@cloud-copilot/iam-simulate 0.1.5 → 0.1.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (113) hide show
  1. package/dist/cjs/ConditionKeys.d.ts +19 -0
  2. package/dist/cjs/ConditionKeys.d.ts.map +1 -0
  3. package/dist/cjs/ConditionKeys.js +27 -0
  4. package/dist/cjs/ConditionKeys.js.map +1 -0
  5. package/dist/cjs/SCPAnalysis.d.ts +6 -0
  6. package/dist/cjs/SCPAnalysis.d.ts.map +1 -0
  7. package/dist/cjs/SCPAnalysis.js +3 -0
  8. package/dist/cjs/SCPAnalysis.js.map +1 -0
  9. package/dist/cjs/context_keys/findContextKeys.d.ts +19 -0
  10. package/dist/cjs/context_keys/findContextKeys.d.ts.map +1 -0
  11. package/dist/cjs/context_keys/findContextKeys.js +57 -0
  12. package/dist/cjs/context_keys/findContextKeys.js.map +1 -0
  13. package/dist/cjs/core_engine/coreSimulatorEngine.d.ts +39 -0
  14. package/dist/cjs/core_engine/coreSimulatorEngine.d.ts.map +1 -1
  15. package/dist/cjs/core_engine/coreSimulatorEngine.js +56 -0
  16. package/dist/cjs/core_engine/coreSimulatorEngine.js.map +1 -1
  17. package/dist/cjs/evaluate.d.ts +1 -0
  18. package/dist/cjs/evaluate.d.ts.map +1 -1
  19. package/dist/cjs/global_conditions/globalConditionKeys.d.ts +9 -1
  20. package/dist/cjs/global_conditions/globalConditionKeys.d.ts.map +1 -1
  21. package/dist/cjs/global_conditions/globalConditionKeys.js +78 -50
  22. package/dist/cjs/global_conditions/globalConditionKeys.js.map +1 -1
  23. package/dist/cjs/index.d.ts +4 -0
  24. package/dist/cjs/index.d.ts.map +1 -1
  25. package/dist/cjs/index.js +10 -1
  26. package/dist/cjs/index.js.map +1 -1
  27. package/dist/cjs/principal/principal.d.ts +9 -1
  28. package/dist/cjs/principal/principal.d.ts.map +1 -1
  29. package/dist/cjs/principal/principal.js +17 -0
  30. package/dist/cjs/principal/principal.js.map +1 -1
  31. package/dist/cjs/request/requestPrincipal.d.ts.map +1 -1
  32. package/dist/cjs/request/requestPrincipal.js.map +1 -1
  33. package/dist/cjs/services/DefaultServiceAuthorizer.d.ts +30 -1
  34. package/dist/cjs/services/DefaultServiceAuthorizer.d.ts.map +1 -1
  35. package/dist/cjs/services/DefaultServiceAuthorizer.js +93 -7
  36. package/dist/cjs/services/DefaultServiceAuthorizer.js.map +1 -1
  37. package/dist/cjs/services/ServiceAuthorizer.d.ts +3 -0
  38. package/dist/cjs/services/ServiceAuthorizer.d.ts.map +1 -1
  39. package/dist/cjs/simulation_engine/contextKeys.d.ts +9 -1
  40. package/dist/cjs/simulation_engine/contextKeys.d.ts.map +1 -1
  41. package/dist/cjs/simulation_engine/contextKeys.js +27 -40
  42. package/dist/cjs/simulation_engine/contextKeys.js.map +1 -1
  43. package/dist/cjs/simulation_engine/simulation.d.ts +12 -1
  44. package/dist/cjs/simulation_engine/simulation.d.ts.map +1 -1
  45. package/dist/cjs/simulation_engine/simulationEngine.d.ts +15 -0
  46. package/dist/cjs/simulation_engine/simulationEngine.d.ts.map +1 -1
  47. package/dist/cjs/simulation_engine/simulationEngine.js +126 -15
  48. package/dist/cjs/simulation_engine/simulationEngine.js.map +1 -1
  49. package/dist/cjs/simulation_engine/unsafeSimulationEngine.d.ts +1 -1
  50. package/dist/cjs/simulation_engine/unsafeSimulationEngine.d.ts.map +1 -1
  51. package/dist/cjs/simulation_engine/unsafeSimulationEngine.js +13 -4
  52. package/dist/cjs/simulation_engine/unsafeSimulationEngine.js.map +1 -1
  53. package/dist/cjs/util.d.ts +69 -0
  54. package/dist/cjs/util.d.ts.map +1 -1
  55. package/dist/cjs/util.js +166 -0
  56. package/dist/cjs/util.js.map +1 -1
  57. package/dist/esm/ConditionKeys.d.ts +19 -0
  58. package/dist/esm/ConditionKeys.d.ts.map +1 -0
  59. package/dist/esm/ConditionKeys.js +23 -0
  60. package/dist/esm/ConditionKeys.js.map +1 -0
  61. package/dist/esm/SCPAnalysis.d.ts +6 -0
  62. package/dist/esm/SCPAnalysis.d.ts.map +1 -0
  63. package/dist/esm/SCPAnalysis.js +2 -0
  64. package/dist/esm/SCPAnalysis.js.map +1 -0
  65. package/dist/esm/context_keys/findContextKeys.d.ts +19 -0
  66. package/dist/esm/context_keys/findContextKeys.d.ts.map +1 -0
  67. package/dist/esm/context_keys/findContextKeys.js +53 -0
  68. package/dist/esm/context_keys/findContextKeys.js.map +1 -0
  69. package/dist/esm/core_engine/coreSimulatorEngine.d.ts +39 -0
  70. package/dist/esm/core_engine/coreSimulatorEngine.d.ts.map +1 -1
  71. package/dist/esm/core_engine/coreSimulatorEngine.js +54 -0
  72. package/dist/esm/core_engine/coreSimulatorEngine.js.map +1 -1
  73. package/dist/esm/evaluate.d.ts +1 -0
  74. package/dist/esm/evaluate.d.ts.map +1 -1
  75. package/dist/esm/global_conditions/globalConditionKeys.d.ts +9 -1
  76. package/dist/esm/global_conditions/globalConditionKeys.d.ts.map +1 -1
  77. package/dist/esm/global_conditions/globalConditionKeys.js +76 -50
  78. package/dist/esm/global_conditions/globalConditionKeys.js.map +1 -1
  79. package/dist/esm/index.d.ts +4 -0
  80. package/dist/esm/index.d.ts.map +1 -1
  81. package/dist/esm/index.js +4 -0
  82. package/dist/esm/index.js.map +1 -1
  83. package/dist/esm/principal/principal.d.ts +9 -1
  84. package/dist/esm/principal/principal.d.ts.map +1 -1
  85. package/dist/esm/principal/principal.js +16 -0
  86. package/dist/esm/principal/principal.js.map +1 -1
  87. package/dist/esm/request/requestPrincipal.d.ts.map +1 -1
  88. package/dist/esm/request/requestPrincipal.js.map +1 -1
  89. package/dist/esm/services/DefaultServiceAuthorizer.d.ts +30 -1
  90. package/dist/esm/services/DefaultServiceAuthorizer.d.ts.map +1 -1
  91. package/dist/esm/services/DefaultServiceAuthorizer.js +93 -7
  92. package/dist/esm/services/DefaultServiceAuthorizer.js.map +1 -1
  93. package/dist/esm/services/ServiceAuthorizer.d.ts +3 -0
  94. package/dist/esm/services/ServiceAuthorizer.d.ts.map +1 -1
  95. package/dist/esm/simulation_engine/contextKeys.d.ts +9 -1
  96. package/dist/esm/simulation_engine/contextKeys.d.ts.map +1 -1
  97. package/dist/esm/simulation_engine/contextKeys.js +28 -40
  98. package/dist/esm/simulation_engine/contextKeys.js.map +1 -1
  99. package/dist/esm/simulation_engine/simulation.d.ts +12 -1
  100. package/dist/esm/simulation_engine/simulation.d.ts.map +1 -1
  101. package/dist/esm/simulation_engine/simulationEngine.d.ts +15 -0
  102. package/dist/esm/simulation_engine/simulationEngine.d.ts.map +1 -1
  103. package/dist/esm/simulation_engine/simulationEngine.js +126 -16
  104. package/dist/esm/simulation_engine/simulationEngine.js.map +1 -1
  105. package/dist/esm/simulation_engine/unsafeSimulationEngine.d.ts +1 -1
  106. package/dist/esm/simulation_engine/unsafeSimulationEngine.d.ts.map +1 -1
  107. package/dist/esm/simulation_engine/unsafeSimulationEngine.js +13 -4
  108. package/dist/esm/simulation_engine/unsafeSimulationEngine.js.map +1 -1
  109. package/dist/esm/util.d.ts +69 -0
  110. package/dist/esm/util.d.ts.map +1 -1
  111. package/dist/esm/util.js +158 -0
  112. package/dist/esm/util.js.map +1 -1
  113. package/package.json +1 -1
@@ -1,27 +1,81 @@
1
1
  "use strict";
2
2
  Object.defineProperty(exports, "__esModule", { value: true });
3
3
  exports.DefaultServiceAuthorizer = void 0;
4
+ /**
5
+ * The default authorizer for services.
