npm - @cloud-copilot/iam-lens - Versions diffs - 0.1.44 → 0.1.45 - Mend

@cloud-copilot/iam-lens 0.1.44 → 0.1.45

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (83) hide show

package/dist/cjs/{canWhat → principalCan}/permissionSet.js RENAMED Viewed

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.PermissionSet = void 0;
 exports.buildPermissionSetFromPolicies = buildPermissionSetFromPolicies;
 exports.addPoliciesToPermissionSet = addPoliciesToPermissionSet;
+exports.addStatementToPermissionSet = addStatementToPermissionSet;
 exports.toPolicyStatements = toPolicyStatements;
 const iam_expand_1 = require("@cloud-copilot/iam-expand");
 const permission_js_1 = require("./permission.js");
@@ -17,6 +18,12 @@ class PermissionSet {
     constructor(effect) {
         this.effect = effect;
     }
+    /**
+     * Add a new permission to the set.  If the new permission overlaps with an existing one,
+     * they will be unioned together to avoid redundancy.
+     *
+     * @param newPermission the permission to add
+     */
     addPermission(newPermission) {
         if (newPermission.effect !== this.effect) {
             throw new Error(`Permission effect ${newPermission.effect} does not match PermissionSet effect ${this.effect}`);
@@ -72,18 +79,50 @@ class PermissionSet {
         }
         this.permissions[service][action] = newPermissions;
     }
+    /**
+     * Get the permissions for a specific service and action.
+     *
+     * @param service the service to get permissions for
+     * @param action the action to get permissions for
+     * @returns the permissions that match the service and action
+     */
     getPermissions(service, action) {
         if (!this.permissions[service] || !this.permissions[service][action]) {
             return [];
         }
         return this.permissions[service][action];
     }
+    /**
+     * Check if the permission set has any permissions for a specific service
+     *
+     * @param service the service to check permissions for
+     * @returns true if the permission set has permissions for the service, false otherwise
+     */
     hasService(service) {
         return !!this.permissions[service];
     }
+    /**
+     * Check if the permission set has any permissions for a specific action
+     *
+     * @param service the service the action belongs to
+     * @param action the action to check permissions for
+     * @returns true if the permission set has permissions for the action, false otherwise
+     */
     hasAction(service, action) {
         return !!(this.permissions[service] && this.permissions[service][action]);
     }
+    /**
+     * Check if the permission set is empty (has no permissions)
+     * @returns true if the permission set is empty, false otherwise
+     */
+    isEmpty() {
+        return Object.keys(this.permissions).length === 0;
+    }
+    /**
+     * Get all the permissions in the permission set
+     *
+     * @returns a copy of all the permissions in the permission set
+     */
     getAllPermissions() {
         const allPermissions = [];
         for (const service in this.permissions) {
@@ -97,6 +136,10 @@ class PermissionSet {
      * Return a new PermissionSet containing the intersection of this set and another.
      * Only permissions that overlap (same effect, service, action, and intersecting resources/conditions)
      * will be included.
+     *
+     * @param other The other PermissionSet to intersect with.
+     * @returns A new PermissionSet containing the intersecting permissions.
+     * @throws Error if the effects of the two PermissionSets do not match.
      */
     intersection(other) {
         if (this.effect !== other.effect) {
@@ -123,6 +166,15 @@ class PermissionSet {
         }
         return result;
     }
+    /**
+     * Subtract a Deny PermissionSet from this Allow PermissionSet.
+     *
+     * Returns two PermissionSets: one with the remaining Allow permissions,
+     * and one with any Deny permissions that were created as a result of the subtraction.
+     *
+     * @param deny the Deny PermissionSet to subtract
+     * @returns an object containing the resulting Allow and Deny PermissionSets
+     */
     subtract(deny) {
         if (this.effect !== 'Allow' || deny.effect !== 'Deny') {
             throw new Error('Can only subtract a Deny PermissionSet from an Allow PermissionSet');
@@ -168,6 +220,27 @@ class PermissionSet {
         }
         return { allow: allowSet, deny: denySet };
     }
+    /**
+     * Add all permissions from another PermissionSet to this one.
+     *
+     * @param others the other PermissionSet (or array of PermissionSets) to add permissions from
+     * @throws Error if the effects of the two PermissionSets do not match
+     */
+    addAll(others) {
+        if (!Array.isArray(others)) {
+            others = [others];
+        }
+        for (const other of others) {
+            if (other.effect !== this.effect) {
+                throw new Error('Cannot add PermissionSets with different effects');
+            }
+        }
+        for (const other of others) {
+            for (const perm of other.getAllPermissions()) {
+                this.addPermission(perm);
+            }
+        }
+    }
     /**
      * Deep clones the PermissionSet.
      *
@@ -220,37 +293,54 @@ async function addPoliciesToPermissionSet(permissionSet, effect, policies) {
             if (effect === 'Allow' && !stmt.isAllow()) {
                 continue; // skip Deny or any other non-Allow effect
             }
-            else if (effect === 'Deny' && stmt.isAllow()) {
+            else if (effect === 'Deny' && !stmt.isDeny()) {
                 continue; // skip Allow statements if we're building a Deny set
             }
-            let statementActions;
-            if (stmt.isActionStatement()) {
-                const allActions = stmt.actions().map((a) => a.value());
-                statementActions = await (0, iam_expand_1.expandIamActions)(allActions, { expandAsterisk: true });
-            }
-            else if (stmt.isNotActionStatement()) {
-                statementActions = await (0, iam_expand_1.invertIamActions)(stmt.notActions().map((a) => a.value()));
-            }
-            else {
-                continue;
-            }
-            for (const fullAction of statementActions) {
-                const [service, actionName] = fullAction.split(':');
-                if (!service || !actionName)
-                    continue;
-                let resource = undefined;
-                let notResource = undefined;
-                if (stmt.isResourceStatement()) {
-                    resource = stmt.resources().map((r) => r.value());
-                }
-                else if (stmt.isNotResourceStatement()) {
-                    notResource = stmt.notResources().map((r) => r.value());
-                }
-                permissionSet.addPermission(new permission_js_1.Permission(effect, service, actionName, resource, notResource, stmt.conditionMap()));
-            }
+            await addStatementToPermissionSet(stmt, permissionSet);
+        }
+    }
+}
+/**
+ * Add a single Statement to a PermissionSet, expanding it into one or more Permissions as needed.
+ *
+ * @param statement the IAM policy statement to add
+ * @param permissionSet the PermissionSet to add the statement to
+ * @returns nothing; the PermissionSet is modified in place
+ */
+async function addStatementToPermissionSet(statement, permissionSet) {
+    const effect = statement.effect();
+    let statementActions;
+    if (statement.isActionStatement()) {
+        const allActions = statement.actions().map((a) => a.value());
+        statementActions = await (0, iam_expand_1.expandIamActions)(allActions, { expandAsterisk: true });
+    }
+    else if (statement.isNotActionStatement()) {
+        statementActions = await (0, iam_expand_1.invertIamActions)(statement.notActions().map((a) => a.value()));
+    }
+    else {
+        return;
+    }
+    for (const fullAction of statementActions) {
+        const [service, actionName] = fullAction.split(':');
+        if (!service || !actionName)
+            continue;
+        let resource = undefined;
+        let notResource = undefined;
+        if (statement.isResourceStatement()) {
+            resource = statement.resources().map((r) => r.value());
         }
+        else if (statement.isNotResourceStatement()) {
+            notResource = statement.notResources().map((r) => r.value());
+        }
+        permissionSet.addPermission(new permission_js_1.Permission(effect, service, actionName, resource, notResource, statement.conditionMap()));
     }
 }
+/**
+ * Create a consistent key for any permission
+ *
+ * @param p the permission to create a key for
+ * @returns a string key that uniquely identifies the permission's resources and conditions
+ */
 function canonicalKey(p) {
     // Sort resource arrays so ["B","A"] == ["A","B"]
     const resources = p.resource?.slice().sort() ?? null;
@@ -270,6 +360,12 @@ function canonicalKey(p) {
     // Effect is fixed for the whole PermissionSet, so not needed in the key.
     return JSON.stringify({ resources, notResource, canonicalCond });
 }
+/**
+ * Convert a PermissionSet into an array of IAM policy statements.
+ *
+ * @param set the PermissionSet to convert
+ * @returns an array of IAM policy statements
+ */
 function toPolicyStatements(set) {
     const buckets = new Map();
     for (const perm of set.getAllPermissions()) {

