@cloud-copilot/iam-simulate 0.1.49 → 0.1.51
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/StatementAnalysis.d.ts +12 -1
- package/dist/cjs/StatementAnalysis.d.ts.map +1 -1
- package/dist/cjs/StatementAnalysis.js.map +1 -1
- package/dist/cjs/condition/condition.d.ts +4 -2
- package/dist/cjs/condition/condition.d.ts.map +1 -1
- package/dist/cjs/condition/condition.js +46 -7
- package/dist/cjs/condition/condition.js.map +1 -1
- package/dist/cjs/condition/ipaddress/ip.d.ts +1 -0
- package/dist/cjs/condition/ipaddress/ip.d.ts.map +1 -1
- package/dist/cjs/condition/ipaddress/ip.js +13 -0
- package/dist/cjs/condition/ipaddress/ip.js.map +1 -1
- package/dist/cjs/core_engine/CoreSimulatorEngine.d.ts +29 -4
- package/dist/cjs/core_engine/CoreSimulatorEngine.d.ts.map +1 -1
- package/dist/cjs/core_engine/CoreSimulatorEngine.js +92 -16
- package/dist/cjs/core_engine/CoreSimulatorEngine.js.map +1 -1
- package/dist/cjs/evaluate.d.ts +34 -0
- package/dist/cjs/evaluate.d.ts.map +1 -1
- package/dist/cjs/explain/statementExplain.d.ts +2 -7
- package/dist/cjs/explain/statementExplain.d.ts.map +1 -1
- package/dist/cjs/explain/statementExplain.js.map +1 -1
- package/dist/cjs/index.d.ts +3 -2
- package/dist/cjs/index.d.ts.map +1 -1
- package/dist/cjs/index.js.map +1 -1
- package/dist/cjs/principal/principal.d.ts +12 -4
- package/dist/cjs/principal/principal.d.ts.map +1 -1
- package/dist/cjs/principal/principal.js +115 -56
- package/dist/cjs/principal/principal.js.map +1 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.d.ts.map +1 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.js +9 -0
- package/dist/cjs/services/DefaultServiceAuthorizer.js.map +1 -1
- package/dist/cjs/services/ServiceAuthorizer.d.ts +2 -0
- package/dist/cjs/services/ServiceAuthorizer.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/simulationEngine.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/simulationEngine.js +11 -1
- package/dist/cjs/simulation_engine/simulationEngine.js.map +1 -1
- package/dist/cjs/simulation_engine/simulationOptions.d.ts +3 -1
- package/dist/cjs/simulation_engine/simulationOptions.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.js +5 -1
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.js.map +1 -1
- package/dist/esm/StatementAnalysis.d.ts +12 -1
- package/dist/esm/StatementAnalysis.d.ts.map +1 -1
- package/dist/esm/StatementAnalysis.js.map +1 -1
- package/dist/esm/condition/condition.d.ts +4 -2
- package/dist/esm/condition/condition.d.ts.map +1 -1
- package/dist/esm/condition/condition.js +46 -7
- package/dist/esm/condition/condition.js.map +1 -1
- package/dist/esm/condition/ipaddress/ip.d.ts +1 -0
- package/dist/esm/condition/ipaddress/ip.d.ts.map +1 -1
- package/dist/esm/condition/ipaddress/ip.js +13 -0
- package/dist/esm/condition/ipaddress/ip.js.map +1 -1
- package/dist/esm/core_engine/CoreSimulatorEngine.d.ts +29 -4
- package/dist/esm/core_engine/CoreSimulatorEngine.d.ts.map +1 -1
- package/dist/esm/core_engine/CoreSimulatorEngine.js +91 -16
- package/dist/esm/core_engine/CoreSimulatorEngine.js.map +1 -1
- package/dist/esm/evaluate.d.ts +34 -0
- package/dist/esm/evaluate.d.ts.map +1 -1
- package/dist/esm/explain/statementExplain.d.ts +2 -7
- package/dist/esm/explain/statementExplain.d.ts.map +1 -1
- package/dist/esm/explain/statementExplain.js.map +1 -1
- package/dist/esm/index.d.ts +3 -2
- package/dist/esm/index.d.ts.map +1 -1
- package/dist/esm/index.js.map +1 -1
- package/dist/esm/principal/principal.d.ts +12 -4
- package/dist/esm/principal/principal.d.ts.map +1 -1
- package/dist/esm/principal/principal.js +115 -56
- package/dist/esm/principal/principal.js.map +1 -1
- package/dist/esm/services/DefaultServiceAuthorizer.d.ts.map +1 -1
- package/dist/esm/services/DefaultServiceAuthorizer.js +10 -1
- package/dist/esm/services/DefaultServiceAuthorizer.js.map +1 -1
- package/dist/esm/services/ServiceAuthorizer.d.ts +2 -0
- package/dist/esm/services/ServiceAuthorizer.d.ts.map +1 -1
- package/dist/esm/simulation_engine/simulationEngine.d.ts.map +1 -1
- package/dist/esm/simulation_engine/simulationEngine.js +12 -2
- package/dist/esm/simulation_engine/simulationEngine.js.map +1 -1
- package/dist/esm/simulation_engine/simulationOptions.d.ts +3 -1
- package/dist/esm/simulation_engine/simulationOptions.d.ts.map +1 -1
- package/dist/esm/simulation_engine/unsafeSimulationEngine.d.ts.map +1 -1
- package/dist/esm/simulation_engine/unsafeSimulationEngine.js +5 -1
- package/dist/esm/simulation_engine/unsafeSimulationEngine.js.map +1 -1
- package/package.json +1 -1
package/dist/cjs/evaluate.d.ts
CHANGED
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
import { Condition } from '@cloud-copilot/iam-policy';
|
|
1
2
|
import { StatementAnalysis } from './StatementAnalysis.js';
|
|
2
3
|
export type EvaluationResult = 'Allowed' | 'ExplicitlyDenied' | 'ImplicitlyDenied';
|
|
3
4
|
export type ResourceEvaluationResult = 'NotApplicable' | 'Allowed' | 'ExplicitlyDenied' | 'AllowedForAccount' | 'DeniedForAccount' | 'ImplicityDenied';
|
|
@@ -41,6 +42,31 @@ export interface RcpAnalysis {
|
|
|
41
42
|
result: EvaluationResult;
|
|
42
43
|
ouAnalysis: OuRcpAnalysis[];
|
|
43
44
|
}
|
|
45
|
+
/**
|
|
46
|
+
* Conditions that were ignored during discovery mode.
|
|
47
|
+
*/
|
|
48
|
+
export interface IgnoredConditions {
|
|
49
|
+
scp: {
|
|
50
|
+
allow: Condition[];
|
|
51
|
+
deny: Condition[];
|
|
52
|
+
};
|
|
53
|
+
rcp: {
|
|
54
|
+
allow: Condition[];
|
|
55
|
+
deny: Condition[];
|
|
56
|
+
};
|
|
57
|
+
identity: {
|
|
58
|
+
allow: Condition[];
|
|
59
|
+
deny: Condition[];
|
|
60
|
+
};
|
|
61
|
+
resource: {
|
|
62
|
+
allow: Condition[];
|
|
63
|
+
deny: Condition[];
|
|
64
|
+
};
|
|
65
|
+
permissionBoundary: {
|
|
66
|
+
allow: Condition[];
|
|
67
|
+
deny: Condition[];
|
|
68
|
+
};
|
|
69
|
+
}
|
|
44
70
|
/**
|
|
45
71
|
* The analysis of a request.
|
|
46
72
|
*/
|
|
@@ -73,5 +99,13 @@ export interface RequestAnalysis {
|
|
|
73
99
|
* The result of the evaluation of the permission boundary.
|
|
74
100
|
*/
|
|
75
101
|
permissionBoundaryAnalysis?: IdentityAnalysis | undefined;
|
|
102
|
+
/**
|
|
103
|
+
* Any conditions that were ignored during discovery mode.
|
|
104
|
+
*/
|
|
105
|
+
ignoredConditions?: IgnoredConditions;
|
|
106
|
+
/**
|
|
107
|
+
* If the role session name was ignored during discovery mode.
