@cloud-copilot/iam-simulate 0.1.118 → 0.1.120
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/services/DefaultServiceAuthorizer.d.ts.map +1 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.js +15 -11
- package/dist/cjs/services/DefaultServiceAuthorizer.js.map +1 -1
- package/dist/esm/services/DefaultServiceAuthorizer.d.ts.map +1 -1
- package/dist/esm/services/DefaultServiceAuthorizer.js +15 -11
- package/dist/esm/services/DefaultServiceAuthorizer.js.map +1 -1
- package/package.json +1 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAOA,OAAO,EAGL,KAAK,eAAe,EACpB,KAAK,gBAAgB,EACtB,MAAM,gBAAgB,CAAA;AACvB,OAAO,EAAE,KAAK,eAAe,EAAE,MAAM,+BAA+B,CAAA;AACpE,OAAO,EAAE,KAAK,2BAA2B,EAAE,KAAK,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAuEjG;;GAEG;AACH,qBAAa,wBAAyB,YAAW,iBAAiB;IAChE;;;;;OAKG;IACI,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe;
|
|
1
|
+
{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAOA,OAAO,EAGL,KAAK,eAAe,EACpB,KAAK,gBAAgB,EACtB,MAAM,gBAAgB,CAAA;AACvB,OAAO,EAAE,KAAK,eAAe,EAAE,MAAM,+BAA+B,CAAA;AACpE,OAAO,EAAE,KAAK,2BAA2B,EAAE,KAAK,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAuEjG;;GAEG;AACH,qBAAa,wBAAyB,YAAW,iBAAiB;IAChE;;;;;OAKG;IACI,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe;IAyIvE;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAW,EAAE,OAAO,EACpB,gBAAgB,EAAE,gBAAgB,EAClC,QAAQ,EAAE,eAAe,GACxB,OAAO;IAUV;;;;;;;;;;;;;;OAcG;IACH,OAAO,CAAC,uBAAuB;CA+ChC"}
|
|
@@ -128,24 +128,28 @@ class DefaultServiceAuthorizer {
|
|
|
128
128
|
*/
|
|
129
129
|
if (resourcePolicyResult === 'Allowed') {
|
|
130
130
|
const principal = request.request.principal.value();
|
|
131
|
-
if ((0, iam_utils_1.
|
|
132
|
-
request.simulationParameters.simulationMode === 'Discovery') {
|
|
133
|
-
// Principal is a role and may match a session. Check since we are in Discovery mode.
|
|
134
|
-
if (!request.resourceAnalysis.allowStatements.some((statement) => statement.principalMatch === 'Match' && statement.ignoredRoleSessionName)) {
|
|
135
|
-
blockedByLog.add('pb', 'ImplicitlyDenied');
|
|
136
|
-
}
|
|
137
|
-
}
|
|
138
|
-
else if ((0, iam_utils_1.isAssumedRoleArn)(principal) ||
|
|
131
|
+
if ((0, iam_utils_1.isAssumedRoleArn)(principal) ||
|
|
139
132
|
(0, iam_utils_1.isIamUserArn)(principal) ||
|
|
140
133
|
(0, iam_utils_1.isFederatedUserArn)(principal)) {
|
|
141
|
-
// If the
|
|
142
|
-
//
|
|
134
|
+
// If the resource policy allows the principal directly (including via a wildcard Principal),
|
|
135
|
+
// the permission boundary implicit deny does not apply for same-account requests.
|
|
143
136
|
if (!request.resourceAnalysis.allowStatements.some((statement) => statement.principalMatch === 'Match')) {
|
|
144
137
|
blockedByLog.add('pb', 'ImplicitlyDenied');
|
|
145
138
|
}
|
|
146
139
|
}
|
|
140
|
+
else if ((0, iam_utils_1.isIamRoleArn)(principal)) {
|
|
141
|
+
// For IAM role ARNs, the permission boundary implicit deny is bypassed if
|
|
142
|
+
// * The resource policy grants access via a wildcard principal ("*"), or
|
|
143
|
+
// * In discovery mode when a session ARN in the resource policy was matched by ignoring the session name.
