"use strict";
var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l, _m, _o, _p, _q, _r, _s, _t, _u, _v;
Object.defineProperty(exports, "__esModule", { value: true });
exports.CompositePrincipal = exports.StarPrincipal = exports.Anyone = exports.AnyPrincipal = exports.AccountRootPrincipal = exports.SamlConsolePrincipal = exports.SamlPrincipal = exports.OpenIdConnectPrincipal = exports.WebIdentityPrincipal = exports.FederatedPrincipal = exports.CanonicalUserPrincipal = exports.OrganizationPrincipal = exports.ServicePrincipal = exports.AccountPrincipal = exports.ArnPrincipal = exports.PrincipalPolicyFragment = exports.SessionTagsPrincipal = exports.PrincipalWithConditions = exports.PrincipalBase = exports.ComparablePrincipal = void 0;
const jsiiDeprecationWarnings = require("../.warnings.jsii.js");
const JSII_RTTI_SYMBOL_1 = Symbol.for("jsii.rtti");
const cdk = require("@aws-cdk/core");
const region_info_1 = require("@aws-cdk/region-info");
const policy_statement_1 = require("./policy-statement");
const assume_role_policy_1 = require("./private/assume-role-policy");
const util_1 = require("./util");
/**
 * Static helpers for principals that may implement `IComparablePrincipal`,
 * i.e. that expose a `dedupeString()` member.
 */
class ComparablePrincipal {
    /**
     * Tell whether the given principal has a `dedupeString` member.
     *
     * @param x the principal to inspect
     * @returns the result of `'dedupeString' in x`
     */
    static isComparablePrincipal(x) {
        try {
            // jsii-generated argument check (from ../.warnings.jsii.js).
            jsiiDeprecationWarnings._aws_cdk_aws_iam_IPrincipal(x);
        }
        catch (err) {
            // Unless JSII_DEBUG=1, re-capture the stack of a DeprecationError so
            // that it starts at the caller of this method.
            const trimFrames = process.env.JSII_DEBUG !== "1" && err.name === "DeprecationError";
            if (trimFrames) {
                Error.captureStackTrace(err, this.isComparablePrincipal);
            }
            throw err;
        }
        return 'dedupeString' in x;
    }
    /**
     * Return the dedupe string of the given principal when it has one.
     *
     * @param x the principal to inspect
     * @returns `x.dedupeString()` for comparable principals, otherwise `undefined`
     */
    static dedupeStringFor(x) {
        try {
            jsiiDeprecationWarnings._aws_cdk_aws_iam_IPrincipal(x);
        }
        catch (err) {
            const trimFrames = process.env.JSII_DEBUG !== "1" && err.name === "DeprecationError";
            if (trimFrames) {
                Error.captureStackTrace(err, this.dedupeStringFor);
            }
            throw err;
        }
        if (!ComparablePrincipal.isComparablePrincipal(x)) {
            return undefined;
        }
        return x.dedupeString();
    }
}
// Publish the class and attach its jsii runtime type information.
exports.ComparablePrincipal = ComparablePrincipal;
_a = JSII_RTTI_SYMBOL_1;
ComparablePrincipal[_a] = { fqn: "@aws-cdk/aws-iam.ComparablePrincipal", version: "1.201.0" };
/**
 * Common base for policy principals.
 *
 * Subclasses supply `policyFragment`; this class provides the default
 * trust-policy rendering, string/JSON conversion and the `withConditions()` /
 * `withSessionTags()` wrappers.
 */
class PrincipalBase {
    constructor() {
        this.grantPrincipal = this;
        this.principalAccount = undefined;
        /**
         * Action placed in the statement when this principal is added to an
         * AssumeRole (trust) policy. Subclasses may overwrite it.
         */
        this.assumeRoleAction = 'sts:AssumeRole';
    }
    /**
     * Forward to `addToPrincipalPolicy()` and report only whether the
     * statement was added.
     *
     * @param statement the policy statement to add
     * @returns the `statementAdded` flag of the result
     */
    addToPolicy(statement) {
        try {
            // jsii-generated argument check (from ../.warnings.jsii.js).
            jsiiDeprecationWarnings._aws_cdk_aws_iam_PolicyStatement(statement);
        }
        catch (err) {
            // Unless JSII_DEBUG=1, make a DeprecationError's stack start at our caller.
            const trimFrames = process.env.JSII_DEBUG !== "1" && err.name === "DeprecationError";
            if (trimFrames) {
                Error.captureStackTrace(err, this.addToPolicy);
            }
            throw err;
        }
        const { statementAdded } = this.addToPrincipalPolicy(statement);
        return statementAdded;
    }
    /**
     * Base implementation: never adds anything.
     *
     * @param _statement the policy statement (only validated, otherwise unused)
     * @returns `{ statementAdded: false }`
     */
    addToPrincipalPolicy(_statement) {
        try {
            jsiiDeprecationWarnings._aws_cdk_aws_iam_PolicyStatement(_statement);
        }
        catch (err) {
            const trimFrames = process.env.JSII_DEBUG !== "1" && err.name === "DeprecationError";
            if (trimFrames) {
                Error.captureStackTrace(err, this.addToPrincipalPolicy);
            }
            throw err;
        }
        // Non-identity principals derive from this class; they own no
        // PolicyDocument that a statement could be attached to.
        return { statementAdded: false };
    }
    /**
     * Add a statement to `document` that allows this principal to perform
     * `this.assumeRoleAction`.
     *
     * @param document the assume-role policy document to extend
     */
    addToAssumeRolePolicy(document) {
        try {
            jsiiDeprecationWarnings._aws_cdk_aws_iam_PolicyDocument(document);
        }
        catch (err) {
            const trimFrames = process.env.JSII_DEBUG !== "1" && err.name === "DeprecationError";
            if (trimFrames) {
                Error.captureStackTrace(err, this.addToAssumeRolePolicy);
            }
            throw err;
        }
        // Default protocol implementation, kept compatible with the legacy behavior.
        const trustStatement = new policy_statement_1.PolicyStatement({
            actions: [this.assumeRoleAction],
            principals: [this],
        });
        document.addStatements(trustStatement);
    }
    /**
     * Readable fallback representation: the principal JSON as a string.
     * Subclasses are expected to return something nicer.
     */
    toString() {
        const { principalJson } = this.policyFragment;
        return JSON.stringify(principalJson);
    }
    /**
     * Value used by JSON.stringify() for this principal.
     *
     * Implemented explicitly because the default serialization would recurse
     * without end.
     */
    toJSON() {
        const fragment = this.policyFragment;
        return fragment.principalJson;
    }
    /**
     * Wrap this principal in a PrincipalWithConditions carrying `conditions`.
     *
     * Where the principal and `conditions` both define a value for the same
     * operator and key, the value from `conditions` is used.
     *
     * @param conditions the conditions to add
     * @returns a new PrincipalWithConditions object.
     */
    withConditions(conditions) {
        const conditioned = new PrincipalWithConditions(this, conditions);
        return conditioned;
    }
    /**
     * Wrap this principal in a SessionTagsPrincipal, which enables session tags.
     *
     * @returns a new SessionTagsPrincipal object.
     */
    withSessionTags() {
        const tagged = new SessionTagsPrincipal(this);
        return tagged;
    }
}
// Publish the class and attach its jsii runtime type information.
exports.PrincipalBase = PrincipalBase;
_b = JSII_RTTI_SYMBOL_1;
PrincipalBase[_b] = { fqn: "@aws-cdk/aws-iam.PrincipalBase", version: "1.201.0" };
/**
 * Base for principals that decorate another principal.
 *
 * The assume-role action, account, policy fragment and policy-mutation calls
 * are all taken from the wrapped principal.
 */
class PrincipalAdapter extends PrincipalBase {
    /**
     * @param wrapped the principal being decorated
     */
    constructor(wrapped) {
        super();
        this.wrapped = wrapped;
        // Mirror the wrapped principal's values over the PrincipalBase defaults.
        this.assumeRoleAction = this.wrapped.assumeRoleAction;
        this.principalAccount = this.wrapped.principalAccount;
    }
    get policyFragment() {
        return this.wrapped.policyFragment;
    }
    addToPolicy(statement) {
        const inner = this.wrapped;
        return inner.addToPolicy(statement);
    }
    addToPrincipalPolicy(statement) {
        const inner = this.wrapped;
        return inner.addToPrincipalPolicy(statement);
    }
    /**
     * Build a dedupe string of the form `<ClassName>:<wrapped dedupe>:<append>`.
     *
     * @param append suffix that distinguishes this adapter instance
     * @returns the combined string, or `undefined` when the wrapped principal
     * has no dedupe string
     */
    appendDedupe(append) {
        const wrappedDedupe = ComparablePrincipal.dedupeStringFor(this.wrapped);
        if (wrappedDedupe === undefined) {
            return undefined;
        }
        return `${this.constructor.name}:${wrappedDedupe}:${append}`;
    }
}
/**
 * An IAM principal plus extra conditions that restrict when the policy applies.
 *
 * For more information about conditions, see:
 * https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html
 */
class PrincipalWithConditions extends PrincipalAdapter {
    /**
     * @param principal the principal to wrap
     * @param conditions additional conditions; the object is stored by
     * reference, so `addCondition()` writes into the caller's object
     */
    constructor(principal, conditions) {
        super(principal);
        try {
            // jsii-generated argument check (from ../.warnings.jsii.js).
            jsiiDeprecationWarnings._aws_cdk_aws_iam_IPrincipal(principal);
        }
        catch (err) {
            // Unless JSII_DEBUG=1, make a DeprecationError's stack start at our caller.
            const trimFrames = process.env.JSII_DEBUG !== "1" && err.name === "DeprecationError";
            if (trimFrames) {
                Error.captureStackTrace(err, PrincipalWithConditions);
            }
            throw err;
        }
        this.additionalConditions = conditions;
    }
    /**
     * Add a condition to the principal.
     *
     * When `key` already has a truthy value, the two are shallow-merged and
     * entries of `value` win; otherwise `value` is stored as is.
     *
     * @param key the condition operator
     * @param value the condition body for that operator
     */
    addCondition(key, value) {
        const current = this.additionalConditions[key];
        if (current) {
            this.additionalConditions[key] = { ...current, ...value };
        }
        else {
            this.additionalConditions[key] = value;
        }
    }
    /**
     * Add several conditions to the principal.
     *
     * Values from `conditions` overwrite existing values that have the same
     * operator and key.
     *
     * @param conditions map of operator to condition body
     */
    addConditions(conditions) {
        for (const [key, value] of Object.entries(conditions)) {
            this.addCondition(key, value);
        }
    }
    /**
     * The conditions under which the policy is in effect: the wrapped
     * principal's conditions merged with the additional ones.
     * See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).
     */
    get conditions() {
        const inherited = this.wrapped.policyFragment.conditions;
        return this.mergeConditions(inherited, this.additionalConditions);
    }
    get policyFragment() {
        const { principalJson } = this.wrapped.policyFragment;
        return new PrincipalPolicyFragment(principalJson, this.conditions);
    }
    toString() {
        const inner = this.wrapped;
        return inner.toString();
    }
    /**
     * Value used by JSON.stringify() for this principal.
     *
     * Implemented explicitly because the default serialization would recurse
     * without end.
     */
    toJSON() {
        const fragment = this.policyFragment;
        return fragment.principalJson;
    }
    dedupeString() {
        const serialized = JSON.stringify(this.conditions);
        return this.appendDedupe(serialized);
    }
    /**
     * Combine two condition maps into a new object.
     *
     * An operator present in only one map is copied over. An operator present
     * in both is shallow-merged, with entries from `additionalConditions`
     * taking precedence.
     *
     * @param principalConditions conditions of the wrapped principal
     * @param additionalConditions conditions added on this wrapper
     * @returns the merged condition map
     * @throws Error when an operator occurs in both maps and either side is an
     * unresolved token
     */
    mergeConditions(principalConditions, additionalConditions) {
        const merged = {};
        for (const [operator, condition] of Object.entries(principalConditions)) {
            merged[operator] = condition;
        }
        for (const [operator, condition] of Object.entries(additionalConditions)) {
            const current = merged[operator];
            if (!current) {
                // Operator not used so far: take the additional condition unchanged.
                merged[operator] = condition;
                continue;
            }
            // The inner structure of a token cannot be inspected, so a merge with
            // an unresolved token on either side is refused.
            const hasToken = cdk.Token.isUnresolved(condition) || cdk.Token.isUnresolved(current);
            if (hasToken) {
                throw new Error(`multiple "${operator}" conditions cannot be merged if one of them contains an unresolved token`);
            }
            merged[operator] = { ...current, ...condition };
        }
        return merged;
    }
}
// Publish the class and attach its jsii runtime type information.
exports.PrincipalWithConditions = PrincipalWithConditions;
_c = JSII_RTTI_SYMBOL_1;
PrincipalWithConditions[_c] = { fqn: "@aws-cdk/aws-iam.PrincipalWithConditions", version: "1.201.0" };
/**
 * Wraps a principal so that role assumptions by it may pass session tags.
 *
 * For more information on session tags, see:
 * https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
 */
class SessionTagsPrincipal extends PrincipalAdapter {
    /**
     * @param principal the principal to wrap
     */
    constructor(principal) {
        super(principal);
        try {
            // jsii-generated argument check (from ../.warnings.jsii.js).
            jsiiDeprecationWarnings._aws_cdk_aws_iam_IPrincipal(principal);
        }
        catch (err) {
            // Unless JSII_DEBUG=1, make a DeprecationError's stack start at our caller.
            const trimFrames = process.env.JSII_DEBUG !== "1" && err.name === "DeprecationError";
            if (trimFrames) {
                Error.captureStackTrace(err, SessionTagsPrincipal);
            }
            throw err;
        }
    }
    /**
     * Add the wrapped principal to `doc` through an adapter that appends the
     * `sts:TagSession` action to each statement handed to it.
     *
     * @param doc the assume-role policy document to extend
     */
    addToAssumeRolePolicy(doc) {
        try {
            jsiiDeprecationWarnings._aws_cdk_aws_iam_PolicyDocument(doc);
        }
        catch (err) {
            const trimFrames = process.env.JSII_DEBUG !== "1" && err.name === "DeprecationError";
            if (trimFrames) {
                Error.captureStackTrace(err, this.addToAssumeRolePolicy);
            }
            throw err;
        }
        // Lazy import to avoid circular import dependencies during startup
        // eslint-disable-next-line @typescript-eslint/no-require-imports
        const { MutatingPolicyDocumentAdapter } = require('./private/policydoc-adapter');
        const taggingDoc = new MutatingPolicyDocumentAdapter(doc, (statement) => {
            statement.addActions('sts:TagSession');
            return statement;
        });
        assume_role_policy_1.defaultAddPrincipalToAssumeRole(this.wrapped, taggingDoc);
    }
    dedupeString() {
        // This adapter has no state of its own, hence the empty suffix.
        return this.appendDedupe('');
    }
}
// Publish the class and attach its jsii runtime type information.
exports.SessionTagsPrincipal = SessionTagsPrincipal;
_d = JSII_RTTI_SYMBOL_1;
SessionTagsPrincipal[_d] = { fqn: "@aws-cdk/aws-iam.SessionTagsPrincipal", version: "1.201.0" };
/**
 * The parts of a PolicyStatement that identify a principal: the JSON for the
 * "Principal" field and, optionally, "Condition"s that must accompany it.
 *
 * A principal normally has the shape
 *
 *     { '<TYPE>': ['ID', 'ID', ...] }
 *
 * which is also the type of `principalJson`. The bare string '*' is a special
 * principal that some services treat differently; it is represented as
 * `{ 'LiteralString': ['*'] }`.
 */
class PrincipalPolicyFragment {
    /**
     * @param principalJson JSON of the "Principal" section in a policy statement
     * @param conditions conditions that need to be applied to this policy
     * (defaults to an empty object). See
     * [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).
     */
    constructor(principalJson, conditions = {}) {
        this.principalJson = principalJson;
        this.conditions = conditions;
    }
}
// Publish the class and attach its jsii runtime type information.
exports.PrincipalPolicyFragment = PrincipalPolicyFragment;
_e = JSII_RTTI_SYMBOL_1;
PrincipalPolicyFragment[_e] = { fqn: "@aws-cdk/aws-iam.PrincipalPolicyFragment", version: "1.201.0" };
/**
 * A principal identified by its Amazon Resource Name (ARN).
 * AWS accounts, IAM users, Federated SAML users, IAM roles and specific
 * assumed-role sessions can be specified this way; IAM groups and instance
 * profiles cannot be used as principals.
 *
 * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html
 */
class ArnPrincipal extends PrincipalBase {
    /**
     * @param arn Amazon Resource Name (ARN) of the principal entity (i.e. arn:aws:iam::123456789012:user/user-name)
     */
    constructor(arn) {
        super();
        this.arn = arn;
    }
    /** Renders as `{ AWS: [<arn>] }` with no conditions. */
    get policyFragment() {
        const principalJson = { AWS: [this.arn] };
        return new PrincipalPolicyFragment(principalJson);
    }
    toString() {
        return `ArnPrincipal(${this.arn})`;
    }
    /**
     * Convenience wrapper that adds a `StringEquals` condition on
     * `aws:PrincipalOrgID`, requiring the principal to belong to the given
     * AWS Organization.
     *
     * @param organizationId the organization ID to match
     * @returns the result of `withConditions()`
     */
    inOrganization(organizationId) {
        const orgCondition = {
            StringEquals: {
                'aws:PrincipalOrgID': organizationId,
            },
        };
        return this.withConditions(orgCondition);
    }
    dedupeString() {
        return `ArnPrincipal:${this.arn}`;
    }
}
// Publish the class and attach its jsii runtime type information.
exports.ArnPrincipal = ArnPrincipal;
_f = JSII_RTTI_SYMBOL_1;
ArnPrincipal[_f] = { fqn: "@aws-cdk/aws-iam.ArnPrincipal", version: "1.201.0" };
/**
 * Uses an AWS account ID as the principal entity, delegating authority to
 * that account. The ARN passed to ArnPrincipal is
 * `arn:<partition>:iam::<accountId>:root`, with the partition taken from the
 * stack when the token is resolved.
 */
class AccountPrincipal extends ArnPrincipal {
    /**
     * @param accountId AWS account ID (i.e. 123456789012)
     * @throws Error when `accountId` is neither an unresolved token nor a string
     */
    constructor(accountId) {
        const rootArn = new StackDependentToken(stack => `arn:${stack.partition}:iam::${accountId}:root`);
        super(rootArn.toString());
        this.accountId = accountId;
        // The type check runs after super(); unresolved tokens are exempt from it.
        const isConcrete = !cdk.Token.isUnresolved(accountId);
        if (isConcrete && typeof accountId !== 'string') {
            throw new Error('accountId should be of type string');
        }
        this.principalAccount = accountId;
    }
    toString() {
        return `AccountPrincipal(${this.accountId})`;
    }
}
// Publish the class and attach its jsii runtime type information.
exports.AccountPrincipal = AccountPrincipal;
_g = JSII_RTTI_SYMBOL_1;
AccountPrincipal[_g] = { fqn: "@aws-cdk/aws-iam.AccountPrincipal", version: "1.201.0" };
/**
 * An IAM principal that represents an AWS service (i.e. sqs.amazonaws.com).
 */
class ServicePrincipal extends PrincipalBase {
    /**
     * @param service AWS service (i.e. sqs.amazonaws.com)
     * @param opts options; this class reads `opts.conditions` and passes the
     * whole object on to ServicePrincipalToken (defaults to an empty object)
     */
    constructor(service, opts = {}) {
        super();
        this.service = service;
        this.opts = opts;
        try {
            // jsii-generated argument check (from ../.warnings.jsii.js).
            jsiiDeprecationWarnings._aws_cdk_aws_iam_ServicePrincipalOpts(opts);
        }
        catch (err) {
            // Unless JSII_DEBUG=1, make a DeprecationError's stack start at our caller.
            const trimFrames = process.env.JSII_DEBUG !== "1" && err.name === "DeprecationError";
            if (trimFrames) {
                Error.captureStackTrace(err, ServicePrincipal);
            }
            throw err;
        }
    }
    /**
     * Translate the given service principal name based on the region it's used in.
     *
     * For example, for Chinese regions this may (depending on whether that's necessary
     * for the given service principal) append `.cn` to the name.
     *
     * The `region-info` module is used to obtain this information.
     *
     * @example
     * const principalName = iam.ServicePrincipal.servicePrincipalName('ec2.amazonaws.com');
     */
    static servicePrincipalName(service) {
        const token = new ServicePrincipalToken(service, {});
        return token.toString();
    }
    /**
     * Renders as `{ Service: [<token>] }` together with `opts.conditions`.
     */
    get policyFragment() {
        const nameToken = new ServicePrincipalToken(this.service, this.opts).toString();
        return new PrincipalPolicyFragment({ Service: [nameToken] }, this.opts.conditions);
    }
    toString() {
        return `ServicePrincipal(${this.service})`;
    }
    dedupeString() {
        const serializedOpts = JSON.stringify(this.opts);
        return `ServicePrincipal:${this.service}:${serializedOpts}`;
    }
}
// Publish the class and attach its jsii runtime type information.
exports.ServicePrincipal = ServicePrincipal;
_h = JSII_RTTI_SYMBOL_1;
ServicePrincipal[_h] = { fqn: "@aws-cdk/aws-iam.ServicePrincipal", version: "1.201.0" };
/**
 * A principal that represents an AWS Organization.
 *
 * The rendered principal is the wildcard `{ AWS: ['*'] }`; membership in the
 * organization is enforced only by the accompanying `StringEquals` condition
 * on `aws:PrincipalOrgID`, so the condition must reach the final statement.
 */
class OrganizationPrincipal extends PrincipalBase {
    /**
     * @param organizationId The unique identifier (ID) of an organization (i.e. o-12345abcde)
     */
    constructor(organizationId) {
        super();
        this.organizationId = organizationId;
    }
    get policyFragment() {
        const anyAwsPrincipal = { AWS: ['*'] };
        const orgCondition = { StringEquals: { 'aws:PrincipalOrgID': this.organizationId } };
        return new PrincipalPolicyFragment(anyAwsPrincipal, orgCondition);
    }
    toString() {
        return `OrganizationPrincipal(${this.organizationId})`;
    }
    dedupeString() {
        return `OrganizationPrincipal:${this.organizationId}`;
    }
}
// Publish the class and attach its jsii runtime type information.
exports.OrganizationPrincipal = OrganizationPrincipal;
_j = JSII_RTTI_SYMBOL_1;
OrganizationPrincipal[_j] = { fqn: "@aws-cdk/aws-iam.OrganizationPrincipal", version: "1.201.0" };
/**
 * A policy principal for canonical user IDs - useful for S3 bucket policies
 * that use Origin Access identities.
 *
 * For more details see
 * https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html
 * and
 * https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
 */
class CanonicalUserPrincipal extends PrincipalBase {
    /**
     * @param canonicalUserId unique identifier assigned by AWS for every account.
     * root user and IAM users for an account all see the same ID.
     * (i.e. 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be)
     */
    constructor(canonicalUserId) {
        super();
        this.canonicalUserId = canonicalUserId;
    }
    /** Renders as `{ CanonicalUser: [<id>] }` with no conditions. */
    get policyFragment() {
        const principalJson = { CanonicalUser: [this.canonicalUserId] };
        return new PrincipalPolicyFragment(principalJson);
    }
    toString() {
        return `CanonicalUserPrincipal(${this.canonicalUserId})`;
    }
    dedupeString() {
        return `CanonicalUserPrincipal:${this.canonicalUserId}`;
    }
}
// Publish the class and attach its jsii runtime type information.
exports.CanonicalUserPrincipal = CanonicalUserPrincipal;
_k = JSII_RTTI_SYMBOL_1;
CanonicalUserPrincipal[_k] = { fqn: "@aws-cdk/aws-iam.CanonicalUserPrincipal", version: "1.201.0" };
/**
 * Principal entity that represents a federated identity provider such as Amazon Cognito,
 * that can be used to provide temporary security credentials to users who have been authenticated.
 * Additional condition keys are available when the temporary security credentials are used to make a request.
 * You can use these keys to write policies that limit the access of federated users.
 *
 * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#condition-keys-wif
 */
class FederatedPrincipal extends PrincipalBase {
    /**
     * @param federated federated identity provider (i.e. 'cognito-identity.amazonaws.com' for users authenticated through Cognito)
     * @param conditions The conditions under which the policy is in effect.
     * See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).
     * @param assumeRoleAction the action used when this principal appears in an
     * AssumeRole policy (defaults to 'sts:AssumeRole')
     */
    constructor(federated, conditions, assumeRoleAction = 'sts:AssumeRole') {
        super();
        this.federated = federated;
        this.conditions = conditions;
        this.assumeRoleAction = assumeRoleAction;
    }
    /** Renders as `{ Federated: [<provider>] }` together with `this.conditions`. */
    get policyFragment() {
        const principalJson = { Federated: [this.federated] };
        return new PrincipalPolicyFragment(principalJson, this.conditions);
    }
    toString() {
        return `FederatedPrincipal(${this.federated})`;
    }
    dedupeString() {
        const serializedConditions = JSON.stringify(this.conditions);
        return `FederatedPrincipal:${this.federated}:${this.assumeRoleAction}:${serializedConditions}`;
    }
}
// Publish the class and attach its jsii runtime type information.
exports.FederatedPrincipal = FederatedPrincipal;
_l = JSII_RTTI_SYMBOL_1;
FederatedPrincipal[_l] = { fqn: "@aws-cdk/aws-iam.FederatedPrincipal", version: "1.201.0" };
/**
 * A principal that represents a federated identity provider as Web Identity such as Cognito, Amazon,
 * Facebook, Google, etc.
 *
 * The assume-role action is fixed to 'sts:AssumeRoleWithWebIdentity'.
 */
class WebIdentityPrincipal extends FederatedPrincipal {
    /**
     * @param identityProvider identity provider (i.e. 'cognito-identity.amazonaws.com' for users authenticated through Cognito)
     * @param conditions The conditions under which the policy is in effect
     * (an empty object when omitted or nullish).
     * See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).
     */
    constructor(identityProvider, conditions = {}) {
        // The default covers `undefined`; `??` additionally maps `null` to {}.
        const effectiveConditions = conditions ?? {};
        super(identityProvider, effectiveConditions, 'sts:AssumeRoleWithWebIdentity');
    }
    get policyFragment() {
        const principalJson = { Federated: [this.federated] };
        return new PrincipalPolicyFragment(principalJson, this.conditions);
    }
    toString() {
        return `WebIdentityPrincipal(${this.federated})`;
    }
}
// Publish the class and attach its jsii runtime type information.
exports.WebIdentityPrincipal = WebIdentityPrincipal;
_m = JSII_RTTI_SYMBOL_1;
WebIdentityPrincipal[_m] = { fqn: "@aws-cdk/aws-iam.WebIdentityPrincipal", version: "1.201.0" };
/**
 * A principal that represents a federated identity provider backed by an
 * OpenID Connect provider.
 */
class OpenIdConnectPrincipal extends WebIdentityPrincipal {
    /**
     * @param openIdConnectProvider OpenID Connect provider; its
     * `openIdConnectProviderArn` becomes the federated identity
     * @param conditions The conditions under which the policy is in effect
     * (an empty object when omitted or nullish).
     * See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).
     */
    constructor(openIdConnectProvider, conditions = {}) {
        const providerArn = openIdConnectProvider.openIdConnectProviderArn;
        super(providerArn, conditions ?? {});
        try {
            // jsii-generated argument check (from ../.warnings.jsii.js); it runs
            // after super() has already consumed the provider ARN.
            jsiiDeprecationWarnings._aws_cdk_aws_iam_IOpenIdConnectProvider(openIdConnectProvider);
        }
        catch (err) {
            // Unless JSII_DEBUG=1, make a DeprecationError's stack start at our caller.
            const trimFrames = process.env.JSII_DEBUG !== "1" && err.name === "DeprecationError";
            if (trimFrames) {
                Error.captureStackTrace(err, OpenIdConnectPrincipal);
            }
            throw err;
        }
    }
    get policyFragment() {
        const principalJson = { Federated: [this.federated] };
        return new PrincipalPolicyFragment(principalJson, this.conditions);
    }
    toString() {
        return `OpenIdConnectPrincipal(${this.federated})`;
    }
}
// Publish the class and attach its jsii runtime type information.
exports.OpenIdConnectPrincipal = OpenIdConnectPrincipal;
_o = JSII_RTTI_SYMBOL_1;
OpenIdConnectPrincipal[_o] = { fqn: "@aws-cdk/aws-iam.OpenIdConnectPrincipal", version: "1.201.0" };
/**
 * Principal entity that represents a SAML federated identity provider.
 *
 * The assume-role action is fixed to 'sts:AssumeRoleWithSAML'.
 */
class SamlPrincipal extends FederatedPrincipal {
    /**
     * @param samlProvider SAML provider; its `samlProviderArn` becomes the
     * federated identity
     * @param conditions the conditions under which the policy is in effect
     */
    constructor(samlProvider, conditions) {
        const providerArn = samlProvider.samlProviderArn;
        super(providerArn, conditions, 'sts:AssumeRoleWithSAML');
        try {
            // jsii-generated argument check (from ../.warnings.jsii.js).
            jsiiDeprecationWarnings._aws_cdk_aws_iam_ISamlProvider(samlProvider);
        }
        catch (err) {
            // Unless JSII_DEBUG=1, make a DeprecationError's stack start at our caller.
            const trimFrames = process.env.JSII_DEBUG !== "1" && err.name === "DeprecationError";
            if (trimFrames) {
                Error.captureStackTrace(err, SamlPrincipal);
            }
            throw err;
        }
    }
    toString() {
        return `SamlPrincipal(${this.federated})`;
    }
}
// Publish the class and attach its jsii runtime type information.
exports.SamlPrincipal = SamlPrincipal;
_p = JSII_RTTI_SYMBOL_1;
SamlPrincipal[_p] = { fqn: "@aws-cdk/aws-iam.SamlPrincipal", version: "1.201.0" };
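/**
 * Principal entity that represents a SAML federated identity provider for
 * programmatic and AWS Management Console access.
 *
 * The trust condition always pins `SAML:aud` to the AWS sign-in endpoint.
 */
class SamlConsolePrincipal extends SamlPrincipal {
    /**
     * @param samlProvider SAML provider; its `samlProviderArn` becomes the
     * federated identity
     * @param conditions additional conditions (defaults to an empty object).
     * Caller-supplied `StringEquals` entries are kept alongside the mandatory
     * `SAML:aud` entry; a caller-supplied `SAML:aud` is overridden.
     */
    constructor(samlProvider, conditions = {}) {
        // Previously a caller-supplied `StringEquals` block was replaced wholesale
        // by the `SAML:aud` entry, silently dropping the caller's restrictions
        // from the trust policy. A plain-object block is now merged instead.
        const callerStringEquals = conditions?.StringEquals;
        const canMerge = callerStringEquals !== null
            && typeof callerStringEquals === 'object'
            && !cdk.Token.isUnresolved(callerStringEquals);
        // NOTE(review): an unresolved-token `StringEquals` cannot be merged
        // structurally and is still replaced, as before.
        super(samlProvider, {
            ...conditions,
            StringEquals: {
                ...(canMerge ? callerStringEquals : {}),
                // Listed last so the audience pin always wins.
                'SAML:aud': 'https://signin.aws.amazon.com/saml',
            },
        });
        try {
            // jsii-generated argument check (from ../.warnings.jsii.js).
            jsiiDeprecationWarnings._aws_cdk_aws_iam_ISamlProvider(samlProvider);
        }
        catch (error) {
            // Unless JSII_DEBUG=1, make a DeprecationError's stack start at our caller.
            if (process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError") {
                Error.captureStackTrace(error, SamlConsolePrincipal);
            }
            throw error;
        }
    }
    toString() {
        return `SamlConsolePrincipal(${this.federated})`;
    }
}
// Publish the class and attach its jsii runtime type information.
exports.SamlConsolePrincipal = SamlConsolePrincipal;
_q = JSII_RTTI_SYMBOL_1;
SamlConsolePrincipal[_q] = { fqn: "@aws-cdk/aws-iam.SamlConsolePrincipal", version: "1.201.0" };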
/**
 * Uses the AWS account into which a stack is deployed as the principal entity
 * in a policy. The account is read from the stack when the token resolves.
 */
class AccountRootPrincipal extends AccountPrincipal {
    constructor() {
        const deployAccount = new StackDependentToken(stack => stack.account);
        super(deployAccount.toString());
    }
    toString() {
        return 'AccountRootPrincipal()';
    }
}
// Publish the class and attach its jsii runtime type information.
exports.AccountRootPrincipal = AccountRootPrincipal;
_r = JSII_RTTI_SYMBOL_1;
AccountRootPrincipal[_r] = { fqn: "@aws-cdk/aws-iam.AccountRootPrincipal", version: "1.201.0" };
/**
 * A principal representing all AWS identities in all accounts.
 *
 * Some services behave differently when you specify `Principal: '*'`
 * or `Principal: { AWS: "*" }` in their resource policy.
 *
 * `AnyPrincipal` renders to `Principal: { AWS: "*" }`. This is correct
 * most of the time, but in cases where you need the other principal,
 * use `StarPrincipal` instead.
 *
 * Because the principal itself matches every identity, any restriction has to
 * come from conditions or from the rest of the statement.
 */
class AnyPrincipal extends ArnPrincipal {
    constructor() {
        // The wildcard takes the place of an ARN.
        super('*');
    }
    toString() {
        return 'AnyPrincipal()';
    }
}
// Publish the class and attach its jsii runtime type information.
exports.AnyPrincipal = AnyPrincipal;
_s = JSII_RTTI_SYMBOL_1;
AnyPrincipal[_s] = { fqn: "@aws-cdk/aws-iam.AnyPrincipal", version: "1.201.0" };
/**
 * A principal representing all identities in all accounts.
 *
 * Adds nothing to `AnyPrincipal`; kept as an alias under the old name.
 *
 * @deprecated use `AnyPrincipal`
 */
class Anyone extends AnyPrincipal {
}
// Publish the class and attach its jsii runtime type information.
exports.Anyone = Anyone;
_t = JSII_RTTI_SYMBOL_1;
Anyone[_t] = { fqn: "@aws-cdk/aws-iam.Anyone", version: "1.201.0" };
/**
 * A principal that uses a literal '*' in the IAM JSON language.
 *
 * Some services behave differently when you specify `Principal: "*"`
 * or `Principal: { AWS: "*" }` in their resource policy.
 *
 * `StarPrincipal` renders to `Principal: *`. Most of the time, you
 * should use `AnyPrincipal` instead.
 */
class StarPrincipal extends PrincipalBase {
    constructor() {
        super(...arguments);
        // Stored as a plain object under the literal-string key from ./util;
        // there are no conditions.
        const principalJson = { [util_1.LITERAL_STRING_KEY]: ['*'] };
        this.policyFragment = {
            principalJson,
            conditions: {},
        };
    }
    toString() {
        return 'StarPrincipal()';
    }
    dedupeString() {
        // Every StarPrincipal is equivalent, so the string is a constant.
        return 'StarPrincipal';
    }
}
// Publish the class and attach its jsii runtime type information.
exports.StarPrincipal = StarPrincipal;
_u = JSII_RTTI_SYMBOL_1;
StarPrincipal[_u] = { fqn: "@aws-cdk/aws-iam.StarPrincipal", version: "1.201.0" };
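/**
 * Represents a principal that has multiple types of principals, e.g. several
 * ServicePrincipals combined into one.
 *
 * A composite principal cannot carry conditions when it is rendered into a
 * single statement; `policyFragment` throws in that case.
 */
class CompositePrincipal extends PrincipalBase {
    /**
     * @param principals the principals to combine; at least one is required
     * @throws Error when no principal is passed
     */
    constructor(...principals) {
        super();
        this.principals = [];
        try {
            // jsii-generated argument check (from ../.warnings.jsii.js).
            jsiiDeprecationWarnings._aws_cdk_aws_iam_IPrincipal(principals);
        }
        catch (error) {
            // Unless JSII_DEBUG=1, make a DeprecationError's stack start at our caller.
            if (process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError") {
                Error.captureStackTrace(error, CompositePrincipal);
            }
            throw error;
        }
        if (principals.length === 0) {
            throw new Error('CompositePrincipals must be constructed with at least 1 Principal but none were passed.');
        }
        // The composite's own assume-role action is taken from the first principal.
        this.assumeRoleAction = principals[0].assumeRoleAction;
        this.addPrincipals(...principals);
    }
    /**
     * Adds IAM principals to the composite principal. Composite principals cannot have
     * conditions.
     *
     * @param principals IAM principals that will be added to the composite principal
     * @returns this composite, to allow chaining
     */
    addPrincipals(...principals) {
        try {
            jsiiDeprecationWarnings._aws_cdk_aws_iam_IPrincipal(principals);
        }
        catch (error) {
            if (process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError") {
                Error.captureStackTrace(error, this.addPrincipals);
            }
            throw error;
        }
        this.principals.push(...principals);
        return this;
    }
    /**
     * Add every contained principal to `doc` individually.
     *
     * @param doc the assume-role policy document to extend
     */
    addToAssumeRolePolicy(doc) {
        try {
            jsiiDeprecationWarnings._aws_cdk_aws_iam_PolicyDocument(doc);
        }
        catch (error) {
            if (process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError") {
                Error.captureStackTrace(error, this.addToAssumeRolePolicy);
            }
            throw error;
        }
        for (const p of this.principals) {
            assume_role_policy_1.defaultAddPrincipalToAssumeRole(p, doc);
        }
    }
    /**
     * Merge the principal JSON of all components into one fragment.
     *
     * @throws Error when any component's fragment has conditions
     */
    get policyFragment() {
        // Conditions are only a problem when the composite is rendered into a
        // single statement, which is the case whenever this getter is called.
        // All components are checked before anything is merged.
        for (const p of this.principals) {
            const fragment = p.policyFragment;
            if (fragment.conditions && Object.keys(fragment.conditions).length > 0) {
                throw new Error('Components of a CompositePrincipal must not have conditions. ' +
                    `Tried to add the following fragment: ${JSON.stringify(fragment)}`);
            }
        }
        const principalJson = {};
        for (const p of this.principals) {
            util_1.mergePrincipal(principalJson, p.policyFragment.principalJson);
        }
        return new PrincipalPolicyFragment(principalJson);
    }
    toString() {
        return `CompositePrincipal(${this.principals})`;
    }
    /**
     * @returns `CompositePrincipal[a,b,...]` built from the components' dedupe
     * strings, or `undefined` when any component has none
     */
    dedupeString() {
        // Call through the class: handing the static method to map() unbound
        // leaves `this` undefined inside it, and its error path reads
        // `this.dedupeStringFor`, which would replace the real error with a
        // TypeError.
        const inner = this.principals.map((p) => ComparablePrincipal.dedupeStringFor(p));
        if (inner.some(x => x === undefined)) {
            return undefined;
        }
        return `CompositePrincipal[${inner.join(',')}]`;
    }
}
// Publish the class and attach its jsii runtime type information.
exports.CompositePrincipal = CompositePrincipal;
_v = JSII_RTTI_SYMBOL_1;
CompositePrincipal[_v] = { fqn: "@aws-cdk/aws-iam.CompositePrincipal", version: "1.201.0" };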
/**
 * A lazy token whose value is computed from the Stack of the resolving scope.
 */
class StackDependentToken {
    /**
     * @param fn callback that receives the Stack and returns the token's value
     */
    constructor(fn) {
        this.fn = fn;
        this.creationStack = cdk.captureStackTrace();
    }
    /**
     * @param context resolution context; its `scope` is used to look up the Stack
     * @returns whatever `fn` returns for that Stack
     */
    resolve(context) {
        const owningStack = cdk.Stack.of(context.scope);
        return this.fn(owningStack);
    }
    toString() {
        const encoded = cdk.Token.asString(this);
        return encoded;
    }
    /**
     * Value used by JSON.stringify() for this token: a fixed placeholder.
     */
    toJSON() {
        const placeholder = '<unresolved-token>';
        return placeholder;
    }
}
/**
 * A lazy token that resolves to the service principal name for a service,
 * using the `region-info` module.
 */
class ServicePrincipalToken {
    /**
     * @param service the service principal name to translate
     * @param opts options; `opts.region` selects an explicit region
     */
    constructor(service, opts) {
        this.service = service;
        this.opts = opts;
        this.creationStack = cdk.captureStackTrace();
    }
    /**
     * @param ctx resolution context; its `scope` is used to find the Stack
     * when no explicit region was given
     * @returns the service principal name
     */
    resolve(ctx) {
        const explicitRegion = this.opts.region;
        if (!explicitRegion) {
            // No region requested: use the stack's regional fact, falling back
            // to the default name computed for the stack's region.
            const stack = cdk.Stack.of(ctx.scope);
            const factName = region_info_1.FactName.servicePrincipal(this.service);
            const fallback = region_info_1.Default.servicePrincipal(this.service, stack.region, cdk.Aws.URL_SUFFIX);
            return stack.regionalFact(factName, fallback);
        }
        // Special case, handled separately to not break legacy behavior.
        return region_info_1.RegionInfo.get(this.opts.region).servicePrincipal(this.service) ??
            region_info_1.Default.servicePrincipal(this.service, this.opts.region, cdk.Aws.URL_SUFFIX);
    }
    toString() {
        const options = { displayHint: this.service };
        return cdk.Token.asString(this, options);
    }
    /**
     * Value used by JSON.stringify() for this token: the service name in
     * angle brackets.
     */
    toJSON() {
        const label = `<${this.service}>`;
        return label;
    }
}
//# sourceMappingURL=data:application/json;base64,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