npm - @cloud-copilot/iam-simulate - Versions diffs - 0.1.12 → 0.1.14 - Mend

@cloud-copilot/iam-simulate 0.1.12 → 0.1.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (329) hide show

package/dist/cjs/explain/statementExplain.js ADDED Viewed

@@ -0,0 +1,7 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+/*
+I want to emit the policy object exactly as it was written. How do I get a structure
+that matches the policy object exactly? Should I just embed the values in the explain?
+*/
+//# sourceMappingURL=statementExplain.js.map

package/dist/cjs/explain/statementExplain.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"statementExplain.js","sourceRoot":"","sources":["../../../src/explain/statementExplain.ts"],"names":[],"mappings":";;AA+DA;;;EAGE"}

package/dist/cjs/index.d.ts CHANGED Viewed

@@ -2,6 +2,7 @@ export { typeForContextKey } from './context_keys/contextKeys.js';
 export { BaseConditionKeyType, isConditionKeyArray, type ConditionKeyType } from './context_keys/contextKeyTypes.js';
 export { findContextKeys } from './context_keys/findContextKeys.js';
 export { type EvaluationResult } from './evaluate.js';
+export type { ActionExplain, ConditionExplain, ConditionValueExplain, PrincipalExplain, ResourceExplain, StatementExplain } from './explain/statementExplain.js';
 export { allowedContextKeysForRequest } from './simulation_engine/contextKeys.js';
 export { type Simulation } from './simulation_engine/simulation.js';
 export { runSimulation } from './simulation_engine/simulationEngine.js';

package/dist/cjs/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAC;AAClE,OAAO,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,KAAK,gBAAgB,EAAE,MAAM,mCAAmC,CAAC;AACrH,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAC;AACpE,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACtD,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAC;AAClF,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,mCAAmC,CAAC;AACpE,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAC;AACxE,OAAO,EAAE,KAAK,iBAAiB,EAAE,MAAM,0CAA0C,CAAC;AAClF,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAC;AACpF,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAC;AAClE,OAAO,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,KAAK,gBAAgB,EAAE,MAAM,mCAAmC,CAAC;AACrH,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAC;AACpE,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACtD,YAAY,EAAE,aAAa,EAAE,gBAAgB,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,+BAA+B,CAAC;AACjK,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAC;AAClF,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,mCAAmC,CAAC;AACpE,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAC;AACxE,OAAO,EAAE,KAAK,iBAAiB,EAAE,MAAM,0CAA0C,CAAC;AAClF,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAC;AACpF,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC"}

package/dist/cjs/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,gEAAkE;AAAzD,mHAAA,iBAAiB,OAAA;AAC1B,wEAAqH;AAAtF,yHAAA,mBAAmB,OAAA;AAClD,wEAAoE;AAA3D,qHAAA,eAAe,OAAA;~~AAExB~~,qEAAkF;AAAzE,8HAAA,4BAA4B,OAAA;AAErC,+EAAwE;AAA/D,oHAAA,aAAa,OAAA;AAEtB,2FAAoF;AAA3E,gIAAA,mBAAmB,OAAA;AAC5B,qCAAiD;AAAxC,+GAAA,oBAAoB,OAAA"}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,gEAAkE;AAAzD,mHAAA,iBAAiB,OAAA;AAC1B,wEAAqH;AAAtF,yHAAA,mBAAmB,OAAA;AAClD,wEAAoE;AAA3D,qHAAA,eAAe,OAAA;AAGxB,qEAAkF;AAAzE,8HAAA,4BAA4B,OAAA;AAErC,+EAAwE;AAA/D,oHAAA,aAAa,OAAA;AAEtB,2FAAoF;AAA3E,gIAAA,mBAAmB,OAAA;AAC5B,qCAAiD;AAAxC,+GAAA,oBAAoB,OAAA"}

package/dist/cjs/principal/principal.d.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import { Principal, Statement } from "@cloud-copilot/iam-policy";
+import { PrincipalExplain, StatementExplain } from "../explain/statementExplain.js";
 import { AwsRequest } from "../request/request.js";
-export type PrincipalMatchResult = 'Match' | 'NoMatch' | 'AccountLevelMatch';
+export type PrincipalMatchResult = 'Match' | 'NoMatch' | 'AccountLevelMatch' | 'SessionRoleMatch' | 'SessionUserMatch';
 /**
  * Check to see if a request matches a Principal element in an IAM policy statement
  *
@@ -8,7 +9,10 @@ export type PrincipalMatchResult = 'Match' | 'NoMatch' | 'AccountLevelMatch';
  * @param principal the list of principals in the Principal element of the Statement
  * @returns if the request matches the Principal element, and if so, how it matches
  */
-export declare function requestMatchesPrincipal(request: AwsRequest, principal: Principal[]): PrincipalMatchResult;
+export declare function requestMatchesPrincipal(request: AwsRequest, principal: Principal[]): {
+    matches: PrincipalMatchResult;
+    explains: PrincipalExplain[];
+};
 /**
  * Check to see if a request matches a NotPrincipal element in an IAM policy statement
  *
@@ -16,7 +20,10 @@ export declare function requestMatchesPrincipal(request: AwsRequest, principal:
  * @param notPrincipal the list of principals in the NotPrincipal element of the Statement
  * @returns
  */
-export declare function requestMatchesNotPrincipal(request: AwsRequest, notPrincipal: Principal[]): PrincipalMatchResult;
+export declare function requestMatchesNotPrincipal(request: AwsRequest, notPrincipal: Principal[]): {
+    matches: PrincipalMatchResult;
+    explains: PrincipalExplain[];
+};
 /**
  * Check to see if a request matches a principal statement
  *
@@ -24,9 +31,21 @@ export declare function requestMatchesNotPrincipal(request: AwsRequest, notPrinc
  * @param principalStatement the principal statement to check the request against
  * @returns if the request matches the principal statement, and if so, how it matches
  */
-export declare function requestMatchesPrincipalStatement(request: AwsRequest, principalStatement: Principal): PrincipalMatchResult;
-export declare function isAssumedRoleArn(principal: string): boolean;
+export declare function requestMatchesPrincipalStatement(request: AwsRequest, principalStatement: Principal): PrincipalExplain;
+/**
+ * Transfrom an assumed role session ARN into a role ARN
+ *
+ * @param assumedRoleArn the assumed role session ARN
+ * @returns the role ARN for the assumed role session
+ */
 export declare function roleArnFromAssumedRoleArn(assumedRoleArn: string): string;
+/**
+ * Get a user ARN from a federated user ARN
+ *
+ * @param federatedUserArn the federated user ARN
+ * @returns the user ARN for the federated user ARN
+ */
+export declare function userArnFromFederatedUserArn(federatedUserArn: string): string;
 /**
  * Check if a request matches the Resource or NotResource elements of a statement.
  *
@@ -34,5 +53,8 @@ export declare function roleArnFromAssumedRoleArn(assumedRoleArn: string): strin
  * @param statement the statement to check against
  * @returns true if the request matches the resources in the statement, false otherwise
  */
-export declare function requestMatchesStatementPrincipals(request: AwsRequest, statement: Statement): PrincipalMatchResult;
+export declare function requestMatchesStatementPrincipals(request: AwsRequest, statement: Statement): {
+    matches: PrincipalMatchResult;
+    details: Pick<StatementExplain, 'principals' | 'notPrincipals'>;
+};
 //# sourceMappingURL=principal.d.ts.map

