/* * Copyright 2010-2013 Amazon.com, Inc. or its affiliates. All Rights Reserved. * * Licensed under the Apache License, Version 2.0 (the "License"). * You may not use this file except in compliance with the License. * A copy of the License is located at * * http://aws.amazon.com/apache2.0 * * or in the "license" file accompanying this file. This file is distributed * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either * express or implied. See the License for the specific language governing * permissions and limitations under the License. */ using System; using System.Collections.Generic; using System.Text; using Amazon.Util; using System.Globalization; namespace Amazon.Auth.AccessControlPolicy { /// <summary> /// A factory for creating conditions to be used in the policy. /// </summary> public static partial class ConditionFactory { #region Common Keys /// <summary> /// Condition key for the current time. /// <para> /// This condition key should only be used with <see cref="Amazon.Auth.AccessControlPolicy.ConditionFactory.DateComparisonType"/> enum. /// </para> /// </summary> public const string CURRENT_TIME_CONDITION_KEY = "aws:CurrentTime"; /// <summary> /// Condition key for whether or not an incoming request is using a secure /// transport to make the request (i.e. HTTPS instead of HTTP). /// <para> /// This condition key should only be used with the boolean overload of NewCondition. /// </para> /// </summary> public const string SECURE_TRANSPORT_CONDITION_KEY = "aws:SecureTransport"; /// <summary> /// Condition key for the source IP from which a request originates. /// <para> /// This condition key should only be used with <see cref="Amazon.Auth.AccessControlPolicy.ConditionFactory.IpAddressComparisonType"/> enum. /// </para> /// </summary> public const string SOURCE_IP_CONDITION_KEY = "aws:SourceIp"; /// <summary> /// Condition key for the user agent included in a request. /// <para> /// This condition key should only be used with <see cref="Amazon.Auth.AccessControlPolicy.ConditionFactory.StringComparisonType"/> /// enum. /// </para> /// </summary> public const string USER_AGENT_CONDITION_KEY = "aws:UserAgent"; /// <summary> /// Condition key for the current time, in epoch seconds. /// <para> /// This condition key should only be used with <see cref="Amazon.Auth.AccessControlPolicy.ConditionFactory.NumericComparisonType"/> enum. /// objects. /// </para> /// </summary> public const string EPOCH_TIME_CONDITION_KEY = "aws:EpochTime"; /// <summary> /// Condition key for the referrer specified by a request. /// <para> /// This condition key should only be used with <see cref="Amazon.Auth.AccessControlPolicy.ConditionFactory.StringComparisonType"/> /// objects. /// </para> /// </summary> public const string REFERRER_CONDITION_KEY = "aws:Referer"; /// <summary> /// Condition key for the Amazon Resource Name (ARN) of the source specified /// in a request. The source ARN indicates which resource is affecting the /// resource listed in your policy. For example, an SNS topic is the source /// ARN when publishing messages from the topic to an SQS queue. /// <para> /// This condition key should only be used with <see cref="Amazon.Auth.AccessControlPolicy.ConditionFactory.ArnComparisonType"/> enum. /// </para> /// </summary> public const string SOURCE_ARN_CONDITION_KEY = "aws:SourceArn"; #endregion #region ArnComparisonType /// <summary> /// Enumeration of the supported ways an ARN comparison can be evaluated. /// </summary> public enum ArnComparisonType { /// <summary>Exact matching</summary> ArnEquals, /// <summary> /// Loose case-insensitive matching of the ARN. Each of the six /// colon-delimited components of the ARN is checked separately and each /// can include a multi-character match wildcard (*) or a /// single-character match wildcard (?). /// </summary> ArnLike, /// <summary>Negated form of ArnEquals</summary> ArnNotEquals, /// <summary>Negated form of ArnLike</summary> ArnNotLike }; #endregion #region DateComparisonType /// <summary> /// Enumeration of the supported ways a date comparison can be evaluated. /// </summary> public enum DateComparisonType { DateEquals, DateGreaterThan, DateGreaterThanEquals, DateLessThan, DateLessThanEquals, DateNotEquals }; #endregion #region IpAddressComparisonType /// <summary> /// Enumeration of the supported ways an IP address comparison can be evaluated. /// </summary> public enum IpAddressComparisonType { /// <summary> /// Matches an IP address against a CIDR IP