@cloud-copilot/iam-simulate 0.1.22 → 0.1.24
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +155 -2
- package/dist/cjs/core_engine/{coreSimulatorEngine.d.ts → CoreSimulatorEngine.d.ts} +16 -11
- package/dist/cjs/core_engine/CoreSimulatorEngine.d.ts.map +1 -0
- package/dist/cjs/core_engine/{coreSimulatorEngine.js → CoreSimulatorEngine.js} +41 -14
- package/dist/cjs/core_engine/CoreSimulatorEngine.js.map +1 -0
- package/dist/cjs/evaluate.d.ts +28 -1
- package/dist/cjs/evaluate.d.ts.map +1 -1
- package/dist/cjs/explain/statementExplain.d.ts +9 -0
- package/dist/cjs/explain/statementExplain.d.ts.map +1 -1
- package/dist/cjs/explain/statementExplain.js.map +1 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.d.ts +9 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.d.ts.map +1 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.js +26 -4
- package/dist/cjs/services/DefaultServiceAuthorizer.js.map +1 -1
- package/dist/cjs/services/KmsServiceAuthorizer.d.ts +16 -0
- package/dist/cjs/services/KmsServiceAuthorizer.d.ts.map +1 -0
- package/dist/cjs/services/KmsServiceAuthorizer.js +21 -0
- package/dist/cjs/services/KmsServiceAuthorizer.js.map +1 -0
- package/dist/cjs/services/ServiceAuthorizer.d.ts +2 -1
- package/dist/cjs/services/ServiceAuthorizer.d.ts.map +1 -1
- package/dist/cjs/services/StsServiceAuthorizer.d.ts +16 -0
- package/dist/cjs/services/StsServiceAuthorizer.d.ts.map +1 -0
- package/dist/cjs/services/StsServiceAuthorizer.js +24 -0
- package/dist/cjs/services/StsServiceAuthorizer.js.map +1 -0
- package/dist/cjs/simulation_engine/simulation.d.ts +12 -0
- package/dist/cjs/simulation_engine/simulation.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/simulationEngine.d.ts +2 -0
- package/dist/cjs/simulation_engine/simulationEngine.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/simulationEngine.js +40 -2
- package/dist/cjs/simulation_engine/simulationEngine.js.map +1 -1
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.js +11 -2
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.js.map +1 -1
- package/dist/esm/core_engine/{coreSimulatorEngine.d.ts → CoreSimulatorEngine.d.ts} +16 -11
- package/dist/esm/core_engine/CoreSimulatorEngine.d.ts.map +1 -0
- package/dist/esm/core_engine/{coreSimulatorEngine.js → CoreSimulatorEngine.js} +40 -13
- package/dist/esm/core_engine/CoreSimulatorEngine.js.map +1 -0
- package/dist/esm/evaluate.d.ts +28 -1
- package/dist/esm/evaluate.d.ts.map +1 -1
- package/dist/esm/explain/statementExplain.d.ts +9 -0
- package/dist/esm/explain/statementExplain.d.ts.map +1 -1
- package/dist/esm/explain/statementExplain.js.map +1 -1
- package/dist/esm/services/DefaultServiceAuthorizer.d.ts +9 -1
- package/dist/esm/services/DefaultServiceAuthorizer.d.ts.map +1 -1
- package/dist/esm/services/DefaultServiceAuthorizer.js +26 -4
- package/dist/esm/services/DefaultServiceAuthorizer.js.map +1 -1
- package/dist/esm/services/KmsServiceAuthorizer.d.ts +16 -0
- package/dist/esm/services/KmsServiceAuthorizer.d.ts.map +1 -0
- package/dist/esm/services/KmsServiceAuthorizer.js +17 -0
- package/dist/esm/services/KmsServiceAuthorizer.js.map +1 -0
- package/dist/esm/services/ServiceAuthorizer.d.ts +2 -1
- package/dist/esm/services/ServiceAuthorizer.d.ts.map +1 -1
- package/dist/esm/services/StsServiceAuthorizer.d.ts +16 -0
- package/dist/esm/services/StsServiceAuthorizer.d.ts.map +1 -0
- package/dist/esm/services/StsServiceAuthorizer.js +20 -0
- package/dist/esm/services/StsServiceAuthorizer.js.map +1 -0
- package/dist/esm/simulation_engine/simulation.d.ts +12 -0
- package/dist/esm/simulation_engine/simulation.d.ts.map +1 -1
- package/dist/esm/simulation_engine/simulationEngine.d.ts +2 -0
- package/dist/esm/simulation_engine/simulationEngine.d.ts.map +1 -1
- package/dist/esm/simulation_engine/simulationEngine.js +40 -2
- package/dist/esm/simulation_engine/simulationEngine.js.map +1 -1
- package/dist/esm/simulation_engine/unsafeSimulationEngine.d.ts.map +1 -1
- package/dist/esm/simulation_engine/unsafeSimulationEngine.js +10 -1
- package/dist/esm/simulation_engine/unsafeSimulationEngine.js.map +1 -1
- package/package.json +1 -1
- package/dist/cjs/core_engine/coreSimulatorEngine.d.ts.map +0 -1
- package/dist/cjs/core_engine/coreSimulatorEngine.js.map +0 -1
- package/dist/esm/core_engine/coreSimulatorEngine.d.ts.map +0 -1
- package/dist/esm/core_engine/coreSimulatorEngine.js.map +0 -1
package/README.md
CHANGED
|
@@ -1,5 +1,158 @@
|
|
|
1
1
|
# IAM Simulate
|
|
2
2
|
|
|
3
|
-
|
|
3
|
+
An AWS IAM Simulator and Policy Tester built as a Node/Typescript library.
|
|
4
4
|
|
|
5
|
-
|
|
5
|
+
The simulator currently supports these features of AWS IAM
|
|
6
|
+
|
|
7
|
+
### IAM Feature Support
|
|
8
|
+
|
|
9
|
+
- Identity Policies
|
|
10
|
+
- Resource Policies
|
|
11
|
+
- Service Control Policies
|
|
12
|
+
- Resource Control Policies
|
|
13
|
+
- Permission Boundaries
|
|
14
|
+
- All [AWS Condition Operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html)
|
|
15
|
+
- Same Account and Cross Account Requests
|
|
16
|
+
- Custom trust behavior for IAM Trust Policies and KMS Key Policies
|
|
17
|
+
|
|
18
|
+
### Request Validation
|
|
19
|
+
|
|
20
|
+
iam-simulate will automatically validate inputs including
|
|
21
|
+
|
|
22
|
+
- IAM policies using [iam-policy](https://github.com/cloud-copilot/iam-policy)
|
|
23
|
+
- IAM Actions using [iam-data](https://github.com/cloud-copilot/iam-data)
|
|
24
|
+
- The resource ARN against allowed resource types for the action
|
|
25
|
+
- The context keys allowed for the action/resource and their types.
|
|
26
|
+
|
|
27
|
+
Currently all [global condition keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) are allowed for all requests which is not strictly true. More validation will be added in the future.
|
|
28
|
+
|
|
29
|
+
### Explanation
|
|
30
|
+
|
|
31
|
+
iam-simulate will detail which statements were decisive in the final decision to allow or deny a request.
|
|
32
|
+
|
|
33
|
+
It will also return "explains" for each statement that was evaluated, detailing why that statement applied to the request or not.
|
|
34
|
+
|
|
35
|
+
### Features Coming Soon
|
|
36
|
+
|
|
37
|
+
- Session Policies
|
|
38
|
+
- Validation of Global Condition Keys for each action
|
|
39
|
+
- Automatically populating context keys from the request such as `aws:PrincipalServiceName`
|
|
40
|
+
- Support for anonymous requests
|
|
41
|
+
|
|
42
|
+
## Installation
|
|
43
|
+
|
|
44
|
+
```bash
|
|
45
|
+
npm install @cloud-copilot/iam-simulate
|
|
46
|
+
```
|
|
47
|
+
|
|
48
|
+
## Usage
|
|
49
|
+
|
|
50
|
+
```typescript
|
|
51
|
+
import { runSimulation, type Simulation } from '@cloud-copilot/iam-simulate'
|
|
52
|
+
|
|
53
|
+
const simulation: Simulation = {
|
|
54
|
+
identityPolicies: [
|
|
55
|
+
{
|
|
56
|
+
name: 'userpolicy',
|
|
57
|
+
policy: {
|
|
58
|
+
Version: '2012-10-17',
|
|
59
|
+
Statement: [
|
|
60
|
+
{
|
|
61
|
+
Effect: 'Allow',
|
|
62
|
+
Action: ['s3:GetObject'],
|
|
63
|
+
Resource: ['arn:aws:s3:::mybucket/*']
|
|
64
|
+
}
|
|
65
|
+
]
|
|
66
|
+
}
|
|
67
|
+
}
|
|
68
|
+
],
|
|
69
|
+
serviceControlPolicies: [
|
|
70
|
+
{
|
|
71
|
+
orgIdentifier: 'ou-12345',
|
|
72
|
+
policies: [
|
|
73
|
+
{
|
|
74
|
+
name: 'AllowAll',
|
|
75
|
+
policy: {
|
|
76
|
+
Version: '2012-10-17',
|
|
77
|
+
Statement: [
|
|
78
|
+
{
|
|
79
|
+
Effect: 'Allow',
|
|
80
|
+
Action: '*',
|
|
81
|
+
Resource: '*'
|
|
82
|
+
}
|
|
83
|
+
]
|
|
84
|
+
}
|
|
85
|
+
}
|
|
86
|
+
]
|
|
87
|
+
}
|
|
88
|
+
],
|
|
89
|
+
resourcePolicy: {
|
|
90
|
+
Version: '2012-10-17',
|
|
91
|
+
Statement: [
|
|
92
|
+
{
|
|
93
|
+
Effect: 'Allow',
|
|
94
|
+
Action: ['s3:GetObject'],
|
|
95
|
+
Resource: ['arn:aws:s3:::mybucket/*'],
|
|
96
|
+
Principal: 'aws:arn:iam::123456789012:root',
|
|
97
|
+
Condition: {
|
|
98
|
+
StringEquals: {
|
|
99
|
+
'aws:PrincipalOrgID': 'o-123456789012'
|
|
100
|
+
}
|
|
101
|
+
}
|
|
102
|
+
}
|
|
103
|
+
]
|
|
104
|
+
},
|
|
105
|
+
request: {
|
|
106
|
+
action: 's3:GetObject',
|
|
107
|
+
principal: 'arn:aws:iam::123456789012:user/username',
|
|
108
|
+
resource: {
|
|
109
|
+
accountId: '123456789012',
|
|
110
|
+
resource: 'arn:aws:s3:::mybucket/file.txt'
|
|
111
|
+
},
|
|
112
|
+
contextVariables: {
|
|
113
|
+
'aws:PrincipalOrgID': 'o-123456789012'
|
|
114
|
+
}
|
|
115
|
+
}
|
|
116
|
+
}
|
|
117
|
+
|
|
118
|
+
const result = await runSimulation(simulation, {})
|
|
119
|
+
//Check for validation errors:
|
|
120
|
+
if (result.errors) {
|
|
121
|
+
console.log(result.errors.message)
|
|
122
|
+
console.log(JSON.stringify(result.errors, null, 2))
|
|
123
|
+
}
|
|
124
|
+
|
|
125
|
+
//The simulation ran successfully
|
|
126
|
+
if (result.analysis) {
|
|
127
|
+
console.log(result.analysis.result) // 'Allowed', 'ExplicityDenied', or 'ImplicitlyDenied'
|
|
128
|
+
|
|
129
|
+
//Output the identity statements that allowed the request
|
|
130
|
+
const identityAllowExplains =
|
|
131
|
+
result?.analysis?.identityAnalysis?.allowStatements.map((s) => s.explain) || []
|
|
132
|
+
//Show which statements applied and exactly how.
|
|
133
|
+
for (const explain of identityAllowExplains) {
|
|
134
|
+
console.log(explain)
|
|
135
|
+
}
|
|
136
|
+
}
|
|
137
|
+
```
|
|
138
|
+
|
|
139
|
+
This would output an explain that shows how the identity statement was evaluated:
|
|
140
|
+
|
|
141
|
+
```javascript
|
|
142
|
+
{
|
|
143
|
+
effect: 'Allow',
|
|
144
|
+
identifier: '1',
|
|
145
|
+
matches: true,
|
|
146
|
+
actionMatch: true,
|
|
147
|
+
principalMatch: 'Match',
|
|
148
|
+
resourceMatch: true,
|
|
149
|
+
conditionMatch: true,
|
|
150
|
+
resources: [
|
|
151
|
+
{
|
|
152
|
+
resource: 'arn:aws:s3:::mybucket/*',
|
|
153
|
+
matches: true,
|
|
154
|
+
}
|
|
155
|
+
],
|
|
156
|
+
actions: [ { action: 's3:GetObject', matches: true } ],
|
|
157
|
+
}
|
|
158
|
+
```
|
|
@@ -1,11 +1,11 @@
|
|
|
1
1
|
import { Policy } from '@cloud-copilot/iam-policy';
|
|
2
|
-
import { IdentityAnalysis, RequestAnalysis, ResourceAnalysis, ScpAnalysis } from '../evaluate.js';
|
|
2
|
+
import { IdentityAnalysis, RcpAnalysis, RequestAnalysis, ResourceAnalysis, ScpAnalysis } from '../evaluate.js';
|
|
3
3
|
import { AwsRequest } from '../request/request.js';
|
|
4
4
|
import { ServiceAuthorizer } from '../services/ServiceAuthorizer.js';
|
|
5
5
|
/**
|
|
6
|
-
* A set of service control policies for each level of an organization tree
|
|
6
|
+
* A set of service or resource control policies for each level of an organization tree
|
|
7
7
|
*/
|
|
8
|
-
export interface
|
|
8
|
+
export interface ControlPolicies {
|
|
9
9
|
/**
|
|
10
10
|
* The organization identifier for the organizational unit these policies apply to.
|
|
11
11
|
*/
|
|
@@ -29,9 +29,14 @@ export interface AuthorizationRequest {
|
|
|
29
29
|
identityPolicies: Policy[];
|
|
30
30
|
/**
|
|
31
31
|
* The service control policies that apply to the principal making the request. In
|
|
32
|
-
* order of the orgnaization hierarchy. So the root ou
|
|
32
|
+
* order of the orgnaization hierarchy. So the root ou SCPs should be first.
|
|
33
33
|
*/
|
|
34
|
-
serviceControlPolicies:
|
|
34
|
+
serviceControlPolicies: ControlPolicies[];
|
|
35
|
+
/**
|
|
36
|
+
* The resource control policies that apply to the resource being accessed. In
|
|
37
|
+
* order of the orgnaization hierarchy. So the root ou RCPs should be first.
|
|
38
|
+
*/
|
|
39
|
+
resourceControlPolicies: ControlPolicies[];
|
|
35
40
|
/**
|
|
36
41
|
* The resource policy that applies to the resource being accessed.
|
|
37
42
|
*/
|
|
@@ -67,13 +72,13 @@ export declare function getServiceAuthorizer(request: AuthorizationRequest): Ser
|
|
|
67
72
|
*/
|
|
68
73
|
export declare function analyzeIdentityPolicies(identityPolicies: Policy[], request: AwsRequest): IdentityAnalysis;
|
|
69
74
|
/**
|
|
70
|
-
* Analyzes a set of service control policies and the statements within them.
|
|
75
|
+
* Analyzes a set of service or resource control policies and the statements within them.
|
|
71
76
|
*
|
|
72
|
-
* @param
|
|
77
|
+
* @param controlPolicies the control policies to analyze
|
|
73
78
|
* @param request the request to analyze against
|
|
74
|
-
* @returns an array of SCP analysis results
|
|
79
|
+
* @returns an array of SCP or RCP analysis results
|
|
75
80
|
*/
|
|
76
|
-
export declare function
|
|
81
|
+
export declare function analyzeControlPolicies(controlPolicies: ControlPolicies[], request: AwsRequest): ScpAnalysis | RcpAnalysis;
|
|
77
82
|
/**
|
|
78
83
|
* Analyze a resource policy and return the results
|
|
79
84
|
*
|
|
@@ -81,6 +86,6 @@ export declare function analyzeServiceControlPolicies(serviceControlPolicies: Se
|
|
|
81
86
|
* @param request the request to analyze against
|
|
82
87
|
* @returns an array of statement analysis results
|
|
83
88
|
*/
|
|
84
|
-
export declare function analyzeResourcePolicy(resourcePolicy: Policy | undefined, request: AwsRequest): ResourceAnalysis;
|
|
89
|
+
export declare function analyzeResourcePolicy(resourcePolicy: Policy | undefined, request: AwsRequest, principalHasPermissionBoundary: boolean): ResourceAnalysis;
|
|
85
90
|
export declare function analyzePermissionBoundaryPolicies(permissionBoundaries: Policy[] | undefined, request: AwsRequest): IdentityAnalysis | undefined;
|
|
86
|
-
//# sourceMappingURL=
|
|
91
|
+
//# sourceMappingURL=CoreSimulatorEngine.d.ts.map
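Review bot: The new required parameter `principalHasPermissionBoundary` on `analyzeResourcePolicy` is not described by the JSDoc immediately above it, which still lists only `@param request` and `@returns`; since this declaration is what package consumers read, the source comment that generates it should gain `* @param principalHasPermissionBoundary true when the principal has a permissions boundary attached; Deny statements that use NotPrincipal are then treated as matching the principal`, which is the behaviour the compiled `CoreSimulatorEngine.js` in this diff implements. Making the parameter required also changes the exported signature, so any direct caller of `analyzeResourcePolicy` outside `authorize` breaks on upgrade — worth a changelog line if intended. The two new doc comments on `serviceControlPolicies` and `resourceControlPolicies` both misspell "organization" as "orgnaization". The `AuthorizationRequest` interface and the documented functions continue outside these hunks.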
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"CoreSimulatorEngine.d.ts","sourceRoot":"","sources":["../../../src/core_engine/CoreSimulatorEngine.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAa,MAAM,2BAA2B,CAAA;AAG7D,OAAO,EAEL,gBAAgB,EAEhB,WAAW,EACX,eAAe,EACf,gBAAgB,EAChB,WAAW,EACZ,MAAM,gBAAgB,CAAA;AAGvB,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAA;AAIlD,OAAO,EAAE,iBAAiB,EAAE,MAAM,kCAAkC,CAAA;AASpE;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B;;OAEG;IACH,aAAa,EAAE,MAAM,CAAA;IAErB;;OAEG;IACH,QAAQ,EAAE,MAAM,EAAE,CAAA;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC;;OAEG;IACH,OAAO,EAAE,UAAU,CAAA;IAEnB;;OAEG;IACH,gBAAgB,EAAE,MAAM,EAAE,CAAA;IAE1B;;;OAGG;IACH,sBAAsB,EAAE,eAAe,EAAE,CAAA;IAEzC;;;OAGG;IACH,uBAAuB,EAAE,eAAe,EAAE,CAAA;IAE1C;;OAEG;IACH,cAAc,EAAE,MAAM,GAAG,SAAS,CAAA;IAElC;;OAEG;IACH,oBAAoB,EAAE,MAAM,EAAE,GAAG,SAAS,CAAA;CAC3C;AAOD;;;;;;;GAOG;AACH,wBAAgB,SAAS,CAAC,OAAO,EAAE,oBAAoB,GAAG,eAAe,CA+BxE;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,oBAAoB,GAAG,iBAAiB,CAMrF;AAED;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CACrC,gBAAgB,EAAE,MAAM,EAAE,EAC1B,OAAO,EAAE,UAAU,GAClB,gBAAgB,CA+DlB;AAED;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CACpC,eAAe,EAAE,eAAe,EAAE,EAClC,OAAO,EAAE,UAAU,GAClB,WAAW,GAAG,WAAW,CA6E3B;AAED;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CACnC,cAAc,EAAE,MAAM,GAAG,SAAS,EAClC,OAAO,EAAE,UAAU,EACnB,8BAA8B,EAAE,OAAO,GACtC,gBAAgB,CA+GlB;AAED,wBAAgB,iCAAiC,CAC/C,oBAAoB,EAAE,MAAM,EAAE,GAAG,SAAS,EAC1C,OAAO,EAAE,UAAU,GAClB,gBAAgB,GAAG,SAAS,CAM9B"}
|
|
@@ -3,7 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
|
|
|
3
3
|
exports.authorize = authorize;
|
|
4
4
|
exports.getServiceAuthorizer = getServiceAuthorizer;
|
|
5
5
|
exports.analyzeIdentityPolicies = analyzeIdentityPolicies;
|
|
6
|
-
exports.
|
|
6
|
+
exports.analyzeControlPolicies = analyzeControlPolicies;
|
|
7
7
|
exports.analyzeResourcePolicy = analyzeResourcePolicy;
|
|
8
8
|
exports.analyzePermissionBoundaryPolicies = analyzePermissionBoundaryPolicies;
|
|
9
9
|
const action_js_1 = require("../action/action.js");
|
|
@@ -11,8 +11,13 @@ const condition_js_1 = require("../condition/condition.js");
|
|
|
11
11
|
const principal_js_1 = require("../principal/principal.js");
|
|
12
12
|
const resource_js_1 = require("../resource/resource.js");
|
|
13
13
|
const DefaultServiceAuthorizer_js_1 = require("../services/DefaultServiceAuthorizer.js");
|
|
14
|
+
const KmsServiceAuthorizer_js_1 = require("../services/KmsServiceAuthorizer.js");
|
|
15
|
+
const StsServiceAuthorizer_js_1 = require("../services/StsServiceAuthorizer.js");
|
|
14
16
|
const StatementAnalysis_js_1 = require("../StatementAnalysis.js");
|
|
15
|
-
const serviceEngines = {
|
|
17
|
+
const serviceEngines = {
|
|
18
|
+
kms: KmsServiceAuthorizer_js_1.KmsServiceAuthorizer,
|
|
19
|
+
sts: StsServiceAuthorizer_js_1.StsServiceAuthorizer
|
|
20
|
+
};
|
|
16
21
|
/**
|
|
17
22
|
* Authorizes a request.
|
|
18
23
|
*
|
|
@@ -22,15 +27,18 @@ const serviceEngines = {};
|
|
|
22
27
|
* @returns the result of the authorization
|
|
23
28
|
*/
|
|
24
29
|
function authorize(request) {
|
|
30
|
+
const principalHasPermissionBoundary = !!request.permissionBoundaries && request.permissionBoundaries.length > 0;
|
|
25
31
|
const identityAnalysis = analyzeIdentityPolicies(request.identityPolicies, request.request);
|
|
26
32
|
const permissionBoundaryAnalysis = analyzePermissionBoundaryPolicies(request.permissionBoundaries, request.request);
|
|
27
|
-
const scpAnalysis =
|
|
28
|
-
const
|
|
33
|
+
const scpAnalysis = analyzeControlPolicies(request.serviceControlPolicies, request.request);
|
|
34
|
+
const rcpAnalysis = analyzeControlPolicies(request.resourceControlPolicies, request.request);
|
|
35
|
+
const resourceAnalysis = analyzeResourcePolicy(request.resourcePolicy, request.request, principalHasPermissionBoundary);
|
|
29
36
|
const serviceAuthorizer = getServiceAuthorizer(request);
|
|
30
37
|
return serviceAuthorizer.authorize({
|
|
31
38
|
request: request.request,
|
|
32
39
|
identityAnalysis,
|
|
33
40
|
scpAnalysis,
|
|
41
|
+
rcpAnalysis,
|
|
34
42
|
resourceAnalysis,
|
|
35
43
|
permissionBoundaryAnalysis
|
|
36
44
|
});
|
|
@@ -43,7 +51,7 @@ function authorize(request) {
|
|
|
43
51
|
* @returns the service authorizer for the request
|
|
44
52
|
*/
|
|
45
53
|
function getServiceAuthorizer(request) {
|
|
46
|
-
const serviceName = request.request.
|
|
54
|
+
const serviceName = request.request.action.service().toLowerCase();
|
|
47
55
|
if (serviceEngines[serviceName]) {
|
|
48
56
|
return new serviceEngines[serviceName]();
|
|
49
57
|
}
|
|
@@ -103,15 +111,15 @@ function analyzeIdentityPolicies(identityPolicies, request) {
|
|
|
103
111
|
return identityAnalysis;
|
|
104
112
|
}
|
|
105
113
|
/**
|
|
106
|
-
* Analyzes a set of service control policies and the statements within them.
|
|
114
|
+
* Analyzes a set of service or resource control policies and the statements within them.
|
|
107
115
|
*
|
|
108
|
-
* @param
|
|
116
|
+
* @param controlPolicies the control policies to analyze
|
|
109
117
|
* @param request the request to analyze against
|
|
110
|
-
* @returns an array of SCP analysis results
|
|
118
|
+
* @returns an array of SCP or RCP analysis results
|
|
111
119
|
*/
|
|
112
|
-
function
|
|
120
|
+
function analyzeControlPolicies(controlPolicies, request) {
|
|
113
121
|
const analysis = [];
|
|
114
|
-
for (const controlPolicy of
|
|
122
|
+
for (const controlPolicy of controlPolicies) {
|
|
115
123
|
const ouAnalysis = {
|
|
116
124
|
orgIdentifier: controlPolicy.orgIdentifier,
|
|
117
125
|
result: 'ImplicitlyDenied',
|
|
@@ -180,7 +188,7 @@ function analyzeServiceControlPolicies(serviceControlPolicies, request) {
|
|
|
180
188
|
* @param request the request to analyze against
|
|
181
189
|
* @returns an array of statement analysis results
|
|
182
190
|
*/
|
|
183
|
-
function analyzeResourcePolicy(resourcePolicy, request) {
|
|
191
|
+
function analyzeResourcePolicy(resourcePolicy, request, principalHasPermissionBoundary) {
|
|
184
192
|
const resourceAnalysis = {
|
|
185
193
|
result: 'NotApplicable',
|
|
186
194
|
allowStatements: [],
|
|
@@ -198,7 +206,26 @@ function analyzeResourcePolicy(resourcePolicy, request) {
|
|
|
198
206
|
for (const statement of resourcePolicy.statements()) {
|
|
199
207
|
const { matches: resourceMatch, details: resourceDetails } = (0, resource_js_1.requestMatchesStatementResources)(request, statement);
|
|
200
208
|
const { matches: actionMatch, details: actionDetails } = (0, action_js_1.requestMatchesStatementActions)(request, statement);
|
|
201
|
-
|
|
209
|
+
let { matches: principalMatch, details: principalDetails } = (0, principal_js_1.requestMatchesStatementPrincipals)(request, statement);
|
|
210
|
+
const permissionBoundaryDetails = {};
|
|
211
|
+
/**
|
|
212
|
+
* "Don't use resource-based policy statements that include a NotPrincipal policy element with a
|
|
213
|
+
* Deny effect for IAM users or roles that have a permissions boundary policy attached.
|
|
214
|
+
* The NotPrincipal element with a Deny effect will always deny any IAM principal that
|
|
215
|
+
* has a permissions boundary policy attached, regardless of the values specified in the
|
|
216
|
+
* NotPrincipal element. This causes some IAM users or roles that would otherwise have access
|
|
217
|
+
* to the resource to lose access. We recommend changing your resource-based policy statements
|
|
218
|
+
* to use the condition operator ArnNotEquals with the aws:PrincipalArn context key to limit
|
|
219
|
+
* access instead of the NotPrincipal element. For information about permissions boundaries, see
|
|
220
|
+
* Permissions boundaries for IAM entities."
|
|
221
|
+
* https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
|
|
222
|
+
*/
|
|
223
|
+
if (principalHasPermissionBoundary &&
|
|
224
|
+
statement.isNotPrincipalStatement() &&
|
|
225
|
+
statement.effect() === 'Deny') {
|
|
226
|
+
principalMatch = 'Match';
|
|
227
|
+
permissionBoundaryDetails.denyBecauseNpInRpAndPb = true;
|
|
228
|
+
}
|
|
202
229
|
const { matches: conditionMatch, details: conditionDetails } = (0, condition_js_1.requestMatchesConditions)(request, statement.conditions());
|
|
203
230
|
const overallMatch = (0, StatementAnalysis_js_1.statementMatches)({
|
|
204
231
|
actionMatch,
|
|
@@ -237,7 +264,7 @@ function analyzeResourcePolicy(resourcePolicy, request) {
|
|
|
237
264
|
resourceAnalysis.result = 'AllowedForAccount';
|
|
238
265
|
}
|
|
239
266
|
else {
|
|
240
|
-
resourceAnalysis.result = '
|
|
267
|
+
resourceAnalysis.result = 'ImplicityDenied';
|
|
241
268
|
}
|
|
242
269
|
return resourceAnalysis;
|
|
243
270
|
}
|
|
@@ -259,4 +286,4 @@ function makeStatementExplain(statement, overallMatch, actionMatch, principalMat
|
|
|
259
286
|
...details
|
|
260
287
|
};
|
|
261
288
|
}
|
|
262
|
-
//# sourceMappingURL=
|
|
289
|
+
//# sourceMappingURL=CoreSimulatorEngine.js.map
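Review bot: `getServiceAuthorizer` tests `serviceEngines[serviceName]` on a plain object literal, so a lower-cased service name that collides with an inherited `Object.prototype` member (`constructor`, `toString`, …) is truthy and is handed to `new` instead of falling through to the default (presumably the `DefaultServiceAuthorizer` required at the top of the file). Whether such a name can reach this function depends on the action validation performed before `authorize` is called, which is not in this hunk, but the lookup is cheap to make exact: `if (Object.prototype.hasOwnProperty.call(serviceEngines, serviceName)) {`, or build the table with `Object.create(null)`. The ESM build `dist/esm/core_engine/CoreSimulatorEngine.js` listed in the diffstat presumably carries the same lookup. Separately, the value `'ImplicityDenied'` assigned at the end of `analyzeResourcePolicy` is misspelled, and because the same spelling is a member of the exported `ResourceEvaluationResult` union in `evaluate.d.ts`, consumers have to match the typo; correcting it before the API stabilises is cheaper than later. `getServiceAuthorizer`'s fallback return and the rest of `analyzeResourcePolicy` lie outside the hunks shown.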
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"CoreSimulatorEngine.js","sourceRoot":"","sources":["../../../src/core_engine/CoreSimulatorEngine.ts"],"names":[],"mappings":";;AA4FA,8BA+BC;AASD,oDAMC;AASD,0DAkEC;AASD,wDAgFC;AASD,sDAmHC;AAED,8EASC;AApbD,mDAAoE;AACpE,4DAA0F;AAW1F,4DAAmG;AAEnG,yDAA0E;AAC1E,yFAAkF;AAClF,iFAA0E;AAE1E,iFAA0E;AAC1E,kEAKgC;AAsDhC,MAAM,cAAc,GAAgD;IAClE,GAAG,EAAE,8CAAoB;IACzB,GAAG,EAAE,8CAAoB;CAC1B,CAAA;AAED;;;;;;;GAOG;AACH,SAAgB,SAAS,CAAC,OAA6B;IACrD,MAAM,8BAA8B,GAClC,CAAC,CAAC,OAAO,CAAC,oBAAoB,IAAI,OAAO,CAAC,oBAAoB,CAAC,MAAM,GAAG,CAAC,CAAA;IAC3E,MAAM,gBAAgB,GAAG,uBAAuB,CAAC,OAAO,CAAC,gBAAgB,EAAE,OAAO,CAAC,OAAO,CAAC,CAAA;IAC3F,MAAM,0BAA0B,GAAG,iCAAiC,CAClE,OAAO,CAAC,oBAAoB,EAC5B,OAAO,CAAC,OAAO,CAChB,CAAA;IACD,MAAM,WAAW,GAAG,sBAAsB,CACxC,OAAO,CAAC,sBAAsB,EAC9B,OAAO,CAAC,OAAO,CACD,CAAA;IAChB,MAAM,WAAW,GAAG,sBAAsB,CACxC,OAAO,CAAC,uBAAuB,EAC/B,OAAO,CAAC,OAAO,CACD,CAAA;IAChB,MAAM,gBAAgB,GAAG,qBAAqB,CAC5C,OAAO,CAAC,cAAc,EACtB,OAAO,CAAC,OAAO,EACf,8BAA8B,CAC/B,CAAA;IAED,MAAM,iBAAiB,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAA;IACvD,OAAO,iBAAiB,CAAC,SAAS,CAAC;QACjC,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,gBAAgB;QAChB,WAAW;QACX,WAAW;QACX,gBAAgB;QAChB,0BAA0B;KAC3B,CAAC,CAAA;AACJ,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,oBAAoB,CAAC,OAA6B;IAChE,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,WAAW,EAAE,CAAA;IAClE,IAAI,cAAc,CAAC,WAAW,CAAC,EAAE,CAAC;QAChC,OAAO,IAAI,cAAc,CAAC,WAAW,CAAC,EAAE,CAAA;IAC1C,CAAC;IACD,OAAO,IAAI,sDAAwB,EAAE,CAAA;AACvC,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,uBAAuB,CACrC,gBAA0B,EAC1B,OAAmB;IAEnB,MAAM,gBAAgB,GAAqB;QACzC,MAAM,EAAE,kBAAkB;QAC1B,eAAe,EAAE,EAAE;QACnB,cAAc,EAAE,EAAE;QAClB,mBAAmB,EAAE,EAAE;KACxB,CAAA;IAED,KAAK,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;QACtC,KAAK,MAAM,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;YAC5C,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,eAAe,EAAE,GAAG,IAAA,8CAAgC,EAC3F,OAAO,EACP,SAAS,CACV,CAAA;YACD,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,aAAa,EAAE,GAAG,IAAA,0CAA8B,EACrF,OAAO,EACP,SAAS,CACV,CAAA;YACD,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,IAAA,uCAAwB,EACrF,O
AAO,EACP,SAAS,CAAC,UAAU,EAAE,CACvB,CAAA;YACD,MAAM,cAAc,GAAyB,OAAO,CAAA;YACpD,MAAM,YAAY,GAAG,IAAA,uCAAgB,EAAC;gBACpC,WAAW;gBACX,cAAc;gBACd,cAAc;gBACd,aAAa;aACd,CAAC,CAAA;YACF,MAAM,iBAAiB,GAAsB;gBAC3C,SAAS;gBACT,aAAa;gBACb,WAAW;gBACX,cAAc;gBACd,cAAc;gBACd,OAAO,EAAE,oBAAoB,CAC3B,SAAS,EACT,YAAY,EACZ,WAAW,EACX,cAAc,EACd,aAAa,EACb,cAAc,EACd,EAAE,GAAG,eAAe,EAAE,GAAG,aAAa,EAAE,GAAG,gBAAgB,EAAE,CAC9D;aACF,CAAA;YAED,IAAI,IAAA,oDAA6B,EAAC,iBAAiB,CAAC,EAAE,CAAC;gBACrD,gBAAgB,CAAC,cAAc,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;YACzD,CAAC;iBAAM,IAAI,IAAA,8CAAuB,EAAC,iBAAiB,CAAC,EAAE,CAAC;gBACtD,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;YAC1D,CAAC;iBAAM,CAAC;gBACN,gBAAgB,CAAC,mBAAmB,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;YAC9D,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,gBAAgB,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/C,gBAAgB,CAAC,MAAM,GAAG,kBAAkB,CAAA;IAC9C,CAAC;SAAM,IAAI,gBAAgB,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvD,gBAAgB,CAAC,MAAM,GAAG,SAAS,CAAA;IACrC,CAAC;IAED,OAAO,gBAAgB,CAAA;AACzB,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,sBAAsB,CACpC,eAAkC,EAClC,OAAmB;IAEnB,MAAM,QAAQ,GAAoB,EAAE,CAAA;IACpC,KAAK,MAAM,aAAa,IAAI,eAAe,EAAE,CAAC;QAC5C,MAAM,UAAU,GAAkB;YAChC,aAAa,EAAE,aAAa,CAAC,aAAa;YAC1C,MAAM,EAAE,kBAAkB;YAC1B,eAAe,EAAE,EAAE;YACnB,cAAc,EAAE,EAAE;YAClB,mBAAmB,EAAE,EAAE;SACxB,CAAA;QACD,KAAK,MAAM,MAAM,IAAI,aAAa,CAAC,QAAQ,EAAE,CAAC;YAC5C,KAAK,MAAM,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;gBAC5C,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,eAAe,EAAE,GACxD,IAAA,8CAAgC,EAAC,OAAO,EAAE,SAAS,CAAC,CAAA;gBACtD,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,aAAa,EAAE,GAAG,IAAA,0CAA8B,EACrF,OAAO,EACP,SAAS,CACV,CAAA;gBACD,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,IAAA,uCAAwB,EACrF,OAAO,EACP,SAAS,CAAC,UAAU,EAAE,CACvB,CAAA;gBACD,MAAM,cAAc,GAAyB,OAAO,CAAA;gBACpD,MAAM,YAAY,GAAG,IAAA,uCAAgB,EAAC;oBACpC,WAAW;oBACX,cAAc;oBACd,cAAc;oBACd,aAAa;iBACd,CAAC,CAAA;gBACF,MAAM,iBAAiB,GAAsB;oBAC3C,SAAS;oBACT,aAAa;oBACb,WAAW;oBACX,cAAc;oBACd,cAAc;oBACd,OAAO,EAAE,oBAAoB,CAC3B,SAAS,EACT,YAAY,EACZ,WAAW,EACX,cAAc,EACd,aAAa,EACb,cAAc,
EACd,EAAE,GAAG,eAAe,EAAE,GAAG,aAAa,EAAE,GAAG,gBAAgB,EAAE,CAC9D;iBACF,CAAA;gBAED,IAAI,IAAA,8CAAuB,EAAC,iBAAiB,CAAC,EAAE,CAAC;oBAC/C,UAAU,CAAC,eAAe,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;gBACpD,CAAC;qBAAM,IAAI,IAAA,oDAA6B,EAAC,iBAAiB,CAAC,EAAE,CAAC;oBAC5D,UAAU,CAAC,cAAc,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;gBACnD,CAAC;qBAAM,CAAC;oBACN,UAAU,CAAC,mBAAmB,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;gBACxD,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,UAAU,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzC,UAAU,CAAC,MAAM,GAAG,kBAAkB,CAAA;QACxC,CAAC;aAAM,IAAI,UAAU,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACjD,UAAU,CAAC,MAAM,GAAG,SAAS,CAAA;QAC/B,CAAC;QACD,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;IAC3B,CAAC;IAED,IAAI,aAAa,GAAqB,kBAAkB,CAAA;IACxD,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,MAAM,KAAK,kBAAkB,CAAC,EAAE,CAAC;QAC5D,aAAa,GAAG,kBAAkB,CAAA;IACpC,CAAC;SAAM,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,eAAe,CAAC,MAAM,KAAK,CAAC,CAAC,EAAE,CAAC;QAClE,aAAa,GAAG,kBAAkB,CAAA;IACpC,CAAC;SAAM,IAAI,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,MAAM,KAAK,SAAS,CAAC,EAAE,CAAC;QAC3D,aAAa,GAAG,SAAS,CAAA;IAC3B,CAAC;IAED,OAAO;QACL,MAAM,EAAE,aAAa;QACrB,UAAU,EAAE,QAAQ;KACrB,CAAA;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,qBAAqB,CACnC,cAAkC,EAClC,OAAmB,EACnB,8BAAuC;IAEvC,MAAM,gBAAgB,GAAqB;QACzC,MAAM,EAAE,eAAe;QACvB,eAAe,EAAE,EAAE;QACnB,cAAc,EAAE,EAAE;QAClB,mBAAmB,EAAE,EAAE;KACxB,CAAA;IAED,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,OAAO,gBAAgB,CAAA;IACzB,CAAC;IAED,MAAM,qBAAqB,GAA2B;QACpD,OAAO;QACP,kBAAkB;QAClB,kBAAkB;KACnB,CAAA;IAED,KAAK,MAAM,SAAS,IAAI,cAAc,CAAC,UAAU,EAAE,EAAE,CAAC;QACpD,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,eAAe,EAAE,GAAG,IAAA,8CAAgC,EAC3F,OAAO,EACP,SAAS,CACV,CAAA;QACD,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,aAAa,EAAE,GAAG,IAAA,0CAA8B,EACrF,OAAO,EACP,SAAS,CACV,CAAA;QACD,IAAI,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,IAAA,gDAAiC,EAC5F,OAAO,EACP,SAAS,CACV,CAAA;QAED,MAAM,yBAAyB,GAAqD,EAAE,CAAA;QAEtF;;;;;;;;;;;WAWG;QACH,IACE,8BAA8B;YAC9B,SAAS,CAAC,uBAAuB,EAAE;YACnC,SAAS,CAAC,MAAM,EAAE,KAAK
,MAAM,EAC7B,CAAC;YACD,cAAc,GAAG,OAAO,CAAA;YACxB,yBAAyB,CAAC,sBAAsB,GAAG,IAAI,CAAA;QACzD,CAAC;QAED,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,IAAA,uCAAwB,EACrF,OAAO,EACP,SAAS,CAAC,UAAU,EAAE,CACvB,CAAA;QACD,MAAM,YAAY,GAAG,IAAA,uCAAgB,EAAC;YACpC,WAAW;YACX,cAAc;YACd,cAAc;YACd,aAAa;SACd,CAAC,CAAA;QACF,MAAM,QAAQ,GAAsB;YAClC,SAAS;YACT,aAAa,EAAE,aAAa;YAC5B,WAAW;YACX,cAAc;YACd,cAAc;YACd,OAAO,EAAE,oBAAoB,CAC3B,SAAS,EACT,YAAY,EACZ,WAAW,EACX,cAAc,EACd,aAAa,EACb,cAAc,EACd,EAAE,GAAG,eAAe,EAAE,GAAG,aAAa,EAAE,GAAG,gBAAgB,EAAE,GAAG,gBAAgB,EAAE,CACnF;SACF,CAAA;QACD,IAAI,IAAA,oDAA6B,EAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;YACrF,gBAAgB,CAAC,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QAChD,CAAC;aAAM,IAAI,IAAA,8CAAuB,EAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;YACtF,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACjD,CAAC;aAAM,CAAC;YACN,gBAAgB,CAAC,mBAAmB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACrD,CAAC;IACH,CAAC;IAED,IACE,gBAAgB,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,qBAAqB,CAAC,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,EAC7F,CAAC;QACD,gBAAgB,CAAC,MAAM,GAAG,kBAAkB,CAAA;IAC9C,CAAC;SAAM,IACL,gBAAgB,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,mBAAmB,CAAC,EACrF,CAAC;QACD,gBAAgB,CAAC,MAAM,GAAG,kBAAkB,CAAA;IAC9C,CAAC;SAAM,IACL,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,qBAAqB,CAAC,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,EAC9F,CAAC;QACD,gBAAgB,CAAC,MAAM,GAAG,SAAS,CAAA;IACrC,CAAC;SAAM,IACL,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,mBAAmB,CAAC,EACtF,CAAC;QACD,gBAAgB,CAAC,MAAM,GAAG,mBAAmB,CAAA;IAC/C,CAAC;SAAM,CAAC;QACN,gBAAgB,CAAC,MAAM,GAAG,iBAAiB,CAAA;IAC7C,CAAC;IAED,OAAO,gBAAgB,CAAA;AACzB,CAAC;AAED,SAAgB,iCAAiC,CAC/C,oBAA0C,EAC1C,OAAmB;IAEnB,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAC1B,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,OAAO,uBAAuB,CAAC,oBAAoB,EAAE,OAAO,CAAC,CAAA;AAC/D,CAAC;AAED,SAAS,oBAAoB,CAC3B,SAAoB,EACpB,YAAqB,EACrB,WAAoB,EACpB,cAAqC,EACrC,aAAsB,EACtB,cAAoC,EACpC,OAAkC;IAElC,OAAO;QACL,MAAM,EAAE,SAAS,CAAC,MAAM
,EAAE;QAC1B,UAAU,EAAE,SAAS,CAAC,GAAG,EAAE,IAAI,SAAS,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE;QAC3D,OAAO,EAAE,YAAY;QACrB,WAAW;QACX,cAAc;QACd,aAAa;QACb,cAAc,EAAE,cAAc,KAAK,OAAO;QAC1C,GAAG,OAAO;KACX,CAAA;AACH,CAAC"}
|
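--- a/package/dist/cjs/evaluate.d.ts
+++ b/package/dist/cjs/evaluate.d.ts
@@ -1,5 +1,5 @@
 import { StatementAnalysis } from './StatementAnalysis.js';
-export type EvaluationResult = 'Allowed' | 'ExplicitlyDenied' | '
+export type EvaluationResult = 'Allowed' | 'ExplicitlyDenied' | 'ImplicitlyDenied';
 export type ResourceEvaluationResult = 'NotApplicable' | 'Allowed' | 'ExplicitlyDenied' | 'AllowedForAccount' | 'DeniedForAccount' | 'ImplicityDenied';
 export interface IdentityAnalysis {
 result: EvaluationResult;
@@ -27,6 +27,20 @@ export interface ScpAnalysis {
 result: EvaluationResult;
 ouAnalysis: OuScpAnalysis[];
 }
+export interface OuRcpAnalysis {
+orgIdentifier: string;
+result: EvaluationResult;
+denyStatements: StatementAnalysis[];
+allowStatements: StatementAnalysis[];
+unmatchedStatements: StatementAnalysis[];
+}
+export interface RcpAnalysis {
+/**
+* OU Result
+*/
+result: EvaluationResult;
+ouAnalysis: OuRcpAnalysis[];
+}
 /**
 * The analysis of a request.
 */
@@ -35,6 +49,9 @@ export interface RequestAnalysis {
 * The result of the evaluation.
 */
 result: EvaluationResult;
+/**
+* Whether the principal and the resource are in the same account.
+*/
 sameAccount: boolean;
 /**
 * The result of the evaluation of the resource policy.
@@ -44,7 +61,17 @@ export interface RequestAnalysis {
 * The result of the evaluation of the resource policy.
 */
 resourceAnalysis?: ResourceAnalysis;
+/**
+* The result of the evaluation of the SCPs
+*/
 scpAnalysis?: ScpAnalysis;
+/**
+* The result of the evaluation of the RCPs
+*/
+rcpAnalysis?: RcpAnalysis;
+/**
+* The result of the evaluation of the permission boundary.
+*/
 permissionBoundaryAnalysis?: IdentityAnalysis | undefined;
 }
 //# sourceMappingURL=evaluate.d.ts.map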
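Review bot: The doc comment added on `RcpAnalysis.result` in the `@@ -27,6 +27,20 @@` hunk reads `* OU Result`, which describes the per-OU field of `OuRcpAnalysis`, not the aggregate that `DefaultServiceAuthorizer.authorize` short-circuits on with `if (rcpResult !== 'Allowed')`. I would replace it with `/** Aggregate RCP result across every OU level in ouAnalysis; the authorizer returns this value directly whenever it is not 'Allowed'. */` and give `OuRcpAnalysis` a one-line comment saying it is the result for one organization level, keyed by `orgIdentifier`. How the per-OU results are combined is not visible in this file, so the comment should state the rule only if the engine confirms it. Note that `rcpAnalysis?` is optional on `RequestAnalysis` here while `ServiceAuthorizationRequest.rcpAnalysis` is required and read without a null check, which is worth a sentence in the comment so consumers know which side guarantees it.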
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"evaluate.d.ts","sourceRoot":"","sources":["../../src/evaluate.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAE1D,MAAM,MAAM,gBAAgB,
|
|
1
|
+
{"version":3,"file":"evaluate.d.ts","sourceRoot":"","sources":["../../src/evaluate.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAE1D,MAAM,MAAM,gBAAgB,GAAG,SAAS,GAAG,kBAAkB,GAAG,kBAAkB,CAAA;AAClF,MAAM,MAAM,wBAAwB,GAChC,eAAe,GACf,SAAS,GACT,kBAAkB,GAClB,mBAAmB,GACnB,kBAAkB,GAClB,iBAAiB,CAAA;AAErB,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,gBAAgB,CAAA;IACxB,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,wBAAwB,CAAA;IAChC,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,aAAa;IAC5B,aAAa,EAAE,MAAM,CAAA;IACrB,MAAM,EAAE,gBAAgB,CAAA;IACxB,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,WAAW;IAC1B;;OAEG;IACH,MAAM,EAAE,gBAAgB,CAAA;IACxB,UAAU,EAAE,aAAa,EAAE,CAAA;CAC5B;AAED,MAAM,WAAW,aAAa;IAC5B,aAAa,EAAE,MAAM,CAAA;IACrB,MAAM,EAAE,gBAAgB,CAAA;IACxB,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,WAAW;IAC1B;;OAEG;IACH,MAAM,EAAE,gBAAgB,CAAA;IACxB,UAAU,EAAE,aAAa,EAAE,CAAA;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B;;OAEG;IACH,MAAM,EAAE,gBAAgB,CAAA;IAExB;;OAEG;IACH,WAAW,EAAE,OAAO,CAAA;IAEpB;;OAEG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAA;IAEnC;;OAEG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAA;IAEnC;;OAEG;IACH,WAAW,CAAC,EAAE,WAAW,CAAA;IAEzB;;OAEG;IACH,WAAW,CAAC,EAAE,WAAW,CAAA;IAEzB;;OAEG;IACH,0BAA0B,CAAC,EAAE,gBAAgB,GAAG,SAAS,CAAA;CAC1D"}
|
|
@@ -85,5 +85,14 @@ export interface StatementExplain {
|
|
|
85
85
|
principals?: PrincipalExplain | PrincipalExplain[];
|
|
86
86
|
notPrincipals?: PrincipalExplain | PrincipalExplain[];
|
|
87
87
|
conditions?: ConditionExplain[];
|
|
88
|
+
/**
|
|
89
|
+
* The statement was denied because the resource policy has a NotPrincipal in a Deny
|
|
90
|
+
* statement and the principal has a Permission Boundary.
|
|
91
|
+
*
|
|
92
|
+
* This will always resolve to to Deny.
|
|
93
|
+
*
|
|
94
|
+
* https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
|
|
95
|
+
*/
|
|
96
|
+
denyBecauseNpInRpAndPb?: boolean;
|
|
88
97
|
}
|
|
89
98
|
//# sourceMappingURL=statementExplain.d.ts.map
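Review bot: The comment on the new `denyBecauseNpInRpAndPb` field says the statement was denied, but a statement is not what gets denied, the request is, and `resolve to to Deny` doubles the word. I would write it as `The request is denied because a Deny statement in the resource policy uses NotPrincipal and the requesting principal has a permissions boundary; per the linked IAM documentation this combination always results in a Deny.` The abbreviations in the field name (Np, Rp, Pb) are hard to read outside this file; since this is a new public field on an exported interface, a name such as `deniedByNotPrincipalWithPermissionBoundary` would be clearer, though renaming is only cheap before the field ships.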
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"statementExplain.d.ts","sourceRoot":"","sources":["../../../src/explain/statementExplain.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,qBAAqB,GAC7B,OAAO,GACP,SAAS,GACT,mBAAmB,GACnB,kBAAkB,GAClB,kBAAkB,CAAA;AAEtB,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,EAAE,OAAO,CAAA;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAA;IAChB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;IACjB,OAAO,EAAE,OAAO,CAAA;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,qBAAqB,CAAA;IAC9B,iBAAiB,CAAC,EAAE,MAAM,CAAA;IAC1B,iBAAiB,CAAC,EAAE,MAAM,CAAA;IAC1B,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAClB;AAED,MAAM,WAAW,qBAAqB;IACpC,KAAK,EAAE,MAAM,CAAA;IACb,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,OAAO,EAAE,OAAO,CAAA;IAChB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;IACzB,sBAAsB,CAAC,EAAE,MAAM,EAAE,CAAA;IACjC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAClB;AAED,MAAM,WAAW,gBAAgB;IAC/B;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAA;IAEhB;;OAEG;IACH,iBAAiB,EAAE,MAAM,CAAA;IAEzB;;OAEG;IACH,yBAAyB,CAAC,EAAE,MAAM,CAAA;IAClC,MAAM,EAAE,qBAAqB,GAAG,qBAAqB,EAAE,CAAA;IAEvD;;OAEG;IACH,eAAe,CAAC,EAAE,MAAM,EAAE,CAAA;IAE1B;;OAEG;IACH,OAAO,EAAE,OAAO,CAAA;IAEhB;;OAEG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAA;IAE/B;;OAEG;IACH,oBAAoB,CAAC,EAAE,OAAO,CAAA;IAE9B;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAA;IAE5B;;;OAGG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAA;IAC/B;;OAEG;IACH,eAAe,CAAC,EAAE,OAAO,CAAA;CAC1B;AAED,MAAM,WAAW,gBAAgB;IAC/B,WAAW,EAAE,OAAO,CAAA;IACpB,aAAa,EAAE,OAAO,CAAA;IACtB,cAAc,EAAE,qBAAqB,CAAA;IACrC,cAAc,EAAE,OAAO,CAAA;IAEvB,OAAO,EAAE,OAAO,CAAA;IAChB,UAAU,EAAE,MAAM,CAAA;IAClB,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,CAAC,EAAE,aAAa,GAAG,aAAa,EAAE,CAAA;IACzC,UAAU,CAAC,EAAE,aAAa,GAAG,aAAa,EAAE,CAAA;IAC5C,SAAS,CAAC,EAAE,eAAe,GAAG,eAAe,EAAE,CAAA;IAC/C,YAAY,CAAC,EAAE,eAAe,GAAG,eAAe,EAAE,CAAA;IAClD,UAAU,CAAC,EAAE,gBAAgB,GAAG,gBAAgB,EAAE,CAAA;IAClD,aAAa,CAAC,EAAE,gBAAgB,GAAG,gBAAgB,EAAE,CAAA;IACrD,UAAU,CAAC,EAAE,gBAAgB,EAAE,CAAA;
|
|
1
|
+
{"version":3,"file":"statementExplain.d.ts","sourceRoot":"","sources":["../../../src/explain/statementExplain.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,qBAAqB,GAC7B,OAAO,GACP,SAAS,GACT,mBAAmB,GACnB,kBAAkB,GAClB,kBAAkB,CAAA;AAEtB,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,EAAE,OAAO,CAAA;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAA;IAChB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;IACjB,OAAO,EAAE,OAAO,CAAA;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,qBAAqB,CAAA;IAC9B,iBAAiB,CAAC,EAAE,MAAM,CAAA;IAC1B,iBAAiB,CAAC,EAAE,MAAM,CAAA;IAC1B,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAClB;AAED,MAAM,WAAW,qBAAqB;IACpC,KAAK,EAAE,MAAM,CAAA;IACb,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,OAAO,EAAE,OAAO,CAAA;IAChB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;IACzB,sBAAsB,CAAC,EAAE,MAAM,EAAE,CAAA;IACjC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAClB;AAED,MAAM,WAAW,gBAAgB;IAC/B;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAA;IAEhB;;OAEG;IACH,iBAAiB,EAAE,MAAM,CAAA;IAEzB;;OAEG;IACH,yBAAyB,CAAC,EAAE,MAAM,CAAA;IAClC,MAAM,EAAE,qBAAqB,GAAG,qBAAqB,EAAE,CAAA;IAEvD;;OAEG;IACH,eAAe,CAAC,EAAE,MAAM,EAAE,CAAA;IAE1B;;OAEG;IACH,OAAO,EAAE,OAAO,CAAA;IAEhB;;OAEG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAA;IAE/B;;OAEG;IACH,oBAAoB,CAAC,EAAE,OAAO,CAAA;IAE9B;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAA;IAE5B;;;OAGG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAA;IAC/B;;OAEG;IACH,eAAe,CAAC,EAAE,OAAO,CAAA;CAC1B;AAED,MAAM,WAAW,gBAAgB;IAC/B,WAAW,EAAE,OAAO,CAAA;IACpB,aAAa,EAAE,OAAO,CAAA;IACtB,cAAc,EAAE,qBAAqB,CAAA;IACrC,cAAc,EAAE,OAAO,CAAA;IAEvB,OAAO,EAAE,OAAO,CAAA;IAChB,UAAU,EAAE,MAAM,CAAA;IAClB,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,CAAC,EAAE,aAAa,GAAG,aAAa,EAAE,CAAA;IACzC,UAAU,CAAC,EAAE,aAAa,GAAG,aAAa,EAAE,CAAA;IAC5C,SAAS,CAAC,EAAE,eAAe,GAAG,eAAe,EAAE,CAAA;IAC/C,YAAY,CAAC,EAAE,eAAe,GAAG,eAAe,EAAE,CAAA;IAClD,UAAU,CAAC,EAAE,gBAAgB,GAAG,gBAAgB,EAAE,CAAA;IAClD,aAAa,CAAC,EAAE,gBAAgB,GAAG,gBAAgB,EAAE,CAAA;IACrD,UAAU,CAAC,EAAE,gBAAgB,EAAE,CAAA;IAE/B;;;;;;;OAOG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAA;CACjC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"statementExplain.js","sourceRoot":"","sources":["../../../src/explain/statementExplain.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"statementExplain.js","sourceRoot":"","sources":["../../../src/explain/statementExplain.ts"],"names":[],"mappings":";;AAuHA;;;EAGE"}
|
|
@@ -1,9 +1,17 @@
|
|
|
1
|
-
import { RequestAnalysis } from '../evaluate.js';
|
|
1
|
+
import { RequestAnalysis, ResourceAnalysis } from '../evaluate.js';
|
|
2
2
|
import { ServiceAuthorizationRequest, ServiceAuthorizer } from './ServiceAuthorizer.js';
|
|
3
3
|
/**
|
|
4
4
|
* The default authorizer for services.
|
|
5
5
|
*/
|
|
6
6
|
export declare class DefaultServiceAuthorizer implements ServiceAuthorizer {
|
|
7
7
|
authorize(request: ServiceAuthorizationRequest): RequestAnalysis;
|
|
8
|
+
/**
|
|
9
|
+
* Determines if the service trusts the principal's Account's IAM policies
|
|
10
|
+
*
|
|
11
|
+
* @param sameAccount - If the principal and resource are in the same account
|
|
12
|
+
* @param resourceAnalysis - The resource policy analysis
|
|
13
|
+
* @returns true if the service trusts the principal's account IAM policies
|
|
14
|
+
*/
|
|
15
|
+
serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis): boolean;
|
|
8
16
|
}
|
|
9
17
|
//# sourceMappingURL=DefaultServiceAuthorizer.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAA;
|
|
1
|
+
{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AAElE,OAAO,EAAE,2BAA2B,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAEvF;;GAEG;AACH,qBAAa,wBAAyB,YAAW,iBAAiB;IACzD,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe;IAuKvE;;;;;;OAMG;IACH,6BAA6B,CAAC,WAAW,EAAE,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,GAAG,OAAO;CASjG"}
|
|
@@ -8,6 +8,7 @@ const util_js_1 = require("../util.js");
|
|
|
8
8
|
class DefaultServiceAuthorizer {
|
|
9
9
|
authorize(request) {
|
|
10
10
|
const scpResult = request.scpAnalysis.result;
|
|
11
|
+
const rcpResult = request.rcpAnalysis.result;
|
|
11
12
|
const identityStatementResult = request.identityAnalysis.result;
|
|
12
13
|
const resourcePolicyResult = request.resourceAnalysis?.result;
|
|
13
14
|
const permissionBoundaryResult = request.permissionBoundaryAnalysis?.result;
|
|
@@ -18,6 +19,7 @@ class DefaultServiceAuthorizer {
|
|
|
18
19
|
sameAccount,
|
|
19
20
|
identityAnalysis: request.identityAnalysis,
|
|
20
21
|
scpAnalysis: request.scpAnalysis,
|
|
22
|
+
rcpAnalysis: request.rcpAnalysis,
|
|
21
23
|
resourceAnalysis: request.resourceAnalysis,
|
|
22
24
|
permissionBoundaryAnalysis: request.permissionBoundaryAnalysis
|
|
23
25
|
};
|
|
@@ -27,6 +29,12 @@ class DefaultServiceAuthorizer {
|
|
|
27
29
|
...baseResult
|
|
28
30
|
};
|
|
29
31
|
}
|
|
32
|
+
if (rcpResult !== 'Allowed') {
|
|
33
|
+
return {
|
|
34
|
+
result: rcpResult,
|
|
35
|
+
...baseResult
|
|
36
|
+
};
|
|
37
|
+
}
|
|
30
38
|
if (resourcePolicyResult === 'ExplicitlyDenied' ||
|
|
31
39
|
resourcePolicyResult === 'DeniedForAccount') {
|
|
32
40
|
return {
|
|
@@ -84,7 +92,9 @@ class DefaultServiceAuthorizer {
|
|
|
84
92
|
|
|
85
93
|
Need to add some tests for this.
|
|
86
94
|
*/
|
|
87
|
-
|
|
95
|
+
const trustedAccount = this.serviceTrustsPrincipalAccount(sameAccount, request.resourceAnalysis);
|
|
96
|
+
if (resourcePolicyResult === 'Allowed' ||
|
|
97
|
+
(trustedAccount && identityStatementResult === 'Allowed')) {
|
|
88
98
|
return {
|
|
89
99
|
result: 'Allowed',
|
|
90
100
|
...baseResult
|
|
@@ -120,14 +130,26 @@ class DefaultServiceAuthorizer {
|
|
|
120
130
|
};
|
|
121
131
|
/**
|
|
122
132
|
* Add checks for:
|
|
133
|
+
* * root user - can override resource policies for most resource types
|
|
134
|
+
* * service linked roles - ignore SCPs and RCPs
|
|
123
135
|
* * session policies
|
|
124
|
-
* * resource control policies
|
|
125
|
-
* * root user
|
|
126
|
-
* * service linked roles
|
|
127
136
|
* * vpc endpoint policies
|
|
128
137
|
* * organization APIs and delegated admin policy
|
|
129
138
|
*/
|
|
130
139
|
}
|
|
140
|
+
/**
|
|
141
|
+
* Determines if the service trusts the principal's Account's IAM policies
|
|
142
|
+
*
|
|
143
|
+
* @param sameAccount - If the principal and resource are in the same account
|
|
144
|
+
* @param resourceAnalysis - The resource policy analysis
|
|
145
|
+
* @returns true if the service trusts the principal's account IAM policies
|
|
146
|
+
*/
|
|
147
|
+
serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis) {
|
|
148
|
+
if (sameAccount) {
|
|
149
|
+
return true;
|
|
150
|
+
}
|
|
151
|
+
return resourceAnalysis.allowStatements.some((statement) => statement.principalMatch === 'AccountLevelMatch');
|
|
152
|
+
}
|
|
131
153
|
}
|
|
132
154
|
exports.DefaultServiceAuthorizer = DefaultServiceAuthorizer;
|
|
133
155
|
//# sourceMappingURL=DefaultServiceAuthorizer.js.map
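Review bot: The RCP gate added in the `@@ -27,6 +29,12 @@` hunk, `if (rcpResult !== 'Allowed')`, returns the RCP verdict for every service, but resource control policies are only enforced by a fixed set of services (S3, STS, KMS, SQS, Secrets Manager and a few others) and are not applied to service-linked roles, so for any other service a non-Allowed `rcpAnalysis.result` becomes a false deny unless the engine that builds `rcpAnalysis` already reports `Allowed` for unsupported services; that is not visible here, and the gate deserves a comment stating which side owns that check, e.g. `// Assumes rcpAnalysis is 'Allowed' for services that do not enforce RCPs; the check is not repeated here.` `request.rcpAnalysis.result` is also read without the optional chaining used two lines later for `resourceAnalysis?.result`, so any existing `ServiceAuthorizer` caller that builds a `ServiceAuthorizationRequest` without the new `rcpAnalysis` field now throws a TypeError mid-evaluation; either document this as a breaking change or validate the request up front with a descriptive error. The new TODO line `service linked roles - ignore SCPs and RCPs` already records the SLR gap, so the service-support gap is the one still undocumented. `authorize` starts before and ends after this hunk.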
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":";;;AACA,wCAA+E;AAG/E;;GAEG;AACH,MAAa,wBAAwB;IAC5B,SAAS,CAAC,OAAoC;QACnD,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,uBAAuB,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAA;QAC/D,MAAM,oBAAoB,GAAG,OAAO,CAAC,gBAAgB,EAAE,MAAM,CAAA;QAC7D,MAAM,wBAAwB,GAAG,OAAO,CAAC,0BAA0B,EAAE,MAAM,CAAA;QAE3E,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;QAC7D,MAAM,WAAW,GAAG,gBAAgB,KAAK,eAAe,CAAA;QAExD,MAAM,UAAU,
|
|
1
|
+
{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":";;;AACA,wCAA+E;AAG/E;;GAEG;AACH,MAAa,wBAAwB;IAC5B,SAAS,CAAC,OAAoC;QACnD,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,uBAAuB,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAA;QAC/D,MAAM,oBAAoB,GAAG,OAAO,CAAC,gBAAgB,EAAE,MAAM,CAAA;QAC7D,MAAM,wBAAwB,GAAG,OAAO,CAAC,0BAA0B,EAAE,MAAM,CAAA;QAE3E,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;QAC7D,MAAM,WAAW,GAAG,gBAAgB,KAAK,eAAe,CAAA;QAExD,MAAM,UAAU,GAQZ;YACF,WAAW;YACX,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,0BAA0B,EAAE,OAAO,CAAC,0BAA0B;SAC/D,CAAA;QAED,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IACE,oBAAoB,KAAK,kBAAkB;YAC3C,oBAAoB,KAAK,kBAAkB,EAC3C,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,uBAAuB,KAAK,kBAAkB,EAAE,CAAC;YACnD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACpD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,cAAc;QACd,IAAI,gBAAgB,KAAK,eAAe,EAAE,CAAC;YACzC,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;gBACpD;;;;;;;mBAOG;gBACH,IAAI,oBAAoB,KAAK,SAAS,EAAE,CAAC;oBACvC,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;oBACnD,IACE,IAAA,0BAAgB,EAAC,SAAS,CAAC;wBAC3B,IAAA,sBAAY,EAAC,SAAS,CAAC;wBACvB,IAAA,4BAAkB,EAAC,SAAS,CAAC,EAC7B,CAAC;wBACD,IACE,OAAO,CAAC,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC3C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,OAAO,CACpD,EACD,CAAC;4BACD,OAAO;gCACL,MAAM,EAAE,SAAS;gCACjB,GAAG,UAAU;6BACd,CAAA;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;gBACD,OAAO;oBACL,MAAM,EAA
E,kBAAkB;oBAC1B,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YAED;;;;;;;;cAQE;YAEF,MAAM,cAAc,GAAG,IAAI,CAAC,6BAA6B,CACvD,WAAW,EACX,OAAO,CAAC,gBAAgB,CACzB,CAAA;YACD,IACE,oBAAoB,KAAK,SAAS;gBAClC,CAAC,cAAc,IAAI,uBAAuB,KAAK,SAAS,CAAC,EACzD,CAAC;gBACD,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,eAAe;QACf,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACpD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,oBAAoB,KAAK,SAAS,IAAI,oBAAoB,KAAK,mBAAmB,EAAE,CAAC;YACvF,IAAI,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBAC1C,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,OAAO;YACL,MAAM,EAAE,kBAAkB;YAC1B,GAAG,UAAU;SACd,CAAA;QAED;;;;;;;WAOG;IACL,CAAC;IAED;;;;;;OAMG;IACH,6BAA6B,CAAC,WAAoB,EAAE,gBAAkC;QACpF,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,IAAI,CAAA;QACb,CAAC;QAED,OAAO,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC1C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,mBAAmB,CAChE,CAAA;IACH,CAAC;CACF;AAxLD,4DAwLC"}
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
import { ResourceAnalysis } from '../evaluate.js';
|
|
2
|
+
import { DefaultServiceAuthorizer } from './DefaultServiceAuthorizer.js';
|
|
3
|
+
/**
|
|
4
|
+
* The default authorizer for services.
|
|
5
|
+
*/
|
|
6
|
+
export declare class KmsServiceAuthorizer extends DefaultServiceAuthorizer {
|
|
7
|
+
/**
|
|
8
|
+
* Determines if the service trusts the principal's Account's IAM policies
|
|
9
|
+
*
|
|
10
|
+
* @param sameAccount - If the principal and resource are in the same account
|
|
11
|
+
* @param resourceAnalysis - The resource policy analysis
|
|
12
|
+
* @returns true if the service trusts the principal's account IAM policies
|
|
13
|
+
*/
|
|
14
|
+
serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis): boolean;
|
|
15
|
+
}
|
|
16
|
+
//# sourceMappingURL=KmsServiceAuthorizer.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"KmsServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/KmsServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACjD,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAA;AAExE;;GAEG;AACH,qBAAa,oBAAqB,SAAQ,wBAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,CAAC,WAAW,EAAE,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,GAAG,OAAO;CAKjG"}
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.KmsServiceAuthorizer = void 0;
|
|
4
|
+
const DefaultServiceAuthorizer_js_1 = require("./DefaultServiceAuthorizer.js");
|
|
5
|
+
/**
|
|
6
|
+
* The default authorizer for services.
|
|
7
|
+
*/
|
|
8
|
+
class KmsServiceAuthorizer extends DefaultServiceAuthorizer_js_1.DefaultServiceAuthorizer {
|
|
9
|
+
/**
|
|
10
|
+
* Determines if the service trusts the principal's Account's IAM policies
|
|
11
|
+
*
|
|
12
|
+
* @param sameAccount - If the principal and resource are in the same account
|
|
13
|
+
* @param resourceAnalysis - The resource policy analysis
|
|
14
|
+
* @returns true if the service trusts the principal's account IAM policies
|
|
15
|
+
*/
|
|
16
|
+
serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis) {
|
|
17
|
+
return resourceAnalysis.allowStatements.some((statement) => statement.principalMatch === 'AccountLevelMatch');
|
|
18
|
+
}
|
|
19
|
+
}
|
|
20
|
+
exports.KmsServiceAuthorizer = KmsServiceAuthorizer;
|
|
21
|
+
//# sourceMappingURL=KmsServiceAuthorizer.js.map
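Review bot: The class comment on `KmsServiceAuthorizer` still says `The default authorizer for services`, and neither it nor the method comment states the KMS rule the override encodes, which is the only reason this subclass exists. I would replace the class comment with `/** Authorizer for KMS: IAM policies in the principal's account only take effect when the key policy itself grants that account (an allow statement whose principal matches at the account level), even for same-account requests, so sameAccount is deliberately ignored here. */`. The override dereferences `resourceAnalysis.allowStatements` unconditionally while `DefaultServiceAuthorizer.authorize` reads `request.resourceAnalysis?.result` with optional chaining, so if a request without a key policy can reach this method it throws rather than denying; `return resourceAnalysis?.allowStatements.some((s) => s.principalMatch === 'AccountLevelMatch') ?? false;` keeps it fail-closed. Whether `allowStatements` holds only statements that match the requested action is not visible here; if it can include allow statements for other actions, an account-level grant for one KMS action would wrongly unlock IAM policies for every action on the key, so that assumption is worth a comment or a test.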
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"KmsServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/KmsServiceAuthorizer.ts"],"names":[],"mappings":";;;AACA,+EAAwE;AAExE;;GAEG;AACH,MAAa,oBAAqB,SAAQ,sDAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,CAAC,WAAoB,EAAE,gBAAkC;QACpF,OAAO,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC1C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,mBAAmB,CAChE,CAAA;IACH,CAAC;CACF;AAbD,oDAaC"}
|
|
@@ -1,10 +1,11 @@
|
|
|
1
|
-
import { IdentityAnalysis, RequestAnalysis, ResourceAnalysis, ScpAnalysis } from '../evaluate.js';
|
|
1
|
+
import { IdentityAnalysis, RcpAnalysis, RequestAnalysis, ResourceAnalysis, ScpAnalysis } from '../evaluate.js';
|
|
2
2
|
import { AwsRequest } from '../request/request.js';
|
|
3
3
|
export interface ServiceAuthorizationRequest {
|
|
4
4
|
request: AwsRequest;
|
|
5
5
|
identityAnalysis: IdentityAnalysis;
|
|
6
6
|
scpAnalysis: ScpAnalysis;
|
|
7
7
|
resourceAnalysis: ResourceAnalysis;
|
|
8
|
+
rcpAnalysis: RcpAnalysis;
|
|
8
9
|
permissionBoundaryAnalysis: IdentityAnalysis | undefined;
|
|
9
10
|
}
|
|
10
11
|
export interface ServiceAuthorizer {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/ServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,
|
|
1
|
+
{"version":3,"file":"ServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/ServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAChB,WAAW,EACX,eAAe,EACf,gBAAgB,EAChB,WAAW,EACZ,MAAM,gBAAgB,CAAA;AACvB,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAA;AAElD,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,UAAU,CAAA;IACnB,gBAAgB,EAAE,gBAAgB,CAAA;IAClC,WAAW,EAAE,WAAW,CAAA;IACxB,gBAAgB,EAAE,gBAAgB,CAAA;IAClC,WAAW,EAAE,WAAW,CAAA;IACxB,0BAA0B,EAAE,gBAAgB,GAAG,SAAS,CAAA;CACzD;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe,CAAA;CACjE"}
|