npm - @cloud-copilot/iam-simulate - Versions diffs - 0.1.0 → 0.1.2 - Mend

@cloud-copilot/iam-simulate 0.1.0 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (239) hide show

package/dist/esm/core_engine/coreSimulatorEngine.d.ts ADDED Viewed

@@ -0,0 +1,44 @@
+import { Policy } from "@cloud-copilot/iam-policy";
+import { EvaluationResult } from "../evaluate.js";
+import { AwsRequest } from "../request/request.js";
+import { ServiceAuthorizer } from "../services/ServiceAuthorizer.js";
+import { StatementAnalysis } from "../StatementAnalysis.js";
+/**
+ * A reqest to authorize a service action.
+ */
+export interface AuthorizationRequest {
+    /**
+     * The request to authorize.
+     */
+    request: AwsRequest;
+    /**
+     * The identity policies that are applicable to the principal making the request.
+     */
+    identityPolicies: Policy[];
+}
+/**
+ * Authorizes a request.
+ *
+ * This assumes all policies have been validated and the request is fully complete and valid.
+ *
+ * @param request the request to authorize
+ * @returns the result of the authorization
+ */
+export declare function authorize(request: AuthorizationRequest): EvaluationResult;
+/**
+ * Get the appropriate service authorizer for the request. Some services have specific authorization logic in
+ * them. If there is no service specific authorizer, a default one will be used.
+ *
+ * @param request the request to get the authorizer for
+ * @returns the service authorizer for the request
+ */
+export declare function getServiceAuthorizer(request: AuthorizationRequest): ServiceAuthorizer;
+/**
+ * Analyzes a set of identity policies
+ *
+ * @param identityPolicies the identity policies to analyze
+ * @param request the request to analyze against
+ * @returns an array of statement analysis results
+ */
+export declare function analyzeIdentityPolicies(identityPolicies: Policy[], request: AwsRequest): StatementAnalysis[];
+//# sourceMappingURL=coreSimulatorEngine.d.ts.map

package/dist/esm/core_engine/coreSimulatorEngine.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"coreSimulatorEngine.d.ts","sourceRoot":"","sources":["../../../src/core_engine/coreSimulatorEngine.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,2BAA2B,CAAC;AAGnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAGnD,OAAO,EAAE,iBAAiB,EAAE,MAAM,kCAAkC,CAAC;AACrE,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAE5D;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC;;OAEG;IACH,OAAO,EAAE,UAAU,CAAC;IAEpB;;OAEG;IACH,gBAAgB,EAAE,MAAM,EAAE,CAAA;CAC3B;AAID;;;;;;;GAOG;AACH,wBAAgB,SAAS,CAAC,OAAO,EAAE,oBAAoB,GAAG,gBAAgB,CAOzE;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,oBAAoB,GAAG,iBAAiB,CAMrF;AAED;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,gBAAgB,EAAE,MAAM,EAAE,EAAE,OAAO,EAAE,UAAU,GAAG,iBAAiB,EAAE,CAe5G"}

package/dist/esm/core_engine/coreSimulatorEngine.js ADDED Viewed

@@ -0,0 +1,58 @@
+import { requestMatchesStatementActions } from "../action/action.js";
+import { requestMatchesConditions } from "../condition/condition.js";
+import { requestMatchesStatementResources } from "../resource/resource.js";
+import { DefaultServiceAuthorizer } from "../services/DefaultServiceAuthorizer.js";
+const serviceEngines = {};
+/**
+ * Authorizes a request.
+ *
+ * This assumes all policies have been validated and the request is fully complete and valid.
+ *
+ * @param request the request to authorize
+ * @returns the result of the authorization
+ */
+export function authorize(request) {
+    const identityAnalysis = analyzeIdentityPolicies(request.identityPolicies, request.request);
+    const serviceAuthorizer = getServiceAuthorizer(request);
+    return serviceAuthorizer.authorize({
+        request: request.request,
+        identityStatements: identityAnalysis,
+    });
+}
+/**
+ * Get the appropriate service authorizer for the request. Some services have specific authorization logic in
+ * them. If there is no service specific authorizer, a default one will be used.
+ *
+ * @param request the request to get the authorizer for
+ * @returns the service authorizer for the request
+ */
+export function getServiceAuthorizer(request) {
+    const serviceName = request.request.action.service().toLowerCase();
+    if (serviceEngines[serviceName]) {
+        return new serviceEngines[serviceName]();
+    }
+    return new DefaultServiceAuthorizer;
+}
+/**
+ * Analyzes a set of identity policies
+ *
+ * @param identityPolicies the identity policies to analyze
+ * @param request the request to analyze against
+ * @returns an array of statement analysis results
+ */
+export function analyzeIdentityPolicies(identityPolicies, request) {
+    const analysis = [];
+    for (const policy of identityPolicies) {
+        for (const statement of policy.statements()) {
+            analysis.push({
+                statement,
+                resourceMatch: requestMatchesStatementResources(request, statement),
+                actionMatch: requestMatchesStatementActions(request, statement),
+                conditionMatch: requestMatchesConditions(request, statement.conditions()),
+                principalMatch: 'Match',
+            });
+        }
+    }
+    return analysis;
+}
+//# sourceMappingURL=coreSimulatorEngine.js.map

package/dist/esm/core_engine/coreSimulatorEngine.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"coreSimulatorEngine.js","sourceRoot":"","sources":["../../../src/core_engine/coreSimulatorEngine.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,8BAA8B,EAAE,MAAM,qBAAqB,CAAC;AACrE,OAAO,EAAE,wBAAwB,EAAE,MAAM,2BAA2B,CAAC;AAGrE,OAAO,EAAE,gCAAgC,EAAE,MAAM,yBAAyB,CAAC;AAC3E,OAAO,EAAE,wBAAwB,EAAE,MAAM,yCAAyC,CAAC;AAmBnF,MAAM,cAAc,GAAgD,EAAE,CAAC;AAEvE;;;;;;;GAOG;AACH,MAAM,UAAU,SAAS,CAAC,OAA6B;IACrD,MAAM,gBAAgB,GAAG,uBAAuB,CAAC,OAAO,CAAC,gBAAgB,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAC5F,MAAM,iBAAiB,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC;IACxD,OAAO,iBAAiB,CAAC,SAAS,CAAC;QACjC,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,kBAAkB,EAAE,gBAAgB;KACrC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAA6B;IAChE,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,WAAW,EAAE,CAAC;IACnE,IAAG,cAAc,CAAC,WAAW,CAAC,EAAE,CAAC;QAC/B,OAAO,IAAI,cAAc,CAAC,WAAW,CAAC,EAAE,CAAC;IAC3C,CAAC;IACD,OAAO,IAAI,wBAAwB,CAAC;AACtC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,uBAAuB,CAAC,gBAA0B,EAAE,OAAmB;IACrF,MAAM,QAAQ,GAAwB,EAAE,CAAC;IACzC,KAAI,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;QACrC,KAAI,MAAM,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;YAC3C,QAAQ,CAAC,IAAI,CAAC;gBACZ,SAAS;gBACT,aAAa,EAAE,gCAAgC,CAAC,OAAO,EAAE,SAAS,CAAC;gBACnE,WAAW,EAAE,8BAA8B,CAAC,OAAO,EAAE,SAAS,CAAC;gBAC/D,cAAc,EAAE,wBAAwB,CAAC,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE,CAAC;gBACzE,cAAc,EAAE,OAAO;aACxB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/esm/evaluate.d.ts CHANGED Viewed

