@j-schreiber/sf-cli-security-audit 0.11.0 → 0.11.2

package/lib/libs/{core/policies/settingsPolicy.js → audit-engine/registry/policies/settings.js}

@@ -1,14 +1,46 @@
+import z from 'zod';
 import { Messages } from '@salesforce/core';
-import { findSettingsName, SettingsRegistry } from '../registries/settings.js';
-import AnySettingsMetadata from '../mdapi/anySettingsMetadata.js';
-import Policy from './policy.js';
+import RuleRegistry from '../ruleRegistry.js';
+import EnforceSettings from '../rules/enforceSettings.js';
+import { MDAPI } from '../../../../salesforce/index.js';
+import Policy from '../policy.js';
 Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
 const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'policies.general');
+export class SettingsRuleRegistry extends RuleRegistry {
+    constructor() {
+        super({});
+    }
+    // eslint-disable-next-line class-methods-use-this
+    resolveRules(ruleObjs, auditContext) {
+        const result = { enabledRules: [], skippedRules: [], resolveErrors: [] };
+        Object.entries(ruleObjs).forEach(([ruleName, ruleConfig]) => {
+            const settingName = findSettingsName(ruleName);
+            if (settingName && ruleConfig.enabled) {
+                result.enabledRules.push(new EnforceSettings({
+                    auditConfig: auditContext,
+                    ruleDisplayName: ruleName,
+                    settingName,
+                    ruleConfig: SettingsRuleConfigSchema.parse(ruleConfig.options ?? {}),
+                }));
+            }
+            else if (!ruleConfig.enabled) {
+                result.skippedRules.push({ name: ruleName, skipReason: messages.getMessage('skip-reason.rule-not-enabled') });
+            }
+            else {
+                result.skippedRules.push({
+                    name: ruleName,
+                    skipReason: messages.getMessage('resolve-error.no-valid-settings-rule'),
+                });
+            }
+        });
+        return result;
+    }
+}
 export default class SettingsPolicy extends Policy {
     config;
     auditConfig;
-    constructor(config, auditConfig, registry = SettingsRegistry) {
-        super(config, auditConfig, registry);
+    constructor(config, auditConfig) {
+        super(config, auditConfig, new SettingsRuleRegistry());
         this.config = config;
         this.auditConfig = auditConfig;
     }
@@ -19,22 +51,22 @@ export default class SettingsPolicy extends Policy {
             resolved: 0,
         });
         const settingNames = extractSettingNames(this.config.rules);
-        const settingsRetriever = new AnySettingsMetadata(context.targetOrgConnection);
-        const actuallyResolvedSettings = await settingsRetriever.resolve(settingNames);
+        const settingsRetriever = MDAPI.create(context.targetOrgConnection);
+        const actuallyResolvedSettings = await settingsRetriever.resolve('Settings', settingNames);
         this.removeInvalidSettingsFromResolvedRules(actuallyResolvedSettings);
         this.emit('entityresolve', {
             total: numberOfRules,
             resolved: actuallyResolvedSettings.size,
         });
         return {
-            resolvedEntities: convertToRecord(actuallyResolvedSettings),
+            resolvedEntities: actuallyResolvedSettings,
             ignoredEntities: findIgnoredEntities(actuallyResolvedSettings, this.config.rules),
         };
     }
     removeInvalidSettingsFromResolvedRules(validSettings) {
         this.resolvedRules.enabledRules.forEach((rule, index) => {
             if (isEnforceSettingsRule(rule)) {
-                if (!validSettings.has(rule.settingName)) {
+                if (!validSettings[rule.settingName]) {
                     this.resolvedRules.enabledRules.splice(index, 1);
                     this.resolvedRules.skippedRules.push({
                         name: rule.ruleDisplayName,
@@ -48,13 +80,6 @@ export default class SettingsPolicy extends Policy {
 function isEnforceSettingsRule(cls) {
     return cls.ruleDisplayName !== undefined;
 }
-function convertToRecord(settingsMap) {
-    const result = {};
-    for (const [settingsName, settingsValue] of settingsMap.entries()) {
-        result[settingsName] = settingsValue;
-    }
-    return result;
-}
 function findIgnoredEntities(settingsMap, rules) {
     const result = new Array();
     for (const ruleName of Object.keys(rules)) {
@@ -62,7 +87,7 @@ function findIgnoredEntities(settingsMap, rules) {
         if (!maybeName) {
             continue;
         }
-        if (!settingsMap.has(maybeName) || !settingsMap.get(maybeName)) {
+        if (!settingsMap[maybeName]) {
             result.push({ name: maybeName, message: messages.getMessage('resolve-error.failed-to-resolve-setting') });
         }
     }
@@ -78,4 +103,9 @@ function extractSettingNames(rules) {
     }
     return names;
 }
-//# sourceMappingURL=settingsPolicy.js.map
+function findSettingsName(ruleName) {
+    const match = /^Enforce(.+)Settings$/.exec(ruleName);
+    return match ? match[1] : null;
+}
+const SettingsRuleConfigSchema = z.record(z.string(), z.unknown());
+//# sourceMappingURL=settings.js.map

