aws-sdk 1.0.0

data/lib/aws/policy.rb

@@ -0,0 +1,912 @@
+# Copyright 2011 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+#     http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+
+require 'aws/inflection'
+require 'uuidtools'
+require 'date'
+
+module AWS
+
+  # Represents an access policy for S3 operations and resources.  For example:
+  #
+  #   policy = Policy.new do |policy|
+  #     policy.allow(:actions => ['s3:PutObject'],
+  #                  :resources => "arn:aws:s3:::mybucket/mykey/*",
+  #                  :principals => :any
+  #     ).where(:acl).is("public-read")
+  #   end
+  #
+  #   policy.to_json               # => '{ "Version":"2008-10-17", ...'
+  #
+  # @see #initialize More ways to construct a policy.
+  # @see http://docs.amazonwebservices.com/AmazonS3/latest/dev/AccessPolicyLanguage_UseCases_s3_a.html Example policies (in JSON).
+  class Policy
+
+    # @see Statement
+    # @return [Array] An array of policy statements.
+    attr_reader :statements
+
+    # @return [String] The version of the policy language used in this 
+    #   policy object.
+    attr_reader :version
+
+    # @return [String] A unique ID for the policy.
+    attr_reader :id
+
+    class Statement; end
+
+    # Constructs a policy.  There are a few different ways to
+    # build a policy:
+    #
+    # * With hash arguments:
+    #
+    #     Policy.new(:statements => [
+    #       { :effect => :allow,
+    #         :actions => :all,
+    #         :principals => ["abc123"],
+    #         :resources => "mybucket/mykey" 
+    #       }
+    #     ])
+    #
+    # * From a JSON policy document:
+    #
+    #     Policy.from_json(policy_json_string)
+    #
+    # * With a block:
+    #
+    #     Policy.new do |policy|
+    #
+    #       policy.allow(
+    #         :actions => ['s3:PutObject'],
+    #         :resources => "arn:aws:s3:::mybucket/mykey/*",
+    #         :principals => :any
+    #       ).where(:acl).is("public-read")
+    #
+    #     end
+    #
+    def initialize(opts = {})
+      @statements = opts.values_at(:statements, "Statement").select do |a|
+        a.kind_of?(Array)
+      end.flatten.map do |stmt|
+        self.class::Statement.new(stmt)
+      end
+
+      if opts.has_key?(:id) or opts.has_key?("Id")
+        @id = opts[:id] || opts["Id"]
+      else
+        @id = UUIDTools::UUID.timestamp_create.to_s
+      end
+      if opts.has_key?(:version) or opts.has_key?("Version")
+        @version = opts[:version] || opts["Version"]
+      else
+        @version = "2008-10-17"
+      end
+
+      yield(self) if block_given?
+    end
+
+    # @return [Boolean] Returns true if the two policies are the same.
+    def ==(other)
+      if other.kind_of?(AWS::Policy)
+        self.hash_without_ids == other.hash_without_ids
+      else
+        false
+      end
+    end
+    alias_method :eql?, :==
+
+    # Removes the ids from the policy and its statements for the purpose
+    # of comparing two policies for equivilence.
+    # @return [Hash] Returns the policy as a hash with no ids
+    # @private
+    def hash_without_ids
+      hash = self.to_h
+      hash.delete('Id')
+      hash['Statement'].each do |statement|
+        statement.delete('Sid')
+      end
+      hash
+    end
+    protected :hash_without_ids 
+
+    # Returns a hash representation of the policy; the
+    # following statements are equivalent:
+    #
+    #   policy.to_h.to_json
+    #   policy.to_json
+    #
+    # @return [Hash]
+    def to_h
+      { 
+        "Version" => version,
+        "Id" => id,
+        "Statement" => statements.map { |st| st.to_h } 
+      }
+    end
+
+    # @return [String] a JSON representation of the policy.
+    def to_json
+      to_h.to_json
+    end
+
+    # Constructs a policy from a JSON representation.
+    # @see #initialize
+    # @return [Policy] Returns a Policy object constructed by parsing
+    #   the passed JSON policy.
+    def self.from_json(json)
+      new(JSON.parse(json))
+    end
+
+    # Convenient syntax for expressing operators in statement
+    # condition blocks.  For example, the following:
+    #
+    #   policy.allow.where(:s3_prefix).not("forbidden").
