@cloud-copilot/iam-utils 0.1.43 → 0.1.45

package/dist/cjs/actions.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Checks to see if the action matches the provided IAM action pattern.
+ *
+ * @param action the action to check, should not contain wildcards
+ * @param pattern the pattern to match against, may contain wildcards
+ * @returns true if the action matches the pattern, false otherwise
+ */
+export declare function actionMatchesPattern(action: string, pattern: string): boolean;
+//# sourceMappingURL=actions.d.ts.map

package/dist/cjs/actions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"actions.d.ts","sourceRoot":"","sources":["../../src/actions.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAuC7E"}

package/dist/cjs/actions.js

@@ -0,0 +1,65 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.actionMatchesPattern = actionMatchesPattern;
+/**
+ * Checks to see if the action matches the provided IAM action pattern.
+ *
+ * @param action the action to check, should not contain wildcards
+ * @param pattern the pattern to match against, may contain wildcards
+ * @returns true if the action matches the pattern, false otherwise
+ */
+function actionMatchesPattern(action, pattern) {
+    const unescapedAction = unescapeUnicodeCharacters(action);
+    const unescapedPattern = unescapeUnicodeCharacters(pattern);
+    // Full wildcard matches everything
+    if (unescapedPattern === '*') {
+        return true;
+    }
+    // Split into service and action parts
+    const patternColonIndex = unescapedPattern.indexOf(':');
+    const actionColonIndex = unescapedAction.indexOf(':');
+    // If pattern has no colon, it must match the entire action exactly (case-insensitive)
+    if (patternColonIndex === -1) {
+        if (actionColonIndex === -1) {
+            return unescapedAction.toLowerCase() === unescapedPattern.toLowerCase();
+        }
+        return false;
+    }
+    // If action has no colon but pattern does, no match
+    if (actionColonIndex === -1) {
+        return false;
+    }
+    const patternService = unescapedPattern.substring(0, patternColonIndex);
+    const patternAction = unescapedPattern.substring(patternColonIndex + 1);
+    const actionService = unescapedAction.substring(0, actionColonIndex);
+    const actionAction = unescapedAction.substring(actionColonIndex + 1);
+    // Service must match exactly (case-insensitive), no wildcards allowed
+    if (patternService.toLowerCase() !== actionService.toLowerCase()) {
+        return false;
+    }
+    // Match the action part with wildcards
+    const regex = convertStringToPattern(patternAction);
+    return regex.test(actionAction);
+}
+/**
+ * Converts an action string pattern to a regular expression for matching.
+ *
+ * @param actionString the IAM action pattern string to convert
+ * @returns RegExp that matches the pattern (case-insensitive)
+ */
+function convertStringToPattern(actionString) {
+    const pattern = '^' + actionString.replace(/\?/g, '.').replace(/\*/g, '.*?') + '$';
+    return new RegExp(pattern, 'i');
+}
+/**
+ * Unescapes unicode characters in a string.
+ *
+ * @param str The string to unescape
+ * @returns The string with any escaped unicode characters replaced with their actual characters
+ */
+function unescapeUnicodeCharacters(str) {
+    return str.replace(/\\u([\dA-Fa-f]{4})/gi, (match, code) => {
+        return String.fromCharCode(parseInt(code, 16));
+    });
+}
+//# sourceMappingURL=actions.js.map