@@ -1,2 +1,2 @@
-export type EvaluationResult = 'Allowed' | 'Denied' | 'AllowedWithConditions' | 'ImplicitlyDenied';
+export type EvaluationResult = 'Allowed' | 'ExplicitlyDenied' | 'AllowedWithConditions' | 'ImplicitlyDenied' | 'Unknown';
 //# sourceMappingURL=evaluate.d.ts.map

package/dist/esm/evaluate.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"evaluate.d.ts","sourceRoot":"","sources":["../../src/evaluate.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,gBAAgB,GAAG,SAAS,GAAG,~~QAAQ~~,GAAG,uBAAuB,GAAG,kBAAkB,CAAC"}
1	+ {"version":3,"file":"evaluate.d.ts","sourceRoot":"","sources":["../../src/evaluate.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,gBAAgB,GAAG,SAAS,GAAG,kBAAkB,GAAG,uBAAuB,GAAG,kBAAkB,GAAG,SAAS,CAAC"}

package/dist/esm/index.d.ts CHANGED Viewed

@@ -1 +1,5 @@
+export { authorize, type AuthorizationRequest } from './core_engine/coreSimulatorEngine.js';
+export { type EvaluationResult } from './evaluate.js';
+export { AwsRequestImpl, type AwsRequest } from './request/request.js';
+export { RequestContextImpl, type RequestContext } from './requestContext.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/esm/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":""}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,KAAK,oBAAoB,EAAE,MAAM,sCAAsC,CAAC;AAC5F,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACtD,OAAO,EAAE,cAAc,EAAE,KAAK,UAAU,EAAE,MAAM,sBAAsB,CAAC;AACvE,OAAO,EAAE,kBAAkB,EAAE,KAAK,cAAc,EAAE,MAAM,qBAAqB,CAAC"}

package/dist/esm/index.js CHANGED Viewed

@@ -1,2 +1,4 @@
-"use strict";
+export { authorize } from './core_engine/coreSimulatorEngine.js';
+export { AwsRequestImpl } from './request/request.js';
+export { RequestContextImpl } from './requestContext.js';
 //# sourceMappingURL=index.js.map

package/dist/esm/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":""}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAA6B,MAAM,sCAAsC,CAAC;AAE5F,OAAO,EAAE,cAAc,EAAmB,MAAM,sBAAsB,CAAC;AACvE,OAAO,EAAE,kBAAkB,EAAuB,MAAM,qBAAqB,CAAC"}

package/dist/esm/principal/principal.d.ts CHANGED Viewed

@@ -1,6 +1,6 @@
 import { Principal } from "@cloud-copilot/iam-policy";
 import { AwsRequest } from "../request/request.js";
-type PrincipalMatchResult = 'Match' | 'NoMatch' | 'AccountLevelMatch';
+export type PrincipalMatchResult = 'Match' | 'NoMatch' | 'AccountLevelMatch';
 /**
  * Check to see if a request matches a Principal element in an IAM policy statement
  *
@@ -27,5 +27,4 @@ export declare function requestMatchesNotPrincipal(request: AwsRequest, notPrinc
 export declare function requestMatchesPrincipalStatement(request: AwsRequest, principalStatement: Principal): PrincipalMatchResult;
 export declare function isAssumedRoleArn(principal: string): boolean;
 export declare function roleArnFromAssumedRoleArn(assumedRoleArn: string): string;
-export {};
 //# sourceMappingURL=principal.d.ts.map

package/dist/esm/principal/principal.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"principal.d.ts","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AA4CnD,~~KAAK~~,oBAAoB,GAAG,OAAO,GAAG,SAAS,GAAG,mBAAmB,CAAA;~~AAErE~~;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,oBAAoB,CAWzG;AAED;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,SAAS,EAAE,GAAG,oBAAoB,CAiB/G;AAED;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAAC,OAAO,EAAE,UAAU,EAAE,kBAAkB,EAAE,SAAS,GAAG,oBAAoB,CAgDzH;AAID,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAE3D;AAED,wBAAgB,yBAAyB,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAKxE"}
1	+ {"version":3,"file":"principal.d.ts","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AA4CnD,MAAM,MAAM,oBAAoB,GAAG,OAAO,GAAG,SAAS,GAAG,mBAAmB,CAAA;AAE5E;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,oBAAoB,CAWzG;AAED;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,SAAS,EAAE,GAAG,oBAAoB,CAiB/G;AAED;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAAC,OAAO,EAAE,UAAU,EAAE,kBAAkB,EAAE,SAAS,GAAG,oBAAoB,CAgDzH;AAID,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAE3D;AAED,wBAAgB,yBAAyB,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAKxE"}

package/dist/esm/request/request.d.ts CHANGED Viewed

@@ -2,7 +2,6 @@ import { ContextKey, RequestContext } from "../requestContext.js";
 import { RequestAction } from "./requestAction.js";
 import { RequestPrincipal } from "./requestPrincipal.js";
 import { RequestResource } from "./requestResource.js";
-import { RequestSupplementalData } from "./requestSupplementalData.js";
 /**
  * A request to be evaluated by the policy engine
  */
@@ -15,7 +14,7 @@ export interface AwsRequest {
     /**
      * The resource to be acted upon
      */
-    resource?: RequestResource;
+    resource: RequestResource;
     /**
      * The context of the request
      */
@@ -38,11 +37,16 @@ export interface AwsRequest {
 }
 export declare class AwsRequestImpl implements AwsRequest {
     readonly principalString: string;
-    readonly resourceString: string | undefined;
+    readonly resourceIdentifier: {
+        resource: string;
+        accountId: string;
+    };
     readonly actionString: string;
     readonly context: RequestContext;
-    readonly supplementalData: RequestSupplementalData;
-    constructor(principalString: string, resourceString: string | undefined, actionString: string, context: RequestContext, supplementalData: RequestSupplementalData);
+    constructor(principalString: string, resourceIdentifier: {
+        resource: string;
+        accountId: string;
+    }, actionString: string, context: RequestContext);
     get action(): RequestAction;
     get resource(): RequestResource;
     get principal(): RequestPrincipal;

