@cloud-copilot/iam-simulate 0.1.12 → 0.1.13-1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/SCPAnalysis.d.ts.map +1 -1
- package/dist/cjs/StatementAnalysis.d.ts +14 -0
- package/dist/cjs/StatementAnalysis.d.ts.map +1 -1
- package/dist/cjs/StatementAnalysis.js +51 -0
- package/dist/cjs/StatementAnalysis.js.map +1 -1
- package/dist/cjs/action/action.d.ts +13 -3
- package/dist/cjs/action/action.d.ts.map +1 -1
- package/dist/cjs/action/action.js +43 -21
- package/dist/cjs/action/action.js.map +1 -1
- package/dist/cjs/condition/condition.d.ts +7 -3
- package/dist/cjs/condition/condition.d.ts.map +1 -1
- package/dist/cjs/condition/condition.js +138 -27
- package/dist/cjs/condition/condition.js.map +1 -1
- package/dist/cjs/core_engine/coreSimulatorEngine.d.ts +9 -11
- package/dist/cjs/core_engine/coreSimulatorEngine.d.ts.map +1 -1
- package/dist/cjs/core_engine/coreSimulatorEngine.js +136 -26
- package/dist/cjs/core_engine/coreSimulatorEngine.js.map +1 -1
- package/dist/cjs/evaluate.d.ts +46 -0
- package/dist/cjs/evaluate.d.ts.map +1 -1
- package/dist/cjs/explain/displayExplainCli.d.ts +3 -0
- package/dist/cjs/explain/displayExplainCli.d.ts.map +1 -0
- package/dist/cjs/explain/displayExplainCli.js +145 -0
- package/dist/cjs/explain/displayExplainCli.js.map +1 -0
- package/dist/cjs/explain/statementExplain.d.ts +50 -0
- package/dist/cjs/explain/statementExplain.d.ts.map +1 -0
- package/dist/cjs/explain/statementExplain.js +7 -0
- package/dist/cjs/explain/statementExplain.js.map +1 -0
- package/dist/cjs/index.d.ts +1 -0
- package/dist/cjs/index.d.ts.map +1 -1
- package/dist/cjs/index.js.map +1 -1
- package/dist/cjs/principal/principal.d.ts +14 -4
- package/dist/cjs/principal/principal.d.ts.map +1 -1
- package/dist/cjs/principal/principal.js +101 -33
- package/dist/cjs/principal/principal.js.map +1 -1
- package/dist/cjs/resource/resource.d.ts +13 -3
- package/dist/cjs/resource/resource.d.ts.map +1 -1
- package/dist/cjs/resource/resource.js +66 -14
- package/dist/cjs/resource/resource.js.map +1 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.d.ts +2 -34
- package/dist/cjs/services/DefaultServiceAuthorizer.d.ts.map +1 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.js +43 -127
- package/dist/cjs/services/DefaultServiceAuthorizer.js.map +1 -1
- package/dist/cjs/services/ServiceAuthorizer.d.ts +5 -7
- package/dist/cjs/services/ServiceAuthorizer.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/simulationEngine.d.ts +2 -4
- package/dist/cjs/simulation_engine/simulationEngine.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/simulationEngine.js +4 -6
- package/dist/cjs/simulation_engine/simulationEngine.js.map +1 -1
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.js +5 -4
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.js.map +1 -1
- package/dist/esm/SCPAnalysis.d.ts.map +1 -1
- package/dist/esm/StatementAnalysis.d.ts +14 -0
- package/dist/esm/StatementAnalysis.d.ts.map +1 -1
- package/dist/esm/StatementAnalysis.js +48 -1
- package/dist/esm/StatementAnalysis.js.map +1 -1
- package/dist/esm/action/action.d.ts +13 -3
- package/dist/esm/action/action.d.ts.map +1 -1
- package/dist/esm/action/action.js +43 -21
- package/dist/esm/action/action.js.map +1 -1
- package/dist/esm/condition/condition.d.ts +7 -3
- package/dist/esm/condition/condition.d.ts.map +1 -1
- package/dist/esm/condition/condition.js +138 -27
- package/dist/esm/condition/condition.js.map +1 -1
- package/dist/esm/core_engine/coreSimulatorEngine.d.ts +9 -11
- package/dist/esm/core_engine/coreSimulatorEngine.d.ts.map +1 -1
- package/dist/esm/core_engine/coreSimulatorEngine.js +136 -26
- package/dist/esm/core_engine/coreSimulatorEngine.js.map +1 -1
- package/dist/esm/evaluate.d.ts +46 -0
- package/dist/esm/evaluate.d.ts.map +1 -1
- package/dist/esm/explain/displayExplainCli.d.ts +3 -0
- package/dist/esm/explain/displayExplainCli.d.ts.map +1 -0
- package/dist/esm/explain/displayExplainCli.js +142 -0
- package/dist/esm/explain/displayExplainCli.js.map +1 -0
- package/dist/esm/explain/statementExplain.d.ts +50 -0
- package/dist/esm/explain/statementExplain.d.ts.map +1 -0
- package/dist/esm/explain/statementExplain.js +6 -0
- package/dist/esm/explain/statementExplain.js.map +1 -0
- package/dist/esm/index.d.ts +1 -0
- package/dist/esm/index.d.ts.map +1 -1
- package/dist/esm/index.js.map +1 -1
- package/dist/esm/principal/principal.d.ts +14 -4
- package/dist/esm/principal/principal.d.ts.map +1 -1
- package/dist/esm/principal/principal.js +101 -33
- package/dist/esm/principal/principal.js.map +1 -1
- package/dist/esm/resource/resource.d.ts +13 -3
- package/dist/esm/resource/resource.d.ts.map +1 -1
- package/dist/esm/resource/resource.js +66 -14
- package/dist/esm/resource/resource.js.map +1 -1
- package/dist/esm/services/DefaultServiceAuthorizer.d.ts +2 -34
- package/dist/esm/services/DefaultServiceAuthorizer.d.ts.map +1 -1
- package/dist/esm/services/DefaultServiceAuthorizer.js +43 -127
- package/dist/esm/services/DefaultServiceAuthorizer.js.map +1 -1
- package/dist/esm/services/ServiceAuthorizer.d.ts +5 -7
- package/dist/esm/services/ServiceAuthorizer.d.ts.map +1 -1
- package/dist/esm/simulation_engine/simulationEngine.d.ts +2 -4
- package/dist/esm/simulation_engine/simulationEngine.d.ts.map +1 -1
- package/dist/esm/simulation_engine/simulationEngine.js +5 -7
- package/dist/esm/simulation_engine/simulationEngine.js.map +1 -1
- package/dist/esm/simulation_engine/unsafeSimulationEngine.d.ts.map +1 -1
- package/dist/esm/simulation_engine/unsafeSimulationEngine.js +6 -5
- package/dist/esm/simulation_engine/unsafeSimulationEngine.js.map +1 -1
- package/package.json +2 -2
|
@@ -10,6 +10,7 @@ const condition_js_1 = require("../condition/condition.js");
|
|
|
10
10
|
const principal_js_1 = require("../principal/principal.js");
|
|
11
11
|
const resource_js_1 = require("../resource/resource.js");
|
|
12
12
|
const DefaultServiceAuthorizer_js_1 = require("../services/DefaultServiceAuthorizer.js");
|
|
13
|
+
const StatementAnalysis_js_1 = require("../StatementAnalysis.js");
|
|
13
14
|
const serviceEngines = {};
|
|
14
15
|
/**
|
|
15
16
|
* Authorizes a request.
