npm - @cloud-copilot/iam-lens - Versions diffs - 0.1.44 → 0.1.45 - Mend

@cloud-copilot/iam-lens 0.1.44 → 0.1.45

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (83) hide show

package/dist/esm/{canWhat → principalCan}/permissionSet.js RENAMED Viewed

@@ -10,6 +10,12 @@ export class PermissionSet {
         this.effect = effect;
         this.permissions = {};
     }
+    /**
+     * Add a new permission to the set.  If the new permission overlaps with an existing one,
+     * they will be unioned together to avoid redundancy.
+     *
+     * @param newPermission the permission to add
+     */
     addPermission(newPermission) {
         if (newPermission.effect !== this.effect) {
             throw new Error(`Permission effect ${newPermission.effect} does not match PermissionSet effect ${this.effect}`);
@@ -65,18 +71,50 @@ export class PermissionSet {
         }
         this.permissions[service][action] = newPermissions;
     }
+    /**
+     * Get the permissions for a specific service and action.
+     *
+     * @param service the service to get permissions for
+     * @param action the action to get permissions for
+     * @returns the permissions that match the service and action
+     */
     getPermissions(service, action) {
         if (!this.permissions[service] || !this.permissions[service][action]) {
             return [];
         }
         return this.permissions[service][action];
     }
+    /**
+     * Check if the permission set has any permissions for a specific service
+     *
+     * @param service the service to check permissions for
+     * @returns true if the permission set has permissions for the service, false otherwise
+     */
     hasService(service) {
         return !!this.permissions[service];
     }
+    /**
+     * Check if the permission set has any permissions for a specific action
+     *
+     * @param service the service the action belongs to
+     * @param action the action to check permissions for
+     * @returns true if the permission set has permissions for the action, false otherwise
+     */
     hasAction(service, action) {
         return !!(this.permissions[service] && this.permissions[service][action]);
     }
+    /**
+     * Check if the permission set is empty (has no permissions)
+     * @returns true if the permission set is empty, false otherwise
+     */
+    isEmpty() {
+        return Object.keys(this.permissions).length === 0;
+    }
+    /**
+     * Get all the permissions in the permission set
+     *
+     * @returns a copy of all the permissions in the permission set
+     */
     getAllPermissions() {
         const allPermissions = [];
         for (const service in this.permissions) {
@@ -90,6 +128,10 @@ export class PermissionSet {
      * Return a new PermissionSet containing the intersection of this set and another.
      * Only permissions that overlap (same effect, service, action, and intersecting resources/conditions)
      * will be included.
+     *
+     * @param other The other PermissionSet to intersect with.
+     * @returns A new PermissionSet containing the intersecting permissions.
+     * @throws Error if the effects of the two PermissionSets do not match.
      */
     intersection(other) {
         if (this.effect !== other.effect) {
@@ -116,6 +158,15 @@ export class PermissionSet {
         }
         return result;
     }
+    /**
+     * Subtract a Deny PermissionSet from this Allow PermissionSet.
+     *
+     * Returns two PermissionSets: one with the remaining Allow permissions,
+     * and one with any Deny permissions that were created as a result of the subtraction.
+     *
+     * @param deny the Deny PermissionSet to subtract
+     * @returns an object containing the resulting Allow and Deny PermissionSets
+     */
     subtract(deny) {
         if (this.effect !== 'Allow' || deny.effect !== 'Deny') {
             throw new Error('Can only subtract a Deny PermissionSet from an Allow PermissionSet');
@@ -161,6 +212,27 @@ export class PermissionSet {
         }
         return { allow: allowSet, deny: denySet };
     }
+    /**
+     * Add all permissions from another PermissionSet to this one.
+     *
+     * @param others the other PermissionSet (or array of PermissionSets) to add permissions from
+     * @throws Error if the effects of the two PermissionSets do not match
+     */
+    addAll(others) {
+        if (!Array.isArray(others)) {
+            others = [others];
+        }
+        for (const other of others) {
+            if (other.effect !== this.effect) {
+                throw new Error('Cannot add PermissionSets with different effects');
+            }
+        }
+        for (const other of others) {
+            for (const perm of other.getAllPermissions()) {
+                this.addPermission(perm);
+            }
+        }
+    }
     /**
      * Deep clones the PermissionSet.
      *
@@ -212,37 +284,54 @@ export async function addPoliciesToPermissionSet(permissionSet, effect, policies
             if (effect === 'Allow' && !stmt.isAllow()) {
                 continue; // skip Deny or any other non-Allow effect
             }
-            else if (effect === 'Deny' && stmt.isAllow()) {
+            else if (effect === 'Deny' && !stmt.isDeny()) {
                 continue; // skip Allow statements if we're building a Deny set
             }
-            let statementActions;
-            if (stmt.isActionStatement()) {
-                const allActions = stmt.actions().map((a) => a.value());
-                statementActions = await expandIamActions(allActions, { expandAsterisk: true });
-            }
-            else if (stmt.isNotActionStatement()) {
-                statementActions = await invertIamActions(stmt.notActions().map((a) => a.value()));
-            }
-            else {
-                continue;
-            }
-            for (const fullAction of statementActions) {
-                const [service, actionName] = fullAction.split(':');
-                if (!service || !actionName)
-                    continue;
-                let resource = undefined;
-                let notResource = undefined;
-                if (stmt.isResourceStatement()) {
-                    resource = stmt.resources().map((r) => r.value());
-                }
-                else if (stmt.isNotResourceStatement()) {
-                    notResource = stmt.notResources().map((r) => r.value());
-                }
-                permissionSet.addPermission(new Permission(effect, service, actionName, resource, notResource, stmt.conditionMap()));
-            }
+            await addStatementToPermissionSet(stmt, permissionSet);
+        }
+    }
+}
+/**
+ * Add a single Statement to a PermissionSet, expanding it into one or more Permissions as needed.
+ *
+ * @param statement the IAM policy statement to add
+ * @param permissionSet the PermissionSet to add the statement to
+ * @returns nothing; the PermissionSet is modified in place
+ */
+export async function addStatementToPermissionSet(statement, permissionSet) {
+    const effect = statement.effect();
+    let statementActions;
+    if (statement.isActionStatement()) {
+        const allActions = statement.actions().map((a) => a.value());
+        statementActions = await expandIamActions(allActions, { expandAsterisk: true });
+    }
+    else if (statement.isNotActionStatement()) {
+        statementActions = await invertIamActions(statement.notActions().map((a) => a.value()));
+    }
+    else {
+        return;
+    }
+    for (const fullAction of statementActions) {
+        const [service, actionName] = fullAction.split(':');
+        if (!service || !actionName)
+            continue;
+        let resource = undefined;
+        let notResource = undefined;
+        if (statement.isResourceStatement()) {
+            resource = statement.resources().map((r) => r.value());
         }
+        else if (statement.isNotResourceStatement()) {
+            notResource = statement.notResources().map((r) => r.value());
+        }
+        permissionSet.addPermission(new Permission(effect, service, actionName, resource, notResource, statement.conditionMap()));
     }
 }
+/**
+ * Create a consistent key for any permission
+ *
+ * @param p the permission to create a key for
+ * @returns a string key that uniquely identifies the permission's resources and conditions
+ */
 function canonicalKey(p) {
     // Sort resource arrays so ["B","A"] == ["A","B"]
     const resources = p.resource?.slice().sort() ?? null;
@@ -262,6 +351,12 @@ function canonicalKey(p) {
     // Effect is fixed for the whole PermissionSet, so not needed in the key.
     return JSON.stringify({ resources, notResource, canonicalCond });
 }
+/**
+ * Convert a PermissionSet into an array of IAM policy statements.
+ *
+ * @param set the PermissionSet to convert
+ * @returns an array of IAM policy statements
+ */
 export function toPolicyStatements(set) {
     const buckets = new Map();
     for (const perm of set.getAllPermissions()) {