+    #     where(:current_time).lte(Date.today+1)
+    #
+    # is equivalent to:
+    #
+    #   conditions = Policy::ConditionBlock.new
+    #   conditions.add(:not, :s3_prefix, "forbidden")
+    #   conditions.add(:lte, :current_time, Date.today+1)
+    #   policy.allow(:conditions => conditions)
+    #
+    # @see ConditionBlock#add
+    class OperatorBuilder
+
+      # @private
+      def initialize(condition_builder, key)
+        @condition_builder = condition_builder
+        @key = key
+      end
+
+      def method_missing(m, *values)
+        @condition_builder.conditions.add(m, @key, *values)
+        @condition_builder
+      end
+
+    end
+
+    # Convenient syntax for adding conditions to a statement.
+    # @see Policy#allow
+    # @see Policy#deny
+    class ConditionBuilder
+
+      # @return [Array] Returns an array of policy conditions.
+      attr_reader :conditions
+
+      # @private
+      def initialize(conditions)
+        @conditions = conditions
+      end
+
+      # Adds a condition for the given key.  For example:
+      #
+      #   policy.allow(...).where(:current_time).lte(Date.today + 1)
+      #
+      # @return [OperatorBuilder]
+      def where(key, operator = nil, *values)
+        if operator
+          @conditions.add(operator, key, *values)
+          self
+        else
+          OperatorBuilder.new(self, key)
+        end
+      end
+
+    end
+
+    # Convenience method for constructing a new statement with the
+    # "Allow" effect and adding it to the policy.  For example:
+    #
+    #     policy.allow(:actions => [:put_object],
+    #                  :principals => :any,
+    #                  :resources => "mybucket/mykey/*").
+    #       where(:acl).is("public-read")
+    #
+    # @option (see Statement#initialize)
+    # @see Statement#initialize
+    # @return [ConditionBuilder]
+    def allow(opts = {})
+      stmt = self.class::Statement.new(opts.merge(:effect => :allow))
+      statements << stmt
+      ConditionBuilder.new(stmt.conditions)
+    end
+
+    # Convenience method for constructing a new statement with the
+    # "Deny" effect and adding it to the policy.  For example:
+    #
+    #   policy.deny(
+    #     :actions => [:put_object],
+    #     :principals => :any,
+    #     :resources => "mybucket/mykey/*"
+    #   ).where(:acl).is("public-read")
+    #
+    # @param (see Statement#initialize)
+    # @see Statement#initialize
+    # @return [ConditionBuilder]
+    def deny(opts = {})
+      stmt = self.class::Statement.new(opts.merge(:effect => :deny))
+      statements << stmt
+      ConditionBuilder.new(stmt.conditions)
+    end
+
+    # Represents the condition block of a policy.  In JSON,
+    # condition blocks look like this:
+    #
+    #   { "StringLike": { "s3:prefix": ["photos/*", "photos.html"] } }
+    #
+    # ConditionBlock lets you specify conditions like the above
+    # example using the add method, for example:
+    #
+    #   conditions.add(:like, :s3_prefix, "photos/*", "photos.html")
+    #
+    # See the add method documentation for more details about how
+    # to specify keys and operators.
+    #
+    # This class also provides a convenient way to query a
+    # condition block to see what operators, keys, and values it
+    # has.  For example, consider the following condition block
+    # (in JSON):
+    #
+    #   {
+    #     "StringEquals": {
+    #       "s3:prefix": "photos/index.html"
+    #     },
+    #     "DateEquals": {
+    #       "aws:CurrentTime": ["2010-10-12", "2011-01-02"]
+    #     },
+    #     "NumericEquals": {
+    #       "s3:max-keys": 10
+    #     }
+    #   }
+    #
+    # You can get access to the condition data using #[], #keys,
+    # #operators, and #values -- for example:
+    #
+    #   conditions["DateEquals"]["aws:CurrentTime"].values
+    #     # => ["2010-10-12", "2011-01-02"]
+    #
+    # You can also perform more sophisticated queries, like this
+    # one:
+    #
+    #   conditions[:is].each do |equality_conditions|
+    #     equality_conditions.keys.each do |key|
+    #       puts("#{key} may be any of: " +
+    #            equality_conditions[key].values.join(" ")
+    #     end
+    #   end
+    #
+    # This would print the following lines:
+    #
+    #   s3:prefix may be any of: photos/index.html
+    #   aws:CurrentTime may be any of: 2010-10-12 2011-01-02
+    #   s3:max-keys may be any of: 10
