@cloud-copilot/iam-simulate 0.1.4 → 0.1.6

package/dist/esm/context_keys/findContextKeys.d.ts

@@ -0,0 +1,19 @@
+import { Policy } from "@cloud-copilot/iam-policy";
+/**
+ * Find all the context keys in a list of policies
+ *
+ * @param policies - The list of policies to search
+ * @returns The list of valid and invalid context keys found in the policies
+ */
+export declare function findContextKeys(policies: Policy[]): Promise<{
+    validKeys: string[];
+    invalidKeys: string[];
+}>;
+/**
+ * Get the context variables used in a policy
+ *
+ * @param policy - The policy to extract variables from
+ * @returns The list of variables used in the policy
+ */
+export declare function getContextKeysFromPolicy(policy: Policy): string[];
+//# sourceMappingURL=findContextKeys.d.ts.map

package/dist/esm/context_keys/findContextKeys.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"findContextKeys.d.ts","sourceRoot":"","sources":["../../../src/context_keys/findContextKeys.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,2BAA2B,CAAC;AAGnD;;;;;GAKG;AACH,wBAAsB,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC;IAAE,SAAS,EAAE,MAAM,EAAE,CAAC;IAAC,WAAW,EAAE,MAAM,EAAE,CAAA;CAAE,CAAC,CAqBjH;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAiBjE"}

package/dist/esm/context_keys/findContextKeys.js

@@ -0,0 +1,53 @@
+import { getVariablesFromString, isActualContextKey, normalizeContextKeyCase } from "../util.js";
+/**
+ * Find all the context keys in a list of policies
+ *
+ * @param policies - The list of policies to search
+ * @returns The list of valid and invalid context keys found in the policies
+ */
+export async function findContextKeys(policies) {
+    const rawKeys = new Set();
+    for (const policy of policies) {
+        getContextKeysFromPolicy(policy).forEach(v => rawKeys.add(v));
+    }
+    const validKeys = new Set();
+    const invalidKeys = new Set();
+    for (const key of rawKeys) {
+        const valid = await isActualContextKey(key);
+        if (valid) {
+            const normalizedKey = await normalizeContextKeyCase(key);
+            validKeys.add(normalizedKey);
+        }
+        else {
+            invalidKeys.add(key);
+        }
+    }
+    return {
+        validKeys: Array.from(validKeys),
+        invalidKeys: Array.from(invalidKeys)
+    };
+}
+/**
+ * Get the context variables used in a policy
+ *
+ * @param policy - The policy to extract variables from
+ * @returns The list of variables used in the policy
+ */
+export function getContextKeysFromPolicy(policy) {
+    const variables = [];
+    for (const statement of policy.statements()) {
+        if (statement.isResourceStatement()) {
+            statement.resources().forEach(r => {
+                variables.push(...getVariablesFromString(r.value()));
+            });
+            for (const condition of statement.conditions()) {
+                variables.push(condition.conditionKey());
+                condition.conditionValues().forEach(v => {
+                    variables.push(...getVariablesFromString(v));
+                });
+            }
+        }
+    }
+    return variables;
+}
+//# sourceMappingURL=findContextKeys.js.map

package/dist/esm/context_keys/findContextKeys.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"findContextKeys.js","sourceRoot":"","sources":["../../../src/context_keys/findContextKeys.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,sBAAsB,EAAE,kBAAkB,EAAE,uBAAuB,EAAE,MAAM,YAAY,CAAC;AAEjG;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,QAAkB;IACtD,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;IAClC,KAAI,MAAM,MAAM,IAAI,QAAQ,EAAE,CAAC;QAC7B,wBAAwB,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAChE,CAAC;IACD,MAAM,SAAS,GAAG,IAAI,GAAG,EAAU,CAAC;IACpC,MAAM,WAAW,GAAG,IAAI,GAAG,EAAU,CAAC;IACtC,KAAI,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;QACzB,MAAM,KAAK,GAAG,MAAM,kBAAkB,CAAC,GAAG,CAAC,CAAC;QAC5C,IAAG,KAAK,EAAE,CAAC;YACT,MAAM,aAAa,GAAG,MAAM,uBAAuB,CAAC,GAAG,CAAC,CAAC;YACzD,SAAS,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;QAC/B,CAAC;aAAM,CAAC;YACN,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IAED,OAAO;QACL,SAAS,EAAE,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC;QAChC,WAAW,EAAE,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC;KACrC,CAAA;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,wBAAwB,CAAC,MAAc;IACrD,MAAM,SAAS,GAAa,EAAE,CAAA;IAC9B,KAAI,MAAM,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;QAC3C,IAAG,SAAS,CAAC,mBAAmB,EAAE,EAAE,CAAC;YACnC,SAAS,CAAC,SAAS,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE;gBAChC,SAAS,CAAC,IAAI,CAAC,GAAG,sBAAsB,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,CAAA;YACtD,CAAC,CAAC,CAAA;YACF,KAAI,MAAM,SAAS,IAAI,SAAS,CAAC,UAAU,EAAE,EAAE,CAAC;gBAC9C,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,CAAC,CAAC;gBACzC,SAAS,CAAC,eAAe,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE;oBACtC,SAAS,CAAC,IAAI,CAAC,GAAG,sBAAsB,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC/C,CAAC,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/esm/core_engine/coreSimulatorEngine.d.ts

