com.amazonaws.services.kms.model.GrantConstraints Maven / Gradle / Ivy
Show all versions of aws-java-sdk-kms Show documentation
/*
* Copyright 2019-2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with
* the License. A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
* CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
* and limitations under the License.
*/
package com.amazonaws.services.kms.model;
import java.io.Serializable;
import javax.annotation.Generated;
import com.amazonaws.protocol.StructuredPojo;
import com.amazonaws.protocol.ProtocolMarshaller;
/**
*
* Use this structure to allow cryptographic
* operations in the grant only when the operation request includes the specified encryption context.
*
*
* KMS applies the grant constraints only to cryptographic operations that support an encryption context, that is, all
* cryptographic operations with a symmetric KMS
* key. Grant constraints are not applied to operations that do not support an encryption context, such as
* cryptographic operations with asymmetric KMS keys and management operations, such as DescribeKey or
* RetireGrant.
*
*
*
* In a cryptographic operation, the encryption context in the decryption operation must be an exact, case-sensitive
* match for the keys and values in the encryption context of the encryption operation. Only the order of the pairs can
* vary.
*
*
* However, in a grant constraint, the key in each key-value pair is not case sensitive, but the value is case
* sensitive.
*
*
* To avoid confusion, do not use multiple encryption context pairs that differ only by case. To require a fully
* case-sensitive encryption context, use the kms:EncryptionContext: and
* kms:EncryptionContextKeys conditions in an IAM or key policy. For details, see kms:EncryptionContext: in the Key Management Service Developer Guide .
*
*
*
* @see AWS API
* Documentation
*/
@Generated("com.amazonaws:aws-java-sdk-code-generator")
public class GrantConstraints implements Serializable, Cloneable, StructuredPojo {
/**
*
* A list of key-value pairs that must be included in the encryption context of the cryptographic
* operation request. The grant allows the cryptographic operation only when the encryption context in the
* request includes the key-value pairs specified in this constraint, although it can include additional key-value
* pairs.
*
*/
private com.amazonaws.internal.SdkInternalMap encryptionContextSubset;
/**
*
* A list of key-value pairs that must match the encryption context in the cryptographic
* operation request. The grant allows the operation only when the encryption context in the request is the same
* as the encryption context specified in this constraint.
*
*/
private com.amazonaws.internal.SdkInternalMap encryptionContextEquals;
/**
*
* A list of key-value pairs that must be included in the encryption context of the cryptographic
* operation request. The grant allows the cryptographic operation only when the encryption context in the
* request includes the key-value pairs specified in this constraint, although it can include additional key-value
* pairs.
*
*
* @return A list of key-value pairs that must be included in the encryption context of the cryptographic operation request. The grant allows the cryptographic operation only when the
* encryption context in the request includes the key-value pairs specified in this constraint, although it
* can include additional key-value pairs.
*/
public java.util.Map getEncryptionContextSubset() {
if (encryptionContextSubset == null) {
encryptionContextSubset = new com.amazonaws.internal.SdkInternalMap();
}
return encryptionContextSubset;
}
/**
*
* A list of key-value pairs that must be included in the encryption context of the cryptographic
* operation request. The grant allows the cryptographic operation only when the encryption context in the
* request includes the key-value pairs specified in this constraint, although it can include additional key-value
* pairs.
*
*
* @param encryptionContextSubset
* A list of key-value pairs that must be included in the encryption context of the cryptographic operation request. The grant allows the cryptographic operation only when the
* encryption context in the request includes the key-value pairs specified in this constraint, although it
* can include additional key-value pairs.
*/
public void setEncryptionContextSubset(java.util.Map encryptionContextSubset) {
this.encryptionContextSubset = encryptionContextSubset == null ? null : new com.amazonaws.internal.SdkInternalMap(
encryptionContextSubset);
}
/**
*
* A list of key-value pairs that must be included in the encryption context of the cryptographic
* operation request. The grant allows the cryptographic operation only when the encryption context in the
* request includes the key-value pairs specified in this constraint, although it can include additional key-value
* pairs.
*
*
* @param encryptionContextSubset
* A list of key-value pairs that must be included in the encryption context of the cryptographic operation request. The grant allows the cryptographic operation only when the
* encryption context in the request includes the key-value pairs specified in this constraint, although it
* can include additional key-value pairs.
* @return Returns a reference to this object so that method calls can be chained together.
*/
public GrantConstraints withEncryptionContextSubset(java.util.Map encryptionContextSubset) {
setEncryptionContextSubset(encryptionContextSubset);
return this;
}
/**
* Add a single EncryptionContextSubset entry
*
* @see GrantConstraints#withEncryptionContextSubset
* @returns a reference to this object so that method calls can be chained together.
*/
public GrantConstraints addEncryptionContextSubsetEntry(String key, String value) {
if (null == this.encryptionContextSubset) {
this.encryptionContextSubset = new com.amazonaws.internal.SdkInternalMap();
}
if (this.encryptionContextSubset.containsKey(key))
throw new IllegalArgumentException("Duplicated keys (" + key.toString() + ") are provided.");
this.encryptionContextSubset.put(key, value);
return this;
}
/**
* Removes all the entries added into EncryptionContextSubset.
