pub struct EventBridgeResourcePolicyProvider { /* private fields */ }
Concrete ResourcePolicyProvider backed by the in-memory
EventBridge state. Server bootstrap clone-shares it via
fakecloud_core::auth::MultiResourcePolicyProvider.
Implementations
impl EventBridgeResourcePolicyProvider
pub fn new(state: SharedEventBridgeState) -> Self
Trait Implementations
impl ResourcePolicyProvider for EventBridgeResourcePolicyProvider
fn resource_policy(&self, service: &str, resource_arn: &str) -> Option<String>
Fetch the resource-based policy document attached to
resource_arn on service. Both arguments are lowercase-ish
("s3", "arn:aws:s3:::my-bucket"); implementations should
match the service prefix they own and return None for
anything else so providers can be composed safely.
fn resource_owner_account(&self, _service: &str, _resource_arn: &str) -> Option<String>
Resolve the 12-digit account that owns resource_arn on service,
when the ARN itself does not carry it. S3 ARNs have an empty account
field (arn:aws:s3:::bucket), so without this the dispatcher would
fall back to the caller’s account and treat every S3 request as
same-account, letting account A reach account B’s bucket without B’s
bucket policy granting it (bug-audit 2026-05-28, 5.3). Providers whose
ARNs already carry the account (SQS/SNS/Lambda/…) return None and let
the dispatcher parse it from the ARN. The default implementation returns None.
fn public_acl_allows(&self, _service: &str, _resource_arn: &str, _action: &str) -> bool
Whether a public-read ACL on resource_arn grants action to
an anonymous (unsigned) caller. Distinct from a bucket policy: S3
ACLs are a separate grant surface, so an object/bucket with an
AllUsers group grant is publicly readable even without a bucket
policy. action is the bare AWS action name ("GetObject",
"ListBucket", …).
Auto Trait Implementations
impl !RefUnwindSafe for EventBridgeResourcePolicyProvider
impl !UnwindSafe for EventBridgeResourcePolicyProvider
impl Freeze for EventBridgeResourcePolicyProvider
impl Send for EventBridgeResourcePolicyProvider
impl Sync for EventBridgeResourcePolicyProvider
impl Unpin for EventBridgeResourcePolicyProvider
impl UnsafeUnpin for EventBridgeResourcePolicyProvider
Blanket Implementations
impl<T> BorrowMut<T> for T where T: ?Sized
fn borrow_mut(&mut self) -> &mut T
Mutably borrows from an owned value.
impl<T> ErasedDestructor for T where T: 'static
impl<T> Instrument for T
fn instrument(self, span: Span) -> Instrumented<Self>
fn in_current_span(self) -> Instrumented<Self>
impl<T> IntoEither for T
fn into_either(self, into_left: bool) -> Either<Self, Self>
Converts self into a Left variant of Either<Self, Self>
if into_left is true.
Converts self into a Right variant of Either<Self, Self>
otherwise.
fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
Converts self into a Left variant of Either<Self, Self>
if into_left(&self) returns true.
Converts self into a Right variant of Either<Self, Self>
otherwise.
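The provider composition and owner-account resolution described for resource_policy and resource_owner_account above, as an added Rust sketch that is not fakecloud's own code. The trait, the three structs, and the sample ARNs and account ids are hypothetical stand-ins.

```rust
use std::collections::HashMap;
// Hypothetical stand-in for the trait documented above (not fakecloud's source).
trait PolicyProvider {
    fn resource_policy(&self, service: &str, arn: &str) -> Option<String>;
    fn resource_owner_account(&self, _service: &str, _arn: &str) -> Option<String> { None }
}

// Owns "events"; its ARNs carry the account, so the owner default (None) is kept.
struct EventsProvider(HashMap<String, String>); // ARN -> policy JSON
impl PolicyProvider for EventsProvider {
    fn resource_policy(&self, service: &str, arn: &str) -> Option<String> {
        if service == "events" { self.0.get(arn).cloned() } else { None }
    }
}

// Owns "s3"; bucket ARNs have an empty account field, so the owner is looked up.
struct S3Provider(HashMap<String, String>); // ARN -> owner account
impl PolicyProvider for S3Provider {
    fn resource_policy(&self, _service: &str, _arn: &str) -> Option<String> { None }
    fn resource_owner_account(&self, service: &str, arn: &str) -> Option<String> {
        if service == "s3" { self.0.get(arn).cloned() } else { None }
    }
}

// Composition: the first provider that answers wins.
struct Multi(Vec<Box<dyn PolicyProvider>>);
impl Multi {
    fn policy(&self, service: &str, arn: &str) -> Option<String> {
        self.0.iter().find_map(|p| p.resource_policy(service, arn))
    }
    // Provider answer first, then a 12-character ARN account field; never the caller.
    fn owner(&self, service: &str, arn: &str) -> Option<String> {
        let from_arn = || arn.split(':').nth(4).filter(|a| a.len() == 12).map(String::from);
        self.0.iter().find_map(|p| p.resource_owner_account(service, arn)).or_else(from_arn)
    }
    // An unresolved owner counts as cross-account, so a resource policy must grant access.
    fn is_cross_account(&self, caller: &str, service: &str, arn: &str) -> bool {
        self.owner(service, arn).as_deref() != Some(caller)
    }
}

// Constructed sample data: the account ids, bus and bucket names are made up.
fn sample() -> Multi {
    let bus = "arn:aws:events:us-east-1:111111111111:event-bus/default".to_string();
    let events = EventsProvider(HashMap::from([(bus, r#"{"Statement":[]}"#.to_string())]));
    let s3 = S3Provider(HashMap::from([("arn:aws:s3:::bucket-b".to_string(), "222222222222".to_string())]));
    Multi(vec![Box::new(events), Box::new(s3)])
}
fn main() { println!("{}", sample().is_cross_account("111111111111", "s3", "arn:aws:s3:::bucket-b")); }
```

A bucket with no recorded owner resolves to None and is therefore treated as cross-account, which is the fail-closed counterpart of the caller-account fallback described above.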