@@ -1,8 +1,22 @@
 import { Policy } from "@cloud-copilot/iam-policy";
 import { EvaluationResult } from "../evaluate.js";
 import { AwsRequest } from "../request/request.js";
+import { SCPAnalysis } from "../SCPAnalysis.js";
 import { ServiceAuthorizer } from "../services/ServiceAuthorizer.js";
 import { StatementAnalysis } from "../StatementAnalysis.js";
+/**
+ * A set of service control policies for each level of an organization tree
+ */
+export interface ServiceControlPolicies {
+    /**
+     * The organization identifier for the organizational unit these policies apply to.
+     */
+    orgIdentifier: string;
+    /**
+     * The policies that apply to this organizational unit.
+     */
+    policies: Policy[];
+}
 /**
  * A reqest to authorize a service action.
  */
@@ -15,6 +29,15 @@ export interface AuthorizationRequest {
      * The identity policies that are applicable to the principal making the request.
      */
     identityPolicies: Policy[];
+    /**
+     * The service control policies that apply to the principal making the request. In
+     * order of the orgnaization hierarchy. So the root ou SCPS should be first.
+     */
+    serviceControlPolicies: ServiceControlPolicies[];
+    /**
+     * The resource policy that applies to the resource being accessed.
+     */
+    resourcePolicy: Policy | undefined;
 }
 /**
  * Authorizes a request.
@@ -41,4 +64,20 @@ export declare function getServiceAuthorizer(request: AuthorizationRequest): Ser
  * @returns an array of statement analysis results
  */
 export declare function analyzeIdentityPolicies(identityPolicies: Policy[], request: AwsRequest): StatementAnalysis[];
+/**
+ * Analyzes a set of service control policies and the statements within them.
+ *
+ * @param serviceControlPolicies the service control policies to analyze
+ * @param request the request to analyze against
+ * @returns an array of SCP analysis results
+ */
+export declare function analyzeServiceControlPolicies(serviceControlPolicies: ServiceControlPolicies[], request: AwsRequest): SCPAnalysis[];
+/**
+ * Analyze a resource policy and return the results
+ *
+ * @param resourcePolicy the resource policy to analyze
+ * @param request the request to analyze against
+ * @returns an array of statement analysis results
+ */
+export declare function analyzeResourcePolicy(resourcePolicy: Policy, request: AwsRequest): StatementAnalysis[];
 //# sourceMappingURL=coreSimulatorEngine.d.ts.map

package/dist/esm/core_engine/coreSimulatorEngine.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"coreSimulatorEngine.d.ts","sourceRoot":"","sources":["../../../src/core_engine/coreSimulatorEngine.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,2BAA2B,CAAC;AAGnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAGnD,OAAO,EAAE,iBAAiB,EAAE,MAAM,kCAAkC,CAAC;AACrE,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAE5D;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC;;OAEG;IACH,OAAO,EAAE,UAAU,CAAC;IAEpB;;OAEG;IACH,gBAAgB,EAAE,MAAM,EAAE,CAAA;CAC3B;AAID;;;;;;;GAOG;AACH,wBAAgB,SAAS,CAAC,OAAO,EAAE,oBAAoB,GAAG,gBAAgB,CAOzE;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,oBAAoB,GAAG,iBAAiB,CAMrF;AAED;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,gBAAgB,EAAE,MAAM,EAAE,EAAE,OAAO,EAAE,UAAU,GAAG,iBAAiB,EAAE,CAe5G"}
+{"version":3,"file":"coreSimulatorEngine.d.ts","sourceRoot":"","sources":["../../../src/core_engine/coreSimulatorEngine.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,2BAA2B,CAAC;AAGnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAElD,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAEnD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAEhD,OAAO,EAAE,iBAAiB,EAAE,MAAM,kCAAkC,CAAC;AACrE,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAE5D;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC;;OAEG;IACH,aAAa,EAAE,MAAM,CAAC;IAEtB;;OAEG;IACH,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC;;OAEG;IACH,OAAO,EAAE,UAAU,CAAC;IAEpB;;OAEG;IACH,gBAAgB,EAAE,MAAM,EAAE,CAAA;IAE1B;;;OAGG;IACH,sBAAsB,EAAE,sBAAsB,EAAE,CAAA;IAEhD;;OAEG;IACH,cAAc,EAAE,MAAM,GAAG,SAAS,CAAC;CACpC;AAID;;;;;;;GAOG;AACH,wBAAgB,SAAS,CAAC,OAAO,EAAE,oBAAoB,GAAG,gBAAgB,CAYzE;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,oBAAoB,GAAG,iBAAiB,CAMrF;AAED;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,gBAAgB,EAAE,MAAM,EAAE,EAAE,OAAO,EAAE,UAAU,GAAG,iBAAiB,EAAE,CAe5G;AAED;;;;;;GAMG;AACH,wBAAgB,6BAA6B,CAAC,sBAAsB,EAAE,sBAAsB,EAAE,EAAE,OAAO,EAAE,UAAU,GAAG,WAAW,EAAE,CAsBlI;AAED;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CAAC,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,GAAG,iBAAiB,EAAE,CAatG"}

