/** * Generates a list of condition from the Json node. * * @param conditionNodes * the condition Json node to be parsed. * @return the list of conditions. */ private List<Condition> conditionsOf(JsonNode conditionNodes) { List<Condition> conditionList = new LinkedList<Condition>(); Iterator<Map.Entry<String, JsonNode>> mapOfConditions = conditionNodes .fields(); Entry<String, JsonNode> condition; while (mapOfConditions.hasNext()) { condition = mapOfConditions.next(); convertConditionRecord(conditionList, condition.getKey(), condition.getValue()); } return conditionList; }
/** * Writes the list of conditions to the JSONGenerator. * * @param conditions * the conditions to be written. */ private void writeConditions(List<Condition> conditions) throws JsonGenerationException, IOException { Map<String, ConditionsByKey> conditionsByType = groupConditionsByTypeAndKey(conditions); writeJsonObjectStart(JsonDocumentFields.CONDITION); ConditionsByKey conditionsByKey; for (Map.Entry<String, ConditionsByKey> entry : conditionsByType .entrySet()) { conditionsByKey = conditionsByType.get(entry.getKey()); writeJsonObjectStart(entry.getKey()); for (String key : conditionsByKey.keySet()) { writeJsonArray(key, conditionsByKey.getConditionsByKey(key)); } writeJsonObjectEnd(); } writeJsonObjectEnd(); }
/** * Groups the list of <code>Condition</code>s by the condition type and * condition key. * * @param conditions * the list of conditions to be grouped * @return a map of conditions grouped by type and then key. */ private Map<String, ConditionsByKey> groupConditionsByTypeAndKey( List<Condition> conditions) { Map<String, ConditionsByKey> conditionsByType = new LinkedHashMap<String, ConditionsByKey>(); String type; String key; ConditionsByKey conditionsByKey; for (Condition condition : conditions) { type = condition.getType(); key = condition.getConditionKey(); if (!(conditionsByType.containsKey(type))) { conditionsByType.put(type, new ConditionsByKey()); } conditionsByKey = conditionsByType.get(type); conditionsByKey.addValuesToKey(key, condition.getValues()); } return conditionsByType; }
/** * Generates a condition instance for each condition type under the * Condition Json node. * * @param conditions * the complete list of conditions * @param conditionType * the condition type for the condition being created. * @param conditionNode * each condition node to be parsed. */ private void convertConditionRecord(List<Condition> conditions, String conditionType, JsonNode conditionNode) { Iterator<Map.Entry<String, JsonNode>> mapOfFields = conditionNode .fields(); List<String> values; Entry<String, JsonNode> field; JsonNode fieldValue; Iterator<JsonNode> elements; while (mapOfFields.hasNext()) { values = new LinkedList<String>(); field = mapOfFields.next(); fieldValue = field.getValue(); if (fieldValue.isArray()) { elements = fieldValue.elements(); while (elements.hasNext()) { values.add(elements.next().asText()); } } else { values.add(fieldValue.asText()); } conditions.add(new Condition().withType(conditionType) .withConditionKey(field.getKey()).withValues(values)); } }
private static Statement getListBucketStatement(String bucket, String userName) { return new Statement(Statement.Effect.Allow) .withActions( () -> "s3:ListBucket" ) .withResources(new Resource("arn:aws:s3:::" + bucket)) .withConditions( new Condition() .withType("StringEquals") .withConditionKey("s3:prefix") .withValues(userName+"/") ); }
private Boolean statementEquals(Statement statement1, Statement statement2) { List<Action> actions1 = statement1.getActions(); List<Action> actions2 = statement2.getActions(); boolean actionMatches = actions1.size() == actions2.size() && actions1.stream().allMatch(action1 -> actions2.stream().anyMatch(action2 -> action1.getActionName().equals(action2.getActionName()))); if (!actionMatches) return false; boolean effectMatches = statement1.getEffect().equals(statement2.getEffect()); if (!effectMatches) return false; List<Resource> resources1 = statement1.getResources(); List<Resource> resources2 = statement2.getResources(); boolean resourceMatches = resources1.size() == resources2.size() && resources1.stream().allMatch(resource1 -> resources2.stream().anyMatch(resource2 -> resource1.getId().equals(resource2.getId()))); if (!resourceMatches) return false; List<Condition> conditions1 = statement1.getConditions(); List<Condition> conditions2 = statement2.getConditions(); boolean conditionMatches = conditions1.size() == conditions2.size() && conditions1.stream().allMatch(condition1 -> conditions2.stream().anyMatch(condition2 -> conditionEquals(condition1, condition2))); if (!conditionMatches) return false; List<Principal> principals1 = statement1.getPrincipals(); List<Principal> principals2 = statement2.getPrincipals(); boolean principleMatches = principals1.size() == principals2.size() && principals1.stream().allMatch(principle1 -> principals2.stream().anyMatch(principal2 -> principleEquals(principle1, principal2))); if (!principleMatches) return false; return true; }
private boolean conditionEquals(Condition condition1, Condition condition2) { if (!condition1.getConditionKey().equals(condition2.getConditionKey())) return false; if (!condition1.getType().equals(condition2.getType())) return false; List<String> values2 = condition2.getValues(); if (condition1.getValues().size() != values2.size()) return false; for (String value : condition1.getValues()) { if (!values2.contains(value)) return false; } return true; }
