@cloud-copilot/iam-simulate 0.1.12 → 0.1.14

package/dist/esm/index.d.ts

@@ -2,6 +2,7 @@ export { typeForContextKey } from './context_keys/contextKeys.js';
 export { BaseConditionKeyType, isConditionKeyArray, type ConditionKeyType } from './context_keys/contextKeyTypes.js';
 export { findContextKeys } from './context_keys/findContextKeys.js';
 export { type EvaluationResult } from './evaluate.js';
+export type { ActionExplain, ConditionExplain, ConditionValueExplain, PrincipalExplain, ResourceExplain, StatementExplain } from './explain/statementExplain.js';
 export { allowedContextKeysForRequest } from './simulation_engine/contextKeys.js';
 export { type Simulation } from './simulation_engine/simulation.js';
 export { runSimulation } from './simulation_engine/simulationEngine.js';

package/dist/esm/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAC;AAClE,OAAO,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,KAAK,gBAAgB,EAAE,MAAM,mCAAmC,CAAC;AACrH,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAC;AACpE,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACtD,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAC;AAClF,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,mCAAmC,CAAC;AACpE,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAC;AACxE,OAAO,EAAE,KAAK,iBAAiB,EAAE,MAAM,0CAA0C,CAAC;AAClF,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAC;AACpF,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAC;AAClE,OAAO,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,KAAK,gBAAgB,EAAE,MAAM,mCAAmC,CAAC;AACrH,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAC;AACpE,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACtD,YAAY,EAAE,aAAa,EAAE,gBAAgB,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,+BAA+B,CAAC;AACjK,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAC;AAClF,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,mCAAmC,CAAC;AACpE,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAC;AACxE,OAAO,EAAE,KAAK,iBAAiB,EAAE,MAAM,0CAA0C,CAAC;AAClF,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAC;AACpF,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC"}

package/dist/esm/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAC;AAClE,OAAO,EAAwB,mBAAmB,EAAyB,MAAM,mCAAmC,CAAC;AACrH,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAC;AAEpE,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAC;AAElF,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAC;AAExE,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAC;AACpF,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAC;AAClE,OAAO,EAAwB,mBAAmB,EAAyB,MAAM,mCAAmC,CAAC;AACrH,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAC;AAGpE,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAC;AAElF,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAC;AAExE,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAC;AACpF,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC"}

package/dist/esm/principal/principal.d.ts

@@ -1,6 +1,7 @@
 import { Principal, Statement } from "@cloud-copilot/iam-policy";
+import { PrincipalExplain, StatementExplain } from "../explain/statementExplain.js";
 import { AwsRequest } from "../request/request.js";
-export type PrincipalMatchResult = 'Match' | 'NoMatch' | 'AccountLevelMatch';
+export type PrincipalMatchResult = 'Match' | 'NoMatch' | 'AccountLevelMatch' | 'SessionRoleMatch' | 'SessionUserMatch';
 /**
  * Check to see if a request matches a Principal element in an IAM policy statement
  *
@@ -8,7 +9,10 @@ export type PrincipalMatchResult = 'Match' | 'NoMatch' | 'AccountLevelMatch';
  * @param principal the list of principals in the Principal element of the Statement
  * @returns if the request matches the Principal element, and if so, how it matches
  */
-export declare function requestMatchesPrincipal(request: AwsRequest, principal: Principal[]): PrincipalMatchResult;
+export declare function requestMatchesPrincipal(request: AwsRequest, principal: Principal[]): {
+    matches: PrincipalMatchResult;
+    explains: PrincipalExplain[];
+};
 /**
  * Check to see if a request matches a NotPrincipal element in an IAM policy statement
  *
@@ -16,7 +20,10 @@ export declare function requestMatchesPrincipal(request: AwsRequest, principal:
  * @param notPrincipal the list of principals in the NotPrincipal element of the Statement
  * @returns
  */
-export declare function requestMatchesNotPrincipal(request: AwsRequest, notPrincipal: Principal[]): PrincipalMatchResult;
+export declare function requestMatchesNotPrincipal(request: AwsRequest, notPrincipal: Principal[]): {
+    matches: PrincipalMatchResult;
+    explains: PrincipalExplain[];
+};
 /**
  * Check to see if a request matches a principal statement
  *
@@ -24,9 +31,21 @@ export declare function requestMatchesNotPrincipal(request: AwsRequest, notPrinc
  * @param principalStatement the principal statement to check the request against
  * @returns if the request matches the principal statement, and if so, how it matches
  */
-export declare function requestMatchesPrincipalStatement(request: AwsRequest, principalStatement: Principal): PrincipalMatchResult;
-export declare function isAssumedRoleArn(principal: string): boolean;
+export declare function requestMatchesPrincipalStatement(request: AwsRequest, principalStatement: Principal): PrincipalExplain;
+/**
+ * Transfrom an assumed role session ARN into a role ARN
+ *
+ * @param assumedRoleArn the assumed role session ARN
+ * @returns the role ARN for the assumed role session
+ */
 export declare function roleArnFromAssumedRoleArn(assumedRoleArn: string): string;
+/**
+ * Get a user ARN from a federated user ARN
+ *
+ * @param federatedUserArn the federated user ARN
+ * @returns the user ARN for the federated user ARN
+ */
+export declare function userArnFromFederatedUserArn(federatedUserArn: string): string;
 /**
  * Check if a request matches the Resource or NotResource elements of a statement.
  *
@@ -34,5 +53,8 @@ export declare function roleArnFromAssumedRoleArn(assumedRoleArn: string): strin
  * @param statement the statement to check against
  * @returns true if the request matches the resources in the statement, false otherwise
  */
-export declare function requestMatchesStatementPrincipals(request: AwsRequest, statement: Statement): PrincipalMatchResult;
+export declare function requestMatchesStatementPrincipals(request: AwsRequest, statement: Statement): {
+    matches: PrincipalMatchResult;
+    details: Pick<StatementExplain, 'principals' | 'notPrincipals'>;
+};
 //# sourceMappingURL=principal.d.ts.map

