@cloud-copilot/iam-simulate 0.1.24 → 0.1.26
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/context_keys/contextKeys.d.ts.map +1 -1
- package/dist/cjs/context_keys/contextKeys.js +22 -0
- package/dist/cjs/context_keys/contextKeys.js.map +1 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.d.ts +2 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.d.ts.map +1 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.js +2 -2
- package/dist/cjs/services/DefaultServiceAuthorizer.js.map +1 -1
- package/dist/cjs/services/KmsServiceAuthorizer.d.ts +2 -1
- package/dist/cjs/services/KmsServiceAuthorizer.d.ts.map +1 -1
- package/dist/cjs/services/KmsServiceAuthorizer.js +4 -1
- package/dist/cjs/services/KmsServiceAuthorizer.js.map +1 -1
- package/dist/cjs/services/StsServiceAuthorizer.d.ts +2 -1
- package/dist/cjs/services/StsServiceAuthorizer.d.ts.map +1 -1
- package/dist/cjs/services/StsServiceAuthorizer.js +1 -1
- package/dist/cjs/services/StsServiceAuthorizer.js.map +1 -1
- package/dist/esm/context_keys/contextKeys.d.ts.map +1 -1
- package/dist/esm/context_keys/contextKeys.js +22 -0
- package/dist/esm/context_keys/contextKeys.js.map +1 -1
- package/dist/esm/services/DefaultServiceAuthorizer.d.ts +2 -1
- package/dist/esm/services/DefaultServiceAuthorizer.d.ts.map +1 -1
- package/dist/esm/services/DefaultServiceAuthorizer.js +2 -2
- package/dist/esm/services/DefaultServiceAuthorizer.js.map +1 -1
- package/dist/esm/services/KmsServiceAuthorizer.d.ts +2 -1
- package/dist/esm/services/KmsServiceAuthorizer.d.ts.map +1 -1
- package/dist/esm/services/KmsServiceAuthorizer.js +4 -1
- package/dist/esm/services/KmsServiceAuthorizer.js.map +1 -1
- package/dist/esm/services/StsServiceAuthorizer.d.ts +2 -1
- package/dist/esm/services/StsServiceAuthorizer.d.ts.map +1 -1
- package/dist/esm/services/StsServiceAuthorizer.js +1 -1
- package/dist/esm/services/StsServiceAuthorizer.js.map +1 -1
- package/package.json +1 -1
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"contextKeys.d.ts","sourceRoot":"","sources":["../../../src/context_keys/contextKeys.ts"],"names":[],"mappings":"AAYA,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAA;
|
|
1
|
+
{"version":3,"file":"contextKeys.d.ts","sourceRoot":"","sources":["../../../src/context_keys/contextKeys.ts"],"names":[],"mappings":"AAYA,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAA;AAKvD;;;;;GAKG;AACH,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAuBtE;AAsDD;;;;;;;GAOG;AACH,wBAAgB,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAGpE;AAED;;;;;GAKG;AACH,wBAAsB,uBAAuB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAgBjF;AAmBD;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAYrF"}
|
|
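--- a/package/dist/cjs/context_keys/contextKeys.js
+++ b/package/dist/cjs/context_keys/contextKeys.js
@@ -6,6 +6,8 @@ exports.normalizeContextKeyCase = normalizeContextKeyCase;
 exports.typeForContextKey = typeForContextKey;
 const iam_data_1 = require("@cloud-copilot/iam-data");
 const globalConditionKeys_js_1 = require("../global_conditions/globalConditionKeys.js");
+const oidcKeys = new Set(['aud', 'sub', 'email', 'oaud', 'sub']);
+const oidcProviderPattern = /^[0-9a-zA-Z\._\-]+$/;
 /**
 * Check if a context key actually exists
 *
@@ -19,6 +21,9 @@ async function isActualContextKey(key) {
 if ((0, globalConditionKeys_js_1.globalConditionKeyExists)(key)) {
 return true;
 }
+if (isOidcConditionKey(key)) {
+return true;
+}
 const parts = key.split(':');
 if (parts.length !== 2) {
 return false;
@@ -102,6 +107,9 @@ async function normalizeContextKeyCase(contextKey) {
 if (globalConditionKey) {
 return replaceVariableInContextKey(globalConditionKey.key, contextKey);
 }
+if (isOidcConditionKey(contextKey)) {
+return contextKey;
+}
 throw new Error(`Context key ${contextKey} not found`);
 }
 /**
@@ -138,4 +146,18 @@ async function typeForContextKey(contextKey) {
 }
 throw new Error(`Condition key ${contextKey} not found`);
 }
+/**
+* Checks if a string is a valid OIDC condition key
+*
+* @param key the key to check
+* @returns true if the key is a valid OIDC condition key
+*/
+function isOidcConditionKey(key) {
+const parts = key.split(':');
+if (parts.length !== 2) {
+return false;
+}
+const [service, action] = parts;
+return oidcKeys.has(action) && oidcProviderPattern.test(service);
+}
 //# sourceMappingURL=contextKeys.js.map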
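Review bot: `isOidcConditionKey` accepts any `<token>:aud|sub|email|oaud` whose first segment matches `/^[0-9a-zA-Z\._\-]+$/`, and the new check in `isActualContextKey` runs before the service lookup, so a mistyped service key such as a constructed `s3:sub` is now reported as an existing key and `normalizeContextKeyCase` returns it unchanged instead of throwing "not found" — the simulator will then evaluate a condition that the real policy engine would not recognise. If OIDC providers are always host names, requiring at least one `.` in the first segment (or checking the service lookup first) would close this; I cannot tell from the hunk which is intended. The `Set` literal also repeats `'sub'`, and the destructured names `service`/`action` describe the wrong thing for a `<provider>:<claim>` key; `const oidcKeys = new Set(['aud', 'sub', 'email', 'oaud']);` and `const [provider, claim] = parts; return oidcKeys.has(claim) && oidcProviderPattern.test(provider);` read correctly. Since this is compiled output, the change belongs in `src/context_keys/contextKeys.ts` (the path named in the accompanying source map), and the ESM copy of `contextKeys.js` later in this diff carries the identical code; `isActualContextKey` and `normalizeContextKeyCase` both start outside their hunks.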
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"contextKeys.js","sourceRoot":"","sources":["../../../src/context_keys/contextKeys.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"contextKeys.js","sourceRoot":"","sources":["../../../src/context_keys/contextKeys.ts"],"names":[],"mappings":";;AAuBA,gDAuBC;AA8DD,0CAGC;AAQD,0DAgBC;AA0BD,8CAYC;AA7KD,sDAMgC;AAChC,wFAIoD;AAGpD,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC,CAAA;AAChE,MAAM,mBAAmB,GAAG,qBAAqB,CAAA;AAEjD;;;;;GAKG;AACI,KAAK,UAAU,kBAAkB,CAAC,GAAW;IAClD,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACtB,OAAO,8BAA8B,CAAC,GAAG,CAAC,CAAA;IAC5C,CAAC;IACD,IAAI,IAAA,iDAAwB,EAAC,GAAG,CAAC,EAAE,CAAC;QAClC,OAAO,IAAI,CAAA;IACb,CAAC;IACD,IAAI,kBAAkB,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5B,OAAO,IAAI,CAAA;IACb,CAAC;IAED,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC5B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,KAAK,CAAA;IACd,CAAC;IACD,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,GAAG,KAAK,CAAA;IAC/B,MAAM,aAAa,GAAG,MAAM,IAAA,2BAAgB,EAAC,OAAO,CAAC,CAAA;IACrD,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO,KAAK,CAAA;IACd,CAAC;IAED,MAAM,YAAY,GAAG,MAAM,IAAA,gCAAqB,EAAC,OAAO,EAAE,GAAG,CAAC,CAAA;IAC9D,OAAO,YAAY,CAAA;AACrB,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,8BAA8B,CAAC,GAAW;IACvD,MAAM,aAAa,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IACtC,MAAM,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,aAAa,CAAC,CAAA;IAC1C,MAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,aAAa,GAAG,CAAC,CAAC,CAAA;IAEzC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,OAAO,KAAK,CAAA;IACd,CAAC;IAED,MAAM,SAAS,GAAG,IAAA,8DAAqC,EAAC,MAAM,CAAC,CAAA;IAC/D,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,IAAI,CAAA;IACb,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,wBAAwB,CAAC,GAAG,CAAC,CAAA;IACtD,OAAO,CAAC,CAAC,UAAU,CAAA;AACrB,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,wBAAwB,CAAC,UAAkB;IACxD,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,GAAG,eAAe,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC,CAAA;IAEhE,MAAM,aAAa,GAAG,MAAM,IAAA,2BAAgB,EAAC,OAAO,CAAC,CAAA;IACrD,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACtB,MAAM,MAAM,GAAG,OAAO,GAAG,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAA;QACjE,MAAM,iBAAiB,GAAG,MAAM
,IAAA,qCAA0B,EAAC,OAAO,CAAC,CAAA;QACnE,MAAM,WAAW,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAA;QACrF,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,MAAM,IAAA,iCAAsB,EAAC,OAAO,EAAE,WAAW,CAAC,CAAA;QAC3D,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,IAAA,gCAAqB,EAAC,OAAO,EAAE,UAAU,CAAC,CAAA;IAC/D,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,SAAS,CAAA;IAClB,CAAC;IACD,OAAO,IAAA,iCAAsB,EAAC,OAAO,EAAE,UAAU,CAAC,CAAA;AACpD,CAAC;AAED;;;;;;;GAOG;AACH,SAAgB,eAAe,CAAC,UAAkB;IAChD,MAAM,UAAU,GAAG,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IAC1C,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,EAAE,UAAU,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,CAAA;AAC5E,CAAC;AAED;;;;;GAKG;AACI,KAAK,UAAU,uBAAuB,CAAC,UAAkB;IAC9D,MAAM,UAAU,GAAG,MAAM,wBAAwB,CAAC,UAAU,CAAC,CAAA;IAC7D,IAAI,UAAU,EAAE,CAAC;QACf,OAAO,2BAA2B,CAAC,UAAU,CAAC,GAAG,EAAE,UAAU,CAAC,CAAA;IAChE,CAAC;IAED,MAAM,kBAAkB,GAAG,IAAA,iEAAwC,EAAC,UAAU,CAAC,CAAA;IAC/E,IAAI,kBAAkB,EAAE,CAAC;QACvB,OAAO,2BAA2B,CAAC,kBAAkB,CAAC,GAAG,EAAE,UAAU,CAAC,CAAA;IACxE,CAAC;IAED,IAAI,kBAAkB,CAAC,UAAU,CAAC,EAAE,CAAC;QACnC,OAAO,UAAU,CAAA;IACnB,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,eAAe,UAAU,YAAY,CAAC,CAAA;AACxD,CAAC;AAED;;;;;;GAMG;AACH,SAAS,2BAA2B,CAAC,OAAe,EAAE,SAAiB;IACrE,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IACvC,IAAI,UAAU,KAAK,CAAC,CAAC,EAAE,CAAC;QACtB,OAAO,OAAO,CAAA;IAChB,CAAC;IACD,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAA;IAC3C,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,UAAU,CAAC,CAAA;IAC1C,OAAO,MAAM,GAAG,MAAM,CAAA;AACxB,CAAC;AAED;;;;;;GAMG;AACI,KAAK,UAAU,iBAAiB,CAAC,UAAkB;IACxD,MAAM,kBAAkB,GAAG,IAAA,iEAAwC,EAAC,UAAU,CAAC,CAAA;IAC/E,IAAI,kBAAkB,EAAE,CAAC;QACvB,OAAO,kBAAkB,CAAC,QAA4B,CAAA;IACxD,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,wBAAwB,CAAC,UAAU,CAAC,CAAA;IAC7D,IAAI,UAAU,EAAE,CAAC;QACf,OAAO,UAAU,CAAC,IAAwB,CAAA;IAC5C,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,iBAAiB,UAAU,YAAY,CAAC,CAAA;AAC1D,CAAC;AAED;;;;;GAKG;AACH,SAAS,kBAAkB,CAAC,GAAW;IACrC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC5B,IAAI,KAAK,CAAC,M
AAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,KAAK,CAAA;IACd,CAAC;IACD,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,GAAG,KAAK,CAAA;IAC/B,OAAO,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;AAClE,CAAC"}
|
|
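--- a/package/dist/cjs/services/DefaultServiceAuthorizer.d.ts
+++ b/package/dist/cjs/services/DefaultServiceAuthorizer.d.ts
@@ -1,4 +1,5 @@
 import { RequestAnalysis, ResourceAnalysis } from '../evaluate.js';
+import { RequestResource } from '../request/requestResource.js';
 import { ServiceAuthorizationRequest, ServiceAuthorizer } from './ServiceAuthorizer.js';
 /**
 * The default authorizer for services.
@@ -12,6 +13,6 @@ export declare class DefaultServiceAuthorizer implements ServiceAuthorizer {
 * @param resourceAnalysis - The resource policy analysis
 * @returns true if the service trusts the principal's account IAM policies
 */
-serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis): boolean;
+serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis, resource: RequestResource): boolean;
 }
 //# sourceMappingURL=DefaultServiceAuthorizer.d.ts.map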
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;
|
|
1
|
+
{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AAClE,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAA;AAE/D,OAAO,EAAE,2BAA2B,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAEvF;;GAEG;AACH,qBAAa,wBAAyB,YAAW,iBAAiB;IACzD,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe;IAwKvE;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAW,EAAE,OAAO,EACpB,gBAAgB,EAAE,gBAAgB,EAClC,QAAQ,EAAE,eAAe,GACxB,OAAO;CASX"}
|
|
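--- a/package/dist/cjs/services/DefaultServiceAuthorizer.js
+++ b/package/dist/cjs/services/DefaultServiceAuthorizer.js
@@ -92,7 +92,7 @@ class DefaultServiceAuthorizer {
 
 Need to add some tests for this.
 */
-const trustedAccount = this.serviceTrustsPrincipalAccount(sameAccount, request.resourceAnalysis);
+const trustedAccount = this.serviceTrustsPrincipalAccount(sameAccount, request.resourceAnalysis, request.request.resource);
 if (resourcePolicyResult === 'Allowed' ||
 (trustedAccount && identityStatementResult === 'Allowed')) {
 return {
@@ -144,7 +144,7 @@ class DefaultServiceAuthorizer {
 * @param resourceAnalysis - The resource policy analysis
 * @returns true if the service trusts the principal's account IAM policies
 */
-serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis) {
+serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis, resource) {
 if (sameAccount) {
 return true;
 }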
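Review bot: The second hunk adds a `resource` parameter to `serviceTrustsPrincipalAccount` but the JSDoc directly above it still documents only `sameAccount` and `resourceAnalysis`; a line such as `* @param resource - The resource the request targets, available to subclasses that scope account trust by resource` should be added, since in this class the parameter is unused and only the KMS override reads it. The same omission appears in the KMS and STS `.js` sections, in all three `.d.ts` declarations, and in the ESM `DefaultServiceAuthorizer.js` later in this diff. The fix belongs in the `src/services/*.ts` sources named in the accompanying source maps, not in `dist/`. The method body and the enclosing `authorize` logic continue outside both hunks.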
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":";;;
|
|
1
|
+
{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":";;;AAEA,wCAA+E;AAG/E;;GAEG;AACH,MAAa,wBAAwB;IAC5B,SAAS,CAAC,OAAoC;QACnD,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,uBAAuB,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAA;QAC/D,MAAM,oBAAoB,GAAG,OAAO,CAAC,gBAAgB,EAAE,MAAM,CAAA;QAC7D,MAAM,wBAAwB,GAAG,OAAO,CAAC,0BAA0B,EAAE,MAAM,CAAA;QAE3E,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;QAC7D,MAAM,WAAW,GAAG,gBAAgB,KAAK,eAAe,CAAA;QAExD,MAAM,UAAU,GAQZ;YACF,WAAW;YACX,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,0BAA0B,EAAE,OAAO,CAAC,0BAA0B;SAC/D,CAAA;QAED,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IACE,oBAAoB,KAAK,kBAAkB;YAC3C,oBAAoB,KAAK,kBAAkB,EAC3C,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,uBAAuB,KAAK,kBAAkB,EAAE,CAAC;YACnD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACpD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,cAAc;QACd,IAAI,gBAAgB,KAAK,eAAe,EAAE,CAAC;YACzC,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;gBACpD;;;;;;;mBAOG;gBACH,IAAI,oBAAoB,KAAK,SAAS,EAAE,CAAC;oBACvC,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;oBACnD,IACE,IAAA,0BAAgB,EAAC,SAAS,CAAC;wBAC3B,IAAA,sBAAY,EAAC,SAAS,CAAC;wBACvB,IAAA,4BAAkB,EAAC,SAAS,CAAC,EAC7B,CAAC;wBACD,IACE,OAAO,CAAC,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC3C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,OAAO,CACpD,EACD,CAAC;4BACD,OAAO;gCACL,MAAM,EAAE,SAAS;gCACjB,GAAG,UAAU;6BACd,CAAA;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;gBACD,OAAO;oBACL,MAAM,EAA
E,kBAAkB;oBAC1B,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YAED;;;;;;;;cAQE;YAEF,MAAM,cAAc,GAAG,IAAI,CAAC,6BAA6B,CACvD,WAAW,EACX,OAAO,CAAC,gBAAgB,EACxB,OAAO,CAAC,OAAO,CAAC,QAAQ,CACzB,CAAA;YACD,IACE,oBAAoB,KAAK,SAAS;gBAClC,CAAC,cAAc,IAAI,uBAAuB,KAAK,SAAS,CAAC,EACzD,CAAC;gBACD,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,eAAe;QACf,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACpD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,oBAAoB,KAAK,SAAS,IAAI,oBAAoB,KAAK,mBAAmB,EAAE,CAAC;YACvF,IAAI,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBAC1C,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,OAAO;YACL,MAAM,EAAE,kBAAkB;YAC1B,GAAG,UAAU;SACd,CAAA;QAED;;;;;;;WAOG;IACL,CAAC;IAED;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAoB,EACpB,gBAAkC,EAClC,QAAyB;QAEzB,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,IAAI,CAAA;QACb,CAAC;QAED,OAAO,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC1C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,mBAAmB,CAChE,CAAA;IACH,CAAC;CACF;AA7LD,4DA6LC"}
|
|
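--- a/package/dist/cjs/services/KmsServiceAuthorizer.d.ts
+++ b/package/dist/cjs/services/KmsServiceAuthorizer.d.ts
@@ -1,4 +1,5 @@
 import { ResourceAnalysis } from '../evaluate.js';
+import { RequestResource } from '../request/requestResource.js';
 import { DefaultServiceAuthorizer } from './DefaultServiceAuthorizer.js';
 /**
 * The default authorizer for services.
@@ -11,6 +12,6 @@ export declare class KmsServiceAuthorizer extends DefaultServiceAuthorizer {
 * @param resourceAnalysis - The resource policy analysis
 * @returns true if the service trusts the principal's account IAM policies
 */
-serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis): boolean;
+serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis, resource: RequestResource): boolean;
 }
 //# sourceMappingURL=KmsServiceAuthorizer.d.ts.map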
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"KmsServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/KmsServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACjD,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAA;AAExE;;GAEG;AACH,qBAAa,oBAAqB,SAAQ,wBAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,
|
|
1
|
+
{"version":3,"file":"KmsServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/KmsServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAA;AAC/D,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAA;AAExE;;GAEG;AACH,qBAAa,oBAAqB,SAAQ,wBAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAW,EAAE,OAAO,EACpB,gBAAgB,EAAE,gBAAgB,EAClC,QAAQ,EAAE,eAAe,GACxB,OAAO;CAQX"}
|
|
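--- a/package/dist/cjs/services/KmsServiceAuthorizer.js
+++ b/package/dist/cjs/services/KmsServiceAuthorizer.js
@@ -13,7 +13,10 @@ class KmsServiceAuthorizer extends DefaultServiceAuthorizer_js_1.DefaultServiceA
 * @param resourceAnalysis - The resource policy analysis
 * @returns true if the service trusts the principal's account IAM policies
 */
-serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis) {
+serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis, resource) {
+if (sameAccount && resource.value() == '*') {
+return true;
+}
 return resourceAnalysis.allowStatements.some((statement) => statement.principalMatch === 'AccountLevelMatch');
 }
 }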
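Review bot: The new guard compares with loose equality, `resource.value() == '*'`, which is the only `==` in this diff and will coerce a non-string return value; `if (sameAccount && resource.value() === '*') {` matches the strict comparison used on the next line. This branch is also the only place in the change that makes an authorization decision depend on the resource, and it short-circuits to trusting the principal's account before the resource-policy statements are examined, so a one-line comment explaining why a same-account wildcard resource is trusted while a specific key resource still requires an account-level principal match would help the next reader confirm the intent. The source of this method is `src/services/KmsServiceAuthorizer.ts` per the accompanying map; the ESM copy listed in the diffstat is not visible in this excerpt.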
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"KmsServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/KmsServiceAuthorizer.ts"],"names":[],"mappings":";;;
|
|
1
|
+
{"version":3,"file":"KmsServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/KmsServiceAuthorizer.ts"],"names":[],"mappings":";;;AAEA,+EAAwE;AAExE;;GAEG;AACH,MAAa,oBAAqB,SAAQ,sDAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAoB,EACpB,gBAAkC,EAClC,QAAyB;QAEzB,IAAI,WAAW,IAAI,QAAQ,CAAC,KAAK,EAAE,IAAI,GAAG,EAAE,CAAC;YAC3C,OAAO,IAAI,CAAA;QACb,CAAC;QACD,OAAO,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC1C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,mBAAmB,CAChE,CAAA;IACH,CAAC;CACF;AApBD,oDAoBC"}
|
|
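--- a/package/dist/cjs/services/StsServiceAuthorizer.d.ts
+++ b/package/dist/cjs/services/StsServiceAuthorizer.d.ts
@@ -1,4 +1,5 @@
 import { ResourceAnalysis } from '../evaluate.js';
+import { RequestResource } from '../request/requestResource.js';
 import { DefaultServiceAuthorizer } from './DefaultServiceAuthorizer.js';
 /**
 * The default authorizer for services.
@@ -11,6 +12,6 @@ export declare class StsServiceAuthorizer extends DefaultServiceAuthorizer {
 * @param resourceAnalysis - The resource policy analysis
 * @returns true if the service trusts the principal's account IAM policies
 */
-serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis): boolean;
+serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis, resource: RequestResource): boolean;
 }
 //# sourceMappingURL=StsServiceAuthorizer.d.ts.map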
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"StsServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/StsServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACjD,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAA;AAExE;;GAEG;AACH,qBAAa,oBAAqB,SAAQ,wBAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,
|
|
1
|
+
{"version":3,"file":"StsServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/StsServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAA;AAC/D,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAA;AAExE;;GAEG;AACH,qBAAa,oBAAqB,SAAQ,wBAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAW,EAAE,OAAO,EACpB,gBAAgB,EAAE,gBAAgB,EAClC,QAAQ,EAAE,eAAe,GACxB,OAAO;CAQX"}
|
|
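--- a/package/dist/cjs/services/StsServiceAuthorizer.js
+++ b/package/dist/cjs/services/StsServiceAuthorizer.js
@@ -13,7 +13,7 @@ class StsServiceAuthorizer extends DefaultServiceAuthorizer_js_1.DefaultServiceA
 * @param resourceAnalysis - The resource policy analysis
 * @returns true if the service trusts the principal's account IAM policies
 */
-serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis) {
+serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis, resource) {
 if (sameAccount && resourceAnalysis.result === 'NotApplicable') {
 return true;
 }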
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"StsServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/StsServiceAuthorizer.ts"],"names":[],"mappings":";;;
|
|
1
|
+
{"version":3,"file":"StsServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/StsServiceAuthorizer.ts"],"names":[],"mappings":";;;AAEA,+EAAwE;AAExE;;GAEG;AACH,MAAa,oBAAqB,SAAQ,sDAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAoB,EACpB,gBAAkC,EAClC,QAAyB;QAEzB,IAAI,WAAW,IAAI,gBAAgB,CAAC,MAAM,KAAK,eAAe,EAAE,CAAC;YAC/D,OAAO,IAAI,CAAA;QACb,CAAC;QACD,OAAO,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC1C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,mBAAmB,CAChE,CAAA;IACH,CAAC;CACF;AApBD,oDAoBC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"contextKeys.d.ts","sourceRoot":"","sources":["../../../src/context_keys/contextKeys.ts"],"names":[],"mappings":"AAYA,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAA;
|
|
1
|
+
{"version":3,"file":"contextKeys.d.ts","sourceRoot":"","sources":["../../../src/context_keys/contextKeys.ts"],"names":[],"mappings":"AAYA,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAA;AAKvD;;;;;GAKG;AACH,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAuBtE;AAsDD;;;;;;;GAOG;AACH,wBAAgB,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAGpE;AAED;;;;;GAKG;AACH,wBAAsB,uBAAuB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAgBjF;AAmBD;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAYrF"}
|
|
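--- a/package/dist/esm/context_keys/contextKeys.js
+++ b/package/dist/esm/context_keys/contextKeys.js
@@ -1,5 +1,7 @@
 import { iamConditionKeyDetails, iamConditionKeyExists, iamConditionKeysForService, iamServiceExists } from '@cloud-copilot/iam-data';
 import { getGlobalConditionKeyWithOrWithoutPrefix, getVariableGlobalConditionKeyByPrefix, globalConditionKeyExists } from '../global_conditions/globalConditionKeys.js';
+const oidcKeys = new Set(['aud', 'sub', 'email', 'oaud', 'sub']);
+const oidcProviderPattern = /^[0-9a-zA-Z\._\-]+$/;
 /**
 * Check if a context key actually exists
 *
@@ -13,6 +15,9 @@ export async function isActualContextKey(key) {
 if (globalConditionKeyExists(key)) {
 return true;
 }
+if (isOidcConditionKey(key)) {
+return true;
+}
 const parts = key.split(':');
 if (parts.length !== 2) {
 return false;
@@ -96,6 +101,9 @@ export async function normalizeContextKeyCase(contextKey) {
 if (globalConditionKey) {
 return replaceVariableInContextKey(globalConditionKey.key, contextKey);
 }
+if (isOidcConditionKey(contextKey)) {
+return contextKey;
+}
 throw new Error(`Context key ${contextKey} not found`);
 }
 /**
@@ -132,4 +140,18 @@ export async function typeForContextKey(contextKey) {
 }
 throw new Error(`Condition key ${contextKey} not found`);
 }
+/**
+* Checks if a string is a valid OIDC condition key
+*
+* @param key the key to check
+* @returns true if the key is a valid OIDC condition key
+*/
+function isOidcConditionKey(key) {
+const parts = key.split(':');
+if (parts.length !== 2) {
+return false;
+}
+const [service, action] = parts;
+return oidcKeys.has(action) && oidcProviderPattern.test(service);
+}
 //# sourceMappingURL=contextKeys.js.map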
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"contextKeys.js","sourceRoot":"","sources":["../../../src/context_keys/contextKeys.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,sBAAsB,EACtB,qBAAqB,EACrB,0BAA0B,EAC1B,gBAAgB,EACjB,MAAM,yBAAyB,CAAA;AAChC,OAAO,EACL,wCAAwC,EACxC,qCAAqC,EACrC,wBAAwB,EACzB,MAAM,6CAA6C,CAAA;AAGpD;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,GAAW;IAClD,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACtB,OAAO,8BAA8B,CAAC,GAAG,CAAC,CAAA;IAC5C,CAAC;IACD,IAAI,wBAAwB,CAAC,GAAG,CAAC,EAAE,CAAC;QAClC,OAAO,IAAI,CAAA;IACb,CAAC;IACD,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC5B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,KAAK,CAAA;IACd,CAAC;IACD,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,GAAG,KAAK,CAAA;IAC/B,MAAM,aAAa,GAAG,MAAM,gBAAgB,CAAC,OAAO,CAAC,CAAA;
|
|
1
|
+
{"version":3,"file":"contextKeys.js","sourceRoot":"","sources":["../../../src/context_keys/contextKeys.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,sBAAsB,EACtB,qBAAqB,EACrB,0BAA0B,EAC1B,gBAAgB,EACjB,MAAM,yBAAyB,CAAA;AAChC,OAAO,EACL,wCAAwC,EACxC,qCAAqC,EACrC,wBAAwB,EACzB,MAAM,6CAA6C,CAAA;AAGpD,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC,CAAA;AAChE,MAAM,mBAAmB,GAAG,qBAAqB,CAAA;AAEjD;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,GAAW;IAClD,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACtB,OAAO,8BAA8B,CAAC,GAAG,CAAC,CAAA;IAC5C,CAAC;IACD,IAAI,wBAAwB,CAAC,GAAG,CAAC,EAAE,CAAC;QAClC,OAAO,IAAI,CAAA;IACb,CAAC;IACD,IAAI,kBAAkB,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5B,OAAO,IAAI,CAAA;IACb,CAAC;IAED,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC5B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,KAAK,CAAA;IACd,CAAC;IACD,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,GAAG,KAAK,CAAA;IAC/B,MAAM,aAAa,GAAG,MAAM,gBAAgB,CAAC,OAAO,CAAC,CAAA;IACrD,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO,KAAK,CAAA;IACd,CAAC;IAED,MAAM,YAAY,GAAG,MAAM,qBAAqB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;IAC9D,OAAO,YAAY,CAAA;AACrB,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,8BAA8B,CAAC,GAAW;IACvD,MAAM,aAAa,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IACtC,MAAM,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,aAAa,CAAC,CAAA;IAC1C,MAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,aAAa,GAAG,CAAC,CAAC,CAAA;IAEzC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,OAAO,KAAK,CAAA;IACd,CAAC;IAED,MAAM,SAAS,GAAG,qCAAqC,CAAC,MAAM,CAAC,CAAA;IAC/D,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,IAAI,CAAA;IACb,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,wBAAwB,CAAC,GAAG,CAAC,CAAA;IACtD,OAAO,CAAC,CAAC,UAAU,CAAA;AACrB,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,wBAAwB,CAAC,UAAkB;IACxD,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,GAAG,eAAe,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC,CAAA;IAEhE,MAAM,aAAa,GAAG,MAAM,gBAAgB,CAAC,OAAO,CAAC,CAAA;IACrD,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACtB,MAAM,MAAM,GAAG,OAAO,GAAG,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,OAA
O,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAA;QACjE,MAAM,iBAAiB,GAAG,MAAM,0BAA0B,CAAC,OAAO,CAAC,CAAA;QACnE,MAAM,WAAW,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAA;QACrF,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,MAAM,sBAAsB,CAAC,OAAO,EAAE,WAAW,CAAC,CAAA;QAC3D,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,qBAAqB,CAAC,OAAO,EAAE,UAAU,CAAC,CAAA;IAC/D,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,SAAS,CAAA;IAClB,CAAC;IACD,OAAO,sBAAsB,CAAC,OAAO,EAAE,UAAU,CAAC,CAAA;AACpD,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,eAAe,CAAC,UAAkB;IAChD,MAAM,UAAU,GAAG,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IAC1C,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,EAAE,UAAU,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,CAAA;AAC5E,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAAC,UAAkB;IAC9D,MAAM,UAAU,GAAG,MAAM,wBAAwB,CAAC,UAAU,CAAC,CAAA;IAC7D,IAAI,UAAU,EAAE,CAAC;QACf,OAAO,2BAA2B,CAAC,UAAU,CAAC,GAAG,EAAE,UAAU,CAAC,CAAA;IAChE,CAAC;IAED,MAAM,kBAAkB,GAAG,wCAAwC,CAAC,UAAU,CAAC,CAAA;IAC/E,IAAI,kBAAkB,EAAE,CAAC;QACvB,OAAO,2BAA2B,CAAC,kBAAkB,CAAC,GAAG,EAAE,UAAU,CAAC,CAAA;IACxE,CAAC;IAED,IAAI,kBAAkB,CAAC,UAAU,CAAC,EAAE,CAAC;QACnC,OAAO,UAAU,CAAA;IACnB,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,eAAe,UAAU,YAAY,CAAC,CAAA;AACxD,CAAC;AAED;;;;;;GAMG;AACH,SAAS,2BAA2B,CAAC,OAAe,EAAE,SAAiB;IACrE,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IACvC,IAAI,UAAU,KAAK,CAAC,CAAC,EAAE,CAAC;QACtB,OAAO,OAAO,CAAA;IAChB,CAAC;IACD,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAA;IAC3C,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,UAAU,CAAC,CAAA;IAC1C,OAAO,MAAM,GAAG,MAAM,CAAA;AACxB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,UAAkB;IACxD,MAAM,kBAAkB,GAAG,wCAAwC,CAAC,UAAU,CAAC,CAAA;IAC/E,IAAI,kBAAkB,EAAE,CAAC;QACvB,OAAO,kBAAkB,CAAC,QAA4B,CAAA;IACxD,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,wBAAwB,CAAC,UAAU,CAAC,CAAA;IAC7D,IAAI,UAAU,EAAE,CAAC;QACf,OAAO,UAAU,CAAC,IAAwB,CAAA;IAC5C,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,iBAAiB,UAAU,YAAY,CAAC,CAAA;AAC1D,CAAC;AAED;;;;;GAKG;AACH,SAAS,kBAAkB,CAAC,GAAW;IACrC,MAAM,KAAK,GAAG
,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC5B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,KAAK,CAAA;IACd,CAAC;IACD,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,GAAG,KAAK,CAAA;IAC/B,OAAO,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;AAClE,CAAC"}
|
|
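--- a/package/dist/esm/services/DefaultServiceAuthorizer.d.ts
+++ b/package/dist/esm/services/DefaultServiceAuthorizer.d.ts
@@ -1,4 +1,5 @@
 import { RequestAnalysis, ResourceAnalysis } from '../evaluate.js';
+import { RequestResource } from '../request/requestResource.js';
 import { ServiceAuthorizationRequest, ServiceAuthorizer } from './ServiceAuthorizer.js';
 /**
 * The default authorizer for services.
@@ -12,6 +13,6 @@ export declare class DefaultServiceAuthorizer implements ServiceAuthorizer {
 * @param resourceAnalysis - The resource policy analysis
 * @returns true if the service trusts the principal's account IAM policies
 */
-serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis): boolean;
+serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis, resource: RequestResource): boolean;
 }
 //# sourceMappingURL=DefaultServiceAuthorizer.d.ts.map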
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;
|
|
1
|
+
{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AAClE,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAA;AAE/D,OAAO,EAAE,2BAA2B,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAEvF;;GAEG;AACH,qBAAa,wBAAyB,YAAW,iBAAiB;IACzD,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe;IAwKvE;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAW,EAAE,OAAO,EACpB,gBAAgB,EAAE,gBAAgB,EAClC,QAAQ,EAAE,eAAe,GACxB,OAAO;CASX"}
|
|
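--- a/package/dist/esm/services/DefaultServiceAuthorizer.js
+++ b/package/dist/esm/services/DefaultServiceAuthorizer.js
@@ -89,7 +89,7 @@ export class DefaultServiceAuthorizer {
 
 Need to add some tests for this.
 */
-const trustedAccount = this.serviceTrustsPrincipalAccount(sameAccount, request.resourceAnalysis);
+const trustedAccount = this.serviceTrustsPrincipalAccount(sameAccount, request.resourceAnalysis, request.request.resource);
 if (resourcePolicyResult === 'Allowed' ||
 (trustedAccount && identityStatementResult === 'Allowed')) {
 return {
@@ -141,7 +141,7 @@ export class DefaultServiceAuthorizer {
 * @param resourceAnalysis - The resource policy analysis
 * @returns true if the service trusts the principal's account IAM policies
 */
-serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis) {
+serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis, resource) {
 if (sameAccount) {
 return true;
 }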
@@ -1 +1 @@
1
-
{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"
1
+
{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,YAAY,EAAE,MAAM,YAAY,CAAA;AAG/E;;GAEG;AACH,MAAM,OAAO,wBAAwB;IAC5B,SAAS,CAAC,OAAoC;QACnD,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,uBAAuB,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAA;QAC/D,MAAM,oBAAoB,GAAG,OAAO,CAAC,gBAAgB,EAAE,MAAM,CAAA;QAC7D,MAAM,wBAAwB,GAAG,OAAO,CAAC,0BAA0B,EAAE,MAAM,CAAA;QAE3E,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;QAC7D,MAAM,WAAW,GAAG,gBAAgB,KAAK,eAAe,CAAA;QAExD,MAAM,UAAU,GAQZ;YACF,WAAW;YACX,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,0BAA0B,EAAE,OAAO,CAAC,0BAA0B;SAC/D,CAAA;QAED,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IACE,oBAAoB,KAAK,kBAAkB;YAC3C,oBAAoB,KAAK,kBAAkB,EAC3C,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,uBAAuB,KAAK,kBAAkB,EAAE,CAAC;YACnD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACpD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,cAAc;QACd,IAAI,gBAAgB,KAAK,eAAe,EAAE,CAAC;YACzC,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;gBACpD;;;;;;;mBAOG;gBACH,IAAI,oBAAoB,KAAK,SAAS,EAAE,CAAC;oBACvC,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;oBACnD,IACE,gBAAgB,CAAC,SAAS,CAAC;wBAC3B,YAAY,CAAC,SAAS,CAAC;wBACvB,kBAAkB,CAAC,SAAS,CAAC,EAC7B,CAAC;wBACD,IACE,OAAO,CAAC,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC3C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,OAAO,CACpD,EACD,CAAC;4BACD,OAAO;gCACL,MAAM,EAAE,SAAS;gCACjB,GAAG,UAAU;6BACd,CAAA;wBACH,CAAC;oBACH,CAA
C;gBACH,CAAC;gBACD,OAAO;oBACL,MAAM,EAAE,kBAAkB;oBAC1B,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YAED;;;;;;;;cAQE;YAEF,MAAM,cAAc,GAAG,IAAI,CAAC,6BAA6B,CACvD,WAAW,EACX,OAAO,CAAC,gBAAgB,EACxB,OAAO,CAAC,OAAO,CAAC,QAAQ,CACzB,CAAA;YACD,IACE,oBAAoB,KAAK,SAAS;gBAClC,CAAC,cAAc,IAAI,uBAAuB,KAAK,SAAS,CAAC,EACzD,CAAC;gBACD,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,eAAe;QACf,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACpD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,oBAAoB,KAAK,SAAS,IAAI,oBAAoB,KAAK,mBAAmB,EAAE,CAAC;YACvF,IAAI,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBAC1C,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,OAAO;YACL,MAAM,EAAE,kBAAkB;YAC1B,GAAG,UAAU;SACd,CAAA;QAED;;;;;;;WAOG;IACL,CAAC;IAED;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAoB,EACpB,gBAAkC,EAClC,QAAyB;QAEzB,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,IAAI,CAAA;QACb,CAAC;QAED,OAAO,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC1C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,mBAAmB,CAChE,CAAA;IACH,CAAC;CACF"}
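--- a/package/dist/esm/services/KmsServiceAuthorizer.d.ts
+++ b/package/dist/esm/services/KmsServiceAuthorizer.d.ts
@@ -1,4 +1,5 @@
 import { ResourceAnalysis } from '../evaluate.js';
+import { RequestResource } from '../request/requestResource.js';
 import { DefaultServiceAuthorizer } from './DefaultServiceAuthorizer.js';
 /**
 * The default authorizer for services.
@@ -11,6 +12,6 @@ export declare class KmsServiceAuthorizer extends DefaultServiceAuthorizer {
 * @param resourceAnalysis - The resource policy analysis
 * @returns true if the service trusts the principal's account IAM policies
 */
-serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis): boolean;
+serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis, resource: RequestResource): boolean;
 }
 //# sourceMappingURL=KmsServiceAuthorizer.d.ts.map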
@@ -1 +1 @@
1
-
{"version":3,"file":"KmsServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/KmsServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACjD,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAA;AAExE;;GAEG;AACH,qBAAa,oBAAqB,SAAQ,wBAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,
1
+
{"version":3,"file":"KmsServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/KmsServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAA;AAC/D,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAA;AAExE;;GAEG;AACH,qBAAa,oBAAqB,SAAQ,wBAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAW,EAAE,OAAO,EACpB,gBAAgB,EAAE,gBAAgB,EAClC,QAAQ,EAAE,eAAe,GACxB,OAAO;CAQX"}
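--- a/package/dist/esm/services/KmsServiceAuthorizer.js
+++ b/package/dist/esm/services/KmsServiceAuthorizer.js
@@ -10,7 +10,10 @@ export class KmsServiceAuthorizer extends DefaultServiceAuthorizer {
 * @param resourceAnalysis - The resource policy analysis
 * @returns true if the service trusts the principal's account IAM policies
 */
-serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis) {
+serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis, resource) {
+if (sameAccount && resource.value() == '*') {
+return true;
+}
 return resourceAnalysis.allowStatements.some((statement) => statement.principalMatch === 'AccountLevelMatch');
 }
 }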
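Review bot: The new guard on line 14 uses loose equality, `resource.value() == '*'`, while the remaining comparison in this method and the base class use strict equality; change it to `if (sameAccount && resource.value() === '*') {` so only an actual `'*'` string can skip the key-policy check rather than any value that coerces to it. The shortcut is also unexplained: the hunk gives no reason why a wildcard resource in the same account should trust IAM policies without an `AccountLevelMatch` statement (presumably because KMS actions that are not scoped to a key have no key policy to consult — confirm against the source), and since this is the one place the authorizer widens access, the JSDoc above should state it, e.g. `* @param resource - The resource of the request; a wildcard resource has no key policy to evaluate, so same-account IAM policies decide`. Note that `resource.value()` is called unconditionally, so any remaining caller of the old two-argument form would throw here rather than fall through to the key-policy check. Being compiled output under dist/, the fix belongs in the TypeScript source the sourcemap references (src/services/KmsServiceAuthorizer.ts).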
@@ -1 +1 @@
1
-
{"version":3,"file":"KmsServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/KmsServiceAuthorizer.ts"],"names":[],"mappings":"
1
+
{"version":3,"file":"KmsServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/KmsServiceAuthorizer.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAA;AAExE;;GAEG;AACH,MAAM,OAAO,oBAAqB,SAAQ,wBAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAoB,EACpB,gBAAkC,EAClC,QAAyB;QAEzB,IAAI,WAAW,IAAI,QAAQ,CAAC,KAAK,EAAE,IAAI,GAAG,EAAE,CAAC;YAC3C,OAAO,IAAI,CAAA;QACb,CAAC;QACD,OAAO,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC1C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,mBAAmB,CAChE,CAAA;IACH,CAAC;CACF"}
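--- a/package/dist/esm/services/StsServiceAuthorizer.d.ts
+++ b/package/dist/esm/services/StsServiceAuthorizer.d.ts
@@ -1,4 +1,5 @@
 import { ResourceAnalysis } from '../evaluate.js';
+import { RequestResource } from '../request/requestResource.js';
 import { DefaultServiceAuthorizer } from './DefaultServiceAuthorizer.js';
 /**
 * The default authorizer for services.
@@ -11,6 +12,6 @@ export declare class StsServiceAuthorizer extends DefaultServiceAuthorizer {
 * @param resourceAnalysis - The resource policy analysis
 * @returns true if the service trusts the principal's account IAM policies
 */
-serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis): boolean;
+serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis, resource: RequestResource): boolean;
 }
 //# sourceMappingURL=StsServiceAuthorizer.d.ts.map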
@@ -1 +1 @@
1
-
{"version":3,"file":"StsServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/StsServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACjD,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAA;AAExE;;GAEG;AACH,qBAAa,oBAAqB,SAAQ,wBAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,
1
+
{"version":3,"file":"StsServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/StsServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAA;AAC/D,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAA;AAExE;;GAEG;AACH,qBAAa,oBAAqB,SAAQ,wBAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAW,EAAE,OAAO,EACpB,gBAAgB,EAAE,gBAAgB,EAClC,QAAQ,EAAE,eAAe,GACxB,OAAO;CAQX"}
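--- a/package/dist/esm/services/StsServiceAuthorizer.js
+++ b/package/dist/esm/services/StsServiceAuthorizer.js
@@ -10,7 +10,7 @@ export class StsServiceAuthorizer extends DefaultServiceAuthorizer {
 * @param resourceAnalysis - The resource policy analysis
 * @returns true if the service trusts the principal's account IAM policies
 */
-serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis) {
+serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis, resource) {
 if (sameAccount && resourceAnalysis.result === 'NotApplicable') {
 return true;
 }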
@@ -1 +1 @@
1
-
{"version":3,"file":"StsServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/StsServiceAuthorizer.ts"],"names":[],"mappings":"
1
+
{"version":3,"file":"StsServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/StsServiceAuthorizer.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAA;AAExE;;GAEG;AACH,MAAM,OAAO,oBAAqB,SAAQ,wBAAwB;IAChE;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAoB,EACpB,gBAAkC,EAClC,QAAyB;QAEzB,IAAI,WAAW,IAAI,gBAAgB,CAAC,MAAM,KAAK,eAAe,EAAE,CAAC;YAC/D,OAAO,IAAI,CAAA;QACb,CAAC;QACD,OAAO,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC1C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,mBAAmB,CAChE,CAAA;IACH,CAAC;CACF"}