
aws-cdk-lib


Version 2 of the AWS Cloud Development Kit library

"use strict";

// Compiled CommonJS module that exports `BucketGrants`: a helper that turns
// "give this principal access to this bucket" calls into IAM grants on the
// principal and/or the bucket's resource policy, plus matching grants on the
// bucket's encryption key when the bucket is an encrypted resource.

Object.defineProperty(exports, "__esModule", { value: true });
exports.BucketGrants = void 0;

// Lazy module loaders: each one performs the `require` on first use and then
// replaces itself with a function returning the cached module.
let jsiiDeprecationWarnings = () => {
  const loaded = require("../../.warnings.jsii.js");
  jsiiDeprecationWarnings = () => loaded;
  return loaded;
};

const JSII_RTTI_SYMBOL_1 = Symbol.for("jsii.rtti");

let perms = () => {
  const loaded = require("./perms");
  perms = () => loaded;
  return loaded;
};

let aws_iam_1 = () => {
  const loaded = require("../../aws-iam");
  aws_iam_1 = () => loaded;
  return loaded;
};

let iam = () => {
  const loaded = require("../../aws-iam/lib/grant");
  iam = () => loaded;
  return loaded;
};

let core_1 = () => {
  const loaded = require("../../core");
  core_1 = () => loaded;
  return loaded;
};

let cxapi = () => {
  const loaded = require("../../cx-api/index");
  cxapi = () => loaded;
  return loaded;
};

/**
 * Collection of grant methods for a single S3 bucket.
 *
 * Every public method funnels into `grant()`, which adds the requested S3
 * actions either to the grantee's policy or (when the bucket exposes a
 * resource policy) to principal-or-resource, and then asks the encrypted
 * resource, if any, to grant the matching key actions.
 *
 * Review notes for consumers:
 * - Every object-level method defaults its key pattern to "*", i.e. all
 *   objects in the bucket. Pass a narrower pattern to scope the grant.
 * - Action lists supplied by the caller (`write`, `publicAccess`) are used
 *   as given; this class does not validate or restrict them.
 */
class BucketGrants {
  bucket;
  encryptedResource;
  policyResource;

  static [JSII_RTTI_SYMBOL_1] = {
    fqn: "aws-cdk-lib.aws_s3.BucketGrants",
    version: "2.233.0",
  };

  /**
   * Builds a BucketGrants for `bucket`, detecting its optional capabilities.
   *
   * @param bucket bucket reference to grant on
   * @returns a BucketGrants whose `encryptedResource` / `policyResource` are
   *   the bucket itself when the corresponding `GrantableResources` check
   *   passes, and `undefined` otherwise
   */
  static fromBucket(bucket) {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_interfaces_aws_s3_IBucketRef(bucket);
    } catch (error) {
      // Outside JSII debug mode, start the DeprecationError's stack trace at
      // the caller of this method, then rethrow unchanged.
      if (process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError") {
        Error.captureStackTrace(error, this.fromBucket);
      }
      throw error;
    }
    const encrypted = iam().GrantableResources.isEncryptedResource(bucket)
      ? bucket
      : undefined;
    const withPolicy = iam().GrantableResources.isResourceWithPolicy(bucket)
      ? bucket
      : undefined;
    return new BucketGrants(bucket, encrypted, withPolicy);
  }

  /**
   * @param bucket the bucket the grants apply to
   * @param encryptedResource object offering `grantOnKey`, or undefined
   * @param policyResource object owning a resource policy, or undefined
   */
  constructor(bucket, encryptedResource, policyResource) {
    this.bucket = bucket;
    this.encryptedResource = encryptedResource;
    this.policyResource = policyResource;
  }

  /**
   * Grants the bucket read actions on the bucket ARN and on the objects
   * matching `objectsKeyPattern`, plus the key read actions.
   *
   * @param identity the grantee
   * @param objectsKeyPattern object key pattern; defaults to "*" (all objects)
   * @returns the Grant produced for the S3 actions
   */
  read(identity, objectsKeyPattern = "*") {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(identity);
    } catch (error) {
      if (process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError") {
        Error.captureStackTrace(error, this.read);
      }
      throw error;
    }
    return this.grant(
      identity,
      perms().BUCKET_READ_ACTIONS,
      perms().KEY_READ_ACTIONS,
      this.bucket.bucketRef.bucketArn,
      this.arnForObjects(objectsKeyPattern),
    );
  }

  /**
   * Grants write access on the bucket ARN and on the matching objects, plus
   * the key write actions.
   *
   * A non-empty `allowedActionPatterns` replaces the default write actions
   * entirely; the patterns are passed through without validation, so a
   * wildcard supplied here is granted as written.
   *
   * @param identity the grantee
   * @param objectsKeyPattern object key pattern; defaults to "*" (all objects)
   * @param allowedActionPatterns optional replacement for the default actions
   * @returns the Grant produced for the S3 actions
   */
  write(identity, objectsKeyPattern = "*", allowedActionPatterns = []) {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(identity);
    } catch (error) {
      if (process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError") {
        Error.captureStackTrace(error, this.write);
      }
      throw error;
    }
    let grantedWriteActions;
    if (allowedActionPatterns.length > 0) {
      grantedWriteActions = allowedActionPatterns;
    } else {
      grantedWriteActions = this.writeActions;
    }
    return this.grant(
      identity,
      grantedWriteActions,
      perms().KEY_WRITE_ACTIONS,
      this.bucket.bucketRef.bucketArn,
      this.arnForObjects(objectsKeyPattern),
    );
  }

