import { Policy } from '@cloud-copilot/iam-policy';
import { StrictContextKeys } from '../context_keys/strictContextKeys.js';
import { IdentityAnalysis, RcpAnalysis, RequestAnalysis, ResourceAnalysis, ScpAnalysis } from '../evaluate.js';
import { AwsRequest } from '../request/request.js';
import { ServiceAuthorizer } from '../services/ServiceAuthorizer.js';
/**
 * The simulation modes the engine accepts, as a readonly tuple. `SimulationMode`
 * is derived from this value, so it is the single place to validate a
 * user-supplied mode string before passing it into the engine.
 */
export declare const validSimulationModes: readonly ["Strict", "Discovery"];
/**
 * A policy document that carries a human-readable `name` alongside its
 * statements — presumably so analysis results can be attributed back to the
 * specific policy that produced an Allow or Deny (verify against the analysis types).
 */
export type PolicyWithName = Policy<{
    name: string;
}>;
/**
 * The mode of simulation for the core engine.
 * - Strict: Simulates the request as if it were being made in a real AWS environment.
 * - Discovery: Simulates the request but discovers under what conditions it would be allowed.
 *
 * NOTE(review): in Discovery mode only the condition keys listed in
 * `SimulationParameters.strictConditionKeys` are evaluated strictly, so a
 * Discovery-mode Allow may rest on condition keys that were never checked against
 * a concrete request context. Treat Discovery output as a "what would need to be
 * true" report, not as evidence that the real request would succeed; use Strict
 * mode when the result feeds an actual access decision or audit finding.
 */
export type SimulationMode = (typeof validSimulationModes)[number];
/**
 * Meta parameters for the simulation engine. These control how the engine
 * evaluates the request, not what the request is.
 */
export interface SimulationParameters {
    /**
     * The simulation mode to use for the request. See `SimulationMode` for the
     * difference between Strict and Discovery evaluation.
     */
    simulationMode: SimulationMode;
    /**
     * Condition keys that should be evaluated strictly in the simulation. Used only in Discovery mode.
     * In Strict mode, all condition keys are evaluated strictly.
     *
     * Any key not listed here is not evaluated strictly in Discovery mode, so the
     * smaller this set, the more permissive the Discovery result may be. Callers
     * that care about a specific guard (e.g. a source-VPC, MFA or organization
     * condition) should list it here rather than rely on the relaxed evaluation.
     */
    strictConditionKeys: StrictContextKeys;
}
/**
 * A set of service or resource control policies for each level of an organization tree.
 * One instance represents a single level (root, OU or account); the full hierarchy
 * is passed as an ordered array of these.
 */
export interface ControlPolicies {
    /**
     * The organization identifier for the organizational unit these policies apply to.
     * Presumably the root, OU or account ID the policies are attached to — confirm
     * the expected format with the caller that builds this structure.
     */
    orgIdentifier: string;
    /**
     * The policies that apply to this organizational unit. All policies at one level
     * are grouped here; ordering within the level is not stated to be significant.
     */
    policies: PolicyWithName[];
}
/**
 * A request to authorize a service action, together with every policy type that
 * can influence the outcome.
 *
 * The engine does not validate this structure (see `authorize`): every policy is
 * assumed to be syntactically valid and the request fully populated. Omitting a
 * policy type that applies in the real environment (for example leaving
 * `serviceControlPolicies` empty for a principal that is in an organization)
 * yields a result that is more permissive than reality, so the caller is
 * responsible for gathering the complete set before simulating.
 */
export interface AuthorizationRequest {
    /**
     * The request to authorize.
     */
    request: AwsRequest;
    /**
     * A session policy, if any, for the current Role or Federated User session.
     * `undefined` means no session policy is in effect for the simulated session.
     */
    sessionPolicy: PolicyWithName | undefined;
    /**
     * The identity policies that are applicable to the principal making the request.
     * This should include every policy attached to the principal, directly or via
     * group membership, since any one of them can contribute an Allow.
     */
    identityPolicies: PolicyWithName[];
    /**
     * The service control policies that apply to the principal making the request. In
     * order of the organization hierarchy. So the root ou SCPs should be first.
     */
    serviceControlPolicies: ControlPolicies[];
    /**
     * The resource control policies that apply to the resource being accessed. In
     * order of the organization hierarchy. So the root ou RCPs should be first.
     */
    resourceControlPolicies: ControlPolicies[];
    /**
     * The resource policy that applies to the resource being accessed.
     * `undefined` means the resource has no resource-based policy.
     */
    resourcePolicy: PolicyWithName | undefined;
    /**
     * The permission boundaries that apply to the principal making the request.
     * NOTE(review): whether `undefined` and `[]` are treated differently (no
     * boundary vs. an empty boundary set) is not visible from this declaration —
     * confirm against `analyzePermissionBoundaryPolicies` before passing `[]`.