/** * Converts the given <code>Policy</code> into a JSON String. * * @param policy * the policy to be converted. * @return a JSON String of the specified policy object. */ private String jsonStringOf(Policy policy) throws JsonGenerationException, IOException { generator.writeStartObject(); writeJsonKeyValue(JsonDocumentFields.VERSION, policy.getVersion()); if (isNotNull(policy.getId())) writeJsonKeyValue(JsonDocumentFields.POLICY_ID, policy.getId()); writeJsonArrayStart(JsonDocumentFields.STATEMENT); for (Statement statement : policy.getStatements()) { generator.writeStartObject(); if (isNotNull(statement.getId())) { writeJsonKeyValue(JsonDocumentFields.STATEMENT_ID, statement.getId()); } writeJsonKeyValue(JsonDocumentFields.STATEMENT_EFFECT, statement .getEffect().toString()); List<Principal> principals = statement.getPrincipals(); if (isNotNull(principals) && !principals.isEmpty()) writePrincipals(principals); List<Action> actions = statement.getActions(); if (isNotNull(actions) && !actions.isEmpty()) writeActions(actions); List<Resource> resources = statement.getResources(); if (isNotNull(resources) && !resources.isEmpty()) writeResources(resources); List<Condition> conditions = statement.getConditions(); if (isNotNull(conditions) && !conditions.isEmpty()) writeConditions(conditions); generator.writeEndObject(); } writeJsonArrayEnd(); generator.writeEndObject(); generator.flush(); return writer.toString(); }
/** * Constructs a new access policy condition that compares the Amazon * Resource Name (ARN) of the source of an AWS resource that is modifying * another AWS resource with the specified pattern. * <p> * For example, the source ARN could be an Amazon SNS topic ARN that is * sending messages to an Amazon SQS queue. In that case, the SNS topic ARN * would be compared the ARN pattern specified here. * <p> * The endpoint pattern may optionally contain the multi-character wildcard * (*) or the single-character wildcard (?). Each of the six colon-delimited * components of the ARN is checked separately and each can include a * wildcard. * * <pre class="brush: java"> * Policy policy = new Policy("MyQueuePolicy"); * policy.withStatements(new Statement("AllowSNSMessages", Effect.Allow) * .withPrincipals(new Principal("*")).withActions(SQSActions.SendMessage) * .withResources(new Resource(myQueueArn)) * .withConditions(ConditionFactory.newSourceArnCondition(myTopicArn))); * </pre> * * @param arnPattern * The ARN pattern against which the source ARN will be compared. * Each of the six colon-delimited components of the ARN is * checked separately and each can include a wildcard. * * @return A new access control policy condition that compares the ARN of * the source specified in an incoming request with the ARN pattern * specified here. */ public static Condition newSourceArnCondition(String arnPattern) { return new ArnCondition(ArnComparisonType.ArnLike, SOURCE_ARN_CONDITION_KEY, arnPattern); }
/** * Constructs a new access control policy condition that tests if the * incoming request was sent over a secure transport (HTTPS). * * @return A new access control policy condition that tests if the incoming * request was sent over a secure transport (HTTPS). */ public static Condition newSecureTransportCondition() { return new BooleanCondition(SECURE_TRANSPORT_CONDITION_KEY, true); }
/** * Constructs a new access control policy condition that tests the incoming * request's user agent field against the specified value, using the * specified comparison type. This condition can be used to allow or deny * access to a resource based on what user agent is specified in the * request. * * @param comparisonType * The type of string comparison to perform when testing an * incoming request's user agent field with the specified value. * @param value * The value against which to compare the incoming request's user * agent. * * @return A new access control policy condition that tests an incoming * request's user agent field. */ public static Condition newUserAgentCondition(StringComparisonType comparisonType, String value) { return new StringCondition(comparisonType, USER_AGENT_CONDITION_KEY, value); }
/** * Constructs a new access control policy condition that tests the incoming * request's referer field against the specified value, using the specified * comparison type. * * @param comparisonType * The type of string comparison to perform when testing an * incoming request's referer field with the specified value. * @param value * The value against which to compare the incoming request's * referer field. * * @return A new access control policy condition that tests an incoming * request's referer field. */ public static Condition newRefererCondition(StringComparisonType comparisonType, String value) { return new StringCondition(comparisonType, REFERER_CONDITION_KEY, value); }
/** * Constructs a new access policy condition that compares an Amazon S3 * canned ACL with the canned ACL specified by an incoming request. * <p> * You can use this condition to ensure that any objects uploaded to an * Amazon S3 bucket have a specific canned ACL set. * * @param cannedAcl * The Amazon S3 canned ACL to compare against. * * @return A new access control policy condition that compares the Amazon S3 * canned ACL specified in incoming requests against the value * specified. */ public static Condition newCannedACLCondition(CannedAccessControlList cannedAcl) { return new StringCondition(StringComparisonType.StringEquals, CANNED_ACL_CONDITION_KEY, cannedAcl.toString()); }
