@cloud-copilot/iam-simulate 0.1.22 → 0.1.23
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +155 -2
- package/dist/cjs/core_engine/{coreSimulatorEngine.d.ts → CoreSimulatorEngine.d.ts} +16 -11
- package/dist/cjs/core_engine/CoreSimulatorEngine.d.ts.map +1 -0
- package/dist/cjs/core_engine/{coreSimulatorEngine.js → CoreSimulatorEngine.js} +34 -12
- package/dist/cjs/core_engine/CoreSimulatorEngine.js.map +1 -0
- package/dist/cjs/evaluate.d.ts +28 -1
- package/dist/cjs/evaluate.d.ts.map +1 -1
- package/dist/cjs/explain/statementExplain.d.ts +9 -0
- package/dist/cjs/explain/statementExplain.d.ts.map +1 -1
- package/dist/cjs/explain/statementExplain.js.map +1 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.d.ts.map +1 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.js +9 -2
- package/dist/cjs/services/DefaultServiceAuthorizer.js.map +1 -1
- package/dist/cjs/services/ServiceAuthorizer.d.ts +2 -1
- package/dist/cjs/services/ServiceAuthorizer.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/simulation.d.ts +12 -0
- package/dist/cjs/simulation_engine/simulation.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/simulationEngine.d.ts +2 -0
- package/dist/cjs/simulation_engine/simulationEngine.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/simulationEngine.js +40 -2
- package/dist/cjs/simulation_engine/simulationEngine.js.map +1 -1
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.js +11 -2
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.js.map +1 -1
- package/dist/esm/core_engine/{coreSimulatorEngine.d.ts → CoreSimulatorEngine.d.ts} +16 -11
- package/dist/esm/core_engine/CoreSimulatorEngine.d.ts.map +1 -0
- package/dist/esm/core_engine/{coreSimulatorEngine.js → CoreSimulatorEngine.js} +33 -11
- package/dist/esm/core_engine/CoreSimulatorEngine.js.map +1 -0
- package/dist/esm/evaluate.d.ts +28 -1
- package/dist/esm/evaluate.d.ts.map +1 -1
- package/dist/esm/explain/statementExplain.d.ts +9 -0
- package/dist/esm/explain/statementExplain.d.ts.map +1 -1
- package/dist/esm/explain/statementExplain.js.map +1 -1
- package/dist/esm/services/DefaultServiceAuthorizer.d.ts.map +1 -1
- package/dist/esm/services/DefaultServiceAuthorizer.js +9 -2
- package/dist/esm/services/DefaultServiceAuthorizer.js.map +1 -1
- package/dist/esm/services/ServiceAuthorizer.d.ts +2 -1
- package/dist/esm/services/ServiceAuthorizer.d.ts.map +1 -1
- package/dist/esm/simulation_engine/simulation.d.ts +12 -0
- package/dist/esm/simulation_engine/simulation.d.ts.map +1 -1
- package/dist/esm/simulation_engine/simulationEngine.d.ts +2 -0
- package/dist/esm/simulation_engine/simulationEngine.d.ts.map +1 -1
- package/dist/esm/simulation_engine/simulationEngine.js +40 -2
- package/dist/esm/simulation_engine/simulationEngine.js.map +1 -1
- package/dist/esm/simulation_engine/unsafeSimulationEngine.d.ts.map +1 -1
- package/dist/esm/simulation_engine/unsafeSimulationEngine.js +10 -1
- package/dist/esm/simulation_engine/unsafeSimulationEngine.js.map +1 -1
- package/package.json +1 -1
- package/dist/cjs/core_engine/coreSimulatorEngine.d.ts.map +0 -1
- package/dist/cjs/core_engine/coreSimulatorEngine.js.map +0 -1
- package/dist/esm/core_engine/coreSimulatorEngine.d.ts.map +0 -1
- package/dist/esm/core_engine/coreSimulatorEngine.js.map +0 -1
package/README.md
CHANGED
|
@@ -1,5 +1,158 @@
|
|
|
1
1
|
# IAM Simulate
|
|
2
2
|
|
|
3
|
-
|
|
3
|
+
An AWS IAM Simulator and Policy Tester built as a Node/Typescript library.
|
|
4
4
|
|
|
5
|
-
|
|
5
|
+
The simulator currently supports these features of AWS IAM
|
|
6
|
+
|
|
7
|
+
### IAM Feature Support
|
|
8
|
+
|
|
9
|
+
- Identity Policies
|
|
10
|
+
- Resource Policies
|
|
11
|
+
- Service Control Policies
|
|
12
|
+
- Permission Boundaries
|
|
13
|
+
- All [AWS Condition Operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html)
|
|
14
|
+
- Same Account and Cross Account Requests
|
|
15
|
+
|
|
16
|
+
### Request Validation
|
|
17
|
+
|
|
18
|
+
iam-simulate will automatically validate inputs including
|
|
19
|
+
|
|
20
|
+
- IAM policies using [iam-policy](https://github.com/cloud-copilot/iam-policy)
|
|
21
|
+
- IAM Actions using [iam-data](https://github.com/cloud-copilot/iam-data)
|
|
22
|
+
- The resource ARN against allowed resource types for the action
|
|
23
|
+
- The context keys allowed for the action/resource and their types.
|
|
24
|
+
|
|
25
|
+
Currently all [global condition keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) are allowed for all requests which is not strictly true. More validation will be added in the future.
|
|
26
|
+
|
|
27
|
+
### Explanation
|
|
28
|
+
|
|
29
|
+
iam-simulate will detail which statements were decisive in the final decision to allow or deny a request.
|
|
30
|
+
|
|
31
|
+
It will also return "explains" for each statement that was evaluated, detailing why that statement applied to the request or not.
|
|
32
|
+
|
|
33
|
+
### Features Coming Soon
|
|
34
|
+
|
|
35
|
+
- Resource Control Policies
|
|
36
|
+
- Distinct Behavior for KMS and IAM Resource Policies
|
|
37
|
+
- Session Policies
|
|
38
|
+
- Validation of Global Condition Keys for each action
|
|
39
|
+
- Automatically populating context keys from the request such as `aws:PrincipalServiceName`
|
|
40
|
+
- Support for anonymous requests
|
|
41
|
+
|
|
42
|
+
## Installation
|
|
43
|
+
|
|
44
|
+
```bash
|
|
45
|
+
npm install @cloud-copilot/iam-simulate
|
|
46
|
+
```
|
|
47
|
+
|
|
48
|
+
## Usage
|
|
49
|
+
|
|
50
|
+
```typescript
|
|
51
|
+
import { runSimulation, type Simulation } from '@cloud-copilot/iam-simulate'
|
|
52
|
+
|
|
53
|
+
const simulation: Simulation = {
|
|
54
|
+
identityPolicies: [
|
|
55
|
+
{
|
|
56
|
+
name: 'userpolicy',
|
|
57
|
+
policy: {
|
|
58
|
+
Version: '2012-10-17',
|
|
59
|
+
Statement: [
|
|
60
|
+
{
|
|
61
|
+
Effect: 'Allow',
|
|
62
|
+
Action: ['s3:GetObject'],
|
|
63
|
+
Resource: ['arn:aws:s3:::mybucket/*']
|
|
64
|
+
}
|
|
65
|
+
]
|
|
66
|
+
}
|
|
67
|
+
}
|
|
68
|
+
],
|
|
69
|
+
serviceControlPolicies: [
|
|
70
|
+
{
|
|
71
|
+
orgIdentifier: 'ou-12345',
|
|
72
|
+
policies: [
|
|
73
|
+
{
|
|
74
|
+
name: 'AllowAll',
|
|
75
|
+
policy: {
|
|
76
|
+
Version: '2012-10-17',
|
|
77
|
+
Statement: [
|
|
78
|
+
{
|
|
79
|
+
Effect: 'Allow',
|
|
80
|
+
Action: '*',
|
|
81
|
+
Resource: '*'
|
|
82
|
+
}
|
|
83
|
+
]
|
|
84
|
+
}
|
|
85
|
+
}
|
|
86
|
+
]
|
|
87
|
+
}
|
|
88
|
+
],
|
|
89
|
+
resourcePolicy: {
|
|
90
|
+
Version: '2012-10-17',
|
|
91
|
+
Statement: [
|
|
92
|
+
{
|
|
93
|
+
Effect: 'Allow',
|
|
94
|
+
Action: ['s3:GetObject'],
|
|
95
|
+
Resource: ['arn:aws:s3:::mybucket/*'],
|
|
96
|
+
Principal: 'aws:arn:iam::123456789012:root',
|
|
97
|
+
Condition: {
|
|
98
|
+
StringEquals: {
|
|
99
|
+
'aws:PrincipalOrgID': 'o-123456789012'
|
|
100
|
+
}
|
|
101
|
+
}
|
|
102
|
+
}
|
|
103
|
+
]
|
|
104
|
+
},
|
|
105
|
+
request: {
|
|
106
|
+
action: 's3:GetObject',
|
|
107
|
+
principal: 'arn:aws:iam::123456789012:user/username',
|
|
108
|
+
resource: {
|
|
109
|
+
accountId: '123456789012',
|
|
110
|
+
resource: 'arn:aws:s3:::mybucket/file.txt'
|
|
111
|
+
},
|
|
112
|
+
contextVariables: {
|
|
113
|
+
'aws:PrincipalOrgID': 'o-123456789012'
|
|
114
|
+
}
|
|
115
|
+
}
|
|
116
|
+
}
|
|
117
|
+
|
|
118
|
+
const result = await runSimulation(simulation, {})
|
|
119
|
+
//Check for validation errors:
|
|
120
|
+
if (result.errors) {
|
|
121
|
+
console.log(result.errors.message)
|
|
122
|
+
console.log(JSON.stringify(result.errors, null, 2))
|
|
123
|
+
}
|
|
124
|
+
|
|
125
|
+
//The simulation ran successfully
|
|
126
|
+
if (result.analysis) {
|
|
127
|
+
console.log(result.analysis.result) // 'Allowed', 'ExplicityDenied', or 'ImplicitlyDenied'
|
|
128
|
+
|
|
129
|
+
//Output the identity statements that allowed the request
|
|
130
|
+
const identityAllowExplains =
|
|
131
|
+
result?.analysis?.identityAnalysis?.allowStatements.map((s) => s.explain) || []
|
|
132
|
+
//Show which statements applied and exactly how.
