@cloud-copilot/iam-simulate 0.1.11 → 0.1.13-1

package/dist/cjs/principal/principal.js

@@ -14,14 +14,23 @@ exports.requestMatchesStatementPrincipals = requestMatchesStatementPrincipals;
  * @returns if the request matches the Principal element, and if so, how it matches
  */
 function requestMatchesPrincipal(request, principal) {
-    const matches = principal.map(principalStatement => requestMatchesPrincipalStatement(request, principalStatement));
-    if (matches.includes('Match')) {
-        return 'Match';
+    const explains = principal.map(principalStatement => requestMatchesPrincipalStatement(request, principalStatement));
+    if (explains.some(exp => exp.matches === 'Match')) {
+        return {
+            matches: 'Match',
+            explains
+        };
     }
-    if (matches.includes('AccountLevelMatch')) {
-        return 'AccountLevelMatch';
+    if (explains.some(exp => exp.matches === 'AccountLevelMatch')) {
+        return {
+            matches: 'AccountLevelMatch',
+            explains
+        };
     }
-    return 'NoMatch';
+    return {
+        matches: 'NoMatch',
+        explains
+    };
 }
 /**
  * Check to see if a request matches a NotPrincipal element in an IAM policy statement
@@ -31,20 +40,40 @@ function requestMatchesPrincipal(request, principal) {
  * @returns
  */
 function requestMatchesNotPrincipal(request, notPrincipal) {
-    const matches = notPrincipal.map(principalStatement => requestMatchesPrincipalStatement(request, principalStatement));
-    if (matches.includes('Match')) {
-        return 'NoMatch';
-    }
-    /**
-     * Need to do research on this. If there is an account level match on a NotPrincipal, does that
-     * mean it tentatively matches the NotPrincipal, or does it mean it does not match the NotPrincipal?
-     *
-     * We need to test this.
-     */
-    if (matches.includes('AccountLevelMatch')) {
-        return 'NoMatch';
+    // const matches = notPrincipal.map(principalStatement => requestMatchesPrincipalStatement(request, principalStatement))
+    const explains = notPrincipal.map(principalStatement => {
+        const explain = requestMatchesPrincipalStatement(request, principalStatement);
+        /**
+         * Need to do research on this. If there is an account level match on a NotPrincipal, does that
+         * mean it tentatively matches the NotPrincipal, or does it mean it does not match the NotPrincipal?
+         *
+         * We need to test this.
+         */
+        if (explain.matches === 'Match' || explain.matches === 'AccountLevelMatch') {
+            explain.matches = 'NoMatch';
+        }
+        else {
+            explain.matches = 'Match';
+        }
+        return explain;
+    });
+    if (explains.some(exp => exp.matches === 'Match')) {
+        return {
+            matches: 'Match',
+            explains
+        };
     }
-    return 'Match';
+    return {
+        matches: 'NoMatch',
+        explains
+    };
+    // if(matches.includes('Match')) {
+    //   return 'NoMatch'
+    // }
+    // if(matches.includes('AccountLevelMatch')) {
+    //   return 'NoMatch'
+    // }
+    // return 'Match'
 }
 /**
  * Check to see if a request matches a principal statement
@@ -56,44 +85,81 @@ function requestMatchesNotPrincipal(request, notPrincipal) {
 function requestMatchesPrincipalStatement(request, principalStatement) {
     if (principalStatement.isServicePrincipal()) {
         if (principalStatement.service() === request.principal.value()) {
-            return 'Match';
+            return {
+                matches: 'Match',
+                principal: principalStatement.value(),
+            };
         }
-        return 'NoMatch';
+        return {
+            matches: 'NoMatch',
+            principal: principalStatement.value(),
+        };
     }
     if (principalStatement.isCanonicalUserPrincipal()) {
         if (principalStatement.canonicalUser() === request.principal.value()) {
-            return 'Match';
+            return {
+                matches: 'Match',
+                principal: principalStatement.value(),
+            };
         }
-        return 'NoMatch';
+        return {
+            matches: 'NoMatch',
+            principal: principalStatement.value(),
+        };
     }
     if (principalStatement.isFederatedPrincipal()) {
         if (principalStatement.federated() === request.principal.value()) {
-            return 'Match';
+            return {
+                matches: 'Match',
+                principal: principalStatement.value(),
+            };
         }
-        return 'NoMatch';
+        return {
+            matches: 'NoMatch',
+            principal: principalStatement.value(),
+        };
     }
     if (principalStatement.isWildcardPrincipal()) {
-        return 'Match';
+        return {
+            matches: 'Match',
+            principal: principalStatement.value(),
+        };
     }
     if (principalStatement.isAccountPrincipal()) {
         if (principalStatement.accountId() === request.principal.accountId()) {
-            return 'AccountLevelMatch';
+            return {
+                matches: 'AccountLevelMatch',
+                principal: principalStatement.value(),
+            };
         }
-        return 'NoMatch';
+        return {
+            matches: 'NoMatch',
+            principal: principalStatement.value(),
+        };
     }
     if (principalStatement.isAwsPrincipal()) {
         if (isAssumedRoleArn(request.principal.value())) {
             const sessionArn = request.principal.value();
             const roleArn = roleArnFromAssumedRoleArn(sessionArn);
             if (principalStatement.arn() === roleArn || principalStatement.arn() === sessionArn) {
-                return 'Match';
+                return {
+                    matches: 'Match',
+                    principal: principalStatement.value(),
+                    roleForSessionArn: roleArn,
+                };
             }
         }
         if (principalStatement.arn() === request.principal.value()) {
-            return 'Match';
+            return {
+                matches: 'Match',
+                principal: principalStatement.value(),
+            };
         }
     }
-    return 'NoMatch';
+    return {
+        matches: 'NoMatch',
+        principal: principalStatement.value(),
+    };
 }
 const assumedRoleArnRegex = /^arn:aws:sts::\d{12}:assumed-role\/.*$/;
 function isAssumedRoleArn(principal) {
@@ -114,10 +180,12 @@ function roleArnFromAssumedRoleArn(assumedRoleArn) {
  */
 function requestMatchesStatementPrincipals(request, statement) {
     if (statement.isPrincipalStatement()) {
-        return requestMatchesPrincipal(request, statement.principals());
+        const { matches, explains } = requestMatchesPrincipal(request, statement.principals());
+        return { matches, details: { principals: explains } };
     }
     else if (statement.isNotPrincipalStatement()) {
-        return requestMatchesNotPrincipal(request, statement.notPrincipals());
+        const { matches, explains } = requestMatchesNotPrincipal(request, statement.notPrincipals());
+        return { matches, details: { notPrincipals: explains } };
     }
     throw new Error('Statement should have Principal or NotPrincipal');
 }

