u-sdk 0.6.3

Some useful SDKs
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303

//! 权限策略语言
//!
//! [官方文档](https://help.aliyun.com/zh/ram/policy-language/)

use bon::Builder;
use serde::Serialize;
use serde_json;
use std::collections::HashMap;

/// Version 目前只有 "1"
#[derive(Debug, Default, Clone, Serialize, PartialEq, Eq)]
pub enum PolicyVersion {
    #[serde(rename = "1")]
    #[default]
    V1,
}

/// Effect = "Allow" | "Deny"
#[derive(Debug, Clone, Serialize, PartialEq, Eq)]
pub enum Effect {
    Allow,
    Deny,
}

/// JSON 中“可以是单值或数组”的通用包装:
/// 比如 Action 可以是 "ecs:*" 或 ["ecs:*", "oss:*"]
#[derive(Debug, Clone, Serialize, PartialEq, Eq)]
#[serde(untagged)]
pub enum OneOrMany<T> {
    One(T),
    Many(Vec<T>),
}

impl<T> From<T> for OneOrMany<T> {
    fn from(value: T) -> Self {
        OneOrMany::One(value)
    }
}

impl<T> From<Vec<T>> for OneOrMany<T> {
    fn from(values: Vec<T>) -> Self {
        OneOrMany::Many(values)
    }
}

// Policy / Statement
/// 条件值:文档要求 Number/Boolean/Date/IP 都用字符串包起来
///(例如 `"10"`、`"true"`、`"2019-08-12T17:00:00+08:00"`)
/// 用新类型方便做 From<bool/number> 等转换。
#[derive(Debug, Clone, Serialize, PartialEq, Eq, Hash)]
#[serde(transparent)]
pub struct ConditionValue(pub String);

impl From<String> for ConditionValue {
    fn from(s: String) -> Self {
        ConditionValue(s)
    }
}

impl From<&str> for ConditionValue {
    fn from(s: &str) -> Self {
        ConditionValue(s.to_owned())
    }
}

impl From<bool> for ConditionValue {
    fn from(b: bool) -> Self {
        ConditionValue(if b { "true".into() } else { "false".into() })
    }
}

impl From<i64> for ConditionValue {
    fn from(n: i64) -> Self {
        ConditionValue(n.to_string())
    }
}

impl From<u64> for ConditionValue {
    fn from(n: u64) -> Self {
        ConditionValue(n.to_string())
    }
}
/// Condition 相关别名,对应:
/// <condition_map> = { <condition_type_string> : { <condition_key_string> : <condition_value_list>, ... }, ... }
pub type ConditionOperator = String; // 比如 "StringEquals" / "IpAddress"
pub type ConditionKey = String; // 比如 "acs:SourceIp"
pub type ConditionMap =
    HashMap<ConditionOperator, HashMap<ConditionKey, OneOrMany<ConditionValue>>>;

/// 条件块 Condition Block
#[derive(Debug, Clone, Serialize, PartialEq, Eq)]
#[serde(transparent)]
pub struct ConditionBlock(pub ConditionMap);

impl ConditionBlock {
    pub fn new() -> Self {
        ConditionBlock(HashMap::new())
    }

    /// 通用插入方式:
    /// op: "StringEquals" / "IpAddress" / ...
    /// key: 条件键,例如 "acs:SourceIp"
    /// values: 单值或多值
    pub fn insert(
        &mut self,
        op: impl Into<String>,
        key: impl Into<String>,
        values: impl Into<OneOrMany<ConditionValue>>,
    ) {
        let op = op.into();
        let key = key.into();
        let entry = self.0.entry(op).or_default();
        entry.insert(key, values.into());
    }
}

impl Default for ConditionBlock {
    fn default() -> Self {
        Self::new()
    }
}

/// Condition 运算符名字常量(避免魔法字符串)
pub mod condition_ops {
    // String
    pub const STRING_EQUALS: &str = "StringEquals";
    pub const STRING_NOT_EQUALS: &str = "StringNotEquals";
    pub const STRING_EQUALS_IGNORE_CASE: &str = "StringEqualsIgnoreCase";
    pub const STRING_NOT_EQUALS_IGNORE_CASE: &str = "StringNotEqualsIgnoreCase";
    pub const STRING_LIKE: &str = "StringLike";
    pub const STRING_NOT_LIKE: &str = "StringNotLike";

    // Number
    pub const NUMERIC_EQUALS: &str = "NumericEquals";
    pub const NUMERIC_NOT_EQUALS: &str = "NumericNotEquals";
    pub const NUMERIC_LESS_THAN: &str = "NumericLessThan";
    pub const NUMERIC_LESS_THAN_EQUALS: &str = "NumericLessThanEquals";
    pub const NUMERIC_GREATER_THAN: &str = "NumericGreaterThan";
    pub const NUMERIC_GREATER_THAN_EQUALS: &str = "NumericGreaterThanEquals";

    // Date and time
    pub const DATE_EQUALS: &str = "DateEquals";
    pub const DATE_NOT_EQUALS: &str = "DateNotEquals";
    pub const DATE_LESS_THAN: &str = "DateLessThan";
    pub const DATE_LESS_THAN_EQUALS: &str = "DateLessThanEquals";
    pub const DATE_GREATER_THAN: &str = "DateGreaterThan";
    pub const DATE_GREATER_THAN_EQUALS: &str = "DateGreaterThanEquals";