package/dist/esm/core_engine/coreSimulatorEngine.js

@@ -1,5 +1,6 @@
 import { requestMatchesStatementActions } from "../action/action.js";
 import { requestMatchesConditions } from "../condition/condition.js";
+import { requestMatchesStatementPrincipals } from "../principal/principal.js";
 import { requestMatchesStatementResources } from "../resource/resource.js";
 import { DefaultServiceAuthorizer } from "../services/DefaultServiceAuthorizer.js";
 const serviceEngines = {};
@@ -13,10 +14,14 @@ const serviceEngines = {};
  */
 export function authorize(request) {
     const identityAnalysis = analyzeIdentityPolicies(request.identityPolicies, request.request);
+    const scpAnalysis = analyzeServiceControlPolicies(request.serviceControlPolicies, request.request);
     const serviceAuthorizer = getServiceAuthorizer(request);
+    const resourceAnalysis = request.resourcePolicy ? analyzeResourcePolicy(request.resourcePolicy, request.request) : [];
     return serviceAuthorizer.authorize({
         request: request.request,
         identityStatements: identityAnalysis,
+        scpAnalysis,
+        resourceAnalysis
     });
 }
 /**
@@ -55,4 +60,53 @@ export function analyzeIdentityPolicies(identityPolicies, request) {
     }
     return analysis;
 }
+/**
+ * Analyzes a set of service control policies and the statements within them.
+ *
+ * @param serviceControlPolicies the service control policies to analyze
+ * @param request the request to analyze against
+ * @returns an array of SCP analysis results
+ */
+export function analyzeServiceControlPolicies(serviceControlPolicies, request) {
+    const analysis = [];
+    for (const controlPolicy of serviceControlPolicies) {
+        const ouAnalysis = {
+            orgIdentifier: controlPolicy.orgIdentifier,
+            statementAnalysis: [],
+        };
+        for (const policy of controlPolicy.policies) {
+            for (const statement of policy.statements()) {
+                ouAnalysis.statementAnalysis.push({
+                    statement,
+                    resourceMatch: requestMatchesStatementResources(request, statement),
+                    actionMatch: requestMatchesStatementActions(request, statement),
+                    conditionMatch: requestMatchesConditions(request, statement.conditions()),
+                    principalMatch: 'Match',
+                });
+            }
+        }
+        analysis.push(ouAnalysis);
+    }
+    return analysis;
+}
+/**
+ * Analyze a resource policy and return the results
+ *
+ * @param resourcePolicy the resource policy to analyze
+ * @param request the request to analyze against
+ * @returns an array of statement analysis results
+ */
+export function analyzeResourcePolicy(resourcePolicy, request) {
+    const analysis = [];
+    for (const statement of resourcePolicy.statements()) {
+        analysis.push({
+            statement,
+            resourceMatch: requestMatchesStatementResources(request, statement),
+            actionMatch: requestMatchesStatementActions(request, statement),
+            conditionMatch: requestMatchesConditions(request, statement.conditions()),
+            principalMatch: requestMatchesStatementPrincipals(request, statement),
+        });
+    }
+    return analysis;
+}
 //# sourceMappingURL=coreSimulatorEngine.js.map

