@cloud-copilot/iam-simulate 0.1.109 → 0.1.111
- package/dist/cjs/analysis/analyzeResults.d.ts +31 -3
- package/dist/cjs/analysis/analyzeResults.d.ts.map +1 -1
- package/dist/cjs/analysis/analyzeResults.js +50 -5
- package/dist/cjs/analysis/analyzeResults.js.map +1 -1
- package/dist/cjs/index.d.ts +1 -1
- package/dist/cjs/index.d.ts.map +1 -1
- package/dist/cjs/index.js +2 -1
- package/dist/cjs/index.js.map +1 -1
- package/dist/esm/analysis/analyzeResults.d.ts +31 -3
- package/dist/esm/analysis/analyzeResults.d.ts.map +1 -1
- package/dist/esm/analysis/analyzeResults.js +49 -5
- package/dist/esm/analysis/analyzeResults.js.map +1 -1
- package/dist/esm/index.d.ts +1 -1
- package/dist/esm/index.d.ts.map +1 -1
- package/dist/esm/index.js +1 -1
- package/dist/esm/index.js.map +1 -1
- package/package.json +1 -1
|
@@ -40,14 +40,30 @@ export type RequestDenial = {
|
|
|
40
40
|
*/
|
|
41
41
|
policyIdentifier?: string;
|
|
42
42
|
/**
|
|
43
|
-
* The statement ID (
|
|
43
|
+
* The statement ID (Sid) of the denying policy statement, if present. This corresponds
|
|
44
|
+
* to the Sid field in the AWS IAM policy statement and may be absent if the statement
|
|
45
|
+
* does not define a Sid.
|
|
44
46
|
*/
|
|
45
|
-
statementId
|
|
47
|
+
statementId?: string | undefined;
|
|
48
|
+
/**
|
|
49
|
+
* The 1-based index of the denying statement within the policy, if applicable. This is useful when the statement does not have a Sid.
|
|
50
|
+
*/
|
|
51
|
+
statementIndex: number;
|
|
46
52
|
/**
|
|
47
53
|
* The type of denial.
|
|
48
54
|
*/
|
|
49
55
|
denialType: 'Explicit';
|
|
50
56
|
};
|
|
57
|
+
export type RequestGrant = {
|
|
58
|
+
policyType: 'identity';
|
|
59
|
+
policyIdentifier: string;
|
|
60
|
+
statementId?: string | undefined;
|
|
61
|
+
statementIndex: number;
|
|
62
|
+
} | {
|
|
63
|
+
policyType: 'resource';
|
|
64
|
+
statementId?: string | undefined;
|
|
65
|
+
statementIndex: number;
|
|
66
|
+
};
|
|
51
67
|
/**
|
|
52
68
|
* Find the policy statements that caused a request to be denied.
|
|
53
69
|
* Analyzes the RequestAnalysis and returns the specific reasons why the request was denied.
|
|
@@ -59,10 +75,22 @@ export type RequestDenial = {
|
|
|
59
75
|
* For an explicit denial, it returns:
|
|
60
76
|
* - the policy type (identity, resource, scp, rcp, permission boundary, endpoint policy)
|
|
61
77
|
* - the policy identifier, if applicable for a managed policy or an SCP
|
|
62
|
-
* - the statement ID (
|
|
78
|
+
* - the statement ID (Sid), if the denying statement has one
|
|
79
|
+
* - the statement index (1-based) of the denying statement
|
|
63
80
|
*
|
|
64
81
|
* @param requestAnalysis the request analysis
|
|
65
82
|
* @returns a list of RequestDenial objects describing the reasons for denial
|
|
66
83
|
*/
|
|
67
84
|
export declare function getDenialReasons(requestAnalysis: RequestAnalysis): RequestDenial[];
|
|
85
|
+
/**
|
|
86
|
+
* Find the policy statements that granted access for an allowed request.
|
|
87
|
+
* Analyzes the RequestAnalysis and returns the specific grants that allowed the request.
|
|
88
|
+
*
|
|
89
|
+
* Only identity and resource policies can grant access. SCPs, RCPs, permission boundaries,
|
|
90
|
+
* and endpoint policies can only deny (not grant).
|
|
91
|
+
*
|
|
92
|
+
* @param requestAnalysis the request analysis
|
|
93
|
+
* @returns a list of RequestGrant objects describing which policies granted access
|
|
94
|
+
*/
|
|
95
|
+
export declare function getGrantReasons(requestAnalysis: RequestAnalysis): RequestGrant[];
|
|
68
96
|
//# sourceMappingURL=analyzeResults.d.ts.map
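Review bot: `RequestGrant` is exported with no field documentation, while every `RequestDenial` field beside it carries a doc comment, and the new `statementIndex` comment says "if applicable" although the field is declared required (`statementIndex: number`). The resource variant also has no `policyIdentifier`, so a consumer has to guess which policy a `statementIndex` refers to; a comment such as `/** Allow statement from the resource policy; no policy identifier is reported for it. */` on that variant would make that explicit. I would also shorten the denial comment to `* The 1-based index of the denying statement within the policy.` These declarations are emitted from `src/analysis/analyzeResults.ts` (named in the source map), so the comments belong there; the esm copy of this file repeats the same text.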
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"analyzeResults.d.ts","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,aAAa,EAIlB,KAAK,eAAe,EAGrB,MAAM,gBAAgB,CAAA;AAEvB;;;;;GAKG;AACH,wBAAgB,2BAA2B,CAAC,eAAe,EAAE,eAAe,GAAG,OAAO,CAOrF;AAED,MAAM,MAAM,gBAAgB,GAAG,aAAa,CAAA;AAE5C,MAAM,MAAM,aAAa,GACrB;IACE;;OAEG;IACH,UAAU,EAAE,gBAAgB,CAAA;IAE5B;;OAEG;IACH,QAAQ,CAAC,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IAEnB;;OAEG;IACH,UAAU,EAAE,UAAU,CAAA;CACvB,GACD;IACE;;OAEG;IACH,UAAU,EAAE,gBAAgB,CAAA;IAE5B;;OAEG;IACH,QAAQ,CAAC,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAA;IAEzB;;OAEG;IACH,
|
|
1
|
+
{"version":3,"file":"analyzeResults.d.ts","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,aAAa,EAIlB,KAAK,eAAe,EAGrB,MAAM,gBAAgB,CAAA;AAEvB;;;;;GAKG;AACH,wBAAgB,2BAA2B,CAAC,eAAe,EAAE,eAAe,GAAG,OAAO,CAOrF;AAED,MAAM,MAAM,gBAAgB,GAAG,aAAa,CAAA;AAE5C,MAAM,MAAM,aAAa,GACrB;IACE;;OAEG;IACH,UAAU,EAAE,gBAAgB,CAAA;IAE5B;;OAEG;IACH,QAAQ,CAAC,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IAEnB;;OAEG;IACH,UAAU,EAAE,UAAU,CAAA;CACvB,GACD;IACE;;OAEG;IACH,UAAU,EAAE,gBAAgB,CAAA;IAE5B;;OAEG;IACH,QAAQ,CAAC,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAA;IAEzB;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAEhC;;OAEG;IACH,cAAc,EAAE,MAAM,CAAA;IAEtB;;OAEG;IACH,UAAU,EAAE,UAAU,CAAA;CACvB,CAAA;AAEL,MAAM,MAAM,YAAY,GACpB;IACE,UAAU,EAAE,UAAU,CAAA;IACtB,gBAAgB,EAAE,MAAM,CAAA;IACxB,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAChC,cAAc,EAAE,MAAM,CAAA;CACvB,GACD;IACE,UAAU,EAAE,UAAU,CAAA;IACtB,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAChC,cAAc,EAAE,MAAM,CAAA;CACvB,CAAA;AAEL;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,gBAAgB,CAAC,eAAe,EAAE,eAAe,GAAG,aAAa,EAAE,CAqClF;AAiGD;;;;;;;;;GASG;AACH,wBAAgB,eAAe,CAAC,eAAe,EAAE,eAAe,GAAG,YAAY,EAAE,CAkChF"}
|
|
@@ -2,6 +2,7 @@
|
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
3
|
exports.isAllowedByIdentityPolicies = isAllowedByIdentityPolicies;
|
|
4
4
|
exports.getDenialReasons = getDenialReasons;
|
|
5
|
+
exports.getGrantReasons = getGrantReasons;
|
|
5
6
|
/**
|
|
6
7
|
* Analyze a RequestAnalysis to see if the request was allowed by identity policies.
|
|
7
8
|
*
|
|
@@ -26,7 +27,8 @@ function isAllowedByIdentityPolicies(requestAnalysis) {
|
|
|
26
27
|
* For an explicit denial, it returns:
|
|
27
28
|
* - the policy type (identity, resource, scp, rcp, permission boundary, endpoint policy)
|
|
28
29
|
* - the policy identifier, if applicable for a managed policy or an SCP
|
|
29
|
-
* - the statement ID (
|
|
30
|
+
* - the statement ID (Sid), if the denying statement has one
|
|
31
|
+
* - the statement index (1-based) of the denying statement
|
|
30
32
|
*
|
|
31
33
|
* @param requestAnalysis the request analysis
|
|
32
34
|
* @returns a list of RequestDenial objects describing the reasons for denial
|
|
@@ -63,11 +65,13 @@ function addSimplePolicyDenials(analysis, policyType, overallResult, blockedBy,
|
|
|
63
65
|
else if (analysis.result === 'ExplicitlyDenied' &&
|
|
64
66
|
(isBlocking || overallResult === 'ExplicitlyDenied')) {
|
|
65
67
|
for (const stmt of analysis.denyStatements) {
|
|
68
|
+
const sid = stmt.statement.sid();
|
|
66
69
|
denials.push({
|
|
67
70
|
policyType,
|
|
68
71
|
...blocking,
|
|
69
72
|
policyIdentifier: stmt.policyId,
|
|
70
|
-
statementId:
|
|
73
|
+
...(sid ? { statementId: sid } : {}),
|
|
74
|
+
statementIndex: stmt.statement.index(),
|
|
71
75
|
denialType: 'Explicit'
|
|
72
76
|
});
|
|
73
77
|
}
|
|
@@ -100,16 +104,57 @@ function addOuPolicyDenials(analysis, policyType, overallResult, blockedBy, deni
|
|
|
100
104
|
for (const ou of analysis.ouAnalysis) {
|
|
101
105
|
if (ou.result === 'ExplicitlyDenied') {
|
|
102
106
|
for (const stmt of ou.denyStatements) {
|
|
107
|
+
const sid = stmt.statement.sid();
|
|
103
108
|
denials.push({
|
|
104
109
|
policyType,
|
|
105
110
|
policyIdentifier: stmt.policyId,
|
|
106
|
-
statementId:
|
|
107
|
-
|
|
108
|
-
...blocking
|
|
111
|
+
...(sid ? { statementId: sid } : {}),
|
|
112
|
+
statementIndex: stmt.statement.index(),
|
|
113
|
+
...blocking,
|
|
114
|
+
denialType: 'Explicit'
|
|
109
115
|
});
|
|
110
116
|
}
|
|
111
117
|
}
|
|
112
118
|
}
|
|
113
119
|
}
|
|
114
120
|
}
|
|
121
|
+
/**
|
|
122
|
+
* Find the policy statements that granted access for an allowed request.
|
|
123
|
+
* Analyzes the RequestAnalysis and returns the specific grants that allowed the request.
|
|
124
|
+
*
|
|
125
|
+
* Only identity and resource policies can grant access. SCPs, RCPs, permission boundaries,
|
|
126
|
+
* and endpoint policies can only deny (not grant).
|
|
127
|
+
*
|
|
128
|
+
* @param requestAnalysis the request analysis
|
|
129
|
+
* @returns a list of RequestGrant objects describing which policies granted access
|
|
130
|
+
*/
|
|
131
|
+
function getGrantReasons(requestAnalysis) {
|
|
132
|
+
if (requestAnalysis.result !== 'Allowed') {
|
|
133
|
+
return [];
|
|
134
|
+
}
|
|
135
|
+
const grantDetails = [];
|
|
136
|
+
if (requestAnalysis.identityAnalysis?.result === 'Allowed') {
|
|
137
|
+
for (const stmt of requestAnalysis.identityAnalysis.allowStatements) {
|
|
138
|
+
const sid = stmt.statement.sid();
|
|
139
|
+
grantDetails.push({
|
|
140
|
+
policyType: 'identity',
|
|
141
|
+
policyIdentifier: stmt.policyId,
|
|
142
|
+
...(sid ? { statementId: sid } : {}),
|
|
143
|
+
statementIndex: stmt.statement.index()
|
|
144
|
+
});
|
|
145
|
+
}
|
|
146
|
+
}
|
|
147
|
+
if (requestAnalysis.resourceAnalysis?.result === 'Allowed' ||
|
|
148
|
+
requestAnalysis.resourceAnalysis?.result === 'AllowedForAccount') {
|
|
149
|
+
for (const stmt of requestAnalysis.resourceAnalysis.allowStatements) {
|
|
150
|
+
const sid = stmt.statement.sid();
|
|
151
|
+
grantDetails.push({
|
|
152
|
+
policyType: 'resource',
|
|
153
|
+
...(sid ? { statementId: sid } : {}),
|
|
154
|
+
statementIndex: stmt.statement.index()
|
|
155
|
+
});
|
|
156
|
+
}
|
|
157
|
+
}
|
|
158
|
+
return grantDetails;
|
|
159
|
+
}
|
|
115
160
|
//# sourceMappingURL=analyzeResults.js.map
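Review bot: `getGrantReasons` emits the same `policyType: 'resource'` record whether `resourceAnalysis.result` is `'Allowed'` or `'AllowedForAccount'`, so the returned grant cannot tell a caller which of the two applied. If `'AllowedForAccount'` means what its name suggests (the resource policy allowed the account rather than the principal, to be confirmed against the evaluation code), an access review reading this list could credit the resource statement with more than it granted on its own. The doc comment should say so, for example `* Resource statements are reported for both 'Allowed' and 'AllowedForAccount'; the record does not say which.`, and the `@returns` line should state that the list is every matching Allow statement from both analyses rather than a minimal set. Separately, `sid ? { statementId: sid } : {}` here and in the two denial helpers drops an empty-string Sid; `sid !== undefined` would keep it if `sid()` can return `''`. The esm build of this file carries the same code.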
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"analyzeResults.js","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":";;AAgBA,kEAOC;
|
|
1
|
+
{"version":3,"file":"analyzeResults.js","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":";;AAgBA,kEAOC;AA4FD,4CAqCC;AA2GD,0CAkCC;AA3RD;;;;;GAKG;AACH,SAAgB,2BAA2B,CAAC,eAAgC;IAC1E,MAAM,gBAAgB,GAAG,eAAe,CAAC,gBAAgB,CAAA;IACzD,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,OAAO,KAAK,CAAA;IACd,CAAC;IAED,OAAO,gBAAgB,CAAC,MAAM,KAAK,SAAS,CAAA;AAC9C,CAAC;AA2ED;;;;;;;;;;;;;;;;GAgBG;AACH,SAAgB,gBAAgB,CAAC,eAAgC;IAC/D,MAAM,OAAO,GAAoB,EAAE,CAAA;IACnC,MAAM,aAAa,GAAG,eAAe,CAAC,MAAM,CAAA;IAC5C,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,eAAe,CAAC,SAAS,IAAI,EAAE,CAAC,CAAA;IAE1D,sBAAsB,CACpB,eAAe,CAAC,gBAAgB,EAChC,UAAU,EACV,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IACD,sBAAsB,CACpB,eAAe,CAAC,gBAAgB,EAChC,UAAU,EACV,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IACD,kBAAkB,CAAC,eAAe,CAAC,WAAW,EAAE,KAAK,EAAE,aAAa,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;IACzF,kBAAkB,CAAC,eAAe,CAAC,WAAW,EAAE,KAAK,EAAE,aAAa,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;IACzF,sBAAsB,CACpB,eAAe,CAAC,0BAA0B,EAC1C,IAAI,EACJ,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IACD,sBAAsB,CACpB,eAAe,CAAC,gBAAgB,EAChC,MAAM,EACN,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IAED,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;;GAGG;AACH,SAAS,sBAAsB,CAC7B,QAAyD,EACzD,UAA4B,EAC5B,aAA+B,EAC/B,SAA6B,EAC7B,OAAwB;IAExB,IAAI,CAAC,QAAQ;QAAE,OAAM;IAErB,MAAM,UAAU,GAAG,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;IAC5C,MAAM,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;IAE9D,IACE,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,OAAO,CAAC,IAAI,CAAC;YACX,UAAU;YACV,UAAU,EAAE,UAAU;YACtB,GAAG,QAAQ;SACZ,CAAC,CAAA;IACJ,CAAC;SAAM,IACL,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,cAAc,EAAE,CAAC;YAC3C,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,CAAA;YAChC,OAAO,CAAC,IAAI,CAAC;gBACX,UAAU;gBACV,GAAG,QAAQ;gBACX,gBAAgB,EAAE,IAAI,CAAC,QAAQ;gBAC/B,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;gBACtC,
UAAU,EAAE,UAAU;aACvB,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,kBAAkB,CACzB,QAA+C,EAC/C,UAA4B,EAC5B,aAA+B,EAC/B,SAA6B,EAC7B,OAAwB;IAExB,IAAI,CAAC,QAAQ;QAAE,OAAM;IAErB,MAAM,UAAU,GAAG,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;IAC5C,MAAM,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;IAE9D,IACE,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,KAAK,MAAM,EAAE,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;YACrC,IAAI,EAAE,CAAC,MAAM,KAAK,kBAAkB,EAAE,CAAC;gBACrC,OAAO,CAAC,IAAI,CAAC;oBACX,UAAU;oBACV,UAAU,EAAE,EAAE,CAAC,aAAa;oBAC5B,UAAU,EAAE,UAAU;oBACtB,GAAG,QAAQ;iBACZ,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;IACH,CAAC;SAAM,IACL,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,KAAK,MAAM,EAAE,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;YACrC,IAAI,EAAE,CAAC,MAAM,KAAK,kBAAkB,EAAE,CAAC;gBACrC,KAAK,MAAM,IAAI,IAAI,EAAE,CAAC,cAAc,EAAE,CAAC;oBACrC,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,CAAA;oBAChC,OAAO,CAAC,IAAI,CAAC;wBACX,UAAU;wBACV,gBAAgB,EAAE,IAAI,CAAC,QAAQ;wBAC/B,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;wBACpC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;wBACtC,GAAG,QAAQ;wBACX,UAAU,EAAE,UAAU;qBACvB,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,eAAe,CAAC,eAAgC;IAC9D,IAAI,eAAe,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QACzC,OAAO,EAAE,CAAA;IACX,CAAC;IAED,MAAM,YAAY,GAAmB,EAAE,CAAA;IAEvC,IAAI,eAAe,CAAC,gBAAgB,EAAE,MAAM,KAAK,SAAS,EAAE,CAAC;QAC3D,KAAK,MAAM,IAAI,IAAI,eAAe,CAAC,gBAAgB,CAAC,eAAe,EAAE,CAAC;YACpE,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,CAAA;YAChC,YAAY,CAAC,IAAI,CAAC;gBAChB,UAAU,EAAE,UAAU;gBACtB,gBAAgB,EAAE,IAAI,CAAC,QAAQ;gBAC/B,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;aACvC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,IACE,eAAe,CAAC,gBAAgB,EAAE,MAAM,KAAK,SAAS;QACtD,eAAe,CAAC,gBAAgB,EAAE,MAAM,KAAK,mBAAmB,EAChE,CAAC;QACD,KAAK,MAAM,IAAI,IAAI,eAAe,CAAC
,gBAAgB,CAAC,eAAe,EAAE,CAAC;YACpE,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,CAAA;YAChC,YAAY,CAAC,IAAI,CAAC;gBAChB,UAAU,EAAE,UAAU;gBACtB,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;aACvC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,OAAO,YAAY,CAAA;AACrB,CAAC"}
|
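--- a/package/dist/cjs/index.d.ts
+++ b/package/dist/cjs/index.d.ts
@@ -1,4 +1,4 @@
-export { getDenialReasons, type DenialPolicyType, type RequestDenial } from './analysis/analyzeResults.js';
+export { getDenialReasons, getGrantReasons, type DenialPolicyType, type RequestGrant, type RequestDenial } from './analysis/analyzeResults.js';
 export { typeForContextKey } from './context_keys/contextKeys.js';
 export { isConditionKeyArray, type BaseConditionKeyType, type ConditionKeyType } from './context_keys/contextKeyTypes.js';
 export { findContextKeys } from './context_keys/findContextKeys.js';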
package/dist/cjs/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAChB,KAAK,gBAAgB,EACrB,KAAK,aAAa,EACnB,MAAM,8BAA8B,CAAA;AACrC,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAA;AACjE,OAAO,EACL,mBAAmB,EACnB,KAAK,oBAAoB,EACzB,KAAK,gBAAgB,EACtB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAA;AACnE,YAAY,EAAE,cAAc,EAAE,MAAM,sCAAsC,CAAA;AAC1E,YAAY,EACV,aAAa,EACb,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,eAAe,EAChB,MAAM,eAAe,CAAA;AACtB,YAAY,EACV,aAAa,EACb,gBAAgB,EAChB,qBAAqB,EACrB,qBAAqB,EACrB,gBAAgB,EAChB,eAAe,EACf,gBAAgB,EACjB,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAA;AACjF,YAAY,EACV,UAAU,EACV,wBAAwB,EACxB,qBAAqB,EACtB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAA;AACvE,YAAY,EACV,qBAAqB,EACrB,oBAAoB,EACpB,gBAAgB,EAChB,wBAAwB,EACxB,oBAAoB,EACpB,8BAA8B,EAC9B,8BAA8B,EAC9B,iCAAiC,EACjC,gCAAgC,EACjC,MAAM,yCAAyC,CAAA;AAChD,YAAY,EAAE,iBAAiB,EAAE,MAAM,0CAA0C,CAAA;AACjF,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAA;AACnF,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAA"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAChB,eAAe,EACf,KAAK,gBAAgB,EACrB,KAAK,YAAY,EACjB,KAAK,aAAa,EACnB,MAAM,8BAA8B,CAAA;AACrC,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAA;AACjE,OAAO,EACL,mBAAmB,EACnB,KAAK,oBAAoB,EACzB,KAAK,gBAAgB,EACtB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAA;AACnE,YAAY,EAAE,cAAc,EAAE,MAAM,sCAAsC,CAAA;AAC1E,YAAY,EACV,aAAa,EACb,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,eAAe,EAChB,MAAM,eAAe,CAAA;AACtB,YAAY,EACV,aAAa,EACb,gBAAgB,EAChB,qBAAqB,EACrB,qBAAqB,EACrB,gBAAgB,EAChB,eAAe,EACf,gBAAgB,EACjB,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAA;AACjF,YAAY,EACV,UAAU,EACV,wBAAwB,EACxB,qBAAqB,EACtB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAA;AACvE,YAAY,EACV,qBAAqB,EACrB,oBAAoB,EACpB,gBAAgB,EAChB,wBAAwB,EACxB,oBAAoB,EACpB,8BAA8B,EAC9B,8BAA8B,EAC9B,iCAAiC,EACjC,gCAAgC,EACjC,MAAM,yCAAyC,CAAA;AAChD,YAAY,EAAE,iBAAiB,EAAE,MAAM,0CAA0C,CAAA;AACjF,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAA;AACnF,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAA"}
|
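--- a/package/dist/cjs/index.js
+++ b/package/dist/cjs/index.js
@@ -1,8 +1,9 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.isWildcardOnlyAction = exports.runUnsafeSimulation = exports.runSimulation = exports.allowedContextKeysForRequest = exports.findContextKeys = exports.isConditionKeyArray = exports.typeForContextKey = exports.getDenialReasons = void 0;
+exports.isWildcardOnlyAction = exports.runUnsafeSimulation = exports.runSimulation = exports.allowedContextKeysForRequest = exports.findContextKeys = exports.isConditionKeyArray = exports.typeForContextKey = exports.getGrantReasons = exports.getDenialReasons = void 0;
 var analyzeResults_js_1 = require("./analysis/analyzeResults.js");
 Object.defineProperty(exports, "getDenialReasons", { enumerable: true, get: function () { return analyzeResults_js_1.getDenialReasons; } });
+Object.defineProperty(exports, "getGrantReasons", { enumerable: true, get: function () { return analyzeResults_js_1.getGrantReasons; } });
 var contextKeys_js_1 = require("./context_keys/contextKeys.js");
 Object.defineProperty(exports, "typeForContextKey", { enumerable: true, get: function () { return contextKeys_js_1.typeForContextKey; } });
 var contextKeyTypes_js_1 = require("./context_keys/contextKeyTypes.js");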
package/dist/cjs/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,kEAMqC;AALnC,qHAAA,gBAAgB,OAAA;AAChB,oHAAA,eAAe,OAAA;AAKjB,gEAAiE;AAAxD,mHAAA,iBAAiB,OAAA;AAC1B,wEAI0C;AAHxC,yHAAA,mBAAmB,OAAA;AAIrB,wEAAmE;AAA1D,qHAAA,eAAe,OAAA;AAkBxB,qEAAiF;AAAxE,8HAAA,4BAA4B,OAAA;AAMrC,+EAAuE;AAA9D,oHAAA,aAAa,OAAA;AAatB,2FAAmF;AAA1E,gIAAA,mBAAmB,OAAA;AAC5B,qCAAgD;AAAvC,+GAAA,oBAAoB,OAAA"}
|
|
@@ -40,14 +40,30 @@ export type RequestDenial = {
|
|
|
40
40
|
*/
|
|
41
41
|
policyIdentifier?: string;
|
|
42
42
|
/**
|
|
43
|
-
* The statement ID (
|
|
43
|
+
* The statement ID (Sid) of the denying policy statement, if present. This corresponds
|
|
44
|
+
* to the Sid field in the AWS IAM policy statement and may be absent if the statement
|
|
45
|
+
* does not define a Sid.
|
|
44
46
|
*/
|
|
45
|
-
statementId
|
|
47
|
+
statementId?: string | undefined;
|
|
48
|
+
/**
|
|
49
|
+
* The 1-based index of the denying statement within the policy, if applicable. This is useful when the statement does not have a Sid.
|
|
50
|
+
*/
|
|
51
|
+
statementIndex: number;
|
|
46
52
|
/**
|
|
47
53
|
* The type of denial.
|
|
48
54
|
*/
|
|
49
55
|
denialType: 'Explicit';
|
|
50
56
|
};
|
|
57
|
+
export type RequestGrant = {
|
|
58
|
+
policyType: 'identity';
|
|
59
|
+
policyIdentifier: string;
|
|
60
|
+
statementId?: string | undefined;
|
|
61
|
+
statementIndex: number;
|
|
62
|
+
} | {
|
|
63
|
+
policyType: 'resource';
|
|
64
|
+
statementId?: string | undefined;
|
|
65
|
+
statementIndex: number;
|
|
66
|
+
};
|
|
51
67
|
/**
|
|
52
68
|
* Find the policy statements that caused a request to be denied.
|
|
53
69
|
* Analyzes the RequestAnalysis and returns the specific reasons why the request was denied.
|
|
@@ -59,10 +75,22 @@ export type RequestDenial = {
|
|
|
59
75
|
* For an explicit denial, it returns:
|
|
60
76
|
* - the policy type (identity, resource, scp, rcp, permission boundary, endpoint policy)
|
|
61
77
|
* - the policy identifier, if applicable for a managed policy or an SCP
|
|
62
|
-
* - the statement ID (
|
|
78
|
+
* - the statement ID (Sid), if the denying statement has one
|
|
79
|
+
* - the statement index (1-based) of the denying statement
|
|
63
80
|
*
|
|
64
81
|
* @param requestAnalysis the request analysis
|
|
65
82
|
* @returns a list of RequestDenial objects describing the reasons for denial
|
|
66
83
|
*/
|
|
67
84
|
export declare function getDenialReasons(requestAnalysis: RequestAnalysis): RequestDenial[];
|
|
85
|
+
/**
|
|
86
|
+
* Find the policy statements that granted access for an allowed request.
|
|
87
|
+
* Analyzes the RequestAnalysis and returns the specific grants that allowed the request.
|
|
88
|
+
*
|
|
89
|
+
* Only identity and resource policies can grant access. SCPs, RCPs, permission boundaries,
|
|
90
|
+
* and endpoint policies can only deny (not grant).
|
|
91
|
+
*
|
|
92
|
+
* @param requestAnalysis the request analysis
|
|
93
|
+
* @returns a list of RequestGrant objects describing which policies granted access
|
|
94
|
+
*/
|
|
95
|
+
export declare function getGrantReasons(requestAnalysis: RequestAnalysis): RequestGrant[];
|
|
68
96
|
//# sourceMappingURL=analyzeResults.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"analyzeResults.d.ts","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,aAAa,EAIlB,KAAK,eAAe,EAGrB,MAAM,gBAAgB,CAAA;AAEvB;;;;;GAKG;AACH,wBAAgB,2BAA2B,CAAC,eAAe,EAAE,eAAe,GAAG,OAAO,CAOrF;AAED,MAAM,MAAM,gBAAgB,GAAG,aAAa,CAAA;AAE5C,MAAM,MAAM,aAAa,GACrB;IACE;;OAEG;IACH,UAAU,EAAE,gBAAgB,CAAA;IAE5B;;OAEG;IACH,QAAQ,CAAC,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IAEnB;;OAEG;IACH,UAAU,EAAE,UAAU,CAAA;CACvB,GACD;IACE;;OAEG;IACH,UAAU,EAAE,gBAAgB,CAAA;IAE5B;;OAEG;IACH,QAAQ,CAAC,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAA;IAEzB;;OAEG;IACH,
|
|
1
|
+
{"version":3,"file":"analyzeResults.d.ts","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,aAAa,EAIlB,KAAK,eAAe,EAGrB,MAAM,gBAAgB,CAAA;AAEvB;;;;;GAKG;AACH,wBAAgB,2BAA2B,CAAC,eAAe,EAAE,eAAe,GAAG,OAAO,CAOrF;AAED,MAAM,MAAM,gBAAgB,GAAG,aAAa,CAAA;AAE5C,MAAM,MAAM,aAAa,GACrB;IACE;;OAEG;IACH,UAAU,EAAE,gBAAgB,CAAA;IAE5B;;OAEG;IACH,QAAQ,CAAC,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IAEnB;;OAEG;IACH,UAAU,EAAE,UAAU,CAAA;CACvB,GACD;IACE;;OAEG;IACH,UAAU,EAAE,gBAAgB,CAAA;IAE5B;;OAEG;IACH,QAAQ,CAAC,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAA;IAEzB;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAEhC;;OAEG;IACH,cAAc,EAAE,MAAM,CAAA;IAEtB;;OAEG;IACH,UAAU,EAAE,UAAU,CAAA;CACvB,CAAA;AAEL,MAAM,MAAM,YAAY,GACpB;IACE,UAAU,EAAE,UAAU,CAAA;IACtB,gBAAgB,EAAE,MAAM,CAAA;IACxB,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAChC,cAAc,EAAE,MAAM,CAAA;CACvB,GACD;IACE,UAAU,EAAE,UAAU,CAAA;IACtB,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAChC,cAAc,EAAE,MAAM,CAAA;CACvB,CAAA;AAEL;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,gBAAgB,CAAC,eAAe,EAAE,eAAe,GAAG,aAAa,EAAE,CAqClF;AAiGD;;;;;;;;;GASG;AACH,wBAAgB,eAAe,CAAC,eAAe,EAAE,eAAe,GAAG,YAAY,EAAE,CAkChF"}
|
|
@@ -23,7 +23,8 @@ export function isAllowedByIdentityPolicies(requestAnalysis) {
|
|
|
23
23
|
* For an explicit denial, it returns:
|
|
24
24
|
* - the policy type (identity, resource, scp, rcp, permission boundary, endpoint policy)
|
|
25
25
|
* - the policy identifier, if applicable for a managed policy or an SCP
|
|
26
|
-
* - the statement ID (
|
|
26
|
+
* - the statement ID (Sid), if the denying statement has one
|
|
27
|
+
* - the statement index (1-based) of the denying statement
|
|
27
28
|
*
|
|
28
29
|
* @param requestAnalysis the request analysis
|
|
29
30
|
* @returns a list of RequestDenial objects describing the reasons for denial
|
|
@@ -60,11 +61,13 @@ function addSimplePolicyDenials(analysis, policyType, overallResult, blockedBy,
|
|
|
60
61
|
else if (analysis.result === 'ExplicitlyDenied' &&
|
|
61
62
|
(isBlocking || overallResult === 'ExplicitlyDenied')) {
|
|
62
63
|
for (const stmt of analysis.denyStatements) {
|
|
64
|
+
const sid = stmt.statement.sid();
|
|
63
65
|
denials.push({
|
|
64
66
|
policyType,
|
|
65
67
|
...blocking,
|
|
66
68
|
policyIdentifier: stmt.policyId,
|
|
67
|
-
statementId:
|
|
69
|
+
...(sid ? { statementId: sid } : {}),
|
|
70
|
+
statementIndex: stmt.statement.index(),
|
|
68
71
|
denialType: 'Explicit'
|
|
69
72
|
});
|
|
70
73
|
}
|
|
@@ -97,16 +100,57 @@ function addOuPolicyDenials(analysis, policyType, overallResult, blockedBy, deni
|
|
|
97
100
|
for (const ou of analysis.ouAnalysis) {
|
|
98
101
|
if (ou.result === 'ExplicitlyDenied') {
|
|
99
102
|
for (const stmt of ou.denyStatements) {
|
|
103
|
+
const sid = stmt.statement.sid();
|
|
100
104
|
denials.push({
|
|
101
105
|
policyType,
|
|
102
106
|
policyIdentifier: stmt.policyId,
|
|
103
|
-
statementId:
|
|
104
|
-
|
|
105
|
-
...blocking
|
|
107
|
+
...(sid ? { statementId: sid } : {}),
|
|
108
|
+
statementIndex: stmt.statement.index(),
|
|
109
|
+
...blocking,
|
|
110
|
+
denialType: 'Explicit'
|
|
106
111
|
});
|
|
107
112
|
}
|
|
108
113
|
}
|
|
109
114
|
}
|
|
110
115
|
}
|
|
111
116
|
}
|
|
117
|
+
/**
|
|
118
|
+
* Find the policy statements that granted access for an allowed request.
|
|
119
|
+
* Analyzes the RequestAnalysis and returns the specific grants that allowed the request.
|
|
120
|
+
*
|
|
121
|
+
* Only identity and resource policies can grant access. SCPs, RCPs, permission boundaries,
|
|
122
|
+
* and endpoint policies can only deny (not grant).
|
|
123
|
+
*
|
|
124
|
+
* @param requestAnalysis the request analysis
|
|
125
|
+
* @returns a list of RequestGrant objects describing which policies granted access
|
|
126
|
+
*/
|
|
127
|
+
export function getGrantReasons(requestAnalysis) {
|
|
128
|
+
if (requestAnalysis.result !== 'Allowed') {
|
|
129
|
+
return [];
|
|
130
|
+
}
|
|
131
|
+
const grantDetails = [];
|
|
132
|
+
if (requestAnalysis.identityAnalysis?.result === 'Allowed') {
|
|
133
|
+
for (const stmt of requestAnalysis.identityAnalysis.allowStatements) {
|
|
134
|
+
const sid = stmt.statement.sid();
|
|
135
|
+
grantDetails.push({
|
|
136
|
+
policyType: 'identity',
|
|
137
|
+
policyIdentifier: stmt.policyId,
|
|
138
|
+
...(sid ? { statementId: sid } : {}),
|
|
139
|
+
statementIndex: stmt.statement.index()
|
|
140
|
+
});
|
|
141
|
+
}
|
|
142
|
+
}
|
|
143
|
+
if (requestAnalysis.resourceAnalysis?.result === 'Allowed' ||
|
|
144
|
+
requestAnalysis.resourceAnalysis?.result === 'AllowedForAccount') {
|
|
145
|
+
for (const stmt of requestAnalysis.resourceAnalysis.allowStatements) {
|
|
146
|
+
const sid = stmt.statement.sid();
|
|
147
|
+
grantDetails.push({
|
|
148
|
+
policyType: 'resource',
|
|
149
|
+
...(sid ? { statementId: sid } : {}),
|
|
150
|
+
statementIndex: stmt.statement.index()
|
|
151
|
+
});
|
|
152
|
+
}
|
|
153
|
+
}
|
|
154
|
+
return grantDetails;
|
|
155
|
+
}
|
|
112
156
|
//# sourceMappingURL=analyzeResults.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"analyzeResults.js","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":"AAAA,OAAO,EAQN,MAAM,gBAAgB,CAAA;AAEvB;;;;;GAKG;AACH,MAAM,UAAU,2BAA2B,CAAC,eAAgC;IAC1E,MAAM,gBAAgB,GAAG,eAAe,CAAC,gBAAgB,CAAA;IACzD,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,OAAO,KAAK,CAAA;IACd,CAAC;IAED,OAAO,gBAAgB,CAAC,MAAM,KAAK,SAAS,CAAA;AAC9C,CAAC;
|
|
1
|
+
{"version":3,"file":"analyzeResults.js","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":"AAAA,OAAO,EAQN,MAAM,gBAAgB,CAAA;AAEvB;;;;;GAKG;AACH,MAAM,UAAU,2BAA2B,CAAC,eAAgC;IAC1E,MAAM,gBAAgB,GAAG,eAAe,CAAC,gBAAgB,CAAA;IACzD,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,OAAO,KAAK,CAAA;IACd,CAAC;IAED,OAAO,gBAAgB,CAAC,MAAM,KAAK,SAAS,CAAA;AAC9C,CAAC;AA2ED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,gBAAgB,CAAC,eAAgC;IAC/D,MAAM,OAAO,GAAoB,EAAE,CAAA;IACnC,MAAM,aAAa,GAAG,eAAe,CAAC,MAAM,CAAA;IAC5C,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,eAAe,CAAC,SAAS,IAAI,EAAE,CAAC,CAAA;IAE1D,sBAAsB,CACpB,eAAe,CAAC,gBAAgB,EAChC,UAAU,EACV,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IACD,sBAAsB,CACpB,eAAe,CAAC,gBAAgB,EAChC,UAAU,EACV,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IACD,kBAAkB,CAAC,eAAe,CAAC,WAAW,EAAE,KAAK,EAAE,aAAa,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;IACzF,kBAAkB,CAAC,eAAe,CAAC,WAAW,EAAE,KAAK,EAAE,aAAa,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;IACzF,sBAAsB,CACpB,eAAe,CAAC,0BAA0B,EAC1C,IAAI,EACJ,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IACD,sBAAsB,CACpB,eAAe,CAAC,gBAAgB,EAChC,MAAM,EACN,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IAED,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;;GAGG;AACH,SAAS,sBAAsB,CAC7B,QAAyD,EACzD,UAA4B,EAC5B,aAA+B,EAC/B,SAA6B,EAC7B,OAAwB;IAExB,IAAI,CAAC,QAAQ;QAAE,OAAM;IAErB,MAAM,UAAU,GAAG,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;IAC5C,MAAM,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;IAE9D,IACE,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,OAAO,CAAC,IAAI,CAAC;YACX,UAAU;YACV,UAAU,EAAE,UAAU;YACtB,GAAG,QAAQ;SACZ,CAAC,CAAA;IACJ,CAAC;SAAM,IACL,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,cAAc,EAAE,CAAC;YAC3C,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,CAAA;YAChC,OAAO,CAAC,IAAI,CAAC;gBACX,UAAU;gBACV,GAAG,QAAQ;gBACX,gBAAgB,EAAE,IAAI,CAAC,QAAQ;gBAC/B,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;gBACtC,
UAAU,EAAE,UAAU;aACvB,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,kBAAkB,CACzB,QAA+C,EAC/C,UAA4B,EAC5B,aAA+B,EAC/B,SAA6B,EAC7B,OAAwB;IAExB,IAAI,CAAC,QAAQ;QAAE,OAAM;IAErB,MAAM,UAAU,GAAG,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;IAC5C,MAAM,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;IAE9D,IACE,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,KAAK,MAAM,EAAE,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;YACrC,IAAI,EAAE,CAAC,MAAM,KAAK,kBAAkB,EAAE,CAAC;gBACrC,OAAO,CAAC,IAAI,CAAC;oBACX,UAAU;oBACV,UAAU,EAAE,EAAE,CAAC,aAAa;oBAC5B,UAAU,EAAE,UAAU;oBACtB,GAAG,QAAQ;iBACZ,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;IACH,CAAC;SAAM,IACL,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,KAAK,MAAM,EAAE,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;YACrC,IAAI,EAAE,CAAC,MAAM,KAAK,kBAAkB,EAAE,CAAC;gBACrC,KAAK,MAAM,IAAI,IAAI,EAAE,CAAC,cAAc,EAAE,CAAC;oBACrC,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,CAAA;oBAChC,OAAO,CAAC,IAAI,CAAC;wBACX,UAAU;wBACV,gBAAgB,EAAE,IAAI,CAAC,QAAQ;wBAC/B,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;wBACpC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;wBACtC,GAAG,QAAQ;wBACX,UAAU,EAAE,UAAU;qBACvB,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,eAAe,CAAC,eAAgC;IAC9D,IAAI,eAAe,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QACzC,OAAO,EAAE,CAAA;IACX,CAAC;IAED,MAAM,YAAY,GAAmB,EAAE,CAAA;IAEvC,IAAI,eAAe,CAAC,gBAAgB,EAAE,MAAM,KAAK,SAAS,EAAE,CAAC;QAC3D,KAAK,MAAM,IAAI,IAAI,eAAe,CAAC,gBAAgB,CAAC,eAAe,EAAE,CAAC;YACpE,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,CAAA;YAChC,YAAY,CAAC,IAAI,CAAC;gBAChB,UAAU,EAAE,UAAU;gBACtB,gBAAgB,EAAE,IAAI,CAAC,QAAQ;gBAC/B,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;aACvC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,IACE,eAAe,CAAC,gBAAgB,EAAE,MAAM,KAAK,SAAS;QACtD,eAAe,CAAC,gBAAgB,EAAE,MAAM,KAAK,mBAAmB,EAChE,CAAC;QACD,KAAK,MAAM,IAAI,IAAI,eAAe,
CAAC,gBAAgB,CAAC,eAAe,EAAE,CAAC;YACpE,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,CAAA;YAChC,YAAY,CAAC,IAAI,CAAC;gBAChB,UAAU,EAAE,UAAU;gBACtB,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;aACvC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,OAAO,YAAY,CAAA;AACrB,CAAC"}
|
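--- a/package/dist/esm/index.d.ts
+++ b/package/dist/esm/index.d.ts
@@ -1,4 +1,4 @@
-export { getDenialReasons, type DenialPolicyType, type RequestDenial } from './analysis/analyzeResults.js';
+export { getDenialReasons, getGrantReasons, type DenialPolicyType, type RequestGrant, type RequestDenial } from './analysis/analyzeResults.js';
 export { typeForContextKey } from './context_keys/contextKeys.js';
 export { isConditionKeyArray, type BaseConditionKeyType, type ConditionKeyType } from './context_keys/contextKeyTypes.js';
 export { findContextKeys } from './context_keys/findContextKeys.js';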
package/dist/esm/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAChB,KAAK,gBAAgB,EACrB,KAAK,aAAa,EACnB,MAAM,8BAA8B,CAAA;AACrC,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAA;AACjE,OAAO,EACL,mBAAmB,EACnB,KAAK,oBAAoB,EACzB,KAAK,gBAAgB,EACtB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAA;AACnE,YAAY,EAAE,cAAc,EAAE,MAAM,sCAAsC,CAAA;AAC1E,YAAY,EACV,aAAa,EACb,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,eAAe,EAChB,MAAM,eAAe,CAAA;AACtB,YAAY,EACV,aAAa,EACb,gBAAgB,EAChB,qBAAqB,EACrB,qBAAqB,EACrB,gBAAgB,EAChB,eAAe,EACf,gBAAgB,EACjB,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAA;AACjF,YAAY,EACV,UAAU,EACV,wBAAwB,EACxB,qBAAqB,EACtB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAA;AACvE,YAAY,EACV,qBAAqB,EACrB,oBAAoB,EACpB,gBAAgB,EAChB,wBAAwB,EACxB,oBAAoB,EACpB,8BAA8B,EAC9B,8BAA8B,EAC9B,iCAAiC,EACjC,gCAAgC,EACjC,MAAM,yCAAyC,CAAA;AAChD,YAAY,EAAE,iBAAiB,EAAE,MAAM,0CAA0C,CAAA;AACjF,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAA;AACnF,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAA"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAChB,eAAe,EACf,KAAK,gBAAgB,EACrB,KAAK,YAAY,EACjB,KAAK,aAAa,EACnB,MAAM,8BAA8B,CAAA;AACrC,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAA;AACjE,OAAO,EACL,mBAAmB,EACnB,KAAK,oBAAoB,EACzB,KAAK,gBAAgB,EACtB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAA;AACnE,YAAY,EAAE,cAAc,EAAE,MAAM,sCAAsC,CAAA;AAC1E,YAAY,EACV,aAAa,EACb,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,eAAe,EAChB,MAAM,eAAe,CAAA;AACtB,YAAY,EACV,aAAa,EACb,gBAAgB,EAChB,qBAAqB,EACrB,qBAAqB,EACrB,gBAAgB,EAChB,eAAe,EACf,gBAAgB,EACjB,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAA;AACjF,YAAY,EACV,UAAU,EACV,wBAAwB,EACxB,qBAAqB,EACtB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAA;AACvE,YAAY,EACV,qBAAqB,EACrB,oBAAoB,EACpB,gBAAgB,EAChB,wBAAwB,EACxB,oBAAoB,EACpB,8BAA8B,EAC9B,8BAA8B,EAC9B,iCAAiC,EACjC,gCAAgC,EACjC,MAAM,yCAAyC,CAAA;AAChD,YAAY,EAAE,iBAAiB,EAAE,MAAM,0CAA0C,CAAA;AACjF,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAA;AACnF,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAA"}
|
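--- a/package/dist/esm/index.js
+++ b/package/dist/esm/index.js
@@ -1,4 +1,4 @@
-export { getDenialReasons } from './analysis/analyzeResults.js';
+export { getDenialReasons, getGrantReasons } from './analysis/analyzeResults.js';
 export { typeForContextKey } from './context_keys/contextKeys.js';
 export { isConditionKeyArray } from './context_keys/contextKeyTypes.js';
 export { findContextKeys } from './context_keys/findContextKeys.js';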
package/dist/esm/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAChB,eAAe,EAIhB,MAAM,8BAA8B,CAAA;AACrC,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAA;AACjE,OAAO,EACL,mBAAmB,EAGpB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAA;AAkBnE,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAA;AAMjF,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAA;AAavE,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAA;AACnF,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAA"}
|