package/dist/cjs/principal/principal.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"principal.d.ts","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;~~AA4CnD~~,MAAM,MAAM,oBAAoB,GAAG,OAAO,GAAG,SAAS,GAAG,mBAAmB,CAAA;~~AAE5E~~;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,oBAAoB,~~CAWzG~~;AAED;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,SAAS,EAAE,GAAG,oBAAoB,~~CAiB/G~~;AAED;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAAC,OAAO,EAAE,UAAU,EAAE,kBAAkB,EAAE,SAAS,GAAG,~~oBAAoB~~,~~CAgDzH~~;~~AAID~~,wBAAgB,~~gBAAgB~~,CAAC,~~SAAS~~,EAAE,MAAM,GAAG,~~OAAO~~,~~CAE3D~~;AAED,wBAAgB,~~yBAAyB~~,CAAC,~~cAAc~~,EAAE,MAAM,GAAG,MAAM,~~CAKxE~~;~~AAED~~;;;;;;GAMG;AACH,wBAAgB,iCAAiC,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,GAAG,oBAAoB,~~CAOjH~~"}
1	+ {"version":3,"file":"principal.d.ts","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,gCAAgC,CAAC;AACpF,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AA6CnD,MAAM,MAAM,oBAAoB,GAAG,OAAO,GAAG,SAAS,GAAG,mBAAmB,GAAG,kBAAkB,GAAG,kBAAkB,CAAA;AAEtH;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG;IAAC,OAAO,EAAE,oBAAoB,CAAC;IAAC,QAAQ,EAAE,gBAAgB,EAAE,CAAA;CAAC,CAkClJ;AAED;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,SAAS,EAAE,GAAG;IAAC,OAAO,EAAE,oBAAoB,CAAC;IAAC,QAAQ,EAAE,gBAAgB,EAAE,CAAA;CAAC,CAyCxJ;AAED;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAAC,OAAO,EAAE,UAAU,EAAE,kBAAkB,EAAE,SAAS,GAAG,gBAAgB,CA+FrH;AAED;;;;;GAKG;AACH,wBAAgB,yBAAyB,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAKxE;AAED;;;;;GAKG;AACH,wBAAgB,2BAA2B,CAAC,gBAAgB,EAAE,MAAM,GAAG,MAAM,CAK5E;AAGD;;;;;;GAMG;AACH,wBAAgB,iCAAiC,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,GAAG;IAAC,OAAO,EAAE,oBAAoB,CAAC;IAAC,OAAO,EAAE,IAAI,CAAC,gBAAgB,EAAE,YAAY,GAAG,eAAe,CAAC,CAAA;CAAC,CAS7L"}

