@cloud-copilot/iam-simulate 0.1.102 → 0.1.104
- package/README.md +22 -7
- package/dist/cjs/index.d.ts +1 -1
- package/dist/cjs/index.d.ts.map +1 -1
- package/dist/cjs/index.js.map +1 -1
- package/dist/cjs/request/requestResource.d.ts +12 -0
- package/dist/cjs/request/requestResource.d.ts.map +1 -1
- package/dist/cjs/request/requestResource.js +6 -0
- package/dist/cjs/request/requestResource.js.map +1 -1
- package/dist/cjs/resource/resource.d.ts +11 -2
- package/dist/cjs/resource/resource.d.ts.map +1 -1
- package/dist/cjs/resource/resource.js +170 -8
- package/dist/cjs/resource/resource.js.map +1 -1
- package/dist/cjs/simulation_engine/contextKeys.d.ts +2 -1
- package/dist/cjs/simulation_engine/contextKeys.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/contextKeys.js +13 -8
- package/dist/cjs/simulation_engine/contextKeys.js.map +1 -1
- package/dist/cjs/simulation_engine/overallResult.d.ts +13 -0
- package/dist/cjs/simulation_engine/overallResult.d.ts.map +1 -0
- package/dist/cjs/simulation_engine/overallResult.js +35 -0
- package/dist/cjs/simulation_engine/overallResult.js.map +1 -0
- package/dist/cjs/simulation_engine/policyResources.d.ts +41 -0
- package/dist/cjs/simulation_engine/policyResources.d.ts.map +1 -0
- package/dist/cjs/simulation_engine/policyResources.js +112 -0
- package/dist/cjs/simulation_engine/policyResources.js.map +1 -0
- package/dist/cjs/simulation_engine/resourceTypes.d.ts +18 -0
- package/dist/cjs/simulation_engine/resourceTypes.d.ts.map +1 -0
- package/dist/cjs/simulation_engine/resourceTypes.js +145 -0
- package/dist/cjs/simulation_engine/resourceTypes.js.map +1 -0
- package/dist/cjs/simulation_engine/simulationEngine.d.ts +92 -14
- package/dist/cjs/simulation_engine/simulationEngine.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/simulationEngine.js +74 -16
- package/dist/cjs/simulation_engine/simulationEngine.js.map +1 -1
- package/dist/cjs/util/resourceStrings.d.ts +10 -0
- package/dist/cjs/util/resourceStrings.d.ts.map +1 -0
- package/dist/cjs/util/resourceStrings.js +81 -0
- package/dist/cjs/util/resourceStrings.js.map +1 -0
- package/dist/cjs/util.d.ts +0 -10
- package/dist/cjs/util.d.ts.map +1 -1
- package/dist/cjs/util.js +0 -25
- package/dist/cjs/util.js.map +1 -1
- package/dist/esm/index.d.ts +1 -1
- package/dist/esm/index.d.ts.map +1 -1
- package/dist/esm/index.js.map +1 -1
- package/dist/esm/request/requestResource.d.ts +12 -0
- package/dist/esm/request/requestResource.d.ts.map +1 -1
- package/dist/esm/request/requestResource.js +6 -0
- package/dist/esm/request/requestResource.js.map +1 -1
- package/dist/esm/resource/resource.d.ts +11 -2
- package/dist/esm/resource/resource.d.ts.map +1 -1
- package/dist/esm/resource/resource.js +169 -8
- package/dist/esm/resource/resource.js.map +1 -1
- package/dist/esm/simulation_engine/contextKeys.d.ts +2 -1
- package/dist/esm/simulation_engine/contextKeys.d.ts.map +1 -1
- package/dist/esm/simulation_engine/contextKeys.js +14 -9
- package/dist/esm/simulation_engine/contextKeys.js.map +1 -1
- package/dist/esm/simulation_engine/overallResult.d.ts +13 -0
- package/dist/esm/simulation_engine/overallResult.d.ts.map +1 -0
- package/dist/esm/simulation_engine/overallResult.js +32 -0
- package/dist/esm/simulation_engine/overallResult.js.map +1 -0
- package/dist/esm/simulation_engine/policyResources.d.ts +41 -0
- package/dist/esm/simulation_engine/policyResources.d.ts.map +1 -0
- package/dist/esm/simulation_engine/policyResources.js +106 -0
- package/dist/esm/simulation_engine/policyResources.js.map +1 -0
- package/dist/esm/simulation_engine/resourceTypes.d.ts +18 -0
- package/dist/esm/simulation_engine/resourceTypes.d.ts.map +1 -0
- package/dist/esm/simulation_engine/resourceTypes.js +141 -0
- package/dist/esm/simulation_engine/resourceTypes.js.map +1 -0
- package/dist/esm/simulation_engine/simulationEngine.d.ts +92 -14
- package/dist/esm/simulation_engine/simulationEngine.d.ts.map +1 -1
- package/dist/esm/simulation_engine/simulationEngine.js +75 -17
- package/dist/esm/simulation_engine/simulationEngine.js.map +1 -1
- package/dist/esm/util/resourceStrings.d.ts +10 -0
- package/dist/esm/util/resourceStrings.d.ts.map +1 -0
- package/dist/esm/util/resourceStrings.js +78 -0
- package/dist/esm/util/resourceStrings.js.map +1 -0
- package/dist/esm/util.d.ts +0 -10
- package/dist/esm/util.d.ts.map +1 -1
- package/dist/esm/util.js +1 -25
- package/dist/esm/util.js.map +1 -1
- package/package.json +2 -2
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"resource.js","sourceRoot":"","sources":["../../../src/resource/resource.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAA;AAElE;;;;;GAKG;AACH,SAAS,6BAA6B,CAAC,OAAe;IACpD,IAAI,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAA;IACvD,CAAC;IACD,MAAM,OAAO,GAAG,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,GAAG,CAAA;IAC7E,OAAO,IAAI,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;AACjC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gCAAgC,CAC9C,OAAmB,EACnB,SAAoB;IAEpB,IAAI,SAAS,CAAC,mBAAmB,EAAE,EAAE,CAAC;QACpC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,uBAAuB,
|
|
1
|
+
{"version":3,"file":"resource.js","sourceRoot":"","sources":["../../../src/resource/resource.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAA;AAElE;;;;;GAKG;AACH,SAAS,6BAA6B,CAAC,OAAe;IACpD,IAAI,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAA;IACvD,CAAC;IACD,MAAM,OAAO,GAAG,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,GAAG,CAAA;IAC7E,OAAO,IAAI,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;AACjC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gCAAgC,CAC9C,OAAmB,EACnB,SAAoB;IAEpB,IAAI,SAAS,CAAC,mBAAmB,EAAE,EAAE,CAAC;QACpC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,uBAAuB,CACnD,OAAO,EACP,SAAS,CAAC,SAAS,EAAE,EACrB,UAAU,EACV,SAAS,CAAC,MAAM,EAAsB,CACvC,CAAA;QACD,IAAI,CAAC,SAAS,CAAC,eAAe,EAAE,EAAE,CAAC;YACjC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAC,EAAE,EAAE,CAAA;QACzD,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,EAAE,SAAS,EAAE,QAAQ,EAAE,EAAE,CAAA;IACtD,CAAC;SAAM,IAAI,SAAS,CAAC,sBAAsB,EAAE,EAAE,CAAC;QAC9C,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,0BAA0B,CACtD,OAAO,EACP,SAAS,CAAC,YAAY,EAAE,EACxB,aAAa,EACb,SAAS,CAAC,MAAM,EAAsB,CACvC,CAAA;QACD,IAAI,CAAC,SAAS,CAAC,kBAAkB,EAAE,EAAE,CAAC;YACpC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,EAAE,YAAY,EAAE,QAAQ,CAAC,CAAC,CAAC,EAAE,EAAE,CAAA;QAC5D,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,EAAE,YAAY,EAAE,QAAQ,EAAE,EAAE,CAAA;IACzD,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,CAAA;AACvC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,uBAAuB,CACrC,OAAmB,EACnB,eAA2B,EAC3B,YAAwC,EACxC,MAAwB;IAExB,MAAM,QAAQ,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC,cAAc,EAAE,EAAE,CACtD,4BAA4B,CAAC,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,CAAC,CAC5E,CAAA;IACD,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;IAC3D,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAA;AAC9B,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,0BAA0B,CACxC,OAAmB,EACnB,eAA2B,EAC3B,YAAwC,EACxC,MAAwB;IAExB,MAAM,QAAQ,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC,cAAc,EAAE,EAAE;QACtD,MAAM,OAAO,GAAG,4BAA4B,CAAC,OAAO,EAAE,cAAc,E
AAE,YAAY,EAAE,MAAM,CAAC,CAAA;QAC3F,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;YACpB,OAAO,CAAC,OAAO,GAAG,CAAC,OAAO,CAAC,OAAO,CAAA;QACpC,CAAC;QACD,OAAO,OAAO,CAAA;IAChB,CAAC,CAAC,CAAA;IACF,MAAM,OAAO,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;IAC7D,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAA;AAC9B,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAiCE;AAEF;;;;;;GAMG;AACH,SAAS,4BAA4B,CACnC,OAAmB,EACnB,cAAwB,EACxB,YAAwC,EACxC,MAAwB;IAExB,0BAA0B;IAC1B,IAAI,cAAc,CAAC,cAAc,EAAE,EAAE,CAAC;QACpC,OAAO;YACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;YAChC,OAAO,EAAE,IAAI;SACd,CAAA;IACH,CAAC;IAED,2BAA2B;IAC3B,IAAI,OAAO,CAAC,QAAQ,EAAE,cAAc,EAAE,EAAE,CAAC;QACvC,IAAI,MAAM,KAAK,OAAO,IAAI,YAAY,KAAK,UAAU,EAAE,CAAC;YACtD,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,IAAI;aACd,CAAA;QACH,CAAC;aAAM,IAAI,MAAM,KAAK,OAAO,IAAI,YAAY,KAAK,aAAa,EAAE,CAAC;YAChE,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK,CAAC,mCAAmC;aACnD,CAAA;QACH,CAAC;aAAM,IAAI,MAAM,KAAK,MAAM,IAAI,YAAY,KAAK,UAAU,EAAE,CAAC;YAC5D,0EAA0E;YAC1E,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;aACf,CAAA;QACH,CAAC;aAAM,IAAI,MAAM,KAAK,MAAM,IAAI,YAAY,KAAK,aAAa,EAAE,CAAC;YAC/D,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,IAAI,CAAC,mCAAmC;aAClD,CAAA;QACH,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,iDAAiD,YAAY,IAAI,MAAM,EAAE,CAAC,CAAA;IAC5F,CAAC;IAED,qDAAqD;IACrD,IAAI,OAAO,CAAC,QAAQ,CAAC,YAAY,EAAE,IAAI,cAAc,CAAC,aAAa,EAAE,EAAE,CAAC;QACtE,MAAM,QAAQ,GAAG;YACf,sBAAsB,CAAC,cAAc,CAAC,SAAS,EAAE,EAAE,OAAO,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;YAChF,sBAAsB,CAAC,cAAc,CAAC,OAAO,EAAE,EAAE,OAAO,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;YAC5E,sBAAsB,CAAC,cAAc,CAAC,MAAM,EAAE,EAAE,OAAO,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;YAC1E,sBAAsB,CAAC,cAAc,CAAC,OAAO,EAAE,EAAE,OAAO,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;YAC5E,sBAAsB,CAAC,cAAc,CAAC,QAAQ,EAAE,EAAE,OAAO,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;SAC/E,CAAA;QAED,IAAI,YAAY,KAAK,UAAU,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;YACtD,IAAI,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,MAAM,CAAC,EAAE,CAAC;gBACxC,OA
AO;oBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;oBAChC,OAAO,EAAE,IAAI;iBACd,CAAA;YACH,CAAC;QACH,CAAC;aAAM,IAAI,YAAY,KAAK,UAAU,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YAC5D,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,MAAM,IAAI,CAAC,KAAK,kBAAkB,CAAC,EAAE,CAAC;gBACnE,OAAO;oBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;oBAChC,OAAO,EAAE,KAAK;iBACf,CAAA;YACH,CAAC;QACH,CAAC;aAAM,IAAI,YAAY,KAAK,aAAa,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;YAChE;;;;;;eAMG;YACH,IAAI,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,OAAO,IAAI,CAAC,KAAK,oBAAoB,CAAC,EAAE,CAAC;gBACvE,OAAO;oBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;oBAChC,mCAAmC;oBACnC,OAAO,EAAE,IAAI;iBACd,CAAA;YACH,CAAC;iBAAM,CAAC;gBACN,OAAO;oBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;oBAChC,mCAAmC;oBACnC,OAAO,EAAE,KAAK;iBACf,CAAA;YACH,CAAC;QACH,CAAC;aAAM,IAAI,YAAY,KAAK,aAAa,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YAC/D;;;;;;cAME;YACF,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,MAAM,CAAC,EAAE,CAAC;gBACvC,OAAO;oBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;oBAChC,mCAAmC;oBACnC,OAAO,EAAE,KAAK;iBACf,CAAA;YACH,CAAC;iBAAM,CAAC;gBACN,OAAO;oBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;oBAChC,mCAAmC;oBACnC,OAAO,EAAE,IAAI;iBACd,CAAA;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CAAC,iDAAiD,YAAY,IAAI,MAAM,EAAE,CAAC,CAAA;QAC5F,CAAC;IACH,CAAC;IAED,IAAI,cAAc,CAAC,aAAa,EAAE,EAAE,CAAC;QACnC,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;YACtB,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,kCAAkC,CAAC;aAC7C,CAAA;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAA;QACjC,IAAI,CAAC,6BAA6B,CAAC,cAAc,CAAC,SAAS,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC,EAAE,CAAC;YAC1F,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,0BAA0B,CAAC;aACrC,CAAA;QACH,CAAC;QAED,IAAI,CAAC,6BAA6B,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;YACtF,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,wBAAwB,CAAC;aACnC,CAAA;QACH,CAAC;QAED,IAAI,CAAC,6BAA6B,CAAC,cAAc,CAAC,MAAM,EAAE,CAAC,CAAC,IAAI,
CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,CAAC;YACpF,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,uBAAuB,CAAC;aAClC,CAAA;QACH,CAAC;QAED,IAAI,CAAC,6BAA6B,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;YACtF,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,wBAAwB,CAAC;aACnC,CAAA;QACH,CAAC;QAED,gKAAgK;QAChK,MAAM,CAAC,aAAa,EAAE,gBAAgB,CAAC,GAAG,mBAAmB,CAAC,cAAc,CAAC,CAAA;QAC7E,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;YACnD,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,wBAAwB,CAAC;aACnC,CAAA;QACH,CAAC;QAED,MAAM,iBAAiB,GAAG,QAAQ,CAAC,QAAQ,EAAE,CAAC,KAAK,CAAC,aAAa,CAAC,MAAM,CAAC,CAAA;QACzE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,gBAAgB,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAA;QACvE,MAAM,kBAAkB,GAAG,gBAAgB,CAAC,gBAAgB,EAAE,OAAO,EAAE;YACrE,cAAc,EAAE,KAAK;YACrB,gBAAgB,EAAE,KAAK;SACxB,CAAC,CAAA;QACF,MAAM,gBAAgB,GACpB,cAAc,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,cAAc,CAAC,KAAK,EAAE,CAAC,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC;YACxF,kBAAkB,CAAA;QACpB,MAAM,aAAa,GAAG,gBAAgB,KAAK,cAAc,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,gBAAgB,CAAA;QAEhG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,EAAE,CAAC;YACrC,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM;gBACN,aAAa;aACd,CAAA;QACH,CAAC;QAED,OAAO;YACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;YAChC,OAAO,EAAE,IAAI;YACb,aAAa;SACd,CAAA;IACH,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAA;IAC1C,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,sBAAsB,CACpC,YAAoB,EACpB,aAAqB;IAErB,IAAI,YAAY,KAAK,aAAa,EAAE,CAAC;QACnC,OAAO,OAAO,CAAA;IAChB,CAAC;IACD,MAAM,cAAc,GAAG,GAAG,GAAG,aAAa,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,GAAG,CAAA;IACtE,IAAI,YAAY,CAAC,KAAK,CAAC,cAAc,CAAC,EAAE,CAAC;QACvC,OAAO,kBAAkB,CAAA;IAC3B,CAAC;IAED,MAAM,aAAa,GAAG,GAAG,GAAG,YAAY,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,GAAG,CAAA;IACxF,IAAI,aAAa,CAAC,KAAK,CAAC,aAAa,CAAC,EAAE,CAAC;QACvC
,OAAO,oBAAoB,CAAA;IAC7B,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC"}
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
import { ResourceType } from '@cloud-copilot/iam-data';
|
|
1
2
|
/**
|
|
2
3
|
* Get the allowed context keys for a request.
|
|
3
4
|
*
|
|
@@ -8,5 +9,5 @@
|
|
|
8
9
|
* @returns The allowed context keys for the request as lower case strings
|
|
9
10
|
* @throws error if the service or action does not exist
|
|
10
11
|
*/
|
|
11
|
-
export declare function allowedContextKeysForRequest(service: string, action: string, resource: string, bucketAbacEnabled
|
|
12
|
+
export declare function allowedContextKeysForRequest(service: string, action: string, resource: string, bucketAbacEnabled: boolean, suggestedResourceType: ResourceType | undefined): Promise<string[]>;
|
|
12
13
|
//# sourceMappingURL=contextKeys.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"contextKeys.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/contextKeys.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"contextKeys.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/contextKeys.ts"],"names":[],"mappings":"AAAA,OAAO,EAA+C,YAAY,EAAE,MAAM,yBAAyB,CAAA;AAInG;;;;;;;;;GASG;AACH,wBAAsB,4BAA4B,CAChD,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,iBAAiB,EAAE,OAAO,EAC1B,qBAAqB,EAAE,YAAY,GAAG,SAAS,GAC9C,OAAO,CAAC,MAAM,EAAE,CAAC,CAsCnB"}
|
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
import { getAllGlobalConditionKeys, iamActionDetails } from '@cloud-copilot/iam-data';
|
|
2
|
-
import {
|
|
2
|
+
import { isS3BucketOrObjectArn, isWildcardOnlyAction, lowerCaseAll } from '../util.js';
|
|
3
|
+
import { getResourceTypesForAction } from './resourceTypes.js';
|
|
3
4
|
/**
|
|
4
5
|
* Get the allowed context keys for a request.
|
|
5
6
|
*
|
|
@@ -10,21 +11,25 @@ import { getResourceTypesForAction, isS3BucketOrObjectArn, isWildcardOnlyAction,
|
|
|
10
11
|
* @returns The allowed context keys for the request as lower case strings
|
|
11
12
|
* @throws error if the service or action does not exist
|
|
12
13
|
*/
|
|
13
|
-
export async function allowedContextKeysForRequest(service, action, resource, bucketAbacEnabled) {
|
|
14
|
+
export async function allowedContextKeysForRequest(service, action, resource, bucketAbacEnabled, suggestedResourceType) {
|
|
14
15
|
const actionDetails = await iamActionDetails(service, action);
|
|
15
16
|
const actionConditionKeys = lowerCaseAll(actionDetails.conditionKeys);
|
|
16
17
|
const isWildCardOnly = await isWildcardOnlyAction(service, action);
|
|
17
18
|
if (isWildCardOnly) {
|
|
18
19
|
return [...actionConditionKeys, ...lowerCaseGlobalConditionKeys()];
|
|
19
20
|
}
|
|
20
|
-
|
|
21
|
-
if (
|
|
22
|
-
|
|
21
|
+
let resourceType = suggestedResourceType;
|
|
22
|
+
if (!resourceType) {
|
|
23
|
+
const resourceTypes = await getResourceTypesForAction(service, action, resource);
|
|
24
|
+
if (resourceTypes.length === 0) {
|
|
25
|
+
throw new Error(`No resource types found for action ${action} on service ${service}`);
|
|
26
|
+
}
|
|
27
|
+
else if (resourceTypes.length > 1) {
|
|
28
|
+
throw new Error(`Multiple resource types found for action ${action} on service ${service}`);
|
|
29
|
+
}
|
|
30
|
+
resourceType = resourceTypes[0];
|
|
23
31
|
}
|
|
24
|
-
|
|
25
|
-
throw new Error(`Multiple resource types found for action ${action} on service ${service}`);
|
|
26
|
-
}
|
|
27
|
-
const resourceTypeConditions = actionDetails.resourceTypes.find((rt) => rt.name === resourceTypes[0].key).conditionKeys;
|
|
32
|
+
const resourceTypeConditions = actionDetails.resourceTypes.find((rt) => rt.name === resourceType.key).conditionKeys;
|
|
28
33
|
const allKeys = [
|
|
29
34
|
...lowerCaseAll(resourceTypeConditions),
|
|
30
35
|
...actionConditionKeys,
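Review bot: A caller-supplied `suggestedResourceType` skips the `getResourceTypesForAction` lookup and is never checked against the action, so when no entry of `actionDetails.resourceTypes` has `name === resourceType.key`, `.find(...)` returns `undefined` and `.conditionKeys` throws a bare TypeError instead of a descriptive error. A suggested type that belongs to the action but not to `resource` would go further and silently yield that type's condition keys, which changes the set of context keys the simulation accepts. Consider holding the lookup in a local and failing explicitly: `const match = actionDetails.resourceTypes.find((rt) => rt.name === resourceType.key);` followed by `if (!match) { throw new Error('Resource type is not valid for this action'); }`. The function body continues past the end of this hunk.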
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"contextKeys.js","sourceRoot":"","sources":["../../../src/simulation_engine/contextKeys.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,yBAAyB,EAAE,gBAAgB,
|
|
1
|
+
{"version":3,"file":"contextKeys.js","sourceRoot":"","sources":["../../../src/simulation_engine/contextKeys.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,yBAAyB,EAAE,gBAAgB,EAAgB,MAAM,yBAAyB,CAAA;AACnG,OAAO,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,YAAY,EAAE,MAAM,YAAY,CAAA;AACtF,OAAO,EAAE,yBAAyB,EAAE,MAAM,oBAAoB,CAAA;AAE9D;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,OAAe,EACf,MAAc,EACd,QAAgB,EAChB,iBAA0B,EAC1B,qBAA+C;IAE/C,MAAM,aAAa,GAAG,MAAM,gBAAgB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;IAC7D,MAAM,mBAAmB,GAAG,YAAY,CAAC,aAAa,CAAC,aAAa,CAAC,CAAA;IAErE,MAAM,cAAc,GAAG,MAAM,oBAAoB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;IAClE,IAAI,cAAc,EAAE,CAAC;QACnB,OAAO,CAAC,GAAG,mBAAmB,EAAE,GAAG,4BAA4B,EAAE,CAAC,CAAA;IACpE,CAAC;IAED,IAAI,YAAY,GAAG,qBAAqB,CAAA;IACxC,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,MAAM,aAAa,GAAG,MAAM,yBAAyB,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAA;QAChF,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CAAC,sCAAsC,MAAM,eAAe,OAAO,EAAE,CAAC,CAAA;QACvF,CAAC;aAAM,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,4CAA4C,MAAM,eAAe,OAAO,EAAE,CAAC,CAAA;QAC7F,CAAC;QACD,YAAY,GAAG,aAAa,CAAC,CAAC,CAAC,CAAA;IACjC,CAAC;IAED,MAAM,sBAAsB,GAAG,aAAa,CAAC,aAAa,CAAC,IAAI,CAC7D,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,KAAK,YAAa,CAAC,GAAG,CACrC,CAAC,aAAa,CAAA;IAEhB,MAAM,OAAO,GAAG;QACd,GAAG,YAAY,CAAC,sBAAsB,CAAC;QACvC,GAAG,mBAAmB;QACtB,GAAG,4BAA4B,EAAE;KAClC,CAAA;IAED,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,IAAI,iBAAiB,EAAE,CAAC;QAC1D,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,wDAAwD;IACxD,OAAO,OAAO,CAAC,MAAM,CACnB,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,eAAe,CAAC,CACjF,CAAA;AACH,CAAC;AAED,IAAI,sBAA4C,CAAA;AAChD,SAAS,4BAA4B;IACnC,IAAI,CAAC,sBAAsB,EAAE,CAAC;QAC5B,sBAAsB,GAAG,yBAAyB,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAA;IAClF,CAAC;IACD,OAAO,sBAAsB,CAAA;AAC/B,CAAC"}
|
|
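--- a/package/dist/esm/simulation_engine/overallResult.d.ts
+++ b/package/dist/esm/simulation_engine/overallResult.d.ts
@@ -0,0 +1,13 @@
+import type { EvaluationResult } from '../evaluate.js';
+import type { SimulationResourceResult } from './simulationEngine.js';
+/**
+* Calculates the overall evaluation result from multiple simulation resource results.
+*
+* @param results Array of simulation resource results to evaluate
+* @returns The overall evaluation result following AWS IAM evaluation logic:
+* - 'Allowed' if any result is allowed
+* - 'ExplicitlyDenied' if all results are explicitly denied
+* - 'ImplicitlyDenied' for all other cases (including empty results)
+*/
+export declare function calculateOverallResult(results: SimulationResourceResult[]): EvaluationResult;
+//# sourceMappingURL=overallResult.d.ts.map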
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"overallResult.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/overallResult.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACtD,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,uBAAuB,CAAA;AAErE;;;;;;;;GAQG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,wBAAwB,EAAE,GAAG,gBAAgB,CAyB5F"}
|
|
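--- a/package/dist/esm/simulation_engine/overallResult.js
+++ b/package/dist/esm/simulation_engine/overallResult.js
@@ -0,0 +1,32 @@
+/**
+* Calculates the overall evaluation result from multiple simulation resource results.
+*
+* @param results Array of simulation resource results to evaluate
+* @returns The overall evaluation result following AWS IAM evaluation logic:
+* - 'Allowed' if any result is allowed
+* - 'ExplicitlyDenied' if all results are explicitly denied
+* - 'ImplicitlyDenied' for all other cases (including empty results)
+*/
+export function calculateOverallResult(results) {
+if (results.length === 0) {
+return 'ImplicitlyDenied';
+}
+let hasExplicitlyDenied = false;
+let hasImplicitlyDenied = false;
+for (const result of results) {
+const evaluationResult = result.analysis?.result;
+if (evaluationResult === 'Allowed') {
+return 'Allowed';
+}
+if (evaluationResult === 'ExplicitlyDenied') {
+hasExplicitlyDenied = true;
+continue;
+}
+hasImplicitlyDenied = true;
+}
+if (hasExplicitlyDenied && !hasImplicitlyDenied) {
+return 'ExplicitlyDenied';
+}
+return 'ImplicitlyDenied';
+}
+//# sourceMappingURL=overallResult.js.map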
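Review bot: `result.analysis?.result` lets a result with no `analysis` fall through to `hasImplicitlyDenied = true`, so a resource that was never evaluated is reported the same way as one that was evaluated and implicitly denied. Whether `SimulationResourceResult` can really lack `analysis` is not visible here, but the optional chaining suggests it can. The JSDoc should say so, and should also state that a mix of explicit and implicit denies collapses to 'ImplicitlyDenied', so a reader looking for explicit denies has to check the per-resource results. Proposed addition to the `@returns` list: `* - results without an analysis are counted as 'ImplicitlyDenied'`.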
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"overallResult.js","sourceRoot":"","sources":["../../../src/simulation_engine/overallResult.ts"],"names":[],"mappings":"AAGA;;;;;;;;GAQG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAAmC;IACxE,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,kBAAkB,CAAA;IAC3B,CAAC;IAED,IAAI,mBAAmB,GAAG,KAAK,CAAA;IAC/B,IAAI,mBAAmB,GAAG,KAAK,CAAA;IAE/B,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,MAAM,gBAAgB,GAAG,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAA;QAChD,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;YACnC,OAAO,SAAS,CAAA;QAClB,CAAC;QACD,IAAI,gBAAgB,KAAK,kBAAkB,EAAE,CAAC;YAC5C,mBAAmB,GAAG,IAAI,CAAA;YAC1B,SAAQ;QACV,CAAC;QACD,mBAAmB,GAAG,IAAI,CAAA;IAC5B,CAAC;IAED,IAAI,mBAAmB,IAAI,CAAC,mBAAmB,EAAE,CAAC;QAChD,OAAO,kBAAkB,CAAA;IAC3B,CAAC;IAED,OAAO,kBAAkB,CAAA;AAC3B,CAAC"}
|
|
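--- a/package/dist/esm/simulation_engine/policyResources.d.ts
+++ b/package/dist/esm/simulation_engine/policyResources.d.ts
@@ -0,0 +1,41 @@
+import { ResourceType } from '@cloud-copilot/iam-data';
+import { Statement } from '@cloud-copilot/iam-policy';
+import { PolicyWithName } from '../core_engine/CoreSimulatorEngine.js';
+/**
+* Extracts matching resource strings from a set of policies for a given action and resource pattern.
+*
+* @param policies Array of policies to search through (undefined entries are skipped)
+* @param action The action to match against policy statements
+* @param resourceType The resource type to filter resource strings by
+* @param resourceArnPattern The resource ARN pattern to match against
+* @returns Array of unique resource strings that match the criteria
+*/
+export declare function getMatchingResourceStringsForPolicies(policies: (PolicyWithName | undefined)[], action: string, resourceType: ResourceType, resourceArnPattern: string): string[];
+/**
+* Extracts resource strings from a single policy statement that allows the specified action.
+*
+* @param statement The policy statement to analyze
+* @param action The action to check if the statement allows
+* @param resourceType The resource type to filter by
+* @param resourceArnPattern The resource ARN pattern to match
+* @returns Array of resource strings from the statement, or empty array if statement doesn't allow the action
+*/
+export declare function getResourceStringsFromStatement(statement: Statement, action: string, resourceType: ResourceType, resourceArnPattern: string): string[];
+/**
+* Extracts resource strings from a statement's Resource or NotResource elements that match the given criteria.
+*
+* @param statement The policy statement to analyze
+* @param resourceType The resource type to filter by
+* @param resourceArnPattern The resource ARN pattern to check for overlap
+* @returns Array of matching resource strings, or ['*'] for certain NotResource cases
+*/
+export declare function statementResourceStringsForResourceTypeAndPattern(statement: Statement, resourceType: ResourceType, resourceArnPattern: string): string[];
+/**
+* Determines if a policy statement allows the specified action.
+*
+* @param statement The policy statement to check
+* @param action The action to test against the statement
+* @returns true if the statement allows the action, false otherwise
+*/
+export declare function statementAllowsAction(statement: Statement, action: string): boolean;
+//# sourceMappingURL=policyResources.d.ts.map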
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"policyResources.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/policyResources.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAA;AACtD,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAA;AAErD,OAAO,EAAE,cAAc,EAAE,MAAM,uCAAuC,CAAA;AAItE;;;;;;;;GAQG;AACH,wBAAgB,qCAAqC,CACnD,QAAQ,EAAE,CAAC,cAAc,GAAG,SAAS,CAAC,EAAE,EACxC,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,YAAY,EAC1B,kBAAkB,EAAE,MAAM,GACzB,MAAM,EAAE,CAmBV;AAED;;;;;;;;GAQG;AACH,wBAAgB,+BAA+B,CAC7C,SAAS,EAAE,SAAS,EACpB,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,YAAY,EAC1B,kBAAkB,EAAE,MAAM,GACzB,MAAM,EAAE,CASV;AAED;;;;;;;GAOG;AACH,wBAAgB,iDAAiD,CAC/D,SAAS,EAAE,SAAS,EACpB,YAAY,EAAE,YAAY,EAC1B,kBAAkB,EAAE,MAAM,GACzB,MAAM,EAAE,CA4BV;AAED;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CAAC,SAAS,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAkBnF"}
|
|
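--- a/package/dist/esm/simulation_engine/policyResources.js
+++ b/package/dist/esm/simulation_engine/policyResources.js
@@ -0,0 +1,106 @@
+import { actionMatchesPattern, resourceArnWithWildcardsToRegex } from '@cloud-copilot/iam-utils';
+import { resourceArnsOverlap } from '../util/resourceStrings.js';
+import { resourceStringMatchesResourceTypePattern } from './resourceTypes.js';
+/**
+* Extracts matching resource strings from a set of policies for a given action and resource pattern.
+*
+* @param policies Array of policies to search through (undefined entries are skipped)
+* @param action The action to match against policy statements
+* @param resourceType The resource type to filter resource strings by
+* @param resourceArnPattern The resource ARN pattern to match against
+* @returns Array of unique resource strings that match the criteria
+*/
+export function getMatchingResourceStringsForPolicies(policies, action, resourceType, resourceArnPattern) {
+const resourceStrings = new Set();
+for (const policy of policies) {
+if (!policy) {
+continue;
+}
+for (const statement of policy.statements()) {
+const stmtResourceStrings = getResourceStringsFromStatement(statement, action, resourceType, resourceArnPattern);
+for (const rs of stmtResourceStrings) {
+resourceStrings.add(rs);
+}
+}
+}
+return Array.from(resourceStrings);
+}
+/**
+* Extracts resource strings from a single policy statement that allows the specified action.
+*
+* @param statement The policy statement to analyze
+* @param action The action to check if the statement allows
+* @param resourceType The resource type to filter by
+* @param resourceArnPattern The resource ARN pattern to match
+* @returns Array of resource strings from the statement, or empty array if statement doesn't allow the action
+*/
+export function getResourceStringsFromStatement(statement, action, resourceType, resourceArnPattern) {
+if (statementAllowsAction(statement, action)) {
+return statementResourceStringsForResourceTypeAndPattern(statement, resourceType, resourceArnPattern);
+}
+return [];
+}
+/**
+* Extracts resource strings from a statement's Resource or NotResource elements that match the given criteria.
+*
+* @param statement The policy statement to analyze
+* @param resourceType The resource type to filter by
+* @param resourceArnPattern The resource ARN pattern to check for overlap
+* @returns Array of matching resource strings, or ['*'] for certain NotResource cases
+*/
+export function statementResourceStringsForResourceTypeAndPattern(statement, resourceType, resourceArnPattern) {
+if (statement.isResourceStatement() && statement.isAllow()) {
+const resourceStrings = [];
+for (const stmtResource of statement.resources()) {
+if (resourceStringMatchesResourceTypePattern(stmtResource.value(), resourceType.arn)) {
+if (resourceArnsOverlap(resourceArnPattern, stmtResource.value())) {
+resourceStrings.push(stmtResource.value());
+}
+}
+}
+return resourceStrings;
+}
+if (statement.isNotResourceStatement() && statement.isAllow()) {
+for (const stmtNotResource of statement.notResources()) {
+// If any NotResource string equals or is a superset of the resource type pattern, then the statement does not apply to the string. Otherwise, it should return the string '*'
+if (stmtNotResource.value() === resourceArnPattern ||
+isResourceArnSuperset(stmtNotResource.value(), resourceArnPattern)) {
+return [];
+}
+}
+return ['*'];
+}
+// If it's a statement that has no Resource or NotResource such as a trust policy, just return the original pattern
+return [resourceArnPattern];
+}
+/**
+* Determines if a policy statement allows the specified action.
+*
+* @param statement The policy statement to check
+* @param action The action to test against the statement
+* @returns true if the statement allows the action, false otherwise
+*/
+export function statementAllowsAction(statement, action) {
+if (statement.isActionStatement() && statement.isAllow()) {
+for (const stmtAction of statement.actions()) {
+if (actionMatchesPattern(action, stmtAction.value())) {
+return true;
+}
+}
+return false;
+}
+else if (statement.isNotActionStatement() && statement.isAllow()) {
+for (const stmtAction of statement.notActions()) {
+if (actionMatchesPattern(action, stmtAction.value())) {
+return false;
+}
+}
+return true;
+}
+return false;
+}
+function isResourceArnSuperset(arnSuperset, arnSubset) {
+const regexSuperset = resourceArnWithWildcardsToRegex(arnSuperset);
+return regexSuperset.test(arnSubset);
+}
+//# sourceMappingURL=policyResources.js.map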
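Review bot: `statementResourceStringsForResourceTypeAndPattern` falls through to `return [resourceArnPattern]` for a Deny statement, because both the Resource and the NotResource branch also require `statement.isAllow()`. The caller in this file, `getResourceStringsFromStatement`, gates on `statementAllowsAction` first, so the path is not reached from there, but the function is exported and a direct caller would get the full pattern back for a statement that grants nothing. An early `if (!statement.isAllow()) { return []; }` would keep the fallback limited to statements with no Resource or NotResource element, which is what its comment describes. Separately, `isResourceArnSuperset` tests the NotResource regex against `resourceArnPattern`, which may itself contain wildcards; whether that is a sound superset check for every wildcard combination depends on `resourceArnWithWildcardsToRegex`, which is not shown here, so it deserves a targeted test.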
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"policyResources.js","sourceRoot":"","sources":["../../../src/simulation_engine/policyResources.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,oBAAoB,EAAE,+BAA+B,EAAE,MAAM,0BAA0B,CAAA;AAEhG,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAA;AAChE,OAAO,EAAE,wCAAwC,EAAE,MAAM,oBAAoB,CAAA;AAE7E;;;;;;;;GAQG;AACH,MAAM,UAAU,qCAAqC,CACnD,QAAwC,EACxC,MAAc,EACd,YAA0B,EAC1B,kBAA0B;IAE1B,MAAM,eAAe,GAAG,IAAI,GAAG,EAAU,CAAA;IACzC,KAAK,MAAM,MAAM,IAAI,QAAQ,EAAE,CAAC;QAC9B,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,SAAQ;QACV,CAAC;QACD,KAAK,MAAM,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;YAC5C,MAAM,mBAAmB,GAAG,+BAA+B,CACzD,SAAS,EACT,MAAM,EACN,YAAY,EACZ,kBAAkB,CACnB,CAAA;YACD,KAAK,MAAM,EAAE,IAAI,mBAAmB,EAAE,CAAC;gBACrC,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;YACzB,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;AACpC,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,+BAA+B,CAC7C,SAAoB,EACpB,MAAc,EACd,YAA0B,EAC1B,kBAA0B;IAE1B,IAAI,qBAAqB,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,CAAC;QAC7C,OAAO,iDAAiD,CACtD,SAAS,EACT,YAAY,EACZ,kBAAkB,CACnB,CAAA;IACH,CAAC;IACD,OAAO,EAAE,CAAA;AACX,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,iDAAiD,CAC/D,SAAoB,EACpB,YAA0B,EAC1B,kBAA0B;IAE1B,IAAI,SAAS,CAAC,mBAAmB,EAAE,IAAI,SAAS,CAAC,OAAO,EAAE,EAAE,CAAC;QAC3D,MAAM,eAAe,GAAa,EAAE,CAAA;QACpC,KAAK,MAAM,YAAY,IAAI,SAAS,CAAC,SAAS,EAAE,EAAE,CAAC;YACjD,IAAI,wCAAwC,CAAC,YAAY,CAAC,KAAK,EAAE,EAAE,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC;gBACrF,IAAI,mBAAmB,CAAC,kBAAkB,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC;oBAClE,eAAe,CAAC,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC,CAAA;gBAC5C,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,eAAe,CAAA;IACxB,CAAC;IAED,IAAI,SAAS,CAAC,sBAAsB,EAAE,IAAI,SAAS,CAAC,OAAO,EAAE,EAAE,CAAC;QAC9D,KAAK,MAAM,eAAe,IAAI,SAAS,CAAC,YAAY,EAAE,EAAE,CAAC;YACvD,8KAA8K;YAC9K,IACE,eAAe,CAAC,KAAK,EAAE,KAAK,kBAAkB;gBAC9C,qBAAqB,CAAC,eAAe,CAAC,KAAK,EAAE,EAAE,kBAAkB,CAAC,EAClE,CAAC;gBACD,OAAO,EAAE,CAAA;YACX,CAAC;QACH,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,CAAA;IACd,CAAC;IAED,mHAAmH;IACnH,OAAO,CAAC,kBAAkB,CAAC,CAAA;AAC7B,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,qBAAqB,CAAC,SAAoB,EAAE,MAAc
;IACxE,IAAI,SAAS,CAAC,iBAAiB,EAAE,IAAI,SAAS,CAAC,OAAO,EAAE,EAAE,CAAC;QACzD,KAAK,MAAM,UAAU,IAAI,SAAS,CAAC,OAAO,EAAE,EAAE,CAAC;YAC7C,IAAI,oBAAoB,CAAC,MAAM,EAAE,UAAU,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC;gBACrD,OAAO,IAAI,CAAA;YACb,CAAC;QACH,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;SAAM,IAAI,SAAS,CAAC,oBAAoB,EAAE,IAAI,SAAS,CAAC,OAAO,EAAE,EAAE,CAAC;QACnE,KAAK,MAAM,UAAU,IAAI,SAAS,CAAC,UAAU,EAAE,EAAE,CAAC;YAChD,IAAI,oBAAoB,CAAC,MAAM,EAAE,UAAU,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC;gBACrD,OAAO,KAAK,CAAA;YACd,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED,SAAS,qBAAqB,CAAC,WAAmB,EAAE,SAAiB;IACnE,MAAM,aAAa,GAAG,+BAA+B,CAAC,WAAW,CAAC,CAAA;IAClE,OAAO,aAAa,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;AACtC,CAAC"}
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
import { ResourceType } from '@cloud-copilot/iam-data';
|
|
2
|
+
/**
|
|
3
|
+
* Checks to see if a resource string ARN matches a resource pattern from the Service Authorization Reference
|
|
4
|
+
*
|
|
5
|
+
* @param resourceString
|
|
6
|
+
* @param resourcePattern
|
|
7
|
+
*/
|
|
8
|
+
export declare function resourceStringMatchesResourceTypePattern(resourceString: string, resourcePattern: string): boolean;
|
|
9
|
+
/**
|
|
10
|
+
* Get the the possible resource types for an action and resource
|
|
11
|
+
*
|
|
12
|
+
* @param service the service the action belongs to
|
|
13
|
+
* @param action the action to get the resource type for
|
|
14
|
+
* @param resource the resource type matching the action, if any
|
|
15
|
+
* @throws an error if the service or action does not exist, or if the action is a wildcard only action
|
|
16
|
+
*/
|
|
17
|
+
export declare function getResourceTypesForAction(service: string, action: string, resource: string): Promise<ResourceType[]>;
|
|
18
|
+
//# sourceMappingURL=resourceTypes.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"resourceTypes.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/resourceTypes.ts"],"names":[],"mappings":"AAAA,OAAO,EAA4C,YAAY,EAAE,MAAM,yBAAyB,CAAA;AAGhG;;;;;GAKG;AACH,wBAAgB,wCAAwC,CACtD,cAAc,EAAE,MAAM,EACtB,eAAe,EAAE,MAAM,GACtB,OAAO,CA2GT;AAqCD;;;;;;;GAOG;AACH,wBAAsB,yBAAyB,CAC7C,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,YAAY,EAAE,CAAC,CAkBzB"}
|
|
@@ -0,0 +1,141 @@
|
|
|
1
|
+
import { iamActionDetails, iamResourceTypeDetails } from '@cloud-copilot/iam-data';
|
|
2
|
+
import { convertResourcePatternToRegex, splitArnParts } from '../util.js';
|
|
3
|
+
/**
|
|
4
|
+
* Checks to see if a resource string ARN matches a resource pattern from the Service Authorization Reference
|
|
5
|
+
*
|
|
6
|
+
* @param resourceString
|
|
7
|
+
* @param resourcePattern
|
|
8
|
+
*/
|
|
9
|
+
export function resourceStringMatchesResourceTypePattern(resourceString, resourcePattern) {
|
|
10
|
+
if (resourceString === '*') {
|
|
11
|
+
return true;
|
|
12
|
+
}
|
|
13
|
+
const resourceParts = splitArnParts(resourceString);
|
|
14
|
+
const patternParts = splitArnParts(resourcePattern);
|
|
15
|
+
if (!resourceComponentMatchesResourceTypeComponent(resourceParts.partition, patternParts.partition)) {
|
|
16
|
+
return false;
|
|
17
|
+
}
|
|
18
|
+
if (!resourceComponentMatchesResourceTypeComponent(resourceParts.service, patternParts.service)) {
|
|
19
|
+
return false;
|
|
20
|
+
}
|
|
21
|
+
if (!resourceComponentMatchesResourceTypeComponent(resourceParts.region, patternParts.region)) {
|
|
22
|
+
return false;
|
|
23
|
+
}
|
|
24
|
+
if (!resourceComponentMatchesResourceTypeComponent(resourceParts.accountId, patternParts.accountId)) {
|
|
25
|
+
return false;
|
|
26
|
+
}
|
|
27
|
+
const [resourceResourcePartsSegments, resourceResourceParts] = splitResourceTypeComponent(resourceParts.resource);
|
|
28
|
+
const [patternResourcePartsSegments, patternResourceParts] = splitResourceTypeComponent(patternParts.resource);
|
|
29
|
+
// If there are more segments in the resource than the pattern, it cannot match,
|
|
30
|
+
// unless the final pattern component is a variable (e.g. ${ObjectName}) which
|
|
31
|
+
// can span multiple segments (like S3 object keys with slashes).
|
|
32
|
+
if (resourceResourcePartsSegments > patternResourcePartsSegments) {
|
|
33
|
+
const lastPatternComponent = patternResourceParts.at(-1);
|
|
34
|
+
if (!isResourceTypeVariable(lastPatternComponent) || patternResourcePartsSegments === 1) {
|
|
35
|
+
return false;
|
|
36
|
+
}
|
|
37
|
+
}
|
|
38
|
+
// If there are fewer segments with contents in the resource than the pattern, and the last segment of the resource
|
|
39
|
+
// does not end with a wildcard, it cannot match
|
|
40
|
+
if (resourceResourceParts.length < patternResourceParts.length &&
|
|
41
|
+
!resourceResourceParts.at(-1)?.endsWith('*')) {
|
|
42
|
+
return false;
|
|
43
|
+
}
|
|
44
|
+
const compareLen = Math.min(resourceResourceParts.length, patternResourceParts.length);
|
|
45
|
+
for (let i = 0; i < compareLen; i++) {
|
|
46
|
+
const resourceComponent = resourceResourceParts[i];
|
|
47
|
+
const isLastPattern = i === patternResourceParts.length - 1;
|
|
48
|
+
const patternComponent = patternResourceParts[i];
|
|
49
|
+
if (!patternComponent) {
|
|
50
|
+
return false;
|
|
51
|
+
}
|
|
52
|
+
if (isResourceTypeVariable(patternComponent)) {
|
|
53
|
+
if (isLastPattern &&
|
|
54
|
+
resourceResourcePartsSegments > patternResourcePartsSegments &&
|
|
55
|
+
patternResourcePartsSegments > 1) {
|
|
56
|
+
// Variable at the end can absorb additional segments.
|
|
57
|
+
return true;
|
|
58
|
+
}
|
|
59
|
+
if (isLastPattern && resourceComponent?.endsWith('*')) {
|
|
60
|
+
// If the resource component ends with a wildcard, it matches everything after
|
|
61
|
+
break;
|
|
62
|
+
}
|
|
63
|
+
// These match anything, move along.
|
|
64
|
+
continue;
|
|
65
|
+
}
|
|
66
|
+
if (!resourceComponent) {
|
|
67
|
+
return false;
|
|
68
|
+
}
|
|
69
|
+
const resourceComponentPattern = '^' + resourceComponent.replace(/\?/g, '.').replace(/\*/g, '.*?') + '$';
|
|
70
|
+
const regex = new RegExp(resourceComponentPattern);
|
|
71
|
+
const match = patternComponent.match(regex);
|
|
72
|
+
if (match) {
|
|
73
|
+
if (isLastPattern && resourceComponent.endsWith('*')) {
|
|
74
|
+
// If the resource component ends with a wildcard, it matches everything after
|
|
75
|
+
break;
|
|
76
|
+
}
|
|
77
|
+
continue;
|
|
78
|
+
}
|
|
79
|
+
else {
|
|
80
|
+
return false;
|
|
81
|
+
}
|
|
82
|
+
}
|
|
83
|
+
/*
|
|
84
|
+
Matching resource types.
|
|
85
|
+
If the pattern has a slash or colon in the resource portion, those need to exist in the pattern.
|
|
86
|
+
If the pattern ends with a wildcard, that matches everything.
|
|
87
|
+
*/
|
|
88
|
+
return true;
|
|
89
|
+
}
|
|
90
|
+
function splitResourceTypeComponent(component) {
|
|
91
|
+
const parts = component?.split(/[:/]/) ?? [];
|
|
92
|
+
return [parts.length, parts.filter((p) => p && p !== '')];
|
|
93
|
+
}
|
|
94
|
+
function resourceComponentMatchesResourceTypeComponent(resourceComponent, resourceTypeComponent) {
|
|
95
|
+
if (resourceTypeComponent === '*' || resourceTypeComponent === resourceComponent) {
|
|
96
|
+
return true;
|
|
97
|
+
}
|
|
98
|
+
if (!resourceComponent || !resourceTypeComponent) {
|
|
99
|
+
return false;
|
|
100
|
+
}
|
|
101
|
+
if (isResourceTypeVariable(resourceTypeComponent)) {
|
|
102
|
+
// If the entire component is a single variable, it matches anything
|
|
103
|
+
return true;
|
|
104
|
+
}
|
|
105
|
+
const pattern = convertResourcePatternToRegex(resourceTypeComponent);
|
|
106
|
+
const regex = new RegExp(pattern);
|
|
107
|
+
const match = resourceComponent.match(regex);
|
|
108
|
+
return !!match;
|
|
109
|
+
}
|
|
110
|
+
function isResourceTypeVariable(component) {
|
|
111
|
+
if (!component) {
|
|
112
|
+
return false;
|
|
113
|
+
}
|
|
114
|
+
return component.match(/^\$\{[0-9a-zA-Z]+\}$/) !== null;
|
|
115
|
+
}
|
|
116
|
+
/**
|
|
117
|
+
* Get the the possible resource types for an action and resource
|
|
118
|
+
*
|
|
119
|
+
* @param service the service the action belongs to
|
|
120
|
+
* @param action the action to get the resource type for
|
|
121
|
+
* @param resource the resource type matching the action, if any
|
|
122
|
+
* @throws an error if the service or action does not exist, or if the action is a wildcard only action
|
|
123
|
+
*/
|
|
124
|
+
export async function getResourceTypesForAction(service, action, resource) {
|
|
125
|
+
const actionDetails = await iamActionDetails(service, action);
|
|
126
|
+
if (actionDetails.resourceTypes.length === 0) {
|
|
127
|
+
throw new Error(`${service}:${action} does not have any resource types`);
|
|
128
|
+
}
|
|
129
|
+
const matchingResourceTypes = [];
|
|
130
|
+
for (const rt of actionDetails.resourceTypes) {
|
|
131
|
+
const resourceType = await iamResourceTypeDetails(service, rt.name);
|
|
132
|
+
// const pattern = convertResourcePatternToRegex(resourceType.arn)
|
|
133
|
+
// const match = resource.match(new RegExp(pattern))
|
|
134
|
+
const match = resourceStringMatchesResourceTypePattern(resource, resourceType.arn);
|
|
135
|
+
if (match) {
|
|
136
|
+
matchingResourceTypes.push(resourceType);
|
|
137
|
+
}
|
|
138
|
+
}
|
|
139
|
+
return matchingResourceTypes;
|
|
140
|
+
}
|
|
141
|
+
//# sourceMappingURL=resourceTypes.js.map
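Review bot: The regular expression built on new line 69 of `resourceStringMatchesResourceTypePattern` interpolates `resourceComponent` without escaping regex metacharacters; only `?` and `*` are translated. A resource segment containing `.`, `+` or `|` is then matched more loosely than IAM wildcard semantics allow, and one with an unbalanced `(` or `[` makes `new RegExp` throw a SyntaxError instead of returning false. Because this match decides which resource types a simulation is evaluated against, escape the literals before translating the wildcards: `const resourceComponentPattern = '^' + resourceComponent.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\?/g, '.').replace(/\*/g, '.*?') + '$';`. Whether `convertResourcePatternToRegex` (line 105, imported from `../util.js` and not shown here) escapes its input should be confirmed as well.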
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"resourceTypes.js","sourceRoot":"","sources":["../../../src/simulation_engine/resourceTypes.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,sBAAsB,EAAgB,MAAM,yBAAyB,CAAA;AAChG,OAAO,EAAE,6BAA6B,EAAE,aAAa,EAAE,MAAM,YAAY,CAAA;AAEzE;;;;;GAKG;AACH,MAAM,UAAU,wCAAwC,CACtD,cAAsB,EACtB,eAAuB;IAEvB,IAAI,cAAc,KAAK,GAAG,EAAE,CAAC;QAC3B,OAAO,IAAI,CAAA;IACb,CAAC;IAED,MAAM,aAAa,GAAG,aAAa,CAAC,cAAc,CAAC,CAAA;IACnD,MAAM,YAAY,GAAG,aAAa,CAAC,eAAe,CAAC,CAAA;IAEnD,IACE,CAAC,6CAA6C,CAAC,aAAa,CAAC,SAAS,EAAE,YAAY,CAAC,SAAS,CAAC,EAC/F,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAED,IAAI,CAAC,6CAA6C,CAAC,aAAa,CAAC,OAAO,EAAE,YAAY,CAAC,OAAO,CAAC,EAAE,CAAC;QAChG,OAAO,KAAK,CAAA;IACd,CAAC;IAED,IAAI,CAAC,6CAA6C,CAAC,aAAa,CAAC,MAAM,EAAE,YAAY,CAAC,MAAM,CAAC,EAAE,CAAC;QAC9F,OAAO,KAAK,CAAA;IACd,CAAC;IAED,IACE,CAAC,6CAA6C,CAAC,aAAa,CAAC,SAAS,EAAE,YAAY,CAAC,SAAS,CAAC,EAC/F,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAED,MAAM,CAAC,6BAA6B,EAAE,qBAAqB,CAAC,GAAG,0BAA0B,CACvF,aAAa,CAAC,QAAQ,CACvB,CAAA;IACD,MAAM,CAAC,4BAA4B,EAAE,oBAAoB,CAAC,GAAG,0BAA0B,CACrF,YAAY,CAAC,QAAQ,CACtB,CAAA;IAED,gFAAgF;IAChF,8EAA8E;IAC9E,iEAAiE;IACjE,IAAI,6BAA6B,GAAG,4BAA4B,EAAE,CAAC;QACjE,MAAM,oBAAoB,GAAG,oBAAoB,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAA;QACxD,IAAI,CAAC,sBAAsB,CAAC,oBAAoB,CAAC,IAAI,4BAA4B,KAAK,CAAC,EAAE,CAAC;YACxF,OAAO,KAAK,CAAA;QACd,CAAC;IACH,CAAC;IAED,mHAAmH;IACnH,gDAAgD;IAChD,IACE,qBAAqB,CAAC,MAAM,GAAG,oBAAoB,CAAC,MAAM;QAC1D,CAAC,qBAAqB,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,GAAG,CAAC,EAC5C,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,qBAAqB,CAAC,MAAM,EAAE,oBAAoB,CAAC,MAAM,CAAC,CAAA;IACtF,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,UAAU,EAAE,CAAC,EAAE,EAAE,CAAC;QACpC,MAAM,iBAAiB,GAAG,qBAAqB,CAAC,CAAC,CAAC,CAAA;QAClD,MAAM,aAAa,GAAG,CAAC,KAAK,oBAAoB,CAAC,MAAM,GAAG,CAAC,CAAA;QAC3D,MAAM,gBAAgB,GAAG,oBAAoB,CAAC,CAAC,CAAC,CAAA;QAEhD,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACtB,OAAO,KAAK,CAAA;QACd,CAAC;QAED,IAAI,sBAAsB,CAAC,gBAAgB,CAAC,EAAE,CAAC;YAC7C,IACE,aAAa;gBACb,6BAA6B,GAAG,4BAA4B;gBAC5D,4BA
A4B,GAAG,CAAC,EAChC,CAAC;gBACD,sDAAsD;gBACtD,OAAO,IAAI,CAAA;YACb,CAAC;YACD,IAAI,aAAa,IAAI,iBAAiB,EAAE,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtD,8EAA8E;gBAC9E,MAAK;YACP,CAAC;YAED,oCAAoC;YACpC,SAAQ;QACV,CAAC;QAED,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACvB,OAAO,KAAK,CAAA;QACd,CAAC;QAED,MAAM,wBAAwB,GAC5B,GAAG,GAAG,iBAAiB,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,GAAG,CAAA;QACzE,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,wBAAwB,CAAC,CAAA;QAClD,MAAM,KAAK,GAAG,gBAAgB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;QAC3C,IAAI,KAAK,EAAE,CAAC;YACV,IAAI,aAAa,IAAI,iBAAiB,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBACrD,8EAA8E;gBAC9E,MAAK;YACP,CAAC;YACD,SAAQ;QACV,CAAC;aAAM,CAAC;YACN,OAAO,KAAK,CAAA;QACd,CAAC;IACH,CAAC;IACD;;;;MAIE;IAEF,OAAO,IAAI,CAAA;AACb,CAAC;AAED,SAAS,0BAA0B,CAAC,SAA6B;IAC/D,MAAM,KAAK,GAAG,SAAS,EAAE,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAA;IAC5C,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAA;AAC3D,CAAC;AAED,SAAS,6CAA6C,CACpD,iBAAqC,EACrC,qBAAyC;IAEzC,IAAI,qBAAqB,KAAK,GAAG,IAAI,qBAAqB,KAAK,iBAAiB,EAAE,CAAC;QACjF,OAAO,IAAI,CAAA;IACb,CAAC;IAED,IAAI,CAAC,iBAAiB,IAAI,CAAC,qBAAqB,EAAE,CAAC;QACjD,OAAO,KAAK,CAAA;IACd,CAAC;IAED,IAAI,sBAAsB,CAAC,qBAAqB,CAAC,EAAE,CAAC;QAClD,oEAAoE;QACpE,OAAO,IAAI,CAAA;IACb,CAAC;IAED,MAAM,OAAO,GAAG,6BAA6B,CAAC,qBAAqB,CAAC,CAAA;IACpE,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,CAAA;IACjC,MAAM,KAAK,GAAG,iBAAiB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;IAC5C,OAAO,CAAC,CAAC,KAAK,CAAA;AAChB,CAAC;AAED,SAAS,sBAAsB,CAAC,SAA6B;IAC3D,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,KAAK,CAAA;IACd,CAAC;IACD,OAAO,SAAS,CAAC,KAAK,CAAC,sBAAsB,CAAC,KAAK,IAAI,CAAA;AACzD,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,OAAe,EACf,MAAc,EACd,QAAgB;IAEhB,MAAM,aAAa,GAAG,MAAM,gBAAgB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;IAC7D,IAAI,aAAa,CAAC,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7C,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,IAAI,MAAM,mCAAmC,CAAC,CAAA;IAC1E,CAAC;IAED,MAAM,qBAAqB,GAAmB,EAAE,CAAA;IAChD,KAAK,MAAM,EAAE,IAAI,aAAa,CAAC,aAAa,EAAE,CAAC;QAC7C,MAAM,YAAY,GAA
G,MAAM,sBAAsB,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,CAAA;QACnE,kEAAkE;QAClE,oDAAoD;QACpD,MAAM,KAAK,GAAG,wCAAwC,CAAC,QAAQ,EAAE,YAAY,CAAC,GAAG,CAAC,CAAA;QAClF,IAAI,KAAK,EAAE,CAAC;YACV,qBAAqB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAA;QAC1C,CAAC;IACH,CAAC;IAED,OAAO,qBAAqB,CAAA;AAC9B,CAAC"}
|
|
@@ -1,5 +1,6 @@
|
|
|
1
|
+
import { ResourceType } from '@cloud-copilot/iam-data';
|
|
1
2
|
import { ValidationError } from '@cloud-copilot/iam-policy';
|
|
2
|
-
import { RequestAnalysis } from '../evaluate.js';
|
|
3
|
+
import { EvaluationResult, RequestAnalysis } from '../evaluate.js';
|
|
3
4
|
import { Simulation } from './simulation.js';
|
|
4
5
|
import { SimulationOptions } from './simulationOptions.js';
|
|
5
6
|
export interface SimulationErrors {
|
|
@@ -12,16 +13,11 @@ export interface SimulationErrors {
|
|
|
12
13
|
vpcEndpointErrors?: Record<string, ValidationError[]>;
|
|
13
14
|
message: string;
|
|
14
15
|
}
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
*
|
|
21
|
-
* Will only be present if the request passes validation to reach the policy
|
|
22
|
-
* evaluation stage and the action is not a wildcard-only action.
|
|
23
|
-
*/
|
|
24
|
-
resourceType?: string;
|
|
16
|
+
/**
|
|
17
|
+
* Result of evaluating a single resource simulation, containing the analysis and any ignored context keys.
|
|
18
|
+
*/
|
|
19
|
+
export interface SimulationResourceResult {
|
|
20
|
+
analysis: RequestAnalysis;
|
|
25
21
|
/**
|
|
26
22
|
* Any context keys provided in the request that were filtered out before
|
|
27
23
|
* policy evaluation because they do not apply to the action/resource type.
|
|
@@ -33,15 +29,97 @@ export interface SimulationResult {
|
|
|
33
29
|
*/
|
|
34
30
|
ignoredContextKeys?: string[];
|
|
35
31
|
}
|
|
32
|
+
/**
|
|
33
|
+
* Extended simulation resource result that includes resource type and pattern information
|
|
34
|
+
* for wildcard resource simulations.
|
|
35
|
+
*/
|
|
36
|
+
export interface WildcardSimulationResourceResult extends SimulationResourceResult {
|
|
37
|
+
/**
|
|
38
|
+
* The resource type that was used for the simulation, if applicable.
|
|
39
|
+
*
|
|
40
|
+
* Will only be present if the request passes validation to reach the policy
|
|
41
|
+
* evaluation stage and the action is not a wildcard-only action.
|
|
42
|
+
*/
|
|
43
|
+
resourceType: string;
|
|
44
|
+
/**
|
|
45
|
+
* The resource pattern that was used for the simulation, if applicable. If a wildcard
|
|
46
|
+
* resource was provided and multiple simulations were run, this will indicate the
|
|
47
|
+
* specific resource string that was simulated.
|
|
48
|
+
*/
|
|
49
|
+
resourcePattern: string;
|
|
50
|
+
}
|
|
51
|
+
/**
|
|
52
|
+
* Simulation result indicating that errors prevented the simulation from running.
|
|
53
|
+
*/
|
|
54
|
+
export interface ErrorSimulationResult {
|
|
55
|
+
resultType: 'error';
|
|
56
|
+
/**
|
|
57
|
+
* Errors in the simulation input that prevented the simulation from being run.
|
|
58
|
+
*/
|
|
59
|
+
errors: SimulationErrors;
|
|
60
|
+
}
|
|
61
|
+
/**
|
|
62
|
+
* Simulation result for a single resource (non-wildcard) evaluation.
|
|
63
|
+
*/
|
|
64
|
+
export interface SingleResourceSimulationResult {
|
|
65
|
+
/**
|
|
66
|
+
* A single resource simulation result.
|
|
67
|
+
*/
|
|
68
|
+
resultType: 'single';
|
|
69
|
+
/**
|
|
70
|
+
* The overall result of the one simulation that was run.
|
|
71
|
+
*/
|
|
72
|
+
overallResult: EvaluationResult;
|
|
73
|
+
/**
|
|
74
|
+
* The detailed result of the simulation that was run and the request analysis
|
|
75
|
+
*/
|
|
76
|
+
result: SimulationResourceResult;
|
|
77
|
+
}
|
|
78
|
+
/**
|
|
79
|
+
* Simulation results for wildcard resource evaluations, containing multiple individual results.
|
|
80
|
+
*/
|
|
81
|
+
export interface WildcardResourceSimulationResults {
|
|
82
|
+
/**
|
|
83
|
+
* Whether a wildcard was detected in the resource ARN of the request and the
|
|
84
|
+
* simulation was not a wildcard-only action, which can cause multiple simulations to be run.
|
|
85
|
+
*/
|
|
86
|
+
resultType: 'wildcard';
|
|
87
|
+
/**
|
|
88
|
+
* The overall result of the simulation, calculated based on the results of individual simulations if
|
|
89
|
+
* multiple were run.
|
|
90
|
+
*/
|
|
91
|
+
overallResult: EvaluationResult;
|
|
92
|
+
/**
|
|
93
|
+
* The results of the simulation or simulations that were run.
|
|
94
|
+
* If it is a wildcard only action or the resource ARN contains no wildcards, this will contain a single result.
|
|
95
|
+
* If the resource ARN contains a wildcard and the action is not a wildcard-only action, this may contain no
|
|
96
|
+
* results, or one result for each matching pattern found in the provided identity and resource policies.
|
|
97
|
+
*/
|
|
98
|
+
results: WildcardSimulationResourceResult[];
|
|
99
|
+
}
|
|
100
|
+
/**
|
|
101
|
+
* The result of running a simulation.
|
|
102
|
+
* Can be an error, a single result, or a wildcard result.
|
|
103
|
+
* Discriminated by the `resultType` field.
|
|
104
|
+
*/
|
|
105
|
+
export type RunSimulationResults = ErrorSimulationResult | SingleResourceSimulationResult | WildcardResourceSimulationResults;
|
|
106
|
+
/**
|
|
107
|
+
* Union type representing successful simulation results (excluding error cases).
|
|
108
|
+
*/
|
|
109
|
+
export type SuccessfulRunSimulationResults = SingleResourceSimulationResult | WildcardResourceSimulationResults;
|
|
110
|
+
/**
|
|
111
|
+
* Discriminant type for the different kinds of simulation results.
|
|
112
|
+
*/
|
|
113
|
+
export type SimulationResultType = RunSimulationResults['resultType'];
|
|
36
114
|
/**
|
|
37
115
|
* Run a simulation with validation
|
|
38
116
|
*
|
|
39
117
|
* @param simulation The simulation to run
|
|
40
118
|
* @param simulationOptions Options for the simulation
|
|
41
|
-
* @returns
|
|
119
|
+
* @returns The results of the simulation, or errors if the simulation could not be run
|
|
42
120
|
*/
|
|
43
|
-
export declare function runSimulation(simulation: Simulation, simulationOptions: Partial<SimulationOptions>): Promise<
|
|
44
|
-
export declare function normalizeSimulationParameters(simulation: Simulation): Promise<{
|
|
121
|
+
export declare function runSimulation(simulation: Simulation, simulationOptions: Partial<SimulationOptions>): Promise<RunSimulationResults>;
|
|
122
|
+
export declare function normalizeSimulationParameters(simulation: Simulation, suggestedResourceType: ResourceType | undefined): Promise<{
|
|
45
123
|
validContextValues: Record<string, string | string[]>;
|
|
46
124
|
ignoredContextKeys: string[];
|
|
47
125
|
}>;
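Review bot: The JSDoc on `WildcardSimulationResourceResult` (new lines 37-49) no longer matches the types. It says `resourceType` "will only be present if the request passes validation" and calls both fields "if applicable", yet `resourceType` and `resourcePattern` are declared as required `string` properties. The comment on `resultType: 'wildcard'` (lines 82-85) also reads as the description of a boolean flag rather than of the discriminant. Consumers branch on `resultType` and read `overallResult` based on these comments, so they should state the contract directly, e.g. `/** The resource type this simulation was run against. */` and `/** Discriminant: the request resource contained a wildcard and the action is not wildcard-only. */`, fixed in the `simulationEngine.ts` source these declarations are generated from.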
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"simulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"simulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":"AAAA,OAAO,EAAqC,YAAY,EAAE,MAAM,yBAAyB,CAAA;AACzF,OAAO,EAOL,eAAe,EAChB,MAAM,2BAA2B,CAAA;AAYlC,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAA;AAQlE,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAA;AAC5C,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAiB1D,MAAM,WAAW,gBAAgB;IAC/B,mBAAmB,CAAC,EAAE,eAAe,EAAE,CAAA;IACvC,oBAAoB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAA;IACxD,0BAA0B,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAA;IAC9D,2BAA2B,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAA;IAC/D,wBAAwB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAA;IAC5D,oBAAoB,CAAC,EAAE,eAAe,EAAE,CAAA;IACxC,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAA;IACrD,OAAO,EAAE,MAAM,CAAA;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,QAAQ,EAAE,eAAe,CAAA;IAEzB;;;;;;;;OAQG;IACH,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAA;CAC9B;AAED;;;GAGG;AACH,MAAM,WAAW,gCAAiC,SAAQ,wBAAwB;IAChF;;;;;OAKG;IACH,YAAY,EAAE,MAAM,CAAA;IAEpB;;;;OAIG;IACH,eAAe,EAAE,MAAM,CAAA;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,UAAU,EAAE,OAAO,CAAA;IAEnB;;OAEG;IACH,MAAM,EAAE,gBAAgB,CAAA;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,8BAA8B;IAC7C;;OAEG;IACH,UAAU,EAAE,QAAQ,CAAA;IAEpB;;OAEG;IACH,aAAa,EAAE,gBAAgB,CAAA;IAE/B;;OAEG;IACH,MAAM,EAAE,wBAAwB,CAAA;CACjC;AAED;;GAEG;AACH,MAAM,WAAW,iCAAiC;IAChD;;;OAGG;IACH,UAAU,EAAE,UAAU,CAAA;IAEtB;;;OAGG;IACH,aAAa,EAAE,gBAAgB,CAAA;IAE/B;;;;;OAKG;IACH,OAAO,EAAE,gCAAgC,EAAE,CAAA;CAC5C;AAED;;;;GAIG;AACH,MAAM,MAAM,oBAAoB,GAC5B,qBAAqB,GACrB,8BAA8B,GAC9B,iCAAiC,CAAA;AAErC;;GAEG;AACH,MAAM,MAAM,8BAA8B,GACtC,8BAA8B,GAC9B,iCAAiC,CAAA;AAErC;;GAEG;AACH,MAAM,MAAM,oBAAoB,GAAG,oBAAoB,CAAC,YAAY,CAAC,CAAA;AAErE;;;;;;GAMG;AACH,wBAAsB,aAAa,CACjC,UAAU,EAAE,UAAU,EACtB,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAC5C,OAAO,CAAC,oBAAoB,CAAC,CA0T/B;AAED,wBAAsB,6BAA6B,CACjD,UAAU,EAAE,UAAU,EACtB,qBAAqB,EAAE,YAAY,GAAG,SAAS,GAC9C,OAAO,CAAC;IACT,kBAAkB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAA;IACrD,k
BAAkB,EAAE,MAAM,EAAE,CAAA;CAC7B,CAAC,CA0CD"}
|