range, evaluating to true if /// the IP address being tested is in the condition's specified CIDR IP /// range. /// </summary> IpAddress, /// <summary> /// Negated form of IpAddress /// </summary> NotIpAddress } #endregion #region NumericComparisonType /// <summary> /// Enumeration of the supported ways a numeric comparison can be evaluated /// </summary> public enum NumericComparisonType { NumericEquals, NumericGreaterThan, NumericGreaterThanEquals, NumericLessThan, NumericLessThanEquals, NumericNotEquals }; #endregion #region StringComparisonType /// <summary> /// Enumeration of the supported ways a string comparison can be evaluated. /// </summary> public enum StringComparisonType { /// <summary> /// Case-sensitive exact string matching /// </summary> StringEquals, /// <summary> /// Case-insensitive string matching /// </summary> StringEqualsIgnoreCase, /// <summary> /// Loose case-insensitive matching. The values can include a /// multi-character match wildcard (*) or a single-character match /// wildcard (?) anywhere in the string. /// </summary> StringLike, /// <summary> /// Negated form of StringEquals. /// </summary> StringNotEquals, /// <summary> /// Negated form of StringEqualsIgnorecase. /// </summary> StringNotEqualsIgnoreCase, /// <summary> /// Negated form of StringLike. /// </summary> StringNotLike } #endregion /// <summary> /// Constructs a new access control policy condition that compares ARNs (Amazon Resource Names). /// </summary> /// <param name="key"> The access policy condition key specifying where to get the first ARN for the comparison</param> /// <param name="type">The type of comparison to perform.</param> /// <param name="value">The second ARN to compare against. When using ArnLike or ArnNotLike this may contain the /// multi-character wildcard (*) or the single-character wildcard</param> public static Condition NewCondition(ArnComparisonType type, string key, string value) { return new Condition(type.ToString(), key, value); } /// <summary> /// Constructs a new access policy condition that performs a boolean /// comparison. /// </summary> /// <param name="key">The access policy condition key specifying where to get the /// first boolean value for the comparison (ex: aws:SecureTransport).</param> /// <param name="value">The boolean to compare against.</param> public static Condition NewCondition(string key, bool value) { return new Condition("Bool", key, value.ToString().ToLowerInvariant()); } /// <summary> /// This method is deprecated. Invoking this method results in non-UTC DateTimes /// not being marshalled correctly. Use NewConditionUtc instead. /// Constructs a new access policy condition that compares the current time /// (on the AWS servers) to the specified date. /// </summary> /// <param name="type">The type of comparison to perform. For example, /// DateComparisonType.DateLessThan will cause this policy /// condition to evaluate to true if the current date is less than /// the date specified in the second argument.</param> /// <param name="date">The date to compare against.</param> [Obsolete("Invoking this method results in non-UTC DateTimes not being marshalled correctly. Use NewConditionUtc instead.", false)] public static Condition NewCondition(DateComparisonType type, DateTime date) { return new Condition(type.ToString(), CURRENT_TIME_CONDITION_KEY, date.ToString(AWSSDKUtils.ISO8601DateFormat, CultureInfo.InvariantCulture)); } /// <summary> /// Constructs a new access policy condition that compares the current time /// (on the AWS servers) to the specified date. /// </summary> /// <param name="type">The type of comparison to perform. For example, /// DateComparisonType.DateLessThan will cause this policy /// condition to evaluate to true if the current date is less than /// the date specified in the second argument.</param> /// <param name="date">The date to compare against.</param> public static Condition NewConditionUtc(DateComparisonType type, DateTime date) { return new Condition(type.ToString(), CURRENT_TIME_CONDITION_KEY, date.ToUniversalTime().ToString(AWSSDKUtils.ISO8601DateFormat, CultureInfo.InvariantCulture)); } /// <summary> /// Constructs a new access policy condition that compares the source IP /// address of the incoming request to an AWS service against the specified /// CIDR range. The condition evaluates to true (meaning the policy statement /// containing it will be applied) if the incoming source IP address is /// within that range. /// <para> /// To achieve the opposite effect (i.e. cause the condition to evaluate to /// true when the incoming source IP is <b>not</b> in the specified CIDR /// range) use the alternate constructor form and specify /// IpAddressComparisonType.NotIpAddress. /// </para> /// </summary> /// <param name="ipAddressRange">The CIDR IP range involved in the policy condition.