@cloud-copilot/iam-lens 0.1.2 → 0.1.4
- package/dist/cjs/cli.d.ts +3 -0
- package/dist/cjs/cli.d.ts.map +1 -0
- package/dist/cjs/cli.js +113 -0
- package/dist/cjs/cli.js.map +1 -0
- package/dist/cjs/collect/client.d.ts +33 -0
- package/dist/cjs/collect/client.d.ts.map +1 -1
- package/dist/cjs/collect/client.js +58 -71
- package/dist/cjs/collect/client.js.map +1 -1
- package/dist/cjs/collect/inMemoryClient.d.ts +6 -0
- package/dist/cjs/collect/inMemoryClient.d.ts.map +1 -0
- package/dist/cjs/collect/inMemoryClient.js +11 -0
- package/dist/cjs/collect/inMemoryClient.js.map +1 -0
- package/dist/cjs/contextKeys.d.ts +5 -0
- package/dist/cjs/contextKeys.d.ts.map +1 -0
- package/dist/cjs/contextKeys.js +111 -0
- package/dist/cjs/contextKeys.js.map +1 -0
- package/dist/cjs/principals.d.ts +19 -20
- package/dist/cjs/principals.d.ts.map +1 -1
- package/dist/cjs/principals.js +44 -7
- package/dist/cjs/principals.js.map +1 -1
- package/dist/cjs/resources.d.ts +1 -0
- package/dist/cjs/resources.d.ts.map +1 -1
- package/dist/cjs/resources.js +20 -2
- package/dist/cjs/resources.js.map +1 -1
- package/dist/cjs/simulate.d.ts +11 -0
- package/dist/cjs/simulate.d.ts.map +1 -0
- package/dist/cjs/simulate.js +121 -0
- package/dist/cjs/simulate.js.map +1 -0
- package/dist/esm/cli.d.ts +3 -0
- package/dist/esm/cli.d.ts.map +1 -0
- package/dist/esm/cli.js +111 -0
- package/dist/esm/cli.js.map +1 -0
- package/dist/esm/collect/client.d.ts +33 -0
- package/dist/esm/collect/client.d.ts.map +1 -1
- package/dist/esm/collect/client.js +47 -60
- package/dist/esm/collect/client.js.map +1 -1
- package/dist/esm/collect/inMemoryClient.d.ts +6 -0
- package/dist/esm/collect/inMemoryClient.d.ts.map +1 -0
- package/dist/esm/collect/inMemoryClient.js +8 -0
- package/dist/esm/collect/inMemoryClient.js.map +1 -0
- package/dist/esm/contextKeys.d.ts +5 -0
- package/dist/esm/contextKeys.d.ts.map +1 -0
- package/dist/esm/contextKeys.js +108 -0
- package/dist/esm/contextKeys.js.map +1 -0
- package/dist/esm/principals.d.ts +19 -20
- package/dist/esm/principals.d.ts.map +1 -1
- package/dist/esm/principals.js +37 -4
- package/dist/esm/principals.js.map +1 -1
- package/dist/esm/resources.d.ts +1 -0
- package/dist/esm/resources.d.ts.map +1 -1
- package/dist/esm/resources.js +18 -1
- package/dist/esm/resources.js.map +1 -1
- package/dist/esm/simulate.d.ts +11 -0
- package/dist/esm/simulate.d.ts.map +1 -0
- package/dist/esm/simulate.js +118 -0
- package/dist/esm/simulate.js.map +1 -0
- package/package.json +8 -2
- package/dist/cjs/util/arn.d.ts +0 -26
- package/dist/cjs/util/arn.d.ts.map +0 -1
- package/dist/cjs/util/arn.js +0 -68
- package/dist/cjs/util/arn.js.map +0 -1
- package/dist/esm/util/arn.d.ts +0 -26
- package/dist/esm/util/arn.d.ts.map +0 -1
- package/dist/esm/util/arn.js +0 -64
- package/dist/esm/util/arn.js.map +0 -1
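--- a/package/dist/cjs/principals.d.ts
+++ b/package/dist/cjs/principals.d.ts
@@ -1,9 +1,21 @@
 import { AwsIamStore } from '@cloud-copilot/iam-collect';
-import { IamCollectClient } from './collect/client.js';
+import { IamCollectClient, InlinePolicy, ManagedPolicy, SimulationOrgPolicies } from './collect/client.js';
 /**
 * Check if a principal exists in the specified AWS IAM store.
 */
 export declare function principalExists(storageClient: AwsIamStore, principalArn: string): Promise<boolean>;
+export interface PrincipalPolicies {
+managedPolicies: ManagedPolicy[];
+inlinePolicies: InlinePolicy[];
+permissionBoundary: ManagedPolicy | undefined;
+scps: SimulationOrgPolicies[];
+rcps: SimulationOrgPolicies[];
+groupPolicies?: {
+group: string;
+managedPolicies: ManagedPolicy[];
+inlinePolicies: InlinePolicy[];
+}[];
+}
 /**
 * Get all the IAM policies for a user, including managed and inline policies, permission boundaries, and group policies.
 *
@@ -11,18 +23,7 @@ export declare function principalExists(storageClient: AwsIamStore, principalArn
 * @param principalArn the ARN of the user to get policies for
 * @returns an object containing the managed policies, inline policies, permission boundary, and group policies
 */
-export declare function getAllPoliciesForUser(collectClient: IamCollectClient, principalArn: string): Promise<
-scps: import("./collect/client.js").SimulationOrgPolicies[];
-rcps: import("./collect/client.js").SimulationOrgPolicies[];
-managedPolicies: import("./collect/client.js").ManagedPolicy[];
-inlinePolicies: import("./collect/client.js").InlinePolicy[];
-permissionBoundary: import("./collect/client.js").ManagedPolicy | undefined;
-groupPolicies: {
-group: string;
-managedPolices: import("./collect/client.js").ManagedPolicy[];
-inlinePolicies: import("./collect/client.js").InlinePolicy[];
-}[];
-}>;
+export declare function getAllPoliciesForUser(collectClient: IamCollectClient, principalArn: string): Promise<PrincipalPolicies>;
 /**
 * Get all the IAM policies for a role, including managed and inline policies and permission boundaries.
 *
@@ -30,11 +31,9 @@ export declare function getAllPoliciesForUser(collectClient: IamCollectClient, p
 * @param principalArn the ARN of the role to get policies for
 * @returns an object containing the managed policies, inline policies, and permission boundary
 */
-export declare function getAllPoliciesForRole(collectClient: IamCollectClient, principalArn: string): Promise<
-
-
-
-
-permissionBoundary: import("./collect/client.js").ManagedPolicy | undefined;
-}>;
+export declare function getAllPoliciesForRole(collectClient: IamCollectClient, principalArn: string): Promise<PrincipalPolicies>;
+export declare function getAllPoliciesForPrincipal(collectClient: IamCollectClient, principalArn: string): Promise<PrincipalPolicies>;
+export declare function isArnPrincipal(principal: string): boolean;
+export declare function isServicePrincipal(principal: string): boolean;
+export declare function isServiceLinkedRole(principal: string): boolean;
 //# sourceMappingURL=principals.d.ts.map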
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"principals.d.ts","sourceRoot":"","sources":["../../src/principals.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAA;
|
|
1
|
+
{"version":3,"file":"principals.d.ts","sourceRoot":"","sources":["../../src/principals.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAA;AAQxD,OAAO,EACL,gBAAgB,EAChB,YAAY,EACZ,aAAa,EACb,qBAAqB,EACtB,MAAM,qBAAqB,CAAA;AAE5B;;GAEG;AACH,wBAAsB,eAAe,CACnC,aAAa,EAAE,WAAW,EAC1B,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,OAAO,CAAC,CAIlB;AAED,MAAM,WAAW,iBAAiB;IAChC,eAAe,EAAE,aAAa,EAAE,CAAA;IAChC,cAAc,EAAE,YAAY,EAAE,CAAA;IAC9B,kBAAkB,EAAE,aAAa,GAAG,SAAS,CAAA;IAC7C,IAAI,EAAE,qBAAqB,EAAE,CAAA;IAC7B,IAAI,EAAE,qBAAqB,EAAE,CAAA;IAC7B,aAAa,CAAC,EAAE;QACd,KAAK,EAAE,MAAM,CAAA;QACb,eAAe,EAAE,aAAa,EAAE,CAAA;QAChC,cAAc,EAAE,YAAY,EAAE,CAAA;KAC/B,EAAE,CAAA;CACJ;AAED;;;;;;GAMG;AACH,wBAAsB,qBAAqB,CACzC,aAAa,EAAE,gBAAgB,EAC/B,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,iBAAiB,CAAC,CA2B5B;AAED;;;;;;GAMG;AACH,wBAAsB,qBAAqB,CACzC,aAAa,EAAE,gBAAgB,EAC/B,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,iBAAiB,CAAC,CAgB5B;AAED,wBAAsB,0BAA0B,CAC9C,aAAa,EAAE,gBAAgB,EAC/B,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,iBAAiB,CAAC,CAqB5B;AAED,wBAAgB,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAEzD;AAED,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAE7D;AAED,wBAAgB,mBAAmB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAG9D"}
|
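--- a/package/dist/cjs/principals.js
+++ b/package/dist/cjs/principals.js
@@ -3,12 +3,16 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.principalExists = principalExists;
 exports.getAllPoliciesForUser = getAllPoliciesForUser;
 exports.getAllPoliciesForRole = getAllPoliciesForRole;
-
+exports.getAllPoliciesForPrincipal = getAllPoliciesForPrincipal;
+exports.isArnPrincipal = isArnPrincipal;
+exports.isServicePrincipal = isServicePrincipal;
+exports.isServiceLinkedRole = isServiceLinkedRole;
+const iam_utils_1 = require("@cloud-copilot/iam-utils");
 /**
 * Check if a principal exists in the specified AWS IAM store.
 */
 async function principalExists(storageClient, principalArn) {
-const accountId = (0,
+const accountId = (0, iam_utils_1.splitArnParts)(principalArn).accountId;
 const principalData = await storageClient.getResourceMetadata(accountId, principalArn, 'metadata');
 return !!principalData;
 }
@@ -20,7 +24,7 @@ async function principalExists(storageClient, principalArn) {
 * @returns an object containing the managed policies, inline policies, permission boundary, and group policies
 */
 async function getAllPoliciesForUser(collectClient, principalArn) {
-const accountId = (0,
+const accountId = (0, iam_utils_1.splitArnParts)(principalArn).accountId;
 const managedPolicies = await collectClient.getManagedPoliciesForUser(principalArn);
 const inlinePolicies = await collectClient.getInlinePoliciesForUser(principalArn);
 const permissionBoundary = await collectClient.getPermissionsBoundaryForUser(principalArn);
@@ -33,7 +37,7 @@ async function getAllPoliciesForUser(collectClient, principalArn) {
 const groupInlinePolicies = await collectClient.getInlinePoliciesForGroup(group);
 groupPolicies.push({
 group,
-
+managedPolicies: groupManagedPolicies,
 inlinePolicies: groupInlinePolicies
 });
 }
@@ -54,8 +58,8 @@ async function getAllPoliciesForUser(collectClient, principalArn) {
 * @returns an object containing the managed policies, inline policies, and permission boundary
 */
 async function getAllPoliciesForRole(collectClient, principalArn) {
-const accountId = (0,
-const
+const accountId = (0, iam_utils_1.splitArnParts)(principalArn).accountId;
+const managedPolicies = await collectClient.getManagedPoliciesForRole(principalArn);
 const inlinePolicies = await collectClient.getInlinePoliciesForRole(principalArn);
 const permissionBoundary = await collectClient.getPermissionsBoundaryForRole(principalArn);
 const scps = await collectClient.getScpHierarchyForAccount(accountId);
@@ -63,9 +67,42 @@ async function getAllPoliciesForRole(collectClient, principalArn) {
 return {
 scps,
 rcps,
-
+managedPolicies,
 inlinePolicies,
 permissionBoundary
 };
 }
+async function getAllPoliciesForPrincipal(collectClient, principalArn) {
+if (isServicePrincipal(principalArn)) {
+return {
+scps: [],
+rcps: [],
+managedPolicies: [],
+inlinePolicies: [],
+permissionBoundary: undefined,
+groupPolicies: []
+};
+}
+if ((0, iam_utils_1.isIamUserArn)(principalArn)) {
+return getAllPoliciesForUser(collectClient, principalArn);
+}
+else if ((0, iam_utils_1.isIamRoleArn)(principalArn)) {
+return getAllPoliciesForRole(collectClient, principalArn);
+}
+else if ((0, iam_utils_1.isAssumedRoleArn)(principalArn)) {
+const roleArn = (0, iam_utils_1.convertAssumedRoleArnToRoleArn)(principalArn);
+return getAllPoliciesForRole(collectClient, roleArn);
+}
+throw new Error(`Unsupported principal type: ${principalArn}`);
+}
+function isArnPrincipal(principal) {
+return principal.startsWith('arn:');
+}
+function isServicePrincipal(principal) {
+return !isArnPrincipal(principal) && principal.endsWith('amazonaws.com');
+}
+function isServiceLinkedRole(principal) {
+const arnParts = (0, iam_utils_1.splitArnParts)(principal);
+return isArnPrincipal(principal) && !!arnParts.resourcePath?.startsWith('aws-service-role/');
+}
 //# sourceMappingURL=principals.js.map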
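Review bot: `isServicePrincipal` in the last hunk accepts any non-ARN string that ends in `amazonaws.com`, with no dot before the suffix, so a value such as `notamazonaws.com` (constructed example) is classified as an AWS service. `getAllPoliciesForPrincipal` then returns empty identity policies, SCPs and RCPs for it instead of reaching the `Unsupported principal type` error, so a mistyped principal is simulated as if it were a valid service. Anchoring the suffix would close that: `return !isArnPrincipal(principal) && principal.endsWith('.amazonaws.com');`. Separately, `isServiceLinkedRole` calls `splitArnParts(principal)` before it checks `isArnPrincipal(principal)`; how `splitArnParts` behaves on a non-ARN string is not visible here, so testing `isArnPrincipal` first would be the safer order.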
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"principals.js","sourceRoot":"","sources":["../../src/principals.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"principals.js","sourceRoot":"","sources":["../../src/principals.ts"],"names":[],"mappings":";;AAkBA,0CAOC;AAsBD,sDA8BC;AASD,sDAmBC;AAED,gEAwBC;AAED,wCAEC;AAED,gDAEC;AAED,kDAGC;AA/ID,wDAMiC;AAQjC;;GAEG;AACI,KAAK,UAAU,eAAe,CACnC,aAA0B,EAC1B,YAAoB;IAEpB,MAAM,SAAS,GAAG,IAAA,yBAAa,EAAC,YAAY,CAAC,CAAC,SAAU,CAAA;IACxD,MAAM,aAAa,GAAG,MAAM,aAAa,CAAC,mBAAmB,CAAC,SAAS,EAAE,YAAY,EAAE,UAAU,CAAC,CAAA;IAClG,OAAO,CAAC,CAAC,aAAa,CAAA;AACxB,CAAC;AAeD;;;;;;GAMG;AACI,KAAK,UAAU,qBAAqB,CACzC,aAA+B,EAC/B,YAAoB;IAEpB,MAAM,SAAS,GAAG,IAAA,yBAAa,EAAC,YAAY,CAAC,CAAC,SAAU,CAAA;IAExD,MAAM,eAAe,GAAG,MAAM,aAAa,CAAC,yBAAyB,CAAC,YAAY,CAAC,CAAA;IACnF,MAAM,cAAc,GAAG,MAAM,aAAa,CAAC,wBAAwB,CAAC,YAAY,CAAC,CAAA;IACjF,MAAM,kBAAkB,GAAG,MAAM,aAAa,CAAC,6BAA6B,CAAC,YAAY,CAAC,CAAA;IAC1F,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,gBAAgB,CAAC,YAAY,CAAC,CAAA;IACjE,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,yBAAyB,CAAC,SAAS,CAAC,CAAA;IACrE,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,yBAAyB,CAAC,SAAS,CAAC,CAAA;IACrE,MAAM,aAAa,GAAG,EAAE,CAAA;IACxB,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,oBAAoB,GAAG,MAAM,aAAa,CAAC,0BAA0B,CAAC,KAAK,CAAC,CAAA;QAClF,MAAM,mBAAmB,GAAG,MAAM,aAAa,CAAC,yBAAyB,CAAC,KAAK,CAAC,CAAA;QAChF,aAAa,CAAC,IAAI,CAAC;YACjB,KAAK;YACL,eAAe,EAAE,oBAAoB;YACrC,cAAc,EAAE,mBAAmB;SACpC,CAAC,CAAA;IACJ,CAAC;IACD,OAAO;QACL,IAAI;QACJ,IAAI;QACJ,eAAe;QACf,cAAc;QACd,kBAAkB;QAClB,aAAa;KACd,CAAA;AACH,CAAC;AAED;;;;;;GAMG;AACI,KAAK,UAAU,qBAAqB,CACzC,aAA+B,EAC/B,YAAoB;IAEpB,MAAM,SAAS,GAAG,IAAA,yBAAa,EAAC,YAAY,CAAC,CAAC,SAAU,CAAA;IAExD,MAAM,eAAe,GAAG,MAAM,aAAa,CAAC,yBAAyB,CAAC,YAAY,CAAC,CAAA;IACnF,MAAM,cAAc,GAAG,MAAM,aAAa,CAAC,wBAAwB,CAAC,YAAY,CAAC,CAAA;IACjF,MAAM,kBAAkB,GAAG,MAAM,aAAa,CAAC,6BAA6B,CAAC,YAAY,CAAC,CAAA;IAC1F,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,yBAAyB,CAAC,SAAS,CAAC,CAAA;IACrE,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,yBAAyB,CAAC,SAAS,CAAC,CAAA;IAErE,OAAO;QACL,IAAI;QACJ,IAAI;QACJ,eAAe;QACf,cAAc;QACd,kBAAkB;KACnB,CAAA;AACH,CAAC;AAEM,KAAK,UAAU,0BAA0B,CAC9C,aAA+B,EAC/B,YAAoB;IAEpB,IAAI,kBAAkB,CAAC,YAAY,CAAC,EAAE,CAAC;QACrC,OAAO;YACL,IAAI,EAAE,EA
AE;YACR,IAAI,EAAE,EAAE;YACR,eAAe,EAAE,EAAE;YACnB,cAAc,EAAE,EAAE;YAClB,kBAAkB,EAAE,SAAS;YAC7B,aAAa,EAAE,EAAE;SAClB,CAAA;IACH,CAAC;IAED,IAAI,IAAA,wBAAY,EAAC,YAAY,CAAC,EAAE,CAAC;QAC/B,OAAO,qBAAqB,CAAC,aAAa,EAAE,YAAY,CAAC,CAAA;IAC3D,CAAC;SAAM,IAAI,IAAA,wBAAY,EAAC,YAAY,CAAC,EAAE,CAAC;QACtC,OAAO,qBAAqB,CAAC,aAAa,EAAE,YAAY,CAAC,CAAA;IAC3D,CAAC;SAAM,IAAI,IAAA,4BAAgB,EAAC,YAAY,CAAC,EAAE,CAAC;QAC1C,MAAM,OAAO,GAAG,IAAA,0CAA8B,EAAC,YAAY,CAAC,CAAA;QAC5D,OAAO,qBAAqB,CAAC,aAAa,EAAE,OAAO,CAAC,CAAA;IACtD,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,+BAA+B,YAAY,EAAE,CAAC,CAAA;AAChE,CAAC;AAED,SAAgB,cAAc,CAAC,SAAiB;IAC9C,OAAO,SAAS,CAAC,UAAU,CAAC,MAAM,CAAC,CAAA;AACrC,CAAC;AAED,SAAgB,kBAAkB,CAAC,SAAiB;IAClD,OAAO,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAA;AAC1E,CAAC;AAED,SAAgB,mBAAmB,CAAC,SAAiB;IACnD,MAAM,QAAQ,GAAG,IAAA,yBAAa,EAAC,SAAS,CAAC,CAAA;IACzC,OAAO,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,YAAY,EAAE,UAAU,CAAC,mBAAmB,CAAC,CAAA;AAC9F,CAAC"}
|
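--- a/package/dist/cjs/resources.d.ts
+++ b/package/dist/cjs/resources.d.ts
@@ -16,4 +16,5 @@ export declare function getAccountIdForResource(collectClient: IamCollectClient,
 * @returns an array of resource control policies for the specified resource
 */
 export declare function getRcpsForResource(collectClient: IamCollectClient, resourceArn: string): Promise<Simulation['resourceControlPolicies']>;
+export declare function getResourcePolicyForResource(collectClient: IamCollectClient, resourceArn: string): Promise<any | undefined>;
 //# sourceMappingURL=resources.d.ts.map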
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"resources.d.ts","sourceRoot":"","sources":["../../src/resources.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAA;
|
|
1
|
+
{"version":3,"file":"resources.d.ts","sourceRoot":"","sources":["../../src/resources.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAA;AAExD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAA;AAEtD;;;;;;GAMG;AACH,wBAAsB,uBAAuB,CAC3C,aAAa,EAAE,gBAAgB,EAC/B,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAc7B;AAED;;;;;;GAMG;AACH,wBAAsB,kBAAkB,CACtC,aAAa,EAAE,gBAAgB,EAC/B,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,UAAU,CAAC,yBAAyB,CAAC,CAAC,CAMhD;AAED,wBAAsB,4BAA4B,CAChD,aAAa,EAAE,gBAAgB,EAC/B,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,GAAG,GAAG,SAAS,CAAC,CAkB1B"}
|
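--- a/package/dist/cjs/resources.js
+++ b/package/dist/cjs/resources.js
@@ -2,7 +2,8 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.getAccountIdForResource = getAccountIdForResource;
 exports.getRcpsForResource = getRcpsForResource;
-
+exports.getResourcePolicyForResource = getResourcePolicyForResource;
+const iam_utils_1 = require("@cloud-copilot/iam-utils");
 /**
 * Get the account ID for a given resource ARN. Lookup index if necessary to find the account ID.
 *
@@ -11,7 +12,7 @@ const arn_js_1 = require("./util/arn.js");
 * @returns the account ID for the specified resource, or undefined if not found
 */
 async function getAccountIdForResource(collectClient, resourceArn) {
-const arnParts = (0,
+const arnParts = (0, iam_utils_1.splitArnParts)(resourceArn);
 let accountId = arnParts.accountId;
 if (accountId) {
 return accountId;
@@ -40,4 +41,21 @@ async function getRcpsForResource(collectClient, resourceArn) {
 }
 return collectClient.getRcpHierarchyForAccount(accountId);
 }
+async function getResourcePolicyForResource(collectClient, resourceArn) {
+//TODO: Should this return a policy object?
+const accountId = await getAccountIdForResource(collectClient, resourceArn);
+if (!accountId) {
+throw new Error(`Unable to determine account ID for resource ARN: ${resourceArn}`);
+}
+const resourcePolicy = await collectClient.getResourcePolicyForArn(resourceArn, accountId);
+if (resourcePolicy) {
+return resourcePolicy;
+}
+const ramPolicy = await collectClient.getRamSharePolicyForArn(resourceArn, accountId);
+if (ramPolicy) {
+return ramPolicy;
+}
+//TODO: there should be more here for things like glue resources
+return undefined;
+}
 //# sourceMappingURL=resources.js.map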
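Review bot: `getResourcePolicyForResource` in the last hunk has no doc comment, although the other exported functions in this file have one, and its fallback order matters to callers. A comment such as `/** Returns the collected resource policy for the ARN, else its RAM share policy, else undefined. */` would record it. The comment should also say that `undefined` means nothing was found in the collected data, not that the resource has no policy: the TODO says some resource types (glue is named) are not looked up yet, so a caller evaluating access may be working without a policy that exists. The declaration in `resources.d.ts` types the result as `Promise<any | undefined>`, so the shape of the returned policy is undocumented as well.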
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"resources.js","sourceRoot":"","sources":["../../src/resources.ts"],"names":[],"mappings":";;AAWA,0DAiBC;AASD,gDASC;
|
|
1
|
+
{"version":3,"file":"resources.js","sourceRoot":"","sources":["../../src/resources.ts"],"names":[],"mappings":";;AAWA,0DAiBC;AASD,gDASC;AAED,oEAqBC;AApED,wDAAwD;AAGxD;;;;;;GAMG;AACI,KAAK,UAAU,uBAAuB,CAC3C,aAA+B,EAC/B,WAAmB;IAEnB,MAAM,QAAQ,GAAG,IAAA,yBAAa,EAAC,WAAW,CAAC,CAAA;IAC3C,IAAI,SAAS,GAAG,QAAQ,CAAC,SAAS,CAAA;IAClC,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,SAAS,CAAA;IAClB,CAAC;IACD,IAAI,QAAQ,CAAC,OAAO,KAAK,IAAI,IAAI,QAAQ,CAAC,YAAY,KAAK,EAAE,EAAE,CAAC;QAC9D,MAAM,UAAU,GAAG,QAAQ,CAAC,YAAa,CAAA;QACzC,OAAO,aAAa,CAAC,qBAAqB,CAAC,UAAU,CAAC,CAAA;IACxD,CAAC;SAAM,IAAI,QAAQ,CAAC,OAAO,KAAK,YAAY,IAAI,QAAQ,CAAC,YAAY,KAAK,UAAU,EAAE,CAAC;QACrF,MAAM,KAAK,GAAG,QAAQ,CAAC,YAAa,CAAA;QACpC,OAAO,aAAa,CAAC,sBAAsB,CAAC,KAAK,CAAC,CAAA;IACpD,CAAC;IACD,OAAO,SAAS,CAAA;AAClB,CAAC;AAED;;;;;;GAMG;AACI,KAAK,UAAU,kBAAkB,CACtC,aAA+B,EAC/B,WAAmB;IAEnB,MAAM,SAAS,GAAG,MAAM,uBAAuB,CAAC,aAAa,EAAE,WAAW,CAAC,CAAA;IAC3E,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,oDAAoD,WAAW,EAAE,CAAC,CAAA;IACpF,CAAC;IACD,OAAO,aAAa,CAAC,yBAAyB,CAAC,SAAS,CAAC,CAAA;AAC3D,CAAC;AAEM,KAAK,UAAU,4BAA4B,CAChD,aAA+B,EAC/B,WAAmB;IAEnB,2CAA2C;IAC3C,MAAM,SAAS,GAAG,MAAM,uBAAuB,CAAC,aAAa,EAAE,WAAW,CAAC,CAAA;IAC3E,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,oDAAoD,WAAW,EAAE,CAAC,CAAA;IACpF,CAAC;IACD,MAAM,cAAc,GAAG,MAAM,aAAa,CAAC,uBAAuB,CAAC,WAAW,EAAE,SAAS,CAAC,CAAA;IAC1F,IAAI,cAAc,EAAE,CAAC;QACnB,OAAO,cAAc,CAAA;IACvB,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,uBAAuB,CAAC,WAAW,EAAE,SAAS,CAAC,CAAA;IACrF,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,gEAAgE;IAChE,OAAO,SAAS,CAAA;AAClB,CAAC"}
|
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
import { IamCollectClient } from './collect/client.js';
|
|
2
|
+
import { ContextKeys } from './contextKeys.js';
|
|
3
|
+
export interface SimulationRequest {
|
|
4
|
+
resourceArn: string;
|
|
5
|
+
resourceAccount: string | undefined;
|
|
6
|
+
action: string;
|
|
7
|
+
principal: string;
|
|
8
|
+
customContextKeys: ContextKeys;
|
|
9
|
+
}
|
|
10
|
+
export declare function simulateRequest(simulationRequest: SimulationRequest, collectClient: IamCollectClient): Promise<import("@cloud-copilot/iam-simulate").SimulationResult>;
|
|
11
|
+
//# sourceMappingURL=simulate.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"simulate.d.ts","sourceRoot":"","sources":["../../src/simulate.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,gBAAgB,EAAyB,MAAM,qBAAqB,CAAA;AAC7E,OAAO,EAAE,WAAW,EAAqB,MAAM,kBAAkB,CAAA;AAQjE,MAAM,WAAW,iBAAiB;IAChC,WAAW,EAAE,MAAM,CAAA;IACnB,eAAe,EAAE,MAAM,GAAG,SAAS,CAAA;IACnC,MAAM,EAAE,MAAM,CAAA;IACd,SAAS,EAAE,MAAM,CAAA;IAEjB,iBAAiB,EAAE,WAAW,CAAA;CAC/B;AAED,wBAAsB,eAAe,CACnC,iBAAiB,EAAE,iBAAiB,EACpC,aAAa,EAAE,gBAAgB,mEAsEhC"}
|
|
@@ -0,0 +1,121 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.simulateRequest = simulateRequest;
|
|
4
|
+
const iam_data_1 = require("@cloud-copilot/iam-data");
|
|
5
|
+
const iam_simulate_1 = require("@cloud-copilot/iam-simulate");
|
|
6
|
+
const iam_utils_1 = require("@cloud-copilot/iam-utils");
|
|
7
|
+
const contextKeys_js_1 = require("./contextKeys.js");
|
|
8
|
+
const principals_js_1 = require("./principals.js");
|
|
9
|
+
const resources_js_1 = require("./resources.js");
|
|
10
|
+
async function simulateRequest(simulationRequest, collectClient) {
|
|
11
|
+
simulationRequest.resourceAccount =
|
|
12
|
+
simulationRequest.resourceAccount ||
|
|
13
|
+
(await (0, resources_js_1.getAccountIdForResource)(collectClient, simulationRequest.resourceArn));
|
|
14
|
+
if (!simulationRequest.resourceAccount) {
|
|
15
|
+
throw new Error(`Unable to find account ID for resource ${simulationRequest.resourceArn}`);
|
|
16
|
+
}
|
|
17
|
+
const actionParts = simulationRequest.action.split(':');
|
|
18
|
+
const service = actionParts[0];
|
|
19
|
+
const serviceAction = actionParts[1];
|
|
20
|
+
const actionDetails = await (0, iam_data_1.iamActionDetails)(service, serviceAction);
|
|
21
|
+
if (!actionDetails) {
|
|
22
|
+
throw new Error(`Unable to find action details for ${simulationRequest.action}`);
|
|
23
|
+
}
|
|
24
|
+
if (actionDetails.isWildcardOnly) {
|
|
25
|
+
simulationRequest.resourceAccount = (0, iam_utils_1.splitArnParts)(simulationRequest.principal).accountId;
|
|
26
|
+
}
|
|
27
|
+
//Lookup the principal policies
|
|
28
|
+
const principalPolicies = await (0, principals_js_1.getAllPoliciesForPrincipal)(collectClient, simulationRequest.principal);
|
|
29
|
+
const resourcePolicy = await (0, resources_js_1.getResourcePolicyForResource)(collectClient, simulationRequest.resourceArn);
|
|
30
|
+
const resourceRcps = await (0, resources_js_1.getRcpsForResource)(collectClient, simulationRequest.resourceArn);
|
|
31
|
+
const context = await (0, contextKeys_js_1.createContextKeys)(collectClient, simulationRequest, simulationRequest.customContextKeys);
|
|
32
|
+
const applicableScps = (0, principals_js_1.isServiceLinkedRole)(simulationRequest.principal)
|
|
33
|
+
? []
|
|
34
|
+
: principalPolicies.scps;
|
|
35
|
+
const simulation = {
|
|
36
|
+
request: {
|
|
37
|
+
action: simulationRequest.action,
|
|
38
|
+
resource: {
|
|
39
|
+
resource: simulationRequest.resourceArn,
|
|
40
|
+
accountId: simulationRequest.resourceAccount
|
|
41
|
+
},
|
|
42
|
+
principal: simulationRequest.principal,
|
|
43
|
+
contextVariables: context
|
|
44
|
+
},
|
|
45
|
+
identityPolicies: prepareIdentityPolicies(simulationRequest.principal, principalPolicies),
|
|
46
|
+
serviceControlPolicies: applicableScps,
|
|
47
|
+
resourceControlPolicies: rcpsForRequest(simulationRequest.principal, actionDetails.isWildcardOnly, resourceRcps, principalPolicies.scps),
|
|
48
|
+
resourcePolicy: resourcePolicy,
|
|
49
|
+
permissionBoundaryPolicies: preparePermissionBoundary(principalPolicies)
|
|
50
|
+
};
|
|
51
|
+
const result = await (0, iam_simulate_1.runSimulation)(simulation, {});
|
|
52
|
+
return result;
|
|
53
|
+
}
|
|
54
|
+
function rcpsForRequest(principalArn, actionIsWildcard, resourceRcps, principalRcps) {
|
|
55
|
+
if ((0, principals_js_1.isServiceLinkedRole)(principalArn)) {
|
|
56
|
+
return [];
|
|
57
|
+
}
|
|
58
|
+
let theRcps = resourceRcps;
|
|
59
|
+
if (actionIsWildcard) {
|
|
60
|
+
theRcps = principalRcps;
|
|
61
|
+
}
|
|
62
|
+
return theRcps.map((rcp) => {
|
|
63
|
+
rcp.orgIdentifier;
|
|
64
|
+
return {
|
|
65
|
+
orgIdentifier: rcp.orgIdentifier,
|
|
66
|
+
policies: rcp.policies.filter((policy) => {
|
|
67
|
+
return !policy.name.toLowerCase().endsWith('rcpfullawsaccess');
|
|
68
|
+
})
|
|
69
|
+
};
|
|
70
|
+
});
|
|
71
|
+
}
|
|
72
|
+
function prepareIdentityPolicies(principalArn, principalPolicies) {
|
|
73
|
+
//Collect unique managed policies
|
|
74
|
+
const uniqueIdentityPolicies = {};
|
|
75
|
+
principalPolicies.managedPolicies.forEach((policy) => {
|
|
76
|
+
if (!uniqueIdentityPolicies[policy.arn]) {
|
|
77
|
+
uniqueIdentityPolicies[policy.arn] = {
|
|
78
|
+
name: policy.arn,
|
|
79
|
+
policy: policy.policy
|
|
80
|
+
};
|
|
81
|
+
}
|
|
82
|
+
});
|
|
83
|
+
principalPolicies.groupPolicies?.forEach((groupPolicy) => {
|
|
84
|
+
groupPolicy.managedPolicies.forEach((policy) => {
|
|
85
|
+
if (!uniqueIdentityPolicies[policy.arn]) {
|
|
86
|
+
uniqueIdentityPolicies[policy.arn] = {
|
|
87
|
+
name: policy.arn,
|
|
88
|
+
policy: policy.policy
|
|
89
|
+
};
|
|
90
|
+
}
|
|
91
|
+
});
|
|
92
|
+
});
|
|
93
|
+
const identityPolicies = Object.values(uniqueIdentityPolicies);
|
|
94
|
+
principalPolicies.inlinePolicies.forEach((policy) => {
|
|
95
|
+
identityPolicies.push({
|
|
96
|
+
name: `${principalArn}#${policy.name}`,
|
|
97
|
+
policy: policy.policy
|
|
98
|
+
});
|
|
99
|
+
});
|
|
100
|
+
principalPolicies.groupPolicies?.forEach((groupPolicy) => {
|
|
101
|
+
groupPolicy.inlinePolicies.forEach((policy) => {
|
|
102
|
+
identityPolicies.push({
|
|
103
|
+
name: `${groupPolicy.group}#${policy.name}`,
|
|
104
|
+
policy: policy.policy
|
|
105
|
+
});
|
|
106
|
+
});
|
|
107
|
+
});
|
|
108
|
+
return identityPolicies;
|
|
109
|
+
}
|
|
110
|
+
function preparePermissionBoundary(principalPolicies) {
|
|
111
|
+
if (principalPolicies.permissionBoundary) {
|
|
112
|
+
return [
|
|
113
|
+
{
|
|
114
|
+
name: principalPolicies.permissionBoundary.arn,
|
|
115
|
+
policy: principalPolicies.permissionBoundary.policy
|
|
116
|
+
}
|
|
117
|
+
];
|
|
118
|
+
}
|
|
119
|
+
return undefined;
|
|
120
|
+
}
|
|
121
|
+
//# sourceMappingURL=simulate.js.map
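Review bot: The `resourceControlPolicies` entry built in `simulateRequest` passes `principalPolicies.scps` as the fourth argument of `rcpsForRequest`, whose parameter is named `principalRcps`, so for wildcard-only actions the principal's SCPs appear to be evaluated as RCPs. `PrincipalPolicies` carries a separate `rcps` field, so the call probably should end `resourceRcps, principalPolicies.rcps)`. In the same function the wildcard branch overwrites `simulationRequest.resourceAccount` with `splitArnParts(simulationRequest.principal).accountId` after the not-found check has already run, so a principal without an account ID (a service principal, for instance) could leave it unset; repeating the check after that assignment would catch it. The file header for this section is missing on the page, so the path is inferred from the `sourceMappingURL` line and the +121 count in the file list.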
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"simulate.js","sourceRoot":"","sources":["../../src/simulate.ts"],"names":[],"mappings":";;AAqBA,0CAwEC;AA7FD,sDAA0D;AAC1D,8DAAuE;AACvE,wDAAwD;AAExD,qDAAiE;AACjE,mDAAoG;AACpG,iDAIuB;AAWhB,KAAK,UAAU,eAAe,CACnC,iBAAoC,EACpC,aAA+B;IAE/B,iBAAiB,CAAC,eAAe;QAC/B,iBAAiB,CAAC,eAAe;YACjC,CAAC,MAAM,IAAA,sCAAuB,EAAC,aAAa,EAAE,iBAAiB,CAAC,WAAW,CAAC,CAAC,CAAA;IAE/E,IAAI,CAAC,iBAAiB,CAAC,eAAe,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CAAC,0CAA0C,iBAAiB,CAAC,WAAW,EAAE,CAAC,CAAA;IAC5F,CAAC;IAED,MAAM,WAAW,GAAG,iBAAiB,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACvD,MAAM,OAAO,GAAG,WAAW,CAAC,CAAC,CAAC,CAAA;IAC9B,MAAM,aAAa,GAAG,WAAW,CAAC,CAAC,CAAC,CAAA;IACpC,MAAM,aAAa,GAAG,MAAM,IAAA,2BAAgB,EAAC,OAAO,EAAE,aAAa,CAAC,CAAA;IACpE,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,qCAAqC,iBAAiB,CAAC,MAAM,EAAE,CAAC,CAAA;IAClF,CAAC;IAED,IAAI,aAAa,CAAC,cAAc,EAAE,CAAC;QACjC,iBAAiB,CAAC,eAAe,GAAG,IAAA,yBAAa,EAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC,SAAU,CAAA;IAC3F,CAAC;IAED,+BAA+B;IAC/B,MAAM,iBAAiB,GAAG,MAAM,IAAA,0CAA0B,EACxD,aAAa,EACb,iBAAiB,CAAC,SAAS,CAC5B,CAAA;IAED,MAAM,cAAc,GAAG,MAAM,IAAA,2CAA4B,EACvD,aAAa,EACb,iBAAiB,CAAC,WAAW,CAC9B,CAAA;IAED,MAAM,YAAY,GAAG,MAAM,IAAA,iCAAkB,EAAC,aAAa,EAAE,iBAAiB,CAAC,WAAW,CAAC,CAAA;IAE3F,MAAM,OAAO,GAAG,MAAM,IAAA,kCAAiB,EACrC,aAAa,EACb,iBAAiB,EACjB,iBAAiB,CAAC,iBAAiB,CACpC,CAAA;IAED,MAAM,cAAc,GAAG,IAAA,mCAAmB,EAAC,iBAAiB,CAAC,SAAS,CAAC;QACrE,CAAC,CAAC,EAAE;QACJ,CAAC,CAAC,iBAAiB,CAAC,IAAI,CAAA;IAE1B,MAAM,UAAU,GAAe;QAC7B,OAAO,EAAE;YACP,MAAM,EAAE,iBAAiB,CAAC,MAAM;YAChC,QAAQ,EAAE;gBACR,QAAQ,EAAE,iBAAiB,CAAC,WAAW;gBACvC,SAAS,EAAE,iBAAiB,CAAC,eAAe;aAC7C;YACD,SAAS,EAAE,iBAAiB,CAAC,SAAS;YACtC,gBAAgB,EAAE,OAAO;SAC1B;QACD,gBAAgB,EAAE,uBAAuB,CAAC,iBAAiB,CAAC,SAAS,EAAE,iBAAiB,CAAC;QACzF,sBAAsB,EAAE,cAAc;QACtC,uBAAuB,EAAE,cAAc,CACrC,iBAAiB,CAAC,SAAS,EAC3B,aAAa,CAAC,cAAc,EAC5B,YAAY,EACZ,iBAAiB,CAAC,IAAI,CACvB;QACD,cAAc,EAAE,cAAc;QAC9B,0BAA0B,EAAE,yBAAyB,CAAC,iBAAiB,CAAC;KACzE,CAAA;IAED,MAAM,MAAM,GAAG,MAAM,IAAA,4BAAa,EAAC,UAAU,EAAE,EAAE,CAAC,CAAA;IAElD,OAAO,MAAM,CAAA;AACf,CAAC;
AAED,SAAS,cAAc,CACrB,YAAoB,EACpB,gBAAyB,EACzB,YAAqC,EACrC,aAAsC;IAEtC,IAAI,IAAA,mCAAmB,EAAC,YAAY,CAAC,EAAE,CAAC;QACtC,OAAO,EAAE,CAAA;IACX,CAAC;IAED,IAAI,OAAO,GAAG,YAAY,CAAA;IAE1B,IAAI,gBAAgB,EAAE,CAAC;QACrB,OAAO,GAAG,aAAa,CAAA;IACzB,CAAC;IAED,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;QACzB,GAAG,CAAC,aAAa,CAAA;QACjB,OAAO;YACL,aAAa,EAAE,GAAG,CAAC,aAAa;YAChC,QAAQ,EAAE,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE;gBACvC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAA;YAChE,CAAC,CAAC;SACH,CAAA;IACH,CAAC,CAAC,CAAA;AACJ,CAAC;AAED,SAAS,uBAAuB,CAC9B,YAAoB,EACpB,iBAAoC;IAEpC,iCAAiC;IACjC,MAAM,sBAAsB,GAAkD,EAAE,CAAA;IAChF,iBAAiB,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,EAAE;QACnD,IAAI,CAAC,sBAAsB,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;YACxC,sBAAsB,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG;gBACnC,IAAI,EAAE,MAAM,CAAC,GAAG;gBAChB,MAAM,EAAE,MAAM,CAAC,MAAM;aACtB,CAAA;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IACF,iBAAiB,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC,WAAW,EAAE,EAAE;QACvD,WAAW,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,EAAE;YAC7C,IAAI,CAAC,sBAAsB,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;gBACxC,sBAAsB,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG;oBACnC,IAAI,EAAE,MAAM,CAAC,GAAG;oBAChB,MAAM,EAAE,MAAM,CAAC,MAAM;iBACtB,CAAA;YACH,CAAC;QACH,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,MAAM,gBAAgB,GAAG,MAAM,CAAC,MAAM,CAAC,sBAAsB,CAAC,CAAA;IAE9D,iBAAiB,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,EAAE;QAClD,gBAAgB,CAAC,IAAI,CAAC;YACpB,IAAI,EAAE,GAAG,YAAY,IAAI,MAAM,CAAC,IAAI,EAAE;YACtC,MAAM,EAAE,MAAM,CAAC,MAAM;SACtB,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,iBAAiB,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC,WAAW,EAAE,EAAE;QACvD,WAAW,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,EAAE;YAC5C,gBAAgB,CAAC,IAAI,CAAC;gBACpB,IAAI,EAAE,GAAG,WAAW,CAAC,KAAK,IAAI,MAAM,CAAC,IAAI,EAAE;gBAC3C,MAAM,EAAE,MAAM,CAAC,MAAM;aACtB,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,OAAO,gBAAgB,CAAA;AACzB,CAAC;AAED,SAAS,yBAAyB,CAChC,iBAAoC;IAEpC,IAAI,iBAAiB,CAAC,kBAAkB,EAAE,CAAC;QACzC,OAAO;YACL;gBACE,IAAI,EAAE,iBAAiB,CAAC,kBAAkB,CAAC,GAAG;gBAC9C,MAAM,EAAE,iBAAiB,CAAC,kBA
AkB,CAAC,MAAM;aACpD;SACF,CAAA;IACH,CAAC;IACD,OAAO,SAAS,CAAA;AAClB,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../../src/cli.ts"],"names":[],"mappings":""}
|
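--- a/package/dist/esm/cli.js
+++ b/package/dist/esm/cli.js
@@ -0,0 +1,111 @@
+#!/usr/bin/env node
+import { parseCliArguments } from '@cloud-copilot/cli';
+import { getCollectClient, loadCollectConfigs } from './collect/collect.js';
+import { simulateRequest } from './simulate.js';
+const main = async () => {
+// const version = await iamLensVersion()
+const cli = parseCliArguments('iam-lens', {
+simulate: {
+description: 'Simulate an IAM request',
+options: {
+principal: {
+type: 'string',
+values: 'single',
+description: 'The principal to simulate. Can be a user, role, session, or AWS service'
+},
+resource: {
+type: 'string',
+values: 'single',
+description: 'The ARN of the resource to simulate access to. Ignore for wildcard actions'
+},
+resourceAccountId: {
+type: 'string',
+values: 'single',
+description: 'The account ID of the resource, only required if it cannot be determined from the resource ARN. Ignore for wildcard actions'
+},
+action: {
+type: 'string',
+values: 'single',
+description: 'The action to simulate; must be a valid IAM service and action such as `s3:GetObject`'
+},
+context: {
+type: 'string',
+values: 'multiple',
+description: 'The context keys to use for the simulation. Keys are formatted as key=value. Multiple values can be separated by commas (key=value1,value2,value3)'
+},
+verbose: {
+type: 'boolean',
+description: 'Enable verbose output for the simulation',
+character: 'v'
+}
+}
+}
+}, {
+collectConfigs: {
+type: 'string',
+description: 'The iam-collect configuration files to use',
+values: 'multiple'
+},
+partition: {
+type: 'string',
+description: 'The AWS partition to use (aws, aws-cn, aws-us-gov). Defaults to aws.',
+values: 'single'
+}
+}, {
+envPrefix: 'IAM_LENS',
+showHelpIfNoArgs: true,
+requireSubcommand: true
+// version: version
+});
+if (cli.args.collectConfigs.length === 0) {
+cli.args.collectConfigs.push('./iam-collect.jsonc');
+}
+const thePartition = cli.args.partition || 'aws';
+if (cli.subcommand === 'simulate') {
+const collectConfigs = await loadCollectConfigs(cli.args.collectConfigs);
+const collectClient = getCollectClient(collectConfigs, thePartition);
+const { principal, resource, resourceAccountId, action, context } = cli.args;
+const contextKeys = convertContextKeysToMap(context);
+const result = await simulateRequest({
+principal: principal,
+resourceArn: resource,
+resourceAccount: resourceAccountId,
+action: action,
+customContextKeys: contextKeys
+}, collectClient);
+console.log(`Simulation Result: ${result.analysis?.result}`);
+if (cli.args.verbose) {
+console.log(JSON.stringify(result, null, 2));
+}
+}
+};
+main()
+.catch((e) => {
+console.error(e);
+process.exit(1);
+})
+.then(() => { })
+.finally(() => { });
+/**
+* Convert the context keys from the CLI arguments into a map.
+*
+* @param contextKeys the context keys from the CLI arguments, formatted as key=value1,value2,...
+* @returns a map of context keys where each key is associated with a single value or an array of values
+*/
+function convertContextKeysToMap(contextKeys) {
+const contextMap = {};
+for (const key of contextKeys) {
+const [keyName, value] = key.split('=');
+if (value) {
+const values = value.split(',');
+if (values.length > 1) {
+contextMap[keyName] = values;
+}
+else {
+contextMap[keyName] = values[0];
+}
+}
+}
+return contextMap;
+}
+//# sourceMappingURL=cli.js.map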
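Review bot: In `convertContextKeysToMap`, `key.split('=')` keeps only the text between the first and second `=`, so a context value that itself contains `=` is silently truncated, and an entry with no `=` or with an empty value is dropped without any message. For a tool whose output is an allow/deny decision, a quietly altered or missing context key can produce a result that does not match the request the user meant to test. Split on the first `=` only, e.g. `const idx = key.indexOf('=');` followed by `const keyName = key.slice(0, idx), value = key.slice(idx + 1);`, and throw when `idx < 1` so malformed input fails loudly instead of being ignored. Building the map with `Object.create(null)` rather than `{}` would also keep a key such as `__proto__` from being treated specially on assignment.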
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"cli.js","sourceRoot":"","sources":["../../src/cli.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAA;AACtD,OAAO,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAA;AAE3E,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAA;AAE/C,MAAM,IAAI,GAAG,KAAK,IAAI,EAAE;IACtB,yCAAyC;IACzC,MAAM,GAAG,GAAG,iBAAiB,CAC3B,UAAU,EACV;QACE,QAAQ,EAAE;YACR,WAAW,EAAE,yBAAyB;YACtC,OAAO,EAAE;gBACP,SAAS,EAAE;oBACT,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EAAE,yEAAyE;iBACvF;gBACD,QAAQ,EAAE;oBACR,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,4EAA4E;iBAC/E;gBACD,iBAAiB,EAAE;oBACjB,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,6HAA6H;iBAChI;gBACD,MAAM,EAAE;oBACN,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,uFAAuF;iBAC1F;gBACD,OAAO,EAAE;oBACP,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,UAAU;oBAClB,WAAW,EACT,oJAAoJ;iBACvJ;gBACD,OAAO,EAAE;oBACP,IAAI,EAAE,SAAS;oBACf,WAAW,EAAE,0CAA0C;oBACvD,SAAS,EAAE,GAAG;iBACf;aACF;SACF;KACF,EACD;QACE,cAAc,EAAE;YACd,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,4CAA4C;YACzD,MAAM,EAAE,UAAU;SACnB;QACD,SAAS,EAAE;YACT,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,sEAAsE;YACnF,MAAM,EAAE,QAAQ;SACjB;KACF,EACD;QACE,SAAS,EAAE,UAAU;QACrB,gBAAgB,EAAE,IAAI;QACtB,iBAAiB,EAAE,IAAI;QACvB,mBAAmB;KACpB,CACF,CAAA;IAED,IAAI,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzC,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAA;IACrD,CAAC;IACD,MAAM,YAAY,GAAG,GAAG,CAAC,IAAI,CAAC,SAAS,IAAI,KAAK,CAAA;IAEhD,IAAI,GAAG,CAAC,UAAU,KAAK,UAAU,EAAE,CAAC;QAClC,MAAM,cAAc,GAAG,MAAM,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;QACxE,MAAM,aAAa,GAAG,gBAAgB,CAAC,cAAc,EAAE,YAAY,CAAC,CAAA;QAEpE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,iBAAiB,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC,IAAI,CAAA;QAC5E,MAAM,WAAW,GAAG,uBAAuB,CAAC,OAAO,CAAC,CAAA;QAEpD,MAAM,MAAM,GAAG,MAAM,eAAe,CAClC;YACE,SAAS,EAAE,SAAU;YACrB,WAAW,EAAE,QAAS;YACtB,eAAe,EAAE,iBAAiB;YAClC,MAAM,EAAE,MAAO;YACf,iBAAiB,EAAE,WAAW;SAC/B,EACD,aAAa,CACd,CAAA;QAED,OAAO,CAAC,GAAG,CAAC,sBAAsB,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAA;QAC5D,IAAI,GAAG,CAAC,IAA
I,CAAC,OAAO,EAAE,CAAC;YACrB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;QAC9C,CAAC;IACH,CAAC;AACH,CAAC,CAAA;AAED,IAAI,EAAE;KACH,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;IACX,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;IAChB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC,CAAC;KACD,IAAI,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC;KACd,OAAO,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAA;AAEpB;;;;;GAKG;AACH,SAAS,uBAAuB,CAAC,WAAqB;IACpD,MAAM,UAAU,GAAsC,EAAE,CAAA;IACxD,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;QAC9B,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QACvC,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;YAC/B,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACtB,UAAU,CAAC,OAAO,CAAC,GAAG,MAAM,CAAA;YAC9B,CAAC;iBAAM,CAAC;gBACN,UAAU,CAAC,OAAO,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAA;YACjC,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,UAAU,CAAA;AACnB,CAAC"}
|
|
@@ -233,6 +233,39 @@ export declare class IamCollectClient {
|
|
|
233
233
|
* @returns the metadata for the organization
|
|
234
234
|
*/
|
|
235
235
|
getOrganizationMetadata(organizationId: string): Promise<OrganizationMetadata>;
|
|
236
|
+
/**
|
|
237
|
+
* Gets the resource policy for a given resource ARN and account.
|
|
238
|
+
*
|
|
239
|
+
* @param resourceArn The ARN of the resource.
|
|
240
|
+
* @param accountId The ID of the account.
|
|
241
|
+
* @returns The resource policy, or undefined if not found.
|
|
242
|
+
*/
|
|
243
|
+
getResourcePolicyForArn(resourceArn: string, accountId: string): Promise<any | undefined>;
|
|
244
|
+
/**
|
|
245
|
+
* Gets the RAM share policy for a given resource ARN and account.
|
|
246
|
+
*
|
|
247
|
+
* @param resourceArn The ARN of the resource.
|
|
248
|
+
* @param accountId The ID of the account.
|
|
249
|
+
* @returns The RAM share policy, or undefined if not found.
|
|
250
|
+
*/
|
|
251
|
+
getRamSharePolicyForArn(resourceArn: string, accountId: string): Promise<any | undefined>;
|
|
252
|
+
/**
|
|
253
|
+
* Gets the tags for a given resource ARN and account.
|
|
254
|
+
*
|
|
255
|
+
* @param resourceArn The ARN of the resource.
|
|
256
|
+
* @param accountId The ID of the account.
|
|
257
|
+
* @returns The tags as a record, or undefined if not found.
|
|
258
|
+
*/
|
|
259
|
+
getTagsForResource(resourceArn: string, accountId: string): Promise<Record<string, string>>;
|
|
260
|
+
/**
|
|
261
|
+
* Gets a unique ID for an IAM resource based on its ARN and account ID.
|
|
262
|
+
* Used specifically for IAM Users and Roles
|
|
263
|
+
*
|
|
264
|
+
* @param resourceArn the ARN of the IAM resource
|
|
265
|
+
* @param accountId the ID of the account the resource belongs to
|
|
266
|
+
* @returns a unique ID for the resource, or undefined if not found
|
|
267
|
+
*/
|
|
268
|
+
getUniqueIdForIamResource(resourceArn: string): Promise<string | undefined>;
|
|
236
269
|
}
|
|
237
270
|
export {};
|
|
238
271
|
//# sourceMappingURL=client.d.ts.map
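Review bot: The doc comment on `getUniqueIdForIamResource` documents `@param accountId`, but the declared signature takes only `resourceArn`; one of the two should change so callers are not misled about which account the lookup is scoped to. Likewise `getTagsForResource` is documented as returning "undefined if not found" while its type is `Promise<Record<string, string>>`, and the implementation is not visible here to say which is right. `Promise<any | undefined>` on `getResourcePolicyForArn` and `getRamSharePolicyForArn` collapses to `Promise<any>`, so the compiler will not remind callers to handle a missing policy; a named policy type with `| undefined` would keep that case visible. This file is a generated declaration, so the fixes presumably belong in `src/collect/client.ts`, and the `IamCollectClient` class begins outside this hunk.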
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../../src/collect/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAA;AAIxD,MAAM,WAAW,qBAAqB;IACpC,aAAa,EAAE,MAAM,CAAA;IACrB,QAAQ,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,GAAG,CAAA;KAAE,EAAE,CAAA;CAC1C;AAED,UAAU,eAAe;IACvB,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,MAAM,CAAA;IACZ,kBAAkB,EAAE,MAAM,CAAA;IAC1B,EAAE,EAAE,MAAM,CAAA;IACV,IAAI,EAAE,MAAM,CAAA;IACZ,OAAO,EAAE,MAAM,CAAA;CAChB;AAOD,MAAM,WAAW,SAAS;IACxB,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,EAAE,GAAG,CAAA;CACZ;AAOD,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,EAAE,GAAG,CAAA;CACZ;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,EAAE,GAAG,CAAA;CACZ;AAED,UAAU,UAAU;IAClB,EAAE,EAAE,MAAM,CAAA;IACV,IAAI,EAAE,MAAM,EAAE,CAAA;IACd,IAAI,EAAE,MAAM,EAAE,CAAA;CACf;AAED,KAAK,WAAW,GAAG,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,CAAA;AAc7C,UAAU,cAAc;IACtB,MAAM,EAAE,MAAM,GAAG,SAAS,CAAA;IAC1B,IAAI,EAAE,MAAM,EAAE,CAAA;IACd,IAAI,EAAE,MAAM,EAAE,CAAA;CACf;AAED,KAAK,QAAQ,GAAG,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAA;AAE9C,KAAK,aAAa,GAAG,MAAM,GAAG,MAAM,CAAA;AAEpC,UAAU,oBAAoB;IAC5B,EAAE,EAAE,MAAM,CAAA;IACV,GAAG,EAAE,MAAM,CAAA;IACX,MAAM,EAAE,MAAM,CAAA;IACd,cAAc,EAAE,MAAM,CAAA;IACtB,aAAa,EAAE,MAAM,CAAA;IACrB,QAAQ,EAAE;QACR,yBAAyB,CAAC,EAAE,OAAO,CAAA;QACnC,aAAa,CAAC,EAAE,OAAO,CAAA;QACvB,uBAAuB,CAAC,EAAE,OAAO,CAAA;QACjC,sBAAsB,CAAC,EAAE,OAAO,CAAA;QAChC,UAAU,CAAC,EAAE,OAAO,CAAA;KACrB,CAAA;CACF;
|
|
1
|
+
{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../../src/collect/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAA;AAIxD,MAAM,WAAW,qBAAqB;IACpC,aAAa,EAAE,MAAM,CAAA;IACrB,QAAQ,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,GAAG,CAAA;KAAE,EAAE,CAAA;CAC1C;AAED,UAAU,eAAe;IACvB,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,MAAM,CAAA;IACZ,kBAAkB,EAAE,MAAM,CAAA;IAC1B,EAAE,EAAE,MAAM,CAAA;IACV,IAAI,EAAE,MAAM,CAAA;IACZ,OAAO,EAAE,MAAM,CAAA;CAChB;AAOD,MAAM,WAAW,SAAS;IACxB,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,EAAE,GAAG,CAAA;CACZ;AAOD,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,EAAE,GAAG,CAAA;CACZ;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,EAAE,GAAG,CAAA;CACZ;AAED,UAAU,UAAU;IAClB,EAAE,EAAE,MAAM,CAAA;IACV,IAAI,EAAE,MAAM,EAAE,CAAA;IACd,IAAI,EAAE,MAAM,EAAE,CAAA;CACf;AAED,KAAK,WAAW,GAAG,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,CAAA;AAc7C,UAAU,cAAc;IACtB,MAAM,EAAE,MAAM,GAAG,SAAS,CAAA;IAC1B,IAAI,EAAE,MAAM,EAAE,CAAA;IACd,IAAI,EAAE,MAAM,EAAE,CAAA;CACf;AAED,KAAK,QAAQ,GAAG,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAA;AAE9C,KAAK,aAAa,GAAG,MAAM,GAAG,MAAM,CAAA;AAEpC,UAAU,oBAAoB;IAC5B,EAAE,EAAE,MAAM,CAAA;IACV,GAAG,EAAE,MAAM,CAAA;IACX,MAAM,EAAE,MAAM,CAAA;IACd,cAAc,EAAE,MAAM,CAAA;IACtB,aAAa,EAAE,MAAM,CAAA;IACrB,QAAQ,EAAE;QACR,yBAAyB,CAAC,EAAE,OAAO,CAAA;QACnC,aAAa,CAAC,EAAE,OAAO,CAAA;QACvB,uBAAuB,CAAC,EAAE,OAAO,CAAA;QACjC,sBAAsB,CAAC,EAAE,OAAO,CAAA;QAChC,UAAU,CAAC,EAAE,OAAO,CAAA;KACrB,CAAA;CACF;AAQD,qBAAa,gBAAgB;IACf,OAAO,CAAC,aAAa;gBAAb,aAAa,EAAE,WAAW;IAE9C;;;;OAIG;IACG,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAKxD;;;;OAIG;IACG,eAAe,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAU7D;;;;OAIG;IACG,yBAAyB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,EAAE,CAAC;IAIpF;;;;;OAKG;IACG,+BAA+B,CACnC,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,aAAa,GACxB,OAAO,CAAC,qBAAqB,EAAE,CAAC;IAuCnC;;;;;OAKG;IACG,6BAA6B,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAkBzE;;;;OAIG;IACG,sBAAsB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IA
U5E;;;;;OAKG;IACG,4BAA4B,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IAM5F;;;;OAIG;IACG,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IAIhE;;;;;OAKG;IACG,wBAAwB,CAC5B,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,aAAa,GACxB,OAAO,CAAC,SAAS,EAAE,CAAC;IAkBvB;;;;OAIG;IACG,oBAAoB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAI/D;;;;OAIG;IACG,qBAAqB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;IAI7D;;;;;;OAMG;IACG,YAAY,CAChB,KAAK,EAAE,MAAM,EACb,UAAU,EAAE,aAAa,EACzB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,SAAS,CAAC;IAoBrB;;;;OAIG;IACG,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IAIhE;;;;OAIG;IACG,yBAAyB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,EAAE,CAAC;IAIpF;;;;;OAKG;IACG,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IAI/E;;;;;;OAMG;IACG,wBAAwB,CAC5B,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,aAAa,GACxB,OAAO,CAAC,SAAS,EAAE,CAAC;IAavB;;;;;OAKG;IACG,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IAI/E;;;;OAIG;IACG,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IAMxE;;;;OAIG;IACG,qBAAqB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IAS5E;;;;OAIG;IACG,sBAAsB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IASzE;;;;OAIG;IACG,yBAAyB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;IAkBpE,gBAAgB,CAAC,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC;IAiBpF;;;;OAIG;IACG,wBAAwB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;IAalE,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,GAAG,SAAS,CAAC;IAU/E;;;;;OAKG;IACG,6BAA6B,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,SAAS,CAAC;IAgBxF;;;;OAIG;IACG,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAW1D;;;;;OAKG;IACG,0BAA0B,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;IAkBtE,yBAAyB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;IAapE,yBAAyB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;IAkBpE,wBAAwB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;IAalE,6BAA6B,CAAC,OAAO,EAAE
,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,SAAS,CAAC;IAgBxF;;;;;OAKG;IACG,uBAAuB,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAOpF;;;;;;OAMG;IACG,uBAAuB,CAAC,WAAW,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,GAAG,SAAS,CAAC;IAS/F;;;;;;OAMG;IACG,uBAAuB,CAAC,WAAW,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,GAAG,SAAS,CAAC;IAQ/F;;;;;;OAMG;IACG,kBAAkB,CACtB,WAAW,EAAE,MAAM,EACnB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAQlC;;;;;;;OAOG;IACG,yBAAyB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;CASlF"}
|