npm - @cloud-copilot/iam-simulate - Versions diffs - 0.1.12 → 0.1.14 - Mend

@cloud-copilot/iam-simulate 0.1.12 → 0.1.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (329) hide show

package/dist/esm/condition/arn/arn.d.ts ADDED Viewed

@@ -0,0 +1,12 @@
+import { ConditionValueExplain } from "../../explain/statementExplain.js";
+import { AwsRequest } from "../../request/request.js";
+/**
+ * Checks to see if a single ARN matches in ArnLike format
+ *
+ * @param policyArn the ARN to check against
+ * @param requestArn the ARN to check
+ * @param request the request to check
+ * @returns if the ARN matches
+ */
+export declare function arnMatches(policyArn: string, requestArn: string, request: AwsRequest, expectMatch: boolean): ConditionValueExplain;
+//# sourceMappingURL=arn.d.ts.map

package/dist/esm/condition/arn/arn.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"arn.d.ts","sourceRoot":"","sources":["../../../../src/condition/arn/arn.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,qBAAqB,EAAE,MAAM,mCAAmC,CAAA;AACzE,OAAO,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAA;AAGrD;;;;;;;GAOG;AACH,wBAAgB,UAAU,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,OAAO,GAAG,qBAAqB,CA6DlI"}

package/dist/esm/condition/arn/arn.js ADDED Viewed

@@ -0,0 +1,65 @@
+import { convertIamString, isNotDefined, splitArnParts } from "../../util.js";
+/**
+ * Checks to see if a single ARN matches in ArnLike format
+ *
+ * @param policyArn the ARN to check against
+ * @param requestArn the ARN to check
+ * @param request the request to check
+ * @returns if the ARN matches
+ */
+export function arnMatches(policyArn, requestArn, request, expectMatch) {
+    const policyParts = splitArnParts(policyArn);
+    const requestParts = splitArnParts(requestArn);
+    // If any of the parts are missing, return false
+    if (isNotDefined(policyParts.partition) ||
+        isNotDefined(policyParts.service) ||
+        isNotDefined(policyParts.region) ||
+        isNotDefined(policyParts.accountId) ||
+        isNotDefined(policyParts.resource)) {
+        return {
+            matches: false,
+            value: policyArn,
+            errors: ['Invalid ARN']
+        };
+    }
+    const resolvedPolicyArn = [
+        'arn',
+        policyParts.partition,
+        policyParts.service,
+        policyParts.region,
+        policyParts.accountId,
+        policyParts.resource
+    ].map(part => convertIamString(part, request, { convertToRegex: false, replaceWildcards: false })).join(':');
+    const resolvedValue = resolvedPolicyArn == policyArn ? undefined : resolvedPolicyArn;
+    // If any of the parts are missing, return false
+    if (isNotDefined(requestParts.partition) ||
+        isNotDefined(requestParts.service) ||
+        isNotDefined(requestParts.region) ||
+        isNotDefined(requestParts.accountId) ||
+        isNotDefined(requestParts.resource)) {
+        return {
+            matches: false,
+            value: policyArn,
+            resolvedValue,
+            errors: [`request ARN '${requestArn}' is not a valid ARN`]
+        };
+    }
+    const allErrors = [];
+    const replaceAndMatch = (policyPart, requestPart) => {
+        const { pattern, errors } = convertIamString(policyPart, request, { replaceWildcards: true });
+        allErrors.push(...(errors || []));
+        return pattern.test(requestPart);
+    };
+    const matches = replaceAndMatch(policyParts.partition, requestParts.partition) &&
+        replaceAndMatch(policyParts.service, requestParts.service) &&
+        replaceAndMatch(policyParts.region, requestParts.region) &&
+        replaceAndMatch(policyParts.accountId, requestParts.accountId) &&
+        replaceAndMatch(policyParts.resource, requestParts.resource);
+    return {
+        matches: matches == expectMatch && allErrors.length == 0,
+        value: policyArn,
+        resolvedValue,
+        errors: allErrors.length > 0 ? allErrors : undefined
+    };
+}
+//# sourceMappingURL=arn.js.map