|
|
133
|
+
for (const explain of identityAllowExplains) {
|
|
134
|
+
console.log(explain)
|
|
135
|
+
}
|
|
136
|
+
}
|
|
137
|
+
```
|
|
138
|
+
|
|
139
|
+
This would output an explain that shows how the identity statement was evaluated:
|
|
140
|
+
|
|
141
|
+
```javascript
|
|
142
|
+
{
|
|
143
|
+
effect: 'Allow',
|
|
144
|
+
identifier: '1',
|
|
145
|
+
matches: true,
|
|
146
|
+
actionMatch: true,
|
|
147
|
+
principalMatch: 'Match',
|
|
148
|
+
resourceMatch: true,
|
|
149
|
+
conditionMatch: true,
|
|
150
|
+
resources: [
|
|
151
|
+
{
|
|
152
|
+
resource: 'arn:aws:s3:::mybucket/*',
|
|
153
|
+
matches: true,
|
|
154
|
+
}
|
|
155
|
+
],
|
|
156
|
+
actions: [ { action: 's3:GetObject', matches: true } ],
|
|
157
|
+
}
|
|
158
|
+
```
|
|
@@ -1,11 +1,11 @@
|
|
|
1
1
|
import { Policy } from '@cloud-copilot/iam-policy';
|
|
2
|
-
import { IdentityAnalysis, RequestAnalysis, ResourceAnalysis, ScpAnalysis } from '../evaluate.js';
|
|
2
|
+
import { IdentityAnalysis, RcpAnalysis, RequestAnalysis, ResourceAnalysis, ScpAnalysis } from '../evaluate.js';
|
|
3
3
|
import { AwsRequest } from '../request/request.js';
|
|
4
4
|
import { ServiceAuthorizer } from '../services/ServiceAuthorizer.js';
|
|
5
5
|
/**
|
|
6
|
-
* A set of service control policies for each level of an organization tree
|
|
6
|
+
* A set of service or resource control policies for each level of an organization tree
|
|
7
7
|
*/
|
|
8
|
-
export interface
|
|
8
|
+
export interface ControlPolicies {
|
|
9
9
|
/**
|
|
10
10
|
* The organization identifier for the organizational unit these policies apply to.
|
|
11
11
|
*/
|
|
@@ -29,9 +29,14 @@ export interface AuthorizationRequest {
|
|
|
29
29
|
identityPolicies: Policy[];
|
|
30
30
|
/**
|
|
31
31
|
* The service control policies that apply to the principal making the request. In
|
|
32
|
-
* order of the orgnaization hierarchy. So the root ou
|
|
32
|
+
* order of the orgnaization hierarchy. So the root ou SCPs should be first.
|
|
33
33
|
*/
|
|
34
|
-
serviceControlPolicies:
|
|
34
|
+
serviceControlPolicies: ControlPolicies[];
|
|
35
|
+
/**
|
|
36
|
+
* The resource control policies that apply to the resource being accessed. In
|
|
37
|
+
* order of the orgnaization hierarchy. So the root ou RCPs should be first.
|
|
38
|
+
*/
|
|
39
|
+
resourceControlPolicies: ControlPolicies[];
|
|
35
40
|
/**
|
|
36
41
|
* The resource policy that applies to the resource being accessed.
|
|
37
42
|
*/
|
|
@@ -67,13 +72,13 @@ export declare function getServiceAuthorizer(request: AuthorizationRequest): Ser
|
|
|
67
72
|
*/
|
|
68
73
|
export declare function analyzeIdentityPolicies(identityPolicies: Policy[], request: AwsRequest): IdentityAnalysis;
|
|
69
74
|
/**
|
|
70
|
-
* Analyzes a set of service control policies and the statements within them.
|
|
75
|
+
* Analyzes a set of service or resource control policies and the statements within them.
