@cloud-copilot/iam-simulate 0.1.4 → 0.1.6

package/dist/cjs/index.d.ts

@@ -1,6 +1,9 @@
+export { findContextKeys } from './context_keys/findContextKeys.js';
 export { type EvaluationResult } from './evaluate.js';
+export { allowedContextKeysForRequest } from './simulation_engine/contextKeys.js';
 export { type Simulation } from './simulation_engine/simulation.js';
 export { runSimulation } from './simulation_engine/simulationEngine.js';
 export { type SimulationOptions } from './simulation_engine/simulationOptions.js';
 export { runUnsafeSimulation } from './simulation_engine/unsafeSimulationEngine.js';
+export { isWildcardOnlyAction } from './util.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/cjs/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACtD,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,mCAAmC,CAAC;AACpE,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAC;AACxE,OAAO,EAAE,KAAK,iBAAiB,EAAE,MAAM,0CAA0C,CAAC;AAClF,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAC;AACpE,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACtD,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAC;AAClF,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,mCAAmC,CAAC;AACpE,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAC;AACxE,OAAO,EAAE,KAAK,iBAAiB,EAAE,MAAM,0CAA0C,CAAC;AAClF,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAC;AACpF,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC"}

package/dist/cjs/index.js

@@ -1,8 +1,14 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.runUnsafeSimulation = exports.runSimulation = void 0;
+exports.isWildcardOnlyAction = exports.runUnsafeSimulation = exports.runSimulation = exports.allowedContextKeysForRequest = exports.findContextKeys = void 0;
+var findContextKeys_js_1 = require("./context_keys/findContextKeys.js");
+Object.defineProperty(exports, "findContextKeys", { enumerable: true, get: function () { return findContextKeys_js_1.findContextKeys; } });
+var contextKeys_js_1 = require("./simulation_engine/contextKeys.js");
+Object.defineProperty(exports, "allowedContextKeysForRequest", { enumerable: true, get: function () { return contextKeys_js_1.allowedContextKeysForRequest; } });
 var simulationEngine_js_1 = require("./simulation_engine/simulationEngine.js");
 Object.defineProperty(exports, "runSimulation", { enumerable: true, get: function () { return simulationEngine_js_1.runSimulation; } });
 var unsafeSimulationEngine_js_1 = require("./simulation_engine/unsafeSimulationEngine.js");
 Object.defineProperty(exports, "runUnsafeSimulation", { enumerable: true, get: function () { return unsafeSimulationEngine_js_1.runUnsafeSimulation; } });
+var util_js_1 = require("./util.js");
+Object.defineProperty(exports, "isWildcardOnlyAction", { enumerable: true, get: function () { return util_js_1.isWildcardOnlyAction; } });
 //# sourceMappingURL=index.js.map

package/dist/cjs/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAEA,+EAAwE;AAA/D,oHAAA,aAAa,OAAA;AAEtB,2FAAoF;AAA3E,gIAAA,mBAAmB,OAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,wEAAoE;AAA3D,qHAAA,eAAe,OAAA;AAExB,qEAAkF;AAAzE,8HAAA,4BAA4B,OAAA;AAErC,+EAAwE;AAA/D,oHAAA,aAAa,OAAA;AAEtB,2FAAoF;AAA3E,gIAAA,mBAAmB,OAAA;AAC5B,qCAAiD;AAAxC,+GAAA,oBAAoB,OAAA"}

package/dist/cjs/principal/principal.d.ts

@@ -1,4 +1,4 @@
-import { Principal } from "@cloud-copilot/iam-policy";
+import { Principal, Statement } from "@cloud-copilot/iam-policy";
 import { AwsRequest } from "../request/request.js";
 export type PrincipalMatchResult = 'Match' | 'NoMatch' | 'AccountLevelMatch';
 /**
@@ -27,4 +27,12 @@ export declare function requestMatchesNotPrincipal(request: AwsRequest, notPrinc
 export declare function requestMatchesPrincipalStatement(request: AwsRequest, principalStatement: Principal): PrincipalMatchResult;
 export declare function isAssumedRoleArn(principal: string): boolean;
 export declare function roleArnFromAssumedRoleArn(assumedRoleArn: string): string;
+/**
+ * Check if a request matches the Resource or NotResource elements of a statement.
+ *
+ * @param request the request to check
+ * @param statement the statement to check against
+ * @returns true if the request matches the resources in the statement, false otherwise
+ */
+export declare function requestMatchesStatementPrincipals(request: AwsRequest, statement: Statement): PrincipalMatchResult;
 //# sourceMappingURL=principal.d.ts.map

package/dist/cjs/principal/principal.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"principal.d.ts","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AA4CnD,MAAM,MAAM,oBAAoB,GAAG,OAAO,GAAG,SAAS,GAAG,mBAAmB,CAAA;AAE5E;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,oBAAoB,CAWzG;AAED;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,SAAS,EAAE,GAAG,oBAAoB,CAiB/G;AAED;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAAC,OAAO,EAAE,UAAU,EAAE,kBAAkB,EAAE,SAAS,GAAG,oBAAoB,CAgDzH;AAID,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAE3D;AAED,wBAAgB,yBAAyB,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAKxE"}
+{"version":3,"file":"principal.d.ts","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AA4CnD,MAAM,MAAM,oBAAoB,GAAG,OAAO,GAAG,SAAS,GAAG,mBAAmB,CAAA;AAE5E;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,oBAAoB,CAWzG;AAED;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,SAAS,EAAE,GAAG,oBAAoB,CAiB/G;AAED;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAAC,OAAO,EAAE,UAAU,EAAE,kBAAkB,EAAE,SAAS,GAAG,oBAAoB,CAgDzH;AAID,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAE3D;AAED,wBAAgB,yBAAyB,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAKxE;AAED;;;;;;GAMG;AACH,wBAAgB,iCAAiC,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,GAAG,oBAAoB,CAOjH"}