package/dist/cjs/actions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"actions.js","sourceRoot":"","sources":["../../src/actions.ts"],"names":[],"mappings":";;AAOA,oDAuCC;AA9CD;;;;;;GAMG;AACH,SAAgB,oBAAoB,CAAC,MAAc,EAAE,OAAe;IAClE,MAAM,eAAe,GAAG,yBAAyB,CAAC,MAAM,CAAC,CAAA;IACzD,MAAM,gBAAgB,GAAG,yBAAyB,CAAC,OAAO,CAAC,CAAA;IAE3D,mCAAmC;IACnC,IAAI,gBAAgB,KAAK,GAAG,EAAE,CAAC;QAC7B,OAAO,IAAI,CAAA;IACb,CAAC;IAED,sCAAsC;IACtC,MAAM,iBAAiB,GAAG,gBAAgB,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IACvD,MAAM,gBAAgB,GAAG,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IAErD,sFAAsF;IACtF,IAAI,iBAAiB,KAAK,CAAC,CAAC,EAAE,CAAC;QAC7B,IAAI,gBAAgB,KAAK,CAAC,CAAC,EAAE,CAAC;YAC5B,OAAO,eAAe,CAAC,WAAW,EAAE,KAAK,gBAAgB,CAAC,WAAW,EAAE,CAAA;QACzE,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAED,oDAAoD;IACpD,IAAI,gBAAgB,KAAK,CAAC,CAAC,EAAE,CAAC;QAC5B,OAAO,KAAK,CAAA;IACd,CAAC;IAED,MAAM,cAAc,GAAG,gBAAgB,CAAC,SAAS,CAAC,CAAC,EAAE,iBAAiB,CAAC,CAAA;IACvE,MAAM,aAAa,GAAG,gBAAgB,CAAC,SAAS,CAAC,iBAAiB,GAAG,CAAC,CAAC,CAAA;IACvE,MAAM,aAAa,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC,EAAE,gBAAgB,CAAC,CAAA;IACpE,MAAM,YAAY,GAAG,eAAe,CAAC,SAAS,CAAC,gBAAgB,GAAG,CAAC,CAAC,CAAA;IAEpE,sEAAsE;IACtE,IAAI,cAAc,CAAC,WAAW,EAAE,KAAK,aAAa,CAAC,WAAW,EAAE,EAAE,CAAC;QACjE,OAAO,KAAK,CAAA;IACd,CAAC;IAED,uCAAuC;IACvC,MAAM,KAAK,GAAG,sBAAsB,CAAC,aAAa,CAAC,CAAA;IACnD,OAAO,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAA;AACjC,CAAC;AAED;;;;;GAKG;AACH,SAAS,sBAAsB,CAAC,YAAoB;IAClD,MAAM,OAAO,GAAG,GAAG,GAAG,YAAY,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,GAAG,CAAA;IAClF,OAAO,IAAI,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;AACjC,CAAC;AAED;;;;;GAKG;AACH,SAAS,yBAAyB,CAAC,GAAW;IAC5C,OAAO,GAAG,CAAC,OAAO,CAAC,sBAAsB,EAAE,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;QACzD,OAAO,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAA;IAChD,CAAC,CAAC,CAAA;AACJ,CAAC"}

package/dist/cjs/index.d.ts

@@ -1,4 +1,6 @@
+export { actionMatchesPattern } from './actions.js';
 export { getResourceSegments, splitArnParts, type ArnParts } from './arn.js';
 export { convertAssumedRoleArnToRoleArn, convertRoleArnToAssumedRoleArn, isArnPrincipal, isAssumedRoleArn, isFederatedUserArn, isIamRoleArn, isIamUserArn, isServicePrincipal } from './principals.js';
+export { resourceArnWithWildcardsToRegex } from './resources.js';
 export { bucketArn, isS3BucketOrObjectArn } from './s3.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/cjs/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,aAAa,EAAE,KAAK,QAAQ,EAAE,MAAM,UAAU,CAAA;AAC5E,OAAO,EACL,8BAA8B,EAC9B,8BAA8B,EAC9B,cAAc,EACd,gBAAgB,EAChB,kBAAkB,EAClB,YAAY,EACZ,YAAY,EACZ,kBAAkB,EACnB,MAAM,iBAAiB,CAAA;AACxB,OAAO,EAAE,SAAS,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAA;AACnD,OAAO,EAAE,mBAAmB,EAAE,aAAa,EAAE,KAAK,QAAQ,EAAE,MAAM,UAAU,CAAA;AAC5E,OAAO,EACL,8BAA8B,EAC9B,8BAA8B,EAC9B,cAAc,EACd,gBAAgB,EAChB,kBAAkB,EAClB,YAAY,EACZ,YAAY,EACZ,kBAAkB,EACnB,MAAM,iBAAiB,CAAA;AACxB,OAAO,EAAE,+BAA+B,EAAE,MAAM,gBAAgB,CAAA;AAChE,OAAO,EAAE,SAAS,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAA"}

