1 /* 2 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"). 5 * You may not use this file except in compliance with the License. 6 * A copy of the License is located at 7 * 8 * http://aws.amazon.com/apache2.0 9 * 10 * or in the "license" file accompanying this file. This file is distributed 11 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either 12 * express or implied. See the License for the specific language governing 13 * permissions and limitations under the License. 14 */ 15 16 package software.amazon.awssdk.core.auth.policy; 17 18 /** 19 * A principal is an AWS account or AWS web service, which is being allowed or denied access to a 20 * resource through an access control policy. The principal is a property of the 21 * {@link Statement} object, not directly the {@link Policy} object. 22 * <p> 23 * The principal is A in the statement 24 * "A has permission to do B to C where D applies." 25 * <p> 26 * In an access control policy statement, you can set the principal to all 27 * authenticated AWS users through the {@link Principal#ALL_USERS} member. This 28 * is useful when you don't want to restrict access based on the identity of the 29 * requester, but instead on other identifying characteristics such as the 30 * requester's IP address. 31 */ 32 public class Principal { 33 34 /** 35 * Principal instance that includes all users, including anonymous users. 36 * <p> 37 * This is useful when you don't want to restrict access based on the 38 * identity of the requester, but instead on other identifying 39 * characteristics such as the requester's IP address. 40 */ 41 public static final Principal ALL_USERS = new Principal("AWS", "*"); 42 43 /** 44 * Principal instance that includes all AWS web services. 45 */ 46 public static final Principal ALL_SERVICES = new Principal("Service", "*"); 47 48 /** 49 * Principal instance that includes all the web identity providers. 50 */ 51 public static final Principal ALL_WEB_PROVIDERS = new Principal("Federated", "*"); 52 53 /** 54 * Principal instance that includes all the AWS accounts, AWS web services and web identity providers. 55 */ 56 public static final Principal ALL = new Principal("*", "*"); 57 58 private final String id; 59 private final String provider; 60 61 /** 62 * Constructs a new principal with the specified AWS web service which 63 * is being allowed or denied access to a resource through an access control 64 * policy. 65 * 66 * @param service 67 * An AWS service. 68 */ Principal(Service service)69 public Principal(Service service) { 70 if (service == null) { 71 throw new IllegalArgumentException("Null AWS service name specified"); 72 } 73 id = service.getServiceId(); 74 provider = "Service"; 75 } 76 77 78 /** 79 * Constructs a new principal with the specified AWS account ID. This method 80 * automatically strips hyphen characters found in the account Id. 81 * 82 * @param accountId 83 * An AWS account ID. 84 */ Principal(String accountId)85 public Principal(String accountId) { 86 this("AWS", accountId); 87 88 if (accountId == null) { 89 throw new IllegalArgumentException("Null AWS account ID specified"); 90 } 91 } 92 93 /** 94 * Constructs a new principal with the specified id and provider. This 95 * method automatically strips hyphen characters found in the account ID if 96 * the provider is "AWS". 97 */ Principal(String provider, String id)98 public Principal(String provider, String id) { 99 this(provider, id, provider.equals("AWS")); 100 } 101 102 /** 103 * Constructs a new principal with the specified id and provider. This 104 * method optionally strips hyphen characters found in the account Id. 105 */ Principal(String provider, String id, boolean stripHyphen)106 public Principal(String provider, String id, boolean stripHyphen) { 107 this.provider = provider; 108 this.id = stripHyphen ? 109 id.replace("-", "") : id; 110 } 111 112 /** 113 * Constructs a new principal with the specified web identity provider. 114 * 115 * @param webIdentityProvider 116 * An web identity provider. 