@cloud-copilot/iam-simulate 0.1.21 → 0.1.23

package/README.md

@@ -1,5 +1,158 @@
 # IAM Simulate
 
-Do not use this library. I mean, I can't stop you, so if you want to use it, go ahead.
+An AWS IAM Simulator and Policy Tester built as a Node/Typescript library.
 
-If you use this library and end up travelling back in time 30 years, then have to make sure your parents fall in love or else you'll never be born: please don't file a ticket because my only response will be "lol, same".
+The simulator currently supports these features of AWS IAM
+
+### IAM Feature Support
+
+- Identity Policies
+- Resource Policies
+- Service Control Policies
+- Permission Boundaries
+- All [AWS Condition Operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html)
+- Same Account and Cross Account Requests
+
+### Request Validation
+
+iam-simulate will automatically validate inputs including
+
+- IAM policies using [iam-policy](https://github.com/cloud-copilot/iam-policy)
+- IAM Actions using [iam-data](https://github.com/cloud-copilot/iam-data)
+- The resource ARN against allowed resource types for the action
+- The context keys allowed for the action/resource and their types.
+
+Currently all [global condition keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) are allowed for all requests which is not strictly true. More validation will be added in the future.
+
+### Explanation
+
+iam-simulate will detail which statements were decisive in the final decision to allow or deny a request.
+
+It will also return "explains" for each statement that was evaluated, detailing why that statement applied to the request or not.
+
+### Features Coming Soon
+
+- Resource Control Policies
+- Distinct Behavior for KMS and IAM Resource Policies
+- Session Policies
+- Validation of Global Condition Keys for each action
+- Automatically populating context keys from the request such as `aws:PrincipalServiceName`
+- Support for anonymous requests
+
+## Installation
+
+```bash
+npm install @cloud-copilot/iam-simulate
+```
+
+## Usage
+
+```typescript
+import { runSimulation, type Simulation } from '@cloud-copilot/iam-simulate'
+
+const simulation: Simulation = {
+  identityPolicies: [
+    {
+      name: 'userpolicy',
+      policy: {
+        Version: '2012-10-17',
+        Statement: [
+          {
+            Effect: 'Allow',
+            Action: ['s3:GetObject'],
+            Resource: ['arn:aws:s3:::mybucket/*']
+          }
+        ]
+      }
+    }
+  ],
+  serviceControlPolicies: [
+    {
+      orgIdentifier: 'ou-12345',
+      policies: [
+        {
+          name: 'AllowAll',
+          policy: {
+            Version: '2012-10-17',
+            Statement: [
+              {
+                Effect: 'Allow',
+                Action: '*',
+                Resource: '*'
+              }
+            ]
+          }
+        }
+      ]
+    }
+  ],
+  resourcePolicy: {
+    Version: '2012-10-17',
+    Statement: [
+      {
+        Effect: 'Allow',
+        Action: ['s3:GetObject'],
+        Resource: ['arn:aws:s3:::mybucket/*'],
+        Principal: 'aws:arn:iam::123456789012:root',
+        Condition: {
+          StringEquals: {
+            'aws:PrincipalOrgID': 'o-123456789012'
+          }
+        }
+      }
+    ]
+  },
+  request: {
+    action: 's3:GetObject',
+    principal: 'arn:aws:iam::123456789012:user/username',
+    resource: {
+      accountId: '123456789012',
+      resource: 'arn:aws:s3:::mybucket/file.txt'
+    },
+    contextVariables: {
+      'aws:PrincipalOrgID': 'o-123456789012'
+    }
+  }
+}
+
+const result = await runSimulation(simulation, {})
+//Check for validation errors:
+if (result.errors) {
+  console.log(result.errors.message)
+  console.log(JSON.stringify(result.errors, null, 2))
+}
+
+//The simulation ran successfully
+if (result.analysis) {
+  console.log(result.analysis.result) // 'Allowed', 'ExplicityDenied', or 'ImplicitlyDenied'
+
+  //Output the identity statements that allowed the request
+  const identityAllowExplains =
+    result?.analysis?.identityAnalysis?.allowStatements.map((s) => s.explain) || []
+  //Show which statements applied and exactly how.
+  for (const explain of identityAllowExplains) {
+    console.log(explain)
+  }
+}
+```
+
+This would output an explain that shows how the identity statement was evaluated:
+
+```javascript
+{
+  effect: 'Allow',
+  identifier: '1',
+  matches: true,
+  actionMatch: true,
+  principalMatch: 'Match',
+  resourceMatch: true,
+  conditionMatch: true,
+  resources: [
+    {
+      resource: 'arn:aws:s3:::mybucket/*',
+      matches: true,
+    }
+  ],
+  actions: [ { action: 's3:GetObject', matches: true } ],
+}
+```

package/dist/cjs/StatementAnalysis.d.ts

@@ -27,7 +27,7 @@ export interface StatementAnalysis {
      * Whether the Conditions matches the request.
      */
     conditionMatch: ConditionMatchResult;
-    explain?: StatementExplain;
+    explain: StatementExplain;
 }
 /**
  * Checks if a statement is an identity statement that allows the request.

package/dist/cjs/StatementAnalysis.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"StatementAnalysis.d.ts","sourceRoot":"","sources":["../../src/StatementAnalysis.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAA;AACrD,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAA;AAC/D,OAAO,EAAE,gBAAgB,EAAE,MAAM,+BAA+B,CAAA;AAChE,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAA;AAE/D;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IAChC;;OAEG;IACH,SAAS,EAAE,SAAS,CAAA;IAEpB;;OAEG;IACH,aAAa,EAAE,OAAO,CAAA;IAEtB;;OAEG;IACH,WAAW,EAAE,OAAO,CAAA;IAEpB;;OAEG;IACH,cAAc,EAAE,oBAAoB,CAAA;IAEpC;;OAEG;IACH,cAAc,EAAE,oBAAoB,CAAA;IAEpC,OAAO,CAAC,EAAE,gBAAgB,CAAA;CAC3B;AAED;;;;;GAKG;AACH,wBAAgB,uBAAuB,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO,CAU7E;AAsBD,wBAAgB,6BAA6B,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO,CAUnF;AAED,wBAAgB,gBAAgB,CAC9B,QAAQ,EAAE,IAAI,CACZ,iBAAiB,EACjB,aAAa,GAAG,gBAAgB,GAAG,gBAAgB,GAAG,eAAe,CACtE,GACA,OAAO,CAST"}
+{"version":3,"file":"StatementAnalysis.d.ts","sourceRoot":"","sources":["../../src/StatementAnalysis.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAA;AACrD,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAA;AAC/D,OAAO,EAAE,gBAAgB,EAAE,MAAM,+BAA+B,CAAA;AAChE,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAA;AAE/D;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IAChC;;OAEG;IACH,SAAS,EAAE,SAAS,CAAA;IAEpB;;OAEG;IACH,aAAa,EAAE,OAAO,CAAA;IAEtB;;OAEG;IACH,WAAW,EAAE,OAAO,CAAA;IAEpB;;OAEG;IACH,cAAc,EAAE,oBAAoB,CAAA;IAEpC;;OAEG;IACH,cAAc,EAAE,oBAAoB,CAAA;IAEpC,OAAO,EAAE,gBAAgB,CAAA;CAC1B;AAED;;;;;GAKG;AACH,wBAAgB,uBAAuB,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO,CAU7E;AAsBD,wBAAgB,6BAA6B,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO,CAUnF;AAED,wBAAgB,gBAAgB,CAC9B,QAAQ,EAAE,IAAI,CACZ,iBAAiB,EACjB,aAAa,GAAG,gBAAgB,GAAG,gBAAgB,GAAG,eAAe,CACtE,GACA,OAAO,CAST"}

package/dist/cjs/core_engine/{coreSimulatorEngine.d.ts → CoreSimulatorEngine.d.ts}