package/dist/esm/principal/principal.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"principal.d.ts","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AA4CnD,MAAM,MAAM,oBAAoB,GAAG,OAAO,GAAG,SAAS,GAAG,mBAAmB,CAAA;AAE5E;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,oBAAoB,CAWzG;AAED;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,SAAS,EAAE,GAAG,oBAAoB,CAiB/G;AAED;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAAC,OAAO,EAAE,UAAU,EAAE,kBAAkB,EAAE,SAAS,GAAG,oBAAoB,CAgDzH;AAID,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAE3D;AAED,wBAAgB,yBAAyB,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAKxE;AAED;;;;;;GAMG;AACH,wBAAgB,iCAAiC,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,GAAG,oBAAoB,CAOjH"}
+{"version":3,"file":"principal.d.ts","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,gCAAgC,CAAC;AACpF,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AA6CnD,MAAM,MAAM,oBAAoB,GAAG,OAAO,GAAG,SAAS,GAAG,mBAAmB,GAAG,kBAAkB,GAAG,kBAAkB,CAAA;AAEtH;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG;IAAC,OAAO,EAAE,oBAAoB,CAAC;IAAC,QAAQ,EAAE,gBAAgB,EAAE,CAAA;CAAC,CAkClJ;AAED;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,SAAS,EAAE,GAAG;IAAC,OAAO,EAAE,oBAAoB,CAAC;IAAC,QAAQ,EAAE,gBAAgB,EAAE,CAAA;CAAC,CAyCxJ;AAED;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAAC,OAAO,EAAE,UAAU,EAAE,kBAAkB,EAAE,SAAS,GAAG,gBAAgB,CA+FrH;AAED;;;;;GAKG;AACH,wBAAgB,yBAAyB,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAKxE;AAED;;;;;GAKG;AACH,wBAAgB,2BAA2B,CAAC,gBAAgB,EAAE,MAAM,GAAG,MAAM,CAK5E;AAGD;;;;;;GAMG;AACH,wBAAgB,iCAAiC,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,GAAG;IAAC,OAAO,EAAE,oBAAoB,CAAC;IAAC,OAAO,EAAE,IAAI,CAAC,gBAAgB,EAAE,YAAY,GAAG,eAAe,CAAC,CAAA;CAAC,CAS7L"}

