How to use

AccessControlList

in

org.jclouds.s3.domain

@Override
public BlobAccess getBlobAccess(String container, String name) {
 AccessControlList acl = sync.getObjectACL(container, name);
 if (acl.hasPermission(GroupGranteeURI.ALL_USERS, Permission.READ)) {
   return BlobAccess.PUBLIC_READ;
 } else {
   return BlobAccess.PRIVATE;
 }
}

/**
* Converts a canned access control policy into the equivalent access control list.
* 
* @param cannedAP
* @param ownerId
*/
public static AccessControlList fromCannedAccessPolicy(CannedAccessPolicy cannedAP, String ownerId) {
 AccessControlList acl = new AccessControlList();
 acl.setOwner(new CanonicalUser(ownerId));
 // Canned access policies always allow full control to the owner.
 acl.addPermission(new CanonicalUserGrantee(ownerId), Permission.FULL_CONTROL);
 if (CannedAccessPolicy.PRIVATE == cannedAP) {
   // No more work to do.
 } else if (CannedAccessPolicy.AUTHENTICATED_READ == cannedAP) {
   acl.addPermission(GroupGranteeURI.AUTHENTICATED_USERS, Permission.READ);
 } else if (CannedAccessPolicy.PUBLIC_READ == cannedAP) {
   acl.addPermission(GroupGranteeURI.ALL_USERS, Permission.READ);
 } else if (CannedAccessPolicy.PUBLIC_READ_WRITE == cannedAP) {
   acl.addPermission(GroupGranteeURI.ALL_USERS, Permission.READ);
   acl.addPermission(GroupGranteeURI.ALL_USERS, Permission.WRITE);
 }
 return acl;
}

/**
* @return an unmodifiable set of grantees who have been assigned permissions in this ACL.
*/
public Set<Grantee> getGrantees() {
 Set<Grantee> grantees = Sets.newTreeSet();
 for (Grant grant : getGrants()) {
   grantees.add(grant.getGrantee());
 }
 return Collections.unmodifiableSet(grantees);
}

 public void run() {
   try {
    AccessControlList acl = getApi().getObjectACL(containerName, publicReadObjectKey);
    assertEquals(acl.getGrants().size(), 2);
    assertEquals(acl.getPermissions(GroupGranteeURI.ALL_USERS).size(), 1);
    assertNotNull(acl.getOwner());
    String ownerId = acl.getOwner().getId();
    assertTrue(acl.hasPermission(ownerId, Permission.FULL_CONTROL));
    assertTrue(acl.hasPermission(GroupGranteeURI.ALL_USERS, Permission.READ));
   } catch (Exception e) {
    Throwables.propagateIfPossible(e);
   }
 }
});

private void checkGrants(AccessControlList acl) {
 String ownerId = acl.getOwner().getId();
 assertEquals(acl.getGrants().size(), 4, acl.toString());
 assertTrue(acl.hasPermission(ownerId, Permission.FULL_CONTROL), acl.toString());
 assertTrue(acl.hasPermission(GroupGranteeURI.ALL_USERS, Permission.READ), acl.toString());
 assertTrue(acl.hasPermission(ownerId, Permission.WRITE_ACP), acl.toString());
 // EmailAddressGrantee is replaced by a CanonicalUserGrantee, so we cannot test by email addr
 assertTrue(acl.hasPermission(TEST_ACL_ID, Permission.READ_ACP), acl.toString());
}

public void testPrivateAclIsDefaultForBucket() throws InterruptedException, ExecutionException, TimeoutException,
   IOException {
 String bucketName = getContainerName();
 try {
   AccessControlList acl = getApi().getBucketACL(bucketName);
   assertEquals(acl.getGrants().size(), 1);
   assertNotNull(acl.getOwner());
   String ownerId = acl.getOwner().getId();
   assertTrue(acl.hasPermission(ownerId, Permission.FULL_CONTROL));
 } finally {
   returnContainer(bucketName);
 }
}