+    #
+    class ConditionBlock
+
+      # @private
+      def initialize(conditions = {})
+        # filter makes a copy
+        @conditions = filter_conditions(conditions)
+      end
+
+      # Adds a condition to the block.  This method defines a
+      # convenient set of abbreviations for operators based on the
+      # type of value passed in.  For example:
+      #
+      #   conditions.add(:is, :secure_transport, true)
+      #
+      # Maps to:
+      #
+      #   { "Bool": { "aws:SecureTransport": true } }
+      #
+      # While:
+      #
+      #   conditions.add(:is, :s3_prefix, "photos/")
+      #
+      # Maps to:
+      #
+      #   { "StringEquals": { "s3:prefix": "photos/" } }
+      #
+      # The following list shows which operators are accepted as
+      # symbols and how they are represented in the JSON policy:
+      #
+      # * +:is+ (StringEquals, NumericEquals, DateEquals, or Bool)
+      # * +:like+ (StringLike)
+      # * +:not_like+ (StringNotLike)
+      # * +:not+ (StringNotEquals, NumericNotEquals, or DateNotEquals)
+      # * +:greater_than+, +:gt+ (NumericGreaterThan or DateGreaterThan)
+      # * +:greater_than_equals+, +:gte+
+      #   (NumericGreaterThanEquals or DateGreaterThanEquals)
+      # * +:less_than+, +:lt+ (NumericLessThan or DateLessThan)
+      # * +:less_than_equals+, +:lte+
+      #   (NumericLessThanEquals or DateLessThanEquals)
+      # * +:is_ip_address+ (IpAddress)
+      # * +:not_ip_address+ (NotIpAddress)
+      # * +:is_arn+ (ArnEquals)
+      # * +:not_arn+ (ArnNotEquals)
+      # * +:is_arn_like+ (ArnLike)
+      # * +:not_arn_like+ (ArnNotLike)
+      #
+      # @param [Symbol or String] operator The operator used to
+      #   compare the key with the value.  See above for valid
+      #   values and their interpretations.
+      #
+      # @param [Symbol or String] key The key to compare.  Symbol
+      #   keys are inflected to match AWS conventions.  By
+      #   default, the key is assumed to be in the "aws"
+      #   namespace, but if you prefix the symbol name with "s3_"
+      #   it will be sent in the "s3" namespace.  For example,
+      #   +:s3_prefix+ is sent as "s3:prefix" while
+      #   +:secure_transport+ is sent as "aws:SecureTransport".
+      #   See
+      #   http://docs.amazonwebservices.com/AmazonS3/latest/dev/UsingResOpsConditions.html
+      #   for a list of the available keys for each action in S3.
+      #
+      # @param value The value to compare against.
+      #   This can be:
+      #   * a String
+      #   * a number
+      #   * a Date, DateTime, or Time
+      #   * a boolean value
+      #   This method does not attempt to validate that the values
+      #   are valid for the operators or keys they are used with.
+      def add(operator, key, *values)
+        if operator.kind_of?(Symbol)
+          converted_values = values.map { |v| convert_value(v) }
+        else
+          converted_values = values
+        end
+        operator = translate_operator(operator, values.first)
+        op = (@conditions[operator] ||= {})
+        raise "duplicate #{operator} conditions for #{key}" if op[key]
+        op[translate_key(key)] = converted_values
+      end
+
+      # @private
+      def to_h
+        @conditions
+      end
+
+      # Filters the conditions described in the block, returning a
+      # new ConditionBlock that contains only the matching
+      # conditions.  Each argument is matched against either the
+      # keys or the operators in the block, and you can specify
+      # the key or operator in any way that's valid for the #add
+      # method.  Some examples:
+      #
+      #   # all conditions using the StringLike operator
+      #   conditions["StringLike"]
+      #
+      #   # all conditions using StringEquals, DateEquals, NumericEquals, or Bool
+      #   conditions[:is]
+      #
+      #   # all conditions on the s3:prefix key
+      #   conditions["s3:prefix"]
+      #
+      #   # all conditions on the aws:CurrentTime key
+      #   conditions[:current_time]
+      #
+      # Multiple conditions are ANDed together, so the following
+      # are equivalent:
+      #
+      #   conditions[:s3_prefix][:is]
+      #   conditions[:is][:s3_prefix]
+      #   conditions[:s3_prefix, :is]
+      #
+      # @see #add
+      # @return [ConditionBlock] A new set of conditions filtered by the
+      #   given conditions.