package/dist/esm/core_engine/coreSimulatorEngine.js.map

@@ -1 +1 @@
-{"version":3,"file":"coreSimulatorEngine.js","sourceRoot":"","sources":["../../../src/core_engine/coreSimulatorEngine.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,8BAA8B,EAAE,MAAM,qBAAqB,CAAC;AACrE,OAAO,EAAE,wBAAwB,EAAE,MAAM,2BAA2B,CAAC;AAGrE,OAAO,EAAE,gCAAgC,EAAE,MAAM,yBAAyB,CAAC;AAC3E,OAAO,EAAE,wBAAwB,EAAE,MAAM,yCAAyC,CAAC;AAmBnF,MAAM,cAAc,GAAgD,EAAE,CAAC;AAEvE;;;;;;;GAOG;AACH,MAAM,UAAU,SAAS,CAAC,OAA6B;IACrD,MAAM,gBAAgB,GAAG,uBAAuB,CAAC,OAAO,CAAC,gBAAgB,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAC5F,MAAM,iBAAiB,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC;IACxD,OAAO,iBAAiB,CAAC,SAAS,CAAC;QACjC,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,kBAAkB,EAAE,gBAAgB;KACrC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAA6B;IAChE,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,WAAW,EAAE,CAAC;IACnE,IAAG,cAAc,CAAC,WAAW,CAAC,EAAE,CAAC;QAC/B,OAAO,IAAI,cAAc,CAAC,WAAW,CAAC,EAAE,CAAC;IAC3C,CAAC;IACD,OAAO,IAAI,wBAAwB,CAAC;AACtC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,uBAAuB,CAAC,gBAA0B,EAAE,OAAmB;IACrF,MAAM,QAAQ,GAAwB,EAAE,CAAC;IACzC,KAAI,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;QACrC,KAAI,MAAM,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;YAC3C,QAAQ,CAAC,IAAI,CAAC;gBACZ,SAAS;gBACT,aAAa,EAAE,gCAAgC,CAAC,OAAO,EAAE,SAAS,CAAC;gBACnE,WAAW,EAAE,8BAA8B,CAAC,OAAO,EAAE,SAAS,CAAC;gBAC/D,cAAc,EAAE,wBAAwB,CAAC,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE,CAAC;gBACzE,cAAc,EAAE,OAAO;aACxB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}
+{"version":3,"file":"coreSimulatorEngine.js","sourceRoot":"","sources":["../../../src/core_engine/coreSimulatorEngine.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,8BAA8B,EAAE,MAAM,qBAAqB,CAAC;AACrE,OAAO,EAAE,wBAAwB,EAAE,MAAM,2BAA2B,CAAC;AAErE,OAAO,EAAE,iCAAiC,EAAE,MAAM,2BAA2B,CAAC;AAE9E,OAAO,EAAE,gCAAgC,EAAE,MAAM,yBAAyB,CAAC;AAE3E,OAAO,EAAE,wBAAwB,EAAE,MAAM,yCAAyC,CAAC;AA6CnF,MAAM,cAAc,GAAgD,EAAE,CAAC;AAEvE;;;;;;;GAOG;AACH,MAAM,UAAU,SAAS,CAAC,OAA6B;IACrD,MAAM,gBAAgB,GAAG,uBAAuB,CAAC,OAAO,CAAC,gBAAgB,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAC5F,MAAM,WAAW,GAAG,6BAA6B,CAAC,OAAO,CAAC,sBAAsB,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IACnG,MAAM,iBAAiB,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC;IACxD,MAAM,gBAAgB,GAAG,OAAO,CAAC,cAAc,CAAC,CAAC,CAAC,qBAAqB,CAAC,OAAO,CAAC,cAAc,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAEtH,OAAO,iBAAiB,CAAC,SAAS,CAAC;QACjC,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,kBAAkB,EAAE,gBAAgB;QACpC,WAAW;QACX,gBAAgB;KACjB,CAAC,CAAC;AACL,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAA6B;IAChE,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,WAAW,EAAE,CAAC;IACnE,IAAG,cAAc,CAAC,WAAW,CAAC,EAAE,CAAC;QAC/B,OAAO,IAAI,cAAc,CAAC,WAAW,CAAC,EAAE,CAAC;IAC3C,CAAC;IACD,OAAO,IAAI,wBAAwB,CAAC;AACtC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,uBAAuB,CAAC,gBAA0B,EAAE,OAAmB;IACrF,MAAM,QAAQ,GAAwB,EAAE,CAAC;IACzC,KAAI,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;QACrC,KAAI,MAAM,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;YAC3C,QAAQ,CAAC,IAAI,CAAC;gBACZ,SAAS;gBACT,aAAa,EAAE,gCAAgC,CAAC,OAAO,EAAE,SAAS,CAAC;gBACnE,WAAW,EAAE,8BAA8B,CAAC,OAAO,EAAE,SAAS,CAAC;gBAC/D,cAAc,EAAE,wBAAwB,CAAC,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE,CAAC;gBACzE,cAAc,EAAE,OAAO;aACxB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,6BAA6B,CAAC,sBAAgD,EAAE,OAAmB;IACjH,MAAM,QAAQ,GAAkB,EAAE,CAAC;IACnC,KAAI,MAAM,aAAa,IAAI,sBAAsB,EAAE,CAAC;QAClD,MAAM,UAAU,GAAgB;YAC9B,aAAa,EAAE,aAAa,CAAC,aAAa;YAC1C,iBAAiB,EAAE,EAAE;SACtB,CAAA;QACD,KAAI,MAAM,MAAM,IAAI,aAAa,CAAC,QAAQ,EAAE,CAAC;YAC3C,KAAI,MAAM,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;gBAC3C,UAAU,CAAC,iBAAiB,CAAC,IAAI,CAAC;oBAChC,SAAS;oBACT,aAAa,EAAE,gCAAgC,CAAC,OAAO,EAAE,SAAS,CAAC;oBACnE,WAAW,EAAE,8BAA8B,CAAC,OAAO,EAAE,SAAS,CAAC;oBAC/D,cAAc,EAAE,wBAAwB,CAAC,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE,CAAC;oBACzE,cAAc,EAAE,OAAO;iBACxB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QACD,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC5B,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,qBAAqB,CAAC,cAAsB,EAAE,OAAmB;IAC/E,MAAM,QAAQ,GAAwB,EAAE,CAAC;IACzC,KAAI,MAAM,SAAS,IAAI,cAAc,CAAC,UAAU,EAAE,EAAE,CAAC;QACnD,QAAQ,CAAC,IAAI,CAAC;YACZ,SAAS;YACT,aAAa,EAAE,gCAAgC,CAAC,OAAO,EAAE,SAAS,CAAC;YACnE,WAAW,EAAE,8BAA8B,CAAC,OAAO,EAAE,SAAS,CAAC;YAC/D,cAAc,EAAE,wBAAwB,CAAC,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE,CAAC;YACzE,cAAc,EAAE,iCAAiC,CAAC,OAAO,EAAE,SAAS,CAAC;SACtE,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/esm/evaluate.d.ts

