@cloud-copilot/iam-simulate 0.1.5 → 0.1.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/ConditionKeys.d.ts +19 -0
- package/dist/cjs/ConditionKeys.d.ts.map +1 -0
- package/dist/cjs/ConditionKeys.js +27 -0
- package/dist/cjs/ConditionKeys.js.map +1 -0
- package/dist/cjs/SCPAnalysis.d.ts +6 -0
- package/dist/cjs/SCPAnalysis.d.ts.map +1 -0
- package/dist/cjs/SCPAnalysis.js +3 -0
- package/dist/cjs/SCPAnalysis.js.map +1 -0
- package/dist/cjs/context_keys/findContextKeys.d.ts +19 -0
- package/dist/cjs/context_keys/findContextKeys.d.ts.map +1 -0
- package/dist/cjs/context_keys/findContextKeys.js +57 -0
- package/dist/cjs/context_keys/findContextKeys.js.map +1 -0
- package/dist/cjs/core_engine/coreSimulatorEngine.d.ts +39 -0
- package/dist/cjs/core_engine/coreSimulatorEngine.d.ts.map +1 -1
- package/dist/cjs/core_engine/coreSimulatorEngine.js +56 -0
- package/dist/cjs/core_engine/coreSimulatorEngine.js.map +1 -1
- package/dist/cjs/evaluate.d.ts +1 -0
- package/dist/cjs/evaluate.d.ts.map +1 -1
- package/dist/cjs/global_conditions/globalConditionKeys.d.ts +9 -1
- package/dist/cjs/global_conditions/globalConditionKeys.d.ts.map +1 -1
- package/dist/cjs/global_conditions/globalConditionKeys.js +78 -50
- package/dist/cjs/global_conditions/globalConditionKeys.js.map +1 -1
- package/dist/cjs/index.d.ts +4 -0
- package/dist/cjs/index.d.ts.map +1 -1
- package/dist/cjs/index.js +10 -1
- package/dist/cjs/index.js.map +1 -1
- package/dist/cjs/principal/principal.d.ts +9 -1
- package/dist/cjs/principal/principal.d.ts.map +1 -1
- package/dist/cjs/principal/principal.js +17 -0
- package/dist/cjs/principal/principal.js.map +1 -1
- package/dist/cjs/request/requestPrincipal.d.ts.map +1 -1
- package/dist/cjs/request/requestPrincipal.js.map +1 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.d.ts +30 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.d.ts.map +1 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.js +93 -7
- package/dist/cjs/services/DefaultServiceAuthorizer.js.map +1 -1
- package/dist/cjs/services/ServiceAuthorizer.d.ts +3 -0
- package/dist/cjs/services/ServiceAuthorizer.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/contextKeys.d.ts +9 -1
- package/dist/cjs/simulation_engine/contextKeys.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/contextKeys.js +27 -40
- package/dist/cjs/simulation_engine/contextKeys.js.map +1 -1
- package/dist/cjs/simulation_engine/simulation.d.ts +12 -1
- package/dist/cjs/simulation_engine/simulation.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/simulationEngine.d.ts +15 -0
- package/dist/cjs/simulation_engine/simulationEngine.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/simulationEngine.js +126 -15
- package/dist/cjs/simulation_engine/simulationEngine.js.map +1 -1
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.d.ts +1 -1
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.js +13 -4
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.js.map +1 -1
- package/dist/cjs/util.d.ts +69 -0
- package/dist/cjs/util.d.ts.map +1 -1
- package/dist/cjs/util.js +166 -0
- package/dist/cjs/util.js.map +1 -1
- package/dist/esm/ConditionKeys.d.ts +19 -0
- package/dist/esm/ConditionKeys.d.ts.map +1 -0
- package/dist/esm/ConditionKeys.js +23 -0
- package/dist/esm/ConditionKeys.js.map +1 -0
- package/dist/esm/SCPAnalysis.d.ts +6 -0
- package/dist/esm/SCPAnalysis.d.ts.map +1 -0
- package/dist/esm/SCPAnalysis.js +2 -0
- package/dist/esm/SCPAnalysis.js.map +1 -0
- package/dist/esm/context_keys/findContextKeys.d.ts +19 -0
- package/dist/esm/context_keys/findContextKeys.d.ts.map +1 -0
- package/dist/esm/context_keys/findContextKeys.js +53 -0
- package/dist/esm/context_keys/findContextKeys.js.map +1 -0
- package/dist/esm/core_engine/coreSimulatorEngine.d.ts +39 -0
- package/dist/esm/core_engine/coreSimulatorEngine.d.ts.map +1 -1
- package/dist/esm/core_engine/coreSimulatorEngine.js +54 -0
- package/dist/esm/core_engine/coreSimulatorEngine.js.map +1 -1