package/dist/cjs/principalCan/permissionSet.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"permissionSet.js","sourceRoot":"","sources":["../../../src/principalCan/permissionSet.ts"],"names":[],"mappings":";;;AA0SA,wEAQC;AAED,gEAgBC;AASD,kEA+BC;AA0CD,gDA4BC;AAlbD,0DAA8E;AAE9E,mDAA8D;AAE9D;;;;GAIG;AACH,MAAa,aAAa;IAGI;IAFpB,WAAW,GAAiD,EAAE,CAAA;IAEtE,YAA4B,MAAwB;QAAxB,WAAM,GAAN,MAAM,CAAkB;IAAG,CAAC;IAExD;;;;;OAKG;IACI,aAAa,CAAC,aAAyB;QAC5C,IAAI,aAAa,CAAC,MAAM,KAAK,IAAI,CAAC,MAAM,EAAE,CAAC;YACzC,MAAM,IAAI,KAAK,CACb,qBAAqB,aAAa,CAAC,MAAM,wCAAwC,IAAI,CAAC,MAAM,EAAE,CAC/F,CAAA;QACH,CAAC;QAED,MAAM,OAAO,GAAG,aAAa,CAAC,OAAO,CAAA;QACrC,MAAM,MAAM,GAAG,aAAa,CAAC,MAAM,CAAA;QACnC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,EAAE,CAAC;YAC/B,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,GAAG,EAAE,CAAA;QAChC,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;YACvC,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,GAAG,EAAE,CAAA;QACxC,CAAC;QACD,MAAM,mBAAmB,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,CAAA;QAC7D,IAAI,mBAAmB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACrC,mBAAmB,CAAC,IAAI,CAAC,aAAa,CAAC,CAAA;YACvC,OAAM;QACR,CAAC;QAED,IAAI,gBAAgB,GAAG,KAAK,CAAA;QAC5B,IAAI,kBAAkB,GAAG,KAAK,CAAA;QAC9B,IAAI,KAAK,GAA2B,mBAAmB,CAAC,CAAC,CAAC,CAAA;QAC1D,IAAI,IAAI,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;QACvC,MAAM,cAAc,GAAiB,EAAE,CAAA;QACvC,OAAO,KAAK,EAAE,CAAC;YACb,MAAM,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC,aAAa,CAAC,CAAA;YAC9C,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC7B,MAAM,iBAAiB,GAAG,WAAW,CAAC,CAAC,CAAC,CAAA;gBACxC,IAAI,iBAAiB,IAAI,KAAK,EAAE,CAAC;oBAC/B,wFAAwF;oBACxF,OAAM;gBACR,CAAC;gBACD,IAAI,iBAAiB,IAAI,aAAa,EAAE,CAAC;oBACvC,gBAAgB,GAAG,IAAI,CAAA;oBACvB,kFAAkF;gBACpF,CAAC;qBAAM,CAAC;oBACN,mEAAmE;oBACnE,cAAc,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;oBACtC,kBAAkB,GAAG,IAAI,CAAA;gBAC3B,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;YAC5B,CAAC;YACD,KAAK,GAAG,IAAI,CAAC,KAAK,EAAE,CAAA;QACtB,CAAC;QAED,IAAI,gBAAgB,IAAI,CAAC,kBAAkB,EAAE,CAAC;YAC5C,2FAA2F;YAC3F,cAAc,CAAC,IAAI,CAAC,aAAa,CAAC,CAAA;QACpC,CAAC;aAAM,IAAI,CAAC,gBAAgB,IAAI,CAAC,kBAAkB,EAAE,CAAC;YACpD,2FAA2F;YAC3F,cAAc,CAAC,IAAI,CAAC,aAAa,CAAC,CAAA;QACpC,CAAC;QACD,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,GAAG,cAAc,CAAA;IACpD,CAAC;IAED;;;;;;OAMG;IACI,cAAc,CAAC,OAAe,EAAE,MAAc;QACnD,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;YACrE,OAAO,EAAE,CAAA;QACX,CAAC;QACD,OAAO,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,CAAA;IAC1C,CAAC;IAED;;;;;OAKG;IACI,UAAU,CAAC,OAAe;QAC/B,OAAO,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAA;IACpC,CAAC;IAED;;;;;;OAMG;IACI,SAAS,CAAC,OAAe,EAAE,MAAc;QAC9C,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC,CAAA;IAC3E,CAAC;IAED;;;OAGG;IACI,OAAO;QACZ,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,MAAM,KAAK,CAAC,CAAA;IACnD,CAAC;IAED;;;;OAIG;IACI,iBAAiB;QACtB,MAAM,cAAc,GAAiB,EAAE,CAAA;QACvC,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACvC,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC/C,cAAc,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC,CAAA;YAC3D,CAAC;QACH,CAAC;QACD,OAAO,cAAc,CAAA;IACvB,CAAC;IAED;;;;;;;;OAQG;IACI,YAAY,CAAC,KAAoB;QACtC,IAAI,IAAI,CAAC,MAAM,KAAK,KAAK,CAAC,MAAM,EAAE,CAAC;YACjC,MAAM,IAAI,KAAK,CAAC,wDAAwD,CAAC,CAAA;QAC3E,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;QAE7C,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;YACpD,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC;gBAAE,SAAQ;YAExC,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;gBAC5D,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,OAAO,EAAE,MAAM,CAAC;oBAAE,SAAQ;gBAE/C,MAAM,eAAe,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;gBAC5D,MAAM,gBAAgB,GAAG,KAAK,CAAC,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;gBAE9D,KAAK,MAAM,cAAc,IAAI,eAAe,EAAE,CAAC;oBAC7C,KAAK,MAAM,eAAe,IAAI,gBAAgB,EAAE,CAAC;wBAC/C,MAAM,EAAE,GAAG,cAAc,CAAC,YAAY,CAAC,eAAe,CAAC,CAAA;wBACvD,IAAI,EAAE,EAAE,CAAC;4BACP,MAAM,CAAC,aAAa,CAAC,EAAE,CAAC,CAAA;wBAC1B,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAA;IACf,CAAC;IAED;;;;;;;;OAQG;IACI,QAAQ,CAAC,IAAmB;QACjC,IAAI,IAAI,CAAC,MAAM,KAAK,OAAO,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YACtD,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAA;QACvF,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,aAAa,CAAC,OAAO,CAAC,CAAA;QAC3C,MAAM,OAAO,GAAG,IAAI,aAAa,CAAC,MAAM,CAAC,CAAA;QAEzC,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;YACpD,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC9B,4DAA4D;gBAC5D,0EAA0E;gBAC1E,QAAQ,CAAC,WAAW,CAAC,OAAO,CAAC,GAAG,QAAQ,CAAC,WAAW,CAAC,OAAO,CAAC,IAAI,EAAE,CAAA;gBACnE,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;oBAC5D,QAAQ,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAA;gBACnF,CAAC;gBACD,SAAQ;YACV,CAAC;YAED,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;gBAC5D,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE,CAAC;oBACrC,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,OAAO,CAAC,EAAE,CAAC;wBACnC,QAAQ,CAAC,WAAW,CAAC,OAAO,CAAC,GAAG,EAAE,CAAA;oBACpC,CAAC;oBACD,yEAAyE;oBACzE,sEAAsE;oBACtE,QAAQ,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAA;oBACjF,SAAQ;gBACV,CAAC;gBAED,MAAM,eAAe,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;gBAC5D,MAAM,eAAe,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