package/dist/esm/principal/principal.js

@@ -1,3 +1,4 @@
+import { isAssumedRoleArn, isFederatedUserArn } from "../util.js";
 /**
  * Check to see if a request matches a Principal element in an IAM policy statement
  *
@@ -6,14 +7,35 @@
  * @returns if the request matches the Principal element, and if so, how it matches
  */
 export function requestMatchesPrincipal(request, principal) {
-    const matches = principal.map(principalStatement => requestMatchesPrincipalStatement(request, principalStatement));
-    if (matches.includes('Match')) {
-        return 'Match';
+    const explains = principal.map(principalStatement => requestMatchesPrincipalStatement(request, principalStatement));
+    if (explains.some(exp => exp.matches === 'Match')) {
+        return {
+            matches: 'Match',
+            explains
+        };
     }
-    if (matches.includes('AccountLevelMatch')) {
-        return 'AccountLevelMatch';
+    if (explains.some(exp => exp.matches === 'SessionUserMatch')) {
+        return {
+            matches: 'SessionUserMatch',
+            explains
+        };
     }
-    return 'NoMatch';
+    if (explains.some(exp => exp.matches === 'SessionRoleMatch')) {
+        return {
+            matches: 'SessionRoleMatch',
+            explains
+        };
+    }
+    if (explains.some(exp => exp.matches === 'AccountLevelMatch')) {
+        return {
+            matches: 'AccountLevelMatch',
+            explains
+        };
+    }
+    return {
+        matches: 'NoMatch',
+        explains
+    };
 }
 /**
  * Check to see if a request matches a NotPrincipal element in an IAM policy statement
@@ -23,20 +45,40 @@ export function requestMatchesPrincipal(request, principal) {
  * @returns
  */
 export function requestMatchesNotPrincipal(request, notPrincipal) {
-    const matches = notPrincipal.map(principalStatement => requestMatchesPrincipalStatement(request, principalStatement));
-    if (matches.includes('Match')) {
-        return 'NoMatch';
-    }
-    /**
-     * Need to do research on this. If there is an account level match on a NotPrincipal, does that
-     * mean it tentatively matches the NotPrincipal, or does it mean it does not match the NotPrincipal?
-     *
-     * We need to test this.
-     */
-    if (matches.includes('AccountLevelMatch')) {
-        return 'NoMatch';
+    // const matches = notPrincipal.map(principalStatement => requestMatchesPrincipalStatement(request, principalStatement))
+    const explains = notPrincipal.map(principalStatement => {
+        const explain = requestMatchesPrincipalStatement(request, principalStatement);
+        /**
+         * Need to do research on this. If there is an account level match on a NotPrincipal, does that
+         * mean it tentatively matches the NotPrincipal, or does it mean it does not match the NotPrincipal?
+         *
+         * We need to test this.
+         */
+        if (explain.matches === 'Match' || explain.matches === 'AccountLevelMatch' || explain.matches === 'SessionRoleMatch' || explain.matches === 'SessionUserMatch') {
+            explain.matches = 'NoMatch';
+        }
+        else {
+            explain.matches = 'Match';
+        }
+        return explain;
+    });
+    if (explains.some(exp => exp.matches === 'NoMatch')) {
+        return {
+            matches: 'NoMatch',
+            explains
+        };
     }
-    return 'Match';
+    return {
+        matches: 'Match',
+        explains
+    };
+    // if(matches.includes('Match')) {
+    //   return 'NoMatch'
+    // }
+    // if(matches.includes('AccountLevelMatch')) {
+    //   return 'NoMatch'
+    // }
+    // return 'Match'
 }
 /**
  * Check to see if a request matches a principal statement
@@ -48,55 +90,117 @@ export function requestMatchesNotPrincipal(request, notPrincipal) {
 export function requestMatchesPrincipalStatement(request, principalStatement) {
     if (principalStatement.isServicePrincipal()) {
         if (principalStatement.service() === request.principal.value()) {
-            return 'Match';
+            return {
+                matches: 'Match',
+                principal: principalStatement.value(),
+            };
         }
-        return 'NoMatch';
+        return {
+            matches: 'NoMatch',
+            principal: principalStatement.value(),
+        };
     }
     if (principalStatement.isCanonicalUserPrincipal()) {
         if (principalStatement.canonicalUser() === request.principal.value()) {
-            return 'Match';
+            return {
+                matches: 'Match',
+                principal: principalStatement.value(),
+            };
         }
-        return 'NoMatch';
+        return {
+            matches: 'NoMatch',
+            principal: principalStatement.value(),
+        };
     }
     if (principalStatement.isFederatedPrincipal()) {
         if (principalStatement.federated() === request.principal.value()) {
-            return 'Match';
+            return {
+                matches: 'Match',
+                principal: principalStatement.value(),
+            };
         }
-        return 'NoMatch';
+        return {
+            matches: 'NoMatch',
+            principal: principalStatement.value(),
+        };
     }
     if (principalStatement.isWildcardPrincipal()) {
-        return 'Match';
+        return {
+            matches: 'Match',
+            principal: principalStatement.value(),
+        };
     }
     if (principalStatement.isAccountPrincipal()) {
         if (principalStatement.accountId() === request.principal.accountId()) {
-            return 'AccountLevelMatch';
+            return {
+                matches: 'AccountLevelMatch',
+                principal: principalStatement.value(),
+            };
         }
-        return 'NoMatch';
+        return {
+            matches: 'NoMatch',
+            principal: principalStatement.value(),
+        };
     }
     if (principalStatement.isAwsPrincipal()) {
         if (isAssumedRoleArn(request.principal.value())) {
             const sessionArn = request.principal.value();
             const roleArn = roleArnFromAssumedRoleArn(sessionArn);
-            if (principalStatement.arn() === roleArn || principalStatement.arn() === sessionArn) {
-                return 'Match';
+            if (principalStatement.arn() === roleArn) {
+                return {
+                    matches: 'SessionRoleMatch',
+                    principal: principalStatement.value(),
+                    roleForSessionArn: roleArn,
+                };
+            }
+        }
+        else if (isFederatedUserArn(request.principal.value())) {
+            const sessionArn = request.principal.value();
+            const userArn = userArnFromFederatedUserArn(sessionArn);
+            if (principalStatement.arn() === userArn) {
+                return {
+                    matches: 'SessionUserMatch',
+                    principal: principalStatement.value(),
+                    userForSessionArn: userArn,
+                };
             }
         }
         if (principalStatement.arn() === request.principal.value()) {
-            return 'Match';
+            return {
+                matches: 'Match',
+                principal: principalStatement.value()
+            };
         }
     }
-    return 'NoMatch';
-}
-const assumedRoleArnRegex = /^arn:aws:sts::\d{12}:assumed-role\/.*$/;
-export function isAssumedRoleArn(principal) {
-    return assumedRoleArnRegex.test(principal);
+    return {
+        matches: 'NoMatch',
+        principal: principalStatement.value(),
+    };
 }
+/**
+ * Transfrom an assumed role session ARN into a role ARN
+ *
+ * @param assumedRoleArn the assumed role session ARN
+ * @returns the role ARN for the assumed role session
+ */
 export function roleArnFromAssumedRoleArn(assumedRoleArn) {
     const stsParts = assumedRoleArn.split(':');
     const resourceParts = stsParts.at(-1).split('/');
     const rolePathAndName = resourceParts.slice(1, -1).join('/');
     return `arn:aws:iam::${stsParts[4]}:role/${rolePathAndName}`;
 }
+/**
+ * Get a user ARN from a federated user ARN
+ *
+ * @param federatedUserArn the federated user ARN
+ * @returns the user ARN for the federated user ARN
+ */
+export function userArnFromFederatedUserArn(federatedUserArn) {
+    const stsParts = federatedUserArn.split(':');
+    const resource = stsParts.at(-1);
+    const username = resource.slice(resource.indexOf('/') + 1);
+    return `arn:aws:iam::${stsParts[4]}:user/${username}`;
+}
 /**
  * Check if a request matches the Resource or NotResource elements of a statement.
  *
@@ -106,10 +210,12 @@ export function roleArnFromAssumedRoleArn(assumedRoleArn) {
  */
 export function requestMatchesStatementPrincipals(request, statement) {
     if (statement.isPrincipalStatement()) {
-        return requestMatchesPrincipal(request, statement.principals());
+        const { matches, explains } = requestMatchesPrincipal(request, statement.principals());
+        return { matches, details: { principals: explains } };
     }
     else if (statement.isNotPrincipalStatement()) {
-        return requestMatchesNotPrincipal(request, statement.notPrincipals());
+        const { matches, explains } = requestMatchesNotPrincipal(request, statement.notPrincipals());
+        return { matches, details: { notPrincipals: explains } };
     }
     throw new Error('Statement should have Principal or NotPrincipal');
 }