|
|
@@ -22,11 +23,11 @@ const serviceEngines = {};
|
|
|
22
23
|
function authorize(request) {
|
|
23
24
|
const identityAnalysis = analyzeIdentityPolicies(request.identityPolicies, request.request);
|
|
24
25
|
const scpAnalysis = analyzeServiceControlPolicies(request.serviceControlPolicies, request.request);
|
|
26
|
+
const resourceAnalysis = analyzeResourcePolicy(request.resourcePolicy, request.request);
|
|
25
27
|
const serviceAuthorizer = getServiceAuthorizer(request);
|
|
26
|
-
const resourceAnalysis = request.resourcePolicy ? analyzeResourcePolicy(request.resourcePolicy, request.request) : [];
|
|
27
28
|
return serviceAuthorizer.authorize({
|
|
28
29
|
request: request.request,
|
|
29
|
-
|
|
30
|
+
identityAnalysis,
|
|
30
31
|
scpAnalysis,
|
|
31
32
|
resourceAnalysis
|
|
32
33
|
});
|
|
@@ -53,19 +54,45 @@ function getServiceAuthorizer(request) {
|
|
|
53
54
|
* @returns an array of statement analysis results
|
|
54
55
|
*/
|
|
55
56
|
function analyzeIdentityPolicies(identityPolicies, request) {
|
|
56
|
-
const
|
|
57
|
+
const identityAnalysis = {
|
|
58
|
+
result: 'ImplicitlyDenied',
|
|
59
|
+
allowStatements: [],
|
|
60
|
+
denyStatements: [],
|
|
61
|
+
unmatchedStatements: [],
|
|
62
|
+
};
|
|
57
63
|
for (const policy of identityPolicies) {
|
|
58
64
|
for (const statement of policy.statements()) {
|
|
59
|
-
|
|
65
|
+
const { matches: resourceMatch, details: resourceDetails } = (0, resource_js_1.requestMatchesStatementResources)(request, statement);
|
|
66
|
+
const { matches: actionMatch, details: actionDetails } = (0, action_js_1.requestMatchesStatementActions)(request, statement);
|
|
67
|
+
const { matches: conditionMatch, details: conditionDetails } = (0, condition_js_1.requestMatchesConditions)(request, statement.conditions());
|
|
68
|
+
const principalMatch = 'Match';
|
|
69
|
+
const overallMatch = (0, StatementAnalysis_js_1.statementMatches)({ actionMatch, conditionMatch, principalMatch, resourceMatch });
|
|
70
|
+
const statementAnalysis = {
|
|
60
71
|
statement,
|
|
61
|
-
resourceMatch
|
|
62
|
-
actionMatch
|
|
63
|
-
conditionMatch
|
|
64
|
-
principalMatch
|
|
65
|
-
|
|
72
|
+
resourceMatch,
|
|
73
|
+
actionMatch,
|
|
74
|
+
conditionMatch,
|
|
75
|
+
principalMatch,
|
|
76
|
+
explain: makeStatementExplain(statement, overallMatch, { ...resourceDetails, ...actionDetails, ...conditionDetails })
|
|
77
|
+
};
|
|
78
|
+
if ((0, StatementAnalysis_js_1.identityStatementExplicitDeny)(statementAnalysis)) {
|
|
79
|
+
identityAnalysis.denyStatements.push(statementAnalysis);
|
|
80
|
+
}
|
|
81
|
+
else if ((0, StatementAnalysis_js_1.identityStatementAllows)(statementAnalysis)) {
|
|
82
|
+
identityAnalysis.allowStatements.push(statementAnalysis);
|
|
83
|
+
}
|
|
84
|
+
else {
|
|
85
|
+
identityAnalysis.unmatchedStatements.push(statementAnalysis);
|
|
86
|
+
}
|
|
66
87
|
}
|
|
67
88
|
}
|
|
68
|
-
|
|
89
|
+
if (identityAnalysis.denyStatements.length > 0) {
|
|
90
|
+
identityAnalysis.result = 'ExplicitlyDenied';
|
|
91
|
+
}
|
|
92
|
+
else if (identityAnalysis.allowStatements.length > 0) {
|
|
93
|
+
identityAnalysis.result = 'Allowed';
|
|
94
|
+
}
|
|
95
|
+
return identityAnalysis;
|
|
69
96
|
}
|
|
70
97
|
/**
|
|
71
98
|
* Analyzes a set of service control policies and the statements within them.
|
|
@@ -79,22 +106,59 @@ function analyzeServiceControlPolicies(serviceControlPolicies, request) {
|
|
|
79
106
|
for (const controlPolicy of serviceControlPolicies) {
|
|
80
107
|
const ouAnalysis = {
|
|
81
108
|
orgIdentifier: controlPolicy.orgIdentifier,
|
|
82
|
-
|
|
109
|
+
result: 'ImplicitlyDenied',
|
|
110
|
+
allowStatements: [],
|
|
111
|
+
denyStatements: [],
|
|
112
|
+
unmatchedStatements: [],
|
|
83
113
|
};
|
|
84
114
|
for (const policy of controlPolicy.policies) {
|
|
85
115
|
for (const statement of policy.statements()) {
|
|
86
|
-
|
|
116
|
+
const { matches: resourceMatch, details: resourceDetails } = (0, resource_js_1.requestMatchesStatementResources)(request, statement);
|
|
117
|
+
const { matches: actionMatch, details: actionDetails } = (0, action_js_1.requestMatchesStatementActions)(request, statement);
|
|
118
|
+
const { matches: conditionMatch, details: conditionDetails } = (0, condition_js_1.requestMatchesConditions)(request, statement.conditions());
|
|
119
|
+
const principalMatch = 'Match';
|
|
120
|
+
const overallMatch = (0, StatementAnalysis_js_1.statementMatches)({ actionMatch, conditionMatch, principalMatch, resourceMatch });
|
|
121
|
+
const statementAnalysis = {
|
|
87
122
|
statement,
|
|
88
|
-
resourceMatch
|
|
89
|
-
actionMatch
|
|
90
|
-
conditionMatch
|
|
91
|
-
principalMatch
|
|
92
|
-
|
|
123
|
+
resourceMatch,
|
|
124
|
+
actionMatch,
|
|
125
|
+
conditionMatch,
|
|
126
|
+
principalMatch,
|
|
127
|
+
explain: makeStatementExplain(statement, overallMatch, { ...resourceDetails, ...actionDetails, ...conditionDetails })
|
|
128
|
+
};
|
|
129
|
+
if ((0, StatementAnalysis_js_1.identityStatementAllows)(statementAnalysis)) {
|
|
130
|
+
ouAnalysis.allowStatements.push(statementAnalysis);
|
|
131
|
+
}
|
|
132
|
+
else if ((0, StatementAnalysis_js_1.identityStatementExplicitDeny)(statementAnalysis)) {
|
|
133
|
+
ouAnalysis.denyStatements.push(statementAnalysis);
|
|
134
|
+
}
|
|
135
|
+
else {
|
|
136
|
+
ouAnalysis.unmatchedStatements.push(statementAnalysis);
|
|
137
|
+
}
|
|
93
138
|
}
|
|
94
139
|
}
|
|
140
|
+
if (ouAnalysis.denyStatements.length > 0) {
|
|
141
|
+
ouAnalysis.result = 'ExplicitlyDenied';
|
|
142
|
+
}
|
|
143
|
+
else if (ouAnalysis.allowStatements.length > 0) {
|
|
144
|
+
ouAnalysis.result = 'Allowed';
|
|
145
|
+
}
|
|
95
146
|
analysis.push(ouAnalysis);
|
|
96
147
|
}
|
|
97
|
-
|
|
148
|
+
let overallResult = 'ImplicitlyDenied';
|
|
149
|
+
if (analysis.some(ou => ou.result === 'ExplicitlyDenied')) {
|
|
150
|
+
overallResult = 'ExplicitlyDenied';
|
|
151
|
+
}
|
|
152
|
+
else if (analysis.some(ou => ou.allowStatements.length === 0)) {
|
|
153
|
+
overallResult = 'ImplicitlyDenied';
|
|
154
|
+
}
|
|
155
|
+
else if (analysis.every(ou => ou.result === 'Allowed')) {
|
|
156
|
+
overallResult = 'Allowed';
|
|
157
|
+
}
|
|
158
|
+
return {
|
|
159
|
+
result: overallResult,
|
|
160
|
+
ouAnalysis: analysis
|
|
161
|
+
};
|
|
98
162
|
}
|
|
99
163
|
/**
|
|
100
164
|
* Analyze a resource policy and return the results
|
|
@@ -104,16 +168,62 @@ function analyzeServiceControlPolicies(serviceControlPolicies, request) {
