@cloud-copilot/iam-simulate 0.1.12 → 0.1.14

package/dist/cjs/services/DefaultServiceAuthorizer.js

@@ -1,165 +1,129 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.DefaultServiceAuthorizer = void 0;
+const util_js_1 = require("../util.js");
 /**
  * The default authorizer for services.
  */
 class DefaultServiceAuthorizer {
     authorize(request) {
-        const scpResult = this.serviceControlPolicyResult(request);
-        const identityStatementResult = this.identityStatementResult(request);
-        const resourcePolicyResult = this.resourcePolicyResult(request);
+        const scpResult = request.scpAnalysis.result;
+        const identityStatementResult = request.identityAnalysis.result;
+        const resourcePolicyResult = request.resourceAnalysis?.result;
+        const permissionBoundaryResult = request.permissionBoundaryAnalysis?.result;
         const principalAccount = request.request.principal.accountId();
         const resourceAccount = request.request.resource?.accountId();
+        const sameAccount = principalAccount === resourceAccount;
+        const baseResult = {
+            sameAccount,
+            identityAnalysis: request.identityAnalysis,
+            scpAnalysis: request.scpAnalysis,
+            resourceAnalysis: request.resourceAnalysis,
+            permissionBoundaryAnalysis: request.permissionBoundaryAnalysis
+        };
         if (scpResult !== 'Allowed') {
-            return scpResult;
+            return {
+                result: scpResult,
+                ...baseResult
+            };
         }
         if (resourcePolicyResult === 'ExplicitlyDenied' || resourcePolicyResult === 'DeniedForAccount') {
-            return 'ExplicitlyDenied';
+            return {
+                result: 'ExplicitlyDenied',
+                ...baseResult
+            };
         }
         if (identityStatementResult === 'ExplicitlyDenied') {
-            return 'ExplicitlyDenied';
+            return {
+                result: 'ExplicitlyDenied',
+                ...baseResult
+            };
+        }
+        if (permissionBoundaryResult === 'ExplicitlyDenied') {
+            return {
+                result: 'ExplicitlyDenied',
+                ...baseResult
+            };
         }
         //Same Account
         if (principalAccount === resourceAccount) {
-            if (resourcePolicyResult === 'Allowed' || resourcePolicyResult === 'AllowedForAccount' || identityStatementResult === 'Allowed') {
-                return 'Allowed';
+            if (permissionBoundaryResult === 'ImplicitlyDenied') {
+                /**
+                 * If the permission boundary is an implicit deny
+                 *
+                 * If the request is from an assumed role ARN AND the resource policy allows the assumed role (session) ARN = ALLOW
+                 * If the request is from an IAM user ARN AND the resource policy allows the IAM user ARN = ALLOW
+                 * If the request is from a federated user ARN AND the resource policy allows the federated user ARN = ALLOW
+                 * The request is allowed: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
+                 */
+                if (resourcePolicyResult === 'Allowed') {
+                    const principal = request.request.principal.value();
+                    if ((0, util_js_1.isAssumedRoleArn)(principal) || (0, util_js_1.isIamUserArn)(principal) || (0, util_js_1.isFederatedUserArn)(principal)) {
+                        if (request.resourceAnalysis.allowStatements.some(statement => statement.principalMatch === 'Match')) {
+                            return {
+                                result: 'Allowed',
+                                ...baseResult
+                            };
+                        }
+                    }
+                }
+                return {
+                    result: 'ImplicitlyDenied',
+                    ...baseResult
+                };
+            }
+            /*
+              TODO: Implicit denies in identity policies
+              I think if the identity policy has an implicit deny for assumed roles or federated users,
+              then the resource policy must have the federerated or assumed role ARN exactly.
+      
+              That doesn't seem right though. I know many cases where the resource policy has the role ARN and it works
+      
+              Need to add some tests for this.
+            */
+            if (resourcePolicyResult === 'Allowed' || identityStatementResult === 'Allowed') {
+                return {
+                    result: 'Allowed',
+                    ...baseResult
+                };
             }
-            return 'ImplicitlyDenied';
+            return {
+                result: 'ImplicitlyDenied',
+                ...baseResult
+            };
         }
         //Cross Account
+        if (permissionBoundaryResult === 'ImplicitlyDenied') {
+            return {
+                result: 'ImplicitlyDenied',
+                ...baseResult
+            };
+        }
         if (resourcePolicyResult === 'Allowed' || resourcePolicyResult === 'AllowedForAccount') {
             if (identityStatementResult === 'Allowed') {
-                return 'Allowed';
+                return {
+                    result: 'Allowed',
+                    ...baseResult
+                };
             }
-            return 'ImplicitlyDenied';
-        }
-        return 'ImplicitlyDenied';
+            return {
+                result: 'ImplicitlyDenied',
+                ...baseResult
+            };
+        }
+        return {
+            result: 'ImplicitlyDenied',
+            ...baseResult
+        };
         /**
          * Add checks for:
+         * * session policies
+         * * resource control policies
          * * root user
          * * service linked roles
-         * * resource control policies
-         * * boundary policies
          * * vpc endpoint policies
-         * * session policies (maybe these are just part of identity policies?)
          */
     }
-    /**
-     * Determine the result of the SCP analysis.
-     *
-     * @param request The request to authorize.
-     * @returns The result of the SCP analysis.
-     */
-    serviceControlPolicyResult(request) {
-        const orgAllows = request.scpAnalysis.map((scpAnalysis) => {
-            return scpAnalysis.statementAnalysis.some((statement) => {
-                return this.identityStatementAllows(statement);
-            });
-        });
-        if (orgAllows.includes(false)) {
-            return 'ImplicitlyDenied';
-        }
-        const anyScpDeny = request.scpAnalysis.some((scpAnalysis) => {
-            return scpAnalysis.statementAnalysis.some((statement) => {
-                return this.identityStatementExplicitDeny(statement);
-            });
-        });
-        if (anyScpDeny) {
-            return 'ExplicitlyDenied';
-        }
-        return 'Allowed';
-    }
-    /**
-     * Evaluate the identity statements to determine the result.
-     *
-     * @param request The request to authorize.
-     * @returns The result of the identity statement analysis.
-     */
-    identityStatementResult(request) {
-        const explicitDeny = request.identityStatements.some(s => this.identityStatementExplicitDeny(s));
-        if (explicitDeny) {
-            return 'ExplicitlyDenied';
-        }
-        const explicitAllow = request.identityStatements.some(s => this.identityStatementAllows(s));
-        const possibleDeny = request.identityStatements.some(s => this.identityStatementUknownDeny(s));
-        if (explicitAllow) {
-            return possibleDeny ? 'Unknown' : 'Allowed';
-        }
-        const possibleAllow = request.identityStatements.some(s => this.identityStatementUknownAllow(s));
-        if (possibleAllow) {
-            return 'Unknown';
-        }
-        return 'ImplicitlyDenied';
-    }
-    /**
-     * Evaluate the resource policy to determine the result.
-     *
-     * @param request the request to authorize
-     * @returns the result of the resource policy analysis
-     */
-    resourcePolicyResult(request) {
-        if (!request.resourceAnalysis) {
-            return 'NotApplicable';
-        }
-        const denyStatements = request.resourceAnalysis.filter(s => this.identityStatementExplicitDeny(s));
-        if (denyStatements.some(s => s.principalMatch === 'Match')) {
-            return 'ExplicitlyDenied';
-        }
-        if (denyStatements.some(s => s.principalMatch === 'AccountLevelMatch')) {
-            return 'DeniedForAccount';
-        }
-        const allowStatements = request.resourceAnalysis.filter(s => this.identityStatementAllows(s));
-        if (allowStatements.some(s => s.principalMatch === 'Match')) {
-            return 'Allowed';
-        }
-        if (allowStatements.some(s => s.principalMatch === 'AccountLevelMatch')) {
-            return 'AllowedForAccount';
-        }
-        return 'ImplicityDenied';
-    }
-    /**
-     * Checks if a statement is an identity statement that allows the request.
-     *
-     * @param statement The statement to check.
-     * @returns Whether the statement is an identity statement that allows the request.
-     */
-    identityStatementAllows(statement) {
-        if (statement.resourceMatch &&
-            statement.actionMatch &&
-            statement.conditionMatch === 'Match' &&
-            statement.statement.effect() === 'Allow') {
-            return true;
-        }
-        return false;
-    }
-    identityStatementUknownAllow(statement) {
-        if (statement.resourceMatch &&
-            statement.actionMatch &&
-            statement.conditionMatch === 'Unknown' &&
-            statement.statement.effect() === 'Allow') {
-            return true;
-        }
-        return false;
-    }
-    identityStatementUknownDeny(statement) {
-        if (statement.resourceMatch &&
-            statement.actionMatch &&
-            statement.conditionMatch === 'Unknown' &&
-            statement.statement.effect() === 'Deny') {
-            return true;
-        }
-        return false;
-    }
-    identityStatementExplicitDeny(statement) {
-        if (statement.resourceMatch &&
-            statement.actionMatch &&
-            statement.conditionMatch === 'Match' &&
-            statement.statement.effect() === 'Deny') {
-            return true;
-        }
-        return false;
-    }
 }
 exports.DefaultServiceAuthorizer = DefaultServiceAuthorizer;
 //# sourceMappingURL=DefaultServiceAuthorizer.js.map

