@auth0/auth0-checkmate 1.4.0

package/package.json

@@ -0,0 +1,66 @@
+{
+  "name": "@auth0/auth0-checkmate",
+  "version": "1.4.0",
+  "description": "A command line tool for checking configuration of your Auth0 tenant",
+  "main": "analyzer/report.js",
+  "scripts": {
+    "start": "bin/index.js",
+    "format": "npx prettier --write .",
+    "lint": "eslint .",
+    "test": "nyc mocha tests/*"
+  },
+  "bin": {
+    "a0checkmate": "bin/index.js"
+  },
+  "engines": {
+    "node": ">=20.18.3"
+  },
+  "dependencies": {
+    "acorn": "^8.14.0",
+    "axios": "^1.12.0",
+    "chalk": "^4.1.2",
+    "cli-table3": "^0.6.5",
+    "estree-walker": "^2.0.2",
+    "figlet": "^1.8.0",
+    "glob": "^11.0.1",
+    "handlebars": "^4.7.8",
+    "i18n": "^0.15.1",
+    "inquirer": "^12.3.3",
+    "jsonwebtoken": "^9.0.2",
+    "lodash": "^4.17.21",
+    "moment": "^2.30.1",
+    "puppeteer": "^24.10.0",
+    "semver": "^7.7.1",
+    "winston": "^3.17.0"
+  },
+  "devDependencies": {
+    "@eslint/js": "^9.23.0",
+    "chai": "^5.2.0",
+    "eslint": "^9.23.0",
+    "eslint-plugin-mocha": "^10.5.0",
+    "globals": "^16.0.0",
+    "mocha": "^11.1.0",
+    "nock": "^14.0.1",
+    "nyc": "^17.1.0",
+    "proxyquire": "^2.1.3",
+    "sinon": "^19.0.2"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/auth0/auth0-checkmate.git"
+  },
+  "keywords": [
+    "auth0",
+    "analyzer",
+    "configuration"
+  ],
+  "author": "Auth0",
+  "license": "Apache-2.0",
+  "bugs": {
+    "url": "https://github.com/auth0/auth0-checkmate/issues"
+  },
+  "homepage": "https://github.com/auth0/auth0-checkmate#readme"
+}