package/dist/cjs/principal/principal.js CHANGED Viewed

@@ -3,9 +3,10 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.requestMatchesPrincipal = requestMatchesPrincipal;
 exports.requestMatchesNotPrincipal = requestMatchesNotPrincipal;
 exports.requestMatchesPrincipalStatement = requestMatchesPrincipalStatement;
-exports.isAssumedRoleArn = isAssumedRoleArn;
 exports.roleArnFromAssumedRoleArn = roleArnFromAssumedRoleArn;
+exports.userArnFromFederatedUserArn = userArnFromFederatedUserArn;
 exports.requestMatchesStatementPrincipals = requestMatchesStatementPrincipals;
+const util_js_1 = require("../util.js");
 /**
  * Check to see if a request matches a Principal element in an IAM policy statement
  *
@@ -14,14 +15,35 @@ exports.requestMatchesStatementPrincipals = requestMatchesStatementPrincipals;
  * @returns if the request matches the Principal element, and if so, how it matches
  */
 function requestMatchesPrincipal(request, principal) {
-    const matches = principal.map(principalStatement => requestMatchesPrincipalStatement(request, principalStatement));
-    if (matches.includes('Match')) {
-        return 'Match';
+    const explains = principal.map(principalStatement => requestMatchesPrincipalStatement(request, principalStatement));
+    if (explains.some(exp => exp.matches === 'Match')) {
+        return {
+            matches: 'Match',
+            explains
+        };
     }
-    if (matches.includes('AccountLevelMatch')) {
-        return 'AccountLevelMatch';
+    if (explains.some(exp => exp.matches === 'SessionUserMatch')) {
+        return {
+            matches: 'SessionUserMatch',
+            explains
+        };
     }
-    return 'NoMatch';
+    if (explains.some(exp => exp.matches === 'SessionRoleMatch')) {
+        return {
+            matches: 'SessionRoleMatch',
+            explains
+        };
+    }
+    if (explains.some(exp => exp.matches === 'AccountLevelMatch')) {
+        return {
+            matches: 'AccountLevelMatch',
+            explains
+        };
+    }
+    return {
+        matches: 'NoMatch',
+        explains
+    };
 }
 /**
  * Check to see if a request matches a NotPrincipal element in an IAM policy statement
@@ -31,20 +53,40 @@ function requestMatchesPrincipal(request, principal) {
  * @returns
  */
 function requestMatchesNotPrincipal(request, notPrincipal) {
-    const matches = notPrincipal.map(principalStatement => requestMatchesPrincipalStatement(request, principalStatement));
-    if (matches.includes('Match')) {
-        return 'NoMatch';
-    }
-    /**
-     * Need to do research on this. If there is an account level match on a NotPrincipal, does that
-     * mean it tentatively matches the NotPrincipal, or does it mean it does not match the NotPrincipal?
-     *
-     * We need to test this.
-     */
-    if (matches.includes('AccountLevelMatch')) {
-        return 'NoMatch';
+    // const matches = notPrincipal.map(principalStatement => requestMatchesPrincipalStatement(request, principalStatement))
+    const explains = notPrincipal.map(principalStatement => {
+        const explain = requestMatchesPrincipalStatement(request, principalStatement);
+        /**
+         * Need to do research on this. If there is an account level match on a NotPrincipal, does that
+         * mean it tentatively matches the NotPrincipal, or does it mean it does not match the NotPrincipal?
+         *
+         * We need to test this.
+         */
+        if (explain.matches === 'Match' || explain.matches === 'AccountLevelMatch' || explain.matches === 'SessionRoleMatch' || explain.matches === 'SessionUserMatch') {
+            explain.matches = 'NoMatch';
+        }
+        else {
+            explain.matches = 'Match';
+        }
+        return explain;
+    });
+    if (explains.some(exp => exp.matches === 'NoMatch')) {
+        return {
+            matches: 'NoMatch',
+            explains
+        };
     }
-    return 'Match';
+    return {
+        matches: 'Match',
+        explains
+    };
+    // if(matches.includes('Match')) {
+    //   return 'NoMatch'
+    // }
+    // if(matches.includes('AccountLevelMatch')) {
+    //   return 'NoMatch'
+    // }
+    // return 'Match'
 }
 /**
  * Check to see if a request matches a principal statement
@@ -56,55 +98,117 @@ function requestMatchesNotPrincipal(request, notPrincipal) {
 function requestMatchesPrincipalStatement(request, principalStatement) {
     if (principalStatement.isServicePrincipal()) {
         if (principalStatement.service() === request.principal.value()) {
-            return 'Match';
+            return {
+                matches: 'Match',
+                principal: principalStatement.value(),
+            };
         }
-        return 'NoMatch';
+        return {
+            matches: 'NoMatch',
+            principal: principalStatement.value(),
+        };
     }
     if (principalStatement.isCanonicalUserPrincipal()) {
         if (principalStatement.canonicalUser() === request.principal.value()) {
-            return 'Match';
+            return {
+                matches: 'Match',
+                principal: principalStatement.value(),
+            };
         }
-        return 'NoMatch';
+        return {
+            matches: 'NoMatch',
+            principal: principalStatement.value(),
+        };
     }
     if (principalStatement.isFederatedPrincipal()) {
         if (principalStatement.federated() === request.principal.value()) {
-            return 'Match';
+            return {
+                matches: 'Match',
+                principal: principalStatement.value(),
+            };
         }
-        return 'NoMatch';
+        return {
+            matches: 'NoMatch',
+            principal: principalStatement.value(),
+        };
     }
     if (principalStatement.isWildcardPrincipal()) {
-        return 'Match';
+        return {
+            matches: 'Match',
+            principal: principalStatement.value(),
+        };
     }
     if (principalStatement.isAccountPrincipal()) {
         if (principalStatement.accountId() === request.principal.accountId()) {
-            return 'AccountLevelMatch';
+            return {
+                matches: 'AccountLevelMatch',
+                principal: principalStatement.value(),
+            };
         }
-        return 'NoMatch';
+        return {
+            matches: 'NoMatch',
+            principal: principalStatement.value(),
+        };
     }
     if (principalStatement.isAwsPrincipal()) {
-        if (isAssumedRoleArn(request.principal.value())) {
+        if ((0, util_js_1.isAssumedRoleArn)(request.principal.value())) {
             const sessionArn = request.principal.value();
             const roleArn = roleArnFromAssumedRoleArn(sessionArn);
-            if (principalStatement.arn() === roleArn || principalStatement.arn() === sessionArn) {
-                return 'Match';
+            if (principalStatement.arn() === roleArn) {
+                return {
+                    matches: 'SessionRoleMatch',
+                    principal: principalStatement.value(),
+                    roleForSessionArn: roleArn,
+                };
+            }
+        }
+        else if ((0, util_js_1.isFederatedUserArn)(request.principal.value())) {
+            const sessionArn = request.principal.value();
+            const userArn = userArnFromFederatedUserArn(sessionArn);
+            if (principalStatement.arn() === userArn) {
+                return {
+                    matches: 'SessionUserMatch',
+                    principal: principalStatement.value(),
+                    userForSessionArn: userArn,
+                };
             }
         }
         if (principalStatement.arn() === request.principal.value()) {
-            return 'Match';
+            return {
+                matches: 'Match',
+                principal: principalStatement.value()
+            };
         }
     }
-    return 'NoMatch';
-}
-const assumedRoleArnRegex = /^arn:aws:sts::\d{12}:assumed-role\/.*$/;
-function isAssumedRoleArn(principal) {
-    return assumedRoleArnRegex.test(principal);
+    return {
+        matches: 'NoMatch',
+        principal: principalStatement.value(),
+    };
 }
+/**
+ * Transfrom an assumed role session ARN into a role ARN
+ *
+ * @param assumedRoleArn the assumed role session ARN
+ * @returns the role ARN for the assumed role session
+ */
 function roleArnFromAssumedRoleArn(assumedRoleArn) {
     const stsParts = assumedRoleArn.split(':');
     const resourceParts = stsParts.at(-1).split('/');
     const rolePathAndName = resourceParts.slice(1, -1).join('/');
     return `arn:aws:iam::${stsParts[4]}:role/${rolePathAndName}`;
 }
+/**
+ * Get a user ARN from a federated user ARN
+ *
+ * @param federatedUserArn the federated user ARN
+ * @returns the user ARN for the federated user ARN
+ */
+function userArnFromFederatedUserArn(federatedUserArn) {
+    const stsParts = federatedUserArn.split(':');
+    const resource = stsParts.at(-1);
+    const username = resource.slice(resource.indexOf('/') + 1);
+    return `arn:aws:iam::${stsParts[4]}:user/${username}`;
+}
 /**
  * Check if a request matches the Resource or NotResource elements of a statement.
  *
@@ -114,10 +218,12 @@ function roleArnFromAssumedRoleArn(assumedRoleArn) {
  */
 function requestMatchesStatementPrincipals(request, statement) {
     if (statement.isPrincipalStatement()) {
-        return requestMatchesPrincipal(request, statement.principals());
+        const { matches, explains } = requestMatchesPrincipal(request, statement.principals());
+        return { matches, details: { principals: explains } };
     }
     else if (statement.isNotPrincipalStatement()) {
-        return requestMatchesNotPrincipal(request, statement.notPrincipals());
+        const { matches, explains } = requestMatchesNotPrincipal(request, statement.notPrincipals());
+        return { matches, details: { notPrincipals: explains } };
     }
     throw new Error('Statement should have Principal or NotPrincipal');
 }

