List of usage examples for com.amazonaws.auth.policy.actions S3Actions GetObject
S3Actions GetObject
From source file:aws.example.s3.SetBucketPolicy.java
License:Open Source License
/**
 * Builds a bucket policy that lets anyone — the anonymous principal {@code Principal.AllUsers} —
 * call {@code s3:GetObject} on every key in the bucket.
 *
 * @param bucket_name bucket to expose; it is interpolated into the resource ARN exactly as given
 * @return the policy serialised as JSON, ready to hand to {@code setBucketPolicy}
 */
public static String getPublicReadPolicy(String bucket_name) {
    String everyObjectInBucket = "arn:aws:s3:::" + bucket_name + "/*";
    // One Allow statement: anonymous principal, read-only action, bucket-wide wildcard resource.
    Statement anonymousRead = new Statement(Statement.Effect.Allow)
            .withPrincipals(Principal.AllUsers)
            .withActions(S3Actions.GetObject)
            .withResources(new Resource(everyObjectInBucket));
    return new Policy().withStatements(anonymousRead).toJson();
}
From source file:n3phele.storage.s3.CloudStorageImpl.java
License:Open Source License
/**
 * Makes a single object in the repository's bucket anonymously readable, or revokes that grant.
 *
 * The bucket policy is fetched, every resource under the "n3phele" statement that refers to this
 * object is dropped, and — when {@code isPublic} — a fresh wildcard resource for it is added back.
 * The rewritten policy is stored, or deleted when no statements remain.
 *
 * @param repo     repository whose root is the bucket name and whose credential signs the calls
 * @param filename object key (relative to the bucket) to publish or unpublish
 * @param isPublic true to grant anonymous GetObject, false to revoke it
 * @return true when the policy was processed, false when an AWS or parse error was logged
 */
public boolean setPermissions(Repository repo, String filename, boolean isPublic) {
    String bucket = repo.getRoot();
    // Credential is stored encrypted and only decrypted for the lifetime of this call.
    Credential credential = repo.getCredential().decrypt();
    AmazonS3Client s3 = new AmazonS3Client(
            new BasicAWSCredentials(credential.getAccount(), credential.getSecret()));
    // Canonical resource id of the object itself; used below to recognise resources that cover it.
    String key = new S3ObjectResource(bucket, filename).getId();
    boolean inserted = false;
    s3.setEndpoint(repo.getTarget().toString());
    try {
        List<Statement> statements = new ArrayList<Statement>();
        Policy policy = null;
        BucketPolicy bp = s3.getBucketPolicy(repo.getRoot());
        if (bp != null && bp.getPolicyText() != null) {
            log.info("Policy text " + bp.getPolicyText());
            policy = PolicyHelper.parse(bp.getPolicyText());
            log.info("Policy object is " + (policy == null ? null : policy.toJson()));
            if (policy != null) {
                if (policy.getStatements() != null) {
                    for (Statement statement : policy.getStatements()) {
                        // NOTE(review): a statement without a Sid would make getId() return null here;
                        // the resulting NullPointerException is not one of the exceptions caught below — confirm.
                        if (statement.getId().equals("n3phele")) {
                            List<com.amazonaws.auth.policy.Resource> resources = statement.getResources();
                            List<com.amazonaws.auth.policy.Resource> update = new ArrayList<com.amazonaws.auth.policy.Resource>();
                            if (resources != null) {
                                for (com.amazonaws.auth.policy.Resource resource : resources) {
                                    String resourceName = resource.getId();
                                    // Strip a trailing wildcard so the comparison is on the key prefix.
                                    if (resourceName.endsWith("*")) {
                                        resourceName = resourceName.substring(0, resourceName.length() - 1);
                                    }
                                    // Appending "/" to both sides keeps "foo" from matching "foobar":
                                    // only the object itself or keys beneath it count as covering it.
                                    if (!(resourceName + "/").startsWith(key + "/")) {
                                        update.add(resource);
                                    } else {
                                        log.info("Removing " + resource.getId());
                                    }
                                }
                            }
                            // NOTE(review): the grant added here is a prefix wildcard (filename + "*"), so any
                            // sibling key that merely starts with filename becomes readable too, which is broader
                            // than the "/"-delimited match used for removal just above — confirm that is intended.