|
|
108
|
+
*/
|
|
109
|
+
ignoredRoleSessionName?: boolean;
|
|
76
110
|
}
|
|
77
111
|
//# sourceMappingURL=evaluate.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"evaluate.d.ts","sourceRoot":"","sources":["../../src/evaluate.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAE1D,MAAM,MAAM,gBAAgB,GAAG,SAAS,GAAG,kBAAkB,GAAG,kBAAkB,CAAA;AAClF,MAAM,MAAM,wBAAwB,GAChC,eAAe,GACf,SAAS,GACT,kBAAkB,GAClB,mBAAmB,GACnB,kBAAkB,GAClB,iBAAiB,CAAA;AAErB,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,gBAAgB,CAAA;IACxB,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,wBAAwB,CAAA;IAChC,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,aAAa;IAC5B,aAAa,EAAE,MAAM,CAAA;IACrB,MAAM,EAAE,gBAAgB,CAAA;IACxB,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,WAAW;IAC1B;;OAEG;IACH,MAAM,EAAE,gBAAgB,CAAA;IACxB,UAAU,EAAE,aAAa,EAAE,CAAA;CAC5B;AAED,MAAM,WAAW,aAAa;IAC5B,aAAa,EAAE,MAAM,CAAA;IACrB,MAAM,EAAE,gBAAgB,CAAA;IACxB,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,WAAW;IAC1B;;OAEG;IACH,MAAM,EAAE,gBAAgB,CAAA;IACxB,UAAU,EAAE,aAAa,EAAE,CAAA;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B;;OAEG;IACH,MAAM,EAAE,gBAAgB,CAAA;IAExB;;OAEG;IACH,WAAW,EAAE,OAAO,CAAA;IAEpB;;OAEG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAA;IAEnC;;OAEG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAA;IAEnC;;OAEG;IACH,WAAW,CAAC,EAAE,WAAW,CAAA;IAEzB;;OAEG;IACH,WAAW,CAAC,EAAE,WAAW,CAAA;IAEzB;;OAEG;IACH,0BAA0B,CAAC,EAAE,gBAAgB,GAAG,SAAS,CAAA;
|
|
1
|
+
{"version":3,"file":"evaluate.d.ts","sourceRoot":"","sources":["../../src/evaluate.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAA;AACrD,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAE1D,MAAM,MAAM,gBAAgB,GAAG,SAAS,GAAG,kBAAkB,GAAG,kBAAkB,CAAA;AAClF,MAAM,MAAM,wBAAwB,GAChC,eAAe,GACf,SAAS,GACT,kBAAkB,GAClB,mBAAmB,GACnB,kBAAkB,GAClB,iBAAiB,CAAA;AAErB,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,gBAAgB,CAAA;IACxB,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,wBAAwB,CAAA;IAChC,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,aAAa;IAC5B,aAAa,EAAE,MAAM,CAAA;IACrB,MAAM,EAAE,gBAAgB,CAAA;IACxB,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,WAAW;IAC1B;;OAEG;IACH,MAAM,EAAE,gBAAgB,CAAA;IACxB,UAAU,EAAE,aAAa,EAAE,CAAA;CAC5B;AAED,MAAM,WAAW,aAAa;IAC5B,aAAa,EAAE,MAAM,CAAA;IACrB,MAAM,EAAE,gBAAgB,CAAA;IACxB,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,WAAW;IAC1B;;OAEG;IACH,MAAM,EAAE,gBAAgB,CAAA;IACxB,UAAU,EAAE,aAAa,EAAE,CAAA;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,GAAG,EAAE;QACH,KAAK,EAAE,SAAS,EAAE,CAAA;QAClB,IAAI,EAAE,SAAS,EAAE,CAAA;KAClB,CAAA;IACD,GAAG,EAAE;QACH,KAAK,EAAE,SAAS,EAAE,CAAA;QAClB,IAAI,EAAE,SAAS,EAAE,CAAA;KAClB,CAAA;IACD,QAAQ,EAAE;QACR,KAAK,EAAE,SAAS,EAAE,CAAA;QAClB,IAAI,EAAE,SAAS,EAAE,CAAA;KAClB,CAAA;IACD,QAAQ,EAAE;QACR,KAAK,EAAE,SAAS,EAAE,CAAA;QAClB,IAAI,EAAE,SAAS,EAAE,CAAA;KAClB,CAAA;IACD,kBAAkB,EAAE;QAClB,KAAK,EAAE,SAAS,EAAE,CAAA;QAClB,IAAI,EAAE,SAAS,EAAE,CAAA;KAClB,CAAA;CACF;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B;;OAEG;IACH,MAAM,EAAE,gBAAgB,CAAA;IAExB;;OAEG;IACH,WAAW,EAAE,OAAO,CAAA;IAEpB;;OAEG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAA;IAEnC;;OAEG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAA;IAEnC;;OAEG;IACH,WAAW,CAAC,EAAE,WAAW,CAAA;IAEzB;;OAEG;IACH,WAAW,CAAC,EAAE,WAAW,CAAA;IAEzB;;OAEG;IACH,0BAA0B,CAAC,EAAE,gBAAgB,GAAG,SAAS,CAAA;IAEzD;;OAEG;IACH,iBAAiB,CAAC,EAAE,iBAAiB,CAAA;IAErC;;OAEG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAA;CACjC"}
|
|
@@ -34,7 +34,7 @@ export interface ConditionExplain {
|
|
|
34
34
|
*/
|
|
35
35
|
conditionKeyValue: string;
|
|
36
36
|
/**
|
|
37
|
-
* The resolved
|
|
37
|
+
* The resolved value of the condition key
|
|
38
38
|
*/
|
|
39
39
|
resolvedConditionKeyValue?: string;
|
|
40
40
|
values: ConditionValueExplain | ConditionValueExplain[];
|
|
@@ -61,12 +61,7 @@ export interface ConditionExplain {
|
|
|
61
61
|
*/
|
|
62
62
|
failedBecauseArray?: boolean;
|
|
63
63
|
/**
|
|
64
|
-
*
|
|
65
|
-
* Caused by a set operation being used on a context key that was not an array.
|
|
66
|
-
*/
|
|
67
|
-
failedBecauseNotArray?: boolean;
|
|
68
|
-
/**
|
|
69
|
-
* Was the base operator in the condition statment not found
|
|
64
|
+
* Was the base operator in the condition statement not found
|
|
70
65
|
*/
|
|
71
66
|
missingOperator?: boolean;
|
|
72
67
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"statementExplain.d.ts","sourceRoot":"","sources":["../../../src/explain/statementExplain.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,qBAAqB,GAC7B,OAAO,GACP,SAAS,GACT,mBAAmB,GACnB,kBAAkB,GAClB,kBAAkB,CAAA;AAEtB,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,EAAE,OAAO,CAAA;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAA;IAChB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;IACjB,OAAO,EAAE,OAAO,CAAA;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,qBAAqB,CAAA;IAC9B,iBAAiB,CAAC,EAAE,MAAM,CAAA;IAC1B,iBAAiB,CAAC,EAAE,MAAM,CAAA;IAC1B,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAClB;AAED,MAAM,WAAW,qBAAqB;IACpC,KAAK,EAAE,MAAM,CAAA;IACb,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,OAAO,EAAE,OAAO,CAAA;IAChB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;IACzB,sBAAsB,CAAC,EAAE,MAAM,EAAE,CAAA;IACjC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAClB;AAED,MAAM,WAAW,gBAAgB;IAC/B;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAA;IAEhB;;OAEG;IACH,iBAAiB,EAAE,MAAM,CAAA;IAEzB;;OAEG;IACH,yBAAyB,CAAC,EAAE,MAAM,CAAA;IAClC,MAAM,EAAE,qBAAqB,GAAG,qBAAqB,EAAE,CAAA;IAEvD;;OAEG;IACH,eAAe,CAAC,EAAE,MAAM,EAAE,CAAA;IAE1B;;OAEG;IACH,OAAO,EAAE,OAAO,CAAA;IAEhB;;OAEG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAA;IAE/B;;OAEG;IACH,oBAAoB,CAAC,EAAE,OAAO,CAAA;IAE9B;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAA;IAE5B
|
|
1
|
+
