npm - @cloud-copilot/iam-simulate - Versions diffs - 0.1.12 → 0.1.14 - Mend

@cloud-copilot/iam-simulate 0.1.12 → 0.1.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (329) hide show

package/dist/esm/core_engine/coreSimulatorEngine.js CHANGED Viewed

@@ -3,6 +3,7 @@ import { requestMatchesConditions } from "../condition/condition.js";
 import { requestMatchesStatementPrincipals } from "../principal/principal.js";
 import { requestMatchesStatementResources } from "../resource/resource.js";
 import { DefaultServiceAuthorizer } from "../services/DefaultServiceAuthorizer.js";
+import { identityStatementAllows, identityStatementExplicitDeny, statementMatches } from "../StatementAnalysis.js";
 const serviceEngines = {};
 /**
  * Authorizes a request.
@@ -14,14 +15,16 @@ const serviceEngines = {};
  */
 export function authorize(request) {
     const identityAnalysis = analyzeIdentityPolicies(request.identityPolicies, request.request);
+    const permissionBoundaryAnalysis = analyzePermissionBoundaryPolicies(request.permissionBoundaries, request.request);
     const scpAnalysis = analyzeServiceControlPolicies(request.serviceControlPolicies, request.request);
+    const resourceAnalysis = analyzeResourcePolicy(request.resourcePolicy, request.request);
     const serviceAuthorizer = getServiceAuthorizer(request);
-    const resourceAnalysis = request.resourcePolicy ? analyzeResourcePolicy(request.resourcePolicy, request.request) : [];
     return serviceAuthorizer.authorize({
         request: request.request,
-        identityStatements: identityAnalysis,
+        identityAnalysis,
         scpAnalysis,
-        resourceAnalysis
+        resourceAnalysis,
+        permissionBoundaryAnalysis
     });
 }
 /**
@@ -32,7 +35,7 @@ export function authorize(request) {
  * @returns the service authorizer for the request
  */
 export function getServiceAuthorizer(request) {
-    const serviceName = request.request.action.service().toLowerCase();
+    const serviceName = request.request.resource.service();
     if (serviceEngines[serviceName]) {
         return new serviceEngines[serviceName]();
     }
@@ -46,19 +49,45 @@ export function getServiceAuthorizer(request) {
  * @returns an array of statement analysis results
  */
 export function analyzeIdentityPolicies(identityPolicies, request) {
-    const analysis = [];
+    const identityAnalysis = {
+        result: 'ImplicitlyDenied',
+        allowStatements: [],
+        denyStatements: [],
+        unmatchedStatements: [],
+    };
     for (const policy of identityPolicies) {
         for (const statement of policy.statements()) {
-            analysis.push({
+            const { matches: resourceMatch, details: resourceDetails } = requestMatchesStatementResources(request, statement);
+            const { matches: actionMatch, details: actionDetails } = requestMatchesStatementActions(request, statement);
+            const { matches: conditionMatch, details: conditionDetails } = requestMatchesConditions(request, statement.conditions());
+            const principalMatch = 'Match';
+            const overallMatch = statementMatches({ actionMatch, conditionMatch, principalMatch, resourceMatch });
+            const statementAnalysis = {
                 statement,
-                resourceMatch: requestMatchesStatementResources(request, statement),
-                actionMatch: requestMatchesStatementActions(request, statement),
-                conditionMatch: requestMatchesConditions(request, statement.conditions()),
-                principalMatch: 'Match',
-            });
+                resourceMatch,
+                actionMatch,
+                conditionMatch,
+                principalMatch,
+                explain: makeStatementExplain(statement, overallMatch, { ...resourceDetails, ...actionDetails, ...conditionDetails })
+            };
+            if (identityStatementExplicitDeny(statementAnalysis)) {
+                identityAnalysis.denyStatements.push(statementAnalysis);
+            }
+            else if (identityStatementAllows(statementAnalysis)) {
+                identityAnalysis.allowStatements.push(statementAnalysis);
+            }
+            else {
+                identityAnalysis.unmatchedStatements.push(statementAnalysis);
+            }
         }
     }
-    return analysis;
+    if (identityAnalysis.denyStatements.length > 0) {
+        identityAnalysis.result = 'ExplicitlyDenied';
+    }
+    else if (identityAnalysis.allowStatements.length > 0) {
+        identityAnalysis.result = 'Allowed';
+    }
+    return identityAnalysis;
 }
 /**
  * Analyzes a set of service control policies and the statements within them.
@@ -72,22 +101,59 @@ export function analyzeServiceControlPolicies(serviceControlPolicies, request) {
     for (const controlPolicy of serviceControlPolicies) {
         const ouAnalysis = {
             orgIdentifier: controlPolicy.orgIdentifier,
-            statementAnalysis: [],
+            result: 'ImplicitlyDenied',
+            allowStatements: [],
+            denyStatements: [],
+            unmatchedStatements: [],
         };
         for (const policy of controlPolicy.policies) {
             for (const statement of policy.statements()) {
-                ouAnalysis.statementAnalysis.push({
+                const { matches: resourceMatch, details: resourceDetails } = requestMatchesStatementResources(request, statement);
+                const { matches: actionMatch, details: actionDetails } = requestMatchesStatementActions(request, statement);
+                const { matches: conditionMatch, details: conditionDetails } = requestMatchesConditions(request, statement.conditions());
+                const principalMatch = 'Match';
+                const overallMatch = statementMatches({ actionMatch, conditionMatch, principalMatch, resourceMatch });
+                const statementAnalysis = {
                     statement,
-                    resourceMatch: requestMatchesStatementResources(request, statement),
-                    actionMatch: requestMatchesStatementActions(request, statement),
-                    conditionMatch: requestMatchesConditions(request, statement.conditions()),
-                    principalMatch: 'Match',
-                });
+                    resourceMatch,
+                    actionMatch,
+                    conditionMatch,
+                    principalMatch,
+                    explain: makeStatementExplain(statement, overallMatch, { ...resourceDetails, ...actionDetails, ...conditionDetails })
+                };
+                if (identityStatementAllows(statementAnalysis)) {
+                    ouAnalysis.allowStatements.push(statementAnalysis);
+                }
+                else if (identityStatementExplicitDeny(statementAnalysis)) {
+                    ouAnalysis.denyStatements.push(statementAnalysis);
+                }
+                else {
+                    ouAnalysis.unmatchedStatements.push(statementAnalysis);
+                }
             }
         }
+        if (ouAnalysis.denyStatements.length > 0) {
+            ouAnalysis.result = 'ExplicitlyDenied';
+        }
+        else if (ouAnalysis.allowStatements.length > 0) {
+            ouAnalysis.result = 'Allowed';
+        }
         analysis.push(ouAnalysis);
     }
-    return analysis;
+    let overallResult = 'ImplicitlyDenied';
+    if (analysis.some(ou => ou.result === 'ExplicitlyDenied')) {
+        overallResult = 'ExplicitlyDenied';
+    }
+    else if (analysis.some(ou => ou.allowStatements.length === 0)) {
+        overallResult = 'ImplicitlyDenied';
+    }
+    else if (analysis.every(ou => ou.result === 'Allowed')) {
+        overallResult = 'Allowed';
+    }
+    return {
+        result: overallResult,
+        ouAnalysis: analysis
+    };
 }
 /**
  * Analyze a resource policy and return the results
@@ -97,16 +163,69 @@ export function analyzeServiceControlPolicies(serviceControlPolicies, request) {
  * @returns an array of statement analysis results
  */
 export function analyzeResourcePolicy(resourcePolicy, request) {
-    const analysis = [];
+    const resourceAnalysis = {
+        result: 'NotApplicable',
+        allowStatements: [],
+        denyStatements: [],
+        unmatchedStatements: [],
+    };
+    if (!resourcePolicy) {
+        return resourceAnalysis;
+    }
+    const principalMatchOptions = ['Match', 'SessionRoleMatch', 'SessionUserMatch'];
     for (const statement of resourcePolicy.statements()) {
-        analysis.push({
+        const { matches: resourceMatch, details: resourceDetails } = requestMatchesStatementResources(request, statement);
+        const { matches: actionMatch, details: actionDetails } = requestMatchesStatementActions(request, statement);
+        const { matches: principalMatch, details: principalDetails } = requestMatchesStatementPrincipals(request, statement);
+        const { matches: conditionMatch, details: conditionDetails } = requestMatchesConditions(request, statement.conditions());
+        const overallMatch = statementMatches({ actionMatch, conditionMatch, principalMatch, resourceMatch });
+        const analysis = {
             statement,
-            resourceMatch: requestMatchesStatementResources(request, statement),
-            actionMatch: requestMatchesStatementActions(request, statement),
-            conditionMatch: requestMatchesConditions(request, statement.conditions()),
-            principalMatch: requestMatchesStatementPrincipals(request, statement),
-        });
+            resourceMatch: resourceMatch,
+            actionMatch,
+            conditionMatch,
+            principalMatch,
+            explain: makeStatementExplain(statement, overallMatch, { ...resourceDetails, ...actionDetails, ...principalDetails, ...conditionDetails })
+        };
+        if (identityStatementExplicitDeny(analysis) && analysis.principalMatch !== 'NoMatch') {
+            resourceAnalysis.denyStatements.push(analysis);
+        }
+        else if (identityStatementAllows(analysis) && analysis.principalMatch !== 'NoMatch') {
+            resourceAnalysis.allowStatements.push(analysis);
+        }
+        else {
+            resourceAnalysis.unmatchedStatements.push(analysis);
+        }
+    }
+    if (resourceAnalysis.denyStatements.some(s => principalMatchOptions.includes(s.principalMatch))) {
+        resourceAnalysis.result = 'ExplicitlyDenied';
+    }
+    else if (resourceAnalysis.denyStatements.some(s => s.principalMatch === 'AccountLevelMatch')) {
+        resourceAnalysis.result = 'DeniedForAccount';
     }
-    return analysis;
+    else if (resourceAnalysis.allowStatements.some(s => principalMatchOptions.includes(s.principalMatch))) {
+        resourceAnalysis.result = 'Allowed';
+    }
+    else if (resourceAnalysis.allowStatements.some(s => s.principalMatch === 'AccountLevelMatch')) {
+        resourceAnalysis.result = 'AllowedForAccount';
+    }
+    else {
+        resourceAnalysis.result = 'NotApplicable';
+    }
+    return resourceAnalysis;
+}
+export function analyzePermissionBoundaryPolicies(permissionBoundaries, request) {
+    if (!permissionBoundaries) {
+        return undefined;
+    }
+    return analyzeIdentityPolicies(permissionBoundaries, request);
+}
+function makeStatementExplain(statement, overallMatch, details) {
+    return {
+        effect: statement.effect(),
+        identifier: statement.sid() || statement.index().toString(),
+        matches: overallMatch,
+        ...details
+    };
 }
 //# sourceMappingURL=coreSimulatorEngine.js.map

