@auth0/auth0-checkmate 1.4.0

package/analyzer/lib/executeCheck.js

@@ -0,0 +1,12 @@
+module.exports = function (name, checkFx) {
+  const result = {
+    checkName: name,
+    result: null,
+    details: [],
+    timestamp: Date.now(),
+  };
+  return checkFx(function callback(details) {
+    result.details = details;
+    return Promise.resolve(result);
+  });
+};

package/analyzer/lib/hooks/checkHooks.js

@@ -0,0 +1,43 @@
+/*
+[
+  {
+    "id": "test",
+    "name": "test",
+    "script": "",
+        "dependencies": {},
+        "enabled": true,
+        "triggerId": "post-user-registration"
+      }
+    ]
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+function validateHooks(config) {
+  const report = [];
+  if (_.isEmpty(config)) {
+    report.push({
+      field: "no_enabled_hooks",
+      status: CONSTANTS.SUCCESS,
+    });
+    return report;
+  }
+  config.forEach((hook) => {
+    report.push({
+      name: hook.name,
+      value: hook.triggerId,
+      field: "enabled_hooks",
+      status: hook.enabled ? CONSTANTS.FAIL : CONSTANTS.SUCCESS,
+    });
+  });
+  // Return the validation report
+  return report;
+}
+function checkHooks(options) {
+  const { hooks } = options || [];
+  return executeCheck("checkHooks", (callback) => {
+    return callback(validateHooks(hooks));
+  });
+}
+module.exports = checkHooks;

package/analyzer/lib/listOfAnalyser.js

@@ -0,0 +1,24 @@
+const glob = require("glob");
+const path = require("path");
+// Array to hold the required modules
+let requiredModules = [];
+
+// Match only directories in the current directory
+const directories = glob.sync(path.join(__dirname, "/*/")); // Synchronously match directories in the current directory
+directories.forEach((directory) => {
+  // Match all files in each directory
+  const pathName = path.join(directory, "*.*");
+  const files = glob.sync(pathName); // Synchronously match files in the directory
+  files.forEach((file) => {
+    const filePath = path.resolve(file);
+    try {
+      const module = require(filePath); // Dynamically require the file
+      requiredModules.push(module); // Add the required module to the array
+    } catch (error) {
+      console.error(`Error requiring file: ${filePath}`, error);
+    }
+  });
+});
+
+// Export the required modules
+module.exports.checks = requiredModules;

package/analyzer/lib/log_streams/checkLogStream.js

@@ -0,0 +1,60 @@
+/*
+[
+  {
+    "id": "lst_0000000000014671",
+    "name": "Okta Logstream",
+    "type": "http",
+    "status": "active",
+    "filters": [
+      
+    ],
+    "isPriority": false
+  }
+]
+*/
+
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+function checkLogStream(options) {
+  const { logStreams } = options;
+  return executeCheck("checkLogStream", (callback) => {
+    const report = [];
+    const hasInsufficientScope = _.some(logStreams, {
+      errorCode: "insufficient_scope",
+    });
+    if (hasInsufficientScope) {
+      return callback(report);
+    }
+    if (_.isEmpty(logStreams)) {
+      report.push({
+        field: "log_stream_not_configured",
+        status: CONSTANTS.FAIL,
+      });
+    } else {
+      logStreams.forEach((stream) => {
+        if (stream.status === "active") {
+          report.push({
+            field: "log_stream_active",
+            name: stream.name,
+            type: stream.type,
+            stream_status: stream.status,
+            status: CONSTANTS.SUCCESS,
+          });
+        } else {
+          report.push({
+            field: "log_stream_inactive",
+            name: stream.name,
+            type: stream.type,
+            stream_status: stream.status,
+            status: CONSTANTS.FAIL,
+          });
+        }
+      });
+    }
+    return callback(report);
+  });
+}
+
+module.exports = checkLogStream;

package/analyzer/lib/logger.js

@@ -0,0 +1,16 @@
+const { format, createLogger, transports } = require("winston");
+
+const { combine, timestamp, colorize } = format;
+const logger = createLogger({
+  level: process.env.DEBUG === "true" ? "debug" : "info",
+  format: combine(
+    colorize(),
+    timestamp(),
+    format.printf(
+      (info) => `${info.timestamp} - ${info.level}: ${info.message}`,
+    ),
+  ),
+  transports: [new transports.Console()],
+  exitOnError: false,
+});
+module.exports = logger;

