/* * Copyright 2018-2023 Amazon.com, Inc. or its affiliates. All Rights Reserved. * * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with * the License. A copy of the License is located at * * http://aws.amazon.com/apache2.0 * * or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR * CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions * and limitations under the License. */ package com.amazonaws.services.kms.model; import java.io.Serializable; import javax.annotation.Generated; import com.amazonaws.protocol.StructuredPojo; import com.amazonaws.protocol.ProtocolMarshaller; /** *

* Use this structure to allow cryptographic * operations in the grant only when the operation request includes the specified encryption context. *

* KMS applies the grant constraints only to cryptographic operations that support an encryption context, that is, all * cryptographic operations with a symmetric KMS * key. Grant constraints are not applied to operations that do not support an encryption context, such as * cryptographic operations with asymmetric KMS keys and management operations, such as DescribeKey or * RetireGrant. *

* *

* In a cryptographic operation, the encryption context in the decryption operation must be an exact, case-sensitive * match for the keys and values in the encryption context of the encryption operation. Only the order of the pairs can * vary. *

* However, in a grant constraint, the key in each key-value pair is not case sensitive, but the value is case * sensitive. *

* To avoid confusion, do not use multiple encryption context pairs that differ only by case. To require a fully * case-sensitive encryption context, use the kms:EncryptionContext: and * kms:EncryptionContextKeys conditions in an IAM or key policy. For details, see kms:EncryptionContext: in the Key Management Service Developer Guide . *

* * * @see AWS API * Documentation */ @Generated("com.amazonaws:aws-java-sdk-code-generator") public class GrantConstraints implements Serializable, Cloneable, StructuredPojo { /** *

* A list of key-value pairs that must be included in the encryption context of the cryptographic * operation request. The grant allows the cryptographic operation only when the encryption context in the * request includes the key-value pairs specified in this constraint, although it can include additional key-value * pairs. *

*/ private com.amazonaws.internal.SdkInternalMap encryptionContextSubset; /** *

* A list of key-value pairs that must match the encryption context in the cryptographic * operation request. The grant allows the operation only when the encryption context in the request is the same * as the encryption context specified in this constraint. *

*/ private com.amazonaws.internal.SdkInternalMap encryptionContextEquals; /** *

* * @return A list of key-value pairs that must be included in the encryption context of the cryptographic operation request. The grant allows the cryptographic operation only when the * encryption context in the request includes the key-value pairs specified in this constraint, although it * can include additional key-value pairs. */ public java.util.Map getEncryptionContextSubset() { if (encryptionContextSubset == null) { encryptionContextSubset = new com.amazonaws.internal.SdkInternalMap(); } return encryptionContextSubset; } /** *

* * @param encryptionContextSubset * A list of key-value pairs that must be included in the encryption context of the cryptographic operation request. The grant allows the cryptographic operation only when the * encryption context in the request includes the key-value pairs specified in this constraint, although it * can include additional key-value pairs. * @return Returns a reference to this object so that method calls can be chained together. */ public GrantConstraints withEncryptionContextSubset(java.util.Map encryptionContextSubset) { setEncryptionContextSubset(encryptionContextSubset); return this; } /** * Add a single EncryptionContextSubset entry * * @see GrantConstraints#withEncryptionContextSubset * @returns a reference to this object so that method calls can be chained together. */ public GrantConstraints addEncryptionContextSubsetEntry(String key, String value) { if (null == this.encryptionContextSubset) { this.encryptionContextSubset = new com.amazonaws.internal.SdkInternalMap(); } if (this.encryptionContextSubset.containsKey(key)) throw new IllegalArgumentException("Duplicated keys (" + key.toString() + ") are provided."); this.encryptionContextSubset.put(key, value); return this; } /** * Removes all the entries added into EncryptionContextSubset. * * @return Returns a reference to this object so that method calls can be chained together. */ public GrantConstraints clearEncryptionContextSubsetEntries() { this.encryptionContextSubset = null; return this; } /** *