|
|
144
|
+
if (!request.resourceAnalysis.allowStatements.some((statement) => statement.principalMatch === 'Match' &&
|
|
145
|
+
(statement.ignoredRoleSessionName ||
|
|
146
|
+
(statement.statement.isPrincipalStatement() &&
|
|
147
|
+
statement.statement.principals().some((p) => p.isWildcardPrincipal()))))) {
|
|
148
|
+
blockedByLog.add('pb', 'ImplicitlyDenied');
|
|
149
|
+
}
|
|
150
|
+
}
|
|
147
151
|
else {
|
|
148
|
-
//
|
|
152
|
+
// Service principals or other principal types: permission boundary implicit deny applies.
|
|
149
153
|
blockedByLog.add('pb', 'ImplicitlyDenied');
|
|
150
154
|
}
|
|
151
155
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":";;;AAAA,wDAMiC;AAUjC;;;GAGG;AACH,MAAM,YAAY;IASa;IARrB,SAAS,GAAuB,IAAI,GAAG,EAAE,CAAA;IACzC,MAAM,CAAkB;IAEhC;;;;OAIG;IACH,YAA6B,UAA4B;QAA5B,eAAU,GAAV,UAAU,CAAkB;QACvD,IAAI,CAAC,MAAM,GAAG,UAAU,CAAA;IAC1B,CAAC;IAED;;;;;OAKG;IACH,GAAG,CAAC,MAAqB,EAAE,MAAwB;QACjD,IAAI,IAAI,CAAC,UAAU,KAAK,SAAS,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YAC1D,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAC5B,CAAC;QAED,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAA;IACxB,CAAC;IAED;;;;;;OAMG;IACK,SAAS,CAAC,SAA2B;QAC3C,sCAAsC;QACtC,IAAI,IAAI,CAAC,MAAM,KAAK,kBAAkB,EAAE,CAAC;YACvC,OAAM;QACR,CAAC;QACD,IAAI,SAAS,KAAK,kBAAkB,EAAE,CAAC;YACrC,IAAI,CAAC,MAAM,GAAG,kBAAkB,CAAA;QAClC,CAAC;aAAM,IAAI,SAAS,KAAK,kBAAkB,EAAE,CAAC;YAC5C,IAAI,CAAC,MAAM,GAAG,kBAAkB,CAAA;QAClC,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,SAAS;QACP,OAAO,IAAI,CAAC,MAAM,CAAA;IACpB,CAAC;IAED;;;;OAIG;IACH,YAAY;QACV,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;IACnC,CAAC;CACF;AAED;;GAEG;AACH,MAAa,wBAAwB;IACnC;;;;;OAKG;IACI,SAAS,CAAC,OAAoC;QACnD,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,uBAAuB,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAA;QAC/D,MAAM,oBAAoB,GAAG,OAAO,CAAC,gBAAgB,EAAE,MAAM,CAAA;QAC7D,MAAM,wBAAwB,GAAG,OAAO,CAAC,0BAA0B,EAAE,MAAM,CAAA;QAC3E,MAAM,oBAAoB,GAAG,OAAO,CAAC,gBAAgB,EAAE,MAAM,CAAA;QAE7D,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;QAC7D,MAAM,WAAW,GAAG,gBAAgB,KAAK,eAAe,CAAA;QAExD,MAAM,UAAU,GAWZ;YACF,WAAW;YACX,eAAe,EAAE,OAAO,CAAC,eAAe;YACxC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,0BAA0B,EAAE,OAAO,CAAC,0BAA0B;YAC9D,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;SAC3C,CAAA;QAED,MAAM,UAAU,GAAG,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC,CAAA;QACxD,MAAM,YAAY,GAAG,IAAI,YAAY,CAAC,UAAU,CAAC,CAAA;QAEjD,YAAY,CAAC,GAAG,CAAC,KAAK,EAAE,SAAS,CAAC,CAAA;QAClC,YAAY,CAAC,GAAG,CAAC,KAAK,EAAE,SAAS,CAAC,CAAA;QAElC,IACE,oBAAoB,KAAK,kBAAkB;YAC3C,oBAAoB,KAAK,kBAAkB,EAC3C,CAAC;YACD,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAA;QAChD,CAAC;QAED,IACE,oBAAoB,KAAK,kBAAkB;YAC3C,oBAAoB,KAAK,kBAAkB,EAC3C,CAAC;YACD,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,kBAAkB,CAAC,CAAA;QAClD,CAAC;QAED,IAAI,uBAAuB,KAAK,kBAAkB,EAAE,CAAC;YACnD,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,kBAAkB,CAAC,CAAA;QAClD,CAAC;QAED,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACpD,YAAY,CAAC,GAAG,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAA;QAC5C,CAAC;QAED,cAAc;QACd,IAAI,WAAW,EAAE,CAAC;YAChB,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;gBACpD;;;;;;;mBAOG;gBACH,IAAI,oBAAoB,KAAK,SAAS,EAAE,CAAC;oBACvC,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;oBACnD,IACE,IAAA,
