@cloud-copilot/iam-lens 0.1.74 → 0.1.76

Files changed (39) hide show
  1. package/dist/cjs/principalCan/permission.d.ts +50 -6
  2. package/dist/cjs/principalCan/permission.d.ts.map +1 -1
  3. package/dist/cjs/principalCan/permission.js +449 -353
  4. package/dist/cjs/principalCan/permission.js.map +1 -1
  5. package/dist/cjs/principalCan/permissionSet.d.ts.map +1 -1
  6. package/dist/cjs/principalCan/permissionSet.js +29 -11
  7. package/dist/cjs/principalCan/permissionSet.js.map +1 -1
  8. package/dist/cjs/principalCan/principalCan.d.ts.map +1 -1
  9. package/dist/cjs/principalCan/principalCan.js +87 -8
  10. package/dist/cjs/principalCan/principalCan.js.map +1 -1
  11. package/dist/cjs/principalCan/resources/resourceTypes/s3Buckets.d.ts +4 -0
  12. package/dist/cjs/principalCan/resources/resourceTypes/s3Buckets.d.ts.map +1 -1
  13. package/dist/cjs/principalCan/resources/resourceTypes/s3Buckets.js +59 -0
  14. package/dist/cjs/principalCan/resources/resourceTypes/s3Buckets.js.map +1 -1
  15. package/dist/cjs/principalCan/resources/statements.d.ts.map +1 -1
  16. package/dist/cjs/principalCan/resources/statements.js +3 -0
  17. package/dist/cjs/principalCan/resources/statements.js.map +1 -1
  18. package/dist/cjs/utils/stringOrFileArgument.d.ts +4 -4
  19. package/dist/cjs/utils/stringOrFileArgument.d.ts.map +1 -1
  20. package/dist/esm/principalCan/permission.d.ts +50 -6
  21. package/dist/esm/principalCan/permission.d.ts.map +1 -1
  22. package/dist/esm/principalCan/permission.js +446 -353
  23. package/dist/esm/principalCan/permission.js.map +1 -1
  24. package/dist/esm/principalCan/permissionSet.d.ts.map +1 -1
  25. package/dist/esm/principalCan/permissionSet.js +29 -11
  26. package/dist/esm/principalCan/permissionSet.js.map +1 -1
  27. package/dist/esm/principalCan/principalCan.d.ts.map +1 -1
  28. package/dist/esm/principalCan/principalCan.js +89 -10
  29. package/dist/esm/principalCan/principalCan.js.map +1 -1
  30. package/dist/esm/principalCan/resources/resourceTypes/s3Buckets.d.ts +4 -0
  31. package/dist/esm/principalCan/resources/resourceTypes/s3Buckets.d.ts.map +1 -1
  32. package/dist/esm/principalCan/resources/resourceTypes/s3Buckets.js +58 -0
  33. package/dist/esm/principalCan/resources/resourceTypes/s3Buckets.js.map +1 -1
  34. package/dist/esm/principalCan/resources/statements.d.ts.map +1 -1
  35. package/dist/esm/principalCan/resources/statements.js +3 -0
  36. package/dist/esm/principalCan/resources/statements.js.map +1 -1
  37. package/dist/esm/utils/stringOrFileArgument.d.ts +4 -4
  38. package/dist/esm/utils/stringOrFileArgument.d.ts.map +1 -1
  39. package/package.json +1 -1
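--- a/package/dist/cjs/principalCan/permission.d.ts
+++ b/package/dist/cjs/principalCan/permission.d.ts
@@ -38,15 +38,41 @@ export declare class Permission {
  intersection(other: Permission): Permission | undefined;
  /**
  * Subtract a Deny permission from this Allow permission.
- * Returns an array of resulting Allow permissions (may be empty if fully denied).
+ *
+ * Returns the resulting permissions, this can be:
+ * - An empty array if the Allow is fully denied by the Deny
+ * - A modified Allow permission or multiple Allow permissions
+ * - It could also return the original Allow and Deny permission if subtraction cannot be expressed purely in Allow statements
+ *
+ * @param other the Deny permission to subtract
  */
  subtract(other: Permission): Permission[];
- /**
- * Handle subtraction when the Deny permission has multiple conditions.
- * Creates separate Allow permissions for each inverted condition.
- */
- private subtractWithMultipleConditions;
  }
+ /**
+ * Attempt to union two sets of permission conditions.
+ *
+ * If the conditions can be merged into a single block that allows all cases allowed by either,
+ * returns the merged conditions. If they cannot be merged cleanly (e.g., differing operators
+ * or incompatible numeric boundaries), returns null.
+ *
+ * @param a First set of conditions
+ * @param b Second set of conditions
+ * @returns Merged conditions or null if they cannot be merged
+ */
+ export declare function unionConditions(a: Record<string, Record<string, string[]>>, b: Record<string, Record<string, string[]>>): Record<string, Record<string, string[]>> | null;
+ /**
+ * Intersect two sets of permission conditions.
+ *
+ * Attempt to find the intersection of two sets of IAM condition clauses. This will
+ * combine condition operators and context keys, retaining only values that satisfy
+ * both sets of conditions. If the intersection is empty or cannot be expressed
+ * cleanly, returns null.
+ *
+ * @param conditionsA First set of conditions
+ * @param conditionsB Second set of conditions
+ * @returns Intersected conditions or null if intersection is empty or cannot be expressed
+ */
+ export declare function intersectConditions(a: Record<string, Record<string, string[]>>, b: Record<string, Record<string, string[]>>): Record<string, Record<string, string[]>> | null;
  /**
  * Returns a new PermissionConditions object with all operator and context keys lowercased.
  */
@@ -59,4 +85,22 @@ export declare function normalizeConditionKeys(conds: PermissionConditions): Per
  * @return a new set of inverted conditions
  */
  export declare function invertConditions(conds: Record<string, Record<string, string[]>>): Record<string, Record<string, string[]>>;
+ /**
+ * Apply Deny conditions to an Allow permission.
+ *
+ * A Deny permission with conditions (whether multiple operators or multiple keys under one
+ * operator) acts as an AND, meaning the Allow needs to escape ANY one of them (OR when inverted).
+ * Each condition key-value pair is inverted and creates a separate Allow permission.
+ *
+ * It is possible for any given condition to fully deny the Allow, in which case
+ * that condition will produce no resulting Allow permission. The result is an array
+ * of Allow permissions that apply after each Deny condition is applied.
+ *
+ * This may result in multiple Allow permission or an empty array if all are denied.
+ *
+ * @param allow the Allow permission
+ * @param deny the Deny permission
+ * @returns an array of resulting Allow permissions after applying Deny conditions
+ */
+ export declare function applyDenyConditionsToAllow(allow: Permission, deny: Permission): Permission[];
  //# sourceMappingURL=permission.d.ts.map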
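Review bot: The rewritten doc on `subtract` in the first hunk says the result may now include the original Deny next to the Allow, yet the signature is still `Permission[]` and the comment carries no `@returns` line. A caller written against the old contract ("an array of resulting Allow permissions") would count a returned Deny as a grant and over-report what a principal can do. I would add `@returns the remaining permissions; entries are not guaranteed to be Allow, so check each entry's effect before treating it as a grant`. In the same hunk `intersectConditions` returns `null` both when the intersection is empty and when it cannot be expressed, so a caller cannot tell "no access" from "unknown"; the doc should say which reading is the safe one for callers to take. Its `@param conditionsA` / `@param conditionsB` tags also do not match the declared parameter names `a` and `b`.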
@@ -1 +1 @@
1
- {"version":3,"file":"permission.d.ts","sourceRoot":"","sources":["../../../src/principalCan/permission.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,gBAAgB,GAAG,OAAO,GAAG,MAAM,CAAA;AAE/C,MAAM,MAAM,oBAAoB,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,CAAA;AAU3E;;;;;;GAMG;AACH,qBAAa,UAAU;aAEH,MAAM,EAAE,gBAAgB;aACxB,OAAO,EAAE,MAAM;aACf,MAAM,EAAE,MAAM;aACd,QAAQ,EAAE,MAAM,EAAE,GAAG,SAAS;aAC9B,WAAW,EAAE,MAAM,EAAE,GAAG,SAAS;aACjC,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,GAAG,SAAS;gBALhE,MAAM,EAAE,gBAAgB,EACxB,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAAE,GAAG,SAAS,EAC9B,WAAW,EAAE,MAAM,EAAE,GAAG,SAAS,EACjC,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,GAAG,SAAS;IASlF;;;OAGG;IACI,QAAQ,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO;IAyH3C;;;;;OAKG;IACI,KAAK,CAAC,KAAK,EAAE,UAAU,GAAG,UAAU,EAAE;IAiE7C;;;;;;;OAOG;IACI,YAAY,CAAC,KAAK,EAAE,UAAU,GAAG,UAAU,GAAG,SAAS;IAkL9D;;;OAGG;IACI,QAAQ,CAAC,KAAK,EAAE,UAAU,GAAG,UAAU,EAAE;IA+YhD;;;OAGG;IACH,OAAO,CAAC,8BAA8B;CAqFvC;AAmKD;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,oBAAoB,GAAG,oBAAoB,CAWxF;AA+BD;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAC9B,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,GAC9C,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,CAqB1C"}
1
+ {"version":3,"file":"permission.d.ts","sourceRoot":"","sources":["../../../src/principalCan/permission.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,gBAAgB,GAAG,OAAO,GAAG,MAAM,CAAA;AAE/C,MAAM,MAAM,oBAAoB,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,CAAA;AAU3E;;;;;;GAMG;AACH,qBAAa,UAAU;aAEH,MAAM,EAAE,gBAAgB;aACxB,OAAO,EAAE,MAAM;aACf,MAAM,EAAE,MAAM;aACd,QAAQ,EAAE,MAAM,EAAE,GAAG,SAAS;aAC9B,WAAW,EAAE,MAAM,EAAE,GAAG,SAAS;aACjC,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,GAAG,SAAS;gBALhE,MAAM,EAAE,gBAAgB,EACxB,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAAE,GAAG,SAAS,EAC9B,WAAW,EAAE,MAAM,EAAE,GAAG,SAAS,EACjC,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,GAAG,SAAS;IASlF;;;OAGG;IACI,QAAQ,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO;IAyH3C;;;;;OAKG;IACI,KAAK,CAAC,KAAK,EAAE,UAAU,GAAG,UAAU,EAAE;IAiE7C;;;;;;;OAOG;IACI,YAAY,CAAC,KAAK,EAAE,UAAU,GAAG,UAAU,GAAG,SAAS;IAkL9D;;;;;;;;;OASG;IACI,QAAQ,CAAC,KAAK,EAAE,UAAU,GAAG,UAAU,EAAE;CAyZjD;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,eAAe,CAC7B,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,EAC3C,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,GAC1C,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,GAAG,IAAI,CAmHjD;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,mBAAmB,CACjC,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,EAC3C,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,GAC1C,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,GAAG,IAAI,CA0DjD;AAkID;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,oBAAoB,GAAG,oBAAoB,CAWxF;AA+BD;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAC9B,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,GAC9C,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,CAqB1C;AAqCD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,0BAA0B,CAAC,KAAK,EAAE,UAAU,EAAE,IAAI,EAAE,UAAU,GAAG,UAAU,EAAE,CAiC5F"}