6
+ */
4
7
  class DefaultServiceAuthorizer {
5
8
  authorize(request) {
9
+ const scpResult = this.serviceControlPolicyResult(request);
6
10
  const identityStatementResult = this.identityStatementResult(request);
11
+ const resourcePolicyResult = this.resourcePolicyResult(request);
7
12
  const principalAccount = request.request.principal.accountId();
8
13
  const resourceAccount = request.request.resource?.accountId();
14
+ if (scpResult !== 'Allowed') {
15
+ return scpResult;
16
+ }
17
+ if (resourcePolicyResult === 'ExplicitlyDenied' || resourcePolicyResult === 'DeniedForAccount') {
18
+ return 'ExplicitlyDenied';
19
+ }
20
+ if (identityStatementResult === 'ExplicitlyDenied') {
21
+ return 'ExplicitlyDenied';
22
+ }
23
+ //Same Account
24
+ if (principalAccount === resourceAccount) {
25
+ if (resourcePolicyResult === 'Allowed' || resourcePolicyResult === 'AllowedForAccount' || identityStatementResult === 'Allowed') {
26
+ return 'Allowed';
27
+ }
28
+ return 'ImplicitlyDenied';
29
+ }
30
+ //Cross Account
31
+ if (resourcePolicyResult === 'Allowed' || resourcePolicyResult === 'AllowedForAccount') {
32
+ if (identityStatementResult === 'Allowed') {
33
+ return 'Allowed';
34
+ }
35
+ return 'ImplicitlyDenied';
36
+ }
37
+ return 'ImplicitlyDenied';
9
38
  /**
10
39
  * Add checks for:
11
- * * resource policies
12
- * * service control policies
40
+ * * root user
41
+ * * service linked roles
42
+ * * resource control policies
13
43
  * * boundary policies
14
44
  * * vpc endpoint policies
15
45
  * * session policies (maybe these are just part of identity policies?)
16
46
  */
17
- if (identityStatementResult === 'Allowed') {
18
- if (principalAccount === resourceAccount) {
19
- return identityStatementResult;
20
- }
47
+ }
48
+ /**
49
+ * Determine the result of the SCP analysis.
50
+ *
51
+ * @param request The request to authorize.
52
+ * @returns The result of the SCP analysis.
53
+ */
54
+ serviceControlPolicyResult(request) {
55
+ const orgAllows = request.scpAnalysis.map((scpAnalysis) => {
56
+ return scpAnalysis.statementAnalysis.some((statement) => {
57
+ return this.identityStatementAllows(statement);
58
+ });
59
+ });
60
+ if (orgAllows.includes(false)) {
21
61
  return 'ImplicitlyDenied';
22
62
  }
23
- return identityStatementResult;
63
+ const anyScpDeny = request.scpAnalysis.some((scpAnalysis) => {
64
+ return scpAnalysis.statementAnalysis.some((statement) => {
65
+ return this.identityStatementExplicitDeny(statement);
66
+ });
67
+ });
68
+ if (anyScpDeny) {
69
+ return 'ExplicitlyDenied';
70
+ }
71
+ return 'Allowed';
24
72
  }
73
+ /**
74
+ * Evaluate the identity statements to determine the result.
75
+ *
76
+ * @param request The request to authorize.
77
+ * @returns The result of the identity statement analysis.
78
+ */
25
79
  identityStatementResult(request) {
26
80
  const explicitDeny = request.identityStatements.some(s => this.identityStatementExplicitDeny(s));
27
81
  if (explicitDeny) {
@@ -38,6 +92,38 @@ class DefaultServiceAuthorizer {
38
92
  }
39
93
  return 'ImplicitlyDenied';
40
94
  }
95
+ /**
96
+ * Evaluate the resource policy to determine the result.
97
+ *
98
+ * @param request the request to authorize
99
+ * @returns the result of the resource policy analysis
100
+ */
101
+ resourcePolicyResult(request) {
102
+ if (!request.resourceAnalysis) {
103
+ return 'NotApplicable';
104
+ }
105
+ const denyStatements = request.resourceAnalysis.filter(s => this.identityStatementExplicitDeny(s));
106
+ if (denyStatements.some(s => s.principalMatch === 'Match')) {
107
+ return 'ExplicitlyDenied';
108
+ }
109
+ if (denyStatements.some(s => s.principalMatch === 'AccountLevelMatch')) {
110
+ return 'DeniedForAccount';
111
+ }
112
+ const allowStatements = request.resourceAnalysis.filter(s => this.identityStatementAllows(s));
113
+ if (allowStatements.some(s => s.principalMatch === 'Match')) {
114
+ return 'Allowed';
115
+ }
116
+ if (allowStatements.some(s => s.principalMatch === 'AccountLevelMatch')) {
117
+ return 'AllowedForAccount';
118
+ }
119
+ return 'ImplicityDenied';
120
+ }
121
+ /**
122
+ * Checks if a statement is an identity statement that allows the request.
123
+ *
124
+ * @param statement The statement to check.
125
+ * @returns Whether the statement is an identity statement that allows the request.