package/dist/esm/request/request.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"request.d.ts","sourceRoot":"","sources":["../../../src/request/request.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAClE,OAAO,EAAE,aAAa,EAAqB,MAAM,oBAAoB,CAAC;AACtE,OAAO,EAAE,gBAAgB,EAAwB,MAAM,uBAAuB,CAAC;AAC/E,OAAO,EAAE,eAAe,EAAuB,MAAM,sBAAsB,CAAC;~~AAC5E,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AAEvE~~;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,SAAS,EAAE,gBAAgB,CAAC;IAE5B;;OAEG;IACH,MAAM,EAAE,aAAa,CAAC;IAEtB;;OAEG;IACH,QAAQ,~~CAAC,~~EAAE,eAAe,CAAC;~~IAE3B~~;;OAEG;IACH,OAAO,EAAE,cAAc,CAAA;IAEvB;;;;;;OAMG;IACH,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;IAEvC;;;;;OAKG;IACH,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAAC;CAC7C;AAED,qBAAa,cAAe,YAAW,UAAU;aAEnB,eAAe,EAAE,MAAM;aACvB,~~cAAc~~,EAAE,MAAM,~~GAAG~~,SAAS;~~aAClC~~,YAAY,EAAE,MAAM;aACpB,OAAO,EAAE,cAAc;~~aACvB~~,~~gBAAgB~~,EAAE,~~uBAAuB~~;~~gBAJzC~~,~~eAAe~~,EAAE,MAAM,~~EACvB~~,~~cAAc~~,EAAE,MAAM,~~GAAG~~,~~SAAS~~,~~EAClC,~~YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,cAAc~~,EACvB,gBAAgB,EAAE,uBAAuB~~;~~IAIrE~~,IAAI,MAAM,IAAI,aAAa,CAE1B;IAED,IAAI,QAAQ,IAAI,eAAe,~~CAK9B~~;IAED,IAAI,SAAS,IAAI,gBAAgB,CAEhC;IAGM,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;IAKtC,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU;~~CAMnD~~"}
1	+ {"version":3,"file":"request.d.ts","sourceRoot":"","sources":["../../../src/request/request.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAClE,OAAO,EAAE,aAAa,EAAqB,MAAM,oBAAoB,CAAC;AACtE,OAAO,EAAE,gBAAgB,EAAwB,MAAM,uBAAuB,CAAC;AAC/E,OAAO,EAAE,eAAe,EAAuB,MAAM,sBAAsB,CAAC;AAE5E;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,SAAS,EAAE,gBAAgB,CAAC;IAE5B;;OAEG;IACH,MAAM,EAAE,aAAa,CAAC;IAEtB;;OAEG;IACH,QAAQ,EAAE,eAAe,CAAC;IAE1B;;OAEG;IACH,OAAO,EAAE,cAAc,CAAA;IAEvB;;;;;;OAMG;IACH,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;IAEvC;;;;;OAKG;IACH,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAAC;CAC7C;AAED,qBAAa,cAAe,YAAW,UAAU;aAEnB,eAAe,EAAE,MAAM;aACvB,kBAAkB,EAAE;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAC;aACzD,YAAY,EAAE,MAAM;aACpB,OAAO,EAAE,cAAc;gBAHvB,eAAe,EAAE,MAAM,EACvB,kBAAkB,EAAE;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAC,EACzD,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,cAAc;IAInD,IAAI,MAAM,IAAI,aAAa,CAE1B;IAED,IAAI,QAAQ,IAAI,eAAe,CAE9B;IAED,IAAI,SAAS,IAAI,gBAAgB,CAEhC;IAGM,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;IAKtC,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU;CAOnD"}

package/dist/esm/request/request.js CHANGED Viewed

@@ -2,27 +2,23 @@ import { RequestActionImpl } from "./requestAction.js";
 import { RequestPrincipalImpl } from "./requestPrincipal.js";
 import { ResourceRequestImpl } from "./requestResource.js";
 export class AwsRequestImpl {
-    constructor(principalString, resourceString, actionString, context, supplementalData) {
+    constructor(principalString, resourceIdentifier, actionString, context) {
         this.principalString = principalString;
-        this.resourceString = resourceString;
+        this.resourceIdentifier = resourceIdentifier;
         this.actionString = actionString;
         this.context = context;
-        this.supplementalData = supplementalData;
     }
     get action() {
         return new RequestActionImpl(this.actionString);
     }
     get resource() {
-        if (this.resourceString === undefined) {
-            throw new Error('Resource is undefined');
-        }
-        return new ResourceRequestImpl(this.resourceString);
+        return new ResourceRequestImpl(this.resourceIdentifier.resource, this.resourceIdentifier.accountId);
     }
     get principal() {
         return new RequestPrincipalImpl(this.principalString);
     }
     contextKeyExists(key) {
-        return this.supplementalData.contextKeyValidForRequest(key) && this.context.contextKeyExists(key);
+        return this.context.contextKeyExists(key);
     }
     getContextKeyValue(key) {
         if (!this.contextKeyExists(key)) {