|
|
1
|
+
{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":";;;AAAA,wDAMiC;AAUjC;;;GAGG;AACH,MAAM,YAAY;IASa;IARrB,SAAS,GAAuB,IAAI,GAAG,EAAE,CAAA;IACzC,MAAM,CAAkB;IAEhC;;;;OAIG;IACH,YAA6B,UAA4B;QAA5B,eAAU,GAAV,UAAU,CAAkB;QACvD,IAAI,CAAC,MAAM,GAAG,UAAU,CAAA;IAC1B,CAAC;IAED;;;;;OAKG;IACH,GAAG,CAAC,MAAqB,EAAE,MAAwB;QACjD,IAAI,IAAI,CAAC,UAAU,KAAK,SAAS,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YAC1D,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAC5B,CAAC;QAED,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAA;IACxB,CAAC;IAED;;;;;;OAMG;IACK,SAAS,CAAC,SAA2B;QAC3C,sCAAsC;QACtC,IAAI,IAAI,CAAC,MAAM,KAAK,kBAAkB,EAAE,CAAC;YACvC,OAAM;QACR,CAAC;QACD,IAAI,SAAS,KAAK,kBAAkB,EAAE,CAAC;YACrC,IAAI,CAAC,MAAM,GAAG,kBAAkB,CAAA;QAClC,CAAC;aAAM,IAAI,SAAS,KAAK,kBAAkB,EAAE,CAAC;YAC5C,IAAI,CAAC,MAAM,GAAG,kBAAkB,CAAA;QAClC,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,SAAS;QACP,OAAO,IAAI,CAAC,MAAM,CAAA;IACpB,CAAC;IAED;;;;OAIG;IACH,YAAY;QACV,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;IACnC,CAAC;CACF;AAED;;GAEG;AACH,MAAa,wBAAwB;IACnC;;;;;OAKG;IACI,SAAS,CAAC,OAAoC;QACnD,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,uBAAuB,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAA;QAC/D,MAAM,oBAAoB,GAAG,OAAO,CAAC,gBAAgB,EAAE,MAAM,CAAA;QAC7D,MAAM,wBAAwB,GAAG,OAAO,CAAC,0BAA0B,EAAE,MAAM,CAAA;QAC3E,MAAM,oBAAoB,GAAG,OAAO,CAAC,gBAAgB,EAAE,MAAM,CAAA;QAE7D,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;QAC7D,MAAM,WAAW,GAAG,gBAAgB,KAAK,eAAe,CAAA;QAExD,MAAM,UAAU,GAWZ;YACF,WAAW;YACX,eAAe,EAAE,OAAO,CAAC,eAAe;YACxC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,0BAA0B,EAAE,OAAO,CAAC,0BAA0B;YAC9D,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;SAC3C,CAAA;QAED,MAAM,UAAU,GAAG,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC,CAAA;QACxD,MAAM,YAAY,GAAG,IAAI,YAAY,CAAC,UAAU,CAAC,CAAA;QAEjD,YAAY,CAAC,GAAG,CAAC,KAAK,EAAE,SAAS,CAAC,CAAA;QAClC,YAAY,CAAC,GAAG,CAAC,KAAK,EAAE,SAAS,CAAC,CAAA;QAElC,IACE,oBAAoB,KAAK,kBAAkB;YAC3C,oBAAoB,KAAK,kBAAkB,EAC3C,CAAC;YACD,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAA;QAChD,CAAC;QAED,IACE,oBAAoB,KAAK,kBAAkB;YAC3C,oBAAoB,KAAK,kBAAkB,EAC3C,CAAC;YACD,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,kBAAkB,CAAC,CAAA;QAClD,CAAC;QAED,IAAI,uBAAuB,KAAK,kBAAkB,EAAE,CAAC;YACnD,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,kBAAkB,CAAC,CAAA;QAClD,CAAC;QAED,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACpD,YAAY,CAAC,GAAG,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAA;QAC5C,CAAC;QAED,cAAc;QACd,IAAI,WAAW,EAAE,CAAC;YAChB,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;gBACpD;;;;;;;mBAOG;gBACH,IAAI,oBAAoB,KAAK,SAAS,EAAE,CAAC;oBACvC,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;oBACnD,IACE,IAAA,4BAAgB,EAAC,SAAS,CAAC;wBAC3B,IAAA,wBAAY,EAAC,SAAS,CAAC;wBACvB,IAAA,8BAAkB,EAAC,SAAS,CAAC,EAC7