package/dist/cjs/index.js

@@ -1,6 +1,8 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.isS3BucketOrObjectArn = exports.bucketArn = exports.isServicePrincipal = exports.isIamUserArn = exports.isIamRoleArn = exports.isFederatedUserArn = exports.isAssumedRoleArn = exports.isArnPrincipal = exports.convertRoleArnToAssumedRoleArn = exports.convertAssumedRoleArnToRoleArn = exports.splitArnParts = exports.getResourceSegments = void 0;
+exports.isS3BucketOrObjectArn = exports.bucketArn = exports.resourceArnWithWildcardsToRegex = exports.isServicePrincipal = exports.isIamUserArn = exports.isIamRoleArn = exports.isFederatedUserArn = exports.isAssumedRoleArn = exports.isArnPrincipal = exports.convertRoleArnToAssumedRoleArn = exports.convertAssumedRoleArnToRoleArn = exports.splitArnParts = exports.getResourceSegments = exports.actionMatchesPattern = void 0;
+var actions_js_1 = require("./actions.js");
+Object.defineProperty(exports, "actionMatchesPattern", { enumerable: true, get: function () { return actions_js_1.actionMatchesPattern; } });
 var arn_js_1 = require("./arn.js");
 Object.defineProperty(exports, "getResourceSegments", { enumerable: true, get: function () { return arn_js_1.getResourceSegments; } });
 Object.defineProperty(exports, "splitArnParts", { enumerable: true, get: function () { return arn_js_1.splitArnParts; } });
@@ -13,6 +15,8 @@ Object.defineProperty(exports, "isFederatedUserArn", { enumerable: true, get: fu
 Object.defineProperty(exports, "isIamRoleArn", { enumerable: true, get: function () { return principals_js_1.isIamRoleArn; } });
 Object.defineProperty(exports, "isIamUserArn", { enumerable: true, get: function () { return principals_js_1.isIamUserArn; } });
 Object.defineProperty(exports, "isServicePrincipal", { enumerable: true, get: function () { return principals_js_1.isServicePrincipal; } });
+var resources_js_1 = require("./resources.js");
+Object.defineProperty(exports, "resourceArnWithWildcardsToRegex", { enumerable: true, get: function () { return resources_js_1.resourceArnWithWildcardsToRegex; } });
 var s3_js_1 = require("./s3.js");
 Object.defineProperty(exports, "bucketArn", { enumerable: true, get: function () { return s3_js_1.bucketArn; } });
 Object.defineProperty(exports, "isS3BucketOrObjectArn", { enumerable: true, get: function () { return s3_js_1.isS3BucketOrObjectArn; } });

package/dist/cjs/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,mCAA4E;AAAnE,6GAAA,mBAAmB,OAAA;AAAE,uGAAA,aAAa,OAAA;AAC3C,iDASwB;AARtB,+HAAA,8BAA8B,OAAA;AAC9B,+HAAA,8BAA8B,OAAA;AAC9B,+GAAA,cAAc,OAAA;AACd,iHAAA,gBAAgB,OAAA;AAChB,mHAAA,kBAAkB,OAAA;AAClB,6GAAA,YAAY,OAAA;AACZ,6GAAA,YAAY,OAAA;AACZ,mHAAA,kBAAkB,OAAA;AAEpB,iCAA0D;AAAjD,kGAAA,SAAS,OAAA;AAAE,8GAAA,qBAAqB,OAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,2CAAmD;AAA1C,kHAAA,oBAAoB,OAAA;AAC7B,mCAA4E;AAAnE,6GAAA,mBAAmB,OAAA;AAAE,uGAAA,aAAa,OAAA;AAC3C,iDASwB;AARtB,+HAAA,8BAA8B,OAAA;AAC9B,+HAAA,8BAA8B,OAAA;AAC9B,+GAAA,cAAc,OAAA;AACd,iHAAA,gBAAgB,OAAA;AAChB,mHAAA,kBAAkB,OAAA;AAClB,6GAAA,YAAY,OAAA;AACZ,6GAAA,YAAY,OAAA;AACZ,mHAAA,kBAAkB,OAAA;AAEpB,+CAAgE;AAAvD,+HAAA,+BAA+B,OAAA;AACxC,iCAA0D;AAAjD,kGAAA,SAAS,OAAA;AAAE,8GAAA,qBAAqB,OAAA"}

package/dist/cjs/resources.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Convert an AWS wildcard ARN pattern (e.g. "arn:aws:s3:::bucket/*") into a RegExp.
+ *
+ * @param pattern The ARN pattern string with wildcards
+ * @returns RegExp that matches ARNs according to the wildcard pattern
+ */
+export declare function resourceArnWithWildcardsToRegex(pattern: string): RegExp;
+//# sourceMappingURL=resources.d.ts.map

