@Override
public boolean backupExistingConfigForResource(final String resourceId, final String resourceType,
        Map<String, Object> clientMap, Map<String, String> ruleParams, Map<String, String> issue) throws AutoFixException {
    LOGGER.debug(String.format("backing up the config for %s", resourceId));
    final AmazonS3 s3 = (AmazonS3) clientMap.get("client");

    // Snapshot the current ACL grants as JSON so the auto-fix can be reverted later.
    final List<Grant> currentGrants = s3.getBucketAcl(resourceId).getGrantsAsList();
    backupOldConfig(resourceId, BUCKET_ACL, new Gson().toJson(currentGrants));

    // The bucket policy is only backed up when the bucket actually has one attached.
    final String policyText = s3.getBucketPolicy(resourceId).getPolicyText();
    if (!Strings.isNullOrEmpty(policyText)) {
        backupOldConfig(resourceId, BUCKET_POLICY, policyText);
    }

    LOGGER.debug("backup complete for " + resourceId);
    return true;
}
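/**
 * Collects the permissions that the "all users" or "any authenticated user" group
 * grantees hold on a bucket.
 *
 * <p>A grant is reported when its grantee identifier is one of the two group URIs
 * and its permission is either contained in {@code accessTypeToCheck} or is
 * FULL_CONTROL.
 *
 * @param grants the ACL grants to inspect
 * @param accessTypeToCheck the access type(s) of interest; matched with
 *     {@code String.contains} against the permission's string form
 * @return the matching permissions, or an empty set when none match
 */
private static Set<Permission> checkAnyGrantHasOpenToReadOrWriteAccess(List<Grant> grants, String accessTypeToCheck) {
    Set<Permission> permissions = new HashSet<>();
    for (Grant grant : grants) {
        String granteeId = grant.getGrantee().getIdentifier();
        boolean publicGroupGrantee = PacmanRuleConstants.ANY_S3_AUTHENTICATED_USER_URI.equalsIgnoreCase(granteeId)
                || PacmanRuleConstants.ALL_S3_USER_URI.equalsIgnoreCase(granteeId);
        if (!publicGroupGrantee) {
            continue;
        }
        String permissionName = grant.getPermission().toString();
        // NOTE(review): contains() is a case-sensitive substring test (unlike the
        // FULL_CONTROL comparison below), so an access type such as "READ_ACP" would
        // also admit a plain READ grant — confirm this is the intended matching.
        if (accessTypeToCheck.contains(permissionName)
                || permissionName.equalsIgnoreCase(PacmanRuleConstants.FULL_CONTROL)) {
            permissions.add(grant.getPermission());
        }
    }
    return permissions;
}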
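/**
 * Returns the permissions a bucket's ACL grants to the public or
 * any-authenticated-user group grantees.
 *
 * @param awsS3Client client used to read the bucket ACL
 * @param s3BucketName bucket whose ACL is inspected
 * @param accessType the access type(s) of interest, see
 *     {@link #checkAnyGrantHasOpenToReadOrWriteAccess(List, String)}
 * @return the matching permissions; empty when the ACL has no grants or none match
 * @throws RuleExecutionFailedExeption if the ACL cannot be read
 */
public static Set<Permission> checkACLPermissions(AmazonS3Client awsS3Client, String s3BucketName, String accessType) {
    Set<Permission> permissionList = new HashSet<>();
    try {
        AccessControlList bucketAcl = awsS3Client.getBucketAcl(s3BucketName);
        List<Grant> grants = bucketAcl.getGrantsAsList();
        if (!CollectionUtils.isNullOrEmpty(grants)) {
            permissionList = checkAnyGrantHasOpenToReadOrWriteAccess(grants, accessType);
        }
    } catch (AmazonS3Exception s3Exception) {
        logger.error("error : ", s3Exception);
        // NOTE(review): only the message is propagated; attach s3Exception as the cause
        // if RuleExecutionFailedExeption offers a (String, Throwable) constructor.
        throw new RuleExecutionFailedExeption(s3Exception.getMessage());
    }
    return permissionList;
}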
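/**
 * Checks whether a bucket's ACL grants the given access type (or FULL_CONTROL) to the
 * public or any-authenticated-user group.
 *
 * @param awsS3Client client used to read the bucket ACL
 * @param s3BucketName bucket whose ACL is inspected
 * @param accessType the access type of interest
 * @return {@code true} if at least one such grant exists
 * @throws RuleExecutionFailedExeption if the ACL cannot be read
 */
public static boolean checkACLAccess(AmazonS3Client awsS3Client, String s3BucketName, String accessType) {
    logger.info("inside the checkACLAccess method");
    boolean openAccess = false;
    try {
        AccessControlList bucketAcl = awsS3Client.getBucketAcl(s3BucketName);
        List<Grant> grants = bucketAcl.getGrantsAsList();
        // Check grants has which permission
        if (!CollectionUtils.isNullOrEmpty(grants)) {
            List<Permission> permissionList = checkAnyGrantHasOpenToReadOrWriteAccess(grants, accessType);
            openAccess = !CollectionUtils.isNullOrEmpty(permissionList);
        }
    } catch (AmazonS3Exception s3Exception) {
        logger.error("error : ", s3Exception);
        // NOTE(review): only the message is propagated; attach s3Exception as the cause
        // if RuleExecutionFailedExeption offers a (String, Throwable) constructor.
        throw new RuleExecutionFailedExeption(s3Exception.getMessage());
    }
    return openAccess;
}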
/**
 * Collects the permissions that the "all users" or "any authenticated user" group
 * grantees hold on a bucket, restricted to the requested access type.
 *
 * <p>A grant qualifies when its grantee identifier is one of the two group URIs and
 * its permission name contains {@code accessTypeToCheck} or equals FULL_CONTROL.
 *
 * @param grants the ACL grants to inspect
 * @param accessTypeToCheck access type whose grants are of interest
 * @return the qualifying permissions, empty when there are none
 */
private static List<Permission> checkAnyGrantHasOpenToReadOrWriteAccess(List<Grant> grants, String accessTypeToCheck) {
    List<Permission> matched = new ArrayList<>();
    for (Grant candidate : grants) {
        String granteeUri = candidate.getGrantee().getIdentifier();
        boolean groupGrantee = PacmanRuleConstants.ANY_S3_AUTHENTICATED_USER_URI.equalsIgnoreCase(granteeUri)
                || PacmanRuleConstants.ALL_S3_USER_URI.equalsIgnoreCase(granteeUri);
        if (!groupGrantee) {
            continue;
        }
        String permissionName = candidate.getPermission().toString();
        // NOTE(review): contains() is a case-sensitive substring test, so an access type
        // of "READ" presumably also matches a READ_ACP grant — confirm intended.
        boolean relevant = permissionName.contains(accessTypeToCheck)
                || permissionName.equalsIgnoreCase(PacmanRuleConstants.FULL_CONTROL);
        if (relevant) {
            matched.add(candidate.getPermission());
        }
    }
    return matched;
}
/**
 * Prints every grant in a bucket's ACL to standard output, one line per grant.
 *
 * @param bucket_name bucket whose ACL is printed
 */
public static void getBucketAcl(String bucket_name) {
    System.out.println("Retrieving ACL for bucket: " + bucket_name);
    final AmazonS3 s3 = AmazonS3ClientBuilder.standard().withRegion(Regions.DEFAULT_REGION).build();
    try {
        List<Grant> grants = s3.getBucketAcl(bucket_name).getGrantsAsList();
        for (Grant grant : grants) {
            String grantee = grant.getGrantee().getIdentifier();
            String permission = grant.getPermission().toString();
            System.out.format(" %s: %s\n", grantee, permission);
        }
    } catch (AmazonServiceException e) {
        // Sample-style handling: report the service error and terminate the JVM.
        System.err.println(e.getErrorMessage());
        System.exit(1);
    }
}
/**
 * Prints every grant in an object's ACL to standard output, one line per grant.
 *
 * @param bucket_name bucket containing the object
 * @param object_key key of the object whose ACL is printed
 */
public static void getObjectAcl(String bucket_name, String object_key) {
    System.out.println("Retrieving ACL for object: " + object_key);
    System.out.println(" in bucket: " + bucket_name);
    final AmazonS3 s3 = AmazonS3ClientBuilder.standard().withRegion(Regions.DEFAULT_REGION).build();
    try {
        List<Grant> grants = s3.getObjectAcl(bucket_name, object_key).getGrantsAsList();
        for (Grant grant : grants) {
            String grantee = grant.getGrantee().getIdentifier();
            String permission = grant.getPermission().toString();
            System.out.format(" %s: %s\n", grantee, permission);
        }
    } catch (AmazonServiceException e) {
        // Sample-style handling: report the service error and terminate the JVM.
        System.err.println(e.getErrorMessage());
        System.exit(1);
    }
}
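/**
 * Revokes every ACL permission held by the "all users" and "any authenticated user"
 * group grantees and writes the trimmed ACL back to the bucket.
 *
 * <p>The ACL is only rewritten when it has at least one grant; grants belonging to
 * other grantees are left untouched.
 *
 * @param awsS3Client the AWS S3 client
 * @param s3BucketName the S3 bucket name
 * @throws RuleEngineRunTimeException if reading or writing the ACL fails
 */
private void revokeACLPublicPermission(AmazonS3Client awsS3Client, String s3BucketName) {
    try {
        AccessControlList bucketAcl = awsS3Client.getBucketAcl(s3BucketName);
        List<Grant> grants = bucketAcl.getGrantsAsList();
        if (!CollectionUtils.isNullOrEmpty(grants)) {
            // Iterate over a snapshot: revokeAllPermissions() mutates the ACL's grant
            // collection, which may be the very list getGrantsAsList() handed us.
            for (Grant grant : grants.toArray(new Grant[0])) {
                if (isPublicGroupGrantee(grant) && isRevocablePermission(grant)) {
                    bucketAcl.revokeAllPermissions(grant.getGrantee());
                }
            }
            awsS3Client.setBucketAcl(s3BucketName, bucketAcl);
        }
    } catch (AmazonS3Exception s3Exception) {
        LOGGER.error(String.format("AmazonS3Exception in revokeACLPublicPermission: %s", s3Exception.getMessage()));
        throw new RuleEngineRunTimeException(s3Exception);
    }
}

/** True when the grant's grantee is the any-authenticated-user or all-users group URI. */
private static boolean isPublicGroupGrantee(Grant grant) {
    String granteeId = grant.getGrantee().getIdentifier();
    return PacmanSdkConstants.ANY_S3_AUTHENTICATED_USER_URI.equalsIgnoreCase(granteeId)
            || PacmanSdkConstants.ALL_S3_USER_URI.equalsIgnoreCase(granteeId);
}

/**
 * True when the grant's permission name equals (ignoring case) one of the
 * PacmanSdkConstants READ / WRITE / READ_ACP / WRITE_ACP / FULL_CONTROL values.
 * NOTE(review): if those constants cover every S3 permission this is always true for
 * a public grantee, which is the safe direction for a revocation.
 */
private static boolean isRevocablePermission(Grant grant) {
    String permissionName = grant.getPermission().toString();
    return permissionName.equalsIgnoreCase(PacmanSdkConstants.READ_ACCESS)
            || permissionName.equalsIgnoreCase(PacmanSdkConstants.WRITE_ACCESS)
            || permissionName.equalsIgnoreCase(PacmanSdkConstants.READ_ACP_ACCESS)
            || permissionName.equalsIgnoreCase(PacmanSdkConstants.WRITE_ACP_ACCESS)
            || permissionName.equalsIgnoreCase(PacmanSdkConstants.FULL_CONTROL);
}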
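/**
 * Ensures the sink bucket exists (creating it when missing) and that its ACL carries a
 * WRITE or FULL_CONTROL grant, then records the result in {@code validS3Sink}. Once the
 * sink has been validated, later calls only re-log the flag.
 *
 * @throws Exception propagated from the S3 client calls
 */
@Override
public void prepareCommit() throws Exception {
    logger.info("prepareCommit");
    if (!validS3Sink) {
        // check if bucket exist
        // NOTE(review): doesBucketExist() is also true for a bucket that belongs to another
        // account; in that case the ACL read below fails rather than silently reusing it.
        if (!s3Client.doesBucketExist(bucketName)) {
            System.out.println("bucket does not exist.");
            logger.info("Bucket does not Exist");
            s3Client.createBucket(bucketName);
        }
        logger.info("Bucket Exist");
        /*
         * BucketVersioningConfiguration configuration = new
         * BucketVersioningConfiguration( bucketVersionConfig);
         * SetBucketVersioningConfigurationRequest request = new
         * SetBucketVersioningConfigurationRequest( bucketName, configuration);
         * s3Client.setBucketVersioningConfiguration(request);
         */
        AccessControlList acl = s3Client.getBucketAcl(bucketName);
        // NOTE(review): this accepts WRITE/FULL_CONTROL held by *any* grantee, not
        // specifically the calling account — a public WRITE grant would also pass.
        boolean writable = false;
        for (Grant grant : acl.getGrants()) {
            Permission permission = grant.getPermission();
            if (Permission.FullControl.equals(permission) || Permission.Write.equals(permission)) {
                writable = true;
                break;
            }
        }
        if (writable) {
            validS3Sink = true;
        }
    } else {
        validS3Sink = true;
    }
    logger.info("validS3Sink = " + validS3Sink);
    System.out.println("validS3Sink = " + validS3Sink);
}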
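/**
 * Builds an ACL containing a single grant: FULL_CONTROL for the account that owns the
 * client's credentials. Applying it replaces every existing grant on the target.
 *
 * @param s3Client client whose account owner becomes the sole grantee (one S3 call)
 * @return a new ACL holding only the owner's FULL_CONTROL grant
 */
private AccessControlList getAcl(final AmazonS3 s3Client) {
    // Grant the account owner full control.
    Grant ownerFullControl = new Grant(
            new CanonicalGrantee(s3Client.getS3AccountOwner().getId()), Permission.FullControl);
    // Only this one grant is installed; any grants currently on the target are dropped
    // when the returned ACL is applied.
    // NOTE(review): no owner is set on the new ACL — confirm S3 accepts it as-is for
    // the calls this ACL is used with.
    AccessControlList bucketAcl = new AccessControlList();
    bucketAcl.grantAllPermissions(ownerFullControl);
    return bucketAcl;
}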