package/dist/esm/principalCan/permissionSet.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"permissionSet.js","sourceRoot":"","sources":["../../../src/principalCan/permissionSet.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAA;AAE9E,OAAO,EAAE,UAAU,EAAoB,MAAM,iBAAiB,CAAA;AAE9D;;;;GAIG;AACH,MAAM,OAAO,aAAa;IAGxB,YAA4B,MAAwB;QAAxB,WAAM,GAAN,MAAM,CAAkB;QAF5C,gBAAW,GAAiD,EAAE,CAAA;IAEf,CAAC;IAExD;;;;;OAKG;IACI,aAAa,CAAC,aAAyB;QAC5C,IAAI,aAAa,CAAC,MAAM,KAAK,IAAI,CAAC,MAAM,EAAE,CAAC;YACzC,MAAM,IAAI,KAAK,CACb,qBAAqB,aAAa,CAAC,MAAM,wCAAwC,IAAI,CAAC,MAAM,EAAE,CAC/F,CAAA;QACH,CAAC;QAED,MAAM,OAAO,GAAG,aAAa,CAAC,OAAO,CAAA;QACrC,MAAM,MAAM,GAAG,aAAa,CAAC,MAAM,CAAA;QACnC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,EAAE,CAAC;YAC/B,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,GAAG,EAAE,CAAA;QAChC,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;YACvC,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,GAAG,EAAE,CAAA;QACxC,CAAC;QACD,MAAM,mBAAmB,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,CAAA;QAC7D,IAAI,mBAAmB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACrC,mBAAmB,CAAC,IAAI,CAAC,aAAa,CAAC,CAAA;YACvC,OAAM;QACR,CAAC;QAED,IAAI,gBAAgB,GAAG,KAAK,CAAA;QAC5B,IAAI,kBAAkB,GAAG,KAAK,CAAA;QAC9B,IAAI,KAAK,GAA2B,mBAAmB,CAAC,CAAC,CAAC,CAAA;QAC1D,IAAI,IAAI,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;QACvC,MAAM,cAAc,GAAiB,EAAE,CAAA;QACvC,OAAO,KAAK,EAAE,CAAC;YACb,MAAM,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC,aAAa,CAAC,CAAA;YAC9C,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC7B,MAAM,iBAAiB,GAAG,WAAW,CAAC,CAAC,CAAC,CAAA;gBACxC,IAAI,iBAAiB,IAAI,KAAK,EAAE,CAAC;oBAC/B,wFAAwF;oBACxF,OAAM;gBACR,CAAC;gBACD,IAAI,iBAAiB,IAAI,aAAa,EAAE,CAAC;oBACvC,gBAAgB,GAAG,IAAI,CAAA;oBACvB,kFAAkF;gBACpF,CAAC;qBAAM,CAAC;oBACN,mEAAmE;oBACnE,cAAc,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;oBACtC,kBAAkB,GAAG,IAAI,CAAA;gBAC3B,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;YAC5B,CAAC;YACD,KAAK,GAAG,IAAI,CAAC,KAAK,EAAE,CAAA;QACtB,CAAC;QAED,IAAI,gBAAgB,IAAI,CAAC,kBAAkB,EAAE,CAAC;YAC5C,2FAA2F;YAC3F,cAAc,CAAC,IAAI,CAAC,aAAa,CAAC,CAAA;QACpC,CAAC;aAAM,IAAI,CAAC,gBAAgB,IAAI,CAAC,kBAAkB,EAAE,CAAC;YACpD,2FAA2F;YAC3F,cAAc,CAAC,IAAI,CAAC,aAAa,CAAC,CAAA;QACpC,CAAC;QACD,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,GAAG,cAAc,CAAA;IACpD,CAAC;IAED;;;;;;OAMG;IACI,cAAc,CAAC,OAAe,EAAE,MAAc;QACnD,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;YACrE,OAAO,EAAE,CAAA;QACX,CAAC;QACD,OAAO,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,CAAA;IAC1C,CAAC;IAED;;;;;OAKG;IACI,UAAU,CAAC,OAAe;QAC/B,OAAO,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAA;IACpC,CAAC;IAED;;;;;;OAMG;IACI,SAAS,CAAC,OAAe,EAAE,MAAc;QAC9C,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC,CAAA;IAC3E,CAAC;IAED;;;OAGG;IACI,OAAO;QACZ,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,MAAM,KAAK,CAAC,CAAA;IACnD,CAAC;IAED;;;;OAIG;IACI,iBAAiB;QACtB,MAAM,cAAc,GAAiB,EAAE,CAAA;QACvC,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACvC,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC/C,cAAc,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC,CAAA;YAC3D,CAAC;QACH,CAAC;QACD,OAAO,cAAc,CAAA;IACvB,CAAC;IAED;;;;;;;;OAQG;IACI,YAAY,CAAC,KAAoB;QACtC,IAAI,IAAI,CAAC,MAAM,KAAK,KAAK,CAAC,MAAM,EAAE,CAAC;YACjC,MAAM,IAAI,KAAK,CAAC,wDAAwD,CAAC,CAAA;QAC3E,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;QAE7C,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;YACpD,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC;gBAAE,SAAQ;YAExC,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;gBAC5D,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,OAAO,EAAE,MAAM,CAAC;oBAAE,SAAQ;gBAE/C,MAAM,eAAe,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;gBAC5D,MAAM,gBAAgB,GAAG,KAAK,CAAC,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;gBAE9D,KAAK,MAAM,cAAc,IAAI,eAAe,EAAE,CAAC;oBAC7C,KAAK,MAAM,eAAe,IAAI,gBAAgB,EAAE,CAAC;wBAC/C,MAAM,EAAE,GAAG,cAAc,CAAC,YAAY,CAAC,eAAe,CAAC,CAAA;wBACvD,IAAI,EAAE,EAAE,CAAC;4BACP,MAAM,CAAC,aAAa,CAAC,EAAE,CAAC,CAAA;wBAC1B,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAA;IACf,CAAC;IAED;;;;;;;;OAQG;IACI,QAAQ,CAAC,IAAmB;QACjC,IAAI,IAAI,CAAC,MAAM,KAAK,OAAO,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YACtD,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAA;QACvF,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,aAAa,CAAC,OAAO,CAAC,CAAA;QAC3C,MAAM,OAAO,GAAG,IAAI,aAAa,CAAC,MAAM,CAAC,CAAA;QAEzC,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;YACpD,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC9B,4DAA4D;gBAC5D,0EAA0E;gBAC1E,QAAQ,CAAC,WAAW,CAAC,OAAO,CAAC,GAAG,QAAQ,CAAC,WAAW,CAAC,OAAO,CAAC,IAAI,EAAE,CAAA;gBACnE,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;oBAC5D,QAAQ,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAA;gBACnF,CAAC;gBACD,SAAQ;YACV,CAAC;YAED,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;gBAC5D,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE,CAAC;oBACrC,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,OAAO,CAAC,EAAE,CAAC;wBACnC,QAAQ,CAAC,WAAW,CAAC,OAAO,CAAC,GAAG,EAAE,CAAA;oBACpC,CAAC;oBACD,yEAAyE;oBACzE,sEAAsE;oBACtE,QAAQ,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAA;oBACjF,SAAQ;gBACV,CAAC;gBAED,MAAM,eAAe,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;gBAC5D,MAAM,eAAe,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;gBAE5D,KAAK,MAAM,cAAc,IAAI,eAAe,EAAE,CAAC;oBAC7C,KAAK,MAAM,cAAc,IAAI,eAAe,EAAE,CAAC;wBAC7C,MAAM,UAAU,GAAG,cAAc,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAA;wBAC1D,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;4BAC9B,IAAI,IAAI,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;gCAC5B,QAAQ,CAAC,aAAa,CAAC,IAAI,CAAC,CAAA;4BAC9B,CAAC;iCAAM,CAAC;gCACN,OAAO,CAAC,aAAa,CAAC,IAAI,CAAC,CAAA;4BAC7B,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,CAAA;IAC3C,CAAC;IAED;;;;;OAKG;IACI,MAAM,CAAC,MAAuC;QACnD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAC3B,MAAM,GAAG,CAAC,MAAM,CAAC,CAAA;QACnB,CAAC;QAED,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,IAAI,KAAK,CAAC,MAAM,KAAK,IAAI,CAAC,MAAM,EAAE,CAAC;gBACjC,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAA;YACrE,CAAC;QACH,CAAC;QAED,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,iBAAiB,EAAE,EAAE,CAAC;gBAC7C,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,CAAA;YAC1B,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,KAAK;QACH,MAAM,KAAK,GAAG,IAAI,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;QAC5C,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACvC,KAAK,CAAC,WAAW,CAAC,OAAO,CAAC,GAAG,EAAE,CAAA;YAC/B,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC/C,KAAK,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC,CAAA;YAC7E,CAAC;QACH,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;CACF;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,CAAC,KAAK,UAAU,8BAA8B,CAClD,MAAwB,EACxB,QAAkB;IAElB,2DAA2D;IAC3D,MAAM,aAAa,GAAG,IAAI,aAAa,CAAC,MAAM,CAAC,CAAA;IAC/C,MAAM,0BAA0B,CAAC,aAAa,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAA;IACjE,OAAO,aAAa,CAAA;AACtB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAC9C,aAA4B,EAC5B,MAAwB,EACxB,QAAkB;IAElB,KAAK,MAAM,MAAM,IAAI,QAAQ,EAAE,CAAC;QAC9B,qEAAqE;QACrE,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;YACvC,IAAI,MAAM,KAAK,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC;gBAC1C,SAAQ,CAAC,0CAA0C;YACrD,CAAC;iBAAM,IAAI,MAAM,KAAK,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;gBAC/C,SAAQ,CAAC,qDAAqD;YAChE,CAAC;YACD,MAAM,2BAA2B,CAAC,IAAI,EAAE,aAAa,CAAC,CAAA;QACxD,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAC/C,SAAoB,EACpB,aAA4B;IAE5B,MAAM,MAAM,GAAG,SAAS,CAAC,MAAM,EAAsB,CAAA;IACrD,IAAI,gBAA0B,CAAA;IAC9B,IAAI,SAAS,CAAC,iBAAiB,EAAE,EAAE,CAAC;QAClC,MAAM,UAAU,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,CAAA;QAC5D,gBAAgB,GAAG,MAAM,gBAAgB,CAAC,UAAU,EAAE,EAAE,cAAc,EAAE,IAAI,EAAE,CAAC,CAAA;IACjF,CAAC;SAAM,IAAI,SAAS,CAAC,oBAAoB,EAAE,EAAE,CAAC;QAC5C,gBAAgB,GAAG,MAAM,gBAAgB,CAAC,SAAS,CAAC,UAAU,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,CAAA;IACzF,CAAC;SAAM,CAAC;QACN,OAAM;IACR,CAAC;IAED,KAAK,MAAM,UAAU,IAAI,gBAAgB,EAAE,CAAC;QAC1C,MAAM,CAAC,OAAO,EAAE,UAAU,CAAC,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QACnD,IAAI,CAAC,OAAO,IAAI,CAAC,UAAU;YAAE,SAAQ;QAErC,IAAI,QAAQ,GAAyB,SAAS,CAAA;QAC9C,IAAI,WAAW,GAAyB,SAAS,CAAA;QACjD,IAAI,SAAS,CAAC,mBAAmB,EAAE,EAAE,CAAC;YACpC,QAAQ,GAAG,SAAS,CAAC,SAAS,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,CAAA;QACxD,CAAC;aAAM,IAAI,SAAS,CAAC,sBAAsB,EAAE,EAAE,CAAC;YAC9C,WAAW,GAAG,SAAS,CAAC,YAAY,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,CAAA;QAC9D,CAAC;QAED,aAAa,CAAC,aAAa,CACzB,IAAI,UAAU,CAAC,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,WAAW,EAAE,SAAS,CAAC,YAAY,EAAE,CAAC,CAC7F,CAAA;IACH,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAS,YAAY,CAAC,CAAa;IACjC,iDAAiD;IACjD,MAAM,SAAS,GAAG,CAAC,CAAC,QAAQ,EAAE,KAAK,EAAE,CAAC,IAAI,EAAE,IAAI,IAAI,CAAA;IACpD,MAAM,WAAW,GAAG,CAAC,CAAC,WAAW,EAAE,KAAK,EAAE,CAAC,IAAI,EAAE,IAAI,IAAI,CAAA;IAEzD,4DAA4D;IAC5D,0EAA0E;IAC1E,MAAM,aAAa,GAAG,CAAC,CAAC,UAAU;QAChC,CAAC,CAAC,IAAI,CAAC,SAAS,CACZ,MAAM,CAAC,WAAW,CAChB,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC;aACzB,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;aACtC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;YACjB,EAAE;YACF,MAAM,CAAC,WAAW,CAChB,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;iBACf,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;iBACtC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CACvC;SACF,CAAC,CACL,CACF;QACH,CAAC,CAAC,IAAI,CAAA;IAER,yEAAyE;IACzE,OAAO,IAAI,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,WAAW,EAAE,aAAa,EAAE,CAAC,CAAA;AAClE,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAkB;IACnD,MAAM,OAAO,GAAG,IAAI,GAAG,EAGpB,CAAA;IAEH,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,iBAAiB,EAAE,EAAE,CAAC;QAC3C,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,CAAC,CAAA;QAC9B,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI;YACjC,GAAG,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,QAAS,CAAC,CAAC,CAAC,CAAC,SAAS;YACpD,MAAM,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,WAAY,CAAC,CAAC,CAAC,CAAC,SAAS;YAC7D,IAAI,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;YACnD,OAAO,EAAE,EAAE;SACZ,CAAA;QACD,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,CAAA;QACrD,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;IAC1B,CAAC;IAED,mDAAmD;IACnD,MAAM,UAAU,GAAG,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACnD,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE;QAC9E,QAAQ,EAAE,CAAC,CAAC,GAAG;QACf,WAAW,EAAE,CAAC,CAAC,MAAM;QACrB,SAAS,EAAE,CAAC,CAAC,IAAI;KAClB,CAAC,CAAC,CAAA;IAEH,OAAO,UAAU,CAAA;AACnB,CAAC"}

