy = Objects.requireNonNull(retryStopStrategy, "retryStopStrategy");
  this.message = Objects.requireNonNull(message, "message");

  // NOTE(review): both lists are kept by reference, not copied, so a caller that later
  // mutates its list also changes what this object holds. Confirm callers pass
  // unmodifiable lists.
  this.administrators = Objects.requireNonNull(administrators, "administrators");
  this.blacklist = Objects.requireNonNull(blacklist, "blacklist");
}
 
Example #22
Source File: AuthenticatorFactory.java    From styx with Apache License 2.0 5 votes vote down vote up
/**
 * Builds a Cloud Resource Manager client from the given transport, JSON factory and
 * credential, with {@code service} as the application name.
 */
@VisibleForTesting
CloudResourceManager buildCloudResourceManager(
    HttpTransport httpTransport,
    JsonFactory jsonFactory,
    GoogleCredential credential,
    String service) {
  final CloudResourceManager.Builder clientBuilder =
      new CloudResourceManager.Builder(httpTransport, jsonFactory, credential);
  clientBuilder.setApplicationName(service);
  return clientBuilder.build();
}
 
Example #23
Source File: LiveStateCheckerTest.java    From policyscanner with Apache License 2.0 5 votes vote down vote up
/**
 * Wires Mockito mocks in place of the Projects and Storage API stubs so the checker under
 * test runs without live API access.
 */
@Before
public void setUp() throws GeneralSecurityException, IOException {
  // Install the mocked Projects API through GCPProject's static setter.
  GCPProject.setProjectsApiStub(projectsObject);

  // Second list-request mock: handed out once a non-null page token is set on listProjects.
  CloudResourceManager.Projects.List emptyList = mock(CloudResourceManager.Projects.List.class);
  ListProjectsResponse emptyListProjectResponse = new ListProjectsResponse();

  when(projectsObject.list()).thenReturn(listProjects);
  when(listProjects.setPageToken(anyString())).thenReturn(emptyList);
  when(listProjects.setPageToken(null)).thenReturn(listProjects);
  when(listProjects.setFilter(anyString())).thenReturn(listProjects);

  when(emptyList.setPageToken(null)).thenReturn(emptyList);
  when(emptyList.setPageToken(anyString())).thenReturn(emptyList);
  when(emptyList.setFilter(anyString())).thenReturn(emptyList);

  // The follow-up page has no projects but still carries a non-null next-page token.
  when(emptyList.execute()).thenReturn(emptyListProjectResponse
      .setNextPageToken("maybe halt?")
      .setProjects(new ArrayList<Project>(0)));

  // Storage object listing: every builder-style call returns the same mock.
  when(objectList.setPageToken(anyString())).thenReturn(objectList);
  when(objectList.setPageToken(null)).thenReturn(objectList);
  when(objectList.setPrefix(anyString())).thenReturn(objectList);

  when(objects.list(anyString())).thenReturn(objectList);
  when(objects.get(anyString(), anyString())).thenReturn(objectGet);
  when(gcs.objects()).thenReturn(objects);

  when(buckets.get(anyString())).thenReturn(bucketGet);
  when(gcs.buckets()).thenReturn(buckets);

  // Any getIamPolicy call, for any project, yields the same mocked request.
  when(this.projectsObject.getIamPolicy(anyString(), any(GetIamPolicyRequest.class)))
      .thenReturn(this.getIamPolicy);

  // Install the mocked Storage API, then build the source under test against it.
  GCSFilesSource.setStorageApiStub(gcs);
  this.checkedSource = new GCSFilesSource(BUCKET, ORG_ID);
}
 
Example #24
Source File: DesiredStateEnforcerTest.java    From policyscanner with Apache License 2.0 5 votes vote down vote up
/**
 * Wires Mockito mocks in place of the Projects and Storage API stubs so the enforcer under
 * test runs without live API access.
 */
@Before
public void setUp() throws GeneralSecurityException, IOException {
  // Install the mocked Projects API through GCPProject's static setter.
  GCPProject.setProjectsApiStub(projectsObject);

  // Second list-request mock: handed out once a non-null page token is set on listProjects.
  CloudResourceManager.Projects.List emptyList = mock(CloudResourceManager.Projects.List.class);
  ListProjectsResponse emptyListProjectResponse = new ListProjectsResponse();

  when(projectsObject.list()).thenReturn(listProjects);
  when(listProjects.setPageToken(anyString())).thenReturn(emptyList);
  when(listProjects.setPageToken(null)).thenReturn(listProjects);
  when(listProjects.setFilter(anyString())).thenReturn(listProjects);

  when(emptyList.setPageToken(null)).thenReturn(emptyList);
  when(emptyList.setPageToken(anyString())).thenReturn(emptyList);
  when(emptyList.setFilter(anyString())).thenReturn(emptyList);

  // The follow-up page has no projects but still carries a non-null next-page token.
  when(emptyList.execute()).thenReturn(emptyListProjectResponse
      .setNextPageToken("maybe halt?")
      .setProjects(new ArrayList<Project>(0)));

  // Storage object listing: every builder-style call returns the same mock.
  when(objectList.setPageToken(anyString())).thenReturn(objectList);
  when(objectList.setPageToken(null)).thenReturn(objectList);
  when(objectList.setPrefix(anyString())).thenReturn(objectList);

  when(objects.list(anyString())).thenReturn(objectList);
  when(objects.get(anyString(), anyString())).thenReturn(objectGet);
  when(gcs.objects()).thenReturn(objects);

  when(buckets.get(anyString())).thenReturn(bucketGet);
  when(gcs.buckets()).thenReturn(buckets);

  // Any getIamPolicy call, for any project, yields the same mocked request.
  when(this.projectsObject.getIamPolicy(anyString(), any(GetIamPolicyRequest.class)))
      .thenReturn(this.getIamPolicy);

  // Install the mocked Storage API, then build the source under test against it.
  GCSFilesSource.setStorageApiStub(gcs);
  this.checkedSource = new GCSFilesSource(BUCKET, ORG_ID);
}
 
Example #25
Source File: OnDemandLiveStateCheckerTest.java    From policyscanner with Apache License 2.0 5 votes vote down vote up
/**
 * Wires Mockito mocks in place of the Projects and Storage API stubs so the on-demand
 * checker under test runs without live API access.
 */
@Before
public void setUp() throws GeneralSecurityException, IOException {
  // Install the mocked Projects API through GCPProject's static setter.
  GCPProject.setProjectsApiStub(projectsObject);

  // Second list-request mock: handed out once a non-null page token is set on listProjects.
  CloudResourceManager.Projects.List emptyList = mock(CloudResourceManager.Projects.List.class);
  ListProjectsResponse emptyListProjectResponse = new ListProjectsResponse();

  when(projectsObject.list()).thenReturn(listProjects);
  when(listProjects.setPageToken(anyString())).thenReturn(emptyList);
  when(listProjects.setPageToken(null)).thenReturn(listProjects);
  when(listProjects.setFilter(anyString())).thenReturn(listProjects);

  when(emptyList.setPageToken(null)).thenReturn(emptyList);
  when(emptyList.setPageToken(anyString())).thenReturn(emptyList);
  when(emptyList.setFilter(anyString())).thenReturn(emptyList);

  // The follow-up page has no projects but still carries a non-null next-page token.
  when(emptyList.execute()).thenReturn(emptyListProjectResponse
      .setNextPageToken("maybe halt?")
      .setProjects(new ArrayList<Project>(0)));

  // Storage object listing: every builder-style call returns the same mock.
  when(objectList.setPageToken(anyString())).thenReturn(objectList);
  when(objectList.setPageToken(null)).thenReturn(objectList);
  when(objectList.setPrefix(anyString())).thenReturn(objectList);

  when(objects.list(anyString())).thenReturn(objectList);
  when(objects.get(anyString(), anyString())).thenReturn(objectGet);
  when(gcs.objects()).thenReturn(objects);

  when(buckets.get(anyString())).thenReturn(bucketGet);
  when(gcs.buckets()).thenReturn(buckets);

  // Any getIamPolicy call, for any project, yields the same mocked request.
  when(this.projectsObject.getIamPolicy(anyString(), any(GetIamPolicyRequest.class)))
      .thenReturn(this.getIamPolicy);

  // Install the mocked Storage API, then build the source under test against it.
  GCSFilesSource.setStorageApiStub(gcs);
  this.checkedSource = new GCSFilesSource(BUCKET, ORG_ID);
}
 
Example #26
Source File: AuthenticatorTest.java    From styx with Apache License 2.0 4 votes vote down vote up
/**
 * Stubs the getAncestry call for {@code project} so that executing it returns a response
 * built from {@code ancestors}.
 *
 * @param project project whose ID the stubbed call is matched on
 * @param ancestors resource IDs passed to {@code ancestryResponse}
 */
private void mockAncestryResponse(Project project, ResourceId... ancestors) throws IOException {
  final CloudResourceManager.Projects.GetAncestry ancestry = mock(CloudResourceManager.Projects.GetAncestry.class);
  doReturn(ancestryResponse(ancestors)).when(ancestry).execute();
  // Matches only this project's ID; the second argument (the request body) may be anything.
  when(cloudResourceManager.projects().getAncestry(eq(project.getProjectId()), any()))
      .thenReturn(ancestry);
}
 
Example #27
Source File: ServiceAccountUsageAuthorizer.java    From styx with Apache License 2.0 4 votes vote down vote up
/**
 * Builds the authorizer with its three API clients: Cloud Resource Manager, IAM and the
 * Admin SDK Directory.
 *
 * @throws RuntimeException if the trusted HTTP transport cannot be created
 */
static ServiceAccountUsageAuthorizer create(String serviceAccountUserRole,
                                            AuthorizationPolicy authorizationPolicy,
                                            GoogleCredentials credentials,
                                            String gsuiteUserEmail,
                                            String serviceName,
                                            String message,
                                            List<String> administrators,
                                            List<String> blacklist) {

  final HttpTransport transport;
  try {
    transport = GoogleNetHttpTransport.newTrustedTransport();
  } catch (GeneralSecurityException | IOException e) {
    throw new RuntimeException(e);
  }

  final JsonFactory json = Utils.getDefaultJsonFactory();

  // Both clients below get their own credential scoped with IamScopes.all().
  final HttpCredentialsAdapter crmInitializer =
      new HttpCredentialsAdapter(credentials.createScoped(IamScopes.all()));
  final CloudResourceManager crmClient =
      new CloudResourceManager.Builder(transport, json, crmInitializer)
          .setApplicationName(serviceName)
          .build();

  final HttpCredentialsAdapter iamInitializer =
      new HttpCredentialsAdapter(credentials.createScoped(IamScopes.all()));
  final Iam iamClient =
      new Iam.Builder(transport, json, iamInitializer)
          .setApplicationName(serviceName)
          .build();

  // The Directory client acts as gsuiteUserEmail (set as the service account user) and is
  // limited to the single read-only group-member scope.
  // NOTE(review): acting as a user presumably relies on domain-wide delegation for this
  // service account; keep the delegated scope list as narrow as the one requested here.
  final ManagedServiceAccountKeyCredential.Builder directoryCredentialBuilder =
      new ManagedServiceAccountKeyCredential.Builder(iamClient)
          .setServiceAccountId(ServiceAccounts.serviceAccountEmail(credentials))
          .setServiceAccountUser(gsuiteUserEmail)
          .setServiceAccountScopes(Set.of(ADMIN_DIRECTORY_GROUP_MEMBER_READONLY));
  final GoogleCredential directoryCredential = directoryCredentialBuilder.build();

  final Directory directoryClient =
      new Directory.Builder(transport, json, directoryCredential)
          .setApplicationName(serviceName)
          .build();

  return new Impl(
      iamClient,
      crmClient,
      directoryClient,
      serviceAccountUserRole,
      authorizationPolicy,
      Impl.DEFAULT_WAIT_STRATEGY,
      Impl.DEFAULT_RETRY_STOP_STRATEGY,
      message,
      administrators,
      blacklist);
}
 
Example #28
Source File: CachingGoogleAuthCodeFlow.java    From nexus-proxy with Apache License 2.0 4 votes vote down vote up
/**
 * Returns whether a given user is a member of the organization.
 *
 * @param userId the user's ID (typically his organization email address).
 * @return whether a given user is a member of the organization.
 */
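public final Boolean isOrganizationMember(final String userId) {
    // Try to grab membership information from the cache.
    Boolean isMember = this.authCache.getIfPresent(userId);

    // If we have previously validated this user as a member of the organization, return.
    // NOTE(review): only positive results are cached, and a cached "true" is trusted until
    // the entry leaves the cache. The cache's expiry is configured outside this method;
    // confirm it is short enough that a user removed from the organization loses access
    // in acceptable time.
    if (isMember != null && isMember) {
        LOGGER.debug("{} is an organization member (cache hit).", userId);
        return true;
    }

    LOGGER.debug("No entry in cache for {}. Hitting the Resource Manager API.", userId);

    // At this point, either we've never validated this user as a member of the organization, or we've tried to but they weren't.
    // Hence we perform the validation process afresh by getting the list of organizations for which the user is a member.

    final Credential credential = this.loadCredential(userId);

    // No stored credential for the user: treat as not a member (fail closed).
    if (credential == null) {
        return false;
    }

    // The lookup runs with the user's own credential, so the listed organizations are the
    // ones visible to that user.
    final CloudResourceManager crm = new CloudResourceManager.Builder(HTTP_TRANSPORT, JSON_FACTORY, credential)
            .setApplicationName(this.authFlow.getClientId())
            .build();

    final List<Organization> organizations;

    try {
        organizations = crm.organizations().list().execute().getOrganizations();
    } catch (final IOException ex) {
        throw new UncheckedIOException(ex);
    }

    // Check whether the current organization is in the list of the user's organizations.
    isMember = organizations != null
            && organizations.stream().anyMatch(org -> this.organizationId.equals(org.getOrganizationId()));

    // If we've successfully validated this user as a member of the organization, put this information in the cache.
    if (isMember) {
        LOGGER.debug("{} has been verified as an organization member. Caching.", userId);
        this.authCache.put(userId, true);
    } else {
        // The original omitted the argument here, so the log line printed a literal "{}"
        // instead of the user ID.
        LOGGER.debug("{} couldn't be verified as an organization member.", userId);
    }
    return isMember;
}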