;gBAE5D,KAAK,MAAM,cAAc,IAAI,eAAe,EAAE,CAAC;oBAC7C,KAAK,MAAM,cAAc,IAAI,eAAe,EAAE,CAAC;wBAC7C,MAAM,UAAU,GAAG,cAAc,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAA;wBAC1D,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;4BAC9B,IAAI,IAAI,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;gCAC5B,QAAQ,CAAC,aAAa,CAAC,IAAI,CAAC,CAAA;4BAC9B,CAAC;iCAAM,CAAC;gCACN,OAAO,CAAC,aAAa,CAAC,IAAI,CAAC,CAAA;4BAC7B,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,CAAA;IAC3C,CAAC;IAED;;;;;OAKG;IACI,MAAM,CAAC,MAAuC;QACnD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAC3B,MAAM,GAAG,CAAC,MAAM,CAAC,CAAA;QACnB,CAAC;QAED,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,IAAI,KAAK,CAAC,MAAM,KAAK,IAAI,CAAC,MAAM,EAAE,CAAC;gBACjC,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAA;YACrE,CAAC;QACH,CAAC;QAED,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,iBAAiB,EAAE,EAAE,CAAC;gBAC7C,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,CAAA;YAC1B,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,KAAK;QACH,MAAM,KAAK,GAAG,IAAI,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;QAC5C,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACvC,KAAK,CAAC,WAAW,CAAC,OAAO,CAAC,GAAG,EAAE,CAAA;YAC/B,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC/C,KAAK,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC,CAAA;YAC7E,CAAC;QACH,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;CACF;AAzQD,sCAyQC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACI,KAAK,UAAU,8BAA8B,CAClD,MAAwB,EACxB,QAAkB;IAElB,2DAA2D;IAC3D,MAAM,aAAa,GAAG,IAAI,aAAa,CAAC,MAAM,CAAC,CAAA;IAC/C,MAAM,0BAA0B,CAAC,aAAa,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAA;IACjE,OAAO,aAAa,CAAA;AACtB,CAAC;AAEM,KAAK,UAAU,0BAA0B,CAC9C,aAA4B,EAC5B,MAAwB,EACxB,QAAkB;IAElB,KAAK,MAAM,MAAM,IAAI,QAAQ,EAAE,CAAC;QAC9B,qEAAqE;QACrE,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;YACvC,IAAI,MAAM,KAAK,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC;gBAC1C,SAAQ,CAAC,0CAA0C;YACrD,CAAC;iBAAM,IAAI,MAAM,KAAK,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;gBAC/C,SAAQ,CAAC,qDAAqD;YAChE,CAAC;YACD,MAAM,2BAA2B,CAAC,IAAI,EAAE,aAAa,CAAC,CAAA;QACxD,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACI,KAAK,UAAU,2BAA2B,CAC/C,SAAoB,EACpB,aAA4B;IAE5B,MAAM,MAAM,GAAG,SAAS,CAAC,MAAM,EAAsB,CAAA;IACrD,IAAI,gBAA0B,CAAA;IAC9B,IAAI,SAAS,CAAC,iBAAiB,EAAE,EAAE,CAAC;QAClC,MAAM,UAAU,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,CAAA;QAC5D,gBAAgB,GAAG,MAAM,IAAA,6BAAgB,EAAC,UAAU,EAAE,EAAE,cAAc,EAAE,IAAI,EAAE,CAAC,CAAA;IACjF,CAAC;SAAM,IAAI,SAAS,CAAC,oBAAoB,EAAE,EAAE,CAAC;QAC5C,gBAAgB,GAAG,MAAM,IAAA,6BAAgB,EAAC,SAAS,CAAC,UAAU,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,CAAA;IACzF,CAAC;SAAM,CAAC;QACN,OAAM;IACR,CAAC;IAED,KAAK,MAAM,UAAU,IAAI,gBAAgB,EAAE,CAAC;QAC1C,MAAM,CAAC,OAAO,EAAE,UAAU,CAAC,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QACnD,IAAI,CAAC,OAAO,IAAI,CAAC,UAAU;YAAE,SAAQ;QAErC,IAAI,QAAQ,GAAyB,SAAS,CAAA;QAC9C,IAAI,WAAW,GAAyB,SAAS,CAAA;QACjD,IAAI,SAAS,CAAC,mBAAmB,EAAE,EAAE,CAAC;YACpC,QAAQ,GAAG,SAAS,CAAC,SAAS,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,CAAA;QACxD,CAAC;aAAM,IAAI,SAAS,CAAC,sBAAsB,EAAE,EAAE,CAAC;YAC9C,WAAW,GAAG,SAAS,CAAC,YAAY,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,CAAA;QAC9D,CAAC;QAED,aAAa,CAAC,aAAa,CACzB,IAAI,0BAAU,CAAC,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,WAAW,EAAE,SAAS,CAAC,YAAY,EAAE,CAAC,CAC7F,CAAA;IACH,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAS,YAAY,CAAC,CAAa;IACjC,iDAAiD;IACjD,MAAM,SAAS,GAAG,CAAC,CAAC,QAAQ,EAAE,KAAK,EAAE,CAAC,IAAI,EAAE,IAAI,IAAI,CAAA;IACpD,MAAM,WAAW,GAAG,CAAC,CAAC,WAAW,EAAE,KAAK,EAAE,CAAC,IAAI,EAAE,IAAI,IAAI,CAAA;IAEzD,4DAA4D;IAC5D,0EAA0E;IAC1E,MAAM,aAAa,GAAG,CAAC,CAAC,UAAU;QAChC,CAAC,CAAC,IAAI,CAAC,SAAS,CACZ,MAAM,CAAC,WAAW,CAChB,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC;aACzB,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;aACtC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;YACjB,EAAE;YACF,MAAM,CAAC,WAAW,CAChB,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;iBACf,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;iBACtC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CACvC;SACF,CAAC,CACL,CACF;QACH,CAAC,CAAC,IAAI,CAAA;IAER,yEAAyE;IACzE,OAAO,IAAI,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,WAAW,EAAE,aAAa,EAAE,CAAC,CAAA;AAClE,CAAC;AAED;;;;;GAKG;AACH,SAAgB,kBAAkB,CAAC,GAAkB;IACnD,MAAM,OAAO,GAAG,IAAI,GAAG,EAGpB,CAAA;IAEH,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,iBAAiB,EAAE,EAAE,CAAC;QAC3C,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,CAAC,CAAA;QAC9B,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI;YACjC,GAAG,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,QAAS,CAAC,CAAC,CAAC,CAAC,SAAS;YACpD,MAAM,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,WAAY,CAAC,CAAC,CAAC,CAAC,SAAS;YAC7D,IAAI,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;YACnD,OAAO,EAAE,EAAE;SACZ,CAAA;QACD,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,CAAA;QACrD,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;IAC1B,CAAC;IAED,mDAAmD;IACnD,MAAM,UAAU,GAAG,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACnD,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE;QAC9E,QAAQ,EAAE,CAAC,CAAC,GAAG;QACf,WAAW,EAAE,CAAC,CAAC,MAAM;QACrB,SAAS,EAAE,CAAC,CAAC,IAAI;KAClB,CAAC,CAAC,CAAA;IAEH,OAAO,UAAU,CAAA;AACnB,CAAC"}