|
|
71
76
|
*
|
|
72
|
-
* @param
|
|
77
|
+
* @param controlPolicies the control policies to analyze
|
|
73
78
|
* @param request the request to analyze against
|
|
74
|
-
* @returns an array of SCP analysis results
|
|
79
|
+
* @returns an array of SCP or RCP analysis results
|
|
75
80
|
*/
|
|
76
|
-
export declare function
|
|
81
|
+
export declare function analyzeControlPolicies(controlPolicies: ControlPolicies[], request: AwsRequest): ScpAnalysis | RcpAnalysis;
|
|
77
82
|
/**
|
|
78
83
|
* Analyze a resource policy and return the results
|
|
79
84
|
*
|
|
@@ -81,6 +86,6 @@ export declare function analyzeServiceControlPolicies(serviceControlPolicies: Se
|
|
|
81
86
|
* @param request the request to analyze against
|
|
82
87
|
* @returns an array of statement analysis results
|
|
83
88
|
*/
|
|
84
|
-
export declare function analyzeResourcePolicy(resourcePolicy: Policy | undefined, request: AwsRequest): ResourceAnalysis;
|
|
89
|
+
export declare function analyzeResourcePolicy(resourcePolicy: Policy | undefined, request: AwsRequest, principalHasPermissionBoundary: boolean): ResourceAnalysis;
|
|
85
90
|
export declare function analyzePermissionBoundaryPolicies(permissionBoundaries: Policy[] | undefined, request: AwsRequest): IdentityAnalysis | undefined;
|
|
86
|
-
//# sourceMappingURL=
|
|
91
|
+
//# sourceMappingURL=CoreSimulatorEngine.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"CoreSimulatorEngine.d.ts","sourceRoot":"","sources":["../../../src/core_engine/CoreSimulatorEngine.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAa,MAAM,2BAA2B,CAAA;AAG7D,OAAO,EAEL,gBAAgB,EAEhB,WAAW,EACX,eAAe,EACf,gBAAgB,EAChB,WAAW,EACZ,MAAM,gBAAgB,CAAA;AAGvB,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAA;AAGlD,OAAO,EAAE,iBAAiB,EAAE,MAAM,kCAAkC,CAAA;AAQpE;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B;;OAEG;IACH,aAAa,EAAE,MAAM,CAAA;IAErB;;OAEG;IACH,QAAQ,EAAE,MAAM,EAAE,CAAA;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC;;OAEG;IACH,OAAO,EAAE,UAAU,CAAA;IAEnB;;OAEG;IACH,gBAAgB,EAAE,MAAM,EAAE,CAAA;IAE1B;;;OAGG;IACH,sBAAsB,EAAE,eAAe,EAAE,CAAA;IAEzC;;;OAGG;IACH,uBAAuB,EAAE,eAAe,EAAE,CAAA;IAE1C;;OAEG;IACH,cAAc,EAAE,MAAM,GAAG,SAAS,CAAA;IAElC;;OAEG;IACH,oBAAoB,EAAE,MAAM,EAAE,GAAG,SAAS,CAAA;CAC3C;AAID;;;;;;;GAOG;AACH,wBAAgB,SAAS,CAAC,OAAO,EAAE,oBAAoB,GAAG,eAAe,CA+BxE;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,oBAAoB,GAAG,iBAAiB,CAMrF;AAED;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CACrC,gBAAgB,EAAE,MAAM,EAAE,EAC1B,OAAO,EAAE,UAAU,GAClB,gBAAgB,CA+DlB;AAED;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CACpC,eAAe,EAAE,eAAe,EAAE,EAClC,OAAO,EAAE,UAAU,GAClB,WAAW,GAAG,WAAW,CA6E3B;AAED;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CACnC,cAAc,EAAE,MAAM,GAAG,SAAS,EAClC,OAAO,EAAE,UAAU,EACnB,8BAA8B,EAAE,OAAO,GACtC,gBAAgB,CA+GlB;AAED,wBAAgB,iCAAiC,CAC/C,oBAAoB,EAAE,MAAM,EAAE,GAAG,SAAS,EAC1C,OAAO,EAAE,UAAU,GAClB,gBAAgB,GAAG,SAAS,CAM9B"}
|
|
@@ -3,7 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
|
|
|
3
3
|
exports.authorize = authorize;
|
|
4
4
|
exports.getServiceAuthorizer = getServiceAuthorizer;
|
|
5
5
|
exports.analyzeIdentityPolicies = analyzeIdentityPolicies;
|
|
6
|
-
exports.
|
|
6
|
+
exports.analyzeControlPolicies = analyzeControlPolicies;
|
|
7
7
|
exports.analyzeResourcePolicy = analyzeResourcePolicy;
|
|
8
8
|
exports.analyzePermissionBoundaryPolicies = analyzePermissionBoundaryPolicies;
|
|
9
9
|
const action_js_1 = require("../action/action.js");
|
|
@@ -22,15 +22,18 @@ const serviceEngines = {};
|
|
|
22
22
|
* @returns the result of the authorization
|
|
23
23
|
*/
|
|
24
24
|
function authorize(request) {
|
|
25
|
+
const principalHasPermissionBoundary = !!request.permissionBoundaries && request.permissionBoundaries.length > 0;
|
|
25
26
|
const identityAnalysis = analyzeIdentityPolicies(request.identityPolicies, request.request);
|
|
26
27
|
const permissionBoundaryAnalysis = analyzePermissionBoundaryPolicies(request.permissionBoundaries, request.request);
|
|
27
|
-
const scpAnalysis =
|
|
28
|
-
const
|
|
28
|
+
const scpAnalysis = analyzeControlPolicies(request.serviceControlPolicies, request.request);
|
|
29
|
+
const rcpAnalysis = analyzeControlPolicies(request.resourceControlPolicies, request.request);
|
|
30
|
+
const resourceAnalysis = analyzeResourcePolicy(request.resourcePolicy, request.request, principalHasPermissionBoundary);
|
|
29
31
|
const serviceAuthorizer = getServiceAuthorizer(request);
|
|
30
32
|
return serviceAuthorizer.authorize({
|
|
31
33
|
request: request.request,
|
|
32
34
|
identityAnalysis,
|
|
33
35
|
scpAnalysis,
|
|
36
|
+
rcpAnalysis,
|
|
34
37
|
resourceAnalysis,
|
|
35
38
|
permissionBoundaryAnalysis
|
|
36
39
|
});
|
|
@@ -43,7 +46,7 @@ function authorize(request) {
|
|
|
43
46
|
* @returns the service authorizer for the request
|
|
44
47
|
*/
|
|
45
48
|
function getServiceAuthorizer(request) {
|
|
46
|
-
const serviceName = request.request.
|
|
49
|
+
const serviceName = request.request.action.service();
|
|
47
50
|
if (serviceEngines[serviceName]) {
|
|
48
51
|
return new serviceEngines[serviceName]();
|
|
49
52
|
}
|
|
@@ -103,15 +106,15 @@ function analyzeIdentityPolicies(identityPolicies, request) {
|
|
|
103
106
|
return identityAnalysis;
|
|
104
107
|
}
|
|
105
108
|
/**
|
|
106
|
-
* Analyzes a set of service control policies and the statements within them.
|
|
109
|
+
* Analyzes a set of service or resource control policies and the statements within them.
|
|
107
110
|
*
|
|
108
|
-
* @param
|
|
111
|
+
* @param controlPolicies the control policies to analyze
|
|
109
112
|
* @param request the request to analyze against
|
|
110
|
-
* @returns an array of SCP analysis results
|
|
113
|
+
* @returns an array of SCP or RCP analysis results
|
|
111
114
|
*/
|
|
112
|
-
function
|
|
115
|
+
function analyzeControlPolicies(controlPolicies, request) {
|
|
113
116
|
const analysis = [];
|
|
114
|
-
for (const controlPolicy of
|
|
117
|
+
for (const controlPolicy of controlPolicies) {
|
|
115
118
|
const ouAnalysis = {
|
|
116
119
|
orgIdentifier: controlPolicy.orgIdentifier,
|
|
117
120
|
result: 'ImplicitlyDenied',
|
|
@@ -180,7 +183,7 @@ function analyzeServiceControlPolicies(serviceControlPolicies, request) {
|
|
|
180
183
|
* @param request the request to analyze against
|
|
181
184
|
* @returns an array of statement analysis results
|
|
182
185
|
*/
|
|
183
|
-
function analyzeResourcePolicy(resourcePolicy, request) {
|
|
186
|
+
function analyzeResourcePolicy(resourcePolicy, request, principalHasPermissionBoundary) {
|
|
184
187
|
const resourceAnalysis = {
|
|
185
188
|
result: 'NotApplicable',
|
|
186
189
|
allowStatements: [],
|
|
@@ -198,7 +201,26 @@ function analyzeResourcePolicy(resourcePolicy, request) {
|
|
|
198
201
|
for (const statement of resourcePolicy.statements()) {
|
|
199
202
|
const { matches: resourceMatch, details: resourceDetails } = (0, resource_js_1.requestMatchesStatementResources)(request, statement);
|
|
200
203
|
const { matches: actionMatch, details: actionDetails } = (0, action_js_1.requestMatchesStatementActions)(request, statement);
|
|
201
|
-
|
|
204
|
+
let { matches: principalMatch, details: principalDetails } = (0, principal_js_1.requestMatchesStatementPrincipals)(request, statement);
|
|
205
|
+
const permissionBoundaryDetails = {};
|
|
206
|
+
/**
|
|
207
|
+
* "Don't use resource-based policy statements that include a NotPrincipal policy element with a
|
|
208
|
+
* Deny effect for IAM users or roles that have a permissions boundary policy attached.
|
|
209
|
+
* The NotPrincipal element with a Deny effect will always deny any IAM principal that
|
|
210
|
+
* has a permissions boundary policy attached, regardless of the values specified in the
|
|
211
|
+
* NotPrincipal element. This causes some IAM users or roles that would otherwise have access
|
|
212
|
+
* to the resource to lose access. We recommend changing your resource-based policy statements
|
|
213
|
+
* to use the condition operator ArnNotEquals with the aws:PrincipalArn context key to limit
|
|
214
|
+
* access instead of the NotPrincipal element. For information about permissions boundaries, see
|
|
215
|
+
* Permissions boundaries for IAM entities."