package/dist/esm/core_engine/coreSimulatorEngine.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"coreSimulatorEngine.js","sourceRoot":"","sources":["../../../src/core_engine/coreSimulatorEngine.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,8BAA8B,EAAE,MAAM,qBAAqB,CAAC;AACrE,OAAO,EAAE,wBAAwB,EAAE,MAAM,2BAA2B,CAAC;~~AAErE~~,OAAO,~~EAAE~~,iCAAiC,EAAE,MAAM,2BAA2B,CAAC;~~AAE9E~~,OAAO,EAAE,gCAAgC,EAAE,MAAM,yBAAyB,CAAC;~~AAE3E~~,OAAO,EAAE,wBAAwB,EAAE,MAAM,yCAAyC,CAAC;~~AA6CnF~~,MAAM,cAAc,GAAgD,EAAE,CAAC;AAEvE;;;;;;;GAOG;AACH,MAAM,UAAU,SAAS,CAAC,OAA6B;IACrD,MAAM,gBAAgB,GAAG,uBAAuB,CAAC,OAAO,CAAC,gBAAgB,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAC5F,MAAM,~~WAAW~~,GAAG,~~6BAA6B~~,CAAC,OAAO,CAAC,~~sBAAsB~~,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;~~IACnG~~,MAAM,~~iBAAiB~~,GAAG,~~oBAAoB~~,CAAC,OAAO,CAAC,~~CAAC;IACxD~~,~~MAAM~~,~~gBAAgB,GAAG,~~OAAO,CAAC,~~cAAc~~,CAAC,CAAC,~~CAAC~~,qBAAqB,CAAC,OAAO,CAAC,cAAc,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC,~~CAAC~~,CAAC,~~EAAE~~,CAAC;~~IAEtH~~,OAAO,iBAAiB,CAAC,SAAS,CAAC;QACjC,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,~~kBAAkB,EAAE,~~gBAAgB;~~QACpC~~,WAAW;QACX,gBAAgB;~~KACjB~~,CAAC,CAAC;AACL,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAA6B;IAChE,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,~~MAAM~~,CAAC,OAAO,EAAE,~~CAAC,WAAW,EAAE,CAAC~~;~~IACnE~~,IAAG,cAAc,CAAC,WAAW,CAAC,EAAE,CAAC;QAC/B,OAAO,IAAI,cAAc,CAAC,WAAW,CAAC,EAAE,CAAC;IAC3C,CAAC;IACD,OAAO,IAAI,wBAAwB,CAAC;AACtC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,uBAAuB,CAAC,gBAA0B,EAAE,OAAmB;~~IACrF~~,MAAM,~~QAAQ~~,~~GAAwB~~,EAAE,~~CAAC~~;~~IACzC~~,KAAI,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;QACrC,KAAI,MAAM,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;YAC3C,~~QAAQ~~,~~CAAC~~,~~IAAI~~,~~CAAC;gBACZ~~,~~SAAS;gBACT,~~aAAa,EAAE,gCAAgC,CAAC,OAAO,EAAE,SAAS,CAAC;~~gBACnE~~,WAAW,EAAE,8BAA8B,CAAC,OAAO,EAAE,SAAS,CAAC;~~gBAC/D~~,cAAc,EAAE,wBAAwB,CAAC,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE,CAAC;~~gBACzE~~,cAAc,EAAE,OAAO;~~aACxB~~,CAAC,CAAC;~~QACL~~,CAAC;IACH,CAAC;IAED,OAAO,~~QAAQ~~,CAAC;~~AAClB~~,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,6BAA6B,CAAC,sBAAgD,EAAE,OAAmB;IACjH,MAAM,QAAQ,~~GAAkB~~,EAAE,CAAC;~~IACnC~~,KAAI,MAAM,aAAa,IAAI,sBAAsB,EAAE,CAAC;QAClD,MAAM,UAAU,~~GAAgB~~;~~YAC9B~~,aAAa,EAAE,aAAa,CAAC,aAAa;YAC1C,~~iBAAiB~~,EAAE,EAAE;~~SACtB~~,CAAA;QACD,KAAI,MAAM,MAAM,IAAI,aAAa,CAAC,QAAQ,EAAE,CAAC;YAC3C,KAAI,MAAM,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;gBAC3C,~~UAAU~~,~~CAAC~~,~~iBAAiB~~,~~CAAC~~,~~IAAI~~,~~CAAC;oBAChC~~,~~SAAS;oBACT~~,~~aAAa,~~EAAE,gCAAgC,CAAC,OAAO,EAAE,SAAS,CAAC;~~oBACnE~~,WAAW,EAAE,8BAA8B,CAAC,OAAO,EAAE,SAAS,CAAC;~~oBAC/D~~,cAAc,EAAE,wBAAwB,CAAC,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE,CAAC;~~oBACzE~~,cAAc,EAAE,OAAO;~~iBACxB~~,CAAC,CAAC;~~YACL~~,CAAC;QACH,CAAC;QACD,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC5B,CAAC;IAED,~~OAAO~~,QAAQ,CAAC;~~AAClB~~,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,qBAAqB,CAAC,~~cAAsB~~,EAAE,OAAmB;~~IAC/E~~,MAAM,~~QAAQ~~,~~GAAwB~~,EAAE,CAAC;~~IACzC~~,KAAI,MAAM,SAAS,IAAI,cAAc,CAAC,UAAU,EAAE,EAAE,CAAC;QACnD,~~QAAQ~~,~~CAAC~~,~~IAAI~~,~~CAAC;YACZ~~,~~SAAS;YACT,~~aAAa,EAAE,gCAAgC,CAAC,OAAO,EAAE,SAAS,CAAC;~~YACnE~~,WAAW,EAAE,8BAA8B,CAAC,OAAO,EAAE,SAAS,CAAC;~~YAC/D~~,cAAc,EAAE,wBAAwB,CAAC,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE,CAAC;~~YACzE~~,cAAc,EAAE,~~iCAAiC~~,CAAC,OAAO,EAAE,SAAS,CAAC;~~SACtE~~,CAAC,CAAC;~~IACL~~,CAAC;IAED,~~OAAO~~,QAAQ,CAAC;~~AAClB~~,CAAC"}