- package/dist/esm/evaluate.d.ts +1 -0
- package/dist/esm/evaluate.d.ts.map +1 -1
- package/dist/esm/global_conditions/globalConditionKeys.d.ts +9 -1
- package/dist/esm/global_conditions/globalConditionKeys.d.ts.map +1 -1
- package/dist/esm/global_conditions/globalConditionKeys.js +76 -50
- package/dist/esm/global_conditions/globalConditionKeys.js.map +1 -1
- package/dist/esm/index.d.ts +4 -0
- package/dist/esm/index.d.ts.map +1 -1
- package/dist/esm/index.js +4 -0
- package/dist/esm/index.js.map +1 -1
- package/dist/esm/principal/principal.d.ts +9 -1
- package/dist/esm/principal/principal.d.ts.map +1 -1
- package/dist/esm/principal/principal.js +16 -0
- package/dist/esm/principal/principal.js.map +1 -1
- package/dist/esm/request/requestPrincipal.d.ts.map +1 -1
- package/dist/esm/request/requestPrincipal.js.map +1 -1
- package/dist/esm/services/DefaultServiceAuthorizer.d.ts +30 -1
- package/dist/esm/services/DefaultServiceAuthorizer.d.ts.map +1 -1
- package/dist/esm/services/DefaultServiceAuthorizer.js +93 -7
- package/dist/esm/services/DefaultServiceAuthorizer.js.map +1 -1
- package/dist/esm/services/ServiceAuthorizer.d.ts +3 -0
- package/dist/esm/services/ServiceAuthorizer.d.ts.map +1 -1
- package/dist/esm/simulation_engine/contextKeys.d.ts +9 -1
- package/dist/esm/simulation_engine/contextKeys.d.ts.map +1 -1
- package/dist/esm/simulation_engine/contextKeys.js +28 -40
- package/dist/esm/simulation_engine/contextKeys.js.map +1 -1
- package/dist/esm/simulation_engine/simulation.d.ts +12 -1
- package/dist/esm/simulation_engine/simulation.d.ts.map +1 -1
- package/dist/esm/simulation_engine/simulationEngine.d.ts +15 -0
- package/dist/esm/simulation_engine/simulationEngine.d.ts.map +1 -1
- package/dist/esm/simulation_engine/simulationEngine.js +126 -16
- package/dist/esm/simulation_engine/simulationEngine.js.map +1 -1
- package/dist/esm/simulation_engine/unsafeSimulationEngine.d.ts +1 -1
- package/dist/esm/simulation_engine/unsafeSimulationEngine.d.ts.map +1 -1
- package/dist/esm/simulation_engine/unsafeSimulationEngine.js +13 -4
- package/dist/esm/simulation_engine/unsafeSimulationEngine.js.map +1 -1
- package/dist/esm/util.d.ts +69 -0
- package/dist/esm/util.d.ts.map +1 -1
- package/dist/esm/util.js +158 -0
- package/dist/esm/util.js.map +1 -1
- package/package.json +1 -1
|
@@ -0,0 +1,19 @@
|
|
|
1
|
+
export type BaseConditionKeyType = 'String' | 'ARN' | 'Numeric' | 'Bool' | 'Date' | 'IPAddress' | 'Binary';
|
|
2
|
+
export type ArrayConditionKeyType = `ArrayOf${BaseConditionKeyType}`;
|
|
3
|
+
export type ConditionKeyType = BaseConditionKeyType | ArrayConditionKeyType;
|
|
4
|
+
/**
|
|
5
|
+
* Check if a condition key is an array types
|
|
6
|
+
*
|
|
7
|
+
* @param key the condition key type to check
|
|
8
|
+
* @returns true if the key is an array type, otherwise false
|
|
9
|
+
*/
|
|
10
|
+
export declare function isConditionKeyArray(key: ConditionKeyType): key is ArrayConditionKeyType;
|
|
11
|
+
/**
|
|
12
|
+
* Get the BaseConditionKeyType from an ArrayConditionKeyType
|
|
13
|
+
*
|
|
14
|
+
* @param key the ArrayConditionKeyType to get the base type from
|
|
15
|
+
* @returns the base type of the array key
|
|
16
|
+
* @throws if the key is not an array type
|
|
17
|
+
*/
|
|
18
|
+
export declare function getBaseConditionKeyType(key: ArrayConditionKeyType): BaseConditionKeyType;
|
|
19
|
+
//# sourceMappingURL=ConditionKeys.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"ConditionKeys.d.ts","sourceRoot":"","sources":["../../src/ConditionKeys.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,oBAAoB,GAAG,QAAQ,GAAG,KAAK,GAAG,SAAS,GAAG,MAAM,GAAG,MAAM,GAAG,WAAW,GAAG,QAAQ,CAAA;AAC1G,MAAM,MAAM,qBAAqB,GAAG,UAAU,oBAAoB,EAAE,CAAA;AACpE,MAAM,MAAM,gBAAgB,GAAG,oBAAoB,GAAG,qBAAqB,CAAA;AAE3E;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,gBAAgB,GAAG,GAAG,IAAI,qBAAqB,CAEvF;AAED;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,GAAG,EAAE,qBAAqB,GAAG,oBAAoB,CAKxF"}
