Represents an access policy for AWS operations and resources. For example:
    policy = Policy.new do |policy|
      policy.allow(
        :actions    => ['s3:PutObject'],
        :resources  => "arn:aws:s3:::mybucket/mykey/*",
        :principals => :any
      ).where(:acl).is("public-read")
    end

    policy.to_json
    # => '{ "Version":"2008-10-17", ...'
@see initialize More ways to construct a policy.
@see docs.amazonwebservices.com/AmazonS3/latest/dev/AccessPolicyLanguage_UseCases_s3_a.html Example policies (in JSON).
@return [String] A unique ID for the policy.
@see Statement
@return [Array] An array of policy statements.
@return [String] The version of the policy language used in this policy object.
Constructs a policy from a JSON representation.
@see initialize
@return [Policy] Returns a Policy object constructed by parsing the passed JSON policy.
    # File lib/aws/core/policy.rb, line 146
    def self.from_json(json)
      new(JSON.parse(json))
    end
Constructs a policy. There are a few different ways to build a policy:
With hash arguments:
    Policy.new(:statements => [
      {
        :effect     => :allow,
        :actions    => :all,
        :principals => ["abc123"],
        :resources  => "mybucket/mykey"
      }
    ])
From a JSON policy document:
    Policy.from_json(policy_json_string)
With a block:
    Policy.new do |policy|
      policy.allow(
        :actions    => ['s3:PutObject'],
        :resources  => "arn:aws:s3:::mybucket/mykey/*",
        :principals => :any
      ).where(:acl).is("public-read")
    end
    # File lib/aws/core/policy.rb, line 77
    def initialize(opts = {})

      # accept either symbol keys (:statements) or the JSON key ("Statement");
      # anything that is not an array is ignored
      @statements = opts.values_at(:statements, "Statement").select do |a|
        a.kind_of?(Array)
      end.flatten.map do |stmt|
        self.class::Statement.new(stmt)
      end

      # use the supplied id, otherwise generate one from a timestamp UUID
      if opts.has_key?(:id) or opts.has_key?("Id")
        @id = opts[:id] || opts["Id"]
      else
        @id = UUIDTools::UUID.timestamp_create.to_s.tr('-','')
      end

      # default to the 2008-10-17 policy language version
      if opts.has_key?(:version) or opts.has_key?("Version")
        @version = opts[:version] || opts["Version"]
      else
        @version = "2008-10-17"
      end

      yield(self) if block_given?

    end
@return [Boolean] Returns true if the two policies are the same (the policy Id and statement Sid values are ignored in the comparison).
    # File lib/aws/core/policy.rb, line 99
    def ==(other)
      if other.kind_of?(Core::Policy)
        self.hash_without_ids == other.hash_without_ids
      else
        false
      end
    end
Convenience method for constructing a new statement with the “Allow” effect and adding it to the policy. For example:
    policy.allow(
      :actions    => [:put_object],
      :principals => :any,
      :resources  => "mybucket/mykey/*"
    ).where(:acl).is("public-read")
@option (see Statement#initialize)
@see Statement#initialize
@return [ConditionBuilder]
    # File lib/aws/core/policy.rb, line 219
    def allow(opts = {})
      stmt = self.class::Statement.new(opts.merge(:effect => :allow))
      statements << stmt
      ConditionBuilder.new(stmt.conditions)
    end
Convenience method for constructing a new statement with the “Deny” effect and adding it to the policy. For example:
    policy.deny(
      :actions    => [:put_object],
      :principals => :any,
      :resources  => "mybucket/mykey/*"
    ).where(:acl).is("public-read")
@param (see Statement#initialize)
@see Statement#initialize
@return [ConditionBuilder]
    # File lib/aws/core/policy.rb, line 237
    def deny(opts = {})
      stmt = self.class::Statement.new(opts.merge(:effect => :deny))
      statements << stmt
      ConditionBuilder.new(stmt.conditions)
    end
Returns a hash representation of the policy. The following statements are equivalent:
    policy.to_h.to_json
    policy.to_json
@return [Hash]
    # File lib/aws/core/policy.rb, line 129
    def to_h
      {
        "Version"   => version,
        "Id"        => id,
        "Statement" => statements.map { |st| st.to_h }
      }
    end
@return [String] a JSON representation of the policy.
    # File lib/aws/core/policy.rb, line 138
    def to_json
      to_h.to_json
    end
Removes the ids from the policy and its statements for the purpose of comparing two policies for equivalence.
@return [Hash] Returns the policy as a hash with no ids
@private
    # File lib/aws/core/policy.rb, line 112
    def hash_without_ids
      hash = self.to_h
      hash.delete('Id')
      hash['Statement'].each do |statement|
        statement.delete('Sid')
      end
      hash
    end
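The following is an added example (not code from the aws-sdk gem) that works on the JSON documents Policy#to_json emits: it applies the same Id/Sid stripping as hash_without_ids to compare two serialised policies, and it flags Allow statements open to any principal that carry no Condition. It assumes, as its constructed sample documents do, that `:principals => :any` serialises to `"Principal":"*"` (the `{"AWS" => "*"}` form is also accepted).

```ruby
require 'json'

# Constructed sample in the shape Policy#to_json emits: the first statement is
# the conditioned "public-read" PutObject grant from the examples above, the
# second is an unconditioned public GetObject grant.
POLICY_A = <<~JSON
  {"Version":"2008-10-17","Id":"a1b2c3","Statement":[
    {"Sid":"s1","Effect":"Allow","Principal":"*","Action":"s3:PutObject",
     "Resource":"arn:aws:s3:::mybucket/mykey/*",
     "Condition":{"StringEquals":{"s3:x-amz-acl":"public-read"}}},
    {"Sid":"s2","Effect":"Allow","Principal":"*","Action":"s3:GetObject",
     "Resource":"arn:aws:s3:::mybucket/*"}
  ]}
JSON

# Same statements with different generated Id/Sid values: should be equivalent.
POLICY_B = POLICY_A.sub('"Id":"a1b2c3"', '"Id":"zzz"').sub('"Sid":"s1"', '"Sid":"x"')

# Drop the policy Id and every statement Sid, as Policy#hash_without_ids does,
# so two documents can be compared on their effective content only.
def without_ids(json)
  policy = JSON.parse(json)
  policy.delete("Id")
  policy["Statement"].each { |st| st.delete("Sid") }
  policy
end

def same_policy?(json_a, json_b)
  without_ids(json_a) == without_ids(json_b)
end

# Sids of Allow statements granted to any principal with no Condition narrowing
# them; these are the grants worth a second look before the policy is applied.
def unconditional_public_allows(json)
  JSON.parse(json)["Statement"].select do |st|
    any_principal = st["Principal"] == "*" || st["Principal"] == { "AWS" => "*" }
    st["Effect"] == "Allow" && any_principal && !st.key?("Condition")
  end.map { |st| st["Sid"] }
end
```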