B,CAAC;wBACD,6FAA6F;wBAC7F,kFAAkF;wBAClF,IACE,CAAC,OAAO,CAAC,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC5C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,OAAO,CACpD,EACD,CAAC;4BACD,YAAY,CAAC,GAAG,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAA;wBAC5C,CAAC;oBACH,CAAC;yBAAM,IAAI,IAAA,wBAAY,EAAC,SAAS,CAAC,EAAE,CAAC;wBACnC,0EAA0E;wBAC1E,yEAAyE;wBACzE,0GAA0G;wBAC1G,IACE,CAAC,OAAO,CAAC,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC5C,CAAC,SAAS,EAAE,EAAE,CACZ,SAAS,CAAC,cAAc,KAAK,OAAO;4BACpC,CAAC,SAAS,CAAC,sBAAsB;gCAC/B,CAAC,SAAS,CAAC,SAAS,CAAC,oBAAoB,EAAE;oCACzC,SAAS,CAAC,SAAS,CAAC,UAAU,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,mBAAmB,EAAE,CAAC,CAAC,CAAC,CAC9E,EACD,CAAC;4BACD,YAAY,CAAC,GAAG,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAA;wBAC5C,CAAC;oBACH,CAAC;yBAAM,CAAC;wBACN,0FAA0F;wBAC1F,YAAY,CAAC,GAAG,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAA;oBAC5C,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,iGAAiG;oBACjG,YAAY,CAAC,GAAG,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAA;gBAC5C,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,eAAe;YACf,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;gBACpD,YAAY,CAAC,GAAG,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAA;YAC5C,CAAC;QACH,CAAC;QAED,MAAM,cAAc,GAAG,YAAY,CAAC,YAAY,EAAE,CAAA;QAClD,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAChC,UAAU,CAAC,SAAS,GAAG,cAAc,CAAA;QACvC,CAAC;QAED,OAAO;YACL,MAAM,EAAE,YAAY,CAAC,SAAS,EAAE;YAChC,GAAG,UAAU;SACd,CAAA;QAED;;;;WAIG;IACL,CAAC;IAED;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAoB,EACpB,gBAAkC,EAClC,QAAyB;QAEzB,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,IAAI,CAAA;QACb,CAAC;QAED,OAAO,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC1C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,mBAAmB,CAChE,CAAA;IACH,CAAC;IAED;;;;;;;;;;;;;;OAcG;IACK,uBAAuB,CAAC,OAAoC;QAClE,MAAM,aAAa,GAAG,OAAO,CAAC,eAAe,EAAE,MAAM,CAAA;QACrD,MAAM,uBAAuB,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAA;QAC/D,MAAM,oBAAoB,GAAG,OAAO,CAAC,gBAAgB,EAAE,MAAM,CAAA;QAE7D,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;QAC7D,MAAM,WAAW,GAAG,gBAAgB,KAAK,eAAe,CAAA;QAExD,IAAI,aAAa,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;YACjD,OAAO,aAAa,CAAA;QACtB,CAAC;QAED,qBAAqB;QACrB,IAAI,IAAA,8BAAkB,EAAC,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC;YAC1D,oEAAoE;YACpE,IAAI,oBAAoB,KAAK,SAAS,EAAE,CAAC;gBACvC,OAAO,SAAS,CAAA;YAClB,CAAC;YACD,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,cAAc;QACd,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,cAAc,GAAG,IAAI,CAAC,6BAA6B,CACvD,WAAW,EACX,OAAO,CAAC,gBAAgB,EACxB,OAAO,CAAC,OAAO,CAAC,QAAQ,CACzB,CAAA;YACD,IACE,oBAAoB,KAAK,SAAS;gBAClC,CAAC,cAAc,IAAI,uBAAuB,KAAK,SAAS,CAAC,EACzD,CAAC;gBACD,OAAO,SAAS,CAAA;YAClB,CAAC;YACD,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,eAAe;QACf,IAAI,oBAAoB,KAAK,SAAS,IAAI,oBAAoB,KAAK,mBAAmB,EAAE,CAAC;YACvF,IAAI,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBAC1C,OAAO,SAAS,CAAA;YAClB,CAAC;QACH,CAAC;QAED,OAAO,kBAAkB,CAAA;IAC3B,CAAC;CACF;AAnOD,4DAmOC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAOA,OAAO,EAGL,KAAK,eAAe,EACpB,KAAK,gBAAgB,EACtB,MAAM,gBAAgB,CAAA;AACvB,OAAO,EAAE,KAAK,eAAe,EAAE,MAAM,+BAA+B,CAAA;AACpE,OAAO,EAAE,KAAK,2BAA2B,EAAE,KAAK,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAuEjG;;GAEG;AACH,qBAAa,wBAAyB,YAAW,iBAAiB;IAChE;;;;;OAKG;IACI,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe;