package/dist/cjs/principal/principal.js.map

@@ -1 +1 @@
-{"version":3,"file":"principal.js","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":";;AAsDA,0DAWC;AASD,gEAiBC;AASD,4EAgDC;AAID,4CAEC;AAED,8DAKC;AASD,8EAOC;AAlID;;;;;;GAMG;AACH,SAAgB,uBAAuB,CAAC,OAAmB,EAAE,SAAsB;IACjF,MAAM,OAAO,GAAG,SAAS,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAE,CAAC,gCAAgC,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC,CAAA;IAClH,IAAG,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7B,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,IAAG,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;QACzC,OAAO,mBAAmB,CAAA;IAC5B,CAAC;IAED,OAAO,SAAS,CAAA;AAClB,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,0BAA0B,CAAC,OAAmB,EAAE,YAAyB;IACvF,MAAM,OAAO,GAAG,YAAY,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAE,CAAC,gCAAgC,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC,CAAA;IACrH,IAAG,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7B,OAAO,SAAS,CAAA;IAClB,CAAC;IAED;;;;;OAKG;IACH,IAAG,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;QACzC,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,gCAAgC,CAAC,OAAmB,EAAE,kBAA6B;IACjG,IAAG,kBAAkB,CAAC,kBAAkB,EAAE,EAAE,CAAC;QAC3C,IAAG,kBAAkB,CAAC,OAAO,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAC9D,OAAO,OAAO,CAAA;QAChB,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAG,kBAAkB,CAAC,wBAAwB,EAAE,EAAE,CAAC;QACjD,IAAG,kBAAkB,CAAC,aAAa,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YACpE,OAAO,OAAO,CAAA;QAChB,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAG,kBAAkB,CAAC,oBAAoB,EAAE,EAAE,CAAC;QAC7C,IAAG,kBAAkB,CAAC,SAAS,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAChE,OAAO,OAAO,CAAA;QAChB,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAG,kBAAkB,CAAC,mBAAmB,EAAE,EAAE,CAAC;QAC5C,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,IAAG,kBAAkB,CAAC,kBAAkB,EAAE,EAAE,CAAC;QAC3C,IAAG,kBAAkB,CAAC,SAAS,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,CAAC;YACpE,OAAO,mBAAmB,CAAA;QAC5B,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAG,kBAAkB,CAAC,cAAc,EAAE,EAAE,CAAC;QACvC,IAAG,gBAAgB,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC;YAC/C,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;YAC5C,MAAM,OAAO,GAAG,yBAAyB,CAAC,UAAU,CAAC,CAAA;YACrD,IAAG,kBAAkB,CAAC,GAAG,EAAE,KAAM,OAAO,IAAI,kBAAkB,CAAC,GAAG,EAAE,KAAK,UAAU,EAAE,CAAC;gBACpF,OAAO,OAAO,CAAA;YAChB,CAAC;QACH,CAAC;QAED,IAAG,kBAAkB,CAAC,GAAG,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAC1D,OAAO,OAAO,CAAA;QAChB,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAA;AAClB,CAAC;AAED,MAAM,mBAAmB,GAAG,wCAAwC,CAAA;AAEpE,SAAgB,gBAAgB,CAAC,SAAiB;IAChD,OAAO,mBAAmB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;AAC5C,CAAC;AAED,SAAgB,yBAAyB,CAAC,cAAsB;IAC9D,MAAM,QAAQ,GAAG,cAAc,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC1C,MAAM,aAAa,GAAG,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,CAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACjD,MAAM,eAAe,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IAC5D,OAAO,gBAAgB,QAAQ,CAAC,CAAC,CAAC,SAAS,eAAe,EAAE,CAAA;AAC9D,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,iCAAiC,CAAC,OAAmB,EAAE,SAAoB;IACzF,IAAG,SAAS,CAAC,oBAAoB,EAAE,EAAE,CAAC;QACpC,OAAO,uBAAuB,CAAC,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE,CAAC,CAAA;IACjE,CAAC;SAAM,IAAG,SAAS,CAAC,uBAAuB,EAAE,EAAE,CAAC;QAC9C,OAAO,0BAA0B,CAAC,OAAO,EAAE,SAAS,CAAC,aAAa,EAAE,CAAC,CAAC;IACxE,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAA;AACpE,CAAC"}
+{"version":3,"file":"principal.js","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":";;AAuDA,0DAoBC;AASD,gEAyCC;AASD,4EAqFC;AAID,4CAEC;AAED,8DAKC;AASD,8EASC;AA1MD;;;;;;GAMG;AACH,SAAgB,uBAAuB,CAAC,OAAmB,EAAE,SAAsB;IACjF,MAAM,QAAQ,GAAG,SAAS,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAE,CAAC,gCAAgC,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC,CAAA;IACnH,IAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,OAAO,KAAK,OAAO,CAAC,EAAE,CAAC;QACjD,OAAO;YACL,OAAO,EAAE,OAAO;YAChB,QAAQ;SACT,CAAA;IACH,CAAC;IAED,IAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,OAAO,KAAK,mBAAmB,CAAC,EAAE,CAAC;QAC7D,OAAO;YACL,OAAO,EAAE,mBAAmB;YAC5B,QAAQ;SACT,CAAA;IACH,CAAC;IAED,OAAO;QACL,OAAO,EAAE,SAAS;QAClB,QAAQ;KACT,CAAA;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,0BAA0