static void createDefault(final OwnerFullName ownerFullName) throws MetadataException {
   try {
     try {
       NetworkGroup net =
           Transactions.find(
               new NetworkGroup(
                   AccountFullName.getInstance(ownerFullName.getAccountNumber()),
                   NETWORK_DEFAULT_NAME));
       if (net == null) {
         create(ownerFullName, NETWORK_DEFAULT_NAME, "default group");
       }
     } catch (NoSuchElementException ex) {
       try {
         create(ownerFullName, NETWORK_DEFAULT_NAME, "default group");
       } catch (ConstraintViolationException ex1) {
       }
     } catch (TransactionException ex) {
       try {
         create(ownerFullName, NETWORK_DEFAULT_NAME, "default group");
       } catch (ConstraintViolationException ex1) {
       }
     }
   } catch (DuplicateMetadataException ex) {
   }
 }
 /**
  * Resolve Group Names / Identifiers for the given permissions.
  *
  * <p>Caller must have open transaction.
  *
  * @param permissions - The permissions to update
  * @throws MetadataException If an error occurs
  */
 public static void resolvePermissions(final Iterable<IpPermissionType> permissions)
     throws MetadataException {
   for (final IpPermissionType ipPermission : permissions) {
     if (ipPermission.getGroups() != null)
       for (final UserIdGroupPairType groupInfo : ipPermission.getGroups()) {
         if (!Strings.isNullOrEmpty(groupInfo.getSourceGroupId())) {
           final NetworkGroup networkGroup =
               NetworkGroups.lookupByGroupId(groupInfo.getSourceGroupId());
           groupInfo.setSourceUserId(networkGroup.getOwnerAccountNumber());
           groupInfo.setSourceGroupName(networkGroup.getDisplayName());
         } else if (Strings.isNullOrEmpty(groupInfo.getSourceUserId())
             || Strings.isNullOrEmpty(groupInfo.getSourceGroupName())) {
           throw new MetadataException("Group ID or User ID/Group Name required.");
         } else {
           final NetworkGroup networkGroup =
               NetworkGroups.lookup(
                   AccountFullName.getInstance(groupInfo.getSourceUserId()),
                   groupInfo.getSourceGroupName());
           groupInfo.setSourceGroupId(networkGroup.getGroupId());
         }
       }
   }
 }
  public static NetworkGroup create(
      final OwnerFullName ownerFullName, final String groupName, final String groupDescription)
      throws MetadataException {
    UserFullName userFullName = null;
    if (ownerFullName instanceof UserFullName) {
      userFullName = (UserFullName) ownerFullName;
    } else {
      try {
        Account account = Accounts.lookupAccountById(ownerFullName.getAccountNumber());
        User admin =
            Iterables.find(
                account.getUsers(),
                new Predicate<User>() {

                  @Override
                  public boolean apply(User input) {
                    return input.isAccountAdmin();
                  }
                });
        userFullName = UserFullName.getInstance(admin);
      } catch (Exception ex) {
        LOG.error(ex, ex);
        throw new NoSuchMetadataException(
            "Failed to create group because owning user could not be identified.", ex);
      }
    }

    final EntityTransaction db = Entities.get(NetworkGroup.class);
    try {
      NetworkGroup net =
          Entities.uniqueResult(
              new NetworkGroup(
                  AccountFullName.getInstance(userFullName.getAccountNumber()), groupName));
      if (net == null) {
        final NetworkGroup entity =
            Entities.persist(new NetworkGroup(userFullName, groupName, groupDescription));
        db.commit();
        return entity;
      } else {
        db.rollback();
        throw new DuplicateMetadataException(
            "Failed to create group: " + groupName + " for " + userFullName.toString());
      }
    } catch (final NoSuchElementException ex) {
      final NetworkGroup entity =
          Entities.persist(new NetworkGroup(userFullName, groupName, groupDescription));
      db.commit();
      return entity;
    } catch (final ConstraintViolationException ex) {
      Logs.exhaust().error(ex);
      db.rollback();
      throw new DuplicateMetadataException(
          "Failed to create group: " + groupName + " for " + userFullName.toString(), ex);
    } catch (final Exception ex) {
      Logs.exhaust().error(ex, ex);
      db.rollback();
      throw new MetadataException(
          "Failed to create group: " + groupName + " for " + userFullName.toString(),
          PersistenceExceptions.transform(ex));
    }
  }
    @Override
    public boolean apply(final Allocation allocInfo) throws MetadataException {
      final UserFullName ownerFullName = allocInfo.getOwnerFullName();
      final String instanceProfileArn = allocInfo.getRequest().getIamInstanceProfileArn();
      final String instanceProfileName = allocInfo.getRequest().getIamInstanceProfileName();
      if (!Strings.isNullOrEmpty(instanceProfileArn)
          || !Strings.isNullOrEmpty(instanceProfileName)) {