|
|
1
|
+
{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAOA,OAAO,EAGL,KAAK,eAAe,EACpB,KAAK,gBAAgB,EACtB,MAAM,gBAAgB,CAAA;AACvB,OAAO,EAAE,KAAK,eAAe,EAAE,MAAM,+BAA+B,CAAA;AACpE,OAAO,EAAE,KAAK,2BAA2B,EAAE,KAAK,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAuEjG;;GAEG;AACH,qBAAa,wBAAyB,YAAW,iBAAiB;IAChE;;;;;OAKG;IACI,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe;IAyIvE;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAW,EAAE,OAAO,EACpB,gBAAgB,EAAE,gBAAgB,EAClC,QAAQ,EAAE,eAAe,GACxB,OAAO;IAUV;;;;;;;;;;;;;;OAcG;IACH,OAAO,CAAC,uBAAuB;CA+ChC"}
|
|
@@ -126,24 +126,28 @@ export class DefaultServiceAuthorizer {
|
|
|
126
126
|
*/
|
|
127
127
|
if (resourcePolicyResult === 'Allowed') {
|
|
128
128
|
const principal = request.request.principal.value();
|
|
129
|
-
if (
|
|
130
|
-
request.simulationParameters.simulationMode === 'Discovery') {
|
|
131
|
-
// Principal is a role and may match a session. Check since we are in Discovery mode.
|
|
132
|
-
if (!request.resourceAnalysis.allowStatements.some((statement) => statement.principalMatch === 'Match' && statement.ignoredRoleSessionName)) {
|
|
133
|
-
blockedByLog.add('pb', 'ImplicitlyDenied');
|
|
134
|
-
}
|
|
135
|
-
}
|
|
136
|
-
else if (isAssumedRoleArn(principal) ||
|
|
129
|
+
if (isAssumedRoleArn(principal) ||
|
|
137
130
|
isIamUserArn(principal) ||
|
|
138
131
|
isFederatedUserArn(principal)) {
|
|
139
|
-
// If the
|
|
140
|
-
//
|
|
132
|
+
// If the resource policy allows the principal directly (including via a wildcard Principal),
|
|
133
|
+
// the permission boundary implicit deny does not apply for same-account requests.
|
|
141
134
|
if (!request.resourceAnalysis.allowStatements.some((statement) => statement.principalMatch === 'Match')) {
|
|
142
135
|
blockedByLog.add('pb', 'ImplicitlyDenied');
|
|
143
136
|
}
|
|
144
137
|
}
|
|
138
|
+
else if (isIamRoleArn(principal)) {
|
|
139
|
+
// For IAM role ARNs, the permission boundary implicit deny is bypassed if
|
|
140
|
+
// * The resource policy grants access via a wildcard principal ("*"), or
|
|
141
|
+
// * In discovery mode when a session ARN in the resource policy was matched by ignoring the session name.
|
|
142
|
+
if (!request.resourceAnalysis.allowStatements.some((statement) => statement.principalMatch === 'Match' &&
|
|
143
|
+
(statement.ignoredRoleSessionName ||
|
|
144
|
+
(statement.statement.isPrincipalStatement() &&
|
|
145
|
+
statement.statement.principals().some((p) => p.isWildcardPrincipal()))))) {
|
|
146
|
+
blockedByLog.add('pb', 'ImplicitlyDenied');
|
|
147
|
+
}
|
|
148
|
+
}
|
|
145
149
|
else {
|
|
146
|
-
//
|
|
150
|
+
// Service principals or other principal types: permission boundary implicit deny applies.