package/dist/esm/{canWhat/canWhat.d.ts → principalCan/principalCan.d.ts} RENAMED Viewed

@@ -2,7 +2,7 @@ import { IamCollectClient } from '../collect/client.js';
 /**
  * Input for the can-what command.
  */
-export interface CanWhatInput {
+export interface PrincipalCanInput {
     /**
      * The ARN of the principal to check permissions for.
      */
@@ -19,8 +19,8 @@ export interface CanWhatInput {
  * @param input the input containing the principal and options.
  * @returns A promise that resolves to the permissions the principal can perform, or void if the implementation is incomplete.
  */
-export declare function canWhat(collectClient: IamCollectClient, input: CanWhatInput): Promise<{
+export declare function principalCan(collectClient: IamCollectClient, input: PrincipalCanInput): Promise<{
     Version: string;
     Statement: any[];
 }>;
-//# sourceMappingURL=canWhat.d.ts.map
+//# sourceMappingURL=principalCan.d.ts.map

package/dist/esm/principalCan/principalCan.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"principalCan.d.ts","sourceRoot":"","sources":["../../../src/principalCan/principalCan.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAA;AAUvD;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC;;OAEG;IACH,SAAS,EAAE,MAAM,CAAA;IAEjB;;OAEG;IACH,iBAAiB,EAAE,OAAO,CAAA;CAC3B;AAED;;;;;;GAMG;AACH,wBAAsB,YAAY,CAAC,aAAa,EAAE,gBAAgB,EAAE,KAAK,EAAE,iBAAiB;;;GAwF3F"}

package/dist/esm/{canWhat/canWhat.js → principalCan/principalCan.js} RENAMED Viewed