|
|
216
|
+
* https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
|
|
217
|
+
*/
|
|
218
|
+
if (principalHasPermissionBoundary &&
|
|
219
|
+
statement.isNotPrincipalStatement() &&
|
|
220
|
+
statement.effect() === 'Deny') {
|
|
221
|
+
principalMatch = 'Match';
|
|
222
|
+
permissionBoundaryDetails.denyBecauseNpInRpAndPb = true;
|
|
223
|
+
}
|
|
202
224
|
const { matches: conditionMatch, details: conditionDetails } = (0, condition_js_1.requestMatchesConditions)(request, statement.conditions());
|
|
203
225
|
const overallMatch = (0, StatementAnalysis_js_1.statementMatches)({
|
|
204
226
|
actionMatch,
|
|
@@ -259,4 +281,4 @@ function makeStatementExplain(statement, overallMatch, actionMatch, principalMat
|
|
|
259
281
|
...details
|
|
260
282
|
};
|
|
261
283
|
}
|
|
262
|
-
//# sourceMappingURL=
|
|
284
|
+
//# sourceMappingURL=CoreSimulatorEngine.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"CoreSimulatorEngine.js","sourceRoot":"","sources":["../../../src/core_engine/CoreSimulatorEngine.ts"],"names":[],"mappings":";;AAuFA,8BA+BC;AASD,oDAMC;AASD,0DAkEC;AASD,wDAgFC;AASD,sDAmHC;AAED,8EASC;AA/aD,mDAAoE;AACpE,4DAA0F;AAW1F,4DAAmG;AAEnG,yDAA0E;AAC1E,yFAAkF;AAElF,kEAKgC;AAsDhC,MAAM,cAAc,GAAgD,EAAE,CAAA;AAEtE;;;;;;;GAOG;AACH,SAAgB,SAAS,CAAC,OAA6B;IACrD,MAAM,8BAA8B,GAClC,CAAC,CAAC,OAAO,CAAC,oBAAoB,IAAI,OAAO,CAAC,oBAAoB,CAAC,MAAM,GAAG,CAAC,CAAA;IAC3E,MAAM,gBAAgB,GAAG,uBAAuB,CAAC,OAAO,CAAC,gBAAgB,EAAE,OAAO,CAAC,OAAO,CAAC,CAAA;IAC3F,MAAM,0BAA0B,GAAG,iCAAiC,CAClE,OAAO,CAAC,oBAAoB,EAC5B,OAAO,CAAC,OAAO,CAChB,CAAA;IACD,MAAM,WAAW,GAAG,sBAAsB,CACxC,OAAO,CAAC,sBAAsB,EAC9B,OAAO,CAAC,OAAO,CACD,CAAA;IAChB,MAAM,WAAW,GAAG,sBAAsB,CACxC,OAAO,CAAC,uBAAuB,EAC/B,OAAO,CAAC,OAAO,CACD,CAAA;IAChB,MAAM,gBAAgB,GAAG,qBAAqB,CAC5C,OAAO,CAAC,cAAc,EACtB,OAAO,CAAC,OAAO,EACf,8BAA8B,CAC/B,CAAA;IAED,MAAM,iBAAiB,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAA;IACvD,OAAO,iBAAiB,CAAC,SAAS,CAAC;QACjC,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,gBAAgB;QAChB,WAAW;QACX,WAAW;QACX,gBAAgB;QAChB,0BAA0B;KAC3B,CAAC,CAAA;AACJ,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,oBAAoB,CAAC,OAA6B;IAChE,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAA;IACpD,IAAI,cAAc,CAAC,WAAW,CAAC,EAAE,CAAC;QAChC,OAAO,IAAI,cAAc,CAAC,WAAW,CAAC,EAAE,CAAA;IAC1C,CAAC;IACD,OAAO,IAAI,sDAAwB,EAAE,CAAA;AACvC,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,uBAAuB,CACrC,gBAA0B,EAC1B,OAAmB;IAEnB,MAAM,gBAAgB,GAAqB;QACzC,MAAM,EAAE,kBAAkB;QAC1B,eAAe,EAAE,EAAE;QACnB,cAAc,EAAE,EAAE;QAClB,mBAAmB,EAAE,EAAE;KACxB,CAAA;IAED,KAAK,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;QACtC,KAAK,MAAM,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;YAC5C,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,eAAe,EAAE,GAAG,IAAA,8CAAgC,EAC3F,OAAO,EACP,SAAS,CACV,CAAA;YACD,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,aAAa,EAAE,GAAG,IAAA,0CAA8B,EACrF,OAAO,EACP,SAAS,CACV,CAAA;YACD,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,IAAA,uCAAwB,EACrF,OAAO,EACP,SAAS,CAAC,UAAU,EAAE,CACvB,CAAA;YACD,MAAM,cAAc,GAAyB,OAAO,CAAA;YACpD,MAAM,YAAY,GAAG,IAAA,uCAAgB,EAAC;gBACpC,WAAW;gBACX,cAAc;gBACd,cAAc;gBACd,aAAa;aACd,CAAC,CAAA;YACF,MAAM,iBAAiB,GAAsB;gBAC3C,SAAS;gBACT,aAAa;gBACb,WAAW;gBACX,cAAc;gBACd,cAAc;gBACd,OAAO,EAAE,oBAAoB,CAC3B,SAAS,EACT,YAAY,EACZ,WAAW,EACX,cAAc,EACd,aAAa,EACb,cAAc,EACd,EAAE,GAAG,eAAe,EAAE,GAAG,aAAa,EAAE,GAAG,gBAAgB,EAAE,CAC9D;aACF,CAAA;YAED,IAAI,IAAA,oDAA6B,EAAC,iBAAiB,CAAC,EAAE,CAAC;gBACrD,gBAAgB,CAAC,cAAc,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;YACzD,CAAC;iBAAM,IAAI,IAAA,8CAAuB,EAAC,iBAAiB,CAAC,EAAE,CAAC;gBACtD,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;YAC1D,CAAC;iBAAM,CAAC;gBACN,gBAAgB,CAAC,mBAAmB,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;YAC9D,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,gBAAgB,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/C,gBAAgB,CAAC,MAAM,GAAG,kBAAkB,CAAA;IAC9C,CAAC;SAAM,IAAI,gBAAgB,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvD,gBAAgB,CAAC,MAAM,GAAG,SAAS,CAAA;IACrC,CAAC;IAED,OAAO,gBAAgB,CAAA;AACzB,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,sBAAsB,CACpC,eAAkC,EAClC,OAAmB;IAEnB,MAAM,QAAQ,GAAoB,EAAE,CAAA;IACpC,KAAK,MAAM,aAAa,IAAI,eAAe,EAAE,CAAC;QAC5C,MAAM,UAAU,GAAkB;YAChC,aAAa,EAAE,aAAa,CAAC,aAAa;YAC1C,MAAM,EAAE,kBAAkB;YAC1B,eAAe,EAAE,EAAE;YACnB,cAAc,EAAE,EAAE;YAClB,mBAAmB,EAAE,EAAE;SACxB,CAAA;QACD,KAAK,MAAM,MAAM,IAAI,aAAa,CAAC,QAAQ,EAAE,CAAC;YAC5C,KAAK,MAAM,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;gBAC5C,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,eAAe,EAAE,GACxD,IAAA,8CAAgC,EAAC,OAAO,EAAE,SAAS,CAAC,CAAA;gBACtD,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,aAAa,EAAE,GAAG,IAAA,0CAA8B,EACrF,OAAO,EACP,SAAS,CACV,CAAA;gBACD,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,IAAA,uCAAwB,EACrF,OAAO,EACP,SAAS,CAAC,UAAU,EAAE,CACvB,CAAA;gBACD,MAAM,cAAc,GAAyB,OAAO,CAAA;gBACpD,MAAM,YAAY,GAAG,IAAA,uCAAgB,EAAC;oBACpC,WAAW;oBACX,cAAc;oBACd,cAAc;oBACd,aAAa;iBACd,CAAC,CAAA;gBACF,MAAM,iBAAiB,GAAsB;oBAC3C,SAAS;oBACT,aAAa;oBACb,WAAW;oBACX,cAAc;oBACd,cAAc;oBACd,OAAO,EAAE,oBAAoB,CAC3B,SAAS,EACT,YAAY,EACZ,WAAW,EACX,cAAc,EACd,aAAa,EACb,cAAc,EACd,EAAE,GAAG,eAAe,EAAE,GAAG,aAAa,EAAE,GAAG,gBAAgB,EAAE,CAC9D;iBACF,CAAA;gBAED,IAAI,IAAA,8CAAuB,EAAC,iBAAiB,CAAC,EAAE,CAAC;oBAC/C,UAAU,CAAC,eAAe,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;gBACpD,CAAC;qBAAM,IAAI,IAAA,oDAA6B,EAAC,iBAAiB,CAAC,EAAE,CAAC;oBAC5D,UAAU,CAAC,cAAc,