package/dist/esm/principal/principal.js.map

@@ -1 +1 @@
-{"version":3,"file":"principal.js","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":"AA+CA;;;;;;GAMG;AACH,MAAM,UAAU,uBAAuB,CAAC,OAAmB,EAAE,SAAsB;IACjF,MAAM,OAAO,GAAG,SAAS,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAE,CAAC,gCAAgC,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC,CAAA;IAClH,IAAG,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7B,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,IAAG,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;QACzC,OAAO,mBAAmB,CAAA;IAC5B,CAAC;IAED,OAAO,SAAS,CAAA;AAClB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,0BAA0B,CAAC,OAAmB,EAAE,YAAyB;IACvF,MAAM,OAAO,GAAG,YAAY,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAE,CAAC,gCAAgC,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC,CAAA;IACrH,IAAG,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7B,OAAO,SAAS,CAAA;IAClB,CAAC;IAED;;;;;OAKG;IACH,IAAG,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;QACzC,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gCAAgC,CAAC,OAAmB,EAAE,kBAA6B;IACjG,IAAG,kBAAkB,CAAC,kBAAkB,EAAE,EAAE,CAAC;QAC3C,IAAG,kBAAkB,CAAC,OAAO,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAC9D,OAAO,OAAO,CAAA;QAChB,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAG,kBAAkB,CAAC,wBAAwB,EAAE,EAAE,CAAC;QACjD,IAAG,kBAAkB,CAAC,aAAa,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YACpE,OAAO,OAAO,CAAA;QAChB,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAG,kBAAkB,CAAC,oBAAoB,EAAE,EAAE,CAAC;QAC7C,IAAG,kBAAkB,CAAC,SAAS,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAChE,OAAO,OAAO,CAAA;QAChB,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAG,kBAAkB,CAAC,mBAAmB,EAAE,EAAE,CAAC;QAC5C,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,IAAG,kBAAkB,CAAC,kBAAkB,EAAE,EAAE,CAAC;QAC3C,IAAG,kBAAkB,CAAC,SAAS,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,CAAC;YACpE,OAAO,mBAAmB,CAAA;QAC5B,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAG,kBAAkB,CAAC,cAAc,EAAE,EAAE,CAAC;QACvC,IAAG,gBAAgB,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC;YAC/C,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;YAC5C,MAAM,OAAO,GAAG,yBAAyB,CAAC,UAAU,CAAC,CAAA;YACrD,IAAG,kBAAkB,CAAC,GAAG,EAAE,KAAM,OAAO,IAAI,kBAAkB,CAAC,GAAG,EAAE,KAAK,UAAU,EAAE,CAAC;gBACpF,OAAO,OAAO,CAAA;YAChB,CAAC;QACH,CAAC;QAED,IAAG,kBAAkB,CAAC,GAAG,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAC1D,OAAO,OAAO,CAAA;QAChB,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAA;AAClB,CAAC;AAED,MAAM,mBAAmB,GAAG,wCAAwC,CAAA;AAEpE,MAAM,UAAU,gBAAgB,CAAC,SAAiB;IAChD,OAAO,mBAAmB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;AAC5C,CAAC;AAED,MAAM,UAAU,yBAAyB,CAAC,cAAsB;IAC9D,MAAM,QAAQ,GAAG,cAAc,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC1C,MAAM,aAAa,GAAG,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,CAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACjD,MAAM,eAAe,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IAC5D,OAAO,gBAAgB,QAAQ,CAAC,CAAC,CAAC,SAAS,eAAe,EAAE,CAAA;AAC9D,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,iCAAiC,CAAC,OAAmB,EAAE,SAAoB;IACzF,IAAG,SAAS,CAAC,oBAAoB,EAAE,EAAE,CAAC;QACpC,OAAO,uBAAuB,CAAC,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE,CAAC,CAAA;IACjE,CAAC;SAAM,IAAG,SAAS,CAAC,uBAAuB,EAAE,EAAE,CAAC;QAC9C,OAAO,0BAA0B,CAAC,OAAO,EAAE,SAAS,CAAC,aAAa,EAAE,CAAC,CAAC;IACxE,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAA;AACpE,CAAC"}
+{"version":3,"file":"principal.js","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AA8ClE;;;;;;GAMG;AACH,MAAM,UAAU,uBAAuB,CAAC,OAAmB,EAAE,SAAsB;IACjF,MAAM,QAAQ,GAAG,SAAS,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAE,CAAC,gCAAgC,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC,CAAA;IACnH,IAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,OAAO,KAAK,OAAO,CAAC,EAAE,CAAC;QACjD,OAAO;YACL,OAAO,EAAE,OAAO;YAChB,QAAQ;SACT,CAAA;IACH,CAAC;IAED,IAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,OAAO,KAAK,kBAAkB,CAAC,EAAE,CAAC;QAC5D,OAAO;YACL,OAAO,EAAE,kBAAkB;YAC3B,QAAQ;SACT,CAAA;IACH,CAAC;IAED,IAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,OAAO,KAAK,kBAAkB,CAAC,EAAE,CAAC;QAC5D,OAAO;YACL,OAAO,EAAE,kBAAkB;YAC3B,QAAQ;SACT,CAAA;IACH,CAAC;IAED,IAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,OAAO,KAAK,mBAAmB,CAAC,EAAE,CAAC;QAC7D,OAAO;YACL,OAAO,EAAE,mBAAmB;YAC5B,QAAQ;SACT,CAAA;IACH,CAAC;IAED,OAAO;QACL,OAAO,EAAE,SAAS;QAClB,QAAQ;KACT,CAAA;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,0BAA0B,CAAC,OAAmB,EAAE,YAAyB;IACvF,wHAAwH;IACxH,MAAM,QAAQ,GAAG,YAAY,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAE;QACrD,MAAM,OAAO,GAAG,gCAAgC,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAA;QAC7E;;;;;WAKG;QACH,IAAG,OAAO,CAAC,OAAO,KAAK,OAAO,IAAI,OAAO,CAAC,OAAO,KAAK,mBAAmB,IAAI,OAAO,CAAC,OAAO,KAAK,kBAAkB,IAAI,OAAO,CAAC,OAAO,KAAK,kBAAkB,EAAE,CAAC;YAC9J,OAAO,CAAC,OAAO,GAAG,SAAS,CAAA;QAC7B,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,OAAO,GAAG,OAAO,CAAA;QAC3B,CAAC;QACD,OAAO,OAAO,CAAA;IAChB,CAAC,CAAC,CAAA;IAGF,IAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,OAAO,KAAK,SAAS,CAAC,EAAE,CAAC;QACnD,OAAO;YACL,OAAO,EAAE,SAAS;YAClB,QAAQ;SACT,CAAA;IACH,CAAC;IAED,OAAO;QACL,OAAO,EAAE,OAAO;QAChB,QAAQ;KACT,CAAA;IAED,kCAAkC;IAClC,qBAAqB;IACrB,IAAI;IAGJ,8CAA8C;IAC9C,qBAAqB;IACrB,IAAI;IAEJ,iBAAiB;AACnB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gCAAgC,CAAC,OAAmB,EAAE,kBAA6B;IACjG,IAAG,kBAAkB,CAAC,kBAAkB,EAAE,EAAE,CAAC;QAC3C,IAAG,kBAAkB,CAAC,OAAO,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAC9D,OAAO;gBACL,OAAO,EAAE,OAAO;gBAChB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;aACtC,CAAA;QACH,CAAC;QACD,OAAO;YACL,OAAO,EAAE,SAAS;YAClB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;SACtC,CAAA;IACH,CAAC;IAED,IAAG,kBAAkB,CAAC,wBAAwB,EAAE,EAAE,CAAC;QACjD,IAAG,kBAAkB,CAAC,aAAa,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YACpE,OAAO;gBACL,OAAO,EAAE,OAAO;gBAChB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;aACtC,CAAA;QACH,CAAC;QACD,OAAO;YACL,OAAO,EAAE,SAAS;YAClB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;SACtC,CAAA;IACH,CAAC;IAED,IAAG,kBAAkB,CAAC,oBAAoB,EAAE,EAAE,CAAC;QAC7C,IAAG,kBAAkB,CAAC,SAAS,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAChE,OAAO;gBACL,OAAO,EAAE,OAAO;gBAChB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;aACtC,CAAA;QACH,CAAC;QACD,OAAO;YACL,OAAO,EAAE,SAAS;YAClB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;SACtC,CAAA;IACH,CAAC;IAED,IAAG,kBAAkB,CAAC,mBAAmB,EAAE,EAAE,CAAC;QAC5C,OAAO;YACL,OAAO,EAAE,OAAO;YAChB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;SACtC,CAAA;IACH,CAAC;IAED,IAAG,kBAAkB,CAAC,kBAAkB,EAAE,EAAE,CAAC;QAC3C,IAAG,kBAAkB,CAAC,SAAS,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,CAAC;YACpE,OAAO;gBACL,OAAO,EAAE,mBAAmB;gBAC5B,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;aACtC,CAAA;QACH,CAAC;QACD,OAAO;YACL,OAAO,EAAE,SAAS;YAClB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;SACtC,CAAA;IACH,CAAC;IAED,IAAG,kBAAkB,CAAC,cAAc,EAAE,EAAE,CAAC;QACvC,IAAG,gBAAgB,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC;YAC/C,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;YAC5C,MAAM,OAAO,GAAG,yBAAyB,CAAC,UAAU,CAAC,CAAA;YACrD,IAAG,kBAAkB,CAAC,GAAG,EAAE,KAAM,OAAO,EAAE,CAAC;gBACzC,OAAO;oBACL,OAAO,EAAE,kBAAkB;oBAC3B,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;oBACrC,iBAAiB,EAAE,OAAO;iBAC3B,CAAA;YACH,CAAC;QACH,CAAC;aAAM,IAAG,kBAAkB,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC;YACxD,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;YAC5C,MAAM,OAAO,GAAG,2BAA2B,CAAC,UAAU,CAAC,CAAA;YACvD,IAAG,kBAAkB,CAAC,GAAG,EAAE,KAAK,OAAO,EAAE,CAAC;gBACxC,OAAO;oBACL,OAAO,EAAE,kBAAkB;oBAC3B,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;oBACrC,iBAAiB,EAAE,OAAO;iBAC3B,CAAA;YACH,CAAC;QACH,CAAC;QAED,IAAG,kBAAkB,CAAC,GAAG,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAC1D,OAAO;gBACL,OAAO,EAAE,OAAO;gBAChB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;aACtC,CAAA;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,OAAO,EAAE,SAAS;QAClB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;KACtC,CAAA;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,yBAAyB,CAAC,cAAsB;IAC9D,MAAM,QAAQ,GAAG,cAAc,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC1C,MAAM,aAAa,GAAG,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,CAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACjD,MAAM,eAAe,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IAC5D,OAAO,gBAAgB,QAAQ,CAAC,CAAC,CAAC,SAAS,eAAe,EAAE,CAAA;AAC9D,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,2BAA2B,CAAC,gBAAwB;IAClE,MAAM,QAAQ,GAAG,gBAAgB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC5C,MAAM,QAAQ,GAAG,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,CAAE,CAAA;IACjC,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAA;IAC1D,OAAO,gBAAgB,QAAQ,CAAC,CAAC,CAAC,SAAS,QAAQ,EAAE,CAAA;AACvD,CAAC;AAGD;;;;;;GAMG;AACH,MAAM,UAAU,iCAAiC,CAAC,OAAmB,EAAE,SAAoB;IACzF,IAAG,SAAS,CAAC,oBAAoB,EAAE,EAAE,CAAC;QACpC,MAAM,EAAC,OAAO,EAAE,QAAQ,EAAC,GAAG,uBAAuB,CAAC,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE,CAAC,CAAA;QACpF,OAAO,EAAC,OAAO,EAAE,OAAO,EAAE,EAAC,UAAU,EAAE,QAAQ,EAAC,EAAC,CAAA;IACnD,CAAC;SAAM,IAAG,SAAS,CAAC,uBAAuB,EAAE,EAAE,CAAC;QAC9C,MAAM,EAAC,OAAO,EAAE,QAAQ,EAAC,GAAG,0BAA0B,CAAC,OAAO,EAAE,SAAS,CAAC,aAAa,EAAE,CAAC,CAAA;QAC1F,OAAO,EAAC,OAAO,EAAE,OAAO,EAAE,EAAC,aAAa,EAAE,QAAQ,EAAC,EAAC,CAAA;IACtD,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAA;AACpE,CAAC"}

