@cloud-copilot/iam-simulate 0.1.5 → 0.1.7
- package/dist/cjs/ConditionKeys.d.ts +19 -0
- package/dist/cjs/ConditionKeys.d.ts.map +1 -0
- package/dist/cjs/ConditionKeys.js +27 -0
- package/dist/cjs/ConditionKeys.js.map +1 -0
- package/dist/cjs/SCPAnalysis.d.ts +6 -0
- package/dist/cjs/SCPAnalysis.d.ts.map +1 -0
- package/dist/cjs/SCPAnalysis.js +3 -0
- package/dist/cjs/SCPAnalysis.js.map +1 -0
- package/dist/cjs/context_keys/findContextKeys.d.ts +19 -0
- package/dist/cjs/context_keys/findContextKeys.d.ts.map +1 -0
- package/dist/cjs/context_keys/findContextKeys.js +57 -0
- package/dist/cjs/context_keys/findContextKeys.js.map +1 -0
- package/dist/cjs/core_engine/coreSimulatorEngine.d.ts +39 -0
- package/dist/cjs/core_engine/coreSimulatorEngine.d.ts.map +1 -1
- package/dist/cjs/core_engine/coreSimulatorEngine.js +56 -0
- package/dist/cjs/core_engine/coreSimulatorEngine.js.map +1 -1
- package/dist/cjs/evaluate.d.ts +1 -0
- package/dist/cjs/evaluate.d.ts.map +1 -1
- package/dist/cjs/global_conditions/globalConditionKeys.d.ts +9 -1
- package/dist/cjs/global_conditions/globalConditionKeys.d.ts.map +1 -1
- package/dist/cjs/global_conditions/globalConditionKeys.js +78 -50
- package/dist/cjs/global_conditions/globalConditionKeys.js.map +1 -1
- package/dist/cjs/index.d.ts +4 -0
- package/dist/cjs/index.d.ts.map +1 -1
- package/dist/cjs/index.js +10 -1
- package/dist/cjs/index.js.map +1 -1
- package/dist/cjs/principal/principal.d.ts +9 -1
- package/dist/cjs/principal/principal.d.ts.map +1 -1
- package/dist/cjs/principal/principal.js +17 -0
- package/dist/cjs/principal/principal.js.map +1 -1
- package/dist/cjs/request/requestPrincipal.d.ts.map +1 -1
- package/dist/cjs/request/requestPrincipal.js.map +1 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.d.ts +30 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.d.ts.map +1 -1
- package/dist/cjs/services/DefaultServiceAuthorizer.js +93 -7
- package/dist/cjs/services/DefaultServiceAuthorizer.js.map +1 -1
- package/dist/cjs/services/ServiceAuthorizer.d.ts +3 -0
- package/dist/cjs/services/ServiceAuthorizer.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/contextKeys.d.ts +9 -1
- package/dist/cjs/simulation_engine/contextKeys.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/contextKeys.js +27 -40
- package/dist/cjs/simulation_engine/contextKeys.js.map +1 -1
- package/dist/cjs/simulation_engine/simulation.d.ts +12 -1
- package/dist/cjs/simulation_engine/simulation.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/simulationEngine.d.ts +15 -0
- package/dist/cjs/simulation_engine/simulationEngine.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/simulationEngine.js +126 -15
- package/dist/cjs/simulation_engine/simulationEngine.js.map +1 -1
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.d.ts +1 -1
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.d.ts.map +1 -1
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.js +13 -4
- package/dist/cjs/simulation_engine/unsafeSimulationEngine.js.map +1 -1
- package/dist/cjs/util.d.ts +69 -0
- package/dist/cjs/util.d.ts.map +1 -1
- package/dist/cjs/util.js +166 -0
- package/dist/cjs/util.js.map +1 -1
- package/dist/esm/ConditionKeys.d.ts +19 -0
- package/dist/esm/ConditionKeys.d.ts.map +1 -0
- package/dist/esm/ConditionKeys.js +23 -0
- package/dist/esm/ConditionKeys.js.map +1 -0
- package/dist/esm/SCPAnalysis.d.ts +6 -0
- package/dist/esm/SCPAnalysis.d.ts.map +1 -0
- package/dist/esm/SCPAnalysis.js +2 -0
- package/dist/esm/SCPAnalysis.js.map +1 -0
- package/dist/esm/context_keys/findContextKeys.d.ts +19 -0
- package/dist/esm/context_keys/findContextKeys.d.ts.map +1 -0
- package/dist/esm/context_keys/findContextKeys.js +53 -0
- package/dist/esm/context_keys/findContextKeys.js.map +1 -0
- package/dist/esm/core_engine/coreSimulatorEngine.d.ts +39 -0
- package/dist/esm/core_engine/coreSimulatorEngine.d.ts.map +1 -1
- package/dist/esm/core_engine/coreSimulatorEngine.js +54 -0
- package/dist/esm/core_engine/coreSimulatorEngine.js.map +1 -1
- package/dist/esm/evaluate.d.ts +1 -0
- package/dist/esm/evaluate.d.ts.map +1 -1
- package/dist/esm/global_conditions/globalConditionKeys.d.ts +9 -1
- package/dist/esm/global_conditions/globalConditionKeys.d.ts.map +1 -1
- package/dist/esm/global_conditions/globalConditionKeys.js +76 -50
- package/dist/esm/global_conditions/globalConditionKeys.js.map +1 -1
- package/dist/esm/index.d.ts +4 -0
- package/dist/esm/index.d.ts.map +1 -1
- package/dist/esm/index.js +4 -0
- package/dist/esm/index.js.map +1 -1
- package/dist/esm/principal/principal.d.ts +9 -1
- package/dist/esm/principal/principal.d.ts.map +1 -1
- package/dist/esm/principal/principal.js +16 -0
- package/dist/esm/principal/principal.js.map +1 -1
- package/dist/esm/request/requestPrincipal.d.ts.map +1 -1
- package/dist/esm/request/requestPrincipal.js.map +1 -1
- package/dist/esm/services/DefaultServiceAuthorizer.d.ts +30 -1
- package/dist/esm/services/DefaultServiceAuthorizer.d.ts.map +1 -1
- package/dist/esm/services/DefaultServiceAuthorizer.js +93 -7
- package/dist/esm/services/DefaultServiceAuthorizer.js.map +1 -1
- package/dist/esm/services/ServiceAuthorizer.d.ts +3 -0
- package/dist/esm/services/ServiceAuthorizer.d.ts.map +1 -1
- package/dist/esm/simulation_engine/contextKeys.d.ts +9 -1
- package/dist/esm/simulation_engine/contextKeys.d.ts.map +1 -1
- package/dist/esm/simulation_engine/contextKeys.js +28 -40
- package/dist/esm/simulation_engine/contextKeys.js.map +1 -1
- package/dist/esm/simulation_engine/simulation.d.ts +12 -1
- package/dist/esm/simulation_engine/simulation.d.ts.map +1 -1
- package/dist/esm/simulation_engine/simulationEngine.d.ts +15 -0
- package/dist/esm/simulation_engine/simulationEngine.d.ts.map +1 -1
- package/dist/esm/simulation_engine/simulationEngine.js +126 -16
- package/dist/esm/simulation_engine/simulationEngine.js.map +1 -1
- package/dist/esm/simulation_engine/unsafeSimulationEngine.d.ts +1 -1
- package/dist/esm/simulation_engine/unsafeSimulationEngine.d.ts.map +1 -1
- package/dist/esm/simulation_engine/unsafeSimulationEngine.js +13 -4
- package/dist/esm/simulation_engine/unsafeSimulationEngine.js.map +1 -1
- package/dist/esm/util.d.ts +69 -0
- package/dist/esm/util.d.ts.map +1 -1
- package/dist/esm/util.js +158 -0
- package/dist/esm/util.js.map +1 -1
- package/package.json +1 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"globalConditionKeys.d.ts","sourceRoot":"","sources":["../../../src/global_conditions/globalConditionKeys.ts"],"names":[],"mappings":"AAAA,UAAU,kBAAkB;IAC1B,GAAG,EAAE,MAAM,CAAA;IACX,QAAQ,EAAE,MAAM,CAAA;IAChB,QAAQ,EAAE,
|
|
1
|
+
{"version":3,"file":"globalConditionKeys.d.ts","sourceRoot":"","sources":["../../../src/global_conditions/globalConditionKeys.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAEvD,UAAU,kBAAkB;IAC1B,GAAG,EAAE,MAAM,CAAA;IACX,QAAQ,EAAE,MAAM,CAAA;IAChB,QAAQ,EAAE,gBAAgB,CAAA;CAC3B;AAyRD,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,MAAM,GAAG,kBAAkB,GAAG,SAAS,CAEjF;AAED,wBAAgB,wBAAwB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAE7D;AAED,wBAAgB,gCAAgC,CAAC,QAAQ,EAAE,MAAM,GAAG,kBAAkB,EAAE,CAEvF;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,IAAI,MAAM,EAAE,CAEjD"}
|
|
@@ -2,247 +2,262 @@ const globalConditionKeys = [
|
|
|
2
2
|
{
|
|
3
3
|
key: "aws:PrincipalArn",
|
|
4
4
|
category: "principal",
|
|
5
|
-
dataType: ""
|
|
5
|
+
dataType: "ARN"
|
|
6
6
|
},
|
|
7
7
|
{
|
|
8
8
|
key: "aws:PrincipalAccount",
|
|
9
9
|
category: "principal",
|
|
10
|
-
dataType: ""
|
|
10
|
+
dataType: "String"
|
|
11
11
|
},
|
|
12
12
|
{
|
|
13
13
|
key: "aws:PrincipalOrgPaths",
|
|
14
14
|
category: "principal",
|
|
15
|
-
dataType: ""
|
|
15
|
+
dataType: "ArrayOfString"
|
|
16
16
|
},
|
|
17
17
|
{
|
|
18
18
|
key: "aws:PrincipalOrgID",
|
|
19
19
|
category: "principal",
|
|
20
|
-
dataType: ""
|
|
20
|
+
dataType: "String"
|
|
21
21
|
},
|
|
22
22
|
{
|
|
23
23
|
key: "aws:PrincipalTag/tag-key",
|
|
24
24
|
category: "principal",
|
|
25
|
-
dataType: ""
|
|
25
|
+
dataType: "String"
|
|
26
26
|
},
|
|
27
27
|
{
|
|
28
28
|
key: "aws:PrincipalIsAWSService",
|
|
29
29
|
category: "principal",
|
|
30
|
-
dataType: ""
|
|
30
|
+
dataType: "Bool"
|
|
31
31
|
},
|
|
32
32
|
{
|
|
33
33
|
key: "aws:PrincipalServiceName",
|
|
34
34
|
category: "principal",
|
|
35
|
-
dataType: ""
|
|
35
|
+
dataType: "String"
|
|
36
36
|
},
|
|
37
37
|
{
|
|
38
38
|
key: "aws:PrincipalServiceNamesList",
|
|
39
39
|
category: "principal",
|
|
40
|
-
dataType: ""
|
|
40
|
+
dataType: "ArrayOfString"
|
|
41
41
|
},
|
|
42
42
|
{
|
|
43
43
|
key: "aws:PrincipalType",
|
|
44
44
|
category: "principal",
|
|
45
|
-
dataType: ""
|
|
45
|
+
dataType: "String"
|
|
46
46
|
},
|
|
47
47
|
{
|
|
48
48
|
key: "aws:userid",
|
|
49
49
|
category: "principal",
|
|
50
|
-
dataType: ""
|
|
50
|
+
dataType: "String"
|
|
51
51
|
},
|
|
52
52
|
{
|
|
53
53
|
key: "aws:username",
|
|
54
54
|
category: "principal",
|
|
55
|
-
dataType: ""
|
|
55
|
+
dataType: "String"
|
|
56
|
+
},
|
|
57
|
+
{
|
|
58
|
+
key: "aws:AssumedRoot",
|
|
59
|
+
category: "session",
|
|
60
|
+
dataType: "String",
|
|
56
61
|
},
|
|
57
62
|
{
|
|
58
63
|
key: "aws:FederatedProvider",
|
|
59
64
|
category: "session",
|
|
60
|
-
dataType: "",
|
|
65
|
+
dataType: "String",
|
|
61
66
|
},
|
|
62
67
|
{
|
|
63
68
|
key: "aws:TokenIssueTime",
|
|
64
69
|
category: "session",
|
|
65
|
-
dataType: "",
|
|
70
|
+
dataType: "Date",
|
|
66
71
|
},
|
|
67
72
|
{
|
|
68
73
|
key: "aws:MultiFactorAuthAge",
|
|
69
74
|
category: "session",
|
|
70
|
-
dataType: "",
|
|
75
|
+
dataType: "Numeric",
|
|
71
76
|
},
|
|
72
77
|
{
|
|
73
78
|
key: "aws:MultiFactorAuthPresent",
|
|
74
79
|
category: "session",
|
|
75
|
-
dataType: "",
|
|
80
|
+
dataType: "Bool",
|
|
81
|
+
},
|
|
82
|
+
{
|
|
83
|
+
key: "aws:ChatbotSourceArn",
|
|
84
|
+
category: "session",
|
|
85
|
+
dataType: "ARN",
|
|
76
86
|
},
|
|
77
87
|
{
|
|
78
88
|
key: "aws:Ec2InstanceSourceVpc",
|
|
79
89
|
category: "session",
|
|
80
|
-
dataType: "",
|
|
90
|
+
dataType: "String",
|
|
81
91
|
},
|
|
82
92
|
{
|
|
83
93
|
key: "aws:Ec2InstanceSourcePrivateIPv4",
|
|
84
94
|
category: "session",
|
|
85
|
-
dataType: "",
|
|
95
|
+
dataType: "IPAddress",
|
|
86
96
|
},
|
|
87
97
|
{
|
|
88
98
|
key: "aws:SourceIdentity",
|
|
89
99
|
category: "session",
|
|
90
|
-
dataType: "",
|
|
100
|
+
dataType: "String",
|
|
91
101
|
},
|
|
92
102
|
{
|
|
93
103
|
key: "ec2:RoleDelivery",
|
|
94
104
|
category: "session",
|
|
95
|
-
dataType: "",
|
|
105
|
+
dataType: "Numeric",
|
|
96
106
|
},
|
|
97
107
|
{
|
|
98
108
|
key: "ec2:SourceInstanceArn",
|
|
99
109
|
category: "session",
|
|
100
|
-
dataType: "",
|
|
110
|
+
dataType: "ARN",
|
|
101
111
|
},
|
|
102
112
|
{
|
|
103
113
|
key: "glue:RoleAssumedBy",
|
|
104
114
|
category: "session",
|
|
105
|
-
dataType: "",
|
|
115
|
+
dataType: "String",
|
|
106
116
|
},
|
|
107
117
|
{
|
|
108
118
|
key: "glue:CredentialIssuingService",
|
|
109
119
|
category: "session",
|
|
110
|
-
dataType: "",
|
|
120
|
+
dataType: "String",
|
|
111
121
|
},
|
|
112
122
|
{
|
|
113
123
|
key: "lambda:SourceFunctionArn",
|
|
114
124
|
category: "session",
|
|
115
|
-
dataType: "",
|
|
125
|
+
dataType: "ARN",
|
|
116
126
|
},
|
|
117
127
|
{
|
|
118
128
|
key: "ssm:SourceInstanceArn",
|
|
119
129
|
category: "session",
|
|
120
|
-
dataType: "",
|
|
130
|
+
dataType: "ARN",
|
|
121
131
|
},
|
|
122
132
|
{
|
|
123
133
|
key: "identitystore:UserId",
|
|
124
134
|
category: "session",
|
|
125
|
-
dataType: "",
|
|
135
|
+
dataType: "String",
|
|
126
136
|
},
|
|
127
137
|
{
|
|
128
138
|
key: "aws:SourceIp",
|
|
129
139
|
category: "network",
|
|
130
|
-
dataType: "",
|
|
140
|
+
dataType: "IPAddress",
|
|
131
141
|
},
|
|
132
142
|
{
|
|
133
143
|
key: "aws:SourceVpc",
|
|
134
144
|
category: "network",
|
|
135
|
-
dataType: "",
|
|
145
|
+
dataType: "String",
|
|
136
146
|
},
|
|
137
147
|
{
|
|
138
148
|
key: "aws:SourceVpce",
|
|
139
149
|
category: "network",
|
|
140
|
-
dataType: "",
|
|
150
|
+
dataType: "String",
|
|
141
151
|
},
|
|
142
152
|
{
|
|
143
153
|
key: "aws:VpcSourceIp ",
|
|
144
154
|
category: "network",
|
|
145
|
-
dataType: "",
|
|
155
|
+
dataType: "IPAddress",
|
|
146
156
|
},
|
|
147
157
|
{
|
|
148
158
|
key: "aws:ResourceAccount",
|
|
149
159
|
category: "resource",
|
|
150
|
-
dataType: "",
|
|
160
|
+
dataType: "String",
|
|
151
161
|
},
|
|
152
162
|
{
|
|
153
163
|
key: "aws:ResourceOrgID",
|
|
154
164
|
category: "resource",
|
|
155
|
-
dataType: "",
|
|
165
|
+
dataType: "String",
|
|
156
166
|
},
|
|
157
167
|
{
|
|
158
168
|
key: "aws:ResourceOrgPaths",
|
|
159
169
|
category: "resource",
|
|
160
|
-
dataType: "",
|
|
170
|
+
dataType: "ArrayOfString",
|
|
161
171
|
},
|
|
162
172
|
{
|
|
163
173
|
key: "aws:ResourceTag/tag-key",
|
|
164
174
|
category: "resource",
|
|
165
|
-
dataType: "",
|
|
175
|
+
dataType: "String",
|
|
166
176
|
},
|
|
167
177
|
{
|
|
168
178
|
key: "aws:CalledVia",
|
|
169
179
|
category: "request",
|
|
170
|
-
dataType: "",
|
|
180
|
+
dataType: "ArrayOfString",
|
|
171
181
|
},
|
|
172
182
|
{
|
|
173
183
|
key: "aws:CalledViaFirst",
|
|
174
184
|
category: "request",
|
|
175
|
-
dataType: "",
|
|
185
|
+
dataType: "String",
|
|
176
186
|
},
|
|
177
187
|
{
|
|
178
188
|
key: "aws:CalledViaLast",
|
|
179
189
|
category: "request",
|
|
180
|
-
dataType: "",
|
|
190
|
+
dataType: "String",
|
|
181
191
|
},
|
|
182
192
|
{
|
|
183
193
|
key: "aws:ViaAWSService",
|
|
184
194
|
category: "request",
|
|
185
|
-
dataType: "",
|
|
195
|
+
dataType: "Bool",
|
|
186
196
|
},
|
|
187
197
|
{
|
|
188
198
|
key: "aws:CurrentTime",
|
|
189
199
|
category: "request",
|
|
190
|
-
dataType: "",
|
|
200
|
+
dataType: "Date",
|
|
191
201
|
},
|
|
192
202
|
{
|
|
193
203
|
key: "aws:EpochTime",
|
|
194
204
|
category: "request",
|
|
195
|
-
dataType: "",
|
|
205
|
+
dataType: "Date", //Can Also be Numeric...
|
|
196
206
|
},
|
|
197
207
|
{
|
|
198
208
|
key: "aws:referer",
|
|
199
209
|
category: "request",
|
|
200
|
-
dataType: "",
|
|
210
|
+
dataType: "String",
|
|
201
211
|
},
|
|
202
212
|
{
|
|
203
213
|
key: "aws:RequestedRegion",
|
|
204
214
|
category: "request",
|
|
205
|
-
dataType: "",
|
|
215
|
+
dataType: "String",
|
|
206
216
|
},
|
|
207
217
|
{
|
|
208
218
|
key: "aws:RequestTag/tag-key",
|
|
209
219
|
category: "request",
|
|
210
|
-
dataType: "",
|
|
220
|
+
dataType: "String",
|
|
211
221
|
},
|
|
212
222
|
{
|
|
213
223
|
key: "aws:TagKeys",
|
|
214
224
|
category: "request",
|
|
215
|
-
dataType: "",
|
|
225
|
+
dataType: "ArrayOfString",
|
|
216
226
|
},
|
|
217
227
|
{
|
|
218
228
|
key: "aws:SecureTransport",
|
|
219
229
|
category: "request",
|
|
220
|
-
dataType: "",
|
|
230
|
+
dataType: "Bool",
|
|
221
231
|
},
|
|
222
232
|
{
|
|
223
233
|
key: "aws:SourceArn",
|
|
224
234
|
category: "request",
|
|
225
|
-
dataType: "",
|
|
235
|
+
dataType: "ARN",
|
|
226
236
|
},
|
|
227
237
|
{
|
|
228
238
|
key: "aws:SourceAccount",
|
|
229
239
|
category: "request",
|
|
230
|
-
dataType: "",
|
|
240
|
+
dataType: "String",
|
|
241
|
+
},
|
|
242
|
+
{
|
|
243
|
+
key: "aws:SourceOwner",
|
|
244
|
+
category: "request",
|
|
245
|
+
dataType: "String",
|
|
231
246
|
},
|
|
232
247
|
{
|
|
233
248
|
key: "aws:SourceOrgPaths",
|
|
234
249
|
category: "request",
|
|
235
|
-
dataType: "",
|
|
250
|
+
dataType: "ArrayOfString",
|
|
236
251
|
},
|
|
237
252
|
{
|
|
238
253
|
key: "aws:SourceOrgID",
|
|
239
254
|
category: "request",
|
|
240
|
-
dataType: "",
|
|
255
|
+
dataType: "String",
|
|
241
256
|
},
|
|
242
257
|
{
|
|
243
|
-
key: "aws:UserAgent
|
|
258
|
+
key: "aws:UserAgent",
|
|
244
259
|
category: "request",
|
|
245
|
-
dataType: "",
|
|
260
|
+
dataType: "String",
|
|
246
261
|
}
|
|
247
262
|
];
|
|
248
263
|
const keysByName = globalConditionKeys.reduce((acc, key) => {
|
|
@@ -258,7 +273,18 @@ const keysByCategory = globalConditionKeys.reduce((acc, key) => {
|
|
|
258
273
|
export function getGlobalConditionKey(key) {
|
|
259
274
|
return keysByName[key.toLowerCase()];
|
|
260
275
|
}
|
|
276
|
+
export function globalConditionKeyExists(key) {
|
|
277
|
+
return !!getGlobalConditionKey(key);
|
|
278
|
+
}
|
|
261
279
|
export function getGlobalConditionKeysByCategory(category) {
|
|
262
280
|
return keysByCategory[category.toLowerCase()] || [];
|
|
263
281
|
}
|
|
282
|
+
/**
|
|
283
|
+
* Get all the global condition keys as lower case strings
|
|
284
|
+
*
|
|
285
|
+
* @returns a list of all the global condition keys
|
|
286
|
+
*/
|
|
287
|
+
export function allGlobalConditionKeys() {
|
|
288
|
+
return Object.keys(keysByCategory);
|
|
289
|
+
}
|
|
264
290
|
//# sourceMappingURL=globalConditionKeys.js.map
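Review bot: `allGlobalConditionKeys()` (new line 288) returns `Object.keys(keysByCategory)`, which — given `getGlobalConditionKeysByCategory` reads that map as `keysByCategory[category.toLowerCase()]` — yields the lowercased category names ("principal", "session", …) rather than the condition keys its JSDoc promises; `keysByName`, which `getGlobalConditionKey` indexes by `key.toLowerCase()`, is the map to enumerate, i.e. `return Object.keys(keysByName);` (both reducers sit outside the hunk, so confirm against them). Any caller that uses this list to decide whether a context key found in a request or policy is a recognised global key would treat almost every real key as unknown, so the practical effect depends on how unknown keys are handled downstream. In the preceding hunk the entry `key: "aws:VpcSourceIp "` (new line 153) carries a trailing space, so `getGlobalConditionKey("aws:VpcSourceIp")` misses it and `globalConditionKeyExists` reports false for a valid network key; the literal should be `"aws:VpcSourceIp"`. The `aws:EpochTime` entry's inline comment notes it can also be Numeric, which a single `dataType` cannot express — worth a `// TODO` naming where the Numeric form is handled, or a documented decision.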
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"globalConditionKeys.js","sourceRoot":"","sources":["../../../src/global_conditions/globalConditionKeys.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"globalConditionKeys.js","sourceRoot":"","sources":["../../../src/global_conditions/globalConditionKeys.ts"],"names":[],"mappings":"AAQA,MAAM,mBAAmB,GAAyB;IAChD;QACE,GAAG,EAAE,kBAAkB;QACvB,QAAQ,EAAE,WAAW;QACrB,QAAQ,EAAE,KAAK;KAChB;IACD;QACE,GAAG,EAAE,sBAAsB;QAC3B,QAAQ,EAAE,WAAW;QACrB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,uBAAuB;QAC5B,QAAQ,EAAE,WAAW;QACrB,QAAQ,EAAE,eAAe;KAC1B;IACD;QACE,GAAG,EAAE,oBAAoB;QACzB,QAAQ,EAAE,WAAW;QACrB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,0BAA0B;QAC/B,QAAQ,EAAE,WAAW;QACrB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,2BAA2B;QAChC,QAAQ,EAAE,WAAW;QACrB,QAAQ,EAAE,MAAM;KACjB;IACD;QACE,GAAG,EAAE,0BAA0B;QAC/B,QAAQ,EAAE,WAAW;QACrB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,+BAA+B;QACpC,QAAQ,EAAE,WAAW;QACrB,QAAQ,EAAE,eAAe;KAC1B;IACD;QACE,GAAG,EAAE,mBAAmB;QACxB,QAAQ,EAAE,WAAW;QACrB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,YAAY;QACjB,QAAQ,EAAE,WAAW;QACrB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,cAAc;QACnB,QAAQ,EAAE,WAAW;QACrB,QAAQ,EAAE,QAAQ;KACnB;IAED;QACE,GAAG,EAAE,iBAAiB;QACtB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,uBAAuB;QAC5B,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,oBAAoB;QACzB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,MAAM;KACjB;IACD;QACE,GAAG,EAAE,wBAAwB;QAC7B,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,SAAS;KACpB;IACD;QACE,GAAG,EAAE,4BAA4B;QACjC,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,MAAM;KACjB;IACD;QACE,GAAG,EAAE,sBAAsB;QAC3B,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,KAAK;KAChB;IACD;QACE,GAAG,EAAE,0BAA0B;QAC/B,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,kCAAkC;QACvC,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,WAAW;KACtB;IACD;QACE,GAAG,EAAE,oBAAoB;QACzB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,kBAAkB;QACvB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,SAAS;KACpB;IACD;QACE,GAAG,EAAE,uBAAuB;QAC5B,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,KAAK;KAChB;IACD;QACE,GAAG,EAAE,oBAAoB;QACzB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,+BAA+B;QACpC,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,0BAA0B;Q
AC/B,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,KAAK;KAChB;IACD;QACE,GAAG,EAAE,uBAAuB;QAC5B,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,KAAK;KAChB;IACD;QACE,GAAG,EAAE,sBAAsB;QAC3B,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;IAED;QACE,GAAG,EAAE,cAAc;QACnB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,WAAW;KACtB;IACD;QACE,GAAG,EAAE,eAAe;QACpB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,gBAAgB;QACrB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,mBAAmB;QACxB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,WAAW;KACtB;IAED;QACE,GAAG,EAAE,qBAAqB;QAC1B,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,mBAAmB;QACxB,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,sBAAsB;QAC3B,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,eAAe;KAC1B;IACD;QACE,GAAG,EAAE,yBAAyB;QAC9B,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IAED;QACE,GAAG,EAAE,eAAe;QACpB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,eAAe;KAC1B;IACD;QACE,GAAG,EAAE,oBAAoB;QACzB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,mBAAmB;QACxB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,mBAAmB;QACxB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,MAAM;KACjB;IACD;QACE,GAAG,EAAE,iBAAiB;QACtB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,MAAM;KACjB;IACD;QACE,GAAG,EAAE,eAAe;QACpB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,MAAM,EAAE,wBAAwB;KAC3C;IACD;QACE,GAAG,EAAE,aAAa;QAClB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,qBAAqB;QAC1B,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,wBAAwB;QAC7B,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,aAAa;QAClB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,eAAe;KAC1B;IACD;QACE,GAAG,EAAE,qBAAqB;QAC1B,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,MAAM;KACjB;IACD;QACE,GAAG,EAAE,eAAe;QACpB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,KAAK;KAChB;IACD;QACE,GAAG,EAAE,mBAAmB;QACxB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,iBAAiB;QACtB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,GAAG,EAAE,oBAAoB;QACzB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,eAAe;KAC1B;IACD;QACE,GAAG,EAAE,iBAAiB;QACtB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;IACD;
QACE,GAAG,EAAE,eAAe;QACpB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;KACnB;CACF,CAAA;AAED,MAAM,UAAU,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;IACzD,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,GAAG,GAAG,CAAC;IACjC,OAAO,GAAG,CAAC;AACb,CAAC,EAAE,EAAwC,CAAC,CAAC;AAE7C,MAAM,cAAc,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;IAC7D,MAAM,aAAa,GAAG,GAAG,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;IACjD,GAAG,CAAC,aAAa,CAAC,GAAG,GAAG,CAAC,aAAa,CAAC,IAAI,EAAE,CAAC;IAC9C,GAAG,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC7B,OAAO,GAAG,CAAC;AACb,CAAC,EAAE,EAA0C,CAAC,CAAC;AAE/C,MAAM,UAAU,qBAAqB,CAAC,GAAW;IAC/C,OAAO,UAAU,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC;AACvC,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,GAAW;IAClD,OAAO,CAAC,CAAC,qBAAqB,CAAC,GAAG,CAAC,CAAC;AACtC,CAAC;AAED,MAAM,UAAU,gCAAgC,CAAC,QAAgB;IAC/D,OAAO,cAAc,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC;AACtD,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,sBAAsB;IACpC,OAAO,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;AACrC,CAAC"}
|
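--- a/package/dist/esm/index.d.ts
+++ b/package/dist/esm/index.d.ts
@@ -1,6 +1,10 @@
+export { BaseConditionKeyType, isConditionKeyArray, type ConditionKeyType } from './ConditionKeys.js';
+export { findContextKeys } from './context_keys/findContextKeys.js';
 export { type EvaluationResult } from './evaluate.js';
+export { allowedContextKeysForRequest } from './simulation_engine/contextKeys.js';
 export { type Simulation } from './simulation_engine/simulation.js';
 export { runSimulation } from './simulation_engine/simulationEngine.js';
 export { type SimulationOptions } from './simulation_engine/simulationOptions.js';
 export { runUnsafeSimulation } from './simulation_engine/unsafeSimulationEngine.js';
+export { isWildcardOnlyAction, typeForContextKey } from './util.js';
 //# sourceMappingURL=index.d.ts.map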
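Review bot: `BaseConditionKeyType` is re-exported as a value in the new first line of index.d.ts but is absent from the matching export added to index.js (`export { isConditionKeyArray } from './ConditionKeys.js';`), so a consumer that imports it at runtime would receive `undefined` if it is a value such as an enum or const. If it is type-only — which the compiler omitting it from index.js suggests — writing the re-export as `export { isConditionKeyArray, type BaseConditionKeyType, type ConditionKeyType } from './ConditionKeys.js';` makes that explicit and keeps the declaration honest for consumers compiling with `isolatedModules` or `verbatimModuleSyntax`. The ConditionKeys.js source is not in this diff, so confirm which it is before changing the declaration.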
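--- a/package/dist/esm/index.d.ts.map
+++ b/package/dist/esm/index.d.ts.map
@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACtD,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,mCAAmC,CAAC;AACpE,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAC;AACxE,OAAO,EAAE,KAAK,iBAAiB,EAAE,MAAM,0CAA0C,CAAC;AAClF,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,KAAK,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtG,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAC;AACpE,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACtD,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAC;AAClF,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,mCAAmC,CAAC;AACpE,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAC;AACxE,OAAO,EAAE,KAAK,iBAAiB,EAAE,MAAM,0CAA0C,CAAC;AAClF,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAC;AACpF,OAAO,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC"}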
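--- a/package/dist/esm/index.js
+++ b/package/dist/esm/index.js
@@ -1,3 +1,7 @@
+export { isConditionKeyArray } from './ConditionKeys.js';
+export { findContextKeys } from './context_keys/findContextKeys.js';
+export { allowedContextKeysForRequest } from './simulation_engine/contextKeys.js';
 export { runSimulation } from './simulation_engine/simulationEngine.js';
 export { runUnsafeSimulation } from './simulation_engine/unsafeSimulationEngine.js';
+export { isWildcardOnlyAction, typeForContextKey } from './util.js';
 //# sourceMappingURL=index.js.map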
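--- a/package/dist/esm/index.js.map
+++ b/package/dist/esm/index.js.map
@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAwB,mBAAmB,EAAyB,MAAM,oBAAoB,CAAC;AACtG,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAC;AAEpE,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAC;AAElF,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAC;AAExE,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAC;AACpF,OAAO,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC"}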
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import { Principal } from "@cloud-copilot/iam-policy";
|
|
1
|
+
import { Principal, Statement } from "@cloud-copilot/iam-policy";
|
|
2
2
|
import { AwsRequest } from "../request/request.js";
|
|
3
3
|
export type PrincipalMatchResult = 'Match' | 'NoMatch' | 'AccountLevelMatch';
|
|
4
4
|
/**
|
|
@@ -27,4 +27,12 @@ export declare function requestMatchesNotPrincipal(request: AwsRequest, notPrinc
|
|
|
27
27
|
export declare function requestMatchesPrincipalStatement(request: AwsRequest, principalStatement: Principal): PrincipalMatchResult;
|
|
28
28
|
export declare function isAssumedRoleArn(principal: string): boolean;
|
|
29
29
|
export declare function roleArnFromAssumedRoleArn(assumedRoleArn: string): string;
|
|
30
|
+
/**
|
|
31
|
+
* Check if a request matches the Resource or NotResource elements of a statement.
|
|
32
|
+
*
|
|
33
|
+
* @param request the request to check
|
|
34
|
+
* @param statement the statement to check against
|
|
35
|
+
* @returns true if the request matches the resources in the statement, false otherwise
|
|
36
|
+
*/
|
|
37
|
+
export declare function requestMatchesStatementPrincipals(request: AwsRequest, statement: Statement): PrincipalMatchResult;
|
|
30
38
|
//# sourceMappingURL=principal.d.ts.map
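Review bot: The JSDoc added for `requestMatchesStatementPrincipals` (new lines 30–37) is copied from a resource matcher: it says the function checks `Resource`/`NotResource` and returns `true`/`false`, while the declaration returns `PrincipalMatchResult` and the implementation in the principal.js hunk dispatches on `isPrincipalStatement()`/`isNotPrincipalStatement()` and throws `'Statement should have Principal or NotPrincipal'` otherwise. Suggest a header along the lines of `Check if a request matches the Principal or NotPrincipal element of a statement.`, with `@returns 'Match', 'NoMatch' or 'AccountLevelMatch' as reported by the corresponding matcher` and `@throws Error if the statement has neither Principal nor NotPrincipal`. The same docstring is duplicated in the principal.js hunk and should be corrected there too. Failing closed on a statement without either element is the right default for an authorizer, but identity-based policy statements carry no Principal element, so the throw is part of the caller's contract and belongs in the doc.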
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"principal.d.ts","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;
|
|
1
|
+
{"version":3,"file":"principal.d.ts","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AA4CnD,MAAM,MAAM,oBAAoB,GAAG,OAAO,GAAG,SAAS,GAAG,mBAAmB,CAAA;AAE5E;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,oBAAoB,CAWzG;AAED;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,SAAS,EAAE,GAAG,oBAAoB,CAiB/G;AAED;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAAC,OAAO,EAAE,UAAU,EAAE,kBAAkB,EAAE,SAAS,GAAG,oBAAoB,CAgDzH;AAID,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAE3D;AAED,wBAAgB,yBAAyB,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAKxE;AAED;;;;;;GAMG;AACH,wBAAgB,iCAAiC,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,GAAG,oBAAoB,CAOjH"}
|
|
@@ -97,4 +97,20 @@ export function roleArnFromAssumedRoleArn(assumedRoleArn) {
|
|
|
97
97
|
const rolePathAndName = resourceParts.slice(1, -1).join('/');
|
|
98
98
|
return `arn:aws:iam::${stsParts[4]}:role/${rolePathAndName}`;
|
|
99
99
|
}
|
|
100
|
+
/**
|
|
101
|
+
* Check if a request matches the Resource or NotResource elements of a statement.
|
|
102
|
+
*
|
|
103
|
+
* @param request the request to check
|
|
104
|
+
* @param statement the statement to check against
|
|
105
|
+
* @returns true if the request matches the resources in the statement, false otherwise
|
|
106
|
+
*/
|
|
107
|
+
export function requestMatchesStatementPrincipals(request, statement) {
|
|
108
|
+
if (statement.isPrincipalStatement()) {
|
|
109
|
+
return requestMatchesPrincipal(request, statement.principals());
|
|
110
|
+
}
|
|
111
|
+
else if (statement.isNotPrincipalStatement()) {
|
|
112
|
+
return requestMatchesNotPrincipal(request, statement.notPrincipals());
|
|
113
|
+
}
|
|
114
|
+
throw new Error('Statement should have Principal or NotPrincipal');
|
|
115
|
+
}
|
|
100
116
|
//# sourceMappingURL=principal.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"principal.js","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":"AA+CA;;;;;;GAMG;AACH,MAAM,UAAU,uBAAuB,CAAC,OAAmB,EAAE,SAAsB;IACjF,MAAM,OAAO,GAAG,SAAS,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAE,CAAC,gCAAgC,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC,CAAA;IAClH,IAAG,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7B,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,IAAG,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;QACzC,OAAO,mBAAmB,CAAA;IAC5B,CAAC;IAED,OAAO,SAAS,CAAA;AAClB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,0BAA0B,CAAC,OAAmB,EAAE,YAAyB;IACvF,MAAM,OAAO,GAAG,YAAY,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAE,CAAC,gCAAgC,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC,CAAA;IACrH,IAAG,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7B,OAAO,SAAS,CAAA;IAClB,CAAC;IAED;;;;;OAKG;IACH,IAAG,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;QACzC,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gCAAgC,CAAC,OAAmB,EAAE,kBAA6B;IACjG,IAAG,kBAAkB,CAAC,kBAAkB,EAAE,EAAE,CAAC;QAC3C,IAAG,kBAAkB,CAAC,OAAO,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAC9D,OAAO,OAAO,CAAA;QAChB,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAG,kBAAkB,CAAC,wBAAwB,EAAE,EAAE,CAAC;QACjD,IAAG,kBAAkB,CAAC,aAAa,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YACpE,OAAO,OAAO,CAAA;QAChB,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAG,kBAAkB,CAAC,oBAAoB,EAAE,EAAE,CAAC;QAC7C,IAAG,kBAAkB,CAAC,SAAS,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAChE,OAAO,OAAO,CAAA;QAChB,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAG,kBAAkB,CAAC,mBAAmB,EAAE,EAAE,CAAC;QAC5C,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,IAAG,kBAAkB,CAAC,kBAAkB,EAAE,EAAE,CAAC;QAC3C,IAAG,kBAAkB,CAAC,SAAS,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,CAAC;YACpE,OAAO,mBAAmB,CAAA;QAC5B,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAG,kBAAkB,CAAC,cAAc,EAAE,EAAE,CAAC;QACvC,IAAG,gBAAgB,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC;YAC/C,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;YAC5C,MAAM,OAAO,GAAG,yBAAyB,CAAC,UAAU,CAAC,CAAA;YACrD,IAAG,kBAAkB,CAAC,GAAG,EAAE,KAAM,
OAAO,IAAI,kBAAkB,CAAC,GAAG,EAAE,KAAK,UAAU,EAAE,CAAC;gBACpF,OAAO,OAAO,CAAA;YAChB,CAAC;QACH,CAAC;QAED,IAAG,kBAAkB,CAAC,GAAG,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAC1D,OAAO,OAAO,CAAA;QAChB,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAA;AAClB,CAAC;AAED,MAAM,mBAAmB,GAAG,wCAAwC,CAAA;AAEpE,MAAM,UAAU,gBAAgB,CAAC,SAAiB;IAChD,OAAO,mBAAmB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;AAC5C,CAAC;AAED,MAAM,UAAU,yBAAyB,CAAC,cAAsB;IAC9D,MAAM,QAAQ,GAAG,cAAc,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC1C,MAAM,aAAa,GAAG,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,CAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACjD,MAAM,eAAe,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IAC5D,OAAO,gBAAgB,QAAQ,CAAC,CAAC,CAAC,SAAS,eAAe,EAAE,CAAA;AAC9D,CAAC"}
|
|
1
|
+
{"version":3,"file":"principal.js","sourceRoot":"","sources":["../../../src/principal/principal.ts"],"names":[],"mappings":"AA+CA;;;;;;GAMG;AACH,MAAM,UAAU,uBAAuB,CAAC,OAAmB,EAAE,SAAsB;IACjF,MAAM,OAAO,GAAG,SAAS,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAE,CAAC,gCAAgC,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC,CAAA;IAClH,IAAG,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7B,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,IAAG,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;QACzC,OAAO,mBAAmB,CAAA;IAC5B,CAAC;IAED,OAAO,SAAS,CAAA;AAClB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,0BAA0B,CAAC,OAAmB,EAAE,YAAyB;IACvF,MAAM,OAAO,GAAG,YAAY,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAE,CAAC,gCAAgC,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC,CAAA;IACrH,IAAG,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7B,OAAO,SAAS,CAAA;IAClB,CAAC;IAED;;;;;OAKG;IACH,IAAG,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;QACzC,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gCAAgC,CAAC,OAAmB,EAAE,kBAA6B;IACjG,IAAG,kBAAkB,CAAC,kBAAkB,EAAE,EAAE,CAAC;QAC3C,IAAG,kBAAkB,CAAC,OAAO,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAC9D,OAAO,OAAO,CAAA;QAChB,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAG,kBAAkB,CAAC,wBAAwB,EAAE,EAAE,CAAC;QACjD,IAAG,kBAAkB,CAAC,aAAa,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YACpE,OAAO,OAAO,CAAA;QAChB,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAG,kBAAkB,CAAC,oBAAoB,EAAE,EAAE,CAAC;QAC7C,IAAG,kBAAkB,CAAC,SAAS,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAChE,OAAO,OAAO,CAAA;QAChB,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAG,kBAAkB,CAAC,mBAAmB,EAAE,EAAE,CAAC;QAC5C,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,IAAG,kBAAkB,CAAC,kBAAkB,EAAE,EAAE,CAAC;QAC3C,IAAG,kBAAkB,CAAC,SAAS,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,CAAC;YACpE,OAAO,mBAAmB,CAAA;QAC5B,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,IAAG,kBAAkB,CAAC,cAAc,EAAE,EAAE,CAAC;QACvC,IAAG,gBAAgB,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC;YAC/C,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAA;YAC5C,MAAM,OAAO,GAAG,yBAAyB,CAAC,UAAU,CAAC,CAAA;YACrD,IAAG,kBAAkB,CAAC,GAAG,EAAE,KAAM,
OAAO,IAAI,kBAAkB,CAAC,GAAG,EAAE,KAAK,UAAU,EAAE,CAAC;gBACpF,OAAO,OAAO,CAAA;YAChB,CAAC;QACH,CAAC;QAED,IAAG,kBAAkB,CAAC,GAAG,EAAE,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC;YAC1D,OAAO,OAAO,CAAA;QAChB,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAA;AAClB,CAAC;AAED,MAAM,mBAAmB,GAAG,wCAAwC,CAAA;AAEpE,MAAM,UAAU,gBAAgB,CAAC,SAAiB;IAChD,OAAO,mBAAmB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;AAC5C,CAAC;AAED,MAAM,UAAU,yBAAyB,CAAC,cAAsB;IAC9D,MAAM,QAAQ,GAAG,cAAc,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC1C,MAAM,aAAa,GAAG,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,CAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACjD,MAAM,eAAe,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IAC5D,OAAO,gBAAgB,QAAQ,CAAC,CAAC,CAAC,SAAS,eAAe,EAAE,CAAA;AAC9D,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,iCAAiC,CAAC,OAAmB,EAAE,SAAoB;IACzF,IAAG,SAAS,CAAC,oBAAoB,EAAE,EAAE,CAAC;QACpC,OAAO,uBAAuB,CAAC,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE,CAAC,CAAA;IACjE,CAAC;SAAM,IAAG,SAAS,CAAC,uBAAuB,EAAE,EAAE,CAAC;QAC9C,OAAO,0BAA0B,CAAC,OAAO,EAAE,SAAS,CAAC,aAAa,EAAE,CAAC,CAAC;IACxE,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAA;AACpE,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"requestPrincipal.d.ts","sourceRoot":"","sources":["../../../src/request/requestPrincipal.ts"],"names":[],"mappings":"AACA;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAE/B;;OAEG;IACH,KAAK,IAAI,MAAM,CAAC;IAEhB;;OAEG;IACH,SAAS,IAAI,MAAM,GAAG,SAAS,CAAC;CAEjC;AAED,qBAAa,oBAAqB,YAAW,gBAAgB;IAC/C,OAAO,CAAC,QAAQ,CAAC,QAAQ;gBAAR,QAAQ,EAAE,MAAM;IAE7C,SAAS,IAAI,MAAM,GAAG,SAAS;IAIxB,KAAK,IAAI,MAAM;
|
|
1
|
+
{"version":3,"file":"requestPrincipal.d.ts","sourceRoot":"","sources":["../../../src/request/requestPrincipal.ts"],"names":[],"mappings":"AACA;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAE/B;;OAEG;IACH,KAAK,IAAI,MAAM,CAAC;IAEhB;;OAEG;IACH,SAAS,IAAI,MAAM,GAAG,SAAS,CAAC;CAEjC;AAED,qBAAa,oBAAqB,YAAW,gBAAgB;IAC/C,OAAO,CAAC,QAAQ,CAAC,QAAQ;gBAAR,QAAQ,EAAE,MAAM;IAE7C,SAAS,IAAI,MAAM,GAAG,SAAS;IAIxB,KAAK,IAAI,MAAM;CAKvB"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"requestPrincipal.js","sourceRoot":"","sources":["../../../src/request/requestPrincipal.ts"],"names":[],"mappings":"AAkBA,MAAM,OAAO,oBAAoB;IAC/B,YAA6B,QAAgB;QAAhB,aAAQ,GAAR,QAAQ,CAAQ;IAAG,CAAC;IAEjD,SAAS;QACP,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IACvC,CAAC;IAEM,KAAK;QACV,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;
|
|
1
|
+
{"version":3,"file":"requestPrincipal.js","sourceRoot":"","sources":["../../../src/request/requestPrincipal.ts"],"names":[],"mappings":"AAkBA,MAAM,OAAO,oBAAoB;IAC/B,YAA6B,QAAgB;QAAhB,aAAQ,GAAR,QAAQ,CAAQ;IAAG,CAAC;IAEjD,SAAS;QACP,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IACvC,CAAC;IAEM,KAAK;QACV,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;CAGF"}
|
|
@@ -1,9 +1,38 @@
|
|
|
1
|
-
import { EvaluationResult } from "../evaluate.js";
|
|
1
|
+
import { EvaluationResult, ResourceEvaluationResult } from "../evaluate.js";
|
|
2
2
|
import { StatementAnalysis } from "../StatementAnalysis.js";
|
|
3
3
|
import { ServiceAuthorizationRequest, ServiceAuthorizer } from "./ServiceAuthorizer.js";
|
|
4
|
+
/**
|
|
5
|
+
* The default authorizer for services.
|
|
6
|
+
*/
|
|
4
7
|
export declare class DefaultServiceAuthorizer implements ServiceAuthorizer {
|
|
5
8
|
authorize(request: ServiceAuthorizationRequest): EvaluationResult;
|
|
9
|
+
/**
|
|
10
|
+
* Determine the result of the SCP analysis.
|
|
11
|
+
*
|
|
12
|
+
* @param request The request to authorize.
|
|
13
|
+
* @returns The result of the SCP analysis.
|
|
14
|
+
*/
|
|
15
|
+
serviceControlPolicyResult(request: ServiceAuthorizationRequest): EvaluationResult;
|
|
16
|
+
/**
|
|
17
|
+
* Evaluate the identity statements to determine the result.
|
|
18
|
+
*
|
|
19
|
+
* @param request The request to authorize.
|
|
20
|
+
* @returns The result of the identity statement analysis.
|
|
21
|
+
*/
|
|
6
22
|
identityStatementResult(request: ServiceAuthorizationRequest): EvaluationResult;
|
|
23
|
+
/**
|
|
24
|
+
* Evaluate the resource policy to determine the result.
|
|
25
|
+
*
|
|
26
|
+
* @param request the request to authorize
|
|
27
|
+
* @returns the result of the resource policy analysis
|
|
28
|
+
*/
|
|
29
|
+
resourcePolicyResult(request: ServiceAuthorizationRequest): ResourceEvaluationResult;
|
|
30
|
+
/**
|
|
31
|
+
* Checks if a statement is an identity statement that allows the request.
|
|
32
|
+
*
|
|
33
|
+
* @param statement The statement to check.
|
|
34
|
+
* @returns Whether the statement is an identity statement that allows the request.
|
|
35
|
+
*/
|
|
7
36
|
identityStatementAllows(statement: StatementAnalysis): boolean;
|
|
8
37
|
identityStatementUknownAllow(statement: StatementAnalysis): boolean;
|
|
9
38
|
identityStatementUknownDeny(statement: StatementAnalysis): boolean;
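Review bot: `authorize` is the one public method in this declaration still without a JSDoc, while the four helpers added after it (new lines 9–35) each got one; add `/** Authorize a request by combining the SCP, identity-statement and resource-policy results. @param request The request to authorize. @returns The overall evaluation result. */` above it. The pre-existing `identityStatementUknownAllow` / `identityStatementUknownDeny` names keep their "Uknown" typo; renaming them would break callers, so at most note the spelling in their docs rather than change the interface here.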
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;
|
|
1
|
+
{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,wBAAwB,EAAE,MAAM,gBAAgB,CAAC;AAC5E,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,EAAE,2BAA2B,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAExF;;GAEG;AACH,qBAAa,wBAAyB,YAAW,iBAAiB;IACzD,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,gBAAgB;IAiDxE;;;;;OAKG;IACI,0BAA0B,CAAC,OAAO,EAAE,2BAA2B,GAAG,gBAAgB;IAwBzF;;;;;OAKG;IACI,uBAAuB,CAAC,OAAO,EAAE,2BAA2B,GAAG,gBAAgB;IAoBtF;;;;;OAKG;IACI,oBAAoB,CAAC,OAAO,EAAE,2BAA2B,GAAG,wBAAwB;IAyB3F;;;;;OAKG;IACI,uBAAuB,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;IAU9D,4BAA4B,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;IAUnE,2BAA2B,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;IAUlE,6BAA6B,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO;CAS5E"}
|
|
@@ -1,24 +1,78 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* The default authorizer for services.
|
|
3
|
+
*/
|
|
1
4
|
export class DefaultServiceAuthorizer {
|
|
2
5
|
authorize(request) {
|
|
6
|
+
const scpResult = this.serviceControlPolicyResult(request);
|
|
3
7
|
const identityStatementResult = this.identityStatementResult(request);
|
|
8
|
+
const resourcePolicyResult = this.resourcePolicyResult(request);
|
|
4
9
|
const principalAccount = request.request.principal.accountId();
|
|
5
10
|
const resourceAccount = request.request.resource?.accountId();
|
|
11
|
+
if (scpResult !== 'Allowed') {
|
|
12
|
+
return scpResult;
|
|
13
|
+
}
|
|
14
|
+
if (resourcePolicyResult === 'ExplicitlyDenied' || resourcePolicyResult === 'DeniedForAccount') {
|
|
15
|
+
return 'ExplicitlyDenied';
|
|
16
|
+
}
|
|
17
|
+
if (identityStatementResult === 'ExplicitlyDenied') {
|
|
18
|
+
return 'ExplicitlyDenied';
|
|
19
|
+
}
|
|
20
|
+
//Same Account
|
|
21
|
+
if (principalAccount === resourceAccount) {
|
|
22
|
+
if (resourcePolicyResult === 'Allowed' || resourcePolicyResult === 'AllowedForAccount' || identityStatementResult === 'Allowed') {
|
|
23
|
+
return 'Allowed';
|
|
24
|
+
}
|
|
25
|
+
return 'ImplicitlyDenied';
|
|
26
|
+
}
|
|
27
|
+
//Cross Account
|
|
28
|
+
if (resourcePolicyResult === 'Allowed' || resourcePolicyResult === 'AllowedForAccount') {
|
|
29
|
+
if (identityStatementResult === 'Allowed') {
|
|
30
|
+
return 'Allowed';
|
|
31
|
+
}
|
|
32
|
+
return 'ImplicitlyDenied';
|
|
33
|
+
}
|
|
34
|
+
return 'ImplicitlyDenied';
|
|
6
35
|
/**
|
|
7
36
|
* Add checks for:
|
|
8
|
-
* *
|
|
9
|
-
* * service
|
|
37
|
+
* * root user
|
|
38
|
+
* * service linked roles
|
|
39
|
+
* * resource control policies
|
|
10
40
|
* * boundary policies
|
|
11
41
|
* * vpc endpoint policies
|
|
12
42
|
* * session policies (maybe these are just part of identity policies?)
|
|
13
43
|
*/
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
44
|
+
}
|
|
45
|
+
/**
|
|
46
|
+
* Determine the result of the SCP analysis.
|
|
47
|
+
*
|
|
48
|
+
* @param request The request to authorize.
|
|
49
|
+
* @returns The result of the SCP analysis.
|
|
50
|
+
*/
|
|
51
|
+
serviceControlPolicyResult(request) {
|
|
52
|
+
const orgAllows = request.scpAnalysis.map((scpAnalysis) => {
|
|
53
|
+
return scpAnalysis.statementAnalysis.some((statement) => {
|
|
54
|
+
return this.identityStatementAllows(statement);
|
|
55
|
+
});
|
|
56
|
+
});
|
|
57
|
+
if (orgAllows.includes(false)) {
|
|
18
58
|
return 'ImplicitlyDenied';
|
|
19
59
|
}
|
|
20
|
-
|
|
60
|
+
const anyScpDeny = request.scpAnalysis.some((scpAnalysis) => {
|
|
61
|
+
return scpAnalysis.statementAnalysis.some((statement) => {
|
|
62
|
+
return this.identityStatementExplicitDeny(statement);
|
|
63
|
+
});
|
|
64
|
+
});
|
|
65
|
+
if (anyScpDeny) {
|
|
66
|
+
return 'ExplicitlyDenied';
|
|
67
|
+
}
|
|
68
|
+
return 'Allowed';
|
|
21
69
|
}
|
|
70
|
+
/**
|
|
71
|
+
* Evaluate the identity statements to determine the result.
|
|
72
|
+
*
|
|
73
|
+
* @param request The request to authorize.
|
|
74
|
+
* @returns The result of the identity statement analysis.
|
|
75
|
+
*/
|
|
22
76
|
identityStatementResult(request) {
|
|
23
77
|
const explicitDeny = request.identityStatements.some(s => this.identityStatementExplicitDeny(s));
|
|
24
78
|
if (explicitDeny) {
|
|
@@ -35,6 +89,38 @@ export class DefaultServiceAuthorizer {
|
|
|
35
89
|
}
|
|
36
90
|
return 'ImplicitlyDenied';
|
|
37
91
|
}
|
|
92
|
+
/**
|
|
93
|
+
* Evaluate the resource policy to determine the result.
|
|
94
|
+
*
|
|
95
|
+
* @param request the request to authorize
|
|
96
|
+
* @returns the result of the resource policy analysis
|
|
97
|
+
*/
|
|
98
|
+
resourcePolicyResult(request) {
|
|
99
|
+
if (!request.resourceAnalysis) {
|
|
100
|
+
return 'NotApplicable';
|
|
101
|
+
}
|
|
102
|
+
const denyStatements = request.resourceAnalysis.filter(s => this.identityStatementExplicitDeny(s));
|
|
103
|
+
if (denyStatements.some(s => s.principalMatch === 'Match')) {
|
|
104
|
+
return 'ExplicitlyDenied';
|
|
105
|
+
}
|
|
106
|
+
if (denyStatements.some(s => s.principalMatch === 'AccountLevelMatch')) {
|
|
107
|
+
return 'DeniedForAccount';
|
|
108
|
+
}
|
|
109
|
+
const allowStatements = request.resourceAnalysis.filter(s => this.identityStatementAllows(s));
|
|
110
|
+
if (allowStatements.some(s => s.principalMatch === 'Match')) {
|
|
111
|
+
return 'Allowed';
|
|
112
|
+
}
|
|
113
|
+
if (allowStatements.some(s => s.principalMatch === 'AccountLevelMatch')) {
|
|
114
|
+
return 'AllowedForAccount';
|
|
115
|
+
}
|
|
116
|
+
return 'ImplicityDenied';
|
|
117
|
+
}
|
|
118
|
+
/**
|
|
119
|
+
* Checks if a statement is an identity statement that allows the request.
|
|
120
|
+
*
|
|
121
|
+
* @param statement The statement to check.
|
|
122
|
+
* @returns Whether the statement is an identity statement that allows the request.
|
|
123
|
+
*/
|
|
38
124
|
identityStatementAllows(statement) {
|
|
39
125
|
if (statement.resourceMatch &&
|
|
40
126
|
statement.actionMatch &&
|