/**
 * Builds the JSON queue policy that lets each listed AWS account send messages to this
 * worker's queue (ARN taken from {@link #getQueueARN()}).
 *
 * Every account id becomes a principal of one Allow statement for
 * {@code SQSActions.SendMessage}; no condition narrows the statement further, so the
 * caller is responsible for passing only accounts that should be able to enqueue work.
 *
 * @param accountIds AWS account ids to authorize as principals
 * @return the policy serialized with {@code Policy.toJson()}
 */
private String getPolicy(List<String> accountIds) {
    Statement allowSend = new Statement(Effect.Allow);
    allowSend.getActions().add(SQSActions.SendMessage);
    // One principal per account; each account listed here may send to the queue.
    for (String id : accountIds) {
        allowSend.getPrincipals().add(new Principal(id));
    }
    // The statement's resource list is replaced with a fresh list holding only our queue.
    List<Resource> queueOnly = new LinkedList<>();
    queueOnly.add(new Resource(getQueueARN()));
    allowSend.setResources(queueOnly);
    Policy policy = new Policy("AuthorizedWorkerAccessPolicy");
    policy.getStatements().add(allowSend);
    return policy.toJson();
}
: Effect.Deny ; Statement statement = new Statement(effect);
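/**
 * Builds a bucket policy granting anonymous {@code s3:GetObject} on every object in the
 * bucket. The principal is {@code Principal.AllUsers}, so applying this policy makes every
 * object under {@code arn:aws:s3:::<bucket>/*} publicly readable; use it only for buckets
 * that are meant to be public.
 *
 * @param bucket_name name of the bucket; must be non-null and non-empty because it is
 *        concatenated directly into the resource ARN
 * @return the policy as JSON
 * @throws IllegalArgumentException if {@code bucket_name} is null or empty
 */
public static String getPublicReadPolicy(String bucket_name) {
    // Without this guard a null name silently yields the ARN "arn:aws:s3:::null/*",
    // i.e. a policy for a bucket literally named "null", and "" yields "arn:aws:s3:::/*".
    if (bucket_name == null || bucket_name.isEmpty()) {
        throw new IllegalArgumentException("bucket_name must be a non-empty bucket name");
    }
    Resource allObjects = new Resource("arn:aws:s3:::" + bucket_name + "/*");
    Statement publicRead = new Statement(Statement.Effect.Allow)
            .withPrincipals(Principal.AllUsers)
            .withActions(S3Actions.GetObject)
            .withResources(allObjects);
    return new Policy().withStatements(publicRead).toJson();
}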
Statement statement = new Statement(Statement.Effect.Allow) .withPrincipals(Principal.AllUsers) .withActions(SQSActions.SendMessage)
/**
 * Creates a uniquely named SQS queue and SNS topic, authorizes the topic to deliver into
 * the queue, and subscribes the queue to the topic. The results are stored in the
 * {@code queueUrl} and {@code topicArn} fields.
 *
 * The queue policy names {@code Principal.AllUsers} but is restricted by an
 * {@code aws:SourceArn} condition (via {@code ConditionFactory.newSourceArnCondition})
 * to {@code topicArn}, so only this topic can send to the queue.
 */
private void setupQueueAndTopic() {
    // Queue and topic share one random suffix so they are easy to correlate.
    String sharedName = "glacier-archive-transfer-" + UUID.randomUUID();
    queueUrl = sqs.createQueue(new CreateQueueRequest(sharedName)).getQueueUrl();
    topicArn = sns.createTopic(new CreateTopicRequest(sharedName)).getTopicArn();

    GetQueueAttributesRequest arnLookup =
            new GetQueueAttributesRequest(queueUrl).withAttributeNames("QueueArn");
    String queueARN = sqs.getQueueAttributes(arnLookup).getAttributes().get("QueueArn");

    Statement topicMaySend = new Statement(Effect.Allow)
            .withPrincipals(Principal.AllUsers)
            .withActions(SQSActions.SendMessage)
            .withResources(new Resource(queueARN))
            // Narrows the anonymous principal to messages whose source is our topic.
            .withConditions(ConditionFactory.newSourceArnCondition(topicArn));
    String policyJson = new Policy().withStatements(topicMaySend).toJson();
    sqs.setQueueAttributes(new SetQueueAttributesRequest(queueUrl, newAttributes("Policy", policyJson)));

    sns.subscribe(new SubscribeRequest(topicArn, "sqs", queueARN));
}
Policy policy = extendPolicy && policyJson != null && policyJson.length() > 0 ? Policy.fromJson(policyJson) : new Policy(); policy.getStatements().add(new Statement(Effect.Allow) .withId("topic-subscription-" + snsTopicArn) .withPrincipals(Principal.AllUsers)
: Effect.Deny ; Statement statement = new Statement(effect);
Statement statement = new Statement(null);
/**
 * Verifies that a policy assigns unique statement ids to statements added without one:
 * two statements carry explicit ids ("0" and "1") while the third has none, and
 * {@code assertValidStatementIds} checks the resulting id set.
 */
@Test
public void testStatementIdAssignment() throws Exception {
    Statement allowOne = new Statement(Effect.Allow)
            .withId("0")
            .withPrincipals(Principal.AllUsers)
            .withActions(new TestAction("action1"));
    Statement allowTwo = new Statement(Effect.Allow)
            .withId("1")
            .withPrincipals(Principal.AllUsers)
            .withActions(new TestAction("action1"));
    // Deliberately left without an id so the policy has to assign one.
    Statement denyWithoutId = new Statement(Effect.Deny)
            .withPrincipals(Principal.AllUsers)
            .withActions(new TestAction("action2"));

    Policy policy = new Policy("S3PolicyId1").withStatements(allowOne, allowTwo, denyWithoutId);
    assertValidStatementIds(policy);
}
/**
 * Round-trips a policy through JSON whose single statement has two conditions with the
 * same type and key ({@code StringNotLike} on {@code key1}) and checks that after parsing
 * they appear as one condition carrying both values, in the original order.
 */
@Test
public void testMultipleConditionKeysForConditionType() throws Exception {
    Statement original = new Statement(Effect.Allow)
            .withResources(new Resource("arn:aws:sqs:us-east-1:987654321000:MyQueue"))
            .withPrincipals(Principal.AllUsers)
            .withActions(new TestAction("foo"))
            .withConditions(
                    new StringCondition(StringComparisonType.StringNotLike, "key1", "foo"),
                    new StringCondition(StringComparisonType.StringNotLike, "key1", "bar"));
    String json = new Policy().withStatements(original).toJson();

    Policy parsed = Policy.fromJson(json);
    assertEquals(1, parsed.getStatements().size());
    List<Statement> statements = new LinkedList<Statement>(parsed.getStatements());
    Statement roundTripped = statements.get(0);

    assertEquals(Effect.Allow, roundTripped.getEffect());
    assertEquals(1, roundTripped.getActions().size());
    assertEquals("foo", roundTripped.getActions().get(0).getActionName());

    // Both StringNotLike/key1 conditions collapse into a single condition with two values.
    assertEquals(1, roundTripped.getConditions().size());
    assertEquals("StringNotLike", roundTripped.getConditions().get(0).getType());
    assertEquals("key1", roundTripped.getConditions().get(0).getConditionKey());
    assertEquals(2, roundTripped.getConditions().get(0).getValues().size());
    assertEquals("foo", roundTripped.getConditions().get(0).getValues().get(0));
    assertEquals("bar", roundTripped.getConditions().get(0).getValues().get(1));
}
Policy policy = new Policy("S3PolicyId1"); policy.withStatements( new Statement(Effect.Allow) .withId("0") .withPrincipals(Principal.AllUsers) .withConditions( new IpAddressCondition("192.168.143.0/24")), new Statement(Effect.Deny) .withId("1") .withPrincipals(Principal.AllUsers) .withResources(new Resource("resource")) .withConditions(new IpAddressCondition("10.1.2.0/24")), new Statement(Effect.Allow) .withId("2") .withPrincipals(Principal.AllUsers)
@Test public void testPrincipals() throws IOException { Policy policy = new Policy(); policy.withStatements(new Statement(Effect.Allow) .withResources(new Resource("resource")) .withPrincipals(new Principal("accountId1"), new Principal("accountId2")) policy.withStatements(new Statement(Effect.Allow) .withResources(new Resource("resource")) .withPrincipals(new Principal(Services.AmazonEC2), policy.withStatements(new Statement(Effect.Allow).withResources(new Resource("resource")) .withPrincipals(Principal.All) .withActions(new TestAction("action"))); policy.withStatements(new Statement(Effect.Allow) .withResources(new Resource("resource")) .withPrincipals(Principal.AllUsers, Principal.AllServices,
new Statement(Effect.Allow) .withId("topic-subscription-" + snsTopicArn) .withPrincipals(Principal.AllUsers)
/**
 * Builds a topic policy that lets every listed AWS account publish to {@code topicARN}.
 *
 * Each account id becomes a principal of a single Allow statement for
 * {@code SNSActions.Publish}; no condition limits the statement beyond the principal list.
 *
 * @param topicARN the topic the statement applies to (its {@code arn} field is used)
 * @param allAccountIds AWS account ids allowed to publish
 * @return a policy with id {@code allow-remote-account-send}
 */
private static Policy buildSNSPolicy(ARN topicARN, List<String> allAccountIds) {
    List<Principal> remoteAccounts =
            allAccountIds.stream().map(Principal::new).collect(Collectors.toList());
    Statement allowPublish = new Statement(Statement.Effect.Allow)
            .withActions(SNSActions.Publish)
            .withResources(new Resource(topicARN.arn));
    allowPublish.setPrincipals(remoteAccounts);
    return new Policy("allow-remote-account-send").withStatements(allowPublish);
}
/**
 * Builds the topic policy authorizing the given AWS accounts to publish to
 * {@code topicARN}.
 *
 * The policy has one Allow statement for {@code SNSActions.Publish} whose principals are
 * exactly the supplied account ids; nothing else (no condition) constrains it.
 *
 * @param topicARN topic whose {@code arn} field is the statement's sole resource
 * @param allAccountIds account ids to grant publish access
 * @return a policy with id {@code allow-remote-account-send}
 */
private static Policy buildSNSPolicy(ARN topicARN, List<String> allAccountIds) {
    Statement publishFromAccounts = new Statement(Statement.Effect.Allow)
            .withActions(SNSActions.Publish)
            .withResources(new Resource(topicARN.arn));
    List<Principal> principals = allAccountIds.stream()
            .map(Principal::new)
            .collect(Collectors.toList());
    publishFromAccounts.setPrincipals(principals);
    Policy policy = new Policy("allow-remote-account-send");
    return policy.withStatements(publishFromAccounts);
}
/**
 * Returns, as JSON, the queue policy that authorizes the given AWS accounts to send
 * messages to this worker's queue ({@link #getQueueARN()}).
 *
 * A single Allow statement for {@code SQSActions.SendMessage} is created with one
 * principal per account id and the queue ARN as its only resource; there is no further
 * condition, so the list should contain only accounts that are meant to enqueue work.
 *
 * @param accountIds AWS account ids that become the statement's principals
 * @return the policy JSON produced by {@code Policy.toJson()}
 */
private String getPolicy(List<String> accountIds) {
    Statement sendFromAccounts = new Statement(Effect.Allow);
    sendFromAccounts.getActions().add(SQSActions.SendMessage);
    for (String accountId : accountIds) {
        sendFromAccounts.getPrincipals().add(new Principal(accountId));
    }
    // Start from an empty resource list and add only this worker's queue.
    sendFromAccounts.setResources(new LinkedList<>());
    sendFromAccounts.getResources().add(new Resource(getQueueARN()));

    Policy workerAccess = new Policy("AuthorizedWorkerAccessPolicy");
    workerAccess.getStatements().add(sendFromAccounts);
    return workerAccess.toJson();
}
/**
 * Builds a queue policy that lets SNS deliver into {@code queue}, but only for messages
 * whose {@code aws:SourceArn} equals {@code topic}. The wildcard {@code Principal.All}
 * is therefore narrowed to that single topic by the {@code ArnEquals} condition.
 *
 * @param queue queue whose {@code arn} field is the statement's resource
 * @param topic topic whose {@code arn} field is the only permitted source
 * @return a policy with id {@code allow-sns-topic-send}
 */
private static Policy buildSQSPolicy(ARN queue, ARN topic) {
    Condition onlyFromTopic = new Condition()
            .withType("ArnEquals")
            .withConditionKey("aws:SourceArn")
            .withValues(topic.arn);
    Statement allowSend = new Statement(Statement.Effect.Allow)
            .withActions(SQSActions.SendMessage)
            .withPrincipals(Principal.All)
            .withResources(new Resource(queue.arn))
            .withConditions(onlyFromTopic);
    return new Policy("allow-sns-topic-send").withStatements(allowSend);
}
/**
 * This policy allows messages to be sent from an SNS topic.
 *
 * The statement grants {@code SQSActions.SendMessage} on {@code queue} to
 * {@code Principal.All}, restricted by an {@code ArnEquals} condition on
 * {@code aws:SourceArn} to {@code topic}, so only that topic can deliver to the queue.
 *
 * @param queue queue whose ARN is the statement's resource
 * @param topic topic whose ARN is the only accepted message source
 * @return a policy with id {@code allow-sns-send}
 */
public static Policy buildSQSPolicy(ARN queue, ARN topic) {
    Condition sourceIsTopic = new Condition()
            .withType("ArnEquals")
            .withConditionKey("aws:SourceArn")
            .withValues(topic.getArn());
    Statement snsMaySend = new Statement(Statement.Effect.Allow)
            .withActions(SQSActions.SendMessage)
            .withPrincipals(Principal.All)
            .withResources(new Resource(queue.getArn()))
            .withConditions(sourceIsTopic);
    return new Policy("allow-sns-send").withStatements(snsMaySend);
}
}
/**
 * Creates the SQS queue named {@code sqsQueueName}, looks up its ARN, and attaches a
 * policy granting {@code sqs:SendMessage} to {@code Principal.AllUsers}.
 *
 * The statement carries no condition (no {@code aws:SourceArn} restriction), so the
 * queue accepts messages from any sender rather than from one specific SNS topic.
 * Deployments that expect a single producer should add a source-ARN condition to the
 * statement before applying it.
 *
 * @param sqsQueueName name of the queue to create
 * @return the created queue's URL and ARN
 */
private QueueConfig setupSQS(String sqsQueueName) {
    QueueConfig config = new QueueConfig();

    CreateQueueResult created =
            sqsClient.createQueue(new CreateQueueRequest().withQueueName(sqsQueueName));
    config.sqsQueueURL = created.getQueueUrl();

    GetQueueAttributesRequest arnLookup = new GetQueueAttributesRequest()
            .withQueueUrl(config.sqsQueueURL)
            .withAttributeNames("QueueArn");
    config.sqsQueueARN = sqsClient.getQueueAttributes(arnLookup).getAttributes().get("QueueArn");

    // Anonymous principal, unconditioned: anyone may send to this queue.
    Statement anyoneMaySend = new Statement(Effect.Allow)
            .withPrincipals(Principal.AllUsers)
            .withActions(SQSActions.SendMessage)
            .withResources(new Resource(config.sqsQueueARN));
    String policyJson = new Policy().withStatements(anyoneMaySend).toJson();

    Map<String, String> queueAttributes = new HashMap<String, String>();
    queueAttributes.put("Policy", policyJson);
    sqsClient.setQueueAttributes(new SetQueueAttributesRequest(config.sqsQueueURL, queueAttributes));
    return config;
}
/**
 * Provisions a randomly named SQS queue and SNS topic, grants the topic permission to
 * deliver into the queue, and subscribes the queue to the topic. Sets the
 * {@code queueUrl} and {@code topicArn} fields as a side effect.
 *
 * The queue policy's principal is {@code Principal.AllUsers}, but the statement is
 * conditioned on {@code aws:SourceArn} matching {@code topicArn}
 * ({@code ConditionFactory.newSourceArnCondition}), so only this topic can send.
 */
private void setupQueueAndTopic() {
    String randomSeed = UUID.randomUUID().toString();
    // Same base name for both resources; only the service differs.
    String resourceName = "glacier-archive-transfer-" + randomSeed;

    CreateQueueRequest createQueue = new CreateQueueRequest(resourceName);
    queueUrl = sqs.createQueue(createQueue).getQueueUrl();
    CreateTopicRequest createTopic = new CreateTopicRequest(resourceName);
    topicArn = sns.createTopic(createTopic).getTopicArn();

    String queueARN = sqs
            .getQueueAttributes(new GetQueueAttributesRequest(queueUrl).withAttributeNames("QueueArn"))
            .getAttributes()
            .get("QueueArn");

    Statement deliverFromTopic = new Statement(Effect.Allow)
            .withPrincipals(Principal.AllUsers)
            .withActions(SQSActions.SendMessage)
            .withResources(new Resource(queueARN))
            .withConditions(ConditionFactory.newSourceArnCondition(topicArn));
    Policy queuePolicy = new Policy().withStatements(deliverFromTopic);
    sqs.setQueueAttributes(
            new SetQueueAttributesRequest(queueUrl, newAttributes("Policy", queuePolicy.toJson())));

    sns.subscribe(new SubscribeRequest(topicArn, "sqs", queueARN));
}