package/dist/esm/condition/arn/arn.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"arn.js","sourceRoot":"","sources":["../../../../src/condition/arn/arn.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,eAAe,CAAA;AAE7E;;;;;;;GAOG;AACH,MAAM,UAAU,UAAU,CAAC,SAAiB,EAAE,UAAkB,EAAE,OAAmB,EAAE,WAAoB;IACzG,MAAM,WAAW,GAAG,aAAa,CAAC,SAAS,CAAC,CAAA;IAC5C,MAAM,YAAY,GAAG,aAAa,CAAC,UAAU,CAAC,CAAA;IAC9C,gDAAgD;IAChD,IAAG,YAAY,CAAC,WAAW,CAAC,SAAS,CAAC;QACnC,YAAY,CAAC,WAAW,CAAC,OAAO,CAAC;QACjC,YAAY,CAAC,WAAW,CAAC,MAAM,CAAC;QAChC,YAAY,CAAC,WAAW,CAAC,SAAS,CAAC;QACnC,YAAY,CAAC,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC;QACtC,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,SAAS;YAChB,MAAM,EAAE,CAAC,aAAa,CAAC;SACxB,CAAA;IACH,CAAC;IAED,MAAM,iBAAiB,GAAG;QACxB,KAAK;QACL,WAAW,CAAC,SAAS;QACrB,WAAW,CAAC,OAAO;QACnB,WAAW,CAAC,MAAM;QAClB,WAAW,CAAC,SAAS;QACrB,WAAW,CAAC,QAAQ;KACrB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,gBAAgB,CAAC,IAAI,EAAE,OAAO,EAAE,EAAC,cAAc,EAAE,KAAK,EAAE,gBAAgB,EAAE,KAAK,EAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IAE1G,MAAM,aAAa,GAAG,iBAAiB,IAAI,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,iBAAiB,CAAA;IAEpF,gDAAgD;IAChD,IAAG,YAAY,CAAC,YAAY,CAAC,SAAS,CAAC;QACpC,YAAY,CAAC,YAAY,CAAC,OAAO,CAAC;QAClC,YAAY,CAAC,YAAY,CAAC,MAAM,CAAC;QACjC,YAAY,CAAC,YAAY,CAAC,SAAS,CAAC;QACpC,YAAY,CAAC,YAAY,CAAC,QAAQ,CAAC,EAAE,CAAC;QACvC,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,SAAS;YAChB,aAAa;YACb,MAAM,EAAE,CAAC,gBAAgB,UAAU,sBAAsB,CAAC;SAC3D,CAAA;IACH,CAAC;IAED,MAAM,SAAS,GAAa,EAAE,CAAA;IAC9B,MAAM,eAAe,GAAG,CAAC,UAAkB,EAAE,WAAmB,EAAW,EAAE;QAC3E,MAAM,EAAC,OAAO,EAAE,MAAM,EAAC,GAAG,gBAAgB,CAAC,UAAU,EAAE,OAAO,EAAE,EAAC,gBAAgB,EAAE,IAAI,EAAC,CAAC,CAAA;QACzF,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,CAAA;QACjC,OAAO,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;IAClC,CAAC,CAAA;IAGD,MAAM,OAAO,GAAG,eAAe,CAAC,WAAW,CAAC,SAAS,EAAE,YAAY,CAAC,SAAS,CAAC;QAC9D,eAAe,CAAC,WAAW,CAAC,OAAO,EAAE,YAAY,CAAC,OAAO,CAAC;QAC1D,eAAe,CAAC,WAAW,CAAC,MAAM,EAAE,YAAY,CAAC,MAAM,CAAC;QACxD,eAAe,CAAC,WAAW,CAAC,SAAS,EAAE,YAAY,CAAC,SAAS,CAAC;QAC9D,eAAe,CAAC,WAAW,CAAC,QAAQ,EAAE,YAAY,CAAC,QAAQ,CAAC,CAAA;IAE5E,OAAO;QACL,OAAO,EAAE,OAAO,IAAI,WAAW,IAAI,SAAS,CAAC,MAAM,IAAI,CAAC;QACxD,KAAK,EAAE,SAAS;QAChB,aAAa;QACb,MAAM,EAAE,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;KACrD,CAAA;AACH,CAAC"}

package/dist/esm/condition/baseConditionperatorTests.d.ts CHANGED Viewed

@@ -2,11 +2,17 @@ import { BaseConditionOperator } from "./BaseConditionOperator.js";
 export interface BaseOperatorTest {
     name: string;
     requestContext?: {
-        [key: string]: string;
+        [key: string]: string | string[];
     };
     policyValues: string[];
     testValue: string;
     expected: boolean;
+    explains?: {
+        value: string;
+        matches: boolean;
+        resolvedValue?: string;
+        errors?: string[];
+    }[];
 }
 export declare function testOperator(name: string, tests: BaseOperatorTest[], operator: BaseConditionOperator): void;
 //# sourceMappingURL=baseConditionperatorTests.d.ts.map

package/dist/esm/condition/baseConditionperatorTests.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"baseConditionperatorTests.d.ts","sourceRoot":"","sources":["../../../src/condition/baseConditionperatorTests.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAA;AAElE,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAA;IACZ,cAAc,CAAC,EAAE;QAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,CAAA;~~IAC1C~~,YAAY,EAAE,MAAM,EAAE,CAAA;IACtB,SAAS,EAAE,MAAM,CAAA;IACjB,QAAQ,EAAE,OAAO,CAAA;~~CAClB~~;AAED,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,gBAAgB,EAAE,EAAE,QAAQ,EAAE,qBAAqB,~~QAcpG~~"}
1	+ {"version":3,"file":"baseConditionperatorTests.d.ts","sourceRoot":"","sources":["../../../src/condition/baseConditionperatorTests.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAA;AAElE,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAA;IACZ,cAAc,CAAC,EAAE;QAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,EAAE,CAAA;KAAE,CAAA;IACrD,YAAY,EAAE,MAAM,EAAE,CAAA;IACtB,SAAS,EAAE,MAAM,CAAA;IACjB,QAAQ,EAAE,OAAO,CAAC;IAClB,QAAQ,CAAC,EAAE;QACT,KAAK,EAAE,MAAM,CAAA;QACb,OAAO,EAAE,OAAO,CAAA;QAChB,aAAa,CAAC,EAAE,MAAM,CAAA;QACtB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;KAClB,EAAE,CAAA;CACJ;AAED,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,gBAAgB,EAAE,EAAE,QAAQ,EAAE,qBAAqB,QA6BpG"}