* * @return A list of key-value pairs that must match the encryption context in the cryptographic operation request. The grant allows the operation only when the encryption context in * the request is the same as the encryption context specified in this constraint. */ public java.util.Map getEncryptionContextEquals() { if (encryptionContextEquals == null) { encryptionContextEquals = new com.amazonaws.internal.SdkInternalMap(); } return encryptionContextEquals; } /** *

* * @param encryptionContextEquals * A list of key-value pairs that must match the encryption context in the cryptographic operation request. The grant allows the operation only when the encryption context in * the request is the same as the encryption context specified in this constraint. * @return Returns a reference to this object so that method calls can be chained together. */ public GrantConstraints withEncryptionContextEquals(java.util.Map encryptionContextEquals) { setEncryptionContextEquals(encryptionContextEquals); return this; } /** * Add a single EncryptionContextEquals entry * * @see GrantConstraints#withEncryptionContextEquals * @returns a reference to this object so that method calls can be chained together. */ public GrantConstraints addEncryptionContextEqualsEntry(String key, String value) { if (null == this.encryptionContextEquals) { this.encryptionContextEquals = new com.amazonaws.internal.SdkInternalMap(); } if (this.encryptionContextEquals.containsKey(key)) throw new IllegalArgumentException("Duplicated keys (" + key.toString() + ") are provided."); this.encryptionContextEquals.put(key, value); return this; } /** * Removes all the entries added into EncryptionContextEquals. * * @return Returns a reference to this object so that method calls can be chained together. */ public GrantConstraints clearEncryptionContextEqualsEntries() { this.encryptionContextEquals = null; return this; } /** * Returns a string representation of this object. This is useful for testing and debugging. Sensitive data will be * redacted from this string using a placeholder value. * * @return A string representation of this object. * * @see java.lang.Object#toString() */ @Override public String toString() { StringBuilder sb = new StringBuilder(); sb.append("{"); if (getEncryptionContextSubset() != null) sb.append("EncryptionContextSubset: ").append(getEncryptionContextSubset()).append(","); if (getEncryptionContextEquals() != null) sb.append("EncryptionContextEquals: ").append(getEncryptionContextEquals()); sb.append("}"); return sb.toString(); } @Override public boolean equals(Object obj) { if (this == obj) return true; if (obj == null) return false; if (obj instanceof GrantConstraints == false) return false; GrantConstraints other = (GrantConstraints) obj; if (other.getEncryptionContextSubset() == null ^ this.getEncryptionContextSubset() == null) return false; if (other.getEncryptionContextSubset() != null && other.getEncryptionContextSubset().equals(this.getEncryptionContextSubset()) == false) return false; if (other.getEncryptionContextEquals() == null ^ this.getEncryptionContextEquals() == null) return false; if (other.getEncryptionContextEquals() != null && other.getEncryptionContextEquals().equals(this.getEncryptionContextEquals()) == false) return false; return true; } @Override public int hashCode() { final int prime = 31; int hashCode = 1; hashCode = prime * hashCode + ((getEncryptionContextSubset() == null) ? 0 : getEncryptionContextSubset().hashCode()); hashCode = prime * hashCode + ((getEncryptionContextEquals() == null) ? 0 : getEncryptionContextEquals().hashCode()); return hashCode; } @Override public GrantConstraints clone() { try { return (GrantConstraints) super.clone(); } catch (CloneNotSupportedException e) { throw new IllegalStateException("Got a CloneNotSupportedException from Object.clone() " + "even though we're Cloneable!", e); } } @com.amazonaws.annotation.SdkInternalApi @Override public void marshall(ProtocolMarshaller protocolMarshaller) { com.amazonaws.services.kms.model.transform.GrantConstraintsMarshaller.getInstance().marshall(this, protocolMarshaller); } }