+      def [](*args)
+        filtered = @conditions
+        args.each do |filter|
+          type = valid_operator?(filter) ? nil : :key
+          filtered = filter_conditions(filtered) do |op, key, value|
+            (match, type) = match_triple(filter, type, op, key, value)
+            match
+          end
+        end
+        self.class.new(filtered)
+      end
+
+      # @return [Array] Returns an array of operators used in this block.
+      def operators
+        @conditions.keys
+      end
+
+      # @return [Array] Returns an array of unique keys used in the block.
+      def keys
+        @conditions.values.map do |keys|
+          keys.keys if keys
+        end.compact.flatten.uniq
+      end
+
+      # Returns all values used in the block.  Note that the
+      # values may not all be from the same condition; for example:
+      #
+      #   conditions.add(:like, :user_agent, "mozilla", "explorer")
+      #   conditions.add(:lt, :s3_max_keys, 12)
+      #   conditions.values # => ["mozilla", "explorer", 12]
+      #
+      # @return [Array] Returns an array of values used in this condition block.
+      def values
+        @conditions.values.map do |keys|
+          keys.values
+        end.compact.flatten
+      end
+
+      # @private
+      protected
+      def match_triple(filter, type, op, key, value)
+        value = [value].flatten.first
+        if type
+          target = (type == :operator ? op : key)
+          match = send("match_#{type}", filter, target, value)
+        else
+          if match_operator(filter, op, value)
+            match = true
+            type = :operator
+          elsif match_key(filter, key)
+            match = true
+            type = :key
+          else
+            match = false
+          end
+        end
+        [match, type]
+      end
+
+      # @private
+      protected
+      def match_operator(filter, op, value)
+        # dates are the only values that don't come back as native types in JSON
+        # but where we use the type as a cue to the operator translation
+        value = Date.today if op =~ /^Date/
+        translate_operator(filter, value) == op
+      end
+
+      # @private
+      protected
+      def match_key(filter, key, value = nil)
+        translate_key(filter) == key
+      end
+
+      # @private
+      protected
+      def filter_conditions(conditions = @conditions)
+        conditions.inject({}) do |m, (op, keys)|
+          m[op] = keys.inject({}) do |m2, (key, value)|
+            m2[key] = value if !block_given? or yield(op, key, value)
+            m2
+          end
+          m.delete(op) if m[op].empty?
+          m
+        end
+      end
+
+      # @private
+      protected
+      def translate_key(key)
+        if key.kind_of?(Symbol)
+          if key.to_s =~ /^s3_(.*)$/
+            s3_name = $1
+            if s3_name == "version_id" or
+                s3_name == "location_constraint"
+              s3_name = Inflection.class_name(s3_name)
+            else
+              s3_name.tr!('_', '-')
+            end
+            "s3:#{s3_name}"
+          else
+            "aws:#{Inflection.class_name(key.to_s)}"
+          end
+        else
+          key
+        end
+      end
+
+      # @private
+      MODIFIERS = {
+        /_ignoring_case$/ => "IgnoreCase",
+        /_equals$/ => "Equals"
+      }
+
+      # @private
+      protected
+      def valid_operator?(operator)
+        translate_operator(operator, "")
+        true
+      rescue ArgumentError => e
+        false
+      end
+
+      # @private
+      protected
+      def translate_operator(operator, example_value)
+        return operator if operator.kind_of?(String)
+
+        original_operator = operator
+        (operator, opts) = strip_modifiers(operator)
+
+        raise ArgumentError.new("unrecognized operator #{original_operator}") unless
+          respond_to?("translate_#{operator}", true)
+        send("translate_#{operator}", example_value, opts)
+      end
+
+      # @private
+      protected
+      def translate_is(example, opts)
+        return "Bool" if type_notation(example) == "Bool"
+        base_translate(example, "Equals", opts[:ignore_case])
+      end
+
+      # @private
+      protected
+      def translate_not(example, opts)
+        base_translate(example, "NotEquals", opts[:ignore_case])
+      end
+
+      # @private
+      protected
+      def translate_like(example, opts)
+        base_translate(example, "Like")
+      end
+
+      # @private
+      protected
+      def translate_not_like(example, opts)
+        base_translate(example, "NotLike")
+      end
+
+      # @private
+      protected
+      def translate_less_than(example, opts)
+        base_translate(example, "LessThan", opts[:equals])
+      end