package/dist/esm/request/request.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"request.js","sourceRoot":"","sources":["../../../src/request/request.ts"],"names":[],"mappings":"AACA,OAAO,EAAiB,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACtE,OAAO,EAAoB,oBAAoB,EAAE,MAAM,uBAAuB,CAAC;AAC/E,OAAO,EAAmB,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;~~AA0C5E~~,MAAM,OAAO,cAAc;IAEzB,YAA4B,eAAuB,EACvB,~~cAAkC~~,~~EAClC~~,YAAoB,EACpB,OAAuB~~,EACvB,gBAAyC~~;~~QAJzC~~,oBAAe,GAAf,eAAe,CAAQ;QACvB,~~mBAAc~~,~~GAAd~~,~~cAAc~~,~~CAAoB~~;~~QAClC~~,iBAAY,GAAZ,YAAY,CAAQ;QACpB,YAAO,GAAP,OAAO,CAAgB;~~QACvB~~,~~qBAAgB,GAAhB,gBAAgB,CAAyB;IAErE,~~CAAC;IAED,IAAI,MAAM;QACR,OAAO,IAAI,iBAAiB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAClD,CAAC;IAED,IAAI,QAAQ;QACV,~~IAAG~~,IAAI,~~CAAC~~,~~cAAc,KAAK,SAAS,EAAE,~~CAAC~~;YACrC~~,~~MAAM,~~IAAI,~~KAAK,~~CAAC,~~uBAAuB~~,CAAC,~~CAAA;QAC1C~~,~~CAAC;QACD~~,~~OAAO,~~IAAI,~~mBAAmB,~~CAAC,~~IAAI~~,CAAC,~~cAAc~~,CAAC,CAAC;~~IACtD~~,CAAC;IAED,IAAI,SAAS;QACX,OAAO,IAAI,oBAAoB,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IACxD,CAAC;IAGM,gBAAgB,CAAC,GAAW;QACjC,OAAO,IAAI,CAAC,~~gBAAgB,CAAC,yBAAyB,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,~~OAAO,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC;~~IACpG~~,CAAC;IAGM,kBAAkB,CAAC,GAAW;QACnC,IAAG,CAAC,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CAAC,wBAAwB,GAAG,EAAE,CAAC,CAAA;QAChD,CAAC;QACD,OAAO,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;IAC3C,CAAC;~~CACF~~"}
1	+ {"version":3,"file":"request.js","sourceRoot":"","sources":["../../../src/request/request.ts"],"names":[],"mappings":"AACA,OAAO,EAAiB,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACtE,OAAO,EAAoB,oBAAoB,EAAE,MAAM,uBAAuB,CAAC;AAC/E,OAAO,EAAmB,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAyC5E,MAAM,OAAO,cAAc;IAEzB,YAA4B,eAAuB,EACvB,kBAAyD,EACzD,YAAoB,EACpB,OAAuB;QAHvB,oBAAe,GAAf,eAAe,CAAQ;QACvB,uBAAkB,GAAlB,kBAAkB,CAAuC;QACzD,iBAAY,GAAZ,YAAY,CAAQ;QACpB,YAAO,GAAP,OAAO,CAAgB;IAEnD,CAAC;IAED,IAAI,MAAM;QACR,OAAO,IAAI,iBAAiB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAClD,CAAC;IAED,IAAI,QAAQ;QACV,OAAO,IAAI,mBAAmB,CAAC,IAAI,CAAC,kBAAkB,CAAC,QAAQ,EAAE,IAAI,CAAC,kBAAkB,CAAC,SAAS,CAAC,CAAC;IACtG,CAAC;IAED,IAAI,SAAS;QACX,OAAO,IAAI,oBAAoB,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IACxD,CAAC;IAGM,gBAAgB,CAAC,GAAW;QACjC,OAAO,IAAI,CAAC,OAAO,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC;IAC5C,CAAC;IAGM,kBAAkB,CAAC,GAAW;QACnC,IAAG,CAAC,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CAAC,wBAAwB,GAAG,EAAE,CAAC,CAAA;QAChD,CAAC;QACD,OAAO,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;IAC3C,CAAC;CAEF"}

package/dist/esm/request/requestResource.d.ts CHANGED Viewed

@@ -23,15 +23,21 @@ export interface RequestResource {
      * The resource of the ARN
      */
     resource(): string;
+    /**
+     * The account ID of the resource, independent of what is in the ARN
+     */
+    accountId(): string;
 }
 export declare class ResourceRequestImpl implements RequestResource {
     private readonly rawValue;
-    constructor(rawValue: string);
+    private readonly accountIdString;
+    constructor(rawValue: string, accountIdString: string);
     partition(): string;
     service(): string;
     region(): string;
     account(): string;
     resource(): string;
     value(): string;
+    accountId(): string;
 }
 //# sourceMappingURL=requestResource.d.ts.map

package/dist/esm/request/requestResource.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"requestResource.d.ts","sourceRoot":"","sources":["../../../src/request/requestResource.ts"],"names":[],"mappings":"AACA,MAAM,WAAW,eAAe;IAC9B;;OAEG;IACH,KAAK,IAAI,MAAM,CAAA;IAEf;;OAEG;IACH,SAAS,IAAI,MAAM,CAAA;IAEnB;;OAEG;IACH,OAAO,IAAI,MAAM,CAAA;IAEjB;;OAEG;IACH,MAAM,IAAI,MAAM,CAAA;IAEhB;;OAEG;IACH,OAAO,IAAI,MAAM,CAAA;IAEjB;;OAEG;IACH,QAAQ,IAAI,MAAM,CAAA;~~CACnB~~;AAGD,qBAAa,mBAAoB,YAAW,eAAe;IAC7C,OAAO,CAAC,QAAQ,CAAC,QAAQ;~~gBAAR~~,QAAQ,EAAE,MAAM;~~IAE7C~~,SAAS,IAAI,MAAM;IAInB,OAAO,IAAI,MAAM;IAIjB,MAAM,IAAI,MAAM;IAIhB,OAAO,IAAI,MAAM;IAIjB,QAAQ,IAAI,MAAM;IAIlB,KAAK,IAAI,MAAM;~~CAGhB~~"}
1	+ {"version":3,"file":"requestResource.d.ts","sourceRoot":"","sources":["../../../src/request/requestResource.ts"],"names":[],"mappings":"AACA,MAAM,WAAW,eAAe;IAC9B;;OAEG;IACH,KAAK,IAAI,MAAM,CAAA;IAEf;;OAEG;IACH,SAAS,IAAI,MAAM,CAAA;IAEnB;;OAEG;IACH,OAAO,IAAI,MAAM,CAAA;IAEjB;;OAEG;IACH,MAAM,IAAI,MAAM,CAAA;IAEhB;;OAEG;IACH,OAAO,IAAI,MAAM,CAAA;IAEjB;;OAEG;IACH,QAAQ,IAAI,MAAM,CAAA;IAElB;;OAEG;IACH,SAAS,IAAI,MAAM,CAAA;CACpB;AAGD,qBAAa,mBAAoB,YAAW,eAAe;IAC7C,OAAO,CAAC,QAAQ,CAAC,QAAQ;IAAU,OAAO,CAAC,QAAQ,CAAC,eAAe;gBAAlD,QAAQ,EAAE,MAAM,EAAmB,eAAe,EAAE,MAAM;IAEvF,SAAS,IAAI,MAAM;IAInB,OAAO,IAAI,MAAM;IAIjB,MAAM,IAAI,MAAM;IAIhB,OAAO,IAAI,MAAM;IAIjB,QAAQ,IAAI,MAAM;IAIlB,KAAK,IAAI,MAAM;IAIf,SAAS,IAAI,MAAM;CAGpB"}

