本文整理汇总了Java中com.amazonaws.auth.policy.Statement类的典型用法代码示例。如果您正苦于以下问题:Java Statement类的具体用法?Java Statement怎么用?Java Statement使用的例子?那么, 这里精选的类代码示例或许可以为您提供帮助。
Statement类属于com.amazonaws.auth.policy包,在下文中一共展示了Statement类的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Java代码示例。
示例1: cmsHasKeyDeletePermissions
import com.amazonaws.auth.policy.Statement; //导入依赖的package包/类
/**
 * Checks whether the KMS key policy lets the CMS IAM principal schedule and cancel deletion of the key.
 *
 * <p>A statement qualifies only if its Sid equals {@code CERBERUS_MANAGEMENT_SERVICE_SID}, it applies to
 * {@code cmsRoleArn} (per {@code statementAppliesToPrincipal}), its effect is Allow, and it includes both
 * {@code ScheduleKeyDeletion} and {@code CancelKeyDeletion} (per {@code statementIncludesAction}).
 *
 * <p>This method itself does not look at the statement's Condition or Resource elements, so a matching
 * statement that is narrowed by a condition is still reported as granting the permissions.
 *
 * @param policyJson the KMS key policy as a JSON string
 * @return {@code true} if a qualifying statement exists; {@code false} otherwise, including when the
 *         policy cannot be parsed or inspected (the exception is logged, not rethrown)
 */
protected boolean cmsHasKeyDeletePermissions(String policyJson) {
    try {
        Policy policy = policyReader.createPolicyFromJsonString(policyJson);
        for (Statement statement : policy.getStatements()) {
            if (!StringUtils.equals(statement.getId(), CERBERUS_MANAGEMENT_SERVICE_SID)) {
                continue;
            }
            if (!statementAppliesToPrincipal(statement, cmsRoleArn)) {
                continue;
            }
            if (statement.getEffect() != Statement.Effect.Allow) {
                continue;
            }
            if (statementIncludesAction(statement, KMSActions.ScheduleKeyDeletion)
                    && statementIncludesAction(statement, KMSActions.CancelKeyDeletion)) {
                return true;
            }
        }
    } catch (Exception e) {
        // Any failure is treated as "permission not present" rather than propagated to the caller.
        logger.error("Failed to validate that CMS can delete KMS key, there may be something wrong with the policy", e);
    }
    return false;
}
示例2: generateStandardCMSPolicyStatement
import com.amazonaws.auth.policy.Statement; //导入依赖的package包/类
/**
 * Builds the standard KMS key policy statement for the Cerberus Management Service (CMS).
 *
 * <p>The statement is an Allow for the principal {@code cmsRoleArn}, identified by the Sid
 * {@code CERBERUS_MANAGEMENT_SERVICE_SID}. Besides the encrypt/decrypt and data-key actions it also
 * grants {@code ScheduleKeyDeletion} and {@code CancelKeyDeletion}, so the CMS role can retire the key.
 *
 * @return a new statement; nothing is cached or shared between calls
 */
protected Statement generateStandardCMSPolicyStatement() {
    return new Statement(Statement.Effect.Allow)
            .withId(CERBERUS_MANAGEMENT_SERVICE_SID)
            .withPrincipals(new Principal(AWS_PROVIDER, cmsRoleArn, false))
            .withActions(
                    KMSActions.Encrypt,
                    KMSActions.Decrypt,
                    KMSActions.ReEncryptFrom,
                    KMSActions.ReEncryptTo,
                    KMSActions.GenerateDataKey,
                    KMSActions.GenerateDataKeyWithoutPlaintext,
                    KMSActions.GenerateRandom,
                    KMSActions.DescribeKey,
                    KMSActions.ScheduleKeyDeletion,
                    KMSActions.CancelKeyDeletion)
            // In a key policy "*" stands for the key the policy is attached to, not every key.
            .withResources(new Resource("*"));
}
示例3: subscribeQueueToTopic
import com.amazonaws.auth.policy.Statement; //导入依赖的package包/类
/**
 * Allows an SNS topic to deliver to an SQS queue and then subscribes the queue to the topic.
 *
 * <p>The queue's Policy attribute is set to a single-statement policy built here. Setting the attribute
 * replaces whatever policy the queue had before, so statements already on the queue are not carried over.
 *
 * @param snsTopicArn ARN of the topic that should be allowed to send to the queue
 * @param sqsQueueUrl URL of the queue to subscribe
 * @return the ARN of the created subscription
 */
public String subscribeQueueToTopic(String snsTopicArn, String sqsQueueUrl) {
    final String queueArnKey = QueueAttributeName.QueueArn.toString();

    // Resolve the queue ARN from its URL; both the policy and the subscription need the ARN.
    GetQueueAttributesRequest arnRequest =
            new GetQueueAttributesRequest(sqsQueueUrl).withAttributeNames(queueArnKey);
    Map<String, String> currentAttributes = sqsClient.getQueueAttributes(arnRequest).getAttributes();
    String sqsQueueArn = currentAttributes.get(queueArnKey);

    // The principal is "everyone"; the SourceArn condition is the only thing that limits
    // SendMessage to deliveries originating from this topic, so it must stay on the statement.
    Statement allowTopicToSend = new Statement(Effect.Allow)
            .withId("topic-subscription-" + snsTopicArn)
            .withPrincipals(Principal.AllUsers)
            .withActions(SQSActions.SendMessage)
            .withResources(new Resource(sqsQueueArn))
            .withConditions(ConditionFactory.newSourceArnCondition(snsTopicArn));
    Policy policy = new Policy().withStatements(allowTopicToSend);

    logger.debug("Policy: " + policy.toJson());

    Map<String, String> policyAttributes = new HashMap<String, String>();
    policyAttributes.put(QueueAttributeName.Policy.toString(), policy.toJson());
    sqsClient.setQueueAttributes(new SetQueueAttributesRequest(sqsQueueUrl, policyAttributes));

    SubscribeRequest subscribeRequest = new SubscribeRequest()
            .withEndpoint(sqsQueueArn)
            .withProtocol("sqs")
            .withTopicArn(snsTopicArn);
    SubscribeResult subscribeResult = snsClient.subscribe(subscribeRequest);
    return subscribeResult.getSubscriptionArn();
}
示例4: createPolicyFromJsonString
import com.amazonaws.auth.policy.Statement; //导入依赖的package包/类
/**
 * Parses a JSON document into an AWS access control policy object.
 *
 * <p>The policy id is copied when present, and every entry under the statement field is converted
 * with {@code statementOf}. A document without statements yields a policy with an empty statement list.
 *
 * <p>For more information see
 * http://docs.aws.amazon.com/AWSSdkDocsJava/latest/DeveloperGuide/java-dg-access-control.html
 *
 * @param jsonString
 *            the JSON string representation of the access control policy
 *
 * @return the policy object built from the JSON
 *
 * @throws IllegalArgumentException
 *             if {@code jsonString} is null, or if parsing or conversion fails for any reason
 *             (the original exception is attached as the cause)
 */
public Policy createPolicyFromJsonString(String jsonString) {
    if (jsonString == null) {
        throw new IllegalArgumentException("JSON string cannot be null");
    }

    Policy policy = new Policy();
    List<Statement> parsedStatements = new LinkedList<Statement>();

    try {
        JsonNode root = Jackson.jsonNodeOf(jsonString);

        JsonNode policyId = root.get(JsonDocumentFields.POLICY_ID);
        if (isNotNull(policyId)) {
            policy.setId(policyId.asText());
        }

        JsonNode statementArray = root.get(JsonDocumentFields.STATEMENT);
        if (isNotNull(statementArray)) {
            for (JsonNode statementNode : statementArray) {
                parsedStatements.add(statementOf(statementNode));
            }
        }
    } catch (Exception e) {
        // Every failure, whatever its type, is surfaced to the caller as IllegalArgumentException.
        throw new IllegalArgumentException(
                "Unable to generate policy object fron JSON string " + e.getMessage(), e);
    }

    policy.setStatements(parsedStatements);
    return policy;
}
示例5: statementOf
import com.amazonaws.auth.policy.Statement; //导入依赖的package包/类
/**
 * Creates a {@code Statement} instance from a statement JSON node.
 *
 * <p>A statement consists of an effect, an optional id, principals, actions, resources and conditions:
 * <ul>
 * <li>principal: the AWS account making a request to access or modify one of your AWS resources;</li>
 * <li>action: the way the resource is accessed or modified, such as sending a message to an
 * Amazon SQS queue or storing an object in an Amazon S3 bucket;</li>
 * <li>resource: the AWS entity the principal wants to access, such as an SQS queue or an S3 object;</li>
 * <li>conditions: optional constraints on when access is allowed or denied, for example date
 * conditions that allow access only before or after a specific time.</li>
 * </ul>
 *
 * <p>When the effect field is absent the statement is created with {@code Effect.Deny}. Each of the
 * other fields is set only when it is present in the node.
 *
 * @param jStatement
 *            JsonNode representing the statement.
 * @return the statement instance created.
 */
private Statement statementOf(JsonNode jStatement) {
    JsonNode effectNode = jStatement.get(JsonDocumentFields.STATEMENT_EFFECT);
    final Effect effect;
    if (isNotNull(effectNode)) {
        effect = Effect.valueOf(effectNode.asText());
    } else {
        // A statement with no effect falls back to Deny, never to Allow.
        effect = Effect.Deny;
    }
    Statement result = new Statement(effect);

    JsonNode idNode = jStatement.get(JsonDocumentFields.STATEMENT_ID);
    if (isNotNull(idNode)) {
        result.setId(idNode.asText());
    }

    JsonNode actions = jStatement.get(JsonDocumentFields.ACTION);
    if (isNotNull(actions)) {
        result.setActions(actionsOf(actions));
    }

    JsonNode resources = jStatement.get(JsonDocumentFields.RESOURCE);
    if (isNotNull(resources)) {
        result.setResources(resourcesOf(resources));
    }

    JsonNode conditions = jStatement.get(JsonDocumentFields.CONDITION);
    if (isNotNull(conditions)) {
        result.setConditions(conditionsOf(conditions));
    }

    JsonNode principals = jStatement.get(JsonDocumentFields.PRINCIPAL);
    if (isNotNull(principals)) {
        result.setPrincipals(principalOf(principals));
    }

    return result;
}
示例6: getForUser
import com.amazonaws.auth.policy.Statement; //导入依赖的package包/类
/**
 * Assembles the per-user upload policy for one bucket.
 *
 * <p>The policy is named {@code PerUserFileUploadingPolicy} and holds three statements, in this order:
 * multipart upload, object creation, bucket listing. Each statement is produced by its own helper
 * from the same {@code bucket} and {@code userName}.
 *
 * @param bucket   name of the S3 bucket
 * @param userName name of the user the policy is scoped to
 * @return the assembled policy
 */
static Policy getForUser(String bucket, String userName) {
    Statement objectAccess = getObjectCreatingStatement(bucket, userName);
    Statement multipartUpload = getMultipartUploadStatement(bucket, userName);
    Statement bucketListing = getListBucketStatement(bucket, userName);

    return new Policy(
            "PerUserFileUploadingPolicy",
            Arrays.asList(multipartUpload, objectAccess, bucketListing));
}
示例7: getObjectCreatingStatement
import com.amazonaws.auth.policy.Statement; //导入依赖的package包/类
/**
 * Builds the Allow statement for {@code s3:PutObject} and {@code s3:GetObject} on the objects under
 * {@code <bucket>/<userName>/}.
 *
 * <p>NOTE(review): {@code bucket} and {@code userName} are placed into the resource ARN as given. IAM
 * treats {@code *} and {@code ?} in a resource as wildcards, so the per-user scoping holds only if the
 * caller guarantees that neither value contains them; confirm where these values are validated.
 *
 * @param bucket   name of the S3 bucket
 * @param userName user whose key prefix is granted
 * @return the statement
 */
private static Statement getObjectCreatingStatement(String bucket, String userName) {
    String userObjectsArn = String.format("arn:aws:s3:::%s/%s/*", bucket, userName);
    Resource userObjects = new Resource(userObjectsArn);

    return new Statement(Statement.Effect.Allow)
            .withActions(() -> "s3:PutObject", () -> "s3:GetObject")
            .withResources(userObjects);
}
示例8: getListBucketStatement
import com.amazonaws.auth.policy.Statement; //导入依赖的package包/类
/**
 * Builds the Allow statement for {@code s3:ListBucket} on the bucket, limited to the user's prefix.
 *
 * <p>The condition is {@code StringEquals} on {@code s3:prefix} with the value {@code userName + "/"},
 * so only list requests whose prefix is exactly that value match; requests with a different or a
 * deeper prefix do not match this statement.
 *
 * @param bucket   name of the S3 bucket
 * @param userName user whose prefix may be listed
 * @return the statement
 */
private static Statement getListBucketStatement(String bucket, String userName) {
    Resource bucketResource = new Resource("arn:aws:s3:::" + bucket);

    Condition ownPrefixOnly = new Condition()
            .withType("StringEquals")
            .withConditionKey("s3:prefix")
            .withValues(userName + "/");

    return new Statement(Statement.Effect.Allow)
            .withActions(() -> "s3:ListBucket")
            .withResources(bucketResource)
            .withConditions(ownPrefixOnly);
}
示例9: getPolicy
import com.amazonaws.auth.policy.Statement; //导入依赖的package包/类
/**
 * Builds the queue policy {@code AuthorizedWorkerAccessPolicy} and returns it as JSON.
 *
 * <p>The policy has one Allow statement granting {@code SQSActions.SendMessage} on the queue returned
 * by {@code getQueueARN()}, with one principal per entry of {@code accountIds}.
 *
 * <p>NOTE(review): the entries are passed straight to {@code new Principal(String)}; presumably they are
 * AWS account IDs, in which case access is granted at account level. An empty list produces a
 * statement with no principals. Confirm that callers pass a vetted, non-empty list.
 *
 * @param accountIds identifiers of the principals allowed to send messages
 * @return the policy serialized as JSON
 */
private String getPolicy(List<String> accountIds) {
    Policy queuePolicy = new Policy("AuthorizedWorkerAccessPolicy");
    Statement allowSend = new Statement(Effect.Allow);

    allowSend.getActions().add(SQSActions.SendMessage);
    allowSend.setResources(new LinkedList<>());

    accountIds.forEach(accountId -> allowSend.getPrincipals().add(new Principal(accountId)));

    allowSend.getResources().add(new Resource(getQueueARN()));
    queuePolicy.getStatements().add(allowSend);

    return queuePolicy.toJson();
}
示例10: overwriteCMSPolicy
import com.amazonaws.auth.policy.Statement; //导入依赖的package包/类
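/**
 * Overwrites the policy statement for CMS with the standard statement, adding the standard statement
 * if the policy did not already contain one.
 *
 * <p>Every statement whose Sid equals {@code CERBERUS_MANAGEMENT_SERVICE_SID} is dropped and exactly one
 * freshly generated CMS statement is appended; all other statements are kept as parsed. The filtering
 * is done here rather than through {@code removeStatementFromPolicy}, because that helper appends the
 * standard CMS statement itself and a second append would leave two statements with the same Sid in
 * the returned policy.
 *
 * @param policyJson - The KMS key policy in JSON format
 * @return - The updated JSON KMS policy containing a regenerated statement for CMS
 * @throws IllegalArgumentException if the policy reader rejects {@code policyJson}
 */
protected String overwriteCMSPolicy(String policyJson) {
    Policy policy = policyReader.createPolicyFromJsonString(policyJson);

    Collection<Statement> statements = policy.getStatements();
    // Constant-first equals keeps the comparison null-safe for statements that carry no Sid.
    statements.removeIf(statement -> CERBERUS_MANAGEMENT_SERVICE_SID.equals(statement.getId()));
    statements.add(generateStandardCMSPolicyStatement());

    return policy.toJson();
}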
示例11: removeStatementFromPolicy
import com.amazonaws.auth.policy.Statement; //导入依赖的package包/类
/**
 * Replaces the policy's statements with a copy that omits every statement whose Sid equals
 * {@code statementId}, then appends the standard CMS statement.
 *
 * <p>NOTE(review): the standard CMS statement is appended on every call, whichever Sid is being
 * removed. A caller that also adds that statement itself ends up with it twice in the policy;
 * confirm whether the append belongs in this helper.
 *
 * @param policy      the policy to modify in place
 * @param statementId Sid of the statement(s) to drop; compared null-safely
 */
protected void removeStatementFromPolicy(Policy policy, String statementId) {
    Collection<Statement> currentStatements = policy.getStatements();

    List<Statement> retained = currentStatements
            .stream()
            .filter(candidate -> !StringUtils.equals(candidate.getId(), statementId))
            .collect(Collectors.toList());

    // Appended unconditionally, independent of statementId.
    retained.add(generateStandardCMSPolicyStatement());

    policy.setStatements(retained);
}
示例12: statementAppliesToPrincipal
import com.amazonaws.auth.policy.Statement; //导入依赖的package包/类
/**
 * Reports whether the given KMS key policy statement names the given principal.
 *
 * <p>The comparison is an exact, null-safe string match between {@code principalArn} and the id of
 * each principal on the statement; no wildcard or pattern matching is applied.
 *
 * @param statement    the statement to inspect
 * @param principalArn ARN the statement should name
 * @return {@code true} if at least one principal id equals {@code principalArn}
 */
protected boolean statementAppliesToPrincipal(Statement statement, String principalArn) {
    return statement.getPrincipals()
            .stream()
            .map(principal -> principal.getId())
            .anyMatch(principalId -> StringUtils.equals(principalId, principalArn));
}
示例13: statementIncludesAction
import com.amazonaws.auth.policy.Statement; //导入依赖的package包/类
/**
 * Reports whether the given KMS key policy statement lists the given action.
 *
 * <p>Action names are compared as exact, null-safe strings. A statement that grants the action only
 * through a wildcard action name is therefore reported as not including it.
 *
 * @param statement the statement to inspect
 * @param action    the action to look for
 * @return {@code true} if one of the statement's actions has the same action name
 */
protected boolean statementIncludesAction(Statement statement, Action action) {
    return statement.getActions()
            .stream()
            .map(Action::getActionName)
            .anyMatch(actionName -> StringUtils.equals(actionName, action.getActionName()));
}
示例14: generateStandardKmsPolicy
import com.amazonaws.auth.policy.Statement; //导入依赖的package包/类
/**
 * Generates the standard KMS key policy for a key used by one consumer IAM role.
 *
 * <p>The policy contains four Allow statements, in this order:
 * <ol>
 * <li>{@code rootUserArn} with all KMS actions;</li>
 * <li>{@code adminRoleArn} with all KMS actions;</li>
 * <li>the standard CMS statement from {@code generateStandardCMSPolicyStatement()};</li>
 * <li>{@code iamRoleArn} with {@code Decrypt} only, under the Sid {@code CERBERUS_CONSUMER_SID}.</li>
 * </ol>
 *
 * <p>NOTE(review): {@code iamRoleArn} is not validated here; confirm that callers pass a well-formed
 * role ARN.
 *
 * @param iamRoleArn ARN of the consumer role that may decrypt with the key
 * @return the key policy serialized as JSON
 */
public String generateStandardKmsPolicy(String iamRoleArn) {
    // In a key policy the resource "*" stands for the key the policy is attached to.
    Statement rootAccess = new Statement(Statement.Effect.Allow)
            .withId("Root User Has All Actions")
            .withPrincipals(new Principal(AWS_PROVIDER, rootUserArn, false))
            .withActions(KMSActions.AllKMSActions)
            .withResources(new Resource("*"));

    Statement adminAccess = new Statement(Statement.Effect.Allow)
            .withId("Admin Role Has All Actions")
            .withPrincipals(new Principal(AWS_PROVIDER, adminRoleArn, false))
            .withActions(KMSActions.AllKMSActions)
            .withResources(new Resource("*"));

    Statement cmsAccess = generateStandardCMSPolicyStatement();

    // The consumer role gets the narrowest grant in the policy: Decrypt and nothing else.
    Statement consumerAccess = new Statement(Statement.Effect.Allow)
            .withId(CERBERUS_CONSUMER_SID)
            .withPrincipals(new Principal(AWS_PROVIDER, iamRoleArn, false))
            .withActions(KMSActions.Decrypt)
            .withResources(new Resource("*"));

    return new Policy()
            .withStatements(rootAccess, adminAccess, cmsAccess, consumerAccess)
            .toJson();
}
示例15: test_that_generateStandardCMSPolicyStatement_returns_a_valid_statement
import com.amazonaws.auth.policy.Statement; //导入依赖的package包/类
/**
 * Verifies that the generated CMS statement carries the CMS Sid, has effect Allow, and is accepted by
 * {@code cmsHasKeyDeletePermissions} when it is the only statement in a policy.
 */
@Test
public void test_that_generateStandardCMSPolicyStatement_returns_a_valid_statement() {
    Statement cmsStatement = kmsPolicyService.generateStandardCMSPolicyStatement();

    assertEquals(KmsPolicyService.CERBERUS_MANAGEMENT_SERVICE_SID, cmsStatement.getId());
    assertEquals(Statement.Effect.Allow, cmsStatement.getEffect());

    // Serialize a policy holding only this statement and feed the JSON back through the checker.
    String policyJson = new Policy().withStatements(cmsStatement).toJson();
    assertTrue(kmsPolicyService.cmsHasKeyDeletePermissions(policyJson));
}