@@ -1,7 +1,9 @@
 import { loadPolicy } from '@cloud-copilot/iam-policy';
 import { shrinkJsonDocument } from '@cloud-copilot/iam-shrink';
+import { splitArnParts } from '@cloud-copilot/iam-utils';
 import { getAllPoliciesForPrincipal } from '../principals.js';
-import { addPoliciesToPermissionSet, buildPermissionSetFromPolicies, toPolicyStatements } from './permissionSet.js';
+import { addPoliciesToPermissionSet, buildPermissionSetFromPolicies, PermissionSet, toPolicyStatements } from './permissionSet.js';
+import { s3BucketsSameAccount } from './resources/resourceTypes/s3Buckets.js';
 /**
  * Get what actions a principal can perform based on their policies.
  *
@@ -9,11 +11,13 @@ import { addPoliciesToPermissionSet, buildPermissionSetFromPolicies, toPolicySta
  * @param input the input containing the principal and options.
  * @returns A promise that resolves to the permissions the principal can perform, or void if the implementation is incomplete.
  */
-export async function canWhat(collectClient, input) {
+export async function principalCan(collectClient, input) {
     const { principal } = input;
     if (!principal) {
         throw new Error('Principal must be provided for can-what command');
     }
+    const principalArnParts = splitArnParts(principal);
+    const principalAccountId = principalArnParts.accountId;
     const principalPolicies = await getAllPoliciesForPrincipal(collectClient, principal);
     const identityPolicies = [
         ...principalPolicies.managedPolicies,
@@ -24,6 +28,13 @@ export async function canWhat(collectClient, input) {
     const allowedPermissions = await buildPermissionSetFromPolicies('Allow', identityPolicies);
     const identityDenyPermissions = await buildPermissionSetFromPolicies('Deny', identityPolicies);
     let finalPermissions = allowedPermissions;
+    /*********** Start Buckets *************/
+    const resourceDenyPermissions = new PermissionSet('Deny');
+    const { allows: bucketAllows, denies: bucketDenies } = await s3BucketsSameAccount(collectClient, principal);
+    finalPermissions.addAll(bucketAllows);
+    resourceDenyPermissions.addAll(bucketDenies);
+    /*********** End Buckets *************/
+    // TODO: There is a slight wrinkle where same account resource policies can override implicit denies from Permission Boundaries.
     if (principalPolicies.permissionBoundary) {
         const boundaryPolicy = loadPolicy(principalPolicies.permissionBoundary.policy);
         const boundaryPermissions = await buildPermissionSetFromPolicies('Allow', [boundaryPolicy]);
@@ -48,6 +59,8 @@ export async function canWhat(collectClient, input) {
     for (const rcpAllow of rcpAllowsByLevel) {
         finalPermissions = finalPermissions.intersection(rcpAllow);
     }
+    //Put together all the denies
+    principalAccountDenyPermissions.addAll(resourceDenyPermissions);
     const permissionsAfterDeny = finalPermissions.subtract(principalAccountDenyPermissions);
     finalPermissions = permissionsAfterDeny.allow;
     const deniedPermissions = permissionsAfterDeny.deny;
@@ -62,4 +75,4 @@ export async function canWhat(collectClient, input) {
     }
     return policyDocument;
 }
-//# sourceMappingURL=canWhat.js.map
+//# sourceMappingURL=principalCan.js.map

package/dist/esm/principalCan/principalCan.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"principalCan.js","sourceRoot":"","sources":["../../../src/principalCan/principalCan.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAA;AACtD,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAC9D,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAA;AAExD,OAAO,EAAE,0BAA0B,EAAE,MAAM,kBAAkB,CAAA;AAC7D,OAAO,EACL,0BAA0B,EAC1B,8BAA8B,EAC9B,aAAa,EACb,kBAAkB,EACnB,MAAM,oBAAoB,CAAA;AAC3B,OAAO,EAAE,oBAAoB,EAAE,MAAM,wCAAwC,CAAA;AAiB7E;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,aAA+B,EAAE,KAAwB;IAC1F,MAAM,EAAE,SAAS,EAAE,GAAG,KAAK,CAAA;IAE3B,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAA;IACpE,CAAC;IAED,MAAM,iBAAiB,GAAG,aAAa,CAAC,SAAS,CAAC,CAAA;IAClD,MAAM,kBAAkB,GAAG,iBAAiB,CAAC,SAAU,CAAA;IAEvD,MAAM,iBAAiB,GAAG,MAAM,0BAA0B,CAAC,aAAa,EAAE,SAAS,CAAC,CAAA;IAEpF,MAAM,gBAAgB,GAAG;QACvB,GAAG,iBAAiB,CAAC,eAAe;QACpC,GAAG,iBAAiB,CAAC,cAAc;QACnC,GAAG,CAAC,iBAAiB,CAAC,aAAa,EAAE,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC;QACxF,GAAG,CAAC,iBAAiB,CAAC,aAAa,EAAE,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC;KACxF,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAA;IAE5C,MAAM,kBAAkB,GAAG,MAAM,8BAA8B,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAA;IAC1F,MAAM,uBAAuB,GAAG,MAAM,8BAA8B,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAA;IAE9F,IAAI,gBAAgB,GAAG,kBAAkB,CAAA;IAEzC,yCAAyC;IACzC,MAAM,uBAAuB,GAAG,IAAI,aAAa,CAAC,MAAM,CAAC,CAAA;IAEzD,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,oBAAoB,CAC/E,aAAa,EACb,SAAS,CACV,CAAA;IAED,gBAAgB,CAAC,MAAM,CAAC,YAAY,CAAC,CAAA;IACrC,uBAAuB,CAAC,MAAM,CAAC,YAAY,CAAC,CAAA;IAE5C,uCAAuC;IAEvC,gIAAgI;IAChI,IAAI,iBAAiB,CAAC,kBAAkB,EAAE,CAAC;QACzC,MAAM,cAAc,GAAG,UAAU,CAAC,iBAAiB,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAA;QAC9E,MAAM,mBAAmB,GAAG,MAAM,8BAA8B,CAAC,OAAO,EAAE,CAAC,cAAc,CAAC,CAAC,CAAA;QAC3F,gBAAgB,GAAG,kBAAkB,CAAC,YAAY,CAAC,mBAAmB,CAAC,CAAA;IACzE,CAAC;IAED,MAAM,gBAAgB,GAAoB,EAAE,CAAA;IAC5C,MAAM,gBAAgB,GAAoB,EAAE,CAAA;IAE5C,KAAK,MAAM,KAAK,IAAI,iBAAiB,CAAC,IAAI,EAAE,CAAC;QAC3C,MAAM,WAAW,GAAG,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAA;QACvE,gBAAgB,CAAC,IAAI,CAAC,MAAM,8BAA8B,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,CAAA;QACjF,MAAM,0BAA0B,CAAC,uBAAuB,EAAE,MAAM,EAAE,WAAW,CAAC,CAAA;IAChF,CAAC;IAED,MAAM,+BAA+B,GAAG,uBAAuB,CAAC,KAAK,EAAE,CAAA;IACvE,KAAK,MAAM,KAAK,IAAI,iBAAiB,CAAC,IAAI,EAAE,CAAC;QAC3C,MAAM,WAAW,GAAG,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAA;QACvE,gBAAgB,CAAC,IAAI,CAAC,MAAM,8BAA8B,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,CAAA;QACjF,MAAM,0BAA0B,CAAC,+BAA+B,EAAE,MAAM,EAAE,WAAW,CAAC,CAAA;IACxF,CAAC;IAED,KAAK,MAAM,QAAQ,IAAI,gBAAgB,EAAE,CAAC;QACxC,gBAAgB,GAAG,gBAAgB,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAA;IAC5D,CAAC;IAED,KAAK,MAAM,QAAQ,IAAI,gBAAgB,EAAE,CAAC;QACxC,gBAAgB,GAAG,gBAAgB,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAA;IAC5D,CAAC;IAED,6BAA6B;IAC7B,+BAA+B,CAAC,MAAM,CAAC,uBAAuB,CAAC,CAAA;IAE/D,MAAM,oBAAoB,GAAG,gBAAgB,CAAC,QAAQ,CAAC,+BAA+B,CAAC,CAAA;IACvF,gBAAgB,GAAG,oBAAoB,CAAC,KAAK,CAAA;IAC7C,MAAM,iBAAiB,GAAG,oBAAoB,CAAC,IAAI,CAAA;IAEnD,MAAM,eAAe,GAAG,kBAAkB,CAAC,gBAAgB,CAAC,CAAA;IAC5D,MAAM,cAAc,GAAG,kBAAkB,CAAC,iBAAiB,CAAC,CAAA;IAE5D,MAAM,cAAc,GAAG;QACrB,OAAO,EAAE,YAAY;QACrB,SAAS,EAAE,CAAC,GAAG,eAAe,EAAE,GAAG,cAAc,CAAC;KACnD,CAAA;IAED,IAAI,KAAK,CAAC,iBAAiB,EAAE,CAAC;QAC5B,MAAM,kBAAkB,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,EAAE,cAAc,CAAC,CAAA;IAC7D,CAAC;IAED,OAAO,cAAc,CAAA;AACvB,CAAC"}