package/lib/libs/audit-engine/registry/policies/settings.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"settings.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/policies/settings.ts"],"names":[],"mappings":"AAAA,OAAO,CAAC,MAAM,KAAK,CAAC;AACpB,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,YAA2C,MAAM,oBAAoB,CAAC;AAC7E,OAAO,eAAe,MAAM,6BAA6B,CAAC;AAC1D,OAAO,EAAE,KAAK,EAAiB,MAAM,iCAAiC,CAAC;AACvE,OAAO,MAA+B,MAAM,cAAc,CAAC;AAM3D,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,kBAAkB,CAAC,CAAC;AAIjG,MAAM,OAAO,oBAAqB,SAAQ,YAAY;IACpD;QACE,KAAK,CAAC,EAAE,CAAC,CAAC;IACZ,CAAC;IAED,kDAAkD;IAClC,YAAY,CAC1B,QAA+B,EAC/B,YAA4B;QAE5B,MAAM,MAAM,GAA8B,EAAE,YAAY,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,aAAa,EAAE,EAAE,EAAE,CAAC;QACpG,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE,UAAU,CAAC,EAAE,EAAE;YAC1D,MAAM,WAAW,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;YAC/C,IAAI,WAAW,IAAI,UAAU,CAAC,OAAO,EAAE,CAAC;gBACtC,MAAM,CAAC,YAAY,CAAC,IAAI,CACtB,IAAI,eAAe,CAAC;oBAClB,WAAW,EAAE,YAAY;oBACzB,eAAe,EAAE,QAAQ;oBACzB,WAAW;oBACX,UAAU,EAAE,wBAAwB,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,IAAI,EAAE,CAAC;iBACrE,CAAC,CACH,CAAC;YACJ,CAAC;iBAAM,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;gBAC/B,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,CAAC,UAAU,CAAC,8BAA8B,CAAC,EAAE,CAAC,CAAC;YAChH,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC;oBACvB,IAAI,EAAE,QAAQ;oBACd,UAAU,EAAE,QAAQ,CAAC,UAAU,CAAC,sCAAsC,CAAC;iBACxE,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;QACH,OAAO,MAAM,CAAC;IAChB,CAAC;CACF;AAED,MAAM,CAAC,OAAO,OAAO,cAAe,SAAQ,MAAyB;IACzC;IAA6B;IAAvD,YAA0B,MAAoB,EAAS,WAA2B;QAChF,KAAK,CAAC,MAAM,EAAE,WAAW,EAAE,IAAI,oBAAoB,EAAE,CAAC,CAAC;QAD/B,WAAM,GAAN,MAAM,CAAc;QAAS,gBAAW,GAAX,WAAW,CAAgB;IAElF,CAAC;IAES,KAAK,CAAC,eAAe,CAAC,OAAqB;QACnD,MAAM,aAAa,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC;QAC5D,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;YACzB,KAAK,EAAE,aAAa;YACpB,QAAQ,EAAE,CAAC;SACZ,CAAC,CAAC;QACH,MAAM,YAAY,GAAG,mBAAmB,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC5D,MAAM,iBAAiB,GAAG,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;QACpE,MAAM,wBAAwB,GAAG,MAAM,iBAAiB,CAAC,OAAO,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;QAC3F,IAAI,CAAC,sCAAsC,CAAC,wBAAwB,CAAC,CAAC;QACtE,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;YACzB,KAAK,EAAE,aAAa;YACpB,QAAQ,EAAE,wBAAwB,CAAC,IAAI;SACxC,CAAC,CAAC;QACH,OAAO;YACL,gBAAgB,EAAE,wBAAwB;YAC1C,eAAe,EAAE,mBAAmB,CAAC,wBAAwB,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC;SAClF,CAAC;IACJ,CAAC;IAEO,sCAAsC,CAAC,aAAgD;QAC7F,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;YACtD,IAAI,qBAAqB,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;oBACrC,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;oBACjD,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,IAAI,CAAC;wBACnC,IAAI,EAAE,IAAI,CAAC,eAAe;wBAC1B,UAAU,EAAE,QAAQ,CAAC,UAAU,CAAC,uCAAuC,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;qBAC7F,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AAED,SAAS,qBAAqB,CAAC,GAAY;IACzC,OAAQ,GAAuB,CAAC,eAAe,KAAK,SAAS,CAAC;AAChE,CAAC;AAED,SAAS,mBAAmB,CAC1B,WAA8C,EAC9C,KAA4B;IAE5B,MAAM,MAAM,GAAG,IAAI,KAAK,EAAsB,CAAC;IAC/C,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1C,MAAM,SAAS,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QAC7C,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,SAAS;QACX,CAAC;QACD,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC;YAC5B,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,yCAAyC,CAAC,EAAE,CAAC,CAAC;QAC5G,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,mBAAmB,CAAC,KAA4B;IACvD,MAAM,KAAK,GAAG,EAAE,CAAC;IACjB,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1C,MAAM,SAAS,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QAC7C,IAAI,SAAS,EAAE,CAAC;YACd,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACxB,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,gBAAgB,CAAC,QAAgB;IACxC,MAAM,KAAK,GAAG,uBAAuB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACrD,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACjC,CAAC;AAED,MAAM,wBAAwB,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC"}

package/lib/libs/audit-engine/registry/policies/users.d.ts

@@ -0,0 +1,19 @@
+import RuleRegistry from '../ruleRegistry.js';
+import { User } from '../../../../salesforce/index.js';
+import Policy, { ResolveEntityResult } from '../policy.js';
+import { AuditContext } from '../context.types.js';
+import { UserPolicyConfig, UserPrivilegeLevel } from '../shape/schema.js';
+import { AuditRunConfig } from '../shape/auditConfigShape.js';
+export type ResolvedUser = User & {
+    role: UserPrivilegeLevel;
+};
+export default class UsersPolicy extends Policy<ResolvedUser> {
+    config: UserPolicyConfig;
+    auditConfig: AuditRunConfig;
+    private totalEntities;
+    private readonly classifications;
+    private readonly resolveOptions;
+    constructor(config: UserPolicyConfig, auditConfig: AuditRunConfig, registry: RuleRegistry);
+    protected resolveEntities(context: AuditContext): Promise<ResolveEntityResult<ResolvedUser>>;
+    private finaliseResolvedUsers;
+}

package/lib/libs/audit-engine/registry/policies/users.js

@@ -0,0 +1,76 @@
+import { Messages } from '@salesforce/core';
+import { Users } from '../../../../salesforce/index.js';
+import Policy, { getTotal } from '../policy.js';
+import { UserPrivilegeLevel } from '../shape/schema.js';
+Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
+const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'policies.general');
+export default class UsersPolicy extends Policy {
+    config;
+    auditConfig;
+    totalEntities;
+    classifications;
+    resolveOptions;
+    constructor(config, auditConfig, registry) {
+        super(config, auditConfig, registry);
+        this.config = config;
+        this.auditConfig = auditConfig;
+        this.classifications = this.auditConfig.classifications.users?.users ?? {};
+        this.totalEntities = Object.keys(this.classifications).length;
+        this.resolveOptions = buildResolveOptions(this.config);
+    }
+    async resolveEntities(context) {
+        this.emit('entityresolve', {
+            total: this.totalEntities,
+            resolved: 0,
+        });
+        const usersRepo = new Users(context.targetOrgConnection);
+        const allUsersOnOrg = await usersRepo.resolve(this.resolveOptions);
+        this.totalEntities = allUsersOnOrg.size;
+        this.emit('entityresolve', {
+            total: this.totalEntities,
+            resolved: 0,
+        });
+        const result = this.finaliseResolvedUsers(allUsersOnOrg);
+        this.emit('entityresolve', {
+            total: this.totalEntities,
+            resolved: getTotal(result),
+        });
+        return result;
+    }
+    finaliseResolvedUsers(users) {
+        const resolvedEntities = {};
+        const ignoredEntities = {};
+        for (const user of users.values()) {
+            const finalUser = {
+                ...user,
+                role: this.classifications[user.username]?.role ?? this.config.options.defaultRoleForMissingUsers,
+            };
+            if (finalUser.role === UserPrivilegeLevel.UNKNOWN) {
+                ignoredEntities[user.username] = {
+                    name: user.username,
+                    message: messages.getMessage('user-with-role-unknown'),
+                };
+            }
+            else {
+                resolvedEntities[user.username] = finalUser;
+            }
+        }
+        return { resolvedEntities, ignoredEntities: Object.values(ignoredEntities) };
+    }
+}
+function buildResolveOptions(policyConfig) {
+    const opts = {};
+    if (policyConfig.rules['NoOtherApexApiLogins'] || policyConfig.rules['NoInactiveUsers']) {
+        opts.withLoginHistory = true;
+        opts.loginHistoryDaysToAnalyse = policyConfig.options.analyseLastNDaysOfLoginHistory;
+    }
+    if (policyConfig.rules['EnforcePermissionPresets']) {
+        opts.withPermissions = true;
+    }
+    if (policyConfig.rules['EnforcePermissionClassifications']) {
+        opts.withPermissions = true;
+        opts.withPermissionsMetadata = true;
+    }
+    return opts;
+}
+//# sourceMappingURL=users.js.map

