"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.canWhat = canWhat;
const { loadPolicy } = require("@cloud-copilot/iam-policy");
const { shrinkJsonDocument } = require("@cloud-copilot/iam-shrink");
const { getAllPoliciesForPrincipal } = require("../principals.js");
const {
  buildPermissionSetFromPolicies,
  addPoliciesToPermissionSet,
  toPolicyStatements,
} = require("./permissionSet.js");

/**
 * Compute the effective permissions of a principal as an IAM policy document.
 *
 * The document is derived from the policies collected for the principal:
 *   allow = identity Allow statements
 *         ∩ permission-boundary Allow statements (only when a boundary is attached)
 *         ∩ Allow statements of every SCP level
 *         ∩ Allow statements of every RCP level
 *   minus every Deny found in identity policies, SCPs and RCPs.
 * Allow statements come first in the output, followed by the Deny statements
 * that were carved out, so a reader can see what was removed.
 *
 * NOTE(review): nothing in this function reads resource-based policies,
 * session policies or statement conditions. Whether the returned document is
 * an upper bound or an exact answer depends on what
 * buildPermissionSetFromPolicies does with conditions — confirm before relying
 * on it for an access decision.
 *
 * @param collectClient - client handed to getAllPoliciesForPrincipal to fetch policies
 * @param {object} input - input.principal is required; input.shrinkActionLists
 *   (truthy) runs iam-shrink over the finished document
 * @returns {Promise<{ Version: string, Statement: object[] }>} policy document
 * @throws {Error} when input.principal is missing
 */
async function canWhat(collectClient, input) {
  const { principal } = input;
  if (!principal) {
    throw new Error('Principal must be provided for can-what command');
  }

  const collected = await getAllPoliciesForPrincipal(collectClient, principal);
  const groups = collected.groupPolicies;

  // Group policies are ordered managed-then-inline across all groups, mirroring
  // the order used for the principal's own policies above them.
  const identityPolicies = [
    ...collected.managedPolicies,
    ...collected.inlinePolicies,
    ...(groups?.flatMap((group) => group.managedPolicies) ?? []),
    ...(groups?.flatMap((group) => group.inlinePolicies) ?? []),
  ].map((entry) => loadPolicy(entry.policy));

  const identityAllows = await buildPermissionSetFromPolicies('Allow', identityPolicies);
  // Starts as the identity-level denies; SCP denies are folded in below (mutated in place).
  const identityDenies = await buildPermissionSetFromPolicies('Deny', identityPolicies);

  let effective = identityAllows;
  const { permissionBoundary } = collected;
  if (permissionBoundary) {
    const boundaryAllows = await buildPermissionSetFromPolicies('Allow', [
      loadPolicy(permissionBoundary.policy),
    ]);
    effective = identityAllows.intersection(boundaryAllows);
  }

  // One Allow set per SCP level: an action survives only if every level allows it.
  const scpAllowsByLevel = [];
  for (const level of collected.scps) {
    const scpPolicies = level.policies.map((scp) => loadPolicy(scp.policy));
    scpAllowsByLevel.push(await buildPermissionSetFromPolicies('Allow', scpPolicies));
    await addPoliciesToPermissionSet(identityDenies, 'Deny', scpPolicies);
  }

  // RCP denies go onto a clone, so identityDenies itself holds identity + SCP denies only.
  const accountDenies = identityDenies.clone();
  const rcpAllowsByLevel = [];
  for (const level of collected.rcps) {
    const rcpPolicies = level.policies.map((rcp) => loadPolicy(rcp.policy));
    rcpAllowsByLevel.push(await buildPermissionSetFromPolicies('Allow', rcpPolicies));
    await addPoliciesToPermissionSet(accountDenies, 'Deny', rcpPolicies);
  }

  // Intersect with every SCP level first, then every RCP level.
  effective = [...scpAllowsByLevel, ...rcpAllowsByLevel].reduce(
    (acc, levelAllows) => acc.intersection(levelAllows),
    effective,
  );

  const { allow, deny } = effective.subtract(accountDenies);
  const policyDocument = {
    Version: '2012-10-17',
    Statement: [...toPolicyStatements(allow), ...toPolicyStatements(deny)],
  };

  if (input.shrinkActionLists) {
    // The return value is ignored, so shrinkJsonDocument is relied on to edit
    // policyDocument in place — TODO confirm against iam-shrink's contract.
    await shrinkJsonDocument({ iterations: 0 }, policyDocument);
  }
  return policyDocument;
}
//# sourceMappingURL=canWhat.js.map