package/dist/cjs/{canWhat/canWhat.d.ts → principalCan/principalCan.d.ts} RENAMED Viewed

@@ -2,7 +2,7 @@ import { IamCollectClient } from '../collect/client.js';
 /**
  * Input for the can-what command.
  */
-export interface CanWhatInput {
+export interface PrincipalCanInput {
     /**
      * The ARN of the principal to check permissions for.
      */
@@ -19,8 +19,8 @@ export interface CanWhatInput {
  * @param input the input containing the principal and options.
  * @returns A promise that resolves to the permissions the principal can perform, or void if the implementation is incomplete.
  */
-export declare function canWhat(collectClient: IamCollectClient, input: CanWhatInput): Promise<{
+export declare function principalCan(collectClient: IamCollectClient, input: PrincipalCanInput): Promise<{
     Version: string;
     Statement: any[];
 }>;
-//# sourceMappingURL=canWhat.d.ts.map
+//# sourceMappingURL=principalCan.d.ts.map

package/dist/cjs/principalCan/principalCan.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"principalCan.d.ts","sourceRoot":"","sources":["../../../src/principalCan/principalCan.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAA;AAUvD;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC;;OAEG;IACH,SAAS,EAAE,MAAM,CAAA;IAEjB;;OAEG;IACH,iBAAiB,EAAE,OAAO,CAAA;CAC3B;AAED;;;;;;GAMG;AACH,wBAAsB,YAAY,CAAC,aAAa,EAAE,gBAAgB,EAAE,KAAK,EAAE,iBAAiB;;;GAwF3F"}

package/dist/cjs/{canWhat/canWhat.js → principalCan/principalCan.js} RENAMED Viewed

@@ -1,10 +1,12 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.canWhat = canWhat;
+exports.principalCan = principalCan;
 const iam_policy_1 = require("@cloud-copilot/iam-policy");
 const iam_shrink_1 = require("@cloud-copilot/iam-shrink");
+const iam_utils_1 = require("@cloud-copilot/iam-utils");
 const principals_js_1 = require("../principals.js");
 const permissionSet_js_1 = require("./permissionSet.js");
+const s3Buckets_js_1 = require("./resources/resourceTypes/s3Buckets.js");
 /**
  * Get what actions a principal can perform based on their policies.
  *
@@ -12,11 +14,13 @@ const permissionSet_js_1 = require("./permissionSet.js");
  * @param input the input containing the principal and options.
  * @returns A promise that resolves to the permissions the principal can perform, or void if the implementation is incomplete.
  */
-async function canWhat(collectClient, input) {
+async function principalCan(collectClient, input) {
     const { principal } = input;
     if (!principal) {
         throw new Error('Principal must be provided for can-what command');
     }
+    const principalArnParts = (0, iam_utils_1.splitArnParts)(principal);
+    const principalAccountId = principalArnParts.accountId;
     const principalPolicies = await (0, principals_js_1.getAllPoliciesForPrincipal)(collectClient, principal);
     const identityPolicies = [
         ...principalPolicies.managedPolicies,
@@ -27,6 +31,13 @@ async function canWhat(collectClient, input) {
     const allowedPermissions = await (0, permissionSet_js_1.buildPermissionSetFromPolicies)('Allow', identityPolicies);
     const identityDenyPermissions = await (0, permissionSet_js_1.buildPermissionSetFromPolicies)('Deny', identityPolicies);
     let finalPermissions = allowedPermissions;
+    /*********** Start Buckets *************/
+    const resourceDenyPermissions = new permissionSet_js_1.PermissionSet('Deny');
+    const { allows: bucketAllows, denies: bucketDenies } = await (0, s3Buckets_js_1.s3BucketsSameAccount)(collectClient, principal);
+    finalPermissions.addAll(bucketAllows);
+    resourceDenyPermissions.addAll(bucketDenies);
+    /*********** End Buckets *************/
+    // TODO: There is a slight wrinkle where same account resource policies can override implicit denies from Permission Boundaries.
     if (principalPolicies.permissionBoundary) {
         const boundaryPolicy = (0, iam_policy_1.loadPolicy)(principalPolicies.permissionBoundary.policy);
         const boundaryPermissions = await (0, permissionSet_js_1.buildPermissionSetFromPolicies)('Allow', [boundaryPolicy]);
@@ -51,6 +62,8 @@ async function canWhat(collectClient, input) {
     for (const rcpAllow of rcpAllowsByLevel) {
         finalPermissions = finalPermissions.intersection(rcpAllow);
     }
+    //Put together all the denies
+    principalAccountDenyPermissions.addAll(resourceDenyPermissions);
     const permissionsAfterDeny = finalPermissions.subtract(principalAccountDenyPermissions);
     finalPermissions = permissionsAfterDeny.allow;
     const deniedPermissions = permissionsAfterDeny.deny;
@@ -65,4 +78,4 @@ async function canWhat(collectClient, input) {
     }
     return policyDocument;
 }
-//# sourceMappingURL=canWhat.js.map
+//# sourceMappingURL=principalCan.js.map

