@cloud-copilot/iam-expand 0.1.0

package/README.md

@@ -0,0 +1,269 @@
+# Expand IAM Actions
+This will expand the actions of the IAM policy to show the individual actions. Useful for when you want to see the individual actions that are included in a wildcard action or are not allowed to use wildcards for security or compliance reasons.
+
+Published in ESM and CommonJS and available as a [CLI](#cli).
+
+Use this to:
+1) Expand out wildcards in actions when you are not allowed to use wildcards in your IAM policy.
+2) Get an exhaustive list of actions that are included in a policy and quickly search it for interesting actions.
+3) Investigate where dangerous or dubious actions are being used in your policies.
+
+```typescript
+import { expandIamActions } from '@cloud-copilot/iam-expand';
+
+expandIamActions('s3:Get*Tagging')
+[
+  's3:GetBucketTagging',
+  's3:GetJobTagging',
+  's3:GetObjectTagging',
+  's3:GetObjectVersionTagging',
+  's3:GetStorageLensConfigurationTagging'
+]
+
+expandIamActions(['s3:Get*Tagging', 's3:Put*Tagging'])
+[
+  's3:GetBucketTagging',
+  's3:GetJobTagging',
+  's3:GetObjectTagging',
+  's3:GetObjectVersionTagging',
+  's3:GetStorageLensConfigurationTagging',
+  's3:PutBucketTagging',
+  's3:PutJobTagging',
+  's3:PutObjectTagging',
+  's3:PutObjectVersionTagging',
+  's3:PutStorageLensConfigurationTagging'
+]
+```
+
+## API
+`expandIamActions` is the main function that will expand the actions of the IAM policy. Takes a string or array of strings and returns an array of strings that the input matches.
+
+## Only Valid Values
+`expandIamActions` intends to only return valid actual actions, if any invalid values are passed in such as an invalid format or a service/action that does not exist, they will be left out of the output. There are options to override this behavior.
+
+## Options
+`expandIamActions` takes an optional second argument that is an object with the following options:
+
+### `expandAsterik`
+By default, a single `*` not be expanded. We assume that if you want a list of all IAM actions there are other sources you will check, such as [@cloud-copilot/iam-data](https://github.com/cloud-copilot/iam-data). If you want to expand a single `*` you can set this option to `true`.
+
+```typescript
+import { expandIamActions } from '@cloud-copilot/iam-expand';
+
+//Returns the unexpanded value
+expandIamActions('*')
+['*']
+
+//Returns the expanded value
+expandIamActions('*', { expandAsterik: true })
+[
+  //Many many strings. 🫢
+]
+```
+### `expandServiceAsterik`
+By default, a service name followed by a `*` (such as `s3:*` or `lambda:*`) will not be expanded. If you want to expand these you can set this option to `true`.
+
+```typescript
+import { expandIamActions } from '@cloud-copilot/iam-expand';
+
+//Returns the unexpanded value
+expandIamActions('s3:*')
+['s3:*']
+
+//Returns the expanded value
+expandIamActions('s3:*', { expandServiceAsterik: true })
+[
+  //All the s3 actions. 🫢
+]
+```
+
+### `distinct`
+If you include multiple patterns that have overlapping matching actions, the same action will be included multiple times in the output. If you want to remove duplicates you can set this option to `true`.
+
+```typescript
+import { expandIamActions } from '@cloud-copilot/iam-expand';
+
+//Returns duplication values (s3:GetObjectTagging)
+expandIamActions(['s3:GetObject*','s3:Get*Tagging'])
+[
+  's3:GetObject',
+  's3:GetObjectAcl',
+  's3:GetObjectAttributes',
+  's3:GetObjectLegalHold',
+  's3:GetObjectRetention',
+  's3:GetObjectTagging',
+  ...
+  's3:GetObjectTagging',
+  's3:GetObjectVersionTagging',
+  's3:GetStorageLensConfigurationTagging'
+]
+
+//Duplicates removed and order maintained
+expandIamActions(['s3:GetObject*','s3:Get*Tagging'],{distinct:true})
+[
+  's3:GetObject',
+  's3:GetObjectAcl',
+  's3:GetObjectAttributes',
+  's3:GetObjectLegalHold',
+  's3:GetObjectRetention',
+  's3:GetObjectTagging',
+  's3:GetObjectTorrent',
+  's3:GetObjectVersion',
+  's3:GetObjectVersionAcl',
+  's3:GetObjectVersionAttributes',
+  's3:GetObjectVersionForReplication',
+  's3:GetObjectVersionTagging',
+  's3:GetObjectVersionTorrent',
+  's3:GetBucketTagging',
+  's3:GetJobTagging',
+  's3:GetStorageLensConfigurationTagging'
+]
+```
+
+### `sort`
+By default, the output will be sorted based on the order of the input. If you want the output to be sorted alphabetically you can set this option to `true`.
