/*
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License").
* You may not use this file except in compliance with the License.
* A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
using System;
using System.Collections.Generic;
using System.Text;
using Amazon.Util;
using System.Globalization;
namespace Amazon.Auth.AccessControlPolicy
{
///
/// A factory for creating conditions to be used in the policy.
///
public static partial class ConditionFactory
{
#region Common Keys
///
/// Condition key for the current time.
///
/// This condition key should only be used with enum.
///
///
public const string CURRENT_TIME_CONDITION_KEY = "aws:CurrentTime";
///
/// Condition key for whether or not an incoming request is using a secure
/// transport to make the request (i.e. HTTPS instead of HTTP).
///
/// This condition key should only be used with the boolean overload of NewCondition.
///
///
public const string SECURE_TRANSPORT_CONDITION_KEY = "aws:SecureTransport";
///
/// Condition key for the source IP from which a request originates.
///
/// This condition key should only be used with enum.
///
///
public const string SOURCE_IP_CONDITION_KEY = "aws:SourceIp";
///
/// Condition key for the user agent included in a request.
///
/// This condition key should only be used with
/// enum.
///
///
public const string USER_AGENT_CONDITION_KEY = "aws:UserAgent";
///
/// Condition key for the current time, in epoch seconds.
///
/// This condition key should only be used with enum.
/// objects.
///
///
public const string EPOCH_TIME_CONDITION_KEY = "aws:EpochTime";
///
/// Condition key for the referrer specified by a request.
///
/// This condition key should only be used with
/// objects.
///
///
public const string REFERRER_CONDITION_KEY = "aws:Referer";
///
/// Condition key for the Amazon Resource Name (ARN) of the source specified
/// in a request. The source ARN indicates which resource is affecting the
/// resource listed in your policy. For example, an SNS topic is the source
/// ARN when publishing messages from the topic to an SQS queue.
///
/// This condition key should only be used with enum.
///
///
public const string SOURCE_ARN_CONDITION_KEY = "aws:SourceArn";
///
/// Condition key for the account id of the source specified
/// in a request.
///
public const string SOURCE_ACCOUNT_KEY = "aws:SourceAccount";
#endregion
#region ArnComparisonType
///
/// Enumeration of the supported ways an ARN comparison can be evaluated.
///
public enum ArnComparisonType
{
/// Exact matching
ArnEquals,
///
/// Loose case-insensitive matching of the ARN. Each of the six
/// colon-delimited components of the ARN is checked separately and each
/// can include a multi-character match wildcard (*) or a
/// single-character match wildcard (?).
///
ArnLike,
/// Negated form of ArnEquals
ArnNotEquals,
/// Negated form of ArnLike
ArnNotLike
};
#endregion
#region DateComparisonType
///
/// Enumeration of the supported ways a date comparison can be evaluated.
///
public enum DateComparisonType
{
DateEquals,
DateGreaterThan,
DateGreaterThanEquals,
DateLessThan,
DateLessThanEquals,
DateNotEquals
};
#endregion
#region IpAddressComparisonType
///
/// Enumeration of the supported ways an IP address comparison can be evaluated.
///
public enum IpAddressComparisonType
{
///
/// Matches an IP address against a CIDR IP range, evaluating to true if
/// the IP address being tested is in the condition's specified CIDR IP
/// range.
///
IpAddress,
///
/// Negated form of IpAddress
///
NotIpAddress
}
#endregion
#region NumericComparisonType
///
/// Enumeration of the supported ways a numeric comparison can be evaluated
///
public enum NumericComparisonType
{
NumericEquals,
NumericGreaterThan,
NumericGreaterThanEquals,
NumericLessThan,
NumericLessThanEquals,
NumericNotEquals
};
#endregion
#region StringComparisonType
///
/// Enumeration of the supported ways a string comparison can be evaluated.
///
public enum StringComparisonType
{
///
/// Case-sensitive exact string matching
///
StringEquals,
///
/// Case-insensitive string matching
///
StringEqualsIgnoreCase,
///
/// Loose case-insensitive matching. The values can include a
/// multi-character match wildcard (*) or a single-character match
/// wildcard (?) anywhere in the string.
///
StringLike,
///
/// Negated form of StringEquals.
///
StringNotEquals,
///
/// Negated form of StringEqualsIgnorecase.
///
StringNotEqualsIgnoreCase,
///
/// Negated form of StringLike.
///
StringNotLike
}
#endregion
///
/// Constructs a new access control policy condition that compares ARNs (Amazon Resource Names).
///
/// The access policy condition key specifying where to get the first ARN for the comparison
/// The type of comparison to perform.
/// The second ARN to compare against. When using ArnLike or ArnNotLike this may contain the
/// multi-character wildcard (*) or the single-character wildcard
public static Condition NewCondition(ArnComparisonType type, string key, string value)
{
return new Condition(type.ToString(), key, value);
}
///
/// Constructs a new access policy condition that performs a boolean
/// comparison.
///
/// The access policy condition key specifying where to get the
/// first boolean value for the comparison (ex: aws:SecureTransport).
/// The boolean to compare against.
public static Condition NewCondition(string key, bool value)
{
return new Condition("Bool", key, value.ToString().ToLowerInvariant());
}
///
/// This method is deprecated. Invoking this method results in non-UTC DateTimes
/// not being marshalled correctly. Use NewConditionUtc instead.