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.isConditionKeyArray = isConditionKeyArray;
|
|
4
|
+
exports.getBaseConditionKeyType = getBaseConditionKeyType;
|
|
5
|
+
/**
|
|
6
|
+
* Check if a condition key is an array types
|
|
7
|
+
*
|
|
8
|
+
* @param key the condition key type to check
|
|
9
|
+
* @returns true if the key is an array type, otherwise false
|
|
10
|
+
*/
|
|
11
|
+
function isConditionKeyArray(key) {
|
|
12
|
+
return key.startsWith('ArrayOf');
|
|
13
|
+
}
|
|
14
|
+
/**
|
|
15
|
+
* Get the BaseConditionKeyType from an ArrayConditionKeyType
|
|
16
|
+
*
|
|
17
|
+
* @param key the ArrayConditionKeyType to get the base type from
|
|
18
|
+
* @returns the base type of the array key
|
|
19
|
+
* @throws if the key is not an array type
|
|
20
|
+
*/
|
|
21
|
+
function getBaseConditionKeyType(key) {
|
|
22
|
+
if (!isConditionKeyArray(key)) {
|
|
23
|
+
throw new Error(`Expected ArrayConditionType, got ${key}`);
|
|
24
|
+
}
|
|
25
|
+
return key.slice(7);
|
|
26
|
+
}
|
|
27
|
+
//# sourceMappingURL=ConditionKeys.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"ConditionKeys.js","sourceRoot":"","sources":["../../src/ConditionKeys.ts"],"names":[],"mappings":";;AAUA,kDAEC;AASD,0DAKC;AAtBD;;;;;GAKG;AACH,SAAgB,mBAAmB,CAAC,GAAqB;IACvD,OAAO,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC,CAAA;AAClC,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,uBAAuB,CAAC,GAA0B;IAChE,IAAG,CAAC,mBAAmB,CAAC,GAAG,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,oCAAoC,GAAG,EAAE,CAAC,CAAA;IAC5D,CAAC;IACD,OAAO,GAAG,CAAC,KAAK,CAAC,CAAC,CAAyB,CAAA;AAC7C,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"SCPAnalysis.d.ts","sourceRoot":"","sources":["../../src/SCPAnalysis.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAE3D,MAAM,WAAW,WAAW;IAC1B,aAAa,EAAE,MAAM,CAAC;IACtB,iBAAiB,EAAE,iBAAiB,EAAE,CAAC;CACxC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"SCPAnalysis.js","sourceRoot":"","sources":["../../src/SCPAnalysis.ts"],"names":[],"mappings":""}
|
|
@@ -0,0 +1,19 @@
|
|
|
1
|
+
import { Policy } from "@cloud-copilot/iam-policy";
|
|
2
|
+
/**
|
|
3
|
+
* Find all the context keys in a list of policies
|
|
4
|
+
*
|
|
5
|
+
* @param policies - The list of policies to search
|
|
6
|
+
* @returns The list of valid and invalid context keys found in the policies
|
|
7
|
+
*/
|
|
8
|
+
export declare function findContextKeys(policies: Policy[]): Promise<{
|
|
9
|
+
validKeys: string[];
|
|
10
|
+
invalidKeys: string[];
|
|
11
|
+
}>;
|
|
12
|
+
/**
|
|
13
|
+
* Get the context variables used in a policy
|
|
14
|
+
*
|
|
15
|
+
* @param policy - The policy to extract variables from
|
|
16
|
+
* @returns The list of variables used in the policy
|
|
17
|
+
*/
|
|
18
|
+
export declare function getContextKeysFromPolicy(policy: Policy): string[];
|
|
19
|
+
//# sourceMappingURL=findContextKeys.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"findContextKeys.d.ts","sourceRoot":"","sources":["../../../src/context_keys/findContextKeys.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,2BAA2B,CAAC;AAGnD;;;;;GAKG;AACH,wBAAsB,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC;IAAE,SAAS,EAAE,MAAM,EAAE,CAAC;IAAC,WAAW,EAAE,MAAM,EAAE,CAAA;CAAE,CAAC,CAqBjH;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAiBjE"}
|
|
@@ -0,0 +1,57 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.findContextKeys = findContextKeys;
|
|
4
|
+
exports.getContextKeysFromPolicy = getContextKeysFromPolicy;
|
|
5
|
+
const util_js_1 = require("../util.js");
|
|
6
|
+
/**
|
|
7
|
+
* Find all the context keys in a list of policies
|
|
8
|
+
*
|
|
9
|
+
* @param policies - The list of policies to search
|
|
10
|
+
* @returns The list of valid and invalid context keys found in the policies
|
|
11
|
+
*/
|
|
12
|
+
async function findContextKeys(policies) {
|
|
13
|
+
const rawKeys = new Set();
|
|
14
|
+
for (const policy of policies) {
|
|
15
|
+
getContextKeysFromPolicy(policy).forEach(v => rawKeys.add(v));
|
|
16
|
+
}
|
|
17
|
+
