aws-sdk-v1 1.52.0

data/lib/aws/core/options/json_serializer.rb

@@ -0,0 +1,82 @@
+# Copyright 2011-2013 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+#     http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+
+require 'json'
+require 'base64'
+
+module AWS
+  module Core
+    module Options
+
+      # Given a hash of serialization rules, a JSONSerializer can convert
+      # a hash of request options into a JSON document.  The request options
+      # are validated before returning JSON.
+      class JSONSerializer
+
+        # @param [Hash] rules A hash of option rules to validate against.
+        # @param [String,nil] payload_param
+        def initialize rules, payload_param
+          @payload_param = payload_param
+          @rules = @payload_param ? rules[@payload_param][:members] : rules
+        end
+
+        # @return [String] Returns the name of the API operation.
+        attr_reader :operation_name
+
+        # @return [String]
+        attr_reader :namespace
+
+        # @return [Hash]
+        attr_reader :rules
+
+        # @overload serialize!(request_options)
+        #   @param [Hash] request_options A hash of already validated
+        #     request options with normalized values.
+        #   @return [String] Returns an string of the request parameters
+        #     serialized into XML.
+        def serialize request_options
+          request_options = request_options[@payload_param] if @payload_param
+          data = normalize_keys(request_options, rules)
+          if rules.any?{|k,v| v[:location] == 'body' }
+            data = data.values.first
+          end
+          JSON.pretty_generate(data)
+        end
+
+        protected
+
+        def normalize_keys values, rules
+          values.inject({}) do |h,(k,v)|
+            child_rules = rules[k]
+            child_name = child_rules[:name] || Inflection.class_name(k.to_s)
+            h.merge(child_name => normalize_value(v, child_rules))
+          end
+        end
+
+        def normalize_value value, rules
+          case rules[:type]
+          when :hash then normalize_keys(value, rules[:members])
+          when :array then value.map{|v| normalize_value(v, rules[:members]) }
+          when :map
+            value.inject({}) do |h,(k,v)|
+              h.merge(k => normalize_value(v, rules[:members]))
+            end
+          when :blob then Base64.encode64(value.read).strip
+          else value
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/aws/core/options/validator.rb

@@ -0,0 +1,155 @@
+# Copyright 2011-2013 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+#     http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+
+module AWS
+  module Core
+    module Options
+
+      # Given a hash of validation rules, a validator validate request
+      # options.  Validations support:
+      #
+      #   * rejecting unknown options
+      #   * ensuring presence of required options
+      #   * validating expected option types (e.g. hash, array, string,
+      #     integer, etc).
+      #
+      # After validating, a hash of request options is returned with
+      # with normalized values (with converted types).
+      class Validator
+
+        # @param [Hash] rules A hash of option rules to validate against.
+        def initialize rules
+          @rules = rules
+        end
+
+        # @return [Hash]
+        attr_reader :rules
+
+        # @overload validate!(request_options)
+        #   @param [Hash] request_options The hash of options to validate.
+        #   @raise [ArgumentError] Raised when the options do not validate.
+        #   @return [Hash]
+        def validate! request_options, rules = @rules
+
+          # Verify all required options are present.
+          rules.each_pair do |opt_name, opt_rules|
+            if opt_rules[:required]
+              unless request_options.key?(opt_name)
+                raise ArgumentError, "missing required option #{opt_name.inspect}"
+              end
+            end
+          end
+
+          request_options.inject({}) do |options, (opt_name, value)|
+
+            # Ensure this is a valid/accepted option
+            unless rules.key?(opt_name)
+              raise ArgumentError, "unexpected option #{opt_name.inspect}"
+            end
+
+            # Validate and convert the value
+            valid_value = validate_value(rules[opt_name], value, opt_name)
+
+            options.merge(opt_name => valid_value)
+
+          end
+        end
+
+        protected
+
+        # Proxies calls to the correct validation method based on the
+        # rules[:type].
+        def validate_value *args
+          send("validate_#{args.first[:type]}", *args)
+        end
+
+        # Ensures the value is a hash and validates the hash context.
+        def validate_hash rules, value, opt_name, context = nil
+          unless value.respond_to?(:to_hash)
+            format_error('hash value', opt_name, context)
+          end
+          validate!(value.to_hash, rules[:members])
+        end
+
+        def validate_map rules, value, opt_name, context = nil
+          unless value.respond_to?(:to_hash)
+            format_error('hash value', opt_name, context)
+          end
+          value.inject({}) do |values,(k,v)|
+            context = "member #{k.inspect} of :#{opt_name}"
+            values[k] = validate_value(rules[:members], v, opt_name, context)
+            values
+          end
+        end
+
+        # Ensures the value is an array (or at least enumerable) and
+        # that the yielded values are valid.
