@cloud-copilot/iam-simulate 0.1.23 → 0.1.24
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -2
- package/dist/cjs/core_engine/CoreSimulatorEngine.d.ts.map +1 -1
- package/dist/cjs/core_engine/CoreSimulatorEngine.js +8 -3
- package/dist/cjs/core_engine/CoreSimulatorEngine.js.map +1 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.d.ts +9 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.d.ts.map +1 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.js +17 -2
- package/dist/cjs/services/DefaultServiceAuthorizer.js.map +1 -1
- package/dist/cjs/services/KmsServiceAuthorizer.d.ts +16 -0
- package/dist/cjs/services/KmsServiceAuthorizer.d.ts.map +1 -0
- package/dist/cjs/services/KmsServiceAuthorizer.js +21 -0
- package/dist/cjs/services/KmsServiceAuthorizer.js.map +1 -0
- package/dist/cjs/services/StsServiceAuthorizer.d.ts +16 -0
- package/dist/cjs/services/StsServiceAuthorizer.d.ts.map +1 -0
- package/dist/cjs/services/StsServiceAuthorizer.js +24 -0
- package/dist/cjs/services/StsServiceAuthorizer.js.map +1 -0
- package/dist/esm/core_engine/CoreSimulatorEngine.d.ts.map +1 -1
- package/dist/esm/core_engine/CoreSimulatorEngine.js +8 -3
- package/dist/esm/core_engine/CoreSimulatorEngine.js.map +1 -1
- package/dist/esm/services/DefaultServiceAuthorizer.d.ts +9 -1
- package/dist/esm/services/DefaultServiceAuthorizer.d.ts.map +1 -1
- package/dist/esm/services/DefaultServiceAuthorizer.js +17 -2
- package/dist/esm/services/DefaultServiceAuthorizer.js.map +1 -1
- package/dist/esm/services/KmsServiceAuthorizer.d.ts +16 -0
- package/dist/esm/services/KmsServiceAuthorizer.d.ts.map +1 -0
- package/dist/esm/services/KmsServiceAuthorizer.js +17 -0
- package/dist/esm/services/KmsServiceAuthorizer.js.map +1 -0
- package/dist/esm/services/StsServiceAuthorizer.d.ts +16 -0
- package/dist/esm/services/StsServiceAuthorizer.d.ts.map +1 -0
- package/dist/esm/services/StsServiceAuthorizer.js +20 -0
- package/dist/esm/services/StsServiceAuthorizer.js.map +1 -0
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -9,9 +9,11 @@ The simulator currently supports these features of AWS IAM
|
|
|
9
9
|
- Identity Policies
|
|
10
10
|
- Resource Policies
|
|
11
11
|
- Service Control Policies
|
|
12
|
+
- Resource Control Policies
|
|
12
13
|
- Permission Boundaries
|
|
13
14
|
- All [AWS Condition Operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html)
|
|
14
15
|
- Same Account and Cross Account Requests
|
|
16
|
+
- Custom trust behavior for IAM Trust Policies and KMS Key Policies
|
|
15
17
|
|
|
16
18
|
### Request Validation
|
|
17
19
|
|
|
@@ -32,8 +34,6 @@ It will also return "explains" for each statement that was evaluated, detailing
|
|
|
32
34
|
|
|
33
35
|
### Features Coming Soon
|
|
34
36
|
|
|
35
|
-
- Resource Control Policies
|
|
36
|
-
- Distinct Behavior for KMS and IAM Resource Policies
|
|
37
37
|
- Session Policies
|
|
38
38
|
- Validation of Global Condition Keys for each action
|
|
39
39
|
- Automatically populating context keys from the request such as `aws:PrincipalServiceName`
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"CoreSimulatorEngine.d.ts","sourceRoot":"","sources":["../../../src/core_engine/CoreSimulatorEngine.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAa,MAAM,2BAA2B,CAAA;AAG7D,OAAO,EAEL,gBAAgB,EAEhB,WAAW,EACX,eAAe,EACf,gBAAgB,EAChB,WAAW,EACZ,MAAM,gBAAgB,CAAA;AAGvB,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAA;
|
|
1
|
+
{"version":3,"file":"CoreSimulatorEngine.d.ts","sourceRoot":"","sources":["../../../src/core_engine/CoreSimulatorEngine.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAa,MAAM,2BAA2B,CAAA;AAG7D,OAAO,EAEL,gBAAgB,EAEhB,WAAW,EACX,eAAe,EACf,gBAAgB,EAChB,WAAW,EACZ,MAAM,gBAAgB,CAAA;AAGvB,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAA;AAIlD,OAAO,EAAE,iBAAiB,EAAE,MAAM,kCAAkC,CAAA;AASpE;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B;;OAEG;IACH,aAAa,EAAE,MAAM,CAAA;IAErB;;OAEG;IACH,QAAQ,EAAE,MAAM,EAAE,CAAA;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC;;OAEG;IACH,OAAO,EAAE,UAAU,CAAA;IAEnB;;OAEG;IACH,gBAAgB,EAAE,MAAM,EAAE,CAAA;IAE1B;;;OAGG;IACH,sBAAsB,EAAE,eAAe,EAAE,CAAA;IAEzC;;;OAGG;IACH,uBAAuB,EAAE,eAAe,EAAE,CAAA;IAE1C;;OAEG;IACH,cAAc,EAAE,MAAM,GAAG,SAAS,CAAA;IAElC;;OAEG;IACH,oBAAoB,EAAE,MAAM,EAAE,GAAG,SAAS,CAAA;CAC3C;AAOD;;;;;;;GAOG;AACH,wBAAgB,SAAS,CAAC,OAAO,EAAE,oBAAoB,GAAG,eAAe,CA+BxE;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,oBAAoB,GAAG,iBAAiB,CAMrF;AAED;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CACrC,gBAAgB,EAAE,MAAM,EAAE,EAC1B,OAAO,EAAE,UAAU,GAClB,gBAAgB,CA+DlB;AAED;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CACpC,eAAe,EAAE,eAAe,EAAE,EAClC,OAAO,EAAE,UAAU,GAClB,WAAW,GAAG,WAAW,CA6E3B;AAED;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CACnC,cAAc,EAAE,MAAM,GAAG,SAAS,EAClC,OAAO,EAAE,UAAU,EACnB,8BAA8B,EAAE,OAAO,GACtC,gBAAgB,CA+GlB;AAED,wBAAgB,iCAAiC,CAC/C,oBAAoB,EAAE,MAAM,EAAE,GAAG,SAAS,EAC1C,OAAO,EAAE,UAAU,GAClB,gBAAgB,GAAG,SAAS,CAM9B"}
|
|
@@ -11,8 +11,13 @@ const condition_js_1 = require("../condition/condition.js");
|
|
|
11
11
|
const principal_js_1 = require("../principal/principal.js");
|
|
12
12
|
const resource_js_1 = require("../resource/resource.js");
|
|
13
13
|
const DefaultServiceAuthorizer_js_1 = require("../services/DefaultServiceAuthorizer.js");
|
|
14
|
+
const KmsServiceAuthorizer_js_1 = require("../services/KmsServiceAuthorizer.js");
|
|
15
|
+
const StsServiceAuthorizer_js_1 = require("../services/StsServiceAuthorizer.js");
|
|
14
16
|
const StatementAnalysis_js_1 = require("../StatementAnalysis.js");
|
|
15
|
-
const serviceEngines = {
|
|
17
|
+
const serviceEngines = {
|
|
18
|
+
kms: KmsServiceAuthorizer_js_1.KmsServiceAuthorizer,
|
|
19
|
+
sts: StsServiceAuthorizer_js_1.StsServiceAuthorizer
|
|
20
|
+
};
|
|
16
21
|
/**
|
|
17
22
|
* Authorizes a request.