package/dist/cjs/services/DefaultServiceAuthorizer.js.map

@@ -1 +1 @@
-{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":";;;AAIA;;GAEG;AACH,MAAa,wBAAwB;IAC5B,SAAS,CAAC,OAAoC;QACnD,MAAM,SAAS,GAAG,IAAI,CAAC,0BAA0B,CAAC,OAAO,CAAC,CAAC;QAC3D,MAAM,uBAAuB,GAAG,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC,CAAC;QACtE,MAAM,oBAAoB,GAAG,IAAI,CAAC,oBAAoB,CAAC,OAAO,CAAC,CAAC;QAEhE,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;QAE7D,IAAG,SAAS,KAAK,SAAS,EAAE,CAAC;YAC3B,OAAO,SAAS,CAAA;QAClB,CAAC;QAED,IAAG,oBAAoB,KAAK,kBAAkB,IAAI,oBAAoB,KAAK,kBAAkB,EAAE,CAAC;YAC9F,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,IAAG,uBAAuB,KAAK,kBAAkB,EAAE,CAAC;YAClD,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,cAAc;QACd,IAAG,gBAAgB,KAAK,eAAe,EAAE,CAAC;YACxC,IAAG,oBAAoB,KAAK,SAAS,IAAI,oBAAoB,KAAK,mBAAmB,IAAI,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBAC/H,OAAO,SAAS,CAAA;YAClB,CAAC;YACD,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,eAAe;QACf,IAAG,oBAAoB,KAAK,SAAS,IAAI,oBAAoB,KAAK,mBAAmB,EAAE,CAAC;YACtF,IAAG,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBACzC,OAAO,SAAS,CAAA;YAClB,CAAC;YACD,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,OAAO,kBAAkB,CAAA;QAEzB;;;;;;;;WAQG;IACL,CAAC;IAED;;;;;OAKG;IACI,0BAA0B,CAAC,OAAoC;QACpE,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,EAAE;YACxD,OAAO,WAAW,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE;gBACtD,OAAO,IAAI,CAAC,uBAAuB,CAAC,SAAS,CAAC,CAAA;YAChD,CAAC,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;QAEF,IAAG,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAC7B,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,MAAM,UAAU,GAAG,OAAO,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,EAAE;YAC1D,OAAO,WAAW,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE;gBACtD,OAAO,IAAI,CAAC,6BAA6B,CAAC,SAAS,CAAC,CAAA;YACtD,CAAC,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;QAEF,IAAG,UAAU,EAAE,CAAC;YACd,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,OAAO,SAAS,CAAA;IAClB,CAAC;IAED;;;;;OAKG;IACI,uBAAuB,CAAC,OAAoC;QACjE,MAAM,YAAY,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC,CAAC,CAAC,CAAC;QACjG,IAAG,YAAY,EAAE,CAAC;YAChB,OAAO,kBAAkB,CAAC;QAC5B,CAAC;QAED,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC,CAAC,CAAC,CAAC;QAC5F,MAAM,YAAY,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/F,IAAG,aAAa,EAAE,CAAC;YACjB,OAAO,YAAY,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;QAC9C,CAAC;QAED,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC,CAAC,CAAC,CAAC;QACjG,IAAG,aAAa,EAAE,CAAC;YACjB,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,OAAO,kBAAkB,CAAA;IAC3B,CAAC;IAED;;;;;OAKG;IACI,oBAAoB,CAAC,OAAoC;QAC9D,IAAG,CAAC,OAAO,CAAC,gBAAgB,EAAE,CAAC;YAC7B,OAAO,eAAe,CAAA;QACxB,CAAC;QAED,MAAM,cAAc,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC,CAAC,CAAC,CAAC;QACnG,IAAG,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,OAAO,CAAC,EAAE,CAAC;YAC1D,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QACD,IAAG,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,mBAAmB,CAAC,EAAE,CAAC;YACtE,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,MAAM,eAAe,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC,CAAC,CAAC,CAAC;QAC9F,IAAG,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,OAAO,CAAC,EAAE,CAAC;YAC3D,OAAO,SAAS,CAAA;QAClB,CAAC;QACD,IAAG,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,mBAAmB,CAAC,EAAE,CAAC;YACvE,OAAO,mBAAmB,CAAA;QAC5B,CAAC;QAED,OAAO,iBAAiB,CAAA;IAE1B,CAAC;IAED;;;;;OAKG;IACI,uBAAuB,CAAC,SAA4B;QACzD,IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAAK,OAAO;YACpC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,OAAO,EAAE,CAAC;YACzC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAEM,4BAA4B,CAAC,SAA4B;QAC9D,IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAAK,SAAS;YACtC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,OAAO,EAAE,CAAC;YACzC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAEM,2BAA2B,CAAC,SAA4B;QAC7D,IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAAK,SAAS;YACtC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,MAAM,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAEM,6BAA6B,CAAC,SAA4B;QAC/D,IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAAK,OAAO;YACpC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,MAAM,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;CACF;AAtLD,4DAsLC"}
+{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":";;;AACA,wCAAgF;AAGhF;;GAEG;AACH,MAAa,wBAAwB;IAC5B,SAAS,CAAC,OAAoC;QACnD,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAC;QAC7C,MAAM,uBAAuB,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAC;QAChE,MAAM,oBAAoB,GAAG,OAAO,CAAC,gBAAgB,EAAE,MAAM,CAAA;QAC7D,MAAM,wBAAwB,GAAG,OAAO,CAAC,0BAA0B,EAAE,MAAM,CAAA;QAE3E,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;QAC7D,MAAM,WAAW,GAAG,gBAAgB,KAAK,eAAe,CAAA;QAExD,MAAM,UAAU,GAAmI;YACjJ,WAAW;YACX,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,0BAA0B,EAAE,OAAO,CAAC,0BAA0B;SAC/D,CAAA;QAED,IAAG,SAAS,KAAK,SAAS,EAAE,CAAC;YAC3B,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAG,oBAAoB,KAAK,kBAAkB,IAAI,oBAAoB,KAAK,kBAAkB,EAAE,CAAC;YAC9F,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAG,uBAAuB,KAAK,kBAAkB,EAAE,CAAC;YAClD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAG,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACnD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,cAAc;QACd,IAAG,gBAAgB,KAAK,eAAe,EAAE,CAAC;YAExC,IAAG,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;gBACnD;;;;;;;mBAOG;gBACH,IAAG,oBAAoB,KAAK,SAAS,EAAE,CAAC;oBACtC,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;oBACnD,IAAG,IAAA,0BAAgB,EAAC,SAAS,CAAC,IAAI,IAAA,sBAAY,EAAC,SAAS,CAAC,IAAI,IAAA,4BAAkB,EAAC,SAAS,CAAC,EAAE,CAAC;wBAC3F,IAAG,OAAO,CAAC,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,OAAO,CAAC,EAAC,CAAC;4BACnG,OAAO;gCACL,MAAM,EAAE,SAAS;gCACjB,GAAG,UAAU;6BACd,CAAA;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;gBACD,OAAO;oBACL,MAAM,EAAE,kBAAkB;oBAC1B,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YAGD;;;;;;;;cAQE;YACF,IAAG,oBAAoB,KAAK,SAAS,IAAI,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBAC/E,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,eAAe;QACf,IAAG,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACnD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAG,oBAAoB,KAAK,SAAS,IAAI,oBAAoB,KAAK,mBAAmB,EAAE,CAAC;YACtF,IAAG,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBACzC,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,OAAO;YACL,MAAM,EAAE,kBAAkB;YAC1B,GAAG,UAAU;SACd,CAAA;QAED;;;;;;;WAOG;IACL,CAAC;CACF;AArID,4DAqIC"}