package/lib/libs/audit-engine/registry/policies/users.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"users.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/policies/users.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C,OAAO,EAA6B,KAAK,EAAE,MAAM,iCAAiC,CAAC;AACnF,OAAO,MAAM,EAAE,EAAE,QAAQ,EAAuB,MAAM,cAAc,CAAC;AAGrE,OAAO,EAAyC,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAG/F,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,kBAAkB,CAAC,CAAC;AAMjG,MAAM,CAAC,OAAO,OAAO,WAAY,SAAQ,MAAoB;IAKjC;IAAiC;IAJnD,aAAa,CAAS;IACb,eAAe,CAAsB;IACrC,cAAc,CAA+B;IAE9D,YAA0B,MAAwB,EAAS,WAA2B,EAAE,QAAsB;QAC5G,KAAK,CAAC,MAAM,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;QADb,WAAM,GAAN,MAAM,CAAkB;QAAS,gBAAW,GAAX,WAAW,CAAgB;QAEpF,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,KAAK,EAAE,KAAK,IAAI,EAAE,CAAC;QAC3E,IAAI,CAAC,aAAa,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,MAAM,CAAC;QAC9D,IAAI,CAAC,cAAc,GAAG,mBAAmB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACzD,CAAC;IAES,KAAK,CAAC,eAAe,CAAC,OAAqB;QACnD,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;YACzB,KAAK,EAAE,IAAI,CAAC,aAAa;YACzB,QAAQ,EAAE,CAAC;SACZ,CAAC,CAAC;QACH,MAAM,SAAS,GAAG,IAAI,KAAK,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;QACzD,MAAM,aAAa,GAAG,MAAM,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QACnE,IAAI,CAAC,aAAa,GAAG,aAAa,CAAC,IAAI,CAAC;QACxC,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;YACzB,KAAK,EAAE,IAAI,CAAC,aAAa;YACzB,QAAQ,EAAE,CAAC;SACZ,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,qBAAqB,CAAC,aAAa,CAAC,CAAC;QACzD,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;YACzB,KAAK,EAAE,IAAI,CAAC,aAAa;YACzB,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC;SAC3B,CAAC,CAAC;QACH,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,qBAAqB,CAAC,KAAwB;QACpD,MAAM,gBAAgB,GAAiC,EAAE,CAAC;QAC1D,MAAM,eAAe,GAAuC,EAAE,CAAC;QAC/D,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC;YAClC,MAAM,SAAS,GAAiB;gBAC9B,GAAG,IAAI;gBACP,IAAI,EAAE,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,IAAI,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,0BAA0B;aAClG,CAAC;YACF,IAAI,SAAS,CAAC,IAAI,KAAK,kBAAkB,CAAC,OAAO,EAAE,CAAC;gBAClD,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG;oBAC/B,IAAI,EAAE,IAAI,CAAC,QAAQ;oBACnB,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,wBAAwB,CAAC;iBACvD,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,gBAAgB,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,SAAS,CAAC;YAC9C,CAAC;QACH,CAAC;QACD,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,CAAC,MAAM,CAAC,eAAe,CAAC,EAAE,CAAC;IAC/E,CAAC;CACF;AAED,SAAS,mBAAmB,CAAC,YAA8B;IACzD,MAAM,IAAI,GAAiC,EAAE,CAAC;IAC9C,IAAI,YAAY,CAAC,KAAK,CAAC,sBAAsB,CAAC,IAAI,YAAY,CAAC,KAAK,CAAC,iBAAiB,CAAC,EAAE,CAAC;QACxF,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC;QAC7B,IAAI,CAAC,yBAAyB,GAAG,YAAY,CAAC,OAAO,CAAC,8BAA8B,CAAC;IACvF,CAAC;IACD,IAAI,YAAY,CAAC,KAAK,CAAC,0BAA0B,CAAC,EAAE,CAAC;QACnD,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC;IAC9B,CAAC;IACD,IAAI,YAAY,CAAC,KAAK,CAAC,kCAAkC,CAAC,EAAE,CAAC;QAC3D,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC;QAC5B,IAAI,CAAC,uBAAuB,GAAG,IAAI,CAAC;IACtC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/lib/libs/{core/policies → audit-engine/registry}/policy.d.ts

@@ -1,19 +1,20 @@
 import EventEmitter from 'node:events';
-import { AuditPolicyResult, EntityResolveError } from '../result-types.js';
-import { AuditRunConfig, BasePolicyFileContent } from '../file-mgmt/schema.js';
-import RuleRegistry, { RegistryRuleResolveResult } from '../registries/ruleRegistry.js';
-import { AuditContext, IPolicy, RowLevelPolicyRule } from '../registries/types.js';
+import RuleRegistry, { RegistryRuleResolveResult } from './ruleRegistry.js';
+import { AuditPolicyResult, EntityResolveError } from './result.types.js';
+import { AuditContext, IPolicy, RowLevelPolicyRule } from './context.types.js';
+import { PolicyConfig } from './shape/schema.js';
+import { AuditRunConfig } from './shape/auditConfigShape.js';
 export type ResolveEntityResult<T> = {
     resolvedEntities: Record<string, T>;
     ignoredEntities: EntityResolveError[];
 };
 export default abstract class Policy<T> extends EventEmitter implements IPolicy {
-    config: BasePolicyFileContent;
+    config: PolicyConfig;
     auditConfig: AuditRunConfig;
     protected registry: RuleRegistry;
     protected resolvedRules: RegistryRuleResolveResult;
     protected entities?: ResolveEntityResult<T>;
-    constructor(config: BasePolicyFileContent, auditConfig: AuditRunConfig, registry: RuleRegistry);
+    constructor(config: PolicyConfig, auditConfig: AuditRunConfig, registry: RuleRegistry);
     getExecutableRules(): Array<RowLevelPolicyRule<T>>;
     /**
      * Resolves all entities of the policy.

