@cloud-copilot/iam-lens 0.1.83 → 0.1.85
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +5 -0
- package/dist/cjs/cli.js +3 -3
- package/dist/cjs/cli.js.map +1 -1
- package/dist/cjs/principalCan/resources/statements.d.ts.map +1 -1
- package/dist/cjs/principalCan/resources/statements.js +6 -2
- package/dist/cjs/principalCan/resources/statements.js.map +1 -1
- package/dist/cjs/resources.d.ts.map +1 -1
- package/dist/cjs/resources.js +3 -0
- package/dist/cjs/resources.js.map +1 -1
- package/dist/cjs/simulate/simulate.d.ts +1 -1
- package/dist/cjs/whoCan/WhoCanMainThreadWorker.d.ts.map +1 -1
- package/dist/cjs/whoCan/WhoCanMainThreadWorker.js +9 -15
- package/dist/cjs/whoCan/WhoCanMainThreadWorker.js.map +1 -1
- package/dist/cjs/whoCan/WhoCanWorker.d.ts +58 -13
- package/dist/cjs/whoCan/WhoCanWorker.d.ts.map +1 -1
- package/dist/cjs/whoCan/WhoCanWorker.js +86 -33
- package/dist/cjs/whoCan/WhoCanWorker.js.map +1 -1
- package/dist/cjs/whoCan/WhoCanWorkerThreadWorker.js +15 -14
- package/dist/cjs/whoCan/WhoCanWorkerThreadWorker.js.map +1 -1
- package/dist/cjs/whoCan/requestAnalysis.d.ts +59 -9
- package/dist/cjs/whoCan/requestAnalysis.d.ts.map +1 -1
- package/dist/cjs/whoCan/requestAnalysis.js +63 -4
- package/dist/cjs/whoCan/requestAnalysis.js.map +1 -1
- package/dist/cjs/whoCan/whoCan.d.ts +90 -1
- package/dist/cjs/whoCan/whoCan.d.ts.map +1 -1
- package/dist/cjs/whoCan/whoCan.js +6 -6
- package/dist/cjs/whoCan/whoCan.js.map +1 -1
- package/dist/esm/cli.js +3 -3
- package/dist/esm/cli.js.map +1 -1
- package/dist/esm/principalCan/resources/statements.d.ts.map +1 -1
- package/dist/esm/principalCan/resources/statements.js +6 -2
- package/dist/esm/principalCan/resources/statements.js.map +1 -1
- package/dist/esm/resources.d.ts.map +1 -1
- package/dist/esm/resources.js +3 -0
- package/dist/esm/resources.js.map +1 -1
- package/dist/esm/simulate/simulate.d.ts +1 -1
- package/dist/esm/whoCan/WhoCanMainThreadWorker.d.ts.map +1 -1
- package/dist/esm/whoCan/WhoCanMainThreadWorker.js +10 -16
- package/dist/esm/whoCan/WhoCanMainThreadWorker.js.map +1 -1
- package/dist/esm/whoCan/WhoCanWorker.d.ts +58 -13
- package/dist/esm/whoCan/WhoCanWorker.d.ts.map +1 -1
- package/dist/esm/whoCan/WhoCanWorker.js +86 -33
- package/dist/esm/whoCan/WhoCanWorker.js.map +1 -1
- package/dist/esm/whoCan/WhoCanWorkerThreadWorker.js +16 -15
- package/dist/esm/whoCan/WhoCanWorkerThreadWorker.js.map +1 -1
- package/dist/esm/whoCan/requestAnalysis.d.ts +59 -9
- package/dist/esm/whoCan/requestAnalysis.d.ts.map +1 -1
- package/dist/esm/whoCan/requestAnalysis.js +62 -4
- package/dist/esm/whoCan/requestAnalysis.js.map +1 -1
- package/dist/esm/whoCan/whoCan.d.ts +90 -1
- package/dist/esm/whoCan/whoCan.d.ts.map +1 -1
- package/dist/esm/whoCan/whoCan.js +6 -6
- package/dist/esm/whoCan/whoCan.js.map +1 -1
- package/package.json +2 -2
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"WhoCanMainThreadWorker.js","sourceRoot":"","sources":["../../../src/whoCan/WhoCanMainThreadWorker.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"WhoCanMainThreadWorker.js","sourceRoot":"","sources":["../../../src/whoCan/WhoCanMainThreadWorker.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAA;AAE5D,OAAO,EACL,sBAAsB,EAEtB,sBAAsB,EACvB,MAAM,sBAAsB,CAAA;AAE7B,OAAO,EACL,0BAA0B,EAG3B,MAAM,mBAAmB,CAAA;AAE1B,MAAM,UAAU,kCAAkC,CAChD,KAAmF,EACnF,aAA+B,EAC/B,cAA0C,EAC1C,UAA2F,EAC3F,mBAAgE,EAChE,YAAiD;IAEjD,MAAM,kBAAkB,GAAG,CAAC,CAAC,mBAAmB,CAAA;IAEhD,OAAO,IAAI,kBAAkB,CAC3B,EAAE,EACF,KAAK,IAAI,EAAE;QACT,OAAO,KAAK,CAAC,OAAO,EAAE,CAAA;IACxB,CAAC,EACD,CAAC,QAAQ,EAAE,EAAE;QACX,OAAO,0BAA0B,CAAC,QAAQ,EAAE,aAAa,EAAE;YACzD,cAAc;YACd,kBAAkB;SACnB,CAAC,CAAA;IACJ,CAAC,EACD,KAAK,EAAE,MAAM,EAAE,EAAE;QACf,IAAI,MAAM,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;YAClC,MAAM,eAAe,GAAG,MAAM,CAAC,KAAK,CAAA;YACpC,IAAI,eAAe,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBACvC,sDAAsD;gBACtD,UAAU,CAAC;oBACT,MAAM,EAAE,WAAW;oBACnB,KAAK,EAAE,eAAe,CAAC,OAAO;oBAC9B,UAAU,EAAE,MAAM,CAAC,UAAU;iBAC9B,CAAC,CAAA;YACJ,CAAC;iBAAM,CAAC;gBACN,wBAAwB;gBACxB,UAAU,CAAC;oBACT,MAAM,EAAE,WAAW;oBACnB,KAAK,EAAE,SAAS;oBAChB,UAAU,EAAE,MAAM,CAAC,UAAU;iBAC9B,CAAC,CAAA;gBAEF,0CAA0C;gBAC1C,IAAI,mBAAmB,IAAI,YAAY,EAAE,CAAC;oBACxC,MAAM,UAAU,GACd,eAAe,CAAC,IAAI,KAAK,eAAe,IAAI,eAAe,CAAC,IAAI,KAAK,iBAAiB,CAAA;oBAExF,IAAI,UAAU,EAAE,CAAC;wBACf,MAAM,aAAa,GAAG,sBAAsB,CAAC,eAAe,CAAC,CAAA;wBAC7D,MAAM,aAAa,GAAG,mBAAmB,CAAC,aAAa,CAAC,CAAA;wBAExD,IAAI,aAAa,EAAE,CAAC;4BAClB,YAAY,CAAC,sBAAsB,CAAC,eAAe,CAAC,CAAC,CAAA;wBACvD,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,wCAAwC;YACxC,UAAU,CAAC;gBACT,MAAM,EAAE,UAAU;gBAClB,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,UAAU,EAAE,MAAM,CAAC,UAAU;aAC9B,CAAC,CAAA;QACJ,CAAC;IACH,CAAC,CACF,CAAA;AACH,CAAC"}
|
|
@@ -1,8 +1,8 @@
|
|
|
1
|
-
import { RequestAnalysis } from '@cloud-copilot/iam-simulate';
|
|
2
|
-
import { Job } from '@cloud-copilot/job';
|
|
1
|
+
import { type EvaluationResult, type RequestAnalysis } from '@cloud-copilot/iam-simulate';
|
|
2
|
+
import type { Job } from '@cloud-copilot/job';
|
|
3
3
|
import { IamCollectClient } from '../collect/client.js';
|
|
4
|
-
import { S3AbacOverride } from '../utils/s3Abac.js';
|
|
5
|
-
import { WhoCanAllowed } from './whoCan.js';
|
|
4
|
+
import type { S3AbacOverride } from '../utils/s3Abac.js';
|
|
5
|
+
import type { WhoCanAllowed } from './whoCan.js';
|
|
6
6
|
export interface WhoCanWorkItem {
|
|
7
7
|
resource: string | undefined;
|
|
8
8
|
resourceAccount: string | undefined;
|
|
@@ -10,24 +10,69 @@ export interface WhoCanWorkItem {
|
|
|
10
10
|
principal: string;
|
|
11
11
|
}
|
|
12
12
|
/**
|
|
13
|
-
*
|
|
14
|
-
* Contains either the allowed result or the deny analysis (but not both).
|
|
13
|
+
* Execution result when the principal is allowed access.
|
|
15
14
|
*/
|
|
16
|
-
export interface
|
|
15
|
+
export interface AllowedWhoCanExecutionResult {
|
|
16
|
+
type: 'allowed';
|
|
17
|
+
workItem: WhoCanWorkItem;
|
|
18
|
+
allowed: WhoCanAllowed;
|
|
19
|
+
}
|
|
20
|
+
/**
|
|
21
|
+
* Execution result when the principal is denied access, without detailed analysis.
|
|
22
|
+
*/
|
|
23
|
+
export interface DeniedWhoCanExecutionResult {
|
|
24
|
+
type: 'denied';
|
|
25
|
+
workItem: WhoCanWorkItem;
|
|
26
|
+
}
|
|
27
|
+
/**
|
|
28
|
+
* Execution result when the principal is denied access for a single resource pattern,
|
|
29
|
+
* with detailed analysis included.
|
|
30
|
+
*/
|
|
31
|
+
export interface DeniedSingleWhoCanExecutionResult {
|
|
32
|
+
type: 'denied_single';
|
|
33
|
+
workItem: WhoCanWorkItem;
|
|
34
|
+
analysis: RequestAnalysis;
|
|
35
|
+
}
|
|
36
|
+
/**
|
|
37
|
+
* Details about a denied resource pattern, including the analysis for why it was denied.
|
|
38
|
+
*/
|
|
39
|
+
export interface WhoCanDenyResourceDetails {
|
|
17
40
|
/**
|
|
18
|
-
* The
|
|
41
|
+
* The resource pattern that was tested.
|
|
19
42
|
*/
|
|
20
|
-
|
|
43
|
+
pattern: string;
|
|
21
44
|
/**
|
|
22
|
-
* The
|
|
23
|
-
* Only populated when collectDenyDetails is true.
|
|
45
|
+
* The type of resource for the pattern.
|
|
24
46
|
*/
|
|
25
|
-
|
|
47
|
+
resourceType: string;
|
|
26
48
|
/**
|
|
27
|
-
* The
|
|
49
|
+
* The analysis explaining why the request was denied.
|
|
28
50
|
*/
|
|
51
|
+
analysis: RequestAnalysis;
|
|
52
|
+
}
|
|
53
|
+
/**
|
|
54
|
+
* Execution result when the principal is denied access for a wildcard resource,
|
|
55
|
+
* with detailed analysis for each denied pattern.
|
|
56
|
+
*/
|
|
57
|
+
export interface DeniedWildcardWhoCanExecutionResult {
|
|
58
|
+
type: 'denied_wildcard';
|
|
29
59
|
workItem: WhoCanWorkItem;
|
|
60
|
+
overallResult: EvaluationResult;
|
|
61
|
+
deniedPatterns: WhoCanDenyResourceDetails[];
|
|
30
62
|
}
|
|
63
|
+
/**
|
|
64
|
+
* The result of executing a whoCan work item.
|
|
65
|
+
* Contains either the allowed result or the deny analysis (but not both).
|
|
66
|
+
*/
|
|
67
|
+
export type WhoCanExecutionResult = AllowedWhoCanExecutionResult | DeniedWhoCanExecutionResult | DeniedSingleWhoCanExecutionResult | DeniedWildcardWhoCanExecutionResult;
|
|
68
|
+
/**
|
|
69
|
+
* Union type for denied execution results that include detailed analysis.
|
|
70
|
+
*/
|
|
71
|
+
export type DeniedWhoCanExecutionResultWithDetails = DeniedSingleWhoCanExecutionResult | DeniedWildcardWhoCanExecutionResult;
|
|
72
|
+
/**
|
|
73
|
+
* The possible values for the `type` discriminator of a WhoCanExecutionResult.
|
|
74
|
+
*/
|
|
75
|
+
export type WhoCanExecutionResultType = WhoCanExecutionResult['type'];
|
|
31
76
|
export declare function createJobForWhoCanWorkItem(workItem: WhoCanWorkItem, collectClient: IamCollectClient, whoCanOptions: WhoCanOptions): Job<WhoCanExecutionResult, Record<string, unknown>>;
|
|
32
77
|
export interface WhoCanOptions {
|
|
33
78
|
s3AbacOverride?: S3AbacOverride;
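Review bot: The JSDoc on `WhoCanExecutionResult` still says it "Contains either the allowed result or the deny analysis (but not both)", but the new union has four members discriminated on `type`, and one of them (`DeniedWhoCanExecutionResult`) carries no analysis at all, so the sentence no longer describes the shape. Replace it with `* The result of executing a whoCan work item, discriminated on \`type\`: 'allowed' carries the allowed result, 'denied' carries only the work item, and 'denied_single' / 'denied_wildcard' carry the deny analysis.` `DeniedSingleWhoCanExecutionResult` also lacks the `overallResult` field that `DeniedWildcardWhoCanExecutionResult` has; if that is deliberate because `analysis.result` already holds it, a one-line comment on the interface would save readers the guess. These are generated declarations, so the edit belongs in `src/whoCan/WhoCanWorker.ts` (the path named by the adjacent source map).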
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"WhoCanWorker.d.ts","sourceRoot":"","sources":["../../../src/whoCan/WhoCanWorker.ts"],"names":[],"mappings":"AACA,OAAO,
|
|
1
|
+
{"version":3,"file":"WhoCanWorker.d.ts","sourceRoot":"","sources":["../../../src/whoCan/WhoCanWorker.ts"],"names":[],"mappings":"AACA,OAAO,EACL,KAAK,gBAAgB,EACrB,KAAK,eAAe,EAErB,MAAM,6BAA6B,CAAA;AACpC,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,oBAAoB,CAAA;AAC7C,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAA;AAEvD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAA;AACxD,OAAO,KAAK,EAAE,aAAa,EAAgC,MAAM,aAAa,CAAA;AAE9E,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAA;IAC5B,eAAe,EAAE,MAAM,GAAG,SAAS,CAAA;IACnC,MAAM,EAAE,MAAM,CAAA;IACd,SAAS,EAAE,MAAM,CAAA;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,4BAA4B;IAC3C,IAAI,EAAE,SAAS,CAAA;IACf,QAAQ,EAAE,cAAc,CAAA;IACxB,OAAO,EAAE,aAAa,CAAA;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,2BAA2B;IAC1C,IAAI,EAAE,QAAQ,CAAA;IACd,QAAQ,EAAE,cAAc,CAAA;CACzB;AAED;;;GAGG;AACH,MAAM,WAAW,iCAAiC;IAChD,IAAI,EAAE,eAAe,CAAA;IACrB,QAAQ,EAAE,cAAc,CAAA;IACxB,QAAQ,EAAE,eAAe,CAAA;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC;;OAEG;IACH,OAAO,EAAE,MAAM,CAAA;IACf;;OAEG;IACH,YAAY,EAAE,MAAM,CAAA;IACpB;;OAEG;IACH,QAAQ,EAAE,eAAe,CAAA;CAC1B;AAED;;;GAGG;AACH,MAAM,WAAW,mCAAmC;IAClD,IAAI,EAAE,iBAAiB,CAAA;IACvB,QAAQ,EAAE,cAAc,CAAA;IACxB,aAAa,EAAE,gBAAgB,CAAA;IAC/B,cAAc,EAAE,yBAAyB,EAAE,CAAA;CAC5C;AAED;;;GAGG;AACH,MAAM,MAAM,qBAAqB,GAC7B,4BAA4B,GAC5B,2BAA2B,GAC3B,iCAAiC,GACjC,mCAAmC,CAAA;AAEvC;;GAEG;AACH,MAAM,MAAM,sCAAsC,GAC9C,iCAAiC,GACjC,mCAAmC,CAAA;AAEvC;;GAEG;AACH,MAAM,MAAM,yBAAyB,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAA;AAErE,wBAAgB,0BAA0B,CACxC,QAAQ,EAAE,cAAc,EACxB,aAAa,EAAE,gBAAgB,EAC/B,aAAa,EAAE,aAAa,GAC3B,GAAG,CAAC,qBAAqB,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAOrD;AAED,MAAM,WAAW,aAAa;IAC5B,cAAc,CAAC,EAAE,cAAc,CAAA;IAC/B,kBAAkB,CAAC,EAAE,OAAO,CAAA;CAC7B;AAED,wBAAsB,aAAa,CACjC,QAAQ,EAAE,cAAc,EACxB,aAAa,EAAE,gBAAgB,EAC/B,aAAa,EAAE,aAAa,GAC3B,OAAO,CAAC,qBAAqB,CAAC,CAsEhC"}
|
|
@@ -20,8 +20,13 @@ export async function executeWhoCan(workItem, collectClient, whoCanOptions) {
|
|
|
20
20
|
simulationMode: 'Discovery',
|
|
21
21
|
s3AbacOverride: whoCanOptions.s3AbacOverride
|
|
22
22
|
}, collectClient);
|
|
23
|
-
if (discoveryResult
|
|
24
|
-
|
|
23
|
+
if (discoveryResult.result.resultType === 'error') {
|
|
24
|
+
// If discovery fails, we treat it as a denial without details (since we don't have analysis to share)
|
|
25
|
+
throw new Error('Discovery simulation failed: ' + discoveryResult.result.errors);
|
|
26
|
+
}
|
|
27
|
+
const actionType = await getActionLevel(service, serviceAction);
|
|
28
|
+
if (discoveryResult?.result.overallResult === 'Allowed') {
|
|
29
|
+
const strictResult = await simulateRequest({
|
|
25
30
|
principal,
|
|
26
31
|
resourceArn: resource,
|
|
27
32
|
resourceAccount,
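Review bot: The comment on the new `resultType === 'error'` branch says a failed discovery is "treated as a denial without details", but the line under it throws, so the job rejects instead of producing a `denied` result; one of the two should change. If throwing is intended, replace the comment with `// A failed discovery simulation is unrecoverable here; surface it as a rejected job rather than a silent denial`, and if the comment is right, return `{ type: 'denied', workItem }` instead. The same comment and the `'Discovery simulation failed: '` prefix are copied into the strict-mode branch in the next hunk. On the following line `discoveryResult?.result.overallResult` uses optional chaining after `discoveryResult.result.resultType` has already dereferenced the value unguarded, so the `?.` only obscures intent and should be dropped (the same applies to `strictResult?.result` in the next hunk). `executeWhoCan` starts and ends outside this hunk.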
|
|
@@ -30,40 +35,18 @@ export async function executeWhoCan(workItem, collectClient, whoCanOptions) {
|
|
|
30
35
|
simulationMode: 'Strict',
|
|
31
36
|
s3AbacOverride: whoCanOptions.s3AbacOverride
|
|
32
37
|
}, collectClient);
|
|
33
|
-
if (result
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
workItem,
|
|
37
|
-
allowed: {
|
|
38
|
-
principal,
|
|
39
|
-
service,
|
|
40
|
-
action: serviceAction,
|
|
41
|
-
level: actionType.toLowerCase()
|
|
42
|
-
}
|
|
43
|
-
};
|
|
38
|
+
if (strictResult.result.resultType === 'error') {
|
|
39
|
+
// If discovery fails, we treat it as a denial without details (since we don't have analysis to share)
|
|
40
|
+
throw new Error('Discovery simulation failed: ' + strictResult.result.errors);
|
|
44
41
|
}
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
return {
|
|
48
|
-
workItem,
|
|
49
|
-
allowed: {
|
|
50
|
-
principal,
|
|
51
|
-
service: service,
|
|
52
|
-
action: serviceAction,
|
|
53
|
-
level: actionType.toLowerCase(),
|
|
54
|
-
conditions: discoveryResult?.result.analysis.ignoredConditions,
|
|
55
|
-
dependsOnSessionName: discoveryResult?.result.analysis.ignoredRoleSessionName
|
|
56
|
-
? true
|
|
57
|
-
: undefined
|
|
58
|
-
}
|
|
59
|
-
};
|
|
42
|
+
if (strictResult?.result.overallResult === 'Allowed') {
|
|
43
|
+
return mapSimulationResultToWhoCanExecutionResult(workItem, service, serviceAction, actionType, strictResult.result, !!whoCanOptions.collectDenyDetails);
|
|
60
44
|
}
|
|
61
45
|
}
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
};
|
|
46
|
+
else {
|
|
47
|
+
return mapSimulationResultToWhoCanExecutionResult(workItem, service, serviceAction, actionType, discoveryResult.result, !!whoCanOptions.collectDenyDetails);
|
|
48
|
+
}
|
|
49
|
+
return mapSimulationResultToWhoCanExecutionResult(workItem, service, serviceAction, actionType, discoveryResult.result, !!whoCanOptions.collectDenyDetails);
|
|
67
50
|
}
|
|
68
51
|
/**
|
|
69
52
|
* Get the action level for a specific service action, will fail if the service or action does not exist.
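Review bot: The strict-mode error branch throws `'Discovery simulation failed: '` although the call that failed is the `simulationMode: 'Strict'` request at the top of the hunk, so the message names the wrong stage; use `throw new Error('Strict simulation failed: ' + strictResult.result.errors);` and fix the copied `// If discovery fails` comment above it. The `else` block and the `return` that follows it both call `mapSimulationResultToWhoCanExecutionResult` with `discoveryResult.result` and identical arguments, so the `else` is redundant; the trailing `return` alone covers both the not-allowed-in-discovery case and the allowed-in-discovery-but-not-in-strict case, and the latter deserves a comment such as `// Discovery allowed but strict did not: report as allowed with the ignored conditions` since that is presumably the conditional-allow path. I cannot see the type of `result.errors` here; if it is an array or object, string concatenation will flatten it or print `[object Object]`, so consider `JSON.stringify(...)` for the message. `executeWhoCan` starts outside this hunk.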
|
|
@@ -76,4 +59,74 @@ async function getActionLevel(service, action) {
|
|
|
76
59
|
const details = await iamActionDetails(service, action);
|
|
77
60
|
return details.accessLevel;
|
|
78
61
|
}
|
|
62
|
+
function mapSimulationResultToWhoCanExecutionResult(workItem, service, action, actionType, simulationResponse, collectDenyDetails) {
|
|
63
|
+
const { principal } = workItem;
|
|
64
|
+
if (simulationResponse.overallResult === 'Allowed') {
|
|
65
|
+
// Build allowed result
|
|
66
|
+
const allowed = {
|
|
67
|
+
principal,
|
|
68
|
+
service,
|
|
69
|
+
action,
|
|
70
|
+
level: actionType.toLowerCase()
|
|
71
|
+
};
|
|
72
|
+
if (simulationResponse.resultType === 'single') {
|
|
73
|
+
const analysis = simulationResponse.result.analysis;
|
|
74
|
+
allowed.conditions = analysis.ignoredConditions;
|
|
75
|
+
allowed.dependsOnSessionName = analysis.ignoredRoleSessionName ? true : undefined;
|
|
76
|
+
}
|
|
77
|
+
else {
|
|
78
|
+
// Wildcard result - collect allowed patterns
|
|
79
|
+
const allowedPatterns = [];
|
|
80
|
+
for (const r of simulationResponse.results) {
|
|
81
|
+
if (r.analysis.result === 'Allowed') {
|
|
82
|
+
allowedPatterns.push({
|
|
83
|
+
pattern: r.resourcePattern,
|
|
84
|
+
resourceType: r.resourceType,
|
|
85
|
+
conditions: r.analysis.ignoredConditions,
|
|
86
|
+
dependsOnSessionName: r.analysis.ignoredRoleSessionName ? true : undefined
|
|
87
|
+
});
|
|
88
|
+
}
|
|
89
|
+
}
|
|
90
|
+
if (allowedPatterns.length > 0) {
|
|
91
|
+
allowed.allowedPatterns = allowedPatterns;
|
|
92
|
+
}
|
|
93
|
+
}
|
|
94
|
+
return {
|
|
95
|
+
type: 'allowed',
|
|
96
|
+
workItem,
|
|
97
|
+
allowed
|
|
98
|
+
};
|
|
99
|
+
}
|
|
100
|
+
// Denied result
|
|
101
|
+
if (!collectDenyDetails) {
|
|
102
|
+
// If we don't need to collect deny details, we can return a simple denied result without analysis
|
|
103
|
+
return {
|
|
104
|
+
type: 'denied',
|
|
105
|
+
workItem
|
|
106
|
+
};
|
|
107
|
+
}
|
|
108
|
+
if (simulationResponse.resultType === 'single') {
|
|
109
|
+
return {
|
|
110
|
+
type: 'denied_single',
|
|
111
|
+
workItem,
|
|
112
|
+
analysis: simulationResponse.result.analysis
|
|
113
|
+
};
|
|
114
|
+
}
|
|
115
|
+
else {
|
|
116
|
+
// Wildcard denial - collect denied patterns
|
|
117
|
+
const deniedPatterns = simulationResponse.results
|
|
118
|
+
.filter((r) => r.analysis.result !== 'Allowed')
|
|
119
|
+
.map((r) => ({
|
|
120
|
+
pattern: r.resourcePattern,
|
|
121
|
+
resourceType: r.resourceType,
|
|
122
|
+
analysis: r.analysis
|
|
123
|
+
}));
|
|
124
|
+
return {
|
|
125
|
+
type: 'denied_wildcard',
|
|
126
|
+
overallResult: simulationResponse.overallResult,
|
|
127
|
+
workItem,
|
|
128
|
+
deniedPatterns
|
|
129
|
+
};
|
|
130
|
+
}
|
|
131
|
+
}
|
|
79
132
|
//# sourceMappingURL=WhoCanWorker.js.map
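Review bot: `mapSimulationResultToWhoCanExecutionResult` has no header comment even though it is the single place that assigns the `type` discriminator consumed by the worker-thread and main-thread code, and both of its `else` branches assume any `resultType` other than `'single'` carries a `results` array, so an `'error'` response reaching it would fail with a TypeError on `.results` rather than a clear message. Both callers in this file throw on `'error'` first, but that precondition is invisible here; add `if (simulationResponse.resultType === 'error') throw new Error('cannot map an error simulation result');` at the top and a JSDoc stating that it converts a non-error simulation response into a `WhoCanExecutionResult`: an `'Allowed'` overall result yields `type: 'allowed'` with the ignored conditions (single) or the allowed patterns (wildcard), anything else yields `'denied'` when `collectDenyDetails` is false and otherwise `'denied_single'` or `'denied_wildcard'` with the analysis. The doc should also say that `allowedPatterns` is omitted, not empty, when no pattern allowed, since consumers will have to treat the missing field that way. As this is compiled output, the change belongs in `src/whoCan/WhoCanWorker.ts` (per the adjacent source map).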
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"WhoCanWorker.js","sourceRoot":"","sources":["../../../src/whoCan/WhoCanWorker.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAA;
|
|
1
|
+
{"version":3,"file":"WhoCanWorker.js","sourceRoot":"","sources":["../../../src/whoCan/WhoCanWorker.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAA;AAQ1D,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAA;AAyFzD,MAAM,UAAU,0BAA0B,CACxC,QAAwB,EACxB,aAA+B,EAC/B,aAA4B;IAE5B,OAAO;QACL,UAAU,EAAE,EAAE;QACd,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE;YACzB,OAAO,aAAa,CAAC,QAAQ,EAAE,aAAa,EAAE,aAAa,CAAC,CAAA;QAC9D,CAAC;KACF,CAAA;AACH,CAAC;AAOD,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,QAAwB,EACxB,aAA+B,EAC/B,aAA4B;IAE5B,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,eAAe,EAAE,MAAM,EAAE,GAAG,QAAQ,CAAA;IACjE,MAAM,CAAC,OAAO,EAAE,aAAa,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAClD,MAAM,eAAe,GAAG,MAAM,eAAe,CAC3C;QACE,SAAS;QACT,WAAW,EAAE,QAAQ;QACrB,eAAe,EAAE,eAAe;QAChC,MAAM;QACN,iBAAiB,EAAE,EAAE;QACrB,cAAc,EAAE,WAAW;QAC3B,cAAc,EAAE,aAAa,CAAC,cAAc;KAC7C,EACD,aAAa,CACd,CAAA;IAED,IAAI,eAAe,CAAC,MAAM,CAAC,UAAU,KAAK,OAAO,EAAE,CAAC;QAClD,sGAAsG;QACtG,MAAM,IAAI,KAAK,CAAC,+BAA+B,GAAG,eAAe,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IAClF,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,cAAc,CAAC,OAAO,EAAE,aAAa,CAAC,CAAA;IAC/D,IAAI,eAAe,EAAE,MAAM,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;QACxD,MAAM,YAAY,GAAG,MAAM,eAAe,CACxC;YACE,SAAS;YACT,WAAW,EAAE,QAAQ;YACrB,eAAe;YACf,MAAM;YACN,iBAAiB,EAAE,EAAE;YACrB,cAAc,EAAE,QAAQ;YACxB,cAAc,EAAE,aAAa,CAAC,cAAc;SAC7C,EACD,aAAa,CACd,CAAA;QAED,IAAI,YAAY,CAAC,MAAM,CAAC,UAAU,KAAK,OAAO,EAAE,CAAC;YAC/C,sGAAsG;YACtG,MAAM,IAAI,KAAK,CAAC,+BAA+B,GAAG,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;QAC/E,CAAC;QAED,IAAI,YAAY,EAAE,MAAM,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;YACrD,OAAO,0CAA0C,CAC/C,QAAQ,EACR,OAAO,EACP,aAAa,EACb,UAAU,EACV,YAAY,CAAC,MAAM,EACnB,CAAC,CAAC,aAAa,CAAC,kBAAkB,CACnC,CAAA;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,OAAO,0CAA0C,CAC/C,QAAQ,EACR,OAAO,EACP,aAAa,EACb,UAAU,EACV,eAAe,CAAC,MAAM,EACtB,CAAC,CAAC,aAAa,CAAC,kBAAkB,CACnC,CAAA;IACH,CAAC;IAED,OAAO,0CAA0C,CAC/C,QAAQ,EACR,OAAO,EACP,aAAa,EACb,UAAU,EACV,eAAe,CAAC,MAAM,EACtB,CAAC,CAAC,aAAa,CAAC,kBAAkB,CACnC,CAAA;AACH,CAAC;AAED;;;;;;GAMG;AACH,KAAK,UAAU,cAAc,CAAC,OAAe,EAAE,MAAc;IAC3D,MAAM,OAAO,GAAG,
MAAM,gBAAgB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;IACvD,OAAO,OAAO,CAAC,WAAW,CAAA;AAC5B,CAAC;AAED,SAAS,0CAA0C,CACjD,QAAwB,EACxB,OAAe,EACf,MAAc,EACd,UAAkB,EAClB,kBAAkD,EAClD,kBAA2B;IAE3B,MAAM,EAAE,SAAS,EAAE,GAAG,QAAQ,CAAA;IAE9B,IAAI,kBAAkB,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;QACnD,uBAAuB;QACvB,MAAM,OAAO,GAAkB;YAC7B,SAAS;YACT,OAAO;YACP,MAAM;YACN,KAAK,EAAE,UAAU,CAAC,WAAW,EAAE;SAChC,CAAA;QAED,IAAI,kBAAkB,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;YAC/C,MAAM,QAAQ,GAAG,kBAAkB,CAAC,MAAM,CAAC,QAAQ,CAAA;YACnD,OAAO,CAAC,UAAU,GAAG,QAAQ,CAAC,iBAAiB,CAAA;YAC/C,OAAO,CAAC,oBAAoB,GAAG,QAAQ,CAAC,sBAAsB,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAA;QACnF,CAAC;aAAM,CAAC;YACN,6CAA6C;YAC7C,MAAM,eAAe,GAAmC,EAAE,CAAA;YAC1D,KAAK,MAAM,CAAC,IAAI,kBAAkB,CAAC,OAAO,EAAE,CAAC;gBAC3C,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;oBACpC,eAAe,CAAC,IAAI,CAAC;wBACnB,OAAO,EAAE,CAAC,CAAC,eAAe;wBAC1B,YAAY,EAAE,CAAC,CAAC,YAAY;wBAC5B,UAAU,EAAE,CAAC,CAAC,QAAQ,CAAC,iBAAiB;wBACxC,oBAAoB,EAAE,CAAC,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;qBAC3E,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;YACD,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC/B,OAAO,CAAC,eAAe,GAAG,eAAe,CAAA;YAC3C,CAAC;QACH,CAAC;QAED,OAAO;YACL,IAAI,EAAE,SAAS;YACf,QAAQ;YACR,OAAO;SACR,CAAA;IACH,CAAC;IAED,gBAAgB;IAChB,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACxB,kGAAkG;QAClG,OAAO;YACL,IAAI,EAAE,QAAQ;YACd,QAAQ;SACT,CAAA;IACH,CAAC;IAED,IAAI,kBAAkB,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;QAC/C,OAAO;YACL,IAAI,EAAE,eAAe;YACrB,QAAQ;YACR,QAAQ,EAAE,kBAAkB,CAAC,MAAM,CAAC,QAAQ;SAC7C,CAAA;IACH,CAAC;SAAM,CAAC;QACN,4CAA4C;QAC5C,MAAM,cAAc,GAAgC,kBAAkB,CAAC,OAAO;aAC3E,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,KAAK,SAAS,CAAC;aAC9C,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACX,OAAO,EAAE,CAAC,CAAC,eAAe;YAC1B,YAAY,EAAE,CAAC,CAAC,YAAY;YAC5B,QAAQ,EAAE,CAAC,CAAC,QAAQ;SACrB,CAAC,CAAC,CAAA;QAEL,OAAO;YACL,IAAI,EAAE,iBAAiB;YACvB,aAAa,EAAE,kBAAkB,CAAC,aAAa;YAC/C,QAAQ;YACR,cAAc;SACf,CAAA;IACH,CAAC;AACH,CAAC"}
|
|
@@ -1,9 +1,8 @@
|
|
|
1
|
-
import { getDenialReasons } from '@cloud-copilot/iam-simulate';
|
|
2
1
|
import { parentPort, workerData } from 'worker_threads';
|
|
3
2
|
import { getCollectClient } from '../collect/collect.js';
|
|
4
3
|
import { PullBasedJobRunner } from '../workers/JobRunner.js';
|
|
5
4
|
import { SharedArrayBufferWorkerCache } from '../workers/SharedArrayBufferWorkerCache.js';
|
|
6
|
-
import { toLightRequestAnalysis } from './requestAnalysis.js';
|
|
5
|
+
import { convertToDenialDetails, toLightRequestAnalysis } from './requestAnalysis.js';
|
|
7
6
|
import { executeWhoCan } from './WhoCanWorker.js';
|
|
8
7
|
if (!parentPort) {
|
|
9
8
|
throw new Error('Must be run as a worker thread');
|
|
@@ -58,7 +57,7 @@ const jobRunner = new PullBasedJobRunner(concurrency, async (workerId) => {
|
|
|
58
57
|
}, async (result) => {
|
|
59
58
|
if (result.status === 'fulfilled') {
|
|
60
59
|
const executionResult = result.value;
|
|
61
|
-
if (executionResult.allowed) {
|
|
60
|
+
if (executionResult.type === 'allowed') {
|
|
62
61
|
// Allowed - send result back to main thread
|
|
63
62
|
parentPort.postMessage({
|
|
64
63
|
type: 'result',
|
|
@@ -70,9 +69,19 @@ const jobRunner = new PullBasedJobRunner(concurrency, async (workerId) => {
|
|
|
70
69
|
});
|
|
71
70
|
}
|
|
72
71
|
else {
|
|
73
|
-
//
|
|
74
|
-
|
|
75
|
-
|
|
72
|
+
// Post this so that we can count the completed simulation in the main thread.
|
|
73
|
+
parentPort.postMessage({
|
|
74
|
+
type: 'result',
|
|
75
|
+
result: {
|
|
76
|
+
status: 'fulfilled',
|
|
77
|
+
value: undefined,
|
|
78
|
+
properties: result.properties
|
|
79
|
+
}
|
|
80
|
+
});
|
|
81
|
+
// Check if we should include deny details
|
|
82
|
+
const hasDetails = executionResult.type === 'denied_single' || executionResult.type === 'denied_wildcard';
|
|
83
|
+
if (collectDenyDetails && hasDetails) {
|
|
84
|
+
const lightAnalysis = toLightRequestAnalysis(executionResult);
|
|
76
85
|
const checkId = denyDetailsCheckId++;
|
|
77
86
|
// Send check request to main thread
|
|
78
87
|
parentPort.postMessage({
|
|
@@ -87,17 +96,9 @@ const jobRunner = new PullBasedJobRunner(concurrency, async (workerId) => {
|
|
|
87
96
|
});
|
|
88
97
|
if (shouldInclude) {
|
|
89
98
|
// Get full denial reasons and send to main thread
|
|
90
|
-
const denialReasons = getDenialReasons(executionResult.denyAnalysis);
|
|
91
|
-
const { workItem } = executionResult;
|
|
92
|
-
const [service, action] = workItem.action.split(':');
|
|
93
99
|
parentPort.postMessage({
|
|
94
100
|
type: 'denyDetailsResult',
|
|
95
|
-
denyDetail:
|
|
96
|
-
principal: workItem.principal,
|
|
97
|
-
service,
|
|
98
|
-
action,
|
|
99
|
-
details: denialReasons
|
|
100
|
-
}
|
|
101
|
+
denyDetail: convertToDenialDetails(executionResult)
|
|
101
102
|
});
|
|
102
103
|
}
|
|
103
104
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"WhoCanWorkerThreadWorker.js","sourceRoot":"","sources":["../../../src/whoCan/WhoCanWorkerThreadWorker.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"WhoCanWorkerThreadWorker.js","sourceRoot":"","sources":["../../../src/whoCan/WhoCanWorkerThreadWorker.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAA;AACvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAA;AAExD,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAA;AAC5D,OAAO,EAAE,4BAA4B,EAAE,MAAM,4CAA4C,CAAA;AACzF,OAAO,EAAE,sBAAsB,EAAE,sBAAsB,EAAE,MAAM,sBAAsB,CAAA;AACrF,OAAO,EAAE,aAAa,EAAyC,MAAM,mBAAmB,CAAA;AAExF,IAAI,CAAC,UAAU,EAAE,CAAC;IAChB,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAA;AACnD,CAAC;AAED,kCAAkC;AAClC,MAAM,EAAE,WAAW,EAAE,cAAc,EAAE,SAAS,EAAE,cAAc,EAAE,kBAAkB,EAAE,GAClF,UAMC,CAAA;AAEH,MAAM,YAAY,GAAuC,EAAE,CAAA;AAE3D,oEAAoE;AACpE,IAAI,kBAAkB,GAAG,CAAC,CAAA;AAC1B,MAAM,wBAAwB,GAAqD,EAAE,CAAA;AAErF,UAAU,CAAC,EAAE,CAAC,SAAS,EAAE,CAAC,GAAG,EAAE,EAAE;IAC/B,IAAI,GAAG,CAAC,IAAI,KAAK,MAAM,IAAI,GAAG,CAAC,QAAQ,IAAI,YAAY,EAAE,CAAC;QACxD,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;QACpC,OAAO,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;IACnC,CAAC;SAAM,IAAI,GAAG,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;QACxC,SAAS,CAAC,mBAAmB,EAAE,CAAA;IACjC,CAAC;SAAM,IAAI,GAAG,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QACrC,SAAS,CAAC,aAAa,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE;YAClC,UAAW,CAAC,WAAW,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,CAAA;QAC/C,CAAC,CAAC,CAAA;IACJ,CAAC;SAAM,IAAI,GAAG,CAAC,IAAI,KAAK,wBAAwB,EAAE,CAAC;QACjD,yEAAyE;QACzE,MAAM,OAAO,GAAG,GAAG,CAAC,OAAiB,CAAA;QACrC,MAAM,SAAS,GAAG,wBAAwB,CAAC,OAAO,CAAC,CAAA;QACnD,IAAI,SAAS,EAAE,CAAC;YACd,SAAS,CAAC,GAAG,CAAC,aAAa,CAAC,CAAA;YAC5B,OAAO,wBAAwB,CAAC,OAAO,CAAC,CAAA;QAC1C,CAAC;IACH,CAAC;AACH,CAAC,CAAC,CAAA;AAEF,MAAM,aAAa,GAAG,gBAAgB,CAAC,cAAc,EAAE,SAAS,EAAE;IAChE,aAAa,EAAE,IAAI,4BAA4B,CAAC,UAAU,CAAC;CAC5D,CAAC,CAAA;AAEF,MAAM,SAAS,GAAG,IAAI,kBAAkB,CAKtC,WAAW,EACX,KAAK,EAAE,QAAQ,EAAE,EAAE;IACjB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,UAAW,CAAC,WAAW,CAAC,EAAE,IAAI,EAAE,aAAa,EAAE,QAAQ,EAAE,CAAC,CAAA;QAC1D,YAAY,CAAC,QAAQ,CAAC,GAAG,OAAO,CAAA;IAClC,CAAC,CAAC,CAAA;AACJ,CAAC,EACD,CAAC,WAAW,EAAE,EAAE;IACd,OAAO;QACL,UAAU,EAAE,EAAE;QACd,OAAO,EAAE
,KAAK,EAAE,OAAO,EAAE,EAAE;YACzB,OAAO,aAAa,CAAC,WAAW,EAAE,aAAa,EAAE;gBAC/C,cAAc;gBACd,kBAAkB;aACnB,CAAC,CAAA;QACJ,CAAC;KACF,CAAA;AACH,CAAC,EACD,KAAK,EAAE,MAAM,EAAE,EAAE;IACf,IAAI,MAAM,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;QAClC,MAAM,eAAe,GAAG,MAAM,CAAC,KAAK,CAAA;QAEpC,IAAI,eAAe,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YACvC,4CAA4C;YAC5C,UAAW,CAAC,WAAW,CAAC;gBACtB,IAAI,EAAE,QAAQ;gBACd,MAAM,EAAE;oBACN,MAAM,EAAE,WAAW;oBACnB,KAAK,EAAE,eAAe,CAAC,OAAO;oBAC9B,UAAU,EAAE,MAAM,CAAC,UAAU;iBAC9B;aACF,CAAC,CAAA;QACJ,CAAC;aAAM,CAAC;YACN,8EAA8E;YAC9E,UAAW,CAAC,WAAW,CAAC;gBACtB,IAAI,EAAE,QAAQ;gBACd,MAAM,EAAE;oBACN,MAAM,EAAE,WAAW;oBACnB,KAAK,EAAE,SAAS;oBAChB,UAAU,EAAE,MAAM,CAAC,UAAU;iBAC9B;aACF,CAAC,CAAA;YAEF,0CAA0C;YAC1C,MAAM,UAAU,GACd,eAAe,CAAC,IAAI,KAAK,eAAe,IAAI,eAAe,CAAC,IAAI,KAAK,iBAAiB,CAAA;YAExF,IAAI,kBAAkB,IAAI,UAAU,EAAE,CAAC;gBACrC,MAAM,aAAa,GAAG,sBAAsB,CAAC,eAAe,CAAC,CAAA;gBAC7D,MAAM,OAAO,GAAG,kBAAkB,EAAE,CAAA;gBAEpC,oCAAoC;gBACpC,UAAW,CAAC,WAAW,CAAC;oBACtB,IAAI,EAAE,kBAAkB;oBACxB,OAAO;oBACP,QAAQ,EAAE,eAAe,CAAC,QAAQ;oBAClC,aAAa;iBACd,CAAC,CAAA;gBAEF,qCAAqC;gBACrC,MAAM,aAAa,GAAG,MAAM,IAAI,OAAO,CAAU,CAAC,OAAO,EAAE,EAAE;oBAC3D,wBAAwB,CAAC,OAAO,CAAC,GAAG,OAAO,CAAA;gBAC7C,CAAC,CAAC,CAAA;gBAEF,IAAI,aAAa,EAAE,CAAC;oBAClB,kDAAkD;oBAClD,UAAW,CAAC,WAAW,CAAC;wBACtB,IAAI,EAAE,mBAAmB;wBACzB,UAAU,EAAE,sBAAsB,CAAC,eAAe,CAAC;qBACpD,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,4BAA4B;QAC5B,UAAW,CAAC,WAAW,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAA;IACrD,CAAC;AACH,CAAC,CACF,CAAA"}
|
|
@@ -1,11 +1,13 @@
|
|
|
1
|
-
import { RequestAnalysis } from '@cloud-copilot/iam-simulate';
|
|
1
|
+
import { type EvaluationResult, type RequestAnalysis } from '@cloud-copilot/iam-simulate';
|
|
2
|
+
import type { DeniedWhoCanExecutionResultWithDetails } from './WhoCanWorker.js';
|
|
3
|
+
import type { WhoCanDenyDetail } from './whoCan.js';
|
|
2
4
|
/**
|
|
3
|
-
* A
|
|
4
|
-
*
|
|
5
|
+
* A lightweight representation of RequestAnalysis containing only the result fields
|
|
6
|
+
* of the various policy analyses (identity, resource, SCP, RCP, permission boundary).
|
|
5
7
|
*/
|
|
6
|
-
export interface
|
|
8
|
+
export interface LightResourceAnalysis {
|
|
7
9
|
result: RequestAnalysis['result'];
|
|
8
|
-
sameAccount
|
|
10
|
+
sameAccount?: boolean;
|
|
9
11
|
identityAnalysis?: Pick<NonNullable<RequestAnalysis['identityAnalysis']>, 'result'>;
|
|
10
12
|
resourceAnalysis?: Pick<NonNullable<RequestAnalysis['resourceAnalysis']>, 'result'>;
|
|
11
13
|
scpAnalysis?: Pick<NonNullable<RequestAnalysis['scpAnalysis']>, 'result'>;
|
|
@@ -13,10 +15,58 @@ export interface LightRequestAnalysis {
|
|
|
13
15
|
permissionBoundaryAnalysis?: Pick<NonNullable<RequestAnalysis['permissionBoundaryAnalysis']>, 'result'>;
|
|
14
16
|
}
|
|
15
17
|
/**
|
|
16
|
-
*
|
|
18
|
+
* A LightResourceAnalysis extended with resource pattern and type information.
|
|
19
|
+
* Used for wildcard resource analyses to provide details on each matched pattern.
|
|
20
|
+
*/
|
|
21
|
+
export interface LightResourceAnalysisWithPattern extends LightResourceAnalysis {
|
|
22
|
+
/**
|
|
23
|
+
* The specific resource pattern that was analyzed, most likely found in a policy statement's Resource field. This is used to provide more granular details in wildcard resource analyses, where multiple patterns may match the requested resource.
|
|
24
|
+
*/
|
|
25
|
+
pattern: string;
|
|
26
|
+
/**
|
|
27
|
+
* The resource type that was tested.
|
|
28
|
+
*/
|
|
29
|
+
resourceType: string;
|
|
30
|
+
}
|
|
31
|
+
/**
|
|
32
|
+
* A light request analysis for a single resource.
|
|
33
|
+
*/
|
|
34
|
+
export interface SingleResourceLightRequestAnalysis extends LightResourceAnalysis {
|
|
35
|
+
type: 'single';
|
|
36
|
+
overallResult: EvaluationResult;
|
|
37
|
+
}
|
|
38
|
+
/**
|
|
39
|
+
* A light request analysis for a wildcard resource with multiple patterns.
|
|
40
|
+
* Used for wildcard resource analyses to provide details on each matched pattern.
|
|
41
|
+
*/
|
|
42
|
+
export interface WildcardResourceLightRequestAnalysis {
|
|
43
|
+
type: 'wildcard';
|
|
44
|
+
/**
|
|
45
|
+
* The overall result of the wildcard resource analysis, which is typically a combination of the results of the individual pattern analyses. This provides a high-level summary of whether the requested action is allowed or denied across all matched patterns, while the individual pattern analyses provide more granular details.
|
|
46
|
+
*/
|
|
47
|
+
overallResult: EvaluationResult;
|
|
48
|
+
/**
|
|
49
|
+
* The details of the analyses for each matched resource pattern/resource type pair.
|
|
50
|
+
*/
|
|
51
|
+
patterns: LightResourceAnalysisWithPattern[];
|
|
52
|
+
}
|
|
53
|
+
/**
|
|
54
|
+
* A light version of RequestAnalysis containing only the result and sameAccount fields,
|
|
55
|
+
* along with the result fields of the various analyses.
|
|
56
|
+
*/
|
|
57
|
+
export type LightRequestAnalysis = SingleResourceLightRequestAnalysis | WildcardResourceLightRequestAnalysis;
|
|
58
|
+
/**
|
|
59
|
+
* Convert a full RequestAnalysis to a LightRequestAnalysis.
|
|
60
|
+
*
|
|
61
|
+
* @param executionResult - The denied execution result containing the RequestAnalysis to convert
|
|
62
|
+
* @returns A LightRequestAnalysis with only the essential fields
|
|
63
|
+
*/
|
|
64
|
+
export declare function toLightRequestAnalysis(executionResult: DeniedWhoCanExecutionResultWithDetails): LightRequestAnalysis;
|
|
65
|
+
/**
|
|
66
|
+
* Gets the denial reasons for a denied SimulationResult.
|
|
17
67
|
*
|
|
18
|
-
* @param
|
|
19
|
-
* @returns
|
|
68
|
+
* @param executionResult - The denied execution result containing the RequestAnalysis with denial reasons
|
|
69
|
+
* @returns A WhoCanDenyDetail object containing the denial reasons and other details to be returned to the user
|
|
20
70
|
*/
|
|
21
|
-
export declare function
|
|
71
|
+
export declare function convertToDenialDetails(executionResult: DeniedWhoCanExecutionResultWithDetails): WhoCanDenyDetail;
|
|
22
72
|
//# sourceMappingURL=requestAnalysis.d.ts.map
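Review bot: The JSDoc on `LightRequestAnalysis` says it contains "only the result and sameAccount fields", but `WildcardResourceLightRequestAnalysis`, one of the two union members, has neither; it carries `overallResult` and `patterns`, so the comment describes only the single-resource member. Replace it with `* A light version of RequestAnalysis: the single-resource form keeps result, sameAccount and the per-policy result fields; the wildcard form keeps the overall result plus one such analysis per matched pattern.` Likewise the summary lines of `toLightRequestAnalysis` ("Convert a full RequestAnalysis") and `convertToDenialDetails` ("for a denied SimulationResult") name a different input than their parameter, which is a `DeniedWhoCanExecutionResultWithDetails`; the `@param` lines are right, so align the summaries with them. These are generated declarations, so the fix goes in `src/whoCan/requestAnalysis.ts` (per the adjacent source map).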
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"requestAnalysis.d.ts","sourceRoot":"","sources":["../../../src/whoCan/requestAnalysis.ts"],"names":[],"mappings":"AAAA,OAAO,
|
|
1
|
+
{"version":3,"file":"requestAnalysis.d.ts","sourceRoot":"","sources":["../../../src/whoCan/requestAnalysis.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,KAAK,gBAAgB,EACrB,KAAK,eAAe,EACrB,MAAM,6BAA6B,CAAA;AACpC,OAAO,KAAK,EAAE,sCAAsC,EAAE,MAAM,mBAAmB,CAAA;AAC/E,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAA;AAEnD;;;GAGG;AACH,MAAM,WAAW,qBAAqB;IACpC,MAAM,EAAE,eAAe,CAAC,QAAQ,CAAC,CAAA;IACjC,WAAW,CAAC,EAAE,OAAO,CAAA;IACrB,gBAAgB,CAAC,EAAE,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,kBAAkB,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAA;IACnF,gBAAgB,CAAC,EAAE,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,kBAAkB,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAA;IACnF,WAAW,CAAC,EAAE,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,aAAa,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAA;IACzE,WAAW,CAAC,EAAE,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,aAAa,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAA;IACzE,0BAA0B,CAAC,EAAE,IAAI,CAC/B,WAAW,CAAC,eAAe,CAAC,4BAA4B,CAAC,CAAC,EAC1D,QAAQ,CACT,CAAA;CACF;AAED;;;GAGG;AACH,MAAM,WAAW,gCAAiC,SAAQ,qBAAqB;IAC7E;;OAEG;IACH,OAAO,EAAE,MAAM,CAAA;IACf;;OAEG;IACH,YAAY,EAAE,MAAM,CAAA;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,kCAAmC,SAAQ,qBAAqB;IAC/E,IAAI,EAAE,QAAQ,CAAA;IACd,aAAa,EAAE,gBAAgB,CAAA;CAChC;AAED;;;GAGG;AACH,MAAM,WAAW,oCAAoC;IACnD,IAAI,EAAE,UAAU,CAAA;IAEhB;;OAEG;IACH,aAAa,EAAE,gBAAgB,CAAA;IAE/B;;OAEG;IACH,QAAQ,EAAE,gCAAgC,EAAE,CAAA;CAC7C;AAED;;;GAGG;AACH,MAAM,MAAM,oBAAoB,GAC5B,kCAAkC,GAClC,oCAAoC,CAAA;AA0BxC;;;;;GAKG;AACH,wBAAgB,sBAAsB,CACpC,eAAe,EAAE,sCAAsC,GACtD,oBAAoB,CAqBtB;AAED;;;;;GAKG;AACH,wBAAgB,sBAAsB,CACpC,eAAe,EAAE,sCAAsC,GACtD,gBAAgB,CA0BlB"}
|
|
@@ -1,10 +1,11 @@
|
|
|
1
|
+
import { getDenialReasons } from '@cloud-copilot/iam-simulate';
|
|
1
2
|
/**
|
|
2
|
-
* Convert a
|
|
3
|
+
* Convert a RequestAnalysis to a LightResourceAnalysis.
|
|
3
4
|
*
|
|
4
|
-
* @param analysis
|
|
5
|
-
* @returns
|
|
5
|
+
* @param analysis - The full RequestAnalysis to convert
|
|
6
|
+
* @returns A LightResourceAnalysis with only the essential result fields
|
|
6
7
|
*/
|
|
7
|
-
|
|
8
|
+
function toLightResourceAnalysis(analysis) {
|
|
8
9
|
return {
|
|
9
10
|
result: analysis.result,
|
|
10
11
|
sameAccount: analysis.sameAccount,
|
|
@@ -21,4 +22,61 @@ export function toLightRequestAnalysis(analysis) {
|
|
|
21
22
|
: undefined
|
|
22
23
|
};
|
|
23
24
|
}
|
|
25
|
+
/**
|
|
26
|
+
* Convert a full RequestAnalysis to a LightRequestAnalysis.
|
|
27
|
+
*
|
|
28
|
+
* @param executionResult - The denied execution result containing the RequestAnalysis to convert
|
|
29
|
+
* @returns A LightRequestAnalysis with only the essential fields
|
|
30
|
+
*/
|
|
31
|
+
export function toLightRequestAnalysis(executionResult) {
|
|
32
|
+
if (executionResult.type === 'denied_single') {
|
|
33
|
+
return {
|
|
34
|
+
type: 'single',
|
|
35
|
+
overallResult: executionResult.analysis.result,
|
|
36
|
+
...toLightResourceAnalysis(executionResult.analysis)
|
|
37
|
+
};
|
|
38
|
+
}
|
|
39
|
+
// Wildcard case
|
|
40
|
+
const patterns = executionResult.deniedPatterns.map((details) => ({
|
|
41
|
+
pattern: details.pattern,
|
|
42
|
+
resourceType: details.resourceType,
|
|
43
|
+
...toLightResourceAnalysis(details.analysis)
|
|
44
|
+
}));
|
|
45
|
+
return {
|
|
46
|
+
type: 'wildcard',
|
|
47
|
+
overallResult: executionResult.overallResult,
|
|
48
|
+
patterns
|
|
49
|
+
};
|
|
50
|
+
}
|
|
51
|
+
/**
|
|
52
|
+
* Gets the denial reasons for a denied SimulationResult.
|
|
53
|
+
*
|
|
54
|
+
* @param executionResult - The denied execution result containing the RequestAnalysis with denial reasons
|
|
55
|
+
* @returns A WhoCanDenyDetail object containing the denial reasons and other details to be returned to the user
|
|
56
|
+
*/
|
|
57
|
+
export function convertToDenialDetails(executionResult) {
|
|
58
|
+
const { principal, action } = executionResult.workItem;
|
|
59
|
+
const [service, actionName] = action.split(':');
|
|
60
|
+
if (executionResult.type === 'denied_single') {
|
|
61
|
+
return {
|
|
62
|
+
type: 'single',
|
|
63
|
+
principal,
|
|
64
|
+
service,
|
|
65
|
+
action: actionName,
|
|
66
|
+
details: getDenialReasons(executionResult.analysis)
|
|
67
|
+
};
|
|
68
|
+
}
|
|
69
|
+
// Wildcard case
|
|
70
|
+
return {
|
|
71
|
+
type: 'wildcard',
|
|
72
|
+
principal,
|
|
73
|
+
service,
|
|
74
|
+
action: actionName,
|
|
75
|
+
deniedResources: executionResult.deniedPatterns.map((pattern) => ({
|
|
76
|
+
pattern: pattern.pattern,
|
|
77
|
+
resourceType: pattern.resourceType,
|
|
78
|
+
details: getDenialReasons(pattern.analysis)
|
|
79
|
+
}))
|
|
80
|
+
};
|
|
81
|
+
}
|
|
24
82
|
//# sourceMappingURL=requestAnalysis.js.map
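Review bot: `const [service, actionName] = action.split(':');` in the new `convertToDenialDetails` (new line 59) leaves `actionName` undefined when `workItem.action` contains no `:`, and that value is then emitted as `action` in both the single and wildcard return objects, so a malformed work item yields a denial record with no action name instead of an error. Under `noUncheckedIndexedAccess` the destructured bindings are already `string | undefined`, so a guard right after the split such as `if (actionName === undefined) throw new Error(\`Expected service:action, got "${action}"\`);` would make the contract explicit; whether every caller already guarantees the `service:action` form is not visible from this hunk, so the guard may be defensive only. Since this file is compiled output (the source map points at `src/whoCan/requestAnalysis.ts`), the fix belongs in the `.ts` source. In the same file, the `// Wildcard case` fallthrough in both new functions treats every non-`'denied_single'` result as the pattern variant and reads `deniedPatterns` from it, which an exhaustiveness check on the discriminant in the source would pin down at compile time if the union ever grows.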
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"requestAnalysis.js","sourceRoot":"","sources":["../../../src/whoCan/requestAnalysis.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"requestAnalysis.js","sourceRoot":"","sources":["../../../src/whoCan/requestAnalysis.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAGjB,MAAM,6BAA6B,CAAA;AAsEpC;;;;;GAKG;AACH,SAAS,uBAAuB,CAAC,QAAyB;IACxD,OAAO;QACL,MAAM,EAAE,QAAQ,CAAC,MAAM;QACvB,WAAW,EAAE,QAAQ,CAAC,WAAW;QACjC,gBAAgB,EAAE,QAAQ,CAAC,gBAAgB;YACzC,CAAC,CAAC,EAAE,MAAM,EAAE,QAAQ,CAAC,gBAAgB,CAAC,MAAM,EAAE;YAC9C,CAAC,CAAC,SAAS;QACb,gBAAgB,EAAE,QAAQ,CAAC,gBAAgB;YACzC,CAAC,CAAC,EAAE,MAAM,EAAE,QAAQ,CAAC,gBAAgB,CAAC,MAAM,EAAE;YAC9C,CAAC,CAAC,SAAS;QACb,WAAW,EAAE,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,QAAQ,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,SAAS;QACvF,WAAW,EAAE,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,QAAQ,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,SAAS;QACvF,0BAA0B,EAAE,QAAQ,CAAC,0BAA0B;YAC7D,CAAC,CAAC,EAAE,MAAM,EAAE,QAAQ,CAAC,0BAA0B,CAAC,MAAM,EAAE;YACxD,CAAC,CAAC,SAAS;KACd,CAAA;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,sBAAsB,CACpC,eAAuD;IAEvD,IAAI,eAAe,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;QAC7C,OAAO;YACL,IAAI,EAAE,QAAQ;YACd,aAAa,EAAE,eAAe,CAAC,QAAQ,CAAC,MAAM;YAC9C,GAAG,uBAAuB,CAAC,eAAe,CAAC,QAAQ,CAAC;SACrD,CAAA;IACH,CAAC;IAED,gBAAgB;IAChB,MAAM,QAAQ,GAAG,eAAe,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QAChE,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,GAAG,uBAAuB,CAAC,OAAO,CAAC,QAAQ,CAAC;KAC7C,CAAC,CAAC,CAAA;IAEH,OAAO;QACL,IAAI,EAAE,UAAU;QAChB,aAAa,EAAE,eAAe,CAAC,aAAa;QAC5C,QAAQ;KACT,CAAA;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,sBAAsB,CACpC,eAAuD;IAEvD,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,eAAe,CAAC,QAAQ,CAAA;IACtD,MAAM,CAAC,OAAO,EAAE,UAAU,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAE/C,IAAI,eAAe,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;QAC7C,OAAO;YACL,IAAI,EAAE,QAAQ;YACd,SAAS;YACT,OAAO;YACP,MAAM,EAAE,UAAU;YAClB,OAAO,EAAE,gBAAgB,CAAC,eAAe,CAAC,QAAQ,CAAC;SACpD,CAAA;IACH,CAAC;IAED,gBAAgB;IAChB,OAAO;QACL,IAAI,EAAE,UAAU;QAChB,SAAS;QACT,OAAO;QACP,MAAM,EAAE,UAAU;QAClB,eAAe,EAAE,eAAe,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;YAChE,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,Y
AAY,EAAE,OAAO,CAAC,YAAY;YAClC,OAAO,EAAE,gBAAgB,CAAC,OAAO,CAAC,QAAQ,CAAC;SAC5C,CAAC,CAAC;KACJ,CAAA;AACH,CAAC"}
|