|
|
|
104
168
|
* @returns an array of statement analysis results
|
|
105
169
|
*/
|
|
106
170
|
function analyzeResourcePolicy(resourcePolicy, request) {
|
|
107
|
-
const
|
|
171
|
+
const resourceAnalysis = {
|
|
172
|
+
result: 'NotApplicable',
|
|
173
|
+
allowStatements: [],
|
|
174
|
+
denyStatements: [],
|
|
175
|
+
unmatchedStatements: [],
|
|
176
|
+
};
|
|
177
|
+
if (!resourcePolicy) {
|
|
178
|
+
return resourceAnalysis;
|
|
179
|
+
}
|
|
108
180
|
for (const statement of resourcePolicy.statements()) {
|
|
109
|
-
|
|
181
|
+
const { matches: resourceMatch, details: resourceDetails } = (0, resource_js_1.requestMatchesStatementResources)(request, statement);
|
|
182
|
+
const { matches: actionMatch, details: actionDetails } = (0, action_js_1.requestMatchesStatementActions)(request, statement);
|
|
183
|
+
const { matches: principalMatch, details: principalDetails } = (0, principal_js_1.requestMatchesStatementPrincipals)(request, statement);
|
|
184
|
+
const { matches: conditionMatch, details: conditionDetails } = (0, condition_js_1.requestMatchesConditions)(request, statement.conditions());
|
|
185
|
+
const overallMatch = (0, StatementAnalysis_js_1.statementMatches)({ actionMatch, conditionMatch, principalMatch, resourceMatch });
|
|
186
|
+
const analysis = {
|
|
110
187
|
statement,
|
|
111
|
-
resourceMatch:
|
|
112
|
-
actionMatch
|
|
113
|
-
conditionMatch
|
|
114
|
-
principalMatch
|
|
115
|
-
|
|
188
|
+
resourceMatch: resourceMatch,
|
|
189
|
+
actionMatch,
|
|
190
|
+
conditionMatch,
|
|
191
|
+
principalMatch,
|
|
192
|
+
explain: makeStatementExplain(statement, overallMatch, { ...resourceDetails, ...actionDetails, ...principalDetails, ...conditionDetails })
|
|
193
|
+
};
|
|
194
|
+
if ((0, StatementAnalysis_js_1.identityStatementExplicitDeny)(analysis) && analysis.principalMatch !== 'NoMatch') {
|
|
195
|
+
resourceAnalysis.denyStatements.push(analysis);
|
|
196
|
+
}
|
|
197
|
+
else if ((0, StatementAnalysis_js_1.identityStatementAllows)(analysis) && analysis.principalMatch !== 'NoMatch') {
|
|
198
|
+
resourceAnalysis.allowStatements.push(analysis);
|
|
199
|
+
}
|
|
200
|
+
else {
|
|
201
|
+
resourceAnalysis.unmatchedStatements.push(analysis);
|
|
202
|
+
}
|
|
203
|
+
}
|
|
204
|
+
if (resourceAnalysis.denyStatements.some(s => s.principalMatch === 'Match')) {
|
|
205
|
+
resourceAnalysis.result = 'ExplicitlyDenied';
|
|
116
206
|
}
|
|
117
|
-
|
|
207
|
+
else if (resourceAnalysis.denyStatements.some(s => s.principalMatch === 'AccountLevelMatch')) {
|
|
208
|
+
resourceAnalysis.result = 'DeniedForAccount';
|
|
209
|
+
}
|
|
210
|
+
else if (resourceAnalysis.allowStatements.some(s => s.principalMatch === 'Match')) {
|
|
211
|
+
resourceAnalysis.result = 'Allowed';
|
|
212
|
+
}
|
|
213
|
+
else if (resourceAnalysis.allowStatements.some(s => s.principalMatch === 'AccountLevelMatch')) {
|
|
214
|
+
resourceAnalysis.result = 'AllowedForAccount';
|
|
215
|
+
}
|
|
216
|
+
else {
|
|
217
|
+
resourceAnalysis.result = 'NotApplicable';
|
|
218
|
+
}
|
|
219
|
+
return resourceAnalysis;
|
|
220
|
+
}
|
|
221
|
+
function makeStatementExplain(statement, overallMatch, details) {
|
|
222
|
+
return {
|
|
223
|
+
effect: statement.effect(),
|
|
224
|
+
identifier: statement.sid() || statement.index().toString(),
|
|
225
|
+
matches: overallMatch,
|
|
226
|
+
...details
|
|
227
|
+
};
|
|
118
228
|
}
|
|
119
229
|
//# sourceMappingURL=coreSimulatorEngine.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"coreSimulatorEngine.js","sourceRoot":"","sources":["../../../src/core_engine/coreSimulatorEngine.ts"],"names":[],"mappings":";;AA+DA,8BAYC;AASD,oDAMC;AASD,
|
|
1
|
+
{"version":3,"file":"coreSimulatorEngine.js","sourceRoot":"","sources":["../../../src/core_engine/coreSimulatorEngine.ts"],"names":[],"mappings":";;AA+DA,8BAYC;AASD,oDAMC;AASD,0DA0CC;AASD,sEAyDC;AASD,sDAgDC;AAvQD,mDAAqE;AACrE,4DAAqE;AAGrE,4DAAoG;AAEpG,yDAA2E;AAC3E,yFAAmF;AAEnF,kEAAsI;AA2CtI,MAAM,cAAc,GAAgD,EAAE,CAAC;AAEvE;;;;;;;GAOG;AACH,SAAgB,SAAS,CAAC,OAA6B;IACrD,MAAM,gBAAgB,GAAG,uBAAuB,CAAC,OAAO,CAAC,gBAAgB,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAC5F,MAAM,WAAW,GAAG,6BAA6B,CAAC,OAAO,CAAC,sBAAsB,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IACnG,MAAM,gBAAgB,GAAG,qBAAqB,CAAC,OAAO,CAAC,cAAc,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAExF,MAAM,iBAAiB,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC;IACxD,OAAO,iBAAiB,CAAC,SAAS,CAAC;QACjC,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,gBAAgB;QAChB,WAAW;QACX,gBAAgB;KACjB,CAAC,CAAC;AACL,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,oBAAoB,CAAC,OAA6B;IAChE,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,WAAW,EAAE,CAAC;IACnE,IAAG,cAAc,CAAC,WAAW,CAAC,EAAE,CAAC;QAC/B,OAAO,IAAI,cAAc,CAAC,WAAW,CAAC,EAAE,CAAC;IAC3C,CAAC;IACD,OAAO,IAAI,sDAAwB,CAAC;AACtC,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,uBAAuB,CAAC,gBAAmC,EAAE,OAAmB;IAE9F,MAAM,gBAAgB,GAAqB;QACzC,MAAM,EAAE,kBAAkB;QAC1B,eAAe,EAAE,EAAE;QACnB,cAAc,EAAE,EAAE;QAClB,mBAAmB,EAAE,EAAE;KACxB,CAAA;IAED,KAAI,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;QACrC,KAAI,MAAM,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;YAC3C,MAAM,EAAC,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,eAAe,EAAC,GAAG,IAAA,8CAAgC,EAAC,OAAO,EAAE,SAAS,CAAC,CAAC;YAChH,MAAM,EAAC,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,aAAa,EAAC,GAAG,IAAA,0CAA8B,EAAC,OAAO,EAAE,SAAS,CAAC,CAAC;YAC1G,MAAM,EAAC,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,EAAC,GAAG,IAAA,uCAAwB,EAAC,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE,CAAC,CAAC;YACvH,MAAM,cAAc,GAAyB,OAAO,CAAC;YACrD,MAAM,YAAY,GAAG,IAAA,uCAAgB,EAAC,EAAC,WAAW,EAAE,cAAc,EAAE,cAAc,EAAE,aAAa,EAAC,CAAC,CAAC;YACpG,MAAM,iBAAiB,GAAsB;gBAC3C,SAAS;gBACT,aAAa;gBACb,WAAW;gBACX,cAAc;gBACd,cAAc;gBACd,OAAO,EAAE,oBAAoB,CAAC,SAAS,EAAE,YAAY,EAAE,EAAC,GAAG,eAAe,EAAE,GAAG,aAAa,EAAE,GAAG,gBAAgB,EAAC,CAAC;aACpH,CAAA;YAED,IAAG,IAAA,oDAA6B,EAAC,iBAAiB,CAAC,EAAE,CAAC;gBACpD,gBAAgB,CAAC,cAAc,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;YAC1D,CAAC;iBAAM,IAAG,IAAA,8CAAuB,EAAC,iBAAiB,CAAC,EAAE,CAAC;gBACrD,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;YAC3D,CAAC;iBAAM,CAAC;gBACN,gBAAgB,CAAC,mBAAmB,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;YAC/D,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAG,gBAAgB,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9C,gBAAgB,CAAC,MAAM,GAAG