package/lib/libs/{core/policies → audit-engine/registry}/policy.js

@@ -97,6 +97,8 @@ function evalResolvedEntities(ruleResult, entities) {
         violatedEntities: ruleResult.violatedEntities ?? Array.from(violatedEntities),
     };
 }
+// TODO: Can be removed when policy emit their resolve result
+// and we propagate this as an aggregated resolve status
 export function getTotal(resolveResult) {
     const resolvedCount = resolveResult.resolvedEntities ? Object.keys(resolveResult.resolvedEntities).length : 0;
     const ignoredCount = resolveResult.ignoredEntities ? resolveResult.ignoredEntities.length : 0;

package/lib/libs/audit-engine/registry/policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.js","sourceRoot":"","sources":["../../../../src/libs/audit-engine/registry/policy.ts"],"names":[],"mappings":"AAAA,OAAO,YAAY,MAAM,aAAa,CAAC;AAYvC,MAAM,CAAC,OAAO,OAAgB,MAAU,SAAQ,YAAY;IAKjD;IACA;IACG;IANF,aAAa,CAA4B;IACzC,QAAQ,CAA0B;IAE5C,YACS,MAAoB,EACpB,WAA2B,EACxB,QAAsB;QAEhC,KAAK,EAAE,CAAC;QAJD,WAAM,GAAN,MAAM,CAAc;QACpB,gBAAW,GAAX,WAAW,CAAgB;QACxB,aAAQ,GAAR,QAAQ,CAAc;QAGhC,IAAI,CAAC,aAAa,GAAG,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;IACxE,CAAC;IAEM,kBAAkB;QACvB,OAAO,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC;IACzC,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,OAAO,CAAC,OAAqB;QACxC,yEAAyE;QACzE,4DAA4D;QAC5D,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACzB,OAAO,EAAE,gBAAgB,EAAE,EAAE,EAAE,eAAe,EAAE,EAAE,EAAE,CAAC;QACvD,CAAC;QACD,IAAI,CAAC,QAAQ,KAAK,MAAM,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;QACtD,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;IAED;;;;;;OAMG;IACI,KAAK,CAAC,GAAG,CAAC,OAAqB;QACpC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACzB,OAAO;gBACL,WAAW,EAAE,IAAI;gBACjB,OAAO,EAAE,KAAK;gBACd,aAAa,EAAE,EAAE;gBACjB,YAAY,EAAE,EAAE;gBAChB,eAAe,EAAE,EAAE;gBACnB,eAAe,EAAE,EAAE;aACpB,CAAC;QACJ,CAAC;QACD,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAClD,MAAM,kBAAkB,GAAG,IAAI,KAAK,EAAoC,CAAC;QACzE,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,aAAa,CAAC,YAAY,EAAE,CAAC;YACnD,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,GAAG,OAAO,EAAE,gBAAgB,EAAE,aAAa,CAAC,gBAAgB,EAAE,CAAC,CAAC,CAAC;QACtG,CAAC;QACD,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;QAC1D,MAAM,aAAa,GAA8C,EAAE,CAAC;QACpE,KAAK,MAAM,UAAU,IAAI,WAAW,EAAE,CAAC;YACrC,6EAA6E;YAC7E,MAAM,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,GAAG,oBAAoB,CAAI,UAAU,EAAE,aAAa,CAAC,CAAC;YACnG,aAAa,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG;gBACnC,GAAG,UAAU;gBACb,WAAW,EAAE,UAAU,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC;gBAC/C,iBAAiB;gBACjB,gBAAgB;aACjB,CAAC;QACJ,CAAC;QACD,OAAO;YACL,WAAW,EAAE,WAAW,CAAC,aAAa,CAAC;YACvC,OAAO,EAAE,IAAI;YACb,aAAa;YACb,YAAY,EAAE,IAAI,CAAC,aAAa,CAAC,YAAY;YAC7C,eAAe,EAAE,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,gBAAgB,CAAC;YAC5D,eAAe,EAAE,aAAa,CAAC,eAAe;SAC/C,CAAC;IACJ,CAAC;CAGF;AAED,SAAS,WAAW,CAAC,WAAsD;IACzE,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IACxC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,UAAU,EAAE,EAAE,CAAC,OAAO,IAAI,UAAU,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;AACtG,CAAC;AAED,SAAS,oBAAoB,CAC3B,UAAmC,EACnC,QAAgC;IAEhC,MAAM,iBAAiB,GAAa,EAAE,CAAC;IACvC,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAU,CAAC;IAC3C,UAAU,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;QACpC,IAAI,GAAG,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9B,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC,CAAC,CAAC;IACH,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC,OAAO,CAAC,CAAC,gBAAgB,EAAE,EAAE;QAClE,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,gBAAgB,CAAC,EAAE,CAAC;YAC5C,iBAAiB,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC,CAAC,CAAC;IACH,OAAO;QACL,iBAAiB,EAAE,UAAU,CAAC,iBAAiB,IAAI,iBAAiB;QACpE,gBAAgB,EAAE,UAAU,CAAC,gBAAgB,IAAI,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC;KAC9E,CAAC;AACJ,CAAC;AAED,6DAA6D;AAC7D,wDAAwD;AACxD,MAAM,UAAU,QAAQ,CAAC,aAA2C;IAClE,MAAM,aAAa,GAAG,aAAa,CAAC,gBAAgB,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,gBAAgB,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IAC9G,MAAM,YAAY,GAAG,aAAa,CAAC,eAAe,CAAC,CAAC,CAAC,aAAa,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IAC9F,OAAO,aAAa,GAAG,YAAY,CAAC;AACtC,CAAC"}

package/lib/libs/{core/result-types.d.ts → audit-engine/registry/result.types.d.ts}