package/dist/cjs/principal/principal.js

@@ -5,6 +5,7 @@ exports.requestMatchesNotPrincipal = requestMatchesNotPrincipal;
 exports.requestMatchesPrincipalStatement = requestMatchesPrincipalStatement;
 exports.isAssumedRoleArn = isAssumedRoleArn;
 exports.roleArnFromAssumedRoleArn = roleArnFromAssumedRoleArn;
+exports.requestMatchesStatementPrincipals = requestMatchesStatementPrincipals;
 /**
  * Check to see if a request matches a Principal element in an IAM policy statement
  *
@@ -104,4 +105,20 @@ function roleArnFromAssumedRoleArn(assumedRoleArn) {
     const rolePathAndName = resourceParts.slice(1, -1).join('/');
     return `arn:aws:iam::${stsParts[4]}:role/${rolePathAndName}`;
 }
+/**
+ * Check if a request matches the Resource or NotResource elements of a statement.
+ *
+ * @param request the request to check
+ * @param statement the statement to check against
+ * @returns true if the request matches the resources in the statement, false otherwise
+ */
+function requestMatchesStatementPrincipals(request, statement) {
+    if (statement.isPrincipalStatement()) {
+        return requestMatchesPrincipal(request, statement.principals());
+    }
+    else if (statement.isNotPrincipalStatement()) {
+        return requestMatchesNotPrincipal(request, statement.notPrincipals());
+    }
+    throw new Error('Statement should have Principal or NotPrincipal');
+}
 //# sourceMappingURL=principal.js.map

package/dist/cjs/principal/principal.js.map

@@ -1 +1 @@
-{"version":3,"file":"principal.js","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":";;AAsDA,0DAWC;AASD,gEAiBC;AASD,4EAgDC;AAID,4CAEC;AAED,8DAKC;AAlHD;;;;;;GAMG;AACH,SAAgB,uBAAuB,CAAC,OAAmB,EAAE,SAAsB;IACjF,MAAM,OAAO,GAAG,SAAS,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAE,CAAC,gCAAgC,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC,CAAA;IAClH,IAAG,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7B,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,IAAG,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;QACzC,OAAO,mBAAmB,CAAA;IAC5B,CAAC;IAED,OAAO,SAAS,CAAA;AAClB,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,0BAA0B,CAAC,OAAmB,EAAE,YAAyB;IACvF,MAAM,OAAO,GAAG,YAAY,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAE,CAAC,gCAAgC,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC,CAAA;IACrH,IAAG,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7B,OAAO,SAAS,CAAA;IAClB,CAAC;IAED;;;;;OAKG;IACH,IAAG,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;QACzC,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,gCAAgC,CAAC,OAAmB,EAAE,kBAA6B;IACjG,IAAG,kBAAkB,CAAC,kBAAkB,EAAE,EAAE,CAAC;QAC3C,IAAG,kBAAkB,CAAC,OAAO,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAC9D,OAAO,OAAO,CAAA;QAChB,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAG,kBAAkB,CAAC,wBAAwB,EAAE,EAAE,CAAC;QACjD,IAAG,kBAAkB,CAAC,aAAa,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YACpE,OAAO,OAAO,CAAA;QAChB,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAG,kBAAkB,CAAC,oBAAoB,EAAE,EAAE,CAAC;QAC7C,IAAG,kBAAkB,CAAC,SAAS,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAChE,OAAO,OAAO,CAAA;QAChB,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAG,kBAAkB,CAAC,mBAAmB,EAAE,EAAE,CAAC;QAC5C,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,IAAG,kBAAkB,CAAC,kBAAkB,EAAE,EAAE,CAAC;QAC3C,IAAG,kBAAkB,CAAC,SAAS,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,CAAC;YACpE,OAAO,mBAAmB,CAAA;QAC5B,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAG,kBAAkB,CAAC,cAAc,EAAE,EAAE,CAAC;QACvC,IAAG,gBAAgB,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC;YAC/C,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;YAC5C,MAAM,OAAO,GAAG,yBAAyB,CAAC,UAAU,CAAC,CAAA;YACrD,IAAG,kBAAkB,CAAC,GAAG,EAAE,KAAM,OAAO,IAAI,kBAAkB,CAAC,GAAG,EAAE,KAAK,UAAU,EAAE,CAAC;gBACpF,OAAO,OAAO,CAAA;YAChB,CAAC;QACH,CAAC;QAED,IAAG,kBAAkB,CAAC,GAAG,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAC1D,OAAO,OAAO,CAAA;QAChB,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAA;AAClB,CAAC;AAED,MAAM,mBAAmB,GAAG,wCAAwC,CAAA;AAEpE,SAAgB,gBAAgB,CAAC,SAAiB;IAChD,OAAO,mBAAmB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;AAC5C,CAAC;AAED,SAAgB,yBAAyB,CAAC,cAAsB;IAC9D,MAAM,QAAQ,GAAG,cAAc,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC1C,MAAM,aAAa,GAAG,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,CAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACjD,MAAM,eAAe,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IAC5D,OAAO,gBAAgB,QAAQ,CAAC,CAAC,CAAC,SAAS,eAAe,EAAE,CAAA;AAC9D,CAAC"}
+{"version":3,"file":"principal.js","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":";;AAsDA,0DAWC;AASD,gEAiBC;AASD,4EAgDC;AAID,4CAEC;AAED,8DAKC;AASD,8EAOC;AAlID;;;;;;GAMG;AACH,SAAgB,uBAAuB,CAAC,OAAmB,EAAE,SAAsB;IACjF,MAAM,OAAO,GAAG,SAAS,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAE,CAAC,gCAAgC,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC,CAAA;IAClH,IAAG,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7B,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,IAAG,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;QACzC,OAAO,mBAAmB,CAAA;IAC5B,CAAC;IAED,OAAO,SAAS,CAAA;AAClB,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,0BAA0B,CAAC,OAAmB,EAAE,YAAyB;IACvF,MAAM,OAAO,GAAG,YAAY,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAE,CAAC,gCAAgC,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC,CAAA;IACrH,IAAG,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7B,OAAO,SAAS,CAAA;IAClB,CAAC;IAED;;;;;OAKG;IACH,IAAG,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;QACzC,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,gCAAgC,CAAC,OAAmB,EAAE,kBAA6B;IACjG,IAAG,kBAAkB,CAAC,kBAAkB,EAAE,EAAE,CAAC;QAC3C,IAAG,kBAAkB,CAAC,OAAO,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAC9D,OAAO,OAAO,CAAA;QAChB,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAG,kBAAkB,CAAC,wBAAwB,EAAE,EAAE,CAAC;QACjD,IAAG,kBAAkB,CAAC,aAAa,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YACpE,OAAO,OAAO,CAAA;QAChB,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAG,kBAAkB,CAAC,oBAAoB,EAAE,EAAE,CAAC;QAC7C,IAAG,kBAAkB,CAAC,SAAS,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAChE,OAAO,OAAO,CAAA;QAChB,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAG,kBAAkB,CAAC,mBAAmB,EAAE,EAAE,CAAC;QAC5C,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,IAAG,kBAAkB,CAAC,kBAAkB,EAAE,EAAE,CAAC;QAC3C,IAAG,kBAAkB,CAAC,SAAS,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,CAAC;YACpE,OAAO,mBAAmB,CAAA;QAC5B,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAG,kBAAkB,CAAC,cAAc,EAAE,EAAE,CAAC;QACvC,IAAG,gBAAgB,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC;YAC/C,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;YAC5C,MAAM,OAAO,GAAG,yBAAyB,CAAC,UAAU,CAAC,CAAA;YACrD,IAAG,kBAAkB,CAAC,GAAG,EAAE,KAAM,OAAO,IAAI,kBAAkB,CAAC,GAAG,EAAE,KAAK,UAAU,EAAE,CAAC;gBACpF,OAAO,OAAO,CAAA;YAChB,CAAC;QACH,CAAC;QAED,IAAG,kBAAkB,CAAC,GAAG,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAC1D,OAAO,OAAO,CAAA;QAChB,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAA;AAClB,CAAC;AAED,MAAM,mBAAmB,GAAG,wCAAwC,CAAA;AAEpE,SAAgB,gBAAgB,CAAC,SAAiB;IAChD,OAAO,mBAAmB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;AAC5C,CAAC;AAED,SAAgB,yBAAyB,CAAC,cAAsB;IAC9D,MAAM,QAAQ,GAAG,cAAc,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC1C,MAAM,aAAa,GAAG,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,CAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACjD,MAAM,eAAe,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IAC5D,OAAO,gBAAgB,QAAQ,CAAC,CAAC,CAAC,SAAS,eAAe,EAAE,CAAA;AAC9D,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,iCAAiC,CAAC,OAAmB,EAAE,SAAoB;IACzF,IAAG,SAAS,CAAC,oBAAoB,EAAE,EAAE,CAAC;QACpC,OAAO,uBAAuB,CAAC,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE,CAAC,CAAA;IACjE,CAAC;SAAM,IAAG,SAAS,CAAC,uBAAuB,EAAE,EAAE,CAAC;QAC9C,OAAO,0BAA0B,CAAC,OAAO,EAAE,SAAS,CAAC,aAAa,EAAE,CAAC,CAAC;IACxE,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAA;AACpE,CAAC"}