package/dist/cjs/principal/principal.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"principal.js","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":";;~~AAsDA~~,~~0DAWC~~;AASD,~~gEAiBC~~;AASD,~~4EAgDC~~;~~AAID~~,~~4CAEC~~;~~AAED~~,~~8DAKC~~;~~AASD~~,~~8EAOC~~;~~AAlID~~;;;;;;GAMG;AACH,SAAgB,uBAAuB,CAAC,OAAmB,EAAE,SAAsB;IACjF,MAAM,~~OAAO~~,GAAG,SAAS,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAE,CAAC,gCAAgC,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC,CAAA;~~IAClH~~,IAAG,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;~~QAC7B~~,OAAO,OAAO,CAAA;~~IAChB~~,CAAC;IAED,IAAG,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;~~QACzC~~,OAAO,mBAAmB,CAAA;~~IAC5B~~,CAAC;IAED,OAAO,SAAS,CAAA;~~AAClB~~,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,0BAA0B,CAAC,OAAmB,EAAE,YAAyB;IACvF,MAAM,~~OAAO~~,GAAG,YAAY,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAE,~~CAAC~~,gCAAgC,CAAC,OAAO,EAAE,kBAAkB,CAAC,~~CAAC,~~CAAA;~~IACrH~~,IAAG,OAAO,CAAC,~~QAAQ~~,CAAC,OAAO,CAAC,EAAE,CAAC;~~QAC7B~~,OAAO,SAAS,CAAA;~~IAClB~~,CAAC;~~IAED;;;;;OAKG~~;~~IACH~~,~~IAAG~~,OAAO,CAAC,QAAQ,CAAC,~~mBAAmB~~,CAAC,EAAE,CAAC;~~QACzC~~,OAAO,SAAS,CAAA;~~IAClB~~,CAAC;IAED,OAAO,OAAO,CAAA;~~AAChB~~,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,gCAAgC,CAAC,OAAmB,EAAE,kBAA6B;IACjG,IAAG,kBAAkB,CAAC,kBAAkB,EAAE,EAAE,CAAC;QAC3C,IAAG,kBAAkB,CAAC,OAAO,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAC9D,OAAO,OAAO,CAAA;~~QAChB~~,CAAC;QACD,OAAO,SAAS,CAAA;~~IAClB~~,CAAC;IAED,IAAG,kBAAkB,CAAC,wBAAwB,EAAE,EAAE,CAAC;QACjD,IAAG,kBAAkB,CAAC,aAAa,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YACpE,OAAO,OAAO,CAAA;~~QAChB~~,CAAC;QACD,OAAO,SAAS,CAAA;~~IAClB~~,CAAC;IAED,IAAG,kBAAkB,CAAC,oBAAoB,EAAE,EAAE,CAAC;QAC7C,IAAG,kBAAkB,CAAC,SAAS,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAChE,OAAO,OAAO,CAAA;~~QAChB~~,CAAC;QACD,OAAO,SAAS,CAAA;~~IAClB~~,CAAC;IAED,IAAG,kBAAkB,CAAC,mBAAmB,EAAE,EAAE,CAAC;QAC5C,OAAO,OAAO,CAAA;~~IAChB~~,CAAC;IAED,IAAG,kBAAkB,CAAC,kBAAkB,EAAE,EAAE,CAAC;QAC3C,IAAG,kBAAkB,CAAC,SAAS,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,CAAC;YACpE,OAAO,mBAAmB,CAAA;~~QAC5B~~,CAAC;QACD,OAAO,SAAS,CAAA;~~IAClB~~,CAAC;IAED,IAAG,kBAAkB,CAAC,cAAc,EAAE,EAAE,CAAC;QACvC,IAAG,~~gBAAgB~~,~~CAAC~~,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC;YAC/C,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;YAC5C,MAAM,OAAO,GAAG,yBAAyB,CAAC,UAAU,CAAC,CAAA;YACrD,IAAG,kBAAkB,CAAC,GAAG,EAAE,KAAM,OAAO,~~IAAI~~,~~kBAAkB,~~CAAC,~~GAAG~~,EAAE,~~KAAK~~,~~UAAU~~,EAAE,CAAC;~~gBACpF~~,~~OAAO~~,OAAO,CAAA;~~YAChB~~,CAAC;QACH,CAAC;~~QAED~~,IAAG,~~kBAAkB~~,CAAC,~~GAAG~~,~~EAAE~~,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;~~YAC1D~~,OAAO,OAAO,~~CAAA~~;~~QAChB~~,CAAC~~;IACH~~,~~CAAC~~;~~IAED~~,OAAO,~~SAAS,~~CAAA;~~AAClB~~,CAAC;~~AAED~~,~~MAAM~~,~~mBAAmB~~,GAAG,~~wCAAwC~~,~~CAAA;AAEpE~~,~~SAAgB~~,~~gBAAgB~~,CAAC,~~SAAiB~~;~~IAChD~~,OAAO,~~mBAAmB~~,CAAC,~~IAAI~~,CAAC,SAAS,CAAC,CAAA;~~AAC5C~~,CAAC;AAED,SAAgB,yBAAyB,CAAC,cAAsB;IAC9D,MAAM,QAAQ,GAAG,cAAc,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC1C,MAAM,aAAa,GAAG,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,CAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACjD,MAAM,eAAe,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IAC5D,OAAO,gBAAgB,QAAQ,CAAC,CAAC,CAAC,SAAS,eAAe,EAAE,CAAA;AAC9D,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,iCAAiC,CAAC,OAAmB,EAAE,SAAoB;IACzF,IAAG,SAAS,CAAC,oBAAoB,EAAE,EAAE,CAAC;QACpC,OAAO,uBAAuB,CAAC,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE,CAAC,CAAA;~~IACjE~~,CAAC;SAAM,IAAG,SAAS,CAAC,uBAAuB,EAAE,EAAE,CAAC;QAC9C,OAAO,0BAA0B,CAAC,OAAO,EAAE,SAAS,CAAC,aAAa,EAAE,CAAC,~~CAAC~~;~~IACxE~~,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAA;AACpE,CAAC"}
1	+ {"version":3,"file":"principal.js","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":";;AAwDA,0DAkCC;AASD,gEAyCC;AASD,4EA+FC;AAQD,8DAKC;AAQD,kEAKC;AAUD,8EASC;AA9RD,wCAAkE;AA8ClE;;;;;;GAMG;AACH,SAAgB,uBAAuB,CAAC,OAAmB,EAAE,SAAsB;IACjF,MAAM,QAAQ,GAAG,SAAS,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAE,CAAC,gCAAgC,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC,CAAA;IACnH,IAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,OAAO,KAAK,OAAO,CAAC,EAAE,CAAC;QACjD,OAAO;YACL,OAAO,EAAE,OAAO;YAChB,QAAQ;SACT,CAAA;IACH,CAAC;IAED,IAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,OAAO,KAAK,kBAAkB,CAAC,EAAE,CAAC;QAC5D,OAAO;YACL,OAAO,EAAE,kBAAkB;YAC3B,QAAQ;SACT,CAAA;IACH,CAAC;IAED,IAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,OAAO,KAAK,kBAAkB,CAAC,EAAE,CAAC;QAC5D,OAAO;YACL,OAAO,EAAE,kBAAkB;YAC3B,QAAQ;SACT,CAAA;IACH,CAAC;IAED,IAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,OAAO,KAAK,mBAAmB,CAAC,EAAE,CAAC;QAC7D,OAAO;YACL,OAAO,EAAE,mBAAmB;YAC5B,QAAQ;SACT,CAAA;IACH,CAAC;IAED,OAAO;QACL,OAAO,EAAE,SAAS;QAClB,QAAQ;KACT,CAAA;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,0BAA0B,CAAC,OAAmB,EAAE,YAAyB;IACvF,wHAAwH;IACxH,