package/dist/esm/request/requestResource.js CHANGED Viewed

@@ -1,6 +1,7 @@
 export class ResourceRequestImpl {
-    constructor(rawValue) {
+    constructor(rawValue, accountIdString) {
         this.rawValue = rawValue;
+        this.accountIdString = accountIdString;
     }
     partition() {
         return this.value().split(":").at(1);
@@ -20,5 +21,8 @@ export class ResourceRequestImpl {
     value() {
         return this.rawValue;
     }
+    accountId() {
+        return this.accountIdString;
+    }
 }
 //# sourceMappingURL=requestResource.js.map

package/dist/esm/request/requestResource.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"requestResource.js","sourceRoot":"","sources":["../../../src/request/requestResource.ts"],"names":[],"mappings":"~~AAkCA~~,MAAM,OAAO,mBAAmB;IAC9B,YAA6B,QAAgB;~~QAAhB~~,aAAQ,GAAR,QAAQ,CAAQ;~~IAAG~~,CAAC;~~IAEjD~~,SAAS;QACP,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAE,CAAA;IACvC,CAAC;IAED,OAAO;QACL,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAE,CAAA;IACvC,CAAC;IAED,MAAM;QACJ,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAE,CAAA;IACvC,CAAC;IAED,OAAO;QACL,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAE,CAAA;IACvC,CAAC;IAED,QAAQ;QACN,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACnD,CAAC;IAED,KAAK;QACH,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;CACF"}
1	+ {"version":3,"file":"requestResource.js","sourceRoot":"","sources":["../../../src/request/requestResource.ts"],"names":[],"mappings":"AAuCA,MAAM,OAAO,mBAAmB;IAC9B,YAA6B,QAAgB,EAAmB,eAAuB;QAA1D,aAAQ,GAAR,QAAQ,CAAQ;QAAmB,oBAAe,GAAf,eAAe,CAAQ;IAAI,CAAC;IAE5F,SAAS;QACP,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAE,CAAA;IACvC,CAAC;IAED,OAAO;QACL,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAE,CAAA;IACvC,CAAC;IAED,MAAM;QACJ,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAE,CAAA;IACvC,CAAC;IAED,OAAO;QACL,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAE,CAAA;IACvC,CAAC;IAED,QAAQ;QACN,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACnD,CAAC;IAED,KAAK;QACH,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;IAED,SAAS;QACP,OAAO,IAAI,CAAC,eAAe,CAAA;IAC7B,CAAC;CACF"}

package/dist/esm/resource/resource.d.ts CHANGED Viewed

@@ -1,5 +1,13 @@
-import { Resource } from "@cloud-copilot/iam-policy";
+import { Resource, Statement } from "@cloud-copilot/iam-policy";
 import { AwsRequest } from "../request/request.js";
+/**
+ * Check if a request matches the Resource or NotResource elements of a statement.
+ *
+ * @param request the request to check
+ * @param statement the statement to check against
+ * @returns true if the request matches the resources in the statement, false otherwise
+ */
+export declare function requestMatchesStatementResources(request: AwsRequest, statement: Statement): boolean;
 /**
  * Check if a request matches a set of resources.
  *
@@ -8,5 +16,12 @@ import { AwsRequest } from "../request/request.js";
  * @returns true if the request matches any of the resources, false otherwise
  */
 export declare function requestMatchesResources(request: AwsRequest, policyResources: Resource[]): boolean;
+/**
+ * Check if a request matches a NotResource element in a policy.
+ *
+ * @param request the request to check
+ * @param policyResources the resources to check against
+ * @returns true if the request does not match any of the resources, false otherwise
+ */
 export declare function requestMatchesNotResources(request: AwsRequest, policyResources: Resource[]): boolean;
 //# sourceMappingURL=resource.d.ts.map

package/dist/esm/resource/resource.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"resource.d.ts","sourceRoot":"","sources":["../../../src/resource/resource.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,2BAA2B,CAAC;~~AACrD~~,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAmBnD;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,QAAQ,EAAE,GAAG,OAAO,CAEjG;AAED,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,QAAQ,EAAE,GAAG,OAAO,CAEpG"}
1	+ {"version":3,"file":"resource.d.ts","sourceRoot":"","sources":["../../../src/resource/resource.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AAChE,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAmBnD;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,GAAG,OAAO,CAOnG;AAGD;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,QAAQ,EAAE,GAAG,OAAO,CAEjG;AAED;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,QAAQ,EAAE,GAAG,OAAO,CAEpG"}

package/dist/esm/resource/resource.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { convertIamStringToRegex } from "../util.js";
+import { convertIamStringToRegex, getResourceSegments } from "../util.js";
 //TODO: Make a check to see if the action is a wildcard only action. This will have to happen outside of these functions.
 /**
  * Convert a resource segment to a regular expression. This is without variables.
@@ -13,6 +13,22 @@ function convertResourceSegmentToRegex(segment) {
     const pattern = "^" + segment.replace(/\?/g, '.').replace(/\*/g, '.*?') + "$";
     return new RegExp(pattern, 'i');
 }
+/**
+ * Check if a request matches the Resource or NotResource elements of a statement.
+ *
+ * @param request the request to check
+ * @param statement the statement to check against
+ * @returns true if the request matches the resources in the statement, false otherwise
+ */
+export function requestMatchesStatementResources(request, statement) {
+    if (statement.isResourceStatement()) {
+        return requestMatchesResources(request, statement.resources());
+    }
+    else if (statement.isNotResourceStatement()) {
+        return requestMatchesNotResources(request, statement.notResources());
+    }
+    return true;
+}
 /**
  * Check if a request matches a set of resources.
  *
@@ -23,6 +39,13 @@ function convertResourceSegmentToRegex(segment) {
 export function requestMatchesResources(request, policyResources) {
     return policyResources.some(policyResource => singleResourceMatchesRequest(request, policyResource));
 }
+/**
+ * Check if a request matches a NotResource element in a policy.
+ *
+ * @param request the request to check
+ * @param policyResources the resources to check against
+ * @returns true if the request does not match any of the resources, false otherwise
+ */
 export function requestMatchesNotResources(request, policyResources) {
     return !requestMatchesResources(request, policyResources);
 }
@@ -69,29 +92,4 @@ function singleResourceMatchesRequest(request, policyResource) {
         throw new Error('Unknown resource type');
     }
 }
-/**
- * Splits a resource into two segments. The first segment is the product segment and the second segment is the resource id segment.
- * This could be split by a colon or a slash, so it checks for both.
- *
- * @param resource The resource to split
- * @returns a tuple with the first segment being the product segment (including the separator) and the second segment being the resource id.
- */
-function getResourceSegments(resource) {
-    const slashIndex = resource.indexOf('/');
-    const colonIndex = resource.indexOf(':');
-    let splitIndex = slashIndex;
-    if (slashIndex != -1 && colonIndex != -1) {
-        splitIndex = Math.min(slashIndex, colonIndex) + 1;
-    }
-    else if (colonIndex == -1) {
-        splitIndex = slashIndex + 1;
-    }
-    else if (slashIndex == -1) {
-        splitIndex = colonIndex + 1;
-    }
-    else {
-        throw new Error(`Unable to split resource ${resource}`);
-    }
-    return [resource.slice(0, splitIndex), resource.slice(splitIndex)];
-}
 //# sourceMappingURL=resource.js.map