package/dist/esm/condition/baseConditionperatorTests.js CHANGED Viewed

@@ -10,7 +10,23 @@ export function testOperator(name, tests, operator) {
                 //When the condition is evaluated
                 const result = operator.matches(request, test.testValue, test.policyValues);
                 //Then the result should be as expected
-                expect(result).toBe(test.expected);
+                expect(result.matches).toBe(test.expected);
+                if (test.explains) {
+                    for (const explain of test.explains) {
+                        const found = result.explains.find(e => e.value === explain.value);
+                        expect(found, `Missing explain for ${explain.value}`).toBeDefined();
+                        expect(found?.matches, `${explain.value} match`).toBe(explain.matches);
+                        if (explain.resolvedValue) {
+                            expect(found?.resolvedValue, `${explain.value} resolved value`).toBe(explain.resolvedValue);
+                        }
+                        else {
+                            expect(found?.resolvedValue, `${explain.value} resolved value to be undefined`).toBeUndefined();
+                        }
+                        if (explain.errors) {
+                            expect(found?.errors, `${explain.value} errors`).toEqual(explain.errors.sort());
+                        }
+                    }
+                }
             });
         }
     });

package/dist/esm/condition/baseConditionperatorTests.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"baseConditionperatorTests.js","sourceRoot":"","sources":["../../../src/condition/baseConditionperatorTests.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;AACzC,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAA;AACtD,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAA;~~AAWzD~~,MAAM,UAAU,YAAY,CAAC,IAAY,EAAE,KAAyB,EAAE,QAA+B;IACnG,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,EAAE;QAClB,KAAI,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACxB,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE;gBACjB,mBAAmB;gBACnB,MAAM,OAAO,GAAG,IAAI,cAAc,CAAC,EAAE,EAAE,EAAC,QAAQ,EAAE,EAAE,EAAE,SAAS,EAAE,EAAE,EAAC,EAAE,EAAE,EAAE,IAAI,kBAAkB,CAAC,IAAI,CAAC,cAAc,IAAI,EAAE,CAAC,CAAC,CAAA;gBAC5H,iCAAiC;gBACjC,MAAM,MAAM,GAAG,QAAQ,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,YAAY,CAAC,CAAA;gBAE3E,uCAAuC;gBACvC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;~~YACpC~~,CAAC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC,CAAC,CAAA;AACJ,CAAC"}
1	+ {"version":3,"file":"baseConditionperatorTests.js","sourceRoot":"","sources":["../../../src/condition/baseConditionperatorTests.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;AACzC,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAA;AACtD,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAA;AAiBzD,MAAM,UAAU,YAAY,CAAC,IAAY,EAAE,KAAyB,EAAE,QAA+B;IACnG,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,EAAE;QAClB,KAAI,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACxB,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE;gBACjB,mBAAmB;gBACnB,MAAM,OAAO,GAAG,IAAI,cAAc,CAAC,EAAE,EAAE,EAAC,QAAQ,EAAE,EAAE,EAAE,SAAS,EAAE,EAAE,EAAC,EAAE,EAAE,EAAE,IAAI,kBAAkB,CAAC,IAAI,CAAC,cAAc,IAAI,EAAE,CAAC,CAAC,CAAA;gBAC5H,iCAAiC;gBACjC,MAAM,MAAM,GAAG,QAAQ,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,YAAY,CAAC,CAAA;gBAE3E,uCAAuC;gBACvC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;gBAC1C,IAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;oBACjB,KAAI,MAAM,OAAO,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;wBACnC,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,OAAO,CAAC,KAAK,CAAC,CAAA;wBAClE,MAAM,CAAC,KAAK,EAAE,uBAAuB,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC,WAAW,EAAE,CAAA;wBACnE,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;wBACtE,IAAG,OAAO,CAAC,aAAa,EAAE,CAAC;4BACzB,MAAM,CAAC,KAAK,EAAE,aAAa,EAAE,GAAG,OAAO,CAAC,KAAK,iBAAiB,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,CAAA;wBAC7F,CAAC;6BAAM,CAAC;4BACN,MAAM,CAAC,KAAK,EAAE,aAAa,EAAE,GAAG,OAAO,CAAC,KAAK,iCAAiC,CAAC,CAAC,aAAa,EAAE,CAAA;wBACjG,CAAC;wBACD,IAAG,OAAO,CAAC,MAAM,EAAE,CAAC;4BAClB,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,KAAK,SAAS,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAA;wBACjF,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC,CAAC,CAAA;AACJ,CAAC"}

package/dist/esm/condition/binary/BinaryEquals.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"BinaryEquals.d.ts","sourceRoot":"","sources":["../../../../src/condition/binary/BinaryEquals.ts"],"names":[],"mappings":"~~AAAA~~,OAAO,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAC;~~AAEpE~~;;;GAGG;AACH,eAAO,MAAM,YAAY,EAAE,~~qBAO1B~~,CAAA"}
1	+ {"version":3,"file":"BinaryEquals.d.ts","sourceRoot":"","sources":["../../../../src/condition/binary/BinaryEquals.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAC;AAGpE;;;GAGG;AACH,eAAO,MAAM,YAAY,EAAE,qBAmB1B,CAAA"}