package/dist/cjs/services/ServiceAuthorizer.d.ts

@@ -1,14 +1,13 @@
-import { EvaluationResult } from "../evaluate.js";
+import { IdentityAnalysis, RequestAnalysis, ResourceAnalysis, ScpAnalysis } from "../evaluate.js";
 import { AwsRequest } from "../request/request.js";
-import { SCPAnalysis } from "../SCPAnalysis.js";
-import { StatementAnalysis } from "../StatementAnalysis.js";
 export interface ServiceAuthorizationRequest {
     request: AwsRequest;
-    identityStatements: StatementAnalysis[];
-    scpAnalysis: SCPAnalysis[];
-    resourceAnalysis: StatementAnalysis[];
+    identityAnalysis: IdentityAnalysis;
+    scpAnalysis: ScpAnalysis;
+    resourceAnalysis: ResourceAnalysis;
+    permissionBoundaryAnalysis: IdentityAnalysis | undefined;
 }
 export interface ServiceAuthorizer {
-    authorize(request: ServiceAuthorizationRequest): EvaluationResult;
+    authorize(request: ServiceAuthorizationRequest): RequestAnalysis;
 }
 //# sourceMappingURL=ServiceAuthorizer.d.ts.map

package/dist/cjs/services/ServiceAuthorizer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/ServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAE5D,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,UAAU,CAAC;IACpB,kBAAkB,EAAE,iBAAiB,EAAE,CAAC;IACxC,WAAW,EAAE,WAAW,EAAE,CAAC;IAC3B,gBAAgB,EAAE,iBAAiB,EAAE,CAAC;CACvC;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,gBAAgB,CAAA;CAClE"}
+{"version":3,"file":"ServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/ServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAClG,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAEnD,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,UAAU,CAAC;IACpB,gBAAgB,EAAE,gBAAgB,CAAC;IACnC,WAAW,EAAE,WAAW,CAAC;IACzB,gBAAgB,EAAE,gBAAgB,CAAC;IACnC,0BAA0B,EAAE,gBAAgB,GAAG,SAAS,CAAC;CAC1D;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe,CAAA;CACjE"}

package/dist/cjs/simulation_engine/simulation.d.ts

@@ -20,5 +20,9 @@ export interface Simulation {
         }[];
     }[];
     resourcePolicy?: any;
+    permissionBoundaryPolicies?: {
+        name: string;
+        policy: any;
+    }[];
 }
 //# sourceMappingURL=simulation.d.ts.map

package/dist/cjs/simulation_engine/simulation.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"simulation.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulation.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,EAAE;YACR,QAAQ,EAAE,MAAM,CAAC;YACjB,SAAS,EAAE,MAAM,CAAA;SAClB,CAAA;QACD,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAC;KACrD,CAAA;IAED,gBAAgB,EAAE;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,GAAG,CAAA;KAAC,EAAE,CAAC;IAChD,sBAAsB,EAAE;QACtB,aAAa,EAAE,MAAM,CAAC;QACtB,QAAQ,EAAE;YAAC,IAAI,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,GAAG,CAAA;SAAC,EAAE,CAAA;KACxC,EAAE,CAAC;IACJ,cAAc,CAAC,EAAE,GAAG,CAAC;CACtB"}
+{"version":3,"file":"simulation.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulation.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,EAAE;YACR,QAAQ,EAAE,MAAM,CAAC;YACjB,SAAS,EAAE,MAAM,CAAA;SAClB,CAAA;QACD,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAC;KACrD,CAAA;IAED,gBAAgB,EAAE;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,GAAG,CAAA;KAAC,EAAE,CAAC;IAChD,sBAAsB,EAAE;QACtB,aAAa,EAAE,MAAM,CAAC;QACtB,QAAQ,EAAE;YAAC,IAAI,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,GAAG,CAAA;SAAC,EAAE,CAAA;KACxC,EAAE,CAAC;IACJ,cAAc,CAAC,EAAE,GAAG,CAAA;IACpB,0BAA0B,CAAC,EAAG;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,GAAG,CAAA;KAAC,EAAE,CAAA;CAC5D"}

