Enum scratchstack_aspen::Resource
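/// A resource in an Aspen policy.
///
/// Resource enums are immutable.
pub enum Resource {
    /// Any resource, written in a policy as the wildcard character `*`.
    ///
    /// This variant matches every candidate ARN, so a statement that uses it
    /// puts no bound on which resources it applies to.
    Any,

    /// A resource specified by an ARN.
    Arn(ResourceArn),
}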
A resource in an Aspen policy.
Resource enums are immutable.
Variants§
Any
Any resource. This is specified by the wildcard character `*`.
Arn(ResourceArn)
A resource specified by an ARN.
Implementations§
impl Resource
pub fn is_any(&self) -> bool
If this is Resource::Any, returns true.
pub fn matches(
&self,
context: &Context,
pv: PolicyVersion,
candidate: &Arn
) -> Result<bool, AspenError>
Indicates whether this `Resource` matches the candidate `Arn`, given the request `Context` and using variable substitution rules according to the specified `PolicyVersion`.
Example
// Request context: the IAM user `exampleuser` calling s3:GetObject on an
// object under its own prefix. The session data carries `aws:username`.
let caller = Principal::from(vec![User::from_str("arn:aws:iam::123456789012:user/exampleuser").unwrap().into()]);
let own_object = Arn::from_str("arn:aws:s3:::examplebucket/exampleuser/my-object").unwrap();
let session = SessionData::from([("aws:username", SessionValue::from("exampleuser"))]);
let context = Context::builder()
    .service("s3")
    .api("GetObject")
    .actor(caller)
    .resources(vec![own_object.clone()])
    .session_data(session)
    .build()
    .unwrap();

// An object under a different user's prefix, used as the negative case.
let foreign_object = Arn::from_str("arn:aws:s3:::examplebucket/other-user/object").unwrap();

// `scoped` uses the `${aws:username}` policy variable; the assertions below
// show it covering `exampleuser/...` and rejecting `other-user/...`.
// `wildcard` is `Resource::Any` and accepts both.
let scoped = Resource::Arn(ResourceArn::new("aws", "s3", "", "", "examplebucket/${aws:username}/*"));
let wildcard = Resource::Any;

// NOTE: `matches` returns a `Result`; the example unwraps for brevity. Code
// making an authorization decision should handle `Err` explicitly and never
// count it as a match.
assert!(scoped.matches(&context, PolicyVersion::V2012_10_17, &own_object).unwrap());
assert!(wildcard.matches(&context, PolicyVersion::V2012_10_17, &own_object).unwrap());

// Only the variable-scoped resource keeps the caller out of another user's
// prefix; the wildcard provides no per-user isolation.
assert!(!scoped.matches(&context, PolicyVersion::V2012_10_17, &foreign_object).unwrap());
assert!(wildcard.matches(&context, PolicyVersion::V2012_10_17, &foreign_object).unwrap());