const validKeys = new Set();
|
|
18
|
+
const invalidKeys = new Set();
|
|
19
|
+
for (const key of rawKeys) {
|
|
20
|
+
const valid = await (0, util_js_1.isActualContextKey)(key);
|
|
21
|
+
if (valid) {
|
|
22
|
+
const normalizedKey = await (0, util_js_1.normalizeContextKeyCase)(key);
|
|
23
|
+
validKeys.add(normalizedKey);
|
|
24
|
+
}
|
|
25
|
+
else {
|
|
26
|
+
invalidKeys.add(key);
|
|
27
|
+
}
|
|
28
|
+
}
|
|
29
|
+
return {
|
|
30
|
+
validKeys: Array.from(validKeys),
|
|
31
|
+
invalidKeys: Array.from(invalidKeys)
|
|
32
|
+
};
|
|
33
|
+
}
|
|
34
|
+
/**
|
|
35
|
+
* Get the context variables used in a policy
|
|
36
|
+
*
|
|
37
|
+
* @param policy - The policy to extract variables from
|
|
38
|
+
* @returns The list of variables used in the policy
|
|
39
|
+
*/
|
|
40
|
+
function getContextKeysFromPolicy(policy) {
|
|
41
|
+
const variables = [];
|
|
42
|
+
for (const statement of policy.statements()) {
|
|
43
|
+
if (statement.isResourceStatement()) {
|
|
44
|
+
statement.resources().forEach(r => {
|
|
45
|
+
variables.push(...(0, util_js_1.getVariablesFromString)(r.value()));
|
|
46
|
+
});
|
|
47
|
+
for (const condition of statement.conditions()) {
|
|
48
|
+
variables.push(condition.conditionKey());
|
|
49
|
+
condition.conditionValues().forEach(v => {
|
|
50
|
+
variables.push(...(0, util_js_1.getVariablesFromString)(v));
|
|
51
|
+
});
|
|
52
|
+
}
|
|
53
|
+
}
|
|
54
|
+
}
|
|
55
|
+
return variables;
|
|
56
|
+
}
|
|
57
|
+
//# sourceMappingURL=findContextKeys.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"findContextKeys.js","sourceRoot":"","sources":["../../../src/context_keys/findContextKeys.ts"],"names":[],"mappings":";;AASA,0CAqBC;AAQD,4DAiBC;AAtDD,wCAAiG;AAEjG;;;;;GAKG;AACI,KAAK,UAAU,eAAe,CAAC,QAAkB;IACtD,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;IAClC,KAAI,MAAM,MAAM,IAAI,QAAQ,EAAE,CAAC;QAC7B,wBAAwB,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAChE,CAAC;IACD,MAAM,SAAS,GAAG,IAAI,GAAG,EAAU,CAAC;IACpC,MAAM,WAAW,GAAG,IAAI,GAAG,EAAU,CAAC;IACtC,KAAI,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;QACzB,MAAM,KAAK,GAAG,MAAM,IAAA,4BAAkB,EAAC,GAAG,CAAC,CAAC;QAC5C,IAAG,KAAK,EAAE,CAAC;YACT,MAAM,aAAa,GAAG,MAAM,IAAA,iCAAuB,EAAC,GAAG,CAAC,CAAC;YACzD,SAAS,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;QAC/B,CAAC;aAAM,CAAC;YACN,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IAED,OAAO;QACL,SAAS,EAAE,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC;QAChC,WAAW,EAAE,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC;KACrC,CAAA;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAgB,wBAAwB,CAAC,MAAc;IACrD,MAAM,SAAS,GAAa,EAAE,CAAA;IAC9B,KAAI,MAAM,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;QAC3C,IAAG,SAAS,CAAC,mBAAmB,EAAE,EAAE,CAAC;YACnC,SAAS,CAAC,SAAS,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE;gBAChC,SAAS,CAAC,IAAI,CAAC,GAAG,IAAA,gCAAsB,EAAC,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,CAAA;YACtD,CAAC,CAAC,CAAA;YACF,KAAI,MAAM,SAAS,IAAI,SAAS,CAAC,UAAU,EAAE,EAAE,CAAC;gBAC9C,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,CAAC,CAAC;gBACzC,SAAS,CAAC,eAAe,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE;oBACtC,SAAS,CAAC,IAAI,CAAC,GAAG,IAAA,gCAAsB,EAAC,CAAC,CAAC,CAAC,CAAC;gBAC/C,CAAC,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC"}
|
|
@@ -1,8 +1,22 @@
|
|
|
1
1
|
import { Policy } from "@cloud-copilot/iam-policy";
|
|
2
2
|
import { EvaluationResult } from "../evaluate.js";
|
|
3
3
|
import { AwsRequest } from "../request/request.js";
|
|
4
|
+
import { SCPAnalysis } from "../SCPAnalysis.js";
|
|
4
5
|
import { ServiceAuthorizer } from "../services/ServiceAuthorizer.js";
|
|
5
6
|
import { StatementAnalysis } from "../StatementAnalysis.js";
|
|
7
|
+
/**
|
|
8
|
+
* A set of service control policies for each level of an organization tree
|
|
9
|
+
*/
|
|
10
|
+
export interface ServiceControlPolicies {
|
|
11
|
+
/**
|
|
12
|
+
* The organization identifier for the organizational unit these policies apply to.