package/dist/cjs/simulation_engine/simulationEngine.d.ts

@@ -1,5 +1,5 @@
 import { ValidationError } from "@cloud-copilot/iam-policy";
-import { EvaluationResult } from "../evaluate.js";
+import { RequestAnalysis } from "../evaluate.js";
 import { Simulation } from "./simulation.js";
 import { SimulationOptions } from "./simulationOptions.js";
 export interface SimulationErrors {
@@ -10,9 +10,7 @@ export interface SimulationErrors {
 }
 export interface SimulationResult {
     errors?: SimulationErrors;
-    result?: {
-        evaluationResult: EvaluationResult;
-    };
+    analysis?: RequestAnalysis;
 }
 /**
  * Run a simulation with validation

package/dist/cjs/simulation_engine/simulationEngine.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"simulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":"AACA,OAAO,EAAoG,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAI9J,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAKlD,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC7C,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAE3D,MAAM,WAAW,gBAAgB;IAC/B,oBAAoB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAC;IACzD,yBAAyB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAC;IAC9D,oBAAoB,CAAC,EAAE,eAAe,EAAE,CAAC;IACzC,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,CAAC,EAAE,gBAAgB,CAAC;IAC1B,MAAM,CAAC,EAAE;QACP,gBAAgB,EAAE,gBAAgB,CAAA;KACnC,CAAA;CACF;AAED;;;;;;GAMG;AACH,wBAAsB,aAAa,CAAC,UAAU,EAAE,UAAU,EAAE,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAAG,OAAO,CAAC,gBAAgB,CAAC,CA+HpI;AAED,wBAAsB,6BAA6B,CAAC,UAAU,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAC,CA0BtH"}
+{"version":3,"file":"simulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":"AACA,OAAO,EAAoG,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAI9J,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAKjD,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC7C,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAE3D,MAAM,WAAW,gBAAgB;IAC/B,oBAAoB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAC;IACzD,yBAAyB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAC;IAC9D,oBAAoB,CAAC,EAAE,eAAe,EAAE,CAAC;IACzC,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,CAAC,EAAE,gBAAgB,CAAC;IAC1B,QAAQ,CAAC,EAAE,eAAe,CAAA;CAC3B;AAED;;;;;;GAMG;AACH,wBAAsB,aAAa,CAAC,UAAU,EAAE,UAAU,EAAE,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAAG,OAAO,CAAC,gBAAgB,CAAC,CA2IpI;AAED,wBAAsB,6BAA6B,CAAC,UAAU,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAC,CA0BtH"}

package/dist/cjs/simulation_engine/simulationEngine.js

@@ -51,8 +51,21 @@ async function runSimulation(simulation, simulationOptions) {
         };
     });
     const resourcePolicyErrors = simulation.resourcePolicy ? (0, iam_policy_1.validateResourcePolicy)(simulation.resourcePolicy) : [];
+    const permissionBoundaries = simulation.permissionBoundaryPolicies ? [] : undefined;
+    const permissionBoundaryErrors = {};
+    simulation.permissionBoundaryPolicies?.map((pb) => {
+        const { name, policy } = pb;
+        const validationErrors = (0, iam_policy_1.validateIdentityPolicy)(policy);
+        if (validationErrors.length == 0) {
+            permissionBoundaries.push((0, iam_policy_1.loadPolicy)(policy));
+        }
+        else {
+            permissionBoundaryErrors[name] = validationErrors;
+        }
+    });
     if (Object.keys(identityPolicyErrors).length > 0 ||
         Object.keys(seviceControlPolicyErrors).length > 0 ||
+        Object.keys(permissionBoundaryErrors).length > 0 ||
         resourcePolicyErrors.length > 0) {
         return {
             errors: {
@@ -124,12 +137,11 @@ async function runSimulation(simulation, simulationOptions) {
         }, simulation.request.action, new requestContext_js_1.RequestContextImpl(contextValues)),
         identityPolicies,
         serviceControlPolicies,
-        resourcePolicy
+        resourcePolicy,
+        permissionBoundaries
     });
     return {
-        result: {
-            evaluationResult: simulationResult
-        }
+        analysis: simulationResult
     };
 }
 async function normalizeSimulationParameters(simulation) {