126
+ */
41
127
  identityStatementAllows(statement) {
42
128
  if (statement.resourceMatch &&
43
129
  statement.actionMatch &&
@@ -1 +1 @@
1
- {"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":";;;AAIA,MAAa,wBAAwB;IAC5B,SAAS,CAAC,OAAoC;QACnD,MAAM,uBAAuB,GAAG,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC,CAAC;QACtE,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;QAC7D;;;;;;;WAOG;QACH,IAAG,uBAAuB,KAAK,SAAS,EAAE,CAAC;YACzC,IAAG,gBAAgB,KAAK,eAAe,EAAE,CAAC;gBACxC,OAAO,uBAAuB,CAAA;YAChC,CAAC;YACD,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QACD,OAAO,uBAAuB,CAAC;IACjC,CAAC;IAEM,uBAAuB,CAAC,OAAoC;QACjE,MAAM,YAAY,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC,CAAC,CAAC,CAAC;QACjG,IAAG,YAAY,EAAE,CAAC;YAChB,OAAO,kBAAkB,CAAC;QAC5B,CAAC;QAED,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC,CAAC,CAAC,CAAC;QAC5F,MAAM,YAAY,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/F,IAAG,aAAa,EAAE,CAAC;YACjB,OAAO,YAAY,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;QAC9C,CAAC;QAED,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC,CAAC,CAAC,CAAC;QACjG,IAAG,aAAa,EAAE,CAAC;YACjB,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,OAAO,kBAAkB,CAAA;IAC3B,CAAC;IAEM,uBAAuB,CAAC,SAA4B;QACzD,IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAAK,OAAO;YACpC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,OAAO,EAAE,CAAC;YACzC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAEM,4BAA4B,CAAC,SAA4B;QAC9D,IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAAK,SAAS;YACtC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,OAAO,EAAE,CAAC;YACzC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAEM,2BAA2B,CAAC,SAA4B;QAC7D,IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAAK,SAAS;YACtC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,MAAM,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAEM,6BAA6B,CAAC,SAA4B;QAC/D,IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAAK,OAAO;YACpC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,MAAM,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;CACF;AAjFD,4DAiFC"}
1
+ {"version":3,"file":"DefaultServiceAuthorizer.js","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":";;;AAIA;;GAEG;AACH,MAAa,wBAAwB;IAC5B,SAAS,CAAC,OAAoC;QACnD,MAAM,SAAS,GAAG,IAAI,CAAC,0BAA0B,CAAC,OAAO,CAAC,CAAC;QAC3D,MAAM,uBAAuB,GAAG,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC,CAAC;QACtE,MAAM,oBAAoB,GAAG,IAAI,CAAC,oBAAoB,CAAC,OAAO,CAAC,CAAC;QAEhE,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,CAAA;QAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAA;QAE7D,IAAG,SAAS,KAAK,SAAS,EAAE,CAAC;YAC3B,OAAO,SAAS,CAAA;QAClB,CAAC;QAED,IAAG,oBAAoB,KAAK,kBAAkB,IAAI,oBAAoB,KAAK,kBAAkB,EAAE,CAAC;YAC9F,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,IAAG,uBAAuB,KAAK,kBAAkB,EAAE,CAAC;YAClD,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,cAAc;QACd,IAAG,gBAAgB,KAAK,eAAe,EAAE,CAAC;YACxC,IAAG,oBAAoB,KAAK,SAAS,IAAI,oBAAoB,KAAK,mBAAmB,IAAI,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBAC/H,OAAO,SAAS,CAAA;YAClB,CAAC;YACD,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,eAAe;QACf,IAAG,oBAAoB,KAAK,SAAS,IAAI,oBAAoB,KAAK,mBAAmB,EAAE,CAAC;YACtF,IAAG,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBACzC,OAAO,SAAS,CAAA;YAClB,CAAC;YACD,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,OAAO,kBAAkB,CAAA;QAEzB;;;;;;;;WAQG;IACL,CAAC;IAED;;;;;OAKG;IACI,0BAA0B,CAAC,OAAoC;QACpE,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,EAAE;YACxD,OAAO,WAAW,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE;gBACtD,OAAO,IAAI,CAAC,uBAAuB,CAAC,SAAS,CAAC,CAAA;YAChD,CAAC,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;QAEF,IAAG,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAC7B,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,MAAM,UAAU,GAAG,OAAO,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,EAAE;YAC1D,OAAO,WAAW,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE;gBACtD,OAAO,IAAI,CAAC,6BAA6B,CAAC,SAAS,CAAC,CAAA;YACtD,CAAC,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;QAEF,IAAG,UAAU,EAAE,CAAC;YACd,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,OAAO,SAAS,CAAA;IAClB,CAAC;IAED;;;;;OAKG;IACI,uBAAuB,CAAC,OAAoC;QACjE,MAAM,YAAY,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC,CAAC,CAAC,CAAC;QACjG,IAAG,YAAY,EAAE,CAAC;YAChB,OAAO,kBAAkB,CAAC;QAC5B,CAAC;QAED,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC,CAAC,CAAC,CAAC;QAC5F,MAAM,YAAY,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/F,IAAG,aAAa,EAAE,CAAC;YACjB,OAAO,YAAY,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;QAC9C,CAAC;QAED,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC,CAAC,CAAC,CAAC;QACjG,IAAG,aAAa,EAAE,CAAC;YACjB,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,OAAO,kBAAkB,CAAA;IAC3B,CAAC;IAED;;;;;OAKG;IACI,oBAAoB,CAAC,OAAoC;QAC9D,IAAG,CAAC,OAAO,CAAC,gBAAgB,EAAE,CAAC;YAC7B,OAAO,eAAe,CAAA;QACxB,CAAC;QAED,MAAM,cAAc,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC,CAAC,CAAC,CAAC;QACnG,IAAG,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,OAAO,CAAC,EAAE,CAAC;YAC1D,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QACD,IAAG,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,mBAAmB,CAAC,EAAE,CAAC;YACtE,OAAO,kBAAkB,CAAA;QAC3B,CAAC;QAED,MAAM,eAAe,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC,CAAC,CAAC,CAAC;QAC9F,IAAG,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,OAAO,CAAC,EAAE,CAAC;YAC3D,OAAO,SAAS,CAAA;QAClB,CAAC;QACD,IAAG,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,mBAAmB,CAAC,EAAE,CAAC;YACvE,OAAO,mBAAmB,CAAA;QAC5B,CAAC;QAED,OAAO,iBAAiB,CAAA;IAE1B,CAAC;IAED;;;;;OAKG;IACI,uBAAuB,CAAC,SAA4B;QACzD,IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAAK,OAAO;YACpC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,OAAO,EAAE,CAAC;YACzC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAEM,4BAA4B,CAAC,SAA4B;QAC9D,IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAAK,SAAS;YACtC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,OAAO,EAAE,CAAC;YACzC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAEM,2BAA2B,CAAC,SAA4B;QAC7D,IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAAK,SAAS;YACtC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,MAAM,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAEM,6BAA6B,CAAC,SAA4B;QAC/D,IAAG,SAAS,CAAC,aAAa;YACxB,SAAS,CAAC,WAAW;YACrB,SAAS,CAAC,cAAc,KAAK,OAAO;YACpC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,MAAM,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;CACF;AAtLD,4DAsLC"}
@@ -1,9 +1,12 @@
1
1
  import { EvaluationResult } from "../evaluate.js";
2
2
  import { AwsRequest } from "../request/request.js";
3
+ import { SCPAnalysis } from "../SCPAnalysis.js";
3
4
  import { StatementAnalysis } from "../StatementAnalysis.js";
4
5
  export interface ServiceAuthorizationRequest {
5
6
  request: AwsRequest;
6
7
  identityStatements: StatementAnalysis[];
8
+ scpAnalysis: SCPAnalysis[];
9
+ resourceAnalysis: StatementAnalysis[];
7
10
  }
8
11
  export interface ServiceAuthorizer {
9
12
  authorize(request: ServiceAuthorizationRequest): EvaluationResult;
@@ -1 +1 @@
1
- {"version":3,"file":"ServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/ServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAE5D,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,UAAU,CAAC;IACpB,kBAAkB,EAAE,iBAAiB,EAAE,CAAC;CACzC;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,gBAAgB,CAAA;CAClE"}
1
+ {"version":3,"file":"ServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/ServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAE5D,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,UAAU,CAAC;IACpB,kBAAkB,EAAE,iBAAiB,EAAE,CAAC;IACxC,WAAW,EAAE,WAAW,EAAE,CAAC;IAC3B,gBAAgB,EAAE,iBAAiB,EAAE,CAAC;CACvC;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,gBAAgB,CAAA;CAClE"}
@@ -1,3 +1,11 @@
1
+ /**
2
+ * Get the allowed context keys for a request.
