@cloud-copilot/iam-shrink 0.1.0

package/README.md

@@ -0,0 +1,187 @@
+# Shrink IAM Actions
+
+Built in the Unix philosophy, this is a small tool with two goals:
+1. Shrink IAM actions lists by creating patterns that match only the actions specified and no others.
+2. Do #1 in a way that won't make your coworkers hate you.
+
+Using Action Wildcards is not recommended, sometimes there are [IAM Limits](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) you can't get around. This tool helps you stay within those limits.
+
+## Getting Small While Staying Sane
+IAM Actions are camel cased into a number of words. For example:
+* `s3:GetObject` -> "Get" "Object"
+* `s3:GetObjectTagging` -> "Get" "Object" "Tagging"
+
+IAM Shrink will only replace one word at a time and will never replace part of a word. So for instance `s3:GetObject` will never get shrunk to something like `s3:*et*`. This is to balance size reduction with readability.
+
+## Use in Browser
+[https://iam.cloudcopilot.io/tools/iam-shrink](https://iam.cloudcopilot.io/tools/iam-shrink)
+
+## Use in CLI
+
+### Installation
+You can install it globally. This also works in the default AWS CloudShell!
+```bash
+npm install -g @cloud-copilot/iam-shrink
+```
+*Depending on your configuration sudo may be required to install globally.*
+
+### Help
+
+```bash
+iam-shrink --help
+```
+
+### Shrink IAM Actions
+
+#### Pass in Argument
+It's unlikely that you will pass in on the CLI a number of actions after the command name, but you can. You'll need a large number of actions for it to be pracitical, so it's mostly for automation.
+
+```bash
+Usage: iam-shrink s3:GetBucketTagging s3:GetJobTagging s3:GetObjectTagging s3:GetObjectVersionTagging s3:GetStorageLensConfigurationTagging
+# Output
+s3:Get*Tagging
+```
+
+#### Read from stdin
+If no actions are passed as arguments, the CLI will read from stdin.
+
+```bash
+cat "s3:GetBucketTagging s3:GetJobTagging s3:GetObjectTagging s3:GetObjectVersionTagging s3:GetStorageLensConfigurationTagging" | iam-shrink
+# Output
+s3:Get*Tagging
+```
+
+#### Shrink JSON input
+If the input is a valid json document, the CLI will find every instance of `Action` and `NotAction` that is an array of strings and shrink them.
+
+Given `policy.json`
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "groundstation:GetAgentConfiguration",
+        "groundstation:GetConfig",
+        "groundstation:GetDataflowEndpointGroup",
+        "groundstation:GetMinuteUsage",
+        "groundstation:GetMissionProfile",
+        "groundstation:GetSatellite",
+        "groundstation:ListConfigs",
+        "groundstation:ListContacts",
+        "groundstation:ListDataflowEndpointGroups",
+        "groundstation:ListEphemerides",
+        "groundstation:ListGroundStations",
+        "groundstation:ListMissionProfiles",
+        "groundstation:ListSatellites",
+        "groundstation:ListTagsForResource",
+        "s3:GetBucketTagging",
+        "s3:GetJobTagging",
+        "s3:GetObjectTagging",
+        "s3:GetObjectVersionTagging",
+        "s3:GetStorageLensConfigurationTagging"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Deny",
+      "NotAction": [
+        "organizations:DeleteOrganization",
+        "organizations:DeleteOrganizationalUnit",
+        "organizations:DeletePolicy",
+        "organizations:DeleteResourcePolicy",
+        "organizations:LeaveOrganization"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+```
+
+```bash
+cat policy.json | iam-shrink > smaller-policy.json
+```
+
+Gives this file in `smaller-policy.json`
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "groundstation:List*",
+        "groundstation:Get*",
+        "s3:Get*Tagging"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Deny",
+      "NotAction": [
+        "organizations:Delete*",
+        "organizations:Leave*"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+```
+
+### Configuring iterations
+By default, the CLI will do two iterations of shrinking. This generally does a good balance between reducing size and maintaining readability. This can be adjusted with the `--iterations` flag.
+
+Assuming the [AWS Read Only policy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ReadOnlyAccess.html) is in `readonly.json`
+
+```bash
+You can change this with the `--iterations` flag.
+
+```bash
+# Default two iterations
+cat readonly.json | iam-shrink | wc -m
+# 61305 characters
+
+# Increasing iterations
+cat readonly.json | iam-shrink --iterations=3 | wc -m
+# 45983 characters
+cat readonly.json | iam-shrink --iterations=4 | wc -m
+# 43654 characters
+cat readonly.json | iam-shrink --iterations=5 | wc -m
+# 43336 characters
+
+# Unlimited iterations until the policy cannot be further reduced
+cat readonly.json | iam-shrink --iterations=0 | wc -m
+# 43281 characters
+```
+
+If you want to shrink the policy as much as possible, you can use `--iterations=0`. This will keep shrinking the policy until it can't be reduced any further.
+
+## Use in TypeScript/Node
+
+You can use the shrink function in your own code.
+```typescript
+import { shrink } from '@cloud-copilot/iam-shrink';
+
+const actions = [
+  "s3:GetBucketTagging",
+  "s3:GetJobTagging",
+  "s3:GetObjectTagging",
+  "s3:GetObjectVersionTagging",
+  "s3:GetStorageLensConfigurationTagging"
+];
+
+const shrunk = await shrink(actions);
+console.log(shrunk);
+// [ s3:Get*Tagging ]
+```
+
+You can specify the number of iterations as well.
+```typescript
+import { shrink } from '@cloud-copilot/iam-shrink';
+
+const bigListOfActions = getBigListOfActions();
+
+const smallerList = await shrink(bigListOfActions, { iterations: 3 });
+console.log(shrunk);
+```

