Struct ResourceArn

pub struct ResourceArn { /* private fields */ }

An Amazon Resource Name (ARN) statement in an IAM Aspen policy.

This is used to match scratchstack_arn::Arn objects from a resource statement in the IAM Aspen policy language. For example, an ResourceArn created from arn:aws*:ec2:us-*-?:123456789012:instance/i-* would match the following Arn objects:

• arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0
• arn:aws-us-gov:ec2:us-west-2:123456789012:instance/i-1234567890abcdef0

Patterns are similar to glob statements with a few differences:

• The * character matches any number of characters, including none, within a single segment of the ARN.
• The ? character matches any single character within a single segment of the ARN.

ResourceArn objects are immutable.

Implementations

impl ResourceArn

pub fn new( partition: &str, service: &str, region: &str, account_id: &str, resource: &str, ) -> Self

Create a new ARN pattern from the specified components.

• partition - The partition the resource is in.
• service - The service the resource belongs to.
• region - The region the resource is in.
• account_id - The account ID the resource belongs to.
• resource - The resource name.

pub fn partition_pattern(&self) -> &str

Retrieve the partition string pattern.

pub fn service_pattern(&self) -> &str

Retrieve the service string pattern.

pub fn region_pattern(&self) -> &str

Retrieve the region string pattern.

pub fn account_id_pattern(&self) -> &str

Retrieve the account ID string pattern.

pub fn resource_pattern(&self) -> &str

Retrieve the resource name string pattern.

pub fn matches( &self, context: &Context, pv: PolicyVersion, candidate: &Arn, ) -> Result<bool, AspenError>

Indicates whether this ResourceArn matches the candidate Arn, given the request Context ad using variable substitution rules according to the specified PolicyVersion.

Example

let actor = Principal::from(vec![User::from_str("arn:aws:iam::123456789012:user/exampleuser").unwrap().into()]);
let s3_object_arn = Arn::from_str("arn:aws:s3:::examplebucket/exampleuser/my-object").unwrap();
let resources = vec![s3_object_arn.clone()];
let session_data = SessionData::from([("aws:username", SessionValue::from("exampleuser"))]);
let context = Context::builder()
    .service("s3").api("GetObject").actor(actor).resources(resources)
    .session_data(session_data).build().unwrap();
let resource_arn = ResourceArn::new("aws", "s3", "", "", "examplebucket/${aws:username}/*");
assert!(resource_arn.matches(&context, PolicyVersion::V2012_10_17, &s3_object_arn).unwrap());

let bad_s3_object_arn = Arn::from_str("arn:aws:s3:::examplebucket/other-user/object").unwrap();
assert!(!resource_arn.matches(&context, PolicyVersion::V2012_10_17, &bad_s3_object_arn).unwrap());

Trait Implementations

impl Clone for ResourceArn

fn clone(&self) -> ResourceArn

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for ResourceArn

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Display for ResourceArn

fn fmt(&self, f: &mut Formatter<'_>) -> FmtResult

Formats the value using the given formatter.

impl FromStr for ResourceArn

fn from_str(s: &str) -> Result<Self, Self::Err>

Create an ResourceArn from a string.

type Err = AspenError

The associated error which can be returned from parsing.

impl Hash for ResourceArn

fn hash<__H: Hasher>(&self, state: &mut __H)

Feeds this value into the given Hasher.

fn hash_slice<H>(data: &[Self], state: &mut H)

where H: Hasher, Self: Sized,

Feeds a slice of this type into the given Hasher.

impl PartialEq for ResourceArn

fn eq(&self, other: &ResourceArn) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Eq for ResourceArn

impl StructuralPartialEq for ResourceArn