@@ -1,11 +1,11 @@
 import { Policy } from '@cloud-copilot/iam-policy';
-import { IdentityAnalysis, RequestAnalysis, ResourceAnalysis, ScpAnalysis } from '../evaluate.js';
+import { IdentityAnalysis, RcpAnalysis, RequestAnalysis, ResourceAnalysis, ScpAnalysis } from '../evaluate.js';
 import { AwsRequest } from '../request/request.js';
 import { ServiceAuthorizer } from '../services/ServiceAuthorizer.js';
 /**
- * A set of service control policies for each level of an organization tree
+ * A set of service or resource control policies for each level of an organization tree
  */
-export interface ServiceControlPolicies {
+export interface ControlPolicies {
     /**
      * The organization identifier for the organizational unit these policies apply to.
      */
@@ -29,9 +29,14 @@ export interface AuthorizationRequest {
     identityPolicies: Policy[];
     /**
      * The service control policies that apply to the principal making the request. In
-     * order of the orgnaization hierarchy. So the root ou SCPS should be first.
+     * order of the orgnaization hierarchy. So the root ou SCPs should be first.
      */
-    serviceControlPolicies: ServiceControlPolicies[];
+    serviceControlPolicies: ControlPolicies[];
+    /**
+     * The resource control policies that apply to the resource being accessed. In
+     * order of the orgnaization hierarchy. So the root ou RCPs should be first.
+     */
+    resourceControlPolicies: ControlPolicies[];
     /**
      * The resource policy that applies to the resource being accessed.
      */
@@ -67,13 +72,13 @@ export declare function getServiceAuthorizer(request: AuthorizationRequest): Ser
  */
 export declare function analyzeIdentityPolicies(identityPolicies: Policy[], request: AwsRequest): IdentityAnalysis;
 /**
- * Analyzes a set of service control policies and the statements within them.
+ * Analyzes a set of service or resource control policies and the statements within them.
  *
- * @param serviceControlPolicies the service control policies to analyze
+ * @param controlPolicies the control policies to analyze
  * @param request the request to analyze against
- * @returns an array of SCP analysis results
+ * @returns an array of SCP or RCP analysis results
  */
-export declare function analyzeServiceControlPolicies(serviceControlPolicies: ServiceControlPolicies[], request: AwsRequest): ScpAnalysis;
+export declare function analyzeControlPolicies(controlPolicies: ControlPolicies[], request: AwsRequest): ScpAnalysis | RcpAnalysis;
 /**
  * Analyze a resource policy and return the results
  *
@@ -81,6 +86,6 @@ export declare function analyzeServiceControlPolicies(serviceControlPolicies: Se
  * @param request the request to analyze against
  * @returns an array of statement analysis results
  */
-export declare function analyzeResourcePolicy(resourcePolicy: Policy | undefined, request: AwsRequest): ResourceAnalysis;
+export declare function analyzeResourcePolicy(resourcePolicy: Policy | undefined, request: AwsRequest, principalHasPermissionBoundary: boolean): ResourceAnalysis;
 export declare function analyzePermissionBoundaryPolicies(permissionBoundaries: Policy[] | undefined, request: AwsRequest): IdentityAnalysis | undefined;
-//# sourceMappingURL=coreSimulatorEngine.d.ts.map
+//# sourceMappingURL=CoreSimulatorEngine.d.ts.map

package/dist/cjs/core_engine/CoreSimulatorEngine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"CoreSimulatorEngine.d.ts","sourceRoot":"","sources":["../../../src/core_engine/CoreSimulatorEngine.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAa,MAAM,2BAA2B,CAAA;AAG7D,OAAO,EAEL,gBAAgB,EAEhB,WAAW,EACX,eAAe,EACf,gBAAgB,EAChB,WAAW,EACZ,MAAM,gBAAgB,CAAA;AAGvB,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAA;AAGlD,OAAO,EAAE,iBAAiB,EAAE,MAAM,kCAAkC,CAAA;AAQpE;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B;;OAEG;IACH,aAAa,EAAE,MAAM,CAAA;IAErB;;OAEG;IACH,QAAQ,EAAE,MAAM,EAAE,CAAA;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC;;OAEG;IACH,OAAO,EAAE,UAAU,CAAA;IAEnB;;OAEG;IACH,gBAAgB,EAAE,MAAM,EAAE,CAAA;IAE1B;;;OAGG;IACH,sBAAsB,EAAE,eAAe,EAAE,CAAA;IAEzC;;;OAGG;IACH,uBAAuB,EAAE,eAAe,EAAE,CAAA;IAE1C;;OAEG;IACH,cAAc,EAAE,MAAM,GAAG,SAAS,CAAA;IAElC;;OAEG;IACH,oBAAoB,EAAE,MAAM,EAAE,GAAG,SAAS,CAAA;CAC3C;AAID;;;;;;;GAOG;AACH,wBAAgB,SAAS,CAAC,OAAO,EAAE,oBAAoB,GAAG,eAAe,CA+BxE;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,oBAAoB,GAAG,iBAAiB,CAMrF;AAED;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CACrC,gBAAgB,EAAE,MAAM,EAAE,EAC1B,OAAO,EAAE,UAAU,GAClB,gBAAgB,CA+DlB;AAED;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CACpC,eAAe,EAAE,eAAe,EAAE,EAClC,OAAO,EAAE,UAAU,GAClB,WAAW,GAAG,WAAW,CA6E3B;AAED;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CACnC,cAAc,EAAE,MAAM,GAAG,SAAS,EAClC,OAAO,EAAE,UAAU,EACnB,8BAA8B,EAAE,OAAO,GACtC,gBAAgB,CA+GlB;AAED,wBAAgB,iCAAiC,CAC/C,oBAAoB,EAAE,MAAM,EAAE,GAAG,SAAS,EAC1C,OAAO,EAAE,UAAU,GAClB,gBAAgB,GAAG,SAAS,CAM9B"}

