@cloud-copilot/iam-simulate 0.1.12 → 0.1.13-1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/SCPAnalysis.d.ts.map +1 -1
- package/dist/cjs/StatementAnalysis.d.ts +14 -0
- package/dist/cjs/StatementAnalysis.d.ts.map +1 -1
- package/dist/cjs/StatementAnalysis.js +51 -0
- package/dist/cjs/StatementAnalysis.js.map +1 -1
- package/dist/cjs/action/action.d.ts +13 -3
- package/dist/cjs/action/action.d.ts.map +1 -1
- package/dist/cjs/action/action.js +43 -21
- package/dist/cjs/action/action.js.map +1 -1
- package/dist/cjs/condition/condition.d.ts +7 -3
- package/dist/cjs/condition/condition.d.ts.map +1 -1
- package/dist/cjs/condition/condition.js +138 -27
- package/dist/cjs/condition/condition.js.map +1 -1
- package/dist/cjs/core_engine/coreSimulatorEngine.d.ts +9 -11
- package/dist/cjs/core_engine/coreSimulatorEngine.d.ts.map +1 -1
- package/dist/cjs/core_engine/coreSimulatorEngine.js +136 -26
- package/dist/cjs/core_engine/coreSimulatorEngine.js.map +1 -1
- package/dist/cjs/evaluate.d.ts +46 -0
- package/dist/cjs/evaluate.d.ts.map +1 -1
- package/dist/cjs/explain/displayExplainCli.d.ts +3 -0
- package/dist/cjs/explain/displayExplainCli.d.ts.map +1 -0
- package/dist/cjs/explain/displayExplainCli.js +145 -0
- package/dist/cjs/explain/displayExplainCli.js.map +1 -0
- package/dist/cjs/explain/statementExplain.d.ts +50 -0
- package/dist/cjs/explain/statementExplain.d.ts.map +1 -0
- package/dist/cjs/explain/statementExplain.js +7 -0
- package/dist/cjs/explain/statementExplain.js.map +1 -0
- package/dist/cjs/index.d.ts +1 -0
- package/dist/cjs/index.d.ts.map +1 -1
- package/dist/cjs/index.js.map +1 -1
- package/dist/cjs/principal/principal.d.ts +14 -4
- package/dist/cjs/principal/principal.d.ts.map +1 -1
- package/dist/cjs/principal/principal.js +101 -33
- package/dist/cjs/principal/principal.js.map +1 -1
- package/dist/cjs/resource/resource.d.ts +13 -3
- package/dist/cjs/resource/resource.d.ts.map +1 -1
- package/dist/cjs/resource/resource.js +66 -14
- package/dist/cjs/resource/resource.js.map +1 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.d.ts +2 -34
- package/dist/cjs/services/DefaultServiceAuthorizer.d.ts.map +1 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.js +43 -127
- package/dist/cjs/services/DefaultServiceAuthorizer.js.map +1 -1
- package/dist/cjs/services/ServiceAuthorizer.d.ts +5 -7
- package/dist/cjs/services/ServiceAuthorizer.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/simulationEngine.d.ts +2 -4
- package/dist/cjs/simulation_engine/simulationEngine.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/simulationEngine.js +4 -6
- package/dist/cjs/simulation_engine/simulationEngine.js.map +1 -1
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.js +5 -4
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.js.map +1 -1
- package/dist/esm/SCPAnalysis.d.ts.map +1 -1
- package/dist/esm/StatementAnalysis.d.ts +14 -0
- package/dist/esm/StatementAnalysis.d.ts.map +1 -1
- package/dist/esm/StatementAnalysis.js +48 -1
- package/dist/esm/StatementAnalysis.js.map +1 -1
- package/dist/esm/action/action.d.ts +13 -3
- package/dist/esm/action/action.d.ts.map +1 -1
- package/dist/esm/action/action.js +43 -21
- package/dist/esm/action/action.js.map +1 -1
- package/dist/esm/condition/condition.d.ts +7 -3
- package/dist/esm/condition/condition.d.ts.map +1 -1
- package/dist/esm/condition/condition.js +138 -27
- package/dist/esm/condition/condition.js.map +1 -1
- package/dist/esm/core_engine/coreSimulatorEngine.d.ts +9 -11
- package/dist/esm/core_engine/coreSimulatorEngine.d.ts.map +1 -1
- package/dist/esm/core_engine/coreSimulatorEngine.js +136 -26
- package/dist/esm/core_engine/coreSimulatorEngine.js.map +1 -1
- package/dist/esm/evaluate.d.ts +46 -0
- package/dist/esm/evaluate.d.ts.map +1 -1
- package/dist/esm/explain/displayExplainCli.d.ts +3 -0
- package/dist/esm/explain/displayExplainCli.d.ts.map +1 -0
- package/dist/esm/explain/displayExplainCli.js +142 -0
- package/dist/esm/explain/displayExplainCli.js.map +1 -0
- package/dist/esm/explain/statementExplain.d.ts +50 -0
- package/dist/esm/explain/statementExplain.d.ts.map +1 -0
- package/dist/esm/explain/statementExplain.js +6 -0
- package/dist/esm/explain/statementExplain.js.map +1 -0
- package/dist/esm/index.d.ts +1 -0
- package/dist/esm/index.d.ts.map +1 -1
- package/dist/esm/index.js.map +1 -1
- package/dist/esm/principal/principal.d.ts +14 -4
- package/dist/esm/principal/principal.d.ts.map +1 -1
- package/dist/esm/principal/principal.js +101 -33
- package/dist/esm/principal/principal.js.map +1 -1
- package/dist/esm/resource/resource.d.ts +13 -3
- package/dist/esm/resource/resource.d.ts.map +1 -1
- package/dist/esm/resource/resource.js +66 -14
- package/dist/esm/resource/resource.js.map +1 -1
- package/dist/esm/services/DefaultServiceAuthorizer.d.ts +2 -34
- package/dist/esm/services/DefaultServiceAuthorizer.d.ts.map +1 -1
- package/dist/esm/services/DefaultServiceAuthorizer.js +43 -127
- package/dist/esm/services/DefaultServiceAuthorizer.js.map +1 -1
- package/dist/esm/services/ServiceAuthorizer.d.ts +5 -7
- package/dist/esm/services/ServiceAuthorizer.d.ts.map +1 -1
- package/dist/esm/simulation_engine/simulationEngine.d.ts +2 -4
- package/dist/esm/simulation_engine/simulationEngine.d.ts.map +1 -1
- package/dist/esm/simulation_engine/simulationEngine.js +5 -7
- package/dist/esm/simulation_engine/simulationEngine.js.map +1 -1
- package/dist/esm/simulation_engine/unsafeSimulationEngine.d.ts.map +1 -1
- package/dist/esm/simulation_engine/unsafeSimulationEngine.js +6 -5
- package/dist/esm/simulation_engine/unsafeSimulationEngine.js.map +1 -1
- package/package.json +2 -2
|
@@ -22,12 +22,22 @@ function convertResourceSegmentToRegex(segment) {
|
|
|
22
22
|
*/
|
|
23
23
|
export function requestMatchesStatementResources(request, statement) {
|
|
24
24
|
if (statement.isResourceStatement()) {
|
|
25
|
-
|
|
25
|
+
const { matches, explains } = requestMatchesResources(request, statement.resources());
|
|
26
|
+
if (!statement.resourceIsArray()) {
|
|
27
|
+
return { matches, details: { resources: explains[0] } };
|
|
28
|
+
}
|
|
29
|
+
return { matches, details: { resources: explains } };
|
|
30
|
+
// return requestMatchesResources(request, statement.resources());
|
|
26
31
|
}
|
|
27
32
|
else if (statement.isNotResourceStatement()) {
|
|
28
|
-
|
|
33
|
+
const { matches, explains } = requestMatchesNotResources(request, statement.notResources());
|
|
34
|
+
if (!statement.notResourceIsArray()) {
|
|
35
|
+
return { matches, details: { notResources: explains[0] } };
|
|
36
|
+
}
|
|
37
|
+
return { matches, details: { notResources: explains } };
|
|
38
|
+
// return requestMatchesNotResources(request, statement.notResources());
|
|
29
39
|
}
|
|
30
|
-
return true;
|
|
40
|
+
return { matches: true, details: {} };
|
|
31
41
|
}
|
|
32
42
|
/**
|
|
33
43
|
* Check if a request matches a set of resources.
|
|
@@ -37,7 +47,9 @@ export function requestMatchesStatementResources(request, statement) {
|
|
|
37
47
|
* @returns true if the request matches any of the resources, false otherwise
|
|
38
48
|
*/
|
|
39
49
|
export function requestMatchesResources(request, policyResources) {
|
|
40
|
-
|
|
50
|
+
const explains = policyResources.map(policyResource => singleResourceMatchesRequest(request, policyResource));
|
|
51
|
+
const matches = explains.some(explain => explain.matches);
|
|
52
|
+
return { matches, explains };
|
|
41
53
|
}
|
|
42
54
|
/**
|
|
43
55
|
* Check if a request matches a NotResource element in a policy.
|
|
@@ -47,7 +59,13 @@ export function requestMatchesResources(request, policyResources) {
|
|
|
47
59
|
* @returns true if the request does not match any of the resources, false otherwise
|
|
48
60
|
*/
|
|
49
61
|
export function requestMatchesNotResources(request, policyResources) {
|
|
50
|
-
|
|
62
|
+
const explains = policyResources.map(policyResource => {
|
|
63
|
+
const explain = singleResourceMatchesRequest(request, policyResource);
|
|
64
|
+
explain.matches = !explain.matches;
|
|
65
|
+
return explain;
|
|
66
|
+
});
|
|
67
|
+
const matches = explains.some(explain => explain.matches);
|
|
68
|
+
return { matches, explains };
|
|
51
69
|
}
|
|
52
70
|
/**
|
|
53
71
|
* Check if a single resource matches a request.
|
|
@@ -58,35 +76,69 @@ export function requestMatchesNotResources(request, policyResources) {
|
|
|
58
76
|
*/
|
|
59
77
|
function singleResourceMatchesRequest(request, policyResource) {
|
|
60
78
|
if (policyResource.isAllResources()) {
|
|
61
|
-
return
|
|
79
|
+
return {
|
|
80
|
+
resource: policyResource.value(),
|
|
81
|
+
matches: true,
|
|
82
|
+
};
|
|
62
83
|
}
|
|
63
84
|
else if (policyResource.isArnResource()) {
|
|
64
85
|
if (!request.resource) {
|
|
65
|
-
return
|
|
86
|
+
return {
|
|
87
|
+
resource: policyResource.value(),
|
|
88
|
+
matches: false,
|
|
89
|
+
errors: ['Request does not have a resource'],
|
|
90
|
+
};
|
|
66
91
|
}
|
|
67
92
|
const resource = request.resource;
|
|
68
93
|
if (!convertResourceSegmentToRegex(policyResource.partition()).test(resource.partition())) {
|
|
69
|
-
return
|
|
94
|
+
return {
|
|
95
|
+
resource: policyResource.value(),
|
|
96
|
+
matches: false,
|
|
97
|
+
errors: ['Partition does not match'],
|
|
98
|
+
};
|
|
70
99
|
}
|
|
71
100
|
if (!convertResourceSegmentToRegex(policyResource.service()).test(resource.service())) {
|
|
72
|
-
return
|
|
101
|
+
return {
|
|
102
|
+
resource: policyResource.value(),
|
|
103
|
+
matches: false,
|
|
104
|
+
errors: ['Service does not match'],
|
|
105
|
+
};
|
|
73
106
|
}
|
|
74
107
|
if (!convertResourceSegmentToRegex(policyResource.region()).test(resource.region())) {
|
|
75
|
-
return
|
|
108
|
+
return {
|
|
109
|
+
resource: policyResource.value(),
|
|
110
|
+
matches: false,
|
|
111
|
+
errors: ['Region does not match'],
|
|
112
|
+
};
|
|
76
113
|
}
|
|
77
114
|
if (!convertResourceSegmentToRegex(policyResource.account()).test(resource.account())) {
|
|
78
|
-
return
|
|
115
|
+
return {
|
|
116
|
+
resource: policyResource.value(),
|
|
117
|
+
matches: false,
|
|
118
|
+
errors: ['Account does not match'],
|
|
119
|
+
};
|
|
79
120
|
}
|
|
80
121
|
//Wildcards and variables are not allowed in the product segment https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html "Incorrect wildcard usage"
|
|
81
122
|
const [policyProduct, policyResourceId] = getResourceSegments(policyResource.resource());
|
|
82
123
|
if (!resource.resource().startsWith(policyProduct)) {
|
|
83
|
-
return
|
|
124
|
+
return {
|
|
125
|
+
resource: policyResource.value(),
|
|
126
|
+
matches: false,
|
|
127
|
+
errors: ['Product does not match'],
|
|
128
|
+
};
|
|
84
129
|
}
|
|
85
130
|
const requestResourceId = resource.resource().slice(policyProduct.length);
|
|
86
131
|
if (!convertIamStringToRegex(policyResourceId, request).test(requestResourceId)) {
|
|
87
|
-
return
|
|
132
|
+
return {
|
|
133
|
+
resource: policyResource.value(),
|
|
134
|
+
matches: false,
|
|
135
|
+
errors: ['Resource does not match'],
|
|
136
|
+
};
|
|
88
137
|
}
|
|
89
|
-
return
|
|
138
|
+
return {
|
|
139
|
+
resource: policyResource.value(),
|
|
140
|
+
matches: true,
|
|
141
|
+
};
|
|
90
142
|
}
|
|
91
143
|
else {
|
|
92
144
|
throw new Error('Unknown resource type');
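Review bot: `requestMatchesNotResources` folds the inverted per-entry results with `some`, so a statement with two or more `NotResource` entries is reported as matching whenever the request fails to match any one of them — a request for the first listed ARN still "matches" through the second entry — while the JSDoc directly above it ("true if the request does not match any of the resources") and IAM's NotResource semantics require that the request match none of them; `const matches = explains.some(explain => explain.matches);` in that function should be `const matches = explains.every(explain => explain.matches);`. Because an Allow with `NotResource` exists to carve out the listed ARNs, this over-grants on exactly those resources (and fails to apply a Deny written the same way); single-entry lists behave correctly, which is why a basic test would not catch it. The same inversion leaves each explain with `matches: true` beside `errors: ['Region does not match']`, which will read confusingly in the new explain output — either rename the field to `reasons` or document that for NotResource entries the reasons describe why the excluded ARN did not match. The `@returns` lines on `requestMatchesResources` and `requestMatchesNotResources` still promise `true`/`false` although both now return `{ matches, explains }`, and the two commented-out `// return requestMatches…` lines in `requestMatchesStatementResources` should be dropped rather than shipped. `singleResourceMatchesRequest`'s closing brace lies outside this section.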
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"resource.js","sourceRoot":"","sources":["../../../src/resource/resource.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"resource.js","sourceRoot":"","sources":["../../../src/resource/resource.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,uBAAuB,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAE1E,yHAAyH;AAEzH;;;;;GAKG;AACH,SAAS,6BAA6B,CAAC,OAAe;IACpD,IAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IACD,MAAM,OAAO,GAAG,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,GAAG,CAAA;IAC7E,OAAO,IAAI,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;AACjC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gCAAgC,CAAC,OAAmB,EAAE,SAAoB;IACxF,IAAG,SAAS,CAAC,mBAAmB,EAAE,EAAE,CAAC;QACnC,MAAM,EAAC,OAAO,EAAE,QAAQ,EAAC,GAAG,uBAAuB,CAAC,OAAO,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,CAAC;QACpF,IAAG,CAAC,SAAS,CAAC,eAAe,EAAE,EAAE,CAAC;YAChC,OAAO,EAAC,OAAO,EAAE,OAAO,EAAE,EAAC,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAC,EAAC,EAAC,CAAA;QACrD,CAAC;QACD,OAAO,EAAC,OAAO,EAAE,OAAO,EAAE,EAAC,SAAS,EAAE,QAAQ,EAAC,EAAC,CAAA;QAChD,kEAAkE;IACpE,CAAC;SAAM,IAAG,SAAS,CAAC,sBAAsB,EAAE,EAAE,CAAC;QAC7C,MAAM,EAAC,OAAO,EAAE,QAAQ,EAAC,GAAG,0BAA0B,CAAC,OAAO,EAAE,SAAS,CAAC,YAAY,EAAE,CAAC,CAAC;QAC1F,IAAG,CAAC,SAAS,CAAC,kBAAkB,EAAE,EAAE,CAAC;YACnC,OAAO,EAAC,OAAO,EAAE,OAAO,EAAE,EAAC,YAAY,EAAE,QAAQ,CAAC,CAAC,CAAC,EAAC,EAAC,CAAA;QACxD,CAAC;QACD,OAAO,EAAC,OAAO,EAAE,OAAO,EAAE,EAAC,YAAY,EAAE,QAAQ,EAAC,EAAC,CAAA;QACnD,wEAAwE;IAC1E,CAAC;IACD,OAAO,EAAC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAC,CAAC;AACtC,CAAC;AAGD;;;;;;GAMG;AACH,MAAM,UAAU,uBAAuB,CAAC,OAAmB,EAAE,eAA2B;IACtF,MAAM,QAAQ,GAAG,eAAe,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,CAAC,4BAA4B,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC,CAAA;IAC7G,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;IACzD,OAAO,EAAC,OAAO,EAAE,QAAQ,EAAC,CAAA;AAC5B,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,0BAA0B,CAAC,OAAmB,EAAE,eAA2B;IACzF,MAAM,QAAQ,GAAG,eAAe,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE;QACpD,MAAM,OAAO,GAAG,4BAA4B,CAAC,OAAO,EAAE,cAAc,CAAC,CAAA;QACrE,OAAO,CAAC,OAAO,GAAG,CAAC,OAAO,CAAC,OAAO,CAAA;QAClC,OAAO,OAAO,CAAA;IAChB,CAAC,CAAC,CAAA;IACF,MAAM,OAAO,GAAG,QAAQ,
CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;IACzD,OAAO,EAAC,OAAO,EAAE,QAAQ,EAAC,CAAA;AAC5B,CAAC;AAED;;;;;;GAMG;AACH,SAAS,4BAA4B,CAAC,OAAmB,EAAE,cAAwB;IACjF,IAAG,cAAc,CAAC,cAAc,EAAE,EAAE,CAAC;QACnC,OAAO;YACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;YAChC,OAAO,EAAE,IAAI;SACd,CAAC;IACJ,CAAC;SAAM,IAAG,cAAc,CAAC,aAAa,EAAE,EAAE,CAAC;QACzC,IAAG,CAAC,OAAO,CAAC,QAAQ,EAAG,CAAC;YACtB,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,kCAAkC,CAAC;aAC7C,CAAC;QACJ,CAAC;QAED,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAA;QACjC,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,SAAS,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC,EAAE,CAAC;YACzF,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,0BAA0B,CAAC;aACrC,CAAA;QACH,CAAC;QAED,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;YACrF,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,wBAAwB,CAAC;aACnC,CAAA;QACH,CAAC;QAED,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,CAAC;YACnF,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,uBAAuB,CAAC;aAClC,CAAA;QACH,CAAC;QAED,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;YACrF,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,wBAAwB,CAAC;aACnC,CAAA;QACH,CAAC;QAED,gKAAgK;QAChK,MAAM,CAAC,aAAa,EAAE,gBAAgB,CAAC,GAAG,mBAAmB,CAAC,cAAc,CAAC,QAAQ,EAAE,CAAC,CAAA;QAExF,IAAG,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;YAClD,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,wBAAwB,CAAC;aACnC,CAAA;QACH,CAAC;QAED,MAAM,iBAAiB,GAAG,QAAQ,CAAC,QAAQ,EAAE,CAAC,KAAK,CAAC,aAAa,CAAC,MAAM,CAAC,CAAA;QAEzE,IAAG,CAAC,uBAAuB,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,EAAE,CAAC;YAC/E,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,yBAAyB,CAAC
;aACpC,CAAA;QACH,CAAC;QAED,OAAO;YACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;YAChC,OAAO,EAAE,IAAI;SACd,CAAA;IACH,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;AACH,CAAC"}
|
|
@@ -1,41 +1,9 @@
|
|
|
1
|
-
import {
|
|
2
|
-
import { StatementAnalysis } from "../StatementAnalysis.js";
|
|
1
|
+
import { RequestAnalysis } from "../evaluate.js";
|
|
3
2
|
import { ServiceAuthorizationRequest, ServiceAuthorizer } from "./ServiceAuthorizer.js";
|
|
4
3
|
/**
|
|
5
4
|
* The default authorizer for services.
|
|
6
5
|
*/
|
|
7
6
|
export declare class DefaultServiceAuthorizer implements ServiceAuthorizer {
|
|
8
|
-
authorize(request: ServiceAuthorizationRequest):
|
|
9
|
-
/**
|
|
10
|
-
* Determine the result of the SCP analysis.
|
|
11
|
-
*
|
|
12
|
-
* @param request The request to authorize.
|
|
13
|
-
* @returns The result of the SCP analysis.
|
|
14
|
-
*/
|
|
15
|
-
serviceControlPolicyResult(request: ServiceAuthorizationRequest): EvaluationResult;
|
|
16
|
-
/**
|
|
17
|
-
* Evaluate the identity statements to determine the result.
|
|
18
|
-
*
|
|
19
|
-
* @param request The request to authorize.
|
|
20
|
-
* @returns The result of the identity statement analysis.
|
|
21
|
-
*/
|
|
22
|
-
identityStatementResult(request: ServiceAuthorizationRequest): EvaluationResult;
|
|
23
|
-
/**
|
|
24
|
-
* Evaluate the resource policy to determine the result.
|
|
25
|
-
*
|
|
26
|
-
* @param request the request to authorize
|
|
27
|
-
* @returns the result of the resource policy analysis
|
|
28
|
-
*/
|
|
29
|
-
resourcePolicyResult(request: ServiceAuthorizationRequest): ResourceEvaluationResult;
|
|
30
|
-
/**
|
|
31
|
-
* Checks if a statement is an identity statement that allows the request.
|
|
32
|
-
*
|
|
33
|
-
* @param statement The statement to check.
|
|
34
|
-
* @returns Whether the statement is an identity statement that allows the request.
|
|
35
|
-
*/
|
|
36
|
-
identityStatementAllows(statement: StatementAnalysis): boolean;
|
|
37
|
-
identityStatementUknownAllow(statement: StatementAnalysis): boolean;
|
|
38
|
-
identityStatementUknownDeny(statement: StatementAnalysis): boolean;
|
|
39
|
-
identityStatementExplicitDeny(statement: StatementAnalysis): boolean;
|
|
7
|
+
authorize(request: ServiceAuthorizationRequest): RequestAnalysis;
|
|
40
8
|
}
|
|
41
9
|
//# sourceMappingURL=DefaultServiceAuthorizer.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACjD,OAAO,EAAE,2BAA2B,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAExF;;GAEG;AACH,qBAAa,wBAAyB,YAAW,iBAAiB;IACzD,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe;CA6KxE"}
|
|
@@ -3,35 +3,66 @@
|
|
|
3
3
|
*/
|
|
4
4
|
export class DefaultServiceAuthorizer {
|
|
5
5
|
authorize(request) {
|
|
6
|
-
const scpResult =
|
|
7
|
-
const identityStatementResult =
|
|
8
|
-
const resourcePolicyResult =
|
|
6
|
+
const scpResult = request.scpAnalysis.result;
|
|
7
|
+
const identityStatementResult = request.identityAnalysis.result;
|
|
8
|
+
const resourcePolicyResult = request.resourceAnalysis?.result;
|
|
9
9
|
const principalAccount = request.request.principal.accountId();
|
|
10
10
|
const resourceAccount = request.request.resource?.accountId();
|
|
11
|
+
const sameAccount = principalAccount === resourceAccount;
|
|
12
|
+
const baseResult = {
|
|
13
|
+
sameAccount,
|
|
14
|
+
identityAnalysis: request.identityAnalysis,
|
|
15
|
+
scpAnalysis: request.scpAnalysis,
|
|
16
|
+
resourceAnalysis: request.resourceAnalysis
|
|
17
|
+
};
|
|
11
18
|
if (scpResult !== 'Allowed') {
|
|
12
|
-
return
|
|
19
|
+
return {
|
|
20
|
+
result: scpResult,
|
|
21
|
+
...baseResult
|
|
22
|
+
};
|
|
13
23
|
}
|
|
14
24
|
if (resourcePolicyResult === 'ExplicitlyDenied' || resourcePolicyResult === 'DeniedForAccount') {
|
|
15
|
-
return
|
|
25
|
+
return {
|
|
26
|
+
result: 'ExplicitlyDenied',
|
|
27
|
+
...baseResult
|
|
28
|
+
};
|
|
16
29
|
}
|
|
17
30
|
if (identityStatementResult === 'ExplicitlyDenied') {
|
|
18
|
-
return
|
|
31
|
+
return {
|
|
32
|
+
result: 'ExplicitlyDenied',
|
|
33
|
+
...baseResult
|
|
34
|
+
};
|
|
19
35
|
}
|
|
20
36
|
//Same Account
|
|
21
37
|
if (principalAccount === resourceAccount) {
|
|
22
38
|
if (resourcePolicyResult === 'Allowed' || resourcePolicyResult === 'AllowedForAccount' || identityStatementResult === 'Allowed') {
|
|
23
|
-
return
|
|
39
|
+
return {
|
|
40
|
+
result: 'Allowed',
|
|
41
|
+
...baseResult
|
|
42
|
+
};
|
|
24
43
|
}
|
|
25
|
-
return
|
|
44
|
+
return {
|
|
45
|
+
result: 'ImplicitlyDenied',
|
|
46
|
+
...baseResult
|
|
47
|
+
};
|
|
26
48
|
}
|
|
27
49
|
//Cross Account
|
|
28
50
|
if (resourcePolicyResult === 'Allowed' || resourcePolicyResult === 'AllowedForAccount') {
|
|
29
51
|
if (identityStatementResult === 'Allowed') {
|
|
30
|
-
return
|
|
52
|
+
return {
|
|
53
|
+
result: 'Allowed',
|
|
54
|
+
...baseResult
|
|
55
|
+
};
|
|
31
56
|
}
|
|
32
|
-
return
|
|
33
|
-
|
|
34
|
-
|
|
57
|
+
return {
|
|
58
|
+
result: 'ImplicitlyDenied',
|
|
59
|
+
...baseResult
|
|
60
|
+
};
|
|
61
|
+
}
|
|
62
|
+
return {
|
|
63
|
+
result: 'ImplicitlyDenied',
|
|
64
|
+
...baseResult
|
|
65
|
+
};
|
|
35
66
|
/**
|
|
36
67
|
* Add checks for:
|
|
37
68
|
* * root user
|
|
@@ -42,120 +73,5 @@ export class DefaultServiceAuthorizer {
|
|
|
42
73
|
* * session policies (maybe these are just part of identity policies?)
|
|
43
74
|
*/
|
|
44
75
|
}
|
|
45
|
-
/**
|
|
46
|
-
* Determine the result of the SCP analysis.
|
|
47
|
-
*
|
|
48
|
-
* @param request The request to authorize.
|
|
49
|
-
* @returns The result of the SCP analysis.
|
|
50
|
-
*/
|
|
51
|
-
serviceControlPolicyResult(request) {
|
|
52
|
-
const orgAllows = request.scpAnalysis.map((scpAnalysis) => {
|
|
53
|
-
return scpAnalysis.statementAnalysis.some((statement) => {
|
|
54
|
-
return this.identityStatementAllows(statement);
|
|
55
|
-
});
|
|
56
|
-
});
|
|
57
|
-
if (orgAllows.includes(false)) {
|
|
58
|
-
return 'ImplicitlyDenied';
|
|
59
|
-
}
|
|
60
|
-
const anyScpDeny = request.scpAnalysis.some((scpAnalysis) => {
|
|
61
|
-
return scpAnalysis.statementAnalysis.some((statement) => {
|
|
62
|
-
return this.identityStatementExplicitDeny(statement);
|
|
63
|
-
});
|
|
64
|
-
});
|
|
65
|
-
if (anyScpDeny) {
|
|
66
|
-
return 'ExplicitlyDenied';
|
|
67
|
-
}
|
|
68
|
-
return 'Allowed';
|
|
69
|
-
}
|
|
70
|
-
/**
|
|
71
|
-
* Evaluate the identity statements to determine the result.
|
|
72
|
-
*
|
|
73
|
-
* @param request The request to authorize.
|
|
74
|
-
* @returns The result of the identity statement analysis.
|
|
75
|
-
*/
|
|
76
|
-
identityStatementResult(request) {
|
|
77
|
-
const explicitDeny = request.identityStatements.some(s => this.identityStatementExplicitDeny(s));
|
|
78
|
-
if (explicitDeny) {
|
|
79
|
-
return 'ExplicitlyDenied';
|
|
80
|
-
}
|
|
81
|
-
const explicitAllow = request.identityStatements.some(s => this.identityStatementAllows(s));
|
|
82
|
-
const possibleDeny = request.identityStatements.some(s => this.identityStatementUknownDeny(s));
|
|
83
|
-
if (explicitAllow) {
|
|
84
|
-
return possibleDeny ? 'Unknown' : 'Allowed';
|
|
85
|
-
}
|
|
86
|
-
const possibleAllow = request.identityStatements.some(s => this.identityStatementUknownAllow(s));
|
|
87
|
-
if (possibleAllow) {
|
|
88
|
-
return 'Unknown';
|
|
89
|
-
}
|
|
90
|
-
return 'ImplicitlyDenied';
|
|
91
|
-
}
|
|
92
|
-
/**
|
|
93
|
-
* Evaluate the resource policy to determine the result.
|
|
94
|
-
*
|
|
95
|
-
* @param request the request to authorize
|
|
96
|
-
* @returns the result of the resource policy analysis
|
|
97
|
-
*/
|
|
98
|
-
resourcePolicyResult(request) {
|
|
99
|
-
if (!request.resourceAnalysis) {
|
|
100
|
-
return 'NotApplicable';
|
|
101
|
-
}
|
|
102
|
-
const denyStatements = request.resourceAnalysis.filter(s => this.identityStatementExplicitDeny(s));
|
|
103
|
-
if (denyStatements.some(s => s.principalMatch === 'Match')) {
|
|
104
|
-
return 'ExplicitlyDenied';
|
|
105
|
-
}
|
|
106
|
-
if (denyStatements.some(s => s.principalMatch === 'AccountLevelMatch')) {
|
|
107
|
-
return 'DeniedForAccount';
|
|
108
|
-
}
|
|
109
|
-
const allowStatements = request.resourceAnalysis.filter(s => this.identityStatementAllows(s));
|
|
110
|
-
if (allowStatements.some(s => s.principalMatch === 'Match')) {
|
|
111
|
-
return 'Allowed';
|
|
112
|
-
}
|
|
113
|
-
if (allowStatements.some(s => s.principalMatch === 'AccountLevelMatch')) {
|
|
114
|
-
return 'AllowedForAccount';
|
|
115
|
-
}
|
|
116
|
-
return 'ImplicityDenied';
|
|
117
|
-
}
|
|
118
|
-
/**
|
|
119
|
-
* Checks if a statement is an identity statement that allows the request.
|
|
120
|
-
*
|
|
121
|
-
* @param statement The statement to check.
|
|
122
|
-
* @returns Whether the statement is an identity statement that allows the request.
|
|
123
|
-
*/
|
|
124
|
-
identityStatementAllows(statement) {
|
|
125
|
-
if (statement.resourceMatch &&
|
|
126
|
-
statement.actionMatch &&
|
|
127
|
-
statement.conditionMatch === 'Match' &&
|
|
128
|
-
statement.statement.effect() === 'Allow') {
|
|
129
|
-
return true;
|
|
130
|
-
}
|
|
131
|
-
return false;
|
|
132
|
-
}
|
|
133
|
-
identityStatementUknownAllow(statement) {
|
|
134
|
-
if (statement.resourceMatch &&
|
|
135
|
-
statement.actionMatch &&
|
|
136
|
-
statement.conditionMatch === 'Unknown' &&
|
|
137
|
-
statement.statement.effect() === 'Allow') {
|
|
138
|
-
return true;
|
|
139
|
-
}
|
|
140
|
-
return false;
|
|
141
|
-
}
|
|
142
|
-
identityStatementUknownDeny(statement) {
|
|
143
|
-
if (statement.resourceMatch &&
|
|
144
|
-
statement.actionMatch &&
|
|
145
|
-
statement.conditionMatch === 'Unknown' &&
|
|
146
|
-
statement.statement.effect() === 'Deny') {
|
|
147
|
-
return true;
|
|
148
|
-
}
|
|
149
|
-
return false;
|
|
150
|
-
}
|
|
151
|
-
identityStatementExplicitDeny(statement) {
|
|
152
|
-
if (statement.resourceMatch &&
|
|
153
|
-
statement.actionMatch &&
|
|
154
|
-
statement.conditionMatch === 'Match' &&
|
|
155
|
-
statement.statement.effect() === 'Deny') {
|
|
156
|
-
return true;
|
|
157
|
-
}
|
|
158
|
-
return false;
|
|
159
|
-
}
|
|
160
76
|
}
|
|
161
77
|
//# sourceMappingURL=DefaultServiceAuthorizer.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAGA;;GAEG;AACH,MAAM,OAAO,wBAAwB;IAC5B,SAAS,CAAC,OAAoC;QACnD,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAC;QAC7C,MAAM,uBAAuB,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAC;QAChE,MAAM,oBAAoB,GAAG,OAAO,CAAC,gBAAgB,EAAE,MAAM,CAAA;QAE7D,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;QAC7D,MAAM,WAAW,GAAG,gBAAgB,KAAK,eAAe,CAAA;QAExD,MAAM,UAAU,GAAoG;YAClH,WAAW;YACX,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;SAC3C,CAAA;QAED,IAAG,SAAS,KAAK,SAAS,EAAE,CAAC;YAC3B,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAG,oBAAoB,KAAK,kBAAkB,IAAI,oBAAoB,KAAK,kBAAkB,EAAE,CAAC;YAC9F,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAG,uBAAuB,KAAK,kBAAkB,EAAE,CAAC;YAClD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,cAAc;QACd,IAAG,gBAAgB,KAAK,eAAe,EAAE,CAAC;YACxC,IAAG,oBAAoB,KAAK,SAAS,IAAI,oBAAoB,KAAK,mBAAmB,IAAI,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBAC/H,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,eAAe;QACf,IAAG,oBAAoB,KAAK,SAAS,IAAI,oBAAoB,KAAK,mBAAmB,EAAE,CAAC;YACtF,IAAG,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBACzC,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,OAAO;YACL,MAAM,EAAE,kBAAkB;YAC1B,GAAG,UAAU;SACd,CAAA;QAED;;;;;;;;WAQG;IACL,CAAC;CA8FF"}
|
|
@@ -1,14 +1,12 @@
|
|
|
1
|
-
import {
|
|
1
|
+
import { IdentityAnalysis, RequestAnalysis, ResourceAnalysis, ScpAnalysis } from "../evaluate.js";
|
|
2
2
|
import { AwsRequest } from "../request/request.js";
|
|
3
|
-
import { SCPAnalysis } from "../SCPAnalysis.js";
|
|
4
|
-
import { StatementAnalysis } from "../StatementAnalysis.js";
|
|
5
3
|
export interface ServiceAuthorizationRequest {
|
|
6
4
|
request: AwsRequest;
|
|
7
|
-
|
|
8
|
-
scpAnalysis:
|
|
9
|
-
resourceAnalysis:
|
|
5
|
+
identityAnalysis: IdentityAnalysis;
|
|
6
|
+
scpAnalysis: ScpAnalysis;
|
|
7
|
+
resourceAnalysis: ResourceAnalysis;
|
|
10
8
|
}
|
|
11
9
|
export interface ServiceAuthorizer {
|
|
12
|
-
authorize(request: ServiceAuthorizationRequest):
|
|
10
|
+
authorize(request: ServiceAuthorizationRequest): RequestAnalysis;
|
|
13
11
|
}
|
|
14
12
|
//# sourceMappingURL=ServiceAuthorizer.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/ServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,
|
|
1
|
+
{"version":3,"file":"ServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/ServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAClG,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAEnD,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,UAAU,CAAC;IACpB,gBAAgB,EAAE,gBAAgB,CAAC;IACnC,WAAW,EAAE,WAAW,CAAC;IACzB,gBAAgB,EAAE,gBAAgB,CAAC;CACpC;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe,CAAA;CACjE"}
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import { ValidationError } from "@cloud-copilot/iam-policy";
|
|
2
|
-
import {
|
|
2
|
+
import { RequestAnalysis } from "../evaluate.js";
|
|
3
3
|
import { Simulation } from "./simulation.js";
|
|
4
4
|
import { SimulationOptions } from "./simulationOptions.js";
|
|
5
5
|
export interface SimulationErrors {
|
|
@@ -10,9 +10,7 @@ export interface SimulationErrors {
|
|
|
10
10
|
}
|
|
11
11
|
export interface SimulationResult {
|
|
12
12
|
errors?: SimulationErrors;
|
|
13
|
-
|
|
14
|
-
evaluationResult: EvaluationResult;
|
|
15
|
-
};
|
|
13
|
+
analysis?: RequestAnalysis;
|
|
16
14
|
}
|
|
17
15
|
/**
|
|
18
16
|
* Run a simulation with validation
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"simulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":"AACA,OAAO,
|
|
1
|
+
{"version":3,"file":"simulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":"AACA,OAAO,EAAsH,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAIhL,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAKjD,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC7C,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAE3D,MAAM,WAAW,gBAAgB;IAC/B,oBAAoB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAC;IACzD,yBAAyB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAC;IAC9D,oBAAoB,CAAC,EAAE,eAAe,EAAE,CAAC;IACzC,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,CAAC,EAAE,gBAAgB,CAAC;IAC1B,QAAQ,CAAC,EAAE,eAAe,CAAA;CAC3B;AAED;;;;;;GAMG;AACH,wBAAsB,aAAa,CAAC,UAAU,EAAE,UAAU,EAAE,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAAG,OAAO,CAAC,gBAAgB,CAAC,CA6HpI;AAED,wBAAsB,6BAA6B,CAAC,UAAU,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAC,CA0BtH"}
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import { iamActionExists, iamServiceExists } from "@cloud-copilot/iam-data";
|
|
2
|
-
import {
|
|
2
|
+
import { loadAnnotatedPolicy, validateIdentityPolicy, validateResourcePolicy, validateServiceControlPolicy } from "@cloud-copilot/iam-policy";
|
|
3
3
|
import { isConditionKeyArray } from "../context_keys/contextKeyTypes.js";
|
|
4
4
|
import { normalizeContextKeyCase, typeForContextKey } from "../context_keys/contextKeys.js";
|
|
5
5
|
import { authorize } from "../core_engine/coreSimulatorEngine.js";
|
|
@@ -21,7 +21,7 @@ export async function runSimulation(simulation, simulationOptions) {
|
|
|
21
21
|
const { name, policy } = value;
|
|
22
22
|
const validationErrors = validateIdentityPolicy(policy);
|
|
23
23
|
if (validationErrors.length == 0) {
|
|
24
|
-
identityPolicies.push(
|
|
24
|
+
identityPolicies.push(loadAnnotatedPolicy(policy));
|
|
25
25
|
}
|
|
26
26
|
else {
|
|
27
27
|
identityPolicyErrors[name] = validationErrors;
|
|
@@ -38,7 +38,7 @@ export async function runSimulation(simulation, simulationOptions) {
|
|
|
38
38
|
seviceControlPolicyErrors[name] = validationErrors;
|
|
39
39
|
}
|
|
40
40
|
else {
|
|
41
|
-
validPolicies.push(
|
|
41
|
+
validPolicies.push(loadAnnotatedPolicy(policy));
|
|
42
42
|
}
|
|
43
43
|
});
|
|
44
44
|
return {
|
|
@@ -59,7 +59,7 @@ export async function runSimulation(simulation, simulationOptions) {
|
|
|
59
59
|
}
|
|
60
60
|
};
|
|
61
61
|
}
|
|
62
|
-
const resourcePolicy = simulation.resourcePolicy ?
|
|
62
|
+
const resourcePolicy = simulation.resourcePolicy ? loadAnnotatedPolicy(simulation.resourcePolicy) : undefined;
|
|
63
63
|
if (simulation.request.action.split(":").length != 2) {
|
|
64
64
|
return {
|
|
65
65
|
errors: {
|
|
@@ -123,9 +123,7 @@ export async function runSimulation(simulation, simulationOptions) {
|
|
|
123
123
|
resourcePolicy
|
|
124
124
|
});
|
|
125
125
|
return {
|
|
126
|
-
|
|
127
|
-
evaluationResult: simulationResult
|
|
128
|
-
}
|
|
126
|
+
analysis: simulationResult
|
|
129
127
|
};
|
|
130
128
|
}
|
|
131
129
|
export async function normalizeSimulationParameters(simulation) {
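Review bot: The hunk at `@@ -123,9 +123,7 @@` changes the public return shape of `runSimulation` from `{ evaluationResult }` to `{ analysis }`, and the matching `.d.ts` hunk makes both `errors` and `analysis` optional, so a JavaScript consumer that still reads `result.evaluationResult` gets `undefined` with no type error and any decision check built on that field silently stops matching. That is a breaking contract change shipped under a prerelease patch bump (0.1.12 → 0.1.13-1); if `simulationResult` is the object returned by `authorize` as it is in `unsafeSimulationEngine.js`, a one-release compatibility shim would be `analysis: simulationResult, evaluationResult: simulationResult.result, // deprecated, removed next minor`. The `.d.ts` should also state that exactly one of `errors` / `analysis` is present on a `SimulationResult`, or model it as a union, since the validation early-returns only ever set `errors`. `runSimulation` starts before the first hunk of this section, so the wording of its JSDoc is not visible here.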
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"simulationEngine.js","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC5E,OAAO,
|
|
1
|
+
{"version":3,"file":"simulationEngine.js","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC5E,OAAO,EAAmB,mBAAmB,EAAE,sBAAsB,EAAE,sBAAsB,EAAE,4BAA4B,EAAmB,MAAM,2BAA2B,CAAC;AAChL,OAAO,EAAE,mBAAmB,EAAE,MAAM,oCAAoC,CAAC;AACzE,OAAO,EAAE,uBAAuB,EAAE,iBAAiB,EAAE,MAAM,gCAAgC,CAAC;AAC5F,OAAO,EAAE,SAAS,EAA0B,MAAM,uCAAuC,CAAC;AAE1F,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAC1D,OAAO,EAAE,yBAAyB,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAC7E,OAAO,EAAE,4BAA4B,EAAE,MAAM,kBAAkB,CAAC;AAgBhE;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,UAAsB,EAAE,iBAA6C;IACvG,MAAM,oBAAoB,GAAsC,EAAE,CAAC;IACnE,MAAM,gBAAgB,GAAsB,EAAE,CAAC;IAC/C,UAAU,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE;QAC5C,MAAM,EAAC,IAAI,EAAE,MAAM,EAAC,GAAG,KAAK,CAAC;QAC7B,MAAM,gBAAgB,GAAG,sBAAsB,CAAC,MAAM,CAAC,CAAC;QACxD,IAAG,gBAAgB,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;YAChC,gBAAgB,CAAC,IAAI,CAAC,mBAAmB,CAAC,MAAM,CAAC,CAAC,CAAC;QACrD,CAAC;aAAM,CAAC;YACN,oBAAoB,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC;QAChD,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,MAAM,yBAAyB,GAAsC,EAAE,CAAC;IACxE,MAAM,sBAAsB,GAA6B,UAAU,CAAC,sBAAsB,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;QACrG,MAAM,IAAI,GAAG,GAAG,CAAC,aAAa,CAAC;QAC/B,MAAM,aAAa,GAAsB,EAAE,CAAC;QAE5C,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE;YAC7B,MAAM,EAAC,IAAI,EAAE,MAAM,EAAC,GAAG,KAAK,CAAC;YAC7B,MAAM,gBAAgB,GAAG,4BAA4B,CAAC,MAAM,CAAC,CAAC;YAC9D,IAAG,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC/B,yBAAyB,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC;YACrD,CAAC;iBAAM,CAAC;gBACN,aAAa,CAAC,IAAI,CAAC,mBAAmB,CAAC,MAAM,CAAC,CAAC,CAAC;YAClD,CAAC;QACH,CAAC,CAAC,CAAA;QAEF,OAAO;YACL,aAAa,EAAE,IAAI;YACnB,QAAQ,EAAE,aAAa;SACxB,CAAA;IACH,CAAC,CAAC,CAAA;IAEF,MAAM,oBAAoB,GAAG,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,sBAAsB,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAEhH,IAAG,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,MAAM,GAAG,CAAC;QAC5C,MAAM,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC,MAAM,GAAG,CAAC;QACjD,oBAAoB,CAAC,MAAM,GAA
G,CAAC,EAAE,CAAC;QACnC,OAAO;YACL,MAAM,EAAE;gBACN,oBAAoB;gBACpB,yBAAyB;gBACzB,oBAAoB;gBACpB,OAAO,EAAE,eAAe;aACzB;SACF,CAAA;IACH,CAAC;IAED,MAAM,cAAc,GAAG,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,mBAAmB,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAE9G,IAAG,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QACpD,OAAO;YACL,MAAM,EAAE;gBACN,OAAO,EAAE,gBAAgB;aAC1B;SACF,CAAA;IACH,CAAC;IAED,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,GAAG,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/D,MAAM,YAAY,GAAG,MAAM,gBAAgB,CAAC,OAAO,CAAC,CAAC;IACrD,IAAG,CAAC,YAAY,EAAE,CAAC;QACjB,OAAO;YACL,MAAM,EAAE;gBACN,OAAO,EAAE,iBAAiB;aAC3B;SACF,CAAA;IACH,CAAC;IACD,MAAM,WAAW,GAAG,MAAM,eAAe,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC3D,IAAG,CAAC,WAAW,EAAE,CAAC;QAChB,OAAO;YACL,MAAM,EAAE;gBACN,OAAO,EAAE,gBAAgB;aAC1B;SACF,CAAA;IACH,CAAC;IAED,MAAM,WAAW,GAAG,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC;IACzD,MAAM,oBAAoB,GAAG,MAAM,oBAAoB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACzE,IAAG,oBAAoB,EAAE,CAAC;QACxB,IAAG,WAAW,KAAK,GAAG,EAAE,CAAC;YACvB,OAAO;gBACL,MAAM,EAAE;oBACN,OAAO,EAAE,mBAAmB;iBAC7B;aACF,CAAA;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,MAAM,aAAa,GAAG,MAAM,yBAAyB,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC;QACpF,IAAG,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC9B,OAAO;gBACL,MAAM,EAAE;oBACN,OAAO,EAAE,mBAAmB;iBAC7B;aAEF,CAAA;QACH,CAAC;aAAM,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpC,OAAO;gBACL,MAAM,EAAE;oBACN,OAAO,EAAE,yBAAyB;iBACnC;aACF,CAAA;QACH,CAAC;IACH,CAAC;IAED,MAAM,aAAa,GAAG,MAAM,6BAA6B,CAAC,UAAU,CAAC,CAAC;IAEtE,MAAM,gBAAgB,GAAG,SAAS,CAAC;QACjC,OAAO,EAAE,IAAI,cAAc,CACzB,UAAU,CAAC,OAAO,CAAC,SAAS,EAC5B;YACE,QAAQ,EAAE,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ;YAC9C,SAAS,EAAE,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS;SACjD,EACD,UAAU,CAAC,OAAO,CAAC,MAAM,EACzB,IAAI,kBAAkB,CAAC,aAAa,CAAC,CACtC;QACD,gBAAgB;QAChB,sBAAsB;QACtB,cAAc;KACf,CAAC,CAAA;IAEF,OAAO;QACL,QAAQ,EAAE,gBAAgB;KAC3B,CAAA;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,6BAA6B,CAAC,UAAsB;IACxE,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,GAAG,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,
CAAC;IAC/D,MAAM,WAAW,GAAG,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC;IACzD,MAAM,yBAAyB,GAAG,IAAI,GAAG,CAAC,MAAM,4BAA4B,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC,CAAA;IAE3G,4FAA4F;IAC5F,MAAM,kBAAkB,GAAsC,EAAE,CAAC;IACjE,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACnE,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC;QACvD,MAAM,YAAY,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;QACvC,IAAI,yBAAyB,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,uBAAuB,CAAC,YAAY,EAAE,yBAAyB,CAAC,EAAE,CAAC;YAEpH,MAAM,aAAa,GAAG,MAAM,iBAAiB,CAAC,YAAY,CAAC,CAAC;YAC5D,MAAM,aAAa,GAAG,MAAM,uBAAuB,CAAC,GAAG,CAAC,CAAC;YAEzD,IAAG,mBAAmB,CAAC,aAAa,CAAC,EAAE,CAAC;gBACtC,kBAAkB,CAAC,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC;YACrD,CAAC;iBAAM,IAAG,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC/B,kBAAkB,CAAC,aAAa,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAC/C,CAAC;iBAAM,CAAC;gBACN,kBAAkB,CAAC,aAAa,CAAC,GAAG,KAAK,CAAC;YAC5C,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,kBAAkB,CAAA;AAC3B,CAAC;AAED,SAAS,uBAAuB,CAAC,YAAoB,EAAE,gBAA6B;IAClF,MAAM,eAAe,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAClD,IAAG,eAAe,KAAK,CAAC,CAAC,EAAE,CAAC;QAC1B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,eAAe,GAAG,CAAC,CAAC,CAAC;IAC1D,KAAI,MAAM,QAAQ,IAAI,gBAAgB,EAAE,CAAC;QACvC,IAAG,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YAC/B,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"unsafeSimulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/unsafeSimulationEngine.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAGvD,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC7C,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAE3D;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,UAAU,EAAE,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAAG,gBAAgB,
|
|
1
|
+
{"version":3,"file":"unsafeSimulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/unsafeSimulationEngine.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAGvD,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC7C,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAE3D;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,UAAU,EAAE,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAAG,gBAAgB,CAyB3H"}
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import {
|
|
1
|
+
import { loadAnnotatedPolicy } from "@cloud-copilot/iam-policy";
|
|
2
2
|
import { authorize } from "../core_engine/coreSimulatorEngine.js";
|
|
3
3
|
import { AwsRequestImpl } from "../request/request.js";
|
|
4
4
|
import { RequestContextImpl } from "../requestContext.js";
|
|
@@ -11,10 +11,10 @@ import { RequestContextImpl } from "../requestContext.js";
|
|
|
11
11
|
* @returns The result of the simulation.
|
|
12
12
|
*/
|
|
13
13
|
export function runUnsafeSimulation(simulation, simulationOptions) {
|
|
14
|
-
const identityPolicies = Object.values(simulation.identityPolicies).map(p =>
|
|
14
|
+
const identityPolicies = Object.values(simulation.identityPolicies).map(p => loadAnnotatedPolicy(p.policy));
|
|
15
15
|
const serviceControlPolicies = simulation.serviceControlPolicies.map((scp) => {
|
|
16
16
|
const ouId = scp.orgIdentifier;
|
|
17
|
-
const policies = scp.policies.map(val =>
|
|
17
|
+
const policies = scp.policies.map(val => loadAnnotatedPolicy(val.policy));
|
|
18
18
|
return {
|
|
19
19
|
orgIdentifier: ouId,
|
|
20
20
|
policies: policies
|
|
@@ -25,11 +25,12 @@ export function runUnsafeSimulation(simulation, simulationOptions) {
|
|
|
25
25
|
resource: simulation.request.resource.resource,
|
|
26
26
|
accountId: simulation.request.resource.accountId,
|
|
27
27
|
}, simulation.request.action, requestContext);
|
|
28
|
-
|
|
28
|
+
const analysis = authorize({
|
|
29
29
|
request,
|
|
30
30
|
identityPolicies,
|
|
31
31
|
serviceControlPolicies,
|
|
32
|
-
resourcePolicy: simulation.resourcePolicy ?
|
|
32
|
+
resourcePolicy: simulation.resourcePolicy ? loadAnnotatedPolicy(simulation.resourcePolicy) : undefined
|
|
33
33
|
});
|
|
34
|
+
return analysis.result;
|
|
34
35
|
}
|
|
35
36
|
//# sourceMappingURL=unsafeSimulationEngine.js.map
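Review bot: In the hunk at `@@ -25,11 +25,12 @@`, `runUnsafeSimulation` now unwraps `authorize(...)` with `return analysis.result;`, while the safe path in `simulationEngine.js` returns the whole analysis object, so the two entry points diverge in what a caller gets back and the JSDoc line `* @returns The result of the simulation.` no longer says which. I would either return the full analysis here for parity or make the doc precise: `* @returns Only the evaluation decision (analysis.result); the full analysis returned by authorize() is discarded.` The first hunk of this section also applies `loadAnnotatedPolicy` directly to the caller's policy objects without the `validateIdentityPolicy` / `validateResourcePolicy` pass that `simulationEngine.js` performs; presumably that is what "unsafe" means, and the JSDoc (whose start is outside the hunk) should state that malformed or untrusted policy documents reach the engine unchecked. The body of `runUnsafeSimulation` between the two hunks is outside the visible lines.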
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"unsafeSimulationEngine.js","sourceRoot":"","sources":["../../../src/simulation_engine/unsafeSimulationEngine.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"unsafeSimulationEngine.js","sourceRoot":"","sources":["../../../src/simulation_engine/unsafeSimulationEngine.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAChE,OAAO,EAAE,SAAS,EAA0B,MAAM,uCAAuC,CAAC;AAE1F,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAI1D;;;;;;;GAOG;AACH,MAAM,UAAU,mBAAmB,CAAC,UAAsB,EAAE,iBAA6C;IACvG,MAAM,gBAAgB,GAAG,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,mBAAmB,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;IAC5G,MAAM,sBAAsB,GAA6B,UAAU,CAAC,sBAAsB,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;QACrG,MAAM,IAAI,GAAG,GAAG,CAAC,aAAa,CAAC;QAC/B,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,mBAAmB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC;QAE1E,OAAO;YACL,aAAa,EAAE,IAAI;YACnB,QAAQ,EAAE,QAAQ;SACnB,CAAA;IACH,CAAC,CAAC,CAAA;IACF,MAAM,cAAc,GAAG,IAAI,kBAAkB,CAAC,UAAU,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAA;IAClF,MAAM,OAAO,GAAG,IAAI,cAAc,CAAC,UAAU,CAAC,OAAO,CAAC,SAAS,EAAE;QAC/D,QAAQ,EAAE,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ;QAC9C,SAAS,EAAE,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS;KACjD,EAAE,UAAU,CAAC,OAAO,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;IAE9C,MAAM,QAAQ,GAAG,SAAS,CAAC;QACzB,OAAO;QACP,gBAAgB;QAChB,sBAAsB;QACtB,cAAc,EAAE,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,mBAAmB,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,SAAS;KACvG,CAAC,CAAC;IAEH,OAAO,QAAQ,CAAC,MAAM,CAAC;AACzB,CAAC"}
|
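--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@cloud-copilot/iam-simulate",
-"version": "0.1.
+"version": "0.1.13-1",
 "description": "Simulate evaluation of AWS IAM policies",
 "repository": {
 "type": "git",
@@ -40,6 +40,6 @@
 },
 "dependencies": {
 "@cloud-copilot/iam-data": ">=0.8.0 <1.0.0",
-"@cloud-copilot/iam-policy": "
+"@cloud-copilot/iam-policy": "0.1.5-2"
 }
 }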