+
+```typescript
+import { expandIamActions } from '@cloud-copilot/iam-expand';
+
+//By default the output is sorted based on the order of the input
+expandIamActions(['s3:Get*Tagging','ec2:*Tags'])
+[
+  's3:GetBucketTagging',
+  's3:GetJobTagging',
+  's3:GetObjectTagging',
+  's3:GetObjectVersionTagging',
+  's3:GetStorageLensConfigurationTagging',
+  'ec2:CreateTags',
+  'ec2:DeleteTags',
+  'ec2:DescribeTags'
+]
+
+//Output is sorted alphabetically
+expandIamActions(['s3:Get*Tagging','ec2:*Tags'], {sort: true})
+[
+  'ec2:CreateTags',
+  'ec2:DeleteTags',
+  'ec2:DescribeTags',
+  's3:GetBucketTagging',
+  's3:GetJobTagging',
+  's3:GetObjectTagging',
+  's3:GetObjectVersionTagging',
+  's3:GetStorageLensConfigurationTagging'
+]
+
+```
+
+### `errorOnInvalidFormat`
+By default, if an invalid format is passed in, such as:
+*  `s3Get*Tagging` (missing a separator) or
+*  `s3:Get:Tagging*` (too many separators)
+
+it will be silenty ignored and left out of the output. If you want to throw an error when an invalid format is passed in you can set this option to `true`.
+
+```typescript
+import { expandIamActions } from '@cloud-copilot/iam-expand';
+
+//Ignore invalid format
+expandIamActions('s3Get*Tagging')
+[]
+
+//Throw an error on invalid format
+expandIamActions('s3Get*Tagging', { errorOnInvalidFormat: true })
+//Uncaught Error: Invalid action format: s3Get*Tagging
+```
+
+### `errorOnMissingService`
+By default, if a service is passed in that does not exist in the IAM data, it will be silently ignored and left out of the output. If you want to throw an error when a service is passed in that does not exist you can set this option to `true`.
+
+```typescript
+import { expandIamActions } from '@cloud-copilot/iam-expand';
+
+//Ignore missing service
+expandIamActions('r2:Get*Tagging')
+[]
+
+//Throw an error on missing service
+expandIamActions('r2:Get*Tagging', { errorOnMissingService: true })
+//Uncaught Error: Service not found: r2
+```
+
+## CLI
+There is a CLI available to expand IAM Actions!
+
+### Install
+```bash
+npm install -g @cloud-copilot/iam-expand
+```
+or
+```
+yarn global add @cloud-copilot/iam-expand
+```
+
+
+
+### Simple Usage
+The simplest usage is to pass in the actions you want to expand.
+```bash
+iam-expand s3:Get* s3:*Tag*
+```
+
+You can pass in all options available through the api as dash separated flags.
+
+_Prints all matching actions for s3:Get*Tagging, s3:*Tag*, and ec2:* in alphabetical order with duplicates removed:_
+```bash
+iam-expand s3:Get*Tagging s3:*Tag* ec2:* --expand-service-asterik --distinct --sort
+```
+
+### Help
+Running the command with no options shows usage help;
+```bash
+iam-expand
+```
+
+### Read from stdin
+The CLI is able to read from stdin, and this is really meant to be abused. It essentialy greps the content for anything resembling and action and expands it. Throw anything at it and it will find all the actions it can and expand them.
+
+If no actions are passed as arguments, the CLI will read from stdin.
+
+You can echo some content:
+```bash
+echo "s3:Get*Tagging" | iam-expand
+```
+
+You can pull out part of a json file and pipe it in:
+```bash
+cat policy.json | jq '.Statement[].Action' | iam-expand
+```
+
+Or just send in the whole file:
+```bash
+cat policy.json | iam-expand
+```
+
+Or some Terraform:
+```bash
+cat main.tf | iam-expand
+```
+
+Or some CloudFormation:
+```bash
+cat template.yaml | iam-expand
+```
+
+Or even some HTML:
+```bash
+curl "https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SecurityAudit.html" | iam-expand
+```
+
+Or the output of a command:
+
+This will search for all inline policies that have have
+```bash
+aws iam get-account-authorization-details --output json | iam-expand --expand-service-asterik --read-wait-time=20_000 | grep kms:DisableKey
+```
+_--expand-service-asterik makes sure kms:* is expaneded out so you can find the DisableKey action. --read-wait-time=20_000 gives the cli command more time to return it's first byte of output_
+
+Because of the likelyhood of finding an aseterik `*` in the input, the stdin option will not find or expand a single `*` even if `--expand-asterik` is passed.
+
+Please give this anything you can think of and open an issue if you see an opportunity for improvement.

