@cloud-copilot/iam-policy 0.0.9 → 0.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/conditions/conditionOperation.d.ts.map +1 -1
- package/dist/cjs/conditions/conditionOperation.js +10 -3
- package/dist/cjs/conditions/conditionOperation.js.map +1 -1
- package/dist/cjs/principals/principal.d.ts +74 -1
- package/dist/cjs/principals/principal.d.ts.map +1 -1
- package/dist/cjs/principals/principal.js +15 -1
- package/dist/cjs/principals/principal.js.map +1 -1
- package/dist/cjs/validate/validate.d.ts.map +1 -1
- package/dist/cjs/validate/validate.js +62 -1
- package/dist/cjs/validate/validate.js.map +1 -1
- package/dist/esm/conditions/conditionOperation.d.ts.map +1 -1
- package/dist/esm/conditions/conditionOperation.js +10 -3
- package/dist/esm/conditions/conditionOperation.js.map +1 -1
- package/dist/esm/principals/principal.d.ts +74 -1
- package/dist/esm/principals/principal.d.ts.map +1 -1
- package/dist/esm/principals/principal.js +15 -1
- package/dist/esm/principals/principal.js.map +1 -1
- package/dist/esm/validate/validate.d.ts.map +1 -1
- package/dist/esm/validate/validate.js +62 -1
- package/dist/esm/validate/validate.js.map +1 -1
- package/package.json +1 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"conditionOperation.d.ts","sourceRoot":"","sources":["../../../src/conditions/conditionOperation.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,WAAW,GAAG,cAAc,GAAG,aAAa,CAAA;AAExD;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC;;OAEG;IACH,WAAW,IAAI,WAAW,GAAG,SAAS,CAAA;IAEtC;;OAEG;IACH,YAAY,IAAI,MAAM,CAAA;IAEtB;;OAEG;IACH,UAAU,IAAI,OAAO,CAAA;IAErB;;OAEG;IACH,KAAK,IAAI,MAAM,CAAA;CAChB;AAID,qBAAa,sBAAuB,YAAW,kBAAkB;IACnD,OAAO,CAAC,QAAQ,CAAC,EAAE;gBAAF,EAAE,EAAE,MAAM;IAEhC,WAAW,IAAI,WAAW,GAAG,SAAS;
|
|
1
|
+
{"version":3,"file":"conditionOperation.d.ts","sourceRoot":"","sources":["../../../src/conditions/conditionOperation.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,WAAW,GAAG,cAAc,GAAG,aAAa,CAAA;AAExD;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC;;OAEG;IACH,WAAW,IAAI,WAAW,GAAG,SAAS,CAAA;IAEtC;;OAEG;IACH,YAAY,IAAI,MAAM,CAAA;IAEtB;;OAEG;IACH,UAAU,IAAI,OAAO,CAAA;IAErB;;OAEG;IACH,KAAK,IAAI,MAAM,CAAA;CAChB;AAID,qBAAa,sBAAuB,YAAW,kBAAkB;IACnD,OAAO,CAAC,QAAQ,CAAC,EAAE;gBAAF,EAAE,EAAE,MAAM;IAEhC,WAAW,IAAI,WAAW,GAAG,SAAS;IAatC,UAAU,IAAI,OAAO;IAIrB,YAAY,IAAI,MAAM;IAQtB,KAAK,IAAI,MAAM;CAIvB"}
|
|
@@ -11,14 +11,21 @@ class ConditionOperationImpl {
|
|
|
11
11
|
if (!this.op.includes(':')) {
|
|
12
12
|
return undefined;
|
|
13
13
|
}
|
|
14
|
-
|
|
14
|
+
const setOp = this.op.split(':').at(0)?.toLowerCase();
|
|
15
|
+
if (setOp === 'forallvalues') {
|
|
16
|
+
return 'ForAllValues';
|
|
17
|
+
}
|
|
18
|
+
else if (setOp === 'foranyvalue') {
|
|
19
|
+
return 'ForAnyValue';
|
|
20
|
+
}
|
|
21
|
+
throw new Error(`Unknown set operator: ${setOp}`);
|
|
15
22
|
}
|
|
16
23
|
isIfExists() {
|
|
17
|
-
return this.op.endsWith('
|
|
24
|
+
return this.op.toLowerCase().endsWith('ifexists');
|
|
18
25
|
}
|
|
19
26
|
baseOperator() {
|
|
20
27
|
const base = this.op.split(':').at(-1);
|
|
21
|
-
if (base?.endsWith('
|
|
28
|
+
if (base?.toLowerCase().endsWith('ifexists')) {
|
|
22
29
|
return base.slice(0, ifExistsSlice);
|
|
23
30
|
}
|
|
24
31
|
return base;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"conditionOperation.js","sourceRoot":"","sources":["../../../src/conditions/conditionOperation.ts"],"names":[],"mappings":";;;AA2BA,MAAM,aAAa,GAAG,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;AAE5C,MAAa,sBAAsB;IACJ;IAA7B,YAA6B,EAAU;QAAV,OAAE,GAAF,EAAE,CAAQ;IAAG,CAAC;IAEpC,WAAW;QAChB,IAAG,CAAC,IAAI,CAAC,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1B,OAAO,SAAS,CAAA;QAClB,CAAC;QACD,
|
|
1
|
+
{"version":3,"file":"conditionOperation.js","sourceRoot":"","sources":["../../../src/conditions/conditionOperation.ts"],"names":[],"mappings":";;;AA2BA,MAAM,aAAa,GAAG,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;AAE5C,MAAa,sBAAsB;IACJ;IAA7B,YAA6B,EAAU;QAAV,OAAE,GAAF,EAAE,CAAQ;IAAG,CAAC;IAEpC,WAAW;QAChB,IAAG,CAAC,IAAI,CAAC,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1B,OAAO,SAAS,CAAA;QAClB,CAAC;QACD,MAAM,KAAK,GAAG,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAA;QACrD,IAAG,KAAK,KAAK,cAAc,EAAE,CAAC;YAC5B,OAAO,cAAc,CAAA;QACvB,CAAC;aAAM,IAAI,KAAK,KAAK,aAAa,EAAE,CAAC;YACnC,OAAO,aAAa,CAAA;QACtB,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,yBAAyB,KAAK,EAAE,CAAC,CAAA;IACnD,CAAC;IAEM,UAAU;QACf,OAAO,IAAI,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAA;IACnD,CAAC;IAEM,YAAY;QACjB,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAE,CAAA;QACvC,IAAG,IAAI,EAAE,WAAW,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YAC5C,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,aAAa,CAAC,CAAA;QACrC,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC;IAEM,KAAK;QACV,OAAO,IAAI,CAAC,EAAE,CAAA;IAChB,CAAC;CAEF;AAhCD,wDAgCC"}
|
|
@@ -1,33 +1,104 @@
|
|
|
1
1
|
export type PrincipalType = 'AWS' | 'Service' | 'Federated' | 'CanonicalUser';
|
|
2
|
+
/**
|
|
3
|
+
* A Principal in a policy statement
|
|
4
|
+
*/
|
|
2
5
|
export interface Principal {
|
|
6
|
+
/**
|
|
7
|
+
* The type of principal, such as "AWS", "Service", "Federated", "CanonicalUser"
|
|
8
|
+
*/
|
|
3
9
|
type(): PrincipalType;
|
|
10
|
+
/**
|
|
11
|
+
* The raw string of the principal
|
|
12
|
+
*/
|
|
4
13
|
value(): string;
|
|
14
|
+
/**
|
|
15
|
+
* Whether the principal is a wildcard principal: `"*"`
|
|
16
|
+
*/
|
|
5
17
|
isWildcardPrincipal(): this is WildcardPrincipal;
|
|
18
|
+
/**
|
|
19
|
+
* Whether the principal is an AWS principal
|
|
20
|
+
*/
|
|
6
21
|
isServicePrincipal(): this is ServicePrincipal;
|
|
22
|
+
/**
|
|
23
|
+
* Whether the principal is an AWS principal that is not an account or wildcard principal
|
|
24
|
+
*/
|
|
7
25
|
isAwsPrincipal(): this is AwsPrincipal;
|
|
26
|
+
/**
|
|
27
|
+
* Whether the principal is a unique id principal
|
|
28
|
+
*/
|
|
29
|
+
isUniqueIdPrincipal(): this is UniqueIdPrincipal;
|
|
30
|
+
/**
|
|
31
|
+
* Whether the principal is a federated principal
|
|
32
|
+
*/
|
|
8
33
|
isFederatedPrincipal(): this is FederatedPrincipal;
|
|
34
|
+
/**
|
|
35
|
+
* Whether the principal is a canonical user principal
|
|
36
|
+
*/
|
|
9
37
|
isCanonicalUserPrincipal(): this is CanonicalUserPrincipal;
|
|
38
|
+
/**
|
|
39
|
+
* Whether the principal is an account principal
|
|
40
|
+
*/
|
|
10
41
|
isAccountPrincipal(): this is AccountPrincipal;
|
|
11
42
|
}
|
|
43
|
+
/**
|
|
44
|
+
* A wildcard principal: `"*"`
|
|
45
|
+
*/
|
|
12
46
|
export interface WildcardPrincipal extends Principal {
|
|
47
|
+
/**
|
|
48
|
+
* The wildcard character `"*"`, this exists to differentiate between this interface and the Principal interface
|
|
49
|
+
*/
|
|
13
50
|
wildcard(): '*';
|
|
14
51
|
}
|
|
52
|
+
/**
|
|
53
|
+
* An AWS principal: `"arn:aws:iam::account-id:root"` or a 12 digit account id
|
|
54
|
+
*/
|
|
15
55
|
export interface AccountPrincipal extends Principal {
|
|
56
|
+
/**
|
|
57
|
+
* The 12 digit account id of the principal
|
|
58
|
+
*/
|
|
16
59
|
accountId(): string;
|
|
17
60
|
}
|
|
61
|
+
/**
|
|
62
|
+
* An AWS principal this is an ARN that is not an account or wildcard principal
|
|
63
|
+
*/
|
|
18
64
|
export interface AwsPrincipal extends Principal {
|
|
19
65
|
arn(): string;
|
|
20
66
|
}
|
|
67
|
+
/**
|
|
68
|
+
* An AWS principal that is a unique Id
|
|
69
|
+
* https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids
|
|
70
|
+
*/
|
|
71
|
+
export interface UniqueIdPrincipal extends Principal {
|
|
72
|
+
uniqueId(): string;
|
|
73
|
+
}
|
|
74
|
+
/**
|
|
75
|
+
* An AWS principal that is a service principal: `"service"`
|
|
76
|
+
*/
|
|
21
77
|
export interface ServicePrincipal extends Principal {
|
|
78
|
+
/**
|
|
79
|
+
* The service the principal represents
|
|
80
|
+
*/
|
|
22
81
|
service(): string;
|
|
23
82
|
}
|
|
83
|
+
/**
|
|
84
|
+
* A federated principal
|
|
85
|
+
*/
|
|
24
86
|
export interface FederatedPrincipal extends Principal {
|
|
87
|
+
/**
|
|
88
|
+
* The id of the federated principal
|
|
89
|
+
*/
|
|
25
90
|
federated(): string;
|
|
26
91
|
}
|
|
92
|
+
/**
|
|
93
|
+
* A canonical user principal
|
|
94
|
+
*/
|
|
27
95
|
export interface CanonicalUserPrincipal extends Principal {
|
|
96
|
+
/**
|
|
97
|
+
* The canonical user id of the principal
|
|
98
|
+
*/
|
|
28
99
|