1	+ {"version":3,"file":"coreSimulatorEngine.js","sourceRoot":"","sources":["../../../src/core_engine/coreSimulatorEngine.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,8BAA8B,EAAE,MAAM,qBAAqB,CAAC;AACrE,OAAO,EAAE,wBAAwB,EAAE,MAAM,2BAA2B,CAAC;AAGrE,OAAO,EAAwB,iCAAiC,EAAE,MAAM,2BAA2B,CAAC;AAEpG,OAAO,EAAE,gCAAgC,EAAE,MAAM,yBAAyB,CAAC;AAC3E,OAAO,EAAE,wBAAwB,EAAE,MAAM,yCAAyC,CAAC;AAEnF,OAAO,EAAE,uBAAuB,EAAE,6BAA6B,EAAqB,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAgDtI,MAAM,cAAc,GAAgD,EAAE,CAAC;AAEvE;;;;;;;GAOG;AACH,MAAM,UAAU,SAAS,CAAC,OAA6B;IACrD,MAAM,gBAAgB,GAAG,uBAAuB,CAAC,OAAO,CAAC,gBAAgB,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAC5F,MAAM,0BAA0B,GAAG,iCAAiC,CAAC,OAAO,CAAC,oBAAoB,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IACpH,MAAM,WAAW,GAAG,6BAA6B,CAAC,OAAO,CAAC,sBAAsB,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IACnG,MAAM,gBAAgB,GAAG,qBAAqB,CAAC,OAAO,CAAC,cAAc,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAExF,MAAM,iBAAiB,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC;IACxD,OAAO,iBAAiB,CAAC,SAAS,CAAC;QACjC,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,gBAAgB;QAChB,WAAW;QACX,gBAAgB;QAChB,0BAA0B;KAC3B,CAAC,CAAC;AACL,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAA6B;IAChE,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAA;IACtD,IAAG,cAAc,CAAC,WAAW,CAAC,EAAE,CAAC;QAC/B,OAAO,IAAI,cAAc,CAAC,WAAW,CAAC,EAAE,CAAC;IAC3C,CAAC;IACD,OAAO,IAAI,wBAAwB,CAAC;AACtC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,uBAAuB,CAAC,gBAA0B,EAAE,OAAmB;IAErF,MAAM,gBAAgB,GAAqB;QACzC,MAAM,EAAE,kBAAkB;QAC1B,eAAe,EAAE,EAAE;QACnB,cAAc,EAAE,EAAE;QAClB,mBAAmB,EAAE,EAAE;KACxB,CAAA;IAED,KAAI,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;QACrC,KAAI,MAAM,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;YAC3C,MAAM,EAAC,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,eAAe,EAAC,GAAG,gCAAgC,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;YAChH,MAAM,EAAC,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,aAAa,EAAC,GAAG,8BAA8B,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;YAC1G,MAAM,EAAC,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,EAAC,GAAG,wBAAwB,CAAC,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE,CAAC,CAAC;YACvH,MAAM,cAAc,GAAyB,OAAO,CAAC;YACrD,MAAM,YAAY,GAAG,gBAAgB,CAAC,EAAC,WAAW,EAAE,cAAc,EAAE,cAAc,EAAE,aAAa,EAAC,CAAC,CAAC;YACpG,MAAM,iBAAiB,GAAsB;gBAC3C,SAAS;gBACT,aAAa;gBACb,WAAW;gBACX,cAAc;gBACd,cAAc;gBACd,OAAO,EAAE,oBAAoB,CAAC,SAAS,EAAE,YAAY,EAAE,EAAC,GAAG,eAAe,EAAE,GAAG,aAAa,EAAE,GAAG,gBAAgB,EAAC,CAAC;aACpH,CAAA;YAED,IAAG,6BAA6B,CAAC,iBAAiB,CAAC,EAAE,CAAC;gBACpD,gBAAgB,CAAC,cAAc,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;YAC1D,CAAC;iBAAM,IAAG,uBAAuB,CAAC,iBAAiB,CAAC,EAAE,CAAC;gBACrD,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;YAC3D,CAAC;iBAAM,CAAC;gBACN,gBAAgB,CAAC,mBAAmB,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;YAC/D,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAG,gBAAgB,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9C,gBAAgB,CAAC,MAAM,GAAG,kBAAkB,CAAA;IAC9C,CAAC;SAAM,IAAG,gBAAgB,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtD,gBAAgB,CAAC,MAAM,GAAG,SAAS,CAAA;IACrC,CAAC;IAED,OAAO,gBAAgB,CAAC;AAC1B,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,6BAA6B,CAAC,sBAAgD,EAAE,OAAmB;IACjH,MAAM,QAAQ,GAAoB,EAAE,CAAC;IACrC,KAAI,MAAM,aAAa,IAAI,sBAAsB,EAAE,CAAC;QAClD,MAAM,UAAU,GAAkB;YAChC,aAAa,EAAE,aAAa,CAAC,aAAa;YAC1C,MAAM,EAAE,kBAAkB;YAC1B,eAAe,EAAE,EAAE;YACnB,cAAc,EAAE,EAAE;YAClB,mBAAmB,EAAE,EAAE;SACxB,CAAA;QACD,KAAI,MAAM,MAAM,IAAI,aAAa,CAAC,QAAQ,EAAE,CAAC;YAC3C,KAAI,MAAM,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;gBAC3C,MAAM,EAAC,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,eAAe,EAAC,GAAG,gCAAgC,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;gBAChH,MAAM,EAAC,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,aAAa,EAAC,GAAG,8BAA8B,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;gBAC1G,MAAM,EAAC,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,EAAC,GAAG,wBAAwB,CAAC,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE,CAAC,CAAC;gBACvH,MAAM,cAAc,GAAyB,OAAO,CAAA;gBACpD,MAAM,YAAY,GAAG,gBAAgB,CAAC,EAAC,WAAW,EAAE,cAAc,EAAE,cAAc,EAAE,aAAa,EAAC,CAAC,CAAC;gBACpG,MAAM,iBAAiB,GAAsB;oBAC3C,SAAS;oBACT,aAAa;oBACb,WAAW;oBACX,cAAc;oBACd,cAAc;oBACd,OAAO,EAAE,oBAAoB,CAAC,SAAS,EAAE,YAAY,EAAE,EAAC,GAAG,eAAe,EAAE,GAAG,aAAa,EAAE,GAAG,gBAAgB,EAAC,CAAC;iBACpH,CAAA;gBAED,IAAG,uBAAuB,CAAC,iBAAiB,CAAC,EAAE,CAAC;oBAC9C,UAAU,CAAC,eAAe,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;gBACrD,CAAC;qBAAM,IAAI,6BAA6B,CAAC,iBAAiB,CAAC,EAAE,CAAC;oBAC5D,UAAU,CAAC,cAAc,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;gBACpD,CAAC;qBAAM,CAAC;oBACN,UAAU,CAAC,mBAAmB,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAG,UAAU,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxC,UAAU,CAAC,MAAM,GAAG,kBAAkB,CAAA;QACxC,CAAC;aAAM,IAAG,UAAU,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAChD,UAAU,CAAC,MAAM,GAAG,SAAS,CAAA;QAC/B,CAAC;QACD,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC5B,CAAC;IAED,IAAI,aAAa,GAAqB,kBAAkB,CAAA;IACxD,IAAG,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,MAAM,KAAK,kBAAkB,CAAC,EAAE,CAAC;QACzD,aAAa,GAAG,kBAAkB,CAAA;IACpC,CAAC;SAAM,IAAG,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,eAAe,CAAC,MAAM,KAAK,CAAC,CAAC,EAAE,CAAC;QAC/D,aAAa,GAAG,kBAAkB,CAAA;IACpC,CAAC;SAAM,IAAI,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,MAAM,KAAK,SAAS,CAAC,EAAE,CAAC;QACzD,aAAa,GAAG,SAAS,CAAA;IAC3B,CAAC;IAED,OAAO;QACL,MAAM,EAAE,aAAa;QACrB,UAAU,EAAE,QAAQ;KACrB,CAAA;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,qBAAqB,CAAC,cAAkC,EAAE,OAAmB;IAC3F,MAAM,gBAAgB,GAAqB;QACzC,MAAM,EAAE,eAAe;QACvB,eAAe,EAAE,EAAE;QACnB,cAAc,EAAE,EAAE;QAClB,mBAAmB,EAAE,EAAE;KACxB,CAAA;IAED,IAAG,CAAC,cAAc,EAAE,CAAC;QACnB,OAAO,gBAAgB,CAAC;IAC1B,CAAC;IAED,MAAM,qBAAqB,GAA2B,CAAC,OAAO,EAAE,kBAAkB,EAAE,kBAAkB,CAAC,CAAC;IAExG,KAAI,MAAM,SAAS,IAAI,cAAc,CAAC,UAAU,EAAE,EAAE,CAAC;QACnD,MAAM,EAAC,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,eAAe,EAAC,GAAG,gCAAgC,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;QAChH,MAAM,EAAC,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,aAAa,EAAC,GAAG,8BAA8B,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;QAC1G,MAAM,EAAC,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,EAAC,GAAG,iCAAiC,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;QACnH,MAAM,EAAC,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,EAAC,GAAG,wBAAwB,CAAC,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE,CAAC,CAAC;QACvH,MAAM,YAAY,GAAG,gBAAgB,CAAC,EAAC,WAAW,EAAE,cAAc,EAAE,cAAc,EAAE,aAAa,EAAC,CAAC,CAAC;QACpG,MAAM,QAAQ,GAAsB;YAClC,SAAS;YACT,aAAa,EAAE,aAAa;YAC5B,WAAW;YACX,cAAc;YACd,cAAc;YACd,OAAO,EAAE,oBAAoB,CAAC,SAAS,EAAE,YAAY,EAAE,EAAC,GAAG,eAAe,EAAE,GAAG,aAAa,EAAE,GAAG,gBAAgB,EAAE,GAAG,gBAAgB,EAAC,CAAC;SACzI,CAAA;QACD,IAAG,6BAA6B,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;YACpF,gBAAgB,CAAC,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACjD,CAAC;aAAM,IAAG,uBAAuB,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;YACrF,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAClD,CAAC;aAAM,CAAC;YACN,gBAAgB,CAAC,mBAAmB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACtD,CAAC;IACH,CAAC;IAED,IAAG,gBAAgB,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,qBAAqB,CAAC,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,EAAE,CAAC;QAC/F,gBAAgB,CAAC,MAAM,GAAG,kBAAkB,CAAA;IAC9C,CAAC;SAAM,IAAG,gBAAgB,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,mBAAmB,CAAC,EAAE,CAAC;QAC9F,gBAAgB,CAAC,MAAM,GAAG,kBAAkB,CAAA;IAC9C,CAAC;SAAM,IAAG,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,qBAAqB,CAAC,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,EAAE,CAAC;QACvG,gBAAgB,CAAC,MAAM,GAAG,SAAS,CAAA;IACrC,CAAC;SAAM,IAAG,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,mBAAmB,CAAC,EAAE,CAAC;QAC/F,gBAAgB,CAAC,MAAM,GAAG,mBAAmB,CAAA;IAC/C,CAAC;SAAM,CAAC;QACN,gBAAgB,CAAC,MAAM,GAAG,eAAe,CAAA;IAC3C,CAAC;IAED,OAAO,gBAAgB,CAAC;AAC1B,CAAC;AAGD,MAAM,UAAU,iCAAiC,CAAC,oBAA0C,EAAE,OAAmB;IAC/G,IAAG,CAAC,oBAAoB,EAAE,CAAC;QACzB,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,OAAO,uBAAuB,CAAC,oBAAoB,EAAE,OAAO,CAAC,CAAC;AAChE,CAAC;AAGD,SAAS,oBAAoB,CAAC,SAAoB,EAAE,YAAqB,EAAE,OAAkC;IAC3G,OAAO;QACL,MAAM,EAAE,SAAS,CAAC,MAAM,EAAE;QAC1B,UAAU,EAAE,SAAS,CAAC,GAAG,EAAE,IAAI,SAAS,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE;QAC3D,OAAO,EAAE,YAAY;QACrB,GAAG,OAAO;KACX,CAAA;AACH,CAAC"}

