Provision strong AWS security policies easily using the AWS CDK.
;
// CommonJS module preamble (typical TypeScript-compiled output): mark the module as an ES-module
// interop target and pre-declare the export binding that is assigned at the bottom of the file.
Object.defineProperty(exports, "__esModule", { value: true });
exports.getAllowedPrincipalArns = void 0;
const aws_iam_1 = require("aws-cdk-lib/aws-iam");
/**
 * Gets the unique set of AWS Principal ARNs (or tokenized representation) that appear in the Principal element of
 * a Statement that Allows access from an existing PolicyDocument. Parallels K9PolicyFactory#getAllowedPrincipalArns.
 *
 * Notes & Limitations:
 * * only examines 'AWS' principal types, so no e.g. Service principals
 * * only matches the object form `{ "AWS": ... }`; the bare string shorthand `"Principal": "*"` has no `AWS`
 *   key and is therefore skipped rather than reported as a wildcard principal
 * * only collects Principals from statements without a Condition element
 * * does not do anything with NotPrincipal
 * * an 'AWS' principal value that is neither a string nor an array is reported as an error, not skipped
 *
 * @param policyDocument to analyze
 * @return the set of allowed principal ARNs or tokens
 * @throws Error when an 'AWS' principal value is neither a string nor an array
 */
function getAllowedPrincipalArns(policyDocument) {
    const allowedArns = new Set();
    // Only render the document when there is at least one statement to look at.
    if (!(policyDocument.statementCount > 0)) {
        return allowedArns;
    }
    const { Statement: statements } = policyDocument.toJSON();
    for (const statementJson of statements) {
        // Let the CDK parse the statement so effect and principal presence are normalized.
        const parsed = aws_iam_1.PolicyStatement.fromJson(statementJson);
        if (parsed.effect != aws_iam_1.Effect.ALLOW || !parsed.hasPrincipal) {
            continue;
        }
        const awsPrincipals = statementJson?.Principal?.AWS;
        if (!awsPrincipals) {
            continue;
        }
        // Skip Statements with conditions because they're too complex to analyze right now.
        // Skipping seems like the conservative approach.
        if (statementJson.Condition !== undefined) {
            continue;
        }
        addAwsPrincipals(allowedArns, awsPrincipals);
    }
    return allowedArns;
}
/**
 * Adds the value(s) of a statement's `Principal.AWS` element to `target`.
 *
 * @param {Set<string>} target - set to add to (mutated in place)
 * @param {string | any[]} awsPrincipals - the `Principal.AWS` value from a statement's JSON
 * @throws Error when the value is neither a string nor an array
 */
function addAwsPrincipals(target, awsPrincipals) {
    if (typeof awsPrincipals === 'string') {
        target.add(awsPrincipals);
        return;
    }
    if (Array.isArray(awsPrincipals)) {
        awsPrincipals.forEach((value) => target.add(value));
        return;
    }
    throw new Error(`Found unexpected and unhandled principal type: (${typeof awsPrincipals}): ${JSON.stringify(awsPrincipals)}`);
}
// Module's public API: the only exported name.
exports.getAllowedPrincipalArns = getAllowedPrincipalArns;
//# sourceMappingURL=data:application/json;base64,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