  String ownerId = acl.getOwner().getId();
  assertEquals(acl.getGrants().size(), 1);
  assertTrue(acl.hasPermission(ownerId, Permission.FULL_CONTROL));
  assertEquals(acl.getGrants().size(), 4);
  assertTrue(getApi().putObjectACL(containerName, objectKey, acl));
  acl.revokeAllPermissions(new CanonicalUserGrantee(ownerId));
  if (!ownerId.equals(TEST_ACL_ID))
   acl.revokeAllPermissions(new CanonicalUserGrantee(TEST_ACL_ID));
  assertEquals(acl.getGrants().size(), 1);
  assertTrue(acl.hasPermission(GroupGranteeURI.ALL_USERS, Permission.READ));
  assertEquals(acl.getGrants().size(), 1);
  assertEquals(acl.getPermissions(ownerId).size(), 0);
  assertTrue(acl.hasPermission(GroupGranteeURI.ALL_USERS, Permission.READ), acl.toString());
} finally {
  returnContainer(containerName);

 public void run() {
   try {
    BucketLogging newLogging = getApi().getBucketLogging(bucketName);
    assert newLogging !=null;
    AccessControlList acl = new AccessControlList();
    for (Grant grant : newLogging.getTargetGrants()) { // TODO: add permission
      // checking features to
      // bucketlogging
      acl.addPermission(grant.getGrantee(), grant.getPermission());
    }
    // EmailAddressGrantee is replaced by a CanonicalUserGrantee, so we cannot test by
    // email addr
    assertTrue(acl.hasPermission(StubS3AsyncClient.TEST_ACL_ID, Permission.FULL_CONTROL), acl.toString());
    assertEquals(logging.getTargetBucket(), newLogging.getTargetBucket());
    assertEquals(logging.getTargetPrefix(), newLogging.getTargetPrefix());
   } catch (Exception e) {
    Throwables.propagateIfPossible(e);
   }
 }
});

 public void run() {
   try {
    AccessControlList acl = getApi().getBucketACL(bucketName + "eu");
    assertTrue(acl.hasPermission(GroupGranteeURI.ALL_USERS, Permission.READ), acl.toString());
   } catch (Exception e) {
    Throwables.propagateIfPossible(e);
   }
 }
});

/**
* @param granteeURI
* @param permission
* @return true if the grantee has the given permission.
*/
public boolean hasPermission(URI granteeURI, String permission) {
 return getPermissions(granteeURI).contains(permission);
}

private void addGrantsToACL(AccessControlList acl) {
 String ownerId = acl.getOwner().getId();
 acl.addPermission(GroupGranteeURI.ALL_USERS, Permission.READ);
 acl.addPermission(new EmailAddressGrantee(TEST_ACL_EMAIL), Permission.READ_ACP);
 acl.addPermission(new CanonicalUserGrantee(ownerId), Permission.WRITE_ACP);
}

public void endElement(String uri, String name, String qName) {
 if (qName.equals("Owner")) {
   CanonicalUser owner = new CanonicalUser(currentId);
   owner.setDisplayName(currentDisplayName);
   acl.setOwner(owner);
 } else if (qName.equals("Grantee")) {
   if ("AmazonCustomerByEmail".equals(currentGranteeType)) {
    currentGrantee = new EmailAddressGrantee(currentId);
   } else if ("CanonicalUser".equals(currentGranteeType)) {
    currentGrantee = new CanonicalUserGrantee(currentId, currentDisplayName);
   } else if ("Group".equals(currentGranteeType)) {
    currentGrantee = new GroupGrantee(URI.create(currentId));
   }
 } else if (qName.equals("Grant")) {
   acl.addPermission(currentGrantee, currentPermission);
 }
 else if (qName.equals("ID") || qName.equals("EmailAddress") || qName.equals("URI")) {
   currentId = currentOrNull(currentText);
 } else if (qName.equals("DisplayName")) {
   currentDisplayName = currentOrNull(currentText);
 } else if (qName.equals("Permission")) {
   currentPermission = currentOrNull(currentText);
 }
 currentText = new StringBuilder();
}

/**
* Replace any AmazonCustomerByEmail grantees with a somewhat-arbitrary canonical user grantee,
* to match S3 which substitutes each email address grantee with that user's corresponding ID. In
* short, although you can PUT email address grantees, these are actually subsequently returned
* by S3 as canonical user grantees.
* 
* @param acl
* @return
*/
protected AccessControlList sanitizeUploadedACL(AccessControlList acl) {
 // Replace any email address grantees with canonical user grantees, using
 // the acl's owner ID as the surrogate replacement.
 for (Grant grant : acl.getGrants()) {
   if (grant.getGrantee() instanceof EmailAddressGrantee) {
    EmailAddressGrantee emailGrantee = (EmailAddressGrantee) grant.getGrantee();
    String id = emailGrantee.getEmailAddress().equals(TEST_ACL_EMAIL) ? TEST_ACL_ID : acl.getOwner().getId();
    grant.setGrantee(new CanonicalUserGrantee(id, acl.getOwner().getDisplayName()));
   }
 }
 return acl;
}