@@ -1,2 +1,3 @@
 export type EvaluationResult = 'Allowed' | 'ExplicitlyDenied' | 'AllowedWithConditions' | 'ImplicitlyDenied' | 'Unknown';
+export type ResourceEvaluationResult = 'NotApplicable' | 'Allowed' | 'ExplicitlyDenied' | 'AllowedForAccount' | 'DeniedForAccount' | 'ImplicityDenied';
 //# sourceMappingURL=evaluate.d.ts.map

package/dist/esm/evaluate.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"evaluate.d.ts","sourceRoot":"","sources":["../../src/evaluate.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,gBAAgB,GAAG,SAAS,GAAG,kBAAkB,GAAG,uBAAuB,GAAG,kBAAkB,GAAG,SAAS,CAAC"}
+{"version":3,"file":"evaluate.d.ts","sourceRoot":"","sources":["../../src/evaluate.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,gBAAgB,GAAG,SAAS,GAAG,kBAAkB,GAAG,uBAAuB,GAAG,kBAAkB,GAAG,SAAS,CAAC;AACzH,MAAM,MAAM,wBAAwB,GAAG,eAAe,GAAG,SAAS,GAAG,kBAAkB,GAAG,mBAAmB,GAAG,kBAAkB,GAAG,iBAAiB,CAAC"}

package/dist/esm/global_conditions/globalConditionKeys.d.ts

@@ -0,0 +1,17 @@
+import { ConditionKeyType } from "../ConditionKeys.js";
+interface GlobalConditionKey {
+    key: string;
+    category: string;
+    dataType: ConditionKeyType;
+}
+export declare function getGlobalConditionKey(key: string): GlobalConditionKey | undefined;
+export declare function globalConditionKeyExists(key: string): boolean;
+export declare function getGlobalConditionKeysByCategory(category: string): GlobalConditionKey[];
+/**
+ * Get all the global condition keys as lower case strings
+ *
+ * @returns a list of all the global condition keys
+ */
+export declare function allGlobalConditionKeys(): string[];
+export {};
+//# sourceMappingURL=globalConditionKeys.d.ts.map

package/dist/esm/global_conditions/globalConditionKeys.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"globalConditionKeys.d.ts","sourceRoot":"","sources":["../../../src/global_conditions/globalConditionKeys.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAEvD,UAAU,kBAAkB;IAC1B,GAAG,EAAE,MAAM,CAAA;IACX,QAAQ,EAAE,MAAM,CAAA;IAChB,QAAQ,EAAE,gBAAgB,CAAA;CAC3B;AAyRD,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,MAAM,GAAG,kBAAkB,GAAG,SAAS,CAEjF;AAED,wBAAgB,wBAAwB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAE7D;AAED,wBAAgB,gCAAgC,CAAC,QAAQ,EAAE,MAAM,GAAG,kBAAkB,EAAE,CAEvF;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,IAAI,MAAM,EAAE,CAEjD"}

package/dist/esm/global_conditions/globalConditionKeys.js

@@ -0,0 +1,290 @@
+const globalConditionKeys = [
+    {
+        key: "aws:PrincipalArn",
+        category: "principal",
+        dataType: "ARN"
+    },
+    {
+        key: "aws:PrincipalAccount",
+        category: "principal",
+        dataType: "String"
+    },
+    {
+        key: "aws:PrincipalOrgPaths",
+        category: "principal",
+        dataType: "ArrayOfString"
+    },
+    {
+        key: "aws:PrincipalOrgID",
+        category: "principal",
+        dataType: "String"
+    },
+    {
+        key: "aws:PrincipalTag/tag-key",
+        category: "principal",
+        dataType: "String"
+    },
+    {
+        key: "aws:PrincipalIsAWSService",
+        category: "principal",
+        dataType: "Bool"
+    },
+    {
+        key: "aws:PrincipalServiceName",
+        category: "principal",
+        dataType: "String"
+    },
+    {
+        key: "aws:PrincipalServiceNamesList",
+        category: "principal",
+        dataType: "ArrayOfString"
+    },
+    {
+        key: "aws:PrincipalType",
+        category: "principal",
+        dataType: "String"
+    },
+    {
+        key: "aws:userid",
+        category: "principal",
+        dataType: "String"
+    },
+    {
+        key: "aws:username",
+        category: "principal",
+        dataType: "String"
+    },
+    {
+        key: "aws:AssumedRoot",
+        category: "session",
+        dataType: "String",
+    },
+    {
+        key: "aws:FederatedProvider",
+        category: "session",
+        dataType: "String",
+    },
+    {
+        key: "aws:TokenIssueTime",
+        category: "session",
+        dataType: "Date",
+    },
+    {
+        key: "aws:MultiFactorAuthAge",
+        category: "session",
+        dataType: "Numeric",
+    },
+    {
+        key: "aws:MultiFactorAuthPresent",
+        category: "session",
+        dataType: "Bool",
+    },
+    {
+        key: "aws:ChatbotSourceArn",
+        category: "session",
+        dataType: "ARN",
+    },
+    {
+        key: "aws:Ec2InstanceSourceVpc",
+        category: "session",
+        dataType: "String",
+    },
+    {
+        key: "aws:Ec2InstanceSourcePrivateIPv4",
+        category: "session",
+        dataType: "IPAddress",
+    },
+    {
+        key: "aws:SourceIdentity",
+        category: "session",
+        dataType: "String",
+    },
+    {
+        key: "ec2:RoleDelivery",
+        category: "session",
+        dataType: "Numeric",
+    },
+    {
+        key: "ec2:SourceInstanceArn",
+        category: "session",
+        dataType: "ARN",
+    },
+    {
+        key: "glue:RoleAssumedBy",
+        category: "session",
+        dataType: "String",
+    },
+    {
+        key: "glue:CredentialIssuingService",
+        category: "session",
+        dataType: "String",
+    },
+    {
+        key: "lambda:SourceFunctionArn",
+        category: "session",
+        dataType: "ARN",
+    },
+    {
+        key: "ssm:SourceInstanceArn",
+        category: "session",
+        dataType: "ARN",
+    },
+    {
+        key: "identitystore:UserId",
+        category: "session",
+        dataType: "String",
+    },
+    {
+        key: "aws:SourceIp",
+        category: "network",
+        dataType: "IPAddress",
+    },
+    {
+        key: "aws:SourceVpc",
+        category: "network",
+        dataType: "String",
+    },
+    {
+        key: "aws:SourceVpce",
+        category: "network",
+        dataType: "String",
+    },
+    {
+        key: "aws:VpcSourceIp  ",
+        category: "network",
+        dataType: "IPAddress",
+    },
+    {
+        key: "aws:ResourceAccount",
+        category: "resource",
+        dataType: "String",
+    },
+    {
+        key: "aws:ResourceOrgID",
+        category: "resource",
+        dataType: "String",
+    },
+    {
+        key: "aws:ResourceOrgPaths",
+        category: "resource",
+        dataType: "ArrayOfString",
+    },
+    {
+        key: "aws:ResourceTag/tag-key",
+        category: "resource",
+        dataType: "String",
+    },
+    {
+        key: "aws:CalledVia",
+        category: "request",
+        dataType: "ArrayOfString",
+    },
+    {
+        key: "aws:CalledViaFirst",
+        category: "request",
+        dataType: "String",
+    },
+    {
+        key: "aws:CalledViaLast",
+        category: "request",
+        dataType: "String",
+    },
+    {
+        key: "aws:ViaAWSService",
+        category: "request",
+        dataType: "Bool",
+    },
+    {
+        key: "aws:CurrentTime",
+        category: "request",
+        dataType: "Date",
+    },
+    {
+        key: "aws:EpochTime",
+        category: "request",
+        dataType: "Date", //Can Also be Numeric...
+    },
+    {
+        key: "aws:referer",
+        category: "request",
+        dataType: "String",
+    },
+    {
+        key: "aws:RequestedRegion",
+        category: "request",
+        dataType: "String",
+    },
+    {
+        key: "aws:RequestTag/tag-key",
+        category: "request",
+        dataType: "String",
+    },
+    {
+        key: "aws:TagKeys",
+        category: "request",
+        dataType: "ArrayOfString",
+    },
+    {
+        key: "aws:SecureTransport",
+        category: "request",
+        dataType: "Bool",
+    },
+    {
+        key: "aws:SourceArn",
+        category: "request",
+        dataType: "ARN",
+    },
+    {
+        key: "aws:SourceAccount",
+        category: "request",
+        dataType: "String",
+    },
+    {
+        key: "aws:SourceOwner",
+        category: "request",
+        dataType: "String",
+    },
+    {
+        key: "aws:SourceOrgPaths",
+        category: "request",
+        dataType: "ArrayOfString",
+    },
+    {
+        key: "aws:SourceOrgID",
+        category: "request",
+        dataType: "String",
+    },
+    {
+        key: "aws:UserAgent",
+        category: "request",
+        dataType: "String",
+    }
+];
+const keysByName = globalConditionKeys.reduce((acc, key) => {
+    acc[key.key.toLowerCase()] = key;
+    return acc;
+}, {});
+const keysByCategory = globalConditionKeys.reduce((acc, key) => {
+    const lowerCategory = key.category.toLowerCase();
+    acc[lowerCategory] = acc[lowerCategory] || [];
+    acc[lowerCategory].push(key);
+    return acc;
+}, {});
+export function getGlobalConditionKey(key) {
+    return keysByName[key.toLowerCase()];
+}
+export function globalConditionKeyExists(key) {
+    return !!getGlobalConditionKey(key);
+}
+export function getGlobalConditionKeysByCategory(category) {
+    return keysByCategory[category.toLowerCase()] || [];
+}
+/**
+ * Get all the global condition keys as lower case strings
+ *
+ * @returns a list of all the global condition keys
+ */
+export function allGlobalConditionKeys() {
+    return Object.keys(keysByCategory);
+}
+//# sourceMappingURL=globalConditionKeys.js.map