3
+ *
4
+ * @param service The service the action belongs to
5
+ * @param action The action to get the allowed context keys for
6
+ * @param resource The resource the action is being performed on
7
+ * @returns The allowed context keys for the request as lower case strings
8
+ * @throws error if the service or action does not exist
9
+ */
1
10
  export declare function allowedContextKeysForRequest(service: string, action: string, resource: string): Promise<string[]>;
2
- export declare function convertPatternToRegex(pattern: string): string;
3
11
  //# sourceMappingURL=contextKeys.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"contextKeys.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/contextKeys.ts"],"names":[],"mappings":"AAEA,wBAAsB,4BAA4B,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CA4BvH;AAED,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAsB7D"}
1
+ {"version":3,"file":"contextKeys.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/contextKeys.ts"],"names":[],"mappings":"AAIA;;;;;;;;GAQG;AACH,wBAAsB,4BAA4B,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAyBvH"}
@@ -1,53 +1,40 @@
1
1
  "use strict";
2
2
  Object.defineProperty(exports, "__esModule", { value: true });
3
3
  exports.allowedContextKeysForRequest = allowedContextKeysForRequest;
4
- exports.convertPatternToRegex = convertPatternToRegex;
5
4
  const iam_data_1 = require("@cloud-copilot/iam-data");
5
+ const globalConditionKeys_js_1 = require("../global_conditions/globalConditionKeys.js");
6
+ const util_js_1 = require("../util.js");
7
+ /**
8
+ * Get the allowed context keys for a request.
9
+ *
10
+ * @param service The service the action belongs to
11
+ * @param action The action to get the allowed context keys for
12
+ * @param resource The resource the action is being performed on
13
+ * @returns The allowed context keys for the request as lower case strings
14
+ * @throws error if the service or action does not exist
15
+ */
6
16
  async function allowedContextKeysForRequest(service, action, resource) {
7
17
  const actionDetails = await (0, iam_data_1.iamActionDetails)(service, action);
8
- const actionConditionKeys = actionDetails.conditionKeys;
9
- if (actionDetails.resourceTypes.length === 0) {
10
- return actionConditionKeys;
18
+ const actionConditionKeys = (0, util_js_1.lowerCaseAll)(actionDetails.conditionKeys);
19
+ const isWildCardOnly = await (0, util_js_1.isWildcardOnlyAction)(service, action);
20
+ if (isWildCardOnly) {
21
+ return [
22
+ ...actionConditionKeys,
23
+ ...(0, globalConditionKeys_js_1.allGlobalConditionKeys)()
24
+ ];
11
25
  }
12
- const matchingResourceTypes = [];
13
- for (const rt of actionDetails.resourceTypes) {
14
- const resourceType = await (0, iam_data_1.iamResourceTypeDetails)(service, rt.name);
15
- const pattern = convertPatternToRegex(resourceType.arn);
16
- const match = resource.match(new RegExp(pattern));
17
- if (match) {
18
- matchingResourceTypes.push(resourceType);
19
- }
26
+ const resourceTypes = await (0, util_js_1.getResourceTypesForAction)(service, action, resource);
27
+ if (resourceTypes.length === 0) {
28
+ throw new Error(`No resource types found for action ${action} on service ${service}`);
20
29
  }
21
- if (matchingResourceTypes.length != 1) {
22
- const matchNames = matchingResourceTypes.map(rt => rt.key).join(", ");
23
- throw new Error(`found ${matchingResourceTypes.length} matching resource types for ${resource}: ${matchNames}`);
30
+ else if (resourceTypes.length > 1) {
31
+ throw new Error(`Multiple resource types found for action ${action} on service ${service}`);
24
32
  }
25
- console.log(matchingResourceTypes[0].key);
33
+ const resourceTypeConditions = actionDetails.resourceTypes.find(rt => rt.name === resourceTypes[0].key).conditionKeys;
26
34
  return [
27
- ...matchingResourceTypes[0].conditionKeys,
28
- ...actionConditionKeys
35
+ ...(0, util_js_1.lowerCaseAll)(resourceTypeConditions),
36
+ ...actionConditionKeys,
37
+ ...(0, globalConditionKeys_js_1.allGlobalConditionKeys)()
29
38
  ];
30
39
  }
31
- function convertPatternToRegex(pattern) {
32
- const regex = pattern.replace(/\$\{.*?\}/g, (match) => {
33
- const name = match.substring(2, match.length - 1);
34
- const camelName = name.at(0)?.toLowerCase() + name.substring(1);
35
- return `(?<${camelName}>(.*?))`;
36
- });
37
- return `^${regex}$`;
38
- // const parts = pattern.split('/')
39
- // const lastPart = parts[parts.length - 1]
40
- // const modifiedParts = parts.map((part) => {
41
- // if (part.startsWith('${') && part.endsWith('}')) {
42
- // const name = part.substring(2, part.length - 1)
43
- // const camelName = name.at(0)?.toLowerCase() + name.substring(1)
44
- // if (part === lastPart) {
45
- // return `(?<${camelName}>(.*))`
46
- // }
47
- // return `(?<${camelName}>([^\/]+))`
48
- // }
49
- // return part
50
- // })
51
- // return modifiedParts.join('\/')
52
- }
53
40
  //# sourceMappingURL=contextKeys.js.map
@@ -1 +1 @@
1
- {"version":3,"file":"contextKeys.js","sourceRoot":"","sources":["../../../src/simulation_engine/contextKeys.ts"],"names":[],"mappings":";;AAEA,oEA4BC;AAED,sDAsBC;AAtDD,sDAAiG;AAE1F,KAAK,UAAU,4BAA4B,CAAC,OAAe,EAAE,MAAc,EAAE,QAAgB;IAClG,MAAM,aAAa,GAAG,MAAM,IAAA,2BAAgB,EAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC9D,MAAM,mBAAmB,GAAG,aAAa,CAAC,aAAa,CAAC;IACxD,IAAG,aAAa,CAAC,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5C,OAAO,mBAAmB,CAAA;IAC5B,CAAC;IAED,MAAM,qBAAqB,GAAmB,EAAE,CAAC;IACjD,KAAI,MAAM,EAAE,IAAI,aAAa,CAAC,aAAa,EAAE,CAAC;QAC5C,MAAM,YAAY,GAAG,MAAM,IAAA,iCAAsB,EAAC,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC;QACpE,MAAM,OAAO,GAAG,qBAAqB,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;QACxD,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;QAClD,IAAG,KAAK,EAAE,CAAC;YACT,qBAAqB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC;IAED,IAAG,qBAAqB,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QACrC,MAAM,UAAU,GAAG,qBAAqB,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtE,MAAM,IAAI,KAAK,CAAC,SAAS,qBAAqB,CAAC,MAAM,gCAAgC,QAAQ,KAAK,UAAU,EAAE,CAAC,CAAC;IAClH,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAE1C,OAAO;QACL,GAAG,qBAAqB,CAAC,CAAC,CAAC,CAAC,aAAa;QACzC,GAAG,mBAAmB;KACvB,CAAA;AACH,CAAC;AAED,SAAgB,qBAAqB,CAAC,OAAe;IACnD,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,EAAE;QACpD,MAAM,IAAI,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;QACjD,MAAM,SAAS,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAA;QAC/D,OAAO,MAAM,SAAS,SAAS,CAAA;IACjC,CAAC,CAAC,CAAA;IACF,OAAO,IAAI,KAAK,GAAG,CAAA;IAEnB,mCAAmC;IACnC,2CAA2C;IAC3C,8CAA8C;IAC9C,uDAAuD;IACvD,sDAAsD;IACtD,sEAAsE;IACtE,+BAA+B;IAC/B,uCAAuC;IACvC,QAAQ;IACR,yCAAyC;IACzC,MAAM;IACN,gBAAgB;IAChB,KAAK;IACL,kCAAkC;AACpC,CAAC"}