package/dist/cjs/cli.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=cli.d.ts.map

package/dist/cjs/cli.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../../src/cli.ts"],"names":[],"mappings":""}

package/dist/cjs/cli.js

@@ -0,0 +1,78 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const iam_data_1 = require("@cloud-copilot/iam-data");
+const cli_utils_js_1 = require("./cli_utils.js");
+const shrink_js_1 = require("./shrink.js");
+const commandName = 'iam-shrink';
+const dataPackage = '@cloud-copilot/iam-data';
+async function shrinkAandPrint(actions, shrinkOptions) {
+    try {
+        const result = await (0, shrink_js_1.shrink)(actions, shrinkOptions);
+        for (const action of result) {
+            console.log(action);
+        }
+    }
+    catch (e) {
+        console.error(e.message);
+        process.exit(1);
+    }
+}
+function printUsage() {
+    console.log('No arguments provided or input from stdin');
+    console.log('Usage:');
+    console.log(`  ${commandName} [options] [action1] [action2] ...`);
+    console.log(`  <input from stdout> | ${commandName} [options]`);
+    console.log('Shrink ActionOptions:');
+    console.log('  --iterations: How many iterations of shrinking should be executed, defaults to 2; zero or less means no limit');
+    console.log('                Example: --iterations=5');
+    console.log('                Example: --iterations=-1');
+    console.log('CLI Behavior Options:');
+    console.log('  --show-data-version: Print the version of the iam-data package being used and exit');
+    console.log('  --read-wait-ms: Millisenconds to wait for the first byte from stdin before timing out.');
+    console.log('                  Example: --read-wait-ms=10_000');
+    process.exit(1);
+}
+const args = process.argv.slice(2); // Ignore the first two elements
+const actionStrings = [];
+const optionStrings = [];
+for (const arg of args) {
+    if (arg.startsWith('--')) {
+        optionStrings.push(arg);
+    }
+    else {
+        actionStrings.push(arg);
+    }
+}
+async function run() {
+    const options = (0, cli_utils_js_1.convertOptions)(optionStrings);
+    if (options.showDataVersion) {
+        const version = await (0, iam_data_1.iamDataVersion)();
+        console.log(`${dataPackage} version: ${version}`);
+        console.log(`Data last updated: ${await (0, iam_data_1.iamDataUpdatedAt)()}`);
+        console.log(`Update with either:`);
+        console.log(`  npm update ${dataPackage}`);
+        console.log(`  npm update -g ${dataPackage}`);
+        return;
+    }
+    if (actionStrings.length === 0) {
+        //If no actions are provided, read from stdin
+        const stdInResult = await (0, cli_utils_js_1.parseStdIn)(options);
+        if (stdInResult.object) {
+            console.log(JSON.stringify(stdInResult.object, null, 2));
+            return;
+        }
+        else if (stdInResult.strings) {
+            actionStrings.push(...stdInResult.strings);
+        }
+    }
+    if (actionStrings.length > 0) {
+        await shrinkAandPrint(actionStrings, options);
+        return;
+    }
+    printUsage();
+}
+run().catch((e) => {
+    console.error(e);
+    process.exit(1);
+}).then(() => process.exit(0)).finally(() => { });
+//# sourceMappingURL=cli.js.map