package/dist/cjs/cli.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=cli.d.ts.map

package/dist/cjs/cli.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../../src/cli.ts"],"names":[],"mappings":""}

package/dist/cjs/cli.js

@@ -0,0 +1,76 @@
+#!/usr/bin/env node
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const iam_data_1 = require("@cloud-copilot/iam-data");
+const cli_utils_js_1 = require("./cli_utils.js");
+const expand_js_1 = require("./expand.js");
+const commandName = 'iam-expand';
+function expandAndPrint(actionStrings, options) {
+    try {
+        const result = (0, expand_js_1.expandIamActions)(actionStrings, options);
+        for (const action of result) {
+            console.log(action);
+        }
+    }
+    catch (e) {
+        console.error(e.message);
+        process.exit(1);
+    }
+}
+function printUsage() {
+    console.log('No arguments provided or input from stdin.');
+    console.log('Usage:');
+    console.log(`  ${commandName} [options] [action1] [action2] ...`);
+    console.log(`  <input from stdout> | ${commandName} [options]`);
+    console.log('Action Expanding Options:');
+    console.log('  --distinct: Remove duplicate actions');
+    console.log('  --sort: Sort the actions');
+    console.log('  --expand-asterik: Expand the * action to all actions');
+    console.log('  --expand-service-asterik: Expand service:* to all actions for that service');
+    console.log('  --error-on-missing-service: Throw an error if a service is not found');
+    console.log('  --error-on-invalid-format: Throw an error if the action string is not in the correct format');
+    console.log('  --invalid-action-behavior: What to do when an invalid action is encountered:');
+    console.log('    --invalid-action-behavior=remove: Remove the invalid action');
+    console.log('    --invalid-action-behavior=include: Include the invalid action');
+    console.log('    --invalid-action-behavior=error: Throw an error if an invalid action is encountered');
+    console.log('CLI Behavior Options:');
+    console.log('  --show-data-version: Print the version of the iam-data package being used and exit');
+    console.log('  --read-wait-time: Millisenconds to wait for input from stdin before timing out.');
+    console.log('                    Example: --read-wait-time=10_000');
+    process.exit(1);
+}
+const args = process.argv.slice(2); // Ignore the first two elements
+const actionStrings = [];
+const optionStrings = [];
+for (const arg of args) {
+    if (arg.startsWith('--')) {
+        optionStrings.push(arg);
+    }
+    else {
+        actionStrings.push(arg);
+    }
+}
+async function run() {
+    const options = (0, cli_utils_js_1.convertOptions)(optionStrings);
+    if (options.showDataVersion) {
+        console.log(`@cloud-copilot/iam-data version: ${(0, iam_data_1.iamDataVersion)()}`);
+        return;
+    }
+    if (actionStrings.length === 0) {
+        const otherActions = await (0, cli_utils_js_1.parseStdInActions)(options);
+        if (otherActions.length > 0 && options.expandAsterik) {
+            console.warn('Notice: --expand-asterik is not supported when reading from stdin, ignoring.');
+        }
+        actionStrings.push(...otherActions);
+    }
+    if (actionStrings.length > 0) {
+        expandAndPrint(actionStrings, options);
+        return;
+    }
+    printUsage();
+}
+run().catch((e) => {
+    console.error(e);
+    process.exit(1);
+}).then(() => process.exit(0)).finally(() => { });
+//# sourceMappingURL=cli.js.map

package/dist/cjs/cli.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../../src/cli.ts"],"names":[],"mappings":";;;AAEA,sDAAyD;AACzD,iDAAmE;AACnE,2CAAwE;AAExE,MAAM,WAAW,GAAG,YAAY,CAAA;AAEhC,SAAS,cAAc,CAAC,aAAuB,EAAE,OAAyC;IACxF,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAA,4BAAgB,EAAC,aAAa,EAAE,OAAO,CAAC,CAAA;QACvD,KAAK,MAAM,MAAM,IAAI,MAAM,EAAE,CAAC;YAC5B,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QACrB,CAAC;IACH,CAAC;IAAC,OAAO,CAAM,EAAE,CAAC;QAChB,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,CAAA;QACxB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACjB,CAAC;AACH,CAAC;AAED,SAAS,UAAU;IACjB,OAAO,CAAC,GAAG,CAAC,4CAA4C,CAAC,CAAA;IACzD,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;IACrB,OAAO,CAAC,GAAG,CAAC,KAAK,WAAW,oCAAoC,CAAC,CAAA;IACjE,OAAO,CAAC,GAAG,CAAC,2BAA2B,WAAW,YAAY,CAAC,CAAA;IAC/D,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAA;IACxC,OAAO,CAAC,GAAG,CAAC,wCAAwC,CAAC,CAAA;IACrD,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAA;IACzC,OAAO,CAAC,GAAG,CAAC,wDAAwD,CAAC,CAAA;IACrE,OAAO,CAAC,GAAG,CAAC,8EAA8E,CAAC,CAAA;IAC3F,OAAO,CAAC,GAAG,CAAC,wEAAwE,CAAC,CAAA;IACrF,OAAO,CAAC,GAAG,CAAC,+FAA+F,CAAC,CAAA;IAC5G,OAAO,CAAC,GAAG,CAAC,gFAAgF,CAAC,CAAA;IAC7F,OAAO,CAAC,GAAG,CAAC,iEAAiE,CAAC,CAAA;IAC9E,OAAO,CAAC,GAAG,CAAC,mEAAmE,CAAC,CAAA;IAChF,OAAO,CAAC,GAAG,CAAC,yFAAyF,CAAC,CAAA;IACtG,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAA;IACpC,OAAO,CAAC,GAAG,CAAC,sFAAsF,CAAC,CAAA;IACnG,OAAO,CAAC,GAAG,CAAC,mFAAmF,CAAC,CAAA;IAChG,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAA;IACnE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC;AAED,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,gCAAgC;AACpE,MAAM,aAAa,GAAa,EAAE,CAAA;AAClC,MAAM,aAAa,GAAa,EAAE,CAAA;AAElC,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,IAAG,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACxB,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACzB,CAAC;SAAM,CAAC;QACN,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACzB,CAAC;AACH,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,MAAM,OAAO,GAAG,IAAA,6BAAc,EAAC,aAAa,CAAC,CAAA;IAC7C,IAAG,OAAO,CAAC,eAAe,EAAE,CAAC;QAC3B,OAAO,CAAC,GAAG,CAAC,oCAAoC,IAAA,yBAAc,GAAE,EAAE,CAAC,CAAA;QACnE,OAAM;IACR,CAAC;IAED,IAAG,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9B,MAAM,YAAY,GAAG,MAAM,IAAA,gCAAiB,EAAC,OAAO,CAAC,CAAA;QACrD,IAAG,YAAY,CAAC,MAAM,GAAG,CAAC,IAAI,OAAO,CAAC,aAAa,EAAE,CAAC;YACpD,OAAO,CAAC,IAAI,CAAC,8EAA8E,CAAC,CAAA;QAC9F,CAAC;QACD,aAAa,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,CAAA;IACrC,CAAC;IAED,IAAG,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,cAAc,CAAC,aAAa,EAAE,OAAO,CAAC,CAAA;QACtC,OAAM;IACR,CAAC;IAED,UAAU,EAAE,CAAA;AACd,CAAC;AAED,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;IAChB,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;IAChB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAA"}