package/dist/esm/principalCan/resources/actions.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+/**
+ * Get the actions for a resource type in a service.
+ *
+ * @param service the service to get actions for
+ * @param resourceType the resource type to get the actions for
+ * @returns the actions that can be performed on the resource type
+ */
+export declare function actionsForResourceType(service: string, resourceType: string): Promise<string[]>;
+//# sourceMappingURL=actions.d.ts.map

package/dist/esm/principalCan/resources/actions.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"actions.d.ts","sourceRoot":"","sources":["../../../../src/principalCan/resources/actions.ts"],"names":[],"mappings":"AAMA;;;;;;GAMG;AACH,wBAAsB,sBAAsB,CAAC,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,qBAgBjF"}

package/dist/esm/principalCan/resources/actions.js ADDED Viewed

@@ -0,0 +1,24 @@
+import { iamActionDetails, iamActionsForService, iamResourceTypeExists } from '@cloud-copilot/iam-data';
+/**
+ * Get the actions for a resource type in a service.
+ *
+ * @param service the service to get actions for
+ * @param resourceType the resource type to get the actions for
+ * @returns the actions that can be performed on the resource type
+ */
+export async function actionsForResourceType(service, resourceType) {
+    const resourceTypeExists = await iamResourceTypeExists(service, resourceType);
+    if (!resourceTypeExists) {
+        throw new Error(`Resource type ${resourceType} does not exist in service ${service}`);
+    }
+    const actions = await iamActionsForService(service);
+    const matchingAction = [];
+    for (const action of actions) {
+        const actionDetails = await iamActionDetails(service, action);
+        if (actionDetails?.resourceTypes?.some((rt) => rt.name === resourceType)) {
+            matchingAction.push(action);
+        }
+    }
+    return matchingAction;
+}
+//# sourceMappingURL=actions.js.map

package/dist/esm/principalCan/resources/actions.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"actions.js","sourceRoot":"","sources":["../../../../src/principalCan/resources/actions.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAChB,oBAAoB,EACpB,qBAAqB,EACtB,MAAM,yBAAyB,CAAA;AAEhC;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,OAAe,EAAE,YAAoB;IAChF,MAAM,kBAAkB,GAAG,MAAM,qBAAqB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAA;IAC7E,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,iBAAiB,YAAY,8BAA8B,OAAO,EAAE,CAAC,CAAA;IACvF,CAAC;IACD,MAAM,OAAO,GAAG,MAAM,oBAAoB,CAAC,OAAO,CAAC,CAAA;IAEnD,MAAM,cAAc,GAAa,EAAE,CAAA;IACnC,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,MAAM,aAAa,GAAG,MAAM,gBAAgB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;QAC7D,IAAI,aAAa,EAAE,aAAa,EAAE,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,KAAK,YAAY,CAAC,EAAE,CAAC;YACzE,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;QAC7B,CAAC;IACH,CAAC;IAED,OAAO,cAAc,CAAA;AACvB,CAAC"}

package/dist/esm/principalCan/resources/resourceTypes/s3Buckets.d.ts ADDED Viewed

@@ -0,0 +1,14 @@
+import { IamCollectClient } from '../../../collect/client.js';
+import { PermissionSet } from '../../permissionSet.js';
+/**
+ * Get the permission sets for S3 buckets in the same account as the principal.
+ *
+ * @param collectClient the IAM collect client to use for retrieving policies and resources
+ * @param principal the ARN of the principal to check
+ * @returns the Allow and Deny permission sets for S3 buckets in the same account as the principal
+ */
+export declare function s3BucketsSameAccount(collectClient: IamCollectClient, principal: string): Promise<{
+    allows: PermissionSet[];
+    denies: PermissionSet[];
+}>;
+//# sourceMappingURL=s3Buckets.d.ts.map

package/dist/esm/principalCan/resources/resourceTypes/s3Buckets.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"s3Buckets.d.ts","sourceRoot":"","sources":["../../../../../src/principalCan/resources/resourceTypes/s3Buckets.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAA;AAE7D,OAAO,EAA+B,aAAa,EAAE,MAAM,wBAAwB,CAAA;AAInF;;;;;;GAMG;AACH,wBAAsB,oBAAoB,CACxC,aAAa,EAAE,gBAAgB,EAC/B,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC;IAAE,MAAM,EAAE,aAAa,EAAE,CAAC;IAAC,MAAM,EAAE,aAAa,EAAE,CAAA;CAAE,CAAC,CA+D/D"}

package/dist/esm/principalCan/resources/resourceTypes/s3Buckets.js ADDED Viewed

@@ -0,0 +1,61 @@
+import { loadPolicy } from '@cloud-copilot/iam-policy';
+import { splitArnParts } from '@cloud-copilot/iam-utils';
+import { Permission } from '../../permission.js';
+import { addStatementToPermissionSet, PermissionSet } from '../../permissionSet.js';
+import { actionsForResourceType } from '../actions.js';
+import { statementAppliesToPrincipal } from '../statements.js';
+/**
+ * Get the permission sets for S3 buckets in the same account as the principal.
+ *
+ * @param collectClient the IAM collect client to use for retrieving policies and resources
+ * @param principal the ARN of the principal to check
+ * @returns the Allow and Deny permission sets for S3 buckets in the same account as the principal
+ */
+export async function s3BucketsSameAccount(collectClient, principal) {
+    const principalArnParts = splitArnParts(principal);
+    const principalAccountId = principalArnParts.accountId;
+    const allBuckets = await collectClient.listResources(principalAccountId, 's3', 'bucket', undefined);
+    const bucketActions = await actionsForResourceType('s3', 'bucket');
+    const objectActions = await actionsForResourceType('s3', 'object');
+    const s3Actions = [...bucketActions, ...objectActions];
+    const bucketAllowPermissionSets = [];
+    const bucketDenyPermissionSets = [];
+    for (const bucket of allBuckets) {
+        const bucketPolicy = await collectClient.getResourcePolicyForArn(bucket, principalAccountId);
+        if (bucketPolicy) {
+            const loadedPolicy = loadPolicy(bucketPolicy);
+            if (loadedPolicy) {
+                const bucketArns = [bucket, `${bucket}/*`];
+                const bucketAllowPerimeter = new PermissionSet('Allow');
+                const bucketDenyPerimeter = new PermissionSet('Deny');
+                for (const action of s3Actions) {
+                    bucketAllowPerimeter.addPermission(new Permission('Allow', 's3', action, bucketArns, undefined, undefined));
+                    bucketDenyPerimeter.addPermission(new Permission('Deny', 's3', action, bucketArns, undefined, undefined));
+                }
+                const allowPermissionSet = new PermissionSet('Allow');
+                const denyPermissionSet = new PermissionSet('Deny');
+                for (const statement of loadedPolicy.statements()) {
+                    const applies = await statementAppliesToPrincipal(statement, principal, collectClient);
+                    if (applies === 'PrincipalMatch') {
+                        if (statement.isAllow()) {
+                            await addStatementToPermissionSet(statement, allowPermissionSet);
+                        }
+                        else {
+                            await addStatementToPermissionSet(statement, denyPermissionSet);
+                        }
+                    }
+                }
+                const effectiveAllows = allowPermissionSet.intersection(bucketAllowPerimeter);
+                const effectiveDenies = denyPermissionSet.intersection(bucketDenyPerimeter);
+                if (!effectiveAllows.isEmpty()) {
+                    bucketAllowPermissionSets.push(effectiveAllows);
+                }
+                if (!effectiveDenies.isEmpty()) {
+                    bucketDenyPermissionSets.push(effectiveDenies);
+                }
+            }
+        }
+    }
+    return { allows: bucketAllowPermissionSets, denies: bucketDenyPermissionSets };
+}
+//# sourceMappingURL=s3Buckets.js.map