        final String profileAccount;
        final String profileName;
        if (!Strings.isNullOrEmpty(instanceProfileArn))
          try {
            final Ern name = Ern.parse(instanceProfileArn);
            if (!(name instanceof EuareResourceName)) {
              throw new InvalidInstanceProfileMetadataException(
                  "Invalid IAM instance profile ARN: " + instanceProfileArn);
            }
            profileAccount = name.getAccount();
            profileName = ((EuareResourceName) name).getName();

          } catch (JSONException e) {
            throw new InvalidInstanceProfileMetadataException(
                "Invalid IAM instance profile ARN: " + instanceProfileArn, e);
          }
        else {
          profileAccount = ownerFullName.getAccountNumber();
          profileName = instanceProfileName;
        }

        final InstanceProfile profile;
        try {
          profile = Accounts.lookupInstanceProfileByName(profileAccount, profileName);
        } catch (AuthException e) {
          throw new InvalidInstanceProfileMetadataException(
              "Invalid IAM instance profile: " + profileAccount + "/" + profileName, e);
        }

        if (!Strings.isNullOrEmpty(instanceProfileName)
            && !instanceProfileName.equals(profile.getName())) {
          throw new InvalidInstanceProfileMetadataException(
              String.format(
                  "Invalid IAM instance profile name '%s' for ARN: %s",
                  profileName, instanceProfileArn));
        }

        try {
          final AuthContextSupplier user = allocInfo.getAuthContext();
          if (!Permissions.isAuthorized(
              PolicySpec.VENDOR_IAM,
              PolicySpec.IAM_RESOURCE_INSTANCE_PROFILE,
              Accounts.getInstanceProfileFullName(profile),
              AccountFullName.getInstance(profile.getAccountNumber()),
              PolicySpec.IAM_LISTINSTANCEPROFILES,
              user)) {
            throw new IllegalMetadataAccessException(
                String.format(
                    "Not authorized to access instance profile with ARN %s for %s",
                    profile.getInstanceProfileArn(), ownerFullName));
          }

          final Role role = profile.getRole();
          if (role != null
              && !Permissions.isAuthorized(
                  PolicySpec.VENDOR_IAM,
                  PolicySpec.IAM_RESOURCE_ROLE,
                  Accounts.getRoleFullName(role),
                  AccountFullName.getInstance(role.getAccountNumber()),
                  PolicySpec.IAM_PASSROLE,
                  user)) {
            throw new IllegalMetadataAccessException(
                String.format(
                    "Not authorized to pass role with ARN %s for %s",
                    role.getRoleArn(), ownerFullName));
          }

          if (role != null) {
            allocInfo.setInstanceProfileArn(profile.getInstanceProfileArn());
            allocInfo.setIamInstanceProfileId(profile.getInstanceProfileId());
            allocInfo.setIamRoleArn(role.getRoleArn());
          } else {
            throw new InvalidInstanceProfileMetadataException(
                "Role not found for IAM instance profile ARN: " + profile.getInstanceProfileArn());
          }
        } catch (AuthException e) {
          throw new MetadataException("IAM instance profile error", e);
        }
      }
      return true;
    }