package/dist/esm/evaluate.d.ts CHANGED Viewed

@@ -1,3 +1,50 @@
+import { StatementAnalysis } from "./StatementAnalysis.js";
 export type EvaluationResult = 'Allowed' | 'ExplicitlyDenied' | 'AllowedWithConditions' | 'ImplicitlyDenied' | 'Unknown';
 export type ResourceEvaluationResult = 'NotApplicable' | 'Allowed' | 'ExplicitlyDenied' | 'AllowedForAccount' | 'DeniedForAccount' | 'ImplicityDenied';
+export interface IdentityAnalysis {
+    result: EvaluationResult;
+    denyStatements: StatementAnalysis[];
+    allowStatements: StatementAnalysis[];
+    unmatchedStatements: StatementAnalysis[];
+}
+export interface ResourceAnalysis {
+    result: ResourceEvaluationResult;
+    denyStatements: StatementAnalysis[];
+    allowStatements: StatementAnalysis[];
+    unmatchedStatements: StatementAnalysis[];
+}
+export interface OuScpAnalysis {
+    orgIdentifier: string;
+    result: EvaluationResult;
+    denyStatements: StatementAnalysis[];
+    allowStatements: StatementAnalysis[];
+    unmatchedStatements: StatementAnalysis[];
+}
+export interface ScpAnalysis {
+    /**
+     * OU Result
+     */
+    result: EvaluationResult;
+    ouAnalysis: OuScpAnalysis[];
+}
+/**
+ * The analysis of a request.
+ */
+export interface RequestAnalysis {
+    /**
+     * The result of the evaluation.
+     */
+    result: EvaluationResult;
+    sameAccount: boolean;
+    /**
+     * The result of the evaluation of the resource policy.
+     */
+    identityAnalysis?: IdentityAnalysis;
+    /**
+     * The result of the evaluation of the resource policy.
+     */
+    resourceAnalysis?: ResourceAnalysis;
+    scpAnalysis?: ScpAnalysis;
+    permissionBoundaryAnalysis?: IdentityAnalysis | undefined;
+}
 //# sourceMappingURL=evaluate.d.ts.map

package/dist/esm/evaluate.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"evaluate.d.ts","sourceRoot":"","sources":["../../src/evaluate.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,gBAAgB,GAAG,SAAS,GAAG,kBAAkB,GAAG,uBAAuB,GAAG,kBAAkB,GAAG,SAAS,CAAC;AACzH,MAAM,MAAM,wBAAwB,GAAG,eAAe,GAAG,SAAS,GAAG,kBAAkB,GAAG,mBAAmB,GAAG,kBAAkB,GAAG,iBAAiB,CAAC"}
1	+ {"version":3,"file":"evaluate.d.ts","sourceRoot":"","sources":["../../src/evaluate.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAE3D,MAAM,MAAM,gBAAgB,GAAG,SAAS,GAAG,kBAAkB,GAAG,uBAAuB,GAAG,kBAAkB,GAAG,SAAS,CAAC;AACzH,MAAM,MAAM,wBAAwB,GAAG,eAAe,GAAG,SAAS,GAAG,kBAAkB,GAAG,mBAAmB,GAAG,kBAAkB,GAAG,iBAAiB,CAAC;AAEvJ,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,gBAAgB,CAAA;IACxB,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,wBAAwB,CAAA;IAChC,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,aAAa;IAC5B,aAAa,EAAE,MAAM,CAAA;IACrB,MAAM,EAAE,gBAAgB,CAAA;IACxB,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,WAAW;IAC1B;;OAEG;IACH,MAAM,EAAE,gBAAgB,CAAA;IACxB,UAAU,EAAE,aAAa,EAAE,CAAA;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B;;OAEG;IACH,MAAM,EAAE,gBAAgB,CAAC;IAEzB,WAAW,EAAE,OAAO,CAAC;IAErB;;OAEG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAA;IAEnC;;OAEG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAA;IAEnC,WAAW,CAAC,EAAE,WAAW,CAAA;IAEzB,0BAA0B,CAAC,EAAE,gBAAgB,GAAG,SAAS,CAAA;CAC1D"}

package/dist/esm/explain/displayExplainCli.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import { StatementExplain } from "./statementExplain.js";
+export declare function printExplain(explain: StatementExplain): void;
+//# sourceMappingURL=displayExplainCli.d.ts.map

package/dist/esm/explain/displayExplainCli.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"displayExplainCli.d.ts","sourceRoot":"","sources":["../../../src/explain/displayExplainCli.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAuMzD,wBAAgB,YAAY,CAAC,OAAO,EAAE,gBAAgB,QAmErD"}