    // Boolean
    pub const BOOL: &str = "Bool";

    // IP address
    pub const IP_ADDRESS: &str = "IpAddress";
    pub const NOT_IP_ADDRESS: &str = "NotIpAddress";
    pub const IP_ADDRESS_INCLUDE_BORDER: &str = "IpAddressIncludeBorder";
    pub const NOT_IP_ADDRESS_INCLUDE_BORDER: &str = "NotIpAddressIncludeBorder";
}

/// 单条授权语句 Statement,
/// 对应语法:
/// ```txt
/// <statement> = {
///   <effect_block>,
///   <action_block>,
///   <resource_block>,
///   <condition_block?>
/// }
/// ```
#[serde_with::skip_serializing_none]
#[derive(Debug, Clone, Serialize, PartialEq, Eq)]
#[serde(rename_all = "PascalCase")]
pub struct Statement {
    pub effect: Effect,
    /// Action / NotAction 二选一(语义层面),用 validate() 做约束。
    pub action: Option<OneOrMany<String>>,
    pub not_action: Option<OneOrMany<String>>,
    pub resource: OneOrMany<String>,
    pub condition: Option<ConditionBlock>,
}

/// 整个 Policy
///
/// ```txt
/// policy = {
///   "Version": "1",
///   "Statement": [ <statement>, ... ]
/// }
/// ```
#[derive(Builder, Debug, Clone, Serialize, PartialEq, Eq)]
#[serde(rename_all = "PascalCase")]
pub struct Policy {
    #[builder(field)]
    pub statement: Vec<Statement>,
    #[builder(default)]
    pub version: PolicyVersion,
}

// 校验 Action / NotAction 约束
/// Policy 结构校验错误,只关注语法约束(Action/NotAction)
#[derive(thiserror::Error, Debug)]
pub enum PolicyValidationError {
    /// 既没有 Action 也没有 NotAction
    #[error("statement must contain either Action or NotAction")]
    MissingActionAndNotAction,
    /// 同时包含 Action 与 NotAction
    #[error("statement cannot contain both Action and NotAction")]
    BothActionAndNotActionPresent,
}

impl Statement {
    /// 校验当前语句是否满足文档要求:
    /// - Action / NotAction 必须二选一
    fn validate(&self) -> Result<(), PolicyValidationError> {
        match (&self.action, &self.not_action) {
            (None, None) => Err(PolicyValidationError::MissingActionAndNotAction),
            (Some(_), Some(_)) => Err(PolicyValidationError::BothActionAndNotActionPresent),
            _ => Ok(()),
        }
    }
}

impl<S: policy_builder::State> PolicyBuilder<S> {
    pub fn statement(mut self, stmt: Statement) -> Result<Self, PolicyValidationError> {
        stmt.validate()?;
        self.statement.push(stmt);
        Ok(self)
    }

    pub fn statements(
        mut self,
        stmts: impl IntoIterator<Item = Statement>,
    ) -> Result<Self, PolicyValidationError> {
        for stmt in stmts.into_iter() {
            stmt.validate()?;
            self.statement.push(stmt);
        }
        Ok(self)
    }
}

impl Policy {
    pub fn to_json_string(&self) -> Result<String, serde_json::Error> {
        serde_json::to_string(self)
    }

    pub fn to_json_string_pretty(&self) -> Result<String, serde_json::Error> {
        serde_json::to_string_pretty(self)
    }
}

#[test]
fn build_policy_test() {
    // Condition
    let mut cond = ConditionBlock::new();
    cond.insert(
        condition_ops::STRING_EQUALS,
        "acs:ResourceTag/team",
        ConditionValue::from("dev"),
    );
    // Statement
    let stmt = Statement {
        effect: Effect::Allow,
        action: Some(OneOrMany::One("ecs:*".to_string())),
        not_action: None,
        resource: OneOrMany::One("*".to_string()),
        condition: Some(cond),
    };
    // Policy
    let policy = Policy::builder().statement(stmt).unwrap().build();
    println!("policy json:\n{}", policy.to_json_string_pretty().unwrap());

    let mut cond = ConditionBlock::new();
    cond.insert(
        condition_ops::NUMERIC_LESS_THAN_EQUALS,
        "kms:RecoveryWindowInDays",
        ConditionValue::from(10_i64),
    );
    let stmt = Statement {
        effect: Effect::Deny,
        action: Some(OneOrMany::One("kms:DeleteSecret".to_string())),
        not_action: None,
        resource: OneOrMany::One("*".to_string()),
        condition: Some(cond),
    };
    let policy = Policy::builder().statement(stmt).unwrap().build();
    println!("policy json:\n{}", policy.to_json_string_pretty().unwrap());

    let mut cond = ConditionBlock::new();
    cond.insert(
        condition_ops::DATE_LESS_THAN,
        "acs:CurrentTime",
        ConditionValue::from("2019-08-12T17:00:00+08:00"),
    );
    let stmt = Statement {
        effect: Effect::Deny,
        action: Some(OneOrMany::One("oss:DeleteObject".to_string())),
        not_action: None,
        resource: OneOrMany::One("acs:oss:*:*:mybucket/myobject".to_string()),
        condition: Some(cond),
    };
    let s = Policy::builder().statement(stmt).unwrap().build();
    println!("policy json:\n{}", s.to_json_string_pretty().unwrap());
}