MAAM,QAAQ,GAAG,YAAY,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAE;QACrD,MAAM,OAAO,GAAG,gCAAgC,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAA;QAC7E;;;;;WAKG;QACH,IAAG,OAAO,CAAC,OAAO,KAAK,OAAO,IAAI,OAAO,CAAC,OAAO,KAAK,mBAAmB,IAAI,OAAO,CAAC,OAAO,KAAK,kBAAkB,IAAI,OAAO,CAAC,OAAO,KAAK,kBAAkB,EAAE,CAAC;YAC9J,OAAO,CAAC,OAAO,GAAG,SAAS,CAAA;QAC7B,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,OAAO,GAAG,OAAO,CAAA;QAC3B,CAAC;QACD,OAAO,OAAO,CAAA;IAChB,CAAC,CAAC,CAAA;IAGF,IAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,OAAO,KAAK,SAAS,CAAC,EAAE,CAAC;QACnD,OAAO;YACL,OAAO,EAAE,SAAS;YAClB,QAAQ;SACT,CAAA;IACH,CAAC;IAED,OAAO;QACL,OAAO,EAAE,OAAO;QAChB,QAAQ;KACT,CAAA;IAED,kCAAkC;IAClC,qBAAqB;IACrB,IAAI;IAGJ,8CAA8C;IAC9C,qBAAqB;IACrB,IAAI;IAEJ,iBAAiB;AACnB,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,gCAAgC,CAAC,OAAmB,EAAE,kBAA6B;IACjG,IAAG,kBAAkB,CAAC,kBAAkB,EAAE,EAAE,CAAC;QAC3C,IAAG,kBAAkB,CAAC,OAAO,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAC9D,OAAO;gBACL,OAAO,EAAE,OAAO;gBAChB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;aACtC,CAAA;QACH,CAAC;QACD,OAAO;YACL,OAAO,EAAE,SAAS;YAClB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;SACtC,CAAA;IACH,CAAC;IAED,IAAG,kBAAkB,CAAC,wBAAwB,EAAE,EAAE,CAAC;QACjD,IAAG,kBAAkB,CAAC,aAAa,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YACpE,OAAO;gBACL,OAAO,EAAE,OAAO;gBAChB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;aACtC,CAAA;QACH,CAAC;QACD,OAAO;YACL,OAAO,EAAE,SAAS;YAClB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;SACtC,CAAA;IACH,CAAC;IAED,IAAG,kBAAkB,CAAC,oBAAoB,EAAE,EAAE,CAAC;QAC7C,IAAG,kBAAkB,CAAC,SAAS,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAChE,OAAO;gBACL,OAAO,EAAE,OAAO;gBAChB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;aACtC,CAAA;QACH,CAAC;QACD,OAAO;YACL,OAAO,EAAE,SAAS;YAClB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;SACtC,CAAA;IACH,CAAC;IAED,IAAG,kBAAkB,CAAC,mBAAmB,EAAE,EAAE,CAAC;QAC5C,OAAO;YACL,OAAO,EAAE,OAAO;YAChB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;SACtC,CAAA;IACH,CAAC;IAED,IAAG,kBAAkB,CAAC,kBAAkB,EAAE,EAAE,CAAC;QAC3C,IAAG,kBAAkB,CAAC,SAAS,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,CAAC;YACpE,OAAO;gBACL,OAAO,EAAE,mBAAmB;gBAC5B,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;aACtC,CAAA;QACH,CAAC;QACD,OAAO;YACL,OAAO,EAAE,SAAS;YAClB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;SACtC,CAAA;IACH,CAAC;IAED,IAAG,kBAAkB,CAAC,cAAc,EAAE,EAAE,CAAC;QACvC,IAAG,IAAA,0BAAgB,EAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC;YAC/C,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;YAC5C,MAAM,OAAO,GAAG,yBAAyB,CAAC,UAAU,CAAC,CAAA;YACrD,IAAG,kBAAkB,CAAC,GAAG,EAAE,KAAM,OAAO,EAAE,CAAC;gBACzC,OAAO;oBACL,OAAO,EAAE,kBAAkB;oBAC3B,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;oBACrC,iBAAiB,EAAE,OAAO;iBAC3B,CAAA;YACH,CAAC;QACH,CAAC;aAAM,IAAG,IAAA,4BAAkB,EAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC;YACxD,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;YAC5C,MAAM,OAAO,GAAG,2BAA2B,CAAC,UAAU,CAAC,CAAA;YACvD,IAAG,kBAAkB,CAAC,GAAG,EAAE,KAAK,OAAO,EAAE,CAAC;gBACxC,OAAO;oBACL,OAAO,EAAE,kBAAkB;oBAC3B,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;oBACrC,iBAAiB,EAAE,OAAO;iBAC3B,CAAA;YACH,CAAC;QACH,CAAC;QAED,IAAG,kBAAkB,CAAC,GAAG,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAC1D,OAAO;gBACL,OAAO,EAAE,OAAO;gBAChB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;aACtC,CAAA;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,OAAO,EAAE,SAAS;QAClB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;KACtC,CAAA;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAgB,yBAAyB,CAAC,cAAsB;IAC9D,MAAM,QAAQ,GAAG,cAAc,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC1C,MAAM,aAAa,GAAG,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,CAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACjD,MAAM,eAAe,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IAC5D,OAAO,gBAAgB,QAAQ,CAAC,CAAC,CAAC,SAAS,eAAe,EAAE,CAAA;AAC9D,CAAC;AAED;;;;;GAKG;AACH,SAAgB,2BAA2B,CAAC,gBAAwB;IAClE,MAAM,QAAQ,GAAG,gBAAgB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC5C,MAAM,QAAQ,GAAG,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,CAAE,CAAA;IACjC,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAA;IAC1D,OAAO,gBAAgB,QAAQ,CAAC,CAAC,CAAC,SAAS,QAAQ,EAAE,CAAA;AACvD,CAAC;AAGD;;;;;;GAMG;AACH,SAAgB,iCAAiC,CAAC,OAAmB,EAAE,SAAoB;IACzF,IAAG,SAAS,CAAC,oBAAoB,EAAE,EAAE,CAAC;QACpC,MAAM,EAAC,OAAO,EAAE,QAAQ,EAAC,GAAG,uBAAuB,CAAC,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE,CAAC,CAAA;QACpF,OAAO,EAAC,OAAO,EAAE,OAAO,EAAE,EAAC,UAAU,EAAE,QAAQ,EAAC,EAAC,CAAA;IACnD,CAAC;SAAM,IAAG,SAAS,CAAC,uBAAuB,EAAE,EAAE,CAAC;QAC9C,MAAM,EAAC,OAAO,EAAE,QAAQ,EAAC,GAAG,0BAA0B,CAAC,OAAO,EAAE,SAAS,CAAC,aAAa,EAAE,CAAC,CAAA;QAC1F,OAAO,EAAC,OAAO,EAAE,OAAO,EAAE,EAAC,aAAa,EAAE,QAAQ,EAAC,EAAC,CAAA;IACtD,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAA;AACpE,CAAC"}