canonicalUser(): string;
|
|
29
100
|
}
|
|
30
|
-
export declare class PrincipalImpl implements Principal, WildcardPrincipal, AccountPrincipal, AwsPrincipal, ServicePrincipal, FederatedPrincipal, CanonicalUserPrincipal {
|
|
101
|
+
export declare class PrincipalImpl implements Principal, WildcardPrincipal, AccountPrincipal, UniqueIdPrincipal, AwsPrincipal, ServicePrincipal, FederatedPrincipal, CanonicalUserPrincipal {
|
|
31
102
|
private readonly principalType;
|
|
32
103
|
private readonly principalId;
|
|
33
104
|
constructor(principalType: PrincipalType, principalId: string);
|
|
@@ -35,12 +106,14 @@ export declare class PrincipalImpl implements Principal, WildcardPrincipal, Acco
|
|
|
35
106
|
type(): PrincipalType;
|
|
36
107
|
isWildcardPrincipal(): this is WildcardPrincipal;
|
|
37
108
|
isAccountPrincipal(): this is AccountPrincipal;
|
|
109
|
+
isUniqueIdPrincipal(): this is UniqueIdPrincipal;
|
|
38
110
|
isAwsPrincipal(): this is AwsPrincipal;
|
|
39
111
|
isServicePrincipal(): this is ServicePrincipal;
|
|
40
112
|
isFederatedPrincipal(): this is FederatedPrincipal;
|
|
41
113
|
isCanonicalUserPrincipal(): this is CanonicalUserPrincipal;
|
|
42
114
|
wildcard(): '*';
|
|
43
115
|
accountId(): string;
|
|
116
|
+
uniqueId(): string;
|
|
44
117
|
arn(): string;
|
|
45
118
|
service(): string;
|
|
46
119
|
federated(): string;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"principal.d.ts","sourceRoot":"","sources":["../../../src/principals/principal.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,aAAa,GAAG,KAAK,GAAG,SAAS,GAAG,WAAW,GAAG,eAAe,CAAA;AAE7E,MAAM,WAAW,SAAS;IACxB,IAAI,IAAI,aAAa,CAAA;
|
|
1
|
+
{"version":3,"file":"principal.d.ts","sourceRoot":"","sources":["../../../src/principals/principal.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,aAAa,GAAG,KAAK,GAAG,SAAS,GAAG,WAAW,GAAG,eAAe,CAAA;AAE7E;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB;;OAEG;IACH,IAAI,IAAI,aAAa,CAAA;IAErB;;OAEG;IACH,KAAK,IAAI,MAAM,CAAA;IAEf;;OAEG;IACH,mBAAmB,IAAI,IAAI,IAAI,iBAAiB,CAAA;IAEhD;;OAEG;IACH,kBAAkB,IAAI,IAAI,IAAI,gBAAgB,CAAA;IAE9C;;OAEG;IACH,cAAc,IAAI,IAAI,IAAI,YAAY,CAAA;IAEtC;;OAEG;IACH,mBAAmB,IAAI,IAAI,IAAI,iBAAiB,CAAA;IAEhD;;OAEG;IACH,oBAAoB,IAAI,IAAI,IAAI,kBAAkB,CAAA;IAElD;;OAEG;IACH,wBAAwB,IAAI,IAAI,IAAI,sBAAsB,CAAA;IAE1D;;OAEG;IACH,kBAAkB,IAAI,IAAI,IAAI,gBAAgB,CAAA;CAE/C;AAED;;GAEG;AACH,MAAM,WAAW,iBAAkB,SAAQ,SAAS;IAClD;;OAEG;IACH,QAAQ,IAAI,GAAG,CAAA;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAiB,SAAQ,SAAS;IAEjD;;OAEG;IACH,SAAS,IAAI,MAAM,CAAA;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,YAAa,SAAQ,SAAS;IAC7C,GAAG,IAAI,MAAM,CAAA;CACd;AAED;;;GAGG;AACH,MAAM,WAAW,iBAAkB,SAAQ,SAAS;IAClD,QAAQ,IAAI,MAAM,CAAA;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAiB,SAAQ,SAAS;IAEjD;;OAEG;IACH,OAAO,IAAI,MAAM,CAAA;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAmB,SAAQ,SAAS;IACnD;;OAEG;IACH,SAAS,IAAI,MAAM,CAAA;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,sBAAuB,SAAQ,SAAS;IACvD;;OAEG;IACH,aAAa,IAAI,MAAM,CAAA;CACxB;AAMD,qBAAa,aAAc,YAAW,SAAS,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,YAAY,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,sBAAsB;IACrK,OAAO,CAAC,QAAQ,CAAC,aAAa;IAAiB,OAAO,CAAC,QAAQ,CAAC,WAAW;gBAA1D,aAAa,EAAE,aAAa,EAAmB,WAAW,EAAE,MAAM;IAExF,KAAK,IAAI,MAAM;IAIf,IAAI,IAAI,aAAa;IAIrB,mBAAmB,IAAI,IAAI,IAAI,iBAAiB;IAIhD,kBAAkB,IAAI,IAAI,IAAI,gBAAgB;IAO9C,mBAAmB,IAAI,IAAI,IAAI,iBAAiB;IAOhD,cAAc,IAAI,IAAI,IAAI,YAAY;IAQtC,kBAAkB,IAAI,IAAI,IAAI,gBAAgB;IAI9C,oBAAoB,IAAI,IAAI,IAAI,kBAAkB;IAIlD,wBAAwB,IAAI,IAAI,IAAI,sBAAsB;IAI1D,QAAQ,IAAI,GAAG;IAOf,SAAS,IAAI,MAAM;IAUnB,QAAQ,IAAI,MAAM;IAOlB,GAAG,IAAI,MAAM;IAOb,OAAO,IAAI,MAAM;IAOjB,SAAS,IAAI,MAAM;IAOnB,aAAa,IAAI,MAAM;CAO/B"}
|
|
@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
|
|
|
3
3
|
exports.PrincipalImpl = void 0;
|
|
4
4
|
const accountIdRegex = /^[0-9]{12}$/;
|
|
5
5
|
const accountArnRegex = /^arn:.*?:iam::[0-9]{12}:root$/;
|
|
6
|
+
const uniqueIdRegex = /^A[0-9A-Z]+$/;
|
|
6
7
|
class PrincipalImpl {
|
|
7
8
|
principalType;
|
|
8
9
|
principalId;
|
|
@@ -25,11 +26,18 @@ class PrincipalImpl {
|
|
|
25
26
|
}
|
|
26
27
|
return accountIdRegex.test(this.principalId) || accountArnRegex.test(this.principalId);
|
|
27
28
|
}
|
|
29
|
+
isUniqueIdPrincipal() {
|
|
30
|
+
if (this.principalType !== 'AWS') {
|
|
31
|
+
return false;
|
|
32
|
+
}
|
|
33
|
+
return uniqueIdRegex.test(this.principalId);
|
|
34
|
+
}
|
|
28
35
|
isAwsPrincipal() {
|
|
29
36
|
if (this.principalType !== 'AWS') {
|
|
30
37
|
return false;
|
|
31
38
|
}
|
|
32
|
-
|
|
39
|
+
const anyThis = this;
|
|
40
|
+
return anyThis.principalId != "*" && !anyThis.isAccountPrincipal() && !anyThis.isUniqueIdPrincipal();
|
|
33
41
|
}
|
|
34
42
|
isServicePrincipal() {
|
|
35
43
|
return this.principalType === 'Service';
|
|
@@ -55,6 +63,12 @@ class PrincipalImpl {
|
|
|
55
63
|
}
|
|
56
64
|
return this.principalId;
|
|
57
65
|
}
|
|
66
|
+
uniqueId() {
|
|
67
|
+
if (!this.isUniqueIdPrincipal()) {
|
|
68
|
+
throw new Error('Principal is not a unique id principal, call isUniqueIdPrincipal() before calling uniqueId()');
|
|
69
|
+
}
|
|
70
|
+
return this.principalId;
|
|
71
|
+
}
|
|
58
72
|
arn() {
|
|
59
73
|
if (!this.isAwsPrincipal()) {
|
|
60
74
|
throw new Error('Principal is not an AWS principal, call isAwsPrincipal() before calling arn()');
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"principal.js","sourceRoot":"","sources":["../../../src/principals/principal.ts"],"names":[],"mappings":";;;
|
|
1
|
+
{"version":3,"file":"principal.js","sourceRoot":"","sources":["../../../src/principals/principal.ts"],"names":[],"mappings":";;;AAwHA,MAAM,cAAc,GAAG,aAAa,CAAA;AACpC,MAAM,eAAe,GAAG,+BAA+B,CAAA;AACvD,MAAM,aAAa,GAAG,cAAc,CAAA;AAEpC,MAAa,aAAa;IACK;IAA+C;IAA5E,YAA6B,aAA4B,EAAmB,WAAmB;QAAlE,kBAAa,GAAb,aAAa,CAAe;QAAmB,gBAAW,GAAX,WAAW,CAAQ;IAAG,CAAC;IAE5F,KAAK;QACV,OAAO,IAAI,CAAC,WAAW,CAAA;IACzB,CAAC;IAEM,IAAI;QACT,OAAO,IAAI,CAAC,aAAa,CAAA;IAC3B,CAAC;IAEM,mBAAmB;QACxB,OAAO,IAAI,CAAC,aAAa,KAAK,KAAK,IAAI,IAAI,CAAC,WAAW,KAAK,GAAG,CAAA;IACjE,CAAC;IAEM,kBAAkB;QACvB,IAAG,IAAI,CAAC,aAAa,KAAK,KAAK,EAAE,CAAC;YAChC,OAAO,KAAK,CAAA;QACd,CAAC;QACD,OAAO,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;IACxF,CAAC;IAEM,mBAAmB;QACxB,IAAG,IAAI,CAAC,aAAa,KAAK,KAAK,EAAE,CAAC;YAChC,OAAO,KAAK,CAAA;QACd,CAAC;QACD,OAAO,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;IAC7C,CAAC;IAEM,cAAc;QACnB,IAAG,IAAI,CAAC,aAAa,KAAK,KAAK,EAAE,CAAC;YAChC,OAAO,KAAK,CAAA;QACd,CAAC;QACD,MAAM,OAAO,GAAQ,IAAI,CAAA;QACzB,OAAO,OAAO,CAAC,WAAW,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,kBAAkB,EAAE,IAAI,CAAC,OAAO,CAAC,mBAAmB,EAAE,CAAA;IACtG,CAAC;IAEM,kBAAkB;QACvB,OAAO,IAAI,CAAC,aAAa,KAAK,SAAS,CAAA;IACzC,CAAC;IAEM,oBAAoB;QACzB,OAAO,IAAI,CAAC,aAAa,KAAK,WAAW,CAAA;IAC3C,CAAC;IAEM,wBAAwB;QAC7B,OAAO,IAAI,CAAC,aAAa,KAAK,eAAe,CAAA;IAC/C,CAAC;IAEM,QAAQ;QACb,IAAG,CAAC,IAAI,CAAC,mBAAmB,EAAE,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CAAC,6FAA6F,CAAC,CAAA;QAChH,CAAC;QACD,OAAO,GAAG,CAAA;IACZ,CAAC;IAEM,SAAS;QACd,IAAG,CAAC,IAAI,CAAC,kBAAkB,EAAE,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CAAC,6FAA6F,CAAC,CAAA;QAChH,CAAC;QACD,IAAG,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;YAC1C,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAA;QACvC,CAAC;QACD,OAAO,IAAI,CAAC,WAAW,CAAA;IACzB,CAAC;IAEM,QAAQ;QACb,IAAG,CAAC,IAAI,CAAC,mBAAmB,EAAE,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CAAC,8FAA8F,CAAC,CAAA;QACjH,CAAC;QACD,OAAO,IAAI,CAAC,WAAW,CAAA;IACzB,CAAC;IAEM,GAAG;QACR,IAAG,CAAC,IAAI,CAAC,cAAc,EAAE,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,+EAA+E,CAAC,CAAA;QAClG,CAAC;QACD,OAAO,IAAI,CAAC,WAAW,CAAA;IACzB,CAAC;IAEM,OAAO;QACZ,IAAG,CAAC,IAAI,CAAC,kBAAkB,EAAE,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CAAC,0FAA0F,CAAC,CAAA;QAC7G,CAAC;QACD,OAAO,IAAI,CAAC,WAAW,CAAA;IACzB,CAAC;IAEM,SAAS;QACd,IAAG,IAAI,CAAC,aAAa,KAAK,WAAW,EAAE,CAAC;YACtC,MAAM,IAAI,KAAK,CAAC,gGAAgG,CAAC,CAAA;QACnH,CAAC;QACD,OAAO,IAAI,CAAC,WAAW,CAAA;IACzB,CAAC;IAEM,aAAa;QAClB,IAAG,IAAI,CAAC,aAAa,KAAK,eAAe,EAAE,CAAC;YAC1C,MAAM,IAAI,KAAK,CAAC,6GAA6G,CAAC,CAAA;QAChI,CAAC;QACD,OAAO,IAAI,CAAC,WAAW,CAAA;IACzB,CAAC;CAEF;AArGD,sCAqGC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"validate.d.ts","sourceRoot":"","sources":["../../../src/validate/validate.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAA;IACf,IAAI,EAAE,MAAM,CAAA;CACb;
|
|
1
|
+
