Add support G-Suite group whose members have ADMIN access to registrar console

After this CL, "support" accounts (accounts that are part of the "support" G-Suite group) will the same access to the registrar console as GCP "admins". However, they don't won't have access to the GCP project itself. We could give them their own Role in the future (say SUPPORT) and give them different access than "admins", but right now we don't need it and YAGNI or something :) NOTE: we identify users by their email (they need to be logged in to a google account). I don't know if that's best practice, since I guess different google accounts might have the same email address. However, G-Suite groups' membership is by email so there's not much we can do about it if we want to use G-Suite groups. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=220804273
2025-05-14 00:17:20 +02:00 · 2018-11-09 08:11:26 -08:00 · 2018-11-09 08:11:26 -08:00 · 557984bb75
commit 557984bb75
parent 783c010ab4
15 changed files with 285 additions and 25 deletions
--- a/java/google/registry/groups/DirectoryGroupsConnection.java
+++ b/java/google/registry/groups/DirectoryGroupsConnection.java
@ -46,6 +46,22 @@ public class DirectoryGroupsConnection implements GroupsConnection {
  private static final String MEMBER_NOT_FOUND_MSG = "Resource Not Found: memberKey";
  private static final String MEMBER_ALREADY_EXISTS_MSG = "Member already exists.";

+  /**
+   * All possible errors from {@link Directory.Members#get} when an email doesn't belong to a group.
+   *
+   * <p>See {@link #isMemberOfGroup} for details.
+   *
+   * <p>TODO(b/119220829): remove once we transition to using hasMember
+   *
+   * <p>TODO(b/119221854): update error messages if and when they change
+   */
+  private static final ImmutableSet<String> ERROR_MESSAGES_MEMBER_NOT_FOUND =
+      ImmutableSet.of(
+          // The given email corresponds to an actual account, but isn't part of this group
+          "Resource Not Found: memberKey",
+          // There's no account corresponding to this email
+          "Missing required field: memberKey");
+
  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
  private static final Groups defaultGroupPermissions = getDefaultGroupPermissions();

@ -163,4 +179,45 @@ public class DirectoryGroupsConnection implements GroupsConnection {
      }
    }
  }
+
+  @Override
+  public boolean isMemberOfGroup(String memberEmail, String groupKey) {
+    // We're using "get" instead of "hasMember" because "hasMember" fails for emails that don't
+    // belong to the G-Suite domain.
+    //
+    // "get" fails for users that aren't part of the group, but it also might fail for other
+    // reasons (no access, group doesn't exist etc.).
+    // Which error is caused by "user isn't in that group" isn't documented, and was found using
+    // trial and error.
+    //
+    // TODO(b/119221676): transition to using hasMember
+    //
+    // Documentation for the API of "get":
+    // https://developers.google.com/admin-sdk/directory/v1/reference/members/get
+    //
+    // Documentation for the API of "hasMember":
+    // https://developers.google.com/admin-sdk/directory/v1/reference/members/hasMember
+    try {
+      Directory.Members.Get getRequest = directory.members().get(groupKey, memberEmail);
+      Member getReply = getRequest.execute();
+      logger.atInfo().log(
+          "%s is a member of the group %s. Got reply: %s", memberEmail, groupKey, getReply);
+      return true;
+    } catch (GoogleJsonResponseException e) {
+      if (ERROR_MESSAGES_MEMBER_NOT_FOUND.contains(e.getDetails().getMessage())) {
+        // This means the "get" request failed because the email wasn't part of the group.
+        // This is expected behavior for any visitor that isn't a support group member.
+        logger.atInfo().log(
+            "%s isn't a member of the group %s. Got reply %s",
+            memberEmail, groupKey, e.getMessage());
+        return false;
+      }
+      // If we got here - we had an unexpected error. Rethrow.
+      throw new RuntimeException(
+          String.format("Error checking whether %s is in group %s", memberEmail, groupKey), e);
+    } catch (IOException e) {
+      throw new RuntimeException(
+          String.format("Error checking whether %s is in group %s", memberEmail, groupKey), e);
+    }
+  }
 }