本文整理汇总了Java中com.amazonaws.auth.policy.Policy类的典型用法代码示例。如果您正苦于以下问题:Java Policy类的具体用法?Java Policy怎么用?Java Policy使用的例子?那么, 这里精选的类代码示例或许可以为您提供帮助。
Policy类属于com.amazonaws.auth.policy包,在下文中一共展示了Policy类的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Java代码示例。
示例1: consumerPrincipalIsAnArnAndNotAnId
import com.amazonaws.auth.policy.Policy; //导入依赖的package包/类
/**
 * Check that the given IAM principal has permissions to access the KMS key.
 *
 * This is important because when an IAM principal is deleted and recreated with the same name, then the recreated
 * principal cannot access the KMS key until the key policy is regenerated -- updating the policy permissions to
 * allow the ARN of the recreated principal instead of the ID of the deleted principal.
 *
 * Only the statement whose Sid is {@code CERBERUS_CONSUMER_SID} is inspected; the check passes when at least one
 * of its principals is judged by {@code awsIamRoleArnParser} to be an ARN that can be written into a key policy.
 *
 * @param policyJson - The KMS key policy as a String
 * @return true if the consumer statement references a usable ARN principal; false if it does not, or if the
 *         policy cannot be parsed (the failure is logged and the caller is expected to regenerate the policy)
 */
protected boolean consumerPrincipalIsAnArnAndNotAnId(String policyJson) {
    try {
        Policy policy = policyReader.createPolicyFromJsonString(policyJson);
        for (Statement statement : policy.getStatements()) {
            if (!StringUtils.equals(statement.getId(), CERBERUS_CONSUMER_SID)) {
                continue;
            }
            boolean hasArnPrincipal = statement.getPrincipals()
                    .stream()
                    .anyMatch(principal -> awsIamRoleArnParser.isArnThatCanGoInKeyPolicy(principal.getId()));
            if (hasArnPrincipal) {
                return true;
            }
        }
        return false;
    } catch (Exception e) {
        // if we can't deserialize we will assume policy has been corrupted manually and regenerate it
        logger.error("Failed to validate policy, did someone manually edit the kms policy?", e);
    }
    return false;
}
示例2: cmsHasKeyDeletePermissions
import com.amazonaws.auth.policy.Policy; //导入依赖的package包/类
/**
 * Validate that the IAM principal for the CMS has permissions to schedule and cancel deletion of the KMS key.
 *
 * Passes only when some statement has Sid {@code CERBERUS_MANAGEMENT_SERVICE_SID}, applies to {@code cmsRoleArn},
 * has effect Allow, and includes both {@code ScheduleKeyDeletion} and {@code CancelKeyDeletion}.
 *
 * @param policyJson - The KMS key policy as a String
 * @return true if such a statement exists; false otherwise, or if the policy cannot be parsed (logged, not thrown)
 */
protected boolean cmsHasKeyDeletePermissions(String policyJson) {
    try {
        Policy policy = policyReader.createPolicyFromJsonString(policyJson);
        for (Statement statement : policy.getStatements()) {
            // same short-circuit order as the original predicate: Sid, principal, effect, then the two actions
            boolean isCmsAllowStatement = StringUtils.equals(statement.getId(), CERBERUS_MANAGEMENT_SERVICE_SID)
                    && statementAppliesToPrincipal(statement, cmsRoleArn)
                    && statement.getEffect() == Statement.Effect.Allow;
            if (isCmsAllowStatement
                    && statementIncludesAction(statement, KMSActions.ScheduleKeyDeletion)
                    && statementIncludesAction(statement, KMSActions.CancelKeyDeletion)) {
                return true;
            }
        }
    } catch (Exception e) {
        logger.error("Failed to validate that CMS can delete KMS key, there may be something wrong with the policy", e);
    }
    return false;
}
示例3: subscribeQueueToTopic
import com.amazonaws.auth.policy.Policy; //导入依赖的package包/类
/**
 * Subscribes the SQS queue at {@code sqsQueueUrl} to the SNS topic {@code snsTopicArn}.
 *
 * The queue's access policy is set to a single statement that allows {@code sqs:SendMessage} from any principal,
 * restricted by a SourceArn condition to the given topic, so only deliveries originating from that topic are
 * accepted. Setting the {@code Policy} attribute replaces the queue's existing policy rather than merging with it.
 *
 * @param snsTopicArn ARN of the topic to subscribe to
 * @param sqsQueueUrl URL of the queue that receives the topic's messages
 * @return the subscription ARN returned by SNS
 */
public String subscribeQueueToTopic(String snsTopicArn, String sqsQueueUrl) {
    GetQueueAttributesRequest arnRequest = new GetQueueAttributesRequest(sqsQueueUrl)
            .withAttributeNames(QueueAttributeName.QueueArn.toString());
    String sqsQueueArn = sqsClient.getQueueAttributes(arnRequest)
            .getAttributes()
            .get(QueueAttributeName.QueueArn.toString());

    Statement allowTopicToSend = new Statement(Effect.Allow)
            .withId("topic-subscription-" + snsTopicArn)
            .withPrincipals(Principal.AllUsers)
            .withActions(SQSActions.SendMessage)
            .withResources(new Resource(sqsQueueArn))
            .withConditions(ConditionFactory.newSourceArnCondition(snsTopicArn));
    Policy queuePolicy = new Policy().withStatements(allowTopicToSend);
    logger.debug("Policy: " + queuePolicy.toJson());

    Map<String, String> policyAttribute = new HashMap<String, String>();
    policyAttribute.put(QueueAttributeName.Policy.toString(), queuePolicy.toJson());
    sqsClient.setQueueAttributes(new SetQueueAttributesRequest(sqsQueueUrl, policyAttribute));

    SubscribeRequest subscribeRequest = new SubscribeRequest()
            .withEndpoint(sqsQueueArn)
            .withProtocol("sqs")
            .withTopicArn(snsTopicArn);
    return snsClient.subscribe(subscribeRequest).getSubscriptionArn();
}
示例4: policyChanged
import com.amazonaws.auth.policy.Policy; //导入依赖的package包/类
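/**
 * Determines whether the local policy document differs from the role policy attached to the remote instance
 * profile, i.e. whether a sync is required.
 *
 * The instance profile must carry exactly one role, and that role's inline policy is looked up under the role's
 * own name; both expectations are enforced with {@code Asserts}. A missing remote policy is reported as changed so
 * the caller recreates it on this sync.
 *
 * @param localPolicyJSON       the desired policy as a JSON document
 * @param remoteInstanceProfile the instance profile currently present in IAM
 * @return true if the remote policy is absent or differs from the local one
 */
boolean policyChanged(String localPolicyJSON, com.amazonaws.services.identitymanagement.model.InstanceProfile remoteInstanceProfile) {
    String instanceProfileName = remoteInstanceProfile.getInstanceProfileName();
    List<Role> roles = remoteInstanceProfile.getRoles();
    // message typo fixed ("does not not have role")
    Asserts.isFalse(roles.isEmpty(), "instance profile does not have role, please check whether the role failed to add to instance profile, instanceProfileName={}",
        instanceProfileName);
    Asserts.equals(roles.size(), 1, "instance profile should only have one role, check whether it's modified not by cmn, instanceProfileName={}, roles={}",
        instanceProfileName, roles);
    Role role = roles.get(0);
    // the inline policy is keyed by the role name (policy name == role name)
    Optional<Policy> remotePolicy = AWS.iam.findRolePolicy(role.getRoleName(), role.getRoleName());
    if (!remotePolicy.isPresent()) {
        logger.warn("role policy doesn't exist, it could be due to failure of last sync, it will try to create this time, instanceProfileName={}", instanceProfileName);
        return true;
    }
    Policy localPolicy = Policy.fromJson(localPolicyJSON);
    return policyChanged(localPolicy, remotePolicy.get());
}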
示例5: shouldSetQueueAttributes_withPolicy
import com.amazonaws.auth.policy.Policy; //导入依赖的package包/类
/**
 * Setting a policy on the queue resource must issue one SetQueueAttributes request for this queue whose
 * {@code Policy} attribute carries the policy's JSON rendering.
 */
@Test
public void shouldSetQueueAttributes_withPolicy() {
    // Given
    final String expectedPolicyJson = randomString();
    final Policy policy = mock(Policy.class);
    when(policy.toJson()).thenReturn(expectedPolicyJson);

    // When
    sqsQueueResource.setPolicy(policy);

    // Then
    final ArgumentCaptor<SetQueueAttributesRequest> requestCaptor =
            ArgumentCaptor.forClass(SetQueueAttributesRequest.class);
    verify(amazonSqsClient).setQueueAttributes(requestCaptor.capture());
    final SetQueueAttributesRequest sentRequest = requestCaptor.getValue();
    assertEquals(queueUrl, sentRequest.getQueueUrl());
    final String sentPolicyJson = sentRequest.getAttributes().get(QueueAttributeName.Policy.toString());
    assertEquals(expectedPolicyJson, sentPolicyJson);
}
示例6: shouldSetPolicy_withPolicy
import com.amazonaws.auth.policy.Policy; //导入依赖的package包/类
/**
 * Setting a policy on the topic resource must issue one SetTopicAttributes request for this topic with attribute
 * name {@code "Policy"} and the policy's JSON rendering as the value.
 */
@Test
public void shouldSetPolicy_withPolicy() {
    // Given
    final String expectedPolicyJson = randomString();
    final Policy policy = mock(Policy.class);
    when(policy.toJson()).thenReturn(expectedPolicyJson);

    // When
    snsTopicResource.setPolicy(policy);

    // Then
    final ArgumentCaptor<SetTopicAttributesRequest> requestCaptor =
            ArgumentCaptor.forClass(SetTopicAttributesRequest.class);
    verify(mockAmazonSnsClient).setTopicAttributes(requestCaptor.capture());
    final SetTopicAttributesRequest sentRequest = requestCaptor.getValue();
    assertEquals(topicArn, sentRequest.getTopicArn());
    assertEquals("Policy", sentRequest.getAttributeName());
    assertEquals(expectedPolicyJson, sentRequest.getAttributeValue());
}
示例7: shouldThrowException_onAmazonClientExceptionFromSetPolicy
import com.amazonaws.auth.policy.Policy; //导入依赖的package包/类
/**
 * An {@code AmazonClientException} raised by the SNS client while setting the topic policy must propagate out of
 * {@code setPolicy} unchanged (not swallowed or wrapped).
 */
@Test
public void shouldThrowException_onAmazonClientExceptionFromSetPolicy() {
    // Given
    final String policyJson = randomString();
    final Policy policy = mock(Policy.class);
    when(policy.toJson()).thenReturn(policyJson);
    doThrow(AmazonClientException.class).when(mockAmazonSnsClient)
            .setTopicAttributes(any(SetTopicAttributesRequest.class));

    // When
    AmazonClientException caught = null;
    try {
        snsTopicResource.setPolicy(policy);
    } catch (final AmazonClientException e) {
        caught = e;
    }

    // Then
    assertNotNull(caught);
}
示例8: createPolicyFromJsonString
import com.amazonaws.auth.policy.Policy; //导入依赖的package包/类
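/**
 * Converts the specified JSON string to an AWS policy object.
 *
 * For more information see, @see
 * http://docs.aws.amazon.com/AWSSdkDocsJava/latest
 * /DeveloperGuide/java-dg-access-control.html
 *
 * Only the top-level policy id and the statement array are read here; each statement element is converted by
 * {@code statementOf}. Any failure while parsing or converting (including unchecked exceptions thrown by the
 * statement conversion) is rethrown as an {@link IllegalArgumentException} that keeps the original cause.
 *
 * @param jsonString
 *            the specified JSON string representation of this AWS access
 *            control policy.
 *
 * @return An AWS policy object.
 *
 * @throws IllegalArgumentException
 *             If the specified JSON string is null or invalid and cannot be
 *             converted to an AWS policy object.
 */
public Policy createPolicyFromJsonString(String jsonString) {
    if (jsonString == null) {
        throw new IllegalArgumentException("JSON string cannot be null");
    }

    Policy policy = new Policy();
    List<Statement> statements = new LinkedList<Statement>();
    try {
        JsonNode policyNode = Jackson.jsonNodeOf(jsonString);

        JsonNode idNode = policyNode.get(JsonDocumentFields.POLICY_ID);
        if (isNotNull(idNode)) {
            policy.setId(idNode.asText());
        }

        JsonNode statementNodes = policyNode.get(JsonDocumentFields.STATEMENT);
        if (isNotNull(statementNodes)) {
            for (JsonNode node : statementNodes) {
                statements.add(statementOf(node));
            }
        }
    } catch (Exception e) {
        // message typo fixed ("fron" -> "from"); the cause is preserved for callers
        String message = "Unable to generate policy object from JSON string "
                + e.getMessage();
        throw new IllegalArgumentException(message, e);
    }

    policy.setStatements(statements);
    return policy;
}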
示例9: getForUser
import com.amazonaws.auth.policy.Policy; //导入依赖的package包/类
/**
 * Builds the per-user file-upload policy for {@code userName} on {@code bucket} from the three sibling statement
 * helpers (object creation, multipart upload, bucket listing).
 *
 * @param bucket   the S3 bucket the user uploads into
 * @param userName the user the statements are generated for
 * @return a policy with id {@code PerUserFileUploadingPolicy} holding the three statements
 */
static Policy getForUser(String bucket, String userName) {
    Statement createObjects = getObjectCreatingStatement(bucket, userName);
    Statement multipartUpload = getMultipartUploadStatement(bucket, userName);
    Statement listBucket = getListBucketStatement(bucket, userName);
    // statement order in the policy: multipart upload, object creation, bucket listing
    return new Policy("PerUserFileUploadingPolicy",
            Arrays.asList(multipartUpload, createObjects, listBucket));
}
示例10: getFederatedTokenFor
import com.amazonaws.auth.policy.Policy; //导入依赖的package包/类
/**
 * Obtains temporary STS federation credentials for {@code username}, scoped by the per-user S3 folder policy.
 *
 * The policy from {@code DefaultS3FolderPolicy.getForUser} is passed inline to GetFederationToken, so the returned
 * credentials can do no more than that policy allows; they expire after {@code TEMPORARY_CREDENTIALS_VALIDITY}
 * seconds.
 *
 * @param username the federated user name, also used to scope the policy
 * @return the credentials wrapped together with the region, bucket and user name
 */
public FederatedUserCredentials getFederatedTokenFor(String username) {
    String scopedPolicyJson = DefaultS3FolderPolicy.getForUser(bucket, username).toJson();
    GetFederationTokenRequest tokenRequest = new GetFederationTokenRequest()
            .withName(username)
            .withDurationSeconds(TEMPORARY_CREDENTIALS_VALIDITY)
            .withPolicy(scopedPolicyJson);
    GetFederationTokenResult tokenResult = tokenService.getFederationToken(tokenRequest);
    return new FederatedUserCredentials(region, bucket, username, tokenResult.getCredentials());
}
示例11: getPolicy
import com.amazonaws.auth.policy.Policy; //导入依赖的package包/类
/**
 * Builds the JSON queue policy that lets the given AWS accounts send messages to this queue.
 *
 * A single Allow statement grants {@code sqs:SendMessage} on the queue ARN to one AWS principal per account id
 * (an account-level grant, not a specific role). If {@code accountIds} is empty the statement has no principals;
 * presumably SQS rejects such a policy — confirm at the call site rather than relying on it here.
 *
 * @param accountIds AWS account ids that may send to the queue
 * @return the policy as a JSON document with id {@code AuthorizedWorkerAccessPolicy}
 */
private String getPolicy(List<String> accountIds) {
    Statement allowSend = new Statement(Effect.Allow)
            .withActions(SQSActions.SendMessage);
    for (String accountId : accountIds) {
        allowSend.getPrincipals().add(new Principal(accountId));
    }
    allowSend.withResources(new Resource(getQueueARN()));
    Policy policy = new Policy("AuthorizedWorkerAccessPolicy")
            .withStatements(allowSend);
    return policy.toJson();
}
示例12: overwriteCMSPolicy
import com.amazonaws.auth.policy.Policy; //导入依赖的package包/类
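/**
 * Overwrite the policy statement for CMS with the standard statement. Add the standard statement for CMS
 * to the policy if it did not already exist.
 *
 * The standard CMS statement is appended only when no statement with Sid {@code CERBERUS_MANAGEMENT_SERVICE_SID}
 * remains after {@code removeStatementFromPolicy}. That guard matters because the version of
 * removeStatementFromPolicy shown in this listing itself appends the standard statement, and appending it again
 * here would leave two statements sharing the same Sid. Parse failures from {@code policyReader} propagate to the
 * caller; nothing is caught here.
 *
 * @param policyJson - The KMS key policy in JSON format
 * @return - The updated JSON KMS policy containing a regenerated statement for CMS
 */
protected String overwriteCMSPolicy(String policyJson) {
    Policy policy = policyReader.createPolicyFromJsonString(policyJson);
    removeStatementFromPolicy(policy, CERBERUS_MANAGEMENT_SERVICE_SID);
    Collection<Statement> statements = policy.getStatements();
    boolean cmsStatementPresent = statements.stream()
            .anyMatch(statement -> StringUtils.equals(statement.getId(), CERBERUS_MANAGEMENT_SERVICE_SID));
    if (!cmsStatementPresent) {
        statements.add(generateStandardCMSPolicyStatement());
    }
    return policy.toJson();
}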
示例13: removeStatementFromPolicy
import com.amazonaws.auth.policy.Policy; //导入依赖的package包/类
/**
 * Drops every statement whose Sid equals {@code statementId} and then appends a freshly generated standard CMS
 * statement, writing the rebuilt list back into {@code policy}.
 *
 * Note that, despite the name, this method always adds the CMS statement after removing; a caller that wants
 * removal only must account for that extra statement.
 *
 * @param policy      the policy to modify in place
 * @param statementId the Sid of the statement(s) to drop
 */
protected void removeStatementFromPolicy(Policy policy, String statementId) {
    List<Statement> rebuilt = policy.getStatements()
            .stream()
            .filter(statement -> !StringUtils.equals(statement.getId(), statementId))
            .collect(Collectors.toList());
    rebuilt.add(generateStandardCMSPolicyStatement());
    policy.setStatements(rebuilt);
}
示例14: generateStandardKmsPolicy
import com.amazonaws.auth.policy.Policy; //导入依赖的package包/类
/**
 * Builds the standard KMS key policy for a Cerberus-managed key as a JSON document.
 *
 * The policy holds four Allow statements, all on resource {@code "*"}: the root user ARN and the admin role ARN get
 * every KMS action, the CMS instance role gets the standard CMS statement, and the consumer role
 * ({@code iamRoleArn}, Sid {@code CERBERUS_CONSUMER_SID}) gets only {@code kms:Decrypt}. Principals are built with
 * the third constructor argument {@code false} so the ARNs are used verbatim.
 *
 * @param iamRoleArn ARN of the consumer role that may decrypt with the key
 * @return the policy JSON
 */
public String generateStandardKmsPolicy(String iamRoleArn) {
    Statement rootUserStatement = new Statement(Statement.Effect.Allow)
            .withId("Root User Has All Actions")
            .withPrincipals(new Principal(AWS_PROVIDER, rootUserArn, false))
            .withActions(KMSActions.AllKMSActions)
            .withResources(new Resource("*"));

    Statement keyAdministratorStatement = new Statement(Statement.Effect.Allow)
            .withId("Admin Role Has All Actions")
            .withPrincipals(new Principal(AWS_PROVIDER, adminRoleArn, false))
            .withActions(KMSActions.AllKMSActions)
            .withResources(new Resource("*"));

    Statement instanceUsageStatement = generateStandardCMSPolicyStatement();

    // least privilege for the consumer: decrypt only
    Statement iamRoleUsageStatement = new Statement(Statement.Effect.Allow)
            .withId(CERBERUS_CONSUMER_SID)
            .withPrincipals(new Principal(AWS_PROVIDER, iamRoleArn, false))
            .withActions(KMSActions.Decrypt)
            .withResources(new Resource("*"));

    return new Policy()
            .withStatements(rootUserStatement, keyAdministratorStatement, instanceUsageStatement, iamRoleUsageStatement)
            .toJson();
}
示例15: test_that_generateStandardCMSPolicyStatement_returns_a_valid_statement
import com.amazonaws.auth.policy.Policy; //导入依赖的package包/类
/**
 * The generated CMS statement must carry the CMS Sid, have effect Allow, and — when wrapped in a policy by itself —
 * satisfy {@code cmsHasKeyDeletePermissions}.
 */
@Test
public void test_that_generateStandardCMSPolicyStatement_returns_a_valid_statement() {
    Statement cmsStatement = kmsPolicyService.generateStandardCMSPolicyStatement();

    assertEquals(KmsPolicyService.CERBERUS_MANAGEMENT_SERVICE_SID, cmsStatement.getId());
    assertEquals(Statement.Effect.Allow, cmsStatement.getEffect());

    String singleStatementPolicyJson = new Policy().withStatements(cmsStatement).toJson();
    assertTrue(kmsPolicyService.cmsHasKeyDeletePermissions(singleStatementPolicyJson));
}