New Case Study:See how Anthropic automated 95% of dependency reviews with Socket.Learn More →
@contrail/policies
Advanced tools
@contrail/policies - npm Package Compare versions
Comparing version 2.0.5 to 2.0.6
@@ -35,3 +35,8 @@ export declare enum Operation { | ||
| export declare function checkPermission(principalReferences: string[], policy: Policy, operation: Operation): boolean; | ||
| export declare function checkPermissionOnManyPolicies(principalReferences: string[], policies: Policy[], operation: Operation): boolean; | ||
| export declare function evaluatePermissions(principalReferences: string[], policy: Policy, operation: Operation): { | ||
| permitted: boolean; | ||
| denied: boolean; | ||
| }; | ||
| export declare function getPermissionsOnResource(principalReferences: string[], policies: Policy[], resource: string): Array<Operation>; | ||
| export declare function addReadIfNeeded(permittedOperations: any, deniedOperations: any): void; |
| "use strict"; | ||
| Object.defineProperty(exports, "__esModule", { value: true }); | ||
| exports.addReadIfNeeded = exports.getPermissionsOnResource = exports.checkPermission = exports.Policy = exports.Version = exports.Effect = exports.Operation = void 0; | ||
| exports.addReadIfNeeded = exports.getPermissionsOnResource = exports.evaluatePermissions = exports.checkPermissionOnManyPolicies = exports.checkPermission = exports.Policy = exports.Version = exports.Effect = exports.Operation = void 0; | ||
| var Operation; | ||
@@ -25,6 +25,47 @@ (function (Operation) { | ||
| } | ||
| ; | ||
| const implicitReadPermissions = [Operation.create, Operation.update, Operation.delete]; | ||
| function checkPermission(principalReferences, policy, operation) { | ||
| if (policy.version === Version.V1) { | ||
| const { permitted, denied } = evaluatePermissions(principalReferences, policy, operation); | ||
| const allowed = permitted && !denied; | ||
| console.log('Policies: permitted:', permitted); | ||
| console.log('Policies: restricted:', denied); | ||
| console.log('Policies: allowed:', allowed); | ||
| return allowed; | ||
| } | ||
| else { | ||
| throw new InvalidPolicyError(`No permission check implemented for this policy version`); | ||
| } | ||
| } | ||
| exports.checkPermission = checkPermission; | ||
| function checkPermissionOnManyPolicies(principalReferences, policies, operation) { | ||
| if (policies.length === 0) { | ||
| console.log('No policies defined: Everyone is allowed.'); | ||
| return true; | ||
| } | ||
| let anyAllow = false; | ||
| let anyDeny = false; | ||
| for (const policy of policies) { | ||
| const { permitted, denied } = evaluatePermissions(principalReferences, policy, operation); | ||
| if (denied) { | ||
| anyDeny = true; | ||
| } | ||
| if (permitted) { | ||
| anyAllow = true; | ||
| } | ||
| } | ||
| if (anyDeny && anyAllow) { | ||
| console.log('Both Allow and Deny found in policies: Deny takes precedence.'); | ||
| return false; | ||
| } | ||
| if (anyAllow) { | ||
| console.log('At least one policy explicitly allows the operation.'); | ||
| return true; | ||
| } | ||
| console.log('All policies implicitly deny the operation.'); | ||
| return false; | ||
| } | ||
| exports.checkPermissionOnManyPolicies = checkPermissionOnManyPolicies; | ||
| function evaluatePermissions(principalReferences, policy, operation) { | ||
| if (policy.version === Version.V1) { | ||
| let permitted = false; | ||
@@ -36,3 +77,3 @@ let denied = false; | ||
| if (statement.principal === principalReference || statement.principal === '*') { | ||
| const hasImplicitReadPermission = statement.action.some(action => implicitReadPermissions.includes(action)); | ||
| const hasImplicitReadPermission = statement.action.some((action) => implicitReadPermissions.includes(action)); | ||
| if (statement.action.includes(operation)) { | ||
@@ -54,7 +95,3 @@ if (statement.effect === Effect.allow) { | ||
| } | ||
| const allowed = permitted && !denied; | ||
| console.log('Policies: permitted:', permitted); | ||
| console.log('Policies: restricted:', denied); | ||
| console.log('Policies: allowed:', allowed); | ||
| return allowed; | ||
| return { permitted, denied }; | ||
| } | ||
@@ -65,3 +102,3 @@ else { | ||
| } | ||
| exports.checkPermission = checkPermission; | ||
| exports.evaluatePermissions = evaluatePermissions; | ||
| function getPermissionsOnResource(principalReferences, policies, resource) { | ||
@@ -74,3 +111,3 @@ const permittedOperations = []; | ||
| if ((statement.principal === principalReference || statement.principal === '*') && | ||
| (statement.resource === "*" || statement.resource === resource)) { | ||
| (statement.resource === '*' || statement.resource === resource)) { | ||
| for (const action of statement.action) { | ||
@@ -89,3 +126,3 @@ if (statement.effect === Effect.allow) { | ||
| } | ||
| const allowedOperations = permittedOperations.filter(x => !deniedOperations.includes(x)); | ||
| const allowedOperations = permittedOperations.filter((x) => !deniedOperations.includes(x)); | ||
| return allowedOperations; | ||
@@ -92,0 +129,0 @@ } |
| { | ||
| "name": "@contrail/policies", | ||
| "version": "2.0.5", | ||
| "version": "2.0.6", | ||
| "description": "Library for managing and enforing policies", | ||
@@ -5,0 +5,0 @@ "main": "lib/index.js", |
No alert changes
Improved metrics
- Total package byte prevSize
- increased by22.06%
9657
- Lines of code
- increased by24.85%
211
No dependency changes