|
|
18
23
|
*
|
|
@@ -46,7 +51,7 @@ function authorize(request) {
|
|
|
46
51
|
* @returns the service authorizer for the request
|
|
47
52
|
*/
|
|
48
53
|
function getServiceAuthorizer(request) {
|
|
49
|
-
const serviceName = request.request.action.service();
|
|
54
|
+
const serviceName = request.request.action.service().toLowerCase();
|
|
50
55
|
if (serviceEngines[serviceName]) {
|
|
51
56
|
return new serviceEngines[serviceName]();
|
|
52
57
|
}
|
|
@@ -259,7 +264,7 @@ function analyzeResourcePolicy(resourcePolicy, request, principalHasPermissionBo
|
|
|
259
264
|
resourceAnalysis.result = 'AllowedForAccount';
|
|
260
265
|
}
|
|
261
266
|
else {
|
|
262
|
-
resourceAnalysis.result = '
|
|
267
|
+
resourceAnalysis.result = 'ImplicityDenied';
|
|
263
268
|
}
|
|
264
269
|
return resourceAnalysis;
|
|
265
270
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"CoreSimulatorEngine.js","sourceRoot":"","sources":["../../../src/core_engine/CoreSimulatorEngine.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"CoreSimulatorEngine.js","sourceRoot":"","sources":["../../../src/core_engine/CoreSimulatorEngine.ts"],"names":[],"mappings":";;AA4FA,8BA+BC;AASD,oDAMC;AASD,0DAkEC;AASD,wDAgFC;AASD,sDAmHC;AAED,8EASC;AApbD,mDAAoE;AACpE,4DAA0F;AAW1F,4DAAmG;AAEnG,yDAA0E;AAC1E,yFAAkF;AAClF,iFAA0E;AAE1E,iFAA0E;AAC1E,kEAKgC;AAsDhC,MAAM,cAAc,GAAgD;IAClE,GAAG,EAAE,8CAAoB;IACzB,GAAG,EAAE,8CAAoB;CAC1B,CAAA;AAED;;;;;;;GAOG;AACH,SAAgB,SAAS,CAAC,OAA6B;IACrD,MAAM,8BAA8B,GAClC,CAAC,CAAC,OAAO,CAAC,oBAAoB,IAAI,OAAO,CAAC,oBAAoB,CAAC,MAAM,GAAG,CAAC,CAAA;IAC3E,MAAM,gBAAgB,GAAG,uBAAuB,CAAC,OAAO,CAAC,gBAAgB,EAAE,OAAO,CAAC,OAAO,CAAC,CAAA;IAC3F,MAAM,0BAA0B,GAAG,iCAAiC,CAClE,OAAO,CAAC,oBAAoB,EAC5B,OAAO,CAAC,OAAO,CAChB,CAAA;IACD,MAAM,WAAW,GAAG,sBAAsB,CACxC,OAAO,CAAC,sBAAsB,EAC9B,OAAO,CAAC,OAAO,CACD,CAAA;IAChB,MAAM,WAAW,GAAG,sBAAsB,CACxC,OAAO,CAAC,uBAAuB,EAC/B,OAAO,CAAC,OAAO,CACD,CAAA;IAChB,MAAM,gBAAgB,GAAG,qBAAqB,CAC5C,OAAO,CAAC,cAAc,EACtB,OAAO,CAAC,OAAO,EACf,8BAA8B,CAC/B,CAAA;IAED,MAAM,iBAAiB,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAA;IACvD,OAAO,iBAAiB,CAAC,SAAS,CAAC;QACjC,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,gBAAgB;QAChB,WAAW;QACX,WAAW;QACX,gBAAgB;QAChB,0BAA0B;KAC3B,CAAC,CAAA;AACJ,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,oBAAoB,CAAC,OAA6B;IAChE,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,WAAW,EAAE,CAAA;IAClE,IAAI,cAAc,CAAC,WAAW,CAAC,EAAE,CAAC;QAChC,OAAO,IAAI,cAAc,CAAC,WAAW,CAAC,EAAE,CAAA;IAC1C,CAAC;IACD,OAAO,IAAI,sDAAwB,EAAE,CAAA;AACvC,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,uBAAuB,CACrC,gBAA0B,EAC1B,OAAmB;IAEnB,MAAM,gBAAgB,GAAqB;QACzC,MAAM,EAAE,kBAAkB;QAC1B,eAAe,EAAE,EAAE;QACnB,cAAc,EAAE,EAAE;QAClB,mBAAmB,EAAE,EAAE;KACxB,CAAA;IAED,KAAK,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;QACtC,KAAK,MAAM,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;YAC5C,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,eAAe,EAAE,GAAG,IAAA,8CAAgC,EAC3F,OAAO,EACP,SAAS,CACV,CAAA;YACD,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,aAAa,EAAE,GAAG,IAAA,0CAA8B,EACrF,OAAO,EACP,SAAS,CACV,CAAA;YACD,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,IAAA,uCAAwB,EACrF,OAAO,EACP,SAAS,CAAC,UAAU,EAAE,CACvB,CAAA;YACD,MAAM,cAAc,GAAyB,OAAO,CAAA;YACpD,MAAM,YAAY,GAAG,IAAA,uCAAgB,EAAC;gBACpC,WAAW;gBACX,cAAc;gBACd,cAAc;gBACd,aAAa;aACd,CAAC,CAAA;YACF,MAAM,iBAAiB,GAAsB;gBAC3C,SAAS;gBACT,aAAa;gBACb,WAAW;gBACX,cAAc;gBACd,cAAc;gBACd,OAAO,EAAE,oBAAoB,CAC3B,SAAS,EACT,YAAY,EACZ,WAAW,EACX,cAAc,EACd,aAAa,EACb,cAAc,EACd,EAAE,GAAG,eAAe,EAAE,GAAG,aAAa,EAAE,GAAG,gBAAgB,EAAE,CAC9D;aACF,CAAA;YAED,IAAI,IAAA,oDAA6B,EAAC,iBAAiB,CAAC,EAAE,CAAC;gBACrD,gBAAgB,CAAC,cAAc,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;YACzD,CAAC;iBAAM,IAAI,IAAA,8CAAuB,EAAC,iBAAiB,CAAC,EAAE,CAAC;gBACtD,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;YAC1D,CAAC;iBAAM,CAAC;gBACN,gBAAgB,CAAC,mBAAmB,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;YAC9D,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,gBAAgB,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/C,gBAAgB,CAAC,MAAM,GAAG,kBAAkB,CAAA;IAC9C,CAAC;SAAM,IAAI,gBAAgB,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvD,gBAAgB,CAAC,MAAM,GAAG,SAAS,CAAA;IACrC,CAAC;IAED,OAAO,gBAAgB,CAAA;AACzB,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,sBAAsB,CACpC,eAAkC,EAClC,OAAmB;IAEnB,MAAM,QAAQ,GAAoB,EAAE,CAAA;IACpC,KAAK,MAAM,aAAa,IAAI,eAAe,EAAE,CAAC;QAC5C,MAAM,UAAU,GAAkB;YAChC,aAAa,EAAE,aAAa,CAAC,aAAa;YAC1C,MAAM,EAAE,kBAAkB;YAC1B,eAAe,EAAE,EAAE;YACnB,cAAc,EAAE,EAAE;YAClB,mBAAmB,EAAE,EAAE;SACxB,CAAA;QACD,KAAK,MAAM,MAAM,IAAI,aAAa,CAAC,QAAQ,EAAE,CAAC;YAC5C,KAAK,MAAM,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;gBAC5C,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,eAAe,EAAE,GACxD,IAAA,8CAAgC,EAAC,OAAO,EAAE,SAAS,CAAC,CAAA;gBACtD,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,aAAa,EAAE,GAAG,IAAA,0CAA8B,EACrF,OAAO,EACP,SAAS,CACV,CAAA;gBACD,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,IAAA,uCAAwB,EACrF,OAAO,EACP,SAAS,CAAC,UAAU,EAAE,CACvB,CAAA;gBACD,MAAM,cAAc,GAAyB,OAAO,CAAA;gBACpD,MAAM,YAAY,GAAG,IAAA,uCAAgB,EAAC;oBACpC,WAAW;oBACX,cAAc;oBACd,cAAc;oBACd,aAAa;iBACd,CAAC,CAAA;gBACF,MAAM,iBAAiB,GAAsB;oBAC3C,SAAS;oBACT,aAAa;oBACb,WAAW;oBACX,cAAc;oBACd,cAAc;oBACd,OAAO,EAAE,oBAAoB,CAC3B,SAAS,EACT,YAAY,EACZ,WAAW,EACX,cAAc,EACd,aAAa,EACb,cAAc,EACd,EAAE,GAAG,eAAe,EAAE,GAAG,aAAa,EAAE,GAAG,gBAAgB,EAAE,CAC9D;iBACF,CAAA;gBAED,IAAI,IAAA,8CAAuB,EAAC,iBAAiB,CAAC,EAAE,CAAC;oBAC/C,UAAU,CAAC,eAAe,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;gBACpD,CAAC;qBAAM,IAAI,IAAA,oDAA6B,EAAC,iBAAiB,CAAC,EAAE,CAAC;oBAC5D,UAAU,CAAC,cAAc,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;gBACnD,CAAC;qBAAM,CAAC;oBACN,UAAU,CAAC,mBAAmB,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;gBACxD,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,UAAU,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzC,UAAU,CAAC,MAAM,GAAG,kBAAkB,CAAA;QACxC,CAAC;aAAM,IAAI,UAAU,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACjD,UAAU,CAAC,MAAM,GAAG,SAAS,CAAA;QAC/B,CAAC;QACD,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;IAC3B,CAAC;IAED,IAAI,aAAa,GAAqB,kBAAkB,CAAA;IACxD,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,MAAM,KAAK,kBAAkB,CAAC,EAAE,CAAC;QAC5D,aAAa,GAAG,kBAAkB,CAAA;IACpC,CAAC;SAAM,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,eAAe,CAAC,MAAM,KAAK,CAAC,CAAC,EAAE,CAAC;QAClE,aAAa,GAAG,kBAAkB,CAAA;IACpC,CAAC;SAAM,IAAI,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,MAAM,KAAK,SAAS,CAAC,EAAE,CAAC;QAC3D,aAAa,GAAG,SAAS,CAAA;IAC3B,CAAC;IAED,OAAO;QACL,MAAM,EAAE,aAAa;QACrB,UAAU,EAAE,QAAQ;KACrB,CAAA;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,qBAAqB,CACnC,cAAkC,EAClC,OAAmB,EACnB,8BAAuC;IAEvC,MAAM,gBAAgB,GAAqB;QACzC,MAAM,EAAE,eAAe;QACvB,eAAe,EAAE,EAAE;QACnB,cAAc,EAAE,EAAE;QAClB,mBAAmB,EAAE,EAAE;KACxB,CAAA;IAED,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,OAAO,gBAAgB,CAAA;IACzB,CAAC;IAED,MAAM,qBAAqB,GAA2B;QACpD,OAAO;QACP,kBAAkB;QAClB,kBAAkB;KACnB,CAAA;IAED,KAAK,MAAM,SAAS,IAAI,cAAc,CAAC,UAAU,EAAE,EAAE,CAAC;QACpD,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,eAAe,EAAE,GAAG,IAAA,8CAAgC,EAC3F,OAAO,EACP,SAAS,CACV,CAAA;QACD,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,aAAa,EAAE,GAAG,IAAA,0CAA8B,EACrF,OAAO,EACP,SAAS,CACV,CAAA;QACD,IAAI,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,IAAA,gDAAiC,EAC5F,OAAO,EACP,SAAS,CACV,CAAA;QAED,MAAM,yBAAyB,GAAqD,EAAE,CAAA;QAEtF;;;;;;;;;;;WAWG;QACH,IACE,8BAA8B;YAC9B,SAAS,CAAC,uBAAuB,EAAE;YACnC,SAAS,CAAC,MAAM,EAAE,KAAK,MAAM,EAC7B,CAAC;YACD,cAAc,GAAG,OAAO,CAAA;YACxB,yBAAyB,CAAC,sBAAsB,GAAG,IAAI,CAAA;QACzD,CAAC;QAED,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,IAAA,uCAAwB,EACrF,OAAO,EACP,SAAS,CAAC,UAAU,EAAE,CACvB,CAAA;QACD,MAAM,YAAY,GAAG,IAAA,uCAAgB,EAAC;YACpC,WAAW;YACX,cAAc;YACd,cAAc;YACd,aAAa;SACd,CAAC,CAAA;QACF,MAAM,QAAQ,GAAsB;YAClC,SAAS;YACT,aAAa,EAAE,aAAa;YAC5B,WAAW;YACX,cAAc;YACd,cAAc;YACd,OAAO,EAAE,oBAAoB,CAC3B,SAAS,EACT,YAAY,EACZ,WAAW,EACX,cAAc,EACd,aAAa,EACb,cAAc,EACd,EAAE,GAAG,eAAe,EAAE,GAAG,aAAa,EAAE,GAAG,gBAAgB,EAAE,GAAG,gBAAgB,EAAE,CACnF;SACF,CAAA;QACD,IAAI,IAAA,oDAA6B,EAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;YACrF,gBAAgB,CAAC,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QAChD,CAAC;aAAM,IAAI,IAAA,8CAAuB,EAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;YACtF,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACjD,CAAC;aAAM,CAAC;YACN,gBAAgB,CAAC,mBAAmB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACrD,CAAC;IACH,CAAC;IAED,IACE,gBAAgB,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,qBAAqB,CAAC,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,EAC7F,CAAC;QACD,gBAAgB,CAAC,MAAM,GAAG,kBAAkB,CAAA;IAC9C,CAAC;SAAM,IACL,gBAAgB,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,mBAAmB,CAAC,EACrF,CAAC;QACD,gBAAgB,CAAC,MAAM,GAAG,kBAAkB,CAAA;IAC9C,CAAC;SAAM,IACL,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,qBAAqB,CAAC,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,EAC9F,CAAC;QACD,gBAAgB,CAAC,MAAM,GAAG,SAAS,CAAA;IACrC,CAAC;SAAM,IACL,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,mBAAmB,CAAC,EACtF,CAAC;QACD,gBAAgB,CAAC,MAAM,GAAG,mBAAmB,CAAA;IAC/C,CAAC;SAAM,CAAC;QACN,gBAAgB,CAAC,MAAM,GAAG,iBAAiB,CAAA;IAC7C,CAAC;IAED,OAAO,gBAAgB,CAAA;AACzB,CAAC;AAED,SAAgB,iCAAiC,CAC/C,oBAA0C,EAC1C,OAAmB;IAEnB,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAC1B,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,OAAO,uBAAuB,CAAC,oBAAoB,EAAE,OAAO,CAAC,CAAA;AAC/D,CAAC;AAED,SAAS,oBAAoB,CAC3B,SAAoB,EACpB,YAAqB,EACrB,WAAoB,EACpB,cAAqC,EACrC,aAAsB,EACtB,cAAoC,EACpC,OAAkC;IAElC,OAAO;QACL,MAAM,EAAE,SAAS,CAAC,MAAM,EAAE;QAC1B,UAAU,EAAE,SAAS,CAAC,GAAG,EAAE,IAAI,SAAS,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE;QAC3D,OAAO,EAAE,YAAY;QACrB,WAAW;QACX,cAAc;QACd,aAAa;QACb,cAAc,EAAE,cAAc,KAAK,OAAO;QAC1C,GAAG,OAAO;KACX,CAAA;AACH,CAAC"}
|
|
@@ -1,9 +1,17 @@
|
|
|
1
|
-
import { RequestAnalysis } from '../evaluate.js';
|
|
1
|
+
import { RequestAnalysis, ResourceAnalysis } from '../evaluate.js';
|
|
2
2
|
import { ServiceAuthorizationRequest, ServiceAuthorizer } from './ServiceAuthorizer.js';
|
|
3
3
|
/**
|
|
4
4
|
* The default authorizer for services.
|
|
5
5
|
*/
|
|
6
6
|
export declare class DefaultServiceAuthorizer implements ServiceAuthorizer {
|
|
7
7
|
authorize(request: ServiceAuthorizationRequest): RequestAnalysis;
|
|
8
|
+
/**
|
|
9
|
+
* Determines if the service trusts the principal's Account's IAM policies
|
|
10
|
+
*
|
|
11
|
+
* @param sameAccount - If the principal and resource are in the same account
|
|
12
|
+
* @param resourceAnalysis - The resource policy analysis
|
|
13
|
+
* @returns true if the service trusts the principal's account IAM policies
|
|
14
|
+
*/
|
|
15
|
+
serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis): boolean;
|
|
8
16
|
}
|
|
9
17
|
//# sourceMappingURL=DefaultServiceAuthorizer.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAA;
|
|
1
|
+
{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AAElE,OAAO,EAAE,2BAA2B,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAEvF;;GAEG;AACH,qBAAa,wBAAyB,YAAW,iBAAiB;IACzD,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe;IAuKvE;;;;;;OAMG;IACH,6BAA6B,CAAC,WAAW,EAAE,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,GAAG,OAAO;CASjG"}
|
|
@@ -92,7 +92,9 @@ class DefaultServiceAuthorizer {
|
|
|
92
92
|
|
|
93
93
|
Need to add some tests for this.