package/dist/cjs/cli_utils.d.ts

@@ -0,0 +1,27 @@
+import { ExpandIamActionsOptions } from "./expand.js";
+interface CliOptions extends ExpandIamActionsOptions {
+    showDataVersion: boolean;
+    readWaitTime: string;
+}
+/**
+ * Convert a dash-case string to camelCase
+ * @param str the string to convert
+ * @returns the camelCase string
+ */
+export declare function dashToCamelCase(str: string): string;
+/**
+ * Convert an array of option strings to an object
+ *
+ * @param optionArgs the array of option strings to convert
+ * @returns the object representation of the options
+ */
+export declare function convertOptions(optionArgs: string[]): Partial<CliOptions>;
+export declare function extractActionsFromLineOfInput(line: string): string[];
+/**
+ * Parse the actions from stdin
+ *
+ * @returns an array of strings from stdin
+ */
+export declare function parseStdInActions(options: Partial<CliOptions>): Promise<string[]>;
+export {};
+//# sourceMappingURL=cli_utils.d.ts.map

package/dist/cjs/cli_utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli_utils.d.ts","sourceRoot":"","sources":["../../src/cli_utils.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,uBAAuB,EAAyB,MAAM,aAAa,CAAC;AAG7E,UAAU,UAAW,SAAQ,uBAAuB;IAClD,eAAe,EAAE,OAAO,CAAA;IACxB,YAAY,EAAE,MAAM,CAAA;CACrB;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAGnD;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,UAAU,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,UAAU,CAAC,CAyBxE;AAGD,wBAAgB,6BAA6B,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAMpE;AAED;;;;GAIG;AACH,wBAAsB,iBAAiB,CAAC,OAAO,EAAE,OAAO,CAAC,UAAU,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAWvF"}

package/dist/cjs/cli_utils.js

@@ -0,0 +1,69 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.dashToCamelCase = dashToCamelCase;
+exports.convertOptions = convertOptions;
+exports.extractActionsFromLineOfInput = extractActionsFromLineOfInput;
+exports.parseStdInActions = parseStdInActions;
+const expand_js_1 = require("./expand.js");
+const stdin_js_1 = require("./stdin.js");
+/**
+ * Convert a dash-case string to camelCase
+ * @param str the string to convert
+ * @returns the camelCase string
+ */
+function dashToCamelCase(str) {
+    str = str.substring(2);
+    return str.replace(/-([a-z])/g, (g) => g[1].toUpperCase());
+}
+/**
+ * Convert an array of option strings to an object
+ *
+ * @param optionArgs the array of option strings to convert
+ * @returns the object representation of the options
+ */
+function convertOptions(optionArgs) {
+    const options = {};
+    for (const option of optionArgs) {
+        let key = option;
+        let value = true;
+        if (option.includes('=')) {
+            [key, value] = option.split('=');
+        }
+        options[dashToCamelCase(key)] = value;
+    }
+    if (typeof (options.invalidActionBehavior) === 'string') {
+        const behaviorString = options.invalidActionBehavior;
+        const cleanedInput = behaviorString.charAt(0).toUpperCase() + behaviorString.slice(1).toLowerCase();
+        const behavior = expand_js_1.InvalidActionBehavior[cleanedInput];
+        if (behavior) {
+            options.invalidActionBehavior = behavior;
+        }
+        else {
+            delete options['invalidActionBehavior'];
+        }
+    }
+    return options;
+}
+const actionPattern = /\:?([a-zA-Z0-9]+:[a-zA-Z0-9*]+)/g;
+function extractActionsFromLineOfInput(line) {
+    const matches = line.matchAll(actionPattern);
+    return Array.from(matches)
+        .filter((match) => !match[0].startsWith('arn:') && !match[0].startsWith(':'))
+        .map((match) => match[1]);
+}
+/**
+ * Parse the actions from stdin
+ *
+ * @returns an array of strings from stdin
+ */
+async function parseStdInActions(options) {
+    const delay = options.readWaitTime ? parseInt(options.readWaitTime.replaceAll(/\D/g, '')) : undefined;
+    const data = await (0, stdin_js_1.readStdin)(delay);
+    if (data.length === 0) {
+        return [];
+    }
+    const lines = data.split('\n');
+    const actions = lines.flatMap(line => extractActionsFromLineOfInput(line));
+    return actions;
+}
+//# sourceMappingURL=cli_utils.js.map

