
software.amazon.awssdk.services.kms.model.GrantConstraints Maven / Gradle / Ivy

/*
 * Copyright 2015-2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 * 
 * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with
 * the License. A copy of the License is located at
 * 
 * http://aws.amazon.com/apache2.0
 * 
 * or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 * CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
 * and limitations under the License.
 */

package software.amazon.awssdk.services.kms.model;

import java.io.Serializable;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.function.BiConsumer;
import java.util.function.Function;
import software.amazon.awssdk.annotations.Generated;
import software.amazon.awssdk.core.SdkField;
import software.amazon.awssdk.core.SdkPojo;
import software.amazon.awssdk.core.protocol.MarshallLocation;
import software.amazon.awssdk.core.protocol.MarshallingType;
import software.amazon.awssdk.core.traits.LocationTrait;
import software.amazon.awssdk.core.traits.MapTrait;
import software.amazon.awssdk.core.util.DefaultSdkAutoConstructMap;
import software.amazon.awssdk.core.util.SdkAutoConstructMap;
import software.amazon.awssdk.utils.ToString;
import software.amazon.awssdk.utils.builder.CopyableBuilder;
import software.amazon.awssdk.utils.builder.ToCopyableBuilder;

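/**
 * <p>
 * Use this structure to allow cryptographic operations in the grant only when the operation request includes the
 * specified encryption context.
 * </p>
 * <p>
 * AWS KMS applies the grant constraints only when the grant allows a cryptographic operation that accepts an encryption
 * context as input, such as {@code Encrypt}, {@code Decrypt} or {@code GenerateDataKey}.
 * </p>
 * <p>
 * AWS KMS does not apply the grant constraints to other operations, such as {@code DescribeKey} or
 * {@code ScheduleKeyDeletion}.
 * </p>
 * <p>
 * In a cryptographic operation, the encryption context in the decryption operation must be an exact, case-sensitive
 * match for the keys and values in the encryption context of the encryption operation. Only the order of the pairs can
 * vary.
 * </p>
 * <p>
 * However, in a grant constraint, the key in each key-value pair is not case sensitive, but the value is case
 * sensitive.
 * </p>
 * <p>
 * To avoid confusion, do not use multiple encryption context pairs that differ only by case. To require a fully
 * case-sensitive encryption context, use the {@code kms:EncryptionContext:} and {@code kms:EncryptionContextKeys}
 * conditions in an IAM or key policy. For details, see {@code kms:EncryptionContext:} in the <i>AWS Key Management
 * Service Developer Guide</i>.
 * </p>
 * <p>
 * Review notes on the two constraint kinds, as described on their accessors: {@code EncryptionContextSubset} only
 * requires that the listed pairs are present, so a request carrying additional pairs still satisfies it, whereas
 * {@code EncryptionContextEquals} requires the request's encryption context to be the same as the constraint. Prefer
 * the latter when a grant is meant to be bound to one specific context. Neither map is redacted by
 * {@link #toString()}, so encryption context pairs should not hold secret values.
 * </p>
 * <p>
 * Instances are immutable value objects created through {@link #builder()}.
 * </p>
 */
@Generated("software.amazon.awssdk:codegen")
public final class GrantConstraints implements SdkPojo, Serializable,
        ToCopyableBuilder<GrantConstraints.Builder, GrantConstraints> {
    // Marshalling descriptor for the "EncryptionContextSubset" payload member (a string-to-string map).
    private static final SdkField<Map<String, String>> ENCRYPTION_CONTEXT_SUBSET_FIELD = SdkField
            .<Map<String, String>> builder(MarshallingType.MAP)
            .getter(getter(GrantConstraints::encryptionContextSubset))
            .setter(setter(Builder::encryptionContextSubset))
            .traits(LocationTrait.builder().location(MarshallLocation.PAYLOAD).locationName("EncryptionContextSubset").build(),
                    MapTrait.builder()
                            .keyLocationName("key")
                            .valueLocationName("value")
                            .valueFieldInfo(
                                    SdkField.<String> builder(MarshallingType.STRING)
                                            .traits(LocationTrait.builder().location(MarshallLocation.PAYLOAD)
                                                    .locationName("value").build()).build()).build()).build();

    // Marshalling descriptor for the "EncryptionContextEquals" payload member (a string-to-string map).
    private static final SdkField<Map<String, String>> ENCRYPTION_CONTEXT_EQUALS_FIELD = SdkField
            .<Map<String, String>> builder(MarshallingType.MAP)
            .getter(getter(GrantConstraints::encryptionContextEquals))
            .setter(setter(Builder::encryptionContextEquals))
            .traits(LocationTrait.builder().location(MarshallLocation.PAYLOAD).locationName("EncryptionContextEquals").build(),
                    MapTrait.builder()
                            .keyLocationName("key")
                            .valueLocationName("value")
                            .valueFieldInfo(
                                    SdkField.<String> builder(MarshallingType.STRING)
                                            .traits(LocationTrait.builder().location(MarshallLocation.PAYLOAD)
                                                    .locationName("value").build()).build()).build()).build();

    private static final List<SdkField<?>> SDK_FIELDS = Collections.unmodifiableList(Arrays.asList(
            ENCRYPTION_CONTEXT_SUBSET_FIELD, ENCRYPTION_CONTEXT_EQUALS_FIELD));

    private static final long serialVersionUID = 1L;

    private final Map<String, String> encryptionContextSubset;

    private final Map<String, String> encryptionContextEquals;

    /**
     * Takes both maps from the builder as they are; the builder's setters already pass every value through
     * {@code EncryptionContextTypeCopier.copy}.
     */
    private GrantConstraints(BuilderImpl builder) {
        this.encryptionContextSubset = builder.encryptionContextSubset;
        this.encryptionContextEquals = builder.encryptionContextEquals;
    }

    /**
     * Returns true if the EncryptionContextSubset property was specified by the sender (it may be empty), or false if
     * the sender did not specify the value (it will be empty). For responses returned by the SDK, the sender is the AWS
     * service.
     * <p>
     * An empty map returned by {@link #encryptionContextSubset()} is therefore ambiguous on its own; use this method
     * when auditing a grant to tell "constraint present but empty" from "constraint not set".
     * </p>
     */
    public boolean hasEncryptionContextSubset() {
        // The auto-construct map is the builder's default placeholder, so seeing it means the value was never set.
        return encryptionContextSubset != null && !(encryptionContextSubset instanceof SdkAutoConstructMap);
    }

    /**
     * <p>
     * A list of key-value pairs that must be included in the encryption context of the cryptographic operation request.
     * The grant allows the cryptographic operation only when the encryption context in the request includes the
     * key-value pairs specified in this constraint, although it can include additional key-value pairs.
     * </p>
     * <p>
     * Attempts to modify the collection returned by this method will result in an UnsupportedOperationException.
     * </p>
     * <p>
     * You can use {@link #hasEncryptionContextSubset()} to see if a value was sent in this field.
     * </p>
     *
     * @return A list of key-value pairs that must be included in the encryption context of the cryptographic operation
     *         request. The grant allows the cryptographic operation only when the encryption context in the request
     *         includes the key-value pairs specified in this constraint, although it can include additional key-value
     *         pairs.
     */
    public Map<String, String> encryptionContextSubset() {
        return encryptionContextSubset;
    }

    /**
     * Returns true if the EncryptionContextEquals property was specified by the sender (it may be empty), or false if
     * the sender did not specify the value (it will be empty). For responses returned by the SDK, the sender is the AWS
     * service.
     * <p>
     * An empty map returned by {@link #encryptionContextEquals()} is therefore ambiguous on its own; use this method
     * when auditing a grant to tell "constraint present but empty" from "constraint not set".
     * </p>
     */
    public boolean hasEncryptionContextEquals() {
        // The auto-construct map is the builder's default placeholder, so seeing it means the value was never set.
        return encryptionContextEquals != null && !(encryptionContextEquals instanceof SdkAutoConstructMap);
    }

    /**
     * <p>
     * A list of key-value pairs that must match the encryption context in the cryptographic operation request. The
     * grant allows the operation only when the encryption context in the request is the same as the encryption context
     * specified in this constraint.
     * </p>
     * <p>
     * Attempts to modify the collection returned by this method will result in an UnsupportedOperationException.
     * </p>
     * <p>
     * You can use {@link #hasEncryptionContextEquals()} to see if a value was sent in this field.
     * </p>
     *
     * @return A list of key-value pairs that must match the encryption context in the cryptographic operation request.
     *         The grant allows the operation only when the encryption context in the request is the same as the
     *         encryption context specified in this constraint.
     */
    public Map<String, String> encryptionContextEquals() {
        return encryptionContextEquals;
    }

    /**
     * Creates a builder pre-populated with this object's two constraint maps.
     */
    @Override
    public Builder toBuilder() {
        return new BuilderImpl(this);
    }

    /**
     * Creates an empty builder; both constraints start out as the auto-construct placeholder map.
     */
    public static Builder builder() {
        return new BuilderImpl();
    }

    /**
     * Returns the concrete builder class, {@code BuilderImpl}.
     */
    public static Class<? extends Builder> serializableBuilderClass() {
        return BuilderImpl.class;
    }

    @Override
    public int hashCode() {
        int hashCode = 1;
        hashCode = 31 * hashCode + Objects.hashCode(encryptionContextSubset());
        hashCode = 31 * hashCode + Objects.hashCode(encryptionContextEquals());
        return hashCode;
    }

    @Override
    public boolean equals(Object obj) {
        return equalsBySdkFields(obj);
    }

    /**
     * Compares both constraint maps with {@link Objects#equals(Object, Object)}. This is an exact, case-sensitive
     * comparison of map contents in the client; it does not reproduce the case-insensitive key matching that the class
     * documentation describes for grant constraints.
     */
    @Override
    public boolean equalsBySdkFields(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null) {
            return false;
        }
        if (!(obj instanceof GrantConstraints)) {
            return false;
        }
        GrantConstraints other = (GrantConstraints) obj;
        return Objects.equals(encryptionContextSubset(), other.encryptionContextSubset())
                && Objects.equals(encryptionContextEquals(), other.encryptionContextEquals());
    }

    /**
     * Returns a string representation of this object. This is useful for testing and debugging. Sensitive data will be
     * redacted from this string using a placeholder value.
     * <p>
     * NOTE(review): both encryption context maps are passed to the string builder unchanged here and nothing in this
     * class marks them as sensitive, so they are presumably printed in full. Treat any log line containing this string
     * as exposing the grant's encryption context pairs.
     * </p>
     */
    @Override
    public String toString() {
        return ToString.builder("GrantConstraints").add("EncryptionContextSubset", encryptionContextSubset())
                .add("EncryptionContextEquals", encryptionContextEquals()).build();
    }

    /**
     * Looks up a member by its wire name and casts it to the requested type.
     *
     * @param fieldName
     *        Either {@code "EncryptionContextSubset"} or {@code "EncryptionContextEquals"}; the match is case
     *        sensitive.
     * @param clazz
     *        The type to cast the value to.
     * @return The member value, or an empty {@link Optional} when the value is null or the name is not recognised.
     */
    public <T> Optional<T> getValueForField(String fieldName, Class<T> clazz) {
        switch (fieldName) {
        case "EncryptionContextSubset":
            return Optional.ofNullable(clazz.cast(encryptionContextSubset()));
        case "EncryptionContextEquals":
            return Optional.ofNullable(clazz.cast(encryptionContextEquals()));
        default:
            return Optional.empty();
        }
    }

    @Override
    public List<SdkField<?>> sdkFields() {
        return SDK_FIELDS;
    }

    // Adapts a typed accessor to one that accepts Object by casting the argument to GrantConstraints.
    private static <T> Function<Object, T> getter(Function<GrantConstraints, T> g) {
        return obj -> g.apply((GrantConstraints) obj);
    }

    // Adapts a typed builder mutator to one that accepts Object by casting the target to Builder.
    private static <T> BiConsumer<Object, T> setter(BiConsumer<Builder, T> s) {
        return (obj, val) -> s.accept((Builder) obj, val);
    }

    public interface Builder extends SdkPojo, CopyableBuilder<Builder, GrantConstraints> {
        /**
         * <p>
         * A list of key-value pairs that must be included in the encryption context of the cryptographic operation
         * request. The grant allows the cryptographic operation only when the encryption context in the request
         * includes the key-value pairs specified in this constraint, although it can include additional key-value
         * pairs.
         * </p>
         *
         * @param encryptionContextSubset
         *        A list of key-value pairs that must be included in the encryption context of the cryptographic
         *        operation request. The grant allows the cryptographic operation only when the encryption context in
         *        the request includes the key-value pairs specified in this constraint, although it can include
         *        additional key-value pairs.
         * @return Returns a reference to this object so that method calls can be chained together.
         */
        Builder encryptionContextSubset(Map<String, String> encryptionContextSubset);

        /**
         * <p>
         * A list of key-value pairs that must match the encryption context in the cryptographic operation request. The
         * grant allows the operation only when the encryption context in the request is the same as the encryption
         * context specified in this constraint.
         * </p>
         *
         * @param encryptionContextEquals
         *        A list of key-value pairs that must match the encryption context in the cryptographic operation
         *        request. The grant allows the operation only when the encryption context in the request is the same as
         *        the encryption context specified in this constraint.
         * @return Returns a reference to this object so that method calls can be chained together.
         */
        Builder encryptionContextEquals(Map<String, String> encryptionContextEquals);
    }

    static final class BuilderImpl implements Builder {
        // Placeholder instances let hasEncryptionContext*() distinguish "never set" from "set to an empty map".
        private Map<String, String> encryptionContextSubset = DefaultSdkAutoConstructMap.getInstance();

        private Map<String, String> encryptionContextEquals = DefaultSdkAutoConstructMap.getInstance();

        private BuilderImpl() {
        }

        private BuilderImpl(GrantConstraints model) {
            encryptionContextSubset(model.encryptionContextSubset);
            encryptionContextEquals(model.encryptionContextEquals);
        }

        public final Map<String, String> getEncryptionContextSubset() {
            return encryptionContextSubset;
        }

        @Override
        public final Builder encryptionContextSubset(Map<String, String> encryptionContextSubset) {
            // Stores the copier's result rather than the caller's map; the copier itself is defined outside this file.
            this.encryptionContextSubset = EncryptionContextTypeCopier.copy(encryptionContextSubset);
            return this;
        }

        public final void setEncryptionContextSubset(Map<String, String> encryptionContextSubset) {
            this.encryptionContextSubset = EncryptionContextTypeCopier.copy(encryptionContextSubset);
        }

        public final Map<String, String> getEncryptionContextEquals() {
            return encryptionContextEquals;
        }

        @Override
        public final Builder encryptionContextEquals(Map<String, String> encryptionContextEquals) {
            // Stores the copier's result rather than the caller's map; the copier itself is defined outside this file.
            this.encryptionContextEquals = EncryptionContextTypeCopier.copy(encryptionContextEquals);
            return this;
        }

        public final void setEncryptionContextEquals(Map<String, String> encryptionContextEquals) {
            this.encryptionContextEquals = EncryptionContextTypeCopier.copy(encryptionContextEquals);
        }

        @Override
        public GrantConstraints build() {
            return new GrantConstraints(this);
        }

        @Override
        public List<SdkField<?>> sdkFields() {
            return SDK_FIELDS;
        }
    }
}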