|
|
94
94
|
*/
|
|
95
|
-
|
|
95
|
+
const trustedAccount = this.serviceTrustsPrincipalAccount(sameAccount, request.resourceAnalysis);
|
|
96
|
+
if (resourcePolicyResult === 'Allowed' ||
|
|
97
|
+
(trustedAccount && identityStatementResult === 'Allowed')) {
|
|
96
98
|
return {
|
|
97
99
|
result: 'Allowed',
|
|
98
100
|
...baseResult
|
|
@@ -129,12 +131,25 @@ class DefaultServiceAuthorizer {
|
|
|
129
131
|
/**
|
|
130
132
|
* Add checks for:
|
|
131
133
|
* * root user - can override resource policies for most resource types
|
|
134
|
+
* * service linked roles - ignore SCPs and RCPs
|
|
132
135
|
* * session policies
|
|
133
|
-
* * service linked roles
|
|
134
136
|
* * vpc endpoint policies
|
|
135
137
|
* * organization APIs and delegated admin policy
|
|
136
138
|
*/
|
|
137
139
|
}
|
|
140
|
+
/**
|
|
141
|
+
* Determines if the service trusts the principal's Account's IAM policies
|
|
142
|
+
*
|
|
143
|
+
* @param sameAccount - If the principal and resource are in the same account
|
|
144
|
+
* @param resourceAnalysis - The resource policy analysis
|
|
145
|
+
* @returns true if the service trusts the principal's account IAM policies
|
|
146
|
+
*/
|
|
147
|
+
serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis) {
|
|
148
|
+
if (sameAccount) {
|
|
149
|
+
return true;
|
|
150
|
+
}
|
|
151
|
+
return resourceAnalysis.allowStatements.some((statement) => statement.principalMatch === 'AccountLevelMatch');
|
|
152
|
+
}
|
|
138
153
|
}
|
|
139
154
|
exports.DefaultServiceAuthorizer = DefaultServiceAuthorizer;
|
|
140
155
|
//# sourceMappingURL=DefaultServiceAuthorizer.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":";;;AACA,wCAA+E;AAG/E;;GAEG;AACH,MAAa,wBAAwB;IAC5B,SAAS,CAAC,OAAoC;QACnD,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,uBAAuB,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAA;QAC/D,MAAM,oBAAoB,GAAG,OAAO,CAAC,gBAAgB,EAAE,MAAM,CAAA;QAC7D,MAAM,wBAAwB,GAAG,OAAO,CAAC,0BAA0B,EAAE,MAAM,CAAA;QAE3E,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;QAC7D,MAAM,WAAW,GAAG,gBAAgB,KAAK,eAAe,CAAA;QAExD,MAAM,UAAU,GAQZ;YACF,WAAW;YACX,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,0BAA0B,EAAE,OAAO,CAAC,0BAA0B;SAC/D,CAAA;QAED,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IACE,oBAAoB,KAAK,kBAAkB;YAC3C,oBAAoB,KAAK,kBAAkB,EAC3C,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,uBAAuB,KAAK,kBAAkB,EAAE,CAAC;YACnD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACpD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,cAAc;QACd,IAAI,gBAAgB,KAAK,eAAe,EAAE,CAAC;YACzC,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;gBACpD;;;;;;;mBAOG;gBACH,IAAI,oBAAoB,KAAK,SAAS,EAAE,CAAC;oBACvC,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;oBACnD,IACE,IAAA,0BAAgB,EAAC,SAAS,CAAC;wBAC3B,IAAA,sBAAY,EAAC,SAAS,CAAC;wBACvB,IAAA,4BAAkB,EAAC,SAAS,CAAC,EAC7B,CAAC;wBACD,IACE,OAAO,CAAC,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC3C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,OAAO,CACpD,EACD,CAAC;4BACD,OAAO;gCACL,MAAM,EAAE,SAAS;gCACjB,GAAG,UAAU;6BACd,CAAA;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;gBACD,OAAO;oBACL,MAAM,EAAE,kBAAkB;oBAC1B,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YAED;;;;;;;;cAQE;
|
|
1
|
+
{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":";;;AACA,wCAA+E;AAG/E;;GAEG;AACH,MAAa,wBAAwB;IAC5B,SAAS,CAAC,OAAoC;QACnD,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,uBAAuB,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAA;QAC/D,MAAM,oBAAoB,GAAG,OAAO,CAAC,gBAAgB,EAAE,MAAM,CAAA;QAC7D,MAAM,wBAAwB,GAAG,OAAO,CAAC,0BAA0B,EAAE,MAAM,CAAA;QAE3E,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;QAC7D,MAAM,WAAW,GAAG,gBAAgB,KAAK,eAAe,CAAA;QAExD,MAAM,UAAU,GAQZ;YACF,WAAW;YACX,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,0BAA0B,EAAE,OAAO,CAAC,0BAA0B;SAC/D,CAAA;QAED,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IACE,oBAAoB,KAAK,kBAAkB;YAC3C,oBAAoB,KAAK,kBAAkB,EAC3C,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,uBAAuB,KAAK,kBAAkB,EAAE,CAAC;YACnD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACpD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,cAAc;QACd,IAAI,gBAAgB,KAAK,eAAe,EAAE,CAAC;YACzC,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;gBACpD;;;;;;;mBAOG;gBACH,IAAI,oBAAoB,KAAK,SAAS,EAAE,CAAC;oBACvC,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;oBACnD,IACE,IAAA,0BAAgB,EAAC,SAAS,CAAC;wBAC3B,IAAA,sBAAY,EAAC,SAAS,CAAC;wBACvB,IAAA,4BAAkB,EAAC,SAAS,CAAC,EAC7B,CAAC;wBACD,IACE,OAAO,CAAC,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC3C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,OAAO,CACpD,EACD,CAAC;4BACD,OAAO;gCACL,MAAM,EAAE,SAAS;gCACjB,GAAG,UAAU;6BACd,CAAA;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;gBACD,OAAO;oBACL,MAAM,EAAE,kBAAkB;oBAC1B,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YAED;;;;;;;;cAQE;YAEF,MAAM,cAAc,GAAG,IAAI,CAAC,6BAA6B,CACvD,WAAW,EACX,OAAO,CAAC,gBAAgB,CACzB,CAAA;YACD,IACE,oBAAoB,KAAK,SAAS;gBAClC,CAAC,cAAc,IAAI,uBAAuB,KAAK,SAAS,CAAC,EACzD,CAAC;gBACD,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,eAAe;QACf,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACpD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,oBAAoB,KAAK,SAAS,IAAI,oBAAoB,KAAK,mBAAmB,EAAE,CAAC;YACvF,IAAI,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBAC1C,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,OAAO;YACL,MAAM,EAAE,kBAAkB;YAC1B,GAAG,UAAU;SACd,CAAA;QAED;;;;;;;WAOG;IACL,CAAC;IAED;;;;;;OAMG;IACH,6BAA6B,CAAC,WAAoB,EAAE,gBAAkC;QACpF,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,IAAI,CAAA;QACb,CAAC;QAED,OAAO,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC1C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,mBAAmB,CAChE,CAAA;IACH,CAAC;CACF;AAxLD,4DAwLC"}
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
import { ResourceAnalysis } from '../evaluate.js';
|
|
2
|
+
import { DefaultServiceAuthorizer } from './DefaultServiceAuthorizer.js';
|
|
3
|
+
/**
|
|
4
|
+
* The default authorizer for services.
|
|
5
|
+
*/
|
|
6
|
+
export declare class KmsServiceAuthorizer extends DefaultServiceAuthorizer {
|
|
7
|
+
/**
|
|
8
|
+
* Determines if the service trusts the principal's Account's IAM policies
|
|
9
|
+
*
|
|
10
|
+
* @param sameAccount - If the principal and resource are in the same account
|
|
11
|
+
* @param resourceAnalysis - The resource policy analysis
|
|
12
|
+
* @returns true if the service trusts the principal's account IAM policies
|
|
13
|
+
*/
|
|
14
|
+
serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis): boolean;
|
|
15
|
+
}
|
|
16
|
+
//# sourceMappingURL=KmsServiceAuthorizer.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"KmsServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/KmsServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACjD,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAA;AAExE;;GAEG;AACH,qBAAa,oBAAqB,SAAQ,wBAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,CAAC,WAAW,EAAE,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,GAAG,OAAO;CAKjG"}
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.KmsServiceAuthorizer = void 0;
|
|
4
|
+
const DefaultServiceAuthorizer_js_1 = require("./DefaultServiceAuthorizer.js");
|
|
5
|
+
/**
|
|
6
|
+
* The default authorizer for services.
|
|
7
|
+
*/
|
|
8
|
+
class KmsServiceAuthorizer extends DefaultServiceAuthorizer_js_1.DefaultServiceAuthorizer {
|
|
9
|
+
/**
|
|
10
|
+
* Determines if the service trusts the principal's Account's IAM policies
|
|
11
|
+
*
|
|
12
|
+
* @param sameAccount - If the principal and resource are in the same account
|
|
13
|
+
* @param resourceAnalysis - The resource policy analysis
|
|
14
|
+
* @returns true if the service trusts the principal's account IAM policies
|
|
15
|
+
*/
|
|
16
|
+
serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis) {
|
|
17
|
+
return resourceAnalysis.allowStatements.some((statement) => statement.principalMatch === 'AccountLevelMatch');
|
|
18
|
+
}
|
|
19
|
+
}
|
|
20
|
+
exports.KmsServiceAuthorizer = KmsServiceAuthorizer;
|
|
21
|
+
//# sourceMappingURL=KmsServiceAuthorizer.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"KmsServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/KmsServiceAuthorizer.ts"],"names":[],"mappings":";;;AACA,+EAAwE;AAExE;;GAEG;AACH,MAAa,oBAAqB,SAAQ,sDAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,CAAC,WAAoB,EAAE,gBAAkC;QACpF,OAAO,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC1C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,mBAAmB,CAChE,CAAA;IACH,CAAC;CACF;AAbD,oDAaC"}
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
import { ResourceAnalysis } from '../evaluate.js';
|
|
2
|
+
import { DefaultServiceAuthorizer } from './DefaultServiceAuthorizer.js';
|
|
3
|
+
/**
|
|
4
|
+
* The default authorizer for services.
|
|
5
|
+
*/
|
|
6
|
+
export declare class StsServiceAuthorizer extends DefaultServiceAuthorizer {
|
|
7
|
+
/**
|
|
8
|
+
* Determines if the service trusts the principal's Account's IAM policies
|
|
9
|
+
*
|
|
10
|
+
* @param sameAccount - If the principal and resource are in the same account
|
|
11
|
+
* @param resourceAnalysis - The resource policy analysis
|
|
12
|
+
* @returns true if the service trusts the principal's account IAM policies
|
|
13
|
+
*/
|
|
14
|
+
serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis): boolean;
|
|
15
|
+
}
|
|
16
|
+
//# sourceMappingURL=StsServiceAuthorizer.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"StsServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/StsServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACjD,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAA;AAExE;;GAEG;AACH,qBAAa,oBAAqB,SAAQ,wBAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,CAAC,WAAW,EAAE,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,GAAG,OAAO;CAQjG"}
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.StsServiceAuthorizer = void 0;
|
|
4
|
+
const DefaultServiceAuthorizer_js_1 = require("./DefaultServiceAuthorizer.js");
|
|
5
|
+
/**
|
|
6
|
+
* The default authorizer for services.
