/**
 * Round-trips a statement whose two conditions share the same comparison type
 * and key through JSON and checks that the parser yields one merged condition
 * carrying both values, in insertion order.
 */
@Test
public void testMultipleConditionKeysForConditionType() throws Exception {
    Statement original = new Statement(Effect.Allow)
            .withResources(new Resource("arn:aws:sqs:us-east-1:987654321000:MyQueue"))
            .withPrincipals(Principal.AllUsers)
            .withActions(new TestAction("foo"))
            .withConditions(
                    new StringCondition(StringComparisonType.StringNotLike, "key1", "foo"),
                    new StringCondition(StringComparisonType.StringNotLike, "key1", "bar"));
    Policy parsed = Policy.fromJson(new Policy().withStatements(original).toJson());

    assertEquals(1, parsed.getStatements().size());
    Statement stmt = new LinkedList<Statement>(parsed.getStatements()).get(0);
    assertEquals(Effect.Allow, stmt.getEffect());
    assertEquals(1, stmt.getActions().size());
    assertEquals("foo", stmt.getActions().get(0).getActionName());

    // Both StringNotLike/key1 conditions collapse into a single condition with two values.
    assertEquals(1, stmt.getConditions().size());
    assertEquals("StringNotLike", stmt.getConditions().get(0).getType());
    assertEquals("key1", stmt.getConditions().get(0).getConditionKey());
    List<String> mergedValues = stmt.getConditions().get(0).getValues();
    assertEquals(2, mergedValues.size());
    assertEquals("foo", mergedValues.get(0));
    assertEquals("bar", mergedValues.get(1));
}
/**
 * Parses a statement that omits "Effect" and verifies the parser falls back to
 * {@link Effect#Deny}: an unspecified effect must never turn into a grant.
 */
@Test
public void testPolicyParsingWithNoEffect() {
    String json = "{"
            + "\"Statement\": [{"
            + "\"Action\": ["
            + "\"elasticmapreduce:*\","
            + "\"iam:PassRole\""
            + "],"
            + "\"Resource\": [\"*\"]"
            + "}]"
            + "}";
    Policy parsed = Policy.fromJson(json);
    assertEquals(1, parsed.getStatements().size());

    List<Statement> statements = new LinkedList<Statement>(parsed.getStatements());
    assertEquals(1, statements.size());
    assertEquals(Effect.Deny, statements.get(0).getEffect());
}
/**
 * Parses a trust policy whose principal is the CloudHSM service and checks that
 * the service principal is resolved to the {@code Services.AWSCloudHSM} entry
 * with provider "Service".
 */
@Test
public void testCloudHSMServicePrincipal() {
    String json = "{"
            + "\"Version\":\"2008-10-17\","
            + "\"Statement\":["
            + "{\"Sid\":\"\","
            + "\"Effect\":\"Allow\","
            + "\"Principal\":{\"Service\":\"cloudhsm.amazonaws.com\"},"
            + "\"Action\":\"sts:AssumeRole\"}"
            + "]"
            + "}";
    Policy parsed = Policy.fromJson(json);
    assertEquals(POLICY_VERSION, parsed.getVersion());

    List<Statement> statements = new LinkedList<Statement>(parsed.getStatements());
    assertEquals(1, statements.size());
    Statement stmt = statements.get(0);
    assertEquals(Effect.Allow, stmt.getEffect());
    assertEquals(1, stmt.getActions().size());
    assertEquals("sts:AssumeRole", stmt.getActions().get(0).getActionName());
    assertEquals(0, stmt.getConditions().size());

    assertEquals(1, stmt.getPrincipals().size());
    assertEquals("Service", stmt.getPrincipals().get(0).getProvider());
    assertEquals(Services.AWSCloudHSM.getServiceId(), stmt.getPrincipals().get(0).getId());
}
/**
 * This test case was written as result of the following TT
 *
 * @see TT:0030871921
 *
 * When a service is mentioned in the principal, we always try to
 * figure out the service from
 * <code>com.amazonaws.auth.policy.Principal.Services</code> enum. For
 * new services introduced, if the enum is not updated, then the parsing
 * fails. The fixture below uses a service id that is not in the enum and
 * expects it to be preserved verbatim as the principal id.
 */
@Test
public void testPrincipalWithServiceNotInServicesEnum() {
    String json = "{"
            + "\"Version\":\"2008-10-17\","
            + "\"Statement\":["
            + "{"
            + "\"Sid\":\"\","
            + "\"Effect\":\"Allow\","
            + "\"Principal\":{"
            + "\"Service\":\"workspaces.amazonaws.com\" "
            + "},"
            + "\"Action\":\"sts:AssumeRole\""
            + "}"
            + "]"
            + "}";
    Policy parsed = Policy.fromJson(json);
    assertEquals(POLICY_VERSION, parsed.getVersion());

    List<Statement> statements = new LinkedList<Statement>(parsed.getStatements());
    assertEquals(1, statements.size());
    Statement stmt = statements.get(0);
    assertEquals(Effect.Allow, stmt.getEffect());
    assertEquals(1, stmt.getActions().size());
    assertEquals("sts:AssumeRole", stmt.getActions().get(0).getActionName());
    assertEquals(0, stmt.getConditions().size());

    // Unknown service ids must not be dropped or rewritten by the enum lookup.
    assertEquals(1, stmt.getPrincipals().size());
    assertEquals("workspaces.amazonaws.com", stmt.getPrincipals().get(0).getId());
    assertEquals("Service", stmt.getPrincipals().get(0).getProvider());
}
/**
 * Tests that a policy correctly assigns unique statement IDs to any added
 * statements without IDs yet.
 */
@Test
public void testStatementIdAssignment() throws Exception {
    Statement allowWithIdZero = new Statement(Effect.Allow).withId("0")
            .withPrincipals(Principal.AllUsers)
            .withActions(new TestAction("action1"));
    Statement allowWithIdOne = new Statement(Effect.Allow).withId("1")
            .withPrincipals(Principal.AllUsers)
            .withActions(new TestAction("action1"));
    // Deliberately has no id: the policy must pick one that does not clash with "0" or "1".
    Statement denyWithoutId = new Statement(Effect.Deny)
            .withPrincipals(Principal.AllUsers)
            .withActions(new TestAction("action2"));

    Policy policy = new Policy("S3PolicyId1")
            .withStatements(allowWithIdZero, allowWithIdOne, denyWithoutId);
    assertValidStatementIds(policy);
}
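/**
 * Subscribes the SQS queue at {@code sqsQueueUrl} to the SNS topic {@code snsTopicArn}.
 * <p>
 * The queue's access policy is <em>replaced</em> with a single statement that lets
 * any principal call {@code SQSActions.SendMessage} on the queue, restricted by a
 * source-ARN condition to the given topic. Whatever policy the queue previously had
 * is not preserved; callers that need to keep existing statements must merge them
 * themselves.
 *
 * @param snsTopicArn ARN of the topic whose messages should be delivered to the queue
 * @param sqsQueueUrl URL of the queue to subscribe
 * @return the subscription ARN returned by SNS
 * @throws IllegalStateException if SQS does not report an ARN for the queue
 */
public String subscribeQueueToTopic(String snsTopicArn, String sqsQueueUrl) {
    // The queue ARN is needed twice: as the policy resource and as the SNS endpoint.
    Map<String, String> queueAttributes = sqsClient.getQueueAttributes(
            new GetQueueAttributesRequest(sqsQueueUrl)
                    .withAttributeNames(QueueAttributeName.QueueArn.toString()))
            .getAttributes();
    String sqsQueueArn = queueAttributes.get(QueueAttributeName.QueueArn.toString());
    if (sqsQueueArn == null) {
        // Without this guard a missing attribute would silently produce a policy on a null resource.
        throw new IllegalStateException("SQS did not return a QueueArn attribute for " + sqsQueueUrl);
    }

    Policy policy = new Policy().withStatements(
            new Statement(Effect.Allow)
                    .withId("topic-subscription-" + snsTopicArn)
                    .withPrincipals(Principal.AllUsers)
                    .withActions(SQSActions.SendMessage)
                    .withResources(new Resource(sqsQueueArn))
                    // The source-ARN condition is what keeps AllUsers from meaning "anyone":
                    // only deliveries originating from this topic are allowed.
                    .withConditions(ConditionFactory.newSourceArnCondition(snsTopicArn)));
    // Serialize once; the same document is logged and applied.
    String policyJson = policy.toJson();
    logger.debug("Policy: " + policyJson);

    Map<String, String> policyAttribute = new HashMap<String, String>();
    policyAttribute.put(QueueAttributeName.Policy.toString(), policyJson);
    sqsClient.setQueueAttributes(new SetQueueAttributesRequest(sqsQueueUrl, policyAttribute));

    SubscribeResult subscribeResult = snsClient.subscribe(new SubscribeRequest()
            .withEndpoint(sqsQueueArn)
            .withProtocol("sqs")
            .withTopicArn(snsTopicArn));
    return subscribeResult.getSubscriptionArn();
}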
/**
 * Creates a <code>Statement</code> instance from the statement node.
 *
 * A statement consists of an Effect, id (optional), principal, action, resource,
 * and conditions.
 * <p>
 * principal is the AWS account that is making a request to access or modify one of your AWS resources.
 * <p>
 * action is the way in which your AWS resource is being accessed or modified, such as sending a message to an Amazon SQS queue, or storing an object in an Amazon S3 bucket.
 * <p>
 * resource is the AWS entity that the principal wants to access, such as an Amazon SQS queue, or an object stored in Amazon S3.
 * <p>
 * conditions are the optional constraints that specify when to allow or deny access for the principal to access your resource. Many expressive conditions are available, some specific to each service. For example, you can use date conditions to allow access to your resources only after or before a specific time.
 * <p>
 * A statement with no "Effect" field is parsed as {@link Effect#Deny}, so an
 * incomplete document can never be read as a grant. Every other field is optional
 * here and simply left unset when absent.
 *
 * @param jStatement
 *            JsonNode representing the statement.
 * @return a reference to the statement instance created.
 * @throws IllegalArgumentException if "Effect" is present but is not a literal
 *             {@link Effect} name (from {@code Effect.valueOf}).
 */
private Statement statementOf(JsonNode jStatement) {
    JsonNode effectNode = jStatement.get(JsonDocumentFields.STATEMENT_EFFECT);
    Effect effect;
    if (isNotNull(effectNode)) {
        effect = Effect.valueOf(effectNode.asText());
    } else {
        // Fail closed: missing Effect means Deny.
        effect = Effect.Deny;
    }
    Statement statement = new Statement(effect);

    JsonNode idNode = jStatement.get(JsonDocumentFields.STATEMENT_ID);
    if (isNotNull(idNode)) {
        statement.setId(idNode.asText());
    }

    JsonNode actionNode = jStatement.get(JsonDocumentFields.ACTION);
    if (isNotNull(actionNode)) {
        statement.setActions(actionsOf(actionNode));
    }

    JsonNode resourceNode = jStatement.get(JsonDocumentFields.RESOURCE);
    if (isNotNull(resourceNode)) {
        statement.setResources(resourcesOf(resourceNode));
    }

    JsonNode conditionNode = jStatement.get(JsonDocumentFields.CONDITION);
    if (isNotNull(conditionNode)) {
        statement.setConditions(conditionsOf(conditionNode));
    }

    JsonNode principalNode = jStatement.get(JsonDocumentFields.PRINCIPAL);
    if (isNotNull(principalNode)) {
        statement.setPrincipals(principalOf(principalNode));
    }

    return statement;
}
/**
 * Parses a document where Action, Principal and the condition value are written
 * as scalars instead of JSON arrays, and checks each one is still read as a
 * single-element list.
 */
@Test
public void testNoJsonArray() {
    String json = "{"
            + "\"Version\": \"2012-10-17\","
            + "\"Statement\": ["
            + "{"
            + "\"Effect\": \"Allow\","
            + "\"Principal\": {"
            + "\"AWS\": \"*\""
            + "},"
            + "\"Action\": \"sts:AssumeRole\","
            + "\"Condition\": {"
            + "\"IpAddress\": {"
            + " \"aws:SourceIp\": \"10.10.10.10/32\""
            + "}"
            + "}"
            + "}"
            + "]"
            + "}";
    Policy parsed = Policy.fromJson(json);
    assertEquals(POLICY_VERSION, parsed.getVersion());

    List<Statement> statements = new LinkedList<Statement>(parsed.getStatements());
    assertEquals(1, statements.size());
    Statement stmt = statements.get(0);
    assertEquals(Effect.Allow, stmt.getEffect());
    assertEquals(1, stmt.getActions().size());
    assertEquals("sts:AssumeRole", stmt.getActions().get(0).getActionName());

    assertEquals(1, stmt.getConditions().size());
    assertEquals("IpAddress", stmt.getConditions().get(0).getType());
    assertEquals("aws:SourceIp", stmt.getConditions().get(0).getConditionKey());
    List<String> conditionValues = stmt.getConditions().get(0).getValues();
    assertEquals(1, conditionValues.size());
    assertEquals("10.10.10.10/32", conditionValues.get(0));

    assertEquals(1, stmt.getPrincipals().size());
    assertEquals("*", stmt.getPrincipals().get(0).getId());
    assertEquals("AWS", stmt.getPrincipals().get(0).getProvider());
}
/**
 * Tests that SAML-based federated user is supported as principal.
 * The federated provider ARN must come back as the principal id with provider
 * "Federated", and the SAML:aud condition must survive the parse.
 */
@Test
public void testFederatedUserBySAMLProvider() {
    String json = "{"
            + "\"Version\":\"2012-10-17\","
            + "\"Statement\":["
            + "{"
            + "\"Sid\":\"\","
            + "\"Effect\":\"Allow\","
            + "\"Principal\":{"
            + "\"Federated\":\"arn:aws:iam::862954416975:saml-provider/myprovider\""
            + "},"
            + "\"Action\":\"sts:AssumeRoleWithSAML\","
            + "\"Condition\":{"
            + "\"StringEquals\":{"
            + "\"SAML:aud\":\"https://signin.aws.amazon.com/saml\""
            + "}"
            + "}"
            + "}"
            + "]"
            + "}";
    Policy parsed = Policy.fromJson(json);
    assertEquals(POLICY_VERSION, parsed.getVersion());

    List<Statement> statements = new LinkedList<Statement>(parsed.getStatements());
    assertEquals(1, statements.size());
    Statement stmt = statements.get(0);
    assertEquals(Effect.Allow, stmt.getEffect());
    assertEquals(1, stmt.getActions().size());
    assertEquals("sts:AssumeRoleWithSAML", stmt.getActions().get(0).getActionName());

    assertEquals(1, stmt.getConditions().size());
    assertEquals("StringEquals", stmt.getConditions().get(0).getType());
    assertEquals("SAML:aud", stmt.getConditions().get(0).getConditionKey());
    List<String> conditionValues = stmt.getConditions().get(0).getValues();
    assertEquals(1, conditionValues.size());
    assertEquals("https://signin.aws.amazon.com/saml", conditionValues.get(0));

    assertEquals(1, stmt.getPrincipals().size());
    assertEquals("arn:aws:iam::862954416975:saml-provider/myprovider",
            stmt.getPrincipals().get(0).getId());
    assertEquals("Federated", stmt.getPrincipals().get(0).getProvider());
}
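/**
 * Policies with multiple conditions that use the same comparison type must
 * be merged together in the JSON format, otherwise there will be two keys
 * with the same name and one will override the other.
 * <p>
 * Serializes such a policy and inspects the raw JSON: the "Condition" object
 * must hold exactly one entry for StringNotLike, keyed by "key1".
 */
@Test
public void testMultipleConditionKeysForConditionType() throws Exception {
    Policy policy = new Policy();
    policy.withStatements(new Statement(Effect.Allow)
            .withResources(new Resource("arn:aws:sqs:us-east-1:987654321000:MyQueue"))
            .withPrincipals(Principal.AllUsers)
            .withActions(new TestAction("foo"))
            .withConditions(
                    new StringCondition(StringComparisonType.StringNotLike, "key1", "foo"),
                    new StringCondition(StringComparisonType.StringNotLike, "key1", "bar")));

    JsonNode jsonPolicy = Jackson.jsonNodeOf(policy.toJson());
    JsonNode statementArray = jsonPolicy.get("Statement");
    // JUnit's assertEquals takes (expected, actual); the original had them swapped,
    // which produced misleading failure messages.
    assertEquals(1, statementArray.size());

    JsonNode conditions = statementArray.get(0).get("Condition");
    assertEquals(1, conditions.size());

    JsonNode stringNotLikeCondition = conditions.get(StringComparisonType.StringNotLike.toString());
    assertTrue(stringNotLikeCondition.has("key1"));
    assertFalse(stringNotLikeCondition.has("key2"));
    assertValidStatementIds(policy);
}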
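/**
 * Tests serializing a more complex policy object with multiple statements.
 * Checks the top-level "Id" and that every serialized statement carries all
 * six fields (Sid, Effect, Principal, Action, Resource, Condition).
 */
@Test
public void testMultipleStatements() throws Exception {
    Policy policy = new Policy("S3PolicyId1");
    policy.withStatements(
            new Statement(Effect.Allow)
                    .withPrincipals(Principal.AllUsers)
                    .withActions(new TestAction("action1"))
                    .withResources(new Resource("resource"))
                    .withConditions(
                            new IpAddressCondition("192.168.143.0/24"),
                            new IpAddressCondition(IpAddressComparisonType.NotIpAddress,
                                    "192.168.143.188/32")),
            new Statement(Effect.Deny)
                    .withPrincipals(Principal.AllUsers)
                    .withActions(new TestAction("action2"))
                    .withResources(new Resource("resource"))
                    .withConditions(new IpAddressCondition("10.1.2.0/24")));

    JsonNode jsonPolicy = Jackson.jsonNodeOf(policy.toJson());
    assertTrue(jsonPolicy.has("Id"));

    JsonNode statementArray = jsonPolicy.get("Statement");
    // JUnit's assertEquals takes (expected, actual); the original had them swapped.
    assertEquals(2, statementArray.size());
    assertValidStatementIds(policy);

    for (int i = 0; i < statementArray.size(); i++) {
        JsonNode statement = statementArray.get(i);
        assertTrue(statement.has("Sid"));
        assertTrue(statement.has("Effect"));
        assertTrue(statement.has("Principal"));
        assertTrue(statement.has("Action"));
        assertTrue(statement.has("Resource"));
        assertTrue(statement.has("Condition"));
    }
}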
/**
 * Builds the JSON access policy that lets the given AWS accounts send messages to
 * this queue.
 * <p>
 * NOTE(review): an empty {@code accountIds} yields a statement with no Principal at
 * all; confirm callers never pass an empty list, since the resulting document is
 * not a usable grant.
 *
 * @param accountIds AWS account ids that become the statement's principals
 * @return the policy document as JSON
 */
private String getPolicy(List<String> accountIds) {
    Statement allowSend = new Statement(Effect.Allow)
            .withActions(SQSActions.SendMessage);
    for (String accountId : accountIds) {
        allowSend.getPrincipals().add(new Principal(accountId));
    }
    // Scope the grant to this queue only.
    allowSend.withResources(new Resource(getQueueARN()));

    Policy policy = new Policy("AuthorizedWorkerAccessPolicy");
    policy.getStatements().add(allowSend);
    return policy.toJson();
}
/**
 * Adds a permission to allow the specified actions to the given KMS key id.
 * <p>
 * NOTE(review): {@code kmsKeyId} is used verbatim as the resource ARN and is not
 * validated here; a wildcard or a key in another account widens the grant
 * accordingly, so callers should not pass untrusted values.
 *
 * @param kmsKeyId Full ARN to the kms key
 * @param actions List of actions
 *
 * @return This builder
 */
@SuppressWarnings("PMD.CloseResource")
public AwsPolicyBuilder withKms(String kmsKeyId, KmsActions... actions) {
    Statement allowOnKey = new Statement(Effect.Allow)
            .withActions(actions)
            .withResources(new Resource(kmsKeyId));
    policy.getStatements().add(allowOnKey);
    return this;
}
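/**
 * Adds a permission to allow the specified actions to the given bucket and s3 object key. The permission will allow the given actions only to the specified
 * object key. If object key is null, the permission is applied to the bucket itself.
 * <p>
 * The resource ARN is built by plain concatenation. An object key containing
 * {@code *} is an IAM wildcard and widens the grant to every matching key, so
 * callers passing user-supplied keys should validate them first.
 *
 * @param bucketName S3 bucket name; must not be null
 * @param objectKey S3 object key, or null to target the bucket itself
 * @param actions List of actions to allow
 *
 * @return This builder
 * @throws IllegalArgumentException if {@code bucketName} is null
 */
@SuppressWarnings("PMD.CloseResource")
public AwsPolicyBuilder withS3(String bucketName, String objectKey, S3Actions... actions) {
    if (bucketName == null) {
        // Without this guard a null bucket silently became a grant on "arn:aws:s3:::null".
        throw new IllegalArgumentException("bucketName must not be null");
    }
    String resource = "arn:aws:s3:::" + bucketName;
    if (objectKey != null) {
        resource += "/" + objectKey;
    }

    Statement statement = new Statement(Effect.Allow);
    statement.setActions(Arrays.asList(actions));
    statement.setResources(Arrays.asList(new Resource(resource)));
    policy.getStatements().add(statement);
    return this;
}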
/**
 * Serializes a one-statement Allow policy with the given principals, parses it
 * back and returns that statement, after checking the statement count and effect.
 */
private Statement roundTripPrincipals(Principal... principals) {
    Policy policy = new Policy().withStatements(new Statement(Effect.Allow)
            .withResources(new Resource("resource"))
            .withPrincipals(principals)
            .withActions(new TestAction("action")));
    Policy parsed = Policy.fromJson(policy.toJson());
    assertEquals(1, parsed.getStatements().size());
    Statement stmt = new LinkedList<Statement>(parsed.getStatements()).get(0);
    assertEquals(Effect.Allow, stmt.getEffect());
    return stmt;
}

/**
 * Round-trips statements with several principal flavours — account ids, service
 * principals, the wildcard {@code Principal.All} and the three provider-wide
 * constants — through JSON and checks that provider and id survive, in order.
 */
@Test
public void testPrincipals() {
    // 1. Plain AWS account ids.
    Statement byAccount = roundTripPrincipals(
            new Principal("accountId1"), new Principal("accountId2"));
    assertEquals("action", byAccount.getActions().get(0).getActionName());
    assertEquals("resource", byAccount.getResources().get(0).getId());
    assertEquals(2, byAccount.getPrincipals().size());
    assertEquals("AWS", byAccount.getPrincipals().get(0).getProvider());
    assertEquals("accountId1", byAccount.getPrincipals().get(0).getId());
    assertEquals("AWS", byAccount.getPrincipals().get(1).getProvider());
    assertEquals("accountId2", byAccount.getPrincipals().get(1).getId());

    // 2. Service principals.
    Statement byService = roundTripPrincipals(
            new Principal(Services.AmazonEC2), new Principal(Services.AmazonElasticTranscoder));
    assertEquals(1, byService.getActions().size());
    assertEquals("action", byService.getActions().get(0).getActionName());
    assertEquals(2, byService.getPrincipals().size());
    assertEquals("Service", byService.getPrincipals().get(0).getProvider());
    assertEquals(Services.AmazonEC2.getServiceId(), byService.getPrincipals().get(0).getId());
    assertEquals("Service", byService.getPrincipals().get(1).getProvider());
    assertEquals(Services.AmazonElasticTranscoder.getServiceId(),
            byService.getPrincipals().get(1).getId());

    // 3. The wildcard principal.
    Statement wildcard = roundTripPrincipals(Principal.All);
    assertEquals(1, wildcard.getActions().size());
    assertEquals("action", wildcard.getActions().get(0).getActionName());
    assertEquals(1, wildcard.getPrincipals().size());
    assertEquals(Principal.All, wildcard.getPrincipals().get(0));

    // 4. One "all" constant per provider; order must be preserved.
    Statement providerWide = roundTripPrincipals(
            Principal.AllUsers, Principal.AllServices, Principal.AllWebProviders);
    assertEquals(1, providerWide.getActions().size());
    assertEquals("action", providerWide.getActions().get(0).getActionName());
    assertEquals(3, providerWide.getPrincipals().size());
    assertThat(providerWide.getPrincipals(),
            contains(Principal.AllUsers, Principal.AllServices, Principal.AllWebProviders));
}
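/**
 * Round-trips a two-statement policy through JSON and checks every field of both
 * statements, including each condition's type, key and value.
 * <p>
 * The second statement's condition is checked on {@code statements.get(1)}; the
 * original test re-checked statement 0 there by copy/paste, so the Deny
 * statement's condition key and value count were never actually verified.
 */
@Test
public void testMultipleStatements() throws Exception {
    Policy policy = new Policy("S3PolicyId1");
    policy.withStatements(
            new Statement(Effect.Allow)
                    .withId("0")
                    .withPrincipals(Principal.AllUsers)
                    .withActions(new TestAction("action1"))
                    .withResources(new Resource("resource"))
                    .withConditions(
                            new IpAddressCondition("192.168.143.0/24"),
                            new IpAddressCondition(IpAddressComparisonType.NotIpAddress,
                                    "192.168.143.188/32")),
            new Statement(Effect.Deny)
                    .withId("1")
                    .withPrincipals(Principal.AllUsers)
                    .withActions(new TestAction("action2"))
                    .withResources(new Resource("resource"))
                    .withConditions(new IpAddressCondition("10.1.2.0/24")));

    policy = Policy.fromJson(policy.toJson());
    assertEquals(2, policy.getStatements().size());
    assertEquals("S3PolicyId1", policy.getId());
    List<Statement> statements = new LinkedList<Statement>(policy.getStatements());

    // Statement 0: Allow action1 from 192.168.143.0/24 except 192.168.143.188.
    Statement allow = statements.get(0);
    assertEquals(Effect.Allow, allow.getEffect());
    assertEquals("0", allow.getId());
    assertEquals(1, allow.getPrincipals().size());
    assertEquals("*", allow.getPrincipals().get(0).getId());
    assertEquals("AWS", allow.getPrincipals().get(0).getProvider());
    assertEquals(1, allow.getResources().size());
    assertEquals("resource", allow.getResources().get(0).getId());
    assertEquals(1, allow.getActions().size());
    assertEquals("action1", allow.getActions().get(0).getActionName());
    assertEquals(2, allow.getConditions().size());
    assertEquals("IpAddress", allow.getConditions().get(0).getType());
    assertEquals(ConditionFactory.SOURCE_IP_CONDITION_KEY, allow.getConditions().get(0).getConditionKey());
    assertEquals(1, allow.getConditions().get(0).getValues().size());
    assertEquals("192.168.143.0/24", allow.getConditions().get(0).getValues().get(0));
    assertEquals("NotIpAddress", allow.getConditions().get(1).getType());
    assertEquals(ConditionFactory.SOURCE_IP_CONDITION_KEY, allow.getConditions().get(1).getConditionKey());
    assertEquals(1, allow.getConditions().get(1).getValues().size());
    assertEquals("192.168.143.188/32", allow.getConditions().get(1).getValues().get(0));

    // Statement 1: Deny action2 from 10.1.2.0/24.
    Statement deny = statements.get(1);
    assertEquals(Effect.Deny, deny.getEffect());
    assertEquals("1", deny.getId());
    assertEquals(1, deny.getPrincipals().size());
    assertEquals("*", deny.getPrincipals().get(0).getId());
    assertEquals("AWS", deny.getPrincipals().get(0).getProvider());
    assertEquals(1, deny.getResources().size());
    assertEquals("resource", deny.getResources().get(0).getId());
    assertEquals(1, deny.getActions().size());
    assertEquals("action2", deny.getActions().get(0).getActionName());
    assertEquals(1, deny.getConditions().size());
    assertEquals("IpAddress", deny.getConditions().get(0).getType());
    assertEquals(ConditionFactory.SOURCE_IP_CONDITION_KEY, deny.getConditions().get(0).getConditionKey());
    assertEquals(1, deny.getConditions().get(0).getValues().size());
    assertEquals("10.1.2.0/24", deny.getConditions().get(0).getValues().get(0));
}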