package/dist/esm/explain/displayExplainCli.js ADDED Viewed

@@ -0,0 +1,246 @@
+const explain1 = {
+    identifier: 'Statement1',
+    matches: true,
+    effect: 'Allow',
+    actions: [
+        {
+            action: 's3:Get*',
+            matches: true
+        },
+        {
+            action: 's3:PutObject',
+            matches: false
+        }
+    ],
+    resources: [
+        {
+            resource: 'arn:aws:s3:::examplebucket/*',
+            errors: [],
+            matches: true
+        },
+        {
+            resource: 'arn:aws:s3:::examplebucket/${aws:PrincipalTag/Department}/*',
+            resolvedValue: 'arn:aws:s3:::examplebucket/Engineering/*',
+            errors: [],
+            matches: true
+        },
+        {
+            resource: 'arn:aws:s3:::examplebucket/abc/*',
+            errors: [],
+            matches: false
+        }
+    ],
+    conditions: [
+        {
+            conditionKeyValue: 'aws:SecureTransport',
+            resolvedConditionKeyValue: 'true',
+            operator: 'Bool',
+            matches: true,
+            values: {
+                value: 'true',
+                resolvedValue: 'true',
+                matches: true,
+                errors: []
+            },
+        }, {
+            conditionKeyValue: 's3:PrincipalTag/Department',
+            resolvedConditionKeyValue: 'Engineering',
+            operator: 'StringEquals',
+            matches: true,
+            values: [
+                {
+                    value: 'Engineering',
+                    resolvedValue: 'Engineering',
+                    matches: true,
+                    errors: []
+                },
+                {
+                    value: 'Quality',
+                    resolvedValue: 'Engineering',
+                    matches: false,
+                    errors: []
+                }
+            ]
+        }
+    ]
+};
+const explain2 = {
+    identifier: 'Statement2',
+    matches: true,
+    effect: 'Allow',
+    actions: [
+        {
+            action: 's3:Put*',
+            matches: true
+        }
+    ],
+    resources: [
+        {
+            resource: 'arn:aws:s3:::examplebucket/*',
+            errors: [],
+            matches: true
+        }
+    ],
+    conditions: [
+        {
+            conditionKeyValue: 's3:RequestObjectTagKeys',
+            operator: 'ForAllValues:StringLike',
+            matches: true,
+            unmatchedValues: ['Color', 'Size'],
+            values: [
+                {
+                    value: 'A*',
+                    matches: true,
+                    matchingValues: ['Apple', 'Apricot']
+                },
+                {
+                    value: 'B*',
+                    matches: true,
+                    matchingValues: ['Banana', 'Blueberry']
+                }
+            ],
+        },
+        {
+            conditionKeyValue: 's3:RequestObjectTagKeys',
+            operator: 'ForAllValues:StringNotLike',
+            matches: true,
+            unmatchedValues: ['Color', 'Size'],
+            values: [
+                {
+                    value: 'A*',
+                    matches: true,
+                    // matchingValues: ['Color', 'Size', 'Banana', 'Blueberry'],
+                    negativeMatchingValues: ['Apple', 'Apricot']
+                },
+                {
+                    value: 'B*',
+                    matches: true,
+                    // matchingValues: ['Color', 'Size', 'Apple', 'Apricot'],
+                    negativeMatchingValues: ['Banana', 'Blueberry']
+                }
+            ],
+        },
+        {
+            conditionKeyValue: 's3:RequestObjectTagKeys',
+            operator: 'ForAnyValue:StringLike',
+            matches: true,
+            unmatchedValues: ['Color', 'Size'],
+            values: [
+                {
+                    value: 'A*',
+                    matches: true,
+                    matchingValues: ['Apple', 'Apricot']
+                },
+                {
+                    value: 'B*',
+                    matches: true,
+                    matchingValues: ['Banana', 'Blueberry']
+                }
+            ],
+        },
+        {
+            conditionKeyValue: 's3:RequestObjectTagKeys',
+            operator: 'ForAnyValue:StringNotLike',
+            matches: true,
+            unmatchedValues: ['Color', 'Size'],
+            values: [
+                {
+                    value: 'A*',
+                    matches: true,
+                    matchingValues: ['Color', 'Size', 'Banana', 'Blueberry'],
+                },
+                {
+                    value: 'B*',
+                    matches: true,
+                    matchingValues: ['Color', 'Size', 'Apple', 'Apricot'],
+                }
+            ],
+        },
+        {
+            conditionKeyValue: 's3:PrincipalTag/Department',
+            resolvedConditionKeyValue: 'Engineering',
+            operator: 'StringEquals',
+            matches: true,
+            values: [
+                {
+                    value: 'Engineering',
+                    resolvedValue: 'Engineering',
+                    matches: true,
+                    errors: []
+                },
+                {
+                    value: 'Quality',
+                    resolvedValue: 'Engineering',
+                    matches: false,
+                    errors: []
+                }
+            ]
+        }
+    ]
+};
+function buffers(n) {
+    return '  '.repeat(n);
+}
+export function printExplain(explain) {
+    const buffer = '  ';
+    console.log(`{`);
+    if (explain.matches) {
+        console.log(`${buffer}// Statement ${explain.identifier} Matches`);
+    }
+    else {
+        console.log(`${buffer}// Statement ${explain.identifier} Does NOT Match`);
+    }
+    if (explain.actions && !Array.isArray(explain.actions)) {
+        const actionString = `${buffer}"Action": "${explain.actions.action}", // ${explain.actions.matches ? 'Match' : 'No Match'}`;
+    }
+    else if (explain.actions && Array.isArray(explain.actions)) {
+        console.log(`${buffer}"Action": [`);
+        for (const action of explain.actions) {
+            console.log(`${buffers(2)}"${action.action}", // ${action.matches ? 'Match' : 'No Match'}`);
+        }
+        console.log(`${buffer}]`);
+    }
+    if (explain.resources && !Array.isArray(explain.resources)) {
+        if (explain.resources.resolvedValue) {
+            console.log(`${buffer}        //${explain.resources.resolvedValue} // Resolved Value`);
+        }
+        console.log(`${buffer}"Resource": "${explain.resources.resource}", // ${explain.resources.matches ? 'Match' : 'No Match'}`);
+    }
+    else if (explain.resources && Array.isArray(explain.resources)) {
+        console.log(`${buffer}"Resource": [`);
+        for (const resource of explain.resources) {
+            let resourceLine = `${buffers(2)}"${resource.resource}", // ${resource.matches ? 'Match' : 'No Match'}`;
+            if (resource.resolvedValue) {
+                resourceLine += ` Resolved to "${resource.resolvedValue}"`;
+            }
+            console.log(resourceLine);
+        }
+        console.log(`${buffer}]`);
+    }
+    if (explain.conditions) {
+        const operators = explain.conditions.map(c => c.operator);
+        console.log(`${buffer}"Condition": {`);
+        for (const op of operators) {
+            const opConditions = explain.conditions.filter(c => c.operator === op);
+            console.log(`${buffers(2)}"${op}": {`);
+            for (const c of opConditions) {
+                if (c.values && !Array.isArray(c.values)) {
+                    console.log(`${buffers(3)}"${c.conditionKeyValue}": "${c.values.value}", // ${c.matches ? 'Match' : 'No Match'}`);
+                    // console.log(`${buffers(3)}"Value": "${c.values.value}", // ${c.values.matches ? 'Match' : 'No Match'}`)
+                }
+                else if (c.values && Array.isArray(c.values)) {
+                    console.log(`${buffers(3)}"${c.conditionKeyValue}": [`);
+                    for (const v of c.values) {
+                        console.log(`${buffers(4)}"${v.value}", // ${v.matches ? 'Match' : 'No Match'}`);
+                    }
+                    console.log(`${buffers(3)}]`);
+                }
+            }
+            console.log(`${buffers(2)}}`);
+        }
+        console.log(`${buffer}}`);
+    }
+    console.log(`}`);
+}
+printExplain(explain1);
+//# sourceMappingURL=displayExplainCli.js.map