package/dist/cjs/principalCan/principalCan.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"principalCan.js","sourceRoot":"","sources":["../../../src/principalCan/principalCan.ts"],"names":[],"mappings":";;AAmCA,oCAwFC;AA3HD,0DAAsD;AACtD,0DAA8D;AAC9D,wDAAwD;AAExD,oDAA6D;AAC7D,yDAK2B;AAC3B,yEAA6E;AAiB7E;;;;;;GAMG;AACI,KAAK,UAAU,YAAY,CAAC,aAA+B,EAAE,KAAwB;IAC1F,MAAM,EAAE,SAAS,EAAE,GAAG,KAAK,CAAA;IAE3B,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAA;IACpE,CAAC;IAED,MAAM,iBAAiB,GAAG,IAAA,yBAAa,EAAC,SAAS,CAAC,CAAA;IAClD,MAAM,kBAAkB,GAAG,iBAAiB,CAAC,SAAU,CAAA;IAEvD,MAAM,iBAAiB,GAAG,MAAM,IAAA,0CAA0B,EAAC,aAAa,EAAE,SAAS,CAAC,CAAA;IAEpF,MAAM,gBAAgB,GAAG;QACvB,GAAG,iBAAiB,CAAC,eAAe;QACpC,GAAG,iBAAiB,CAAC,cAAc;QACnC,GAAG,CAAC,iBAAiB,CAAC,aAAa,EAAE,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC;QACxF,GAAG,CAAC,iBAAiB,CAAC,aAAa,EAAE,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC;KACxF,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,IAAA,uBAAU,EAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAA;IAE5C,MAAM,kBAAkB,GAAG,MAAM,IAAA,iDAA8B,EAAC,OAAO,EAAE,gBAAgB,CAAC,CAAA;IAC1F,MAAM,uBAAuB,GAAG,MAAM,IAAA,iDAA8B,EAAC,MAAM,EAAE,gBAAgB,CAAC,CAAA;IAE9F,IAAI,gBAAgB,GAAG,kBAAkB,CAAA;IAEzC,yCAAyC;IACzC,MAAM,uBAAuB,GAAG,IAAI,gCAAa,CAAC,MAAM,CAAC,CAAA;IAEzD,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,IAAA,mCAAoB,EAC/E,aAAa,EACb,SAAS,CACV,CAAA;IAED,gBAAgB,CAAC,MAAM,CAAC,YAAY,CAAC,CAAA;IACrC,uBAAuB,CAAC,MAAM,CAAC,YAAY,CAAC,CAAA;IAE5C,uCAAuC;IAEvC,gIAAgI;IAChI,IAAI,iBAAiB,CAAC,kBAAkB,EAAE,CAAC;QACzC,MAAM,cAAc,GAAG,IAAA,uBAAU,EAAC,iBAAiB,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAA;QAC9E,MAAM,mBAAmB,GAAG,MAAM,IAAA,iDAA8B,EAAC,OAAO,EAAE,CAAC,cAAc,CAAC,CAAC,CAAA;QAC3F,gBAAgB,GAAG,kBAAkB,CAAC,YAAY,CAAC,mBAAmB,CAAC,CAAA;IACzE,CAAC;IAED,MAAM,gBAAgB,GAAoB,EAAE,CAAA;IAC5C,MAAM,gBAAgB,GAAoB,EAAE,CAAA;IAE5C,KAAK,MAAM,KAAK,IAAI,iBAAiB,CAAC,IAAI,EAAE,CAAC;QAC3C,MAAM,WAAW,GAAG,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAA,uBAAU,EAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAA;QACvE,gBAAgB,CAAC,IAAI,CAAC,MAAM,IAAA,iDAA8B,EAAC,OAAO,EAAE,WAAW,CAAC,CAAC,CAAA;QACjF,MAAM,IAAA,6CAA0B,EAAC,uBAAuB,EAAE,MAAM,EAAE,WAAW,CAAC,CAAA;IAChF,CAAC;IAED,MAAM,+BAA+B,GAAG,uBAAuB,CAAC,KAAK,EAAE,CAAA;IACvE,KAAK,MAAM,KAAK,IAAI,iBAAiB,CAAC,IAAI,EAAE,CAAC;QAC3C,MAAM,WAAW,GAAG,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAA,uBAAU,EAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAA;QACvE,gBAAgB,CAAC,IAAI,CAAC,MAAM,IAAA,iDAA8B,EAAC,OAAO,EAAE,WAAW,CAAC,CAAC,CAAA;QACjF,MAAM,IAAA,6CAA0B,EAAC,+BAA+B,EAAE,MAAM,EAAE,WAAW,CAAC,CAAA;IACxF,CAAC;IAED,KAAK,MAAM,QAAQ,IAAI,gBAAgB,EAAE,CAAC;QACxC,gBAAgB,GAAG,gBAAgB,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAA;IAC5D,CAAC;IAED,KAAK,MAAM,QAAQ,IAAI,gBAAgB,EAAE,CAAC;QACxC,gBAAgB,GAAG,gBAAgB,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAA;IAC5D,CAAC;IAED,6BAA6B;IAC7B,+BAA+B,CAAC,MAAM,CAAC,uBAAuB,CAAC,CAAA;IAE/D,MAAM,oBAAoB,GAAG,gBAAgB,CAAC,QAAQ,CAAC,+BAA+B,CAAC,CAAA;IACvF,gBAAgB,GAAG,oBAAoB,CAAC,KAAK,CAAA;IAC7C,MAAM,iBAAiB,GAAG,oBAAoB,CAAC,IAAI,CAAA;IAEnD,MAAM,eAAe,GAAG,IAAA,qCAAkB,EAAC,gBAAgB,CAAC,CAAA;IAC5D,MAAM,cAAc,GAAG,IAAA,qCAAkB,EAAC,iBAAiB,CAAC,CAAA;IAE5D,MAAM,cAAc,GAAG;QACrB,OAAO,EAAE,YAAY;QACrB,SAAS,EAAE,CAAC,GAAG,eAAe,EAAE,GAAG,cAAc,CAAC;KACnD,CAAA;IAED,IAAI,KAAK,CAAC,iBAAiB,EAAE,CAAC;QAC5B,MAAM,IAAA,+BAAkB,EAAC,EAAE,UAAU,EAAE,CAAC,EAAE,EAAE,cAAc,CAAC,CAAA;IAC7D,CAAC;IAED,OAAO,cAAc,CAAA;AACvB,CAAC"}

package/dist/cjs/principalCan/resources/actions.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+/**
+ * Get the actions for a resource type in a service.
+ *
+ * @param service the service to get actions for
+ * @param resourceType the resource type to get the actions for
+ * @returns the actions that can be performed on the resource type
+ */
+export declare function actionsForResourceType(service: string, resourceType: string): Promise<string[]>;
+//# sourceMappingURL=actions.d.ts.map

package/dist/cjs/principalCan/resources/actions.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"actions.d.ts","sourceRoot":"","sources":["../../../../src/principalCan/resources/actions.ts"],"names":[],"mappings":"AAMA;;;;;;GAMG;AACH,wBAAsB,sBAAsB,CAAC,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,qBAgBjF"}

package/dist/cjs/principalCan/resources/actions.js ADDED Viewed

@@ -0,0 +1,27 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.actionsForResourceType = actionsForResourceType;
+const iam_data_1 = require("@cloud-copilot/iam-data");
+/**
+ * Get the actions for a resource type in a service.
+ *
+ * @param service the service to get actions for
+ * @param resourceType the resource type to get the actions for
+ * @returns the actions that can be performed on the resource type
+ */
+async function actionsForResourceType(service, resourceType) {
+    const resourceTypeExists = await (0, iam_data_1.iamResourceTypeExists)(service, resourceType);
+    if (!resourceTypeExists) {
+        throw new Error(`Resource type ${resourceType} does not exist in service ${service}`);
+    }
+    const actions = await (0, iam_data_1.iamActionsForService)(service);
+    const matchingAction = [];
+    for (const action of actions) {
+        const actionDetails = await (0, iam_data_1.iamActionDetails)(service, action);
+        if (actionDetails?.resourceTypes?.some((rt) => rt.name === resourceType)) {
+            matchingAction.push(action);
+        }
+    }
+    return matchingAction;
+}
+//# sourceMappingURL=actions.js.map

package/dist/cjs/principalCan/resources/actions.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"actions.js","sourceRoot":"","sources":["../../../../src/principalCan/resources/actions.ts"],"names":[],"mappings":";;AAaA,wDAgBC;AA7BD,sDAIgC;AAEhC;;;;;;GAMG;AACI,KAAK,UAAU,sBAAsB,CAAC,OAAe,EAAE,YAAoB;IAChF,MAAM,kBAAkB,GAAG,MAAM,IAAA,gCAAqB,EAAC,OAAO,EAAE,YAAY,CAAC,CAAA;IAC7E,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,iBAAiB,YAAY,8BAA8B,OAAO,EAAE,CAAC,CAAA;IACvF,CAAC;IACD,MAAM,OAAO,GAAG,MAAM,IAAA,+BAAoB,EAAC,OAAO,CAAC,CAAA;IAEnD,MAAM,cAAc,GAAa,EAAE,CAAA;IACnC,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,MAAM,aAAa,GAAG,MAAM,IAAA,2BAAgB,EAAC,OAAO,EAAE,MAAM,CAAC,CAAA;QAC7D,IAAI,aAAa,EAAE,aAAa,EAAE,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,KAAK,YAAY,CAAC,EAAE,CAAC;YACzE,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;QAC7B,CAAC;IACH,CAAC;IAED,OAAO,cAAc,CAAA;AACvB,CAAC"}

package/dist/cjs/principalCan/resources/resourceTypes/s3Buckets.d.ts ADDED Viewed