package/analyzer/lib/multifactor/checkGuardianFactors.js

@@ -0,0 +1,72 @@
+/*
+[
+  {
+    "name": "sms",
+    "enabled": false,
+    "trial_expired": false
+  },
+  {
+    "name": "push-notification",
+    "enabled": false,
+    "trial_expired": false
+  },
+  {
+    "name": "otp",
+    "enabled": true,
+    "trial_expired": false
+  },
+  {
+    "name": "email",
+    "enabled": false,
+    "trial_expired": false
+  },
+  {
+    "name": "duo",
+    "enabled": false,
+    "trial_expired": false
+  },
+  {
+    "name": "webauthn-roaming",
+    "enabled": false,
+    "trial_expired": false
+  },
+  {
+    "name": "webauthn-platform",
+    "enabled": false,
+    "trial_expired": false
+  },
+  {
+    "name": "recovery-code",
+    "enabled": false,
+    "trial_expired": false
+  }
+]
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+function checkGuardianFactors(options) {
+  const { guardianFactors } = options || {};
+  return executeCheck("checkGuardianFactors", (callback) => {
+    const report = [];
+    const enabledFactors = _.map(
+      _.filter(guardianFactors, { enabled: true }),
+      "name",
+    );
+    if (_.isEmpty(enabledFactors)) {
+      report.push({
+        field: "mfa_factors_not_enabled",
+        status: CONSTANTS.FAIL,
+      });
+    } else {
+      report.push({
+        field: "mfa_factors_enabled",
+        value: enabledFactors.join(""),
+        status: CONSTANTS.SUCCESS,
+      });
+    }
+    return callback(report);
+  });
+}
+
+module.exports = checkGuardianFactors;

package/analyzer/lib/multifactor/checkGuardianPolicy.js

@@ -0,0 +1,40 @@
+/*
+[
+  "all-applications"
+]
+ */
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+function checkGuardianPolicy(options) {
+  const { guardianPolicies } = options || { policies: [] };
+  return executeCheck("checkGuardianPolicy", (callback) => {
+    const report = [];
+    if (_.isEmpty(guardianPolicies)) {
+      report.push({
+        field: "mfa_policy_set_to_never",
+        value: CONSTANTS.MULTIFACTOR_POLICY["empty"],
+        status: CONSTANTS.FAIL,
+      });
+      return callback(report);
+    }
+    const policies = guardianPolicies.policies || [];
+    if (_.isEmpty(policies)) {
+      policies.push("empty");
+      report.push({
+        field: "mfa_policy_set_to_never",
+        value: CONSTANTS.MULTIFACTOR_POLICY[policies.join("")],
+        status: CONSTANTS.FAIL,
+      });
+    } else {
+      report.push({
+        field: "mfa_policy_set",
+        value: CONSTANTS.MULTIFACTOR_POLICY[policies.join("")],
+        status: CONSTANTS.SUCCESS,
+      });
+    }
+    return callback(report);
+  });
+}
+
+module.exports = checkGuardianPolicy;

package/analyzer/lib/network_acl/checkNetworkACL.js

@@ -0,0 +1,35 @@
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+function checkNetworkACL(options) {
+  const { networkAcl } = options || [];
+  return executeCheck("checkNetworkACL", (callback) => {
+    const report = [];
+    const hasInsufficientScope = _.some(networkAcl, {
+      errorCode: "insufficient_scope",
+    });
+    if (hasInsufficientScope) {
+      return callback(report);
+    }
+    if (_.isEmpty(networkAcl)) {
+      report.push({
+        field: "no_network_acl",
+        status: CONSTANTS.FAIL,
+      });
+    } else {
+        networkAcl.forEach((acl) => {
+        if (!acl.active) {
+          report.push({
+            field: "network_acl_inactive",
+            name: acl.description.concat(`(${acl.acl_id})`),
+            status: CONSTANTS.FAIL,
+          });
+        }
+      });
+    }
+    return callback(report);
+  });
+}
+
+module.exports = checkNetworkACL;