package/dist/cjs/cli_utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli_utils.js","sourceRoot":"","sources":["../../src/cli_utils.ts"],"names":[],"mappings":";;AAcA,0CAGC;AAQD,wCAyBC;AAGD,sEAMC;AAOD,8CAWC;AA5ED,2CAA6E;AAC7E,yCAAuC;AAOvC;;;;GAIG;AACH,SAAgB,eAAe,CAAC,GAAW;IACzC,GAAG,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,CAAA;IACtB,OAAO,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;AAC7D,CAAC;AAED;;;;;GAKG;AACH,SAAgB,cAAc,CAAC,UAAoB;IACjD,MAAM,OAAO,GAAqC,EAAE,CAAE;IAEtD,KAAI,MAAM,MAAM,IAAI,UAAU,EAAE,CAAC;QAC/B,IAAI,GAAG,GAAW,MAAM,CAAA;QACxB,IAAI,KAAK,GAAqB,IAAI,CAAA;QAClC,IAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACxB,CAAC,GAAG,EAAC,KAAK,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QACjC,CAAC;QAED,OAAO,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,GAAG,KAAK,CAAA;IACvC,CAAC;IAED,IAAG,OAAM,CAAC,OAAO,CAAC,qBAAqB,CAAC,KAAK,QAAQ,EAAE,CAAC;QACtD,MAAM,cAAc,GAAG,OAAO,CAAC,qBAA+B,CAAA;QAC9D,MAAM,YAAY,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;QACpG,MAAM,QAAQ,GAAG,iCAAqB,CAAC,YAAkD,CAAC,CAAC;QAC3F,IAAG,QAAQ,EAAE,CAAC;YACZ,OAAO,CAAC,qBAAqB,GAAG,QAAQ,CAAA;QAC1C,CAAC;aAAM,CAAC;YACN,OAAO,OAAO,CAAC,uBAAuB,CAAC,CAAA;QACzC,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAA;AAChB,CAAC;AAED,MAAM,aAAa,GAAG,kCAAkC,CAAC;AACzD,SAAgB,6BAA6B,CAAC,IAAY;IACxD,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAA;IAE5C,OAAO,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC;SACb,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;SAC5E,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAA;AACvC,CAAC;AAED;;;;GAIG;AACI,KAAK,UAAU,iBAAiB,CAAC,OAA4B;IAClE,MAAM,KAAK,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,YAAY,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;IACrG,MAAM,IAAI,GAAG,MAAM,IAAA,oBAAS,EAAC,KAAK,CAAC,CAAA;IACnC,IAAG,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrB,OAAO,EAAE,CAAA;IACX,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAE9B,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,6BAA6B,CAAC,IAAI,CAAC,CAAC,CAAA;IAC1E,OAAO,OAAO,CAAA;AAChB,CAAC"}