package/dist/cjs/request/requestPrincipal.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"requestPrincipal.d.ts","sourceRoot":"","sources":["../../../src/request/requestPrincipal.ts"],"names":[],"mappings":"AACA;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAE/B;;OAEG;IACH,KAAK,IAAI,MAAM,CAAC;IAEhB;;OAEG;IACH,SAAS,IAAI,MAAM,GAAG,SAAS,CAAC;CAEjC;AAED,qBAAa,oBAAqB,YAAW,gBAAgB;IAC/C,OAAO,CAAC,QAAQ,CAAC,QAAQ;gBAAR,QAAQ,EAAE,MAAM;IAE7C,SAAS,IAAI,MAAM,GAAG,SAAS;IAIxB,KAAK,IAAI,MAAM;CAGvB"}
+{"version":3,"file":"requestPrincipal.d.ts","sourceRoot":"","sources":["../../../src/request/requestPrincipal.ts"],"names":[],"mappings":"AACA;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAE/B;;OAEG;IACH,KAAK,IAAI,MAAM,CAAC;IAEhB;;OAEG;IACH,SAAS,IAAI,MAAM,GAAG,SAAS,CAAC;CAEjC;AAED,qBAAa,oBAAqB,YAAW,gBAAgB;IAC/C,OAAO,CAAC,QAAQ,CAAC,QAAQ;gBAAR,QAAQ,EAAE,MAAM;IAE7C,SAAS,IAAI,MAAM,GAAG,SAAS;IAIxB,KAAK,IAAI,MAAM;CAKvB"}

package/dist/cjs/request/requestPrincipal.js.map

@@ -1 +1 @@
-{"version":3,"file":"requestPrincipal.js","sourceRoot":"","sources":["../../../src/request/requestPrincipal.ts"],"names":[],"mappings":";;;AAkBA,MAAa,oBAAoB;IACF;IAA7B,YAA6B,QAAgB;QAAhB,aAAQ,GAAR,QAAQ,CAAQ;IAAG,CAAC;IAEjD,SAAS;QACP,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IACvC,CAAC;IAEM,KAAK;QACV,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;CACF;AAVD,oDAUC"}
+{"version":3,"file":"requestPrincipal.js","sourceRoot":"","sources":["../../../src/request/requestPrincipal.ts"],"names":[],"mappings":";;;AAkBA,MAAa,oBAAoB;IACF;IAA7B,YAA6B,QAAgB;QAAhB,aAAQ,GAAR,QAAQ,CAAQ;IAAG,CAAC;IAEjD,SAAS;QACP,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IACvC,CAAC;IAEM,KAAK;QACV,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;CAGF;AAZD,oDAYC"}