package/dist/esm/resource/resource.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"resource.js","sourceRoot":"","sources":["../../../src/resource/resource.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,uBAAuB,EAAE,MAAM,YAAY,CAAC;~~AAErD~~,yHAAyH;AAEzH;;;;;GAKG;AACH,SAAS,6BAA6B,CAAC,OAAe;IACpD,IAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IACD,MAAM,OAAO,GAAG,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,GAAG,CAAA;IAC7E,OAAO,IAAI,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;AACjC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,uBAAuB,CAAC,OAAmB,EAAE,eAA2B;IACtF,OAAO,eAAe,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE,CAAC,4BAA4B,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC,CAAA;AACtG,CAAC;AAED,MAAM,UAAU,0BAA0B,CAAC,OAAmB,EAAE,eAA2B;IACzF,OAAO,CAAC,uBAAuB,CAAC,OAAO,EAAE,eAAe,CAAC,CAAA;AAC3D,CAAC;AAED;;;;;;GAMG;AACH,SAAS,4BAA4B,CAAC,OAAmB,EAAE,cAAwB;IACjF,IAAG,cAAc,CAAC,cAAc,EAAE,EAAE,CAAC;QACnC,OAAO,IAAI,CAAC;IACd,CAAC;SAAM,IAAG,cAAc,CAAC,aAAa,EAAE,EAAE,CAAC;QACzC,IAAG,CAAC,OAAO,CAAC,QAAQ,EAAG,CAAC;YACtB,OAAO,KAAK,CAAA;QACd,CAAC;QAED,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAA;QACjC,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,SAAS,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC,EAAE,CAAC;YACzF,OAAO,KAAK,CAAA;QACd,CAAC;QAED,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;YACrF,OAAO,KAAK,CAAA;QACd,CAAC;QAED,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,CAAC;YACnF,OAAO,KAAK,CAAA;QACd,CAAC;QAED,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;YACrF,OAAO,KAAK,CAAA;QACd,CAAC;QAED,gKAAgK;QAChK,MAAM,CAAC,aAAa,EAAE,gBAAgB,CAAC,GAAG,mBAAmB,CAAC,cAAc,CAAC,QAAQ,EAAE,CAAC,CAAA;QAExF,IAAG,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;YAClD,OAAO,KAAK,CAAA;QACd,CAAC;QAED,MAAM,iBAAiB,GAAG,QAAQ,CAAC,QAAQ,EAAE,CAAC,KAAK,CAAC,aAAa,CAAC,MAAM,CAAC,CAAA;QAEzE,IAAG,CAAC,uBAAuB,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,EAAE,CAAC;YAC/E,OAAO,KAAK,CAAA;QACd,CAAC;QAED,OAAO,IAAI,CAAA;IACb,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAS,mBAAmB,CAAC,QAAgB;IAC3C,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IACxC,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IAExC,IAAI,UAAU,GAAG,UAAU,CAAA;IAC3B,IAAG,UAAU,IAAI,CAAC,CAAC,IAAI,UAAU,IAAI,CAAC,CAAC,EAAE,CAAC;QACxC,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,UAAU,CAAC,GAAG,CAAC,CAAA;IACnD,CAAC;SAAM,IAAI,UAAU,IAAI,CAAC,CAAC,EAAE,CAAC;QAC5B,UAAU,GAAG,UAAU,GAAG,CAAC,CAAA;IAC7B,CAAC;SAAM,IAAI,UAAU,IAAI,CAAC,CAAC,EAAE,CAAC;QAC5B,UAAU,GAAG,UAAU,GAAG,CAAC,CAAA;IAC7B,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,4BAA4B,QAAQ,EAAE,CAAC,CAAA;IACzD,CAAC;IAED,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,EAAE,QAAQ,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAA;AACpE,CAAC"}
1	+ {"version":3,"file":"resource.js","sourceRoot":"","sources":["../../../src/resource/resource.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,uBAAuB,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAE1E,yHAAyH;AAEzH;;;;;GAKG;AACH,SAAS,6BAA6B,CAAC,OAAe;IACpD,IAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IACD,MAAM,OAAO,GAAG,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,GAAG,CAAA;IAC7E,OAAO,IAAI,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;AACjC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gCAAgC,CAAC,OAAmB,EAAE,SAAoB;IACxF,IAAG,SAAS,CAAC,mBAAmB,EAAE,EAAE,CAAC;QACnC,OAAO,uBAAuB,CAAC,OAAO,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,CAAC;IACjE,CAAC;SAAM,IAAG,SAAS,CAAC,sBAAsB,EAAE,EAAE,CAAC;QAC7C,OAAO,0BAA0B,CAAC,OAAO,EAAE,SAAS,CAAC,YAAY,EAAE,CAAC,CAAC;IACvE,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAGD;;;;;;GAMG;AACH,MAAM,UAAU,uBAAuB,CAAC,OAAmB,EAAE,eAA2B;IACtF,OAAO,eAAe,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE,CAAC,4BAA4B,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC,CAAA;AACtG,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,0BAA0B,CAAC,OAAmB,EAAE,eAA2B;IACzF,OAAO,CAAC,uBAAuB,CAAC,OAAO,EAAE,eAAe,CAAC,CAAA;AAC3D,CAAC;AAED;;;;;;GAMG;AACH,SAAS,4BAA4B,CAAC,OAAmB,EAAE,cAAwB;IACjF,IAAG,cAAc,CAAC,cAAc,EAAE,EAAE,CAAC;QACnC,OAAO,IAAI,CAAC;IACd,CAAC;SAAM,IAAG,cAAc,CAAC,aAAa,EAAE,EAAE,CAAC;QACzC,IAAG,CAAC,OAAO,CAAC,QAAQ,EAAG,CAAC;YACtB,OAAO,KAAK,CAAA;QACd,CAAC;QAED,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAA;QACjC,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,SAAS,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC,EAAE,CAAC;YACzF,OAAO,KAAK,CAAA;QACd,CAAC;QAED,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;YACrF,OAAO,KAAK,CAAA;QACd,CAAC;QAED,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,CAAC;YACnF,OAAO,KAAK,CAAA;QACd,CAAC;QAED,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;YACrF,OAAO,KAAK,CAAA;QACd,CAAC;QAED,gKAAgK;QAChK,MAAM,CAAC,aAAa,EAAE,gBAAgB,CAAC,GAAG,mBAAmB,CAAC,cAAc,CAAC,QAAQ,EAAE,CAAC,CAAA;QAExF,IAAG,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;YAClD,OAAO,KAAK,CAAA;QACd,CAAC;QAED,MAAM,iBAAiB,GAAG,QAAQ,CAAC,QAAQ,EAAE,CAAC,KAAK,CAAC,aAAa,CAAC,MAAM,CAAC,CAAA;QAEzE,IAAG,CAAC,uBAAuB,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,EAAE,CAAC;YAC/E,OAAO,KAAK,CAAA;QACd,CAAC;QAED,OAAO,IAAI,CAAA;IACb,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;AACH,CAAC"}

