@j-schreiber/sf-cli-security-audit 0.18.2 → 0.19.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +3 -3
- package/lib/libs/audit-engine/auditRun.js +1 -1
- package/lib/libs/audit-engine/auditRun.js.map +1 -1
- package/lib/libs/audit-engine/auditRunLifecycle.d.ts +12 -0
- package/lib/libs/audit-engine/auditRunLifecycle.js +16 -0
- package/lib/libs/audit-engine/auditRunLifecycle.js.map +1 -0
- package/lib/libs/audit-engine/file-manager/fileManager.d.ts +3 -2
- package/lib/libs/audit-engine/file-manager/fileManager.js +19 -9
- package/lib/libs/audit-engine/file-manager/fileManager.js.map +1 -1
- package/lib/libs/audit-engine/file-manager/fileManager.types.d.ts +4 -0
- package/lib/libs/audit-engine/index.d.ts +15 -4
- package/lib/libs/audit-engine/index.js +2 -1
- package/lib/libs/audit-engine/index.js.map +1 -1
- package/lib/libs/audit-engine/registry/definitions.d.ts +15 -4
- package/lib/libs/audit-engine/registry/policies/permissionSets.d.ts +2 -2
- package/lib/libs/audit-engine/registry/policies/permissionSets.js +1 -1
- package/lib/libs/audit-engine/registry/policies/permissionSets.js.map +1 -1
- package/lib/libs/audit-engine/registry/policies/profiles.js +1 -1
- package/lib/libs/audit-engine/registry/policies/profiles.js.map +1 -1
- package/lib/libs/audit-engine/registry/policies/users.d.ts +2 -2
- package/lib/libs/audit-engine/registry/policies/users.js +1 -1
- package/lib/libs/audit-engine/registry/policies/users.js.map +1 -1
- package/lib/libs/audit-engine/registry/roles/roleManager.d.ts +62 -0
- package/lib/libs/audit-engine/registry/roles/roleManager.js +168 -0
- package/lib/libs/audit-engine/registry/roles/roleManager.js.map +1 -0
- package/lib/libs/audit-engine/registry/roles/roleManager.types.d.ts +43 -0
- package/lib/libs/audit-engine/registry/roles/roleManager.types.js +2 -0
- package/lib/libs/audit-engine/registry/roles/roleManager.types.js.map +1 -0
- package/lib/libs/audit-engine/registry/roles/userRole.d.ts +12 -0
- package/lib/libs/audit-engine/registry/roles/userRole.js +75 -0
- package/lib/libs/audit-engine/registry/roles/userRole.js.map +1 -0
- package/lib/libs/audit-engine/registry/rules/enforcePermissionPresets.d.ts +2 -0
- package/lib/libs/audit-engine/registry/rules/enforcePermissionPresets.js +36 -23
- package/lib/libs/audit-engine/registry/rules/enforcePermissionPresets.js.map +1 -1
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.d.ts +2 -1
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.js +19 -9
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.js.map +1 -1
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnUser.d.ts +1 -0
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnUser.js +18 -3
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnUser.js.map +1 -1
- package/lib/libs/audit-engine/registry/shape/auditConfigShape.d.ts +15 -4
- package/lib/libs/audit-engine/registry/shape/auditConfigShape.js +6 -1
- package/lib/libs/audit-engine/registry/shape/auditConfigShape.js.map +1 -1
- package/lib/libs/audit-engine/registry/shape/schema.d.ts +14 -7
- package/lib/libs/audit-engine/registry/shape/schema.js +10 -3
- package/lib/libs/audit-engine/registry/shape/schema.js.map +1 -1
- package/lib/libs/audit-engine/registry/shape/shapeValidation.d.ts +3 -0
- package/lib/libs/audit-engine/registry/shape/shapeValidation.js +37 -0
- package/lib/libs/audit-engine/registry/shape/shapeValidation.js.map +1 -0
- package/lib/libs/conf-init/auditConfig.js +1 -1
- package/lib/libs/conf-init/auditConfig.js.map +1 -1
- package/lib/salesforce/repositories/connected-apps/connected-apps.js +3 -2
- package/lib/salesforce/repositories/connected-apps/connected-apps.js.map +1 -1
- package/lib/salesforce/repositories/users/queries.d.ts +0 -1
- package/lib/salesforce/repositories/users/queries.js +0 -3
- package/lib/salesforce/repositories/users/queries.js.map +1 -1
- package/messages/auditShapeValidation.md +11 -0
- package/messages/org.audit.run.md +4 -4
- package/messages/rules.enforceClassificationPresets.md +12 -0
- package/messages/rules.users.md +4 -0
- package/oclif.manifest.json +1 -1
- package/package.json +2 -1
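--- a/package/lib/libs/audit-engine/registry/roles/roleManager.js
+++ b/package/lib/libs/audit-engine/registry/roles/roleManager.js
@@ -0,0 +1,168 @@
+import { EventEmitter } from 'node:events';
+import { Messages } from '@salesforce/core';
+import { PermissionRiskLevel, UserPrivilegeLevel, } from '../shape/schema.js';
+import { AuditRunLifecycleBus } from '../../auditRunLifecycle.js';
+import { newRoleFromDefinition, newRoleFromOrdinals } from './userRole.js';
+Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
+const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.enforceClassificationPresets');
+export default class RoleManager extends EventEmitter {
+definitions;
+classifications;
+roles = {};
+constructor(definitions, classifications) {
+super();
+this.definitions = definitions;
+this.classifications = classifications;
+if (this.definitions) {
+for (const [roleName, roleDef] of Object.entries(this.definitions)) {
+const normalizedName = normalize(roleName);
+if (this.roles[normalizedName]) {
+AuditRunLifecycleBus.emitResolveWarn(messages.getMessage('DuplicateRoleAfterNormalization', [
+this.roles[normalizedName].roleName,
+normalizedName,
+]));
+}
+else {
+this.roles[normalizedName] = newRoleFromDefinition(roleName, roleDef, this.classifications?.userPermissions);
+}
+}
+}
+else {
+for (const legacyRole of Object.values(UserPrivilegeLevel)) {
+this.roles[normalize(legacyRole)] = newRoleFromOrdinals(legacyRole, this.classifications?.userPermissions);
+}
+}
+}
+/**
+* Scan userPermissions and customPermissions of a profile or permission set and
+* get a unified scan result with violations (risk level not allowed) and warnings
+* (risk level not classified)
+*
+* @param profileLike
+* @param auditRun
+* @param rootIdentifier Optional root identifier for messages to prepend.
+* @returns
+*/
+scanProfileLike(profileLike, rootIdentifier) {
+if (!profileLike.metadata) {
+return { violations: [], warnings: [] };
+}
+const userPermsResult = this.scanPermissions(profileLike, 'userPermissions', rootIdentifier);
+const customPermsResult = this.scanPermissions(profileLike, 'customPermissions', rootIdentifier);
+userPermsResult.violations.push(...customPermsResult.violations);
+userPermsResult.warnings.push(...customPermsResult.warnings);
+return userPermsResult;
+}
+/**
+* Checks if a role allows a certain classifcation level. If the role is
+* not configured or unknown, always returns false.
+*
+* @param roleName
+* @param permission
+* @returns
+*/
+allowsPermission(roleName, permission) {
+return this.getRole(roleName).isAllowed(permission);
+}
+/**
+* Checks if a given role name is a valid role for the context
+* of the current audit run.
+*
+* @param roleName
+* @returns
+*/
+isValidRole(roleName) {
+const normalisedRoleName = normalize(roleName);
+return Boolean(this.roles[normalisedRoleName]);
+}
+/**
+* Compares two roles (both must exist)
+*
+* @param baseRoleName
+* @param compareWithName
+* @returns
+*/
+compare(baseRoleName, compareWithName) {
+const baseRole = this.getRole(baseRoleName);
+const otherRole = this.getRole(compareWithName);
+return baseRole.compareWith(otherRole);
+}
+/**
+* Returns the role or throws an error, if role name is invalid.
+*
+* @param roleName
+* @returns
+*/
+getRole(roleName) {
+const normalisedRoleName = normalize(roleName);
+if (this.roles[normalisedRoleName]) {
+return this.roles[normalisedRoleName];
+}
+throw messages.createError('TriedToAccessRoleThatDoesNotExist', [roleName]);
+}
+// PRIVATE ZONE
+scanPermissions(profile, permissionListName, rootIdentifier) {
+const result = { warnings: [], violations: [] };
+for (const perm of profile.metadata[permissionListName]) {
+const identifier = rootIdentifier ? [...rootIdentifier, profile.name, perm.name] : [profile.name, perm.name];
+const permClassification = this.resolvePerm(perm.name, permissionListName);
+if (permClassification) {
+if (permClassification.classification === PermissionRiskLevel.BLOCKED) {
+result.violations.push({
+identifier,
+message: messages.getMessage('violations.permission-is-blocked'),
+});
+}
+else if (!this.allowsPermission(profile.role, permClassification.name)) {
+result.violations.push({
+identifier,
+message: messages.getMessage('violations.classification-preset-mismatch', [
+permClassification.classification,
+profile.role,
+]),
+});
+}
+else if (permClassification.classification === PermissionRiskLevel.UNKNOWN) {
+result.warnings.push({
+identifier,
+message: messages.getMessage('warnings.permission-unknown'),
+});
+}
+}
+else {
+result.warnings.push({
+identifier,
+message: messages.getMessage('warnings.permission-not-classified'),
+});
+}
+}
+return result;
+}
+resolvePerm(permName, listName) {
+if (listName === 'userPermissions') {
+return this.resolveUserPerm(permName);
+}
+else if (listName === 'customPermissions') {
+return this.resolveCustomPerm(permName);
+}
+}
+resolveUserPerm(permName) {
+if (this.classifications?.userPermissions) {
+return nameClassification(permName, this.classifications.userPermissions[permName]);
+}
+return undefined;
+}
+resolveCustomPerm(permName) {
+if (this.classifications?.customPermissions) {
+return nameClassification(permName, this.classifications.customPermissions[permName]);
+}
+return undefined;
+}
+}
+function nameClassification(permName, perm) {
+return perm ? { name: permName, ...perm } : undefined;
+}
+function normalize(roleName) {
+return roleName.toUpperCase().replaceAll(' ', '_');
+}
+//# sourceMappingURL=roleManager.js.map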
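Review bot: `scanPermissions` iterates `profile.metadata[permissionListName]` directly, so a profile or permission set whose metadata carries no `customPermissions` (or `userPermissions`) entry throws a TypeError from the for-of instead of yielding an empty result, and `scanProfileLike` only guards the absence of `metadata` itself; if those lists are optional on the jsforce `Profile` type, as the `Pick` in roleManager.types.d.ts suggests, the loop should read `for (const perm of profile.metadata[permissionListName] ?? []) {`. Separately, `resolveUserPerm` and `resolveCustomPerm` index the classification map with a permission name taken from org metadata, so a name that happens to match an inherited `Object.prototype` property would resolve to a function rather than `undefined`; reading via `Object.hasOwn(map, permName) ? map[permName] : undefined` keeps the lookup to configured entries. The JSDoc on `scanProfileLike` lists a `@param auditRun` the method does not take, and `allowsPermission` is documented as checking a classification level while it is called with `permClassification.name`; both comments should be corrected to describe the actual parameters.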
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"roleManager.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/roles/roleManager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAEL,mBAAmB,EAEnB,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AAQlE,OAAiB,EAAE,qBAAqB,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAC;AAErF,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,oCAAoC,CAAC,CAAC;AAOnH,MAAM,CAAC,OAAO,OAAO,WAAY,SAAQ,YAAY;IAGxB;IAAuC;IAF1D,KAAK,GAA6B,EAAE,CAAC;IAE7C,YAA2B,WAA6B,EAAU,eAA0C;QAC1G,KAAK,EAAE,CAAC;QADiB,gBAAW,GAAX,WAAW,CAAkB;QAAU,oBAAe,GAAf,eAAe,CAA2B;QAE1G,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACrB,KAAK,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;gBACnE,MAAM,cAAc,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;gBAC3C,IAAI,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,EAAE,CAAC;oBAC/B,oBAAoB,CAAC,eAAe,CAClC,QAAQ,CAAC,UAAU,CAAC,iCAAiC,EAAE;wBACrD,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,QAAQ;wBACnC,cAAc;qBACf,CAAC,CACH,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACN,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,GAAG,qBAAqB,CAAC,QAAQ,EAAE,OAAO,EAAE,IAAI,CAAC,eAAe,EAAE,eAAe,CAAC,CAAC;gBAC/G,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,KAAK,MAAM,UAAU,IAAI,MAAM,CAAC,MAAM,CAAC,kBAAkB,CAAC,EAAE,CAAC;gBAC3D,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,GAAG,mBAAmB,CAAC,UAAU,EAAE,IAAI,CAAC,eAAe,EAAE,eAAe,CAAC,CAAC;YAC7G,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;;;;;;;OASG;IACI,eAAe,CAAC,WAAgC,EAAE,cAAyB;QAChF,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,CAAC;YAC1B,OAAO,EAAE,UAAU,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;QAC1C,CAAC;QACD,MAAM,eAAe,GAAG,IAAI,CAAC,eAAe,CAAC,WAAW,EAAE,iBAAiB,EAAE,cAAc,CAAC,CAAC;QAC7F,MAAM,iBAAiB,GAAG,IAAI,CAAC,eAAe,CAAC,WAAW,EAAE,mBAAmB,EAAE,cAAc,CAAC,CAAC;QACjG,eAAe,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,UAAU,CAAC,CAAC;QACjE,eAAe,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;QAC7D,OAAO,eAAe,CAAC;IACzB,CAAC;IAED;;;;;;;OAOG;IACI,gBAAgB,CAAC,QAAg
B,EAAE,UAAkB;QAC1D,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IACtD,CAAC;IAED;;;;;;OAMG;IACI,WAAW,CAAC,QAAgB;QACjC,MAAM,kBAAkB,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;QAC/C,OAAO,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC,CAAC;IACjD,CAAC;IAED;;;;;;OAMG;IACI,OAAO,CAAC,YAAoB,EAAE,eAAuB;QAC1D,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAC5C,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QAChD,OAAO,QAAQ,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;IACzC,CAAC;IAED;;;;;OAKG;IACI,OAAO,CAAC,QAAgB;QAC7B,MAAM,kBAAkB,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;QAC/C,IAAI,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,EAAE,CAAC;YACnC,OAAO,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;QACxC,CAAC;QACD,MAAM,QAAQ,CAAC,WAAW,CAAC,mCAAmC,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC9E,CAAC;IAED,wBAAwB;IAEhB,eAAe,CACrB,OAA4B,EAC5B,kBAAsC,EACtC,cAAyB;QAEzB,MAAM,MAAM,GAAe,EAAE,QAAQ,EAAE,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;QAC5D,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;YACxD,MAAM,UAAU,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC,GAAG,cAAc,EAAE,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;YAC7G,MAAM,kBAAkB,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAC;YAC3E,IAAI,kBAAkB,EAAE,CAAC;gBACvB,IAAI,kBAAkB,CAAC,cAAc,KAAK,mBAAmB,CAAC,OAAO,EAAE,CAAC;oBACtE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;wBACrB,UAAU;wBACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,kCAAkC,CAAC;qBACjE,CAAC,CAAC;gBACL,CAAC;qBAAM,IAAI,CAAC,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,IAAI,EAAE,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC;oBACzE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;wBACrB,UAAU;wBACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,2CAA2C,EAAE;4BACxE,kBAAkB,CAAC,cAAc;4BACjC,OAAO,CAAC,IAAI;yBACb,CAAC;qBACH,CAAC,CAAC;gBACL,CAAC;qBAAM,IAAI,kBAAkB,CAAC,cAAc,KAAK,mBAAmB,CAAC,OAAO,EAAE,CAAC;oBAC7E,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;wBACnB,UAAU;wBACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,6BAA6B,CAAC;qBAC5D,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;oBACnB,UAAU;oBACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,oCAAoC,CAAC;iBACnE,CAAC,CAAC;YACL,CAAC
;QACH,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,WAAW,CAAC,QAAgB,EAAE,QAA4B;QAChE,IAAI,QAAQ,KAAK,iBAAiB,EAAE,CAAC;YACnC,OAAO,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;QACxC,CAAC;aAAM,IAAI,QAAQ,KAAK,mBAAmB,EAAE,CAAC;YAC5C,OAAO,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC;IAEO,eAAe,CAAC,QAAgB;QACtC,IAAI,IAAI,CAAC,eAAe,EAAE,eAAe,EAAE,CAAC;YAC1C,OAAO,kBAAkB,CAAC,QAAQ,EAAE,IAAI,CAAC,eAAe,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC,CAAC;QACtF,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAEO,iBAAiB,CAAC,QAAgB;QACxC,IAAI,IAAI,CAAC,eAAe,EAAE,iBAAiB,EAAE,CAAC;YAC5C,OAAO,kBAAkB,CAAC,QAAQ,EAAE,IAAI,CAAC,eAAe,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC,CAAC;QACxF,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;CACF;AAED,SAAS,kBAAkB,CACzB,QAAgB,EAChB,IAA0C;IAE1C,OAAO,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;AACxD,CAAC;AAED,SAAS,SAAS,CAAC,QAAgB;IACjC,OAAO,QAAQ,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;AACrD,CAAC"}
|
|
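--- a/package/lib/libs/audit-engine/registry/roles/roleManager.types.d.ts
+++ b/package/lib/libs/audit-engine/registry/roles/roleManager.types.d.ts
@@ -0,0 +1,43 @@
+import { Profile } from '@jsforce/jsforce-node/lib/api/metadata.js';
+import { PolicyRuleViolation, RuleComponentMessage } from '../result.types.js';
+import { PermissionClassifications } from '../shape/schema.js';
+export type ResolvedProfileLike = {
+name: string;
+role: string;
+metadata: PartialProfileLike;
+};
+export type ScanResult = {
+violations: PolicyRuleViolation[];
+warnings: RuleComponentMessage[];
+};
+export type UserRoleCompareResult = {
+/**
+* True if the given role is a superset of the other compared role.
+* This means, it contains at least all allowed permissions and
+* fewer denied permissions as the "other role".
+*/
+isSuperset: boolean;
+/**
+* List of permissions that are present in "this" role and
+* missing in the compared "other" role.
+*/
+missingPermsInOther: string[];
+/**
+* List of permissions that are present in compared "other"
+* role and missing in this role.
+*/
+missingPermsInThis: string[];
+};
+export type IUserRole = {
+roleName: string;
+isAllowed(perm: Partial<NamedPermissionClassification>): boolean;
+compareWith(otherRole: IUserRole): UserRoleCompareResult;
+};
+export type PartialProfileLike = Pick<Profile, 'userPermissions' | 'customPermissions'>;
+/**
+* Moves the "name" from the classifications map to object prop
+*/
+export type NamedPermissionClassification = PermissionClassifications['string'] & {
+name: string;
+};
+export type PermissionsListKey = keyof PartialProfileLike;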
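Review bot: `IUserRole.isAllowed` is declared with a `Partial<NamedPermissionClassification>` parameter, but the concrete `UserRole.isAllowed` in userRole.d.ts takes `permissionName: string` and `RoleManager.allowsPermission` passes `permClassification.name`, so the interface no longer describes the implementation; `isAllowed(permissionName: string): boolean;` would match what is actually called. `UserRole` also does not declare `implements IUserRole`, which is why the mismatch is not caught by the compiler. The doc comment on `isSuperset` speaks of "fewer denied permissions" while `compareWith` only checks allowed-permission membership and the ordinal, so it would be more accurate as "contains at least all allowed permissions of the other role and, when both roles are preset-based, ranks at least as high".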
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"roleManager.types.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/roles/roleManager.types.ts"],"names":[],"mappings":""}
|
|
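--- a/package/lib/libs/audit-engine/registry/roles/userRole.d.ts
+++ b/package/lib/libs/audit-engine/registry/roles/userRole.d.ts
@@ -0,0 +1,12 @@
+import { PermissionClassifications, RoleDefinitions, UserPrivilegeLevel } from '../shape/schema.js';
+import { UserRoleCompareResult } from './roleManager.types.js';
+export default class UserRole {
+roleName: string;
+private allowedPermissions;
+private roleOrdinalValue?;
+constructor(roleName: string, allowedPermissions: Set<string>, roleOrdinalValue?: number | undefined);
+isAllowed(permissionName: string): boolean;
+compareWith(otherRole: UserRole): UserRoleCompareResult;
+}
+export declare function newRoleFromDefinition(roleName: string, roleDef: RoleDefinitions['string'], perms?: PermissionClassifications): UserRole;
+export declare function newRoleFromOrdinals(roleName: UserPrivilegeLevel, perms?: PermissionClassifications): UserRole;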
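--- a/package/lib/libs/audit-engine/registry/roles/userRole.js
+++ b/package/lib/libs/audit-engine/registry/roles/userRole.js
@@ -0,0 +1,75 @@
+import { PermissionRiskLevel, UserPrivilegeLevel, } from '../shape/schema.js';
+export default class UserRole {
+roleName;
+allowedPermissions;
+roleOrdinalValue;
+constructor(roleName, allowedPermissions, roleOrdinalValue) {
+this.roleName = roleName;
+this.allowedPermissions = allowedPermissions;
+this.roleOrdinalValue = roleOrdinalValue;
+}
+isAllowed(permissionName) {
+return this.allowedPermissions.has(permissionName);
+}
+compareWith(otherRole) {
+const missingPermsInOther = new Array();
+const missingPermsInThis = new Array();
+const isOrdinallyHigher = this.roleOrdinalValue && otherRole.roleOrdinalValue ? this.roleOrdinalValue >= otherRole.roleOrdinalValue : true;
+const merged = new Set([...this.allowedPermissions, ...otherRole.allowedPermissions]);
+for (const perm of merged) {
+if (!this.allowedPermissions.has(perm)) {
+missingPermsInThis.push(perm);
+}
+if (!otherRole.allowedPermissions.has(perm)) {
+missingPermsInOther.push(perm);
+}
+}
+return {
+isSuperset: missingPermsInThis.length === 0 && isOrdinallyHigher,
+missingPermsInThis,
+missingPermsInOther,
+};
+}
+}
+export function newRoleFromDefinition(roleName, roleDef, perms) {
+const allAllowed = new Set();
+if (roleDef.allowedPermissions) {
+for (const permName of roleDef.allowedPermissions) {
+allAllowed.add(permName);
+}
+}
+if (perms) {
+for (const [permName, permDef] of Object.entries(perms)) {
+if (roleDef.allowedClassifications && roleDef.allowedClassifications.includes(permDef.classification)) {
+allAllowed.add(permName);
+}
+}
+}
+if (roleDef.deniedPermissions) {
+for (const permName of roleDef.deniedPermissions) {
+allAllowed.delete(permName);
+}
+}
+return new UserRole(roleName, allAllowed);
+}
+export function newRoleFromOrdinals(roleName, perms) {
+const roleOrdinalValue = resolvePresetOrdinalValue(roleName);
+if (!perms || roleName === UserPrivilegeLevel.UNKNOWN) {
+return new UserRole(roleName, new Set(), roleOrdinalValue);
+}
+const allAllowed = new Set();
+for (const [permName, permDef] of Object.entries(perms)) {
+if (roleOrdinalValue >= resolveRiskLevelOrdinalValue(permDef.classification)) {
+allAllowed.add(permName);
+}
+}
+return new UserRole(roleName, allAllowed, roleOrdinalValue);
+}
+function resolvePresetOrdinalValue(value) {
+const indexOfValue = Object.values(UserPrivilegeLevel).indexOf(value);
+return Object.keys(UserPrivilegeLevel).length - indexOfValue;
+}
+function resolveRiskLevelOrdinalValue(value) {
+return Object.keys(PermissionRiskLevel).length - Object.keys(PermissionRiskLevel).indexOf(value.toUpperCase());
+}
+//# sourceMappingURL=userRole.js.map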
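Review bot: `resolveRiskLevelOrdinalValue` returns `Object.keys(PermissionRiskLevel).length + 1` for a classification string that is not an enum key (indexOf yields -1), and `resolvePresetOrdinalValue` does the same for an unlisted privilege level, so in `newRoleFromOrdinals` an unrecognised classification silently outranks every role and that permission is never allowed, with no warning raised. Failing closed is the right direction, but unless the new `shapeValidation` module already rejects such values the helper should make it explicit, e.g. `if (index === -1) return Number.POSITIVE_INFINITY; // unknown level: never allowed`. Both helpers also derive rank from the enum's declaration order (first member ranks highest), which nothing in this file states; a one-line comment above `resolvePresetOrdinalValue` documenting that contract would guard against a reordering of the enum silently changing audit results. In `compareWith`, the `: true` fallback when either role lacks an ordinal likewise deserves a comment, since it means definition-based roles are compared on permission membership only.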
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"userRole.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/roles/userRole.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,mBAAmB,EAEnB,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAG5B,MAAM,CAAC,OAAO,OAAO,QAAQ;IAElB;IACC;IACA;IAHV,YACS,QAAgB,EACf,kBAA+B,EAC/B,gBAAyB;QAF1B,aAAQ,GAAR,QAAQ,CAAQ;QACf,uBAAkB,GAAlB,kBAAkB,CAAa;QAC/B,qBAAgB,GAAhB,gBAAgB,CAAS;IAChC,CAAC;IAEG,SAAS,CAAC,cAAsB;QACrC,OAAO,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IACrD,CAAC;IAEM,WAAW,CAAC,SAAmB;QACpC,MAAM,mBAAmB,GAAG,IAAI,KAAK,EAAU,CAAC;QAChD,MAAM,kBAAkB,GAAG,IAAI,KAAK,EAAU,CAAC;QAC/C,MAAM,iBAAiB,GACrB,IAAI,CAAC,gBAAgB,IAAI,SAAS,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,gBAAgB,IAAI,SAAS,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC;QACnH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,kBAAkB,EAAE,GAAG,SAAS,CAAC,kBAAkB,CAAC,CAAC,CAAC;QACtF,KAAK,MAAM,IAAI,IAAI,MAAM,EAAE,CAAC;YAC1B,IAAI,CAAC,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvC,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAChC,CAAC;YACD,IAAI,CAAC,SAAS,CAAC,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC5C,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,CAAC;QACH,CAAC;QACD,OAAO;YACL,UAAU,EAAE,kBAAkB,CAAC,MAAM,KAAK,CAAC,IAAI,iBAAiB;YAChE,kBAAkB;YAClB,mBAAmB;SACpB,CAAC;IACJ,CAAC;CACF;AAED,MAAM,UAAU,qBAAqB,CACnC,QAAgB,EAChB,OAAkC,EAClC,KAAiC;IAEjC,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IACrC,IAAI,OAAO,CAAC,kBAAkB,EAAE,CAAC;QAC/B,KAAK,MAAM,QAAQ,IAAI,OAAO,CAAC,kBAAkB,EAAE,CAAC;YAClD,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC3B,CAAC;IACH,CAAC;IACD,IAAI,KAAK,EAAE,CAAC;QACV,KAAK,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YACxD,IAAI,OAAO,CAAC,sBAAsB,IAAI,OAAO,CAAC,sBAAsB,CAAC,QAAQ,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;gBACtG,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAC3B,CAAC;QACH,CAAC;IACH,CAAC;IACD,IAAI,OAAO,CAAC,iBAAiB,EAAE,CAAC;QAC9B,KAAK,MAAM,QAAQ,IAAI,OAAO,CAAC,iBAAiB,EAAE,CAAC;YACjD,UAAU,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAC9B,CAAC;IACH,CAAC;IACD,OAAO,IAAI,QAAQ,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;AAC5C,CAAC;AAED,M
AAM,UAAU,mBAAmB,CAAC,QAA4B,EAAE,KAAiC;IACjG,MAAM,gBAAgB,GAAG,yBAAyB,CAAC,QAAQ,CAAC,CAAC;IAC7D,IAAI,CAAC,KAAK,IAAI,QAAQ,KAAK,kBAAkB,CAAC,OAAO,EAAE,CAAC;QACtD,OAAO,IAAI,QAAQ,CAAC,QAAQ,EAAE,IAAI,GAAG,EAAU,EAAE,gBAAgB,CAAC,CAAC;IACrE,CAAC;IACD,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IACrC,KAAK,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACxD,IAAI,gBAAgB,IAAI,4BAA4B,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;YAC7E,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC3B,CAAC;IACH,CAAC;IACD,OAAO,IAAI,QAAQ,CAAC,QAAQ,EAAE,UAAU,EAAE,gBAAgB,CAAC,CAAC;AAC9D,CAAC;AAED,SAAS,yBAAyB,CAAC,KAAyB;IAC1D,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IACtE,OAAO,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,MAAM,GAAG,YAAY,CAAC;AAC/D,CAAC;AAED,SAAS,4BAA4B,CAAC,KAAa;IACjD,OAAO,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC;AACjH,CAAC"}
|
|
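--- a/package/lib/libs/audit-engine/registry/rules/enforcePermissionPresets.d.ts
+++ b/package/lib/libs/audit-engine/registry/rules/enforcePermissionPresets.d.ts
@@ -2,8 +2,10 @@ import { PartialPolicyRuleResult, RuleAuditContext } from '../context.types.js';
 import { ResolvedUser } from '../policies/users.js';
 import PolicyRule, { RuleOptions } from './policyRule.js';
 export default class EnforcePermissionPresets extends PolicyRule<ResolvedUser> {
+private readonly roleManager;
 constructor(opts: RuleOptions);
 run(context: RuleAuditContext<ResolvedUser>): Promise<PartialPolicyRuleResult>;
 private resolveProfileRole;
 private resolvePermissionSetRole;
+private auditPermissionsEntity;
 }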
@@ -1,24 +1,28 @@
|
|
|
1
1
|
import { Messages } from '@salesforce/core';
|
|
2
2
|
import { capitalize } from '../../../../utils.js';
|
|
3
|
-
import
|
|
3
|
+
import RoleManager from '../roles/roleManager.js';
|
|
4
4
|
import { UserPrivilegeLevel } from '../shape/schema.js';
|
|
5
5
|
import PolicyRule from './policyRule.js';
|
|
6
6
|
Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
|
|
7
7
|
const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.users');
|
|
8
8
|
export default class EnforcePermissionPresets extends PolicyRule {
|
|
9
|
+
roleManager;
|
|
9
10
|
constructor(opts) {
|
|
10
11
|
super(opts);
|
|
12
|
+
this.roleManager = new RoleManager(opts.auditConfig.definitions.roles, {
|
|
13
|
+
userPermissions: opts.auditConfig.classifications.userPermissions?.permissions,
|
|
14
|
+
});
|
|
11
15
|
}
|
|
12
16
|
run(context) {
|
|
13
17
|
const result = this.initResult();
|
|
14
18
|
const users = context.resolvedEntities;
|
|
15
19
|
for (const user of Object.values(users)) {
|
|
16
20
|
const profileRole = this.resolveProfileRole(user.profileName);
|
|
17
|
-
auditPermissionsEntity(result, user, 'profile', user.profileName, profileRole);
|
|
21
|
+
this.auditPermissionsEntity(result, user, 'profile', user.profileName, profileRole);
|
|
18
22
|
if (user.assignments) {
|
|
19
23
|
for (const assignment of user.assignments) {
|
|
20
24
|
const permsetRole = this.resolvePermissionSetRole(assignment.permissionSetIdentifier);
|
|
21
|
-
auditPermissionsEntity(result, user, 'permission set', assignment.permissionSetIdentifier, permsetRole);
|
|
25
|
+
this.auditPermissionsEntity(result, user, 'permission set', assignment.permissionSetIdentifier, permsetRole);
|
|
22
26
|
}
|
|
23
27
|
}
|
|
24
28
|
}
|
|
@@ -30,31 +34,40 @@ export default class EnforcePermissionPresets extends PolicyRule {
|
|
|
30
34
|
resolvePermissionSetRole(permsetName) {
|
|
31
35
|
return this.auditConfig.classifications.permissionSets?.permissionSets[permsetName]?.role;
|
|
32
36
|
}
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
}
|
|
37
|
+
auditPermissionsEntity(result, user, entityType, entityIdentifier, entityPreset) {
|
|
38
|
+
if (entityPreset) {
|
|
39
|
+
if (entityPreset === UserPrivilegeLevel.UNKNOWN.toString()) {
|
|
40
|
+
result.violations.push({
|
|
41
|
+
identifier: [user.username, entityIdentifier],
|
|
42
|
+
message: messages.getMessage('violations.entity-unknown-but-used', [capitalize(entityType)]),
|
|
43
|
+
});
|
|
44
|
+
}
|
|
45
|
+
else if (!this.roleManager.isValidRole(entityPreset)) {
|
|
46
|
+
result.violations.push({
|
|
47
|
+
identifier: [user.username, entityIdentifier],
|
|
48
|
+
message: messages.getMessage('violations.invalid-entity-role', [capitalize(entityType), entityPreset]),
|
|
49
|
+
});
|
|
50
|
+
}
|
|
51
|
+
else if (this.roleManager.isValidRole(entityPreset) && this.roleManager.isValidRole(user.role)) {
|
|
52
|
+
const compareResult = this.roleManager.compare(user.role, entityPreset);
|
|
53
|
+
if (!compareResult.isSuperset) {
|
|
54
|
+
result.violations.push({
|
|
55
|
+
identifier: [user.username, entityIdentifier],
|
|
56
|
+
message: messages.getMessage('violations.entity-not-allowed-for-user-role', [
|
|
57
|
+
user.role,
|
|
58
|
+
entityType,
|
|
59
|
+
entityPreset,
|
|
60
|
+
]),
|
|
61
|
+
});
|
|
62
|
+
}
|
|
63
|
+
}
|
|
41
64
|
}
|
|
42
|
-
else
|
|
65
|
+
else {
|
|
43
66
|
result.violations.push({
|
|
44
67
|
identifier: [user.username, entityIdentifier],
|
|
45
|
-
message: messages.getMessage('violations.entity-not-
|
|
46
|
-
user.role,
|
|
47
|
-
entityType,
|
|
48
|
-
entityPreset,
|
|
49
|
-
]),
|
|
68
|
+
message: messages.getMessage('violations.entity-not-classified-but-used', [capitalize(entityType), entityType]),
|
|
50
69
|
});
|
|
51
70
|
}
|
|
52
71
|
}
|
|
53
|
-
else {
|
|
54
|
-
result.violations.push({
|
|
55
|
-
identifier: [user.username, entityIdentifier],
|
|
56
|
-
message: messages.getMessage('violations.entity-not-classified-but-used', [capitalize(entityType), entityType]),
|
|
57
|
-
});
|
|
58
|
-
}
|
|
59
72
|
}
|
|
60
73
|
//# sourceMappingURL=enforcePermissionPresets.js.map
|
|
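Review bot: In `auditPermissionsEntity` the branch `else if (this.roleManager.isValidRole(entityPreset) && this.roleManager.isValidRole(user.role))` re-tests a condition the preceding `else if (!this.roleManager.isValidRole(entityPreset))` already established, and when `entityPreset` is valid but `user.role` is not, the method falls through every branch and reports nothing for that user; `else if (this.roleManager.isValidRole(user.role)) {` followed by an explicit final `else` (or a comment stating that an invalid user role is reported by another rule, if that is the case) would make the gap deliberate rather than accidental. The `entityPreset === UserPrivilegeLevel.UNKNOWN.toString()` comparison is also exact while `RoleManager.isValidRole` and `getRole` normalise case and spaces, so a preset written in a different case skips the unknown-entity violation and, when no role definitions are configured, is then treated as the valid legacy `UNKNOWN` role; comparing a normalised value on both sides would be consistent with the manager. The `run` method begins in the first hunk of this file and continues outside it.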
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"enforcePermissionPresets.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionPresets.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAElD,OAAO,
|
|
1
|
+
{"version":3,"file":"enforcePermissionPresets.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionPresets.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAElD,OAAO,WAAW,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,aAAa,CAAC,CAAC;AAE5F,MAAM,CAAC,OAAO,OAAO,wBAAyB,SAAQ,UAAwB;IAC3D,WAAW,CAAC;IAE7B,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;QACZ,IAAI,CAAC,WAAW,GAAG,IAAI,WAAW,CAAC,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,KAAK,EAAE;YACrE,eAAe,EAAE,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,eAAe,EAAE,WAAW;SAC/E,CAAC,CAAC;IACL,CAAC;IAEM,GAAG,CAAC,OAAuC;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,KAAK,GAAG,OAAO,CAAC,gBAAgB,CAAC;QACvC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;YACxC,MAAM,WAAW,GAAG,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC9D,IAAI,CAAC,sBAAsB,CAAC,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;YACpF,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;gBACrB,KAAK,MAAM,UAAU,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;oBAC1C,MAAM,WAAW,GAAG,IAAI,CAAC,wBAAwB,CAAC,UAAU,CAAC,uBAAuB,CAAC,CAAC;oBACtF,IAAI,CAAC,sBAAsB,CAAC,MAAM,EAAE,IAAI,EAAE,gBAAgB,EAAE,UAAU,CAAC,uBAAuB,EAAE,WAAW,CAAC,CAAC;gBAC/G,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;IAEO,kBAAkB,CAAC,WAAmB;QAC5C,OAAO,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,QAAQ,EAAE,QAAQ,CAAC,WAAW,CAAC,EAAE,IAAI,CAAC;IAChF,CAAC;IAEO,wBAAwB,CAAC,WAAmB;QAClD,OAAO,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,cAAc,EAAE,cAAc,CAAC,WAAW,CAAC,EAAE,IAAI,CAAC;IAC5F,CAAC;IAEO,sBAAsB,CAC5B,MAA+B,EAC/B,IAAkB,EAClB,UAAkB,EAClB,gBAAwB,EACxB,YAAqB;QAErB,IAAI,YAAY,EAAE,CAAC;YACjB,IAAI,YAAY,KAAK,kBAAkB,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC;gBAC3D,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;oBACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,CAAC;oBAC7C,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,o
CAAoC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC;iBAC7F,CAAC,CAAC;YACL,CAAC;iBAAM,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,YAAY,CAAC,EAAE,CAAC;gBACvD,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;oBACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,CAAC;oBAC7C,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,gCAAgC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,YAAY,CAAC,CAAC;iBACvG,CAAC,CAAC;YACL,CAAC;iBAAM,IAAI,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,YAAY,CAAC,IAAI,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACjG,MAAM,aAAa,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;gBACxE,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,CAAC;oBAC9B,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;wBACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,CAAC;wBAC7C,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,6CAA6C,EAAE;4BAC1E,IAAI,CAAC,IAAI;4BACT,UAAU;4BACV,YAAY;yBACb,CAAC;qBACH,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;gBACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,CAAC;gBAC7C,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,2CAA2C,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,UAAU,CAAC,CAAC;aAChH,CAAC,CAAC;QACL,CAAC;IACH,CAAC;CACF"}
|
|
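--- a/package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.d.ts
+++ b/package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.d.ts
@@ -1,7 +1,8 @@
 import { PartialPolicyRuleResult, RuleAuditContext } from '../context.types.js';
-import { ResolvedProfileLike } from '../
+import { ResolvedProfileLike } from '../roles/roleManager.types.js';
 import PolicyRule, { RuleOptions } from './policyRule.js';
 export default class EnforcePermissionsOnProfileLike extends PolicyRule<ResolvedProfileLike> {
+private readonly roleManager;
 constructor(opts: RuleOptions);
 run(context: RuleAuditContext<ResolvedProfileLike>): Promise<PartialPolicyRuleResult>;
 }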
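--- a/package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.js
+++ b/package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.js
@@ -1,23 +1,33 @@
+import { Messages } from '@salesforce/core';
 import { isNullish } from '../../../../utils.js';
-import
+import RoleManager from '../roles/roleManager.js';
 import PolicyRule from './policyRule.js';
+Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
+const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.enforceClassificationPresets');
 export default class EnforcePermissionsOnProfileLike extends PolicyRule {
+roleManager;
 constructor(opts) {
 super(opts);
+this.roleManager = new RoleManager(opts.auditConfig.definitions.roles, {
+userPermissions: opts.auditConfig.classifications.userPermissions?.permissions,
+customPermissions: opts.auditConfig.classifications.customPermissions?.permissions,
+});
 }
 run(context) {
 const result = this.initResult();
 const resolvedProfiles = context.resolvedEntities;
 for (const profile of Object.values(resolvedProfiles)) {
-if (!
-
-
-
+if (!this.roleManager.isValidRole(profile.role)) {
+result.errors.push({
+identifier: [profile.name],
+message: messages.getMessage('error.failed-to-resolve-role', [profile.role]),
+});
+continue;
 }
-if (!isNullish(profile.metadata
-const
-result.violations.push(...
-result.warnings.push(...
+if (!isNullish(profile.metadata)) {
+const profileScanResult = this.roleManager.scanProfileLike(profile);
+result.violations.push(...profileScanResult.violations);
+result.warnings.push(...profileScanResult.warnings);
 }
 }
 return Promise.resolve(result);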
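Review bot: When `isValidRole(profile.role)` fails, the `continue` skips the metadata scan entirely, so a misspelled role in the audit config leaves that profile's permissions unaudited with only an entry in `result.errors` to show for it; the same guard appears in EnforcePermissionsOnUser's run hunk. That is fail-closed only if the engine treats a non-empty `errors` list as a failed run rather than reporting it next to an empty violation list, which nothing in this hunk shows. Suggest making the contract explicit at the guard: `// unresolvable role: record the error and skip the scan; the run must be reported as failed, not as 'no violations'`. Separately, `scanProfileLike(profile)` is called here without the identifier argument that the user rule passes as `[user.username]`; if that parameter defaults to `[profile.name]`, a one-line comment saying so would make the two call sites easier to compare. The closing braces of `run` and the class lie outside the hunk.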
@@ -1 +1 @@
1
-
{"version":3,"file":"enforcePermissionsOnProfileLike.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,
1
+
{"version":3,"file":"enforcePermissionsOnProfileLike.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AAEjD,OAAO,WAAW,MAAM,yBAAyB,CAAC;AAElD,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,oCAAoC,CAAC,CAAC;AAEnH,MAAM,CAAC,OAAO,OAAO,+BAAgC,SAAQ,UAA+B;IACzE,WAAW,CAAC;IAE7B,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;QACZ,IAAI,CAAC,WAAW,GAAG,IAAI,WAAW,CAAC,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,KAAK,EAAE;YACrE,eAAe,EAAE,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,eAAe,EAAE,WAAW;YAC9E,iBAAiB,EAAE,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,iBAAiB,EAAE,WAAW;SACnF,CAAC,CAAC;IACL,CAAC;IAEM,GAAG,CAAC,OAA8C;QACvD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC;QAClD,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE,CAAC;YACtD,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChD,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;oBACjB,UAAU,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;oBAC1B,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,8BAA8B,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;iBAC7E,CAAC,CAAC;gBACH,SAAS;YACX,CAAC;YACD,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACjC,MAAM,iBAAiB,GAAG,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;gBACpE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,UAAU,CAAC,CAAC;gBACxD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;YACtD,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF"}
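--- a/package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnUser.d.ts
+++ b/package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnUser.d.ts
@@ -2,6 +2,7 @@ import { PartialPolicyRuleResult, RuleAuditContext } from '../context.types.js';
 import { ResolvedUser } from '../policies/users.js';
 import PolicyRule, { RuleOptions } from './policyRule.js';
 export default class EnforcePermissionsOnUser extends PolicyRule<ResolvedUser> {
+private readonly roleManager;
 constructor(opts: RuleOptions);
 run(context: RuleAuditContext<ResolvedUser>): Promise<PartialPolicyRuleResult>;
 private scanAssignedPermissionSets;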
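--- a/package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnUser.js
+++ b/package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnUser.js
@@ -1,18 +1,33 @@
-import {
+import { Messages } from '@salesforce/core';
+import RoleManager from '../roles/roleManager.js';
 import PolicyRule from './policyRule.js';
+Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
+const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.enforceClassificationPresets');
 export default class EnforcePermissionsOnUser extends PolicyRule {
+roleManager;
 constructor(opts) {
 super(opts);
+this.roleManager = new RoleManager(opts.auditConfig.definitions.roles, {
+userPermissions: opts.auditConfig.classifications.userPermissions?.permissions,
+customPermissions: opts.auditConfig.classifications.customPermissions?.permissions,
+});
 }
 run(context) {
 const result = this.initResult();
 const users = context.resolvedEntities;
 for (const user of Object.values(users)) {
+if (!this.roleManager.isValidRole(user.role)) {
+result.errors.push({
+identifier: [user.username],
+message: messages.getMessage('error.failed-to-resolve-role', [user.role]),
+});
+continue;
+}
 const { violations, warnings } = this.scanAssignedPermissionSets(user, user.assignments);
 result.violations.push(...violations);
 result.warnings.push(...warnings);
 if (user.profileMetadata) {
-const profileResult = scanProfileLike({ role: user.role, metadata: user.profileMetadata, name: user.profileName },
+const profileResult = this.roleManager.scanProfileLike({ role: user.role, metadata: user.profileMetadata, name: user.profileName }, [user.username]);
 result.violations.push(...profileResult.violations);
 result.warnings.push(...profileResult.warnings);
 }
@@ -28,7 +43,7 @@ export default class EnforcePermissionsOnUser extends PolicyRule {
 if (!assignedPermSet.metadata) {
 continue;
 }
-const permsetScan = scanProfileLike({ role: user.role, metadata: assignedPermSet.metadata, name: assignedPermSet.permissionSetIdentifier },
+const permsetScan = this.roleManager.scanProfileLike({ role: user.role, metadata: assignedPermSet.metadata, name: assignedPermSet.permissionSetIdentifier }, [user.username]);
 result.violations.push(...permsetScan.violations);
 result.warnings.push(...permsetScan.warnings);
 }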
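Review bot: The `RoleManager` construction in the constructor and the `isValidRole` guard with its `result.errors.push({...})` block are verbatim copies of the ProfileLike rule's new code in this same diff, differing only in `user.username` versus `profile.name`. Hoisting the construction into `PolicyRule`, or into a shared helper that returns the error entry for an unresolvable role, would keep the two rules from drifting when the message key or identifier shape changes. Note also that `user.role` presumably carries `defaultRoleForMissingUsers` for users absent from the config, and the schema hunk in this diff now types that option as a plain `ZodString`; if the default does not name a role in `definitions.roles`, every fallback user lands on this error branch and is skipped, so validating the default against the role definitions at config load is worth considering. The class body continues outside the hunk.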
@@ -1 +1 @@
1
-
{"version":3,"file":"enforcePermissionsOnUser.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionsOnUser.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,
1
+
{"version":3,"file":"enforcePermissionsOnUser.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionsOnUser.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C,OAAO,WAAW,MAAM,yBAAyB,CAAC;AAGlD,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,oCAAoC,CAAC,CAAC;AAEnH,MAAM,CAAC,OAAO,OAAO,wBAAyB,SAAQ,UAAwB;IAC3D,WAAW,CAAC;IAE7B,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;QACZ,IAAI,CAAC,WAAW,GAAG,IAAI,WAAW,CAAC,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,KAAK,EAAE;YACrE,eAAe,EAAE,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,eAAe,EAAE,WAAW;YAC9E,iBAAiB,EAAE,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,iBAAiB,EAAE,WAAW;SACnF,CAAC,CAAC;IACL,CAAC;IAEM,GAAG,CAAC,OAAuC;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,KAAK,GAAG,OAAO,CAAC,gBAAgB,CAAC;QACvC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;YACxC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7C,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;oBACjB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC;oBAC3B,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,8BAA8B,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;iBAC1E,CAAC,CAAC;gBACH,SAAS;YACX,CAAC;YACD,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,0BAA0B,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;YACzF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC;YACtC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;YAClC,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;gBACzB,MAAM,aAAa,GAAG,IAAI,CAAC,WAAW,CAAC,eAAe,CACpD,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,QAAQ,EAAE,IAAI,CAAC,eAAe,EAAE,IAAI,EAAE,IAAI,CAAC,WAAW,EAAE,EAC3E,CAAC,IAAI,CAAC,QAAQ,CAAC,CAChB,CAAC;gBACF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,UAAU,CAAC,CAAC;gBACpD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;YAClD,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;IAEO,0BAA0B,CAAC,IAAkB,EAAE,WAAwC;QAC7F,MAAM,MAAM,GAAe,EAAE,UAAU,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;QAC5D,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB
,OAAO,MAAM,CAAC;QAChB,CAAC;QACD,KAAK,MAAM,eAAe,IAAI,WAAW,EAAE,CAAC;YAC1C,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,CAAC;gBAC9B,SAAS;YACX,CAAC;YACD,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC,eAAe,CAClD,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,QAAQ,EAAE,eAAe,CAAC,QAAQ,EAAE,IAAI,EAAE,eAAe,CAAC,uBAAuB,EAAE,EACtG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAChB,CAAC;YACF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,UAAU,CAAC,CAAC;YAClD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC;QAChD,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;CACF"}
@@ -4,6 +4,17 @@
4
4
* the audit config that is used by rules and policies.
5
5
*/
6
6
export declare const BaseAuditConfigShape: {
7
+
definitions: {
8
+
files: {
9
+
roles: {
10
+
schema: import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
11
+
allowedClassifications: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodEnum<typeof import("./schema.js").PermissionRiskLevel>>>;
12
+
allowedPermissions: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
13
+
deniedPermissions: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
14
+
}, import("zod/v4/core").$strip>>;
15
+
};
16
+
};
17
+
};
7
18
classifications: {
8
19
files: {
9
20
userPermissions: {
@@ -29,7 +40,7 @@ export declare const BaseAuditConfigShape: {
29
40
profiles: {
30
41
schema: import("zod").ZodObject<{
31
42
profiles: import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
32
-
role: import("zod").
43
+
role: import("zod").ZodString;
33
44
allowedLoginIps: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodObject<{
34
45
from: import("zod").ZodString;
35
46
to: import("zod").ZodString;
@@ -41,7 +52,7 @@ export declare const BaseAuditConfigShape: {
41
52
permissionSets: {
42
53
schema: import("zod").ZodObject<{
43
54
permissionSets: import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
44
-
role: import("zod").
55
+
role: import("zod").ZodString;
45
56
}, import("zod/v4/core").$strict>>;
46
57
}, import("zod/v4/core").$strip>;
47
58
entities: string;
@@ -49,7 +60,7 @@ export declare const BaseAuditConfigShape: {
49
60
users: {
50
61
schema: import("zod").ZodObject<{
51
62
users: import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
52
-
role: import("zod").
63
+
role: import("zod").ZodString;
53
64
}, import("zod/v4/core").$strip>>;
54
65
}, import("zod/v4/core").$strip>;
55
66
entities: string;
@@ -104,7 +115,7 @@ export declare const BaseAuditConfigShape: {
104
115
options: import("zod").ZodOptional<import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodUnknown>>;
105
116
}, import("zod/v4/core").$strip>>>;
106
117
options: import("zod").ZodObject<{
107
-
defaultRoleForMissingUsers: import("zod").ZodDefault<import("zod").
118
+
defaultRoleForMissingUsers: import("zod").ZodDefault<import("zod").ZodString>;
108
119
analyseLastNDaysOfLoginHistory: import("zod").ZodOptional<import("zod").ZodNumber>;
109
120
}, import("zod/v4/core").$strict>;
110
121
}, import("zod/v4/core").$strip>;