+        def validate_array rules, value, opt_name, context = nil
+          unless value.respond_to?(:each)
+            format_error('enumerable value', opt_name, context)
+          end
+          values = []
+          value.each do |v|
+            context = "member #{values.size} of :#{opt_name}"
+            values << validate_value(rules[:members], v, opt_name, context)
+          end
+          values
+        end
+
+        # Ensures the value is a string.
+        def validate_string rules, value, opt_name, context = nil
+
+          unless value.respond_to?(:to_str)
+            format_error('string value', opt_name, context)
+          end
+
+          rules[:lstrip] ?
+            value.to_str.sub(/^#{rules[:lstrip]}/, '') :
+            value.to_str
+        end
+
+        # Ensures the value is a boolean.
+        def validate_boolean rules, value, opt_name, context = nil
+          unless [true, false].include?(value)
+            format_error('true or false', opt_name, context)
+          end
+          value
+        end
+
+        # Ensures the value is an integer.
+        def validate_integer rules, value, opt_name, context = nil
+          unless value.respond_to?(:to_int)
+            format_error('integer value', opt_name, context)
+          end
+          value.to_int
+        end
+
+        # Ensures the value is a timestamp.
+        def validate_timestamp rules, value, opt_name, context = nil
+          # TODO : add validation to timestamps values
+          value.to_s
+        end
+
+        def validate_blob rules, value, opt_name, context = nil
+          value
+        end
+
+        def format_error description, opt_name, context
+          context = context || "option :#{opt_name}"
+          raise ArgumentError, "expected #{description} for #{context}"
+        end
+
+      end
+    end
+  end
+end

data/lib/aws/core/options/xml_serializer.rb

@@ -0,0 +1,118 @@
+# Copyright 2011-2013 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+#     http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+
+require 'nokogiri'
+
+module AWS
+  module Core
+    module Options
+
+      # Given a hash of serialization rules, an XMLSerializer can convert
+      # a hash of request options into XML.  The request options are
+      # validated before returning XML.
+      class XMLSerializer
+
+        # @param [String] namespace
+        # @param [String] operation_name
+        # @param [Hash] operation
+        def initialize namespace, operation_name, operation
+          @namespace = namespace
+          @operation_name = operation_name
+          @rules = operation[:inputs]
+          @http = operation[:http]
+          @validator = Validator.new(rules)
+        end
+
+        # @return [String] Returns the name of the API operation.
+        attr_reader :operation_name
+
+        # @return [String]
+        attr_reader :namespace
+
+        # @return [Hash]
+        attr_reader :rules
+
+        # @return [Hash,nil]
+        attr_reader :http
+
+        # @return [Validator]
+        attr_reader :validator
+
+        # @overload serialize!(request_options)
+        #   @param [Hash] request_options A hash of already validated
+        #     request options with normalized values.
+        #   @return [String] Returns an string of the request parameters
+        #     serialized into XML.
+        def serialize request_options
+          if http && http[:request_payload]
+            payload = http[:request_payload]
+            root_node_name = rules[payload][:name]
+            params = request_options[payload]
+            rules = self.rules[payload][:members]
+          else
+            root_node_name = "#{operation_name}Request"
+            params = request_options
+            rules = self.rules
+          end
+          xml = Nokogiri::XML::Builder.new
+          xml.send(root_node_name, :xmlns => namespace) do |xml|
+            hash_members_xml(params, rules, xml)
+          end
+          xml.doc.root.to_xml
+        end
+
+        protected
+
+        def to_xml builder, opt_name, rules, value
+
+          xml_name = rules[:name]
+          xml_name ||= opt_name.is_a?(String) ?
+            opt_name : Inflection.class_name(opt_name.to_s)
+
+          case value
+          when Hash
+
+            builder.send(xml_name) do |builder|
+              hash_members_xml(value, rules[:members], builder)
+            end
+
+          when Array
+            builder.send(xml_name) do
+              value.each do |member_value|
+                to_xml(builder, 'member', rules[:members], member_value)
+              end
+            end
+          else builder.send(xml_name, value)
+          end
+
+        end
+
+        def hash_members_xml hash, rules, builder
+          xml_ordered_members(rules).each do |member_name|
+            if hash.key?(member_name)
+              value = hash[member_name]
+              to_xml(builder, member_name, rules[member_name], value)
+            end
+          end
+        end
+
+        def xml_ordered_members members
+          members.inject([]) do |list,(member_name, member)|
+            list << [member[:position] || 0, member_name]
+          end.sort_by(&:first).map(&:last)
+        end
+
+      end
+    end
+  end
+end

data/lib/aws/core/page_result.rb

@@ -0,0 +1,75 @@
+# Copyright 2011-2013 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+#     http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+
+module AWS
+  module Core
+    class PageResult < Array
+
+      # @return [Collection] Returns the collection that was used to
+      #   populated this page of results.
+      attr_reader :collection
+
+      # @return [Integer] Returns the maximum number of results per page.
