@j-schreiber/sf-cli-security-audit 0.19.2 → 0.20.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (81) hide show
  1. package/README.md +3 -3
  2. package/lib/commands/org/audit/init.d.ts +1 -1
  3. package/lib/commands/org/audit/init.js +8 -8
  4. package/lib/commands/org/audit/init.js.map +1 -1
  5. package/lib/commands/org/audit/run.js +4 -1
  6. package/lib/commands/org/audit/run.js.map +1 -1
  7. package/lib/libs/audit-engine/auditRun.d.ts +3 -4
  8. package/lib/libs/audit-engine/auditRun.js +21 -9
  9. package/lib/libs/audit-engine/auditRun.js.map +1 -1
  10. package/lib/libs/audit-engine/file-manager/fileManager.d.ts +5 -6
  11. package/lib/libs/audit-engine/file-manager/fileManager.js +34 -15
  12. package/lib/libs/audit-engine/file-manager/fileManager.js.map +1 -1
  13. package/lib/libs/audit-engine/file-manager/fileManager.types.d.ts +1 -0
  14. package/lib/libs/audit-engine/index.d.ts +72 -43
  15. package/lib/libs/audit-engine/registry/context.types.d.ts +6 -0
  16. package/lib/libs/audit-engine/registry/definitions.d.ts +73 -44
  17. package/lib/libs/audit-engine/registry/policies/permissionSets.js +1 -1
  18. package/lib/libs/audit-engine/registry/policies/permissionSets.js.map +1 -1
  19. package/lib/libs/audit-engine/registry/policies/profiles.js +1 -1
  20. package/lib/libs/audit-engine/registry/policies/profiles.js.map +1 -1
  21. package/lib/libs/audit-engine/registry/policies/users.js +1 -1
  22. package/lib/libs/audit-engine/registry/policies/users.js.map +1 -1
  23. package/lib/libs/audit-engine/registry/policy.js +2 -2
  24. package/lib/libs/audit-engine/registry/policy.js.map +1 -1
  25. package/lib/libs/audit-engine/registry/roles/roleManager.d.ts +3 -19
  26. package/lib/libs/audit-engine/registry/roles/roleManager.js +17 -29
  27. package/lib/libs/audit-engine/registry/roles/roleManager.js.map +1 -1
  28. package/lib/libs/audit-engine/registry/roles/roleManager.types.d.ts +21 -3
  29. package/lib/libs/audit-engine/registry/roles/userRole.d.ts +7 -6
  30. package/lib/libs/audit-engine/registry/roles/userRole.js +78 -31
  31. package/lib/libs/audit-engine/registry/roles/userRole.js.map +1 -1
  32. package/lib/libs/audit-engine/registry/rules/enforceLoginIpRanges.d.ts +3 -9
  33. package/lib/libs/audit-engine/registry/rules/enforceLoginIpRanges.js +3 -13
  34. package/lib/libs/audit-engine/registry/rules/enforceLoginIpRanges.js.map +1 -1
  35. package/lib/libs/audit-engine/registry/rules/enforcePermissionPresets.js +5 -4
  36. package/lib/libs/audit-engine/registry/rules/enforcePermissionPresets.js.map +1 -1
  37. package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.js +3 -3
  38. package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.js.map +1 -1
  39. package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnUser.js +4 -4
  40. package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnUser.js.map +1 -1
  41. package/lib/libs/audit-engine/registry/rules/noInactiveUsers.d.ts +3 -9
  42. package/lib/libs/audit-engine/registry/rules/noInactiveUsers.js +5 -15
  43. package/lib/libs/audit-engine/registry/rules/noInactiveUsers.js.map +1 -1
  44. package/lib/libs/audit-engine/registry/rules/noOtherApexApiLogins.d.ts +1 -0
  45. package/lib/libs/audit-engine/registry/rules/noOtherApexApiLogins.js +39 -10
  46. package/lib/libs/audit-engine/registry/rules/noOtherApexApiLogins.js.map +1 -1
  47. package/lib/libs/audit-engine/registry/rules/policyRule.d.ts +3 -0
  48. package/lib/libs/audit-engine/registry/rules/policyRule.js +10 -0
  49. package/lib/libs/audit-engine/registry/rules/policyRule.js.map +1 -1
  50. package/lib/libs/audit-engine/registry/shape/auditConfigShape.d.ts +71 -42
  51. package/lib/libs/audit-engine/registry/shape/auditConfigShape.js +26 -30
  52. package/lib/libs/audit-engine/registry/shape/auditConfigShape.js.map +1 -1
  53. package/lib/libs/audit-engine/registry/shape/schema.d.ts +77 -43
  54. package/lib/libs/audit-engine/registry/shape/schema.js +22 -20
  55. package/lib/libs/audit-engine/registry/shape/schema.js.map +1 -1
  56. package/lib/libs/audit-engine/registry/shape/shapeValidation.d.ts +3 -0
  57. package/lib/libs/audit-engine/registry/shape/shapeValidation.js +36 -7
  58. package/lib/libs/audit-engine/registry/shape/shapeValidation.js.map +1 -1
  59. package/lib/libs/conf-init/auditConfig.d.ts +1 -0
  60. package/lib/libs/conf-init/auditConfig.js +15 -10
  61. package/lib/libs/conf-init/auditConfig.js.map +1 -1
  62. package/lib/libs/conf-init/defaultClassifications.d.ts +4 -6
  63. package/lib/libs/conf-init/defaultClassifications.js +18 -28
  64. package/lib/libs/conf-init/defaultClassifications.js.map +1 -1
  65. package/lib/libs/conf-init/init.types.d.ts +7 -6
  66. package/lib/libs/conf-init/init.types.js.map +1 -1
  67. package/lib/salesforce/repositories/users/queries.js +3 -3
  68. package/lib/salesforce/repositories/users/queries.js.map +1 -1
  69. package/lib/salesforce/repositories/users/user.types.d.ts +1 -0
  70. package/lib/salesforce/repositories/users/user.types.js.map +1 -1
  71. package/lib/salesforce/repositories/users/users.js +1 -0
  72. package/lib/salesforce/repositories/users/users.js.map +1 -1
  73. package/messages/auditShapeValidation.md +4 -0
  74. package/messages/org.audit.run.md +4 -0
  75. package/messages/rules.enforceClassificationPresets.md +4 -8
  76. package/messages/rules.users.md +6 -2
  77. package/oclif.manifest.json +1 -1
  78. package/package.json +1 -1
  79. package/lib/libs/audit-engine/registry/helpers/permissionsScanning.d.ts +0 -37
  80. package/lib/libs/audit-engine/registry/helpers/permissionsScanning.js +0 -81
  81. package/lib/libs/audit-engine/registry/helpers/permissionsScanning.js.map +0 -1
@@ -1 +1 @@
1
- {"version":3,"file":"noInactiveUsers.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/noInactiveUsers.ts"],"names":[],"mappings":"AAAA,OAAO,CAAC,MAAM,KAAK,CAAC;AACpB,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAExD,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,UAAuC,MAAM,iBAAiB,CAAC;AAEtE,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,aAAa,CAAC,CAAC;AAE5F,MAAM,4BAA4B,GAAG,CAAC,CAAC,YAAY,CAAC;IAClD,uBAAuB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;CAChD,CAAC,CAAC;AAIH,MAAM,CAAC,OAAO,OAAO,eAAgB,SAAQ,UAAwB;IAClD,UAAU,CAAC;IAE5B,YAAmB,SAA0D;QAC3E,KAAK,CAAC,SAAS,CAAC,CAAC;QACjB,IAAI,CAAC,UAAU,GAAG,gBAAgB,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IAC3D,CAAC;IAEM,GAAG,CAAC,OAAuC;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;YACvD,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACnB,MAAM,UAAU,GAAG,gBAAgB,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;gBAChE,IAAI,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC,uBAAuB,EAAE,CAAC;oBACzD,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;wBACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC;wBAC3B,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,kCAAkC,EAAE;4BAC/D,UAAU;4BACV,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE;yBACvC,CAAC;qBACH,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;YACvD,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;gBACpB,MAAM,eAAe,GAAG,gBAAgB,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;gBACvE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;oBACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC;oBAC3B,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,gCAAgC,EAAE;wBAC7D,IAAI,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,WAAW,EAAE;wBACxC,eAAe;qBAChB,CAAC;iBACH,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;QACH,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF;AAED,SAAS,gBAAgB,CAAC,SAAmB;IAC3C,MAAM,WAAW,GAAG,4BAA4B,CAAC,SAAS,CAAC,SAAS,IAAI,EAAE,CAA
C,CAAC;IAC5E,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;QACxB,OAAO,WAAW,CAAC,IAAI,CAAC;IAC1B,CAAC;SAAM,CAAC;QACN,cAAc,CAAC,WAAW,EAAE,WAAW,CAAC,KAAK,EAAE,CAAC,OAAO,EAAE,iBAAiB,EAAE,SAAS,CAAC,CAAC,CAAC;IAC1F,CAAC;AACH,CAAC"}
1
+ {"version":3,"file":"noInactiveUsers.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/noInactiveUsers.ts"],"names":[],"mappings":"AAAA,OAAO,CAAC,MAAM,KAAK,CAAC;AACpB,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAExD,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,aAAa,CAAC,CAAC;AAE5F,MAAM,4BAA4B,GAAG,CAAC,CAAC,YAAY,CAAC;IAClD,uBAAuB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;CAChD,CAAC,CAAC;AAEH,MAAM,CAAC,OAAO,OAAO,eAAgB,SAAQ,UAAwB;IAClD,OAAO,CAAC;IAEzB,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;QACZ,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,4BAA4B,EAAE,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;IAC/F,CAAC;IAEM,GAAG,CAAC,OAAuC;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;YACvD,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACnB,MAAM,UAAU,GAAG,gBAAgB,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;gBAChE,IAAI,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,uBAAuB,EAAE,CAAC;oBACtD,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;wBACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC;wBAC3B,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,kCAAkC,EAAE;4BAC/D,UAAU;4BACV,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE;yBACvC,CAAC;qBACH,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;YACvD,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;gBACpB,MAAM,eAAe,GAAG,gBAAgB,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;gBACvE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;oBACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC;oBAC3B,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,gCAAgC,EAAE;wBAC7D,IAAI,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,WAAW,EAAE;wBACxC,eAAe;qBAChB,CAAC;iBACH,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;QACH,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF"}
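--- a/package/lib/libs/audit-engine/registry/rules/noOtherApexApiLogins.d.ts
+++ b/package/lib/libs/audit-engine/registry/rules/noOtherApexApiLogins.d.ts
@@ -2,6 +2,7 @@ import { PartialPolicyRuleResult, RuleAuditContext } from '../context.types.js';
 import { ResolvedUser } from '../policies/users.js';
 import PolicyRule, { RuleOptions } from './policyRule.js';
 export default class NoOtherApexApiLogins extends PolicyRule<ResolvedUser> {
+private readonly options;
 constructor(opts: RuleOptions);
 run(context: RuleAuditContext<ResolvedUser>): Promise<PartialPolicyRuleResult>;
 }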
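--- a/package/lib/libs/audit-engine/registry/rules/noOtherApexApiLogins.js
+++ b/package/lib/libs/audit-engine/registry/rules/noOtherApexApiLogins.js
@@ -1,10 +1,16 @@
+import z from 'zod';
 import { Messages } from '@salesforce/core';
 import PolicyRule from './policyRule.js';
 Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
 const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.users');
+const NoOtherApexApiLoginsOptionsSchema = z.strictObject({
+includeAllLoginAttempts: z.boolean().default(true),
+});
 export default class NoOtherApexApiLogins extends PolicyRule {
+options;
 constructor(opts) {
 super(opts);
+this.options = this.parseOptions(NoOtherApexApiLoginsOptionsSchema, opts.ruleConfig, 'users.yml');
 }
 run(context) {
 const result = this.initResult();
@@ -12,19 +18,42 @@ export default class NoOtherApexApiLogins extends PolicyRule {
 if (!user.logins) {
 continue;
 }
-for (const loginSummary of user.logins) {
-if (loginSummary.loginType === 'Other Apex API') {
-result.violations.push({
-identifier: [user.username, new Date(loginSummary.lastLogin).toISOString()],
-message: messages.getMessage('violations.no-other-apex-api-logins', [
-loginSummary.loginCount,
-this.opts.auditConfig.policies.users?.options.analyseLastNDaysOfLoginHistory,
-]),
-});
-}
+const logins = filterLoginAggregate(this.options.includeAllLoginAttempts, user.logins);
+for (const loginSummary of logins) {
+result.violations.push({
+identifier: [user.username, new Date(loginSummary.lastLogin).toISOString()],
+message: messages.getMessage(loginSummary.includesAttempts
+? 'violations.no-attempted-other-apex-api-logins'
+: 'violations.no-successful-other-apex-api-logins', [loginSummary.loginCount, this.opts.auditConfig.policies.users?.options.analyseLastNDaysOfLoginHistory]),
+});
 }
 }
 return Promise.resolve(result);
 }
 }
+function filterLoginAggregate(includeAll, userLogins) {
+if (!userLogins) {
+return [];
+}
+const apexApiLogins = userLogins.filter((login) => login.loginType === 'Other Apex API');
+const filteredLogins = includeAll ? apexApiLogins : apexApiLogins.filter((login) => login.status === 'Success');
+const map = filteredLogins.reduce((acc, login) => {
+const key = `${login.loginType}::${login.application}`;
+const existing = acc.get(key);
+if (existing) {
+existing.loginCount += login.loginCount;
+existing.lastLogin = Math.max(existing.lastLogin, login.lastLogin);
+existing.includesAttempts = existing.includesAttempts || login.status !== 'Success';
+}
+else {
+acc.set(key, {
+loginCount: login.loginCount,
+lastLogin: login.lastLogin,
+includesAttempts: login.status !== 'Success',
+});
+}
+return acc;
+}, new Map());
+return Array.from(map.values());
+}
 //# sourceMappingURL=noOtherApexApiLogins.js.map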
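Review bot: `filterLoginAggregate` folds successful and failed 'Other Apex API' logins for the same application into one bucket, so a bucket that holds real successful logins plus a single failure is reported with the "attempted" message and a combined `loginCount`, which masks the stronger finding that an actual login succeeded. Keying the aggregate on the outcome as well, `const key = \`${login.loginType}::${login.application}::${login.status === 'Success'}\`;`, keeps successes and attempts as separate violations while preserving the per-application grouping. `Math.max(existing.lastLogin, login.lastLogin)` assumes `lastLogin` is numeric; if the repository returns an ISO string the result is `NaN` and `new Date(...).toISOString()` in `run` throws, so this is worth confirming against `user.types.d.ts`. The `includeAllLoginAttempts` default of `true` is the fail-closed choice and deserves a comment on the schema line, e.g. `// default true: failed attempts are violations too; turning this off is an explicit opt-out`. The `for (const user of ...)` header of `run` lies between the two hunks and is not visible here.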
@@ -1 +1 @@
1
- {"version":3,"file":"noOtherApexApiLogins.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/noOtherApexApiLogins.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAG5C,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,aAAa,CAAC,CAAC;AAE5F,MAAM,CAAC,OAAO,OAAO,oBAAqB,SAAQ,UAAwB;IACxE,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,GAAG,CAAC,OAAuC;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,gBAAgB,CAAC,EAAE,CAAC;YAC3D,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACjB,SAAS;YACX,CAAC;YACD,KAAK,MAAM,YAAY,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;gBACvC,IAAI,YAAY,CAAC,SAAS,KAAK,gBAAgB,EAAE,CAAC;oBAChD,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;wBACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAC;wBAC3E,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,qCAAqC,EAAE;4BAClE,YAAY,CAAC,UAAU;4BACvB,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC,8BAA8B;yBAC7E,CAAC;qBACH,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF"}
1
+ {"version":3,"file":"noOtherApexApiLogins.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/noOtherApexApiLogins.ts"],"names":[],"mappings":"AAAA,OAAO,CAAC,MAAM,KAAK,CAAC;AACpB,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAG5C,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,aAAa,CAAC,CAAC;AAE5F,MAAM,iCAAiC,GAAG,CAAC,CAAC,YAAY,CAAC;IACvD,uBAAuB,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;CACnD,CAAC,CAAC;AAEH,MAAM,CAAC,OAAO,OAAO,oBAAqB,SAAQ,UAAwB;IACvD,OAAO,CAAC;IAEzB,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;QACZ,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,iCAAiC,EAAE,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;IACpG,CAAC;IAEM,GAAG,CAAC,OAAuC;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,gBAAgB,CAAC,EAAE,CAAC;YAC3D,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACjB,SAAS;YACX,CAAC;YACD,MAAM,MAAM,GAAG,oBAAoB,CAAC,IAAI,CAAC,OAAO,CAAC,uBAAuB,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;YACvF,KAAK,MAAM,YAAY,IAAI,MAAM,EAAE,CAAC;gBAClC,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;oBACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAC;oBAC3E,OAAO,EAAE,QAAQ,CAAC,UAAU,CAC1B,YAAY,CAAC,gBAAgB;wBAC3B,CAAC,CAAC,+CAA+C;wBACjD,CAAC,CAAC,gDAAgD,EACpD,CAAC,YAAY,CAAC,UAAU,EAAE,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC,8BAA8B,CAAC,CACxG;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF;AAED,SAAS,oBAAoB,CAAC,UAAmB,EAAE,UAAkC;IACnF,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,aAAa,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,SAAS,KAAK,gBAAgB,CAAC,CAAC;IACzF,MAAM,cAAc,GAAG,UAAU,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC;IAChH,MAAM,GAAG,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE;QAC/C,MAAM,GAAG,GAAG,GAAG,KAAK,CAAC,SAAS,KAAK,KAAK,CAAC,
WAAW,EAAE,CAAC;QACvD,MAAM,QAAQ,GAAG,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAE9B,IAAI,QAAQ,EAAE,CAAC;YACb,QAAQ,CAAC,UAAU,IAAI,KAAK,CAAC,UAAU,CAAC;YACxC,QAAQ,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,SAAS,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;YACnE,QAAQ,CAAC,gBAAgB,GAAG,QAAQ,CAAC,gBAAgB,IAAI,KAAK,CAAC,MAAM,KAAK,SAAS,CAAC;QACtF,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE;gBACX,UAAU,EAAE,KAAK,CAAC,UAAU;gBAC5B,SAAS,EAAE,KAAK,CAAC,SAAS;gBAC1B,gBAAgB,EAAE,KAAK,CAAC,MAAM,KAAK,SAAS;aAC7C,CAAC,CAAC;QACL,CAAC;QAED,OAAO,GAAG,CAAC;IACb,CAAC,EAAE,IAAI,GAAG,EAAiC,CAAC,CAAC;IAE7C,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;AAClC,CAAC"}
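--- a/package/lib/libs/audit-engine/registry/rules/policyRule.d.ts
+++ b/package/lib/libs/audit-engine/registry/rules/policyRule.d.ts
@@ -1,8 +1,10 @@
+import z from 'zod';
 import { PartialPolicyRuleResult, RowLevelPolicyRule, RuleAuditContext } from '../context.types.js';
 import { AuditRunConfig } from '../definitions.js';
 export type RuleOptions = {
 auditConfig: AuditRunConfig;
 ruleDisplayName: string;
+ruleConfig?: unknown;
 };
 export type ConfigurableRuleOptions<T> = RuleOptions & {
 ruleConfig: T;
@@ -13,5 +15,6 @@ export default abstract class PolicyRule<EntityType> implements RowLevelPolicyRu
 ruleDisplayName: string;
 constructor(opts: RuleOptions);
 protected initResult(): PartialPolicyRuleResult;
+protected parseOptions<T>(schema: z.ZodType<T>, ruleConfig: unknown, policyFile: string): T;
 abstract run(context: RuleAuditContext<EntityType>): Promise<PartialPolicyRuleResult>;
 }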
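--- a/package/lib/libs/audit-engine/registry/rules/policyRule.js
+++ b/package/lib/libs/audit-engine/registry/rules/policyRule.js
@@ -1,4 +1,5 @@
 import { Messages } from '@salesforce/core';
+import { throwAsSfError } from '../schema.js';
 Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
 export default class PolicyRule {
 opts;
@@ -18,5 +19,14 @@ export default class PolicyRule {
 errors: new Array(),
 };
 }
+parseOptions(schema, ruleConfig, policyFile) {
+const parseResult = schema.safeParse(ruleConfig ?? {});
+if (parseResult.success) {
+return parseResult.data; // typed as T
+}
+else {
+throwAsSfError(policyFile, parseResult.error, ['rules', this.ruleDisplayName, 'options']);
+}
+}
 }
 //# sourceMappingURL=policyRule.js.map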
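Review bot: `parseOptions` carries no documentation, and its `else` branch depends on `throwAsSfError` never returning; if that helper is not declared `never`, the method falls through and returns `undefined` typed as `T`, and every rule then dereferences `this.options.<key>` on `undefined` at run time. A docstring would pin the contract: it validates a rule's `options` block from `policyFile` against `schema`, treats a missing block as empty so schema defaults apply (`ruleConfig ?? {}`), and raises an SfError pointing at `rules.<ruleDisplayName>.options` on any mismatch. Since `ruleConfig` comes straight from the policy YAML, the safety of this path rests on each rule's schema being `z.strictObject` (as `noOtherApexApiLogins` does) so that a mistyped option key is rejected rather than silently ignored and the control quietly weakened; a comment stating that expectation here, e.g. `// callers must pass a strict schema: unknown keys in a policy file are a configuration error, not noise`, would make it a rule rather than a convention.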
@@ -1 +1 @@
1
- {"version":3,"file":"policyRule.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/policyRule.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAK5C,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAW7D,MAAM,CAAC,OAAO,OAAgB,UAAU;IAIT;IAHtB,WAAW,CAAiB;IAC5B,eAAe,CAAS;IAE/B,YAA6B,IAAiB;QAAjB,SAAI,GAAJ,IAAI,CAAa;QAC5C,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC;QACpC,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,eAAe,CAAC;IAC9C,CAAC;IAES,UAAU;QAClB,OAAO;YACL,QAAQ,EAAE,IAAI,CAAC,eAAe;YAC9B,UAAU,EAAE,IAAI,KAAK,EAAuB;YAC5C,eAAe,EAAE,IAAI,KAAK,EAA2B;YACrD,QAAQ,EAAE,IAAI,KAAK,EAAwB;YAC3C,MAAM,EAAE,IAAI,KAAK,EAAwB;SAC1C,CAAC;IACJ,CAAC;CAGF"}
1
+ {"version":3,"file":"policyRule.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/policyRule.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAI5C,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAE9C,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAY7D,MAAM,CAAC,OAAO,OAAgB,UAAU;IAIT;IAHtB,WAAW,CAAiB;IAC5B,eAAe,CAAS;IAE/B,YAA6B,IAAiB;QAAjB,SAAI,GAAJ,IAAI,CAAa;QAC5C,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC;QACpC,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,eAAe,CAAC;IAC9C,CAAC;IAES,UAAU;QAClB,OAAO;YACL,QAAQ,EAAE,IAAI,CAAC,eAAe;YAC9B,UAAU,EAAE,IAAI,KAAK,EAAuB;YAC5C,eAAe,EAAE,IAAI,KAAK,EAA2B;YACrD,QAAQ,EAAE,IAAI,KAAK,EAAwB;YAC3C,MAAM,EAAE,IAAI,KAAK,EAAwB;SAC1C,CAAC;IACJ,CAAC;IAES,YAAY,CAAI,MAAoB,EAAE,UAAmB,EAAE,UAAkB;QACrF,MAAM,WAAW,GAAG,MAAM,CAAC,SAAS,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC;QACvD,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;YACxB,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC,aAAa;QACxC,CAAC;aAAM,CAAC;YACN,cAAc,CAAC,UAAU,EAAE,WAAW,CAAC,KAAK,EAAE,CAAC,OAAO,EAAE,IAAI,CAAC,eAAe,EAAE,SAAS,CAAC,CAAC,CAAC;QAC5F,CAAC;IACH,CAAC;CAGF"}
@@ -4,66 +4,85 @@
4
4
  * the audit config that is used by rules and policies.
5
5
  */
6
6
  export declare const BaseAuditConfigShape: {
7
- definitions: {
7
+ controls: {
8
8
  files: {
9
9
  roles: {
10
+ schema: import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
11
+ permissions: import("zod").ZodOptional<import("zod").ZodXor<readonly [import("zod").ZodArray<import("zod").ZodString>, import("zod").ZodObject<{
12
+ allowedClassifications: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodEnum<typeof import("./schema.js").PermissionRiskLevel>>>;
13
+ userPermissions: import("zod").ZodOptional<import("zod").ZodObject<{
14
+ allowed: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
15
+ denied: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
16
+ required: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
17
+ }, import("zod/v4/core").$strip>>;
18
+ customPermissions: import("zod").ZodOptional<import("zod").ZodObject<{
19
+ allowed: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
20
+ denied: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
21
+ required: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
22
+ }, import("zod/v4/core").$strip>>;
23
+ }, import("zod/v4/core").$strip>]>>;
24
+ }, import("zod/v4/core").$strict>>;
25
+ };
26
+ permissions: {
10
27
  schema: import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
11
28
  allowedClassifications: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodEnum<typeof import("./schema.js").PermissionRiskLevel>>>;
12
- allowedPermissions: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
13
- deniedPermissions: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
29
+ userPermissions: import("zod").ZodOptional<import("zod").ZodObject<{
30
+ allowed: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
31
+ denied: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
32
+ required: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
33
+ }, import("zod/v4/core").$strip>>;
34
+ customPermissions: import("zod").ZodOptional<import("zod").ZodObject<{
35
+ allowed: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
36
+ denied: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
37
+ required: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
38
+ }, import("zod/v4/core").$strip>>;
14
39
  }, import("zod/v4/core").$strip>>;
15
40
  };
16
41
  };
17
42
  };
18
- classifications: {
43
+ shape: {
19
44
  files: {
20
45
  userPermissions: {
21
- schema: import("zod").ZodObject<{
22
- permissions: import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
23
- label: import("zod").ZodOptional<import("zod").ZodString>;
24
- reason: import("zod").ZodOptional<import("zod").ZodString>;
25
- classification: import("zod").ZodEnum<typeof import("./schema.js").PermissionRiskLevel>;
26
- }, import("zod/v4/core").$strip>>;
27
- }, import("zod/v4/core").$strip>;
28
- entities: string;
46
+ schema: import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
47
+ label: import("zod").ZodOptional<import("zod").ZodString>;
48
+ reason: import("zod").ZodOptional<import("zod").ZodString>;
49
+ classification: import("zod").ZodEnum<typeof import("./schema.js").PermissionRiskLevel>;
50
+ }, import("zod/v4/core").$strip>>;
51
+ isCountable: boolean;
29
52
  };
30
53
  customPermissions: {
31
- schema: import("zod").ZodObject<{
32
- permissions: import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
33
- label: import("zod").ZodOptional<import("zod").ZodString>;
34
- reason: import("zod").ZodOptional<import("zod").ZodString>;
35
- classification: import("zod").ZodEnum<typeof import("./schema.js").PermissionRiskLevel>;
36
- }, import("zod/v4/core").$strip>>;
37
- }, import("zod/v4/core").$strip>;
38
- entities: string;
54
+ schema: import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
55
+ label: import("zod").ZodOptional<import("zod").ZodString>;
56
+ reason: import("zod").ZodOptional<import("zod").ZodString>;
57
+ classification: import("zod").ZodEnum<typeof import("./schema.js").PermissionRiskLevel>;
58
+ }, import("zod/v4/core").$strip>>;
59
+ isCountable: boolean;
39
60
  };
61
+ };
62
+ };
63
+ inventory: {
64
+ files: {
40
65
  profiles: {
41
- schema: import("zod").ZodObject<{
42
- profiles: import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
43
- role: import("zod").ZodString;
44
- allowedLoginIps: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodObject<{
45
- from: import("zod").ZodString;
46
- to: import("zod").ZodString;
47
- }, import("zod/v4/core").$strip>>>;
48
- }, import("zod/v4/core").$strict>>;
49
- }, import("zod/v4/core").$strip>;
50
- entities: string;
66
+ schema: import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
67
+ role: import("zod").ZodString;
68
+ allowedLoginIps: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodObject<{
69
+ from: import("zod").ZodString;
70
+ to: import("zod").ZodString;
71
+ }, import("zod/v4/core").$strip>>>;
72
+ }, import("zod/v4/core").$strict>>;
73
+ isCountable: boolean;
51
74
  };
52
75
  permissionSets: {
53
- schema: import("zod").ZodObject<{
54
- permissionSets: import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
55
- role: import("zod").ZodString;
56
- }, import("zod/v4/core").$strict>>;
57
- }, import("zod/v4/core").$strip>;
58
- entities: string;
76
+ schema: import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
77
+ role: import("zod").ZodString;
78
+ }, import("zod/v4/core").$strict>>;
79
+ isCountable: boolean;
59
80
  };
60
81
  users: {
61
- schema: import("zod").ZodObject<{
62
- users: import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
63
- role: import("zod").ZodString;
64
- }, import("zod/v4/core").$strip>>;
65
- }, import("zod/v4/core").$strip>;
66
- entities: string;
82
+ schema: import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
83
+ role: import("zod").ZodString;
84
+ }, import("zod/v4/core").$strip>>;
85
+ isCountable: boolean;
67
86
  };
68
87
  };
69
88
  };
@@ -82,6 +101,8 @@ export declare const BaseAuditConfigShape: {
82
101
  path: string[];
83
102
  errorName: string;
84
103
  }[];
104
+ isCountable: boolean;
105
+ entities: string;
85
106
  };
86
107
  permissionSets: {
87
108
  schema: import("zod").ZodObject<{
@@ -96,6 +117,8 @@ export declare const BaseAuditConfigShape: {
96
117
  path: string[];
97
118
  errorName: string;
98
119
  }[];
120
+ isCountable: boolean;
121
+ entities: string;
99
122
  };
100
123
  connectedApps: {
101
124
  schema: import("zod").ZodObject<{
@@ -106,6 +129,8 @@ export declare const BaseAuditConfigShape: {
106
129
  }, import("zod/v4/core").$strip>>>;
107
130
  options: import("zod").ZodOptional<import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodUnknown>>;
108
131
  }, import("zod/v4/core").$strip>;
132
+ isCountable: boolean;
133
+ entities: string;
109
134
  };
110
135
  users: {
111
136
  schema: import("zod").ZodObject<{
@@ -119,6 +144,8 @@ export declare const BaseAuditConfigShape: {
119
144
  analyseLastNDaysOfLoginHistory: import("zod").ZodOptional<import("zod").ZodNumber>;
120
145
  }, import("zod/v4/core").$strict>;
121
146
  }, import("zod/v4/core").$strip>;
147
+ isCountable: boolean;
148
+ entities: string;
122
149
  };
123
150
  settings: {
124
151
  schema: import("zod").ZodObject<{
@@ -129,6 +156,8 @@ export declare const BaseAuditConfigShape: {
129
156
  }, import("zod/v4/core").$strip>>>;
130
157
  options: import("zod").ZodOptional<import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodUnknown>>;
131
158
  }, import("zod/v4/core").$strip>;
159
+ isCountable: boolean;
160
+ entities: string;
132
161
  };
133
162
  };
134
163
  };
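--- a/package/lib/libs/audit-engine/registry/shape/auditConfigShape.js
+++ b/package/lib/libs/audit-engine/registry/shape/auditConfigShape.js
@@ -1,61 +1,57 @@
-import { PermissionsClassificationFileSchema, PermissionSetsClassificationFileSchema, PolicyFileSchema, ProfilesClassificationFileSchema, RoleDefinitionsFileSchema, UserClassificationFileSchema, UserPolicyFileSchema, } from './schema.js';
+import { ComposableRolesFileSchema, PermissionControlsFileSchema, PermissionsClassificationFileSchema, PermissionSetsClassificationFileSchema, PolicyFileSchema, ProfilesClassificationFileSchema, UserClassificationFileSchema, UserPolicyFileSchema, } from './schema.js';
 /**
 * The shape defines the directory structure and schema files to
 * parse YAML files. It is the foundation to derive the runtime type of
 * the audit config that is used by rules and policies.
 */
 export const BaseAuditConfigShape = {
-definitions: {
+controls: {
 files: {
-roles: { schema: RoleDefinitionsFileSchema },
+roles: { schema: ComposableRolesFileSchema },
+permissions: { schema: PermissionControlsFileSchema },
 },
 },
-classifications: {
+shape: {
 files: {
-userPermissions: {
-schema: PermissionsClassificationFileSchema,
-entities: 'permissions',
-},
-customPermissions: {
-schema: PermissionsClassificationFileSchema,
-entities: 'permissions',
-},
-profiles: {
-schema: ProfilesClassificationFileSchema,
-entities: 'profiles',
-},
-permissionSets: {
-schema: PermissionSetsClassificationFileSchema,
-entities: 'permissionSets',
-},
-users: {
-schema: UserClassificationFileSchema,
-entities: 'users',
-},
+userPermissions: { schema: PermissionsClassificationFileSchema, isCountable: true },
+customPermissions: { schema: PermissionsClassificationFileSchema, isCountable: true },
+},
+},
+inventory: {
+files: {
+profiles: { schema: ProfilesClassificationFileSchema, isCountable: true },
+permissionSets: { schema: PermissionSetsClassificationFileSchema, isCountable: true },
+users: { schema: UserClassificationFileSchema, isCountable: true },
 },
 },
 policies: {
 files: {
 profiles: {
 schema: PolicyFileSchema,
-dependencies: [
-{ path: ['classifications', 'userPermissions'], errorName: 'UserPermClassificationRequiredForProfiles' },
-],
+dependencies: [{ path: ['shape', 'userPermissions'], errorName: 'UserPermClassificationRequiredForProfiles' }],
+isCountable: true,
+entities: 'rules',
 },
 permissionSets: {
 schema: PolicyFileSchema,
-dependencies: [
-{ path: ['classifications', 'userPermissions'], errorName: 'UserPermClassificationRequiredForPermSets' },
-],
+dependencies: [{ path: ['shape', 'userPermissions'], errorName: 'UserPermClassificationRequiredForPermSets' }],
+isCountable: true,
+entities: 'rules',
 },
 connectedApps: {
 schema: PolicyFileSchema,
+isCountable: true,
+entities: 'rules',
 },
 users: {
 schema: UserPolicyFileSchema,
+isCountable: true,
+entities: 'rules',
 },
 settings: {
 schema: PolicyFileSchema,
+isCountable: true,
+entities: 'rules',
 },
 },
 },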
@@ -1 +1 @@
1
- {"version":3,"file":"auditConfigShape.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/shape/auditConfigShape.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,mCAAmC,EACnC,sCAAsC,EACtC,gBAAgB,EAChB,gCAAgC,EAChC,yBAAyB,EACzB,4BAA4B,EAC5B,oBAAoB,GACrB,MAAM,aAAa,CAAC;AAErB;;;;GAIG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG;IAClC,WAAW,EAAE;QACX,KAAK,EAAE;YACL,KAAK,EAAE,EAAE,MAAM,EAAE,yBAAyB,EAAE;SAC7C;KACF;IACD,eAAe,EAAE;QACf,KAAK,EAAE;YACL,eAAe,EAAE;gBACf,MAAM,EAAE,mCAAmC;gBAC3C,QAAQ,EAAE,aAAa;aACxB;YACD,iBAAiB,EAAE;gBACjB,MAAM,EAAE,mCAAmC;gBAC3C,QAAQ,EAAE,aAAa;aACxB;YACD,QAAQ,EAAE;gBACR,MAAM,EAAE,gCAAgC;gBACxC,QAAQ,EAAE,UAAU;aACrB;YACD,cAAc,EAAE;gBACd,MAAM,EAAE,sCAAsC;gBAC9C,QAAQ,EAAE,gBAAgB;aAC3B;YACD,KAAK,EAAE;gBACL,MAAM,EAAE,4BAA4B;gBACpC,QAAQ,EAAE,OAAO;aAClB;SACF;KACF;IACD,QAAQ,EAAE;QACR,KAAK,EAAE;YACL,QAAQ,EAAE;gBACR,MAAM,EAAE,gBAAgB;gBACxB,YAAY,EAAE;oBACZ,EAAE,IAAI,EAAE,CAAC,iBAAiB,EAAE,iBAAiB,CAAC,EAAE,SAAS,EAAE,2CAA2C,EAAE;iBACzG;aACF;YACD,cAAc,EAAE;gBACd,MAAM,EAAE,gBAAgB;gBACxB,YAAY,EAAE;oBACZ,EAAE,IAAI,EAAE,CAAC,iBAAiB,EAAE,iBAAiB,CAAC,EAAE,SAAS,EAAE,2CAA2C,EAAE;iBACzG;aACF;YACD,aAAa,EAAE;gBACb,MAAM,EAAE,gBAAgB;aACzB;YACD,KAAK,EAAE;gBACL,MAAM,EAAE,oBAAoB;aAC7B;YACD,QAAQ,EAAE;gBACR,MAAM,EAAE,gBAAgB;aACzB;SACF;KACF;CACF,CAAC"}
1
+ {"version":3,"file":"auditConfigShape.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/shape/auditConfigShape.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,yBAAyB,EACzB,4BAA4B,EAC5B,mCAAmC,EACnC,sCAAsC,EACtC,gBAAgB,EAChB,gCAAgC,EAChC,4BAA4B,EAC5B,oBAAoB,GACrB,MAAM,aAAa,CAAC;AAErB;;;;GAIG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG;IAClC,QAAQ,EAAE;QACR,KAAK,EAAE;YACL,KAAK,EAAE,EAAE,MAAM,EAAE,yBAAyB,EAAE;YAC5C,WAAW,EAAE,EAAE,MAAM,EAAE,4BAA4B,EAAE;SACtD;KACF;IACD,KAAK,EAAE;QACL,KAAK,EAAE;YACL,eAAe,EAAE,EAAE,MAAM,EAAE,mCAAmC,EAAE,WAAW,EAAE,IAAI,EAAE;YACnF,iBAAiB,EAAE,EAAE,MAAM,EAAE,mCAAmC,EAAE,WAAW,EAAE,IAAI,EAAE;SACtF;KACF;IACD,SAAS,EAAE;QACT,KAAK,EAAE;YACL,QAAQ,EAAE,EAAE,MAAM,EAAE,gCAAgC,EAAE,WAAW,EAAE,IAAI,EAAE;YACzE,cAAc,EAAE,EAAE,MAAM,EAAE,sCAAsC,EAAE,WAAW,EAAE,IAAI,EAAE;YACrF,KAAK,EAAE,EAAE,MAAM,EAAE,4BAA4B,EAAE,WAAW,EAAE,IAAI,EAAE;SACnE;KACF;IACD,QAAQ,EAAE;QACR,KAAK,EAAE;YACL,QAAQ,EAAE;gBACR,MAAM,EAAE,gBAAgB;gBACxB,YAAY,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,OAAO,EAAE,iBAAiB,CAAC,EAAE,SAAS,EAAE,2CAA2C,EAAE,CAAC;gBAC9G,WAAW,EAAE,IAAI;gBACjB,QAAQ,EAAE,OAAO;aAClB;YACD,cAAc,EAAE;gBACd,MAAM,EAAE,gBAAgB;gBACxB,YAAY,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,OAAO,EAAE,iBAAiB,CAAC,EAAE,SAAS,EAAE,2CAA2C,EAAE,CAAC;gBAC9G,WAAW,EAAE,IAAI;gBACjB,QAAQ,EAAE,OAAO;aAClB;YACD,aAAa,EAAE;gBACb,MAAM,EAAE,gBAAgB;gBACxB,WAAW,EAAE,IAAI;gBACjB,QAAQ,EAAE,OAAO;aAClB;YACD,KAAK,EAAE;gBACL,MAAM,EAAE,oBAAoB;gBAC5B,WAAW,EAAE,IAAI;gBACjB,QAAQ,EAAE,OAAO;aAClB;YACD,QAAQ,EAAE;gBACR,MAAM,EAAE,gBAAgB;gBACxB,WAAW,EAAE,IAAI;gBACjB,QAAQ,EAAE,OAAO;aAClB;SACF;KACF;CACF,CAAC"}
@@ -32,55 +32,85 @@ export declare enum UserPrivilegeLevel {
32
32
  /** Disables the profile for audit */
33
33
  UNKNOWN = "Unknown"
34
34
  }
35
- declare const PermissionClassifications: z.ZodRecord<z.ZodString, z.ZodObject<{
35
+ declare const IndividualPermissionControlSchema: z.ZodObject<{
36
+ allowed: z.ZodOptional<z.ZodArray<z.ZodString>>;
37
+ denied: z.ZodOptional<z.ZodArray<z.ZodString>>;
38
+ required: z.ZodOptional<z.ZodArray<z.ZodString>>;
39
+ }, z.z.core.$strip>;
40
+ export declare const PermissionControlSchema: z.ZodObject<{
41
+ allowedClassifications: z.ZodOptional<z.ZodArray<z.ZodEnum<typeof PermissionRiskLevel>>>;
42
+ userPermissions: z.ZodOptional<z.ZodObject<{
43
+ allowed: z.ZodOptional<z.ZodArray<z.ZodString>>;
44
+ denied: z.ZodOptional<z.ZodArray<z.ZodString>>;
45
+ required: z.ZodOptional<z.ZodArray<z.ZodString>>;
46
+ }, z.z.core.$strip>>;
47
+ customPermissions: z.ZodOptional<z.ZodObject<{
48
+ allowed: z.ZodOptional<z.ZodArray<z.ZodString>>;
49
+ denied: z.ZodOptional<z.ZodArray<z.ZodString>>;
50
+ required: z.ZodOptional<z.ZodArray<z.ZodString>>;
51
+ }, z.z.core.$strip>>;
52
+ }, z.z.core.$strip>;
53
+ export declare const PermissionControlsFileSchema: z.ZodRecord<z.ZodString, z.ZodObject<{
54
+ allowedClassifications: z.ZodOptional<z.ZodArray<z.ZodEnum<typeof PermissionRiskLevel>>>;
55
+ userPermissions: z.ZodOptional<z.ZodObject<{
56
+ allowed: z.ZodOptional<z.ZodArray<z.ZodString>>;
57
+ denied: z.ZodOptional<z.ZodArray<z.ZodString>>;
58
+ required: z.ZodOptional<z.ZodArray<z.ZodString>>;
59
+ }, z.z.core.$strip>>;
60
+ customPermissions: z.ZodOptional<z.ZodObject<{
61
+ allowed: z.ZodOptional<z.ZodArray<z.ZodString>>;
62
+ denied: z.ZodOptional<z.ZodArray<z.ZodString>>;
63
+ required: z.ZodOptional<z.ZodArray<z.ZodString>>;
64
+ }, z.z.core.$strip>>;
65
+ }, z.z.core.$strip>>;
66
+ export declare const ResolvedRoleDefinitionSchema: z.ZodObject<{
67
+ permissions: z.ZodOptional<z.ZodObject<{
68
+ allowedClassifications: z.ZodOptional<z.ZodArray<z.ZodEnum<typeof PermissionRiskLevel>>>;
69
+ userPermissions: z.ZodOptional<z.ZodObject<{
70
+ allowed: z.ZodOptional<z.ZodArray<z.ZodString>>;
71
+ denied: z.ZodOptional<z.ZodArray<z.ZodString>>;
72
+ required: z.ZodOptional<z.ZodArray<z.ZodString>>;
73
+ }, z.z.core.$strip>>;
74
+ customPermissions: z.ZodOptional<z.ZodObject<{
75
+ allowed: z.ZodOptional<z.ZodArray<z.ZodString>>;
76
+ denied: z.ZodOptional<z.ZodArray<z.ZodString>>;
77
+ required: z.ZodOptional<z.ZodArray<z.ZodString>>;
78
+ }, z.z.core.$strip>>;
79
+ }, z.z.core.$strip>>;
80
+ }, z.z.core.$strip>;
81
+ export declare const ComposableRolesFileSchema: z.ZodRecord<z.ZodString, z.ZodObject<{
82
+ permissions: z.ZodOptional<z.ZodXor<readonly [z.ZodArray<z.ZodString>, z.ZodObject<{
83
+ allowedClassifications: z.ZodOptional<z.ZodArray<z.ZodEnum<typeof PermissionRiskLevel>>>;
84
+ userPermissions: z.ZodOptional<z.ZodObject<{
85
+ allowed: z.ZodOptional<z.ZodArray<z.ZodString>>;
86
+ denied: z.ZodOptional<z.ZodArray<z.ZodString>>;
87
+ required: z.ZodOptional<z.ZodArray<z.ZodString>>;
88
+ }, z.z.core.$strip>>;
89
+ customPermissions: z.ZodOptional<z.ZodObject<{
90
+ allowed: z.ZodOptional<z.ZodArray<z.ZodString>>;
91
+ denied: z.ZodOptional<z.ZodArray<z.ZodString>>;
92
+ required: z.ZodOptional<z.ZodArray<z.ZodString>>;
93
+ }, z.z.core.$strip>>;
94
+ }, z.z.core.$strip>]>>;
95
+ }, z.z.core.$strict>>;
96
+ export declare const PermissionsClassificationFileSchema: z.ZodRecord<z.ZodString, z.ZodObject<{
36
97
  label: z.ZodOptional<z.ZodString>;
37
98
  reason: z.ZodOptional<z.ZodString>;
38
99
  classification: z.ZodEnum<typeof PermissionRiskLevel>;
39
100
  }, z.z.core.$strip>>;
40
- declare const PermSetMap: z.ZodRecord<z.ZodString, z.ZodObject<{
41
- role: z.ZodString;
42
- }, z.z.core.$strict>>;
43
- declare const ProfilesMap: z.ZodRecord<z.ZodString, z.ZodObject<{
101
+ export declare const ProfilesClassificationFileSchema: z.ZodRecord<z.ZodString, z.ZodObject<{
44
102
  role: z.ZodString;
45
103
  allowedLoginIps: z.ZodOptional<z.ZodArray<z.ZodObject<{
46
104
  from: z.ZodString;
47
105
  to: z.ZodString;
48
106
  }, z.z.core.$strip>>>;
49
107
  }, z.z.core.$strict>>;
50
- declare const UsersMap: z.ZodRecord<z.ZodString, z.ZodObject<{
108
+ export declare const PermissionSetsClassificationFileSchema: z.ZodRecord<z.ZodString, z.ZodObject<{
109
+ role: z.ZodString;
110
+ }, z.z.core.$strict>>;
111
+ export declare const UserClassificationFileSchema: z.ZodRecord<z.ZodString, z.ZodObject<{
51
112
  role: z.ZodString;
52
113
  }, z.z.core.$strip>>;
53
- export declare const RoleDefinitionsFileSchema: z.ZodRecord<z.ZodString, z.ZodObject<{
54
- allowedClassifications: z.ZodOptional<z.ZodArray<z.ZodEnum<typeof PermissionRiskLevel>>>;
55
- allowedPermissions: z.ZodOptional<z.ZodArray<z.ZodString>>;
56
- deniedPermissions: z.ZodOptional<z.ZodArray<z.ZodString>>;
57
- }, z.z.core.$strip>>;
58
- export declare const PermissionsClassificationFileSchema: z.ZodObject<{
59
- permissions: z.ZodRecord<z.ZodString, z.ZodObject<{
60
- label: z.ZodOptional<z.ZodString>;
61
- reason: z.ZodOptional<z.ZodString>;
62
- classification: z.ZodEnum<typeof PermissionRiskLevel>;
63
- }, z.z.core.$strip>>;
64
- }, z.z.core.$strip>;
65
- export declare const ProfilesClassificationFileSchema: z.ZodObject<{
66
- profiles: z.ZodRecord<z.ZodString, z.ZodObject<{
67
- role: z.ZodString;
68
- allowedLoginIps: z.ZodOptional<z.ZodArray<z.ZodObject<{
69
- from: z.ZodString;
70
- to: z.ZodString;
71
- }, z.z.core.$strip>>>;
72
- }, z.z.core.$strict>>;
73
- }, z.z.core.$strip>;
74
- export declare const PermissionSetsClassificationFileSchema: z.ZodObject<{
75
- permissionSets: z.ZodRecord<z.ZodString, z.ZodObject<{
76
- role: z.ZodString;
77
- }, z.z.core.$strict>>;
78
- }, z.z.core.$strip>;
79
- export declare const UserClassificationFileSchema: z.ZodObject<{
80
- users: z.ZodRecord<z.ZodString, z.ZodObject<{
81
- role: z.ZodString;
82
- }, z.z.core.$strip>>;
83
- }, z.z.core.$strip>;
84
114
  export declare const PolicyFileSchema: z.ZodObject<{
85
115
  enabled: z.ZodDefault<z.ZodBoolean>;
86
116
  rules: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodObject<{
@@ -110,13 +140,17 @@ export type NestedStructure = {
110
140
  * risk or a structure of nested identifiers.
111
141
  */
112
142
  export declare const AcceptedRisksSchema: z.ZodType<NestedStructure>;
113
- export type PermissionClassifications = z.infer<typeof PermissionClassifications>;
114
- export type PermissionSetClassifications = z.infer<typeof PermSetMap>;
115
- export type ProfileClassifications = z.infer<typeof ProfilesMap>;
116
- export type UserClassifications = z.infer<typeof UsersMap>;
143
+ export type PermissionClassifications = z.infer<typeof PermissionsClassificationFileSchema>;
144
+ export type PermissionSetClassifications = z.infer<typeof PermissionSetsClassificationFileSchema>;
145
+ export type ProfileClassifications = z.infer<typeof ProfilesClassificationFileSchema>;
146
+ export type UserClassifications = z.infer<typeof UserClassificationFileSchema>;
117
147
  export type PolicyConfig = z.infer<typeof PolicyFileSchema>;
118
148
  export type UserPolicyConfig = z.infer<typeof UserPolicyFileSchema>;
119
149
  export type AcceptedRuleRisks = z.infer<typeof AcceptedRisksSchema>;
120
- export type RoleDefinitions = z.infer<typeof RoleDefinitionsFileSchema>;
121
- export type RoledEntityMap = z.infer<typeof PermSetMap>;
150
+ export type PermissionControlSection = z.infer<typeof IndividualPermissionControlSchema>;
151
+ export type ResolvedRoleDefinition = z.infer<typeof ResolvedRoleDefinitionSchema>;
152
+ export type ComposableRolesControl = z.infer<typeof ComposableRolesFileSchema>;
153
+ export type PermissionControl = z.infer<typeof PermissionControlSchema>;
154
+ export type PermissionControls = z.infer<typeof PermissionControlsFileSchema>;
155
+ export declare function isPermissionControl(maybeRoleDef: unknown): maybeRoleDef is PermissionControl;
122
156
  export {};
@@ -55,34 +55,31 @@ const PermSetConfig = z.strictObject({
55
55
  const ProfileConfig = PermSetConfig.extend({
56
56
  allowedLoginIps: z.array(z.object({ from: z.string().regex(IP4RegExp), to: z.string().regex(IP4RegExp) })).optional(),
57
57
  });
58
- const PermSetMap = z.record(z.string(), PermSetConfig);
59
- const ProfilesMap = z.record(z.string(), ProfileConfig);
60
58
  const UserConfig = z.object({ role: z.string() });
61
- const UsersMap = z.record(z.string(), UserConfig);
62
59
  const UsersPolicyOptions = z.strictObject({
63
60
  defaultRoleForMissingUsers: z.string().default(UserPrivilegeLevel.STANDARD_USER),
64
61
  analyseLastNDaysOfLoginHistory: z.number().optional(),
65
62
  });
66
- const RoleDefinition = z.object({
63
+ const IndividualPermissionControlSchema = z.object({
64
+ allowed: z.array(z.string()).optional(),
65
+ denied: z.array(z.string()).optional(),
66
+ required: z.array(z.string()).optional(),
67
+ });
68
+ // Controls File Schema
69
+ export const PermissionControlSchema = z.object({
67
70
  allowedClassifications: z.array(z.enum(PermissionRiskLevel)).optional(),
68
- allowedPermissions: z.array(z.string()).optional(),
69
- deniedPermissions: z.array(z.string()).optional(),
71
+ userPermissions: IndividualPermissionControlSchema.optional(),
72
+ customPermissions: IndividualPermissionControlSchema.optional(),
70
73
  });
71
- // Definition File Schemata
72
- export const RoleDefinitionsFileSchema = z.record(z.string(), RoleDefinition);
74
+ export const PermissionControlsFileSchema = z.record(z.string(), PermissionControlSchema);
75
+ // new, V2
76
+ export const ResolvedRoleDefinitionSchema = z.object({ permissions: PermissionControlSchema.optional() });
77
+ export const ComposableRolesFileSchema = z.record(z.string(), z.object({ permissions: z.xor([z.array(z.string()), PermissionControlSchema]).optional() }).strict());
73
78
  // Classification File Schemata
74
- export const PermissionsClassificationFileSchema = z.object({
75
- permissions: PermissionClassifications,
76
- });
77
- export const ProfilesClassificationFileSchema = z.object({
78
- profiles: ProfilesMap,
79
- });
80
- export const PermissionSetsClassificationFileSchema = z.object({
81
- permissionSets: PermSetMap,
82
- });
83
- export const UserClassificationFileSchema = z.object({
84
- users: UsersMap,
85
- });
79
+ export const PermissionsClassificationFileSchema = z.record(z.string(), PermClassification);
80
+ export const ProfilesClassificationFileSchema = z.record(z.string(), ProfileConfig);
81
+ export const PermissionSetsClassificationFileSchema = z.record(z.string(), PermSetConfig);
82
+ export const UserClassificationFileSchema = z.record(z.string(), UserConfig);
86
83
  // Policy File Schemata
87
84
  export const PolicyFileSchema = z.object({
88
85
  enabled: z.boolean().default(true),
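Review bot: `IndividualPermissionControlSchema` and `PermissionControlSchema` are plain `z.object` (strip mode, confirmed by `$strip` in the emitted d.ts), while the same hunk removes the old `allowedPermissions`/`deniedPermissions` keys; a controls file validated by `PermissionControlsFileSchema` that still carries the removed `deniedPermissions` key, or misspells `denied`, now parses successfully with its deny-list silently dropped, so the audit becomes more permissive instead of failing loudly. The file already uses `z.strictObject` for `PermSetConfig`/`UsersPolicyOptions` and `.strict()` on `ComposableRolesFileSchema`, so the nested control objects should follow suit: `const IndividualPermissionControlSchema = z.strictObject({ ... })` and `export const PermissionControlSchema = z.strictObject({ ... })`. Separately, nothing rejects a permission listed in both `denied` and `required` (or `allowed`); a `.superRefine` that reports the intersection would surface contradictory controls at parse time rather than leaving the outcome to evaluation order in code outside this hunk.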
@@ -98,4 +95,9 @@ const allowedRiskSchema = z.object({ reason: z.string() });
98
95
  * risk or a structure of nested identifiers.
99
96
  */
100
97
  export const AcceptedRisksSchema = z.lazy(() => z.record(z.string(), z.union([allowedRiskSchema, AcceptedRisksSchema])));
98
+ // Guard Functions
99
+ export function isPermissionControl(maybeRoleDef) {
100
+ const parseResult = PermissionControlSchema.safeParse(maybeRoleDef);
101
+ return maybeRoleDef !== undefined && parseResult.success === true;
102
+ }
101
103
  //# sourceMappingURL=schema.js.map
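Review bot: `isPermissionControl` returns true for `{}` and for any non-array object whose keys are all unrecognised, because every field of `PermissionControlSchema` is optional and the schema strips unknown keys; wherever this guard distinguishes the object form from the string-array form of `ComposableRolesFileSchema.permissions`, a mistyped control such as `{ userPermission: { denied: [...] } }` is accepted as an empty control rather than rejected. The `maybeRoleDef !== undefined` test is redundant, since `safeParse(undefined)` already fails for an object schema. I would tighten it to `return PermissionControlSchema.strict().safeParse(maybeRoleDef).success;`, or, if an empty control is intentional, say so in a JSDoc on the function: `/** True when the value parses as a PermissionControl; note that `{}` qualifies. */`.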