1
+ {"version":3,"file":"contextKeys.js","sourceRoot":"","sources":["../../../src/simulation_engine/contextKeys.ts"],"names":[],"mappings":";;AAaA,oEAyBC;AAtCD,sDAA2D;AAC3D,wFAAqF;AACrF,wCAA2F;AAE3F;;;;;;;;GAQG;AACI,KAAK,UAAU,4BAA4B,CAAC,OAAe,EAAE,MAAc,EAAE,QAAgB;IAClG,MAAM,aAAa,GAAG,MAAM,IAAA,2BAAgB,EAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC9D,MAAM,mBAAmB,GAAG,IAAA,sBAAY,EAAC,aAAa,CAAC,aAAa,CAAC,CAAC;IAEtE,MAAM,cAAc,GAAG,MAAM,IAAA,8BAAoB,EAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACnE,IAAG,cAAc,EAAE,CAAC;QAClB,OAAO;YACL,GAAG,mBAAmB;YACtB,GAAG,IAAA,+CAAsB,GAAE;SAC5B,CAAA;IACH,CAAC;IAED,MAAM,aAAa,GAAG,MAAM,IAAA,mCAAyB,EAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IACjF,IAAG,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,sCAAsC,MAAM,eAAe,OAAO,EAAE,CAAC,CAAA;IACvF,CAAC;SAAM,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CAAC,4CAA4C,MAAM,eAAe,OAAO,EAAE,CAAC,CAAA;IAC7F,CAAC;IACD,MAAM,sBAAsB,GAAG,aAAa,CAAC,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,IAAI,KAAK,aAAa,CAAC,CAAC,CAAC,CAAC,GAAG,CAAE,CAAC,aAAa,CAAA;IAEtH,OAAO;QACL,GAAG,IAAA,sBAAY,EAAC,sBAAsB,CAAC;QACvC,GAAG,mBAAmB;QACtB,GAAG,IAAA,+CAAsB,GAAE;KAC5B,CAAA;AACH,CAAC"}
@@ -8,6 +8,17 @@ export interface Simulation {
8
8
  };
9
9
  contextVariables: Record<string, string | string[]>;
10
10
  };
11
- identityPolicies: Record<string, any>[];
11
+ identityPolicies: {
12
+ name: string;
13
+ policy: any;
14
+ }[];
15
+ serviceControlPolicies: {
16
+ orgIdentifier: string;
17
+ policies: {
18
+ name: string;
19
+ policy: any;
20
+ }[];
21
+ }[];
22
+ resourcePolicy?: any;
12
23
  }
13
24
  //# sourceMappingURL=simulation.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"simulation.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulation.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,EAAE;YACR,QAAQ,EAAE,MAAM,CAAC;YACjB,SAAS,EAAE,MAAM,CAAA;SAClB,CAAA;QACD,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAC;KACrD,CAAA;IAED,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;CACzC"}
1
+ {"version":3,"file":"simulation.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulation.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,EAAE;YACR,QAAQ,EAAE,MAAM,CAAC;YACjB,SAAS,EAAE,MAAM,CAAA;SAClB,CAAA;QACD,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAC;KACrD,CAAA;IAED,gBAAgB,EAAE;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,GAAG,CAAA;KAAC,EAAE,CAAC;IAChD,sBAAsB,EAAE;QACtB,aAAa,EAAE,MAAM,CAAC;QACtB,QAAQ,EAAE;YAAC,IAAI,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,GAAG,CAAA;SAAC,EAAE,CAAA;KACxC,EAAE,CAAC;IACJ,cAAc,CAAC,EAAE,GAAG,CAAC;CACtB"}
@@ -1,11 +1,26 @@
1
1
  import { ValidationError } from "@cloud-copilot/iam-policy";
2
+ import { EvaluationResult } from "../evaluate.js";
2
3
  import { Simulation } from "./simulation.js";
3
4
  import { SimulationOptions } from "./simulationOptions.js";
4
5
  export interface SimulationErrors {
5
6
  identityPolicyErrors?: Record<string, ValidationError[]>;
7
+ seviceControlPolicyErrors?: Record<string, ValidationError[]>;
8
+ resourcePolicyErrors?: ValidationError[];
6
9
  message: string;
7
10
  }
8
11
  export interface SimulationResult {
12
+ errors?: SimulationErrors;
13
+ result?: {
14
+ evaluationResult: EvaluationResult;
15
+ };
9
16
  }
17
+ /**
18
+ * Run a simulation with validation
19
+ *
20
+ * @param simulation The simulation to run
21
+ * @param simulationOptions Options for the simulation
22
+ * @returns
23
+ */
10
24
  export declare function runSimulation(simulation: Simulation, simulationOptions: Partial<SimulationOptions>): Promise<SimulationResult>;
25
+ export declare function normalizeSimulationParameters(simulation: Simulation): Promise<Record<string, string | string[]>>;
11
26
  //# sourceMappingURL=simulationEngine.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"simulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":"AACA,OAAO,EAAwB,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAElF,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC7C,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAE3D,MAAM,WAAW,gBAAgB;IAC/B,oBAAoB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAC;IACzD,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;CAEhC;AAED,wBAAsB,aAAa,CAAC,UAAU,EAAE,UAAU,EAAE,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAAG,OAAO,CAAC,gBAAgB,CAAC,CA8CpI"}
1
+ {"version":3,"file":"simulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":"AACA,OAAO,EAAoG,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAG9J,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAKlD,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC7C,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAE3D,MAAM,WAAW,gBAAgB;IAC/B,oBAAoB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAC;IACzD,yBAAyB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC,CAAC;IAC9D,oBAAoB,CAAC,EAAE,eAAe,EAAE,CAAC;IACzC,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,CAAC,EAAE,gBAAgB,CAAC;IAC1B,MAAM,CAAC,EAAE;QACP,gBAAgB,EAAE,gBAAgB,CAAA;KACnC,CAAA;CACF;AAED;;;;;;GAMG;AACH,wBAAsB,aAAa,CAAC,UAAU,EAAE,UAAU,EAAE,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAAG,OAAO,CAAC,gBAAgB,CAAC,CA+HpI;AAED,wBAAsB,6BAA6B,CAAC,UAAU,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAC,CA0BtH"}
@@ -1,48 +1,159 @@
1
1
  "use strict";
2
2
  Object.defineProperty(exports, "__esModule", { value: true });
3
3
  exports.runSimulation = runSimulation;
4
+ exports.normalizeSimulationParameters = normalizeSimulationParameters;
4
5
  const iam_data_1 = require("@cloud-copilot/iam-data");
5
6
  const iam_policy_1 = require("@cloud-copilot/iam-policy");
7
+ const ConditionKeys_js_1 = require("../ConditionKeys.js");
8
+ const coreSimulatorEngine_js_1 = require("../core_engine/coreSimulatorEngine.js");
9
+ const request_js_1 = require("../request/request.js");
10
+ const requestContext_js_1 = require("../requestContext.js");
11
+ const util_js_1 = require("../util.js");
6
12
  const contextKeys_js_1 = require("./contextKeys.js");
13
+ /**
14
+ * Run a simulation with validation
15
+ *
16
+ * @param simulation The simulation to run
17
+ * @param simulationOptions Options for the simulation