package/dist/cjs/cli.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../../src/cli.ts"],"names":[],"mappings":";;AAAA,sDAA0E;AAC1E,iDAA2D;AAC3D,2CAAmD;AAEnD,MAAM,WAAW,GAAG,YAAY,CAAA;AAChC,MAAM,WAAW,GAAG,yBAAyB,CAAA;AAE7C,KAAK,UAAU,eAAe,CAAC,OAAiB,EAAE,aAAqC;IACrF,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAM,EAAC,OAAO,EAAE,aAAa,CAAC,CAAA;QACnD,KAAK,MAAM,MAAM,IAAI,MAAM,EAAE,CAAC;YAC5B,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QACrB,CAAC;IACH,CAAC;IAAC,OAAO,CAAM,EAAE,CAAC;QAChB,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,CAAA;QACxB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACjB,CAAC;AACH,CAAC;AAED,SAAS,UAAU;IACjB,OAAO,CAAC,GAAG,CAAC,2CAA2C,CAAC,CAAA;IACxD,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;IACrB,OAAO,CAAC,GAAG,CAAC,KAAK,WAAW,oCAAoC,CAAC,CAAA;IACjE,OAAO,CAAC,GAAG,CAAC,2BAA2B,WAAW,YAAY,CAAC,CAAA;IAC/D,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAA;IACpC,OAAO,CAAC,GAAG,CAAC,iHAAiH,CAAC,CAAA;IAC9H,OAAO,CAAC,GAAG,CAAC,yCAAyC,CAAC,CAAA;IACtD,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAA;IACvD,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAA;IACpC,OAAO,CAAC,GAAG,CAAC,sFAAsF,CAAC,CAAA;IACnG,OAAO,CAAC,GAAG,CAAC,0FAA0F,CAAC,CAAA;IACvG,OAAO,CAAC,GAAG,CAAC,kDAAkD,CAAC,CAAA;IAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC;AAED,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,gCAAgC;AACpE,MAAM,aAAa,GAAa,EAAE,CAAA;AAClC,MAAM,aAAa,GAAa,EAAE,CAAA;AAElC,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,IAAG,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACxB,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACzB,CAAC;SAAM,CAAC;QACN,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACzB,CAAC;AACH,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,MAAM,OAAO,GAAG,IAAA,6BAAc,EAAC,aAAa,CAAC,CAAA;IAC7C,IAAG,OAAO,CAAC,eAAe,EAAE,CAAC;QAC3B,MAAM,OAAO,GAAG,MAAM,IAAA,yBAAc,GAAE,CAAA;QACtC,OAAO,CAAC,GAAG,CAAC,GAAG,WAAW,aAAa,OAAO,EAAE,CAAC,CAAA;QACjD,OAAO,CAAC,GAAG,CAAC,sBAAsB,MAAM,IAAA,2BAAgB,GAAE,EAAE,CAAC,CAAA;QAC7D,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAA;QAClC,OAAO,CAAC,GAAG,CAAC,gBAAgB,WAAW,EAAE,CAAC,CAAA;QAC1C,OAAO,CAAC,GAAG,CAAC,mBAAmB,WAAW,EAAE,CAAC,CAAA;QAC7C,OAAM;IACR,CAAC;IAED,IAAG,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9B,6CAA6C;QAC7C,MAAM,WAAW,GAAG,MAAM,IAAA,yBAAU,EAAC,OAAO,CAAC,CAAA;QAC7C,IAAG,WAAW,CAAC,MAAM,EAAE,CAAC;YACtB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;YACxD,OAAM;QACR,CAAC;aAAM,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;YAC/B,aAAa,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,OAAO,CAAC,CAAA;QAC5C,CAAC;IACH,CAAC;IAED,IAAG,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,eAAe,CAAC,aAAa,EAAE,OAAO,CAAC,CAAA;QAC7C,OAAM;IACR,CAAC;IAED,UAAU,EAAE,CAAA;AAEd,CAAC;AAED,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;IAChB,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;IAChB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAA"}

