@cloud-copilot/iam-simulate 0.1.108 → 0.1.110
- package/dist/cjs/analysis/analyzeResults.d.ts +31 -3
- package/dist/cjs/analysis/analyzeResults.d.ts.map +1 -1
- package/dist/cjs/analysis/analyzeResults.js +46 -5
- package/dist/cjs/analysis/analyzeResults.js.map +1 -1
- package/dist/cjs/index.d.ts +1 -1
- package/dist/cjs/index.d.ts.map +1 -1
- package/dist/cjs/index.js +2 -1
- package/dist/cjs/index.js.map +1 -1
- package/dist/esm/analysis/analyzeResults.d.ts +31 -3
- package/dist/esm/analysis/analyzeResults.d.ts.map +1 -1
- package/dist/esm/analysis/analyzeResults.js +45 -5
- package/dist/esm/analysis/analyzeResults.js.map +1 -1
- package/dist/esm/index.d.ts +1 -1
- package/dist/esm/index.d.ts.map +1 -1
- package/dist/esm/index.js +1 -1
- package/dist/esm/index.js.map +1 -1
- package/package.json +3 -3
|
@@ -40,14 +40,30 @@ export type RequestDenial = {
|
|
|
40
40
|
*/
|
|
41
41
|
policyIdentifier?: string;
|
|
42
42
|
/**
|
|
43
|
-
* The statement ID (
|
|
43
|
+
* The statement ID (Sid) of the denying policy statement, if present. This corresponds
|
|
44
|
+
* to the Sid field in the AWS IAM policy statement and may be absent if the statement
|
|
45
|
+
* does not define a Sid.
|
|
44
46
|
*/
|
|
45
|
-
statementId
|
|
47
|
+
statementId?: string | undefined;
|
|
48
|
+
/**
|
|
49
|
+
* The 1-based index of the denying statement within the policy, if applicable. This is useful when the statement does not have a Sid.
|
|
50
|
+
*/
|
|
51
|
+
statementIndex: number;
|
|
46
52
|
/**
|
|
47
53
|
* The type of denial.
|
|
48
54
|
*/
|
|
49
55
|
denialType: 'Explicit';
|
|
50
56
|
};
|
|
57
|
+
export type RequestGrant = {
|
|
58
|
+
policyType: 'identity';
|
|
59
|
+
policyIdentifier: string;
|
|
60
|
+
statementId?: string | undefined;
|
|
61
|
+
statementIndex: number;
|
|
62
|
+
} | {
|
|
63
|
+
policyType: 'resource';
|
|
64
|
+
statementId?: string | undefined;
|
|
65
|
+
statementIndex: number;
|
|
66
|
+
};
|
|
51
67
|
/**
|
|
52
68
|
* Find the policy statements that caused a request to be denied.
|
|
53
69
|
* Analyzes the RequestAnalysis and returns the specific reasons why the request was denied.
|
|
@@ -59,10 +75,22 @@ export type RequestDenial = {
|
|
|
59
75
|
* For an explicit denial, it returns:
|
|
60
76
|
* - the policy type (identity, resource, scp, rcp, permission boundary, endpoint policy)
|
|
61
77
|
* - the policy identifier, if applicable for a managed policy or an SCP
|
|
62
|
-
* - the statement ID (
|
|
78
|
+
* - the statement ID (Sid), if the denying statement has one
|
|
79
|
+
* - the statement index (1-based) of the denying statement
|
|
63
80
|
*
|
|
64
81
|
* @param requestAnalysis the request analysis
|
|
65
82
|
* @returns a list of RequestDenial objects describing the reasons for denial
|
|
66
83
|
*/
|
|
67
84
|
export declare function getDenialReasons(requestAnalysis: RequestAnalysis): RequestDenial[];
|
|
85
|
+
/**
|
|
86
|
+
* Find the policy statements that granted access for an allowed request.
|
|
87
|
+
* Analyzes the RequestAnalysis and returns the specific grants that allowed the request.
|
|
88
|
+
*
|
|
89
|
+
* Only identity and resource policies can grant access. SCPs, RCPs, permission boundaries,
|
|
90
|
+
* and endpoint policies can only deny (not grant).
|
|
91
|
+
*
|
|
92
|
+
* @param requestAnalysis the request analysis
|
|
93
|
+
* @returns a list of RequestGrant objects describing which policies granted access
|
|
94
|
+
*/
|
|
95
|
+
export declare function getGrantReasons(requestAnalysis: RequestAnalysis): RequestGrant[];
|
|
68
96
|
//# sourceMappingURL=analyzeResults.d.ts.map
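Review bot: The identity variant of `RequestGrant` declares `policyIdentifier: string` as required, while `RequestDenial` in the same file keeps `policyIdentifier?: string` and documents the identifier as applicable only for a managed policy or an SCP. Both appear to be filled from `stmt.policyId` in the implementation, so if that value can be missing for some identity policies, the declaration promises a string that callers attributing access will not actually receive; `policyIdentifier?: string;` would match the denial type. `RequestGrant` also has no field comments, and the new `statementIndex` comment says "if applicable" although the field is required; a one-line comment per field such as `/** The 1-based index of the granting statement within its policy. */` would settle both. The ESM copy of this declaration file carries the same text, and the `RequestDenial` type starts outside the hunk.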
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"analyzeResults.d.ts","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,aAAa,EAIlB,KAAK,eAAe,EAGrB,MAAM,gBAAgB,CAAA;AAEvB;;;;;GAKG;AACH,wBAAgB,2BAA2B,CAAC,eAAe,EAAE,eAAe,GAAG,OAAO,CAOrF;AAED,MAAM,MAAM,gBAAgB,GAAG,aAAa,CAAA;AAE5C,MAAM,MAAM,aAAa,GACrB;IACE;;OAEG;IACH,UAAU,EAAE,gBAAgB,CAAA;IAE5B;;OAEG;IACH,QAAQ,CAAC,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IAEnB;;OAEG;IACH,UAAU,EAAE,UAAU,CAAA;CACvB,GACD;IACE;;OAEG;IACH,UAAU,EAAE,gBAAgB,CAAA;IAE5B;;OAEG;IACH,QAAQ,CAAC,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAA;IAEzB;;OAEG;IACH,
|
|
1
|
+
{"version":3,"file":"analyzeResults.d.ts","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,aAAa,EAIlB,KAAK,eAAe,EAGrB,MAAM,gBAAgB,CAAA;AAEvB;;;;;GAKG;AACH,wBAAgB,2BAA2B,CAAC,eAAe,EAAE,eAAe,GAAG,OAAO,CAOrF;AAED,MAAM,MAAM,gBAAgB,GAAG,aAAa,CAAA;AAE5C,MAAM,MAAM,aAAa,GACrB;IACE;;OAEG;IACH,UAAU,EAAE,gBAAgB,CAAA;IAE5B;;OAEG;IACH,QAAQ,CAAC,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IAEnB;;OAEG;IACH,UAAU,EAAE,UAAU,CAAA;CACvB,GACD;IACE;;OAEG;IACH,UAAU,EAAE,gBAAgB,CAAA;IAE5B;;OAEG;IACH,QAAQ,CAAC,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAA;IAEzB;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAEhC;;OAEG;IACH,cAAc,EAAE,MAAM,CAAA;IAEtB;;OAEG;IACH,UAAU,EAAE,UAAU,CAAA;CACvB,CAAA;AAEL,MAAM,MAAM,YAAY,GACpB;IACE,UAAU,EAAE,UAAU,CAAA;IACtB,gBAAgB,EAAE,MAAM,CAAA;IACxB,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAChC,cAAc,EAAE,MAAM,CAAA;CACvB,GACD;IACE,UAAU,EAAE,UAAU,CAAA;IACtB,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAChC,cAAc,EAAE,MAAM,CAAA;CACvB,CAAA;AAEL;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,gBAAgB,CAAC,eAAe,EAAE,eAAe,GAAG,aAAa,EAAE,CAqClF;AA+FD;;;;;;;;;GASG;AACH,wBAAgB,eAAe,CAAC,eAAe,EAAE,eAAe,GAAG,YAAY,EAAE,CAgChF"}
|
|
@@ -2,6 +2,7 @@
|
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
3
|
exports.isAllowedByIdentityPolicies = isAllowedByIdentityPolicies;
|
|
4
4
|
exports.getDenialReasons = getDenialReasons;
|
|
5
|
+
exports.getGrantReasons = getGrantReasons;
|
|
5
6
|
/**
|
|
6
7
|
* Analyze a RequestAnalysis to see if the request was allowed by identity policies.
|
|
7
8
|
*
|
|
@@ -26,7 +27,8 @@ function isAllowedByIdentityPolicies(requestAnalysis) {
|
|
|
26
27
|
* For an explicit denial, it returns:
|
|
27
28
|
* - the policy type (identity, resource, scp, rcp, permission boundary, endpoint policy)
|
|
28
29
|
* - the policy identifier, if applicable for a managed policy or an SCP
|
|
29
|
-
* - the statement ID (
|
|
30
|
+
* - the statement ID (Sid), if the denying statement has one
|
|
31
|
+
* - the statement index (1-based) of the denying statement
|
|
30
32
|
*
|
|
31
33
|
* @param requestAnalysis the request analysis
|
|
32
34
|
* @returns a list of RequestDenial objects describing the reasons for denial
|
|
@@ -67,7 +69,8 @@ function addSimplePolicyDenials(analysis, policyType, overallResult, blockedBy,
|
|
|
67
69
|
policyType,
|
|
68
70
|
...blocking,
|
|
69
71
|
policyIdentifier: stmt.policyId,
|
|
70
|
-
statementId: stmt.statement.sid()
|
|
72
|
+
statementId: stmt.statement.sid(),
|
|
73
|
+
statementIndex: stmt.statement.index(),
|
|
71
74
|
denialType: 'Explicit'
|
|
72
75
|
});
|
|
73
76
|
}
|
|
@@ -103,13 +106,51 @@ function addOuPolicyDenials(analysis, policyType, overallResult, blockedBy, deni
|
|
|
103
106
|
denials.push({
|
|
104
107
|
policyType,
|
|
105
108
|
policyIdentifier: stmt.policyId,
|
|
106
|
-
statementId: stmt.statement.sid()
|
|
107
|
-
|
|
108
|
-
...blocking
|
|
109
|
+
statementId: stmt.statement.sid(),
|
|
110
|
+
statementIndex: stmt.statement.index(),
|
|
111
|
+
...blocking,
|
|
112
|
+
denialType: 'Explicit'
|
|
109
113
|
});
|
|
110
114
|
}
|
|
111
115
|
}
|
|
112
116
|
}
|
|
113
117
|
}
|
|
114
118
|
}
|
|
119
|
+
/**
|
|
120
|
+
* Find the policy statements that granted access for an allowed request.
|
|
121
|
+
* Analyzes the RequestAnalysis and returns the specific grants that allowed the request.
|
|
122
|
+
*
|
|
123
|
+
* Only identity and resource policies can grant access. SCPs, RCPs, permission boundaries,
|
|
124
|
+
* and endpoint policies can only deny (not grant).
|
|
125
|
+
*
|
|
126
|
+
* @param requestAnalysis the request analysis
|
|
127
|
+
* @returns a list of RequestGrant objects describing which policies granted access
|
|
128
|
+
*/
|
|
129
|
+
function getGrantReasons(requestAnalysis) {
|
|
130
|
+
if (requestAnalysis.result !== 'Allowed') {
|
|
131
|
+
return [];
|
|
132
|
+
}
|
|
133
|
+
const grantDetails = [];
|
|
134
|
+
if (requestAnalysis.identityAnalysis?.result === 'Allowed') {
|
|
135
|
+
for (const stmt of requestAnalysis.identityAnalysis.allowStatements) {
|
|
136
|
+
grantDetails.push({
|
|
137
|
+
policyType: 'identity',
|
|
138
|
+
policyIdentifier: stmt.policyId,
|
|
139
|
+
statementId: stmt.statement.sid(),
|
|
140
|
+
statementIndex: stmt.statement.index()
|
|
141
|
+
});
|
|
142
|
+
}
|
|
143
|
+
}
|
|
144
|
+
if (requestAnalysis.resourceAnalysis?.result === 'Allowed' ||
|
|
145
|
+
requestAnalysis.resourceAnalysis?.result === 'AllowedForAccount') {
|
|
146
|
+
for (const stmt of requestAnalysis.resourceAnalysis.allowStatements) {
|
|
147
|
+
grantDetails.push({
|
|
148
|
+
policyType: 'resource',
|
|
149
|
+
statementId: stmt.statement.sid(),
|
|
150
|
+
statementIndex: stmt.statement.index()
|
|
151
|
+
});
|
|
152
|
+
}
|
|
153
|
+
}
|
|
154
|
+
return grantDetails;
|
|
155
|
+
}
|
|
115
156
|
//# sourceMappingURL=analyzeResults.js.map
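Review bot: In `getGrantReasons`, resource-policy statements are pushed with the same shape whether `resourceAnalysis.result` is `'Allowed'` or `'AllowedForAccount'`, so a caller cannot tell from the returned grants which outcome produced them. If `'AllowedForAccount'` means the resource policy allowed the account rather than the principal directly (inferred from the name, not visible here), an access review reading this output could treat a delegation to the account as a direct grant. The function also returns every entry of `allowStatements` from both analyses without saying which were needed for the final `'Allowed'` result. The JSDoc should say so, for example `* Resource statements are returned for both 'Allowed' and 'AllowedForAccount' results; the grant does not record which.` The ESM build contains the same function, and since `dist` is generated the change belongs in `src/analysis/analyzeResults.ts`.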
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"analyzeResults.js","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":";;AAgBA,kEAOC;
|
|
1
|
+
{"version":3,"file":"analyzeResults.js","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":";;AAgBA,kEAOC;AA4FD,4CAqCC;AAyGD,0CAgCC;AAvRD;;;;;GAKG;AACH,SAAgB,2BAA2B,CAAC,eAAgC;IAC1E,MAAM,gBAAgB,GAAG,eAAe,CAAC,gBAAgB,CAAA;IACzD,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,OAAO,KAAK,CAAA;IACd,CAAC;IAED,OAAO,gBAAgB,CAAC,MAAM,KAAK,SAAS,CAAA;AAC9C,CAAC;AA2ED;;;;;;;;;;;;;;;;GAgBG;AACH,SAAgB,gBAAgB,CAAC,eAAgC;IAC/D,MAAM,OAAO,GAAoB,EAAE,CAAA;IACnC,MAAM,aAAa,GAAG,eAAe,CAAC,MAAM,CAAA;IAC5C,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,eAAe,CAAC,SAAS,IAAI,EAAE,CAAC,CAAA;IAE1D,sBAAsB,CACpB,eAAe,CAAC,gBAAgB,EAChC,UAAU,EACV,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IACD,sBAAsB,CACpB,eAAe,CAAC,gBAAgB,EAChC,UAAU,EACV,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IACD,kBAAkB,CAAC,eAAe,CAAC,WAAW,EAAE,KAAK,EAAE,aAAa,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;IACzF,kBAAkB,CAAC,eAAe,CAAC,WAAW,EAAE,KAAK,EAAE,aAAa,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;IACzF,sBAAsB,CACpB,eAAe,CAAC,0BAA0B,EAC1C,IAAI,EACJ,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IACD,sBAAsB,CACpB,eAAe,CAAC,gBAAgB,EAChC,MAAM,EACN,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IAED,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;;GAGG;AACH,SAAS,sBAAsB,CAC7B,QAAyD,EACzD,UAA4B,EAC5B,aAA+B,EAC/B,SAA6B,EAC7B,OAAwB;IAExB,IAAI,CAAC,QAAQ;QAAE,OAAM;IAErB,MAAM,UAAU,GAAG,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;IAC5C,MAAM,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;IAE9D,IACE,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,OAAO,CAAC,IAAI,CAAC;YACX,UAAU;YACV,UAAU,EAAE,UAAU;YACtB,GAAG,QAAQ;SACZ,CAAC,CAAA;IACJ,CAAC;SAAM,IACL,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,cAAc,EAAE,CAAC;YAC3C,OAAO,CAAC,IAAI,CAAC;gBACX,UAAU;gBACV,GAAG,QAAQ;gBACX,gBAAgB,EAAE,IAAI,CAAC,QAAQ;gBAC/B,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE;gBACjC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;gBACtC,UAAU,EAAE,UAAU;aACvB,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,kBAAkB,CACzB,
QAA+C,EAC/C,UAA4B,EAC5B,aAA+B,EAC/B,SAA6B,EAC7B,OAAwB;IAExB,IAAI,CAAC,QAAQ;QAAE,OAAM;IAErB,MAAM,UAAU,GAAG,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;IAC5C,MAAM,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;IAE9D,IACE,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,KAAK,MAAM,EAAE,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;YACrC,IAAI,EAAE,CAAC,MAAM,KAAK,kBAAkB,EAAE,CAAC;gBACrC,OAAO,CAAC,IAAI,CAAC;oBACX,UAAU;oBACV,UAAU,EAAE,EAAE,CAAC,aAAa;oBAC5B,UAAU,EAAE,UAAU;oBACtB,GAAG,QAAQ;iBACZ,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;IACH,CAAC;SAAM,IACL,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,KAAK,MAAM,EAAE,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;YACrC,IAAI,EAAE,CAAC,MAAM,KAAK,kBAAkB,EAAE,CAAC;gBACrC,KAAK,MAAM,IAAI,IAAI,EAAE,CAAC,cAAc,EAAE,CAAC;oBACrC,OAAO,CAAC,IAAI,CAAC;wBACX,UAAU;wBACV,gBAAgB,EAAE,IAAI,CAAC,QAAQ;wBAC/B,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE;wBACjC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;wBACtC,GAAG,QAAQ;wBACX,UAAU,EAAE,UAAU;qBACvB,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,eAAe,CAAC,eAAgC;IAC9D,IAAI,eAAe,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QACzC,OAAO,EAAE,CAAA;IACX,CAAC;IAED,MAAM,YAAY,GAAmB,EAAE,CAAA;IAEvC,IAAI,eAAe,CAAC,gBAAgB,EAAE,MAAM,KAAK,SAAS,EAAE,CAAC;QAC3D,KAAK,MAAM,IAAI,IAAI,eAAe,CAAC,gBAAgB,CAAC,eAAe,EAAE,CAAC;YACpE,YAAY,CAAC,IAAI,CAAC;gBAChB,UAAU,EAAE,UAAU;gBACtB,gBAAgB,EAAE,IAAI,CAAC,QAAQ;gBAC/B,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE;gBACjC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;aACvC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,IACE,eAAe,CAAC,gBAAgB,EAAE,MAAM,KAAK,SAAS;QACtD,eAAe,CAAC,gBAAgB,EAAE,MAAM,KAAK,mBAAmB,EAChE,CAAC;QACD,KAAK,MAAM,IAAI,IAAI,eAAe,CAAC,gBAAgB,CAAC,eAAe,EAAE,CAAC;YACpE,YAAY,CAAC,IAAI,CAAC;gBAChB,UAAU,EAAE,UAAU;gBACtB,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE;gBACjC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;aACvC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,OAAO,YAAY,CAAA;AACrB,CAAC"}
|
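--- a/package/dist/cjs/index.d.ts
+++ b/package/dist/cjs/index.d.ts
@@ -1,4 +1,4 @@
-export { getDenialReasons, type DenialPolicyType, type RequestDenial } from './analysis/analyzeResults.js';
+export { getDenialReasons, getGrantReasons, type DenialPolicyType, type RequestGrant, type RequestDenial } from './analysis/analyzeResults.js';
 export { typeForContextKey } from './context_keys/contextKeys.js';
 export { isConditionKeyArray, type BaseConditionKeyType, type ConditionKeyType } from './context_keys/contextKeyTypes.js';
 export { findContextKeys } from './context_keys/findContextKeys.js';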
package/dist/cjs/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAChB,KAAK,gBAAgB,EACrB,KAAK,aAAa,EACnB,MAAM,8BAA8B,CAAA;AACrC,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAA;AACjE,OAAO,EACL,mBAAmB,EACnB,KAAK,oBAAoB,EACzB,KAAK,gBAAgB,EACtB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAA;AACnE,YAAY,EAAE,cAAc,EAAE,MAAM,sCAAsC,CAAA;AAC1E,YAAY,EACV,aAAa,EACb,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,eAAe,EAChB,MAAM,eAAe,CAAA;AACtB,YAAY,EACV,aAAa,EACb,gBAAgB,EAChB,qBAAqB,EACrB,qBAAqB,EACrB,gBAAgB,EAChB,eAAe,EACf,gBAAgB,EACjB,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAA;AACjF,YAAY,EACV,UAAU,EACV,wBAAwB,EACxB,qBAAqB,EACtB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAA;AACvE,YAAY,EACV,qBAAqB,EACrB,oBAAoB,EACpB,gBAAgB,EAChB,wBAAwB,EACxB,oBAAoB,EACpB,8BAA8B,EAC9B,8BAA8B,EAC9B,iCAAiC,EACjC,gCAAgC,EACjC,MAAM,yCAAyC,CAAA;AAChD,YAAY,EAAE,iBAAiB,EAAE,MAAM,0CAA0C,CAAA;AACjF,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAA;AACnF,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAA"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAChB,eAAe,EACf,KAAK,gBAAgB,EACrB,KAAK,YAAY,EACjB,KAAK,aAAa,EACnB,MAAM,8BAA8B,CAAA;AACrC,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAA;AACjE,OAAO,EACL,mBAAmB,EACnB,KAAK,oBAAoB,EACzB,KAAK,gBAAgB,EACtB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAA;AACnE,YAAY,EAAE,cAAc,EAAE,MAAM,sCAAsC,CAAA;AAC1E,YAAY,EACV,aAAa,EACb,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,eAAe,EAChB,MAAM,eAAe,CAAA;AACtB,YAAY,EACV,aAAa,EACb,gBAAgB,EAChB,qBAAqB,EACrB,qBAAqB,EACrB,gBAAgB,EAChB,eAAe,EACf,gBAAgB,EACjB,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAA;AACjF,YAAY,EACV,UAAU,EACV,wBAAwB,EACxB,qBAAqB,EACtB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAA;AACvE,YAAY,EACV,qBAAqB,EACrB,oBAAoB,EACpB,gBAAgB,EAChB,wBAAwB,EACxB,oBAAoB,EACpB,8BAA8B,EAC9B,8BAA8B,EAC9B,iCAAiC,EACjC,gCAAgC,EACjC,MAAM,yCAAyC,CAAA;AAChD,YAAY,EAAE,iBAAiB,EAAE,MAAM,0CAA0C,CAAA;AACjF,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAA;AACnF,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAA"}
|
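--- a/package/dist/cjs/index.js
+++ b/package/dist/cjs/index.js
@@ -1,8 +1,9 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.isWildcardOnlyAction = exports.runUnsafeSimulation = exports.runSimulation = exports.allowedContextKeysForRequest = exports.findContextKeys = exports.isConditionKeyArray = exports.typeForContextKey = exports.getDenialReasons = void 0;
+exports.isWildcardOnlyAction = exports.runUnsafeSimulation = exports.runSimulation = exports.allowedContextKeysForRequest = exports.findContextKeys = exports.isConditionKeyArray = exports.typeForContextKey = exports.getGrantReasons = exports.getDenialReasons = void 0;
 var analyzeResults_js_1 = require("./analysis/analyzeResults.js");
 Object.defineProperty(exports, "getDenialReasons", { enumerable: true, get: function () { return analyzeResults_js_1.getDenialReasons; } });
+Object.defineProperty(exports, "getGrantReasons", { enumerable: true, get: function () { return analyzeResults_js_1.getGrantReasons; } });
 var contextKeys_js_1 = require("./context_keys/contextKeys.js");
 Object.defineProperty(exports, "typeForContextKey", { enumerable: true, get: function () { return contextKeys_js_1.typeForContextKey; } });
 var contextKeyTypes_js_1 = require("./context_keys/contextKeyTypes.js");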
package/dist/cjs/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,kEAMqC;AALnC,qHAAA,gBAAgB,OAAA;AAChB,oHAAA,eAAe,OAAA;AAKjB,gEAAiE;AAAxD,mHAAA,iBAAiB,OAAA;AAC1B,wEAI0C;AAHxC,yHAAA,mBAAmB,OAAA;AAIrB,wEAAmE;AAA1D,qHAAA,eAAe,OAAA;AAkBxB,qEAAiF;AAAxE,8HAAA,4BAA4B,OAAA;AAMrC,+EAAuE;AAA9D,oHAAA,aAAa,OAAA;AAatB,2FAAmF;AAA1E,gIAAA,mBAAmB,OAAA;AAC5B,qCAAgD;AAAvC,+GAAA,oBAAoB,OAAA"}
|
|
@@ -40,14 +40,30 @@ export type RequestDenial = {
|
|
|
40
40
|
*/
|
|
41
41
|
policyIdentifier?: string;
|
|
42
42
|
/**
|
|
43
|
-
* The statement ID (
|
|
43
|
+
* The statement ID (Sid) of the denying policy statement, if present. This corresponds
|
|
44
|
+
* to the Sid field in the AWS IAM policy statement and may be absent if the statement
|
|
45
|
+
* does not define a Sid.
|
|
44
46
|
*/
|
|
45
|
-
statementId
|
|
47
|
+
statementId?: string | undefined;
|
|
48
|
+
/**
|
|
49
|
+
* The 1-based index of the denying statement within the policy, if applicable. This is useful when the statement does not have a Sid.
|
|
50
|
+
*/
|
|
51
|
+
statementIndex: number;
|
|
46
52
|
/**
|
|
47
53
|
* The type of denial.
|
|
48
54
|
*/
|
|
49
55
|
denialType: 'Explicit';
|
|
50
56
|
};
|
|
57
|
+
export type RequestGrant = {
|
|
58
|
+
policyType: 'identity';
|
|
59
|
+
policyIdentifier: string;
|
|
60
|
+
statementId?: string | undefined;
|
|
61
|
+
statementIndex: number;
|
|
62
|
+
} | {
|
|
63
|
+
policyType: 'resource';
|
|
64
|
+
statementId?: string | undefined;
|
|
65
|
+
statementIndex: number;
|
|
66
|
+
};
|
|
51
67
|
/**
|
|
52
68
|
* Find the policy statements that caused a request to be denied.
|
|
53
69
|
* Analyzes the RequestAnalysis and returns the specific reasons why the request was denied.
|
|
@@ -59,10 +75,22 @@ export type RequestDenial = {
|
|
|
59
75
|
* For an explicit denial, it returns:
|
|
60
76
|
* - the policy type (identity, resource, scp, rcp, permission boundary, endpoint policy)
|
|
61
77
|
* - the policy identifier, if applicable for a managed policy or an SCP
|
|
62
|
-
* - the statement ID (
|
|
78
|
+
* - the statement ID (Sid), if the denying statement has one
|
|
79
|
+
* - the statement index (1-based) of the denying statement
|
|
63
80
|
*
|
|
64
81
|
* @param requestAnalysis the request analysis
|
|
65
82
|
* @returns a list of RequestDenial objects describing the reasons for denial
|
|
66
83
|
*/
|
|
67
84
|
export declare function getDenialReasons(requestAnalysis: RequestAnalysis): RequestDenial[];
|
|
85
|
+
/**
|
|
86
|
+
* Find the policy statements that granted access for an allowed request.
|
|
87
|
+
* Analyzes the RequestAnalysis and returns the specific grants that allowed the request.
|
|
88
|
+
*
|
|
89
|
+
* Only identity and resource policies can grant access. SCPs, RCPs, permission boundaries,
|
|
90
|
+
* and endpoint policies can only deny (not grant).
|
|
91
|
+
*
|
|
92
|
+
* @param requestAnalysis the request analysis
|
|
93
|
+
* @returns a list of RequestGrant objects describing which policies granted access
|
|
94
|
+
*/
|
|
95
|
+
export declare function getGrantReasons(requestAnalysis: RequestAnalysis): RequestGrant[];
|
|
68
96
|
//# sourceMappingURL=analyzeResults.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"analyzeResults.d.ts","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,aAAa,EAIlB,KAAK,eAAe,EAGrB,MAAM,gBAAgB,CAAA;AAEvB;;;;;GAKG;AACH,wBAAgB,2BAA2B,CAAC,eAAe,EAAE,eAAe,GAAG,OAAO,CAOrF;AAED,MAAM,MAAM,gBAAgB,GAAG,aAAa,CAAA;AAE5C,MAAM,MAAM,aAAa,GACrB;IACE;;OAEG;IACH,UAAU,EAAE,gBAAgB,CAAA;IAE5B;;OAEG;IACH,QAAQ,CAAC,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IAEnB;;OAEG;IACH,UAAU,EAAE,UAAU,CAAA;CACvB,GACD;IACE;;OAEG;IACH,UAAU,EAAE,gBAAgB,CAAA;IAE5B;;OAEG;IACH,QAAQ,CAAC,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAA;IAEzB;;OAEG;IACH,
|
|
1
|
+
{"version":3,"file":"analyzeResults.d.ts","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,aAAa,EAIlB,KAAK,eAAe,EAGrB,MAAM,gBAAgB,CAAA;AAEvB;;;;;GAKG;AACH,wBAAgB,2BAA2B,CAAC,eAAe,EAAE,eAAe,GAAG,OAAO,CAOrF;AAED,MAAM,MAAM,gBAAgB,GAAG,aAAa,CAAA;AAE5C,MAAM,MAAM,aAAa,GACrB;IACE;;OAEG;IACH,UAAU,EAAE,gBAAgB,CAAA;IAE5B;;OAEG;IACH,QAAQ,CAAC,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IAEnB;;OAEG;IACH,UAAU,EAAE,UAAU,CAAA;CACvB,GACD;IACE;;OAEG;IACH,UAAU,EAAE,gBAAgB,CAAA;IAE5B;;OAEG;IACH,QAAQ,CAAC,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAA;IAEzB;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAEhC;;OAEG;IACH,cAAc,EAAE,MAAM,CAAA;IAEtB;;OAEG;IACH,UAAU,EAAE,UAAU,CAAA;CACvB,CAAA;AAEL,MAAM,MAAM,YAAY,GACpB;IACE,UAAU,EAAE,UAAU,CAAA;IACtB,gBAAgB,EAAE,MAAM,CAAA;IACxB,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAChC,cAAc,EAAE,MAAM,CAAA;CACvB,GACD;IACE,UAAU,EAAE,UAAU,CAAA;IACtB,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAChC,cAAc,EAAE,MAAM,CAAA;CACvB,CAAA;AAEL;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,gBAAgB,CAAC,eAAe,EAAE,eAAe,GAAG,aAAa,EAAE,CAqClF;AA+FD;;;;;;;;;GASG;AACH,wBAAgB,eAAe,CAAC,eAAe,EAAE,eAAe,GAAG,YAAY,EAAE,CAgChF"}
|
|
@@ -23,7 +23,8 @@ export function isAllowedByIdentityPolicies(requestAnalysis) {
|
|
|
23
23
|
* For an explicit denial, it returns:
|
|
24
24
|
* - the policy type (identity, resource, scp, rcp, permission boundary, endpoint policy)
|
|
25
25
|
* - the policy identifier, if applicable for a managed policy or an SCP
|
|
26
|
-
* - the statement ID (
|
|
26
|
+
* - the statement ID (Sid), if the denying statement has one
|
|
27
|
+
* - the statement index (1-based) of the denying statement
|
|
27
28
|
*
|
|
28
29
|
* @param requestAnalysis the request analysis
|
|
29
30
|
* @returns a list of RequestDenial objects describing the reasons for denial
|
|
@@ -64,7 +65,8 @@ function addSimplePolicyDenials(analysis, policyType, overallResult, blockedBy,
|
|
|
64
65
|
policyType,
|
|
65
66
|
...blocking,
|
|
66
67
|
policyIdentifier: stmt.policyId,
|
|
67
|
-
statementId: stmt.statement.sid()
|
|
68
|
+
statementId: stmt.statement.sid(),
|
|
69
|
+
statementIndex: stmt.statement.index(),
|
|
68
70
|
denialType: 'Explicit'
|
|
69
71
|
});
|
|
70
72
|
}
|
|
@@ -100,13 +102,51 @@ function addOuPolicyDenials(analysis, policyType, overallResult, blockedBy, deni
|
|
|
100
102
|
denials.push({
|
|
101
103
|
policyType,
|
|
102
104
|
policyIdentifier: stmt.policyId,
|
|
103
|
-
statementId: stmt.statement.sid()
|
|
104
|
-
|
|
105
|
-
...blocking
|
|
105
|
+
statementId: stmt.statement.sid(),
|
|
106
|
+
statementIndex: stmt.statement.index(),
|
|
107
|
+
...blocking,
|
|
108
|
+
denialType: 'Explicit'
|
|
106
109
|
});
|
|
107
110
|
}
|
|
108
111
|
}
|
|
109
112
|
}
|
|
110
113
|
}
|
|
111
114
|
}
|
|
115
|
+
/**
|
|
116
|
+
* Find the policy statements that granted access for an allowed request.
|
|
117
|
+
* Analyzes the RequestAnalysis and returns the specific grants that allowed the request.
|
|
118
|
+
*
|
|
119
|
+
* Only identity and resource policies can grant access. SCPs, RCPs, permission boundaries,
|
|
120
|
+
* and endpoint policies can only deny (not grant).
|
|
121
|
+
*
|
|
122
|
+
* @param requestAnalysis the request analysis
|
|
123
|
+
* @returns a list of RequestGrant objects describing which policies granted access
|
|
124
|
+
*/
|
|
125
|
+
export function getGrantReasons(requestAnalysis) {
|
|
126
|
+
if (requestAnalysis.result !== 'Allowed') {
|
|
127
|
+
return [];
|
|
128
|
+
}
|
|
129
|
+
const grantDetails = [];
|
|
130
|
+
if (requestAnalysis.identityAnalysis?.result === 'Allowed') {
|
|
131
|
+
for (const stmt of requestAnalysis.identityAnalysis.allowStatements) {
|
|
132
|
+
grantDetails.push({
|
|
133
|
+
policyType: 'identity',
|
|
134
|
+
policyIdentifier: stmt.policyId,
|
|
135
|
+
statementId: stmt.statement.sid(),
|
|
136
|
+
statementIndex: stmt.statement.index()
|
|
137
|
+
});
|
|
138
|
+
}
|
|
139
|
+
}
|
|
140
|
+
if (requestAnalysis.resourceAnalysis?.result === 'Allowed' ||
|
|
141
|
+
requestAnalysis.resourceAnalysis?.result === 'AllowedForAccount') {
|
|
142
|
+
for (const stmt of requestAnalysis.resourceAnalysis.allowStatements) {
|
|
143
|
+
grantDetails.push({
|
|
144
|
+
policyType: 'resource',
|
|
145
|
+
statementId: stmt.statement.sid(),
|
|
146
|
+
statementIndex: stmt.statement.index()
|
|
147
|
+
});
|
|
148
|
+
}
|
|
149
|
+
}
|
|
150
|
+
return grantDetails;
|
|
151
|
+
}
|
|
112
152
|
//# sourceMappingURL=analyzeResults.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"analyzeResults.js","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":"AAAA,OAAO,EAQN,MAAM,gBAAgB,CAAA;AAEvB;;;;;GAKG;AACH,MAAM,UAAU,2BAA2B,CAAC,eAAgC;IAC1E,MAAM,gBAAgB,GAAG,eAAe,CAAC,gBAAgB,CAAA;IACzD,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,OAAO,KAAK,CAAA;IACd,CAAC;IAED,OAAO,gBAAgB,CAAC,MAAM,KAAK,SAAS,CAAA;AAC9C,CAAC;
|
|
1
|
+
{"version":3,"file":"analyzeResults.js","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":"AAAA,OAAO,EAQN,MAAM,gBAAgB,CAAA;AAEvB;;;;;GAKG;AACH,MAAM,UAAU,2BAA2B,CAAC,eAAgC;IAC1E,MAAM,gBAAgB,GAAG,eAAe,CAAC,gBAAgB,CAAA;IACzD,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,OAAO,KAAK,CAAA;IACd,CAAC;IAED,OAAO,gBAAgB,CAAC,MAAM,KAAK,SAAS,CAAA;AAC9C,CAAC;AA2ED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,gBAAgB,CAAC,eAAgC;IAC/D,MAAM,OAAO,GAAoB,EAAE,CAAA;IACnC,MAAM,aAAa,GAAG,eAAe,CAAC,MAAM,CAAA;IAC5C,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,eAAe,CAAC,SAAS,IAAI,EAAE,CAAC,CAAA;IAE1D,sBAAsB,CACpB,eAAe,CAAC,gBAAgB,EAChC,UAAU,EACV,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IACD,sBAAsB,CACpB,eAAe,CAAC,gBAAgB,EAChC,UAAU,EACV,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IACD,kBAAkB,CAAC,eAAe,CAAC,WAAW,EAAE,KAAK,EAAE,aAAa,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;IACzF,kBAAkB,CAAC,eAAe,CAAC,WAAW,EAAE,KAAK,EAAE,aAAa,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;IACzF,sBAAsB,CACpB,eAAe,CAAC,0BAA0B,EAC1C,IAAI,EACJ,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IACD,sBAAsB,CACpB,eAAe,CAAC,gBAAgB,EAChC,MAAM,EACN,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IAED,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;;GAGG;AACH,SAAS,sBAAsB,CAC7B,QAAyD,EACzD,UAA4B,EAC5B,aAA+B,EAC/B,SAA6B,EAC7B,OAAwB;IAExB,IAAI,CAAC,QAAQ;QAAE,OAAM;IAErB,MAAM,UAAU,GAAG,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;IAC5C,MAAM,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;IAE9D,IACE,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,OAAO,CAAC,IAAI,CAAC;YACX,UAAU;YACV,UAAU,EAAE,UAAU;YACtB,GAAG,QAAQ;SACZ,CAAC,CAAA;IACJ,CAAC;SAAM,IACL,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,cAAc,EAAE,CAAC;YAC3C,OAAO,CAAC,IAAI,CAAC;gBACX,UAAU;gBACV,GAAG,QAAQ;gBACX,gBAAgB,EAAE,IAAI,CAAC,QAAQ;gBAC/B,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE;gBACjC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;gBACtC,UAAU,EAAE,UAAU;aACvB,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,kBAAkB,CACzB,
QAA+C,EAC/C,UAA4B,EAC5B,aAA+B,EAC/B,SAA6B,EAC7B,OAAwB;IAExB,IAAI,CAAC,QAAQ;QAAE,OAAM;IAErB,MAAM,UAAU,GAAG,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;IAC5C,MAAM,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;IAE9D,IACE,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,KAAK,MAAM,EAAE,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;YACrC,IAAI,EAAE,CAAC,MAAM,KAAK,kBAAkB,EAAE,CAAC;gBACrC,OAAO,CAAC,IAAI,CAAC;oBACX,UAAU;oBACV,UAAU,EAAE,EAAE,CAAC,aAAa;oBAC5B,UAAU,EAAE,UAAU;oBACtB,GAAG,QAAQ;iBACZ,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;IACH,CAAC;SAAM,IACL,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,KAAK,MAAM,EAAE,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;YACrC,IAAI,EAAE,CAAC,MAAM,KAAK,kBAAkB,EAAE,CAAC;gBACrC,KAAK,MAAM,IAAI,IAAI,EAAE,CAAC,cAAc,EAAE,CAAC;oBACrC,OAAO,CAAC,IAAI,CAAC;wBACX,UAAU;wBACV,gBAAgB,EAAE,IAAI,CAAC,QAAQ;wBAC/B,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE;wBACjC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;wBACtC,GAAG,QAAQ;wBACX,UAAU,EAAE,UAAU;qBACvB,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,eAAe,CAAC,eAAgC;IAC9D,IAAI,eAAe,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QACzC,OAAO,EAAE,CAAA;IACX,CAAC;IAED,MAAM,YAAY,GAAmB,EAAE,CAAA;IAEvC,IAAI,eAAe,CAAC,gBAAgB,EAAE,MAAM,KAAK,SAAS,EAAE,CAAC;QAC3D,KAAK,MAAM,IAAI,IAAI,eAAe,CAAC,gBAAgB,CAAC,eAAe,EAAE,CAAC;YACpE,YAAY,CAAC,IAAI,CAAC;gBAChB,UAAU,EAAE,UAAU;gBACtB,gBAAgB,EAAE,IAAI,CAAC,QAAQ;gBAC/B,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE;gBACjC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;aACvC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,IACE,eAAe,CAAC,gBAAgB,EAAE,MAAM,KAAK,SAAS;QACtD,eAAe,CAAC,gBAAgB,EAAE,MAAM,KAAK,mBAAmB,EAChE,CAAC;QACD,KAAK,MAAM,IAAI,IAAI,eAAe,CAAC,gBAAgB,CAAC,eAAe,EAAE,CAAC;YACpE,YAAY,CAAC,IAAI,CAAC;gBAChB,UAAU,EAAE,UAAU;gBACtB,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE;gBACjC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;aACvC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,OAAO,YAAY,CAAA;AACrB,CAAC"}
|
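--- a/package/dist/esm/index.d.ts
+++ b/package/dist/esm/index.d.ts
@@ -1,4 +1,4 @@
-export { getDenialReasons, type DenialPolicyType, type RequestDenial } from './analysis/analyzeResults.js';
+export { getDenialReasons, getGrantReasons, type DenialPolicyType, type RequestGrant, type RequestDenial } from './analysis/analyzeResults.js';
 export { typeForContextKey } from './context_keys/contextKeys.js';
 export { isConditionKeyArray, type BaseConditionKeyType, type ConditionKeyType } from './context_keys/contextKeyTypes.js';
 export { findContextKeys } from './context_keys/findContextKeys.js';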
package/dist/esm/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAChB,KAAK,gBAAgB,EACrB,KAAK,aAAa,EACnB,MAAM,8BAA8B,CAAA;AACrC,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAA;AACjE,OAAO,EACL,mBAAmB,EACnB,KAAK,oBAAoB,EACzB,KAAK,gBAAgB,EACtB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAA;AACnE,YAAY,EAAE,cAAc,EAAE,MAAM,sCAAsC,CAAA;AAC1E,YAAY,EACV,aAAa,EACb,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,eAAe,EAChB,MAAM,eAAe,CAAA;AACtB,YAAY,EACV,aAAa,EACb,gBAAgB,EAChB,qBAAqB,EACrB,qBAAqB,EACrB,gBAAgB,EAChB,eAAe,EACf,gBAAgB,EACjB,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAA;AACjF,YAAY,EACV,UAAU,EACV,wBAAwB,EACxB,qBAAqB,EACtB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAA;AACvE,YAAY,EACV,qBAAqB,EACrB,oBAAoB,EACpB,gBAAgB,EAChB,wBAAwB,EACxB,oBAAoB,EACpB,8BAA8B,EAC9B,8BAA8B,EAC9B,iCAAiC,EACjC,gCAAgC,EACjC,MAAM,yCAAyC,CAAA;AAChD,YAAY,EAAE,iBAAiB,EAAE,MAAM,0CAA0C,CAAA;AACjF,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAA;AACnF,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAA"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAChB,eAAe,EACf,KAAK,gBAAgB,EACrB,KAAK,YAAY,EACjB,KAAK,aAAa,EACnB,MAAM,8BAA8B,CAAA;AACrC,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAA;AACjE,OAAO,EACL,mBAAmB,EACnB,KAAK,oBAAoB,EACzB,KAAK,gBAAgB,EACtB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAA;AACnE,YAAY,EAAE,cAAc,EAAE,MAAM,sCAAsC,CAAA;AAC1E,YAAY,EACV,aAAa,EACb,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,eAAe,EAChB,MAAM,eAAe,CAAA;AACtB,YAAY,EACV,aAAa,EACb,gBAAgB,EAChB,qBAAqB,EACrB,qBAAqB,EACrB,gBAAgB,EAChB,eAAe,EACf,gBAAgB,EACjB,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAA;AACjF,YAAY,EACV,UAAU,EACV,wBAAwB,EACxB,qBAAqB,EACtB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAA;AACvE,YAAY,EACV,qBAAqB,EACrB,oBAAoB,EACpB,gBAAgB,EAChB,wBAAwB,EACxB,oBAAoB,EACpB,8BAA8B,EAC9B,8BAA8B,EAC9B,iCAAiC,EACjC,gCAAgC,EACjC,MAAM,yCAAyC,CAAA;AAChD,YAAY,EAAE,iBAAiB,EAAE,MAAM,0CAA0C,CAAA;AACjF,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAA;AACnF,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAA"}
|
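--- a/package/dist/esm/index.js
+++ b/package/dist/esm/index.js
@@ -1,4 +1,4 @@
-export { getDenialReasons } from './analysis/analyzeResults.js';
+export { getDenialReasons, getGrantReasons } from './analysis/analyzeResults.js';
 export { typeForContextKey } from './context_keys/contextKeys.js';
 export { isConditionKeyArray } from './context_keys/contextKeyTypes.js';
 export { findContextKeys } from './context_keys/findContextKeys.js';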
package/dist/esm/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAChB,eAAe,EAIhB,MAAM,8BAA8B,CAAA;AACrC,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAA;AACjE,OAAO,EACL,mBAAmB,EAGpB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAA;AAkBnE,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAA;AAMjF,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAA;AAavE,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAA;AACnF,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAA"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@cloud-copilot/iam-simulate",
|
|
3
|
-
"version": "0.1.
|
|
3
|
+
"version": "0.1.110",
|
|
4
4
|
"description": "Simulate evaluation of AWS IAM policies",
|
|
5
5
|
"repository": {
|
|
6
6
|
"type": "git",
|
|
@@ -43,10 +43,10 @@
|
|
|
43
43
|
"@semantic-release/npm": "^13.1.4",
|
|
44
44
|
"@semantic-release/release-notes-generator": "^14.0.3",
|
|
45
45
|
"@types/node": "^22.5.0",
|
|
46
|
-
"@vitest/coverage-v8": "^
|
|
46
|
+
"@vitest/coverage-v8": "^4.0.18",
|
|
47
47
|
"semantic-release": "^25.0.3",
|
|
48
48
|
"typescript": "^5.5.4",
|
|
49
|
-
"vitest": "^
|
|
49
|
+
"vitest": "^4.0.18"
|
|
50
50
|
},
|
|
51
51
|
"dependencies": {
|
|
52
52
|
"@cloud-copilot/iam-data": ">=0.15.202511222 <1.0.0",
|