package/dist/cjs/core_engine/{coreSimulatorEngine.js → CoreSimulatorEngine.js}

@@ -3,7 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.authorize = authorize;
 exports.getServiceAuthorizer = getServiceAuthorizer;
 exports.analyzeIdentityPolicies = analyzeIdentityPolicies;
-exports.analyzeServiceControlPolicies = analyzeServiceControlPolicies;
+exports.analyzeControlPolicies = analyzeControlPolicies;
 exports.analyzeResourcePolicy = analyzeResourcePolicy;
 exports.analyzePermissionBoundaryPolicies = analyzePermissionBoundaryPolicies;
 const action_js_1 = require("../action/action.js");
@@ -22,15 +22,18 @@ const serviceEngines = {};
  * @returns the result of the authorization
  */
 function authorize(request) {
+    const principalHasPermissionBoundary = !!request.permissionBoundaries && request.permissionBoundaries.length > 0;
     const identityAnalysis = analyzeIdentityPolicies(request.identityPolicies, request.request);
     const permissionBoundaryAnalysis = analyzePermissionBoundaryPolicies(request.permissionBoundaries, request.request);
-    const scpAnalysis = analyzeServiceControlPolicies(request.serviceControlPolicies, request.request);
-    const resourceAnalysis = analyzeResourcePolicy(request.resourcePolicy, request.request);
+    const scpAnalysis = analyzeControlPolicies(request.serviceControlPolicies, request.request);
+    const rcpAnalysis = analyzeControlPolicies(request.resourceControlPolicies, request.request);
+    const resourceAnalysis = analyzeResourcePolicy(request.resourcePolicy, request.request, principalHasPermissionBoundary);
     const serviceAuthorizer = getServiceAuthorizer(request);
     return serviceAuthorizer.authorize({
         request: request.request,
         identityAnalysis,
         scpAnalysis,
+        rcpAnalysis,
         resourceAnalysis,
         permissionBoundaryAnalysis
     });
@@ -43,7 +46,7 @@ function authorize(request) {
  * @returns the service authorizer for the request
  */
 function getServiceAuthorizer(request) {
-    const serviceName = request.request.resource.service();
+    const serviceName = request.request.action.service();
     if (serviceEngines[serviceName]) {
         return new serviceEngines[serviceName]();
     }
@@ -103,15 +106,15 @@ function analyzeIdentityPolicies(identityPolicies, request) {
     return identityAnalysis;
 }
 /**
- * Analyzes a set of service control policies and the statements within them.
+ * Analyzes a set of service or resource control policies and the statements within them.
  *
- * @param serviceControlPolicies the service control policies to analyze
+ * @param controlPolicies the control policies to analyze
  * @param request the request to analyze against
- * @returns an array of SCP analysis results
+ * @returns an array of SCP or RCP analysis results
  */
-function analyzeServiceControlPolicies(serviceControlPolicies, request) {
+function analyzeControlPolicies(controlPolicies, request) {
     const analysis = [];
-    for (const controlPolicy of serviceControlPolicies) {
+    for (const controlPolicy of controlPolicies) {
         const ouAnalysis = {
             orgIdentifier: controlPolicy.orgIdentifier,
             result: 'ImplicitlyDenied',
@@ -180,7 +183,7 @@ function analyzeServiceControlPolicies(serviceControlPolicies, request) {
  * @param request the request to analyze against
  * @returns an array of statement analysis results
  */
-function analyzeResourcePolicy(resourcePolicy, request) {
+function analyzeResourcePolicy(resourcePolicy, request, principalHasPermissionBoundary) {
     const resourceAnalysis = {
         result: 'NotApplicable',
         allowStatements: [],
@@ -198,7 +201,26 @@ function analyzeResourcePolicy(resourcePolicy, request) {
     for (const statement of resourcePolicy.statements()) {
         const { matches: resourceMatch, details: resourceDetails } = (0, resource_js_1.requestMatchesStatementResources)(request, statement);
         const { matches: actionMatch, details: actionDetails } = (0, action_js_1.requestMatchesStatementActions)(request, statement);
-        const { matches: principalMatch, details: principalDetails } = (0, principal_js_1.requestMatchesStatementPrincipals)(request, statement);
+        let { matches: principalMatch, details: principalDetails } = (0, principal_js_1.requestMatchesStatementPrincipals)(request, statement);
+        const permissionBoundaryDetails = {};
+        /**
+         * "Don't use resource-based policy statements that include a NotPrincipal policy element with a
+         * Deny effect for IAM users or roles that have a permissions boundary policy attached.
+         * The NotPrincipal element with a Deny effect will always deny any IAM principal that
+         * has a permissions boundary policy attached, regardless of the values specified in the
+         * NotPrincipal element. This causes some IAM users or roles that would otherwise have access
+         * to the resource to lose access. We recommend changing your resource-based policy statements
+         * to use the condition operator ArnNotEquals with the aws:PrincipalArn context key to limit
+         * access instead of the NotPrincipal element. For information about permissions boundaries, see
+         * Permissions boundaries for IAM entities."
+         * https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
+         */
+        if (principalHasPermissionBoundary &&
+            statement.isNotPrincipalStatement() &&
+            statement.effect() === 'Deny') {
+            principalMatch = 'Match';
+            permissionBoundaryDetails.denyBecauseNpInRpAndPb = true;
+        }
         const { matches: conditionMatch, details: conditionDetails } = (0, condition_js_1.requestMatchesConditions)(request, statement.conditions());
         const overallMatch = (0, StatementAnalysis_js_1.statementMatches)({
             actionMatch,
@@ -259,4 +281,4 @@ function makeStatementExplain(statement, overallMatch, actionMatch, principalMat
         ...details
     };
 }
-//# sourceMappingURL=coreSimulatorEngine.js.map
+//# sourceMappingURL=CoreSimulatorEngine.js.map