+      #   The final page in a collection may return fewer than `:per_page`
+      #   items (e.g. `:per_page` is 10 and there are only 7 items).
+      attr_reader :per_page
+
+      # @return [String] An opaque token that can be passed the #page method
+      #   of the collection that returned this page of results.  This next
+      #   token behaves as a pseudo offset.  If `next_token` is `nil` then
+      #   there are no more results for the collection.
+      attr_reader :next_token
+
+      # @param [Collection] collection The collection that was used to
+      #   request this page of results.  The collection should respond to
+      #   #page and accept a :next_token option.
+      #
+      # @param [Array] items An array of result items that represent a
+      #   page of results.
+      #
+      # @param [Integer] per_page The number of requested items for this
+      #   page of results.  If the count of items is smaller than `per_page`
+      #   then this is the last page of results.
+      #
+      # @param [String] next_token (nil) A token that can be passed to the
+      #
+      def initialize collection, items, per_page, next_token
+        @collection = collection
+        @per_page = per_page
+        @next_token = next_token
+        super(items)
+      end
+
+      # @return [PageResult]
+      # @raise [RuntimeError] Raises a runtime error when called against
+      #   a collection that has no more results (i.e. #last_page? == true).
+      def next_page
+        if last_page?
+          raise 'unable to get the next page, already at the last page'
+        end
+        collection.page(:per_page => per_page, :next_token => next_token)
+      end
+
+      # @return [Boolean] Returns `true` if this is the last page of results.
+      def last_page?
+        next_token.nil?
+      end
+
+      # @return [Boolean] Returns `true` if there are more pages of results.
+      def more?
+        !!next_token
+      end
+
+    end
+  end
+end

data/lib/aws/core/policy.rb

@@ -0,0 +1,941 @@
+# Copyright 2011-2013 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+#     http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+
+require 'date'
+require 'json'
+
+module AWS
+  module Core
+
+    # Represents an access policy for AWS operations and resources.  For example:
+    #
+    #     policy = Policy.new
+    #     policy.allow(
+    #       :actions => ['s3:PutObject'],
+    #       :resources => "arn:aws:s3:::mybucket/mykey/*",
+    #       :principals => :any
+    #     ).where(:acl).is("public-read")
+    #
+    #     policy.to_json # => '{ "Version":"2008-10-17", ...'
+    #
+    # @see #initialize More ways to construct a policy.
+    # @see http://docs.amazonwebservices.com/AmazonS3/latest/dev/AccessPolicyLanguage_UseCases_s3_a.html Example policies (in JSON).
+    class Policy
+
+      # @see Statement
+      # @return [Array] An array of policy statements.
+      attr_reader :statements
+
+      # @return [String] The version of the policy language used in this
+      #   policy object.
+      attr_reader :version
+
+      # @return [String] A unique ID for the policy.
+      attr_reader :id
+
+      class Statement; end
+
+      # Constructs a policy.  There are a few different ways to
+      # build a policy:
+      #
+      # * With hash arguments:
+      #
+      #     Policy.new(:statements => [
+      #       {
+      #         :effect => :allow,
+      #         :actions => :all,
+      #         :principals => ["abc123"],
+      #         :resources => "mybucket/mykey"
+      #       }
+      #     ])
+      #
+      # * From a JSON policy document:
+      #
+      #     Policy.from_json(policy_json_string)
+      #
+      # * With a block:
+      #
+      #     Policy.new do |policy|
+      #       policy.allow(
+      #         :actions => ['s3:PutObject'],
+      #         :resources => "arn:aws:s3:::mybucket/mykey/*",
+      #         :principals => :any
+      #       ).where(:acl).is("public-read")
+      #     end
+      #
+      def initialize(opts = {})
+        @statements = opts.values_at(:statements, "Statement").select do |a|
+          a.kind_of?(Array)
+        end.flatten.map do |stmt|
+          self.class::Statement.new(stmt)
+        end
+
+        if opts.has_key?(:id) or opts.has_key?("Id")
+          @id = opts[:id] || opts["Id"]
+        else
+          @id = SecureRandom.uuid.tr('-','')
+        end
+        if opts.has_key?(:version) or opts.has_key?("Version")
+          @version = opts[:version] || opts["Version"]
+        else
+          @version = "2008-10-17"
+        end
+
+        yield(self) if block_given?
+      end
+
+      # @return [Boolean] Returns true if the two policies are the same.
+      def ==(other)
+        if other.kind_of?(Core::Policy)
+          self.hash_without_ids == other.hash_without_ids
+        else
+          false
+        end
+      end
+      alias_method :eql?, :==
+
+      # Removes the ids from the policy and its statements for the purpose
+      # of comparing two policies for equivilence.