package/dist/cjs/cli_utils.d.ts

@@ -0,0 +1,30 @@
+import { ShrinkOptions } from "./shrink.js";
+interface CliOptions extends ShrinkOptions {
+    showDataVersion: boolean;
+    readWaitMs: string;
+}
+/**
+ * Convert a dash-case string to camelCase
+ * @param str the string to convert
+ * @returns the camelCase string
+ */
+export declare function dashToCamelCase(str: string): string;
+/**
+ * Convert an array of option strings to an object
+ *
+ * @param optionArgs the array of option strings to convert
+ * @returns the object representation of the options
+ */
+export declare function convertOptions(optionArgs: string[]): Partial<CliOptions>;
+export declare function extractActionsFromLineOfInput(line: string): string[];
+/**
+ * Parse the actions from stdin
+ *
+ * @returns an array of strings from stdin
+ */
+export declare function parseStdIn(options: Partial<CliOptions>): Promise<{
+    strings?: string[];
+    object?: any;
+}>;
+export {};
+//# sourceMappingURL=cli_utils.d.ts.map

package/dist/cjs/cli_utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli_utils.d.ts","sourceRoot":"","sources":["../../src/cli_utils.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAI5C,UAAU,UAAW,SAAQ,aAAa;IACxC,eAAe,EAAE,OAAO,CAAA;IACxB,UAAU,EAAE,MAAM,CAAA;CACnB;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAGnD;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,UAAU,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,UAAU,CAAC,CAwBxE;AAGD,wBAAgB,6BAA6B,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAMpE;AAED;;;;GAIG;AACH,wBAAsB,UAAU,CAAC,OAAO,EAAE,OAAO,CAAC,UAAU,CAAC,GAAG,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IAAC,MAAM,CAAC,EAAE,GAAG,CAAA;CAAC,CAAC,CAgB1G"}

package/dist/cjs/cli_utils.js

@@ -0,0 +1,75 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.dashToCamelCase = dashToCamelCase;
+exports.convertOptions = convertOptions;
+exports.extractActionsFromLineOfInput = extractActionsFromLineOfInput;
+exports.parseStdIn = parseStdIn;
+const shrink_file_js_1 = require("./shrink_file.js");
+const stdin_js_1 = require("./stdin.js");
+/**
+ * Convert a dash-case string to camelCase
+ * @param str the string to convert
+ * @returns the camelCase string
+ */
+function dashToCamelCase(str) {
+    str = str.substring(2);
+    return str.replace(/-([a-z])/g, (g) => g[1].toUpperCase());
+}
+/**
+ * Convert an array of option strings to an object
+ *
+ * @param optionArgs the array of option strings to convert
+ * @returns the object representation of the options
+ */
+function convertOptions(optionArgs) {
+    const options = {};
+    for (const option of optionArgs) {
+        let key = option;
+        let value = true;
+        if (option.includes('=')) {
+            [key, value] = option.split('=');
+        }
+        options[dashToCamelCase(key)] = value;
+    }
+    if (options.iterations) {
+        const iterationNumber = parseInt(options.iterations);
+        if (isNaN(iterationNumber)) {
+            delete options.iterations;
+        }
+        else if (iterationNumber <= 0) {
+            options.iterations = Infinity;
+        }
+        else {
+            options.iterations = iterationNumber;
+        }
+    }
+    return options;
+}
+const actionPattern = /\:?([a-zA-Z0-9-]+:[a-zA-Z0-9*]+)/g;
+function extractActionsFromLineOfInput(line) {
+    const matches = line.matchAll(actionPattern);
+    return Array.from(matches)
+        .filter((match) => !match[0].startsWith('arn:') && !match[0].startsWith(':'))
+        .map((match) => match[1]);
+}
+/**
+ * Parse the actions from stdin
+ *
+ * @returns an array of strings from stdin
+ */
+async function parseStdIn(options) {
+    const delay = options.readWaitMs ? parseInt(options.readWaitMs.replaceAll(/\D/g, '')) : undefined;
+    const data = await (0, stdin_js_1.readStdin)(delay);
+    if (data.length === 0) {
+        return {};
+    }
+    try {
+        const object = await (0, shrink_file_js_1.shrinkJsonDocument)(options, JSON.parse(data));
+        return { object };
+    }
+    catch (err) { }
+    const lines = data.split('\n');
+    const actions = lines.flatMap(line => extractActionsFromLineOfInput(line));
+    return { strings: actions };
+}
+//# sourceMappingURL=cli_utils.js.map