package/dist/cjs/resources.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resources.d.ts","sourceRoot":"","sources":["../../src/resources.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,wBAAgB,+BAA+B,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAGvE"}

package/dist/cjs/resources.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resourceArnWithWildcardsToRegex = resourceArnWithWildcardsToRegex;
+/**
+ * Convert an AWS wildcard ARN pattern (e.g. "arn:aws:s3:::bucket/*") into a RegExp.
+ *
+ * @param pattern The ARN pattern string with wildcards
+ * @returns RegExp that matches ARNs according to the wildcard pattern
+ */
+function resourceArnWithWildcardsToRegex(pattern) {
+    const parts = pattern.split('*').map((s) => s.replace(/[-/\\^$+?.()|[\]{}]/g, '\\$&'));
+    return new RegExp('^' + parts.join('.*?') + '$');
+}
+//# sourceMappingURL=resources.js.map

package/dist/cjs/resources.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resources.js","sourceRoot":"","sources":["../../src/resources.ts"],"names":[],"mappings":";;AAMA,0EAGC;AATD;;;;;GAKG;AACH,SAAgB,+BAA+B,CAAC,OAAe;IAC7D,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,sBAAsB,EAAE,MAAM,CAAC,CAAC,CAAA;IACtF,OAAO,IAAI,MAAM,CAAC,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAA;AAClD,CAAC"}

package/dist/esm/actions.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Checks to see if the action matches the provided IAM action pattern.
+ *
+ * @param action the action to check, should not contain wildcards
+ * @param pattern the pattern to match against, may contain wildcards
+ * @returns true if the action matches the pattern, false otherwise
+ */
+export declare function actionMatchesPattern(action: string, pattern: string): boolean;
+//# sourceMappingURL=actions.d.ts.map

package/dist/esm/actions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"actions.d.ts","sourceRoot":"","sources":["../../src/actions.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAuC7E"}

package/dist/esm/actions.js

@@ -0,0 +1,62 @@
+/**
+ * Checks to see if the action matches the provided IAM action pattern.
+ *
+ * @param action the action to check, should not contain wildcards
+ * @param pattern the pattern to match against, may contain wildcards
+ * @returns true if the action matches the pattern, false otherwise
+ */
+export function actionMatchesPattern(action, pattern) {
+    const unescapedAction = unescapeUnicodeCharacters(action);
+    const unescapedPattern = unescapeUnicodeCharacters(pattern);
+    // Full wildcard matches everything
+    if (unescapedPattern === '*') {
+        return true;
+    }
+    // Split into service and action parts
+    const patternColonIndex = unescapedPattern.indexOf(':');
+    const actionColonIndex = unescapedAction.indexOf(':');
+    // If pattern has no colon, it must match the entire action exactly (case-insensitive)
+    if (patternColonIndex === -1) {
+        if (actionColonIndex === -1) {
+            return unescapedAction.toLowerCase() === unescapedPattern.toLowerCase();
+        }
+        return false;
+    }
+    // If action has no colon but pattern does, no match
+    if (actionColonIndex === -1) {
+        return false;
+    }
+    const patternService = unescapedPattern.substring(0, patternColonIndex);
+    const patternAction = unescapedPattern.substring(patternColonIndex + 1);
+    const actionService = unescapedAction.substring(0, actionColonIndex);
+    const actionAction = unescapedAction.substring(actionColonIndex + 1);
+    // Service must match exactly (case-insensitive), no wildcards allowed
+    if (patternService.toLowerCase() !== actionService.toLowerCase()) {
+        return false;
+    }
+    // Match the action part with wildcards
+    const regex = convertStringToPattern(patternAction);
+    return regex.test(actionAction);
+}
+/**
+ * Converts an action string pattern to a regular expression for matching.
+ *
+ * @param actionString the IAM action pattern string to convert
+ * @returns RegExp that matches the pattern (case-insensitive)
+ */
+function convertStringToPattern(actionString) {
+    const pattern = '^' + actionString.replace(/\?/g, '.').replace(/\*/g, '.*?') + '$';
+    return new RegExp(pattern, 'i');
+}
+/**
+ * Unescapes unicode characters in a string.
+ *
+ * @param str The string to unescape
+ * @returns The string with any escaped unicode characters replaced with their actual characters
+ */
+function unescapeUnicodeCharacters(str) {
+    return str.replace(/\\u([\dA-Fa-f]{4})/gi, (match, code) => {
+        return String.fromCharCode(parseInt(code, 16));
+    });
+}
+//# sourceMappingURL=actions.js.map