package/dist/cjs/core_engine/CoreSimulatorEngine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"CoreSimulatorEngine.js","sourceRoot":"","sources":["../../../src/core_engine/CoreSimulatorEngine.ts"],"names":[],"mappings":";;AAuFA,8BA+BC;AASD,oDAMC;AASD,0DAkEC;AASD,wDAgFC;AASD,sDAmHC;AAED,8EASC;AA/aD,mDAAoE;AACpE,4DAA0F;AAW1F,4DAAmG;AAEnG,yDAA0E;AAC1E,yFAAkF;AAElF,kEAKgC;AAsDhC,MAAM,cAAc,GAAgD,EAAE,CAAA;AAEtE;;;;;;;GAOG;AACH,SAAgB,SAAS,CAAC,OAA6B;IACrD,MAAM,8BAA8B,GAClC,CAAC,CAAC,OAAO,CAAC,oBAAoB,IAAI,OAAO,CAAC,oBAAoB,CAAC,MAAM,GAAG,CAAC,CAAA;IAC3E,MAAM,gBAAgB,GAAG,uBAAuB,CAAC,OAAO,CAAC,gBAAgB,EAAE,OAAO,CAAC,OAAO,CAAC,CAAA;IAC3F,MAAM,0BAA0B,GAAG,iCAAiC,CAClE,OAAO,CAAC,oBAAoB,EAC5B,OAAO,CAAC,OAAO,CAChB,CAAA;IACD,MAAM,WAAW,GAAG,sBAAsB,CACxC,OAAO,CAAC,sBAAsB,EAC9B,OAAO,CAAC,OAAO,CACD,CAAA;IAChB,MAAM,WAAW,GAAG,sBAAsB,CACxC,OAAO,CAAC,uBAAuB,EAC/B,OAAO,CAAC,OAAO,CACD,CAAA;IAChB,MAAM,gBAAgB,GAAG,qBAAqB,CAC5C,OAAO,CAAC,cAAc,EACtB,OAAO,CAAC,OAAO,EACf,8BAA8B,CAC/B,CAAA;IAED,MAAM,iBAAiB,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAA;IACvD,OAAO,iBAAiB,CAAC,SAAS,CAAC;QACjC,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,gBAAgB;QAChB,WAAW;QACX,WAAW;QACX,gBAAgB;QAChB,0BAA0B;KAC3B,CAAC,CAAA;AACJ,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,oBAAoB,CAAC,OAA6B;IAChE,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAA;IACpD,IAAI,cAAc,CAAC,WAAW,CAAC,EAAE,CAAC;QAChC,OAAO,IAAI,cAAc,CAAC,WAAW,CAAC,EAAE,CAAA;IAC1C,CAAC;IACD,OAAO,IAAI,sDAAwB,EAAE,CAAA;AACvC,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,uBAAuB,CACrC,gBAA0B,EAC1B,OAAmB;IAEnB,MAAM,gBAAgB,GAAqB;QACzC,MAAM,EAAE,kBAAkB;QAC1B,eAAe,EAAE,EAAE;QACnB,cAAc,EAAE,EAAE;QAClB,mBAAmB,EAAE,EAAE;KACxB,CAAA;IAED,KAAK,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;QACtC,KAAK,MAAM,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;YAC5C,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,eAAe,EAAE,GAAG,IAAA,8CAAgC,EAC3F,OAAO,EACP,SAAS,CACV,CAAA;YACD,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,aAAa,EAAE,GAAG,IAAA,0CAA8B,EACrF,OAAO,EACP,SAAS,CACV,CAAA;YACD,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,IAAA,uCAAwB,EACrF,OAAO,EACP,SAAS,CAAC,UAAU,EAAE,CACvB,CAAA;YACD,MAAM,cAAc,GAAyB,OAAO,CAAA;YACpD,MAAM,YAAY,GAAG,IAAA,uCAAgB,EAAC;gBACpC,WAAW;gBACX,cAAc;gBACd,cAAc;gBACd,aAAa;aACd,CAAC,CAAA;YACF,MAAM,iBAAiB,GAAsB;gBAC3C,SAAS;gBACT,aAAa;gBACb,WAAW;gBACX,cAAc;gBACd,cAAc;gBACd,OAAO,EAAE,oBAAoB,CAC3B,SAAS,EACT,YAAY,EACZ,WAAW,EACX,cAAc,EACd,aAAa,EACb,cAAc,EACd,EAAE,GAAG,eAAe,EAAE,GAAG,aAAa,EAAE,GAAG,gBAAgB,EAAE,CAC9D;aACF,CAAA;YAED,IAAI,IAAA,oDAA6B,EAAC,iBAAiB,CAAC,EAAE,CAAC;gBACrD,gBAAgB,CAAC,cAAc,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;YACzD,CAAC;iBAAM,IAAI,IAAA,8CAAuB,EAAC,iBAAiB,CAAC,EAAE,CAAC;gBACtD,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;YAC1D,CAAC;iBAAM,CAAC;gBACN,gBAAgB,CAAC,mBAAmB,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;YAC9D,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,gBAAgB,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/C,gBAAgB,CAAC,MAAM,GAAG,kBAAkB,CAAA;IAC9C,CAAC;SAAM,IAAI,gBAAgB,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvD,gBAAgB,CAAC,MAAM,GAAG,SAAS,CAAA;IACrC,CAAC;IAED,OAAO,gBAAgB,CAAA;AACzB,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,sBAAsB,CACpC,eAAkC,EAClC,OAAmB;IAEnB,MAAM,QAAQ,GAAoB,EAAE,CAAA;IACpC,KAAK,MAAM,aAAa,IAAI,eAAe,EAAE,CAAC;QAC5C,MAAM,UAAU,GAAkB;YAChC,aAAa,EAAE,aAAa,CAAC,aAAa;YAC1C,MAAM,EAAE,kBAAkB;YAC1B,eAAe,EAAE,EAAE;YACnB,cAAc,EAAE,EAAE;YAClB,mBAAmB,EAAE,EAAE;SACxB,CAAA;QACD,KAAK,MAAM,MAAM,IAAI,aAAa,CAAC,QAAQ,EAAE,CAAC;YAC5C,KAAK,MAAM,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;gBAC5C,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,eAAe,EAAE,GACxD,IAAA,8CAAgC,EAAC,OAAO,EAAE,SAAS,CAAC,CAAA;gBACtD,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,aAAa,EAAE,GAAG,IAAA,0CAA8B,EACrF,OAAO,EACP,SAAS,CACV,CAAA;gBACD,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,IAAA,uCAAwB,EACrF,OAAO,EACP,SAAS,CAAC,UAAU,EAAE,CACvB,CAAA;gBACD,MAAM,cAAc,GAAyB,OAAO,CAAA;gBACpD,MAAM,YAAY,GAAG,IAAA,uCAAgB,EAAC;oBACpC,WAAW;oBACX,cAAc;oBACd,cAAc;oBACd,aAAa;iBACd,CAAC,CAAA;gBACF,MAAM,iBAAiB,GAAsB;oBAC3C,SAAS;oBACT,aAAa;oBACb,WAAW;oBACX,cAAc;oBACd,cAAc;oBACd,OAAO,EAAE,oBAAoB,CAC3B,SAAS,EACT,YAAY,EACZ,WAAW,EACX,cAAc,EACd,aAAa,EACb,cAAc,EACd,EAAE,GAAG,eAAe,EAAE,GAAG,aAAa,EAAE,GAAG,gBAAgB,EAAE,CAC9D;iBACF,CAAA;gBAED,IAAI,IAAA,8CAAuB,EAAC,iBAAiB,CAAC,EAAE,CAAC;oBAC/C,UAAU,CAAC,eAAe,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;gBACpD,CAAC;qBAAM,IAAI,IAAA,oDAA6B,EAAC,iBAAiB,CAAC,EAAE,CAAC;oBAC5D,UAAU,CAAC,cAAc,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;gBACnD,CAAC;qBAAM,CAAC;oBACN,UAAU,CAAC,mBAAmB,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;gBACxD,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,UAAU,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzC,UAAU,CAAC,MAAM,GAAG,kBAAkB,CAAA;QACxC,CAAC;aAAM,IAAI,UAAU,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACjD,UAAU,CAAC,MAAM,GAAG,SAAS,CAAA;QAC/B,CAAC;QACD,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;IAC3B,CAAC;IAED,IAAI,aAAa,GAAqB,kBAAkB,CAAA;IACxD,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,MAAM,KAAK,kBAAkB,CAAC,EAAE,CAAC;QAC5D,aAAa,GAAG,kBAAkB,CAAA;IACpC,CAAC;SAAM,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,eAAe,CAAC,MAAM,KAAK,CAAC,CAAC,EAAE,CAAC;QAClE,aAAa,GAAG,kBAAkB,CAAA;IACpC,CAAC;SAAM,IAAI,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,MAAM,KAAK,SAAS,CAAC,EAAE,CAAC;QAC3D,aAAa,GAAG,SAAS,CAAA;IAC3B,CAAC;IAED,OAAO;QACL,MAAM,EAAE,aAAa;QACrB,UAAU,EAAE,QAAQ;KACrB,CAAA;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,qBAAqB,CACnC,cAAkC,EAClC,OAAmB,EACnB,8BAAuC;IAEvC,MAAM,gBAAgB,GAAqB;QACzC,MAAM,EAAE,eAAe;QACvB,eAAe,EAAE,EAAE;QACnB,cAAc,EAAE,EAAE;QAClB,mBAAmB,EAAE,EAAE;KACxB,CAAA;IAED,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,OAAO,gBAAgB,CAAA;IACzB,CAAC;IAED,MAAM,qBAAqB,GAA2B;QACpD,OAAO;QACP,kBAAkB;QAClB,kBAAkB;KACnB,CAAA;IAED,KAAK,MAAM,SAAS,IAAI,cAAc,CAAC,UAAU,EAAE,EAAE,CAAC;QACpD,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,eAAe,EAAE,GAAG,IAAA,8CAAgC,EAC3F,OAAO,EACP,SAAS,CACV,CAAA;QACD,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,aAAa,EAAE,GAAG,IAAA,0CAA8B,EACrF,OAAO,EACP,SAAS,CACV,CAAA;QACD,IAAI,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,IAAA,gDAAiC,EAC5F,OAAO,EACP,SAAS,CACV,CAAA;QAED,MAAM,yBAAyB,GAAqD,EAAE,CAAA;QAEtF;;;;;;;;;;;WAWG;QACH,IACE,8BAA8B;YAC9B,SAAS,CAAC,uBAAuB,EAAE;YACnC,SAAS,CAAC,MAAM,EAAE,KAAK,MAAM,EAC7B,CAAC;YACD,cAAc,GAAG,OAAO,CAAA;YACxB,yBAAyB,CAAC,sBAAsB,GAAG,IAAI,CAAA;QACzD,CAAC;QAED,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,IAAA,uCAAwB,EACrF,OAAO,EACP,SAAS,CAAC,UAAU,EAAE,CACvB,CAAA;QACD,MAAM,YAAY,GAAG,IAAA,uCAAgB,EAAC;YACpC,WAAW;YACX,cAAc;YACd,cAAc;YACd,aAAa;SACd,CAAC,CAAA;QACF,MAAM,QAAQ,GAAsB;YAClC,SAAS;YACT,aAAa,EAAE,aAAa;YAC5B,WAAW;YACX,cAAc;YACd,cAAc;YACd,OAAO,EAAE,oBAAoB,CAC3B,SAAS,EACT,YAAY,EACZ,WAAW,EACX,cAAc,EACd,aAAa,EACb,cAAc,EACd,EAAE,GAAG,eAAe,EAAE,GAAG,aAAa,EAAE,GAAG,gBAAgB,EAAE,GAAG,gBAAgB,EAAE,CACnF;SACF,CAAA;QACD,IAAI,IAAA,oDAA6B,EAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;YACrF,gBAAgB,CAAC,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QAChD,CAAC;aAAM,IAAI,IAAA,8CAAuB,EAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;YACtF,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACjD,CAAC;aAAM,CAAC;YACN,gBAAgB,CAAC,mBAAmB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACrD,CAAC;IACH,CAAC;IAED,IACE,gBAAgB,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,qBAAqB,CAAC,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,EAC7F,CAAC;QACD,gBAAgB,CAAC,MAAM,GAAG,kBAAkB,CAAA;IAC9C,CAAC;SAAM,IACL,gBAAgB,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,mBAAmB,CAAC,EACrF,CAAC;QACD,gBAAgB,CAAC,MAAM,GAAG,kBAAkB,CAAA;IAC9C,CAAC;SAAM,IACL,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,qBAAqB,CAAC,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,EAC9F,CAAC;QACD,gBAAgB,CAAC,MAAM,GAAG,SAAS,CAAA;IACrC,CAAC;SAAM,IACL,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,mBAAmB,CAAC,EACtF,CAAC;QACD,gBAAgB,CAAC,MAAM,GAAG,mBAAmB,CAAA;IAC/C,CAAC;SAAM,CAAC;QACN,gBAAgB,CAAC,MAAM,GAAG,eAAe,CAAA;IAC3C,CAAC;IAED,OAAO,gBAAgB,CAAA;AACzB,CAAC;AAED,SAAgB,iCAAiC,CAC/C,oBAA0C,EAC1C,OAAmB;IAEnB,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAC1B,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,OAAO,uBAAuB,CAAC,oBAAoB,EAAE,OAAO,CAAC,CAAA;AAC/D,CAAC;AAED,SAAS,oBAAoB,CAC3B,SAAoB,EACpB,YAAqB,EACrB,WAAoB,EACpB,cAAqC,EACrC,aAAsB,EACtB,cAAoC,EACpC,OAAkC;IAElC,OAAO;QACL,MAAM,EAAE,SAAS,CAAC,MAAM,EAAE;QAC1B,UAAU,EAAE,SAAS,CAAC,GAAG,EAAE,IAAI,SAAS,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE;QAC3D,OAAO,EAAE,YAAY;QACrB,WAAW;QACX,cAAc;QACd,aAAa;QACb,cAAc,EAAE,cAAc,KAAK,OAAO;QAC1C,GAAG,OAAO;KACX,CAAA;AACH,CAAC"}

