fix(gcp): allow org-level discovery when Projects.List returns zero results

[knakul853]

Summary

Fix GCP Organization Provider failing with no projects available for organization discovery when the SA cannot list projects via cloudresourcemanager.Projects.List.

Regression: Introduced in #719 (commit 334ae91), which added an unconditional empty-projects guard that blocked org-level Asset API discovery.

Fix: Separate the two code paths:

• Configured project_ids → strict validation, hard error if empty after resolution
• No configured projects → Projects.List failure is a warning, provider falls back to org-level Asset API (organizations/{id} scope)

Closes #738

Test plan

• TestNewOrganizationProvider_NoProjectsListedFallsBackToOrgLevel — org-level path with no project listing
• TestNewOrganizationProvider_ConfiguredProjectsStillValidated — explicit project_ids still validated
• TestSplitAndCleanProjectList / TestProjectScopeAllowsAsset* — existing tests pass
• Manual test with affected customer config (Unity org 257001958474) — provider creates successfully, discovers 631 assets via org-level Asset API

Reference

• Slack: https://projectdiscoveryhq.slack.com/archives/C05J80AEYJY/p1773063698481909

🤖 Generated with Claude Code

[neo-by-projectdiscovery-dev]

Neo - PR Security Review

No security issues found

Highlights

• Changes error handling in GCP organization provider to allow fallback to org-level Asset API when Projects.List returns zero results
• Maintains strict validation for explicitly configured project_ids while enabling org-level discovery when no projects are configured
• Authorization is enforced by GCP IAM on every API call, preventing unauthorized access regardless of the error handling changes

Hardening Notes

• Consider adding validation to ensure organizationID follows GCP's expected format (numeric string) in newOrganizationProvider around line 625, e.g., if !isNumeric(organizationID) { return nil, errkit.New("organization_id must be numeric") }. This would catch configuration errors earlier rather than waiting for GCP API errors.
• In OrganizationProvider.Resources() at line 427, consider sanitizing the organizationID before string concatenation (e.g., validate it contains only digits) to make the code more defensive, even though GCP API validates it server-side.

_{Comment @pdneo help for available commands. · Open in Neo}

[coderabbitai]

Walkthrough

This PR defers Cloud Resource Manager service creation to specific code paths and improves project validation workflow. When configured projects are provided, they're resolved using enrichWithProjectNumbers(). Invalid projects trigger an error. The "no configured projects" path now logs warnings instead of failing immediately, enabling fallback to organization-level discovery.

Changes

Cohort / File(s)	Summary
Project Resolution & Service Initialization pkg/providers/gcp/gcp.go	Deferred Cloud Resource Manager service creation, added project enrichment workflow via enrichWithProjectNumbers(), introduced validation to ensure valid projects remain after resolution, converted error-on-no-projects to non-fatal warning logs enabling organizational fallback.
Test Coverage for New Behaviors pkg/providers/gcp/gcp_test.go	Added two tests: one verifying fallback to organization-level discovery when project listing yields no results, and another confirming that empty configured project IDs fall back gracefully without error.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Poem

🐰 Projects now resolve with care and grace,
Enriched and validated in their place,
When configured IDs lead astray,
Organization-level saves the day!
Resource managers freed with deferred delight,
Fallback logic blooming ever bright! 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main fix: allowing org-level discovery when Projects.List returns zero results, which directly corresponds to the primary change in the changeset.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/gcp-org-no-project-list

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

pkg/providers/gcp/gcp.go (1)

765-780: ⚠️ Potential issue | 🟠 Major

Configured-project validation never rejects unresolved IDs.

projectScope.enrichWithProjectNumbers() in pkg/providers/gcp/gcp.go Lines 1104-1127 only augments the scope; it never removes entries whose Projects.Get lookup fails. Because Line 776 then copies scope.listIDs() back into projects, the new check at Lines 778-780 is effectively unreachable for any non-empty project_ids input. An all-invalid or inaccessible configured list will still create a provider and only fail later during asset discovery.