package/dist/cjs/expand.d.ts

@@ -0,0 +1,69 @@
+export declare enum InvalidActionBehavior {
+    Remove = "Remove",
+    Error = "Error",
+    Include = "Include"
+}
+/**
+ * Options for the expand function
+ *
+ */
+export interface ExpandIamActionsOptions {
+    /**
+     * If true, a single `*` will be expanded to all actions for all services
+     * If false, a single `*` will be returned as is
+     * Default: false
+     */
+    expandAsterik: boolean;
+    /**
+     * If true, `service:*` will be expanded to all actions for that service
+     * If false, `service:*` will be returned as is
+     * Default: false
+     */
+    expandServiceAsterik: boolean;
+    /**
+     * If true, an error will be thrown if the action string is not in the correct format
+     * If false, an empty array will be returned
+     * Default: false
+     */
+    errorOnInvalidFormat: boolean;
+    /**
+     * If true, an error will be thrown if the service in the action string does not exist
+     * If false, an empty array will be returned
+     * Default: false
+     */
+    errorOnMissingService: boolean;
+    /**
+     * If true, only unique values will be returned, while maintaining order
+     * If false, all values will be returned, even if they are duplicates
+     * Default: false
+     */
+    distinct: boolean;
+    /**
+     * The behavior to use when an invalid action is encountered without wildcards
+     * @{InvalidActionBehavior.Remove} will remove the invalid action from the output
+     * @{InvalidActionBehavior.Error} will throw an error if an invalid action is encountered
+     * @{InvalidActionBehavior.Include} will include the invalid action in the output
+     *
+     * Default: InvalidActionBehavior.Remove
+     */
+    invalidActionBehavior: InvalidActionBehavior;
+    /**
+     * If true, the returned array will be sorted
+     * If false, the returned array will be in the order they were expanded
+     * Default: false
+     */
+    sort: boolean;
+}
+/**
+ * Expands an IAM action string that contains wildcards.
+ * If the action string contains no wildcards, it is returned as is.
+ * @see {@link ExpandIamActionsOptions} for options to customize behavior
+ *
+ * If any options are set to throw an error, the function will throw an error if validation fails for a single value.
+ *
+ * @param actionStringOrStrings An IAM action or array IAM action(s) that may contain wildcards
+ * @param overrideOptions Options to override the default behavior
+ * @returns An array of expanded action strings flattend to a single array
+ */
+export declare function expandIamActions(actionStringOrStrings: string | string[], overrideOptions?: Partial<ExpandIamActionsOptions>): string[];
+//# sourceMappingURL=expand.d.ts.map

package/dist/cjs/expand.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"expand.d.ts","sourceRoot":"","sources":["../../src/expand.ts"],"names":[],"mappings":"AAEA,oBAAY,qBAAqB;IAC/B,MAAM,WAAW;IACjB,KAAK,UAAU;IACf,OAAO,YAAY;CACpB;AAED;;;GAGG;AACH,MAAM,WAAW,uBAAuB;IACtC;;;;OAIG;IACH,aAAa,EAAE,OAAO,CAAA;IAEtB;;;;OAIG;IACH,oBAAoB,EAAE,OAAO,CAAA;IAE7B;;;;OAIG;IACH,oBAAoB,EAAE,OAAO,CAAA;IAE7B;;;;OAIG;IACH,qBAAqB,EAAE,OAAO,CAAA;IAE9B;;;;OAIG;IACH,QAAQ,EAAE,OAAO,CAAA;IAGjB;;;;;;;OAOG;IACH,qBAAqB,EAAE,qBAAqB,CAAA;IAE5C;;;;OAIG;IACH,IAAI,EAAE,OAAO,CAAA;CACd;AAcD;;;;;;;;;;GAUG;AACH,wBAAgB,gBAAgB,CAAC,qBAAqB,EAAE,MAAM,GAAG,MAAM,EAAE,EAAE,eAAe,CAAC,EAAE,OAAO,CAAC,uBAAuB,CAAC,GAAG,MAAM,EAAE,CA8FvI"}