package/dist/cjs/cli_utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli_utils.js","sourceRoot":"","sources":["../../src/cli_utils.ts"],"names":[],"mappings":";;AAcA,0CAGC;AAQD,wCAwBC;AAGD,sEAMC;AAOD,gCAgBC;AAhFD,qDAAsD;AACtD,yCAAuC;AAOvC;;;;GAIG;AACH,SAAgB,eAAe,CAAC,GAAW;IACzC,GAAG,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,CAAA;IACtB,OAAO,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;AAC7D,CAAC;AAED;;;;;GAKG;AACH,SAAgB,cAAc,CAAC,UAAoB;IACjD,MAAM,OAAO,GAA8C,EAAE,CAAE;IAE/D,KAAI,MAAM,MAAM,IAAI,UAAU,EAAE,CAAC;QAC/B,IAAI,GAAG,GAAW,MAAM,CAAA;QACxB,IAAI,KAAK,GAAqB,IAAI,CAAA;QAClC,IAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACxB,CAAC,GAAG,EAAC,KAAK,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QACjC,CAAC;QAED,OAAO,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,GAAG,KAAK,CAAA;IACvC,CAAC;IACD,IAAG,OAAO,CAAC,UAAU,EAAE,CAAC;QACtB,MAAM,eAAe,GAAG,QAAQ,CAAC,OAAO,CAAC,UAAoB,CAAC,CAAA;QAC9D,IAAG,KAAK,CAAC,eAAe,CAAC,EAAE,CAAC;YAC1B,OAAO,OAAO,CAAC,UAAU,CAAA;QAC3B,CAAC;aAAM,IAAG,eAAe,IAAI,CAAC,EAAE,CAAC;YAC/B,OAAO,CAAC,UAAU,GAAG,QAAQ,CAAA;QAC/B,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,UAAU,GAAG,eAAe,CAAA;QACtC,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAA;AAChB,CAAC;AAED,MAAM,aAAa,GAAG,mCAAmC,CAAC;AAC1D,SAAgB,6BAA6B,CAAC,IAAY;IACxD,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAA;IAE5C,OAAO,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC;SACb,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;SAC5E,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAA;AACvC,CAAC;AAED;;;;GAIG;AACI,KAAK,UAAU,UAAU,CAAC,OAA4B;IAC3D,MAAM,KAAK,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,UAAU,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;IACjG,MAAM,IAAI,GAAG,MAAM,IAAA,oBAAS,EAAC,KAAK,CAAC,CAAA;IACnC,IAAG,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrB,OAAO,EAAE,CAAA;IACX,CAAC;IAED,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,IAAA,mCAAkB,EAAC,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAA;QAClE,OAAO,EAAC,MAAM,EAAC,CAAA;IACjB,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC,CAAA,CAAC;IAGrB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAC9B,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,6BAA6B,CAAC,IAAI,CAAC,CAAC,CAAA;IAC1E,OAAO,EAAC,OAAO,EAAE,OAAO,EAAC,CAAA;AAC3B,CAAC"}

package/dist/cjs/errors.d.ts

@@ -0,0 +1,13 @@
+export declare class ShrinkValidationError extends Error {
+    readonly desiredPatterns: string[];
+    readonly errorMatch: string;
+    /**
+     * Capture a validation error from a shrink operation
+     *
+     * @param desiredPatterns the patterns the user wanted to shrink
+     * @param excludedPatterns the patterns the user wanted to exclude
+     * @param errorMatch the undesired match that triggered the bug
+     */
+    constructor(desiredPatterns: string[], errorMatch: string);
+}
+//# sourceMappingURL=errors.d.ts.map

package/dist/cjs/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/errors.ts"],"names":[],"mappings":"AAmCA,qBAAa,qBAAsB,SAAQ,KAAK;aAQlB,eAAe,EAAE,MAAM,EAAE;aAAkB,UAAU,EAAE,MAAM;IAPzF;;;;;;OAMG;gBACyB,eAAe,EAAE,MAAM,EAAE,EAAkB,UAAU,EAAE,MAAM;CAO1F"}