*
* @return Returns a reference to this object so that method calls can be chained together.
*/
public GrantConstraints clearEncryptionContextSubsetEntries() {
this.encryptionContextSubset = null;
return this;
}
/**
*
* A list of key-value pairs that must match the encryption context in the cryptographic
* operation request. The grant allows the operation only when the encryption context in the request is the same
* as the encryption context specified in this constraint.
*
*
* @return A list of key-value pairs that must match the encryption context in the cryptographic operation request. The grant allows the operation only when the encryption context in
* the request is the same as the encryption context specified in this constraint.
*/
public java.util.Map getEncryptionContextEquals() {
if (encryptionContextEquals == null) {
encryptionContextEquals = new com.amazonaws.internal.SdkInternalMap();
}
return encryptionContextEquals;
}
/**
*
* A list of key-value pairs that must match the encryption context in the cryptographic
* operation request. The grant allows the operation only when the encryption context in the request is the same
* as the encryption context specified in this constraint.
*
*
* @param encryptionContextEquals
* A list of key-value pairs that must match the encryption context in the cryptographic operation request. The grant allows the operation only when the encryption context in
* the request is the same as the encryption context specified in this constraint.
*/
public void setEncryptionContextEquals(java.util.Map encryptionContextEquals) {
this.encryptionContextEquals = encryptionContextEquals == null ? null : new com.amazonaws.internal.SdkInternalMap(
encryptionContextEquals);
}
/**
*
* A list of key-value pairs that must match the encryption context in the cryptographic
* operation request. The grant allows the operation only when the encryption context in the request is the same
* as the encryption context specified in this constraint.
*
*
* @param encryptionContextEquals
* A list of key-value pairs that must match the encryption context in the cryptographic operation request. The grant allows the operation only when the encryption context in
* the request is the same as the encryption context specified in this constraint.
* @return Returns a reference to this object so that method calls can be chained together.
*/
public GrantConstraints withEncryptionContextEquals(java.util.Map encryptionContextEquals) {
setEncryptionContextEquals(encryptionContextEquals);
return this;
}
/**
* Add a single EncryptionContextEquals entry
*
* @see GrantConstraints#withEncryptionContextEquals
* @returns a reference to this object so that method calls can be chained together.
*/
public GrantConstraints addEncryptionContextEqualsEntry(String key, String value) {
if (null == this.encryptionContextEquals) {
this.encryptionContextEquals = new com.amazonaws.internal.SdkInternalMap();
}
if (this.encryptionContextEquals.containsKey(key))
throw new IllegalArgumentException("Duplicated keys (" + key.toString() + ") are provided.");
this.encryptionContextEquals.put(key, value);
return this;
}
/**
* Removes all the entries added into EncryptionContextEquals.
*
* @return Returns a reference to this object so that method calls can be chained together.
*/
public GrantConstraints clearEncryptionContextEqualsEntries() {
this.encryptionContextEquals = null;
return this;
}
/**
* Returns a string representation of this object. This is useful for testing and debugging. Sensitive data will be
* redacted from this string using a placeholder value.
*
* @return A string representation of this object.
*
* @see java.lang.Object#toString()
*/
@Override
public String toString() {
StringBuilder sb = new StringBuilder();
sb.append("{");
if (getEncryptionContextSubset() != null)
sb.append("EncryptionContextSubset: ").append(getEncryptionContextSubset()).append(",");
if (getEncryptionContextEquals() != null)
sb.append("EncryptionContextEquals: ").append(getEncryptionContextEquals());
sb.append("}");
return sb.toString();
}
@Override
public boolean equals(Object obj) {
if (this == obj)
return true;
if (obj == null)
return false;
if (obj instanceof GrantConstraints == false)
return false;
GrantConstraints other = (GrantConstraints) obj;
if (other.getEncryptionContextSubset() == null ^ this.getEncryptionContextSubset() == null)
return false;
if (other.getEncryptionContextSubset() != null && other.getEncryptionContextSubset().equals(this.getEncryptionContextSubset()) == false)
return false;
if (other.getEncryptionContextEquals() == null ^ this.getEncryptionContextEquals() == null)
return false;
if (other.getEncryptionContextEquals() != null && other.getEncryptionContextEquals().equals(this.getEncryptionContextEquals()) == false)
return false;
return true;
}
@Override
public int hashCode() {
final int prime = 31;
int hashCode = 1;
hashCode = prime * hashCode + ((getEncryptionContextSubset() == null) ? 0 : getEncryptionContextSubset().hashCode());
hashCode = prime * hashCode + ((getEncryptionContextEquals() == null) ? 0 : getEncryptionContextEquals().hashCode());
return hashCode;
}
@Override
public GrantConstraints clone() {
try {
return (GrantConstraints) super.clone();
} catch (CloneNotSupportedException e) {
throw new IllegalStateException("Got a CloneNotSupportedException from Object.clone() " + "even though we're Cloneable!", e);
}
}
@com.amazonaws.annotation.SdkInternalApi
@Override
public void marshall(ProtocolMarshaller protocolMarshaller) {
com.amazonaws.services.kms.model.transform.GrantConstraintsMarshaller.getInstance().marshall(this, protocolMarshaller);
}
}