package/dist/esm/condition/binary/BinaryEquals.js CHANGED Viewed

@@ -1,3 +1,4 @@
+import { resolvedValue } from "../conditionUtil.js";
 /**
  * For Binary we don't really have the ability to accept binary
  * values right now, so just do a string match.
@@ -5,9 +6,20 @@
 export const BinaryEquals = {
     name: 'BinaryEquals',
     matches: (request, keyValue, policyValues) => {
-        return policyValues.includes(keyValue);
+        const explains = policyValues.map((policyValue) => {
+            return {
+                value: policyValue,
+                matches: policyValue === keyValue,
+                resolvedValue: resolvedValue(policyValue, request),
+            };
+        });
+        return {
+            matches: explains.some((explain) => explain.matches),
+            explains
+        };
     },
     allowsVariables: true,
-    allowsWildcards: false
+    allowsWildcards: false,
+    isNegative: false
 };
 //# sourceMappingURL=BinaryEquals.js.map

package/dist/esm/condition/binary/BinaryEquals.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"BinaryEquals.js","sourceRoot":"","sources":["../../../../src/condition/binary/BinaryEquals.ts"],"names":[],"mappings":"AAEA;;;GAGG;AACH,MAAM,CAAC,MAAM,YAAY,GAA0B;IACjD,IAAI,EAAE,cAAc;IACpB,OAAO,EAAE,CAAC,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,EAAE;QAC3C,~~OAAO~~,YAAY,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;~~IACzC~~,CAAC;IACD,eAAe,EAAE,IAAI;IACrB,eAAe,EAAE,KAAK;~~CACvB~~,CAAA"}
1	+ {"version":3,"file":"BinaryEquals.js","sourceRoot":"","sources":["../../../../src/condition/binary/BinaryEquals.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAEpD;;;GAGG;AACH,MAAM,CAAC,MAAM,YAAY,GAA0B;IACjD,IAAI,EAAE,cAAc;IACpB,OAAO,EAAE,CAAC,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,EAAE;QAC3C,MAAM,QAAQ,GAA4B,YAAY,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,EAAE;YACzE,OAAO;gBACL,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,WAAW,KAAK,QAAQ;gBACjC,aAAa,EAAE,aAAa,CAAC,WAAW,EAAE,OAAO,CAAC;aACnD,CAAA;QACH,CAAC,CAAC,CAAA;QAEF,OAAO;YACL,OAAO,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC;YACpD,QAAQ;SACT,CAAA;IACH,CAAC;IACD,eAAe,EAAE,IAAI;IACrB,eAAe,EAAE,KAAK;IACtB,UAAU,EAAE,KAAK;CAClB,CAAA"}

package/dist/esm/condition/boolean/Bool.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"Bool.d.ts","sourceRoot":"","sources":["../../../../src/condition/boolean/Bool.ts"],"names":[],"mappings":"~~AACA~~,OAAO,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAC;AAEpE,eAAO,MAAM,IAAI,EAAE,~~qBAclB~~,CAAA"}
1	+ {"version":3,"file":"Bool.d.ts","sourceRoot":"","sources":["../../../../src/condition/boolean/Bool.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAC;AAEpE,eAAO,MAAM,IAAI,EAAE,qBAiDlB,CAAA"}

package/dist/esm/condition/boolean/Bool.js CHANGED Viewed

@@ -1,17 +1,46 @@
-import { convertIamStringToRegex } from "../../util.js";
+import { convertIamString } from "../../util.js";
 export const Bool = {
     name: 'Bool',
     matches: (request, keyValue, policyValues) => {
-        return policyValues.some(policyValue => {
-            const pattern = convertIamStringToRegex(policyValue, request, { replaceWildcards: false });
-            const lowercasePattern = pattern.source.toLowerCase();
-            if (lowercasePattern != '^true$' && lowercasePattern != '^false$') {
-                return false;
+        const explains = policyValues.map(policyValue => {
+            const { pattern, errors } = convertIamString(policyValue, request, { replaceWildcards: false });
+            if (errors && errors.length > 0) {
+                return {
+                    value: policyValue,
+                    matches: false,
+                    errors
+                };
             }
-            return new RegExp(pattern, 'i').test(keyValue);
+            const resolvedValue = convertIamString(policyValue, request, { replaceWildcards: false, convertToRegex: false });
+            const lowercaseResolvedValue = resolvedValue.toLowerCase();
+            if (lowercaseResolvedValue != 'true' && lowercaseResolvedValue != 'false') {
+                return {
+                    matches: false,
+                    value: policyValue,
+                    errors: ['Invalid boolean pattern'],
+                    resolvedValue: resolvedValue == policyValue ? undefined : resolvedValue
+                };
+            }
+            if (keyValue.toLowerCase() != 'true' && keyValue.toLowerCase() != 'false') {
+                return {
+                    matches: false,
+                    value: policyValue,
+                    errors: [`request value '${keyValue}' is not a boolean`],
+                };
+            }
+            return {
+                matches: new RegExp(pattern, 'i').test(keyValue),
+                value: policyValue,
+                resolvedValue: resolvedValue == policyValue ? undefined : resolvedValue
+            };
         });
+        return {
+            matches: explains.some(explain => explain.matches),
+            explains
+        };
     },
     allowsVariables: true,
-    allowsWildcards: false
+    allowsWildcards: false,
+    isNegative: false
 };
 //# sourceMappingURL=Bool.js.map

