@auth0/auth0-checkmate 1.4.0

package/analyzer/tools/auth0.js

@@ -0,0 +1,443 @@
+const axios = require("axios");
+const CONSTANTS = require("../lib/constants");
+const logger = require("../lib/logger");
+const {
+  version: packageVersion,
+  name: packageName,
+} = require("../../package.json");
+const PER_PAGE = 100;
+//axios default config
+axios.defaults.headers.common["User-Agent"] =
+  `${packageName}/${packageVersion}`;
+
+async function getAccessToken(domain, client_id, client_secret, access_token) {
+  if (access_token) {
+    return access_token;
+  }
+  logger.log("info", `Getting an access token for client_id ${client_id}`);
+  logger.log("info", `Requesting scopes ${CONSTANTS.REQUIRED_SCOPES}`);
+  const tokenUrl = `https://${domain}/oauth/token`;
+  const headers = {
+    "Content-Type": "application/json",
+  };
+  const body = {
+    grant_type: "client_credentials",
+    client_id: client_id,
+    client_secret: client_secret,
+    audience: `https://${domain}/api/v2/`,
+    scopes: CONSTANTS.REQUIRED_SCOPES,
+  };
+
+  try {
+    const response = await axios.post(tokenUrl, body, { headers });
+    return response.data.access_token;
+  } catch (error) {
+    console.error("Error getting access token: %s", error.message);
+    process.exit(1);
+  }
+}
+
+async function getCustomDomains(domain, accessToken) {
+  const url = `https://${domain}/api/v2/custom-domains`;
+  const headers = { Authorization: `Bearer ${accessToken}` };
+  logger.log("info", `Getting custom domains`);
+  try {
+    const response = await axios.get(url, { headers });
+    return response.data;
+  } catch (error) {
+    logger.log("error", `Failed to get custom domains ${error.message}`);
+    return [];
+  }
+}
+
+async function fetchClients(url, accessToken, page) {
+  try {
+    const response = await axios.get(url, {
+      params: {
+        per_page: PER_PAGE,
+        page: page,
+        is_global: false,
+        //include_fields: false,
+        //fields: `client_secret,signing_keys,encryption_key,client_authentication_methods`
+      },
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+      },
+    });
+
+    return response.data; // Array of clients
+  } catch (error) {
+    console.error("Error fetching clients:", error);
+    throw error;
+  }
+}
+async function getActions(domain, accessToken) {
+  const url = `https://${domain}/api/v2/actions/actions?installed=false`;
+  const headers = { Authorization: `Bearer ${accessToken}` };
+  logger.log("info", `Getting Actions`);
+  try {
+    const response = await axios.get(url, { headers });
+    return response.data;
+  } catch (error) {
+    logger.log("error", `Failed to get actions ${error.message}`);
+    return [];
+  }
+}
+
+async function getApplications(domain, accessToken) {
+  const url = `https://${domain}/api/v2/clients`;
+  let allClients = [],
+    page = 0;
+  logger.log("info", `Getting Applications`);
+  try {
+    let hasMore = true;
+
+    while (hasMore) {
+      const clients = await fetchClients(url, accessToken, page);
+
+      if (clients.length < PER_PAGE) {
+        hasMore = false; // No more data to fetch
+      } else {
+        page++; // Move to the next page
+      }
+
+      allClients = allClients.concat(clients); // Add the current page's clients to the list
+    }
+
+    return allClients;
+  } catch (error) {
+    logger.log("error", `Failed to get clients ${error.message}`);
+    return [];
+  }
+}
+
+async function getConnections(domain, accessToken) {
+  const url = `https://${domain}/api/v2/connections?strategy=auth0`;
+  const headers = { Authorization: `Bearer ${accessToken}` };
+  logger.log("info", `Getting database connections`);
+
+  try {
+    const response = await axios.get(url, { headers });
+    return response.data;
+  } catch (error) {
+    logger.log("error", `Failed to get database connections ${error.message}`);
+    return [];
+  }
+}
+
+async function getEmailProvider(domain, accessToken) {
+  const url = `https://${domain}/api/v2/emails/provider`;
+  const headers = { Authorization: `Bearer ${accessToken}` };
+  logger.log("info", `Getting email provider`);
+
+  try {
+    const response = await axios.get(url, { headers });
+    return response.data;
+  } catch (error) {