package/dist/cjs/services/DefaultServiceAuthorizer.d.ts

@@ -1,9 +1,38 @@
-import { EvaluationResult } from "../evaluate.js";
+import { EvaluationResult, ResourceEvaluationResult } from "../evaluate.js";
 import { StatementAnalysis } from "../StatementAnalysis.js";
 import { ServiceAuthorizationRequest, ServiceAuthorizer } from "./ServiceAuthorizer.js";
+/**
+ * The default authorizer for services.
+ */
 export declare class DefaultServiceAuthorizer implements ServiceAuthorizer {
     authorize(request: ServiceAuthorizationRequest): EvaluationResult;
+    /**
+     * Determine the result of the SCP analysis.
+     *
+     * @param request The request to authorize.
+     * @returns The result of the SCP analysis.
+     */
+    serviceControlPolicyResult(request: ServiceAuthorizationRequest): EvaluationResult;
+    /**
+     * Evaluate the identity statements to determine the result.
+     *
+     * @param request The request to authorize.
+     * @returns The result of the identity statement analysis.
+     */
     identityStatementResult(request: ServiceAuthorizationRequest): EvaluationResult;
+    /**
+     * Evaluate the resource policy to determine the result.
+     *
+     * @param request the request to authorize
+     * @returns the result of the resource policy analysis
+     */
+    resourcePolicyResult(request: ServiceAuthorizationRequest): ResourceEvaluationResult;
+    /**
+     * Checks if a statement is an identity statement that allows the request.
+     *
+     * @param statement The statement to check.
+     * @returns Whether the statement is an identity statement that allows the request.
+     */
     identityStatementAllows(statement: StatementAnalysis): boolean;
     identityStatementUknownAllow(statement: StatementAnalysis): boolean;
     identityStatementUknownDeny(statement: StatementAnalysis): boolean;

package/dist/cjs/services/DefaultServiceAuthorizer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,EAAE,2BAA2B,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAExF,qBAAa,wBAAyB,YAAW,iBAAiB;IACzD,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,gBAAgB;IAqBjE,uBAAuB,CAAC,OAAO,EAAE,2BAA2B,GAAG,gBAAgB;IAoB/E,uBAAuB,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;IAU9D,4BAA4B,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;IAUnE,2BAA2B,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;IAUlE,6BAA6B,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;CAS5E"}
+{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,wBAAwB,EAAE,MAAM,gBAAgB,CAAC;AAC5E,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,EAAE,2BAA2B,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAExF;;GAEG;AACH,qBAAa,wBAAyB,YAAW,iBAAiB;IACzD,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,gBAAgB;IAiDxE;;;;;OAKG;IACI,0BAA0B,CAAC,OAAO,EAAE,2BAA2B,GAAG,gBAAgB;IAwBzF;;;;;OAKG;IACI,uBAAuB,CAAC,OAAO,EAAE,2BAA2B,GAAG,gBAAgB;IAoBtF;;;;;OAKG;IACI,oBAAoB,CAAC,OAAO,EAAE,2BAA2B,GAAG,wBAAwB;IAyB3F;;;;;OAKG;IACI,uBAAuB,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;IAU9D,4BAA4B,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;IAUnE,2BAA2B,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;IAUlE,6BAA6B,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;CAS5E"}

package/dist/cjs/services/DefaultServiceAuthorizer.js

@@ -1,27 +1,81 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.DefaultServiceAuthorizer = void 0;
+/**
+ * The default authorizer for services.
+ */
 class DefaultServiceAuthorizer {
     authorize(request) {
+        const scpResult = this.serviceControlPolicyResult(request);
         const identityStatementResult = this.identityStatementResult(request);
+        const resourcePolicyResult = this.resourcePolicyResult(request);
         const principalAccount = request.request.principal.accountId();
         const resourceAccount = request.request.resource?.accountId();
+        if (scpResult !== 'Allowed') {
+            return scpResult;
+        }
+        if (resourcePolicyResult === 'ExplicitlyDenied' || resourcePolicyResult === 'DeniedForAccount') {
+            return 'ExplicitlyDenied';
+        }
+        if (identityStatementResult === 'ExplicitlyDenied') {
+            return 'ExplicitlyDenied';
+        }
+        //Same Account
+        if (principalAccount === resourceAccount) {
+            if (resourcePolicyResult === 'Allowed' || resourcePolicyResult === 'AllowedForAccount' || identityStatementResult === 'Allowed') {
+                return 'Allowed';
+            }
+            return 'ImplicitlyDenied';
+        }
+        //Cross Account
+        if (resourcePolicyResult === 'Allowed' || resourcePolicyResult === 'AllowedForAccount') {
+            if (identityStatementResult === 'Allowed') {
+                return 'Allowed';
+            }
+            return 'ImplicitlyDenied';
+        }
+        return 'ImplicitlyDenied';
         /**
          * Add checks for:
-         * * resource policies
-         * * service control policies
+         * * root user
+         * * service linked roles
+         * * resource control policies
          * * boundary policies
          * * vpc endpoint policies
          * * session policies (maybe these are just part of identity policies?)
          */
-        if (identityStatementResult === 'Allowed') {
-            if (principalAccount === resourceAccount) {
-                return identityStatementResult;
-            }
+    }
+    /**
+     * Determine the result of the SCP analysis.
+     *
+     * @param request The request to authorize.
+     * @returns The result of the SCP analysis.
+     */
+    serviceControlPolicyResult(request) {
+        const orgAllows = request.scpAnalysis.map((scpAnalysis) => {
+            return scpAnalysis.statementAnalysis.some((statement) => {
+                return this.identityStatementAllows(statement);
+            });
+        });
+        if (orgAllows.includes(false)) {
             return 'ImplicitlyDenied';
         }
-        return identityStatementResult;
+        const anyScpDeny = request.scpAnalysis.some((scpAnalysis) => {
+            return scpAnalysis.statementAnalysis.some((statement) => {
+                return this.identityStatementExplicitDeny(statement);
+            });
+        });
+        if (anyScpDeny) {
+            return 'ExplicitlyDenied';
+        }
+        return 'Allowed';
     }
+    /**
+     * Evaluate the identity statements to determine the result.
+     *
+     * @param request The request to authorize.
+     * @returns The result of the identity statement analysis.
+     */
     identityStatementResult(request) {
         const explicitDeny = request.identityStatements.some(s => this.identityStatementExplicitDeny(s));
         if (explicitDeny) {
@@ -38,6 +92,38 @@ class DefaultServiceAuthorizer {
         }
         return 'ImplicitlyDenied';
     }
+    /**
+     * Evaluate the resource policy to determine the result.
+     *
+     * @param request the request to authorize
+     * @returns the result of the resource policy analysis
+     */
+    resourcePolicyResult(request) {
+        if (!request.resourceAnalysis) {
+            return 'NotApplicable';
+        }
+        const denyStatements = request.resourceAnalysis.filter(s => this.identityStatementExplicitDeny(s));
+        if (denyStatements.some(s => s.principalMatch === 'Match')) {
+            return 'ExplicitlyDenied';
+        }
+        if (denyStatements.some(s => s.principalMatch === 'AccountLevelMatch')) {
+            return 'DeniedForAccount';
+        }
+        const allowStatements = request.resourceAnalysis.filter(s => this.identityStatementAllows(s));
+        if (allowStatements.some(s => s.principalMatch === 'Match')) {
+            return 'Allowed';
+        }
+        if (allowStatements.some(s => s.principalMatch === 'AccountLevelMatch')) {
+            return 'AllowedForAccount';
+        }
+        return 'ImplicityDenied';
+    }
+    /**
+     * Checks if a statement is an identity statement that allows the request.
+     *
+     * @param statement The statement to check.
+     * @returns Whether the statement is an identity statement that allows the request.
+     */
     identityStatementAllows(statement) {
         if (statement.resourceMatch &&
             statement.actionMatch &&

