@Override public BlobAccess getBlobAccess(String container, String name) { AccessControlList acl = sync.getObjectACL(container, name); if (acl.hasPermission(GroupGranteeURI.ALL_USERS, Permission.READ)) { return BlobAccess.PUBLIC_READ; } else { return BlobAccess.PRIVATE; } }
/** * Converts a canned access control policy into the equivalent access control list. * * @param cannedAP * @param ownerId */ public static AccessControlList fromCannedAccessPolicy(CannedAccessPolicy cannedAP, String ownerId) { AccessControlList acl = new AccessControlList(); acl.setOwner(new CanonicalUser(ownerId)); // Canned access policies always allow full control to the owner. acl.addPermission(new CanonicalUserGrantee(ownerId), Permission.FULL_CONTROL); if (CannedAccessPolicy.PRIVATE == cannedAP) { // No more work to do. } else if (CannedAccessPolicy.AUTHENTICATED_READ == cannedAP) { acl.addPermission(GroupGranteeURI.AUTHENTICATED_USERS, Permission.READ); } else if (CannedAccessPolicy.PUBLIC_READ == cannedAP) { acl.addPermission(GroupGranteeURI.ALL_USERS, Permission.READ); } else if (CannedAccessPolicy.PUBLIC_READ_WRITE == cannedAP) { acl.addPermission(GroupGranteeURI.ALL_USERS, Permission.READ); acl.addPermission(GroupGranteeURI.ALL_USERS, Permission.WRITE); } return acl; }
/** * @return an unmodifiable set of grantees who have been assigned permissions in this ACL. */ public Set<Grantee> getGrantees() { Set<Grantee> grantees = Sets.newTreeSet(); for (Grant grant : getGrants()) { grantees.add(grant.getGrantee()); } return Collections.unmodifiableSet(grantees); }
public void run() { try { AccessControlList acl = getApi().getObjectACL(containerName, publicReadObjectKey); assertEquals(acl.getGrants().size(), 2); assertEquals(acl.getPermissions(GroupGranteeURI.ALL_USERS).size(), 1); assertNotNull(acl.getOwner()); String ownerId = acl.getOwner().getId(); assertTrue(acl.hasPermission(ownerId, Permission.FULL_CONTROL)); assertTrue(acl.hasPermission(GroupGranteeURI.ALL_USERS, Permission.READ)); } catch (Exception e) { Throwables.propagateIfPossible(e); } } });
private void checkGrants(AccessControlList acl) { String ownerId = acl.getOwner().getId(); assertEquals(acl.getGrants().size(), 4, acl.toString()); assertTrue(acl.hasPermission(ownerId, Permission.FULL_CONTROL), acl.toString()); assertTrue(acl.hasPermission(GroupGranteeURI.ALL_USERS, Permission.READ), acl.toString()); assertTrue(acl.hasPermission(ownerId, Permission.WRITE_ACP), acl.toString()); // EmailAddressGrantee is replaced by a CanonicalUserGrantee, so we cannot test by email addr assertTrue(acl.hasPermission(TEST_ACL_ID, Permission.READ_ACP), acl.toString()); }
public void testPrivateAclIsDefaultForBucket() throws InterruptedException, ExecutionException, TimeoutException, IOException { String bucketName = getContainerName(); try { AccessControlList acl = getApi().getBucketACL(bucketName); assertEquals(acl.getGrants().size(), 1); assertNotNull(acl.getOwner()); String ownerId = acl.getOwner().getId(); assertTrue(acl.hasPermission(ownerId, Permission.FULL_CONTROL)); } finally { returnContainer(bucketName); } }
String ownerId = acl.getOwner().getId(); assertEquals(acl.getGrants().size(), 1); assertTrue(acl.hasPermission(ownerId, Permission.FULL_CONTROL)); assertEquals(acl.getGrants().size(), 4); assertTrue(getApi().putObjectACL(containerName, objectKey, acl)); acl.revokeAllPermissions(new CanonicalUserGrantee(ownerId)); if (!ownerId.equals(TEST_ACL_ID)) acl.revokeAllPermissions(new CanonicalUserGrantee(TEST_ACL_ID)); assertEquals(acl.getGrants().size(), 1); assertTrue(acl.hasPermission(GroupGranteeURI.ALL_USERS, Permission.READ)); assertEquals(acl.getGrants().size(), 1); assertEquals(acl.getPermissions(ownerId).size(), 0); assertTrue(acl.hasPermission(GroupGranteeURI.ALL_USERS, Permission.READ), acl.toString()); } finally { returnContainer(containerName);
