@cloud-copilot/iam-simulate 0.1.49 → 0.1.50
- package/dist/cjs/StatementAnalysis.d.ts +12 -1
- package/dist/cjs/StatementAnalysis.d.ts.map +1 -1
- package/dist/cjs/StatementAnalysis.js.map +1 -1
- package/dist/cjs/condition/condition.d.ts +4 -2
- package/dist/cjs/condition/condition.d.ts.map +1 -1
- package/dist/cjs/condition/condition.js +46 -7
- package/dist/cjs/condition/condition.js.map +1 -1
- package/dist/cjs/condition/ipaddress/ip.d.ts +1 -0
- package/dist/cjs/condition/ipaddress/ip.d.ts.map +1 -1
- package/dist/cjs/condition/ipaddress/ip.js +13 -0
- package/dist/cjs/condition/ipaddress/ip.js.map +1 -1
- package/dist/cjs/core_engine/CoreSimulatorEngine.d.ts +29 -4
- package/dist/cjs/core_engine/CoreSimulatorEngine.d.ts.map +1 -1
- package/dist/cjs/core_engine/CoreSimulatorEngine.js +92 -16
- package/dist/cjs/core_engine/CoreSimulatorEngine.js.map +1 -1
- package/dist/cjs/evaluate.d.ts +34 -0
- package/dist/cjs/evaluate.d.ts.map +1 -1
- package/dist/cjs/explain/statementExplain.d.ts +2 -7
- package/dist/cjs/explain/statementExplain.d.ts.map +1 -1
- package/dist/cjs/explain/statementExplain.js.map +1 -1
- package/dist/cjs/principal/principal.d.ts +12 -4
- package/dist/cjs/principal/principal.d.ts.map +1 -1
- package/dist/cjs/principal/principal.js +115 -56
- package/dist/cjs/principal/principal.js.map +1 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.d.ts.map +1 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.js +9 -0
- package/dist/cjs/services/DefaultServiceAuthorizer.js.map +1 -1
- package/dist/cjs/services/ServiceAuthorizer.d.ts +2 -0
- package/dist/cjs/services/ServiceAuthorizer.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/simulationEngine.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/simulationEngine.js +11 -1
- package/dist/cjs/simulation_engine/simulationEngine.js.map +1 -1
- package/dist/cjs/simulation_engine/simulationOptions.d.ts +3 -1
- package/dist/cjs/simulation_engine/simulationOptions.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.js +5 -1
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.js.map +1 -1
- package/dist/esm/StatementAnalysis.d.ts +12 -1
- package/dist/esm/StatementAnalysis.d.ts.map +1 -1
- package/dist/esm/StatementAnalysis.js.map +1 -1
- package/dist/esm/condition/condition.d.ts +4 -2
- package/dist/esm/condition/condition.d.ts.map +1 -1
- package/dist/esm/condition/condition.js +46 -7
- package/dist/esm/condition/condition.js.map +1 -1
- package/dist/esm/condition/ipaddress/ip.d.ts +1 -0
- package/dist/esm/condition/ipaddress/ip.d.ts.map +1 -1
- package/dist/esm/condition/ipaddress/ip.js +13 -0
- package/dist/esm/condition/ipaddress/ip.js.map +1 -1
- package/dist/esm/core_engine/CoreSimulatorEngine.d.ts +29 -4
- package/dist/esm/core_engine/CoreSimulatorEngine.d.ts.map +1 -1
- package/dist/esm/core_engine/CoreSimulatorEngine.js +91 -16
- package/dist/esm/core_engine/CoreSimulatorEngine.js.map +1 -1
- package/dist/esm/evaluate.d.ts +34 -0
- package/dist/esm/evaluate.d.ts.map +1 -1
- package/dist/esm/explain/statementExplain.d.ts +2 -7
- package/dist/esm/explain/statementExplain.d.ts.map +1 -1
- package/dist/esm/explain/statementExplain.js.map +1 -1
- package/dist/esm/principal/principal.d.ts +12 -4
- package/dist/esm/principal/principal.d.ts.map +1 -1
- package/dist/esm/principal/principal.js +115 -56
- package/dist/esm/principal/principal.js.map +1 -1
- package/dist/esm/services/DefaultServiceAuthorizer.d.ts.map +1 -1
- package/dist/esm/services/DefaultServiceAuthorizer.js +10 -1
- package/dist/esm/services/DefaultServiceAuthorizer.js.map +1 -1
- package/dist/esm/services/ServiceAuthorizer.d.ts +2 -0
- package/dist/esm/services/ServiceAuthorizer.d.ts.map +1 -1
- package/dist/esm/simulation_engine/simulationEngine.d.ts.map +1 -1
- package/dist/esm/simulation_engine/simulationEngine.js +12 -2
- package/dist/esm/simulation_engine/simulationEngine.js.map +1 -1
- package/dist/esm/simulation_engine/simulationOptions.d.ts +3 -1
- package/dist/esm/simulation_engine/simulationOptions.d.ts.map +1 -1
- package/dist/esm/simulation_engine/unsafeSimulationEngine.d.ts.map +1 -1
- package/dist/esm/simulation_engine/unsafeSimulationEngine.js +5 -1
- package/dist/esm/simulation_engine/unsafeSimulationEngine.js.map +1 -1
- package/package.json +1 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"simulationOptions.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulationOptions.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,iBAAiB;IAChC,
|
|
1
|
+
{"version":3,"file":"simulationOptions.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulationOptions.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,uCAAuC,CAAA;AAEtE,MAAM,WAAW,iBAAiB;IAChC,cAAc,CAAC,EAAE,cAAc,CAAA;IAC/B,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAA;CAC/B"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"unsafeSimulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/unsafeSimulationEngine.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AAGtD,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAA;AAC5C,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAE1D;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CACjC,UAAU,EAAE,UAAU,EACtB,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAC5C,gBAAgB,
|
|
1
|
+
{"version":3,"file":"unsafeSimulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/unsafeSimulationEngine.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AAGtD,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAA;AAC5C,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAE1D;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CACjC,UAAU,EAAE,UAAU,EACtB,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAC5C,gBAAgB,CAsDlB"}
|
|
@@ -43,7 +43,11 @@ function runUnsafeSimulation(simulation, simulationOptions) {
|
|
|
43
43
|
serviceControlPolicies,
|
|
44
44
|
resourceControlPolicies,
|
|
45
45
|
resourcePolicy: simulation.resourcePolicy ? (0, iam_policy_1.loadPolicy)(simulation.resourcePolicy) : undefined,
|
|
46
|
-
permissionBoundaries
|
|
46
|
+
permissionBoundaries,
|
|
47
|
+
simulationParameters: {
|
|
48
|
+
simulationMode: 'Strict',
|
|
49
|
+
strictConditionKeys: new Set()
|
|
50
|
+
}
|
|
47
51
|
});
|
|
48
52
|
return analysis.result;
|
|
49
53
|
}
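Review bot: The new `simulationParameters` literal pins `simulationMode: 'Strict'` and an empty `strictConditionKeys` set with no comment saying why, and in the lines shown `simulationOptions` does not feed into it. Strict is the fail-closed choice, so a one-line comment would stop a later edit from relaxing it by accident, e.g. `// Strict: never ignore conditions on this path; the empty key set is only read in Discovery mode.` That wording rests on the condition.js change in this release, where the strict-key set is checked only after the Discovery-mode test; confirm that the other consumers of `simulationParameters` behave the same way. The function body starts above this hunk, so `simulationOptions` may be used there.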
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"unsafeSimulationEngine.js","sourceRoot":"","sources":["../../../src/simulation_engine/unsafeSimulationEngine.ts"],"names":[],"mappings":";;AAgBA,
|
|
1
|
+
{"version":3,"file":"unsafeSimulationEngine.js","sourceRoot":"","sources":["../../../src/simulation_engine/unsafeSimulationEngine.ts"],"names":[],"mappings":";;AAgBA,kDAyDC;AAzED,0DAAsD;AACtD,kFAAkF;AAElF,sDAAsD;AACtD,4DAAyD;AAIzD;;;;;;;GAOG;AACH,SAAgB,mBAAmB,CACjC,UAAsB,EACtB,iBAA6C;IAE7C,MAAM,gBAAgB,GAAG,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAC5E,IAAA,uBAAU,EAAC,CAAC,CAAC,MAAM,CAAC,CACrB,CAAA;IACD,MAAM,sBAAsB,GAAsB,UAAU,CAAC,sBAAsB,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;QAC9F,MAAM,IAAI,GAAG,GAAG,CAAC,aAAa,CAAA;QAC9B,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAA,uBAAU,EAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAA;QAElE,OAAO;YACL,aAAa,EAAE,IAAI;YACnB,QAAQ,EAAE,QAAQ;SACnB,CAAA;IACH,CAAC,CAAC,CAAA;IAEF,MAAM,uBAAuB,GAAsB,UAAU,CAAC,uBAAuB,CAAC,GAAG,CACvF,CAAC,GAAG,EAAE,EAAE;QACN,MAAM,IAAI,GAAG,GAAG,CAAC,aAAa,CAAA;QAC9B,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAA,uBAAU,EAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAA;QAElE,OAAO;YACL,aAAa,EAAE,IAAI;YACnB,QAAQ,EAAE,QAAQ;SACnB,CAAA;IACH,CAAC,CACF,CAAA;IAED,MAAM,oBAAoB,GACxB,UAAU,CAAC,0BAA0B,EAAE,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAA,uBAAU,EAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,SAAS,CAAA;IAE1F,MAAM,cAAc,GAAG,IAAI,sCAAkB,CAAC,UAAU,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAA;IAClF,MAAM,OAAO,GAAG,IAAI,2BAAc,CAChC,UAAU,CAAC,OAAO,CAAC,SAAS,EAC5B;QACE,QAAQ,EAAE,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ;QAC9C,SAAS,EAAE,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS;KACjD,EACD,UAAU,CAAC,OAAO,CAAC,MAAM,EACzB,cAAc,CACf,CAAA;IAED,MAAM,QAAQ,GAAG,IAAA,kCAAS,EAAC;QACzB,OAAO;QACP,gBAAgB;QAChB,sBAAsB;QACtB,uBAAuB;QACvB,cAAc,EAAE,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,IAAA,uBAAU,EAAC,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,SAAS;QAC7F,oBAAoB;QACpB,oBAAoB,EAAE;YACpB,cAAc,EAAE,QAAQ;YACxB,mBAAmB,EAAE,IAAI,GAAG,EAAE;SAC/B;KACF,CAAC,CAAA;IAEF,OAAO,QAAQ,CAAC,MAAM,CAAA;AACxB,CAAC"}
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import { Statement } from '@cloud-copilot/iam-policy';
|
|
1
|
+
import { Condition, Statement } from '@cloud-copilot/iam-policy';
|
|
2
2
|
import { ConditionMatchResult } from './condition/condition.js';
|
|
3
3
|
import { StatementExplain } from './explain/statementExplain.js';
|
|
4
4
|
import { PrincipalMatchResult } from './principal/principal.js';
|
|
@@ -27,7 +27,18 @@ export interface StatementAnalysis {
|
|
|
27
27
|
* Whether the Conditions matches the request.
|
|
28
28
|
*/
|
|
29
29
|
conditionMatch: ConditionMatchResult;
|
|
30
|
+
/**
|
|
31
|
+
* The explain of evaluating the statement.
|
|
32
|
+
*/
|
|
30
33
|
explain: StatementExplain;
|
|
34
|
+
/**
|
|
35
|
+
* Any conditions that were ignored during discovery mode.
|
|
36
|
+
*/
|
|
37
|
+
ignoredConditions?: Condition[];
|
|
38
|
+
/**
|
|
39
|
+
* Role Session Name ignored during discovery mode.
|
|
40
|
+
*/
|
|
41
|
+
ignoredRoleSessionName?: boolean;
|
|
31
42
|
}
|
|
32
43
|
/**
|
|
33
44
|
* Checks if a statement is an identity statement that allows the request.
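Review bot: The comments on the new `ignoredConditions` and `ignoredRoleSessionName` fields say only that something was "ignored during discovery mode", not what that means for `conditionMatch` on the same object or when the boolean is set. A consumer that reads only the match fields could presumably take a Discovery-mode result for a strict one. Suggested wording: `* Conditions that were skipped in Discovery mode; when present, this analysis is not a strict evaluation of the statement.` and `* True when the role session name was not compared in Discovery mode.` The second is an assumption to confirm against principal.js, which this section does not show. The interface begins above the hunk.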
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"StatementAnalysis.d.ts","sourceRoot":"","sources":["../../src/StatementAnalysis.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAA;
|
|
1
|
+
{"version":3,"file":"StatementAnalysis.d.ts","sourceRoot":"","sources":["../../src/StatementAnalysis.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAA;AAChE,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAA;AAC/D,OAAO,EAAE,gBAAgB,EAAE,MAAM,+BAA+B,CAAA;AAChE,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAA;AAE/D;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IAChC;;OAEG;IACH,SAAS,EAAE,SAAS,CAAA;IAEpB;;OAEG;IACH,aAAa,EAAE,OAAO,CAAA;IAEtB;;OAEG;IACH,WAAW,EAAE,OAAO,CAAA;IAEpB;;OAEG;IACH,cAAc,EAAE,oBAAoB,CAAA;IAEpC;;OAEG;IACH,cAAc,EAAE,oBAAoB,CAAA;IAEpC;;OAEG;IACH,OAAO,EAAE,gBAAgB,CAAA;IAEzB;;OAEG;IACH,iBAAiB,CAAC,EAAE,SAAS,EAAE,CAAA;IAE/B;;OAEG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAA;CACjC;AAED;;;;;GAKG;AACH,wBAAgB,uBAAuB,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO,CAU7E;AAsBD,wBAAgB,6BAA6B,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO,CAUnF;AAED,wBAAgB,gBAAgB,CAC9B,QAAQ,EAAE,IAAI,CACZ,iBAAiB,EACjB,aAAa,GAAG,gBAAgB,GAAG,gBAAgB,GAAG,eAAe,CACtE,GACA,OAAO,CAST"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"StatementAnalysis.js","sourceRoot":"","sources":["../../src/StatementAnalysis.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"StatementAnalysis.js","sourceRoot":"","sources":["../../src/StatementAnalysis.ts"],"names":[],"mappings":"AAmDA;;;;;GAKG;AACH,MAAM,UAAU,uBAAuB,CAAC,SAA4B;IAClE,IACE,SAAS,CAAC,aAAa;QACvB,SAAS,CAAC,WAAW;QACrB,SAAS,CAAC,cAAc,KAAK,OAAO;QACpC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,OAAO,EACxC,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAED,wFAAwF;AACxF,kCAAkC;AAClC,+BAA+B;AAC/B,gDAAgD;AAChD,kDAAkD;AAClD,qBAAqB;AACrB,MAAM;AACN,iBAAiB;AACjB,IAAI;AAEJ,uFAAuF;AACvF,kCAAkC;AAClC,+BAA+B;AAC/B,gDAAgD;AAChD,iDAAiD;AACjD,qBAAqB;AACrB,MAAM;AACN,iBAAiB;AACjB,IAAI;AAEJ,MAAM,UAAU,6BAA6B,CAAC,SAA4B;IACxE,IACE,SAAS,CAAC,aAAa;QACvB,SAAS,CAAC,WAAW;QACrB,SAAS,CAAC,cAAc,KAAK,OAAO;QACpC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,MAAM,EACvC,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAED,MAAM,UAAU,gBAAgB,CAC9B,QAGC;IAED,OAAO,CACL,QAAQ,CAAC,aAAa;QACtB,QAAQ,CAAC,WAAW;QACpB,QAAQ,CAAC,cAAc,KAAK,OAAO;QACnC,CAAC,OAAO,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAC7E,QAAQ,CAAC,cAAc,CACxB,CACF,CAAA;AACH,CAAC"}
|
|
@@ -1,4 +1,5 @@
|
|
|
1
1
|
import { Condition } from '@cloud-copilot/iam-policy';
|
|
2
|
+
import { SimulationParameters } from '../core_engine/CoreSimulatorEngine.js';
|
|
2
3
|
import { ConditionExplain, StatementExplain } from '../explain/statementExplain.js';
|
|
3
4
|
import { AwsRequest } from '../request/request';
|
|
4
5
|
import { ContextKey } from '../requestContext.js';
|
|
@@ -11,9 +12,10 @@ export type ConditionMatchResult = 'Match' | 'NoMatch';
|
|
|
11
12
|
* @param conditions the conditions to test
|
|
12
13
|
* @returns Match if all conditions match, NoMatch if any do not. Also returns all the details of the evaluation
|
|
13
14
|
*/
|
|
14
|
-
export declare function requestMatchesConditions(request: AwsRequest, conditions: Condition[]): {
|
|
15
|
+
export declare function requestMatchesConditions(request: AwsRequest, conditions: Condition[], statementType: 'Allow' | 'Deny', simulationParameters: SimulationParameters): {
|
|
15
16
|
matches: ConditionMatchResult;
|
|
16
17
|
details: Pick<StatementExplain, 'conditions'>;
|
|
18
|
+
ignoredConditions?: Condition[];
|
|
17
19
|
};
|
|
18
20
|
/**
|
|
19
21
|
* Checks to see if a single condition matches a request
|
|
@@ -22,7 +24,7 @@ export declare function requestMatchesConditions(request: AwsRequest, conditions
|
|
|
22
24
|
* @param condition the condition to test
|
|
23
25
|
* @returns the result of evaluating the condition
|
|
24
26
|
*/
|
|
25
|
-
export declare function singleConditionMatchesRequest(request: AwsRequest, condition: Condition): ConditionExplain;
|
|
27
|
+
export declare function singleConditionMatchesRequest(request: AwsRequest, condition: Condition, simulationParameters: SimulationParameters): ConditionExplain;
|
|
26
28
|
export declare function singleValueMatch(request: AwsRequest, condition: Condition, baseOperation: BaseConditionOperator, keyValue: ContextKey | undefined): ConditionExplain;
|
|
27
29
|
/**
|
|
28
30
|
* Tests a condition with a ForAllValues set operator
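Review bot: Both exported declarations gain required positional parameters (`statementType` and `simulationParameters` on `requestMatchesConditions`, `simulationParameters` on `singleConditionMatchesRequest`), but the JSDoc lines above them are unchanged context and gain no `@param` entries. Add, for example, `@param statementType 'Allow' or 'Deny'; decides which conditions Discovery mode may ignore` and `@param simulationParameters the simulation mode and strict condition keys`, and describe the new `ignoredConditions?` member in `@returns`. If these functions are reachable from the package's public entry point, which is not visible here, making the parameters required in a patch release breaks existing callers. Both doc blocks start above their hunks.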
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"condition.d.ts","sourceRoot":"","sources":["../../../src/condition/condition.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAA;AACrD,OAAO,EACL,gBAAgB,EAEhB,gBAAgB,EACjB,MAAM,gCAAgC,CAAA;AACvC,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAA;AAC/C,OAAO,EAAE,UAAU,EAAkB,MAAM,sBAAsB,CAAA;AAKjE,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAA;AAuBlE,MAAM,MAAM,oBAAoB,GAAG,OAAO,GAAG,SAAS,CAAA;
|
|
1
|
+
{"version":3,"file":"condition.d.ts","sourceRoot":"","sources":["../../../src/condition/condition.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAA;AACrD,OAAO,EAAE,oBAAoB,EAAE,MAAM,uCAAuC,CAAA;AAC5E,OAAO,EACL,gBAAgB,EAEhB,gBAAgB,EACjB,MAAM,gCAAgC,CAAA;AACvC,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAA;AAC/C,OAAO,EAAE,UAAU,EAAkB,MAAM,sBAAsB,CAAA;AAKjE,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAA;AAuBlE,MAAM,MAAM,oBAAoB,GAAG,OAAO,GAAG,SAAS,CAAA;AAyCtD;;;;;;GAMG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,UAAU,EACnB,UAAU,EAAE,SAAS,EAAE,EACvB,aAAa,EAAE,OAAO,GAAG,MAAM,EAC/B,oBAAoB,EAAE,oBAAoB,GACzC;IACD,OAAO,EAAE,oBAAoB,CAAA;IAC7B,OAAO,EAAE,IAAI,CAAC,gBAAgB,EAAE,YAAY,CAAC,CAAA;IAC7C,iBAAiB,CAAC,EAAE,SAAS,EAAE,CAAA;CAChC,CAsCA;AAsBD;;;;;;GAMG;AACH,wBAAgB,6BAA6B,CAC3C,OAAO,EAAE,UAAU,EACnB,SAAS,EAAE,SAAS,EACpB,oBAAoB,EAAE,oBAAoB,GACzC,gBAAgB,CAyBlB;AA0BD,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,UAAU,EACnB,SAAS,EAAE,SAAS,EACpB,aAAa,EAAE,qBAAqB,EACpC,QAAQ,EAAE,UAAU,GAAG,SAAS,GAC/B,gBAAgB,CAkElB;AAED;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,UAAU,EACnB,SAAS,EAAE,SAAS,EACpB,QAAQ,EAAE,UAAU,GAAG,SAAS,EAChC,aAAa,EAAE,qBAAqB,GACnC,gBAAgB,CAyFlB;AAED;;;;;;;;;GASG;AACH,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,UAAU,EACnB,SAAS,EAAE,SAAS,EACpB,QAAQ,EAAE,UAAU,GAAG,SAAS,EAChC,aAAa,EAAE,qBAAqB,GACnC,gBAAgB,CAiFlB"}
|
|
@@ -63,16 +63,55 @@ for (const operator of allOperators) {
|
|
|
63
63
|
* @param conditions the conditions to test
|
|
64
64
|
* @returns Match if all conditions match, NoMatch if any do not. Also returns all the details of the evaluation
|
|
65
65
|
*/
|
|
66
|
-
export function requestMatchesConditions(request, conditions) {
|
|
67
|
-
const results = conditions.map((condition) =>
|
|
68
|
-
|
|
66
|
+
export function requestMatchesConditions(request, conditions, statementType, simulationParameters) {
|
|
67
|
+
const results = conditions.map((condition) => ({
|
|
68
|
+
condition,
|
|
69
|
+
explain: singleConditionMatchesRequest(request, condition, simulationParameters)
|
|
70
|
+
}));
|
|
71
|
+
const isIgnored = (c) => {
|
|
72
|
+
if (simulationParameters.simulationMode !== 'Discovery') {
|
|
73
|
+
return false;
|
|
74
|
+
}
|
|
75
|
+
if (simulationParameters.strictConditionKeys.has(c.condition.conditionKey().toLowerCase())) {
|
|
76
|
+
return false;
|
|
77
|
+
}
|
|
78
|
+
// In Allows we ignore conditions that do not match
|
|
79
|
+
if (statementType.toLowerCase() === 'allow') {
|
|
80
|
+
return !c.explain.matches;
|
|
81
|
+
}
|
|
82
|
+
// In Denies we ignore conditions that do match
|
|
83
|
+
if (statementType.toLowerCase() === 'deny') {
|
|
84
|
+
return c.explain.matches;
|
|
85
|
+
}
|
|
86
|
+
throw new Error(`Unexpected condition explain result in discovery mode, statementType: ${statementType}`);
|
|
87
|
+
};
|
|
88
|
+
const nonMatch = results.filter((r) => !isIgnored(r)).some((result) => !result.explain.matches);
|
|
89
|
+
const ignoredMatches = results
|
|
90
|
+
.filter((r) => isIgnored(r))
|
|
91
|
+
.some((result) => result.explain.matches);
|
|
69
92
|
return {
|
|
70
|
-
matches: nonMatch ? 'NoMatch' : 'Match',
|
|
93
|
+
matches: nonMatch || ignoredMatches ? 'NoMatch' : 'Match',
|
|
71
94
|
details: {
|
|
72
|
-
conditions: results.length == 0 ? undefined : results
|
|
73
|
-
}
|
|
95
|
+
conditions: results.length == 0 ? undefined : results.map((r) => r.explain)
|
|
96
|
+
},
|
|
97
|
+
ignoredConditions: ignoredConditions(results, isIgnored)
|
|
74
98
|
};
|
|
75
99
|
}
|
|
100
|
+
/**
|
|
101
|
+
* Get the list of conditions that were ignored during discovery mode, if any
|
|
102
|
+
*
|
|
103
|
+
* @param conditions the conditions that were evaluated with their explains
|
|
104
|
+
* @param statementType whether the statement is an allow or deny statement
|
|
105
|
+
* @param simulationParameters the general parameters for the simulation
|
|
106
|
+
* @returns an array of ignored conditions, or undefined if there are none
|
|
107
|
+
*/
|
|
108
|
+
function ignoredConditions(conditions, isIgnored) {
|
|
109
|
+
const ignoredConditions = conditions.filter(isIgnored);
|
|
110
|
+
if (ignoredConditions.length > 0) {
|
|
111
|
+
return ignoredConditions.map((r) => r.condition);
|
|
112
|
+
}
|
|
113
|
+
return undefined;
|
|
114
|
+
}
|
|
76
115
|
/**
|
|
77
116
|
* Checks to see if a single condition matches a request
|
|
78
117
|
*
|
|
@@ -80,7 +119,7 @@ export function requestMatchesConditions(request, conditions) {
|
|
|
80
119
|
* @param condition the condition to test
|
|
81
120
|
* @returns the result of evaluating the condition
|
|
82
121
|
*/
|
|
83
|
-
export function singleConditionMatchesRequest(request, condition) {
|
|
122
|
+
export function singleConditionMatchesRequest(request, condition, simulationParameters) {
|
|
84
123
|
const key = condition.conditionKey();
|
|
85
124
|
const baseOperation = baseOperations[condition.operation().baseOperator().toLowerCase()];
|
|
86
125
|
const keyExists = request.contextKeyExists(key);
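Review bot: The `@returns` line kept above `requestMatchesConditions` ("Match if all conditions match, NoMatch if any do not") is no longer true in Discovery mode: an Allow whose non-strict conditions fail returns `Match`, and a Deny with any matching non-strict condition returns `NoMatch` through `ignoredMatches`. A caller that reads only `matches` will over-report access, so the doc should say that `ignoredConditions` must be checked before the result is treated as an authorization decision. The lookup `strictConditionKeys.has(c.condition.conditionKey().toLowerCase())` finds a key only if the set already holds lower-cased entries; the set is built outside this hunk, so confirm it is normalized there, since a mixed-case entry would silently leave that key ignorable. The JSDoc on the new `ignoredConditions` helper lists `statementType` and `simulationParameters`, but its signature is `(conditions, isIgnored)`; replace both with `@param isIgnored predicate that decides whether an evaluated condition was ignored`.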
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"condition.js","sourceRoot":"","sources":["../../../src/condition/condition.ts"],"names":[],"mappings":"AAOA,OAAO,EAAc,cAAc,EAAE,MAAM,sBAAsB,CAAA;AACjE,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAA;AAC9C,OAAO,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAA;AAC1C,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAA;AACpD,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAA;AAEhD,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAA;AACvD,OAAO,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAA;AACxC,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAA;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAA;AAC3D,OAAO,EAAE,qBAAqB,EAAE,MAAM,iCAAiC,CAAA;AACvE,OAAO,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAA;AACrD,OAAO,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAA;AACjE,OAAO,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAA;AACvD,OAAO,EAAE,SAAS,EAAE,MAAM,0BAA0B,CAAA;AACpD,OAAO,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAA;AAC1D,OAAO,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAA;AAC1D,OAAO,EAAE,kBAAkB,EAAE,MAAM,iCAAiC,CAAA;AACpE,OAAO,EAAE,wBAAwB,EAAE,MAAM,uCAAuC,CAAA;AAChF,OAAO,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAA;AAC9D,OAAO,EAAE,gBAAgB,EAAE,MAAM,+BAA+B,CAAA;AAChE,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAA;AACvD,OAAO,EAAE,sBAAsB,EAAE,MAAM,oCAAoC,CAAA;AAC3E,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAA;AACnD,OAAO,EAAE,eAAe,EAAE,MAAM,6BAA6B,CAAA;AAC7D,OAAO,EAAE,yBAAyB,EAAE,MAAM,uCAAuC,CAAA;AACjF,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAA;AAIzD,MAAM,YAAY,GAAG;IACnB,YAAY;IACZ,eAAe;IACf,sBAAsB;IACtB,yBAAyB;IACzB,UAAU;IACV,aAAa;IACb,aAAa;IACb,gBAAgB;IAChB,eAAe;IACf,gBAAgB;IAChB,kBAAkB;IAClB,wBAAwB;IACxB,UAAU;IACV,aAAa;IACb,YAAY;IACZ,kBAAkB;IAClB,eAAe;IACf,qBAAqB;IACrB,IAAI;IACJ,YAAY;IACZ,SAAS;IACT,YAAY;IACZ,OAAO;IACP,SAAS;IACT,UAAU;IACV,YAAY;CACb,CAAA;AAED,MAAM,cAAc,GAA6C,EAAE,CAAA;AACnE,KAAK,MAAM,QAAQ,IAAI,YAAY,EAAE,CAAC;IACpC,cAAc,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,GAAG,QAAQ,CAAA;AACxD,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,wBAAwB,CACtC,OAAmB,EACnB,UAAuB;IAEvB,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,6BAA6B,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC,CAAA;IAChG,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;IAE1D,OAAO;QACL
,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO;QACvC,OAAO,EAAE;YACP,UAAU,EAAE,OAAO,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO;SACtD;KACF,CAAA;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,6BAA6B,CAC3C,OAAmB,EACnB,SAAoB;IAEpB,MAAM,GAAG,GAAG,SAAS,CAAC,YAAY,EAAE,CAAA;IACpC,MAAM,aAAa,GAAG,cAAc,CAAC,SAAS,CAAC,SAAS,EAAE,CAAC,YAAY,EAAE,CAAC,WAAW,EAAE,CAAC,CAAA;IACxF,MAAM,SAAS,GAAG,OAAO,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAA;IAC/C,MAAM,QAAQ,GAAG,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;IAExE,IACE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE,CAAC,WAAW,EAAE,IAAI,MAAM;QACrD,SAAS,CAAC,SAAS,EAAE,CAAC,YAAY,EAAE,EAAE,WAAW,EAAE,IAAI,MAAM,EAC7D,CAAC;QACD,OAAO,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAC,CAAA;IACvC,CAAC;IAED,IAAI,SAAS,CAAC,SAAS,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC;QACxC,MAAM,WAAW,GAAG,SAAS,CAAC,SAAS,EAAE,CAAC,WAAW,EAAE,CAAA;QACvD,IAAI,WAAW,KAAK,aAAa,EAAE,CAAC;YAClC,OAAO,gBAAgB,CAAC,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,aAAa,CAAC,CAAA;QACtE,CAAC;aAAM,IAAI,WAAW,KAAK,cAAc,EAAE,CAAC;YAC1C,OAAO,iBAAiB,CAAC,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,aAAa,CAAC,CAAA;QACvE,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CAAC,yBAAyB,WAAW,EAAE,CAAC,CAAA;QACzD,CAAC;IACH,CAAC;IAED,OAAO,gBAAgB,CAAC,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,QAAQ,CAAC,CAAA;AACtE,CAAC;AAED;;;;;;GAMG;AACH,SAAS,QAAQ,CAAC,SAAoB,EAAE,SAAkB;IACxD,MAAM,SAAS,GAAG,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAA;IAC9C,MAAM,eAAe,GAA4B,SAAS,CAAC,eAAe,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;QACzF,OAAO;YACL,KAAK;YACL,OAAO,EAAE,KAAK,CAAC,WAAW,EAAE,KAAK,SAAS;SAC3C,CAAA;IACH,CAAC,CAAC,CAAA;IAEF,OAAO;QACL,QAAQ,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE;QACvC,iBAAiB,EAAE,SAAS,CAAC,YAAY,EAAE;QAC3C,MAAM,EAAE,SAAS,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC;QACvE,OAAO,EAAE,eAAe,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,OAAO,CAAC;KACxD,CAAA;AACH,CAAC;AAED,MAAM,UAAU,gBAAgB,CAC9B,OAAmB,EACnB,SAAoB,EACpB,aAAoC,EACpC,QAAgC;IAEhC,MAAM,aAAa,GAAG,SAAS,CAAC,SAAS,EAAE,CAAC,YAAY,EAAE,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA
;IACxF,IAAI,SAAS,CAAC,SAAS,EAAE,CAAC,UAAU,EAAE,IAAI,aAAa,EAAE,CAAC;QACxD,+CAA+C;QAC/C,sFAAsF;QACtF,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,aAAa,GAA4B,SAAS,CAAC,eAAe,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;gBACzF,KAAK;gBACL,OAAO,EAAE,IAAI;aACd,CAAC,CAAC,CAAA;YACH,OAAO;gBACL,QAAQ,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE;gBACvC,iBAAiB,EAAE,SAAS,CAAC,YAAY,EAAE;gBAC3C,MAAM,EAAE,SAAS,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC;gBACnE,OAAO,EAAE,IAAI;gBACb,qBAAqB,EAAE,IAAI;gBAC3B,yBAAyB,EAAE,QAAQ;aACpC,CAAA;QACH,CAAC;IACH,CAAC;IAED,IAAI,CAAC,QAAQ,IAAI,CAAC,QAAQ,CAAC,aAAa,EAAE,EAAE,CAAC;QAC3C,gDAAgD;QAChD,2CAA2C;QAC3C,MAAM,aAAa,GAA4B,SAAS,CAAC,eAAe,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YACzF,KAAK;YACL,OAAO,EAAE,KAAK;SACf,CAAC,CAAC,CAAA;QACH,OAAO;YACL,QAAQ,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE;YACvC,iBAAiB,EAAE,SAAS,CAAC,YAAY,EAAE;YAC3C,MAAM,EAAE,SAAS,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC;YACnE,OAAO,EAAE,KAAK;YACd,oBAAoB,EAAE,CAAC,QAAQ;YAC/B,kBAAkB,EAAE,QAAQ,EAAE,YAAY,EAAE;SAC7C,CAAA;IACH,CAAC;IAED,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,aAAa,GAA4B,SAAS,CAAC,eAAe,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YACzF,KAAK;YACL,OAAO,EAAE,KAAK;SACf,CAAC,CAAC,CAAA;QAEH,OAAO;YACL,QAAQ,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE;YACvC,iBAAiB,EAAE,SAAS,CAAC,YAAY,EAAE;YAC3C,MAAM,EAAE,SAAS,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC;YACnE,OAAO,EAAE,KAAK;YACd,eAAe,EAAE,IAAI;SACtB,CAAA;IACH,CAAC;IAED,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,aAAa,CAAC,OAAO,CACjD,OAAO,EACP,QAAQ,CAAC,KAAK,EACd,SAAS,CAAC,eAAe,EAAE,CAC5B,CAAA;IAED,OAAO;QACL,OAAO;QACP,QAAQ,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE;QACvC,iBAAiB,EAAE,SAAS,CAAC,YAAY,EAAE;QAC3C,MAAM,EAAE,SAAS,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;QACzD,yBAAyB,EAAE,QAAQ,CAAC,KAAK;KAC1C,CAAA;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,iBAAiB,CAC/B,OAAmB,EACnB,SAAoB,EACpB,QAAgC,EAChC,aAAoC;IAEpC,MAAM,qBAAqB,GAA4B,SAAS;SAC7D,eAAe,EAA
E;SACjB,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACf,KAAK;QACL,OAAO,EAAE,IAAI;KACd,CAAC,CAAC,CAAA;IACL,MAAM,wBAAwB,GAA4B,SAAS;SAChE,eAAe,EAAE;SACjB,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACf,KAAK;QACL,OAAO,EAAE,KAAK;KACf,CAAC,CAAC,CAAA;IAEL,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO;YACL,QAAQ,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE;YACvC,iBAAiB,EAAE,SAAS,CAAC,YAAY,EAAE;YAC3C,MAAM,EAAE,qBAAqB;YAC7B,OAAO,EAAE,IAAI;YACb,qBAAqB,EAAE,IAAI;SAC5B,CAAA;IACH,CAAC;IAED,wEAAwE;IACxE,IAAI,QAAQ,CAAC,aAAa,EAAE,EAAE,CAAC;QAC7B,QAAQ,GAAG,IAAI,cAAc,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAA;IAChE,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,YAAY,EAAE,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAA;IAC9D,CAAC;IAED,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO;YACL,QAAQ,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE;YACvC,iBAAiB,EAAE,SAAS,CAAC,YAAY,EAAE;YAC3C,MAAM,EAAE,wBAAwB;YAChC,OAAO,EAAE,KAAK;YACd,eAAe,EAAE,IAAI;SACtB,CAAA;IACH,CAAC;IAED,MAAM,aAAa,GAAG,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;QAClD,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,aAAa,CAAC,OAAO,CAAC,OAAO,EAAE,KAAK,EAAE,SAAS,CAAC,eAAe,EAAE,CAAC,CAAA;QAChG,OAAO;YACL,YAAY,EAAE,KAAK;YACnB,OAAO;YACP,QAAQ;SACT,CAAA;IACH,CAAC,CAAC,CAAA;IAEF,MAAM,aAAa,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,CAAA;IACjF,MAAM,YAAY,GAAG,CAAC,aAAa,CAAA;IACnC,MAAM,eAAe,GAAa,EAAE,CAAA;IAEpC,MAAM,QAAQ,GAA0C,EAAE,CAAA;IAC1D,KAAK,MAAM,YAAY,IAAI,aAAa,EAAE,CAAC;QACzC,IAAI,CAAC,aAAa,CAAC,UAAU,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,CAAC;YACvD,eAAe,CAAC,IAAI,CAAC,YAAY,CAAC,YAAY,CAAC,CAAA;QACjD,CAAC;aAAM,IAAI,aAAa,CAAC,UAAU,IAAI,YAAY,CAAC,OAAO,EAAE,CAAC;YAC5D,eAAe,CAAC,IAAI,CAAC,YAAY,CAAC,YAAY,CAAC,CAAA;QACjD,CAAC;QACD,KAAK,MAAM,OAAO,IAAI,YAAY,CAAC,QAAQ,EAAE,CAAC;YAC5C,IAAI,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;YACxC,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG;oBACxB,KAAK,EAAE,OAAO,CAAC,KAAK;oBACpB,OAAO,EAAE,YAAY;iBACtB,CAAA;gBACD,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;YACtC,CAAC;YACD,IAAI,OAAO,CAAC,OAAO,IAAI,CAAC
,aAAa,CAAC,UAAU,EAAE,CAAC;gBACjD,UAAU,CAAC,cAAc,GAAG,UAAU,CAAC,cAAc,IAAI,EAAE,CAAA;gBAC3D,UAAU,CAAC,cAAc,CAAC,IAAI,CAAC,YAAY,CAAC,YAAY,CAAC,CAAA;YAC3D,CAAC;iBAAM,IAAI,CAAC,OAAO,CAAC,OAAO,IAAI,aAAa,CAAC,UAAU,EAAE,CAAC;gBACxD,UAAU,CAAC,sBAAsB,GAAG,UAAU,CAAC,sBAAsB,IAAI,EAAE,CAAA;gBAC3E,UAAU,CAAC,sBAAsB,CAAC,IAAI,CAAC,YAAY,CAAC,YAAY,CAAC,CAAA;YACnE,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE;QACvC,iBAAiB,EAAE,SAAS,CAAC,YAAY,EAAE;QAC3C,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC;QAC/B,OAAO,EAAE,YAAY;QACrB,eAAe;KAChB,CAAA;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,gBAAgB,CAC9B,OAAmB,EACnB,SAAoB,EACpB,QAAgC,EAChC,aAAoC;IAEpC,MAAM,mBAAmB,GAA4B,SAAS,CAAC,eAAe,EAAE,CAAC,GAAG,CAClF,CAAC,KAAK,EAAE,EAAE,CACR,CAAC;QACC,KAAK;QACL,OAAO,EAAE,KAAK;KACf,CAA0B,CAC9B,CAAA;IAED,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO;YACL,QAAQ,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE;YACvC,iBAAiB,EAAE,SAAS,CAAC,YAAY,EAAE;YAC3C,MAAM,EAAE,mBAAmB;YAC3B,OAAO,EAAE,KAAK;YACd,oBAAoB,EAAE,IAAI;SAC3B,CAAA;QACD,mBAAmB;IACrB,CAAC;IAED,wEAAwE;IACxE,IAAI,QAAQ,CAAC,aAAa,EAAE,EAAE,CAAC;QAC7B,QAAQ,GAAG,IAAI,cAAc,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAA;IAChE,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,YAAY,EAAE,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAA;IAC9D,CAAC;IAED,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO;YACL,QAAQ,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE;YACvC,iBAAiB,EAAE,SAAS,CAAC,YAAY,EAAE;YAC3C,MAAM,EAAE,mBAAmB;YAC3B,OAAO,EAAE,KAAK;YACd,eAAe,EAAE,IAAI;SACtB,CAAA;IACH,CAAC;IAED,MAAM,aAAa,GAAG,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;QAClD,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,aAAa,CAAC,OAAO,CAAC,OAAO,EAAE,KAAK,EAAE,SAAS,CAAC,eAAe,EAAE,CAAC,CAAA;QAChG,OAAO;YACL,YAAY,EAAE,KAAK;YACnB,OAAO;YACP,QAAQ;SACT,CAAA;IACH,CAAC,CAAC,CAAA;IAEF,MAAM,YAAY,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,EAAE,CAAC,YAAY,CAAC,OAAO,CAAC,CAAA;IAC/E,MAAM,eAAe,GAAa,EAAE,CAAA;IAEpC,MAAM,QAAQ,GAA0C,EAAE,CAAA;IAC1D,KAAK,MAAM,YAAY,IAAI,aAAa,EAAE,CAAC;QACzC,IAAI,CAAC,aAAa,CAAC,UAAU,IAAI,CAAC,YAAY,CAAC,O
AAO,EAAE,CAAC;YACvD,eAAe,CAAC,IAAI,CAAC,YAAY,CAAC,YAAY,CAAC,CAAA;QACjD,CAAC;aAAM,IAAI,aAAa,CAAC,UAAU,IAAI,YAAY,CAAC,OAAO,EAAE,CAAC;YAC5D,eAAe,CAAC,IAAI,CAAC,YAAY,CAAC,YAAY,CAAC,CAAA;QACjD,CAAC;QACD,KAAK,MAAM,OAAO,IAAI,YAAY,CAAC,QAAQ,EAAE,CAAC;YAC5C,IAAI,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;YACxC,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG;oBACxB,KAAK,EAAE,OAAO,CAAC,KAAK;oBACpB,OAAO,EAAE,YAAY;iBACtB,CAAA;gBACD,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;YACtC,CAAC;YACD,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;gBACpB,UAAU,CAAC,cAAc,GAAG,UAAU,CAAC,cAAc,IAAI,EAAE,CAAA;gBAC3D,UAAU,CAAC,cAAc,CAAC,IAAI,CAAC,YAAY,CAAC,YAAY,CAAC,CAAA;YAC3D,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE;QACvC,iBAAiB,EAAE,SAAS,CAAC,YAAY,EAAE;QAC3C,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC;QAC/B,OAAO,EAAE,YAAY;QACrB,eAAe;KAChB,CAAA;AACH,CAAC"}
|
|
1
|
+
{"version":3,"file":"condition.js","sourceRoot":"","sources":["../../../src/condition/condition.ts"],"names":[],"mappings":"AAQA,OAAO,EAAc,cAAc,EAAE,MAAM,sBAAsB,CAAA;AACjE,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAA;AAC9C,OAAO,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAA;AAC1C,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAA;AACpD,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAA;AAEhD,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAA;AACvD,OAAO,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAA;AACxC,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAA;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAA;AAC3D,OAAO,EAAE,qBAAqB,EAAE,MAAM,iCAAiC,CAAA;AACvE,OAAO,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAA;AACrD,OAAO,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAA;AACjE,OAAO,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAA;AACvD,OAAO,EAAE,SAAS,EAAE,MAAM,0BAA0B,CAAA;AACpD,OAAO,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAA;AAC1D,OAAO,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAA;AAC1D,OAAO,EAAE,kBAAkB,EAAE,MAAM,iCAAiC,CAAA;AACpE,OAAO,EAAE,wBAAwB,EAAE,MAAM,uCAAuC,CAAA;AAChF,OAAO,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAA;AAC9D,OAAO,EAAE,gBAAgB,EAAE,MAAM,+BAA+B,CAAA;AAChE,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAA;AACvD,OAAO,EAAE,sBAAsB,EAAE,MAAM,oCAAoC,CAAA;AAC3E,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAA;AACnD,OAAO,EAAE,eAAe,EAAE,MAAM,6BAA6B,CAAA;AAC7D,OAAO,EAAE,yBAAyB,EAAE,MAAM,uCAAuC,CAAA;AACjF,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAA;AAIzD,MAAM,YAAY,GAAG;IACnB,YAAY;IACZ,eAAe;IACf,sBAAsB;IACtB,yBAAyB;IACzB,UAAU;IACV,aAAa;IACb,aAAa;IACb,gBAAgB;IAChB,eAAe;IACf,gBAAgB;IAChB,kBAAkB;IAClB,wBAAwB;IACxB,UAAU;IACV,aAAa;IACb,YAAY;IACZ,kBAAkB;IAClB,eAAe;IACf,qBAAqB;IACrB,IAAI;IACJ,YAAY;IACZ,SAAS;IACT,YAAY;IACZ,OAAO;IACP,SAAS;IACT,UAAU;IACV,YAAY;CACb,CAAA;AAED,MAAM,cAAc,GAA6C,EAAE,CAAA;AACnE,KAAK,MAAM,QAAQ,IAAI,YAAY,EAAE,CAAC;IACpC,cAAc,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,GAAG,QAAQ,CAAA;AACxD,CAAC;AAOD;;;;;;GAMG;AACH,MAAM,UAAU,wBAAwB,CACtC,OAAmB,EACnB,UAAuB,EACvB,aAA+B,EAC/B,oBAA0C;IAM1C,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QAC7C,SAAS;QACT,OAAO,EAAE,6BAA6B,CAAC,OAAO,EAAE,SAAS,EAAE,oBAAoB,CAAC;KACjF,CAAC,CAAC,CAAA;IAEH,MAAM,SAAS,GAAG,CAAC,CAAsB,E
AAW,EAAE;QACpD,IAAI,oBAAoB,CAAC,cAAc,KAAK,WAAW,EAAE,CAAC;YACxD,OAAO,KAAK,CAAA;QACd,CAAC;QACD,IAAI,oBAAoB,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,YAAY,EAAE,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;YAC3F,OAAO,KAAK,CAAA;QACd,CAAC;QACD,mDAAmD;QACnD,IAAI,aAAa,CAAC,WAAW,EAAE,KAAK,OAAO,EAAE,CAAC;YAC5C,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAA;QAC3B,CAAC;QACD,+CAA+C;QAC/C,IAAI,aAAa,CAAC,WAAW,EAAE,KAAK,MAAM,EAAE,CAAC;YAC3C,OAAO,CAAC,CAAC,OAAO,CAAC,OAAO,CAAA;QAC1B,CAAC;QACD,MAAM,IAAI,KAAK,CACb,yEAAyE,aAAa,EAAE,CACzF,CAAA;IACH,CAAC,CAAA;IAED,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;IAC/F,MAAM,cAAc,GAAG,OAAO;SAC3B,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;SAC3B,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;IAE3C,OAAO;QACL,OAAO,EAAE,QAAQ,IAAI,cAAc,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAE,OAAgC;QACnF,OAAO,EAAE;YACP,UAAU,EAAE,OAAO,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;SAC5E;QACD,iBAAiB,EAAE,iBAAiB,CAAC,OAAO,EAAE,SAAS,CAAC;KACzD,CAAA;AACH,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,iBAAiB,CACxB,UAAiC,EACjC,SAA8C;IAE9C,MAAM,iBAAiB,GAAG,UAAU,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;IACtD,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjC,OAAO,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAA;IAClD,CAAC;IAED,OAAO,SAAS,CAAA;AAClB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,6BAA6B,CAC3C,OAAmB,EACnB,SAAoB,EACpB,oBAA0C;IAE1C,MAAM,GAAG,GAAG,SAAS,CAAC,YAAY,EAAE,CAAA;IACpC,MAAM,aAAa,GAAG,cAAc,CAAC,SAAS,CAAC,SAAS,EAAE,CAAC,YAAY,EAAE,CAAC,WAAW,EAAE,CAAC,CAAA;IACxF,MAAM,SAAS,GAAG,OAAO,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAA;IAC/C,MAAM,QAAQ,GAAG,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;IAExE,IACE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE,CAAC,WAAW,EAAE,IAAI,MAAM;QACrD,SAAS,CAAC,SAAS,EAAE,CAAC,YAAY,EAAE,EAAE,WAAW,EAAE,IAAI,MAAM,EAC7D,CAAC;QACD,OAAO,QAAQ
,CAAC,SAAS,EAAE,SAAS,CAAC,CAAA;IACvC,CAAC;IAED,IAAI,SAAS,CAAC,SAAS,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC;QACxC,MAAM,WAAW,GAAG,SAAS,CAAC,SAAS,EAAE,CAAC,WAAW,EAAE,CAAA;QACvD,IAAI,WAAW,KAAK,aAAa,EAAE,CAAC;YAClC,OAAO,gBAAgB,CAAC,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,aAAa,CAAC,CAAA;QACtE,CAAC;aAAM,IAAI,WAAW,KAAK,cAAc,EAAE,CAAC;YAC1C,OAAO,iBAAiB,CAAC,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,aAAa,CAAC,CAAA;QACvE,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CAAC,yBAAyB,WAAW,EAAE,CAAC,CAAA;QACzD,CAAC;IACH,CAAC;IAED,OAAO,gBAAgB,CAAC,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,QAAQ,CAAC,CAAA;AACtE,CAAC;AAED;;;;;;GAMG;AACH,SAAS,QAAQ,CAAC,SAAoB,EAAE,SAAkB;IACxD,MAAM,SAAS,GAAG,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAA;IAC9C,MAAM,eAAe,GAA4B,SAAS,CAAC,eAAe,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;QACzF,OAAO;YACL,KAAK;YACL,OAAO,EAAE,KAAK,CAAC,WAAW,EAAE,KAAK,SAAS;SAC3C,CAAA;IACH,CAAC,CAAC,CAAA;IAEF,OAAO;QACL,QAAQ,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE;QACvC,iBAAiB,EAAE,SAAS,CAAC,YAAY,EAAE;QAC3C,MAAM,EAAE,SAAS,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC;QACvE,OAAO,EAAE,eAAe,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,OAAO,CAAC;KACxD,CAAA;AACH,CAAC;AAED,MAAM,UAAU,gBAAgB,CAC9B,OAAmB,EACnB,SAAoB,EACpB,aAAoC,EACpC,QAAgC;IAEhC,MAAM,aAAa,GAAG,SAAS,CAAC,SAAS,EAAE,CAAC,YAAY,EAAE,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IACxF,IAAI,SAAS,CAAC,SAAS,EAAE,CAAC,UAAU,EAAE,IAAI,aAAa,EAAE,CAAC;QACxD,+CAA+C;QAC/C,sFAAsF;QACtF,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,aAAa,GAA4B,SAAS,CAAC,eAAe,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;gBACzF,KAAK;gBACL,OAAO,EAAE,IAAI;aACd,CAAC,CAAC,CAAA;YACH,OAAO;gBACL,QAAQ,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE;gBACvC,iBAAiB,EAAE,SAAS,CAAC,YAAY,EAAE;gBAC3C,MAAM,EAAE,SAAS,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC;gBACnE,OAAO,EAAE,IAAI;gBACb,qBAAqB,EAAE,IAAI;gBAC3B,yBAAyB,EAAE,QAAQ;aACpC,CAAA;QACH,CAAC;IACH,CAAC;IAED,IAAI,CAAC,QAAQ,IAAI,CAAC,QAAQ,CAAC,aAAa,EAAE,EAAE,CAAC;QAC3C,gDAAgD;QAChD,2CAA2C;QAC3C,MAAM,aAAa,GAA4B,SAAS,CAAC,eAAe,EAAE,CAAC,GAAG,C
AAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YACzF,KAAK;YACL,OAAO,EAAE,KAAK;SACf,CAAC,CAAC,CAAA;QACH,OAAO;YACL,QAAQ,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE;YACvC,iBAAiB,EAAE,SAAS,CAAC,YAAY,EAAE;YAC3C,MAAM,EAAE,SAAS,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC;YACnE,OAAO,EAAE,KAAK;YACd,oBAAoB,EAAE,CAAC,QAAQ;YAC/B,kBAAkB,EAAE,QAAQ,EAAE,YAAY,EAAE;SAC7C,CAAA;IACH,CAAC;IAED,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,aAAa,GAA4B,SAAS,CAAC,eAAe,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YACzF,KAAK;YACL,OAAO,EAAE,KAAK;SACf,CAAC,CAAC,CAAA;QAEH,OAAO;YACL,QAAQ,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE;YACvC,iBAAiB,EAAE,SAAS,CAAC,YAAY,EAAE;YAC3C,MAAM,EAAE,SAAS,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC;YACnE,OAAO,EAAE,KAAK;YACd,eAAe,EAAE,IAAI;SACtB,CAAA;IACH,CAAC;IAED,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,aAAa,CAAC,OAAO,CACjD,OAAO,EACP,QAAQ,CAAC,KAAK,EACd,SAAS,CAAC,eAAe,EAAE,CAC5B,CAAA;IAED,OAAO;QACL,OAAO;QACP,QAAQ,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE;QACvC,iBAAiB,EAAE,SAAS,CAAC,YAAY,EAAE;QAC3C,MAAM,EAAE,SAAS,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;QACzD,yBAAyB,EAAE,QAAQ,CAAC,KAAK;KAC1C,CAAA;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,iBAAiB,CAC/B,OAAmB,EACnB,SAAoB,EACpB,QAAgC,EAChC,aAAoC;IAEpC,MAAM,qBAAqB,GAA4B,SAAS;SAC7D,eAAe,EAAE;SACjB,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACf,KAAK;QACL,OAAO,EAAE,IAAI;KACd,CAAC,CAAC,CAAA;IACL,MAAM,wBAAwB,GAA4B,SAAS;SAChE,eAAe,EAAE;SACjB,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACf,KAAK;QACL,OAAO,EAAE,KAAK;KACf,CAAC,CAAC,CAAA;IAEL,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO;YACL,QAAQ,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE;YACvC,iBAAiB,EAAE,SAAS,CAAC,YAAY,EAAE;YAC3C,MAAM,EAAE,qBAAqB;YAC7B,OAAO,EAAE,IAAI;YACb,qBAAqB,EAAE,IAAI;SAC5B,CAAA;IACH,CAAC;IAED,wEAAwE;IACxE,IAAI,QAAQ,CAAC,aAAa,EAAE,EAAE,CAAC;QAC7B,QAAQ,GAAG,IAAI,cAAc,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAA;IAChE,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,YAAY,EAAE,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAA;IAC
9D,CAAC;IAED,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO;YACL,QAAQ,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE;YACvC,iBAAiB,EAAE,SAAS,CAAC,YAAY,EAAE;YAC3C,MAAM,EAAE,wBAAwB;YAChC,OAAO,EAAE,KAAK;YACd,eAAe,EAAE,IAAI;SACtB,CAAA;IACH,CAAC;IAED,MAAM,aAAa,GAAG,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;QAClD,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,aAAa,CAAC,OAAO,CAAC,OAAO,EAAE,KAAK,EAAE,SAAS,CAAC,eAAe,EAAE,CAAC,CAAA;QAChG,OAAO;YACL,YAAY,EAAE,KAAK;YACnB,OAAO;YACP,QAAQ;SACT,CAAA;IACH,CAAC,CAAC,CAAA;IAEF,MAAM,aAAa,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,CAAA;IACjF,MAAM,YAAY,GAAG,CAAC,aAAa,CAAA;IACnC,MAAM,eAAe,GAAa,EAAE,CAAA;IAEpC,MAAM,QAAQ,GAA0C,EAAE,CAAA;IAC1D,KAAK,MAAM,YAAY,IAAI,aAAa,EAAE,CAAC;QACzC,IAAI,CAAC,aAAa,CAAC,UAAU,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,CAAC;YACvD,eAAe,CAAC,IAAI,CAAC,YAAY,CAAC,YAAY,CAAC,CAAA;QACjD,CAAC;aAAM,IAAI,aAAa,CAAC,UAAU,IAAI,YAAY,CAAC,OAAO,EAAE,CAAC;YAC5D,eAAe,CAAC,IAAI,CAAC,YAAY,CAAC,YAAY,CAAC,CAAA;QACjD,CAAC;QACD,KAAK,MAAM,OAAO,IAAI,YAAY,CAAC,QAAQ,EAAE,CAAC;YAC5C,IAAI,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;YACxC,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG;oBACxB,KAAK,EAAE,OAAO,CAAC,KAAK;oBACpB,OAAO,EAAE,YAAY;iBACtB,CAAA;gBACD,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;YACtC,CAAC;YACD,IAAI,OAAO,CAAC,OAAO,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,CAAC;gBACjD,UAAU,CAAC,cAAc,GAAG,UAAU,CAAC,cAAc,IAAI,EAAE,CAAA;gBAC3D,UAAU,CAAC,cAAc,CAAC,IAAI,CAAC,YAAY,CAAC,YAAY,CAAC,CAAA;YAC3D,CAAC;iBAAM,IAAI,CAAC,OAAO,CAAC,OAAO,IAAI,aAAa,CAAC,UAAU,EAAE,CAAC;gBACxD,UAAU,CAAC,sBAAsB,GAAG,UAAU,CAAC,sBAAsB,IAAI,EAAE,CAAA;gBAC3E,UAAU,CAAC,sBAAsB,CAAC,IAAI,CAAC,YAAY,CAAC,YAAY,CAAC,CAAA;YACnE,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE;QACvC,iBAAiB,EAAE,SAAS,CAAC,YAAY,EAAE;QAC3C,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC;QAC/B,OAAO,EAAE,YAAY;QACrB,eAAe;KAChB,CAAA;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,gBAAgB,CAC9B,OAAmB,EACnB,SAAoB,EACpB,QAAgC,EAChC,aAAoC;IAEpC,MAAM,mBAAmB,GAA4B,SAAS,CAAC,eA
Ae,EAAE,CAAC,GAAG,CAClF,CAAC,KAAK,EAAE,EAAE,CACR,CAAC;QACC,KAAK;QACL,OAAO,EAAE,KAAK;KACf,CAA0B,CAC9B,CAAA;IAED,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO;YACL,QAAQ,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE;YACvC,iBAAiB,EAAE,SAAS,CAAC,YAAY,EAAE;YAC3C,MAAM,EAAE,mBAAmB;YAC3B,OAAO,EAAE,KAAK;YACd,oBAAoB,EAAE,IAAI;SAC3B,CAAA;QACD,mBAAmB;IACrB,CAAC;IAED,wEAAwE;IACxE,IAAI,QAAQ,CAAC,aAAa,EAAE,EAAE,CAAC;QAC7B,QAAQ,GAAG,IAAI,cAAc,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAA;IAChE,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,YAAY,EAAE,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAA;IAC9D,CAAC;IAED,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO;YACL,QAAQ,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE;YACvC,iBAAiB,EAAE,SAAS,CAAC,YAAY,EAAE;YAC3C,MAAM,EAAE,mBAAmB;YAC3B,OAAO,EAAE,KAAK;YACd,eAAe,EAAE,IAAI;SACtB,CAAA;IACH,CAAC;IAED,MAAM,aAAa,GAAG,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;QAClD,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,aAAa,CAAC,OAAO,CAAC,OAAO,EAAE,KAAK,EAAE,SAAS,CAAC,eAAe,EAAE,CAAC,CAAA;QAChG,OAAO;YACL,YAAY,EAAE,KAAK;YACnB,OAAO;YACP,QAAQ;SACT,CAAA;IACH,CAAC,CAAC,CAAA;IAEF,MAAM,YAAY,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,EAAE,CAAC,YAAY,CAAC,OAAO,CAAC,CAAA;IAC/E,MAAM,eAAe,GAAa,EAAE,CAAA;IAEpC,MAAM,QAAQ,GAA0C,EAAE,CAAA;IAC1D,KAAK,MAAM,YAAY,IAAI,aAAa,EAAE,CAAC;QACzC,IAAI,CAAC,aAAa,CAAC,UAAU,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,CAAC;YACvD,eAAe,CAAC,IAAI,CAAC,YAAY,CAAC,YAAY,CAAC,CAAA;QACjD,CAAC;aAAM,IAAI,aAAa,CAAC,UAAU,IAAI,YAAY,CAAC,OAAO,EAAE,CAAC;YAC5D,eAAe,CAAC,IAAI,CAAC,YAAY,CAAC,YAAY,CAAC,CAAA;QACjD,CAAC;QACD,KAAK,MAAM,OAAO,IAAI,YAAY,CAAC,QAAQ,EAAE,CAAC;YAC5C,IAAI,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;YACxC,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG;oBACxB,KAAK,EAAE,OAAO,CAAC,KAAK;oBACpB,OAAO,EAAE,YAAY;iBACtB,CAAA;gBACD,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;YACtC,CAAC;YACD,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;gBACpB,UAAU,CAAC,cAAc,GAAG,UAAU,CAAC,cAAc,IAAI,EAAE,CAAA;gBAC3D,UAAU,CAAC,cAAc,CAAC,IAAI,CAAC,YAAY,CAAC,YAAY,CAAC,CAAA;YAC3D,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO
;QACL,QAAQ,EAAE,SAAS,CAAC,SAAS,EAAE,CAAC,KAAK,EAAE;QACvC,iBAAiB,EAAE,SAAS,CAAC,YAAY,EAAE;QAC3C,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC;QAC/B,OAAO,EAAE,YAAY;QACrB,eAAe;KAChB,CAAA;AACH,CAAC"}
|
|
@@ -4,6 +4,7 @@ import { ConditionValueExplain } from '../../explain/statementExplain.js';
|
|
|
4
4
|
*
|
|
5
5
|
* @param policyValue - The CIDR block to check against.
|
|
6
6
|
* @param requestValue - The IP address to check.
|
|
7
|
+
* @param expectInCidr - If true, the function checks if the request value is within the CIDR block; if false, it checks if it is outside.
|
|
7
8
|
* @returns An object explaining the result.
|
|
8
9
|
*/
|
|
9
10
|
export declare function checkIfIpAddress(policyValue: string, requestValue: string, expectInCidr: boolean): ConditionValueExplain;
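Review bot: The `policyValue` line still reads "The CIDR block to check against", but the ip.js change in this same release adds branches for a policy value that is a single IPv4 or IPv6 address, so the comment is now too narrow. The added `expectInCidr` line is worded in terms of a CIDR block as well. I would write `@param policyValue - The CIDR block or single IP address to check against.` and describe `expectInCidr` as expecting a match versus a non-match. The identical comment above `checkIfIpAddress` in ip.js needs the same update, and since both files are build output the edit belongs in the TypeScript source.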
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ip.d.ts","sourceRoot":"","sources":["../../../../src/condition/ipaddress/ip.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,qBAAqB,EAAE,MAAM,mCAAmC,CAAA;AAIzE
|
|
1
|
+
{"version":3,"file":"ip.d.ts","sourceRoot":"","sources":["../../../../src/condition/ipaddress/ip.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,qBAAqB,EAAE,MAAM,mCAAmC,CAAA;AAIzE;;;;;;;GAOG;AACH,wBAAgB,gBAAgB,CAC9B,WAAW,EAAE,MAAM,EACnB,YAAY,EAAE,MAAM,EACpB,YAAY,EAAE,OAAO,GACpB,qBAAqB,CA6DvB"}
|
|
@@ -5,6 +5,7 @@ import { isIpInCidrV6, isValidIpCidrV6, isValidIpV6 } from './ipv6.js';
|
|
|
5
5
|
*
|
|
6
6
|
* @param policyValue - The CIDR block to check against.
|
|
7
7
|
* @param requestValue - The IP address to check.
|
|
8
|
+
* @param expectInCidr - If true, the function checks if the request value is within the CIDR block; if false, it checks if it is outside.
|
|
8
9
|
* @returns An object explaining the result.
|
|
9
10
|
*/
|
|
10
11
|
export function checkIfIpAddress(policyValue, requestValue, expectInCidr) {
|
|
@@ -26,6 +27,12 @@ export function checkIfIpAddress(policyValue, requestValue, expectInCidr) {
|
|
|
26
27
|
value: policyValue
|
|
27
28
|
};
|
|
28
29
|
}
|
|
30
|
+
if (isValidIpV4(policyValue)) {
|
|
31
|
+
return {
|
|
32
|
+
matches: isValidIpV4(requestValue) && (policyValue === requestValue) == expectInCidr,
|
|
33
|
+
value: policyValue
|
|
34
|
+
};
|
|
35
|
+
}
|
|
29
36
|
if (isValidIpCidrV6(policyValue)) {
|
|
30
37
|
if (isValidIpV4(requestValue)) {
|
|
31
38
|
return {
|
|
@@ -45,6 +52,12 @@ export function checkIfIpAddress(policyValue, requestValue, expectInCidr) {
|
|
|
45
52
|
value: policyValue
|
|
46
53
|
};
|
|
47
54
|
}
|
|
55
|
+
if (isValidIpV6(policyValue)) {
|
|
56
|
+
return {
|
|
57
|
+
matches: isValidIpV6(requestValue) && (policyValue === requestValue) == expectInCidr,
|
|
58
|
+
value: policyValue
|
|
59
|
+
};
|
|
60
|
+
}
|
|
48
61
|
return {
|
|
49
62
|
matches: false,
|
|
50
63
|
value: policyValue,
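Review bot: The two added single-address branches decide equality with `policyValue === requestValue`, a string comparison, and in the `isValidIpV6(policyValue)` branch one address has many valid spellings (compressed or expanded zero groups, upper- or lower-case hex). The same address written differently would be reported as not matching, and as matching when `expectInCidr` is false, so the simulated decision for a policy that pins a single IPv6 address can be wrong. Comparing parsed addresses avoids this, for example `matches: isValidIpV6(requestValue) && isIpInCidrV6(requestValue, policyValue + '/128') === expectInCidr,`, assuming `isIpInCidrV6` takes the address first and accepts a `/128` prefix, neither of which is visible here. The IPv4 branch needs the same care if `isValidIpV4` accepts more than one spelling of an address. The body of `checkIfIpAddress` continues outside these hunks.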
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ip.js","sourceRoot":"","sources":["../../../../src/condition/ipaddress/ip.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,WAAW,CAAA;AACpE,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,WAAW,CAAA;AAEtE
|
|
1
|
+
{"version":3,"file":"ip.js","sourceRoot":"","sources":["../../../../src/condition/ipaddress/ip.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,WAAW,CAAA;AACpE,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,WAAW,CAAA;AAEtE;;;;;;;GAOG;AACH,MAAM,UAAU,gBAAgB,CAC9B,WAAmB,EACnB,YAAoB,EACpB,YAAqB;IAErB,IAAI,aAAa,CAAC,WAAW,CAAC,EAAE,CAAC;QAC/B,IAAI,WAAW,CAAC,YAAY,CAAC,EAAE,CAAC;YAC9B,OAAO;gBACL,OAAO,EAAE,KAAK,IAAI,YAAY;gBAC9B,KAAK,EAAE,WAAW;aACnB,CAAA;QACH,CAAC;QACD,IAAI,CAAC,WAAW,CAAC,YAAY,CAAC,EAAE,CAAC;YAC/B,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,WAAW;aACnB,CAAA;QACH,CAAC;QAED,OAAO;YACL,OAAO,EAAE,YAAY,CAAC,YAAY,EAAE,WAAW,CAAC,IAAI,YAAY;YAChE,KAAK,EAAE,WAAW;SACnB,CAAA;IACH,CAAC;IAED,IAAI,WAAW,CAAC,WAAW,CAAC,EAAE,CAAC;QAC7B,OAAO;YACL,OAAO,EAAE,WAAW,CAAC,YAAY,CAAC,IAAI,CAAC,WAAW,KAAK,YAAY,CAAC,IAAI,YAAY;YACpF,KAAK,EAAE,WAAW;SACnB,CAAA;IACH,CAAC;IAED,IAAI,eAAe,CAAC,WAAW,CAAC,EAAE,CAAC;QACjC,IAAI,WAAW,CAAC,YAAY,CAAC,EAAE,CAAC;YAC9B,OAAO;gBACL,OAAO,EAAE,KAAK,IAAI,YAAY;gBAC9B,KAAK,EAAE,WAAW;aACnB,CAAA;QACH,CAAC;QACD,IAAI,CAAC,WAAW,CAAC,YAAY,CAAC,EAAE,CAAC;YAC/B,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,WAAW;gBAClB,MAAM,EAAE,CAAC,kBAAkB,YAAY,4BAA4B,CAAC;aACrE,CAAA;QACH,CAAC;QAED,OAAO;YACL,OAAO,EAAE,YAAY,CAAC,YAAY,EAAE,WAAW,CAAC,IAAI,YAAY;YAChE,KAAK,EAAE,WAAW;SACnB,CAAA;IACH,CAAC;IAED,IAAI,WAAW,CAAC,WAAW,CAAC,EAAE,CAAC;QAC7B,OAAO;YACL,OAAO,EAAE,WAAW,CAAC,YAAY,CAAC,IAAI,CAAC,WAAW,KAAK,YAAY,CAAC,IAAI,YAAY;YACpF,KAAK,EAAE,WAAW;SACnB,CAAA;IACH,CAAC;IAED,OAAO;QACL,OAAO,EAAE,KAAK;QACd,KAAK,EAAE,WAAW;QAClB,MAAM,EAAE,CAAC,GAAG,WAAW,4BAA4B,CAAC;KACrD,CAAA;AACH,CAAC"}
|
|
@@ -2,6 +2,27 @@ import { Policy } from '@cloud-copilot/iam-policy';
|
|
|
2
2
|
import { IdentityAnalysis, RcpAnalysis, RequestAnalysis, ResourceAnalysis, ScpAnalysis } from '../evaluate.js';
|
|
3
3
|
import { AwsRequest } from '../request/request.js';
|
|
4
4
|
import { ServiceAuthorizer } from '../services/ServiceAuthorizer.js';
|
|
5
|
+
export declare const validSimulationModes: readonly ["Strict", "Discovery"];
|
|
6
|
+
/**
|
|
7
|
+
* The mode of simulation for the core engine.
|
|
8
|
+
* - Strict: Simulates the request as if it were being made in a real AWS environment.
|
|
9
|
+
* - Discovery: Simulates the request but discovers under what conditions it would be allowed.
|
|
10
|
+
*/
|
|
11
|
+
export type SimulationMode = (typeof validSimulationModes)[number];
|
|
12
|
+
/**
|
|
13
|
+
* Meta parameters for the simulation engine.
|
|
14
|
+
*/
|
|
15
|
+
export interface SimulationParameters {
|
|
16
|
+
/**
|
|
17
|
+
* The simulation mode to use for the request.
|
|
18
|
+
*/
|
|
19
|
+
simulationMode: SimulationMode;
|
|
20
|
+
/**
|
|
21
|
+
* Condition keys that should be evaluated strictly in the simulation. Used only in Discovery mode.
|
|
22
|
+
* In Strict mode, all condition keys are evaluated strictly
|
|
23
|
+
*/
|
|
24
|
+
strictConditionKeys: Set<string>;
|
|
25
|
+
}
|
|
5
26
|
/**
|
|
6
27
|
* A set of service or resource control policies for each level of an organization tree
|
|
7
28
|
*/
|
|
@@ -45,6 +66,10 @@ export interface AuthorizationRequest {
|
|
|
45
66
|
* The permission boundaries that apply to the principal making the request.
|
|
46
67
|
*/
|
|
47
68
|
permissionBoundaries: Policy[] | undefined;
|
|
69
|
+
/**
|
|
70
|
+
* The simulation parameters for the request.
|
|
71
|
+
*/
|
|
72
|
+
simulationParameters: SimulationParameters;
|
|
48
73
|
}
|
|
49
74
|
/**
|
|
50
75
|
* Authorizes a request.
|
|
@@ -70,7 +95,7 @@ export declare function getServiceAuthorizer(request: AuthorizationRequest): Ser
|
|
|
70
95
|
* @param request the request to analyze against
|
|
71
96
|
* @returns an array of statement analysis results
|
|
72
97
|
*/
|
|
73
|
-
export declare function analyzeIdentityPolicies(identityPolicies: Policy[], request: AwsRequest): IdentityAnalysis;
|
|
98
|
+
export declare function analyzeIdentityPolicies(identityPolicies: Policy[], request: AwsRequest, simulationParameters: SimulationParameters): IdentityAnalysis;
|
|
74
99
|
/**
|
|
75
100
|
* Analyzes a set of service or resource control policies and the statements within them.
|
|
76
101
|
*
|
|
@@ -78,7 +103,7 @@ export declare function analyzeIdentityPolicies(identityPolicies: Policy[], requ
|
|
|
78
103
|
* @param request the request to analyze against
|
|
79
104
|
* @returns an array of SCP or RCP analysis results
|
|
80
105
|
*/
|
|
81
|
-
export declare function analyzeControlPolicies(controlPolicies: ControlPolicies[], request: AwsRequest): ScpAnalysis | RcpAnalysis;
|
|
106
|
+
export declare function analyzeControlPolicies(controlPolicies: ControlPolicies[], request: AwsRequest, simulationParameters: SimulationParameters): ScpAnalysis | RcpAnalysis;
|
|
82
107
|
/**
|
|
83
108
|
* Analyze a resource policy and return the results
|
|
84
109
|
*
|
|
@@ -86,6 +111,6 @@ export declare function analyzeControlPolicies(controlPolicies: ControlPolicies[
|
|
|
86
111
|
* @param request the request to analyze against
|
|
87
112
|
* @returns an array of statement analysis results
|
|
88
113
|
*/
|
|
89
|
-
export declare function analyzeResourcePolicy(resourcePolicy: Policy | undefined, request: AwsRequest, principalHasPermissionBoundary: boolean): ResourceAnalysis;
|
|
90
|
-
export declare function analyzePermissionBoundaryPolicies(permissionBoundaries: Policy[] | undefined, request: AwsRequest): IdentityAnalysis | undefined;
|
|
114
|
+
export declare function analyzeResourcePolicy(resourcePolicy: Policy | undefined, request: AwsRequest, principalHasPermissionBoundary: boolean, simulationParameters: SimulationParameters): ResourceAnalysis;
|
|
115
|
+
export declare function analyzePermissionBoundaryPolicies(permissionBoundaries: Policy[] | undefined, request: AwsRequest, simulationParameters: SimulationParameters): IdentityAnalysis | undefined;
|
|
91
116
|
//# sourceMappingURL=CoreSimulatorEngine.d.ts.map
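Review bot: The comment on `strictConditionKeys` does not say in what case the keys must be supplied. IAM condition keys are case-insensitive while `Set<string>` membership is exact, so a key passed in a different case than the engine looks up would silently not be treated as strict, and its condition would be ignored in Discovery mode. I would add a line such as `* Keys are matched after lower-casing; supply them in lower case.`, adjusted to whatever the engine actually does, which this declaration does not show. Separately, `simulationParameters` is now a required member of `AuthorizationRequest` and a required trailing parameter of the four exported `analyze*` functions, so existing callers have to be updated to pass it.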
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"CoreSimulatorEngine.d.ts","sourceRoot":"","sources":["../../../src/core_engine/CoreSimulatorEngine.ts"],"names":[],"mappings":"AAAA,OAAO,
|
|
1
|
+
{"version":3,"file":"CoreSimulatorEngine.d.ts","sourceRoot":"","sources":["../../../src/core_engine/CoreSimulatorEngine.ts"],"names":[],"mappings":"AAAA,OAAO,EAAa,MAAM,EAAa,MAAM,2BAA2B,CAAA;AAGxE,OAAO,EAEL,gBAAgB,EAGhB,WAAW,EACX,eAAe,EACf,gBAAgB,EAChB,WAAW,EACZ,MAAM,gBAAgB,CAAA;AAGvB,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAA;AAKlD,OAAO,EAAE,iBAAiB,EAAE,MAAM,kCAAkC,CAAA;AASpE,eAAO,MAAM,oBAAoB,kCAAmC,CAAA;AAEpE;;;;GAIG;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,OAAO,oBAAoB,CAAC,CAAC,MAAM,CAAC,CAAA;AAElE;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC;;OAEG;IACH,cAAc,EAAE,cAAc,CAAA;IAE9B;;;OAGG;IACH,mBAAmB,EAAE,GAAG,CAAC,MAAM,CAAC,CAAA;CACjC;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B;;OAEG;IACH,aAAa,EAAE,MAAM,CAAA;IAErB;;OAEG;IACH,QAAQ,EAAE,MAAM,EAAE,CAAA;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC;;OAEG;IACH,OAAO,EAAE,UAAU,CAAA;IAEnB;;OAEG;IACH,gBAAgB,EAAE,MAAM,EAAE,CAAA;IAE1B;;;OAGG;IACH,sBAAsB,EAAE,eAAe,EAAE,CAAA;IAEzC;;;OAGG;IACH,uBAAuB,EAAE,eAAe,EAAE,CAAA;IAE1C;;OAEG;IACH,cAAc,EAAE,MAAM,GAAG,SAAS,CAAA;IAElC;;OAEG;IACH,oBAAoB,EAAE,MAAM,EAAE,GAAG,SAAS,CAAA;IAE1C;;OAEG;IACH,oBAAoB,EAAE,oBAAoB,CAAA;CAC3C;AAQD;;;;;;;GAOG;AACH,wBAAgB,SAAS,CAAC,OAAO,EAAE,oBAAoB,GAAG,eAAe,CAiExE;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,oBAAoB,GAAG,iBAAiB,CAMrF;AAED;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CACrC,gBAAgB,EAAE,MAAM,EAAE,EAC1B,OAAO,EAAE,UAAU,EACnB,oBAAoB,EAAE,oBAAoB,GACzC,gBAAgB,CAuElB;AAED;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CACpC,eAAe,EAAE,eAAe,EAAE,EAClC,OAAO,EAAE,UAAU,EACnB,oBAAoB,EAAE,oBAAoB,GACzC,WAAW,GAAG,WAAW,CAsF3B;AAED;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CACnC,cAAc,EAAE,MAAM,GAAG,SAAS,EAClC,OAAO,EAAE,UAAU,EACnB,8BAA8B,EAAE,OAAO,EACvC,oBAAoB,EAAE,oBAAoB,GACzC,gBAAgB,CAyHlB;AAED,wBAAgB,iCAAiC,CAC/C,oBAAoB,EAAE,MAAM,EAAE,GAAG,SAAS,EAC1C,OAAO,EAAE,UAAU,EACnB,oBAAoB,EAAE,oBAAoB,GACzC,gBAAgB,GAAG,SAAS,CAM9B"}
|
|
@@ -7,6 +7,7 @@ import { IamServiceAuthorizer } from '../services/IamServiceAuthorizer.js';
|
|
|
7
7
|
import { KmsServiceAuthorizer } from '../services/KmsServiceAuthorizer.js';
|
|
8
8
|
import { StsServiceAuthorizer } from '../services/StsServiceAuthorizer.js';
|
|
9
9
|
import { identityStatementAllows, identityStatementExplicitDeny, statementMatches } from '../StatementAnalysis.js';
|
|
10
|
+
export const validSimulationModes = ['Strict', 'Discovery'];
|
|
10
11
|
const serviceEngines = {
|
|
11
12
|
kms: KmsServiceAuthorizer,
|
|
12
13
|
sts: StsServiceAuthorizer,
|
|
@@ -22,20 +23,27 @@ const serviceEngines = {
|
|
|
22
23
|
*/
|
|
23
24
|
export function authorize(request) {
|
|
24
25
|
const principalHasPermissionBoundary = !!request.permissionBoundaries && request.permissionBoundaries.length > 0;
|
|
25
|
-
const
|
|
26
|
-
const
|
|
27
|
-
const
|
|
28
|
-
const
|
|
29
|
-
const
|
|
26
|
+
const simulationParameters = request.simulationParameters;
|
|
27
|
+
const identityAnalysis = analyzeIdentityPolicies(request.identityPolicies, request.request, simulationParameters);
|
|
28
|
+
const permissionBoundaryAnalysis = analyzePermissionBoundaryPolicies(request.permissionBoundaries, request.request, simulationParameters);
|
|
29
|
+
const scpAnalysis = analyzeControlPolicies(request.serviceControlPolicies, request.request, simulationParameters);
|
|
30
|
+
const rcpAnalysis = analyzeControlPolicies(request.resourceControlPolicies, request.request, simulationParameters);
|
|
31
|
+
const resourceAnalysis = analyzeResourcePolicy(request.resourcePolicy, request.request, principalHasPermissionBoundary, simulationParameters);
|
|
30
32
|
const serviceAuthorizer = getServiceAuthorizer(request);
|
|
31
|
-
|
|
33
|
+
const result = serviceAuthorizer.authorize({
|
|
32
34
|
request: request.request,
|
|
33
35
|
identityAnalysis,
|
|
34
36
|
scpAnalysis,
|
|
35
37
|
rcpAnalysis,
|
|
36
38
|
resourceAnalysis,
|
|
37
|
-
permissionBoundaryAnalysis
|
|
39
|
+
permissionBoundaryAnalysis,
|
|
40
|
+
simulationParameters
|
|
38
41
|
});
|
|
42
|
+
if (simulationParameters.simulationMode === 'Discovery') {
|
|
43
|
+
result.ignoredConditions = ignoredConditionsAnalysis(scpAnalysis, rcpAnalysis, identityAnalysis, resourceAnalysis, permissionBoundaryAnalysis);
|
|
44
|
+
result.ignoredRoleSessionName = roleSessionNameIgnored(scpAnalysis, rcpAnalysis, identityAnalysis, resourceAnalysis, permissionBoundaryAnalysis);
|
|
45
|
+
}
|
|
46
|
+
return result;
|
|
39
47
|
}
|
|
40
48
|
/**
|
|
41
49
|
* Get the appropriate service authorizer for the request. Some services have specific authorization logic in
|
|
@@ -58,7 +66,7 @@ export function getServiceAuthorizer(request) {
|
|
|
58
66
|
* @param request the request to analyze against
|
|
59
67
|
* @returns an array of statement analysis results
|
|
60
68
|
*/
|
|
61
|
-
export function analyzeIdentityPolicies(identityPolicies, request) {
|
|
69
|
+
export function analyzeIdentityPolicies(identityPolicies, request, simulationParameters) {
|
|
62
70
|
const identityAnalysis = {
|
|
63
71
|
result: 'ImplicitlyDenied',
|
|
64
72
|
allowStatements: [],
|
|
@@ -69,7 +77,7 @@ export function analyzeIdentityPolicies(identityPolicies, request) {
|
|
|
69
77
|
for (const statement of policy.statements()) {
|
|
70
78
|
const { matches: resourceMatch, details: resourceDetails } = requestMatchesStatementResources(request, statement);
|
|
71
79
|
const { matches: actionMatch, details: actionDetails } = requestMatchesStatementActions(request, statement);
|
|
72
|
-
const { matches: conditionMatch, details: conditionDetails } = requestMatchesConditions(request, statement.conditions());
|
|
80
|
+
const { matches: conditionMatch, details: conditionDetails, ignoredConditions } = requestMatchesConditions(request, statement.conditions(), statement.effect(), simulationParameters);
|
|
73
81
|
const principalMatch = 'Match';
|
|
74
82
|
const overallMatch = statementMatches({
|
|
75
83
|
actionMatch,
|
|
@@ -83,6 +91,7 @@ export function analyzeIdentityPolicies(identityPolicies, request) {
|
|
|
83
91
|
actionMatch,
|
|
84
92
|
conditionMatch,
|
|
85
93
|
principalMatch,
|
|
94
|
+
ignoredConditions,
|
|
86
95
|
explain: makeStatementExplain(statement, overallMatch, actionMatch, principalMatch, resourceMatch, conditionMatch, { ...resourceDetails, ...actionDetails, ...conditionDetails })
|
|
87
96
|
};
|
|
88
97
|
if (identityStatementExplicitDeny(statementAnalysis)) {
|
|
@@ -111,7 +120,7 @@ export function analyzeIdentityPolicies(identityPolicies, request) {
|
|
|
111
120
|
* @param request the request to analyze against
|
|
112
121
|
* @returns an array of SCP or RCP analysis results
|
|
113
122
|
*/
|
|
114
|
-
export function analyzeControlPolicies(controlPolicies, request) {
|
|
123
|
+
export function analyzeControlPolicies(controlPolicies, request, simulationParameters) {
|
|
115
124
|
const analysis = [];
|
|
116
125
|
for (const controlPolicy of controlPolicies) {
|
|
117
126
|
const ouAnalysis = {
|
|
@@ -125,7 +134,7 @@ export function analyzeControlPolicies(controlPolicies, request) {
|
|
|
125
134
|
for (const statement of policy.statements()) {
|
|
126
135
|
const { matches: resourceMatch, details: resourceDetails } = requestMatchesStatementResources(request, statement);
|
|
127
136
|
const { matches: actionMatch, details: actionDetails } = requestMatchesStatementActions(request, statement);
|
|
128
|
-
const { matches: conditionMatch, details: conditionDetails } = requestMatchesConditions(request, statement.conditions());
|
|
137
|
+
const { matches: conditionMatch, details: conditionDetails, ignoredConditions } = requestMatchesConditions(request, statement.conditions(), statement.effect(), simulationParameters);
|
|
129
138
|
const principalMatch = 'Match';
|
|
130
139
|
const overallMatch = statementMatches({
|
|
131
140
|
actionMatch,
|
|
@@ -139,6 +148,7 @@ export function analyzeControlPolicies(controlPolicies, request) {
|
|
|
139
148
|
actionMatch,
|
|
140
149
|
conditionMatch,
|
|
141
150
|
principalMatch,
|
|
151
|
+
ignoredConditions,
|
|
142
152
|
explain: makeStatementExplain(statement, overallMatch, actionMatch, principalMatch, resourceMatch, conditionMatch, { ...resourceDetails, ...actionDetails, ...conditionDetails })
|
|
143
153
|
};
|
|
144
154
|
if (identityStatementAllows(statementAnalysis)) {
|
|
@@ -182,7 +192,7 @@ export function analyzeControlPolicies(controlPolicies, request) {
|
|
|
182
192
|
* @param request the request to analyze against
|
|
183
193
|
* @returns an array of statement analysis results
|
|
184
194
|
*/
|
|
185
|
-
export function analyzeResourcePolicy(resourcePolicy, request, principalHasPermissionBoundary) {
|
|
195
|
+
export function analyzeResourcePolicy(resourcePolicy, request, principalHasPermissionBoundary, simulationParameters) {
|
|
186
196
|
const resourceAnalysis = {
|
|
187
197
|
result: 'NotApplicable',
|
|
188
198
|
allowStatements: [],
|
|
@@ -200,7 +210,7 @@ export function analyzeResourcePolicy(resourcePolicy, request, principalHasPermi
|
|
|
200
210
|
for (const statement of resourcePolicy.statements()) {
|
|
201
211
|
const { matches: resourceMatch, details: resourceDetails } = requestMatchesStatementResources(request, statement);
|
|
202
212
|
const { matches: actionMatch, details: actionDetails } = requestMatchesStatementActions(request, statement);
|
|
203
|
-
let { matches: principalMatch, details: principalDetails } = requestMatchesStatementPrincipals(request, statement);
|
|
213
|
+
let { matches: principalMatch, details: principalDetails, ignoredRoleSessionName } = requestMatchesStatementPrincipals(request, statement, simulationParameters);
|
|
204
214
|
const permissionBoundaryDetails = {};
|
|
205
215
|
/**
|
|
206
216
|
* "Don't use resource-based policy statements that include a NotPrincipal policy element with a
|
|
@@ -220,7 +230,7 @@ export function analyzeResourcePolicy(resourcePolicy, request, principalHasPermi
|
|
|
220
230
|
principalMatch = 'Match';
|
|
221
231
|
permissionBoundaryDetails.denyBecauseNpInRpAndPb = true;
|
|
222
232
|
}
|
|
223
|
-
const { matches: conditionMatch, details: conditionDetails } = requestMatchesConditions(request, statement.conditions());
|
|
233
|
+
const { matches: conditionMatch, details: conditionDetails, ignoredConditions } = requestMatchesConditions(request, statement.conditions(), statement.effect(), simulationParameters);
|
|
224
234
|
const overallMatch = statementMatches({
|
|
225
235
|
actionMatch,
|
|
226
236
|
conditionMatch,
|
|
@@ -233,6 +243,8 @@ export function analyzeResourcePolicy(resourcePolicy, request, principalHasPermi
|
|
|
233
243
|
actionMatch,
|
|
234
244
|
conditionMatch,
|
|
235
245
|
principalMatch,
|
|
246
|
+
ignoredConditions,
|
|
247
|
+
ignoredRoleSessionName,
|
|
236
248
|
explain: makeStatementExplain(statement, overallMatch, actionMatch, principalMatch, resourceMatch, conditionMatch, { ...resourceDetails, ...actionDetails, ...principalDetails, ...conditionDetails })
|
|
237
249
|
};
|
|
238
250
|
if (identityStatementExplicitDeny(analysis) && analysis.principalMatch !== 'NoMatch') {
|
|
@@ -262,11 +274,11 @@ export function analyzeResourcePolicy(resourcePolicy, request, principalHasPermi
|
|
|
262
274
|
}
|
|
263
275
|
return resourceAnalysis;
|
|
264
276
|
}
|
|
265
|
-
export function analyzePermissionBoundaryPolicies(permissionBoundaries, request) {
|
|
277
|
+
export function analyzePermissionBoundaryPolicies(permissionBoundaries, request, simulationParameters) {
|
|
266
278
|
if (!permissionBoundaries || permissionBoundaries.length === 0) {
|
|
267
279
|
return undefined;
|
|
268
280
|
}
|
|
269
|
-
return analyzeIdentityPolicies(permissionBoundaries, request);
|
|
281
|
+
return analyzeIdentityPolicies(permissionBoundaries, request, simulationParameters);
|
|
270
282
|
}
|
|
271
283
|
function makeStatementExplain(statement, overallMatch, actionMatch, principalMatch, resourceMatch, conditionMatch, details) {
|
|
272
284
|
return {
|
|
@@ -280,4 +292,67 @@ function makeStatementExplain(statement, overallMatch, actionMatch, principalMat
|
|
|
280
292
|
...details
|
|
281
293
|
};
|
|
282
294
|
}
|
|
295
|
+
/**
|
|
296
|
+
* Create an analysis of the ignored conditions in all statements.
|
|
297
|
+
*
|
|
298
|
+
* @param scpAnalysis the SCP analysis
|
|
299
|
+
* @param rcpAnalysis the RCP analysis
|
|
300
|
+
* @param identityAnalysis the identity analysis
|
|
301
|
+
* @param resourceAnalysis the resource analysis
|
|
302
|
+
* @param permissionBoundaryAnalysis the permission boundary analysis (optional)
|
|
303
|
+
* @returns an object containing the ignored conditions for each analysis
|
|
304
|
+
*/
|
|
305
|
+
function ignoredConditionsAnalysis(scpAnalysis, rcpAnalysis, identityAnalysis, resourceAnalysis, permissionBoundaryAnalysis) {
|
|
306
|
+
return {
|
|
307
|
+
scp: mapIgnoredConditions(scpAnalysis.ouAnalysis),
|
|
308
|
+
rcp: mapIgnoredConditions(rcpAnalysis.ouAnalysis),
|
|
309
|
+
identity: mapIgnoredConditions([identityAnalysis]),
|
|
310
|
+
resource: mapIgnoredConditions([resourceAnalysis]),
|
|
311
|
+
permissionBoundary: mapIgnoredConditions(permissionBoundaryAnalysis ? [permissionBoundaryAnalysis] : [])
|
|
312
|
+
};
|
|
313
|
+
}
|
|
314
|
+
/**
|
|
315
|
+
* Get all of the ignored conditions from a set of analyses.
|
|
316
|
+
*
|
|
317
|
+
* @param analyses the analyses to map ignored conditions from
|
|
318
|
+
* @returns the ignored conditions for allow and deny statements
|
|
319
|
+
*/
|
|
320
|
+
function mapIgnoredConditions(analyses) {
|
|
321
|
+
const allow = [];
|
|
322
|
+
const deny = [];
|
|
323
|
+
const allStatements = analyses.flatMap((analysis) => [
|
|
324
|
+
...analysis.allowStatements,
|
|
325
|
+
...analysis.denyStatements,
|
|
326
|
+
...analysis.unmatchedStatements
|
|
327
|
+
]);
|
|
328
|
+
for (const statement of allStatements) {
|
|
329
|
+
if (statement.ignoredConditions && statement.ignoredConditions.length > 0) {
|
|
330
|
+
if (statement.statement.isAllow()) {
|
|
331
|
+
allow.push(...statement.ignoredConditions);
|
|
332
|
+
}
|
|
333
|
+
else {
|
|
334
|
+
deny.push(...statement.ignoredConditions);
|
|
335
|
+
}
|
|
336
|
+
}
|
|
337
|
+
}
|
|
338
|
+
return { allow, deny };
|
|
339
|
+
}
|
|
340
|
+
/**
|
|
341
|
+
* Checks all analyses to see if any of them have statements that ignore the role session name.
|
|
342
|
+
*
|
|
343
|
+
* @param scpAnalysis the SCP analysis
|
|
344
|
+
* @param rcpAnalysis the RCP analysis
|
|
345
|
+
* @param identityAnalysis the identity analysis
|
|
346
|
+
* @param resourceAnalysis the resource analysis
|
|
347
|
+
* @param permissionBoundaryAnalysis the permission boundary analysis (optional)
|
|
348
|
+
* @returns true if any analysis has statements that ignore the role session name, false otherwise
|
|
349
|
+
*/
|
|
350
|
+
function roleSessionNameIgnored(scpAnalysis, rcpAnalysis, identityAnalysis, resourceAnalysis, permissionBoundaryAnalysis) {
|
|
351
|
+
return (scpAnalysis.ouAnalysis.some((ou) => ou.allowStatements.some((s) => s.ignoredRoleSessionName)) ||
|
|
352
|
+
rcpAnalysis.ouAnalysis.some((ou) => ou.allowStatements.some((s) => s.ignoredRoleSessionName)) ||
|
|
353
|
+
identityAnalysis.allowStatements.some((s) => s.ignoredRoleSessionName) ||
|
|
354
|
+
resourceAnalysis.allowStatements.some((s) => s.ignoredRoleSessionName) ||
|
|
355
|
+
permissionBoundaryAnalysis?.allowStatements.some((s) => s.ignoredRoleSessionName) ||
|
|
356
|
+
false);
|
|
357
|
+
}
|
|
283
358
|
//# sourceMappingURL=CoreSimulatorEngine.js.map
|
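Review bot: `roleSessionNameIgnored` inspects only `allowStatements` in each analysis, although its JSDoc says it reports whether any analysis has "statements that ignore the role session name", and `mapIgnoredConditions` directly above it walks `allowStatements`, `denyStatements` and `unmatchedStatements`. Where `ignoredRoleSessionName` is set lies outside this hunk, so it is unclear whether a Deny statement can carry it; if it can, a decision that relied on a relaxed principal match in a Deny would be returned without the flag, and a caller could read a relaxed-mode result as a strict one. If Allow-only is intended, state that in the doc comment, e.g. `* Checks whether any Allow statement in any analysis was matched while ignoring the role session name.`; otherwise add `|| ou.denyStatements.some((s) => s.ignoredRoleSessionName)` next to each `allowStatements` check.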