package/dist/cjs/evaluate.d.ts

@@ -1,5 +1,5 @@
 import { StatementAnalysis } from './StatementAnalysis.js';
-export type EvaluationResult = 'Allowed' | 'ExplicitlyDenied' | 'AllowedWithConditions' | 'ImplicitlyDenied' | 'Unknown';
+export type EvaluationResult = 'Allowed' | 'ExplicitlyDenied' | 'ImplicitlyDenied';
 export type ResourceEvaluationResult = 'NotApplicable' | 'Allowed' | 'ExplicitlyDenied' | 'AllowedForAccount' | 'DeniedForAccount' | 'ImplicityDenied';
 export interface IdentityAnalysis {
     result: EvaluationResult;
@@ -27,6 +27,20 @@ export interface ScpAnalysis {
     result: EvaluationResult;
     ouAnalysis: OuScpAnalysis[];
 }
+export interface OuRcpAnalysis {
+    orgIdentifier: string;
+    result: EvaluationResult;
+    denyStatements: StatementAnalysis[];
+    allowStatements: StatementAnalysis[];
+    unmatchedStatements: StatementAnalysis[];
+}
+export interface RcpAnalysis {
+    /**
+     * OU Result
+     */
+    result: EvaluationResult;
+    ouAnalysis: OuRcpAnalysis[];
+}
 /**
  * The analysis of a request.
  */
@@ -35,6 +49,9 @@ export interface RequestAnalysis {
      * The result of the evaluation.
      */
     result: EvaluationResult;
+    /**
+     * Whether the principal and the resource are in the same account.
+     */
     sameAccount: boolean;
     /**
      * The result of the evaluation of the resource policy.
@@ -44,7 +61,17 @@ export interface RequestAnalysis {
      * The result of the evaluation of the resource policy.
      */
     resourceAnalysis?: ResourceAnalysis;
+    /**
+     * The result of the evaluation of the SCPs
+     */
     scpAnalysis?: ScpAnalysis;
+    /**
+     * The result of the evaluation of the RCPs
+     */
+    rcpAnalysis?: RcpAnalysis;
+    /**
+     * The result of the evaluation of the permission boundary.
+     */
     permissionBoundaryAnalysis?: IdentityAnalysis | undefined;
 }
 //# sourceMappingURL=evaluate.d.ts.map

package/dist/cjs/evaluate.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"evaluate.d.ts","sourceRoot":"","sources":["../../src/evaluate.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAE1D,MAAM,MAAM,gBAAgB,GACxB,SAAS,GACT,kBAAkB,GAClB,uBAAuB,GACvB,kBAAkB,GAClB,SAAS,CAAA;AACb,MAAM,MAAM,wBAAwB,GAChC,eAAe,GACf,SAAS,GACT,kBAAkB,GAClB,mBAAmB,GACnB,kBAAkB,GAClB,iBAAiB,CAAA;AAErB,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,gBAAgB,CAAA;IACxB,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,wBAAwB,CAAA;IAChC,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,aAAa;IAC5B,aAAa,EAAE,MAAM,CAAA;IACrB,MAAM,EAAE,gBAAgB,CAAA;IACxB,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,WAAW;IAC1B;;OAEG;IACH,MAAM,EAAE,gBAAgB,CAAA;IACxB,UAAU,EAAE,aAAa,EAAE,CAAA;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B;;OAEG;IACH,MAAM,EAAE,gBAAgB,CAAA;IAExB,WAAW,EAAE,OAAO,CAAA;IAEpB;;OAEG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAA;IAEnC;;OAEG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAA;IAEnC,WAAW,CAAC,EAAE,WAAW,CAAA;IAEzB,0BAA0B,CAAC,EAAE,gBAAgB,GAAG,SAAS,CAAA;CAC1D"}
+{"version":3,"file":"evaluate.d.ts","sourceRoot":"","sources":["../../src/evaluate.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAE1D,MAAM,MAAM,gBAAgB,GAAG,SAAS,GAAG,kBAAkB,GAAG,kBAAkB,CAAA;AAClF,MAAM,MAAM,wBAAwB,GAChC,eAAe,GACf,SAAS,GACT,kBAAkB,GAClB,mBAAmB,GACnB,kBAAkB,GAClB,iBAAiB,CAAA;AAErB,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,gBAAgB,CAAA;IACxB,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,wBAAwB,CAAA;IAChC,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,aAAa;IAC5B,aAAa,EAAE,MAAM,CAAA;IACrB,MAAM,EAAE,gBAAgB,CAAA;IACxB,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,WAAW;IAC1B;;OAEG;IACH,MAAM,EAAE,gBAAgB,CAAA;IACxB,UAAU,EAAE,aAAa,EAAE,CAAA;CAC5B;AAED,MAAM,WAAW,aAAa;IAC5B,aAAa,EAAE,MAAM,CAAA;IACrB,MAAM,EAAE,gBAAgB,CAAA;IACxB,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,WAAW;IAC1B;;OAEG;IACH,MAAM,EAAE,gBAAgB,CAAA;IACxB,UAAU,EAAE,aAAa,EAAE,CAAA;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B;;OAEG;IACH,MAAM,EAAE,gBAAgB,CAAA;IAExB;;OAEG;IACH,WAAW,EAAE,OAAO,CAAA;IAEpB;;OAEG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAA;IAEnC;;OAEG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAA;IAEnC;;OAEG;IACH,WAAW,CAAC,EAAE,WAAW,CAAA;IAEzB;;OAEG;IACH,WAAW,CAAC,EAAE,WAAW,CAAA;IAEzB;;OAEG;IACH,0BAA0B,CAAC,EAAE,gBAAgB,GAAG,SAAS,CAAA;CAC1D"}

package/dist/cjs/explain/statementExplain.d.ts

@@ -85,5 +85,14 @@ export interface StatementExplain {
     principals?: PrincipalExplain | PrincipalExplain[];
     notPrincipals?: PrincipalExplain | PrincipalExplain[];
     conditions?: ConditionExplain[];
+    /**
+     * The statement was denied because the resource policy has a NotPrincipal in a Deny
+     * statement and the principal has a Permission Boundary.
+     *
+     * This will always resolve to to Deny.
+     *
+     * https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
+     */
+    denyBecauseNpInRpAndPb?: boolean;
 }
 //# sourceMappingURL=statementExplain.d.ts.map