package/analyzer/lib/rules/checkRules.js

@@ -0,0 +1,102 @@
+/*
+[
+  {
+    "id": "rul_IYlu62iBa6K52fBi",
+    "enabled": false,
+    "name": "Dump Rule",
+    "order": 1,
+    "stage": "login_success"
+  },
+  {
+    "id": "rul_RFtsxXcHptdfNytp",
+    "enabled": false,
+    "name": "auth0-account-link-extension",
+    "order": 7,
+    "stage": "login_success"
+  },
+  {
+    "id": "rul_PUbmUscnlFfvqWEo",
+    "enabled": false,
+    "name": "Link Accounts with Same Email Address while Merging Metadata",
+    "order": 6,
+    "stage": "login_success"
+  },
+  {
+    "id": "rul_2UMKolzalvxt4x5k",
+    "enabled": false,
+    "name": "Link Accounts with Same Email Address while Merging Metadata For FB",
+    "order": 11,
+    "stage": "login_success"
+  },
+  {
+    "id": "rul_U9tyXS894nPYxHPT",
+    "enabled": false,
+    "name": "redirect rule rule",
+    "order": 9,
+    "stage": "login_success"
+  },
+  {
+    "id": "rul_f4K2T8LBE5sdM6sk",
+    "enabled": false,
+    "name": "Add attributes to a user for facebook connection",
+    "order": 10,
+    "stage": "login_success"
+  },
+  {
+    "id": "rul_A892yaO7K5dpmzhr",
+    "enabled": false,
+    "name": "Redirect rule for capturing email",
+    "order": 13,
+    "stage": "login_success"
+  },
+  {
+    "id": "rul_Wcr19IorVdhsRfnc",
+    "enabled": false,
+    "name": "MYOB SAML",
+    "order": 15,
+    "stage": "login_success"
+  },
+  {
+    "id": "rul_YFDdYGJSIwMPzsZR",
+    "enabled": true,
+    "name": "Override SAML Certificate",
+    "order": 14,
+    "stage": "login_success"
+  }
+]
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+function validateRules(config) {
+  const report = [];
+  if (_.isEmpty(config)) {
+    report.push({
+      field: "no_enabled_rules",
+      status: CONSTANTS.SUCCESS,
+    });
+    return report;
+  }
+  config.forEach((rule) => {
+    if (rule.enabled) {
+      report.push({
+        name: rule.name,
+        value: rule.id,
+        field: "enabled_rules",
+        status: CONSTANTS.FAIL,
+      });
+    }
+    return;
+  });
+  // Return the validation report
+  return report;
+}
+function checkRules(options) {
+  const { rules } = options || [];
+  return executeCheck("checkRules", (callback) => {
+    const report = validateRules(rules);
+    return callback(report);
+  });
+}
+module.exports = checkRules;

package/analyzer/lib/tenant_settings/checkDefaultAudience.js

@@ -0,0 +1,53 @@
+/*
+{
+  "allowed_logout_urls": [
+    "https://contoso.com"
+  ],
+  "default_redirection_uri": "https://contoso.com/login",
+  "support_email": "",
+  "support_url": "",
+  "sandbox_version": "22",
+  "sandbox_versions_available": [
+    "22",
+    "18",
+    "16",
+    "12"
+  ]
+}
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+const defaultValues = {
+  allowed_logout_urls: [],
+  default_redirection_uri: [],
+  default_audience: "",
+  default_directory: "",
+  support_email: null,
+  support_url: null,
+};
+function checkDefaultAudience(options) {
+  const { tenant } = options || {};
+  return executeCheck("checkDefaultAudience", (callback) => {
+    const report = [];
+    const { default_audience } = _.defaultsDeep({}, tenant, defaultValues);
+    if (_.isNil(default_audience) || _.isEmpty(default_audience)) {
+      report.push({
+        field: "no_default_audience",
+        attr: "default_audience",
+        status: CONSTANTS.INFO,
+      });
+    } else {
+      report.push({
+        field: "default_audience",
+        attr: "default_audience",
+        value: default_audience,
+        status: CONSTANTS.FAIL,
+      });
+    }
+
+    return callback(report);
+  });
+}
+
+module.exports = checkDefaultAudience;