/**
* Add a permission for the given group grantee.
* 
* @param groupGranteeURI
* @param permission
*/
public AccessControlList addPermission(URI groupGranteeURI, String permission) {
 return addPermission(new GroupGrantee(groupGranteeURI), permission);
}

/**
* @param granteeId
* @return the permissions assigned to a grantee, as identified by the given ID.
*/
public Collection<String> getPermissions(String granteeId) {
 Collection<Grant> grantsForGrantee = findGrantsForGrantee(granteeId);
 return Collections2.transform(grantsForGrantee, new Function<Grant, String>() {
   public String apply(Grant g) {
    return g.getPermission();
   }
 });
}

/**
* Revoke a permission for the given group grantee, if this specific permission was granted.
* 
* Note that you must be very explicit about the permissions you revoke, you cannot revoke
* partial permissions and expect this class to determine the implied remaining permissions. For
* example, if you revoke the {@link Permission#READ} permission from a grantee with
* {@link Permission#FULL_CONTROL} access, <strong>the revocation will do nothing</strong> and
* the grantee will retain full access. To change the access settings for this grantee, you must
* first remove the {@link Permission#FULL_CONTROL} permission the add back the
* {@link Permission#READ} permission.
* 
* @param groupGranteeURI
* @param permission
*/
public AccessControlList revokePermission(URI groupGranteeURI, String permission) {
 return revokePermission(new GroupGrantee(groupGranteeURI), permission);
}

@Test
public void testAccessControlListOwnerOnly() throws HttpException {
 String ownerId = "1a405254c932b52e5b5caaa88186bc431a1bacb9ece631f835daddaf0c47677c";
 AccessControlList acl = createParser().parse(Strings2.toInputStream(aclOwnerOnly));
 assertEquals(acl.getOwner().getId(), ownerId);
 assertEquals(acl.getOwner().getDisplayName(), "jamesmurty");
 assertEquals(acl.getPermissions(ownerId).size(), 1);
 assertTrue(acl.hasPermission(ownerId, Permission.FULL_CONTROL));
 assertEquals(acl.getGrants().size(), 1);
 assertEquals(acl.getPermissions(GroupGranteeURI.ALL_USERS).size(), 0);
 assertEquals(acl.getPermissions(GroupGranteeURI.AUTHENTICATED_USERS).size(), 0);
 assertEquals(acl.getPermissions(GroupGranteeURI.LOG_DELIVERY).size(), 0);
}

private void checkGrants(AccessControlList acl) {
 String ownerId = acl.getOwner().getId();
 assertEquals(acl.getGrants().size(), 4, acl.toString());
 assertTrue(acl.hasPermission(ownerId, Permission.FULL_CONTROL), acl.toString());
 assertTrue(acl.hasPermission(GroupGranteeURI.ALL_USERS, Permission.READ), acl.toString());
 assertTrue(acl.hasPermission(ownerId, Permission.WRITE_ACP), acl.toString());
 // EmailAddressGrantee is replaced by a CanonicalUserGrantee, so we cannot test by email addr
 assertTrue(acl.hasPermission(StubS3AsyncClient.TEST_ACL_ID, Permission.READ_ACP), acl.toString());
}

public void testPrivateAclIsDefaultForBucket() throws InterruptedException, ExecutionException, TimeoutException,
   IOException {
 String bucketName = getContainerName();
 try {
   AccessControlList acl = getApi().getBucketACL(bucketName);
   assertEquals(acl.getGrants().size(), 1);
   assertNotNull(acl.getOwner());
   String ownerId = acl.getOwner().getId();
   assertTrue(acl.hasPermission(ownerId, FULL_CONTROL));
 } finally {
   returnContainer(bucketName);
 }
}

  String ownerId = acl.getOwner().getId();
  assertEquals(acl.getGrants().size(), 1);
  assertTrue(acl.hasPermission(ownerId, Permission.FULL_CONTROL));
  assertEquals(acl.getGrants().size(), 4);
  assertTrue(getApi().putObjectACL(containerName, objectKey, acl));
  acl.revokeAllPermissions(new CanonicalUserGrantee(ownerId));
  if (!ownerId.equals(TEST_ACL_ID))
   acl.revokeAllPermissions(new CanonicalUserGrantee(TEST_ACL_ID));
  assertEquals(acl.getGrants().size(), 1);
  assertTrue(acl.hasPermission(GroupGranteeURI.ALL_USERS, Permission.READ));
  assertEquals(acl.getGrants().size(), 1);
  assertEquals(acl.getPermissions(ownerId).size(), 0);
  assertTrue(acl.hasPermission(GroupGranteeURI.ALL_USERS, Permission.READ), acl.toString());
} finally {
  returnContainer(containerName);