package/dist/esm/services/DefaultServiceAuthorizer.d.ts ADDED Viewed

@@ -0,0 +1,12 @@
+import { EvaluationResult } from "../evaluate.js";
+import { StatementAnalysis } from "../StatementAnalysis.js";
+import { ServiceAuthorizationRequest, ServiceAuthorizer } from "./ServiceAuthorizer.js";
+export declare class DefaultServiceAuthorizer implements ServiceAuthorizer {
+    authorize(request: ServiceAuthorizationRequest): EvaluationResult;
+    identityStatementResult(request: ServiceAuthorizationRequest): EvaluationResult;
+    identityStatementAllows(statement: StatementAnalysis): boolean;
+    identityStatementUknownAllow(statement: StatementAnalysis): boolean;
+    identityStatementUknownDeny(statement: StatementAnalysis): boolean;
+    identityStatementExplicitDeny(statement: StatementAnalysis): boolean;
+}
+//# sourceMappingURL=DefaultServiceAuthorizer.d.ts.map

package/dist/esm/services/DefaultServiceAuthorizer.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,EAAE,2BAA2B,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAExF,qBAAa,wBAAyB,YAAW,iBAAiB;IACzD,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,gBAAgB;IAqBjE,uBAAuB,CAAC,OAAO,EAAE,2BAA2B,GAAG,gBAAgB;IAoB/E,uBAAuB,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;IAU9D,4BAA4B,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;IAUnE,2BAA2B,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;IAUlE,6BAA6B,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;CAS5E"}

package/dist/esm/services/DefaultServiceAuthorizer.js ADDED Viewed

@@ -0,0 +1,75 @@
+export class DefaultServiceAuthorizer {
+    authorize(request) {
+        const identityStatementResult = this.identityStatementResult(request);
+        const principalAccount = request.request.principal.accountId();
+        const resourceAccount = request.request.resource?.accountId();
+        /**
+         * Add checks for:
+         * * resource policies
+         * * service control policies
+         * * boundary policies
+         * * vpc endpoint policies
+         * * session policies (maybe these are just part of identity policies?)
+         */
+        if (identityStatementResult === 'Allowed') {
+            if (principalAccount === resourceAccount) {
+                return identityStatementResult;
+            }
+            return 'ImplicitlyDenied';
+        }
+        return identityStatementResult;
+    }
+    identityStatementResult(request) {
+        const explicitDeny = request.identityStatements.some(s => this.identityStatementExplicitDeny(s));
+        if (explicitDeny) {
+            return 'ExplicitlyDenied';
+        }
+        const explicitAllow = request.identityStatements.some(s => this.identityStatementAllows(s));
+        const possibleDeny = request.identityStatements.some(s => this.identityStatementUknownDeny(s));
+        if (explicitAllow) {
+            return possibleDeny ? 'Unknown' : 'Allowed';
+        }
+        const possibleAllow = request.identityStatements.some(s => this.identityStatementUknownAllow(s));
+        if (possibleAllow) {
+            return 'Unknown';
+        }
+        return 'ImplicitlyDenied';
+    }
+    identityStatementAllows(statement) {
+        if (statement.resourceMatch &&
+            statement.actionMatch &&
+            statement.conditionMatch === 'Match' &&
+            statement.statement.effect() === 'Allow') {
+            return true;
+        }
+        return false;
+    }
+    identityStatementUknownAllow(statement) {
+        if (statement.resourceMatch &&
+            statement.actionMatch &&
+            statement.conditionMatch === 'Unknown' &&
+            statement.statement.effect() === 'Allow') {
+            return true;
+        }
+        return false;
+    }
+    identityStatementUknownDeny(statement) {
+        if (statement.resourceMatch &&
+            statement.actionMatch &&
+            statement.conditionMatch === 'Unknown' &&
+            statement.statement.effect() === 'Deny') {
+            return true;
+        }
+        return false;
+    }
+    identityStatementExplicitDeny(statement) {
+        if (statement.resourceMatch &&
+            statement.actionMatch &&
+            statement.conditionMatch === 'Match' &&
+            statement.statement.effect() === 'Deny') {
+            return true;
+        }
+        return false;
+    }
+}
+//# sourceMappingURL=DefaultServiceAuthorizer.js.map

package/dist/esm/services/DefaultServiceAuthorizer.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAIA,MAAM,OAAO,wBAAwB;IAC5B,SAAS,CAAC,OAAoC;QACnD,MAAM,uBAAuB,GAAG,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC,CAAC;QACtE,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;QAC7D;;;;;;;WAOG;QACH,IAAG,uBAAuB,KAAK,SAAS,EAAE,CAAC;YACzC,IAAG,gBAAgB,KAAK,eAAe,EAAE,CAAC;gBACxC,OAAO,uBAAuB,CAAA;YAChC,CAAC;YACD,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QACD,OAAO,uBAAuB,CAAC;IACjC,CAAC;IAEM,uBAAuB,CAAC,OAAoC;QACjE,MAAM,YAAY,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC,CAAC,CAAC,CAAC;QACjG,IAAG,YAAY,EAAE,CAAC;YAChB,OAAO,kBAAkB,CAAC;QAC5B,CAAC;QAED,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC,CAAC,CAAC,CAAC;QAC5F,MAAM,YAAY,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/F,IAAG,aAAa,EAAE,CAAC;YACjB,OAAO,YAAY,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;QAC9C,CAAC;QAED,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC,CAAC,CAAC,CAAC;QACjG,IAAG,aAAa,EAAE,CAAC;YACjB,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,OAAO,kBAAkB,CAAA;IAC3B,CAAC;IAEM,uBAAuB,CAAC,SAA4B;QACzD,IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAAK,OAAO;YACpC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,OAAO,EAAE,CAAC;YACzC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAEM,4BAA4B,CAAC,SAA4B;QAC9D,IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAAK,SAAS;YACtC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,OAAO,EAAE,CAAC;YACzC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAEM,2BAA2B,CAAC,SAA4B;QAC7D,IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAAK,SAAS;YACtC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,MAAM,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAEM,6BAA6B,CAAC,SAA4B;QAC/D,IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAAK,OAAO;YACpC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,MAAM,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;CACF"}