|
|
147
151
|
blockedByLog.add('pb', 'ImplicitlyDenied');
|
|
148
152
|
}
|
|
149
153
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAChB,kBAAkB,EAClB,YAAY,EACZ,YAAY,EACZ,kBAAkB,EACnB,MAAM,0BAA0B,CAAA;AACjC,OAAO,EAKN,MAAM,gBAAgB,CAAA;AACvB,OAAO,EAAwB,MAAM,+BAA+B,CAAA;AACpE,OAAO,EAA4D,MAAM,wBAAwB,CAAA;AAEjG;;;GAGG;AACH,MAAM,YAAY;IAIhB;;;;OAIG;IACH,YAA6B,UAA4B;QAA5B,eAAU,GAAV,UAAU,CAAkB;QARjD,cAAS,GAAuB,IAAI,GAAG,EAAE,CAAA;QAS/C,IAAI,CAAC,MAAM,GAAG,UAAU,CAAA;IAC1B,CAAC;IAED;;;;;OAKG;IACH,GAAG,CAAC,MAAqB,EAAE,MAAwB;QACjD,IAAI,IAAI,CAAC,UAAU,KAAK,SAAS,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YAC1D,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAC5B,CAAC;QAED,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAA;IACxB,CAAC;IAED;;;;;;OAMG;IACK,SAAS,CAAC,SAA2B;QAC3C,sCAAsC;QACtC,IAAI,IAAI,CAAC,MAAM,KAAK,kBAAkB,EAAE,CAAC;YACvC,OAAM;QACR,CAAC;QACD,IAAI,SAAS,KAAK,kBAAkB,EAAE,CAAC;YACrC,IAAI,CAAC,MAAM,GAAG,kBAAkB,CAAA;QAClC,CAAC;aAAM,IAAI,SAAS,KAAK,kBAAkB,EAAE,CAAC;YAC5C,IAAI,CAAC,MAAM,GAAG,kBAAkB,CAAA;QAClC,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,SAAS;QACP,OAAO,IAAI,CAAC,MAAM,CAAA;IACpB,CAAC;IAED;;;;OAIG;IACH,YAAY;QACV,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;IACnC,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,wBAAwB;IACnC;;;;;OAKG;IACI,SAAS,CAAC,OAAoC;QACnD,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,uBAAuB,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAA;QAC/D,MAAM,oBAAoB,GAAG,OAAO,CAAC,gBAAgB,EAAE,MAAM,CAAA;QAC7D,MAAM,wBAAwB,GAAG,OAAO,CAAC,0BAA0B,EAAE,MAAM,CAAA;QAC3E,MAAM,oBAAoB,GAAG,OAAO,CAAC,gBAAgB,EAAE,MAAM,CAAA;QAE7D,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;QAC7D,MAAM,WAAW,GAAG,gBAAgB,KAAK,eAAe,CAAA;QAExD,MAAM,UAAU,GAWZ;YACF,WAAW;YACX,eAAe,EAAE,OAAO,CAAC,eAAe;YACxC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,0BAA0B,EAAE,OAAO,CAAC,0BAA0B;YAC9D,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;SAC3C,CAAA;QAED,MAAM,UAAU,GAAG,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC,CAAA;QACxD,MAAM,YAAY,GAAG,IAAI,YAAY,CAAC,UAAU,CAAC,CAAA;QAEjD,YAAY,CAAC,GAAG,CAAC,KAAK,EAAE,SAAS,CAAC,CAAA;QAClC,YAAY,CAAC,GAAG,CAAC,KAAK,EAAE,SAAS,CAAC,CAAA;QAElC,IACE,oBAAoB,KAAK,kBAAkB;YAC3C,oBAAoB,KAAK,kBAAkB,EAC3C,CAAC;YACD,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAA;QAChD,CAAC;QAED,IACE,oBAAoB,KAAK,kBAAkB;YAC3C,oBAAoB,KAAK,kBAAkB,EAC3C,CAAC;YACD,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,kBAAkB,CAAC,CAAA;QAClD,CAAC;QAED,IAAI,uBAAuB,KAAK,kBAAkB,EAAE,CAAC;YACnD,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,kBAAkB,CAAC,CAAA;QAClD,CAAC;QAED,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACpD,YAAY,CAAC,GAAG,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAA;QAC5C,CAAC;QAED,cAAc;QACd,IAAI,WAAW,EAAE,CAAC;YAChB,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;gBACpD;;;;;;;mBAOG;gBACH,IAAI,oBAAoB,KAAK,SAAS,EAAE,CAAC;oBACvC,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;oBACnD,IACE,
|
|
1
|
+