,kBAAkB,CAAA;IAC9C,CAAC;SAAM,IAAG,gBAAgB,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtD,gBAAgB,CAAC,MAAM,GAAG,SAAS,CAAA;IACrC,CAAC;IAED,OAAO,gBAAgB,CAAC;AAC1B,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,6BAA6B,CAAC,sBAAgD,EAAE,OAAmB;IACjH,MAAM,QAAQ,GAAoB,EAAE,CAAC;IACrC,KAAI,MAAM,aAAa,IAAI,sBAAsB,EAAE,CAAC;QAClD,MAAM,UAAU,GAAkB;YAChC,aAAa,EAAE,aAAa,CAAC,aAAa;YAC1C,MAAM,EAAE,kBAAkB;YAC1B,eAAe,EAAE,EAAE;YACnB,cAAc,EAAE,EAAE;YAClB,mBAAmB,EAAE,EAAE;SACxB,CAAA;QACD,KAAI,MAAM,MAAM,IAAI,aAAa,CAAC,QAAQ,EAAE,CAAC;YAC3C,KAAI,MAAM,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;gBAC3C,MAAM,EAAC,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,eAAe,EAAC,GAAG,IAAA,8CAAgC,EAAC,OAAO,EAAE,SAAS,CAAC,CAAC;gBAChH,MAAM,EAAC,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,aAAa,EAAC,GAAG,IAAA,0CAA8B,EAAC,OAAO,EAAE,SAAS,CAAC,CAAC;gBAC1G,MAAM,EAAC,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,EAAC,GAAG,IAAA,uCAAwB,EAAC,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE,CAAC,CAAC;gBACvH,MAAM,cAAc,GAAyB,OAAO,CAAA;gBACpD,MAAM,YAAY,GAAG,IAAA,uCAAgB,EAAC,EAAC,WAAW,EAAE,cAAc,EAAE,cAAc,EAAE,aAAa,EAAC,CAAC,CAAC;gBACpG,MAAM,iBAAiB,GAAsB;oBAC3C,SAAS;oBACT,aAAa;oBACb,WAAW;oBACX,cAAc;oBACd,cAAc;oBACd,OAAO,EAAE,oBAAoB,CAAC,SAAS,EAAE,YAAY,EAAE,EAAC,GAAG,eAAe,EAAE,GAAG,aAAa,EAAE,GAAG,gBAAgB,EAAC,CAAC;iBACpH,CAAA;gBAED,IAAG,IAAA,8CAAuB,EAAC,iBAAiB,CAAC,EAAE,CAAC;oBAC9C,UAAU,CAAC,eAAe,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;gBACrD,CAAC;qBAAM,IAAI,IAAA,oDAA6B,EAAC,iBAAiB,CAAC,EAAE,CAAC;oBAC5D,UAAU,CAAC,cAAc,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;gBACpD,CAAC;qBAAM,CAAC;oBACN,UAAU,CAAC,mBAAmB,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAG,UAAU,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxC,UAAU,CAAC,MAAM,GAAG,kBAAkB,CAAA;QACxC,CAAC;aAAM,IAAG,UAAU,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAChD,UAAU,CAAC,MAAM,GAAG,SAAS,CAAA;QAC/B,CAAC;QACD,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC5B,CAAC;IAED,IAAI,aAAa,GAAqB,kBAAkB,CAAA;IACxD,IAAG,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,MAAM,KAAK,kBAAkB,CAAC,EAAE,CAAC;QACzD,aAAa,GAAG,kBAAkB,CAAA;IACpC,CAAC;SAAM,IAAG,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,eAAe,CAAC,MAAM,KAAK,CAAC,CAAC,EAAE,CAAC;QAC/D,aAAa,GAAG,kBAAkB,CAAA;IACpC,CAAC;SAAM,IAAI,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,MAAM,KAAK,SAAS,CAAC,EAAE,CAAC;QACzD,aAAa,GAAG,SAAS,CAAA;IAC3B,CAAC;IAED,OAAO;QACL,MAAM,EAAE,aAAa;QACrB,UAAU,EAAE,QAAQ;KACrB,CAAA;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,qBAAqB,CAAC,cAA2C,EAAE,OAAmB;IACpG,MAAM,gBAAgB,GAAqB;QACzC,MAAM,EAAE,eAAe;QACvB,eAAe,EAAE,EAAE;QACnB,cAAc,EAAE,EAAE;QAClB,mBAAmB,EAAE,EAAE;KACxB,CAAA;IAED,IAAG,CAAC,cAAc,EAAE,CAAC;QACnB,OAAO,gBAAgB,CAAC;IAC1B,CAAC;IAED,KAAI,MAAM,SAAS,IAAI,cAAc,CAAC,UAAU,EAAE,EAAE,CAAC;QACnD,MAAM,EAAC,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,eAAe,EAAC,GAAG,IAAA,8CAAgC,EAAC,OAAO,EAAE,SAAS,CAAC,CAAC;QAChH,MAAM,EAAC,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,aAAa,EAAC,GAAG,IAAA,0CAA8B,EAAC,OAAO,EAAE,SAAS,CAAC,CAAC;QAC1G,MAAM,EAAC,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,EAAC,GAAG,IAAA,gDAAiC,EAAC,OAAO,EAAE,SAAS,CAAC,CAAC;QACnH,MAAM,EAAC,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,EAAC,GAAG,IAAA,uCAAwB,EAAC,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE,CAAC,CAAC;QACvH,MAAM,YAAY,GAAG,IAAA,uCAAgB,EAAC,EAAC,WAAW,EAAE,cAAc,EAAE,cAAc,EAAE,aAAa,EAAC,CAAC,CAAC;QACpG,MAAM,QAAQ,GAAsB;YAClC,SAAS;YACT,aAAa,EAAE,aAAa;YAC5B,WAAW;YACX,cAAc;YACd,cAAc;YACd,OAAO,EAAE,oBAAoB,CAAC,SAAS,EAAE,YAAY,EAAE,EAAC,GAAG,eAAe,EAAE,GAAG,aAAa,EAAE,GAAG,gBAAgB,EAAE,GAAG,gBAAgB,EAAC,CAAC;SACzI,CAAA;QACD,IAAG,IAAA,oDAA6B,EAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;YACpF,gBAAgB,CAAC,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACjD,CAAC;aAAM,IAAG,IAAA,8CAAuB,EAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;YACrF,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAClD,CAAC;aAAM,CAAC;YACN,gBAAgB,CAAC,mBAAmB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACtD,CAAC;IACH,CAAC;IAED,IAAG,gBAAgB,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,OAAO,CAAC,EAAE,CAAC;QAC3E,gBAAgB,CAAC,MAAM,GAAG,kBAAkB,CAAA;IAC9C,CAAC;SAAM,IAAG,gBAAgB,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,mBAAmB,CAAC,EAAE,CAAC;QAC9F,gBAAgB,CAAC,MAAM,GAAG,kBAAkB,CAAA;IAC9C,CAAC;SAAM,IAAG,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,OAAO,CAAC,EAAE,CAAC;QACnF,gBAAgB,CAAC,MAAM,GAAG,SAAS,CAAA;IACrC,CAAC;SAAM,IAAG,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,mBAAmB,CAAC,EAAE,CAAC;QAC/F,gBAAgB,CAAC,MAAM,GAAG,mBAAmB,CAAA;IAC/C,CAAC;SAAM,CAAC;QACN,gBAAgB,CAAC,MAAM,GAAG,eAAe,CAAA;IAC3C,CAAC;IAED,OAAO,gBAAgB,CAAC;AAC1B,CAAC;AAED,SAAS,oBAAoB,CAAC,SAAoB,EAAE,YAAqB,EAAE,OAAkC;IAC3G,OAAO;QACL,MAAM,EAAE,SAAS,CAAC,MAAM,EAAE;QAC1B,UAAU,EAAE,SAAS,CAAC,GAAG,EAAE,IAAI,SAAS,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE;QAC3D,OAAO,EAAE,YAAY;QACrB,GAAG,OAAO;KACX,CAAA;AACH,CAAC"}
|
package/dist/cjs/evaluate.d.ts
CHANGED
|
@@ -1,3 +1,49 @@
|
|
|
1
|
+
import { StatementAnalysis } from "./StatementAnalysis.js";
|
|
1
2
|
export type EvaluationResult = 'Allowed' | 'ExplicitlyDenied' | 'AllowedWithConditions' | 'ImplicitlyDenied' | 'Unknown';
|
|
2
3
|
export type ResourceEvaluationResult = 'NotApplicable' | 'Allowed' | 'ExplicitlyDenied' | 'AllowedForAccount' | 'DeniedForAccount' | 'ImplicityDenied';
|
|
4
|
+
export interface IdentityAnalysis {
|
|
5
|
+
result: EvaluationResult;
|
|
6
|
+
denyStatements: StatementAnalysis[];
|
|
7
|
+
allowStatements: StatementAnalysis[];
|
|
8
|
+
unmatchedStatements: StatementAnalysis[];
|
|
9
|
+
}
|
|
10
|
+
export interface ResourceAnalysis {
|
|
11
|
+
result: ResourceEvaluationResult;
|
|
12
|
+
denyStatements: StatementAnalysis[];
|
|
13
|
+
allowStatements: StatementAnalysis[];
|
|
14
|
+
unmatchedStatements: StatementAnalysis[];
|
|
15
|
+
}
|
|
16
|
+
export interface OuScpAnalysis {
|
|
17
|
+
orgIdentifier: string;
|
|
18
|
+
result: EvaluationResult;
|
|
19
|
+
denyStatements: StatementAnalysis[];
|
|
20
|
+
allowStatements: StatementAnalysis[];
|
|
21
|
+
unmatchedStatements: StatementAnalysis[];
|
|
22
|
+
}
|
|
23
|
+
export interface ScpAnalysis {
|
|
24
|
+
/**
|
|
25
|
+
* OU Result
|
|
26
|
+
*/
|
|
27
|
+
result: EvaluationResult;
|
|
28
|
+
ouAnalysis: OuScpAnalysis[];
|
|
29
|
+
}
|
|
30
|
+
/**
|
|
31
|
+
* The analysis of a request.
