Simulate evaluation of AWS IAM policies
// NOTE(review): the bare ";" below looks like the remnant of a "use strict" prologue
// lost during extraction — confirm against the built file.
;
// CommonJS prelude typical of TypeScript output: flag the module for ES-module
// interop and pre-declare the export so the binding exists before the class does.
Object.defineProperty(exports, "__esModule", { value: true });
exports.StsServiceAuthorizer = void 0;
// Base authorizer that the STS-specific one below extends.
const DefaultServiceAuthorizer_js_1 = require("./DefaultServiceAuthorizer.js");
/**
* The default authorizer for services.
*/
/**
 * Service authorizer for STS.
 *
 * `sts:GetCallerIdentity` is short-circuited to `Allowed` without consulting any
 * policy (AWS evaluates that action without permission checks); every other STS
 * action goes through the default service authorization flow. For account-level
 * trust, an STS resource policy (e.g. a role trust policy) must name the
 * principal's account explicitly, even when principal and resource share an account.
 */
class StsServiceAuthorizer extends DefaultServiceAuthorizer_js_1.DefaultServiceAuthorizer {
  /**
   * Authorize a request against STS.
   *
   * @param request - The authorization request; `request.request.action` holds the
   *   action under evaluation
   * @returns `{ result: 'Allowed', sameAccount: true }` for `sts:GetCallerIdentity`,
   *   otherwise whatever the default authorizer returns
   */
  authorize(request) {
    const actionName = request.request.action.value().toLowerCase();
    const isGetCallerIdentity = actionName === 'sts:getcalleridentity';
    if (!isGetCallerIdentity) {
      return super.authorize(request);
    }
    // Unconditionally allowed: no policy evaluation is performed for this action.
    return {
      result: 'Allowed',
      sameAccount: true
    };
  }

  /**
   * Determines whether STS trusts the principal account's IAM policies.
   *
   * @param sameAccount - If the principal and resource are in the same account
   * @param resourceAnalysis - The resource policy analysis
   * @param resource - The resource being accessed (not used by this override)
   * @returns true if the service trusts the principal's account IAM policies
   */
  serviceTrustsPrincipalAccount(sameAccount, resourceAnalysis, resource) {
    const noResourcePolicy = resourceAnalysis.result === 'NotApplicable';
    // With no resource policy in play, a same-account principal is trusted outright.
    if (noResourcePolicy && sameAccount) {
      return true;
    }
    // A resource policy (for instance a role trust policy) has to allow the
    // account itself; being in the same account is not sufficient on its own.
    const allowsPrincipalAccount = (statement) => statement.principalMatch === 'AccountLevelMatch';
    return resourceAnalysis.allowStatements.some(allowsPrincipalAccount);
  }
}
// Publish the class under the binding pre-declared in the module prelude.
exports.StsServiceAuthorizer = StsServiceAuthorizer;
//# sourceMappingURL=StsServiceAuthorizer.js.map