@cloud-copilot/iam-lens

Visibility in IAM in and across AWS accounts

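export type PermissionEffect = 'Allow' | 'Deny';

/**
 * An IAM condition block: condition operator (e.g. `StringEquals`, possibly
 * carrying a `ForAllValues:`/`ForAnyValue:` prefix or `IfExists` suffix) →
 * context key → list of values for that key.
 */
export type PermissionConditions = Record<string, Record<string, string[]>>;

/**
 * An immutable representation of a single permission for a specific action.
 *
 * This will eventually have methods like "merge with another permission",
 * "check if overlaps with another permission", "subtract a deny permission",
 * etc and those will all return a new Permission instance.
 */
export declare class Permission {
  readonly effect: PermissionEffect;
  readonly service: string;
  readonly action: string;
  // NOTE(review): presumably at most one of `resource` / `notResource` is set
  // for a given permission, mirroring an IAM statement — confirm in the implementation.
  readonly resource: string[] | undefined;
  readonly notResource: string[] | undefined;
  /** Condition block the permission is limited by; `undefined` means unconditional. */
  readonly conditions: PermissionConditions | undefined;
  constructor(
    effect: PermissionEffect,
    service: string,
    action: string,
    resource: string[] | undefined,
    notResource: string[] | undefined,
    conditions: PermissionConditions | undefined
  );
  /**
   * Returns true if this Permission completely includes the other Permission.
   * Only defined for two "Allow" permissions with the same service and action.
   *
   * @param other The Permission to test for containment.
   * @returns true when everything `other` allows is also allowed by this Permission.
   */
  includes(other: Permission): boolean;
  /**
   * Returns the union of this Permission with another.
   * If one includes the other, returns the including Permission.
   * Otherwise, attempts to merge conditions and resource/notResource.
   * If the merge yields a single Permission, returns it; otherwise returns both.
   *
   * @param other The Permission to union with.
   * @returns One Permission when the union can be expressed as a single statement, else both inputs.
   */
  union(other: Permission): Permission[];
  /**
   * Returns the intersection of this Permission with another.
   * Yields at most one Permission: the overlap of the two, or `undefined`
   * when they do not overlap.
   *
   * @param other The other Permission to intersect with.
   * @returns A new Permission representing the intersection of other and this, or undefined if there is no intersection.
   */
  intersection(other: Permission): Permission | undefined;
  /**
   * Subtract a Deny permission from this Allow permission.
   *
   * Returns the resulting permissions, which can be:
   * - An empty array if the Allow is fully denied by the Deny
   * - A modified Allow permission or multiple Allow permissions
   * - The original Allow and Deny permission, if the subtraction cannot be
   *   expressed purely in Allow statements
   *
   * Callers must keep any Deny returned in the last case: dropping it would
   * over-state the effective access.
   *
   * @param other the Deny permission to subtract
   * @returns the Allow permissions (and possibly the Deny) that remain after subtraction
   */
  subtract(other: Permission): Permission[];
}

/**
 * Attempt to union two sets of permission conditions.
 *
 * If the conditions can be merged into a single block that allows all cases allowed by either,
 * returns the merged conditions. If they cannot be merged cleanly (e.g., differing operators
 * or incompatible numeric boundaries), returns null.
 *
 * @param a First set of conditions
 * @param b Second set of conditions
 * @returns Merged conditions or null if they cannot be merged
 */
export declare function unionConditions(a: PermissionConditions, b: PermissionConditions): PermissionConditions | null;

/**
 * Intersect two sets of permission conditions.
 *
 * Attempt to find the intersection of two sets of IAM condition clauses. This will
 * combine condition operators and context keys, retaining only values that satisfy
 * both sets of conditions. If the intersection is empty or cannot be expressed
 * cleanly, returns null.
 *
 * @param a First set of conditions
 * @param b Second set of conditions
 * @returns Intersected conditions or null if intersection is empty or cannot be expressed
 */
export declare function intersectConditions(a: PermissionConditions, b: PermissionConditions): PermissionConditions | null;

/**
 * Returns a new PermissionConditions object with all operator and context keys lowercased.
 * Only the keys are normalized; condition values are expected to be left as given
 * (value case can be significant for some operators) — confirm in the implementation.
 *
 * @param conds the condition clauses to normalize
 * @returns a new condition block with lowercased operator and context keys
 */
export declare function normalizeConditionKeys(conds: PermissionConditions): PermissionConditions;

/**
 * Invert a set of IAM condition clauses for Deny → allow inversion.
 * Preserves ForAllValues:/ForAnyValue: prefixes and IfExists suffixes.
 *
 * @param conds the condition clauses to invert
 * @returns a new set of inverted conditions
 */
export declare function invertConditions(conds: PermissionConditions): PermissionConditions;

/**
 * Apply Deny conditions to an Allow permission.
 *
 * A Deny permission with conditions (whether multiple operators or multiple keys under one
 * operator) acts as an AND, meaning the Allow needs to escape ANY one of them (OR when inverted).
 * Each condition key-value pair is inverted and creates a separate Allow permission.
 *
 * It is possible for any given condition to fully deny the Allow, in which case
 * that condition will produce no resulting Allow permission. The result is an array
 * of Allow permissions that apply after each Deny condition is applied.
 *
 * This may result in multiple Allow permissions or an empty array if all are denied.
 *
 * @param allow the Allow permission
 * @param deny the Deny permission
 * @returns an array of resulting Allow permissions after applying Deny conditions
 */
export declare function applyDenyConditionsToAllow(allow: Permission, deny: Permission): Permission[];
//# sourceMappingURL=permission.d.ts.map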