@cloud-copilot/iam-simulate
Simulate evaluation of AWS IAM policies
/**
 * Decides whether an analyzed identity-policy statement grants the request.
 *
 * The result is true only when the resource matched, the action matched,
 * the condition result is exactly 'Match', and the statement's effect is
 * 'Allow'. Any other conditionMatch value yields false, so a statement is
 * never counted as an allow unless its conditions are a definite match.
 *
 * @param statement The statement analysis to check.
 * @returns true when the statement is an Allow that fully matches the request, false otherwise.
 */
export function identityStatementAllows(statement) {
  // Resource and action must both match before anything else is considered.
  if (!statement.resourceMatch || !statement.actionMatch) {
    return false;
  }
  // Only a definite condition match counts towards an allow.
  if (statement.conditionMatch !== 'Match') {
    return false;
  }
  // The effect is read last, and only once the statement is known to apply.
  return statement.statement.effect() === 'Allow';
}
// export function identityStatementUknownAllow(statement: StatementAnalysis): boolean {
// if(statement.resourceMatch &&
// statement.actionMatch &&
// statement.conditionMatch === 'Unknown' &&
// statement.statement.effect() === 'Allow') {
// return true;
// }
// return false
// }
// export function identityStatementUknownDeny(statement: StatementAnalysis): boolean {
// if(statement.resourceMatch &&
// statement.actionMatch &&
// statement.conditionMatch === 'Unknown' &&
// statement.statement.effect() === 'Deny') {
// return true;
// }
// return false
// }
/**
 * Decides whether an analyzed identity-policy statement explicitly denies the request.
 *
 * The result is true only when the resource matched, the action matched,
 * the condition result is exactly 'Match', and the statement's effect is 'Deny'.
 *
 * NOTE(review): a Deny statement whose conditionMatch is anything other than
 * 'Match' is not reported here. If such results can occur, callers that
 * compute a final decision need to account for those statements separately;
 * confirm against the callers.
 *
 * @param statement The statement analysis to check.
 * @returns true when the statement is a Deny that fully matches the request, false otherwise.
 */
export function identityStatementExplicitDeny(statement) {
  const appliesToRequest =
    statement.resourceMatch &&
    statement.actionMatch &&
    statement.conditionMatch === 'Match';
  // The effect is only read for statements that apply to the request.
  return appliesToRequest ? statement.statement.effect() === 'Deny' : false;
}
/**
 * Checks whether a statement analysis matches the request on every dimension:
 * resource, action, condition and principal.
 *
 * The statement's effect is not consulted. The principal counts as matching
 * for any of 'Match', 'AccountLevelMatch', 'SessionRoleMatch' or
 * 'SessionUserMatch'; the condition result must be exactly 'Match'.
 *
 * When resourceMatch or actionMatch is falsy, that value is returned as-is
 * rather than being coerced to false.
 *
 * @param analysis the analysis of the statement
 * @returns a truthy value when the statement matches the request, a falsy value otherwise
 */
export function statementMatches(analysis) {
  const acceptedPrincipalMatches = [
    'Match',
    'AccountLevelMatch',
    'SessionRoleMatch',
    'SessionUserMatch',
  ];
  const scopeMatches = analysis.resourceMatch && analysis.actionMatch;
  return (
    scopeMatches &&
    analysis.conditionMatch === 'Match' &&
    acceptedPrincipalMatches.includes(analysis.principalMatch)
  );
}
/**
 * Tells whether the ignored conditions of a statement are decisive and
 * therefore should be reported.
 *
 * The check passes when the resource, action and principal all match; the
 * condition result is deliberately left out of the test. The principal counts
 * as matching for any of 'Match', 'AccountLevelMatch', 'SessionRoleMatch' or
 * 'SessionUserMatch'.
 *
 * When resourceMatch or actionMatch is falsy, that value is returned as-is
 * rather than being coerced to false.
 *
 * @param analysis the analysis of the statement
 * @returns a truthy value if the ignored conditions are decisive, a falsy value otherwise
 */
export function reportIgnoredConditions(analysis) {
  const scopeMatches = analysis.resourceMatch && analysis.actionMatch;
  if (!scopeMatches) {
    // Hand back the falsy operand itself, exactly as a plain && chain would.
    return scopeMatches;
  }
  return ['Match', 'AccountLevelMatch', 'SessionRoleMatch', 'SessionUserMatch'].includes(
    analysis.principalMatch,
  );
}
//# sourceMappingURL=StatementAnalysis.js.map