B,CAAC,OAAmB,EAAE,YAAyB;IACvF,wHAAwH;IACxH,MAAM,QAAQ,GAAG,YAAY,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAE;QACrD,MAAM,OAAO,GAAG,gCAAgC,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAA;QAC7E;;;;;WAKG;QACH,IAAG,OAAO,CAAC,OAAO,KAAK,OAAO,IAAI,OAAO,CAAC,OAAO,KAAK,mBAAmB,EAAE,CAAC;YAC1E,OAAO,CAAC,OAAO,GAAG,SAAS,CAAA;QAC7B,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,OAAO,GAAG,OAAO,CAAA;QAC3B,CAAC;QACD,OAAO,OAAO,CAAA;IAChB,CAAC,CAAC,CAAA;IAGF,IAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,OAAO,KAAK,OAAO,CAAC,EAAE,CAAC;QACjD,OAAO;YACL,OAAO,EAAE,OAAO;YAChB,QAAQ;SACT,CAAA;IACH,CAAC;IAED,OAAO;QACL,OAAO,EAAE,SAAS;QAClB,QAAQ;KACT,CAAA;IAED,kCAAkC;IAClC,qBAAqB;IACrB,IAAI;IAGJ,8CAA8C;IAC9C,qBAAqB;IACrB,IAAI;IAEJ,iBAAiB;AACnB,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,gCAAgC,CAAC,OAAmB,EAAE,kBAA6B;IACjG,IAAG,kBAAkB,CAAC,kBAAkB,EAAE,EAAE,CAAC;QAC3C,IAAG,kBAAkB,CAAC,OAAO,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAC9D,OAAO;gBACL,OAAO,EAAE,OAAO;gBAChB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;aACtC,CAAA;QACH,CAAC;QACD,OAAO;YACL,OAAO,EAAE,SAAS;YAClB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;SACtC,CAAA;IACH,CAAC;IAED,IAAG,kBAAkB,CAAC,wBAAwB,EAAE,EAAE,CAAC;QACjD,IAAG,kBAAkB,CAAC,aAAa,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YACpE,OAAO;gBACL,OAAO,EAAE,OAAO;gBAChB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;aACtC,CAAA;QACH,CAAC;QACD,OAAO;YACL,OAAO,EAAE,SAAS;YAClB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;SACtC,CAAA;IACH,CAAC;IAED,IAAG,kBAAkB,CAAC,oBAAoB,EAAE,EAAE,CAAC;QAC7C,IAAG,kBAAkB,CAAC,SAAS,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAChE,OAAO;gBACL,OAAO,EAAE,OAAO;gBAChB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;aACtC,CAAA;QACH,CAAC;QACD,OAAO;YACL,OAAO,EAAE,SAAS;YAClB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;SACtC,CAAA;IACH,CAAC;IAED,IAAG,kBAAkB,CAAC,mBAAmB,EAAE,EAAE,CAAC;QAC5C,OAAO;YACL,OAAO,EAAE,OAAO;YAChB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;SACtC,CAAA;IACH,CAAC;IAED,IAAG,kBAAkB,CAAC,kBAAkB,EAAE,EAAE,CAAC;QAC3C,IAAG,kBAAkB,CAAC,SAAS,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,CAAC;YACpE,OAAO;gBACL,OAAO,EAAE,mBAAmB;gBAC5B,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;aACtC,CAAA;QACH,CAAC;QACD,OAAO;YACL,OAAO,EAAE,SAAS;YAClB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;SACtC,CAAA;IACH,CAAC;IAED,IAAG,kBAAkB,CAAC,cAAc,EAAE,EAAE,CAAC;QACvC,IAAG,gBAAgB,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC;YAC/C,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;YAC5C,MAAM,OAAO,GAAG,yBAAyB,CAAC,UAAU,CAAC,CAAA;YACrD,IAAG,kBAAkB,CAAC,GAAG,EAAE,KAAM,OAAO,IAAI,kBAAkB,CAAC,GAAG,EAAE,KAAK,UAAU,EAAE,CAAC;gBACpF,OAAO;oBACL,OAAO,EAAE,OAAO;oBAChB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;oBACrC,iBAAiB,EAAE,OAAO;iBAC3B,CAAA;YACH,CAAC;QACH,CAAC;QAED,IAAG,kBAAkB,CAAC,GAAG,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAC1D,OAAO;gBACL,OAAO,EAAE,OAAO;gBAChB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;aACtC,CAAA;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,OAAO,EAAE,SAAS;QAClB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;KACtC,CAAA;AACH,CAAC;AAED,MAAM,mBAAmB,GAAG,wCAAwC,CAAA;AAEpE,SAAgB,gBAAgB,CAAC,SAAiB;IAChD,OAAO,mBAAmB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;AAC5C,CAAC;AAED,SAAgB,yBAAyB,CAAC,cAAsB;IAC9D,MAAM,QAAQ,GAAG,cAAc,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC1C,MAAM,aAAa,GAAG,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,CAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACjD,MAAM,eAAe,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IAC5D,OAAO,gBAAgB,QAAQ,CAAC,CAAC,CAAC,SAAS,eAAe,EAAE,CAAA;AAC9D,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,iCAAiC,CAAC,OAAmB,EAAE,SAAoB;IACzF,IAAG,SAAS,CAAC,oBAAoB,EAAE,EAAE,CAAC;QACpC,MAAM,EAAC,OAAO,EAAE,QAAQ,EAAC,GAAG,uBAAuB,CAAC,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE,CAAC,CAAA;QACpF,OAAO,EAAC,OAAO,EAAE,OAAO,EAAE,EAAC,UAAU,EAAE,QAAQ,EAAC,EAAC,CAAA;IACnD,CAAC;SAAM,IAAG,SAAS,CAAC,uBAAuB,EAAE,EAAE,CAAC;QAC9C,MAAM,EAAC,OAAO,EAAE,QAAQ,EAAC,GAAG,0BAA0B,CAAC,OAAO,EAAE,SAAS,CAAC,aAAa,EAAE,CAAC,CAAA;QAC1F,OAAO,EAAC,OAAO,EAAE,OAAO,EAAE,EAAC,aAAa,EAAE,QAAQ,EAAC,EAAC,CAAA;IACtD,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAA;AACpE,CAAC"}

