@cloud-copilot/iam-simulate 0.1.40 → 0.1.42
- package/dist/cjs/core_engine/CoreSimulatorEngine.d.ts +3 -3
- package/dist/cjs/services/DefaultServiceAuthorizer.d.ts.map +1 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.js +15 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.js.map +1 -1
- package/dist/cjs/services/StsServiceAuthorizer.d.ts +3 -1
- package/dist/cjs/services/StsServiceAuthorizer.d.ts.map +1 -1
- package/dist/cjs/services/StsServiceAuthorizer.js +15 -0
- package/dist/cjs/services/StsServiceAuthorizer.js.map +1 -1
- package/dist/esm/core_engine/CoreSimulatorEngine.d.ts +3 -3
- package/dist/esm/services/DefaultServiceAuthorizer.d.ts.map +1 -1
- package/dist/esm/services/DefaultServiceAuthorizer.js +16 -2
- package/dist/esm/services/DefaultServiceAuthorizer.js.map +1 -1
- package/dist/esm/services/StsServiceAuthorizer.d.ts +3 -1
- package/dist/esm/services/StsServiceAuthorizer.d.ts.map +1 -1
- package/dist/esm/services/StsServiceAuthorizer.js +15 -0
- package/dist/esm/services/StsServiceAuthorizer.js.map +1 -1
- package/package.json +2 -2
|
@@ -16,7 +16,7 @@ export interface ControlPolicies {
|
|
|
16
16
|
policies: Policy[];
|
|
17
17
|
}
|
|
18
18
|
/**
|
|
19
|
-
* A
|
|
19
|
+
* A request to authorize a service action.
|
|
20
20
|
*/
|
|
21
21
|
export interface AuthorizationRequest {
|
|
22
22
|
/**
|
|
@@ -29,12 +29,12 @@ export interface AuthorizationRequest {
|
|
|
29
29
|
identityPolicies: Policy[];
|
|
30
30
|
/**
|
|
31
31
|
* The service control policies that apply to the principal making the request. In
|
|
32
|
-
* order of the
|
|
32
|
+
* order of the organization hierarchy. So the root ou SCPs should be first.
|
|
33
33
|
*/
|
|
34
34
|
serviceControlPolicies: ControlPolicies[];
|
|
35
35
|
/**
|
|
36
36
|
* The resource control policies that apply to the resource being accessed. In
|
|
37
|
-
* order of the
|
|
37
|
+
* order of the organization hierarchy. So the root ou RCPs should be first.
|
|
38
38
|
*/
|
|
39
39
|
resourceControlPolicies: ControlPolicies[];
|
|
40
40
|
/**
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AAClE,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAA;AAC/D,OAAO,EAAE,2BAA2B,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAEvF;;GAEG;AACH,qBAAa,wBAAyB,YAAW,iBAAiB;IACzD,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe;IAuLvE;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAW,EAAE,OAAO,EACpB,gBAAgB,EAAE,gBAAgB,EAClC,QAAQ,EAAE,eAAe,GACxB,OAAO;CASX"}
|
|
@@ -54,6 +54,20 @@ class DefaultServiceAuthorizer {
|
|
|
54
54
|
...baseResult
|
|
55
55
|
};
|
|
56
56
|
}
|
|
57
|
+
// Service Principals
|
|
58
|
+
if ((0, iam_utils_1.isServicePrincipal)(request.request.principal.value())) {
|
|
59
|
+
// Service principals are allowed if the resource policy allows them
|
|
60
|
+
if (resourcePolicyResult === 'Allowed') {
|
|
61
|
+
return {
|
|
62
|
+
result: 'Allowed',
|
|
63
|
+
...baseResult
|
|
64
|
+
};
|
|
65
|
+
}
|
|
66
|
+
return {
|
|
67
|
+
result: 'ImplicitlyDenied',
|
|
68
|
+
...baseResult
|
|
69
|
+
};
|
|
70
|
+
}
|
|
57
71
|
//Same Account
|
|
58
72
|
if (principalAccount === resourceAccount) {
|
|
59
73
|
if (permissionBoundaryResult === 'ImplicitlyDenied') {
|
|
@@ -86,7 +100,7 @@ class DefaultServiceAuthorizer {
|
|
|
86
100
|
/*
|
|
87
101
|
TODO: Implicit denies in identity policies
|
|
88
102
|
I think if the identity policy has an implicit deny for assumed roles or federated users,
|
|
89
|
-
then the resource policy must have the
|
|
103
|
+
then the resource policy must have the federated or assumed role ARN exactly.
|
|
90
104
|
|
|
91
105
|
That doesn't seem right though. I know many cases where the resource policy has the role ARN and it works
|
|
92
106
|
|
|
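Review bot: The comment `// Service principals are allowed if the resource policy allows them` understates what the new branch decides: for a service principal it skips the identity-policy, permission-boundary and same-account logic entirely and accepts only a `resourcePolicyResult` of exactly `'Allowed'`, so any other result — an account-level match, or no resource policy at all (the result is read with optional chaining) — falls through to `ImplicitlyDenied`. I would spell that out so the next reader does not "fix" it: `// Service principals (e.g. lambda.amazonaws.com) carry no identity policies or boundaries; only a resource policy that names the service ('Allowed', never an account-level match) grants access, after the explicit-deny checks above.` The explicit-deny checks that run before this branch are outside the hunk, and `authorize` starts and ends outside it.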
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":";;;AAAA,
|
|
1
|
+
{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":";;;AAAA,wDAKiC;AAKjC;;GAEG;AACH,MAAa,wBAAwB;IAC5B,SAAS,CAAC,OAAoC;QACnD,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,uBAAuB,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAA;QAC/D,MAAM,oBAAoB,GAAG,OAAO,CAAC,gBAAgB,EAAE,MAAM,CAAA;QAC7D,MAAM,wBAAwB,GAAG,OAAO,CAAC,0BAA0B,EAAE,MAAM,CAAA;QAE3E,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;QAC7D,MAAM,WAAW,GAAG,gBAAgB,KAAK,eAAe,CAAA;QAExD,MAAM,UAAU,GAQZ;YACF,WAAW;YACX,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,0BAA0B,EAAE,OAAO,CAAC,0BAA0B;SAC/D,CAAA;QAED,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IACE,oBAAoB,KAAK,kBAAkB;YAC3C,oBAAoB,KAAK,kBAAkB,EAC3C,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,uBAAuB,KAAK,kBAAkB,EAAE,CAAC;YACnD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACpD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,qBAAqB;QACrB,IAAI,IAAA,8BAAkB,EAAC,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC;YAC1D,oEAAoE;YACpE,IAAI,oBAAoB,KAAK,SAAS,EAAE,CAAC;gBACvC,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,cAAc;QACd,IAAI,gBAAgB,KAAK,eAAe,EAAE,CAAC;YACzC,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;gBACpD;;;;;;;mBAOG;gBACH,IAAI,oBAAoB,KAAK,SAAS,EAAE,CAAC;oBACvC,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;oBACnD,IACE,IAAA,4BAAgB,EAAC,SAAS,CAAC;wBAC3B,IAAA,wBAAY,EAAC,SAAS,C
AAC;wBACvB,IAAA,8BAAkB,EAAC,SAAS,CAAC,EAC7B,CAAC;wBACD,IACE,OAAO,CAAC,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC3C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,OAAO,CACpD,EACD,CAAC;4BACD,OAAO;gCACL,MAAM,EAAE,SAAS;gCACjB,GAAG,UAAU;6BACd,CAAA;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;gBACD,OAAO;oBACL,MAAM,EAAE,kBAAkB;oBAC1B,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YAED;;;;;;;;cAQE;YAEF,MAAM,cAAc,GAAG,IAAI,CAAC,6BAA6B,CACvD,WAAW,EACX,OAAO,CAAC,gBAAgB,EACxB,OAAO,CAAC,OAAO,CAAC,QAAQ,CACzB,CAAA;YACD,IACE,oBAAoB,KAAK,SAAS;gBAClC,CAAC,cAAc,IAAI,uBAAuB,KAAK,SAAS,CAAC,EACzD,CAAC;gBACD,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,eAAe;QACf,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACpD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,oBAAoB,KAAK,SAAS,IAAI,oBAAoB,KAAK,mBAAmB,EAAE,CAAC;YACvF,IAAI,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBAC1C,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,OAAO;YACL,MAAM,EAAE,kBAAkB;YAC1B,GAAG,UAAU;SACd,CAAA;QAED;;;;;;;WAOG;IACL,CAAC;IAED;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAoB,EACpB,gBAAkC,EAClC,QAAyB;QAEzB,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,IAAI,CAAA;QACb,CAAC;QAED,OAAO,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC1C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,mBAAmB,CAChE,CAAA;IACH,CAAC;CACF;AA5MD,4DA4MC"}
|
|
@@ -1,10 +1,12 @@
|
|
|
1
|
-
import { ResourceAnalysis } from '../evaluate.js';
|
|
1
|
+
import { RequestAnalysis, ResourceAnalysis } from '../evaluate.js';
|
|
2
2
|
import { RequestResource } from '../request/requestResource.js';
|
|
3
3
|
import { DefaultServiceAuthorizer } from './DefaultServiceAuthorizer.js';
|
|
4
|
+
import { ServiceAuthorizationRequest } from './ServiceAuthorizer.js';
|
|
4
5
|
/**
|
|
5
6
|
* The default authorizer for services.
|
|
6
7
|
*/
|
|
7
8
|
export declare class StsServiceAuthorizer extends DefaultServiceAuthorizer {
|
|
9
|
+
authorize(request: ServiceAuthorizationRequest): RequestAnalysis;
|
|
8
10
|
/**
|
|
9
11
|
* Determines if the service trusts the principal's Account's IAM policies
|
|
10
12
|
*
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"StsServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/StsServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;
|
|
1
|
+
{"version":3,"file":"StsServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/StsServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AAClE,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAA;AAC/D,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAA;AACxE,OAAO,EAAE,2BAA2B,EAAE,MAAM,wBAAwB,CAAA;AAEpE;;GAEG;AACH,qBAAa,oBAAqB,SAAQ,wBAAwB;IACzD,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe;IAUvE;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAW,EAAE,OAAO,EACpB,gBAAgB,EAAE,gBAAgB,EAClC,QAAQ,EAAE,eAAe,GACxB,OAAO;CAeX"}
|
|
@@ -6,6 +6,15 @@ const DefaultServiceAuthorizer_js_1 = require("./DefaultServiceAuthorizer.js");
|
|
|
6
6
|
* The default authorizer for services.
|
|
7
7
|
*/
|
|
8
8
|
class StsServiceAuthorizer extends DefaultServiceAuthorizer_js_1.DefaultServiceAuthorizer {
|
|
9
|
+
authorize(request) {
|
|
10
|
+
if (request.request.action.value().toLowerCase() === 'sts:getcalleridentity') {
|
|
11
|
+
return {
|
|
12
|
+
result: 'Allowed',
|
|
13
|
+
sameAccount: true
|
|
14
|
+
};
|
|
15
|
+
}
|
|
16
|
+
return super.authorize(request);
|
|
17
|
+
}
|
|
9
18
|
/**
|
|
10
19
|
* Determines if the service trusts the principal's Account's IAM policies
|
|
11
20
|
*
|
|
@@ -14,9 +23,15 @@ class StsServiceAuthorizer extends DefaultServiceAuthorizer_js_1.DefaultServiceA
|
|
|
14
23
|
* @returns true if the service trusts the principal's account IAM policies
|
|
15
24
|
*/
|
|
16
25
|
serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis, resource) {
|
|
26
|
+
//If there is no resource policy, the service trusts the principal's account IAM policies
|
|
17
27
|
if (sameAccount && resourceAnalysis.result === 'NotApplicable') {
|
|
18
28
|
return true;
|
|
19
29
|
}
|
|
30
|
+
/*
|
|
31
|
+
If there is a resource policy, for instance a role trust policy,
|
|
32
|
+
the trust policy must explicitly allow the principal's account,
|
|
33
|
+
even if the principal and resource are in the same account.
|
|
34
|
+
*/
|
|
20
35
|
return resourceAnalysis.allowStatements.some((statement) => statement.principalMatch === 'AccountLevelMatch');
|
|
21
36
|
}
|
|
22
37
|
}
|
|
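Review bot: The `sts:getcalleridentity` short-circuit returns `'Allowed'` before `super.authorize` runs, so it bypasses every explicit deny the base class checks; that matches AWS, which documents GetCallerIdentity as requiring no permissions and succeeding even when a policy explicitly denies it, but nothing in the code says so and a later reader will read it as a hole. Add the rationale above the `if`: `// sts:GetCallerIdentity needs no permissions and succeeds even under an explicit deny (the same data is returned on AccessDenied), so it skips policy evaluation entirely.` A test that supplies an explicit deny and still expects `'Allowed'` would keep that intent from being "fixed" away. In the second hunk, "the trust policy must explicitly allow the principal's account" is slightly loose: the method returns true only on an `'AccountLevelMatch'`, i.e. account-level trust that then defers to the principal's identity policies, and an exact role-ARN match is handled by the resource-policy result instead.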
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"StsServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/StsServiceAuthorizer.ts"],"names":[],"mappings":";;;AAEA,+EAAwE;
|
|
1
|
+
{"version":3,"file":"StsServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/StsServiceAuthorizer.ts"],"names":[],"mappings":";;;AAEA,+EAAwE;AAGxE;;GAEG;AACH,MAAa,oBAAqB,SAAQ,sDAAwB;IACzD,SAAS,CAAC,OAAoC;QACnD,IAAI,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,WAAW,EAAE,KAAK,uBAAuB,EAAE,CAAC;YAC7E,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,WAAW,EAAE,IAAI;aAClB,CAAA;QACH,CAAC;QACD,OAAO,KAAK,CAAC,SAAS,CAAC,OAAO,CAAC,CAAA;IACjC,CAAC;IAED;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAoB,EACpB,gBAAkC,EAClC,QAAyB;QAEzB,yFAAyF;QACzF,IAAI,WAAW,IAAI,gBAAgB,CAAC,MAAM,KAAK,eAAe,EAAE,CAAC;YAC/D,OAAO,IAAI,CAAA;QACb,CAAC;QAED;;;;UAIE;QACF,OAAO,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC1C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,mBAAmB,CAChE,CAAA;IACH,CAAC;CACF;AArCD,oDAqCC"}
|
|
@@ -16,7 +16,7 @@ export interface ControlPolicies {
|
|
|
16
16
|
policies: Policy[];
|
|
17
17
|
}
|
|
18
18
|
/**
|
|
19
|
-
* A
|
|
19
|
+
* A request to authorize a service action.
|
|
20
20
|
*/
|
|
21
21
|
export interface AuthorizationRequest {
|
|
22
22
|
/**
|
|
@@ -29,12 +29,12 @@ export interface AuthorizationRequest {
|
|
|
29
29
|
identityPolicies: Policy[];
|
|
30
30
|
/**
|
|
31
31
|
* The service control policies that apply to the principal making the request. In
|
|
32
|
-
* order of the
|
|
32
|
+
* order of the organization hierarchy. So the root ou SCPs should be first.
|
|
33
33
|
*/
|
|
34
34
|
serviceControlPolicies: ControlPolicies[];
|
|
35
35
|
/**
|
|
36
36
|
* The resource control policies that apply to the resource being accessed. In
|
|
37
|
-
* order of the
|
|
37
|
+
* order of the organization hierarchy. So the root ou RCPs should be first.
|
|
38
38
|
*/
|
|
39
39
|
resourceControlPolicies: ControlPolicies[];
|
|
40
40
|
/**
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AAClE,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAA;AAC/D,OAAO,EAAE,2BAA2B,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAEvF;;GAEG;AACH,qBAAa,wBAAyB,YAAW,iBAAiB;IACzD,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe;IAuLvE;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAW,EAAE,OAAO,EACpB,gBAAgB,EAAE,gBAAgB,EAClC,QAAQ,EAAE,eAAe,GACxB,OAAO;CASX"}
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import { isAssumedRoleArn, isFederatedUserArn, isIamUserArn } from '@cloud-copilot/iam-utils';
|
|
1
|
+
import { isAssumedRoleArn, isFederatedUserArn, isIamUserArn, isServicePrincipal } from '@cloud-copilot/iam-utils';
|
|
2
2
|
/**
|
|
3
3
|
* The default authorizer for services.
|
|
4
4
|
*/
|
|
@@ -51,6 +51,20 @@ export class DefaultServiceAuthorizer {
|
|
|
51
51
|
...baseResult
|
|
52
52
|
};
|
|
53
53
|
}
|
|
54
|
+
// Service Principals
|
|
55
|
+
if (isServicePrincipal(request.request.principal.value())) {
|
|
56
|
+
// Service principals are allowed if the resource policy allows them
|
|
57
|
+
if (resourcePolicyResult === 'Allowed') {
|
|
58
|
+
return {
|
|
59
|
+
result: 'Allowed',
|
|
60
|
+
...baseResult
|
|
61
|
+
};
|
|
62
|
+
}
|
|
63
|
+
return {
|
|
64
|
+
result: 'ImplicitlyDenied',
|
|
65
|
+
...baseResult
|
|
66
|
+
};
|
|
67
|
+
}
|
|
54
68
|
//Same Account
|
|
55
69
|
if (principalAccount === resourceAccount) {
|
|
56
70
|
if (permissionBoundaryResult === 'ImplicitlyDenied') {
|
|
@@ -83,7 +97,7 @@ export class DefaultServiceAuthorizer {
|
|
|
83
97
|
/*
|
|
84
98
|
TODO: Implicit denies in identity policies
|
|
85
99
|
I think if the identity policy has an implicit deny for assumed roles or federated users,
|
|
86
|
-
then the resource policy must have the
|
|
100
|
+
then the resource policy must have the federated or assumed role ARN exactly.
|
|
87
101
|
|
|
88
102
|
That doesn't seem right though. I know many cases where the resource policy has the role ARN and it works
|
|
89
103
|
|
|
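Review bot: The service-principal branch runs after the explicit-deny checks at the top of `authorize` (outside this hunk), and as far as I can tell those include the SCP result computed from `request.serviceControlPolicies`; SCPs affect only IAM principals in member accounts, so a caller that passes the resource account's SCPs for a request from e.g. `lambda.amazonaws.com` would get an `ExplicitlyDenied` that AWS itself would not produce. Either document the caller contract on this branch — `// Callers must not supply SCPs for service principals; SCPs do not apply to AWS services (resource-side RCPs and the resource policy do)` — or have the branch ignore the SCP result and rely on the RCP and resource-policy denies. The ordering relative to the SCP check is inferred from the surrounding code, not visible in the hunk; `authorize` starts and ends outside it.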
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,
|
|
1
|
+
{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAChB,kBAAkB,EAClB,YAAY,EACZ,kBAAkB,EACnB,MAAM,0BAA0B,CAAA;AAKjC;;GAEG;AACH,MAAM,OAAO,wBAAwB;IAC5B,SAAS,CAAC,OAAoC;QACnD,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,uBAAuB,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAA;QAC/D,MAAM,oBAAoB,GAAG,OAAO,CAAC,gBAAgB,EAAE,MAAM,CAAA;QAC7D,MAAM,wBAAwB,GAAG,OAAO,CAAC,0BAA0B,EAAE,MAAM,CAAA;QAE3E,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;QAC7D,MAAM,WAAW,GAAG,gBAAgB,KAAK,eAAe,CAAA;QAExD,MAAM,UAAU,GAQZ;YACF,WAAW;YACX,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,0BAA0B,EAAE,OAAO,CAAC,0BAA0B;SAC/D,CAAA;QAED,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IACE,oBAAoB,KAAK,kBAAkB;YAC3C,oBAAoB,KAAK,kBAAkB,EAC3C,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,uBAAuB,KAAK,kBAAkB,EAAE,CAAC;YACnD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACpD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,qBAAqB;QACrB,IAAI,kBAAkB,CAAC,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC;YAC1D,oEAAoE;YACpE,IAAI,oBAAoB,KAAK,SAAS,EAAE,CAAC;gBACvC,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,cAAc;QACd,IAAI,gBAAgB,KAAK,eAAe,EAAE,CAAC;YACzC,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;gBACpD;;;;;;;mBAOG;gBACH,IAAI,oBAAoB,KAAK,SAAS,EAAE,CAAC;oBACvC,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;oB
ACnD,IACE,gBAAgB,CAAC,SAAS,CAAC;wBAC3B,YAAY,CAAC,SAAS,CAAC;wBACvB,kBAAkB,CAAC,SAAS,CAAC,EAC7B,CAAC;wBACD,IACE,OAAO,CAAC,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC3C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,OAAO,CACpD,EACD,CAAC;4BACD,OAAO;gCACL,MAAM,EAAE,SAAS;gCACjB,GAAG,UAAU;6BACd,CAAA;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;gBACD,OAAO;oBACL,MAAM,EAAE,kBAAkB;oBAC1B,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YAED;;;;;;;;cAQE;YAEF,MAAM,cAAc,GAAG,IAAI,CAAC,6BAA6B,CACvD,WAAW,EACX,OAAO,CAAC,gBAAgB,EACxB,OAAO,CAAC,OAAO,CAAC,QAAQ,CACzB,CAAA;YACD,IACE,oBAAoB,KAAK,SAAS;gBAClC,CAAC,cAAc,IAAI,uBAAuB,KAAK,SAAS,CAAC,EACzD,CAAC;gBACD,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,eAAe;QACf,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACpD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,oBAAoB,KAAK,SAAS,IAAI,oBAAoB,KAAK,mBAAmB,EAAE,CAAC;YACvF,IAAI,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBAC1C,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,OAAO;YACL,MAAM,EAAE,kBAAkB;YAC1B,GAAG,UAAU;SACd,CAAA;QAED;;;;;;;WAOG;IACL,CAAC;IAED;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAoB,EACpB,gBAAkC,EAClC,QAAyB;QAEzB,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,IAAI,CAAA;QACb,CAAC;QAED,OAAO,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC1C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,mBAAmB,CAChE,CAAA;IACH,CAAC;CACF"}
|
|
@@ -1,10 +1,12 @@
|
|
|
1
|
-
import { ResourceAnalysis } from '../evaluate.js';
|
|
1
|
+
import { RequestAnalysis, ResourceAnalysis } from '../evaluate.js';
|
|
2
2
|
import { RequestResource } from '../request/requestResource.js';
|
|
3
3
|
import { DefaultServiceAuthorizer } from './DefaultServiceAuthorizer.js';
|
|
4
|
+
import { ServiceAuthorizationRequest } from './ServiceAuthorizer.js';
|
|
4
5
|
/**
|
|
5
6
|
* The default authorizer for services.
|
|
6
7
|
*/
|
|
7
8
|
export declare class StsServiceAuthorizer extends DefaultServiceAuthorizer {
|
|
9
|
+
authorize(request: ServiceAuthorizationRequest): RequestAnalysis;
|
|
8
10
|
/**
|
|
9
11
|
* Determines if the service trusts the principal's Account's IAM policies
|
|
10
12
|
*
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"StsServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/StsServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;
|
|
1
|
+
{"version":3,"file":"StsServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/StsServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AAClE,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAA;AAC/D,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAA;AACxE,OAAO,EAAE,2BAA2B,EAAE,MAAM,wBAAwB,CAAA;AAEpE;;GAEG;AACH,qBAAa,oBAAqB,SAAQ,wBAAwB;IACzD,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe;IAUvE;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAW,EAAE,OAAO,EACpB,gBAAgB,EAAE,gBAAgB,EAClC,QAAQ,EAAE,eAAe,GACxB,OAAO;CAeX"}
|
|
@@ -3,6 +3,15 @@ import { DefaultServiceAuthorizer } from './DefaultServiceAuthorizer.js';
|
|
|
3
3
|
* The default authorizer for services.
|
|
4
4
|
*/
|
|
5
5
|
export class StsServiceAuthorizer extends DefaultServiceAuthorizer {
|
|
6
|
+
authorize(request) {
|
|
7
|
+
if (request.request.action.value().toLowerCase() === 'sts:getcalleridentity') {
|
|
8
|
+
return {
|
|
9
|
+
result: 'Allowed',
|
|
10
|
+
sameAccount: true
|
|
11
|
+
};
|
|
12
|
+
}
|
|
13
|
+
return super.authorize(request);
|
|
14
|
+
}
|
|
6
15
|
/**
|
|
7
16
|
* Determines if the service trusts the principal's Account's IAM policies
|
|
8
17
|
*
|
|
@@ -11,9 +20,15 @@ export class StsServiceAuthorizer extends DefaultServiceAuthorizer {
|
|
|
11
20
|
* @returns true if the service trusts the principal's account IAM policies
|
|
12
21
|
*/
|
|
13
22
|
serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis, resource) {
|
|
23
|
+
//If there is no resource policy, the service trusts the principal's account IAM policies
|
|
14
24
|
if (sameAccount && resourceAnalysis.result === 'NotApplicable') {
|
|
15
25
|
return true;
|
|
16
26
|
}
|
|
27
|
+
/*
|
|
28
|
+
If there is a resource policy, for instance a role trust policy,
|
|
29
|
+
the trust policy must explicitly allow the principal's account,
|
|
30
|
+
even if the principal and resource are in the same account.
|
|
31
|
+
*/
|
|
17
32
|
return resourceAnalysis.allowStatements.some((statement) => statement.principalMatch === 'AccountLevelMatch');
|
|
18
33
|
}
|
|
19
34
|
}
|
|
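Review bot: The early return in `authorize` yields only `{ result: 'Allowed', sameAccount: true }`, whereas the base class spreads a `baseResult` that carries the per-policy analysis objects into every result it returns; so for sts:GetCallerIdentity any caller that inspects those analyses on the returned `RequestAnalysis` will find them absent, and `sameAccount: true` is asserted without comparing the principal and resource accounts. Since this compiled, those fields are presumably optional on `RequestAnalysis`; if that is intended, say so at the return: `// GetCallerIdentity is never denied, so no policy analyses are attached; sameAccount is fixed because the call targets no resource.` Otherwise derive `sameAccount` from the request the way the base class does. `serviceTrustsPrincipalAccount` in the second hunk is unchanged in behaviour; only its comments moved.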
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"StsServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/StsServiceAuthorizer.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAA;
|
|
1
|
+
{"version":3,"file":"StsServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/StsServiceAuthorizer.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAA;AAGxE;;GAEG;AACH,MAAM,OAAO,oBAAqB,SAAQ,wBAAwB;IACzD,SAAS,CAAC,OAAoC;QACnD,IAAI,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,WAAW,EAAE,KAAK,uBAAuB,EAAE,CAAC;YAC7E,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,WAAW,EAAE,IAAI;aAClB,CAAA;QACH,CAAC;QACD,OAAO,KAAK,CAAC,SAAS,CAAC,OAAO,CAAC,CAAA;IACjC,CAAC;IAED;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAoB,EACpB,gBAAkC,EAClC,QAAyB;QAEzB,yFAAyF;QACzF,IAAI,WAAW,IAAI,gBAAgB,CAAC,MAAM,KAAK,eAAe,EAAE,CAAC;YAC/D,OAAO,IAAI,CAAA;QACb,CAAC;QAED;;;;UAIE;QACF,OAAO,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC1C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,mBAAmB,CAChE,CAAA;IACH,CAAC;CACF"}
|
package/package.json
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@cloud-copilot/iam-simulate",
|
|
3
|
-
"version": "0.1.
|
|
3
|
+
"version": "0.1.42",
|
|
4
4
|
"description": "Simulate evaluation of AWS IAM policies",
|
|
5
5
|
"repository": {
|
|
6
6
|
"type": "git",
|
|
@@ -51,7 +51,7 @@
|
|
|
51
51
|
"dependencies": {
|
|
52
52
|
"@cloud-copilot/iam-data": ">=0.8.0 <1.0.0",
|
|
53
53
|
"@cloud-copilot/iam-policy": "^0.1.7",
|
|
54
|
-
"@cloud-copilot/iam-utils": "^0.1.
|
|
54
|
+
"@cloud-copilot/iam-utils": "^0.1.7"
|
|
55
55
|
},
|
|
56
56
|
"prettier": "@cloud-copilot/prettier-config",
|
|
57
57
|
"release": {
|