in samtranslator/swagger/swagger.py [0:0]
def _add_ip_resource_policy_for_method(self, ip_list, conditional, resource_list):  # type: ignore[no-untyped-def]
    """
    Append an IP-range resource policy for the given API resources to ``self.resource_policy``
    (the document emitted under ``x-amazon-apigateway-policy``).

    Two statements are produced: a blanket ``Allow`` for principal ``*`` on ``resource_list``, and an
    explicit ``Deny`` on the same resources conditioned on ``aws:SourceIp``.  With ``conditional`` set to
    ``IpAddress`` the listed ranges are denied (block-list); with ``NotIpAddress`` every source outside the
    listed ranges is denied (allow-list).  IAM evaluates an explicit Deny over any Allow regardless of the
    order of statements, so the pair is safe to merge into an existing statement list.

    :param ip_list: a CIDR range or list of CIDR ranges; a bare value is wrapped into a one-element list.
        An empty/None value makes the call a no-op.
    :param conditional: ``"IpAddress"`` or ``"NotIpAddress"``.
    :param resource_list: the execute-api ARN(s) the statements apply to.
    :raises InvalidDocumentException: If the conditional passed in does not match the allowed values.
    """
    if not ip_list:
        return
    if not isinstance(ip_list, list):
        ip_list = [ip_list]

    allowed_conditionals = ["IpAddress", "NotIpAddress"]
    if conditional not in allowed_conditionals:
        raise InvalidDocumentException(
            [InvalidTemplateException("Conditional must be one of {}".format(allowed_conditionals))]
        )

    self.resource_policy["Version"] = "2012-10-17"

    def build_statement(effect):  # type: ignore[no-untyped-def]
        # Py27Dict keeps insertion order stable across Python versions; key order matters for the
        # rendered document, so the keys are always set in the same sequence.
        stmt = Py27Dict()
        stmt["Effect"] = effect
        stmt["Action"] = "execute-api:Invoke"
        stmt["Resource"] = resource_list
        stmt["Principal"] = "*"
        return stmt

    allow_stmt = build_statement("Allow")
    deny_stmt = build_statement("Deny")
    deny_stmt["Condition"] = {conditional: {"aws:SourceIp": ip_list}}

    existing = self.resource_policy.get("Statement")
    if existing is None:
        self.resource_policy["Statement"] = [allow_stmt, deny_stmt]
        return

    # A single statement may have been stored as a bare mapping; normalise to a list before merging.
    statements = existing if isinstance(existing, list) else [existing]
    for stmt in (allow_stmt, deny_stmt):
        # Skip statements that are already present so repeated calls do not duplicate entries.
        if stmt not in statements:
            statements.append(stmt)
    self.resource_policy["Statement"] = statements