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;gBACnD,CAAC;qBAAM,CAAC;oBACN,UAAU,CAAC,mBAAmB,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;gBACxD,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,UAAU,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzC,UAAU,CAAC,MAAM,GAAG,kBAAkB,CAAA;QACxC,CAAC;aAAM,IAAI,UAAU,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACjD,UAAU,CAAC,MAAM,GAAG,SAAS,CAAA;QAC/B,CAAC;QACD,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;IAC3B,CAAC;IAED,IAAI,aAAa,GAAqB,kBAAkB,CAAA;IACxD,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,MAAM,KAAK,kBAAkB,CAAC,EAAE,CAAC;QAC5D,aAAa,GAAG,kBAAkB,CAAA;IACpC,CAAC;SAAM,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,eAAe,CAAC,MAAM,KAAK,CAAC,CAAC,EAAE,CAAC;QAClE,aAAa,GAAG,kBAAkB,CAAA;IACpC,CAAC;SAAM,IAAI,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,MAAM,KAAK,SAAS,CAAC,EAAE,CAAC;QAC3D,aAAa,GAAG,SAAS,CAAA;IAC3B,CAAC;IAED,OAAO;QACL,MAAM,EAAE,aAAa;QACrB,UAAU,EAAE,QAAQ;KACrB,CAAA;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,qBAAqB,CACnC,cAAkC,EAClC,OAAmB,EACnB,8BAAuC;IAEvC,MAAM,gBAAgB,GAAqB;QACzC,MAAM,EAAE,eAAe;QACvB,eAAe,EAAE,EAAE;QACnB,cAAc,EAAE,EAAE;QAClB,mBAAmB,EAAE,EAAE;KACxB,CAAA;IAED,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,OAAO,gBAAgB,CAAA;IACzB,CAAC;IAED,MAAM,qBAAqB,GAA2B;QACpD,OAAO;QACP,kBAAkB;QAClB,kBAAkB;KACnB,CAAA;IAED,KAAK,MAAM,SAAS,IAAI,cAAc,CAAC,UAAU,EAAE,EAAE,CAAC;QACpD,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,eAAe,EAAE,GAAG,IAAA,8CAAgC,EAC3F,OAAO,EACP,SAAS,CACV,CAAA;QACD,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,aAAa,EAAE,GAAG,IAAA,0CAA8B,EACrF,OAAO,EACP,SAAS,CACV,CAAA;QACD,IAAI,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,IAAA,gDAAiC,EAC5F,OAAO,EACP,SAAS,CACV,CAAA;QAED,MAAM,yBAAyB,GAAqD,EAAE,CAAA;QAEtF;;;;;;;;;;;WAWG;QACH,IACE,8BAA8B;YAC9B,SAAS,CAAC,uBAAuB,EAAE;YACnC,SAAS,CAAC,MAAM,EAAE,KAAK,MAAM,EAC7B,CAAC;YACD,cAAc,GAAG,OAAO,CAAA;YACxB,yBAAyB,CAAC,sBAAsB,GAAG,IAAI,CAAA;QACzD,CAAC;QAED,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,IAAA,uCAAwB,EACrF,OAAO,EACP,SAAS,CAAC,UAAU,EAAE,CACvB,CAAA;QACD,MAAM,YAAY,GAAG,IAAA,uCAAgB,EAAC;YACpC,WAAW;YACX,cAAc;YACd,cAAc;YACd,aAAa;SACd,CAAC,CAAA;QACF,MAAM,QAAQ,GAAsB;YAClC,SAAS;YACT,aAAa,EAAE,aAAa;YAC5B,WAAW;YACX,cAAc;YACd,cAAc;YACd,OAAO,EAAE,oBAAoB,CAC3B,SAAS,EACT,YAAY,EACZ,WAAW,EACX,cAAc,EACd,aAAa,EACb,cAAc,EACd,EAAE,GAAG,eAAe,EAAE,GAAG,aAAa,EAAE,GAAG,gBAAgB,EAAE,GAAG,gBAAgB,EAAE,CACnF;SACF,CAAA;QACD,IAAI,IAAA,oDAA6B,EAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;YACrF,gBAAgB,CAAC,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QAChD,CAAC;aAAM,IAAI,IAAA,8CAAuB,EAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;YACtF,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACjD,CAAC;aAAM,CAAC;YACN,gBAAgB,CAAC,mBAAmB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACrD,CAAC;IACH,CAAC;IAED,IACE,gBAAgB,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,qBAAqB,CAAC,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,EAC7F,CAAC;QACD,gBAAgB,CAAC,MAAM,GAAG,kBAAkB,CAAA;IAC9C,CAAC;SAAM,IACL,gBAAgB,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,mBAAmB,CAAC,EACrF,CAAC;QACD,gBAAgB,CAAC,MAAM,GAAG,kBAAkB,CAAA;IAC9C,CAAC;SAAM,IACL,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,qBAAqB,CAAC,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,EAC9F,CAAC;QACD,gBAAgB,CAAC,MAAM,GAAG,SAAS,CAAA;IACrC,CAAC;SAAM,IACL,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,mBAAmB,CAAC,EACtF,CAAC;QACD,gBAAgB,CAAC,MAAM,GAAG,mBAAmB,CAAA;IAC/C,CAAC;SAAM,CAAC;QACN,gBAAgB,CAAC,MAAM,GAAG,eAAe,CAAA;IAC3C,CAAC;IAED,OAAO,gBAAgB,CAAA;AACzB,CAAC;AAED,SAAgB,iCAAiC,CAC/C,oBAA0C,EAC1C,OAAmB;IAEnB,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAC1B,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,OAAO,uBAAuB,CAAC,oBAAoB,EAAE,OAAO,CAAC,CAAA;AAC/D,CAAC;AAED,SAAS,oBAAoB,CAC3B,SAAoB,EACpB,YAAqB,EACrB,WAAoB,EACpB,cAAqC,EACrC,aAAsB,EACtB,cAAoC,EACpC,OAAkC;IAElC,OAAO;QACL,MAAM,EAAE,SAAS,CAAC,MAAM,EAAE;QAC1B,UAAU,EAAE,SAAS,CAAC,GAAG,EAAE,IAAI,SAAS,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE;QAC3D,OAAO,EAAE,YAAY;QACrB,WAAW;QACX,cAAc;QACd,aAAa;QACb,cAAc,EAAE,cAAc,KAAK,OAAO;QAC1C,GAAG,OAAO;KACX,CAAA;AACH,CAAC"}
|
package/dist/cjs/evaluate.d.ts
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import { StatementAnalysis } from './StatementAnalysis.js';
|
|
2
|
-
export type EvaluationResult = 'Allowed' | 'ExplicitlyDenied' | '
|
|
2
|
+
export type EvaluationResult = 'Allowed' | 'ExplicitlyDenied' | 'ImplicitlyDenied';
|
|
3
3
|
export type ResourceEvaluationResult = 'NotApplicable' | 'Allowed' | 'ExplicitlyDenied' | 'AllowedForAccount' | 'DeniedForAccount' | 'ImplicityDenied';
|
|
4
4
|
export interface IdentityAnalysis {
|
|
5
5
|
result: EvaluationResult;
|
|
@@ -27,6 +27,20 @@ export interface ScpAnalysis {
|
|
|
27
27
|
result: EvaluationResult;
|
|
28
28
|
ouAnalysis: OuScpAnalysis[];
|
|
29
29
|
}
|
|
30
|
+
export interface OuRcpAnalysis {
|
|
31
|
+
orgIdentifier: string;
|
|
32
|
+
result: EvaluationResult;
|
|
33
|
+
denyStatements: StatementAnalysis[];
|
|
34
|
+
allowStatements: StatementAnalysis[];
|
|
35
|
+
unmatchedStatements: StatementAnalysis[];
|
|
36
|
+
}
|
|
37
|
+
export interface RcpAnalysis {
|
|
38
|
+
/**
|
|
39
|
+
* OU Result
|
|
40
|
+
*/
|
|
41
|
+
result: EvaluationResult;
|
|
42
|
+
ouAnalysis: OuRcpAnalysis[];
|
|
43
|
+
}
|
|
30
44
|
/**
|
|
31
45
|
* The analysis of a request.