+      # @return [Hash] Returns the policy as a hash with no ids
+      # @api private
+      def hash_without_ids
+        hash = self.to_h
+        hash.delete('Id')
+        hash['Statement'].each do |statement|
+          statement.delete('Sid')
+        end
+        hash
+      end
+      protected :hash_without_ids
+
+      # Returns a hash representation of the policy. The following
+      # statements are equivalent:
+      #
+      #     policy.to_h.to_json
+      #     policy.to_json
+      #
+      # @return [Hash]
+      def to_h
+        {
+          "Version" => version,
+          "Id" => id,
+          "Statement" => statements.map { |st| st.to_h }
+        }
+      end
+
+      # @return [String] a JSON representation of the policy.
+      def to_json
+        to_h.to_json
+      end
+
+      # Constructs a policy from a JSON representation.
+      # @see #initialize
+      # @return [Policy] Returns a Policy object constructed by parsing
+      #   the passed JSON policy.
+      def self.from_json(json)
+        new(JSON.parse(json))
+      end
+
+      # Convenient syntax for expressing operators in statement
+      # condition blocks.  For example, the following:
+      #
+      #     policy.allow.where(:s3_prefix).not("forbidden").
+      #       where(:current_time).lte(Date.today+1)
+      #
+      # is equivalent to:
+      #
+      #     conditions = Policy::ConditionBlock.new
+      #     conditions.add(:not, :s3_prefix, "forbidden")
+      #     conditions.add(:lte, :current_time, Date.today+1)
+      #     policy.allow(:conditions => conditions)
+      #
+      # @see ConditionBlock#add
+      class OperatorBuilder
+
+        # @api private
+        def initialize(condition_builder, key)
+          @condition_builder = condition_builder
+          @key = key
+        end
+
+        def method_missing(m, *values)
+          @condition_builder.conditions.add(m, @key, *values)
+          @condition_builder
+        end
+
+      end
+
+      # Convenient syntax for adding conditions to a statement.
+      # @see Policy#allow
+      # @see Policy#deny
+      class ConditionBuilder
+
+        # @return [Array] Returns an array of policy conditions.
+        attr_reader :conditions
+
+        # @api private
+        def initialize(conditions)
+          @conditions = conditions
+        end
+
+        # Adds a condition for the given key.  For example:
+        #
+        #     policy.allow(...).where(:current_time).lte(Date.today + 1)
+        #
+        # @return [OperatorBuilder]
+        def where(key, operator = nil, *values)
+          if operator
+            @conditions.add(operator, key, *values)
+            self
+          else
+            OperatorBuilder.new(self, key)
+          end
+        end
+
+      end
+
+      # Convenience method for constructing a new statement with the
+      # "Allow" effect and adding it to the policy.  For example:
+      #
+      #     policy.allow(
+      #       :actions => [:put_object],
+      #       :principals => :any,
+      #       :resources => "mybucket/mykey/*").
+      #     where(:acl).is("public-read")
+      #
+      # @option (see Statement#initialize)
+      # @see Statement#initialize
+      # @return [ConditionBuilder]
+      def allow(opts = {})
+        stmt = self.class::Statement.new(opts.merge(:effect => :allow))
+        statements << stmt
+        ConditionBuilder.new(stmt.conditions)
+      end
+
+      # Convenience method for constructing a new statement with the
+      # "Deny" effect and adding it to the policy.  For example:
+      #
+      #     policy.deny(
+      #       :actions => [:put_object],
+      #       :principals => :any,
+      #       :resources => "mybucket/mykey/*"
+      #     ).where(:acl).is("public-read")
+      #
+      # @param (see Statement#initialize)
+      # @see Statement#initialize
+      # @return [ConditionBuilder]
+      def deny(opts = {})
+        stmt = self.class::Statement.new(opts.merge(:effect => :deny))
+        statements << stmt
+        ConditionBuilder.new(stmt.conditions)
+      end
+
+      # Represents the condition block of a policy.  In JSON,
+      # condition blocks look like this:
+      #
+      #     { "StringLike": { "s3:prefix": ["photos/*", "photos.html"] } }
+      #
+      # ConditionBlock lets you specify conditions like the above
+      # example using the add method, for example:
+      #
+      #     conditions.add(:like, :s3_prefix, "photos/*", "photos.html")
+      #
+      # See the add method documentation for more details about how
+      # to specify keys and operators.