package/dist/esm/resource/resource.d.ts

@@ -1,4 +1,5 @@
 import { Resource, Statement } from "@cloud-copilot/iam-policy";
+import { ResourceExplain, StatementExplain } from "../explain/statementExplain.js";
 import { AwsRequest } from "../request/request.js";
 /**
  * Check if a request matches the Resource or NotResource elements of a statement.
@@ -7,7 +8,10 @@ import { AwsRequest } from "../request/request.js";
  * @param statement the statement to check against
  * @returns true if the request matches the resources in the statement, false otherwise
  */
-export declare function requestMatchesStatementResources(request: AwsRequest, statement: Statement): boolean;
+export declare function requestMatchesStatementResources(request: AwsRequest, statement: Statement): {
+    matches: boolean;
+    details: Pick<StatementExplain, 'resources' | 'notResources'>;
+};
 /**
  * Check if a request matches a set of resources.
  *
@@ -15,7 +19,10 @@ export declare function requestMatchesStatementResources(request: AwsRequest, st
  * @param policyResources the resources to check against
  * @returns true if the request matches any of the resources, false otherwise
  */
-export declare function requestMatchesResources(request: AwsRequest, policyResources: Resource[]): boolean;
+export declare function requestMatchesResources(request: AwsRequest, policyResources: Resource[]): {
+    matches: boolean;
+    explains: ResourceExplain[];
+};
 /**
  * Check if a request matches a NotResource element in a policy.
  *
@@ -23,5 +30,8 @@ export declare function requestMatchesResources(request: AwsRequest, policyResou
  * @param policyResources the resources to check against
  * @returns true if the request does not match any of the resources, false otherwise
  */
-export declare function requestMatchesNotResources(request: AwsRequest, policyResources: Resource[]): boolean;
+export declare function requestMatchesNotResources(request: AwsRequest, policyResources: Resource[]): {
+    matches: boolean;
+    explains: ResourceExplain[];
+};
 //# sourceMappingURL=resource.d.ts.map

