@cloud-copilot/iam-simulate 0.1.24 → 0.1.25
- package/dist/cjs/services/DefaultServiceAuthorizer.d.ts +2 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.d.ts.map +1 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.js +2 -2
- package/dist/cjs/services/DefaultServiceAuthorizer.js.map +1 -1
- package/dist/cjs/services/KmsServiceAuthorizer.d.ts +2 -1
- package/dist/cjs/services/KmsServiceAuthorizer.d.ts.map +1 -1
- package/dist/cjs/services/KmsServiceAuthorizer.js +4 -1
- package/dist/cjs/services/KmsServiceAuthorizer.js.map +1 -1
- package/dist/cjs/services/StsServiceAuthorizer.d.ts +2 -1
- package/dist/cjs/services/StsServiceAuthorizer.d.ts.map +1 -1
- package/dist/cjs/services/StsServiceAuthorizer.js +1 -1
- package/dist/cjs/services/StsServiceAuthorizer.js.map +1 -1
- package/dist/esm/services/DefaultServiceAuthorizer.d.ts +2 -1
- package/dist/esm/services/DefaultServiceAuthorizer.d.ts.map +1 -1
- package/dist/esm/services/DefaultServiceAuthorizer.js +2 -2
- package/dist/esm/services/DefaultServiceAuthorizer.js.map +1 -1
- package/dist/esm/services/KmsServiceAuthorizer.d.ts +2 -1
- package/dist/esm/services/KmsServiceAuthorizer.d.ts.map +1 -1
- package/dist/esm/services/KmsServiceAuthorizer.js +4 -1
- package/dist/esm/services/KmsServiceAuthorizer.js.map +1 -1
- package/dist/esm/services/StsServiceAuthorizer.d.ts +2 -1
- package/dist/esm/services/StsServiceAuthorizer.d.ts.map +1 -1
- package/dist/esm/services/StsServiceAuthorizer.js +1 -1
- package/dist/esm/services/StsServiceAuthorizer.js.map +1 -1
- package/package.json +1 -1
|
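--- a/package/dist/cjs/services/DefaultServiceAuthorizer.d.ts
+++ b/package/dist/cjs/services/DefaultServiceAuthorizer.d.ts
@@ -1,4 +1,5 @@
 import { RequestAnalysis, ResourceAnalysis } from '../evaluate.js';
+import { RequestResource } from '../request/requestResource.js';
 import { ServiceAuthorizationRequest, ServiceAuthorizer } from './ServiceAuthorizer.js';
 /**
  * The default authorizer for services.
@@ -12,6 +13,6 @@ export declare class DefaultServiceAuthorizer implements ServiceAuthorizer {
  * @param resourceAnalysis - The resource policy analysis
  * @returns true if the service trusts the principal's account IAM policies
  */
-serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis): boolean;
+serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis, resource: RequestResource): boolean;
 }
 //# sourceMappingURL=DefaultServiceAuthorizer.d.ts.map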
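Review bot: The public declaration of `serviceTrustsPrincipalAccount` gains a required third parameter `resource: RequestResource`, but the JSDoc block in the second hunk still documents only `resourceAnalysis` and the return value; add `* @param resource - The resource the request targets` next to the existing entries so the declared contract matches the signature. Because the new parameter is required rather than optional, any external caller of the two-argument form stops type-checking, which is an API change shipped as a patch bump (0.1.24 → 0.1.25) and worth a release note; subclasses that override with the old two-parameter signature still compile, since TypeScript accepts overrides with fewer parameters. The declared method carries no access modifier, so it is part of the package's public surface.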
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;
|
|
1
|
+
{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AAClE,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAA;AAE/D,OAAO,EAAE,2BAA2B,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAEvF;;GAEG;AACH,qBAAa,wBAAyB,YAAW,iBAAiB;IACzD,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe;IAwKvE;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAW,EAAE,OAAO,EACpB,gBAAgB,EAAE,gBAAgB,EAClC,QAAQ,EAAE,eAAe,GACxB,OAAO;CASX"}
|
|
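--- a/package/dist/cjs/services/DefaultServiceAuthorizer.js
+++ b/package/dist/cjs/services/DefaultServiceAuthorizer.js
@@ -92,7 +92,7 @@ class DefaultServiceAuthorizer {
 
 Need to add some tests for this.
 */
-const trustedAccount = this.serviceTrustsPrincipalAccount(sameAccount, request.resourceAnalysis);
+const trustedAccount = this.serviceTrustsPrincipalAccount(sameAccount, request.resourceAnalysis, request.request.resource);
 if (resourcePolicyResult === 'Allowed' ||
 (trustedAccount && identityStatementResult === 'Allowed')) {
 return {
@@ -144,7 +144,7 @@ class DefaultServiceAuthorizer {
 * @param resourceAnalysis - The resource policy analysis
 * @returns true if the service trusts the principal's account IAM policies
 */
-serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis) {
+serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis, resource) {
 if (sameAccount) {
 return true;
 }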
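Review bot: The JSDoc above the rewritten `serviceTrustsPrincipalAccount` signature in the second hunk still lists only `@param resourceAnalysis` and `@returns`; the new `resource` parameter is undocumented, and the visible lines of this base implementation never read it (only `sameAccount` is tested), so its role as a hook for the service-specific subclasses should be stated, e.g. `* @param resource - The resource of the request; ignored here, consulted by service-specific overrides`. In the first hunk the third argument is threaded through a call that still sits under the comment `Need to add some tests for this.`, and the new per-service trust decision is exactly the branch those tests should pin down, since `trustedAccount` alone can turn an identity-policy Allow into a final Allow. Both hunks are excerpts: the authorize method and the `serviceTrustsPrincipalAccount` body continue outside them.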
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":";;;
|
|
1
|
+
{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":";;;AAEA,wCAA+E;AAG/E;;GAEG;AACH,MAAa,wBAAwB;IAC5B,SAAS,CAAC,OAAoC;QACnD,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,uBAAuB,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAA;QAC/D,MAAM,oBAAoB,GAAG,OAAO,CAAC,gBAAgB,EAAE,MAAM,CAAA;QAC7D,MAAM,wBAAwB,GAAG,OAAO,CAAC,0BAA0B,EAAE,MAAM,CAAA;QAE3E,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;QAC7D,MAAM,WAAW,GAAG,gBAAgB,KAAK,eAAe,CAAA;QAExD,MAAM,UAAU,GAQZ;YACF,WAAW;YACX,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,0BAA0B,EAAE,OAAO,CAAC,0BAA0B;SAC/D,CAAA;QAED,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IACE,oBAAoB,KAAK,kBAAkB;YAC3C,oBAAoB,KAAK,kBAAkB,EAC3C,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,uBAAuB,KAAK,kBAAkB,EAAE,CAAC;YACnD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACpD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,cAAc;QACd,IAAI,gBAAgB,KAAK,eAAe,EAAE,CAAC;YACzC,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;gBACpD;;;;;;;mBAOG;gBACH,IAAI,oBAAoB,KAAK,SAAS,EAAE,CAAC;oBACvC,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;oBACnD,IACE,IAAA,0BAAgB,EAAC,SAAS,CAAC;wBAC3B,IAAA,sBAAY,EAAC,SAAS,CAAC;wBACvB,IAAA,4BAAkB,EAAC,SAAS,CAAC,EAC7B,CAAC;wBACD,IACE,OAAO,CAAC,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC3C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,OAAO,CACpD,EACD,CAAC;4BACD,OAAO;gCACL,MAAM,EAAE,SAAS;gCACjB,GAAG,UAAU;6BACd,CAAA;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;gBACD,OAAO;oBACL,MAAM,EAA
E,kBAAkB;oBAC1B,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YAED;;;;;;;;cAQE;YAEF,MAAM,cAAc,GAAG,IAAI,CAAC,6BAA6B,CACvD,WAAW,EACX,OAAO,CAAC,gBAAgB,EACxB,OAAO,CAAC,OAAO,CAAC,QAAQ,CACzB,CAAA;YACD,IACE,oBAAoB,KAAK,SAAS;gBAClC,CAAC,cAAc,IAAI,uBAAuB,KAAK,SAAS,CAAC,EACzD,CAAC;gBACD,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,eAAe;QACf,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACpD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,oBAAoB,KAAK,SAAS,IAAI,oBAAoB,KAAK,mBAAmB,EAAE,CAAC;YACvF,IAAI,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBAC1C,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,OAAO;YACL,MAAM,EAAE,kBAAkB;YAC1B,GAAG,UAAU;SACd,CAAA;QAED;;;;;;;WAOG;IACL,CAAC;IAED;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAoB,EACpB,gBAAkC,EAClC,QAAyB;QAEzB,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,IAAI,CAAA;QACb,CAAC;QAED,OAAO,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC1C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,mBAAmB,CAChE,CAAA;IACH,CAAC;CACF;AA7LD,4DA6LC"}
|
|
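--- a/package/dist/cjs/services/KmsServiceAuthorizer.d.ts
+++ b/package/dist/cjs/services/KmsServiceAuthorizer.d.ts
@@ -1,4 +1,5 @@
 import { ResourceAnalysis } from '../evaluate.js';
+import { RequestResource } from '../request/requestResource.js';
 import { DefaultServiceAuthorizer } from './DefaultServiceAuthorizer.js';
 /**
  * The default authorizer for services.
@@ -11,6 +12,6 @@ export declare class KmsServiceAuthorizer extends DefaultServiceAuthorizer {
  * @param resourceAnalysis - The resource policy analysis
  * @returns true if the service trusts the principal's account IAM policies
  */
-serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis): boolean;
+serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis, resource: RequestResource): boolean;
 }
 //# sourceMappingURL=KmsServiceAuthorizer.d.ts.map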
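Review bot: The KMS override's declaration adds `resource: RequestResource` without extending the JSDoc in the second hunk, which still describes only `resourceAnalysis`; for this subclass the parameter actually drives the decision, so the entry should say what value matters: `* @param resource - The resource of the request; a '*' resource in the same account means no key policy applies`. The class-level comment in the first hunk still reads `The default authorizer for services.`, which is copied from the base class and should name KMS.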
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"KmsServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/KmsServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACjD,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAA;AAExE;;GAEG;AACH,qBAAa,oBAAqB,SAAQ,wBAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,
|
|
1
|
+
{"version":3,"file":"KmsServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/KmsServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAA;AAC/D,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAA;AAExE;;GAEG;AACH,qBAAa,oBAAqB,SAAQ,wBAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAW,EAAE,OAAO,EACpB,gBAAgB,EAAE,gBAAgB,EAClC,QAAQ,EAAE,eAAe,GACxB,OAAO;CAQX"}
|
|
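--- a/package/dist/cjs/services/KmsServiceAuthorizer.js
+++ b/package/dist/cjs/services/KmsServiceAuthorizer.js
@@ -13,7 +13,10 @@ class KmsServiceAuthorizer extends DefaultServiceAuthorizer_js_1.DefaultServiceA
 * @param resourceAnalysis - The resource policy analysis
 * @returns true if the service trusts the principal's account IAM policies
 */
-serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis) {
+serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis, resource) {
+if (sameAccount && resource.value() == '*') {
+return true;
+}
 return resourceAnalysis.allowStatements.some((statement) => statement.principalMatch === 'AccountLevelMatch');
 }
 }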
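Review bot: The new guard `if (sameAccount && resource.value() == '*')` decides that no key policy applies from the resource string the simulated request carries rather than from the action, so if `RequestResource.value()` returns the caller-supplied resource (not visible here) a same-account, key-scoped action simulated against `*` skips the `AccountLevelMatch` requirement on the next line and is granted by identity policy alone, which over-approximates Allow. If the intent is the KMS operations that have no key resource, derive the condition from the action's resource type, or at minimum record the assumption: `// Same-account request with no key resource ('*'): no key policy applies, so IAM policies decide.` Use `===` to match the strict comparison on the following line, and if `request.request.resource` can ever be absent, `resource.value()` throws before the comparison is reached. The JSDoc above the signature still omits `@param resource`.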
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"KmsServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/KmsServiceAuthorizer.ts"],"names":[],"mappings":";;;
|
|
1
|
+
{"version":3,"file":"KmsServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/KmsServiceAuthorizer.ts"],"names":[],"mappings":";;;AAEA,+EAAwE;AAExE;;GAEG;AACH,MAAa,oBAAqB,SAAQ,sDAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAoB,EACpB,gBAAkC,EAClC,QAAyB;QAEzB,IAAI,WAAW,IAAI,QAAQ,CAAC,KAAK,EAAE,IAAI,GAAG,EAAE,CAAC;YAC3C,OAAO,IAAI,CAAA;QACb,CAAC;QACD,OAAO,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC1C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,mBAAmB,CAChE,CAAA;IACH,CAAC;CACF;AApBD,oDAoBC"}
|
|
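--- a/package/dist/cjs/services/StsServiceAuthorizer.d.ts
+++ b/package/dist/cjs/services/StsServiceAuthorizer.d.ts
@@ -1,4 +1,5 @@
 import { ResourceAnalysis } from '../evaluate.js';
+import { RequestResource } from '../request/requestResource.js';
 import { DefaultServiceAuthorizer } from './DefaultServiceAuthorizer.js';
 /**
  * The default authorizer for services.
@@ -11,6 +12,6 @@ export declare class StsServiceAuthorizer extends DefaultServiceAuthorizer {
  * @param resourceAnalysis - The resource policy analysis
  * @returns true if the service trusts the principal's account IAM policies
  */
-serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis): boolean;
+serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis, resource: RequestResource): boolean;
 }
 //# sourceMappingURL=StsServiceAuthorizer.d.ts.map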
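Review bot: The STS declaration picks up the new required `resource` parameter, but the JSDoc in the second hunk still documents only `resourceAnalysis` and the return value; since the STS implementation does not use this argument, say so explicitly, `* @param resource - The resource of the request; not consulted for STS`, so a reader is not led to look for a resource-dependent rule. The class comment in the first hunk, `The default authorizer for services.`, is inherited wording and should name STS.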
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"StsServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/StsServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACjD,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAA;AAExE;;GAEG;AACH,qBAAa,oBAAqB,SAAQ,wBAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,
|
|
1
|
+
{"version":3,"file":"StsServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/StsServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAA;AAC/D,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAA;AAExE;;GAEG;AACH,qBAAa,oBAAqB,SAAQ,wBAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAW,EAAE,OAAO,EACpB,gBAAgB,EAAE,gBAAgB,EAClC,QAAQ,EAAE,eAAe,GACxB,OAAO;CAQX"}
|
|
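--- a/package/dist/cjs/services/StsServiceAuthorizer.js
+++ b/package/dist/cjs/services/StsServiceAuthorizer.js
@@ -13,7 +13,7 @@ class StsServiceAuthorizer extends DefaultServiceAuthorizer_js_1.DefaultServiceA
 * @param resourceAnalysis - The resource policy analysis
 * @returns true if the service trusts the principal's account IAM policies
 */
-serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis) {
+serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis, resource) {
 if (sameAccount && resourceAnalysis.result === 'NotApplicable') {
 return true;
 }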
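Review bot: `resource` is added to the signature but the visible body never reads it — the guard still tests only `sameAccount` and `resourceAnalysis.result === 'NotApplicable'` — and the JSDoc in the hunk still lists only `@param resourceAnalysis`; add `* @param resource - The resource of the request; not consulted for STS` so the unused parameter is understood as conformance to the base signature rather than an omission. The method's remaining lines are outside the hunk.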
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"StsServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/StsServiceAuthorizer.ts"],"names":[],"mappings":";;;
|
|
1
|
+
{"version":3,"file":"StsServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/StsServiceAuthorizer.ts"],"names":[],"mappings":";;;AAEA,+EAAwE;AAExE;;GAEG;AACH,MAAa,oBAAqB,SAAQ,sDAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAoB,EACpB,gBAAkC,EAClC,QAAyB;QAEzB,IAAI,WAAW,IAAI,gBAAgB,CAAC,MAAM,KAAK,eAAe,EAAE,CAAC;YAC/D,OAAO,IAAI,CAAA;QACb,CAAC;QACD,OAAO,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC1C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,mBAAmB,CAChE,CAAA;IACH,CAAC;CACF;AApBD,oDAoBC"}
|
|
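--- a/package/dist/esm/services/DefaultServiceAuthorizer.d.ts
+++ b/package/dist/esm/services/DefaultServiceAuthorizer.d.ts
@@ -1,4 +1,5 @@
 import { RequestAnalysis, ResourceAnalysis } from '../evaluate.js';
+import { RequestResource } from '../request/requestResource.js';
 import { ServiceAuthorizationRequest, ServiceAuthorizer } from './ServiceAuthorizer.js';
 /**
  * The default authorizer for services.
@@ -12,6 +13,6 @@ export declare class DefaultServiceAuthorizer implements ServiceAuthorizer {
  * @param resourceAnalysis - The resource policy analysis
  * @returns true if the service trusts the principal's account IAM policies
  */
-serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis): boolean;
+serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis, resource: RequestResource): boolean;
 }
 //# sourceMappingURL=DefaultServiceAuthorizer.d.ts.map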
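Review bot: This ESM declaration has the same gap as its CJS twin: the signature now requires `resource: RequestResource` while the JSDoc in the second hunk documents only `resourceAnalysis` and the return value; add `* @param resource - The resource the request targets`. Both builds are emitted from one source file, so the fix belongs in `src/services/DefaultServiceAuthorizer.ts` rather than in either output.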
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;
|
|
1
|
+
{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AAClE,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAA;AAE/D,OAAO,EAAE,2BAA2B,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAEvF;;GAEG;AACH,qBAAa,wBAAyB,YAAW,iBAAiB;IACzD,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe;IAwKvE;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAW,EAAE,OAAO,EACpB,gBAAgB,EAAE,gBAAgB,EAClC,QAAQ,EAAE,eAAe,GACxB,OAAO;CASX"}
|
|
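--- a/package/dist/esm/services/DefaultServiceAuthorizer.js
+++ b/package/dist/esm/services/DefaultServiceAuthorizer.js
@@ -89,7 +89,7 @@ export class DefaultServiceAuthorizer {
 
 Need to add some tests for this.
 */
-const trustedAccount = this.serviceTrustsPrincipalAccount(sameAccount, request.resourceAnalysis);
+const trustedAccount = this.serviceTrustsPrincipalAccount(sameAccount, request.resourceAnalysis, request.request.resource);
 if (resourcePolicyResult === 'Allowed' ||
 (trustedAccount && identityStatementResult === 'Allowed')) {
 return {
@@ -141,7 +141,7 @@ export class DefaultServiceAuthorizer {
 * @param resourceAnalysis - The resource policy analysis
 * @returns true if the service trusts the principal's account IAM policies
 */
-serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis) {
+serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis, resource) {
 if (sameAccount) {
 return true;
 }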
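Review bot: The JSDoc in the second hunk is not updated for the new `resource` parameter, which this base implementation does not read in the visible lines (only `sameAccount` is tested); document it as `* @param resource - The resource of the request; unused here, consulted by service-specific overrides`. The call site in the first hunk still sits under `Need to add some tests for this.`, and the per-service trust decision now fed by `request.request.resource` is the case those tests should cover, because `trustedAccount` combined with an identity-policy Allow yields the final Allow on the following lines. Both hunks cut through methods that continue outside them.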
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,YAAY,EAAE,MAAM,YAAY,CAAA;AAG/E;;GAEG;AACH,MAAM,OAAO,wBAAwB;IAC5B,SAAS,CAAC,OAAoC;QACnD,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,uBAAuB,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAA;QAC/D,MAAM,oBAAoB,GAAG,OAAO,CAAC,gBAAgB,EAAE,MAAM,CAAA;QAC7D,MAAM,wBAAwB,GAAG,OAAO,CAAC,0BAA0B,EAAE,MAAM,CAAA;QAE3E,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;QAC7D,MAAM,WAAW,GAAG,gBAAgB,KAAK,eAAe,CAAA;QAExD,MAAM,UAAU,GAQZ;YACF,WAAW;YACX,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,0BAA0B,EAAE,OAAO,CAAC,0BAA0B;SAC/D,CAAA;QAED,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IACE,oBAAoB,KAAK,kBAAkB;YAC3C,oBAAoB,KAAK,kBAAkB,EAC3C,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,uBAAuB,KAAK,kBAAkB,EAAE,CAAC;YACnD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACpD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,cAAc;QACd,IAAI,gBAAgB,KAAK,eAAe,EAAE,CAAC;YACzC,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;gBACpD;;;;;;;mBAOG;gBACH,IAAI,oBAAoB,KAAK,SAAS,EAAE,CAAC;oBACvC,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;oBACnD,IACE,gBAAgB,CAAC,SAAS,CAAC;wBAC3B,YAAY,CAAC,SAAS,CAAC;wBACvB,kBAAkB,CAAC,SAAS,CAAC,EAC7B,CAAC;wBACD,IACE,OAAO,CAAC,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC3C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,OAAO,CACpD,EACD,CAAC;4BACD,OAAO;gCACL,MAAM,EAAE,SAAS;gCACjB,GAAG,UAAU;6BACd,CAAA;wBACH,CAAC;oBACH,CAA
C;gBACH,CAAC;gBACD,OAAO;oBACL,MAAM,EAAE,kBAAkB;oBAC1B,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YAED;;;;;;;;cAQE;YAEF,MAAM,cAAc,GAAG,IAAI,CAAC,6BAA6B,CACvD,WAAW,EACX,OAAO,CAAC,gBAAgB,EACxB,OAAO,CAAC,OAAO,CAAC,QAAQ,CACzB,CAAA;YACD,IACE,oBAAoB,KAAK,SAAS;gBAClC,CAAC,cAAc,IAAI,uBAAuB,KAAK,SAAS,CAAC,EACzD,CAAC;gBACD,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,eAAe;QACf,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACpD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,oBAAoB,KAAK,SAAS,IAAI,oBAAoB,KAAK,mBAAmB,EAAE,CAAC;YACvF,IAAI,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBAC1C,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,OAAO;YACL,MAAM,EAAE,kBAAkB;YAC1B,GAAG,UAAU;SACd,CAAA;QAED;;;;;;;WAOG;IACL,CAAC;IAED;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAoB,EACpB,gBAAkC,EAClC,QAAyB;QAEzB,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,IAAI,CAAA;QACb,CAAC;QAED,OAAO,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC1C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,mBAAmB,CAChE,CAAA;IACH,CAAC;CACF"}
|
|
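--- a/package/dist/esm/services/KmsServiceAuthorizer.d.ts
+++ b/package/dist/esm/services/KmsServiceAuthorizer.d.ts
@@ -1,4 +1,5 @@
 import { ResourceAnalysis } from '../evaluate.js';
+import { RequestResource } from '../request/requestResource.js';
 import { DefaultServiceAuthorizer } from './DefaultServiceAuthorizer.js';
 /**
  * The default authorizer for services.
@@ -11,6 +12,6 @@ export declare class KmsServiceAuthorizer extends DefaultServiceAuthorizer {
  * @param resourceAnalysis - The resource policy analysis
  * @returns true if the service trusts the principal's account IAM policies
  */
-serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis): boolean;
+serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis, resource: RequestResource): boolean;
 }
 //# sourceMappingURL=KmsServiceAuthorizer.d.ts.map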
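Review bot: As in the CJS copy, the KMS declaration adds `resource: RequestResource` without a matching JSDoc entry in the second hunk, and for KMS this argument changes the outcome, so it deserves a precise line: `* @param resource - The resource of the request; a '*' resource in the same account means no key policy applies`. The class comment `The default authorizer for services.` in the first hunk is inherited wording and should name KMS.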
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"KmsServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/KmsServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACjD,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAA;AAExE;;GAEG;AACH,qBAAa,oBAAqB,SAAQ,wBAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,
|
|
1
|
+
{"version":3,"file":"KmsServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/KmsServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAA;AAC/D,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAA;AAExE;;GAEG;AACH,qBAAa,oBAAqB,SAAQ,wBAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAW,EAAE,OAAO,EACpB,gBAAgB,EAAE,gBAAgB,EAClC,QAAQ,EAAE,eAAe,GACxB,OAAO;CAQX"}
|
|
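--- a/package/dist/esm/services/KmsServiceAuthorizer.js
+++ b/package/dist/esm/services/KmsServiceAuthorizer.js
@@ -10,7 +10,10 @@ export class KmsServiceAuthorizer extends DefaultServiceAuthorizer {
 * @param resourceAnalysis - The resource policy analysis
 * @returns true if the service trusts the principal's account IAM policies
 */
-serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis) {
+serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis, resource) {
+if (sameAccount && resource.value() == '*') {
+return true;
+}
 return resourceAnalysis.allowStatements.some((statement) => statement.principalMatch === 'AccountLevelMatch');
 }
 }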
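Review bot: This ESM build carries the same guard as the CJS one: `resource.value() == '*'` uses loose equality where the next line uses `===`, and it makes the "no key policy applies" decision from the supplied resource string rather than from the action, so a same-account, key-scoped action simulated against `*` bypasses the `AccountLevelMatch` requirement if `value()` reflects caller input (the `RequestResource` implementation is not in this diff). Change the line to `if (sameAccount && resource.value() === '*') {`, and add `* @param resource - The resource of the request; '*' means no key policy applies` to the JSDoc above, which still documents only `resourceAnalysis`. The fix belongs in the TypeScript source both outputs are built from.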
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"KmsServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/KmsServiceAuthorizer.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"KmsServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/KmsServiceAuthorizer.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAA;AAExE;;GAEG;AACH,MAAM,OAAO,oBAAqB,SAAQ,wBAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAoB,EACpB,gBAAkC,EAClC,QAAyB;QAEzB,IAAI,WAAW,IAAI,QAAQ,CAAC,KAAK,EAAE,IAAI,GAAG,EAAE,CAAC;YAC3C,OAAO,IAAI,CAAA;QACb,CAAC;QACD,OAAO,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC1C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,mBAAmB,CAChE,CAAA;IACH,CAAC;CACF"}
|
|
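--- a/package/dist/esm/services/StsServiceAuthorizer.d.ts
+++ b/package/dist/esm/services/StsServiceAuthorizer.d.ts
@@ -1,4 +1,5 @@
 import { ResourceAnalysis } from '../evaluate.js';
+import { RequestResource } from '../request/requestResource.js';
 import { DefaultServiceAuthorizer } from './DefaultServiceAuthorizer.js';
 /**
  * The default authorizer for services.
@@ -11,6 +12,6 @@ export declare class StsServiceAuthorizer extends DefaultServiceAuthorizer {
  * @param resourceAnalysis - The resource policy analysis
  * @returns true if the service trusts the principal's account IAM policies
  */
-serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis): boolean;
+serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis, resource: RequestResource): boolean;
 }
 //# sourceMappingURL=StsServiceAuthorizer.d.ts.map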
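Review bot: Same omission as the CJS declaration: `resource: RequestResource` is added to the STS signature while the JSDoc in the second hunk still documents only `resourceAnalysis`; since the STS implementation does not consult it, state that directly, `* @param resource - The resource of the request; not consulted for STS`. The class comment in the first hunk still reads `The default authorizer for services.` and should name STS.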
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"StsServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/StsServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACjD,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAA;AAExE;;GAEG;AACH,qBAAa,oBAAqB,SAAQ,wBAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,
|
|
1
|
+
{"version":3,"file":"StsServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/StsServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAA;AAC/D,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAA;AAExE;;GAEG;AACH,qBAAa,oBAAqB,SAAQ,wBAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAW,EAAE,OAAO,EACpB,gBAAgB,EAAE,gBAAgB,EAClC,QAAQ,EAAE,eAAe,GACxB,OAAO;CAQX"}
|
|
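--- a/package/dist/esm/services/StsServiceAuthorizer.js
+++ b/package/dist/esm/services/StsServiceAuthorizer.js
@@ -10,7 +10,7 @@ export class StsServiceAuthorizer extends DefaultServiceAuthorizer {
 * @param resourceAnalysis - The resource policy analysis
 * @returns true if the service trusts the principal's account IAM policies
 */
-serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis) {
+serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis, resource) {
 if (sameAccount && resourceAnalysis.result === 'NotApplicable') {
 return true;
 }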
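Review bot: As in the CJS output, `resource` joins the signature but nothing in the visible body reads it — the guard still tests `sameAccount` and `resourceAnalysis.result === 'NotApplicable'` only — and the JSDoc above lists just `@param resourceAnalysis`; add `* @param resource - The resource of the request; not consulted for STS` so the parameter reads as signature conformance rather than a forgotten check. The rest of the method lies outside the hunk.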
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"StsServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/StsServiceAuthorizer.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"StsServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/StsServiceAuthorizer.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAA;AAExE;;GAEG;AACH,MAAM,OAAO,oBAAqB,SAAQ,wBAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAoB,EACpB,gBAAkC,EAClC,QAAyB;QAEzB,IAAI,WAAW,IAAI,gBAAgB,CAAC,MAAM,KAAK,eAAe,EAAE,CAAC;YAC/D,OAAO,IAAI,CAAA;QACb,CAAC;QACD,OAAO,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC1C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,mBAAmB,CAChE,CAAA;IACH,CAAC;CACF"}
|