{"version":3,"file":"statementExplain.d.ts","sourceRoot":"","sources":["../../../src/explain/statementExplain.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,qBAAqB,GAC7B,OAAO,GACP,SAAS,GACT,mBAAmB,GACnB,kBAAkB,GAClB,kBAAkB,CAAA;AAEtB,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,EAAE,OAAO,CAAA;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAA;IAChB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;IACjB,OAAO,EAAE,OAAO,CAAA;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,qBAAqB,CAAA;IAC9B,iBAAiB,CAAC,EAAE,MAAM,CAAA;IAC1B,iBAAiB,CAAC,EAAE,MAAM,CAAA;IAC1B,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAClB;AAED,MAAM,WAAW,qBAAqB;IACpC,KAAK,EAAE,MAAM,CAAA;IACb,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,OAAO,EAAE,OAAO,CAAA;IAChB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;IACzB,sBAAsB,CAAC,EAAE,MAAM,EAAE,CAAA;IACjC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAClB;AAED,MAAM,WAAW,gBAAgB;IAC/B;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAA;IAEhB;;OAEG;IACH,iBAAiB,EAAE,MAAM,CAAA;IAEzB;;OAEG;IACH,yBAAyB,CAAC,EAAE,MAAM,CAAA;IAClC,MAAM,EAAE,qBAAqB,GAAG,qBAAqB,EAAE,CAAA;IAEvD;;OAEG;IACH,eAAe,CAAC,EAAE,MAAM,EAAE,CAAA;IAE1B;;OAEG;IACH,OAAO,EAAE,OAAO,CAAA;IAEhB;;OAEG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAA;IAE/B;;OAEG;IACH,oBAAoB,CAAC,EAAE,OAAO,CAAA;IAE9B;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAA;IAE5B;;OAEG;IACH,eAAe,CAAC,EAAE,OAAO,CAAA;CAC1B;AAED,MAAM,WAAW,gBAAgB;IAC/B,WAAW,EAAE,OAAO,CAAA;IACpB,aAAa,EAAE,OAAO,CAAA;IACtB,cAAc,EAAE,qBAAqB,CAAA;IACrC,cAAc,EAAE,OAAO,CAAA;IAEvB,OAAO,EAAE,OAAO,CAAA;IAChB,UAAU,EAAE,MAAM,CAAA;IAClB,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,CAAC,EAAE,aAAa,GAAG,aAAa,EAAE,CAAA;IACzC,UAAU,CAAC,EAAE,aAAa,GAAG,aAAa,EAAE,CAAA;IAC5C,SAAS,CAAC,EAAE,eAAe,GAAG,eAAe,EAAE,CAAA;IAC/C,YAAY,CAAC,EAAE,eAAe,GAAG,eAAe,EAAE,CAAA;IAClD,UAAU,CAAC,EAAE,gBAAgB,GAAG,gBAAgB,EAAE,CAAA;IAClD,aAAa,CAAC,EAAE,gBAAgB,GAAG,gBAAgB,EAAE,CAAA;IACrD,UAAU,CAAC,EAAE,gBAAgB,EAAE,CAAA;IAE/B;;;;;;;OAOG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAA;CACjC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"statementExplain.js","sourceRoot":"","sources":["../../../src/explain/statementExplain.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"statementExplain.js","sourceRoot":"","sources":["../../../src/explain/statementExplain.ts"],"names":[],"mappings":";;AAkHA;;;EAGE"}
|
package/dist/cjs/index.d.ts
CHANGED
|
@@ -1,13 +1,14 @@
|
|
|
1
1
|
export { typeForContextKey } from './context_keys/contextKeys.js';
|
|
2
2
|
export { BaseConditionKeyType, isConditionKeyArray, type ConditionKeyType } from './context_keys/contextKeyTypes.js';
|
|
3
3
|
export { findContextKeys } from './context_keys/findContextKeys.js';
|
|
4
|
-
export {
|
|
4
|
+
export type { SimulationMode } from './core_engine/CoreSimulatorEngine.js';
|
|
5
|
+
export type { EvaluationResult } from './evaluate.js';
|
|
5
6
|
export type { ActionExplain, ConditionExplain, ConditionValueExplain, ExplainPrincipalMatch, PrincipalExplain, ResourceExplain, StatementExplain } from './explain/statementExplain.js';
|
|
6
7
|
export { allowedContextKeysForRequest } from './simulation_engine/contextKeys.js';
|
|
7
8
|
export type { Simulation, SimulationIdentityPolicy, SimulationOrgPolicies } from './simulation_engine/simulation.js';
|
|
8
9
|
export { runSimulation } from './simulation_engine/simulationEngine.js';
|
|
9
10
|
export type { SimulationErrors, SimulationResult } from './simulation_engine/simulationEngine.js';
|
|
10
|
-
export {
|
|
11
|
+
export type { SimulationOptions } from './simulation_engine/simulationOptions.js';
|
|
11
12
|
export { runUnsafeSimulation } from './simulation_engine/unsafeSimulationEngine.js';
|
|
12
13
|
export { isWildcardOnlyAction } from './util.js';
|
|
13
14
|
//# sourceMappingURL=index.d.ts.map
|
package/dist/cjs/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAA;AACjE,OAAO,EACL,oBAAoB,EACpB,mBAAmB,EACnB,KAAK,gBAAgB,EACtB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAA;AACnE,
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAA;AACjE,OAAO,EACL,oBAAoB,EACpB,mBAAmB,EACnB,KAAK,gBAAgB,EACtB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAA;AACnE,YAAY,EAAE,cAAc,EAAE,MAAM,sCAAsC,CAAA;AAC1E,YAAY,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAA;AACrD,YAAY,EACV,aAAa,EACb,gBAAgB,EAChB,qBAAqB,EACrB,qBAAqB,EACrB,gBAAgB,EAChB,eAAe,EACf,gBAAgB,EACjB,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAA;AACjF,YAAY,EACV,UAAU,EACV,wBAAwB,EACxB,qBAAqB,EACtB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAA;AACvE,YAAY,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,yCAAyC,CAAA;AACjG,YAAY,EAAE,iBAAiB,EAAE,MAAM,0CAA0C,CAAA;AACjF,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAA;AACnF,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAA"}
|
package/dist/cjs/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,gEAAiE;AAAxD,mHAAA,iBAAiB,OAAA;AAC1B,wEAI0C;AAFxC,yHAAA,mBAAmB,OAAA;AAGrB,wEAAmE;AAA1D,qHAAA,eAAe,OAAA;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,gEAAiE;AAAxD,mHAAA,iBAAiB,OAAA;AAC1B,wEAI0C;AAFxC,yHAAA,mBAAmB,OAAA;AAGrB,wEAAmE;AAA1D,qHAAA,eAAe,OAAA;AAYxB,qEAAiF;AAAxE,8HAAA,4BAA4B,OAAA;AAMrC,+EAAuE;AAA9D,oHAAA,aAAa,OAAA;AAGtB,2FAAmF;AAA1E,gIAAA,mBAAmB,OAAA;AAC5B,qCAAgD;AAAvC,+GAAA,oBAAoB,OAAA"}
|
|
@@ -1,6 +1,11 @@
|
|
|
1
1
|
import { Principal, Statement } from '@cloud-copilot/iam-policy';
|
|
2
|
+
import { SimulationParameters } from '../core_engine/CoreSimulatorEngine.js';
|
|
2
3
|
import { PrincipalExplain, StatementExplain } from '../explain/statementExplain.js';
|
|
3
4
|
import { AwsRequest } from '../request/request.js';
|
|
5
|
+
interface PrincipalAnalysis {
|
|
6
|
+
explain: PrincipalExplain;
|
|
7
|
+
ignoredRoleSessionName?: boolean;
|
|
8
|
+
}
|
|
4
9
|
export type PrincipalMatchResult = 'Match' | 'NoMatch' | 'AccountLevelMatch' | 'SessionRoleMatch' | 'SessionUserMatch';
|
|
5
10
|
/**
|
|
6
11
|
* Check to see if a request matches a Principal element in an IAM policy statement
|
|
@@ -9,9 +14,10 @@ export type PrincipalMatchResult = 'Match' | 'NoMatch' | 'AccountLevelMatch' | '
|
|
|
9
14
|
* @param principal the list of principals in the Principal element of the Statement
|
|
10
15
|
* @returns if the request matches the Principal element, and if so, how it matches
|
|
11
16
|
*/
|
|
12
|
-
export declare function requestMatchesPrincipal(request: AwsRequest, principal: Principal[]): {
|
|
17
|
+
export declare function requestMatchesPrincipal(request: AwsRequest, principal: Principal[], simulationParameters: SimulationParameters): {
|
|
13
18
|
matches: PrincipalMatchResult;
|
|
14
19
|
explains: PrincipalExplain[];
|
|
20
|
+
ignoredRoleSessionName?: boolean;
|
|
15
21
|
};
|
|
16
22
|
/**
|
|
17
23
|
* Check to see if a request matches a NotPrincipal element in an IAM policy statement
|
|
@@ -20,7 +26,7 @@ export declare function requestMatchesPrincipal(request: AwsRequest, principal:
|
|
|
20
26
|
* @param notPrincipal the list of principals in the NotPrincipal element of the Statement
|
|
21
27
|
* @returns
|
|
22
28
|
*/
|
|
23
|
-
export declare function requestMatchesNotPrincipal(request: AwsRequest, notPrincipal: Principal[]): {
|
|
29
|
+
export declare function requestMatchesNotPrincipal(request: AwsRequest, notPrincipal: Principal[], simulationParameters: SimulationParameters): {
|
|
24
30
|
matches: PrincipalMatchResult;
|
|
25
31
|
explains: PrincipalExplain[];
|
|
26
32
|
};
|
|
@@ -31,7 +37,7 @@ export declare function requestMatchesNotPrincipal(request: AwsRequest, notPrinc
|
|
|
31
37
|
* @param principalStatement the principal statement to check the request against
|
|
32
38
|
* @returns if the request matches the principal statement, and if so, how it matches
|
|
33
39
|
*/
|
|
34
|
-
export declare function requestMatchesPrincipalStatement(request: AwsRequest, principalStatement: Principal):
|
|
40
|
+
export declare function requestMatchesPrincipalStatement(request: AwsRequest, principalStatement: Principal, simulationParameters: SimulationParameters): PrincipalAnalysis;
|
|
35
41
|
/**
|
|
36
42
|
* Get a user ARN from a federated user ARN
|
|
37
43
|
*
|
|
@@ -46,8 +52,10 @@ export declare function userArnFromFederatedUserArn(federatedUserArn: string): s
|
|
|
46
52
|
* @param statement the statement to check against
|
|
47
53
|
* @returns true if the request matches the resources in the statement, false otherwise
|
|
48
54
|
*/
|
|
49
|
-
export declare function requestMatchesStatementPrincipals(request: AwsRequest, statement: Statement): {
|
|
55
|
+
export declare function requestMatchesStatementPrincipals(request: AwsRequest, statement: Statement, simulationParameters: SimulationParameters): {
|
|
50
56
|
matches: PrincipalMatchResult;
|
|
51
57
|
details: Pick<StatementExplain, 'principals' | 'notPrincipals'>;
|
|
58
|
+
ignoredRoleSessionName?: boolean;
|
|
52
59
|
};
|
|
60
|
+
export {};
|
|
53
61
|
//# sourceMappingURL=principal.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"principal.d.ts","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAA;AAMhE,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,gCAAgC,CAAA;AACnF,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAA;
|
|
1
|
+
{"version":3,"file":"principal.d.ts","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAA;AAMhE,OAAO,EAAE,oBAAoB,EAAE,MAAM,uCAAuC,CAAA;AAC5E,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,gCAAgC,CAAA;AACnF,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAA;AAElD,UAAU,iBAAiB;IACzB,OAAO,EAAE,gBAAgB,CAAA;IACzB,sBAAsB,CAAC,EAAE,OAAO,CAAA;CACjC;AAgBD,MAAM,MAAM,oBAAoB,GAC5B,OAAO,GACP,SAAS,GACT,mBAAmB,GACnB,kBAAkB,GAClB,kBAAkB,CAAA;AAEtB;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CACrC,OAAO,EAAE,UAAU,EACnB,SAAS,EAAE,SAAS,EAAE,EACtB,oBAAoB,EAAE,oBAAoB,GACzC;IACD,OAAO,EAAE,oBAAoB,CAAA;IAC7B,QAAQ,EAAE,gBAAgB,EAAE,CAAA;IAC5B,sBAAsB,CAAC,EAAE,OAAO,CAAA;CACjC,CAoDA;AAED;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CACxC,OAAO,EAAE,UAAU,EACnB,YAAY,EAAE,SAAS,EAAE,EACzB,oBAAoB,EAAE,oBAAoB,GACzC;IAAE,OAAO,EAAE,oBAAoB,CAAC;IAAC,QAAQ,EAAE,gBAAgB,EAAE,CAAA;CAAE,CAwCjE;AAED;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAC9C,OAAO,EAAE,UAAU,EACnB,kBAAkB,EAAE,SAAS,EAC7B,oBAAoB,EAAE,oBAAoB,GACzC,iBAAiB,CAyJnB;AAED;;;;;GAKG;AACH,wBAAgB,2BAA2B,CAAC,gBAAgB,EAAE,MAAM,GAAG,MAAM,CAK5E;AAED;;;;;;GAMG;AACH,wBAAgB,iCAAiC,CAC/C,OAAO,EAAE,UAAU,EACnB,SAAS,EAAE,SAAS,EACpB,oBAAoB,EAAE,oBAAoB,GACzC;IACD,OAAO,EAAE,oBAAoB,CAAA;IAC7B,OAAO,EAAE,IAAI,CAAC,gBAAgB,EAAE,YAAY,GAAG,eAAe,CAAC,CAAA;IAC/D,sBAAsB,CAAC,EAAE,OAAO,CAAA;CACjC,CAiBA"}
|
|
@@ -13,9 +13,11 @@ const iam_utils_1 = require("@cloud-copilot/iam-utils");
|
|
|
13
13
|
* @param principal the list of principals in the Principal element of the Statement
|
|
14
14
|
* @returns if the request matches the Principal element, and if so, how it matches
|
|
15
15
|
*/
|
|
16
|
-
function requestMatchesPrincipal(request, principal) {
|
|
17
|
-
const
|
|
18
|
-
|
|
16
|
+
function requestMatchesPrincipal(request, principal, simulationParameters) {
|
|
17
|
+
const analyses = principal.map((principalStatement) => requestMatchesPrincipalStatement(request, principalStatement, simulationParameters));
|
|
18
|
+
const explains = analyses.map((a) => a.explain);
|
|
19
|
+
// First check if any principal match without ignoring the role session name
|
|
20
|
+
if (analyses.some((anys) => anys.explain.matches === 'Match' && !anys.ignoredRoleSessionName)) {
|
|
19
21
|
return {
|
|
20
22
|
matches: 'Match',
|
|
21
23
|
explains
|
|
@@ -33,6 +35,15 @@ function requestMatchesPrincipal(request, principal) {
|
|
|
33
35
|
explains
|
|
34
36
|
};
|
|
35
37
|
}
|
|
38
|
+
// If there was a match, ignoring the role session name, and the simulation mode is Discovery,
|
|
39
|
+
if (simulationParameters.simulationMode === 'Discovery' &&
|
|
40
|
+
analyses.some((any) => any.explain.matches === 'Match' && any.ignoredRoleSessionName)) {
|
|
41
|
+
return {
|
|
42
|
+
matches: 'Match',
|
|
43
|
+
explains,
|
|
44
|
+
ignoredRoleSessionName: true // This matched one role session, but it was ignored
|
|
45
|
+
};
|
|
46
|
+
}
|
|
36
47
|
if (explains.some((exp) => exp.matches === 'AccountLevelMatch')) {
|
|
37
48
|
return {
|
|
38
49
|
matches: 'AccountLevelMatch',
|
|
@@ -51,44 +62,38 @@ function requestMatchesPrincipal(request, principal) {
|
|
|
51
62
|
* @param notPrincipal the list of principals in the NotPrincipal element of the Statement
|
|
52
63
|
* @returns
|
|
53
64
|
*/
|
|
54
|
-
function requestMatchesNotPrincipal(request, notPrincipal) {
|
|
65
|
+
function requestMatchesNotPrincipal(request, notPrincipal, simulationParameters) {
|
|
55
66
|
// const matches = notPrincipal.map(principalStatement => requestMatchesPrincipalStatement(request, principalStatement))
|
|
56
|
-
const
|
|
57
|
-
const
|
|
67
|
+
const analyses = notPrincipal.map((principalStatement) => {
|
|
68
|
+
const analysis = requestMatchesPrincipalStatement(request, principalStatement, simulationParameters);
|
|
58
69
|
/**
|
|
59
70
|
* Need to do research on this. If there is an account level match on a NotPrincipal, does that
|
|
60
71
|
* mean it tentatively matches the NotPrincipal, or does it mean it does not match the NotPrincipal?
|
|
61
72
|
*
|
|
62
73
|
* We need to test this.