Suggested fix

resolvedIDs := make([]string, 0, len(ps.orderedIDs))
resolvedAllowedIDs := make(map[string]struct{}, len(ps.orderedIDs))
resolvedAllowedNumbers := make(map[string]struct{}, len(ps.orderedIDs))

for _, id := range ps.orderedIDs {
	project, err := manager.Projects.Get(id).Context(ctx).Do()
	if err != nil {
		if firstErr == nil {
			firstErr = err
		}
		continue
	}
	if project.ProjectId == "" {
		continue
	}

	resolvedIDs = append(resolvedIDs, project.ProjectId)
	resolvedAllowedIDs[project.ProjectId] = struct{}{}

	if project.ProjectNumber != 0 {
		number := strconv.FormatInt(project.ProjectNumber, 10)
		resolvedAllowedNumbers[number] = struct{}{}
	}
}

ps.orderedIDs = resolvedIDs
ps.allowedIDs = resolvedAllowedIDs
ps.allowedNumbers = resolvedAllowedNumbers

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/providers/gcp/gcp.go` around lines 765 - 780, The project-scope
enrichment currently only augments entries and doesn't remove IDs that fail
lookup, so update projectScope.enrichWithProjectNumbers to filter out unresolved
projects: iterate ps.orderedIDs, call
manager.Projects.Get(id).Context(ctx).Do(), skip entries that return an error or
have empty ProjectId, and build new slices/maps (resolvedIDs,
resolvedAllowedIDs, resolvedAllowedNumbers) and then assign them back to
ps.orderedIDs, ps.allowedIDs, ps.allowedNumbers; preserve recording the first
lookup error (firstErr) for reporting but do not retain failed IDs in the scope
so that listIDs() returns only resolved project IDs and the subsequent
empty-check works as intended.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/providers/gcp/gcp_test.go`:
- Around line 11-57: The tests currently call newOrganizationProvider() against
real GCP calls and use empty project_ids which get normalized to nil by
getProjectIDsFromOptions(), so they don't exercise the configured-project
validation; update the tests to inject a mocked client factory (or replace the
client creation hook used by newOrganizationProvider) that simulates
Projects.List returning empty/invalid results and add a case with a non-empty
invalid "project_ids" string to force the configured-project validation path;
specifically, modify
TestNewOrganizationProvider_ConfiguredProjectsStillValidated to provide a mocked
factory that returns no projects for the given IDs and assert that
newOrganizationProvider returns the expected validation error, and keep
TestNewOrganizationProvider_NoProjectsListedFallsBackToOrgLevel using a mocked
factory that returns an error or empty list but with organization_id and no
project_ids to verify org-level behavior.

---

Outside diff comments:
In `@pkg/providers/gcp/gcp.go`:
- Around line 765-780: The project-scope enrichment currently only augments
entries and doesn't remove IDs that fail lookup, so update
projectScope.enrichWithProjectNumbers to filter out unresolved projects: iterate
ps.orderedIDs, call manager.Projects.Get(id).Context(ctx).Do(), skip entries
that return an error or have empty ProjectId, and build new slices/maps
(resolvedIDs, resolvedAllowedIDs, resolvedAllowedNumbers) and then assign them
back to ps.orderedIDs, ps.allowedIDs, ps.allowedNumbers; preserve recording the
first lookup error (firstErr) for reporting but do not retain failed IDs in the
scope so that listIDs() returns only resolved project IDs and the subsequent
empty-check works as intended.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 46cc71e6-3fb0-4da2-9fda-7b3abdac0c6b

📥 Commits

Reviewing files that changed from the base of the PR and between 862e4c5 and 2fc68df.

📒 Files selected for processing (2)

• pkg/providers/gcp/gcp.go
• pkg/providers/gcp/gcp_test.go