package/tests/actions/checkActionsHardCodedValues.test.js

@@ -0,0 +1,106 @@
+const chai = require("chai");
+const expect = chai.expect;
+const checkActionsHardCodedValues = require("../../analyzer/lib/actions/checkActionsHardCodedValues"); // Import your function
+const CONSTANTS = require("../../analyzer/lib/constants"); // Assuming constants file is required
+
+describe("checkActionsHardCodedValues", function () {
+  it("should return an empty array when no actions have hardcoded values", async function () {
+    const input = {
+      actions: {
+        actions: [
+          {
+            id: "0cdb84c6-9faf-4344-b1c5-affa9db5a63f",
+            name: "Custom Phone Provider",
+            supported_triggers: [
+              { id: "custom-phone-provider", version: "v1" },
+            ],
+            created_at: "2024-12-05T03:14:55.811465959Z",
+            updated_at: "2024-12-05T03:14:55.831277001Z",
+            code: "exports.onExecuteCustomPhoneProvider = async (event, api) => {\n  // Code goes here\n  return;\n};",
+            dependencies: [],
+            runtime: "node18",
+            status: "built",
+            secrets: [],
+            all_changes_deployed: false,
+          },
+        ],
+      },
+    };
+
+    const reports = await checkActionsHardCodedValues(input);
+    expect(reports.details).to.be.an("array").that.is.empty;
+  });
+
+  it("should detect hardcoded values in action code", async function () {
+    const input = {
+      actions: {
+        actions: [
+          {
+            id: "89df9e29-d521-43f4-9b80-8a8f9623ad39",
+            name: "Console Log",
+            supported_triggers: [{ id: "post-login", version: "v3" }],
+            created_at: "2024-12-05T03:48:52.546705182Z",
+            updated_at: "2025-02-05T04:33:20.935611754Z",
+            code: 'exports.onExecutePostLogin = async (event, api) => {\n  const PASSWORD = "abcd1234";\n  console.log(JSON.stringify(event.user, null, 2));\n};',
+            dependencies: [{ name: "aws-sdk", version: "2.1448.0" }],
+            runtime: "node18-actions",
+            status: "built",
+            secrets: [],
+            all_changes_deployed: true,
+          },
+        ],
+        total: 1,
+      },
+    };
+
+    const reports = await checkActionsHardCodedValues(input);
+    expect(reports.details).to.have.lengthOf(1);
+    const report = reports.details[0];
+    expect(report.name).to.equal("Console Log (post-login)");
+    expect(report.report).to.have.lengthOf(1);
+    expect(report.report[0].variableName).to.equal("PASSWORD");
+    expect(report.report[0].type).to.equal("string");
+    expect(report.report[0].field).to.equal("hard_coded_value_detected");
+    expect(report.report[0].status).to.equal(CONSTANTS.FAIL);
+  });
+
+  it("should flag multiple hardcoded values in action code", async function () {
+    const input = {
+      actions: {
+        actions: [
+          {
+            id: "0cdb84c6-9faf-4344-b1c5-affa9db5a63f",
+            name: "Custom Phone Provider",
+            supported_triggers: [
+              { id: "custom-phone-provider", version: "v1" },
+            ],
+            created_at: "2024-12-05T03:14:55.811465959Z",
+            updated_at: "2024-12-05T03:14:55.831277001Z",
+            code: 'exports.onExecuteCustomPhoneProvider = async (event, api) => {\n  const PHONE_NUMBER = "123-456-7890";\n  const USERNAME = "user123";\n  return;\n};',
+            dependencies: [],
+            runtime: "node18",
+            status: "built",
+            secrets: [],
+            all_changes_deployed: false,
+          },
+        ],
+        total: 1,
+      },
+    };
+
+    const reports = await checkActionsHardCodedValues(input);
+    expect(reports.details).to.have.lengthOf(1);
+    const report = reports.details[0];
+    expect(report.name).to.equal(
+      "Custom Phone Provider (custom-phone-provider)",
+    );
+    expect(report.report).to.have.lengthOf(2);
+
+    // Check for each of the hardcoded values
+    expect(report.report[0].variableName).to.equal("PHONE_NUMBER");
+    expect(report.report[0].type).to.equal("string");
+
+    expect(report.report[1].variableName).to.equal("USERNAME");
+    expect(report.report[1].type).to.equal("string");
+  });
+});