package/dist/cjs/errors.js

@@ -0,0 +1,56 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ShrinkValidationError = void 0;
+const bugBaseUrl = 'https://github.com/cloud-copilot/iam-shrink/issues/new';
+/**
+ * The title of the bug report
+ * @param errorMatch The undesired match
+ * @returns the title of the bug report
+ */
+function bugTitle(errorMatch) {
+    return `Bug: ShrinkValidationError. ${errorMatch}`;
+}
+/**
+ * The body of the bug report
+ *
+ * @param errorMatch The undesired match
+ * @param desiredPatterns The desired patterns
+ * @param excludedPatterns The excluded patterns
+ * @returns the body of the bug report
+ */
+function bugBody(errorMatch, desiredPatterns) {
+    return `${errorMatch} while shrinking patterns ${JSON.stringify(desiredPatterns)}`;
+}
+/**
+ * Get the full url of the full bug report
+ *
+ * @param desiredPatterns The desired patterns
+ * @param excludedPatterns The excluded patterns
+ * @param errorMatch The undesired match that caused the bug
+ * @returns the full url to create a new bug report
+ */
+function bugUrl(desiredPatterns, errorMatch) {
+    return `${bugBaseUrl}?labels=bug&title=${encodeURIComponent(bugTitle(errorMatch))}&body=${encodeURIComponent(bugBody(errorMatch, desiredPatterns))}`;
+}
+class ShrinkValidationError extends Error {
+    desiredPatterns;
+    errorMatch;
+    /**
+     * Capture a validation error from a shrink operation
+     *
+     * @param desiredPatterns the patterns the user wanted to shrink
+     * @param excludedPatterns the patterns the user wanted to exclude
+     * @param errorMatch the undesired match that triggered the bug
+     */
+    constructor(desiredPatterns, errorMatch) {
+        super([
+            `@cloud-copilot/iam-shrink has failed validation and this is a bug.`,
+            `Please file a bug at ${bugUrl(desiredPatterns, errorMatch)}`,
+        ].join("\n"));
+        this.desiredPatterns = desiredPatterns;
+        this.errorMatch = errorMatch;
+        this.name = "ShrinkValidationError"; // Set the name of the error
+    }
+}
+exports.ShrinkValidationError = ShrinkValidationError;
+//# sourceMappingURL=errors.js.map

package/dist/cjs/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/errors.ts"],"names":[],"mappings":";;;AAAA,MAAM,UAAU,GAAG,wDAAwD,CAAA;AAE3E;;;;GAIG;AACH,SAAS,QAAQ,CAAC,UAAkB;IAClC,OAAO,+BAA+B,UAAU,EAAE,CAAC;AACrD,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,OAAO,CAAC,UAAkB,EAAE,eAAyB;IAC5D,OAAO,GAAG,UAAU,6BAA6B,IAAI,CAAC,SAAS,CAAC,eAAe,CAAC,EAAE,CAAC;AACrF,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,MAAM,CAAC,eAAyB,EAAE,UAAkB;IAC3D,OAAO,GAAG,UAAU,qBAAqB,kBAAkB,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,SAAS,kBAAkB,CAAC,OAAO,CAAC,UAAU,EAAE,eAAe,CAAC,CAAC,EAAE,CAAC;AACvJ,CAAC;AAED,MAAa,qBAAsB,SAAQ,KAAK;IAQlB;IAA2C;IAPvE;;;;;;OAMG;IACH,YAA4B,eAAyB,EAAkB,UAAkB;QACvF,KAAK,CAAC;YACJ,oEAAoE;YACpE,wBAAwB,MAAM,CAAC,eAAe,EAAE,UAAU,CAAC,EAAE;SAC9D,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;QAJY,oBAAe,GAAf,eAAe,CAAU;QAAkB,eAAU,GAAV,UAAU,CAAQ;QAKvF,IAAI,CAAC,IAAI,GAAG,uBAAuB,CAAC,CAAC,4BAA4B;IACnE,CAAC;CACF;AAfD,sDAeC"}

package/dist/cjs/index.d.ts

@@ -0,0 +1,3 @@
+export { shrink } from './shrink.js';
+export { shrinkJsonDocument } from './shrink_file.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/cjs/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC"}

package/dist/cjs/index.js

@@ -0,0 +1,8 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.shrinkJsonDocument = exports.shrink = void 0;
+var shrink_js_1 = require("./shrink.js");
+Object.defineProperty(exports, "shrink", { enumerable: true, get: function () { return shrink_js_1.shrink; } });
+var shrink_file_js_1 = require("./shrink_file.js");
+Object.defineProperty(exports, "shrinkJsonDocument", { enumerable: true, get: function () { return shrink_file_js_1.shrinkJsonDocument; } });
+//# sourceMappingURL=index.js.map