package/dist/esm/global_conditions/globalConditionKeys.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"globalConditionKeys.js","sourceRoot":"","sources":["../../../src/global_conditions/globalConditionKeys.ts"],"names":[],"mappings":"AAQA,MAAM,mBAAmB,GAAyB;IAChD;QACE,GAAG,EAAE,kBAAkB;QACvB,QAAQ,EAAE,WAAW;QACrB,QAAQ,EAAE,KAAK;KAChB;IACD;QACE,GAAG,EAAE,sBAAsB;QAC3B,QAAQ,EAAE,WAAW;QACrB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,uBAAuB;QAC5B,QAAQ,EAAE,WAAW;QACrB,QAAQ,EAAE,eAAe;KAC1B;IACD;QACE,GAAG,EAAE,oBAAoB;QACzB,QAAQ,EAAE,WAAW;QACrB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,0BAA0B;QAC/B,QAAQ,EAAE,WAAW;QACrB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,2BAA2B;QAChC,QAAQ,EAAE,WAAW;QACrB,QAAQ,EAAE,MAAM;KACjB;IACD;QACE,GAAG,EAAE,0BAA0B;QAC/B,QAAQ,EAAE,WAAW;QACrB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,+BAA+B;QACpC,QAAQ,EAAE,WAAW;QACrB,QAAQ,EAAE,eAAe;KAC1B;IACD;QACE,GAAG,EAAE,mBAAmB;QACxB,QAAQ,EAAE,WAAW;QACrB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,YAAY;QACjB,QAAQ,EAAE,WAAW;QACrB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,cAAc;QACnB,QAAQ,EAAE,WAAW;QACrB,QAAQ,EAAE,QAAQ;KACnB;IAED;QACE,GAAG,EAAE,iBAAiB;QACtB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,uBAAuB;QAC5B,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,oBAAoB;QACzB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,MAAM;KACjB;IACD;QACE,GAAG,EAAE,wBAAwB;QAC7B,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,SAAS;KACpB;IACD;QACE,GAAG,EAAE,4BAA4B;QACjC,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,MAAM;KACjB;IACD;QACE,GAAG,EAAE,sBAAsB;QAC3B,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,KAAK;KAChB;IACD;QACE,GAAG,EAAE,0BAA0B;QAC/B,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,kCAAkC;QACvC,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,WAAW;KACtB;IACD;QACE,GAAG,EAAE,oBAAoB;QACzB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,kBAAkB;QACvB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,SAAS;KACpB;IACD;QACE,GAAG,EAAE,uBAAuB;QAC5B,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,KAAK;KAChB;IACD;QACE,GAAG,EAAE,oBAAoB;QACzB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,+BAA+B;QACpC,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,0BAA0B;QAC/B,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,KAAK;KAChB;IACD;QACE,GAAG,EAAE,uBAAuB;QAC5B,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,KAAK;KAChB;IACD;QACE,GAAG,EAAE,sBAAsB;QAC3B,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;IAED;QACE,GAAG,EAAE,cAAc;QACnB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,WAAW;KACtB;IACD;QACE,GAAG,EAAE,eAAe;QACpB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,gBAAgB;QACrB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,mBAAmB;QACxB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,WAAW;KACtB;IAED;QACE,GAAG,EAAE,qBAAqB;QAC1B,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,mBAAmB;QACxB,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,sBAAsB;QAC3B,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,eAAe;KAC1B;IACD;QACE,GAAG,EAAE,yBAAyB;QAC9B,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IAED;QACE,GAAG,EAAE,eAAe;QACpB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,eAAe;KAC1B;IACD;QACE,GAAG,EAAE,oBAAoB;QACzB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,mBAAmB;QACxB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,mBAAmB;QACxB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,MAAM;KACjB;IACD;QACE,GAAG,EAAE,iBAAiB;QACtB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,MAAM;KACjB;IACD;QACE,GAAG,EAAE,eAAe;QACpB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,MAAM,EAAE,wBAAwB;KAC3C;IACD;QACE,GAAG,EAAE,aAAa;QAClB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,qBAAqB;QAC1B,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,wBAAwB;QAC7B,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,aAAa;QAClB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,eAAe;KAC1B;IACD;QACE,GAAG,EAAE,qBAAqB;QAC1B,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,MAAM;KACjB;IACD;QACE,GAAG,EAAE,eAAe;QACpB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,KAAK;KAChB;IACD;QACE,GAAG,EAAE,mBAAmB;QACxB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,iBAAiB;QACtB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,oBAAoB;QACzB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,eAAe;KAC1B;IACD;QACE,GAAG,EAAE,iBAAiB;QACtB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,eAAe;QACpB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;CACF,CAAA;AAED,MAAM,UAAU,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;IACzD,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,GAAG,GAAG,CAAC;IACjC,OAAO,GAAG,CAAC;AACb,CAAC,EAAE,EAAwC,CAAC,CAAC;AAE7C,MAAM,cAAc,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;IAC7D,MAAM,aAAa,GAAG,GAAG,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;IACjD,GAAG,CAAC,aAAa,CAAC,GAAG,GAAG,CAAC,aAAa,CAAC,IAAI,EAAE,CAAC;IAC9C,GAAG,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC7B,OAAO,GAAG,CAAC;AACb,CAAC,EAAE,EAA0C,CAAC,CAAC;AAE/C,MAAM,UAAU,qBAAqB,CAAC,GAAW;IAC/C,OAAO,UAAU,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC;AACvC,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,GAAW;IAClD,OAAO,CAAC,CAAC,qBAAqB,CAAC,GAAG,CAAC,CAAC;AACtC,CAAC;AAED,MAAM,UAAU,gCAAgC,CAAC,QAAgB;IAC/D,OAAO,cAAc,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC;AACtD,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,sBAAsB;IACpC,OAAO,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;AACrC,CAAC"}