package/analyzer/lib/tenant_settings/checkDefaultDirectory.js

@@ -0,0 +1,48 @@
+/*
+{
+  "allowed_logout_urls": [
+    "https://contoso.com"
+  ],
+  "default_redirection_uri": "https://contoso.com/login",
+  "support_email": "",
+  "support_url": "",
+  "sandbox_version": "22",
+  "sandbox_versions_available": [
+    "22",
+    "18",
+    "16",
+    "12"
+  ]
+}
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+const defaultValues = {
+  allowed_logout_urls: [],
+  default_redirection_uri: [],
+  default_audience: "",
+  default_directory: "",
+  support_email: null,
+  support_url: null,
+};
+function checkDefaultDirectory(options) {
+  const { tenant } = options || {};
+  return executeCheck("checkDefaultDirectory", (callback) => {
+    const report = [];
+    const { default_directory } = _.defaultsDeep({}, tenant, defaultValues);
+    report.push({
+      field:
+        _.isNil(default_directory) || _.isEmpty(default_directory)
+          ? "no_default_directory"
+          : "default_directory",
+      attr: "default_directory",
+      value: default_directory,
+      status: _.isNil(default_directory) || _.isEmpty(default_directory) ? CONSTANTS.INFO : CONSTANTS.FAIL,
+    });
+    return callback(report);
+  });
+}
+
+module.exports = checkDefaultDirectory;

package/analyzer/lib/tenant_settings/checkEnabledDynamicClientRegistration.js

@@ -0,0 +1,60 @@
+
+/*
+{
+  "allowed_logout_urls": [
+    "https://contoso.com"
+  ],
+  "flags": {
+    "allow_changing_enable_sso": true,
+    "disable_impersonation": true,
+    "enable_dynamic_client_registration": true, // Can be false or undefined
+    "enable_sso": true,
+    "universal_login": true,
+    "revoke_refresh_token_grant": false,
+    "disable_clickjack_protection_headers": false
+  },
+  "default_redirection_uri": "https://contoso.com/login",
+  "support_email": "",
+  "support_url": "",
+  "sandbox_version": "22",
+  "sandbox_versions_available": [
+    "22",
+    "18",
+    "16",
+    "12"
+  ]
+}
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+function checkEnabledDynamicClientRegistration(options) {
+  const { tenant } = options || {};
+  return executeCheck("checkEnabledDynamicClientRegistration", (callback) => {
+    const report = [];
+    if (_.isEmpty(tenant)) {
+      report.push({
+        field: "tenant_setting_missing",
+        status: CONSTANTS.FAIL,
+      });
+      return callback(report);
+    }
+    const { flags } = tenant;
+
+    if (flags?.enable_dynamic_client_registration) {
+      report.push({
+        field: "enabled_dynamic_client_registration",
+        status: CONSTANTS.FAIL, //to surface this configuration in the report
+      });
+    } else {
+      report.push({
+        field: "enable_dynamic_client_registration",
+        status: CONSTANTS.FAIL,
+      });
+    }
+    return callback(report);
+  });
+}
+
+module.exports = checkEnabledDynamicClientRegistration;

package/analyzer/lib/tenant_settings/checkSandboxVersion.js

@@ -0,0 +1,37 @@
+/*
+{
+  "allowed_logout_urls": [
+    "https://contoso.com"
+  ],
+  "default_redirection_uri": "https://contoso.com/login",
+  "support_email": "",
+  "support_url": "",
+  "sandbox_version": "22",
+  "sandbox_versions_available": [
+    "22",
+    "18",
+    "16",
+    "12"
+  ]
+}
+*/
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+function checkSandboxVersion(options) {
+  const { tenant } = options || {};
+  return executeCheck("checkSandboxVersion", (callback) => {
+    const report = [];
+    const sandbox_version = Number(tenant.sandbox_version);
+    if (sandbox_version < CONSTANTS.MINIMUM_NODE_VERSION) {
+      report.push({
+        field: "sandbox_version",
+        attr: "sandbox_version",
+        value: sandbox_version,
+        status: CONSTANTS.FAIL,
+      });
+    }
+    return callback(report);
+  });
+}
+
+module.exports = checkSandboxVersion;