@cloud-copilot/iam-simulate 0.1.116 → 0.1.118
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/analysis/analyzeResults.d.ts +7 -4
- package/dist/cjs/analysis/analyzeResults.d.ts.map +1 -1
- package/dist/cjs/analysis/analyzeResults.js +41 -14
- package/dist/cjs/analysis/analyzeResults.js.map +1 -1
- package/dist/cjs/context_keys/contextKeys.d.ts.map +1 -1
- package/dist/cjs/context_keys/contextKeys.js +22 -1
- package/dist/cjs/context_keys/contextKeys.js.map +1 -1
- package/dist/esm/analysis/analyzeResults.d.ts +7 -4
- package/dist/esm/analysis/analyzeResults.d.ts.map +1 -1
- package/dist/esm/analysis/analyzeResults.js +41 -14
- package/dist/esm/analysis/analyzeResults.js.map +1 -1
- package/dist/esm/context_keys/contextKeys.d.ts.map +1 -1
- package/dist/esm/context_keys/contextKeys.js +22 -1
- package/dist/esm/context_keys/contextKeys.js.map +1 -1
- package/package.json +1 -1
|
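--- a/package/dist/cjs/analysis/analyzeResults.d.ts
+++ b/package/dist/cjs/analysis/analyzeResults.d.ts
@@ -55,7 +55,7 @@ export type RequestDenial = {
 denialType: 'Explicit';
 };
 export type RequestGrant = {
-policyType: 'identity';
+policyType: 'identity' | 'pb' | 'vpce';
 policyIdentifier: string;
 statementId?: string | undefined;
 statementIndex: number;
@@ -63,6 +63,12 @@ export type RequestGrant = {
 policyType: 'resource';
 statementId?: string | undefined;
 statementIndex: number;
+} | {
+policyType: 'scp' | 'rcp';
+orgIdentifier: string;
+policyIdentifier: string;
+statementId?: string | undefined;
+statementIndex: number;
 };
 /**
 * Find the policy statements that caused a request to be denied.
@@ -86,9 +92,6 @@ export declare function getDenialReasons(requestAnalysis: RequestAnalysis): Requ
 * Find the policy statements that granted access for an allowed request.
 * Analyzes the RequestAnalysis and returns the specific grants that allowed the request.
 *
-* Only identity and resource policies can grant access. SCPs, RCPs, permission boundaries,
-* and endpoint policies can only deny (not grant).
-*
 * @param requestAnalysis the request analysis
 * @returns a list of RequestGrant objects describing which policies granted access
 */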
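Review bot: The `RequestGrant` union now has `'pb' | 'vpce'` and `'scp' | 'rcp'` variants, but the one sentence that explained the distinction — that permission boundaries, endpoint policies, SCPs and RCPs cannot grant access, only fail to deny it — was deleted from the `getGrantReasons` doc comment rather than rewritten, so a consumer iterating `RequestGrant[]` has nothing telling them that an `'scp'` entry is the statement the request passed through, not the source of the permission. Suggest restoring the paragraph in updated form, e.g. `* Identity and resource policies are grants in the IAM sense; entries with policyType 'pb', 'vpce', 'scp' or 'rcp' identify the statement that let the request pass that guardrail and do not on their own confer access.`, plus a one-line comment on each new union member. The same deletion appears in the esm declaration file and in both compiled analyzeResults.js files below.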
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"analyzeResults.d.ts","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,aAAa,EAIlB,KAAK,eAAe,EAGrB,MAAM,gBAAgB,CAAA;AAEvB;;;;;GAKG;AACH,wBAAgB,2BAA2B,CAAC,eAAe,EAAE,eAAe,GAAG,OAAO,CAOrF;AAED,MAAM,MAAM,gBAAgB,GAAG,aAAa,CAAA;AAE5C,MAAM,MAAM,aAAa,GACrB;IACE;;OAEG;IACH,UAAU,EAAE,gBAAgB,CAAA;IAE5B;;OAEG;IACH,QAAQ,CAAC,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IAEnB;;OAEG;IACH,UAAU,EAAE,UAAU,CAAA;CACvB,GACD;IACE;;OAEG;IACH,UAAU,EAAE,gBAAgB,CAAA;IAE5B;;OAEG;IACH,QAAQ,CAAC,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAA;IAEzB;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAEhC;;OAEG;IACH,cAAc,EAAE,MAAM,CAAA;IAEtB;;OAEG;IACH,UAAU,EAAE,UAAU,CAAA;CACvB,CAAA;AAEL,MAAM,MAAM,YAAY,GACpB;IACE,UAAU,EAAE,UAAU,CAAA;
|
|
1
|
+
{"version":3,"file":"analyzeResults.d.ts","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,aAAa,EAIlB,KAAK,eAAe,EAGrB,MAAM,gBAAgB,CAAA;AAEvB;;;;;GAKG;AACH,wBAAgB,2BAA2B,CAAC,eAAe,EAAE,eAAe,GAAG,OAAO,CAOrF;AAED,MAAM,MAAM,gBAAgB,GAAG,aAAa,CAAA;AAE5C,MAAM,MAAM,aAAa,GACrB;IACE;;OAEG;IACH,UAAU,EAAE,gBAAgB,CAAA;IAE5B;;OAEG;IACH,QAAQ,CAAC,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IAEnB;;OAEG;IACH,UAAU,EAAE,UAAU,CAAA;CACvB,GACD;IACE;;OAEG;IACH,UAAU,EAAE,gBAAgB,CAAA;IAE5B;;OAEG;IACH,QAAQ,CAAC,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAA;IAEzB;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAEhC;;OAEG;IACH,cAAc,EAAE,MAAM,CAAA;IAEtB;;OAEG;IACH,UAAU,EAAE,UAAU,CAAA;CACvB,CAAA;AAEL,MAAM,MAAM,YAAY,GACpB;IACE,UAAU,EAAE,UAAU,GAAG,IAAI,GAAG,MAAM,CAAA;IACtC,gBAAgB,EAAE,MAAM,CAAA;IACxB,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAChC,cAAc,EAAE,MAAM,CAAA;CACvB,GACD;IACE,UAAU,EAAE,UAAU,CAAA;IACtB,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAChC,cAAc,EAAE,MAAM,CAAA;CACvB,GACD;IACE,UAAU,EAAE,KAAK,GAAG,KAAK,CAAA;IACzB,aAAa,EAAE,MAAM,CAAA;IACrB,gBAAgB,EAAE,MAAM,CAAA;IACxB,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAChC,cAAc,EAAE,MAAM,CAAA;CACvB,CAAA;AAEL;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,gBAAgB,CAAC,eAAe,EAAE,eAAe,GAAG,aAAa,EAAE,CAqClF;AAiGD;;;;;;GAMG;AACH,wBAAgB,eAAe,CAAC,eAAe,EAAE,eAAe,GAAG,YAAY,EAAE,CAehF"}
|
|
@@ -122,9 +122,6 @@ function addOuPolicyDenials(analysis, policyType, overallResult, blockedBy, deni
|
|
|
122
122
|
* Find the policy statements that granted access for an allowed request.
|
|
123
123
|
* Analyzes the RequestAnalysis and returns the specific grants that allowed the request.
|
|
124
124
|
*
|
|
125
|
-
* Only identity and resource policies can grant access. SCPs, RCPs, permission boundaries,
|
|
126
|
-
* and endpoint policies can only deny (not grant).
|
|
127
|
-
*
|
|
128
125
|
* @param requestAnalysis the request analysis
|
|
129
126
|
* @returns a list of RequestGrant objects describing which policies granted access
|
|
130
127
|
*/
|
|
@@ -133,28 +130,58 @@ function getGrantReasons(requestAnalysis) {
|
|
|
133
130
|
return [];
|
|
134
131
|
}
|
|
135
132
|
const grantDetails = [];
|
|
136
|
-
|
|
137
|
-
|
|
138
|
-
|
|
139
|
-
|
|
140
|
-
|
|
133
|
+
addSimplePolicyGrants(requestAnalysis.identityAnalysis, 'identity', grantDetails);
|
|
134
|
+
addSimplePolicyGrants(requestAnalysis.resourceAnalysis, 'resource', grantDetails);
|
|
135
|
+
addSimplePolicyGrants(requestAnalysis.permissionBoundaryAnalysis, 'pb', grantDetails);
|
|
136
|
+
addSimplePolicyGrants(requestAnalysis.endpointAnalysis, 'vpce', grantDetails);
|
|
137
|
+
addOuPolicyGrants(requestAnalysis.scpAnalysis, 'scp', grantDetails);
|
|
138
|
+
addOuPolicyGrants(requestAnalysis.rcpAnalysis, 'rcp', grantDetails);
|
|
139
|
+
return grantDetails;
|
|
140
|
+
}
|
|
141
|
+
/**
|
|
142
|
+
* Helper for simple policy grants (identity, resource, pb, vpce).
|
|
143
|
+
*/
|
|
144
|
+
function addSimplePolicyGrants(analysis, policyType, grants) {
|
|
145
|
+
if (analysis?.result !== 'Allowed' && analysis?.result !== 'AllowedForAccount')
|
|
146
|
+
return;
|
|
147
|
+
for (const stmt of analysis.allowStatements) {
|
|
148
|
+
const sid = stmt.statement.sid();
|
|
149
|
+
if (policyType === 'resource') {
|
|
150
|
+
grants.push({
|
|
151
|
+
policyType: 'resource',
|
|
152
|
+
...(sid ? { statementId: sid } : {}),
|
|
153
|
+
statementIndex: stmt.statement.index()
|
|
154
|
+
});
|
|
155
|
+
}
|
|
156
|
+
else {
|
|
157
|
+
grants.push({
|
|
158
|
+
policyType,
|
|
141
159
|
policyIdentifier: stmt.policyId,
|
|
142
160
|
...(sid ? { statementId: sid } : {}),
|
|
143
161
|
statementIndex: stmt.statement.index()
|
|
144
162
|
});
|
|
145
163
|
}
|
|
146
164
|
}
|
|
147
|
-
|
|
148
|
-
|
|
149
|
-
|
|
165
|
+
}
|
|
166
|
+
/**
|
|
167
|
+
* Helper for OU-based policy grants (scp, rcp).
|
|
168
|
+
*/
|
|
169
|
+
function addOuPolicyGrants(analysis, policyType, grants) {
|
|
170
|
+
if (!analysis)
|
|
171
|
+
return;
|
|
172
|
+
for (const ou of analysis.ouAnalysis) {
|
|
173
|
+
if (ou.result !== 'Allowed')
|
|
174
|
+
continue;
|
|
175
|
+
for (const stmt of ou.allowStatements) {
|
|
150
176
|
const sid = stmt.statement.sid();
|
|
151
|
-
|
|
152
|
-
policyType
|
|
177
|
+
grants.push({
|
|
178
|
+
policyType,
|
|
179
|
+
orgIdentifier: ou.orgIdentifier,
|
|
180
|
+
policyIdentifier: stmt.policyId,
|
|
153
181
|
...(sid ? { statementId: sid } : {}),
|
|
154
182
|
statementIndex: stmt.statement.index()
|
|
155
183
|
});
|
|
156
184
|
}
|
|
157
185
|
}
|
|
158
|
-
return grantDetails;
|
|
159
186
|
}
|
|
160
187
|
//# sourceMappingURL=analyzeResults.js.map
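Review bot: `addSimplePolicyGrants` counts a per-policy result of `'AllowedForAccount'` as a grant for every policy type it is called with, including `'identity'`, `'pb'` and `'vpce'`, while its signature — unlike `addOuPolicyDenials` in the hunk header, which receives `overallResult` — carries no context about the request's overall outcome; if `'AllowedForAccount'` is only meaningful for resource policies this over-reports grants for the other three, which is worth confirming before release. The two helpers' JSDoc is a single line each; they would benefit from `@param analysis`, `@param policyType`, `@param grants` and a statement of which `result` values are treated as a grant. `getGrantReasons` begins above this hunk, so its early-return condition is not visible here; the esm analyzeResults.js section below carries the identical code.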
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"analyzeResults.js","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":";;AAgBA,kEAOC;
|
|
1
|
+
{"version":3,"file":"analyzeResults.js","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":";;AAgBA,kEAOC;AAmGD,4CAqCC;AAwGD,0CAeC;AA5QD;;;;;GAKG;AACH,SAAgB,2BAA2B,CAAC,eAAgC;IAC1E,MAAM,gBAAgB,GAAG,eAAe,CAAC,gBAAgB,CAAA;IACzD,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,OAAO,KAAK,CAAA;IACd,CAAC;IAED,OAAO,gBAAgB,CAAC,MAAM,KAAK,SAAS,CAAA;AAC9C,CAAC;AAkFD;;;;;;;;;;;;;;;;GAgBG;AACH,SAAgB,gBAAgB,CAAC,eAAgC;IAC/D,MAAM,OAAO,GAAoB,EAAE,CAAA;IACnC,MAAM,aAAa,GAAG,eAAe,CAAC,MAAM,CAAA;IAC5C,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,eAAe,CAAC,SAAS,IAAI,EAAE,CAAC,CAAA;IAE1D,sBAAsB,CACpB,eAAe,CAAC,gBAAgB,EAChC,UAAU,EACV,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IACD,sBAAsB,CACpB,eAAe,CAAC,gBAAgB,EAChC,UAAU,EACV,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IACD,kBAAkB,CAAC,eAAe,CAAC,WAAW,EAAE,KAAK,EAAE,aAAa,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;IACzF,kBAAkB,CAAC,eAAe,CAAC,WAAW,EAAE,KAAK,EAAE,aAAa,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;IACzF,sBAAsB,CACpB,eAAe,CAAC,0BAA0B,EAC1C,IAAI,EACJ,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IACD,sBAAsB,CACpB,eAAe,CAAC,gBAAgB,EAChC,MAAM,EACN,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IAED,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;;GAGG;AACH,SAAS,sBAAsB,CAC7B,QAAyD,EACzD,UAA4B,EAC5B,aAA+B,EAC/B,SAA6B,EAC7B,OAAwB;IAExB,IAAI,CAAC,QAAQ;QAAE,OAAM;IAErB,MAAM,UAAU,GAAG,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;IAC5C,MAAM,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;IAE9D,IACE,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,OAAO,CAAC,IAAI,CAAC;YACX,UAAU;YACV,UAAU,EAAE,UAAU;YACtB,GAAG,QAAQ;SACZ,CAAC,CAAA;IACJ,CAAC;SAAM,IACL,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,cAAc,EAAE,CAAC;YAC3C,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,CAAA;YAChC,OAAO,CAAC,IAAI,CAAC;gBACX,UAAU;gBACV,GAAG,QAAQ;gBACX,gBAAgB,EAAE,IAAI,CAAC,QAAQ;gBAC/B,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;gBACtC,U
AAU,EAAE,UAAU;aACvB,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,kBAAkB,CACzB,QAA+C,EAC/C,UAA4B,EAC5B,aAA+B,EAC/B,SAA6B,EAC7B,OAAwB;IAExB,IAAI,CAAC,QAAQ;QAAE,OAAM;IAErB,MAAM,UAAU,GAAG,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;IAC5C,MAAM,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;IAE9D,IACE,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,KAAK,MAAM,EAAE,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;YACrC,IAAI,EAAE,CAAC,MAAM,KAAK,kBAAkB,EAAE,CAAC;gBACrC,OAAO,CAAC,IAAI,CAAC;oBACX,UAAU;oBACV,UAAU,EAAE,EAAE,CAAC,aAAa;oBAC5B,UAAU,EAAE,UAAU;oBACtB,GAAG,QAAQ;iBACZ,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;IACH,CAAC;SAAM,IACL,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,KAAK,MAAM,EAAE,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;YACrC,IAAI,EAAE,CAAC,MAAM,KAAK,kBAAkB,EAAE,CAAC;gBACrC,KAAK,MAAM,IAAI,IAAI,EAAE,CAAC,cAAc,EAAE,CAAC;oBACrC,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,CAAA;oBAChC,OAAO,CAAC,IAAI,CAAC;wBACX,UAAU;wBACV,gBAAgB,EAAE,IAAI,CAAC,QAAQ;wBAC/B,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;wBACpC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;wBACtC,GAAG,QAAQ;wBACX,UAAU,EAAE,UAAU;qBACvB,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,eAAe,CAAC,eAAgC;IAC9D,IAAI,eAAe,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QACzC,OAAO,EAAE,CAAA;IACX,CAAC;IAED,MAAM,YAAY,GAAmB,EAAE,CAAA;IAEvC,qBAAqB,CAAC,eAAe,CAAC,gBAAgB,EAAE,UAAU,EAAE,YAAY,CAAC,CAAA;IACjF,qBAAqB,CAAC,eAAe,CAAC,gBAAgB,EAAE,UAAU,EAAE,YAAY,CAAC,CAAA;IACjF,qBAAqB,CAAC,eAAe,CAAC,0BAA0B,EAAE,IAAI,EAAE,YAAY,CAAC,CAAA;IACrF,qBAAqB,CAAC,eAAe,CAAC,gBAAgB,EAAE,MAAM,EAAE,YAAY,CAAC,CAAA;IAC7E,iBAAiB,CAAC,eAAe,CAAC,WAAW,EAAE,KAAK,EAAE,YAAY,CAAC,CAAA;IACnE,iBAAiB,CAAC,eAAe,CAAC,WAAW,EAAE,KAAK,EAAE,YAAY,CAAC,CAAA;IAEnE,OAAO,YAAY,CAAA;AACrB,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAC5B,QAAyD,EACzD,UAAmD,EACnD,MAAsB;IAEtB,IAAI,QAAQ,EAAE,MAAM,KAAK,SAAS,IAAI,QAAQ,EAAE,MAAM,KAAK,mBAAmB;QAAE,OAAM;IACtF,KAAK
,MAAM,IAAI,IAAI,QAAQ,CAAC,eAAe,EAAE,CAAC;QAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,CAAA;QAChC,IAAI,UAAU,KAAK,UAAU,EAAE,CAAC;YAC9B,MAAM,CAAC,IAAI,CAAC;gBACV,UAAU,EAAE,UAAU;gBACtB,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;aACvC,CAAC,CAAA;QACJ,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,IAAI,CAAC;gBACV,UAAU;gBACV,gBAAgB,EAAE,IAAI,CAAC,QAAQ;gBAC/B,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;aACvC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CACxB,QAA+C,EAC/C,UAAyB,EACzB,MAAsB;IAEtB,IAAI,CAAC,QAAQ;QAAE,OAAM;IACrB,KAAK,MAAM,EAAE,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;QACrC,IAAI,EAAE,CAAC,MAAM,KAAK,SAAS;YAAE,SAAQ;QACrC,KAAK,MAAM,IAAI,IAAI,EAAE,CAAC,eAAe,EAAE,CAAC;YACtC,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,CAAA;YAChC,MAAM,CAAC,IAAI,CAAC;gBACV,UAAU;gBACV,aAAa,EAAE,EAAE,CAAC,aAAa;gBAC/B,gBAAgB,EAAE,IAAI,CAAC,QAAQ;gBAC/B,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;aACvC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;AACH,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"contextKeys.d.ts","sourceRoot":"","sources":["../../../src/context_keys/contextKeys.ts"],"names":[],"mappings":"AASA,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,sBAAsB,CAAA;
|
|
1
|
+
{"version":3,"file":"contextKeys.d.ts","sourceRoot":"","sources":["../../../src/context_keys/contextKeys.ts"],"names":[],"mappings":"AASA,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,sBAAsB,CAAA;AA0B5D;;;;;GAKG;AACH,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAOtE;AAiCD;;;;;;;GAOG;AACH,wBAAgB,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAGpE;AAED;;;;;GAKG;AACH,wBAAsB,uBAAuB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAgBjF;AAmBD;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAYrF"}
|
|
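--- a/package/dist/cjs/context_keys/contextKeys.js
+++ b/package/dist/cjs/context_keys/contextKeys.js
@@ -6,7 +6,28 @@ exports.normalizeContextKeyCase = normalizeContextKeyCase;
 exports.typeForContextKey = typeForContextKey;
 const iam_data_1 = require("@cloud-copilot/iam-data");
 const globalConditionKeys_js_1 = require("../global_conditions/globalConditionKeys.js");
-const oidcKeys = new Set([
+const oidcKeys = new Set([
+'amr',
+'aud',
+'email',
+'oaud',
+'sub',
+'actor',
+'actor_id',
+'job_workflow_ref',
+'repository',
+'repository_id',
+'workflow',
+'ref',
+'environment',
+'enterprise_id',
+'app_id',
+'user_id',
+'id',
+'project_id',
+'rpst_id',
+'google/organization_number'
+]);
 const oidcProviderPattern = /^[0-9a-zA-Z\._\-]+$/;
 /**
 * Check if a context key actually exists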
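Review bot: The `oidcKeys` set grows to twenty entries without a comment saying where the new claim names come from or what role the set plays; the only nearby hint is the `Check if a context key actually exists` doc below it, so presumably a claim outside this set is reported as a non-existent context key (its use is outside this hunk — confirm). Because the names mix standard OIDC claims (`amr`, `aud`, `email`, `sub`) with what look like GitHub Actions claims (`actor`, `job_workflow_ref`, `repository`, `workflow`, `ref`, `environment`) and other provider-specific ones (`google/organization_number`, `rpst_id`), a reader cannot tell whether a missing claim is deliberate or an omission. Suggest a header comment such as `// Claim names accepted as OIDC provider context keys; a claim not listed here is treated as unknown. Grouped by source: standard OIDC, GitHub Actions, provider-specific.` with one comment per group and a pointer to the reference the list was taken from. The esm contextKeys.js section below has the same change.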
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"contextKeys.js","sourceRoot":"","sources":["../../../src/context_keys/contextKeys.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"contextKeys.js","sourceRoot":"","sources":["../../../src/context_keys/contextKeys.ts"],"names":[],"mappings":";;AAyCA,gDAOC;AAyCD,0CAGC;AAQD,0DAgBC;AA0BD,8CAYC;AA1JD,sDAOgC;AAChC,wFAAsG;AAGtG,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC;IACvB,KAAK;IACL,KAAK;IACL,OAAO;IACP,MAAM;IACN,KAAK;IACL,OAAO;IACP,UAAU;IACV,kBAAkB;IAClB,YAAY;IACZ,eAAe;IACf,UAAU;IACV,KAAK;IACL,aAAa;IACb,eAAe;IACf,QAAQ;IACR,SAAS;IACT,IAAI;IACJ,YAAY;IACZ,SAAS;IACT,4BAA4B;CAC7B,CAAC,CAAA;AACF,MAAM,mBAAmB,GAAG,qBAAqB,CAAA;AAEjD;;;;;GAKG;AACI,KAAK,UAAU,kBAAkB,CAAC,GAAW;IAClD,IAAI,kBAAkB,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5B,OAAO,IAAI,CAAA;IACb,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,IAAA,2BAAgB,EAAC,GAAG,CAAC,CAAA;IAC3C,OAAO,CAAC,CAAC,OAAO,CAAA;AAClB,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,wBAAwB,CAAC,UAAkB;IACxD,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,GAAG,eAAe,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC,CAAA;IAEhE,MAAM,aAAa,GAAG,MAAM,IAAA,2BAAgB,EAAC,OAAO,CAAC,CAAA;IACrD,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACtB,MAAM,MAAM,GAAG,OAAO,GAAG,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAA;QACjE,MAAM,iBAAiB,GAAG,MAAM,IAAA,qCAA0B,EAAC,OAAO,CAAC,CAAA;QACnE,MAAM,WAAW,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAA;QACrF,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,MAAM,IAAA,iCAAsB,EAAC,OAAO,EAAE,WAAW,CAAC,CAAA;QAC3D,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,IAAA,gCAAqB,EAAC,OAAO,EAAE,UAAU,CAAC,CAAA;IAC/D,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,SAAS,CAAA;IAClB,CAAC;IACD,OAAO,IAAA,iCAAsB,EAAC,OAAO,EAAE,UAAU,CAAC,CAAA;AACpD,CAAC;AAED;;;;;;;GAOG;AACH,SAAgB,eAAe,CAAC,UAAkB;IAChD,MAAM,UAAU,GAAG,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IAC1C,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,EAAE,UAAU,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,CAAA;AAC5E,CAAC;AAED;;;;;GAKG;AACI,KAAK,UAAU,uBAAuB,CAAC,UAAkB;IAC9D,MAAM,UAAU,GAAG,MAAM,wBAAwB,CAAC,UAAU,CAAC,CAAA;IAC7D,IAAI,UAAU,EAAE,CAAC;QACf,OAAO,2BA
A2B,CAAC,UAAU,CAAC,GAAG,EAAE,UAAU,CAAC,CAAA;IAChE,CAAC;IAED,MAAM,kBAAkB,GAAG,IAAA,iEAAwC,EAAC,UAAU,CAAC,CAAA;IAC/E,IAAI,kBAAkB,EAAE,CAAC;QACvB,OAAO,2BAA2B,CAAC,kBAAkB,CAAC,GAAG,EAAE,UAAU,CAAC,CAAA;IACxE,CAAC;IAED,IAAI,kBAAkB,CAAC,UAAU,CAAC,EAAE,CAAC;QACnC,OAAO,UAAU,CAAA;IACnB,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,eAAe,UAAU,YAAY,CAAC,CAAA;AACxD,CAAC;AAED;;;;;;GAMG;AACH,SAAS,2BAA2B,CAAC,OAAe,EAAE,SAAiB;IACrE,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IACvC,IAAI,UAAU,KAAK,CAAC,CAAC,EAAE,CAAC;QACtB,OAAO,OAAO,CAAA;IAChB,CAAC;IACD,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAA;IAC3C,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,UAAU,CAAC,CAAA;IAC1C,OAAO,MAAM,GAAG,MAAM,CAAA;AACxB,CAAC;AAED;;;;;;GAMG;AACI,KAAK,UAAU,iBAAiB,CAAC,UAAkB;IACxD,MAAM,kBAAkB,GAAG,IAAA,iEAAwC,EAAC,UAAU,CAAC,CAAA;IAC/E,IAAI,kBAAkB,EAAE,CAAC;QACvB,OAAO,kBAAkB,CAAC,IAAwB,CAAA;IACpD,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,wBAAwB,CAAC,UAAU,CAAC,CAAA;IAC7D,IAAI,UAAU,EAAE,CAAC;QACf,OAAO,UAAU,CAAC,IAAwB,CAAA;IAC5C,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,iBAAiB,UAAU,YAAY,CAAC,CAAA;AAC1D,CAAC;AAED;;;;;GAKG;AACH,SAAS,kBAAkB,CAAC,GAAW;IACrC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC5B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,KAAK,CAAA;IACd,CAAC;IACD,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,GAAG,KAAK,CAAA;IAC/B,OAAO,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;AAClE,CAAC"}
|
|
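--- a/package/dist/esm/analysis/analyzeResults.d.ts
+++ b/package/dist/esm/analysis/analyzeResults.d.ts
@@ -55,7 +55,7 @@ export type RequestDenial = {
 denialType: 'Explicit';
 };
 export type RequestGrant = {
-policyType: 'identity';
+policyType: 'identity' | 'pb' | 'vpce';
 policyIdentifier: string;
 statementId?: string | undefined;
 statementIndex: number;
@@ -63,6 +63,12 @@ export type RequestGrant = {
 policyType: 'resource';
 statementId?: string | undefined;
 statementIndex: number;
+} | {
+policyType: 'scp' | 'rcp';
+orgIdentifier: string;
+policyIdentifier: string;
+statementId?: string | undefined;
+statementIndex: number;
 };
 /**
 * Find the policy statements that caused a request to be denied.
@@ -86,9 +92,6 @@ export declare function getDenialReasons(requestAnalysis: RequestAnalysis): Requ
 * Find the policy statements that granted access for an allowed request.
 * Analyzes the RequestAnalysis and returns the specific grants that allowed the request.
 *
-* Only identity and resource policies can grant access. SCPs, RCPs, permission boundaries,
-* and endpoint policies can only deny (not grant).
-*
 * @param requestAnalysis the request analysis
 * @returns a list of RequestGrant objects describing which policies granted access
 */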
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"analyzeResults.d.ts","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,aAAa,EAIlB,KAAK,eAAe,EAGrB,MAAM,gBAAgB,CAAA;AAEvB;;;;;GAKG;AACH,wBAAgB,2BAA2B,CAAC,eAAe,EAAE,eAAe,GAAG,OAAO,CAOrF;AAED,MAAM,MAAM,gBAAgB,GAAG,aAAa,CAAA;AAE5C,MAAM,MAAM,aAAa,GACrB;IACE;;OAEG;IACH,UAAU,EAAE,gBAAgB,CAAA;IAE5B;;OAEG;IACH,QAAQ,CAAC,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IAEnB;;OAEG;IACH,UAAU,EAAE,UAAU,CAAA;CACvB,GACD;IACE;;OAEG;IACH,UAAU,EAAE,gBAAgB,CAAA;IAE5B;;OAEG;IACH,QAAQ,CAAC,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAA;IAEzB;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAEhC;;OAEG;IACH,cAAc,EAAE,MAAM,CAAA;IAEtB;;OAEG;IACH,UAAU,EAAE,UAAU,CAAA;CACvB,CAAA;AAEL,MAAM,MAAM,YAAY,GACpB;IACE,UAAU,EAAE,UAAU,CAAA;
|
|
1
|
+
{"version":3,"file":"analyzeResults.d.ts","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,aAAa,EAIlB,KAAK,eAAe,EAGrB,MAAM,gBAAgB,CAAA;AAEvB;;;;;GAKG;AACH,wBAAgB,2BAA2B,CAAC,eAAe,EAAE,eAAe,GAAG,OAAO,CAOrF;AAED,MAAM,MAAM,gBAAgB,GAAG,aAAa,CAAA;AAE5C,MAAM,MAAM,aAAa,GACrB;IACE;;OAEG;IACH,UAAU,EAAE,gBAAgB,CAAA;IAE5B;;OAEG;IACH,QAAQ,CAAC,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IAEnB;;OAEG;IACH,UAAU,EAAE,UAAU,CAAA;CACvB,GACD;IACE;;OAEG;IACH,UAAU,EAAE,gBAAgB,CAAA;IAE5B;;OAEG;IACH,QAAQ,CAAC,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAA;IAEzB;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAEhC;;OAEG;IACH,cAAc,EAAE,MAAM,CAAA;IAEtB;;OAEG;IACH,UAAU,EAAE,UAAU,CAAA;CACvB,CAAA;AAEL,MAAM,MAAM,YAAY,GACpB;IACE,UAAU,EAAE,UAAU,GAAG,IAAI,GAAG,MAAM,CAAA;IACtC,gBAAgB,EAAE,MAAM,CAAA;IACxB,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAChC,cAAc,EAAE,MAAM,CAAA;CACvB,GACD;IACE,UAAU,EAAE,UAAU,CAAA;IACtB,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAChC,cAAc,EAAE,MAAM,CAAA;CACvB,GACD;IACE,UAAU,EAAE,KAAK,GAAG,KAAK,CAAA;IACzB,aAAa,EAAE,MAAM,CAAA;IACrB,gBAAgB,EAAE,MAAM,CAAA;IACxB,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAChC,cAAc,EAAE,MAAM,CAAA;CACvB,CAAA;AAEL;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,gBAAgB,CAAC,eAAe,EAAE,eAAe,GAAG,aAAa,EAAE,CAqClF;AAiGD;;;;;;GAMG;AACH,wBAAgB,eAAe,CAAC,eAAe,EAAE,eAAe,GAAG,YAAY,EAAE,CAehF"}
|
|
@@ -118,9 +118,6 @@ function addOuPolicyDenials(analysis, policyType, overallResult, blockedBy, deni
|
|
|
118
118
|
* Find the policy statements that granted access for an allowed request.
|
|
119
119
|
* Analyzes the RequestAnalysis and returns the specific grants that allowed the request.
|
|
120
120
|
*
|
|
121
|
-
* Only identity and resource policies can grant access. SCPs, RCPs, permission boundaries,
|
|
122
|
-
* and endpoint policies can only deny (not grant).
|
|
123
|
-
*
|
|
124
121
|
* @param requestAnalysis the request analysis
|
|
125
122
|
* @returns a list of RequestGrant objects describing which policies granted access
|
|
126
123
|
*/
|
|
@@ -129,28 +126,58 @@ export function getGrantReasons(requestAnalysis) {
|
|
|
129
126
|
return [];
|
|
130
127
|
}
|
|
131
128
|
const grantDetails = [];
|
|
132
|
-
|
|
133
|
-
|
|
134
|
-
|
|
135
|
-
|
|
136
|
-
|
|
129
|
+
addSimplePolicyGrants(requestAnalysis.identityAnalysis, 'identity', grantDetails);
|
|
130
|
+
addSimplePolicyGrants(requestAnalysis.resourceAnalysis, 'resource', grantDetails);
|
|
131
|
+
addSimplePolicyGrants(requestAnalysis.permissionBoundaryAnalysis, 'pb', grantDetails);
|
|
132
|
+
addSimplePolicyGrants(requestAnalysis.endpointAnalysis, 'vpce', grantDetails);
|
|
133
|
+
addOuPolicyGrants(requestAnalysis.scpAnalysis, 'scp', grantDetails);
|
|
134
|
+
addOuPolicyGrants(requestAnalysis.rcpAnalysis, 'rcp', grantDetails);
|
|
135
|
+
return grantDetails;
|
|
136
|
+
}
|
|
137
|
+
/**
|
|
138
|
+
* Helper for simple policy grants (identity, resource, pb, vpce).
|
|
139
|
+
*/
|
|
140
|
+
function addSimplePolicyGrants(analysis, policyType, grants) {
|
|
141
|
+
if (analysis?.result !== 'Allowed' && analysis?.result !== 'AllowedForAccount')
|
|
142
|
+
return;
|
|
143
|
+
for (const stmt of analysis.allowStatements) {
|
|
144
|
+
const sid = stmt.statement.sid();
|
|
145
|
+
if (policyType === 'resource') {
|
|
146
|
+
grants.push({
|
|
147
|
+
policyType: 'resource',
|
|
148
|
+
...(sid ? { statementId: sid } : {}),
|
|
149
|
+
statementIndex: stmt.statement.index()
|
|
150
|
+
});
|
|
151
|
+
}
|
|
152
|
+
else {
|
|
153
|
+
grants.push({
|
|
154
|
+
policyType,
|
|
137
155
|
policyIdentifier: stmt.policyId,
|
|
138
156
|
...(sid ? { statementId: sid } : {}),
|
|
139
157
|
statementIndex: stmt.statement.index()
|
|
140
158
|
});
|
|
141
159
|
}
|
|
142
160
|
}
|
|
143
|
-
|
|
144
|
-
|
|
145
|
-
|
|
161
|
+
}
|
|
162
|
+
/**
|
|
163
|
+
* Helper for OU-based policy grants (scp, rcp).
|
|
164
|
+
*/
|
|
165
|
+
function addOuPolicyGrants(analysis, policyType, grants) {
|
|
166
|
+
if (!analysis)
|
|
167
|
+
return;
|
|
168
|
+
for (const ou of analysis.ouAnalysis) {
|
|
169
|
+
if (ou.result !== 'Allowed')
|
|
170
|
+
continue;
|
|
171
|
+
for (const stmt of ou.allowStatements) {
|
|
146
172
|
const sid = stmt.statement.sid();
|
|
147
|
-
|
|
148
|
-
policyType
|
|
173
|
+
grants.push({
|
|
174
|
+
policyType,
|
|
175
|
+
orgIdentifier: ou.orgIdentifier,
|
|
176
|
+
policyIdentifier: stmt.policyId,
|
|
149
177
|
...(sid ? { statementId: sid } : {}),
|
|
150
178
|
statementIndex: stmt.statement.index()
|
|
151
179
|
});
|
|
152
180
|
}
|
|
153
181
|
}
|
|
154
|
-
return grantDetails;
|
|
155
182
|
}
|
|
156
183
|
//# sourceMappingURL=analyzeResults.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"analyzeResults.js","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":"AAAA,OAAO,EAQN,MAAM,gBAAgB,CAAA;AAEvB;;;;;GAKG;AACH,MAAM,UAAU,2BAA2B,CAAC,eAAgC;IAC1E,MAAM,gBAAgB,GAAG,eAAe,CAAC,gBAAgB,CAAA;IACzD,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,OAAO,KAAK,CAAA;IACd,CAAC;IAED,OAAO,gBAAgB,CAAC,MAAM,KAAK,SAAS,CAAA;AAC9C,CAAC;
|
|
1
|
+
{"version":3,"file":"analyzeResults.js","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":"AAAA,OAAO,EAQN,MAAM,gBAAgB,CAAA;AAEvB;;;;;GAKG;AACH,MAAM,UAAU,2BAA2B,CAAC,eAAgC;IAC1E,MAAM,gBAAgB,GAAG,eAAe,CAAC,gBAAgB,CAAA;IACzD,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,OAAO,KAAK,CAAA;IACd,CAAC;IAED,OAAO,gBAAgB,CAAC,MAAM,KAAK,SAAS,CAAA;AAC9C,CAAC;AAkFD;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,gBAAgB,CAAC,eAAgC;IAC/D,MAAM,OAAO,GAAoB,EAAE,CAAA;IACnC,MAAM,aAAa,GAAG,eAAe,CAAC,MAAM,CAAA;IAC5C,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,eAAe,CAAC,SAAS,IAAI,EAAE,CAAC,CAAA;IAE1D,sBAAsB,CACpB,eAAe,CAAC,gBAAgB,EAChC,UAAU,EACV,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IACD,sBAAsB,CACpB,eAAe,CAAC,gBAAgB,EAChC,UAAU,EACV,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IACD,kBAAkB,CAAC,eAAe,CAAC,WAAW,EAAE,KAAK,EAAE,aAAa,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;IACzF,kBAAkB,CAAC,eAAe,CAAC,WAAW,EAAE,KAAK,EAAE,aAAa,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;IACzF,sBAAsB,CACpB,eAAe,CAAC,0BAA0B,EAC1C,IAAI,EACJ,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IACD,sBAAsB,CACpB,eAAe,CAAC,gBAAgB,EAChC,MAAM,EACN,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IAED,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;;GAGG;AACH,SAAS,sBAAsB,CAC7B,QAAyD,EACzD,UAA4B,EAC5B,aAA+B,EAC/B,SAA6B,EAC7B,OAAwB;IAExB,IAAI,CAAC,QAAQ;QAAE,OAAM;IAErB,MAAM,UAAU,GAAG,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;IAC5C,MAAM,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;IAE9D,IACE,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,OAAO,CAAC,IAAI,CAAC;YACX,UAAU;YACV,UAAU,EAAE,UAAU;YACtB,GAAG,QAAQ;SACZ,CAAC,CAAA;IACJ,CAAC;SAAM,IACL,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,cAAc,EAAE,CAAC;YAC3C,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,CAAA;YAChC,OAAO,CAAC,IAAI,CAAC;gBACX,UAAU;gBACV,GAAG,QAAQ;gBACX,gBAAgB,EAAE,IAAI,CAAC,QAAQ;gBAC/B,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;gBACtC,
UAAU,EAAE,UAAU;aACvB,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,kBAAkB,CACzB,QAA+C,EAC/C,UAA4B,EAC5B,aAA+B,EAC/B,SAA6B,EAC7B,OAAwB;IAExB,IAAI,CAAC,QAAQ;QAAE,OAAM;IAErB,MAAM,UAAU,GAAG,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;IAC5C,MAAM,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;IAE9D,IACE,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,KAAK,MAAM,EAAE,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;YACrC,IAAI,EAAE,CAAC,MAAM,KAAK,kBAAkB,EAAE,CAAC;gBACrC,OAAO,CAAC,IAAI,CAAC;oBACX,UAAU;oBACV,UAAU,EAAE,EAAE,CAAC,aAAa;oBAC5B,UAAU,EAAE,UAAU;oBACtB,GAAG,QAAQ;iBACZ,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;IACH,CAAC;SAAM,IACL,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,KAAK,MAAM,EAAE,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;YACrC,IAAI,EAAE,CAAC,MAAM,KAAK,kBAAkB,EAAE,CAAC;gBACrC,KAAK,MAAM,IAAI,IAAI,EAAE,CAAC,cAAc,EAAE,CAAC;oBACrC,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,CAAA;oBAChC,OAAO,CAAC,IAAI,CAAC;wBACX,UAAU;wBACV,gBAAgB,EAAE,IAAI,CAAC,QAAQ;wBAC/B,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;wBACpC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;wBACtC,GAAG,QAAQ;wBACX,UAAU,EAAE,UAAU;qBACvB,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,eAAe,CAAC,eAAgC;IAC9D,IAAI,eAAe,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QACzC,OAAO,EAAE,CAAA;IACX,CAAC;IAED,MAAM,YAAY,GAAmB,EAAE,CAAA;IAEvC,qBAAqB,CAAC,eAAe,CAAC,gBAAgB,EAAE,UAAU,EAAE,YAAY,CAAC,CAAA;IACjF,qBAAqB,CAAC,eAAe,CAAC,gBAAgB,EAAE,UAAU,EAAE,YAAY,CAAC,CAAA;IACjF,qBAAqB,CAAC,eAAe,CAAC,0BAA0B,EAAE,IAAI,EAAE,YAAY,CAAC,CAAA;IACrF,qBAAqB,CAAC,eAAe,CAAC,gBAAgB,EAAE,MAAM,EAAE,YAAY,CAAC,CAAA;IAC7E,iBAAiB,CAAC,eAAe,CAAC,WAAW,EAAE,KAAK,EAAE,YAAY,CAAC,CAAA;IACnE,iBAAiB,CAAC,eAAe,CAAC,WAAW,EAAE,KAAK,EAAE,YAAY,CAAC,CAAA;IAEnE,OAAO,YAAY,CAAA;AACrB,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAC5B,QAAyD,EACzD,UAAmD,EACnD,MAAsB;IAEtB,IAAI,QAAQ,EAAE,MAAM,KAAK,SAAS,IAAI,QAAQ,EAAE,MAAM,KAAK,mBAAmB;QAAE,OAAM;IACtF
,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,eAAe,EAAE,CAAC;QAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,CAAA;QAChC,IAAI,UAAU,KAAK,UAAU,EAAE,CAAC;YAC9B,MAAM,CAAC,IAAI,CAAC;gBACV,UAAU,EAAE,UAAU;gBACtB,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;aACvC,CAAC,CAAA;QACJ,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,IAAI,CAAC;gBACV,UAAU;gBACV,gBAAgB,EAAE,IAAI,CAAC,QAAQ;gBAC/B,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;aACvC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CACxB,QAA+C,EAC/C,UAAyB,EACzB,MAAsB;IAEtB,IAAI,CAAC,QAAQ;QAAE,OAAM;IACrB,KAAK,MAAM,EAAE,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;QACrC,IAAI,EAAE,CAAC,MAAM,KAAK,SAAS;YAAE,SAAQ;QACrC,KAAK,MAAM,IAAI,IAAI,EAAE,CAAC,eAAe,EAAE,CAAC;YACtC,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,CAAA;YAChC,MAAM,CAAC,IAAI,CAAC;gBACV,UAAU;gBACV,aAAa,EAAE,EAAE,CAAC,aAAa;gBAC/B,gBAAgB,EAAE,IAAI,CAAC,QAAQ;gBAC/B,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;aACvC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;AACH,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"contextKeys.d.ts","sourceRoot":"","sources":["../../../src/context_keys/contextKeys.ts"],"names":[],"mappings":"AASA,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,sBAAsB,CAAA;
|
|
1
|
+
{"version":3,"file":"contextKeys.d.ts","sourceRoot":"","sources":["../../../src/context_keys/contextKeys.ts"],"names":[],"mappings":"AASA,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,sBAAsB,CAAA;AA0B5D;;;;;GAKG;AACH,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAOtE;AAiCD;;;;;;;GAOG;AACH,wBAAgB,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAGpE;AAED;;;;;GAKG;AACH,wBAAsB,uBAAuB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAgBjF;AAmBD;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAYrF"}
|
|
@@ -1,7 +1,28 @@
1
1
import { findConditionKey, iamConditionKeyDetails, iamConditionKeyExists, iamConditionKeysForService, iamServiceExists } from '@cloud-copilot/iam-data';
2
2
import { getGlobalConditionKeyWithOrWithoutPrefix } from '../global_conditions/globalConditionKeys.js';
3
3
import {} from './contextKeyTypes.js';
4
-
const oidcKeys = new Set([
4
+
const oidcKeys = new Set([
5
+
'amr',
6
+
'aud',
7
+
'email',
8
+
'oaud',
9
+
'sub',
10
+
'actor',
11
+
'actor_id',
12
+
'job_workflow_ref',
13
+
'repository',
14
+
'repository_id',
15
+
'workflow',
16
+
'ref',
17
+
'environment',
18
+
'enterprise_id',
19
+
'app_id',
20
+
'user_id',
21
+
'id',
22
+
'project_id',
23
+
'rpst_id',
24
+
'google/organization_number'
25
+
]);
5
26
const oidcProviderPattern = /^[0-9a-zA-Z\._\-]+$/;
6
27
/**
7
28
* Check if a context key actually exists
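Review bot: The expanded `oidcKeys` set (new lines 4–25) mixes generic OIDC claims (`amr`, `aud`, `email`, `oaud`, `sub`, `id`) with what look like provider-specific claim names — the GitHub Actions style `actor`, `repository`, `job_workflow_ref`, `workflow`, `ref`, `environment`, plus `google/organization_number` — but nothing in the hunk records which provider issues which claim, and the only provider constraint visible is the unchanged `oidcProviderPattern` on the next line, which accepts any dotted host name. If the key check that consumes this set (outside the hunk) only tests `oidcKeys.has(suffix) && oidcProviderPattern.test(provider)`, the simulator will report e.g. `accounts.google.com:repository` or `token.actions.githubusercontent.com:amr` as a valid condition key, so a policy that conditions on a claim its provider never emits is treated as well-formed instead of flagged — exactly the kind of typo that silently leaves a trust policy less restrictive than the author intended. Consider keying the table by provider, e.g. `const oidcKeysByProvider = new Map([['token.actions.githubusercontent.com', new Set(['aud', 'sub', 'actor', ...])], ...])` with the generic claims as a fallback, or at minimum document the leniency above the set: `// Claim names accepted after any <provider>: prefix; grouped as generic OIDC, GitHub Actions, and Google claims — a claim is NOT checked against the provider that actually issues it`. Since this file is compiled `dist/` output, the change belongs in `src/context_keys/contextKeys.ts`, and the claim-to-provider attribution above is inferred from the names only.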
@@ -1 +1 @@
1
-
{"version":3,"file":"contextKeys.js","sourceRoot":"","sources":["../../../src/context_keys/contextKeys.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,gBAAgB,EAChB,sBAAsB,EACtB,qBAAqB,EACrB,0BAA0B,EAC1B,gBAAgB,EACjB,MAAM,yBAAyB,CAAA;AAChC,OAAO,EAAE,wCAAwC,EAAE,MAAM,6CAA6C,CAAA;AACtG,OAAO,EAAyB,MAAM,sBAAsB,CAAA;AAE5D,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,
1
+
{"version":3,"file":"contextKeys.js","sourceRoot":"","sources":["../../../src/context_keys/contextKeys.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,gBAAgB,EAChB,sBAAsB,EACtB,qBAAqB,EACrB,0BAA0B,EAC1B,gBAAgB,EACjB,MAAM,yBAAyB,CAAA;AAChC,OAAO,EAAE,wCAAwC,EAAE,MAAM,6CAA6C,CAAA;AACtG,OAAO,EAAyB,MAAM,sBAAsB,CAAA;AAE5D,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC;IACvB,KAAK;IACL,KAAK;IACL,OAAO;IACP,MAAM;IACN,KAAK;IACL,OAAO;IACP,UAAU;IACV,kBAAkB;IAClB,YAAY;IACZ,eAAe;IACf,UAAU;IACV,KAAK;IACL,aAAa;IACb,eAAe;IACf,QAAQ;IACR,SAAS;IACT,IAAI;IACJ,YAAY;IACZ,SAAS;IACT,4BAA4B;CAC7B,CAAC,CAAA;AACF,MAAM,mBAAmB,GAAG,qBAAqB,CAAA;AAEjD;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,GAAW;IAClD,IAAI,kBAAkB,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5B,OAAO,IAAI,CAAA;IACb,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,GAAG,CAAC,CAAA;IAC3C,OAAO,CAAC,CAAC,OAAO,CAAA;AAClB,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,wBAAwB,CAAC,UAAkB;IACxD,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,GAAG,eAAe,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC,CAAA;IAEhE,MAAM,aAAa,GAAG,MAAM,gBAAgB,CAAC,OAAO,CAAC,CAAA;IACrD,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACtB,MAAM,MAAM,GAAG,OAAO,GAAG,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAA;QACjE,MAAM,iBAAiB,GAAG,MAAM,0BAA0B,CAAC,OAAO,CAAC,CAAA;QACnE,MAAM,WAAW,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAA;QACrF,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,MAAM,sBAAsB,CAAC,OAAO,EAAE,WAAW,CAAC,CAAA;QAC3D,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,qBAAqB,CAAC,OAAO,EAAE,UAAU,CAAC,CAAA;IAC/D,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,SAAS,CAAA;IAClB,CAAC;IACD,OAAO,sBAAsB,CAAC,OAAO,EAAE,UAAU,CAAC,CAAA;AACpD,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,eAAe,CAAC,UAAkB;IAChD,MAAM,UAAU,GAAG,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IAC1C,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,EAAE,UAAU,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,CAAA;AAC5E,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAAC,UAAk
B;IAC9D,MAAM,UAAU,GAAG,MAAM,wBAAwB,CAAC,UAAU,CAAC,CAAA;IAC7D,IAAI,UAAU,EAAE,CAAC;QACf,OAAO,2BAA2B,CAAC,UAAU,CAAC,GAAG,EAAE,UAAU,CAAC,CAAA;IAChE,CAAC;IAED,MAAM,kBAAkB,GAAG,wCAAwC,CAAC,UAAU,CAAC,CAAA;IAC/E,IAAI,kBAAkB,EAAE,CAAC;QACvB,OAAO,2BAA2B,CAAC,kBAAkB,CAAC,GAAG,EAAE,UAAU,CAAC,CAAA;IACxE,CAAC;IAED,IAAI,kBAAkB,CAAC,UAAU,CAAC,EAAE,CAAC;QACnC,OAAO,UAAU,CAAA;IACnB,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,eAAe,UAAU,YAAY,CAAC,CAAA;AACxD,CAAC;AAED;;;;;;GAMG;AACH,SAAS,2BAA2B,CAAC,OAAe,EAAE,SAAiB;IACrE,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IACvC,IAAI,UAAU,KAAK,CAAC,CAAC,EAAE,CAAC;QACtB,OAAO,OAAO,CAAA;IAChB,CAAC;IACD,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAA;IAC3C,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,UAAU,CAAC,CAAA;IAC1C,OAAO,MAAM,GAAG,MAAM,CAAA;AACxB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,UAAkB;IACxD,MAAM,kBAAkB,GAAG,wCAAwC,CAAC,UAAU,CAAC,CAAA;IAC/E,IAAI,kBAAkB,EAAE,CAAC;QACvB,OAAO,kBAAkB,CAAC,IAAwB,CAAA;IACpD,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,wBAAwB,CAAC,UAAU,CAAC,CAAA;IAC7D,IAAI,UAAU,EAAE,CAAC;QACf,OAAO,UAAU,CAAC,IAAwB,CAAA;IAC5C,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,iBAAiB,UAAU,YAAY,CAAC,CAAA;AAC1D,CAAC;AAED;;;;;GAKG;AACH,SAAS,kBAAkB,CAAC,GAAW;IACrC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC5B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,KAAK,CAAA;IACd,CAAC;IACD,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,GAAG,KAAK,CAAA;IAC/B,OAAO,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;AAClE,CAAC"}