package/dist/cjs/simulation_engine/simulationEngine.js.map

@@ -1 +1 @@
-{"version":3,"file":"simulationEngine.js","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":";;AAkCA,sCA+HC;AAED,sEA0BC;AA7LD,sDAA4E;AAC5E,0DAA8J;AAC9J,2EAAyE;AACzE,mEAA4F;AAC5F,kFAA0F;AAE1F,sDAAuD;AACvD,4DAA0D;AAC1D,wCAA6E;AAC7E,qDAAgE;AAkBhE;;;;;;GAMG;AACI,KAAK,UAAU,aAAa,CAAC,UAAsB,EAAE,iBAA6C;IACvG,MAAM,oBAAoB,GAAsC,EAAE,CAAC;IACnE,MAAM,gBAAgB,GAAa,EAAE,CAAC;IACtC,UAAU,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE;QAC5C,MAAM,EAAC,IAAI,EAAE,MAAM,EAAC,GAAG,KAAK,CAAC;QAC7B,MAAM,gBAAgB,GAAG,IAAA,mCAAsB,EAAC,MAAM,CAAC,CAAC;QACxD,IAAG,gBAAgB,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;YAChC,gBAAgB,CAAC,IAAI,CAAC,IAAA,uBAAU,EAAC,MAAM,CAAC,CAAC,CAAC;QAC5C,CAAC;aAAM,CAAC;YACN,oBAAoB,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC;QAChD,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,MAAM,yBAAyB,GAAsC,EAAE,CAAC;IACxE,MAAM,sBAAsB,GAA6B,UAAU,CAAC,sBAAsB,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;QACrG,MAAM,IAAI,GAAG,GAAG,CAAC,aAAa,CAAC;QAC/B,MAAM,aAAa,GAAa,EAAE,CAAC;QAEnC,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE;YAC7B,MAAM,EAAC,IAAI,EAAE,MAAM,EAAC,GAAG,KAAK,CAAC;YAC7B,MAAM,gBAAgB,GAAG,IAAA,yCAA4B,EAAC,MAAM,CAAC,CAAC;YAC9D,IAAG,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC/B,yBAAyB,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC;YACrD,CAAC;iBAAM,CAAC;gBACN,aAAa,CAAC,IAAI,CAAC,IAAA,uBAAU,EAAC,MAAM,CAAC,CAAC,CAAC;YACzC,CAAC;QACH,CAAC,CAAC,CAAA;QAEF,OAAO;YACL,aAAa,EAAE,IAAI;YACnB,QAAQ,EAAE,aAAa;SACxB,CAAA;IACH,CAAC,CAAC,CAAA;IAEF,MAAM,oBAAoB,GAAG,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,IAAA,mCAAsB,EAAC,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAEhH,IAAG,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,MAAM,GAAG,CAAC;QAC5C,MAAM,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC,MAAM,GAAG,CAAC;QACjD,oBAAoB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnC,OAAO;YACL,MAAM,EAAE;gBACN,oBAAoB;gBACpB,yBAAyB;gBACzB,oBAAoB;gBACpB,OAAO,EAAE,eAAe;aACzB;SACF,CAAA;IACH,CAAC;IAED,MAAM,cAAc,GAAG,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,IAAA,uBAAU,EAAC,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAErG,IAAG,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QACpD,OAAO;YACL,MAAM,EAAE;gBACN,OAAO,EAAE,gBAAgB;aAC1B;SACF,CAAA;IACH,CAAC;IAED,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,GAAG,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/D,MAAM,YAAY,GAAG,MAAM,IAAA,2BAAgB,EAAC,OAAO,CAAC,CAAC;IACrD,IAAG,CAAC,YAAY,EAAE,CAAC;QACjB,OAAO;YACL,MAAM,EAAE;gBACN,OAAO,EAAE,iBAAiB;aAC3B;SACF,CAAA;IACH,CAAC;IACD,MAAM,WAAW,GAAG,MAAM,IAAA,0BAAe,EAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC3D,IAAG,CAAC,WAAW,EAAE,CAAC;QAChB,OAAO;YACL,MAAM,EAAE;gBACN,OAAO,EAAE,gBAAgB;aAC1B;SACF,CAAA;IACH,CAAC;IAED,MAAM,WAAW,GAAG,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC;IACzD,MAAM,oBAAoB,GAAG,MAAM,IAAA,8BAAoB,EAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACzE,IAAG,oBAAoB,EAAE,CAAC;QACxB,IAAG,WAAW,KAAK,GAAG,EAAE,CAAC;YACvB,OAAO;gBACL,MAAM,EAAE;oBACN,OAAO,EAAE,mBAAmB;iBAC7B;aACF,CAAA;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,MAAM,aAAa,GAAG,MAAM,IAAA,mCAAyB,EAAC,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC;QACpF,IAAG,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC9B,OAAO;gBACL,MAAM,EAAE;oBACN,OAAO,EAAE,mBAAmB;iBAC7B;aAEF,CAAA;QACH,CAAC;aAAM,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpC,OAAO;gBACL,MAAM,EAAE;oBACN,OAAO,EAAE,yBAAyB;iBACnC;aACF,CAAA;QACH,CAAC;IACH,CAAC;IAED,MAAM,aAAa,GAAG,MAAM,6BAA6B,CAAC,UAAU,CAAC,CAAC;IAEtE,MAAM,gBAAgB,GAAG,IAAA,kCAAS,EAAC;QACjC,OAAO,EAAE,IAAI,2BAAc,CACzB,UAAU,CAAC,OAAO,CAAC,SAAS,EAC5B;YACE,QAAQ,EAAE,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ;YAC9C,SAAS,EAAE,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS;SACjD,EACD,UAAU,CAAC,OAAO,CAAC,MAAM,EACzB,IAAI,sCAAkB,CAAC,aAAa,CAAC,CACtC;QACD,gBAAgB;QAChB,sBAAsB;QACtB,cAAc;KACf,CAAC,CAAA;IAEF,OAAO;QACL,MAAM,EAAE;YACN,gBAAgB,EAAE,gBAAgB;SACnC;KACF,CAAA;AACH,CAAC;AAEM,KAAK,UAAU,6BAA6B,CAAC,UAAsB;IACxE,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,GAAG,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/D,MAAM,WAAW,GAAG,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC;IACzD,MAAM,yBAAyB,GAAG,IAAI,GAAG,CAAC,MAAM,IAAA,6CAA4B,EAAC,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC,CAAA;IAE3G,4FAA4F;IAC5F,MAAM,kBAAkB,GAAsC,EAAE,CAAC;IACjE,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACnE,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC;QACvD,MAAM,YAAY,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;QACvC,IAAI,yBAAyB,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,uBAAuB,CAAC,YAAY,EAAE,yBAAyB,CAAC,EAAE,CAAC;YAEpH,MAAM,aAAa,GAAG,MAAM,IAAA,kCAAiB,EAAC,YAAY,CAAC,CAAC;YAC5D,MAAM,aAAa,GAAG,MAAM,IAAA,wCAAuB,EAAC,GAAG,CAAC,CAAC;YAEzD,IAAG,IAAA,wCAAmB,EAAC,aAAa,CAAC,EAAE,CAAC;gBACtC,kBAAkB,CAAC,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC;YACrD,CAAC;iBAAM,IAAG,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC/B,kBAAkB,CAAC,aAAa,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAC/C,CAAC;iBAAM,CAAC;gBACN,kBAAkB,CAAC,aAAa,CAAC,GAAG,KAAK,CAAC;YAC5C,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,kBAAkB,CAAA;AAC3B,CAAC;AAED,SAAS,uBAAuB,CAAC,YAAoB,EAAE,gBAA6B;IAClF,MAAM,eAAe,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAClD,IAAG,eAAe,KAAK,CAAC,CAAC,EAAE,CAAC;QAC1B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,eAAe,GAAG,CAAC,CAAC,CAAC;IAC1D,KAAI,MAAM,QAAQ,IAAI,gBAAgB,EAAE,CAAC;QACvC,IAAG,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YAC/B,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC"}
