
@cloud-copilot/iam-simulate

"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.allowedContextKeysForRequest = allowedContextKeysForRequest; const iam_data_1 = require("@cloud-copilot/iam-data"); const util_js_1 = require("../util.js"); /** * Get the allowed context keys for a request. * * @param service The service the action belongs to * @param action The action to get the allowed context keys for * @param resource The resource the action is being performed on * @param bucketAbacEnabled Whether ABAC is enabled on the S3 bucket (only applies to S3) * @returns The allowed context keys for the request as lower case strings * @throws error if the service or action does not exist */ async function allowedContextKeysForRequest(service, action, resource, bucketAbacEnabled) { const actionDetails = await (0, iam_data_1.iamActionDetails)(service, action); const actionConditionKeys = (0, util_js_1.lowerCaseAll)(actionDetails.conditionKeys); const isWildCardOnly = await (0, util_js_1.isWildcardOnlyAction)(service, action); if (isWildCardOnly) { return [...actionConditionKeys, ...lowerCaseGlobalConditionKeys()]; } const resourceTypes = await (0, util_js_1.getResourceTypesForAction)(service, action, resource); if (resourceTypes.length === 0) { throw new Error(`No resource types found for action ${action} on service ${service}`); } else if (resourceTypes.length > 1) { throw new Error(`Multiple resource types found for action ${action} on service ${service}`); } const resourceTypeConditions = actionDetails.resourceTypes.find((rt) => rt.name === resourceTypes[0].key).conditionKeys; const allKeys = [ ...(0, util_js_1.lowerCaseAll)(resourceTypeConditions), ...actionConditionKeys, ...lowerCaseGlobalConditionKeys() ]; if (!(0, util_js_1.isS3BucketOrObjectArn)(resource) || bucketAbacEnabled) { return allKeys; } // Filter out S3 ABAC keys if bucket ABAC is not enabled return allKeys.filter((key) => !key.startsWith('aws:resourcetag/') && !key.startsWith('s3:buckettag/')); } let 
lowerCaseConditionKeys; function lowerCaseGlobalConditionKeys() { if (!lowerCaseConditionKeys) { lowerCaseConditionKeys = (0, iam_data_1.getAllGlobalConditionKeys)().map((k) => k.toLowerCase()); } return lowerCaseConditionKeys; } //# sourceMappingURL=contextKeys.js.map