@cloud-copilot/iam-lens
Visibility in IAM in and across AWS accounts
import { getDenialReasons } from '@cloud-copilot/iam-simulate';

/**
 * Project an optional per-layer analysis down to just its `result` field.
 *
 * @param layerAnalysis - An identity/resource/SCP/RCP/permission-boundary analysis, or undefined
 * @returns `{ result }` when the layer analysis is present, otherwise undefined
 */
function lightResult(layerAnalysis) {
  if (!layerAnalysis) {
    return undefined;
  }
  return { result: layerAnalysis.result };
}

/**
 * Convert a RequestAnalysis to a LightResourceAnalysis.
 *
 * Only the verdict of each policy layer is kept; everything below the
 * `result` field of each layer is dropped. `blockedBy` is copied into a
 * fresh Set so the light analysis never aliases the original collection.
 *
 * @param analysis - The full RequestAnalysis to convert
 * @returns A LightResourceAnalysis with only the essential result fields
 */
function toLightResourceAnalysis(analysis) {
  const { result, sameAccount, blockedBy } = analysis;
  return {
    result,
    sameAccount,
    identityAnalysis: lightResult(analysis.identityAnalysis),
    resourceAnalysis: lightResult(analysis.resourceAnalysis),
    scpAnalysis: lightResult(analysis.scpAnalysis),
    rcpAnalysis: lightResult(analysis.rcpAnalysis),
    permissionBoundaryAnalysis: lightResult(analysis.permissionBoundaryAnalysis),
    blockedBy: new Set(blockedBy),
  };
}

/**
 * Convert a denied execution result's full RequestAnalysis to a LightRequestAnalysis.
 *
 * A `denied_single` result becomes `{ type: 'single', ... }`; any other type is
 * treated as the wildcard case and every entry of `deniedPatterns` is converted.
 *
 * @param executionResult - The denied execution result containing the RequestAnalysis to convert
 * @returns A LightRequestAnalysis with only the essential fields
 */
export function toLightRequestAnalysis(executionResult) {
  if (executionResult.type === 'denied_single') {
    const { analysis } = executionResult;
    return {
      type: 'single',
      overallResult: analysis.result,
      ...toLightResourceAnalysis(analysis),
    };
  }

  // Wildcard case: one light analysis per denied resource pattern
  const patterns = [];
  for (const { pattern, resourceType, analysis } of executionResult.deniedPatterns) {
    patterns.push({ pattern, resourceType, ...toLightResourceAnalysis(analysis) });
  }
  return { type: 'wildcard', overallResult: executionResult.overallResult, patterns };
}

/**
 * Gets the denial reasons for a denied SimulationResult.
 *
 * The work item's action string is split on ':'; the first segment is reported
 * as `service` and the second as `action`. `getDenialReasons` (iam-simulate)
 * is applied to each denied analysis — the shape of `details` is defined there.
 *
 * @param executionResult - The denied execution result containing the RequestAnalysis with denial reasons
 * @returns A WhoCanDenyDetail object containing the denial reasons and other details to be returned to the user
 */
export function convertToDenialDetails(executionResult) {
  const { principal, action } = executionResult.workItem;
  const [service, actionName] = action.split(':');
  const identity = { principal, service, action: actionName };

  if (executionResult.type === 'denied_single') {
    return { type: 'single', ...identity, details: getDenialReasons(executionResult.analysis) };
  }

  // Wildcard case
  const deniedResources = executionResult.deniedPatterns.map(({ pattern, resourceType, analysis }) => ({
    pattern,
    resourceType,
    details: getDenialReasons(analysis),
  }));
  return { type: 'wildcard', ...identity, deniedResources };
}
//# sourceMappingURL=requestAnalysis.js.map