@cloud-copilot/iam-simulate 0.1.5 → 0.1.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/ConditionKeys.d.ts +19 -0
- package/dist/cjs/ConditionKeys.d.ts.map +1 -0
- package/dist/cjs/ConditionKeys.js +27 -0
- package/dist/cjs/ConditionKeys.js.map +1 -0
- package/dist/cjs/SCPAnalysis.d.ts +6 -0
- package/dist/cjs/SCPAnalysis.d.ts.map +1 -0
- package/dist/cjs/SCPAnalysis.js +3 -0
- package/dist/cjs/SCPAnalysis.js.map +1 -0
- package/dist/cjs/context_keys/findContextKeys.d.ts +19 -0
- package/dist/cjs/context_keys/findContextKeys.d.ts.map +1 -0
- package/dist/cjs/context_keys/findContextKeys.js +57 -0
- package/dist/cjs/context_keys/findContextKeys.js.map +1 -0
- package/dist/cjs/core_engine/coreSimulatorEngine.d.ts +39 -0
- package/dist/cjs/core_engine/coreSimulatorEngine.d.ts.map +1 -1
- package/dist/cjs/core_engine/coreSimulatorEngine.js +56 -0
- package/dist/cjs/core_engine/coreSimulatorEngine.js.map +1 -1
- package/dist/cjs/evaluate.d.ts +1 -0
- package/dist/cjs/evaluate.d.ts.map +1 -1
- package/dist/cjs/global_conditions/globalConditionKeys.d.ts +9 -1
- package/dist/cjs/global_conditions/globalConditionKeys.d.ts.map +1 -1
- package/dist/cjs/global_conditions/globalConditionKeys.js +78 -50
- package/dist/cjs/global_conditions/globalConditionKeys.js.map +1 -1
- package/dist/cjs/index.d.ts +4 -0
- package/dist/cjs/index.d.ts.map +1 -1
- package/dist/cjs/index.js +10 -1
- package/dist/cjs/index.js.map +1 -1
- package/dist/cjs/principal/principal.d.ts +9 -1
- package/dist/cjs/principal/principal.d.ts.map +1 -1
- package/dist/cjs/principal/principal.js +17 -0
- package/dist/cjs/principal/principal.js.map +1 -1
- package/dist/cjs/request/requestPrincipal.d.ts.map +1 -1
- package/dist/cjs/request/requestPrincipal.js.map +1 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.d.ts +30 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.d.ts.map +1 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.js +93 -7
- package/dist/cjs/services/DefaultServiceAuthorizer.js.map +1 -1
- package/dist/cjs/services/ServiceAuthorizer.d.ts +3 -0
- package/dist/cjs/services/ServiceAuthorizer.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/contextKeys.d.ts +9 -1
- package/dist/cjs/simulation_engine/contextKeys.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/contextKeys.js +27 -40
- package/dist/cjs/simulation_engine/contextKeys.js.map +1 -1
- package/dist/cjs/simulation_engine/simulation.d.ts +12 -1
- package/dist/cjs/simulation_engine/simulation.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/simulationEngine.d.ts +15 -0
- package/dist/cjs/simulation_engine/simulationEngine.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/simulationEngine.js +126 -15
- package/dist/cjs/simulation_engine/simulationEngine.js.map +1 -1
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.d.ts +1 -1
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.js +13 -4
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.js.map +1 -1
- package/dist/cjs/util.d.ts +69 -0
- package/dist/cjs/util.d.ts.map +1 -1
- package/dist/cjs/util.js +166 -0
- package/dist/cjs/util.js.map +1 -1
- package/dist/esm/ConditionKeys.d.ts +19 -0
- package/dist/esm/ConditionKeys.d.ts.map +1 -0
- package/dist/esm/ConditionKeys.js +23 -0
- package/dist/esm/ConditionKeys.js.map +1 -0
- package/dist/esm/SCPAnalysis.d.ts +6 -0
- package/dist/esm/SCPAnalysis.d.ts.map +1 -0
- package/dist/esm/SCPAnalysis.js +2 -0
- package/dist/esm/SCPAnalysis.js.map +1 -0
- package/dist/esm/context_keys/findContextKeys.d.ts +19 -0
- package/dist/esm/context_keys/findContextKeys.d.ts.map +1 -0
- package/dist/esm/context_keys/findContextKeys.js +53 -0
- package/dist/esm/context_keys/findContextKeys.js.map +1 -0
- package/dist/esm/core_engine/coreSimulatorEngine.d.ts +39 -0
- package/dist/esm/core_engine/coreSimulatorEngine.d.ts.map +1 -1
- package/dist/esm/core_engine/coreSimulatorEngine.js +54 -0
- package/dist/esm/core_engine/coreSimulatorEngine.js.map +1 -1
- package/dist/esm/evaluate.d.ts +1 -0
- package/dist/esm/evaluate.d.ts.map +1 -1
- package/dist/esm/global_conditions/globalConditionKeys.d.ts +9 -1
- package/dist/esm/global_conditions/globalConditionKeys.d.ts.map +1 -1
- package/dist/esm/global_conditions/globalConditionKeys.js +76 -50
- package/dist/esm/global_conditions/globalConditionKeys.js.map +1 -1
- package/dist/esm/index.d.ts +4 -0
- package/dist/esm/index.d.ts.map +1 -1
- package/dist/esm/index.js +4 -0
- package/dist/esm/index.js.map +1 -1
- package/dist/esm/principal/principal.d.ts +9 -1
- package/dist/esm/principal/principal.d.ts.map +1 -1
- package/dist/esm/principal/principal.js +16 -0
- package/dist/esm/principal/principal.js.map +1 -1
- package/dist/esm/request/requestPrincipal.d.ts.map +1 -1
- package/dist/esm/request/requestPrincipal.js.map +1 -1
- package/dist/esm/services/DefaultServiceAuthorizer.d.ts +30 -1
- package/dist/esm/services/DefaultServiceAuthorizer.d.ts.map +1 -1
- package/dist/esm/services/DefaultServiceAuthorizer.js +93 -7
- package/dist/esm/services/DefaultServiceAuthorizer.js.map +1 -1
- package/dist/esm/services/ServiceAuthorizer.d.ts +3 -0
- package/dist/esm/services/ServiceAuthorizer.d.ts.map +1 -1
- package/dist/esm/simulation_engine/contextKeys.d.ts +9 -1
- package/dist/esm/simulation_engine/contextKeys.d.ts.map +1 -1
- package/dist/esm/simulation_engine/contextKeys.js +28 -40
- package/dist/esm/simulation_engine/contextKeys.js.map +1 -1
- package/dist/esm/simulation_engine/simulation.d.ts +12 -1
- package/dist/esm/simulation_engine/simulation.d.ts.map +1 -1
- package/dist/esm/simulation_engine/simulationEngine.d.ts +15 -0
- package/dist/esm/simulation_engine/simulationEngine.d.ts.map +1 -1
- package/dist/esm/simulation_engine/simulationEngine.js +126 -16
- package/dist/esm/simulation_engine/simulationEngine.js.map +1 -1
- package/dist/esm/simulation_engine/unsafeSimulationEngine.d.ts +1 -1
- package/dist/esm/simulation_engine/unsafeSimulationEngine.d.ts.map +1 -1
- package/dist/esm/simulation_engine/unsafeSimulationEngine.js +13 -4
- package/dist/esm/simulation_engine/unsafeSimulationEngine.js.map +1 -1
- package/dist/esm/util.d.ts +69 -0
- package/dist/esm/util.d.ts.map +1 -1
- package/dist/esm/util.js +158 -0
- package/dist/esm/util.js.map +1 -1
- package/package.json +1 -1
|
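--- a/package/dist/cjs/services/DefaultServiceAuthorizer.js
+++ b/package/dist/cjs/services/DefaultServiceAuthorizer.js
@@ -1,27 +1,81 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.DefaultServiceAuthorizer = void 0;
+/**
+ * The default authorizer for services.
+ */
 class DefaultServiceAuthorizer {
     authorize(request) {
+        const scpResult = this.serviceControlPolicyResult(request);
         const identityStatementResult = this.identityStatementResult(request);
+        const resourcePolicyResult = this.resourcePolicyResult(request);
         const principalAccount = request.request.principal.accountId();
         const resourceAccount = request.request.resource?.accountId();
+        if (scpResult !== 'Allowed') {
+            return scpResult;
+        }
+        if (resourcePolicyResult === 'ExplicitlyDenied' || resourcePolicyResult === 'DeniedForAccount') {
+            return 'ExplicitlyDenied';
+        }
+        if (identityStatementResult === 'ExplicitlyDenied') {
+            return 'ExplicitlyDenied';
+        }
+        //Same Account
+        if (principalAccount === resourceAccount) {
+            if (resourcePolicyResult === 'Allowed' || resourcePolicyResult === 'AllowedForAccount' || identityStatementResult === 'Allowed') {
+                return 'Allowed';
+            }
+            return 'ImplicitlyDenied';
+        }
+        //Cross Account
+        if (resourcePolicyResult === 'Allowed' || resourcePolicyResult === 'AllowedForAccount') {
+            if (identityStatementResult === 'Allowed') {
+                return 'Allowed';
+            }
+            return 'ImplicitlyDenied';
+        }
+        return 'ImplicitlyDenied';
         /**
          * Add checks for:
-         * *
-         * * service
+         * * root user
+         * * service linked roles
+         * * resource control policies
          * * boundary policies
          * * vpc endpoint policies
          * * session policies (maybe these are just part of identity policies?)
          */
-
-
-
-
+    }
+    /**
+     * Determine the result of the SCP analysis.
+     *
+     * @param request The request to authorize.
+     * @returns The result of the SCP analysis.
+     */
+    serviceControlPolicyResult(request) {
+        const orgAllows = request.scpAnalysis.map((scpAnalysis) => {
+            return scpAnalysis.statementAnalysis.some((statement) => {
+                return this.identityStatementAllows(statement);
+            });
+        });
+        if (orgAllows.includes(false)) {
             return 'ImplicitlyDenied';
         }
-
+        const anyScpDeny = request.scpAnalysis.some((scpAnalysis) => {
+            return scpAnalysis.statementAnalysis.some((statement) => {
+                return this.identityStatementExplicitDeny(statement);
+            });
+        });
+        if (anyScpDeny) {
+            return 'ExplicitlyDenied';
+        }
+        return 'Allowed';
     }
+    /**
+     * Evaluate the identity statements to determine the result.
+     *
+     * @param request The request to authorize.
+     * @returns The result of the identity statement analysis.
+     */
     identityStatementResult(request) {
         const explicitDeny = request.identityStatements.some(s => this.identityStatementExplicitDeny(s));
         if (explicitDeny) {
@@ -38,6 +92,38 @@ class DefaultServiceAuthorizer {
         }
         return 'ImplicitlyDenied';
     }
+    /**
+     * Evaluate the resource policy to determine the result.
+     *
+     * @param request the request to authorize
+     * @returns the result of the resource policy analysis
+     */
+    resourcePolicyResult(request) {
+        if (!request.resourceAnalysis) {
+            return 'NotApplicable';
+        }
+        const denyStatements = request.resourceAnalysis.filter(s => this.identityStatementExplicitDeny(s));
+        if (denyStatements.some(s => s.principalMatch === 'Match')) {
+            return 'ExplicitlyDenied';
+        }
+        if (denyStatements.some(s => s.principalMatch === 'AccountLevelMatch')) {
+            return 'DeniedForAccount';
+        }
+        const allowStatements = request.resourceAnalysis.filter(s => this.identityStatementAllows(s));
+        if (allowStatements.some(s => s.principalMatch === 'Match')) {
+            return 'Allowed';
+        }
+        if (allowStatements.some(s => s.principalMatch === 'AccountLevelMatch')) {
+            return 'AllowedForAccount';
+        }
+        return 'ImplicityDenied';
+    }
+    /**
+     * Checks if a statement is an identity statement that allows the request.
+     *
+     * @param statement The statement to check.
+     * @returns Whether the statement is an identity statement that allows the request.
+     */
     identityStatementAllows(statement) {
         if (statement.resourceMatch &&
             statement.actionMatch &&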
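Review bot: `resourcePolicyResult` ends with `return 'ImplicityDenied';`, a misspelling of the `'ImplicitlyDenied'` that every other branch in this class returns, so the method can emit a value outside the result set its callers and tests compare against; change it to `return 'ImplicitlyDenied';` (authorize() only masks it because it never compares the resource result against that string). The same-account branch of authorize() also returns `'Allowed'` when the resource policy matched only at account level (`AllowedForAccount`) and the identity policy did not allow; as I understand AWS's evaluation logic, a resource-policy grant to an account root ARN delegates permission but still requires an identity-based allow, so this branch may over-report access and is worth checking against the AWS policy-evaluation documentation before it is relied on. Less urgently, `serviceControlPolicyResult` tests for a level with no matching allow before it looks for an explicit deny, so a request that is explicitly denied at one level and merely unmatched at another is reported as `ImplicitlyDenied`; the outcome is still a deny, but the reason surfaced to the user is the weaker one.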
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":";;;AAIA,MAAa,wBAAwB;IAC5B,SAAS,CAAC,OAAoC;QACnD,MAAM,uBAAuB,GAAG,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC,CAAC;QACtE,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;
|
|
1
|
+
{"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":";;;AAIA;;GAEG;AACH,MAAa,wBAAwB;IAC5B,SAAS,CAAC,OAAoC;QACnD,MAAM,SAAS,GAAG,IAAI,CAAC,0BAA0B,CAAC,OAAO,CAAC,CAAC;QAC3D,MAAM,uBAAuB,GAAG,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC,CAAC;QACtE,MAAM,oBAAoB,GAAG,IAAI,CAAC,oBAAoB,CAAC,OAAO,CAAC,CAAC;QAEhE,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;QAE7D,IAAG,SAAS,KAAK,SAAS,EAAE,CAAC;YAC3B,OAAO,SAAS,CAAA;QAClB,CAAC;QAED,IAAG,oBAAoB,KAAK,kBAAkB,IAAI,oBAAoB,KAAK,kBAAkB,EAAE,CAAC;YAC9F,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,IAAG,uBAAuB,KAAK,kBAAkB,EAAE,CAAC;YAClD,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,cAAc;QACd,IAAG,gBAAgB,KAAK,eAAe,EAAE,CAAC;YACxC,IAAG,oBAAoB,KAAK,SAAS,IAAI,oBAAoB,KAAK,mBAAmB,IAAI,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBAC/H,OAAO,SAAS,CAAA;YAClB,CAAC;YACD,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,eAAe;QACf,IAAG,oBAAoB,KAAK,SAAS,IAAI,oBAAoB,KAAK,mBAAmB,EAAE,CAAC;YACtF,IAAG,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBACzC,OAAO,SAAS,CAAA;YAClB,CAAC;YACD,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,OAAO,kBAAkB,CAAA;QAEzB;;;;;;;;WAQG;IACL,CAAC;IAED;;;;;OAKG;IACI,0BAA0B,CAAC,OAAoC;QACpE,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,EAAE;YACxD,OAAO,WAAW,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE;gBACtD,OAAO,IAAI,CAAC,uBAAuB,CAAC,SAAS,CAAC,CAAA;YAChD,CAAC,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;QAEF,IAAG,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAC7B,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,MAAM,UAAU,GAAG,OAAO,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,EAAE;YAC1D,OAAO,WAAW,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE;gBACtD,OAAO,IAAI,CAAC,6BAA6B,CAAC,SAAS,CAAC,CAAA;YACtD,CAAC,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;QAEF,IAAG,UAAU,EAAE,CAAC;YACd,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,OAAO,SAAS,CAAA;IAClB,CAAC;IAED;;;;;OAKG;IACI,uBAAuB,CAAC,OAAoC;QACjE,MAAM,YAAY,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC,CAAC,CAAC,CAAC;QACjG,IAAG,YA
AY,EAAE,CAAC;YAChB,OAAO,kBAAkB,CAAC;QAC5B,CAAC;QAED,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC,CAAC,CAAC,CAAC;QAC5F,MAAM,YAAY,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/F,IAAG,aAAa,EAAE,CAAC;YACjB,OAAO,YAAY,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;QAC9C,CAAC;QAED,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC,CAAC,CAAC,CAAC;QACjG,IAAG,aAAa,EAAE,CAAC;YACjB,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,OAAO,kBAAkB,CAAA;IAC3B,CAAC;IAED;;;;;OAKG;IACI,oBAAoB,CAAC,OAAoC;QAC9D,IAAG,CAAC,OAAO,CAAC,gBAAgB,EAAE,CAAC;YAC7B,OAAO,eAAe,CAAA;QACxB,CAAC;QAED,MAAM,cAAc,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC,CAAC,CAAC,CAAC;QACnG,IAAG,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,OAAO,CAAC,EAAE,CAAC;YAC1D,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QACD,IAAG,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,mBAAmB,CAAC,EAAE,CAAC;YACtE,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,MAAM,eAAe,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC,CAAC,CAAC,CAAC;QAC9F,IAAG,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,OAAO,CAAC,EAAE,CAAC;YAC3D,OAAO,SAAS,CAAA;QAClB,CAAC;QACD,IAAG,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,mBAAmB,CAAC,EAAE,CAAC;YACvE,OAAO,mBAAmB,CAAA;QAC5B,CAAC;QAED,OAAO,iBAAiB,CAAA;IAE1B,CAAC;IAED;;;;;OAKG;IACI,uBAAuB,CAAC,SAA4B;QACzD,IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAAK,OAAO;YACpC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,OAAO,EAAE,CAAC;YACzC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAEM,4BAA4B,CAAC,SAA4B;QAC9D,IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAAK,SAAS;YACtC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,OAAO,EAAE,CAAC;YACzC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAEM,2BAA2B,CAAC,SAA4B;QAC7D,IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAAK,
SAAS;YACtC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,MAAM,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAEM,6BAA6B,CAAC,SAA4B;QAC/D,IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAAK,OAAO;YACpC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,MAAM,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;CACF;AAtLD,4DAsLC"}
|
|
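--- a/package/dist/cjs/services/ServiceAuthorizer.d.ts
+++ b/package/dist/cjs/services/ServiceAuthorizer.d.ts
@@ -1,9 +1,12 @@
 import { EvaluationResult } from "../evaluate.js";
 import { AwsRequest } from "../request/request.js";
+import { SCPAnalysis } from "../SCPAnalysis.js";
 import { StatementAnalysis } from "../StatementAnalysis.js";
 export interface ServiceAuthorizationRequest {
     request: AwsRequest;
     identityStatements: StatementAnalysis[];
+    scpAnalysis: SCPAnalysis[];
+    resourceAnalysis: StatementAnalysis[];
 }
 export interface ServiceAuthorizer {
     authorize(request: ServiceAuthorizationRequest): EvaluationResult;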
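Review bot: `resourceAnalysis` is declared as a required `StatementAnalysis[]`, while `DefaultServiceAuthorizer.resourcePolicyResult` in this same release guards it with `if (!request.resourceAnalysis)` and returns `'NotApplicable'`, so the declared type and the runtime contract disagree and that guard is unreachable for type-checked callers. Since `Simulation.resourcePolicy` is optional, the honest signature is `resourceAnalysis?: StatementAnalysis[];`, which also lets the authorizer distinguish "no resource policy" from "a resource policy with no matching statement" instead of forcing callers to pass an empty array. A doc comment on `scpAnalysis` stating that one entry is expected per level of the organization hierarchy, and that each level must contain an allow, would spare implementers from reading the authorizer to learn that.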
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/ServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAE5D,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,UAAU,CAAC;IACpB,kBAAkB,EAAE,iBAAiB,EAAE,CAAC;
|
|
1
|
+
{"version":3,"file":"ServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/ServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAE5D,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,UAAU,CAAC;IACpB,kBAAkB,EAAE,iBAAiB,EAAE,CAAC;IACxC,WAAW,EAAE,WAAW,EAAE,CAAC;IAC3B,gBAAgB,EAAE,iBAAiB,EAAE,CAAC;CACvC;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,gBAAgB,CAAA;CAClE"}
|
|
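--- a/package/dist/cjs/simulation_engine/contextKeys.d.ts
+++ b/package/dist/cjs/simulation_engine/contextKeys.d.ts
@@ -1,3 +1,11 @@
+/**
+ * Get the allowed context keys for a request.
+ *
+ * @param service The service the action belongs to
+ * @param action The action to get the allowed context keys for
+ * @param resource The resource the action is being performed on
+ * @returns The allowed context keys for the request as lower case strings
+ * @throws error if the service or action does not exist
+ */
 export declare function allowedContextKeysForRequest(service: string, action: string, resource: string): Promise<string[]>;
-export declare function convertPatternToRegex(pattern: string): string;
 //# sourceMappingURL=contextKeys.d.ts.map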
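Review bot: Dropping the exported `convertPatternToRegex` declaration is a breaking API change delivered in a patch-level bump (0.1.5 → 0.1.7): anything that imported it will fail at type-check time here and at load time in the runtime build, where the export is removed as well. Pre-1.0 semver tolerates this, but it should be called out in the release notes, or the symbol kept as a deprecated re-export of whatever replaced it, so downstream pins do not break silently. The new JSDoc is welcome; it could also say whether the returned list is deduplicated, since the implementation builds it by concatenating action, resource-type and global keys and those sets may overlap.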
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"contextKeys.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/contextKeys.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"contextKeys.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/contextKeys.ts"],"names":[],"mappings":"AAIA;;;;;;;;GAQG;AACH,wBAAsB,4BAA4B,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAyBvH"}
|
|
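--- a/package/dist/cjs/simulation_engine/contextKeys.js
+++ b/package/dist/cjs/simulation_engine/contextKeys.js
@@ -1,53 +1,40 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.allowedContextKeysForRequest = allowedContextKeysForRequest;
-exports.convertPatternToRegex = convertPatternToRegex;
 const iam_data_1 = require("@cloud-copilot/iam-data");
+const globalConditionKeys_js_1 = require("../global_conditions/globalConditionKeys.js");
+const util_js_1 = require("../util.js");
+/**
+ * Get the allowed context keys for a request.
+ *
+ * @param service The service the action belongs to
+ * @param action The action to get the allowed context keys for
+ * @param resource The resource the action is being performed on
+ * @returns The allowed context keys for the request as lower case strings
+ * @throws error if the service or action does not exist
+ */
 async function allowedContextKeysForRequest(service, action, resource) {
     const actionDetails = await (0, iam_data_1.iamActionDetails)(service, action);
-    const actionConditionKeys = actionDetails.conditionKeys;
-
-
+    const actionConditionKeys = (0, util_js_1.lowerCaseAll)(actionDetails.conditionKeys);
+    const isWildCardOnly = await (0, util_js_1.isWildcardOnlyAction)(service, action);
+    if (isWildCardOnly) {
+        return [
+            ...actionConditionKeys,
+            ...(0, globalConditionKeys_js_1.allGlobalConditionKeys)()
+        ];
     }
-    const
-
-
-        const pattern = convertPatternToRegex(resourceType.arn);
-        const match = resource.match(new RegExp(pattern));
-        if (match) {
-            matchingResourceTypes.push(resourceType);
-        }
+    const resourceTypes = await (0, util_js_1.getResourceTypesForAction)(service, action, resource);
+    if (resourceTypes.length === 0) {
+        throw new Error(`No resource types found for action ${action} on service ${service}`);
     }
-    if (
-
-        throw new Error(`found ${matchingResourceTypes.length} matching resource types for ${resource}: ${matchNames}`);
+    else if (resourceTypes.length > 1) {
+        throw new Error(`Multiple resource types found for action ${action} on service ${service}`);
     }
-
+    const resourceTypeConditions = actionDetails.resourceTypes.find(rt => rt.name === resourceTypes[0].key).conditionKeys;
     return [
-        ...
-        ...actionConditionKeys
+        ...(0, util_js_1.lowerCaseAll)(resourceTypeConditions),
+        ...actionConditionKeys,
+        ...(0, globalConditionKeys_js_1.allGlobalConditionKeys)()
     ];
 }
-function convertPatternToRegex(pattern) {
-    const regex = pattern.replace(/\$\{.*?\}/g, (match) => {
-        const name = match.substring(2, match.length - 1);
-        const camelName = name.at(0)?.toLowerCase() + name.substring(1);
-        return `(?<${camelName}>(.*?))`;
-    });
-    return `^${regex}$`;
-    // const parts = pattern.split('/')
-    // const lastPart = parts[parts.length - 1]
-    // const modifiedParts = parts.map((part) => {
-    // if (part.startsWith('${') && part.endsWith('}')) {
-    // const name = part.substring(2, part.length - 1)
-    // const camelName = name.at(0)?.toLowerCase() + name.substring(1)
-    // if (part === lastPart) {
-    // return `(?<${camelName}>(.*))`
-    // }
-    // return `(?<${camelName}>([^\/]+))`
-    // }
-    // return part
-    // })
-    // return modifiedParts.join('\/')
-}
 //# sourceMappingURL=contextKeys.js.map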
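Review bot: The new line `const resourceTypeConditions = actionDetails.resourceTypes.find(rt => rt.name === resourceTypes[0].key).conditionKeys;` dereferences the result of `find()` unchecked, so any mismatch between the key returned by `getResourceTypesForAction` and the names in `actionDetails.resourceTypes` surfaces as a bare TypeError instead of one of the descriptive errors thrown just above it. Guard it with `const matchedType = actionDetails.resourceTypes.find(rt => rt.name === resourceTypes[0].key);`, throw a descriptive Error naming `resourceTypes[0].key`, `action` and `service` when `matchedType` is undefined, and spread `matchedType.conditionKeys` in the return. The `@throws` tag in the new JSDoc only mentions a missing service or action; the two resource-type errors this function throws itself should be listed there as well.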
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"contextKeys.js","sourceRoot":"","sources":["../../../src/simulation_engine/contextKeys.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"contextKeys.js","sourceRoot":"","sources":["../../../src/simulation_engine/contextKeys.ts"],"names":[],"mappings":";;AAaA,oEAyBC;AAtCD,sDAA2D;AAC3D,wFAAqF;AACrF,wCAA2F;AAE3F;;;;;;;;GAQG;AACI,KAAK,UAAU,4BAA4B,CAAC,OAAe,EAAE,MAAc,EAAE,QAAgB;IAClG,MAAM,aAAa,GAAG,MAAM,IAAA,2BAAgB,EAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC9D,MAAM,mBAAmB,GAAG,IAAA,sBAAY,EAAC,aAAa,CAAC,aAAa,CAAC,CAAC;IAEtE,MAAM,cAAc,GAAG,MAAM,IAAA,8BAAoB,EAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACnE,IAAG,cAAc,EAAE,CAAC;QAClB,OAAO;YACL,GAAG,mBAAmB;YACtB,GAAG,IAAA,+CAAsB,GAAE;SAC5B,CAAA;IACH,CAAC;IAED,MAAM,aAAa,GAAG,MAAM,IAAA,mCAAyB,EAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IACjF,IAAG,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,sCAAsC,MAAM,eAAe,OAAO,EAAE,CAAC,CAAA;IACvF,CAAC;SAAM,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CAAC,4CAA4C,MAAM,eAAe,OAAO,EAAE,CAAC,CAAA;IAC7F,CAAC;IACD,MAAM,sBAAsB,GAAG,aAAa,CAAC,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,IAAI,KAAK,aAAa,CAAC,CAAC,CAAC,CAAC,GAAG,CAAE,CAAC,aAAa,CAAA;IAEtH,OAAO;QACL,GAAG,IAAA,sBAAY,EAAC,sBAAsB,CAAC;QACvC,GAAG,mBAAmB;QACtB,GAAG,IAAA,+CAAsB,GAAE;KAC5B,CAAA;AACH,CAAC"}
|
|
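--- a/package/dist/cjs/simulation_engine/simulation.d.ts
+++ b/package/dist/cjs/simulation_engine/simulation.d.ts
@@ -8,6 +8,17 @@ export interface Simulation {
         };
         contextVariables: Record<string, string | string[]>;
     };
-    identityPolicies:
+    identityPolicies: {
+        name: string;
+        policy: any;
+    }[];
+    serviceControlPolicies: {
+        orgIdentifier: string;
+        policies: {
+            name: string;
+            policy: any;
+        }[];
+    }[];
+    resourcePolicy?: any;
 }
 //# sourceMappingURL=simulation.d.ts.map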
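Review bot: The new `serviceControlPolicies` field carries no documentation of how its entries are evaluated, and the shape is load-bearing: `DefaultServiceAuthorizer.serviceControlPolicyResult` in this release treats each entry as one level of the organization hierarchy and returns an implicit deny unless every entry contains a matching allow, while an empty array evaluates to `'Allowed'`. Add a comment above the field such as `/** One entry per level of the org hierarchy (root, OUs, account); every level must contain an Allow for the request to pass. An empty array means no SCPs apply. */`, and note on `resourcePolicy?` that omitting it means no resource policy is evaluated. `policy: any` also gives callers no help shaping input; if `@cloud-copilot/iam-policy` exposes an input-policy type, using it here would catch malformed simulations before runtime validation.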
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"simulation.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulation.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,EAAE;YACR,QAAQ,EAAE,MAAM,CAAC;YACjB,SAAS,EAAE,MAAM,CAAA;SAClB,CAAA;QACD,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAC;KACrD,CAAA;IAED,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;
|
|
1
|
+
{"version":3,"file":"simulation.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulation.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,EAAE;YACR,QAAQ,EAAE,MAAM,CAAC;YACjB,SAAS,EAAE,MAAM,CAAA;SAClB,CAAA;QACD,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAC;KACrD,CAAA;IAED,gBAAgB,EAAE;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,GAAG,CAAA;KAAC,EAAE,CAAC;IAChD,sBAAsB,EAAE;QACtB,aAAa,EAAE,MAAM,CAAC;QACtB,QAAQ,EAAE;YAAC,IAAI,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,GAAG,CAAA;SAAC,EAAE,CAAA;KACxC,EAAE,CAAC;IACJ,cAAc,CAAC,EAAE,GAAG,CAAC;CACtB"}
|
|
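--- a/package/dist/cjs/simulation_engine/simulationEngine.d.ts
+++ b/package/dist/cjs/simulation_engine/simulationEngine.d.ts
@@ -1,11 +1,26 @@
 import { ValidationError } from "@cloud-copilot/iam-policy";
+import { EvaluationResult } from "../evaluate.js";
 import { Simulation } from "./simulation.js";
 import { SimulationOptions } from "./simulationOptions.js";
 export interface SimulationErrors {
     identityPolicyErrors?: Record<string, ValidationError[]>;
+    seviceControlPolicyErrors?: Record<string, ValidationError[]>;
+    resourcePolicyErrors?: ValidationError[];
     message: string;
 }
 export interface SimulationResult {
+    errors?: SimulationErrors;
+    result?: {
+        evaluationResult: EvaluationResult;
+    };
 }
+/**
+ * Run a simulation with validation
+ *
+ * @param simulation The simulation to run
+ * @param simulationOptions Options for the simulation
+ * @returns
+ */
 export declare function runSimulation(simulation: Simulation, simulationOptions: Partial<SimulationOptions>): Promise<SimulationResult>;
+export declare function normalizeSimulationParameters(simulation: Simulation): Promise<Record<string, string | string[]>>;
 //# sourceMappingURL=simulationEngine.d.ts.map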
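Review bot: `seviceControlPolicyErrors` (missing the "r" in service) is now a field of the published `SimulationErrors` interface, and simulationEngine.js populates the same misspelled key, so consumers must reproduce the typo to read those errors and correcting it later becomes a breaking change. Rename it to `serviceControlPolicyErrors?: Record<string, ValidationError[]>;` in both the declaration and the implementation before anything depends on it. The `@returns` tag on `runSimulation` is empty; say that the promise resolves to either `errors` (with `message` holding a machine-readable code such as `'policy.errors'` or `'invalid.action'`) or `result.evaluationResult`, if that is indeed the contract, and give `normalizeSimulationParameters` a doc comment of its own.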
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"simulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":"AACA,OAAO,
|
|
1
|
+
{"version":3,"file":"simulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":"AACA,OAAO,EAAoG,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAG9J,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAKlD,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC7C,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAE3D,MAAM,WAAW,gBAAgB;IAC/B,oBAAoB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAC;IACzD,yBAAyB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAC;IAC9D,oBAAoB,CAAC,EAAE,eAAe,EAAE,CAAC;IACzC,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,CAAC,EAAE,gBAAgB,CAAC;IAC1B,MAAM,CAAC,EAAE;QACP,gBAAgB,EAAE,gBAAgB,CAAA;KACnC,CAAA;CACF;AAED;;;;;;GAMG;AACH,wBAAsB,aAAa,CAAC,UAAU,EAAE,UAAU,EAAE,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAAG,OAAO,CAAC,gBAAgB,CAAC,CA+HpI;AAED,wBAAsB,6BAA6B,CAAC,UAAU,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAC,CA0BtH"}
|
|
@@ -1,48 +1,159 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
3
|
exports.runSimulation = runSimulation;
|
|
4
|
+
exports.normalizeSimulationParameters = normalizeSimulationParameters;
|
|
4
5
|
const iam_data_1 = require("@cloud-copilot/iam-data");
|
|
5
6
|
const iam_policy_1 = require("@cloud-copilot/iam-policy");
|
|
7
|
+
const ConditionKeys_js_1 = require("../ConditionKeys.js");
|
|
8
|
+
const coreSimulatorEngine_js_1 = require("../core_engine/coreSimulatorEngine.js");
|
|
9
|
+
const request_js_1 = require("../request/request.js");
|
|
10
|
+
const requestContext_js_1 = require("../requestContext.js");
|
|
11
|
+
const util_js_1 = require("../util.js");
|
|
6
12
|
const contextKeys_js_1 = require("./contextKeys.js");
|
|
13
|
+
/**
|
|
14
|
+
* Run a simulation with validation
|
|
15
|
+
*
|
|
16
|
+
* @param simulation The simulation to run
|
|
17
|
+
* @param simulationOptions Options for the simulation
|
|
18
|
+
* @returns
|
|
19
|
+
*/
|
|
7
20
|
async function runSimulation(simulation, simulationOptions) {
|
|
8
|
-
const identityPolicyErrors =
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
21
|
+
const identityPolicyErrors = {};
|
|
22
|
+
const identityPolicies = [];
|
|
23
|
+
simulation.identityPolicies.forEach((value) => {
|
|
24
|
+
const { name, policy } = value;
|
|
25
|
+
const validationErrors = (0, iam_policy_1.validateIdentityPolicy)(policy);
|
|
26
|
+
if (validationErrors.length == 0) {
|
|
27
|
+
identityPolicies.push((0, iam_policy_1.loadPolicy)(policy));
|
|
28
|
+
}
|
|
29
|
+
else {
|
|
30
|
+
identityPolicyErrors[name] = validationErrors;
|
|
31
|
+
}
|
|
32
|
+
});
|
|
33
|
+
const seviceControlPolicyErrors = {};
|
|
34
|
+
const serviceControlPolicies = simulation.serviceControlPolicies.map((scp) => {
|
|
35
|
+
const ouId = scp.orgIdentifier;
|
|
36
|
+
const validPolicies = [];
|
|
37
|
+
scp.policies.forEach((value) => {
|
|
38
|
+
const { name, policy } = value;
|
|
39
|
+
const validationErrors = (0, iam_policy_1.validateServiceControlPolicy)(policy);
|
|
40
|
+
if (validationErrors.length > 0) {
|
|
41
|
+
seviceControlPolicyErrors[name] = validationErrors;
|
|
42
|
+
}
|
|
43
|
+
else {
|
|
44
|
+
validPolicies.push((0, iam_policy_1.loadPolicy)(policy));
|
|
45
|
+
}
|
|
46
|
+
});
|
|
47
|
+
return {
|
|
48
|
+
orgIdentifier: ouId,
|
|
49
|
+
policies: validPolicies
|
|
50
|
+
};
|
|
51
|
+
});
|
|
52
|
+
const resourcePolicyErrors = simulation.resourcePolicy ? (0, iam_policy_1.validateResourcePolicy)(simulation.resourcePolicy) : [];
|
|
53
|
+
if (Object.keys(identityPolicyErrors).length > 0 ||
|
|
54
|
+
Object.keys(seviceControlPolicyErrors).length > 0 ||
|
|
55
|
+
resourcePolicyErrors.length > 0) {
|
|
14
56
|
return {
|
|
15
|
-
|
|
57
|
+
errors: {
|
|
58
|
+
identityPolicyErrors,
|
|
59
|
+
seviceControlPolicyErrors,
|
|
60
|
+
resourcePolicyErrors,
|
|
61
|
+
message: 'policy.errors'
|
|
62
|
+
}
|
|
16
63
|
};
|
|
17
64
|
}
|
|
65
|
+
const resourcePolicy = simulation.resourcePolicy ? (0, iam_policy_1.loadPolicy)(simulation.resourcePolicy) : undefined;
|
|
18
66
|
if (simulation.request.action.split(":").length != 2) {
|
|
19
67
|
return {
|
|
20
|
-
|
|
68
|
+
errors: {
|
|
69
|
+
message: 'invalid.action'
|
|
70
|
+
}
|
|
21
71
|
};
|
|
22
72
|
}
|
|
23
73
|
const [service, action] = simulation.request.action.split(":");
|
|
24
74
|
const validService = await (0, iam_data_1.iamServiceExists)(service);
|
|
25
75
|
if (!validService) {
|
|
26
76
|
return {
|
|
27
|
-
|
|
77
|
+
errors: {
|
|
78
|
+
message: 'invalid.service'
|
|
79
|
+
}
|
|
28
80
|
};
|
|
29
81
|
}
|
|
30
82
|
const validAction = await (0, iam_data_1.iamActionExists)(service, action);
|
|
31
83
|
if (!validAction) {
|
|
32
84
|
return {
|
|
33
|
-
|
|
85
|
+
errors: {
|
|
86
|
+
message: 'invalid.action'
|
|
87
|
+
}
|
|
34
88
|
};
|
|
35
89
|
}
|
|
36
90
|
const resourceArn = simulation.request.resource.resource;
|
|
91
|
+
const isWildCardOnlyAction = await (0, util_js_1.isWildcardOnlyAction)(service, action);
|
|
92
|
+
if (isWildCardOnlyAction) {
|
|
93
|
+
if (resourceArn !== "*") {
|
|
94
|
+
return {
|
|
95
|
+
errors: {
|
|
96
|
+
message: 'must.use.wildcard'
|
|
97
|
+
}
|
|
98
|
+
};
|
|
99
|
+
}
|
|
100
|
+
}
|
|
101
|
+
else {
|
|
102
|
+
const resourceTypes = await (0, util_js_1.getResourceTypesForAction)(service, action, resourceArn);
|
|
103
|
+
if (resourceTypes.length === 0) {
|
|
104
|
+
return {
|
|
105
|
+
errors: {
|
|
106
|
+
message: 'no.resource.types'
|
|
107
|
+
}
|
|
108
|
+
};
|
|
109
|
+
}
|
|
110
|
+
else if (resourceTypes.length > 1) {
|
|
111
|
+
return {
|
|
112
|
+
errors: {
|
|
113
|
+
message: 'multiple.resource.types'
|
|
114
|
+
}
|
|
115
|
+
};
|
|
116
|
+
}
|
|
117
|
+
}
|
|
118
|
+
const contextValues = await normalizeSimulationParameters(simulation);
|
|
119
|
+
const simulationResult = (0, coreSimulatorEngine_js_1.authorize)({
|
|
120
|
+
request: new request_js_1.AwsRequestImpl(simulation.request.principal, {
|
|
121
|
+
resource: simulation.request.resource.resource,
|
|
122
|
+
accountId: simulation.request.resource.accountId
|
|
123
|
+
}, simulation.request.action, new requestContext_js_1.RequestContextImpl(contextValues)),
|
|
124
|
+
identityPolicies,
|
|
125
|
+
serviceControlPolicies,
|
|
126
|
+
resourcePolicy
|
|
127
|
+
});
|
|
128
|
+
return {
|
|
129
|
+
result: {
|
|
130
|
+
evaluationResult: simulationResult
|
|
131
|
+
}
|
|
132
|
+
};
|
|
133
|
+
}
|
|
134
|
+
async function normalizeSimulationParameters(simulation) {
|
|
135
|
+
const [service, action] = simulation.request.action.split(":");
|
|
136
|
+
const resourceArn = simulation.request.resource.resource;
|
|
37
137
|
const contextVariablesForAction = new Set(await (0, contextKeys_js_1.allowedContextKeysForRequest)(service, action, resourceArn));
|
|
38
|
-
//
|
|
138
|
+
//Get the types of the context variables and set a string or array of strings based on that.
|
|
39
139
|
const allowedContextKeys = {};
|
|
40
140
|
for (const key of Object.keys(simulation.request.contextVariables)) {
|
|
41
|
-
|
|
42
|
-
|
|
141
|
+
const value = simulation.request.contextVariables[key];
|
|
142
|
+
const lowerCaseKey = key.toLowerCase();
|
|
143
|
+
if (contextVariablesForAction.has(lowerCaseKey)) {
|
|
144
|
+
const conditionType = await (0, util_js_1.typeForContextKey)(lowerCaseKey);
|
|
145
|
+
const normalizedKey = await (0, util_js_1.normalizeContextKeyCase)(lowerCaseKey);
|
|
146
|
+
if ((0, ConditionKeys_js_1.isConditionKeyArray)(conditionType)) {
|
|
147
|
+
allowedContextKeys[normalizedKey] = [value].flat();
|
|
148
|
+
}
|
|
149
|
+
else if (Array.isArray(value)) {
|
|
150
|
+
allowedContextKeys[normalizedKey] = value[0];
|
|
151
|
+
}
|
|
152
|
+
else {
|
|
153
|
+
allowedContextKeys[normalizedKey] = value;
|
|
154
|
+
}
|
|
43
155
|
}
|
|
44
156
|
}
|
|
45
|
-
|
|
46
|
-
return {};
|
|
157
|
+
return allowedContextKeys;
|
|
47
158
|
}
|
|
48
159
|
//# sourceMappingURL=simulationEngine.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"simulationEngine.js","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"simulationEngine.js","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":";;AAiCA,sCA+HC;AAED,sEA0BC;AA5LD,sDAA4E;AAC5E,0DAA8J;AAC9J,0DAA0D;AAC1D,kFAA0F;AAE1F,sDAAuD;AACvD,4DAA0D;AAC1D,wCAAyH;AACzH,qDAAgE;AAkBhE;;;;;;GAMG;AACI,KAAK,UAAU,aAAa,CAAC,UAAsB,EAAE,iBAA6C;IACvG,MAAM,oBAAoB,GAAsC,EAAE,CAAC;IACnE,MAAM,gBAAgB,GAAa,EAAE,CAAC;IACtC,UAAU,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE;QAC5C,MAAM,EAAC,IAAI,EAAE,MAAM,EAAC,GAAG,KAAK,CAAC;QAC7B,MAAM,gBAAgB,GAAG,IAAA,mCAAsB,EAAC,MAAM,CAAC,CAAC;QACxD,IAAG,gBAAgB,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;YAChC,gBAAgB,CAAC,IAAI,CAAC,IAAA,uBAAU,EAAC,MAAM,CAAC,CAAC,CAAC;QAC5C,CAAC;aAAM,CAAC;YACN,oBAAoB,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC;QAChD,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,MAAM,yBAAyB,GAAsC,EAAE,CAAC;IACxE,MAAM,sBAAsB,GAA6B,UAAU,CAAC,sBAAsB,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;QACrG,MAAM,IAAI,GAAG,GAAG,CAAC,aAAa,CAAC;QAC/B,MAAM,aAAa,GAAa,EAAE,CAAC;QAEnC,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE;YAC7B,MAAM,EAAC,IAAI,EAAE,MAAM,EAAC,GAAG,KAAK,CAAC;YAC7B,MAAM,gBAAgB,GAAG,IAAA,yCAA4B,EAAC,MAAM,CAAC,CAAC;YAC9D,IAAG,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC/B,yBAAyB,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC;YACrD,CAAC;iBAAM,CAAC;gBACN,aAAa,CAAC,IAAI,CAAC,IAAA,uBAAU,EAAC,MAAM,CAAC,CAAC,CAAC;YACzC,CAAC;QACH,CAAC,CAAC,CAAA;QAEF,OAAO;YACL,aAAa,EAAE,IAAI;YACnB,QAAQ,EAAE,aAAa;SACxB,CAAA;IACH,CAAC,CAAC,CAAA;IAEF,MAAM,oBAAoB,GAAG,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,IAAA,mCAAsB,EAAC,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAEhH,IAAG,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,MAAM,GAAG,CAAC;QAC5C,MAAM,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC,MAAM,GAAG,CAAC;QACjD,oBAAoB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnC,OAAO;YACL,MAAM,EAAE;gBACN,oBAAoB;gBACpB,yBAAyB;gBACzB,oBAAoB;gBACpB,OAAO,EAAE,eAAe;aACzB;SACF,CAAA;IACH,CAAC;IAED,MAAM,cAAc,GAAG,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,IAAA,uBAAU,EAAC,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAErG,IAAG,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,CAAC,EAAE,
CAAC;QACpD,OAAO;YACL,MAAM,EAAE;gBACN,OAAO,EAAE,gBAAgB;aAC1B;SACF,CAAA;IACH,CAAC;IAED,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,GAAG,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/D,MAAM,YAAY,GAAG,MAAM,IAAA,2BAAgB,EAAC,OAAO,CAAC,CAAC;IACrD,IAAG,CAAC,YAAY,EAAE,CAAC;QACjB,OAAO;YACL,MAAM,EAAE;gBACN,OAAO,EAAE,iBAAiB;aAC3B;SACF,CAAA;IACH,CAAC;IACD,MAAM,WAAW,GAAG,MAAM,IAAA,0BAAe,EAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC3D,IAAG,CAAC,WAAW,EAAE,CAAC;QAChB,OAAO;YACL,MAAM,EAAE;gBACN,OAAO,EAAE,gBAAgB;aAC1B;SACF,CAAA;IACH,CAAC;IAED,MAAM,WAAW,GAAG,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC;IACzD,MAAM,oBAAoB,GAAG,MAAM,IAAA,8BAAoB,EAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACzE,IAAG,oBAAoB,EAAE,CAAC;QACxB,IAAG,WAAW,KAAK,GAAG,EAAE,CAAC;YACvB,OAAO;gBACL,MAAM,EAAE;oBACN,OAAO,EAAE,mBAAmB;iBAC7B;aACF,CAAA;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,MAAM,aAAa,GAAG,MAAM,IAAA,mCAAyB,EAAC,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC;QACpF,IAAG,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC9B,OAAO;gBACL,MAAM,EAAE;oBACN,OAAO,EAAE,mBAAmB;iBAC7B;aAEF,CAAA;QACH,CAAC;aAAM,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpC,OAAO;gBACL,MAAM,EAAE;oBACN,OAAO,EAAE,yBAAyB;iBACnC;aACF,CAAA;QACH,CAAC;IACH,CAAC;IAED,MAAM,aAAa,GAAG,MAAM,6BAA6B,CAAC,UAAU,CAAC,CAAC;IAEtE,MAAM,gBAAgB,GAAG,IAAA,kCAAS,EAAC;QACjC,OAAO,EAAE,IAAI,2BAAc,CACzB,UAAU,CAAC,OAAO,CAAC,SAAS,EAC5B;YACE,QAAQ,EAAE,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ;YAC9C,SAAS,EAAE,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS;SACjD,EACD,UAAU,CAAC,OAAO,CAAC,MAAM,EACzB,IAAI,sCAAkB,CAAC,aAAa,CAAC,CACtC;QACD,gBAAgB;QAChB,sBAAsB;QACtB,cAAc;KACf,CAAC,CAAA;IAEF,OAAO;QACL,MAAM,EAAE;YACN,gBAAgB,EAAE,gBAAgB;SACnC;KACF,CAAA;AACH,CAAC;AAEM,KAAK,UAAU,6BAA6B,CAAC,UAAsB;IACxE,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,GAAG,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/D,MAAM,WAAW,GAAG,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC;IACzD,MAAM,yBAAyB,GAAG,IAAI,GAAG,CAAC,MAAM,IAAA,6CAA4B,EAAC,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC,CAAA;IAE3G,4FAA4F;IAC5F,MAAM,kBAAkB,GAAsC,EAAE,CAAC;IACjE,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,gBAAgB
,CAAC,EAAE,CAAC;QACnE,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC;QACvD,MAAM,YAAY,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;QACvC,IAAI,yBAAyB,CAAC,GAAG,CAAC,YAAY,CAAC,EAAE,CAAC;YAEhD,MAAM,aAAa,GAAG,MAAM,IAAA,2BAAiB,EAAC,YAAY,CAAC,CAAC;YAC5D,MAAM,aAAa,GAAG,MAAM,IAAA,iCAAuB,EAAC,YAAY,CAAC,CAAC;YAElE,IAAG,IAAA,sCAAmB,EAAC,aAAa,CAAC,EAAE,CAAC;gBACtC,kBAAkB,CAAC,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC;YACrD,CAAC;iBAAM,IAAG,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC/B,kBAAkB,CAAC,aAAa,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAC/C,CAAC;iBAAM,CAAC;gBACN,kBAAkB,CAAC,aAAa,CAAC,GAAG,KAAK,CAAC;YAC5C,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,kBAAkB,CAAA;AAC3B,CAAC"}
|
|
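--- a/package/dist/cjs/simulation_engine/unsafeSimulationEngine.d.ts
+++ b/package/dist/cjs/simulation_engine/unsafeSimulationEngine.d.ts
@@ -2,7 +2,7 @@ import { type EvaluationResult } from "../evaluate.js";
 import { Simulation } from "./simulation.js";
 import { SimulationOptions } from "./simulationOptions.js";
 /**
- * Runs a simulation without input validation or context
+ * Runs a simulation without input validation or context variable verification.
  * Use this if you know what you're doing.
  *
  * @param simulation The simulation to run.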
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"unsafeSimulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/unsafeSimulationEngine.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAGvD,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC7C,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAE3D;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,UAAU,EAAE,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAAG,gBAAgB,
|
|
1
|
+
{"version":3,"file":"unsafeSimulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/unsafeSimulationEngine.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAGvD,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC7C,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAE3D;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,UAAU,EAAE,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAAG,gBAAgB,CAuB3H"}
|
|
@@ -6,7 +6,7 @@ const coreSimulatorEngine_js_1 = require("../core_engine/coreSimulatorEngine.js"
|
|
|
6
6
|
const request_js_1 = require("../request/request.js");
|
|
7
7
|
const requestContext_js_1 = require("../requestContext.js");
|
|
8
8
|
/**
|
|
9
|
-
* Runs a simulation without input validation or context
|
|
9
|
+
* Runs a simulation without input validation or context variable verification.
|
|
10
10
|
* Use this if you know what you're doing.
|
|
11
11
|
*
|
|
12
12
|
* @param simulation The simulation to run.
|
|
@@ -14,8 +14,15 @@ const requestContext_js_1 = require("../requestContext.js");
|
|
|
14
14
|
* @returns The result of the simulation.
|
|
15
15
|
*/
|
|
16
16
|
function runUnsafeSimulation(simulation, simulationOptions) {
|
|
17
|
-
|
|
18
|
-
const
|
|
17
|
+
const identityPolicies = Object.values(simulation.identityPolicies).map(p => (0, iam_policy_1.loadPolicy)(p.policy));
|
|
18
|
+
const serviceControlPolicies = simulation.serviceControlPolicies.map((scp) => {
|
|
19
|
+
const ouId = scp.orgIdentifier;
|
|
20
|
+
const policies = scp.policies.map(val => (0, iam_policy_1.loadPolicy)(val.policy));
|
|
21
|
+
return {
|
|
22
|
+
orgIdentifier: ouId,
|
|
23
|
+
policies: policies
|
|
24
|
+
};
|
|
25
|
+
});
|
|
19
26
|
const requestContext = new requestContext_js_1.RequestContextImpl(simulation.request.contextVariables);
|
|
20
27
|
const request = new request_js_1.AwsRequestImpl(simulation.request.principal, {
|
|
21
28
|
resource: simulation.request.resource.resource,
|
|
@@ -23,7 +30,9 @@ function runUnsafeSimulation(simulation, simulationOptions) {
|
|
|
23
30
|
}, simulation.request.action, requestContext);
|
|
24
31
|
return (0, coreSimulatorEngine_js_1.authorize)({
|
|
25
32
|
request,
|
|
26
|
-
identityPolicies
|
|
33
|
+
identityPolicies,
|
|
34
|
+
serviceControlPolicies,
|
|
35
|
+
resourcePolicy: simulation.resourcePolicy ? (0, iam_policy_1.loadPolicy)(simulation.resourcePolicy) : undefined
|
|
27
36
|
});
|
|
28
37
|
}
|
|
29
38
|
//# sourceMappingURL=unsafeSimulationEngine.js.map
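Review bot: The reworded doc comment at the top of the section (`* Runs a simulation without input validation or context variable verification.`) understates what is skipped: the new body (lines 17–26 of the file) also hands `simulation.request.contextVariables` straight to `RequestContextImpl`, so the key-case normalization and the array-vs-scalar coercion that the validated engine performs are not applied here, and a caller supplying `aws:sourceip` or a one-element array for a scalar key may get a different verdict from the two engines, depending on how `RequestContextImpl` looks keys up. I would state that contract in the comment: ` * Policies are loaded without validation and context variables are used as given: keys are not case-normalized and values are not coerced to the key's declared type, so supply them exactly as the condition evaluator expects.` `simulationOptions` is not referenced on any visible line of the body; if it is unused, its `@param` should say so rather than imply it has an effect. The function's body spans the second and third hunks, and the line between them (new line 29) is outside the view.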
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"unsafeSimulationEngine.js","sourceRoot":"","sources":["../../../src/simulation_engine/unsafeSimulationEngine.ts"],"names":[],"mappings":";;AAgBA,
|
|
1
|
+
{"version":3,"file":"unsafeSimulationEngine.js","sourceRoot":"","sources":["../../../src/simulation_engine/unsafeSimulationEngine.ts"],"names":[],"mappings":";;AAgBA,kDAuBC;AAvCD,0DAAuD;AACvD,kFAA0F;AAE1F,sDAAuD;AACvD,4DAA0D;AAI1D;;;;;;;GAOG;AACH,SAAgB,mBAAmB,CAAC,UAAsB,EAAE,iBAA6C;IACvG,MAAM,gBAAgB,GAAG,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAA,uBAAU,EAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;IACnG,MAAM,sBAAsB,GAA6B,UAAU,CAAC,sBAAsB,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;QACrG,MAAM,IAAI,GAAG,GAAG,CAAC,aAAa,CAAC;QAC/B,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,IAAA,uBAAU,EAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC;QAEjE,OAAO;YACL,aAAa,EAAE,IAAI;YACnB,QAAQ,EAAE,QAAQ;SACnB,CAAA;IACH,CAAC,CAAC,CAAA;IACF,MAAM,cAAc,GAAG,IAAI,sCAAkB,CAAC,UAAU,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAA;IAClF,MAAM,OAAO,GAAG,IAAI,2BAAc,CAAC,UAAU,CAAC,OAAO,CAAC,SAAS,EAAE;QAC/D,QAAQ,EAAE,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ;QAC9C,SAAS,EAAE,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS;KACjD,EAAE,UAAU,CAAC,OAAO,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;IAE9C,OAAO,IAAA,kCAAS,EAAC;QACf,OAAO;QACP,gBAAgB;QAChB,sBAAsB;QACtB,cAAc,EAAE,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,IAAA,uBAAU,EAAC,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,SAAS;KAC9F,CAAC,CAAC;AACL,CAAC"}
|