+      alias_method :translate_lt, :translate_less_than
+
+      # @private
+      protected
+      def translate_lte(example, opts)
+        translate_less_than(example, { :equals => "Equals" })
+      end
+
+      # @private
+      protected
+      def translate_greater_than(example, opts)
+        base_translate(example, "GreaterThan", opts[:equals])
+      end
+      alias_method :translate_gt, :translate_greater_than
+
+      # @private
+      protected
+      def translate_gte(example, opts)
+        translate_greater_than(example, { :equals => "Equals" })
+      end
+
+      # @private
+      protected
+      def translate_is_ip_address(example, opts)
+        "IpAddress"
+      end
+
+      # @private
+      protected
+      def translate_not_ip_address(example, opts)
+        "NotIpAddress"
+      end
+
+      # @private
+      protected
+      def translate_is_arn(example, opts)
+        "ArnEquals"
+      end
+
+      # @private
+      protected
+      def translate_not_arn(example, opts)
+        "ArnNotEquals"
+      end
+
+      # @private
+      protected
+      def translate_is_arn_like(example, opts)
+        "ArnLike"
+      end
+
+      # @private
+      protected
+      def translate_not_arn_like(example, opts)
+        "ArnNotLike"
+      end
+
+      # @private
+      protected
+      def base_translate(example, base_operator, *modifiers)
+        "#{type_notation(example)}#{base_operator}#{modifiers.join}"
+      end
+
+      # @private
+      protected
+      def type_notation(example)
+        case example
+        when String
+          "String"
+        when Numeric
+          "Numeric"
+        when Time, Date
+          "Date"
+        when true, false
+          "Bool"
+        end
+      end
+
+      # @private
+      protected
+      def convert_value(value)
+        case value
+        when DateTime, Time
+          Time.parse(value.to_s).iso8601
+        when Date
+          value.strftime("%Y-%m-%d")
+        else
+          value
+        end
+      end
+
+      # @private
+      protected
+      def strip_modifiers(operator)
+        opts = {}
+        MODIFIERS.each do |(regex, mod)|
+          ruby_name = Inflection.ruby_name(mod).to_sym
+          opts[ruby_name] = ""
+          if operator.to_s =~ regex
+            opts[ruby_name] = mod
+            operator = operator.to_s.sub(regex, '').to_sym
+          end
+        end
+        [operator, opts]
+      end
+
+    end
+
+    # Represents a statement in a policy.
+    #
+    # @see Policy#allow
+    # @see Policy#deny
+    class Statement
+
+      # @return [String] Returns the statement id
+      attr_accessor :sid
+
+      # @return [String] Returns the statement effect, either "Allow" or
+      #   "Deny"
+      attr_accessor :effect
+
+      # @return [Array] Returns an array of principals.
+      attr_accessor :principals
+
+      # @return [Array] Returns an array of statement actions included
+      #   by this policy statement.
+      attr_accessor :actions
+
+      # @return [Array] Returns an array of actions excluded by this
+      #   policy statement.
+      attr_accessor :excluded_actions
+
+      # @return [Array] Returns an array of resources affected by this
+      #   policy statement.
+      attr_accessor :resources
+
+      # @return [Array] Returns an array of conditions for this policy.
+      attr_accessor :conditions
+
+      # Constructs a new statement.
+      #
+      # @option opts [String] :sid The statement ID.  This is optional; if
+      #   omitted, a UUID will be generated for the statement.
+      # @option opts [String] :effect The statement effect, which must be either
+      #   "Allow" or "Deny".
+      #   @see Policy#allow
+      #   @see Policy#deny
+      # @option opts [String or array of strings] :principals The account(s)
+      #   affected by the statement.  These should be AWS account IDs.
+      # @option opts :actions The action or actions affected by
+      #   the statement.  These can be symbols or strings.  If
+      #   they are strings, you can use wildcard character "*"
+      #   to match zero or more characters in the action name.
+      #   Symbols are expected to match methods of S3::Client.
+      # @option opts :excluded_actions Action or actions which are
+      #   explicitly not affected by this statement.  As with
+      #   +:actions+, these may be symbols or strings.
+      # @option opts [String or array of strings] :resources The
+      #   resource(s) affected by the statement.  These can be
+      #   expressed as ARNs (e.g. +arn:aws:s3:::mybucket/mykey+)
+      #   or you may omit the +arn:aws:s3:::+ prefix and just give
+      #   the path as +bucket_name/key+.  You may use the wildcard
+      #   character "*" to match zero or more characters in the
+      #   resource name.
