@j-schreiber/sf-cli-security-audit 0.19.3 → 0.20.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +3 -3
- package/lib/commands/org/audit/init.d.ts +1 -1
- package/lib/commands/org/audit/init.js +8 -8
- package/lib/commands/org/audit/init.js.map +1 -1
- package/lib/commands/org/audit/run.js +4 -1
- package/lib/commands/org/audit/run.js.map +1 -1
- package/lib/libs/audit-engine/auditRun.d.ts +7 -4
- package/lib/libs/audit-engine/auditRun.js +27 -9
- package/lib/libs/audit-engine/auditRun.js.map +1 -1
- package/lib/libs/audit-engine/file-manager/fileManager.d.ts +5 -6
- package/lib/libs/audit-engine/file-manager/fileManager.js +34 -15
- package/lib/libs/audit-engine/file-manager/fileManager.js.map +1 -1
- package/lib/libs/audit-engine/file-manager/fileManager.types.d.ts +1 -0
- package/lib/libs/audit-engine/index.d.ts +72 -43
- package/lib/libs/audit-engine/registry/context.types.d.ts +8 -2
- package/lib/libs/audit-engine/registry/definitions.d.ts +73 -44
- package/lib/libs/audit-engine/registry/policies/permissionSets.js +1 -1
- package/lib/libs/audit-engine/registry/policies/permissionSets.js.map +1 -1
- package/lib/libs/audit-engine/registry/policies/profiles.js +1 -1
- package/lib/libs/audit-engine/registry/policies/profiles.js.map +1 -1
- package/lib/libs/audit-engine/registry/policies/users.js +1 -1
- package/lib/libs/audit-engine/registry/policies/users.js.map +1 -1
- package/lib/libs/audit-engine/registry/policy.js +2 -2
- package/lib/libs/audit-engine/registry/policy.js.map +1 -1
- package/lib/libs/audit-engine/registry/roles/roleManager.d.ts +3 -19
- package/lib/libs/audit-engine/registry/roles/roleManager.js +17 -29
- package/lib/libs/audit-engine/registry/roles/roleManager.js.map +1 -1
- package/lib/libs/audit-engine/registry/roles/roleManager.types.d.ts +21 -3
- package/lib/libs/audit-engine/registry/roles/userRole.d.ts +7 -6
- package/lib/libs/audit-engine/registry/roles/userRole.js +78 -31
- package/lib/libs/audit-engine/registry/roles/userRole.js.map +1 -1
- package/lib/libs/audit-engine/registry/rules/enforcePermissionPresets.js +5 -4
- package/lib/libs/audit-engine/registry/rules/enforcePermissionPresets.js.map +1 -1
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.js +3 -3
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.js.map +1 -1
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnUser.js +4 -4
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnUser.js.map +1 -1
- package/lib/libs/audit-engine/registry/shape/auditConfigShape.d.ts +71 -42
- package/lib/libs/audit-engine/registry/shape/auditConfigShape.js +26 -30
- package/lib/libs/audit-engine/registry/shape/auditConfigShape.js.map +1 -1
- package/lib/libs/audit-engine/registry/shape/schema.d.ts +77 -43
- package/lib/libs/audit-engine/registry/shape/schema.js +22 -20
- package/lib/libs/audit-engine/registry/shape/schema.js.map +1 -1
- package/lib/libs/audit-engine/registry/shape/shapeValidation.d.ts +3 -0
- package/lib/libs/audit-engine/registry/shape/shapeValidation.js +36 -7
- package/lib/libs/audit-engine/registry/shape/shapeValidation.js.map +1 -1
- package/lib/libs/conf-init/auditConfig.d.ts +1 -0
- package/lib/libs/conf-init/auditConfig.js +18 -10
- package/lib/libs/conf-init/auditConfig.js.map +1 -1
- package/lib/libs/conf-init/defaultClassifications.d.ts +5 -7
- package/lib/libs/conf-init/defaultClassifications.js +18 -28
- package/lib/libs/conf-init/defaultClassifications.js.map +1 -1
- package/lib/libs/conf-init/init.types.d.ts +7 -6
- package/lib/libs/conf-init/init.types.js.map +1 -1
- package/lib/libs/quick-scan/userPermissionScanner.js +12 -9
- package/lib/libs/quick-scan/userPermissionScanner.js.map +1 -1
- package/lib/salesforce/connection.d.ts +52 -0
- package/lib/salesforce/connection.js +130 -0
- package/lib/salesforce/connection.js.map +1 -0
- package/lib/salesforce/describes/orgDescribe.d.ts +13 -2
- package/lib/salesforce/describes/orgDescribe.js +16 -0
- package/lib/salesforce/describes/orgDescribe.js.map +1 -1
- package/lib/salesforce/index.d.ts +1 -0
- package/lib/salesforce/index.js +1 -0
- package/lib/salesforce/index.js.map +1 -1
- package/lib/salesforce/mdapi/genericSettingsMetadata.d.ts +2 -2
- package/lib/salesforce/mdapi/genericSettingsMetadata.js.map +1 -1
- package/lib/salesforce/mdapi/mdapi.d.ts +4 -4
- package/lib/salesforce/mdapi/mdapi.js +8 -8
- package/lib/salesforce/mdapi/mdapi.js.map +1 -1
- package/lib/salesforce/mdapi/metadataRegistryEntry.d.ts +3 -3
- package/lib/salesforce/mdapi/metadataRegistryEntry.js +1 -9
- package/lib/salesforce/mdapi/metadataRegistryEntry.js.map +1 -1
- package/lib/salesforce/mdapi/namedMetadataToolingQueryable.d.ts +2 -2
- package/lib/salesforce/mdapi/namedMetadataToolingQueryable.js +1 -1
- package/lib/salesforce/mdapi/namedMetadataToolingQueryable.js.map +1 -1
- package/lib/salesforce/mdapi/namedMetadataType.d.ts +2 -2
- package/lib/salesforce/mdapi/namedMetadataType.js.map +1 -1
- package/lib/salesforce/mdapi/singletonMetadataType.d.ts +2 -2
- package/lib/salesforce/mdapi/singletonMetadataType.js.map +1 -1
- package/lib/salesforce/repositories/connected-apps/connected-apps.d.ts +2 -2
- package/lib/salesforce/repositories/connected-apps/connected-apps.js.map +1 -1
- package/lib/salesforce/repositories/connected-apps/oauth-tokens.d.ts +2 -2
- package/lib/salesforce/repositories/connected-apps/oauth-tokens.js +3 -7
- package/lib/salesforce/repositories/connected-apps/oauth-tokens.js.map +1 -1
- package/lib/salesforce/repositories/perm-sets/permission-sets.d.ts +2 -2
- package/lib/salesforce/repositories/perm-sets/permission-sets.js.map +1 -1
- package/lib/salesforce/repositories/profiles/profiles.d.ts +2 -2
- package/lib/salesforce/repositories/profiles/profiles.js.map +1 -1
- package/lib/salesforce/repositories/users/users.d.ts +3 -3
- package/lib/salesforce/repositories/users/users.js +6 -6
- package/lib/salesforce/repositories/users/users.js.map +1 -1
- package/messages/auditShapeValidation.md +4 -0
- package/messages/org.audit.run.md +4 -0
- package/messages/rules.enforceClassificationPresets.md +4 -8
- package/messages/salesforceConnectionErrors.md +11 -0
- package/oclif.manifest.json +1 -1
- package/package.json +1 -1
- package/lib/libs/audit-engine/registry/helpers/permissionsScanning.d.ts +0 -37
- package/lib/libs/audit-engine/registry/helpers/permissionsScanning.js +0 -81
- package/lib/libs/audit-engine/registry/helpers/permissionsScanning.js.map +0 -1
|
@@ -1,20 +1,18 @@
|
|
|
1
1
|
import { EventEmitter } from 'node:events';
|
|
2
2
|
import { Messages } from '@salesforce/core';
|
|
3
|
-
import { PermissionRiskLevel, UserPrivilegeLevel
|
|
3
|
+
import { PermissionRiskLevel, UserPrivilegeLevel } from '../shape/schema.js';
|
|
4
4
|
import { AuditRunLifecycleBus } from '../../auditRunLifecycle.js';
|
|
5
5
|
import { newRoleFromDefinition, newRoleFromOrdinals } from './userRole.js';
|
|
6
6
|
Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
|
|
7
7
|
const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.enforceClassificationPresets');
|
|
8
8
|
export default class RoleManager extends EventEmitter {
|
|
9
|
-
|
|
10
|
-
classifications;
|
|
9
|
+
auditConfig;
|
|
11
10
|
roles = {};
|
|
12
|
-
constructor(
|
|
11
|
+
constructor(auditConfig) {
|
|
13
12
|
super();
|
|
14
|
-
this.
|
|
15
|
-
this.
|
|
16
|
-
|
|
17
|
-
for (const [roleName, roleDef] of Object.entries(this.definitions)) {
|
|
13
|
+
this.auditConfig = auditConfig;
|
|
14
|
+
if (this.auditConfig.controls.roles) {
|
|
15
|
+
for (const [roleName] of Object.entries(this.auditConfig.controls.roles)) {
|
|
18
16
|
const normalizedName = normalize(roleName);
|
|
19
17
|
if (this.roles[normalizedName]) {
|
|
20
18
|
AuditRunLifecycleBus.emitResolveWarn(messages.getMessage('DuplicateRoleAfterNormalization', [
|
|
@@ -23,13 +21,13 @@ export default class RoleManager extends EventEmitter {
|
|
|
23
21
|
]));
|
|
24
22
|
}
|
|
25
23
|
else {
|
|
26
|
-
this.roles[normalizedName] = newRoleFromDefinition(roleName,
|
|
24
|
+
this.roles[normalizedName] = newRoleFromDefinition(roleName, this.auditConfig);
|
|
27
25
|
}
|
|
28
26
|
}
|
|
29
27
|
}
|
|
30
28
|
else {
|
|
31
29
|
for (const legacyRole of Object.values(UserPrivilegeLevel)) {
|
|
32
|
-
this.roles[normalize(legacyRole)] = newRoleFromOrdinals(legacyRole, this.
|
|
30
|
+
this.roles[normalize(legacyRole)] = newRoleFromOrdinals(legacyRole, this.auditConfig.shape?.userPermissions);
|
|
33
31
|
}
|
|
34
32
|
}
|
|
35
33
|
}
|
|
@@ -53,17 +51,6 @@ export default class RoleManager extends EventEmitter {
|
|
|
53
51
|
userPermsResult.warnings.push(...customPermsResult.warnings);
|
|
54
52
|
return userPermsResult;
|
|
55
53
|
}
|
|
56
|
-
/**
|
|
57
|
-
* Checks if a role allows a certain classifcation level. If the role is
|
|
58
|
-
* not configured or unknown, always returns false.
|
|
59
|
-
*
|
|
60
|
-
* @param roleName
|
|
61
|
-
* @param permission
|
|
62
|
-
* @returns
|
|
63
|
-
*/
|
|
64
|
-
allowsPermission(roleName, permission) {
|
|
65
|
-
return this.getRole(roleName).isAllowed(permission);
|
|
66
|
-
}
|
|
67
54
|
/**
|
|
68
55
|
* Checks if a given role name is a valid role for the context
|
|
69
56
|
* of the current audit run.
|
|
@@ -101,11 +88,12 @@ export default class RoleManager extends EventEmitter {
|
|
|
101
88
|
throw messages.createError('TriedToAccessRoleThatDoesNotExist', [roleName]);
|
|
102
89
|
}
|
|
103
90
|
// PRIVATE ZONE
|
|
104
|
-
scanPermissions(profile,
|
|
91
|
+
scanPermissions(profile, permissionType, rootIdentifier) {
|
|
105
92
|
const result = { warnings: [], violations: [] };
|
|
106
|
-
|
|
93
|
+
const role = this.getRole(profile.role);
|
|
94
|
+
for (const perm of profile.metadata[permissionType]) {
|
|
107
95
|
const identifier = rootIdentifier ? [...rootIdentifier, profile.name, perm.name] : [profile.name, perm.name];
|
|
108
|
-
const permClassification = this.resolvePerm(perm.name,
|
|
96
|
+
const permClassification = this.resolvePerm(perm.name, permissionType);
|
|
109
97
|
if (permClassification) {
|
|
110
98
|
if (permClassification.classification === PermissionRiskLevel.BLOCKED) {
|
|
111
99
|
result.violations.push({
|
|
@@ -113,7 +101,7 @@ export default class RoleManager extends EventEmitter {
|
|
|
113
101
|
message: messages.getMessage('violations.permission-is-blocked'),
|
|
114
102
|
});
|
|
115
103
|
}
|
|
116
|
-
else if (!
|
|
104
|
+
else if (!role.isAllowed({ name: permClassification.name, type: permissionType })) {
|
|
117
105
|
result.violations.push({
|
|
118
106
|
identifier,
|
|
119
107
|
message: messages.getMessage('violations.classification-preset-mismatch', [
|
|
@@ -147,14 +135,14 @@ export default class RoleManager extends EventEmitter {
|
|
|
147
135
|
}
|
|
148
136
|
}
|
|
149
137
|
resolveUserPerm(permName) {
|
|
150
|
-
if (this.
|
|
151
|
-
return nameClassification(permName, this.
|
|
138
|
+
if (this.auditConfig.shape?.userPermissions) {
|
|
139
|
+
return nameClassification(permName, this.auditConfig.shape.userPermissions[permName]);
|
|
152
140
|
}
|
|
153
141
|
return undefined;
|
|
154
142
|
}
|
|
155
143
|
resolveCustomPerm(permName) {
|
|
156
|
-
if (this.
|
|
157
|
-
return nameClassification(permName, this.
|
|
144
|
+
if (this.auditConfig.shape?.customPermissions) {
|
|
145
|
+
return nameClassification(permName, this.auditConfig.shape.customPermissions[permName]);
|
|
158
146
|
}
|
|
159
147
|
return undefined;
|
|
160
148
|
}
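Review bot: In scanPermissions the new loop `for (const perm of profile.metadata[permissionType])` has no guard for a missing list; if the profile-like metadata omits `customPermissions` or `userPermissions` when an entity has none (I cannot see from here how `metadata` is populated), `for...of undefined` throws a TypeError and aborts the rule instead of reporting zero findings, so `for (const perm of profile.metadata[permissionType] ?? []) {` is the safer form. In the constructor's legacy branch, `newRoleFromOrdinals` receives only `shape?.userPermissions` and builds the role with an empty custom-permission set, so once `shape.customPermissions` is configured every classified custom permission on a profile is reported as a classification-preset mismatch; please confirm that is intended for ordinal roles. Minor: `for (const [roleName] of Object.entries(this.auditConfig.controls.roles))` only uses the key, so `for (const roleName of Object.keys(this.auditConfig.controls.roles))` reads more directly. scanPermissions continues past the hunk that changes it.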
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"roleManager.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/roles/roleManager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,
|
|
1
|
+
{"version":3,"file":"roleManager.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/roles/roleManager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAA6B,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxG,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AASlE,OAAiB,EAAE,qBAAqB,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAC;AAErF,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,oCAAoC,CAAC,CAAC;AAEnH,MAAM,CAAC,OAAO,OAAO,WAAY,SAAQ,YAAY;IAGf;IAF5B,KAAK,GAA6B,EAAE,CAAC;IAE7C,YAAoC,WAA8B;QAChE,KAAK,EAAE,CAAC;QAD0B,gBAAW,GAAX,WAAW,CAAmB;QAEhE,IAAI,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;YACpC,KAAK,MAAM,CAAC,QAAQ,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;gBACzE,MAAM,cAAc,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;gBAC3C,IAAI,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,EAAE,CAAC;oBAC/B,oBAAoB,CAAC,eAAe,CAClC,QAAQ,CAAC,UAAU,CAAC,iCAAiC,EAAE;wBACrD,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,QAAQ;wBACnC,cAAc;qBACf,CAAC,CACH,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACN,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,GAAG,qBAAqB,CAAC,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;gBACjF,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,KAAK,MAAM,UAAU,IAAI,MAAM,CAAC,MAAM,CAAC,kBAAkB,CAAC,EAAE,CAAC;gBAC3D,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,GAAG,mBAAmB,CAAC,UAAU,EAAE,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;YAC/G,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;;;;;;;OASG;IACI,eAAe,CAAC,WAAgC,EAAE,cAAyB;QAChF,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,CAAC;YAC1B,OAAO,EAAE,UAAU,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;QAC1C,CAAC;QACD,MAAM,eAAe,GAAG,IAAI,CAAC,eAAe,CAAC,WAAW,EAAE,iBAAiB,EAAE,cAAc,CAAC,CAAC;QAC7F,MAAM,iBAAiB,GAAG,IAAI,CAAC,eAAe,CAAC,WAAW,EAAE,mBAAmB,EAAE,cAAc,CAAC,CAAC;QACjG,eAAe,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,UAAU,CAAC,CAAC;QACjE,eAAe,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;QAC7D,OAAO,eAAe,CAAC;IACzB,CAAC;IAED;;;;;;OAMG;IACI,WAAW,CAAC,QAAgB;QACjC,MAAM,kBAAkB,GAAG,SAAS
,CAAC,QAAQ,CAAC,CAAC;QAC/C,OAAO,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC,CAAC;IACjD,CAAC;IAED;;;;;;OAMG;IACI,OAAO,CAAC,YAAoB,EAAE,eAAuB;QAC1D,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAC5C,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QAChD,OAAO,QAAQ,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;IACzC,CAAC;IAED;;;;;OAKG;IACI,OAAO,CAAC,QAAgB;QAC7B,MAAM,kBAAkB,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;QAC/C,IAAI,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,EAAE,CAAC;YACnC,OAAO,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;QACxC,CAAC;QACD,MAAM,QAAQ,CAAC,WAAW,CAAC,mCAAmC,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC9E,CAAC;IAED,wBAAwB;IAEhB,eAAe,CACrB,OAA4B,EAC5B,cAAkC,EAClC,cAAyB;QAEzB,MAAM,MAAM,GAAe,EAAE,QAAQ,EAAE,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;QAC5D,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACxC,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;YACpD,MAAM,UAAU,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC,GAAG,cAAc,EAAE,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;YAC7G,MAAM,kBAAkB,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;YACvE,IAAI,kBAAkB,EAAE,CAAC;gBACvB,IAAI,kBAAkB,CAAC,cAAc,KAAK,mBAAmB,CAAC,OAAO,EAAE,CAAC;oBACtE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;wBACrB,UAAU;wBACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,kCAAkC,CAAC;qBACjE,CAAC,CAAC;gBACL,CAAC;qBAAM,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,kBAAkB,CAAC,IAAI,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,EAAE,CAAC;oBACpF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;wBACrB,UAAU;wBACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,2CAA2C,EAAE;4BACxE,kBAAkB,CAAC,cAAc;4BACjC,OAAO,CAAC,IAAI;yBACb,CAAC;qBACH,CAAC,CAAC;gBACL,CAAC;qBAAM,IAAI,kBAAkB,CAAC,cAAc,KAAK,mBAAmB,CAAC,OAAO,EAAE,CAAC;oBAC7E,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;wBACnB,UAAU;wBACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,6BAA6B,CAAC;qBAC5D,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;oBACnB,UAAU;oBACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,oCAAoC,CAAC;iBACnE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,WAAW,CAAC,QAAgB,EAAE,QAA4B;QAChE
,IAAI,QAAQ,KAAK,iBAAiB,EAAE,CAAC;YACnC,OAAO,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;QACxC,CAAC;aAAM,IAAI,QAAQ,KAAK,mBAAmB,EAAE,CAAC;YAC5C,OAAO,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC;IAEO,eAAe,CAAC,QAAgB;QACtC,IAAI,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,eAAe,EAAE,CAAC;YAC5C,OAAO,kBAAkB,CAAC,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC,CAAC;QACxF,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAEO,iBAAiB,CAAC,QAAgB;QACxC,IAAI,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,iBAAiB,EAAE,CAAC;YAC9C,OAAO,kBAAkB,CAAC,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC,CAAC;QAC1F,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;CACF;AAED,SAAS,kBAAkB,CACzB,QAAgB,EAChB,IAA0C;IAE1C,OAAO,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;AACxD,CAAC;AAED,SAAS,SAAS,CAAC,QAAgB;IACjC,OAAO,QAAQ,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;AACrD,CAAC"}
|
|
@@ -1,6 +1,20 @@
|
|
|
1
1
|
import { Profile } from '@jsforce/jsforce-node/lib/api/metadata.js';
|
|
2
2
|
import { PolicyRuleViolation, RuleComponentMessage } from '../result.types.js';
|
|
3
|
-
import { PermissionClassifications } from '../shape/schema.js';
|
|
3
|
+
import { ComposableRolesControl, PermissionClassifications, ResolvedRoleDefinition, PermissionControls } from '../shape/schema.js';
|
|
4
|
+
export type RoleManagerConfig = {
|
|
5
|
+
controls: {
|
|
6
|
+
roles?: ComposableRolesControl;
|
|
7
|
+
permissions?: PermissionControls;
|
|
8
|
+
};
|
|
9
|
+
shape: {
|
|
10
|
+
userPermissions?: PermissionClassifications;
|
|
11
|
+
customPermissions?: PermissionClassifications;
|
|
12
|
+
};
|
|
13
|
+
};
|
|
14
|
+
export type OrgAuditShape = RoleManagerConfig['shape'];
|
|
15
|
+
export type OrgAuditControls = RoleManagerConfig['controls'];
|
|
16
|
+
export type ComposableRoleDefinition = ComposableRolesControl['string'];
|
|
17
|
+
export type DefinitiveRoleDefinition = Required<ResolvedRoleDefinition>;
|
|
4
18
|
export type ResolvedProfileLike = {
|
|
5
19
|
name: string;
|
|
6
20
|
role: string;
|
|
@@ -33,11 +47,15 @@ export type IUserRole = {
|
|
|
33
47
|
isAllowed(perm: Partial<NamedPermissionClassification>): boolean;
|
|
34
48
|
compareWith(otherRole: IUserRole): UserRoleCompareResult;
|
|
35
49
|
};
|
|
36
|
-
export type PartialProfileLike = Pick<Profile,
|
|
50
|
+
export type PartialProfileLike = Pick<Profile, PermissionsListKey>;
|
|
51
|
+
export type TypedPermission = {
|
|
52
|
+
type: PermissionsListKey;
|
|
53
|
+
name: string;
|
|
54
|
+
};
|
|
37
55
|
/**
|
|
38
56
|
* Moves the "name" from the classifications map to object prop
|
|
39
57
|
*/
|
|
40
58
|
export type NamedPermissionClassification = PermissionClassifications['string'] & {
|
|
41
59
|
name: string;
|
|
42
60
|
};
|
|
43
|
-
export type PermissionsListKey =
|
|
61
|
+
export type PermissionsListKey = 'userPermissions' | 'customPermissions';
|
|
@@ -1,12 +1,13 @@
|
|
|
1
|
-
import { PermissionClassifications,
|
|
2
|
-
import { UserRoleCompareResult } from './roleManager.types.js';
|
|
1
|
+
import { PermissionClassifications, UserPrivilegeLevel } from '../shape/schema.js';
|
|
2
|
+
import { RoleManagerConfig, TypedPermission, UserRoleCompareResult } from './roleManager.types.js';
|
|
3
3
|
export default class UserRole {
|
|
4
4
|
roleName: string;
|
|
5
|
-
private
|
|
5
|
+
private allowedUserPermissions;
|
|
6
|
+
private allowedCustomPermissions;
|
|
6
7
|
private roleOrdinalValue?;
|
|
7
|
-
constructor(roleName: string,
|
|
8
|
-
isAllowed(
|
|
8
|
+
constructor(roleName: string, allowedUserPermissions: Set<string>, allowedCustomPermissions: Set<string>, roleOrdinalValue?: number | undefined);
|
|
9
|
+
isAllowed(permission: TypedPermission): boolean;
|
|
9
10
|
compareWith(otherRole: UserRole): UserRoleCompareResult;
|
|
10
11
|
}
|
|
11
|
-
export declare function newRoleFromDefinition(roleName: string,
|
|
12
|
+
export declare function newRoleFromDefinition(roleName: string, config: RoleManagerConfig): UserRole;
|
|
12
13
|
export declare function newRoleFromOrdinals(roleName: UserPrivilegeLevel, perms?: PermissionClassifications): UserRole;
|
|
@@ -1,26 +1,37 @@
|
|
|
1
|
-
import {
|
|
1
|
+
import { merge } from '@salesforce/kit';
|
|
2
|
+
import { Messages } from '@salesforce/core';
|
|
3
|
+
import { PermissionRiskLevel, UserPrivilegeLevel, isPermissionControl, } from '../shape/schema.js';
|
|
4
|
+
Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
|
|
5
|
+
const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.enforceClassificationPresets');
|
|
2
6
|
export default class UserRole {
|
|
3
7
|
roleName;
|
|
4
|
-
|
|
8
|
+
allowedUserPermissions;
|
|
9
|
+
allowedCustomPermissions;
|
|
5
10
|
roleOrdinalValue;
|
|
6
|
-
constructor(roleName,
|
|
11
|
+
constructor(roleName, allowedUserPermissions, allowedCustomPermissions, roleOrdinalValue) {
|
|
7
12
|
this.roleName = roleName;
|
|
8
|
-
this.
|
|
13
|
+
this.allowedUserPermissions = allowedUserPermissions;
|
|
14
|
+
this.allowedCustomPermissions = allowedCustomPermissions;
|
|
9
15
|
this.roleOrdinalValue = roleOrdinalValue;
|
|
10
16
|
}
|
|
11
|
-
isAllowed(
|
|
12
|
-
|
|
17
|
+
isAllowed(permission) {
|
|
18
|
+
if (permission.type === 'customPermissions') {
|
|
19
|
+
return this.allowedCustomPermissions.has(permission.name);
|
|
20
|
+
}
|
|
21
|
+
else {
|
|
22
|
+
return this.allowedUserPermissions.has(permission.name);
|
|
23
|
+
}
|
|
13
24
|
}
|
|
14
25
|
compareWith(otherRole) {
|
|
15
26
|
const missingPermsInOther = new Array();
|
|
16
27
|
const missingPermsInThis = new Array();
|
|
17
28
|
const isOrdinallyHigher = this.roleOrdinalValue && otherRole.roleOrdinalValue ? this.roleOrdinalValue >= otherRole.roleOrdinalValue : true;
|
|
18
|
-
const merged = new Set([...this.
|
|
29
|
+
const merged = new Set([...this.allowedUserPermissions, ...otherRole.allowedUserPermissions]);
|
|
19
30
|
for (const perm of merged) {
|
|
20
|
-
if (!this.
|
|
31
|
+
if (!this.allowedUserPermissions.has(perm)) {
|
|
21
32
|
missingPermsInThis.push(perm);
|
|
22
33
|
}
|
|
23
|
-
if (!otherRole.
|
|
34
|
+
if (!otherRole.allowedUserPermissions.has(perm)) {
|
|
24
35
|
missingPermsInOther.push(perm);
|
|
25
36
|
}
|
|
26
37
|
}
|
|
@@ -31,31 +42,16 @@ export default class UserRole {
|
|
|
31
42
|
};
|
|
32
43
|
}
|
|
33
44
|
}
|
|
34
|
-
export function newRoleFromDefinition(roleName,
|
|
35
|
-
const
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
}
|
|
40
|
-
}
|
|
41
|
-
if (perms) {
|
|
42
|
-
for (const [permName, permDef] of Object.entries(perms)) {
|
|
43
|
-
if (roleDef.allowedClassifications && roleDef.allowedClassifications.includes(permDef.classification)) {
|
|
44
|
-
allAllowed.add(permName);
|
|
45
|
-
}
|
|
46
|
-
}
|
|
47
|
-
}
|
|
48
|
-
if (roleDef.deniedPermissions) {
|
|
49
|
-
for (const permName of roleDef.deniedPermissions) {
|
|
50
|
-
allAllowed.delete(permName);
|
|
51
|
-
}
|
|
52
|
-
}
|
|
53
|
-
return new UserRole(roleName, allAllowed);
|
|
45
|
+
export function newRoleFromDefinition(roleName, config) {
|
|
46
|
+
const { permissions } = resolveRole(roleName, config.controls);
|
|
47
|
+
const userPerms = buildAllowedPerms(permissions?.userPermissions, config.shape.userPermissions, permissions?.allowedClassifications);
|
|
48
|
+
const customPerms = buildAllowedPerms(permissions?.customPermissions, config.shape.customPermissions, permissions?.allowedClassifications);
|
|
49
|
+
return new UserRole(roleName, userPerms, customPerms);
|
|
54
50
|
}
|
|
55
51
|
export function newRoleFromOrdinals(roleName, perms) {
|
|
56
52
|
const roleOrdinalValue = resolvePresetOrdinalValue(roleName);
|
|
57
53
|
if (!perms || roleName === UserPrivilegeLevel.UNKNOWN) {
|
|
58
|
-
return new UserRole(roleName, new Set(), roleOrdinalValue);
|
|
54
|
+
return new UserRole(roleName, new Set(), new Set(), roleOrdinalValue);
|
|
59
55
|
}
|
|
60
56
|
const allAllowed = new Set();
|
|
61
57
|
for (const [permName, permDef] of Object.entries(perms)) {
|
|
@@ -63,7 +59,7 @@ export function newRoleFromOrdinals(roleName, perms) {
|
|
|
63
59
|
allAllowed.add(permName);
|
|
64
60
|
}
|
|
65
61
|
}
|
|
66
|
-
return new UserRole(roleName, allAllowed, roleOrdinalValue);
|
|
62
|
+
return new UserRole(roleName, allAllowed, new Set(), roleOrdinalValue);
|
|
67
63
|
}
|
|
68
64
|
function resolvePresetOrdinalValue(value) {
|
|
69
65
|
const indexOfValue = Object.values(UserPrivilegeLevel).indexOf(value);
|
|
@@ -72,4 +68,55 @@ function resolvePresetOrdinalValue(value) {
|
|
|
72
68
|
function resolveRiskLevelOrdinalValue(value) {
|
|
73
69
|
return Object.keys(PermissionRiskLevel).length - Object.keys(PermissionRiskLevel).indexOf(value.toUpperCase());
|
|
74
70
|
}
|
|
71
|
+
function resolveRole(roleName, controls) {
|
|
72
|
+
const rawRoleDef = controls.roles?.[roleName];
|
|
73
|
+
if (!rawRoleDef) {
|
|
74
|
+
throw messages.createError('TriedToAccessRoleThatDoesNotExist', [roleName]);
|
|
75
|
+
}
|
|
76
|
+
const permissions = {};
|
|
77
|
+
if (isPermissionControl(rawRoleDef.permissions)) {
|
|
78
|
+
merge(permissions, rawRoleDef.permissions);
|
|
79
|
+
}
|
|
80
|
+
else {
|
|
81
|
+
for (const permRef of rawRoleDef.permissions ?? []) {
|
|
82
|
+
const referencedPerm = controls.permissions?.[permRef];
|
|
83
|
+
if (referencedPerm) {
|
|
84
|
+
merge(permissions, referencedPerm);
|
|
85
|
+
}
|
|
86
|
+
else {
|
|
87
|
+
throw messages.createError('RoleReferencesPermissionThatDoesNotExist', [roleName, permRef]);
|
|
88
|
+
}
|
|
89
|
+
}
|
|
90
|
+
}
|
|
91
|
+
return { permissions };
|
|
92
|
+
}
|
|
93
|
+
function buildAllowedPerms(rolePermDef, permClassifications, allowedClassifications) {
|
|
94
|
+
const allowedPerms = new Set();
|
|
95
|
+
if (allowedClassifications && permClassifications) {
|
|
96
|
+
for (const [permName, permDef] of Object.entries(permClassifications)) {
|
|
97
|
+
if (allowedClassifications.includes(permDef.classification)) {
|
|
98
|
+
allowedPerms.add(permName);
|
|
99
|
+
}
|
|
100
|
+
}
|
|
101
|
+
}
|
|
102
|
+
if (!rolePermDef) {
|
|
103
|
+
return allowedPerms;
|
|
104
|
+
}
|
|
105
|
+
if (rolePermDef.allowed) {
|
|
106
|
+
for (const permName of rolePermDef.allowed) {
|
|
107
|
+
allowedPerms.add(permName);
|
|
108
|
+
}
|
|
109
|
+
}
|
|
110
|
+
if (rolePermDef.required) {
|
|
111
|
+
for (const permName of rolePermDef.required) {
|
|
112
|
+
allowedPerms.add(permName);
|
|
113
|
+
}
|
|
114
|
+
}
|
|
115
|
+
if (rolePermDef.denied) {
|
|
116
|
+
for (const permName of rolePermDef.denied) {
|
|
117
|
+
allowedPerms.delete(permName);
|
|
118
|
+
}
|
|
119
|
+
}
|
|
120
|
+
return allowedPerms;
|
|
121
|
+
}
|
|
75
122
|
//# sourceMappingURL=userRole.js.map
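Review bot: In resolveRole, composing a role from several permission references with `merge(permissions, referencedPerm)` does not union the lists: `merge` from @salesforce/kit wraps lodash merge, which merges arrays index by index, so the `allowed`, `required`, `denied` and `allowedClassifications` entries of a later reference overwrite the same positions of an earlier one. For an audit rule that is silent data loss in the wrong direction — a `denied` entry of the first preset can be replaced by a shorter `denied` list of the second, and buildAllowedPerms then leaves that permission allowed. If composition is meant to be additive, replace the two `merge` calls with a small union helper over the list fields (below); the `merge` import then becomes unused. Related: newRoleFromDefinition reads `config.shape.userPermissions` and `config.shape.customPermissions` without optional chaining, while RoleManager guards the same object with `shape?.`, so a config with `controls.roles` but no `shape` would throw a TypeError here rather than resolve to empty sets. Secondary: compareWith still compares only `allowedUserPermissions`, so two roles that differ only in custom permissions compare as equivalent; worth confirming callers expect that.
```javascript
function resolveRole(roleName, controls) {
  // … unchanged: rawRoleDef lookup and TriedToAccessRoleThatDoesNotExist …
  const permissions = {};
  if (isPermissionControl(rawRoleDef.permissions)) {
    unionPermissionControls(permissions, rawRoleDef.permissions);
  }
  else {
    for (const permRef of rawRoleDef.permissions ?? []) {
      const referencedPerm = controls.permissions?.[permRef];
      if (referencedPerm) {
        unionPermissionControls(permissions, referencedPerm);
      }
      // … unchanged: else branch throwing RoleReferencesPermissionThatDoesNotExist …
    }
  }
  return { permissions };
}
/**
 * Unions the list fields of `source` into `target` (allowedClassifications and the
 * allowed/required/denied lists of userPermissions and customPermissions), so that
 * composing several permission controls never drops an entry of an earlier one.
 */
function unionPermissionControls(target, source) {
  if (source.allowedClassifications) {
    target.allowedClassifications = [...new Set([...(target.allowedClassifications ?? []), ...source.allowedClassifications])];
  }
  for (const listKey of ['userPermissions', 'customPermissions']) {
    if (!source[listKey]) {
      continue;
    }
    target[listKey] ??= {};
    for (const field of ['allowed', 'required', 'denied']) {
      if (source[listKey][field]) {
        target[listKey][field] = [...new Set([...(target[listKey][field] ?? []), ...source[listKey][field]])];
      }
    }
  }
  return target;
}
```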
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"userRole.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/roles/userRole.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,mBAAmB,
|
|
1
|
+
{"version":3,"file":"userRole.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/roles/userRole.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,iBAAiB,CAAC;AACxC,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAEL,mBAAmB,EACnB,kBAAkB,EAClB,mBAAmB,GAEpB,MAAM,oBAAoB,CAAC;AAS5B,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,oCAAoC,CAAC,CAAC;AAEnH,MAAM,CAAC,OAAO,OAAO,QAAQ;IAElB;IACC;IACA;IACA;IAJV,YACS,QAAgB,EACf,sBAAmC,EACnC,wBAAqC,EACrC,gBAAyB;QAH1B,aAAQ,GAAR,QAAQ,CAAQ;QACf,2BAAsB,GAAtB,sBAAsB,CAAa;QACnC,6BAAwB,GAAxB,wBAAwB,CAAa;QACrC,qBAAgB,GAAhB,gBAAgB,CAAS;IAChC,CAAC;IAEG,SAAS,CAAC,UAA2B;QAC1C,IAAI,UAAU,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;YAC5C,OAAO,IAAI,CAAC,wBAAwB,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QAC5D,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,CAAC,sBAAsB,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;IAEM,WAAW,CAAC,SAAmB;QACpC,MAAM,mBAAmB,GAAG,IAAI,KAAK,EAAU,CAAC;QAChD,MAAM,kBAAkB,GAAG,IAAI,KAAK,EAAU,CAAC;QAC/C,MAAM,iBAAiB,GACrB,IAAI,CAAC,gBAAgB,IAAI,SAAS,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,gBAAgB,IAAI,SAAS,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC;QACnH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,sBAAsB,EAAE,GAAG,SAAS,CAAC,sBAAsB,CAAC,CAAC,CAAC;QAC9F,KAAK,MAAM,IAAI,IAAI,MAAM,EAAE,CAAC;YAC1B,IAAI,CAAC,IAAI,CAAC,sBAAsB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC3C,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAChC,CAAC;YACD,IAAI,CAAC,SAAS,CAAC,sBAAsB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChD,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,CAAC;QACH,CAAC;QACD,OAAO;YACL,UAAU,EAAE,kBAAkB,CAAC,MAAM,KAAK,CAAC,IAAI,iBAAiB;YAChE,kBAAkB;YAClB,mBAAmB;SACpB,CAAC;IACJ,CAAC;CACF;AAED,MAAM,UAAU,qBAAqB,CAAC,QAAgB,EAAE,MAAyB;IAC/E,MAAM,EAAE,WAAW,EAAE,GAAG,WAAW,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAC/D,MAAM,SAAS,GAAG,iBAAiB,CACjC,WAAW,EAAE,eAAe,EAC5B,MAAM,CAAC,KAAK,CAAC,eAAe,EAC5B,WAAW,EAAE,sBAAsB,CACpC,CAAC;IACF,MAAM,WAAW,GAAG,iBAAiB,CACnC,WAAW,EAAE,iBAAiB,EAC9B,MAAM,CAAC,KAAK,CAAC,iB
AAiB,EAC9B,WAAW,EAAE,sBAAsB,CACpC,CAAC;IAEF,OAAO,IAAI,QAAQ,CAAC,QAAQ,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;AACxD,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,QAA4B,EAAE,KAAiC;IACjG,MAAM,gBAAgB,GAAG,yBAAyB,CAAC,QAAQ,CAAC,CAAC;IAC7D,IAAI,CAAC,KAAK,IAAI,QAAQ,KAAK,kBAAkB,CAAC,OAAO,EAAE,CAAC;QACtD,OAAO,IAAI,QAAQ,CAAC,QAAQ,EAAE,IAAI,GAAG,EAAU,EAAE,IAAI,GAAG,EAAU,EAAE,gBAAgB,CAAC,CAAC;IACxF,CAAC;IACD,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IACrC,KAAK,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACxD,IAAI,gBAAgB,IAAI,4BAA4B,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;YAC7E,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC3B,CAAC;IACH,CAAC;IACD,OAAO,IAAI,QAAQ,CAAC,QAAQ,EAAE,UAAU,EAAE,IAAI,GAAG,EAAU,EAAE,gBAAgB,CAAC,CAAC;AACjF,CAAC;AAED,SAAS,yBAAyB,CAAC,KAAyB;IAC1D,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IACtE,OAAO,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,MAAM,GAAG,YAAY,CAAC;AAC/D,CAAC;AAED,SAAS,4BAA4B,CAAC,KAAa;IACjD,OAAO,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC;AACjH,CAAC;AAED,SAAS,WAAW,CAAC,QAAgB,EAAE,QAA0B;IAC/D,MAAM,UAAU,GAAG,QAAQ,CAAC,KAAK,EAAE,CAAC,QAAQ,CAAC,CAAC;IAC9C,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,QAAQ,CAAC,WAAW,CAAC,mCAAmC,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC9E,CAAC;IACD,MAAM,WAAW,GAAG,EAAE,CAAC;IACvB,IAAI,mBAAmB,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QAChD,KAAK,CAAC,WAAW,EAAE,UAAU,CAAC,WAAW,CAAC,CAAC;IAC7C,CAAC;SAAM,CAAC;QACN,KAAK,MAAM,OAAO,IAAI,UAAU,CAAC,WAAW,IAAI,EAAE,EAAE,CAAC;YACnD,MAAM,cAAc,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,CAAC;YACvD,IAAI,cAAc,EAAE,CAAC;gBACnB,KAAK,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC;YACrC,CAAC;iBAAM,CAAC;gBACN,MAAM,QAAQ,CAAC,WAAW,CAAC,0CAA0C,EAAE,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC;YAC9F,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,EAAE,WAAW,EAAE,CAAC;AACzB,CAAC;AAED,SAAS,iBAAiB,CACxB,WAAsC,EACtC,mBAA+C,EAC/C,sBAAiC;IAEjC,MAAM,YAAY,GAAG,IAAI,GAAG,EAAU,CAAC;IACvC,IAAI,sBAAsB,IAAI,mBAAmB,EAAE,CAAC;QAClD,KAAK,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO
,CAAC,mBAAmB,CAAC,EAAE,CAAC;YACtE,IAAI,sBAAsB,CAAC,QAAQ,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;gBAC5D,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAC7B,CAAC;QACH,CAAC;IACH,CAAC;IACD,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,YAAY,CAAC;IACtB,CAAC;IACD,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;QACxB,KAAK,MAAM,QAAQ,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;YAC3C,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IACD,IAAI,WAAW,CAAC,QAAQ,EAAE,CAAC;QACzB,KAAK,MAAM,QAAQ,IAAI,WAAW,CAAC,QAAQ,EAAE,CAAC;YAC5C,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IACD,IAAI,WAAW,CAAC,MAAM,EAAE,CAAC;QACvB,KAAK,MAAM,QAAQ,IAAI,WAAW,CAAC,MAAM,EAAE,CAAC;YAC1C,YAAY,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;IACD,OAAO,YAAY,CAAC;AACtB,CAAC"}
|
|
@@ -9,8 +9,9 @@ export default class EnforcePermissionPresets extends PolicyRule {
|
|
|
9
9
|
roleManager;
|
|
10
10
|
constructor(opts) {
|
|
11
11
|
super(opts);
|
|
12
|
-
this.roleManager = new RoleManager(
|
|
13
|
-
|
|
12
|
+
this.roleManager = new RoleManager({
|
|
13
|
+
controls: opts.auditConfig.controls,
|
|
14
|
+
shape: opts.auditConfig.shape,
|
|
14
15
|
});
|
|
15
16
|
}
|
|
16
17
|
run(context) {
|
|
@@ -29,10 +30,10 @@ export default class EnforcePermissionPresets extends PolicyRule {
|
|
|
29
30
|
return Promise.resolve(result);
|
|
30
31
|
}
|
|
31
32
|
resolveProfileRole(profileName) {
|
|
32
|
-
return this.auditConfig.
|
|
33
|
+
return this.auditConfig.inventory.profiles?.[profileName]?.role;
|
|
33
34
|
}
|
|
34
35
|
resolvePermissionSetRole(permsetName) {
|
|
35
|
-
return this.auditConfig.
|
|
36
|
+
return this.auditConfig.inventory.permissionSets?.[permsetName]?.role;
|
|
36
37
|
}
|
|
37
38
|
auditPermissionsEntity(result, user, entityType, entityIdentifier, entityPreset) {
|
|
38
39
|
if (entityPreset) {
|
|
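Review bot: `resolveProfileRole` and `resolvePermissionSetRole` optional-chain `profiles`/`permissionSets` and the looked-up entry but not `inventory` itself, so a config with no `inventory` block throws a TypeError at these lines while a missing `profiles` map silently yields `undefined`; the two cases should be treated alike. If an absent inventory is legal the chain should cover it, `return this.auditConfig.inventory?.profiles?.[profileName]?.role;` (and the same for permission sets); if it is not, validating `auditConfig.inventory` once in the constructor would be clearer than relying on the chain to fail. Both methods index a plain object with a caller-supplied name, so a name that collides with an `Object.prototype` member (`constructor`, `toString`) resolves to the inherited property instead of a miss; the result happens to be `undefined` today, but an `Object.hasOwn(profiles, profileName)` guard would make that explicit rather than accidental. `auditPermissionsEntity` begins at the end of the hunk and continues outside it.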
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"enforcePermissionPresets.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionPresets.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAElD,OAAO,WAAW,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,aAAa,CAAC,CAAC;AAE5F,MAAM,CAAC,OAAO,OAAO,wBAAyB,SAAQ,UAAwB;IAC3D,WAAW,CAAC;IAE7B,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;QACZ,IAAI,CAAC,WAAW,GAAG,IAAI,WAAW,CAAC,
|
|
1
|
+
{"version":3,"file":"enforcePermissionPresets.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionPresets.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAElD,OAAO,WAAW,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,aAAa,CAAC,CAAC;AAE5F,MAAM,CAAC,OAAO,OAAO,wBAAyB,SAAQ,UAAwB;IAC3D,WAAW,CAAC;IAE7B,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;QACZ,IAAI,CAAC,WAAW,GAAG,IAAI,WAAW,CAAC;YACjC,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,QAAQ;YACnC,KAAK,EAAE,IAAI,CAAC,WAAW,CAAC,KAAK;SAC9B,CAAC,CAAC;IACL,CAAC;IAEM,GAAG,CAAC,OAAuC;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,KAAK,GAAG,OAAO,CAAC,gBAAgB,CAAC;QACvC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;YACxC,MAAM,WAAW,GAAG,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC9D,IAAI,CAAC,sBAAsB,CAAC,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;YACpF,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;gBACrB,KAAK,MAAM,UAAU,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;oBAC1C,MAAM,WAAW,GAAG,IAAI,CAAC,wBAAwB,CAAC,UAAU,CAAC,uBAAuB,CAAC,CAAC;oBACtF,IAAI,CAAC,sBAAsB,CAAC,MAAM,EAAE,IAAI,EAAE,gBAAgB,EAAE,UAAU,CAAC,uBAAuB,EAAE,WAAW,CAAC,CAAC;gBAC/G,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;IAEO,kBAAkB,CAAC,WAAmB;QAC5C,OAAO,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,QAAQ,EAAE,CAAC,WAAW,CAAC,EAAE,IAAI,CAAC;IAClE,CAAC;IAEO,wBAAwB,CAAC,WAAmB;QAClD,OAAO,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,cAAc,EAAE,CAAC,WAAW,CAAC,EAAE,IAAI,CAAC;IACxE,CAAC;IAEO,sBAAsB,CAC5B,MAA+B,EAC/B,IAAkB,EAClB,UAAkB,EAClB,gBAAwB,EACxB,YAAqB;QAErB,IAAI,YAAY,EAAE,CAAC;YACjB,IAAI,YAAY,KAAK,kBAAkB,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC;gBAC3D,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;oBACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,CAAC;oBAC7C,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,oCAAoC,EAAE,CAAC,UAAU,CAAC,UAA
U,CAAC,CAAC,CAAC;iBAC7F,CAAC,CAAC;YACL,CAAC;iBAAM,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,YAAY,CAAC,EAAE,CAAC;gBACvD,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;oBACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,CAAC;oBAC7C,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,gCAAgC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,YAAY,CAAC,CAAC;iBACvG,CAAC,CAAC;YACL,CAAC;iBAAM,IAAI,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,YAAY,CAAC,IAAI,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACjG,MAAM,aAAa,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;gBACxE,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,CAAC;oBAC9B,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;wBACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,CAAC;wBAC7C,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,6CAA6C,EAAE;4BAC1E,IAAI,CAAC,IAAI;4BACT,UAAU;4BACV,YAAY;yBACb,CAAC;qBACH,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;gBACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,CAAC;gBAC7C,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,2CAA2C,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,UAAU,CAAC,CAAC;aAChH,CAAC,CAAC;QACL,CAAC;IACH,CAAC;CACF"}
|
|
@@ -8,9 +8,9 @@ export default class EnforcePermissionsOnProfileLike extends PolicyRule {
|
|
|
8
8
|
roleManager;
|
|
9
9
|
constructor(opts) {
|
|
10
10
|
super(opts);
|
|
11
|
-
this.roleManager = new RoleManager(
|
|
12
|
-
|
|
13
|
-
|
|
11
|
+
this.roleManager = new RoleManager({
|
|
12
|
+
controls: opts.auditConfig.controls,
|
|
13
|
+
shape: opts.auditConfig.shape,
|
|
14
14
|
});
|
|
15
15
|
}
|
|
16
16
|
run(context) {
|
|
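Review bot: The `RoleManager` construction added in this constructor is repeated verbatim in the `EnforcePermissionPresets` and `EnforcePermissionsOnUser` constructors in this same diff, and each copy reads `opts.auditConfig.controls` and `opts.auditConfig.shape` directly after `super(opts)` has already received the same object. Since the presets rule reads `this.auditConfig` elsewhere, `PolicyRule` appears to keep the config; a single protected factory on the base class, e.g. `this.roleManager = this.createRoleManager();`, would remove the three copies and keep the option shape `{ controls, shape }` in one place when it changes again. This is a style point rather than a defect; the constructor is complete in the hunk and `run` starts at its end.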
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"enforcePermissionsOnProfileLike.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AAEjD,OAAO,WAAW,MAAM,yBAAyB,CAAC;AAElD,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,oCAAoC,CAAC,CAAC;AAEnH,MAAM,CAAC,OAAO,OAAO,+BAAgC,SAAQ,UAA+B;IACzE,WAAW,CAAC;IAE7B,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;QACZ,IAAI,CAAC,WAAW,GAAG,IAAI,WAAW,CAAC
|
|
1
|
+
{"version":3,"file":"enforcePermissionsOnProfileLike.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AAEjD,OAAO,WAAW,MAAM,yBAAyB,CAAC;AAElD,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,oCAAoC,CAAC,CAAC;AAEnH,MAAM,CAAC,OAAO,OAAO,+BAAgC,SAAQ,UAA+B;IACzE,WAAW,CAAC;IAE7B,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;QACZ,IAAI,CAAC,WAAW,GAAG,IAAI,WAAW,CAAC;YACjC,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,QAAQ;YACnC,KAAK,EAAE,IAAI,CAAC,WAAW,CAAC,KAAK;SAC9B,CAAC,CAAC;IACL,CAAC;IAEM,GAAG,CAAC,OAA8C;QACvD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC;QAClD,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE,CAAC;YACtD,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChD,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;oBACjB,UAAU,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;oBAC1B,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,8BAA8B,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;iBAC7E,CAAC,CAAC;gBACH,SAAS;YACX,CAAC;YACD,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACjC,MAAM,iBAAiB,GAAG,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;gBACpE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,UAAU,CAAC,CAAC;gBACxD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;YACtD,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF"}
|
|
@@ -7,9 +7,9 @@ export default class EnforcePermissionsOnUser extends PolicyRule {
|
|
|
7
7
|
roleManager;
|
|
8
8
|
constructor(opts) {
|
|
9
9
|
super(opts);
|
|
10
|
-
this.roleManager = new RoleManager(
|
|
11
|
-
|
|
12
|
-
|
|
10
|
+
this.roleManager = new RoleManager({
|
|
11
|
+
controls: opts.auditConfig.controls,
|
|
12
|
+
shape: opts.auditConfig.shape,
|
|
13
13
|
});
|
|
14
14
|
}
|
|
15
15
|
run(context) {
|
|
@@ -18,7 +18,7 @@ export default class EnforcePermissionsOnUser extends PolicyRule {
|
|
|
18
18
|
for (const user of Object.values(users)) {
|
|
19
19
|
if (!this.roleManager.isValidRole(user.role)) {
|
|
20
20
|
result.errors.push({
|
|
21
|
-
identifier: [user.username],
|
|
21
|
+
identifier: [user.username, user.role],
|
|
22
22
|
message: messages.getMessage('error.failed-to-resolve-role', [user.role]),
|
|
23
23
|
});
|
|
24
24
|
continue;
|
|
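Review bot: The error pushed when `isValidRole(user.role)` fails now records `user.role` in `identifier`, but if that check rejects a missing role as well as an unknown one the entry becomes `[username, undefined]` and the message on the next line renders an empty role name, which a reader of the report cannot distinguish from a genuinely blank role. If both cases can occur, separating them is cheap: `identifier: [user.username, user.role ?? '<missing>']` (constructed placeholder) plus a distinct message key for the unset case, or at least a comment stating that the second identifier element may be `undefined`. The role string comes from the user inventory and is echoed into the result verbatim, which matches the existing message handling, so consumers of `identifier` should expect arbitrary strings there. The enclosing `for` loop continues outside the hunk.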
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"enforcePermissionsOnUser.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionsOnUser.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C,OAAO,WAAW,MAAM,yBAAyB,CAAC;AAGlD,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,oCAAoC,CAAC,CAAC;AAEnH,MAAM,CAAC,OAAO,OAAO,wBAAyB,SAAQ,UAAwB;IAC3D,WAAW,CAAC;IAE7B,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;QACZ,IAAI,CAAC,WAAW,GAAG,IAAI,WAAW,CAAC
|
|
1
|
+
{"version":3,"file":"enforcePermissionsOnUser.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionsOnUser.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C,OAAO,WAAW,MAAM,yBAAyB,CAAC;AAGlD,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,oCAAoC,CAAC,CAAC;AAEnH,MAAM,CAAC,OAAO,OAAO,wBAAyB,SAAQ,UAAwB;IAC3D,WAAW,CAAC;IAE7B,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;QACZ,IAAI,CAAC,WAAW,GAAG,IAAI,WAAW,CAAC;YACjC,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,QAAQ;YACnC,KAAK,EAAE,IAAI,CAAC,WAAW,CAAC,KAAK;SAC9B,CAAC,CAAC;IACL,CAAC;IAEM,GAAG,CAAC,OAAuC;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,KAAK,GAAG,OAAO,CAAC,gBAAgB,CAAC;QACvC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;YACxC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7C,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;oBACjB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC;oBACtC,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,8BAA8B,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;iBAC1E,CAAC,CAAC;gBACH,SAAS;YACX,CAAC;YACD,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,0BAA0B,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;YACzF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC;YACtC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;YAClC,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;gBACzB,MAAM,aAAa,GAAG,IAAI,CAAC,WAAW,CAAC,eAAe,CACpD,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,QAAQ,EAAE,IAAI,CAAC,eAAe,EAAE,IAAI,EAAE,IAAI,CAAC,WAAW,EAAE,EAC3E,CAAC,IAAI,CAAC,QAAQ,CAAC,CAChB,CAAC;gBACF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,UAAU,CAAC,CAAC;gBACpD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;YAClD,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;IAEO,0BAA0B,CAAC,IAAkB,EAAE,WAAwC;QAC7F,MAAM,MAAM,GAAe,EAAE,UAAU,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;QAC5D,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,OAAO,MAAM,CAAC;QAChB,CAAC;QACD,KAAK,MAAM,eAAe,IAAI,WAAW,EAAE,CA
AC;YAC1C,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,CAAC;gBAC9B,SAAS;YACX,CAAC;YACD,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC,eAAe,CAClD,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,QAAQ,EAAE,eAAe,CAAC,QAAQ,EAAE,IAAI,EAAE,eAAe,CAAC,uBAAuB,EAAE,EACtG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAChB,CAAC;YACF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,UAAU,CAAC,CAAC;YAClD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC;QAChD,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;CACF"}
|