                            if (isPublic && !inserted)
                                update.add(new S3ObjectResource(repo.getRoot(), filename + "*"));
                            // A statement left with no resources is dropped rather than stored empty.
                            if (update.size() > 0) {
                                statement.setResources(update);
                                statements.add(statement);
                            }
                            inserted = true;
                        } else {
                            // Statements that are not ours are carried over untouched.
                            statements.add(statement);
                        }
                    }
                }
                // Existing policy but no "n3phele" statement yet: add one with the anonymous principal "*".
                if (!inserted && isPublic) {
                    Statement statement = new Statement(Effect.Allow);
                    statement.setId("n3phele");
                    statement.setPrincipals(Arrays.asList(new Principal("*")));
                    statement.setActions(Arrays.asList((Action) S3Actions.GetObject));
                    statement.setResources(Arrays.asList((com.amazonaws.auth.policy.Resource) new S3ObjectResource(repo.getRoot(), filename + "*")));
                    statements.add(statement);
                }
            }
        }
        // No policy on the bucket at all (or it failed to parse): create one from scratch.
        if (policy == null && isPublic) {
            policy = new Policy("n3phele-" + repo.getRoot());
            Statement statement = new Statement(Effect.Allow);
            statement.setId("n3phele");
            statement.setPrincipals(Arrays.asList(new Principal("*")));
            statement.setActions(Arrays.asList((Action) S3Actions.GetObject));
            statement.setResources(Arrays.asList((com.amazonaws.auth.policy.Resource) new S3ObjectResource(repo.getRoot(), filename + "*")));
            statements.add(statement);
        }
        if (policy != null) {
            if (statements.size() != 0) {
                policy.setStatements(statements);
                s3.setBucketPolicy(repo.getRoot(), policy.toJson());
                log.info("Set policy " + policy.toJson());
            } else {
                // Nothing left to grant: remove the bucket policy instead of writing an empty one.
                s3.deleteBucketPolicy(repo.getRoot());
            }
        }
        // Also reached when there was no policy and isPublic is false (nothing to revoke).
        return true;
    } catch (AmazonServiceException e) {
        log.log(Level.WARNING, "Service Error processing " + repo, e);
    } catch (AmazonClientException e) {
        log.log(Level.SEVERE, "Client Error processing " + repo, e);
    } catch (IllegalArgumentException e) {
        // Thrown by PolicyHelper.parse on malformed policy text.
        log.log(Level.SEVERE, "parse error ", e);
        log.log(Level.SEVERE, "cause", e.getCause());
    }
    return false;
}
From source file:org.apache.usergrid.apm.service.AWSUtil.java
License:Apache License
/**
 * Builds a bucket policy granting anonymous {@code s3:PutObject} and {@code s3:GetObject} on every
 * key in the bucket, restricted to the configured source-IP ranges when any are configured.
 *
 * @param s3Bucket bucket whose objects the policy covers
 * @return the policy serialised as JSON
 */
public static String getS3IPAddressWhiteListPolicy(String s3Bucket) {
    IpAddressCondition[] allowedRanges = AWSUtil.getIPAddressRangeWhiteList();
    // Anonymous read/write on the whole bucket; the IP conditions are the only restriction.
    Statement anonymousReadWrite = new Statement(Effect.Allow)
            .withPrincipals(Principal.AllUsers)
            .withActions(S3Actions.PutObject, S3Actions.GetObject)
            .withResources(new S3ObjectResource(s3Bucket, "*"));
    boolean hasWhiteList = allowedRanges != null && allowedRanges.length != 0;
    if (hasWhiteList) {
        anonymousReadWrite.withConditions(allowedRanges);
    }
    // NOTE(review): with an empty whitelist the statement carries no condition at all, so the
    // policy degrades to an unconditional anonymous read/write grant — confirm that is intended.
