@cloud-copilot/iam-simulate 0.1.13-1 → 0.1.14
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/StatementAnalysis.js +1 -1
- package/dist/cjs/StatementAnalysis.js.map +1 -1
- package/dist/cjs/action/action.js +1 -1
- package/dist/cjs/action/action.js.map +1 -1
- package/dist/cjs/condition/BaseConditionOperator.d.ts +6 -1
- package/dist/cjs/condition/BaseConditionOperator.d.ts.map +1 -1
- package/dist/cjs/condition/arn/ArnEquals.d.ts.map +1 -1
- package/dist/cjs/condition/arn/ArnEquals.js +2 -1
- package/dist/cjs/condition/arn/ArnEquals.js.map +1 -1
- package/dist/cjs/condition/arn/ArnLike.d.ts.map +1 -1
- package/dist/cjs/condition/arn/ArnLike.js +8 -40
- package/dist/cjs/condition/arn/ArnLike.js.map +1 -1
- package/dist/cjs/condition/arn/ArnNotEquals.d.ts.map +1 -1
- package/dist/cjs/condition/arn/ArnNotEquals.js +2 -1
- package/dist/cjs/condition/arn/ArnNotEquals.js.map +1 -1
- package/dist/cjs/condition/arn/ArnNotLike.d.ts.map +1 -1
- package/dist/cjs/condition/arn/ArnNotLike.js +8 -3
- package/dist/cjs/condition/arn/ArnNotLike.js.map +1 -1
- package/dist/cjs/condition/arn/arn.d.ts +12 -0
- package/dist/cjs/condition/arn/arn.d.ts.map +1 -0
- package/dist/cjs/condition/arn/arn.js +68 -0
- package/dist/cjs/condition/arn/arn.js.map +1 -0
- package/dist/cjs/condition/baseConditionperatorTests.d.ts +7 -1
- package/dist/cjs/condition/baseConditionperatorTests.d.ts.map +1 -1
- package/dist/cjs/condition/baseConditionperatorTests.js +17 -1
- package/dist/cjs/condition/baseConditionperatorTests.js.map +1 -1
- package/dist/cjs/condition/binary/BinaryEquals.d.ts.map +1 -1
- package/dist/cjs/condition/binary/BinaryEquals.js +14 -2
- package/dist/cjs/condition/binary/BinaryEquals.js.map +1 -1
- package/dist/cjs/condition/boolean/Bool.d.ts.map +1 -1
- package/dist/cjs/condition/boolean/Bool.js +36 -7
- package/dist/cjs/condition/boolean/Bool.js.map +1 -1
- package/dist/cjs/condition/condition.d.ts +39 -0
- package/dist/cjs/condition/condition.d.ts.map +1 -1
- package/dist/cjs/condition/condition.js +195 -112
- package/dist/cjs/condition/condition.js.map +1 -1
- package/dist/cjs/condition/conditionUtil.d.ts +10 -0
- package/dist/cjs/condition/conditionUtil.d.ts.map +1 -0
- package/dist/cjs/condition/conditionUtil.js +16 -0
- package/dist/cjs/condition/conditionUtil.js.map +1 -0
- package/dist/cjs/condition/date/DateEquals.d.ts.map +1 -1
- package/dist/cjs/condition/date/DateEquals.js +7 -2
- package/dist/cjs/condition/date/DateEquals.js.map +1 -1
- package/dist/cjs/condition/date/DateGreaterThan.d.ts.map +1 -1
- package/dist/cjs/condition/date/DateGreaterThan.js +7 -2
- package/dist/cjs/condition/date/DateGreaterThan.js.map +1 -1
- package/dist/cjs/condition/date/DateGreaterThanEquals.d.ts.map +1 -1
- package/dist/cjs/condition/date/DateGreaterThanEquals.js +7 -2
- package/dist/cjs/condition/date/DateGreaterThanEquals.js.map +1 -1
- package/dist/cjs/condition/date/DateLessThan.d.ts.map +1 -1
- package/dist/cjs/condition/date/DateLessThan.js +7 -2
- package/dist/cjs/condition/date/DateLessThan.js.map +1 -1
- package/dist/cjs/condition/date/DateLessThanEquals.d.ts.map +1 -1
- package/dist/cjs/condition/date/DateLessThanEquals.js +7 -2
- package/dist/cjs/condition/date/DateLessThanEquals.js.map +1 -1
- package/dist/cjs/condition/date/DateNotEquals.d.ts.map +1 -1
- package/dist/cjs/condition/date/DateNotEquals.js +11 -18
- package/dist/cjs/condition/date/DateNotEquals.js.map +1 -1
- package/dist/cjs/condition/date/date.d.ts +2 -1
- package/dist/cjs/condition/date/date.d.ts.map +1 -1
- package/dist/cjs/condition/date/date.js +20 -5
- package/dist/cjs/condition/date/date.js.map +1 -1
- package/dist/cjs/condition/ipaddress/IpAddress.d.ts.map +1 -1
- package/dist/cjs/condition/ipaddress/IpAddress.js +9 -16
- package/dist/cjs/condition/ipaddress/IpAddress.js.map +1 -1
- package/dist/cjs/condition/ipaddress/NotIpAddress.d.ts.map +1 -1
- package/dist/cjs/condition/ipaddress/NotIpAddress.js +9 -20
- package/dist/cjs/condition/ipaddress/NotIpAddress.js.map +1 -1
- package/dist/cjs/condition/ipaddress/ip.d.ts +10 -0
- package/dist/cjs/condition/ipaddress/ip.d.ts.map +1 -0
- package/dist/cjs/condition/ipaddress/ip.js +57 -0
- package/dist/cjs/condition/ipaddress/ip.js.map +1 -0
- package/dist/cjs/condition/numeric/NumericEquals.d.ts.map +1 -1
- package/dist/cjs/condition/numeric/NumericEquals.js +7 -2
- package/dist/cjs/condition/numeric/NumericEquals.js.map +1 -1
- package/dist/cjs/condition/numeric/NumericGreaterThan.d.ts.map +1 -1
- package/dist/cjs/condition/numeric/NumericGreaterThan.js +7 -2
- package/dist/cjs/condition/numeric/NumericGreaterThan.js.map +1 -1
- package/dist/cjs/condition/numeric/NumericGreaterThanEquals.d.ts.map +1 -1
- package/dist/cjs/condition/numeric/NumericGreaterThanEquals.js +7 -2
- package/dist/cjs/condition/numeric/NumericGreaterThanEquals.js.map +1 -1
- package/dist/cjs/condition/numeric/NumericLessThan.d.ts.map +1 -1
- package/dist/cjs/condition/numeric/NumericLessThan.js +7 -2
- package/dist/cjs/condition/numeric/NumericLessThan.js.map +1 -1
- package/dist/cjs/condition/numeric/NumericLessThanEquals.d.ts.map +1 -1
- package/dist/cjs/condition/numeric/NumericLessThanEquals.js +7 -2
- package/dist/cjs/condition/numeric/NumericLessThanEquals.js.map +1 -1
- package/dist/cjs/condition/numeric/NumericNotEquals.d.ts.map +1 -1
- package/dist/cjs/condition/numeric/NumericNotEquals.js +11 -18
- package/dist/cjs/condition/numeric/NumericNotEquals.js.map +1 -1
- package/dist/cjs/condition/numeric/numeric.d.ts +2 -1
- package/dist/cjs/condition/numeric/numeric.d.ts.map +1 -1
- package/dist/cjs/condition/numeric/numeric.js +18 -3
- package/dist/cjs/condition/numeric/numeric.js.map +1 -1
- package/dist/cjs/condition/string/StringEquals.d.ts.map +1 -1
- package/dist/cjs/condition/string/StringEquals.js +24 -3
- package/dist/cjs/condition/string/StringEquals.js.map +1 -1
- package/dist/cjs/condition/string/StringEqualsIgnoreCase.d.ts.map +1 -1
- package/dist/cjs/condition/string/StringEqualsIgnoreCase.js +23 -5
- package/dist/cjs/condition/string/StringEqualsIgnoreCase.js.map +1 -1
- package/dist/cjs/condition/string/StringLike.d.ts.map +1 -1
- package/dist/cjs/condition/string/StringLike.js +24 -3
- package/dist/cjs/condition/string/StringLike.js.map +1 -1
- package/dist/cjs/condition/string/StringNotEquals.d.ts.map +1 -1
- package/dist/cjs/condition/string/StringNotEquals.js +24 -3
- package/dist/cjs/condition/string/StringNotEquals.js.map +1 -1
- package/dist/cjs/condition/string/StringNotEqualsIgnoreCase.d.ts.map +1 -1
- package/dist/cjs/condition/string/StringNotEqualsIgnoreCase.js +25 -3
- package/dist/cjs/condition/string/StringNotEqualsIgnoreCase.js.map +1 -1
- package/dist/cjs/condition/string/StringNotLike.d.ts.map +1 -1
- package/dist/cjs/condition/string/StringNotLike.js +25 -3
- package/dist/cjs/condition/string/StringNotLike.js.map +1 -1
- package/dist/cjs/core_engine/coreSimulatorEngine.d.ts +11 -6
- package/dist/cjs/core_engine/coreSimulatorEngine.d.ts.map +1 -1
- package/dist/cjs/core_engine/coreSimulatorEngine.js +14 -4
- package/dist/cjs/core_engine/coreSimulatorEngine.js.map +1 -1
- package/dist/cjs/evaluate.d.ts +1 -0
- package/dist/cjs/evaluate.d.ts.map +1 -1
- package/dist/cjs/explain/displayExplainCli.d.ts.map +1 -1
- package/dist/cjs/explain/displayExplainCli.js +114 -10
- package/dist/cjs/explain/displayExplainCli.js.map +1 -1
- package/dist/cjs/explain/statementExplain.d.ts +2 -1
- package/dist/cjs/explain/statementExplain.d.ts.map +1 -1
- package/dist/cjs/explain/statementExplain.js.map +1 -1
- package/dist/cjs/principal/principal.d.ts +14 -2
- package/dist/cjs/principal/principal.d.ts.map +1 -1
- package/dist/cjs/principal/principal.js +51 -13
- package/dist/cjs/principal/principal.js.map +1 -1
- package/dist/cjs/resource/resource.js +3 -2
- package/dist/cjs/resource/resource.js.map +1 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.d.ts.map +1 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.js +53 -5
- package/dist/cjs/services/DefaultServiceAuthorizer.js.map +1 -1
- package/dist/cjs/services/ServiceAuthorizer.d.ts +1 -0
- package/dist/cjs/services/ServiceAuthorizer.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/simulation.d.ts +4 -0
- package/dist/cjs/simulation_engine/simulation.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/simulationEngine.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/simulationEngine.js +18 -4
- package/dist/cjs/simulation_engine/simulationEngine.js.map +1 -1
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.js +5 -3
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.js.map +1 -1
- package/dist/cjs/util.d.ts +31 -3
- package/dist/cjs/util.d.ts.map +1 -1
- package/dist/cjs/util.js +74 -32
- package/dist/cjs/util.js.map +1 -1
- package/dist/esm/StatementAnalysis.js +1 -1
- package/dist/esm/StatementAnalysis.js.map +1 -1
- package/dist/esm/action/action.js +1 -1
- package/dist/esm/action/action.js.map +1 -1
- package/dist/esm/condition/BaseConditionOperator.d.ts +6 -1
- package/dist/esm/condition/BaseConditionOperator.d.ts.map +1 -1
- package/dist/esm/condition/arn/ArnEquals.d.ts.map +1 -1
- package/dist/esm/condition/arn/ArnEquals.js +2 -1
- package/dist/esm/condition/arn/ArnEquals.js.map +1 -1
- package/dist/esm/condition/arn/ArnLike.d.ts.map +1 -1
- package/dist/esm/condition/arn/ArnLike.js +8 -40
- package/dist/esm/condition/arn/ArnLike.js.map +1 -1
- package/dist/esm/condition/arn/ArnNotEquals.d.ts.map +1 -1
- package/dist/esm/condition/arn/ArnNotEquals.js +2 -1
- package/dist/esm/condition/arn/ArnNotEquals.js.map +1 -1
- package/dist/esm/condition/arn/ArnNotLike.d.ts.map +1 -1
- package/dist/esm/condition/arn/ArnNotLike.js +8 -3
- package/dist/esm/condition/arn/ArnNotLike.js.map +1 -1
- package/dist/esm/condition/arn/arn.d.ts +12 -0
- package/dist/esm/condition/arn/arn.d.ts.map +1 -0
- package/dist/esm/condition/arn/arn.js +65 -0
- package/dist/esm/condition/arn/arn.js.map +1 -0
- package/dist/esm/condition/baseConditionperatorTests.d.ts +7 -1
- package/dist/esm/condition/baseConditionperatorTests.d.ts.map +1 -1
- package/dist/esm/condition/baseConditionperatorTests.js +17 -1
- package/dist/esm/condition/baseConditionperatorTests.js.map +1 -1
- package/dist/esm/condition/binary/BinaryEquals.d.ts.map +1 -1
- package/dist/esm/condition/binary/BinaryEquals.js +14 -2
- package/dist/esm/condition/binary/BinaryEquals.js.map +1 -1
- package/dist/esm/condition/boolean/Bool.d.ts.map +1 -1
- package/dist/esm/condition/boolean/Bool.js +37 -8
- package/dist/esm/condition/boolean/Bool.js.map +1 -1
- package/dist/esm/condition/condition.d.ts +39 -0
- package/dist/esm/condition/condition.d.ts.map +1 -1
- package/dist/esm/condition/condition.js +192 -112
- package/dist/esm/condition/condition.js.map +1 -1
- package/dist/esm/condition/conditionUtil.d.ts +10 -0
- package/dist/esm/condition/conditionUtil.d.ts.map +1 -0
- package/dist/esm/condition/conditionUtil.js +13 -0
- package/dist/esm/condition/conditionUtil.js.map +1 -0
- package/dist/esm/condition/date/DateEquals.d.ts.map +1 -1
- package/dist/esm/condition/date/DateEquals.js +7 -2
- package/dist/esm/condition/date/DateEquals.js.map +1 -1
- package/dist/esm/condition/date/DateGreaterThan.d.ts.map +1 -1
- package/dist/esm/condition/date/DateGreaterThan.js +7 -2
- package/dist/esm/condition/date/DateGreaterThan.js.map +1 -1
- package/dist/esm/condition/date/DateGreaterThanEquals.d.ts.map +1 -1
- package/dist/esm/condition/date/DateGreaterThanEquals.js +7 -2
- package/dist/esm/condition/date/DateGreaterThanEquals.js.map +1 -1
- package/dist/esm/condition/date/DateLessThan.d.ts.map +1 -1
- package/dist/esm/condition/date/DateLessThan.js +7 -2
- package/dist/esm/condition/date/DateLessThan.js.map +1 -1
- package/dist/esm/condition/date/DateLessThanEquals.d.ts.map +1 -1
- package/dist/esm/condition/date/DateLessThanEquals.js +7 -2
- package/dist/esm/condition/date/DateLessThanEquals.js.map +1 -1
- package/dist/esm/condition/date/DateNotEquals.d.ts.map +1 -1
- package/dist/esm/condition/date/DateNotEquals.js +12 -19
- package/dist/esm/condition/date/DateNotEquals.js.map +1 -1
- package/dist/esm/condition/date/date.d.ts +2 -1
- package/dist/esm/condition/date/date.d.ts.map +1 -1
- package/dist/esm/condition/date/date.js +20 -5
- package/dist/esm/condition/date/date.js.map +1 -1
- package/dist/esm/condition/ipaddress/IpAddress.d.ts.map +1 -1
- package/dist/esm/condition/ipaddress/IpAddress.js +9 -16
- package/dist/esm/condition/ipaddress/IpAddress.js.map +1 -1
- package/dist/esm/condition/ipaddress/NotIpAddress.d.ts.map +1 -1
- package/dist/esm/condition/ipaddress/NotIpAddress.js +9 -20
- package/dist/esm/condition/ipaddress/NotIpAddress.js.map +1 -1
- package/dist/esm/condition/ipaddress/ip.d.ts +10 -0
- package/dist/esm/condition/ipaddress/ip.d.ts.map +1 -0
- package/dist/esm/condition/ipaddress/ip.js +54 -0
- package/dist/esm/condition/ipaddress/ip.js.map +1 -0
- package/dist/esm/condition/numeric/NumericEquals.d.ts.map +1 -1
- package/dist/esm/condition/numeric/NumericEquals.js +7 -2
- package/dist/esm/condition/numeric/NumericEquals.js.map +1 -1
- package/dist/esm/condition/numeric/NumericGreaterThan.d.ts.map +1 -1
- package/dist/esm/condition/numeric/NumericGreaterThan.js +7 -2
- package/dist/esm/condition/numeric/NumericGreaterThan.js.map +1 -1
- package/dist/esm/condition/numeric/NumericGreaterThanEquals.d.ts.map +1 -1
- package/dist/esm/condition/numeric/NumericGreaterThanEquals.js +7 -2
- package/dist/esm/condition/numeric/NumericGreaterThanEquals.js.map +1 -1
- package/dist/esm/condition/numeric/NumericLessThan.d.ts.map +1 -1
- package/dist/esm/condition/numeric/NumericLessThan.js +7 -2
- package/dist/esm/condition/numeric/NumericLessThan.js.map +1 -1
- package/dist/esm/condition/numeric/NumericLessThanEquals.d.ts.map +1 -1
- package/dist/esm/condition/numeric/NumericLessThanEquals.js +7 -2
- package/dist/esm/condition/numeric/NumericLessThanEquals.js.map +1 -1
- package/dist/esm/condition/numeric/NumericNotEquals.d.ts.map +1 -1
- package/dist/esm/condition/numeric/NumericNotEquals.js +12 -19
- package/dist/esm/condition/numeric/NumericNotEquals.js.map +1 -1
- package/dist/esm/condition/numeric/numeric.d.ts +2 -1
- package/dist/esm/condition/numeric/numeric.d.ts.map +1 -1
- package/dist/esm/condition/numeric/numeric.js +18 -3
- package/dist/esm/condition/numeric/numeric.js.map +1 -1
- package/dist/esm/condition/string/StringEquals.d.ts.map +1 -1
- package/dist/esm/condition/string/StringEquals.js +25 -4
- package/dist/esm/condition/string/StringEquals.js.map +1 -1
- package/dist/esm/condition/string/StringEqualsIgnoreCase.d.ts.map +1 -1
- package/dist/esm/condition/string/StringEqualsIgnoreCase.js +24 -6
- package/dist/esm/condition/string/StringEqualsIgnoreCase.js.map +1 -1
- package/dist/esm/condition/string/StringLike.d.ts.map +1 -1
- package/dist/esm/condition/string/StringLike.js +25 -4
- package/dist/esm/condition/string/StringLike.js.map +1 -1
- package/dist/esm/condition/string/StringNotEquals.d.ts.map +1 -1
- package/dist/esm/condition/string/StringNotEquals.js +25 -4
- package/dist/esm/condition/string/StringNotEquals.js.map +1 -1
- package/dist/esm/condition/string/StringNotEqualsIgnoreCase.d.ts.map +1 -1
- package/dist/esm/condition/string/StringNotEqualsIgnoreCase.js +25 -3
- package/dist/esm/condition/string/StringNotEqualsIgnoreCase.js.map +1 -1
- package/dist/esm/condition/string/StringNotLike.d.ts.map +1 -1
- package/dist/esm/condition/string/StringNotLike.js +25 -3
- package/dist/esm/condition/string/StringNotLike.js.map +1 -1
- package/dist/esm/core_engine/coreSimulatorEngine.d.ts +11 -6
- package/dist/esm/core_engine/coreSimulatorEngine.d.ts.map +1 -1
- package/dist/esm/core_engine/coreSimulatorEngine.js +13 -4
- package/dist/esm/core_engine/coreSimulatorEngine.js.map +1 -1
- package/dist/esm/evaluate.d.ts +1 -0
- package/dist/esm/evaluate.d.ts.map +1 -1
- package/dist/esm/explain/displayExplainCli.d.ts.map +1 -1
- package/dist/esm/explain/displayExplainCli.js +114 -10
- package/dist/esm/explain/displayExplainCli.js.map +1 -1
- package/dist/esm/explain/statementExplain.d.ts +2 -1
- package/dist/esm/explain/statementExplain.d.ts.map +1 -1
- package/dist/esm/explain/statementExplain.js.map +1 -1
- package/dist/esm/principal/principal.d.ts +14 -2
- package/dist/esm/principal/principal.d.ts.map +1 -1
- package/dist/esm/principal/principal.js +49 -11
- package/dist/esm/principal/principal.js.map +1 -1
- package/dist/esm/resource/resource.js +4 -3
- package/dist/esm/resource/resource.js.map +1 -1
- package/dist/esm/services/DefaultServiceAuthorizer.d.ts.map +1 -1
- package/dist/esm/services/DefaultServiceAuthorizer.js +53 -5
- package/dist/esm/services/DefaultServiceAuthorizer.js.map +1 -1
- package/dist/esm/services/ServiceAuthorizer.d.ts +1 -0
- package/dist/esm/services/ServiceAuthorizer.d.ts.map +1 -1
- package/dist/esm/simulation_engine/simulation.d.ts +4 -0
- package/dist/esm/simulation_engine/simulation.d.ts.map +1 -1
- package/dist/esm/simulation_engine/simulationEngine.d.ts.map +1 -1
- package/dist/esm/simulation_engine/simulationEngine.js +19 -5
- package/dist/esm/simulation_engine/simulationEngine.js.map +1 -1
- package/dist/esm/simulation_engine/unsafeSimulationEngine.d.ts.map +1 -1
- package/dist/esm/simulation_engine/unsafeSimulationEngine.js +6 -4
- package/dist/esm/simulation_engine/unsafeSimulationEngine.js.map +1 -1
- package/dist/esm/util.d.ts +31 -3
- package/dist/esm/util.d.ts.map +1 -1
- package/dist/esm/util.js +70 -31
- package/dist/esm/util.js.map +1 -1
- package/package.json +2 -2
- package/dist/cjs/SCPAnalysis.d.ts +0 -6
- package/dist/cjs/SCPAnalysis.d.ts.map +0 -1
- package/dist/cjs/SCPAnalysis.js +0 -3
- package/dist/cjs/SCPAnalysis.js.map +0 -1
- package/dist/esm/SCPAnalysis.d.ts +0 -6
- package/dist/esm/SCPAnalysis.d.ts.map +0 -1
- package/dist/esm/SCPAnalysis.js +0 -2
- package/dist/esm/SCPAnalysis.js.map +0 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"statementExplain.d.ts","sourceRoot":"","sources":["../../../src/explain/statementExplain.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,EAAE,OAAO,CAAA;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAA;IAChB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;IACjB,OAAO,EAAE,OAAO,CAAA;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,OAAO,GAAG,SAAS,GAAG,mBAAmB,CAAA;
|
|
1
|
+
{"version":3,"file":"statementExplain.d.ts","sourceRoot":"","sources":["../../../src/explain/statementExplain.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,EAAE,OAAO,CAAA;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAA;IAChB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;IACjB,OAAO,EAAE,OAAO,CAAA;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,OAAO,GAAG,SAAS,GAAG,mBAAmB,GAAG,kBAAkB,GAAG,kBAAkB,CAAA;IAC5F,iBAAiB,CAAC,EAAE,MAAM,CAAA;IAC1B,iBAAiB,CAAC,EAAE,MAAM,CAAA;IAC1B,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAClB;AAED,MAAM,WAAW,qBAAqB;IACpC,KAAK,EAAE,MAAM,CAAA;IACb,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,OAAO,EAAE,OAAO,CAAA;IAChB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;IACzB,sBAAsB,CAAC,EAAE,MAAM,EAAE,CAAA;IACjC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAClB;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,iBAAiB,EAAE,MAAM,CAAA;IACzB,yBAAyB,CAAC,EAAE,MAAM,CAAA;IAClC,MAAM,EAAE,qBAAqB,GAAG,qBAAqB,EAAE,CAAA;IACvD,eAAe,CAAC,EAAE,MAAM,EAAE,CAAA;IAC1B,OAAO,EAAE,OAAO,CAAA;IAChB,qBAAqB,CAAC,EAAE,OAAO,CAAA;IAC/B,oBAAoB,CAAC,EAAE,OAAO,CAAA;IAC9B,kBAAkB,CAAC,EAAE,OAAO,CAAA;IAC5B,qBAAqB,CAAC,EAAE,OAAO,CAAA;IAC/B,eAAe,CAAC,EAAE,OAAO,CAAA;CAC1B;AAED,MAAM,WAAW,gBAAgB;IAQ/B,OAAO,EAAE,OAAO,CAAA;IAChB,UAAU,EAAE,MAAM,CAAA;IAClB,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,CAAC,EAAE,aAAa,GAAG,aAAa,EAAE,CAAA;IACzC,UAAU,CAAC,EAAE,aAAa,GAAG,aAAa,EAAE,CAAA;IAC5C,SAAS,CAAC,EAAE,eAAe,GAAG,eAAe,EAAE,CAAA;IAC/C,YAAY,CAAC,EAAE,eAAe,GAAG,eAAe,EAAE,CAAA;IAClD,UAAU,CAAC,EAAG,gBAAgB,GAAG,gBAAgB,EAAE,CAAA;IACnD,aAAa,CAAC,EAAE,gBAAgB,GAAG,gBAAgB,EAAE,CAAA;IACrD,UAAU,CAAC,EAAE,gBAAgB,EAAE,CAAA;CAChC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"statementExplain.js","sourceRoot":"","sources":["../../../src/explain/statementExplain.ts"],"names":[],"mappings":";
|
|
1
|
+
{"version":3,"file":"statementExplain.js","sourceRoot":"","sources":["../../../src/explain/statementExplain.ts"],"names":[],"mappings":";AA+DA;;;EAGE"}
|
|
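--- a/package/dist/esm/principal/principal.d.ts
+++ b/package/dist/esm/principal/principal.d.ts
@@ -1,7 +1,7 @@
 import { Principal, Statement } from "@cloud-copilot/iam-policy";
 import { PrincipalExplain, StatementExplain } from "../explain/statementExplain.js";
 import { AwsRequest } from "../request/request.js";
-export type PrincipalMatchResult = 'Match' | 'NoMatch' | 'AccountLevelMatch';
+export type PrincipalMatchResult = 'Match' | 'NoMatch' | 'AccountLevelMatch' | 'SessionRoleMatch' | 'SessionUserMatch';
 /**
  * Check to see if a request matches a Principal element in an IAM policy statement
  *
@@ -32,8 +32,20 @@ export declare function requestMatchesNotPrincipal(request: AwsRequest, notPrinc
  * @returns if the request matches the principal statement, and if so, how it matches
  */
 export declare function requestMatchesPrincipalStatement(request: AwsRequest, principalStatement: Principal): PrincipalExplain;
-
+/**
+ * Transfrom an assumed role session ARN into a role ARN
+ *
+ * @param assumedRoleArn the assumed role session ARN
+ * @returns the role ARN for the assumed role session
+ */
 export declare function roleArnFromAssumedRoleArn(assumedRoleArn: string): string;
+/**
+ * Get a user ARN from a federated user ARN
+ *
+ * @param federatedUserArn the federated user ARN
+ * @returns the user ARN for the federated user ARN
+ */
+export declare function userArnFromFederatedUserArn(federatedUserArn: string): string;
 /**
  * Check if a request matches the Resource or NotResource elements of a statement.
  *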
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"principal.d.ts","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,gCAAgC,CAAC;AACpF,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;
|
|
1
|
+
{"version":3,"file":"principal.d.ts","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,gCAAgC,CAAC;AACpF,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AA6CnD,MAAM,MAAM,oBAAoB,GAAG,OAAO,GAAG,SAAS,GAAG,mBAAmB,GAAG,kBAAkB,GAAG,kBAAkB,CAAA;AAEtH;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG;IAAC,OAAO,EAAE,oBAAoB,CAAC;IAAC,QAAQ,EAAE,gBAAgB,EAAE,CAAA;CAAC,CAkClJ;AAED;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,SAAS,EAAE,GAAG;IAAC,OAAO,EAAE,oBAAoB,CAAC;IAAC,QAAQ,EAAE,gBAAgB,EAAE,CAAA;CAAC,CAyCxJ;AAED;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAAC,OAAO,EAAE,UAAU,EAAE,kBAAkB,EAAE,SAAS,GAAG,gBAAgB,CA+FrH;AAED;;;;;GAKG;AACH,wBAAgB,yBAAyB,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAKxE;AAED;;;;;GAKG;AACH,wBAAgB,2BAA2B,CAAC,gBAAgB,EAAE,MAAM,GAAG,MAAM,CAK5E;AAGD;;;;;;GAMG;AACH,wBAAgB,iCAAiC,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,GAAG;IAAC,OAAO,EAAE,oBAAoB,CAAC;IAAC,OAAO,EAAE,IAAI,CAAC,gBAAgB,EAAE,YAAY,GAAG,eAAe,CAAC,CAAA;CAAC,CAS7L"}
|
|
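--- a/package/dist/esm/principal/principal.js
+++ b/package/dist/esm/principal/principal.js
@@ -1,3 +1,4 @@
+import { isAssumedRoleArn, isFederatedUserArn } from "../util.js";
 /**
  * Check to see if a request matches a Principal element in an IAM policy statement
  *
@@ -13,6 +14,18 @@ export function requestMatchesPrincipal(request, principal) {
             explains
         };
     }
+    if (explains.some(exp => exp.matches === 'SessionUserMatch')) {
+        return {
+            matches: 'SessionUserMatch',
+            explains
+        };
+    }
+    if (explains.some(exp => exp.matches === 'SessionRoleMatch')) {
+        return {
+            matches: 'SessionRoleMatch',
+            explains
+        };
+    }
     if (explains.some(exp => exp.matches === 'AccountLevelMatch')) {
         return {
             matches: 'AccountLevelMatch',
@@ -41,7 +54,7 @@ export function requestMatchesNotPrincipal(request, notPrincipal) {
          *
          * We need to test this.
          */
-        if (explain.matches === 'Match' || explain.matches === 'AccountLevelMatch') {
+        if (explain.matches === 'Match' || explain.matches === 'AccountLevelMatch' || explain.matches === 'SessionRoleMatch' || explain.matches === 'SessionUserMatch') {
             explain.matches = 'NoMatch';
         }
         else {
@@ -49,14 +62,14 @@ export function requestMatchesNotPrincipal(request, notPrincipal) {
         }
         return explain;
     });
-    if (explains.some(exp => exp.matches === '
+    if (explains.some(exp => exp.matches === 'NoMatch')) {
         return {
-            matches: '
+            matches: 'NoMatch',
             explains
         };
     }
     return {
-        matches: '
+        matches: 'Match',
         explains
     };
     // if(matches.includes('Match')) {
@@ -133,18 +146,29 @@ export function requestMatchesPrincipalStatement(request, principalStatement) {
         if (isAssumedRoleArn(request.principal.value())) {
             const sessionArn = request.principal.value();
             const roleArn = roleArnFromAssumedRoleArn(sessionArn);
-            if (principalStatement.arn() === roleArn
+            if (principalStatement.arn() === roleArn) {
                 return {
-                    matches: '
+                    matches: 'SessionRoleMatch',
                     principal: principalStatement.value(),
                     roleForSessionArn: roleArn,
                 };
             }
         }
+        else if (isFederatedUserArn(request.principal.value())) {
+            const sessionArn = request.principal.value();
+            const userArn = userArnFromFederatedUserArn(sessionArn);
+            if (principalStatement.arn() === userArn) {
+                return {
+                    matches: 'SessionUserMatch',
+                    principal: principalStatement.value(),
+                    userForSessionArn: userArn,
+                };
+            }
+        }
         if (principalStatement.arn() === request.principal.value()) {
             return {
                 matches: 'Match',
-                principal: principalStatement.value()
+                principal: principalStatement.value()
             };
         }
     }
@@ -153,16 +177,30 @@ export function requestMatchesPrincipalStatement(request, principalStatement) {
             principal: principalStatement.value(),
         };
     }
-
-
-
-
+/**
+ * Transfrom an assumed role session ARN into a role ARN
+ *
+ * @param assumedRoleArn the assumed role session ARN
+ * @returns the role ARN for the assumed role session
+ */
 export function roleArnFromAssumedRoleArn(assumedRoleArn) {
     const stsParts = assumedRoleArn.split(':');
     const resourceParts = stsParts.at(-1).split('/');
     const rolePathAndName = resourceParts.slice(1, -1).join('/');
     return `arn:aws:iam::${stsParts[4]}:role/${rolePathAndName}`;
 }
+/**
+ * Get a user ARN from a federated user ARN
+ *
+ * @param federatedUserArn the federated user ARN
+ * @returns the user ARN for the federated user ARN
+ */
+export function userArnFromFederatedUserArn(federatedUserArn) {
+    const stsParts = federatedUserArn.split(':');
+    const resource = stsParts.at(-1);
+    const username = resource.slice(resource.indexOf('/') + 1);
+    return `arn:aws:iam::${stsParts[4]}:user/${username}`;
+}
 /**
  * Check if a request matches the Resource or NotResource elements of a statement.
  *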
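Review bot: The new `userArnFromFederatedUserArn` (and the adjacent `roleArnFromAssumedRoleArn`) discards the partition of the session ARN and hardcodes `arn:aws:`, so a session from an `aws-cn` or `aws-us-gov` partition is rebuilt as an `arn:aws:` identity ARN that can never equal the Principal's ARN; `requestMatchesPrincipalStatement` then reports NoMatch, and `requestMatchesNotPrincipal` inverts that NoMatch into a Match, which makes the simulator apply a NotPrincipal statement to the very session it was meant to exclude. Keep the input's partition by replacing the literal `arn:aws:iam::` prefix with `arn:${stsParts[1]}:iam::` in both return statements. The `federated-user/<name>` to `iam::<account>:user/<name>` mapping also presumes the federated user name is an IAM user name, which looks like a deliberate simplification; a one-line comment stating that assumption above the function would save the next reader from checking. The JSDoc on `roleArnFromAssumedRoleArn` reads `Transfrom`; it should be `Transform` (the same text is in the .d.ts).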
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"principal.js","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"principal.js","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AA8ClE;;;;;;GAMG;AACH,MAAM,UAAU,uBAAuB,CAAC,OAAmB,EAAE,SAAsB;IACjF,MAAM,QAAQ,GAAG,SAAS,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAE,CAAC,gCAAgC,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC,CAAA;IACnH,IAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,OAAO,KAAK,OAAO,CAAC,EAAE,CAAC;QACjD,OAAO;YACL,OAAO,EAAE,OAAO;YAChB,QAAQ;SACT,CAAA;IACH,CAAC;IAED,IAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,OAAO,KAAK,kBAAkB,CAAC,EAAE,CAAC;QAC5D,OAAO;YACL,OAAO,EAAE,kBAAkB;YAC3B,QAAQ;SACT,CAAA;IACH,CAAC;IAED,IAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,OAAO,KAAK,kBAAkB,CAAC,EAAE,CAAC;QAC5D,OAAO;YACL,OAAO,EAAE,kBAAkB;YAC3B,QAAQ;SACT,CAAA;IACH,CAAC;IAED,IAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,OAAO,KAAK,mBAAmB,CAAC,EAAE,CAAC;QAC7D,OAAO;YACL,OAAO,EAAE,mBAAmB;YAC5B,QAAQ;SACT,CAAA;IACH,CAAC;IAED,OAAO;QACL,OAAO,EAAE,SAAS;QAClB,QAAQ;KACT,CAAA;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,0BAA0B,CAAC,OAAmB,EAAE,YAAyB;IACvF,wHAAwH;IACxH,MAAM,QAAQ,GAAG,YAAY,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAE;QACrD,MAAM,OAAO,GAAG,gCAAgC,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAA;QAC7E;;;;;WAKG;QACH,IAAG,OAAO,CAAC,OAAO,KAAK,OAAO,IAAI,OAAO,CAAC,OAAO,KAAK,mBAAmB,IAAI,OAAO,CAAC,OAAO,KAAK,kBAAkB,IAAI,OAAO,CAAC,OAAO,KAAK,kBAAkB,EAAE,CAAC;YAC9J,OAAO,CAAC,OAAO,GAAG,SAAS,CAAA;QAC7B,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,OAAO,GAAG,OAAO,CAAA;QAC3B,CAAC;QACD,OAAO,OAAO,CAAA;IAChB,CAAC,CAAC,CAAA;IAGF,IAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,OAAO,KAAK,SAAS,CAAC,EAAE,CAAC;QACnD,OAAO;YACL,OAAO,EAAE,SAAS;YAClB,QAAQ;SACT,CAAA;IACH,CAAC;IAED,OAAO;QACL,OAAO,EAAE,OAAO;QAChB,QAAQ;KACT,CAAA;IAED,kCAAkC;IAClC,qBAAqB;IACrB,IAAI;IAGJ,8CAA8C;IAC9C,qBAAqB;IACrB,IAAI;IAEJ,iBAAiB;AACnB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gCAAgC,CAAC,OAAmB,EAAE,kBAA6B;IACjG,IAAG,kBAAkB,CAAC,kBAAkB,EAAE,EAAE,CAAC;QAC3C,IAAG,kBAAkB,CAAC,OAAO,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;Y
AC9D,OAAO;gBACL,OAAO,EAAE,OAAO;gBAChB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;aACtC,CAAA;QACH,CAAC;QACD,OAAO;YACL,OAAO,EAAE,SAAS;YAClB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;SACtC,CAAA;IACH,CAAC;IAED,IAAG,kBAAkB,CAAC,wBAAwB,EAAE,EAAE,CAAC;QACjD,IAAG,kBAAkB,CAAC,aAAa,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YACpE,OAAO;gBACL,OAAO,EAAE,OAAO;gBAChB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;aACtC,CAAA;QACH,CAAC;QACD,OAAO;YACL,OAAO,EAAE,SAAS;YAClB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;SACtC,CAAA;IACH,CAAC;IAED,IAAG,kBAAkB,CAAC,oBAAoB,EAAE,EAAE,CAAC;QAC7C,IAAG,kBAAkB,CAAC,SAAS,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAChE,OAAO;gBACL,OAAO,EAAE,OAAO;gBAChB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;aACtC,CAAA;QACH,CAAC;QACD,OAAO;YACL,OAAO,EAAE,SAAS;YAClB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;SACtC,CAAA;IACH,CAAC;IAED,IAAG,kBAAkB,CAAC,mBAAmB,EAAE,EAAE,CAAC;QAC5C,OAAO;YACL,OAAO,EAAE,OAAO;YAChB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;SACtC,CAAA;IACH,CAAC;IAED,IAAG,kBAAkB,CAAC,kBAAkB,EAAE,EAAE,CAAC;QAC3C,IAAG,kBAAkB,CAAC,SAAS,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,CAAC;YACpE,OAAO;gBACL,OAAO,EAAE,mBAAmB;gBAC5B,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;aACtC,CAAA;QACH,CAAC;QACD,OAAO;YACL,OAAO,EAAE,SAAS;YAClB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;SACtC,CAAA;IACH,CAAC;IAED,IAAG,kBAAkB,CAAC,cAAc,EAAE,EAAE,CAAC;QACvC,IAAG,gBAAgB,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC;YAC/C,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;YAC5C,MAAM,OAAO,GAAG,yBAAyB,CAAC,UAAU,CAAC,CAAA;YACrD,IAAG,kBAAkB,CAAC,GAAG,EAAE,KAAM,OAAO,EAAE,CAAC;gBACzC,OAAO;oBACL,OAAO,EAAE,kBAAkB;oBAC3B,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;oBACrC,iBAAiB,EAAE,OAAO;iBAC3B,CAAA;YACH,CAAC;QACH,CAAC;aAAM,IAAG,kBAAkB,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC;YACxD,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;YAC5C,MAAM,OAAO,GAAG,2BAA2B,CAAC,UAAU,CAAC,CAAA;YACvD,IAAG,kBAAkB,CAAC,GAAG,EAAE,KAAK,OAAO,EAAE,CAAC;gBACxC,OAAO;oBACL,OAAO,EAAE,kBAAkB;oBAC3B,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;oBACrC,iBAAiB,EAAE,OAAO;iBAC3B,CAAA;YACH,CAAC;QACH,CAAC;QAED,IAAG,kBAAkB,CAAC,GA
AG,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAC1D,OAAO;gBACL,OAAO,EAAE,OAAO;gBAChB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;aACtC,CAAA;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,OAAO,EAAE,SAAS;QAClB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;KACtC,CAAA;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,yBAAyB,CAAC,cAAsB;IAC9D,MAAM,QAAQ,GAAG,cAAc,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC1C,MAAM,aAAa,GAAG,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,CAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACjD,MAAM,eAAe,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IAC5D,OAAO,gBAAgB,QAAQ,CAAC,CAAC,CAAC,SAAS,eAAe,EAAE,CAAA;AAC9D,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,2BAA2B,CAAC,gBAAwB;IAClE,MAAM,QAAQ,GAAG,gBAAgB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC5C,MAAM,QAAQ,GAAG,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,CAAE,CAAA;IACjC,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAA;IAC1D,OAAO,gBAAgB,QAAQ,CAAC,CAAC,CAAC,SAAS,QAAQ,EAAE,CAAA;AACvD,CAAC;AAGD;;;;;;GAMG;AACH,MAAM,UAAU,iCAAiC,CAAC,OAAmB,EAAE,SAAoB;IACzF,IAAG,SAAS,CAAC,oBAAoB,EAAE,EAAE,CAAC;QACpC,MAAM,EAAC,OAAO,EAAE,QAAQ,EAAC,GAAG,uBAAuB,CAAC,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE,CAAC,CAAA;QACpF,OAAO,EAAC,OAAO,EAAE,OAAO,EAAE,EAAC,UAAU,EAAE,QAAQ,EAAC,EAAC,CAAA;IACnD,CAAC;SAAM,IAAG,SAAS,CAAC,uBAAuB,EAAE,EAAE,CAAC;QAC9C,MAAM,EAAC,OAAO,EAAE,QAAQ,EAAC,GAAG,0BAA0B,CAAC,OAAO,EAAE,SAAS,CAAC,aAAa,EAAE,CAAC,CAAA;QAC1F,OAAO,EAAC,OAAO,EAAE,OAAO,EAAE,EAAC,aAAa,EAAE,QAAQ,EAAC,EAAC,CAAA;IACtD,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAA;AACpE,CAAC"}
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import {
|
|
1
|
+
import { convertIamString, getResourceSegments } from "../util.js";
|
|
2
2
|
//TODO: Make a check to see if the action is a wildcard only action. This will have to happen outside of these functions.
|
|
3
3
|
/**
|
|
4
4
|
* Convert a resource segment to a regular expression. This is without variables.
|
|
@@ -64,7 +64,7 @@ export function requestMatchesNotResources(request, policyResources) {
|
|
|
64
64
|
explain.matches = !explain.matches;
|
|
65
65
|
return explain;
|
|
66
66
|
});
|
|
67
|
-
const matches = explains.some(explain => explain.matches);
|
|
67
|
+
const matches = !explains.some(explain => !explain.matches);
|
|
68
68
|
return { matches, explains };
|
|
69
69
|
}
|
|
70
70
|
/**
|
|
@@ -128,7 +128,8 @@ function singleResourceMatchesRequest(request, policyResource) {
|
|
|
128
128
|
};
|
|
129
129
|
}
|
|
130
130
|
const requestResourceId = resource.resource().slice(policyProduct.length);
|
|
131
|
-
|
|
131
|
+
const { pattern, errors } = convertIamString(policyResourceId, request);
|
|
132
|
+
if (!pattern.test(requestResourceId)) {
|
|
132
133
|
return {
|
|
133
134
|
resource: policyResource.value(),
|
|
134
135
|
matches: false,
|
|
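Review bot: `errors` is destructured from `convertIamString(policyResourceId, request)` at new line 131, but nothing in the hunk reads it, and the explain returned when `pattern.test(requestResourceId)` fails (new lines 133–135, continuing past the hunk) does not appear to carry it — the accompanying source map maps a fixed string literal into that object's `errors` field — so a policy variable that could not be substituted degrades silently into a non-match instead of being reported. Propagating the value, e.g. `matches: false, errors,` (or merging it into the existing message array), would make the explain show why the pattern failed. In `requestMatchesNotResources`, `const matches = !explains.some(explain => !explain.matches);` is `explains.every(explain => explain.matches)` and reads more directly; note it also flips the empty-list result from false to true, which is presumably intended for NotResource but deserves a test. Both enclosing functions start outside their hunks.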
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"resource.js","sourceRoot":"","sources":["../../../src/resource/resource.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"resource.js","sourceRoot":"","sources":["../../../src/resource/resource.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAEnE,yHAAyH;AAEzH;;;;;GAKG;AACH,SAAS,6BAA6B,CAAC,OAAe;IACpD,IAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IACD,MAAM,OAAO,GAAG,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,GAAG,CAAA;IAC7E,OAAO,IAAI,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;AACjC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gCAAgC,CAAC,OAAmB,EAAE,SAAoB;IACxF,IAAG,SAAS,CAAC,mBAAmB,EAAE,EAAE,CAAC;QACnC,MAAM,EAAC,OAAO,EAAE,QAAQ,EAAC,GAAG,uBAAuB,CAAC,OAAO,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,CAAC;QACpF,IAAG,CAAC,SAAS,CAAC,eAAe,EAAE,EAAE,CAAC;YAChC,OAAO,EAAC,OAAO,EAAE,OAAO,EAAE,EAAC,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAC,EAAC,EAAC,CAAA;QACrD,CAAC;QACD,OAAO,EAAC,OAAO,EAAE,OAAO,EAAE,EAAC,SAAS,EAAE,QAAQ,EAAC,EAAC,CAAA;QAChD,kEAAkE;IACpE,CAAC;SAAM,IAAG,SAAS,CAAC,sBAAsB,EAAE,EAAE,CAAC;QAC7C,MAAM,EAAC,OAAO,EAAE,QAAQ,EAAC,GAAG,0BAA0B,CAAC,OAAO,EAAE,SAAS,CAAC,YAAY,EAAE,CAAC,CAAC;QAC1F,IAAG,CAAC,SAAS,CAAC,kBAAkB,EAAE,EAAE,CAAC;YACnC,OAAO,EAAC,OAAO,EAAE,OAAO,EAAE,EAAC,YAAY,EAAE,QAAQ,CAAC,CAAC,CAAC,EAAC,EAAC,CAAA;QACxD,CAAC;QACD,OAAO,EAAC,OAAO,EAAE,OAAO,EAAE,EAAC,YAAY,EAAE,QAAQ,EAAC,EAAC,CAAA;QACnD,wEAAwE;IAC1E,CAAC;IACD,OAAO,EAAC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAC,CAAC;AACtC,CAAC;AAGD;;;;;;GAMG;AACH,MAAM,UAAU,uBAAuB,CAAC,OAAmB,EAAE,eAA2B;IACtF,MAAM,QAAQ,GAAG,eAAe,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,CAAC,4BAA4B,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC,CAAA;IAC7G,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;IACzD,OAAO,EAAC,OAAO,EAAE,QAAQ,EAAC,CAAA;AAC5B,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,0BAA0B,CAAC,OAAmB,EAAE,eAA2B;IACzF,MAAM,QAAQ,GAAG,eAAe,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE;QACpD,MAAM,OAAO,GAAG,4BAA4B,CAAC,OAAO,EAAE,cAAc,CAAC,CAAA;QACrE,OAAO,CAAC,OAAO,GAAG,CAAC,OAAO,CAAC,OAAO,CAAA;QAClC,OAAO,OAAO,CAAA;IAChB,CAAC,CAAC,CAAA;IACF,MAAM,OAAO,GAAG,CAAC,
QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;IAC3D,OAAO,EAAC,OAAO,EAAE,QAAQ,EAAC,CAAA;AAC5B,CAAC;AAED;;;;;;GAMG;AACH,SAAS,4BAA4B,CAAC,OAAmB,EAAE,cAAwB;IACjF,IAAG,cAAc,CAAC,cAAc,EAAE,EAAE,CAAC;QACnC,OAAO;YACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;YAChC,OAAO,EAAE,IAAI;SACd,CAAC;IACJ,CAAC;SAAM,IAAG,cAAc,CAAC,aAAa,EAAE,EAAE,CAAC;QACzC,IAAG,CAAC,OAAO,CAAC,QAAQ,EAAG,CAAC;YACtB,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,kCAAkC,CAAC;aAC7C,CAAC;QACJ,CAAC;QAED,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAA;QACjC,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,SAAS,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC,EAAE,CAAC;YACzF,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,0BAA0B,CAAC;aACrC,CAAA;QACH,CAAC;QAED,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;YACrF,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,wBAAwB,CAAC;aACnC,CAAA;QACH,CAAC;QAED,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,CAAC;YACnF,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,uBAAuB,CAAC;aAClC,CAAA;QACH,CAAC;QAED,IAAG,CAAC,6BAA6B,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;YACrF,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,wBAAwB,CAAC;aACnC,CAAA;QACH,CAAC;QAED,gKAAgK;QAChK,MAAM,CAAC,aAAa,EAAE,gBAAgB,CAAC,GAAG,mBAAmB,CAAC,cAAc,CAAC,QAAQ,EAAE,CAAC,CAAA;QAExF,IAAG,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;YAClD,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,wBAAwB,CAAC;aACnC,CAAA;QACH,CAAC;QAED,MAAM,iBAAiB,GAAG,QAAQ,CAAC,QAAQ,EAAE,CAAC,KAAK,CAAC,aAAa,CAAC,MAAM,CAAC,CAAA;QACzE,MAAM,EAAC,OAAO,EAAE,MAAM,EAAC,GAAG,gBAAgB,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAA;QAErE,IAAG,CAAC,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,EAAE,CAAC;YACpC,OAAO;gBACL,QAAQ,EAAE,cAAc,CAAC,KAA
K,EAAE;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,CAAC,yBAAyB,CAAC;aACpC,CAAA;QACH,CAAC;QAED,OAAO;YACL,QAAQ,EAAE,cAAc,CAAC,KAAK,EAAE;YAChC,OAAO,EAAE,IAAI;SACd,CAAA;IACH,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;AACH,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;
|
|
1
|
+
{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAEjD,OAAO,EAAE,2BAA2B,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAExF;;GAEG;AACH,qBAAa,wBAAyB,YAAW,iBAAiB;IACzD,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe;CAoIxE"}
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
import { isAssumedRoleArn, isFederatedUserArn, isIamUserArn } from "../util.js";
|
|
1
2
|
/**
|
|
2
3
|
* The default authorizer for services.
|
|
3
4
|
*/
|
|
@@ -6,6 +7,7 @@ export class DefaultServiceAuthorizer {
|
|
|
6
7
|
const scpResult = request.scpAnalysis.result;
|
|
7
8
|
const identityStatementResult = request.identityAnalysis.result;
|
|
8
9
|
const resourcePolicyResult = request.resourceAnalysis?.result;
|
|
10
|
+
const permissionBoundaryResult = request.permissionBoundaryAnalysis?.result;
|
|
9
11
|
const principalAccount = request.request.principal.accountId();
|
|
10
12
|
const resourceAccount = request.request.resource?.accountId();
|
|
11
13
|
const sameAccount = principalAccount === resourceAccount;
|
|
@@ -13,7 +15,8 @@ export class DefaultServiceAuthorizer {
|
|
|
13
15
|
sameAccount,
|
|
14
16
|
identityAnalysis: request.identityAnalysis,
|
|
15
17
|
scpAnalysis: request.scpAnalysis,
|
|
16
|
-
resourceAnalysis: request.resourceAnalysis
|
|
18
|
+
resourceAnalysis: request.resourceAnalysis,
|
|
19
|
+
permissionBoundaryAnalysis: request.permissionBoundaryAnalysis
|
|
17
20
|
};
|
|
18
21
|
if (scpResult !== 'Allowed') {
|
|
19
22
|
return {
|
|
@@ -33,9 +36,49 @@ export class DefaultServiceAuthorizer {
|
|
|
33
36
|
...baseResult
|
|
34
37
|
};
|
|
35
38
|
}
|
|
39
|
+
if (permissionBoundaryResult === 'ExplicitlyDenied') {
|
|
40
|
+
return {
|
|
41
|
+
result: 'ExplicitlyDenied',
|
|
42
|
+
...baseResult
|
|
43
|
+
};
|
|
44
|
+
}
|
|
36
45
|
//Same Account
|
|
37
46
|
if (principalAccount === resourceAccount) {
|
|
38
|
-
if (
|
|
47
|
+
if (permissionBoundaryResult === 'ImplicitlyDenied') {
|
|
48
|
+
/**
|
|
49
|
+
* If the permission boundary is an implicit deny
|
|
50
|
+
*
|
|
51
|
+
* If the request is from an assumed role ARN AND the resource policy allows the assumed role (session) ARN = ALLOW
|
|
52
|
+
* If the request is from an IAM user ARN AND the resource policy allows the IAM user ARN = ALLOW
|
|
53
|
+
* If the request is from a federated user ARN AND the resource policy allows the federated user ARN = ALLOW
|
|
54
|
+
* The request is allowed: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
|
|
55
|
+
*/
|
|
56
|
+
if (resourcePolicyResult === 'Allowed') {
|
|
57
|
+
const principal = request.request.principal.value();
|
|
58
|
+
if (isAssumedRoleArn(principal) || isIamUserArn(principal) || isFederatedUserArn(principal)) {
|
|
59
|
+
if (request.resourceAnalysis.allowStatements.some(statement => statement.principalMatch === 'Match')) {
|
|
60
|
+
return {
|
|
61
|
+
result: 'Allowed',
|
|
62
|
+
...baseResult
|
|
63
|
+
};
|
|
64
|
+
}
|
|
65
|
+
}
|
|
66
|
+
}
|
|
67
|
+
return {
|
|
68
|
+
result: 'ImplicitlyDenied',
|
|
69
|
+
...baseResult
|
|
70
|
+
};
|
|
71
|
+
}
|
|
72
|
+
/*
|
|
73
|
+
TODO: Implicit denies in identity policies
|
|
74
|
+
I think if the identity policy has an implicit deny for assumed roles or federated users,
|
|
75
|
+
then the resource policy must have the federerated or assumed role ARN exactly.
|
|
76
|
+
|
|
77
|
+
That doesn't seem right though. I know many cases where the resource policy has the role ARN and it works
|
|
78
|
+
|
|
79
|
+
Need to add some tests for this.
|
|
80
|
+
*/
|
|
81
|
+
if (resourcePolicyResult === 'Allowed' || identityStatementResult === 'Allowed') {
|
|
39
82
|
return {
|
|
40
83
|
result: 'Allowed',
|
|
41
84
|
...baseResult
|
|
@@ -47,6 +90,12 @@ export class DefaultServiceAuthorizer {
|
|
|
47
90
|
};
|
|
48
91
|
}
|
|
49
92
|
//Cross Account
|
|
93
|
+
if (permissionBoundaryResult === 'ImplicitlyDenied') {
|
|
94
|
+
return {
|
|
95
|
+
result: 'ImplicitlyDenied',
|
|
96
|
+
...baseResult
|
|
97
|
+
};
|
|
98
|
+
}
|
|
50
99
|
if (resourcePolicyResult === 'Allowed' || resourcePolicyResult === 'AllowedForAccount') {
|
|
51
100
|
if (identityStatementResult === 'Allowed') {
|
|
52
101
|
return {
|
|
@@ -65,12 +114,11 @@ export class DefaultServiceAuthorizer {
|
|
|
65
114
|
};
|
|
66
115
|
/**
|
|
67
116
|
* Add checks for:
|
|
117
|
+
* * session policies
|
|
118
|
+
* * resource control policies
|
|
68
119
|
* * root user
|
|
69
120
|
* * service linked roles
|
|
70
|
-
* * resource control policies
|
|
71
|
-
* * boundary policies
|
|
72
121
|
* * vpc endpoint policies
|
|
73
|
-
* * session policies (maybe these are just part of identity policies?)
|
|
74
122
|
*/
|
|
75
123
|
}
|
|
76
124
|
}
|
|
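Review bot: The `principalMatch === 'Match'` test at new line 59 carries the whole exception to the boundary rule yet is undocumented: it is presumably what distinguishes a resource-policy statement that names the user or session ARN itself from one that grants at the account level, and the `isAssumedRoleArn(...) || isIamUserArn(...) || isFederatedUserArn(...)` check on new line 58 cannot make that distinction alone. A comment on that line such as `// Only a statement naming the user/session principal itself bypasses the boundary; account-level grants do not` would let a reader verify the intent against the linked AWS documentation. The `/** ... */` block at new lines 48–55 sits inside the branch body and reads as JSDoc; a `/* */` or `//` comment is the usual form there. The speculative TODO at new lines 72–80 ("I think…", "Need to add some tests") would be better tracked as an issue than shipped in dist.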
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAGhF;;GAEG;AACH,MAAM,OAAO,wBAAwB;IAC5B,SAAS,CAAC,OAAoC;QACnD,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAC;QAC7C,MAAM,uBAAuB,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAC;QAChE,MAAM,oBAAoB,GAAG,OAAO,CAAC,gBAAgB,EAAE,MAAM,CAAA;QAC7D,MAAM,wBAAwB,GAAG,OAAO,CAAC,0BAA0B,EAAE,MAAM,CAAA;QAE3E,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;QAC7D,MAAM,WAAW,GAAG,gBAAgB,KAAK,eAAe,CAAA;QAExD,MAAM,UAAU,GAAmI;YACjJ,WAAW;YACX,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,0BAA0B,EAAE,OAAO,CAAC,0BAA0B;SAC/D,CAAA;QAED,IAAG,SAAS,KAAK,SAAS,EAAE,CAAC;YAC3B,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAG,oBAAoB,KAAK,kBAAkB,IAAI,oBAAoB,KAAK,kBAAkB,EAAE,CAAC;YAC9F,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAG,uBAAuB,KAAK,kBAAkB,EAAE,CAAC;YAClD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAG,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACnD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,cAAc;QACd,IAAG,gBAAgB,KAAK,eAAe,EAAE,CAAC;YAExC,IAAG,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;gBACnD;;;;;;;mBAOG;gBACH,IAAG,oBAAoB,KAAK,SAAS,EAAE,CAAC;oBACtC,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;oBACnD,IAAG,gBAAgB,CAAC,SAAS,CAAC,IAAI,YAAY,CAAC,SAAS,CAAC,IAAI,kBAAkB,CAAC,SAAS,CAAC,EAAE,CAAC;wBAC3F,IAAG,OAAO,CAAC,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,OAAO,CAAC,EAAC,CAAC;4BACnG,OAAO;gCACL,MAAM,EAAE,SAAS;gCACjB,GAAG,UAAU;6BACd,CAAA;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;gBACD,OAAO;oBACL,MAAM,EAAE,kBAAkB;oBAC1B,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YAGD;;;;;;;;cAQE;YACF,IAAG,oBAAoB,KAAK,SAAS,IAAI,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBAC/E,OAAO;oBACL,MAAM,EAAE,SAAS;o
BACjB,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,eAAe;QACf,IAAG,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACnD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAG,oBAAoB,KAAK,SAAS,IAAI,oBAAoB,KAAK,mBAAmB,EAAE,CAAC;YACtF,IAAG,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBACzC,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,OAAO;YACL,MAAM,EAAE,kBAAkB;YAC1B,GAAG,UAAU;SACd,CAAA;QAED;;;;;;;WAOG;IACL,CAAC;CACF"}
|
|
@@ -5,6 +5,7 @@ export interface ServiceAuthorizationRequest {
|
|
|
5
5
|
identityAnalysis: IdentityAnalysis;
|
|
6
6
|
scpAnalysis: ScpAnalysis;
|
|
7
7
|
resourceAnalysis: ResourceAnalysis;
|
|
8
|
+
permissionBoundaryAnalysis: IdentityAnalysis | undefined;
|
|
8
9
|
}
|
|
9
10
|
export interface ServiceAuthorizer {
|
|
10
11
|
authorize(request: ServiceAuthorizationRequest): RequestAnalysis;
|
|
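Review bot: The new `permissionBoundaryAnalysis: IdentityAnalysis | undefined;` member at new line 8 is required-but-nullable rather than optional (`?:`), which forces every caller to pass it explicitly; that is a reasonable way to make callers decide about boundaries, but the interface says nothing about when it is undefined. A one-line doc such as `/** Result of evaluating the principal's permissions boundary, or undefined when no boundary is attached. */` would state the contract. The same applies to `resourceAnalysis`, which is declared non-optional here yet read with `?.` in DefaultServiceAuthorizer.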
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/ServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAClG,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAEnD,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,UAAU,CAAC;IACpB,gBAAgB,EAAE,gBAAgB,CAAC;IACnC,WAAW,EAAE,WAAW,CAAC;IACzB,gBAAgB,EAAE,gBAAgB,CAAC;
|
|
1
|
+
{"version":3,"file":"ServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/ServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAClG,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAEnD,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,UAAU,CAAC;IACpB,gBAAgB,EAAE,gBAAgB,CAAC;IACnC,WAAW,EAAE,WAAW,CAAC;IACzB,gBAAgB,EAAE,gBAAgB,CAAC;IACnC,0BAA0B,EAAE,gBAAgB,GAAG,SAAS,CAAC;CAC1D;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe,CAAA;CACjE"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"simulation.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulation.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,EAAE;YACR,QAAQ,EAAE,MAAM,CAAC;YACjB,SAAS,EAAE,MAAM,CAAA;SAClB,CAAA;QACD,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAC;KACrD,CAAA;IAED,gBAAgB,EAAE;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,GAAG,CAAA;KAAC,EAAE,CAAC;IAChD,sBAAsB,EAAE;QACtB,aAAa,EAAE,MAAM,CAAC;QACtB,QAAQ,EAAE;YAAC,IAAI,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,GAAG,CAAA;SAAC,EAAE,CAAA;KACxC,EAAE,CAAC;IACJ,cAAc,CAAC,EAAE,GAAG,CAAC;
|
|
1
|
+
{"version":3,"file":"simulation.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulation.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,EAAE;YACR,QAAQ,EAAE,MAAM,CAAC;YACjB,SAAS,EAAE,MAAM,CAAA;SAClB,CAAA;QACD,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAC;KACrD,CAAA;IAED,gBAAgB,EAAE;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,GAAG,CAAA;KAAC,EAAE,CAAC;IAChD,sBAAsB,EAAE;QACtB,aAAa,EAAE,MAAM,CAAC;QACtB,QAAQ,EAAE;YAAC,IAAI,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,GAAG,CAAA;SAAC,EAAE,CAAA;KACxC,EAAE,CAAC;IACJ,cAAc,CAAC,EAAE,GAAG,CAAA;IACpB,0BAA0B,CAAC,EAAG;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,GAAG,CAAA;KAAC,EAAE,CAAA;CAC5D"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"simulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":"AACA,OAAO,
|
|
1
|
+
{"version":3,"file":"simulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":"AACA,OAAO,EAAoG,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAI9J,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAKjD,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC7C,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAE3D,MAAM,WAAW,gBAAgB;IAC/B,oBAAoB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAC;IACzD,yBAAyB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAC;IAC9D,oBAAoB,CAAC,EAAE,eAAe,EAAE,CAAC;IACzC,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,CAAC,EAAE,gBAAgB,CAAC;IAC1B,QAAQ,CAAC,EAAE,eAAe,CAAA;CAC3B;AAED;;;;;;GAMG;AACH,wBAAsB,aAAa,CAAC,UAAU,EAAE,UAAU,EAAE,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAAG,OAAO,CAAC,gBAAgB,CAAC,CA2IpI;AAED,wBAAsB,6BAA6B,CAAC,UAAU,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAC,CA0BtH"}
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import { iamActionExists, iamServiceExists } from "@cloud-copilot/iam-data";
|
|
2
|
-
import {
|
|
2
|
+
import { loadPolicy, validateIdentityPolicy, validateResourcePolicy, validateServiceControlPolicy } from "@cloud-copilot/iam-policy";
|
|
3
3
|
import { isConditionKeyArray } from "../context_keys/contextKeyTypes.js";
|
|
4
4
|
import { normalizeContextKeyCase, typeForContextKey } from "../context_keys/contextKeys.js";
|
|
5
5
|
import { authorize } from "../core_engine/coreSimulatorEngine.js";
|
|
@@ -21,7 +21,7 @@ export async function runSimulation(simulation, simulationOptions) {
|
|
|
21
21
|
const { name, policy } = value;
|
|
22
22
|
const validationErrors = validateIdentityPolicy(policy);
|
|
23
23
|
if (validationErrors.length == 0) {
|
|
24
|
-
identityPolicies.push(
|
|
24
|
+
identityPolicies.push(loadPolicy(policy));
|
|
25
25
|
}
|
|
26
26
|
else {
|
|
27
27
|
identityPolicyErrors[name] = validationErrors;
|
|
@@ -38,7 +38,7 @@ export async function runSimulation(simulation, simulationOptions) {
|
|
|
38
38
|
seviceControlPolicyErrors[name] = validationErrors;
|
|
39
39
|
}
|
|
40
40
|
else {
|
|
41
|
-
validPolicies.push(
|
|
41
|
+
validPolicies.push(loadPolicy(policy));
|
|
42
42
|
}
|
|
43
43
|
});
|
|
44
44
|
return {
|
|
@@ -47,8 +47,21 @@ export async function runSimulation(simulation, simulationOptions) {
|
|
|
47
47
|
};
|
|
48
48
|
});
|
|
49
49
|
const resourcePolicyErrors = simulation.resourcePolicy ? validateResourcePolicy(simulation.resourcePolicy) : [];
|
|
50
|
+
const permissionBoundaries = simulation.permissionBoundaryPolicies ? [] : undefined;
|
|
51
|
+
const permissionBoundaryErrors = {};
|
|
52
|
+
simulation.permissionBoundaryPolicies?.map((pb) => {
|
|
53
|
+
const { name, policy } = pb;
|
|
54
|
+
const validationErrors = validateIdentityPolicy(policy);
|
|
55
|
+
if (validationErrors.length == 0) {
|
|
56
|
+
permissionBoundaries.push(loadPolicy(policy));
|
|
57
|
+
}
|
|
58
|
+
else {
|
|
59
|
+
permissionBoundaryErrors[name] = validationErrors;
|
|
60
|
+
}
|
|
61
|
+
});
|
|
50
62
|
if (Object.keys(identityPolicyErrors).length > 0 ||
|
|
51
63
|
Object.keys(seviceControlPolicyErrors).length > 0 ||
|
|
64
|
+
Object.keys(permissionBoundaryErrors).length > 0 ||
|
|
52
65
|
resourcePolicyErrors.length > 0) {
|
|
53
66
|
return {
|
|
54
67
|
errors: {
|
|
@@ -59,7 +72,7 @@ export async function runSimulation(simulation, simulationOptions) {
|
|
|
59
72
|
}
|
|
60
73
|
};
|
|
61
74
|
}
|
|
62
|
-
const resourcePolicy = simulation.resourcePolicy ?
|
|
75
|
+
const resourcePolicy = simulation.resourcePolicy ? loadPolicy(simulation.resourcePolicy) : undefined;
|
|
63
76
|
if (simulation.request.action.split(":").length != 2) {
|
|
64
77
|
return {
|
|
65
78
|
errors: {
|
|
@@ -120,7 +133,8 @@ export async function runSimulation(simulation, simulationOptions) {
|
|
|
120
133
|
}, simulation.request.action, new RequestContextImpl(contextValues)),
|
|
121
134
|
identityPolicies,
|
|
122
135
|
serviceControlPolicies,
|
|
123
|
-
resourcePolicy
|
|
136
|
+
resourcePolicy,
|
|
137
|
+
permissionBoundaries
|
|
124
138
|
});
|
|
125
139
|
return {
|
|
126
140
|
analysis: simulationResult
|
|
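Review bot: The early-return guard at new line 64 now fires when `permissionBoundaryErrors` is non-empty, but the `errors` object returned at new lines 66–67 (its body continues outside the hunk) does not appear to include it — the accompanying source map maps only three error collections plus `message` into that object — so a boundary policy that fails `validateIdentityPolicy` makes the simulation return an error result with no indication of which boundary failed or why. Adding `permissionBoundaryErrors,` next to `identityPolicyErrors` in that object, and the matching field to the result type, would make the failure actionable. The loop at new lines 52–61 uses `?.map` purely for side effects; `forEach` states the intent, and since the callback only runs when `permissionBoundaryPolicies` is defined, `permissionBoundaries` could be computed as `simulation.permissionBoundaryPolicies?.map(pb => loadPolicy(pb.policy))` after validation instead of being pushed into from the closure.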
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"simulationEngine.js","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC5E,OAAO,
|
|
1
|
+
{"version":3,"file":"simulationEngine.js","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC5E,OAAO,EAAE,UAAU,EAAU,sBAAsB,EAAE,sBAAsB,EAAE,4BAA4B,EAAmB,MAAM,2BAA2B,CAAC;AAC9J,OAAO,EAAE,mBAAmB,EAAE,MAAM,oCAAoC,CAAC;AACzE,OAAO,EAAE,uBAAuB,EAAE,iBAAiB,EAAE,MAAM,gCAAgC,CAAC;AAC5F,OAAO,EAAE,SAAS,EAA0B,MAAM,uCAAuC,CAAC;AAE1F,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAC1D,OAAO,EAAE,yBAAyB,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAC7E,OAAO,EAAE,4BAA4B,EAAE,MAAM,kBAAkB,CAAC;AAgBhE;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,UAAsB,EAAE,iBAA6C;IACvG,MAAM,oBAAoB,GAAsC,EAAE,CAAC;IACnE,MAAM,gBAAgB,GAAa,EAAE,CAAC;IACtC,UAAU,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE;QAC5C,MAAM,EAAC,IAAI,EAAE,MAAM,EAAC,GAAG,KAAK,CAAC;QAC7B,MAAM,gBAAgB,GAAG,sBAAsB,CAAC,MAAM,CAAC,CAAC;QACxD,IAAG,gBAAgB,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;YAChC,gBAAgB,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;QAC5C,CAAC;aAAM,CAAC;YACN,oBAAoB,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC;QAChD,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,MAAM,yBAAyB,GAAsC,EAAE,CAAC;IACxE,MAAM,sBAAsB,GAA6B,UAAU,CAAC,sBAAsB,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;QACrG,MAAM,IAAI,GAAG,GAAG,CAAC,aAAa,CAAC;QAC/B,MAAM,aAAa,GAAa,EAAE,CAAC;QAEnC,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE;YAC7B,MAAM,EAAC,IAAI,EAAE,MAAM,EAAC,GAAG,KAAK,CAAC;YAC7B,MAAM,gBAAgB,GAAG,4BAA4B,CAAC,MAAM,CAAC,CAAC;YAC9D,IAAG,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC/B,yBAAyB,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC;YACrD,CAAC;iBAAM,CAAC;gBACN,aAAa,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;YACzC,CAAC;QACH,CAAC,CAAC,CAAA;QAEF,OAAO;YACL,aAAa,EAAE,IAAI;YACnB,QAAQ,EAAE,aAAa;SACxB,CAAA;IACH,CAAC,CAAC,CAAA;IAEF,MAAM,oBAAoB,GAAG,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,sBAAsB,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAEhH,MAAM,oBAAoB,GAAyB,UAAU,CAAC,0BAA0B,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;IAC1G,MAAM,wBAAwB,GAAsC,EAAE,CAAC;IACvE,UAAU,CAAC,0BAA0B,EAAE,GAAG,CAA
C,CAAC,EAAE,EAAE,EAAE;QAChD,MAAM,EAAC,IAAI,EAAE,MAAM,EAAC,GAAG,EAAE,CAAC;QAC1B,MAAM,gBAAgB,GAAG,sBAAsB,CAAC,MAAM,CAAC,CAAC;QACxD,IAAG,gBAAgB,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;YAChC,oBAAqB,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;QACjD,CAAC;aAAM,CAAC;YACN,wBAAwB,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC;QACpD,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,IAAG,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,MAAM,GAAG,CAAC;QAC5C,MAAM,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC,MAAM,GAAG,CAAC;QACjD,MAAM,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC,MAAM,GAAG,CAAC;QAChD,oBAAoB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnC,OAAO;YACL,MAAM,EAAE;gBACN,oBAAoB;gBACpB,yBAAyB;gBACzB,oBAAoB;gBACpB,OAAO,EAAE,eAAe;aACzB;SACF,CAAA;IACH,CAAC;IAED,MAAM,cAAc,GAAG,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,UAAU,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAErG,IAAG,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QACpD,OAAO;YACL,MAAM,EAAE;gBACN,OAAO,EAAE,gBAAgB;aAC1B;SACF,CAAA;IACH,CAAC;IAED,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,GAAG,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/D,MAAM,YAAY,GAAG,MAAM,gBAAgB,CAAC,OAAO,CAAC,CAAC;IACrD,IAAG,CAAC,YAAY,EAAE,CAAC;QACjB,OAAO;YACL,MAAM,EAAE;gBACN,OAAO,EAAE,iBAAiB;aAC3B;SACF,CAAA;IACH,CAAC;IACD,MAAM,WAAW,GAAG,MAAM,eAAe,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC3D,IAAG,CAAC,WAAW,EAAE,CAAC;QAChB,OAAO;YACL,MAAM,EAAE;gBACN,OAAO,EAAE,gBAAgB;aAC1B;SACF,CAAA;IACH,CAAC;IAED,MAAM,WAAW,GAAG,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC;IACzD,MAAM,oBAAoB,GAAG,MAAM,oBAAoB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACzE,IAAG,oBAAoB,EAAE,CAAC;QACxB,IAAG,WAAW,KAAK,GAAG,EAAE,CAAC;YACvB,OAAO;gBACL,MAAM,EAAE;oBACN,OAAO,EAAE,mBAAmB;iBAC7B;aACF,CAAA;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,MAAM,aAAa,GAAG,MAAM,yBAAyB,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC;QACpF,IAAG,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC9B,OAAO;gBACL,MAAM,EAAE;oBACN,OAAO,EAAE,mBAAmB;iBAC7B;aAEF,CAAA;QACH,CAAC;aAAM,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpC,OAAO;gBACL,MAAM,EAAE;oBACN,OAAO,EAAE,yBAAyB;iBACnC;aACF,CAAA;QACH,CAAC;IACH,CAAC;IAED,MAAM,aAAa,GAAG,MAAM,6BAA6B,CAA
C,UAAU,CAAC,CAAC;IAEtE,MAAM,gBAAgB,GAAG,SAAS,CAAC;QACjC,OAAO,EAAE,IAAI,cAAc,CACzB,UAAU,CAAC,OAAO,CAAC,SAAS,EAC5B;YACE,QAAQ,EAAE,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ;YAC9C,SAAS,EAAE,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS;SACjD,EACD,UAAU,CAAC,OAAO,CAAC,MAAM,EACzB,IAAI,kBAAkB,CAAC,aAAa,CAAC,CACtC;QACD,gBAAgB;QAChB,sBAAsB;QACtB,cAAc;QACd,oBAAoB;KACrB,CAAC,CAAA;IAEF,OAAO;QACL,QAAQ,EAAE,gBAAgB;KAC3B,CAAA;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,6BAA6B,CAAC,UAAsB;IACxE,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,GAAG,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/D,MAAM,WAAW,GAAG,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC;IACzD,MAAM,yBAAyB,GAAG,IAAI,GAAG,CAAC,MAAM,4BAA4B,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC,CAAA;IAE3G,4FAA4F;IAC5F,MAAM,kBAAkB,GAAsC,EAAE,CAAC;IACjE,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACnE,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC;QACvD,MAAM,YAAY,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;QACvC,IAAI,yBAAyB,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,uBAAuB,CAAC,YAAY,EAAE,yBAAyB,CAAC,EAAE,CAAC;YAEpH,MAAM,aAAa,GAAG,MAAM,iBAAiB,CAAC,YAAY,CAAC,CAAC;YAC5D,MAAM,aAAa,GAAG,MAAM,uBAAuB,CAAC,GAAG,CAAC,CAAC;YAEzD,IAAG,mBAAmB,CAAC,aAAa,CAAC,EAAE,CAAC;gBACtC,kBAAkB,CAAC,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC;YACrD,CAAC;iBAAM,IAAG,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC/B,kBAAkB,CAAC,aAAa,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAC/C,CAAC;iBAAM,CAAC;gBACN,kBAAkB,CAAC,aAAa,CAAC,GAAG,KAAK,CAAC;YAC5C,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,kBAAkB,CAAA;AAC3B,CAAC;AAED,SAAS,uBAAuB,CAAC,YAAoB,EAAE,gBAA6B;IAClF,MAAM,eAAe,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAClD,IAAG,eAAe,KAAK,CAAC,CAAC,EAAE,CAAC;QAC1B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,eAAe,GAAG,CAAC,CAAC,CAAC;IAC1D,KAAI,MAAM,QAAQ,IAAI,gBAAgB,EAAE,CAAC;QACvC,IAAG,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YAC/B,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"unsafeSimulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/unsafeSimulationEngine.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAGvD,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC7C,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAE3D;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,UAAU,EAAE,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAAG,gBAAgB,
|
|
1
|
+
{"version":3,"file":"unsafeSimulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/unsafeSimulationEngine.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAGvD,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC7C,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAE3D;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,UAAU,EAAE,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAAG,gBAAgB,CA6B3H"}
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import {
|
|
1
|
+
import { loadPolicy } from "@cloud-copilot/iam-policy";
|
|
2
2
|
import { authorize } from "../core_engine/coreSimulatorEngine.js";
|
|
3
3
|
import { AwsRequestImpl } from "../request/request.js";
|
|
4
4
|
import { RequestContextImpl } from "../requestContext.js";
|
|
@@ -11,15 +11,16 @@ import { RequestContextImpl } from "../requestContext.js";
|
|
|
11
11
|
* @returns The result of the simulation.
|
|
12
12
|
*/
|
|
13
13
|
export function runUnsafeSimulation(simulation, simulationOptions) {
|
|
14
|
-
const identityPolicies = Object.values(simulation.identityPolicies).map(p =>
|
|
14
|
+
const identityPolicies = Object.values(simulation.identityPolicies).map(p => loadPolicy(p.policy));
|
|
15
15
|
const serviceControlPolicies = simulation.serviceControlPolicies.map((scp) => {
|
|
16
16
|
const ouId = scp.orgIdentifier;
|
|
17
|
-
const policies = scp.policies.map(val =>
|
|
17
|
+
const policies = scp.policies.map(val => loadPolicy(val.policy));
|
|
18
18
|
return {
|
|
19
19
|
orgIdentifier: ouId,
|
|
20
20
|
policies: policies
|
|
21
21
|
};
|
|
22
22
|
});
|
|
23
|
+
const permissionBoundaries = simulation.permissionBoundaryPolicies?.map(val => loadPolicy(val.policy)) ?? undefined;
|
|
23
24
|
const requestContext = new RequestContextImpl(simulation.request.contextVariables);
|
|
24
25
|
const request = new AwsRequestImpl(simulation.request.principal, {
|
|
25
26
|
resource: simulation.request.resource.resource,
|
|
@@ -29,7 +30,8 @@ export function runUnsafeSimulation(simulation, simulationOptions) {
|
|
|
29
30
|
request,
|
|
30
31
|
identityPolicies,
|
|
31
32
|
serviceControlPolicies,
|
|
32
|
-
resourcePolicy: simulation.resourcePolicy ?
|
|
33
|
+
resourcePolicy: simulation.resourcePolicy ? loadPolicy(simulation.resourcePolicy) : undefined,
|
|
34
|
+
permissionBoundaries
|
|
33
35
|
});
|
|
34
36
|
return analysis.result;
|
|
35
37
|
}
|
|
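Review bot: `?? undefined` at new line 23 is redundant — `simulation.permissionBoundaryPolicies?.map(...)` already yields `undefined` when the property is absent — so the line can be `const permissionBoundaries = simulation.permissionBoundaryPolicies?.map(val => loadPolicy(val.policy));`. Unlike `runSimulation`, this path loads boundary policies without running `validateIdentityPolicy` first; that matches how identity policies are handled on new line 14 and is presumably the point of the "unsafe" variant, but the JSDoc above the hunk should say that the caller is responsible for validating `permissionBoundaryPolicies` as well.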
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"unsafeSimulationEngine.js","sourceRoot":"","sources":["../../../src/simulation_engine/unsafeSimulationEngine.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"unsafeSimulationEngine.js","sourceRoot":"","sources":["../../../src/simulation_engine/unsafeSimulationEngine.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;AACvD,OAAO,EAAE,SAAS,EAA0B,MAAM,uCAAuC,CAAC;AAE1F,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAI1D;;;;;;;GAOG;AACH,MAAM,UAAU,mBAAmB,CAAC,UAAsB,EAAE,iBAA6C;IACvG,MAAM,gBAAgB,GAAG,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;IACnG,MAAM,sBAAsB,GAA6B,UAAU,CAAC,sBAAsB,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;QACrG,MAAM,IAAI,GAAG,GAAG,CAAC,aAAa,CAAC;QAC/B,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC;QAEjE,OAAO;YACL,aAAa,EAAE,IAAI;YACnB,QAAQ,EAAE,QAAQ;SACnB,CAAA;IACH,CAAC,CAAC,CAAA;IAEF,MAAM,oBAAoB,GAAG,UAAU,CAAC,0BAA0B,EAAE,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,SAAS,CAAC;IAEpH,MAAM,cAAc,GAAG,IAAI,kBAAkB,CAAC,UAAU,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAA;IAClF,MAAM,OAAO,GAAG,IAAI,cAAc,CAAC,UAAU,CAAC,OAAO,CAAC,SAAS,EAAE;QAC/D,QAAQ,EAAE,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ;QAC9C,SAAS,EAAE,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS;KACjD,EAAE,UAAU,CAAC,OAAO,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;IAE9C,MAAM,QAAQ,GAAG,SAAS,CAAC;QACzB,OAAO;QACP,gBAAgB;QAChB,sBAAsB;QACtB,cAAc,EAAE,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,UAAU,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,SAAS;QAC7F,oBAAoB;KACrB,CAAC,CAAC;IAEH,OAAO,QAAQ,CAAC,MAAM,CAAC;AACzB,CAAC"}
|
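--- a/package/dist/esm/util.d.ts
+++ b/package/dist/esm/util.d.ts
@@ -1,7 +1,8 @@
 import { ResourceType } from '@cloud-copilot/iam-data';
 import { AwsRequest } from './request/request.js';
-interface StringReplaceOptions {
+export interface StringReplaceOptions {
 replaceWildcards: boolean;
+convertToRegex: boolean;
 }
 /**
 * This will convert a string to a regex that can be used to match against a string.
@@ -11,7 +12,14 @@ interface StringReplaceOptions {
 * @param requestContext the request context to get the variable values from
 * @returns a regex that can be used to match against a string
 */
-export declare function
+export declare function convertIamString(value: string, request: AwsRequest, replaceOptions: {
+replaceWildcards?: boolean;
+convertToRegex: false;
+}): string;
+export declare function convertIamString(value: string, request: AwsRequest, replaceOptions?: Partial<StringReplaceOptions>): {
+pattern: RegExp;
+errors?: string[];
+};
 export interface ArnParts {
 partition: string | undefined;
 service: string | undefined;
@@ -89,5 +97,25 @@ export declare function lowerCaseAll(strings: string[]): string[];
 * @returns the variables in the string, if any
 */
 export declare function getVariablesFromString(value: string): string[];
-
+/**
+* Tests if a principal string is an assumed role ARN
+*
+* @param principal the principal string to test
+* @returns true if the principal is an assumed role ARN, false otherwise
+*/
+export declare function isAssumedRoleArn(principal: string): boolean;
+/**
+* Test if a principal string is an IAM user ARN
+*
+* @param principal the principal string to test
+* @returns true if the principal is an IAM user ARN, false otherwise
+*/
+export declare function isIamUserArn(principal: string): boolean;
+/**
+* Test if a principal string is a federated user ARN
+*
+* @param principal the principal string to test
+* @returns true if the principal is a federated user ARN, false otherwise
+*/
+export declare function isFederatedUserArn(principal: string): boolean;
 //# sourceMappingURL=util.d.ts.map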
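Review bot: The JSDoc kept as context directly above the two new `convertIamString` overloads (`@returns a regex that can be used to match against a string`) no longer describes either signature: the `convertToRegex: false` overload returns a `string`, and the default overload returns `{ pattern: RegExp; errors?: string[] }`. This file is compiler output, so the wording belongs on the function in src/util.ts, e.g. `@returns the substituted string when convertToRegex is false; otherwise the compiled pattern together with any errors produced while converting`. The new `errors?` field in particular deserves a sentence on when it is populated and whether `pattern` is still safe to use when it is present, because a caller that ignores it would evaluate a policy against a partially converted pattern (the implementation is not in this diff, so that is inferred). The function body and the rest of the comment block are outside the hunk.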
package/dist/esm/util.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"util.d.ts","sourceRoot":"","sources":["../../src/util.ts"],"names":[],"mappings":"AAAA,OAAO,EAA4C,YAAY,EAAE,MAAM,yBAAyB,CAAA;AAChG,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAA;AAIjD,
|
|
1
|
+
{"version":3,"file":"util.d.ts","sourceRoot":"","sources":["../../src/util.ts"],"names":[],"mappings":"AAAA,OAAO,EAA4C,YAAY,EAAE,MAAM,yBAAyB,CAAA;AAChG,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAA;AAIjD,MAAM,WAAW,oBAAoB;IACnC,gBAAgB,EAAE,OAAO,CAAA;IACzB,cAAc,EAAE,OAAO,CAAA;CACxB;AAOD;;;;;;;GAOG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE;IAAC,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAAC,cAAc,EAAE,KAAK,CAAA;CAAC,GAAG,MAAM,CAAC;AAClJ,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,cAAc,CAAC,EAAE,OAAO,CAAC,oBAAoB,CAAC,GAAG;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAAC,CAAC;AA4H3J,MAAM,WAAW,QAAQ;IACvB,SAAS,EAAE,MAAM,GAAG,SAAS,CAAA;IAC7B,OAAO,EAAE,MAAM,GAAG,SAAS,CAAA;IAC3B,MAAM,EAAE,MAAM,GAAG,SAAS,CAAA;IAC1B,SAAS,EAAE,MAAM,GAAG,SAAS,CAAA;IAC7B,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAA;IAC5B,YAAY,EAAE,MAAM,GAAG,SAAS,CAAA;IAChC,YAAY,EAAE,MAAM,GAAG,SAAS,CAAA;CACjC;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,QAAQ,CAyBnD;AAED;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAgBtE;AAED;;;;;GAKG;AACH,wBAAgB,SAAS,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,GAAG,SAAS,GAAG,KAAK,IAAI,CAAC,CAE7D;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,GAAG,SAAS,GAAG,KAAK,IAAI,SAAS,CAExE;AAED;;;;;;;GAOG;AACH,wBAAsB,oBAAoB,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAG5F;AAED;;;;;;;GAOG;AACH,wBAAsB,yBAAyB,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,CAiB1H;AAED;;;;;GAKG;AACH,wBAAgB,6BAA6B,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAOrE;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE,CAExD;AAED;;;;;GAKG;AACH,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,EAAE,CAY9D;AAID;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAE3D;AAID;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAEvD;AAID;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAE7D"}
|