     */
    permissionBoundaries: PolicyWithName[] | undefined;
    /**
     * The VPC endpoint policies that apply to the request, if any. `undefined`
     * presumably means the request does not traverse a VPC endpoint.
     */
    vpcEndpointPolicies: PolicyWithName[] | undefined;
    /**
     * The simulation parameters for the request.
     */
    simulationParameters: SimulationParameters;
}
/**
 * Authorizes a request.
 *
 * This assumes all policies have been validated and the request is fully complete and valid.
 *
 * Because no validation happens here, this function is not a safe entry point
 * for untrusted or unchecked input: a malformed policy or a partially built
 * request is not rejected, and the resulting analysis may be wrong in either
 * direction. Validate policies with the policy library and assemble the full
 * `AuthorizationRequest` before calling.
 *
 * @param request the request to authorize
 * @returns the result of the authorization, including per-policy-type analysis
 */
export declare function authorize(request: AuthorizationRequest): RequestAnalysis;
/**
 * Get the appropriate service authorizer for the request. Some services have specific authorization logic in
 * them. If there is no service specific authorizer, a default one will be used.
 *
 * The default authorizer's behaviour for services without a specific implementation
 * is not described here — callers relying on service-specific quirks (for example
 * services whose resource policies are evaluated differently) should check that a
 * dedicated authorizer exists rather than assume the default models them.
 *
 * @param request the request to get the authorizer for
 * @returns the service authorizer for the request
 */
export declare function getServiceAuthorizer(request: AuthorizationRequest): ServiceAuthorizer;
/**
 * Analyzes a set of identity policies against a request.
 *
 * @param identityPolicies the identity policies to analyze
 * @param request the request to analyze against
 * @param simulationParameters controls the simulation mode and which condition keys are evaluated strictly
 * @returns the identity analysis for the request
 */
export declare function analyzeIdentityPolicies(identityPolicies: PolicyWithName[], request: AwsRequest, simulationParameters: SimulationParameters): IdentityAnalysis;
/**
 * Analyzes a set of service or resource control policies and the statements within them.
 *
 * The same function serves both SCPs and RCPs; which of the two result types is
 * returned is not determined by this signature — presumably by how the caller
 * uses it or by the policies' content. Confirm before narrowing the result.
 *
 * @param controlPolicies the control policies to analyze, ordered from the organization root downward
 * @param request the request to analyze against
 * @param simulationParameters controls the simulation mode and which condition keys are evaluated strictly
 * @returns the SCP or RCP analysis for the request
 */
export declare function analyzeControlPolicies(controlPolicies: ControlPolicies[], request: AwsRequest, simulationParameters: SimulationParameters): ScpAnalysis | RcpAnalysis;
/**
 * Analyze a resource policy and return the results.
 *
 * @param resourcePolicy the resource policy to analyze, or `undefined` if the resource has none
 * @param request the request to analyze against
 * @param principalHasPermissionBoundary whether the requesting principal has a permission
 *   boundary attached. NOTE(review): how this flag changes the resource-policy
 *   evaluation is not visible here; it is presumably needed because a resource
 *   policy's ability to grant access on its own interacts with permission
 *   boundaries — confirm against the implementation before passing a guessed value.
 * @param simulationParameters controls the simulation mode and which condition keys are evaluated strictly
 * @returns the resource policy analysis for the request
 */
export declare function analyzeResourcePolicy(resourcePolicy: PolicyWithName | undefined, request: AwsRequest, principalHasPermissionBoundary: boolean, simulationParameters: SimulationParameters): ResourceAnalysis;
/**
 * Analyzes the permission boundary policies that apply to the principal.
 *
 * @param permissionBoundaries the boundary policies, or `undefined` if the principal has none
 * @param request the request to analyze against
 * @param simulationParameters controls the simulation mode and which condition keys are evaluated strictly
 * @returns the boundary analysis, or `undefined` — presumably when no boundary applies; confirm whether an empty array is treated the same way
 */
export declare function analyzePermissionBoundaryPolicies(permissionBoundaries: PolicyWithName[] | undefined, request: AwsRequest, simulationParameters: SimulationParameters): IdentityAnalysis | undefined;
/**
 * Analyzes the VPC endpoint policies that apply to the request.
 *
 * @param vpcEndPointPolicies the endpoint policies, or `undefined` if the request does not go through a VPC endpoint
 * @param request the request to analyze against
 * @param simulationParameters controls the simulation mode and which condition keys are evaluated strictly
 * @returns the endpoint policy analysis, or `undefined` — presumably when no endpoint policy applies; confirm whether an empty array is treated the same way
 */
export declare function analyzeVpcEndpointPolicies(vpcEndPointPolicies: PolicyWithName[] | undefined, request: AwsRequest, simulationParameters: SimulationParameters): IdentityAnalysis | undefined;
//# sourceMappingURL=CoreSimulatorEngine.d.ts.map