@@ -0,0 +1,14 @@
+import { IamCollectClient } from '../../../collect/client.js';
+import { PermissionSet } from '../../permissionSet.js';
+/**
+ * Get the permission sets for S3 buckets in the same account as the principal.
+ *
+ * @param collectClient the IAM collect client to use for retrieving policies and resources
+ * @param principal the ARN of the principal to check
+ * @returns the Allow and Deny permission sets for S3 buckets in the same account as the principal
+ */
+export declare function s3BucketsSameAccount(collectClient: IamCollectClient, principal: string): Promise<{
+    allows: PermissionSet[];
+    denies: PermissionSet[];
+}>;
+//# sourceMappingURL=s3Buckets.d.ts.map

package/dist/cjs/principalCan/resources/resourceTypes/s3Buckets.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"s3Buckets.d.ts","sourceRoot":"","sources":["../../../../../src/principalCan/resources/resourceTypes/s3Buckets.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAA;AAE7D,OAAO,EAA+B,aAAa,EAAE,MAAM,wBAAwB,CAAA;AAInF;;;;;;GAMG;AACH,wBAAsB,oBAAoB,CACxC,aAAa,EAAE,gBAAgB,EAC/B,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC;IAAE,MAAM,EAAE,aAAa,EAAE,CAAC;IAAC,MAAM,EAAE,aAAa,EAAE,CAAA;CAAE,CAAC,CA+D/D"}

package/dist/cjs/principalCan/resources/resourceTypes/s3Buckets.js ADDED Viewed

@@ -0,0 +1,64 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.s3BucketsSameAccount = s3BucketsSameAccount;
+const iam_policy_1 = require("@cloud-copilot/iam-policy");
+const iam_utils_1 = require("@cloud-copilot/iam-utils");
+const permission_js_1 = require("../../permission.js");
+const permissionSet_js_1 = require("../../permissionSet.js");
+const actions_js_1 = require("../actions.js");
+const statements_js_1 = require("../statements.js");
+/**
+ * Get the permission sets for S3 buckets in the same account as the principal.
+ *
+ * @param collectClient the IAM collect client to use for retrieving policies and resources
+ * @param principal the ARN of the principal to check
+ * @returns the Allow and Deny permission sets for S3 buckets in the same account as the principal
+ */
+async function s3BucketsSameAccount(collectClient, principal) {
+    const principalArnParts = (0, iam_utils_1.splitArnParts)(principal);
+    const principalAccountId = principalArnParts.accountId;
+    const allBuckets = await collectClient.listResources(principalAccountId, 's3', 'bucket', undefined);
+    const bucketActions = await (0, actions_js_1.actionsForResourceType)('s3', 'bucket');
+    const objectActions = await (0, actions_js_1.actionsForResourceType)('s3', 'object');
+    const s3Actions = [...bucketActions, ...objectActions];
+    const bucketAllowPermissionSets = [];
+    const bucketDenyPermissionSets = [];
+    for (const bucket of allBuckets) {
+        const bucketPolicy = await collectClient.getResourcePolicyForArn(bucket, principalAccountId);
+        if (bucketPolicy) {
+            const loadedPolicy = (0, iam_policy_1.loadPolicy)(bucketPolicy);
+            if (loadedPolicy) {
+                const bucketArns = [bucket, `${bucket}/*`];
+                const bucketAllowPerimeter = new permissionSet_js_1.PermissionSet('Allow');
+                const bucketDenyPerimeter = new permissionSet_js_1.PermissionSet('Deny');
+                for (const action of s3Actions) {
+                    bucketAllowPerimeter.addPermission(new permission_js_1.Permission('Allow', 's3', action, bucketArns, undefined, undefined));
+                    bucketDenyPerimeter.addPermission(new permission_js_1.Permission('Deny', 's3', action, bucketArns, undefined, undefined));
+                }
+                const allowPermissionSet = new permissionSet_js_1.PermissionSet('Allow');
+                const denyPermissionSet = new permissionSet_js_1.PermissionSet('Deny');
+                for (const statement of loadedPolicy.statements()) {
+                    const applies = await (0, statements_js_1.statementAppliesToPrincipal)(statement, principal, collectClient);
+                    if (applies === 'PrincipalMatch') {
+                        if (statement.isAllow()) {
+                            await (0, permissionSet_js_1.addStatementToPermissionSet)(statement, allowPermissionSet);
+                        }
+                        else {
+                            await (0, permissionSet_js_1.addStatementToPermissionSet)(statement, denyPermissionSet);
+                        }
+                    }
+                }
+                const effectiveAllows = allowPermissionSet.intersection(bucketAllowPerimeter);
+                const effectiveDenies = denyPermissionSet.intersection(bucketDenyPerimeter);
+                if (!effectiveAllows.isEmpty()) {
+                    bucketAllowPermissionSets.push(effectiveAllows);
+                }
+                if (!effectiveDenies.isEmpty()) {
+                    bucketDenyPermissionSets.push(effectiveDenies);
+                }
+            }
+        }
+    }
+    return { allows: bucketAllowPermissionSets, denies: bucketDenyPermissionSets };
+}
+//# sourceMappingURL=s3Buckets.js.map