{"version":3,"file":"validate.d.ts","sourceRoot":"","sources":["../../../src/validate/validate.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAA;IACf,IAAI,EAAE,MAAM,CAAA;CACb;AASD,wBAAgB,oBAAoB,CAAC,cAAc,EAAE,GAAG,GAAG,eAAe,EAAE,CA0C3E"}
|
|
@@ -4,6 +4,8 @@ exports.validatePolicySyntax = validatePolicySyntax;
|
|
|
4
4
|
const allowedPolicyKeys = new Set(['Version', 'Statement', 'Id']);
|
|
5
5
|
const allowedStatementKeys = new Set(['Sid', 'Effect', 'Action', 'NotAction', 'Resource', 'NotResource', 'Principal', 'NotPrincipal', 'Condition']);
|
|
6
6
|
const allowedPrincipalKeys = new Set(['AWS', 'Service', 'Federated', 'CanonicalUser']);
|
|
7
|
+
const validConditionOperatorPattern = /^[a-zA-Z0-9:]+$/;
|
|
8
|
+
const allowedSetOperators = new Set(["forallvalues", "foranyvalue"]);
|
|
7
9
|
function validatePolicySyntax(policyDocument) {
|
|
8
10
|
const allErrors = [];
|
|
9
11
|
if (typeof policyDocument !== 'object') {
|
|
@@ -29,6 +31,20 @@ function validatePolicySyntax(policyDocument) {
|
|
|
29
31
|
for (let i = 0; i < policyDocument.Statement.length; i++) {
|
|
30
32
|
allErrors.push(...validateStatement(policyDocument.Statement[i], `Statement[${i}]`));
|
|
31
33
|
}
|
|
34
|
+
const statementIdCounts = policyDocument.Statement.reduce((acc, statement) => {
|
|
35
|
+
if (statement.Sid) {
|
|
36
|
+
acc[statement.Sid] = acc[statement.Sid] ? acc[statement.Sid] + 1 : 1;
|
|
37
|
+
}
|
|
38
|
+
return acc;
|
|
39
|
+
}, {});
|
|
40
|
+
for (const [sid, count] of Object.entries(statementIdCounts)) {
|
|
41
|
+
if (count > 1) {
|
|
42
|
+
allErrors.push({
|
|
43
|
+
path: `Statement`,
|
|
44
|
+
message: `Statement Ids must be unique, found ${sid} ${count} times`
|
|
45
|
+
});
|
|
46
|
+
}
|
|
47
|
+
}
|
|
32
48
|
}
|
|
33
49
|
return allErrors;
|
|
34
50
|
}
|
|
@@ -39,6 +55,9 @@ function validateStatement(statement, path) {
|
|
|
39
55
|
if (statement.Effect !== 'Allow' && statement.Effect !== 'Deny') {
|
|
40
56
|
statementErrors.push({ path: `${path}.Effect`, message: `Effect must be present and exactly "Allow" or "Deny"` });
|
|
41
57
|
}
|
|
58
|
+
statementErrors.push(...validateOnlyOneOf(statement, path, 'Action', 'NotAction'));
|
|
59
|
+
statementErrors.push(...validateOnlyOneOf(statement, path, 'Resource', 'NotResource'));
|
|
60
|
+
statementErrors.push(...validateOnlyOneOf(statement, path, 'Principal', 'NotPrincipal'));
|
|
42
61
|
statementErrors.push(...validateTypeOrArrayOfTypeIfExists(statement.Action, `${path}.Action`, 'string'));
|
|
43
62
|
statementErrors.push(...validateTypeOrArrayOfTypeIfExists(statement.NotAction, `${path}.NotAction`, 'string'));
|
|
44
63
|
statementErrors.push(...validateResource(statement.Resource, `${path}.Resource`));
|
|
@@ -47,6 +66,7 @@ function validateStatement(statement, path) {
|
|
|
47
66
|
statementErrors.push(...validateDataTypeIfExists(statement.NotPrincipal, `${path}.NotPrincipal`, ['string', 'object']));
|
|
48
67
|
statementErrors.push(...validatePrincipal(statement.Principal, `${path}.Principal`));
|
|
49
68
|
statementErrors.push(...validatePrincipal(statement.NotPrincipal, `${path}.NotPrincipal`));
|
|
69
|
+
//TODO: If the condition key exists but there is no value, it is an error
|
|
50
70
|
statementErrors.push(...validateCondition(statement.Condition, `${path}.Condition`));
|
|
51
71
|
return statementErrors;
|
|
52
72
|
}
|
|
@@ -102,7 +122,7 @@ function validateResourceString(resourceString, path) {
|
|
|
102
122
|
}
|
|
103
123
|
function validateCondition(condition, path) {
|
|
104
124
|
const conditionErrors = [];
|
|
105
|
-
if (condition === undefined) {
|
|
125
|
+
if (condition === undefined || condition === null) {
|
|
106
126
|
return [];
|
|
107
127
|
}
|
|
108
128
|
conditionErrors.push(...validateDataTypeIfExists(condition, path, 'object'));
|
|
@@ -118,6 +138,29 @@ function validateCondition(condition, path) {
|
|
|
118
138
|
}
|
|
119
139
|
const conditionOperators = Object.keys(condition);
|
|
120
140
|
for (const operator of conditionOperators) {
|
|
141
|
+
//If not valid pattern
|
|
142
|
+
if (!validConditionOperatorPattern.test(operator)) {
|
|
143
|
+
conditionErrors.push({
|
|
144
|
+
path: `${path}.${operator}`,
|
|
145
|
+
message: `Condition operator is invalid`,
|
|
146
|
+
});
|
|
147
|
+
}
|
|
148
|
+
const splitOperator = operator.split(':');
|
|
149
|
+
if (splitOperator.length > 2) {
|
|
150
|
+
conditionErrors.push({
|
|
151
|
+
path: `${path}.${operator}`,
|
|
152
|
+
message: `Condition operator is invalid`,
|
|
153
|
+
});
|
|
154
|
+
}
|
|
155
|
+
else if (splitOperator.length === 2) {
|
|
156
|
+
const setOperator = splitOperator[0];
|
|
157
|
+
if (!allowedSetOperators.has(setOperator)) {
|
|
158
|
+
conditionErrors.push({
|
|
159
|
+
path: `${path}.${operator}`,
|
|
160
|
+
message: `Condition set operator must be either ForAllValues or ForAnyValue`,
|
|
161
|
+
});
|
|
162
|
+
}
|
|
163
|
+
}
|
|
121
164
|
conditionErrors.push(...validateDataTypeIfExists(condition[operator], `${path}.${operator}`, 'object'));
|
|
122
165
|
if (Array.isArray(condition[operator])) {
|
|
123
166
|
conditionErrors.push({
|
|
@@ -146,6 +189,12 @@ function validateKeys(object, allowedKeys, path) {
|
|
|
146
189
|
path: `${path}${key}`
|
|
147
190
|
});
|
|
148
191
|
}
|
|
192
|
+
else if (object[key] === undefined || object[key] === null) {
|
|
193
|
+
keyErrors.push({
|
|
194
|
+
message: `If present, ${key} cannot be null or undefined`,
|
|
195
|
+
path: `${path}${key}`
|
|
196
|
+
});
|
|
197
|
+
}
|
|
149
198
|
}
|
|
150
199
|
return keyErrors;
|
|
151
200
|
}
|
|
@@ -180,4 +229,16 @@ function validateDataTypeIfExists(value, path, allowedDataTypes) {
|
|
|
180
229
|
}
|
|
181
230
|
return errors;
|
|
182
231
|
}
|
|
232
|
+
function validateOnlyOneOf(value, path, firstKey, secondKey) {
|
|
233
|
+
const keys = Object.keys(value);
|
|
234
|
+
if (keys.includes(firstKey) && keys.includes(secondKey)) {
|
|
235
|
+
return [
|
|
236
|
+
{
|
|
237
|
+
message: `Only one of ${firstKey} or ${secondKey} is allowed, found both`,
|
|
238
|
+
path
|
|
239
|
+
}
|
|
240
|
+
];
|
|
241
|
+
}
|
|
242
|
+
return [];
|
|
243
|
+
}
|
|
183
244
|
//# sourceMappingURL=validate.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"validate.js","sourceRoot":"","sources":["../../../src/validate/validate.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"validate.js","sourceRoot":"","sources":["../../../src/validate/validate.ts"],"names":[],"mappings":";;AAYA,oDA0CC;AAjDD,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC,CAAE,SAAS,EAAE,WAAW,EAAE,IAAI,CAAE,CAAC,CAAA;AACnE,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC,CAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,UAAU,EAAE,aAAa,EAAE,WAAW,EAAE,cAAc,EAAE,WAAW,CAAC,CAAC,CAAA;AACpJ,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC,CAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,eAAe,CAAC,CAAC,CAAA;AACvF,MAAM,6BAA6B,GAAG,iBAAiB,CAAA;AACvD,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC,CAAC,cAAc,EAAE,aAAa,CAAC,CAAC,CAAA;AAGpE,SAAgB,oBAAoB,CAAC,cAAmB;IACtD,MAAM,SAAS,GAAsB,EAAE,CAAA;IACvC,IAAG,OAAO,cAAc,KAAK,QAAQ,EAAE,CAAC;QACtC,OAAO,CAAC,EAAC,IAAI,EAAE,EAAE,EAAE,OAAO,EAAE,2CAA2C,OAAO,cAAc,EAAE,EAAC,CAAC,CAAA;IAClG,CAAC;SAAM,IAAI,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;QACzC,OAAO,CAAC,EAAC,IAAI,EAAE,EAAE,EAAE,OAAO,EAAE,6CAA6C,EAAC,CAAC,CAAA;IAC7E,CAAC;IAED,SAAS,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,cAAc,EAAE,iBAAiB,EAAE,EAAE,CAAC,CAAC,CAAA;IAEtE,SAAS,CAAC,IAAI,CAAC,GAAG,wBAAwB,CAAC,cAAc,CAAC,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAA;IACxF,SAAS,CAAC,IAAI,CAAC,GAAG,wBAAwB,CAAC,cAAc,CAAC,EAAE,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAA;IAC9E,IAAG,CAAC,cAAc,CAAC,SAAS,EAAE,CAAC;QAC7B,SAAS,CAAC,IAAI,CAAC;YACb,IAAI,EAAE,WAAW;YACjB,OAAO,EAAE,uBAAuB;SACjC,CAAC,CAAA;IACJ,CAAC;IACD,SAAS,CAAC,IAAI,CAAC,GAAG,iCAAiC,CAAC,cAAc,CAAC,SAAS,EAAE,WAAW,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAA;IACvG,IAAG,OAAO,cAAc,CAAC,SAAS,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC,SAAS,CAAC,EAAE,CAAC;QAC5F,SAAS,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,cAAc,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC,CAAA;IAC7E,CAAC;SAAM,IAAI,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC,SAAS,CAAC,EAAE,CAAC;QACnD,KAAI,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,cAAc,CAAC,SAAS,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACxD,SAAS,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,aAAa,CAAC,GAAG,CAAC,CAAC,CAAA;QACtF,CAAC;QACD,MAAM,iBAAiB,GAAG,cAAc,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,GAA2B,EAAE,SAAc,EAAE,EAAE;YACxG,IAAG,SAAS,CAAC,GAAG,EAAE,CAAC;gBACjB,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAA;YACtE,CAAC;YACD,OAAO,GAAG,CAAA;QACZ,CAAC,EAAE,EAA4B,CAAC,CAAA;QAChC,KAAI,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAS,iBAAiB,CAAC,EAAE,CAAC;YACpE,IAAG,KAAK,GAAG,CAAC,EAAE,CAAC;gBACb,SAAS,CAAC,IAAI,CAAC;oBACb,IAAI,EAAE,WAAW;oBACjB,OAAO,EAAE,uCAAuC,GAAG,IAAI,KAAK,QAAQ;iBACrE,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAA;AAClB,CAAC;AAED,SAAS,iBAAiB,CAAC,SAAc,EAAE,IAAY;IACrD,MAAM,eAAe,GAAsB,EAAE,CAAA;IAC7C,eAAe,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,SAAS,EAAE,oBAAoB,EAAE,IAAI,CAAC,CAAC,CAAA;IAC5E,eAAe,CAAC,IAAI,CAAC,GAAG,wBAAwB,CAAC,SAAS,CAAC,GAAG,EAAE,GAAG,IAAI,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAA;IACzF,IAAG,SAAS,CAAC,MAAM,KAAK,OAAO,IAAI,SAAS,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QAC/D,eAAe,CAAC,IAAI,CAAC,EAAC,IAAI,EAAE,GAAG,IAAI,SAAS,EAAE,OAAO,EAAE,sDAAsD,EAAC,CAAC,CAAA;IACjH,CAAC;IAED,eAAe,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,SAAS,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,CAAC,CAAC,CAAA;IAClF,eAAe,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC,CAAA;IACtF,eAAe,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,SAAS,EAAE,IAAI,EAAE,WAAW,EAAE,cAAc,CAAC,CAAC,CAAA;IAExF,eAAe,CAAC,IAAI,CAAC,GAAG,iCAAiC,CAAC,SAAS,CAAC,MAAM,EAAE,GAAG,IAAI,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAA;IACxG,eAAe,CAAC,IAAI,CAAC,GAAG,iCAAiC,CAAC,SAAS,CAAC,SAAS,EAAE,GAAG,IAAI,YAAY,EAAE,QAAQ,CAAC,CAAC,CAAA;IAE9G,eAAe,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,SAAS,CAAC,QAAQ,EAAE,GAAG,IAAI,WAAW,CAAC,CAAC,CAAA;IACjF,eAAe,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,SAAS,CAAC,WAAW,EAAE,GAAG,IAAI,cAAc,CAAC,CAAC,CAAA;IAEvF,eAAe,CAAC,IAAI,CAAC,GAAG,wBAAwB,CAAC,SAAS,CAAC,SAAS,EAAE,GAAG,IAAI,YAAY,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAA;IACjH,eAAe,CAAC,IAAI,CAAC,GAAG,wBAAwB,CAAC,SAAS,CAAC,YAAY,EAAE,GAAG,IAAI,eAAe,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAA;IACvH,eAAe,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,SAAS,CAAC,SAAS,EAAE,GAAG,IAAI,YAAY,CAAC,CAAC,CAAA;IACpF,eAAe,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,SAAS,CAAC,YAAY,EAAE,GAAG,IAAI,eAAe,CAAC,CAAC,CAAA;IAE1F,yEAAyE;IACzE,eAAe,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,SAAS,CAAC,SAAS,EAAE,GAAG,IAAI,YAAY,CAAC,CAAC,CAAA;IACpF,OAAO,eAAe,CAAA;AAExB,CAAC;AAED,SAAS,iBAAiB,CAAC,SAAc,EAAE,IAAY;IACrD,MAAM,eAAe,GAAsB,EAAE,CAAA;IAE7C,IAAG,SAAS,KAAK,SAAS,IAAI,OAAO,SAAS,KAAK,QAAQ,EAAE,CAAC;QAC5D,OAAO,EAAE,CAAA;IACX,CAAC;IACD,IAAG,OAAO,SAAS,KAAK,QAAQ,EAAE,CAAC;QACjC,eAAe,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,SAAS,EAAE,oBAAoB,EAAE,IAAI,CAAC,CAAC,CAAA;QAC5E,eAAe,CAAC,IAAI,CAAC,GAAG,iCAAiC,CAAC,SAAS,CAAC,GAAG,EAAE,GAAG,IAAI,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAA;QAClG,eAAe,CAAC,IAAI,CAAC,GAAG,iCAAiC,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,UAAU,EAAE,QAAQ,CAAC,CAAC,CAAA;QAC1G,eAAe,CAAC,IAAI,CAAC,GAAG,iCAAiC,CAAC,SAAS,CAAC,SAAS,EAAE,GAAG,IAAI,YAAY,EAAE,QAAQ,CAAC,CAAC,CAAA;QAC9G,eAAe,CAAC,IAAI,CAAC,GAAG,iCAAiC,CAAC,SAAS,CAAC,aAAa,EAAE,GAAG,IAAI,gBAAgB,EAAE,QAAQ,CAAC,CAAC,CAAA;IACxH,CAAC;IAED,OAAO,eAAe,CAAA;AAExB,CAAC;AAED,SAAS,gBAAgB,CAAC,QAAa,EAAE,IAAY;IACnD,IAAG,QAAQ,KAAK,SAAS,EAAE,CAAC;QAC1B,OAAO,EAAE,CAAA;IACX,CAAC;IACD,IAAG,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAChC,OAAO,sBAAsB,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAA;IAC/C,CAAC;SAAM,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QACnC,MAAM,cAAc,GAAsB,EAAE,CAAA;QAC5C,KAAI,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACxC,cAAc,CAAC,IAAI,CAAC,GAAG,sBAAsB,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,CAAA;QAC9E,CAAC;QACD,OAAO,cAAc,CAAA;IACvB,CAAC;IACD,OAAO;QACL;YACE,IAAI;YACJ,OAAO,EAAE,sCAAsC;SAChD;KACF,CAAA;AACH,CAAC;AAED,SAAS,sBAAsB,CAAC,cAAmB,EAAE,IAAY;IAC/D,IAAG,cAAc,KAAK,GAAG,EAAE,CAAC;QAC1B,OAAO,EAAE,CAAA;IACX,CAAC;IACD,MAAM,KAAK,GAAG,cAAc,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACvC,IAAG,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,EAAE,CAAC;QAC5C,OAAO;YACL;gBACE,IAAI;gBACJ,OAAO,EAAE,yDAAyD;aACnE;SACF,CAAA;IACH,CAAC;IAED,OAAO,EAAE,CAAA;AAEX,CAAC;AAED,SAAS,iBAAiB,CAAC,SAAc,EAAE,IAAY;IACrD,MAAM,eAAe,GAAsB,EAAE,CAAA;IAC7C,IAAG,SAAS,KAAK,SAAS,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;QACjD,OAAO,EAAE,CAAA;IACX,CAAC;IACD,eAAe,CAAC,IAAI,CAAC,GAAG,wBAAwB,CAAC,SAAS,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAA;IAC5E,IAAG,OAAO,SAAS,KAAK,QAAQ,EAAE,CAAC;QACjC,OAAO,eAAe,CAAA;IACxB,CAAC;SAAM,IAAI,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;QACpC,eAAe,CAAC,IAAI,CAAC;YACnB,OAAO,EAAE,6CAA6C;YACtD,IAAI;SACL,CAAC,CAAA;QACF,OAAO,eAAe,CAAA;IACxB,CAAC;IAED,MAAM,kBAAkB,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;IACjD,KAAI,MAAM,QAAQ,IAAI,kBAAkB,EAAE,CAAC;QACzC,sBAAsB;QACtB,IAAG,CAAC,6BAA6B,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YACjD,eAAe,CAAC,IAAI,CAAC;gBACnB,IAAI,EAAE,GAAG,IAAI,IAAI,QAAQ,EAAE;gBAC3B,OAAO,EAAE,+BAA+B;aACzC,CAAC,CAAA;QACJ,CAAC;QACD,MAAM,aAAa,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QACzC,IAAG,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC5B,eAAe,CAAC,IAAI,CAAC;gBACnB,IAAI,EAAE,GAAG,IAAI,IAAI,QAAQ,EAAE;gBAC3B,OAAO,EAAE,+BAA+B;aACzC,CAAC,CAAA;QACJ,CAAC;aAAM,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACtC,MAAM,WAAW,GAAG,aAAa,CAAC,CAAC,CAAC,CAAA;YACpC,IAAG,CAAC,mBAAmB,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,CAAC;gBACzC,eAAe,CAAC,IAAI,CAAC;oBACnB,IAAI,EAAE,GAAG,IAAI,IAAI,QAAQ,EAAE;oBAC3B,OAAO,EAAE,mEAAmE;iBAC7E,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;QAED,eAAe,CAAC,IAAI,CAAC,GAAG,wBAAwB,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,GAAG,IAAI,IAAI,QAAQ,EAAE,EAAE,QAAQ,CAAC,CAAC,CAAA;QACvG,IAAG,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;YACtC,eAAe,CAAC,IAAI,CAAC;gBACnB,OAAO,EAAE,sDAAsD;gBAC/D,IAAI,EAAE,GAAG,IAAI,IAAI,QAAQ,EAAE;aAC5B,CAAC,CAAA;QACJ,CAAC;QAED,IAAG,OAAO,SAAS,CAAC,QAAQ,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;YAClF,MAAM,aAAa,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAA;YACtD,KAAI,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;gBAC/B,eAAe,CAAC,IAAI,CAAC,GAAG,iCAAiC,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,EAAE,GAAG,IAAI,IAAI,QAAQ,IAAI,GAAG,EAAE,EAAE,QAAQ,CAAC,CAAC,CAAA;YAC9H,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAA;AACxB,CAAC;AAED,SAAS,YAAY,CAAC,MAAW,EAAE,WAAwB,EAAE,IAAY;IACvE,MAAM,SAAS,GAAsB,EAAE,CAAA;IACvC,IAAG,IAAI,IAAI,EAAE,EAAE,CAAC;QACd,IAAI,GAAG,GAAG,IAAI,GAAG,CAAA;IACnB,CAAC;IAED,KAAI,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QACrC,IAAG,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YACzB,SAAS,CAAC,IAAI,CAAC;gBACb,OAAO,EAAE,eAAe,GAAG,EAAE;gBAC7B,IAAI,EAAE,GAAG,IAAI,GAAG,GAAG,EAAE;aACtB,CAAC,CAAA;QACJ,CAAC;aAAM,IAAI,MAAM,CAAC,GAAG,CAAC,KAAK,SAAS,IAAI,MAAM,CAAC,GAAG,CAAC,KAAK,IAAI,EAAE,CAAC;YAC7D,SAAS,CAAC,IAAI,CAAC;gBACb,OAAO,EAAE,eAAe,GAAG,8BAA8B;gBACzD,IAAI,EAAE,GAAG,IAAI,GAAG,GAAG,EAAE;aACtB,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAA;AAClB,CAAC;AAED,SAAS,iCAAiC,CAAC,KAAU,EAAE,IAAY,EAAE,YAA6C;IAChH,IAAG,KAAK,KAAK,SAAS,EAAE,CAAC;QACvB,OAAO,EAAE,CAAA;IACX,CAAC;IAED,YAAY,GAAG,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAE,YAAY,CAAE,CAAA;IAC5E,MAAM,iBAAiB,GAAsB,EAAE,CAAA;IAC/C,IAAG,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,wBAAwB,CAAC,KAAK,EAAE,IAAI,EAAE,YAAY,CAAC,CAAA;IAC5D,CAAC;SAAM,CAAC;QACN,KAAI,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACrC,iBAAiB,CAAC,IAAI,CAAC,GAAG,wBAAwB,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,GAAG,IAAI,IAAI,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC,CAAA;QAC9F,CAAC;IACH,CAAC;IAED,OAAO,iBAAiB,CAAA;AAC1B,CAAC;AAED,SAAS,wBAAwB,CAAC,KAAU,EAAE,IAAY,EAAE,gBAAiD;IAC3G,IAAG,KAAK,KAAK,SAAS,EAAE,CAAC;QACvB,OAAO,EAAE,CAAA;IACX,CAAC;IAED,gBAAgB,GAAG,KAAK,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAE,gBAAgB,CAAE,CAAA;IAC5F,MAAM,MAAM,GAAsB,EAAE,CAAA;IACpC,MAAM,aAAa,GAAG,OAAO,KAAK,CAAA;IAClC,IAAG,CAAC,gBAAgB,CAAC,QAAQ,CAAC,aAA+B,CAAC,EAAE,CAAC;QAC/D,MAAM,CAAC,IAAI,CAAC;YACV,OAAO,EAAE,mBAAmB,aAAa,wBAAwB,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YAC9F,IAAI;SACL,CAAC,CAAA;IACJ,CAAC;IACD,OAAO,MAAM,CAAA;AACf,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAU,EAAE,IAAY,EAAE,QAAgB,EAAE,SAAiB;IACtF,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IAC/B,IAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QACvD,OAAO;YACL;gBACE,OAAO,EAAE,eAAe,QAAQ,OAAO,SAAS,yBAAyB;gBACzE,IAAI;aACL;SACF,CAAA;IACH,CAAC;IAED,OAAO,EAAE,CAAA;AACX,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"conditionOperation.d.ts","sourceRoot":"","sources":["../../../src/conditions/conditionOperation.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,WAAW,GAAG,cAAc,GAAG,aAAa,CAAA;AAExD;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC;;OAEG;IACH,WAAW,IAAI,WAAW,GAAG,SAAS,CAAA;IAEtC;;OAEG;IACH,YAAY,IAAI,MAAM,CAAA;IAEtB;;OAEG;IACH,UAAU,IAAI,OAAO,CAAA;IAErB;;OAEG;IACH,KAAK,IAAI,MAAM,CAAA;CAChB;AAID,qBAAa,sBAAuB,YAAW,kBAAkB;IACnD,OAAO,CAAC,QAAQ,CAAC,EAAE;gBAAF,EAAE,EAAE,MAAM;IAEhC,WAAW,IAAI,WAAW,GAAG,SAAS;
