@cloud-copilot/iam-simulate 0.1.102 → 0.1.104
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +22 -7
- package/dist/cjs/index.d.ts +1 -1
- package/dist/cjs/index.d.ts.map +1 -1
- package/dist/cjs/index.js.map +1 -1
- package/dist/cjs/request/requestResource.d.ts +12 -0
- package/dist/cjs/request/requestResource.d.ts.map +1 -1
- package/dist/cjs/request/requestResource.js +6 -0
- package/dist/cjs/request/requestResource.js.map +1 -1
- package/dist/cjs/resource/resource.d.ts +11 -2
- package/dist/cjs/resource/resource.d.ts.map +1 -1
- package/dist/cjs/resource/resource.js +170 -8
- package/dist/cjs/resource/resource.js.map +1 -1
- package/dist/cjs/simulation_engine/contextKeys.d.ts +2 -1
- package/dist/cjs/simulation_engine/contextKeys.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/contextKeys.js +13 -8
- package/dist/cjs/simulation_engine/contextKeys.js.map +1 -1
- package/dist/cjs/simulation_engine/overallResult.d.ts +13 -0
- package/dist/cjs/simulation_engine/overallResult.d.ts.map +1 -0
- package/dist/cjs/simulation_engine/overallResult.js +35 -0
- package/dist/cjs/simulation_engine/overallResult.js.map +1 -0
- package/dist/cjs/simulation_engine/policyResources.d.ts +41 -0
- package/dist/cjs/simulation_engine/policyResources.d.ts.map +1 -0
- package/dist/cjs/simulation_engine/policyResources.js +112 -0
- package/dist/cjs/simulation_engine/policyResources.js.map +1 -0
- package/dist/cjs/simulation_engine/resourceTypes.d.ts +18 -0
- package/dist/cjs/simulation_engine/resourceTypes.d.ts.map +1 -0
- package/dist/cjs/simulation_engine/resourceTypes.js +145 -0
- package/dist/cjs/simulation_engine/resourceTypes.js.map +1 -0
- package/dist/cjs/simulation_engine/simulationEngine.d.ts +92 -14
- package/dist/cjs/simulation_engine/simulationEngine.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/simulationEngine.js +74 -16
- package/dist/cjs/simulation_engine/simulationEngine.js.map +1 -1
- package/dist/cjs/util/resourceStrings.d.ts +10 -0
- package/dist/cjs/util/resourceStrings.d.ts.map +1 -0
- package/dist/cjs/util/resourceStrings.js +81 -0
- package/dist/cjs/util/resourceStrings.js.map +1 -0
- package/dist/cjs/util.d.ts +0 -10
- package/dist/cjs/util.d.ts.map +1 -1
- package/dist/cjs/util.js +0 -25
- package/dist/cjs/util.js.map +1 -1
- package/dist/esm/index.d.ts +1 -1
- package/dist/esm/index.d.ts.map +1 -1
- package/dist/esm/index.js.map +1 -1
- package/dist/esm/request/requestResource.d.ts +12 -0
- package/dist/esm/request/requestResource.d.ts.map +1 -1
- package/dist/esm/request/requestResource.js +6 -0
- package/dist/esm/request/requestResource.js.map +1 -1
- package/dist/esm/resource/resource.d.ts +11 -2
- package/dist/esm/resource/resource.d.ts.map +1 -1
- package/dist/esm/resource/resource.js +169 -8
- package/dist/esm/resource/resource.js.map +1 -1
- package/dist/esm/simulation_engine/contextKeys.d.ts +2 -1
- package/dist/esm/simulation_engine/contextKeys.d.ts.map +1 -1
- package/dist/esm/simulation_engine/contextKeys.js +14 -9
- package/dist/esm/simulation_engine/contextKeys.js.map +1 -1
- package/dist/esm/simulation_engine/overallResult.d.ts +13 -0
- package/dist/esm/simulation_engine/overallResult.d.ts.map +1 -0
- package/dist/esm/simulation_engine/overallResult.js +32 -0
- package/dist/esm/simulation_engine/overallResult.js.map +1 -0
- package/dist/esm/simulation_engine/policyResources.d.ts +41 -0
- package/dist/esm/simulation_engine/policyResources.d.ts.map +1 -0
- package/dist/esm/simulation_engine/policyResources.js +106 -0
- package/dist/esm/simulation_engine/policyResources.js.map +1 -0
- package/dist/esm/simulation_engine/resourceTypes.d.ts +18 -0
- package/dist/esm/simulation_engine/resourceTypes.d.ts.map +1 -0
- package/dist/esm/simulation_engine/resourceTypes.js +141 -0
- package/dist/esm/simulation_engine/resourceTypes.js.map +1 -0
- package/dist/esm/simulation_engine/simulationEngine.d.ts +92 -14
- package/dist/esm/simulation_engine/simulationEngine.d.ts.map +1 -1
- package/dist/esm/simulation_engine/simulationEngine.js +75 -17
- package/dist/esm/simulation_engine/simulationEngine.js.map +1 -1
- package/dist/esm/util/resourceStrings.d.ts +10 -0
- package/dist/esm/util/resourceStrings.d.ts.map +1 -0
- package/dist/esm/util/resourceStrings.js +78 -0
- package/dist/esm/util/resourceStrings.js.map +1 -0
- package/dist/esm/util.d.ts +0 -10
- package/dist/esm/util.d.ts.map +1 -1
- package/dist/esm/util.js +1 -25
- package/dist/esm/util.js.map +1 -1
- package/package.json +2 -2
package/README.md
CHANGED
|
@@ -147,16 +147,24 @@ const simulation: Simulation = {
|
|
|
147
147
|
}
|
|
148
148
|
}
|
|
149
149
|
|
|
150
|
-
|
|
151
|
-
|
|
152
|
-
|
|
153
|
-
|
|
154
|
-
|
|
150
|
+
`runSimulation` returns a discriminated union with `resultType`:
|
|
151
|
+
|
|
152
|
+
- `resultType: 'error'` includes `errors` and no simulation results.
|
|
153
|
+
- `resultType: 'single'` includes `overallResult` and a single `result`.
|
|
154
|
+
- `resultType: 'wildcard'` includes `overallResult` and `results` for each matching pattern.
|
|
155
|
+
|
|
156
|
+
const response = await runSimulation(simulation, {})
|
|
157
|
+
//Check for validation errors (errors are returned at the response level):
|
|
158
|
+
if (response.resultType === 'error') {
|
|
159
|
+
console.log(response.errors.message)
|
|
160
|
+
console.log(JSON.stringify(response.errors, null, 2))
|
|
155
161
|
}
|
|
156
162
|
|
|
157
163
|
//The simulation ran successfully
|
|
158
|
-
if (
|
|
159
|
-
|
|
164
|
+
if (response.resultType === 'single') {
|
|
165
|
+
const result = response.result
|
|
166
|
+
console.log(response.overallResult) // 'Allowed', 'ExplicitlyDenied', or 'ImplicitlyDenied'
|
|
167
|
+
console.log(result.analysis?.result)
|
|
160
168
|
|
|
161
169
|
//Output the identity statements that allowed the request
|
|
162
170
|
const identityAllowExplains =
|
|
@@ -166,6 +174,13 @@ if (result.analysis) {
|
|
|
166
174
|
console.log(explain)
|
|
167
175
|
}
|
|
168
176
|
}
|
|
177
|
+
|
|
178
|
+
if (response.resultType === 'wildcard') {
|
|
179
|
+
console.log(response.overallResult)
|
|
180
|
+
for (const result of response.results) {
|
|
181
|
+
console.log(result.resourcePattern, result.analysis?.result)
|
|
182
|
+
}
|
|
183
|
+
}
|
|
169
184
|
```
|
|
170
185
|
|
|
171
186
|
This would output an explain that shows how the identity statement was evaluated:
|
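--- a/package/dist/cjs/index.d.ts
+++ b/package/dist/cjs/index.d.ts
@@ -8,7 +8,7 @@ export type { ActionExplain, ConditionExplain, ConditionValueExplain, ExplainPri
 export { allowedContextKeysForRequest } from './simulation_engine/contextKeys.js';
 export type { Simulation, SimulationIdentityPolicy, SimulationOrgPolicies } from './simulation_engine/simulation.js';
 export { runSimulation } from './simulation_engine/simulationEngine.js';
-export type { SimulationErrors,
+export type { ErrorSimulationResult, RunSimulationResults, SimulationErrors, SimulationResourceResult, SimulationResultType, SingleResourceSimulationResult, SuccessfulRunSimulationResults, WildcardResourceSimulationResults, WildcardSimulationResourceResult } from './simulation_engine/simulationEngine.js';
 export type { SimulationOptions } from './simulation_engine/simulationOptions.js';
 export { runUnsafeSimulation } from './simulation_engine/unsafeSimulationEngine.js';
 export { isWildcardOnlyAction } from './util.js';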
package/dist/cjs/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAChB,KAAK,gBAAgB,EACrB,KAAK,aAAa,EACnB,MAAM,8BAA8B,CAAA;AACrC,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAA;AACjE,OAAO,EACL,oBAAoB,EACpB,mBAAmB,EACnB,KAAK,gBAAgB,EACtB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAA;AACnE,YAAY,EAAE,cAAc,EAAE,MAAM,sCAAsC,CAAA;AAC1E,YAAY,EACV,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,eAAe,EAChB,MAAM,eAAe,CAAA;AACtB,YAAY,EACV,aAAa,EACb,gBAAgB,EAChB,qBAAqB,EACrB,qBAAqB,EACrB,gBAAgB,EAChB,eAAe,EACf,gBAAgB,EACjB,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAA;AACjF,YAAY,EACV,UAAU,EACV,wBAAwB,EACxB,qBAAqB,EACtB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAA;AACvE,YAAY,
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAChB,KAAK,gBAAgB,EACrB,KAAK,aAAa,EACnB,MAAM,8BAA8B,CAAA;AACrC,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAA;AACjE,OAAO,EACL,oBAAoB,EACpB,mBAAmB,EACnB,KAAK,gBAAgB,EACtB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAA;AACnE,YAAY,EAAE,cAAc,EAAE,MAAM,sCAAsC,CAAA;AAC1E,YAAY,EACV,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,eAAe,EAChB,MAAM,eAAe,CAAA;AACtB,YAAY,EACV,aAAa,EACb,gBAAgB,EAChB,qBAAqB,EACrB,qBAAqB,EACrB,gBAAgB,EAChB,eAAe,EACf,gBAAgB,EACjB,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAA;AACjF,YAAY,EACV,UAAU,EACV,wBAAwB,EACxB,qBAAqB,EACtB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAA;AACvE,YAAY,EACV,qBAAqB,EACrB,oBAAoB,EACpB,gBAAgB,EAChB,wBAAwB,EACxB,oBAAoB,EACpB,8BAA8B,EAC9B,8BAA8B,EAC9B,iCAAiC,EACjC,gCAAgC,EACjC,MAAM,yCAAyC,CAAA;AAChD,YAAY,EAAE,iBAAiB,EAAE,MAAM,0CAA0C,CAAA;AACjF,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAA;AACnF,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAA"}
|
package/dist/cjs/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,kEAIqC;AAHnC,qHAAA,gBAAgB,OAAA;AAIlB,gEAAiE;AAAxD,mHAAA,iBAAiB,OAAA;AAC1B,wEAI0C;AAFxC,yHAAA,mBAAmB,OAAA;AAGrB,wEAAmE;AAA1D,qHAAA,eAAe,OAAA;AAiBxB,qEAAiF;AAAxE,8HAAA,4BAA4B,OAAA;AAMrC,+EAAuE;AAA9D,oHAAA,aAAa,OAAA;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,kEAIqC;AAHnC,qHAAA,gBAAgB,OAAA;AAIlB,gEAAiE;AAAxD,mHAAA,iBAAiB,OAAA;AAC1B,wEAI0C;AAFxC,yHAAA,mBAAmB,OAAA;AAGrB,wEAAmE;AAA1D,qHAAA,eAAe,OAAA;AAiBxB,qEAAiF;AAAxE,8HAAA,4BAA4B,OAAA;AAMrC,+EAAuE;AAA9D,oHAAA,aAAa,OAAA;AAatB,2FAAmF;AAA1E,gIAAA,mBAAmB,OAAA;AAC5B,qCAAgD;AAAvC,+GAAA,oBAAoB,OAAA"}
|
|
@@ -27,6 +27,16 @@ export interface RequestResource {
|
|
|
27
27
|
* The account ID of the resource, independent of what is in the ARN
|
|
28
28
|
*/
|
|
29
29
|
accountId(): string;
|
|
30
|
+
/**
|
|
31
|
+
* Checks if this resource represents all resources (i.e., the wildcard "*")
|
|
32
|
+
* @returns true if the resource is "*", false otherwise
|
|
33
|
+
*/
|
|
34
|
+
isAllResources(): boolean;
|
|
35
|
+
/**
|
|
36
|
+
* Checks if this resource contains any wildcard characters
|
|
37
|
+
* @returns true if the resource contains "*", false otherwise
|
|
38
|
+
*/
|
|
39
|
+
hasWildcards(): boolean;
|
|
30
40
|
}
|
|
31
41
|
export declare class ResourceRequestImpl implements RequestResource {
|
|
32
42
|
private readonly rawValue;
|
|
@@ -39,5 +49,7 @@ export declare class ResourceRequestImpl implements RequestResource {
|
|
|
39
49
|
resource(): string;
|
|
40
50
|
value(): string;
|
|
41
51
|
accountId(): string;
|
|
52
|
+
isAllResources(): boolean;
|
|
53
|
+
hasWildcards(): boolean;
|
|
42
54
|
}
|
|
43
55
|
//# sourceMappingURL=requestResource.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"requestResource.d.ts","sourceRoot":"","sources":["../../../src/request/requestResource.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,eAAe;IAC9B;;OAEG;IACH,KAAK,IAAI,MAAM,CAAA;IAEf;;OAEG;IACH,SAAS,IAAI,MAAM,CAAA;IAEnB;;OAEG;IACH,OAAO,IAAI,MAAM,CAAA;IAEjB;;OAEG;IACH,MAAM,IAAI,MAAM,CAAA;IAEhB;;OAEG;IACH,OAAO,IAAI,MAAM,CAAA;IAEjB;;OAEG;IACH,QAAQ,IAAI,MAAM,CAAA;IAElB;;OAEG;IACH,SAAS,IAAI,MAAM,CAAA;
|
|
1
|
+
{"version":3,"file":"requestResource.d.ts","sourceRoot":"","sources":["../../../src/request/requestResource.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,eAAe;IAC9B;;OAEG;IACH,KAAK,IAAI,MAAM,CAAA;IAEf;;OAEG;IACH,SAAS,IAAI,MAAM,CAAA;IAEnB;;OAEG;IACH,OAAO,IAAI,MAAM,CAAA;IAEjB;;OAEG;IACH,MAAM,IAAI,MAAM,CAAA;IAEhB;;OAEG;IACH,OAAO,IAAI,MAAM,CAAA;IAEjB;;OAEG;IACH,QAAQ,IAAI,MAAM,CAAA;IAElB;;OAEG;IACH,SAAS,IAAI,MAAM,CAAA;IAEnB;;;OAGG;IACH,cAAc,IAAI,OAAO,CAAA;IAEzB;;;OAGG;IACH,YAAY,IAAI,OAAO,CAAA;CACxB;AAED,qBAAa,mBAAoB,YAAW,eAAe;IAEvD,OAAO,CAAC,QAAQ,CAAC,QAAQ;IACzB,OAAO,CAAC,QAAQ,CAAC,eAAe;gBADf,QAAQ,EAAE,MAAM,EAChB,eAAe,EAAE,MAAM;IAG1C,SAAS,IAAI,MAAM;IAInB,OAAO,IAAI,MAAM;IAIjB,MAAM,IAAI,MAAM;IAIhB,OAAO,IAAI,MAAM;IAIjB,QAAQ,IAAI,MAAM;IAIlB,KAAK,IAAI,MAAM;IAIf,SAAS,IAAI,MAAM;IAInB,cAAc,IAAI,OAAO;IAIzB,YAAY,IAAI,OAAO;CAGxB"}
|
|
@@ -29,6 +29,12 @@ class ResourceRequestImpl {
|
|
|
29
29
|
accountId() {
|
|
30
30
|
return this.accountIdString;
|
|
31
31
|
}
|
|
32
|
+
isAllResources() {
|
|
33
|
+
return this.value() === '*';
|
|
34
|
+
}
|
|
35
|
+
hasWildcards() {
|
|
36
|
+
return this.value().includes('*');
|
|
37
|
+
}
|
|
32
38
|
}
|
|
33
39
|
exports.ResourceRequestImpl = ResourceRequestImpl;
|
|
34
40
|
//# sourceMappingURL=requestResource.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"requestResource.js","sourceRoot":"","sources":["../../../src/request/requestResource.ts"],"names":[],"mappings":";;;
|
|
1
|
+
{"version":3,"file":"requestResource.js","sourceRoot":"","sources":["../../../src/request/requestResource.ts"],"names":[],"mappings":";;;AAiDA,MAAa,mBAAmB;IAEX;IACA;IAFnB,YACmB,QAAgB,EAChB,eAAuB;QADvB,aAAQ,GAAR,QAAQ,CAAQ;QAChB,oBAAe,GAAf,eAAe,CAAQ;IACvC,CAAC;IAEJ,SAAS;QACP,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAE,CAAA;IACvC,CAAC;IAED,OAAO;QACL,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAE,CAAA;IACvC,CAAC;IAED,MAAM;QACJ,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAE,CAAA;IACvC,CAAC;IAED,OAAO;QACL,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAE,CAAA;IACvC,CAAC;IAED,QAAQ;QACN,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACnD,CAAC;IAED,KAAK;QACH,OAAO,IAAI,CAAC,QAAQ,CAAA;IACtB,CAAC;IAED,SAAS;QACP,OAAO,IAAI,CAAC,eAAe,CAAA;IAC7B,CAAC;IAED,cAAc;QACZ,OAAO,IAAI,CAAC,KAAK,EAAE,KAAK,GAAG,CAAA;IAC7B,CAAC;IAED,YAAY;QACV,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAA;IACnC,CAAC;CACF;AAzCD,kDAyCC"}
|
|
@@ -19,7 +19,7 @@ export declare function requestMatchesStatementResources(request: AwsRequest, st
|
|
|
19
19
|
* @param policyResources the resources to check against
|
|
20
20
|
* @returns true if the request matches any of the resources, false otherwise
|
|
21
21
|
*/
|
|
22
|
-
export declare function requestMatchesResources(request: AwsRequest, policyResources: Resource[]): {
|
|
22
|
+
export declare function requestMatchesResources(request: AwsRequest, policyResources: Resource[], resourceType: 'Resource' | 'NotResource', effect: 'Allow' | 'Deny'): {
|
|
23
23
|
matches: boolean;
|
|
24
24
|
explains: ResourceExplain[];
|
|
25
25
|
};
|
|
@@ -30,8 +30,17 @@ export declare function requestMatchesResources(request: AwsRequest, policyResou
|
|
|
30
30
|
* @param policyResources the resources to check against
|
|
31
31
|
* @returns true if the request does not match any of the resources, false otherwise
|
|
32
32
|
*/
|
|
33
|
-
export declare function requestMatchesNotResources(request: AwsRequest, policyResources: Resource[]): {
|
|
33
|
+
export declare function requestMatchesNotResources(request: AwsRequest, policyResources: Resource[], resourceType: 'Resource' | 'NotResource', effect: 'Allow' | 'Deny'): {
|
|
34
34
|
matches: boolean;
|
|
35
35
|
explains: ResourceExplain[];
|
|
36
36
|
};
|
|
37
|
+
/**
|
|
38
|
+
* Determines if the policy string is equal to, a subset of, a superset of,
|
|
39
|
+
* or has no overlap with the request string.
|
|
40
|
+
*
|
|
41
|
+
* @param policyString the policy string to use
|
|
42
|
+
* @param requestString the request string to compare to the policy string
|
|
43
|
+
* @returns 'equal' if the strings are equal, 'subset' if the policy string is a subset of the request string, 'superset' if the policy string is a superset of the request string, or 'none' if there is no overlap
|
|
44
|
+
*/
|
|
45
|
+
export declare function resourcePatternOverlap(policyString: string, requestString: string): 'equal' | 'policy_is_subset' | 'policy_is_superset' | 'none';
|
|
37
46
|
//# sourceMappingURL=resource.d.ts.map
|
|
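Review bot: The `@returns` line on the new `resourcePatternOverlap` declaration names `'subset'` and `'superset'`, but the signature's return type is `'equal' | 'policy_is_subset' | 'policy_is_superset' | 'none'`, so a caller who reads the doc instead of the type will compare against literals that never occur. Change it to `@returns 'equal' if the strings are equal, 'policy_is_subset' if the policy string is a subset of the request string, 'policy_is_superset' if the policy string is a superset of the request string, or 'none' if there is no overlap`. The identical text is on the implementation's docstring in resource.js later on this page. Both files are generated, so the fix belongs in src/resource/resource.ts.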
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"resource.d.ts","sourceRoot":"","sources":["../../../src/resource/resource.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAA;AAC/D,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,gCAAgC,CAAA;AAClF,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAA;AAiBlD;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAC9C,OAAO,EAAE,UAAU,EACnB,SAAS,EAAE,SAAS,GACnB;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,IAAI,CAAC,gBAAgB,EAAE,WAAW,GAAG,cAAc,CAAC,CAAA;CAAE,
|
|
1
|
+
{"version":3,"file":"resource.d.ts","sourceRoot":"","sources":["../../../src/resource/resource.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAA;AAC/D,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,gCAAgC,CAAA;AAClF,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAA;AAiBlD;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAC9C,OAAO,EAAE,UAAU,EACnB,SAAS,EAAE,SAAS,GACnB;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,IAAI,CAAC,gBAAgB,EAAE,WAAW,GAAG,cAAc,CAAC,CAAA;CAAE,CAyBrF;AAED;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CACrC,OAAO,EAAE,UAAU,EACnB,eAAe,EAAE,QAAQ,EAAE,EAC3B,YAAY,EAAE,UAAU,GAAG,aAAa,EACxC,MAAM,EAAE,OAAO,GAAG,MAAM,GACvB;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,QAAQ,EAAE,eAAe,EAAE,CAAA;CAAE,CAMnD;AAED;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CACxC,OAAO,EAAE,UAAU,EACnB,eAAe,EAAE,QAAQ,EAAE,EAC3B,YAAY,EAAE,UAAU,GAAG,aAAa,EACxC,MAAM,EAAE,OAAO,GAAG,MAAM,GACvB;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,QAAQ,EAAE,eAAe,EAAE,CAAA;CAAE,CAUnD;AA8OD;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,CACpC,YAAY,EAAE,MAAM,EACpB,aAAa,EAAE,MAAM,GACpB,OAAO,GAAG,kBAAkB,GAAG,oBAAoB,GAAG,MAAM,CAe9D"}
|
|
@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
|
|
|
3
3
|
exports.requestMatchesStatementResources = requestMatchesStatementResources;
|
|
4
4
|
exports.requestMatchesResources = requestMatchesResources;
|
|
5
5
|
exports.requestMatchesNotResources = requestMatchesNotResources;
|
|
6
|
+
exports.resourcePatternOverlap = resourcePatternOverlap;
|
|
6
7
|
const util_js_1 = require("../util.js");
|
|
7
8
|
/**
|
|
8
9
|
* Convert a resource segment to a regular expression. This is without variables.
|
|
@@ -26,14 +27,14 @@ function convertResourceSegmentToRegex(segment) {
|
|
|
26
27
|
*/
|
|
27
28
|
function requestMatchesStatementResources(request, statement) {
|
|
28
29
|
if (statement.isResourceStatement()) {
|
|
29
|
-
const { matches, explains } = requestMatchesResources(request, statement.resources());
|
|
30
|
+
const { matches, explains } = requestMatchesResources(request, statement.resources(), 'Resource', statement.effect());
|
|
30
31
|
if (!statement.resourceIsArray()) {
|
|
31
32
|
return { matches, details: { resources: explains[0] } };
|
|
32
33
|
}
|
|
33
34
|
return { matches, details: { resources: explains } };
|
|
34
35
|
}
|
|
35
36
|
else if (statement.isNotResourceStatement()) {
|
|
36
|
-
const { matches, explains } = requestMatchesNotResources(request, statement.notResources());
|
|
37
|
+
const { matches, explains } = requestMatchesNotResources(request, statement.notResources(), 'NotResource', statement.effect());
|
|
37
38
|
if (!statement.notResourceIsArray()) {
|
|
38
39
|
return { matches, details: { notResources: explains[0] } };
|
|
39
40
|
}
|
|
@@ -48,8 +49,8 @@ function requestMatchesStatementResources(request, statement) {
|
|
|
48
49
|
* @param policyResources the resources to check against
|
|
49
50
|
* @returns true if the request matches any of the resources, false otherwise
|
|
50
51
|
*/
|
|
51
|
-
function requestMatchesResources(request, policyResources) {
|
|
52
|
-
const explains = policyResources.map((policyResource) => singleResourceMatchesRequest(request, policyResource));
|
|
52
|
+
function requestMatchesResources(request, policyResources, resourceType, effect) {
|
|
53
|
+
const explains = policyResources.map((policyResource) => singleResourceMatchesRequest(request, policyResource, resourceType, effect));
|
|
53
54
|
const matches = explains.some((explain) => explain.matches);
|
|
54
55
|
return { matches, explains };
|
|
55
56
|
}
|
|
@@ -60,9 +61,9 @@ function requestMatchesResources(request, policyResources) {
|
|
|
60
61
|
* @param policyResources the resources to check against
|
|
61
62
|
* @returns true if the request does not match any of the resources, false otherwise
|
|
62
63
|
*/
|
|
63
|
-
function requestMatchesNotResources(request, policyResources) {
|
|
64
|
+
function requestMatchesNotResources(request, policyResources, resourceType, effect) {
|
|
64
65
|
const explains = policyResources.map((policyResource) => {
|
|
65
|
-
const explain = singleResourceMatchesRequest(request, policyResource);
|
|
66
|
+
const explain = singleResourceMatchesRequest(request, policyResource, resourceType, effect);
|
|
66
67
|
if (!explain.errors) {
|
|
67
68
|
explain.matches = !explain.matches;
|
|
68
69
|
}
|
|
@@ -71,6 +72,40 @@ function requestMatchesNotResources(request, policyResources) {
|
|
|
71
72
|
const matches = !explains.some((explain) => !explain.matches);
|
|
72
73
|
return { matches, explains };
|
|
73
74
|
}
|
|
75
|
+
/*
|
|
76
|
+
Specifications for **request resource** wildcards:
|
|
77
|
+
- Asterisks (*) can be used to match any sequence of characters (including an empty sequence)
|
|
78
|
+
- Asterisks can appear in any segment of the ARN (partition, service, region, account, resource)
|
|
79
|
+
- Asterisks are not greedy, and can be followed or preceded by other characters in the same segment
|
|
80
|
+
- Existing rules of matching wildcard segments in ARNs still apply
|
|
81
|
+
- Question marks (?) are not supported in the request resource ARN
|
|
82
|
+
|
|
83
|
+
If the string in the policy is the same as the resolved string after variable substitution, it is a match
|
|
84
|
+
|
|
85
|
+
For an Allow/Resource Statement:
|
|
86
|
+
- If the resolved string matches the request resource, it is a match
|
|
87
|
+
- If the resolved string is a superset of the request resource, it is a match
|
|
88
|
+
- If the resolved string is a subset of the request resource, it is a match
|
|
89
|
+
- If there is no overlap at all between the resolved string and the request resource, it is not a match
|
|
90
|
+
|
|
91
|
+
For a Deny/Resource Statement:
|
|
92
|
+
- If the resolved string matches the request resource, it is a match
|
|
93
|
+
- If the resolved string is a superset of the request resource, it is a match
|
|
94
|
+
- If the resolved string is a subset of the request resource, it is not a match
|
|
95
|
+
- If there is no overlap at all between the resolved string and the request resource, it is not a match
|
|
96
|
+
|
|
97
|
+
For an Allow/NotResource Statement:
|
|
98
|
+
- If the resolved string matches the request resource, it is not a match
|
|
99
|
+
- If the resolved string is a superset of the request resource, it is not a match
|
|
100
|
+
- If the resolved string is a subset of the request resource, it is a match
|
|
101
|
+
- If there is no overlap at all between the resolved string and the request resource, it is a match
|
|
102
|
+
|
|
103
|
+
For a Deny/NotResource Statement:
|
|
104
|
+
- If the resolved string matches the request resource, it is not a match
|
|
105
|
+
- If the resolved string is a superset of the request resource, it is not a match
|
|
106
|
+
- If the resolved string is a subset of the request resource, it is not a match
|
|
107
|
+
- If there is no overlap at all between the resolved string and the request resource, it is a match
|
|
108
|
+
*/
|
|
74
109
|
/**
|
|
75
110
|
* Check if a single resource matches a request.
|
|
76
111
|
*
|
|
@@ -78,14 +113,119 @@ function requestMatchesNotResources(request, policyResources) {
|
|
|
78
113
|
* @param policyResource the resource to check against
|
|
79
114
|
* @returns true if the request matches the resource, false otherwise
|
|
80
115
|
*/
|
|
81
|
-
function singleResourceMatchesRequest(request, policyResource) {
|
|
116
|
+
function singleResourceMatchesRequest(request, policyResource, resourceType, effect) {
|
|
117
|
+
// Policy is all resources
|
|
82
118
|
if (policyResource.isAllResources()) {
|
|
83
119
|
return {
|
|
84
120
|
resource: policyResource.value(),
|
|
85
121
|
matches: true
|
|
86
122
|
};
|
|
87
123
|
}
|
|
88
|
-
|
|
124
|
+
// Request is all resources
|
|
125
|
+
if (request.resource?.isAllResources()) {
|
|
126
|
+
if (effect === 'Allow' && resourceType === 'Resource') {
|
|
127
|
+
return {
|
|
128
|
+
resource: policyResource.value(),
|
|
129
|
+
matches: true
|
|
130
|
+
};
|
|
131
|
+
}
|
|
132
|
+
else if (effect === 'Allow' && resourceType === 'NotResource') {
|
|
133
|
+
return {
|
|
134
|
+
resource: policyResource.value(),
|
|
135
|
+
matches: false // This gets inverted in the caller
|
|
136
|
+
};
|
|
137
|
+
}
|
|
138
|
+
else if (effect === 'Deny' && resourceType === 'Resource') {
|
|
139
|
+
// This is a Deny statement that is not all resources, so it's not a match
|
|
140
|
+
return {
|
|
141
|
+
resource: policyResource.value(),
|
|
142
|
+
matches: false
|
|
143
|
+
};
|
|
144
|
+
}
|
|
145
|
+
else if (effect === 'Deny' && resourceType === 'NotResource') {
|
|
146
|
+
return {
|
|
147
|
+
resource: policyResource.value(),
|
|
148
|
+
matches: true // This gets inverted in the caller
|
|
149
|
+
};
|
|
150
|
+
}
|
|
151
|
+
throw new Error(`Unknown Resource Type and Effect Combination: ${resourceType} ${effect}`);
|
|
152
|
+
}
|
|
153
|
+
// Request contains wildcards but neither is a full *
|
|
154
|
+
if (request.resource.hasWildcards() && policyResource.isArnResource()) {
|
|
155
|
+
const overlaps = [
|
|
156
|
+
resourcePatternOverlap(policyResource.partition(), request.resource.partition()),
|
|
157
|
+
resourcePatternOverlap(policyResource.service(), request.resource.service()),
|
|
158
|
+
resourcePatternOverlap(policyResource.region(), request.resource.region()),
|
|
159
|
+
resourcePatternOverlap(policyResource.account(), request.resource.account()),
|
|
160
|
+
resourcePatternOverlap(policyResource.resource(), request.resource.resource())
|
|
161
|
+
];
|
|
162
|
+
if (resourceType === 'Resource' && effect === 'Allow') {
|
|
163
|
+
if (overlaps.every((o) => o !== 'none')) {
|
|
164
|
+
return {
|
|
165
|
+
resource: policyResource.value(),
|
|
166
|
+
matches: true
|
|
167
|
+
};
|
|
168
|
+
}
|
|
169
|
+
}
|
|
170
|
+
else if (resourceType === 'Resource' && effect === 'Deny') {
|
|
171
|
+
if (overlaps.some((o) => o === 'none' || o === 'policy_is_subset')) {
|
|
172
|
+
return {
|
|
173
|
+
resource: policyResource.value(),
|
|
174
|
+
matches: false
|
|
175
|
+
};
|
|
176
|
+
}
|
|
177
|
+
}
|
|
178
|
+
else if (resourceType === 'NotResource' && effect === 'Allow') {
|
|
179
|
+
/*
|
|
180
|
+
* For an Allow/NotResource Statement:
|
|
181
|
+
- If the resolved string matches the request resource, it is not a match
|
|
182
|
+
- If the resolved string is a superset of the request resource, it is not a match
|
|
183
|
+
- If the resolved string is a subset of the request resource, it is a match
|
|
184
|
+
- If there is no overlap at all between the resolved string and the request resource, it is a match
|
|
185
|
+
*/
|
|
186
|
+
if (overlaps.every((o) => o === 'equal' || o === 'policy_is_superset')) {
|
|
187
|
+
return {
|
|
188
|
+
resource: policyResource.value(),
|
|
189
|
+
// This gets inverted in the caller
|
|
190
|
+
matches: true
|
|
191
|
+
};
|
|
192
|
+
}
|
|
193
|
+
else {
|
|
194
|
+
return {
|
|
195
|
+
resource: policyResource.value(),
|
|
196
|
+
// This gets inverted in the caller
|
|
197
|
+
matches: false
|
|
198
|
+
};
|
|
199
|
+
}
|
|
200
|
+
}
|
|
201
|
+
else if (resourceType === 'NotResource' && effect === 'Deny') {
|
|
202
|
+
/*
|
|
203
|
+
For a Deny/NotResource Statement:
|
|
204
|
+
- If the resolved string matches the request resource, it is not a match
|
|
205
|
+
- If the resolved string is a superset of the request resource, it is not a match
|
|
206
|
+
- If the resolved string is a subset of the request resource, it is not a match
|
|
207
|
+
- If there is no overlap at all between the resolved string and the request resource, it is a match
|
|
208
|
+
*/
|
|
209
|
+
if (overlaps.some((o) => o === 'none')) {
|
|
210
|
+
return {
|
|
211
|
+
resource: policyResource.value(),
|
|
212
|
+
// This gets inverted in the caller
|
|
213
|
+
matches: false
|
|
214
|
+
};
|
|
215
|
+
}
|
|
216
|
+
else {
|
|
217
|
+
return {
|
|
218
|
+
resource: policyResource.value(),
|
|
219
|
+
// This gets inverted in the caller
|
|
220
|
+
matches: true
|
|
221
|
+
};
|
|
222
|
+
}
|
|
223
|
+
}
|
|
224
|
+
else {
|
|
225
|
+
throw new Error(`Unknown Resource Type and Effect Combination: ${resourceType} ${effect}`);
|
|
226
|
+
}
|
|
227
|
+
}
|
|
228
|
+
if (policyResource.isArnResource()) {
|
|
89
229
|
if (!request.resource) {
|
|
90
230
|
return {
|
|
91
231
|
resource: policyResource.value(),
|
|
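Review bot: The new wildcard branch dereferences `request.resource` unconditionally in `request.resource.hasWildcards()`, although the check just above guards the same value with `request.resource?.isAllResources()` and the ARN branch below still handles `if (!request.resource)`; a request with no resource would throw a TypeError here before it reaches that graceful explain path. The guard should read `if (request.resource?.hasWildcards() && policyResource.isArnResource()) {`. singleResourceMatchesRequest continues past the end of this hunk.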
@@ -158,4 +298,26 @@ function singleResourceMatchesRequest(request, policyResource) {
|
|
|
158
298
|
throw new Error('Unknown resource type');
|
|
159
299
|
}
|
|
160
300
|
}
|
|
301
|
+
/**
|
|
302
|
+
* Determines if the policy string is equal to, a subset of, a superset of,
|
|
303
|
+
* or has no overlap with the request string.
|
|
304
|
+
*
|
|
305
|
+
* @param policyString the policy string to use
|
|
306
|
+
* @param requestString the request string to compare to the policy string
|
|
307
|
+
* @returns 'equal' if the strings are equal, 'subset' if the policy string is a subset of the request string, 'superset' if the policy string is a superset of the request string, or 'none' if there is no overlap
|
|
308
|
+
*/
|
|
309
|
+
function resourcePatternOverlap(policyString, requestString) {
|
|
310
|
+
if (policyString === requestString) {
|
|
311
|
+
return 'equal';
|
|
312
|
+
}
|
|
313
|
+
const requestPattern = '^' + requestString.replace(/\*/g, '.*?') + '$';
|
|
314
|
+
if (policyString.match(requestPattern)) {
|
|
315
|
+
return 'policy_is_subset';
|
|
316
|
+
}
|
|
317
|
+
const policyPattern = '^' + policyString.replace(/\?/g, '.').replace(/\*/g, '.*?') + '$';
|
|
318
|
+
if (requestString.match(policyPattern)) {
|
|
319
|
+
return 'policy_is_superset';
|
|
320
|
+
}
|
|
321
|
+
return 'none';
|
|
322
|
+
}
|
|
161
323
|
//# sourceMappingURL=resource.js.map
|
|
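Review bot: `resourcePatternOverlap` builds both regexes from the raw segment text, so any regex metacharacter that is legal in an ARN segment (`.` in a bucket or domain name, `+`, `(`, `$`, `[`) is interpreted as a pattern rather than matched literally, and a request-side `?`, which the comment block earlier in this file says is unsupported, becomes a quantifier. Because this result feeds the Allow/Deny decisions in the wildcard branch of singleResourceMatchesRequest, a literal mismatch can be reported as `policy_is_subset` or `policy_is_superset` and flip a match. Escaping the literal text before substituting the wildcards fixes both call sites; a small local helper keeps them consistent. `convertResourceSegmentToRegex` earlier in this file appears to do the same substitution and may need the same treatment, but its body is not visible in this diff.
```typescript
function resourcePatternOverlap(policyString, requestString) {
    // … unchanged: 'equal' short-circuit …
    // Escape regex metacharacters so ARN segment text is compared literally.
    // '*' and '?' are left in place for the wildcard substitutions below.
    const escapeLiteral = (s) => s.replace(/[.+^${}()|[\]\\]/g, '\\$&');
    // Request strings support only '*'; a '?' in a request is a literal character.
    const requestPattern = '^' + escapeLiteral(requestString).replace(/\?/g, '\\?').replace(/\*/g, '.*?') + '$';
    // … unchanged: policy_is_subset check …
    const policyPattern = '^' + escapeLiteral(policyString).replace(/\?/g, '.').replace(/\*/g, '.*?') + '$';
    // … unchanged: policy_is_superset check and final 'none' …
```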
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"resource.js","sourceRoot":"","sources":["../../../src/resource/resource.ts"],"names":[],"mappings":";;AA0BA,
|
|
1
|
+
{"version":3,"file":"resource.js","sourceRoot":"","sources":["../../../src/resource/resource.ts"],"names":[],"mappings":";;AA0BA,4EA4BC;AASD,0DAWC;AASD,gEAeC;AAsPD,wDAkBC;AAvWD,wCAAkE;AAElE;;;;;GAKG;AACH,SAAS,6BAA6B,CAAC,OAAe;IACpD,IAAI,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAA;IACvD,CAAC;IACD,MAAM,OAAO,GAAG,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,GAAG,CAAA;IAC7E,OAAO,IAAI,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;AACjC,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,gCAAgC,CAC9C,OAAmB,EACnB,SAAoB;IAEpB,IAAI,SAAS,CAAC,mBAAmB,EAAE,EAAE,CAAC;QACpC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,uBAAuB,CACnD,OAAO,EACP,SAAS,CAAC,SAAS,EAAE,EACrB,UAAU,EACV,SAAS,CAAC,MAAM,EAAsB,CACvC,CAAA;QACD,IAAI,CAAC,SAAS,CAAC,eAAe,EAAE,EAAE,CAAC;YACjC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAC,EAAE,EAAE,CAAA;QACzD,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,EAAE,SAAS,EAAE,QAAQ,EAAE,EAAE,CAAA;IACtD,CAAC;SAAM,IAAI,SAAS,CAAC,sBAAsB,EAAE,EAAE,CAAC;QAC9C,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,0BAA0B,CACtD,OAAO,EACP,SAAS,CAAC,YAAY,EAAE,EACxB,aAAa,EACb,SAAS,CAAC,MAAM,EAAsB,CACvC,CAAA;QACD,IAAI,CAAC,SAAS,CAAC,kBAAkB,EAAE,EAAE,CAAC;YACpC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,EAAE,YAAY,EAAE,QAAQ,CAAC,CAAC,CAAC,EAAE,EAAE,CAAA;QAC5D,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,EAAE,YAAY,EAAE,QAAQ,EAAE,EAAE,CAAA;IACzD,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,CAAA;AACvC,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,uBAAuB,CACrC,OAAmB,EACnB,eAA2B,EAC3B,YAAwC,EACxC,MAAwB;IAExB,MAAM,QAAQ,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC,cAAc,EAAE,EAAE,CACtD,4BAA4B,CAAC,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,CAAC,CAC5E,CAAA;IACD,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;IAC3D,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAA;AAC9B,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,0BAA0B,CACxC,OAAmB,EACnB,eAA2B,EAC3B,YAAwC,EACxC,MAAwB;IAExB,MAAM,QAAQ,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC,cAAc,EAAE,EAAE;QACtD,MAAM,OAAO,GAAG,4BAA4B,CAAC,OAAO,EAAE,cAAc,EAAE
,YAAY,EAAE,MAAM,CAAC,CAAA;QAC3F,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;YACpB,OAAO,CAAC,OAAO,GAAG,CAAC,OAAO,CAAC,OAAO,CAAA;QACpC,CAAC;QACD,OAAO,OAAO,CAAA;IAChB,CAAC,CAAC,CAAA;IACF,MAAM,OAAO,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;IAC7D,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAA;AAC9B,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAiCE;AAEF;;;;;;GAMG;AACH,SAAS,4BAA4B,CACnC,OAAmB,EACnB,cAAwB,EACxB,YAAwC,EACxC,MAAwB;IAExB,0BAA0B;IAC1B,IAAI,cAAc,CAAC,cAAc,EAAE,EAAE,CAAC;QACpC,OAAO;YACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;YAChC,OAAO,EAAE,IAAI;SACd,CAAA;IACH,CAAC;IAED,2BAA2B;IAC3B,IAAI,OAAO,CAAC,QAAQ,EAAE,cAAc,EAAE,EAAE,CAAC;QACvC,IAAI,MAAM,KAAK,OAAO,IAAI,YAAY,KAAK,UAAU,EAAE,CAAC;YACtD,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,IAAI;aACd,CAAA;QACH,CAAC;aAAM,IAAI,MAAM,KAAK,OAAO,IAAI,YAAY,KAAK,aAAa,EAAE,CAAC;YAChE,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK,CAAC,mCAAmC;aACnD,CAAA;QACH,CAAC;aAAM,IAAI,MAAM,KAAK,MAAM,IAAI,YAAY,KAAK,UAAU,EAAE,CAAC;YAC5D,0EAA0E;YAC1E,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;aACf,CAAA;QACH,CAAC;aAAM,IAAI,MAAM,KAAK,MAAM,IAAI,YAAY,KAAK,aAAa,EAAE,CAAC;YAC/D,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,IAAI,CAAC,mCAAmC;aAClD,CAAA;QACH,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,iDAAiD,YAAY,IAAI,MAAM,EAAE,CAAC,CAAA;IAC5F,CAAC;IAED,qDAAqD;IACrD,IAAI,OAAO,CAAC,QAAQ,CAAC,YAAY,EAAE,IAAI,cAAc,CAAC,aAAa,EAAE,EAAE,CAAC;QACtE,MAAM,QAAQ,GAAG;YACf,sBAAsB,CAAC,cAAc,CAAC,SAAS,EAAE,EAAE,OAAO,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;YAChF,sBAAsB,CAAC,cAAc,CAAC,OAAO,EAAE,EAAE,OAAO,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;YAC5E,sBAAsB,CAAC,cAAc,CAAC,MAAM,EAAE,EAAE,OAAO,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;YAC1E,sBAAsB,CAAC,cAAc,CAAC,OAAO,EAAE,EAAE,OAAO,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;YAC5E,sBAAsB,CAAC,cAAc,CAAC,QAAQ,EAAE,EAAE,OAAO,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;SAC/E,CAAA;QAED,IAAI,YAAY,KAAK,UAAU,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;YACtD,IAAI,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,MAAM,CAAC,EAAE,CAAC;gBACxC,OAAO;
oBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;oBAChC,OAAO,EAAE,IAAI;iBACd,CAAA;YACH,CAAC;QACH,CAAC;aAAM,IAAI,YAAY,KAAK,UAAU,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YAC5D,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,MAAM,IAAI,CAAC,KAAK,kBAAkB,CAAC,EAAE,CAAC;gBACnE,OAAO;oBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;oBAChC,OAAO,EAAE,KAAK;iBACf,CAAA;YACH,CAAC;QACH,CAAC;aAAM,IAAI,YAAY,KAAK,aAAa,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;YAChE;;;;;;eAMG;YACH,IAAI,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,OAAO,IAAI,CAAC,KAAK,oBAAoB,CAAC,EAAE,CAAC;gBACvE,OAAO;oBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;oBAChC,mCAAmC;oBACnC,OAAO,EAAE,IAAI;iBACd,CAAA;YACH,CAAC;iBAAM,CAAC;gBACN,OAAO;oBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;oBAChC,mCAAmC;oBACnC,OAAO,EAAE,KAAK;iBACf,CAAA;YACH,CAAC;QACH,CAAC;aAAM,IAAI,YAAY,KAAK,aAAa,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YAC/D;;;;;;cAME;YACF,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,MAAM,CAAC,EAAE,CAAC;gBACvC,OAAO;oBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;oBAChC,mCAAmC;oBACnC,OAAO,EAAE,KAAK;iBACf,CAAA;YACH,CAAC;iBAAM,CAAC;gBACN,OAAO;oBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;oBAChC,mCAAmC;oBACnC,OAAO,EAAE,IAAI;iBACd,CAAA;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CAAC,iDAAiD,YAAY,IAAI,MAAM,EAAE,CAAC,CAAA;QAC5F,CAAC;IACH,CAAC;IAED,IAAI,cAAc,CAAC,aAAa,EAAE,EAAE,CAAC;QACnC,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;YACtB,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,kCAAkC,CAAC;aAC7C,CAAA;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAA;QACjC,IAAI,CAAC,6BAA6B,CAAC,cAAc,CAAC,SAAS,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC,EAAE,CAAC;YAC1F,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,0BAA0B,CAAC;aACrC,CAAA;QACH,CAAC;QAED,IAAI,CAAC,6BAA6B,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;YACtF,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,wBAAwB,CAAC;aACnC,CAAA;QACH,CAAC;QAED,IAAI,CAAC,6BAA6B,CAAC,cAAc,CAAC,MAAM,EAAE,CAAC,CAAC,IAAI,CAA
C,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,CAAC;YACpF,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,uBAAuB,CAAC;aAClC,CAAA;QACH,CAAC;QAED,IAAI,CAAC,6BAA6B,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;YACtF,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,wBAAwB,CAAC;aACnC,CAAA;QACH,CAAC;QAED,gKAAgK;QAChK,MAAM,CAAC,aAAa,EAAE,gBAAgB,CAAC,GAAG,IAAA,6BAAmB,EAAC,cAAc,CAAC,CAAA;QAC7E,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;YACnD,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,wBAAwB,CAAC;aACnC,CAAA;QACH,CAAC;QAED,MAAM,iBAAiB,GAAG,QAAQ,CAAC,QAAQ,EAAE,CAAC,KAAK,CAAC,aAAa,CAAC,MAAM,CAAC,CAAA;QACzE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,IAAA,0BAAgB,EAAC,gBAAgB,EAAE,OAAO,CAAC,CAAA;QACvE,MAAM,kBAAkB,GAAG,IAAA,0BAAgB,EAAC,gBAAgB,EAAE,OAAO,EAAE;YACrE,cAAc,EAAE,KAAK;YACrB,gBAAgB,EAAE,KAAK;SACxB,CAAC,CAAA;QACF,MAAM,gBAAgB,GACpB,cAAc,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,cAAc,CAAC,KAAK,EAAE,CAAC,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC;YACxF,kBAAkB,CAAA;QACpB,MAAM,aAAa,GAAG,gBAAgB,KAAK,cAAc,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,gBAAgB,CAAA;QAEhG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,EAAE,CAAC;YACrC,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM;gBACN,aAAa;aACd,CAAA;QACH,CAAC;QAED,OAAO;YACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;YAChC,OAAO,EAAE,IAAI;YACb,aAAa;SACd,CAAA;IACH,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAA;IAC1C,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,SAAgB,sBAAsB,CACpC,YAAoB,EACpB,aAAqB;IAErB,IAAI,YAAY,KAAK,aAAa,EAAE,CAAC;QACnC,OAAO,OAAO,CAAA;IAChB,CAAC;IACD,MAAM,cAAc,GAAG,GAAG,GAAG,aAAa,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,GAAG,CAAA;IACtE,IAAI,YAAY,CAAC,KAAK,CAAC,cAAc,CAAC,EAAE,CAAC;QACvC,OAAO,kBAAkB,CAAA;IAC3B,CAAC;IAED,MAAM,aAAa,GAAG,GAAG,GAAG,YAAY,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,GAAG,CAAA;IACxF,IAAI,aAAa,CAAC,KAAK,CAAC,aAAa,CAAC,EAAE,CA
AC;QACvC,OAAO,oBAAoB,CAAA;IAC7B,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC"}
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
import { ResourceType } from '@cloud-copilot/iam-data';
|
|
1
2
|
/**
|
|
2
3
|
* Get the allowed context keys for a request.
|
|
3
4
|
*
|
|
@@ -8,5 +9,5 @@
|
|
|
8
9
|
* @returns The allowed context keys for the request as lower case strings
|
|
9
10
|
* @throws error if the service or action does not exist
|
|
10
11
|
*/
|
|
11
|
-
export declare function allowedContextKeysForRequest(service: string, action: string, resource: string, bucketAbacEnabled
|
|
12
|
+
export declare function allowedContextKeysForRequest(service: string, action: string, resource: string, bucketAbacEnabled: boolean, suggestedResourceType: ResourceType | undefined): Promise<string[]>;
|
|
12
13
|
//# sourceMappingURL=contextKeys.d.ts.map
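Review bot: The new `suggestedResourceType: ResourceType | undefined` parameter on line 12 is required rather than optional, so every existing caller of this exported function stops type-checking until it passes an explicit `undefined`; `suggestedResourceType?: ResourceType` accepts the same values and keeps the old call sites compiling. The TSDoc in this hunk still lists only `@returns` and `@throws` and does not describe the new parameter; add `@param suggestedResourceType Resource type to use instead of deriving it from the resource ARN; when omitted the type is resolved from the action and resource and must resolve to exactly one type`. The `@throws` line only mentions a missing service or action, while the implementation also throws when zero or more than one resource type is resolved, so extend it to `@throws error if the service or action does not exist, or if no suggested type is given and the resource does not resolve to exactly one resource type`.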
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"contextKeys.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/contextKeys.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"contextKeys.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/contextKeys.ts"],"names":[],"mappings":"AAAA,OAAO,EAA+C,YAAY,EAAE,MAAM,yBAAyB,CAAA;AAInG;;;;;;;;;GASG;AACH,wBAAsB,4BAA4B,CAChD,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,iBAAiB,EAAE,OAAO,EAC1B,qBAAqB,EAAE,YAAY,GAAG,SAAS,GAC9C,OAAO,CAAC,MAAM,EAAE,CAAC,CAsCnB"}
|
|
@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
|
|
|
3
3
|
exports.allowedContextKeysForRequest = allowedContextKeysForRequest;
|
|
4
4
|
const iam_data_1 = require("@cloud-copilot/iam-data");
|
|
5
5
|
const util_js_1 = require("../util.js");
|
|
6
|
+
const resourceTypes_js_1 = require("./resourceTypes.js");
|
|
6
7
|
/**
|
|
7
8
|
* Get the allowed context keys for a request.
|
|
8
9
|
*
|
|
@@ -13,21 +14,25 @@ const util_js_1 = require("../util.js");
|
|
|
13
14
|
* @returns The allowed context keys for the request as lower case strings
|
|
14
15
|
* @throws error if the service or action does not exist
|
|
15
16
|
*/
|
|
16
|
-
async function allowedContextKeysForRequest(service, action, resource, bucketAbacEnabled) {
|
|
17
|
+
async function allowedContextKeysForRequest(service, action, resource, bucketAbacEnabled, suggestedResourceType) {
|
|
17
18
|
const actionDetails = await (0, iam_data_1.iamActionDetails)(service, action);
|
|
18
19
|
const actionConditionKeys = (0, util_js_1.lowerCaseAll)(actionDetails.conditionKeys);
|
|
19
20
|
const isWildCardOnly = await (0, util_js_1.isWildcardOnlyAction)(service, action);
|
|
20
21
|
if (isWildCardOnly) {
|
|
21
22
|
return [...actionConditionKeys, ...lowerCaseGlobalConditionKeys()];
|
|
22
23
|
}
|
|
23
|
-
|
|
24
|
-
if (
|
|
25
|
-
|
|
24
|
+
let resourceType = suggestedResourceType;
|
|
25
|
+
if (!resourceType) {
|
|
26
|
+
const resourceTypes = await (0, resourceTypes_js_1.getResourceTypesForAction)(service, action, resource);
|
|
27
|
+
if (resourceTypes.length === 0) {
|
|
28
|
+
throw new Error(`No resource types found for action ${action} on service ${service}`);
|
|
29
|
+
}
|
|
30
|
+
else if (resourceTypes.length > 1) {
|
|
31
|
+
throw new Error(`Multiple resource types found for action ${action} on service ${service}`);
|
|
32
|
+
}
|
|
33
|
+
resourceType = resourceTypes[0];
|
|
26
34
|
}
|
|
27
|
-
|
|
28
|
-
throw new Error(`Multiple resource types found for action ${action} on service ${service}`);
|
|
29
|
-
}
|
|
30
|
-
const resourceTypeConditions = actionDetails.resourceTypes.find((rt) => rt.name === resourceTypes[0].key).conditionKeys;
|
|
35
|
+
const resourceTypeConditions = actionDetails.resourceTypes.find((rt) => rt.name === resourceType.key).conditionKeys;
|
|
31
36
|
const allKeys = [
|
|
32
37
|
...(0, util_js_1.lowerCaseAll)(resourceTypeConditions),
|
|
33
38
|
...actionConditionKeys,
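Review bot: On line 35, `actionDetails.resourceTypes.find((rt) => rt.name === resourceType.key).conditionKeys` dereferences the result of `find` without a check, and the new `suggestedResourceType` path on lines 24–34 bypasses the `getResourceTypesForAction` lookup that previously tied the type to this action; a caller-supplied type that is not valid for the action now surfaces as a TypeError on `.conditionKeys` rather than a descriptive error. Fail closed with an explicit check: `const rtDetails = actionDetails.resourceTypes.find((rt) => rt.name === resourceType.key);` / `if (!rtDetails) throw new Error(\`Resource type ${resourceType.key} is not valid for ${service}:${action}\`);` / `const resourceTypeConditions = rtDetails.conditionKeys;`. It is also worth stating in the function header that a suggested type is trusted as-is and is not cross-checked against `resource`, since the condition-key set it selects decides which request context keys the simulation honors. `allowedContextKeysForRequest` continues past the end of this hunk.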
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"contextKeys.js","sourceRoot":"","sources":["../../../src/simulation_engine/contextKeys.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"contextKeys.js","sourceRoot":"","sources":["../../../src/simulation_engine/contextKeys.ts"],"names":[],"mappings":";;AAcA,oEA4CC;AA1DD,sDAAmG;AACnG,wCAAsF;AACtF,yDAA8D;AAE9D;;;;;;;;;GASG;AACI,KAAK,UAAU,4BAA4B,CAChD,OAAe,EACf,MAAc,EACd,QAAgB,EAChB,iBAA0B,EAC1B,qBAA+C;IAE/C,MAAM,aAAa,GAAG,MAAM,IAAA,2BAAgB,EAAC,OAAO,EAAE,MAAM,CAAC,CAAA;IAC7D,MAAM,mBAAmB,GAAG,IAAA,sBAAY,EAAC,aAAa,CAAC,aAAa,CAAC,CAAA;IAErE,MAAM,cAAc,GAAG,MAAM,IAAA,8BAAoB,EAAC,OAAO,EAAE,MAAM,CAAC,CAAA;IAClE,IAAI,cAAc,EAAE,CAAC;QACnB,OAAO,CAAC,GAAG,mBAAmB,EAAE,GAAG,4BAA4B,EAAE,CAAC,CAAA;IACpE,CAAC;IAED,IAAI,YAAY,GAAG,qBAAqB,CAAA;IACxC,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,MAAM,aAAa,GAAG,MAAM,IAAA,4CAAyB,EAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAA;QAChF,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CAAC,sCAAsC,MAAM,eAAe,OAAO,EAAE,CAAC,CAAA;QACvF,CAAC;aAAM,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,4CAA4C,MAAM,eAAe,OAAO,EAAE,CAAC,CAAA;QAC7F,CAAC;QACD,YAAY,GAAG,aAAa,CAAC,CAAC,CAAC,CAAA;IACjC,CAAC;IAED,MAAM,sBAAsB,GAAG,aAAa,CAAC,aAAa,CAAC,IAAI,CAC7D,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,KAAK,YAAa,CAAC,GAAG,CACrC,CAAC,aAAa,CAAA;IAEhB,MAAM,OAAO,GAAG;QACd,GAAG,IAAA,sBAAY,EAAC,sBAAsB,CAAC;QACvC,GAAG,mBAAmB;QACtB,GAAG,4BAA4B,EAAE;KAClC,CAAA;IAED,IAAI,CAAC,IAAA,+BAAqB,EAAC,QAAQ,CAAC,IAAI,iBAAiB,EAAE,CAAC;QAC1D,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,wDAAwD;IACxD,OAAO,OAAO,CAAC,MAAM,CACnB,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,eAAe,CAAC,CACjF,CAAA;AACH,CAAC;AAED,IAAI,sBAA4C,CAAA;AAChD,SAAS,4BAA4B;IACnC,IAAI,CAAC,sBAAsB,EAAE,CAAC;QAC5B,sBAAsB,GAAG,IAAA,oCAAyB,GAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAA;IAClF,CAAC;IACD,OAAO,sBAAsB,CAAA;AAC/B,CAAC"}
|
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
import type { EvaluationResult } from '../evaluate.js';
|
|
2
|
+
import type { SimulationResourceResult } from './simulationEngine.js';
|
|
3
|
+
/**
|
|
4
|
+
* Calculates the overall evaluation result from multiple simulation resource results.
|
|
5
|
+
*
|
|
6
|
+
* @param results Array of simulation resource results to evaluate
|
|
7
|
+
* @returns The overall evaluation result following AWS IAM evaluation logic:
|
|
8
|
+
* - 'Allowed' if any result is allowed
|
|
9
|
+
* - 'ExplicitlyDenied' if all results are explicitly denied
|
|
10
|
+
* - 'ImplicitlyDenied' for all other cases (including empty results)
|
|
11
|
+
*/
|
|
12
|
+
export declare function calculateOverallResult(results: SimulationResourceResult[]): EvaluationResult;
|
|
13
|
+
//# sourceMappingURL=overallResult.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"overallResult.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/overallResult.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACtD,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,uBAAuB,CAAA;AAErE;;;;;;;;GAQG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,wBAAwB,EAAE,GAAG,gBAAgB,CAyB5F"}
|
|
@@ -0,0 +1,35 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.calculateOverallResult = calculateOverallResult;
|
|
4
|
+
/**
|
|
5
|
+
* Calculates the overall evaluation result from multiple simulation resource results.
|
|
6
|
+
*
|
|
7
|
+
* @param results Array of simulation resource results to evaluate
|
|
8
|
+
* @returns The overall evaluation result following AWS IAM evaluation logic:
|
|
9
|
+
* - 'Allowed' if any result is allowed
|
|
10
|
+
* - 'ExplicitlyDenied' if all results are explicitly denied
|
|
11
|
+
* - 'ImplicitlyDenied' for all other cases (including empty results)
|
|
12
|
+
*/
|
|
13
|
+
function calculateOverallResult(results) {
|
|
14
|
+
if (results.length === 0) {
|
|
15
|
+
return 'ImplicitlyDenied';
|
|
16
|
+
}
|
|
17
|
+
let hasExplicitlyDenied = false;
|
|
18
|
+
let hasImplicitlyDenied = false;
|
|
19
|
+
for (const result of results) {
|
|
20
|
+
const evaluationResult = result.analysis?.result;
|
|
21
|
+
if (evaluationResult === 'Allowed') {
|
|
22
|
+
return 'Allowed';
|
|
23
|
+
}
|
|
24
|
+
if (evaluationResult === 'ExplicitlyDenied') {
|
|
25
|
+
hasExplicitlyDenied = true;
|
|
26
|
+
continue;
|
|
27
|
+
}
|
|
28
|
+
hasImplicitlyDenied = true;
|
|
29
|
+
}
|
|
30
|
+
if (hasExplicitlyDenied && !hasImplicitlyDenied) {
|
|
31
|
+
return 'ExplicitlyDenied';
|
|
32
|
+
}
|
|
33
|
+
return 'ImplicitlyDenied';
|
|
34
|
+
}
|
|
35
|
+
//# sourceMappingURL=overallResult.js.map
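Review bot: The aggregation on lines 21–23 returns 'Allowed' as soon as any single resource result is allowed, which is the right answer only if `results` are alternative candidates for one resource pattern; if they ever represent the several resources one API call must be authorized for, this is fail-open, because AWS denies such a call unless every resource is allowed. The header comment should say which of the two the caller is expected to pass, e.g. `Results must be alternative candidate resources for a single request; 'Allowed' on any candidate means the principal can reach at least one of them. Do not use this to combine the per-resource results of a multi-resource API call.` Line 20's `result.analysis?.result` also treats a result with no analysis as implicitly denied without distinguishing it from a genuine deny, which is a safe default but hides evaluation failures; a short comment there, `// a missing analysis counts as no matching Allow, never as an error`, would make that intent explicit.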
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"overallResult.js","sourceRoot":"","sources":["../../../src/simulation_engine/overallResult.ts"],"names":[],"mappings":";;AAYA,wDAyBC;AAlCD;;;;;;;;GAQG;AACH,SAAgB,sBAAsB,CAAC,OAAmC;IACxE,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,kBAAkB,CAAA;IAC3B,CAAC;IAED,IAAI,mBAAmB,GAAG,KAAK,CAAA;IAC/B,IAAI,mBAAmB,GAAG,KAAK,CAAA;IAE/B,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,MAAM,gBAAgB,GAAG,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAA;QAChD,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;YACnC,OAAO,SAAS,CAAA;QAClB,CAAC;QACD,IAAI,gBAAgB,KAAK,kBAAkB,EAAE,CAAC;YAC5C,mBAAmB,GAAG,IAAI,CAAA;YAC1B,SAAQ;QACV,CAAC;QACD,mBAAmB,GAAG,IAAI,CAAA;IAC5B,CAAC;IAED,IAAI,mBAAmB,IAAI,CAAC,mBAAmB,EAAE,CAAC;QAChD,OAAO,kBAAkB,CAAA;IAC3B,CAAC;IAED,OAAO,kBAAkB,CAAA;AAC3B,CAAC"}
|
|
@@ -0,0 +1,41 @@
|
|
|
1
|
+
import { ResourceType } from '@cloud-copilot/iam-data';
|
|
2
|
+
import { Statement } from '@cloud-copilot/iam-policy';
|
|
3
|
+
import { PolicyWithName } from '../core_engine/CoreSimulatorEngine.js';
|
|
4
|
+
/**
|
|
5
|
+
* Extracts matching resource strings from a set of policies for a given action and resource pattern.
|
|
6
|
+
*
|
|
7
|
+
* @param policies Array of policies to search through (undefined entries are skipped)
|
|
8
|
+
* @param action The action to match against policy statements
|
|
9
|
+
* @param resourceType The resource type to filter resource strings by
|
|
10
|
+
* @param resourceArnPattern The resource ARN pattern to match against
|
|
11
|
+
* @returns Array of unique resource strings that match the criteria
|
|
12
|
+
*/
|
|
13
|
+
export declare function getMatchingResourceStringsForPolicies(policies: (PolicyWithName | undefined)[], action: string, resourceType: ResourceType, resourceArnPattern: string): string[];
|
|
14
|
+
/**
|
|
15
|
+
* Extracts resource strings from a single policy statement that allows the specified action.
|
|
16
|
+
*
|
|
17
|
+
* @param statement The policy statement to analyze
|
|
18
|
+
* @param action The action to check if the statement allows
|
|
19
|
+
* @param resourceType The resource type to filter by
|
|
20
|
+
* @param resourceArnPattern The resource ARN pattern to match
|
|
21
|
+
* @returns Array of resource strings from the statement, or empty array if statement doesn't allow the action
|
|
22
|
+
*/
|
|
23
|
+
export declare function getResourceStringsFromStatement(statement: Statement, action: string, resourceType: ResourceType, resourceArnPattern: string): string[];
|
|
24
|
+
/**
|
|
25
|
+
* Extracts resource strings from a statement's Resource or NotResource elements that match the given criteria.
|
|
26
|
+
*
|
|
27
|
+
* @param statement The policy statement to analyze
|
|
28
|
+
* @param resourceType The resource type to filter by
|
|
29
|
+
* @param resourceArnPattern The resource ARN pattern to check for overlap
|
|
30
|
+
* @returns Array of matching resource strings, or ['*'] for certain NotResource cases
|
|
31
|
+
*/
|
|
32
|
+
export declare function statementResourceStringsForResourceTypeAndPattern(statement: Statement, resourceType: ResourceType, resourceArnPattern: string): string[];
|
|
33
|
+
/**
|
|
34
|
+
* Determines if a policy statement allows the specified action.
|
|
35
|
+
*
|
|
36
|
+
* @param statement The policy statement to check
|
|
37
|
+
* @param action The action to test against the statement
|
|
38
|
+
* @returns true if the statement allows the action, false otherwise
|
|
39
|
+
*/
|
|
40
|
+
export declare function statementAllowsAction(statement: Statement, action: string): boolean;
|
|
41
|
+
//# sourceMappingURL=policyResources.d.ts.map
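Review bot: The `@returns` on line 30 says `['*'] for certain NotResource cases` without saying which, and NotResource is exactly where IAM policy evaluation is most often misread: a statement with NotResource applies to every resource except those listed, so a `['*']` here stands in for an unbounded set. The doc should name the condition under which the wildcard is returned (presumably when the pattern is not covered by the listed NotResource entries — confirm against the implementation, which is not in this hunk), e.g. `@returns Matching Resource strings; for a NotResource statement whose exclusions do not cover the pattern, ['*'], because the statement then applies to every resource of this type`. `statementAllowsAction` on line 40 is likewise documented as "allows" while its signature only takes an action; say whether the statement's Effect is consulted or whether it only means the action matches the statement's Action/NotAction.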
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"policyResources.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/policyResources.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAA;AACtD,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAA;AAErD,OAAO,EAAE,cAAc,EAAE,MAAM,uCAAuC,CAAA;AAItE;;;;;;;;GAQG;AACH,wBAAgB,qCAAqC,CACnD,QAAQ,EAAE,CAAC,cAAc,GAAG,SAAS,CAAC,EAAE,EACxC,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,YAAY,EAC1B,kBAAkB,EAAE,MAAM,GACzB,MAAM,EAAE,CAmBV;AAED;;;;;;;;GAQG;AACH,wBAAgB,+BAA+B,CAC7C,SAAS,EAAE,SAAS,EACpB,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,YAAY,EAC1B,kBAAkB,EAAE,MAAM,GACzB,MAAM,EAAE,CASV;AAED;;;;;;;GAOG;AACH,wBAAgB,iDAAiD,CAC/D,SAAS,EAAE,SAAS,EACpB,YAAY,EAAE,YAAY,EAC1B,kBAAkB,EAAE,MAAM,GACzB,MAAM,EAAE,CA4BV;AAED;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CAAC,SAAS,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAkBnF"}
|