|
|
32
|
+
*/
|
|
33
|
+
export interface RequestAnalysis {
|
|
34
|
+
/**
|
|
35
|
+
* The result of the evaluation.
|
|
36
|
+
*/
|
|
37
|
+
result: EvaluationResult;
|
|
38
|
+
sameAccount: boolean;
|
|
39
|
+
/**
|
|
40
|
+
* The result of the evaluation of the resource policy.
|
|
41
|
+
*/
|
|
42
|
+
identityAnalysis?: IdentityAnalysis;
|
|
43
|
+
/**
|
|
44
|
+
* The result of the evaluation of the resource policy.
|
|
45
|
+
*/
|
|
46
|
+
resourceAnalysis?: ResourceAnalysis;
|
|
47
|
+
scpAnalysis?: ScpAnalysis;
|
|
48
|
+
}
|
|
3
49
|
//# sourceMappingURL=evaluate.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"evaluate.d.ts","sourceRoot":"","sources":["../../src/evaluate.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,gBAAgB,GAAG,SAAS,GAAG,kBAAkB,GAAG,uBAAuB,GAAG,kBAAkB,GAAG,SAAS,CAAC;AACzH,MAAM,MAAM,wBAAwB,GAAG,eAAe,GAAG,SAAS,GAAG,kBAAkB,GAAG,mBAAmB,GAAG,kBAAkB,GAAG,iBAAiB,CAAC"}
|
|
1
|
+
{"version":3,"file":"evaluate.d.ts","sourceRoot":"","sources":["../../src/evaluate.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAE3D,MAAM,MAAM,gBAAgB,GAAG,SAAS,GAAG,kBAAkB,GAAG,uBAAuB,GAAG,kBAAkB,GAAG,SAAS,CAAC;AACzH,MAAM,MAAM,wBAAwB,GAAG,eAAe,GAAG,SAAS,GAAG,kBAAkB,GAAG,mBAAmB,GAAG,kBAAkB,GAAG,iBAAiB,CAAC;AAEvJ,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,gBAAgB,CAAA;IACxB,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,wBAAwB,CAAA;IAChC,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,aAAa;IAC5B,aAAa,EAAE,MAAM,CAAA;IACrB,MAAM,EAAE,gBAAgB,CAAA;IACxB,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,WAAW;IAC1B;;OAEG;IACH,MAAM,EAAE,gBAAgB,CAAA;IACxB,UAAU,EAAE,aAAa,EAAE,CAAA;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B;;OAEG;IACH,MAAM,EAAE,gBAAgB,CAAC;IAEzB,WAAW,EAAE,OAAO,CAAC;IAErB;;OAEG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAA;IAEnC;;OAEG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAA;IAEnC,WAAW,CAAC,EAAE,WAAW,CAAA;CAC1B"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"displayExplainCli.d.ts","sourceRoot":"","sources":["../../../src/explain/displayExplainCli.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAyFzD,wBAAgB,YAAY,CAAC,OAAO,EAAE,gBAAgB,QAmErD"}
|
|
@@ -0,0 +1,145 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.printExplain = printExplain;
|
|
4
|
+
const explain1 = {
|
|
5
|
+
// request: {
|
|
6
|
+
// action: 's3:GetObject',
|
|
7
|
+
// principal: 'arn:aws:iam::123456789012:user/Bob',
|
|
8
|
+
// resource: 'arn:aws:s3:::examplebucket/123.txt',
|
|
9
|
+
// context: {
|
|
10
|
+
// 'aws:SecureTransport': 'true',
|
|
11
|
+
// 's3:ExistingObjectTag/Department': 'Engineering',
|
|
12
|
+
// 'aws:PrincipalTag/Department': 'Engineering'
|
|
13
|
+
// }
|
|
14
|
+
// },
|
|
15
|
+
identifier: 'Statement1',
|
|
16
|
+
matches: true,
|
|
17
|
+
effect: 'Allow',
|
|
18
|
+
actions: [
|
|
19
|
+
{
|
|
20
|
+
action: 's3:Get*',
|
|
21
|
+
matches: true
|
|
22
|
+
},
|
|
23
|
+
{
|
|
24
|
+
action: 's3:PutObject',
|
|
25
|
+
matches: false
|
|
26
|
+
}
|
|
27
|
+
],
|
|
28
|
+
resources: [
|
|
29
|
+
{
|
|
30
|
+
resource: 'arn:aws:s3:::examplebucket/*',
|
|
31
|
+
errors: [],
|
|
32
|
+
matches: true
|
|
33
|
+
},
|
|
34
|
+
{
|
|
35
|
+
resource: 'arn:aws:s3:::examplebucket/${aws:PrincipalTag/Department}/*',
|
|
36
|
+
resolvedValue: 'arn:aws:s3:::examplebucket/Engineering/*',
|
|
37
|
+
errors: [],
|
|
38
|
+
matches: true
|
|
39
|
+
},
|
|
40
|
+
{
|
|
41
|
+
resource: 'arn:aws:s3:::examplebucket/abc/*',
|
|
42
|
+
errors: [],
|
|
43
|
+
matches: false
|
|
44
|
+
}
|
|
45
|
+
],
|
|
46
|
+
conditions: [
|
|
47
|
+
{
|
|
48
|
+
conditionKeyValue: 'aws:SecureTransport',
|
|
49
|
+
resolvedConditionKeyValue: 'true',
|
|
50
|
+
operator: 'Bool',
|
|
51
|
+
matches: true,
|
|
52
|
+
values: {
|
|
53
|
+
value: 'true',
|
|
54
|
+
resolvedValue: 'true',
|
|
55
|
+
matches: true,
|
|
56
|
+
errors: []
|
|
57
|
+
},
|
|
58
|
+
}, {
|
|
59
|
+
conditionKeyValue: 's3:PrincipalTag/Department',
|
|
60
|
+
resolvedConditionKeyValue: 'Engineering',
|
|
61
|
+
operator: 'StringEquals',
|
|
62
|
+
matches: true,
|
|
63
|
+
values: [
|
|
64
|
+
{
|
|
65
|
+
value: 'Engineering',
|
|
66
|
+
resolvedValue: 'Engineering',
|
|
67
|
+
matches: true,
|
|
68
|
+
errors: []
|
|
69
|
+
},
|
|
70
|
+
{
|
|
71
|
+
value: 'Quality',
|
|
72
|
+
resolvedValue: 'Engineering',
|
|
73
|
+
matches: false,
|
|
74
|
+
errors: []
|
|
75
|
+
}
|
|
76
|
+
]
|
|
77
|
+
}
|
|
78
|
+
]
|
|
79
|
+
};
|
|
80
|
+
function buffers(n) {
|
|
81
|
+
return ' '.repeat(n);
|
|
82
|
+
}
|
|
83
|
+
function printExplain(explain) {
|
|
84
|
+
const buffer = ' ';
|
|
85
|
+
console.log(`{`);
|
|
86
|
+
if (explain.matches) {
|
|
87
|
+
console.log(`${buffer}// Statement ${explain.identifier} Matches`);
|
|
88
|
+
}
|
|
89
|
+
else {
|
|
90
|
+
console.log(`${buffer}// Statement ${explain.identifier} Does NOT Match`);
|
|
91
|
+
}
|
|
92
|
+
if (explain.actions && !Array.isArray(explain.actions)) {
|
|
93
|
+
const actionString = `${buffer}"Action": "${explain.actions.action}", // ${explain.actions.matches ? 'Match' : 'No Match'}`;
|
|
94
|
+
}
|
|
95
|
+
else if (explain.actions && Array.isArray(explain.actions)) {
|
|
96
|
+
console.log(`${buffer}"Action": [`);
|
|
97
|
+
for (const action of explain.actions) {
|
|
98
|
+
console.log(`${buffers(2)}"${action.action}", // ${action.matches ? 'Match' : 'No Match'}`);
|
|
99
|
+
}
|
|
100
|
+
console.log(`${buffer}]`);
|
|
101
|
+
}
|
|
102
|
+
