Struct LambdaResourcePolicyProvider 

pub struct LambdaResourcePolicyProvider { /* private fields */ }

Concrete ResourcePolicyProvider backed by the in-memory crate::state::LambdaState. Server bootstrap clone-shares it via fakecloud_core::auth::MultiResourcePolicyProvider alongside the S3 and SNS providers.

Implementations

impl LambdaResourcePolicyProvider

pub fn new(state: SharedLambdaState) -> Self

pub fn shared(state: SharedLambdaState) -> Arc<dyn ResourcePolicyProvider>

Convenience constructor returning an Arc<dyn ResourcePolicyProvider> so bootstrap can push it directly into a MultiResourcePolicyProvider.

Trait Implementations

impl ResourcePolicyProvider for LambdaResourcePolicyProvider

fn resource_policy(&self, service: &str, resource_arn: &str) -> Option<String>

Fetch the resource-based policy document attached to resource_arn on service. Both arguments are lowercase-ish ("s3", "arn:aws:s3:::my-bucket"); implementations should match the service prefix they own and return None for anything else so providers can be composed safely.

fn resource_owner_account( &self, _service: &str, _resource_arn: &str, ) -> Option<String>

Resolve the 12-digit account that owns resource_arn on service, when the ARN itself does not carry it. S3 ARNs have an empty account field (arn:aws:s3:::bucket), so without this the dispatcher would fall back to the caller’s account and treat every S3 request as same-account — letting account A reach account B’s bucket without B’s bucket policy granting it (bug-audit 2026-05-28, 5.3). Providers whose ARNs already carry the account (SQS/SNS/Lambda/…) return None and let the dispatcher parse it from the ARN. Default None.