package/dist/esm/resource/resource.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"resource.d.ts","sourceRoot":"","sources":["../../../src/resource/resource.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AAChE,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAmBnD;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,GAAG,OAAO,CAOnG;AAGD;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,QAAQ,EAAE,GAAG,OAAO,CAEjG;AAED;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,QAAQ,EAAE,GAAG,OAAO,CAEpG"}
+{"version":3,"file":"resource.d.ts","sourceRoot":"","sources":["../../../src/resource/resource.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,gCAAgC,CAAC;AACnF,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAmBnD;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,GAAG;IAAC,OAAO,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,IAAI,CAAC,gBAAgB,EAAE,WAAW,GAAG,cAAc,CAAC,CAAA;CAAC,CAiB7K;AAGD;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,QAAQ,EAAE,GAAG;IAAC,OAAO,EAAE,OAAO,CAAC;IAAC,QAAQ,EAAE,eAAe,EAAE,CAAA;CAAC,CAIzI;AAED;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,QAAQ,EAAE,GAAG;IAAC,OAAO,EAAE,OAAO,CAAC;IAAC,QAAQ,EAAE,eAAe,EAAE,CAAA;CAAC,CAQ5I"}

package/dist/esm/resource/resource.js

@@ -1,4 +1,4 @@
-import { convertIamStringToRegex, getResourceSegments } from "../util.js";
+import { convertIamString, getResourceSegments } from "../util.js";
 //TODO: Make a check to see if the action is a wildcard only action. This will have to happen outside of these functions.
 /**
  * Convert a resource segment to a regular expression. This is without variables.
@@ -22,12 +22,22 @@ function convertResourceSegmentToRegex(segment) {
  */
 export function requestMatchesStatementResources(request, statement) {
     if (statement.isResourceStatement()) {
-        return requestMatchesResources(request, statement.resources());
+        const { matches, explains } = requestMatchesResources(request, statement.resources());
+        if (!statement.resourceIsArray()) {
+            return { matches, details: { resources: explains[0] } };
+        }
+        return { matches, details: { resources: explains } };
+        // return requestMatchesResources(request, statement.resources());
     }
     else if (statement.isNotResourceStatement()) {
-        return requestMatchesNotResources(request, statement.notResources());
+        const { matches, explains } = requestMatchesNotResources(request, statement.notResources());
+        if (!statement.notResourceIsArray()) {
+            return { matches, details: { notResources: explains[0] } };
+        }
+        return { matches, details: { notResources: explains } };
+        // return requestMatchesNotResources(request, statement.notResources());
     }
-    return true;
+    return { matches: true, details: {} };
 }
 /**
  * Check if a request matches a set of resources.
@@ -37,7 +47,9 @@ export function requestMatchesStatementResources(request, statement) {
  * @returns true if the request matches any of the resources, false otherwise
  */
 export function requestMatchesResources(request, policyResources) {
-    return policyResources.some(policyResource => singleResourceMatchesRequest(request, policyResource));
+    const explains = policyResources.map(policyResource => singleResourceMatchesRequest(request, policyResource));
+    const matches = explains.some(explain => explain.matches);
+    return { matches, explains };
 }
 /**
  * Check if a request matches a NotResource element in a policy.
@@ -47,7 +59,13 @@ export function requestMatchesResources(request, policyResources) {
  * @returns true if the request does not match any of the resources, false otherwise
  */
 export function requestMatchesNotResources(request, policyResources) {
-    return !requestMatchesResources(request, policyResources);
+    const explains = policyResources.map(policyResource => {
+        const explain = singleResourceMatchesRequest(request, policyResource);
+        explain.matches = !explain.matches;
+        return explain;
+    });
+    const matches = !explains.some(explain => !explain.matches);
+    return { matches, explains };
 }
 /**
  * Check if a single resource matches a request.
@@ -58,35 +76,70 @@ export function requestMatchesNotResources(request, policyResources) {
  */
 function singleResourceMatchesRequest(request, policyResource) {
     if (policyResource.isAllResources()) {
-        return true;
+        return {
+            resource: policyResource.value(),
+            matches: true,
+        };
     }
     else if (policyResource.isArnResource()) {
         if (!request.resource) {
-            return false;
+            return {
+                resource: policyResource.value(),
+                matches: false,
+                errors: ['Request does not have a resource'],
+            };
         }
         const resource = request.resource;
         if (!convertResourceSegmentToRegex(policyResource.partition()).test(resource.partition())) {
-            return false;
+            return {
+                resource: policyResource.value(),
+                matches: false,
+                errors: ['Partition does not match'],
+            };
         }
         if (!convertResourceSegmentToRegex(policyResource.service()).test(resource.service())) {
-            return false;
+            return {
+                resource: policyResource.value(),
+                matches: false,
+                errors: ['Service does not match'],
+            };
         }
         if (!convertResourceSegmentToRegex(policyResource.region()).test(resource.region())) {
-            return false;
+            return {
+                resource: policyResource.value(),
+                matches: false,
+                errors: ['Region does not match'],
+            };
         }
         if (!convertResourceSegmentToRegex(policyResource.account()).test(resource.account())) {
-            return false;
+            return {
+                resource: policyResource.value(),
+                matches: false,
+                errors: ['Account does not match'],
+            };
         }
         //Wildcards and variables are not allowed in the product segment https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html "Incorrect wildcard usage"
         const [policyProduct, policyResourceId] = getResourceSegments(policyResource.resource());
         if (!resource.resource().startsWith(policyProduct)) {
-            return false;
+            return {
+                resource: policyResource.value(),
+                matches: false,
+                errors: ['Product does not match'],
+            };
         }
         const requestResourceId = resource.resource().slice(policyProduct.length);
-        if (!convertIamStringToRegex(policyResourceId, request).test(requestResourceId)) {
-            return false;
+        const { pattern, errors } = convertIamString(policyResourceId, request);
+        if (!pattern.test(requestResourceId)) {
+            return {
+                resource: policyResource.value(),
+                matches: false,
+                errors: ['Resource does not match'],
+            };
         }
-        return true;
+        return {
+            resource: policyResource.value(),
+            matches: true,
+        };
     }
     else {
         throw new Error('Unknown resource type');