package/dist/esm/principalCan/resources/resourceTypes/s3Buckets.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"s3Buckets.js","sourceRoot":"","sources":["../../../../../src/principalCan/resources/resourceTypes/s3Buckets.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAA;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAA;AAExD,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAA;AAChD,OAAO,EAAE,2BAA2B,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAA;AACnF,OAAO,EAAE,sBAAsB,EAAE,MAAM,eAAe,CAAA;AACtD,OAAO,EAAE,2BAA2B,EAAE,MAAM,kBAAkB,CAAA;AAE9D;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,aAA+B,EAC/B,SAAiB;IAEjB,MAAM,iBAAiB,GAAG,aAAa,CAAC,SAAS,CAAC,CAAA;IAClD,MAAM,kBAAkB,GAAG,iBAAiB,CAAC,SAAU,CAAA;IAEvD,MAAM,UAAU,GAAG,MAAM,aAAa,CAAC,aAAa,CAClD,kBAAkB,EAClB,IAAI,EACJ,QAAQ,EACR,SAAS,CACV,CAAA;IAED,MAAM,aAAa,GAAG,MAAM,sBAAsB,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAA;IAClE,MAAM,aAAa,GAAG,MAAM,sBAAsB,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAA;IAElE,MAAM,SAAS,GAAG,CAAC,GAAG,aAAa,EAAE,GAAG,aAAa,CAAC,CAAA;IAEtD,MAAM,yBAAyB,GAAoB,EAAE,CAAA;IACrD,MAAM,wBAAwB,GAAoB,EAAE,CAAA;IAEpD,KAAK,MAAM,MAAM,IAAI,UAAU,EAAE,CAAC;QAChC,MAAM,YAAY,GAAG,MAAM,aAAa,CAAC,uBAAuB,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAA;QAC5F,IAAI,YAAY,EAAE,CAAC;YACjB,MAAM,YAAY,GAAG,UAAU,CAAC,YAAY,CAAC,CAAA;YAC7C,IAAI,YAAY,EAAE,CAAC;gBACjB,MAAM,UAAU,GAAG,CAAC,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,CAAA;gBAC1C,MAAM,oBAAoB,GAAG,IAAI,aAAa,CAAC,OAAO,CAAC,CAAA;gBACvD,MAAM,mBAAmB,GAAG,IAAI,aAAa,CAAC,MAAM,CAAC,CAAA;gBACrD,KAAK,MAAM,MAAM,IAAI,SAAS,EAAE,CAAC;oBAC/B,oBAAoB,CAAC,aAAa,CAChC,IAAI,UAAU,CAAC,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,CAAC,CACxE,CAAA;oBACD,mBAAmB,CAAC,aAAa,CAC/B,IAAI,UAAU,CAAC,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,CAAC,CACvE,CAAA;gBACH,CAAC;gBAED,MAAM,kBAAkB,GAAG,IAAI,aAAa,CAAC,OAAO,CAAC,CAAA;gBACrD,MAAM,iBAAiB,GAAG,IAAI,aAAa,CAAC,MAAM,CAAC,CAAA;gBAEnD,KAAK,MAAM,SAAS,IAAI,YAAY,CAAC,UAAU,EAAE,EAAE,CAAC;oBAClD,MAAM,OAAO,GAAG,MAAM,2BAA2B,CAAC,SAAS,EAAE,SAAS,EAAE,aAAa,CAAC,CAAA;oBACtF,IAAI,OAAO,KAAK,gBAAgB,EAAE,CAAC;wBACjC,IAAI,SAAS,CAAC,OAAO,EAAE,EAAE,CAAC;4BACxB,MAAM,2BAA2B,CAAC,SAAS,EAAE,kBAAkB,CAAC,CAAA;wBAClE,CAAC;6BAAM,CAAC;4BACN,MAAM,2BAA2B,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAA;wBACjE,CAAC;oBACH,CAAC;gBACH,CAAC;gBAED,MAAM,eAAe,GAAG,kBAAkB,CAAC,YAAY,CAAC,oBAAoB,CAAC,CAAA;gBAC7E,MAAM,eAAe,GAAG,iBAAiB,CAAC,YAAY,CAAC,mBAAmB,CAAC,CAAA;gBAC3E,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,EAAE,CAAC;oBAC/B,yBAAyB,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;gBACjD,CAAC;gBACD,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,EAAE,CAAC;oBAC/B,wBAAwB,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;gBAChD,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,yBAAyB,EAAE,MAAM,EAAE,wBAAwB,EAAE,CAAA;AAChF,CAAC"}

package/dist/esm/principalCan/resources/statements.d.ts ADDED Viewed

@@ -0,0 +1,27 @@
+import { Policy, Statement } from '@cloud-copilot/iam-policy';
+import { IamCollectClient } from '../../collect/client.js';
+export type StatementPrincipalMatchType = 'PrincipalMatch' | 'AccountMatch' | 'NoMatch';
+/**
+ * Checks to see if a statement applies to a principal by running a simulation.
+ *
+ * If the principal is a match return 'PrincipalMatch'
+ * If the account is a match return 'AccountMatch'
+ * Otherwise return 'NoMatch'
+ *
+ * @param statement the statement to check
+ * @param principalArn the arn of the principal to check
+ * @param client the IAM collect client to use for retrieving principal information
+ * @returns Whether the statement applies to the principal
+ */
+export declare function statementAppliesToPrincipal(statement: Statement, principalArn: string, client: IamCollectClient): Promise<StatementPrincipalMatchType>;
+/**
+ * Makes a policy that captures the principal and principal conditions from a statement
+ * and allows all actions on all resources.
+ *
+ * The conditions returned are only those that relate to the principal.
+ *
+ * @param statement the statement to extract the principal from
+ * @returns
+ */
+export declare function makePrincipalOnlyPolicyFromStatement(statement: Statement): Policy;
+//# sourceMappingURL=statements.d.ts.map

package/dist/esm/principalCan/resources/statements.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"statements.d.ts","sourceRoot":"","sources":["../../../../src/principalCan/resources/statements.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,MAAM,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAA;AAGzE,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAA;AAI1D,MAAM,MAAM,2BAA2B,GAAG,gBAAgB,GAAG,cAAc,GAAG,SAAS,CAAA;AAEvF;;;;;;;;;;;GAWG;AACH,wBAAsB,2BAA2B,CAC/C,SAAS,EAAE,SAAS,EACpB,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,gBAAgB,GACvB,OAAO,CAAC,2BAA2B,CAAC,CA2CtC;AAeD;;;;;;;;GAQG;AACH,wBAAgB,oCAAoC,CAAC,SAAS,EAAE,SAAS,GAAG,MAAM,CAiCjF"}