18
+ * @returns
19
+ */
7
20
  async function runSimulation(simulation, simulationOptions) {
8
- const identityPolicyErrors = Object.keys(simulation.identityPolicies).reduce((acc, key) => {
9
- acc[key] == (0, iam_policy_1.validatePolicySyntax)(simulation.identityPolicies[key]);
10
- return acc;
11
- }, {});
12
- const errorCount = Object.values(identityPolicyErrors).flat().length;
13
- if (errorCount > 0) {
21
+ const identityPolicyErrors = {};
22
+ const identityPolicies = [];
23
+ simulation.identityPolicies.forEach((value) => {
24
+ const { name, policy } = value;
25
+ const validationErrors = (0, iam_policy_1.validateIdentityPolicy)(policy);
26
+ if (validationErrors.length == 0) {
27
+ identityPolicies.push((0, iam_policy_1.loadPolicy)(policy));
28
+ }
29
+ else {
30
+ identityPolicyErrors[name] = validationErrors;
31
+ }
32
+ });
33
+ const seviceControlPolicyErrors = {};
34
+ const serviceControlPolicies = simulation.serviceControlPolicies.map((scp) => {
35
+ const ouId = scp.orgIdentifier;
36
+ const validPolicies = [];
37
+ scp.policies.forEach((value) => {
38
+ const { name, policy } = value;
39
+ const validationErrors = (0, iam_policy_1.validateServiceControlPolicy)(policy);
40
+ if (validationErrors.length > 0) {
41
+ seviceControlPolicyErrors[name] = validationErrors;
42
+ }
43
+ else {
44
+ validPolicies.push((0, iam_policy_1.loadPolicy)(policy));
45
+ }
46
+ });
47
+ return {
48
+ orgIdentifier: ouId,
49
+ policies: validPolicies
50
+ };
51
+ });
52
+ const resourcePolicyErrors = simulation.resourcePolicy ? (0, iam_policy_1.validateResourcePolicy)(simulation.resourcePolicy) : [];
53
+ if (Object.keys(identityPolicyErrors).length > 0 ||
54
+ Object.keys(seviceControlPolicyErrors).length > 0 ||
55
+ resourcePolicyErrors.length > 0) {
14
56
  return {
15
- identityPolicyErrors
57
+ errors: {
58
+ identityPolicyErrors,
59
+ seviceControlPolicyErrors,
60
+ resourcePolicyErrors,
61
+ message: 'policy.errors'
62
+ }
16
63
  };
17
64
  }
65
+ const resourcePolicy = simulation.resourcePolicy ? (0, iam_policy_1.loadPolicy)(simulation.resourcePolicy) : undefined;
18
66
  if (simulation.request.action.split(":").length != 2) {
19
67
  return {
20
- message: 'invalid.action'
68
+ errors: {
69
+ message: 'invalid.action'
70
+ }
21
71
  };
22
72
  }
23
73
  const [service, action] = simulation.request.action.split(":");
24
74
  const validService = await (0, iam_data_1.iamServiceExists)(service);
25
75
  if (!validService) {
26
76
  return {
27
- message: 'invalid.service'
77
+ errors: {
78
+ message: 'invalid.service'
79
+ }
28
80
  };
29
81
  }
30
82
  const validAction = await (0, iam_data_1.iamActionExists)(service, action);
31
83
  if (!validAction) {
32
84
  return {
33
- message: 'invalid.action'
85
+ errors: {
86
+ message: 'invalid.action'
87
+ }
34
88
  };
35
89
  }
36
90
  const resourceArn = simulation.request.resource.resource;
91
+ const isWildCardOnlyAction = await (0, util_js_1.isWildcardOnlyAction)(service, action);
92
+ if (isWildCardOnlyAction) {
93
+ if (resourceArn !== "*") {
94
+ return {
95
+ errors: {
96
+ message: 'must.use.wildcard'
97
+ }
98
+ };
99
+ }
100
+ }
101
+ else {
102
+ const resourceTypes = await (0, util_js_1.getResourceTypesForAction)(service, action, resourceArn);
103
+ if (resourceTypes.length === 0) {
104
+ return {
105
+ errors: {
106
+ message: 'no.resource.types'
107
+ }
108
+ };
109
+ }
110
+ else if (resourceTypes.length > 1) {
111
+ return {
112
+ errors: {
113
+ message: 'multiple.resource.types'
114
+ }
115
+ };
116
+ }
117
+ }
118
+ const contextValues = await normalizeSimulationParameters(simulation);
119
+ const simulationResult = (0, coreSimulatorEngine_js_1.authorize)({
120
+ request: new request_js_1.AwsRequestImpl(simulation.request.principal, {
121
+ resource: simulation.request.resource.resource,
122
+ accountId: simulation.request.resource.accountId
123
+ }, simulation.request.action, new requestContext_js_1.RequestContextImpl(contextValues)),
124
+ identityPolicies,
125
+ serviceControlPolicies,
126
+ resourcePolicy
127
+ });
128
+ return {
129
+ result: {
130
+ evaluationResult: simulationResult
131
+ }
132
+ };
133
+ }
134
+ async function normalizeSimulationParameters(simulation) {
135
+ const [service, action] = simulation.request.action.split(":");
136
+ const resourceArn = simulation.request.resource.resource;
37
137
  const contextVariablesForAction = new Set(await (0, contextKeys_js_1.allowedContextKeysForRequest)(service, action, resourceArn));
38
- // We need to get the types of the context variables and set a string or array of strings based on that.
138
+ //Get the types of the context variables and set a string or array of strings based on that.
39
139
  const allowedContextKeys = {};
40
140
  for (const key of Object.keys(simulation.request.contextVariables)) {
41
- if (contextVariablesForAction.has(key)) {
42
- allowedContextKeys[key] = simulation.request.contextVariables[key];
141
+ const value = simulation.request.contextVariables[key];
142
+ const lowerCaseKey = key.toLowerCase();
143
+ if (contextVariablesForAction.has(lowerCaseKey)) {
144
+ const conditionType = await (0, util_js_1.typeForContextKey)(lowerCaseKey);
145
+ const normalizedKey = await (0, util_js_1.normalizeContextKeyCase)(lowerCaseKey);
146
+ if ((0, ConditionKeys_js_1.isConditionKeyArray)(conditionType)) {
147
+ allowedContextKeys[normalizedKey] = [value].flat();
148
+ }
149
+ else if (Array.isArray(value)) {
150
+ allowedContextKeys[normalizedKey] = value[0];
151
+ }
152
+ else {
153
+ allowedContextKeys[normalizedKey] = value;
154
+ }
43
155
  }
44
156
  }
45
- // Implementation goes here
46
- return {};
157
+ return allowedContextKeys;
47
158
  }
48
159
  //# sourceMappingURL=simulationEngine.js.map
@@ -1 +1 @@
1