package/dist/esm/condition/boolean/Bool.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"Bool.js","sourceRoot":"","sources":["../../../../src/condition/boolean/Bool.ts"],"names":[],"mappings":"~~AAAA~~,OAAO,EAAE,~~uBAAuB~~,EAAE,MAAM,eAAe,CAAC;~~AAGxD~~,MAAM,CAAC,MAAM,IAAI,GAA0B;IACzC,IAAI,EAAE,MAAM;IACZ,OAAO,EAAE,CAAC,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,EAAE;~~QAC3C~~,~~OAAO~~,YAAY,CAAC,~~IAAI~~,CAAC,WAAW,CAAC,EAAE;~~YACrC~~,MAAM,OAAO,GAAG,~~uBAAuB~~,CAAC,WAAW,EAAE,OAAO,EAAE,EAAC,gBAAgB,EAAE,KAAK,EAAC,CAAC,CAAA;~~YACxF~~,MAAM,~~gBAAgB~~,GAAG,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,CAAA;~~YACrD~~,IAAG,~~gBAAgB~~,IAAI,~~QAAQ~~,IAAI,~~gBAAgB~~,IAAI,SAAS,EAAE,CAAC;~~gBACjE~~,OAAO,KAAK,CAAA;~~YACd~~,CAAC;~~YACD~~,OAAO,IAAI,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;~~QAChD~~,CAAC,CAAC,CAAA;~~IACJ~~,CAAC;IACD,eAAe,EAAE,IAAI;IACrB,eAAe,EAAE,KAAK;~~CACvB~~,CAAA"}
1	+ {"version":3,"file":"Bool.js","sourceRoot":"","sources":["../../../../src/condition/boolean/Bool.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AAGjD,MAAM,CAAC,MAAM,IAAI,GAA0B;IACzC,IAAI,EAAE,MAAM;IACZ,OAAO,EAAE,CAAC,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,EAAE;QAE3C,MAAM,QAAQ,GAA4B,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE;YACvE,MAAM,EAAC,OAAO,EAAE,MAAM,EAAC,GAAG,gBAAgB,CAAC,WAAW,EAAE,OAAO,EAAE,EAAC,gBAAgB,EAAE,KAAK,EAAC,CAAC,CAAA;YAC3F,IAAG,MAAM,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC/B,OAAO;oBACL,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,KAAK;oBACd,MAAM;iBACP,CAAA;YACH,CAAC;YAED,MAAM,aAAa,GAAG,gBAAgB,CAAC,WAAW,EAAE,OAAO,EAAE,EAAC,gBAAgB,EAAE,KAAK,EAAE,cAAc,EAAE,KAAK,EAAC,CAAC,CAAA;YAC9G,MAAM,sBAAsB,GAAG,aAAa,CAAC,WAAW,EAAE,CAAA;YAE1D,IAAG,sBAAsB,IAAI,MAAM,IAAI,sBAAsB,IAAI,OAAO,EAAE,CAAC;gBACzE,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,WAAW;oBAClB,MAAM,EAAE,CAAC,yBAAyB,CAAC;oBACnC,aAAa,EAAE,aAAa,IAAI,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,aAAa;iBACxE,CAAA;YACH,CAAC;YAED,IAAG,QAAQ,CAAC,WAAW,EAAE,IAAI,MAAM,IAAI,QAAQ,CAAC,WAAW,EAAE,IAAI,OAAO,EAAE,CAAC;gBACzE,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,WAAW;oBAClB,MAAM,EAAE,CAAC,kBAAkB,QAAQ,oBAAoB,CAAC;iBACzD,CAAA;YACH,CAAC;YAED,OAAO;gBACL,OAAO,EAAE,IAAI,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAChD,KAAK,EAAE,WAAW;gBAClB,aAAa,EAAE,aAAa,IAAI,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,aAAa;aACxE,CAAA;QACH,CAAC,CAAC,CAAA;QAEF,OAAO;YACL,OAAO,EAAE,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC;YAClD,QAAQ;SACT,CAAA;IACH,CAAC;IACD,eAAe,EAAE,IAAI;IACrB,eAAe,EAAE,KAAK;IACtB,UAAU,EAAE,KAAK;CAClB,CAAA"}