    Policy policy = new Policy().withStatements(anonymousReadWrite);
    return policy.toJson();
}
From source file:org.applicationMigrator.userManagement.UserManagementWorker.java
License:Apache License
/**
 * Attaches an inline IAM policy to the user that allows get, put and delete on the user's own
 * prefix ({@code BUCKET_NAME/<userName>/*}) and nothing else.
 *
 * @param user   the IAM user request whose user name scopes the grant
 * @param client IAM client used to store the inline policy
 */
public void grantPermissions(CreateUserRequest user, AmazonIdentityManagementClient client) {
    String userName = user.getUserName();
    // NOTE(review): userName is interpolated into the resource ARN unescaped; this relies on IAM's
    // user-name character rules (no '/' or '*') having been enforced on the name — confirm.
    Collection<Resource> resources = new ArrayList<Resource>();
    resources.add(new Resource(BUCKET_NAME + "/" + userName + "/*"));
    Collection<Action> actions = new ArrayList<Action>();
    actions.add(S3Actions.DeleteObject);
    actions.add(S3Actions.GetObject);
    actions.add(S3Actions.PutObject);
    Statement ownPrefixAccess = new Statement(Effect.Allow);
    ownPrefixAccess.setActions(actions);
    ownPrefixAccess.setResources(resources);
    Collection<Statement> statements = new ArrayList<Statement>();
    statements.add(ownPrefixAccess);
    Policy userPolicy = new Policy();
    userPolicy.setStatements(statements);
    // Policy name is a timestamp so repeated calls do not overwrite each other's inline policy.
    PutUserPolicyRequest request = new PutUserPolicyRequest();
    request.setUserName(userName);
    request.setPolicyName(System.currentTimeMillis() + "Policy");
    request.setPolicyDocument(userPolicy.toJson());
    client.putUserPolicy(request);
}
From source file:org.finra.dm.service.impl.UploadDownloadServiceImpl.java
License:Apache License
/**
 * Builds a least-privilege download policy: {@code s3:GetObject} on exactly one object and
 * {@code kms:Decrypt} on exactly one key.
 *
 * @param s3BucketName bucket holding the object the caller may read
 * @param s3Key        exact object key within that bucket (no wildcard is added)
 * @param awsKmsKeyId  KMS key the caller may decrypt with, used as the resource identifier as given
 * @return the assembled {@link Policy}; callers serialise it with {@code toJson()} themselves
 */
@SuppressWarnings("PMD.CloseResource") // Policy statements, not JDBC statements — nothing to close.
private Policy createDownloaderPolicy(String s3BucketName, String s3Key, String awsKmsKeyId) {
    Statement objectRead = new Statement(Effect.Allow)
            .withActions(S3Actions.GetObject)
            .withResources(new Resource("arn:aws:s3:::" + s3BucketName + "/" + s3Key));
    Statement keyDecrypt = new Statement(Effect.Allow)
            .withActions(new KmsDecryptAction())
            .withResources(new Resource(awsKmsKeyId));
    // Order is kept (S3 grant first, KMS grant second) so the emitted document is unchanged.
    return new Policy().withStatements(objectRead, keyDecrypt);
}
From source file:org.finra.herd.service.impl.BusinessObjectDataServiceImpl.java
License:Apache License
/**
 * Creates and returns a set of AWS credentials which can be used to access the S3 object indicated by the given business object data and storage.
 *
 * The credentials are STS temporary credentials scoped by an inline policy: the S3 actions are
 * limited to the business object data's key prefix, plus a bucket-level list permission, and the
 * KMS actions (when the storage has a KMS key) to that key. Upload credentials get put/delete
 * (no read); download credentials get read only.
 *
 * @param businessObjectDataKey Business object data key
 * @param createNewVersion true to create credentials for the next version up from the latest business object data, otherwise, uses specified data version in data key.
 * @param storageName Name of storage to access
 * @param isUpload true if this credential is to upload, false to download
 *
 * @return Credentials which has the permissions to perform the specified actions at the specified storage. Carries the secret key and session token, so it must be handled as a secret by the caller.