package/dist/cjs/resource/resource.d.ts CHANGED Viewed

@@ -1,4 +1,5 @@
 import { Resource, Statement } from "@cloud-copilot/iam-policy";
+import { ResourceExplain, StatementExplain } from "../explain/statementExplain.js";
 import { AwsRequest } from "../request/request.js";
 /**
  * Check if a request matches the Resource or NotResource elements of a statement.
@@ -7,7 +8,10 @@ import { AwsRequest } from "../request/request.js";
  * @param statement the statement to check against
  * @returns true if the request matches the resources in the statement, false otherwise
  */
-export declare function requestMatchesStatementResources(request: AwsRequest, statement: Statement): boolean;
+export declare function requestMatchesStatementResources(request: AwsRequest, statement: Statement): {
+    matches: boolean;
+    details: Pick<StatementExplain, 'resources' | 'notResources'>;
+};
 /**
  * Check if a request matches a set of resources.
  *
@@ -15,7 +19,10 @@ export declare function requestMatchesStatementResources(request: AwsRequest, st
  * @param policyResources the resources to check against
  * @returns true if the request matches any of the resources, false otherwise
  */
-export declare function requestMatchesResources(request: AwsRequest, policyResources: Resource[]): boolean;
+export declare function requestMatchesResources(request: AwsRequest, policyResources: Resource[]): {
+    matches: boolean;
+    explains: ResourceExplain[];
+};
 /**
  * Check if a request matches a NotResource element in a policy.
  *
@@ -23,5 +30,8 @@ export declare function requestMatchesResources(request: AwsRequest, policyResou
  * @param policyResources the resources to check against
  * @returns true if the request does not match any of the resources, false otherwise
  */
-export declare function requestMatchesNotResources(request: AwsRequest, policyResources: Resource[]): boolean;
+export declare function requestMatchesNotResources(request: AwsRequest, policyResources: Resource[]): {
+    matches: boolean;
+    explains: ResourceExplain[];
+};
 //# sourceMappingURL=resource.d.ts.map

package/dist/cjs/resource/resource.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"resource.d.ts","sourceRoot":"","sources":["../../../src/resource/resource.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AAChE,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAmBnD;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,GAAG,OAAO,~~CAOnG~~;AAGD;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,QAAQ,EAAE,GAAG,OAAO,~~CAEjG~~;AAED;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,QAAQ,EAAE,GAAG,OAAO,~~CAEpG~~"}
1	+ {"version":3,"file":"resource.d.ts","sourceRoot":"","sources":["../../../src/resource/resource.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,gCAAgC,CAAC;AACnF,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAmBnD;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,GAAG;IAAC,OAAO,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,IAAI,CAAC,gBAAgB,EAAE,WAAW,GAAG,cAAc,CAAC,CAAA;CAAC,CAiB7K;AAGD;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,QAAQ,EAAE,GAAG;IAAC,OAAO,EAAE,OAAO,CAAC;IAAC,QAAQ,EAAE,eAAe,EAAE,CAAA;CAAC,CAIzI;AAED;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,QAAQ,EAAE,GAAG;IAAC,OAAO,EAAE,OAAO,CAAC;IAAC,QAAQ,EAAE,eAAe,EAAE,CAAA;CAAC,CAQ5I"}

package/dist/cjs/resource/resource.js CHANGED Viewed

@@ -27,12 +27,22 @@ function convertResourceSegmentToRegex(segment) {
  */
 function requestMatchesStatementResources(request, statement) {
     if (statement.isResourceStatement()) {
-        return requestMatchesResources(request, statement.resources());
+        const { matches, explains } = requestMatchesResources(request, statement.resources());
+        if (!statement.resourceIsArray()) {
+            return { matches, details: { resources: explains[0] } };
+        }
+        return { matches, details: { resources: explains } };
+        // return requestMatchesResources(request, statement.resources());
     }
     else if (statement.isNotResourceStatement()) {
-        return requestMatchesNotResources(request, statement.notResources());
+        const { matches, explains } = requestMatchesNotResources(request, statement.notResources());
+        if (!statement.notResourceIsArray()) {
+            return { matches, details: { notResources: explains[0] } };
+        }
+        return { matches, details: { notResources: explains } };
+        // return requestMatchesNotResources(request, statement.notResources());
     }
-    return true;
+    return { matches: true, details: {} };
 }
 /**
  * Check if a request matches a set of resources.
@@ -42,7 +52,9 @@ function requestMatchesStatementResources(request, statement) {
  * @returns true if the request matches any of the resources, false otherwise
  */
 function requestMatchesResources(request, policyResources) {
-    return policyResources.some(policyResource => singleResourceMatchesRequest(request, policyResource));
+    const explains = policyResources.map(policyResource => singleResourceMatchesRequest(request, policyResource));
+    const matches = explains.some(explain => explain.matches);
+    return { matches, explains };
 }
 /**
  * Check if a request matches a NotResource element in a policy.
@@ -52,7 +64,13 @@ function requestMatchesResources(request, policyResources) {
  * @returns true if the request does not match any of the resources, false otherwise
  */
 function requestMatchesNotResources(request, policyResources) {
-    return !requestMatchesResources(request, policyResources);
+    const explains = policyResources.map(policyResource => {
+        const explain = singleResourceMatchesRequest(request, policyResource);
+        explain.matches = !explain.matches;
+        return explain;
+    });
+    const matches = !explains.some(explain => !explain.matches);
+    return { matches, explains };
 }
 /**
  * Check if a single resource matches a request.
@@ -63,35 +81,70 @@ function requestMatchesNotResources(request, policyResources) {
  */
 function singleResourceMatchesRequest(request, policyResource) {
     if (policyResource.isAllResources()) {
-        return true;
+        return {
+            resource: policyResource.value(),
+            matches: true,
+        };
     }
     else if (policyResource.isArnResource()) {
         if (!request.resource) {
-            return false;
+            return {
+                resource: policyResource.value(),
+                matches: false,
+                errors: ['Request does not have a resource'],
+            };
         }
         const resource = request.resource;
         if (!convertResourceSegmentToRegex(policyResource.partition()).test(resource.partition())) {
-            return false;
+            return {
+                resource: policyResource.value(),
+                matches: false,
+                errors: ['Partition does not match'],
+            };
         }
         if (!convertResourceSegmentToRegex(policyResource.service()).test(resource.service())) {
-            return false;
+            return {
+                resource: policyResource.value(),
+                matches: false,
+                errors: ['Service does not match'],
+            };
         }
         if (!convertResourceSegmentToRegex(policyResource.region()).test(resource.region())) {
-            return false;
+            return {
+                resource: policyResource.value(),
+                matches: false,
+                errors: ['Region does not match'],
+            };
         }
         if (!convertResourceSegmentToRegex(policyResource.account()).test(resource.account())) {
-            return false;
+            return {
+                resource: policyResource.value(),
+                matches: false,
+                errors: ['Account does not match'],
+            };
         }
         //Wildcards and variables are not allowed in the product segment https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html "Incorrect wildcard usage"
         const [policyProduct, policyResourceId] = (0, util_js_1.getResourceSegments)(policyResource.resource());
         if (!resource.resource().startsWith(policyProduct)) {
-            return false;
+            return {
+                resource: policyResource.value(),
+                matches: false,
+                errors: ['Product does not match'],
+            };
         }
         const requestResourceId = resource.resource().slice(policyProduct.length);
-        if (!(0, util_js_1.convertIamStringToRegex)(policyResourceId, request).test(requestResourceId)) {
-            return false;
+        const { pattern, errors } = (0, util_js_1.convertIamString)(policyResourceId, request);
+        if (!pattern.test(requestResourceId)) {
+            return {
+                resource: policyResource.value(),
+                matches: false,
+                errors: ['Resource does not match'],
+            };
         }
-        return true;
+        return {
+            resource: policyResource.value(),
+            matches: true,
+        };
     }
     else {
         throw new Error('Unknown resource type');

