import { ArnPrincipal, Conditions, PolicyStatement } from 'aws-cdk-lib/aws-iam';
/** Literal name of the IAM `ArnEquals` condition operator. */
export type ArnEqualsTest = 'ArnEquals';
/** Literal name of the IAM `ArnLike` condition operator. */
export type ArnLikeTest = 'ArnLike';
/**
 * ARN condition operator accepted by `IAccessSpec.test` and by the `test` parameter of
 * `K9PolicyFactory.makeAllowStatement`.
 *
 * NOTE(review): AWS IAM documents `ArnEquals` and `ArnLike` as behaving identically, with `*` and `?`
 * wildcards honoured by both. Do not rely on choosing `ArnEquals` to reject a wildcard pattern.
 */
export type ArnConditionTest = ArnEqualsTest | ArnLikeTest;
/**
 * Access capabilities that an `IAccessSpec` can name. Each member's runtime value is the
 * kebab-case string shown next to it.
 *
 * NOTE(review): which IAM actions each capability expands to is not visible in this declaration;
 * `K9PolicyFactory.getActions(service, accessCapability)` appears to be the lookup — confirm there
 * before granting a capability to a principal.
 */
export declare enum AccessCapability {
    ADMINISTER_RESOURCE = "administer-resource",
    READ_CONFIG = "read-config",
    READ_DATA = "read-data",
    WRITE_DATA = "write-data",
    DELETE_DATA = "delete-data"
}
/**
 * Convert a string into the matching `AccessCapability` member.
 *
 * NOTE(review): the return type is not nullable, so an unrecognised string presumably throws —
 * confirm in the implementation before passing externally supplied values.
 *
 * @param accessCapabilityStr string form of a capability, e.g. a value such as "read-data"
 * @return the corresponding `AccessCapability`
 */
export declare function getAccessCapabilityFromValue(accessCapabilityStr: string): AccessCapability;
/**
 * Describes one grant: a set of access capabilities allowed for a list of principal ARNs.
 */
export interface IAccessSpec {
    /** A single capability or an array of capabilities covered by this spec. */
    accessCapabilities: Array<AccessCapability> | AccessCapability;
    /**
     * ARNs of the principals this spec allows.
     * Review any entry containing `*` or `?`: every wildcard widens the set of principals that can match.
     */
    allowPrincipalArns: Array<string>;
    /**
     * Optional ARN condition operator for matching `allowPrincipalArns`.
     * NOTE(review): the operator applied when this is omitted is not visible in this declaration —
     * confirm the default in the implementation.
     */
    test?: ArnConditionTest;
}
/**
 * `IAWSServiceAccessGenerator` defines an interface that the k9 policy generators use to grant an AWS service
 * access to a protected resource.
 *
 * An implementation supplies both halves of the grant: the Allow statements for the service and the
 * matching exception to the resource's `DenyEveryoneElse` statement.
 */
export interface IAWSServiceAccessGenerator {
    /**
     * Make an array of PolicyStatement objects that allow an AWS service, e.g. CloudFront, to access the
     * protected AWS resource.
     *
     * @return the Allow statements for the service
     */
    makeAllowStatements(): Array<PolicyStatement>;
    /**
     * Make a Conditions object that creates an exception for an AWS service in a protected resource's `DenyEveryoneElse`
     * statement.
     *
     * NOTE(review): a request that satisfies these conditions is exempt from the deny, so implementations
     * should keep them as narrow as the service integration allows.
     *
     * @return the conditions that exempt the service from `DenyEveryoneElse`
     */
    makeConditionsToExceptFromDenyEveryoneElse(): Conditions;
}
/**
 * Check whether the provided access specs ensure that at least one principal can both read and administer configuration.
 *
 * NOTE(review): presumably intended as a guard against generating a policy that leaves nobody able to
 * manage the resource; how ARNs are compared across the two specs (exact string match or pattern) is
 * not visible in this declaration — confirm in the implementation.
 *
 * @param accessSpecsByCapability is a map of access specs keyed by access capability
 *
 * @return true when at least one principal that can administer and read configuration exists
 */
export declare function canPrincipalsManageResources(accessSpecsByCapability: Map<AccessCapability, IAccessSpec>): boolean;
/**
 * Converts a string to PascalCase, which is useful for e.g. policy types that
 * do not support spaces or hyphens in statement ids.
 *
 * @param input the string to convert
 * @return the PascalCase form of `input`
 */
export declare function toPascalCase(input: string): string;
/**
 * Factory that turns `IAccessSpec` descriptions into aws-cdk `PolicyStatement` objects and the
 * principal list for a `DenyEveryoneElse` statement.