|
|
63
74
|
*/
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
explain.matches === '
|
|
67
|
-
explain.matches === '
|
|
68
|
-
explain.matches
|
|
75
|
+
// Invert the match result for NotPrincipal
|
|
76
|
+
if (analysis.explain.matches === 'Match' ||
|
|
77
|
+
analysis.explain.matches === 'AccountLevelMatch' ||
|
|
78
|
+
analysis.explain.matches === 'SessionRoleMatch' ||
|
|
79
|
+
analysis.explain.matches === 'SessionUserMatch') {
|
|
80
|
+
analysis.explain.matches = 'NoMatch';
|
|
69
81
|
}
|
|
70
82
|
else {
|
|
71
|
-
explain.matches = 'Match';
|
|
83
|
+
analysis.explain.matches = 'Match';
|
|
72
84
|
}
|
|
73
|
-
return
|
|
85
|
+
return analysis;
|
|
74
86
|
});
|
|
75
|
-
if (
|
|
87
|
+
if (analyses.some((exp) => exp.explain.matches === 'NoMatch')) {
|
|
76
88
|
return {
|
|
77
89
|
matches: 'NoMatch',
|
|
78
|
-
explains
|
|
90
|
+
explains: analyses.map((a) => a.explain)
|
|
79
91
|
};
|
|
80
92
|
}
|
|
81
93
|
return {
|
|
82
94
|
matches: 'Match',
|
|
83
|
-
explains
|
|
95
|
+
explains: analyses.map((a) => a.explain)
|
|
84
96
|
};
|
|
85
|
-
// if(matches.includes('Match')) {
|
|
86
|
-
// return 'NoMatch'
|
|
87
|
-
// }
|
|
88
|
-
// if(matches.includes('AccountLevelMatch')) {
|
|
89
|
-
// return 'NoMatch'
|
|
90
|
-
// }
|
|
91
|
-
// return 'Match'
|
|
92
97
|
}
|
|
93
98
|
/**
|
|
94
99
|
* Check to see if a request matches a principal statement
|
|
@@ -97,59 +102,77 @@ function requestMatchesNotPrincipal(request, notPrincipal) {
|
|
|
97
102
|
* @param principalStatement the principal statement to check the request against
|
|
98
103
|
* @returns if the request matches the principal statement, and if so, how it matches
|
|
99
104
|
*/
|
|
100
|
-
function requestMatchesPrincipalStatement(request, principalStatement) {
|
|
105
|
+
function requestMatchesPrincipalStatement(request, principalStatement, simulationParameters) {
|
|
101
106
|
if (principalStatement.isServicePrincipal()) {
|
|
102
107
|
if (principalStatement.service() === request.principal.value()) {
|
|
103
108
|
return {
|
|
104
|
-
|
|
105
|
-
|
|
109
|
+
explain: {
|
|
110
|
+
matches: 'Match',
|
|
111
|
+
principal: principalStatement.value()
|
|
112
|
+
}
|
|
106
113
|
};
|
|
107
114
|
}
|
|
108
115
|
return {
|
|
109
|
-
|
|
110
|
-
|
|
116
|
+
explain: {
|
|
117
|
+
matches: 'NoMatch',
|
|
118
|
+
principal: principalStatement.value()
|
|
119
|
+
}
|
|
111
120
|
};
|
|
112
121
|
}
|
|
113
122
|
if (principalStatement.isCanonicalUserPrincipal()) {
|
|
114
123
|
if (principalStatement.canonicalUser() === request.principal.value()) {
|
|
115
124
|
return {
|
|
116
|
-
|
|
117
|
-
|
|
125
|
+
explain: {
|
|
126
|
+
matches: 'Match',
|
|
127
|
+
principal: principalStatement.value()
|
|
128
|
+
}
|
|
118
129
|
};
|
|
119
130
|
}
|
|
120
131
|
return {
|
|
121
|
-
|
|
122
|
-
|
|
132
|
+
explain: {
|
|
133
|
+
matches: 'NoMatch',
|
|
134
|
+
principal: principalStatement.value()
|
|
135
|
+
}
|
|
123
136
|
};
|
|
124
137
|
}
|
|
125
138
|
if (principalStatement.isFederatedPrincipal()) {
|
|
126
139
|
if (principalStatement.federated() === request.principal.value()) {
|
|
127
140
|
return {
|
|
128
|
-
|
|
129
|
-
|
|
141
|
+
explain: {
|
|
142
|
+
matches: 'Match',
|
|
143
|
+
principal: principalStatement.value()
|
|
144
|
+
}
|
|
130
145
|
};
|
|
131
146
|
}
|
|
132
147
|
return {
|
|
133
|
-
|
|
134
|
-
|
|
148
|
+
explain: {
|
|
149
|
+
matches: 'NoMatch',
|
|
150
|
+
principal: principalStatement.value()
|
|
151
|
+
}
|
|
135
152
|
};
|
|
136
153
|
}
|
|
137
154
|
if (principalStatement.isWildcardPrincipal()) {
|
|
138
155
|
return {
|
|
139
|
-
|
|
140
|
-
|
|
156
|
+
explain: {
|
|
157
|
+
matches: 'Match',
|
|
158
|
+
principal: principalStatement.value()
|
|
159
|
+
}
|
|
141
160
|
};
|
|
142
161
|
}
|
|
143
162
|
if (principalStatement.isAccountPrincipal()) {
|
|
144
163
|
if (principalStatement.accountId() === request.principal.accountId()) {
|
|
145
164
|
return {
|
|
146
|
-
|
|
147
|
-
|
|
165
|
+
explain: {
|
|
166
|
+
matches: 'AccountLevelMatch',
|
|
167
|
+
principal: principalStatement.value()
|
|
168
|
+
}
|
|
148
169
|
};
|
|
149
170
|
}
|
|
150
171
|
return {
|
|
151
|
-
|
|
152
|
-
|
|
172
|
+
explain: {
|
|
173
|
+
matches: 'NoMatch',
|
|
174
|
+
principal: principalStatement.value()
|
|
175
|
+
}
|
|
153
176
|
};
|
|
154
177
|
}
|
|
155
178
|
if (principalStatement.isAwsPrincipal()) {
|
|
@@ -158,33 +181,69 @@ function requestMatchesPrincipalStatement(request, principalStatement) {
|
|
|
158
181
|
const roleArn = (0, iam_utils_1.convertAssumedRoleArnToRoleArn)(sessionArn);
|
|
159
182
|
if (principalStatement.arn() === roleArn) {
|
|
160
183
|
return {
|
|
161
|
-
|
|
162
|
-
|
|
163
|
-
|
|
184
|
+
explain: {
|
|
185
|
+
matches: 'SessionRoleMatch',
|
|
186
|
+
principal: principalStatement.value(),
|
|
187
|
+
roleForSessionArn: roleArn
|
|
188
|
+
}
|
|
164
189
|
};
|
|
165
190
|
}
|
|
166
191
|
}
|
|
167
192
|
else if ((0, iam_utils_1.isFederatedUserArn)(request.principal.value())) {
|
|
193
|
+
// TODO: This is wrong, have to receive the User ARN from the request
|
|
168
194
|
const sessionArn = request.principal.value();
|
|
169
195
|
const userArn = userArnFromFederatedUserArn(sessionArn);
|
|
170
196
|
if (principalStatement.arn() === userArn) {
|
|
171
197
|
return {
|
|
172
|
-
|
|
173
|
-
|
|
174
|
-
|
|
198
|
+
explain: {
|
|
199
|
+
matches: 'SessionUserMatch',
|
|
200
|
+
principal: principalStatement.value(),
|
|
201
|
+
userForSessionArn: userArn
|
|
202
|
+
}
|
|
175
203
|
};
|
|
176
204
|
}
|
|
177
205
|
}
|
|
178
206
|
if (principalStatement.arn() === request.principal.value()) {
|
|
179
207
|
return {
|
|
180
|
-
|
|
181
|
-
|
|
208
|
+
explain: {
|
|
209
|
+
matches: 'Match',
|
|
210
|
+
principal: principalStatement.value()
|
|
211
|
+
}
|
|
182
212
|
};
|
|
183
213
|
}
|
|
214
|
+
/*
|
|
215
|
+
If:
|
|
216
|
+
- The simulation mode is Discovery
|
|
217
|
+
- The principal in the statement is an assumed role ARN
|
|
218
|
+
- The principal in the request is a Role or assumed role ARN
|
|
219
|
+
- The base role ARN of the principal in the request matches the base role ARN in the statement
|
|
220
|
+
Then:
|
|
221
|
+
- Return a Match for the principal
|
|
222
|
+
- Indicate that the role session name was ignored for evaluation purposes
|
|
223
|
+
*/