 * @throws IllegalArgumentException when storageName is blank or the version / createNewVersion combination is inconsistent (via Assert.isTrue)
 */
private AwsCredential getBusinessObjectDataS3Credential(BusinessObjectDataKey businessObjectDataKey, Boolean createNewVersion, String storageName, boolean isUpload) {
    Assert.isTrue(StringUtils.isNotBlank(storageName), "storageName must be specified");
    Assert.isTrue(businessObjectDataKey.getBusinessObjectDataVersion() != null || createNewVersion != null, "One of businessObjectDataVersion or createNewVersion must be specified.");
    Assert.isTrue(businessObjectDataKey.getBusinessObjectDataVersion() == null || !Boolean.TRUE.equals(createNewVersion), "createNewVersion must be false or unspecified when businessObjectDataVersion is specified.");
    /*
     * Choose configurations based on whether this is an upload or download operation.
     * Role, session duration and the permitted S3/KMS actions all differ between the two.
     */
    ConfigurationValue roleArnConfigurationValue;
    ConfigurationValue defaultSessionDurationConfigurationValue;
    ConfigurationValue sessionDurationConfigurationValue;
    S3Actions[] s3Actions;
    KmsActions[] kmsActions;
    if (isUpload) {
        roleArnConfigurationValue = ConfigurationValue.S3_ATTRIBUTE_NAME_UPLOAD_ROLE_ARN;
        defaultSessionDurationConfigurationValue = ConfigurationValue.AWS_S3_DEFAULT_UPLOAD_SESSION_DURATION_SECS;
        sessionDurationConfigurationValue = ConfigurationValue.S3_ATTRIBUTE_NAME_UPLOAD_SESSION_DURATION_SECS;
        // Uploaders may write and delete under the prefix but are deliberately not given GetObject.
        s3Actions = new S3Actions[] { S3Actions.PutObject, S3Actions.DeleteObject };
        kmsActions = new KmsActions[] { KmsActions.GENERATE_DATA_KEY, KmsActions.DECRYPT };
    } else {
        roleArnConfigurationValue = ConfigurationValue.S3_ATTRIBUTE_NAME_DOWNLOAD_ROLE_ARN;
        defaultSessionDurationConfigurationValue = ConfigurationValue.AWS_S3_DEFAULT_DOWNLOAD_SESSION_DURATION_SECS;
        sessionDurationConfigurationValue = ConfigurationValue.S3_ATTRIBUTE_NAME_DOWNLOAD_SESSION_DURATION_SECS;
        s3Actions = new S3Actions[] { S3Actions.GetObject };
        kmsActions = new KmsActions[] { KmsActions.DECRYPT };
    }
    StorageEntity storageEntity = storageDaoHelper.getStorageEntity(storageName.trim());
    // Role ARN and bucket are required storage attributes (trailing 'true'); the session duration
    // falls back to the configured default when the storage does not override it.
    String roleArn = storageDaoHelper.getStorageAttributeValueByName(configurationHelper.getProperty(roleArnConfigurationValue), storageEntity, true);
    Integer durationSeconds = storageDaoHelper.getStorageAttributeIntegerValueByName(configurationHelper.getProperty(sessionDurationConfigurationValue), storageEntity, configurationHelper.getProperty(defaultSessionDurationConfigurationValue, Integer.class));
    String bucketName = storageDaoHelper.getStorageAttributeValueByName(configurationHelper.getProperty(ConfigurationValue.S3_ATTRIBUTE_NAME_BUCKET_NAME), storageEntity, true);
    S3KeyPrefixInformation s3KeyPrefixInformation = getS3KeyPrefixImpl(businessObjectDataKey, null, createNewVersion);
    /*
     * Policy is different based on whether this is meant for downloading or uploading.
     * However, both uploader and downloader requires a ListBucket at the bucket level.
     * NOTE(review): the list grant is made with a null key, i.e. no prefix is passed to the builder
     * here; whether AwsPolicyBuilder narrows listing to the prefix is not visible in this method.