|
|
13
|
+
*/
|
|
14
|
+
orgIdentifier: string;
|
|
15
|
+
/**
|
|
16
|
+
* The policies that apply to this organizational unit.
|
|
17
|
+
*/
|
|
18
|
+
policies: Policy[];
|
|
19
|
+
}
|
|
6
20
|
/**
|
|
7
21
|
* A reqest to authorize a service action.
|
|
8
22
|
*/
|
|
@@ -15,6 +29,15 @@ export interface AuthorizationRequest {
|
|
|
15
29
|
* The identity policies that are applicable to the principal making the request.
|
|
16
30
|
*/
|
|
17
31
|
identityPolicies: Policy[];
|
|
32
|
+
/**
|
|
33
|
+
* The service control policies that apply to the principal making the request. In
|
|
34
|
+
* order of the orgnaization hierarchy. So the root ou SCPS should be first.
|
|
35
|
+
*/
|
|
36
|
+
serviceControlPolicies: ServiceControlPolicies[];
|
|
37
|
+
/**
|
|
38
|
+
* The resource policy that applies to the resource being accessed.
|
|
39
|
+
*/
|
|
40
|
+
resourcePolicy: Policy | undefined;
|
|
18
41
|
}
|
|
19
42
|
/**
|
|
20
43
|
* Authorizes a request.
|
|
@@ -41,4 +64,20 @@ export declare function getServiceAuthorizer(request: AuthorizationRequest): Ser
|
|
|
41
64
|
* @returns an array of statement analysis results
|
|
42
65
|
*/
|
|
43
66
|
export declare function analyzeIdentityPolicies(identityPolicies: Policy[], request: AwsRequest): StatementAnalysis[];
|
|
67
|
+
/**
|
|
68
|
+
* Analyzes a set of service control policies and the statements within them.
|
|
69
|
+
*
|
|
70
|
+
* @param serviceControlPolicies the service control policies to analyze
|
|
71
|
+
* @param request the request to analyze against
|
|
72
|
+
* @returns an array of SCP analysis results
|
|
73
|
+
*/
|
|
74
|
+
export declare function analyzeServiceControlPolicies(serviceControlPolicies: ServiceControlPolicies[], request: AwsRequest): SCPAnalysis[];
|
|
75
|
+
/**
|
|
76
|
+
* Analyze a resource policy and return the results
|
|
77
|
+
*
|
|
78
|
+
* @param resourcePolicy the resource policy to analyze
|
|
79
|
+
* @param request the request to analyze against
|
|
80
|
+
* @returns an array of statement analysis results
|
|
81
|
+
*/
|
|
82
|
+
export declare function analyzeResourcePolicy(resourcePolicy: Policy, request: AwsRequest): StatementAnalysis[];
|
|
44
83
|
//# sourceMappingURL=coreSimulatorEngine.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"coreSimulatorEngine.d.ts","sourceRoot":"","sources":["../../../src/core_engine/coreSimulatorEngine.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,2BAA2B,CAAC;AAGnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;
|
|
1
|
+
{"version":3,"file":"coreSimulatorEngine.d.ts","sourceRoot":"","sources":["../../../src/core_engine/coreSimulatorEngine.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,2BAA2B,CAAC;AAGnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAElD,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAEnD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAEhD,OAAO,EAAE,iBAAiB,EAAE,MAAM,kCAAkC,CAAC;AACrE,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAE5D;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC;;OAEG;IACH,aAAa,EAAE,MAAM,CAAC;IAEtB;;OAEG;IACH,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC;;OAEG;IACH,OAAO,EAAE,UAAU,CAAC;IAEpB;;OAEG;IACH,gBAAgB,EAAE,MAAM,EAAE,CAAA;IAE1B;;;OAGG;IACH,sBAAsB,EAAE,sBAAsB,EAAE,CAAA;IAEhD;;OAEG;IACH,cAAc,EAAE,MAAM,GAAG,SAAS,CAAC;CACpC;AAID;;;;;;;GAOG;AACH,wBAAgB,SAAS,CAAC,OAAO,EAAE,oBAAoB,GAAG,gBAAgB,CAYzE;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,oBAAoB,GAAG,iBAAiB,CAMrF;AAED;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,gBAAgB,EAAE,MAAM,EAAE,EAAE,OAAO,EAAE,UAAU,GAAG,iBAAiB,EAAE,CAe5G;AAED;;;;;;GAMG;AACH,wBAAgB,6BAA6B,CAAC,sBAAsB,EAAE,sBAAsB,EAAE,EAAE,OAAO,EAAE,UAAU,GAAG,WAAW,EAAE,CAsBlI;AAED;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CAAC,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,GAAG,iBAAiB,EAAE,CAatG"}
