
@cloud-copilot/iam-simulate

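"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.arnMatches = arnMatches;
const iam_utils_1 = require("@cloud-copilot/iam-utils");
const util_js_1 = require("../../util.js");

// The five components, in ARN order, that splitArnParts must yield after the
// literal "arn" prefix for an ARN to be usable here.
const ARN_PART_NAMES = ['partition', 'service', 'region', 'accountId', 'resource'];

/**
 * Reports whether every required ARN component is defined.
 *
 * @param parts the object returned by splitArnParts
 * @returns true when none of the five components is undefined/null per isNotDefined
 */
function hasAllArnParts(parts) {
    return ARN_PART_NAMES.every((name) => !(0, util_js_1.isNotDefined)(parts[name]));
}

/**
 * Checks to see if a single ARN matches in ArnLike format.
 *
 * Each of the five ARN components is compared separately: the policy component
 * is converted to a pattern by convertIamString (wildcards enabled) and tested
 * against the corresponding request component.
 *
 * @param policyArn the ARN to check against
 * @param requestArn the ARN to check
 * @param request the request to check; passed through to convertIamString
 * @param expectMatch the outcome the caller is looking for: the result is a match
 *   only when "all components matched" equals this value
 *   (presumably false for negated operators — confirm against callers)
 * @returns an object with `matches`, `value` (the policy ARN as given),
 *   `resolvedValue` (the policy ARN after convertIamString, or undefined when it
 *   is unchanged) and `errors` (undefined when there are none)
 */
function arnMatches(policyArn, requestArn, request, expectMatch) {
    const policyParts = (0, iam_utils_1.splitArnParts)(policyArn);
    const requestParts = (0, iam_utils_1.splitArnParts)(requestArn);

    // A policy ARN with a missing component can never be evaluated.
    if (!hasAllArnParts(policyParts)) {
        return { matches: false, value: policyArn, errors: ['Invalid ARN'] };
    }

    // Rebuild the policy ARN with each component passed through convertIamString
    // as a plain string (no regex, wildcards left alone) so the caller can see
    // what the policy value resolved to for this request.
    const resolvedPolicyArn = ['arn', ...ARN_PART_NAMES.map((name) => policyParts[name])]
        .map((part) => (0, util_js_1.convertIamString)(part, request, {
            convertToRegex: false,
            replaceWildcards: false
        }))
        .join(':');
    const resolvedValue = resolvedPolicyArn === policyArn ? undefined : resolvedPolicyArn;

    // A malformed request ARN is reported as a non-match regardless of expectMatch.
    if (!hasAllArnParts(requestParts)) {
        return {
            matches: false,
            value: policyArn,
            resolvedValue,
            errors: [`request ARN '${requestArn}' is not a valid ARN`]
        };
    }

    const allErrors = [];
    const replaceAndMatch = (policyPart, requestPart) => {
        const { pattern, errors } = (0, util_js_1.convertIamString)(policyPart, request, {
            replaceWildcards: true
        });
        allErrors.push(...(errors || []));
        return pattern.test(requestPart);
    };

    // Evaluate every component instead of short-circuiting with `&&`. The result
    // below treats any conversion error as "not a match"; with short-circuiting,
    // an early component mismatch skipped the later components, so their errors
    // were never collected and a call with expectMatch === false could report a
    // match for a policy ARN whose later component failed to convert.
    const partResults = ARN_PART_NAMES.map((name) => replaceAndMatch(policyParts[name], requestParts[name]));
    const matches = partResults.every(Boolean);

    return {
        // Loose comparison with expectMatch is kept as-is so callers passing a
        // non-boolean flag see the same result as before.
        matches: matches == expectMatch && allErrors.length === 0,
        value: policyArn,
        resolvedValue,
        errors: allErrors.length > 0 ? allErrors : undefined
    };
}
//# sourceMappingURL=arn.js.map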