Using cloud-agnostics formats and documentation for permission boundary

Author: DaisyModi

iam/iam-client/src/main/java/com/salesforce/multicloudj/iam/model/CreateOptions.java

@@ -10,13 +10,33 @@
  * <p>This class provides additional options that can be set during identity creation,
  * such as path specifications, session duration limits, and permission boundaries.
  *
- * <p>Usage example:
+ * <p>Permission boundary identifiers are provider-specific and translated internally:
+ * - AWS: IAM Policy ARN format (arn:aws:iam::account:policy/name)
+ * - GCP: Organization Policy constraint name or IAM Condition expression
+ * - AliCloud: Not supported (AliCloud RAM does not have permission boundaries)
+ *
+ * <p>Usage examples by provider:
  * <pre>
- * CreateOptions options = CreateOptions.builder()
+ * // AWS Example
+ * CreateOptions awsOptions = CreateOptions.builder()
  *     .path("/foo/")
  *     .maxSessionDuration(43200) // 12 hours
  *     .permissionBoundary("arn:aws:iam::123456789012:policy/PowerUserBoundary")
  *     .build();
+ *
+ * // GCP Example (using organization policy constraint)
+ * CreateOptions gcpOptions = CreateOptions.builder()
+ *     .path("/foo/")
+ *     .maxSessionDuration(3600)  // 1 hour
+ *     .permissionBoundary("constraints/compute.restrictLoadBalancerCreationForTypes")
+ *     .build();
+ *
+ * // AliCloud Example (permission boundaries not supported)
+ * CreateOptions aliOptions = CreateOptions.builder()
+ *     .path("/foo/")
+ *     .maxSessionDuration(7200)  // 2 hours
+ *     // .permissionBoundary() - Not supported in AliCloud RAM
+ *     .build();
  * </pre>
  */
 @Getter
@@ -99,9 +119,10 @@ public Builder maxSessionDuration(Integer maxSessionDuration) {
         }
 
         /**
-         * Sets the permission boundary ARN.
+         * Sets the permission boundary policy identifier.
          *
-         * @param permissionBoundary the ARN of the policy that acts as a permissions boundary
+         * @param permissionBoundary the cloud-native identifier of the policy that acts as a permission boundary
+         *                          (AWS: policy ARN, GCP: constraint name, AliCloud: not supported)
          * @return this Builder instance
          */
         public Builder permissionBoundary(String permissionBoundary) {

iam/iam-client/src/main/java/com/salesforce/multicloudj/iam/model/TrustConfiguration.java

@@ -14,14 +14,10 @@
  * <p>This class defines which principals can assume or impersonate the identity being created,
  * along with any conditions that must be met for the trust relationship to be valid.
  *
- * <p>Usage example:
- * <pre>
- * TrustConfiguration trust = TrustConfiguration.builder()
- *     .addTrustedPrincipal("arn:aws:iam::111122223333:root")
- *     .addTrustedPrincipal("arn:aws:iam::444455556666:user/ExampleUser")
- *     .addCondition("StringEquals", "aws:RequestedRegion", "us-west-2")
- *     .build();
- * </pre>
+ * <p>Principal identifiers are accepted in their native cloud format and translated internally:
+ * - AWS: ARN format (arn:aws:iam::account:type/name)
+ * - GCP: Email format ([email protected])
+ * - AliCloud: ACS format (acs:ram::account:type/name) or account ID
  */
 @Getter
 public class TrustConfiguration {
@@ -78,7 +74,7 @@ private Builder() {
         /**
          * Adds a trusted principal to the trust configuration.
          *
-         * @param principal the principal ARN or identifier that can assume this identity
+         * @param principal the principal identifier in cloud-native format (AWS ARN, GCP email, AliCloud ACS ARN or account ID)
          * @return this Builder instance
          */
         public Builder addTrustedPrincipal(String principal) {
@@ -91,7 +87,7 @@ public Builder addTrustedPrincipal(String principal) {
         /**
          * Adds multiple trusted principals to the trust configuration.
          *
-         * @param principals the list of principal ARNs or identifiers
+         * @param principals the list of principal identifiers in cloud-native formats
          * @return this Builder instance
          */
         public Builder addTrustedPrincipals(List<String> principals) {
@@ -106,8 +102,8 @@ public Builder addTrustedPrincipals(List<String> principals) {
         /**
          * Adds a condition to the trust configuration.
          *
-         * @param operator the condition operator (e.g., "StringEquals", "IpAddress")
-         * @param key the condition key (e.g., "aws:RequestedRegion", "aws:SourceIp")
+         * @param operator the condition operator (e.g., "StringEquals", "IpAddress", "DateGreaterThan")
+         * @param key the condition key in cloud-native format (e.g., "aws:RequestedRegion", ""aws:SourceIp")
          * @param value the condition value
          * @return this Builder instance
          */

iam/iam-client/src/test/java/com/salesforce/multicloudj/iam/model/CreateOptionsTest.java