{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAChB,kBAAkB,EAClB,YAAY,EACZ,YAAY,EACZ,kBAAkB,EACnB,MAAM,0BAA0B,CAAA;AACjC,OAAO,EAKN,MAAM,gBAAgB,CAAA;AACvB,OAAO,EAAwB,MAAM,+BAA+B,CAAA;AACpE,OAAO,EAA4D,MAAM,wBAAwB,CAAA;AAEjG;;;GAGG;AACH,MAAM,YAAY;IAIhB;;;;OAIG;IACH,YAA6B,UAA4B;QAA5B,eAAU,GAAV,UAAU,CAAkB;QARjD,cAAS,GAAuB,IAAI,GAAG,EAAE,CAAA;QAS/C,IAAI,CAAC,MAAM,GAAG,UAAU,CAAA;IAC1B,CAAC;IAED;;;;;OAKG;IACH,GAAG,CAAC,MAAqB,EAAE,MAAwB;QACjD,IAAI,IAAI,CAAC,UAAU,KAAK,SAAS,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YAC1D,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAC5B,CAAC;QAED,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAA;IACxB,CAAC;IAED;;;;;;OAMG;IACK,SAAS,CAAC,SAA2B;QAC3C,sCAAsC;QACtC,IAAI,IAAI,CAAC,MAAM,KAAK,kBAAkB,EAAE,CAAC;YACvC,OAAM;QACR,CAAC;QACD,IAAI,SAAS,KAAK,kBAAkB,EAAE,CAAC;YACrC,IAAI,CAAC,MAAM,GAAG,kBAAkB,CAAA;QAClC,CAAC;aAAM,IAAI,SAAS,KAAK,kBAAkB,EAAE,CAAC;YAC5C,IAAI,CAAC,MAAM,GAAG,kBAAkB,CAAA;QAClC,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,SAAS;QACP,OAAO,IAAI,CAAC,MAAM,CAAA;IACpB,CAAC;IAED;;;;OAIG;IACH,YAAY;QACV,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;IACnC,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,wBAAwB;IACnC;;;;;OAKG;IACI,SAAS,CAAC,OAAoC;QACnD,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,uBAAuB,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAA;QAC/D,MAAM,oBAAoB,GAAG,OAAO,CAAC,gBAAgB,EAAE,MAAM,CAAA;QAC7D,MAAM,wBAAwB,GAAG,OAAO,CAAC,0BAA0B,EAAE,MAAM,CAAA;QAC3E,MAAM,oBAAoB,GAAG,OAAO,CAAC,gBAAgB,EAAE,MAAM,CAAA;QAE7D,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;QAC7D,MAAM,WAAW,GAAG,gBAAgB,KAAK,eAAe,CAAA;QAExD,MAAM,UAAU,GAWZ;YACF,WAAW;YACX,eAAe,EAAE,OAAO,CAAC,eAAe;YACxC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,0BAA0B,EAAE,OAAO,CAAC,0BAA0B;YAC9D,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;SAC3C,CAAA;QAED,MAAM,UAAU,GAAG,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC,CAAA;QACxD,MAAM,YAAY,GAAG,IAAI,YAAY,CAAC,UAAU,CAAC,CAAA;QAEjD,YAAY,CAAC,GAAG,CAAC,KAAK,EAAE,SAAS,CAAC,CAAA;QAClC,YAAY,CAAC,GAAG,CAAC,KAAK,EAAE,SAAS,CAAC,CAAA;QAElC,IACE,oBAAoB,KAAK,kBAAkB;YAC3C,oBAAoB,KAAK,kBAAkB,EAC3C,CAAC;YACD,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAA;QAChD,CAAC;QAED,IACE,oBAAoB,KAAK,kBAAkB;YAC3C,oBAAoB,KAAK,kBAAkB,EAC3C,CAAC;YACD,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,kBAAkB,CAAC,CAAA;QAClD,CAAC;QAED,IAAI,uBAAuB,KAAK,kBAAkB,EAAE,CAAC;YACnD,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,kBAAkB,CAAC,CAAA;QAClD,CAAC;QAED,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACpD,YAAY,CAAC,GAAG,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAA;QAC5C,CAAC;QAED,cAAc;QACd,IAAI,WAAW,EAAE,CAAC;YAChB,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;gBACpD;;;;;;;mBAOG;gBACH,IAAI,oBAAoB,KAAK,SAAS,EAAE,CAAC;oBACvC,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;oBACnD,IACE,gBAAgB,CAAC,SAAS,CAAC;wBAC3B,YAAY,CAAC,SAAS,CAAC;wBACvB,kBAAkB,CAAC,SAAS,CAAC,EAC7B,CAAC;wBACD,6FAA6F;wBAC7F,kFAAkF;wBAClF,IACE,CAAC,OAAO,CAAC,