|
|
224
|
+
if (simulationParameters.simulationMode === 'Discovery' &&
|
|
225
|
+
(0, iam_utils_1.isAssumedRoleArn)(principalStatement.arn())) {
|
|
226
|
+
const principalRoleArn = (0, iam_utils_1.convertAssumedRoleArnToRoleArn)(principalStatement.arn());
|
|
227
|
+
let requestRoleArn = request.principal.value();
|
|
228
|
+
if ((0, iam_utils_1.isAssumedRoleArn)(requestRoleArn)) {
|
|
229
|
+
requestRoleArn = (0, iam_utils_1.convertAssumedRoleArnToRoleArn)(requestRoleArn);
|
|
230
|
+
}
|
|
231
|
+
if (principalRoleArn === requestRoleArn) {
|
|
232
|
+
return {
|
|
233
|
+
explain: {
|
|
234
|
+
matches: 'Match',
|
|
235
|
+
principal: principalStatement.value()
|
|
236
|
+
},
|
|
237
|
+
ignoredRoleSessionName: true // This is a role session math with the session name ignored
|
|
238
|
+
};
|
|
239
|
+
}
|
|
240
|
+
}
|
|
184
241
|
}
|
|
185
242
|
return {
|
|
186
|
-
|
|
187
|
-
|
|
243
|
+
explain: {
|
|
244
|
+
matches: 'NoMatch',
|
|
245
|
+
principal: principalStatement.value()
|
|
246
|
+
}
|
|
188
247
|
};
|
|
189
248
|
}
|
|
190
249
|
/**
|
|
@@ -206,13 +265,13 @@ function userArnFromFederatedUserArn(federatedUserArn) {
|
|
|
206
265
|
* @param statement the statement to check against
|
|
207
266
|
* @returns true if the request matches the resources in the statement, false otherwise
|
|
208
267
|
*/
|
|
209
|
-
function requestMatchesStatementPrincipals(request, statement) {
|
|
268
|
+
function requestMatchesStatementPrincipals(request, statement, simulationParameters) {
|
|
210
269
|
if (statement.isPrincipalStatement()) {
|
|
211
|
-
const { matches, explains } = requestMatchesPrincipal(request, statement.principals());
|
|
212
|
-
return { matches, details: { principals: explains } };
|
|
270
|
+
const { matches, explains, ignoredRoleSessionName } = requestMatchesPrincipal(request, statement.principals(), simulationParameters);
|
|
271
|
+
return { matches, details: { principals: explains }, ignoredRoleSessionName };
|
|
213
272
|
}
|
|
214
273
|
else if (statement.isNotPrincipalStatement()) {
|
|
215
|
-
const { matches, explains } = requestMatchesNotPrincipal(request, statement.notPrincipals());
|
|
274
|
+
const { matches, explains } = requestMatchesNotPrincipal(request, statement.notPrincipals(), simulationParameters);
|
|
216
275
|
return { matches, details: { notPrincipals: explains } };
|
|
217
276
|
}
|
|
218
277
|
throw new Error('Statement should have Principal or NotPrincipal');
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"principal.js","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"principal.js","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":";;AA2CA,0DA4DC;AASD,gEA4CC;AASD,4EA6JC;AAQD,kEAKC;AASD,8EAyBC;AAhXD,wDAIiC;AA+BjC;;;;;;GAMG;AACH,SAAgB,uBAAuB,CACrC,OAAmB,EACnB,SAAsB,EACtB,oBAA0C;IAM1C,MAAM,QAAQ,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,kBAAkB,EAAE,EAAE,CACpD,gCAAgC,CAAC,OAAO,EAAE,kBAAkB,EAAE,oBAAoB,CAAC,CACpF,CAAA;IAED,MAAM,QAAQ,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAA;IAE/C,4EAA4E;IAC5E,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,KAAK,OAAO,IAAI,CAAC,IAAI,CAAC,sBAAsB,CAAC,EAAE,CAAC;QAC9F,OAAO;YACL,OAAO,EAAE,OAAO;YAChB,QAAQ;SACT,CAAA;IACH,CAAC;IAED,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,OAAO,KAAK,kBAAkB,CAAC,EAAE,CAAC;QAC/D,OAAO;YACL,OAAO,EAAE,kBAAkB;YAC3B,QAAQ;SACT,CAAA;IACH,CAAC;IAED,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,OAAO,KAAK,kBAAkB,CAAC,EAAE,CAAC;QAC/D,OAAO;YACL,OAAO,EAAE,kBAAkB;YAC3B,QAAQ;SACT,CAAA;IACH,CAAC;IAED,8FAA8F;IAC9F,IACE,oBAAoB,CAAC,cAAc,KAAK,WAAW;QACnD,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,KAAK,OAAO,IAAI,GAAG,CAAC,sBAAsB,CAAC,EACrF,CAAC;QACD,OAAO;YACL,OAAO,EAAE,OAAO;YAChB,QAAQ;YACR,sBAAsB,EAAE,IAAI,CAAC,oDAAoD;SAClF,CAAA;IACH,CAAC;IAED,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,OAAO,KAAK,mBAAmB,CAAC,EAAE,CAAC;QAChE,OAAO;YACL,OAAO,EAAE,mBAAmB;YAC5B,QAAQ;SACT,CAAA;IACH,CAAC;IAED,OAAO;QACL,OAAO,EAAE,SAAS;QAClB,QAAQ;KACT,CAAA;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,0BAA0B,CACxC,OAAmB,EACnB,YAAyB,EACzB,oBAA0C;IAE1C,wHAAwH;IACxH,MAAM,QAAQ,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,kBAAkB,EAAE,EAAE;QACvD,MAAM,QAAQ,GAAG,gCAAgC,CAC/C,OAAO,EACP,kBAAkB,EAClB,oBAAoB,CACrB,CAAA;QACD;;;;;WAKG;QAEH,2CAA2C;QAC3C,IACE,QAAQ,CAAC,OAAO,CAAC,OAAO,KAAK,OAAO;YACpC,QAAQ,CAAC,OAAO,CAAC,OAAO,KAAK,mBAAmB;YAChD,QAAQ,CAAC,OAAO,CAAC,OAAO,KAAK,kBAAkB;YAC/C,QAAQ,CAAC,OAAO,CAAC,OAAO,KAAK,kBAAkB,EAC/C,CAAC;YACD,QAAQ,CAAC,OAAO,CAAC,OAAO,GAAG,SAAS,CAAA;QACtC,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,OAAO,CAAC,OAAO,GAAG,OAAO,CAAA;QACpC,CAAC;QACD,OAAO,QAAQ,CAAA;IACjB,CAAC,CAAC,CAAA;IAEF,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,KAAK,SAAS,CAAC,EAAE,CAAC;QAC9D,OAAO;YACL,OAAO,EAAE,SAAS;YAClB,QAAQ,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;SACzC,CAAA;IACH,CAAC;IAED,OAAO;QACL,OAAO,EAAE,OAAO;QAChB,QAAQ,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;KACzC,CAAA;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,gCAAgC,CAC9C,OAAmB,EACnB,kBAA6B,EAC7B,oBAA0C;IAE1C,IAAI,kBAAkB,CAAC,kBAAkB,EAAE,EAAE,CAAC;QAC5C,IAAI,kBAAkB,CAAC,OAAO,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAC/D,OAAO;gBACL,OAAO,EAAE;oBACP,OAAO,EAAE,OAAO;oBAChB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;iBACtC;aACF,CAAA;QACH,CAAC;QACD,OAAO;YACL,OAAO,EAAE;gBACP,OAAO,EAAE,SAAS;gBAClB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;aACtC;SACF,CAAA;IACH,CAAC;IAED,IAAI,kBAAkB,CAAC,wBAAwB,EAAE,EAAE,CAAC;QAClD,IAAI,kBAAkB,CAAC,aAAa,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YACrE,OAAO;gBACL,OAAO,EAAE;oBACP,OAAO,EAAE,OAAO;oBAChB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;iBACtC;aACF,CAAA;QACH,CAAC;QACD,OAAO;YACL,OAAO,EAAE;gBACP,OAAO,EAAE,SAAS;gBAClB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;aACtC;SACF,CAAA;IACH,CAAC;IAED,IAAI,kBAAkB,CAAC,oBAAoB,EAAE,EAAE,CAAC;QAC9C,IAAI,kBAAkB,CAAC,SAAS,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YACjE,OAAO;gBACL,OAAO,EAAE;oBACP,OAAO,EAAE,OAAO;oBAChB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;iBACtC;aACF,CAAA;QACH,CAAC;QACD,OAAO;YACL,OAAO,EAAE;gBACP,OAAO,EAAE,SAAS;gBAClB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;aACtC;SACF,CAAA;IACH,CAAC;IAED,IAAI,kBAAkB,CAAC,mBAAmB,EAAE,EAAE,CAAC;QAC7C,OAAO;YACL,OAAO,EAAE;gBACP,OAAO,EAAE,OAAO