package/dist/cjs/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,yCAAqC;AAA5B,mGAAA,MAAM,OAAA;AACf,mDAAsD;AAA7C,oHAAA,kBAAkB,OAAA"}

package/dist/cjs/package.json

@@ -0,0 +1,3 @@
+{
+    "type": "commonjs"
+}

package/dist/cjs/shrink.d.ts

@@ -0,0 +1,131 @@
+export interface ShrinkOptions {
+    iterations: number;
+}
+/**
+ * Shrink the list of desired patterns minus the excluded patterns to the smallest list of patterns
+ * that still includes the actions you want and only the actions you want.
+ *
+ * This will create a Target Set of actions that match the patterns in {@link desiredPatterns}, and do
+ * not match any pattern in {@link excludedPatterns}.
+ *
+ * It will then derive the list of wildcard patterns that match the Target Set and no other actions.
+ *
+ * @param desiredPatterns the list of patterns you want to include, e.g. ['s3:Get*', 's3:PutObject', 's3:*Tag*']
+ * @param iterations the number of iterations to run the shrink operations
+ * @returns the smallest list of patterns that will match only the actions specified by desiredPatterns and not match any of the excludedPatterns or any actions not specified by desiredPatterns.
+ */
+export declare function shrink(desiredPatterns: string[], shrinkOptions?: Partial<ShrinkOptions>): Promise<string[]>;
+/**
+ * Map an array of service:action strings to just the action
+ *
+ * @param actions the array of service:action strings such as ['s3:GetObject', 'ec2:DescribeInstances']
+ * @returns an array of just the action strings such as ['GetObject', 'DescribeInstances']
+ */
+export declare function mapActions(actions: string[]): string[];
+/**
+ * Groups an array of service:action strings by service
+ *
+ * Returns a map of service to an object with two arrays: withService and withoutService
+ * * withService contains the full service:action strings
+ * * withoutService contains just the action strings
+ *
+ * @param actions the array of service:action strings such as ['s3:GetObject', 'ec2:DescribeInstances']
+ * @returns a map of service to an object with two arrays: withService and withoutService
+ */
+export declare function groupActionsByService(actions: string[]): Map<string, {
+    withService: string[];
+    withoutService: string[];
+}>;
+/**
+ * Shrink a list of desired actions to the smallest number of patterns that match the desired actions
+ * from the possible actions and no other actions.
+ *
+ * @param desiredActions the list of actions you want to include
+ * @param possibleActions the list of actions that are possible
+ * @param iterations the number of iterations to run the shrink operations
+ * @returns the smallest list of patterns that when compared to possibleActions will match only the desiredActions and no others
+ */
+export declare function shrinkResolvedList(desiredActions: string[], possibleActions: string[], iterations: number): string[];
+/**
+ * Shrink the list of desired actions for while excluding the undesired actions
+ *
+ * @param desiredActions the list of actions you want to include, can be a mix of full actions and wildcards
+ * @param undesiredActions the list of actions you want to exclude no matter what
+ * @param deep if true, will shrink based on all common sequences, otherwise will only shrink based on the most common sequence
+ * @returns the smallest list of actions that will match only the desiredActions and not match any of the undesiredActions or any actions not specified by desiredActions.
+ */
+export declare function shrinkIteration(desiredActions: string[], undesiredActions: string[], deep: boolean): string[];
+/**
+ * Reduces a singele action into a smaller number of parts by replace one part at a time with an asterisk
+ * and validating that there are no undesired actions that match the new action
+ *
+ * @param desiredAction the action to reduce
+ * @param sequence the sequence to reduce the action by
+ * @param undesiredActions the list of actions that should not match the reduced action
+ * @returns the reduced action with as many parts replaced with asterisks as possible while still matching the desired actions and not matching any of the undesired actions
+ */
+export declare function reduceAction(desiredAction: string, sequence: string, undesiredActions: string[]): string;
+/**
+ * Consolidate multile consecutive asterisks into a single asterisk
+ *
+ * @param wildcardAction the action to collapse
+ * @returns the action with consecutive asterisks collapsed into a single asterisk
+ */
+export declare function collapseAsterisks(wildcardAction: string): string;
+/**
+ * Convert a wildcard action into a regular expression
+ *
+ * @param wildcardAction the wildcard action to convert
+ * @returns a regular expression that will match the wildcard action
+ */
+export declare function regexForWildcardAction(wildcardAction: string): RegExp;
+/**
+ * Checks to see if a wildcard action matches any of the strings in a list
+ *
+ * @param wildcardAction the wildcard action to check
+ * @param strings the list of strings to check against
+ * @returns true if the wildcard action matches any of the strings
+ */
+export declare function wildcardActionMatchesAnyString(wildcardAction: string, strings: string[]): boolean;
+/**
+ * Split an IAM Action into parts based on capital letters and asterisks
+ * For a new part to start there must be a transition from a lowercase letter to an uppercase letter or an asterisk
+ * For example :
+ * * "CreateAccessPointForObjectLambda" would be split into ["Create", "Access", "Point", "For", "Object", "Lambda"]
+ * * "*ObjectTagging*" would be split into ["*", "Object", "Tagging", "*"]
+ *
+ * @param input the IAM Action to split
+ * @returns the parts of the IAM Action
+ */
+export declare function splitActionIntoParts(input: string): string[];
+/**
+ * Given a list of strings and a list of strings those parts are in, count the number of times each part appears in the strings
+ *
+ * @param substrings the sub strings to count
+ * @param actions the list of strings to count the substrings in
+ * @returns Returns a map of the substring to the number of times it appears in the actions
+ */
+export declare function countSubstrings(substrings: string[], actions: string[]): Map<string, number>;
+/**
+ * Finds all the the common sequences in a list of actions strings and counts their frequency and length.
+ *
+ * @param actions the list of actions to find common sequences in
+ * @returns an array of objects with the sequence, frequency, and length of the common sequences
+ */
+export declare function findCommonSequences(actions: string[]): {
+    sequence: string;
+    frequency: number;
+    length: number;
+}[];
+/**
+ * Consolidates overlapping wildcards into their most general form
+ *
+ * For example:
+ *   ['*Object', 'Object*', '*Object*'] will be consolidated into ['*Object*']
+ *   ['Get*', '*Get*'] will be consolidated into ['*Get*']
+ *
+ * @param patterns the list of patterns to consolidate
+ * @returns the consolidated list of patterns
+ */
+export declare function consolidateWildcardPatterns(patterns: string[]): string[];
+//# sourceMappingURL=shrink.d.ts.map