+      # @option opts [ConditionBlock or Hash] :conditions
+      #   Additional conditions that narrow the effect of the
+      #   statement.  It's typically more convenient to use the
+      #   ConditionBuilder instance returned from Policy#allow or
+      #   Policy#deny to add conditions to a statement.
+      # @see S3::Client
+      def initialize(opts = {})
+        self.sid = UUIDTools::UUID.timestamp_create.to_s
+        self.conditions = ConditionBlock.new
+
+        parse_options(opts)
+
+        yield(self) if block_given?
+      end
+
+      # Convenience method to add to the list of actions affected
+      # by this statement.
+      def include_actions(*actions)
+        self.actions ||= []
+        self.actions.push(*actions)
+      end
+      alias_method :include_action, :include_actions
+
+      # Convenience method to add to the list of actions
+      # explicitly not affected by this statement.
+      def exclude_actions(*actions)
+        self.excluded_actions ||= []
+        self.excluded_actions.push(*actions)
+      end
+      alias_method :exclude_action, :exclude_actions
+
+      # @private
+      def to_h
+        stmt = {
+          "Sid" => sid,
+          "Effect" => Inflection.class_name(effect.to_s),
+          "Principal" => principals_hash,
+          "Resource" => resource_arns,
+          "Condition" => (conditions.to_h if conditions)
+        }
+        if !translated_actions || translated_actions.empty?
+          stmt["NotAction"] = translated_excluded_actions
+        else
+          stmt["Action"] = translated_actions
+        end
+        stmt
+      end
+
+      protected
+      def parse_options(options)
+        options.each do |name, value|
+          name = Inflection.ruby_name(name.to_s)
+          name.sub!(/s$/,'')
+          send("parse_#{name}_option", value) if
+            respond_to?("parse_#{name}_option", true)
+        end
+      end
+
+      protected
+      def parse_effect_option(value)
+        self.effect = value
+      end
+
+      protected
+      def parse_sid_option(value)
+        self.sid = value
+      end
+
+      protected
+      def parse_action_option(value)
+        coerce_array_option(:actions, value)
+      end
+
+      protected
+      def parse_not_action_option(value)
+        coerce_array_option(:excluded_actions, value)
+      end
+      alias_method :parse_excluded_action_option, :parse_not_action_option
+
+      protected
+      def parse_principal_option(value)
+        if value and value.kind_of?(Hash)
+          value = value["AWS"] || []
+        end
+
+        coerce_array_option(:principals, value)
+      end
+
+      protected
+      def parse_resource_option(value)
+        coerce_array_option(:resources, value)
+      end
+
+      protected
+      def parse_condition_option(value)
+        self.conditions = ConditionBlock.new(value)
+      end
+
+      protected
+      def coerce_array_option(attr, value)
+        if value.kind_of?(Array)
+          send("#{attr}=", value)
+        else
+          send("#{attr}=", [value])
+        end
+      end
+
+      protected
+      def principals_hash
+        return nil unless principals
+        { "AWS" =>
+          principals.map do |principal|
+            principal == :any ? "*" : principal
+          end }
+      end
+
+      protected
+      def translate_action(action)
+        case action
+        when String then action
+        when :any   then '*'
+        when Symbol
+
+          if self.class == AWS::Policy::Statement
+            msg = 'symbolized action names are only accepted by service ' +
+            'specific policies (e.g. AWS::S3::Policy)'
+            raise ArgumentError, msg
+          end
+
+          unless self.class::ACTION_MAPPING.has_key?(action)
+            raise ArgumentError, "unrecognized action: #{action}"
+          end
+
+          self.class::ACTION_MAPPING[action]
+
+        end
+      end
+
+      protected
+      def translated_actions
+        return nil unless actions
+        actions.map do |action|
+          translate_action(action)
+        end
+      end
+
+      protected
+      def translated_excluded_actions
+        return nil unless excluded_actions
+        excluded_actions.map { |a| translate_action(a) }
+      end
+
+      protected
+      def resource_arns
+        return nil unless resources
+        resources.map do |resource| 
+          case resource
+          when :any    then "*"
+          else resource_arn(resource)
+          end
+        end
+      end
+
+      protected
+      def resource_arn resource
+        resource.to_s
+      end
+
+    end
+
+  end
+
+end