package/dist/cjs/resource/resource.d.ts

@@ -1,4 +1,5 @@
 import { Resource, Statement } from "@cloud-copilot/iam-policy";
+import { ResourceExplain, StatementExplain } from "../explain/statementExplain.js";
 import { AwsRequest } from "../request/request.js";
 /**
  * Check if a request matches the Resource or NotResource elements of a statement.
@@ -7,7 +8,10 @@ import { AwsRequest } from "../request/request.js";
  * @param statement the statement to check against
  * @returns true if the request matches the resources in the statement, false otherwise
  */
-export declare function requestMatchesStatementResources(request: AwsRequest, statement: Statement): boolean;
+export declare function requestMatchesStatementResources(request: AwsRequest, statement: Statement): {
+    matches: boolean;
+    details: Pick<StatementExplain, 'resources' | 'notResources'>;
+};
 /**
  * Check if a request matches a set of resources.
  *
@@ -15,7 +19,10 @@ export declare function requestMatchesStatementResources(request: AwsRequest, st
  * @param policyResources the resources to check against
  * @returns true if the request matches any of the resources, false otherwise
  */
-export declare function requestMatchesResources(request: AwsRequest, policyResources: Resource[]): boolean;
+export declare function requestMatchesResources(request: AwsRequest, policyResources: Resource[]): {
+    matches: boolean;
+    explains: ResourceExplain[];
+};
 /**
  * Check if a request matches a NotResource element in a policy.
  *
@@ -23,5 +30,8 @@ export declare function requestMatchesResources(request: AwsRequest, policyResou
  * @param policyResources the resources to check against
  * @returns true if the request does not match any of the resources, false otherwise
  */
-export declare function requestMatchesNotResources(request: AwsRequest, policyResources: Resource[]): boolean;
+export declare function requestMatchesNotResources(request: AwsRequest, policyResources: Resource[]): {
+    matches: boolean;
+    explains: ResourceExplain[];
+};
 //# sourceMappingURL=resource.d.ts.map

package/dist/cjs/resource/resource.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"resource.d.ts","sourceRoot":"","sources":["../../../src/resource/resource.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AAChE,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAmBnD;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,GAAG,OAAO,CAOnG;AAGD;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,QAAQ,EAAE,GAAG,OAAO,CAEjG;AAED;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,QAAQ,EAAE,GAAG,OAAO,CAEpG"}
+{"version":3,"file":"resource.d.ts","sourceRoot":"","sources":["../../../src/resource/resource.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,gCAAgC,CAAC;AACnF,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAmBnD;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,GAAG;IAAC,OAAO,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,IAAI,CAAC,gBAAgB,EAAE,WAAW,GAAG,cAAc,CAAC,CAAA;CAAC,CAiB7K;AAGD;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,QAAQ,EAAE,GAAG;IAAC,OAAO,EAAE,OAAO,CAAC;IAAC,QAAQ,EAAE,eAAe,EAAE,CAAA;CAAC,CAIzI;AAED;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,QAAQ,EAAE,GAAG;IAAC,OAAO,EAAE,OAAO,CAAC;IAAC,QAAQ,EAAE,eAAe,EAAE,CAAA;CAAC,CAQ5I"}