|
|
7
|
+
*/
|
|
8
|
+
class StsServiceAuthorizer extends DefaultServiceAuthorizer_js_1.DefaultServiceAuthorizer {
|
|
9
|
+
/**
|
|
10
|
+
* Determines if the service trusts the principal's Account's IAM policies
|
|
11
|
+
*
|
|
12
|
+
* @param sameAccount - If the principal and resource are in the same account
|
|
13
|
+
* @param resourceAnalysis - The resource policy analysis
|
|
14
|
+
* @returns true if the service trusts the principal's account IAM policies
|
|
15
|
+
*/
|
|
16
|
+
serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis) {
|
|
17
|
+
if (sameAccount && resourceAnalysis.result === 'NotApplicable') {
|
|
18
|
+
return true;
|
|
19
|
+
}
|
|
20
|
+
return resourceAnalysis.allowStatements.some((statement) => statement.principalMatch === 'AccountLevelMatch');
|
|
21
|
+
}
|
|
22
|
+
}
|
|
23
|
+
exports.StsServiceAuthorizer = StsServiceAuthorizer;
|
|
24
|
+
//# sourceMappingURL=StsServiceAuthorizer.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"StsServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/StsServiceAuthorizer.ts"],"names":[],"mappings":";;;AACA,+EAAwE;AAExE;;GAEG;AACH,MAAa,oBAAqB,SAAQ,sDAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,CAAC,WAAoB,EAAE,gBAAkC;QACpF,IAAI,WAAW,IAAI,gBAAgB,CAAC,MAAM,KAAK,eAAe,EAAE,CAAC;YAC/D,OAAO,IAAI,CAAA;QACb,CAAC;QACD,OAAO,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC1C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,mBAAmB,CAChE,CAAA;IACH,CAAC;CACF;AAhBD,oDAgBC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"CoreSimulatorEngine.d.ts","sourceRoot":"","sources":["../../../src/core_engine/CoreSimulatorEngine.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAa,MAAM,2BAA2B,CAAA;AAG7D,OAAO,EAEL,gBAAgB,EAEhB,WAAW,EACX,eAAe,EACf,gBAAgB,EAChB,WAAW,EACZ,MAAM,gBAAgB,CAAA;AAGvB,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAA;
|
|
1
|
+
{"version":3,"file":"CoreSimulatorEngine.d.ts","sourceRoot":"","sources":["../../../src/core_engine/CoreSimulatorEngine.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAa,MAAM,2BAA2B,CAAA;AAG7D,OAAO,EAEL,gBAAgB,EAEhB,WAAW,EACX,eAAe,EACf,gBAAgB,EAChB,WAAW,EACZ,MAAM,gBAAgB,CAAA;AAGvB,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAA;AAIlD,OAAO,EAAE,iBAAiB,EAAE,MAAM,kCAAkC,CAAA;AASpE;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B;;OAEG;IACH,aAAa,EAAE,MAAM,CAAA;IAErB;;OAEG;IACH,QAAQ,EAAE,MAAM,EAAE,CAAA;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC;;OAEG;IACH,OAAO,EAAE,UAAU,CAAA;IAEnB;;OAEG;IACH,gBAAgB,EAAE,MAAM,EAAE,CAAA;IAE1B;;;OAGG;IACH,sBAAsB,EAAE,eAAe,EAAE,CAAA;IAEzC;;;OAGG;IACH,uBAAuB,EAAE,eAAe,EAAE,CAAA;IAE1C;;OAEG;IACH,cAAc,EAAE,MAAM,GAAG,SAAS,CAAA;IAElC;;OAEG;IACH,oBAAoB,EAAE,MAAM,EAAE,GAAG,SAAS,CAAA;CAC3C;AAOD;;;;;;;GAOG;AACH,wBAAgB,SAAS,CAAC,OAAO,EAAE,oBAAoB,GAAG,eAAe,CA+BxE;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,oBAAoB,GAAG,iBAAiB,CAMrF;AAED;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CACrC,gBAAgB,EAAE,MAAM,EAAE,EAC1B,OAAO,EAAE,UAAU,GAClB,gBAAgB,CA+DlB;AAED;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CACpC,eAAe,EAAE,eAAe,EAAE,EAClC,OAAO,EAAE,UAAU,GAClB,WAAW,GAAG,WAAW,CA6E3B;AAED;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CACnC,cAAc,EAAE,MAAM,GAAG,SAAS,EAClC,OAAO,EAAE,UAAU,EACnB,8BAA8B,EAAE,OAAO,GACtC,gBAAgB,CA+GlB;AAED,wBAAgB,iCAAiC,CAC/C,oBAAoB,EAAE,MAAM,EAAE,GAAG,SAAS,EAC1C,OAAO,EAAE,UAAU,GAClB,gBAAgB,GAAG,SAAS,CAM9B"}
|
|
@@ -3,8 +3,13 @@ import { requestMatchesConditions } from '../condition/condition.js';
|
|
|
3
3
|
import { requestMatchesStatementPrincipals } from '../principal/principal.js';
|
|
4
4
|
import { requestMatchesStatementResources } from '../resource/resource.js';
|
|
5
5
|
import { DefaultServiceAuthorizer } from '../services/DefaultServiceAuthorizer.js';
|
|
6
|
+
import { KmsServiceAuthorizer } from '../services/KmsServiceAuthorizer.js';
|
|
7
|
+
import { StsServiceAuthorizer } from '../services/StsServiceAuthorizer.js';
|
|
6
8
|
import { identityStatementAllows, identityStatementExplicitDeny, statementMatches } from '../StatementAnalysis.js';
|
|
7
|
-
const serviceEngines = {
|
|
9
|
+
const serviceEngines = {
|
|
10
|
+
kms: KmsServiceAuthorizer,
|
|
11
|
+
sts: StsServiceAuthorizer
|
|
12
|
+
};
|
|
8
13
|
/**
|
|
9
14
|
* Authorizes a request.
|
|
10
15
|
*
|
|
@@ -38,7 +43,7 @@ export function authorize(request) {
|
|
|
38
43
|
* @returns the service authorizer for the request
|
|
39
44
|
*/
|
|
40
45
|
export function getServiceAuthorizer(request) {
|
|
41
|
-
const serviceName = request.request.action.service();
|
|
46
|
+
const serviceName = request.request.action.service().toLowerCase();
|
|
42
47
|
if (serviceEngines[serviceName]) {
|
|
43
48
|
return new serviceEngines[serviceName]();
|
|
44
49
|
}
|
|
@@ -251,7 +256,7 @@ export function analyzeResourcePolicy(resourcePolicy, request, principalHasPermi
|
|
|
251
256
|
resourceAnalysis.result = 'AllowedForAccount';
|
|
252
257
|
}
|
|
253
258
|
else {
|
|
254
|
-
resourceAnalysis.result = '
|
|
259
|
+
resourceAnalysis.result = 'ImplicityDenied';
|
|
255
260
|
}
|
|
256
261
|
return resourceAnalysis;
|
|
257
262
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"CoreSimulatorEngine.js","sourceRoot":"","sources":["../../../src/core_engine/CoreSimulatorEngine.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,8BAA8B,EAAE,MAAM,qBAAqB,CAAA;AACpE,OAAO,EAAwB,wBAAwB,EAAE,MAAM,2BAA2B,CAAA;AAW1F,OAAO,EAAwB,iCAAiC,EAAE,MAAM,2BAA2B,CAAA;AAEnG,OAAO,EAAE,gCAAgC,EAAE,MAAM,yBAAyB,CAAA;AAC1E,OAAO,EAAE,wBAAwB,EAAE,MAAM,yCAAyC,CAAA;
|
|
1
|
+
{"version":3,"file":"CoreSimulatorEngine.js","sourceRoot":"","sources":["../../../src/core_engine/CoreSimulatorEngine.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,8BAA8B,EAAE,MAAM,qBAAqB,CAAA;AACpE,OAAO,EAAwB,wBAAwB,EAAE,MAAM,2BAA2B,CAAA;AAW1F,OAAO,EAAwB,iCAAiC,EAAE,MAAM,2BAA2B,CAAA;AAEnG,OAAO,EAAE,gCAAgC,EAAE,MAAM,yBAAyB,CAAA;AAC1E,OAAO,EAAE,wBAAwB,EAAE,MAAM,yCAAyC,CAAA;AAClF,OAAO,EAAE,oBAAoB,EAAE,MAAM,qCAAqC,CAAA;AAE1E,OAAO,EAAE,oBAAoB,EAAE,MAAM,qCAAqC,CAAA;AAC1E,OAAO,EACL,uBAAuB,EACvB,6BAA6B,EAE7B,gBAAgB,EACjB,MAAM,yBAAyB,CAAA;AAsDhC,MAAM,cAAc,GAAgD;IAClE,GAAG,EAAE,oBAAoB;IACzB,GAAG,EAAE,oBAAoB;CAC1B,CAAA;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,SAAS,CAAC,OAA6B;IACrD,MAAM,8BAA8B,GAClC,CAAC,CAAC,OAAO,CAAC,oBAAoB,IAAI,OAAO,CAAC,oBAAoB,CAAC,MAAM,GAAG,CAAC,CAAA;IAC3E,MAAM,gBAAgB,GAAG,uBAAuB,CAAC,OAAO,CAAC,gBAAgB,EAAE,OAAO,CAAC,OAAO,CAAC,CAAA;IAC3F,MAAM,0BAA0B,GAAG,iCAAiC,CAClE,OAAO,CAAC,oBAAoB,EAC5B,OAAO,CAAC,OAAO,CAChB,CAAA;IACD,MAAM,WAAW,GAAG,sBAAsB,CACxC,OAAO,CAAC,sBAAsB,EAC9B,OAAO,CAAC,OAAO,CACD,CAAA;IAChB,MAAM,WAAW,GAAG,sBAAsB,CACxC,OAAO,CAAC,uBAAuB,EAC/B,OAAO,CAAC,OAAO,CACD,CAAA;IAChB,MAAM,gBAAgB,GAAG,qBAAqB,CAC5C,OAAO,CAAC,cAAc,EACtB,OAAO,CAAC,OAAO,EACf,8BAA8B,CAC/B,CAAA;IAED,MAAM,iBAAiB,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAA;IACvD,OAAO,iBAAiB,CAAC,SAAS,CAAC;QACjC,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,gBAAgB;QAChB,WAAW;QACX,WAAW;QACX,gBAAgB;QAChB,0BAA0B;KAC3B,CAAC,CAAA;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAA6B;IAChE,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,WAAW,EAAE,CAAA;IAClE,IAAI,cAAc,CAAC,WAAW,CAAC,EAAE,CAAC;QAChC,OAAO,IAAI,cAAc,CAAC,WAAW,CAAC,EAAE,CAAA;IAC1C,CAAC;IACD,OAAO,IAAI,wBAAwB,EAAE,CAAA;AACvC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,uBAAuB,CACrC,gBAA0B,EAC1B,OAAmB;IAEnB,MAAM,gBAAgB,GAAqB;QACzC,MAAM,EAAE,kBAAkB;QAC1B,eAAe,EAAE,EAAE;QACnB,cAAc,EAAE,EAAE;QAClB,mBAAmB,EAAE,EAAE;KACxB,CAAA;IAED,KAAK,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;QACtC,KAAK,MAAM,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;YAC5C,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,eAAe,EAAE,GAAG,gCAAgC,CAC3F,OAAO,EACP,SAAS,CACV,CAAA;YACD,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,aAAa,EAAE,GAAG,8BAA8B,CACrF,OAAO,EACP,SAAS,CACV,CAAA;YACD,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,wBAAwB,CACrF,OAAO,EACP,SAAS,CAAC,UAAU,EAAE,CACvB,CAAA;YACD,MAAM,cAAc,GAAyB,OAAO,CAAA;YACpD,MAAM,YAAY,GAAG,gBAAgB,CAAC;gBACpC,WAAW;gBACX,cAAc;gBACd,cAAc;gBACd,aAAa;aACd,CAAC,CAAA;YACF,MAAM,iBAAiB,GAAsB;gBAC3C,SAAS;gBACT,aAAa;gBACb,WAAW;gBACX,cAAc;gBACd,cAAc;gBACd,OAAO,EAAE,oBAAoB,CAC3B,SAAS,EACT,YAAY,EACZ,WAAW,EACX,cAAc,EACd,aAAa,EACb,cAAc,EACd,EAAE,GAAG,eAAe,EAAE,GAAG,aAAa,EAAE,GAAG,gBAAgB,EAAE,CAC9D;aACF,CAAA;YAED,IAAI,6BAA6B,CAAC,iBAAiB,CAAC,EAAE,CAAC;gBACrD,gBAAgB,CAAC,cAAc,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;YACzD,CAAC;iBAAM,IAAI,uBAAuB,CAAC,iBAAiB,CAAC,EAAE,CAAC;gBACtD,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;YAC1D,CAAC;iBAAM,CAAC;gBACN,gBAAgB,CAAC,mBAAmB,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;YAC9D,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,gBAAgB,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/C,gBAAgB,CAAC,MAAM,GAAG,kBAAkB,CAAA;IAC9C,CAAC;SAAM,IAAI,gBAAgB,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvD,gBAAgB,CAAC,MAAM,GAAG,SAAS,CAAA;IACrC,CAAC;IAED,OAAO,gBAAgB,CAAA;AACzB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,sBAAsB,CACpC,eAAkC,EAClC,OAAmB;IAEnB,MAAM,QAAQ,GAAoB,EAAE,CAAA;IACpC,KAAK,MAAM,aAAa,IAAI,eAAe,EAAE,CAAC;QAC5C,MAAM,UAAU,GAAkB;YAChC,aAAa,EAAE,aAAa,CAAC,aAAa;YAC1C,MAAM,EAAE,kBAAkB;YAC1B,eAAe,EAAE,EAAE;YACnB,cAAc,EAAE,EAAE;YAClB,mBAAmB,EAAE,EAAE;SACxB,CAAA;QACD,KAAK,MAAM,MAAM,IAAI,aAAa,CAAC,QAAQ,EAAE,CAAC;YAC5C,KAAK,MAAM,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;gBAC5C,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,eAAe,EAAE,GACxD,gCAAgC,CAAC,OAAO,EAAE,SAAS,CAAC,CAAA;gBACtD,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,aAAa,EAAE,GAAG,8BAA8B,CACrF,OAAO,EACP,SAAS,CACV,CAAA;gBACD,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,wBAAwB,CACrF,OAAO,EACP,SAAS,CAAC,UAAU,EAAE,CACvB,CAAA;gBACD,MAAM,cAAc,GAAyB,OAAO,CAAA;gBACpD,MAAM,YAAY,GAAG,gBAAgB,CAAC;oBACpC,WAAW;oBACX,cAAc;oBACd,cAAc;oBACd,aAAa;iBACd,CAAC,CAAA;gBACF,MAAM,iBAAiB,GAAsB;oBAC3C,SAAS;oBACT,aAAa;oBACb,WAAW;oBACX,cAAc;oBACd,cAAc;oBACd,OAAO,EAAE,oBAAoB,CAC3B,SAAS,EACT,YAAY,EACZ,WAAW,EACX,cAAc,EACd,aAAa,EACb,cAAc,EACd,EAAE,GAAG,eAAe,EAAE,GAAG,aAAa,EAAE,GAAG,gBAAgB,EAAE,CAC9D;iBACF,CAAA;gBAED,IAAI,uBAAuB,CAAC,iBAAiB,CAAC,EAAE,CAAC;oBAC/C,UAAU,CAAC,eAAe,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;gBACpD,CAAC;qBAAM,IAAI,6BAA6B,CAAC,iBAAiB,CAAC,EAAE,CAAC;oBAC5D,UAAU,CAAC,cAAc,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;gBACnD,CAAC;qBAAM,CAAC;oBACN,UAAU,CAAC,mBAAmB,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;gBACxD,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,UAAU,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzC,UAAU,CAAC,MAAM,GAAG,kBAAkB,CAAA;QACxC,CAAC;aAAM,IAAI,UAAU,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACjD,UAAU,CAAC,MAAM,GAAG,SAAS,CAAA;QAC/B,CAAC;QACD,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;IAC3B,CAAC;IAED,IAAI,aAAa,GAAqB,kBAAkB,CAAA;IACxD,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,MAAM,KAAK,kBAAkB,CAAC,EAAE,CAAC;QAC5D,aAAa,GAAG,kBAAkB,CAAA;IACpC,CAAC;SAAM,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,eAAe,CAAC,MAAM,KAAK,CAAC,CAAC,EAAE,CAAC;QAClE,aAAa,GAAG,kBAAkB,CAAA;IACpC,CAAC;SAAM,IAAI,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,MAAM,KAAK,SAAS,CAAC,EAAE,CAAC;QAC3D,aAAa,GAAG,SAAS,CAAA;IAC3B,CAAC;IAED,OAAO;QACL,MAAM,EAAE,aAAa;QACrB,UAAU,EAAE,QAAQ;KACrB,CAAA;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,qBAAqB,CACnC,cAAkC,EAClC,OAAmB,EACnB,8BAAuC;IAEvC,MAAM,gBAAgB,GAAqB;QACzC,MAAM,EAAE,eAAe;QACvB,eAAe,EAAE,EAAE;QACnB,cAAc,EAAE,EAAE;QAClB,mBAAmB,EAAE,EAAE;KACxB,CAAA;IAED,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,OAAO,gBAAgB,CAAA;IACzB,CAAC;IAED,MAAM,qBAAqB,GAA2B;QACpD,OAAO;QACP,kBAAkB;QAClB,kBAAkB;KACnB,CAAA;IAED,KAAK,MAAM,SAAS,IAAI,cAAc,CAAC,UAAU,EAAE,EAAE,CAAC;QACpD,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,eAAe,EAAE,GAAG,gCAAgC,CAC3F,OAAO,EACP,SAAS,CACV,CAAA;QACD,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,aAAa,EAAE,GAAG,8BAA8B,CACrF,OAAO,EACP,SAAS,CACV,CAAA;QACD,IAAI,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,iCAAiC,CAC5F,OAAO,EACP,SAAS,CACV,CAAA;QAED,MAAM,yBAAyB,GAAqD,EAAE,CAAA;QAEtF;;;;;;;;;;;WAWG;QACH,IACE,8BAA8B;YAC9B,SAAS,CAAC,uBAAuB,EAAE;YACnC,SAAS,CAAC,MAAM,EAAE,KAAK,MAAM,EAC7B,CAAC;YACD,cAAc,GAAG,OAAO,CAAA;YACxB,yBAAyB,CAAC,sBAAsB,GAAG,IAAI,CAAA;QACzD,CAAC;QAED,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,wBAAwB,CACrF,OAAO,EACP,SAAS,CAAC,UAAU,EAAE,CACvB,CAAA;QACD,MAAM,YAAY,GAAG,gBAAgB,CAAC;YACpC,WAAW;YACX,cAAc;YACd,cAAc;YACd,aAAa;SACd,CAAC,CAAA;QACF,MAAM,QAAQ,GAAsB;YAClC,SAAS;YACT,aAAa,EAAE,aAAa;YAC5B,WAAW;YACX,cAAc;YACd,cAAc;YACd,OAAO,EAAE,oBAAoB,CAC3B,SAAS,EACT,YAAY,EACZ,WAAW,EACX,cAAc,EACd,aAAa,EACb,cAAc,EACd,EAAE,GAAG,eAAe,EAAE,GAAG,aAAa,EAAE,GAAG,gBAAgB,EAAE,GAAG,gBAAgB,EAAE,CACnF;SACF,CAAA;QACD,IAAI,6BAA6B,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;YACrF,gBAAgB,CAAC,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QAChD,CAAC;aAAM,IAAI,uBAAuB,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;YACtF,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACjD,CAAC;aAAM,CAAC;YACN,gBAAgB,CAAC,mBAAmB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACrD,CAAC;IACH,CAAC;IAED,IACE,gBAAgB,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,qBAAqB,CAAC,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,EAC7F,CAAC;QACD,gBAAgB,CAAC,MAAM,GAAG,kBAAkB,CAAA;IAC9C,CAAC;SAAM,IACL,gBAAgB,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,mBAAmB,CAAC,EACrF,CAAC;QACD,gBAAgB,CAAC,MAAM,GAAG,kBAAkB,CAAA;IAC9C,CAAC;SAAM,IACL,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,qBAAqB,CAAC,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,EAC9F,CAAC;QACD,gBAAgB,CAAC,MAAM,GAAG,SAAS,CAAA;IACrC,CAAC;SAAM,IACL,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,mBAAmB,CAAC,EACtF,CAAC;QACD,gBAAgB,CAAC,MAAM,GAAG,mBAAmB,CAAA;IAC/C,CAAC;SAAM,CAAC;QACN,gBAAgB,CAAC,MAAM,GAAG,iBAAiB,CAAA;IAC7C,CAAC;IAED,OAAO,gBAAgB,CAAA;AACzB,CAAC;AAED,MAAM,UAAU,iCAAiC,CAC/C,oBAA0C,EAC1C,OAAmB;IAEnB,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAC1B,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,OAAO,uBAAuB,CAAC,oBAAoB,EAAE,OAAO,CAAC,CAAA;AAC/D,CAAC;AAED,SAAS,oBAAoB,CAC3B,SAAoB,EACpB,YAAqB,EACrB,WAAoB,EACpB,cAAqC,EACrC,aAAsB,EACtB,cAAoC,EACpC,OAAkC;IAElC,OAAO;QACL,MAAM,EAAE,SAAS,CAAC,MAAM,EAAE;QAC1B,UAAU,EAAE,SAAS,CAAC,GAAG,EAAE,IAAI,SAAS,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE;QAC3D,OAAO,EAAE,YAAY;QACrB,WAAW;QACX,cAAc;QACd,aAAa;QACb,cAAc,EAAE,cAAc,KAAK,OAAO;QAC1C,GAAG,OAAO;KACX,CAAA;AACH,CAAC"}