+    logger.log("error", `Failed to get email provider ${error.message}`);
+    return null;
+  }
+}
+
+async function getLogStreams(domain, accessToken) {
+  const url = `https://${domain}/api/v2/log-streams`;
+  const headers = { Authorization: `Bearer ${accessToken}` };
+  logger.log("info", `Getting log streams`);
+
+  try {
+    const response = await axios.get(url, { headers });
+    return response.data;
+  } catch (error) {
+    logger.log("error", `Failed to get log streams ${error.message}`);
+    return [error.response.data];
+  }
+}
+
+async function getBruteForceProtectionSetting(domain, accessToken) {
+  const url = `https://${domain}/api/v2/attack-protection/brute-force-protection`;
+  const headers = { Authorization: `Bearer ${accessToken}` };
+  logger.log("info", `Getting brute force setting`);
+
+  try {
+    const response = await axios.get(url, { headers });
+    return response.data;
+  } catch (error) {
+    logger.log("error", `Failed to get brute force settings ${error.message}`);
+    return {};
+  }
+}
+async function getSuspiciousIpSetting(domain, accessToken) {
+  const url = `https://${domain}/api/v2/attack-protection/suspicious-ip-throttling`;
+  const headers = { Authorization: `Bearer ${accessToken}` };
+  logger.log("info", `Getting suspicious ip throttling`);
+
+  try {
+    const response = await axios.get(url, { headers });
+    return response.data;
+  } catch (error) {
+    logger.log(
+      "error",
+      `Failed to get suspicious IP settings ${error.message}`,
+    );
+    return {};
+  }
+}
+async function getBreachedPasswordSetting(domain, accessToken) {
+  const url = `https://${domain}/api/v2/attack-protection/breached-password-detection`;
+  const headers = { Authorization: `Bearer ${accessToken}` };
+  logger.log("info", `Getting breached password setting`);
+
+  try {
+    const response = await axios.get(url, { headers });
+    return response.data;
+  } catch (error) {
+    logger.log(
+      "error",
+      `Failed to get breached password settings ${error.message}`,
+    );
+    return {};
+  }
+}
+
+async function getBotDetectionSetting(domain, accessToken) {
+  const url = `https://${domain}/api/v2/anomaly/captchas`;
+  const headers = { Authorization: `Bearer ${accessToken}` };
+  logger.log("info", `Getting bot detection setting`);
+
+  try {
+    const response = await axios.get(url, { headers });
+    return response.data;
+  } catch (error) {
+    logger.log(
+      "error",
+      `Failed to get bot detection settings ${error.message}`,
+    );
+    return {};
+  }
+}
+async function getAttackProtection(domain, accessToken) {
+  try {
+    var attackProtection = {};
+    const [
+      breachedPasswordDetection,
+      bruteForceProtection,
+      suspiciousIpThrottling,
+      botDetection,
+    ] = await Promise.all([
+      getBreachedPasswordSetting(domain, accessToken),
+      getBruteForceProtectionSetting(domain, accessToken),
+      getSuspiciousIpSetting(domain, accessToken),
+      getBotDetectionSetting(domain, accessToken),
+    ]);
+    attackProtection = {
+      breachedPasswordDetection,
+      bruteForceProtection,
+      suspiciousIpThrottling,
+      botDetection,
+    };
+    return attackProtection;
+  } catch (error) {
+    logger.log(
+      "error",
+      `Failed to get attack protection settings ${error.message}`,
+    );
+    return {};
+  }
+}
+
+async function getEmailTemplate(domain, accessToken, templateName) {
+  try {
+    const response = await axios.get(
+      `https://${domain}/api/v2/email-templates/${templateName}`,
+      {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+        },
+      },
+    );
+    return response.data;
+  } catch (error) {
+    logger.log(
+      "error",
+      `Failed to get email template because it is not configured ${templateName} - ${error.message}`,
+    );
+    return null; // Return null for templates that may not exist
+  }
+}
+
+async function getErrorPageTemplate(domain, accessToken) {
+  try {
+    const response = await axios.get(
+      `https://${domain}/api/v2/tenants/settings`,
+      {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+        },
+      },
+    );
+    const payload = response.data.error_page.html;