package/dist/cjs/resource/resource.js

@@ -27,12 +27,22 @@ function convertResourceSegmentToRegex(segment) {
  */
 function requestMatchesStatementResources(request, statement) {
     if (statement.isResourceStatement()) {
-        return requestMatchesResources(request, statement.resources());
+        const { matches, explains } = requestMatchesResources(request, statement.resources());
+        if (!statement.resourceIsArray()) {
+            return { matches, details: { resources: explains[0] } };
+        }
+        return { matches, details: { resources: explains } };
+        // return requestMatchesResources(request, statement.resources());
     }
     else if (statement.isNotResourceStatement()) {
-        return requestMatchesNotResources(request, statement.notResources());
+        const { matches, explains } = requestMatchesNotResources(request, statement.notResources());
+        if (!statement.notResourceIsArray()) {
+            return { matches, details: { notResources: explains[0] } };
+        }
+        return { matches, details: { notResources: explains } };
+        // return requestMatchesNotResources(request, statement.notResources());
     }
-    return true;
+    return { matches: true, details: {} };
 }
 /**
  * Check if a request matches a set of resources.
@@ -42,7 +52,9 @@ function requestMatchesStatementResources(request, statement) {
  * @returns true if the request matches any of the resources, false otherwise
  */
 function requestMatchesResources(request, policyResources) {
-    return policyResources.some(policyResource => singleResourceMatchesRequest(request, policyResource));
+    const explains = policyResources.map(policyResource => singleResourceMatchesRequest(request, policyResource));
+    const matches = explains.some(explain => explain.matches);
+    return { matches, explains };
 }
 /**
  * Check if a request matches a NotResource element in a policy.
@@ -52,7 +64,13 @@ function requestMatchesResources(request, policyResources) {
  * @returns true if the request does not match any of the resources, false otherwise
  */
 function requestMatchesNotResources(request, policyResources) {
-    return !requestMatchesResources(request, policyResources);
+    const explains = policyResources.map(policyResource => {
+        const explain = singleResourceMatchesRequest(request, policyResource);
+        explain.matches = !explain.matches;
+        return explain;
+    });
+    const matches = explains.some(explain => explain.matches);
+    return { matches, explains };
 }
 /**
  * Check if a single resource matches a request.
@@ -63,35 +81,69 @@ function requestMatchesNotResources(request, policyResources) {
  */
 function singleResourceMatchesRequest(request, policyResource) {
     if (policyResource.isAllResources()) {
-        return true;
+        return {
+            resource: policyResource.value(),
+            matches: true,
+        };
     }
     else if (policyResource.isArnResource()) {
         if (!request.resource) {
-            return false;
+            return {
+                resource: policyResource.value(),
+                matches: false,
+                errors: ['Request does not have a resource'],
+            };
         }
         const resource = request.resource;
         if (!convertResourceSegmentToRegex(policyResource.partition()).test(resource.partition())) {
-            return false;
+            return {
+                resource: policyResource.value(),
+                matches: false,
+                errors: ['Partition does not match'],
+            };
         }
         if (!convertResourceSegmentToRegex(policyResource.service()).test(resource.service())) {
-            return false;
+            return {
+                resource: policyResource.value(),
+                matches: false,
+                errors: ['Service does not match'],
+            };
         }
         if (!convertResourceSegmentToRegex(policyResource.region()).test(resource.region())) {
-            return false;
+            return {
+                resource: policyResource.value(),
+                matches: false,
+                errors: ['Region does not match'],
+            };
         }
         if (!convertResourceSegmentToRegex(policyResource.account()).test(resource.account())) {
-            return false;
+            return {
+                resource: policyResource.value(),
+                matches: false,
+                errors: ['Account does not match'],
+            };
         }
         //Wildcards and variables are not allowed in the product segment https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html "Incorrect wildcard usage"
         const [policyProduct, policyResourceId] = (0, util_js_1.getResourceSegments)(policyResource.resource());
         if (!resource.resource().startsWith(policyProduct)) {
-            return false;
+            return {
+                resource: policyResource.value(),
+                matches: false,
+                errors: ['Product does not match'],
+            };
         }
         const requestResourceId = resource.resource().slice(policyProduct.length);
         if (!(0, util_js_1.convertIamStringToRegex)(policyResourceId, request).test(requestResourceId)) {
-            return false;
+            return {
+                resource: policyResource.value(),
+                matches: false,
+                errors: ['Resource does not match'],
+            };
         }
-        return true;
+        return {
+            resource: policyResource.value(),
+            matches: true,
+        };
     }
     else {
         throw new Error('Unknown resource type');