+      #
+      # This class also provides a convenient way to query a
+      # condition block to see what operators, keys, and values it
+      # has.  For example, consider the following condition block
+      # (in JSON):
+      #
+      #   {
+      #     "StringEquals": {
+      #       "s3:prefix": "photos/index.html"
+      #     },
+      #     "DateEquals": {
+      #       "aws:CurrentTime": ["2010-10-12", "2011-01-02"]
+      #     },
+      #     "NumericEquals": {
+      #       "s3:max-keys": 10
+      #     }
+      #   }
+      #
+      # You can get access to the condition data using #[], #keys,
+      # #operators, and #values -- for example:
+      #
+      #   conditions["DateEquals"]["aws:CurrentTime"].values
+      #     # => ["2010-10-12", "2011-01-02"]
+      #
+      # You can also perform more sophisticated queries, like this
+      # one:
+      #
+      #   conditions[:is].each do |equality_conditions|
+      #     equality_conditions.keys.each do |key|
+      #       puts("#{key} may be any of: " +
+      #            equality_conditions[key].values.join(" ")
+      #     end
+      #   end
+      #
+      # This would print the following lines:
+      #
+      #   s3:prefix may be any of: photos/index.html
+      #   aws:CurrentTime may be any of: 2010-10-12 2011-01-02
+      #   s3:max-keys may be any of: 10
+      #
+      class ConditionBlock
+
+        # @api private
+        def initialize(conditions = {})
+          # filter makes a copy
+          @conditions = filter_conditions(conditions)
+        end
+
+        # Adds a condition to the block.  This method defines a
+        # convenient set of abbreviations for operators based on the
+        # type of value passed in.  For example:
+        #
+        #   conditions.add(:is, :secure_transport, true)
+        #
+        # Maps to:
+        #
+        #   { "Bool": { "aws:SecureTransport": true } }
+        #
+        # While:
+        #
+        #   conditions.add(:is, :s3_prefix, "photos/")
+        #
+        # Maps to:
+        #
+        #   { "StringEquals": { "s3:prefix": "photos/" } }
+        #
+        # The following list shows which operators are accepted as
+        # symbols and how they are represented in the JSON policy:
+        #
+        # * `:is` (StringEquals, NumericEquals, DateEquals, or Bool)
+        # * `:like` (StringLike)
+        # * `:not_like` (StringNotLike)
+        # * `:not` (StringNotEquals, NumericNotEquals, or DateNotEquals)
+        # * `:greater_than`, `:gt` (NumericGreaterThan or DateGreaterThan)
+        # * `:greater_than_equals`, `:gte`
+        #   (NumericGreaterThanEquals or DateGreaterThanEquals)
+        # * `:less_than`, `:lt` (NumericLessThan or DateLessThan)
+        # * `:less_than_equals`, `:lte`
+        #   (NumericLessThanEquals or DateLessThanEquals)
+        # * `:is_ip_address` (IpAddress)
+        # * `:not_ip_address` (NotIpAddress)
+        # * `:is_arn` (ArnEquals)
+        # * `:not_arn` (ArnNotEquals)
+        # * `:is_arn_like` (ArnLike)
+        # * `:not_arn_like` (ArnNotLike)
+        #
+        # @param [Symbol or String] operator The operator used to
+        #   compare the key with the value.  See above for valid
+        #   values and their interpretations.
+        #
+        # @param [Symbol or String] key The key to compare.  Symbol
+        #   keys are inflected to match AWS conventions.  By
+        #   default, the key is assumed to be in the "aws"
+        #   namespace, but if you prefix the symbol name with "s3_"
+        #   it will be sent in the "s3" namespace.  For example,
+        #   `:s3_prefix` is sent as "s3:prefix" while
+        #   `:secure_transport` is sent as "aws:SecureTransport".
+        #   See
+        #   http://docs.amazonwebservices.com/AmazonS3/latest/dev/UsingResOpsConditions.html
+        #   for a list of the available keys for each action in S3.
+        #
+        # @param [Mixed] values The value to compare against.
+        #   This can be:
+        #   * a String
+        #   * a number
+        #   * a Date, DateTime, or Time
+        #   * a boolean value
+        #   This method does not attempt to validate that the values
+        #   are valid for the operators or keys they are used with.
+        #
+        def add(operator, key, *values)
+          if operator.kind_of?(Symbol)
+            converted_values = values.map { |v| convert_value(v) }
+          else
+            converted_values = values
+          end
+          operator = translate_operator(operator, values.first)
+          op = (@conditions[operator] ||= {})
+          raise "duplicate #{operator} conditions for #{key}" if op[key]
+          op[translate_key(key)] = converted_values
+        end
+
+        # @api private
+        def to_h
+          @conditions
+        end
+
+        # Filters the conditions described in the block, returning a
+        # new ConditionBlock that contains only the matching
+        # conditions.  Each argument is matched against either the
+        # keys or the operators in the block, and you can specify
+        # the key or operator in any way that's valid for the #add
+        # method.  Some examples:
+        #
+        #   # all conditions using the StringLike operator
+        #   conditions["StringLike"]
+        #
+        #   # all conditions using StringEquals, DateEquals, NumericEquals, or Bool
+        #   conditions[:is]
+        #
+        #   # all conditions on the s3:prefix key
+        #   conditions["s3:prefix"]
+        #
+        #   # all conditions on the aws:CurrentTime key
+        #   conditions[:current_time]
+        #
+        # Multiple conditions are ANDed together, so the following
+        # are equivalent:
+        #
+        #   conditions[:s3_prefix][:is]
+        #   conditions[:is][:s3_prefix]
+        #   conditions[:s3_prefix, :is]
+        #
+        # @see #add
+        # @return [ConditionBlock] A new set of conditions filtered by the
+        #   given conditions.