+    return payload;
+  } catch (error) {
+    logger.log(
+      "error",
+      `Failed to get error page template because it is not configured - ${error.message}`,
+    );
+    return null; // Return null for templates that may not exist
+  }
+}
+
+async function getEmailTemplates(domain, accessToken) {
+  logger.log("info", `Getting email templates`);
+  const emailTemplates = await Promise.all(
+    CONSTANTS.EMAIL_TEMPLATES_TYPES.map(async (templateName) => {
+      const template = await getEmailTemplate(
+        domain,
+        accessToken,
+        templateName,
+      );
+      return { name: CONSTANTS.EMAIL_TEMPLATES_NAMES[templateName], template };
+    }),
+  );
+  //const nonEmptyTemplates = emailTemplates.filter((template) => !!template);
+  return emailTemplates;
+}
+
+async function getTenantSettings(domain, accessToken) {
+  const url = `https://${domain}/api/v2/tenants/settings`;
+  const headers = { Authorization: `Bearer ${accessToken}` };
+  logger.log("info", `Getting tenant setting`);
+
+  try {
+    const response = await axios.get(url, { headers });
+    return response.data;
+  } catch (error) {
+    logger.log("error", `Failed to get tenant settings ${error.message}`);
+    return {};
+  }
+}
+
+async function getGuardianFactors(domain, accessToken) {
+  const url = `https://${domain}/api/v2/guardian/factors`;
+  const headers = { Authorization: `Bearer ${accessToken}` };
+  logger.log("info", `Getting MFA factors`);
+
+  try {
+    const response = await axios.get(url, { headers });
+    return response.data;
+  } catch (error) {
+    logger.log("error", `Failed to get MFA factors ${error.message}`);
+    return {};
+  }
+}
+// policies
+async function getGuardianPolicies(domain, accessToken) {
+  const url = `https://${domain}/api/v2/guardian/policies`;
+  const headers = { Authorization: `Bearer ${accessToken}` };
+  logger.log("info", `Getting MFA policy`);
+
+  try {
+    const response = await axios.get(url, { headers });
+    return response.data;
+  } catch (error) {
+    logger.log("error", `Failed to get MFA policies ${error.message}`);
+    return {};
+  }
+}
+// legacy rules and hooks
+async function getRules(domain, accessToken) {
+  const url = `https://${domain}/api/v2/rules?enabled=true`;
+  const headers = { Authorization: `Bearer ${accessToken}` };
+  logger.log("warn", `Getting rules`);
+
+  try {
+    const response = await axios.get(url, { headers });
+    return response.data;
+  } catch (error) {
+    logger.log("error", `Failed to get rules ${error.message}`);
+    return [];
+  }
+}
+
+async function getHooks(domain, accessToken) {
+  const url = `https://${domain}/api/v2/hooks?enabled=true`;
+  const headers = { Authorization: `Bearer ${accessToken}` };
+  logger.log("warn", `Getting hooks`);
+
+  try {
+    const response = await axios.get(url, { headers });
+    return response.data;
+  } catch (error) {
+    logger.log("error", `Failed to get hooks ${error.message}`);
+    return [];
+  }
+}
+
+async function getLogs(domain, accessToken) {
+  const logTypes = CONSTANTS.LOG_TYPES;
+  const fields = "type,hostname";
+  const per_page = 1;
+  const query = `type: (${logTypes.join(" ")}) AND hostname: ${domain}`;
+  const url = `https://${domain}/api/v2/logs?per_page=${per_page}&fields=${fields}&q=${query}`;
+  const encodedUrl = encodeURI(url);
+  const headers = { Authorization: `Bearer ${accessToken}` };
+  logger.log("info", `Getting logs`);
+  try {
+    const response = await axios.get(encodedUrl, { headers });
+    return { log_query: query, logs: response.data };
+  } catch (error) {
+    logger.log("error", `Failed to get logs ${error.message}`);
+    return { log_query: query, logs: [] };
+  }
+}
+// Early Access
+async function getNetworkACL(domain, accessToken) {
+    const url = `https://${domain}/api/v2/network-acls`;
+    const headers = { Authorization: `Bearer ${accessToken}` };
+    logger.log("info", `Getting Network ACL`);
+  
+    try {
+      const response = await axios.get(url, { headers });
+      return response.data;
+    } catch (error) {
+      logger.log("error", `Failed to get network ACL ${error.response.data.message}`);
+      return [error.response.data];
+    }
+}
+//Early Access