package/dist/cjs/resource/resource.js.map

@@ -1 +1 @@
-{"version":3,"file":"resource.js","sourceRoot":"","sources":["../../../src/resource/resource.ts"],"names":[],"mappings":";;AA2BA,4EAOC;AAUD,0DAEC;AASD,gEAEC;AAvDD,wCAA0E;AAE1E,yHAAyH;AAEzH;;;;;GAKG;AACH,SAAS,6BAA6B,CAAC,OAAe;IACpD,IAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IACD,MAAM,OAAO,GAAG,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,GAAG,CAAA;IAC7E,OAAO,IAAI,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;AACjC,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,gCAAgC,CAAC,OAAmB,EAAE,SAAoB;IACxF,IAAG,SAAS,CAAC,mBAAmB,EAAE,EAAE,CAAC;QACnC,OAAO,uBAAuB,CAAC,OAAO,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,CAAC;IACjE,CAAC;SAAM,IAAG,SAAS,CAAC,sBAAsB,EAAE,EAAE,CAAC;QAC7C,OAAO,0BAA0B,CAAC,OAAO,EAAE,SAAS,CAAC,YAAY,EAAE,CAAC,CAAC;IACvE,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAGD;;;;;;GAMG;AACH,SAAgB,uBAAuB,CAAC,OAAmB,EAAE,eAA2B;IACtF,OAAO,eAAe,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE,CAAC,4BAA4B,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC,CAAA;AACtG,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,0BAA0B,CAAC,OAAmB,EAAE,eAA2B;IACzF,OAAO,CAAC,uBAAuB,CAAC,OAAO,EAAE,eAAe,CAAC,CAAA;AAC3D,CAAC;AAED;;;;;;GAMG;AACH,SAAS,4BAA4B,CAAC,OAAmB,EAAE,cAAwB;IACjF,IAAG,cAAc,CAAC,cAAc,EAAE,EAAE,CAAC;QACnC,OAAO,IAAI,CAAC;IACd,CAAC;SAAM,IAAG,cAAc,CAAC,aAAa,EAAE,EAAE,CAAC;QACzC,IAAG,CAAC,OAAO,CAAC,QAAQ,EAAG,CAAC;YACtB,OAAO,KAAK,CAAA;QACd,CAAC;QAED,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAA;QACjC,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,SAAS,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC,EAAE,CAAC;YACzF,OAAO,KAAK,CAAA;QACd,CAAC;QAED,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;YACrF,OAAO,KAAK,CAAA;QACd,CAAC;QAED,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,CAAC;YACnF,OAAO,KAAK,CAAA;QACd,CAAC;QAED,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;YACrF,OAAO,KAAK,CAAA;QACd,CAAC;QAED,gKAAgK;QAChK,MAAM,CAAC,aAAa,EAAE,gBAAgB,CAAC,GAAG,IAAA,6BAAmB,EAAC,cAAc,CAAC,QAAQ,EAAE,CAAC,CAAA;QAExF,IAAG,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;YAClD,OAAO,KAAK,CAAA;QACd,CAAC;QAED,MAAM,iBAAiB,GAAG,QAAQ,CAAC,QAAQ,EAAE,CAAC,KAAK,CAAC,aAAa,CAAC,MAAM,CAAC,CAAA;QAEzE,IAAG,CAAC,IAAA,iCAAuB,EAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,EAAE,CAAC;YAC/E,OAAO,KAAK,CAAA;QACd,CAAC;QAED,OAAO,IAAI,CAAA;IACb,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;AACH,CAAC"}
+{"version":3,"file":"resource.js","sourceRoot":"","sources":["../../../src/resource/resource.ts"],"names":[],"mappings":";;AA4BA,4EAiBC;AAUD,0DAIC;AASD,gEAQC;AAzED,wCAA0E;AAE1E,yHAAyH;AAEzH;;;;;GAKG;AACH,SAAS,6BAA6B,CAAC,OAAe;IACpD,IAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IACD,MAAM,OAAO,GAAG,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,GAAG,CAAA;IAC7E,OAAO,IAAI,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;AACjC,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,gCAAgC,CAAC,OAAmB,EAAE,SAAoB;IACxF,IAAG,SAAS,CAAC,mBAAmB,EAAE,EAAE,CAAC;QACnC,MAAM,EAAC,OAAO,EAAE,QAAQ,EAAC,GAAG,uBAAuB,CAAC,OAAO,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,CAAC;QACpF,IAAG,CAAC,SAAS,CAAC,eAAe,EAAE,EAAE,CAAC;YAChC,OAAO,EAAC,OAAO,EAAE,OAAO,EAAE,EAAC,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAC,EAAC,EAAC,CAAA;QACrD,CAAC;QACD,OAAO,EAAC,OAAO,EAAE,OAAO,EAAE,EAAC,SAAS,EAAE,QAAQ,EAAC,EAAC,CAAA;QAChD,kEAAkE;IACpE,CAAC;SAAM,IAAG,SAAS,CAAC,sBAAsB,EAAE,EAAE,CAAC;QAC7C,MAAM,EAAC,OAAO,EAAE,QAAQ,EAAC,GAAG,0BAA0B,CAAC,OAAO,EAAE,SAAS,CAAC,YAAY,EAAE,CAAC,CAAC;QAC1F,IAAG,CAAC,SAAS,CAAC,kBAAkB,EAAE,EAAE,CAAC;YACnC,OAAO,EAAC,OAAO,EAAE,OAAO,EAAE,EAAC,YAAY,EAAE,QAAQ,CAAC,CAAC,CAAC,EAAC,EAAC,CAAA;QACxD,CAAC;QACD,OAAO,EAAC,OAAO,EAAE,OAAO,EAAE,EAAC,YAAY,EAAE,QAAQ,EAAC,EAAC,CAAA;QACnD,wEAAwE;IAC1E,CAAC;IACD,OAAO,EAAC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAC,CAAC;AACtC,CAAC;AAGD;;;;;;GAMG;AACH,SAAgB,uBAAuB,CAAC,OAAmB,EAAE,eAA2B;IACtF,MAAM,QAAQ,GAAG,eAAe,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,CAAC,4BAA4B,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC,CAAA;IAC7G,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;IACzD,OAAO,EAAC,OAAO,EAAE,QAAQ,EAAC,CAAA;AAC5B,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,0BAA0B,CAAC,OAAmB,EAAE,eAA2B;IACzF,MAAM,QAAQ,GAAG,eAAe,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE;QACpD,MAAM,OAAO,GAAG,4BAA4B,CAAC,OAAO,EAAE,cAAc,CAAC,CAAA;QACrE,OAAO,CAAC,OAAO,GAAG,CAAC,OAAO,CAAC,OAAO,CAAA;QAClC,OAAO,OAAO,CAAA;IAChB,CAAC,CAAC,CAAA;IACF,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;IACzD,OAAO,EAAC,OAAO,EAAE,QAAQ,EAAC,CAAA;AAC5B,CAAC;AAED;;;;;;GAMG;AACH,SAAS,4BAA4B,CAAC,OAAmB,EAAE,cAAwB;IACjF,IAAG,cAAc,CAAC,cAAc,EAAE,EAAE,CAAC;QACnC,OAAO;YACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;YAChC,OAAO,EAAE,IAAI;SACd,CAAC;IACJ,CAAC;SAAM,IAAG,cAAc,CAAC,aAAa,EAAE,EAAE,CAAC;QACzC,IAAG,CAAC,OAAO,CAAC,QAAQ,EAAG,CAAC;YACtB,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,kCAAkC,CAAC;aAC7C,CAAC;QACJ,CAAC;QAED,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAA;QACjC,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,SAAS,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC,EAAE,CAAC;YACzF,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,0BAA0B,CAAC;aACrC,CAAA;QACH,CAAC;QAED,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;YACrF,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,wBAAwB,CAAC;aACnC,CAAA;QACH,CAAC;QAED,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,CAAC;YACnF,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,uBAAuB,CAAC;aAClC,CAAA;QACH,CAAC;QAED,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;YACrF,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,wBAAwB,CAAC;aACnC,CAAA;QACH,CAAC;QAED,gKAAgK;QAChK,MAAM,CAAC,aAAa,EAAE,gBAAgB,CAAC,GAAG,IAAA,6BAAmB,EAAC,cAAc,CAAC,QAAQ,EAAE,CAAC,CAAA;QAExF,IAAG,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;YAClD,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,wBAAwB,CAAC;aACnC,CAAA;QACH,CAAC;QAED,MAAM,iBAAiB,GAAG,QAAQ,CAAC,QAAQ,EAAE,CAAC,KAAK,CAAC,aAAa,CAAC,MAAM,CAAC,CAAA;QAEzE,IAAG,CAAC,IAAA,iCAAuB,EAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,EAAE,CAAC;YAC/E,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,yBAAyB,CAAC;aACpC,CAAA;QACH,CAAC;QAED,OAAO;YACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;YAChC,OAAO,EAAE,IAAI;SACd,CAAA;IACH,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;AACH,CAAC"}