package/tests/actions/checkActionsRuntime.test.js

@@ -0,0 +1,102 @@
+const chai = require("chai");
+const expect = chai.expect;
+
+const checkActionsRuntime = require("../../analyzer/lib/actions/checkActionsRuntime");
+const CONSTANTS = require("../../analyzer/lib/constants");
+
+describe("checkActionsRuntime", function () {
+  it("should not return a report when no actions are provided", function () {
+    const options = {};
+
+    checkActionsRuntime(options, (report) => {
+      expect(report).to.deep.equal([]);
+    });
+  });
+
+  it("should return a failure report for actions with outdated Node.js versions", function () {
+    const options = {
+      actions: {
+        actions: [
+          {
+            id: "0cdb84c6-9faf-4344-b1c5-affa9db5a63f",
+            name: "Custom Phone Provider",
+            runtime: "node16", // Outdated version
+            supported_triggers: [
+              { id: "custom-phone-provider", version: "v1" },
+            ],
+          },
+          {
+            id: "89df9e29-d521-43f4-9b80-8a8f9623ad39",
+            name: "Console Log",
+            runtime: "node22", // Valid version
+            supported_triggers: [{ id: "post-login", version: "v3" }],
+          },
+        ],
+      },
+    };
+
+    checkActionsRuntime(options, (report) => {
+      expect(report).to.deep.equal([
+        {
+          name: "Custom Phone Provider (custom-phone-provider)",
+          field: "old_node_version",
+          status: CONSTANTS.FAIL,
+          value: 16,
+        },
+      ]);
+    });
+  });
+
+  it("should not return a report for actions with valid Node.js versions", function () {
+    const options = {
+      actions: {
+        actions: [
+          {
+            id: "0cdb84c6-9faf-4344-b1c5-affa9db5a63f",
+            name: "Custom Phone Provider",
+            runtime: "node22", // Valid version
+            supported_triggers: [
+              { id: "custom-phone-provider", version: "v1" },
+            ],
+          },
+          {
+            id: "89df9e29-d521-43f4-9b80-8a8f9623ad39",
+            name: "Console Log",
+            runtime: "node22", // Valid version
+            supported_triggers: [{ id: "post-login", version: "v3" }],
+          },
+        ],
+      },
+    };
+
+    checkActionsRuntime(options, (report) => {
+      expect(report).to.deep.equal([]);
+    });
+  });
+
+  it("should return a failure report for actions with outdated Node.js versions and correct trigger names", function () {
+    const options = {
+      actions: {
+        actions: [
+          {
+            id: "7d24512b-aa56-4ddc-8b51-68583110c5fa",
+            name: "action example 1",
+            runtime: "node17", // Outdated version
+            supported_triggers: [{ id: "post-login", version: "v3" }],
+          },
+        ],
+      },
+    };
+
+    checkActionsRuntime(options, (report) => {
+      expect(report).to.deep.equal([
+        {
+          name: "action example 1 (post-login)",
+          field: "old_node_version",
+          status: CONSTANTS.FAIL,
+          value: 17,
+        },
+      ]);
+    });
+  });
+});

package/tests/actions/checkDependencies.test.js

@@ -0,0 +1,131 @@
+const { expect } = require("chai");
+const checkDependencies = require("../../analyzer/lib/actions/checkDependencies");
+const CONSTANTS = require("../../analyzer/lib/constants");
+
+// Directly mock the getActionDependencies function
+describe("checkDependencies", function () {
+  let originalGetActionDependencies;
+
+  // Save the original method to restore after each test
+  beforeEach(function () {
+    // Mock the getActionDependencies function
+    originalGetActionDependencies =