package/dist/esm/resource/resource.js.map

@@ -1 +1 @@
-{"version":3,"file":"resource.js","sourceRoot":"","sources":["../../../src/resource/resource.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,uBAAuB,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAE1E,yHAAyH;AAEzH;;;;;GAKG;AACH,SAAS,6BAA6B,CAAC,OAAe;IACpD,IAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IACD,MAAM,OAAO,GAAG,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,GAAG,CAAA;IAC7E,OAAO,IAAI,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;AACjC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gCAAgC,CAAC,OAAmB,EAAE,SAAoB;IACxF,IAAG,SAAS,CAAC,mBAAmB,EAAE,EAAE,CAAC;QACnC,OAAO,uBAAuB,CAAC,OAAO,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,CAAC;IACjE,CAAC;SAAM,IAAG,SAAS,CAAC,sBAAsB,EAAE,EAAE,CAAC;QAC7C,OAAO,0BAA0B,CAAC,OAAO,EAAE,SAAS,CAAC,YAAY,EAAE,CAAC,CAAC;IACvE,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAGD;;;;;;GAMG;AACH,MAAM,UAAU,uBAAuB,CAAC,OAAmB,EAAE,eAA2B;IACtF,OAAO,eAAe,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE,CAAC,4BAA4B,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC,CAAA;AACtG,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,0BAA0B,CAAC,OAAmB,EAAE,eAA2B;IACzF,OAAO,CAAC,uBAAuB,CAAC,OAAO,EAAE,eAAe,CAAC,CAAA;AAC3D,CAAC;AAED;;;;;;GAMG;AACH,SAAS,4BAA4B,CAAC,OAAmB,EAAE,cAAwB;IACjF,IAAG,cAAc,CAAC,cAAc,EAAE,EAAE,CAAC;QACnC,OAAO,IAAI,CAAC;IACd,CAAC;SAAM,IAAG,cAAc,CAAC,aAAa,EAAE,EAAE,CAAC;QACzC,IAAG,CAAC,OAAO,CAAC,QAAQ,EAAG,CAAC;YACtB,OAAO,KAAK,CAAA;QACd,CAAC;QAED,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAA;QACjC,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,SAAS,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC,EAAE,CAAC;YACzF,OAAO,KAAK,CAAA;QACd,CAAC;QAED,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;YACrF,OAAO,KAAK,CAAA;QACd,CAAC;QAED,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,CAAC;YACnF,OAAO,KAAK,CAAA;QACd,CAAC;QAED,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;YACrF,OAAO,KAAK,CAAA;QACd,CAAC;QAED,gKAAgK;QAChK,MAAM,CAAC,aAAa,EAAE,gBAAgB,CAAC,GAAG,mBAAmB,CAAC,cAAc,CAAC,QAAQ,EAAE,CAAC,CAAA;QAExF,IAAG,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;YAClD,OAAO,KAAK,CAAA;QACd,CAAC;QAED,MAAM,iBAAiB,GAAG,QAAQ,CAAC,QAAQ,EAAE,CAAC,KAAK,CAAC,aAAa,CAAC,MAAM,CAAC,CAAA;QAEzE,IAAG,CAAC,uBAAuB,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,EAAE,CAAC;YAC/E,OAAO,KAAK,CAAA;QACd,CAAC;QAED,OAAO,IAAI,CAAA;IACb,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;AACH,CAAC"}
+{"version":3,"file":"resource.js","sourceRoot":"","sources":["../../../src/resource/resource.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAEnE,yHAAyH;AAEzH;;;;;GAKG;AACH,SAAS,6BAA6B,CAAC,OAAe;IACpD,IAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IACD,MAAM,OAAO,GAAG,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,GAAG,CAAA;IAC7E,OAAO,IAAI,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;AACjC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gCAAgC,CAAC,OAAmB,EAAE,SAAoB;IACxF,IAAG,SAAS,CAAC,mBAAmB,EAAE,EAAE,CAAC;QACnC,MAAM,EAAC,OAAO,EAAE,QAAQ,EAAC,GAAG,uBAAuB,CAAC,OAAO,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,CAAC;QACpF,IAAG,CAAC,SAAS,CAAC,eAAe,EAAE,EAAE,CAAC;YAChC,OAAO,EAAC,OAAO,EAAE,OAAO,EAAE,EAAC,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAC,EAAC,EAAC,CAAA;QACrD,CAAC;QACD,OAAO,EAAC,OAAO,EAAE,OAAO,EAAE,EAAC,SAAS,EAAE,QAAQ,EAAC,EAAC,CAAA;QAChD,kEAAkE;IACpE,CAAC;SAAM,IAAG,SAAS,CAAC,sBAAsB,EAAE,EAAE,CAAC;QAC7C,MAAM,EAAC,OAAO,EAAE,QAAQ,EAAC,GAAG,0BAA0B,CAAC,OAAO,EAAE,SAAS,CAAC,YAAY,EAAE,CAAC,CAAC;QAC1F,IAAG,CAAC,SAAS,CAAC,kBAAkB,EAAE,EAAE,CAAC;YACnC,OAAO,EAAC,OAAO,EAAE,OAAO,EAAE,EAAC,YAAY,EAAE,QAAQ,CAAC,CAAC,CAAC,EAAC,EAAC,CAAA;QACxD,CAAC;QACD,OAAO,EAAC,OAAO,EAAE,OAAO,EAAE,EAAC,YAAY,EAAE,QAAQ,EAAC,EAAC,CAAA;QACnD,wEAAwE;IAC1E,CAAC;IACD,OAAO,EAAC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAC,CAAC;AACtC,CAAC;AAGD;;;;;;GAMG;AACH,MAAM,UAAU,uBAAuB,CAAC,OAAmB,EAAE,eAA2B;IACtF,MAAM,QAAQ,GAAG,eAAe,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,CAAC,4BAA4B,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC,CAAA;IAC7G,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;IACzD,OAAO,EAAC,OAAO,EAAE,QAAQ,EAAC,CAAA;AAC5B,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,0BAA0B,CAAC,OAAmB,EAAE,eAA2B;IACzF,MAAM,QAAQ,GAAG,eAAe,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE;QACpD,MAAM,OAAO,GAAG,4BAA4B,CAAC,OAAO,EAAE,cAAc,CAAC,CAAA;QACrE,OAAO,CAAC,OAAO,GAAG,CAAC,OAAO,CAAC,OAAO,CAAA;QAClC,OAAO,OAAO,CAAA;IAChB,CAAC,CAAC,CAAA;IACF,MAAM,OAAO,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;IAC3D,OAAO,EAAC,OAAO,EAAE,QAAQ,EAAC,CAAA;AAC5B,CAAC;AAED;;;;;;GAMG;AACH,SAAS,4BAA4B,CAAC,OAAmB,EAAE,cAAwB;IACjF,IAAG,cAAc,CAAC,cAAc,EAAE,EAAE,CAAC;QACnC,OAAO;YACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;YAChC,OAAO,EAAE,IAAI;SACd,CAAC;IACJ,CAAC;SAAM,IAAG,cAAc,CAAC,aAAa,EAAE,EAAE,CAAC;QACzC,IAAG,CAAC,OAAO,CAAC,QAAQ,EAAG,CAAC;YACtB,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,kCAAkC,CAAC;aAC7C,CAAC;QACJ,CAAC;QAED,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAA;QACjC,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,SAAS,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC,EAAE,CAAC;YACzF,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,0BAA0B,CAAC;aACrC,CAAA;QACH,CAAC;QAED,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;YACrF,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,wBAAwB,CAAC;aACnC,CAAA;QACH,CAAC;QAED,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,CAAC;YACnF,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,uBAAuB,CAAC;aAClC,CAAA;QACH,CAAC;QAED,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;YACrF,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,wBAAwB,CAAC;aACnC,CAAA;QACH,CAAC;QAED,gKAAgK;QAChK,MAAM,CAAC,aAAa,EAAE,gBAAgB,CAAC,GAAG,mBAAmB,CAAC,cAAc,CAAC,QAAQ,EAAE,CAAC,CAAA;QAExF,IAAG,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;YAClD,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,wBAAwB,CAAC;aACnC,CAAA;QACH,CAAC;QAED,MAAM,iBAAiB,GAAG,QAAQ,CAAC,QAAQ,EAAE,CAAC,KAAK,CAAC,aAAa,CAAC,MAAM,CAAC,CAAA;QACzE,MAAM,EAAC,OAAO,EAAE,MAAM,EAAC,GAAG,gBAAgB,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAA;QAErE,IAAG,CAAC,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,EAAE,CAAC;YACpC,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,yBAAyB,CAAC;aACpC,CAAA;QACH,CAAC;QAED,OAAO;YACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;YAChC,OAAO,EAAE,IAAI;SACd,CAAA;IACH,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;AACH,CAAC"}