package/dist/esm/condition/condition.d.ts CHANGED Viewed

@@ -1,6 +1,49 @@
 import { Condition } from '@cloud-copilot/iam-policy';
+import { ConditionExplain, StatementExplain } from '../explain/statementExplain.js';
 import { AwsRequest } from '../request/request';
-export type ConditionMatchResult = 'Match' | 'NoMatch' | 'Unknown';
-export declare function requestMatchesConditions(request: AwsRequest, conditions: Condition[]): ConditionMatchResult;
-export declare function singleConditionMatchesRequest(request: AwsRequest, condition: Condition): ConditionMatchResult;
+import { ContextKey } from '../requestContext.js';
+import { BaseConditionOperator } from './BaseConditionOperator.js';
+export type ConditionMatchResult = 'Match' | 'NoMatch';
+/**
+ * Evaluate a set of conditions against a request
+ *
+ * @param request the request to test
+ * @param conditions the conditions to test
+ * @returns Match if all conditions match, NoMatch if any do not. Also returns all the details of the evaluation
+ */
+export declare function requestMatchesConditions(request: AwsRequest, conditions: Condition[]): {
+    matches: ConditionMatchResult;
+    details: Pick<StatementExplain, 'conditions'>;
+};
+/**
+ * Checks to see if a single condition matches a request
+ *
+ * @param request the request to test
+ * @param condition the condition to test
+ * @returns the result of evaluating the condition
+ */
+export declare function singleConditionMatchesRequest(request: AwsRequest, condition: Condition): ConditionExplain;
+export declare function singleValueMatch(request: AwsRequest, condition: Condition, baseOperation: BaseConditionOperator, keyValue: ContextKey | undefined): ConditionExplain;
+/**
+ * Tests a condition with a ForAllValues set operator
+ *
+ * @param request the request to test
+ * @param condition the condition with ForAllValues set operator
+ * @param keyExists whether the key exists in the request
+ * @param keyValue the value of the key in the request
+ * @param baseOperation the base operation to test the key against
+ * @returns the result of evaluating the ForAllValues set operator
+ */
+export declare function forAllValuesMatch(request: AwsRequest, condition: Condition, keyValue: ContextKey | undefined, baseOperation: BaseConditionOperator): ConditionExplain;
+/**
+ * Test a condition with a ForAnyValue set operator
+ *
+ * @param request the request to test
+ * @param condition the condition with ForAnyValue set operator
+ * @param keyExists whether the key exists in the request
+ * @param keyValue the value of the key in the request
+ * @param baseOperation the base operation to test the key against
+ * @returns the result of evaluating the ForAnyValue set operator
+ */
+export declare function forAnyValueMatch(request: AwsRequest, condition: Condition, keyValue: ContextKey | undefined, baseOperation: BaseConditionOperator): ConditionExplain;
 //# sourceMappingURL=condition.d.ts.map

package/dist/esm/condition/condition.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"condition.d.ts","sourceRoot":"","sources":["../../../src/condition/condition.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;~~AA4BhD~~,MAAM,MAAM,oBAAoB,GAAG,OAAO,GAAG,SAAS,~~GAAG,SAAS,~~CAAA;~~AAiBlE~~,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,oBAAoB,~~CAW3G~~;AAED,wBAAgB,6BAA6B,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,GAAG,~~oBAAoB~~,~~CAiE7G~~"}
1	+ {"version":3,"file":"condition.d.ts","sourceRoot":"","sources":["../../../src/condition/condition.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,gBAAgB,EAAyB,gBAAgB,EAAE,MAAM,gCAAgC,CAAC;AAC3G,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAKlD,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AAuBnE,MAAM,MAAM,oBAAoB,GAAG,OAAO,GAAG,SAAS,CAAA;AAiBtD;;;;;;GAMG;AACH,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG;IAAE,OAAO,EAAE,oBAAoB,CAAC;IAAC,OAAO,EAAE,IAAI,CAAC,gBAAgB,EAAE,YAAY,CAAC,CAAA;CAAE,CASvK;AAED;;;;;;GAMG;AACH,wBAAgB,6BAA6B,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,GAAG,gBAAgB,CAuBzG;AA0BD,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,UAAU,EACnB,SAAS,EAAE,SAAS,EACpB,aAAa,EAAE,qBAAqB,EACpC,QAAQ,EAAE,UAAU,GAAG,SAAS,GAAG,gBAAgB,CA8CnF;AAED;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,UAAU,EACnB,SAAS,EAAE,SAAS,EACpB,QAAQ,EAAE,UAAU,GAAG,SAAS,EAChC,aAAa,EAAE,qBAAqB,GAAG,gBAAgB,CA+ExF;AAED;;;;;;;;;GASG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,UAAU,EACnB,SAAS,EAAE,SAAS,EACpB,QAAQ,EAAE,UAAU,GAAG,SAAS,EAChC,aAAa,EAAE,qBAAqB,GAAG,gBAAgB,CAiEvF"}