package/dist/esm/explain/displayExplainCli.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"displayExplainCli.js","sourceRoot":"","sources":["../../../src/explain/displayExplainCli.ts"],"names":[],"mappings":"AAEA,MAAM,QAAQ,GAAqB;IACjC,UAAU,EAAE,YAAY;IACxB,OAAO,EAAE,IAAI;IAEb,MAAM,EAAE,OAAO;IACf,OAAO,EAAE;QACP;YACE,MAAM,EAAE,SAAS;YACjB,OAAO,EAAE,IAAI;SACd;QACD;YACE,MAAM,EAAE,cAAc;YACtB,OAAO,EAAE,KAAK;SACf;KACF;IAED,SAAS,EAAE;QACT;YACE,QAAQ,EAAE,8BAA8B;YACxC,MAAM,EAAE,EAAE;YACV,OAAO,EAAE,IAAI;SACd;QACD;YACE,QAAQ,EAAE,6DAA6D;YACvE,aAAa,EAAE,0CAA0C;YACzD,MAAM,EAAE,EAAE;YACV,OAAO,EAAE,IAAI;SACd;QACD;YACE,QAAQ,EAAE,kCAAkC;YAC5C,MAAM,EAAE,EAAE;YACV,OAAO,EAAE,KAAK;SACf;KACF;IAED,UAAU,EAAE;QACV;YACE,iBAAiB,EAAE,qBAAqB;YACxC,yBAAyB,EAAE,MAAM;YACjC,QAAQ,EAAE,MAAM;YAChB,OAAO,EAAE,IAAI;YACb,MAAM,EAAC;gBACH,KAAK,EAAE,MAAM;gBACb,aAAa,EAAE,MAAM;gBACrB,OAAO,EAAE,IAAI;gBACb,MAAM,EAAE,EAAE;aACb;SACF,EAAE;YACD,iBAAiB,EAAE,4BAA4B;YAC/C,yBAAyB,EAAE,aAAa;YACxC,QAAQ,EAAE,cAAc;YACxB,OAAO,EAAE,IAAI;YACb,MAAM,EAAE;gBACN;oBACE,KAAK,EAAE,aAAa;oBACpB,aAAa,EAAE,aAAa;oBAC5B,OAAO,EAAE,IAAI;oBACb,MAAM,EAAE,EAAE;iBACX;gBACD;oBACE,KAAK,EAAE,SAAS;oBAChB,aAAa,EAAE,aAAa;oBAC5B,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,EAAE;iBACX;aACF;SACF;KACF;CACF,CAAA;AAGD,MAAM,QAAQ,GAAqB;IACjC,UAAU,EAAE,YAAY;IACxB,OAAO,EAAE,IAAI;IAEb,MAAM,EAAE,OAAO;IACf,OAAO,EAAE;QACP;YACE,MAAM,EAAE,SAAS;YACjB,OAAO,EAAE,IAAI;SACd;KACF;IAED,SAAS,EAAE;QACT;YACE,QAAQ,EAAE,8BAA8B;YACxC,MAAM,EAAE,EAAE;YACV,OAAO,EAAE,IAAI;SACd;KACF;IAED,UAAU,EAAE;QACV;YACE,iBAAiB,EAAE,yBAAyB;YAC5C,QAAQ,EAAE,yBAAyB;YACnC,OAAO,EAAE,IAAI;YACb,eAAe,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC;YAClC,MAAM,EAAC;gBACL;oBACE,KAAK,EAAE,IAAI;oBACX,OAAO,EAAE,IAAI;oBACb,cAAc,EAAE,CAAC,OAAO,EAAE,SAAS,CAAC;iBACrC;gBACD;oBACE,KAAK,EAAE,IAAI;oBACX,OAAO,EAAE,IAAI;oBACb,cAAc,EAAE,CAAC,QAAQ,EAAE,WAAW,CAAC;iBACxC;aAEF;SACF;QACD;YACE,iBAAiB,EAAE,yBAAyB;YAC5C,QAAQ,EAAE,4BAA4B;YACtC,OAAO,EAAE,IAAI;YACb,eAAe,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC;YAClC,MAAM,EAAC;gBACL;oBACE,KAAK,EAAE,IAAI;oBACX,OAAO,EAAE,IAAI;oBACb,4DAA4D;oBAC5D,sBAAsB,EAAE,CAAC,OAAO,EAAE,SAAS,CAAC;iBAC7C;gBACD;oBACE,KAAK,EAAE,IAAI;oBACX,OAAO,EAAE,IAAI;oBACb,yDAAyD;oBACzD,sBAAsB,EAAE,CAAC,QAAQ,EAAE,WAAW,CAAC;iBAChD;aAEF;SACF;QACD;YACE,iBAAiB,EAAE,yBAAyB;YAC5C,QAAQ,EAAE,wBAAwB;YAClC,OAAO,EAAE,IAAI;YACb,eAAe,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC;YAClC,MAAM,EAAC;gBACL;oBACE,KAAK,EAAE,IAAI;oBACX,OAAO,EAAE,IAAI;oBACb,cAAc,EAAE,CAAC,OAAO,EAAE,SAAS,CAAC;iBACrC;gBACD;oBACE,KAAK,EAAE,IAAI;oBACX,OAAO,EAAE,IAAI;oBACb,cAAc,EAAE,CAAC,QAAQ,EAAE,WAAW,CAAC;iBACxC;aAEF;SACF;QACD;YACE,iBAAiB,EAAE,yBAAyB;YAC5C,QAAQ,EAAE,2BAA2B;YACrC,OAAO,EAAE,IAAI;YACb,eAAe,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC;YAClC,MAAM,EAAC;gBACL;oBACE,KAAK,EAAE,IAAI;oBACX,OAAO,EAAE,IAAI;oBACb,cAAc,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,WAAW,CAAC;iBACzD;gBACD;oBACE,KAAK,EAAE,IAAI;oBACX,OAAO,EAAE,IAAI;oBACb,cAAc,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,SAAS,CAAC;iBACtD;aAEF;SACF;QACD;YACE,iBAAiB,EAAE,4BAA4B;YAC/C,yBAAyB,EAAE,aAAa;YACxC,QAAQ,EAAE,cAAc;YACxB,OAAO,EAAE,IAAI;YACb,MAAM,EAAE;gBACN;oBACE,KAAK,EAAE,aAAa;oBACpB,aAAa,EAAE,aAAa;oBAC5B,OAAO,EAAE,IAAI;oBACb,MAAM,EAAE,EAAE;iBACX;gBACD;oBACE,KAAK,EAAE,SAAS;oBAChB,aAAa,EAAE,aAAa;oBAC5B,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,EAAE;iBACX;aACF;SACF;KACF;CACF,CAAA;AAED,SAAS,OAAO,CAAC,CAAS;IACxB,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAA;AACvB,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,OAAyB;IACpD,MAAM,MAAM,GAAG,IAAI,CAAA;IAEnB,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;IAEhB,IAAG,OAAO,CAAC,OAAO,EAAE,CAAC;QACnB,OAAO,CAAC,GAAG,CAAC,GAAG,MAAM,gBAAgB,OAAO,CAAC,UAAU,UAAU,CAAC,CAAA;IACpE,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,GAAG,MAAM,gBAAgB,OAAO,CAAC,UAAU,iBAAiB,CAAC,CAAA;IAC3E,CAAC;IAED,IAAG,OAAO,CAAC,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACtD,MAAM,YAAY,GAAG,GAAG,MAAM,cAAc,OAAO,CAAC,OAAO,CAAC,MAAM,SAAS,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,UAAU,EAAE,CAAA;IAC7H,CAAC;SAAM,IAAG,OAAO,CAAC,OAAO,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAC5D,OAAO,CAAC,GAAG,CAAC,GAAG,MAAM,aAAa,CAAC,CAAA;QACnC,KAAI,MAAM,MAAM,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;YACpC,OAAO,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC,MAAM,SAAS,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,UAAU,EAAE,CAAC,CAAA;QAC7F,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,GAAG,MAAM,GAAG,CAAC,CAAC;IAC5B,CAAC;IAED,IAAG,OAAO,CAAC,SAAS,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;QAC1D,IAAG,OAAO,CAAC,SAAS,CAAC,aAAa,EAAE,CAAC;YACnC,OAAO,CAAC,GAAG,CAAC,GAAG,MAAM,aAAa,OAAO,CAAC,SAAS,CAAC,aAAa,oBAAoB,CAAC,CAAA;QACxF,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,GAAG,MAAM,gBAAgB,OAAO,CAAC,SAAS,CAAC,QAAQ,SAAS,OAAO,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,UAAU,EAAE,CAAC,CAAA;IAC7H,CAAC;SAAM,IAAG,OAAO,CAAC,SAAS,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;QAChE,OAAO,CAAC,GAAG,CAAC,GAAG,MAAM,eAAe,CAAC,CAAA;QACrC,KAAI,MAAM,QAAQ,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;YACxC,IAAI,YAAY,GAAG,GAAG,OAAO,CAAC,CAAC,CAAC,IAAI,QAAQ,CAAC,QAAQ,SAAS,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,UAAU,EAAE,CAAA;YACvG,IAAG,QAAQ,CAAC,aAAa,EAAE,CAAC;gBAC1B,YAAY,IAAI,iBAAiB,QAAQ,CAAC,aAAa,GAAG,CAAA;YAC5D,CAAC;YACD,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;QAC3B,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,GAAG,MAAM,GAAG,CAAC,CAAC;IAC5B,CAAC;IAED,IAAG,OAAO,CAAC,UAAU,EAAE,CAAC;QACtB,MAAM,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAA;QACzD,OAAO,CAAC,GAAG,CAAC,GAAG,MAAM,gBAAgB,CAAC,CAAA;QACtC,KAAI,MAAM,EAAE,IAAI,SAAS,EAAE,CAAC;YAC1B,MAAM,YAAY,GAAG,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,EAAE,CAAC,CAAA;YACtE,OAAO,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,MAAM,CAAC,CAAA;YACtC,KAAI,MAAM,CAAC,IAAI,YAAY,EAAG,CAAC;gBAC7B,IAAG,CAAC,CAAC,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;oBACxC,OAAO,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,iBAAiB,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,SAAS,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,UAAU,EAAE,CAAC,CAAA;oBACjH,0GAA0G;gBAC5G,CAAC;qBAAM,IAAG,CAAC,CAAC,MAAM,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;oBAC9C,OAAO,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,iBAAiB,MAAM,CAAC,CAAA;oBACvD,KAAI,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC;wBACxB,OAAO,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,SAAS,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,UAAU,EAAE,CAAC,CAAA;oBAClF,CAAC;oBACD,OAAO,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAA;gBAC/B,CAAC;YACH,CAAC;YAED,OAAO,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAA;QAC/B,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,GAAG,MAAM,GAAG,CAAC,CAAA;IAE3B,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;AAGlB,CAAC;AAED,YAAY,CAAC,QAAQ,CAAC,CAAA"}