if (explain.resources && !Array.isArray(explain.resources)) {
|
|
103
|
+
if (explain.resources.resolvedValue) {
|
|
104
|
+
console.log(`${buffer} //${explain.resources.resolvedValue} // Resolved Value`);
|
|
105
|
+
}
|
|
106
|
+
console.log(`${buffer}"Resource": "${explain.resources.resource}", // ${explain.resources.matches ? 'Match' : 'No Match'}`);
|
|
107
|
+
}
|
|
108
|
+
else if (explain.resources && Array.isArray(explain.resources)) {
|
|
109
|
+
console.log(`${buffer}"Resource": [`);
|
|
110
|
+
for (const resource of explain.resources) {
|
|
111
|
+
let resourceLine = `${buffers(2)}"${resource.resource}", // ${resource.matches ? 'Match' : 'No Match'}`;
|
|
112
|
+
if (resource.resolvedValue) {
|
|
113
|
+
resourceLine += ` Resolved to "${resource.resolvedValue}"`;
|
|
114
|
+
}
|
|
115
|
+
console.log(resourceLine);
|
|
116
|
+
}
|
|
117
|
+
console.log(`${buffer}]`);
|
|
118
|
+
}
|
|
119
|
+
if (explain.conditions) {
|
|
120
|
+
const operators = explain.conditions.map(c => c.operator);
|
|
121
|
+
console.log(`${buffer}"Condition": {`);
|
|
122
|
+
for (const op of operators) {
|
|
123
|
+
const opConditions = explain.conditions.filter(c => c.operator === op);
|
|
124
|
+
console.log(`${buffers(2)}"${op}": {`);
|
|
125
|
+
for (const c of opConditions) {
|
|
126
|
+
if (c.values && !Array.isArray(c.values)) {
|
|
127
|
+
console.log(`${buffers(3)}"${c.conditionKeyValue}": "${c.values.value}", // ${c.matches ? 'Match' : 'No Match'}`);
|
|
128
|
+
// console.log(`${buffers(3)}"Value": "${c.values.value}", // ${c.values.matches ? 'Match' : 'No Match'}`)
|
|
129
|
+
}
|
|
130
|
+
else if (c.values && Array.isArray(c.values)) {
|
|
131
|
+
console.log(`${buffers(3)}"${c.conditionKeyValue}": [`);
|
|
132
|
+
for (const v of c.values) {
|
|
133
|
+
console.log(`${buffers(4)}"${v.value}", // ${v.matches ? 'Match' : 'No Match'}`);
|
|
134
|
+
}
|
|
135
|
+
console.log(`${buffers(3)}]`);
|
|
136
|
+
}
|
|
137
|
+
}
|
|
138
|
+
console.log(`${buffers(2)}}`);
|
|
139
|
+
}
|
|
140
|
+
console.log(`${buffer}}`);
|
|
141
|
+
}
|
|
142
|
+
console.log(`}`);
|
|
143
|
+
}
|
|
144
|
+
printExplain(explain1);
|
|
145
|
+
//# sourceMappingURL=displayExplainCli.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"displayExplainCli.js","sourceRoot":"","sources":["../../../src/explain/displayExplainCli.ts"],"names":[],"mappings":";;AAyFA,oCAmEC;AA1JD,MAAM,QAAQ,GAAqB;IACjC,aAAa;IACb,4BAA4B;IAC5B,qDAAqD;IACrD,oDAAoD;IACpD,eAAe;IACf,qCAAqC;IACrC,wDAAwD;IACxD,mDAAmD;IACnD,MAAM;IACN,KAAK;IAEL,UAAU,EAAE,YAAY;IACxB,OAAO,EAAE,IAAI;IAEb,MAAM,EAAE,OAAO;IACf,OAAO,EAAE;QACP;YACE,MAAM,EAAE,SAAS;YACjB,OAAO,EAAE,IAAI;SACd;QACD;YACE,MAAM,EAAE,cAAc;YACtB,OAAO,EAAE,KAAK;SACf;KACF;IAED,SAAS,EAAE;QACT;YACE,QAAQ,EAAE,8BAA8B;YACxC,MAAM,EAAE,EAAE;YACV,OAAO,EAAE,IAAI;SACd;QACD;YACE,QAAQ,EAAE,6DAA6D;YACvE,aAAa,EAAE,0CAA0C;YACzD,MAAM,EAAE,EAAE;YACV,OAAO,EAAE,IAAI;SACd;QACD;YACE,QAAQ,EAAE,kCAAkC;YAC5C,MAAM,EAAE,EAAE;YACV,OAAO,EAAE,KAAK;SACf;KACF;IAID,UAAU,EAAE;QACV;YACE,iBAAiB,EAAE,qBAAqB;YACxC,yBAAyB,EAAE,MAAM;YACjC,QAAQ,EAAE,MAAM;YAChB,OAAO,EAAE,IAAI;YACb,MAAM,EAAC;gBACH,KAAK,EAAE,MAAM;gBACb,aAAa,EAAE,MAAM;gBACrB,OAAO,EAAE,IAAI;gBACb,MAAM,EAAE,EAAE;aACb;SACF,EAAE;YACD,iBAAiB,EAAE,4BAA4B;YAC/C,yBAAyB,EAAE,aAAa;YACxC,QAAQ,EAAE,cAAc;YACxB,OAAO,EAAE,IAAI;YACb,MAAM,EAAE;gBACN;oBACE,KAAK,EAAE,aAAa;oBACpB,aAAa,EAAE,aAAa;oBAC5B,OAAO,EAAE,IAAI;oBACb,MAAM,EAAE,EAAE;iBACX;gBACD;oBACE,KAAK,EAAE,SAAS;oBAChB,aAAa,EAAE,aAAa;oBAC5B,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,EAAE;iBACX;aACF;SACF;KACF;CACF,CAAA;AAED,SAAS,OAAO,CAAC,CAAS;IACxB,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAA;AACvB,CAAC;AAED,SAAgB,YAAY,CAAC,OAAyB;IACpD,MAAM,MAAM,GAAG,IAAI,CAAA;IAEnB,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;IAEhB,IAAG,OAAO,CAAC,OAAO,EAAE,CAAC;QACnB,OAAO,CAAC,GAAG,CAAC,GAAG,MAAM,gBAAgB,OAAO,CAAC,UAAU,UAAU,CAAC,CAAA;IACpE,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,GAAG,MAAM,gBAAgB,OAAO,CAAC,UAAU,iBAAiB,CAAC,CAAA;IAC3E,CAAC;IAED,IAAG,OAAO,CAAC,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACtD,MAAM,YAAY,GAAG,GAAG,MAAM,cAAc,OAAO,CAAC,OAAO,CAAC,MAAM,SAAS,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,UAAU,EAAE,CAAA;IAC7H,CAAC;SAAM,IAAG,OAAO,CAAC,OAAO,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAC5D,OAAO,CAAC,GAAG,CAAC,GAAG,MAAM,aAAa,CAAC,CAAA;QACnC,KAAI,MAAM,MAAM,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;YACpC,OAAO,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC,MAAM,SAAS,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,UAAU,EAAE,CAAC,CAAA;QAC7F,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,GAAG,MAAM,GAAG,CAAC,CAAC;IAC5B,CAAC;IAED,IAAG,OAAO,CAAC,SAAS,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;QAC1D,IAAG,OAAO,CAAC,SAAS,CAAC,aAAa,EAAE,CAAC;YACnC,OAAO,CAAC,GAAG,CAAC,GAAG,MAAM,aAAa,OAAO,CAAC,SAAS,CAAC,aAAa,oBAAoB,CAAC,CAAA;QACxF,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,GAAG,MAAM,gBAAgB,OAAO,CAAC,SAAS,CAAC,QAAQ,SAAS,OAAO,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,UAAU,EAAE,CAAC,CAAA;IAC7H,CAAC;SAAM,IAAG,OAAO,CAAC,SAAS,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;QAChE,OAAO,CAAC,GAAG,CAAC,GAAG,MAAM,eAAe,CAAC,CAAA;QACrC,KAAI,MAAM,QAAQ,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;YACxC,IAAI,YAAY,GAAG,GAAG,OAAO,CAAC,CAAC,CAAC,IAAI,QAAQ,CAAC,QAAQ,SAAS,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,UAAU,EAAE,CAAA;YACvG,IAAG,QAAQ,CAAC,aAAa,EAAE,CAAC;gBAC1B,YAAY,IAAI,iBAAiB,QAAQ,CAAC,aAAa,GAAG,CAAA;YAC5D,CAAC;YACD,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;QAC3B,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,GAAG,MAAM,GAAG,CAAC,CAAC;IAC5B,CAAC;IAED,IAAG,OAAO,CAAC,UAAU,EAAE,CAAC;QACtB,MAAM,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAA;QACzD,OAAO,CAAC,GAAG,CAAC,GAAG,MAAM,gBAAgB,CAAC,CAAA;QACtC,KAAI,MAAM,EAAE,IAAI,SAAS,EAAE,CAAC;YAC1B,MAAM,YAAY,GAAG,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,EAAE,CAAC,CAAA;YACtE,OAAO,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,MAAM,CAAC,CAAA;YACtC,KAAI,MAAM,CAAC,IAAI,YAAY,EAAG,CAAC;gBAC7B,IAAG,CAAC,CAAC,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;oBACxC,OAAO,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,iBAAiB,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,SAAS,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,UAAU,EAAE,CAAC,CAAA;oBACjH,0GAA0G;gBAC5G,CAAC;qBAAM,IAAG,CAAC,CAAC,MAAM,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;oBAC9C,OAAO,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,iBAAiB,MAAM,CAAC,CAAA;oBACvD,KAAI,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC;wBACxB,OAAO,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,SAAS,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,UAAU,EAAE,CAAC,CAAA;oBAClF,CAAC;oBACD,OAAO,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAA;gBAC/B,CAAC;YACH,CAAC;YAED,OAAO,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAA;QAC/B,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,GAAG,MAAM,GAAG,CAAC,CAAA;IAE3B,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;AAGlB,CAAC;AAED,YAAY,CAAC,QAAQ,CAAC,CAAA"}
|
|
@@ -0,0 +1,50 @@
|
|
|
1
|
+
export interface ActionExplain {
|
|
2
|
+
action: string;
|
|
3
|
+
matches: boolean;
|
|
4
|
+
}
|
|
5
|
+
export interface ResourceExplain {
|
|
6
|
+
resource: string;
|
|
7
|
+
resolvedValue?: string;
|
|
8
|
+
errors?: string[];
|
|
9
|
+
matches: boolean;
|
|
10
|
+
}
|
|
11
|
+
export interface PrincipalExplain {
|
|
12
|
+
principal: string;
|
|
13
|
+
matches: 'Match' | 'NoMatch' | 'AccountLevelMatch';
|
|
14
|
+
roleForSessionArn?: string;
|
|
15
|
+
errors?: string[];
|
|
16
|
+
}
|
|
17
|
+
export interface ConditionValueExplain {
|
|
18
|
+
value: string;
|
|
19
|
+
resolvedValue?: string;
|
|
20
|
+
matches: boolean;
|
|
21
|
+
matchingValues?: string[];
|
|
22
|
+
negativeMatchingValues?: string[];
|
|
23
|
+
errors?: string[];
|
|
24
|
+
}
|
|
25
|
+
export interface ConditionExplain {
|
|
26
|
+
operator: string;
|
|
27
|
+
conditionKeyValue: string;
|
|
28
|
+
resolvedConditionKeyValue?: string;
|
|
29
|
+
values: ConditionValueExplain | ConditionValueExplain[];
|
|
30
|
+
unmatchedValues?: string[];
|
|
31
|
+
matches: boolean;
|
|
32
|
+
matchedBecauseMissing?: boolean;
|
|
33
|
+
failedBecauseMissing?: boolean;
|
|
34
|
+
failedBecauseArray?: boolean;
|
|
35
|
+
failedBecauseNotArray?: boolean;
|
|
36
|
+
missingOperator?: boolean;
|
|
37
|
+
}
|
|
38
|
+
export interface StatementExplain {
|
|
39
|
+
matches: boolean;
|
|
40
|
+
identifier: string;
|
|
41
|
+
effect: string;
|
|
42
|
+
actions?: ActionExplain | ActionExplain[];
|
|
43
|
+
notActions?: ActionExplain | ActionExplain[];
|
|
44
|
+
resources?: ResourceExplain | ResourceExplain[];
|
|
45
|
+
notResources?: ResourceExplain | ResourceExplain[];
|
|
46
|
+
principals?: PrincipalExplain | PrincipalExplain[];
|
|
47
|
+
notPrincipals?: PrincipalExplain | PrincipalExplain[];
|
|
48
|
+
conditions?: ConditionExplain[];
|
|
49
|
+
}
|
|
50
|
+
//# sourceMappingURL=statementExplain.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"statementExplain.d.ts","sourceRoot":"","sources":["../../../src/explain/statementExplain.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,EAAE,OAAO,CAAA;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAA;IAChB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;IACjB,OAAO,EAAE,OAAO,CAAA;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,OAAO,GAAG,SAAS,GAAG,mBAAmB,CAAA;IAClD,iBAAiB,CAAC,EAAE,MAAM,CAAA;IAC1B,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAClB;AAED,MAAM,WAAW,qBAAqB;IACpC,KAAK,EAAE,MAAM,CAAA;IACb,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,OAAO,EAAE,OAAO,CAAA;IAChB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;IACzB,sBAAsB,CAAC,EAAE,MAAM,EAAE,CAAA;IACjC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAClB;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,iBAAiB,EAAE,MAAM,CAAA;IACzB,yBAAyB,CAAC,EAAE,MAAM,CAAA;IAClC,MAAM,EAAE,qBAAqB,GAAG,qBAAqB,EAAE,CAAA;IACvD,eAAe,CAAC,EAAE,MAAM,EAAE,CAAA;IAC1B,OAAO,EAAE,OAAO,CAAA;IAChB,qBAAqB,CAAC,EAAE,OAAO,CAAA;IAC/B,oBAAoB,CAAC,EAAE,OAAO,CAAA;IAC9B,kBAAkB,CAAC,EAAE,OAAO,CAAA;IAC5B,qBAAqB,CAAC,EAAE,OAAO,CAAA;IAC/B,eAAe,CAAC,EAAE,OAAO,CAAA;CAC1B;AAED,MAAM,WAAW,gBAAgB;IAQ/B,OAAO,EAAE,OAAO,CAAA;IAChB,UAAU,EAAE,MAAM,CAAA;IAClB,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,CAAC,EAAE,aAAa,GAAG,aAAa,EAAE,CAAA;IACzC,UAAU,CAAC,EAAE,aAAa,GAAG,aAAa,EAAE,CAAA;IAC5C,SAAS,CAAC,EAAE,eAAe,GAAG,eAAe,EAAE,CAAA;IAC/C,YAAY,CAAC,EAAE,eAAe,GAAG,eAAe,EAAE,CAAA;IAClD,UAAU,CAAC,EAAG,gBAAgB,GAAG,gBAAgB,EAAE,CAAA;IACnD,aAAa,CAAC,EAAE,gBAAgB,GAAG,gBAAgB,EAAE,CAAA;IACrD,UAAU,CAAC,EAAE,gBAAgB,EAAE,CAAA;CAChC"}
|
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
/*
|
|
4
|
+
I want to emit the policy object exactly as it was written. How do I get a structure
|
|
5
|
+
that matches the policy object exactly? Should I just embed the values in the explain?