package/dist/esm/condition/condition.js CHANGED Viewed

@@ -36,22 +36,33 @@ const baseOperations = {};
 for (const operator of allOperators) {
     baseOperations[operator.name.toLowerCase()] = operator;
 }
+/**
+ * Evaluate a set of conditions against a request
+ *
+ * @param request the request to test
+ * @param conditions the conditions to test
+ * @returns Match if all conditions match, NoMatch if any do not. Also returns all the details of the evaluation
+ */
 export function requestMatchesConditions(request, conditions) {
     const results = conditions.map(condition => singleConditionMatchesRequest(request, condition));
-    const unknowns = results.filter(result => result === 'Unknown');
-    if (unknowns.length > 0) {
-        return 'Unknown';
-    }
-    const noMatches = results.filter(result => result === 'NoMatch');
-    if (noMatches.length > 0) {
-        return 'NoMatch';
-    }
-    return 'Match';
+    const nonMatch = results.some(result => !result.matches);
+    return {
+        matches: nonMatch ? 'NoMatch' : 'Match',
+        details: {
+            conditions: results
+        }
+    };
 }
+/**
+ * Checks to see if a single condition matches a request
+ *
+ * @param request the request to test
+ * @param condition the condition to test
+ * @returns the result of evaluating the condition
+ */
 export function singleConditionMatchesRequest(request, condition) {
     const key = condition.conditionKey();
-    const policyValues = condition.conditionValues();
-    const baseOperation = baseOperations[condition.operation().baseOperator().toLowerCase()]?.matches;
+    const baseOperation = baseOperations[condition.operation().baseOperator().toLowerCase()];
     const keyExists = request.contextKeyExists(key);
     const keyValue = keyExists ? request.getContextKeyValue(key) : undefined;
     if (condition.operation().value().toLowerCase() == 'null' || condition.operation().baseOperator()?.toLowerCase() == 'null') {
@@ -60,60 +71,240 @@ export function singleConditionMatchesRequest(request, condition) {
     if (condition.operation().setOperator()) {
         const setOperator = condition.operation().setOperator();
         if (setOperator === 'ForAnyValue') {
-            if (!keyExists || !keyValue || !keyValue.isArrayValue()) {
-                return 'NoMatch';
-            }
-            if (!baseOperation) {
-                return 'Unknown';
-            }
-            //Do the loop
-            const anyMatch = keyValue.values.some(value => {
-                return baseOperation(request, value, policyValues);
-            });
-            return anyMatch ? 'Match' : 'NoMatch';
+            return forAnyValueMatch(request, condition, keyValue, baseOperation);
         }
         else if (setOperator === 'ForAllValues') {
-            if (!keyExists) {
-                return 'Match';
-            }
-            if (!keyValue || !keyValue.isArrayValue()) {
-                return 'NoMatch';
-            }
-            if (!baseOperation) {
-                return 'Unknown';
-            }
-            //Do the loop
-            const anyNotMatch = keyValue.values.some(value => {
-                return !baseOperation(request, value, policyValues);
-            });
-            return anyNotMatch ? 'NoMatch' : 'Match';
+            return forAllValuesMatch(request, condition, keyValue, baseOperation);
         }
         else {
             throw new Error(`Unknown set operator: ${setOperator}`);
         }
     }
-    if (condition.operation().isIfExists() || condition.operation().baseOperator().toLowerCase().includes('not')) {
+    return singleValueMatch(request, condition, baseOperation, keyValue);
+}
+/**
+ * Tests a condition with a null operator
+ *
+ * @param condition the condition to test
+ * @param keyExists whether the key exists in the request
+ * @returns the result of evaluating the null operator
+ */
+function testNull(condition, keyExists) {
+    const goalValue = keyExists ? 'false' : 'true';
+    const conditionValues = condition.conditionValues().map(value => {
+        return {
+            value,
+            matches: value.toLowerCase() === goalValue
+        };
+    });
+    return {
+        operator: condition.operation().value(),
+        conditionKeyValue: condition.conditionKey(),
+        values: conditionValues,
+        matches: conditionValues.some(value => value.matches)
+    };
+}
+export function singleValueMatch(request, condition, baseOperation, keyValue) {
+    const isNotOperator = condition.operation().baseOperator().toLowerCase().includes('not');
+    if (condition.operation().isIfExists() || isNotOperator) {
         //Check if it exists, return true if it doesn't
         //Double check what happens here if the key is not a valid key or is of the wrong type
-        if (!keyExists) {
-            return 'Match';
+        if (!keyValue) {
+            return {
+                operator: condition.operation().value(),
+                conditionKeyValue: condition.conditionKey(),
+                values: [],
+                matches: true,
+                matchedBecauseMissing: true
+            };
         }
     }
     if (!keyValue || !keyValue.isStringValue()) {
         //Set operator is required for a multi-value key
-        return 'NoMatch';
+        return {
+            operator: condition.operation().value(),
+            conditionKeyValue: condition.conditionKey(),
+            values: [],
+            matches: false,
+            failedBecauseMissing: !keyValue,
+            failedBecauseArray: keyValue?.isArrayValue(),
+        };
     }
     if (!baseOperation) {
-        return 'Unknown';
+        return {
+            operator: condition.operation().value(),
+            conditionKeyValue: condition.conditionKey(),
+            values: [],
+            matches: false,
+            missingOperator: true
+        };
     }
-    const matches = baseOperation(request, keyValue.value, policyValues);
-    return matches ? 'Match' : 'NoMatch';
+    const { matches, explains } = baseOperation.matches(request, keyValue.value, condition.conditionValues());
+    return {
+        matches,
+        operator: condition.operation().value(),
+        conditionKeyValue: condition.conditionKey(),
+        values: condition.valueIsArray() ? explains : explains[0]
+    };
 }
-function testNull(condition, keyExists) {