- {"version":3,"file":"simulationEngine.js","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":";;AAeA,sCA8CC;AA7DD,sDAA4E;AAC5E,0DAAkF;AAClF,qDAAgE;AAazD,KAAK,UAAU,aAAa,CAAC,UAAsB,EAAE,iBAA6C;IACvG,MAAM,oBAAoB,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,GAAW,EAAE,EAAE;QAChG,GAAG,CAAC,GAAG,CAAC,IAAI,IAAA,iCAAoB,EAAC,UAAU,CAAC,gBAAgB,CAAC,GAAU,CAAC,CAAC,CAAC;QAC1E,OAAO,GAAG,CAAA;IACZ,CAAC,EAAE,EAAuC,CAAC,CAAC;IAE5C,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC,IAAI,EAAE,CAAC,MAAM,CAAC;IACrE,IAAG,UAAU,GAAG,CAAC,EAAE,CAAC;QAClB,OAAO;YACL,oBAAoB;SACrB,CAAA;IACH,CAAC;IAED,IAAG,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QACpD,OAAO;YACL,OAAO,EAAE,gBAAgB;SAC1B,CAAA;IACH,CAAC;IAED,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,GAAG,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/D,MAAM,YAAY,GAAG,MAAM,IAAA,2BAAgB,EAAC,OAAO,CAAC,CAAC;IACrD,IAAG,CAAC,YAAY,EAAE,CAAC;QACjB,OAAO;YACL,OAAO,EAAE,iBAAiB;SAC3B,CAAA;IACH,CAAC;IACD,MAAM,WAAW,GAAG,MAAM,IAAA,0BAAe,EAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC3D,IAAG,CAAC,WAAW,EAAE,CAAC;QAChB,OAAO;YACL,OAAO,EAAE,gBAAgB;SAC1B,CAAA;IACH,CAAC;IAED,MAAM,WAAW,GAAG,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC;IACzD,MAAM,yBAAyB,GAAG,IAAI,GAAG,CAAC,MAAM,IAAA,6CAA4B,EAAC,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC,CAAA;IAE3G,wGAAwG;IACxG,MAAM,kBAAkB,GAAsC,EAAE,CAAC;IACjE,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACnE,IAAI,yBAAyB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YACvC,kBAAkB,CAAC,GAAG,CAAC,GAAG,UAAU,CAAC,OAAO,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC;QACrE,CAAC;IACH,CAAC;IAED,2BAA2B;IAC3B,OAAO,EAAsB,CAAC;AAChC,CAAC"}
1
+ {"version":3,"file":"simulationEngine.js","sourceRoot":"","sources":["../../../src/simulation_engine/simulationEngine.ts"],"names":[],"mappings":";;AAiCA,sCA+HC;AAED,sEA0BC;AA5LD,sDAA4E;AAC5E,0DAA8J;AAC9J,0DAA0D;AAC1D,kFAA0F;AAE1F,sDAAuD;AACvD,4DAA0D;AAC1D,wCAAyH;AACzH,qDAAgE;AAkBhE;;;;;;GAMG;AACI,KAAK,UAAU,aAAa,CAAC,UAAsB,EAAE,iBAA6C;IACvG,MAAM,oBAAoB,GAAsC,EAAE,CAAC;IACnE,MAAM,gBAAgB,GAAa,EAAE,CAAC;IACtC,UAAU,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE;QAC5C,MAAM,EAAC,IAAI,EAAE,MAAM,EAAC,GAAG,KAAK,CAAC;QAC7B,MAAM,gBAAgB,GAAG,IAAA,mCAAsB,EAAC,MAAM,CAAC,CAAC;QACxD,IAAG,gBAAgB,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;YAChC,gBAAgB,CAAC,IAAI,CAAC,IAAA,uBAAU,EAAC,MAAM,CAAC,CAAC,CAAC;QAC5C,CAAC;aAAM,CAAC;YACN,oBAAoB,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC;QAChD,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,MAAM,yBAAyB,GAAsC,EAAE,CAAC;IACxE,MAAM,sBAAsB,GAA6B,UAAU,CAAC,sBAAsB,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;QACrG,MAAM,IAAI,GAAG,GAAG,CAAC,aAAa,CAAC;QAC/B,MAAM,aAAa,GAAa,EAAE,CAAC;QAEnC,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE;YAC7B,MAAM,EAAC,IAAI,EAAE,MAAM,EAAC,GAAG,KAAK,CAAC;YAC7B,MAAM,gBAAgB,GAAG,IAAA,yCAA4B,EAAC,MAAM,CAAC,CAAC;YAC9D,IAAG,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC/B,yBAAyB,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC;YACrD,CAAC;iBAAM,CAAC;gBACN,aAAa,CAAC,IAAI,CAAC,IAAA,uBAAU,EAAC,MAAM,CAAC,CAAC,CAAC;YACzC,CAAC;QACH,CAAC,CAAC,CAAA;QAEF,OAAO;YACL,aAAa,EAAE,IAAI;YACnB,QAAQ,EAAE,aAAa;SACxB,CAAA;IACH,CAAC,CAAC,CAAA;IAEF,MAAM,oBAAoB,GAAG,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,IAAA,mCAAsB,EAAC,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAEhH,IAAG,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,MAAM,GAAG,CAAC;QAC5C,MAAM,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC,MAAM,GAAG,CAAC;QACjD,oBAAoB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnC,OAAO;YACL,MAAM,EAAE;gBACN,oBAAoB;gBACpB,yBAAyB;gBACzB,oBAAoB;gBACpB,OAAO,EAAE,eAAe;aACzB;SACF,CAAA;IACH,CAAC;IAED,MAAM,cAAc,GAAG,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,IAAA,uBAAU,EAAC,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAErG,IAAG,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QACpD,OAAO;YACL,MAAM,EAAE;gBACN,OAAO,EAAE,gBAAgB;aAC1B;SACF,CAAA;IACH,CAAC;IAED,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,GAAG,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/D,MAAM,YAAY,GAAG,MAAM,IAAA,2BAAgB,EAAC,OAAO,CAAC,CAAC;IACrD,IAAG,CAAC,YAAY,EAAE,CAAC;QACjB,OAAO;YACL,MAAM,EAAE;gBACN,OAAO,EAAE,iBAAiB;aAC3B;SACF,CAAA;IACH,CAAC;IACD,MAAM,WAAW,GAAG,MAAM,IAAA,0BAAe,EAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC3D,IAAG,CAAC,WAAW,EAAE,CAAC;QAChB,OAAO;YACL,MAAM,EAAE;gBACN,OAAO,EAAE,gBAAgB;aAC1B;SACF,CAAA;IACH,CAAC;IAED,MAAM,WAAW,GAAG,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC;IACzD,MAAM,oBAAoB,GAAG,MAAM,IAAA,8BAAoB,EAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACzE,IAAG,oBAAoB,EAAE,CAAC;QACxB,IAAG,WAAW,KAAK,GAAG,EAAE,CAAC;YACvB,OAAO;gBACL,MAAM,EAAE;oBACN,OAAO,EAAE,mBAAmB;iBAC7B;aACF,CAAA;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,MAAM,aAAa,GAAG,MAAM,IAAA,mCAAyB,EAAC,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC;QACpF,IAAG,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC9B,OAAO;gBACL,MAAM,EAAE;oBACN,OAAO,EAAE,mBAAmB;iBAC7B;aAEF,CAAA;QACH,CAAC;aAAM,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpC,OAAO;gBACL,MAAM,EAAE;oBACN,OAAO,EAAE,yBAAyB;iBACnC;aACF,CAAA;QACH,CAAC;IACH,CAAC;IAED,MAAM,aAAa,GAAG,MAAM,6BAA6B,CAAC,UAAU,CAAC,CAAC;IAEtE,MAAM,gBAAgB,GAAG,IAAA,kCAAS,EAAC;QACjC,OAAO,EAAE,IAAI,2BAAc,CACzB,UAAU,CAAC,OAAO,CAAC,SAAS,EAC5B;YACE,QAAQ,EAAE,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ;YAC9C,SAAS,EAAE,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS;SACjD,EACD,UAAU,CAAC,OAAO,CAAC,MAAM,EACzB,IAAI,sCAAkB,CAAC,aAAa,CAAC,CACtC;QACD,gBAAgB;QAChB,sBAAsB;QACtB,cAAc;KACf,CAAC,CAAA;IAEF,OAAO;QACL,MAAM,EAAE;YACN,gBAAgB,EAAE,gBAAgB;SACnC;KACF,CAAA;AACH,CAAC;AAEM,KAAK,UAAU,6BAA6B,CAAC,UAAsB;IACxE,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,GAAG,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/D,MAAM,WAAW,GAAG,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC;IACzD,MAAM,yBAAyB,GAAG,IAAI,GAAG,CAAC,MAAM,IAAA,6CAA4B,EAAC,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC,CAAA;IAE3G,4FAA4F;IAC5F,MAAM,kBAAkB,GAAsC,EAAE,CAAC;IACjE,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACnE,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC;QACvD,MAAM,YAAY,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;QACvC,IAAI,yBAAyB,CAAC,GAAG,CAAC,YAAY,CAAC,EAAE,CAAC;YAEhD,MAAM,aAAa,GAAG,MAAM,IAAA,2BAAiB,EAAC,YAAY,CAAC,CAAC;YAC5D,MAAM,aAAa,GAAG,MAAM,IAAA,iCAAuB,EAAC,YAAY,CAAC,CAAC;YAElE,IAAG,IAAA,sCAAmB,EAAC,aAAa,CAAC,EAAE,CAAC;gBACtC,kBAAkB,CAAC,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC;YACrD,CAAC;iBAAM,IAAG,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC/B,kBAAkB,CAAC,aAAa,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAC/C,CAAC;iBAAM,CAAC;gBACN,kBAAkB,CAAC,aAAa,CAAC,GAAG,KAAK,CAAC;YAC5C,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,kBAAkB,CAAA;AAC3B,CAAC"}
@@ -2,7 +2,7 @@ import { type EvaluationResult } from "../evaluate.js";
2
2
  import { Simulation } from "./simulation.js";
3
3
  import { SimulationOptions } from "./simulationOptions.js";
4
4
  /**
5
- * Runs a simulation without input validation or context error verification.
