UNPKG

@cloud-copilot/iam-simulate

Version:

Simulate evaluation of AWS IAM policies

github.com/cloud-copilot/iam-simulate

cloud-copilot/iam-simulate

320 lines 11.8 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.convertIamString = convertIamString; exports.splitArnParts = splitArnParts; exports.getResourceSegments = getResourceSegments; exports.isDefined = isDefined; exports.isNotDefined = isNotDefined; exports.isWildcardOnlyAction = isWildcardOnlyAction; exports.getResourceTypesForAction = getResourceTypesForAction; exports.convertResourcePatternToRegex = convertResourcePatternToRegex; exports.lowerCaseAll = lowerCaseAll; exports.getVariablesFromString = getVariablesFromString; exports.isAssumedRoleArn = isAssumedRoleArn; exports.isIamUserArn = isIamUserArn; exports.isFederatedUserArn = isFederatedUserArn; const iam_data_1 = require("@cloud-copilot/iam-data"); const matchesNothing = new RegExp('a^'); const defaultStringReplaceOptions = { replaceWildcards: true, convertToRegex: true }; function convertIamString(value, request, replaceOptions) { const options = { ...defaultStringReplaceOptions, ...replaceOptions }; const errors = []; const newValue = value.replaceAll(/(\$\{.*?\})|(\*)|(\?)/gi, (match, args) => { if (match == '?') { return replacementValue(match, '\\?', '.', options); // return '.' } else if (match == '*') { return replacementValue(match, '\\*', '.*?', options); // return ".*?" } else if (match == '${*}') { return replacementValue(match, '\\$\\{\\*\\}', '\\*', options); // return "\\*" } else if (match == '${?}') { return replacementValue(match, '\\$\\{\\?\\}', '\\?', options); // return "\\?" } else if (match == '${$}') { return replacementValue(match, '\\$\\{\\$\\}', '\\$', options); // return "\\$" } // //This means it'a a variable const inTheBrackets = match.slice(2, -1); let defaultValue = undefined; const defaultParts = inTheBrackets.split(', '); if (defaultParts.length == 2) { const segmentAfterComma = defaultParts.at(1); if (segmentAfterComma?.startsWith("'") && segmentAfterComma.endsWith("'")) { defaultValue = segmentAfterComma.slice(1, -1); } } const variableName = defaultParts.at(0).trim(); const { value: requestValue, error: requestValueError } = getContextSingleValue(request, variableName); if (requestValue) { //TODO: Maybe escape the * in the resolved value to ${*} return options.convertToRegex ? escapeRegexCharacters(requestValue) : requestValue; } else if (defaultValue) { /* TODO: What happens in a request if a multi value context key is used in a string and there is a default value? Will it use the default value or will it fail the condition test? */ //TODO: Maybe escape the * in the resolved value to ${*} return options.convertToRegex ? escapeRegexCharacters(defaultValue) : defaultValue; } else { if (requestValueError == 'missing') { errors.push(`{${variableName}} not found in request context, and no default value provided. This will never match`); } else if (requestValueError == 'multivalue') { errors.push(`{${variableName}} is a multi value context key, and cannot be used for replacement. This will never match`); } /* https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-no-value */ return match; } throw new Error('This should never happen'); }); if (!options.convertToRegex) { return newValue; } if (errors.length > 0) { return { pattern: matchesNothing, errors }; } return { pattern: new RegExp('^' + newValue + '$') }; } /** * Replace regex characters in a string with their escaped versions * * @param str the string to escape regex characters in * @returns the string with regex characters escaped */ function escapeRegexCharacters(str) { return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); } /** * Get the string value of a context key only if it is a single value key * * @param requestContext the request context to get the value from * @param contextKeyName the name of the context key to get the value of * @returns the value of the context key if it is a single value key, undefined otherwise */ function getContextSingleValue(request, contextKeyName) { if (!request.contextKeyExists(contextKeyName)) { return { error: 'missing' }; } const keyValue = request.getContextKeyValue(contextKeyName); if (keyValue.isStringValue()) { return { value: keyValue.value }; } return { error: 'multivalue' }; } /** * Get the replacement value for a string * * @param originalString the original string to replace the value of * @param rawString the string to replace the value in * @param wildcard the value to replace the wildcard with * @param replaceWildcards if the wildcard or raw string should be used * @returns */ function replacementValue(original, escaped, regex, options) { if (!options.convertToRegex) { return original; } if (options.replaceWildcards) { return regex; } return escaped; } /** * Split an ARN into its parts * * @param arn the arn to split * @returns the parts of the ARN */ function splitArnParts(arn) { const parts = arn.split(':'); const partition = parts.at(1); const service = parts.at(2); const region = parts.at(3); const accountId = parts.at(4); const resource = parts.slice(5).join(':'); return { partition, service, region, accountId, resource }; } /** * Get the product/id segments of the resource portion of an ARN. * The first