;gBAChB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;aACtC;SACF,CAAA;IACH,CAAC;IAED,IAAI,kBAAkB,CAAC,kBAAkB,EAAE,EAAE,CAAC;QAC5C,IAAI,kBAAkB,CAAC,SAAS,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,CAAC;YACrE,OAAO;gBACL,OAAO,EAAE;oBACP,OAAO,EAAE,mBAAmB;oBAC5B,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;iBACtC;aACF,CAAA;QACH,CAAC;QACD,OAAO;YACL,OAAO,EAAE;gBACP,OAAO,EAAE,SAAS;gBAClB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;aACtC;SACF,CAAA;IACH,CAAC;IAED,IAAI,kBAAkB,CAAC,cAAc,EAAE,EAAE,CAAC;QACxC,IAAI,IAAA,4BAAgB,EAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC;YAChD,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;YAC5C,MAAM,OAAO,GAAG,IAAA,0CAA8B,EAAC,UAAU,CAAC,CAAA;YAC1D,IAAI,kBAAkB,CAAC,GAAG,EAAE,KAAK,OAAO,EAAE,CAAC;gBACzC,OAAO;oBACL,OAAO,EAAE;wBACP,OAAO,EAAE,kBAAkB;wBAC3B,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;wBACrC,iBAAiB,EAAE,OAAO;qBAC3B;iBACF,CAAA;YACH,CAAC;QACH,CAAC;aAAM,IAAI,IAAA,8BAAkB,EAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC;YACzD,qEAAqE;YACrE,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;YAC5C,MAAM,OAAO,GAAG,2BAA2B,CAAC,UAAU,CAAC,CAAA;YACvD,IAAI,kBAAkB,CAAC,GAAG,EAAE,KAAK,OAAO,EAAE,CAAC;gBACzC,OAAO;oBACL,OAAO,EAAE;wBACP,OAAO,EAAE,kBAAkB;wBAC3B,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;wBACrC,iBAAiB,EAAE,OAAO;qBAC3B;iBACF,CAAA;YACH,CAAC;QACH,CAAC;QAED,IAAI,kBAAkB,CAAC,GAAG,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAC3D,OAAO;gBACL,OAAO,EAAE;oBACP,OAAO,EAAE,OAAO;oBAChB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;iBACtC;aACF,CAAA;QACH,CAAC;QAED;;;;;;;;;UASE;QACF,IACE,oBAAoB,CAAC,cAAc,KAAK,WAAW;YACnD,IAAA,4BAAgB,EAAC,kBAAkB,CAAC,GAAG,EAAE,CAAC,EAC1C,CAAC;YACD,MAAM,gBAAgB,GAAG,IAAA,0CAA8B,EAAC,kBAAkB,CAAC,GAAG,EAAE,CAAC,CAAA;YACjF,IAAI,cAAc,GAAG,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;YAC9C,IAAI,IAAA,4BAAgB,EAAC,cAAc,CAAC,EAAE,CAAC;gBACrC,cAAc,GAAG,IAAA,0CAA8B,EAAC,cAAc,CAAC,CAAA;YACjE,CAAC;YAED,IAAI,gBAAgB,KAAK,cAAc,EAAE,CAAC;gBACxC,OAAO;oBACL,OAAO,EAAE;wBACP,OAAO,EAAE,OAAO;wBAChB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;qBACtC;oBACD,sBAAsB,EAAE,IAAI,CAAC,4DAA4D;iBAC1F,CAAA;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,OAAO,EAAE;YACP,OAAO,EAAE,SAAS;YAClB,SAAS,EAAE,kBAAkB,CAAC,KAAK,EAAE;SACtC;KACF,CAAA;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAgB,2BAA2B,CAAC,gBAAwB;IAClE,MAAM,QAAQ,GAAG,gBAAgB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC5C,MAAM,QAAQ,GAAG,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,CAAE,CAAA;IACjC,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAA;IAC1D,OAAO,gBAAgB,QAAQ,CAAC,CAAC,CAAC,SAAS,QAAQ,EAAE,CAAA;AACvD,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,iCAAiC,CAC/C,OAAmB,EACnB,SAAoB,EACpB,oBAA0C;IAM1C,IAAI,SAAS,CAAC,oBAAoB,EAAE,EAAE,CAAC;QACrC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,sBAAsB,EAAE,GAAG,uBAAuB,CAC3E,OAAO,EACP,SAAS,CAAC,UAAU,EAAE,EACtB,oBAAoB,CACrB,CAAA;QACD,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,EAAE,UAAU,EAAE,QAAQ,EAAE,EAAE,sBAAsB,EAAE,CAAA;IAC/E,CAAC;SAAM,IAAI,SAAS,CAAC,uBAAuB,EAAE,EAAE,CAAC;QAC/C,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,0BAA0B,CACtD,OAAO,EACP,SAAS,CAAC,aAAa,EAAE,EACzB,oBAAoB,CACrB,CAAA;QACD,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,EAAE,aAAa,EAAE,QAAQ,EAAE,EAAE,CAAA;IAC1D,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAA;AACpE,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAOA,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AAClE,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAA;AAC/D,OAAO,EAAE,2BAA2B,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAEvF;;GAEG;AACH,qBAAa,wBAAyB,YAAW,iBAAiB;IAChE;;;;;OAKG;IACI,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe;IAwMvE;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAW,EAAE,OAAO,EACpB,gBAAgB,EAAE,gBAAgB,EAClC,QAAQ,EAAE,eAAe,GACxB,OAAO;CASX"}
|
|
@@ -87,6 +87,15 @@ class DefaultServiceAuthorizer {
|
|
|
87
87
|
*/
|
|
88
88
|
if (resourcePolicyResult === 'Allowed') {
|
|
89
89
|
const principal = request.request.principal.value();
|
|
90
|
+
if ((0, iam_utils_1.isIamRoleArn)(principal) &&
|
|
91
|
+
request.simulationParameters.simulationMode === 'Discovery') {
|
|
92
|
+
if (request.resourceAnalysis.allowStatements.some((statement) => statement.principalMatch === 'Match' && statement.ignoredRoleSessionName)) {
|
|
93
|
+
return {
|
|
94
|
+
result: 'Allowed',
|
|
95
|
+
...baseResult
|
|
96
|
+
};
|
|
97
|
+
}
|
|
98
|
+
}
|
|
90
99
|
if ((0, iam_utils_1.isAssumedRoleArn)(principal) ||
|
|
91
100
|
(0, iam_utils_1.isIamUserArn)(principal) ||
|
|
92
101
|
(0, iam_utils_1.isFederatedUserArn)(principal)) {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":";;;AAAA,
|
|
1
|
+
{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":";;;AAAA,wDAMiC;AAKjC;;GAEG;AACH,MAAa,wBAAwB;IACnC;;;;;OAKG;IACI,SAAS,CAAC,OAAoC;QACnD,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAA;QAC5C,MAAM,uBAAuB,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAA;QAC/D,MAAM,oBAAoB,GAAG,OAAO,CAAC,gBAAgB,EAAE,MAAM,CAAA;QAC7D,MAAM,wBAAwB,GAAG,OAAO,CAAC,0BAA0B,EAAE,MAAM,CAAA;QAE3E,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;QAC7D,MAAM,WAAW,GAAG,gBAAgB,KAAK,eAAe,CAAA;QAExD,MAAM,UAAU,GAQZ;YACF,WAAW;YACX,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,0BAA0B,EAAE,OAAO,CAAC,0BAA0B;SAC/D,CAAA;QAED,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IACE,oBAAoB,KAAK,kBAAkB;YAC3C,oBAAoB,KAAK,kBAAkB,EAC3C,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,uBAAuB,KAAK,kBAAkB,EAAE,CAAC;YACnD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACpD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,qBAAqB;QACrB,IAAI,IAAA,8BAAkB,EAAC,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC;YAC1D,oEAAoE;YACpE,IAAI,oBAAoB,KAAK,SAAS,EAAE,CAAC;gBACvC,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,cAAc;QACd,IAAI,gBAAgB,KAAK,eAAe,EAAE,CAAC;YACzC,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;gBACpD;;;;;;;mBAOG;gBACH,IAAI,oBAAoB,KAAK,SAAS,EAAE,CAAC;oBACvC,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;oBACnD,IACE,IAAA,wBAAY,EAAC,SAAS,CAAC;wBACvB,OAAO,CAAC,oBAAoB,CAAC,cAAc,KAAK,WAAW,EAC3D,CAAC;wBACD,IACE,OAAO,CAAC,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC3C,CAAC,SAAS,EAAE,EAAE,CACZ,SAAS,CAAC,cAAc,KAAK,