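"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.IamServiceAuthorizer = void 0;
const util_js_1 = require("../util.js");
const DefaultServiceAuthorizer_js_1 = require("./DefaultServiceAuthorizer.js");

/**
 * IAM actions that are implicitly denied when the target resource is an AWS
 * managed policy (a `policy/...` resource whose ARN account segment is `aws`).
 * Entries are lower-cased; the incoming action is lower-cased before lookup,
 * so matching is case-insensitive. Actions not in this set fall through to
 * the base authorizer unchanged.
 */
const deniedActionsForManagedPolicies = new Set([
  'iam:createpolicy',
  'iam:createpolicyversion',
  'iam:deletepolicy',
  'iam:deletepolicyversion',
  'iam:setdefaultpolicyversion',
  'iam:tagpolicy',
  'iam:untagpolicy',
]);

/**
 * IAM actions that are implicitly denied when the target resource is an AWS
 * managed role (a resource path under `role/aws-reserved/`). Same matching
 * rules as `deniedActionsForManagedPolicies`.
 */
const deniedActionsForAwsManagedRoles = new Set([
  'iam:attachrolepolicy',
  'iam:createrole',
  'iam:createservicelinkedrole',
  'iam:deleterole',
  'iam:deleterolepermissionsboundary',
  'iam:deleterolepolicy',
  'iam:deleteservicelinkedrole',
  'iam:detachrolepolicy',
  'iam:passrole',
  'iam:putrolepermissionsboundary',
  'iam:putrolepolicy',
  'iam:tagrole',
  'iam:untagrole',
  'iam:updateassumerolepolicy',
  'iam:updaterole',
  'iam:updateroledescription',
]);

/**
 * Service authorizer for IAM service requests.
 *
 * Layers IAM-specific restrictions on top of `DefaultServiceAuthorizer`:
 * after the base evaluation, requests whose action/resource pair targets an
 * AWS managed policy or an AWS managed role are overridden to
 * `'ImplicitlyDenied'`. All other requests return the base result untouched.
 */
class IamServiceAuthorizer extends DefaultServiceAuthorizer_js_1.DefaultServiceAuthorizer {
  /**
   * Authorize an IAM request.
   *
   * @param request - the request under evaluation; `request.request.action`
   *   and `request.request.resource` are read through their `value()`
   *   accessors, and the resource value is expected to be an ARN that
   *   `splitArnParts` can decompose.
   * @returns the base authorization result, with `result` replaced by
   *   `'ImplicitlyDenied'` when the request targets an AWS managed policy
   *   or AWS managed role with one of the denied actions.
   */
  authorize(request) {
    const baseResult = super.authorize(request);
    // Normalize once; both deny sets are keyed on lower-cased action names.
    const action = request.request.action.value().toLowerCase();
    const resourceParts = (0, util_js_1.splitArnParts)(request.request.resource.value());
    // Resource segment may be absent for malformed ARNs; keep it optional.
    const resourcePath = resourceParts.resource?.toLowerCase();

    // AWS managed policies are identified by the `aws` account segment of the
    // ARN combined with a `policy/` resource path; mutations against them are
    // implicitly denied regardless of what the base evaluation concluded.
    // Strict equality: a missing accountId must never match.
    if (
      deniedActionsForManagedPolicies.has(action) &&
      resourcePath?.startsWith('policy/') &&
      resourceParts.accountId === 'aws'
    ) {
      return { ...baseResult, result: 'ImplicitlyDenied' };
    }

    // AWS managed roles are identified by the `role/aws-reserved/` path prefix;
    // the account segment is not consulted for this check.
    if (
      deniedActionsForAwsManagedRoles.has(action) &&
      resourcePath?.startsWith('role/aws-reserved/')
    ) {
      return { ...baseResult, result: 'ImplicitlyDenied' };
    }

    return baseResult;
  }
}
exports.IamServiceAuthorizer = IamServiceAuthorizer;
//# sourceMappingURL=IamServiceAuthorizer.js.map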