@@ -1,4 +1,4 @@
-import { AuditRunConfigPolicies } from './file-mgmt/schema.js';
+import { AuditRunConfig } from './shape/auditConfigShape.js';
 /**
  * A single violation from a policy rule execution.
  */
@@ -167,6 +167,6 @@ export type AuditResult = {
      * Record map of all modules (policies) that were run.
      */
     policies: {
-        [P in keyof AuditRunConfigPolicies]: AuditPolicyResult;
+        [P in keyof AuditRunConfig['policies']]: AuditPolicyResult;
     };
 };

package/lib/libs/audit-engine/registry/result.types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=result.types.js.map

package/lib/libs/audit-engine/registry/result.types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"result.types.js","sourceRoot":"","sources":["../../../../src/libs/audit-engine/registry/result.types.ts"],"names":[],"mappings":""}

package/lib/libs/{core/registries → audit-engine/registry}/ruleRegistry.d.ts

@@ -1,6 +1,9 @@
-import { EntityResolveError, PolicyRuleSkipResult } from '../result-types.js';
-import { AuditRunConfig, RuleMap } from '../../core/file-mgmt/schema.js';
-import { Constructor, RowLevelPolicyRule } from './types.js';
+import { AuditRunConfig } from './shape/auditConfigShape.js';
+import { EntityResolveError, PolicyRuleSkipResult } from './result.types.js';
+import { RowLevelPolicyRule } from './context.types.js';
+import { PolicyConfig } from './shape/schema.js';
+export type Constructor<T, Args extends any[] = any[]> = new (...args: Args) => T;
+export type RuleHandlerMap = Record<string, Constructor<RowLevelPolicyRule<unknown>>>;
 /**
  * Result contains the actually available and enabled rules
  * from the raw config file. Rules that are not present in the
@@ -17,8 +20,8 @@ export type RegistryRuleResolveResult = {
  * allow users to BYOR ("bring your own rules").
  */
 export default class RuleRegistry {
-    rules: Record<string, Constructor<RowLevelPolicyRule<unknown>>>;
-    constructor(rules: Record<string, Constructor<RowLevelPolicyRule<unknown>>>);
+    private availableRules;
+    constructor(rules?: RuleHandlerMap);
     /**
      * Returns the display/config names of all registered rules
      *
@@ -30,8 +33,8 @@ export default class RuleRegistry {
      * rules are ignored and disabled rules are skipped.
      *
      * @param ruleObjs
-     * @param auditContext
+     * @param auditConfig
      * @returns
      */
-    resolveRules(ruleObjs: RuleMap, auditContext: AuditRunConfig): RegistryRuleResolveResult;
+    resolveRules(ruleObjs: PolicyConfig['rules'], auditConfig: AuditRunConfig): RegistryRuleResolveResult;
 }

package/lib/libs/{core/registries → audit-engine/registry}/ruleRegistry.js

@@ -7,9 +7,9 @@ const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'po
  * allow users to BYOR ("bring your own rules").
  */
 export default class RuleRegistry {
-    rules;
+    availableRules;
     constructor(rules) {
-        this.rules = rules;
+        this.availableRules = rules ?? {};
     }
     /**
      * Returns the display/config names of all registered rules
@@ -17,23 +17,23 @@ export default class RuleRegistry {
      * @returns
      */
     registeredRules() {
-        return Object.keys(this.rules);
+        return Object.keys(this.availableRules);
     }
     /**
      * Resolves a given set of rule configs to actually registered rules. Unknown
      * rules are ignored and disabled rules are skipped.
      *
      * @param ruleObjs
-     * @param auditContext
+     * @param auditConfig
      * @returns
      */
-    resolveRules(ruleObjs, auditContext) {
+    resolveRules(ruleObjs, auditConfig) {
         const enabledRules = new Array();
         const skippedRules = new Array();
         const resolveErrors = new Array();
         Object.entries(ruleObjs).forEach(([ruleName, ruleConfig]) => {
-            if (this.rules[ruleName] && ruleConfig.enabled) {
-                enabledRules.push(new this.rules[ruleName]({ auditContext, ruleDisplayName: ruleName, ruleConfig: ruleConfig.options }));
+            if (this.availableRules[ruleName] && ruleConfig.enabled) {
+                enabledRules.push(new this.availableRules[ruleName]({ auditConfig, ruleDisplayName: ruleName, ruleConfig: ruleConfig.options }));
             }
             else if (ruleConfig.enabled === false) {
                 skippedRules.push({ name: ruleName, skipReason: messages.getMessage('skip-reason.rule-not-enabled') });

package/lib/libs/audit-engine/registry/ruleRegistry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ruleRegistry.js","sourceRoot":"","sources":["../../../../src/libs/audit-engine/registry/ruleRegistry.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAM5C,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,kBAAkB,CAAC,CAAC;AAkBjG;;;;GAIG;AACH,MAAM,CAAC,OAAO,OAAO,YAAY;IACvB,cAAc,CAAC;IAEvB,YAAmB,KAAsB;QACvC,IAAI,CAAC,cAAc,GAAG,KAAK,IAAI,EAAE,CAAC;IACpC,CAAC;IAED;;;;OAIG;IACI,eAAe;QACpB,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IAC1C,CAAC;IAED;;;;;;;OAOG;IACI,YAAY,CAAC,QAA+B,EAAE,WAA2B;QAC9E,MAAM,YAAY,GAAG,IAAI,KAAK,EAA+B,CAAC;QAC9D,MAAM,YAAY,GAAG,IAAI,KAAK,EAAwB,CAAC;QACvD,MAAM,aAAa,GAAG,IAAI,KAAK,EAAsB,CAAC;QACtD,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE,UAAU,CAAC,EAAE,EAAE;YAC1D,IAAI,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,IAAI,UAAU,CAAC,OAAO,EAAE,CAAC;gBACxD,YAAY,CAAC,IAAI,CACf,IAAI,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,EAAE,WAAW,EAAE,eAAe,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,CAC9G,CAAC;YACJ,CAAC;iBAAM,IAAI,UAAU,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;gBACxC,YAAY,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,CAAC,UAAU,CAAC,8BAA8B,CAAC,EAAE,CAAC,CAAC;YACzG,CAAC;iBAAM,CAAC;gBACN,aAAa,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,mCAAmC,CAAC,EAAE,CAAC,CAAC;YAC5G,CAAC;QACH,CAAC,CAAC,CAAC;QACH,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,aAAa,EAAE,CAAC;IACvD,CAAC;CACF"}