+{"version":3,"file":"simulationEngine.js","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":";;AAgCA,sCA2IC;AAED,sEA0BC;AAvMD,sDAA4E;AAC5E,0DAA8J;AAC9J,2EAAyE;AACzE,mEAA4F;AAC5F,kFAA0F;AAE1F,sDAAuD;AACvD,4DAA0D;AAC1D,wCAA6E;AAC7E,qDAAgE;AAgBhE;;;;;;GAMG;AACI,KAAK,UAAU,aAAa,CAAC,UAAsB,EAAE,iBAA6C;IACvG,MAAM,oBAAoB,GAAsC,EAAE,CAAC;IACnE,MAAM,gBAAgB,GAAa,EAAE,CAAC;IACtC,UAAU,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE;QAC5C,MAAM,EAAC,IAAI,EAAE,MAAM,EAAC,GAAG,KAAK,CAAC;QAC7B,MAAM,gBAAgB,GAAG,IAAA,mCAAsB,EAAC,MAAM,CAAC,CAAC;QACxD,IAAG,gBAAgB,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;YAChC,gBAAgB,CAAC,IAAI,CAAC,IAAA,uBAAU,EAAC,MAAM,CAAC,CAAC,CAAC;QAC5C,CAAC;aAAM,CAAC;YACN,oBAAoB,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC;QAChD,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,MAAM,yBAAyB,GAAsC,EAAE,CAAC;IACxE,MAAM,sBAAsB,GAA6B,UAAU,CAAC,sBAAsB,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;QACrG,MAAM,IAAI,GAAG,GAAG,CAAC,aAAa,CAAC;QAC/B,MAAM,aAAa,GAAa,EAAE,CAAC;QAEnC,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE;YAC7B,MAAM,EAAC,IAAI,EAAE,MAAM,EAAC,GAAG,KAAK,CAAC;YAC7B,MAAM,gBAAgB,GAAG,IAAA,yCAA4B,EAAC,MAAM,CAAC,CAAC;YAC9D,IAAG,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC/B,yBAAyB,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC;YACrD,CAAC;iBAAM,CAAC;gBACN,aAAa,CAAC,IAAI,CAAC,IAAA,uBAAU,EAAC,MAAM,CAAC,CAAC,CAAC;YACzC,CAAC;QACH,CAAC,CAAC,CAAA;QAEF,OAAO;YACL,aAAa,EAAE,IAAI;YACnB,QAAQ,EAAE,aAAa;SACxB,CAAA;IACH,CAAC,CAAC,CAAA;IAEF,MAAM,oBAAoB,GAAG,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,IAAA,mCAAsB,EAAC,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAEhH,MAAM,oBAAoB,GAAyB,UAAU,CAAC,0BAA0B,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;IAC1G,MAAM,wBAAwB,GAAsC,EAAE,CAAC;IACvE,UAAU,CAAC,0BAA0B,EAAE,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE;QAChD,MAAM,EAAC,IAAI,EAAE,MAAM,EAAC,GAAG,EAAE,CAAC;QAC1B,MAAM,gBAAgB,GAAG,IAAA,mCAAsB,EAAC,MAAM,CAAC,CAAC;QACxD,IAAG,gBAAgB,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;YAChC,oBAAqB,CAAC,IAAI,CAAC,IAAA,uBAAU,EAAC,MAAM,CAAC,CAAC,CAAC;QACjD,CAAC;aAAM,CAAC;YACN,wBAAwB,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC;QACpD,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,IAAG,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,MAAM,GAAG,CAAC;QAC5C,MAAM,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC,MAAM,GAAG,CAAC;QACjD,MAAM,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC,MAAM,GAAG,CAAC;QAChD,oBAAoB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnC,OAAO;YACL,MAAM,EAAE;gBACN,oBAAoB;gBACpB,yBAAyB;gBACzB,oBAAoB;gBACpB,OAAO,EAAE,eAAe;aACzB;SACF,CAAA;IACH,CAAC;IAED,MAAM,cAAc,GAAG,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,IAAA,uBAAU,EAAC,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAErG,IAAG,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QACpD,OAAO;YACL,MAAM,EAAE;gBACN,OAAO,EAAE,gBAAgB;aAC1B;SACF,CAAA;IACH,CAAC;IAED,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,GAAG,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/D,MAAM,YAAY,GAAG,MAAM,IAAA,2BAAgB,EAAC,OAAO,CAAC,CAAC;IACrD,IAAG,CAAC,YAAY,EAAE,CAAC;QACjB,OAAO;YACL,MAAM,EAAE;gBACN,OAAO,EAAE,iBAAiB;aAC3B;SACF,CAAA;IACH,CAAC;IACD,MAAM,WAAW,GAAG,MAAM,IAAA,0BAAe,EAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC3D,IAAG,CAAC,WAAW,EAAE,CAAC;QAChB,OAAO;YACL,MAAM,EAAE;gBACN,OAAO,EAAE,gBAAgB;aAC1B;SACF,CAAA;IACH,CAAC;IAED,MAAM,WAAW,GAAG,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC;IACzD,MAAM,oBAAoB,GAAG,MAAM,IAAA,8BAAoB,EAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACzE,IAAG,oBAAoB,EAAE,CAAC;QACxB,IAAG,WAAW,KAAK,GAAG,EAAE,CAAC;YACvB,OAAO;gBACL,MAAM,EAAE;oBACN,OAAO,EAAE,mBAAmB;iBAC7B;aACF,CAAA;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,MAAM,aAAa,GAAG,MAAM,IAAA,mCAAyB,EAAC,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC;QACpF,IAAG,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC9B,OAAO;gBACL,MAAM,EAAE;oBACN,OAAO,EAAE,mBAAmB;iBAC7B;aAEF,CAAA;QACH,CAAC;aAAM,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpC,OAAO;gBACL,MAAM,EAAE;oBACN,OAAO,EAAE,yBAAyB;iBACnC;aACF,CAAA;QACH,CAAC;IACH,CAAC;IAED,MAAM,aAAa,GAAG,MAAM,6BAA6B,CAAC,UAAU,CAAC,CAAC;IAEtE,MAAM,gBAAgB,GAAG,IAAA,kCAAS,EAAC;QACjC,OAAO,EAAE,IAAI,2BAAc,CACzB,UAAU,CAAC,OAAO,CAAC,SAAS,EAC5B;YACE,QAAQ,EAAE,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ;YAC9C,SAAS,EAAE,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS;SACjD,EACD,UAAU,CAAC,OAAO,CAAC,MAAM,EACzB,IAAI,sCAAkB,CAAC,aAAa,CAAC,CACtC;QACD,gBAAgB;QAChB,sBAAsB;QACtB,cAAc;QACd,oBAAoB;KACrB,CAAC,CAAA;IAEF,OAAO;QACL,QAAQ,EAAE,gBAAgB;KAC3B,CAAA;AACH,CAAC;AAEM,KAAK,UAAU,6BAA6B,CAAC,UAAsB;IACxE,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,GAAG,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/D,MAAM,WAAW,GAAG,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC;IACzD,MAAM,yBAAyB,GAAG,IAAI,GAAG,CAAC,MAAM,IAAA,6CAA4B,EAAC,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC,CAAA;IAE3G,4FAA4F;IAC5F,MAAM,kBAAkB,GAAsC,EAAE,CAAC;IACjE,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACnE,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC;QACvD,MAAM,YAAY,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;QACvC,IAAI,yBAAyB,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,uBAAuB,CAAC,YAAY,EAAE,yBAAyB,CAAC,EAAE,CAAC;YAEpH,MAAM,aAAa,GAAG,MAAM,IAAA,kCAAiB,EAAC,YAAY,CAAC,CAAC;YAC5D,MAAM,aAAa,GAAG,MAAM,IAAA,wCAAuB,EAAC,GAAG,CAAC,CAAC;YAEzD,IAAG,IAAA,wCAAmB,EAAC,aAAa,CAAC,EAAE,CAAC;gBACtC,kBAAkB,CAAC,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC;YACrD,CAAC;iBAAM,IAAG,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC/B,kBAAkB,CAAC,aAAa,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAC/C,CAAC;iBAAM,CAAC;gBACN,kBAAkB,CAAC,aAAa,CAAC,GAAG,KAAK,CAAC;YAC5C,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,kBAAkB,CAAA;AAC3B,CAAC;AAED,SAAS,uBAAuB,CAAC,YAAoB,EAAE,gBAA6B;IAClF,MAAM,eAAe,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAClD,IAAG,eAAe,KAAK,CAAC,CAAC,EAAE,CAAC;QAC1B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,eAAe,GAAG,CAAC,CAAC,CAAC;IAC1D,KAAI,MAAM,QAAQ,IAAI,gBAAgB,EAAE,CAAC;QACvC,IAAG,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YAC/B,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC"}

