
@k9securityio/k9-cdk


Provision strong AWS security policies easily using the AWS CDK.

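"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.getAllowedPrincipalArns = getAllowedPrincipalArns;
const aws_iam_1 = require("aws-cdk-lib/aws-iam");
/**
 * Gets the unique set of AWS Principal ARNs (or tokenized representation) that appear in the Principal element of
 * a Statement that Allows access from an existing PolicyDocument. Parallels K9PolicyFactory#getAllowedPrincipalArns.
 *
 * Notes & Limitations:
 * * only examines 'AWS' principal types, so no e.g. Service principals; a bare `Principal: "*"` (no 'AWS' key)
 *   is therefore not collected either
 * * only collects Principals from statements without a Condition element
 * * does not do anything with NotPrincipal
 * * a wildcard 'AWS' principal (`"*"`) is returned verbatim, not filtered or flagged; callers must treat that
 *   entry as anonymous access rather than as an ARN
 *
 * @param policyDocument to analyze
 * @return the set of allowed principal ARNs or tokens (a Set of strings)
 * @throws Error if a statement's 'AWS' principal element is neither a string nor an array
 */
function getAllowedPrincipalArns(policyDocument) {
  const allowedAWSPrincipals = new Set();
  if (policyDocument.statementCount > 0) {
    const policyJSON = policyDocument.toJSON();
    for (const statementJson of policyJSON.Statement) {
      const statement = aws_iam_1.PolicyStatement.fromJson(statementJson);
      // Only Allow statements that carry a Principal element are of interest.
      if (statement.effect !== aws_iam_1.Effect.ALLOW || !statement.hasPrincipal) {
        continue;
      }
      // Skip Statements with conditions because they're too complex
      // to analyze right now. Skipping seems like the conservative approach.
      // NOTE(review): whether skipping is conservative depends on how callers use
      // the returned set (grant vs. restrict) — confirm against K9PolicyFactory.
      if (!statementJson?.Principal?.AWS || undefined !== statementJson.Condition) {
        continue;
      }
      const awsPrincipals = statementJson.Principal.AWS;
      if (typeof awsPrincipals === 'string') {
        allowedAWSPrincipals.add(awsPrincipals);
      } else if (Array.isArray(awsPrincipals)) {
        for (const value of awsPrincipals) {
          allowedAWSPrincipals.add(value);
        }
      } else {
        // Fail loudly rather than silently dropping a principal we do not understand.
        throw new Error(`Found unexpected and unhandled principal type: (${typeof awsPrincipals}): ${JSON.stringify(awsPrincipals)}`);
      }
    }
  }
  return allowedAWSPrincipals;
}
//# sourceMappingURL=data:application/json;base64,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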