package/dist/cjs/principalCan/resources/resourceTypes/s3Buckets.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"s3Buckets.js","sourceRoot":"","sources":["../../../../../src/principalCan/resources/resourceTypes/s3Buckets.ts"],"names":[],"mappings":";;AAeA,oDAkEC;AAjFD,0DAAsD;AACtD,wDAAwD;AAExD,uDAAgD;AAChD,6DAAmF;AACnF,8CAAsD;AACtD,oDAA8D;AAE9D;;;;;;GAMG;AACI,KAAK,UAAU,oBAAoB,CACxC,aAA+B,EAC/B,SAAiB;IAEjB,MAAM,iBAAiB,GAAG,IAAA,yBAAa,EAAC,SAAS,CAAC,CAAA;IAClD,MAAM,kBAAkB,GAAG,iBAAiB,CAAC,SAAU,CAAA;IAEvD,MAAM,UAAU,GAAG,MAAM,aAAa,CAAC,aAAa,CAClD,kBAAkB,EAClB,IAAI,EACJ,QAAQ,EACR,SAAS,CACV,CAAA;IAED,MAAM,aAAa,GAAG,MAAM,IAAA,mCAAsB,EAAC,IAAI,EAAE,QAAQ,CAAC,CAAA;IAClE,MAAM,aAAa,GAAG,MAAM,IAAA,mCAAsB,EAAC,IAAI,EAAE,QAAQ,CAAC,CAAA;IAElE,MAAM,SAAS,GAAG,CAAC,GAAG,aAAa,EAAE,GAAG,aAAa,CAAC,CAAA;IAEtD,MAAM,yBAAyB,GAAoB,EAAE,CAAA;IACrD,MAAM,wBAAwB,GAAoB,EAAE,CAAA;IAEpD,KAAK,MAAM,MAAM,IAAI,UAAU,EAAE,CAAC;QAChC,MAAM,YAAY,GAAG,MAAM,aAAa,CAAC,uBAAuB,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAA;QAC5F,IAAI,YAAY,EAAE,CAAC;YACjB,MAAM,YAAY,GAAG,IAAA,uBAAU,EAAC,YAAY,CAAC,CAAA;YAC7C,IAAI,YAAY,EAAE,CAAC;gBACjB,MAAM,UAAU,GAAG,CAAC,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,CAAA;gBAC1C,MAAM,oBAAoB,GAAG,IAAI,gCAAa,CAAC,OAAO,CAAC,CAAA;gBACvD,MAAM,mBAAmB,GAAG,IAAI,gCAAa,CAAC,MAAM,CAAC,CAAA;gBACrD,KAAK,MAAM,MAAM,IAAI,SAAS,EAAE,CAAC;oBAC/B,oBAAoB,CAAC,aAAa,CAChC,IAAI,0BAAU,CAAC,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,CAAC,CACxE,CAAA;oBACD,mBAAmB,CAAC,aAAa,CAC/B,IAAI,0BAAU,CAAC,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,CAAC,CACvE,CAAA;gBACH,CAAC;gBAED,MAAM,kBAAkB,GAAG,IAAI,gCAAa,CAAC,OAAO,CAAC,CAAA;gBACrD,MAAM,iBAAiB,GAAG,IAAI,gCAAa,CAAC,MAAM,CAAC,CAAA;gBAEnD,KAAK,MAAM,SAAS,IAAI,YAAY,CAAC,UAAU,EAAE,EAAE,CAAC;oBAClD,MAAM,OAAO,GAAG,MAAM,IAAA,2CAA2B,EAAC,SAAS,EAAE,SAAS,EAAE,aAAa,CAAC,CAAA;oBACtF,IAAI,OAAO,KAAK,gBAAgB,EAAE,CAAC;wBACjC,IAAI,SAAS,CAAC,OAAO,EAAE,EAAE,CAAC;4BACxB,MAAM,IAAA,8CAA2B,EAAC,SAAS,EAAE,kBAAkB,CAAC,CAAA;wBAClE,CAAC;6BAAM,CAAC;4BACN,MAAM,IAAA,8CAA2B,EAAC,SAAS,EAAE,iBAAiB,CAAC,CAAA;wBACjE,CAAC;oBACH,CAAC;gBACH,CAAC;gBAED,MAAM,eAAe,GAAG,kBAAkB,CAAC,YAAY,CAAC,oBAAoB,CAAC,CAAA;gBAC7E,MAAM,eAAe,GAAG,iBAAiB,CAAC,YAAY,CAAC,mBAAmB,CAAC,CAAA;gBAC3E,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,EAAE,CAAC;oBAC/B,yBAAyB,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;gBACjD,CAAC;gBACD,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,EAAE,CAAC;oBAC/B,wBAAwB,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;gBAChD,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,yBAAyB,EAAE,MAAM,EAAE,wBAAwB,EAAE,CAAA;AAChF,CAAC"}

package/dist/cjs/principalCan/resources/statements.d.ts ADDED Viewed

@@ -0,0 +1,27 @@
+import { Policy, Statement } from '@cloud-copilot/iam-policy';
+import { IamCollectClient } from '../../collect/client.js';
+export type StatementPrincipalMatchType = 'PrincipalMatch' | 'AccountMatch' | 'NoMatch';
+/**
+ * Checks to see if a statement applies to a principal by running a simulation.
+ *
+ * If the principal is a match return 'PrincipalMatch'
+ * If the account is a match return 'AccountMatch'
+ * Otherwise return 'NoMatch'
+ *
+ * @param statement the statement to check
+ * @param principalArn the arn of the principal to check
+ * @param client the IAM collect client to use for retrieving principal information
+ * @returns Whether the statement applies to the principal
+ */
+export declare function statementAppliesToPrincipal(statement: Statement, principalArn: string, client: IamCollectClient): Promise<StatementPrincipalMatchType>;
+/**
+ * Makes a policy that captures the principal and principal conditions from a statement
+ * and allows all actions on all resources.
+ *
+ * The conditions returned are only those that relate to the principal.
+ *
+ * @param statement the statement to extract the principal from
+ * @returns
+ */
+export declare function makePrincipalOnlyPolicyFromStatement(statement: Statement): Policy;
+//# sourceMappingURL=statements.d.ts.map

package/dist/cjs/principalCan/resources/statements.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"statements.d.ts","sourceRoot":"","sources":["../../../../src/principalCan/resources/statements.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,MAAM,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAA;AAGzE,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAA;AAI1D,MAAM,MAAM,2BAA2B,GAAG,gBAAgB,GAAG,cAAc,GAAG,SAAS,CAAA;AAEvF;;;;;;;;;;;GAWG;AACH,wBAAsB,2BAA2B,CAC/C,SAAS,EAAE,SAAS,EACpB,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,gBAAgB,GACvB,OAAO,CAAC,2BAA2B,CAAC,CA2CtC;AAeD;;;;;;;;GAQG;AACH,wBAAgB,oCAAoC,CAAC,SAAS,EAAE,SAAS,GAAG,MAAM,CAiCjF"}

