@cloud-copilot/iam-simulate

"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.runUnsafeSimulation = runUnsafeSimulation;
const iam_policy_1 = require("@cloud-copilot/iam-policy");
const strictContextKeys_js_1 = require("../context_keys/strictContextKeys.js");
const CoreSimulatorEngine_js_1 = require("../core_engine/CoreSimulatorEngine.js");
const request_js_1 = require("../request/request.js");
const requestContext_js_1 = require("../requestContext.js");
/**
 * Evaluates a simulation directly against the core authorization engine,
 * skipping input validation and context variable verification.
 *
 * Things a caller should know before relying on the result:
 * - Nothing in this function checks the shape or content of `simulation`.
 *   `identityPolicies` is passed to `Object.values`, and `.map` is called on
 *   `serviceControlPolicies` and `resourceControlPolicies` unguarded, so a
 *   missing value throws a TypeError. Only `permissionBoundaryPolicies` and
 *   `resourcePolicy` may be absent.
 * - `sessionPolicy` and `vpcEndpointPolicies` are always handed to the engine
 *   as `undefined`, so the returned decision does not account for either.
 * - The engine is always invoked with `simulationMode: 'Strict'` and a
 *   `StrictContextKeys` built from an empty list.
 * - Policy documents or request data that come from an untrusted source
 *   should be validated before they reach this function.
 *
 * @param simulation The simulation to run.
 * @param simulationOptions Options for the simulation. Not read by this function.
 * @returns The `result` field of the engine's analysis.
 */
function runUnsafeSimulation(simulation, simulationOptions) {
    // Turns one { policy, name } entry into a loaded policy that keeps its name.
    const loadNamedPolicy = (entry) => (0, iam_policy_1.loadPolicy)(entry.policy, { name: entry.name });
    // SCPs and RCPs share a shape: an org identifier plus a list of named policies.
    const loadOrgLevel = (level) => ({
        orgIdentifier: level.orgIdentifier,
        policies: level.policies.map(loadNamedPolicy)
    });
    const identityPolicies = Object.values(simulation.identityPolicies).map(loadNamedPolicy);
    const serviceControlPolicies = simulation.serviceControlPolicies.map(loadOrgLevel);
    const resourceControlPolicies = simulation.resourceControlPolicies.map(loadOrgLevel);
    // Permission boundaries are optional; a nullish input becomes undefined.
    const loadedBoundaries = simulation.permissionBoundaryPolicies?.map(loadNamedPolicy);
    const permissionBoundaries = loadedBoundaries == null ? undefined : loadedBoundaries;
    // Context variables are wrapped as supplied; this function does not check them.
    const requestContext = new requestContext_js_1.RequestContextImpl(simulation.request.contextVariables);
    const targetResource = {
        resource: simulation.request.resource.resource,
        accountId: simulation.request.resource.accountId
    };
    const request = new request_js_1.AwsRequestImpl(simulation.request.principal, targetResource, simulation.request.action, requestContext);
    const analysis = (0, CoreSimulatorEngine_js_1.authorize)({
        request,
        // Session policies are never forwarded by this entry point.
        sessionPolicy: undefined,
        identityPolicies,
        serviceControlPolicies,
        resourceControlPolicies,
        // The resource policy, when present, is loaded without a name.
        resourcePolicy: simulation.resourcePolicy
            ? (0, iam_policy_1.loadPolicy)(simulation.resourcePolicy)
            : undefined,
        permissionBoundaries,
        // VPC endpoint policies are never forwarded by this entry point.
        vpcEndpointPolicies: undefined,
        simulationParameters: {
            simulationMode: 'Strict',
            // NOTE(review): what an empty strict-key list means is decided by the engine, not visible here. Confirm.
            strictConditionKeys: new strictContextKeys_js_1.StrictContextKeys([])
        }
    });
    return analysis.result;
}
//# sourceMappingURL=unsafeSimulationEngine.js.map