+async function getEventStreams(domain, accessToken) {
+  const url = `https://${domain}/api/v2/event-streams`;
+  const headers = { Authorization: `Bearer ${accessToken}` };
+  logger.log("info", `Getting event streams`);
+
+  try {
+    const response = await axios.get(url, { headers });
+    return response.data.eventStreams;
+  } catch (error) {
+    logger.log("error", `Failed to get event streams ${error.message}`);
+    return [error.response.data];
+  }
+}
+module.exports = {
+  getAccessToken,
+  getCustomDomains,
+  getApplications,
+  getConnections,
+  getEmailProvider,
+  getEmailTemplates,
+  getErrorPageTemplate,
+  getBruteForceProtectionSetting,
+  getSuspiciousIpSetting,
+  getBreachedPasswordSetting,
+  getLogStreams,
+  getAttackProtection,
+  getTenantSettings,
+  getGuardianFactors,
+  getGuardianPolicies,
+  getBotDetectionSetting,
+  getRules,
+  getHooks,
+  getActions,
+  getLogs,
+  getNetworkACL,
+  getEventStreams,
+};

package/analyzer/tools/helpers.js

@@ -0,0 +1,71 @@
+const axios = require("axios");
+const semver = require("semver");
+const logger = require("../lib/logger");
+async function checkVulnerableVersion(currentVersion, advisoryData) {
+  const vulnerabilitiesAdvisory = [];
+  advisoryData.forEach((advisory) => {
+    advisory.vulnerabilities.forEach((vulnerability) => {
+      const vulnerableVersionRange = vulnerability.vulnerable_version_range;
+      const isVulnerable = semver.satisfies(
+        currentVersion,
+        vulnerableVersionRange,
+      );
+
+      if (isVulnerable) {
+        vulnerabilitiesAdvisory.push({
+          description: `Vulnerable to ${advisory.cve_id} (range: ${vulnerableVersionRange})`,
+          advisory_url: advisory.html_url,
+          advisory_summary: advisory.summary,
+          severity: advisory.severity,
+        });
+      }
+    });
+  });
+  return vulnerabilitiesAdvisory;
+}
+
+async function checkGitHubAdvisories(packageName, version) {
+  try {
+    const headers = {
+      Accept: "application/vnd.github.v3+json",
+    };
+    const url = `https://api.github.com/advisories?affects=${packageName}@${version}`;
+    const response = await axios.get(url, { headers });
+    const vulnFindings = await checkVulnerableVersion(version, response.data);
+    return vulnFindings;
+  } catch (error) {
+    logger.log(
+      "error",
+      `Failed to get github advisory skipping - ${error.message}`,
+    );
+    return [];
+  }
+}
+
+async function getActionDependencies(actionsList) {
+  var vulnDependencyList = [];
+  for (let i = 0; i < actionsList.length; i++) {
+    for (const dependency of actionsList[i].dependencies) {
+      var vulnFindings = await checkGitHubAdvisories(
+        dependency.name,
+        dependency.version,
+      );
+      if (vulnFindings.length > 0) {
+        vulnDependencyList.push({
+          name: dependency.name,
+          actionName: actionsList[i].name,
+          version: dependency.version,
+          vulnFindings: vulnFindings,
+          trigger: actionsList[i].supported_triggers[0].id,
+        });
+      }
+    }
+  }
+  return vulnDependencyList;
+}
+
+module.exports = {
+  checkVulnerableVersion,
+  checkGitHubAdvisories,
+  getActionDependencies,
+};

package/analyzer/tools/summary.js

@@ -0,0 +1,84 @@
+const _ = require("lodash");
+module.exports.getSummaryReport = async (data) => {
+  const filteredData = _.map(data, (item) => {
+    const filteredDetails = _.flatMap(item.details, (detail) => {
+      if (_.isArray(detail.report)) {
+        // Process if the detail has a 'report' array
+        return _.filter(detail.report, (report) =>
+          ["red", "yellow"].includes(report.status),
+        ).map((report) =>
+          _.pick(report, [
+            "name",
+            "status",
+            "field",
+            "value",
+            "message",
+            "vulnFindings",
+            "pre_requisites",
+          ]),
+        );
+      }
+      // Process other fields if no 'report' array exists
+      return _.filter([detail], (detailItem) =>
+        ["red", "yellow"].includes(detailItem.status),
+      ).map((detailItem) =>
+        _.pick(detailItem, [
+          "name",
+          "title",
+          "description",
+          "docsPath",
+          "field",
