private static Boolean iamPermissionsAllow(
final AuthContextSupplier authContext,
final String[] requiredActions,
final String resourceType,
final String resourceId,
final long resourceAllocationSize) {
/* IAM checks: Is the user allowed within the account? */
// the Permissions.isAuthorized() handles the default deny for each action.
boolean iamAllow = true; // Evaluate each iam action required, all must be allowed
for (String action : requiredActions) {
// Any deny overrides an allow
// Note: explicitly set resourceOwnerAccount to null here, otherwise iam will reject even if
// the ACL checks
// were valid, let ACLs handle cross-account access.
iamAllow &=
Permissions.isAuthorized(
PolicySpec.VENDOR_S3, resourceType, resourceId, null, action, authContext)
&& Permissions.canAllocate(
PolicySpec.VENDOR_S3,
resourceType,
resourceId,
action,
authContext,
resourceAllocationSize);
}
return iamAllow;
}