package/dist/cjs/services/DefaultServiceAuthorizer.js.map

@@ -1 +1 @@
-{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":";;;AAIA,MAAa,wBAAwB;IAC5B,SAAS,CAAC,OAAoC;QACnD,MAAM,uBAAuB,GAAG,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC,CAAC;QACtE,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;QAC7D;;;;;;;WAOG;QACH,IAAG,uBAAuB,KAAK,SAAS,EAAE,CAAC;YACzC,IAAG,gBAAgB,KAAK,eAAe,EAAE,CAAC;gBACxC,OAAO,uBAAuB,CAAA;YAChC,CAAC;YACD,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QACD,OAAO,uBAAuB,CAAC;IACjC,CAAC;IAEM,uBAAuB,CAAC,OAAoC;QACjE,MAAM,YAAY,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC,CAAC,CAAC,CAAC;QACjG,IAAG,YAAY,EAAE,CAAC;YAChB,OAAO,kBAAkB,CAAC;QAC5B,CAAC;QAED,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC,CAAC,CAAC,CAAC;QAC5F,MAAM,YAAY,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/F,IAAG,aAAa,EAAE,CAAC;YACjB,OAAO,YAAY,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;QAC9C,CAAC;QAED,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC,CAAC,CAAC,CAAC;QACjG,IAAG,aAAa,EAAE,CAAC;YACjB,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,OAAO,kBAAkB,CAAA;IAC3B,CAAC;IAEM,uBAAuB,CAAC,SAA4B;QACzD,IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAAK,OAAO;YACpC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,OAAO,EAAE,CAAC;YACzC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAEM,4BAA4B,CAAC,SAA4B;QAC9D,IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAAK,SAAS;YACtC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,OAAO,EAAE,CAAC;YACzC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAEM,2BAA2B,CAAC,SAA4B;QAC7D,IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAAK,SAAS;YACtC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,MAAM,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAEM,6BAA6B,CAAC,SAA4B;QAC/D,IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAAK,OAAO;YACpC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,MAAM,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;CACF;AAjFD,4DAiFC"}
+{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":";;;AAIA;;GAEG;AACH,MAAa,wBAAwB;IAC5B,SAAS,CAAC,OAAoC;QACnD,MAAM,SAAS,GAAG,IAAI,CAAC,0BAA0B,CAAC,OAAO,CAAC,CAAC;QAC3D,MAAM,uBAAuB,GAAG,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC,CAAC;QACtE,MAAM,oBAAoB,GAAG,IAAI,CAAC,oBAAoB,CAAC,OAAO,CAAC,CAAC;QAEhE,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;QAE7D,IAAG,SAAS,KAAK,SAAS,EAAE,CAAC;YAC3B,OAAO,SAAS,CAAA;QAClB,CAAC;QAED,IAAG,oBAAoB,KAAK,kBAAkB,IAAI,oBAAoB,KAAK,kBAAkB,EAAE,CAAC;YAC9F,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,IAAG,uBAAuB,KAAK,kBAAkB,EAAE,CAAC;YAClD,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,cAAc;QACd,IAAG,gBAAgB,KAAK,eAAe,EAAE,CAAC;YACxC,IAAG,oBAAoB,KAAK,SAAS,IAAI,oBAAoB,KAAK,mBAAmB,IAAI,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBAC/H,OAAO,SAAS,CAAA;YAClB,CAAC;YACD,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,eAAe;QACf,IAAG,oBAAoB,KAAK,SAAS,IAAI,oBAAoB,KAAK,mBAAmB,EAAE,CAAC;YACtF,IAAG,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBACzC,OAAO,SAAS,CAAA;YAClB,CAAC;YACD,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,OAAO,kBAAkB,CAAA;QAEzB;;;;;;;;WAQG;IACL,CAAC;IAED;;;;;OAKG;IACI,0BAA0B,CAAC,OAAoC;QACpE,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,EAAE;YACxD,OAAO,WAAW,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE;gBACtD,OAAO,IAAI,CAAC,uBAAuB,CAAC,SAAS,CAAC,CAAA;YAChD,CAAC,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;QAEF,IAAG,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAC7B,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,MAAM,UAAU,GAAG,OAAO,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,EAAE;YAC1D,OAAO,WAAW,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE;gBACtD,OAAO,IAAI,CAAC,6BAA6B,CAAC,SAAS,CAAC,CAAA;YACtD,CAAC,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;QAEF,IAAG,UAAU,EAAE,CAAC;YACd,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,OAAO,SAAS,CAAA;IAClB,CAAC;IAED;;;;;OAKG;IACI,uBAAuB,CAAC,OAAoC;QACjE,MAAM,YAAY,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC,CAAC,CAAC,CAAC;QACjG,IAAG,YAAY,EAAE,CAAC;YAChB,OAAO,kBAAkB,CAAC;QAC5B,CAAC;QAED,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC,CAAC,CAAC,CAAC;QAC5F,MAAM,YAAY,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/F,IAAG,aAAa,EAAE,CAAC;YACjB,OAAO,YAAY,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;QAC9C,CAAC;QAED,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC,CAAC,CAAC,CAAC;QACjG,IAAG,aAAa,EAAE,CAAC;YACjB,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,OAAO,kBAAkB,CAAA;IAC3B,CAAC;IAED;;;;;OAKG;IACI,oBAAoB,CAAC,OAAoC;QAC9D,IAAG,CAAC,OAAO,CAAC,gBAAgB,EAAE,CAAC;YAC7B,OAAO,eAAe,CAAA;QACxB,CAAC;QAED,MAAM,cAAc,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC,CAAC,CAAC,CAAC;QACnG,IAAG,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,OAAO,CAAC,EAAE,CAAC;YAC1D,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QACD,IAAG,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,mBAAmB,CAAC,EAAE,CAAC;YACtE,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,MAAM,eAAe,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC,CAAC,CAAC,CAAC;QAC9F,IAAG,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,OAAO,CAAC,EAAE,CAAC;YAC3D,OAAO,SAAS,CAAA;QAClB,CAAC;QACD,IAAG,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,mBAAmB,CAAC,EAAE,CAAC;YACvE,OAAO,mBAAmB,CAAA;QAC5B,CAAC;QAED,OAAO,iBAAiB,CAAA;IAE1B,CAAC;IAED;;;;;OAKG;IACI,uBAAuB,CAAC,SAA4B;QACzD,IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAAK,OAAO;YACpC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,OAAO,EAAE,CAAC;YACzC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAEM,4BAA4B,CAAC,SAA4B;QAC9D,IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAAK,SAAS;YACtC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,OAAO,EAAE,CAAC;YACzC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAEM,2BAA2B,CAAC,SAA4B;QAC7D,IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAAK,SAAS;YACtC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,MAAM,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAEM,6BAA6B,CAAC,SAA4B;QAC/D,IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAAK,OAAO;YACpC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,MAAM,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;CACF;AAtLD,4DAsLC"}