+      require("../../analyzer/tools/helpers").getActionDependencies;
+  });
+
+  afterEach(function () {
+    // Restore the original function after each test
+    require("../../analyzer/tools/helpers").getActionDependencies =
+      originalGetActionDependencies;
+  });
+
+  it("should return an empty report if no actions are provided", async function () {
+    const callback = (report) => {
+      // Assert that the report is empty
+      expect(report).to.be.an("array").that.is.empty;
+    };
+    await checkDependencies({ actions: [] }, callback);
+  });
+
+  it("should return an empty report if actions list is empty", async function () {
+    const callback = (report) => {
+      // Assert that the report is empty
+      expect(report).to.be.an("array").that.is.empty;
+    };
+    await checkDependencies({ actions: { actions: [] } }, callback);
+  });
+
+  it("should return a report with dependency vulnerabilities when high or critical vulnerabilities are found", async function () {
+    // Mocking the getActionDependencies to simulate vulnerabilities in dependencies
+    require("../../analyzer/tools/auth0").getActionDependencies = async () => [
+      {
+        actionName: "Custom Phone Provider",
+        trigger: "custom-phone-provider",
+        vulnFindings: [
+          { severity: "high", name: "aws-sdk", version: "2.1448.0" },
+          { severity: "low", name: "lodash", version: "4.17.21" },
+        ],
+      },
+    ];
+
+    const callback = (report) => {
+      expect(report.details).to.have.lengthOf(1);
+      expect(report.details[0]).to.deep.equal({
+        name: "Custom Phone Provider (custom-phone-provider-action)",
+        field: "dependency_with_vuln",
+        status: CONSTANTS.FAIL,
+        value: "aws-sdk version 2.1448.0",
+      });
+    };
+
+    await checkDependencies(
+      {
+        actions: {
+          actions: [
+            {
+              id: "0cdb84c6",
+              name: "Custom Phone Provider",
+              dependencies: [
+                {
+                  name: "aws-sdk",
+                  version: "2.1448.0",
+                },
+              ],
+              supported_triggers: [
+                {
+                  id: "custom-phone-provider",
+                  version: "v1",
+                },
+              ],
+            },
+          ],
+        },
+      },
+      callback,
+    );
+  });
+
+  it("should not return any vulnerabilities if no high or critical vulnerabilities are found", async function () {
+    // Mocking the getActionDependencies to simulate no critical or high vulnerabilities
+    require("../../analyzer/tools/auth0").getActionDependencies = async () => [
+      {
+        actionName: "Console Log",
+        trigger: "post-login",
+        vulnFindings: [
+          { severity: "low", name: "aws-sdk", version: "2.1448.0" },
+        ],
+      },
+    ];
+
+    const callback = (report) => {
+      // The report should be empty (no high/critical vulnerabilities)
+      expect(report.details).to.be.an("array").that.is.empty;
+    };
+
+    await checkDependencies(
+      {
+        actions: {
+          actions: [
+            {
+              id: "89df9e29",
+              name: "Console Log",
+              dependencies: [
+                {
+                  name: "aws-sdk",
+                  version: "2.1448.0",
+                },
+              ],
+              supported_triggers: [
+                {
+                  id: "post-login",
+                  version: "v1",
+                },
+              ],
+            },
+          ],
+        },
+      },
+      callback,
+    );
+  });
+});

