@cloud-copilot/iam-simulate 0.1.4 → 0.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (113) hide show
  1. package/dist/cjs/ConditionKeys.d.ts +19 -0
  2. package/dist/cjs/ConditionKeys.d.ts.map +1 -0
  3. package/dist/cjs/ConditionKeys.js +27 -0
  4. package/dist/cjs/ConditionKeys.js.map +1 -0
  5. package/dist/cjs/SCPAnalysis.d.ts +6 -0
  6. package/dist/cjs/SCPAnalysis.d.ts.map +1 -0
  7. package/dist/cjs/SCPAnalysis.js +3 -0
  8. package/dist/cjs/SCPAnalysis.js.map +1 -0
  9. package/dist/cjs/context_keys/findContextKeys.d.ts +19 -0
  10. package/dist/cjs/context_keys/findContextKeys.d.ts.map +1 -0
  11. package/dist/cjs/context_keys/findContextKeys.js +57 -0
  12. package/dist/cjs/context_keys/findContextKeys.js.map +1 -0
  13. package/dist/cjs/core_engine/coreSimulatorEngine.d.ts +39 -0
  14. package/dist/cjs/core_engine/coreSimulatorEngine.d.ts.map +1 -1
  15. package/dist/cjs/core_engine/coreSimulatorEngine.js +56 -0
  16. package/dist/cjs/core_engine/coreSimulatorEngine.js.map +1 -1
  17. package/dist/cjs/evaluate.d.ts +1 -0
  18. package/dist/cjs/evaluate.d.ts.map +1 -1
  19. package/dist/cjs/global_conditions/globalConditionKeys.d.ts +17 -0
  20. package/dist/cjs/global_conditions/globalConditionKeys.d.ts.map +1 -0
  21. package/dist/cjs/global_conditions/globalConditionKeys.js +296 -0
  22. package/dist/cjs/global_conditions/globalConditionKeys.js.map +1 -0
  23. package/dist/cjs/index.d.ts +3 -0
  24. package/dist/cjs/index.d.ts.map +1 -1
  25. package/dist/cjs/index.js +7 -1
  26. package/dist/cjs/index.js.map +1 -1
  27. package/dist/cjs/principal/principal.d.ts +9 -1
  28. package/dist/cjs/principal/principal.d.ts.map +1 -1
  29. package/dist/cjs/principal/principal.js +17 -0
  30. package/dist/cjs/principal/principal.js.map +1 -1
  31. package/dist/cjs/request/requestPrincipal.d.ts.map +1 -1
  32. package/dist/cjs/request/requestPrincipal.js.map +1 -1
  33. package/dist/cjs/services/DefaultServiceAuthorizer.d.ts +30 -1
  34. package/dist/cjs/services/DefaultServiceAuthorizer.d.ts.map +1 -1
  35. package/dist/cjs/services/DefaultServiceAuthorizer.js +93 -7
  36. package/dist/cjs/services/DefaultServiceAuthorizer.js.map +1 -1
  37. package/dist/cjs/services/ServiceAuthorizer.d.ts +3 -0
  38. package/dist/cjs/services/ServiceAuthorizer.d.ts.map +1 -1
  39. package/dist/cjs/simulation_engine/contextKeys.d.ts +9 -1
  40. package/dist/cjs/simulation_engine/contextKeys.d.ts.map +1 -1
  41. package/dist/cjs/simulation_engine/contextKeys.js +27 -40
  42. package/dist/cjs/simulation_engine/contextKeys.js.map +1 -1
  43. package/dist/cjs/simulation_engine/simulation.d.ts +12 -1
  44. package/dist/cjs/simulation_engine/simulation.d.ts.map +1 -1
  45. package/dist/cjs/simulation_engine/simulationEngine.d.ts +15 -0
  46. package/dist/cjs/simulation_engine/simulationEngine.d.ts.map +1 -1
  47. package/dist/cjs/simulation_engine/simulationEngine.js +133 -12
  48. package/dist/cjs/simulation_engine/simulationEngine.js.map +1 -1
  49. package/dist/cjs/simulation_engine/unsafeSimulationEngine.d.ts +1 -1
  50. package/dist/cjs/simulation_engine/unsafeSimulationEngine.d.ts.map +1 -1
  51. package/dist/cjs/simulation_engine/unsafeSimulationEngine.js +13 -4
  52. package/dist/cjs/simulation_engine/unsafeSimulationEngine.js.map +1 -1
  53. package/dist/cjs/util.d.ts +69 -0
  54. package/dist/cjs/util.d.ts.map +1 -1
  55. package/dist/cjs/util.js +166 -0
  56. package/dist/cjs/util.js.map +1 -1
  57. package/dist/esm/ConditionKeys.d.ts +19 -0
  58. package/dist/esm/ConditionKeys.d.ts.map +1 -0
  59. package/dist/esm/ConditionKeys.js +23 -0
  60. package/dist/esm/ConditionKeys.js.map +1 -0
  61. package/dist/esm/SCPAnalysis.d.ts +6 -0
  62. package/dist/esm/SCPAnalysis.d.ts.map +1 -0
  63. package/dist/esm/SCPAnalysis.js +2 -0
  64. package/dist/esm/SCPAnalysis.js.map +1 -0
  65. package/dist/esm/context_keys/findContextKeys.d.ts +19 -0
  66. package/dist/esm/context_keys/findContextKeys.d.ts.map +1 -0
  67. package/dist/esm/context_keys/findContextKeys.js +53 -0
  68. package/dist/esm/context_keys/findContextKeys.js.map +1 -0
  69. package/dist/esm/core_engine/coreSimulatorEngine.d.ts +39 -0
  70. package/dist/esm/core_engine/coreSimulatorEngine.d.ts.map +1 -1
  71. package/dist/esm/core_engine/coreSimulatorEngine.js +54 -0
  72. package/dist/esm/core_engine/coreSimulatorEngine.js.map +1 -1
  73. package/dist/esm/evaluate.d.ts +1 -0
  74. package/dist/esm/evaluate.d.ts.map +1 -1
  75. package/dist/esm/global_conditions/globalConditionKeys.d.ts +17 -0
  76. package/dist/esm/global_conditions/globalConditionKeys.d.ts.map +1 -0
  77. package/dist/esm/global_conditions/globalConditionKeys.js +290 -0
  78. package/dist/esm/global_conditions/globalConditionKeys.js.map +1 -0
  79. package/dist/esm/index.d.ts +3 -0
  80. package/dist/esm/index.d.ts.map +1 -1
  81. package/dist/esm/index.js +3 -0
  82. package/dist/esm/index.js.map +1 -1
  83. package/dist/esm/principal/principal.d.ts +9 -1
  84. package/dist/esm/principal/principal.d.ts.map +1 -1
  85. package/dist/esm/principal/principal.js +16 -0
  86. package/dist/esm/principal/principal.js.map +1 -1
  87. package/dist/esm/request/requestPrincipal.d.ts.map +1 -1
  88. package/dist/esm/request/requestPrincipal.js.map +1 -1
  89. package/dist/esm/services/DefaultServiceAuthorizer.d.ts +30 -1
  90. package/dist/esm/services/DefaultServiceAuthorizer.d.ts.map +1 -1
  91. package/dist/esm/services/DefaultServiceAuthorizer.js +93 -7
  92. package/dist/esm/services/DefaultServiceAuthorizer.js.map +1 -1
  93. package/dist/esm/services/ServiceAuthorizer.d.ts +3 -0
  94. package/dist/esm/services/ServiceAuthorizer.d.ts.map +1 -1
  95. package/dist/esm/simulation_engine/contextKeys.d.ts +9 -1
  96. package/dist/esm/simulation_engine/contextKeys.d.ts.map +1 -1
  97. package/dist/esm/simulation_engine/contextKeys.js +28 -40
  98. package/dist/esm/simulation_engine/contextKeys.js.map +1 -1
  99. package/dist/esm/simulation_engine/simulation.d.ts +12 -1
  100. package/dist/esm/simulation_engine/simulation.d.ts.map +1 -1
  101. package/dist/esm/simulation_engine/simulationEngine.d.ts +15 -0
  102. package/dist/esm/simulation_engine/simulationEngine.d.ts.map +1 -1
  103. package/dist/esm/simulation_engine/simulationEngine.js +133 -13
  104. package/dist/esm/simulation_engine/simulationEngine.js.map +1 -1
  105. package/dist/esm/simulation_engine/unsafeSimulationEngine.d.ts +1 -1
  106. package/dist/esm/simulation_engine/unsafeSimulationEngine.d.ts.map +1 -1
  107. package/dist/esm/simulation_engine/unsafeSimulationEngine.js +13 -4
  108. package/dist/esm/simulation_engine/unsafeSimulationEngine.js.map +1 -1
  109. package/dist/esm/util.d.ts +69 -0
  110. package/dist/esm/util.d.ts.map +1 -1
  111. package/dist/esm/util.js +158 -0
  112. package/dist/esm/util.js.map +1 -1
  113. package/package.json +2 -2
@@ -1,6 +1,9 @@
1
+ export { findContextKeys } from './context_keys/findContextKeys.js';
1
2
  export { type EvaluationResult } from './evaluate.js';
3
+ export { allowedContextKeysForRequest } from './simulation_engine/contextKeys.js';
2
4
  export { type Simulation } from './simulation_engine/simulation.js';
3
5
  export { runSimulation } from './simulation_engine/simulationEngine.js';
4
6
  export { type SimulationOptions } from './simulation_engine/simulationOptions.js';
5
7
  export { runUnsafeSimulation } from './simulation_engine/unsafeSimulationEngine.js';
8
+ export { isWildcardOnlyAction } from './util.js';
6
9
  //# sourceMappingURL=index.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACtD,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,mCAAmC,CAAC;AACpE,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAC;AACxE,OAAO,EAAE,KAAK,iBAAiB,EAAE,MAAM,0CAA0C,CAAC;AAClF,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAC"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAC;AACpE,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACtD,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAC;AAClF,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,mCAAmC,CAAC;AACpE,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAC;AACxE,OAAO,EAAE,KAAK,iBAAiB,EAAE,MAAM,0CAA0C,CAAC;AAClF,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAC;AACpF,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC"}
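--- a/package/dist/cjs/index.js
+++ b/package/dist/cjs/index.js
@@ -1,8 +1,14 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.runUnsafeSimulation = exports.runSimulation = void 0;
+exports.isWildcardOnlyAction = exports.runUnsafeSimulation = exports.runSimulation = exports.allowedContextKeysForRequest = exports.findContextKeys = void 0;
+var findContextKeys_js_1 = require("./context_keys/findContextKeys.js");
+Object.defineProperty(exports, "findContextKeys", { enumerable: true, get: function () { return findContextKeys_js_1.findContextKeys; } });
+var contextKeys_js_1 = require("./simulation_engine/contextKeys.js");
+Object.defineProperty(exports, "allowedContextKeysForRequest", { enumerable: true, get: function () { return contextKeys_js_1.allowedContextKeysForRequest; } });
 var simulationEngine_js_1 = require("./simulation_engine/simulationEngine.js");
 Object.defineProperty(exports, "runSimulation", { enumerable: true, get: function () { return simulationEngine_js_1.runSimulation; } });
 var unsafeSimulationEngine_js_1 = require("./simulation_engine/unsafeSimulationEngine.js");
 Object.defineProperty(exports, "runUnsafeSimulation", { enumerable: true, get: function () { return unsafeSimulationEngine_js_1.runUnsafeSimulation; } });
+var util_js_1 = require("./util.js");
+Object.defineProperty(exports, "isWildcardOnlyAction", { enumerable: true, get: function () { return util_js_1.isWildcardOnlyAction; } });
 //# sourceMappingURL=index.js.map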
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAEA,+EAAwE;AAA/D,oHAAA,aAAa,OAAA;AAEtB,2FAAoF;AAA3E,gIAAA,mBAAmB,OAAA"}
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,wEAAoE;AAA3D,qHAAA,eAAe,OAAA;AAExB,qEAAkF;AAAzE,8HAAA,4BAA4B,OAAA;AAErC,+EAAwE;AAA/D,oHAAA,aAAa,OAAA;AAEtB,2FAAoF;AAA3E,gIAAA,mBAAmB,OAAA;AAC5B,qCAAiD;AAAxC,+GAAA,oBAAoB,OAAA"}
@@ -1,4 +1,4 @@
1
- import { Principal } from "@cloud-copilot/iam-policy";
1
+ import { Principal, Statement } from "@cloud-copilot/iam-policy";
2
2
  import { AwsRequest } from "../request/request.js";
3
3
  export type PrincipalMatchResult = 'Match' | 'NoMatch' | 'AccountLevelMatch';
4
4
  /**
@@ -27,4 +27,12 @@ export declare function requestMatchesNotPrincipal(request: AwsRequest, notPrinc
27
27
  export declare function requestMatchesPrincipalStatement(request: AwsRequest, principalStatement: Principal): PrincipalMatchResult;
28
28
  export declare function isAssumedRoleArn(principal: string): boolean;
29
29
  export declare function roleArnFromAssumedRoleArn(assumedRoleArn: string): string;
30
+ /**
31
+ * Check if a request matches the Resource or NotResource elements of a statement.
32
+ *
33
+ * @param request the request to check
34
+ * @param statement the statement to check against
35
+ * @returns true if the request matches the resources in the statement, false otherwise
36
+ */
37
+ export declare function requestMatchesStatementPrincipals(request: AwsRequest, statement: Statement): PrincipalMatchResult;
30
38
  //# sourceMappingURL=principal.d.ts.map
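Review bot: The JSDoc added for `requestMatchesStatementPrincipals` documents a different function: it says the method checks `the Resource or NotResource elements` and returns `true ... false`, while the name and the declared return type `PrincipalMatchResult` say it evaluates the statement's Principal/NotPrincipal element. Suggest `Check if a request matches the Principal or NotPrincipal element of a statement.` for the summary and `@returns the PrincipalMatchResult ('Match', 'NoMatch' or 'AccountLevelMatch') for the statement's principal element` for the return line. Distinguishing 'Match' from 'AccountLevelMatch' is exactly how a resource-policy grant to an account root is told apart from a grant to the principal itself, so the doc should not suggest a boolean result.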
@@ -1 +1 @@
1
- {"version":3,"file":"principal.d.ts","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AA4CnD,MAAM,MAAM,oBAAoB,GAAG,OAAO,GAAG,SAAS,GAAG,mBAAmB,CAAA;AAE5E;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,oBAAoB,CAWzG;AAED;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,SAAS,EAAE,GAAG,oBAAoB,CAiB/G;AAED;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAAC,OAAO,EAAE,UAAU,EAAE,kBAAkB,EAAE,SAAS,GAAG,oBAAoB,CAgDzH;AAID,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAE3D;AAED,wBAAgB,yBAAyB,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAKxE"}
1
+ {"version":3,"file":"principal.d.ts","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AA4CnD,MAAM,MAAM,oBAAoB,GAAG,OAAO,GAAG,SAAS,GAAG,mBAAmB,CAAA;AAE5E;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,oBAAoB,CAWzG;AAED;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,SAAS,EAAE,GAAG,oBAAoB,CAiB/G;AAED;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAAC,OAAO,EAAE,UAAU,EAAE,kBAAkB,EAAE,SAAS,GAAG,oBAAoB,CAgDzH;AAID,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAE3D;AAED,wBAAgB,yBAAyB,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAKxE;AAED;;;;;;GAMG;AACH,wBAAgB,iCAAiC,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,GAAG,oBAAoB,CAOjH"}
@@ -5,6 +5,7 @@ exports.requestMatchesNotPrincipal = requestMatchesNotPrincipal;
5
5
  exports.requestMatchesPrincipalStatement = requestMatchesPrincipalStatement;
6
6
  exports.isAssumedRoleArn = isAssumedRoleArn;
7
7
  exports.roleArnFromAssumedRoleArn = roleArnFromAssumedRoleArn;
8
+ exports.requestMatchesStatementPrincipals = requestMatchesStatementPrincipals;
8
9
  /**
9
10
  * Check to see if a request matches a Principal element in an IAM policy statement
10
11
  *
@@ -104,4 +105,20 @@ function roleArnFromAssumedRoleArn(assumedRoleArn) {
104
105
  const rolePathAndName = resourceParts.slice(1, -1).join('/');
105
106
  return `arn:aws:iam::${stsParts[4]}:role/${rolePathAndName}`;
106
107
  }
108
+ /**
109
+ * Check if a request matches the Resource or NotResource elements of a statement.
110
+ *
111
+ * @param request the request to check
112
+ * @param statement the statement to check against
113
+ * @returns true if the request matches the resources in the statement, false otherwise
114
+ */
115
+ function requestMatchesStatementPrincipals(request, statement) {
116
+ if (statement.isPrincipalStatement()) {
117
+ return requestMatchesPrincipal(request, statement.principals());
118
+ }
119
+ else if (statement.isNotPrincipalStatement()) {
120
+ return requestMatchesNotPrincipal(request, statement.notPrincipals());
121
+ }
122
+ throw new Error('Statement should have Principal or NotPrincipal');
123
+ }
107
124
  //# sourceMappingURL=principal.js.map
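Review bot: `requestMatchesStatementPrincipals` throws `'Statement should have Principal or NotPrincipal'` for any statement carrying neither element, which is the shape of every identity-based policy statement, so routing the wrong statement type here surfaces as an exception rather than a `'NoMatch'`; that precondition is absent from the JSDoc, which was copy-pasted from a resource matcher (`Resource or NotResource`, `true ... false`) even though the function returns a `PrincipalMatchResult`. Suggest the summary `Check if a request matches the Principal or NotPrincipal element of a resource-based policy statement.`, the return line `@returns the PrincipalMatchResult from requestMatchesPrincipal or requestMatchesNotPrincipal`, and a `@throws Error if the statement has neither a Principal nor a NotPrincipal element` line. `roleArnFromAssumedRoleArn` at the top of the hunk is unchanged context, not part of this change.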
@@ -1 +1 @@
1
- {"version":3,"file":"principal.js","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":";;AAsDA,0DAWC;AASD,gEAiBC;AASD,4EAgDC;AAID,4CAEC;AAED,8DAKC;AAlHD;;;;;;GAMG;AACH,SAAgB,uBAAuB,CAAC,OAAmB,EAAE,SAAsB;IACjF,MAAM,OAAO,GAAG,SAAS,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAE,CAAC,gCAAgC,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC,CAAA;IAClH,IAAG,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7B,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,IAAG,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;QACzC,OAAO,mBAAmB,CAAA;IAC5B,CAAC;IAED,OAAO,SAAS,CAAA;AAClB,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,0BAA0B,CAAC,OAAmB,EAAE,YAAyB;IACvF,MAAM,OAAO,GAAG,YAAY,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAE,CAAC,gCAAgC,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC,CAAA;IACrH,IAAG,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7B,OAAO,SAAS,CAAA;IAClB,CAAC;IAED;;;;;OAKG;IACH,IAAG,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;QACzC,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,gCAAgC,CAAC,OAAmB,EAAE,kBAA6B;IACjG,IAAG,kBAAkB,CAAC,kBAAkB,EAAE,EAAE,CAAC;QAC3C,IAAG,kBAAkB,CAAC,OAAO,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAC9D,OAAO,OAAO,CAAA;QAChB,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAG,kBAAkB,CAAC,wBAAwB,EAAE,EAAE,CAAC;QACjD,IAAG,kBAAkB,CAAC,aAAa,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YACpE,OAAO,OAAO,CAAA;QAChB,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAG,kBAAkB,CAAC,oBAAoB,EAAE,EAAE,CAAC;QAC7C,IAAG,kBAAkB,CAAC,SAAS,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAChE,OAAO,OAAO,CAAA;QAChB,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAG,kBAAkB,CAAC,mBAAmB,EAAE,EAAE,CAAC;QAC5C,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,IAAG,kBAAkB,CAAC,kBAAkB,EAAE,EAAE,CAAC;QAC3C,IAAG,kBAAkB,CAAC,SAAS,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,CAAC;YACpE,OAAO,mBAAmB,CAAA;QAC5B,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAG,kBAAkB,CAAC,cAAc,EAAE,EAAE,CAAC;QACvC,IAAG,gBAAgB,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC;YAC/C,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;YAC5C,MAAM,OAAO,GAAG,yBAAyB,CAAC,UAA
U,CAAC,CAAA;YACrD,IAAG,kBAAkB,CAAC,GAAG,EAAE,KAAM,OAAO,IAAI,kBAAkB,CAAC,GAAG,EAAE,KAAK,UAAU,EAAE,CAAC;gBACpF,OAAO,OAAO,CAAA;YAChB,CAAC;QACH,CAAC;QAED,IAAG,kBAAkB,CAAC,GAAG,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAC1D,OAAO,OAAO,CAAA;QAChB,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAA;AAClB,CAAC;AAED,MAAM,mBAAmB,GAAG,wCAAwC,CAAA;AAEpE,SAAgB,gBAAgB,CAAC,SAAiB;IAChD,OAAO,mBAAmB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;AAC5C,CAAC;AAED,SAAgB,yBAAyB,CAAC,cAAsB;IAC9D,MAAM,QAAQ,GAAG,cAAc,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC1C,MAAM,aAAa,GAAG,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,CAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACjD,MAAM,eAAe,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IAC5D,OAAO,gBAAgB,QAAQ,CAAC,CAAC,CAAC,SAAS,eAAe,EAAE,CAAA;AAC9D,CAAC"}
1
+ {"version":3,"file":"principal.js","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":";;AAsDA,0DAWC;AASD,gEAiBC;AASD,4EAgDC;AAID,4CAEC;AAED,8DAKC;AASD,8EAOC;AAlID;;;;;;GAMG;AACH,SAAgB,uBAAuB,CAAC,OAAmB,EAAE,SAAsB;IACjF,MAAM,OAAO,GAAG,SAAS,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAE,CAAC,gCAAgC,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC,CAAA;IAClH,IAAG,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7B,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,IAAG,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;QACzC,OAAO,mBAAmB,CAAA;IAC5B,CAAC;IAED,OAAO,SAAS,CAAA;AAClB,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,0BAA0B,CAAC,OAAmB,EAAE,YAAyB;IACvF,MAAM,OAAO,GAAG,YAAY,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAE,CAAC,gCAAgC,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC,CAAA;IACrH,IAAG,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7B,OAAO,SAAS,CAAA;IAClB,CAAC;IAED;;;;;OAKG;IACH,IAAG,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;QACzC,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,gCAAgC,CAAC,OAAmB,EAAE,kBAA6B;IACjG,IAAG,kBAAkB,CAAC,kBAAkB,EAAE,EAAE,CAAC;QAC3C,IAAG,kBAAkB,CAAC,OAAO,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAC9D,OAAO,OAAO,CAAA;QAChB,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAG,kBAAkB,CAAC,wBAAwB,EAAE,EAAE,CAAC;QACjD,IAAG,kBAAkB,CAAC,aAAa,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YACpE,OAAO,OAAO,CAAA;QAChB,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAG,kBAAkB,CAAC,oBAAoB,EAAE,EAAE,CAAC;QAC7C,IAAG,kBAAkB,CAAC,SAAS,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAChE,OAAO,OAAO,CAAA;QAChB,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAG,kBAAkB,CAAC,mBAAmB,EAAE,EAAE,CAAC;QAC5C,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,IAAG,kBAAkB,CAAC,kBAAkB,EAAE,EAAE,CAAC;QAC3C,IAAG,kBAAkB,CAAC,SAAS,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,CAAC;YACpE,OAAO,mBAAmB,CAAA;QAC5B,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAG,kBAAkB,CAAC,cAAc,EAAE,EAAE,CAAC;QACvC,IAAG,gBAAgB,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC;YAC/C,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;YAC5C,MAAM,OAAO,GAAG,yBAA
yB,CAAC,UAAU,CAAC,CAAA;YACrD,IAAG,kBAAkB,CAAC,GAAG,EAAE,KAAM,OAAO,IAAI,kBAAkB,CAAC,GAAG,EAAE,KAAK,UAAU,EAAE,CAAC;gBACpF,OAAO,OAAO,CAAA;YAChB,CAAC;QACH,CAAC;QAED,IAAG,kBAAkB,CAAC,GAAG,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAC1D,OAAO,OAAO,CAAA;QAChB,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAA;AAClB,CAAC;AAED,MAAM,mBAAmB,GAAG,wCAAwC,CAAA;AAEpE,SAAgB,gBAAgB,CAAC,SAAiB;IAChD,OAAO,mBAAmB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;AAC5C,CAAC;AAED,SAAgB,yBAAyB,CAAC,cAAsB;IAC9D,MAAM,QAAQ,GAAG,cAAc,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC1C,MAAM,aAAa,GAAG,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,CAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACjD,MAAM,eAAe,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IAC5D,OAAO,gBAAgB,QAAQ,CAAC,CAAC,CAAC,SAAS,eAAe,EAAE,CAAA;AAC9D,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,iCAAiC,CAAC,OAAmB,EAAE,SAAoB;IACzF,IAAG,SAAS,CAAC,oBAAoB,EAAE,EAAE,CAAC;QACpC,OAAO,uBAAuB,CAAC,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE,CAAC,CAAA;IACjE,CAAC;SAAM,IAAG,SAAS,CAAC,uBAAuB,EAAE,EAAE,CAAC;QAC9C,OAAO,0BAA0B,CAAC,OAAO,EAAE,SAAS,CAAC,aAAa,EAAE,CAAC,CAAC;IACxE,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAA;AACpE,CAAC"}
@@ -1 +1 @@
1
- {"version":3,"file":"requestPrincipal.d.ts","sourceRoot":"","sources":["../../../src/request/requestPrincipal.ts"],"names":[],"mappings":"AACA;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAE/B;;OAEG;IACH,KAAK,IAAI,MAAM,CAAC;IAEhB;;OAEG;IACH,SAAS,IAAI,MAAM,GAAG,SAAS,CAAC;CAEjC;AAED,qBAAa,oBAAqB,YAAW,gBAAgB;IAC/C,OAAO,CAAC,QAAQ,CAAC,QAAQ;gBAAR,QAAQ,EAAE,MAAM;IAE7C,SAAS,IAAI,MAAM,GAAG,SAAS;IAIxB,KAAK,IAAI,MAAM;CAGvB"}
1
+ {"version":3,"file":"requestPrincipal.d.ts","sourceRoot":"","sources":["../../../src/request/requestPrincipal.ts"],"names":[],"mappings":"AACA;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAE/B;;OAEG;IACH,KAAK,IAAI,MAAM,CAAC;IAEhB;;OAEG;IACH,SAAS,IAAI,MAAM,GAAG,SAAS,CAAC;CAEjC;AAED,qBAAa,oBAAqB,YAAW,gBAAgB;IAC/C,OAAO,CAAC,QAAQ,CAAC,QAAQ;gBAAR,QAAQ,EAAE,MAAM;IAE7C,SAAS,IAAI,MAAM,GAAG,SAAS;IAIxB,KAAK,IAAI,MAAM;CAKvB"}
@@ -1 +1 @@
1
- {"version":3,"file":"requestPrincipal.js","sourceRoot":"","sources":["../../../src/request/requestPrincipal.ts"],"names":[],"mappings":";;;AAkBA,MAAa,oBAAoB;IACF;IAA7B,YAA6B,QAAgB;QAAhB,aAAQ,GAAR,QAAQ,CAAQ;IAAG,CAAC;IAEjD,SAAS;QACP,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IACvC,CAAC;IAEM,KAAK;QACV,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;CACF;AAVD,oDAUC"}
1
+ {"version":3,"file":"requestPrincipal.js","sourceRoot":"","sources":["../../../src/request/requestPrincipal.ts"],"names":[],"mappings":";;;AAkBA,MAAa,oBAAoB;IACF;IAA7B,YAA6B,QAAgB;QAAhB,aAAQ,GAAR,QAAQ,CAAQ;IAAG,CAAC;IAEjD,SAAS;QACP,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IACvC,CAAC;IAEM,KAAK;QACV,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;CAGF;AAZD,oDAYC"}
@@ -1,9 +1,38 @@
1
- import { EvaluationResult } from "../evaluate.js";
1
+ import { EvaluationResult, ResourceEvaluationResult } from "../evaluate.js";
2
2
  import { StatementAnalysis } from "../StatementAnalysis.js";
3
3
  import { ServiceAuthorizationRequest, ServiceAuthorizer } from "./ServiceAuthorizer.js";
4
+ /**
5
+ * The default authorizer for services.
6
+ */
4
7
  export declare class DefaultServiceAuthorizer implements ServiceAuthorizer {
5
8
  authorize(request: ServiceAuthorizationRequest): EvaluationResult;
9
+ /**
10
+ * Determine the result of the SCP analysis.
11
+ *
12
+ * @param request The request to authorize.
13
+ * @returns The result of the SCP analysis.
14
+ */
15
+ serviceControlPolicyResult(request: ServiceAuthorizationRequest): EvaluationResult;
16
+ /**
17
+ * Evaluate the identity statements to determine the result.
18
+ *
19
+ * @param request The request to authorize.
20
+ * @returns The result of the identity statement analysis.
21
+ */
6
22
  identityStatementResult(request: ServiceAuthorizationRequest): EvaluationResult;
23
+ /**
24
+ * Evaluate the resource policy to determine the result.
25
+ *
26
+ * @param request the request to authorize
27
+ * @returns the result of the resource policy analysis
28
+ */
29
+ resourcePolicyResult(request: ServiceAuthorizationRequest): ResourceEvaluationResult;
30
+ /**
31
+ * Checks if a statement is an identity statement that allows the request.
32
+ *
33
+ * @param statement The statement to check.
34
+ * @returns Whether the statement is an identity statement that allows the request.
35
+ */
7
36
  identityStatementAllows(statement: StatementAnalysis): boolean;
8
37
  identityStatementUknownAllow(statement: StatementAnalysis): boolean;
9
38
  identityStatementUknownDeny(statement: StatementAnalysis): boolean;
@@ -1 +1 @@
1
- {"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,EAAE,2BAA2B,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAExF,qBAAa,wBAAyB,YAAW,iBAAiB;IACzD,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,gBAAgB;IAqBjE,uBAAuB,CAAC,OAAO,EAAE,2BAA2B,GAAG,gBAAgB;IAoB/E,uBAAuB,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;IAU9D,4BAA4B,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;IAUnE,2BAA2B,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;IAUlE,6BAA6B,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;CAS5E"}
1
+ {"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,wBAAwB,EAAE,MAAM,gBAAgB,CAAC;AAC5E,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,EAAE,2BAA2B,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAExF;;GAEG;AACH,qBAAa,wBAAyB,YAAW,iBAAiB;IACzD,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,gBAAgB;IAiDxE;;;;;OAKG;IACI,0BAA0B,CAAC,OAAO,EAAE,2BAA2B,GAAG,gBAAgB;IAwBzF;;;;;OAKG;IACI,uBAAuB,CAAC,OAAO,EAAE,2BAA2B,GAAG,gBAAgB;IAoBtF;;;;;OAKG;IACI,oBAAoB,CAAC,OAAO,EAAE,2BAA2B,GAAG,wBAAwB;IAyB3F;;;;;OAKG;IACI,uBAAuB,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;IAU9D,4BAA4B,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;IAUnE,2BAA2B,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;IAUlE,6BAA6B,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;CAS5E"}
@@ -1,27 +1,81 @@
1
1
  "use strict";
2
2
  Object.defineProperty(exports, "__esModule", { value: true });
3
3
  exports.DefaultServiceAuthorizer = void 0;
4
+ /**
5
+ * The default authorizer for services.
6
+ */
4
7
  class DefaultServiceAuthorizer {
5
8
  authorize(request) {
9
+ const scpResult = this.serviceControlPolicyResult(request);
6
10
  const identityStatementResult = this.identityStatementResult(request);
11
+ const resourcePolicyResult = this.resourcePolicyResult(request);
7
12
  const principalAccount = request.request.principal.accountId();
8
13
  const resourceAccount = request.request.resource?.accountId();
14
+ if (scpResult !== 'Allowed') {
15
+ return scpResult;
16
+ }
17
+ if (resourcePolicyResult === 'ExplicitlyDenied' || resourcePolicyResult === 'DeniedForAccount') {
18
+ return 'ExplicitlyDenied';
19
+ }
20
+ if (identityStatementResult === 'ExplicitlyDenied') {
21
+ return 'ExplicitlyDenied';
22
+ }
23
+ //Same Account
24
+ if (principalAccount === resourceAccount) {
25
+ if (resourcePolicyResult === 'Allowed' || resourcePolicyResult === 'AllowedForAccount' || identityStatementResult === 'Allowed') {
26
+ return 'Allowed';
27
+ }
28
+ return 'ImplicitlyDenied';
29
+ }
30
+ //Cross Account
31
+ if (resourcePolicyResult === 'Allowed' || resourcePolicyResult === 'AllowedForAccount') {
32
+ if (identityStatementResult === 'Allowed') {
33
+ return 'Allowed';
34
+ }
35
+ return 'ImplicitlyDenied';
36
+ }
37
+ return 'ImplicitlyDenied';
9
38
  /**
10
39
  * Add checks for:
11
- * * resource policies
12
- * * service control policies
40
+ * * root user
41
+ * * service linked roles
42
+ * * resource control policies
13
43
  * * boundary policies
14
44
  * * vpc endpoint policies
15
45
  * * session policies (maybe these are just part of identity policies?)
16
46
  */
17
- if (identityStatementResult === 'Allowed') {
18
- if (principalAccount === resourceAccount) {
19
- return identityStatementResult;
20
- }
47
+ }
48
+ /**
49
+ * Determine the result of the SCP analysis.
50
+ *
51
+ * @param request The request to authorize.
52
+ * @returns The result of the SCP analysis.
53
+ */
54
+ serviceControlPolicyResult(request) {
55
+ const orgAllows = request.scpAnalysis.map((scpAnalysis) => {
56
+ return scpAnalysis.statementAnalysis.some((statement) => {
57
+ return this.identityStatementAllows(statement);
58
+ });
59
+ });
60
+ if (orgAllows.includes(false)) {
21
61
  return 'ImplicitlyDenied';
22
62
  }
23
- return identityStatementResult;
63
+ const anyScpDeny = request.scpAnalysis.some((scpAnalysis) => {
64
+ return scpAnalysis.statementAnalysis.some((statement) => {
65
+ return this.identityStatementExplicitDeny(statement);
66
+ });
67
+ });
68
+ if (anyScpDeny) {
69
+ return 'ExplicitlyDenied';
70
+ }
71
+ return 'Allowed';
24
72
  }
73
+ /**
74
+ * Evaluate the identity statements to determine the result.
75
+ *
76
+ * @param request The request to authorize.
77
+ * @returns The result of the identity statement analysis.
78
+ */
25
79
  identityStatementResult(request) {
26
80
  const explicitDeny = request.identityStatements.some(s => this.identityStatementExplicitDeny(s));
27
81
  if (explicitDeny) {
@@ -38,6 +92,38 @@ class DefaultServiceAuthorizer {
38
92
  }
39
93
  return 'ImplicitlyDenied';
40
94
  }
95
+ /**
96
+ * Evaluate the resource policy to determine the result.
97
+ *
98
+ * @param request the request to authorize
99
+ * @returns the result of the resource policy analysis
100
+ */
101
+ resourcePolicyResult(request) {
102
+ if (!request.resourceAnalysis) {
103
+ return 'NotApplicable';
104
+ }
105
+ const denyStatements = request.resourceAnalysis.filter(s => this.identityStatementExplicitDeny(s));
106
+ if (denyStatements.some(s => s.principalMatch === 'Match')) {
107
+ return 'ExplicitlyDenied';
108
+ }
109
+ if (denyStatements.some(s => s.principalMatch === 'AccountLevelMatch')) {
110
+ return 'DeniedForAccount';
111
+ }
112
+ const allowStatements = request.resourceAnalysis.filter(s => this.identityStatementAllows(s));
113
+ if (allowStatements.some(s => s.principalMatch === 'Match')) {
114
+ return 'Allowed';
115
+ }
116
+ if (allowStatements.some(s => s.principalMatch === 'AccountLevelMatch')) {
117
+ return 'AllowedForAccount';
118
+ }
119
+ return 'ImplicityDenied';
120
+ }
121
+ /**
122
+ * Checks if a statement is an identity statement that allows the request.
123
+ *
124
+ * @param statement The statement to check.
125
+ * @returns Whether the statement is an identity statement that allows the request.
126
+ */
41
127
  identityStatementAllows(statement) {
42
128
  if (statement.resourceMatch &&
43
129
  statement.actionMatch &&
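Review bot: In `authorize`, the same-account branch (new lines 24–29) returns `'Allowed'` when `resourcePolicyResult` is `'AllowedForAccount'` even though `identityStatementResult` is not `'Allowed'`; per `principal.js` an `AccountLevelMatch` is a statement whose Principal is the account rather than the requesting principal, and in AWS a resource-based policy that names the account root only delegates to that account's identity-based policies, so this path reports an allow that the real evaluation would implicitly deny — a false positive for a tool used to reason about least privilege. The same-account check should read `if (resourcePolicyResult === 'Allowed' || identityStatementResult === 'Allowed') { return 'Allowed'; }`, letting `'AllowedForAccount'` count only alongside an identity allow, as the cross-account branch below it already does. Separately, the last line of `resourcePolicyResult` returns the string `'ImplicityDenied'` (missing `l`); `authorize` happens never to compare against it, but any consumer of the declared `ResourceEvaluationResult` that does will never match, and unless the union in `evaluate.d.ts` carries the same typo the emitted `.d.ts` and `.js` disagree — fix to `'ImplicitlyDenied'`. Also worth confirming: `principalAccount === resourceAccount` takes the cross-account path whenever `resource?.accountId()` is undefined or empty (ARNs such as S3 bucket ARNs carry no account field), which would demand a resource-policy allow for what is really an in-account request, so `accountId()` needs to be populated for those resources or the comparison needs an explicit rule for them.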
@@ -1 +1 @@
1
- {"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":";;;AAIA,MAAa,wBAAwB;IAC5B,SAAS,CAAC,OAAoC;QACnD,MAAM,uBAAuB,GAAG,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC,CAAC;QACtE,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;QAC7D;;;;;;;WAOG;QACH,IAAG,uBAAuB,KAAK,SAAS,EAAE,CAAC;YACzC,IAAG,gBAAgB,KAAK,eAAe,EAAE,CAAC;gBACxC,OAAO,uBAAuB,CAAA;YAChC,CAAC;YACD,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QACD,OAAO,uBAAuB,CAAC;IACjC,CAAC;IAEM,uBAAuB,CAAC,OAAoC;QACjE,MAAM,YAAY,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC,CAAC,CAAC,CAAC;QACjG,IAAG,YAAY,EAAE,CAAC;YAChB,OAAO,kBAAkB,CAAC;QAC5B,CAAC;QAED,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC,CAAC,CAAC,CAAC;QAC5F,MAAM,YAAY,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/F,IAAG,aAAa,EAAE,CAAC;YACjB,OAAO,YAAY,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;QAC9C,CAAC;QAED,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC,CAAC,CAAC,CAAC;QACjG,IAAG,aAAa,EAAE,CAAC;YACjB,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,OAAO,kBAAkB,CAAA;IAC3B,CAAC;IAEM,uBAAuB,CAAC,SAA4B;QACzD,IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAAK,OAAO;YACpC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,OAAO,EAAE,CAAC;YACzC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAEM,4BAA4B,CAAC,SAA4B;QAC9D,IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAAK,SAAS;YACtC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,OAAO,EAAE,CAAC;YACzC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAEM,2BAA2B,CAAC,SAA4B;QAC7D,IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAAK,SAAS;YACtC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,MAAM,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAEM,6BAA6B,CAAC,SAA4B;QAC/D,
IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAAK,OAAO;YACpC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,MAAM,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;CACF;AAjFD,4DAiFC"}
1
+ {"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":";;;AAIA;;GAEG;AACH,MAAa,wBAAwB;IAC5B,SAAS,CAAC,OAAoC;QACnD,MAAM,SAAS,GAAG,IAAI,CAAC,0BAA0B,CAAC,OAAO,CAAC,CAAC;QAC3D,MAAM,uBAAuB,GAAG,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC,CAAC;QACtE,MAAM,oBAAoB,GAAG,IAAI,CAAC,oBAAoB,CAAC,OAAO,CAAC,CAAC;QAEhE,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;QAE7D,IAAG,SAAS,KAAK,SAAS,EAAE,CAAC;YAC3B,OAAO,SAAS,CAAA;QAClB,CAAC;QAED,IAAG,oBAAoB,KAAK,kBAAkB,IAAI,oBAAoB,KAAK,kBAAkB,EAAE,CAAC;YAC9F,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,IAAG,uBAAuB,KAAK,kBAAkB,EAAE,CAAC;YAClD,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,cAAc;QACd,IAAG,gBAAgB,KAAK,eAAe,EAAE,CAAC;YACxC,IAAG,oBAAoB,KAAK,SAAS,IAAI,oBAAoB,KAAK,mBAAmB,IAAI,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBAC/H,OAAO,SAAS,CAAA;YAClB,CAAC;YACD,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,eAAe;QACf,IAAG,oBAAoB,KAAK,SAAS,IAAI,oBAAoB,KAAK,mBAAmB,EAAE,CAAC;YACtF,IAAG,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBACzC,OAAO,SAAS,CAAA;YAClB,CAAC;YACD,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,OAAO,kBAAkB,CAAA;QAEzB;;;;;;;;WAQG;IACL,CAAC;IAED;;;;;OAKG;IACI,0BAA0B,CAAC,OAAoC;QACpE,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,EAAE;YACxD,OAAO,WAAW,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE;gBACtD,OAAO,IAAI,CAAC,uBAAuB,CAAC,SAAS,CAAC,CAAA;YAChD,CAAC,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;QAEF,IAAG,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAC7B,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,MAAM,UAAU,GAAG,OAAO,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,EAAE;YAC1D,OAAO,WAAW,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE;gBACtD,OAAO,IAAI,CAAC,6BAA6B,CAAC,SAAS,CAAC,CAAA;YACtD,CAAC,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;QAEF,IAAG,UAAU,EAAE,CAAC;YACd,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,OAAO,SAAS,CAAA;IAClB,CAAC;IAED;;;;;OAKG;IACI,uBAAuB,CAAC,OAAoC;QACjE,MAAM,YAAY,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC,CAAC,CAAC,CAAC;QACjG,IAAG,
YAAY,EAAE,CAAC;YAChB,OAAO,kBAAkB,CAAC;QAC5B,CAAC;QAED,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC,CAAC,CAAC,CAAC;QAC5F,MAAM,YAAY,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/F,IAAG,aAAa,EAAE,CAAC;YACjB,OAAO,YAAY,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;QAC9C,CAAC;QAED,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC,CAAC,CAAC,CAAC;QACjG,IAAG,aAAa,EAAE,CAAC;YACjB,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,OAAO,kBAAkB,CAAA;IAC3B,CAAC;IAED;;;;;OAKG;IACI,oBAAoB,CAAC,OAAoC;QAC9D,IAAG,CAAC,OAAO,CAAC,gBAAgB,EAAE,CAAC;YAC7B,OAAO,eAAe,CAAA;QACxB,CAAC;QAED,MAAM,cAAc,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC,CAAC,CAAC,CAAC;QACnG,IAAG,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,OAAO,CAAC,EAAE,CAAC;YAC1D,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QACD,IAAG,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,mBAAmB,CAAC,EAAE,CAAC;YACtE,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,MAAM,eAAe,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC,CAAC,CAAC,CAAC;QAC9F,IAAG,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,OAAO,CAAC,EAAE,CAAC;YAC3D,OAAO,SAAS,CAAA;QAClB,CAAC;QACD,IAAG,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,mBAAmB,CAAC,EAAE,CAAC;YACvE,OAAO,mBAAmB,CAAA;QAC5B,CAAC;QAED,OAAO,iBAAiB,CAAA;IAE1B,CAAC;IAED;;;;;OAKG;IACI,uBAAuB,CAAC,SAA4B;QACzD,IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAAK,OAAO;YACpC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,OAAO,EAAE,CAAC;YACzC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAEM,4BAA4B,CAAC,SAA4B;QAC9D,IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAAK,SAAS;YACtC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,OAAO,EAAE,CAAC;YACzC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAEM,2BAA2B,CAAC,SAA4B;QAC7D,IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAA
K,SAAS;YACtC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,MAAM,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAEM,6BAA6B,CAAC,SAA4B;QAC/D,IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAAK,OAAO;YACpC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,MAAM,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;CACF;AAtLD,4DAsLC"}
@@ -1,9 +1,12 @@
1
1
  import { EvaluationResult } from "../evaluate.js";
2
2
  import { AwsRequest } from "../request/request.js";
3
+ import { SCPAnalysis } from "../SCPAnalysis.js";
3
4
  import { StatementAnalysis } from "../StatementAnalysis.js";
4
5
  export interface ServiceAuthorizationRequest {
5
6
  request: AwsRequest;
6
7
  identityStatements: StatementAnalysis[];
8
+ scpAnalysis: SCPAnalysis[];
9
+ resourceAnalysis: StatementAnalysis[];
7
10
  }
8
11
  export interface ServiceAuthorizer {
9
12
  authorize(request: ServiceAuthorizationRequest): EvaluationResult;
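Review bot: `resourceAnalysis: StatementAnalysis[];` is declared as a required, non-nullable field, yet the emitted `DefaultServiceAuthorizer.resourcePolicyResult` in this same diff guards it with `if (!request.resourceAnalysis)` and returns `'NotApplicable'`, so the type and the runtime contract disagree. If a request without a resource policy is legitimately represented by a missing array, declare it as `resourceAnalysis?: StatementAnalysis[];` so callers building the request must decide explicitly; if it is always present, the runtime guard is dead code and an empty array is the only "no resource policy" case. Note that an empty array is truthy, so under the current guard an empty `resourceAnalysis` is treated as an applicable policy with no matching statements rather than as not applicable; a field comment such as `/** Statements of the resource policy evaluated against the request; omitted when the resource has no policy. */` would pin down which of the two is intended.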
@@ -1 +1 @@
1
- {"version":3,"file":"ServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/ServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAE5D,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,UAAU,CAAC;IACpB,kBAAkB,EAAE,iBAAiB,EAAE,CAAC;CACzC;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,gBAAgB,CAAA;CAClE"}
1
+ {"version":3,"file":"ServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/ServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAE5D,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,UAAU,CAAC;IACpB,kBAAkB,EAAE,iBAAiB,EAAE,CAAC;IACxC,WAAW,EAAE,WAAW,EAAE,CAAC;IAC3B,gBAAgB,EAAE,iBAAiB,EAAE,CAAC;CACvC;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,gBAAgB,CAAA;CAClE"}
@@ -1,3 +1,11 @@
1
+ /**
2
+ * Get the allowed context keys for a request.
3
+ *
4
+ * @param service The service the action belongs to
5
+ * @param action The action to get the allowed context keys for
6
+ * @param resource The resource the action is being performed on
7
+ * @returns The allowed context keys for the request as lower case strings
8
+ * @throws error if the service or action does not exist
9
+ */
1
10
  export declare function allowedContextKeysForRequest(service: string, action: string, resource: string): Promise<string[]>;
2
- export declare function convertPatternToRegex(pattern: string): string;
3
11
  //# sourceMappingURL=contextKeys.d.ts.map
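Review bot: Removing `export declare function convertPatternToRegex(pattern: string): string;` drops a previously exported symbol from the public typings, which breaks any consumer that imported it; for a 0.1.4 → 0.1.6 bump that deserves a changelog entry or a deprecated re-export of the replacement now living in `util.js`. The new `@throws` tag is also narrower than the implementation: the emitted `allowedContextKeysForRequest` in `contextKeys.js` additionally throws when zero or more than one resource type matches the resource, so the tag should read `@throws error if the service or action does not exist, or if the resource matches zero or multiple resource types for the action`. The same JSDoc block is duplicated in the `contextKeys.js` hunk and needs the same correction.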
@@ -1 +1 @@
1
- {"version":3,"file":"contextKeys.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/contextKeys.ts"],"names":[],"mappings":"AAEA,wBAAsB,4BAA4B,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CA4BvH;AAED,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAsB7D"}
1
+ {"version":3,"file":"contextKeys.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/contextKeys.ts"],"names":[],"mappings":"AAIA;;;;;;;;GAQG;AACH,wBAAsB,4BAA4B,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAyBvH"}
@@ -1,53 +1,40 @@
1
1
  "use strict";
2
2
  Object.defineProperty(exports, "__esModule", { value: true });
3
3
  exports.allowedContextKeysForRequest = allowedContextKeysForRequest;
4
- exports.convertPatternToRegex = convertPatternToRegex;
5
4
  const iam_data_1 = require("@cloud-copilot/iam-data");
5
+ const globalConditionKeys_js_1 = require("../global_conditions/globalConditionKeys.js");
6
+ const util_js_1 = require("../util.js");
7
+ /**
8
+ * Get the allowed context keys for a request.
9
+ *
10
+ * @param service The service the action belongs to
11
+ * @param action The action to get the allowed context keys for
12
+ * @param resource The resource the action is being performed on
13
+ * @returns The allowed context keys for the request as lower case strings
14
+ * @throws error if the service or action does not exist
15
+ */
6
16
  async function allowedContextKeysForRequest(service, action, resource) {
7
17
  const actionDetails = await (0, iam_data_1.iamActionDetails)(service, action);
8
- const actionConditionKeys = actionDetails.conditionKeys;
9
- if (actionDetails.resourceTypes.length === 0) {
10
- return actionConditionKeys;
18
+ const actionConditionKeys = (0, util_js_1.lowerCaseAll)(actionDetails.conditionKeys);
19
+ const isWildCardOnly = await (0, util_js_1.isWildcardOnlyAction)(service, action);
20
+ if (isWildCardOnly) {
21
+ return [
22
+ ...actionConditionKeys,
23
+ ...(0, globalConditionKeys_js_1.allGlobalConditionKeys)()
24
+ ];
11
25
  }
12
- const matchingResourceTypes = [];
13
- for (const rt of actionDetails.resourceTypes) {
14
- const resourceType = await (0, iam_data_1.iamResourceTypeDetails)(service, rt.name);
15
- const pattern = convertPatternToRegex(resourceType.arn);
16
- const match = resource.match(new RegExp(pattern));
17
- if (match) {
18
- matchingResourceTypes.push(resourceType);
19
- }
26
+ const resourceTypes = await (0, util_js_1.getResourceTypesForAction)(service, action, resource);
27
+ if (resourceTypes.length === 0) {
28
+ throw new Error(`No resource types found for action ${action} on service ${service}`);
20
29
  }
21
- if (matchingResourceTypes.length != 1) {
22
- const matchNames = matchingResourceTypes.map(rt => rt.key).join(", ");
23
- throw new Error(`found ${matchingResourceTypes.length} matching resource types for ${resource}: ${matchNames}`);
30
+ else if (resourceTypes.length > 1) {
31
+ throw new Error(`Multiple resource types found for action ${action} on service ${service}`);
24
32
  }
25
- console.log(matchingResourceTypes[0].key);
33
+ const resourceTypeConditions = actionDetails.resourceTypes.find(rt => rt.name === resourceTypes[0].key).conditionKeys;
26
34
  return [
27
- ...matchingResourceTypes[0].conditionKeys,
28
- ...actionConditionKeys
35
+ ...(0, util_js_1.lowerCaseAll)(resourceTypeConditions),
36
+ ...actionConditionKeys,
37
+ ...(0, globalConditionKeys_js_1.allGlobalConditionKeys)()
29
38
  ];
30
39
  }
31
- function convertPatternToRegex(pattern) {
32
- const regex = pattern.replace(/\$\{.*?\}/g, (match) => {
33
- const name = match.substring(2, match.length - 1);
34
- const camelName = name.at(0)?.toLowerCase() + name.substring(1);
35
- return `(?<${camelName}>(.*?))`;
36
- });
37
- return `^${regex}$`;
38
- // const parts = pattern.split('/')
39
- // const lastPart = parts[parts.length - 1]
40
- // const modifiedParts = parts.map((part) => {
41
- // if (part.startsWith('${') && part.endsWith('}')) {
42
- // const name = part.substring(2, part.length - 1)
43
- // const camelName = name.at(0)?.toLowerCase() + name.substring(1)
44
- // if (part === lastPart) {
45
- // return `(?<${camelName}>(.*))`
46
- // }
47
- // return `(?<${camelName}>([^\/]+))`
48
- // }
49
- // return part
50
- // })
51
- // return modifiedParts.join('\/')
52
- }
53
40
  //# sourceMappingURL=contextKeys.js.map
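Review bot: `actionDetails.resourceTypes.find(rt => rt.name === resourceTypes[0].key).conditionKeys` dereferences the result of `find` without a check, so if no entry's `name` equals the matched type's `key` the function dies with a `TypeError` on `undefined` instead of one of the descriptive errors thrown two lines earlier. The lookup also compares a `name` field against a `key` field; if those are distinct identifiers in `@cloud-copilot/iam-data` the lookup would miss for every action, which I cannot confirm from the diff. Split the lookup and fail explicitly: `const matchedType = actionDetails.resourceTypes.find(rt => rt.name === resourceTypes[0].key);` / `if (!matchedType) { throw new Error('Resource type ' + resourceTypes[0].key + ' is not declared for action ' + action + ' on service ' + service); }` / `const resourceTypeConditions = matchedType.conditionKeys;`. The `@throws` tag in the new JSDoc has the same gap as the one in `contextKeys.d.ts` and is covered in the note there.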
@@ -1 +1 @@
1
- {"version":3,"file":"contextKeys.js","sourceRoot":"","sources":["../../../src/simulation_engine/contextKeys.ts"],"names":[],"mappings":";;AAEA,oEA4BC;AAED,sDAsBC;AAtDD,sDAAiG;AAE1F,KAAK,UAAU,4BAA4B,CAAC,OAAe,EAAE,MAAc,EAAE,QAAgB;IAClG,MAAM,aAAa,GAAG,MAAM,IAAA,2BAAgB,EAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC9D,MAAM,mBAAmB,GAAG,aAAa,CAAC,aAAa,CAAC;IACxD,IAAG,aAAa,CAAC,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5C,OAAO,mBAAmB,CAAA;IAC5B,CAAC;IAED,MAAM,qBAAqB,GAAmB,EAAE,CAAC;IACjD,KAAI,MAAM,EAAE,IAAI,aAAa,CAAC,aAAa,EAAE,CAAC;QAC5C,MAAM,YAAY,GAAG,MAAM,IAAA,iCAAsB,EAAC,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC;QACpE,MAAM,OAAO,GAAG,qBAAqB,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;QACxD,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;QAClD,IAAG,KAAK,EAAE,CAAC;YACT,qBAAqB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC;IAED,IAAG,qBAAqB,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QACrC,MAAM,UAAU,GAAG,qBAAqB,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtE,MAAM,IAAI,KAAK,CAAC,SAAS,qBAAqB,CAAC,MAAM,gCAAgC,QAAQ,KAAK,UAAU,EAAE,CAAC,CAAC;IAClH,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAE1C,OAAO;QACL,GAAG,qBAAqB,CAAC,CAAC,CAAC,CAAC,aAAa;QACzC,GAAG,mBAAmB;KACvB,CAAA;AACH,CAAC;AAED,SAAgB,qBAAqB,CAAC,OAAe;IACnD,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,EAAE;QACpD,MAAM,IAAI,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;QACjD,MAAM,SAAS,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAA;QAC/D,OAAO,MAAM,SAAS,SAAS,CAAA;IACjC,CAAC,CAAC,CAAA;IACF,OAAO,IAAI,KAAK,GAAG,CAAA;IAEnB,mCAAmC;IACnC,2CAA2C;IAC3C,8CAA8C;IAC9C,uDAAuD;IACvD,sDAAsD;IACtD,sEAAsE;IACtE,+BAA+B;IAC/B,uCAAuC;IACvC,QAAQ;IACR,yCAAyC;IACzC,MAAM;IACN,gBAAgB;IAChB,KAAK;IACL,kCAAkC;AACpC,CAAC"}
1
+ {"version":3,"file":"contextKeys.js","sourceRoot":"","sources":["../../../src/simulation_engine/contextKeys.ts"],"names":[],"mappings":";;AAaA,oEAyBC;AAtCD,sDAA2D;AAC3D,wFAAqF;AACrF,wCAA2F;AAE3F;;;;;;;;GAQG;AACI,KAAK,UAAU,4BAA4B,CAAC,OAAe,EAAE,MAAc,EAAE,QAAgB;IAClG,MAAM,aAAa,GAAG,MAAM,IAAA,2BAAgB,EAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC9D,MAAM,mBAAmB,GAAG,IAAA,sBAAY,EAAC,aAAa,CAAC,aAAa,CAAC,CAAC;IAEtE,MAAM,cAAc,GAAG,MAAM,IAAA,8BAAoB,EAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACnE,IAAG,cAAc,EAAE,CAAC;QAClB,OAAO;YACL,GAAG,mBAAmB;YACtB,GAAG,IAAA,+CAAsB,GAAE;SAC5B,CAAA;IACH,CAAC;IAED,MAAM,aAAa,GAAG,MAAM,IAAA,mCAAyB,EAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IACjF,IAAG,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,sCAAsC,MAAM,eAAe,OAAO,EAAE,CAAC,CAAA;IACvF,CAAC;SAAM,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CAAC,4CAA4C,MAAM,eAAe,OAAO,EAAE,CAAC,CAAA;IAC7F,CAAC;IACD,MAAM,sBAAsB,GAAG,aAAa,CAAC,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,IAAI,KAAK,aAAa,CAAC,CAAC,CAAC,CAAC,GAAG,CAAE,CAAC,aAAa,CAAA;IAEtH,OAAO;QACL,GAAG,IAAA,sBAAY,EAAC,sBAAsB,CAAC;QACvC,GAAG,mBAAmB;QACtB,GAAG,IAAA,+CAAsB,GAAE;KAC5B,CAAA;AACH,CAAC"}
@@ -8,6 +8,17 @@ export interface Simulation {
8
8
  };
9
9
  contextVariables: Record<string, string | string[]>;
10
10
  };
11
- identityPolicies: Record<string, any>[];
11
+ identityPolicies: {
12
+ name: string;
13
+ policy: any;
14
+ }[];
15
+ serviceControlPolicies: {
16
+ orgIdentifier: string;
17
+ policies: {
18
+ name: string;
19
+ policy: any;
20
+ }[];
21
+ }[];
22
+ resourcePolicy?: any;
12
23
  }
13
24
  //# sourceMappingURL=simulation.d.ts.map
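Review bot: The new `policy: any` fields and `resourcePolicy?: any` leave policy documents untyped at the public boundary, so a caller can pass any value and the compiler offers no help; `unknown` (or a named policy type, if the policy package exposes one) would force the engine to validate before use, which the `ValidationError` fields added to `SimulationErrors` in this diff suggest it already does. `serviceControlPolicies` is also declared required, so every existing caller of `runSimulation` that passed only `identityPolicies` now fails to type-check; if a simulation without SCPs is meaningful, `serviceControlPolicies?:` would keep those callers compiling. Whether the engine actually requires the array is not visible in this diff.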
@@ -1 +1 @@
1
- {"version":3,"file":"simulation.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulation.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,EAAE;YACR,QAAQ,EAAE,MAAM,CAAC;YACjB,SAAS,EAAE,MAAM,CAAA;SAClB,CAAA;QACD,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAC;KACrD,CAAA;IAED,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;CACzC"}
1
+ {"version":3,"file":"simulation.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulation.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,EAAE;YACR,QAAQ,EAAE,MAAM,CAAC;YACjB,SAAS,EAAE,MAAM,CAAA;SAClB,CAAA;QACD,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAC;KACrD,CAAA;IAED,gBAAgB,EAAE;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,GAAG,CAAA;KAAC,EAAE,CAAC;IAChD,sBAAsB,EAAE;QACtB,aAAa,EAAE,MAAM,CAAC;QACtB,QAAQ,EAAE;YAAC,IAAI,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,GAAG,CAAA;SAAC,EAAE,CAAA;KACxC,EAAE,CAAC;IACJ,cAAc,CAAC,EAAE,GAAG,CAAC;CACtB"}
@@ -1,11 +1,26 @@
1
1
  import { ValidationError } from "@cloud-copilot/iam-policy";
2
+ import { EvaluationResult } from "../evaluate.js";
2
3
  import { Simulation } from "./simulation.js";
3
4
  import { SimulationOptions } from "./simulationOptions.js";
4
5
  export interface SimulationErrors {
5
6
  identityPolicyErrors?: Record<string, ValidationError[]>;
7
+ seviceControlPolicyErrors?: Record<string, ValidationError[]>;
8
+ resourcePolicyErrors?: ValidationError[];
6
9
  message: string;
7
10
  }
8
11
  export interface SimulationResult {
12
+ errors?: SimulationErrors;
13
+ result?: {
14
+ evaluationResult: EvaluationResult;
15
+ };
9
16
  }
17
+ /**
18
+ * Run a simulation with validation
19
+ *
20
+ * @param simulation The simulation to run
21
+ * @param simulationOptions Options for the simulation
22
+ * @returns
23
+ */
10
24
  export declare function runSimulation(simulation: Simulation, simulationOptions: Partial<SimulationOptions>): Promise<SimulationResult>;
25
+ export declare function normalizeSimulationParameters(simulation: Simulation): Promise<Record<string, string | string[]>>;
11
26
  //# sourceMappingURL=simulationEngine.d.ts.map
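Review bot: `seviceControlPolicyErrors?` is misspelled in a public interface; once this ships, renaming it to `serviceControlPolicyErrors` is a breaking change for consumers that read the field, so it is cheapest to fix now, and the emitted engine must populate the corrected key as well. The `@returns` tag on `runSimulation` is empty; `@returns A SimulationResult holding either validation errors or the evaluation result` would state the contract the two optional fields on `SimulationResult` suggest. `normalizeSimulationParameters` is also newly exported without a doc comment; a one-line description of what normalization produces in the returned `Record<string, string | string[]>` would help callers.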
@@ -1 +1 @@
1
- {"version":3,"file":"simulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":"AACA,OAAO,EAAwB,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAClF,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC7C,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAE3D,MAAM,WAAW,gBAAgB;IAC/B,oBAAoB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAC;IACzD,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;CAEhC;AAED,wBAAsB,aAAa,CAAC,UAAU,EAAE,UAAU,EAAE,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAmCpI"}
1
+ {"version":3,"file":"simulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":"AACA,OAAO,EAAoG,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAG9J,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAKlD,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC7C,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAE3D,MAAM,WAAW,gBAAgB;IAC/B,oBAAoB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAC;IACzD,yBAAyB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAC;IAC9D,oBAAoB,CAAC,EAAE,eAAe,EAAE,CAAC;IACzC,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,CAAC,EAAE,gBAAgB,CAAC;IAC1B,MAAM,CAAC,EAAE;QACP,gBAAgB,EAAE,gBAAgB,CAAA;KACnC,CAAA;CACF;AAED;;;;;;GAMG;AACH,wBAAsB,aAAa,CAAC,UAAU,EAAE,UAAU,EAAE,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAAG,OAAO,CAAC,gBAAgB,CAAC,CA+HpI;AAED,wBAAsB,6BAA6B,CAAC,UAAU,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAC,CA0BtH"}