package/dist/esm/services/DefaultServiceAuthorizer.d.ts

@@ -1,41 +1,9 @@
-import { EvaluationResult, ResourceEvaluationResult } from "../evaluate.js";
-import { StatementAnalysis } from "../StatementAnalysis.js";
+import { RequestAnalysis } from "../evaluate.js";
 import { ServiceAuthorizationRequest, ServiceAuthorizer } from "./ServiceAuthorizer.js";
 /**
  * The default authorizer for services.
  */
 export declare class DefaultServiceAuthorizer implements ServiceAuthorizer {
-    authorize(request: ServiceAuthorizationRequest): EvaluationResult;
-    /**
-     * Determine the result of the SCP analysis.
-     *
-     * @param request The request to authorize.
-     * @returns The result of the SCP analysis.
-     */
-    serviceControlPolicyResult(request: ServiceAuthorizationRequest): EvaluationResult;
-    /**
-     * Evaluate the identity statements to determine the result.
-     *
-     * @param request The request to authorize.
-     * @returns The result of the identity statement analysis.
-     */
-    identityStatementResult(request: ServiceAuthorizationRequest): EvaluationResult;
-    /**
-     * Evaluate the resource policy to determine the result.
-     *
-     * @param request the request to authorize
-     * @returns the result of the resource policy analysis
-     */
-    resourcePolicyResult(request: ServiceAuthorizationRequest): ResourceEvaluationResult;
-    /**
-     * Checks if a statement is an identity statement that allows the request.
-     *
-     * @param statement The statement to check.
-     * @returns Whether the statement is an identity statement that allows the request.
-     */
-    identityStatementAllows(statement: StatementAnalysis): boolean;
-    identityStatementUknownAllow(statement: StatementAnalysis): boolean;
-    identityStatementUknownDeny(statement: StatementAnalysis): boolean;
-    identityStatementExplicitDeny(statement: StatementAnalysis): boolean;
+    authorize(request: ServiceAuthorizationRequest): RequestAnalysis;
 }
 //# sourceMappingURL=DefaultServiceAuthorizer.d.ts.map

package/dist/esm/services/DefaultServiceAuthorizer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,wBAAwB,EAAE,MAAM,gBAAgB,CAAC;AAC5E,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,EAAE,2BAA2B,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAExF;;GAEG;AACH,qBAAa,wBAAyB,YAAW,iBAAiB;IACzD,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,gBAAgB;IAiDxE;;;;;OAKG;IACI,0BAA0B,CAAC,OAAO,EAAE,2BAA2B,GAAG,gBAAgB;IAwBzF;;;;;OAKG;IACI,uBAAuB,CAAC,OAAO,EAAE,2BAA2B,GAAG,gBAAgB;IAoBtF;;;;;OAKG;IACI,oBAAoB,CAAC,OAAO,EAAE,2BAA2B,GAAG,wBAAwB;IAyB3F;;;;;OAKG;IACI,uBAAuB,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;IAU9D,4BAA4B,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;IAUnE,2BAA2B,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;IAUlE,6BAA6B,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;CAS5E"}
+{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAEjD,OAAO,EAAE,2BAA2B,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAExF;;GAEG;AACH,qBAAa,wBAAyB,YAAW,iBAAiB;IACzD,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe;CAoIxE"}