     */
    AwsPolicyBuilder awsPolicyBuilder = new AwsPolicyBuilder().withS3Prefix(bucketName, s3KeyPrefixInformation.getS3KeyPrefix(), s3Actions).withS3(bucketName, null, S3Actions.ListObjects);
    /*
     * Only add KMS policies if the storage specifies a KMS ID
     */
    String kmsKeyId = getStorageKmsKeyId(storageEntity);
    if (kmsKeyId != null) {
        awsPolicyBuilder.withKms(kmsKeyId.trim(), kmsActions);
    }
    // The namespace is passed where the second overload of this method passes a random UUID;
    // presumably it becomes the STS role session name — verify against stsDao.
    Credentials credentials = stsDao.getTemporarySecurityCredentials(awsHelper.getAwsParamsDto(), businessObjectDataKey.getNamespace(), roleArn, durationSeconds, awsPolicyBuilder.build());
    AwsCredential awsCredential = new AwsCredential();
    awsCredential.setAwsAccessKey(credentials.getAccessKeyId());
    awsCredential.setAwsSecretKey(credentials.getSecretAccessKey());
    awsCredential.setAwsSessionToken(credentials.getSessionToken());
    awsCredential.setAwsSessionExpirationTime(HerdDateUtils.getXMLGregorianCalendarValue(credentials.getExpiration()));
    return awsCredential;
}
From source file:org.finra.herd.service.impl.StorageUnitServiceImpl.java
License:Apache License
/**
 * Creates and returns a set of AWS credentials which can be used to access the S3 object indicated by the given business object data and storage.
 *
 * The credentials are STS temporary credentials scoped by an inline policy: the S3 actions are
 * limited to the business object data's key prefix, plus a bucket-level list permission, and the
 * KMS actions (when the storage has a KMS key) to that key. Upload credentials get put/delete
 * (no read); download credentials get read only.
 *
 * @param businessObjectDataKey Business object data key
 * @param createNewVersion true to create credentials for the next version up from the latest business object data, otherwise, uses specified data version in data key.
 * @param storageName Name of storage to access
 * @param isUpload true if this credential is to upload, false to download
 *
 * @return Credentials which has the permissions to perform the specified actions at the specified storage. Carries the secret key and session token, so it must be handled as a secret by the caller.
 * @throws IllegalArgumentException when storageName is blank or the version / createNewVersion combination is inconsistent (via Assert.isTrue)
 */
private AwsCredential getBusinessObjectDataS3Credential(BusinessObjectDataKey businessObjectDataKey, Boolean createNewVersion, String storageName, boolean isUpload) {
    Assert.isTrue(StringUtils.isNotBlank(storageName), "storageName must be specified");
    Assert.isTrue(businessObjectDataKey.getBusinessObjectDataVersion() != null || createNewVersion != null, "One of businessObjectDataVersion or createNewVersion must be specified.");
    Assert.isTrue(businessObjectDataKey.getBusinessObjectDataVersion() == null || !Boolean.TRUE.equals(createNewVersion), "createNewVersion must be false or unspecified when businessObjectDataVersion is specified.");
    /*
     * Choose configurations based on whether this is an upload or download operation.
     * Role, session duration and the permitted S3/KMS actions all differ between the two.
     */
    ConfigurationValue roleArnConfigurationValue;
    ConfigurationValue defaultSessionDurationConfigurationValue;
    ConfigurationValue sessionDurationConfigurationValue;
    S3Actions[] s3Actions;
    KmsActions[] kmsActions;
    if (isUpload) {
        roleArnConfigurationValue = ConfigurationValue.S3_ATTRIBUTE_NAME_UPLOAD_ROLE_ARN;
        defaultSessionDurationConfigurationValue = ConfigurationValue.AWS_S3_DEFAULT_UPLOAD_SESSION_DURATION_SECS;
        sessionDurationConfigurationValue = ConfigurationValue.S3_ATTRIBUTE_NAME_UPLOAD_SESSION_DURATION_SECS;
        // Uploaders may write and delete under the prefix but are deliberately not given GetObject.