/// Constructs a new access policy condition that compares the current time
/// (on the AWS servers) to the specified date.
///
/// The type of comparison to perform. For example,
/// DateComparisonType.DateLessThan will cause this policy
/// condition to evaluate to true if the current date is less than
/// the date specified in the second argument.
/// The date to compare against.
[Obsolete("Invoking this method results in non-UTC DateTimes not being marshalled correctly. Use NewConditionUtc instead.", false)]
public static Condition NewCondition(DateComparisonType type, DateTime date)
{
return new Condition(type.ToString(), CURRENT_TIME_CONDITION_KEY, date.ToString(AWSSDKUtils.ISO8601DateFormat, CultureInfo.InvariantCulture));
}
///
/// Constructs a new access policy condition that compares the current time
/// (on the AWS servers) to the specified date.
///
/// The type of comparison to perform. For example,
/// DateComparisonType.DateLessThan will cause this policy
/// condition to evaluate to true if the current date is less than
/// the date specified in the second argument.
/// The date to compare against.
public static Condition NewConditionUtc(DateComparisonType type, DateTime date)
{
return new Condition(type.ToString(), CURRENT_TIME_CONDITION_KEY, date.ToUniversalTime().ToString(AWSSDKUtils.ISO8601DateFormat, CultureInfo.InvariantCulture));
}
///
/// Constructs a new access policy condition that compares the source IP
/// address of the incoming request to an AWS service against the specified
/// CIDR range. The condition evaluates to true (meaning the policy statement
/// containing it will be applied) if the incoming source IP address is
/// within that range.
///
/// To achieve the opposite effect (i.e. cause the condition to evaluate to
/// true when the incoming source IP is not in the specified CIDR
/// range) use the alternate constructor form and specify
/// IpAddressComparisonType.NotIpAddress.
///
///
/// The CIDR IP range involved in the policy condition.
public static Condition NewIpAddressCondition(string ipAddressRange)
{
return NewCondition(IpAddressComparisonType.IpAddress, ipAddressRange);
}
///
/// Constructs a new access policy condition that compares the source IP
/// address of the incoming request to an AWS service against the specified
/// CIDR range. When the condition evaluates to true (i.e. when the incoming
/// source IP address is within the CIDR range or not) depends on the
/// specified IpAddressComparisonType.
///
/// The type of comparison to to perform.
/// The CIDR IP range involved in the policy condition.
public static Condition NewCondition(IpAddressComparisonType type, string ipAddressRange)
{
return new Condition(type.ToString(), SOURCE_IP_CONDITION_KEY, ipAddressRange);
}
///
/// Constructs a new access policy condition that compares two numbers.
///
/// The type of comparison to perform.
/// The access policy condition key specifying where to get the
/// first number for the comparison.
/// The second number to compare against.
public static Condition NewCondition(NumericComparisonType type, string key, string value)
{
return new Condition(type.ToString(), key, value);
}
///
/// Constructs a new access control policy condition that compares two
/// strings.
///
/// The type of comparison to perform
/// The access policy condition key specifying where to get the
/// first string for the comparison (ex: aws:UserAgent).
///
/// The second string to compare against. When using
/// StringComparisonType.StringLike or
/// StringComparisonType.StringNotLike this may contain
/// the multi-character wildcard (*) or the single-character
/// wildcard (?).
///
public static Condition NewCondition(StringComparisonType type, string key, string value)
{
return new Condition(type.ToString(), key, value);
}
///
/// Constructs a new access policy condition that compares the Amazon
/// Resource Name (ARN) of the source of an AWS resource that is modifying
/// another AWS resource with the specified pattern.
///
/// For example, the source ARN could be an Amazon SNS topic ARN that is
/// sending messages to an Amazon SQS queue. In that case, the SNS topic ARN
/// would be compared the ARN pattern specified here.
///
///
/// The endpoint pattern may optionally contain the multi-character wildcard
///* (*) or the single-character wildcard (?). Each of the six colon-delimited
/// components of the ARN is checked separately and each can include a
/// wildcard.
///
///
/// Policy policy = new Policy("MyQueuePolicy");
/// policy.WithStatements(new Statement(Statement.StatementEffect.Allow)
/// .WithPrincipals(new Principal("*")).WithActionIdentifiers(SQSActionIdentifiers.SendMessage)
/// .WithResources(new Resource(myQueueArn))
/// .WithConditions(ConditionFactory.NewSourceArnCondition(myTopicArn)));
///
///
/// The ARN pattern against which the source ARN will be compared.
/// Each of the six colon-delimited components of the ARN is
/// checked separately and each can include a wildcard.
/// A new access control policy condition that compares the ARN of
/// the source specified in an incoming request with the ARN pattern
/// specified here.
public static Condition NewSourceArnCondition(string arnPattern)
{
return NewCondition(ArnComparisonType.ArnLike, SOURCE_ARN_CONDITION_KEY, arnPattern);
}
///
/// Constructs a new access control policy condition that tests if the
/// incoming request was sent over a secure transport (HTTPS).
///
/// A new access control policy condition that tests if the incoming
/// request was sent over a secure transport (HTTPS).
public static Condition NewSecureTransportCondition()
{
return NewCondition(SECURE_TRANSPORT_CONDITION_KEY, true);
}
}
}