+        def [](*args)
+          filtered = @conditions
+          args.each do |filter|
+            type = valid_operator?(filter) ? nil : :key
+            filtered = filter_conditions(filtered) do |op, key, value|
+              (match, type) = match_triple(filter, type, op, key, value)
+              match
+            end
+          end
+          self.class.new(filtered)
+        end
+
+        # @return [Array] Returns an array of operators used in this block.
+        def operators
+          @conditions.keys
+        end
+
+        # @return [Array] Returns an array of unique keys used in the block.
+        def keys
+          @conditions.values.map do |keys|
+            keys.keys if keys
+          end.compact.flatten.uniq
+        end
+
+        # Returns all values used in the block.  Note that the
+        # values may not all be from the same condition; for example:
+        #
+        #   conditions.add(:like, :user_agent, "mozilla", "explorer")
+        #   conditions.add(:lt, :s3_max_keys, 12)
+        #   conditions.values # => ["mozilla", "explorer", 12]
+        #
+        # @return [Array] Returns an array of values used in this condition block.
+        def values
+          @conditions.values.map do |keys|
+            keys.values
+          end.compact.flatten
+        end
+
+        # @api private
+        protected
+        def match_triple(filter, type, op, key, value)
+          value = [value].flatten.first
+          if type
+            target = (type == :operator ? op : key)
+            match = send("match_#{type}", filter, target, value)
+          else
+            if match_operator(filter, op, value)
+              match = true
+              type = :operator
+            elsif match_key(filter, key)
+              match = true
+              type = :key
+            else
+              match = false
+            end
+          end
+          [match, type]
+        end
+
+        # @api private
+        protected
+        def match_operator(filter, op, value)
+          # dates are the only values that don't come back as native types in JSON
+          # but where we use the type as a cue to the operator translation
+          value = Date.today if op =~ /^Date/
+          translate_operator(filter, value) == op
+        end
+
+        # @api private
+        protected
+        def match_key(filter, key, value = nil)
+          translate_key(filter) == key
+        end
+
+        # @api private
+        protected
+        def filter_conditions(conditions = @conditions)
+          conditions.inject({}) do |m, (op, keys)|
+            m[op] = keys.inject({}) do |m2, (key, value)|
+              m2[key] = value if !block_given? or yield(op, key, value)
+              m2
+            end
+            m.delete(op) if m[op].empty?
+            m
+          end
+        end
+
+        # @api private
+        protected
+        def translate_key(key)
+          if key.kind_of?(Symbol)
+            if key.to_s =~ /^s3_(.*)$/
+              s3_name = $1
+              if s3_name == "version_id" or
+                  s3_name == "location_constraint"
+                s3_name = Inflection.class_name(s3_name)
+              else
+                s3_name.tr!('_', '-')
+              end
+              "s3:#{s3_name}"
+            else
+              "aws:#{Inflection.class_name(key.to_s)}"
+            end
+          else
+            key
+          end
+        end
+
+        # @api private
+        MODIFIERS = {
+          /_ignoring_case$/ => "IgnoreCase",
+          /_equals$/ => "Equals"
+        }
+
+        # @api private
+        protected
+        def valid_operator?(operator)
+          translate_operator(operator, "")
+          true
+        rescue ArgumentError => e
+          false
+        end
+
+        # @api private
+        protected
+        def translate_operator(operator, example_value)
+          return operator if operator.kind_of?(String)
+
+          original_operator = operator
+          (operator, opts) = strip_modifiers(operator)
+
+          raise ArgumentError.new("unrecognized operator #{original_operator}") unless
+            respond_to?("translate_#{operator}", true)
+          send("translate_#{operator}", example_value, opts)
+        end
+
+        # @api private
+        protected
+        def translate_is(example, opts)
+          return "Bool" if type_notation(example) == "Bool"
+          base_translate(example, "Equals", opts[:ignore_case])
+        end
+
+        # @api private
+        protected
+        def translate_not(example, opts)
+          base_translate(example, "NotEquals", opts[:ignore_case])
+        end
+
+        # @api private
+        protected
+        def translate_like(example, opts)
+          base_translate(example, "Like")
+        end
+
+        # @api private
+        protected
+        def translate_not_like(example, opts)
+          base_translate(example, "NotLike")
+        end
+
+        # @api private
+        protected
+        def translate_less_than(example, opts)
+          base_translate(example, "LessThan", opts[:equals])
+        end
+        alias_method :translate_lt, :translate_less_than
+
+        # @api private
+        protected
+        def translate_lte(example, opts)
+          translate_less_than(example, { :equals => "Equals" })