package/dist/esm/actions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"actions.js","sourceRoot":"","sources":["../../src/actions.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAAc,EAAE,OAAe;IAClE,MAAM,eAAe,GAAG,yBAAyB,CAAC,MAAM,CAAC,CAAA;IACzD,MAAM,gBAAgB,GAAG,yBAAyB,CAAC,OAAO,CAAC,CAAA;IAE3D,mCAAmC;IACnC,IAAI,gBAAgB,KAAK,GAAG,EAAE,CAAC;QAC7B,OAAO,IAAI,CAAA;IACb,CAAC;IAED,sCAAsC;IACtC,MAAM,iBAAiB,GAAG,gBAAgB,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IACvD,MAAM,gBAAgB,GAAG,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IAErD,sFAAsF;IACtF,IAAI,iBAAiB,KAAK,CAAC,CAAC,EAAE,CAAC;QAC7B,IAAI,gBAAgB,KAAK,CAAC,CAAC,EAAE,CAAC;YAC5B,OAAO,eAAe,CAAC,WAAW,EAAE,KAAK,gBAAgB,CAAC,WAAW,EAAE,CAAA;QACzE,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAED,oDAAoD;IACpD,IAAI,gBAAgB,KAAK,CAAC,CAAC,EAAE,CAAC;QAC5B,OAAO,KAAK,CAAA;IACd,CAAC;IAED,MAAM,cAAc,GAAG,gBAAgB,CAAC,SAAS,CAAC,CAAC,EAAE,iBAAiB,CAAC,CAAA;IACvE,MAAM,aAAa,GAAG,gBAAgB,CAAC,SAAS,CAAC,iBAAiB,GAAG,CAAC,CAAC,CAAA;IACvE,MAAM,aAAa,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC,EAAE,gBAAgB,CAAC,CAAA;IACpE,MAAM,YAAY,GAAG,eAAe,CAAC,SAAS,CAAC,gBAAgB,GAAG,CAAC,CAAC,CAAA;IAEpE,sEAAsE;IACtE,IAAI,cAAc,CAAC,WAAW,EAAE,KAAK,aAAa,CAAC,WAAW,EAAE,EAAE,CAAC;QACjE,OAAO,KAAK,CAAA;IACd,CAAC;IAED,uCAAuC;IACvC,MAAM,KAAK,GAAG,sBAAsB,CAAC,aAAa,CAAC,CAAA;IACnD,OAAO,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAA;AACjC,CAAC;AAED;;;;;GAKG;AACH,SAAS,sBAAsB,CAAC,YAAoB;IAClD,MAAM,OAAO,GAAG,GAAG,GAAG,YAAY,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,GAAG,CAAA;IAClF,OAAO,IAAI,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;AACjC,CAAC;AAED;;;;;GAKG;AACH,SAAS,yBAAyB,CAAC,GAAW;IAC5C,OAAO,GAAG,CAAC,OAAO,CAAC,sBAAsB,EAAE,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;QACzD,OAAO,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAA;IAChD,CAAC,CAAC,CAAA;AACJ,CAAC"}

package/dist/esm/index.d.ts

@@ -1,4 +1,6 @@
+export { actionMatchesPattern } from './actions.js';
 export { getResourceSegments, splitArnParts, type ArnParts } from './arn.js';
 export { convertAssumedRoleArnToRoleArn, convertRoleArnToAssumedRoleArn, isArnPrincipal, isAssumedRoleArn, isFederatedUserArn, isIamRoleArn, isIamUserArn, isServicePrincipal } from './principals.js';
+export { resourceArnWithWildcardsToRegex } from './resources.js';
 export { bucketArn, isS3BucketOrObjectArn } from './s3.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/esm/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,aAAa,EAAE,KAAK,QAAQ,EAAE,MAAM,UAAU,CAAA;AAC5E,OAAO,EACL,8BAA8B,EAC9B,8BAA8B,EAC9B,cAAc,EACd,gBAAgB,EAChB,kBAAkB,EAClB,YAAY,EACZ,YAAY,EACZ,kBAAkB,EACnB,MAAM,iBAAiB,CAAA;AACxB,OAAO,EAAE,SAAS,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAA;AACnD,OAAO,EAAE,mBAAmB,EAAE,aAAa,EAAE,KAAK,QAAQ,EAAE,MAAM,UAAU,CAAA;AAC5E,OAAO,EACL,8BAA8B,EAC9B,8BAA8B,EAC9B,cAAc,EACd,gBAAgB,EAChB,kBAAkB,EAClB,YAAY,EACZ,YAAY,EACZ,kBAAkB,EACnB,MAAM,iBAAiB,CAAA;AACxB,OAAO,EAAE,+BAA+B,EAAE,MAAM,gBAAgB,CAAA;AAChE,OAAO,EAAE,SAAS,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAA"}