|
|
@@ -1,9 +1,17 @@
|
|
|
1
|
-
import { RequestAnalysis } from '../evaluate.js';
|
|
1
|
+
import { RequestAnalysis, ResourceAnalysis } from '../evaluate.js';
|
|
2
2
|
import { ServiceAuthorizationRequest, ServiceAuthorizer } from './ServiceAuthorizer.js';
|
|
3
3
|
/**
|
|
4
4
|
* The default authorizer for services.
|
|
5
5
|
*/
|
|
6
6
|
export declare class DefaultServiceAuthorizer implements ServiceAuthorizer {
|
|
7
7
|
authorize(request: ServiceAuthorizationRequest): RequestAnalysis;
|
|
8
|
+
/**
|
|
9
|
+
* Determines if the service trusts the principal's Account's IAM policies
|
|
10
|
+
*
|
|
11
|
+
* @param sameAccount - If the principal and resource are in the same account
|
|
12
|
+
* @param resourceAnalysis - The resource policy analysis
|
|
13
|
+
* @returns true if the service trusts the principal's account IAM policies
|
|
14
|
+
*/
|
|
15
|
+
serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis): boolean;
|
|
8
16
|
}
|
|
9
17
|
//# sourceMappingURL=DefaultServiceAuthorizer.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAA;
|
|
1
|
+
{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AAElE,OAAO,EAAE,2BAA2B,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAEvF;;GAEG;AACH,qBAAa,wBAAyB,YAAW,iBAAiB;IACzD,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe;IAuKvE;;;;;;OAMG;IACH,6BAA6B,CAAC,WAAW,EAAE,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,GAAG,OAAO;CASjG"}
|
|
@@ -89,7 +89,9 @@ export class DefaultServiceAuthorizer {
|
|
|
89
89
|
|
|
90
90
|
Need to add some tests for this.
|
|
91
91
|
*/
|
|
92
|
-
|
|
92
|
+
const trustedAccount = this.serviceTrustsPrincipalAccount(sameAccount, request.resourceAnalysis);
|
|
93
|
+
if (resourcePolicyResult === 'Allowed' ||
|
|
94
|
+
(trustedAccount && identityStatementResult === 'Allowed')) {
|
|
93
95
|
return {
|
|
94
96
|
result: 'Allowed',
|
|
95
97
|
...baseResult
|
|
@@ -126,11 +128,24 @@ export class DefaultServiceAuthorizer {
|
|
|
126
128
|
/**
|
|
127
129
|
* Add checks for:
|
|
128
130
|
* * root user - can override resource policies for most resource types
|
|
131
|
+
* * service linked roles - ignore SCPs and RCPs
|
|
129
132
|
* * session policies
|
|
130
|
-
* * service linked roles
|
|
131
133
|
* * vpc endpoint policies
|
|
132
134
|
* * organization APIs and delegated admin policy
|
|
133
135
|
*/
|
|
134
136
|
}
|
|
137
|
+
/**
|
|
138
|
+
* Determines if the service trusts the principal's Account's IAM policies
|
|
139
|
+
*
|
|
140
|
+
* @param sameAccount - If the principal and resource are in the same account
|
|
141
|
+
* @param resourceAnalysis - The resource policy analysis
|
|
142
|
+
* @returns true if the service trusts the principal's account IAM policies
|
|
143
|
+
*/
|
|
144
|
+
serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis) {
|
|
145
|
+
if (sameAccount) {
|
|
146
|
+
return true;
|
|
147
|
+
}
|
|
148
|
+
return resourceAnalysis.allowStatements.some((statement) => statement.principalMatch === 'AccountLevelMatch');
|
|
149
|
+
}
|
|
135
150
|
}
|
|
136
151
|
//# sourceMappingURL=DefaultServiceAuthorizer.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,YAAY,EAAE,MAAM,YAAY,CAAA;AAG/E;;GAEG;AACH,MAAM,OAAO,wBAAwB;IAC5B,SAAS,CAAC,OAAoC;QACnD,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,uBAAuB,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAA;QAC/D,MAAM,oBAAoB,GAAG,OAAO,CAAC,gBAAgB,EAAE,MAAM,CAAA;QAC7D,MAAM,wBAAwB,GAAG,OAAO,CAAC,0BAA0B,EAAE,MAAM,CAAA;QAE3E,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;QAC7D,MAAM,WAAW,GAAG,gBAAgB,KAAK,eAAe,CAAA;QAExD,MAAM,UAAU,GAQZ;YACF,WAAW;YACX,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,0BAA0B,EAAE,OAAO,CAAC,0BAA0B;SAC/D,CAAA;QAED,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IACE,oBAAoB,KAAK,kBAAkB;YAC3C,oBAAoB,KAAK,kBAAkB,EAC3C,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,uBAAuB,KAAK,kBAAkB,EAAE,CAAC;YACnD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACpD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,cAAc;QACd,IAAI,gBAAgB,KAAK,eAAe,EAAE,CAAC;YACzC,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;gBACpD;;;;;;;mBAOG;gBACH,IAAI,oBAAoB,KAAK,SAAS,EAAE,CAAC;oBACvC,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;oBACnD,IACE,gBAAgB,CAAC,SAAS,CAAC;wBAC3B,YAAY,CAAC,SAAS,CAAC;wBACvB,kBAAkB,CAAC,SAAS,CAAC,EAC7B,CAAC;wBACD,IACE,OAAO,CAAC,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC3C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,OAAO,CACpD,EACD,CAAC;4BACD,OAAO;gCACL,MAAM,EAAE,SAAS;gCACjB,GAAG,UAAU;6BACd,CAAA;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;gBACD,OAAO;oBACL,MAAM,EAAE,kBAAkB;oBAC1B,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YAED;;;;;;;;cAQE;
|
|
1
|
+
{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,YAAY,EAAE,MAAM,YAAY,CAAA;AAG/E;;GAEG;AACH,MAAM,OAAO,wBAAwB;IAC5B,SAAS,CAAC,OAAoC;QACnD,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,uBAAuB,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAA;QAC/D,MAAM,oBAAoB,GAAG,OAAO,CAAC,gBAAgB,EAAE,MAAM,CAAA;QAC7D,MAAM,wBAAwB,GAAG,OAAO,CAAC,0BAA0B,EAAE,MAAM,CAAA;QAE3E,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;QAC7D,MAAM,WAAW,GAAG,gBAAgB,KAAK,eAAe,CAAA;QAExD,MAAM,UAAU,GAQZ;YACF,WAAW;YACX,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,0BAA0B,EAAE,OAAO,CAAC,0BAA0B;SAC/D,CAAA;QAED,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IACE,oBAAoB,KAAK,kBAAkB;YAC3C,oBAAoB,KAAK,kBAAkB,EAC3C,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,uBAAuB,KAAK,kBAAkB,EAAE,CAAC;YACnD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACpD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,cAAc;QACd,IAAI,gBAAgB,KAAK,eAAe,EAAE,CAAC;YACzC,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;gBACpD;;;;;;;mBAOG;gBACH,IAAI,oBAAoB,KAAK,SAAS,EAAE,CAAC;oBACvC,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;oBACnD,IACE,gBAAgB,CAAC,SAAS,CAAC;wBAC3B,YAAY,CAAC,SAAS,CAAC;wBACvB,kBAAkB,CAAC,SAAS,CAAC,EAC7B,CAAC;wBACD,IACE,OAAO,CAAC,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC3C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,OAAO,CACpD,EACD,CAAC;4BACD,OAAO;gCACL,MAAM,EAAE,SAAS;gCACjB,GAAG,UAAU;6BACd,CAAA;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;gBACD,OAAO;oBACL,MAAM,EAAE,kBAAkB;oBAC1B,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YAED;;;;;;;;cAQE;YAEF,MAAM,cAAc,GAAG,IAAI,CAAC,6BAA6B,CACvD,WAAW,EACX,OAAO,CAAC,gBAAgB,CACzB,CAAA;YACD,IACE,oBAAoB,KAAK,SAAS;gBAClC,CAAC,cAAc,IAAI,uBAAuB,KAAK,SAAS,CAAC,EACzD,CAAC;gBACD,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,eAAe;QACf,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACpD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,oBAAoB,KAAK,SAAS,IAAI,oBAAoB,KAAK,mBAAmB,EAAE,CAAC;YACvF,IAAI,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBAC1C,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,OAAO;YACL,MAAM,EAAE,kBAAkB;YAC1B,GAAG,UAAU;SACd,CAAA;QAED;;;;;;;WAOG;IACL,CAAC;IAED;;;;;;OAMG;IACH,6BAA6B,CAAC,WAAoB,EAAE,gBAAkC;QACpF,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,IAAI,CAAA;QACb,CAAC;QAED,OAAO,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC1C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,mBAAmB,CAChE,CAAA;IACH,CAAC;CACF"}
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
import { ResourceAnalysis } from '../evaluate.js';
|
|
2
|
+
import { DefaultServiceAuthorizer } from './DefaultServiceAuthorizer.js';
|
|
3
|
+
/**
|
|
4
|
+
* The default authorizer for services.
|
|
5
|
+
*/
|
|
6
|
+
export declare class KmsServiceAuthorizer extends DefaultServiceAuthorizer {
|
|
7
|
+
/**
|
|
8
|
+
* Determines if the service trusts the principal's Account's IAM policies
|
|
9
|
+
*
|
|
10
|
+
* @param sameAccount - If the principal and resource are in the same account
|
|
11
|
+
* @param resourceAnalysis - The resource policy analysis
|
|
12
|
+
* @returns true if the service trusts the principal's account IAM policies
|
|
13
|
+
*/
|
|
14
|
+
serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis): boolean;
|
|
15
|
+
}
|
|
16
|
+
//# sourceMappingURL=KmsServiceAuthorizer.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"KmsServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/KmsServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACjD,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAA;AAExE;;GAEG;AACH,qBAAa,oBAAqB,SAAQ,wBAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,CAAC,WAAW,EAAE,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,GAAG,OAAO;CAKjG"}
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
import { DefaultServiceAuthorizer } from './DefaultServiceAuthorizer.js';
|
|
2
|
+
/**
|
|
3
|
+
* The default authorizer for services.
|
|
4
|
+
*/
|
|
5
|
+
export class KmsServiceAuthorizer extends DefaultServiceAuthorizer {
|
|
6
|
+
/**
|
|
7
|
+
* Determines if the service trusts the principal's Account's IAM policies
|
|
8
|
+
*
|
|
9
|
+
* @param sameAccount - If the principal and resource are in the same account
|
|
10
|
+
* @param resourceAnalysis - The resource policy analysis
|
|
11
|
+
* @returns true if the service trusts the principal's account IAM policies
|
|
12
|
+
*/
|
|
13
|
+
serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis) {
|
|
14
|
+
return resourceAnalysis.allowStatements.some((statement) => statement.principalMatch === 'AccountLevelMatch');
|
|
15
|
+
}
|
|
16
|
+
}
|
|
17
|
+
//# sourceMappingURL=KmsServiceAuthorizer.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"KmsServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/KmsServiceAuthorizer.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAA;AAExE;;GAEG;AACH,MAAM,OAAO,oBAAqB,SAAQ,wBAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,CAAC,WAAoB,EAAE,gBAAkC;QACpF,OAAO,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC1C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,mBAAmB,CAChE,CAAA;IACH,CAAC;CACF"}
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
import { ResourceAnalysis } from '../evaluate.js';
|
|
2
|
+
import { DefaultServiceAuthorizer } from './DefaultServiceAuthorizer.js';
|
|
3
|
+
/**
|
|
4
|
+
* The default authorizer for services.
|
|
5
|
+
*/
|
|
6
|
+
export declare class StsServiceAuthorizer extends DefaultServiceAuthorizer {
|
|
7
|
+
/**
|
|
8
|
+
* Determines if the service trusts the principal's Account's IAM policies
|
|
9
|
+
*
|
|
10
|
+
* @param sameAccount - If the principal and resource are in the same account
|
|
11
|
+
* @param resourceAnalysis - The resource policy analysis
|
|
12
|
+
* @returns true if the service trusts the principal's account IAM policies
|
|
13
|
+
*/
|
|
14
|
+
serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis): boolean;
|
|
15
|
+
}
|
|
16
|
+
//# sourceMappingURL=StsServiceAuthorizer.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"StsServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/StsServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACjD,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAA;AAExE;;GAEG;AACH,qBAAa,oBAAqB,SAAQ,wBAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,CAAC,WAAW,EAAE,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,GAAG,OAAO;CAQjG"}
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
import { DefaultServiceAuthorizer } from './DefaultServiceAuthorizer.js';
|
|
2
|
+
/**
|
|
3
|
+
* The default authorizer for services.
|
|
4
|
+
*/
|
|
5
|
+
export class StsServiceAuthorizer extends DefaultServiceAuthorizer {
|
|
6
|
+
/**
|
|
7
|
+
* Determines if the service trusts the principal's Account's IAM policies
|
|
8
|
+
*
|
|
9
|
+
* @param sameAccount - If the principal and resource are in the same account
|
|
10
|
+
* @param resourceAnalysis - The resource policy analysis
|
|
11
|
+
* @returns true if the service trusts the principal's account IAM policies
|
|
12
|
+
*/
|
|
13
|
+
serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis) {
|
|
14
|
+
if (sameAccount && resourceAnalysis.result === 'NotApplicable') {
|
|
15
|
+
return true;
|
|
16
|
+
}
|
|
17
|
+
return resourceAnalysis.allowStatements.some((statement) => statement.principalMatch === 'AccountLevelMatch');
|
|
18
|
+
}
|
|
19
|
+
}
|
|
20
|
+
//# sourceMappingURL=StsServiceAuthorizer.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"StsServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/StsServiceAuthorizer.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAA;AAExE;;GAEG;AACH,MAAM,OAAO,oBAAqB,SAAQ,wBAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,CAAC,WAAoB,EAAE,gBAAkC;QACpF,IAAI,WAAW,IAAI,gBAAgB,CAAC,MAAM,KAAK,eAAe,EAAE,CAAC;YAC/D,OAAO,IAAI,CAAA;QACb,CAAC;QACD,OAAO,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC1C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,mBAAmB,CAChE,CAAA;IACH,CAAC;CACF"}
|