package/dist/cjs/services/DefaultServiceAuthorizer.d.ts

@@ -1,41 +1,9 @@
-import { EvaluationResult, ResourceEvaluationResult } from "../evaluate.js";
-import { StatementAnalysis } from "../StatementAnalysis.js";
+import { RequestAnalysis } from "../evaluate.js";
 import { ServiceAuthorizationRequest, ServiceAuthorizer } from "./ServiceAuthorizer.js";
 /**
  * The default authorizer for services.
  */
 export declare class DefaultServiceAuthorizer implements ServiceAuthorizer {
-    authorize(request: ServiceAuthorizationRequest): EvaluationResult;
-    /**
-     * Determine the result of the SCP analysis.
-     *
-     * @param request The request to authorize.
-     * @returns The result of the SCP analysis.
-     */
-    serviceControlPolicyResult(request: ServiceAuthorizationRequest): EvaluationResult;
-    /**
-     * Evaluate the identity statements to determine the result.
-     *
-     * @param request The request to authorize.
-     * @returns The result of the identity statement analysis.
-     */
-    identityStatementResult(request: ServiceAuthorizationRequest): EvaluationResult;
-    /**
-     * Evaluate the resource policy to determine the result.
-     *
-     * @param request the request to authorize
-     * @returns the result of the resource policy analysis
-     */
-    resourcePolicyResult(request: ServiceAuthorizationRequest): ResourceEvaluationResult;
-    /**
-     * Checks if a statement is an identity statement that allows the request.
-     *
-     * @param statement The statement to check.
-     * @returns Whether the statement is an identity statement that allows the request.
-     */
-    identityStatementAllows(statement: StatementAnalysis): boolean;
-    identityStatementUknownAllow(statement: StatementAnalysis): boolean;
-    identityStatementUknownDeny(statement: StatementAnalysis): boolean;
-    identityStatementExplicitDeny(statement: StatementAnalysis): boolean;
+    authorize(request: ServiceAuthorizationRequest): RequestAnalysis;
 }
 //# sourceMappingURL=DefaultServiceAuthorizer.d.ts.map

package/dist/cjs/services/DefaultServiceAuthorizer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,wBAAwB,EAAE,MAAM,gBAAgB,CAAC;AAC5E,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,EAAE,2BAA2B,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAExF;;GAEG;AACH,qBAAa,wBAAyB,YAAW,iBAAiB;IACzD,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,gBAAgB;IAiDxE;;;;;OAKG;IACI,0BAA0B,CAAC,OAAO,EAAE,2BAA2B,GAAG,gBAAgB;IAwBzF;;;;;OAKG;IACI,uBAAuB,CAAC,OAAO,EAAE,2BAA2B,GAAG,gBAAgB;IAoBtF;;;;;OAKG;IACI,oBAAoB,CAAC,OAAO,EAAE,2BAA2B,GAAG,wBAAwB;IAyB3F;;;;;OAKG;IACI,uBAAuB,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;IAU9D,4BAA4B,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;IAUnE,2BAA2B,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;IAUlE,6BAA6B,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;CAS5E"}
+{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACjD,OAAO,EAAE,2BAA2B,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAExF;;GAEG;AACH,qBAAa,wBAAyB,YAAW,iBAAiB;IACzD,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe;CA6KxE"}

