@cloud-copilot/iam-utils 0.1.53 → 0.1.55
- package/dist/cjs/index.d.ts +2 -0
- package/dist/cjs/index.d.ts.map +1 -1
- package/dist/cjs/index.js +5 -1
- package/dist/cjs/index.js.map +1 -1
- package/dist/cjs/resourcePatterns.d.ts +9 -0
- package/dist/cjs/resourcePatterns.d.ts.map +1 -0
- package/dist/cjs/resourcePatterns.js +19 -0
- package/dist/cjs/resourcePatterns.js.map +1 -0
- package/dist/cjs/resourceTypes.d.ts +12 -0
- package/dist/cjs/resourceTypes.d.ts.map +1 -0
- package/dist/cjs/resourceTypes.js +138 -0
- package/dist/cjs/resourceTypes.js.map +1 -0
- package/dist/esm/index.d.ts +2 -0
- package/dist/esm/index.d.ts.map +1 -1
- package/dist/esm/index.js +2 -0
- package/dist/esm/index.js.map +1 -1
- package/dist/esm/resourcePatterns.d.ts +9 -0
- package/dist/esm/resourcePatterns.d.ts.map +1 -0
- package/dist/esm/resourcePatterns.js +16 -0
- package/dist/esm/resourcePatterns.js.map +1 -0
- package/dist/esm/resourceTypes.d.ts +12 -0
- package/dist/esm/resourceTypes.d.ts.map +1 -0
- package/dist/esm/resourceTypes.js +135 -0
- package/dist/esm/resourceTypes.js.map +1 -0
- package/package.json +1 -1
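--- a/package/dist/cjs/index.d.ts
+++ b/package/dist/cjs/index.d.ts
@@ -1,6 +1,8 @@
 export { actionMatchesPattern } from './actions.js';
 export { getResourceSegments, splitArnParts, type ArnParts } from './arn.js';
 export { convertAssumedRoleArnToRoleArn, convertRoleArnToAssumedRoleArn, isArnPrincipal, isAssumedRoleArn, isFederatedUserArn, isIamRoleArn, isIamUserArn, isServicePrincipal } from './principals.js';
+export { convertResourcePatternToRegex } from './resourcePatterns.js';
 export { resourceArnWithWildcardsToRegex } from './resources.js';
+export { resourceStringMatchesResourceTypePattern } from './resourceTypes.js';
 export { bucketArn, isS3BucketOrObjectArn } from './s3.js';
 //# sourceMappingURL=index.d.ts.map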
package/dist/cjs/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAA;AACnD,OAAO,EAAE,mBAAmB,EAAE,aAAa,EAAE,KAAK,QAAQ,EAAE,MAAM,UAAU,CAAA;AAC5E,OAAO,EACL,8BAA8B,EAC9B,8BAA8B,EAC9B,cAAc,EACd,gBAAgB,EAChB,kBAAkB,EAClB,YAAY,EACZ,YAAY,EACZ,kBAAkB,EACnB,MAAM,iBAAiB,CAAA;AACxB,OAAO,EAAE,+BAA+B,EAAE,MAAM,gBAAgB,CAAA;AAChE,OAAO,EAAE,SAAS,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAA"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAA;AACnD,OAAO,EAAE,mBAAmB,EAAE,aAAa,EAAE,KAAK,QAAQ,EAAE,MAAM,UAAU,CAAA;AAC5E,OAAO,EACL,8BAA8B,EAC9B,8BAA8B,EAC9B,cAAc,EACd,gBAAgB,EAChB,kBAAkB,EAClB,YAAY,EACZ,YAAY,EACZ,kBAAkB,EACnB,MAAM,iBAAiB,CAAA;AACxB,OAAO,EAAE,6BAA6B,EAAE,MAAM,uBAAuB,CAAA;AACrE,OAAO,EAAE,+BAA+B,EAAE,MAAM,gBAAgB,CAAA;AAChE,OAAO,EAAE,wCAAwC,EAAE,MAAM,oBAAoB,CAAA;AAC7E,OAAO,EAAE,SAAS,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAA"}
|
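--- a/package/dist/cjs/index.js
+++ b/package/dist/cjs/index.js
@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.isS3BucketOrObjectArn = exports.bucketArn = exports.resourceArnWithWildcardsToRegex = exports.isServicePrincipal = exports.isIamUserArn = exports.isIamRoleArn = exports.isFederatedUserArn = exports.isAssumedRoleArn = exports.isArnPrincipal = exports.convertRoleArnToAssumedRoleArn = exports.convertAssumedRoleArnToRoleArn = exports.splitArnParts = exports.getResourceSegments = exports.actionMatchesPattern = void 0;
+exports.isS3BucketOrObjectArn = exports.bucketArn = exports.resourceStringMatchesResourceTypePattern = exports.resourceArnWithWildcardsToRegex = exports.convertResourcePatternToRegex = exports.isServicePrincipal = exports.isIamUserArn = exports.isIamRoleArn = exports.isFederatedUserArn = exports.isAssumedRoleArn = exports.isArnPrincipal = exports.convertRoleArnToAssumedRoleArn = exports.convertAssumedRoleArnToRoleArn = exports.splitArnParts = exports.getResourceSegments = exports.actionMatchesPattern = void 0;
 var actions_js_1 = require("./actions.js");
 Object.defineProperty(exports, "actionMatchesPattern", { enumerable: true, get: function () { return actions_js_1.actionMatchesPattern; } });
 var arn_js_1 = require("./arn.js");
@@ -15,8 +15,12 @@ Object.defineProperty(exports, "isFederatedUserArn", { enumerable: true, get: fu
 Object.defineProperty(exports, "isIamRoleArn", { enumerable: true, get: function () { return principals_js_1.isIamRoleArn; } });
 Object.defineProperty(exports, "isIamUserArn", { enumerable: true, get: function () { return principals_js_1.isIamUserArn; } });
 Object.defineProperty(exports, "isServicePrincipal", { enumerable: true, get: function () { return principals_js_1.isServicePrincipal; } });
+var resourcePatterns_js_1 = require("./resourcePatterns.js");
+Object.defineProperty(exports, "convertResourcePatternToRegex", { enumerable: true, get: function () { return resourcePatterns_js_1.convertResourcePatternToRegex; } });
 var resources_js_1 = require("./resources.js");
 Object.defineProperty(exports, "resourceArnWithWildcardsToRegex", { enumerable: true, get: function () { return resources_js_1.resourceArnWithWildcardsToRegex; } });
+var resourceTypes_js_1 = require("./resourceTypes.js");
+Object.defineProperty(exports, "resourceStringMatchesResourceTypePattern", { enumerable: true, get: function () { return resourceTypes_js_1.resourceStringMatchesResourceTypePattern; } });
 var s3_js_1 = require("./s3.js");
 Object.defineProperty(exports, "bucketArn", { enumerable: true, get: function () { return s3_js_1.bucketArn; } });
 Object.defineProperty(exports, "isS3BucketOrObjectArn", { enumerable: true, get: function () { return s3_js_1.isS3BucketOrObjectArn; } });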
package/dist/cjs/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,2CAAmD;AAA1C,kHAAA,oBAAoB,OAAA;AAC7B,mCAA4E;AAAnE,6GAAA,mBAAmB,OAAA;AAAE,uGAAA,aAAa,OAAA;AAC3C,iDASwB;AARtB,+HAAA,8BAA8B,OAAA;AAC9B,+HAAA,8BAA8B,OAAA;AAC9B,+GAAA,cAAc,OAAA;AACd,iHAAA,gBAAgB,OAAA;AAChB,mHAAA,kBAAkB,OAAA;AAClB,6GAAA,YAAY,OAAA;AACZ,6GAAA,YAAY,OAAA;AACZ,mHAAA,kBAAkB,OAAA;AAEpB,+CAAgE;AAAvD,+HAAA,+BAA+B,OAAA;AACxC,iCAA0D;AAAjD,kGAAA,SAAS,OAAA;AAAE,8GAAA,qBAAqB,OAAA"}
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,2CAAmD;AAA1C,kHAAA,oBAAoB,OAAA;AAC7B,mCAA4E;AAAnE,6GAAA,mBAAmB,OAAA;AAAE,uGAAA,aAAa,OAAA;AAC3C,iDASwB;AARtB,+HAAA,8BAA8B,OAAA;AAC9B,+HAAA,8BAA8B,OAAA;AAC9B,+GAAA,cAAc,OAAA;AACd,iHAAA,gBAAgB,OAAA;AAChB,mHAAA,kBAAkB,OAAA;AAClB,6GAAA,YAAY,OAAA;AACZ,6GAAA,YAAY,OAAA;AACZ,mHAAA,kBAAkB,OAAA;AAEpB,6DAAqE;AAA5D,oIAAA,6BAA6B,OAAA;AACtC,+CAAgE;AAAvD,+HAAA,+BAA+B,OAAA;AACxC,uDAA6E;AAApE,4IAAA,wCAAwC,OAAA;AACjD,iCAA0D;AAAjD,kGAAA,SAAS,OAAA;AAAE,8GAAA,qBAAqB,OAAA"}
|
|
@@ -0,0 +1,9 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Convert a resource pattern from iam-data to a regex pattern.
|
|
3
|
+
* Variables like `${BucketName}` become named capture groups.
|
|
4
|
+
*
|
|
5
|
+
* @param pattern - The IAM resource type ARN pattern (e.g. `arn:${Partition}:s3:::${BucketName}/${ObjectName}`)
|
|
6
|
+
* @returns A regex string anchored with `^...$` that matches concrete ARNs against the pattern
|
|
7
|
+
*/
|
|
8
|
+
export declare function convertResourcePatternToRegex(pattern: string): string;
|
|
9
|
+
//# sourceMappingURL=resourcePatterns.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"resourcePatterns.d.ts","sourceRoot":"","sources":["../../src/resourcePatterns.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,wBAAgB,6BAA6B,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAOrE"}
|
|
@@ -0,0 +1,19 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.convertResourcePatternToRegex = convertResourcePatternToRegex;
|
|
4
|
+
/**
|
|
5
|
+
* Convert a resource pattern from iam-data to a regex pattern.
|
|
6
|
+
* Variables like `${BucketName}` become named capture groups.
|
|
7
|
+
*
|
|
8
|
+
* @param pattern - The IAM resource type ARN pattern (e.g. `arn:${Partition}:s3:::${BucketName}/${ObjectName}`)
|
|
9
|
+
* @returns A regex string anchored with `^...$` that matches concrete ARNs against the pattern
|
|
10
|
+
*/
|
|
11
|
+
function convertResourcePatternToRegex(pattern) {
|
|
12
|
+
const regex = pattern.replace(/\$\{.*?\}/g, (match) => {
|
|
13
|
+
const name = match.substring(2, match.length - 1);
|
|
14
|
+
const camelName = name.at(0)?.toLowerCase() + name.substring(1);
|
|
15
|
+
return `(?<${camelName}>(.+?))`;
|
|
16
|
+
});
|
|
17
|
+
return `^${regex}$`;
|
|
18
|
+
}
|
|
19
|
+
//# sourceMappingURL=resourcePatterns.js.map
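Review bot: `convertResourcePatternToRegex` copies the literal text of `pattern` into the regex unescaped and interpolates the placeholder name into `(?<name>…)` unchecked. Any `.`, `*`, `(` or `[` outside a placeholder is therefore read as regex syntax, `${}` yields a group literally named `undefined`, and a placeholder name that is not a valid group identifier makes the `new RegExp(pattern)` call in resourceTypes.js throw. A repeated variable name may also throw on engines that reject duplicate named groups. If patterns only ever come from iam-data this may not trigger today, but the function is now a public export, so escaping the literal pieces and accepting only alphanumeric placeholder names (as `isResourceTypeVariable` already does) would make it safe for any caller. The same body ships in package/dist/esm/resourcePatterns.js.

```javascript
function convertResourcePatternToRegex(pattern) {
    // split() with a capture group puts literal text at even indexes and variable names at odd ones
    const pieces = pattern.split(/\$\{([A-Za-z][0-9A-Za-z]*)\}/);
    const regex = pieces
        .map((piece, index) => {
            if (index % 2 === 0) {
                // literal ARN text: neutralise regex metacharacters
                return piece.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
            }
            return `(?<${piece[0].toLowerCase()}${piece.substring(1)}>(.+?))`;
        })
        .join('');
    return `^${regex}$`;
}
```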
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"resourcePatterns.js","sourceRoot":"","sources":["../../src/resourcePatterns.ts"],"names":[],"mappings":";;AAOA,sEAOC;AAdD;;;;;;GAMG;AACH,SAAgB,6BAA6B,CAAC,OAAe;IAC3D,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,EAAE;QACpD,MAAM,IAAI,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;QACjD,MAAM,SAAS,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAA;QAC/D,OAAO,MAAM,SAAS,SAAS,CAAA;IACjC,CAAC,CAAC,CAAA;IACF,OAAO,IAAI,KAAK,GAAG,CAAA;AACrB,CAAC"}
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Checks whether a concrete resource ARN (possibly with wildcards) matches
|
|
3
|
+
* a resource-type ARN pattern from the Service Authorization Reference.
|
|
4
|
+
*
|
|
5
|
+
* A wildcard resource string (`"*"`) always matches.
|
|
6
|
+
*
|
|
7
|
+
* @param resourceString - A concrete resource ARN or wildcard (`"*"`)
|
|
8
|
+
* @param resourcePattern - An ARN pattern from iam-data (e.g. `arn:${Partition}:s3:::${BucketName}/${ObjectName}`)
|
|
9
|
+
* @returns Whether the resource string matches the pattern
|
|
10
|
+
*/
|
|
11
|
+
export declare function resourceStringMatchesResourceTypePattern(resourceString: string, resourcePattern: string): boolean;
|
|
12
|
+
//# sourceMappingURL=resourceTypes.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"resourceTypes.d.ts","sourceRoot":"","sources":["../../src/resourceTypes.ts"],"names":[],"mappings":"AAGA;;;;;;;;;GASG;AACH,wBAAgB,wCAAwC,CACtD,cAAc,EAAE,MAAM,EACtB,eAAe,EAAE,MAAM,GACtB,OAAO,CAsGT"}
|
|
@@ -0,0 +1,138 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.resourceStringMatchesResourceTypePattern = resourceStringMatchesResourceTypePattern;
|
|
4
|
+
const arn_js_1 = require("./arn.js");
|
|
5
|
+
const resourcePatterns_js_1 = require("./resourcePatterns.js");
|
|
6
|
+
/**
|
|
7
|
+
* Checks whether a concrete resource ARN (possibly with wildcards) matches
|
|
8
|
+
* a resource-type ARN pattern from the Service Authorization Reference.
|
|
9
|
+
*
|
|
10
|
+
* A wildcard resource string (`"*"`) always matches.
|
|
11
|
+
*
|
|
12
|
+
* @param resourceString - A concrete resource ARN or wildcard (`"*"`)
|
|
13
|
+
* @param resourcePattern - An ARN pattern from iam-data (e.g. `arn:${Partition}:s3:::${BucketName}/${ObjectName}`)
|
|
14
|
+
* @returns Whether the resource string matches the pattern
|
|
15
|
+
*/
|
|
16
|
+
function resourceStringMatchesResourceTypePattern(resourceString, resourcePattern) {
|
|
17
|
+
if (resourceString === '*') {
|
|
18
|
+
return true;
|
|
19
|
+
}
|
|
20
|
+
const resourceParts = (0, arn_js_1.splitArnParts)(resourceString);
|
|
21
|
+
const patternParts = (0, arn_js_1.splitArnParts)(resourcePattern);
|
|
22
|
+
if (!resourceComponentMatchesResourceTypeComponent(resourceParts.partition, patternParts.partition)) {
|
|
23
|
+
return false;
|
|
24
|
+
}
|
|
25
|
+
if (!resourceComponentMatchesResourceTypeComponent(resourceParts.service, patternParts.service)) {
|
|
26
|
+
return false;
|
|
27
|
+
}
|
|
28
|
+
if (!resourceComponentMatchesResourceTypeComponent(resourceParts.region, patternParts.region)) {
|
|
29
|
+
return false;
|
|
30
|
+
}
|
|
31
|
+
if (!resourceComponentMatchesResourceTypeComponent(resourceParts.accountId, patternParts.accountId)) {
|
|
32
|
+
return false;
|
|
33
|
+
}
|
|
34
|
+
const [resourceResourcePartsSegments, resourceResourceParts] = splitResourceTypeComponent(resourceParts.resource);
|
|
35
|
+
const [patternResourcePartsSegments, patternResourceParts] = splitResourceTypeComponent(patternParts.resource);
|
|
36
|
+
// If there are more segments in the resource than the pattern, it cannot match,
|
|
37
|
+
// unless the final pattern component is a variable (e.g. ${ObjectName}) which
|
|
38
|
+
// can span multiple segments (like S3 object keys with slashes).
|
|
39
|
+
if (resourceResourcePartsSegments > patternResourcePartsSegments) {
|
|
40
|
+
const lastPatternComponent = patternResourceParts.at(-1);
|
|
41
|
+
if (!isResourceTypeVariable(lastPatternComponent) || patternResourcePartsSegments === 1) {
|
|
42
|
+
return false;
|
|
43
|
+
}
|
|
44
|
+
}
|
|
45
|
+
// If there are fewer segments with contents in the resource than the pattern, and the last segment of the resource
|
|
46
|
+
// does not end with a wildcard, it cannot match
|
|
47
|
+
if (resourceResourceParts.length < patternResourceParts.length &&
|
|
48
|
+
!resourceResourceParts.at(-1)?.endsWith('*')) {
|
|
49
|
+
return false;
|
|
50
|
+
}
|
|
51
|
+
const compareLen = Math.min(resourceResourceParts.length, patternResourceParts.length);
|
|
52
|
+
for (let i = 0; i < compareLen; i++) {
|
|
53
|
+
const resourceComponent = resourceResourceParts[i];
|
|
54
|
+
const isLastPattern = i === patternResourceParts.length - 1;
|
|
55
|
+
const patternComponent = patternResourceParts[i];
|
|
56
|
+
if (!patternComponent) {
|
|
57
|
+
return false;
|
|
58
|
+
}
|
|
59
|
+
if (isResourceTypeVariable(patternComponent)) {
|
|
60
|
+
if (isLastPattern &&
|
|
61
|
+
resourceResourcePartsSegments > patternResourcePartsSegments &&
|
|
62
|
+
patternResourcePartsSegments > 1) {
|
|
63
|
+
// Variable at the end can absorb additional segments.
|
|
64
|
+
return true;
|
|
65
|
+
}
|
|
66
|
+
if (isLastPattern && resourceComponent?.endsWith('*')) {
|
|
67
|
+
// If the resource component ends with a wildcard, it matches everything after
|
|
68
|
+
break;
|
|
69
|
+
}
|
|
70
|
+
// These match anything, move along.
|
|
71
|
+
continue;
|
|
72
|
+
}
|
|
73
|
+
if (!resourceComponent) {
|
|
74
|
+
return false;
|
|
75
|
+
}
|
|
76
|
+
const resourceComponentPattern = '^' + resourceComponent.replace(/\?/g, '.').replace(/\*/g, '.*?') + '$';
|
|
77
|
+
const regex = new RegExp(resourceComponentPattern);
|
|
78
|
+
const match = patternComponent.match(regex);
|
|
79
|
+
if (match) {
|
|
80
|
+
if (isLastPattern && resourceComponent.endsWith('*')) {
|
|
81
|
+
// If the resource component ends with a wildcard, it matches everything after
|
|
82
|
+
break;
|
|
83
|
+
}
|
|
84
|
+
continue;
|
|
85
|
+
}
|
|
86
|
+
else {
|
|
87
|
+
return false;
|
|
88
|
+
}
|
|
89
|
+
}
|
|
90
|
+
return true;
|
|
91
|
+
}
|
|
92
|
+
/**
|
|
93
|
+
* Split a resource component on colons and slashes into its segments.
|
|
94
|
+
*
|
|
95
|
+
* @param component - The resource portion of an ARN
|
|
96
|
+
* @returns A tuple of [total segment count, non-empty segments]
|
|
97
|
+
*/
|
|
98
|
+
function splitResourceTypeComponent(component) {
|
|
99
|
+
const parts = component?.split(/[:/]/) ?? [];
|
|
100
|
+
return [parts.length, parts.filter((p) => p && p !== '')];
|
|
101
|
+
}
|
|
102
|
+
/**
|
|
103
|
+
* Check whether a single ARN component from a resource string matches
|
|
104
|
+
* the corresponding component from a resource-type pattern.
|
|
105
|
+
*
|
|
106
|
+
* @param resourceComponent - The component value from the concrete ARN
|
|
107
|
+
* @param resourceTypeComponent - The component value from the pattern ARN
|
|
108
|
+
* @returns Whether the resource component matches the pattern component
|
|
109
|
+
*/
|
|
110
|
+
function resourceComponentMatchesResourceTypeComponent(resourceComponent, resourceTypeComponent) {
|
|
111
|
+
if (resourceTypeComponent === '*' || resourceTypeComponent === resourceComponent) {
|
|
112
|
+
return true;
|
|
113
|
+
}
|
|
114
|
+
if (!resourceComponent || !resourceTypeComponent) {
|
|
115
|
+
return false;
|
|
116
|
+
}
|
|
117
|
+
if (isResourceTypeVariable(resourceTypeComponent)) {
|
|
118
|
+
// If the entire component is a single variable, it matches anything
|
|
119
|
+
return true;
|
|
120
|
+
}
|
|
121
|
+
const pattern = (0, resourcePatterns_js_1.convertResourcePatternToRegex)(resourceTypeComponent);
|
|
122
|
+
const regex = new RegExp(pattern);
|
|
123
|
+
const match = resourceComponent.match(regex);
|
|
124
|
+
return !!match;
|
|
125
|
+
}
|
|
126
|
+
/**
|
|
127
|
+
* Check whether a pattern component is a single IAM variable placeholder (e.g. `${BucketName}`).
|
|
128
|
+
*
|
|
129
|
+
* @param component - The component string to check
|
|
130
|
+
* @returns Whether the component is a variable placeholder
|
|
131
|
+
*/
|
|
132
|
+
function isResourceTypeVariable(component) {
|
|
133
|
+
if (!component) {
|
|
134
|
+
return false;
|
|
135
|
+
}
|
|
136
|
+
return component.match(/^\$\{[0-9a-zA-Z]+\}$/) !== null;
|
|
137
|
+
}
|
|
138
|
+
//# sourceMappingURL=resourceTypes.js.map
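Review bot: The `resourceComponentPattern` line in `resourceStringMatchesResourceTypePattern` builds a regex from the caller's resource string by rewriting only `?` and `*`, so every other metacharacter in the resource segment reaches `new RegExp` as syntax. A `.` then matches any character, and an unbalanced `(` or `[` raises a SyntaxError instead of returning `false`. If resource strings come from policy documents, that is attacker-influenced text reaching the regex engine, which risks a false match or an unhandled exception in whatever analysis consumes this result. Escape the segment before translating the wildcards, e.g. `const escaped = resourceComponent.replace(/[.+^${}()|[\]\\]/g, '\\$&');` followed by `'^' + escaped.replace(/\?/g, '.').replace(/\*/g, '.*?') + '$'`. The esm build of this file carries the identical line.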
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"resourceTypes.js","sourceRoot":"","sources":["../../src/resourceTypes.ts"],"names":[],"mappings":";;AAaA,4FAyGC;AAtHD,qCAAwC;AACxC,+DAAqE;AAErE;;;;;;;;;GASG;AACH,SAAgB,wCAAwC,CACtD,cAAsB,EACtB,eAAuB;IAEvB,IAAI,cAAc,KAAK,GAAG,EAAE,CAAC;QAC3B,OAAO,IAAI,CAAA;IACb,CAAC;IAED,MAAM,aAAa,GAAG,IAAA,sBAAa,EAAC,cAAc,CAAC,CAAA;IACnD,MAAM,YAAY,GAAG,IAAA,sBAAa,EAAC,eAAe,CAAC,CAAA;IAEnD,IACE,CAAC,6CAA6C,CAAC,aAAa,CAAC,SAAS,EAAE,YAAY,CAAC,SAAS,CAAC,EAC/F,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAED,IAAI,CAAC,6CAA6C,CAAC,aAAa,CAAC,OAAO,EAAE,YAAY,CAAC,OAAO,CAAC,EAAE,CAAC;QAChG,OAAO,KAAK,CAAA;IACd,CAAC;IAED,IAAI,CAAC,6CAA6C,CAAC,aAAa,CAAC,MAAM,EAAE,YAAY,CAAC,MAAM,CAAC,EAAE,CAAC;QAC9F,OAAO,KAAK,CAAA;IACd,CAAC;IAED,IACE,CAAC,6CAA6C,CAAC,aAAa,CAAC,SAAS,EAAE,YAAY,CAAC,SAAS,CAAC,EAC/F,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAED,MAAM,CAAC,6BAA6B,EAAE,qBAAqB,CAAC,GAAG,0BAA0B,CACvF,aAAa,CAAC,QAAQ,CACvB,CAAA;IACD,MAAM,CAAC,4BAA4B,EAAE,oBAAoB,CAAC,GAAG,0BAA0B,CACrF,YAAY,CAAC,QAAQ,CACtB,CAAA;IAED,gFAAgF;IAChF,8EAA8E;IAC9E,iEAAiE;IACjE,IAAI,6BAA6B,GAAG,4BAA4B,EAAE,CAAC;QACjE,MAAM,oBAAoB,GAAG,oBAAoB,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAA;QACxD,IAAI,CAAC,sBAAsB,CAAC,oBAAoB,CAAC,IAAI,4BAA4B,KAAK,CAAC,EAAE,CAAC;YACxF,OAAO,KAAK,CAAA;QACd,CAAC;IACH,CAAC;IAED,mHAAmH;IACnH,gDAAgD;IAChD,IACE,qBAAqB,CAAC,MAAM,GAAG,oBAAoB,CAAC,MAAM;QAC1D,CAAC,qBAAqB,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,GAAG,CAAC,EAC5C,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,qBAAqB,CAAC,MAAM,EAAE,oBAAoB,CAAC,MAAM,CAAC,CAAA;IACtF,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,UAAU,EAAE,CAAC,EAAE,EAAE,CAAC;QACpC,MAAM,iBAAiB,GAAG,qBAAqB,CAAC,CAAC,CAAC,CAAA;QAClD,MAAM,aAAa,GAAG,CAAC,KAAK,oBAAoB,CAAC,MAAM,GAAG,CAAC,CAAA;QAC3D,MAAM,gBAAgB,GAAG,oBAAoB,CAAC,CAAC,CAAC,CAAA;QAEhD,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACtB,OAAO,KAAK,CAAA;QACd,CAAC;QAED,IAAI,sBAAsB,CAAC,gBAAgB,CAAC,EAAE,CAAC;YAC7C,IACE,aAAa;gBACb,6BAA6B,GAAG,4BAA4B;gBAC5D,4BAA4B,GAAG,CAAC,EAChC,CAAC;gBACD,sDAAsD;gBACtD,OAAO,IAAI,CAAA;YACb,CAAC;YACD,IAAI
,aAAa,IAAI,iBAAiB,EAAE,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtD,8EAA8E;gBAC9E,MAAK;YACP,CAAC;YAED,oCAAoC;YACpC,SAAQ;QACV,CAAC;QAED,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACvB,OAAO,KAAK,CAAA;QACd,CAAC;QAED,MAAM,wBAAwB,GAC5B,GAAG,GAAG,iBAAiB,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,GAAG,CAAA;QACzE,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,wBAAwB,CAAC,CAAA;QAClD,MAAM,KAAK,GAAG,gBAAgB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;QAC3C,IAAI,KAAK,EAAE,CAAC;YACV,IAAI,aAAa,IAAI,iBAAiB,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBACrD,8EAA8E;gBAC9E,MAAK;YACP,CAAC;YACD,SAAQ;QACV,CAAC;aAAM,CAAC;YACN,OAAO,KAAK,CAAA;QACd,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;;;;GAKG;AACH,SAAS,0BAA0B,CAAC,SAA6B;IAC/D,MAAM,KAAK,GAAG,SAAS,EAAE,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAA;IAC5C,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAA;AAC3D,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,6CAA6C,CACpD,iBAAqC,EACrC,qBAAyC;IAEzC,IAAI,qBAAqB,KAAK,GAAG,IAAI,qBAAqB,KAAK,iBAAiB,EAAE,CAAC;QACjF,OAAO,IAAI,CAAA;IACb,CAAC;IAED,IAAI,CAAC,iBAAiB,IAAI,CAAC,qBAAqB,EAAE,CAAC;QACjD,OAAO,KAAK,CAAA;IACd,CAAC;IAED,IAAI,sBAAsB,CAAC,qBAAqB,CAAC,EAAE,CAAC;QAClD,oEAAoE;QACpE,OAAO,IAAI,CAAA;IACb,CAAC;IAED,MAAM,OAAO,GAAG,IAAA,mDAA6B,EAAC,qBAAqB,CAAC,CAAA;IACpE,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,CAAA;IACjC,MAAM,KAAK,GAAG,iBAAiB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;IAC5C,OAAO,CAAC,CAAC,KAAK,CAAA;AAChB,CAAC;AAED;;;;;GAKG;AACH,SAAS,sBAAsB,CAAC,SAA6B;IAC3D,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,KAAK,CAAA;IACd,CAAC;IACD,OAAO,SAAS,CAAC,KAAK,CAAC,sBAAsB,CAAC,KAAK,IAAI,CAAA;AACzD,CAAC"}
|
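--- a/package/dist/esm/index.d.ts
+++ b/package/dist/esm/index.d.ts
@@ -1,6 +1,8 @@
 export { actionMatchesPattern } from './actions.js';
 export { getResourceSegments, splitArnParts, type ArnParts } from './arn.js';
 export { convertAssumedRoleArnToRoleArn, convertRoleArnToAssumedRoleArn, isArnPrincipal, isAssumedRoleArn, isFederatedUserArn, isIamRoleArn, isIamUserArn, isServicePrincipal } from './principals.js';
+export { convertResourcePatternToRegex } from './resourcePatterns.js';
 export { resourceArnWithWildcardsToRegex } from './resources.js';
+export { resourceStringMatchesResourceTypePattern } from './resourceTypes.js';
 export { bucketArn, isS3BucketOrObjectArn } from './s3.js';
 //# sourceMappingURL=index.d.ts.map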
package/dist/esm/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAA;AACnD,OAAO,EAAE,mBAAmB,EAAE,aAAa,EAAE,KAAK,QAAQ,EAAE,MAAM,UAAU,CAAA;AAC5E,OAAO,EACL,8BAA8B,EAC9B,8BAA8B,EAC9B,cAAc,EACd,gBAAgB,EAChB,kBAAkB,EAClB,YAAY,EACZ,YAAY,EACZ,kBAAkB,EACnB,MAAM,iBAAiB,CAAA;AACxB,OAAO,EAAE,+BAA+B,EAAE,MAAM,gBAAgB,CAAA;AAChE,OAAO,EAAE,SAAS,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAA"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAA;AACnD,OAAO,EAAE,mBAAmB,EAAE,aAAa,EAAE,KAAK,QAAQ,EAAE,MAAM,UAAU,CAAA;AAC5E,OAAO,EACL,8BAA8B,EAC9B,8BAA8B,EAC9B,cAAc,EACd,gBAAgB,EAChB,kBAAkB,EAClB,YAAY,EACZ,YAAY,EACZ,kBAAkB,EACnB,MAAM,iBAAiB,CAAA;AACxB,OAAO,EAAE,6BAA6B,EAAE,MAAM,uBAAuB,CAAA;AACrE,OAAO,EAAE,+BAA+B,EAAE,MAAM,gBAAgB,CAAA;AAChE,OAAO,EAAE,wCAAwC,EAAE,MAAM,oBAAoB,CAAA;AAC7E,OAAO,EAAE,SAAS,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAA"}
|
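--- a/package/dist/esm/index.js
+++ b/package/dist/esm/index.js
@@ -1,6 +1,8 @@
 export { actionMatchesPattern } from './actions.js';
 export { getResourceSegments, splitArnParts } from './arn.js';
 export { convertAssumedRoleArnToRoleArn, convertRoleArnToAssumedRoleArn, isArnPrincipal, isAssumedRoleArn, isFederatedUserArn, isIamRoleArn, isIamUserArn, isServicePrincipal } from './principals.js';
+export { convertResourcePatternToRegex } from './resourcePatterns.js';
 export { resourceArnWithWildcardsToRegex } from './resources.js';
+export { resourceStringMatchesResourceTypePattern } from './resourceTypes.js';
 export { bucketArn, isS3BucketOrObjectArn } from './s3.js';
 //# sourceMappingURL=index.js.map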
package/dist/esm/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAA;AACnD,OAAO,EAAE,mBAAmB,EAAE,aAAa,EAAiB,MAAM,UAAU,CAAA;AAC5E,OAAO,EACL,8BAA8B,EAC9B,8BAA8B,EAC9B,cAAc,EACd,gBAAgB,EAChB,kBAAkB,EAClB,YAAY,EACZ,YAAY,EACZ,kBAAkB,EACnB,MAAM,iBAAiB,CAAA;AACxB,OAAO,EAAE,+BAA+B,EAAE,MAAM,gBAAgB,CAAA;AAChE,OAAO,EAAE,SAAS,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAA"}
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAA;AACnD,OAAO,EAAE,mBAAmB,EAAE,aAAa,EAAiB,MAAM,UAAU,CAAA;AAC5E,OAAO,EACL,8BAA8B,EAC9B,8BAA8B,EAC9B,cAAc,EACd,gBAAgB,EAChB,kBAAkB,EAClB,YAAY,EACZ,YAAY,EACZ,kBAAkB,EACnB,MAAM,iBAAiB,CAAA;AACxB,OAAO,EAAE,6BAA6B,EAAE,MAAM,uBAAuB,CAAA;AACrE,OAAO,EAAE,+BAA+B,EAAE,MAAM,gBAAgB,CAAA;AAChE,OAAO,EAAE,wCAAwC,EAAE,MAAM,oBAAoB,CAAA;AAC7E,OAAO,EAAE,SAAS,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAA"}
|
|
@@ -0,0 +1,9 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Convert a resource pattern from iam-data to a regex pattern.
|
|
3
|
+
* Variables like `${BucketName}` become named capture groups.
|
|
4
|
+
*
|
|
5
|
+
* @param pattern - The IAM resource type ARN pattern (e.g. `arn:${Partition}:s3:::${BucketName}/${ObjectName}`)
|
|
6
|
+
* @returns A regex string anchored with `^...$` that matches concrete ARNs against the pattern
|
|
7
|
+
*/
|
|
8
|
+
export declare function convertResourcePatternToRegex(pattern: string): string;
|
|
9
|
+
//# sourceMappingURL=resourcePatterns.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"resourcePatterns.d.ts","sourceRoot":"","sources":["../../src/resourcePatterns.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,wBAAgB,6BAA6B,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAOrE"}
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Convert a resource pattern from iam-data to a regex pattern.
|
|
3
|
+
* Variables like `${BucketName}` become named capture groups.
|
|
4
|
+
*
|
|
5
|
+
* @param pattern - The IAM resource type ARN pattern (e.g. `arn:${Partition}:s3:::${BucketName}/${ObjectName}`)
|
|
6
|
+
* @returns A regex string anchored with `^...$` that matches concrete ARNs against the pattern
|
|
7
|
+
*/
|
|
8
|
+
export function convertResourcePatternToRegex(pattern) {
|
|
9
|
+
const regex = pattern.replace(/\$\{.*?\}/g, (match) => {
|
|
10
|
+
const name = match.substring(2, match.length - 1);
|
|
11
|
+
const camelName = name.at(0)?.toLowerCase() + name.substring(1);
|
|
12
|
+
return `(?<${camelName}>(.+?))`;
|
|
13
|
+
});
|
|
14
|
+
return `^${regex}$`;
|
|
15
|
+
}
|
|
16
|
+
//# sourceMappingURL=resourcePatterns.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"resourcePatterns.js","sourceRoot":"","sources":["../../src/resourcePatterns.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,MAAM,UAAU,6BAA6B,CAAC,OAAe;IAC3D,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,EAAE;QACpD,MAAM,IAAI,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;QACjD,MAAM,SAAS,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAA;QAC/D,OAAO,MAAM,SAAS,SAAS,CAAA;IACjC,CAAC,CAAC,CAAA;IACF,OAAO,IAAI,KAAK,GAAG,CAAA;AACrB,CAAC"}
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Checks whether a concrete resource ARN (possibly with wildcards) matches
|
|
3
|
+
* a resource-type ARN pattern from the Service Authorization Reference.
|
|
4
|
+
*
|
|
5
|
+
* A wildcard resource string (`"*"`) always matches.
|
|
6
|
+
*
|
|
7
|
+
* @param resourceString - A concrete resource ARN or wildcard (`"*"`)
|
|
8
|
+
* @param resourcePattern - An ARN pattern from iam-data (e.g. `arn:${Partition}:s3:::${BucketName}/${ObjectName}`)
|
|
9
|
+
* @returns Whether the resource string matches the pattern
|
|
10
|
+
*/
|
|
11
|
+
export declare function resourceStringMatchesResourceTypePattern(resourceString: string, resourcePattern: string): boolean;
|
|
12
|
+
//# sourceMappingURL=resourceTypes.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"resourceTypes.d.ts","sourceRoot":"","sources":["../../src/resourceTypes.ts"],"names":[],"mappings":"AAGA;;;;;;;;;GASG;AACH,wBAAgB,wCAAwC,CACtD,cAAc,EAAE,MAAM,EACtB,eAAe,EAAE,MAAM,GACtB,OAAO,CAsGT"}
|
|
@@ -0,0 +1,135 @@
|
|
|
1
|
+
import { splitArnParts } from './arn.js';
|
|
2
|
+
import { convertResourcePatternToRegex } from './resourcePatterns.js';
|
|
3
|
+
/**
|
|
4
|
+
* Checks whether a concrete resource ARN (possibly with wildcards) matches
|
|
5
|
+
* a resource-type ARN pattern from the Service Authorization Reference.
|
|
6
|
+
*
|
|
7
|
+
* A wildcard resource string (`"*"`) always matches.
|
|
8
|
+
*
|
|
9
|
+
* @param resourceString - A concrete resource ARN or wildcard (`"*"`)
|
|
10
|
+
* @param resourcePattern - An ARN pattern from iam-data (e.g. `arn:${Partition}:s3:::${BucketName}/${ObjectName}`)
|
|
11
|
+
* @returns Whether the resource string matches the pattern
|
|
12
|
+
*/
|
|
13
|
+
export function resourceStringMatchesResourceTypePattern(resourceString, resourcePattern) {
|
|
14
|
+
if (resourceString === '*') {
|
|
15
|
+
return true;
|
|
16
|
+
}
|
|
17
|
+
const resourceParts = splitArnParts(resourceString);
|
|
18
|
+
const patternParts = splitArnParts(resourcePattern);
|
|
19
|
+
if (!resourceComponentMatchesResourceTypeComponent(resourceParts.partition, patternParts.partition)) {
|
|
20
|
+
return false;
|
|
21
|
+
}
|
|
22
|
+
if (!resourceComponentMatchesResourceTypeComponent(resourceParts.service, patternParts.service)) {
|
|
23
|
+
return false;
|
|
24
|
+
}
|
|
25
|
+
if (!resourceComponentMatchesResourceTypeComponent(resourceParts.region, patternParts.region)) {
|
|
26
|
+
return false;
|
|
27
|
+
}
|
|
28
|
+
if (!resourceComponentMatchesResourceTypeComponent(resourceParts.accountId, patternParts.accountId)) {
|
|
29
|
+
return false;
|
|
30
|
+
}
|
|
31
|
+
const [resourceResourcePartsSegments, resourceResourceParts] = splitResourceTypeComponent(resourceParts.resource);
|
|
32
|
+
const [patternResourcePartsSegments, patternResourceParts] = splitResourceTypeComponent(patternParts.resource);
|
|
33
|
+
// If there are more segments in the resource than the pattern, it cannot match,
|
|
34
|
+
// unless the final pattern component is a variable (e.g. ${ObjectName}) which
|
|
35
|
+
// can span multiple segments (like S3 object keys with slashes).
|
|
36
|
+
if (resourceResourcePartsSegments > patternResourcePartsSegments) {
|
|
37
|
+
const lastPatternComponent = patternResourceParts.at(-1);
|
|
38
|
+
if (!isResourceTypeVariable(lastPatternComponent) || patternResourcePartsSegments === 1) {
|
|
39
|
+
return false;
|
|
40
|
+
}
|
|
41
|
+
}
|
|
42
|
+
// If there are fewer segments with contents in the resource than the pattern, and the last segment of the resource
|
|
43
|
+
// does not end with a wildcard, it cannot match
|
|
44
|
+
if (resourceResourceParts.length < patternResourceParts.length &&
|
|
45
|
+
!resourceResourceParts.at(-1)?.endsWith('*')) {
|
|
46
|
+
return false;
|
|
47
|
+
}
|
|
48
|
+
const compareLen = Math.min(resourceResourceParts.length, patternResourceParts.length);
|
|
49
|
+
for (let i = 0; i < compareLen; i++) {
|
|
50
|
+
const resourceComponent = resourceResourceParts[i];
|
|
51
|
+
const isLastPattern = i === patternResourceParts.length - 1;
|
|
52
|
+
const patternComponent = patternResourceParts[i];
|
|
53
|
+
if (!patternComponent) {
|
|
54
|
+
return false;
|
|
55
|
+
}
|
|
56
|
+
if (isResourceTypeVariable(patternComponent)) {
|
|
57
|
+
if (isLastPattern &&
|
|
58
|
+
resourceResourcePartsSegments > patternResourcePartsSegments &&
|
|
59
|
+
patternResourcePartsSegments > 1) {
|
|
60
|
+
// Variable at the end can absorb additional segments.
|
|
61
|
+
return true;
|
|
62
|
+
}
|
|
63
|
+
if (isLastPattern && resourceComponent?.endsWith('*')) {
|
|
64
|
+
// If the resource component ends with a wildcard, it matches everything after
|
|
65
|
+
break;
|
|
66
|
+
}
|
|
67
|
+
// These match anything, move along.
|
|
68
|
+
continue;
|
|
69
|
+
}
|
|
70
|
+
if (!resourceComponent) {
|
|
71
|
+
return false;
|
|
72
|
+
}
|
|
73
|
+
const resourceComponentPattern = '^' + resourceComponent.replace(/\?/g, '.').replace(/\*/g, '.*?') + '$';
|
|
74
|
+
const regex = new RegExp(resourceComponentPattern);
|
|
75
|
+
const match = patternComponent.match(regex);
|
|
76
|
+
if (match) {
|
|
77
|
+
if (isLastPattern && resourceComponent.endsWith('*')) {
|
|
78
|
+
// If the resource component ends with a wildcard, it matches everything after
|
|
79
|
+
break;
|
|
80
|
+
}
|
|
81
|
+
continue;
|
|
82
|
+
}
|
|
83
|
+
else {
|
|
84
|
+
return false;
|
|
85
|
+
}
|
|
86
|
+
}
|
|
87
|
+
return true;
|
|
88
|
+
}
|
|
89
|
+
/**
|
|
90
|
+
* Split a resource component on colons and slashes into its segments.
|
|
91
|
+
*
|
|
92
|
+
* @param component - The resource portion of an ARN
|
|
93
|
+
* @returns A tuple of [total segment count, non-empty segments]
|
|
94
|
+
*/
|
|
95
|
+
function splitResourceTypeComponent(component) {
|
|
96
|
+
const parts = component?.split(/[:/]/) ?? [];
|
|
97
|
+
return [parts.length, parts.filter((p) => p && p !== '')];
|
|
98
|
+
}
|
|
99
|
+
/**
|
|
100
|
+
* Check whether a single ARN component from a resource string matches
|
|
101
|
+
* the corresponding component from a resource-type pattern.
|
|
102
|
+
*
|
|
103
|
+
* @param resourceComponent - The component value from the concrete ARN
|
|
104
|
+
* @param resourceTypeComponent - The component value from the pattern ARN
|
|
105
|
+
* @returns Whether the resource component matches the pattern component
|
|
106
|
+
*/
|
|
107
|
+
function resourceComponentMatchesResourceTypeComponent(resourceComponent, resourceTypeComponent) {
|
|
108
|
+
if (resourceTypeComponent === '*' || resourceTypeComponent === resourceComponent) {
|
|
109
|
+
return true;
|
|
110
|
+
}
|
|
111
|
+
if (!resourceComponent || !resourceTypeComponent) {
|
|
112
|
+
return false;
|
|
113
|
+
}
|
|
114
|
+
if (isResourceTypeVariable(resourceTypeComponent)) {
|
|
115
|
+
// If the entire component is a single variable, it matches anything
|
|
116
|
+
return true;
|
|
117
|
+
}
|
|
118
|
+
const pattern = convertResourcePatternToRegex(resourceTypeComponent);
|
|
119
|
+
const regex = new RegExp(pattern);
|
|
120
|
+
const match = resourceComponent.match(regex);
|
|
121
|
+
return !!match;
|
|
122
|
+
}
|
|
123
|
+
/**
|
|
124
|
+
* Check whether a pattern component is a single IAM variable placeholder (e.g. `${BucketName}`).
|
|
125
|
+
*
|
|
126
|
+
* @param component - The component string to check
|
|
127
|
+
* @returns Whether the component is a variable placeholder
|
|
128
|
+
*/
|
|
129
|
+
function isResourceTypeVariable(component) {
|
|
130
|
+
if (!component) {
|
|
131
|
+
return false;
|
|
132
|
+
}
|
|
133
|
+
return component.match(/^\$\{[0-9a-zA-Z]+\}$/) !== null;
|
|
134
|
+
}
|
|
135
|
+
//# sourceMappingURL=resourceTypes.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"resourceTypes.js","sourceRoot":"","sources":["../../src/resourceTypes.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAA;AACxC,OAAO,EAAE,6BAA6B,EAAE,MAAM,uBAAuB,CAAA;AAErE;;;;;;;;;GASG;AACH,MAAM,UAAU,wCAAwC,CACtD,cAAsB,EACtB,eAAuB;IAEvB,IAAI,cAAc,KAAK,GAAG,EAAE,CAAC;QAC3B,OAAO,IAAI,CAAA;IACb,CAAC;IAED,MAAM,aAAa,GAAG,aAAa,CAAC,cAAc,CAAC,CAAA;IACnD,MAAM,YAAY,GAAG,aAAa,CAAC,eAAe,CAAC,CAAA;IAEnD,IACE,CAAC,6CAA6C,CAAC,aAAa,CAAC,SAAS,EAAE,YAAY,CAAC,SAAS,CAAC,EAC/F,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAED,IAAI,CAAC,6CAA6C,CAAC,aAAa,CAAC,OAAO,EAAE,YAAY,CAAC,OAAO,CAAC,EAAE,CAAC;QAChG,OAAO,KAAK,CAAA;IACd,CAAC;IAED,IAAI,CAAC,6CAA6C,CAAC,aAAa,CAAC,MAAM,EAAE,YAAY,CAAC,MAAM,CAAC,EAAE,CAAC;QAC9F,OAAO,KAAK,CAAA;IACd,CAAC;IAED,IACE,CAAC,6CAA6C,CAAC,aAAa,CAAC,SAAS,EAAE,YAAY,CAAC,SAAS,CAAC,EAC/F,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAED,MAAM,CAAC,6BAA6B,EAAE,qBAAqB,CAAC,GAAG,0BAA0B,CACvF,aAAa,CAAC,QAAQ,CACvB,CAAA;IACD,MAAM,CAAC,4BAA4B,EAAE,oBAAoB,CAAC,GAAG,0BAA0B,CACrF,YAAY,CAAC,QAAQ,CACtB,CAAA;IAED,gFAAgF;IAChF,8EAA8E;IAC9E,iEAAiE;IACjE,IAAI,6BAA6B,GAAG,4BAA4B,EAAE,CAAC;QACjE,MAAM,oBAAoB,GAAG,oBAAoB,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAA;QACxD,IAAI,CAAC,sBAAsB,CAAC,oBAAoB,CAAC,IAAI,4BAA4B,KAAK,CAAC,EAAE,CAAC;YACxF,OAAO,KAAK,CAAA;QACd,CAAC;IACH,CAAC;IAED,mHAAmH;IACnH,gDAAgD;IAChD,IACE,qBAAqB,CAAC,MAAM,GAAG,oBAAoB,CAAC,MAAM;QAC1D,CAAC,qBAAqB,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,GAAG,CAAC,EAC5C,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,qBAAqB,CAAC,MAAM,EAAE,oBAAoB,CAAC,MAAM,CAAC,CAAA;IACtF,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,UAAU,EAAE,CAAC,EAAE,EAAE,CAAC;QACpC,MAAM,iBAAiB,GAAG,qBAAqB,CAAC,CAAC,CAAC,CAAA;QAClD,MAAM,aAAa,GAAG,CAAC,KAAK,oBAAoB,CAAC,MAAM,GAAG,CAAC,CAAA;QAC3D,MAAM,gBAAgB,GAAG,oBAAoB,CAAC,CAAC,CAAC,CAAA;QAEhD,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACtB,OAAO,KAAK,CAAA;QACd,CAAC;QAED,IAAI,sBAAsB,CAAC,gBAAgB,CAAC,EAAE,CAAC;YAC7C,IACE,aAAa;gBACb,6BAA6B,GAAG,4BAA4B;gBAC5D,4BAA4B,GAAG,CAAC,EAChC,CAAC;gBACD,sDAAsD;gBAC
tD,OAAO,IAAI,CAAA;YACb,CAAC;YACD,IAAI,aAAa,IAAI,iBAAiB,EAAE,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtD,8EAA8E;gBAC9E,MAAK;YACP,CAAC;YAED,oCAAoC;YACpC,SAAQ;QACV,CAAC;QAED,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACvB,OAAO,KAAK,CAAA;QACd,CAAC;QAED,MAAM,wBAAwB,GAC5B,GAAG,GAAG,iBAAiB,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,GAAG,CAAA;QACzE,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,wBAAwB,CAAC,CAAA;QAClD,MAAM,KAAK,GAAG,gBAAgB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;QAC3C,IAAI,KAAK,EAAE,CAAC;YACV,IAAI,aAAa,IAAI,iBAAiB,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBACrD,8EAA8E;gBAC9E,MAAK;YACP,CAAC;YACD,SAAQ;QACV,CAAC;aAAM,CAAC;YACN,OAAO,KAAK,CAAA;QACd,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;;;;GAKG;AACH,SAAS,0BAA0B,CAAC,SAA6B;IAC/D,MAAM,KAAK,GAAG,SAAS,EAAE,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAA;IAC5C,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAA;AAC3D,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,6CAA6C,CACpD,iBAAqC,EACrC,qBAAyC;IAEzC,IAAI,qBAAqB,KAAK,GAAG,IAAI,qBAAqB,KAAK,iBAAiB,EAAE,CAAC;QACjF,OAAO,IAAI,CAAA;IACb,CAAC;IAED,IAAI,CAAC,iBAAiB,IAAI,CAAC,qBAAqB,EAAE,CAAC;QACjD,OAAO,KAAK,CAAA;IACd,CAAC;IAED,IAAI,sBAAsB,CAAC,qBAAqB,CAAC,EAAE,CAAC;QAClD,oEAAoE;QACpE,OAAO,IAAI,CAAA;IACb,CAAC;IAED,MAAM,OAAO,GAAG,6BAA6B,CAAC,qBAAqB,CAAC,CAAA;IACpE,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,CAAA;IACjC,MAAM,KAAK,GAAG,iBAAiB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;IAC5C,OAAO,CAAC,CAAC,KAAK,CAAA;AAChB,CAAC;AAED;;;;;GAKG;AACH,SAAS,sBAAsB,CAAC,SAA6B;IAC3D,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,KAAK,CAAA;IACd,CAAC;IACD,OAAO,SAAS,CAAC,KAAK,CAAC,sBAAsB,CAAC,KAAK,IAAI,CAAA;AACzD,CAAC"}
|