Class: AWS::Core::Policy

Inherits:

Object

• Object
• AWS::Core::Policy

Defined in:

lib/aws/core/policy.rb

Overview

Represents an access policy for AWS operations and resources. For example:

policy = Policy.new do |policy|
  policy.allow(:actions => ['s3:PutObject'],
               :resources => "arn:aws:s3:::mybucket/mykey/*",
               :principals => :any
  ).where(:acl).is("public-read")
end

policy.to_json               # => '{ "Version":"2008-10-17", ...'

See Also:

• More ways to construct a policy.
• Example policies (in JSON).

Direct Known Subclasses

IAM::Policy, S3::Policy, SNS::Policy, SQS::Policy, STS::Policy

Defined Under Namespace

Classes: ConditionBlock, ConditionBuilder, OperatorBuilder, Statement

Instance Attribute Summary

• #id ⇒ String readonly

  A unique ID for the policy.

• #statements ⇒ Array readonly

  An array of policy statements.

• #version ⇒ String readonly

  The version of the policy language used in this policy object.

Class Method Summary

• .from_json(json) ⇒ Policy

  Constructs a policy from a JSON representation.

Instance Method Summary

• #==(other) ⇒ Boolean (also: #eql?)

  Returns true if the two policies are the same.

• #allow(opts = {}) ⇒ ConditionBuilder

  Convenience method for constructing a new statement with the “Allow” effect and adding it to the policy.

• #deny(opts = {}) ⇒ ConditionBuilder

  Convenience method for constructing a new statement with the “Deny” effect and adding it to the policy.

• #initialize(opts = {}) {|_self| ... } ⇒ Policy constructor

  Constructs a policy.

• #to_h ⇒ Hash

  Returns a hash representation of the policy.

• #to_json ⇒ String

  A JSON representation of the policy.

Constructor Details

#initialize(opts = {}) {|_self| ... } ⇒ Policy

Constructs a policy. There are a few different ways to build a policy:

• With hash arguments:

  Policy.new(:statements => [
    { :effect => :allow,
      :actions => :all,
      :principals => ["abc123"],
      :resources => "mybucket/mykey" 
    }
  ])
  

• From a JSON policy document:

  Policy.from_json(policy_json_string)
  

• With a block:

  Policy.new do |policy|
  
    policy.allow(
      :actions => ['s3:PutObject'],
      :resources => "arn:aws:s3:::mybucket/mykey/*",
      :principals => :any
    ).where(:acl).is("public-read")
  
  end
  

Yields:

• (_self)

Yield Parameters:

• _self (AWS::Core::Policy) —

  the object that the method was called on

# File 'lib/aws/core/policy.rb', line 78

def initialize(opts = {})
  @statements = opts.values_at(:statements, "Statement").select do |a|
    a.kind_of?(Array)
  end.flatten.map do |stmt|
    self.class::Statement.new(stmt)
  end
  
  if opts.has_key?(:id) or opts.has_key?("Id")
    @id = opts[:id] || opts["Id"]
  else
    @id = UUIDTools::UUID.timestamp_create.to_s.tr('-','')
  end
  if opts.has_key?(:version) or opts.has_key?("Version")
    @version = opts[:version] || opts["Version"]
  else
    @version = "2008-10-17"
  end
  
  yield(self) if block_given?
end

Instance Attribute Details

#id ⇒ String (readonly)

Returns A unique ID for the policy.

Returns:

• (String) —

  A unique ID for the policy.

# File 'lib/aws/core/policy.rb', line 45

def id
  @id
end

#statements ⇒ Array (readonly)

Returns An array of policy statements.

Returns:

• (Array) —

  An array of policy statements.

See Also:

• Statement

# File 'lib/aws/core/policy.rb', line 38

def statements
  @statements
end

#version ⇒ String (readonly)

Returns The version of the policy language used in this policy object.

Returns:

• (String) —

  The version of the policy language used in this policy object.

# File 'lib/aws/core/policy.rb', line 42

def version
  @version
end

Class Method Details

.from_json(json) ⇒ Policy

Constructs a policy from a JSON representation.

Returns:

• (Policy) —

  Returns a Policy object constructed by parsing the passed JSON policy.

See Also:

• #initialize

# File 'lib/aws/core/policy.rb', line 147

def self.from_json(json)
  new(JSON.parse(json))
end

Instance Method Details

#==(other) ⇒ Boolean Also known as: eql?

Returns true if the two policies are the same.

Returns:

• (Boolean) —

  Returns true if the two policies are the same.

# File 'lib/aws/core/policy.rb', line 100

def ==(other)
  if other.kind_of?(Core::Policy)
    self.hash_without_ids == other.hash_without_ids
  else
    false
  end
end

#allow(opts = {}) ⇒ ConditionBuilder

Convenience method for constructing a new statement with the “Allow” effect and adding it to the policy. For example:

policy.allow(:actions => [:put_object],
             :principals => :any,
             :resources => "mybucket/mykey/*").
  where(:acl).is("public-read")

Returns:

• (ConditionBuilder)

See Also:

• AWS::Core::Policy::Statement#initialize

# File 'lib/aws/core/policy.rb', line 220

def allow(opts = {})
  stmt = self.class::Statement.new(opts.merge(:effect => :allow))
  statements << stmt
  ConditionBuilder.new(stmt.conditions)
end

#deny(opts = {}) ⇒ ConditionBuilder

Convenience method for constructing a new statement with the “Deny” effect and adding it to the policy. For example:

policy.deny(
  :actions => [:put_object],
  :principals => :any,
  :resources => "mybucket/mykey/*"
).where(:acl).is("public-read")

Returns:

• (ConditionBuilder)

See Also:

• AWS::Core::Policy::Statement#initialize

# File 'lib/aws/core/policy.rb', line 238

def deny(opts = {})
  stmt = self.class::Statement.new(opts.merge(:effect => :deny))
  statements << stmt
  ConditionBuilder.new(stmt.conditions)
end

#to_h ⇒ Hash

Returns a hash representation of the policy. The following statements are equivalent:

policy.to_h.to_json
policy.to_json

Returns:

• (Hash)

# File 'lib/aws/core/policy.rb', line 130

def to_h
  { 
    "Version" => version,
    "Id" => id,
    "Statement" => statements.map { |st| st.to_h } 
  }
end

#to_json ⇒ String

Returns a JSON representation of the policy.

Returns:

• (String) —

  a JSON representation of the policy.

# File 'lib/aws/core/policy.rb', line 139

def to_json
  to_h.to_json
end