package/dist/cjs/explain/statementExplain.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"statementExplain.d.ts","sourceRoot":"","sources":["../../../src/explain/statementExplain.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,qBAAqB,GAC7B,OAAO,GACP,SAAS,GACT,mBAAmB,GACnB,kBAAkB,GAClB,kBAAkB,CAAA;AAEtB,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,EAAE,OAAO,CAAA;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAA;IAChB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;IACjB,OAAO,EAAE,OAAO,CAAA;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,qBAAqB,CAAA;IAC9B,iBAAiB,CAAC,EAAE,MAAM,CAAA;IAC1B,iBAAiB,CAAC,EAAE,MAAM,CAAA;IAC1B,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAClB;AAED,MAAM,WAAW,qBAAqB;IACpC,KAAK,EAAE,MAAM,CAAA;IACb,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,OAAO,EAAE,OAAO,CAAA;IAChB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;IACzB,sBAAsB,CAAC,EAAE,MAAM,EAAE,CAAA;IACjC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAClB;AAED,MAAM,WAAW,gBAAgB;IAC/B;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAA;IAEhB;;OAEG;IACH,iBAAiB,EAAE,MAAM,CAAA;IAEzB;;OAEG;IACH,yBAAyB,CAAC,EAAE,MAAM,CAAA;IAClC,MAAM,EAAE,qBAAqB,GAAG,qBAAqB,EAAE,CAAA;IAEvD;;OAEG;IACH,eAAe,CAAC,EAAE,MAAM,EAAE,CAAA;IAE1B;;OAEG;IACH,OAAO,EAAE,OAAO,CAAA;IAEhB;;OAEG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAA;IAE/B;;OAEG;IACH,oBAAoB,CAAC,EAAE,OAAO,CAAA;IAE9B;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAA;IAE5B;;;OAGG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAA;IAC/B;;OAEG;IACH,eAAe,CAAC,EAAE,OAAO,CAAA;CAC1B;AAED,MAAM,WAAW,gBAAgB;IAC/B,WAAW,EAAE,OAAO,CAAA;IACpB,aAAa,EAAE,OAAO,CAAA;IACtB,cAAc,EAAE,qBAAqB,CAAA;IACrC,cAAc,EAAE,OAAO,CAAA;IAEvB,OAAO,EAAE,OAAO,CAAA;IAChB,UAAU,EAAE,MAAM,CAAA;IAClB,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,CAAC,EAAE,aAAa,GAAG,aAAa,EAAE,CAAA;IACzC,UAAU,CAAC,EAAE,aAAa,GAAG,aAAa,EAAE,CAAA;IAC5C,SAAS,CAAC,EAAE,eAAe,GAAG,eAAe,EAAE,CAAA;IAC/C,YAAY,CAAC,EAAE,eAAe,GAAG,eAAe,EAAE,CAAA;IAClD,UAAU,CAAC,EAAE,gBAAgB,GAAG,gBAAgB,EAAE,CAAA;IAClD,aAAa,CAAC,EAAE,gBAAgB,GAAG,gBAAgB,EAAE,CAAA;IACrD,UAAU,CAAC,EAAE,gBAAgB,EAAE,CAAA;CAChC"}
+{"version":3,"file":"statementExplain.d.ts","sourceRoot":"","sources":["../../../src/explain/statementExplain.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,qBAAqB,GAC7B,OAAO,GACP,SAAS,GACT,mBAAmB,GACnB,kBAAkB,GAClB,kBAAkB,CAAA;AAEtB,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,EAAE,OAAO,CAAA;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAA;IAChB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;IACjB,OAAO,EAAE,OAAO,CAAA;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,qBAAqB,CAAA;IAC9B,iBAAiB,CAAC,EAAE,MAAM,CAAA;IAC1B,iBAAiB,CAAC,EAAE,MAAM,CAAA;IAC1B,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAClB;AAED,MAAM,WAAW,qBAAqB;IACpC,KAAK,EAAE,MAAM,CAAA;IACb,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,OAAO,EAAE,OAAO,CAAA;IAChB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;IACzB,sBAAsB,CAAC,EAAE,MAAM,EAAE,CAAA;IACjC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAClB;AAED,MAAM,WAAW,gBAAgB;IAC/B;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAA;IAEhB;;OAEG;IACH,iBAAiB,EAAE,MAAM,CAAA;IAEzB;;OAEG;IACH,yBAAyB,CAAC,EAAE,MAAM,CAAA;IAClC,MAAM,EAAE,qBAAqB,GAAG,qBAAqB,EAAE,CAAA;IAEvD;;OAEG;IACH,eAAe,CAAC,EAAE,MAAM,EAAE,CAAA;IAE1B;;OAEG;IACH,OAAO,EAAE,OAAO,CAAA;IAEhB;;OAEG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAA;IAE/B;;OAEG;IACH,oBAAoB,CAAC,EAAE,OAAO,CAAA;IAE9B;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAA;IAE5B;;;OAGG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAA;IAC/B;;OAEG;IACH,eAAe,CAAC,EAAE,OAAO,CAAA;CAC1B;AAED,MAAM,WAAW,gBAAgB;IAC/B,WAAW,EAAE,OAAO,CAAA;IACpB,aAAa,EAAE,OAAO,CAAA;IACtB,cAAc,EAAE,qBAAqB,CAAA;IACrC,cAAc,EAAE,OAAO,CAAA;IAEvB,OAAO,EAAE,OAAO,CAAA;IAChB,UAAU,EAAE,MAAM,CAAA;IAClB,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,CAAC,EAAE,aAAa,GAAG,aAAa,EAAE,CAAA;IACzC,UAAU,CAAC,EAAE,aAAa,GAAG,aAAa,EAAE,CAAA;IAC5C,SAAS,CAAC,EAAE,eAAe,GAAG,eAAe,EAAE,CAAA;IAC/C,YAAY,CAAC,EAAE,eAAe,GAAG,eAAe,EAAE,CAAA;IAClD,UAAU,CAAC,EAAE,gBAAgB,GAAG,gBAAgB,EAAE,CAAA;IAClD,aAAa,CAAC,EAAE,gBAAgB,GAAG,gBAAgB,EAAE,CAAA;IACrD,UAAU,CAAC,EAAE,gBAAgB,EAAE,CAAA;IAE/B;;;;;;;OAOG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAA;CACjC"}

package/dist/cjs/explain/statementExplain.js.map

@@ -1 +1 @@
-{"version":3,"file":"statementExplain.js","sourceRoot":"","sources":["../../../src/explain/statementExplain.ts"],"names":[],"mappings":";;AA6GA;;;EAGE"}
+{"version":3,"file":"statementExplain.js","sourceRoot":"","sources":["../../../src/explain/statementExplain.ts"],"names":[],"mappings":";;AAuHA;;;EAGE"}

package/dist/cjs/index.d.ts

@@ -4,8 +4,9 @@ export { findContextKeys } from './context_keys/findContextKeys.js';
 export { type EvaluationResult } from './evaluate.js';
 export type { ActionExplain, ConditionExplain, ConditionValueExplain, ExplainPrincipalMatch, PrincipalExplain, ResourceExplain, StatementExplain } from './explain/statementExplain.js';
 export { allowedContextKeysForRequest } from './simulation_engine/contextKeys.js';
-export { type Simulation } from './simulation_engine/simulation.js';
+export type { Simulation } from './simulation_engine/simulation.js';
 export { runSimulation } from './simulation_engine/simulationEngine.js';
+export type { SimulationErrors, SimulationResult } from './simulation_engine/simulationEngine.js';
 export { type SimulationOptions } from './simulation_engine/simulationOptions.js';
 export { runUnsafeSimulation } from './simulation_engine/unsafeSimulationEngine.js';
 export { isWildcardOnlyAction } from './util.js';

package/dist/cjs/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAA;AACjE,OAAO,EACL,oBAAoB,EACpB,mBAAmB,EACnB,KAAK,gBAAgB,EACtB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAA;AACnE,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,eAAe,CAAA;AACrD,YAAY,EACV,aAAa,EACb,gBAAgB,EAChB,qBAAqB,EACrB,qBAAqB,EACrB,gBAAgB,EAChB,eAAe,EACf,gBAAgB,EACjB,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAA;AACjF,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,mCAAmC,CAAA;AACnE,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAA;AACvE,OAAO,EAAE,KAAK,iBAAiB,EAAE,MAAM,0CAA0C,CAAA;AACjF,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAA;AACnF,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAA;AACjE,OAAO,EACL,oBAAoB,EACpB,mBAAmB,EACnB,KAAK,gBAAgB,EACtB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAA;AACnE,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,eAAe,CAAA;AACrD,YAAY,EACV,aAAa,EACb,gBAAgB,EAChB,qBAAqB,EACrB,qBAAqB,EACrB,gBAAgB,EAChB,eAAe,EACf,gBAAgB,EACjB,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAA;AACjF,YAAY,EAAE,UAAU,EAAE,MAAM,mCAAmC,CAAA;AACnE,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAA;AACvE,YAAY,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,yCAAyC,CAAA;AACjG,OAAO,EAAE,KAAK,iBAAiB,EAAE,MAAM,0CAA0C,CAAA;AACjF,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAA;AACnF,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAA"}