|
|
1
|
+
{"version":3,"file":"conditionOperation.d.ts","sourceRoot":"","sources":["../../../src/conditions/conditionOperation.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,WAAW,GAAG,cAAc,GAAG,aAAa,CAAA;AAExD;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC;;OAEG;IACH,WAAW,IAAI,WAAW,GAAG,SAAS,CAAA;IAEtC;;OAEG;IACH,YAAY,IAAI,MAAM,CAAA;IAEtB;;OAEG;IACH,UAAU,IAAI,OAAO,CAAA;IAErB;;OAEG;IACH,KAAK,IAAI,MAAM,CAAA;CAChB;AAID,qBAAa,sBAAuB,YAAW,kBAAkB;IACnD,OAAO,CAAC,QAAQ,CAAC,EAAE;gBAAF,EAAE,EAAE,MAAM;IAEhC,WAAW,IAAI,WAAW,GAAG,SAAS;IAatC,UAAU,IAAI,OAAO;IAIrB,YAAY,IAAI,MAAM;IAQtB,KAAK,IAAI,MAAM;CAIvB"}
|
|
@@ -7,14 +7,21 @@ export class ConditionOperationImpl {
|
|
|
7
7
|
if (!this.op.includes(':')) {
|
|
8
8
|
return undefined;
|
|
9
9
|
}
|
|
10
|
-
|
|
10
|
+
const setOp = this.op.split(':').at(0)?.toLowerCase();
|
|
11
|
+
if (setOp === 'forallvalues') {
|
|
12
|
+
return 'ForAllValues';
|
|
13
|
+
}
|
|
14
|
+
else if (setOp === 'foranyvalue') {
|
|
15
|
+
return 'ForAnyValue';
|
|
16
|
+
}
|
|
17
|
+
throw new Error(`Unknown set operator: ${setOp}`);
|
|
11
18
|
}
|
|
12
19
|
isIfExists() {
|
|
13
|
-
return this.op.endsWith('
|
|
20
|
+
return this.op.toLowerCase().endsWith('ifexists');
|
|
14
21
|
}
|
|
15
22
|
baseOperator() {
|
|
16
23
|
const base = this.op.split(':').at(-1);
|
|
17
|
-
if (base?.endsWith('
|
|
24
|
+
if (base?.toLowerCase().endsWith('ifexists')) {
|
|
18
25
|
return base.slice(0, ifExistsSlice);
|
|
19
26
|
}
|
|
20
27
|
return base;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"conditionOperation.js","sourceRoot":"","sources":["../../../src/conditions/conditionOperation.ts"],"names":[],"mappings":"AA2BA,MAAM,aAAa,GAAG,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;AAE5C,MAAM,OAAO,sBAAsB;IACjC,YAA6B,EAAU;QAAV,OAAE,GAAF,EAAE,CAAQ;IAAG,CAAC;IAEpC,WAAW;QAChB,IAAG,CAAC,IAAI,CAAC,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1B,OAAO,SAAS,CAAA;QAClB,CAAC;QACD,
|
|
1
|
+
{"version":3,"file":"conditionOperation.js","sourceRoot":"","sources":["../../../src/conditions/conditionOperation.ts"],"names":[],"mappings":"AA2BA,MAAM,aAAa,GAAG,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;AAE5C,MAAM,OAAO,sBAAsB;IACjC,YAA6B,EAAU;QAAV,OAAE,GAAF,EAAE,CAAQ;IAAG,CAAC;IAEpC,WAAW;QAChB,IAAG,CAAC,IAAI,CAAC,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1B,OAAO,SAAS,CAAA;QAClB,CAAC;QACD,MAAM,KAAK,GAAG,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAA;QACrD,IAAG,KAAK,KAAK,cAAc,EAAE,CAAC;YAC5B,OAAO,cAAc,CAAA;QACvB,CAAC;aAAM,IAAI,KAAK,KAAK,aAAa,EAAE,CAAC;YACnC,OAAO,aAAa,CAAA;QACtB,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,yBAAyB,KAAK,EAAE,CAAC,CAAA;IACnD,CAAC;IAEM,UAAU;QACf,OAAO,IAAI,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAA;IACnD,CAAC;IAEM,YAAY;QACjB,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAE,CAAA;QACvC,IAAG,IAAI,EAAE,WAAW,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YAC5C,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,aAAa,CAAC,CAAA;QACrC,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC;IAEM,KAAK;QACV,OAAO,IAAI,CAAC,EAAE,CAAA;IAChB,CAAC;CAEF"}
|
|
@@ -1,33 +1,104 @@
|
|
|
1
1
|
export type PrincipalType = 'AWS' | 'Service' | 'Federated' | 'CanonicalUser';
|
|
2
|
+
/**
|
|
3
|
+
* A Principal in a policy statement
|
|
4
|
+
*/
|
|
2
5
|
export interface Principal {
|
|
6
|
+
/**
|
|
7
|
+
* The type of principal, such as "AWS", "Service", "Federated", "CanonicalUser"
|
|
8
|
+
*/
|
|
3
9
|
type(): PrincipalType;
|
|
10
|
+
/**
|
|
11
|
+
* The raw string of the principal
|
|
12
|
+
*/
|
|
4
13
|
value(): string;
|
|
14
|
+
/**
|
|
15
|
+
* Whether the principal is a wildcard principal: `"*"`
|
|
16
|
+
*/
|
|
5
17
|
isWildcardPrincipal(): this is WildcardPrincipal;
|
|
18
|
+
/**
|
|
19
|
+
* Whether the principal is an AWS principal
|
|
20
|
+
*/
|
|
6
21
|
isServicePrincipal(): this is ServicePrincipal;
|
|
22
|
+
/**
|
|
23
|
+
* Whether the principal is an AWS principal that is not an account or wildcard principal
|
|
24
|
+
*/
|
|
7
25
|
isAwsPrincipal(): this is AwsPrincipal;
|
|
26
|
+
/**
|
|
27
|
+
* Whether the principal is a unique id principal
|
|
28
|
+
*/
|
|
29
|
+
isUniqueIdPrincipal(): this is UniqueIdPrincipal;
|
|
30
|
+
/**
|
|
31
|
+
* Whether the principal is a federated principal
|
|
32
|
+
*/
|
|
8
33
|
isFederatedPrincipal(): this is FederatedPrincipal;
|
|
34
|
+
/**
|
|
35
|
+
* Whether the principal is a canonical user principal
|
|
36
|
+
*/
|
|
9
37
|
isCanonicalUserPrincipal(): this is CanonicalUserPrincipal;
|
|
38
|
+
/**
|
|
39
|
+
* Whether the principal is an account principal
|
|
40
|
+
*/
|
|
10
41
|
isAccountPrincipal(): this is AccountPrincipal;
|
|
11
42
|
}
|
|
43
|
+
/**
|
|
44
|
+
* A wildcard principal: `"*"`
|
|
45
|
+
*/
|
|
12
46
|
export interface WildcardPrincipal extends Principal {
|
|
47
|
+
/**
|
|
48
|
+
* The wildcard character `"*"`, this exists to differentiate between this interface and the Principal interface
|
|
49
|
+
*/
|
|
13
50
|
wildcard(): '*';
|
|
14
51
|
}
|
|
52
|
+
/**
|
|
53
|
+
* An AWS principal: `"arn:aws:iam::account-id:root"` or a 12 digit account id
|
|
54
|
+
*/
|
|
15
55
|
export interface AccountPrincipal extends Principal {
|
|
56
|
+
/**
|
|
57
|
+
* The 12 digit account id of the principal
|
|
58
|
+
*/
|
|
16
59
|
accountId(): string;
|
|
17
60
|
}
|
|
61
|
+
/**
|
|
62
|
+
* An AWS principal this is an ARN that is not an account or wildcard principal
|
|
63
|
+
*/
|
|
18
64
|
export interface AwsPrincipal extends Principal {
|
|
19
65
|
arn(): string;
|
|
20
66
|
}
|
|
67
|
+
/**
|
|
68
|
+
* An AWS principal that is a unique Id
|
|
69
|
+
* https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids
|
|
70
|
+
*/
|
|
71
|
+
export interface UniqueIdPrincipal extends Principal {
|
|
72
|
+
uniqueId(): string;
|
|
73
|
+
}
|
|
74
|
+
/**
|
|
75
|
+
* An AWS principal that is a service principal: `"service"`
|
|
76
|
+
*/
|
|
21
77
|
export interface ServicePrincipal extends Principal {
|
|
78
|
+
/**
|
|
79
|
+
* The service the principal represents
|
|
80
|
+
*/
|
|
22
81
|
service(): string;
|
|
23
82
|
}
|
|
83
|
+
/**
|
|
84
|
+
* A federated principal
|
|
85
|
+
*/
|
|
24
86
|
export interface FederatedPrincipal extends Principal {
|
|
87
|
+
/**
|
|
88
|
+
* The id of the federated principal
|
|
89
|
+
*/
|
|
25
90
|
federated(): string;
|
|
26
91
|
}
|
|
92
|
+
/**
|
|
93
|
+
* A canonical user principal
|
|
94
|
+
*/
|
|
27
95
|
export interface CanonicalUserPrincipal extends Principal {
|
|
96
|
+
/**
|
|
97
|
+
* The canonical user id of the principal
|
|
98
|
+
*/
|
|
28
99
|
canonicalUser(): string;
|
|
29
100
|
}
|
|
30
|
-
export declare class PrincipalImpl implements Principal, WildcardPrincipal, AccountPrincipal, AwsPrincipal, ServicePrincipal, FederatedPrincipal, CanonicalUserPrincipal {
|
|
101
|
+
export declare class PrincipalImpl implements Principal, WildcardPrincipal, AccountPrincipal, UniqueIdPrincipal, AwsPrincipal, ServicePrincipal, FederatedPrincipal, CanonicalUserPrincipal {
|
|
31
102
|
private readonly principalType;
|
|
32
103
|
private readonly principalId;
|
|
33
104
|
constructor(principalType: PrincipalType, principalId: string);
|
|
@@ -35,12 +106,14 @@ export declare class PrincipalImpl implements Principal, WildcardPrincipal, Acco
|
|
|
35
106
|
type(): PrincipalType;
|
|
36
107
|
isWildcardPrincipal(): this is WildcardPrincipal;