|
|
32
46
|
*/
|
|
@@ -35,6 +49,9 @@ export interface RequestAnalysis {
|
|
|
35
49
|
* The result of the evaluation.
|
|
36
50
|
*/
|
|
37
51
|
result: EvaluationResult;
|
|
52
|
+
/**
|
|
53
|
+
* Whether the principal and the resource are in the same account.
|
|
54
|
+
*/
|
|
38
55
|
sameAccount: boolean;
|
|
39
56
|
/**
|
|
40
57
|
* The result of the evaluation of the resource policy.
|
|
@@ -44,7 +61,17 @@ export interface RequestAnalysis {
|
|
|
44
61
|
* The result of the evaluation of the resource policy.
|
|
45
62
|
*/
|
|
46
63
|
resourceAnalysis?: ResourceAnalysis;
|
|
64
|
+
/**
|
|
65
|
+
* The result of the evaluation of the SCPs
|
|
66
|
+
*/
|
|
47
67
|
scpAnalysis?: ScpAnalysis;
|
|
68
|
+
/**
|
|
69
|
+
* The result of the evaluation of the RCPs
|
|
70
|
+
*/
|
|
71
|
+
rcpAnalysis?: RcpAnalysis;
|
|
72
|
+
/**
|
|
73
|
+
* The result of the evaluation of the permission boundary.
|
|
74
|
+
*/
|
|
48
75
|
permissionBoundaryAnalysis?: IdentityAnalysis | undefined;
|
|
49
76
|
}
|
|
50
77
|
//# sourceMappingURL=evaluate.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"evaluate.d.ts","sourceRoot":"","sources":["../../src/evaluate.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAE1D,MAAM,MAAM,gBAAgB,
|
|
1
|
+
{"version":3,"file":"evaluate.d.ts","sourceRoot":"","sources":["../../src/evaluate.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAE1D,MAAM,MAAM,gBAAgB,GAAG,SAAS,GAAG,kBAAkB,GAAG,kBAAkB,CAAA;AAClF,MAAM,MAAM,wBAAwB,GAChC,eAAe,GACf,SAAS,GACT,kBAAkB,GAClB,mBAAmB,GACnB,kBAAkB,GAClB,iBAAiB,CAAA;AAErB,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,gBAAgB,CAAA;IACxB,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,wBAAwB,CAAA;IAChC,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,aAAa;IAC5B,aAAa,EAAE,MAAM,CAAA;IACrB,MAAM,EAAE,gBAAgB,CAAA;IACxB,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,WAAW;IAC1B;;OAEG;IACH,MAAM,EAAE,gBAAgB,CAAA;IACxB,UAAU,EAAE,aAAa,EAAE,CAAA;CAC5B;AAED,MAAM,WAAW,aAAa;IAC5B,aAAa,EAAE,MAAM,CAAA;IACrB,MAAM,EAAE,gBAAgB,CAAA;IACxB,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,WAAW;IAC1B;;OAEG;IACH,MAAM,EAAE,gBAAgB,CAAA;IACxB,UAAU,EAAE,aAAa,EAAE,CAAA;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B;;OAEG;IACH,MAAM,EAAE,gBAAgB,CAAA;IAExB;;OAEG;IACH,WAAW,EAAE,OAAO,CAAA;IAEpB;;OAEG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAA;IAEnC;;OAEG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAA;IAEnC;;OAEG;IACH,WAAW,CAAC,EAAE,WAAW,CAAA;IAEzB;;OAEG;IACH,WAAW,CAAC,EAAE,WAAW,CAAA;IAEzB;;OAEG;IACH,0BAA0B,CAAC,EAAE,gBAAgB,GAAG,SAAS,CAAA;CAC1D"}
|
|
@@ -85,5 +85,14 @@ export interface StatementExplain {
|
|
|
85
85
|
principals?: PrincipalExplain | PrincipalExplain[];
|
|
86
86
|
notPrincipals?: PrincipalExplain | PrincipalExplain[];
|
|
87
87
|
conditions?: ConditionExplain[];
|
|
88
|
+
/**
|
|
89
|
+
* The statement was denied because the resource policy has a NotPrincipal in a Deny
|
|
90
|
+
* statement and the principal has a Permission Boundary.
|
|
91
|
+
*
|
|
92
|
+
* This will always resolve to to Deny.
|
|
93
|
+
*
|
|
94
|
+
* https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
|
|
95
|
+
*/
|
|
96
|
+
denyBecauseNpInRpAndPb?: boolean;
|
|
88
97
|
}
|
|
89
98
|
//# sourceMappingURL=statementExplain.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"statementExplain.d.ts","sourceRoot":"","sources":["../../../src/explain/statementExplain.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,qBAAqB,GAC7B,OAAO,GACP,SAAS,GACT,mBAAmB,GACnB,kBAAkB,GAClB,kBAAkB,CAAA;AAEtB,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,EAAE,OAAO,CAAA;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAA;IAChB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;IACjB,OAAO,EAAE,OAAO,CAAA;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,qBAAqB,CAAA;IAC9B,iBAAiB,CAAC,EAAE,MAAM,CAAA;IAC1B,iBAAiB,CAAC,EAAE,MAAM,CAAA;IAC1B,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAClB;AAED,MAAM,WAAW,qBAAqB;IACpC,KAAK,EAAE,MAAM,CAAA;IACb,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,OAAO,EAAE,OAAO,CAAA;IAChB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;IACzB,sBAAsB,CAAC,EAAE,MAAM,EAAE,CAAA;IACjC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAClB;AAED,MAAM,WAAW,gBAAgB;IAC/B;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAA;IAEhB;;OAEG;IACH,iBAAiB,EAAE,MAAM,CAAA;IAEzB;;OAEG;IACH,yBAAyB,CAAC,EAAE,MAAM,CAAA;IAClC,MAAM,EAAE,qBAAqB,GAAG,qBAAqB,EAAE,CAAA;IAEvD;;OAEG;IACH,eAAe,CAAC,EAAE,MAAM,EAAE,CAAA;IAE1B;;OAEG;IACH,OAAO,EAAE,OAAO,CAAA;IAEhB;;OAEG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAA;IAE/B;;OAEG;IACH,oBAAoB,CAAC,EAAE,OAAO,CAAA;IAE9B;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAA;IAE5B;;;OAGG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAA;IAC/B;;OAEG;IACH,eAAe,CAAC,EAAE,OAAO,CAAA;CAC1B;AAED,MAAM,WAAW,gBAAgB;IAC/B,WAAW,EAAE,OAAO,CAAA;IACpB,aAAa,EAAE,OAAO,CAAA;IACtB,cAAc,EAAE,qBAAqB,CAAA;IACrC,cAAc,EAAE,OAAO,CAAA;IAEvB,OAAO,EAAE,OAAO,CAAA;IAChB,UAAU,EAAE,MAAM,CAAA;IAClB,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,CAAC,EAAE,aAAa,GAAG,aAAa,EAAE,CAAA;IACzC,UAAU,CAAC,EAAE,aAAa,GAAG,aAAa,EAAE,CAAA;IAC5C,SAAS,CAAC,EAAE,eAAe,GAAG,eAAe,EAAE,CAAA;IAC/C,YAAY,CAAC,EAAE,eAAe,GAAG,eAAe,EAAE,CAAA;IAClD,UAAU,CAAC,EAAE,gBAAgB,GAAG,gBAAgB,EAAE,CAAA;IAClD,aAAa,CAAC,EAAE,gBAAgB,GAAG,gBAAgB,EAAE,CAAA;IACrD,UAAU,CAAC,EAAE,gBAAgB,EAAE,CAAA;
|
|
1
|
+