package/dist/cjs/services/ServiceAuthorizer.d.ts

@@ -1,9 +1,12 @@
 import { EvaluationResult } from "../evaluate.js";
 import { AwsRequest } from "../request/request.js";
+import { SCPAnalysis } from "../SCPAnalysis.js";
 import { StatementAnalysis } from "../StatementAnalysis.js";
 export interface ServiceAuthorizationRequest {
     request: AwsRequest;
     identityStatements: StatementAnalysis[];
+    scpAnalysis: SCPAnalysis[];
+    resourceAnalysis: StatementAnalysis[];
 }
 export interface ServiceAuthorizer {
     authorize(request: ServiceAuthorizationRequest): EvaluationResult;

package/dist/cjs/services/ServiceAuthorizer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/ServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAE5D,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,UAAU,CAAC;IACpB,kBAAkB,EAAE,iBAAiB,EAAE,CAAC;CACzC;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,gBAAgB,CAAA;CAClE"}
+{"version":3,"file":"ServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/ServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAE5D,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,UAAU,CAAC;IACpB,kBAAkB,EAAE,iBAAiB,EAAE,CAAC;IACxC,WAAW,EAAE,WAAW,EAAE,CAAC;IAC3B,gBAAgB,EAAE,iBAAiB,EAAE,CAAC;CACvC;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,gBAAgB,CAAA;CAClE"}

package/dist/cjs/simulation_engine/contextKeys.d.ts

@@ -1,3 +1,11 @@
+/**
+ * Get the allowed context keys for a request.
+ *
+ * @param service The service the action belongs to
+ * @param action The action to get the allowed context keys for
+ * @param resource The resource the action is being performed on
+ * @returns The allowed context keys for the request as lower case strings
+ * @throws error if the service or action does not exist
+ */
 export declare function allowedContextKeysForRequest(service: string, action: string, resource: string): Promise<string[]>;
-export declare function convertPatternToRegex(pattern: string): string;
 //# sourceMappingURL=contextKeys.d.ts.map

package/dist/cjs/simulation_engine/contextKeys.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"contextKeys.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/contextKeys.ts"],"names":[],"mappings":"AAEA,wBAAsB,4BAA4B,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CA4BvH;AAED,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAsB7D"}
+{"version":3,"file":"contextKeys.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/contextKeys.ts"],"names":[],"mappings":"AAIA;;;;;;;;GAQG;AACH,wBAAsB,4BAA4B,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAyBvH"}