|
|
37
108
|
isAccountPrincipal(): this is AccountPrincipal;
|
|
109
|
+
isUniqueIdPrincipal(): this is UniqueIdPrincipal;
|
|
38
110
|
isAwsPrincipal(): this is AwsPrincipal;
|
|
39
111
|
isServicePrincipal(): this is ServicePrincipal;
|
|
40
112
|
isFederatedPrincipal(): this is FederatedPrincipal;
|
|
41
113
|
isCanonicalUserPrincipal(): this is CanonicalUserPrincipal;
|
|
42
114
|
wildcard(): '*';
|
|
43
115
|
accountId(): string;
|
|
116
|
+
uniqueId(): string;
|
|
44
117
|
arn(): string;
|
|
45
118
|
service(): string;
|
|
46
119
|
federated(): string;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"principal.d.ts","sourceRoot":"","sources":["../../../src/principals/principal.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,aAAa,GAAG,KAAK,GAAG,SAAS,GAAG,WAAW,GAAG,eAAe,CAAA;AAE7E,MAAM,WAAW,SAAS;IACxB,IAAI,IAAI,aAAa,CAAA;
|
|
1
|
+
{"version":3,"file":"principal.d.ts","sourceRoot":"","sources":["../../../src/principals/principal.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,aAAa,GAAG,KAAK,GAAG,SAAS,GAAG,WAAW,GAAG,eAAe,CAAA;AAE7E;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB;;OAEG;IACH,IAAI,IAAI,aAAa,CAAA;IAErB;;OAEG;IACH,KAAK,IAAI,MAAM,CAAA;IAEf;;OAEG;IACH,mBAAmB,IAAI,IAAI,IAAI,iBAAiB,CAAA;IAEhD;;OAEG;IACH,kBAAkB,IAAI,IAAI,IAAI,gBAAgB,CAAA;IAE9C;;OAEG;IACH,cAAc,IAAI,IAAI,IAAI,YAAY,CAAA;IAEtC;;OAEG;IACH,mBAAmB,IAAI,IAAI,IAAI,iBAAiB,CAAA;IAEhD;;OAEG;IACH,oBAAoB,IAAI,IAAI,IAAI,kBAAkB,CAAA;IAElD;;OAEG;IACH,wBAAwB,IAAI,IAAI,IAAI,sBAAsB,CAAA;IAE1D;;OAEG;IACH,kBAAkB,IAAI,IAAI,IAAI,gBAAgB,CAAA;CAE/C;AAED;;GAEG;AACH,MAAM,WAAW,iBAAkB,SAAQ,SAAS;IAClD;;OAEG;IACH,QAAQ,IAAI,GAAG,CAAA;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAiB,SAAQ,SAAS;IAEjD;;OAEG;IACH,SAAS,IAAI,MAAM,CAAA;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,YAAa,SAAQ,SAAS;IAC7C,GAAG,IAAI,MAAM,CAAA;CACd;AAED;;;GAGG;AACH,MAAM,WAAW,iBAAkB,SAAQ,SAAS;IAClD,QAAQ,IAAI,MAAM,CAAA;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAiB,SAAQ,SAAS;IAEjD;;OAEG;IACH,OAAO,IAAI,MAAM,CAAA;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAmB,SAAQ,SAAS;IACnD;;OAEG;IACH,SAAS,IAAI,MAAM,CAAA;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,sBAAuB,SAAQ,SAAS;IACvD;;OAEG;IACH,aAAa,IAAI,MAAM,CAAA;CACxB;AAMD,qBAAa,aAAc,YAAW,SAAS,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,YAAY,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,sBAAsB;IACrK,OAAO,CAAC,QAAQ,CAAC,aAAa;IAAiB,OAAO,CAAC,QAAQ,CAAC,WAAW;gBAA1D,aAAa,EAAE,aAAa,EAAmB,WAAW,EAAE,MAAM;IAExF,KAAK,IAAI,MAAM;IAIf,IAAI,IAAI,aAAa;IAIrB,mBAAmB,IAAI,IAAI,IAAI,iBAAiB;IAIhD,kBAAkB,IAAI,IAAI,IAAI,gBAAgB;IAO9C,mBAAmB,IAAI,IAAI,IAAI,iBAAiB;IAOhD,cAAc,IAAI,IAAI,IAAI,YAAY;IAQtC,kBAAkB,IAAI,IAAI,IAAI,gBAAgB;IAI9C,oBAAoB,IAAI,IAAI,IAAI,kBAAkB;IAIlD,wBAAwB,IAAI,IAAI,IAAI,sBAAsB;IAI1D,QAAQ,IAAI,GAAG;IAOf,SAAS,IAAI,MAAM;IAUnB,QAAQ,IAAI,MAAM;IAOlB,GAAG,IAAI,MAAM;IAOb,OAAO,IAAI,MAAM;IAOjB,SAAS,IAAI,MAAM;IAOnB,aAAa,IAAI,MAAM;CAO/B"}
|
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
const accountIdRegex = /^[0-9]{12}$/;
|
|
2
2
|
const accountArnRegex = /^arn:.*?:iam::[0-9]{12}:root$/;
|
|
3
|
+
const uniqueIdRegex = /^A[0-9A-Z]+$/;
|
|
3
4
|
export class PrincipalImpl {
|
|
4
5
|
constructor(principalType, principalId) {
|
|
5
6
|
this.principalType = principalType;
|
|
@@ -20,11 +21,18 @@ export class PrincipalImpl {
|
|
|
20
21
|
}
|
|
21
22
|
return accountIdRegex.test(this.principalId) || accountArnRegex.test(this.principalId);
|
|
22
23
|
}
|
|
24
|
+
isUniqueIdPrincipal() {
|
|
25
|
+
if (this.principalType !== 'AWS') {
|
|
26
|
+
return false;
|
|
27
|
+
}
|
|
28
|
+
return uniqueIdRegex.test(this.principalId);
|
|
29
|
+
}
|
|
23
30
|
isAwsPrincipal() {
|
|
24
31
|
if (this.principalType !== 'AWS') {
|
|
25
32
|
return false;
|
|
26
33
|
}
|
|
27
|
-
|
|
34
|
+
const anyThis = this;
|
|
35
|
+
return anyThis.principalId != "*" && !anyThis.isAccountPrincipal() && !anyThis.isUniqueIdPrincipal();
|
|
28
36
|
}
|
|
29
37
|
isServicePrincipal() {
|
|
30
38
|
return this.principalType === 'Service';
|
|
@@ -50,6 +58,12 @@ export class PrincipalImpl {
|
|
|
50
58
|
}
|
|
51
59
|
return this.principalId;
|
|
52
60
|
}
|
|
61
|
+
uniqueId() {
|
|
62
|
+
if (!this.isUniqueIdPrincipal()) {
|
|
63
|
+
throw new Error('Principal is not a unique id principal, call isUniqueIdPrincipal() before calling uniqueId()');
|
|
64
|
+
}
|
|
65
|
+
return this.principalId;
|
|
66
|
+
}
|
|
53
67
|
arn() {
|
|
54
68
|
if (!this.isAwsPrincipal()) {
|
|
55
69
|
throw new Error('Principal is not an AWS principal, call isAwsPrincipal() before calling arn()');
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"principal.js","sourceRoot":"","sources":["../../../src/principals/principal.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"principal.js","sourceRoot":"","sources":["../../../src/principals/principal.ts"],"names":[],"mappings":"AAwHA,MAAM,cAAc,GAAG,aAAa,CAAA;AACpC,MAAM,eAAe,GAAG,+BAA+B,CAAA;AACvD,MAAM,aAAa,GAAG,cAAc,CAAA;AAEpC,MAAM,OAAO,aAAa;IACxB,YAA6B,aAA4B,EAAmB,WAAmB;QAAlE,kBAAa,GAAb,aAAa,CAAe;QAAmB,gBAAW,GAAX,WAAW,CAAQ;IAAG,CAAC;IAE5F,KAAK;QACV,OAAO,IAAI,CAAC,WAAW,CAAA;IACzB,CAAC;IAEM,IAAI;QACT,OAAO,IAAI,CAAC,aAAa,CAAA;IAC3B,CAAC;IAEM,mBAAmB;QACxB,OAAO,IAAI,CAAC,aAAa,KAAK,KAAK,IAAI,IAAI,CAAC,WAAW,KAAK,GAAG,CAAA;IACjE,CAAC;IAEM,kBAAkB;QACvB,IAAG,IAAI,CAAC,aAAa,KAAK,KAAK,EAAE,CAAC;YAChC,OAAO,KAAK,CAAA;QACd,CAAC;QACD,OAAO,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;IACxF,CAAC;IAEM,mBAAmB;QACxB,IAAG,IAAI,CAAC,aAAa,KAAK,KAAK,EAAE,CAAC;YAChC,OAAO,KAAK,CAAA;QACd,CAAC;QACD,OAAO,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;IAC7C,CAAC;IAEM,cAAc;QACnB,IAAG,IAAI,CAAC,aAAa,KAAK,KAAK,EAAE,CAAC;YAChC,OAAO,KAAK,CAAA;QACd,CAAC;QACD,MAAM,OAAO,GAAQ,IAAI,CAAA;QACzB,OAAO,OAAO,CAAC,WAAW,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,kBAAkB,EAAE,IAAI,CAAC,OAAO,CAAC,mBAAmB,EAAE,CAAA;IACtG,CAAC;IAEM,kBAAkB;QACvB,OAAO,IAAI,CAAC,aAAa,KAAK,SAAS,CAAA;IACzC,CAAC;IAEM,oBAAoB;QACzB,OAAO,IAAI,CAAC,aAAa,KAAK,WAAW,CAAA;IAC3C,CAAC;IAEM,wBAAwB;QAC7B,OAAO,IAAI,CAAC,aAAa,KAAK,eAAe,CAAA;IAC/C,CAAC;IAEM,QAAQ;QACb,IAAG,CAAC,IAAI,CAAC,mBAAmB,EAAE,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CAAC,6FAA6F,CAAC,CAAA;QAChH,CAAC;QACD,OAAO,GAAG,CAAA;IACZ,CAAC;IAEM,SAAS;QACd,IAAG,CAAC,IAAI,CAAC,kBAAkB,EAAE,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CAAC,6FAA6F,CAAC,CAAA;QAChH,CAAC;QACD,IAAG,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;YAC1C,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAA;QACvC,CAAC;QACD,OAAO,IAAI,CAAC,WAAW,CAAA;IACzB,CAAC;IAEM,QAAQ;QACb,IAAG,CAAC,IAAI,CAAC,mBAAmB,EAAE,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CAAC,8FAA8F,CAAC,CAAA;QACjH,CAAC;QACD,OAAO,IAAI,CAAC,WAAW,CAAA;IACzB,CAAC;IAEM,GAAG;QACR,IAAG,CAAC,IAAI,CAAC,cAAc,EAAE,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,+EAA+E,CAAC,CAAA;QAClG,CAAC;QACD,OAAO,IAAI,CAAC,WAAW,CAAA;IACzB,CAAC;IAEM,OAAO;QACZ,IAAG,CAAC,IAAI,CAAC,kBAAkB,EAAE,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CAAC,0FAA0F,CAAC,CAAA;QAC7G,CAAC;QACD,OAAO,IAAI,CAAC,WAAW,CAAA;IACzB,CAAC;IAEM,SAAS;QACd,IAAG,IAAI,CAAC,aAAa,KAAK,WAAW,EAAE,CAAC;YACtC,MAAM,IAAI,KAAK,CAAC,gGAAgG,CAAC,CAAA;QACnH,CAAC;QACD,OAAO,IAAI,CAAC,WAAW,CAAA;IACzB,CAAC;IAEM,aAAa;QAClB,IAAG,IAAI,CAAC,aAAa,KAAK,eAAe,EAAE,CAAC;YAC1C,MAAM,IAAI,KAAK,CAAC,6GAA6G,CAAC,CAAA;QAChI,CAAC;QACD,OAAO,IAAI,CAAC,WAAW,CAAA;IACzB,CAAC;CAEF"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"validate.d.ts","sourceRoot":"","sources":["../../../src/validate/validate.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAA;IACf,IAAI,EAAE,MAAM,CAAA;CACb;
|
|
1
|
+
{"version":3,"file":"validate.d.ts","sourceRoot":"","sources":["../../../src/validate/validate.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAA;IACf,IAAI,EAAE,MAAM,CAAA;CACb;AASD,wBAAgB,oBAAoB,CAAC,cAAc,EAAE,GAAG,GAAG,eAAe,EAAE,CA0C3E"}
|
|
@@ -1,6 +1,8 @@
|
|
|
1
1
|
const allowedPolicyKeys = new Set(['Version', 'Statement', 'Id']);
|
|
2
2
|
const allowedStatementKeys = new Set(['Sid', 'Effect', 'Action', 'NotAction', 'Resource', 'NotResource', 'Principal', 'NotPrincipal', 'Condition']);
|
|
3
3
|
const allowedPrincipalKeys = new Set(['AWS', 'Service', 'Federated', 'CanonicalUser']);
|
|
4
|
+
const validConditionOperatorPattern = /^[a-zA-Z0-9:]+$/;
|
|
5
|
+
const allowedSetOperators = new Set(["forallvalues", "foranyvalue"]);
|
|
4
6
|
export function validatePolicySyntax(policyDocument) {
|
|
5
7
|