OAAO,IAAI,SAAS,CAAC,sBAAsB,CAC3E,EACD,CAAC;4BACD,OAAO;gCACL,MAAM,EAAE,SAAS;gCACjB,GAAG,UAAU;6BACd,CAAA;wBACH,CAAC;oBACH,CAAC;oBAED,IACE,IAAA,4BAAgB,EAAC,SAAS,CAAC;wBAC3B,IAAA,wBAAY,EAAC,SAAS,CAAC;wBACvB,IAAA,8BAAkB,EAAC,SAAS,CAAC,EAC7B,CAAC;wBACD,IACE,OAAO,CAAC,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC3C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,OAAO,CACpD,EACD,CAAC;4BACD,OAAO;gCACL,MAAM,EAAE,SAAS;gCACjB,GAAG,UAAU;6BACd,CAAA;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;gBACD,OAAO;oBACL,MAAM,EAAE,kBAAkB;oBAC1B,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YAED;;;;;;;;cAQE;YAEF,MAAM,cAAc,GAAG,IAAI,CAAC,6BAA6B,CACvD,WAAW,EACX,OAAO,CAAC,gBAAgB,EACxB,OAAO,CAAC,OAAO,CAAC,QAAQ,CACzB,CAAA;YACD,IACE,oBAAoB,KAAK,SAAS;gBAClC,CAAC,cAAc,IAAI,uBAAuB,KAAK,SAAS,CAAC,EACzD,CAAC;gBACD,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,eAAe;QACf,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACpD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,IAAI,oBAAoB,KAAK,SAAS,IAAI,oBAAoB,KAAK,mBAAmB,EAAE,CAAC;YACvF,IAAI,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBAC1C,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,GAAG,UAAU;iBACd,CAAA;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,OAAO;YACL,MAAM,EAAE,kBAAkB;YAC1B,GAAG,UAAU;SACd,CAAA;QAED;;;;;;;WAOG;IACL,CAAC;IAED;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAoB,EACpB,gBAAkC,EAClC,QAAyB;QAEzB,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,IAAI,CAAA;QACb,CAAC;QAED,OAAO,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAC1C,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,cAAc,KAAK,mBAAmB,CAChE,CAAA;IACH,CAAC;CACF;AAnOD,4DAmOC"}
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
import { SimulationParameters } from '../core_engine/CoreSimulatorEngine.js';
|
|
1
2
|
import { IdentityAnalysis, RcpAnalysis, RequestAnalysis, ResourceAnalysis, ScpAnalysis } from '../evaluate.js';
|
|
2
3
|
import { AwsRequest } from '../request/request.js';
|
|
3
4
|
export interface ServiceAuthorizationRequest {
|
|
@@ -7,6 +8,7 @@ export interface ServiceAuthorizationRequest {
|
|
|
7
8
|
resourceAnalysis: ResourceAnalysis;
|
|
8
9
|
rcpAnalysis: RcpAnalysis;
|
|
9
10
|
permissionBoundaryAnalysis: IdentityAnalysis | undefined;
|
|
11
|
+
simulationParameters: SimulationParameters;
|
|
10
12
|
}
|
|
11
13
|
export interface ServiceAuthorizer {
|
|
12
14
|
authorize(request: ServiceAuthorizationRequest): RequestAnalysis;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/ServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAChB,WAAW,EACX,eAAe,EACf,gBAAgB,EAChB,WAAW,EACZ,MAAM,gBAAgB,CAAA;AACvB,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAA;AAElD,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,UAAU,CAAA;IACnB,gBAAgB,EAAE,gBAAgB,CAAA;IAClC,WAAW,EAAE,WAAW,CAAA;IACxB,gBAAgB,EAAE,gBAAgB,CAAA;IAClC,WAAW,EAAE,WAAW,CAAA;IACxB,0BAA0B,EAAE,gBAAgB,GAAG,SAAS,CAAA;
|
|
1
|
+
{"version":3,"file":"ServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/ServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,uCAAuC,CAAA;AAC5E,OAAO,EACL,gBAAgB,EAChB,WAAW,EACX,eAAe,EACf,gBAAgB,EAChB,WAAW,EACZ,MAAM,gBAAgB,CAAA;AACvB,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAA;AAElD,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,UAAU,CAAA;IACnB,gBAAgB,EAAE,gBAAgB,CAAA;IAClC,WAAW,EAAE,WAAW,CAAA;IACxB,gBAAgB,EAAE,gBAAgB,CAAA;IAClC,WAAW,EAAE,WAAW,CAAA;IACxB,0BAA0B,EAAE,gBAAgB,GAAG,SAAS,CAAA;IACxD,oBAAoB,EAAE,oBAAoB,CAAA;CAC3C;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe,CAAA;CACjE"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"simulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":"AACA,OAAO,EAOL,eAAe,EAChB,MAAM,2BAA2B,CAAA;
|
|
1
|
+
{"version":3,"file":"simulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":"AACA,OAAO,EAOL,eAAe,EAChB,MAAM,2BAA2B,CAAA;AASlC,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAA;AAKhD,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAA;AAC5C,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAiB1D,MAAM,WAAW,gBAAgB;IAC/B,oBAAoB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAA;IACxD,0BAA0B,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAA;IAC9D,2BAA2B,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAA;IAC/D,wBAAwB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAA;IAC5D,oBAAoB,CAAC,EAAE,eAAe,EAAE,CAAA;IACxC,OAAO,EAAE,MAAM,CAAA;CAChB;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,CAAC,EAAE,gBAAgB,CAAA;IACzB,QAAQ,CAAC,EAAE,eAAe,CAAA;IAE1B;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB;;;;;;;;OAQG;IACH,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAA;CAC9B;AAED;;;;;;GAMG;AACH,wBAAsB,aAAa,CACjC,UAAU,EAAE,UAAU,EACtB,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAC5C,OAAO,CAAC,gBAAgB,CAAC,CAkM3B;AAED,wBAAsB,6BAA6B,CAAC,UAAU,EAAE,UAAU,GAAG,OAAO,CAAC;IACnF,kBAAkB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAA;IACrD,kBAAkB,EAAE,MAAM,EAAE,CAAA;CAC7B,CAAC,CAoCD"}
|
|
@@ -177,6 +177,12 @@ async function runSimulation(simulation, simulationOptions) {
|
|
|
177
177
|
}
|
|
178
178
|
}
|
|
179
179
|
const { validContextValues, ignoredContextKeys } = await normalizeSimulationParameters(simulation);
|
|
180
|
+
const simulationMode = CoreSimulatorEngine_js_1.validSimulationModes.includes(simulationOptions.simulationMode)
|
|
181
|
+
? simulationOptions.simulationMode
|
|
182
|
+
: 'Strict';
|
|
183
|
+
const strictConditionKeys = simulationMode === 'Discovery'
|
|
184
|
+
? new Set(simulationOptions.strictConditionKeys?.map((k) => k.toLowerCase()) || [])
|
|
185
|
+
: new Set();
|
|
180
186
|
const simulationResult = (0, CoreSimulatorEngine_js_1.authorize)({
|
|
181
187
|
request: new request_js_1.AwsRequestImpl(simulation.request.principal, {
|
|
182
188
|
resource: simulation.request.resource.resource,
|
|
@@ -186,7 +192,11 @@ async function runSimulation(simulation, simulationOptions) {
|
|
|
186
192
|
serviceControlPolicies,
|
|
187
193
|
resourceControlPolicies,
|
|
188
194
|
resourcePolicy,
|
|
189
|
-
permissionBoundaries
|
|
195
|
+
permissionBoundaries,
|
|
196
|
+
simulationParameters: {
|
|
197
|
+
simulationMode: simulationMode,
|
|
198
|
+
strictConditionKeys: strictConditionKeys
|
|
199
|
+
}
|
|
190
200
|
});
|
|
191
201
|
return {
|
|
192
202
|
analysis: simulationResult,
|