
@cloud-copilot/iam-lens


Visibility in IAM in and across AWS accounts

/** Effect carried by a Permission: either 'Allow' or 'Deny'. */
export type PermissionEffect = 'Allow' | 'Deny';

/**
 * Condition clauses attached to a permission: a two-level string-keyed map
 * whose leaves are lists of string values.
 *
 * NOTE(review): presumably operator -> context key -> values, as in an IAM
 * policy Condition block; this declaration does not show which level is which.
 */
export type PermissionConditions = Record<string, Record<string, string[]>>;

/**
 * An immutable representation of a single permission for a specific action.
 *
 * Every field is readonly. The set-style operations declared below
 * (includes, union, intersection, subtract) take another Permission and
 * return a result; per the original note they are meant to return new
 * Permission instances rather than modify this one.
 *
 * NOTE(review): this is a declaration only. Any validation done by the
 * constructor or the methods is not visible here.
 */
export declare class Permission {
  /** Whether this permission allows or denies the action. */
  readonly effect: PermissionEffect;
  /** Service the action belongs to. */
  readonly service: string;
  /** The single action this permission covers. */
  readonly action: string;
  /** Resource patterns the permission applies to, or undefined when not set. */
  readonly resource: string[] | undefined;
  /**
   * Resource patterns the permission excludes, or undefined when not set.
   *
   * NOTE(review): the types allow resource and notResource to both be set or
   * both be undefined. IAM statements treat Resource and NotResource as
   * mutually exclusive; confirm whether the constructor enforces that.
   */
  readonly notResource: string[] | undefined;
  /** Condition clauses, in the same shape as PermissionConditions, or undefined when there are none. */
  readonly conditions: Record<string, Record<string, string[]>> | undefined;

  /**
   * Creates a Permission from its six fields, in the order they are declared above.
   */
  constructor(effect: PermissionEffect, service: string, action: string, resource: string[] | undefined, notResource: string[] | undefined, conditions: Record<string, Record<string, string[]>> | undefined);

  /**
   * Returns true if this Permission completely includes the other Permission.
   *
   * The original note restricts this to "Allow" permissions with the same
   * effect, service and action.
   *
   * NOTE(review): what is returned for a Deny permission or a mismatched
   * service/action is not visible here. A caller that treats `true` as
   * "the other grant is redundant" should confirm that behaviour first.
   *
   * @param other the permission to test for containment
   * @returns true when this permission covers everything `other` covers
   */
  includes(other: Permission): boolean;

  /**
   * Returns the union of this Permission with another.
   *
   * If one includes the other, the including Permission is returned.
   * Otherwise an attempt is made to merge conditions and resource/notResource.
   * If the merge yields a single Permission it is returned; else both are.
   *
   * @param other the permission to combine with this one
   * @returns one or two permissions that together represent the union
   */
  union(other: Permission): Permission[];

  /**
   * Returns the intersection of this Permission with another.
   *
   * The result is at most one Permission: the overlap when there is one,
   * or undefined when the two do not overlap.
   *
   * @param other the permission to intersect with this one
   * @returns the overlapping Permission, or undefined if there is no overlap
   */
  intersection(other: Permission): Permission | undefined;

  /**
   * Subtract a Deny permission from this Allow permission.
   *
   * NOTE(review): the signature does not enforce that `this` is an Allow and
   * `other` is a Deny. When this result feeds an effective-access decision,
   * confirm how mismatched effects are handled, because a Deny that is not
   * fully subtracted would overstate the access that remains.
   *
   * @param other the Deny permission to remove from this Allow
   * @returns the resulting Allow permissions (may be empty if fully denied)
   */
  subtract(other: Permission): Permission[];
}

/**
 * Returns a new PermissionConditions object with all operator and context keys lowercased.
 *
 * NOTE(review): only keys are described as lowercased; condition values are
 * presumably left as given. That matters because value comparison in IAM can
 * be case-sensitive depending on the operator. Confirm against the implementation.
 *
 * @param conds the condition clauses to normalize
 * @returns a new object; per the description above the input is not modified
 */
export declare function normalizeConditionKeys(conds: PermissionConditions): PermissionConditions;

/**
 * Invert a set of IAM condition clauses for Deny → allow inversion.
 * Preserves ForAllValues:/ForAnyValue: prefixes and IfExists suffixes.
 *
 * NOTE(review): because the set prefixes and IfExists suffixes are kept, check
 * that the inverted clauses are the intended complement for multi-valued
 * context keys and for requests where the context key is absent. An inexact
 * inversion would make the derived Allow broader or narrower than the
 * original Deny implies.
 *
 * @param conds the condition clauses to invert
 * @returns a new set of inverted conditions
 */
export declare function invertConditions(conds: Record<string, Record<string, string[]>>): Record<string, Record<string, string[]>>;
//# sourceMappingURL=permission.d.ts.map