package/lib/libs/audit-engine/registry/rules/allUsedAppsUnderManagement.d.ts

@@ -0,0 +1,7 @@
+import { PartialPolicyRuleResult, RuleAuditContext } from '../context.types.js';
+import { ConnectedApp } from '../../../../salesforce/index.js';
+import PolicyRule, { RuleOptions } from './policyRule.js';
+export default class AllUsedAppsUnderManagement extends PolicyRule<ConnectedApp> {
+    constructor(opts: RuleOptions);
+    run(context: RuleAuditContext<ConnectedApp>): Promise<PartialPolicyRuleResult>;
+}

package/lib/libs/audit-engine/registry/rules/allUsedAppsUnderManagement.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"allUsedAppsUnderManagement.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/allUsedAppsUnderManagement.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAG5C,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,qBAAqB,CAAC,CAAC;AAEpG,MAAM,CAAC,OAAO,OAAO,0BAA2B,SAAQ,UAAwB;IAC9E,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,GAAG,CAAC,OAAuC;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,qBAAqB,GAAG,OAAO,CAAC,gBAAgB,CAAC;QACvD,MAAM,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;YACnD,IAAI,GAAG,CAAC,MAAM,KAAK,YAAY,EAAE,CAAC;gBAChC,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;oBACrB,UAAU,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC;oBACtB,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,wCAAwC,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAC;iBACzG,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;QACH,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF"}

package/lib/libs/{core/registries → audit-engine/registry}/rules/enforcePermissionPresets.d.ts

@@ -1,7 +1,9 @@
-import { PartialPolicyRuleResult, RuleAuditContext } from '../types.js';
-import { ResolvedUser } from '../users.js';
+import { PartialPolicyRuleResult, RuleAuditContext } from '../context.types.js';
+import { ResolvedUser } from '../policies/users.js';
 import PolicyRule, { RuleOptions } from './policyRule.js';
 export default class EnforcePermissionPresets extends PolicyRule<ResolvedUser> {
     constructor(opts: RuleOptions);
     run(context: RuleAuditContext<ResolvedUser>): Promise<PartialPolicyRuleResult>;
+    private resolveProfileRole;
+    private resolvePermissionSetRole;
 }

package/lib/libs/{core/registries → audit-engine/registry}/rules/enforcePermissionPresets.js

@@ -1,7 +1,7 @@
 import { Messages } from '@salesforce/core';
-import UsersRepository from '../../mdapi/usersRepository.js';
-import { UserPrivilegeLevel, resolvePresetOrdinalValue } from '../../policy-types.js';
-import { capitalize } from '../../utils.js';
+import { capitalize } from '../../../../utils.js';
+import { resolvePresetOrdinalValue } from '../helpers/permissionsScanning.js';
+import { UserPrivilegeLevel } from '../shape/schema.js';
 import PolicyRule from './policyRule.js';
 Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
 const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.users');
@@ -9,24 +9,26 @@ export default class EnforcePermissionPresets extends PolicyRule {
     constructor(opts) {
         super(opts);
     }
-    async run(context) {
+    run(context) {
         const result = this.initResult();
         const users = context.resolvedEntities;
-        const userRepo = new UsersRepository(context.targetOrgConnection);
-        // options "with/without metadata - only identifiers"
-        const userPerms = await userRepo.resolveUserPermissions(Object.values(users), { withMetadata: false });
         for (const user of Object.values(users)) {
-            const profilePreset = this.auditContext.classifications.profiles?.content.profiles[user.profileName];
-            auditPermissionsEntity(result, user, 'profile', user.profileName, profilePreset?.role);
-            const permsets = userPerms.get(user.userId);
-            if (permsets) {
-                for (const assignment of permsets.assignedPermissionsets) {
-                    const permsetPreset = this.auditContext.classifications.permissionSets?.content.permissionSets[assignment.permissionSetIdentifier];
-                    auditPermissionsEntity(result, user, 'permission set', assignment.permissionSetIdentifier, permsetPreset?.role);
+            const profileRole = this.resolveProfileRole(user.profileName);
+            auditPermissionsEntity(result, user, 'profile', user.profileName, profileRole);
+            if (user.assignments) {
+                for (const assignment of user.assignments) {
+                    const permsetRole = this.resolvePermissionSetRole(assignment.permissionSetIdentifier);
+                    auditPermissionsEntity(result, user, 'permission set', assignment.permissionSetIdentifier, permsetRole);
                 }
             }
         }
-        return result;
+        return Promise.resolve(result);
+    }
+    resolveProfileRole(profileName) {
+        return this.auditConfig.classifications.profiles?.profiles[profileName]?.role;
+    }
+    resolvePermissionSetRole(permsetName) {
+        return this.auditConfig.classifications.permissionSets?.permissionSets[permsetName]?.role;
     }
 }
 function auditPermissionsEntity(result, user, entityType, entityIdentifier, entityPreset) {

package/lib/libs/audit-engine/registry/rules/enforcePermissionPresets.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"enforcePermissionPresets.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionPresets.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAElD,OAAO,EAAE,yBAAyB,EAAE,MAAM,mCAAmC,CAAC;AAC9E,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,aAAa,CAAC,CAAC;AAE5F,MAAM,CAAC,OAAO,OAAO,wBAAyB,SAAQ,UAAwB;IAC5E,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,GAAG,CAAC,OAAuC;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,KAAK,GAAG,OAAO,CAAC,gBAAgB,CAAC;QACvC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;YACxC,MAAM,WAAW,GAAG,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC9D,sBAAsB,CAAC,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;YAC/E,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;gBACrB,KAAK,MAAM,UAAU,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;oBAC1C,MAAM,WAAW,GAAG,IAAI,CAAC,wBAAwB,CAAC,UAAU,CAAC,uBAAuB,CAAC,CAAC;oBACtF,sBAAsB,CAAC,MAAM,EAAE,IAAI,EAAE,gBAAgB,EAAE,UAAU,CAAC,uBAAuB,EAAE,WAAW,CAAC,CAAC;gBAC1G,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;IAEO,kBAAkB,CAAC,WAAmB;QAC5C,OAAO,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,QAAQ,EAAE,QAAQ,CAAC,WAAW,CAAC,EAAE,IAAI,CAAC;IAChF,CAAC;IAEO,wBAAwB,CAAC,WAAmB;QAClD,OAAO,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,cAAc,EAAE,cAAc,CAAC,WAAW,CAAC,EAAE,IAAI,CAAC;IAC5F,CAAC;CACF;AAED,SAAS,sBAAsB,CAC7B,MAA+B,EAC/B,IAAkB,EAClB,UAAkB,EAClB,gBAAwB,EACxB,YAAiC;IAEjC,IAAI,YAAY,EAAE,CAAC;QACjB,IAAI,YAAY,KAAK,kBAAkB,CAAC,OAAO,EAAE,CAAC;YAChD,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;gBACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,CAAC;gBAC7C,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,oCAAoC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC;aAC7F,CAAC,CAAC;QACL,CAAC;aAAM,IAAI,yBAAyB,CAAC,YAAY,CAAC,GAAG,yBAAyB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1F,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;gBACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,CAAC;gBAC7C,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,6CAA6C,EAAE;oBAC1E,IAAI,CAAC,IAAI;oBACT,UAAU;oBACV,YAAY;iBACb,CAAC;aACH,CAAC,CAAC;QACL,CAAC;IACH,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;YACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,CAAC;YAC7C,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,2CAA2C,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,UAAU,CAAC,CAAC;SAChH,CAAC,CAAC;IACL,CAAC;AACH,CAAC"}