  /**
   * Grants the bucket delete actions on the matching objects only (no bucket
   * ARN, no key actions).
   *
   * @param grantee the grantee
   * @param objectsKeyPattern object key pattern; defaults to "*" (all objects)
   * @returns the Grant produced for the S3 actions
   */
  delete(grantee, objectsKeyPattern = "*") {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(grantee);
    } catch (error) {
      if (process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError") {
        Error.captureStackTrace(error, this.delete);
      }
      throw error;
    }
    return this.grant(
      grantee,
      perms().BUCKET_DELETE_ACTIONS,
      [],
      this.arnForObjects(objectsKeyPattern),
    );
  }

  /**
   * Grants access to `AnyPrincipal`, i.e. the resulting statement is not
   * limited to a specific identity.
   *
   * Defaults are "s3:GetObject" on every object ("*"). The only guard is the
   * bucket's `disallowPublicAccess` property; the actions and prefix are not
   * otherwise restricted, so callers should keep both as narrow as the use
   * case allows and review any call that passes write or ACL actions.
   *
   * @param keyPrefix object key pattern; defaults to "*" (all objects)
   * @param allowedActions actions to grant; defaults to ["s3:GetObject"]
   * @returns the Grant produced for the S3 actions
   * @throws ValidationError when `this.bucket.disallowPublicAccess` is truthy
   */
  publicAccess(keyPrefix = "*", ...allowedActions) {
    if (this.bucket.disallowPublicAccess) {
      throw new (core_1().ValidationError)(
        "Cannot grant public access when 'blockPublicPolicy' is enabled",
        this.bucket,
      );
    }
    const publicActions =
      allowedActions.length > 0 ? allowedActions : ["s3:GetObject"];
    return this.grant(
      new (aws_iam_1().AnyPrincipal)(),
      publicActions,
      [],
      this.arnForObjects(keyPrefix),
    );
  }

  /**
   * Grants the put actions (see `putActions`) on the matching objects, plus
   * the key write actions.
   *
   * @param identity the grantee
   * @param objectsKeyPattern object key pattern; defaults to "*" (all objects)
   * @returns the Grant produced for the S3 actions
   */
  put(identity, objectsKeyPattern = "*") {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(identity);
    } catch (error) {
      if (process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError") {
        Error.captureStackTrace(error, this.put);
      }
      throw error;
    }
    return this.grant(
      identity,
      this.putActions,
      perms().KEY_WRITE_ACTIONS,
      this.arnForObjects(objectsKeyPattern),
    );
  }

  /**
   * Grants the put-ACL actions on the matching objects (no key actions).
   *
   * @param identity the grantee
   * @param objectsKeyPattern object key pattern; defaults to "*" (all objects)
   * @returns the Grant produced for the S3 actions
   */
  putAcl(identity, objectsKeyPattern = "*") {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(identity);
    } catch (error) {
      if (process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError") {
        Error.captureStackTrace(error, this.putAcl);
      }
      throw error;
    }
    return this.grant(
      identity,
      perms().BUCKET_PUT_ACL_ACTIONS,
      [],
      this.arnForObjects(objectsKeyPattern),
    );
  }

  /**
   * Grants read plus write actions on the bucket ARN and the matching
   * objects, and the de-duplicated union of key read and key write actions.
   *
   * @param identity the grantee
   * @param objectsKeyPattern object key pattern; defaults to "*" (all objects)
   * @returns the Grant produced for the S3 actions
   */
  readWrite(identity, objectsKeyPattern = "*") {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(identity);
    } catch (error) {
      if (process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError") {
        Error.captureStackTrace(error, this.readWrite);
      }
      throw error;
    }
    const bucketActions = perms().BUCKET_READ_ACTIONS.concat(this.writeActions);
    const uniqueKeyActions = new Set([
      ...perms().KEY_READ_ACTIONS,
      ...perms().KEY_WRITE_ACTIONS,
    ]);
    const keyActions = Array.from(uniqueKeyActions);
    return this.grant(
      identity,
      bucketActions,
      keyActions,
      this.bucket.bucketRef.bucketArn,
      this.arnForObjects(objectsKeyPattern),
    );
  }

  /**
   * Put actions selected by the S3_GRANT_WRITE_WITHOUT_ACL feature flag.
   *
   * NOTE(review): the flag name suggests the legacy list also covers ACL
   * writes; confirm the contents of both lists in ./perms before relying on
   * either for least privilege.
   */
  get putActions() {
    const flags = core_1().FeatureFlags.of(this.bucket);
    if (flags.isEnabled(cxapi().S3_GRANT_WRITE_WITHOUT_ACL)) {
      return perms().BUCKET_PUT_ACTIONS;
    }
    return perms().LEGACY_BUCKET_PUT_ACTIONS;
  }