|
|
@@ -3,8 +3,11 @@ Object.defineProperty(exports, "__esModule", { value: true });
|
|
|
3
3
|
exports.authorize = authorize;
|
|
4
4
|
exports.getServiceAuthorizer = getServiceAuthorizer;
|
|
5
5
|
exports.analyzeIdentityPolicies = analyzeIdentityPolicies;
|
|
6
|
+
exports.analyzeServiceControlPolicies = analyzeServiceControlPolicies;
|
|
7
|
+
exports.analyzeResourcePolicy = analyzeResourcePolicy;
|
|
6
8
|
const action_js_1 = require("../action/action.js");
|
|
7
9
|
const condition_js_1 = require("../condition/condition.js");
|
|
10
|
+
const principal_js_1 = require("../principal/principal.js");
|
|
8
11
|
const resource_js_1 = require("../resource/resource.js");
|
|
9
12
|
const DefaultServiceAuthorizer_js_1 = require("../services/DefaultServiceAuthorizer.js");
|
|
10
13
|
const serviceEngines = {};
|
|
@@ -18,10 +21,14 @@ const serviceEngines = {};
|
|
|
18
21
|
*/
|
|
19
22
|
function authorize(request) {
|
|
20
23
|
const identityAnalysis = analyzeIdentityPolicies(request.identityPolicies, request.request);
|
|
24
|
+
const scpAnalysis = analyzeServiceControlPolicies(request.serviceControlPolicies, request.request);
|
|
21
25
|
const serviceAuthorizer = getServiceAuthorizer(request);
|
|
26
|
+
const resourceAnalysis = request.resourcePolicy ? analyzeResourcePolicy(request.resourcePolicy, request.request) : [];
|
|
22
27
|
return serviceAuthorizer.authorize({
|
|
23
28
|
request: request.request,
|
|
24
29
|
identityStatements: identityAnalysis,
|
|
30
|
+
scpAnalysis,
|
|
31
|
+
resourceAnalysis
|
|
25
32
|
});
|
|
26
33
|
}
|
|
27
34
|
/**
|
|
@@ -60,4 +67,53 @@ function analyzeIdentityPolicies(identityPolicies, request) {
|
|
|
60
67
|
}
|
|
61
68
|
return analysis;
|
|
62
69
|
}
|
|
70
|
+
/**
|
|
71
|
+
* Analyzes a set of service control policies and the statements within them.
|
|
72
|
+
*
|
|
73
|
+
* @param serviceControlPolicies the service control policies to analyze
|
|
74
|
+
* @param request the request to analyze against
|
|
75
|
+
* @returns an array of SCP analysis results
|
|
76
|
+
*/
|
|
77
|
+
function analyzeServiceControlPolicies(serviceControlPolicies, request) {
|
|
78
|
+
const analysis = [];
|
|
79
|
+
for (const controlPolicy of serviceControlPolicies) {
|
|
80
|
+
const ouAnalysis = {
|
|
81
|
+
orgIdentifier: controlPolicy.orgIdentifier,
|
|
82
|
+
statementAnalysis: [],
|
|
83
|
+
};
|
|
84
|
+
for (const policy of controlPolicy.policies) {
|
|
85
|
+
for (const statement of policy.statements()) {
|
|
86
|
+
ouAnalysis.statementAnalysis.push({
|
|
87
|
+
statement,
|
|
88
|
+
resourceMatch: (0, resource_js_1.requestMatchesStatementResources)(request, statement),
|
|
89
|
+
actionMatch: (0, action_js_1.requestMatchesStatementActions)(request, statement),
|
|
90
|
+
conditionMatch: (0, condition_js_1.requestMatchesConditions)(request, statement.conditions()),
|
|
91
|
+
principalMatch: 'Match',
|
|
92
|
+
});
|
|
93
|
+
}
|
|
94
|
+
}
|
|
95
|
+
analysis.push(ouAnalysis);
|
|
96
|
+
}
|
|
97
|
+
return analysis;
|
|
98
|
+
}
|
|
99
|
+
/**
|
|