-    const lowerCaseValues = condition.conditionValues().map(value => value.toLowerCase());
-    if (keyExists) {
-        return lowerCaseValues.includes('false') ? 'Match' : 'NoMatch';
+/**
+ * Tests a condition with a ForAllValues set operator
+ *
+ * @param request the request to test
+ * @param condition the condition with ForAllValues set operator
+ * @param keyExists whether the key exists in the request
+ * @param keyValue the value of the key in the request
+ * @param baseOperation the base operation to test the key against
+ * @returns the result of evaluating the ForAllValues set operator
+ */
+export function forAllValuesMatch(request, condition, keyValue, baseOperation) {
+    if (!keyValue) {
+        return {
+            operator: condition.operation().value(),
+            conditionKeyValue: condition.conditionKey(),
+            values: [],
+            matches: true,
+            matchedBecauseMissing: true
+        };
+        // return 'Match'
+    }
+    if (!keyValue || !keyValue.isArrayValue()) {
+        return {
+            operator: condition.operation().value(),
+            conditionKeyValue: condition.conditionKey(),
+            values: [],
+            matches: false,
+            failedBecauseMissing: !keyValue,
+            failedBecauseNotArray: !!keyValue && !keyValue.isArrayValue()
+        };
+        // return 'NoMatch'
+    }
+    if (!baseOperation) {
+        //TODO: This should return a nomatch rather than throw an error
+        return {
+            operator: condition.operation().value(),
+            conditionKeyValue: condition.conditionKey(),
+            values: [],
+            matches: false,
+            missingOperator: true
+        };
+    }
+    const valueExplains = keyValue.values.map(value => {
+        const { matches, explains } = baseOperation.matches(request, value, condition.conditionValues());
+        return {
+            requestValue: value,
+            matches,
+            explains
+        };
+    });
+    const anyNonMatches = valueExplains.some(valueExplain => !valueExplain.matches);
+    const overallMatch = !anyNonMatches;
+    const unmatchedValues = [];
+    const explains = {};
+    for (const valueExplain of valueExplains) {
+        if (!baseOperation.isNegative && !valueExplain.matches) {
+            unmatchedValues.push(valueExplain.requestValue);
+        }
+        else if (baseOperation.isNegative && valueExplain.matches) {
+            unmatchedValues.push(valueExplain.requestValue);
+        }
+        for (const explain of valueExplain.explains) {
+            let theExplain = explains[explain.value];
+            if (!theExplain) {
+                explains[explain.value] = {
+                    value: explain.value,
+                    matches: overallMatch
+                };
+                theExplain = explains[explain.value];
+            }
+            if (explain.matches && !baseOperation.isNegative) {
+                theExplain.matchingValues = theExplain.matchingValues || [];
+                theExplain.matchingValues.push(valueExplain.requestValue);
+            }
+            else if (!explain.matches && baseOperation.isNegative) {
+                theExplain.negativeMatchingValues = theExplain.negativeMatchingValues || [];
+                theExplain.negativeMatchingValues.push(valueExplain.requestValue);
+            }
+        }
+    }
+    return {
+        operator: condition.operation().value(),
+        conditionKeyValue: condition.conditionKey(),
+        values: Object.values(explains),
+        matches: overallMatch,
+        unmatchedValues
+    };
+}
+/**
+ * Test a condition with a ForAnyValue set operator
+ *
+ * @param request the request to test
+ * @param condition the condition with ForAnyValue set operator
+ * @param keyExists whether the key exists in the request
+ * @param keyValue the value of the key in the request
+ * @param baseOperation the base operation to test the key against
+ * @returns the result of evaluating the ForAnyValue set operator
+ */
+export function forAnyValueMatch(request, condition, keyValue, baseOperation) {
+    if (!keyValue || !keyValue.isArrayValue()) {
+        return {
+            operator: condition.operation().value(),
+            conditionKeyValue: condition.conditionKey(),
+            values: [],
+            matches: false,
+            failedBecauseMissing: !keyValue,
+            failedBecauseNotArray: keyValue && !keyValue.isArrayValue()
+        };
+        // return 'NoMatch'
+    }
+    if (!baseOperation) {
+        return {
+            operator: condition.operation().value(),
+            conditionKeyValue: condition.conditionKey(),
+            values: [],
+            matches: false,
+            missingOperator: true
+        };
+    }
+    const valueExplains = keyValue.values.map(value => {
+        const { matches, explains } = baseOperation.matches(request, value, condition.conditionValues());
+        return {
+            requestValue: value,
+            matches,
+            explains
+        };
+    });
+    const overallMatch = valueExplains.some(valueExplain => valueExplain.matches);
+    const unmatchedValues = [];
+    const explains = {};
+    for (const valueExplain of valueExplains) {
+        if (!baseOperation.isNegative && !valueExplain.matches) {
+            unmatchedValues.push(valueExplain.requestValue);
+        }
+        else if (baseOperation.isNegative && valueExplain.matches) {
+            unmatchedValues.push(valueExplain.requestValue);
+        }
+        for (const explain of valueExplain.explains) {
+            let theExplain = explains[explain.value];
+            if (!theExplain) {
+                explains[explain.value] = {
+                    value: explain.value,
+                    matches: overallMatch
+                };
+                theExplain = explains[explain.value];
+            }
+            if (explain.matches) {
+                theExplain.matchingValues = theExplain.matchingValues || [];
+                theExplain.matchingValues.push(valueExplain.requestValue);
+            }
+        }
     }
-    return lowerCaseValues.includes('true') ? 'Match' : 'NoMatch';
+    return {
+        operator: condition.operation().value(),
+        conditionKeyValue: condition.conditionKey(),
+        values: Object.values(explains),
+        matches: overallMatch,
+        unmatchedValues
+    };
 }
 //# sourceMappingURL=condition.js.map