scratchstack_aspen/principal/
mod.rs

1mod aws;
2mod specified;
3
4pub use {
5    aws::AwsPrincipal,
6    specified::{SpecifiedPrincipal, SpecifiedPrincipalBuilder, SpecifiedPrincipalBuilderError},
7};
8
9use {
10    crate::display_json,
11    log::debug,
12    scratchstack_aws_principal::Principal as PrincipalActor,
13    serde::{
14        de::{self, value::MapAccessDeserializer, Deserializer, MapAccess, Unexpected, Visitor},
15        ser::Serializer,
16        Deserialize, Serialize,
17    },
18    std::fmt::{Formatter, Result as FmtResult},
19};
20
21/// A principal statement in an Aspen policy.
22///
23/// Principal enums are immutable.
24#[derive(Clone, Debug, Eq, PartialEq)]
25pub enum Principal {
26    /// Any principal (wildcard: `*`)
27    Any,
28
29    /// A set of principals specified by a source and a list of identifiers for that source.
30    Specified(SpecifiedPrincipal),
31}
32
33impl Principal {
34    /// Indicates whether this [Principal] is [Principal::Any].
35    #[inline]
36    pub fn is_any(&self) -> bool {
37        matches!(self, Principal::Any)
38    }
39
40    /// If this [Principal] is [Principal::Specified], returns the [SpecifiedPrincipal]. Otherwise returns `None`.
41    #[inline]
42    pub fn specified(&self) -> Option<&SpecifiedPrincipal> {
43        match self {
44            Principal::Any => None,
45            Principal::Specified(sp) => Some(sp),
46        }
47    }
48
49    /// Indicates whether this [Principal] matches an identity from the [PrincipalActor].
50    pub fn matches(&self, actor: &PrincipalActor) -> bool {
51        match self {
52            Self::Any => true,
53            Self::Specified(specified_principal) => specified_principal.matches(actor),
54        }
55    }
56}
57
58impl From<SpecifiedPrincipal> for Principal {
59    fn from(sp: SpecifiedPrincipal) -> Self {
60        Self::Specified(sp)
61    }
62}
63
64struct PrincipalVisitor {}
65
66impl<'de> Visitor<'de> for PrincipalVisitor {
67    type Value = Principal;
68
69    fn expecting(&self, f: &mut Formatter) -> FmtResult {
70        write!(f, "map of principal types to values or \"*\"")
71    }
72
73    fn visit_str<E>(self, v: &str) -> Result<Self::Value, E>
74    where
75        E: de::Error,
76    {
77        if v == "*" {
78            Ok(Principal::Any)
79        } else {
80            return Err(E::invalid_value(Unexpected::Str(v), &self));
81        }
82    }
83
84    fn visit_map<A>(self, access: A) -> Result<Self::Value, A::Error>
85    where
86        A: MapAccess<'de>,
87    {
88        let deserializer = MapAccessDeserializer::new(access);
89        match SpecifiedPrincipal::deserialize(deserializer) {
90            Ok(pm) => Ok(Principal::Specified(pm)),
91            Err(e) => {
92                debug!("Failed to deserialize statement: {:?}", e);
93                Err(e)
94            }
95        }
96    }
97}
98
99impl<'de> Deserialize<'de> for Principal {
100    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
101    where
102        D: Deserializer<'de>,
103    {
104        deserializer.deserialize_any(PrincipalVisitor {})
105    }
106}
107
108impl Serialize for Principal {
109    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
110    where
111        S: Serializer,
112    {
113        match self {
114            Self::Any => serializer.serialize_str("*"),
115            Self::Specified(specified) => specified.serialize(serializer),
116        }
117    }
118}
119
120display_json!(Principal);
121
122#[cfg(test)]
123mod tests {
124    use {
125        crate::{AwsPrincipal, Principal, SpecifiedPrincipal},
126        indoc::indoc,
127        pretty_assertions::assert_eq,
128        std::str::FromStr,
129    };
130
131    #[test_log::test]
132    fn test_any() {
133        assert!(Principal::Any.is_any());
134        assert!(Principal::Any.specified().is_none());
135    }
136
137    #[test_log::test]
138    fn test_formatting() {
139        let aws_principal = vec![
140            AwsPrincipal::from_str("123456789012").unwrap(),
141            AwsPrincipal::from_str("arn:aws:iam::123456789012:role/test").unwrap(),
142        ];
143        let p1 = Principal::Any;
144        let p2 = Principal::Specified(SpecifiedPrincipal::builder().aws(aws_principal).build().unwrap());
145
146        assert_eq!(format!("{p1}"), r#""*""#);
147        assert_eq!(
148            format!("{p2}"),
149            indoc! { r#"
150            {
151                "AWS": [
152                    "123456789012",
153                    "arn:aws:iam::123456789012:role/test"
154                ]
155            }"#}
156        )
157    }
158}