segment is the product segment and the second segment is the resource id segment. * This could be split by a colon or a slash, so it checks for both. It also checks for S3 buckets/objects. * * @param resource The resource to get the resource segments. Must be an ARN resource. * @returns a tuple with the first segment being the product segment (including the separator) and the second segment being the resource id. */ function getResourceSegments(resource) { if (!resource.isArnResource()) { throw new Error(`Resource ${resource.value()} is not an ARN resource`); } const resourceString = resource.resource(); // This is terrible, and I hate it if (resource.service() === 's3' && resource.account() === '' && resource.region() === '') { return ['', resourceString]; } const slashIndex = resourceString.indexOf('/'); const colonIndex = resourceString.indexOf(':'); let splitIndex = slashIndex; if (slashIndex != -1 && colonIndex != -1) { splitIndex = Math.min(slashIndex, colonIndex) + 1; } else if (colonIndex == -1) { splitIndex = slashIndex + 1; } else if (slashIndex == -1) { splitIndex = colonIndex + 1; } else { throw new Error(`Unable to split resource ${resource}`); } return [resourceString.slice(0, splitIndex), resourceString.slice(splitIndex)]; } /** * Checks if a value is defined and not null and narrows the type to the defined type * * @param value the value to check if it is defined * @returns if the value is defined and not null */ function isDefined(value) { return value !== undefined && value !== null; } /** * Checks if a value is not defined or null * * @param value the value to check if it is not defined * @returns if the value is not defined or null */ function isNotDefined(value) { return !isDefined(value); } /** * Checks if an action is a wildcard only action * * @param service the service the action belongs to * @param action the action to check if it is a wildcard only action * @returns if the action is a wildcard only action * @throws an error if the service or action does not exist */ async function isWildcardOnlyAction(service, action) { const actionDetails = await (0, iam_data_1.iamActionDetails)(service, action); return actionDetails.resourceTypes.length === 0; } /** * Get the the possible resource types for an action and resource * * @param service the service the action belongs to * @param action the action to get the resource type for * @param resource the resource type matching the action, if any * @throws an error if the service or action does not exist, or if the action is a wildcard only action */ async function getResourceTypesForAction(service, action, resource) { const actionDetails = await (0, iam_data_1.iamActionDetails)(service, action); if (actionDetails.resourceTypes.length === 0) { throw new Error(`${service}:${action} does not have any resource types`); } const matchingResourceTypes = []; for (const rt of actionDetails.resourceTypes) { const resourceType = await (0, iam_data_1.iamResourceTypeDetails)(service, rt.name); const pattern = convertResourcePatternToRegex(resourceType.arn); const match = resource.match(new RegExp(pattern)); if (match) { matchingResourceTypes.push(resourceType); } } return matchingResourceTypes; } /** * Convert a resource pattern from iam-data to a regex pattern * * @param pattern the pattern to convert to a regex * @returns the regex pattern */ function convertResourcePatternToRegex(pattern) { const regex = pattern.replace(/\$\{.*?\}/g, (match) => { const name = match.substring(2, match.length - 1); const camelName = name.at(0)?.toLowerCase() + name.substring(1); return `(?<${camelName}>(.+?))`; }); return `^${regex}$`; } /** * Lowercase all strings in an array * * @param strings the strings to lowercase * @returns the lowercased strings */ function lowerCaseAll(strings) { return strings.map((s) => s.toLowerCase()); } /** * Gets the IAM variables from a string * * @param value the string to get the variables from * @returns the variables in the string, if any */ function getVariablesFromString(value) { const matches = value.match(/\$\{.*?\}/g); if (matches) { return matches.map((m) => { const inBrackets = m.slice(2, -1); if (inBrackets.includes(',')) { return inBrackets.split(',')[0].trim(); } return inBrackets; }); } return []; } const assumedRoleArnRegex = /^arn:aws:sts::\d{12}:assumed-role\/.*$/; /** * Tests if a principal string is an assumed role ARN * * @param principal the principal string to test * @returns true if the principal is an assumed role ARN, false otherwise */ function isAssumedRoleArn(principal) { return assumedRoleArnRegex.test(principal); } const userArnRegex = /^arn:aws:iam::\d{12}:user\/.*$/; /** * Test if a principal string is an IAM user ARN * * @param principal the principal string to test * @returns true if the principal is an IAM user ARN, false otherwise */ function isIamUserArn(principal) { return userArnRegex.test(principal); } const federatedUserArnRegex = /^arn:aws:sts::\d{12}:federated-user\/.*$/; /** * Test if a principal string is a federated user ARN * * @param principal the principal string to test * @returns true if the principal is a federated user ARN, false otherwise */ function isFederatedUserArn(principal) { return federatedUserArnRegex.test(principal); } //# sourceMappingURL=util.js.map