package/dist/esm/principalCan/resources/statements.js ADDED Viewed

@@ -0,0 +1,109 @@
+import { loadPolicy } from '@cloud-copilot/iam-policy';
+import { runSimulation } from '@cloud-copilot/iam-simulate';
+import { splitArnParts } from '@cloud-copilot/iam-utils';
+import { createContextKeys } from '../../simulate/contextKeys.js';
+/**
+ * Checks to see if a statement applies to a principal by running a simulation.
+ *
+ * If the principal is a match return 'PrincipalMatch'
+ * If the account is a match return 'AccountMatch'
+ * Otherwise return 'NoMatch'
+ *
+ * @param statement the statement to check
+ * @param principalArn the arn of the principal to check
+ * @param client the IAM collect client to use for retrieving principal information
+ * @returns Whether the statement applies to the principal
+ */
+export async function statementAppliesToPrincipal(statement, principalArn, client) {
+    const principalAccount = splitArnParts(principalArn).accountId;
+    const resourcePolicy = makePrincipalOnlyPolicyFromStatement(statement);
+    const simulationRequest = {
+        principal: principalArn,
+        action: 's3:ListBucket',
+        resourceAccount: principalAccount,
+        resourceArn: undefined,
+        customContextKeys: {},
+        simulationMode: 'Strict'
+    };
+    const contextKeys = await createContextKeys(client, simulationRequest, 's3', {});
+    const request = {
+        action: 's3:ListBucket',
+        resource: {
+            resource: 'arn:aws:s3:::example-bucket',
+            accountId: principalAccount
+        },
+        principal: principalArn,
+        contextVariables: contextKeys
+    };
+    const simulation = {
+        request,
+        identityPolicies: [],
+        resourcePolicy: resourcePolicy.toJSON(),
+        serviceControlPolicies: [],
+        resourceControlPolicies: []
+    };
+    const result = await runSimulation(simulation, {
+        simulationMode: simulationRequest.simulationMode
+    });
+    if (result.analysis?.result === 'Allowed') {
+        return 'PrincipalMatch';
+    }
+    if (result.analysis?.resourceAnalysis?.result === 'AllowedForAccount') {
+        return 'AccountMatch';
+    }
+    return 'NoMatch';
+}
+const principalKeys = new Set([
+    'aws:PrincipalArn',
+    'aws:PrincipalAccount',
+    'aws:PrincipalOrgId',
+    'aws:PrincipalOrgPaths',
+    'aws:PrincipalType',
+    'aws:userid',
+    'aws:username',
+    'aws:PrincipalIsAWSService'
+].map((k) => k.toLowerCase()));
+/**
+ * Makes a policy that captures the principal and principal conditions from a statement
+ * and allows all actions on all resources.
+ *
+ * The conditions returned are only those that relate to the principal.
+ *
+ * @param statement the statement to extract the principal from
+ * @returns
+ */
+export function makePrincipalOnlyPolicyFromStatement(statement) {
+    const rawStatement = structuredClone(statement.toJSON());
+    const rawStatementValues = {};
+    if (statement.isPrincipalStatement()) {
+        rawStatementValues.Principal = rawStatement.Principal;
+    }
+    else if (statement.isNotPrincipalStatement()) {
+        rawStatementValues.NotPrincipal = rawStatement.NotPrincipal;
+    }
+    if (rawStatement.Condition) {
+        for (const operator of Object.keys(rawStatement.Condition)) {
+            for (const key of Object.keys(rawStatement.Condition[operator])) {
+                if (!principalKeys.has(key.toLowerCase())) {
+                    delete rawStatement.Condition[operator][key];
+                }
+            }
+            if (Object.keys(rawStatement.Condition[operator]).length === 0) {
+                delete rawStatement.Condition[operator];
+            }
+        }
+        if (Object.keys(rawStatement.Condition).length > 0) {
+            rawStatementValues.Condition = rawStatement.Condition;
+        }
+    }
+    return loadPolicy({
+        Version: '2012-10-17',
+        Statement: {
+            Effect: 'Allow',
+            Resource: '*',
+            Action: '*',
+            ...rawStatementValues
+        }
+    });
+}
+//# sourceMappingURL=statements.js.map

package/dist/esm/principalCan/resources/statements.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"statements.js","sourceRoot":"","sources":["../../../../src/principalCan/resources/statements.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAqB,MAAM,2BAA2B,CAAA;AACzE,OAAO,EAAE,aAAa,EAAc,MAAM,6BAA6B,CAAA;AACvE,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAA;AAExD,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAA;AAKjE;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAC/C,SAAoB,EACpB,YAAoB,EACpB,MAAwB;IAExB,MAAM,gBAAgB,GAAG,aAAa,CAAC,YAAY,CAAC,CAAC,SAAU,CAAA;IAC/D,MAAM,cAAc,GAAG,oCAAoC,CAAC,SAAS,CAAC,CAAA;IACtE,MAAM,iBAAiB,GAAsB;QAC3C,SAAS,EAAE,YAAY;QACvB,MAAM,EAAE,eAAe;QACvB,eAAe,EAAE,gBAAgB;QACjC,WAAW,EAAE,SAAS;QACtB,iBAAiB,EAAE,EAAE;QACrB,cAAc,EAAE,QAAQ;KACzB,CAAA;IAED,MAAM,WAAW,GAAG,MAAM,iBAAiB,CAAC,MAAM,EAAE,iBAAiB,EAAE,IAAI,EAAE,EAAE,CAAC,CAAA;IAEhF,MAAM,OAAO,GAA0B;QACrC,MAAM,EAAE,eAAe;QACvB,QAAQ,EAAE;YACR,QAAQ,EAAE,6BAA6B;YACvC,SAAS,EAAE,gBAAgB;SAC5B;QACD,SAAS,EAAE,YAAY;QACvB,gBAAgB,EAAE,WAAW;KAC9B,CAAA;IAED,MAAM,UAAU,GAAe;QAC7B,OAAO;QACP,gBAAgB,EAAE,EAAE;QACpB,cAAc,EAAE,cAAc,CAAC,MAAM,EAAE;QACvC,sBAAsB,EAAE,EAAE;QAC1B,uBAAuB,EAAE,EAAE;KAC5B,CAAA;IAED,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,UAAU,EAAE;QAC7C,cAAc,EAAE,iBAAiB,CAAC,cAAc;KACjD,CAAC,CAAA;IAEF,IAAI,MAAM,CAAC,QAAQ,EAAE,MAAM,KAAK,SAAS,EAAE,CAAC;QAC1C,OAAO,gBAAgB,CAAA;IACzB,CAAC;IACD,IAAI,MAAM,CAAC,QAAQ,EAAE,gBAAgB,EAAE,MAAM,KAAK,mBAAmB,EAAE,CAAC;QACtE,OAAO,cAAc,CAAA;IACvB,CAAC;IACD,OAAO,SAAS,CAAA;AAClB,CAAC;AAED,MAAM,aAAa,GAAG,IAAI,GAAG,CAC3B;IACE,kBAAkB;IAClB,sBAAsB;IACtB,oBAAoB;IACpB,uBAAuB;IACvB,mBAAmB;IACnB,YAAY;IACZ,cAAc;IACd,2BAA2B;CAC5B,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAC9B,CAAA;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,oCAAoC,CAAC,SAAoB;IACvE,MAAM,YAAY,GAAG,eAAe,CAAC,SAAS,CAAC,MAAM,EAAE,CAAC,CAAA;IACxD,MAAM,kBAAkB,GAAQ,EAAE,CAAA;IAClC,IAAI,SAAS,CAAC,oBAAoB,EAAE,EAAE,CAAC;QACrC,kBAAkB,CAAC,SAAS,GAAG,YAAY,CAAC,SAAS,CAAA;IACvD,CAAC;SAAM,IAAI,SAAS,CAAC,uBAAuB,EAAE,EAAE,CAAC;QAC/C,kBAAkB,CAAC,YAAY,GAAG,YAAY,CAAC,YAAY,CAAA;IAC7D,CAAC;IACD,IAAI,YAAY,CAAC,SAAS,EAAE,CAAC;QAC3B,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,EAAE,CAAC;YAC3D,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;gBAChE,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;oBAC1C,OAAO,YAAY,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,CAAA;gBAC9C,CAAC;YACH,CAAC;YACD,IAAI,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC/D,OAAO,YAAY,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAA;YACzC,CAAC;QACH,CAAC;QACD,IAAI,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACnD,kBAAkB,CAAC,SAAS,GAAG,YAAY,CAAC,SAAS,CAAA;QACvD,CAAC;IACH,CAAC;IAED,OAAO,UAAU,CAAC;QAChB,OAAO,EAAE,YAAY;QACrB,SAAS,EAAE;YACT,MAAM,EAAE,OAAO;YACf,QAAQ,EAAE,GAAG;YACb,MAAM,EAAE,GAAG;YACX,GAAG,kBAAkB;SACtB;KACF,CAAC,CAAA;AACJ,CAAC"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@cloud-copilot/iam-lens",
-  "version": "0.1.44",
+  "version": "0.1.45",
   "description": "Visibility in IAM in and across AWS accounts",
   "keywords": [
     "aws",