  /** Delete actions followed by the current put actions. */
  get writeActions() {
    return [...perms().BUCKET_DELETE_ACTIONS, ...this.putActions];
  }

  /**
   * Grants the permissions used for replication from this bucket to the
   * destination buckets in `props.destinations`.
   *
   * Granted here: replication-configuration/list on the source bucket,
   * object-version reads on all source objects, the replicate actions
   * (including "s3:ObjectOwnerOverrideToBucketOwner", unconditionally) on all
   * objects of each destination, `grantEncrypt` on each destination's
   * encryption key when present, and "kms:Decrypt" on the source key when
   * the bucket is an encrypted resource.
   *
   * @param identity the grantee
   * @param props object with a non-empty `destinations` array; each entry has
   *   a `bucket` and optionally an `encryptionKey`
   * @returns the combination of all grants made
   * @throws ValidationError when `props.destinations` is empty
   */
  replicationPermission(identity, props) {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(identity);
      jsiiDeprecationWarnings().aws_cdk_lib_aws_s3_GrantReplicationPermissionProps(props);
    } catch (error) {
      if (process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError") {
        Error.captureStackTrace(error, this.replicationPermission);
      }
      throw error;
    }
    if (props.destinations.length === 0) {
      throw new (core_1().ValidationError)(
        "At least one destination bucket must be specified in the destinations array",
        this.bucket,
      );
    }

    // Source bucket: ARNs are wrapped in Lazy.string so they are produced on demand.
    let result = this.grant(
      identity,
      ["s3:GetReplicationConfiguration", "s3:ListBucket"],
      [],
      core_1().Lazy.string({ produce: () => this.bucket.bucketRef.bucketArn }),
    );
    const sourceObjectsGrant = this.grant(
      identity,
      [
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionTagging",
      ],
      [],
      core_1().Lazy.string({ produce: () => this.arnForObjects("*") }),
    );
    result = result.combine(sourceObjectsGrant);

    // Destination buckets: replicate actions on every object of each one.
    const destinationBuckets = props.destinations.map(
      (destination) => destination.bucket,
    );
    if (destinationBuckets.length > 0) {
      const bucketActions = [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ReplicateTags",
        "s3:ObjectOwnerOverrideToBucketOwner",
      ];
      const destinationArns = destinationBuckets.map((bucket) =>
        core_1().Lazy.string({ produce: () => bucket.arnForObjects("*") }),
      );
      let destinationGrant;
      if (this.policyResource) {
        destinationGrant = aws_iam_1().Grant.addToPrincipalOrResource({
          actions: bucketActions,
          grantee: identity,
          resourceArns: destinationArns,
          resource: this.policyResource,
        });
      } else {
        destinationGrant = aws_iam_1().Grant.addToPrincipal({
          actions: bucketActions,
          grantee: identity,
          resourceArns: destinationArns,
        });
      }
      result = result.combine(destinationGrant);
    }

    // Destination keys: only destinations that declare an encryption key.
    props.destinations.forEach((destination) => {
      const encryptGrant = destination.encryptionKey?.grantEncrypt(identity);
      if (encryptGrant !== undefined) {
        result = result.combine(encryptGrant);
      }
    });

    // Source key: decrypt, when the source bucket is an encrypted resource.
    const grantOnKeyResult = this.encryptedResource?.grantOnKey(
      identity,
      "kms:Decrypt",
    );
    if (grantOnKeyResult?.grant) {
      result = result.combine(grantOnKeyResult.grant);
    }
    return result;
  }

  /**
   * Shared implementation behind every grant method.
   *
   * NOTE(review): the value returned by `grantOnKey` is discarded here, so
   * the returned Grant reflects only the S3 actions. Callers that check the
   * result will not see the outcome of the key grant.
   *
   * @param grantee the grantee
   * @param bucketActions S3 actions to grant
   * @param keyActions key actions; skipped when empty or when there is no
   *   encrypted resource
   * @param resourceArn first resource ARN
   * @param otherResourceArns further resource ARNs
   * @returns the Grant produced for the S3 actions
   */
  grant(grantee, bucketActions, keyActions, resourceArn, ...otherResourceArns) {
    const resources = [resourceArn, ...otherResourceArns];
    let result;
    if (this.policyResource) {
      result = aws_iam_1().Grant.addToPrincipalOrResource({
        actions: bucketActions,
        grantee,
        resourceArns: resources,
        resource: this.policyResource,
      });
    } else {
      result = aws_iam_1().Grant.addToPrincipal({
        actions: bucketActions,
        grantee,
        resourceArns: resources,
      });
    }
    if (keyActions.length > 0) {
      this.encryptedResource?.grantOnKey(grantee, ...keyActions);
    }
    return result;
  }

  /**
   * @param keyPattern object key or pattern
   * @returns the bucket ARN, a "/", and `keyPattern` joined into one string
   */
  arnForObjects(keyPattern) {
    return `${this.bucket.bucketRef.bucketArn}/${keyPattern}`;
  }
}

exports.BucketGrants = BucketGrants;