@@ -56,7 +56,7 @@ public void testCreateOptionsBuilderIndividualFields() {
         assertEquals(Integer.valueOf(7200), durationOptions.getMaxSessionDuration());
         assertNull(durationOptions.getPermissionBoundary());
 
-        // Test permissionBoundary only
+        // Test permissionBoundary only (AWS example)
         CreateOptions boundaryOptions = CreateOptions.builder()
             .permissionBoundary("arn:aws:iam::123456789012:policy/DeveloperBoundary")
             .build();
@@ -219,4 +219,40 @@ public void testCreateOptionsBuilderOverwriteValues() {
         assertEquals(Integer.valueOf(7200), options.getMaxSessionDuration());
         assertEquals("arn:aws:iam::123456789012:policy/SecondBoundary", options.getPermissionBoundary());
     }
+
+    @Test
+    public void testCreateOptionsBuilderProviderSpecificExamples() {
+        // AWS Example
+        CreateOptions awsOptions = CreateOptions.builder()
+            .path("/foo/")
+            .maxSessionDuration(43200) // 12 hours
+            .permissionBoundary("arn:aws:iam::123456789012:policy/PowerUserBoundary")
+            .build();
+
+        assertEquals("/foo/", awsOptions.getPath());
+        assertEquals(Integer.valueOf(43200), awsOptions.getMaxSessionDuration());
+        assertEquals("arn:aws:iam::123456789012:policy/PowerUserBoundary", awsOptions.getPermissionBoundary());
+
+        // GCP Example
+        CreateOptions gcpOptions = CreateOptions.builder()
+            .path("/foo/")
+            .maxSessionDuration(3600) // 1 hour
+            .permissionBoundary("constraints/compute.restrictLoadBalancerCreationForTypes")
+            .build();
+
+        assertEquals("/foo/", gcpOptions.getPath());
+        assertEquals(Integer.valueOf(3600), gcpOptions.getMaxSessionDuration());
+        assertEquals("constraints/compute.restrictLoadBalancerCreationForTypes", gcpOptions.getPermissionBoundary());
+
+        // AliCloud Example (permission boundaries not supported)
+        CreateOptions aliOptions = CreateOptions.builder()
+            .path("/foo/")
+            .maxSessionDuration(7200) // 2 hours
+            // Permission boundaries not supported in AliCloud RAM
+            .build();
+
+        assertEquals("/foo/", aliOptions.getPath());
+        assertEquals(Integer.valueOf(7200), aliOptions.getMaxSessionDuration());
+        assertNull(aliOptions.getPermissionBoundary()); // AliCloud doesn't support permission boundaries
+    }
 }

iam/iam-client/src/test/java/com/salesforce/multicloudj/iam/model/TrustConfigurationTest.java

@@ -127,6 +127,7 @@ public void testTrustConfigurationBuilderGcpServiceAccount() {
         TrustConfiguration trustConfig = TrustConfiguration.builder()
             .addTrustedPrincipal("[email protected]")
             .addTrustedPrincipal("[email protected]")
+            .addCondition("expression", "location", "resource.name.startsWith('projects/my-project/zones/us-west')")
             .build();
 
         List<String> expectedPrincipals = Arrays.asList(
@@ -135,13 +136,18 @@ public void testTrustConfigurationBuilderGcpServiceAccount() {
         );
 
         assertEquals(expectedPrincipals, trustConfig.getTrustedPrincipals());
+
+        Map<String, Map<String, Object>> conditions = trustConfig.getConditions();
+        assertTrue(conditions.containsKey("expression"));
+        assertEquals("resource.name.startsWith('projects/my-project/zones/us-west')", conditions.get("expression").get("location"));
     }
 
     @Test
     public void testTrustConfigurationBuilderAliCloudPrincipals() {
         TrustConfiguration trustConfig = TrustConfiguration.builder()
             .addTrustedPrincipal("1234567890123456")  // AliCloud account ID
             .addTrustedPrincipal("acs:ram::1234567890123456:user/AliUser")  // AliCloud RAM user
+            .addCondition("StringEquals", "acs:CurrentRegion", "us-west-1")
             .build();
 
         List<String> expectedPrincipals = Arrays.asList(
@@ -150,6 +156,10 @@ public void testTrustConfigurationBuilderAliCloudPrincipals() {
         );
 
         assertEquals(expectedPrincipals, trustConfig.getTrustedPrincipals());
+
+        Map<String, Map<String, Object>> conditions = trustConfig.getConditions();
+        assertTrue(conditions.containsKey("StringEquals"));
+        assertEquals("us-west-1", conditions.get("StringEquals").get("acs:CurrentRegion"));
     }
 
     @Test