package/dist/cjs/expand.js

@@ -0,0 +1,118 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.InvalidActionBehavior = void 0;
+exports.expandIamActions = expandIamActions;
+const iam_data_1 = require("@cloud-copilot/iam-data");
+var InvalidActionBehavior;
+(function (InvalidActionBehavior) {
+    InvalidActionBehavior["Remove"] = "Remove";
+    InvalidActionBehavior["Error"] = "Error";
+    InvalidActionBehavior["Include"] = "Include";
+})(InvalidActionBehavior || (exports.InvalidActionBehavior = InvalidActionBehavior = {}));
+const defaultOptions = {
+    expandAsterik: false,
+    expandServiceAsterik: false,
+    errorOnInvalidFormat: false,
+    errorOnMissingService: false,
+    invalidActionBehavior: InvalidActionBehavior.Remove,
+    distinct: false,
+    sort: false
+};
+const allAsteriksPattern = /^\*+$/i;
+/**
+ * Expands an IAM action string that contains wildcards.
+ * If the action string contains no wildcards, it is returned as is.
+ * @see {@link ExpandIamActionsOptions} for options to customize behavior
+ *
+ * If any options are set to throw an error, the function will throw an error if validation fails for a single value.
+ *
+ * @param actionStringOrStrings An IAM action or array IAM action(s) that may contain wildcards
+ * @param overrideOptions Options to override the default behavior
+ * @returns An array of expanded action strings flattend to a single array
+ */
+function expandIamActions(actionStringOrStrings, overrideOptions) {
+    const options = { ...defaultOptions, ...overrideOptions };
+    if (!actionStringOrStrings) {
+        //Just in case the user passes in null or undefined
+        return [];
+    }
+    if (Array.isArray(actionStringOrStrings)) {
+        let allMatches = actionStringOrStrings.flatMap(actionString => expandIamActions(actionString, options));
+        if (options.distinct) {
+            const aSet = new Set();
+            allMatches = allMatches.filter((value) => {
+                if (aSet.has(value)) {
+                    return false;
+                }
+                aSet.add(value);
+                return true;
+            });
+        }
+        if (options.sort) {
+            allMatches.sort();
+        }
+        return allMatches;
+    }
+    const actionString = actionStringOrStrings.trim();
+    if (actionString.match(allAsteriksPattern)) {
+        if (options.expandAsterik) {
+            //If that's really what you want...
+            return (0, iam_data_1.iamServiceKeys)().flatMap(service => (0, iam_data_1.iamActionsForService)(service).map(action => `${service}:${action}`));
+        }
+        return ['*'];
+    }
+    if (!actionString.includes(':')) {
+        if (options.errorOnInvalidFormat) {
+            throw new Error(`Invalid action format: ${actionString}`);
+        }
+        return [];
+    }
+    const parts = actionString.split(':');
+    if (parts.length !== 2) {
+        if (options.errorOnInvalidFormat) {
+            throw new Error(`Invalid action format: ${actionString}`);
+        }
+        return [];
+    }
+    const [service, wildcardActions] = parts.map(part => part.toLowerCase());
+    if (!(0, iam_data_1.iamServiceExists)(service)) {
+        if (options.errorOnMissingService) {
+            throw new Error(`Service not found: ${service}`);
+        }
+        return [];
+    }
+    if (wildcardActions.match(allAsteriksPattern)) {
+        if (options.expandServiceAsterik) {
+            return (0, iam_data_1.iamActionsForService)(service).map(action => `${service}:${action}`);
+        }
+        return [`${service}:*`];
+    }
+    if (!actionString.includes('*')) {
+        const actionExists = (0, iam_data_1.iamActionExists)(service, wildcardActions);
+        if (actionExists) {
+            return [actionString];
+        }
+        if (options.invalidActionBehavior === InvalidActionBehavior.Remove) {
+            return [];
+        }
+        else if (options.invalidActionBehavior === InvalidActionBehavior.Include) {
+            return [actionString];
+        }
+        else if (options.invalidActionBehavior === InvalidActionBehavior.Error) {
+            throw new Error(`Invalid action: ${actionString}`);
+        }
+        else {
+            //This should never happen
+            throw new Error(`Invalid invalidActionBehavior: ${options.invalidActionBehavior}`);
+        }
+    }
+    const allActions = (0, iam_data_1.iamActionsForService)(service);
+    const pattern = "^" + wildcardActions.replace(/\*/g, '.*?') + "$";
+    const regex = new RegExp(pattern, 'i');
+    const matchingActions = allActions.filter(action => regex.test(action)).map(action => `${service}:${action}`);
+    if (options.sort) {
+        matchingActions.sort();
+    }
+    return matchingActions;
+}
+//# sourceMappingURL=expand.js.map