public void run() { try { BucketLogging newLogging = getApi().getBucketLogging(bucketName); assert newLogging !=null; AccessControlList acl = new AccessControlList(); for (Grant grant : newLogging.getTargetGrants()) { // TODO: add permission // checking features to // bucketlogging acl.addPermission(grant.getGrantee(), grant.getPermission()); } // EmailAddressGrantee is replaced by a CanonicalUserGrantee, so we cannot test by // email addr assertTrue(acl.hasPermission(StubS3AsyncClient.TEST_ACL_ID, Permission.FULL_CONTROL), acl.toString()); assertEquals(logging.getTargetBucket(), newLogging.getTargetBucket()); assertEquals(logging.getTargetPrefix(), newLogging.getTargetPrefix()); } catch (Exception e) { Throwables.propagateIfPossible(e); } } });
public void run() { try { AccessControlList acl = getApi().getBucketACL(bucketName + "eu"); assertTrue(acl.hasPermission(GroupGranteeURI.ALL_USERS, Permission.READ), acl.toString()); } catch (Exception e) { Throwables.propagateIfPossible(e); } } });
/** * @param granteeURI * @param permission * @return true if the grantee has the given permission. */ public boolean hasPermission(URI granteeURI, String permission) { return getPermissions(granteeURI).contains(permission); }
private void addGrantsToACL(AccessControlList acl) { String ownerId = acl.getOwner().getId(); acl.addPermission(GroupGranteeURI.ALL_USERS, Permission.READ); acl.addPermission(new EmailAddressGrantee(TEST_ACL_EMAIL), Permission.READ_ACP); acl.addPermission(new CanonicalUserGrantee(ownerId), Permission.WRITE_ACP); }
public void endElement(String uri, String name, String qName) { if (qName.equals("Owner")) { CanonicalUser owner = new CanonicalUser(currentId); owner.setDisplayName(currentDisplayName); acl.setOwner(owner); } else if (qName.equals("Grantee")) { if ("AmazonCustomerByEmail".equals(currentGranteeType)) { currentGrantee = new EmailAddressGrantee(currentId); } else if ("CanonicalUser".equals(currentGranteeType)) { currentGrantee = new CanonicalUserGrantee(currentId, currentDisplayName); } else if ("Group".equals(currentGranteeType)) { currentGrantee = new GroupGrantee(URI.create(currentId)); } } else if (qName.equals("Grant")) { acl.addPermission(currentGrantee, currentPermission); } else if (qName.equals("ID") || qName.equals("EmailAddress") || qName.equals("URI")) { currentId = currentOrNull(currentText); } else if (qName.equals("DisplayName")) { currentDisplayName = currentOrNull(currentText); } else if (qName.equals("Permission")) { currentPermission = currentOrNull(currentText); } currentText = new StringBuilder(); }
/** * Replace any AmazonCustomerByEmail grantees with a somewhat-arbitrary canonical user grantee, * to match S3 which substitutes each email address grantee with that user's corresponding ID. In * short, although you can PUT email address grantees, these are actually subsequently returned * by S3 as canonical user grantees. * * @param acl * @return */ protected AccessControlList sanitizeUploadedACL(AccessControlList acl) { // Replace any email address grantees with canonical user grantees, using // the acl's owner ID as the surrogate replacement. for (Grant grant : acl.getGrants()) { if (grant.getGrantee() instanceof EmailAddressGrantee) { EmailAddressGrantee emailGrantee = (EmailAddressGrantee) grant.getGrantee(); String id = emailGrantee.getEmailAddress().equals(TEST_ACL_EMAIL) ? TEST_ACL_ID : acl.getOwner().getId(); grant.setGrantee(new CanonicalUserGrantee(id, acl.getOwner().getDisplayName())); } } return acl; }
/** * Add a permission for the given group grantee. * * @param groupGranteeURI * @param permission */ public AccessControlList addPermission(URI groupGranteeURI, String permission) { return addPermission(new GroupGrantee(groupGranteeURI), permission); }
