All Downloads are FREE. Search and download functionalities are using the official Maven repository.

com.amazonaws.auth.policy.Statement Maven / Gradle / Ivy

Go to download

The AWS SDK for Java - Core module holds the classes that are used by the individual service clients to interact with Amazon Web Services. Users need to depend on aws-java-sdk artifact for accessing individual client classes.

There is a newer version: 1.12.778
Show newest version
/*
 * Copyright 2010-2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 *  http://aws.amazon.com/apache2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */
package com.amazonaws.auth.policy;

import com.amazonaws.util.PolicyUtils;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

/**
 * A statement is the formal description of a single permission, and is always
 * contained within a policy object.
 * 

* A statement describes a rule for allowing or denying access to a specific AWS * resource based on how the resource is being accessed, and who is attempting * to access the resource. Statements can also optionally contain a list of * conditions that specify when a statement is to be honored. *

* For example, consider a statement that: *

    *
  • allows access (the effect) *
  • for a list of specific AWS account IDs (the principals) *
  • when accessing an SQS queue (the resource) *
  • using the SendMessage operation (the action) *
  • and the request occurs before a specific date (a condition) *
* *

* Statements takes the form: "A has permission to do B to C where D applies". *

    *
  • A is the principal - the AWS account that is making a request to * access or modify one of your AWS resources. *
  • B is the action - the way in which your AWS resource is being accessed or modified, such * as sending a message to an Amazon SQS queue, or storing an object in an Amazon S3 bucket. *
  • C is the resource - your AWS entity that the principal wants to access, such * as an Amazon SQS queue, or an object stored in Amazon S3. *
  • D is the set of conditions - optional constraints that specify when to allow or deny * access for the principal to access your resource. Many expressive conditions are available, * some specific to each service. For example you can use date conditions to allow access to * your resources only after or before a specific time. *
* *

* There are many resources and conditions available for use in statements, and * you can combine them to form fine grained custom access control polices. */ public class Statement { /** * The effect is the result that you want a policy statement to return at * evaluation time. A policy statement can either allow access or explicitly * deny access. */ public static enum Effect { Allow(), Deny(); } private String id; private Effect effect; private List principals = new ArrayList(); private List actions = new ArrayList(); private List resources; private List conditions = new ArrayList(); /** * Constructs a new access control policy statement with the specified * effect. *

* Before a statement is valid and can be sent to AWS, callers must set the * principals, resources, and actions (as well as any optional conditions) * involved in the statement. * * @param effect * The effect this statement has (allowing access or denying * access) when all conditions, resources, principals, and * actions are matched. */ public Statement(Effect effect) { this.effect = effect; this.id = null; } /** * Returns the ID for this statement. Statement IDs serve to help keep track * of multiple statements, and are often used to give the statement a * meaningful, human readable name. *

* Statement IDs must be unique within a policy, but are not required to be * globally unique. *

* If you do not explicitly assign an ID to a statement, a unique ID will be * automatically assigned when the statement is added to a policy. *

* Developers should be careful to not use the same statement ID for * multiple statements in the same policy. Reusing the same statement ID in * different policies is not a problem. * * @return The statement ID. */ public String getId() { return id; } /** * Sets the ID for this statement. Statement IDs serve to help keep track of * multiple statements, and are often used to give the statement a * meaningful, human readable name. *

* Statement IDs must be unique within a policy, but are not required to be * globally unique. *

* If you do not explicitly assign an ID to a statement, a unique ID will be * automatically assigned when the statement is added to a policy. *

* Developers should be careful to not use the same statement ID for * multiple statements in the same policy. Reusing the same statement ID in * different policies is not a problem. * * @param id * The new statement ID for this statement. */ public void setId(String id) { this.id = id; } /** * Sets the ID for this statement and returns the updated statement so * multiple calls can be chained together. *

* Statement IDs serve to help keep track of multiple statements, and are * often used to give the statement a meaningful, human readable name. *

* If you do not explicitly assign an ID to a statement, a unique ID will be * automatically assigned when the statement is added to a policy. *

* Developers should be careful to not use the same statement ID for * multiple statements in the same policy. Reusing the same statement ID in * different policies is not a problem. * * @param id * The new statement ID for this statement. */ public Statement withId(String id) { setId(id); return this; } /** * Returns the result effect of this policy statement when it is evaluated. * A policy statement can either allow access or explicitly * * @return The result effect of this policy statement. */ public Effect getEffect() { return effect; } /** * Sets the result effect of this policy statement when it is evaluated. A * policy statement can either allow access or explicitly * * @param effect * The result effect of this policy statement. */ public void setEffect(Effect effect) { this.effect = effect; } /** * Returns the list of actions to which this policy statement applies. * Actions limit a policy statement to specific service operations that are * being allowed or denied by the policy statement. For example, you might * want to allow any AWS user to post messages to your SQS queue using the * SendMessage action, but you don't want to allow those users other actions * such as ReceiveMessage or DeleteQueue. * * @return The list of actions to which this policy statement applies. */ public List getActions() { return actions; } /** * Sets the list of actions to which this policy statement applies. Actions * limit a policy statement to specific service operations that are being * allowed or denied by the policy statement. For example, you might want to * allow any AWS user to post messages to your SQS queue using the * SendMessage action, but you don't want to allow those users other actions * such as ReceiveMessage or DeleteQueue. * * @param actions * The list of actions to which this policy statement applies. */ public void setActions(Collection actions) { this.actions = new ArrayList(actions); } /** * Sets the list of actions to which this policy statement applies and * returns this updated Statement object so that additional method calls can * be chained together. *

