@cloud-copilot/iam-simulate 0.1.22 → 0.1.24
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +155 -2
- package/dist/cjs/core_engine/{coreSimulatorEngine.d.ts → CoreSimulatorEngine.d.ts} +16 -11
- package/dist/cjs/core_engine/CoreSimulatorEngine.d.ts.map +1 -0
- package/dist/cjs/core_engine/{coreSimulatorEngine.js → CoreSimulatorEngine.js} +41 -14
- package/dist/cjs/core_engine/CoreSimulatorEngine.js.map +1 -0
- package/dist/cjs/evaluate.d.ts +28 -1
- package/dist/cjs/evaluate.d.ts.map +1 -1
- package/dist/cjs/explain/statementExplain.d.ts +9 -0
- package/dist/cjs/explain/statementExplain.d.ts.map +1 -1
- package/dist/cjs/explain/statementExplain.js.map +1 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.d.ts +9 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.d.ts.map +1 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.js +26 -4
- package/dist/cjs/services/DefaultServiceAuthorizer.js.map +1 -1
- package/dist/cjs/services/KmsServiceAuthorizer.d.ts +16 -0
- package/dist/cjs/services/KmsServiceAuthorizer.d.ts.map +1 -0
- package/dist/cjs/services/KmsServiceAuthorizer.js +21 -0
- package/dist/cjs/services/KmsServiceAuthorizer.js.map +1 -0
- package/dist/cjs/services/ServiceAuthorizer.d.ts +2 -1
- package/dist/cjs/services/ServiceAuthorizer.d.ts.map +1 -1
- package/dist/cjs/services/StsServiceAuthorizer.d.ts +16 -0
- package/dist/cjs/services/StsServiceAuthorizer.d.ts.map +1 -0
- package/dist/cjs/services/StsServiceAuthorizer.js +24 -0
- package/dist/cjs/services/StsServiceAuthorizer.js.map +1 -0
- package/dist/cjs/simulation_engine/simulation.d.ts +12 -0
- package/dist/cjs/simulation_engine/simulation.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/simulationEngine.d.ts +2 -0
- package/dist/cjs/simulation_engine/simulationEngine.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/simulationEngine.js +40 -2
- package/dist/cjs/simulation_engine/simulationEngine.js.map +1 -1
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.js +11 -2
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.js.map +1 -1
- package/dist/esm/core_engine/{coreSimulatorEngine.d.ts → CoreSimulatorEngine.d.ts} +16 -11
- package/dist/esm/core_engine/CoreSimulatorEngine.d.ts.map +1 -0
- package/dist/esm/core_engine/{coreSimulatorEngine.js → CoreSimulatorEngine.js} +40 -13
- package/dist/esm/core_engine/CoreSimulatorEngine.js.map +1 -0
- package/dist/esm/evaluate.d.ts +28 -1
- package/dist/esm/evaluate.d.ts.map +1 -1
- package/dist/esm/explain/statementExplain.d.ts +9 -0
- package/dist/esm/explain/statementExplain.d.ts.map +1 -1
- package/dist/esm/explain/statementExplain.js.map +1 -1
- package/dist/esm/services/DefaultServiceAuthorizer.d.ts +9 -1
- package/dist/esm/services/DefaultServiceAuthorizer.d.ts.map +1 -1
- package/dist/esm/services/DefaultServiceAuthorizer.js +26 -4
- package/dist/esm/services/DefaultServiceAuthorizer.js.map +1 -1
- package/dist/esm/services/KmsServiceAuthorizer.d.ts +16 -0
- package/dist/esm/services/KmsServiceAuthorizer.d.ts.map +1 -0
- package/dist/esm/services/KmsServiceAuthorizer.js +17 -0
- package/dist/esm/services/KmsServiceAuthorizer.js.map +1 -0
- package/dist/esm/services/ServiceAuthorizer.d.ts +2 -1
- package/dist/esm/services/ServiceAuthorizer.d.ts.map +1 -1
- package/dist/esm/services/StsServiceAuthorizer.d.ts +16 -0
- package/dist/esm/services/StsServiceAuthorizer.d.ts.map +1 -0
- package/dist/esm/services/StsServiceAuthorizer.js +20 -0
- package/dist/esm/services/StsServiceAuthorizer.js.map +1 -0
- package/dist/esm/simulation_engine/simulation.d.ts +12 -0
- package/dist/esm/simulation_engine/simulation.d.ts.map +1 -1
- package/dist/esm/simulation_engine/simulationEngine.d.ts +2 -0
- package/dist/esm/simulation_engine/simulationEngine.d.ts.map +1 -1
- package/dist/esm/simulation_engine/simulationEngine.js +40 -2
- package/dist/esm/simulation_engine/simulationEngine.js.map +1 -1
- package/dist/esm/simulation_engine/unsafeSimulationEngine.d.ts.map +1 -1
- package/dist/esm/simulation_engine/unsafeSimulationEngine.js +10 -1
- package/dist/esm/simulation_engine/unsafeSimulationEngine.js.map +1 -1
- package/package.json +1 -1
- package/dist/cjs/core_engine/coreSimulatorEngine.d.ts.map +0 -1
- package/dist/cjs/core_engine/coreSimulatorEngine.js.map +0 -1
- package/dist/esm/core_engine/coreSimulatorEngine.d.ts.map +0 -1
- package/dist/esm/core_engine/coreSimulatorEngine.js.map +0 -1
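--- a/package/dist/cjs/services/StsServiceAuthorizer.d.ts
+++ b/package/dist/cjs/services/StsServiceAuthorizer.d.ts
@@ -0,0 +1,16 @@
+import { ResourceAnalysis } from '../evaluate.js';
+import { DefaultServiceAuthorizer } from './DefaultServiceAuthorizer.js';
+/**
+* The default authorizer for services.
+*/
+export declare class StsServiceAuthorizer extends DefaultServiceAuthorizer {
+/**
+* Determines if the service trusts the principal's Account's IAM policies
+*
+* @param sameAccount - If the principal and resource are in the same account
+* @param resourceAnalysis - The resource policy analysis
+* @returns true if the service trusts the principal's account IAM policies
+*/
+serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis): boolean;
+}
+//# sourceMappingURL=StsServiceAuthorizer.d.ts.map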
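Review bot: The class comment on the new StsServiceAuthorizer declaration, `* The default authorizer for services.`, is copied from DefaultServiceAuthorizer and does not describe this subclass; the same comment is emitted in the cjs StsServiceAuthorizer.js section that follows, and presumably in the esm copies not shown here. The override in that .js returns true when the principal and resource share an account and no resource policy applies (`result === 'NotApplicable'`), and otherwise only when some allow statement carries `principalMatch === 'AccountLevelMatch'`, so the comment should say so: `* Service authorizer for STS. Trusts the principal account's IAM policies only when the resource policy matched the principal at account level, or when the call is same-account and no resource policy applies.` Since these are generated files, the fix belongs in the src/services/StsServiceAuthorizer.ts named in the source map.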
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"StsServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/StsServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACjD,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAA;AAExE;;GAEG;AACH,qBAAa,oBAAqB,SAAQ,wBAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,CAAC,WAAW,EAAE,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,GAAG,OAAO;CAQjG"}
|
|
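--- a/package/dist/cjs/services/StsServiceAuthorizer.js
+++ b/package/dist/cjs/services/StsServiceAuthorizer.js
@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.StsServiceAuthorizer = void 0;
+const DefaultServiceAuthorizer_js_1 = require("./DefaultServiceAuthorizer.js");
+/**
+* The default authorizer for services.
+*/
+class StsServiceAuthorizer extends DefaultServiceAuthorizer_js_1.DefaultServiceAuthorizer {
+/**
+* Determines if the service trusts the principal's Account's IAM policies
+*
+* @param sameAccount - If the principal and resource are in the same account
+* @param resourceAnalysis - The resource policy analysis
+* @returns true if the service trusts the principal's account IAM policies
+*/
+serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis) {
+if (sameAccount && resourceAnalysis.result === 'NotApplicable') {
+return true;
+}
+return resourceAnalysis.allowStatements.some((statement) => statement.principalMatch === 'AccountLevelMatch');
+}
+}
+exports.StsServiceAuthorizer = StsServiceAuthorizer;
+//# sourceMappingURL=StsServiceAuthorizer.js.map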
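Review bot: `serviceTrustsPrincipalAccount` at line 20 of the new file decides the fallback to the account's IAM policies from `resourceAnalysis.allowStatements.some((statement) => statement.principalMatch === 'AccountLevelMatch')` alone, without checking whether that statement also matched the request's action, resource or conditions. Whether that matters depends on what analyzeResourcePolicy places in `allowStatements`, which is not visible in this diff: if it holds only statements that matched in full this is fine, but if it holds every Allow statement, a resource policy that names the principal's account at account level while its Condition does not match the request would still be treated as delegating to the account's IAM policies, which over-approximates the real STS decision. Worth a unit test for that case either way, plus a comment stating the assumption, e.g. `// allowStatements is assumed to hold only statements that fully matched the request`.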
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"StsServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/StsServiceAuthorizer.ts"],"names":[],"mappings":";;;AACA,+EAAwE;AAExE;;GAEG;AACH,MAAa,oBAAqB,SAAQ,sDAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,CAAC,WAAoB,EAAE,gBAAkC;QACpF,IAAI,WAAW,IAAI,gBAAgB,CAAC,MAAM,KAAK,eAAe,EAAE,CAAC;YAC/D,OAAO,IAAI,CAAA;QACb,CAAC;QACD,OAAO,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC1C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,mBAAmB,CAChE,CAAA;IACH,CAAC;CACF;AAhBD,oDAgBC"}
|
|
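--- a/package/dist/cjs/simulation_engine/simulation.d.ts
+++ b/package/dist/cjs/simulation_engine/simulation.d.ts
@@ -19,6 +19,18 @@ export interface Simulation {
 policy: any;
 }[];
 }[];
+/**
+* The resource control policies for the simulation.
+* One per level of the OU/Account hierarchy.
+* The default Resource Control Policy, RCPFullAWSAccess, is automatically added to the simulation.
+*/
+resourceControlPolicies: {
+orgIdentifier: string;
+policies: {
+name: string;
+policy: any;
+}[];
+}[];
 resourcePolicy?: any;
 permissionBoundaryPolicies?: {
 name: string;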
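Review bot: `resourceControlPolicies` is added to `Simulation` as a required property, which breaks every existing caller of runSimulation and runUnsafeSimulation built against 0.1.22: both engines now call `simulation.resourceControlPolicies.map(...)` unguarded (cjs simulationEngine.js line 68 and cjs unsafeSimulationEngine.js line 26 in this diff), so an input without the field throws a TypeError instead of producing an `errors` result. Either declare it `resourceControlPolicies?: {` and read it as `(simulation.resourceControlPolicies ?? []).map((rcp) => {` in both engines, or state in this comment that the field is mandatory from 0.1.24 and that an empty array means no RCP levels apply. The interface continues outside the hunk.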
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"simulation.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulation.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,CAAA;QACjB,MAAM,EAAE,MAAM,CAAA;QACd,QAAQ,EAAE;YACR,QAAQ,EAAE,MAAM,CAAA;YAChB,SAAS,EAAE,MAAM,CAAA;SAClB,CAAA;QACD,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAA;KACpD,CAAA;IAED,gBAAgB,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,GAAG,CAAA;KAAE,EAAE,CAAA;
|
|
1
|
+
{"version":3,"file":"simulation.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulation.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,CAAA;QACjB,MAAM,EAAE,MAAM,CAAA;QACd,QAAQ,EAAE;YACR,QAAQ,EAAE,MAAM,CAAA;YAChB,SAAS,EAAE,MAAM,CAAA;SAClB,CAAA;QACD,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAA;KACpD,CAAA;IAED,gBAAgB,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,GAAG,CAAA;KAAE,EAAE,CAAA;IAEjD,sBAAsB,EAAE;QACtB,aAAa,EAAE,MAAM,CAAA;QACrB,QAAQ,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,GAAG,CAAA;SAAE,EAAE,CAAA;KAC1C,EAAE,CAAA;IAEH;;;;OAIG;IACH,uBAAuB,EAAE;QACvB,aAAa,EAAE,MAAM,CAAA;QACrB,QAAQ,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,GAAG,CAAA;SAAE,EAAE,CAAA;KAC1C,EAAE,CAAA;IAEH,cAAc,CAAC,EAAE,GAAG,CAAA;IACpB,0BAA0B,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,GAAG,CAAA;KAAE,EAAE,CAAA;CAC7D"}
|
|
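--- a/package/dist/cjs/simulation_engine/simulationEngine.d.ts
+++ b/package/dist/cjs/simulation_engine/simulationEngine.d.ts
@@ -5,6 +5,8 @@ import { SimulationOptions } from './simulationOptions.js';
 export interface SimulationErrors {
 identityPolicyErrors?: Record<string, ValidationError[]>;
 seviceControlPolicyErrors?: Record<string, ValidationError[]>;
+resourceControlPolicyErrors?: Record<string, ValidationError[]>;
+permissionBoundaryErrors?: Record<string, ValidationError[]>;
 resourcePolicyErrors?: ValidationError[];
 message: string;
 }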
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"simulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":"AACA,OAAO,
|
|
1
|
+
{"version":3,"file":"simulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":"AACA,OAAO,EAOL,eAAe,EAChB,MAAM,2BAA2B,CAAA;AAIlC,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAA;AAKhD,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAA;AAC5C,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAiB1D,MAAM,WAAW,gBAAgB;IAC/B,oBAAoB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAA;IACxD,yBAAyB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAA;IAC7D,2BAA2B,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAA;IAC/D,wBAAwB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAA;IAC5D,oBAAoB,CAAC,EAAE,eAAe,EAAE,CAAA;IACxC,OAAO,EAAE,MAAM,CAAA;CAChB;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,CAAC,EAAE,gBAAgB,CAAA;IACzB,QAAQ,CAAC,EAAE,eAAe,CAAA;IAE1B;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB;;;;;;;;OAQG;IACH,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAA;CAC9B;AAED;;;;;;GAMG;AACH,wBAAsB,aAAa,CACjC,UAAU,EAAE,UAAU,EACtB,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAC5C,OAAO,CAAC,gBAAgB,CAAC,CAmL3B;AAED,wBAAsB,6BAA6B,CAAC,UAAU,EAAE,UAAU,GAAG,OAAO,CAAC;IACnF,kBAAkB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAA;IACrD,kBAAkB,EAAE,MAAM,EAAE,CAAA;CAC7B,CAAC,CAoCD"}
|
|
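--- a/package/dist/cjs/simulation_engine/simulationEngine.js
+++ b/package/dist/cjs/simulation_engine/simulationEngine.js
@@ -6,11 +6,25 @@ const iam_data_1 = require("@cloud-copilot/iam-data");
 const iam_policy_1 = require("@cloud-copilot/iam-policy");
 const contextKeyTypes_js_1 = require("../context_keys/contextKeyTypes.js");
 const contextKeys_js_1 = require("../context_keys/contextKeys.js");
-const
+const CoreSimulatorEngine_js_1 = require("../core_engine/CoreSimulatorEngine.js");
 const request_js_1 = require("../request/request.js");
 const requestContext_js_1 = require("../requestContext.js");
 const util_js_1 = require("../util.js");
 const contextKeys_js_2 = require("./contextKeys.js");
+const DEFAULT_RCP = {
+name: 'RCPFullAWSAccess',
+policy: {
+Version: '2012-10-17',
+Statement: [
+{
+Effect: 'Allow',
+Principal: '*',
+Action: '*',
+Resource: '*'
+}
+]
+}
+};
 /**
 * Run a simulation with validation
 *
@@ -50,6 +64,26 @@ async function runSimulation(simulation, simulationOptions) {
 policies: validPolicies
 };
 });
+const resourceControlPolicyErrors = {};
+const resourceControlPolicies = simulation.resourceControlPolicies.map((rcp) => {
+const ouId = rcp.orgIdentifier;
+const validPolicies = [];
+validPolicies.push((0, iam_policy_1.loadPolicy)(DEFAULT_RCP.policy));
+rcp.policies.forEach((value) => {
+const { name, policy } = value;
+const validationErrors = (0, iam_policy_1.validateResourceControlPolicy)(policy);
+if (validationErrors.length > 0) {
+resourceControlPolicyErrors[name] = validationErrors;
+}
+else {
+validPolicies.push((0, iam_policy_1.loadPolicy)(policy));
+}
+});
+return {
+orgIdentifier: ouId,
+policies: validPolicies
+};
+});
 const resourcePolicyErrors = simulation.resourcePolicy
 ? (0, iam_policy_1.validateResourcePolicy)(simulation.resourcePolicy)
 : [];
@@ -69,13 +103,16 @@ async function runSimulation(simulation, simulationOptions) {
 });
 if (Object.keys(identityPolicyErrors).length > 0 ||
 Object.keys(seviceControlPolicyErrors).length > 0 ||
+Object.keys(resourceControlPolicyErrors).length > 0 ||
 Object.keys(permissionBoundaryErrors).length > 0 ||
 resourcePolicyErrors.length > 0) {
 return {
 errors: {
 identityPolicyErrors,
 seviceControlPolicyErrors,
+resourceControlPolicyErrors,
 resourcePolicyErrors,
+permissionBoundaryErrors,
 message: 'policy.errors'
 }
 };
@@ -140,13 +177,14 @@ async function runSimulation(simulation, simulationOptions) {
 }
 }
 const { validContextValues, ignoredContextKeys } = await normalizeSimulationParameters(simulation);
-const simulationResult = (0,
+const simulationResult = (0, CoreSimulatorEngine_js_1.authorize)({
 request: new request_js_1.AwsRequestImpl(simulation.request.principal, {
 resource: simulation.request.resource.resource,
 accountId: simulation.request.resource.accountId
 }, simulation.request.action, new requestContext_js_1.RequestContextImpl(validContextValues)),
 identityPolicies,
 serviceControlPolicies,
+resourceControlPolicies,
 resourcePolicy,
 permissionBoundaries
 });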
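Review bot: `DEFAULT_RCP` at lines 14-27 of the new file carries no comment saying what it is, and `loadPolicy(DEFAULT_RCP.policy)` at line 71 re-parses that constant on every OU/account level of the map. I would add `// The AWS-managed RCPFullAWSAccess policy; pushed first on every level, as the Simulation.resourceControlPolicies doc promises` above the constant, and hoist the parse to a single `const defaultRcp = (0, iam_policy_1.loadPolicy)(DEFAULT_RCP.policy);` before the map, provided the loaded Policy object is not mutated during analysis, which this diff does not show. The RCP block at lines 67-86 is otherwise a copy of the SCP block ending just above the second hunk, differing only in the validator called and the default policy, so a shared helper taking the validator would remove the duplication. runSimulation starts and ends outside these hunks.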
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"simulationEngine.js","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"simulationEngine.js","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":";;AA2EA,sCAsLC;AAED,sEAuCC;AA1SD,sDAA2E;AAC3E,0DAQkC;AAClC,2EAAwE;AACxE,mEAA2F;AAC3F,kFAAkF;AAElF,sDAAsD;AACtD,4DAAyD;AACzD,wCAA4E;AAC5E,qDAA+D;AAI/D,MAAM,WAAW,GAAG;IAClB,IAAI,EAAE,kBAAkB;IACxB,MAAM,EAAE;QACN,OAAO,EAAE,YAAY;QACrB,SAAS,EAAE;YACT;gBACE,MAAM,EAAE,OAAO;gBACf,SAAS,EAAE,GAAG;gBACd,MAAM,EAAE,GAAG;gBACX,QAAQ,EAAE,GAAG;aACd;SACF;KACF;CACF,CAAA;AAkCD;;;;;;GAMG;AACI,KAAK,UAAU,aAAa,CACjC,UAAsB,EACtB,iBAA6C;IAE7C,MAAM,oBAAoB,GAAsC,EAAE,CAAA;IAClE,MAAM,gBAAgB,GAAa,EAAE,CAAA;IACrC,UAAU,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE;QAC5C,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,KAAK,CAAA;QAC9B,MAAM,gBAAgB,GAAG,IAAA,mCAAsB,EAAC,MAAM,CAAC,CAAA;QACvD,IAAI,gBAAgB,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;YACjC,gBAAgB,CAAC,IAAI,CAAC,IAAA,uBAAU,EAAC,MAAM,CAAC,CAAC,CAAA;QAC3C,CAAC;aAAM,CAAC;YACN,oBAAoB,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAA;QAC/C,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,MAAM,yBAAyB,GAAsC,EAAE,CAAA;IACvE,MAAM,sBAAsB,GAAsB,UAAU,CAAC,sBAAsB,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;QAC9F,MAAM,IAAI,GAAG,GAAG,CAAC,aAAa,CAAA;QAC9B,MAAM,aAAa,GAAa,EAAE,CAAA;QAElC,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE;YAC7B,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,KAAK,CAAA;YAC9B,MAAM,gBAAgB,GAAG,IAAA,yCAA4B,EAAC,MAAM,CAAC,CAAA;YAC7D,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAChC,yBAAyB,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAA;YACpD,CAAC;iBAAM,CAAC;gBACN,aAAa,CAAC,IAAI,CAAC,IAAA,uBAAU,EAAC,MAAM,CAAC,CAAC,CAAA;YACxC,CAAC;QACH,CAAC,CAAC,CAAA;QAEF,OAAO;YACL,aAAa,EAAE,IAAI;YACnB,QAAQ,EAAE,aAAa;SACxB,CAAA;IACH,CAAC,CAAC,CAAA;IAEF,MAAM,2BAA2B,GAAsC,EAAE,CAAA;IACzE,MAAM,uBAAuB,GAAsB,UAAU,CAAC,uBAAuB,CAAC,GAAG,CACvF,CAAC,GAAG,EAAE,EAAE;QACN,MAAM,IAAI,GAAG,GAAG,CAAC,aAAa,CAAA;QAC9B,MAAM,aAAa,GAAa,EAAE,CAAA;QAClC,aAAa,CAAC,IAAI,CAAC,IAAA,uBAAU,EAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAA;QAElD,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE;YAC7B,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,KAAK,CAAA;YAC9B,
MAAM,gBAAgB,GAAG,IAAA,0CAA6B,EAAC,MAAM,CAAC,CAAA;YAC9D,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAChC,2BAA2B,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAA;YACtD,CAAC;iBAAM,CAAC;gBACN,aAAa,CAAC,IAAI,CAAC,IAAA,uBAAU,EAAC,MAAM,CAAC,CAAC,CAAA;YACxC,CAAC;QACH,CAAC,CAAC,CAAA;QAEF,OAAO;YACL,aAAa,EAAE,IAAI;YACnB,QAAQ,EAAE,aAAa;SACxB,CAAA;IACH,CAAC,CACF,CAAA;IAED,MAAM,oBAAoB,GAAG,UAAU,CAAC,cAAc;QACpD,CAAC,CAAC,IAAA,mCAAsB,EAAC,UAAU,CAAC,cAAc,CAAC;QACnD,CAAC,CAAC,EAAE,CAAA;IAEN,MAAM,oBAAoB,GAAyB,UAAU,CAAC,0BAA0B;QACtF,CAAC,CAAC,EAAE;QACJ,CAAC,CAAC,SAAS,CAAA;IACb,MAAM,wBAAwB,GAAsC,EAAE,CAAA;IACtE,UAAU,CAAC,0BAA0B,EAAE,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE;QAChD,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,CAAA;QAC3B,MAAM,gBAAgB,GAAG,IAAA,mCAAsB,EAAC,MAAM,CAAC,CAAA;QACvD,IAAI,gBAAgB,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;YACjC,oBAAqB,CAAC,IAAI,CAAC,IAAA,uBAAU,EAAC,MAAM,CAAC,CAAC,CAAA;QAChD,CAAC;aAAM,CAAC;YACN,wBAAwB,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAA;QACnD,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,IACE,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,MAAM,GAAG,CAAC;QAC5C,MAAM,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC,MAAM,GAAG,CAAC;QACjD,MAAM,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC,MAAM,GAAG,CAAC;QACnD,MAAM,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC,MAAM,GAAG,CAAC;QAChD,oBAAoB,CAAC,MAAM,GAAG,CAAC,EAC/B,CAAC;QACD,OAAO;YACL,MAAM,EAAE;gBACN,oBAAoB;gBACpB,yBAAyB;gBACzB,2BAA2B;gBAC3B,oBAAoB;gBACpB,wBAAwB;gBACxB,OAAO,EAAE,eAAe;aACzB;SACF,CAAA;IACH,CAAC;IAED,MAAM,cAAc,GAAG,UAAU,CAAC,cAAc;QAC9C,CAAC,CAAC,IAAA,uBAAU,EAAC,UAAU,CAAC,cAAc,CAAC;QACvC,CAAC,CAAC,SAAS,CAAA;IAEb,IAAI,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QACrD,OAAO;YACL,MAAM,EAAE;gBACN,OAAO,EAAE,gBAAgB;aAC1B;SACF,CAAA;IACH,CAAC;IAED,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,GAAG,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC9D,MAAM,YAAY,GAAG,MAAM,IAAA,2BAAgB,EAAC,OAAO,CAAC,CAAA;IACpD,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,OAAO;YACL,MAAM,EAAE;gBACN,OAAO,EAAE,iBAAiB;aAC3B;SACF,CAAA;IACH,CAAC;IACD,MAAM,WAAW,GAAG,MAAM,IAAA,0BAAe,EAAC,OAAO,EAAE,MAAM,CAAC,CAAA;IAC1D,IAAI,CAAC,WAAW,EAAE,CA
AC;QACjB,OAAO;YACL,MAAM,EAAE;gBACN,OAAO,EAAE,gBAAgB;aAC1B;SACF,CAAA;IACH,CAAC;IAED,MAAM,WAAW,GAAG,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAA;IACxD,MAAM,oBAAoB,GAAG,MAAM,IAAA,8BAAoB,EAAC,OAAO,EAAE,MAAM,CAAC,CAAA;IACxE,IAAI,YAAY,GAAuB,SAAS,CAAA;IAChD,IAAI,oBAAoB,EAAE,CAAC;QACzB,IAAI,WAAW,KAAK,GAAG,EAAE,CAAC;YACxB,OAAO;gBACL,MAAM,EAAE;oBACN,OAAO,EAAE,mBAAmB;iBAC7B;aACF,CAAA;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,MAAM,aAAa,GAAG,MAAM,IAAA,mCAAyB,EAAC,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,CAAA;QACnF,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC/B,OAAO;gBACL,MAAM,EAAE;oBACN,OAAO,EAAE,mBAAmB;iBAC7B;aACF,CAAA;QACH,CAAC;aAAM,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpC,OAAO;gBACL,MAAM,EAAE;oBACN,OAAO,EAAE,yBAAyB;iBACnC;aACF,CAAA;QACH,CAAC;aAAM,CAAC;YACN,YAAY,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC,GAAG,CAAA;QACrC,CAAC;IACH,CAAC;IAED,MAAM,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,GAAG,MAAM,6BAA6B,CAAC,UAAU,CAAC,CAAA;IAElG,MAAM,gBAAgB,GAAG,IAAA,kCAAS,EAAC;QACjC,OAAO,EAAE,IAAI,2BAAc,CACzB,UAAU,CAAC,OAAO,CAAC,SAAS,EAC5B;YACE,QAAQ,EAAE,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ;YAC9C,SAAS,EAAE,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS;SACjD,EACD,UAAU,CAAC,OAAO,CAAC,MAAM,EACzB,IAAI,sCAAkB,CAAC,kBAAkB,CAAC,CAC3C;QACD,gBAAgB;QAChB,sBAAsB;QACtB,uBAAuB;QACvB,cAAc;QACd,oBAAoB;KACrB,CAAC,CAAA;IAEF,OAAO;QACL,QAAQ,EAAE,gBAAgB;QAC1B,kBAAkB;QAClB,YAAY;KACb,CAAA;AACH,CAAC;AAEM,KAAK,UAAU,6BAA6B,CAAC,UAAsB;IAIxE,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,GAAG,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC9D,MAAM,WAAW,GAAG,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAA;IACxD,MAAM,yBAAyB,GAAG,IAAI,GAAG,CACvC,MAAM,IAAA,6CAA4B,EAAC,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,CACjE,CAAA;IAED,4FAA4F;IAC5F,MAAM,kBAAkB,GAAsC,EAAE,CAAA;IAChE,MAAM,kBAAkB,GAAa,EAAE,CAAA;IACvC,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACnE,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAA;QACtD,MAAM,YAAY,GAAG,GAAG,CAAC,WAAW,EAAE,CAAA;QACtC,IACE,yBAAyB,CAAC,GAAG,CAAC,YAAY,CAAC;YAC3C,uBAAuB,CAAC,YAAY,EAAE,yBAAyB,CAAC,EAChE,CAAC;YACD,MAAM,aAAa,GAAG
,MAAM,IAAA,kCAAiB,EAAC,YAAY,CAAC,CAAA;YAC3D,MAAM,aAAa,GAAG,MAAM,IAAA,wCAAuB,EAAC,GAAG,CAAC,CAAA;YAExD,IAAI,IAAA,wCAAmB,EAAC,aAAa,CAAC,EAAE,CAAC;gBACvC,kBAAkB,CAAC,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,CAAA;YACpD,CAAC;iBAAM,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBAChC,kBAAkB,CAAC,aAAa,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;YAC9C,CAAC;iBAAM,CAAC;gBACN,kBAAkB,CAAC,aAAa,CAAC,GAAG,KAAK,CAAA;YAC3C,CAAC;QACH,CAAC;aAAM,CAAC;YACN,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;QAC9B,CAAC;IACH,CAAC;IAED,OAAO;QACL,kBAAkB;QAClB,kBAAkB;KACnB,CAAA;AACH,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,uBAAuB,CAAC,YAAoB,EAAE,gBAA6B;IAClF,MAAM,eAAe,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IACjD,IAAI,eAAe,KAAK,CAAC,CAAC,EAAE,CAAC;QAC3B,OAAO,KAAK,CAAA;IACd,CAAC;IAED,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,eAAe,GAAG,CAAC,CAAC,CAAA;IACzD,KAAK,MAAM,QAAQ,IAAI,gBAAgB,EAAE,CAAC;QACxC,IAAI,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YAChC,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"unsafeSimulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/unsafeSimulationEngine.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AAGtD,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAA;AAC5C,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAE1D;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CACjC,UAAU,EAAE,UAAU,EACtB,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAC5C,gBAAgB,
|
|
1
|
+
{"version":3,"file":"unsafeSimulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/unsafeSimulationEngine.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AAGtD,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAA;AAC5C,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAE1D;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CACjC,UAAU,EAAE,UAAU,EACtB,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAC5C,gBAAgB,CAkDlB"}
|
|
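--- a/package/dist/cjs/simulation_engine/unsafeSimulationEngine.js
+++ b/package/dist/cjs/simulation_engine/unsafeSimulationEngine.js
@@ -2,7 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.runUnsafeSimulation = runUnsafeSimulation;
 const iam_policy_1 = require("@cloud-copilot/iam-policy");
-const
+const CoreSimulatorEngine_js_1 = require("../core_engine/CoreSimulatorEngine.js");
 const request_js_1 = require("../request/request.js");
 const requestContext_js_1 = require("../requestContext.js");
 /**
@@ -23,16 +23,25 @@ function runUnsafeSimulation(simulation, simulationOptions) {
 policies: policies
 };
 });
+const resourceControlPolicies = simulation.resourceControlPolicies.map((rcp) => {
+const ouId = rcp.orgIdentifier;
+const policies = rcp.policies.map((val) => (0, iam_policy_1.loadPolicy)(val.policy));
+return {
+orgIdentifier: ouId,
+policies: policies
+};
+});
 const permissionBoundaries = simulation.permissionBoundaryPolicies?.map((val) => (0, iam_policy_1.loadPolicy)(val.policy)) ?? undefined;
 const requestContext = new requestContext_js_1.RequestContextImpl(simulation.request.contextVariables);
 const request = new request_js_1.AwsRequestImpl(simulation.request.principal, {
 resource: simulation.request.resource.resource,
 accountId: simulation.request.resource.accountId
 }, simulation.request.action, requestContext);
-const analysis = (0,
+const analysis = (0, CoreSimulatorEngine_js_1.authorize)({
 request,
 identityPolicies,
 serviceControlPolicies,
+resourceControlPolicies,
 resourcePolicy: simulation.resourcePolicy ? (0, iam_policy_1.loadPolicy)(simulation.resourcePolicy) : undefined,
 permissionBoundaries
 });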
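Review bot: The RCP block added at lines 26-33 loads only the caller's policies and never adds RCPFullAWSAccess, whereas runSimulation in the cjs simulationEngine.js section pushes `loadPolicy(DEFAULT_RCP.policy)` first on every level and the `Simulation.resourceControlPolicies` doc states that the default RCP is added automatically. If analyzeControlPolicies treats a level with no matching allow statement as an implicit deny, as SCP evaluation does, a caller that supplies only deny-style RCPs will see every request denied by this engine but not by the validating one; I cannot confirm that from this diff because analyzeControlPolicies is not shown. Either move `DEFAULT_RCP` to a shared module and push `(0, iam_policy_1.loadPolicy)(DEFAULT_RCP.policy)` as the first element of `policies` here too, or add a comment on this block stating that callers of the unsafe engine must include RCPFullAWSAccess themselves. runUnsafeSimulation starts outside the hunk.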
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"unsafeSimulationEngine.js","sourceRoot":"","sources":["../../../src/simulation_engine/unsafeSimulationEngine.ts"],"names":[],"mappings":";;AAgBA,
|
|
1
|
+
{"version":3,"file":"unsafeSimulationEngine.js","sourceRoot":"","sources":["../../../src/simulation_engine/unsafeSimulationEngine.ts"],"names":[],"mappings":";;AAgBA,kDAqDC;AArED,0DAAsD;AACtD,kFAAkF;AAElF,sDAAsD;AACtD,4DAAyD;AAIzD;;;;;;;GAOG;AACH,SAAgB,mBAAmB,CACjC,UAAsB,EACtB,iBAA6C;IAE7C,MAAM,gBAAgB,GAAG,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAC5E,IAAA,uBAAU,EAAC,CAAC,CAAC,MAAM,CAAC,CACrB,CAAA;IACD,MAAM,sBAAsB,GAAsB,UAAU,CAAC,sBAAsB,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;QAC9F,MAAM,IAAI,GAAG,GAAG,CAAC,aAAa,CAAA;QAC9B,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAA,uBAAU,EAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAA;QAElE,OAAO;YACL,aAAa,EAAE,IAAI;YACnB,QAAQ,EAAE,QAAQ;SACnB,CAAA;IACH,CAAC,CAAC,CAAA;IAEF,MAAM,uBAAuB,GAAsB,UAAU,CAAC,uBAAuB,CAAC,GAAG,CACvF,CAAC,GAAG,EAAE,EAAE;QACN,MAAM,IAAI,GAAG,GAAG,CAAC,aAAa,CAAA;QAC9B,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAA,uBAAU,EAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAA;QAElE,OAAO;YACL,aAAa,EAAE,IAAI;YACnB,QAAQ,EAAE,QAAQ;SACnB,CAAA;IACH,CAAC,CACF,CAAA;IAED,MAAM,oBAAoB,GACxB,UAAU,CAAC,0BAA0B,EAAE,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAA,uBAAU,EAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,SAAS,CAAA;IAE1F,MAAM,cAAc,GAAG,IAAI,sCAAkB,CAAC,UAAU,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAA;IAClF,MAAM,OAAO,GAAG,IAAI,2BAAc,CAChC,UAAU,CAAC,OAAO,CAAC,SAAS,EAC5B;QACE,QAAQ,EAAE,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ;QAC9C,SAAS,EAAE,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS;KACjD,EACD,UAAU,CAAC,OAAO,CAAC,MAAM,EACzB,cAAc,CACf,CAAA;IAED,MAAM,QAAQ,GAAG,IAAA,kCAAS,EAAC;QACzB,OAAO;QACP,gBAAgB;QAChB,sBAAsB;QACtB,uBAAuB;QACvB,cAAc,EAAE,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,IAAA,uBAAU,EAAC,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,SAAS;QAC7F,oBAAoB;KACrB,CAAC,CAAA;IAEF,OAAO,QAAQ,CAAC,MAAM,CAAA;AACxB,CAAC"}
|
|
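--- a/package/dist/esm/core_engine/CoreSimulatorEngine.d.ts
+++ b/package/dist/esm/core_engine/CoreSimulatorEngine.d.ts
@@ -1,11 +1,11 @@
 import { Policy } from '@cloud-copilot/iam-policy';
-import { IdentityAnalysis, RequestAnalysis, ResourceAnalysis, ScpAnalysis } from '../evaluate.js';
+import { IdentityAnalysis, RcpAnalysis, RequestAnalysis, ResourceAnalysis, ScpAnalysis } from '../evaluate.js';
 import { AwsRequest } from '../request/request.js';
 import { ServiceAuthorizer } from '../services/ServiceAuthorizer.js';
 /**
-* A set of service control policies for each level of an organization tree
+* A set of service or resource control policies for each level of an organization tree
 */
-export interface
+export interface ControlPolicies {
 /**
 * The organization identifier for the organizational unit these policies apply to.
 */
@@ -29,9 +29,14 @@ export interface AuthorizationRequest {
 identityPolicies: Policy[];
 /**
 * The service control policies that apply to the principal making the request. In
-* order of the orgnaization hierarchy. So the root ou
+* order of the orgnaization hierarchy. So the root ou SCPs should be first.
 */
-serviceControlPolicies:
+serviceControlPolicies: ControlPolicies[];
+/**
+* The resource control policies that apply to the resource being accessed. In
+* order of the orgnaization hierarchy. So the root ou RCPs should be first.
+*/
+resourceControlPolicies: ControlPolicies[];
 /**
 * The resource policy that applies to the resource being accessed.
 */
@@ -67,13 +72,13 @@ export declare function getServiceAuthorizer(request: AuthorizationRequest): Ser
 */
 export declare function analyzeIdentityPolicies(identityPolicies: Policy[], request: AwsRequest): IdentityAnalysis;
 /**
-* Analyzes a set of service control policies and the statements within them.
+* Analyzes a set of service or resource control policies and the statements within them.
 *
-* @param
+* @param controlPolicies the control policies to analyze
 * @param request the request to analyze against
-* @returns an array of SCP analysis results
+* @returns an array of SCP or RCP analysis results
 */
-export declare function
+export declare function analyzeControlPolicies(controlPolicies: ControlPolicies[], request: AwsRequest): ScpAnalysis | RcpAnalysis;
 /**
 * Analyze a resource policy and return the results
 *
@@ -81,6 +86,6 @@ export declare function analyzeServiceControlPolicies(serviceControlPolicies: Se
 * @param request the request to analyze against
 * @returns an array of statement analysis results
 */
-export declare function analyzeResourcePolicy(resourcePolicy: Policy | undefined, request: AwsRequest): ResourceAnalysis;
+export declare function analyzeResourcePolicy(resourcePolicy: Policy | undefined, request: AwsRequest, principalHasPermissionBoundary: boolean): ResourceAnalysis;
 export declare function analyzePermissionBoundaryPolicies(permissionBoundaries: Policy[] | undefined, request: AwsRequest): IdentityAnalysis | undefined;
-//# sourceMappingURL=
+//# sourceMappingURL=CoreSimulatorEngine.d.ts.map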
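Review bot: The new third parameter of `analyzeResourcePolicy` in the last hunk is undocumented: the TSDoc above it still lists only `@param request` and `@returns`. Going by the esm CoreSimulatorEngine.js section below, where authorize() computes the argument as `!!request.permissionBoundaries && request.permissionBoundaries.length > 0`, I would add `* @param principalHasPermissionBoundary whether at least one permission boundary policy applies to the principal`, and state its effect on the resource analysis once the implementation is in view. The typo `orgnaization` from the existing SCP doc is copied into the new `resourceControlPolicies` doc in the second hunk; both should read `organization`. `analyzeControlPolicies` now returns `ScpAnalysis | RcpAnalysis` while its two call sites assign the result straight to `scpAnalysis` and `rcpAnalysis`; if those two types differ, callers will have to narrow, and an overload per policy kind would avoid that.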
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"CoreSimulatorEngine.d.ts","sourceRoot":"","sources":["../../../src/core_engine/CoreSimulatorEngine.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAa,MAAM,2BAA2B,CAAA;AAG7D,OAAO,EAEL,gBAAgB,EAEhB,WAAW,EACX,eAAe,EACf,gBAAgB,EAChB,WAAW,EACZ,MAAM,gBAAgB,CAAA;AAGvB,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAA;AAIlD,OAAO,EAAE,iBAAiB,EAAE,MAAM,kCAAkC,CAAA;AASpE;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B;;OAEG;IACH,aAAa,EAAE,MAAM,CAAA;IAErB;;OAEG;IACH,QAAQ,EAAE,MAAM,EAAE,CAAA;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC;;OAEG;IACH,OAAO,EAAE,UAAU,CAAA;IAEnB;;OAEG;IACH,gBAAgB,EAAE,MAAM,EAAE,CAAA;IAE1B;;;OAGG;IACH,sBAAsB,EAAE,eAAe,EAAE,CAAA;IAEzC;;;OAGG;IACH,uBAAuB,EAAE,eAAe,EAAE,CAAA;IAE1C;;OAEG;IACH,cAAc,EAAE,MAAM,GAAG,SAAS,CAAA;IAElC;;OAEG;IACH,oBAAoB,EAAE,MAAM,EAAE,GAAG,SAAS,CAAA;CAC3C;AAOD;;;;;;;GAOG;AACH,wBAAgB,SAAS,CAAC,OAAO,EAAE,oBAAoB,GAAG,eAAe,CA+BxE;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,oBAAoB,GAAG,iBAAiB,CAMrF;AAED;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CACrC,gBAAgB,EAAE,MAAM,EAAE,EAC1B,OAAO,EAAE,UAAU,GAClB,gBAAgB,CA+DlB;AAED;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CACpC,eAAe,EAAE,eAAe,EAAE,EAClC,OAAO,EAAE,UAAU,GAClB,WAAW,GAAG,WAAW,CA6E3B;AAED;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CACnC,cAAc,EAAE,MAAM,GAAG,SAAS,EAClC,OAAO,EAAE,UAAU,EACnB,8BAA8B,EAAE,OAAO,GACtC,gBAAgB,CA+GlB;AAED,wBAAgB,iCAAiC,CAC/C,oBAAoB,EAAE,MAAM,EAAE,GAAG,SAAS,EAC1C,OAAO,EAAE,UAAU,GAClB,gBAAgB,GAAG,SAAS,CAM9B"}
|
|
@@ -3,8 +3,13 @@ import { requestMatchesConditions } from '../condition/condition.js';
|
|
|
3
3
|
import { requestMatchesStatementPrincipals } from '../principal/principal.js';
|
|
4
4
|
import { requestMatchesStatementResources } from '../resource/resource.js';
|
|
5
5
|
import { DefaultServiceAuthorizer } from '../services/DefaultServiceAuthorizer.js';
|
|
6
|
+
import { KmsServiceAuthorizer } from '../services/KmsServiceAuthorizer.js';
|
|
7
|
+
import { StsServiceAuthorizer } from '../services/StsServiceAuthorizer.js';
|
|
6
8
|
import { identityStatementAllows, identityStatementExplicitDeny, statementMatches } from '../StatementAnalysis.js';
|
|
7
|
-
const serviceEngines = {
|
|
9
|
+
const serviceEngines = {
|
|
10
|
+
kms: KmsServiceAuthorizer,
|
|
11
|
+
sts: StsServiceAuthorizer
|
|
12
|
+
};
|
|
8
13
|
/**
|
|
9
14
|
* Authorizes a request.
|
|
10
15
|
*
|
|
@@ -14,15 +19,18 @@ const serviceEngines = {};
|
|
|
14
19
|
* @returns the result of the authorization
|
|
15
20
|
*/
|
|
16
21
|
export function authorize(request) {
|
|
22
|
+
const principalHasPermissionBoundary = !!request.permissionBoundaries && request.permissionBoundaries.length > 0;
|
|
17
23
|
const identityAnalysis = analyzeIdentityPolicies(request.identityPolicies, request.request);
|
|
18
24
|
const permissionBoundaryAnalysis = analyzePermissionBoundaryPolicies(request.permissionBoundaries, request.request);
|
|
19
|
-
const scpAnalysis =
|
|
20
|
-
const
|
|
25
|
+
const scpAnalysis = analyzeControlPolicies(request.serviceControlPolicies, request.request);
|
|
26
|
+
const rcpAnalysis = analyzeControlPolicies(request.resourceControlPolicies, request.request);
|
|
27
|
+
const resourceAnalysis = analyzeResourcePolicy(request.resourcePolicy, request.request, principalHasPermissionBoundary);
|
|
21
28
|
const serviceAuthorizer = getServiceAuthorizer(request);
|
|
22
29
|
return serviceAuthorizer.authorize({
|
|
23
30
|
request: request.request,
|
|
24
31
|
identityAnalysis,
|
|
25
32
|
scpAnalysis,
|
|
33
|
+
rcpAnalysis,
|
|
26
34
|
resourceAnalysis,
|
|
27
35
|
permissionBoundaryAnalysis
|
|
28
36
|
});
|
|
@@ -35,7 +43,7 @@ export function authorize(request) {
|
|
|
35
43
|
* @returns the service authorizer for the request
|
|
36
44
|
*/
|
|
37
45
|
export function getServiceAuthorizer(request) {
|
|
38
|
-
const serviceName = request.request.
|
|
46
|
+
const serviceName = request.request.action.service().toLowerCase();
|
|
39
47
|
if (serviceEngines[serviceName]) {
|
|
40
48
|
return new serviceEngines[serviceName]();
|
|
41
49
|
}
|
|
@@ -95,15 +103,15 @@ export function analyzeIdentityPolicies(identityPolicies, request) {
|
|
|
95
103
|
return identityAnalysis;
|
|
96
104
|
}
|
|
97
105
|
/**
|
|
98
|
-
* Analyzes a set of service control policies and the statements within them.
|
|
106
|
+
* Analyzes a set of service or resource control policies and the statements within them.
|
|
99
107
|
*
|
|
100
|
-
* @param
|
|
108
|
+
* @param controlPolicies the control policies to analyze
|
|
101
109
|
* @param request the request to analyze against
|
|
102
|
-
* @returns an array of SCP analysis results
|
|
110
|
+
* @returns an array of SCP or RCP analysis results
|
|
103
111
|
*/
|
|
104
|
-
export function
|
|
112
|
+
export function analyzeControlPolicies(controlPolicies, request) {
|
|
105
113
|
const analysis = [];
|
|
106
|
-
for (const controlPolicy of
|
|
114
|
+
for (const controlPolicy of controlPolicies) {
|
|
107
115
|
const ouAnalysis = {
|
|
108
116
|
orgIdentifier: controlPolicy.orgIdentifier,
|
|
109
117
|
result: 'ImplicitlyDenied',
|
|
@@ -172,7 +180,7 @@ export function analyzeServiceControlPolicies(serviceControlPolicies, request) {
|
|
|
172
180
|
* @param request the request to analyze against
|
|
173
181
|
* @returns an array of statement analysis results
|
|
174
182
|
*/
|
|
175
|
-
export function analyzeResourcePolicy(resourcePolicy, request) {
|
|
183
|
+
export function analyzeResourcePolicy(resourcePolicy, request, principalHasPermissionBoundary) {
|
|
176
184
|
const resourceAnalysis = {
|
|
177
185
|
result: 'NotApplicable',
|
|
178
186
|
allowStatements: [],
|
|
@@ -190,7 +198,26 @@ export function analyzeResourcePolicy(resourcePolicy, request) {
|
|
|
190
198
|
for (const statement of resourcePolicy.statements()) {
|
|
191
199
|
const { matches: resourceMatch, details: resourceDetails } = requestMatchesStatementResources(request, statement);
|
|
192
200
|
const { matches: actionMatch, details: actionDetails } = requestMatchesStatementActions(request, statement);
|
|
193
|
-
|
|
201
|
+
let { matches: principalMatch, details: principalDetails } = requestMatchesStatementPrincipals(request, statement);
|
|
202
|
+
const permissionBoundaryDetails = {};
|
|
203
|
+
/**
|
|
204
|
+
* "Don't use resource-based policy statements that include a NotPrincipal policy element with a
|
|
205
|
+
* Deny effect for IAM users or roles that have a permissions boundary policy attached.
|
|
206
|
+
* The NotPrincipal element with a Deny effect will always deny any IAM principal that
|
|
207
|
+
* has a permissions boundary policy attached, regardless of the values specified in the
|
|
208
|
+
* NotPrincipal element. This causes some IAM users or roles that would otherwise have access
|
|
209
|
+
* to the resource to lose access. We recommend changing your resource-based policy statements
|
|
210
|
+
* to use the condition operator ArnNotEquals with the aws:PrincipalArn context key to limit
|
|
211
|
+
* access instead of the NotPrincipal element. For information about permissions boundaries, see
|
|
212
|
+
* Permissions boundaries for IAM entities."
|
|
213
|
+
* https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
|
|
214
|
+
*/
|
|
215
|
+
if (principalHasPermissionBoundary &&
|
|
216
|
+
statement.isNotPrincipalStatement() &&
|
|
217
|
+
statement.effect() === 'Deny') {
|
|
218
|
+
principalMatch = 'Match';
|
|
219
|
+
permissionBoundaryDetails.denyBecauseNpInRpAndPb = true;
|
|
220
|
+
}
|
|
194
221
|
const { matches: conditionMatch, details: conditionDetails } = requestMatchesConditions(request, statement.conditions());
|
|
195
222
|
const overallMatch = statementMatches({
|
|
196
223
|
actionMatch,
|
|
@@ -229,7 +256,7 @@ export function analyzeResourcePolicy(resourcePolicy, request) {
|
|
|
229
256
|
resourceAnalysis.result = 'AllowedForAccount';
|
|
230
257
|
}
|
|
231
258
|
else {
|
|
232
|
-
resourceAnalysis.result = '
|
|
259
|
+
resourceAnalysis.result = 'ImplicityDenied';
|
|
233
260
|
}
|
|
234
261
|
return resourceAnalysis;
|
|
235
262
|
}
|
|
@@ -251,4 +278,4 @@ function makeStatementExplain(statement, overallMatch, actionMatch, principalMat
|
|
|
251
278
|
...details
|
|
252
279
|
};
|
|
253
280
|
}
|
|
254
|
-
//# sourceMappingURL=
|
|
281
|
+
//# sourceMappingURL=CoreSimulatorEngine.js.map
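Review bot: `getServiceAuthorizer` picks the engine with `if (serviceEngines[serviceName])` on a plain object literal, so a service name that happens to be an inherited `Object.prototype` property (`constructor`, `toString`, …) is truthy, gets instantiated with `new`, and is returned as if it were a `ServiceAuthorizer`; since `serviceName` comes from the caller-supplied action via `request.request.action.service()`, guard with an own-property check, `if (Object.prototype.hasOwnProperty.call(serviceEngines, serviceName)) {`, or hold the table in a `Map`. The function's fallback return lies outside the hunk. Separately, `analyzeResourcePolicy` now takes `principalHasPermissionBoundary` as a required third positional argument on an exported function; a default of `false` (`export function analyzeResourcePolicy(resourcePolicy, request, principalHasPermissionBoundary = false) {`) would keep existing external callers working while `authorize` still passes the computed value. If a request built for the previous shape can omit `resourceControlPolicies`, the new `analyzeControlPolicies(request.resourceControlPolicies, …)` call will throw from the `for (const controlPolicy of controlPolicies)` loop rather than yield an analysis; worth confirming against the request type, which is not in this hunk.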
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"CoreSimulatorEngine.js","sourceRoot":"","sources":["../../../src/core_engine/CoreSimulatorEngine.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,8BAA8B,EAAE,MAAM,qBAAqB,CAAA;AACpE,OAAO,EAAwB,wBAAwB,EAAE,MAAM,2BAA2B,CAAA;AAW1F,OAAO,EAAwB,iCAAiC,EAAE,MAAM,2BAA2B,CAAA;AAEnG,OAAO,EAAE,gCAAgC,EAAE,MAAM,yBAAyB,CAAA;AAC1E,OAAO,EAAE,wBAAwB,EAAE,MAAM,yCAAyC,CAAA;AAClF,OAAO,EAAE,oBAAoB,EAAE,MAAM,qCAAqC,CAAA;AAE1E,OAAO,EAAE,oBAAoB,EAAE,MAAM,qCAAqC,CAAA;AAC1E,OAAO,EACL,uBAAuB,EACvB,6BAA6B,EAE7B,gBAAgB,EACjB,MAAM,yBAAyB,CAAA;AAsDhC,MAAM,cAAc,GAAgD;IAClE,GAAG,EAAE,oBAAoB;IACzB,GAAG,EAAE,oBAAoB;CAC1B,CAAA;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,SAAS,CAAC,OAA6B;IACrD,MAAM,8BAA8B,GAClC,CAAC,CAAC,OAAO,CAAC,oBAAoB,IAAI,OAAO,CAAC,oBAAoB,CAAC,MAAM,GAAG,CAAC,CAAA;IAC3E,MAAM,gBAAgB,GAAG,uBAAuB,CAAC,OAAO,CAAC,gBAAgB,EAAE,OAAO,CAAC,OAAO,CAAC,CAAA;IAC3F,MAAM,0BAA0B,GAAG,iCAAiC,CAClE,OAAO,CAAC,oBAAoB,EAC5B,OAAO,CAAC,OAAO,CAChB,CAAA;IACD,MAAM,WAAW,GAAG,sBAAsB,CACxC,OAAO,CAAC,sBAAsB,EAC9B,OAAO,CAAC,OAAO,CACD,CAAA;IAChB,MAAM,WAAW,GAAG,sBAAsB,CACxC,OAAO,CAAC,uBAAuB,EAC/B,OAAO,CAAC,OAAO,CACD,CAAA;IAChB,MAAM,gBAAgB,GAAG,qBAAqB,CAC5C,OAAO,CAAC,cAAc,EACtB,OAAO,CAAC,OAAO,EACf,8BAA8B,CAC/B,CAAA;IAED,MAAM,iBAAiB,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAA;IACvD,OAAO,iBAAiB,CAAC,SAAS,CAAC;QACjC,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,gBAAgB;QAChB,WAAW;QACX,WAAW;QACX,gBAAgB;QAChB,0BAA0B;KAC3B,CAAC,CAAA;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAA6B;IAChE,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,WAAW,EAAE,CAAA;IAClE,IAAI,cAAc,CAAC,WAAW,CAAC,EAAE,CAAC;QAChC,OAAO,IAAI,cAAc,CAAC,WAAW,CAAC,EAAE,CAAA;IAC1C,CAAC;IACD,OAAO,IAAI,wBAAwB,EAAE,CAAA;AACvC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,uBAAuB,CACrC,gBAA0B,EAC1B,OAAmB;IAEnB,MAAM,gBAAgB,GAAqB;QACzC,MAAM,EAAE,kBAAkB;QAC1B,eAAe,EAAE,EAAE;QACnB,cAAc,EAAE,EAAE;QAClB,mBAAmB,EAAE,EAAE;KACxB,CAAA;IAED,KAAK,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;QACtC,KAAK,MAAM,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;YAC5C,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,eAAe,EAAE,GAAG,gCAA
gC,CAC3F,OAAO,EACP,SAAS,CACV,CAAA;YACD,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,aAAa,EAAE,GAAG,8BAA8B,CACrF,OAAO,EACP,SAAS,CACV,CAAA;YACD,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,wBAAwB,CACrF,OAAO,EACP,SAAS,CAAC,UAAU,EAAE,CACvB,CAAA;YACD,MAAM,cAAc,GAAyB,OAAO,CAAA;YACpD,MAAM,YAAY,GAAG,gBAAgB,CAAC;gBACpC,WAAW;gBACX,cAAc;gBACd,cAAc;gBACd,aAAa;aACd,CAAC,CAAA;YACF,MAAM,iBAAiB,GAAsB;gBAC3C,SAAS;gBACT,aAAa;gBACb,WAAW;gBACX,cAAc;gBACd,cAAc;gBACd,OAAO,EAAE,oBAAoB,CAC3B,SAAS,EACT,YAAY,EACZ,WAAW,EACX,cAAc,EACd,aAAa,EACb,cAAc,EACd,EAAE,GAAG,eAAe,EAAE,GAAG,aAAa,EAAE,GAAG,gBAAgB,EAAE,CAC9D;aACF,CAAA;YAED,IAAI,6BAA6B,CAAC,iBAAiB,CAAC,EAAE,CAAC;gBACrD,gBAAgB,CAAC,cAAc,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;YACzD,CAAC;iBAAM,IAAI,uBAAuB,CAAC,iBAAiB,CAAC,EAAE,CAAC;gBACtD,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;YAC1D,CAAC;iBAAM,CAAC;gBACN,gBAAgB,CAAC,mBAAmB,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;YAC9D,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,gBAAgB,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/C,gBAAgB,CAAC,MAAM,GAAG,kBAAkB,CAAA;IAC9C,CAAC;SAAM,IAAI,gBAAgB,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvD,gBAAgB,CAAC,MAAM,GAAG,SAAS,CAAA;IACrC,CAAC;IAED,OAAO,gBAAgB,CAAA;AACzB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,sBAAsB,CACpC,eAAkC,EAClC,OAAmB;IAEnB,MAAM,QAAQ,GAAoB,EAAE,CAAA;IACpC,KAAK,MAAM,aAAa,IAAI,eAAe,EAAE,CAAC;QAC5C,MAAM,UAAU,GAAkB;YAChC,aAAa,EAAE,aAAa,CAAC,aAAa;YAC1C,MAAM,EAAE,kBAAkB;YAC1B,eAAe,EAAE,EAAE;YACnB,cAAc,EAAE,EAAE;YAClB,mBAAmB,EAAE,EAAE;SACxB,CAAA;QACD,KAAK,MAAM,MAAM,IAAI,aAAa,CAAC,QAAQ,EAAE,CAAC;YAC5C,KAAK,MAAM,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;gBAC5C,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,eAAe,EAAE,GACxD,gCAAgC,CAAC,OAAO,EAAE,SAAS,CAAC,CAAA;gBACtD,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,aAAa,EAAE,GAAG,8BAA8B,CACrF,OAAO,EACP,SAAS,CACV,CAAA;gBACD,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,wBAAwB,CACrF,OAAO,EACP,SAAS,CAAC,UAAU,EAAE,CACvB,CAAA;gBACD,MAAM,cAAc,GAAyB,OAAO,CAAA;gBACpD,MAAM,YAAY,GAAG,gBAAgB,CAAC;oBACpC,WAAW;oBACX,cAAc;oBACd,cAAc;oBACd,aAAa;iBA
Cd,CAAC,CAAA;gBACF,MAAM,iBAAiB,GAAsB;oBAC3C,SAAS;oBACT,aAAa;oBACb,WAAW;oBACX,cAAc;oBACd,cAAc;oBACd,OAAO,EAAE,oBAAoB,CAC3B,SAAS,EACT,YAAY,EACZ,WAAW,EACX,cAAc,EACd,aAAa,EACb,cAAc,EACd,EAAE,GAAG,eAAe,EAAE,GAAG,aAAa,EAAE,GAAG,gBAAgB,EAAE,CAC9D;iBACF,CAAA;gBAED,IAAI,uBAAuB,CAAC,iBAAiB,CAAC,EAAE,CAAC;oBAC/C,UAAU,CAAC,eAAe,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;gBACpD,CAAC;qBAAM,IAAI,6BAA6B,CAAC,iBAAiB,CAAC,EAAE,CAAC;oBAC5D,UAAU,CAAC,cAAc,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;gBACnD,CAAC;qBAAM,CAAC;oBACN,UAAU,CAAC,mBAAmB,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;gBACxD,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,UAAU,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzC,UAAU,CAAC,MAAM,GAAG,kBAAkB,CAAA;QACxC,CAAC;aAAM,IAAI,UAAU,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACjD,UAAU,CAAC,MAAM,GAAG,SAAS,CAAA;QAC/B,CAAC;QACD,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;IAC3B,CAAC;IAED,IAAI,aAAa,GAAqB,kBAAkB,CAAA;IACxD,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,MAAM,KAAK,kBAAkB,CAAC,EAAE,CAAC;QAC5D,aAAa,GAAG,kBAAkB,CAAA;IACpC,CAAC;SAAM,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,eAAe,CAAC,MAAM,KAAK,CAAC,CAAC,EAAE,CAAC;QAClE,aAAa,GAAG,kBAAkB,CAAA;IACpC,CAAC;SAAM,IAAI,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,MAAM,KAAK,SAAS,CAAC,EAAE,CAAC;QAC3D,aAAa,GAAG,SAAS,CAAA;IAC3B,CAAC;IAED,OAAO;QACL,MAAM,EAAE,aAAa;QACrB,UAAU,EAAE,QAAQ;KACrB,CAAA;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,qBAAqB,CACnC,cAAkC,EAClC,OAAmB,EACnB,8BAAuC;IAEvC,MAAM,gBAAgB,GAAqB;QACzC,MAAM,EAAE,eAAe;QACvB,eAAe,EAAE,EAAE;QACnB,cAAc,EAAE,EAAE;QAClB,mBAAmB,EAAE,EAAE;KACxB,CAAA;IAED,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,OAAO,gBAAgB,CAAA;IACzB,CAAC;IAED,MAAM,qBAAqB,GAA2B;QACpD,OAAO;QACP,kBAAkB;QAClB,kBAAkB;KACnB,CAAA;IAED,KAAK,MAAM,SAAS,IAAI,cAAc,CAAC,UAAU,EAAE,EAAE,CAAC;QACpD,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,eAAe,EAAE,GAAG,gCAAgC,CAC3F,OAAO,EACP,SAAS,CACV,CAAA;QACD,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,aAAa,EAAE,GAAG,8BAA8B,CACrF,OAAO,EACP,SAAS,CACV,CAAA;QACD,IAAI,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,iCAAiC,CAC5
F,OAAO,EACP,SAAS,CACV,CAAA;QAED,MAAM,yBAAyB,GAAqD,EAAE,CAAA;QAEtF;;;;;;;;;;;WAWG;QACH,IACE,8BAA8B;YAC9B,SAAS,CAAC,uBAAuB,EAAE;YACnC,SAAS,CAAC,MAAM,EAAE,KAAK,MAAM,EAC7B,CAAC;YACD,cAAc,GAAG,OAAO,CAAA;YACxB,yBAAyB,CAAC,sBAAsB,GAAG,IAAI,CAAA;QACzD,CAAC;QAED,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,wBAAwB,CACrF,OAAO,EACP,SAAS,CAAC,UAAU,EAAE,CACvB,CAAA;QACD,MAAM,YAAY,GAAG,gBAAgB,CAAC;YACpC,WAAW;YACX,cAAc;YACd,cAAc;YACd,aAAa;SACd,CAAC,CAAA;QACF,MAAM,QAAQ,GAAsB;YAClC,SAAS;YACT,aAAa,EAAE,aAAa;YAC5B,WAAW;YACX,cAAc;YACd,cAAc;YACd,OAAO,EAAE,oBAAoB,CAC3B,SAAS,EACT,YAAY,EACZ,WAAW,EACX,cAAc,EACd,aAAa,EACb,cAAc,EACd,EAAE,GAAG,eAAe,EAAE,GAAG,aAAa,EAAE,GAAG,gBAAgB,EAAE,GAAG,gBAAgB,EAAE,CACnF;SACF,CAAA;QACD,IAAI,6BAA6B,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;YACrF,gBAAgB,CAAC,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QAChD,CAAC;aAAM,IAAI,uBAAuB,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;YACtF,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACjD,CAAC;aAAM,CAAC;YACN,gBAAgB,CAAC,mBAAmB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACrD,CAAC;IACH,CAAC;IAED,IACE,gBAAgB,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,qBAAqB,CAAC,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,EAC7F,CAAC;QACD,gBAAgB,CAAC,MAAM,GAAG,kBAAkB,CAAA;IAC9C,CAAC;SAAM,IACL,gBAAgB,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,mBAAmB,CAAC,EACrF,CAAC;QACD,gBAAgB,CAAC,MAAM,GAAG,kBAAkB,CAAA;IAC9C,CAAC;SAAM,IACL,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,qBAAqB,CAAC,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,EAC9F,CAAC;QACD,gBAAgB,CAAC,MAAM,GAAG,SAAS,CAAA;IACrC,CAAC;SAAM,IACL,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,mBAAmB,CAAC,EACtF,CAAC;QACD,gBAAgB,CAAC,MAAM,GAAG,mBAAmB,CAAA;IAC/C,CAAC;SAAM,CAAC;QACN,gBAAgB,CAAC,MAAM,GAAG,iBAAiB,CAAA;IAC7C,CAAC;IAED,OAAO,gBAAgB,CAAA;AACzB,CAAC;AAED,MAAM,UAAU,iCAAiC,CAC/C,oBAA0C,EAC1C,OAAmB;IAEnB,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAC1B,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,OAAO,uBAAuB,CAAC,oBAAoB,EAAE,OAAO,CAAC,CAAA;AAC/D,CAAC;A
AED,SAAS,oBAAoB,CAC3B,SAAoB,EACpB,YAAqB,EACrB,WAAoB,EACpB,cAAqC,EACrC,aAAsB,EACtB,cAAoC,EACpC,OAAkC;IAElC,OAAO;QACL,MAAM,EAAE,SAAS,CAAC,MAAM,EAAE;QAC1B,UAAU,EAAE,SAAS,CAAC,GAAG,EAAE,IAAI,SAAS,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE;QAC3D,OAAO,EAAE,YAAY;QACrB,WAAW;QACX,cAAc;QACd,aAAa;QACb,cAAc,EAAE,cAAc,KAAK,OAAO;QAC1C,GAAG,OAAO;KACX,CAAA;AACH,CAAC"}
|
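--- a/package/dist/esm/evaluate.d.ts
+++ b/package/dist/esm/evaluate.d.ts
@@ -1,5 +1,5 @@
 import { StatementAnalysis } from './StatementAnalysis.js';
-export type EvaluationResult = 'Allowed' | 'ExplicitlyDenied' | '
+export type EvaluationResult = 'Allowed' | 'ExplicitlyDenied' | 'ImplicitlyDenied';
 export type ResourceEvaluationResult = 'NotApplicable' | 'Allowed' | 'ExplicitlyDenied' | 'AllowedForAccount' | 'DeniedForAccount' | 'ImplicityDenied';
 export interface IdentityAnalysis {
 result: EvaluationResult;
@@ -27,6 +27,20 @@ export interface ScpAnalysis {
 result: EvaluationResult;
 ouAnalysis: OuScpAnalysis[];
 }
+export interface OuRcpAnalysis {
+orgIdentifier: string;
+result: EvaluationResult;
+denyStatements: StatementAnalysis[];
+allowStatements: StatementAnalysis[];
+unmatchedStatements: StatementAnalysis[];
+}
+export interface RcpAnalysis {
+/**
+* OU Result
+*/
+result: EvaluationResult;
+ouAnalysis: OuRcpAnalysis[];
+}
 /**
 * The analysis of a request.
 */
@@ -35,6 +49,9 @@ export interface RequestAnalysis {
 * The result of the evaluation.
 */
 result: EvaluationResult;
+/**
+* Whether the principal and the resource are in the same account.
+*/
 sameAccount: boolean;
 /**
 * The result of the evaluation of the resource policy.
@@ -44,7 +61,17 @@ export interface RequestAnalysis {
 * The result of the evaluation of the resource policy.
 */
 resourceAnalysis?: ResourceAnalysis;
+/**
+* The result of the evaluation of the SCPs
+*/
 scpAnalysis?: ScpAnalysis;
+/**
+* The result of the evaluation of the RCPs
+*/
+rcpAnalysis?: RcpAnalysis;
+/**
+* The result of the evaluation of the permission boundary.
+*/
 permissionBoundaryAnalysis?: IdentityAnalysis | undefined;
 }
 //# sourceMappingURL=evaluate.d.ts.map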
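Review bot: `EvaluationResult` on line 2 spells its third member `'ImplicitlyDenied'` while `ResourceEvaluationResult` on the unchanged next line still exports `'ImplicityDenied'`, which is also the literal the engine assigns (`resourceAnalysis.result = 'ImplicityDenied'` in CoreSimulatorEngine.js); whatever the truncated old line held, a consumer switching on result strings across the two types now has to know two spellings. Correcting the resource literal is a public-API change, so if it is kept, a TSDoc line on `ResourceEvaluationResult` such as `/** Note: 'ImplicityDenied' (sic) is the literal emitted for an implicit deny by a resource policy. */` would spare callers the surprise. Also, `RcpAnalysis.result` is documented only as `* OU Result` although it sits beside `ouAnalysis` on the aggregate rather than on `OuRcpAnalysis`, and `OuRcpAnalysis` repeats a full field list; if `OuScpAnalysis` (outside this hunk) has the same shape, deriving one from the other or from a shared base would keep the two control-policy analyses from drifting.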
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"evaluate.d.ts","sourceRoot":"","sources":["../../src/evaluate.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAE1D,MAAM,MAAM,gBAAgB,
|
|
1
|
+
{"version":3,"file":"evaluate.d.ts","sourceRoot":"","sources":["../../src/evaluate.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAE1D,MAAM,MAAM,gBAAgB,GAAG,SAAS,GAAG,kBAAkB,GAAG,kBAAkB,CAAA;AAClF,MAAM,MAAM,wBAAwB,GAChC,eAAe,GACf,SAAS,GACT,kBAAkB,GAClB,mBAAmB,GACnB,kBAAkB,GAClB,iBAAiB,CAAA;AAErB,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,gBAAgB,CAAA;IACxB,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,wBAAwB,CAAA;IAChC,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,aAAa;IAC5B,aAAa,EAAE,MAAM,CAAA;IACrB,MAAM,EAAE,gBAAgB,CAAA;IACxB,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,WAAW;IAC1B;;OAEG;IACH,MAAM,EAAE,gBAAgB,CAAA;IACxB,UAAU,EAAE,aAAa,EAAE,CAAA;CAC5B;AAED,MAAM,WAAW,aAAa;IAC5B,aAAa,EAAE,MAAM,CAAA;IACrB,MAAM,EAAE,gBAAgB,CAAA;IACxB,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,WAAW;IAC1B;;OAEG;IACH,MAAM,EAAE,gBAAgB,CAAA;IACxB,UAAU,EAAE,aAAa,EAAE,CAAA;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B;;OAEG;IACH,MAAM,EAAE,gBAAgB,CAAA;IAExB;;OAEG;IACH,WAAW,EAAE,OAAO,CAAA;IAEpB;;OAEG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAA;IAEnC;;OAEG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAA;IAEnC;;OAEG;IACH,WAAW,CAAC,EAAE,WAAW,CAAA;IAEzB;;OAEG;IACH,WAAW,CAAC,EAAE,WAAW,CAAA;IAEzB;;OAEG;IACH,0BAA0B,CAAC,EAAE,gBAAgB,GAAG,SAAS,CAAA;CAC1D"}
|
|
@@ -85,5 +85,14 @@ export interface StatementExplain {
|
|
|
85
85
|
principals?: PrincipalExplain | PrincipalExplain[];
|
|
86
86
|
notPrincipals?: PrincipalExplain | PrincipalExplain[];
|
|
87
87
|
conditions?: ConditionExplain[];
|
|
88
|
+
/**
|
|
89
|
+
* The statement was denied because the resource policy has a NotPrincipal in a Deny
|
|
90
|
+
* statement and the principal has a Permission Boundary.
|
|
91
|
+
*
|
|
92
|
+
* This will always resolve to to Deny.
|
|
93
|
+
*
|
|
94
|
+
* https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
|
|
95
|
+
*/
|
|
96
|
+
denyBecauseNpInRpAndPb?: boolean;
|
|
88
97
|
}
|
|
89
98
|
//# sourceMappingURL=statementExplain.d.ts.map
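Review bot: The TSDoc on the new `denyBecauseNpInRpAndPb` field has a doubled word, `* This will always resolve to to Deny.` → `* This will always resolve to Deny.`, and its first sentence describes the outcome rather than what the flag records: CoreSimulatorEngine.js in this release sets it when it forces the statement's principal match to `Match` for a `NotPrincipal` Deny statement because the principal has a permissions boundary. A first line along the lines of `* Set when a Deny statement with NotPrincipal was treated as matching the principal because the principal has a permissions boundary attached.` tells a consumer of the explain output what it means. The name compresses four concepts into abbreviations that only the comment decodes; spelling it out is a public-API change, so if it stays, the comment should at least expand `Np`, `Rp` and `Pb`.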
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"statementExplain.d.ts","sourceRoot":"","sources":["../../../src/explain/statementExplain.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,qBAAqB,GAC7B,OAAO,GACP,SAAS,GACT,mBAAmB,GACnB,kBAAkB,GAClB,kBAAkB,CAAA;AAEtB,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,EAAE,OAAO,CAAA;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAA;IAChB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;IACjB,OAAO,EAAE,OAAO,CAAA;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,qBAAqB,CAAA;IAC9B,iBAAiB,CAAC,EAAE,MAAM,CAAA;IAC1B,iBAAiB,CAAC,EAAE,MAAM,CAAA;IAC1B,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAClB;AAED,MAAM,WAAW,qBAAqB;IACpC,KAAK,EAAE,MAAM,CAAA;IACb,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,OAAO,EAAE,OAAO,CAAA;IAChB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;IACzB,sBAAsB,CAAC,EAAE,MAAM,EAAE,CAAA;IACjC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAClB;AAED,MAAM,WAAW,gBAAgB;IAC/B;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAA;IAEhB;;OAEG;IACH,iBAAiB,EAAE,MAAM,CAAA;IAEzB;;OAEG;IACH,yBAAyB,CAAC,EAAE,MAAM,CAAA;IAClC,MAAM,EAAE,qBAAqB,GAAG,qBAAqB,EAAE,CAAA;IAEvD;;OAEG;IACH,eAAe,CAAC,EAAE,MAAM,EAAE,CAAA;IAE1B;;OAEG;IACH,OAAO,EAAE,OAAO,CAAA;IAEhB;;OAEG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAA;IAE/B;;OAEG;IACH,oBAAoB,CAAC,EAAE,OAAO,CAAA;IAE9B;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAA;IAE5B;;;OAGG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAA;IAC/B;;OAEG;IACH,eAAe,CAAC,EAAE,OAAO,CAAA;CAC1B;AAED,MAAM,WAAW,gBAAgB;IAC/B,WAAW,EAAE,OAAO,CAAA;IACpB,aAAa,EAAE,OAAO,CAAA;IACtB,cAAc,EAAE,qBAAqB,CAAA;IACrC,cAAc,EAAE,OAAO,CAAA;IAEvB,OAAO,EAAE,OAAO,CAAA;IAChB,UAAU,EAAE,MAAM,CAAA;IAClB,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,CAAC,EAAE,aAAa,GAAG,aAAa,EAAE,CAAA;IACzC,UAAU,CAAC,EAAE,aAAa,GAAG,aAAa,EAAE,CAAA;IAC5C,SAAS,CAAC,EAAE,eAAe,GAAG,eAAe,EAAE,CAAA;IAC/C,YAAY,CAAC,EAAE,eAAe,GAAG,eAAe,EAAE,CAAA;IAClD,UAAU,CAAC,EAAE,gBAAgB,GAAG,gBAAgB,EAAE,CAAA;IAClD,aAAa,CAAC,EAAE,gBAAgB,GAAG,gBAAgB,EAAE,CAAA;IACrD,UAAU,CAAC,EAAE,gBAAgB,EAAE,CAAA;
|
|
1
|
+
{"version":3,"file":"statementExplain.d.ts","sourceRoot":"","sources":["../../../src/explain/statementExplain.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,qBAAqB,GAC7B,OAAO,GACP,SAAS,GACT,mBAAmB,GACnB,kBAAkB,GAClB,kBAAkB,CAAA;AAEtB,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,EAAE,OAAO,CAAA;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAA;IAChB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;IACjB,OAAO,EAAE,OAAO,CAAA;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,qBAAqB,CAAA;IAC9B,iBAAiB,CAAC,EAAE,MAAM,CAAA;IAC1B,iBAAiB,CAAC,EAAE,MAAM,CAAA;IAC1B,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAClB;AAED,MAAM,WAAW,qBAAqB;IACpC,KAAK,EAAE,MAAM,CAAA;IACb,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,OAAO,EAAE,OAAO,CAAA;IAChB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;IACzB,sBAAsB,CAAC,EAAE,MAAM,EAAE,CAAA;IACjC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAClB;AAED,MAAM,WAAW,gBAAgB;IAC/B;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAA;IAEhB;;OAEG;IACH,iBAAiB,EAAE,MAAM,CAAA;IAEzB;;OAEG;IACH,yBAAyB,CAAC,EAAE,MAAM,CAAA;IAClC,MAAM,EAAE,qBAAqB,GAAG,qBAAqB,EAAE,CAAA;IAEvD;;OAEG;IACH,eAAe,CAAC,EAAE,MAAM,EAAE,CAAA;IAE1B;;OAEG;IACH,OAAO,EAAE,OAAO,CAAA;IAEhB;;OAEG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAA;IAE/B;;OAEG;IACH,oBAAoB,CAAC,EAAE,OAAO,CAAA;IAE9B;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAA;IAE5B;;;OAGG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAA;IAC/B;;OAEG;IACH,eAAe,CAAC,EAAE,OAAO,CAAA;CAC1B;AAED,MAAM,WAAW,gBAAgB;IAC/B,WAAW,EAAE,OAAO,CAAA;IACpB,aAAa,EAAE,OAAO,CAAA;IACtB,cAAc,EAAE,qBAAqB,CAAA;IACrC,cAAc,EAAE,OAAO,CAAA;IAEvB,OAAO,EAAE,OAAO,CAAA;IAChB,UAAU,EAAE,MAAM,CAAA;IAClB,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,CAAC,EAAE,aAAa,GAAG,aAAa,EAAE,CAAA;IACzC,UAAU,CAAC,EAAE,aAAa,GAAG,aAAa,EAAE,CAAA;IAC5C,SAAS,CAAC,EAAE,eAAe,GAAG,eAAe,EAAE,CAAA;IAC/C,YAAY,CAAC,EAAE,eAAe,GAAG,eAAe,EAAE,CAAA;IAClD,UAAU,CAAC,EAAE,gBAAgB,GAAG,gBAAgB,EAAE,CAAA;IAClD,aAAa,CAAC,EAAE,gBAAgB,GAAG,gBAAgB,EAAE,CAAA;IACrD,UAAU,CAAC,EAAE,gBAAgB,EAAE,CAAA;IAE/B;;;;;;;OAOG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAA;CACjC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"statementExplain.js","sourceRoot":"","sources":["../../../src/explain/statementExplain.ts"],"names":[],"mappings":";
|
|
1
|
+
{"version":3,"file":"statementExplain.js","sourceRoot":"","sources":["../../../src/explain/statementExplain.ts"],"names":[],"mappings":";AAuHA;;;EAGE"}
|
|
@@ -1,9 +1,17 @@
|
|
|
1
|
-
import { RequestAnalysis } from '../evaluate.js';
|
|
1
|
+
import { RequestAnalysis, ResourceAnalysis } from '../evaluate.js';
|
|
2
2
|
import { ServiceAuthorizationRequest, ServiceAuthorizer } from './ServiceAuthorizer.js';
|
|
3
3
|
/**
|
|
4
4
|
* The default authorizer for services.
|
|
5
5
|
*/
|
|
6
6
|
export declare class DefaultServiceAuthorizer implements ServiceAuthorizer {
|
|
7
7
|
authorize(request: ServiceAuthorizationRequest): RequestAnalysis;
|
|
8
|
+
/**
|
|
9
|
+
* Determines if the service trusts the principal's Account's IAM policies
|
|
10
|
+
*
|
|
11
|
+
* @param sameAccount - If the principal and resource are in the same account
|
|
12
|
+
* @param resourceAnalysis - The resource policy analysis
|
|
13
|
+
* @returns true if the service trusts the principal's account IAM policies
|
|
14
|
+
*/
|
|
15
|
+
serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis): boolean;
|
|
8
16
|
}
|
|
9
17
|
//# sourceMappingURL=DefaultServiceAuthorizer.d.ts.map
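Review bot: The TSDoc for the new `serviceTrustsPrincipalAccount` restates its name (`@returns true if the service trusts the principal's account IAM policies`) without saying what "trusts" decides, so a reader of the declaration cannot tell under which combination of `sameAccount` and `resourceAnalysis.result` the default answers true, nor what the KMS and STS authorizers imported in CoreSimulatorEngine.js are expected to change. A sentence stating the rule the default implementation applies, and what an `authorize` result does with a `true` versus `false` answer, would make the hook usable; the body is not in this hunk, so the wording has to come from the implementation. The method is also declared with default (public) visibility on an exported class; if it exists only as an override point for subclasses, `protected serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis): boolean;` keeps it off the public surface.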
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAA;
|
|
1
|
+
{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AAElE,OAAO,EAAE,2BAA2B,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAEvF;;GAEG;AACH,qBAAa,wBAAyB,YAAW,iBAAiB;IACzD,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe;IAuKvE;;;;;;OAMG;IACH,6BAA6B,CAAC,WAAW,EAAE,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,GAAG,OAAO;CASjG"}
|