 */
export declare class K9PolicyFactory {
    /**
     * Deduplicate an array of principals while preserving original order of principals.
     * Note that principals may contain either strings or objects, so naive array sorting
     * produces unstable results.
     *
     * @param principals the principals to deduplicate; entries are strings or objects
     * @return the deduplicated principals in their original order
     */
    static deduplicatePrincipals(principals: Array<string | object>): Array<string | object>;
    /** @internal Names of the services this factory supports. */
    _SUPPORTED_SERVICES: Set<string>;
    /**
     * @internal
     * NOTE(review): typed as the boxed `Object`, which accepts almost any value, so the compiler does
     * not check the shape of the capability map.
     */
    _K9CapabilityMapJSON: Object;
    /** @internal Capability map entries keyed by a string, presumably the service name — confirm. */
    _K9CapabilityMapByService: Map<string, Object>;
    /**
     * Look up the action names for one capability of one service.
     * NOTE(review): behaviour for a service outside `_SUPPORTED_SERVICES` is not visible here — confirm.
     *
     * @param service name of the AWS service
     * @param accessCapability the capability to look up
     * @return the action names for that service and capability
     */
    getActions(service: string, accessCapability: AccessCapability): Array<string>;
    /**
     * @internal
     * Returns nothing, so `addition` is presumably merged into `target` in place — confirm.
     */
    _mergeAccessSpecs(target: IAccessSpec, addition: IAccessSpec): void;
    /**
     * Combine the desired access specs into one spec per capability.
     *
     * NOTE(review): the result is a `Record<string, IAccessSpec>`, whereas `canPrincipalsManageResources`
     * takes a `Map<AccessCapability, IAccessSpec>`; callers have to convert between the two.
     *
     * @param supportedCapabilities capabilities the target resource type supports
     * @param desiredAccess the access specs to merge
     * @return merged access specs keyed by a string, presumably the capability value — confirm
     */
    mergeDesiredAccessSpecsByCapability(supportedCapabilities: Array<AccessCapability>, desiredAccess: Array<IAccessSpec>): Record<string, IAccessSpec>;
    /**
     * Build the Allow statements for a service from the desired access specs.
     *
     * @param serviceName name of the AWS service the statements are for
     * @param supportedCapabilities capabilities the target resource type supports
     * @param desiredAccess the access specs to grant
     * @param resourceArns ARNs of the resources the statements apply to
     * @param usePascalCase optional; presumably selects PascalCase statement ids (see `toPascalCase`) — confirm
     * @return the generated Allow statements
     */
    makeAllowStatements(serviceName: string, supportedCapabilities: Array<AccessCapability>, desiredAccess: Array<IAccessSpec>, resourceArns: Array<string>, usePascalCase?: boolean): Array<PolicyStatement>;
    /**
     * Build a single Allow statement.
     *
     * @param sid statement id
     * @param actions action names to allow
     * @param principalArns ARNs of the principals to allow; wildcard entries widen the grant
     * @param test ARN condition operator used with `principalArns`
     * @param resources ARNs of the resources the statement applies to
     * @return the generated statement
     */
    makeAllowStatement(sid: string, actions: Array<string>, principalArns: Array<string>, test: ArnConditionTest, resources: Array<string>): PolicyStatement;
    /**
     * Presumably reports whether any of the given specs sets `test` to `'ArnLike'` — confirm.
     *
     * @param accessSpecs the access specs to inspect
     */
    wasLikeUsed(accessSpecs: IAccessSpec[]): boolean;
    /**
     * Collect the allowed principal ARNs from the given specs.
     * NOTE(review): whether the result is deduplicated is not visible here — confirm.
     *
     * @param accessSpecs the access specs to read `allowPrincipalArns` from
     * @return the allowed principal ARNs
     */
    getAllowedPrincipalArns(accessSpecs: IAccessSpec[]): Array<string>;
    /**
     * k9 wants to deny all AWS accounts and IAM principals not explicitly allowed; this *should*
     * be straightforward, but it isn't because of the way aws-cdk merges and manipulates Principals.
     *
     * NOTE(review): the effective scope of the deny depends on the exact principals returned here;
     * inspect the synthesized policy rather than assuming the statement covers every principal.
     *
     * @return list of principals for a DenyEveryoneElse statement
     */
    makeDenyEveryoneElsePrincipals(): ArnPrincipal[];
}