package/dist/cjs/services/DefaultServiceAuthorizer.js

@@ -6,35 +6,66 @@ exports.DefaultServiceAuthorizer = void 0;
  */
 class DefaultServiceAuthorizer {
     authorize(request) {
-        const scpResult = this.serviceControlPolicyResult(request);
-        const identityStatementResult = this.identityStatementResult(request);
-        const resourcePolicyResult = this.resourcePolicyResult(request);
+        const scpResult = request.scpAnalysis.result;
+        const identityStatementResult = request.identityAnalysis.result;
+        const resourcePolicyResult = request.resourceAnalysis?.result;
         const principalAccount = request.request.principal.accountId();
         const resourceAccount = request.request.resource?.accountId();
+        const sameAccount = principalAccount === resourceAccount;
+        const baseResult = {
+            sameAccount,
+            identityAnalysis: request.identityAnalysis,
+            scpAnalysis: request.scpAnalysis,
+            resourceAnalysis: request.resourceAnalysis
+        };
         if (scpResult !== 'Allowed') {
-            return scpResult;
+            return {
+                result: scpResult,
+                ...baseResult
+            };
         }
         if (resourcePolicyResult === 'ExplicitlyDenied' || resourcePolicyResult === 'DeniedForAccount') {
-            return 'ExplicitlyDenied';
+            return {
+                result: 'ExplicitlyDenied',
+                ...baseResult
+            };
         }
         if (identityStatementResult === 'ExplicitlyDenied') {
-            return 'ExplicitlyDenied';
+            return {
+                result: 'ExplicitlyDenied',
+                ...baseResult
+            };
         }
         //Same Account
         if (principalAccount === resourceAccount) {
             if (resourcePolicyResult === 'Allowed' || resourcePolicyResult === 'AllowedForAccount' || identityStatementResult === 'Allowed') {
-                return 'Allowed';
+                return {
+                    result: 'Allowed',
+                    ...baseResult
+                };
             }
-            return 'ImplicitlyDenied';
+            return {
+                result: 'ImplicitlyDenied',
+                ...baseResult
+            };
         }
         //Cross Account
         if (resourcePolicyResult === 'Allowed' || resourcePolicyResult === 'AllowedForAccount') {
             if (identityStatementResult === 'Allowed') {
-                return 'Allowed';
+                return {
+                    result: 'Allowed',
+                    ...baseResult
+                };
             }
-            return 'ImplicitlyDenied';
-        }
-        return 'ImplicitlyDenied';
+            return {
+                result: 'ImplicitlyDenied',
+                ...baseResult
+            };
+        }
+        return {
+            result: 'ImplicitlyDenied',
+            ...baseResult
+        };
         /**
          * Add checks for:
          * * root user
@@ -45,121 +76,6 @@ class DefaultServiceAuthorizer {
          * * session policies (maybe these are just part of identity policies?)
          */
     }
-    /**
-     * Determine the result of the SCP analysis.
-     *
-     * @param request The request to authorize.
-     * @returns The result of the SCP analysis.
-     */
-    serviceControlPolicyResult(request) {
-        const orgAllows = request.scpAnalysis.map((scpAnalysis) => {
-            return scpAnalysis.statementAnalysis.some((statement) => {
-                return this.identityStatementAllows(statement);
-            });
-        });
-        if (orgAllows.includes(false)) {
-            return 'ImplicitlyDenied';
-        }
-        const anyScpDeny = request.scpAnalysis.some((scpAnalysis) => {
-            return scpAnalysis.statementAnalysis.some((statement) => {
-                return this.identityStatementExplicitDeny(statement);
-            });
-        });
-        if (anyScpDeny) {
-            return 'ExplicitlyDenied';
-        }
-        return 'Allowed';
-    }
-    /**
-     * Evaluate the identity statements to determine the result.
-     *
-     * @param request The request to authorize.
-     * @returns The result of the identity statement analysis.
-     */
-    identityStatementResult(request) {
-        const explicitDeny = request.identityStatements.some(s => this.identityStatementExplicitDeny(s));
-        if (explicitDeny) {
-            return 'ExplicitlyDenied';
-        }
-        const explicitAllow = request.identityStatements.some(s => this.identityStatementAllows(s));
-        const possibleDeny = request.identityStatements.some(s => this.identityStatementUknownDeny(s));
-        if (explicitAllow) {
-            return possibleDeny ? 'Unknown' : 'Allowed';
-        }
-        const possibleAllow = request.identityStatements.some(s => this.identityStatementUknownAllow(s));
-        if (possibleAllow) {
-            return 'Unknown';
-        }
-        return 'ImplicitlyDenied';
-    }
-    /**
-     * Evaluate the resource policy to determine the result.
-     *
-     * @param request the request to authorize
-     * @returns the result of the resource policy analysis
-     */
-    resourcePolicyResult(request) {
-        if (!request.resourceAnalysis) {
-            return 'NotApplicable';
-        }
-        const denyStatements = request.resourceAnalysis.filter(s => this.identityStatementExplicitDeny(s));
-        if (denyStatements.some(s => s.principalMatch === 'Match')) {
-            return 'ExplicitlyDenied';
-        }
-        if (denyStatements.some(s => s.principalMatch === 'AccountLevelMatch')) {
-            return 'DeniedForAccount';
-        }
-        const allowStatements = request.resourceAnalysis.filter(s => this.identityStatementAllows(s));
-        if (allowStatements.some(s => s.principalMatch === 'Match')) {
-            return 'Allowed';
-        }
-        if (allowStatements.some(s => s.principalMatch === 'AccountLevelMatch')) {
-            return 'AllowedForAccount';
-        }
-        return 'ImplicityDenied';
-    }
-    /**
-     * Checks if a statement is an identity statement that allows the request.
-     *
-     * @param statement The statement to check.
-     * @returns Whether the statement is an identity statement that allows the request.
-     */
-    identityStatementAllows(statement) {
-        if (statement.resourceMatch &&
-            statement.actionMatch &&
-            statement.conditionMatch === 'Match' &&
-            statement.statement.effect() === 'Allow') {
-            return true;
-        }
-        return false;
-    }
-    identityStatementUknownAllow(statement) {
-        if (statement.resourceMatch &&
-            statement.actionMatch &&
-            statement.conditionMatch === 'Unknown' &&
-            statement.statement.effect() === 'Allow') {
-            return true;
-        }
-        return false;
-    }
-    identityStatementUknownDeny(statement) {
-        if (statement.resourceMatch &&
-            statement.actionMatch &&
-            statement.conditionMatch === 'Unknown' &&
-            statement.statement.effect() === 'Deny') {
-            return true;
-        }
-        return false;
-    }
-    identityStatementExplicitDeny(statement) {
-        if (statement.resourceMatch &&
-            statement.actionMatch &&
-            statement.conditionMatch === 'Match' &&
-            statement.statement.effect() === 'Deny') {
-            return true;
-        }
-        return false;
-    }
 }
 exports.DefaultServiceAuthorizer = DefaultServiceAuthorizer;
 //# sourceMappingURL=DefaultServiceAuthorizer.js.map