package/dist/cjs/principalCan/resources/statements.js ADDED Viewed

@@ -0,0 +1,113 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.statementAppliesToPrincipal = statementAppliesToPrincipal;
+exports.makePrincipalOnlyPolicyFromStatement = makePrincipalOnlyPolicyFromStatement;
+const iam_policy_1 = require("@cloud-copilot/iam-policy");
+const iam_simulate_1 = require("@cloud-copilot/iam-simulate");
+const iam_utils_1 = require("@cloud-copilot/iam-utils");
+const contextKeys_js_1 = require("../../simulate/contextKeys.js");
+/**
+ * Checks to see if a statement applies to a principal by running a simulation.
+ *
+ * If the principal is a match return 'PrincipalMatch'
+ * If the account is a match return 'AccountMatch'
+ * Otherwise return 'NoMatch'
+ *
+ * @param statement the statement to check
+ * @param principalArn the arn of the principal to check
+ * @param client the IAM collect client to use for retrieving principal information
+ * @returns Whether the statement applies to the principal
+ */
+async function statementAppliesToPrincipal(statement, principalArn, client) {
+    const principalAccount = (0, iam_utils_1.splitArnParts)(principalArn).accountId;
+    const resourcePolicy = makePrincipalOnlyPolicyFromStatement(statement);
+    const simulationRequest = {
+        principal: principalArn,
+        action: 's3:ListBucket',
+        resourceAccount: principalAccount,
+        resourceArn: undefined,
+        customContextKeys: {},
+        simulationMode: 'Strict'
+    };
+    const contextKeys = await (0, contextKeys_js_1.createContextKeys)(client, simulationRequest, 's3', {});
+    const request = {
+        action: 's3:ListBucket',
+        resource: {
+            resource: 'arn:aws:s3:::example-bucket',
+            accountId: principalAccount
+        },
+        principal: principalArn,
+        contextVariables: contextKeys
+    };
+    const simulation = {
+        request,
+        identityPolicies: [],
+        resourcePolicy: resourcePolicy.toJSON(),
+        serviceControlPolicies: [],
+        resourceControlPolicies: []
+    };
+    const result = await (0, iam_simulate_1.runSimulation)(simulation, {
+        simulationMode: simulationRequest.simulationMode
+    });
+    if (result.analysis?.result === 'Allowed') {
+        return 'PrincipalMatch';
+    }
+    if (result.analysis?.resourceAnalysis?.result === 'AllowedForAccount') {
+        return 'AccountMatch';
+    }
+    return 'NoMatch';
+}
+const principalKeys = new Set([
+    'aws:PrincipalArn',
+    'aws:PrincipalAccount',
+    'aws:PrincipalOrgId',
+    'aws:PrincipalOrgPaths',
+    'aws:PrincipalType',
+    'aws:userid',
+    'aws:username',
+    'aws:PrincipalIsAWSService'
+].map((k) => k.toLowerCase()));
+/**
+ * Makes a policy that captures the principal and principal conditions from a statement
+ * and allows all actions on all resources.
+ *
+ * The conditions returned are only those that relate to the principal.
+ *
+ * @param statement the statement to extract the principal from
+ * @returns
+ */
+function makePrincipalOnlyPolicyFromStatement(statement) {
+    const rawStatement = structuredClone(statement.toJSON());
+    const rawStatementValues = {};
+    if (statement.isPrincipalStatement()) {
+        rawStatementValues.Principal = rawStatement.Principal;
+    }
+    else if (statement.isNotPrincipalStatement()) {
+        rawStatementValues.NotPrincipal = rawStatement.NotPrincipal;
+    }
+    if (rawStatement.Condition) {
+        for (const operator of Object.keys(rawStatement.Condition)) {
+            for (const key of Object.keys(rawStatement.Condition[operator])) {
+                if (!principalKeys.has(key.toLowerCase())) {
+                    delete rawStatement.Condition[operator][key];
+                }
+            }
+            if (Object.keys(rawStatement.Condition[operator]).length === 0) {
+                delete rawStatement.Condition[operator];
+            }
+        }
+        if (Object.keys(rawStatement.Condition).length > 0) {
+            rawStatementValues.Condition = rawStatement.Condition;
+        }
+    }
+    return (0, iam_policy_1.loadPolicy)({
+        Version: '2012-10-17',
+        Statement: {
+            Effect: 'Allow',
+            Resource: '*',
+            Action: '*',
+            ...rawStatementValues
+        }
+    });
+}
+//# sourceMappingURL=statements.js.map

package/dist/cjs/principalCan/resources/statements.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"statements.js","sourceRoot":"","sources":["../../../../src/principalCan/resources/statements.ts"],"names":[],"mappings":";;AAqBA,kEA+CC;AAwBD,oFAiCC;AA7HD,0DAAyE;AACzE,8DAAuE;AACvE,wDAAwD;AAExD,kEAAiE;AAKjE;;;;;;;;;;;GAWG;AACI,KAAK,UAAU,2BAA2B,CAC/C,SAAoB,EACpB,YAAoB,EACpB,MAAwB;IAExB,MAAM,gBAAgB,GAAG,IAAA,yBAAa,EAAC,YAAY,CAAC,CAAC,SAAU,CAAA;IAC/D,MAAM,cAAc,GAAG,oCAAoC,CAAC,SAAS,CAAC,CAAA;IACtE,MAAM,iBAAiB,GAAsB;QAC3C,SAAS,EAAE,YAAY;QACvB,MAAM,EAAE,eAAe;QACvB,eAAe,EAAE,gBAAgB;QACjC,WAAW,EAAE,SAAS;QACtB,iBAAiB,EAAE,EAAE;QACrB,cAAc,EAAE,QAAQ;KACzB,CAAA;IAED,MAAM,WAAW,GAAG,MAAM,IAAA,kCAAiB,EAAC,MAAM,EAAE,iBAAiB,EAAE,IAAI,EAAE,EAAE,CAAC,CAAA;IAEhF,MAAM,OAAO,GAA0B;QACrC,MAAM,EAAE,eAAe;QACvB,QAAQ,EAAE;YACR,QAAQ,EAAE,6BAA6B;YACvC,SAAS,EAAE,gBAAgB;SAC5B;QACD,SAAS,EAAE,YAAY;QACvB,gBAAgB,EAAE,WAAW;KAC9B,CAAA;IAED,MAAM,UAAU,GAAe;QAC7B,OAAO;QACP,gBAAgB,EAAE,EAAE;QACpB,cAAc,EAAE,cAAc,CAAC,MAAM,EAAE;QACvC,sBAAsB,EAAE,EAAE;QAC1B,uBAAuB,EAAE,EAAE;KAC5B,CAAA;IAED,MAAM,MAAM,GAAG,MAAM,IAAA,4BAAa,EAAC,UAAU,EAAE;QAC7C,cAAc,EAAE,iBAAiB,CAAC,cAAc;KACjD,CAAC,CAAA;IAEF,IAAI,MAAM,CAAC,QAAQ,EAAE,MAAM,KAAK,SAAS,EAAE,CAAC;QAC1C,OAAO,gBAAgB,CAAA;IACzB,CAAC;IACD,IAAI,MAAM,CAAC,QAAQ,EAAE,gBAAgB,EAAE,MAAM,KAAK,mBAAmB,EAAE,CAAC;QACtE,OAAO,cAAc,CAAA;IACvB,CAAC;IACD,OAAO,SAAS,CAAA;AAClB,CAAC;AAED,MAAM,aAAa,GAAG,IAAI,GAAG,CAC3B;IACE,kBAAkB;IAClB,sBAAsB;IACtB,oBAAoB;IACpB,uBAAuB;IACvB,mBAAmB;IACnB,YAAY;IACZ,cAAc;IACd,2BAA2B;CAC5B,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAC9B,CAAA;AAED;;;;;;;;GAQG;AACH,SAAgB,oCAAoC,CAAC,SAAoB;IACvE,MAAM,YAAY,GAAG,eAAe,CAAC,SAAS,CAAC,MAAM,EAAE,CAAC,CAAA;IACxD,MAAM,kBAAkB,GAAQ,EAAE,CAAA;IAClC,IAAI,SAAS,CAAC,oBAAoB,EAAE,EAAE,CAAC;QACrC,kBAAkB,CAAC,SAAS,GAAG,YAAY,CAAC,SAAS,CAAA;IACvD,CAAC;SAAM,IAAI,SAAS,CAAC,uBAAuB,EAAE,EAAE,CAAC;QAC/C,kBAAkB,CAAC,YAAY,GAAG,YAAY,CAAC,YAAY,CAAA;IAC7D,CAAC;IACD,IAAI,YAAY,CAAC,SAAS,EAAE,CAAC;QAC3B,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,EAAE,CAAC;YAC3D,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;gBAChE,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;oBAC1C,OAAO,YAAY,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,CAAA;gBAC9C,CAAC;YACH,CAAC;YACD,IAAI,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC/D,OAAO,YAAY,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAA;YACzC,CAAC;QACH,CAAC;QACD,IAAI,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACnD,kBAAkB,CAAC,SAAS,GAAG,YAAY,CAAC,SAAS,CAAA;QACvD,CAAC;IACH,CAAC;IAED,OAAO,IAAA,uBAAU,EAAC;QAChB,OAAO,EAAE,YAAY;QACrB,SAAS,EAAE;YACT,MAAM,EAAE,OAAO;YACf,QAAQ,EAAE,GAAG;YACb,MAAM,EAAE,GAAG;YACX,GAAG,kBAAkB;SACtB;KACF,CAAC,CAAA;AACJ,CAAC"}