package/dist/cjs/shrink.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"shrink.d.ts","sourceRoot":"","sources":["../../src/shrink.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,MAAM,CAAA;CACnB;AAQD;;;;;;;;;;;;GAYG;AACH,wBAAsB,MAAM,CAAC,eAAe,EAAE,MAAM,EAAE,EAAE,aAAa,CAAC,EAAE,OAAO,CAAC,aAAa,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CA4BjH;AAED;;;;;GAKG;AACH,wBAAgB,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE,CAEtD;AAED;;;;;;;;;GASG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC,MAAM,EAAE;IAAC,WAAW,EAAE,MAAM,EAAE,CAAC;IAAC,cAAc,EAAE,MAAM,EAAE,CAAA;CAAC,CAAC,CAYvH;AAED;;;;;;;;GAQG;AACH,wBAAgB,kBAAkB,CAAC,cAAc,EAAE,MAAM,EAAE,EAAE,eAAe,EAAE,MAAM,EAAE,EAAE,UAAU,EAAE,MAAM,GAAG,MAAM,EAAE,CAkCpH;AAED;;;;;;;GAOG;AACH,wBAAgB,eAAe,CAAC,cAAc,EAAE,MAAM,EAAE,EAAE,gBAAgB,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,OAAO,GAAG,MAAM,EAAE,CAmB7G;AAED;;;;;;;;GAQG;AACH,wBAAgB,YAAY,CAAC,aAAa,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,gBAAgB,EAAE,MAAM,EAAE,GAAG,MAAM,CAqExG;AAED;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAEhE;AAED;;;;;GAKG;AACH,wBAAgB,sBAAsB,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAIrE;AAED;;;;;;GAMG;AACH,wBAAgB,8BAA8B,CAAC,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,OAAO,CAQjG;AAED;;;;;;;;;GASG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,EAAE,CAK5D;AAGD;;;;;;GAMG;AACH,wBAAgB,eAAe,CAAC,UAAU,EAAE,MAAM,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAc5F;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,EAAE,CAchH;AAED;;;;;;;;;GASG;AACH,wBAAgB,2BAA2B,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE,CAkBxE"}