        s3Actions = new S3Actions[] { S3Actions.PutObject, S3Actions.DeleteObject };
        kmsActions = new KmsActions[] { KmsActions.GENERATE_DATA_KEY, KmsActions.DECRYPT };
    } else {
        roleArnConfigurationValue = ConfigurationValue.S3_ATTRIBUTE_NAME_DOWNLOAD_ROLE_ARN;
        defaultSessionDurationConfigurationValue = ConfigurationValue.AWS_S3_DEFAULT_DOWNLOAD_SESSION_DURATION_SECS;
        sessionDurationConfigurationValue = ConfigurationValue.S3_ATTRIBUTE_NAME_DOWNLOAD_SESSION_DURATION_SECS;
        s3Actions = new S3Actions[] { S3Actions.GetObject };
        kmsActions = new KmsActions[] { KmsActions.DECRYPT };
    }
    StorageEntity storageEntity = storageDaoHelper.getStorageEntity(storageName.trim());
    // Role ARN and bucket are required storage attributes (trailing 'true'); the session duration
    // falls back to the configured default when the storage does not override it.
    String roleArn = storageHelper.getStorageAttributeValueByName(configurationHelper.getProperty(roleArnConfigurationValue), storageEntity, true);
    Integer durationSeconds = storageHelper.getStorageAttributeIntegerValueByName(configurationHelper.getProperty(sessionDurationConfigurationValue), storageEntity, configurationHelper.getProperty(defaultSessionDurationConfigurationValue, Integer.class));
    String bucketName = storageHelper.getStorageAttributeValueByName(configurationHelper.getProperty(ConfigurationValue.S3_ATTRIBUTE_NAME_BUCKET_NAME), storageEntity, true);
    S3KeyPrefixInformation s3KeyPrefixInformation = getS3KeyPrefixImpl(businessObjectDataKey, null, storageName, createNewVersion);
    /*
     * Policy is different based on whether this is meant for downloading or uploading.
     * However, both uploader and downloader requires a ListBucket at the bucket level.
     * NOTE(review): the list grant is made with a null key, i.e. no prefix is passed to the builder
     * here; whether AwsPolicyBuilder narrows listing to the prefix is not visible in this method.
     */
    AwsPolicyBuilder awsPolicyBuilder = new AwsPolicyBuilder().withS3Prefix(bucketName, s3KeyPrefixInformation.getS3KeyPrefix(), s3Actions).withS3(bucketName, null, S3Actions.ListObjects);
    /*
     * Only add KMS policies if the storage specifies a KMS ID
     */
    String kmsKeyId = getStorageKmsKeyId(storageEntity);
    if (kmsKeyId != null) {
        awsPolicyBuilder.withKms(kmsKeyId.trim(), kmsActions);
    }
    // A fresh random UUID is passed per call; presumably it becomes the STS role session name,
    // which makes each issued credential individually distinguishable — verify against stsDao.
    Credentials credentials = stsDao.getTemporarySecurityCredentials(awsHelper.getAwsParamsDto(), UUID.randomUUID().toString(), roleArn, durationSeconds, awsPolicyBuilder.build());
    AwsCredential awsCredential = new AwsCredential();
    awsCredential.setAwsAccessKey(credentials.getAccessKeyId());
    awsCredential.setAwsSecretKey(credentials.getSecretAccessKey());
    awsCredential.setAwsSessionToken(credentials.getSessionToken());
    awsCredential.setAwsSessionExpirationTime(HerdDateUtils.getXMLGregorianCalendarValue(credentials.getExpiration()));
    return awsCredential;
}
From source file:org.finra.herd.service.impl.UploadDownloadServiceImpl.java
License:Apache License
/**
 * Builds a least-privilege download policy: {@code s3:GetObject} on a single object and
 * {@code kms:Decrypt} on a single key, via {@link AwsPolicyBuilder}.
 *
 * @param s3BucketName bucket holding the object the caller may read
 * @param s3Key        object key passed to the builder exactly as given
 * @param awsKmsKeyId  KMS key the caller may decrypt with
 * @return the assembled {@link Policy}; callers serialise it themselves
 */
@SuppressWarnings("PMD.CloseResource") // Policy statements, not JDBC statements — nothing to close.
private Policy createDownloaderPolicy(String s3BucketName, String s3Key, String awsKmsKeyId) {
    AwsPolicyBuilder singleObjectRead = new AwsPolicyBuilder().withS3(s3BucketName, s3Key, S3Actions.GetObject);
    AwsPolicyBuilder withKeyDecrypt = singleObjectRead.withKms(awsKmsKeyId, KmsActions.DECRYPT);
    return withKeyDecrypt.build();
}
From source file:org.finra.herd.service.impl.UploadDownloadServiceImpl.java
License:Apache License
/**
 * Builds a policy that allows {@code s3:GetObject} on a single object and nothing else — no KMS
 * grant is included, so use the three-argument overload for objects encrypted with a KMS key.