package/dist/esm/index.d.ts

@@ -1,6 +1,9 @@
+export { findContextKeys } from './context_keys/findContextKeys.js';
 export { type EvaluationResult } from './evaluate.js';
+export { allowedContextKeysForRequest } from './simulation_engine/contextKeys.js';
 export { type Simulation } from './simulation_engine/simulation.js';
 export { runSimulation } from './simulation_engine/simulationEngine.js';
 export { type SimulationOptions } from './simulation_engine/simulationOptions.js';
 export { runUnsafeSimulation } from './simulation_engine/unsafeSimulationEngine.js';
+export { isWildcardOnlyAction } from './util.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/esm/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACtD,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,mCAAmC,CAAC;AACpE,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAC;AACxE,OAAO,EAAE,KAAK,iBAAiB,EAAE,MAAM,0CAA0C,CAAC;AAClF,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAC;AACpE,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACtD,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAC;AAClF,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,mCAAmC,CAAC;AACpE,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAC;AACxE,OAAO,EAAE,KAAK,iBAAiB,EAAE,MAAM,0CAA0C,CAAC;AAClF,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAC;AACpF,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC"}

package/dist/esm/index.js

@@ -1,3 +1,6 @@
+export { findContextKeys } from './context_keys/findContextKeys.js';
+export { allowedContextKeysForRequest } from './simulation_engine/contextKeys.js';
 export { runSimulation } from './simulation_engine/simulationEngine.js';
 export { runUnsafeSimulation } from './simulation_engine/unsafeSimulationEngine.js';
+export { isWildcardOnlyAction } from './util.js';
 //# sourceMappingURL=index.js.map

package/dist/esm/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAC;AAExE,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAC;AAEpE,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAC;AAElF,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAC;AAExE,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAC;AACpF,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC"}

package/dist/esm/principal/principal.d.ts

@@ -1,4 +1,4 @@
-import { Principal } from "@cloud-copilot/iam-policy";
+import { Principal, Statement } from "@cloud-copilot/iam-policy";
 import { AwsRequest } from "../request/request.js";
 export type PrincipalMatchResult = 'Match' | 'NoMatch' | 'AccountLevelMatch';
 /**
@@ -27,4 +27,12 @@ export declare function requestMatchesNotPrincipal(request: AwsRequest, notPrinc
 export declare function requestMatchesPrincipalStatement(request: AwsRequest, principalStatement: Principal): PrincipalMatchResult;
 export declare function isAssumedRoleArn(principal: string): boolean;
 export declare function roleArnFromAssumedRoleArn(assumedRoleArn: string): string;
+/**
+ * Check if a request matches the Resource or NotResource elements of a statement.
+ *
+ * @param request the request to check
+ * @param statement the statement to check against
+ * @returns true if the request matches the resources in the statement, false otherwise
+ */
+export declare function requestMatchesStatementPrincipals(request: AwsRequest, statement: Statement): PrincipalMatchResult;
 //# sourceMappingURL=principal.d.ts.map

package/dist/esm/principal/principal.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"principal.d.ts","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AA4CnD,MAAM,MAAM,oBAAoB,GAAG,OAAO,GAAG,SAAS,GAAG,mBAAmB,CAAA;AAE5E;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,oBAAoB,CAWzG;AAED;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,SAAS,EAAE,GAAG,oBAAoB,CAiB/G;AAED;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAAC,OAAO,EAAE,UAAU,EAAE,kBAAkB,EAAE,SAAS,GAAG,oBAAoB,CAgDzH;AAID,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAE3D;AAED,wBAAgB,yBAAyB,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAKxE"}
+{"version":3,"file":"principal.d.ts","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AA4CnD,MAAM,MAAM,oBAAoB,GAAG,OAAO,GAAG,SAAS,GAAG,mBAAmB,CAAA;AAE5E;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,oBAAoB,CAWzG;AAED;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,SAAS,EAAE,GAAG,oBAAoB,CAiB/G;AAED;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAAC,OAAO,EAAE,UAAU,EAAE,kBAAkB,EAAE,SAAS,GAAG,oBAAoB,CAgDzH;AAID,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAE3D;AAED,wBAAgB,yBAAyB,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAKxE;AAED;;;;;;GAMG;AACH,wBAAgB,iCAAiC,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,GAAG,oBAAoB,CAOjH"}

package/dist/esm/principal/principal.js

@@ -97,4 +97,20 @@ export function roleArnFromAssumedRoleArn(assumedRoleArn) {
     const rolePathAndName = resourceParts.slice(1, -1).join('/');
     return `arn:aws:iam::${stsParts[4]}:role/${rolePathAndName}`;
 }
+/**
+ * Check if a request matches the Resource or NotResource elements of a statement.
+ *
+ * @param request the request to check
+ * @param statement the statement to check against
+ * @returns true if the request matches the resources in the statement, false otherwise
+ */
+export function requestMatchesStatementPrincipals(request, statement) {
+    if (statement.isPrincipalStatement()) {
+        return requestMatchesPrincipal(request, statement.principals());
+    }
+    else if (statement.isNotPrincipalStatement()) {
+        return requestMatchesNotPrincipal(request, statement.notPrincipals());
+    }
+    throw new Error('Statement should have Principal or NotPrincipal');
+}
 //# sourceMappingURL=principal.js.map