package/dist/cjs/simulation_engine/unsafeSimulationEngine.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"unsafeSimulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/unsafeSimulationEngine.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAGvD,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC7C,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAE3D;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,UAAU,EAAE,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAAG,gBAAgB,CAuB3H"}
+{"version":3,"file":"unsafeSimulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/unsafeSimulationEngine.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAGvD,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC7C,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAE3D;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,UAAU,EAAE,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAAG,gBAAgB,CA6B3H"}

package/dist/cjs/simulation_engine/unsafeSimulationEngine.js

@@ -23,16 +23,19 @@ function runUnsafeSimulation(simulation, simulationOptions) {
             policies: policies
         };
     });
+    const permissionBoundaries = simulation.permissionBoundaryPolicies?.map(val => (0, iam_policy_1.loadPolicy)(val.policy)) ?? undefined;
     const requestContext = new requestContext_js_1.RequestContextImpl(simulation.request.contextVariables);
     const request = new request_js_1.AwsRequestImpl(simulation.request.principal, {
         resource: simulation.request.resource.resource,
         accountId: simulation.request.resource.accountId,
     }, simulation.request.action, requestContext);
-    return (0, coreSimulatorEngine_js_1.authorize)({
+    const analysis = (0, coreSimulatorEngine_js_1.authorize)({
         request,
         identityPolicies,
         serviceControlPolicies,
-        resourcePolicy: simulation.resourcePolicy ? (0, iam_policy_1.loadPolicy)(simulation.resourcePolicy) : undefined
+        resourcePolicy: simulation.resourcePolicy ? (0, iam_policy_1.loadPolicy)(simulation.resourcePolicy) : undefined,
+        permissionBoundaries
     });
+    return analysis.result;
 }
 //# sourceMappingURL=unsafeSimulationEngine.js.map

package/dist/cjs/simulation_engine/unsafeSimulationEngine.js.map

@@ -1 +1 @@
-{"version":3,"file":"unsafeSimulationEngine.js","sourceRoot":"","sources":["../../../src/simulation_engine/unsafeSimulationEngine.ts"],"names":[],"mappings":";;AAgBA,kDAuBC;AAvCD,0DAAuD;AACvD,kFAA0F;AAE1F,sDAAuD;AACvD,4DAA0D;AAI1D;;;;;;;GAOG;AACH,SAAgB,mBAAmB,CAAC,UAAsB,EAAE,iBAA6C;IACvG,MAAM,gBAAgB,GAAG,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAA,uBAAU,EAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;IACnG,MAAM,sBAAsB,GAA6B,UAAU,CAAC,sBAAsB,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;QACrG,MAAM,IAAI,GAAG,GAAG,CAAC,aAAa,CAAC;QAC/B,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,IAAA,uBAAU,EAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC;QAEjE,OAAO;YACL,aAAa,EAAE,IAAI;YACnB,QAAQ,EAAE,QAAQ;SACnB,CAAA;IACH,CAAC,CAAC,CAAA;IACF,MAAM,cAAc,GAAG,IAAI,sCAAkB,CAAC,UAAU,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAA;IAClF,MAAM,OAAO,GAAG,IAAI,2BAAc,CAAC,UAAU,CAAC,OAAO,CAAC,SAAS,EAAE;QAC/D,QAAQ,EAAE,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ;QAC9C,SAAS,EAAE,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS;KACjD,EAAE,UAAU,CAAC,OAAO,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;IAE9C,OAAO,IAAA,kCAAS,EAAC;QACf,OAAO;QACP,gBAAgB;QAChB,sBAAsB;QACtB,cAAc,EAAE,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,IAAA,uBAAU,EAAC,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,SAAS;KAC9F,CAAC,CAAC;AACL,CAAC"}
+{"version":3,"file":"unsafeSimulationEngine.js","sourceRoot":"","sources":["../../../src/simulation_engine/unsafeSimulationEngine.ts"],"names":[],"mappings":";;AAgBA,kDA6BC;AA7CD,0DAAuD;AACvD,kFAA0F;AAE1F,sDAAuD;AACvD,4DAA0D;AAI1D;;;;;;;GAOG;AACH,SAAgB,mBAAmB,CAAC,UAAsB,EAAE,iBAA6C;IACvG,MAAM,gBAAgB,GAAG,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAA,uBAAU,EAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;IACnG,MAAM,sBAAsB,GAA6B,UAAU,CAAC,sBAAsB,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;QACrG,MAAM,IAAI,GAAG,GAAG,CAAC,aAAa,CAAC;QAC/B,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,IAAA,uBAAU,EAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC;QAEjE,OAAO;YACL,aAAa,EAAE,IAAI;YACnB,QAAQ,EAAE,QAAQ;SACnB,CAAA;IACH,CAAC,CAAC,CAAA;IAEF,MAAM,oBAAoB,GAAG,UAAU,CAAC,0BAA0B,EAAE,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,IAAA,uBAAU,EAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,SAAS,CAAC;IAEpH,MAAM,cAAc,GAAG,IAAI,sCAAkB,CAAC,UAAU,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAA;IAClF,MAAM,OAAO,GAAG,IAAI,2BAAc,CAAC,UAAU,CAAC,OAAO,CAAC,SAAS,EAAE;QAC/D,QAAQ,EAAE,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ;QAC9C,SAAS,EAAE,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS;KACjD,EAAE,UAAU,CAAC,OAAO,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;IAE9C,MAAM,QAAQ,GAAG,IAAA,kCAAS,EAAC;QACzB,OAAO;QACP,gBAAgB;QAChB,sBAAsB;QACtB,cAAc,EAAE,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,IAAA,uBAAU,EAAC,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,SAAS;QAC7F,oBAAoB;KACrB,CAAC,CAAC;IAEH,OAAO,QAAQ,CAAC,MAAM,CAAC;AACzB,CAAC"}

