Represents a statement in a policy.
@return [Array] Returns an array of statement actions included
by this policy statement.
@return [Array] Returns an array of conditions for this policy.
@return [String] Returns the statement effect, either "Allow" or "Deny".
@return [Array] Returns an array of actions excluded by this
policy statement.
@return [Array] Returns an array of principals.
@return [Array] Returns an array of resources affected by this
policy statement.
@return [String] Returns the statement id
Constructs a new statement.
@option opts [String] :sid The statement ID. This is optional; if
omitted, a UUID will be generated for the statement.
@option opts [String] :effect The statement effect, which must be either
"Allow" or "Deny".
@see Policy#allow
@see Policy#deny
@option opts [String or array of strings] :principals The account(s)
affected by the statement. These should be AWS account IDs.
@option opts :actions The action or actions affected by
the statement. These can be symbols or strings. If they are strings, you can use the wildcard character "*" to match zero or more characters in the action name. Symbols are expected to match methods of S3::Client.
@option opts :excluded_actions Action or actions which are
explicitly not affected by this statement. As with +:actions+, these may be symbols or strings.
@option opts [String or array of strings] :resources The
resource(s) affected by the statement. These can be expressed as ARNs (e.g. +arn:aws:s3:::mybucket/mykey+) or you may omit the +arn:aws:s3:::+ prefix and just give the path as +bucket_name/key+. You may use the wildcard character "*" to match zero or more characters in the resource name.
@option opts [ConditionBlock or Hash] :conditions
Additional conditions that narrow the effect of the statement. It's typically more convenient to use the ConditionBuilder instance returned from Policy#allow or Policy#deny to add conditions to a statement.
@see S3::Client
# File lib/aws/core/policy.rb, line 746
# Builds a statement from +opts+ (see the option list above).
#
# A freshly generated Sid and an empty ConditionBlock are assigned first, so
# both exist even when the caller passes no options; +parse_options+ may then
# overwrite either. The Sid is a timestamp UUID with its dashes removed
# (presumably because policy Sids are restricted to alphanumerics — confirm
# against the policy grammar in use).
#
# If a block is given it receives the statement *after* the options have been
# applied, so anything set in the block takes precedence.
#
# @param opts [Hash] statement options
# @yield [statement] the newly built statement, for further customisation
def initialize(opts = {})
  generated_sid = UUIDTools::UUID.timestamp_create.to_s.delete('-')
  self.sid = generated_sid
  self.conditions = ConditionBlock.new
  parse_options(opts)
  yield(self) if block_given?
end
Convenience method to add to the list of actions explicitly not affected by this statement.
# File lib/aws/core/policy.rb, line 765
# Appends one or more actions to the list of actions explicitly *not*
# affected by this statement, creating the list on first use.
#
# @param actions [Array<String, Symbol>] actions to exclude (see
#   +translate_action+ for how symbols and strings are interpreted)
# @return [Array] the updated list of excluded actions
def exclude_actions(*actions)
  self.excluded_actions = [] unless excluded_actions
  excluded_actions.concat(actions)
end
Convenience method to add to the list of actions affected by this statement.
# File lib/aws/core/policy.rb, line 757 def include_actions(*actions) self.actions ||= [] self.actions.push(*actions) end
@private
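# File lib/aws/core/policy.rb, line 772
# Serialises the statement into the hash form used by the policy document.
#
# Each derived value is computed once up front (the original recomputed
# +principals_hash+, +translated_actions+ and +conditions.to_h+ on every
# reference, re-running action translation in the process).
#
# Keys are emitted in the order Sid, Effect, Principal, Resource, Condition,
# then Action or NotAction:
# - "Principal" is omitted when no principals were set.
# - "Resource" is always present, even when +resource_arns+ is nil.
# - "Condition" is omitted when there is no condition block or it is empty.
# - When no actions are set the statement is written with "NotAction" instead
#   of "Action". NOTE: an Allow statement with NotAction grants every action
#   except the listed ones, so an empty :actions list yields a broad grant,
#   not an empty one. If no excluded actions were set either, "NotAction"
#   is emitted with a nil value (preserved from the original behaviour).
#
# @return [Hash] the statement as a policy-document hash
# @raise [ArgumentError] from +translate_action+ for unrecognised symbols
# @private
def to_h
  condition = conditions.to_h if conditions
  principal = principals_hash
  action = translated_actions

  stmt = {
    "Sid" => sid,
    "Effect" => Inflection.class_name(effect.to_s)
  }
  stmt["Principal"] = principal if principal
  stmt["Resource"] = resource_arns
  stmt["Condition"] = condition if condition && !condition.empty?
  if action.nil? || action.empty?
    stmt["NotAction"] = translated_excluded_actions
  else
    stmt["Action"] = action
  end
  stmt
end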
# File lib/aws/core/policy.rb, line 841
# Assigns +value+ to the +attr+ writer, wrapping it in a one-element array
# unless it already is an Array. A nil value becomes +[nil]+, not +[]+.
#
# +attr+ is supplied by the private +parse_*_option+ methods, never from
# caller input; the writer is invoked via +send+ so private writers work.
#
# @param attr [Symbol] name of the attribute whose writer is called
# @param value [Object, Array] the raw option value
# @return [Array] the value assigned
def coerce_array_option(attr, value)
  wrapped = value.is_a?(Array) ? value : [value]
  send("#{attr}=", wrapped)
end
# File lib/aws/core/policy.rb, line 811
# Handles the +:actions+ option: stores the value as the +actions+ array,
# wrapping a single action in a one-element array.
#
# @param value [String, Symbol, Array] one action or a list of actions
def parse_action_option(value)
  coerce_array_option :actions, value
end
# File lib/aws/core/policy.rb, line 836
# Handles the +:conditions+ option: replaces the statement's condition block
# with a new ConditionBlock built from +value+ (the empty block created in
# +initialize+ is discarded, not merged).
#
# @param value [ConditionBlock, Hash] conditions passed to ConditionBlock.new
def parse_condition_option(value)
  block = ConditionBlock.new(value)
  self.conditions = block
end
# File lib/aws/core/policy.rb, line 801
# Handles the +:effect+ option by storing it unchanged; it is normalised to
# "Allow"/"Deny" form only later, in +to_h+. No validation is done here, so an
# unexpected value surfaces in the serialised document rather than raising.
#
# @param value [String, Symbol] the statement effect
def parse_effect_option(value)
  effect_value = value
  self.effect = effect_value
end
# File lib/aws/core/policy.rb, line 816
# Handles the +:not_action+ option (the "NotAction" policy element): stores
# the value as the +excluded_actions+ array, wrapping a single action.
#
# @param value [String, Symbol, Array] one action or a list of actions
def parse_not_action_option(value)
  coerce_array_option :excluded_actions, value
end
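# File lib/aws/core/policy.rb, line 791
# Dispatches each option to its +parse_<name>_option+ handler.
#
# The option key is converted to its Ruby name, a trailing "s" is stripped
# (so +:actions+ reaches +parse_action_option+), and the handler is called
# only if one exists. The regex literal was garbled in the listing
# (+%rs$/+); it is restored here as +/s$/+.
#
# Because the lookup uses +respond_to?(name, true)+, private handlers are
# reachable, but an option with no handler is *silently ignored* — a
# misspelled key (e.g. a typo in +:resources+) drops that setting without
# any error, so callers should not rely on this method to reject unknown
# options.
#
# @param options [Hash] statement options keyed by name
def parse_options(options)
  options.each do |name, value|
    handler_name = Inflection.ruby_name(name.to_s)
    handler_name.sub!(/s$/, '')
    handler = "parse_#{handler_name}_option"
    # Unknown names fall through without error by design; see note above.
    send(handler, value) if respond_to?(handler, true)
  end
end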
# File lib/aws/core/policy.rb, line 822
# Handles the +:principals+ option.
#
# A Hash is accepted in policy-document form, but only its "AWS" entry is
# honoured — any other keys it carries are dropped, and a hash without "AWS"
# yields an empty principal list. Every other value is stored as-is, wrapped
# in an array when it is not one already.
#
# @param value [String, Symbol, Array, Hash] principal(s) for the statement
def parse_principal_option(value)
  value = value["AWS"] || [] if value.is_a?(Hash)
  coerce_array_option(:principals, value)
end
# File lib/aws/core/policy.rb, line 831
# Handles the +:resources+ option: stores the value as the +resources+
# array, wrapping a single resource. No ARN validation happens here.
#
# @param value [String, Symbol, Array] one resource or a list of resources
def parse_resource_option(value)
  coerce_array_option :resources, value
end
# File lib/aws/core/policy.rb, line 806
# Handles the +:sid+ option, replacing the UUID generated in +initialize+.
# The value is stored verbatim; no check is made that it is a valid Sid.
#
# @param value [String] the statement id
def parse_sid_option(value)
  sid_value = value
  self.sid = sid_value
end
# File lib/aws/core/policy.rb, line 850
# Builds the "Principal" element of the statement, or nil when no
# principals were set.
#
# The symbol +:any+ is written as the wildcard principal "*", which matches
# every caller, including anonymous requests — use it deliberately. Every
# other principal is written through unchanged.
#
# Note that an empty +principals+ array still produces +{"AWS" => []}+.
#
# @return [Hash, nil] +{"AWS" => [...]}+ or nil
def principals_hash
  return nil unless principals
  aws_principals = principals.map { |p| p == :any ? "*" : p }
  { "AWS" => aws_principals }
end
# File lib/aws/core/policy.rb, line 906
# Converts one resource to the string written into the policy.
#
# This base implementation only stringifies the value; it does not add the
# +arn:aws:s3:::+ prefix the option documentation mentions, so that expansion
# presumably lives in a service-specific subclass — confirm before relying
# on it here.
#
# @param resource [String, Symbol, #to_s] the resource
# @return [String] the resource as a string
def resource_arn(resource)
  "#{resource}"
end
# File lib/aws/core/policy.rb, line 895
# Builds the "Resource" element: each resource is passed through
# +resource_arn+, except the symbol +:any+, which becomes the wildcard "*"
# (every resource). Returns nil when no resources were set.
#
# @return [Array<String>, nil] resource strings, or nil
def resource_arns
  return nil unless resources
  resources.map { |r| r == :any ? "*" : resource_arn(r) }
end
# File lib/aws/core/policy.rb, line 859
# Translates one action into the string written into the policy.
#
# - A String is returned unchanged and unvalidated (wildcards included), so
#   a misspelled action string produces a statement that simply does not
#   match what was intended.
# - +:any+ becomes the wildcard "*", i.e. every action.
# - Any other Symbol is looked up in the subclass's +ACTION_MAPPING+; the
#   generic Core::Policy::Statement has no mapping and rejects symbols.
# - Anything else yields nil.
#
# @param action [String, Symbol] the action
# @return [String, nil] the translated action
# @raise [ArgumentError] for a symbol on a generic statement, or a symbol
#   missing from +ACTION_MAPPING+
def translate_action(action)
  return action if action.is_a?(String)
  return '*' if action == :any
  return unless action.is_a?(Symbol)

  if self.class == Core::Policy::Statement
    raise ArgumentError, 'symbolized action names are only accepted by service ' \
                         'specific policies (e.g. AWS::S3::Policy)'
  end
  mapping = self.class::ACTION_MAPPING
  raise ArgumentError, "unrecognized action: #{action}" unless mapping.has_key?(action)
  mapping[action]
end
# File lib/aws/core/policy.rb, line 881
# Translates every entry of +actions+ via +translate_action+, or returns nil
# when no actions were set.
#
# @return [Array<String>, nil] translated actions, or nil
# @raise [ArgumentError] propagated from +translate_action+
def translated_actions
  return nil unless actions
  actions.map(&method(:translate_action))
end
# File lib/aws/core/policy.rb, line 889
# Translates every entry of +excluded_actions+ via +translate_action+ (the
# "NotAction" list), or returns nil when none were set.
#
# @return [Array<String>, nil] translated excluded actions, or nil
# @raise [ArgumentError] propagated from +translate_action+
def translated_excluded_actions
  return nil unless excluded_actions
  excluded_actions.map do |excluded|
    translate_action(excluded)
  end
end