100
|
+
* Analyze a resource policy and return the results
|
|
101
|
+
*
|
|
102
|
+
* @param resourcePolicy the resource policy to analyze
|
|
103
|
+
* @param request the request to analyze against
|
|
104
|
+
* @returns an array of statement analysis results
|
|
105
|
+
*/
|
|
106
|
+
function analyzeResourcePolicy(resourcePolicy, request) {
|
|
107
|
+
const analysis = [];
|
|
108
|
+
for (const statement of resourcePolicy.statements()) {
|
|
109
|
+
analysis.push({
|
|
110
|
+
statement,
|
|
111
|
+
resourceMatch: (0, resource_js_1.requestMatchesStatementResources)(request, statement),
|
|
112
|
+
actionMatch: (0, action_js_1.requestMatchesStatementActions)(request, statement),
|
|
113
|
+
conditionMatch: (0, condition_js_1.requestMatchesConditions)(request, statement.conditions()),
|
|
114
|
+
principalMatch: (0, principal_js_1.requestMatchesStatementPrincipals)(request, statement),
|
|
115
|
+
});
|
|
116
|
+
}
|
|
117
|
+
return analysis;
|
|
118
|
+
}
|
|
63
119
|
//# sourceMappingURL=coreSimulatorEngine.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"coreSimulatorEngine.js","sourceRoot":"","sources":["../../../src/core_engine/coreSimulatorEngine.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"coreSimulatorEngine.js","sourceRoot":"","sources":["../../../src/core_engine/coreSimulatorEngine.ts"],"names":[],"mappings":";;AA+DA,8BAYC;AASD,oDAMC;AASD,0DAeC;AASD,sEAsBC;AASD,sDAaC;AAtKD,mDAAqE;AACrE,4DAAqE;AAErE,4DAA8E;AAE9E,yDAA2E;AAE3E,yFAAmF;AA6CnF,MAAM,cAAc,GAAgD,EAAE,CAAC;AAEvE;;;;;;;GAOG;AACH,SAAgB,SAAS,CAAC,OAA6B;IACrD,MAAM,gBAAgB,GAAG,uBAAuB,CAAC,OAAO,CAAC,gBAAgB,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAC5F,MAAM,WAAW,GAAG,6BAA6B,CAAC,OAAO,CAAC,sBAAsB,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IACnG,MAAM,iBAAiB,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC;IACxD,MAAM,gBAAgB,GAAG,OAAO,CAAC,cAAc,CAAC,CAAC,CAAC,qBAAqB,CAAC,OAAO,CAAC,cAAc,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAEtH,OAAO,iBAAiB,CAAC,SAAS,CAAC;QACjC,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,kBAAkB,EAAE,gBAAgB;QACpC,WAAW;QACX,gBAAgB;KACjB,CAAC,CAAC;AACL,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,oBAAoB,CAAC,OAA6B;IAChE,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,WAAW,EAAE,CAAC;IACnE,IAAG,cAAc,CAAC,WAAW,CAAC,EAAE,CAAC;QAC/B,OAAO,IAAI,cAAc,CAAC,WAAW,CAAC,EAAE,CAAC;IAC3C,CAAC;IACD,OAAO,IAAI,sDAAwB,CAAC;AACtC,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,uBAAuB,CAAC,gBAA0B,EAAE,OAAmB;IACrF,MAAM,QAAQ,GAAwB,EAAE,CAAC;IACzC,KAAI,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;QACrC,KAAI,MAAM,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;YAC3C,QAAQ,CAAC,IAAI,CAAC;gBACZ,SAAS;gBACT,aAAa,EAAE,IAAA,8CAAgC,EAAC,OAAO,EAAE,SAAS,CAAC;gBACnE,WAAW,EAAE,IAAA,0CAA8B,EAAC,OAAO,EAAE,SAAS,CAAC;gBAC/D,cAAc,EAAE,IAAA,uCAAwB,EAAC,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE,CAAC;gBACzE,cAAc,EAAE,OAAO;aACxB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,6BAA6B,CAAC,sBAAgD,EAAE,OAAmB;IACjH,MAAM,QAAQ,GAAkB,EAAE,CAAC;IACnC,KAAI,MAAM,aAAa,IAAI,sBAAsB,EAAE,CAAC;QAClD,MAAM,UAAU,GAAgB;YAC9B,aAAa,EAAE,aAAa,CAAC,aAAa;YAC1C,iBAAiB,EAAE,EAAE;SACtB,CAAA;QACD,KAAI,MAAM,MAAM,IAAI,aAAa,CAAC,QAAQ,EAAE,CAAC;YAC3C,KAAI,MAAM,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;gBAC3C,UAAU,CAAC,iBAAiB,CAAC,IAAI,CAAC;oBAChC,SAAS;oBACT,aAAa,EAAE,IAAA,8CAAgC,EAAC,OAAO,EAAE,SAAS,CAAC;oBACnE,WAAW,EAAE,IAAA,0CAA8B,EAAC,OAAO,EAAE,SAAS,CAAC;oBAC/D,cAAc,EAAE,IAAA,uCAAwB,EAAC,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE,CAAC;oBACzE,cAAc,EAAE,OAAO;iBACxB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QACD,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC5B,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,qBAAqB,CAAC,cAAsB,EAAE,OAAmB;IAC/E,MAAM,QAAQ,GAAwB,EAAE,CAAC;IACzC,KAAI,MAAM,SAAS,IAAI,cAAc,CAAC,UAAU,EAAE,EAAE,CAAC;QACnD,QAAQ,CAAC,IAAI,CAAC;YACZ,SAAS;YACT,aAAa,EAAE,IAAA,8CAAgC,EAAC,OAAO,EAAE,SAAS,CAAC;YACnE,WAAW,EAAE,IAAA,0CAA8B,EAAC,OAAO,EAAE,SAAS,CAAC;YAC/D,cAAc,EAAE,IAAA,uCAAwB,EAAC,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE,CAAC;YACzE,cAAc,EAAE,IAAA,gDAAiC,EAAC,OAAO,EAAE,SAAS,CAAC;SACtE,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}
|
package/dist/cjs/evaluate.d.ts
CHANGED
|
@@ -1,2 +1,3 @@
|
|
|
1
1
|
export type EvaluationResult = 'Allowed' | 'ExplicitlyDenied' | 'AllowedWithConditions' | 'ImplicitlyDenied' | 'Unknown';
|
|
2
|
+
export type ResourceEvaluationResult = 'NotApplicable' | 'Allowed' | 'ExplicitlyDenied' | 'AllowedForAccount' | 'DeniedForAccount' | 'ImplicityDenied';
|
|
2
3
|
//# sourceMappingURL=evaluate.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"evaluate.d.ts","sourceRoot":"","sources":["../../src/evaluate.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,gBAAgB,GAAG,SAAS,GAAG,kBAAkB,GAAG,uBAAuB,GAAG,kBAAkB,GAAG,SAAS,CAAC"}
|
|
1
|
+
{"version":3,"file":"evaluate.d.ts","sourceRoot":"","sources":["../../src/evaluate.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,gBAAgB,GAAG,SAAS,GAAG,kBAAkB,GAAG,uBAAuB,GAAG,kBAAkB,GAAG,SAAS,CAAC;AACzH,MAAM,MAAM,wBAAwB,GAAG,eAAe,GAAG,SAAS,GAAG,kBAAkB,GAAG,mBAAmB,GAAG,kBAAkB,GAAG,iBAAiB,CAAC"}
|
|
@@ -1,9 +1,17 @@
|
|
|
1
|
+
import { ConditionKeyType } from "../ConditionKeys.js";
|
|
1
2
|
interface GlobalConditionKey {
|
|
2
3
|
key: string;
|
|
3
4
|
category: string;
|
|
4
|
-
dataType:
|
|
5
|
+
dataType: ConditionKeyType;
|
|
5
6
|
}
|
|
6
7
|
export declare function getGlobalConditionKey(key: string): GlobalConditionKey | undefined;
|
|
8
|
+
export declare function globalConditionKeyExists(key: string): boolean;
|
|
7
9
|
export declare function getGlobalConditionKeysByCategory(category: string): GlobalConditionKey[];
|
|
10
|
+
/**
|
|
11
|
+
* Get all the global condition keys as lower case strings
|
|
12
|
+
*
|
|
13
|
+
* @returns a list of all the global condition keys
|
|
14
|
+
*/
|
|
15
|
+
export declare function allGlobalConditionKeys(): string[];
|
|
8
16
|
export {};
|
|
9
17
|
//# sourceMappingURL=globalConditionKeys.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"globalConditionKeys.d.ts","sourceRoot":"","sources":["../../../src/global_conditions/globalConditionKeys.ts"],"names":[],"mappings":"AAAA,UAAU,kBAAkB;IAC1B,GAAG,EAAE,MAAM,CAAA;IACX,QAAQ,EAAE,MAAM,CAAA;IAChB,QAAQ,EAAE,
|
|
1
|
+
{"version":3,"file":"globalConditionKeys.d.ts","sourceRoot":"","sources":["../../../src/global_conditions/globalConditionKeys.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAEvD,UAAU,kBAAkB;IAC1B,GAAG,EAAE,MAAM,CAAA;IACX,QAAQ,EAAE,MAAM,CAAA;IAChB,QAAQ,EAAE,gBAAgB,CAAA;CAC3B;AAyRD,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,MAAM,GAAG,kBAAkB,GAAG,SAAS,CAEjF;AAED,wBAAgB,wBAAwB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAE7D;AAED,wBAAgB,gCAAgC,CAAC,QAAQ,EAAE,MAAM,GAAG,kBAAkB,EAAE,CAEvF;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,IAAI,MAAM,EAAE,CAEjD"}
|