|
|
6
|
+
*/
|
|
7
|
+
//# sourceMappingURL=statementExplain.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"statementExplain.js","sourceRoot":"","sources":["../../../src/explain/statementExplain.ts"],"names":[],"mappings":";;AA8DA;;;EAGE"}
|
package/dist/cjs/index.d.ts
CHANGED
|
@@ -2,6 +2,7 @@ export { typeForContextKey } from './context_keys/contextKeys.js';
|
|
|
2
2
|
export { BaseConditionKeyType, isConditionKeyArray, type ConditionKeyType } from './context_keys/contextKeyTypes.js';
|
|
3
3
|
export { findContextKeys } from './context_keys/findContextKeys.js';
|
|
4
4
|
export { type EvaluationResult } from './evaluate.js';
|
|
5
|
+
export type { ActionExplain, ConditionExplain, ConditionValueExplain, PrincipalExplain, ResourceExplain, StatementExplain } from './explain/statementExplain.js';
|
|
5
6
|
export { allowedContextKeysForRequest } from './simulation_engine/contextKeys.js';
|
|
6
7
|
export { type Simulation } from './simulation_engine/simulation.js';
|
|
7
8
|
export { runSimulation } from './simulation_engine/simulationEngine.js';
|
package/dist/cjs/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAC;AAClE,OAAO,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,KAAK,gBAAgB,EAAE,MAAM,mCAAmC,CAAC;AACrH,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAC;AACpE,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACtD,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAC;AAClF,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,mCAAmC,CAAC;AACpE,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAC;AACxE,OAAO,EAAE,KAAK,iBAAiB,EAAE,MAAM,0CAA0C,CAAC;AAClF,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAC;AACpF,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAC;AAClE,OAAO,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,KAAK,gBAAgB,EAAE,MAAM,mCAAmC,CAAC;AACrH,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAC;AACpE,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACtD,YAAY,EAAE,aAAa,EAAE,gBAAgB,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,+BAA+B,CAAC;AACjK,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAC;AAClF,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,mCAAmC,CAAC;AACpE,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAC;AACxE,OAAO,EAAE,KAAK,iBAAiB,EAAE,MAAM,0CAA0C,CAAC;AAClF,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAC;AACpF,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC"}
|
package/dist/cjs/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,gEAAkE;AAAzD,mHAAA,iBAAiB,OAAA;AAC1B,wEAAqH;AAAtF,yHAAA,mBAAmB,OAAA;AAClD,wEAAoE;AAA3D,qHAAA,eAAe,OAAA;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,gEAAkE;AAAzD,mHAAA,iBAAiB,OAAA;AAC1B,wEAAqH;AAAtF,yHAAA,mBAAmB,OAAA;AAClD,wEAAoE;AAA3D,qHAAA,eAAe,OAAA;AAGxB,qEAAkF;AAAzE,8HAAA,4BAA4B,OAAA;AAErC,+EAAwE;AAA/D,oHAAA,aAAa,OAAA;AAEtB,2FAAoF;AAA3E,gIAAA,mBAAmB,OAAA;AAC5B,qCAAiD;AAAxC,+GAAA,oBAAoB,OAAA"}
|
|
@@ -1,4 +1,5 @@
|
|
|
1
1
|
import { Principal, Statement } from "@cloud-copilot/iam-policy";
|
|
2
|
+
import { PrincipalExplain, StatementExplain } from "../explain/statementExplain.js";
|
|
2
3
|
import { AwsRequest } from "../request/request.js";
|
|
3
4
|
export type PrincipalMatchResult = 'Match' | 'NoMatch' | 'AccountLevelMatch';
|
|
4
5
|
/**
|
|
@@ -8,7 +9,10 @@ export type PrincipalMatchResult = 'Match' | 'NoMatch' | 'AccountLevelMatch';
|
|
|
8
9
|
* @param principal the list of principals in the Principal element of the Statement
|
|
9
10
|
* @returns if the request matches the Principal element, and if so, how it matches
|
|
10
11
|
*/
|
|
11
|
-
export declare function requestMatchesPrincipal(request: AwsRequest, principal: Principal[]):
|
|
12
|
+
export declare function requestMatchesPrincipal(request: AwsRequest, principal: Principal[]): {
|
|
13
|
+
matches: PrincipalMatchResult;
|
|
14
|
+
explains: PrincipalExplain[];
|
|
15
|
+
};
|
|
12
16
|
/**
|
|
13
17
|
* Check to see if a request matches a NotPrincipal element in an IAM policy statement
|
|
14
18
|
*
|
|
@@ -16,7 +20,10 @@ export declare function requestMatchesPrincipal(request: AwsRequest, principal:
|
|
|
16
20
|
* @param notPrincipal the list of principals in the NotPrincipal element of the Statement
|
|
17
21
|
* @returns
|
|
18
22
|
*/
|
|
19
|
-
export declare function requestMatchesNotPrincipal(request: AwsRequest, notPrincipal: Principal[]):
|
|
23
|
+
export declare function requestMatchesNotPrincipal(request: AwsRequest, notPrincipal: Principal[]): {
|
|
24
|
+
matches: PrincipalMatchResult;
|
|
25
|
+
explains: PrincipalExplain[];
|
|
26
|
+
};
|
|
20
27
|
/**
|
|
21
28
|
* Check to see if a request matches a principal statement
|
|
22
29
|
*
|
|
@@ -24,7 +31,7 @@ export declare function requestMatchesNotPrincipal(request: AwsRequest, notPrinc
|
|
|
24
31
|
* @param principalStatement the principal statement to check the request against
|
|
25
32
|
* @returns if the request matches the principal statement, and if so, how it matches
|
|
26
33
|
*/
|
|
27
|
-
export declare function requestMatchesPrincipalStatement(request: AwsRequest, principalStatement: Principal):
|
|
34
|
+
export declare function requestMatchesPrincipalStatement(request: AwsRequest, principalStatement: Principal): PrincipalExplain;
|
|
28
35
|
export declare function isAssumedRoleArn(principal: string): boolean;
|
|
29
36
|
export declare function roleArnFromAssumedRoleArn(assumedRoleArn: string): string;
|
|
30
37
|
/**
|
|
@@ -34,5 +41,8 @@ export declare function roleArnFromAssumedRoleArn(assumedRoleArn: string): strin
|
|
|
34
41
|
* @param statement the statement to check against
|
|
35
42
|
* @returns true if the request matches the resources in the statement, false otherwise
|
|
36
43
|
*/
|
|
37
|
-
export declare function requestMatchesStatementPrincipals(request: AwsRequest, statement: Statement):
|
|
44
|
+
export declare function requestMatchesStatementPrincipals(request: AwsRequest, statement: Statement): {
|
|
45
|
+
matches: PrincipalMatchResult;
|
|
46
|
+
details: Pick<StatementExplain, 'principals' | 'notPrincipals'>;
|
|
47
|
+
};
|
|
38
48
|
//# sourceMappingURL=principal.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"principal.d.ts","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AA4CnD,MAAM,MAAM,oBAAoB,GAAG,OAAO,GAAG,SAAS,GAAG,mBAAmB,CAAA;AAE5E;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,oBAAoB,
|
|
1
|
+
{"version":3,"file":"principal.d.ts","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,gCAAgC,CAAC;AACpF,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AA4CnD,MAAM,MAAM,oBAAoB,GAAG,OAAO,GAAG,SAAS,GAAG,mBAAmB,CAAA;AAE5E;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG;IAAC,OAAO,EAAE,oBAAoB,CAAC;IAAC,QAAQ,EAAE,gBAAgB,EAAE,CAAA;CAAC,CAoBlJ;AAED;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,SAAS,EAAE,GAAG;IAAC,OAAO,EAAE,oBAAoB,CAAC;IAAC,QAAQ,EAAE,gBAAgB,EAAE,CAAA;CAAC,CAyCxJ;AAED;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAAC,OAAO,EAAE,UAAU,EAAE,kBAAkB,EAAE,SAAS,GAAG,gBAAgB,CAqFrH;AAID,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAE3D;AAED,wBAAgB,yBAAyB,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAKxE;AAED;;;;;;GAMG;AACH,wBAAgB,iCAAiC,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,GAAG;IAAC,OAAO,EAAE,oBAAoB,CAAC;IAAC,OAAO,EAAE,IAAI,CAAC,gBAAgB,EAAE,YAAY,GAAG,eAAe,CAAC,CAAA;CAAC,CAS7L"}
|