b/433111438 Add backoff/retry logic for updating group settings (#730)

jpassing · web-flow · commit 0511ac8a08d5 · 2025-07-21T10:25:31.000+10:00
Updating group settings can fail intermittelty for newly created
groups. This didn't use to happen much in the past, but is now
happening more frequently.

Add backoff/retry logic to compensate.
diff --git a/sources/src/main/java/com/google/solutions/jitaccess/apis/clients/CloudIdentityGroupsClient.java b/sources/src/main/java/com/google/solutions/jitaccess/apis/clients/CloudIdentityGroupsClient.java
@@ -54,6 +54,7 @@ public class CloudIdentityGroupsClient {
   private static final int SEARCH_PAGE_SIZE = 1000;
   public static final String LABEL_DISCUSSION_FORUM = "cloudidentity.googleapis.com/groups.discussion_forum";
   public static final String LABEL_SECURITY = "cloudidentity.googleapis.com/groups.security";
+  private static final int MAX_GROUP_SETTINGS_PATCH_ATTEMPTS = 5;
 
   private final @NotNull Options options;
   private final @NotNull GoogleCredentials credentials;
@@ -147,6 +148,54 @@ private static void translateAndThrowApiException(
     }
   }
 
+
+  /**
+   * Update group settings to restrictive defaults.
+   */
+  private void restrictGroupSettings(@NotNull GroupId emailAddress) throws IOException {
+    var settingsClient = createSettingsClient();
+
+    //
+    // The group settings API is prone to fail for newly created groups.
+    //
+    for (int attempt = 0; attempt < MAX_GROUP_SETTINGS_PATCH_ATTEMPTS; attempt++) {
+      try {
+        settingsClient
+          .groups()
+          .update(emailAddress.email, this.RESTRICTED_SETTINGS)
+          .execute();
+
+        //
+        // Successful update -> quit loop.
+        //
+        return;
+      }
+      catch (GoogleJsonResponseException e) {
+        if (
+          e.getStatusCode() == 404 ||
+          e.getStatusCode() == 400 &&
+          e.getDetails() != null &&
+          e.getDetails().getErrors() != null &&
+          e.getDetails().getErrors()
+            .stream()
+            .anyMatch(err -> e.getMessage() != null && err.getMessage().contains("INVALID_GAIA_GROUP"))) {
+
+          //
+          // This is most likely an intermittent error.
+          //
+          try {
+            Thread.sleep(200);
+          }
+          catch (InterruptedException ignored) {
+          }
+        }
+        else {
+          throw (GoogleJsonResponseException) e.fillInStackTrace();
+        }
+      }
+    }
+  }
+
   //---------------------------------------------------------------------
   // Manage groups.
   //---------------------------------------------------------------------
@@ -323,10 +372,7 @@ public enum GroupType {
       //
       // Lock down group settings.
       //
-      createSettingsClient()
-        .groups()
-        .update(emailAddress.email, this.RESTRICTED_SETTINGS)
-        .execute();
+      restrictGroupSettings(emailAddress);
 
       return groupKey;
     }
