@j-schreiber/sf-cli-security-audit 0.18.2 → 0.19.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +3 -3
- package/lib/libs/audit-engine/auditRun.js +1 -1
- package/lib/libs/audit-engine/auditRun.js.map +1 -1
- package/lib/libs/audit-engine/auditRunLifecycle.d.ts +12 -0
- package/lib/libs/audit-engine/auditRunLifecycle.js +16 -0
- package/lib/libs/audit-engine/auditRunLifecycle.js.map +1 -0
- package/lib/libs/audit-engine/file-manager/fileManager.d.ts +3 -2
- package/lib/libs/audit-engine/file-manager/fileManager.js +19 -9
- package/lib/libs/audit-engine/file-manager/fileManager.js.map +1 -1
- package/lib/libs/audit-engine/file-manager/fileManager.types.d.ts +4 -0
- package/lib/libs/audit-engine/index.d.ts +15 -4
- package/lib/libs/audit-engine/index.js +2 -1
- package/lib/libs/audit-engine/index.js.map +1 -1
- package/lib/libs/audit-engine/registry/definitions.d.ts +15 -4
- package/lib/libs/audit-engine/registry/policies/permissionSets.d.ts +2 -2
- package/lib/libs/audit-engine/registry/policies/permissionSets.js +1 -1
- package/lib/libs/audit-engine/registry/policies/permissionSets.js.map +1 -1
- package/lib/libs/audit-engine/registry/policies/profiles.js +1 -1
- package/lib/libs/audit-engine/registry/policies/profiles.js.map +1 -1
- package/lib/libs/audit-engine/registry/policies/users.d.ts +2 -2
- package/lib/libs/audit-engine/registry/policies/users.js +1 -1
- package/lib/libs/audit-engine/registry/policies/users.js.map +1 -1
- package/lib/libs/audit-engine/registry/roles/roleManager.d.ts +62 -0
- package/lib/libs/audit-engine/registry/roles/roleManager.js +168 -0
- package/lib/libs/audit-engine/registry/roles/roleManager.js.map +1 -0
- package/lib/libs/audit-engine/registry/roles/roleManager.types.d.ts +43 -0
- package/lib/libs/audit-engine/registry/roles/roleManager.types.js +2 -0
- package/lib/libs/audit-engine/registry/roles/roleManager.types.js.map +1 -0
- package/lib/libs/audit-engine/registry/roles/userRole.d.ts +12 -0
- package/lib/libs/audit-engine/registry/roles/userRole.js +75 -0
- package/lib/libs/audit-engine/registry/roles/userRole.js.map +1 -0
- package/lib/libs/audit-engine/registry/rules/enforcePermissionPresets.d.ts +2 -0
- package/lib/libs/audit-engine/registry/rules/enforcePermissionPresets.js +36 -23
- package/lib/libs/audit-engine/registry/rules/enforcePermissionPresets.js.map +1 -1
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.d.ts +2 -1
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.js +19 -9
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.js.map +1 -1
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnUser.d.ts +1 -0
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnUser.js +18 -3
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnUser.js.map +1 -1
- package/lib/libs/audit-engine/registry/shape/auditConfigShape.d.ts +15 -4
- package/lib/libs/audit-engine/registry/shape/auditConfigShape.js +6 -1
- package/lib/libs/audit-engine/registry/shape/auditConfigShape.js.map +1 -1
- package/lib/libs/audit-engine/registry/shape/schema.d.ts +14 -7
- package/lib/libs/audit-engine/registry/shape/schema.js +10 -3
- package/lib/libs/audit-engine/registry/shape/schema.js.map +1 -1
- package/lib/libs/audit-engine/registry/shape/shapeValidation.d.ts +3 -0
- package/lib/libs/audit-engine/registry/shape/shapeValidation.js +37 -0
- package/lib/libs/audit-engine/registry/shape/shapeValidation.js.map +1 -0
- package/lib/libs/conf-init/auditConfig.js +1 -1
- package/lib/libs/conf-init/auditConfig.js.map +1 -1
- package/lib/salesforce/repositories/users/queries.d.ts +0 -1
- package/lib/salesforce/repositories/users/queries.js +0 -3
- package/lib/salesforce/repositories/users/queries.js.map +1 -1
- package/messages/auditShapeValidation.md +11 -0
- package/messages/org.audit.run.md +4 -4
- package/messages/rules.enforceClassificationPresets.md +12 -0
- package/messages/rules.users.md +4 -0
- package/oclif.manifest.json +1 -1
- package/package.json +2 -1
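--- /dev/null
+++ b/package/lib/libs/audit-engine/registry/roles/roleManager.js
@@ -0,0 +1,168 @@
+import { EventEmitter } from 'node:events';
+import { Messages } from '@salesforce/core';
+import { PermissionRiskLevel, UserPrivilegeLevel, } from '../shape/schema.js';
+import { AuditRunLifecycleBus } from '../../auditRunLifecycle.js';
+import { newRoleFromDefinition, newRoleFromOrdinals } from './userRole.js';
+Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
+const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.enforceClassificationPresets');
+export default class RoleManager extends EventEmitter {
+definitions;
+classifications;
+roles = {};
+constructor(definitions, classifications) {
+super();
+this.definitions = definitions;
+this.classifications = classifications;
+if (this.definitions) {
+for (const [roleName, roleDef] of Object.entries(this.definitions)) {
+const normalizedName = normalize(roleName);
+if (this.roles[normalizedName]) {
+AuditRunLifecycleBus.emitResolveWarn(messages.getMessage('DuplicateRoleAfterNormalization', [
+this.roles[normalizedName].roleName,
+normalizedName,
+]));
+}
+else {
+this.roles[normalizedName] = newRoleFromDefinition(roleName, roleDef, this.classifications?.userPermissions);
+}
+}
+}
+else {
+for (const legacyRole of Object.values(UserPrivilegeLevel)) {
+this.roles[normalize(legacyRole)] = newRoleFromOrdinals(legacyRole, this.classifications?.userPermissions);
+}
+}
+}
+/**
+* Scan userPermissions and customPermissions of a profile or permission set and
+* get a unified scan result with violations (risk level not allowed) and warnings
+* (risk level not classified)
+*
+* @param profileLike
+* @param auditRun
+* @param rootIdentifier Optional root identifier for messages to prepend.
+* @returns
+*/
+scanProfileLike(profileLike, rootIdentifier) {
+if (!profileLike.metadata) {
+return { violations: [], warnings: [] };
+}
+const userPermsResult = this.scanPermissions(profileLike, 'userPermissions', rootIdentifier);
+const customPermsResult = this.scanPermissions(profileLike, 'customPermissions', rootIdentifier);
+userPermsResult.violations.push(...customPermsResult.violations);
+userPermsResult.warnings.push(...customPermsResult.warnings);
+return userPermsResult;
+}
+/**
+* Checks if a role allows a certain classifcation level. If the role is
+* not configured or unknown, always returns false.
+*
+* @param roleName
+* @param permission
+* @returns
+*/
+allowsPermission(roleName, permission) {
+return this.getRole(roleName).isAllowed(permission);
+}
+/**
+* Checks if a given role name is a valid role for the context
+* of the current audit run.
+*
+* @param roleName
+* @returns
+*/
+isValidRole(roleName) {
+const normalisedRoleName = normalize(roleName);
+return Boolean(this.roles[normalisedRoleName]);
+}
+/**
+* Compares two roles (both must exist)
+*
+* @param baseRoleName
+* @param compareWithName
+* @returns
+*/
+compare(baseRoleName, compareWithName) {
+const baseRole = this.getRole(baseRoleName);
+const otherRole = this.getRole(compareWithName);
+return baseRole.compareWith(otherRole);
+}
+/**
+* Returns the role or throws an error, if role name is invalid.
+*
+* @param roleName
+* @returns
+*/
+getRole(roleName) {
+const normalisedRoleName = normalize(roleName);
+if (this.roles[normalisedRoleName]) {
+return this.roles[normalisedRoleName];
+}
+throw messages.createError('TriedToAccessRoleThatDoesNotExist', [roleName]);
+}
+// PRIVATE ZONE
+scanPermissions(profile, permissionListName, rootIdentifier) {
+const result = { warnings: [], violations: [] };
+for (const perm of profile.metadata[permissionListName]) {
+const identifier = rootIdentifier ? [...rootIdentifier, profile.name, perm.name] : [profile.name, perm.name];
+const permClassification = this.resolvePerm(perm.name, permissionListName);
+if (permClassification) {
+if (permClassification.classification === PermissionRiskLevel.BLOCKED) {
+result.violations.push({
+identifier,
+message: messages.getMessage('violations.permission-is-blocked'),
+});
+}
+else if (!this.allowsPermission(profile.role, permClassification.name)) {
+result.violations.push({
+identifier,
+message: messages.getMessage('violations.classification-preset-mismatch', [
+permClassification.classification,
+profile.role,
+]),
+});
+}
+else if (permClassification.classification === PermissionRiskLevel.UNKNOWN) {
+result.warnings.push({
+identifier,
+message: messages.getMessage('warnings.permission-unknown'),
+});
+}
+}
+else {
+result.warnings.push({
+identifier,
+message: messages.getMessage('warnings.permission-not-classified'),
+});
+}
+}
+return result;
+}
+resolvePerm(permName, listName) {
+if (listName === 'userPermissions') {
+return this.resolveUserPerm(permName);
+}
+else if (listName === 'customPermissions') {
+return this.resolveCustomPerm(permName);
+}
+}
+resolveUserPerm(permName) {
+if (this.classifications?.userPermissions) {
+return nameClassification(permName, this.classifications.userPermissions[permName]);
+}
+return undefined;
+}
+resolveCustomPerm(permName) {
+if (this.classifications?.customPermissions) {
+return nameClassification(permName, this.classifications.customPermissions[permName]);
+}
+return undefined;
+}
+}
+function nameClassification(permName, perm) {
+return perm ? { name: permName, ...perm } : undefined;
+}
+function normalize(roleName) {
+return roleName.toUpperCase().replaceAll(' ', '_');
+}
+//# sourceMappingURL=roleManager.js.map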
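Review bot: Every role's allowed set is built from userPermissions only (lines 26 and 32 pass `this.classifications?.userPermissions` to the role factories), yet scanProfileLike also scans customPermissions (line 51) and allowsPermission checks that same set by name (line 65), so any classified custom permission that is not listed explicitly in a role's allowedPermissions comes back as `violations.classification-preset-mismatch`; if that is intended, the constructor doc should say so, otherwise the factories need the custom classifications as well. scanPermissions iterates `profile.metadata[permissionListName]` unguarded (line 106); if jsforce's Profile type marks these lists optional, a profile without that list throws a TypeError instead of yielding an empty result, and `for (const perm of profile.metadata[permissionListName] ?? []) {` avoids that. Since isAllowed is keyed by permission name alone, a custom permission that shares a name with an allowed user permission is allowed too, which is worth a comment on scanPermissions. The scanProfileLike doc block lists `@param auditRun`, which is not a parameter, and `RoleManager extends EventEmitter` without ever emitting, so the base class could be dropped.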
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"roleManager.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/roles/roleManager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAEL,mBAAmB,EAEnB,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AAQlE,OAAiB,EAAE,qBAAqB,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAC;AAErF,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,oCAAoC,CAAC,CAAC;AAOnH,MAAM,CAAC,OAAO,OAAO,WAAY,SAAQ,YAAY;IAGxB;IAAuC;IAF1D,KAAK,GAA6B,EAAE,CAAC;IAE7C,YAA2B,WAA6B,EAAU,eAA0C;QAC1G,KAAK,EAAE,CAAC;QADiB,gBAAW,GAAX,WAAW,CAAkB;QAAU,oBAAe,GAAf,eAAe,CAA2B;QAE1G,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACrB,KAAK,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;gBACnE,MAAM,cAAc,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;gBAC3C,IAAI,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,EAAE,CAAC;oBAC/B,oBAAoB,CAAC,eAAe,CAClC,QAAQ,CAAC,UAAU,CAAC,iCAAiC,EAAE;wBACrD,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,QAAQ;wBACnC,cAAc;qBACf,CAAC,CACH,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACN,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,GAAG,qBAAqB,CAAC,QAAQ,EAAE,OAAO,EAAE,IAAI,CAAC,eAAe,EAAE,eAAe,CAAC,CAAC;gBAC/G,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,KAAK,MAAM,UAAU,IAAI,MAAM,CAAC,MAAM,CAAC,kBAAkB,CAAC,EAAE,CAAC;gBAC3D,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,GAAG,mBAAmB,CAAC,UAAU,EAAE,IAAI,CAAC,eAAe,EAAE,eAAe,CAAC,CAAC;YAC7G,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;;;;;;;OASG;IACI,eAAe,CAAC,WAAgC,EAAE,cAAyB;QAChF,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,CAAC;YAC1B,OAAO,EAAE,UAAU,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;QAC1C,CAAC;QACD,MAAM,eAAe,GAAG,IAAI,CAAC,eAAe,CAAC,WAAW,EAAE,iBAAiB,EAAE,cAAc,CAAC,CAAC;QAC7F,MAAM,iBAAiB,GAAG,IAAI,CAAC,eAAe,CAAC,WAAW,EAAE,mBAAmB,EAAE,cAAc,CAAC,CAAC;QACjG,eAAe,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,UAAU,CAAC,CAAC;QACjE,eAAe,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;QAC7D,OAAO,eAAe,CAAC;IACzB,CAAC;IAED;;;;;;;OAOG;IACI,gBAAgB,CAAC,QAAg
B,EAAE,UAAkB;QAC1D,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IACtD,CAAC;IAED;;;;;;OAMG;IACI,WAAW,CAAC,QAAgB;QACjC,MAAM,kBAAkB,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;QAC/C,OAAO,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC,CAAC;IACjD,CAAC;IAED;;;;;;OAMG;IACI,OAAO,CAAC,YAAoB,EAAE,eAAuB;QAC1D,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAC5C,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QAChD,OAAO,QAAQ,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;IACzC,CAAC;IAED;;;;;OAKG;IACI,OAAO,CAAC,QAAgB;QAC7B,MAAM,kBAAkB,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;QAC/C,IAAI,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,EAAE,CAAC;YACnC,OAAO,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;QACxC,CAAC;QACD,MAAM,QAAQ,CAAC,WAAW,CAAC,mCAAmC,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC9E,CAAC;IAED,wBAAwB;IAEhB,eAAe,CACrB,OAA4B,EAC5B,kBAAsC,EACtC,cAAyB;QAEzB,MAAM,MAAM,GAAe,EAAE,QAAQ,EAAE,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;QAC5D,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;YACxD,MAAM,UAAU,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC,GAAG,cAAc,EAAE,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;YAC7G,MAAM,kBAAkB,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAC;YAC3E,IAAI,kBAAkB,EAAE,CAAC;gBACvB,IAAI,kBAAkB,CAAC,cAAc,KAAK,mBAAmB,CAAC,OAAO,EAAE,CAAC;oBACtE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;wBACrB,UAAU;wBACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,kCAAkC,CAAC;qBACjE,CAAC,CAAC;gBACL,CAAC;qBAAM,IAAI,CAAC,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,IAAI,EAAE,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC;oBACzE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;wBACrB,UAAU;wBACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,2CAA2C,EAAE;4BACxE,kBAAkB,CAAC,cAAc;4BACjC,OAAO,CAAC,IAAI;yBACb,CAAC;qBACH,CAAC,CAAC;gBACL,CAAC;qBAAM,IAAI,kBAAkB,CAAC,cAAc,KAAK,mBAAmB,CAAC,OAAO,EAAE,CAAC;oBAC7E,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;wBACnB,UAAU;wBACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,6BAA6B,CAAC;qBAC5D,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;oBACnB,UAAU;oBACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,oCAAoC,CAAC;iBACnE,CAAC,CAAC;YACL,CAAC
;QACH,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,WAAW,CAAC,QAAgB,EAAE,QAA4B;QAChE,IAAI,QAAQ,KAAK,iBAAiB,EAAE,CAAC;YACnC,OAAO,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;QACxC,CAAC;aAAM,IAAI,QAAQ,KAAK,mBAAmB,EAAE,CAAC;YAC5C,OAAO,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC;IAEO,eAAe,CAAC,QAAgB;QACtC,IAAI,IAAI,CAAC,eAAe,EAAE,eAAe,EAAE,CAAC;YAC1C,OAAO,kBAAkB,CAAC,QAAQ,EAAE,IAAI,CAAC,eAAe,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC,CAAC;QACtF,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAEO,iBAAiB,CAAC,QAAgB;QACxC,IAAI,IAAI,CAAC,eAAe,EAAE,iBAAiB,EAAE,CAAC;YAC5C,OAAO,kBAAkB,CAAC,QAAQ,EAAE,IAAI,CAAC,eAAe,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC,CAAC;QACxF,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;CACF;AAED,SAAS,kBAAkB,CACzB,QAAgB,EAChB,IAA0C;IAE1C,OAAO,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;AACxD,CAAC;AAED,SAAS,SAAS,CAAC,QAAgB;IACjC,OAAO,QAAQ,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;AACrD,CAAC"}
|
|
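--- /dev/null
+++ b/package/lib/libs/audit-engine/registry/roles/roleManager.types.d.ts
@@ -0,0 +1,43 @@
+import { Profile } from '@jsforce/jsforce-node/lib/api/metadata.js';
+import { PolicyRuleViolation, RuleComponentMessage } from '../result.types.js';
+import { PermissionClassifications } from '../shape/schema.js';
+export type ResolvedProfileLike = {
+name: string;
+role: string;
+metadata: PartialProfileLike;
+};
+export type ScanResult = {
+violations: PolicyRuleViolation[];
+warnings: RuleComponentMessage[];
+};
+export type UserRoleCompareResult = {
+/**
+* True if the given role is a superset of the other compared role.
+* This means, it contains at least all allowed permissions and
+* fewer denied permissions as the "other role".
+*/
+isSuperset: boolean;
+/**
+* List of permissions that are present in "this" role and
+* missing in the compared "other" role.
+*/
+missingPermsInOther: string[];
+/**
+* List of permissions that are present in compared "other"
+* role and missing in this role.
+*/
+missingPermsInThis: string[];
+};
+export type IUserRole = {
+roleName: string;
+isAllowed(perm: Partial<NamedPermissionClassification>): boolean;
+compareWith(otherRole: IUserRole): UserRoleCompareResult;
+};
+export type PartialProfileLike = Pick<Profile, 'userPermissions' | 'customPermissions'>;
+/**
+* Moves the "name" from the classifications map to object prop
+*/
+export type NamedPermissionClassification = PermissionClassifications['string'] & {
+name: string;
+};
+export type PermissionsListKey = keyof PartialProfileLike;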
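Review bot: `IUserRole.isAllowed` takes `Partial<NamedPermissionClassification>` (line 33) while `UserRole.isAllowed` in userRole.d.ts takes a `string` and `RoleManager.allowsPermission` passes `permClassification.name`, so the interface no longer describes the class it abstracts, and `UserRole` does not declare `implements IUserRole`; either align it to `isAllowed(permissionName: string): boolean;` and `compareWith(otherRole: IUserRole)` with `implements IUserRole` on the class, or drop the interface. `NamedPermissionClassification` indexes with the literal key `PermissionClassifications['string']` (line 40), which presumably only resolves because the map has a string index signature; `PermissionClassifications[string]` states that intent directly. The `I` prefix on `IUserRole` is uncommon in TypeScript; a name like `UserRoleLike` reads better.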
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"roleManager.types.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/roles/roleManager.types.ts"],"names":[],"mappings":""}
|
|
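--- /dev/null
+++ b/package/lib/libs/audit-engine/registry/roles/userRole.d.ts
@@ -0,0 +1,12 @@
+import { PermissionClassifications, RoleDefinitions, UserPrivilegeLevel } from '../shape/schema.js';
+import { UserRoleCompareResult } from './roleManager.types.js';
+export default class UserRole {
+roleName: string;
+private allowedPermissions;
+private roleOrdinalValue?;
+constructor(roleName: string, allowedPermissions: Set<string>, roleOrdinalValue?: number | undefined);
+isAllowed(permissionName: string): boolean;
+compareWith(otherRole: UserRole): UserRoleCompareResult;
+}
+export declare function newRoleFromDefinition(roleName: string, roleDef: RoleDefinitions['string'], perms?: PermissionClassifications): UserRole;
+export declare function newRoleFromOrdinals(roleName: UserPrivilegeLevel, perms?: PermissionClassifications): UserRole;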
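--- /dev/null
+++ b/package/lib/libs/audit-engine/registry/roles/userRole.js
@@ -0,0 +1,75 @@
+import { PermissionRiskLevel, UserPrivilegeLevel, } from '../shape/schema.js';
+export default class UserRole {
+roleName;
+allowedPermissions;
+roleOrdinalValue;
+constructor(roleName, allowedPermissions, roleOrdinalValue) {
+this.roleName = roleName;
+this.allowedPermissions = allowedPermissions;
+this.roleOrdinalValue = roleOrdinalValue;
+}
+isAllowed(permissionName) {
+return this.allowedPermissions.has(permissionName);
+}
+compareWith(otherRole) {
+const missingPermsInOther = new Array();
+const missingPermsInThis = new Array();
+const isOrdinallyHigher = this.roleOrdinalValue && otherRole.roleOrdinalValue ? this.roleOrdinalValue >= otherRole.roleOrdinalValue : true;
+const merged = new Set([...this.allowedPermissions, ...otherRole.allowedPermissions]);
+for (const perm of merged) {
+if (!this.allowedPermissions.has(perm)) {
+missingPermsInThis.push(perm);
+}
+if (!otherRole.allowedPermissions.has(perm)) {
+missingPermsInOther.push(perm);
+}
+}
+return {
+isSuperset: missingPermsInThis.length === 0 && isOrdinallyHigher,
+missingPermsInThis,
+missingPermsInOther,
+};
+}
+}
+export function newRoleFromDefinition(roleName, roleDef, perms) {
+const allAllowed = new Set();
+if (roleDef.allowedPermissions) {
+for (const permName of roleDef.allowedPermissions) {
+allAllowed.add(permName);
+}
+}
+if (perms) {
+for (const [permName, permDef] of Object.entries(perms)) {
+if (roleDef.allowedClassifications && roleDef.allowedClassifications.includes(permDef.classification)) {
+allAllowed.add(permName);
+}
+}
+}
+if (roleDef.deniedPermissions) {
+for (const permName of roleDef.deniedPermissions) {
+allAllowed.delete(permName);
+}
+}
+return new UserRole(roleName, allAllowed);
+}
+export function newRoleFromOrdinals(roleName, perms) {
+const roleOrdinalValue = resolvePresetOrdinalValue(roleName);
+if (!perms || roleName === UserPrivilegeLevel.UNKNOWN) {
+return new UserRole(roleName, new Set(), roleOrdinalValue);
+}
+const allAllowed = new Set();
+for (const [permName, permDef] of Object.entries(perms)) {
+if (roleOrdinalValue >= resolveRiskLevelOrdinalValue(permDef.classification)) {
+allAllowed.add(permName);
+}
+}
+return new UserRole(roleName, allAllowed, roleOrdinalValue);
+}
+function resolvePresetOrdinalValue(value) {
+const indexOfValue = Object.values(UserPrivilegeLevel).indexOf(value);
+return Object.keys(UserPrivilegeLevel).length - indexOfValue;
+}
+function resolveRiskLevelOrdinalValue(value) {
+return Object.keys(PermissionRiskLevel).length - Object.keys(PermissionRiskLevel).indexOf(value.toUpperCase());
+}
+//# sourceMappingURL=userRole.js.map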
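Review bot: resolvePresetOrdinalValue (line 68) returns `length - indexOf`, so a value that is not in UserPrivilegeLevel yields `length + 1`, the highest ordinal of all, and newRoleFromOrdinals then allows every classified permission for that role; the declaration types the parameter as UserPrivilegeLevel and the only caller on this page passes enum values, but the function is exported, so a guard such as `if (indexOfValue < 0) throw new Error('unknown privilege level: ' + value);` keeps that fail-open path unreachable. resolveRiskLevelOrdinalValue (line 73) is the mirror case and fails closed, but it looks up `Object.keys(...)` with `value.toUpperCase()` while the preset lookup uses `Object.values(...)`, so both silently depend on enum declaration order and on keys equalling the uppercased values; a one-line comment on each stating that the ordinal is the reverse declaration index would record that contract. In compareWith (line 17) the `this.roleOrdinalValue && otherRole.roleOrdinalValue` guard treats a falsy ordinal as absent and then defaults `isOrdinallyHigher` to `true`; `this.roleOrdinalValue != null && otherRole.roleOrdinalValue != null` is the intended test.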
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"userRole.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/roles/userRole.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,mBAAmB,EAEnB,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAG5B,MAAM,CAAC,OAAO,OAAO,QAAQ;IAElB;IACC;IACA;IAHV,YACS,QAAgB,EACf,kBAA+B,EAC/B,gBAAyB;QAF1B,aAAQ,GAAR,QAAQ,CAAQ;QACf,uBAAkB,GAAlB,kBAAkB,CAAa;QAC/B,qBAAgB,GAAhB,gBAAgB,CAAS;IAChC,CAAC;IAEG,SAAS,CAAC,cAAsB;QACrC,OAAO,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IACrD,CAAC;IAEM,WAAW,CAAC,SAAmB;QACpC,MAAM,mBAAmB,GAAG,IAAI,KAAK,EAAU,CAAC;QAChD,MAAM,kBAAkB,GAAG,IAAI,KAAK,EAAU,CAAC;QAC/C,MAAM,iBAAiB,GACrB,IAAI,CAAC,gBAAgB,IAAI,SAAS,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,gBAAgB,IAAI,SAAS,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC;QACnH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,kBAAkB,EAAE,GAAG,SAAS,CAAC,kBAAkB,CAAC,CAAC,CAAC;QACtF,KAAK,MAAM,IAAI,IAAI,MAAM,EAAE,CAAC;YAC1B,IAAI,CAAC,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvC,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAChC,CAAC;YACD,IAAI,CAAC,SAAS,CAAC,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC5C,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,CAAC;QACH,CAAC;QACD,OAAO;YACL,UAAU,EAAE,kBAAkB,CAAC,MAAM,KAAK,CAAC,IAAI,iBAAiB;YAChE,kBAAkB;YAClB,mBAAmB;SACpB,CAAC;IACJ,CAAC;CACF;AAED,MAAM,UAAU,qBAAqB,CACnC,QAAgB,EAChB,OAAkC,EAClC,KAAiC;IAEjC,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IACrC,IAAI,OAAO,CAAC,kBAAkB,EAAE,CAAC;QAC/B,KAAK,MAAM,QAAQ,IAAI,OAAO,CAAC,kBAAkB,EAAE,CAAC;YAClD,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC3B,CAAC;IACH,CAAC;IACD,IAAI,KAAK,EAAE,CAAC;QACV,KAAK,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YACxD,IAAI,OAAO,CAAC,sBAAsB,IAAI,OAAO,CAAC,sBAAsB,CAAC,QAAQ,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;gBACtG,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAC3B,CAAC;QACH,CAAC;IACH,CAAC;IACD,IAAI,OAAO,CAAC,iBAAiB,EAAE,CAAC;QAC9B,KAAK,MAAM,QAAQ,IAAI,OAAO,CAAC,iBAAiB,EAAE,CAAC;YACjD,UAAU,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAC9B,CAAC;IACH,CAAC;IACD,OAAO,IAAI,QAAQ,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;AAC5C,CAAC;AAED,M
AAM,UAAU,mBAAmB,CAAC,QAA4B,EAAE,KAAiC;IACjG,MAAM,gBAAgB,GAAG,yBAAyB,CAAC,QAAQ,CAAC,CAAC;IAC7D,IAAI,CAAC,KAAK,IAAI,QAAQ,KAAK,kBAAkB,CAAC,OAAO,EAAE,CAAC;QACtD,OAAO,IAAI,QAAQ,CAAC,QAAQ,EAAE,IAAI,GAAG,EAAU,EAAE,gBAAgB,CAAC,CAAC;IACrE,CAAC;IACD,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IACrC,KAAK,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACxD,IAAI,gBAAgB,IAAI,4BAA4B,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;YAC7E,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC3B,CAAC;IACH,CAAC;IACD,OAAO,IAAI,QAAQ,CAAC,QAAQ,EAAE,UAAU,EAAE,gBAAgB,CAAC,CAAC;AAC9D,CAAC;AAED,SAAS,yBAAyB,CAAC,KAAyB;IAC1D,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IACtE,OAAO,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,MAAM,GAAG,YAAY,CAAC;AAC/D,CAAC;AAED,SAAS,4BAA4B,CAAC,KAAa;IACjD,OAAO,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC;AACjH,CAAC"}
|
|
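--- a/package/lib/libs/audit-engine/registry/rules/enforcePermissionPresets.d.ts
+++ b/package/lib/libs/audit-engine/registry/rules/enforcePermissionPresets.d.ts
@@ -2,8 +2,10 @@ import { PartialPolicyRuleResult, RuleAuditContext } from '../context.types.js';
 import { ResolvedUser } from '../policies/users.js';
 import PolicyRule, { RuleOptions } from './policyRule.js';
 export default class EnforcePermissionPresets extends PolicyRule<ResolvedUser> {
+private readonly roleManager;
 constructor(opts: RuleOptions);
 run(context: RuleAuditContext<ResolvedUser>): Promise<PartialPolicyRuleResult>;
 private resolveProfileRole;
 private resolvePermissionSetRole;
+private auditPermissionsEntity;
 }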
@@ -1,24 +1,28 @@
|
|
|
1
1
|
import { Messages } from '@salesforce/core';
|
|
2
2
|
import { capitalize } from '../../../../utils.js';
|
|
3
|
-
import
|
|
3
|
+
import RoleManager from '../roles/roleManager.js';
|
|
4
4
|
import { UserPrivilegeLevel } from '../shape/schema.js';
|
|
5
5
|
import PolicyRule from './policyRule.js';
|
|
6
6
|
Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
|
|
7
7
|
const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.users');
|
|
8
8
|
export default class EnforcePermissionPresets extends PolicyRule {
|
|
9
|
+
roleManager;
|
|
9
10
|
constructor(opts) {
|
|
10
11
|
super(opts);
|
|
12
|
+
this.roleManager = new RoleManager(opts.auditConfig.definitions.roles, {
|
|
13
|
+
userPermissions: opts.auditConfig.classifications.userPermissions?.permissions,
|
|
14
|
+
});
|
|
11
15
|
}
|
|
12
16
|
run(context) {
|
|
13
17
|
const result = this.initResult();
|
|
14
18
|
const users = context.resolvedEntities;
|
|
15
19
|
for (const user of Object.values(users)) {
|
|
16
20
|
const profileRole = this.resolveProfileRole(user.profileName);
|
|
17
|
-
auditPermissionsEntity(result, user, 'profile', user.profileName, profileRole);
|
|
21
|
+
this.auditPermissionsEntity(result, user, 'profile', user.profileName, profileRole);
|
|
18
22
|
if (user.assignments) {
|
|
19
23
|
for (const assignment of user.assignments) {
|
|
20
24
|
const permsetRole = this.resolvePermissionSetRole(assignment.permissionSetIdentifier);
|
|
21
|
-
auditPermissionsEntity(result, user, 'permission set', assignment.permissionSetIdentifier, permsetRole);
|
|
25
|
+
this.auditPermissionsEntity(result, user, 'permission set', assignment.permissionSetIdentifier, permsetRole);
|
|
22
26
|
}
|
|
23
27
|
}
|
|
24
28
|
}
|
|
@@ -30,31 +34,40 @@ export default class EnforcePermissionPresets extends PolicyRule {
|
|
|
30
34
|
resolvePermissionSetRole(permsetName) {
|
|
31
35
|
return this.auditConfig.classifications.permissionSets?.permissionSets[permsetName]?.role;
|
|
32
36
|
}
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
}
|
|
37
|
+
auditPermissionsEntity(result, user, entityType, entityIdentifier, entityPreset) {
|
|
38
|
+
if (entityPreset) {
|
|
39
|
+
if (entityPreset === UserPrivilegeLevel.UNKNOWN.toString()) {
|
|
40
|
+
result.violations.push({
|
|
41
|
+
identifier: [user.username, entityIdentifier],
|
|
42
|
+
message: messages.getMessage('violations.entity-unknown-but-used', [capitalize(entityType)]),
|
|
43
|
+
});
|
|
44
|
+
}
|
|
45
|
+
else if (!this.roleManager.isValidRole(entityPreset)) {
|
|
46
|
+
result.violations.push({
|
|
47
|
+
identifier: [user.username, entityIdentifier],
|
|
48
|
+
message: messages.getMessage('violations.invalid-entity-role', [capitalize(entityType), entityPreset]),
|
|
49
|
+
});
|
|
50
|
+
}
|
|
51
|
+
else if (this.roleManager.isValidRole(entityPreset) && this.roleManager.isValidRole(user.role)) {
|
|
52
|
+
const compareResult = this.roleManager.compare(user.role, entityPreset);
|
|
53
|
+
if (!compareResult.isSuperset) {
|
|
54
|
+
result.violations.push({
|
|
55
|
+
identifier: [user.username, entityIdentifier],
|
|
56
|
+
message: messages.getMessage('violations.entity-not-allowed-for-user-role', [
|
|
57
|
+
user.role,
|
|
58
|
+
entityType,
|
|
59
|
+
entityPreset,
|
|
60
|
+
]),
|
|
61
|
+
});
|
|
62
|
+
}
|
|
63
|
+
}
|
|
41
64
|
}
|
|
42
|
-
else
|
|
65
|
+
else {
|
|
43
66
|
result.violations.push({
|
|
44
67
|
identifier: [user.username, entityIdentifier],
|
|
45
|
-
message: messages.getMessage('violations.entity-not-
|
|
46
|
-
user.role,
|
|
47
|
-
entityType,
|
|
48
|
-
entityPreset,
|
|
49
|
-
]),
|
|
68
|
+
message: messages.getMessage('violations.entity-not-classified-but-used', [capitalize(entityType), entityType]),
|
|
50
69
|
});
|
|
51
70
|
}
|
|
52
71
|
}
|
|
53
|
-
else {
|
|
54
|
-
result.violations.push({
|
|
55
|
-
identifier: [user.username, entityIdentifier],
|
|
56
|
-
message: messages.getMessage('violations.entity-not-classified-but-used', [capitalize(entityType), entityType]),
|
|
57
|
-
});
|
|
58
|
-
}
|
|
59
72
|
}
|
|
60
73
|
//# sourceMappingURL=enforcePermissionPresets.js.map
|
|
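Review bot: In auditPermissionsEntity the third branch (new line 51) re-tests `this.roleManager.isValidRole(entityPreset)`, which the preceding `else if` has already established, and when `user.role` is not a valid role the method records nothing for an entity that does carry a valid preset, so the superset comparison is silently skipped; unless another rule reports invalid user roles, that case deserves at least a comment, and the condition reduces to `else if (this.roleManager.isValidRole(user.role)) {`. isValidRole normalizes with `roleName.toUpperCase()`, so if ResolvedUser.role can be undefined this branch throws a TypeError instead of skipping; the declarations on this page do not show that type, so it is worth confirming. The same construction appears in the first hunk and in enforcePermissionsOnProfileLike.js: `opts.auditConfig.definitions.roles` is read without a guard, which is fine only if the config schema guarantees `definitions` is present.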
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"enforcePermissionPresets.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionPresets.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAElD,OAAO,
|
|
1
|
+
{"version":3,"file":"enforcePermissionPresets.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionPresets.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAElD,OAAO,WAAW,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,aAAa,CAAC,CAAC;AAE5F,MAAM,CAAC,OAAO,OAAO,wBAAyB,SAAQ,UAAwB;IAC3D,WAAW,CAAC;IAE7B,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;QACZ,IAAI,CAAC,WAAW,GAAG,IAAI,WAAW,CAAC,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,KAAK,EAAE;YACrE,eAAe,EAAE,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,eAAe,EAAE,WAAW;SAC/E,CAAC,CAAC;IACL,CAAC;IAEM,GAAG,CAAC,OAAuC;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,KAAK,GAAG,OAAO,CAAC,gBAAgB,CAAC;QACvC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;YACxC,MAAM,WAAW,GAAG,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC9D,IAAI,CAAC,sBAAsB,CAAC,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;YACpF,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;gBACrB,KAAK,MAAM,UAAU,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;oBAC1C,MAAM,WAAW,GAAG,IAAI,CAAC,wBAAwB,CAAC,UAAU,CAAC,uBAAuB,CAAC,CAAC;oBACtF,IAAI,CAAC,sBAAsB,CAAC,MAAM,EAAE,IAAI,EAAE,gBAAgB,EAAE,UAAU,CAAC,uBAAuB,EAAE,WAAW,CAAC,CAAC;gBAC/G,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;IAEO,kBAAkB,CAAC,WAAmB;QAC5C,OAAO,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,QAAQ,EAAE,QAAQ,CAAC,WAAW,CAAC,EAAE,IAAI,CAAC;IAChF,CAAC;IAEO,wBAAwB,CAAC,WAAmB;QAClD,OAAO,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,cAAc,EAAE,cAAc,CAAC,WAAW,CAAC,EAAE,IAAI,CAAC;IAC5F,CAAC;IAEO,sBAAsB,CAC5B,MAA+B,EAC/B,IAAkB,EAClB,UAAkB,EAClB,gBAAwB,EACxB,YAAqB;QAErB,IAAI,YAAY,EAAE,CAAC;YACjB,IAAI,YAAY,KAAK,kBAAkB,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC;gBAC3D,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;oBACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,CAAC;oBAC7C,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,o
CAAoC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC;iBAC7F,CAAC,CAAC;YACL,CAAC;iBAAM,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,YAAY,CAAC,EAAE,CAAC;gBACvD,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;oBACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,CAAC;oBAC7C,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,gCAAgC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,YAAY,CAAC,CAAC;iBACvG,CAAC,CAAC;YACL,CAAC;iBAAM,IAAI,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,YAAY,CAAC,IAAI,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACjG,MAAM,aAAa,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;gBACxE,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,CAAC;oBAC9B,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;wBACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,CAAC;wBAC7C,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,6CAA6C,EAAE;4BAC1E,IAAI,CAAC,IAAI;4BACT,UAAU;4BACV,YAAY;yBACb,CAAC;qBACH,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;gBACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,CAAC;gBAC7C,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,2CAA2C,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,UAAU,CAAC,CAAC;aAChH,CAAC,CAAC;QACL,CAAC;IACH,CAAC;CACF"}
|
|
@@ -1,7 +1,8 @@
|
|
|
1
1
|
import { PartialPolicyRuleResult, RuleAuditContext } from '../context.types.js';
|
|
2
|
-
import { ResolvedProfileLike } from '../
|
|
2
|
+
import { ResolvedProfileLike } from '../roles/roleManager.types.js';
|
|
3
3
|
import PolicyRule, { RuleOptions } from './policyRule.js';
|
|
4
4
|
export default class EnforcePermissionsOnProfileLike extends PolicyRule<ResolvedProfileLike> {
|
|
5
|
+
private readonly roleManager;
|
|
5
6
|
constructor(opts: RuleOptions);
|
|
6
7
|
run(context: RuleAuditContext<ResolvedProfileLike>): Promise<PartialPolicyRuleResult>;
|
|
7
8
|
}
|
|
@@ -1,23 +1,33 @@
|
|
|
1
|
+
import { Messages } from '@salesforce/core';
|
|
1
2
|
import { isNullish } from '../../../../utils.js';
|
|
2
|
-
import
|
|
3
|
+
import RoleManager from '../roles/roleManager.js';
|
|
3
4
|
import PolicyRule from './policyRule.js';
|
|
5
|
+
Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
|
|
6
|
+
const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.enforceClassificationPresets');
|
|
4
7
|
export default class EnforcePermissionsOnProfileLike extends PolicyRule {
|
|
8
|
+
roleManager;
|
|
5
9
|
constructor(opts) {
|
|
6
10
|
super(opts);
|
|
11
|
+
this.roleManager = new RoleManager(opts.auditConfig.definitions.roles, {
|
|
12
|
+
userPermissions: opts.auditConfig.classifications.userPermissions?.permissions,
|
|
13
|
+
customPermissions: opts.auditConfig.classifications.customPermissions?.permissions,
|
|
14
|
+
});
|
|
7
15
|
}
|
|
8
16
|
run(context) {
|
|
9
17
|
const result = this.initResult();
|
|
10
18
|
const resolvedProfiles = context.resolvedEntities;
|
|
11
19
|
for (const profile of Object.values(resolvedProfiles)) {
|
|
12
|
-
if (!
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
20
|
+
if (!this.roleManager.isValidRole(profile.role)) {
|
|
21
|
+
result.errors.push({
|
|
22
|
+
identifier: [profile.name],
|
|
23
|
+
message: messages.getMessage('error.failed-to-resolve-role', [profile.role]),
|
|
24
|
+
});
|
|
25
|
+
continue;
|
|
16
26
|
}
|
|
17
|
-
if (!isNullish(profile.metadata
|
|
18
|
-
const
|
|
19
|
-
result.violations.push(...
|
|
20
|
-
result.warnings.push(...
|
|
27
|
+
if (!isNullish(profile.metadata)) {
|
|
28
|
+
const profileScanResult = this.roleManager.scanProfileLike(profile);
|
|
29
|
+
result.violations.push(...profileScanResult.violations);
|
|
30
|
+
result.warnings.push(...profileScanResult.warnings);
|
|
21
31
|
}
|
|
22
32
|
}
|
|
23
33
|
return Promise.resolve(result);
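Review bot: A profile whose `role` is not known to the RoleManager is pushed to `result.errors` and then skipped with `continue`, so none of its permissions are checked against any preset; that is only the right outcome if the audit run treats a non-empty `errors` array as a failed audit rather than as a warning, which this hunk cannot confirm. I would state the intent above the check: `// Unresolvable role: report it and skip the scan; a run with errors must not be reported as passing.` The RoleManager construction in the constructor is repeated verbatim in the enforcePermissionsOnUser.js hunk; a single shared helper (for example a static `RoleManager.fromAuditConfig(opts.auditConfig)`) would keep the two rules from drifting when the classification inputs change. The message bundle loaded here is `rules.enforceClassificationPresets` while the file is enforcePermissionsOnProfileLike; presumably the bundle is shared, but it is worth confirming that `error.failed-to-resolve-role` is defined there.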
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"enforcePermissionsOnProfileLike.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"enforcePermissionsOnProfileLike.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AAEjD,OAAO,WAAW,MAAM,yBAAyB,CAAC;AAElD,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,oCAAoC,CAAC,CAAC;AAEnH,MAAM,CAAC,OAAO,OAAO,+BAAgC,SAAQ,UAA+B;IACzE,WAAW,CAAC;IAE7B,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;QACZ,IAAI,CAAC,WAAW,GAAG,IAAI,WAAW,CAAC,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,KAAK,EAAE;YACrE,eAAe,EAAE,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,eAAe,EAAE,WAAW;YAC9E,iBAAiB,EAAE,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,iBAAiB,EAAE,WAAW;SACnF,CAAC,CAAC;IACL,CAAC;IAEM,GAAG,CAAC,OAA8C;QACvD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC;QAClD,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE,CAAC;YACtD,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChD,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;oBACjB,UAAU,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;oBAC1B,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,8BAA8B,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;iBAC7E,CAAC,CAAC;gBACH,SAAS;YACX,CAAC;YACD,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACjC,MAAM,iBAAiB,GAAG,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;gBACpE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,UAAU,CAAC,CAAC;gBACxD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;YACtD,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF"}
|
|
@@ -2,6 +2,7 @@ import { PartialPolicyRuleResult, RuleAuditContext } from '../context.types.js';
|
|
|
2
2
|
import { ResolvedUser } from '../policies/users.js';
|
|
3
3
|
import PolicyRule, { RuleOptions } from './policyRule.js';
|
|
4
4
|
export default class EnforcePermissionsOnUser extends PolicyRule<ResolvedUser> {
|
|
5
|
+
private readonly roleManager;
|
|
5
6
|
constructor(opts: RuleOptions);
|
|
6
7
|
run(context: RuleAuditContext<ResolvedUser>): Promise<PartialPolicyRuleResult>;
|
|
7
8
|
private scanAssignedPermissionSets;
|
|
@@ -1,18 +1,33 @@
|
|
|
1
|
-
import {
|
|
1
|
+
import { Messages } from '@salesforce/core';
|
|
2
|
+
import RoleManager from '../roles/roleManager.js';
|
|
2
3
|
import PolicyRule from './policyRule.js';
|
|
4
|
+
Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
|
|
5
|
+
const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.enforceClassificationPresets');
|
|
3
6
|
export default class EnforcePermissionsOnUser extends PolicyRule {
|
|
7
|
+
roleManager;
|
|
4
8
|
constructor(opts) {
|
|
5
9
|
super(opts);
|
|
10
|
+
this.roleManager = new RoleManager(opts.auditConfig.definitions.roles, {
|
|
11
|
+
userPermissions: opts.auditConfig.classifications.userPermissions?.permissions,
|
|
12
|
+
customPermissions: opts.auditConfig.classifications.customPermissions?.permissions,
|
|
13
|
+
});
|
|
6
14
|
}
|
|
7
15
|
run(context) {
|
|
8
16
|
const result = this.initResult();
|
|
9
17
|
const users = context.resolvedEntities;
|
|
10
18
|
for (const user of Object.values(users)) {
|
|
19
|
+
if (!this.roleManager.isValidRole(user.role)) {
|
|
20
|
+
result.errors.push({
|
|
21
|
+
identifier: [user.username],
|
|
22
|
+
message: messages.getMessage('error.failed-to-resolve-role', [user.role]),
|
|
23
|
+
});
|
|
24
|
+
continue;
|
|
25
|
+
}
|
|
11
26
|
const { violations, warnings } = this.scanAssignedPermissionSets(user, user.assignments);
|
|
12
27
|
result.violations.push(...violations);
|
|
13
28
|
result.warnings.push(...warnings);
|
|
14
29
|
if (user.profileMetadata) {
|
|
15
|
-
const profileResult = scanProfileLike({ role: user.role, metadata: user.profileMetadata, name: user.profileName },
|
|
30
|
+
const profileResult = this.roleManager.scanProfileLike({ role: user.role, metadata: user.profileMetadata, name: user.profileName }, [user.username]);
|
|
16
31
|
result.violations.push(...profileResult.violations);
|
|
17
32
|
result.warnings.push(...profileResult.warnings);
|
|
18
33
|
}
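Review bot: The new role check rejects `user.role` per user, so if that value came from `defaultRoleForMissingUsers` (a `ZodDefault<ZodString>` in the schema declaration further down this diff) and the default names a role absent from `definitions.roles`, every such user yields the same `error.failed-to-resolve-role` entry and has neither profile nor permission sets scanned; validating the default once against `definitions.roles` at config load would surface the misconfiguration before any user is skipped. This hunk does not show where the default is applied, so confirm that path in the user resolver. The second argument `[user.username]` passed to `scanProfileLike` is undocumented at the call site; a short comment saying what RoleManager does with it (presumably it prefixes the identifiers of findings from the user's profile and permission sets) would make the identifier layout clear to readers.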
|
|
@@ -28,7 +43,7 @@ export default class EnforcePermissionsOnUser extends PolicyRule {
|
|
|
28
43
|
if (!assignedPermSet.metadata) {
|
|
29
44
|
continue;
|
|
30
45
|
}
|
|
31
|
-
const permsetScan = scanProfileLike({ role: user.role, metadata: assignedPermSet.metadata, name: assignedPermSet.permissionSetIdentifier },
|
|
46
|
+
const permsetScan = this.roleManager.scanProfileLike({ role: user.role, metadata: assignedPermSet.metadata, name: assignedPermSet.permissionSetIdentifier }, [user.username]);
|
|
32
47
|
result.violations.push(...permsetScan.violations);
|
|
33
48
|
result.warnings.push(...permsetScan.warnings);
|
|
34
49
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"enforcePermissionsOnUser.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionsOnUser.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"enforcePermissionsOnUser.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionsOnUser.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C,OAAO,WAAW,MAAM,yBAAyB,CAAC;AAGlD,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,oCAAoC,CAAC,CAAC;AAEnH,MAAM,CAAC,OAAO,OAAO,wBAAyB,SAAQ,UAAwB;IAC3D,WAAW,CAAC;IAE7B,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;QACZ,IAAI,CAAC,WAAW,GAAG,IAAI,WAAW,CAAC,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,KAAK,EAAE;YACrE,eAAe,EAAE,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,eAAe,EAAE,WAAW;YAC9E,iBAAiB,EAAE,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,iBAAiB,EAAE,WAAW;SACnF,CAAC,CAAC;IACL,CAAC;IAEM,GAAG,CAAC,OAAuC;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,KAAK,GAAG,OAAO,CAAC,gBAAgB,CAAC;QACvC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;YACxC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7C,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;oBACjB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC;oBAC3B,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,8BAA8B,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;iBAC1E,CAAC,CAAC;gBACH,SAAS;YACX,CAAC;YACD,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,0BAA0B,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;YACzF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC;YACtC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;YAClC,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;gBACzB,MAAM,aAAa,GAAG,IAAI,CAAC,WAAW,CAAC,eAAe,CACpD,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,QAAQ,EAAE,IAAI,CAAC,eAAe,EAAE,IAAI,EAAE,IAAI,CAAC,WAAW,EAAE,EAC3E,CAAC,IAAI,CAAC,QAAQ,CAAC,CAChB,CAAC;gBACF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,UAAU,CAAC,CAAC;gBACpD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;YAClD,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;IAEO,0BAA0B,CAAC,IAAkB,EAAE,WAAwC;QAC7F,MAAM,MAAM,GAAe,EAAE,UAAU,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;QAC5D,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB
,OAAO,MAAM,CAAC;QAChB,CAAC;QACD,KAAK,MAAM,eAAe,IAAI,WAAW,EAAE,CAAC;YAC1C,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,CAAC;gBAC9B,SAAS;YACX,CAAC;YACD,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC,eAAe,CAClD,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,QAAQ,EAAE,eAAe,CAAC,QAAQ,EAAE,IAAI,EAAE,eAAe,CAAC,uBAAuB,EAAE,EACtG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAChB,CAAC;YACF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,UAAU,CAAC,CAAC;YAClD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC;QAChD,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;CACF"}
|
|
@@ -4,6 +4,17 @@
|
|
|
4
4
|
* the audit config that is used by rules and policies.
|
|
5
5
|
*/
|
|
6
6
|
export declare const BaseAuditConfigShape: {
|
|
7
|
+
definitions: {
|
|
8
|
+
files: {
|
|
9
|
+
roles: {
|
|
10
|
+
schema: import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
|
|
11
|
+
allowedClassifications: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodEnum<typeof import("./schema.js").PermissionRiskLevel>>>;
|
|
12
|
+
allowedPermissions: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
|
|
13
|
+
deniedPermissions: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
|
|
14
|
+
}, import("zod/v4/core").$strip>>;
|
|
15
|
+
};
|
|
16
|
+
};
|
|
17
|
+
};
|
|
7
18
|
classifications: {
|
|
8
19
|
files: {
|
|
9
20
|
userPermissions: {
|
|
@@ -29,7 +40,7 @@ export declare const BaseAuditConfigShape: {
|
|
|
29
40
|
profiles: {
|
|
30
41
|
schema: import("zod").ZodObject<{
|
|
31
42
|
profiles: import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
|
|
32
|
-
role: import("zod").
|
|
43
|
+
role: import("zod").ZodString;
|
|
33
44
|
allowedLoginIps: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodObject<{
|
|
34
45
|
from: import("zod").ZodString;
|
|
35
46
|
to: import("zod").ZodString;
|
|
@@ -41,7 +52,7 @@ export declare const BaseAuditConfigShape: {
|
|
|
41
52
|
permissionSets: {
|
|
42
53
|
schema: import("zod").ZodObject<{
|
|
43
54
|
permissionSets: import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
|
|
44
|
-
role: import("zod").
|
|
55
|
+
role: import("zod").ZodString;
|
|
45
56
|
}, import("zod/v4/core").$strict>>;
|
|
46
57
|
}, import("zod/v4/core").$strip>;
|
|
47
58
|
entities: string;
|
|
@@ -49,7 +60,7 @@ export declare const BaseAuditConfigShape: {
|
|
|
49
60
|
users: {
|
|
50
61
|
schema: import("zod").ZodObject<{
|
|
51
62
|
users: import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
|
|
52
|
-
role: import("zod").
|
|
63
|
+
role: import("zod").ZodString;
|
|
53
64
|
}, import("zod/v4/core").$strip>>;
|
|
54
65
|
}, import("zod/v4/core").$strip>;
|
|
55
66
|
entities: string;
|
|
@@ -104,7 +115,7 @@ export declare const BaseAuditConfigShape: {
|
|
|
104
115
|
options: import("zod").ZodOptional<import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodUnknown>>;
|
|
105
116
|
}, import("zod/v4/core").$strip>>>;
|
|
106
117
|
options: import("zod").ZodObject<{
|
|
107
|
-
defaultRoleForMissingUsers: import("zod").ZodDefault<import("zod").
|
|
118
|
+
defaultRoleForMissingUsers: import("zod").ZodDefault<import("zod").ZodString>;
|
|
108
119
|
analyseLastNDaysOfLoginHistory: import("zod").ZodOptional<import("zod").ZodNumber>;
|
|
109
120
|
}, import("zod/v4/core").$strict>;
|
|
110
121
|
}, import("zod/v4/core").$strip>;
|