/*
* Copyright 2010-2013 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License").
* You may not use this file except in compliance with the License.
* A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
package com.amazonaws.auth.policy;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.UUID;
/**
* A statement is the formal description of a single permission, and is always
* contained within a policy object.
* <p>
* A statement describes a rule for allowing or denying access to a specific AWS
* resource based on how the resource is being accessed, and who is attempting
* to access the resource. Statements can also optionally contain a list of
* conditions that specify when a statement is to be honored.
* <p>
* For example, consider a statement that:
* <ul>
* <li>allows access (the effect)
* <li>for a list of specific AWS account IDs (the principals)
* <li>when accessing an SQS queue (the resource)
* <li>using the SendMessage operation (the action)
* <li>and the request occurs before a specific date (a condition)
* </ul>
*
* <p>
* Statements takes the form: "A has permission to do B to C where D applies".
* <ul>
* <li>A is the <b>principal</b> - the AWS account that is making a request to
* access or modify one of your AWS resources.
* <li>B is the <b>action</b> - the way in which your AWS resource is being accessed or modified, such
* as sending a message to an Amazon SQS queue, or storing an object in an Amazon S3 bucket.
* <li>C is the <b>resource</b> - your AWS entity that the principal wants to access, such
* as an Amazon SQS queue, or an object stored in Amazon S3.
* <li>D is the set of <b>conditions</b> - optional constraints that specify when to allow or deny
* access for the principal to access your resource. Many expressive conditions are available,
* some specific to each service. For example you can use date conditions to allow access to
* your resources only after or before a specific time.
* </ul>
*
* <p>
* There are many resources and conditions available for use in statements, and
* you can combine them to form fine grained custom access control polices.
*/
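public class Statement {

    /**
     * The effect is the result that you want a policy statement to return at
     * evaluation time. A policy statement can either allow access or explicitly
     * deny access.
     */
    public enum Effect {
        Allow, Deny;
    }

    /** Optional statement ID; {@code null} until assigned. */
    private String id;

    /** Allow or Deny; set in the constructor and by {@link #setEffect(Effect)}. */
    private Effect effect;

    // Principals, actions and conditions default to empty lists. Resources
    // intentionally stays null until setResources/withResources is called,
    // so getResources() may return null on a freshly constructed statement.
    private List<Principal> principals = new ArrayList<Principal>();
    private List<Action> actions = new ArrayList<Action>();
    private List<Resource> resources;
    private List<Condition> conditions = new ArrayList<Condition>();

    /**
     * Constructs a new access control policy statement with the specified
     * effect.
     * <p>
     * Before a statement is valid and can be sent to AWS, callers must set the
     * principals, resources, and actions (as well as any optional conditions)
     * involved in the statement.
     *
     * @param effect
     *            The effect this statement has (allowing access or denying
     *            access) when all conditions, resources, principals, and
     *            actions are matched.
     */
    public Statement(Effect effect) {
        this.effect = effect;
        this.id = null;
    }

    /**
     * Returns the ID for this statement. Statement IDs serve to help keep track
     * of multiple statements, and are often used to give the statement a
     * meaningful, human readable name.
     * <p>
     * Statement IDs must be unique within a policy, but are not required to be
     * globally unique.
     * <p>
     * If you do not explicitly assign an ID to a statement, a unique ID will be
     * automatically assigned when the statement is added to a policy.
     * <p>
     * Developers should be careful to not use the same statement ID for
     * multiple statements in the same policy. Reusing the same statement ID in
     * different policies is not a problem.
     *
     * @return The statement ID, or {@code null} if none has been assigned.
     */
    public String getId() {
        return id;
    }

    /**
     * Sets the ID for this statement. Statement IDs serve to help keep track of
     * multiple statements, and are often used to give the statement a
     * meaningful, human readable name.
     * <p>
     * Statement IDs must be unique within a policy, but are not required to be
     * globally unique.
     * <p>
     * If you do not explicitly assign an ID to a statement, a unique ID will be
     * automatically assigned when the statement is added to a policy.
     * <p>
     * Developers should be careful to not use the same statement ID for
     * multiple statements in the same policy. Reusing the same statement ID in
     * different policies is not a problem.
     *
     * @param id
     *            The new statement ID for this statement.
     */
    public void setId(String id) {
        this.id = id;
    }

    /**
     * Sets the ID for this statement and returns the updated statement so
     * multiple calls can be chained together.
     * <p>
     * Statement IDs serve to help keep track of multiple statements, and are
     * often used to give the statement a meaningful, human readable name.
     * <p>
     * If you do not explicitly assign an ID to a statement, a unique ID will be
     * automatically assigned when the statement is added to a policy.
     * <p>
     * Developers should be careful to not use the same statement ID for
     * multiple statements in the same policy. Reusing the same statement ID in
     * different policies is not a problem.
     *
     * @param id
     *            The new statement ID for this statement.
     *
     * @return This statement, so that additional method calls can be chained
     *         together.
     */
    public Statement withId(String id) {
        setId(id);
        return this;
    }

    /**
     * Returns the result effect of this policy statement when it is evaluated.
     * A policy statement can either allow access or explicitly deny access.
     *
     * @return The result effect of this policy statement.
     */
    public Effect getEffect() {
        return effect;
    }

    /**
     * Sets the result effect of this policy statement when it is evaluated. A
     * policy statement can either allow access or explicitly deny access.
     *
     * @param effect
     *            The result effect of this policy statement.
     */
    public void setEffect(Effect effect) {
        this.effect = effect;
    }

    /**
     * Returns the list of actions to which this policy statement applies.
     * Actions limit a policy statement to specific service operations that are
     * being allowed or denied by the policy statement. For example, you might
     * want to allow any AWS user to post messages to your SQS queue using the
     * SendMessage action, but you don't want to allow those users other actions
     * such as ReceiveMessage or DeleteQueue.
     * <p>
     * The returned list is the statement's own backing list, not a copy;
     * modifying it modifies this statement.
     *
     * @return The list of actions to which this policy statement applies
     *         (empty by default, never {@code null}).
     */
    public List<Action> getActions() {
        return actions;
    }

    /**
     * Sets the list of actions to which this policy statement applies. Actions
     * limit a policy statement to specific service operations that are being
     * allowed or denied by the policy statement. For example, you might want to
     * allow any AWS user to post messages to your SQS queue using the
     * SendMessage action, but you don't want to allow those users other actions
     * such as ReceiveMessage or DeleteQueue.
     * <p>
     * The supplied collection is copied, so later changes to it do not affect
     * this statement.
     *
     * @param actions
     *            The list of actions to which this policy statement applies.
     *
     * @throws NullPointerException
     *             if {@code actions} is {@code null}.
     */
    public void setActions(Collection<Action> actions) {
        this.actions = new ArrayList<Action>(actions);
    }

    /**
     * Sets the list of actions to which this policy statement applies and
     * returns this updated Statement object so that additional method calls can
     * be chained together.
     * <p>
     * Actions limit a policy statement to specific service operations that are
     * being allowed or denied by the policy statement. For example, you might
     * want to allow any AWS user to post messages to your SQS queue using the
     * SendMessage action, but you don't want to allow those users other actions
     * such as ReceiveMessage or DeleteQueue.
     *
     * @param actions
     *            The list of actions to which this statement applies.
     *
     * @return The updated Statement object so that additional method calls can
     *         be chained together.
     */
    public Statement withActions(Action... actions) {
        setActions(Arrays.asList(actions));
        return this;
    }

    /**
     * Returns the resources associated with this policy statement. Resources
     * are what a policy statement is allowing or denying access to, such as an
     * Amazon SQS queue or an Amazon SNS topic.
     * <p>
     * Note that some services allow only one resource to be specified per
     * policy statement.
     * <p>
     * The returned list is the statement's own backing list, not a copy;
     * modifying it modifies this statement.
     *
     * @return The resources associated with this policy statement, or
     *         {@code null} if no resources have been set yet.
     */
    public List<Resource> getResources() {
        return resources;
    }

    /**
     * Sets the resources associated with this policy statement. Resources are
     * what a policy statement is allowing or denying access to, such as an
     * Amazon SQS queue or an Amazon SNS topic.
     * <p>
     * Note that some services allow only one resource to be specified per
     * policy statement.
     * <p>
     * The supplied collection is copied, so later changes to it do not affect
     * this statement.
     *
     * @param resources
     *            The resources associated with this policy statement.
     *
     * @throws NullPointerException
     *             if {@code resources} is {@code null}.
     */
    public void setResources(Collection<Resource> resources) {
        this.resources = new ArrayList<Resource>(resources);
    }

    /**
     * Sets the resources associated with this policy statement and returns this
     * updated Statement object so that additional method calls can be chained
     * together.
     * <p>
     * Resources are what a policy statement is allowing or denying access to,
     * such as an Amazon SQS queue or an Amazon SNS topic.
     * <p>
     * Note that some services allow only one resource to be specified per
     * policy statement.
     *
     * @param resources
     *            The resources associated with this policy statement.
     *
     * @return The updated Statement object so that additional method calls can
     *         be chained together.
     */
    public Statement withResources(Resource... resources) {
        setResources(Arrays.asList(resources));
        return this;
    }

    /**
     * Returns the conditions associated with this policy statement. Conditions
     * allow policy statements to be conditionally evaluated based on the many
     * available condition types.
     * <p>
     * For example, a statement that allows access to an Amazon SQS queue could
     * use a condition to only apply the effect of that statement for requests
     * that are made before a certain date, or that originate from a range of IP
     * addresses.
     * <p>
     * When multiple conditions are included in a single statement, all
     * conditions must evaluate to true in order for the statement to take
     * effect.
     * <p>
     * The returned list is the statement's own backing list, not a copy;
     * modifying it modifies this statement.
     *
     * @return The conditions associated with this policy statement (empty by
     *         default, never {@code null}).
     */
    public List<Condition> getConditions() {
        return conditions;
    }

    /**
     * Sets the conditions associated with this policy statement. Conditions
     * allow policy statements to be conditionally evaluated based on the many
     * available condition types.
     * <p>
     * For example, a statement that allows access to an Amazon SQS queue could
     * use a condition to only apply the effect of that statement for requests
     * that are made before a certain date, or that originate from a range of IP
     * addresses.
     * <p>
     * Multiple conditions can be included in a single statement, and all
     * conditions must evaluate to true in order for the statement to take
     * effect.
     * <p>
     * The supplied list is copied, so later changes to it do not affect this
     * statement. Passing {@code null} is treated as "no conditions".
     *
     * @param conditions
     *            The conditions associated with this policy statement.
     */
    public void setConditions(List<Condition> conditions) {
        // Copy, as the other setters do, instead of aliasing the caller's list.
        // Storing the list directly let withConditions() leave a fixed-size
        // Arrays.asList view behind (getConditions().add(...) would throw), and
        // let later external edits of the caller's list silently alter the
        // conditions under which this statement grants or denies access.
        this.conditions = (conditions == null)
                ? new ArrayList<Condition>()
                : new ArrayList<Condition>(conditions);
    }

    /**
     * Sets the conditions associated with this policy statement, and returns
     * this updated Statement object so that additional method calls can be
     * chained together.
     * <p>
     * Conditions allow policy statements to be conditionally evaluated based on
     * the many available condition types.
     * <p>
     * For example, a statement that allows access to an Amazon SQS queue could
     * use a condition to only apply the effect of that statement for requests
     * that are made before a certain date, or that originate from a range of IP
     * addresses.
     * <p>
     * Multiple conditions can be included in a single statement, and all
     * conditions must evaluate to true in order for the statement to take
     * effect.
     *
     * @param conditions
     *            The conditions associated with this policy statement.
     *
     * @return The updated Statement object so that additional method calls can
     *         be chained together.
     */
    public Statement withConditions(Condition... conditions) {
        setConditions(Arrays.asList(conditions));
        return this;
    }

    /**
     * Returns the principals associated with this policy statement, indicating
     * which AWS accounts are affected by this policy statement.
     * <p>
     * The returned list is the statement's own backing list, not a copy;
     * modifying it modifies this statement.
     *
     * @return The list of principals associated with this policy statement
     *         (empty by default, never {@code null}).
     */
    public List<Principal> getPrincipals() {
        return principals;
    }

    /**
     * Sets the principals associated with this policy statement, indicating
     * which AWS accounts are affected by this policy statement.
     * <p>
     * If you don't want to restrict your policy to specific users, you can use
     * {@link Principal#AllUsers} to apply the policy to any user trying to
     * access your resource.
     * <p>
     * The supplied collection is copied, so later changes to it do not affect
     * this statement.
     *
     * @param principals
     *            The list of principals associated with this policy statement.
     *
     * @throws NullPointerException
     *             if {@code principals} is {@code null}.
     */
    public void setPrincipals(Collection<Principal> principals) {
        this.principals = new ArrayList<Principal>(principals);
    }

    /**
     * Sets the principals associated with this policy statement, and returns
     * this updated Statement object. Principals control which AWS accounts are
     * affected by this policy statement.
     * <p>
     * If you don't want to restrict your policy to specific users, you can use
     * {@link Principal#AllUsers} to apply the policy to any user trying to
     * access your resource.
     *
     * @param principals
     *            The list of principals associated with this policy statement.
     *
     * @return The updated Statement object so that additional method calls can
     *         be chained together.
     */
    public Statement withPrincipals(Principal... principals) {
        setPrincipals(Arrays.asList(principals));
        return this;
    }
}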