package/dist/esm/index.js

@@ -1,4 +1,6 @@
+export { actionMatchesPattern } from './actions.js';
 export { getResourceSegments, splitArnParts } from './arn.js';
 export { convertAssumedRoleArnToRoleArn, convertRoleArnToAssumedRoleArn, isArnPrincipal, isAssumedRoleArn, isFederatedUserArn, isIamRoleArn, isIamUserArn, isServicePrincipal } from './principals.js';
+export { resourceArnWithWildcardsToRegex } from './resources.js';
 export { bucketArn, isS3BucketOrObjectArn } from './s3.js';
 //# sourceMappingURL=index.js.map

package/dist/esm/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,aAAa,EAAiB,MAAM,UAAU,CAAA;AAC5E,OAAO,EACL,8BAA8B,EAC9B,8BAA8B,EAC9B,cAAc,EACd,gBAAgB,EAChB,kBAAkB,EAClB,YAAY,EACZ,YAAY,EACZ,kBAAkB,EACnB,MAAM,iBAAiB,CAAA;AACxB,OAAO,EAAE,SAAS,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAA;AACnD,OAAO,EAAE,mBAAmB,EAAE,aAAa,EAAiB,MAAM,UAAU,CAAA;AAC5E,OAAO,EACL,8BAA8B,EAC9B,8BAA8B,EAC9B,cAAc,EACd,gBAAgB,EAChB,kBAAkB,EAClB,YAAY,EACZ,YAAY,EACZ,kBAAkB,EACnB,MAAM,iBAAiB,CAAA;AACxB,OAAO,EAAE,+BAA+B,EAAE,MAAM,gBAAgB,CAAA;AAChE,OAAO,EAAE,SAAS,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAA"}

package/dist/esm/resources.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Convert an AWS wildcard ARN pattern (e.g. "arn:aws:s3:::bucket/*") into a RegExp.
+ *
+ * @param pattern The ARN pattern string with wildcards
+ * @returns RegExp that matches ARNs according to the wildcard pattern
+ */
+export declare function resourceArnWithWildcardsToRegex(pattern: string): RegExp;
+//# sourceMappingURL=resources.d.ts.map

package/dist/esm/resources.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resources.d.ts","sourceRoot":"","sources":["../../src/resources.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,wBAAgB,+BAA+B,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAGvE"}

package/dist/esm/resources.js

@@ -0,0 +1,11 @@
+/**
+ * Convert an AWS wildcard ARN pattern (e.g. "arn:aws:s3:::bucket/*") into a RegExp.
+ *
+ * @param pattern The ARN pattern string with wildcards
+ * @returns RegExp that matches ARNs according to the wildcard pattern
+ */
+export function resourceArnWithWildcardsToRegex(pattern) {
+    const parts = pattern.split('*').map((s) => s.replace(/[-/\\^$+?.()|[\]{}]/g, '\\$&'));
+    return new RegExp('^' + parts.join('.*?') + '$');
+}
+//# sourceMappingURL=resources.js.map

package/dist/esm/resources.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resources.js","sourceRoot":"","sources":["../../src/resources.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,MAAM,UAAU,+BAA+B,CAAC,OAAe;IAC7D,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,sBAAsB,EAAE,MAAM,CAAC,CAAC,CAAA;IACtF,OAAO,IAAI,MAAM,CAAC,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAA;AAClD,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cloud-copilot/iam-utils",
-  "version": "0.1.43",
+  "version": "0.1.45",
   "description": "Various utilities for working with AWS IAM information",
   "exports": {
     ".": {