package/tests/attack_protection/checkBreachedPassword.test.js

@@ -0,0 +1,253 @@
+const { expect } = require("chai");
+const checkBreachedPassword = require("../../analyzer/lib/attack_protection/checkBreachedPassword");
+const CONSTANTS = require("../../analyzer/lib/constants");
+
+describe("checkBreachedPassword", function () {
+  it("should return a success when breachedPasswordDetection is enabled and correctly configured", function () {
+    const options = {
+      attackProtection: {
+        breachedPasswordDetection: {
+          enabled: true,
+          shields: ["user_notification", "admin_notification", "block"],
+          admin_notification_frequency: ["daily", "weekly"],
+          method: "standard",
+          stage: {
+            "pre-user-registration": {
+              shields: ["block", "admin_notification"],
+            },
+            "pre-change-password": {
+              shields: ["block"],
+            },
+          },
+        },
+      },
+    };
+
+    checkBreachedPassword(options, (report) => {
+      // Check if the report contains the expected success statuses for all fields
+      expect(report).to.deep.include({
+        field: "enabled",
+        status: CONSTANTS.SUCCESS,
+      });
+      expect(report).to.deep.include({
+        field: "shields_values",
+        status: CONSTANTS.SUCCESS,
+      });
+      expect(report).to.deep.include({
+        field: "admin_frequency_values",
+        status: CONSTANTS.SUCCESS,
+      });
+      expect(report).to.deep.include({
+        field: "method_value",
+        status: CONSTANTS.SUCCESS,
+      });
+      expect(report).to.deep.include({
+        field: "stage_pre_user_shields",
+        status: CONSTANTS.SUCCESS,
+      });
+      expect(report).to.deep.include({
+        field: "stage_pre_change_password_shields",
+        status: CONSTANTS.SUCCESS,
+      });
+    });
+  });
+
+  it("should return failure when breachedPasswordDetection is disabled", function () {
+    const options = {
+      attackProtection: {
+        breachedPasswordDetection: {
+          enabled: false,
+          shields: ["user_notification"],
+          admin_notification_frequency: ["daily"],
+          method: "standard",
+          stage: {
+            "pre-user-registration": {
+              shields: ["block"],
+            },
+            "pre-change-password": {
+              shields: ["block"],
+            },
+          },
+        },
+      },
+    };
+
+    checkBreachedPassword(options, (report) => {
+      expect(report).to.deep.include({
+        field: "disabled",
+        status: CONSTANTS.FAIL,
+      });
+    });
+  });
+
+  it("should return failure when shields have invalid values", function () {
+    const options = {
+      attackProtection: {
+        breachedPasswordDetection: {
+          enabled: true,
+          shields: ["user_notification", "invalid_shield"],
+          admin_notification_frequency: ["daily"],
+          method: "standard",
+          stage: {
+            "pre-user-registration": {
+              shields: ["block"],
+            },
+          },
+        },
+      },
+    };
+
+    checkBreachedPassword(options, (report) => {
+      expect(report).to.deep.include({
+        field: "shields_invalid_values",
+        status: CONSTANTS.FAIL,
+      });
+    });
+  });
+
+  it("should return failure when admin_notification_frequency has invalid values", function () {
+    const options = {
+      attackProtection: {
+        breachedPasswordDetection: {
+          enabled: true,
+          shields: ["user_notification"],
+          admin_notification_frequency: ["invalid_frequency"],
+          method: "standard",
+          stage: {
+            "pre-user-registration": {
+              shields: ["block"],
+            },
+          },
+        },
+      },
+    };
+
+    checkBreachedPassword(options, (report) => {
+      expect(report).to.deep.include({
+        field: "admin_frequency_invalid_values",
+        status: CONSTANTS.FAIL,
+      });
+    });
+  });
+
+  it("should return failure when method is invalid", function () {
+    const options = {
+      attackProtection: {
+        breachedPasswordDetection: {
+          enabled: true,
+          shields: ["user_notification"],
+          admin_notification_frequency: ["daily"],
+          method: "invalid_method",
+          stage: {
+            "pre-user-registration": {
+              shields: ["block"],
+            },
+          },
+        },
+      },
+    };
+
+    checkBreachedPassword(options, (report) => {
+      expect(report).to.deep.include({
+        field: "method_invalid_value",
+        status: CONSTANTS.FAIL,
+      });
+    });
+  });
+
+  it("should return failure when pre-user-registration stage is missing or incorrectly configured", function () {
+    const options = {
+      attackProtection: {
+        breachedPasswordDetection: {
+          enabled: true,
+          shields: ["user_notification"],
+          admin_notification_frequency: ["daily"],
+          method: "standard",
+          stage: {},
+        },
+      },
+    };
+
+    checkBreachedPassword(options, (report) => {
+      expect(report).to.deep.include({
+        field: "stage_pre_user_missing",
+        status: CONSTANTS.FAIL,
+      });
+    });
+  });
+
+  it("should return failure when pre-user-registration shields are not configured", function () {
+    const options = {
+      attackProtection: {
+        breachedPasswordDetection: {
+          enabled: true,
+          shields: ["user_notification"],
+          admin_notification_frequency: ["daily"],
+          method: "standard",
+          stage: {
+            "pre-user-registration": {
+              shields: [],
+            },
+          },
+        },
+      },
+    };
+
+    checkBreachedPassword(options, (report) => {
+      expect(report).to.deep.include({
+        field: "stage_pre_user_shields_not_configured",
+        status: CONSTANTS.FAIL,
+      });
+    });
+  });
+
+  it("should return failure when pre-change-password shields are not configured", function () {
+    const options = {
+      attackProtection: {
+        breachedPasswordDetection: {
+          enabled: true,
+          shields: ["user_notification"],
+          admin_notification_frequency: ["daily"],
+          method: "standard",
+          stage: {
+            "pre-change-password": {
+              shields: [],
+            },
+          },
+        },
+      },
+    };
+
+    checkBreachedPassword(options, (report) => {
+      expect(report).to.deep.include({
+        field: "stage_pre_change_password_shields_not_configured",
+        status: CONSTANTS.FAIL,
+      });
+    });
+  });
+
+  it("should return failure if shields are empty but monitoring mode is enabled", function () {
+    const options = {
+      attackProtection: {
+        breachedPasswordDetection: {
+          enabled: true,
+          shields: [],
+          admin_notification_frequency: ["daily"],
+          method: "standard",
+          stage: {
+            "pre-user-registration": {
+              shields: ["block"],
+            },
+          },
+        },
+      },
+    };
+
+    checkBreachedPassword(options, (report) => {
+      expect(report).to.deep.include({
+        field: "monitoring_mode",
+        status: CONSTANTS.FAIL,
+      });
+    });
+  });
+});