@cloud-copilot/iam-simulate 0.1.117 → 0.1.119
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/analysis/analyzeResults.d.ts +7 -4
- package/dist/cjs/analysis/analyzeResults.d.ts.map +1 -1
- package/dist/cjs/analysis/analyzeResults.js +41 -14
- package/dist/cjs/analysis/analyzeResults.js.map +1 -1
- package/dist/esm/analysis/analyzeResults.d.ts +7 -4
- package/dist/esm/analysis/analyzeResults.d.ts.map +1 -1
- package/dist/esm/analysis/analyzeResults.js +41 -14
- package/dist/esm/analysis/analyzeResults.js.map +1 -1
- package/package.json +1 -1
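--- a/package/dist/cjs/analysis/analyzeResults.d.ts
+++ b/package/dist/cjs/analysis/analyzeResults.d.ts
@@ -55,7 +55,7 @@ export type RequestDenial = {
 denialType: 'Explicit';
 };
 export type RequestGrant = {
-policyType: 'identity';
+policyType: 'identity' | 'pb' | 'vpce';
 policyIdentifier: string;
 statementId?: string | undefined;
 statementIndex: number;
@@ -63,6 +63,12 @@ export type RequestGrant = {
 policyType: 'resource';
 statementId?: string | undefined;
 statementIndex: number;
+} | {
+policyType: 'scp' | 'rcp';
+orgIdentifier: string;
+policyIdentifier: string;
+statementId?: string | undefined;
+statementIndex: number;
 };
 /**
 * Find the policy statements that caused a request to be denied.
@@ -86,9 +92,6 @@ export declare function getDenialReasons(requestAnalysis: RequestAnalysis): Requ
 * Find the policy statements that granted access for an allowed request.
 * Analyzes the RequestAnalysis and returns the specific grants that allowed the request.
 *
-* Only identity and resource policies can grant access. SCPs, RCPs, permission boundaries,
-* and endpoint policies can only deny (not grant).
-*
 * @param requestAnalysis the request analysis
 * @returns a list of RequestGrant objects describing which policies granted access
 */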
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"analyzeResults.d.ts","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,aAAa,EAIlB,KAAK,eAAe,EAGrB,MAAM,gBAAgB,CAAA;AAEvB;;;;;GAKG;AACH,wBAAgB,2BAA2B,CAAC,eAAe,EAAE,eAAe,GAAG,OAAO,CAOrF;AAED,MAAM,MAAM,gBAAgB,GAAG,aAAa,CAAA;AAE5C,MAAM,MAAM,aAAa,GACrB;IACE;;OAEG;IACH,UAAU,EAAE,gBAAgB,CAAA;IAE5B;;OAEG;IACH,QAAQ,CAAC,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IAEnB;;OAEG;IACH,UAAU,EAAE,UAAU,CAAA;CACvB,GACD;IACE;;OAEG;IACH,UAAU,EAAE,gBAAgB,CAAA;IAE5B;;OAEG;IACH,QAAQ,CAAC,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAA;IAEzB;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAEhC;;OAEG;IACH,cAAc,EAAE,MAAM,CAAA;IAEtB;;OAEG;IACH,UAAU,EAAE,UAAU,CAAA;CACvB,CAAA;AAEL,MAAM,MAAM,YAAY,GACpB;IACE,UAAU,EAAE,UAAU,CAAA;
|
|
1
|
+
{"version":3,"file":"analyzeResults.d.ts","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,aAAa,EAIlB,KAAK,eAAe,EAGrB,MAAM,gBAAgB,CAAA;AAEvB;;;;;GAKG;AACH,wBAAgB,2BAA2B,CAAC,eAAe,EAAE,eAAe,GAAG,OAAO,CAOrF;AAED,MAAM,MAAM,gBAAgB,GAAG,aAAa,CAAA;AAE5C,MAAM,MAAM,aAAa,GACrB;IACE;;OAEG;IACH,UAAU,EAAE,gBAAgB,CAAA;IAE5B;;OAEG;IACH,QAAQ,CAAC,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IAEnB;;OAEG;IACH,UAAU,EAAE,UAAU,CAAA;CACvB,GACD;IACE;;OAEG;IACH,UAAU,EAAE,gBAAgB,CAAA;IAE5B;;OAEG;IACH,QAAQ,CAAC,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAA;IAEzB;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAEhC;;OAEG;IACH,cAAc,EAAE,MAAM,CAAA;IAEtB;;OAEG;IACH,UAAU,EAAE,UAAU,CAAA;CACvB,CAAA;AAEL,MAAM,MAAM,YAAY,GACpB;IACE,UAAU,EAAE,UAAU,GAAG,IAAI,GAAG,MAAM,CAAA;IACtC,gBAAgB,EAAE,MAAM,CAAA;IACxB,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAChC,cAAc,EAAE,MAAM,CAAA;CACvB,GACD;IACE,UAAU,EAAE,UAAU,CAAA;IACtB,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAChC,cAAc,EAAE,MAAM,CAAA;CACvB,GACD;IACE,UAAU,EAAE,KAAK,GAAG,KAAK,CAAA;IACzB,aAAa,EAAE,MAAM,CAAA;IACrB,gBAAgB,EAAE,MAAM,CAAA;IACxB,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAChC,cAAc,EAAE,MAAM,CAAA;CACvB,CAAA;AAEL;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,gBAAgB,CAAC,eAAe,EAAE,eAAe,GAAG,aAAa,EAAE,CAqClF;AAiGD;;;;;;GAMG;AACH,wBAAgB,eAAe,CAAC,eAAe,EAAE,eAAe,GAAG,YAAY,EAAE,CAehF"}
|
|
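--- a/package/dist/cjs/analysis/analyzeResults.js
+++ b/package/dist/cjs/analysis/analyzeResults.js
@@ -122,9 +122,6 @@ function addOuPolicyDenials(analysis, policyType, overallResult, blockedBy, deni
 * Find the policy statements that granted access for an allowed request.
 * Analyzes the RequestAnalysis and returns the specific grants that allowed the request.
 *
-* Only identity and resource policies can grant access. SCPs, RCPs, permission boundaries,
-* and endpoint policies can only deny (not grant).
-*
 * @param requestAnalysis the request analysis
 * @returns a list of RequestGrant objects describing which policies granted access
 */
@@ -133,28 +130,58 @@ function getGrantReasons(requestAnalysis) {
 return [];
 }
 const grantDetails = [];
-
-
-
-
-
+addSimplePolicyGrants(requestAnalysis.identityAnalysis, 'identity', grantDetails);
+addSimplePolicyGrants(requestAnalysis.resourceAnalysis, 'resource', grantDetails);
+addSimplePolicyGrants(requestAnalysis.permissionBoundaryAnalysis, 'pb', grantDetails);
+addSimplePolicyGrants(requestAnalysis.endpointAnalysis, 'vpce', grantDetails);
+addOuPolicyGrants(requestAnalysis.scpAnalysis, 'scp', grantDetails);
+addOuPolicyGrants(requestAnalysis.rcpAnalysis, 'rcp', grantDetails);
+return grantDetails;
+}
+/**
+* Helper for simple policy grants (identity, resource, pb, vpce).
+*/
+function addSimplePolicyGrants(analysis, policyType, grants) {
+if (analysis?.result !== 'Allowed' && analysis?.result !== 'AllowedForAccount')
+return;
+for (const stmt of analysis.allowStatements) {
+const sid = stmt.statement.sid();
+if (policyType === 'resource') {
+grants.push({
+policyType: 'resource',
+...(sid ? { statementId: sid } : {}),
+statementIndex: stmt.statement.index()
+});
+}
+else {
+grants.push({
+policyType,
 policyIdentifier: stmt.policyId,
 ...(sid ? { statementId: sid } : {}),
 statementIndex: stmt.statement.index()
 });
 }
 }
-
-
-
+}
+/**
+* Helper for OU-based policy grants (scp, rcp).
+*/
+function addOuPolicyGrants(analysis, policyType, grants) {
+if (!analysis)
+return;
+for (const ou of analysis.ouAnalysis) {
+if (ou.result !== 'Allowed')
+continue;
+for (const stmt of ou.allowStatements) {
 const sid = stmt.statement.sid();
-
-policyType
+grants.push({
+policyType,
+orgIdentifier: ou.orgIdentifier,
+policyIdentifier: stmt.policyId,
 ...(sid ? { statementId: sid } : {}),
 statementIndex: stmt.statement.index()
 });
 }
 }
-return grantDetails;
 }
 //# sourceMappingURL=analyzeResults.js.map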
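Review bot: addSimplePolicyGrants and addOuPolicyGrants push an allow statement from a permission boundary, endpoint policy, SCP or RCP with the same record shape as an identity or resource allow, so a caller of getGrantReasons cannot tell a permission-conferring statement from one that only let the request through a restricting layer — and the doc sentence this change deletes from getGrantReasons ("Only identity and resource policies can grant access…") described exactly that distinction. If the wider list is intended, state the distinction where the list is produced instead of dropping it: replace the deleted lines with `* Identity and resource policy statements confer the permission; entries for pb, vpce, scp and rcp` / `* record the allow statement that let the request pass that restricting layer and are never sufficient on their own.` and widen the two one-line helper comments the same way. The guard in addSimplePolicyGrants also accepts result 'AllowedForAccount' for every policy type it is called with; if that value is produced only by the resource analysis, a one-line comment saying so would stop the next reader from assuming a boundary or endpoint analysis can yield it. The esm build of analyzeResults.js carries identical code and comments and should get the same text. getGrantReasons begins before the second hunk, so its result check is outside the visible lines.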
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"analyzeResults.js","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":";;AAgBA,kEAOC;
|
|
1
|
+
{"version":3,"file":"analyzeResults.js","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":";;AAgBA,kEAOC;AAmGD,4CAqCC;AAwGD,0CAeC;AA5QD;;;;;GAKG;AACH,SAAgB,2BAA2B,CAAC,eAAgC;IAC1E,MAAM,gBAAgB,GAAG,eAAe,CAAC,gBAAgB,CAAA;IACzD,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,OAAO,KAAK,CAAA;IACd,CAAC;IAED,OAAO,gBAAgB,CAAC,MAAM,KAAK,SAAS,CAAA;AAC9C,CAAC;AAkFD;;;;;;;;;;;;;;;;GAgBG;AACH,SAAgB,gBAAgB,CAAC,eAAgC;IAC/D,MAAM,OAAO,GAAoB,EAAE,CAAA;IACnC,MAAM,aAAa,GAAG,eAAe,CAAC,MAAM,CAAA;IAC5C,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,eAAe,CAAC,SAAS,IAAI,EAAE,CAAC,CAAA;IAE1D,sBAAsB,CACpB,eAAe,CAAC,gBAAgB,EAChC,UAAU,EACV,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IACD,sBAAsB,CACpB,eAAe,CAAC,gBAAgB,EAChC,UAAU,EACV,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IACD,kBAAkB,CAAC,eAAe,CAAC,WAAW,EAAE,KAAK,EAAE,aAAa,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;IACzF,kBAAkB,CAAC,eAAe,CAAC,WAAW,EAAE,KAAK,EAAE,aAAa,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;IACzF,sBAAsB,CACpB,eAAe,CAAC,0BAA0B,EAC1C,IAAI,EACJ,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IACD,sBAAsB,CACpB,eAAe,CAAC,gBAAgB,EAChC,MAAM,EACN,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IAED,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;;GAGG;AACH,SAAS,sBAAsB,CAC7B,QAAyD,EACzD,UAA4B,EAC5B,aAA+B,EAC/B,SAA6B,EAC7B,OAAwB;IAExB,IAAI,CAAC,QAAQ;QAAE,OAAM;IAErB,MAAM,UAAU,GAAG,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;IAC5C,MAAM,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;IAE9D,IACE,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,OAAO,CAAC,IAAI,CAAC;YACX,UAAU;YACV,UAAU,EAAE,UAAU;YACtB,GAAG,QAAQ;SACZ,CAAC,CAAA;IACJ,CAAC;SAAM,IACL,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,cAAc,EAAE,CAAC;YAC3C,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,CAAA;YAChC,OAAO,CAAC,IAAI,CAAC;gBACX,UAAU;gBACV,GAAG,QAAQ;gBACX,gBAAgB,EAAE,IAAI,CAAC,QAAQ;gBAC/B,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;gBACtC,U
AAU,EAAE,UAAU;aACvB,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,kBAAkB,CACzB,QAA+C,EAC/C,UAA4B,EAC5B,aAA+B,EAC/B,SAA6B,EAC7B,OAAwB;IAExB,IAAI,CAAC,QAAQ;QAAE,OAAM;IAErB,MAAM,UAAU,GAAG,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;IAC5C,MAAM,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;IAE9D,IACE,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,KAAK,MAAM,EAAE,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;YACrC,IAAI,EAAE,CAAC,MAAM,KAAK,kBAAkB,EAAE,CAAC;gBACrC,OAAO,CAAC,IAAI,CAAC;oBACX,UAAU;oBACV,UAAU,EAAE,EAAE,CAAC,aAAa;oBAC5B,UAAU,EAAE,UAAU;oBACtB,GAAG,QAAQ;iBACZ,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;IACH,CAAC;SAAM,IACL,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,KAAK,MAAM,EAAE,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;YACrC,IAAI,EAAE,CAAC,MAAM,KAAK,kBAAkB,EAAE,CAAC;gBACrC,KAAK,MAAM,IAAI,IAAI,EAAE,CAAC,cAAc,EAAE,CAAC;oBACrC,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,CAAA;oBAChC,OAAO,CAAC,IAAI,CAAC;wBACX,UAAU;wBACV,gBAAgB,EAAE,IAAI,CAAC,QAAQ;wBAC/B,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;wBACpC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;wBACtC,GAAG,QAAQ;wBACX,UAAU,EAAE,UAAU;qBACvB,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,eAAe,CAAC,eAAgC;IAC9D,IAAI,eAAe,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QACzC,OAAO,EAAE,CAAA;IACX,CAAC;IAED,MAAM,YAAY,GAAmB,EAAE,CAAA;IAEvC,qBAAqB,CAAC,eAAe,CAAC,gBAAgB,EAAE,UAAU,EAAE,YAAY,CAAC,CAAA;IACjF,qBAAqB,CAAC,eAAe,CAAC,gBAAgB,EAAE,UAAU,EAAE,YAAY,CAAC,CAAA;IACjF,qBAAqB,CAAC,eAAe,CAAC,0BAA0B,EAAE,IAAI,EAAE,YAAY,CAAC,CAAA;IACrF,qBAAqB,CAAC,eAAe,CAAC,gBAAgB,EAAE,MAAM,EAAE,YAAY,CAAC,CAAA;IAC7E,iBAAiB,CAAC,eAAe,CAAC,WAAW,EAAE,KAAK,EAAE,YAAY,CAAC,CAAA;IACnE,iBAAiB,CAAC,eAAe,CAAC,WAAW,EAAE,KAAK,EAAE,YAAY,CAAC,CAAA;IAEnE,OAAO,YAAY,CAAA;AACrB,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAC5B,QAAyD,EACzD,UAAmD,EACnD,MAAsB;IAEtB,IAAI,QAAQ,EAAE,MAAM,KAAK,SAAS,IAAI,QAAQ,EAAE,MAAM,KAAK,mBAAmB;QAAE,OAAM;IACtF,KAAK
,MAAM,IAAI,IAAI,QAAQ,CAAC,eAAe,EAAE,CAAC;QAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,CAAA;QAChC,IAAI,UAAU,KAAK,UAAU,EAAE,CAAC;YAC9B,MAAM,CAAC,IAAI,CAAC;gBACV,UAAU,EAAE,UAAU;gBACtB,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;aACvC,CAAC,CAAA;QACJ,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,IAAI,CAAC;gBACV,UAAU;gBACV,gBAAgB,EAAE,IAAI,CAAC,QAAQ;gBAC/B,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;aACvC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CACxB,QAA+C,EAC/C,UAAyB,EACzB,MAAsB;IAEtB,IAAI,CAAC,QAAQ;QAAE,OAAM;IACrB,KAAK,MAAM,EAAE,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;QACrC,IAAI,EAAE,CAAC,MAAM,KAAK,SAAS;YAAE,SAAQ;QACrC,KAAK,MAAM,IAAI,IAAI,EAAE,CAAC,eAAe,EAAE,CAAC;YACtC,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,CAAA;YAChC,MAAM,CAAC,IAAI,CAAC;gBACV,UAAU;gBACV,aAAa,EAAE,EAAE,CAAC,aAAa;gBAC/B,gBAAgB,EAAE,IAAI,CAAC,QAAQ;gBAC/B,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;aACvC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;AACH,CAAC"}
|
|
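--- a/package/dist/esm/analysis/analyzeResults.d.ts
+++ b/package/dist/esm/analysis/analyzeResults.d.ts
@@ -55,7 +55,7 @@ export type RequestDenial = {
 denialType: 'Explicit';
 };
 export type RequestGrant = {
-policyType: 'identity';
+policyType: 'identity' | 'pb' | 'vpce';
 policyIdentifier: string;
 statementId?: string | undefined;
 statementIndex: number;
@@ -63,6 +63,12 @@ export type RequestGrant = {
 policyType: 'resource';
 statementId?: string | undefined;
 statementIndex: number;
+} | {
+policyType: 'scp' | 'rcp';
+orgIdentifier: string;
+policyIdentifier: string;
+statementId?: string | undefined;
+statementIndex: number;
 };
 /**
 * Find the policy statements that caused a request to be denied.
@@ -86,9 +92,6 @@ export declare function getDenialReasons(requestAnalysis: RequestAnalysis): Requ
 * Find the policy statements that granted access for an allowed request.
 * Analyzes the RequestAnalysis and returns the specific grants that allowed the request.
 *
-* Only identity and resource policies can grant access. SCPs, RCPs, permission boundaries,
-* and endpoint policies can only deny (not grant).
-*
 * @param requestAnalysis the request analysis
 * @returns a list of RequestGrant objects describing which policies granted access
 */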
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"analyzeResults.d.ts","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,aAAa,EAIlB,KAAK,eAAe,EAGrB,MAAM,gBAAgB,CAAA;AAEvB;;;;;GAKG;AACH,wBAAgB,2BAA2B,CAAC,eAAe,EAAE,eAAe,GAAG,OAAO,CAOrF;AAED,MAAM,MAAM,gBAAgB,GAAG,aAAa,CAAA;AAE5C,MAAM,MAAM,aAAa,GACrB;IACE;;OAEG;IACH,UAAU,EAAE,gBAAgB,CAAA;IAE5B;;OAEG;IACH,QAAQ,CAAC,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IAEnB;;OAEG;IACH,UAAU,EAAE,UAAU,CAAA;CACvB,GACD;IACE;;OAEG;IACH,UAAU,EAAE,gBAAgB,CAAA;IAE5B;;OAEG;IACH,QAAQ,CAAC,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAA;IAEzB;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAEhC;;OAEG;IACH,cAAc,EAAE,MAAM,CAAA;IAEtB;;OAEG;IACH,UAAU,EAAE,UAAU,CAAA;CACvB,CAAA;AAEL,MAAM,MAAM,YAAY,GACpB;IACE,UAAU,EAAE,UAAU,CAAA;
|
|
1
|
+
{"version":3,"file":"analyzeResults.d.ts","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,aAAa,EAIlB,KAAK,eAAe,EAGrB,MAAM,gBAAgB,CAAA;AAEvB;;;;;GAKG;AACH,wBAAgB,2BAA2B,CAAC,eAAe,EAAE,eAAe,GAAG,OAAO,CAOrF;AAED,MAAM,MAAM,gBAAgB,GAAG,aAAa,CAAA;AAE5C,MAAM,MAAM,aAAa,GACrB;IACE;;OAEG;IACH,UAAU,EAAE,gBAAgB,CAAA;IAE5B;;OAEG;IACH,QAAQ,CAAC,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IAEnB;;OAEG;IACH,UAAU,EAAE,UAAU,CAAA;CACvB,GACD;IACE;;OAEG;IACH,UAAU,EAAE,gBAAgB,CAAA;IAE5B;;OAEG;IACH,QAAQ,CAAC,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAA;IAEzB;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAEhC;;OAEG;IACH,cAAc,EAAE,MAAM,CAAA;IAEtB;;OAEG;IACH,UAAU,EAAE,UAAU,CAAA;CACvB,CAAA;AAEL,MAAM,MAAM,YAAY,GACpB;IACE,UAAU,EAAE,UAAU,GAAG,IAAI,GAAG,MAAM,CAAA;IACtC,gBAAgB,EAAE,MAAM,CAAA;IACxB,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAChC,cAAc,EAAE,MAAM,CAAA;CACvB,GACD;IACE,UAAU,EAAE,UAAU,CAAA;IACtB,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAChC,cAAc,EAAE,MAAM,CAAA;CACvB,GACD;IACE,UAAU,EAAE,KAAK,GAAG,KAAK,CAAA;IACzB,aAAa,EAAE,MAAM,CAAA;IACrB,gBAAgB,EAAE,MAAM,CAAA;IACxB,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAChC,cAAc,EAAE,MAAM,CAAA;CACvB,CAAA;AAEL;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,gBAAgB,CAAC,eAAe,EAAE,eAAe,GAAG,aAAa,EAAE,CAqClF;AAiGD;;;;;;GAMG;AACH,wBAAgB,eAAe,CAAC,eAAe,EAAE,eAAe,GAAG,YAAY,EAAE,CAehF"}
|
|
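--- a/package/dist/esm/analysis/analyzeResults.js
+++ b/package/dist/esm/analysis/analyzeResults.js
@@ -118,9 +118,6 @@ function addOuPolicyDenials(analysis, policyType, overallResult, blockedBy, deni
 * Find the policy statements that granted access for an allowed request.
 * Analyzes the RequestAnalysis and returns the specific grants that allowed the request.
 *
-* Only identity and resource policies can grant access. SCPs, RCPs, permission boundaries,
-* and endpoint policies can only deny (not grant).
-*
 * @param requestAnalysis the request analysis
 * @returns a list of RequestGrant objects describing which policies granted access
 */
@@ -129,28 +126,58 @@ export function getGrantReasons(requestAnalysis) {
 return [];
 }
 const grantDetails = [];
-
-
-
-
-
+addSimplePolicyGrants(requestAnalysis.identityAnalysis, 'identity', grantDetails);
+addSimplePolicyGrants(requestAnalysis.resourceAnalysis, 'resource', grantDetails);
+addSimplePolicyGrants(requestAnalysis.permissionBoundaryAnalysis, 'pb', grantDetails);
+addSimplePolicyGrants(requestAnalysis.endpointAnalysis, 'vpce', grantDetails);
+addOuPolicyGrants(requestAnalysis.scpAnalysis, 'scp', grantDetails);
+addOuPolicyGrants(requestAnalysis.rcpAnalysis, 'rcp', grantDetails);
+return grantDetails;
+}
+/**
+* Helper for simple policy grants (identity, resource, pb, vpce).
+*/
+function addSimplePolicyGrants(analysis, policyType, grants) {
+if (analysis?.result !== 'Allowed' && analysis?.result !== 'AllowedForAccount')
+return;
+for (const stmt of analysis.allowStatements) {
+const sid = stmt.statement.sid();
+if (policyType === 'resource') {
+grants.push({
+policyType: 'resource',
+...(sid ? { statementId: sid } : {}),
+statementIndex: stmt.statement.index()
+});
+}
+else {
+grants.push({
+policyType,
 policyIdentifier: stmt.policyId,
 ...(sid ? { statementId: sid } : {}),
 statementIndex: stmt.statement.index()
 });
 }
 }
-
-
-
+}
+/**
+* Helper for OU-based policy grants (scp, rcp).
+*/
+function addOuPolicyGrants(analysis, policyType, grants) {
+if (!analysis)
+return;
+for (const ou of analysis.ouAnalysis) {
+if (ou.result !== 'Allowed')
+continue;
+for (const stmt of ou.allowStatements) {
 const sid = stmt.statement.sid();
-
-policyType
+grants.push({
+policyType,
+orgIdentifier: ou.orgIdentifier,
+policyIdentifier: stmt.policyId,
 ...(sid ? { statementId: sid } : {}),
 statementIndex: stmt.statement.index()
 });
 }
 }
-return grantDetails;
 }
 //# sourceMappingURL=analyzeResults.js.map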
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"analyzeResults.js","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":"AAAA,OAAO,EAQN,MAAM,gBAAgB,CAAA;AAEvB;;;;;GAKG;AACH,MAAM,UAAU,2BAA2B,CAAC,eAAgC;IAC1E,MAAM,gBAAgB,GAAG,eAAe,CAAC,gBAAgB,CAAA;IACzD,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,OAAO,KAAK,CAAA;IACd,CAAC;IAED,OAAO,gBAAgB,CAAC,MAAM,KAAK,SAAS,CAAA;AAC9C,CAAC;
|
|
1
|
+
{"version":3,"file":"analyzeResults.js","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":"AAAA,OAAO,EAQN,MAAM,gBAAgB,CAAA;AAEvB;;;;;GAKG;AACH,MAAM,UAAU,2BAA2B,CAAC,eAAgC;IAC1E,MAAM,gBAAgB,GAAG,eAAe,CAAC,gBAAgB,CAAA;IACzD,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,OAAO,KAAK,CAAA;IACd,CAAC;IAED,OAAO,gBAAgB,CAAC,MAAM,KAAK,SAAS,CAAA;AAC9C,CAAC;AAkFD;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,gBAAgB,CAAC,eAAgC;IAC/D,MAAM,OAAO,GAAoB,EAAE,CAAA;IACnC,MAAM,aAAa,GAAG,eAAe,CAAC,MAAM,CAAA;IAC5C,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,eAAe,CAAC,SAAS,IAAI,EAAE,CAAC,CAAA;IAE1D,sBAAsB,CACpB,eAAe,CAAC,gBAAgB,EAChC,UAAU,EACV,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IACD,sBAAsB,CACpB,eAAe,CAAC,gBAAgB,EAChC,UAAU,EACV,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IACD,kBAAkB,CAAC,eAAe,CAAC,WAAW,EAAE,KAAK,EAAE,aAAa,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;IACzF,kBAAkB,CAAC,eAAe,CAAC,WAAW,EAAE,KAAK,EAAE,aAAa,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;IACzF,sBAAsB,CACpB,eAAe,CAAC,0BAA0B,EAC1C,IAAI,EACJ,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IACD,sBAAsB,CACpB,eAAe,CAAC,gBAAgB,EAChC,MAAM,EACN,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IAED,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;;GAGG;AACH,SAAS,sBAAsB,CAC7B,QAAyD,EACzD,UAA4B,EAC5B,aAA+B,EAC/B,SAA6B,EAC7B,OAAwB;IAExB,IAAI,CAAC,QAAQ;QAAE,OAAM;IAErB,MAAM,UAAU,GAAG,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;IAC5C,MAAM,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;IAE9D,IACE,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,OAAO,CAAC,IAAI,CAAC;YACX,UAAU;YACV,UAAU,EAAE,UAAU;YACtB,GAAG,QAAQ;SACZ,CAAC,CAAA;IACJ,CAAC;SAAM,IACL,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,cAAc,EAAE,CAAC;YAC3C,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,CAAA;YAChC,OAAO,CAAC,IAAI,CAAC;gBACX,UAAU;gBACV,GAAG,QAAQ;gBACX,gBAAgB,EAAE,IAAI,CAAC,QAAQ;gBAC/B,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;gBACtC,
UAAU,EAAE,UAAU;aACvB,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,kBAAkB,CACzB,QAA+C,EAC/C,UAA4B,EAC5B,aAA+B,EAC/B,SAA6B,EAC7B,OAAwB;IAExB,IAAI,CAAC,QAAQ;QAAE,OAAM;IAErB,MAAM,UAAU,GAAG,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;IAC5C,MAAM,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;IAE9D,IACE,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,KAAK,MAAM,EAAE,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;YACrC,IAAI,EAAE,CAAC,MAAM,KAAK,kBAAkB,EAAE,CAAC;gBACrC,OAAO,CAAC,IAAI,CAAC;oBACX,UAAU;oBACV,UAAU,EAAE,EAAE,CAAC,aAAa;oBAC5B,UAAU,EAAE,UAAU;oBACtB,GAAG,QAAQ;iBACZ,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;IACH,CAAC;SAAM,IACL,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,KAAK,MAAM,EAAE,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;YACrC,IAAI,EAAE,CAAC,MAAM,KAAK,kBAAkB,EAAE,CAAC;gBACrC,KAAK,MAAM,IAAI,IAAI,EAAE,CAAC,cAAc,EAAE,CAAC;oBACrC,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,CAAA;oBAChC,OAAO,CAAC,IAAI,CAAC;wBACX,UAAU;wBACV,gBAAgB,EAAE,IAAI,CAAC,QAAQ;wBAC/B,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;wBACpC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;wBACtC,GAAG,QAAQ;wBACX,UAAU,EAAE,UAAU;qBACvB,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,eAAe,CAAC,eAAgC;IAC9D,IAAI,eAAe,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QACzC,OAAO,EAAE,CAAA;IACX,CAAC;IAED,MAAM,YAAY,GAAmB,EAAE,CAAA;IAEvC,qBAAqB,CAAC,eAAe,CAAC,gBAAgB,EAAE,UAAU,EAAE,YAAY,CAAC,CAAA;IACjF,qBAAqB,CAAC,eAAe,CAAC,gBAAgB,EAAE,UAAU,EAAE,YAAY,CAAC,CAAA;IACjF,qBAAqB,CAAC,eAAe,CAAC,0BAA0B,EAAE,IAAI,EAAE,YAAY,CAAC,CAAA;IACrF,qBAAqB,CAAC,eAAe,CAAC,gBAAgB,EAAE,MAAM,EAAE,YAAY,CAAC,CAAA;IAC7E,iBAAiB,CAAC,eAAe,CAAC,WAAW,EAAE,KAAK,EAAE,YAAY,CAAC,CAAA;IACnE,iBAAiB,CAAC,eAAe,CAAC,WAAW,EAAE,KAAK,EAAE,YAAY,CAAC,CAAA;IAEnE,OAAO,YAAY,CAAA;AACrB,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAC5B,QAAyD,EACzD,UAAmD,EACnD,MAAsB;IAEtB,IAAI,QAAQ,EAAE,MAAM,KAAK,SAAS,IAAI,QAAQ,EAAE,MAAM,KAAK,mBAAmB;QAAE,OAAM;IACtF
,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,eAAe,EAAE,CAAC;QAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,CAAA;QAChC,IAAI,UAAU,KAAK,UAAU,EAAE,CAAC;YAC9B,MAAM,CAAC,IAAI,CAAC;gBACV,UAAU,EAAE,UAAU;gBACtB,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;aACvC,CAAC,CAAA;QACJ,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,IAAI,CAAC;gBACV,UAAU;gBACV,gBAAgB,EAAE,IAAI,CAAC,QAAQ;gBAC/B,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;aACvC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CACxB,QAA+C,EAC/C,UAAyB,EACzB,MAAsB;IAEtB,IAAI,CAAC,QAAQ;QAAE,OAAM;IACrB,KAAK,MAAM,EAAE,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;QACrC,IAAI,EAAE,CAAC,MAAM,KAAK,SAAS;YAAE,SAAQ;QACrC,KAAK,MAAM,IAAI,IAAI,EAAE,CAAC,eAAe,EAAE,CAAC;YACtC,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,CAAA;YAChC,MAAM,CAAC,IAAI,CAAC;gBACV,UAAU;gBACV,aAAa,EAAE,EAAE,CAAC,aAAa;gBAC/B,gBAAgB,EAAE,IAAI,CAAC,QAAQ;gBAC/B,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;aACvC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;AACH,CAAC"}
|