package/dist/cjs/simulation_engine/contextKeys.js

@@ -1,53 +1,40 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.allowedContextKeysForRequest = allowedContextKeysForRequest;
-exports.convertPatternToRegex = convertPatternToRegex;
 const iam_data_1 = require("@cloud-copilot/iam-data");
+const globalConditionKeys_js_1 = require("../global_conditions/globalConditionKeys.js");
+const util_js_1 = require("../util.js");
+/**
+ * Get the allowed context keys for a request.
+ *
+ * @param service The service the action belongs to
+ * @param action The action to get the allowed context keys for
+ * @param resource The resource the action is being performed on
+ * @returns The allowed context keys for the request as lower case strings
+ * @throws error if the service or action does not exist
+ */
 async function allowedContextKeysForRequest(service, action, resource) {
     const actionDetails = await (0, iam_data_1.iamActionDetails)(service, action);
-    const actionConditionKeys = actionDetails.conditionKeys;
-    if (actionDetails.resourceTypes.length === 0) {
-        return actionConditionKeys;
+    const actionConditionKeys = (0, util_js_1.lowerCaseAll)(actionDetails.conditionKeys);
+    const isWildCardOnly = await (0, util_js_1.isWildcardOnlyAction)(service, action);
+    if (isWildCardOnly) {
+        return [
+            ...actionConditionKeys,
+            ...(0, globalConditionKeys_js_1.allGlobalConditionKeys)()
+        ];
     }
-    const matchingResourceTypes = [];
-    for (const rt of actionDetails.resourceTypes) {
-        const resourceType = await (0, iam_data_1.iamResourceTypeDetails)(service, rt.name);
-        const pattern = convertPatternToRegex(resourceType.arn);
-        const match = resource.match(new RegExp(pattern));
-        if (match) {
-            matchingResourceTypes.push(resourceType);
-        }
+    const resourceTypes = await (0, util_js_1.getResourceTypesForAction)(service, action, resource);
+    if (resourceTypes.length === 0) {
+        throw new Error(`No resource types found for action ${action} on service ${service}`);
     }
-    if (matchingResourceTypes.length != 1) {
-        const matchNames = matchingResourceTypes.map(rt => rt.key).join(", ");
-        throw new Error(`found ${matchingResourceTypes.length} matching resource types for ${resource}: ${matchNames}`);
+    else if (resourceTypes.length > 1) {
+        throw new Error(`Multiple resource types found for action ${action} on service ${service}`);
     }
-    console.log(matchingResourceTypes[0].key);
+    const resourceTypeConditions = actionDetails.resourceTypes.find(rt => rt.name === resourceTypes[0].key).conditionKeys;
     return [
-        ...matchingResourceTypes[0].conditionKeys,
-        ...actionConditionKeys
+        ...(0, util_js_1.lowerCaseAll)(resourceTypeConditions),
+        ...actionConditionKeys,
+        ...(0, globalConditionKeys_js_1.allGlobalConditionKeys)()
     ];
 }
-function convertPatternToRegex(pattern) {
-    const regex = pattern.replace(/\$\{.*?\}/g, (match) => {
-        const name = match.substring(2, match.length - 1);
-        const camelName = name.at(0)?.toLowerCase() + name.substring(1);
-        return `(?<${camelName}>(.*?))`;
-    });
-    return `^${regex}$`;
-    // const parts = pattern.split('/')
-    // const lastPart = parts[parts.length - 1]
-    // const modifiedParts = parts.map((part) => {
-    //   if (part.startsWith('${') && part.endsWith('}')) {
-    //     const name = part.substring(2, part.length - 1)
-    //     const camelName = name.at(0)?.toLowerCase() + name.substring(1)
-    //     if (part === lastPart) {
-    //       return `(?<${camelName}>(.*))`
-    //     }
-    //     return `(?<${camelName}>([^\/]+))`
-    //   }
-    //   return part
-    // })
-    // return modifiedParts.join('\/')
-}
 //# sourceMappingURL=contextKeys.js.map

package/dist/cjs/simulation_engine/contextKeys.js.map

@@ -1 +1 @@
-{"version":3,"file":"contextKeys.js","sourceRoot":"","sources":["../../../src/simulation_engine/contextKeys.ts"],"names":[],"mappings":";;AAEA,oEA4BC;AAED,sDAsBC;AAtDD,sDAAiG;AAE1F,KAAK,UAAU,4BAA4B,CAAC,OAAe,EAAE,MAAc,EAAE,QAAgB;IAClG,MAAM,aAAa,GAAG,MAAM,IAAA,2BAAgB,EAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC9D,MAAM,mBAAmB,GAAG,aAAa,CAAC,aAAa,CAAC;IACxD,IAAG,aAAa,CAAC,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5C,OAAO,mBAAmB,CAAA;IAC5B,CAAC;IAED,MAAM,qBAAqB,GAAmB,EAAE,CAAC;IACjD,KAAI,MAAM,EAAE,IAAI,aAAa,CAAC,aAAa,EAAE,CAAC;QAC5C,MAAM,YAAY,GAAG,MAAM,IAAA,iCAAsB,EAAC,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC;QACpE,MAAM,OAAO,GAAG,qBAAqB,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;QACxD,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;QAClD,IAAG,KAAK,EAAE,CAAC;YACT,qBAAqB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC;IAED,IAAG,qBAAqB,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QACrC,MAAM,UAAU,GAAG,qBAAqB,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtE,MAAM,IAAI,KAAK,CAAC,SAAS,qBAAqB,CAAC,MAAM,gCAAgC,QAAQ,KAAK,UAAU,EAAE,CAAC,CAAC;IAClH,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAE1C,OAAO;QACL,GAAG,qBAAqB,CAAC,CAAC,CAAC,CAAC,aAAa;QACzC,GAAG,mBAAmB;KACvB,CAAA;AACH,CAAC;AAED,SAAgB,qBAAqB,CAAC,OAAe;IACnD,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,EAAE;QACpD,MAAM,IAAI,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;QACjD,MAAM,SAAS,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAA;QAC/D,OAAO,MAAM,SAAS,SAAS,CAAA;IACjC,CAAC,CAAC,CAAA;IACF,OAAO,IAAI,KAAK,GAAG,CAAA;IAEnB,mCAAmC;IACnC,2CAA2C;IAC3C,8CAA8C;IAC9C,uDAAuD;IACvD,sDAAsD;IACtD,sEAAsE;IACtE,+BAA+B;IAC/B,uCAAuC;IACvC,QAAQ;IACR,yCAAyC;IACzC,MAAM;IACN,gBAAgB;IAChB,KAAK;IACL,kCAAkC;AACpC,CAAC"}
+{"version":3,"file":"contextKeys.js","sourceRoot":"","sources":["../../../src/simulation_engine/contextKeys.ts"],"names":[],"mappings":";;AAaA,oEAyBC;AAtCD,sDAA2D;AAC3D,wFAAqF;AACrF,wCAA2F;AAE3F;;;;;;;;GAQG;AACI,KAAK,UAAU,4BAA4B,CAAC,OAAe,EAAE,MAAc,EAAE,QAAgB;IAClG,MAAM,aAAa,GAAG,MAAM,IAAA,2BAAgB,EAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC9D,MAAM,mBAAmB,GAAG,IAAA,sBAAY,EAAC,aAAa,CAAC,aAAa,CAAC,CAAC;IAEtE,MAAM,cAAc,GAAG,MAAM,IAAA,8BAAoB,EAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACnE,IAAG,cAAc,EAAE,CAAC;QAClB,OAAO;YACL,GAAG,mBAAmB;YACtB,GAAG,IAAA,+CAAsB,GAAE;SAC5B,CAAA;IACH,CAAC;IAED,MAAM,aAAa,GAAG,MAAM,IAAA,mCAAyB,EAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IACjF,IAAG,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,sCAAsC,MAAM,eAAe,OAAO,EAAE,CAAC,CAAA;IACvF,CAAC;SAAM,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CAAC,4CAA4C,MAAM,eAAe,OAAO,EAAE,CAAC,CAAA;IAC7F,CAAC;IACD,MAAM,sBAAsB,GAAG,aAAa,CAAC,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,IAAI,KAAK,aAAa,CAAC,CAAC,CAAC,CAAC,GAAG,CAAE,CAAC,aAAa,CAAA;IAEtH,OAAO;QACL,GAAG,IAAA,sBAAY,EAAC,sBAAsB,CAAC;QACvC,GAAG,mBAAmB;QACtB,GAAG,IAAA,+CAAsB,GAAE;KAC5B,CAAA;AACH,CAAC"}

