@cloud-copilot/iam-simulate 0.1.11 → 0.1.13-1
- package/dist/cjs/SCPAnalysis.d.ts.map +1 -1
- package/dist/cjs/StatementAnalysis.d.ts +14 -0
- package/dist/cjs/StatementAnalysis.d.ts.map +1 -1
- package/dist/cjs/StatementAnalysis.js +51 -0
- package/dist/cjs/StatementAnalysis.js.map +1 -1
- package/dist/cjs/action/action.d.ts +13 -3
- package/dist/cjs/action/action.d.ts.map +1 -1
- package/dist/cjs/action/action.js +43 -21
- package/dist/cjs/action/action.js.map +1 -1
- package/dist/cjs/condition/condition.d.ts +7 -3
- package/dist/cjs/condition/condition.d.ts.map +1 -1
- package/dist/cjs/condition/condition.js +138 -27
- package/dist/cjs/condition/condition.js.map +1 -1
- package/dist/cjs/core_engine/coreSimulatorEngine.d.ts +9 -11
- package/dist/cjs/core_engine/coreSimulatorEngine.d.ts.map +1 -1
- package/dist/cjs/core_engine/coreSimulatorEngine.js +136 -26
- package/dist/cjs/core_engine/coreSimulatorEngine.js.map +1 -1
- package/dist/cjs/evaluate.d.ts +46 -0
- package/dist/cjs/evaluate.d.ts.map +1 -1
- package/dist/cjs/explain/displayExplainCli.d.ts +3 -0
- package/dist/cjs/explain/displayExplainCli.d.ts.map +1 -0
- package/dist/cjs/explain/displayExplainCli.js +145 -0
- package/dist/cjs/explain/displayExplainCli.js.map +1 -0
- package/dist/cjs/explain/statementExplain.d.ts +50 -0
- package/dist/cjs/explain/statementExplain.d.ts.map +1 -0
- package/dist/cjs/explain/statementExplain.js +7 -0
- package/dist/cjs/explain/statementExplain.js.map +1 -0
- package/dist/cjs/index.d.ts +1 -0
- package/dist/cjs/index.d.ts.map +1 -1
- package/dist/cjs/index.js.map +1 -1
- package/dist/cjs/principal/principal.d.ts +14 -4
- package/dist/cjs/principal/principal.d.ts.map +1 -1
- package/dist/cjs/principal/principal.js +101 -33
- package/dist/cjs/principal/principal.js.map +1 -1
- package/dist/cjs/resource/resource.d.ts +13 -3
- package/dist/cjs/resource/resource.d.ts.map +1 -1
- package/dist/cjs/resource/resource.js +66 -14
- package/dist/cjs/resource/resource.js.map +1 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.d.ts +2 -34
- package/dist/cjs/services/DefaultServiceAuthorizer.d.ts.map +1 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.js +43 -127
- package/dist/cjs/services/DefaultServiceAuthorizer.js.map +1 -1
- package/dist/cjs/services/ServiceAuthorizer.d.ts +5 -7
- package/dist/cjs/services/ServiceAuthorizer.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/simulationEngine.d.ts +2 -4
- package/dist/cjs/simulation_engine/simulationEngine.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/simulationEngine.js +19 -8
- package/dist/cjs/simulation_engine/simulationEngine.js.map +1 -1
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.js +5 -4
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.js.map +1 -1
- package/dist/cjs/util.js +1 -1
- package/dist/esm/SCPAnalysis.d.ts.map +1 -1
- package/dist/esm/StatementAnalysis.d.ts +14 -0
- package/dist/esm/StatementAnalysis.d.ts.map +1 -1
- package/dist/esm/StatementAnalysis.js +48 -1
- package/dist/esm/StatementAnalysis.js.map +1 -1
- package/dist/esm/action/action.d.ts +13 -3
- package/dist/esm/action/action.d.ts.map +1 -1
- package/dist/esm/action/action.js +43 -21
- package/dist/esm/action/action.js.map +1 -1
- package/dist/esm/condition/condition.d.ts +7 -3
- package/dist/esm/condition/condition.d.ts.map +1 -1
- package/dist/esm/condition/condition.js +138 -27
- package/dist/esm/condition/condition.js.map +1 -1
- package/dist/esm/core_engine/coreSimulatorEngine.d.ts +9 -11
- package/dist/esm/core_engine/coreSimulatorEngine.d.ts.map +1 -1
- package/dist/esm/core_engine/coreSimulatorEngine.js +136 -26
- package/dist/esm/core_engine/coreSimulatorEngine.js.map +1 -1
- package/dist/esm/evaluate.d.ts +46 -0
- package/dist/esm/evaluate.d.ts.map +1 -1
- package/dist/esm/explain/displayExplainCli.d.ts +3 -0
- package/dist/esm/explain/displayExplainCli.d.ts.map +1 -0
- package/dist/esm/explain/displayExplainCli.js +142 -0
- package/dist/esm/explain/displayExplainCli.js.map +1 -0
- package/dist/esm/explain/statementExplain.d.ts +50 -0
- package/dist/esm/explain/statementExplain.d.ts.map +1 -0
- package/dist/esm/explain/statementExplain.js +6 -0
- package/dist/esm/explain/statementExplain.js.map +1 -0
- package/dist/esm/index.d.ts +1 -0
- package/dist/esm/index.d.ts.map +1 -1
- package/dist/esm/index.js.map +1 -1
- package/dist/esm/principal/principal.d.ts +14 -4
- package/dist/esm/principal/principal.d.ts.map +1 -1
- package/dist/esm/principal/principal.js +101 -33
- package/dist/esm/principal/principal.js.map +1 -1
- package/dist/esm/resource/resource.d.ts +13 -3
- package/dist/esm/resource/resource.d.ts.map +1 -1
- package/dist/esm/resource/resource.js +66 -14
- package/dist/esm/resource/resource.js.map +1 -1
- package/dist/esm/services/DefaultServiceAuthorizer.d.ts +2 -34
- package/dist/esm/services/DefaultServiceAuthorizer.d.ts.map +1 -1
- package/dist/esm/services/DefaultServiceAuthorizer.js +43 -127
- package/dist/esm/services/DefaultServiceAuthorizer.js.map +1 -1
- package/dist/esm/services/ServiceAuthorizer.d.ts +5 -7
- package/dist/esm/services/ServiceAuthorizer.d.ts.map +1 -1
- package/dist/esm/simulation_engine/simulationEngine.d.ts +2 -4
- package/dist/esm/simulation_engine/simulationEngine.d.ts.map +1 -1
- package/dist/esm/simulation_engine/simulationEngine.js +20 -9
- package/dist/esm/simulation_engine/simulationEngine.js.map +1 -1
- package/dist/esm/simulation_engine/unsafeSimulationEngine.d.ts.map +1 -1
- package/dist/esm/simulation_engine/unsafeSimulationEngine.js +6 -5
- package/dist/esm/simulation_engine/unsafeSimulationEngine.js.map +1 -1
- package/dist/esm/util.js +1 -1
- package/package.json +2 -2
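--- a/package/dist/cjs/SCPAnalysis.d.ts.map
+++ b/package/dist/cjs/SCPAnalysis.d.ts.map
@@ -1 +1 @@
-{"version":3,"file":"SCPAnalysis.d.ts","sourceRoot":"","sources":["../../src/SCPAnalysis.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;
+{"version":3,"file":"SCPAnalysis.d.ts","sourceRoot":"","sources":["../../src/SCPAnalysis.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAI3D,MAAM,WAAW,WAAW;IAC1B,aAAa,EAAE,MAAM,CAAC;IACtB,iBAAiB,EAAE,iBAAiB,EAAE,CAAC;CACxC"}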
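--- a/package/dist/cjs/StatementAnalysis.d.ts
+++ b/package/dist/cjs/StatementAnalysis.d.ts
@@ -1,5 +1,6 @@
 import { Statement } from "@cloud-copilot/iam-policy";
 import { ConditionMatchResult } from "./condition/condition.js";
+import { StatementExplain } from "./explain/statementExplain.js";
 import { PrincipalMatchResult } from "./principal/principal.js";
 /**
 * The result of analyzing a statement against a request.
@@ -22,6 +23,19 @@ export interface StatementAnalysis {
 * Whether the Principal or NotPrincipal – if any – matches the request.
 */
 principalMatch: PrincipalMatchResult;
+/**
+* Whether the Conditions matches the request.
+*/
 conditionMatch: ConditionMatchResult;
+explain?: StatementExplain;
 }
+/**
+* Checks if a statement is an identity statement that allows the request.
+*
+* @param statement The statement to check.
+* @returns Whether the statement is an identity statement that allows the request.
+*/
+export declare function identityStatementAllows(statement: StatementAnalysis): boolean;
+export declare function identityStatementExplicitDeny(statement: StatementAnalysis): boolean;
+export declare function statementMatches(analysis: Pick<StatementAnalysis, 'actionMatch' | 'conditionMatch' | 'principalMatch' | 'resourceMatch'>): boolean;
 //# sourceMappingURL=StatementAnalysis.d.ts.map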
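Review bot: `identityStatementExplicitDeny` and `statementMatches` are declared without the TSDoc that `identityStatementAllows` carries, and none of the three say how `principalMatch` is treated: the two identity helpers never consult it, while `statementMatches` requires `'Match'` or `'AccountLevelMatch'` (see the StatementAnalysis.js section). A caller that feeds a resource-policy analysis into `identityStatementAllows` would get an allow that ignores the Principal element, so that restriction should be stated on both identity helpers, e.g. `@remarks Intended for identity-based policy statements only; principalMatch is not consulted.`, and `statementMatches` deserves `/** True when action, resource, condition and principal all match; the statement's Effect is not considered. */`. The new interface comment `Whether the Conditions matches the request.` should read `Whether the Condition element matches the request.`. The source is src/StatementAnalysis.ts per the sourcemap.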
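--- a/package/dist/cjs/StatementAnalysis.d.ts.map
+++ b/package/dist/cjs/StatementAnalysis.d.ts.map
@@ -1 +1 @@
-{"version":3,"file":"StatementAnalysis.d.ts","sourceRoot":"","sources":["../../src/StatementAnalysis.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAChE,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAEhE;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IAChC;;OAEG;IACH,SAAS,EAAE,SAAS,CAAC;IAErB;;OAEG;IACH,aAAa,EAAE,OAAO,CAAC;IAEvB;;OAEG;IACH,WAAW,EAAE,OAAO,CAAC;IAErB;;OAEG;IACH,cAAc,EAAE,oBAAoB,CAAA;
+{"version":3,"file":"StatementAnalysis.d.ts","sourceRoot":"","sources":["../../src/StatementAnalysis.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAChE,OAAO,EAAE,gBAAgB,EAAE,MAAM,+BAA+B,CAAC;AACjE,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAEhE;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IAChC;;OAEG;IACH,SAAS,EAAE,SAAS,CAAC;IAErB;;OAEG;IACH,aAAa,EAAE,OAAO,CAAC;IAEvB;;OAEG;IACH,WAAW,EAAE,OAAO,CAAC;IAErB;;OAEG;IACH,cAAc,EAAE,oBAAoB,CAAA;IAEpC;;OAEG;IACH,cAAc,EAAE,oBAAoB,CAAA;IAEpC,OAAO,CAAC,EAAE,gBAAgB,CAAA;CAC3B;AAED;;;;;GAKG;AACH,wBAAgB,uBAAuB,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO,CAQ7E;AAsBD,wBAAgB,6BAA6B,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO,CAQnF;AAED,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,IAAI,CAAC,iBAAiB,EAAE,aAAa,GAAG,gBAAgB,GAAG,gBAAgB,GAAG,eAAe,CAAC,GAAG,OAAO,CAKlJ"}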
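--- a/package/dist/cjs/StatementAnalysis.js
+++ b/package/dist/cjs/StatementAnalysis.js
@@ -1,3 +1,54 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.identityStatementAllows = identityStatementAllows;
+exports.identityStatementExplicitDeny = identityStatementExplicitDeny;
+exports.statementMatches = statementMatches;
+/**
+* Checks if a statement is an identity statement that allows the request.
+*
+* @param statement The statement to check.
+* @returns Whether the statement is an identity statement that allows the request.
+*/
+function identityStatementAllows(statement) {
+if (statement.resourceMatch &&
+statement.actionMatch &&
+statement.conditionMatch === 'Match' &&
+statement.statement.effect() === 'Allow') {
+return true;
+}
+return false;
+}
+// export function identityStatementUknownAllow(statement: StatementAnalysis): boolean {
+// if(statement.resourceMatch &&
+// statement.actionMatch &&
+// statement.conditionMatch === 'Unknown' &&
+// statement.statement.effect() === 'Allow') {
+// return true;
+// }
+// return false
+// }
+// export function identityStatementUknownDeny(statement: StatementAnalysis): boolean {
+// if(statement.resourceMatch &&
+// statement.actionMatch &&
+// statement.conditionMatch === 'Unknown' &&
+// statement.statement.effect() === 'Deny') {
+// return true;
+// }
+// return false
+// }
+function identityStatementExplicitDeny(statement) {
+if (statement.resourceMatch &&
+statement.actionMatch &&
+statement.conditionMatch === 'Match' &&
+statement.statement.effect() === 'Deny') {
+return true;
+}
+return false;
+}
+function statementMatches(analysis) {
+return analysis.resourceMatch &&
+analysis.actionMatch &&
+analysis.conditionMatch === 'Match' &&
+(analysis.principalMatch === 'Match' || analysis.principalMatch === 'AccountLevelMatch');
+}
 //# sourceMappingURL=StatementAnalysis.js.map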
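Review bot: The two commented-out `identityStatementUknownAllow`/`identityStatementUknownDeny` bodies ship as dead code in the build output, and since `conditionMatch` is typed `'Match' | 'NoMatch'` (condition.d.ts section) an `'Unknown'` outcome can no longer occur; either delete the blocks or restore them as real code if unknown handling is still planned. `identityStatementAllows` and `identityStatementExplicitDeny` are the same four-way check differing only in the expected effect, so a private helper, `function identityStatementMatchesWithEffect(statement, effect) { return statement.resourceMatch && statement.actionMatch && statement.conditionMatch === 'Match' && statement.statement.effect() === effect; }`, with both exports delegating to it would remove the duplication and keep the two checks from drifting. Neither identity helper consults `principalMatch`, which `statementMatches` does; if that is intentional for identity-based policies it deserves a comment at the top of each helper. The source is src/StatementAnalysis.ts per the sourcemap.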
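--- a/package/dist/cjs/StatementAnalysis.js.map
+++ b/package/dist/cjs/StatementAnalysis.js.map
@@ -1 +1 @@
-{"version":3,"file":"StatementAnalysis.js","sourceRoot":"","sources":["../../src/StatementAnalysis.ts"],"names":[],"mappings":""}
+{"version":3,"file":"StatementAnalysis.js","sourceRoot":"","sources":["../../src/StatementAnalysis.ts"],"names":[],"mappings":";;AA4CA,0DAQC;AAsBD,sEAQC;AAED,4CAKC;AAnDD;;;;;GAKG;AACH,SAAgB,uBAAuB,CAAC,SAA4B;IAClE,IAAG,SAAS,CAAC,aAAa;QACxB,SAAS,CAAC,WAAW;QACrB,SAAS,CAAC,cAAc,KAAK,OAAO;QACpC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,OAAO,EAAE,CAAC;QACzC,OAAO,IAAI,CAAC;IAChB,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,wFAAwF;AACxF,kCAAkC;AAClC,+BAA+B;AAC/B,gDAAgD;AAChD,kDAAkD;AAClD,qBAAqB;AACrB,MAAM;AACN,iBAAiB;AACjB,IAAI;AAEJ,uFAAuF;AACvF,kCAAkC;AAClC,+BAA+B;AAC/B,gDAAgD;AAChD,iDAAiD;AACjD,qBAAqB;AACrB,MAAM;AACN,iBAAiB;AACjB,IAAI;AAEJ,SAAgB,6BAA6B,CAAC,SAA4B;IACxE,IAAG,SAAS,CAAC,aAAa;QACxB,SAAS,CAAC,WAAW;QACrB,SAAS,CAAC,cAAc,KAAK,OAAO;QACpC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,MAAM,EAAE,CAAC;QACxC,OAAO,IAAI,CAAC;IAChB,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAgB,gBAAgB,CAAC,QAAwG;IACvI,OAAO,QAAQ,CAAC,aAAa;QAC3B,QAAQ,CAAC,WAAW;QACpB,QAAQ,CAAC,cAAc,KAAK,OAAO;QACnC,CAAC,QAAQ,CAAC,cAAc,KAAK,OAAO,IAAI,QAAQ,CAAC,cAAc,KAAK,mBAAmB,CAAC,CAAC;AAC7F,CAAC"}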
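--- a/package/dist/cjs/action/action.d.ts
+++ b/package/dist/cjs/action/action.d.ts
@@ -1,4 +1,5 @@
 import { Action, Statement } from "@cloud-copilot/iam-policy";
+import { ActionExplain, StatementExplain } from "../explain/statementExplain.js";
 import { AwsRequest } from "../request/request.js";
 /**
 * Check if a request matches the Action or NotAction elements of a statement.
@@ -7,7 +8,10 @@ import { AwsRequest } from "../request/request.js";
 * @param statement the statement to check against
 * @returns true if the request matches the Action or NotAction in the statement, false otherwise
 */
-export declare function requestMatchesStatementActions(request: AwsRequest, statement: Statement):
+export declare function requestMatchesStatementActions(request: AwsRequest, statement: Statement): {
+matches: boolean;
+details: Pick<StatementExplain, 'actions' | 'notActions'>;
+};
 /**
 * Check if a request matches a set of actions.
 *
@@ -15,7 +19,10 @@ export declare function requestMatchesStatementActions(request: AwsRequest, stat
 * @param actions the actions to check against
 * @returns true if the request matches any of the actions, false otherwise
 */
-export declare function requestMatchesActions(request: AwsRequest, actions: Action[]):
+export declare function requestMatchesActions(request: AwsRequest, actions: Action[]): {
+matches: boolean;
+explains: ActionExplain[];
+};
 /**
 * Check if a request does not match a set of actions.
 *
@@ -23,5 +30,8 @@ export declare function requestMatchesActions(request: AwsRequest, actions: Acti
 * @param actions the actions to check against
 * @returns true if the request does not match any of the actions, false if the request matches any of the actions
 */
-export declare function requestMatchesNotActions(request: AwsRequest, actions: Action[]):
+export declare function requestMatchesNotActions(request: AwsRequest, actions: Action[]): {
+matches: boolean;
+explains: ActionExplain[];
+};
 //# sourceMappingURL=action.d.ts.map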
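Review bot: The three `@returns` lines still describe a boolean (`true if the request matches ..., false otherwise`) while the declarations now return `{ matches; details }` and `{ matches; explains }`, so the published docs are wrong for `requestMatchesStatementActions`, `requestMatchesActions` and `requestMatchesNotActions` (the second, third and fourth hunks of this section). Update the JSDoc in src/action/action.ts, e.g. `@returns an object whose matches field is true if the request matches any of the actions, plus one ActionExplain per action in explains`, and the equivalent wording for the statement-level function's `details` field. The `explains` array is in the same order as the `actions` argument per the `map` in action.js, which is worth stating since the statement-level caller indexes `explains[0]`.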
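--- a/package/dist/cjs/action/action.d.ts.map
+++ b/package/dist/cjs/action/action.d.ts.map
@@ -1 +1 @@
-{"version":3,"file":"action.d.ts","sourceRoot":"","sources":["../../../src/action/action.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;
+{"version":3,"file":"action.d.ts","sourceRoot":"","sources":["../../../src/action/action.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,gCAAgC,CAAC;AACjF,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAEnD;;;;;;GAMG;AACH,wBAAgB,8BAA8B,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,GAAG;IAAC,OAAO,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,IAAI,CAAC,gBAAgB,EAAE,SAAS,GAAG,YAAY,CAAC,CAAA;CAAC,CAevK;AAiBD;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG;IAAC,OAAO,EAAE,OAAO,CAAC;IAAC,QAAQ,EAAE,aAAa,EAAE,CAAA;CAAC,CAI3H;AAED;;;;;;GAMG;AACH,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG;IAAC,OAAO,EAAE,OAAO,CAAC;IAAC,QAAQ,EAAE,aAAa,EAAE,CAAA;CAAC,CAS9H"}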
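--- a/package/dist/cjs/action/action.js
+++ b/package/dist/cjs/action/action.js
@@ -12,10 +12,18 @@ exports.requestMatchesNotActions = requestMatchesNotActions;
 */
 function requestMatchesStatementActions(request, statement) {
 if (statement.isActionStatement()) {
-
+const { matches, explains } = requestMatchesActions(request, statement.actions());
+if (!statement.actionIsArray()) {
+return { matches, details: { actions: explains[0] } };
+}
+return { matches, details: { actions: explains } };
 }
 else if (statement.isNotActionStatement()) {
-
+const { matches, explains } = requestMatchesNotActions(request, statement.notActions());
+if (!statement.notActionIsArray()) {
+return { matches, details: { notActions: explains[0] } };
+}
+return { matches, details: { notActions: explains } };
 }
 throw new Error('Statement has neither Actions nor NotActions');
 }
@@ -40,24 +48,9 @@ function convertActionToRegex(action) {
 * @returns true if the request matches any of the actions, false otherwise
 */
 function requestMatchesActions(request, actions) {
-
-
-
-}
-else if (action.isServiceAction()) {
-if (request.action.service() != action.service()) {
-continue;
-}
-const actionRegex = convertActionToRegex(action.action());
-if (actionRegex.test(request.action.action())) {
-return true;
-}
-}
-else {
-throw new Error('Unknown action type');
-}
-}
-return false;
+const explains = actions.map(action => requestMatchesSingleAction(request, action));
+const matches = explains.some(explain => explain.matches);
+return { matches, explains };
 }
 /**
 * Check if a request does not match a set of actions.
@@ -67,6 +60,35 @@ function requestMatchesActions(request, actions) {
 * @returns true if the request does not match any of the actions, false if the request matches any of the actions
 */
 function requestMatchesNotActions(request, actions) {
-
+const explains = actions.map(action => {
+const explain = requestMatchesSingleAction(request, action);
+explain.matches = !explain.matches;
+return explain;
+});
+const matches = explains.some(explain => explain.matches);
+return { matches, explains };
+}
+function requestMatchesSingleAction(request, action) {
+if (action.isWildcardAction()) {
+return {
+action: action.value(),
+matches: true,
+};
+}
+else if (action.isServiceAction()) {
+if (request.action.service() != action.service()) {
+return {
+action: action.value(),
+matches: false,
+};
+}
+const actionRegex = convertActionToRegex(action.action());
+const matches = actionRegex.test(request.action.action());
+return {
+action: action.value(),
+matches
+};
+}
+throw new Error('Unknown action type');
 }
 //# sourceMappingURL=action.js.map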
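Review bot: `requestMatchesSingleAction` compares services with the loose operator, `if (request.action.service() != action.service()) {`; both sides are strings, so `!==` is the intended check and matches the strict comparisons the rest of the new code uses. The same function calls `convertActionToRegex(action.action())` for every action on every request, so a RegExp is compiled per policy action per evaluation unless `convertActionToRegex` caches internally, which is not visible in this hunk; a module-level cache keyed by the action string would avoid the repeated work on large policies. The explain returned on a service mismatch carries only `action` and `matches: false`, so the explain output cannot distinguish a wrong service from a non-matching action pattern; a dedicated flag on that object, along the lines of the `failedBecauseMissing` fields used in condition.js, would make the CLI explanation more precise. The source is src/action/action.ts per the sourcemap.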
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"action.js","sourceRoot":"","sources":["../../../src/action/action.ts"],"names":[],"mappings":";;AAWA,
|
|
1
|
+
{"version":3,"file":"action.js","sourceRoot":"","sources":["../../../src/action/action.ts"],"names":[],"mappings":";;AAWA,wEAeC;AAwBD,sDAIC;AASD,4DASC;AApED;;;;;;GAMG;AACH,SAAgB,8BAA8B,CAAC,OAAmB,EAAE,SAAoB;IACtF,IAAG,SAAS,CAAC,iBAAiB,EAAE,EAAE,CAAC;QACjC,MAAM,EAAC,OAAO,EAAE,QAAQ,EAAC,GAAG,qBAAqB,CAAC,OAAO,EAAE,SAAS,CAAC,OAAO,EAAE,CAAC,CAAC;QAChF,IAAG,CAAC,SAAS,CAAC,aAAa,EAAE,EAAE,CAAC;YAC9B,OAAO,EAAC,OAAO,EAAE,OAAO,EAAE,EAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC,EAAC,EAAC,CAAC;QACpD,CAAC;QACD,OAAO,EAAC,OAAO,EAAE,OAAO,EAAE,EAAC,OAAO,EAAE,QAAQ,EAAC,EAAC,CAAC;IACjD,CAAC;SAAM,IAAI,SAAS,CAAC,oBAAoB,EAAE,EAAE,CAAC;QAC5C,MAAM,EAAC,OAAO,EAAE,QAAQ,EAAC,GAAG,wBAAwB,CAAC,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE,CAAC,CAAC;QACtF,IAAG,CAAC,SAAS,CAAC,gBAAgB,EAAE,EAAE,CAAC;YACjC,OAAO,EAAC,OAAO,EAAE,OAAO,EAAE,EAAC,UAAU,EAAE,QAAQ,CAAC,CAAC,CAAC,EAAC,EAAC,CAAC;QACvD,CAAC;QACD,OAAO,EAAC,OAAO,EAAE,OAAO,EAAE,EAAC,UAAU,EAAE,QAAQ,EAAC,EAAC,CAAC;IACpD,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;AAClE,CAAC;AAED;;;;;GAKG;AACH,SAAS,oBAAoB,CAAC,MAAc;IAC1C,IAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;IACvD,CAAC;IACD,MAAM,OAAO,GAAG,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,GAAG,CAAA;IAC5E,OAAO,IAAI,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;AACjC,CAAC;AAGD;;;;;;GAMG;AACH,SAAgB,qBAAqB,CAAC,OAAmB,EAAE,OAAiB;IAC1E,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,0BAA0B,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC;IACpF,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAC1D,OAAO,EAAC,OAAO,EAAE,QAAQ,EAAC,CAAC;AAC7B,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,wBAAwB,CAAC,OAAmB,EAAE,OAAiB;IAC7E,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE;QACpC,MAAM,OAAO,GAAG,0BAA0B,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;QAC3D,OAAO,CAAC,OAAO,GAAG,CAAC,OAAO,CAAC,OAAO,CAAA;QAClC,OAAO,OAAO,CAAA;IAChB,CAAC,CAAC,CAAC;IAEH,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAC1D,OAAO,EAAC,OAAO,EAAE,QAAQ,EA
AC,CAAC;AAC7B,CAAC;AAED,SAAS,0BAA0B,CAAC,OAAmB,EAAE,MAAc;IACrE,IAAI,MAAM,CAAC,gBAAgB,EAAE,EAAE,CAAC;QAC9B,OAAO;YACL,MAAM,EAAE,MAAM,CAAC,KAAK,EAAE;YACtB,OAAO,EAAE,IAAI;SACd,CAAA;IACH,CAAC;SAAM,IAAG,MAAM,CAAC,eAAe,EAAE,EAAE,CAAC;QACnC,IAAG,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,MAAM,CAAC,OAAO,EAAE,EAAE,CAAC;YAChD,OAAO;gBACL,MAAM,EAAE,MAAM,CAAC,KAAK,EAAE;gBACtB,OAAO,EAAE,KAAK;aACf,CAAA;QACH,CAAC;QACD,MAAM,WAAW,GAAG,oBAAoB,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;QAC1D,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAA;QACzD,OAAO;YACL,MAAM,EAAE,MAAM,CAAC,KAAK,EAAE;YACtB,OAAO;SACR,CAAA;IACH,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;AACzC,CAAC"}
|
|
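--- a/package/dist/cjs/condition/condition.d.ts
+++ b/package/dist/cjs/condition/condition.d.ts
@@ -1,6 +1,10 @@
 import { Condition } from '@cloud-copilot/iam-policy';
+import { ConditionExplain, StatementExplain } from '../explain/statementExplain.js';
 import { AwsRequest } from '../request/request';
-export type ConditionMatchResult = 'Match' | 'NoMatch'
-export declare function requestMatchesConditions(request: AwsRequest, conditions: Condition[]):
-
+export type ConditionMatchResult = 'Match' | 'NoMatch';
+export declare function requestMatchesConditions(request: AwsRequest, conditions: Condition[]): {
+matches: ConditionMatchResult;
+details: Pick<StatementExplain, 'conditions'>;
+};
+export declare function singleConditionMatchesRequest(request: AwsRequest, condition: Condition): ConditionExplain;
 //# sourceMappingURL=condition.d.ts.map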
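Review bot: `singleConditionMatchesRequest` becomes part of the public surface here without any TSDoc, and `requestMatchesConditions` has none either; callers now need to know that the returned `ConditionExplain.matches` already folds in the IfExists, negated-operator and set-operator handling done in condition.js, and that `matches: 'NoMatch'` is also what an unrecognised operator produces. A short doc on the source function, `/** Evaluates one Condition entry against the request and returns a ConditionExplain describing the outcome and why; see missingOperator for operators the simulator does not implement. */`, would cover it. The source is src/condition/condition.ts per the sourcemap.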
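--- a/package/dist/cjs/condition/condition.d.ts.map
+++ b/package/dist/cjs/condition/condition.d.ts.map
@@ -1 +1 @@
-{"version":3,"file":"condition.d.ts","sourceRoot":"","sources":["../../../src/condition/condition.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AA4BhD,MAAM,MAAM,oBAAoB,GAAG,OAAO,GAAG,SAAS,
+{"version":3,"file":"condition.d.ts","sourceRoot":"","sources":["../../../src/condition/condition.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,gBAAgB,EAAyB,gBAAgB,EAAE,MAAM,gCAAgC,CAAC;AAC3G,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AA4BhD,MAAM,MAAM,oBAAoB,GAAG,OAAO,GAAG,SAAS,CAAA;AAiBtD,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG;IAAE,OAAO,EAAE,oBAAoB,CAAC;IAAC,OAAO,EAAE,IAAI,CAAC,gBAAgB,EAAE,YAAY,CAAC,CAAA;CAAE,CAiBvK;AAED,wBAAgB,6BAA6B,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,GAAG,gBAAgB,CAuKzG"}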
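--- a/package/dist/cjs/condition/condition.js
+++ b/package/dist/cjs/condition/condition.js
@@ -42,15 +42,21 @@ for (const operator of allOperators) {
 }
 function requestMatchesConditions(request, conditions) {
 const results = conditions.map(condition => singleConditionMatchesRequest(request, condition));
-const unknowns = results.filter(result => result === 'Unknown')
-if
-
-}
-const
-
-
-
-
+// const unknowns = results.filter(result => result === 'Unknown')
+// if(unknowns.length > 0) {
+// return 'Unknown'
+// }
+const nonMatch = results.some(result => !result.matches);
+return {
+matches: nonMatch ? 'NoMatch' : 'Match',
+details: {
+conditions: results
+}
+};
+// if(noMatches.length > 0 ) {
+// return
+// }
+// return 'Match'
 }
 function singleConditionMatchesRequest(request, condition) {
 const key = condition.conditionKey();
@@ -65,59 +71,164 @@ function singleConditionMatchesRequest(request, condition) {
 const setOperator = condition.operation().setOperator();
 if (setOperator === 'ForAnyValue') {
 if (!keyExists || !keyValue || !keyValue.isArrayValue()) {
-return
+return {
+operator: condition.operation().value(),
+conditionKeyValue: condition.conditionKey(),
+values: [],
+matches: false,
+failedBecauseMissing: !keyExists || !keyValue,
+failedBecauseNotArray: keyValue && !keyValue.isArrayValue()
+};
+// return 'NoMatch'
 }
 if (!baseOperation) {
-return
+//TODO: This should return a nomatch rather than throw an error
+// throw new Error(`Unknown base operation: ${condition.operation().baseOperator()}`)
+return {
+operator: condition.operation().value(),
+conditionKeyValue: condition.conditionKey(),
+values: [],
+matches: false,
+missingOperator: true
+};
 }
 //Do the loop
 const anyMatch = keyValue.values.some(value => {
 return baseOperation(request, value, policyValues);
 });
-return
+return {
+operator: condition.operation().value(),
+conditionKeyValue: condition.conditionKey(),
+values: [],
+matches: anyMatch
+};
+// return anyMatch ? 'Match' : 'NoMatch'
 }
 else if (setOperator === 'ForAllValues') {
 if (!keyExists) {
-return
+return {
+operator: condition.operation().value(),
+conditionKeyValue: condition.conditionKey(),
+values: [],
+matches: true,
+matchedBecauseMissing: true
+};
+// return 'Match'
 }
 if (!keyValue || !keyValue.isArrayValue()) {
-return
+return {
+operator: condition.operation().value(),
+conditionKeyValue: condition.conditionKey(),
+values: [],
+matches: false,
+failedBecauseMissing: !keyValue,
+failedBecauseNotArray: !!keyValue && !keyValue.isArrayValue()
+};
+// return 'NoMatch'
 }
 if (!baseOperation) {
-return
+//TODO: This should return a nomatch rather than throw an error
+return {
+operator: condition.operation().value(),
+conditionKeyValue: condition.conditionKey(),
+values: [],
+matches: false,
+missingOperator: true
+};
 }
 //Do the loop
 const anyNotMatch = keyValue.values.some(value => {
+//TODO: Need to add explains for each value
 return !baseOperation(request, value, policyValues);
 });
-return
+return {
+operator: condition.operation().value(),
+conditionKeyValue: condition.conditionKey(),
+values: [],
+matches: !anyNotMatch
+};
+//return anyNotMatch ? 'NoMatch' : 'Match'
 }
 else {
 throw new Error(`Unknown set operator: ${setOperator}`);
 }
 }
-
+const isNotOperator = condition.operation().baseOperator().toLowerCase().includes('not');
+if (condition.operation().isIfExists() || isNotOperator) {
 //Check if it exists, return true if it doesn't
 //Double check what happens here if the key is not a valid key or is of the wrong type
 if (!keyExists) {
-return
+return {
+operator: condition.operation().value(),
+conditionKeyValue: condition.conditionKey(),
+values: [],
+matches: true,
+matchedBecauseMissing: true
+};
+// return 'Match'
 }
 }
 if (!keyValue || !keyValue.isStringValue()) {
 //Set operator is required for a multi-value key
-return
+return {
+operator: condition.operation().value(),
+conditionKeyValue: condition.conditionKey(),
+values: [],
+matches: false,
+failedBecauseMissing: !keyValue,
+failedBecauseArray: keyValue?.isArrayValue(),
+};
+// return 'NoMatch'
 }
 if (!baseOperation) {
-return
+//TODO: This should return a nomatch rather than throw an error
+// throw new Error(`Unknown base operation: ${condition.operation().baseOperator()}`)
+return {
+operator: condition.operation().value(),
+conditionKeyValue: condition.conditionKey(),
+values: [],
+matches: false,
+missingOperator: true
+};
+}
+const valueExplains = policyValues.map(value => {
+const valueMatch = baseOperation(request, keyValue.value, [value]);
+const explain = {
+value,
+matches: valueMatch
+};
+if (isNotOperator) {
+explain.negativeMatchingValues = [value];
+}
+else {
+explain.matchingValues = [value];
+}
+return explain;
+});
+let matches = valueExplains.some(explain => explain.matches);
+if (isNotOperator) {
+matches = valueExplains.every(explain => explain.matches);
 }
-
-
+return {
+operator: condition.operation().value(),
+conditionKeyValue: condition.conditionKey(),
+values: valueExplains,
+matches
+};
 }
 function testNull(condition, keyExists) {
-const
-
-return
-
-
+const goalValue = keyExists ? 'false' : 'true';
+const conditionValues = condition.conditionValues().map(value => {
+return {
+value,
+matches: value.toLowerCase() === goalValue
+};
+});
+return {
+operator: condition.operation().value(),
+conditionKeyValue: condition.conditionKey(),
+values: conditionValues,
+matches: conditionValues.some(value => value.matches)
+};
 }
 //# sourceMappingURL=condition.js.map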
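Review bot: Every `if (!baseOperation)` branch in `singleConditionMatchesRequest` now returns `matches: false` with `missingOperator: true`, and `requestMatchesConditions` folds that into `'NoMatch'`, so a statement whose condition operator the simulator does not implement is treated as simply not applying — fail-closed for an `Allow`, but for a `Deny` the deny silently disappears from the evaluation and the simulator can report an allow where the real service would never have accepted such a policy. Since the explain already carries `missingOperator`, `requestMatchesConditions` should surface it rather than hide it, e.g. `if (results.some(result => result.missingOperator)) { throw new Error('Unknown condition operator'); }` ahead of the `nonMatch` computation, or a third `ConditionMatchResult` member that `identityStatementExplicitDeny` treats conservatively; the `//TODO` comments at the three sites suggest this is still open. Separately, `const isNotOperator = condition.operation().baseOperator().toLowerCase().includes('not');` is a substring test that fits today's operator names but would misclassify any future operator containing that fragment, so an explicit set of negated operators is safer. `matchingValues`/`negativeMatchingValues` are filled for every policy value regardless of `valueMatch`, so explain consumers cannot tell from them which value actually matched. `singleConditionMatchesRequest` starts before this hunk; the source is src/condition/condition.ts per the sourcemap.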
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"condition.js","sourceRoot":"","sources":["../../../src/condition/condition.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"condition.js","sourceRoot":"","sources":["../../../src/condition/condition.ts"],"names":[],"mappings":";;AA+CA,4DAiBC;AAED,sEAuKC;AAtOD,qDAA+C;AAC/C,iDAA2C;AAC3C,2DAAqD;AACrD,uDAAiD;AAEjD,8DAAwD;AACxD,+CAAyC;AACzC,wDAAkD;AAClD,kEAA4D;AAC5D,8EAAwE;AACxE,4DAAsD;AACtD,wEAAkE;AAClE,8DAAwD;AACxD,2DAAqD;AACrD,iEAA2D;AAC3D,iEAA2D;AAC3D,2EAAqE;AACrE,uFAAiF;AACjF,qEAA+D;AAC/D,uEAAiE;AACjE,8DAAwD;AACxD,kFAA4E;AAC5E,0DAAoD;AACpD,oEAA8D;AAC9D,wFAAkF;AAClF,gEAA0D;AAI1D,MAAM,YAAY,GAAG;IACnB,8BAAY,EAAE,oCAAe,EAAE,kDAAsB,EAAE,wDAAyB,EAAE,0BAAU,EAAE,gCAAa;IAC3G,gCAAa,EAAE,sCAAgB,EAAE,oCAAe,EAAE,sCAAgB,EAAE,0CAAkB,EAAE,sDAAwB;IAChH,0BAAU,EAAE,gCAAa,EAAE,8BAAY,EAAE,0CAAkB,EAAE,oCAAe,EAAE,gDAAqB;IACnG,cAAI;IACJ,8BAAY;IACZ,wBAAS,EAAE,8BAAY;IACvB,oBAAO,EAAE,wBAAS,EAAE,0BAAU,EAAE,8BAAY;CAC7C,CAAA;AAED,MAAM,cAAc,GAA6C,EAAE,CAAA;AACnE,KAAI,MAAM,QAAQ,IAAI,YAAY,EAAE,CAAC;IACnC,cAAc,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,GAAG,QAAQ,CAAA;AACxD,CAAC;AAED,SAAgB,wBAAwB,CAAC,OAAmB,EAAE,UAAuB;IACnF,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC,6BAA6B,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC,CAAA;IAC9F,kEAAkE;IAClE,4BAA4B;IAC5B,qBAAqB;IACrB,IAAI;IACJ,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;IACxD,OAAO;QACL,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO;QACvC,OAAO,EAAE;YACP,UAAU,EAAE,OAAO;SACpB;KACF,CAAA;IACD,8BAA8B;IAC9B,WAAW;IACX,IAAI;IACJ,iBAAiB;AACnB,CAAC;AAED,SAAgB,6BAA6B,CAAC,OAAmB,EAAE,SAAoB;IACrF,MAAM,GAAG,GAAG,SAAS,CAAC,YAAY,EAAE,CAAA;IACpC,MAAM,YAAY,GAAG,SAAS,CAAC,eAAe,EAAE,CAAA;IAChD,MAAM,aAAa,GAAG,cAAc,CAAC,SAAS,CAAC,SAAS,EAAE,CAAC,YAAY,EAAE,CAAC,WAAW,EAAE,CAAC,EAAE,OAAO,CAAA;IACjG,MAAM,SAAS,GAAG,OAAO,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAA;IAC/C,MAAM,QAAQ,GAAG,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;IAExE,IAAG,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE,CAAC,WAAW,EAAE,IAAI,MAAM,IAAI,SAAS,CAAC,SAAS,EAAE,CAAC,YAAY,EAAE,EAAE,WAAW,EAAE,IAAI,MAAM,EAAE,CAAC;QAC1H,OAAO,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAC,CAAA;IA
CvC,CAAC;IAED,IAAG,SAAS,CAAC,SAAS,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC;QACvC,MAAM,WAAW,GAAG,SAAS,CAAC,SAAS,EAAE,CAAC,WAAW,EAAE,CAAA;QACvD,IAAG,WAAW,KAAK,aAAa,EAAE,CAAC;YACjC,IAAG,CAAC,SAAS,IAAI,CAAC,QAAQ,IAAI,CAAC,QAAQ,CAAC,YAAY,EAAE,EAAE,CAAC;gBACvD,OAAO;oBACL,QAAQ,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE;oBACvC,iBAAiB,EAAE,SAAS,CAAC,YAAY,EAAE;oBAC3C,MAAM,EAAE,EAAE;oBACV,OAAO,EAAE,KAAK;oBACd,oBAAoB,EAAE,CAAC,SAAS,IAAI,CAAC,QAAQ;oBAC7C,qBAAqB,EAAE,QAAQ,IAAI,CAAC,QAAQ,CAAC,YAAY,EAAE;iBAC5D,CAAA;gBACD,mBAAmB;YACrB,CAAC;YAED,IAAG,CAAC,aAAa,EAAE,CAAC;gBAClB,+DAA+D;gBAC/D,qFAAqF;gBACrF,OAAO;oBACL,QAAQ,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE;oBACvC,iBAAiB,EAAE,SAAS,CAAC,YAAY,EAAE;oBAC3C,MAAM,EAAE,EAAE;oBACV,OAAO,EAAE,KAAK;oBACd,eAAe,EAAE,IAAI;iBACtB,CAAA;YACH,CAAC;YACD,aAAa;YACb,MAAM,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE;gBAC5C,OAAO,aAAa,CAAC,OAAO,EAAE,KAAK,EAAE,YAAY,CAAC,CAAA;YACpD,CAAC,CAAC,CAAA;YAEF,OAAO;gBACL,QAAQ,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE;gBACvC,iBAAiB,EAAE,SAAS,CAAC,YAAY,EAAE;gBAC3C,MAAM,EAAE,EAAE;gBACV,OAAO,EAAE,QAAQ;aAClB,CAAA;YACD,wCAAwC;QAC1C,CAAC;aAAM,IAAI,WAAW,KAAK,cAAc,EAAE,CAAC;YAC1C,IAAG,CAAC,SAAS,EAAE,CAAC;gBACd,OAAO;oBACL,QAAQ,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE;oBACvC,iBAAiB,EAAE,SAAS,CAAC,YAAY,EAAE;oBAC3C,MAAM,EAAE,EAAE;oBACV,OAAO,EAAE,IAAI;oBACb,qBAAqB,EAAE,IAAI;iBAC5B,CAAA;gBACD,iBAAiB;YACnB,CAAC;YACD,IAAG,CAAC,QAAQ,IAAI,CAAC,QAAQ,CAAC,YAAY,EAAE,EAAE,CAAC;gBACzC,OAAO;oBACL,QAAQ,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE;oBACvC,iBAAiB,EAAE,SAAS,CAAC,YAAY,EAAE;oBAC3C,MAAM,EAAE,EAAE;oBACV,OAAO,EAAE,KAAK;oBACd,oBAAoB,EAAE,CAAC,QAAQ;oBAC/B,qBAAqB,EAAE,CAAC,CAAC,QAAQ,IAAI,CAAC,QAAQ,CAAC,YAAY,EAAE;iBAC9D,CAAA;gBACD,mBAAmB;YACrB,CAAC;YACD,IAAG,CAAC,aAAa,EAAE,CAAC;gBAClB,+DAA+D;gBAC/D,OAAO;oBACL,QAAQ,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE;oBACvC,iBAAiB,EAAE,SAAS,CAAC,YAAY,EAAE;oBAC3C,MAAM,EAAE,EAAE;oBACV,OAAO,EAAE,KAAK;oBACd,eAAe,EAAE,IAAI;iBACtB,CAAA;YACH,CAAC;YACD,aAAa;YACb,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE;
gBAC/C,2CAA2C;gBAC3C,OAAO,CAAC,aAAa,CAAC,OAAO,EAAE,KAAK,EAAE,YAAY,CAAC,CAAA;YACrD,CAAC,CAAC,CAAA;YAEF,OAAO;gBACL,QAAQ,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE;gBACvC,iBAAiB,EAAE,SAAS,CAAC,YAAY,EAAE;gBAC3C,MAAM,EAAE,EAAE;gBACV,OAAO,EAAE,CAAC,WAAW;aACtB,CAAA;YACD,0CAA0C;QAC5C,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CAAC,yBAAyB,WAAW,EAAE,CAAC,CAAA;QACzD,CAAC;IACH,CAAC;IAGD,MAAM,aAAa,GAAG,SAAS,CAAC,SAAS,EAAE,CAAC,YAAY,EAAE,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IACxF,IAAG,SAAS,CAAC,SAAS,EAAE,CAAC,UAAU,EAAE,IAAI,aAAa,EAAE,CAAC;QACvD,+CAA+C;QAC/C,sFAAsF;QACtF,IAAG,CAAC,SAAS,EAAE,CAAC;YACd,OAAO;gBACL,QAAQ,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE;gBACvC,iBAAiB,EAAE,SAAS,CAAC,YAAY,EAAE;gBAC3C,MAAM,EAAE,EAAE;gBACV,OAAO,EAAE,IAAI;gBACb,qBAAqB,EAAE,IAAI;aAC5B,CAAA;YACD,iBAAiB;QACnB,CAAC;IACH,CAAC;IAED,IAAG,CAAC,QAAQ,IAAI,CAAC,QAAQ,CAAC,aAAa,EAAE,EAAE,CAAC;QAC1C,gDAAgD;QAChD,OAAO;YACL,QAAQ,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE;YACvC,iBAAiB,EAAE,SAAS,CAAC,YAAY,EAAE;YAC3C,MAAM,EAAE,EAAE;YACV,OAAO,EAAE,KAAK;YACd,oBAAoB,EAAE,CAAC,QAAQ;YAC/B,kBAAkB,EAAE,QAAQ,EAAE,YAAY,EAAE;SAC7C,CAAA;QACD,mBAAmB;IACrB,CAAC;IAED,IAAG,CAAC,aAAa,EAAE,CAAC;QAClB,+DAA+D;QAC/D,qFAAqF;QACrF,OAAO;YACL,QAAQ,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE;YACvC,iBAAiB,EAAE,SAAS,CAAC,YAAY,EAAE;YAC3C,MAAM,EAAE,EAAE;YACV,OAAO,EAAE,KAAK;YACd,eAAe,EAAE,IAAI;SACtB,CAAA;IACH,CAAC;IAED,MAAM,aAAa,GAAG,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE;QAC7C,MAAM,UAAU,GAAG,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,CAAC,CAAA;QAClE,MAAM,OAAO,GAAyB;YACpC,KAAK;YACL,OAAO,EAAE,UAAU;SACpB,CAAA;QACD,IAAG,aAAa,EAAE,CAAC;YACjB,OAAO,CAAC,sBAAsB,GAAG,CAAC,KAAK,CAAC,CAAA;QAC1C,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,cAAc,GAAG,CAAC,KAAK,CAAC,CAAA;QAClC,CAAC;QACD,OAAO,OAAO,CAAA;IAChB,CAAC,CAAC,CAAA;IAEF,IAAI,OAAO,GAAG,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;IAE5D,IAAG,aAAa,EAAE,CAAC;QACjB,OAAO,GAAG,aAAa,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;IAC3D,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EA
AE;QACvC,iBAAiB,EAAE,SAAS,CAAC,YAAY,EAAE;QAC3C,MAAM,EAAE,aAAa;QACrB,OAAO;KACR,CAAA;AACH,CAAC;AAED,SAAS,QAAQ,CAAC,SAAoB,EAAE,SAAkB;IACxD,MAAM,SAAS,GAAG,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAA;IAC9C,MAAM,eAAe,GAA4B,SAAS,CAAC,eAAe,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE;QACvF,OAAO;YACL,KAAK;YACL,OAAO,EAAE,KAAK,CAAC,WAAW,EAAE,KAAK,SAAS;SAC3C,CAAA;IACH,CAAC,CAAC,CAAA;IAEF,OAAO;QACL,QAAQ,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE;QACvC,iBAAiB,EAAE,SAAS,CAAC,YAAY,EAAE;QAC3C,MAAM,EAAE,eAAe;QACvB,OAAO,EAAE,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,CAAC,OAAO,CAAC;KACtD,CAAA;AACH,CAAC"}
|
|
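--- a/dist/cjs/core_engine/coreSimulatorEngine.d.ts
+++ b/dist/cjs/core_engine/coreSimulatorEngine.d.ts
@@ -1,9 +1,7 @@
-import {
-import {
+import { AnnotatedPolicy } from "@cloud-copilot/iam-policy";
+import { IdentityAnalysis, RequestAnalysis, ResourceAnalysis, ScpAnalysis } from "../evaluate.js";
 import { AwsRequest } from "../request/request.js";
-import { SCPAnalysis } from "../SCPAnalysis.js";
 import { ServiceAuthorizer } from "../services/ServiceAuthorizer.js";
-import { StatementAnalysis } from "../StatementAnalysis.js";
 /**
 * A set of service control policies for each level of an organization tree
 */
@@ -15,7 +13,7 @@ export interface ServiceControlPolicies {
 /**
 * The policies that apply to this organizational unit.
 */
-policies:
+policies: AnnotatedPolicy[];
 }
 /**
 * A reqest to authorize a service action.
@@ -28,7 +26,7 @@ export interface AuthorizationRequest {
 /**
 * The identity policies that are applicable to the principal making the request.
 */
-identityPolicies:
+identityPolicies: AnnotatedPolicy[];
 /**
 * The service control policies that apply to the principal making the request. In
 * order of the orgnaization hierarchy. So the root ou SCPS should be first.
@@ -37,7 +35,7 @@ export interface AuthorizationRequest {
 /**
 * The resource policy that applies to the resource being accessed.
 */
-resourcePolicy:
+resourcePolicy: AnnotatedPolicy | undefined;
 }
 /**
 * Authorizes a request.
@@ -47,7 +45,7 @@ export interface AuthorizationRequest {
 * @param request the request to authorize
 * @returns the result of the authorization
 */
-export declare function authorize(request: AuthorizationRequest):
+export declare function authorize(request: AuthorizationRequest): RequestAnalysis;
 /**
 * Get the appropriate service authorizer for the request. Some services have specific authorization logic in
 * them. If there is no service specific authorizer, a default one will be used.
@@ -63,7 +61,7 @@ export declare function getServiceAuthorizer(request: AuthorizationRequest): Ser
 * @param request the request to analyze against
 * @returns an array of statement analysis results
 */
-export declare function analyzeIdentityPolicies(identityPolicies:
+export declare function analyzeIdentityPolicies(identityPolicies: AnnotatedPolicy[], request: AwsRequest): IdentityAnalysis;
 /**
 * Analyzes a set of service control policies and the statements within them.
 *
@@ -71,7 +69,7 @@ export declare function analyzeIdentityPolicies(identityPolicies: Policy[], requ
 * @param request the request to analyze against
 * @returns an array of SCP analysis results
 */
-export declare function analyzeServiceControlPolicies(serviceControlPolicies: ServiceControlPolicies[], request: AwsRequest):
+export declare function analyzeServiceControlPolicies(serviceControlPolicies: ServiceControlPolicies[], request: AwsRequest): ScpAnalysis;
 /**
 * Analyze a resource policy and return the results
 *
@@ -79,5 +77,5 @@ export declare function analyzeServiceControlPolicies(serviceControlPolicies: Se
 * @param request the request to analyze against
 * @returns an array of statement analysis results
 */
-export declare function analyzeResourcePolicy(resourcePolicy:
+export declare function analyzeResourcePolicy(resourcePolicy: AnnotatedPolicy | undefined, request: AwsRequest): ResourceAnalysis;
 //# sourceMappingURL=coreSimulatorEngine.d.ts.map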
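Review bot: The `@returns` comments above analyzeIdentityPolicies, analyzeServiceControlPolicies and analyzeResourcePolicy still say "an array of … results", while the new declarations (new lines 64, 72 and 80 of this section) return the named IdentityAnalysis, ScpAnalysis and ResourceAnalysis types imported from ../evaluate.js; if those are aggregate objects rather than arrays, the published API documentation is now stale. A wording such as `* @returns the identity analysis result for the supplied policies`, with matching phrasing for the SCP and resource variants, would keep the docs in step with the signatures. Because this file is emitted declaration output, the change belongs in the mapped source src/core_engine/coreSimulatorEngine.ts rather than in dist. The same comment blocks also carry the pre-existing typos `reqest` and `orgnaization`, which could be fixed in the same pass.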
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"coreSimulatorEngine.d.ts","sourceRoot":"","sources":["../../../src/core_engine/coreSimulatorEngine.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"coreSimulatorEngine.d.ts","sourceRoot":"","sources":["../../../src/core_engine/coreSimulatorEngine.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAa,MAAM,2BAA2B,CAAC;AAGvE,OAAO,EAAoB,gBAAgB,EAAiB,eAAe,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAGnI,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAGnD,OAAO,EAAE,iBAAiB,EAAE,MAAM,kCAAkC,CAAC;AAGrE;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC;;OAEG;IACH,aAAa,EAAE,MAAM,CAAC;IAEtB;;OAEG;IACH,QAAQ,EAAE,eAAe,EAAE,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC;;OAEG;IACH,OAAO,EAAE,UAAU,CAAC;IAEpB;;OAEG;IACH,gBAAgB,EAAE,eAAe,EAAE,CAAA;IAEnC;;;OAGG;IACH,sBAAsB,EAAE,sBAAsB,EAAE,CAAA;IAEhD;;OAEG;IACH,cAAc,EAAE,eAAe,GAAG,SAAS,CAAC;CAC7C;AAID;;;;;;;GAOG;AACH,wBAAgB,SAAS,CAAC,OAAO,EAAE,oBAAoB,GAAG,eAAe,CAYxE;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,oBAAoB,GAAG,iBAAiB,CAMrF;AAED;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,gBAAgB,EAAE,eAAe,EAAE,EAAE,OAAO,EAAE,UAAU,GAAG,gBAAgB,CA0ClH;AAED;;;;;;GAMG;AACH,wBAAgB,6BAA6B,CAAC,sBAAsB,EAAE,sBAAsB,EAAE,EAAE,OAAO,EAAE,UAAU,GAAG,WAAW,CAyDhI;AAED;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CAAC,cAAc,EAAE,eAAe,GAAG,SAAS,EAAE,OAAO,EAAE,UAAU,GAAG,gBAAgB,CAgDxH"}
|