libvm-ec2-perl 1.28-2build1 / usr / share / perl5 / VM / EC2 / Security / Policy.pm

This file is indexed.

/usr/share/perl5/VM/EC2/Security/Policy.pm is in libvm-ec2-perl 1.28-2build1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below. 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
package VM::EC2::Security::Policy;

=head1 NAME

VM::EC2::Security::Policy -- Simple IAM policy generator for EC2

=head1 SYNOPSIS

 my $policy = VM::EC2::Security::Policy->new;
 $policy->allow('Describe*','CreateVolume','delete_volume');
 $policy->deny('DescribeVolumes');
 print $policy->as_string;

=head1 DESCRIPTION

This is a very simple Identity and Access Management (IAM) policy
statement generator that works sufficiently well to create policies to
control access EC2 resources. It is not fully general across all AWS
services.

=head1 METHODS

This section describes the methods available to
VM::EC2::Security::Policy. You will create a new, empty, policy using
new(), grant access to EC2 actions using allow(), and deny access to
EC2 actions using deny(). When you are done, either call as_string(),
or just use the policy object in a string context, to get a
properly-formatted policy string.


allow() and deny() return the modified object, allowing you to chain
methods. For example:

 my $p = VM::EC2::Security::Policy->new
             ->allow('Describe*')
             ->deny('DescribeImages','DescribeInstances');
 print $p;

=head2 $policy = VM::EC2::Security::Policy->new()

This class method creates a new, empty policy object. The default
policy object denies all access to EC2 resources.

=head2 $policy->allow('action1','action2','action3',...)

Grant access to the listed EC2 actions. You may specify actions using
Amazon's MixedCase notation (e.g. "DescribeInstances"), or using
VM::EC2's more Perlish underscore notation
(e.g. "describe_instances"). You can find the list of actions in
L<VM::EC2>, or in the Amazon API documentation at
http://docs.amazonwebservices.com/AWSEC2/latest/APIReference/OperationList-query.html.

The "*" wildcard allows you to indicate a series of matching
operations. For example, to allow all Describe operations:

 $policy->allow('Describe*')

As described earlier, allow() returns the object, making it easy to
chain methods.

=head2 $policy->deny('action1','action2','action3',...)

Similar to allow(), but in this case denies access to certain
actions. Deny statements take precedence over allow statements.

As described earlier, deny() returns the object, making it easy to
chain methods.

=head2 $string = $policy->as_string

Converts the policy into a JSON string that can be passed to
VM::EC2->get_federation_token(), or other AWS libraries.

=head1 STRING OVERLOADING

When used in a string context, this object will interpolate into the
policy JSON string using as_string().

=head1 SEE ALSO

L<VM::EC2>
L<VM::EC2::Generic>

=head1 AUTHOR

Lincoln Stein E<lt>lincoln.stein@gmail.comE<gt>.

Copyright (c) 2011 Ontario Institute for Cancer Research

This package and its accompanying libraries is free software; you can
redistribute it and/or modify it under the terms of the GPL (either
version 1, or at your option, any later version) or the Artistic
License 2.0.  Refer to LICENSE for the full license text. In addition,
please see DISCLAIMER.txt for disclaimers of warranty.

=cut

use strict;

use JSON;
use VM::EC2;

use Carp 'croak';
use overload
    '""'     => 'as_string',
    fallback => 1;

sub new {
    my $class = shift;
    return bless {
	statements => {},
    },ref $class || $class;
}

sub allow {
    my $self = shift;
    my @actions = @_ ? @_ : '*';
    return $self->_add_statement(-effect=>'allow',
				 -actions=>\@actions);
}
sub deny {
    my $self = shift;
    my @actions = @_ ? @_ : '*';
    return $self->_add_statement(-effect=>'deny',
				 -actions=>\@actions);
}

sub _add_statement {
    my $self = shift;
    my %args = @_;
    my $effect  = $args{-effect} || 'allow';
    my $actions = $args{-action} || $args{-actions} || [];
    $actions    = [$actions] unless ref $actions && ref $actions eq 'ARRAY';
    $effect     =~ /^allow|deny$/i or croak '-effect must be "allow" or "deny"';
    foreach (@$actions) {
	s/^ec2://i;
	$self->{statements}{lc $effect}{ucfirst VM::EC2->uncanonicalize($_)}++ ;
    }
    return $self;
}

sub as_string {
    my $self = shift;
    my $st   = $self->{statements};

    my @list;
    foreach my $effect (sort keys %$st) {
        push @list, {
            Action => [map { "ec2:$_" } keys %{$st->{$effect}}],
            Effect => "\u$effect\E",
            Resource => '*',
        };
    }

    unless (@list) {
        # No statements, so deny all;
        local $self->{statements};
        $self->deny('*');
        return $self->as_string;
    }

    my $json = JSON->new();
    $json->canonical(1);

    return $json->encode({Statement => \@list});
}

1;

APT Browse - Built by Thomas Orozco.