+        end
+
+        # @api private
+        protected
+        def translate_greater_than(example, opts)
+          base_translate(example, "GreaterThan", opts[:equals])
+        end
+        alias_method :translate_gt, :translate_greater_than
+
+        # @api private
+        protected
+        def translate_gte(example, opts)
+          translate_greater_than(example, { :equals => "Equals" })
+        end
+
+        # @api private
+        protected
+        def translate_is_ip_address(example, opts)
+          "IpAddress"
+        end
+
+        # @api private
+        protected
+        def translate_not_ip_address(example, opts)
+          "NotIpAddress"
+        end
+
+        # @api private
+        protected
+        def translate_is_arn(example, opts)
+          "ArnEquals"
+        end
+
+        # @api private
+        protected
+        def translate_not_arn(example, opts)
+          "ArnNotEquals"
+        end
+
+        # @api private
+        protected
+        def translate_is_arn_like(example, opts)
+          "ArnLike"
+        end
+
+        # @api private
+        protected
+        def translate_not_arn_like(example, opts)
+          "ArnNotLike"
+        end
+
+        # @api private
+        protected
+        def base_translate(example, base_operator, *modifiers)
+          "#{type_notation(example)}#{base_operator}#{modifiers.join}"
+        end
+
+        # @api private
+        protected
+        def type_notation(example)
+          case example
+          when String
+            "String"
+          when Numeric
+            "Numeric"
+          when Time, Date
+            "Date"
+          when true, false
+            "Bool"
+          end
+        end
+
+        # @api private
+        protected
+        def convert_value(value)
+          case value
+          when DateTime, Time
+            Time.parse(value.to_s).iso8601
+          when Date
+            value.strftime("%Y-%m-%d")
+          else
+            value
+          end
+        end
+
+        # @api private
+        protected
+        def strip_modifiers(operator)
+          opts = {}
+          MODIFIERS.each do |(regex, mod)|
+            ruby_name = Inflection.ruby_name(mod).to_sym
+            opts[ruby_name] = ""
+            if operator.to_s =~ regex
+              opts[ruby_name] = mod
+              operator = operator.to_s.sub(regex, '').to_sym
+            end
+          end
+          [operator, opts]
+        end
+
+      end
+
+      # Represents a statement in a policy.
+      #
+      # @see Policy#allow
+      # @see Policy#deny
+      class Statement
+
+        # @return [String] Returns the statement id
+        attr_accessor :sid
+
+        # @return [String] Returns the statement effect, either "Allow" or
+        #   "Deny"
+        attr_accessor :effect
+
+        # @return [Array] Returns an array of principals.
+        attr_accessor :principals
+
+        # @return [Array] Returns an array of statement actions included
+        #   by this policy statement.
+        attr_accessor :actions
+
+        # @return [Array] Returns an array of actions excluded by this
+        #   policy statement.
+        attr_accessor :excluded_actions
+
+        # @return [Array] Returns an array of resources affected by this
+        #   policy statement.
+        attr_accessor :resources
+
+        # @return [Array] Returns an array of conditions for this policy.
+        attr_accessor :conditions
+
+        attr_accessor :excluded_resources
+
+        # Constructs a new statement.
+        #
+        # @option opts [String] :sid The statement ID.  This is optional; if
+        #   omitted, a UUID will be generated for the statement.
+        # @option opts [String] :effect The statement effect, which must be either
+        #   "Allow" or "Deny".
+        #   @see Policy#allow
+        #   @see Policy#deny
+        # @option opts [String or array of strings] :principals The account(s)
+        #   affected by the statement.  These should be AWS account IDs.
+        # @option opts :actions The action or actions affected by
+        #   the statement.  These can be symbols or strings.  If
+        #   they are strings, you can use wildcard character "*"
+        #   to match zero or more characters in the action name.
+        #   Symbols are expected to match methods of S3::Client.
+        # @option opts :excluded_actions Action or actions which are
+        #   explicitly not affected by this statement.  As with
+        #   `:actions`, these may be symbols or strings.
+        # @option opts [String or array of strings] :resources The
+        #   resource(s) affected by the statement.  These can be
+        #   expressed as ARNs (e.g. `arn:aws:s3:::mybucket/mykey`)
+        #   or you may omit the `arn:aws:s3:::` prefix and just give
+        #   the path as `bucket_name/key`.  You may use the wildcard
+        #   character "*" to match zero or more characters in the
+        #   resource name.
+        # @option opts [ConditionBlock or Hash] :conditions
+        #   Additional conditions that narrow the effect of the
+        #   statement.  It's typically more convenient to use the
+        #   ConditionBuilder instance returned from Policy#allow or
+        #   Policy#deny to add conditions to a statement.