</param> public static Condition NewIpAddressCondition(string ipAddressRange) { return NewCondition(IpAddressComparisonType.IpAddress, ipAddressRange); } /// <summary> /// Constructs a new access policy condition that compares the source IP /// address of the incoming request to an AWS service against the specified /// CIDR range. When the condition evaluates to true (i.e. when the incoming /// source IP address is within the CIDR range or not) depends on the /// specified IpAddressComparisonType. /// </summary> /// <param name="type">The type of comparison to to perform.</param> /// <param name="ipAddressRange">The CIDR IP range involved in the policy condition.</param> public static Condition NewCondition(IpAddressComparisonType type, string ipAddressRange) { return new Condition(type.ToString(), SOURCE_IP_CONDITION_KEY, ipAddressRange); } /// <summary> /// Constructs a new access policy condition that compares two numbers. /// </summary> /// <param name="type">The type of comparison to perform.</param> /// <param name="key">The access policy condition key specifying where to get the /// first number for the comparison.</param> /// <param name="value">The second number to compare against.</param> public static Condition NewCondition(NumericComparisonType type, string key, string value) { return new Condition(type.ToString(), key, value); } /// <summary> /// Constructs a new access control policy condition that compares two /// strings. /// </summary> /// <param name="type">The type of comparison to perform</param> /// <param name="key">The access policy condition key specifying where to get the /// first string for the comparison (ex: aws:UserAgent). /// </param> /// <param name="value">The second string to compare against. When using /// StringComparisonType.StringLike or /// StringComparisonType.StringNotLike this may contain /// the multi-character wildcard (*) or the single-character /// wildcard (?). /// </param> public static Condition NewCondition(StringComparisonType type, string key, string value) { return new Condition(type.ToString(), key, value); } /// <summary> /// Constructs a new access policy condition that compares the Amazon /// Resource Name (ARN) of the source of an AWS resource that is modifying /// another AWS resource with the specified pattern. /// <para> /// For example, the source ARN could be an Amazon SNS topic ARN that is /// sending messages to an Amazon SQS queue. In that case, the SNS topic ARN /// would be compared the ARN pattern specified here. /// </para> /// <para> /// The endpoint pattern may optionally contain the multi-character wildcard ///* (*) or the single-character wildcard (?). Each of the six colon-delimited /// components of the ARN is checked separately and each can include a /// wildcard. /// </para> /// <code> /// Policy policy = new Policy("MyQueuePolicy"); /// policy.WithStatements(new Statement(Statement.StatementEffect.Allow) /// .WithPrincipals(new Principal("*")).WithActionIdentifiers(SQSActionIdentifiers.SendMessage) /// .WithResources(new Resource(myQueueArn)) /// .WithConditions(ConditionFactory.NewSourceArnCondition(myTopicArn))); /// </code> /// </summary> /// <param name="arnPattern">The ARN pattern against which the source ARN will be compared. /// Each of the six colon-delimited components of the ARN is /// checked separately and each can include a wildcard.</param> /// <returns>A new access control policy condition that compares the ARN of /// the source specified in an incoming request with the ARN pattern /// specified here.</returns> public static Condition NewSourceArnCondition(string arnPattern) { return NewCondition(ArnComparisonType.ArnLike, SOURCE_ARN_CONDITION_KEY, arnPattern); } /// <summary> /// Constructs a new access control policy condition that tests if the /// incoming request was sent over a secure transport (HTTPS). /// </summary> /// <returns>A new access control policy condition that tests if the incoming /// request was sent over a secure transport (HTTPS).</returns> public static Condition NewSecureTransportCondition() { return NewCondition(SECURE_TRANSPORT_CONDITION_KEY, true); } } }