{"version":3,"file":"statementExplain.d.ts","sourceRoot":"","sources":["../../../src/explain/statementExplain.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,qBAAqB,GAC7B,OAAO,GACP,SAAS,GACT,mBAAmB,GACnB,kBAAkB,GAClB,kBAAkB,CAAA;AAEtB,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,EAAE,OAAO,CAAA;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAA;IAChB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;IACjB,OAAO,EAAE,OAAO,CAAA;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,qBAAqB,CAAA;IAC9B,iBAAiB,CAAC,EAAE,MAAM,CAAA;IAC1B,iBAAiB,CAAC,EAAE,MAAM,CAAA;IAC1B,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAClB;AAED,MAAM,WAAW,qBAAqB;IACpC,KAAK,EAAE,MAAM,CAAA;IACb,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,OAAO,EAAE,OAAO,CAAA;IAChB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;IACzB,sBAAsB,CAAC,EAAE,MAAM,EAAE,CAAA;IACjC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAClB;AAED,MAAM,WAAW,gBAAgB;IAC/B;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAA;IAEhB;;OAEG;IACH,iBAAiB,EAAE,MAAM,CAAA;IAEzB;;OAEG;IACH,yBAAyB,CAAC,EAAE,MAAM,CAAA;IAClC,MAAM,EAAE,qBAAqB,GAAG,qBAAqB,EAAE,CAAA;IAEvD;;OAEG;IACH,eAAe,CAAC,EAAE,MAAM,EAAE,CAAA;IAE1B;;OAEG;IACH,OAAO,EAAE,OAAO,CAAA;IAEhB;;OAEG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAA;IAE/B;;OAEG;IACH,oBAAoB,CAAC,EAAE,OAAO,CAAA;IAE9B;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAA;IAE5B;;;OAGG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAA;IAC/B;;OAEG;IACH,eAAe,CAAC,EAAE,OAAO,CAAA;CAC1B;AAED,MAAM,WAAW,gBAAgB;IAC/B,WAAW,EAAE,OAAO,CAAA;IACpB,aAAa,EAAE,OAAO,CAAA;IACtB,cAAc,EAAE,qBAAqB,CAAA;IACrC,cAAc,EAAE,OAAO,CAAA;IAEvB,OAAO,EAAE,OAAO,CAAA;IAChB,UAAU,EAAE,MAAM,CAAA;IAClB,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,CAAC,EAAE,aAAa,GAAG,aAAa,EAAE,CAAA;IACzC,UAAU,CAAC,EAAE,aAAa,GAAG,aAAa,EAAE,CAAA;IAC5C,SAAS,CAAC,EAAE,eAAe,GAAG,eAAe,EAAE,CAAA;IAC/C,YAAY,CAAC,EAAE,eAAe,GAAG,eAAe,EAAE,CAAA;IAClD,UAAU,CAAC,EAAE,gBAAgB,GAAG,gBAAgB,EAAE,CAAA;IAClD,aAAa,CAAC,EAAE,gBAAgB,GAAG,gBAAgB,EAAE,CAAA;IACrD,UAAU,CAAC,EAAE,gBAAgB,EAAE,CAAA;IAE/B;;;;;;;OAOG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAA;CACjC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"statementExplain.js","sourceRoot":"","sources":["../../../src/explain/statementExplain.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"statementExplain.js","sourceRoot":"","sources":["../../../src/explain/statementExplain.ts"],"names":[],"mappings":";;AAuHA;;;EAGE"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAA;AAEhD,OAAO,EAAE,2BAA2B,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAEvF;;GAEG;AACH,qBAAa,wBAAyB,YAAW,iBAAiB;IACzD,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe;
|
|
1
|
+
{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAA;AAEhD,OAAO,EAAE,2BAA2B,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAEvF;;GAEG;AACH,qBAAa,wBAAyB,YAAW,iBAAiB;IACzD,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe;CA8JxE"}
|
|
@@ -8,6 +8,7 @@ const util_js_1 = require("../util.js");
|
|
|
8
8
|
class DefaultServiceAuthorizer {
|
|
9
9
|
authorize(request) {
|
|
10
10
|
const scpResult = request.scpAnalysis.result;
|
|
11
|
+
const rcpResult = request.rcpAnalysis.result;
|
|
11
12
|
const identityStatementResult = request.identityAnalysis.result;
|
|
12
13
|
const resourcePolicyResult = request.resourceAnalysis?.result;
|
|
13
14
|
const permissionBoundaryResult = request.permissionBoundaryAnalysis?.result;
|
|
@@ -18,6 +19,7 @@ class DefaultServiceAuthorizer {
|
|
|
18
19
|
sameAccount,
|
|
19
20
|
identityAnalysis: request.identityAnalysis,
|
|
20
21
|
scpAnalysis: request.scpAnalysis,
|
|
22
|
+
rcpAnalysis: request.rcpAnalysis,
|
|
21
23
|
resourceAnalysis: request.resourceAnalysis,
|
|
22
24
|
permissionBoundaryAnalysis: request.permissionBoundaryAnalysis
|
|
23
25
|
};
|
|
@@ -27,6 +29,12 @@ class DefaultServiceAuthorizer {
|
|
|
27
29
|
...baseResult
|
|
28
30
|
};
|
|
29
31
|
}
|
|
32
|
+
if (rcpResult !== 'Allowed') {
|
|
33
|
+
return {
|
|
34
|
+
result: rcpResult,
|
|
35
|
+
...baseResult
|
|
36
|
+
};
|
|
37
|
+
}
|
|
30
38
|
if (resourcePolicyResult === 'ExplicitlyDenied' ||
|
|
31
39
|
resourcePolicyResult === 'DeniedForAccount') {
|
|
32
40
|
return {
|
|
@@ -120,9 +128,8 @@ class DefaultServiceAuthorizer {
|
|
|
120
128
|
};
|
|
121
129
|
/**
|
|
122
130
|
* Add checks for:
|
|
131
|
+
* * root user - can override resource policies for most resource types
|
|
123
132
|
* * session policies
|
|
124
|
-
* * resource control policies
|
|
125
|
-
* * root user
|
|
126
133
|
* * service linked roles
|
|
127
134
|
* * vpc endpoint policies
|
|
128
135
|
* * organization APIs and delegated admin policy
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":";;;AACA,wCAA+E;AAG/E;;GAEG;AACH,MAAa,wBAAwB;IAC5B,SAAS,CAAC,OAAoC;QACnD,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,uBAAuB,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAA;QAC/D,MAAM,oBAAoB,GAAG,OAAO,CAAC,gBAAgB,EAAE,MAAM,CAAA;QAC7D,MAAM,wBAAwB,GAAG,OAAO,CAAC,0BAA0B,EAAE,MAAM,CAAA;QAE3E,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;QAC7D,MAAM,WAAW,GAAG,gBAAgB,KAAK,eAAe,CAAA;QAExD,MAAM,UAAU,
|
|
1
|
+
{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":";;;AACA,wCAA+E;AAG/E;;GAEG;AACH,MAAa,wBAAwB;IAC5B,SAAS,CAAC,OAAoC;QACnD,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,uBAAuB,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAA;QAC/D,MAAM,oBAAoB,GAAG,OAAO,CAAC,gBAAgB,EAAE,MAAM,CAAA;QAC7D,MAAM,wBAAwB,GAAG,OAAO,CAAC,0BAA0B,EAAE,MAAM,CAAA;QAE3E,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;QAC7D,MAAM,WAAW,GAAG,gBAAgB,KAAK,eAAe,CAAA;QAExD,MAAM,UAAU,GAQZ;YACF,WAAW;YACX,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,0BAA0B,EAAE,OAAO,CAAC,0BAA0B;SAC/D,CAAA;QAED,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IACE,oBAAoB,KAAK,kBAAkB;YAC3C,oBAAoB,KAAK,kBAAkB,EAC3C,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,uBAAuB,KAAK,kBAAkB,EAAE,CAAC;YACnD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACpD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,cAAc;QACd,IAAI,gBAAgB,KAAK,eAAe,EAAE,CAAC;YACzC,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;gBACpD;;;;;;;mBAOG;gBACH,IAAI,oBAAoB,KAAK,SAAS,EAAE,CAAC;oBACvC,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;oBACnD,IACE,IAAA,0BAAgB,EAAC,SAAS,CAAC;wBAC3B,IAAA,sBAAY,EAAC,SAAS,CAAC;wBACvB,IAAA,4BAAkB,EAAC,SAAS,CAAC,EAC7B,CAAC;wBACD,IACE,OAAO,CAAC,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC3C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,OAAO,CACpD,EACD,CAAC;4BACD,OAAO;gCACL,MAAM,EAAE,SAAS;gCACjB,GAAG,UAAU;6BACd,CAAA;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;gBACD,OAAO;oBACL,MAAM,EAAE,kBAAkB;oBAC1B,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YAED;;;;;;;;cAQE;YACF,IAAI,oBAAoB,KAAK,SAAS,IAAI,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBAChF,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,eAAe;QACf,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACpD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,oBAAoB,KAAK,SAAS,IAAI,oBAAoB,KAAK,mBAAmB,EAAE,CAAC;YACvF,IAAI,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBAC1C,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,OAAO;YACL,MAAM,EAAE,kBAAkB;YAC1B,GAAG,UAAU;SACd,CAAA;QAED;;;;;;;WAOG;IACL,CAAC;CACF;AA/JD,4DA+JC"}
