Struct scratchstack_aspen::ResourceArn
pub struct ResourceArn { /* private fields */ }
An Amazon Resource Name (ARN) statement in an IAM Aspen policy.
This is used to match scratchstack_arn::Arn objects against a resource statement in the IAM Aspen policy language. For example, a ResourceArn created from arn:aws*:ec2:us-*-?:123456789012:instance/i-* would match the following Arn objects:
arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0
arn:aws-us-gov:ec2:us-west-2:123456789012:instance/i-1234567890abcdef0
Patterns are similar to glob statements with a few differences:
- The * character matches any number of characters, including none, within a single segment of the ARN.
- The ? character matches any single character within a single segment of the ARN.
ResourceArn objects are immutable.
Implementations

impl ResourceArn

pub fn new(
    partition: &str,
    service: &str,
    region: &str,
    account_id: &str,
    resource: &str
) -> Self

Create a new ARN pattern from the specified components. Each component is itself a pattern and may use the * and ? wildcards described above; components that are empty in the target service's ARNs (for example the region and account ID of an S3 object ARN) are passed as "".

- partition: the partition the resource is in.
- service: the service the resource belongs to.
- region: the region the resource is in.
- account_id: the account ID the resource belongs to.
- resource: the resource name.
pub fn partition_pattern(&self) -> &str
Retrieve the partition string pattern.

pub fn service_pattern(&self) -> &str
Retrieve the service string pattern.

pub fn region_pattern(&self) -> &str
Retrieve the region string pattern.

pub fn account_id_pattern(&self) -> &str
Retrieve the account ID string pattern.

pub fn resource_pattern(&self) -> &str
Retrieve the resource name string pattern.
pub fn matches(
    &self,
    context: &Context,
    pv: PolicyVersion,
    candidate: &Arn
) -> Result<bool, AspenError>

Indicates whether this ResourceArn matches the candidate Arn, given the request Context and using the variable substitution rules of the specified PolicyVersion.
Example

```rust
use std::str::FromStr;

use scratchstack_arn::Arn;
use scratchstack_aspen::{Context, PolicyVersion, ResourceArn, SessionData, SessionValue};
// Import paths are assumed from the crate names; Principal and User live in scratchstack-aws-principal.
use scratchstack_aws_principal::{Principal, User};

// The acting principal and the S3 object it is requesting.
let actor = Principal::from(vec![User::from_str("arn:aws:iam::123456789012:user/exampleuser").unwrap().into()]);
let s3_object_arn = Arn::from_str("arn:aws:s3:::examplebucket/exampleuser/my-object").unwrap();
let resources = vec![s3_object_arn.clone()];

// Session data supplies the value substituted for ${aws:username} during matching.
let session_data = SessionData::from([("aws:username", SessionValue::from("exampleuser"))]);
let context = Context::builder()
    .service("s3").api("GetObject").actor(actor).resources(resources)
    .session_data(session_data).build().unwrap();

// Pattern scoped to the caller's own prefix; region and account ID are empty for S3 ARNs.
let resource_arn = ResourceArn::new("aws", "s3", "", "", "examplebucket/${aws:username}/*");
assert!(resource_arn.matches(&context, PolicyVersion::V2012_10_17, &s3_object_arn).unwrap());

// An object under another user's prefix does not match after substitution.
let bad_s3_object_arn = Arn::from_str("arn:aws:s3:::examplebucket/other-user/object").unwrap();
assert!(!resource_arn.matches(&context, PolicyVersion::V2012_10_17, &bad_s3_object_arn).unwrap());
```
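To make the wildcard rules above and the variable substitution performed by matches concrete, here is an added, standalone Rust sketch of ARN pattern matching. It is not the scratchstack_aspen implementation and does not use the crate; the functions glob_segment, substitute_vars, split_arn and arn_matches, and the plain HashMap standing in for session data, are illustrative. It splits both pattern and candidate into the five colon-delimited ARN fields so that * and ? never cross a field boundary, resolves ${...} variables from the session map before matching, and treats an unresolvable variable as "no match" rather than matching the literal text ${...}.

```rust
use std::collections::HashMap;

/// Match one ARN field against one pattern field: `*` matches any run of
/// characters (including none), `?` exactly one character. Because the caller
/// has already split on ':', neither wildcard can cross a field boundary.
fn glob_segment(pattern: &str, text: &str) -> bool {
    let p: Vec<char> = pattern.chars().collect();
    let t: Vec<char> = text.chars().collect();
    let (mut pi, mut ti) = (0, 0);
    // Pattern index just after the most recent '*' and the text index it
    // started at, so a later mismatch can retry with '*' absorbing one more char.
    let mut star: Option<(usize, usize)> = None;
    while ti < t.len() {
        if pi < p.len() && (p[pi] == '?' || p[pi] == t[ti]) {
            pi += 1;
            ti += 1;
        } else if pi < p.len() && p[pi] == '*' {
            star = Some((pi + 1, ti));
            pi += 1;
        } else if let Some((sp, st)) = star {
            pi = sp;
            ti = st + 1;
            star = Some((sp, ti));
        } else {
            return false;
        }
    }
    // Any remaining pattern characters must all be '*', which may match nothing.
    p[pi..].iter().all(|&c| c == '*')
}

/// Resolve `${key}` policy variables from the request's session data (here a
/// constructed HashMap). Returns None if any variable is missing or a `${` is
/// unterminated, so the statement cannot match at all.
fn substitute_vars(pattern: &str, session: &HashMap<&str, &str>) -> Option<String> {
    let mut out = String::new();
    let mut rest = pattern;
    while let Some(start) = rest.find("${") {
        out.push_str(&rest[..start]);
        let after = &rest[start + 2..];
        let end = after.find('}')?;
        out.push_str(session.get(&after[..end])?);
        rest = &after[end + 1..];
    }
    out.push_str(rest);
    Some(out)
}

/// Split `arn:partition:service:region:account-id:resource` into its five
/// fields. The resource field may itself contain ':', so split at most six
/// times and keep the remainder whole.
fn split_arn(arn: &str) -> Option<[&str; 5]> {
    let mut it = arn.splitn(6, ':');
    if it.next()? != "arn" {
        return None;
    }
    Some([it.next()?, it.next()?, it.next()?, it.next()?, it.next()?])
}

/// Does `pattern` (a resource ARN pattern, possibly containing policy
/// variables) match the concrete `candidate` ARN under `session`?
fn arn_matches(pattern: &str, session: &HashMap<&str, &str>, candidate: &str) -> bool {
    let resolved = match substitute_vars(pattern, session) {
        Some(r) => r,
        None => return false,
    };
    match (split_arn(&resolved), split_arn(candidate)) {
        (Some(p), Some(c)) => p.iter().zip(c.iter()).all(|(ps, cs)| glob_segment(ps, cs)),
        _ => false,
    }
}

fn main() {
    // Constructed session data mirroring the example above.
    let session = HashMap::from([("aws:username", "exampleuser")]);
    let pattern = "arn:aws:s3:::examplebucket/${aws:username}/*";
    for arn in [
        "arn:aws:s3:::examplebucket/exampleuser/my-object",
        "arn:aws:s3:::examplebucket/other-user/object",
        "arn:aws:s3:::examplebucket/exampleuser-other/object",
    ] {
        println!("{arn}: {}", arn_matches(pattern, &session, arn));
    }
}
```

Note the third case in main: a prefix such as exampleuser-other is rejected because the character after the substituted username must be the literal "/" from the pattern, which is the property that keeps one user's pattern from leaking into a neighbouring prefix.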
Trait Implementations

impl Clone for ResourceArn
    fn clone(&self) -> ResourceArn
    fn clone_from(&mut self, source: &Self)

impl Debug for ResourceArn

impl Display for ResourceArn

impl FromStr for ResourceArn
    type Err = AspenError

impl Hash for ResourceArn

impl PartialEq<ResourceArn> for ResourceArn
    fn eq(&self, other: &ResourceArn) -> bool
    Tests whether self and other are equal; used by ==.