const allErrors = [];
|
|
6
8
|
if (typeof policyDocument !== 'object') {
|
|
@@ -26,6 +28,20 @@ export function validatePolicySyntax(policyDocument) {
|
|
|
26
28
|
for (let i = 0; i < policyDocument.Statement.length; i++) {
|
|
27
29
|
allErrors.push(...validateStatement(policyDocument.Statement[i], `Statement[${i}]`));
|
|
28
30
|
}
|
|
31
|
+
const statementIdCounts = policyDocument.Statement.reduce((acc, statement) => {
|
|
32
|
+
if (statement.Sid) {
|
|
33
|
+
acc[statement.Sid] = acc[statement.Sid] ? acc[statement.Sid] + 1 : 1;
|
|
34
|
+
}
|
|
35
|
+
return acc;
|
|
36
|
+
}, {});
|
|
37
|
+
for (const [sid, count] of Object.entries(statementIdCounts)) {
|
|
38
|
+
if (count > 1) {
|
|
39
|
+
allErrors.push({
|
|
40
|
+
path: `Statement`,
|
|
41
|
+
message: `Statement Ids must be unique, found ${sid} ${count} times`
|
|
42
|
+
});
|
|
43
|
+
}
|
|
44
|
+
}
|
|
29
45
|
}
|
|
30
46
|
return allErrors;
|
|
31
47
|
}
|
|
@@ -36,6 +52,9 @@ function validateStatement(statement, path) {
|
|
|
36
52
|
if (statement.Effect !== 'Allow' && statement.Effect !== 'Deny') {
|
|
37
53
|
statementErrors.push({ path: `${path}.Effect`, message: `Effect must be present and exactly "Allow" or "Deny"` });
|
|
38
54
|
}
|
|
55
|
+
statementErrors.push(...validateOnlyOneOf(statement, path, 'Action', 'NotAction'));
|
|
56
|
+
statementErrors.push(...validateOnlyOneOf(statement, path, 'Resource', 'NotResource'));
|
|
57
|
+
statementErrors.push(...validateOnlyOneOf(statement, path, 'Principal', 'NotPrincipal'));
|
|
39
58
|
statementErrors.push(...validateTypeOrArrayOfTypeIfExists(statement.Action, `${path}.Action`, 'string'));
|
|
40
59
|
statementErrors.push(...validateTypeOrArrayOfTypeIfExists(statement.NotAction, `${path}.NotAction`, 'string'));
|
|
41
60
|
statementErrors.push(...validateResource(statement.Resource, `${path}.Resource`));
|
|
@@ -44,6 +63,7 @@ function validateStatement(statement, path) {
|
|
|
44
63
|
statementErrors.push(...validateDataTypeIfExists(statement.NotPrincipal, `${path}.NotPrincipal`, ['string', 'object']));
|
|
45
64
|
statementErrors.push(...validatePrincipal(statement.Principal, `${path}.Principal`));
|
|
46
65
|
statementErrors.push(...validatePrincipal(statement.NotPrincipal, `${path}.NotPrincipal`));
|
|
66
|
+
//TODO: If the condition key exists but there is no value, it is an error
|
|
47
67
|
statementErrors.push(...validateCondition(statement.Condition, `${path}.Condition`));
|
|
48
68
|
return statementErrors;
|
|
49
69
|
}
|
|
@@ -99,7 +119,7 @@ function validateResourceString(resourceString, path) {
|
|
|
99
119
|
}
|
|
100
120
|
function validateCondition(condition, path) {
|
|
101
121
|
const conditionErrors = [];
|
|
102
|
-
if (condition === undefined) {
|
|
122
|
+
if (condition === undefined || condition === null) {
|
|
103
123
|
return [];
|
|
104
124
|
}
|
|
105
125
|
conditionErrors.push(...validateDataTypeIfExists(condition, path, 'object'));
|
|
@@ -115,6 +135,29 @@ function validateCondition(condition, path) {
|
|
|
115
135
|
}
|
|
116
136
|
const conditionOperators = Object.keys(condition);
|
|
117
137
|
for (const operator of conditionOperators) {
|
|
138
|
+
//If not valid pattern
|
|
139
|
+
if (!validConditionOperatorPattern.test(operator)) {
|
|
140
|
+
conditionErrors.push({
|
|
141
|
+
path: `${path}.${operator}`,
|
|
142
|
+
message: `Condition operator is invalid`,
|
|
143
|
+
});
|
|
144
|
+
}
|
|
145
|
+
const splitOperator = operator.split(':');
|
|
146
|
+
if (splitOperator.length > 2) {
|
|
147
|
+
conditionErrors.push({
|
|
148
|
+
path: `${path}.${operator}`,
|
|
149
|
+
message: `Condition operator is invalid`,
|
|
150
|
+
});
|
|
151
|
+
}
|
|
152
|
+
else if (splitOperator.length === 2) {
|
|
153
|
+
const setOperator = splitOperator[0];
|
|
154
|
+
if (!allowedSetOperators.has(setOperator)) {
|
|
155
|
+
conditionErrors.push({
|
|
156
|
+
path: `${path}.${operator}`,
|
|
157
|
+
message: `Condition set operator must be either ForAllValues or ForAnyValue`,
|
|
158
|
+
});
|
|
159
|
+
}
|
|
160
|
+
}
|
|
118
161
|
conditionErrors.push(...validateDataTypeIfExists(condition[operator], `${path}.${operator}`, 'object'));
|
|
119
162
|
if (Array.isArray(condition[operator])) {
|
|
120
163
|
conditionErrors.push({
|
|
@@ -143,6 +186,12 @@ function validateKeys(object, allowedKeys, path) {
|
|
|
143
186
|
path: `${path}${key}`
|
|
144
187
|
});
|
|
145
188
|
}
|
|
189
|
+
else if (object[key] === undefined || object[key] === null) {
|
|
190
|
+
keyErrors.push({
|
|
191
|
+
message: `If present, ${key} cannot be null or undefined`,
|
|
192
|
+
path: `${path}${key}`
|
|
193
|
+
});
|
|
194
|
+
}
|
|
146
195
|
}
|
|
147
196
|
return keyErrors;
|
|
148
197
|
}
|
|
@@ -177,4 +226,16 @@ function validateDataTypeIfExists(value, path, allowedDataTypes) {
|
|
|
177
226
|
}
|
|
178
227
|
return errors;
|
|
179
228
|
}
|
|
229
|
+
function validateOnlyOneOf(value, path, firstKey, secondKey) {
|
|
230
|
+
const keys = Object.keys(value);
|
|
231
|
+
if (keys.includes(firstKey) && keys.includes(secondKey)) {
|
|
232
|
+
return [
|
|
233
|
+
{
|
|
234
|
+
message: `Only one of ${firstKey} or ${secondKey} is allowed, found both`,
|
|
235
|
+
path
|
|
236
|
+
}
|
|
237
|
+
];
|
|
238
|
+
}
|
|
239
|
+
return [];
|
|
240
|
+
}
|
|
180
241
|
//# sourceMappingURL=validate.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"validate.js","sourceRoot":"","sources":["../../../src/validate/validate.ts"],"names":[],"mappings":"AAKA,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC,CAAE,SAAS,EAAE,WAAW,EAAE,IAAI,CAAE,CAAC,CAAA;AACnE,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC,CAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,UAAU,EAAE,aAAa,EAAE,WAAW,EAAE,cAAc,EAAE,WAAW,CAAC,CAAC,CAAA;AACpJ,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC,CAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,eAAe,CAAC,CAAC,CAAA;
|
|
1
|
+
{"version":3,"file":"validate.js","sourceRoot":"","sources":["../../../src/validate/validate.ts"],"names":[],"mappings":"AAKA,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC,CAAE,SAAS,EAAE,WAAW,EAAE,IAAI,CAAE,CAAC,CAAA;AACnE,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC,CAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,UAAU,EAAE,aAAa,EAAE,WAAW,EAAE,cAAc,EAAE,WAAW,CAAC,CAAC,CAAA;AACpJ,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC,CAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,eAAe,CAAC,CAAC,CAAA;AACvF,MAAM,6BAA6B,GAAG,iBAAiB,CAAA;AACvD,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC,CAAC,cAAc,EAAE,aAAa,CAAC,CAAC,CAAA;AAGpE,MAAM,UAAU,oBAAoB,CAAC,cAAmB;IACtD,MAAM,SAAS,GAAsB,EAAE,CAAA;IACvC,IAAG,OAAO,cAAc,KAAK,QAAQ,EAAE,CAAC;QACtC,OAAO,CAAC,EAAC,IAAI,EAAE,EAAE,EAAE,OAAO,EAAE,2CAA2C,OAAO,cAAc,EAAE,EAAC,CAAC,CAAA;IAClG,CAAC;SAAM,IAAI,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;QACzC,OAAO,CAAC,EAAC,IAAI,EAAE,EAAE,EAAE,OAAO,EAAE,6CAA6C,EAAC,CAAC,CAAA;IAC7E,CAAC;IAED,SAAS,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,cAAc,EAAE,iBAAiB,EAAE,EAAE,CAAC,CAAC,CAAA;IAEtE,SAAS,CAAC,IAAI,CAAC,GAAG,wBAAwB,CAAC,cAAc,CAAC,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAA;IACxF,SAAS,CAAC,IAAI,CAAC,GAAG,wBAAwB,CAAC,cAAc,CAAC,EAAE,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAA;IAC9E,IAAG,CAAC,cAAc,CAAC,SAAS,EAAE,CAAC;QAC7B,SAAS,CAAC,IAAI,CAAC;YACb,IAAI,EAAE,WAAW;YACjB,OAAO,EAAE,uBAAuB;SACjC,CAAC,CAAA;IACJ,CAAC;IACD,SAAS,CAAC,IAAI,CAAC,GAAG,iCAAiC,CAAC,cAAc,CAAC,SAAS,EAAE,WAAW,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAA;IACvG,IAAG,OAAO,cAAc,CAAC,SAAS,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC,SAAS,CAAC,EAAE,CAAC;QAC5F,SAAS,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,cAAc,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC,CAAA;IAC7E,CAAC;SAAM,IAAI,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC,SAAS,CAAC,EAAE,CAAC;QACnD,KAAI,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,cAAc,CAAC,SAAS,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACxD,SAAS,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,aAAa,CAAC,GAAG,CAAC,CAAC,CAAA;QACtF,CAAC;QACD,MAAM,iBAAiB,GAAG,cAAc,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,GAA2B,EAAE,SAAc,EAAE,EAAE;YACxG,IAAG,SAAS,CAAC,GAAG,EAAE,CAAC;gBACjB,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAA;YACtE,CAAC;YACD,OAAO,GAAG,CAAA;QACZ,CAAC,EAAE,EAA4B,CAAC,CAAA;QAChC,KAAI,