|
|
@@ -1,10 +1,11 @@
|
|
|
1
|
-
import { IdentityAnalysis, RequestAnalysis, ResourceAnalysis, ScpAnalysis } from '../evaluate.js';
|
|
1
|
+
import { IdentityAnalysis, RcpAnalysis, RequestAnalysis, ResourceAnalysis, ScpAnalysis } from '../evaluate.js';
|
|
2
2
|
import { AwsRequest } from '../request/request.js';
|
|
3
3
|
export interface ServiceAuthorizationRequest {
|
|
4
4
|
request: AwsRequest;
|
|
5
5
|
identityAnalysis: IdentityAnalysis;
|
|
6
6
|
scpAnalysis: ScpAnalysis;
|
|
7
7
|
resourceAnalysis: ResourceAnalysis;
|
|
8
|
+
rcpAnalysis: RcpAnalysis;
|
|
8
9
|
permissionBoundaryAnalysis: IdentityAnalysis | undefined;
|
|
9
10
|
}
|
|
10
11
|
export interface ServiceAuthorizer {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/ServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,
|
|
1
|
+
{"version":3,"file":"ServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/ServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAChB,WAAW,EACX,eAAe,EACf,gBAAgB,EAChB,WAAW,EACZ,MAAM,gBAAgB,CAAA;AACvB,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAA;AAElD,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,UAAU,CAAA;IACnB,gBAAgB,EAAE,gBAAgB,CAAA;IAClC,WAAW,EAAE,WAAW,CAAA;IACxB,gBAAgB,EAAE,gBAAgB,CAAA;IAClC,WAAW,EAAE,WAAW,CAAA;IACxB,0BAA0B,EAAE,gBAAgB,GAAG,SAAS,CAAA;CACzD;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe,CAAA;CACjE"}
|
|
@@ -19,6 +19,18 @@ export interface Simulation {
|
|
|
19
19
|
policy: any;
|
|
20
20
|
}[];
|
|
21
21
|
}[];
|
|
22
|
+
/**
|
|
23
|
+
* The resource control policies for the simulation.
|
|
24
|
+
* One per level of the OU/Account hierarchy.
|
|
25
|
+
* The default Resource Control Policy, RCPFullAWSAccess, is automatically added to the simulation.
|
|
26
|
+
*/
|
|
27
|
+
resourceControlPolicies: {
|
|
28
|
+
orgIdentifier: string;
|
|
29
|
+
policies: {
|
|
30
|
+
name: string;
|
|
31
|
+
policy: any;
|
|
32
|
+
}[];
|
|
33
|
+
}[];
|
|
22
34
|
resourcePolicy?: any;
|
|
23
35
|
permissionBoundaryPolicies?: {
|
|
24
36
|
name: string;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"simulation.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulation.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,CAAA;QACjB,MAAM,EAAE,MAAM,CAAA;QACd,QAAQ,EAAE;YACR,QAAQ,EAAE,MAAM,CAAA;YAChB,SAAS,EAAE,MAAM,CAAA;SAClB,CAAA;QACD,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAA;KACpD,CAAA;IAED,gBAAgB,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,GAAG,CAAA;KAAE,EAAE,CAAA;
|
|
1
|
+
{"version":3,"file":"simulation.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulation.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,CAAA;QACjB,MAAM,EAAE,MAAM,CAAA;QACd,QAAQ,EAAE;YACR,QAAQ,EAAE,MAAM,CAAA;YAChB,SAAS,EAAE,MAAM,CAAA;SAClB,CAAA;QACD,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAA;KACpD,CAAA;IAED,gBAAgB,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,GAAG,CAAA;KAAE,EAAE,CAAA;IAEjD,sBAAsB,EAAE;QACtB,aAAa,EAAE,MAAM,CAAA;QACrB,QAAQ,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,GAAG,CAAA;SAAE,EAAE,CAAA;KAC1C,EAAE,CAAA;IAEH;;;;OAIG;IACH,uBAAuB,EAAE;QACvB,aAAa,EAAE,MAAM,CAAA;QACrB,QAAQ,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,GAAG,CAAA;SAAE,EAAE,CAAA;KAC1C,EAAE,CAAA;IAEH,cAAc,CAAC,EAAE,GAAG,CAAA;IACpB,0BAA0B,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,GAAG,CAAA;KAAE,EAAE,CAAA;CAC7D"}
|
|
@@ -5,6 +5,8 @@ import { SimulationOptions } from './simulationOptions.js';
|
|
|
5
5
|
export interface SimulationErrors {
|
|
6
6
|
identityPolicyErrors?: Record<string, ValidationError[]>;
|
|
7
7
|
seviceControlPolicyErrors?: Record<string, ValidationError[]>;
|
|
8
|
+
resourceControlPolicyErrors?: Record<string, ValidationError[]>;
|
|
9
|
+
permissionBoundaryErrors?: Record<string, ValidationError[]>;
|
|
8
10
|
resourcePolicyErrors?: ValidationError[];
|
|
9
11
|
message: string;
|
|
10
12
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"simulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":"AACA,OAAO,
|
|
1
|
+
{"version":3,"file":"simulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":"AACA,OAAO,EAOL,eAAe,EAChB,MAAM,2BAA2B,CAAA;AAIlC,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAA;AAKhD,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAA;AAC5C,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAiB1D,MAAM,WAAW,gBAAgB;IAC/B,oBAAoB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAA;IACxD,yBAAyB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAA;IAC7D,2BAA2B,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAA;IAC/D,wBAAwB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAA;IAC5D,oBAAoB,CAAC,EAAE,eAAe,EAAE,CAAA;IACxC,OAAO,EAAE,MAAM,CAAA;CAChB;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,CAAC,EAAE,gBAAgB,CAAA;IACzB,QAAQ,CAAC,EAAE,eAAe,CAAA;IAE1B;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB;;;;;;;;OAQG;IACH,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAA;CAC9B;AAED;;;;;;GAMG;AACH,wBAAsB,aAAa,CACjC,UAAU,EAAE,UAAU,EACtB,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAC5C,OAAO,CAAC,gBAAgB,CAAC,CAmL3B;AAED,wBAAsB,6BAA6B,CAAC,UAAU,EAAE,UAAU,GAAG,OAAO,CAAC;IACnF,kBAAkB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAA;IACrD,kBAAkB,EAAE,MAAM,EAAE,CAAA;CAC7B,CAAC,CAoCD"}
|