/** * @param granteeId * @return the permissions assigned to a grantee, as identified by the given ID. */ public Collection<String> getPermissions(String granteeId) { Collection<Grant> grantsForGrantee = findGrantsForGrantee(granteeId); return Collections2.transform(grantsForGrantee, new Function<Grant, String>() { public String apply(Grant g) { return g.getPermission(); } }); }
/** * Revoke a permission for the given group grantee, if this specific permission was granted. * * Note that you must be very explicit about the permissions you revoke, you cannot revoke * partial permissions and expect this class to determine the implied remaining permissions. For * example, if you revoke the {@link Permission#READ} permission from a grantee with * {@link Permission#FULL_CONTROL} access, <strong>the revocation will do nothing</strong> and * the grantee will retain full access. To change the access settings for this grantee, you must * first remove the {@link Permission#FULL_CONTROL} permission the add back the * {@link Permission#READ} permission. * * @param groupGranteeURI * @param permission */ public AccessControlList revokePermission(URI groupGranteeURI, String permission) { return revokePermission(new GroupGrantee(groupGranteeURI), permission); }
@Test public void testAccessControlListOwnerOnly() throws HttpException { String ownerId = "1a405254c932b52e5b5caaa88186bc431a1bacb9ece631f835daddaf0c47677c"; AccessControlList acl = createParser().parse(Strings2.toInputStream(aclOwnerOnly)); assertEquals(acl.getOwner().getId(), ownerId); assertEquals(acl.getOwner().getDisplayName(), "jamesmurty"); assertEquals(acl.getPermissions(ownerId).size(), 1); assertTrue(acl.hasPermission(ownerId, Permission.FULL_CONTROL)); assertEquals(acl.getGrants().size(), 1); assertEquals(acl.getPermissions(GroupGranteeURI.ALL_USERS).size(), 0); assertEquals(acl.getPermissions(GroupGranteeURI.AUTHENTICATED_USERS).size(), 0); assertEquals(acl.getPermissions(GroupGranteeURI.LOG_DELIVERY).size(), 0); }
private void checkGrants(AccessControlList acl) { String ownerId = acl.getOwner().getId(); assertEquals(acl.getGrants().size(), 4, acl.toString()); assertTrue(acl.hasPermission(ownerId, Permission.FULL_CONTROL), acl.toString()); assertTrue(acl.hasPermission(GroupGranteeURI.ALL_USERS, Permission.READ), acl.toString()); assertTrue(acl.hasPermission(ownerId, Permission.WRITE_ACP), acl.toString()); // EmailAddressGrantee is replaced by a CanonicalUserGrantee, so we cannot test by email addr assertTrue(acl.hasPermission(StubS3AsyncClient.TEST_ACL_ID, Permission.READ_ACP), acl.toString()); }
public void testPrivateAclIsDefaultForBucket() throws InterruptedException, ExecutionException, TimeoutException, IOException { String bucketName = getContainerName(); try { AccessControlList acl = getApi().getBucketACL(bucketName); assertEquals(acl.getGrants().size(), 1); assertNotNull(acl.getOwner()); String ownerId = acl.getOwner().getId(); assertTrue(acl.hasPermission(ownerId, FULL_CONTROL)); } finally { returnContainer(bucketName); } }
String ownerId = acl.getOwner().getId(); assertEquals(acl.getGrants().size(), 1); assertTrue(acl.hasPermission(ownerId, Permission.FULL_CONTROL)); assertEquals(acl.getGrants().size(), 4); assertTrue(getApi().putObjectACL(containerName, objectKey, acl)); acl.revokeAllPermissions(new CanonicalUserGrantee(ownerId)); if (!ownerId.equals(TEST_ACL_ID)) acl.revokeAllPermissions(new CanonicalUserGrantee(TEST_ACL_ID)); assertEquals(acl.getGrants().size(), 1); assertTrue(acl.hasPermission(GroupGranteeURI.ALL_USERS, Permission.READ)); assertEquals(acl.getGrants().size(), 1); assertEquals(acl.getPermissions(ownerId).size(), 0); assertTrue(acl.hasPermission(GroupGranteeURI.ALL_USERS, Permission.READ), acl.toString()); } finally { returnContainer(containerName);