package/dist/cjs/canWhat/canWhat.d.ts.map DELETED Viewed

	@@ -1 +0,0 @@
1	- {"version":3,"file":"canWhat.d.ts","sourceRoot":"","sources":["../../../src/canWhat/canWhat.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAA;AASvD;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B;;OAEG;IACH,SAAS,EAAE,MAAM,CAAA;IAEjB;;OAEG;IACH,iBAAiB,EAAE,OAAO,CAAA;CAC3B;AAED;;;;;;GAMG;AACH,wBAAsB,OAAO,CAAC,aAAa,EAAE,gBAAgB,EAAE,KAAK,EAAE,YAAY;;;GAoEjF"}

package/dist/cjs/canWhat/canWhat.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"canWhat.js","sourceRoot":"","sources":["../../../src/canWhat/canWhat.ts"],"names":[],"mappings":";;AAiCA,0BAoEC;AArGD,0DAAsD;AACtD,0DAA8D;AAE9D,oDAA6D;AAC7D,yDAK2B;AAiB3B;;;;;;GAMG;AACI,KAAK,UAAU,OAAO,CAAC,aAA+B,EAAE,KAAmB;IAChF,MAAM,EAAE,SAAS,EAAE,GAAG,KAAK,CAAA;IAE3B,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAA;IACpE,CAAC;IAED,MAAM,iBAAiB,GAAG,MAAM,IAAA,0CAA0B,EAAC,aAAa,EAAE,SAAS,CAAC,CAAA;IAEpF,MAAM,gBAAgB,GAAG;QACvB,GAAG,iBAAiB,CAAC,eAAe;QACpC,GAAG,iBAAiB,CAAC,cAAc;QACnC,GAAG,CAAC,iBAAiB,CAAC,aAAa,EAAE,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC;QACxF,GAAG,CAAC,iBAAiB,CAAC,aAAa,EAAE,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC;KACxF,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,IAAA,uBAAU,EAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAA;IAE5C,MAAM,kBAAkB,GAAG,MAAM,IAAA,iDAA8B,EAAC,OAAO,EAAE,gBAAgB,CAAC,CAAA;IAC1F,MAAM,uBAAuB,GAAG,MAAM,IAAA,iDAA8B,EAAC,MAAM,EAAE,gBAAgB,CAAC,CAAA;IAE9F,IAAI,gBAAgB,GAAG,kBAAkB,CAAA;IAEzC,IAAI,iBAAiB,CAAC,kBAAkB,EAAE,CAAC;QACzC,MAAM,cAAc,GAAG,IAAA,uBAAU,EAAC,iBAAiB,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAA;QAC9E,MAAM,mBAAmB,GAAG,MAAM,IAAA,iDAA8B,EAAC,OAAO,EAAE,CAAC,cAAc,CAAC,CAAC,CAAA;QAC3F,gBAAgB,GAAG,kBAAkB,CAAC,YAAY,CAAC,mBAAmB,CAAC,CAAA;IACzE,CAAC;IAED,MAAM,gBAAgB,GAAoB,EAAE,CAAA;IAC5C,MAAM,gBAAgB,GAAoB,EAAE,CAAA;IAE5C,KAAK,MAAM,KAAK,IAAI,iBAAiB,CAAC,IAAI,EAAE,CAAC;QAC3C,MAAM,WAAW,GAAG,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAA,uBAAU,EAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAA;QACvE,gBAAgB,CAAC,IAAI,CAAC,MAAM,IAAA,iDAA8B,EAAC,OAAO,EAAE,WAAW,CAAC,CAAC,CAAA;QACjF,MAAM,IAAA,6CAA0B,EAAC,uBAAuB,EAAE,MAAM,EAAE,WAAW,CAAC,CAAA;IAChF,CAAC;IAED,MAAM,+BAA+B,GAAG,uBAAuB,CAAC,KAAK,EAAE,CAAA;IACvE,KAAK,MAAM,KAAK,IAAI,iBAAiB,CAAC,IAAI,EAAE,CAAC;QAC3C,MAAM,WAAW,GAAG,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAA,uBAAU,EAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAA;QACvE,gBAAgB,CAAC,IAAI,CAAC,MAAM,IAAA,iDAA8B,EAAC,OAAO,EAAE,WAAW,CAAC,CAAC,CAAA;QACjF,MAAM,IAAA,6CAA0B,EAAC,+BAA+B,EAAE,MAAM,EAAE,WAAW,CAAC,CAAA;IACxF,CAAC;IAED,KAAK,MAAM,QAAQ,IAAI,gBAAgB,EAAE,CAAC;QACxC,gBAAgB,GAAG,gBAAgB,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAA;IAC5D,CAAC;IAED,KAAK,MAAM,QAAQ,IAAI,gBAAgB,EAAE,CAAC;QACxC,gBAAgB,GAAG,gBAAgB,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAA;IAC5D,CAAC;IAED,MAAM,oBAAoB,GAAG,gBAAgB,CAAC,QAAQ,CAAC,+BAA+B,CAAC,CAAA;IACvF,gBAAgB,GAAG,oBAAoB,CAAC,KAAK,CAAA;IAC7C,MAAM,iBAAiB,GAAG,oBAAoB,CAAC,IAAI,CAAA;IAEnD,MAAM,eAAe,GAAG,IAAA,qCAAkB,EAAC,gBAAgB,CAAC,CAAA;IAC5D,MAAM,cAAc,GAAG,IAAA,qCAAkB,EAAC,iBAAiB,CAAC,CAAA;IAE5D,MAAM,cAAc,GAAG;QACrB,OAAO,EAAE,YAAY;QACrB,SAAS,EAAE,CAAC,GAAG,eAAe,EAAE,GAAG,cAAc,CAAC;KACnD,CAAA;IAED,IAAI,KAAK,CAAC,iBAAiB,EAAE,CAAC;QAC5B,MAAM,IAAA,+BAAkB,EAAC,EAAE,UAAU,EAAE,CAAC,EAAE,EAAE,cAAc,CAAC,CAAA;IAC7D,CAAC;IAED,OAAO,cAAc,CAAA;AACvB,CAAC"}

package/dist/cjs/canWhat/permission.d.ts.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"permission.d.ts","sourceRoot":"","sources":["../../../src/canWhat/permission.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,gBAAgB,GAAG,OAAO,GAAG,MAAM,CAAA;AAE/C,MAAM,MAAM,oBAAoB,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,CAAA;AAU3E;;;;;;GAMG;AACH,qBAAa,UAAU;aAEH,MAAM,EAAE,gBAAgB;aACxB,OAAO,EAAE,MAAM;aACf,MAAM,EAAE,MAAM;aACd,QAAQ,EAAE,MAAM,EAAE,GAAG,SAAS;aAC9B,WAAW,EAAE,MAAM,EAAE,GAAG,SAAS;aACjC,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,GAAG,SAAS;gBALhE,MAAM,EAAE,gBAAgB,EACxB,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAAE,GAAG,SAAS,EAC9B,WAAW,EAAE,MAAM,EAAE,GAAG,SAAS,EACjC,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,GAAG,SAAS;IASlF;;;OAGG;IACI,QAAQ,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO;IAyH3C;;;;;OAKG;IACI,KAAK,CAAC,KAAK,EAAE,UAAU,GAAG,UAAU,EAAE;IAiE7C;;;;OAIG;IACI,YAAY,CAAC,KAAK,EAAE,UAAU,GAAG,UAAU,GAAG,SAAS;IAkL9D;;;OAGG;IACI,QAAQ,CAAC,KAAK,EAAE,UAAU,GAAG,UAAU,EAAE;CA6HjD;AAmKD;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,oBAAoB,GAAG,oBAAoB,CAWxF;AA+BD;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAC9B,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,GAC9C,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,CAqB1C"}