@cloud-copilot/iam-lens 0.1.82 → 0.1.84
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +5 -0
- package/dist/cjs/cli.js +3 -3
- package/dist/cjs/cli.js.map +1 -1
- package/dist/cjs/principalCan/resources/statements.d.ts.map +1 -1
- package/dist/cjs/principalCan/resources/statements.js +6 -2
- package/dist/cjs/principalCan/resources/statements.js.map +1 -1
- package/dist/cjs/resources.d.ts.map +1 -1
- package/dist/cjs/resources.js +3 -0
- package/dist/cjs/resources.js.map +1 -1
- package/dist/cjs/simulate/simulate.d.ts +1 -1
- package/dist/cjs/whoCan/WhoCanMainThreadWorker.d.ts.map +1 -1
- package/dist/cjs/whoCan/WhoCanMainThreadWorker.js +9 -15
- package/dist/cjs/whoCan/WhoCanMainThreadWorker.js.map +1 -1
- package/dist/cjs/whoCan/WhoCanWorker.d.ts +58 -13
- package/dist/cjs/whoCan/WhoCanWorker.d.ts.map +1 -1
- package/dist/cjs/whoCan/WhoCanWorker.js +86 -33
- package/dist/cjs/whoCan/WhoCanWorker.js.map +1 -1
- package/dist/cjs/whoCan/WhoCanWorkerThreadWorker.js +15 -14
- package/dist/cjs/whoCan/WhoCanWorkerThreadWorker.js.map +1 -1
- package/dist/cjs/whoCan/requestAnalysis.d.ts +59 -9
- package/dist/cjs/whoCan/requestAnalysis.d.ts.map +1 -1
- package/dist/cjs/whoCan/requestAnalysis.js +63 -4
- package/dist/cjs/whoCan/requestAnalysis.js.map +1 -1
- package/dist/cjs/whoCan/whoCan.d.ts +90 -1
- package/dist/cjs/whoCan/whoCan.d.ts.map +1 -1
- package/dist/cjs/whoCan/whoCan.js +6 -6
- package/dist/cjs/whoCan/whoCan.js.map +1 -1
- package/dist/esm/cli.js +3 -3
- package/dist/esm/cli.js.map +1 -1
- package/dist/esm/principalCan/resources/statements.d.ts.map +1 -1
- package/dist/esm/principalCan/resources/statements.js +6 -2
- package/dist/esm/principalCan/resources/statements.js.map +1 -1
- package/dist/esm/resources.d.ts.map +1 -1
- package/dist/esm/resources.js +3 -0
- package/dist/esm/resources.js.map +1 -1
- package/dist/esm/simulate/simulate.d.ts +1 -1
- package/dist/esm/whoCan/WhoCanMainThreadWorker.d.ts.map +1 -1
- package/dist/esm/whoCan/WhoCanMainThreadWorker.js +10 -16
- package/dist/esm/whoCan/WhoCanMainThreadWorker.js.map +1 -1
- package/dist/esm/whoCan/WhoCanWorker.d.ts +58 -13
- package/dist/esm/whoCan/WhoCanWorker.d.ts.map +1 -1
- package/dist/esm/whoCan/WhoCanWorker.js +86 -33
- package/dist/esm/whoCan/WhoCanWorker.js.map +1 -1
- package/dist/esm/whoCan/WhoCanWorkerThreadWorker.js +16 -15
- package/dist/esm/whoCan/WhoCanWorkerThreadWorker.js.map +1 -1
- package/dist/esm/whoCan/requestAnalysis.d.ts +59 -9
- package/dist/esm/whoCan/requestAnalysis.d.ts.map +1 -1
- package/dist/esm/whoCan/requestAnalysis.js +62 -4
- package/dist/esm/whoCan/requestAnalysis.js.map +1 -1
- package/dist/esm/whoCan/whoCan.d.ts +90 -1
- package/dist/esm/whoCan/whoCan.d.ts.map +1 -1
- package/dist/esm/whoCan/whoCan.js +6 -6
- package/dist/esm/whoCan/whoCan.js.map +1 -1
- package/package.json +2 -2
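--- a/package/README.md
+++ b/package/README.md
@@ -157,6 +157,11 @@ iam-lens who-can \
 --resource arn:aws:dynamodb:us-east-1:555555555555:table/Books \
 --actions dynamodb:Query dynamodb:UpdateItem
 
+# Check a wildcard resource prefix and inspect allowed patterns
+iam-lens who-can \
+--resource arn:aws:s3:::my-bucket/reports/* \
+--actions s3:GetObject
+
 # Check all actions for a bucket
 iam-lens who-can \
 --resource arn:aws:s3:::my-bucket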
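--- a/package/dist/cjs/cli.js
+++ b/package/dist/cjs/cli.js
@@ -130,16 +130,16 @@ const main = async () => {
 ignoreMissingPrincipal,
 s3AbacOverride: cli.args.s3AbacOverride
 }, collectClient);
-if (result.
+if (result.resultType === 'error') {
 console.error('Simulation Errors:');
 console.log(JSON.stringify(result.errors, null, 2));
 process.exit(1);
 }
-console.log(`Simulation Result: ${result.
+console.log(`Simulation Result: ${result.overallResult}`);
 if (cli.args.verbose) {
 console.log(JSON.stringify({ request, result }, null, 2));
 }
-if (!(0, simulate_js_1.resultMatchesExpectation)(cli.args.expect, result.
+if (!(0, simulate_js_1.resultMatchesExpectation)(cli.args.expect, result.overallResult)) {
 process.exit(1);
 }
 }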
package/dist/cjs/cli.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"cli.js","sourceRoot":"","sources":["../../src/cli.ts"],"names":[],"mappings":";;;AAEA,4CAO2B;AAC3B,mDAAqD;AACrD,qDAA2E;AAC3E,oEAA6D;AAC7D,kFAA2E;AAC3E,wDAAkF;AAClF,iEAA0D;AAC1D,6EAAsE;AACtE,kDAA2C;AAE3C,MAAM,IAAI,GAAG,KAAK,IAAI,EAAE;IACtB,MAAM,GAAG,GAAG,MAAM,IAAA,uBAAiB,EACjC,UAAU,EACV;QACE,QAAQ,EAAE;YACR,WAAW,EAAE,yBAAyB;YACtC,SAAS,EAAE;gBACT,SAAS,EAAE,IAAA,oBAAc,EAAC;oBACxB,WAAW,EAAE,yEAAyE;iBACvF,CAAC;gBACF,QAAQ,EAAE,IAAA,oBAAc,EAAC;oBACvB,WAAW,EACT,4EAA4E;iBAC/E,CAAC;gBACF,eAAe,EAAE,IAAA,oBAAc,EAAC;oBAC9B,WAAW,EACT,iGAAiG;iBACpG,CAAC;gBACF,MAAM,EAAE,IAAA,oBAAc,EAAC;oBACrB,WAAW,EACT,wFAAwF;iBAC3F,CAAC;gBACF,OAAO,EAAE,IAAA,iBAAW,EAAC;oBACnB,WAAW,EACT,6JAA6J;oBAC/J,YAAY,EAAE,EAAE;iBACjB,CAAC;gBACF,OAAO,EAAE,IAAA,qBAAe,EAAC;oBACvB,WAAW,EAAE,0CAA0C;oBACvD,SAAS,EAAE,GAAG;iBACf,CAAC;gBACF,MAAM,EAAE,IAAA,kBAAY,EAAC;oBACnB,WAAW,EACT,iIAAiI;oBACnI,WAAW,EAAE,CAAC,SAAS,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,SAAS,CAAC;iBAC5E,CAAC;gBACF,sBAAsB,EAAE,IAAA,qBAAe,EAAC;oBACtC,WAAW,EACT,uIAAuI;oBACzI,SAAS,EAAE,GAAG;iBACf,CAAC;gBACF,cAAc,EAAE,IAAA,kBAAY,EAAC;oBAC3B,WAAW,EACT,6GAA6G;oBAC/G,WAAW,EAAE,CAAC,SAAS,EAAE,UAAU,CAAC;oBACpC,YAAY,EAAE,SAAS;iBACxB,CAAC;gBACF,aAAa,EAAE,IAAA,8CAAoB,EAAC;oBAClC,WAAW,EACT,iFAAiF;iBACpF,CAAC;aACH;SACF;QACD,SAAS,EAAE;YACT,WAAW,EAAE,8CAA8C;YAC3D,SAAS,EAAE;gBACT,QAAQ,EAAE,IAAA,oBAAc,EAAC;oBACvB,WAAW,EACT,+EAA+E;iBAClF,CAAC;gBACF,eAAe,EAAE,IAAA,oBAAc,EAAC;oBAC9B,WAAW,EACT,+HAA+H;iBAClI,CAAC;gBACF,OAAO,EAAE,IAAA,yBAAmB,EAAC;oBAC3B,WAAW,EACT,qGAAqG;oBACvG,YAAY,EAAE,EAAE;iBACjB,CAAC;gBACF,cAAc,EAAE,IAAA,kBAAY,EAAC;oBAC3B,WAAW,EACT,6GAA6G;oBAC/G,WAAW,EAAE,CAAC,SAAS,EAAE,UAAU,CAAC;oBACpC,YAAY,EAAE,SAAS;iBACxB,CAAC;gBACF,IAAI,EAAE,IAAA,qBAAe,EAAC;oBACpB,WAAW,EAAE,oCAAoC;oBACjD,SAAS,EAAE,GAAG;iBACf,CAAC;aACH;SACF;QACD,eAAe,EAAE;YACf,WAAW,EACT,2FAA2F;YAC7F,SAAS,EAAE;gBACT,SAAS,EAAE,IAAA,oBAAc,EAAC;oBACxB,WAAW,EAAE,+DAA+D;iBAC7E,CAAC;gBACF,iBAAiB,EAAE,IAAA,qBAAe,EAAC;oBACjC,WAAW,EAAE,2CAA2C;oBACxD,SAAS,EAAE,GAAG;iBACf,CAAC;aACH;SACF;QACD,kBAAkB,EAAE;YA
ClB,WAAW,EAAE,sBAAsB;YACnC,SAAS,EAAE,EAAE;SACd;KACF,EACD;QACE,cAAc,EAAE,IAAA,yBAAmB,EAAC;YAClC,WAAW,EAAE,4CAA4C;YACzD,YAAY,EAAE,EAAE;SACjB,CAAC;QACF,SAAS,EAAE,IAAA,oBAAc,EAAC;YACxB,WAAW,EAAE,qEAAqE;YAClF,YAAY,EAAE,KAAK;SACpB,CAAC;KACH,EACD;QACE,SAAS,EAAE,UAAU;QACrB,gBAAgB,EAAE,IAAI;QACtB,iBAAiB,EAAE,IAAI;QACvB,cAAc,EAAE,KAAK;QACrB,OAAO,EAAE;YACP,cAAc,EAAE,kCAAc;YAC9B,eAAe,EAAE,yBAAyB;SAC3C;KACF,CACF,CAAA;IAED,IAAI,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzC,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAA;IACrD,CAAC;IACD,MAAM,cAAc,GAAG,MAAM,IAAA,+BAAkB,EAAC,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;IACxE,MAAM,aAAa,GAAG,IAAA,6BAAgB,EAAC,cAAc,EAAE,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;IAE1E,IAAI,GAAG,CAAC,UAAU,KAAK,UAAU,EAAE,CAAC;QAClC,MAAM,EACJ,SAAS,EACT,QAAQ,EACR,eAAe,EACf,MAAM,EACN,OAAO,EACP,sBAAsB,EACtB,aAAa,EACd,GAAG,GAAG,CAAC,IAAI,CAAA;QAEZ,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,IAAA,6BAAe,EAC/C;YACE,aAAa;YACb,SAAS,EAAE,SAAU;YACrB,WAAW,EAAE,QAAQ;YACrB,eAAe,EAAE,eAAe;YAChC,MAAM,EAAE,MAAO;YACf,iBAAiB,EAAE,yBAAyB,CAAC,OAAO,CAAC;YACrD,cAAc,EAAE,QAAQ;YACxB,sBAAsB;YACtB,cAAc,EAAE,GAAG,CAAC,IAAI,CAAC,cAAc;SACxC,EACD,aAAa,CACd,CAAA;QAED,IAAI,MAAM,CAAC,
|
|
1
|
+
{"version":3,"file":"cli.js","sourceRoot":"","sources":["../../src/cli.ts"],"names":[],"mappings":";;;AAEA,4CAO2B;AAC3B,mDAAqD;AACrD,qDAA2E;AAC3E,oEAA6D;AAC7D,kFAA2E;AAC3E,wDAAkF;AAClF,iEAA0D;AAC1D,6EAAsE;AACtE,kDAA2C;AAE3C,MAAM,IAAI,GAAG,KAAK,IAAI,EAAE;IACtB,MAAM,GAAG,GAAG,MAAM,IAAA,uBAAiB,EACjC,UAAU,EACV;QACE,QAAQ,EAAE;YACR,WAAW,EAAE,yBAAyB;YACtC,SAAS,EAAE;gBACT,SAAS,EAAE,IAAA,oBAAc,EAAC;oBACxB,WAAW,EAAE,yEAAyE;iBACvF,CAAC;gBACF,QAAQ,EAAE,IAAA,oBAAc,EAAC;oBACvB,WAAW,EACT,4EAA4E;iBAC/E,CAAC;gBACF,eAAe,EAAE,IAAA,oBAAc,EAAC;oBAC9B,WAAW,EACT,iGAAiG;iBACpG,CAAC;gBACF,MAAM,EAAE,IAAA,oBAAc,EAAC;oBACrB,WAAW,EACT,wFAAwF;iBAC3F,CAAC;gBACF,OAAO,EAAE,IAAA,iBAAW,EAAC;oBACnB,WAAW,EACT,6JAA6J;oBAC/J,YAAY,EAAE,EAAE;iBACjB,CAAC;gBACF,OAAO,EAAE,IAAA,qBAAe,EAAC;oBACvB,WAAW,EAAE,0CAA0C;oBACvD,SAAS,EAAE,GAAG;iBACf,CAAC;gBACF,MAAM,EAAE,IAAA,kBAAY,EAAC;oBACnB,WAAW,EACT,iIAAiI;oBACnI,WAAW,EAAE,CAAC,SAAS,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,SAAS,CAAC;iBAC5E,CAAC;gBACF,sBAAsB,EAAE,IAAA,qBAAe,EAAC;oBACtC,WAAW,EACT,uIAAuI;oBACzI,SAAS,EAAE,GAAG;iBACf,CAAC;gBACF,cAAc,EAAE,IAAA,kBAAY,EAAC;oBAC3B,WAAW,EACT,6GAA6G;oBAC/G,WAAW,EAAE,CAAC,SAAS,EAAE,UAAU,CAAC;oBACpC,YAAY,EAAE,SAAS;iBACxB,CAAC;gBACF,aAAa,EAAE,IAAA,8CAAoB,EAAC;oBAClC,WAAW,EACT,iFAAiF;iBACpF,CAAC;aACH;SACF;QACD,SAAS,EAAE;YACT,WAAW,EAAE,8CAA8C;YAC3D,SAAS,EAAE;gBACT,QAAQ,EAAE,IAAA,oBAAc,EAAC;oBACvB,WAAW,EACT,+EAA+E;iBAClF,CAAC;gBACF,eAAe,EAAE,IAAA,oBAAc,EAAC;oBAC9B,WAAW,EACT,+HAA+H;iBAClI,CAAC;gBACF,OAAO,EAAE,IAAA,yBAAmB,EAAC;oBAC3B,WAAW,EACT,qGAAqG;oBACvG,YAAY,EAAE,EAAE;iBACjB,CAAC;gBACF,cAAc,EAAE,IAAA,kBAAY,EAAC;oBAC3B,WAAW,EACT,6GAA6G;oBAC/G,WAAW,EAAE,CAAC,SAAS,EAAE,UAAU,CAAC;oBACpC,YAAY,EAAE,SAAS;iBACxB,CAAC;gBACF,IAAI,EAAE,IAAA,qBAAe,EAAC;oBACpB,WAAW,EAAE,oCAAoC;oBACjD,SAAS,EAAE,GAAG;iBACf,CAAC;aACH;SACF;QACD,eAAe,EAAE;YACf,WAAW,EACT,2FAA2F;YAC7F,SAAS,EAAE;gBACT,SAAS,EAAE,IAAA,oBAAc,EAAC;oBACxB,WAAW,EAAE,+DAA+D;iBAC7E,CAAC;gBACF,iBAAiB,EAAE,IAAA,qBAAe,EAAC;oBACjC,WAAW,EAAE,2CAA2C;oBACxD,SAAS,EAAE,GAAG;iBACf,CAAC;aACH;SACF;QACD,kBAAkB,EAAE;YA
ClB,WAAW,EAAE,sBAAsB;YACnC,SAAS,EAAE,EAAE;SACd;KACF,EACD;QACE,cAAc,EAAE,IAAA,yBAAmB,EAAC;YAClC,WAAW,EAAE,4CAA4C;YACzD,YAAY,EAAE,EAAE;SACjB,CAAC;QACF,SAAS,EAAE,IAAA,oBAAc,EAAC;YACxB,WAAW,EAAE,qEAAqE;YAClF,YAAY,EAAE,KAAK;SACpB,CAAC;KACH,EACD;QACE,SAAS,EAAE,UAAU;QACrB,gBAAgB,EAAE,IAAI;QACtB,iBAAiB,EAAE,IAAI;QACvB,cAAc,EAAE,KAAK;QACrB,OAAO,EAAE;YACP,cAAc,EAAE,kCAAc;YAC9B,eAAe,EAAE,yBAAyB;SAC3C;KACF,CACF,CAAA;IAED,IAAI,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzC,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAA;IACrD,CAAC;IACD,MAAM,cAAc,GAAG,MAAM,IAAA,+BAAkB,EAAC,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;IACxE,MAAM,aAAa,GAAG,IAAA,6BAAgB,EAAC,cAAc,EAAE,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;IAE1E,IAAI,GAAG,CAAC,UAAU,KAAK,UAAU,EAAE,CAAC;QAClC,MAAM,EACJ,SAAS,EACT,QAAQ,EACR,eAAe,EACf,MAAM,EACN,OAAO,EACP,sBAAsB,EACtB,aAAa,EACd,GAAG,GAAG,CAAC,IAAI,CAAA;QAEZ,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,IAAA,6BAAe,EAC/C;YACE,aAAa;YACb,SAAS,EAAE,SAAU;YACrB,WAAW,EAAE,QAAQ;YACrB,eAAe,EAAE,eAAe;YAChC,MAAM,EAAE,MAAO;YACf,iBAAiB,EAAE,yBAAyB,CAAC,OAAO,CAAC;YACrD,cAAc,EAAE,QAAQ;YACxB,sBAAsB;YACtB,cAAc,EAAE,GAAG,CAAC,IAAI,CAAC,cAAc;SACxC,EACD,aAAa,CACd,CAAA;QAED,IAAI,MAAM,CAAC,UAAU,KAAK,OAAO,EAAE,CAAC;YAClC,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAA;YACnC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;YACnD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,sBAAsB,MAAM,CAAC,aAAa,EAAE,CAAC,CAAA;QACzD,IAAI,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YACrB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;QAC3D,CAAC;QAED,IAAI,CAAC,IAAA,sCAAwB,EAAC,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,aAAc,CAAC,EAAE,CAAC;YACtE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;IACH,CAAC;SAAM,IAAI,GAAG,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QACxC,MAAM,EAAE,QAAQ,EAAE,eAAe,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC,IAAI,CAAA;QACvD,IAAI,CAAC,eAAe,IAAI,CAAC,QAAQ,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1D,OAAO,CAAC,KAAK,CACX,qGAAq
G,CACtG,CAAA;YACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,IAAA,kBAAM,EAAC,cAAc,EAAE,GAAG,CAAC,IAAI,CAAC,SAAS,EAAE;YAC/D,QAAQ,EAAE,GAAG,CAAC,IAAI,CAAC,QAAS;YAC5B,OAAO,EAAE,GAAG,CAAC,IAAI,CAAC,OAAQ;YAC1B,eAAe,EAAE,GAAG,CAAC,IAAI,CAAC,eAAe;YACzC,cAAc,EAAE,GAAG,CAAC,IAAI,CAAC,cAAc;YACvC,IAAI,EAAE,GAAG,CAAC,IAAI,CAAC,IAAI;SACpB,CAAC,CAAA;QAEF,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;IAC/C,CAAC;SAAM,IAAI,GAAG,CAAC,UAAU,KAAK,eAAe,EAAE,CAAC;QAC9C,MAAM,EAAE,SAAS,EAAE,iBAAiB,EAAE,GAAG,GAAG,CAAC,IAAI,CAAA;QACjD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,6DAA6D,CAAC,CAAA;YAC5E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,IAAA,8BAAY,EAAC,aAAa,EAAE;YAChD,SAAS,EAAE,SAAS;YACpB,iBAAiB;SAClB,CAAC,CAAA;QAEF,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;IAC/C,CAAC;SAAM,IAAI,GAAG,CAAC,UAAU,KAAK,kBAAkB,EAAE,CAAC;QACjD,MAAM,WAAW,GAAG,IAAA,6BAAgB,EAAC,cAAc,EAAE,GAAG,CAAC,IAAI,CAAC,SAAS,EAAE;YACvE,aAAa,EAAE,IAAI,2BAAe,EAAE;SACrC,CAAC,CAAA;QACF,MAAM,IAAA,0CAAkB,EAAC,WAAW,CAAC,CAAA;IACvC,CAAC;AACH,CAAC,CAAA;AAED;;;;;;GAMG;AACH,SAAS,yBAAyB,CAChC,KAA+B;IAE/B,MAAM,MAAM,GAAsC,EAAE,CAAA;IACpD,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACjD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QACxB,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAA;QACrB,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAA;AACf,CAAC;AAED,IAAI,EAAE;KACH,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;IACX,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;IAChB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC,CAAC;KACD,IAAI,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC;KACd,OAAO,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAA"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"statements.d.ts","sourceRoot":"","sources":["../../../../src/principalCan/resources/statements.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,MAAM,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAA;AAGzE,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAA;AAI1D,MAAM,MAAM,2BAA2B,GAAG,gBAAgB,GAAG,cAAc,GAAG,SAAS,CAAA;AAEvF;;;;;;;;;;;GAWG;AACH,wBAAsB,2BAA2B,CAC/C,SAAS,EAAE,SAAS,EACpB,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,gBAAgB,GACvB,OAAO,CAAC,2BAA2B,CAAC,
|
|
1
|
+
{"version":3,"file":"statements.d.ts","sourceRoot":"","sources":["../../../../src/principalCan/resources/statements.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,MAAM,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAA;AAGzE,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAA;AAI1D,MAAM,MAAM,2BAA2B,GAAG,gBAAgB,GAAG,cAAc,GAAG,SAAS,CAAA;AAEvF;;;;;;;;;;;GAWG;AACH,wBAAsB,2BAA2B,CAC/C,SAAS,EAAE,SAAS,EACpB,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,gBAAgB,GACvB,OAAO,CAAC,2BAA2B,CAAC,CAkDtC;AAgBD;;;;;;;;GAQG;AACH,wBAAgB,oCAAoC,CAAC,SAAS,EAAE,SAAS,GAAG,MAAM,CAmCjF"}
|
|
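--- a/package/dist/cjs/principalCan/resources/statements.js
+++ b/package/dist/cjs/principalCan/resources/statements.js
@@ -50,10 +50,14 @@ async function statementAppliesToPrincipal(statement, principalArn, client) {
 const result = await (0, iam_simulate_1.runSimulation)(simulation, {
 simulationMode: simulationRequest.simulationMode
 });
-if (result.
+if (result.resultType === 'error') {
+return 'NoMatch';
+}
+const analysis = result.resultType === 'single' ? result.result.analysis : undefined;
+if (analysis?.result === 'Allowed') {
 return 'PrincipalMatch';
 }
-if (
+if (analysis?.resourceAnalysis?.result === 'AllowedForAccount') {
 return 'AccountMatch';
 }
 return 'NoMatch';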
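Review bot: A simulator error is mapped straight to 'NoMatch' at new lines 53–55 and result.errors is discarded, so a statement the simulator could not evaluate is reported as not applying to the principal and the caller cannot tell that from a genuine non-match. For an access-audit answer that is the under-reporting direction, so the fail-closed choice should be visible rather than silent: keep the early return but document and surface it, e.g. `// Fail closed: an unevaluable statement is treated as not matching; report the cause so the gap is not hidden` followed by a warning that includes result.errors, or propagate the error if callers can handle it. Line 56 leaves analysis undefined whenever resultType is neither 'error' nor 'single', which also falls through to 'NoMatch'; if the simulator has a multi-result variant (the whoCan code in this release refers to wildcard results) that case deserves the same treatment or at least a comment. statementAppliesToPrincipal begins before this hunk.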
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"statements.js","sourceRoot":"","sources":["../../../../src/principalCan/resources/statements.ts"],"names":[],"mappings":";;AAqBA,
|
|
1
|
+
{"version":3,"file":"statements.js","sourceRoot":"","sources":["../../../../src/principalCan/resources/statements.ts"],"names":[],"mappings":";;AAqBA,kEAsDC;AAyBD,oFAmCC;AAvID,0DAAyE;AACzE,8DAAuE;AACvE,wDAAwD;AAExD,kEAAiE;AAKjE;;;;;;;;;;;GAWG;AACI,KAAK,UAAU,2BAA2B,CAC/C,SAAoB,EACpB,YAAoB,EACpB,MAAwB;IAExB,MAAM,gBAAgB,GAAG,IAAA,yBAAa,EAAC,YAAY,CAAC,CAAC,SAAU,CAAA;IAC/D,MAAM,cAAc,GAAG,oCAAoC,CAAC,SAAS,CAAC,CAAA;IACtE,MAAM,iBAAiB,GAAsB;QAC3C,SAAS,EAAE,YAAY;QACvB,MAAM,EAAE,iBAAiB;QACzB,eAAe,EAAE,gBAAgB;QACjC,WAAW,EAAE,SAAS;QACtB,iBAAiB,EAAE,EAAE;QACrB,cAAc,EAAE,QAAQ;KACzB,CAAA;IAED,8DAA8D;IAC9D,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,IAAA,kCAAiB,EAAC,MAAM,EAAE,iBAAiB,EAAE,KAAK,EAAE,EAAE,CAAC,CAAA;IAErF,MAAM,OAAO,GAA0B;QACrC,MAAM,EAAE,iBAAiB;QACzB,QAAQ,EAAE;YACR,QAAQ,EAAE,6EAA6E;YACvF,SAAS,EAAE,gBAAgB;SAC5B;QACD,SAAS,EAAE,YAAY;QACvB,gBAAgB,EAAE,WAAW;KAC9B,CAAA;IAED,MAAM,UAAU,GAAe;QAC7B,OAAO;QACP,gBAAgB,EAAE,EAAE;QACpB,cAAc,EAAE,cAAc,CAAC,MAAM,EAAE;QACvC,sBAAsB,EAAE,EAAE;QAC1B,uBAAuB,EAAE,EAAE;KAC5B,CAAA;IAED,MAAM,MAAM,GAAG,MAAM,IAAA,4BAAa,EAAC,UAAU,EAAE;QAC7C,cAAc,EAAE,iBAAiB,CAAC,cAAc;KACjD,CAAC,CAAA;IAEF,IAAI,MAAM,CAAC,UAAU,KAAK,OAAO,EAAE,CAAC;QAClC,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAA;IACpF,IAAI,QAAQ,EAAE,MAAM,KAAK,SAAS,EAAE,CAAC;QACnC,OAAO,gBAAgB,CAAA;IACzB,CAAC;IAED,IAAI,QAAQ,EAAE,gBAAgB,EAAE,MAAM,KAAK,mBAAmB,EAAE,CAAC;QAC/D,OAAO,cAAc,CAAA;IACvB,CAAC;IACD,OAAO,SAAS,CAAA;AAClB,CAAC;AAED,MAAM,aAAa,GAAG,IAAI,GAAG,CAC3B;IACE,kBAAkB;IAClB,sBAAsB;IACtB,oBAAoB;IACpB,uBAAuB;IACvB,mBAAmB;IACnB,YAAY;IACZ,cAAc;IACd,2BAA2B;IAC3B,mBAAmB;CACpB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAC9B,CAAA;AAED;;;;;;;;GAQG;AACH,SAAgB,oCAAoC,CAAC,SAAoB;IACvE,MAAM,YAAY,GAAG,eAAe,CAAC,SAAS,CAAC,MAAM,EAAE,CAAC,CAAA;IACxD,MAAM,kBAAkB,GAAQ,EAAE,CAAA;IAClC,IAAI,SAAS,CAAC,oBAAoB,EAAE,EAAE,CAAC;QACrC,kBAAkB,CAAC,SAAS,GAAG,YAAY,CAAC,SAAS,CAAA;IACvD,CAAC;SAAM,IAAI,SAAS,CAAC,uBAAuB,EAAE,EAAE,
CAAC;QAC/C,kBAAkB,CAAC,YAAY,GAAG,YAAY,CAAC,YAAY,CAAA;IAC7D,CAAC;SAAM,CAAC;QACN,kBAAkB,CAAC,SAAS,GAAG,GAAG,CAAA;IACpC,CAAC;IACD,IAAI,YAAY,CAAC,SAAS,EAAE,CAAC;QAC3B,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,EAAE,CAAC;YAC3D,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;gBAChE,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;oBAC1C,OAAO,YAAY,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,CAAA;gBAC9C,CAAC;YACH,CAAC;YACD,IAAI,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC/D,OAAO,YAAY,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAA;YACzC,CAAC;QACH,CAAC;QACD,IAAI,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACnD,kBAAkB,CAAC,SAAS,GAAG,YAAY,CAAC,SAAS,CAAA;QACvD,CAAC;IACH,CAAC;IAED,OAAO,IAAA,uBAAU,EAAC;QAChB,OAAO,EAAE,YAAY;QACrB,SAAS,EAAE;YACT,MAAM,EAAE,OAAO;YACf,QAAQ,EAAE,GAAG;YACb,MAAM,EAAE,GAAG;YACX,GAAG,kBAAkB;SACtB;KACF,CAAC,CAAA;AACJ,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"resources.d.ts","sourceRoot":"","sources":["../../src/resources.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAA;AAExD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAA;AAEtD;;;;;;GAMG;AACH,wBAAsB,uBAAuB,CAC3C,aAAa,EAAE,gBAAgB,EAC/B,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,
|
|
1
|
+
{"version":3,"file":"resources.d.ts","sourceRoot":"","sources":["../../src/resources.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAA;AAExD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAA;AAEtD;;;;;;GAMG;AACH,wBAAsB,uBAAuB,CAC3C,aAAa,EAAE,gBAAgB,EAC/B,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAgB7B;AAED;;;;;;;GAOG;AACH,wBAAsB,kBAAkB,CACtC,aAAa,EAAE,gBAAgB,EAC/B,WAAW,EAAE,MAAM,EACnB,eAAe,EAAE,MAAM,GAAG,SAAS,GAClC,OAAO,CAAC,UAAU,CAAC,yBAAyB,CAAC,CAAC,CAMhD;AAED;;;;;;;GAOG;AACH,wBAAsB,4BAA4B,CAChD,aAAa,EAAE,gBAAgB,EAC/B,WAAW,EAAE,MAAM,EACnB,eAAe,EAAE,MAAM,GAAG,SAAS,GAClC,OAAO,CAAC,GAAG,GAAG,SAAS,CAAC,CAkB1B"}
|
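--- a/package/dist/cjs/resources.js
+++ b/package/dist/cjs/resources.js
@@ -12,6 +12,9 @@ const iam_utils_1 = require("@cloud-copilot/iam-utils");
 * @returns the account ID for the specified resource, or undefined if not found
 */
 async function getAccountIdForResource(collectClient, resourceArn) {
+if (!resourceArn.startsWith('arn:')) {
+return undefined;
+}
 const arnParts = (0, iam_utils_1.splitArnParts)(resourceArn);
 let accountId = arnParts.accountId;
 if (accountId && accountId !== 'aws') {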
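Review bot: The guard at new lines 15–17 adds a return path the JSDoc just above does not describe: `@returns the account ID for the specified resource, or undefined if not found` now also covers any value that is not an ARN at all, and a reader cannot tell whether undefined means "no account found" or "not an ARN". Suggest `* @returns the account ID for the resource; undefined when the value is not an ARN (e.g. a bare wildcard) or no account can be derived from it`. The prefix test is case-sensitive and covers every partition (`arn:aws`, `arn:aws-cn`, `arn:aws-us-gov`), which is correct; it does not protect against resourceArn being undefined, which WhoCanWorkItem.resource permits elsewhere in this release, but that was not handled before either. getAccountIdForResource continues past the hunk.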
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"resources.js","sourceRoot":"","sources":["../../src/resources.ts"],"names":[],"mappings":";;AAWA,
|
|
1
|
+
{"version":3,"file":"resources.js","sourceRoot":"","sources":["../../src/resources.ts"],"names":[],"mappings":";;AAWA,0DAmBC;AAUD,gDAUC;AAUD,oEAsBC;AAjFD,wDAAwD;AAGxD;;;;;;GAMG;AACI,KAAK,UAAU,uBAAuB,CAC3C,aAA+B,EAC/B,WAAmB;IAEnB,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QACpC,OAAO,SAAS,CAAA;IAClB,CAAC;IACD,MAAM,QAAQ,GAAG,IAAA,yBAAa,EAAC,WAAW,CAAC,CAAA;IAC3C,IAAI,SAAS,GAAG,QAAQ,CAAC,SAAS,CAAA;IAClC,IAAI,SAAS,IAAI,SAAS,KAAK,KAAK,EAAE,CAAC;QACrC,OAAO,SAAS,CAAA;IAClB,CAAC;IACD,IAAI,QAAQ,CAAC,OAAO,KAAK,IAAI,IAAI,QAAQ,CAAC,YAAY,KAAK,EAAE,EAAE,CAAC;QAC9D,MAAM,UAAU,GAAG,QAAQ,CAAC,YAAa,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAA;QACvD,OAAO,aAAa,CAAC,qBAAqB,CAAC,UAAU,CAAC,CAAA;IACxD,CAAC;SAAM,IAAI,QAAQ,CAAC,OAAO,KAAK,YAAY,IAAI,QAAQ,CAAC,YAAY,KAAK,UAAU,EAAE,CAAC;QACrF,OAAO,aAAa,CAAC,sBAAsB,CAAC,WAAW,CAAC,CAAA;IAC1D,CAAC;IACD,OAAO,SAAS,CAAA;AAClB,CAAC;AAED;;;;;;;GAOG;AACI,KAAK,UAAU,kBAAkB,CACtC,aAA+B,EAC/B,WAAmB,EACnB,eAAmC;IAEnC,MAAM,SAAS,GAAG,eAAe,IAAI,CAAC,MAAM,uBAAuB,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC,CAAA;IAChG,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,oDAAoD,WAAW,EAAE,CAAC,CAAA;IACpF,CAAC;IACD,OAAO,aAAa,CAAC,yBAAyB,CAAC,SAAS,CAAC,CAAA;AAC3D,CAAC;AAED;;;;;;;GAOG;AACI,KAAK,UAAU,4BAA4B,CAChD,aAA+B,EAC/B,WAAmB,EACnB,eAAmC;IAEnC,2CAA2C;IAC3C,MAAM,SAAS,GAAG,eAAe,IAAI,CAAC,MAAM,uBAAuB,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC,CAAA;IAChG,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,oDAAoD,WAAW,EAAE,CAAC,CAAA;IACpF,CAAC;IACD,MAAM,cAAc,GAAG,MAAM,aAAa,CAAC,uBAAuB,CAAC,WAAW,EAAE,SAAS,CAAC,CAAA;IAC1F,IAAI,cAAc,EAAE,CAAC;QACnB,OAAO,cAAc,CAAA;IACvB,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,uBAAuB,CAAC,WAAW,EAAE,SAAS,CAAC,CAAA;IACrF,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,gEAAgE;IAChE,OAAO,SAAS,CAAA;AAClB,CAAC"}
|
|
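--- a/package/dist/cjs/simulate/simulate.d.ts
+++ b/package/dist/cjs/simulate/simulate.d.ts
@@ -60,7 +60,7 @@ export declare function simulateRequest(simulationRequest: SimulationRequest, co
 };
 contextVariables: Record<string, string | string[]>;
 };
-result: import("@cloud-copilot/iam-simulate").
+result: import("@cloud-copilot/iam-simulate").RunSimulationResults;
 }>;
 export declare function resultMatchesExpectation(expected: EvaluationResult | 'AnyDeny' | undefined, result: EvaluationResult): boolean;
 //# sourceMappingURL=simulate.d.ts.map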
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"WhoCanMainThreadWorker.d.ts","sourceRoot":"","sources":["../../../src/whoCan/WhoCanMainThreadWorker.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"WhoCanMainThreadWorker.d.ts","sourceRoot":"","sources":["../../../src/whoCan/WhoCanMainThreadWorker.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAA;AAC9C,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAA;AACvD,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAA;AACnD,OAAO,EAAE,uBAAuB,EAAE,MAAM,uCAAuC,CAAA;AAC/E,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAA;AAC5D,OAAO,EAAE,kBAAkB,EAAE,MAAM,kCAAkC,CAAA;AACrE,OAAO,EAEL,oBAAoB,EAErB,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAA;AAC7D,OAAO,EAEL,qBAAqB,EACrB,cAAc,EACf,MAAM,mBAAmB,CAAA;AAE1B,wBAAgB,kCAAkC,CAChD,KAAK,EAAE,kBAAkB,CAAC,cAAc,CAAC,GAAG,uBAAuB,CAAC,cAAc,CAAC,EACnF,aAAa,EAAE,gBAAgB,EAC/B,cAAc,EAAE,cAAc,GAAG,SAAS,EAC1C,UAAU,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,aAAa,GAAG,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,KAAK,IAAI,EAC3F,mBAAmB,CAAC,EAAE,CAAC,OAAO,EAAE,oBAAoB,KAAK,OAAO,EAChE,YAAY,CAAC,EAAE,CAAC,MAAM,EAAE,gBAAgB,KAAK,IAAI,sFA0DlD"}
|
|
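--- a/package/dist/cjs/whoCan/WhoCanMainThreadWorker.js
+++ b/package/dist/cjs/whoCan/WhoCanMainThreadWorker.js
@@ -1,7 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.createMainThreadStreamingWorkQueue = createMainThreadStreamingWorkQueue;
-const iam_simulate_1 = require("@cloud-copilot/iam-simulate");
 const JobRunner_js_1 = require("../workers/JobRunner.js");
 const requestAnalysis_js_1 = require("./requestAnalysis.js");
 const WhoCanWorker_js_1 = require("./WhoCanWorker.js");
@@ -17,7 +16,7 @@ function createMainThreadStreamingWorkQueue(queue, collectClient, s3AbacOverride
 }, async (result) => {
 if (result.status === 'fulfilled') {
 const executionResult = result.value;
-if (executionResult.allowed) {
+if (executionResult.type === 'allowed') {
 // Simulation was allowed - pass through to onComplete
 onComplete({
 status: 'fulfilled',
@@ -33,19 +32,14 @@ function createMainThreadStreamingWorkQueue(queue, collectClient, s3AbacOverride
 properties: result.properties
 });
 // Check if we should include deny details
-if (denyDetailsCallback && onDenyDetail
-const
-
-
-const
-
-
-
-principal: workItem.principal,
-service,
-action,
-details: denialReasons
-});
+if (denyDetailsCallback && onDenyDetail) {
+const hasDetails = executionResult.type === 'denied_single' || executionResult.type === 'denied_wildcard';
+if (hasDetails) {
+const lightAnalysis = (0, requestAnalysis_js_1.toLightRequestAnalysis)(executionResult);
+const shouldInclude = denyDetailsCallback(lightAnalysis);
+if (shouldInclude) {
+onDenyDetail((0, requestAnalysis_js_1.convertToDenialDetails)(executionResult));
+}
 }
 }
 }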
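Review bot: The discriminant test at new line 36, `executionResult.type === 'denied_single' || executionResult.type === 'denied_wildcard'`, re-encodes by hand the DeniedWhoCanExecutionResultWithDetails union that WhoCanWorker.d.ts declares in this same release, so a future denied variant that carries analysis would be silently dropped here unless someone remembers this line. A guard exported beside the types, `function hasDenyDetails(r) { return r.type === 'denied_single' || r.type === 'denied_wildcard'; }`, used as `if (denyDetailsCallback && onDenyDetail && hasDenyDetails(executionResult)) {`, keeps the check in one place and removes a nesting level. Separately, denyDetailsCallback and onDenyDetail are caller-supplied and run inside the async result handler opened at line 16, so an exception from either turns into a rejected promise whose fate depends on JobRunner — presumably unhandled; worth confirming. createMainThreadStreamingWorkQueue begins before and ends after this hunk.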
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"WhoCanMainThreadWorker.js","sourceRoot":"","sources":["../../../src/whoCan/WhoCanMainThreadWorker.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"WhoCanMainThreadWorker.js","sourceRoot":"","sources":["../../../src/whoCan/WhoCanMainThreadWorker.ts"],"names":[],"mappings":";;AAkBA,gFAgEC;AA9ED,0DAA4D;AAE5D,6DAI6B;AAE7B,uDAI0B;AAE1B,SAAgB,kCAAkC,CAChD,KAAmF,EACnF,aAA+B,EAC/B,cAA0C,EAC1C,UAA2F,EAC3F,mBAAgE,EAChE,YAAiD;IAEjD,MAAM,kBAAkB,GAAG,CAAC,CAAC,mBAAmB,CAAA;IAEhD,OAAO,IAAI,iCAAkB,CAC3B,EAAE,EACF,KAAK,IAAI,EAAE;QACT,OAAO,KAAK,CAAC,OAAO,EAAE,CAAA;IACxB,CAAC,EACD,CAAC,QAAQ,EAAE,EAAE;QACX,OAAO,IAAA,4CAA0B,EAAC,QAAQ,EAAE,aAAa,EAAE;YACzD,cAAc;YACd,kBAAkB;SACnB,CAAC,CAAA;IACJ,CAAC,EACD,KAAK,EAAE,MAAM,EAAE,EAAE;QACf,IAAI,MAAM,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;YAClC,MAAM,eAAe,GAAG,MAAM,CAAC,KAAK,CAAA;YACpC,IAAI,eAAe,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBACvC,sDAAsD;gBACtD,UAAU,CAAC;oBACT,MAAM,EAAE,WAAW;oBACnB,KAAK,EAAE,eAAe,CAAC,OAAO;oBAC9B,UAAU,EAAE,MAAM,CAAC,UAAU;iBAC9B,CAAC,CAAA;YACJ,CAAC;iBAAM,CAAC;gBACN,wBAAwB;gBACxB,UAAU,CAAC;oBACT,MAAM,EAAE,WAAW;oBACnB,KAAK,EAAE,SAAS;oBAChB,UAAU,EAAE,MAAM,CAAC,UAAU;iBAC9B,CAAC,CAAA;gBAEF,0CAA0C;gBAC1C,IAAI,mBAAmB,IAAI,YAAY,EAAE,CAAC;oBACxC,MAAM,UAAU,GACd,eAAe,CAAC,IAAI,KAAK,eAAe,IAAI,eAAe,CAAC,IAAI,KAAK,iBAAiB,CAAA;oBAExF,IAAI,UAAU,EAAE,CAAC;wBACf,MAAM,aAAa,GAAG,IAAA,2CAAsB,EAAC,eAAe,CAAC,CAAA;wBAC7D,MAAM,aAAa,GAAG,mBAAmB,CAAC,aAAa,CAAC,CAAA;wBAExD,IAAI,aAAa,EAAE,CAAC;4BAClB,YAAY,CAAC,IAAA,2CAAsB,EAAC,eAAe,CAAC,CAAC,CAAA;wBACvD,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,wCAAwC;YACxC,UAAU,CAAC;gBACT,MAAM,EAAE,UAAU;gBAClB,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,UAAU,EAAE,MAAM,CAAC,UAAU;aAC9B,CAAC,CAAA;QACJ,CAAC;IACH,CAAC,CACF,CAAA;AACH,CAAC"}
|
|
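--- a/package/dist/cjs/whoCan/WhoCanWorker.d.ts
+++ b/package/dist/cjs/whoCan/WhoCanWorker.d.ts
@@ -1,8 +1,8 @@
-import { RequestAnalysis } from '@cloud-copilot/iam-simulate';
-import { Job } from '@cloud-copilot/job';
+import { type EvaluationResult, type RequestAnalysis } from '@cloud-copilot/iam-simulate';
+import type { Job } from '@cloud-copilot/job';
 import { IamCollectClient } from '../collect/client.js';
-import { S3AbacOverride } from '../utils/s3Abac.js';
-import { WhoCanAllowed } from './whoCan.js';
+import type { S3AbacOverride } from '../utils/s3Abac.js';
+import type { WhoCanAllowed } from './whoCan.js';
 export interface WhoCanWorkItem {
 resource: string | undefined;
 resourceAccount: string | undefined;
@@ -10,24 +10,69 @@ export interface WhoCanWorkItem {
 principal: string;
 }
 /**
-*
-* Contains either the allowed result or the deny analysis (but not both).
+* Execution result when the principal is allowed access.
 */
-export interface
+export interface AllowedWhoCanExecutionResult {
+type: 'allowed';
+workItem: WhoCanWorkItem;
+allowed: WhoCanAllowed;
+}
+/**
+* Execution result when the principal is denied access, without detailed analysis.
+*/
+export interface DeniedWhoCanExecutionResult {
+type: 'denied';
+workItem: WhoCanWorkItem;
+}
+/**
+* Execution result when the principal is denied access for a single resource pattern,
+* with detailed analysis included.
+*/
+export interface DeniedSingleWhoCanExecutionResult {
+type: 'denied_single';
+workItem: WhoCanWorkItem;
+analysis: RequestAnalysis;
+}
+/**
+* Details about a denied resource pattern, including the analysis for why it was denied.
+*/
+export interface WhoCanDenyResourceDetails {
 /**
-* The
+* The resource pattern that was tested.
 */
-
+pattern: string;
 /**
-* The
-* Only populated when collectDenyDetails is true.
+* The type of resource for the pattern.
 */
-
+resourceType: string;
 /**
-* The
+* The analysis explaining why the request was denied.
 */
+analysis: RequestAnalysis;
+}
+/**
+* Execution result when the principal is denied access for a wildcard resource,
+* with detailed analysis for each denied pattern.
+*/
+export interface DeniedWildcardWhoCanExecutionResult {
+type: 'denied_wildcard';
 workItem: WhoCanWorkItem;
+overallResult: EvaluationResult;
+deniedPatterns: WhoCanDenyResourceDetails[];
 }
+/**
+* The result of executing a whoCan work item.
+* Contains either the allowed result or the deny analysis (but not both).
+*/
+export type WhoCanExecutionResult = AllowedWhoCanExecutionResult | DeniedWhoCanExecutionResult | DeniedSingleWhoCanExecutionResult | DeniedWildcardWhoCanExecutionResult;
+/**
+* Union type for denied execution results that include detailed analysis.
+*/
+export type DeniedWhoCanExecutionResultWithDetails = DeniedSingleWhoCanExecutionResult | DeniedWildcardWhoCanExecutionResult;
+/**
+* The possible values for the `type` discriminator of a WhoCanExecutionResult.
+*/
+export type WhoCanExecutionResultType = WhoCanExecutionResult['type'];
 export declare function createJobForWhoCanWorkItem(workItem: WhoCanWorkItem, collectClient: IamCollectClient, whoCanOptions: WhoCanOptions): Job<WhoCanExecutionResult, Record<string, unknown>>;
 export interface WhoCanOptions {
 s3AbacOverride?: S3AbacOverride;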
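Review bot: The doc comment on WhoCanExecutionResult at new lines 64–66 still says the result "Contains either the allowed result or the deny analysis (but not both)", but the union it now describes includes DeniedWhoCanExecutionResult (lines 23–26), which carries neither; the sentence was carried over from the single pre-split interface. Suggest `* Exactly one variant applies: 'allowed' carries the WhoCanAllowed result, 'denied' carries no analysis, and the two denied_* variants carry the deny analysis.` The declarations are emitted from the TypeScript source, so the wording should be fixed there. The type-only import changes in the first hunk are fine as-is.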
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"WhoCanWorker.d.ts","sourceRoot":"","sources":["../../../src/whoCan/WhoCanWorker.ts"],"names":[],"mappings":"AACA,OAAO,
|
|
1
|
+
{"version":3,"file":"WhoCanWorker.d.ts","sourceRoot":"","sources":["../../../src/whoCan/WhoCanWorker.ts"],"names":[],"mappings":"AACA,OAAO,EACL,KAAK,gBAAgB,EACrB,KAAK,eAAe,EAErB,MAAM,6BAA6B,CAAA;AACpC,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,oBAAoB,CAAA;AAC7C,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAA;AAEvD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAA;AACxD,OAAO,KAAK,EAAE,aAAa,EAAgC,MAAM,aAAa,CAAA;AAE9E,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAA;IAC5B,eAAe,EAAE,MAAM,GAAG,SAAS,CAAA;IACnC,MAAM,EAAE,MAAM,CAAA;IACd,SAAS,EAAE,MAAM,CAAA;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,4BAA4B;IAC3C,IAAI,EAAE,SAAS,CAAA;IACf,QAAQ,EAAE,cAAc,CAAA;IACxB,OAAO,EAAE,aAAa,CAAA;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,2BAA2B;IAC1C,IAAI,EAAE,QAAQ,CAAA;IACd,QAAQ,EAAE,cAAc,CAAA;CACzB;AAED;;;GAGG;AACH,MAAM,WAAW,iCAAiC;IAChD,IAAI,EAAE,eAAe,CAAA;IACrB,QAAQ,EAAE,cAAc,CAAA;IACxB,QAAQ,EAAE,eAAe,CAAA;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC;;OAEG;IACH,OAAO,EAAE,MAAM,CAAA;IACf;;OAEG;IACH,YAAY,EAAE,MAAM,CAAA;IACpB;;OAEG;IACH,QAAQ,EAAE,eAAe,CAAA;CAC1B;AAED;;;GAGG;AACH,MAAM,WAAW,mCAAmC;IAClD,IAAI,EAAE,iBAAiB,CAAA;IACvB,QAAQ,EAAE,cAAc,CAAA;IACxB,aAAa,EAAE,gBAAgB,CAAA;IAC/B,cAAc,EAAE,yBAAyB,EAAE,CAAA;CAC5C;AAED;;;GAGG;AACH,MAAM,MAAM,qBAAqB,GAC7B,4BAA4B,GAC5B,2BAA2B,GAC3B,iCAAiC,GACjC,mCAAmC,CAAA;AAEvC;;GAEG;AACH,MAAM,MAAM,sCAAsC,GAC9C,iCAAiC,GACjC,mCAAmC,CAAA;AAEvC;;GAEG;AACH,MAAM,MAAM,yBAAyB,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAA;AAErE,wBAAgB,0BAA0B,CACxC,QAAQ,EAAE,cAAc,EACxB,aAAa,EAAE,gBAAgB,EAC/B,aAAa,EAAE,aAAa,GAC3B,GAAG,CAAC,qBAAqB,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAOrD;AAED,MAAM,WAAW,aAAa;IAC5B,cAAc,CAAC,EAAE,cAAc,CAAA;IAC/B,kBAAkB,CAAC,EAAE,OAAO,CAAA;CAC7B;AAED,wBAAsB,aAAa,CACjC,QAAQ,EAAE,cAAc,EACxB,aAAa,EAAE,gBAAgB,EAC/B,aAAa,EAAE,aAAa,GAC3B,OAAO,CAAC,qBAAqB,CAAC,CAsEhC"}
|
|
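--- a/package/dist/cjs/whoCan/WhoCanWorker.js
+++ b/package/dist/cjs/whoCan/WhoCanWorker.js
@@ -24,8 +24,13 @@ async function executeWhoCan(workItem, collectClient, whoCanOptions) {
 simulationMode: 'Discovery',
 s3AbacOverride: whoCanOptions.s3AbacOverride
 }, collectClient);
-if (discoveryResult
-
+if (discoveryResult.result.resultType === 'error') {
+// If discovery fails, we treat it as a denial without details (since we don't have analysis to share)
+throw new Error('Discovery simulation failed: ' + discoveryResult.result.errors);
+}
+const actionType = await getActionLevel(service, serviceAction);
+if (discoveryResult?.result.overallResult === 'Allowed') {
+const strictResult = await (0, simulate_js_1.simulateRequest)({
 principal,
 resourceArn: resource,
 resourceAccount,
@@ -34,40 +39,18 @@ async function executeWhoCan(workItem, collectClient, whoCanOptions) {
 simulationMode: 'Strict',
 s3AbacOverride: whoCanOptions.s3AbacOverride
 }, collectClient);
-if (result
-
-
-workItem,
-allowed: {
-principal,
-service,
-action: serviceAction,
-level: actionType.toLowerCase()
-}
-};
+if (strictResult.result.resultType === 'error') {
+// If discovery fails, we treat it as a denial without details (since we don't have analysis to share)
+throw new Error('Discovery simulation failed: ' + strictResult.result.errors);
 }
-
-
-return {
-workItem,
-allowed: {
-principal,
-service: service,
-action: serviceAction,
-level: actionType.toLowerCase(),
-conditions: discoveryResult?.result.analysis.ignoredConditions,
-dependsOnSessionName: discoveryResult?.result.analysis.ignoredRoleSessionName
-? true
-: undefined
-}
-};
+if (strictResult?.result.overallResult === 'Allowed') {
+return mapSimulationResultToWhoCanExecutionResult(workItem, service, serviceAction, actionType, strictResult.result, !!whoCanOptions.collectDenyDetails);
 }
 }
-
-
-
-
-};
+else {
+return mapSimulationResultToWhoCanExecutionResult(workItem, service, serviceAction, actionType, discoveryResult.result, !!whoCanOptions.collectDenyDetails);
+}
+return mapSimulationResultToWhoCanExecutionResult(workItem, service, serviceAction, actionType, discoveryResult.result, !!whoCanOptions.collectDenyDetails);
 }
 /**
 * Get the action level for a specific service action, will fail if the service or action does not exist.
@@ -80,4 +63,74 @@ async function getActionLevel(service, action) {
 const details = await (0, iam_data_1.iamActionDetails)(service, action);
 return details.accessLevel;
 }
+function mapSimulationResultToWhoCanExecutionResult(workItem, service, action, actionType, simulationResponse, collectDenyDetails) {
+const { principal } = workItem;
+if (simulationResponse.overallResult === 'Allowed') {
+// Build allowed result
+const allowed = {
+principal,
+service,
+action,
+level: actionType.toLowerCase()
+};
+if (simulationResponse.resultType === 'single') {
+const analysis = simulationResponse.result.analysis;
+allowed.conditions = analysis.ignoredConditions;
+allowed.dependsOnSessionName = analysis.ignoredRoleSessionName ? true : undefined;
+}
+else {
+// Wildcard result - collect allowed patterns
+const allowedPatterns = [];
+for (const r of simulationResponse.results) {
+if (r.analysis.result === 'Allowed') {
+allowedPatterns.push({
+pattern: r.resourcePattern,
+resourceType: r.resourceType,
+conditions: r.analysis.ignoredConditions,
+dependsOnSessionName: r.analysis.ignoredRoleSessionName ? true : undefined
+});
+}
+}
+if (allowedPatterns.length > 0) {
+allowed.allowedPatterns = allowedPatterns;
+}
+}
+return {
+type: 'allowed',
+workItem,
+allowed
+};
+}
+// Denied result
+if (!collectDenyDetails) {
+// If we don't need to collect deny details, we can return a simple denied result without analysis
+return {
+type: 'denied',
+workItem
+};
+}
+if (simulationResponse.resultType === 'single') {
+return {
+type: 'denied_single',
+workItem,
+analysis: simulationResponse.result.analysis
+};
+}
+else {
+// Wildcard denial - collect denied patterns
+const deniedPatterns = simulationResponse.results
+.filter((r) => r.analysis.result !== 'Allowed')
+.map((r) => ({
+pattern: r.resourcePattern,
+resourceType: r.resourceType,
+analysis: r.analysis
+}));
+return {
+type: 'denied_wildcard',
+overallResult: simulationResponse.overallResult,
+workItem,
+deniedPatterns
+};
+}
+}
 //# sourceMappingURL=WhoCanWorker.js.map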
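Review bot: The Strict-mode error branch (`if (strictResult.result.resultType === 'error')`) throws with the message `'Discovery simulation failed: '`, so an operator triaging a failure of the second, condition-aware simulation is pointed at the wrong phase, and the comment above both throws ("we treat it as a denial without details") contradicts the code, which rejects the whole work item instead of returning a `denied` result. Change the Strict branch to `throw new Error('Strict simulation failed: ' + strictResult.result.errors);` and reword both comments to `// A simulation error is surfaced as a rejected work item, not as a denial, so callers can tell the two apart`. If `errors` is an array of objects rather than strings, string concatenation renders it as `[object Object]`; `JSON.stringify(result.errors)` would keep the detail — verify against the error shape simulateRequest returns. The `else { return mapSimulationResultToWhoCanExecutionResult(..., discoveryResult.result, ...) }` branch is identical to the unconditional return that follows it, so the `else` can be dropped without changing behaviour, which also makes it clearer that a Strict denial deliberately falls back to the condition-ignoring Discovery result (an `allowed` entry with `conditions` populated). executeWhoCan starts before the first hunk.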
@@ -1 +1 @@
1
-
{"version":3,"file":"WhoCanWorker.js","sourceRoot":"","sources":["../../../src/whoCan/WhoCanWorker.ts"],"names":[],"mappings":";;
1
+
{"version":3,"file":"WhoCanWorker.js","sourceRoot":"","sources":["../../../src/whoCan/WhoCanWorker.ts"],"names":[],"mappings":";;AAiGA,gEAWC;AAOD,sCA0EC;AA7LD,sDAA0D;AAQ1D,yDAAyD;AAyFzD,SAAgB,0BAA0B,CACxC,QAAwB,EACxB,aAA+B,EAC/B,aAA4B;IAE5B,OAAO;QACL,UAAU,EAAE,EAAE;QACd,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE;YACzB,OAAO,aAAa,CAAC,QAAQ,EAAE,aAAa,EAAE,aAAa,CAAC,CAAA;QAC9D,CAAC;KACF,CAAA;AACH,CAAC;AAOM,KAAK,UAAU,aAAa,CACjC,QAAwB,EACxB,aAA+B,EAC/B,aAA4B;IAE5B,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,eAAe,EAAE,MAAM,EAAE,GAAG,QAAQ,CAAA;IACjE,MAAM,CAAC,OAAO,EAAE,aAAa,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAClD,MAAM,eAAe,GAAG,MAAM,IAAA,6BAAe,EAC3C;QACE,SAAS;QACT,WAAW,EAAE,QAAQ;QACrB,eAAe,EAAE,eAAe;QAChC,MAAM;QACN,iBAAiB,EAAE,EAAE;QACrB,cAAc,EAAE,WAAW;QAC3B,cAAc,EAAE,aAAa,CAAC,cAAc;KAC7C,EACD,aAAa,CACd,CAAA;IAED,IAAI,eAAe,CAAC,MAAM,CAAC,UAAU,KAAK,OAAO,EAAE,CAAC;QAClD,sGAAsG;QACtG,MAAM,IAAI,KAAK,CAAC,+BAA+B,GAAG,eAAe,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IAClF,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,cAAc,CAAC,OAAO,EAAE,aAAa,CAAC,CAAA;IAC/D,IAAI,eAAe,EAAE,MAAM,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;QACxD,MAAM,YAAY,GAAG,MAAM,IAAA,6BAAe,EACxC;YACE,SAAS;YACT,WAAW,EAAE,QAAQ;YACrB,eAAe;YACf,MAAM;YACN,iBAAiB,EAAE,EAAE;YACrB,cAAc,EAAE,QAAQ;YACxB,cAAc,EAAE,aAAa,CAAC,cAAc;SAC7C,EACD,aAAa,CACd,CAAA;QAED,IAAI,YAAY,CAAC,MAAM,CAAC,UAAU,KAAK,OAAO,EAAE,CAAC;YAC/C,sGAAsG;YACtG,MAAM,IAAI,KAAK,CAAC,+BAA+B,GAAG,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;QAC/E,CAAC;QAED,IAAI,YAAY,EAAE,MAAM,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;YACrD,OAAO,0CAA0C,CAC/C,QAAQ,EACR,OAAO,EACP,aAAa,EACb,UAAU,EACV,YAAY,CAAC,MAAM,EACnB,CAAC,CAAC,aAAa,CAAC,kBAAkB,CACnC,CAAA;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,OAAO,0CAA0C,CAC/C,QAAQ,EACR,OAAO,EACP,aAAa,EACb,UAAU,EACV,eAAe,CAAC,MAAM,EACtB,CAAC,CAAC,aAAa,CAAC,kBAAkB,CACnC,CAAA;IACH,CAAC;IAED,OAAO,0CAA0C,CAC/C,QAAQ,EACR,OAAO,EACP,aAAa,EACb,UAAU,EACV,eAAe,CAAC,MAAM,EACtB,CAAC,CAAC,aAAa,CAAC,kBAAkB,CACnC,CAAA;AACH,CAAC;AAED;;;;;;GAMG;AACH,KAAK,UAAU,cAAc,CAAC,OAAe,EAAE,MAAc;IAC3D,MAAM,OAAO,GAAG,MAAM,IAAA,2BAAgB,EAAC,OAAO,EAAE,MAAM,
CAAC,CAAA;IACvD,OAAO,OAAO,CAAC,WAAW,CAAA;AAC5B,CAAC;AAED,SAAS,0CAA0C,CACjD,QAAwB,EACxB,OAAe,EACf,MAAc,EACd,UAAkB,EAClB,kBAAkD,EAClD,kBAA2B;IAE3B,MAAM,EAAE,SAAS,EAAE,GAAG,QAAQ,CAAA;IAE9B,IAAI,kBAAkB,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;QACnD,uBAAuB;QACvB,MAAM,OAAO,GAAkB;YAC7B,SAAS;YACT,OAAO;YACP,MAAM;YACN,KAAK,EAAE,UAAU,CAAC,WAAW,EAAE;SAChC,CAAA;QAED,IAAI,kBAAkB,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;YAC/C,MAAM,QAAQ,GAAG,kBAAkB,CAAC,MAAM,CAAC,QAAQ,CAAA;YACnD,OAAO,CAAC,UAAU,GAAG,QAAQ,CAAC,iBAAiB,CAAA;YAC/C,OAAO,CAAC,oBAAoB,GAAG,QAAQ,CAAC,sBAAsB,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAA;QACnF,CAAC;aAAM,CAAC;YACN,6CAA6C;YAC7C,MAAM,eAAe,GAAmC,EAAE,CAAA;YAC1D,KAAK,MAAM,CAAC,IAAI,kBAAkB,CAAC,OAAO,EAAE,CAAC;gBAC3C,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;oBACpC,eAAe,CAAC,IAAI,CAAC;wBACnB,OAAO,EAAE,CAAC,CAAC,eAAe;wBAC1B,YAAY,EAAE,CAAC,CAAC,YAAY;wBAC5B,UAAU,EAAE,CAAC,CAAC,QAAQ,CAAC,iBAAiB;wBACxC,oBAAoB,EAAE,CAAC,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;qBAC3E,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;YACD,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC/B,OAAO,CAAC,eAAe,GAAG,eAAe,CAAA;YAC3C,CAAC;QACH,CAAC;QAED,OAAO;YACL,IAAI,EAAE,SAAS;YACf,QAAQ;YACR,OAAO;SACR,CAAA;IACH,CAAC;IAED,gBAAgB;IAChB,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACxB,kGAAkG;QAClG,OAAO;YACL,IAAI,EAAE,QAAQ;YACd,QAAQ;SACT,CAAA;IACH,CAAC;IAED,IAAI,kBAAkB,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;QAC/C,OAAO;YACL,IAAI,EAAE,eAAe;YACrB,QAAQ;YACR,QAAQ,EAAE,kBAAkB,CAAC,MAAM,CAAC,QAAQ;SAC7C,CAAA;IACH,CAAC;SAAM,CAAC;QACN,4CAA4C;QAC5C,MAAM,cAAc,GAAgC,kBAAkB,CAAC,OAAO;aAC3E,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,KAAK,SAAS,CAAC;aAC9C,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACX,OAAO,EAAE,CAAC,CAAC,eAAe;YAC1B,YAAY,EAAE,CAAC,CAAC,YAAY;YAC5B,QAAQ,EAAE,CAAC,CAAC,QAAQ;SACrB,CAAC,CAAC,CAAA;QAEL,OAAO;YACL,IAAI,EAAE,iBAAiB;YACvB,aAAa,EAAE,kBAAkB,CAAC,aAAa;YAC/C,QAAQ;YACR,cAAc;SACf,CAAA;IACH,CAAC;AACH,CAAC"}
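--- a/package/dist/cjs/whoCan/WhoCanWorkerThreadWorker.js
+++ b/package/dist/cjs/whoCan/WhoCanWorkerThreadWorker.js
@@ -1,6 +1,5 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-const iam_simulate_1 = require("@cloud-copilot/iam-simulate");
 const worker_threads_1 = require("worker_threads");
 const collect_js_1 = require("../collect/collect.js");
 const JobRunner_js_1 = require("../workers/JobRunner.js");
@@ -60,7 +59,7 @@ const jobRunner = new JobRunner_js_1.PullBasedJobRunner(concurrency, async (work
 }, async (result) => {
 if (result.status === 'fulfilled') {
 const executionResult = result.value;
-if (executionResult.allowed) {
+if (executionResult.type === 'allowed') {
 // Allowed - send result back to main thread
 worker_threads_1.parentPort.postMessage({
 type: 'result',
@@ -72,9 +71,19 @@ const jobRunner = new JobRunner_js_1.PullBasedJobRunner(concurrency, async (work
 });
 }
 else {
-//
-
-
+// Post this so that we can count the completed simulation in the main thread.
+worker_threads_1.parentPort.postMessage({
+type: 'result',
+result: {
+status: 'fulfilled',
+value: undefined,
+properties: result.properties
+}
+});
+// Check if we should include deny details
+const hasDetails = executionResult.type === 'denied_single' || executionResult.type === 'denied_wildcard';
+if (collectDenyDetails && hasDetails) {
+const lightAnalysis = (0, requestAnalysis_js_1.toLightRequestAnalysis)(executionResult);
 const checkId = denyDetailsCheckId++;
 // Send check request to main thread
 worker_threads_1.parentPort.postMessage({
@@ -89,17 +98,9 @@ const jobRunner = new JobRunner_js_1.PullBasedJobRunner(concurrency, async (work
 });
 if (shouldInclude) {
 // Get full denial reasons and send to main thread
-const denialReasons = (0, iam_simulate_1.getDenialReasons)(executionResult.denyAnalysis);
-const { workItem } = executionResult;
-const [service, action] = workItem.action.split(':');
 worker_threads_1.parentPort.postMessage({
 type: 'denyDetailsResult',
-denyDetail:
-principal: workItem.principal,
-service,
-action,
-details: denialReasons
-}
+denyDetail: (0, requestAnalysis_js_1.convertToDenialDetails)(executionResult)
 });
 }
 }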
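Review bot: The completion message (`type: 'result'` with `value: undefined`) is now posted before the deny-details handshake, so the main thread can count this work item as finished while the callback is still awaiting `shouldInclude` and has not yet posted `denyDetailsResult`; if the main thread finalises its report or terminates workers once every counted result has arrived (its side is not visible here), the last denial details of a run can be silently dropped, which for a who-can tool means a missing deny explanation rather than a crash. Either move the counting `postMessage` after the `if (collectDenyDetails && hasDetails)` block, or have the main thread track outstanding `checkId`s and wait for them before finalising. If the current order is intentional, say so in place of the existing comment, e.g. `// Counted first on purpose: the deny-details exchange below is best-effort and must not block completion`. The runner callback continues past the last hunk.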
@@ -1 +1 @@
1
-
{"version":3,"file":"WhoCanWorkerThreadWorker.js","sourceRoot":"","sources":["../../../src/whoCan/WhoCanWorkerThreadWorker.ts"],"names":[],"mappings":";;AAEA,
1
+
{"version":3,"file":"WhoCanWorkerThreadWorker.js","sourceRoot":"","sources":["../../../src/whoCan/WhoCanWorkerThreadWorker.ts"],"names":[],"mappings":";;AAEA,mDAAuD;AACvD,sDAAwD;AAExD,0DAA4D;AAC5D,gGAAyF;AACzF,6DAAqF;AACrF,uDAAwF;AAExF,IAAI,CAAC,2BAAU,EAAE,CAAC;IAChB,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAA;AACnD,CAAC;AAED,kCAAkC;AAClC,MAAM,EAAE,WAAW,EAAE,cAAc,EAAE,SAAS,EAAE,cAAc,EAAE,kBAAkB,EAAE,GAClF,2BAMC,CAAA;AAEH,MAAM,YAAY,GAAuC,EAAE,CAAA;AAE3D,oEAAoE;AACpE,IAAI,kBAAkB,GAAG,CAAC,CAAA;AAC1B,MAAM,wBAAwB,GAAqD,EAAE,CAAA;AAErF,2BAAU,CAAC,EAAE,CAAC,SAAS,EAAE,CAAC,GAAG,EAAE,EAAE;IAC/B,IAAI,GAAG,CAAC,IAAI,KAAK,MAAM,IAAI,GAAG,CAAC,QAAQ,IAAI,YAAY,EAAE,CAAC;QACxD,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;QACpC,OAAO,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;IACnC,CAAC;SAAM,IAAI,GAAG,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;QACxC,SAAS,CAAC,mBAAmB,EAAE,CAAA;IACjC,CAAC;SAAM,IAAI,GAAG,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QACrC,SAAS,CAAC,aAAa,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE;YAClC,2BAAW,CAAC,WAAW,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,CAAA;QAC/C,CAAC,CAAC,CAAA;IACJ,CAAC;SAAM,IAAI,GAAG,CAAC,IAAI,KAAK,wBAAwB,EAAE,CAAC;QACjD,yEAAyE;QACzE,MAAM,OAAO,GAAG,GAAG,CAAC,OAAiB,CAAA;QACrC,MAAM,SAAS,GAAG,wBAAwB,CAAC,OAAO,CAAC,CAAA;QACnD,IAAI,SAAS,EAAE,CAAC;YACd,SAAS,CAAC,GAAG,CAAC,aAAa,CAAC,CAAA;YAC5B,OAAO,wBAAwB,CAAC,OAAO,CAAC,CAAA;QAC1C,CAAC;IACH,CAAC;AACH,CAAC,CAAC,CAAA;AAEF,MAAM,aAAa,GAAG,IAAA,6BAAgB,EAAC,cAAc,EAAE,SAAS,EAAE;IAChE,aAAa,EAAE,IAAI,8DAA4B,CAAC,2BAAU,CAAC;CAC5D,CAAC,CAAA;AAEF,MAAM,SAAS,GAAG,IAAI,iCAAkB,CAKtC,WAAW,EACX,KAAK,EAAE,QAAQ,EAAE,EAAE;IACjB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,2BAAW,CAAC,WAAW,CAAC,EAAE,IAAI,EAAE,aAAa,EAAE,QAAQ,EAAE,CAAC,CAAA;QAC1D,YAAY,CAAC,QAAQ,CAAC,GAAG,OAAO,CAAA;IAClC,CAAC,CAAC,CAAA;AACJ,CAAC,EACD,CAAC,WAAW,EAAE,EAAE;IACd,OAAO;QACL,UAAU,EAAE,EAAE;QACd,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE;YACzB,OAAO,IAAA,+BAAa,EAAC,WAAW,EAAE,aAAa,EAAE;gBAC/C,cAAc;gBACd,kBAAkB;aACnB,CAAC,CAAA;QACJ,CAAC;KACF,CAAA;AACH,CAAC,EACD,KAAK,EAAE,MAAM,EAAE,EAAE;IACf,IAAI,MAAM,CAAC,MAAM
,KAAK,WAAW,EAAE,CAAC;QAClC,MAAM,eAAe,GAAG,MAAM,CAAC,KAAK,CAAA;QAEpC,IAAI,eAAe,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YACvC,4CAA4C;YAC5C,2BAAW,CAAC,WAAW,CAAC;gBACtB,IAAI,EAAE,QAAQ;gBACd,MAAM,EAAE;oBACN,MAAM,EAAE,WAAW;oBACnB,KAAK,EAAE,eAAe,CAAC,OAAO;oBAC9B,UAAU,EAAE,MAAM,CAAC,UAAU;iBAC9B;aACF,CAAC,CAAA;QACJ,CAAC;aAAM,CAAC;YACN,8EAA8E;YAC9E,2BAAW,CAAC,WAAW,CAAC;gBACtB,IAAI,EAAE,QAAQ;gBACd,MAAM,EAAE;oBACN,MAAM,EAAE,WAAW;oBACnB,KAAK,EAAE,SAAS;oBAChB,UAAU,EAAE,MAAM,CAAC,UAAU;iBAC9B;aACF,CAAC,CAAA;YAEF,0CAA0C;YAC1C,MAAM,UAAU,GACd,eAAe,CAAC,IAAI,KAAK,eAAe,IAAI,eAAe,CAAC,IAAI,KAAK,iBAAiB,CAAA;YAExF,IAAI,kBAAkB,IAAI,UAAU,EAAE,CAAC;gBACrC,MAAM,aAAa,GAAG,IAAA,2CAAsB,EAAC,eAAe,CAAC,CAAA;gBAC7D,MAAM,OAAO,GAAG,kBAAkB,EAAE,CAAA;gBAEpC,oCAAoC;gBACpC,2BAAW,CAAC,WAAW,CAAC;oBACtB,IAAI,EAAE,kBAAkB;oBACxB,OAAO;oBACP,QAAQ,EAAE,eAAe,CAAC,QAAQ;oBAClC,aAAa;iBACd,CAAC,CAAA;gBAEF,qCAAqC;gBACrC,MAAM,aAAa,GAAG,MAAM,IAAI,OAAO,CAAU,CAAC,OAAO,EAAE,EAAE;oBAC3D,wBAAwB,CAAC,OAAO,CAAC,GAAG,OAAO,CAAA;gBAC7C,CAAC,CAAC,CAAA;gBAEF,IAAI,aAAa,EAAE,CAAC;oBAClB,kDAAkD;oBAClD,2BAAW,CAAC,WAAW,CAAC;wBACtB,IAAI,EAAE,mBAAmB;wBACzB,UAAU,EAAE,IAAA,2CAAsB,EAAC,eAAe,CAAC;qBACpD,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,4BAA4B;QAC5B,2BAAW,CAAC,WAAW,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAA;IACrD,CAAC;AACH,CAAC,CACF,CAAA"}