117 */ Principal(WebIdentityProvider webIdentityProvider)118 public Principal(WebIdentityProvider webIdentityProvider) { 119 if (webIdentityProvider == null) { 120 throw new IllegalArgumentException("Null web identity provider specified"); 121 } 122 this.id = webIdentityProvider.getWebIdentityProvider(); 123 provider = "Federated"; 124 } 125 126 /** 127 * Returns the provider for this principal, which indicates in what group of 128 * users this principal resides. 129 * 130 * @return The provider for this principal. 131 */ getProvider()132 public String getProvider() { 133 return provider; 134 } 135 136 /** 137 * Returns the unique ID for this principal. 138 * 139 * @return The unique ID for this principal. 140 */ getId()141 public String getId() { 142 return id; 143 } 144 145 @Override hashCode()146 public int hashCode() { 147 int prime = 31; 148 int hashCode = 1; 149 150 hashCode = prime * hashCode + provider.hashCode(); 151 hashCode = prime * hashCode + id.hashCode(); 152 return hashCode; 153 } 154 155 @Override equals(Object principal)156 public boolean equals(Object principal) { 157 if (this == principal) { 158 return true; 159 } 160 161 if (principal == null) { 162 return false; 163 } 164 165 if (principal instanceof Principal == false) { 166 return false; 167 } 168 169 Principal other = (Principal) principal; 170 171 if (this.getProvider().equals(other.getProvider()) 172 && this.getId().equals(other.getId())) { 173 return true; 174 } 175 176 return false; 177 } 178 179 /** 180 * The services who have the right to do the assume the role 181 * action. The AssumeRole action returns a set of temporary security 182 * credentials that you can use to access resources that are defined in the 183 * role's policy. The returned credentials consist of an Access Key ID, a 184 * Secret Access Key, and a security token. 185 */ 186 public enum Service { 187 188 AWSDataPipeline("datapipeline.amazonaws.com"), 189 AmazonElasticTranscoder("elastictranscoder.amazonaws.com"), 190 AmazonEC2("ec2.amazonaws.com"), 191 AWSOpsWorks("opsworks.amazonaws.com"), 192 AWSCloudHSM("cloudhsm.amazonaws.com"), 193 AllServices("*"); 194 private String serviceId; 195 196 /** 197 * The service which has the right to assume the role. 198 */ Service(String serviceId)199 Service(String serviceId) { 200 this.serviceId = serviceId; 201 } 202 203 /** 204 * Construct the Services object from a string representing the service id. 205 */ fromString(String serviceId)206 public static Service fromString(String serviceId) { 207 if (serviceId != null) { 208 for (Service s : Service.values()) { 209 if (s.getServiceId().equalsIgnoreCase(serviceId)) { 210 return s; 211 } 212 } 213 } 214 215 return null; 216 } 217 getServiceId()218 public String getServiceId() { 219 return serviceId; 220 } 221 222 223 } 224 225 /** 226 * Web identity providers, such as Login with Amazon, Facebook, or Google. 227 */ 228 public enum WebIdentityProvider { 229 230 Facebook("graph.facebook.com"), 231 Google("accounts.google.com"), 232 Amazon("www.amazon.com"), 233 AllProviders("*"); 234 235 private String webIdentityProvider; 236 237 /** 238 * The web identity provider which has the right to assume the role. 239 */ WebIdentityProvider(String webIdentityProvider)240 WebIdentityProvider(String webIdentityProvider) { 241 this.webIdentityProvider = webIdentityProvider; 242 } 243 244 /** 245 * Construct the Services object from a string representing web identity provider. 246 */ fromString(String webIdentityProvider)247 public static WebIdentityProvider fromString(String webIdentityProvider) { 248 if (webIdentityProvider != null) { 249 for (WebIdentityProvider provider : WebIdentityProvider.values()) { 250 if (provider.getWebIdentityProvider().equalsIgnoreCase(webIdentityProvider)) { 251 return provider; 252 } 253 } 254 } 255 256 return null; 257 } 258 getWebIdentityProvider()259 public String getWebIdentityProvider() { 260 return webIdentityProvider; 261 } 262 263 264 } 265 266 267 } 268