package/lib/libs/{core/registries → audit-engine/registry}/rules/enforcePermissionsOnProfileLike.d.ts

@@ -1,4 +1,4 @@
-import { PartialPolicyRuleResult, RuleAuditContext } from '../types.js';
+import { PartialPolicyRuleResult, RuleAuditContext } from '../context.types.js';
 import { ResolvedProfileLike } from '../helpers/permissionsScanning.js';
 import PolicyRule, { RuleOptions } from './policyRule.js';
 export default class EnforcePermissionsOnProfileLike extends PolicyRule<ResolvedProfileLike> {

package/lib/libs/{core/registries → audit-engine/registry}/rules/enforcePermissionsOnProfileLike.js

@@ -1,4 +1,4 @@
-import { isNullish } from '../../utils.js';
+import { isNullish } from '../../../../utils.js';
 import { scanPermissions } from '../helpers/permissionsScanning.js';
 import PolicyRule from './policyRule.js';
 export default class EnforcePermissionsOnProfileLike extends PolicyRule {
@@ -10,12 +10,12 @@ export default class EnforcePermissionsOnProfileLike extends PolicyRule {
         const resolvedProfiles = context.resolvedEntities;
         for (const profile of Object.values(resolvedProfiles)) {
             if (!isNullish(profile.metadata.userPermissions)) {
-                const userPermsScan = scanPermissions(profile, 'userPermissions', this.auditContext);
+                const userPermsScan = scanPermissions(profile, 'userPermissions', this.auditConfig);
                 result.violations.push(...userPermsScan.violations);
                 result.warnings.push(...userPermsScan.warnings);
             }
             if (!isNullish(profile.metadata.customPermissions)) {
-                const customPermsScan = scanPermissions(profile, 'customPermissions', this.auditContext);
+                const customPermsScan = scanPermissions(profile, 'customPermissions', this.auditConfig);
                 result.violations.push(...customPermsScan.violations);
                 result.warnings.push(...customPermsScan.warnings);
             }

package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"enforcePermissionsOnProfileLike.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AAEjD,OAAO,EAAuB,eAAe,EAAE,MAAM,mCAAmC,CAAC;AACzF,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,MAAM,CAAC,OAAO,OAAO,+BAAgC,SAAQ,UAA+B;IAC1F,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,GAAG,CAAC,OAA8C;QACvD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC;QAClD,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE,CAAC;YACtD,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;gBACjD,MAAM,aAAa,GAAG,eAAe,CAAC,OAAO,EAAE,iBAAiB,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;gBACpF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,UAAU,CAAC,CAAC;gBACpD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;YAClD,CAAC;YACD,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,CAAC;gBACnD,MAAM,eAAe,GAAG,eAAe,CAAC,OAAO,EAAE,mBAAmB,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;gBACxF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,UAAU,CAAC,CAAC;gBACtD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAC;YACpD,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF"}

package/lib/libs/{core/registries → audit-engine/registry}/rules/enforcePermissionsOnUser.d.ts

@@ -1,5 +1,5 @@
-import { PartialPolicyRuleResult, RuleAuditContext } from '../types.js';
-import { ResolvedUser } from '../users.js';
+import { PartialPolicyRuleResult, RuleAuditContext } from '../context.types.js';
+import { ResolvedUser } from '../policies/users.js';
 import PolicyRule, { RuleOptions } from './policyRule.js';
 export default class EnforcePermissionsOnUser extends PolicyRule<ResolvedUser> {
     constructor(opts: RuleOptions);

package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnUser.js

@@ -0,0 +1,38 @@
+import { scanProfileLike } from '../helpers/permissionsScanning.js';
+import PolicyRule from './policyRule.js';
+export default class EnforcePermissionsOnUser extends PolicyRule {
+    constructor(opts) {
+        super(opts);
+    }
+    run(context) {
+        const result = this.initResult();
+        const users = context.resolvedEntities;
+        for (const user of Object.values(users)) {
+            const { violations, warnings } = this.scanAssignedPermissionSets(user, user.assignments);
+            result.violations.push(...violations);
+            result.warnings.push(...warnings);
+            if (user.profileMetadata) {
+                const profileResult = scanProfileLike({ role: user.role, metadata: user.profileMetadata, name: user.profileName }, this.auditConfig, [user.username]);
+                result.violations.push(...profileResult.violations);
+                result.warnings.push(...profileResult.warnings);
+            }
+        }
+        return Promise.resolve(result);
+    }
+    scanAssignedPermissionSets(user, assignments) {
+        const result = { violations: [], warnings: [] };
+        if (!assignments) {
+            return result;
+        }
+        for (const assignedPermSet of assignments) {
+            if (!assignedPermSet.metadata) {
+                continue;
+            }
+            const permsetScan = scanProfileLike({ role: user.role, metadata: assignedPermSet.metadata, name: assignedPermSet.permissionSetIdentifier }, this.auditConfig, [user.username]);
+            result.violations.push(...permsetScan.violations);
+            result.warnings.push(...permsetScan.warnings);
+        }
+        return result;
+    }
+}
+//# sourceMappingURL=enforcePermissionsOnUser.js.map