package/dist/cjs/resource/resource.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"resource.js","sourceRoot":"","sources":["../../../src/resource/resource.ts"],"names":[],"mappings":";;~~AA2BA~~,~~4EAOC~~;AAUD,~~0DAEC~~;AASD,~~gEAEC~~;~~AAvDD~~,~~wCAA0E~~;~~AAE1E~~,yHAAyH;AAEzH;;;;;GAKG;AACH,SAAS,6BAA6B,CAAC,OAAe;IACpD,IAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IACD,MAAM,OAAO,GAAG,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,GAAG,CAAA;IAC7E,OAAO,IAAI,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;AACjC,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,gCAAgC,CAAC,OAAmB,EAAE,SAAoB;IACxF,IAAG,SAAS,CAAC,mBAAmB,EAAE,EAAE,CAAC;QACnC,OAAO,uBAAuB,CAAC,OAAO,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,CAAC;~~IACjE~~,CAAC;SAAM,IAAG,SAAS,CAAC,sBAAsB,EAAE,EAAE,CAAC;QAC7C,OAAO,0BAA0B,CAAC,OAAO,EAAE,SAAS,CAAC,YAAY,EAAE,CAAC,CAAC;~~IACvE~~,CAAC;IACD,OAAO,IAAI,CAAC;~~AACd~~,CAAC;AAGD;;;;;;GAMG;AACH,SAAgB,uBAAuB,CAAC,OAAmB,EAAE,eAA2B;IACtF,~~OAAO~~,eAAe,CAAC,~~IAAI~~,CAAC,cAAc,CAAC,EAAE,CAAC,4BAA4B,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC,CAAA;~~AACtG~~,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,0BAA0B,CAAC,OAAmB,EAAE,eAA2B;IACzF,OAAO,CAAC,~~uBAAuB~~,CAAC,OAAO,EAAE,~~eAAe~~,CAAC,CAAA;~~AAC3D~~,CAAC;AAED;;;;;;GAMG;AACH,SAAS,4BAA4B,CAAC,OAAmB,EAAE,cAAwB;IACjF,IAAG,cAAc,CAAC,cAAc,EAAE,EAAE,CAAC;QACnC,OAAO,IAAI,CAAC;~~IACd~~,CAAC;SAAM,IAAG,cAAc,CAAC,aAAa,EAAE,EAAE,CAAC;QACzC,IAAG,CAAC,OAAO,CAAC,QAAQ,EAAG,CAAC;YACtB,OAAO,KAAK,~~CAAA~~;~~QACd~~,CAAC;QAED,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAA;QACjC,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,SAAS,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC,EAAE,CAAC;YACzF,OAAO,KAAK,CAAA;~~QACd~~,CAAC;QAED,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;YACrF,OAAO,KAAK,CAAA;~~QACd~~,CAAC;QAED,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,CAAC;YACnF,OAAO,KAAK,CAAA;~~QACd~~,CAAC;QAED,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;YACrF,OAAO,KAAK,CAAA;~~QACd~~,CAAC;QAED,gKAAgK;QAChK,MAAM,CAAC,aAAa,EAAE,gBAAgB,CAAC,GAAG,IAAA,6BAAmB,EAAC,cAAc,CAAC,QAAQ,EAAE,CAAC,CAAA;QAExF,IAAG,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;YAClD,OAAO,KAAK,CAAA;~~QACd~~,CAAC;QAED,MAAM,iBAAiB,GAAG,QAAQ,CAAC,QAAQ,EAAE,CAAC,KAAK,CAAC,aAAa,CAAC,MAAM,CAAC,CAAA;~~QAEzE~~,~~IAAG~~,~~CAAC~~,IAAA,~~iCAAuB~~,EAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,EAAE,CAAC;~~YAC/E~~,OAAO,KAAK,CAAA;~~QACd~~,CAAC;QAED,OAAO,IAAI,CAAA;~~IACb~~,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;AACH,CAAC"}
1	+ {"version":3,"file":"resource.js","sourceRoot":"","sources":["../../../src/resource/resource.ts"],"names":[],"mappings":";;AA4BA,4EAiBC;AAUD,0DAIC;AASD,gEAQC;AAzED,wCAAmE;AAEnE,yHAAyH;AAEzH;;;;;GAKG;AACH,SAAS,6BAA6B,CAAC,OAAe;IACpD,IAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IACD,MAAM,OAAO,GAAG,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,GAAG,CAAA;IAC7E,OAAO,IAAI,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;AACjC,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,gCAAgC,CAAC,OAAmB,EAAE,SAAoB;IACxF,IAAG,SAAS,CAAC,mBAAmB,EAAE,EAAE,CAAC;QACnC,MAAM,EAAC,OAAO,EAAE,QAAQ,EAAC,GAAG,uBAAuB,CAAC,OAAO,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,CAAC;QACpF,IAAG,CAAC,SAAS,CAAC,eAAe,EAAE,EAAE,CAAC;YAChC,OAAO,EAAC,OAAO,EAAE,OAAO,EAAE,EAAC,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAC,EAAC,EAAC,CAAA;QACrD,CAAC;QACD,OAAO,EAAC,OAAO,EAAE,OAAO,EAAE,EAAC,SAAS,EAAE,QAAQ,EAAC,EAAC,CAAA;QAChD,kEAAkE;IACpE,CAAC;SAAM,IAAG,SAAS,CAAC,sBAAsB,EAAE,EAAE,CAAC;QAC7C,MAAM,EAAC,OAAO,EAAE,QAAQ,EAAC,GAAG,0BAA0B,CAAC,OAAO,EAAE,SAAS,CAAC,YAAY,EAAE,CAAC,CAAC;QAC1F,IAAG,CAAC,SAAS,CAAC,kBAAkB,EAAE,EAAE,CAAC;YACnC,OAAO,EAAC,OAAO,EAAE,OAAO,EAAE,EAAC,YAAY,EAAE,QAAQ,CAAC,CAAC,CAAC,EAAC,EAAC,CAAA;QACxD,CAAC;QACD,OAAO,EAAC,OAAO,EAAE,OAAO,EAAE,EAAC,YAAY,EAAE,QAAQ,EAAC,EAAC,CAAA;QACnD,wEAAwE;IAC1E,CAAC;IACD,OAAO,EAAC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAC,CAAC;AACtC,CAAC;AAGD;;;;;;GAMG;AACH,SAAgB,uBAAuB,CAAC,OAAmB,EAAE,eAA2B;IACtF,MAAM,QAAQ,GAAG,eAAe,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,CAAC,4BAA4B,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC,CAAA;IAC7G,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;IACzD,OAAO,EAAC,OAAO,EAAE,QAAQ,EAAC,CAAA;AAC5B,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,0BAA0B,CAAC,OAAmB,EAAE,eAA2B;IACzF,MAAM,QAAQ,GAAG,eAAe,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE;QACpD,MAAM,OAAO,GAAG,4BAA4B,CAAC,OAAO,EAAE,cAAc,CAAC,CAAA;QACrE,OAAO,CAAC,OAAO,GAAG,CAAC,OAAO,CAAC,OAAO,CAAA;QAClC,OAAO,OAAO,CAAA;IAChB,CAAC,CAAC,CAAA;IACF,MAAM,OAAO,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;IAC3D,OAAO,EAAC,OAAO,EAAE,QAAQ,EAAC,CAAA;AAC5B,CAAC;AAED;;;;;;GAMG;AACH,SAAS,4BAA4B,CAAC,OAAmB,EAAE,cAAwB;IACjF,IAAG,cAAc,CAAC,cAAc,EAAE,EAAE,CAAC;QACnC,OAAO;YACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;YAChC,OAAO,EAAE,IAAI;SACd,CAAC;IACJ,CAAC;SAAM,IAAG,cAAc,CAAC,aAAa,EAAE,EAAE,CAAC;QACzC,IAAG,CAAC,OAAO,CAAC,QAAQ,EAAG,CAAC;YACtB,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,kCAAkC,CAAC;aAC7C,CAAC;QACJ,CAAC;QAED,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAA;QACjC,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,SAAS,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC,EAAE,CAAC;YACzF,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,0BAA0B,CAAC;aACrC,CAAA;QACH,CAAC;QAED,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;YACrF,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,wBAAwB,CAAC;aACnC,CAAA;QACH,CAAC;QAED,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,CAAC;YACnF,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,uBAAuB,CAAC;aAClC,CAAA;QACH,CAAC;QAED,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;YACrF,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,wBAAwB,CAAC;aACnC,CAAA;QACH,CAAC;QAED,gKAAgK;QAChK,MAAM,CAAC,aAAa,EAAE,gBAAgB,CAAC,GAAG,IAAA,6BAAmB,EAAC,cAAc,CAAC,QAAQ,EAAE,CAAC,CAAA;QAExF,IAAG,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;YAClD,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,wBAAwB,CAAC;aACnC,CAAA;QACH,CAAC;QAED,MAAM,iBAAiB,GAAG,QAAQ,CAAC,QAAQ,EAAE,CAAC,KAAK,CAAC,aAAa,CAAC,MAAM,CAAC,CAAA;QACzE,MAAM,EAAC,OAAO,EAAE,MAAM,EAAC,GAAG,IAAA,0BAAgB,EAAC,gBAAgB,EAAE,OAAO,CAAC,CAAA;QAErE,IAAG,CAAC,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,EAAE,CAAC;YACpC,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,yBAAyB,CAAC;aACpC,CAAA;QACH,CAAC;QAED,OAAO;YACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;YAChC,OAAO,EAAE,IAAI;SACd,CAAA;IACH,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;AACH,CAAC"}