package/dist/cjs/expand.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"expand.js","sourceRoot":"","sources":["../../src/expand.ts"],"names":[],"mappings":";;;AA0FA,4CA8FC;AAxLD,sDAAiH;AAEjH,IAAY,qBAIX;AAJD,WAAY,qBAAqB;IAC/B,0CAAiB,CAAA;IACjB,wCAAe,CAAA;IACf,4CAAmB,CAAA;AACrB,CAAC,EAJW,qBAAqB,qCAArB,qBAAqB,QAIhC;AA6DD,MAAM,cAAc,GAA4B;IAC9C,aAAa,EAAE,KAAK;IACpB,oBAAoB,EAAE,KAAK;IAC3B,oBAAoB,EAAE,KAAK;IAC3B,qBAAqB,EAAE,KAAK;IAC5B,qBAAqB,EAAE,qBAAqB,CAAC,MAAM;IACnD,QAAQ,EAAE,KAAK;IACf,IAAI,EAAE,KAAK;CACZ,CAAA;AAED,MAAM,kBAAkB,GAAG,QAAQ,CAAA;AAEnC;;;;;;;;;;GAUG;AACH,SAAgB,gBAAgB,CAAC,qBAAwC,EAAE,eAAkD;IAC3H,MAAM,OAAO,GAAG,EAAC,GAAG,cAAc,EAAE,GAAG,eAAe,EAAC,CAAA;IAEvD,IAAG,CAAC,qBAAqB,EAAE,CAAC;QAC1B,mDAAmD;QACnD,OAAO,EAAE,CAAA;IACX,CAAC;IAED,IAAG,KAAK,CAAC,OAAO,CAAC,qBAAqB,CAAC,EAAE,CAAC;QACxC,IAAI,UAAU,GAAG,qBAAqB,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC,gBAAgB,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC,CAAA;QACvG,IAAG,OAAO,CAAC,QAAQ,EAAE,CAAC;YACpB,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAA;YAC9B,UAAU,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;gBACvC,IAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;oBACnB,OAAO,KAAK,CAAA;gBACd,CAAC;gBACD,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;gBACf,OAAO,IAAI,CAAA;YACb,CAAC,CAAC,CAAA;QACJ,CAAC;QACD,IAAG,OAAO,CAAC,IAAI,EAAE,CAAC;YAChB,UAAU,CAAC,IAAI,EAAE,CAAA;QACnB,CAAC;QACD,OAAO,UAAU,CAAA;IACnB,CAAC;IAED,MAAM,YAAY,GAAG,qBAAqB,CAAC,IAAI,EAAE,CAAA;IAEjD,IAAG,YAAY,CAAC,KAAK,CAAC,kBAAkB,CAAC,EAAE,CAAC;QAC1C,IAAG,OAAO,CAAC,aAAa,EAAE,CAAC;YACzB,mCAAmC;YACnC,OAAO,IAAA,yBAAc,GAAE,CAAC,OAAO,CAC7B,OAAO,CAAC,EAAE,CAAC,IAAA,+BAAoB,EAAC,OAAO,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,GAAG,OAAO,IAAI,MAAM,EAAE,CAAC,CAC/E,CAAA;QACH,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,CAAA;IACd,CAAC;IAED,IAAG,CAAC,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/B,IAAG,OAAO,CAAC,oBAAoB,EAAE,CAAC;YAChC,MAAM,IAAI,KAAK,CAAC,0BAA0B,YAAY,EAAE,CAAC,CAAA;QAC3D,CAAC;QACD,OAAO,EAAE,CAAA;IACX,CAAC;IAED,MAAM,KAAK,GAAG,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACrC,IAAG,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,IAAG,OAAO,CAAC,oBAAoB,EAAE,CAAC;YAChC,MAAM,IAAI,KAAK,CAAC,0BAA0B,YAAY,EAAE,CAAC,CAAA;QAC3D,CAAC;QACD,OAAO,EAAE,CAAA;IACX,CAAC;IAED,MAAM,CAAC,OAAO,EAAE,eAAe,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAA;IACxE,IAAG,CAAC,IAAA,2BAAgB,EAAC,OAAO,CAAC,EAAE,CAAC;QAC9B,IAAG,OAAO,CAAC,qBAAqB,EAAE,CAAC;YACjC,MAAM,IAAI,KAAK,CAAC,sBAAsB,OAAO,EAAE,CAAC,CAAA;QAClD,CAAC;QACD,OAAO,EAAE,CAAA;IACX,CAAC;IAED,IAAG,eAAe,CAAC,KAAK,CAAC,kBAAkB,CAAC,EAAE,CAAC;QAC7C,IAAG,OAAO,CAAC,oBAAoB,EAAE,CAAC;YAChC,OAAO,IAAA,+BAAoB,EAAC,OAAO,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,GAAG,OAAO,IAAI,MAAM,EAAE,CAAC,CAAA;QAC5E,CAAC;QACD,OAAO,CAAC,GAAG,OAAO,IAAI,CAAC,CAAA;IACzB,CAAC;IAED,IAAG,CAAC,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/B,MAAM,YAAY,GAAG,IAAA,0BAAe,EAAC,OAAO,EAAE,eAAe,CAAC,CAAA;QAC9D,IAAG,YAAY,EAAE,CAAC;YAChB,OAAO,CAAC,YAAY,CAAC,CAAA;QACvB,CAAC;QACD,IAAG,OAAO,CAAC,qBAAqB,KAAK,qBAAqB,CAAC,MAAM,EAAE,CAAC;YAClE,OAAO,EAAE,CAAA;QACX,CAAC;aAAM,IAAG,OAAO,CAAC,qBAAqB,KAAK,qBAAqB,CAAC,OAAO,EAAE,CAAC;YAC1E,OAAO,CAAC,YAAY,CAAC,CAAA;QACvB,CAAC;aAAM,IAAG,OAAO,CAAC,qBAAqB,KAAK,qBAAqB,CAAC,KAAK,EAAE,CAAC;YACxE,MAAM,IAAI,KAAK,CAAC,mBAAmB,YAAY,EAAE,CAAC,CAAA;QACpD,CAAC;aAAM,CAAC;YACN,0BAA0B;YAC1B,MAAM,IAAI,KAAK,CAAC,kCAAkC,OAAO,CAAC,qBAAqB,EAAE,CAAC,CAAA;QACpF,CAAC;IACH,CAAC;IAED,MAAM,UAAU,GAAG,IAAA,+BAAoB,EAAC,OAAO,CAAC,CAAA;IAChD,MAAM,OAAO,GAAG,GAAG,GAAG,eAAe,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,GAAG,CAAA;IACjE,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;IACtC,MAAM,eAAe,GAAG,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,GAAG,OAAO,IAAI,MAAM,EAAE,CAAC,CAAA;IAC7G,IAAG,OAAO,CAAC,IAAI,EAAE,CAAC;QAChB,eAAe,CAAC,IAAI,EAAE,CAAA;IACxB,CAAC;IAED,OAAO,eAAe,CAAA;AACxB,CAAC"}

package/dist/cjs/index.d.ts

@@ -0,0 +1,2 @@
+export * from './expand.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/cjs/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,aAAa,CAAC"}