package/dist/esm/explain/statementExplain.d.ts ADDED Viewed

@@ -0,0 +1,51 @@
+export interface ActionExplain {
+    action: string;
+    matches: boolean;
+}
+export interface ResourceExplain {
+    resource: string;
+    resolvedValue?: string;
+    errors?: string[];
+    matches: boolean;
+}
+export interface PrincipalExplain {
+    principal: string;
+    matches: 'Match' | 'NoMatch' | 'AccountLevelMatch' | 'SessionRoleMatch' | 'SessionUserMatch';
+    roleForSessionArn?: string;
+    userForSessionArn?: string;
+    errors?: string[];
+}
+export interface ConditionValueExplain {
+    value: string;
+    resolvedValue?: string;
+    matches: boolean;
+    matchingValues?: string[];
+    negativeMatchingValues?: string[];
+    errors?: string[];
+}
+export interface ConditionExplain {
+    operator: string;
+    conditionKeyValue: string;
+    resolvedConditionKeyValue?: string;
+    values: ConditionValueExplain | ConditionValueExplain[];
+    unmatchedValues?: string[];
+    matches: boolean;
+    matchedBecauseMissing?: boolean;
+    failedBecauseMissing?: boolean;
+    failedBecauseArray?: boolean;
+    failedBecauseNotArray?: boolean;
+    missingOperator?: boolean;
+}
+export interface StatementExplain {
+    matches: boolean;
+    identifier: string;
+    effect: string;
+    actions?: ActionExplain | ActionExplain[];
+    notActions?: ActionExplain | ActionExplain[];
+    resources?: ResourceExplain | ResourceExplain[];
+    notResources?: ResourceExplain | ResourceExplain[];
+    principals?: PrincipalExplain | PrincipalExplain[];
+    notPrincipals?: PrincipalExplain | PrincipalExplain[];
+    conditions?: ConditionExplain[];
+}
+//# sourceMappingURL=statementExplain.d.ts.map

package/dist/esm/explain/statementExplain.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"statementExplain.d.ts","sourceRoot":"","sources":["../../../src/explain/statementExplain.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,EAAE,OAAO,CAAA;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAA;IAChB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;IACjB,OAAO,EAAE,OAAO,CAAA;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,OAAO,GAAG,SAAS,GAAG,mBAAmB,GAAG,kBAAkB,GAAG,kBAAkB,CAAA;IAC5F,iBAAiB,CAAC,EAAE,MAAM,CAAA;IAC1B,iBAAiB,CAAC,EAAE,MAAM,CAAA;IAC1B,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAClB;AAED,MAAM,WAAW,qBAAqB;IACpC,KAAK,EAAE,MAAM,CAAA;IACb,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,OAAO,EAAE,OAAO,CAAA;IAChB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;IACzB,sBAAsB,CAAC,EAAE,MAAM,EAAE,CAAA;IACjC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAClB;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,iBAAiB,EAAE,MAAM,CAAA;IACzB,yBAAyB,CAAC,EAAE,MAAM,CAAA;IAClC,MAAM,EAAE,qBAAqB,GAAG,qBAAqB,EAAE,CAAA;IACvD,eAAe,CAAC,EAAE,MAAM,EAAE,CAAA;IAC1B,OAAO,EAAE,OAAO,CAAA;IAChB,qBAAqB,CAAC,EAAE,OAAO,CAAA;IAC/B,oBAAoB,CAAC,EAAE,OAAO,CAAA;IAC9B,kBAAkB,CAAC,EAAE,OAAO,CAAA;IAC5B,qBAAqB,CAAC,EAAE,OAAO,CAAA;IAC/B,eAAe,CAAC,EAAE,OAAO,CAAA;CAC1B;AAED,MAAM,WAAW,gBAAgB;IAQ/B,OAAO,EAAE,OAAO,CAAA;IAChB,UAAU,EAAE,MAAM,CAAA;IAClB,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,CAAC,EAAE,aAAa,GAAG,aAAa,EAAE,CAAA;IACzC,UAAU,CAAC,EAAE,aAAa,GAAG,aAAa,EAAE,CAAA;IAC5C,SAAS,CAAC,EAAE,eAAe,GAAG,eAAe,EAAE,CAAA;IAC/C,YAAY,CAAC,EAAE,eAAe,GAAG,eAAe,EAAE,CAAA;IAClD,UAAU,CAAC,EAAG,gBAAgB,GAAG,gBAAgB,EAAE,CAAA;IACnD,aAAa,CAAC,EAAE,gBAAgB,GAAG,gBAAgB,EAAE,CAAA;IACrD,UAAU,CAAC,EAAE,gBAAgB,EAAE,CAAA;CAChC"}

package/dist/esm/explain/statementExplain.js ADDED Viewed

@@ -0,0 +1,6 @@
+export {};
+/*
+I want to emit the policy object exactly as it was written. How do I get a structure
+that matches the policy object exactly? Should I just embed the values in the explain?
+*/
+//# sourceMappingURL=statementExplain.js.map

package/dist/esm/explain/statementExplain.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"statementExplain.js","sourceRoot":"","sources":["../../../src/explain/statementExplain.ts"],"names":[],"mappings":";AA+DA;;;EAGE"}