{-# LANGUAGE DataKinds                   #-}
{-# LANGUAGE DeriveGeneric               #-}
{-# LANGUAGE FlexibleInstances           #-}
{-# LANGUAGE GeneralizedNewtypeDeriving  #-}
{-# LANGUAGE LambdaCase                  #-}
{-# LANGUAGE NoImplicitPrelude           #-}
{-# LANGUAGE OverloadedStrings           #-}
{-# LANGUAGE RecordWildCards             #-}
{-# LANGUAGE TypeFamilies                #-}

{-# OPTIONS_GHC -fno-warn-unused-imports #-}

-- Module      : Network.AWS.STS.DecodeAuthorizationMessage
-- Copyright   : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>
-- License     : This Source Code Form is subject to the terms of
--               the Mozilla Public License, v. 2.0.
--               A copy of the MPL can be found in the LICENSE file or
--               you can obtain it at http://mozilla.org/MPL/2.0/.
-- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
-- Stability   : experimental
-- Portability : non-portable (GHC extensions)

-- | Decodes additional information about the authorization status of a request
-- from an encoded message returned in response to an AWS request.
--
-- For example, if a user is not authorized to perform an action that he or she
-- has requested, the request returns a 'Client.UnauthorizedOperation' response
-- (an HTTP 403 response). Some AWS actions additionally return an encoded
-- message that can provide details about this authorization failure.
--
-- The message is encoded because the details of the authorization status can
-- constitute privileged information that the user who requested the action
-- should not see. To decode an authorization status message, a user must be
-- granted permissions via an IAM policy to request the 'DecodeAuthorizationMessage' ('sts:DecodeAuthorizationMessage') action.
--
-- The decoded message includes the following type of information:
--
-- Whether the request was denied due to an explicit deny or due to the
-- absence of an explicit allow. For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_EvaluationLogic.html#policy-eval-denyallow Determining Whether aRequest is Allowed or Denied> in /Using IAM/.  The principal who made the
-- request. The requested action. The requested resource. The values of
-- condition keys in the context of the user's request.
--
-- <http://docs.aws.amazon.com/STS/latest/APIReference/API_DecodeAuthorizationMessage.html>
module Network.AWS.STS.DecodeAuthorizationMessage
    (
    -- * Request
      DecodeAuthorizationMessage
    -- ** Request constructor
    , decodeAuthorizationMessage
    -- ** Request lenses
    , damEncodedMessage

    -- * Response
    , DecodeAuthorizationMessageResponse
    -- ** Response constructor
    , decodeAuthorizationMessageResponse
    -- ** Response lenses
    , damrDecodedMessage
    ) where

import Network.AWS.Prelude
import Network.AWS.Request.Query
import Network.AWS.STS.Types
import qualified GHC.Exts

newtype DecodeAuthorizationMessage = DecodeAuthorizationMessage
    { _damEncodedMessage :: Text
    } deriving (Eq, Ord, Show, Monoid, IsString)

-- | 'DecodeAuthorizationMessage' constructor.
--
-- The fields accessible through corresponding lenses are:
--
-- * 'damEncodedMessage' @::@ 'Text'
--
decodeAuthorizationMessage :: Text -- ^ 'damEncodedMessage'
                           -> DecodeAuthorizationMessage
decodeAuthorizationMessage p1 = DecodeAuthorizationMessage
    { _damEncodedMessage = p1
    }

-- | The encoded message that was returned with the response.
damEncodedMessage :: Lens' DecodeAuthorizationMessage Text
damEncodedMessage =
    lens _damEncodedMessage (\s a -> s { _damEncodedMessage = a })

newtype DecodeAuthorizationMessageResponse = DecodeAuthorizationMessageResponse
    { _damrDecodedMessage :: Maybe Text
    } deriving (Eq, Ord, Show, Monoid)

-- | 'DecodeAuthorizationMessageResponse' constructor.
--
-- The fields accessible through corresponding lenses are:
--
-- * 'damrDecodedMessage' @::@ 'Maybe' 'Text'
--
decodeAuthorizationMessageResponse :: DecodeAuthorizationMessageResponse
decodeAuthorizationMessageResponse = DecodeAuthorizationMessageResponse
    { _damrDecodedMessage = Nothing
    }

-- | An XML document that contains the decoded message. For more information, see 'DecodeAuthorizationMessage'.
damrDecodedMessage :: Lens' DecodeAuthorizationMessageResponse (Maybe Text)
damrDecodedMessage =
    lens _damrDecodedMessage (\s a -> s { _damrDecodedMessage = a })

instance ToPath DecodeAuthorizationMessage where
    toPath = const "/"

instance ToQuery DecodeAuthorizationMessage where
    toQuery DecodeAuthorizationMessage{..} = mconcat
        [ "EncodedMessage" =? _damEncodedMessage
        ]

instance ToHeaders DecodeAuthorizationMessage

instance AWSRequest DecodeAuthorizationMessage where
    type Sv DecodeAuthorizationMessage = STS
    type Rs DecodeAuthorizationMessage = DecodeAuthorizationMessageResponse

    request  = post "DecodeAuthorizationMessage"
    response = xmlResponse

instance FromXML DecodeAuthorizationMessageResponse where
    parseXML = withElement "DecodeAuthorizationMessageResult" $ \x -> DecodeAuthorizationMessageResponse
        <$> x .@? "DecodedMessage"