package/dist/cjs/services/DefaultServiceAuthorizer.d.ts CHANGED Viewed

@@ -1,41 +1,9 @@
-import { EvaluationResult, ResourceEvaluationResult } from "../evaluate.js";
-import { StatementAnalysis } from "../StatementAnalysis.js";
+import { RequestAnalysis } from "../evaluate.js";
 import { ServiceAuthorizationRequest, ServiceAuthorizer } from "./ServiceAuthorizer.js";
 /**
  * The default authorizer for services.
  */
 export declare class DefaultServiceAuthorizer implements ServiceAuthorizer {
-    authorize(request: ServiceAuthorizationRequest): EvaluationResult;
-    /**
-     * Determine the result of the SCP analysis.
-     *
-     * @param request The request to authorize.
-     * @returns The result of the SCP analysis.
-     */
-    serviceControlPolicyResult(request: ServiceAuthorizationRequest): EvaluationResult;
-    /**
-     * Evaluate the identity statements to determine the result.
-     *
-     * @param request The request to authorize.
-     * @returns The result of the identity statement analysis.
-     */
-    identityStatementResult(request: ServiceAuthorizationRequest): EvaluationResult;
-    /**
-     * Evaluate the resource policy to determine the result.
-     *
-     * @param request the request to authorize
-     * @returns the result of the resource policy analysis
-     */
-    resourcePolicyResult(request: ServiceAuthorizationRequest): ResourceEvaluationResult;
-    /**
-     * Checks if a statement is an identity statement that allows the request.
-     *
-     * @param statement The statement to check.
-     * @returns Whether the statement is an identity statement that allows the request.
-     */
-    identityStatementAllows(statement: StatementAnalysis): boolean;
-    identityStatementUknownAllow(statement: StatementAnalysis): boolean;
-    identityStatementUknownDeny(statement: StatementAnalysis): boolean;
-    identityStatementExplicitDeny(statement: StatementAnalysis): boolean;
+    authorize(request: ServiceAuthorizationRequest): RequestAnalysis;
 }
 //# sourceMappingURL=DefaultServiceAuthorizer.d.ts.map

package/dist/cjs/services/DefaultServiceAuthorizer.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,~~gBAAgB~~,EAAE,~~wBAAwB,EAAE,~~MAAM,gBAAgB,CAAC;~~AAC5E~~,OAAO,EAAE,~~iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,EAAE,~~2BAA2B,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAExF;;GAEG;AACH,qBAAa,wBAAyB,YAAW,iBAAiB;IACzD,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,~~gBAAgB~~;IAiDxE;;;;;OAKG;IACI,0BAA0B,CAAC,OAAO,EAAE,2BAA2B,GAAG,gBAAgB;IAwBzF;;;;;OAKG;IACI,uBAAuB,CAAC,OAAO,EAAE,2BAA2B,GAAG,gBAAgB;IAoBtF;;;;;OAKG;IACI,oBAAoB,CAAC,OAAO,EAAE,2BAA2B,GAAG,wBAAwB;IAyB3F;;;;;OAKG;IACI,uBAAuB,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;IAU9D,4BAA4B,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;IAUnE,2BAA2B,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;IAUlE,6BAA6B,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;CAS5E"}
1	+ {"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAEjD,OAAO,EAAE,2BAA2B,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAExF;;GAEG;AACH,qBAAa,wBAAyB,YAAW,iBAAiB;IACzD,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe;CAoIxE"}