+        # @see S3::Client
+        def initialize(opts = {})
+          self.sid = SecureRandom.uuid.tr('-','')
+          self.conditions = ConditionBlock.new
+
+          parse_options(opts)
+
+          yield(self) if block_given?
+        end
+
+        # Convenience method to add to the list of actions affected
+        # by this statement.
+        def include_actions(*actions)
+          self.actions ||= []
+          self.actions.push(*actions)
+        end
+        alias_method :include_action, :include_actions
+
+        # Convenience method to add to the list of actions
+        # explicitly not affected by this statement.
+        def exclude_actions(*actions)
+          self.excluded_actions ||= []
+          self.excluded_actions.push(*actions)
+        end
+        alias_method :exclude_action, :exclude_actions
+
+        # @api private
+        def to_h
+          stmt = {
+            "Sid" => sid,
+            "Effect" => Inflection.class_name(effect.to_s),
+            "Principal" => principals_hash,
+            "Resource" => (resource_arns if resource_arns),
+            "NotResource" => (excluded_resource_arns if excluded_resource_arns),
+            "Condition" => (conditions.to_h if conditions)
+          }
+          stmt.delete("Condition") if !conditions || conditions.to_h.empty?
+          stmt.delete("Principal") unless principals_hash
+          stmt.delete("Resource") unless resource_arns
+          stmt.delete("NotResource") unless excluded_resource_arns
+          if !translated_actions || translated_actions.empty?
+            stmt["NotAction"] = translated_excluded_actions
+          else
+            stmt["Action"] = translated_actions
+          end
+          stmt
+        end
+
+        protected
+        def parse_options(options)
+          options.each do |name, value|
+            name = Inflection.ruby_name(name.to_s)
+            name.sub!(/s$/,'')
+            send("parse_#{name}_option", value) if
+              respond_to?("parse_#{name}_option", true)
+          end
+        end
+
+        protected
+        def parse_effect_option(value)
+          self.effect = value
+        end
+
+        protected
+        def parse_sid_option(value)
+          self.sid = value
+        end
+
+        protected
+        def parse_action_option(value)
+          coerce_array_option(:actions, value)
+        end
+
+        protected
+        def parse_not_action_option(value)
+          coerce_array_option(:excluded_actions, value)
+        end
+        alias_method :parse_excluded_action_option, :parse_not_action_option
+
+        protected
+        def parse_principal_option(value)
+          if value and value.kind_of?(Hash)
+            value = value["AWS"] || []
+          end
+
+          coerce_array_option(:principals, value)
+        end
+
+        protected
+        def parse_resource_option(value)
+          coerce_array_option(:resources, value)
+        end
+
+        def parse_not_resource_option(value)
+          coerce_array_option(:excluded_resources, value)
+        end
+        alias_method :parse_excluded_resource_option, :parse_not_resource_option
+
+        protected
+        def parse_condition_option(value)
+          self.conditions = ConditionBlock.new(value)
+        end
+
+        protected
+        def coerce_array_option(attr, value)
+          if value.kind_of?(Array)
+            send("#{attr}=", value)
+          else
+            send("#{attr}=", [value])
+          end
+        end
+
+        protected
+        def principals_hash
+          return nil unless principals
+          { "AWS" =>
+            principals.map do |principal|
+              principal == :any ? "*" : principal
+            end }
+        end
+
+        protected
+        def translate_action(action)
+          case action
+          when String then action
+          when :any   then '*'
+          when Symbol
+
+            if self.class == Core::Policy::Statement
+              msg = 'symbolized action names are only accepted by service ' +
+              'specific policies (e.g. AWS::S3::Policy)'
+              raise ArgumentError, msg
+            end
+
+            unless self.class::ACTION_MAPPING.has_key?(action)
+              raise ArgumentError, "unrecognized action: #{action}"
+            end
+
+            self.class::ACTION_MAPPING[action]
+
+          end
+        end
+
+        protected
+        def translated_actions
+          return nil unless actions
+          actions.map do |action|
+            translate_action(action)
+          end
+        end
+
+        protected
+        def translated_excluded_actions
+          return nil unless excluded_actions
+          excluded_actions.map { |a| translate_action(a) }
+        end
+
+        protected
+        def resource_arns
+          return nil unless resources
+          resources.map do |resource|
+            case resource
+            when :any    then "*"
+            else resource_arn(resource)
+            end
+          end
+        end
+
+        protected
+        def resource_arn resource
+          resource.to_s
+        end
+
+        protected
+        def excluded_resource_arns
+          return nil unless excluded_resources
+          excluded_resources.map do |excluded_resource|
+            case excluded_resource
+            when :any    then "*"
+            else excluded_resource_arn(excluded_resource)
+            end
+          end
+        end
+
+        protected
+        def excluded_resource_arn excluded_resource
+          excluded_resource.to_s
+        end
+
+      end
+
+    end
+  end
+end