package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnUser.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"enforcePermissionsOnUser.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionsOnUser.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAc,MAAM,mCAAmC,CAAC;AAGhF,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,MAAM,CAAC,OAAO,OAAO,wBAAyB,SAAQ,UAAwB;IAC5E,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,GAAG,CAAC,OAAuC;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,KAAK,GAAG,OAAO,CAAC,gBAAgB,CAAC;QACvC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;YACxC,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,0BAA0B,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;YACzF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC;YACtC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;YAClC,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;gBACzB,MAAM,aAAa,GAAG,eAAe,CACnC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,QAAQ,EAAE,IAAI,CAAC,eAAe,EAAE,IAAI,EAAE,IAAI,CAAC,WAAW,EAAE,EAC3E,IAAI,CAAC,WAAW,EAChB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAChB,CAAC;gBACF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,UAAU,CAAC,CAAC;gBACpD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;YAClD,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;IAEO,0BAA0B,CAAC,IAAkB,EAAE,WAAwC;QAC7F,MAAM,MAAM,GAAe,EAAE,UAAU,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;QAC5D,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,OAAO,MAAM,CAAC;QAChB,CAAC;QACD,KAAK,MAAM,eAAe,IAAI,WAAW,EAAE,CAAC;YAC1C,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,CAAC;gBAC9B,SAAS;YACX,CAAC;YACD,MAAM,WAAW,GAAG,eAAe,CACjC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,QAAQ,EAAE,eAAe,CAAC,QAAQ,EAAE,IAAI,EAAE,eAAe,CAAC,uBAAuB,EAAE,EACtG,IAAI,CAAC,WAAW,EAChB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAChB,CAAC;YACF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,UAAU,CAAC,CAAC;YAClD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC;QAChD,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;CACF"}

package/lib/libs/{core/registries → audit-engine/registry}/rules/enforceSettings.d.ts

@@ -1,5 +1,5 @@
-import { SalesforceSetting } from '../../mdapi/anySettingsMetadata.js';
-import { PartialPolicyRuleResult, RuleAuditContext } from '../types.js';
+import { PartialPolicyRuleResult, RuleAuditContext } from '../context.types.js';
+import { SalesforceSetting } from '../policies/settings.js';
 import PolicyRule, { ConfigurableRuleOptions } from './policyRule.js';
 type EnforceSettingsOpts = ConfigurableRuleOptions<Record<string, unknown>> & {
     settingName: string;

package/lib/libs/audit-engine/registry/rules/enforceSettings.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"enforceSettings.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforceSettings.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAG5C,OAAO,UAAuC,MAAM,iBAAiB,CAAC;AAEtE,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,gBAAgB,CAAC,CAAC;AAM/F,MAAM,CAAC,OAAO,OAAO,eAAgB,SAAQ,UAAmB;IAG1B;IAF7B,WAAW,CAAC;IAEnB,YAAoC,WAAgC;QAClE,KAAK,CAAC,WAAW,CAAC,CAAC;QADe,gBAAW,GAAX,WAAW,CAAqB;QAElE,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC;IAClD,CAAC;IAEM,GAAG,CAAC,OAA4C;QACrD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,cAAc,GAAG,OAAO,CAAC,gBAAgB,CAAC,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC;QAC9E,MAAM,cAAc,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,WAAW,UAAU,CAAC;QACjE,aAAa,CAAC,IAAI,CAAC,WAAW,CAAC,UAAU,EAAE,MAAM,EAAE,CAAC,cAAc,CAAC,EAAE,cAAc,CAAC,CAAC;QACrF,IAAI,MAAM,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACnC,MAAM,CAAC,iBAAiB,GAAG,CAAC,cAAc,CAAC,CAAC;YAC5C,MAAM,CAAC,gBAAgB,GAAG,EAAE,CAAC;QAC/B,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,iBAAiB,GAAG,EAAE,CAAC;YAC9B,MAAM,CAAC,gBAAgB,GAAG,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,WAAW,UAAU,CAAC,CAAC;QACxE,CAAC;QACD,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF;AAED,SAAS,aAAa,CACpB,cAAiC,EACjC,WAAoC,EACpC,SAAmB,EACnB,YAAgC;IAEhC,KAAK,MAAM,CAAC,WAAW,EAAE,aAAa,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;QAC1E,MAAM,YAAY,GAAG,CAAC,GAAG,SAAS,EAAE,WAAW,CAAC,CAAC;QACjD,IAAI,CAAC,YAAY,IAAI,YAAY,CAAC,WAAW,CAAC,KAAK,SAAS,EAAE,CAAC;YAC7D,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC;gBACxB,UAAU,EAAE,YAAY;gBACxB,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,kCAAkC,CAAC;aACjE,CAAC,CAAC;YACH,SAAS;QACX,CAAC;QACD,IAAI,OAAO,aAAa,KAAK,QAAQ,IAAI,YAAY,EAAE,CAAC;YACtD,aAAa,CACX,aAAkC,EAClC,WAAW,EACX,YAAY,EACZ,YAAY,CAAC,WAAW,CAAsB,CAC/C,CAAC;QACJ,CAAC;aAAM,IACL,OAAO,aAAa,KAAK,QAAQ;YACjC,OAAO,aAAa,KAAK,SAAS;YAClC,OAAO,aAAa,KAAK,QAAQ,EACjC,CAAC;YACD,IAAI,aAAa,KAAK,YAAY,CAAC,WAAW,CAAC,EAAE,CAAC;gBAChD,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC;oBAC1B,UAAU,EAAE,YAAY;oBACxB,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,0CAA0C,EAAE;wBACvE,aAAa;wBACb,MAAM,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;qBAClC,CAAC;iBACH,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC"}

package/lib/libs/audit-engine/registry/rules/noInactiveUsers.d.ts

@@ -0,0 +1,14 @@
+import z from 'zod';
+import { PartialPolicyRuleResult, RuleAuditContext } from '../context.types.js';
+import { ResolvedUser } from '../policies/users.js';
+import PolicyRule, { ConfigurableRuleOptions } from './policyRule.js';
+declare const NoInactiveUsersOptionsSchema: z.ZodObject<{
+    daysAfterUserIsInactive: z.ZodDefault<z.ZodNumber>;
+}, z.z.core.$strict>;
+type NoInactiveUsersOptions = z.infer<typeof NoInactiveUsersOptionsSchema>;
+export default class NoInactiveUsers extends PolicyRule<ResolvedUser> {
+    private readonly ruleConfig;
+    constructor(localOpts: ConfigurableRuleOptions<NoInactiveUsersOptions>);
+    run(context: RuleAuditContext<ResolvedUser>): Promise<PartialPolicyRuleResult>;
+}
+export {};