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAS,iBAAiB,CAAC,EAAE,CAAC;YACpE,IAAG,KAAK,GAAG,CAAC,EAAE,CAAC;gBACb,SAAS,CAAC,IAAI,CAAC;oBACb,IAAI,EAAE,WAAW;oBACjB,OAAO,EAAE,uCAAuC,GAAG,IAAI,KAAK,QAAQ;iBACrE,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAA;AAClB,CAAC;AAED,SAAS,iBAAiB,CAAC,SAAc,EAAE,IAAY;IACrD,MAAM,eAAe,GAAsB,EAAE,CAAA;IAC7C,eAAe,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,SAAS,EAAE,oBAAoB,EAAE,IAAI,CAAC,CAAC,CAAA;IAC5E,eAAe,CAAC,IAAI,CAAC,GAAG,wBAAwB,CAAC,SAAS,CAAC,GAAG,EAAE,GAAG,IAAI,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAA;IACzF,IAAG,SAAS,CAAC,MAAM,KAAK,OAAO,IAAI,SAAS,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QAC/D,eAAe,CAAC,IAAI,CAAC,EAAC,IAAI,EAAE,GAAG,IAAI,SAAS,EAAE,OAAO,EAAE,sDAAsD,EAAC,CAAC,CAAA;IACjH,CAAC;IAED,eAAe,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,SAAS,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,CAAC,CAAC,CAAA;IAClF,eAAe,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC,CAAA;IACtF,eAAe,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,SAAS,EAAE,IAAI,EAAE,WAAW,EAAE,cAAc,CAAC,CAAC,CAAA;IAExF,eAAe,CAAC,IAAI,CAAC,GAAG,iCAAiC,CAAC,SAAS,CAAC,MAAM,EAAE,GAAG,IAAI,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAA;IACxG,eAAe,CAAC,IAAI,CAAC,GAAG,iCAAiC,CAAC,SAAS,CAAC,SAAS,EAAE,GAAG,IAAI,YAAY,EAAE,QAAQ,CAAC,CAAC,CAAA;IAE9G,eAAe,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,SAAS,CAAC,QAAQ,EAAE,GAAG,IAAI,WAAW,CAAC,CAAC,CAAA;IACjF,eAAe,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,SAAS,CAAC,WAAW,EAAE,GAAG,IAAI,cAAc,CAAC,CAAC,CAAA;IAEvF,eAAe,CAAC,IAAI,CAAC,GAAG,wBAAwB,CAAC,SAAS,CAAC,SAAS,EAAE,GAAG,IAAI,YAAY,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAA;IACjH,eAAe,CAAC,IAAI,CAAC,GAAG,wBAAwB,CAAC,SAAS,CAAC,YAAY,EAAE,GAAG,IAAI,eAAe,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAA;IACvH,eAAe,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,SAAS,CAAC,SAAS,EAAE,GAAG,IAAI,YAAY,CAAC,CAAC,CAAA;IACpF,eAAe,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,SAAS,CAAC,YAAY,EAAE,GAAG,IAAI,eAAe,CAAC,CAAC,CAAA;IAE1F,yEAAyE;IACzE,eAAe,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,SAAS,CAAC,SAAS,EAAE,GAAG,IAAI,YAAY,CAAC,CAAC,CAAA;IACpF,OAAO,eAAe,CAAA;AAExB,CAAC;AAED,SAAS,iBAAiB,CAAC,SAAc,EAAE,IAAY;IACrD,MAAM,eAAe,GAAsB,EAAE,CAAA;IAE7C,IAAG,SAAS,KAAK,SAAS,IAAI,OAAO,SAAS,KAAK,QAAQ,EAAE,CAAC;QAC5D,OAAO,EAAE,CAAA;IACX,CAAC;IACD,IAAG,OAAO,SAAS,KAAK,QAAQ,EAAE,CAAC;QACjC,eAAe,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,SAAS,EAAE,oBAAoB,EAAE,IAAI,CAAC,CAAC,CAAA;QAC5E,eAAe,CAAC,IAAI,CAAC,GAAG,iCAAiC,CAAC,SAAS,CAAC,GAAG,EAAE,GAAG,IAAI,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAA;QAClG,eAAe,CAAC,IAAI,CAAC,GAAG,iCAAiC,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,UAAU,EAAE,QAAQ,CAAC,CAAC,CAAA;QAC1G,eAAe,CAAC,IAAI,CAAC,GAAG,iCAAiC,CAAC,SAAS,CAAC,SAAS,EAAE,GAAG,IAAI,YAAY,EAAE,QAAQ,CAAC,CAAC,CAAA;QAC9G,eAAe,CAAC,IAAI,CAAC,GAAG,iCAAiC,CAAC,SAAS,CAAC,aAAa,EAAE,GAAG,IAAI,gBAAgB,EAAE,QAAQ,CAAC,CAAC,CAAA;IACxH,CAAC;IAED,OAAO,eAAe,CAAA;AAExB,CAAC;AAED,SAAS,gBAAgB,CAAC,QAAa,EAAE,IAAY;IACnD,IAAG,QAAQ,KAAK,SAAS,EAAE,CAAC;QAC1B,OAAO,EAAE,CAAA;IACX,CAAC;IACD,IAAG,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAChC,OAAO,sBAAsB,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAA;IAC/C,CAAC;SAAM,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QACnC,MAAM,cAAc,GAAsB,EAAE,CAAA;QAC5C,KAAI,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACxC,cAAc,CAAC,IAAI,CAAC,GAAG,sBAAsB,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,CAAA;QAC9E,CAAC;QACD,OAAO,cAAc,CAAA;IACvB,CAAC;IACD,OAAO;QACL;YACE,IAAI;YACJ,OAAO,EAAE,sCAAsC;SAChD;KACF,CAAA;AACH,CAAC;AAED,SAAS,sBAAsB,CAAC,cAAmB,EAAE,IAAY;IAC/D,IAAG,cAAc,KAAK,GAAG,EAAE,CAAC;QAC1B,OAAO,EAAE,CAAA;IACX,CAAC;IACD,MAAM,KAAK,GAAG,cAAc,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACvC,IAAG,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,EAAE,CAAC;QAC5C,OAAO;YACL;gBACE,IAAI;gBACJ,OAAO,EAAE,yDAAyD;aACnE;SACF,CAAA;IACH,CAAC;IAED,OAAO,EAAE,CAAA;AAEX,CAAC;AAED,SAAS,iBAAiB,CAAC,SAAc,EAAE,IAAY;IACrD,MAAM,eAAe,GAAsB,EAAE,CAAA;IAC7C,IAAG,SAAS,KAAK,SAAS,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;QACjD,OAAO,EAAE,CAAA;IACX,CAAC;IACD,eAAe,CAAC,IAAI,CAAC,GAAG,wBAAwB,CAAC,SAAS,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAA;IAC5E,IAAG,OAAO,SAAS,KAAK,QAAQ,EAAE,CAAC;QACjC,OAAO,eAAe,CAAA;IACxB,CAAC;SAAM,IAAI,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;QACpC,eAAe,CAAC,IAAI,CAAC;YACnB,OAAO,EAAE,6CAA6C;YACtD,IAAI;SACL,CAAC,CAAA;QACF,OAAO,eAAe,CAAA;IACxB,CAAC;IAED,MAAM,kBAAkB,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;IACjD,KAAI,MAAM,QAAQ,IAAI,kBAAkB,EAAE,CAAC;QACzC,sBAAsB;QACtB,IAAG,CAAC,6BAA6B,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YACjD,eAAe,CAAC,IAAI,CAAC;gBACnB,IAAI,EAAE,GAAG,IAAI,IAAI,QAAQ,EAAE;gBAC3B,OAAO,EAAE,+BAA+B;aACzC,CAAC,CAAA;QACJ,CAAC;QACD,MAAM,aAAa,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QACzC,IAAG,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC5B,eAAe,CAAC,IAAI,CAAC;gBACnB,IAAI,EAAE,GAAG,IAAI,IAAI,QAAQ,EAAE;gBAC3B,OAAO,EAAE,+BAA+B;aACzC,CAAC,CAAA;QACJ,CAAC;aAAM,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACtC,MAAM,WAAW,GAAG,aAAa,CAAC,CAAC,CAAC,CAAA;YACpC,IAAG,CAAC,mBAAmB,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,CAAC;gBACzC,eAAe,CAAC,IAAI,CAAC;oBACnB,IAAI,EAAE,GAAG,IAAI,IAAI,QAAQ,EAAE;oBAC3B,OAAO,EAAE,mEAAmE;iBAC7E,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;QAED,eAAe,CAAC,IAAI,CAAC,GAAG,wBAAwB,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,GAAG,IAAI,IAAI,QAAQ,EAAE,EAAE,QAAQ,CAAC,CAAC,CAAA;QACvG,IAAG,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;YACtC,eAAe,CAAC,IAAI,CAAC;gBACnB,OAAO,EAAE,sDAAsD;gBAC/D,IAAI,EAAE,GAAG,IAAI,IAAI,QAAQ,EAAE;aAC5B,CAAC,CAAA;QACJ,CAAC;QAED,IAAG,OAAO,SAAS,CAAC,QAAQ,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;YAClF,MAAM,aAAa,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAA;YACtD,KAAI,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;gBAC/B,eAAe,CAAC,IAAI,CAAC,GAAG,iCAAiC,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,EAAE,GAAG,IAAI,IAAI,QAAQ,IAAI,GAAG,EAAE,EAAE,QAAQ,CAAC,CAAC,CAAA;YAC9H,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAA;AACxB,CAAC;AAED,SAAS,YAAY,CAAC,MAAW,EAAE,WAAwB,EAAE,IAAY;IACvE,MAAM,SAAS,GAAsB,EAAE,CAAA;IACvC,IAAG,IAAI,IAAI,EAAE,EAAE,CAAC;QACd,IAAI,GAAG,GAAG,IAAI,GAAG,CAAA;IACnB,CAAC;IAED,KAAI,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QACrC,IAAG,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YACzB,SAAS,CAAC,IAAI,CAAC;gBACb,OAAO,EAAE,eAAe,GAAG,EAAE;gBAC7B,IAAI,EAAE,GAAG,IAAI,GAAG,GAAG,EAAE;aACtB,CAAC,CAAA;QACJ,CAAC;aAAM,IAAI,MAAM,CAAC,GAAG,CAAC,KAAK,SAAS,IAAI,MAAM,CAAC,GAAG,CAAC,KAAK,IAAI,EAAE,CAAC;YAC7D,SAAS,CAAC,IAAI,CAAC;gBACb,OAAO,EAAE,eAAe,GAAG,8BAA8B;gBACzD,IAAI,EAAE,GAAG,IAAI,GAAG,GAAG,EAAE;aACtB,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAA;AAClB,CAAC;AAED,SAAS,iCAAiC,CAAC,KAAU,EAAE,IAAY,EAAE,YAA6C;IAChH,IAAG,KAAK,KAAK,SAAS,EAAE,CAAC;QACvB,OAAO,EAAE,CAAA;IACX,CAAC;IAED,YAAY,GAAG,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAE,YAAY,CAAE,CAAA;IAC5E,MAAM,iBAAiB,GAAsB,EAAE,CAAA;IAC/C,IAAG,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,wBAAwB,CAAC,KAAK,EAAE,IAAI,EAAE,YAAY,CAAC,CAAA;IAC5D,CAAC;SAAM,CAAC;QACN,KAAI,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACrC,iBAAiB,CAAC,IAAI,CAAC,GAAG,wBAAwB,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,GAAG,IAAI,IAAI,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC,CAAA;QAC9F,CAAC;IACH,CAAC;IAED,OAAO,iBAAiB,CAAA;AAC1B,CAAC;AAED,SAAS,wBAAwB,CAAC,KAAU,EAAE,IAAY,EAAE,gBAAiD;IAC3G,IAAG,KAAK,KAAK,SAAS,EAAE,CAAC;QACvB,OAAO,EAAE,CAAA;IACX,CAAC;IAED,gBAAgB,GAAG,KAAK,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAE,gBAAgB,CAAE,CAAA;IAC5F,MAAM,MAAM,GAAsB,EAAE,CAAA;IACpC,MAAM,aAAa,GAAG,OAAO,KAAK,CAAA;IAClC,IAAG,CAAC,gBAAgB,CAAC,QAAQ,CAAC,aAA+B,CAAC,EAAE,CAAC;QAC/D,MAAM,CAAC,IAAI,CAAC;YACV,OAAO,EAAE,mBAAmB,aAAa,wBAAwB,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YAC9F,IAAI;SACL,CAAC,CAAA;IACJ,CAAC;IACD,OAAO,MAAM,CAAA;AACf,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAU,EAAE,IAAY,EAAE,QAAgB,EAAE,SAAiB;IACtF,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IAC/B,IAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QACvD,OAAO;YACL;gBACE,OAAO,EAAE,eAAe,QAAQ,OAAO,SAAS,yBAAyB;gBACzE,IAAI;aACL;SACF,CAAA;IACH,CAAC;IAED,OAAO,EAAE,CAAA;AACX,CAAC"}
|