package/dist/cjs/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,gEAAiE;AAAxD,mHAAA,iBAAiB,OAAA;AAC1B,wEAI0C;AAFxC,yHAAA,mBAAmB,OAAA;AAGrB,wEAAmE;AAA1D,qHAAA,eAAe,OAAA;AAWxB,qEAAiF;AAAxE,8HAAA,4BAA4B,OAAA;AAErC,+EAAuE;AAA9D,oHAAA,aAAa,OAAA;AAEtB,2FAAmF;AAA1E,gIAAA,mBAAmB,OAAA;AAC5B,qCAAgD;AAAvC,+GAAA,oBAAoB,OAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,gEAAiE;AAAxD,mHAAA,iBAAiB,OAAA;AAC1B,wEAI0C;AAFxC,yHAAA,mBAAmB,OAAA;AAGrB,wEAAmE;AAA1D,qHAAA,eAAe,OAAA;AAWxB,qEAAiF;AAAxE,8HAAA,4BAA4B,OAAA;AAErC,+EAAuE;AAA9D,oHAAA,aAAa,OAAA;AAGtB,2FAAmF;AAA1E,gIAAA,mBAAmB,OAAA;AAC5B,qCAAgD;AAAvC,+GAAA,oBAAoB,OAAA"}

package/dist/cjs/services/DefaultServiceAuthorizer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAA;AAEhD,OAAO,EAAE,2BAA2B,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAEvF;;GAEG;AACH,qBAAa,wBAAyB,YAAW,iBAAiB;IACzD,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe;CAqJxE"}
+{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAA;AAEhD,OAAO,EAAE,2BAA2B,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAEvF;;GAEG;AACH,qBAAa,wBAAyB,YAAW,iBAAiB;IACzD,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe;CA8JxE"}

package/dist/cjs/services/DefaultServiceAuthorizer.js

@@ -8,6 +8,7 @@ const util_js_1 = require("../util.js");
 class DefaultServiceAuthorizer {
     authorize(request) {
         const scpResult = request.scpAnalysis.result;
+        const rcpResult = request.rcpAnalysis.result;
         const identityStatementResult = request.identityAnalysis.result;
         const resourcePolicyResult = request.resourceAnalysis?.result;
         const permissionBoundaryResult = request.permissionBoundaryAnalysis?.result;
@@ -18,6 +19,7 @@ class DefaultServiceAuthorizer {
             sameAccount,
             identityAnalysis: request.identityAnalysis,
             scpAnalysis: request.scpAnalysis,
+            rcpAnalysis: request.rcpAnalysis,
             resourceAnalysis: request.resourceAnalysis,
             permissionBoundaryAnalysis: request.permissionBoundaryAnalysis
         };
@@ -27,6 +29,12 @@ class DefaultServiceAuthorizer {
                 ...baseResult
             };
         }
+        if (rcpResult !== 'Allowed') {
+            return {
+                result: rcpResult,
+                ...baseResult
+            };
+        }
         if (resourcePolicyResult === 'ExplicitlyDenied' ||
             resourcePolicyResult === 'DeniedForAccount') {
             return {
@@ -120,9 +128,8 @@ class DefaultServiceAuthorizer {
         };
         /**
          * Add checks for:
+         * * root user - can override resource policies for most resource types
          * * session policies
-         * * resource control policies
-         * * root user
          * * service linked roles
          * * vpc endpoint policies
          * * organization APIs and delegated admin policy

package/dist/cjs/services/DefaultServiceAuthorizer.js.map

@@ -1 +1 @@
-{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":";;;AACA,wCAA+E;AAG/E;;GAEG;AACH,MAAa,wBAAwB;IAC5B,SAAS,CAAC,OAAoC;QACnD,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,uBAAuB,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAA;QAC/D,MAAM,oBAAoB,GAAG,OAAO,CAAC,gBAAgB,EAAE,MAAM,CAAA;QAC7D,MAAM,wBAAwB,GAAG,OAAO,CAAC,0BAA0B,EAAE,MAAM,CAAA;QAE3E,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;QAC7D,MAAM,WAAW,GAAG,gBAAgB,KAAK,eAAe,CAAA;QAExD,MAAM,UAAU,GAOZ;YACF,WAAW;YACX,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,0BAA0B,EAAE,OAAO,CAAC,0BAA0B;SAC/D,CAAA;QAED,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IACE,oBAAoB,KAAK,kBAAkB;YAC3C,oBAAoB,KAAK,kBAAkB,EAC3C,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,uBAAuB,KAAK,kBAAkB,EAAE,CAAC;YACnD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACpD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,cAAc;QACd,IAAI,gBAAgB,KAAK,eAAe,EAAE,CAAC;YACzC,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;gBACpD;;;;;;;mBAOG;gBACH,IAAI,oBAAoB,KAAK,SAAS,EAAE,CAAC;oBACvC,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;oBACnD,IACE,IAAA,0BAAgB,EAAC,SAAS,CAAC;wBAC3B,IAAA,sBAAY,EAAC,SAAS,CAAC;wBACvB,IAAA,4BAAkB,EAAC,SAAS,CAAC,EAC7B,CAAC;wBACD,IACE,OAAO,CAAC,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC3C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,OAAO,CACpD,EACD,CAAC;4BACD,OAAO;gCACL,MAAM,EAAE,SAAS;gCACjB,GAAG,UAAU;6BACd,CAAA;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;gBACD,OAAO;oBACL,MAAM,EAAE,kBAAkB;oBAC1B,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YAED;;;;;;;;cAQE;YACF,IAAI,oBAAoB,KAAK,SAAS,IAAI,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBAChF,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,eAAe;QACf,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACpD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,oBAAoB,KAAK,SAAS,IAAI,oBAAoB,KAAK,mBAAmB,EAAE,CAAC;YACvF,IAAI,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBAC1C,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,OAAO;YACL,MAAM,EAAE,kBAAkB;YAC1B,GAAG,UAAU;SACd,CAAA;QAED;;;;;;;;WAQG;IACL,CAAC;CACF;AAtJD,4DAsJC"}
+{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":";;;AACA,wCAA+E;AAG/E;;GAEG;AACH,MAAa,wBAAwB;IAC5B,SAAS,CAAC,OAAoC;QACnD,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,uBAAuB,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAA;QAC/D,MAAM,oBAAoB,GAAG,OAAO,CAAC,gBAAgB,EAAE,MAAM,CAAA;QAC7D,MAAM,wBAAwB,GAAG,OAAO,CAAC,0BAA0B,EAAE,MAAM,CAAA;QAE3E,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;QAC7D,MAAM,WAAW,GAAG,gBAAgB,KAAK,eAAe,CAAA;QAExD,MAAM,UAAU,GAQZ;YACF,WAAW;YACX,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,0BAA0B,EAAE,OAAO,CAAC,0BAA0B;SAC/D,CAAA;QAED,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IACE,oBAAoB,KAAK,kBAAkB;YAC3C,oBAAoB,KAAK,kBAAkB,EAC3C,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,uBAAuB,KAAK,kBAAkB,EAAE,CAAC;YACnD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACpD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,cAAc;QACd,IAAI,gBAAgB,KAAK,eAAe,EAAE,CAAC;YACzC,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;gBACpD;;;;;;;mBAOG;gBACH,IAAI,oBAAoB,KAAK,SAAS,EAAE,CAAC;oBACvC,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;oBACnD,IACE,IAAA,0BAAgB,EAAC,SAAS,CAAC;wBAC3B,IAAA,sBAAY,EAAC,SAAS,CAAC;wBACvB,IAAA,4BAAkB,EAAC,SAAS,CAAC,EAC7B,CAAC;wBACD,IACE,OAAO,CAAC,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC3C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,OAAO,CACpD,EACD,CAAC;4BACD,OAAO;gCACL,MAAM,EAAE,SAAS;gCACjB,GAAG,UAAU;6BACd,CAAA;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;gBACD,OAAO;oBACL,MAAM,EAAE,kBAAkB;oBAC1B,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YAED;;;;;;;;cAQE;YACF,IAAI,oBAAoB,KAAK,SAAS,IAAI,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBAChF,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,eAAe;QACf,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACpD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,oBAAoB,KAAK,SAAS,IAAI,oBAAoB,KAAK,mBAAmB,EAAE,CAAC;YACvF,IAAI,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBAC1C,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,OAAO;YACL,MAAM,EAAE,kBAAkB;YAC1B,GAAG,UAAU;SACd,CAAA;QAED;;;;;;;WAOG;IACL,CAAC;CACF;AA/JD,4DA+JC"}