* Actions limit a policy statement to specific service operations that are * being allowed or denied by the policy statement. For example, you might * want to allow any AWS user to post messages to your SQS queue using the * SendMessage action, but you don't want to allow those users other actions * such as ReceiveMessage or DeleteQueue. * * @param actions * The list of actions to which this statement applies. * * @return The updated Statement object so that additional method calls can * be chained together. */ public Statement withActions(Action... actions) { setActions(Arrays.asList(actions)); return this; } /** * Returns the resources associated with this policy statement. Resources * are what a policy statement is allowing or denying access to, such as an * Amazon SQS queue or an Amazon SNS topic. *

* Note that some services allow only one resource to be specified per * policy statement. * * @return The resources associated with this policy statement. */ public List getResources() { return resources; } /** * Sets the resources associated with this policy statement. Resources are * what a policy statement is allowing or denying access to, such as an * Amazon SQS queue or an Amazon SNS topic. *

* Note that some services allow only one resource to be specified per * policy statement. * * @param resources * The resources associated with this policy statement. * @throws IllegalArgumentException * If the list of resources contains both a Resource and a NotResource */ public void setResources(Collection resources) { List resourceList = new ArrayList(resources); PolicyUtils.validateResourceList(resourceList); this.resources = resourceList; } /** * Sets the resources associated with this policy statement and returns this * updated Statement object so that additional method calls can be chained * together. *

* Resources are what a policy statement is allowing or denying access to, * such as an Amazon SQS queue or an Amazon SNS topic. *

* Note that some services allow only one resource to be specified per * policy statement. * * @param resources * The resources associated with this policy statement. * * @return The updated Statement object so that additional method calls can * be chained together. */ public Statement withResources(Resource... resources) { setResources(Arrays.asList(resources)); return this; } /** * Returns the conditions associated with this policy statement. Conditions * allow policy statements to be conditionally evaluated based on the many * available condition types. *

* For example, a statement that allows access to an Amazon SQS queue could * use a condition to only apply the effect of that statement for requests * that are made before a certain date, or that originate from a range of IP * addresses. *

* When multiple conditions are included in a single statement, all * conditions must evaluate to true in order for the statement to take * effect. * * @return The conditions associated with this policy statement. */ public List getConditions() { return conditions; } /** * Sets the conditions associated with this policy statement. Conditions * allow policy statements to be conditionally evaluated based on the many * available condition types. *

* For example, a statement that allows access to an Amazon SQS queue could * use a condition to only apply the effect of that statement for requests * that are made before a certain date, or that originate from a range of IP * addresses. *

* Multiple conditions can be included in a single statement, and all * conditions must evaluate to true in order for the statement to take * effect. * * @param conditions * The conditions associated with this policy statement. */ public void setConditions(List conditions) { this.conditions = conditions; } /** * Sets the conditions associated with this policy statement, and returns * this updated Statement object so that additional method calls can be * chained together. *

* Conditions allow policy statements to be conditionally evaluated based on * the many available condition types. *

* For example, a statement that allows access to an Amazon SQS queue could * use a condition to only apply the effect of that statement for requests * that are made before a certain date, or that originate from a range of IP * addresses. *

* Multiple conditions can be included in a single statement, and all * conditions must evaluate to true in order for the statement to take * effect. * * @param conditions * The conditions associated with this policy statement. * * @return The updated Statement object so that additional method calls can * be chained together. */ public Statement withConditions(Condition... conditions) { setConditions(Arrays.asList(conditions)); return this; } /** * Returns the principals associated with this policy statement, indicating * which AWS accounts are affected by this policy statement. * * @return The list of principals associated with this policy statement. */ public List getPrincipals() { return principals; } /** * Sets the principals associated with this policy statement, indicating * which AWS accounts are affected by this policy statement. *

* If you don't want to restrict your policy to specific users, you can use * {@link Principal#AllUsers} to apply the policy to any user trying to * access your resource. * * @param principals * The list of principals associated with this policy statement. */ public void setPrincipals(Collection principals) { this.principals = new ArrayList(principals); } /** * Sets the principals associated with this policy statement, indicating * which AWS accounts are affected by this policy statement. *

* If you don't want to restrict your policy to specific users, you can use * {@link Principal#AllUsers} to apply the policy to any user trying to * access your resource. * * @param principals * The list of principals associated with this policy statement. */ public void setPrincipals(Principal... principals) { setPrincipals(new ArrayList(Arrays.asList(principals))); } /** * Sets the principals associated with this policy statement, and returns * this updated Statement object. Principals control which AWS accounts are * affected by this policy statement. *

* If you don't want to restrict your policy to specific users, you can use * {@link Principal#AllUsers} to apply the policy to any user trying to * access your resource. * * @param principals * The list of principals associated with this policy statement. * * @return The updated Statement object so that additional method calls can * be chained together. */ public Statement withPrincipals(Principal... principals) { setPrincipals(principals); return this; } }





© 2015 - 2024 Weber Informatics LLC | Privacy Policy