package/dist/cjs/util.d.ts

@@ -1,7 +1,8 @@
 import { ResourceType } from '@cloud-copilot/iam-data';
 import { AwsRequest } from './request/request.js';
-interface StringReplaceOptions {
+export interface StringReplaceOptions {
     replaceWildcards: boolean;
+    convertToRegex: boolean;
 }
 /**
  * This will convert a string to a regex that can be used to match against a string.
@@ -11,7 +12,14 @@ interface StringReplaceOptions {
  * @param requestContext the request context to get the variable values from
  * @returns a regex that can be used to match against a string
  */
-export declare function convertIamStringToRegex(value: string, request: AwsRequest, replaceOptions?: Partial<StringReplaceOptions>): RegExp;
+export declare function convertIamString(value: string, request: AwsRequest, replaceOptions: {
+    replaceWildcards?: boolean;
+    convertToRegex: false;
+}): string;
+export declare function convertIamString(value: string, request: AwsRequest, replaceOptions?: Partial<StringReplaceOptions>): {
+    pattern: RegExp;
+    errors?: string[];
+};
 export interface ArnParts {
     partition: string | undefined;
     service: string | undefined;
@@ -89,5 +97,25 @@ export declare function lowerCaseAll(strings: string[]): string[];
  * @returns the variables in the string, if any
  */
 export declare function getVariablesFromString(value: string): string[];
-export {};
+/**
+ * Tests if a principal string is an assumed role ARN
+ *
+ * @param principal the principal string to test
+ * @returns true if the principal is an assumed role ARN, false otherwise
+ */
+export declare function isAssumedRoleArn(principal: string): boolean;
+/**
+ * Test if a principal string is an IAM user ARN
+ *
+ * @param principal the principal string to test
+ * @returns true if the principal is an IAM user ARN, false otherwise
+ */
+export declare function isIamUserArn(principal: string): boolean;
+/**
+ * Test if a principal string is a federated user ARN
+ *
+ * @param principal the principal string to test
+ * @returns true if the principal is a federated user ARN, false otherwise
+ */
+export declare function isFederatedUserArn(principal: string): boolean;
 //# sourceMappingURL=util.d.ts.map

package/dist/cjs/util.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"util.d.ts","sourceRoot":"","sources":["../../src/util.ts"],"names":[],"mappings":"AAAA,OAAO,EAA4C,YAAY,EAAE,MAAM,yBAAyB,CAAA;AAChG,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAA;AAIjD,UAAU,oBAAoB;IAC5B,gBAAgB,EAAE,OAAO,CAAA;CAC1B;AAMD;;;;;;;GAOG;AACH,wBAAgB,uBAAuB,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,cAAc,CAAC,EAAE,OAAO,CAAC,oBAAoB,CAAC,GAAG,MAAM,CA4DlI;AA8CD,MAAM,WAAW,QAAQ;IACvB,SAAS,EAAE,MAAM,GAAG,SAAS,CAAA;IAC7B,OAAO,EAAE,MAAM,GAAG,SAAS,CAAA;IAC3B,MAAM,EAAE,MAAM,GAAG,SAAS,CAAA;IAC1B,SAAS,EAAE,MAAM,GAAG,SAAS,CAAA;IAC7B,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAA;IAC5B,YAAY,EAAE,MAAM,GAAG,SAAS,CAAA;IAChC,YAAY,EAAE,MAAM,GAAG,SAAS,CAAA;CACjC;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,QAAQ,CAyBnD;AAED;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAgBtE;AAED;;;;;GAKG;AACH,wBAAgB,SAAS,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,GAAG,SAAS,GAAG,KAAK,IAAI,CAAC,CAE7D;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,GAAG,SAAS,GAAG,KAAK,IAAI,SAAS,CAExE;AAED;;;;;;;GAOG;AACH,wBAAsB,oBAAoB,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAG5F;AAED;;;;;;;GAOG;AACH,wBAAsB,yBAAyB,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,CAiB1H;AAED;;;;;GAKG;AACH,wBAAgB,6BAA6B,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAOrE;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE,CAExD;AAED;;;;;GAKG;AACH,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,EAAE,CAY9D"}
+{"version":3,"file":"util.d.ts","sourceRoot":"","sources":["../../src/util.ts"],"names":[],"mappings":"AAAA,OAAO,EAA4C,YAAY,EAAE,MAAM,yBAAyB,CAAA;AAChG,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAA;AAIjD,MAAM,WAAW,oBAAoB;IACnC,gBAAgB,EAAE,OAAO,CAAA;IACzB,cAAc,EAAE,OAAO,CAAA;CACxB;AAOD;;;;;;;GAOG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE;IAAC,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAAC,cAAc,EAAE,KAAK,CAAA;CAAC,GAAG,MAAM,CAAC;AAClJ,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,cAAc,CAAC,EAAE,OAAO,CAAC,oBAAoB,CAAC,GAAG;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAAC,CAAC;AA4H3J,MAAM,WAAW,QAAQ;IACvB,SAAS,EAAE,MAAM,GAAG,SAAS,CAAA;IAC7B,OAAO,EAAE,MAAM,GAAG,SAAS,CAAA;IAC3B,MAAM,EAAE,MAAM,GAAG,SAAS,CAAA;IAC1B,SAAS,EAAE,MAAM,GAAG,SAAS,CAAA;IAC7B,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAA;IAC5B,YAAY,EAAE,MAAM,GAAG,SAAS,CAAA;IAChC,YAAY,EAAE,MAAM,GAAG,SAAS,CAAA;CACjC;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,QAAQ,CAyBnD;AAED;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAgBtE;AAED;;;;;GAKG;AACH,wBAAgB,SAAS,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,GAAG,SAAS,GAAG,KAAK,IAAI,CAAC,CAE7D;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,GAAG,SAAS,GAAG,KAAK,IAAI,SAAS,CAExE;AAED;;;;;;;GAOG;AACH,wBAAsB,oBAAoB,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAG5F;AAED;;;;;;;GAOG;AACH,wBAAsB,yBAAyB,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,CAiB1H;AAED;;;;;GAKG;AACH,wBAAgB,6BAA6B,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAOrE;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE,CAExD;AAED;;;;;GAKG;AACH,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,EAAE,CAY9D;AAID;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAE3D;AAID;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAEvD;AAID;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAE7D"}