package/dist/esm/services/ServiceAuthorizer.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import { EvaluationResult } from "../evaluate.js";
+import { AwsRequest } from "../request/request.js";
+import { StatementAnalysis } from "../StatementAnalysis.js";
+export interface ServiceAuthorizationRequest {
+    request: AwsRequest;
+    identityStatements: StatementAnalysis[];
+}
+export interface ServiceAuthorizer {
+    authorize(request: ServiceAuthorizationRequest): EvaluationResult;
+}
+//# sourceMappingURL=ServiceAuthorizer.d.ts.map

package/dist/esm/services/ServiceAuthorizer.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"ServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/ServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAE5D,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,UAAU,CAAC;IACpB,kBAAkB,EAAE,iBAAiB,EAAE,CAAC;CACzC;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,gBAAgB,CAAA;CAClE"}

package/dist/esm/services/ServiceAuthorizer.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export {};
2	+ //# sourceMappingURL=ServiceAuthorizer.js.map

package/dist/esm/services/ServiceAuthorizer.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"ServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/ServiceAuthorizer.ts"],"names":[],"mappings":""}

package/dist/esm/simulation_engine/contextKeys.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+export declare function allowedContextKeysForRequest(service: string, action: string, resource: string): Promise<string[]>;
+export declare function convertPatternToRegex(pattern: string): string;
+//# sourceMappingURL=contextKeys.d.ts.map

package/dist/esm/simulation_engine/contextKeys.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"contextKeys.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/contextKeys.ts"],"names":[],"mappings":"AAEA,wBAAsB,4BAA4B,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CA4BvH;AAED,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAsB7D"}

package/dist/esm/simulation_engine/contextKeys.js ADDED Viewed

@@ -0,0 +1,49 @@
+import { iamActionDetails, iamResourceTypeDetails } from "@cloud-copilot/iam-data";
+export async function allowedContextKeysForRequest(service, action, resource) {
+    const actionDetails = await iamActionDetails(service, action);
+    const actionConditionKeys = actionDetails.conditionKeys;
+    if (actionDetails.resourceTypes.length === 0) {
+        return actionConditionKeys;
+    }
+    const matchingResourceTypes = [];
+    for (const rt of actionDetails.resourceTypes) {
+        const resourceType = await iamResourceTypeDetails(service, rt.name);
+        const pattern = convertPatternToRegex(resourceType.arn);
+        const match = resource.match(new RegExp(pattern));
+        if (match) {
+            matchingResourceTypes.push(resourceType);
+        }
+    }
+    if (matchingResourceTypes.length != 1) {
+        const matchNames = matchingResourceTypes.map(rt => rt.key).join(", ");
+        throw new Error(`found ${matchingResourceTypes.length} matching resource types for ${resource}: ${matchNames}`);
+    }
+    console.log(matchingResourceTypes[0].key);
+    return [
+        ...matchingResourceTypes[0].conditionKeys,
+        ...actionConditionKeys
+    ];
+}
+export function convertPatternToRegex(pattern) {
+    const regex = pattern.replace(/\$\{.*?\}/g, (match) => {
+        const name = match.substring(2, match.length - 1);
+        const camelName = name.at(0)?.toLowerCase() + name.substring(1);
+        return `(?<${camelName}>(.*?))`;
+    });
+    return `^${regex}$`;
+    // const parts = pattern.split('/')
+    // const lastPart = parts[parts.length - 1]
+    // const modifiedParts = parts.map((part) => {
+    //   if (part.startsWith('${') && part.endsWith('}')) {
+    //     const name = part.substring(2, part.length - 1)
+    //     const camelName = name.at(0)?.toLowerCase() + name.substring(1)
+    //     if (part === lastPart) {
+    //       return `(?<${camelName}>(.*))`
+    //     }
+    //     return `(?<${camelName}>([^\/]+))`
+    //   }
+    //   return part
+    // })
+    // return modifiedParts.join('\/')
+}
+//# sourceMappingURL=contextKeys.js.map

package/dist/esm/simulation_engine/contextKeys.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"contextKeys.js","sourceRoot":"","sources":["../../../src/simulation_engine/contextKeys.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,sBAAsB,EAAgB,MAAM,yBAAyB,CAAC;AAEjG,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAAC,OAAe,EAAE,MAAc,EAAE,QAAgB;IAClG,MAAM,aAAa,GAAG,MAAM,gBAAgB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC9D,MAAM,mBAAmB,GAAG,aAAa,CAAC,aAAa,CAAC;IACxD,IAAG,aAAa,CAAC,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5C,OAAO,mBAAmB,CAAA;IAC5B,CAAC;IAED,MAAM,qBAAqB,GAAmB,EAAE,CAAC;IACjD,KAAI,MAAM,EAAE,IAAI,aAAa,CAAC,aAAa,EAAE,CAAC;QAC5C,MAAM,YAAY,GAAG,MAAM,sBAAsB,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC;QACpE,MAAM,OAAO,GAAG,qBAAqB,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;QACxD,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;QAClD,IAAG,KAAK,EAAE,CAAC;YACT,qBAAqB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC;IAED,IAAG,qBAAqB,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QACrC,MAAM,UAAU,GAAG,qBAAqB,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtE,MAAM,IAAI,KAAK,CAAC,SAAS,qBAAqB,CAAC,MAAM,gCAAgC,QAAQ,KAAK,UAAU,EAAE,CAAC,CAAC;IAClH,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAE1C,OAAO;QACL,GAAG,qBAAqB,CAAC,CAAC,CAAC,CAAC,aAAa;QACzC,GAAG,mBAAmB;KACvB,CAAA;AACH,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,OAAe;IACnD,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,EAAE;QACpD,MAAM,IAAI,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;QACjD,MAAM,SAAS,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAA;QAC/D,OAAO,MAAM,SAAS,SAAS,CAAA;IACjC,CAAC,CAAC,CAAA;IACF,OAAO,IAAI,KAAK,GAAG,CAAA;IAEnB,mCAAmC;IACnC,2CAA2C;IAC3C,8CAA8C;IAC9C,uDAAuD;IACvD,sDAAsD;IACtD,sEAAsE;IACtE,+BAA+B;IAC/B,uCAAuC;IACvC,QAAQ;IACR,yCAAyC;IACzC,MAAM;IACN,gBAAgB;IAChB,KAAK;IACL,kCAAkC;AACpC,CAAC"}