 *
 * @param s3BucketName bucket holding the object
 * @param s3Key        object key passed to the builder exactly as given
 * @return the assembled {@link Policy}; callers serialise it themselves
 */
@SuppressWarnings("PMD.CloseResource") // Policy statements, not JDBC statements — nothing to close.
private Policy createDownloaderPolicy(String s3BucketName, String s3Key) {
    AwsPolicyBuilder singleObjectRead = new AwsPolicyBuilder().withS3(s3BucketName, s3Key, S3Actions.GetObject);
    return singleObjectRead.build();
}
From source file:org.finra.herd.service.impl.UploadDownloadServiceImpl.java
License:Apache License
/**
 * Initiates a download of one storage file: issues temporary credentials scoped to that single
 * object (plus KMS decrypt when the storage has a key) and a pre-signed GET URL that expires
 * together with those credentials.
 *
 * Access is authorised by the {@code @NamespacePermission} annotation against the namespace in
 * the request key; the requested file path is resolved against the persisted storage file before
 * any policy or URL is built from it, so only a registered file can be targeted.
 *
 * @param downloadBusinessObjectDataStorageFileSingleInitiationRequest request naming the
 *        business object data, storage and file path to download
 * @return response with the resolved storage file key, the bucket, the temporary access key,
 *         secret key, session token and expiration, and the pre-signed URL (all of which
 *         must be treated as secrets by the caller)
 */
@NamespacePermission(fields = "#downloadBusinessObjectDataStorageFileSingleInitiationRequest.businessObjectDataStorageFileKey.namespace", permissions = NamespacePermissionEnum.READ)
@Override
public DownloadBusinessObjectDataStorageFileSingleInitiationResponse initiateDownloadSingleBusinessObjectDataStorageFile(DownloadBusinessObjectDataStorageFileSingleInitiationRequest downloadBusinessObjectDataStorageFileSingleInitiationRequest) {
    // Validate and trim the request.
    uploadDownloadHelper.validateAndTrimDownloadBusinessObjectDataStorageFileSingleInitiationRequest(downloadBusinessObjectDataStorageFileSingleInitiationRequest);
    // Get the business object data storage file key.
    BusinessObjectDataStorageFileKey businessObjectDataStorageFileKey = downloadBusinessObjectDataStorageFileSingleInitiationRequest.getBusinessObjectDataStorageFileKey();
    // Retrieve and validate that the business object data exists.
    BusinessObjectDataKey businessObjectDataKey = getBusinessObjectDataKeyFromBusinessObjectDataStorageFileKey(businessObjectDataStorageFileKey);
    BusinessObjectDataEntity businessObjectDataEntity = businessObjectDataDaoHelper.getBusinessObjectDataEntity(businessObjectDataKey);
    // Retrieve and validate that the storage unit exists
    StorageUnitEntity storageUnitEntity = storageUnitDaoHelper.getStorageUnitEntity(businessObjectDataStorageFileKey.getStorageName(), businessObjectDataEntity);
    // Get the storage file entity and ensure it exists. This lookup is what ties the caller-supplied
    // file path to a registered file of this business object data before it is used in the policy.
    StorageFileEntity storageFileEntity = storageFileDaoHelper.getStorageFileEntity(storageUnitEntity, businessObjectDataStorageFileKey.getFilePath(), businessObjectDataKey);
    // Get S3 bucket access parameters.
    StorageEntity storageEntity = storageFileEntity.getStorageUnit().getStorage();
    // Retrieve the storage related information.