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC5C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,OAAO,CACpD,EACD,CAAC;4BACD,YAAY,CAAC,GAAG,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAA;wBAC5C,CAAC;oBACH,CAAC;yBAAM,IAAI,YAAY,CAAC,SAAS,CAAC,EAAE,CAAC;wBACnC,0EAA0E;wBAC1E,yEAAyE;wBACzE,0GAA0G;wBAC1G,IACE,CAAC,OAAO,CAAC,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC5C,CAAC,SAAS,EAAE,EAAE,CACZ,SAAS,CAAC,cAAc,KAAK,OAAO;4BACpC,CAAC,SAAS,CAAC,sBAAsB;gCAC/B,CAAC,SAAS,CAAC,SAAS,CAAC,oBAAoB,EAAE;oCACzC,SAAS,CAAC,SAAS,CAAC,UAAU,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,mBAAmB,EAAE,CAAC,CAAC,CAAC,CAC9E,EACD,CAAC;4BACD,YAAY,CAAC,GAAG,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAA;wBAC5C,CAAC;oBACH,CAAC;yBAAM,CAAC;wBACN,0FAA0F;wBAC1F,YAAY,CAAC,GAAG,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAA;oBAC5C,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,iGAAiG;oBACjG,YAAY,CAAC,GAAG,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAA;gBAC5C,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,eAAe;YACf,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;gBACpD,YAAY,CAAC,GAAG,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAA;YAC5C,CAAC;QACH,CAAC;QAED,MAAM,cAAc,GAAG,YAAY,CAAC,YAAY,EAAE,CAAA;QAClD,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAChC,UAAU,CAAC,SAAS,GAAG,cAAc,CAAA;QACvC,CAAC;QAED,OAAO;YACL,MAAM,EAAE,YAAY,CAAC,SAAS,EAAE;YAChC,GAAG,UAAU;SACd,CAAA;QAED;;;;WAIG;IACL,CAAC;IAED;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAoB,EACpB,gBAAkC,EAClC,QAAyB;QAEzB,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,IAAI,CAAA;QACb,CAAC;QAED,OAAO,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC1C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,mBAAmB,CAChE,CAAA;IACH,CAAC;IAED;;;;;;;;;;;;;;OAcG;IACK,uBAAuB,CAAC,OAAoC;QAClE,MAAM,aAAa,GAAG,OAAO,CAAC,eAAe,EAAE,MAAM,CAAA;QACrD,MAAM,uBAAuB,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAA;QAC/D,MAAM,oBAAoB,GAAG,OAAO,CAAC,gBAAgB,EAAE,MAAM,CAAA;QAE7D,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;QAC7D,MAAM,WAAW,GAAG,gBAAgB,KAAK,eAAe,CAAA;QAExD,IAAI,aAAa,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;YACjD,OAAO,aAAa,CAAA;QACtB,CAAC;QAED,qBAAqB;QACrB,IAAI,kBAAkB,CAAC,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC;YAC1D,oEAAoE;YACpE,IAAI,oBAAoB,KAAK,SAAS,EAAE,CAAC;gBACvC,OAAO,SAAS,CAAA;YAClB,CAAC;YACD,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,cAAc;QACd,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,cAAc,GAAG,IAAI,CAAC,6BAA6B,CACvD,WAAW,EACX,OAAO,CAAC,gBAAgB,EACxB,OAAO,CAAC,OAAO,CAAC,QAAQ,CACzB,CAAA;YACD,IACE,oBAAoB,KAAK,SAAS;gBAClC,CAAC,cAAc,IAAI,uBAAuB,KAAK,SAAS,CAAC,EACzD,CAAC;gBACD,OAAO,SAAS,CAAA;YAClB,CAAC;YACD,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,eAAe;QACf,IAAI,oBAAoB,KAAK,SAAS,IAAI,oBAAoB,KAAK,mBAAmB,EAAE,CAAC;YACvF,IAAI,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBAC1C,OAAO,SAAS,CAAA;YAClB,CAAC;QACH,CAAC;QAED,OAAO,kBAAkB,CAAA;IAC3B,CAAC;CACF"}
|