5
+ * Runs a simulation without input validation or context variable verification.
6
6
  * Use this if you know what you're doing.
7
7
  *
8
8
  * @param simulation The simulation to run.
@@ -1 +1 @@
1
- {"version":3,"file":"unsafeSimulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/unsafeSimulationEngine.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAGvD,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC7C,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAE3D;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,UAAU,EAAE,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAAG,gBAAgB,CAa3H"}
1
+ {"version":3,"file":"unsafeSimulationEngine.d.ts","sourceRoot":"","sources":["../../../src/simulation_engine/unsafeSimulationEngine.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAGvD,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC7C,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAE3D;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,UAAU,EAAE,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAAG,gBAAgB,CAuB3H"}
@@ -6,7 +6,7 @@ const coreSimulatorEngine_js_1 = require("../core_engine/coreSimulatorEngine.js"
6
6
  const request_js_1 = require("../request/request.js");
7
7
  const requestContext_js_1 = require("../requestContext.js");
8
8
  /**
9
- * Runs a simulation without input validation or context error verification.
9
+ * Runs a simulation without input validation or context variable verification.
10
10
  * Use this if you know what you're doing.
11
11
  *
12
12
  * @param simulation The simulation to run.
@@ -14,8 +14,15 @@ const requestContext_js_1 = require("../requestContext.js");
14
14
  * @returns The result of the simulation.
15
15
  */
16
16
  function runUnsafeSimulation(simulation, simulationOptions) {
17
- // Implementation goes here
18
- const identityPolicies = Object.values(simulation.identityPolicies).map(p => (0, iam_policy_1.loadPolicy)(p));
17
+ const identityPolicies = Object.values(simulation.identityPolicies).map(p => (0, iam_policy_1.loadPolicy)(p.policy));
18
+ const serviceControlPolicies = simulation.serviceControlPolicies.map((scp) => {
19
+ const ouId = scp.orgIdentifier;
20
+ const policies = scp.policies.map(val => (0, iam_policy_1.loadPolicy)(val.policy));
21
+ return {
22
+ orgIdentifier: ouId,
23
+ policies: policies
24
+ };
25
+ });
19
26
  const requestContext = new requestContext_js_1.RequestContextImpl(simulation.request.contextVariables);
20
27
  const request = new request_js_1.AwsRequestImpl(simulation.request.principal, {
21
28
  resource: simulation.request.resource.resource,
@@ -23,7 +30,9 @@ function runUnsafeSimulation(simulation, simulationOptions) {
23
30
  }, simulation.request.action, requestContext);
24
31
  return (0, coreSimulatorEngine_js_1.authorize)({
25
32
  request,
26
- identityPolicies
33
+ identityPolicies,
34
+ serviceControlPolicies,
35
+ resourcePolicy: simulation.resourcePolicy ? (0, iam_policy_1.loadPolicy)(simulation.resourcePolicy) : undefined
27
36
  });
28
37
  }
29
38
  //# sourceMappingURL=unsafeSimulationEngine.js.map
@@ -1 +1 @@
1
- {"version":3,"file":"unsafeSimulationEngine.js","sourceRoot":"","sources":["../../../src/simulation_engine/unsafeSimulationEngine.ts"],"names":[],"mappings":";;AAgBA,kDAaC;AA7BD,0DAAuD;AACvD,kFAAkE;AAElE,sDAAuD;AACvD,4DAA0D;AAI1D;;;;;;;GAOG;AACH,SAAgB,mBAAmB,CAAC,UAAsB,EAAE,iBAA6C;IACrG,2BAA2B;IAC7B,MAAM,gBAAgB,GAAG,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAA,uBAAU,EAAC,CAAC,CAAC,CAAC,CAAC;IAC5F,MAAM,cAAc,GAAG,IAAI,sCAAkB,CAAC,UAAU,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAA;IAClF,MAAM,OAAO,GAAG,IAAI,2BAAc,CAAC,UAAU,CAAC,OAAO,CAAC,SAAS,EAAE;QAC/D,QAAQ,EAAE,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ;QAC9C,SAAS,EAAE,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS;KACjD,EAAE,UAAU,CAAC,OAAO,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;IAE9C,OAAO,IAAA,kCAAS,EAAC;QACf,OAAO;QACP,gBAAgB;KACjB,CAAC,CAAC;AACL,CAAC"}
1
+ {"version":3,"file":"unsafeSimulationEngine.js","sourceRoot":"","sources":["../../../src/simulation_engine/unsafeSimulationEngine.ts"],"names":[],"mappings":";;AAgBA,kDAuBC;AAvCD,0DAAuD;AACvD,kFAA0F;AAE1F,sDAAuD;AACvD,4DAA0D;AAI1D;;;;;;;GAOG;AACH,SAAgB,mBAAmB,CAAC,UAAsB,EAAE,iBAA6C;IACvG,MAAM,gBAAgB,GAAG,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAA,uBAAU,EAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;IACnG,MAAM,sBAAsB,GAA6B,UAAU,CAAC,sBAAsB,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;QACrG,MAAM,IAAI,GAAG,GAAG,CAAC,aAAa,CAAC;QAC/B,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,IAAA,uBAAU,EAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC;QAEjE,OAAO;YACL,aAAa,EAAE,IAAI;YACnB,QAAQ,EAAE,QAAQ;SACnB,CAAA;IACH,CAAC,CAAC,CAAA;IACF,MAAM,cAAc,GAAG,IAAI,sCAAkB,CAAC,UAAU,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAA;IAClF,MAAM,OAAO,GAAG,IAAI,2BAAc,CAAC,UAAU,CAAC,OAAO,CAAC,SAAS,EAAE;QAC/D,QAAQ,EAAE,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ;QAC9C,SAAS,EAAE,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS;KACjD,EAAE,UAAU,CAAC,OAAO,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;IAE9C,OAAO,IAAA,kCAAS,EAAC;QACf,OAAO;QACP,gBAAgB;QAChB,sBAAsB;QACtB,cAAc,EAAE,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,IAAA,uBAAU,EAAC,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,SAAS;KAC9F,CAAC,CAAC;AACL,CAAC"}