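/**
 * Reports whether the inline policy {@code s} attached to {@code roleName} grants
 * the ability to operate on IAM (specifically whether it covers {@code iam:CreateRole}).
 *
 * Fixes over the previous version: IAM allows both {@code "Statement"} and {@code "Action"}
 * to be either a single value or an array; the old array-only loops silently returned
 * {@code false} for {@code "Action": "iam:*"} (a false negative in a privilege check).
 * The full {@code "*"} wildcard and glob-style actions such as {@code "iam:Create*"}
 * are now recognised too, and statements with an explicit {@code Deny} effect are skipped.
 *
 * @param roleName the IAM role whose inline policy is inspected
 * @param client   the IAM client used to fetch the policy document
 * @param s        the name of the inline policy to fetch
 * @return {@code true} if any Allow statement grants iam:CreateRole (directly or by wildcard)
 * @throws Exception if the policy cannot be fetched, URL-decoded or parsed
 */
private boolean checkIamOrS3Statement(String roleName, AmazonIdentityManagement client, String s) throws Exception {
    GetRolePolicyRequest getRolePolicyRequest = new GetRolePolicyRequest();
    getRolePolicyRequest.setRoleName(roleName);
    getRolePolicyRequest.setPolicyName(s);
    GetRolePolicyResult rolePolicy = client.getRolePolicy(getRolePolicyRequest);
    // The policy document is returned URL-encoded.
    String decode = URLDecoder.decode(rolePolicy.getPolicyDocument(), "UTF-8");
    JsonNode object = JsonUtil.readTree(decode);
    JsonNode statement = object == null ? null : object.get("Statement");
    for (JsonNode stmt : asElements(statement)) {
        JsonNode effect = stmt.get("Effect");
        if (effect != null && "deny".equalsIgnoreCase(effect.asText())) {
            continue; // an explicit Deny never grants a permission
        }
        for (JsonNode action : asElements(stmt.get("Action"))) {
            // Normalise to the lower-case, whitespace-free form the comparisons expect.
            String actionEntry = action.asText().replace(" ", "").toLowerCase(java.util.Locale.ROOT);
            if (grantsIamCreateRole(actionEntry)) {
                LOGGER.info("Role has able to operate on iam resources: {}.", action);
                return true;
            }
        }
    }
    return false;
}

/**
 * Normalises a policy element that IAM allows to be either a single value or an array.
 *
 * @param node the {@code Statement} or {@code Action} node; may be null or missing
 * @return the array's children, the single node wrapped, or nothing for null/missing/JSON null
 */
private static Iterable<JsonNode> asElements(JsonNode node) {
    if (node == null || node.isMissingNode() || node.isNull()) {
        return java.util.Collections.emptyList();
    }
    if (node.isArray()) {
        return node; // JsonNode is Iterable over its elements
    }
    return java.util.Collections.singletonList(node);
}

/**
 * True when a normalised (lower-case, whitespace-free) action entry covers iam:CreateRole:
 * an exact match, {@code iam:*}, the full {@code *} wildcard, or any glob that matches it.
 * IAM action patterns use {@code *} (any run of characters) and {@code ?} (one character).
 *
 * @param actionEntry the normalised action string from the policy
 * @return whether the entry grants iam:CreateRole
 */
private static boolean grantsIamCreateRole(String actionEntry) {
    if (actionEntry == null || actionEntry.isEmpty()) {
        return false;
    }
    if ("iam:createrole".equals(actionEntry) || "iam:*".equals(actionEntry) || "*".equals(actionEntry)) {
        return true;
    }
    if (actionEntry.indexOf('*') < 0 && actionEntry.indexOf('?') < 0) {
        return false; // a literal action other than iam:createrole
    }
    return globMatches(actionEntry, "iam:createrole");
}

/**
 * Iterative glob matcher supporting {@code *} and {@code ?}; backtracks to the most
 * recent {@code *} on mismatch so patterns like {@code iam:*role} are handled.
 *
 * @param pattern the glob pattern
 * @param text    the literal text to match against the whole pattern
 * @return whether the whole text matches the whole pattern
 */
private static boolean globMatches(String pattern, String text) {
    int p = 0;
    int t = 0;
    int starP = -1;
    int starT = -1;
    while (t < text.length()) {
        if (p < pattern.length() && (pattern.charAt(p) == '?' || pattern.charAt(p) == text.charAt(t))) {
            p++;
            t++;
        } else if (p < pattern.length() && pattern.charAt(p) == '*') {
            starP = p++;
            starT = t;
        } else if (starP >= 0) {
            // Let the last '*' absorb one more character and retry.
            p = starP + 1;
            t = ++starT;
        } else {
            return false;
        }
    }
    while (p < pattern.length() && pattern.charAt(p) == '*') {
        p++;
    }
    return p == pattern.length();
}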
/**
 * Fetches and URL-decodes the inline policy whose name equals the role name.
 *
 * Only a null result, null policy document or null decoded string falls back to
 * {@code EMPTY_JSON}; any exception thrown by the IAM client (presumably the
 * no-such-entity case — confirm against callers) propagates unchanged.
 *
 * @param roleName  the role whose same-named inline policy is fetched
 * @param iamClient the IAM client to query
 * @return the decoded policy JSON, or {@code EMPTY_JSON} when nothing was returned
 */
private String fetchMainPolicy(String roleName, AmazonIdentityManagementClient iamClient) {
    GetRolePolicyRequest request = new GetRolePolicyRequest()
            .withRoleName(roleName)
            .withPolicyName(roleName);
    GetRolePolicyResult result = iamClient.getRolePolicy(request);
    if (result == null) {
        return EMPTY_JSON;
    }
    String document = result.getPolicyDocument();
    if (document == null) {
        return EMPTY_JSON;
    }
    String decoded = PolicyProviderImpl.urlDecode(document);
    return decoded == null ? EMPTY_JSON : decoded;
}
/**
 * Looks up an inline role policy and parses it into a {@link Policy}.
 *
 * @param roleName   the IAM role name
 * @param policyName the inline policy name
 * @return the parsed policy, or empty when IAM reports that the role or policy does not exist
 */
public Optional<Policy> findRolePolicy(String roleName, String policyName) {
    logger.info("find role policy, roleName={}, policyName={}", roleName, policyName);
    GetRolePolicyRequest request = new GetRolePolicyRequest()
            .withRoleName(roleName)
            .withPolicyName(policyName);
    try {
        GetRolePolicyResult result = iam.getRolePolicy(request);
        // The policy document arrives URL-encoded and must be decoded before parsing.
        String policyJSON = Encodings.decodeURL(result.getPolicyDocument());
        Policy policy = Policy.fromJson(policyJSON);
        return Optional.of(policy);
    } catch (NoSuchEntityException e) {
        // A missing role/policy is an expected outcome, reported as absent rather than as an error.
        return Optional.empty();
    }
}
/**
 * Loads this resource without capturing the low-level client result.
 *
 * @param request the request whose identifier-derived parameters are applied by the underlying resource
 * @return whatever the two-argument overload returns
 */
@Override
public boolean load(GetRolePolicyRequest request) {
    // A null capture means "do not retain the client response".
    ResultCapture<GetRolePolicyResult> noCapture = null;
    return this.load(request, noCapture);
}
/**
 * Loads this resource, optionally capturing the low-level client result.
 *
 * @param request   the request to send
 * @param extractor receives the raw {@link GetRolePolicyResult}; may be null
 * @return the result of delegating to the wrapped {@code resource}
 */
@Override
public boolean load(GetRolePolicyRequest request, ResultCapture<GetRolePolicyResult> extractor) {
    // Pure delegation; the wrapped resource owns the loaded-state bookkeeping.
    boolean loaded = this.resource.load(request, extractor);
    return loaded;
}
/**
 * Makes a call to the service to load this resource's attributes if they
 * are not loaded yet.
 * The following request parameters will be populated from the data of this
 * <code>RolePolicy</code> resource, and any conflicting parameter value set
 * in the request will be overridden:
 * <ul>
 * <li>
 * <b><code>RoleName</code></b>
 * - mapped from the <code>RoleName</code> identifier.
 * </li>
 * <li>
 * <b><code>PolicyName</code></b>
 * - mapped from the <code>Name</code> identifier.
 * </li>
 * </ul>
 *
 * @param request the request to send; its <code>RoleName</code> and
 *        <code>PolicyName</code> are overwritten as described above.
 * @return Returns {@code true} if the resource is not yet loaded when this
 *         method was invoked, which indicates that a service call has been
 *         made to retrieve the attributes.
 * @see GetRolePolicyRequest
 */
boolean load(GetRolePolicyRequest request);
/**
 * Makes a call to the service to load this resource's attributes if they
 * are not loaded yet, and uses a ResultCapture to retrieve the low-level
 * client response.
 * The following request parameters will be populated from the data of this
 * <code>RolePolicy</code> resource, and any conflicting parameter value set
 * in the request will be overridden:
 * <ul>
 * <li>
 * <b><code>RoleName</code></b>
 * - mapped from the <code>RoleName</code> identifier.
 * </li>
 * <li>
 * <b><code>PolicyName</code></b>
 * - mapped from the <code>Name</code> identifier.
 * </li>
 * </ul>
 *
 * @param request   the request to send; its <code>RoleName</code> and
 *        <code>PolicyName</code> are overwritten as described above.
 * @param extractor receives the low-level {@link GetRolePolicyResult} when a
 *        service call is made.
 * @return Returns {@code true} if the resource is not yet loaded when this
 *         method was invoked, which indicates that a service call has been
 *         made to retrieve the attributes.
 * @see GetRolePolicyRequest
 */
boolean load(GetRolePolicyRequest request, ResultCapture<GetRolePolicyResult> extractor);