package/dist/cjs/services/ServiceAuthorizer.d.ts

@@ -1,10 +1,11 @@
-import { IdentityAnalysis, RequestAnalysis, ResourceAnalysis, ScpAnalysis } from '../evaluate.js';
+import { IdentityAnalysis, RcpAnalysis, RequestAnalysis, ResourceAnalysis, ScpAnalysis } from '../evaluate.js';
 import { AwsRequest } from '../request/request.js';
 export interface ServiceAuthorizationRequest {
     request: AwsRequest;
     identityAnalysis: IdentityAnalysis;
     scpAnalysis: ScpAnalysis;
     resourceAnalysis: ResourceAnalysis;
+    rcpAnalysis: RcpAnalysis;
     permissionBoundaryAnalysis: IdentityAnalysis | undefined;
 }
 export interface ServiceAuthorizer {

package/dist/cjs/services/ServiceAuthorizer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/ServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAA;AACjG,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAA;AAElD,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,UAAU,CAAA;IACnB,gBAAgB,EAAE,gBAAgB,CAAA;IAClC,WAAW,EAAE,WAAW,CAAA;IACxB,gBAAgB,EAAE,gBAAgB,CAAA;IAClC,0BAA0B,EAAE,gBAAgB,GAAG,SAAS,CAAA;CACzD;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe,CAAA;CACjE"}
+{"version":3,"file":"ServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/ServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAChB,WAAW,EACX,eAAe,EACf,gBAAgB,EAChB,WAAW,EACZ,MAAM,gBAAgB,CAAA;AACvB,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAA;AAElD,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,UAAU,CAAA;IACnB,gBAAgB,EAAE,gBAAgB,CAAA;IAClC,WAAW,EAAE,WAAW,CAAA;IACxB,gBAAgB,EAAE,gBAAgB,CAAA;IAClC,WAAW,EAAE,WAAW,CAAA;IACxB,0BAA0B,EAAE,gBAAgB,GAAG,SAAS,CAAA;CACzD;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe,CAAA;CACjE"}

package/dist/cjs/simulation_engine/simulation.d.ts

@@ -19,6 +19,18 @@ export interface Simulation {
             policy: any;
         }[];
     }[];
+    /**
+     * The resource control policies for the simulation.
+     * One per level of the OU/Account hierarchy.
+     * The default Resource Control Policy, RCPFullAWSAccess, is automatically added to the simulation.
+     */
+    resourceControlPolicies: {
+        orgIdentifier: string;
+        policies: {
+            name: string;
+            policy: any;
+        }[];
+    }[];
     resourcePolicy?: any;
     permissionBoundaryPolicies?: {
         name: string;

package/dist/cjs/simulation_engine/simulation.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"simulation.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulation.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,CAAA;QACjB,MAAM,EAAE,MAAM,CAAA;QACd,QAAQ,EAAE;YACR,QAAQ,EAAE,MAAM,CAAA;YAChB,SAAS,EAAE,MAAM,CAAA;SAClB,CAAA;QACD,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAA;KACpD,CAAA;IAED,gBAAgB,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,GAAG,CAAA;KAAE,EAAE,CAAA;IACjD,sBAAsB,EAAE;QACtB,aAAa,EAAE,MAAM,CAAA;QACrB,QAAQ,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,GAAG,CAAA;SAAE,EAAE,CAAA;KAC1C,EAAE,CAAA;IACH,cAAc,CAAC,EAAE,GAAG,CAAA;IACpB,0BAA0B,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,GAAG,CAAA;KAAE,EAAE,CAAA;CAC7D"}
+{"version":3,"file":"simulation.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulation.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,CAAA;QACjB,MAAM,EAAE,MAAM,CAAA;QACd,QAAQ,EAAE;YACR,QAAQ,EAAE,MAAM,CAAA;YAChB,SAAS,EAAE,MAAM,CAAA;SAClB,CAAA;QACD,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAA;KACpD,CAAA;IAED,gBAAgB,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,GAAG,CAAA;KAAE,EAAE,CAAA;IAEjD,sBAAsB,EAAE;QACtB,aAAa,EAAE,MAAM,CAAA;QACrB,QAAQ,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,GAAG,CAAA;SAAE,EAAE,CAAA;KAC1C,EAAE,CAAA;IAEH;;;;OAIG;IACH,uBAAuB,EAAE;QACvB,aAAa,EAAE,MAAM,CAAA;QACrB,QAAQ,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,GAAG,CAAA;SAAE,EAAE,CAAA;KAC1C,EAAE,CAAA;IAEH,cAAc,CAAC,EAAE,GAAG,CAAA;IACpB,0BAA0B,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,GAAG,CAAA;KAAE,EAAE,CAAA;CAC7D"}

package/dist/cjs/simulation_engine/simulationEngine.d.ts

@@ -5,12 +5,21 @@ import { SimulationOptions } from './simulationOptions.js';
 export interface SimulationErrors {
     identityPolicyErrors?: Record<string, ValidationError[]>;
     seviceControlPolicyErrors?: Record<string, ValidationError[]>;
+    resourceControlPolicyErrors?: Record<string, ValidationError[]>;
+    permissionBoundaryErrors?: Record<string, ValidationError[]>;
     resourcePolicyErrors?: ValidationError[];
     message: string;
 }
 export interface SimulationResult {
     errors?: SimulationErrors;
     analysis?: RequestAnalysis;
+    /**
+     * The resource type that was used for the simulation, if applicable.
+     *
+     * Will only be present if the request passes validation to reach the policy
+     * evaluation stage and the action is not a wildcard-only action.
+     */
+    resourceType?: string;
     /**
      * Any context keys provided in the request that were filtered out before
      * policy evaluation because they do not apply to the action/resource type.

package/dist/cjs/simulation_engine/simulationEngine.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"simulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":"AACA,OAAO,EAML,eAAe,EAChB,MAAM,2BAA2B,CAAA;AAIlC,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAA;AAKhD,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAA;AAC5C,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAE1D,MAAM,WAAW,gBAAgB;IAC/B,oBAAoB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAA;IACxD,yBAAyB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAA;IAC7D,oBAAoB,CAAC,EAAE,eAAe,EAAE,CAAA;IACxC,OAAO,EAAE,MAAM,CAAA;CAChB;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,CAAC,EAAE,gBAAgB,CAAA;IACzB,QAAQ,CAAC,EAAE,eAAe,CAAA;IAE1B;;;;;;;;OAQG;IACH,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAA;CAC9B;AAED;;;;;;GAMG;AACH,wBAAsB,aAAa,CACjC,UAAU,EAAE,UAAU,EACtB,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAC5C,OAAO,CAAC,gBAAgB,CAAC,CAqJ3B;AAED,wBAAsB,6BAA6B,CAAC,UAAU,EAAE,UAAU,GAAG,OAAO,CAAC;IACnF,kBAAkB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAA;IACrD,kBAAkB,EAAE,MAAM,EAAE,CAAA;CAC7B,CAAC,CAoCD"}
+{"version":3,"file":"simulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":"AACA,OAAO,EAOL,eAAe,EAChB,MAAM,2BAA2B,CAAA;AAIlC,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAA;AAKhD,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAA;AAC5C,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAiB1D,MAAM,WAAW,gBAAgB;IAC/B,oBAAoB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAA;IACxD,yBAAyB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAA;IAC7D,2BAA2B,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAA;IAC/D,wBAAwB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAA;IAC5D,oBAAoB,CAAC,EAAE,eAAe,EAAE,CAAA;IACxC,OAAO,EAAE,MAAM,CAAA;CAChB;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,CAAC,EAAE,gBAAgB,CAAA;IACzB,QAAQ,CAAC,EAAE,eAAe,CAAA;IAE1B;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB;;;;;;;;OAQG;IACH,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAA;CAC9B;AAED;;;;;;GAMG;AACH,wBAAsB,aAAa,CACjC,UAAU,EAAE,UAAU,EACtB,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAC5C,OAAO,CAAC,gBAAgB,CAAC,CAmL3B;AAED,wBAAsB,6BAA6B,CAAC,UAAU,EAAE,UAAU,GAAG,OAAO,CAAC;IACnF,kBAAkB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAA;IACrD,kBAAkB,EAAE,MAAM,EAAE,CAAA;CAC7B,CAAC,CAoCD"}