package/dist/cjs/simulation_engine/simulation.d.ts

@@ -8,6 +8,17 @@ export interface Simulation {
         };
         contextVariables: Record<string, string | string[]>;
     };
-    identityPolicies: Record<string, any>[];
+    identityPolicies: {
+        name: string;
+        policy: any;
+    }[];
+    serviceControlPolicies: {
+        orgIdentifier: string;
+        policies: {
+            name: string;
+            policy: any;
+        }[];
+    }[];
+    resourcePolicy?: any;
 }
 //# sourceMappingURL=simulation.d.ts.map

package/dist/cjs/simulation_engine/simulation.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"simulation.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulation.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,EAAE;YACR,QAAQ,EAAE,MAAM,CAAC;YACjB,SAAS,EAAE,MAAM,CAAA;SAClB,CAAA;QACD,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAC;KACrD,CAAA;IAED,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;CACzC"}
+{"version":3,"file":"simulation.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulation.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,EAAE;YACR,QAAQ,EAAE,MAAM,CAAC;YACjB,SAAS,EAAE,MAAM,CAAA;SAClB,CAAA;QACD,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAC;KACrD,CAAA;IAED,gBAAgB,EAAE;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,GAAG,CAAA;KAAC,EAAE,CAAC;IAChD,sBAAsB,EAAE;QACtB,aAAa,EAAE,MAAM,CAAC;QACtB,QAAQ,EAAE;YAAC,IAAI,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,GAAG,CAAA;SAAC,EAAE,CAAA;KACxC,EAAE,CAAC;IACJ,cAAc,CAAC,EAAE,GAAG,CAAC;CACtB"}

package/dist/cjs/simulation_engine/simulationEngine.d.ts

@@ -1,11 +1,26 @@
 import { ValidationError } from "@cloud-copilot/iam-policy";
+import { EvaluationResult } from "../evaluate.js";
 import { Simulation } from "./simulation.js";
 import { SimulationOptions } from "./simulationOptions.js";
 export interface SimulationErrors {
     identityPolicyErrors?: Record<string, ValidationError[]>;
+    seviceControlPolicyErrors?: Record<string, ValidationError[]>;
+    resourcePolicyErrors?: ValidationError[];
     message: string;
 }
 export interface SimulationResult {
+    errors?: SimulationErrors;
+    result?: {
+        evaluationResult: EvaluationResult;
+    };
 }
+/**
+ * Run a simulation with validation
+ *
+ * @param simulation The simulation to run
+ * @param simulationOptions Options for the simulation
+ * @returns
+ */
 export declare function runSimulation(simulation: Simulation, simulationOptions: Partial<SimulationOptions>): Promise<SimulationResult>;
+export declare function normalizeSimulationParameters(simulation: Simulation): Promise<Record<string, string | string[]>>;
 //# sourceMappingURL=simulationEngine.d.ts.map

package/dist/cjs/simulation_engine/simulationEngine.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"simulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":"AACA,OAAO,EAAwB,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAClF,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC7C,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAE3D,MAAM,WAAW,gBAAgB;IAC/B,oBAAoB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAC;IACzD,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;CAEhC;AAED,wBAAsB,aAAa,CAAC,UAAU,EAAE,UAAU,EAAE,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAmCpI"}
+{"version":3,"file":"simulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":"AACA,OAAO,EAAoG,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAG9J,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAKlD,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC7C,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAE3D,MAAM,WAAW,gBAAgB;IAC/B,oBAAoB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAC;IACzD,yBAAyB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAC;IAC9D,oBAAoB,CAAC,EAAE,eAAe,EAAE,CAAC;IACzC,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,CAAC,EAAE,gBAAgB,CAAC;IAC1B,MAAM,CAAC,EAAE;QACP,gBAAgB,EAAE,gBAAgB,CAAA;KACnC,CAAA;CACF;AAED;;;;;;GAMG;AACH,wBAAsB,aAAa,CAAC,UAAU,EAAE,UAAU,EAAE,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAAG,OAAO,CAAC,gBAAgB,CAAC,CA+HpI;AAED,wBAAsB,6BAA6B,CAAC,UAAU,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAC,CA0BtH"}