+          "value",
+          "status",
+          "message",
+          "vulnFindings",
+          "pre_requisites",
+        ]),
+      );
+    });
+    // Only return items with 'red' or 'yellow' status after filtering
+    const detailsLength = _.uniqBy(filteredDetails, "name").length;
+    return {
+      name: item.name,
+      title: item.title,
+      description: item.description,
+      status: item.status,
+      disclaimer: item.disclaimer || null,
+      advisory: item.advisory || null,
+      pre_requisites: item.pre_requisites || null,
+      vulnFindings: item.vulnFindings || null,
+      severity: item.severity,
+      severity_message: item.severity_message,
+      docsPath: item.docsPath,
+      details: filteredDetails,
+      detailsLength: detailsLength > 0 ? detailsLength : filteredDetails.length,
+    };
+  }).filter((item) => item.details.length > 0); // Ensure that at least one detail exists
+
+  const transformedFindings = filteredData.map((finding) => ({
+    name: finding.name,
+    title: finding.title, // Set title from name
+    description: finding.description, // Set description
+    status: finding.status, // Set status
+    disclaimer: finding.disclaimer || null,
+    advisory: finding.advisory || null,
+    vulnFindings: finding.vulnFindings || [],
+    pre_requisites: finding.pre_requisites || null,
+    severity: finding.severity,
+    severity_message: finding.severity_message.replace(
+      "%s",
+      finding.details.length,
+    ),
+    docsPath: finding.docsPath,
+    details: finding.details,
+    detailsLength: finding.detailsLength, // Get the length of the details array
+  }));
+  const severityOrder = ["red", "yellow", "green", "blue", "violet"];
+
+  // Sort the array using the custom order
+  const sortedFindings = _.sortBy(transformedFindings, (item) =>
+    severityOrder.indexOf(item.status),
+  );
+  //console.log(JSON.stringify(sortedFindings, null, 2))
+  return sortedFindings;
+};

package/analyzer/tools/utils.js

@@ -0,0 +1,72 @@
+const moment = require("moment");
+const _ = require('lodash');
+function getFormattedDateTime() {
+    return moment().format("YYYY-MM-DD_HH:mm:ss").replace(/:/g, "_");
+}
+
+async function getToday(locale) {
+    const date = new Date();
+    const formattedDate = date.toLocaleDateString(locale, {
+        month: "long", // Full month name (e.g., 'January')
+        day: "numeric", // Day of the month (e.g., '20')
+        year: "numeric", // Full year (e.g., '2025')
+    });
+    return formattedDate;
+}
+
+function convertToTitleCase(str) {
+    // Insert space before each uppercase letter and capitalize the first letter
+    return str
+        .replace(/([a-z])([A-Z])/g, '$1 $2')  // Add space between lowercase and uppercase letters
+        .replace(/^./, (match) => match.toUpperCase()); // Capitalize the first letter
+}
+
+function tranformReport(grouped) {
+    const report = _.flatMap(grouped, (values, name) => {
+        const firstPartyValues = [];
+        const thirdPartyValues = [];
+        values.forEach((detail) => {
+            const firstReports = detail.report.filter(r => r.is_first_party === true);
+            const thirdReports = detail.report.filter(r => r.is_first_party === false);
+
+            if (firstReports.length) {
+                firstPartyValues.push({
+                    ...detail,
+                    report: firstReports
+                });
+            }
+
+            if (thirdReports.length) {
+                thirdPartyValues.push({
+                    ...detail,
+                    report: thirdReports
+                });
+            }
+        });
+
+        const result = [];
+
+        if (firstPartyValues.length) {
+            result.push({
+                name: `${name} (First-Party Application)`,
+                values: firstPartyValues
+            });
+        }
+
+        if (thirdPartyValues.length) {
+            result.push({
+                name: `${name} (Third-Party Application)`,
+                values: thirdPartyValues
+            });
+        }
+
+        return result;
+    });
+    return report;
+}
+module.exports = {
+    getFormattedDateTime,
+    getToday,
+    convertToTitleCase,
+    tranformReport
+};