    String s3BucketName = storageHelper.getStorageBucketName(storageEntity);
    String s3ObjectKey = businessObjectDataStorageFileKey.getFilePath();
    // Create an AWS policy builder: GetObject on this one key only.
    AwsPolicyBuilder awsPolicyBuilder = new AwsPolicyBuilder().withS3(s3BucketName, s3ObjectKey, S3Actions.GetObject);
    // Get the storage kms key id (optional attribute — the trailing flags presumably mean
    // not-required / trimmed; verify against storageHelper).
    String storageKmsKeyId = storageHelper.getStorageAttributeValueByName(configurationHelper.getProperty(ConfigurationValue.S3_ATTRIBUTE_NAME_KMS_KEY_ID), storageEntity, false, true);
    /*
     * Only add KMS policies if the storage specifies a KMS ID
     */
    if (storageKmsKeyId != null) {
        awsPolicyBuilder.withKms(storageKmsKeyId.trim(), KmsActions.DECRYPT);
    }
    // Create a sessionId.
    String sessionId = UUID.randomUUID().toString();
    // Get the temporary credentials.
    Credentials downloaderCredentials = getDownloaderCredentials(storageEntity, sessionId, awsPolicyBuilder);
    // Generate a pre-signed URL whose expiry equals the credentials' expiry, so neither outlives the other.
    Date expiration = downloaderCredentials.getExpiration();
    S3FileTransferRequestParamsDto s3BucketAccessParams = storageHelper.getS3BucketAccessParams(storageEntity);
    String preSignedUrl = s3Dao.generateGetObjectPresignedUrl(s3BucketName, s3ObjectKey, expiration, s3BucketAccessParams);
    // Convert the business object format entity to the business object format model object
    BusinessObjectFormat businessObjectFormat = businessObjectFormatHelper.createBusinessObjectFormatFromEntity(businessObjectDataEntity.getBusinessObjectFormat());
    // Create a business object data storage file key for the response from the persisted entities,
    // not from the request, so the response echoes canonical values.
    BusinessObjectDataStorageFileKey businessObjectDataStorageFileKeyForResponse = new BusinessObjectDataStorageFileKey(businessObjectFormat.getNamespace(), businessObjectFormat.getBusinessObjectDefinitionName(), businessObjectFormat.getBusinessObjectFormatUsage(), businessObjectFormat.getBusinessObjectFormatFileType(), businessObjectFormat.getBusinessObjectFormatVersion(), businessObjectDataEntity.getPartitionValue(), businessObjectDataHelper.getSubPartitionValues(businessObjectDataEntity), businessObjectDataEntity.getVersion(), storageUnitEntity.getStorageName(), storageFileEntity.getPath());
    // Create the download business object data storage file single initiation response.
    DownloadBusinessObjectDataStorageFileSingleInitiationResponse downloadBusinessObjectDataStorageFileSingleInitiationResponse = new DownloadBusinessObjectDataStorageFileSingleInitiationResponse();
    downloadBusinessObjectDataStorageFileSingleInitiationResponse.setBusinessObjectDataStorageFileKey(businessObjectDataStorageFileKeyForResponse);
    downloadBusinessObjectDataStorageFileSingleInitiationResponse.setAwsS3BucketName(s3BucketName);
    // The response carries the full temporary credential set alongside the pre-signed URL.
    downloadBusinessObjectDataStorageFileSingleInitiationResponse.setAwsAccessKey(downloaderCredentials.getAccessKeyId());
    downloadBusinessObjectDataStorageFileSingleInitiationResponse.setAwsSecretKey(downloaderCredentials.getSecretAccessKey());
    downloadBusinessObjectDataStorageFileSingleInitiationResponse.setAwsSessionToken(downloaderCredentials.getSessionToken());
    downloadBusinessObjectDataStorageFileSingleInitiationResponse.setAwsSessionExpirationTime(HerdDateUtils.getXMLGregorianCalendarValue(expiration));
    downloadBusinessObjectDataStorageFileSingleInitiationResponse.setPreSignedUrl(preSignedUrl);
    // Return the download business object data storage file single initiation response.
    return downloadBusinessObjectDataStorageFileSingleInitiationResponse;
}