@j-schreiber/sf-cli-security-audit 0.19.3 → 0.20.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +3 -3
- package/lib/commands/org/audit/init.d.ts +1 -1
- package/lib/commands/org/audit/init.js +8 -8
- package/lib/commands/org/audit/init.js.map +1 -1
- package/lib/commands/org/audit/run.js +4 -1
- package/lib/commands/org/audit/run.js.map +1 -1
- package/lib/libs/audit-engine/auditRun.d.ts +7 -4
- package/lib/libs/audit-engine/auditRun.js +27 -9
- package/lib/libs/audit-engine/auditRun.js.map +1 -1
- package/lib/libs/audit-engine/file-manager/fileManager.d.ts +5 -6
- package/lib/libs/audit-engine/file-manager/fileManager.js +34 -15
- package/lib/libs/audit-engine/file-manager/fileManager.js.map +1 -1
- package/lib/libs/audit-engine/file-manager/fileManager.types.d.ts +1 -0
- package/lib/libs/audit-engine/index.d.ts +72 -43
- package/lib/libs/audit-engine/registry/context.types.d.ts +8 -2
- package/lib/libs/audit-engine/registry/definitions.d.ts +73 -44
- package/lib/libs/audit-engine/registry/policies/permissionSets.js +1 -1
- package/lib/libs/audit-engine/registry/policies/permissionSets.js.map +1 -1
- package/lib/libs/audit-engine/registry/policies/profiles.js +1 -1
- package/lib/libs/audit-engine/registry/policies/profiles.js.map +1 -1
- package/lib/libs/audit-engine/registry/policies/users.js +1 -1
- package/lib/libs/audit-engine/registry/policies/users.js.map +1 -1
- package/lib/libs/audit-engine/registry/policy.js +2 -2
- package/lib/libs/audit-engine/registry/policy.js.map +1 -1
- package/lib/libs/audit-engine/registry/roles/roleManager.d.ts +3 -19
- package/lib/libs/audit-engine/registry/roles/roleManager.js +17 -29
- package/lib/libs/audit-engine/registry/roles/roleManager.js.map +1 -1
- package/lib/libs/audit-engine/registry/roles/roleManager.types.d.ts +21 -3
- package/lib/libs/audit-engine/registry/roles/userRole.d.ts +7 -6
- package/lib/libs/audit-engine/registry/roles/userRole.js +78 -31
- package/lib/libs/audit-engine/registry/roles/userRole.js.map +1 -1
- package/lib/libs/audit-engine/registry/rules/enforcePermissionPresets.js +5 -4
- package/lib/libs/audit-engine/registry/rules/enforcePermissionPresets.js.map +1 -1
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.js +3 -3
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.js.map +1 -1
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnUser.js +4 -4
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnUser.js.map +1 -1
- package/lib/libs/audit-engine/registry/shape/auditConfigShape.d.ts +71 -42
- package/lib/libs/audit-engine/registry/shape/auditConfigShape.js +26 -30
- package/lib/libs/audit-engine/registry/shape/auditConfigShape.js.map +1 -1
- package/lib/libs/audit-engine/registry/shape/schema.d.ts +77 -43
- package/lib/libs/audit-engine/registry/shape/schema.js +22 -20
- package/lib/libs/audit-engine/registry/shape/schema.js.map +1 -1
- package/lib/libs/audit-engine/registry/shape/shapeValidation.d.ts +3 -0
- package/lib/libs/audit-engine/registry/shape/shapeValidation.js +36 -7
- package/lib/libs/audit-engine/registry/shape/shapeValidation.js.map +1 -1
- package/lib/libs/conf-init/auditConfig.d.ts +1 -0
- package/lib/libs/conf-init/auditConfig.js +18 -10
- package/lib/libs/conf-init/auditConfig.js.map +1 -1
- package/lib/libs/conf-init/defaultClassifications.d.ts +5 -7
- package/lib/libs/conf-init/defaultClassifications.js +18 -28
- package/lib/libs/conf-init/defaultClassifications.js.map +1 -1
- package/lib/libs/conf-init/init.types.d.ts +7 -6
- package/lib/libs/conf-init/init.types.js.map +1 -1
- package/lib/libs/quick-scan/userPermissionScanner.js +12 -9
- package/lib/libs/quick-scan/userPermissionScanner.js.map +1 -1
- package/lib/salesforce/connection.d.ts +52 -0
- package/lib/salesforce/connection.js +130 -0
- package/lib/salesforce/connection.js.map +1 -0
- package/lib/salesforce/describes/orgDescribe.d.ts +13 -2
- package/lib/salesforce/describes/orgDescribe.js +16 -0
- package/lib/salesforce/describes/orgDescribe.js.map +1 -1
- package/lib/salesforce/index.d.ts +1 -0
- package/lib/salesforce/index.js +1 -0
- package/lib/salesforce/index.js.map +1 -1
- package/lib/salesforce/mdapi/genericSettingsMetadata.d.ts +2 -2
- package/lib/salesforce/mdapi/genericSettingsMetadata.js.map +1 -1
- package/lib/salesforce/mdapi/mdapi.d.ts +4 -4
- package/lib/salesforce/mdapi/mdapi.js +8 -8
- package/lib/salesforce/mdapi/mdapi.js.map +1 -1
- package/lib/salesforce/mdapi/metadataRegistryEntry.d.ts +3 -3
- package/lib/salesforce/mdapi/metadataRegistryEntry.js +1 -9
- package/lib/salesforce/mdapi/metadataRegistryEntry.js.map +1 -1
- package/lib/salesforce/mdapi/namedMetadataToolingQueryable.d.ts +2 -2
- package/lib/salesforce/mdapi/namedMetadataToolingQueryable.js +1 -1
- package/lib/salesforce/mdapi/namedMetadataToolingQueryable.js.map +1 -1
- package/lib/salesforce/mdapi/namedMetadataType.d.ts +2 -2
- package/lib/salesforce/mdapi/namedMetadataType.js.map +1 -1
- package/lib/salesforce/mdapi/singletonMetadataType.d.ts +2 -2
- package/lib/salesforce/mdapi/singletonMetadataType.js.map +1 -1
- package/lib/salesforce/repositories/connected-apps/connected-apps.d.ts +2 -2
- package/lib/salesforce/repositories/connected-apps/connected-apps.js.map +1 -1
- package/lib/salesforce/repositories/connected-apps/oauth-tokens.d.ts +2 -2
- package/lib/salesforce/repositories/connected-apps/oauth-tokens.js +3 -7
- package/lib/salesforce/repositories/connected-apps/oauth-tokens.js.map +1 -1
- package/lib/salesforce/repositories/perm-sets/permission-sets.d.ts +2 -2
- package/lib/salesforce/repositories/perm-sets/permission-sets.js.map +1 -1
- package/lib/salesforce/repositories/profiles/profiles.d.ts +2 -2
- package/lib/salesforce/repositories/profiles/profiles.js.map +1 -1
- package/lib/salesforce/repositories/users/users.d.ts +3 -3
- package/lib/salesforce/repositories/users/users.js +6 -6
- package/lib/salesforce/repositories/users/users.js.map +1 -1
- package/messages/auditShapeValidation.md +4 -0
- package/messages/org.audit.run.md +4 -0
- package/messages/rules.enforceClassificationPresets.md +4 -8
- package/messages/salesforceConnectionErrors.md +11 -0
- package/oclif.manifest.json +1 -1
- package/package.json +1 -1
- package/lib/libs/audit-engine/registry/helpers/permissionsScanning.d.ts +0 -37
- package/lib/libs/audit-engine/registry/helpers/permissionsScanning.js +0 -81
- package/lib/libs/audit-engine/registry/helpers/permissionsScanning.js.map +0 -1
|
@@ -4,66 +4,85 @@
|
|
|
4
4
|
* the audit config that is used by rules and policies.
|
|
5
5
|
*/
|
|
6
6
|
export declare const BaseAuditConfigShape: {
|
|
7
|
-
|
|
7
|
+
controls: {
|
|
8
8
|
files: {
|
|
9
9
|
roles: {
|
|
10
|
+
schema: import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
|
|
11
|
+
permissions: import("zod").ZodOptional<import("zod").ZodXor<readonly [import("zod").ZodArray<import("zod").ZodString>, import("zod").ZodObject<{
|
|
12
|
+
allowedClassifications: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodEnum<typeof import("./schema.js").PermissionRiskLevel>>>;
|
|
13
|
+
userPermissions: import("zod").ZodOptional<import("zod").ZodObject<{
|
|
14
|
+
allowed: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
|
|
15
|
+
denied: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
|
|
16
|
+
required: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
|
|
17
|
+
}, import("zod/v4/core").$strip>>;
|
|
18
|
+
customPermissions: import("zod").ZodOptional<import("zod").ZodObject<{
|
|
19
|
+
allowed: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
|
|
20
|
+
denied: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
|
|
21
|
+
required: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
|
|
22
|
+
}, import("zod/v4/core").$strip>>;
|
|
23
|
+
}, import("zod/v4/core").$strip>]>>;
|
|
24
|
+
}, import("zod/v4/core").$strict>>;
|
|
25
|
+
};
|
|
26
|
+
permissions: {
|
|
10
27
|
schema: import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
|
|
11
28
|
allowedClassifications: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodEnum<typeof import("./schema.js").PermissionRiskLevel>>>;
|
|
12
|
-
|
|
13
|
-
|
|
29
|
+
userPermissions: import("zod").ZodOptional<import("zod").ZodObject<{
|
|
30
|
+
allowed: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
|
|
31
|
+
denied: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
|
|
32
|
+
required: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
|
|
33
|
+
}, import("zod/v4/core").$strip>>;
|
|
34
|
+
customPermissions: import("zod").ZodOptional<import("zod").ZodObject<{
|
|
35
|
+
allowed: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
|
|
36
|
+
denied: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
|
|
37
|
+
required: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
|
|
38
|
+
}, import("zod/v4/core").$strip>>;
|
|
14
39
|
}, import("zod/v4/core").$strip>>;
|
|
15
40
|
};
|
|
16
41
|
};
|
|
17
42
|
};
|
|
18
|
-
|
|
43
|
+
shape: {
|
|
19
44
|
files: {
|
|
20
45
|
userPermissions: {
|
|
21
|
-
schema: import("zod").ZodObject<{
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
}, import("zod/v4/core").$strip>;
|
|
28
|
-
entities: string;
|
|
46
|
+
schema: import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
|
|
47
|
+
label: import("zod").ZodOptional<import("zod").ZodString>;
|
|
48
|
+
reason: import("zod").ZodOptional<import("zod").ZodString>;
|
|
49
|
+
classification: import("zod").ZodEnum<typeof import("./schema.js").PermissionRiskLevel>;
|
|
50
|
+
}, import("zod/v4/core").$strip>>;
|
|
51
|
+
isCountable: boolean;
|
|
29
52
|
};
|
|
30
53
|
customPermissions: {
|
|
31
|
-
schema: import("zod").ZodObject<{
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
}, import("zod/v4/core").$strip>;
|
|
38
|
-
entities: string;
|
|
54
|
+
schema: import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
|
|
55
|
+
label: import("zod").ZodOptional<import("zod").ZodString>;
|
|
56
|
+
reason: import("zod").ZodOptional<import("zod").ZodString>;
|
|
57
|
+
classification: import("zod").ZodEnum<typeof import("./schema.js").PermissionRiskLevel>;
|
|
58
|
+
}, import("zod/v4/core").$strip>>;
|
|
59
|
+
isCountable: boolean;
|
|
39
60
|
};
|
|
61
|
+
};
|
|
62
|
+
};
|
|
63
|
+
inventory: {
|
|
64
|
+
files: {
|
|
40
65
|
profiles: {
|
|
41
|
-
schema: import("zod").ZodObject<{
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
}, import("zod/v4/core").$strip>;
|
|
50
|
-
entities: string;
|
|
66
|
+
schema: import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
|
|
67
|
+
role: import("zod").ZodString;
|
|
68
|
+
allowedLoginIps: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodObject<{
|
|
69
|
+
from: import("zod").ZodString;
|
|
70
|
+
to: import("zod").ZodString;
|
|
71
|
+
}, import("zod/v4/core").$strip>>>;
|
|
72
|
+
}, import("zod/v4/core").$strict>>;
|
|
73
|
+
isCountable: boolean;
|
|
51
74
|
};
|
|
52
75
|
permissionSets: {
|
|
53
|
-
schema: import("zod").ZodObject<{
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
}, import("zod/v4/core").$strip>;
|
|
58
|
-
entities: string;
|
|
76
|
+
schema: import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
|
|
77
|
+
role: import("zod").ZodString;
|
|
78
|
+
}, import("zod/v4/core").$strict>>;
|
|
79
|
+
isCountable: boolean;
|
|
59
80
|
};
|
|
60
81
|
users: {
|
|
61
|
-
schema: import("zod").ZodObject<{
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
}, import("zod/v4/core").$strip>;
|
|
66
|
-
entities: string;
|
|
82
|
+
schema: import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
|
|
83
|
+
role: import("zod").ZodString;
|
|
84
|
+
}, import("zod/v4/core").$strip>>;
|
|
85
|
+
isCountable: boolean;
|
|
67
86
|
};
|
|
68
87
|
};
|
|
69
88
|
};
|
|
@@ -82,6 +101,8 @@ export declare const BaseAuditConfigShape: {
|
|
|
82
101
|
path: string[];
|
|
83
102
|
errorName: string;
|
|
84
103
|
}[];
|
|
104
|
+
isCountable: boolean;
|
|
105
|
+
entities: string;
|
|
85
106
|
};
|
|
86
107
|
permissionSets: {
|
|
87
108
|
schema: import("zod").ZodObject<{
|
|
@@ -96,6 +117,8 @@ export declare const BaseAuditConfigShape: {
|
|
|
96
117
|
path: string[];
|
|
97
118
|
errorName: string;
|
|
98
119
|
}[];
|
|
120
|
+
isCountable: boolean;
|
|
121
|
+
entities: string;
|
|
99
122
|
};
|
|
100
123
|
connectedApps: {
|
|
101
124
|
schema: import("zod").ZodObject<{
|
|
@@ -106,6 +129,8 @@ export declare const BaseAuditConfigShape: {
|
|
|
106
129
|
}, import("zod/v4/core").$strip>>>;
|
|
107
130
|
options: import("zod").ZodOptional<import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodUnknown>>;
|
|
108
131
|
}, import("zod/v4/core").$strip>;
|
|
132
|
+
isCountable: boolean;
|
|
133
|
+
entities: string;
|
|
109
134
|
};
|
|
110
135
|
users: {
|
|
111
136
|
schema: import("zod").ZodObject<{
|
|
@@ -119,6 +144,8 @@ export declare const BaseAuditConfigShape: {
|
|
|
119
144
|
analyseLastNDaysOfLoginHistory: import("zod").ZodOptional<import("zod").ZodNumber>;
|
|
120
145
|
}, import("zod/v4/core").$strict>;
|
|
121
146
|
}, import("zod/v4/core").$strip>;
|
|
147
|
+
isCountable: boolean;
|
|
148
|
+
entities: string;
|
|
122
149
|
};
|
|
123
150
|
settings: {
|
|
124
151
|
schema: import("zod").ZodObject<{
|
|
@@ -129,6 +156,8 @@ export declare const BaseAuditConfigShape: {
|
|
|
129
156
|
}, import("zod/v4/core").$strip>>>;
|
|
130
157
|
options: import("zod").ZodOptional<import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodUnknown>>;
|
|
131
158
|
}, import("zod/v4/core").$strip>;
|
|
159
|
+
isCountable: boolean;
|
|
160
|
+
entities: string;
|
|
132
161
|
};
|
|
133
162
|
};
|
|
134
163
|
};
|
|
@@ -1,61 +1,57 @@
|
|
|
1
|
-
import { PermissionsClassificationFileSchema, PermissionSetsClassificationFileSchema, PolicyFileSchema, ProfilesClassificationFileSchema,
|
|
1
|
+
import { ComposableRolesFileSchema, PermissionControlsFileSchema, PermissionsClassificationFileSchema, PermissionSetsClassificationFileSchema, PolicyFileSchema, ProfilesClassificationFileSchema, UserClassificationFileSchema, UserPolicyFileSchema, } from './schema.js';
|
|
2
2
|
/**
|
|
3
3
|
* The shape defines the directory structure and schema files to
|
|
4
4
|
* parse YAML files. It is the foundation to derive the runtime type of
|
|
5
5
|
* the audit config that is used by rules and policies.
|
|
6
6
|
*/
|
|
7
7
|
export const BaseAuditConfigShape = {
|
|
8
|
-
|
|
8
|
+
controls: {
|
|
9
9
|
files: {
|
|
10
|
-
roles: { schema:
|
|
10
|
+
roles: { schema: ComposableRolesFileSchema },
|
|
11
|
+
permissions: { schema: PermissionControlsFileSchema },
|
|
11
12
|
},
|
|
12
13
|
},
|
|
13
|
-
|
|
14
|
+
shape: {
|
|
14
15
|
files: {
|
|
15
|
-
userPermissions: {
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
},
|
|
23
|
-
|
|
24
|
-
schema: ProfilesClassificationFileSchema,
|
|
25
|
-
entities: 'profiles',
|
|
26
|
-
},
|
|
27
|
-
permissionSets: {
|
|
28
|
-
schema: PermissionSetsClassificationFileSchema,
|
|
29
|
-
entities: 'permissionSets',
|
|
30
|
-
},
|
|
31
|
-
users: {
|
|
32
|
-
schema: UserClassificationFileSchema,
|
|
33
|
-
entities: 'users',
|
|
34
|
-
},
|
|
16
|
+
userPermissions: { schema: PermissionsClassificationFileSchema, isCountable: true },
|
|
17
|
+
customPermissions: { schema: PermissionsClassificationFileSchema, isCountable: true },
|
|
18
|
+
},
|
|
19
|
+
},
|
|
20
|
+
inventory: {
|
|
21
|
+
files: {
|
|
22
|
+
profiles: { schema: ProfilesClassificationFileSchema, isCountable: true },
|
|
23
|
+
permissionSets: { schema: PermissionSetsClassificationFileSchema, isCountable: true },
|
|
24
|
+
users: { schema: UserClassificationFileSchema, isCountable: true },
|
|
35
25
|
},
|
|
36
26
|
},
|
|
37
27
|
policies: {
|
|
38
28
|
files: {
|
|
39
29
|
profiles: {
|
|
40
30
|
schema: PolicyFileSchema,
|
|
41
|
-
dependencies: [
|
|
42
|
-
|
|
43
|
-
|
|
31
|
+
dependencies: [{ path: ['shape', 'userPermissions'], errorName: 'UserPermClassificationRequiredForProfiles' }],
|
|
32
|
+
isCountable: true,
|
|
33
|
+
entities: 'rules',
|
|
44
34
|
},
|
|
45
35
|
permissionSets: {
|
|
46
36
|
schema: PolicyFileSchema,
|
|
47
|
-
dependencies: [
|
|
48
|
-
|
|
49
|
-
|
|
37
|
+
dependencies: [{ path: ['shape', 'userPermissions'], errorName: 'UserPermClassificationRequiredForPermSets' }],
|
|
38
|
+
isCountable: true,
|
|
39
|
+
entities: 'rules',
|
|
50
40
|
},
|
|
51
41
|
connectedApps: {
|
|
52
42
|
schema: PolicyFileSchema,
|
|
43
|
+
isCountable: true,
|
|
44
|
+
entities: 'rules',
|
|
53
45
|
},
|
|
54
46
|
users: {
|
|
55
47
|
schema: UserPolicyFileSchema,
|
|
48
|
+
isCountable: true,
|
|
49
|
+
entities: 'rules',
|
|
56
50
|
},
|
|
57
51
|
settings: {
|
|
58
52
|
schema: PolicyFileSchema,
|
|
53
|
+
isCountable: true,
|
|
54
|
+
entities: 'rules',
|
|
59
55
|
},
|
|
60
56
|
},
|
|
61
57
|
},
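Review bot: None of the `policies` entries declares a dependency on `controls/roles`, although every `inventory` entry binds a profile, permission set or user to a `role: z.string()` that presumably has to resolve against `ComposableRolesFileSchema`; the only dependency declared is `['shape', 'userPermissions']` on `profiles` and `permissionSets`. If `dependencies` is what shapeValidation uses to fail early on a missing file, a missing or empty roles file would surface later as a role-resolution error rather than as a shape error — shapeValidation is not in this hunk, so it may already be covered there. Consider adding a dependency entry with `path: ['controls', 'roles']` (and a matching message key) next to the existing one on `profiles`, `permissionSets` and `users`. `controls.files.roles` and `controls.files.permissions` are also the only entries without `isCountable`; a short comment such as `// control files are not entities and are excluded from the count` would tell the next reader that this is intentional.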
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auditConfigShape.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/shape/auditConfigShape.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,mCAAmC,EACnC,sCAAsC,EACtC,gBAAgB,EAChB,gCAAgC,EAChC,
|
|
1
|
+
{"version":3,"file":"auditConfigShape.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/shape/auditConfigShape.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,yBAAyB,EACzB,4BAA4B,EAC5B,mCAAmC,EACnC,sCAAsC,EACtC,gBAAgB,EAChB,gCAAgC,EAChC,4BAA4B,EAC5B,oBAAoB,GACrB,MAAM,aAAa,CAAC;AAErB;;;;GAIG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG;IAClC,QAAQ,EAAE;QACR,KAAK,EAAE;YACL,KAAK,EAAE,EAAE,MAAM,EAAE,yBAAyB,EAAE;YAC5C,WAAW,EAAE,EAAE,MAAM,EAAE,4BAA4B,EAAE;SACtD;KACF;IACD,KAAK,EAAE;QACL,KAAK,EAAE;YACL,eAAe,EAAE,EAAE,MAAM,EAAE,mCAAmC,EAAE,WAAW,EAAE,IAAI,EAAE;YACnF,iBAAiB,EAAE,EAAE,MAAM,EAAE,mCAAmC,EAAE,WAAW,EAAE,IAAI,EAAE;SACtF;KACF;IACD,SAAS,EAAE;QACT,KAAK,EAAE;YACL,QAAQ,EAAE,EAAE,MAAM,EAAE,gCAAgC,EAAE,WAAW,EAAE,IAAI,EAAE;YACzE,cAAc,EAAE,EAAE,MAAM,EAAE,sCAAsC,EAAE,WAAW,EAAE,IAAI,EAAE;YACrF,KAAK,EAAE,EAAE,MAAM,EAAE,4BAA4B,EAAE,WAAW,EAAE,IAAI,EAAE;SACnE;KACF;IACD,QAAQ,EAAE;QACR,KAAK,EAAE;YACL,QAAQ,EAAE;gBACR,MAAM,EAAE,gBAAgB;gBACxB,YAAY,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,OAAO,EAAE,iBAAiB,CAAC,EAAE,SAAS,EAAE,2CAA2C,EAAE,CAAC;gBAC9G,WAAW,EAAE,IAAI;gBACjB,QAAQ,EAAE,OAAO;aAClB;YACD,cAAc,EAAE;gBACd,MAAM,EAAE,gBAAgB;gBACxB,YAAY,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,OAAO,EAAE,iBAAiB,CAAC,EAAE,SAAS,EAAE,2CAA2C,EAAE,CAAC;gBAC9G,WAAW,EAAE,IAAI;gBACjB,QAAQ,EAAE,OAAO;aAClB;YACD,aAAa,EAAE;gBACb,MAAM,EAAE,gBAAgB;gBACxB,WAAW,EAAE,IAAI;gBACjB,QAAQ,EAAE,OAAO;aAClB;YACD,KAAK,EAAE;gBACL,MAAM,EAAE,oBAAoB;gBAC5B,WAAW,EAAE,IAAI;gBACjB,QAAQ,EAAE,OAAO;aAClB;YACD,QAAQ,EAAE;gBACR,MAAM,EAAE,gBAAgB;gBACxB,WAAW,EAAE,IAAI;gBACjB,QAAQ,EAAE,OAAO;aAClB;SACF;KACF;CACF,CAAC"}
|
|
@@ -32,55 +32,85 @@ export declare enum UserPrivilegeLevel {
|
|
|
32
32
|
/** Disables the profile for audit */
|
|
33
33
|
UNKNOWN = "Unknown"
|
|
34
34
|
}
|
|
35
|
-
declare const
|
|
35
|
+
declare const IndividualPermissionControlSchema: z.ZodObject<{
|
|
36
|
+
allowed: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
37
|
+
denied: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
38
|
+
required: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
39
|
+
}, z.z.core.$strip>;
|
|
40
|
+
export declare const PermissionControlSchema: z.ZodObject<{
|
|
41
|
+
allowedClassifications: z.ZodOptional<z.ZodArray<z.ZodEnum<typeof PermissionRiskLevel>>>;
|
|
42
|
+
userPermissions: z.ZodOptional<z.ZodObject<{
|
|
43
|
+
allowed: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
44
|
+
denied: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
45
|
+
required: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
46
|
+
}, z.z.core.$strip>>;
|
|
47
|
+
customPermissions: z.ZodOptional<z.ZodObject<{
|
|
48
|
+
allowed: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
49
|
+
denied: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
50
|
+
required: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
51
|
+
}, z.z.core.$strip>>;
|
|
52
|
+
}, z.z.core.$strip>;
|
|
53
|
+
export declare const PermissionControlsFileSchema: z.ZodRecord<z.ZodString, z.ZodObject<{
|
|
54
|
+
allowedClassifications: z.ZodOptional<z.ZodArray<z.ZodEnum<typeof PermissionRiskLevel>>>;
|
|
55
|
+
userPermissions: z.ZodOptional<z.ZodObject<{
|
|
56
|
+
allowed: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
57
|
+
denied: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
58
|
+
required: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
59
|
+
}, z.z.core.$strip>>;
|
|
60
|
+
customPermissions: z.ZodOptional<z.ZodObject<{
|
|
61
|
+
allowed: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
62
|
+
denied: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
63
|
+
required: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
64
|
+
}, z.z.core.$strip>>;
|
|
65
|
+
}, z.z.core.$strip>>;
|
|
66
|
+
export declare const ResolvedRoleDefinitionSchema: z.ZodObject<{
|
|
67
|
+
permissions: z.ZodOptional<z.ZodObject<{
|
|
68
|
+
allowedClassifications: z.ZodOptional<z.ZodArray<z.ZodEnum<typeof PermissionRiskLevel>>>;
|
|
69
|
+
userPermissions: z.ZodOptional<z.ZodObject<{
|
|
70
|
+
allowed: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
71
|
+
denied: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
72
|
+
required: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
73
|
+
}, z.z.core.$strip>>;
|
|
74
|
+
customPermissions: z.ZodOptional<z.ZodObject<{
|
|
75
|
+
allowed: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
76
|
+
denied: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
77
|
+
required: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
78
|
+
}, z.z.core.$strip>>;
|
|
79
|
+
}, z.z.core.$strip>>;
|
|
80
|
+
}, z.z.core.$strip>;
|
|
81
|
+
export declare const ComposableRolesFileSchema: z.ZodRecord<z.ZodString, z.ZodObject<{
|
|
82
|
+
permissions: z.ZodOptional<z.ZodXor<readonly [z.ZodArray<z.ZodString>, z.ZodObject<{
|
|
83
|
+
allowedClassifications: z.ZodOptional<z.ZodArray<z.ZodEnum<typeof PermissionRiskLevel>>>;
|
|
84
|
+
userPermissions: z.ZodOptional<z.ZodObject<{
|
|
85
|
+
allowed: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
86
|
+
denied: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
87
|
+
required: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
88
|
+
}, z.z.core.$strip>>;
|
|
89
|
+
customPermissions: z.ZodOptional<z.ZodObject<{
|
|
90
|
+
allowed: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
91
|
+
denied: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
92
|
+
required: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
93
|
+
}, z.z.core.$strip>>;
|
|
94
|
+
}, z.z.core.$strip>]>>;
|
|
95
|
+
}, z.z.core.$strict>>;
|
|
96
|
+
export declare const PermissionsClassificationFileSchema: z.ZodRecord<z.ZodString, z.ZodObject<{
|
|
36
97
|
label: z.ZodOptional<z.ZodString>;
|
|
37
98
|
reason: z.ZodOptional<z.ZodString>;
|
|
38
99
|
classification: z.ZodEnum<typeof PermissionRiskLevel>;
|
|
39
100
|
}, z.z.core.$strip>>;
|
|
40
|
-
declare const
|
|
41
|
-
role: z.ZodString;
|
|
42
|
-
}, z.z.core.$strict>>;
|
|
43
|
-
declare const ProfilesMap: z.ZodRecord<z.ZodString, z.ZodObject<{
|
|
101
|
+
export declare const ProfilesClassificationFileSchema: z.ZodRecord<z.ZodString, z.ZodObject<{
|
|
44
102
|
role: z.ZodString;
|
|
45
103
|
allowedLoginIps: z.ZodOptional<z.ZodArray<z.ZodObject<{
|
|
46
104
|
from: z.ZodString;
|
|
47
105
|
to: z.ZodString;
|
|
48
106
|
}, z.z.core.$strip>>>;
|
|
49
107
|
}, z.z.core.$strict>>;
|
|
50
|
-
declare const
|
|
108
|
+
export declare const PermissionSetsClassificationFileSchema: z.ZodRecord<z.ZodString, z.ZodObject<{
|
|
109
|
+
role: z.ZodString;
|
|
110
|
+
}, z.z.core.$strict>>;
|
|
111
|
+
export declare const UserClassificationFileSchema: z.ZodRecord<z.ZodString, z.ZodObject<{
|
|
51
112
|
role: z.ZodString;
|
|
52
113
|
}, z.z.core.$strip>>;
|
|
53
|
-
export declare const RoleDefinitionsFileSchema: z.ZodRecord<z.ZodString, z.ZodObject<{
|
|
54
|
-
allowedClassifications: z.ZodOptional<z.ZodArray<z.ZodEnum<typeof PermissionRiskLevel>>>;
|
|
55
|
-
allowedPermissions: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
56
|
-
deniedPermissions: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
57
|
-
}, z.z.core.$strip>>;
|
|
58
|
-
export declare const PermissionsClassificationFileSchema: z.ZodObject<{
|
|
59
|
-
permissions: z.ZodRecord<z.ZodString, z.ZodObject<{
|
|
60
|
-
label: z.ZodOptional<z.ZodString>;
|
|
61
|
-
reason: z.ZodOptional<z.ZodString>;
|
|
62
|
-
classification: z.ZodEnum<typeof PermissionRiskLevel>;
|
|
63
|
-
}, z.z.core.$strip>>;
|
|
64
|
-
}, z.z.core.$strip>;
|
|
65
|
-
export declare const ProfilesClassificationFileSchema: z.ZodObject<{
|
|
66
|
-
profiles: z.ZodRecord<z.ZodString, z.ZodObject<{
|
|
67
|
-
role: z.ZodString;
|
|
68
|
-
allowedLoginIps: z.ZodOptional<z.ZodArray<z.ZodObject<{
|
|
69
|
-
from: z.ZodString;
|
|
70
|
-
to: z.ZodString;
|
|
71
|
-
}, z.z.core.$strip>>>;
|
|
72
|
-
}, z.z.core.$strict>>;
|
|
73
|
-
}, z.z.core.$strip>;
|
|
74
|
-
export declare const PermissionSetsClassificationFileSchema: z.ZodObject<{
|
|
75
|
-
permissionSets: z.ZodRecord<z.ZodString, z.ZodObject<{
|
|
76
|
-
role: z.ZodString;
|
|
77
|
-
}, z.z.core.$strict>>;
|
|
78
|
-
}, z.z.core.$strip>;
|
|
79
|
-
export declare const UserClassificationFileSchema: z.ZodObject<{
|
|
80
|
-
users: z.ZodRecord<z.ZodString, z.ZodObject<{
|
|
81
|
-
role: z.ZodString;
|
|
82
|
-
}, z.z.core.$strip>>;
|
|
83
|
-
}, z.z.core.$strip>;
|
|
84
114
|
export declare const PolicyFileSchema: z.ZodObject<{
|
|
85
115
|
enabled: z.ZodDefault<z.ZodBoolean>;
|
|
86
116
|
rules: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodObject<{
|
|
@@ -110,13 +140,17 @@ export type NestedStructure = {
|
|
|
110
140
|
* risk or a structure of nested identifiers.
|
|
111
141
|
*/
|
|
112
142
|
export declare const AcceptedRisksSchema: z.ZodType<NestedStructure>;
|
|
113
|
-
export type PermissionClassifications = z.infer<typeof
|
|
114
|
-
export type PermissionSetClassifications = z.infer<typeof
|
|
115
|
-
export type ProfileClassifications = z.infer<typeof
|
|
116
|
-
export type UserClassifications = z.infer<typeof
|
|
143
|
+
export type PermissionClassifications = z.infer<typeof PermissionsClassificationFileSchema>;
|
|
144
|
+
export type PermissionSetClassifications = z.infer<typeof PermissionSetsClassificationFileSchema>;
|
|
145
|
+
export type ProfileClassifications = z.infer<typeof ProfilesClassificationFileSchema>;
|
|
146
|
+
export type UserClassifications = z.infer<typeof UserClassificationFileSchema>;
|
|
117
147
|
export type PolicyConfig = z.infer<typeof PolicyFileSchema>;
|
|
118
148
|
export type UserPolicyConfig = z.infer<typeof UserPolicyFileSchema>;
|
|
119
149
|
export type AcceptedRuleRisks = z.infer<typeof AcceptedRisksSchema>;
|
|
120
|
-
export type
|
|
121
|
-
export type
|
|
150
|
+
export type PermissionControlSection = z.infer<typeof IndividualPermissionControlSchema>;
|
|
151
|
+
export type ResolvedRoleDefinition = z.infer<typeof ResolvedRoleDefinitionSchema>;
|
|
152
|
+
export type ComposableRolesControl = z.infer<typeof ComposableRolesFileSchema>;
|
|
153
|
+
export type PermissionControl = z.infer<typeof PermissionControlSchema>;
|
|
154
|
+
export type PermissionControls = z.infer<typeof PermissionControlsFileSchema>;
|
|
155
|
+
export declare function isPermissionControl(maybeRoleDef: unknown): maybeRoleDef is PermissionControl;
|
|
122
156
|
export {};
|
|
@@ -55,34 +55,31 @@ const PermSetConfig = z.strictObject({
|
|
|
55
55
|
const ProfileConfig = PermSetConfig.extend({
|
|
56
56
|
allowedLoginIps: z.array(z.object({ from: z.string().regex(IP4RegExp), to: z.string().regex(IP4RegExp) })).optional(),
|
|
57
57
|
});
|
|
58
|
-
const PermSetMap = z.record(z.string(), PermSetConfig);
|
|
59
|
-
const ProfilesMap = z.record(z.string(), ProfileConfig);
|
|
60
58
|
const UserConfig = z.object({ role: z.string() });
|
|
61
|
-
const UsersMap = z.record(z.string(), UserConfig);
|
|
62
59
|
const UsersPolicyOptions = z.strictObject({
|
|
63
60
|
defaultRoleForMissingUsers: z.string().default(UserPrivilegeLevel.STANDARD_USER),
|
|
64
61
|
analyseLastNDaysOfLoginHistory: z.number().optional(),
|
|
65
62
|
});
|
|
66
|
-
const
|
|
63
|
+
const IndividualPermissionControlSchema = z.object({
|
|
64
|
+
allowed: z.array(z.string()).optional(),
|
|
65
|
+
denied: z.array(z.string()).optional(),
|
|
66
|
+
required: z.array(z.string()).optional(),
|
|
67
|
+
});
|
|
68
|
+
// Controls File Schema
|
|
69
|
+
export const PermissionControlSchema = z.object({
|
|
67
70
|
allowedClassifications: z.array(z.enum(PermissionRiskLevel)).optional(),
|
|
68
|
-
|
|
69
|
-
|
|
71
|
+
userPermissions: IndividualPermissionControlSchema.optional(),
|
|
72
|
+
customPermissions: IndividualPermissionControlSchema.optional(),
|
|
70
73
|
});
|
|
71
|
-
|
|
72
|
-
|
|
74
|
+
export const PermissionControlsFileSchema = z.record(z.string(), PermissionControlSchema);
|
|
75
|
+
// new, V2
|
|
76
|
+
export const ResolvedRoleDefinitionSchema = z.object({ permissions: PermissionControlSchema.optional() });
|
|
77
|
+
export const ComposableRolesFileSchema = z.record(z.string(), z.object({ permissions: z.xor([z.array(z.string()), PermissionControlSchema]).optional() }).strict());
|
|
73
78
|
// Classification File Schemata
|
|
74
|
-
export const PermissionsClassificationFileSchema = z.
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
export const
|
|
78
|
-
profiles: ProfilesMap,
|
|
79
|
-
});
|
|
80
|
-
export const PermissionSetsClassificationFileSchema = z.object({
|
|
81
|
-
permissionSets: PermSetMap,
|
|
82
|
-
});
|
|
83
|
-
export const UserClassificationFileSchema = z.object({
|
|
84
|
-
users: UsersMap,
|
|
85
|
-
});
|
|
79
|
+
export const PermissionsClassificationFileSchema = z.record(z.string(), PermClassification);
|
|
80
|
+
export const ProfilesClassificationFileSchema = z.record(z.string(), ProfileConfig);
|
|
81
|
+
export const PermissionSetsClassificationFileSchema = z.record(z.string(), PermSetConfig);
|
|
82
|
+
export const UserClassificationFileSchema = z.record(z.string(), UserConfig);
|
|
86
83
|
// Policy File Schemata
|
|
87
84
|
export const PolicyFileSchema = z.object({
|
|
88
85
|
enabled: z.boolean().default(true),
|
|
@@ -98,4 +95,9 @@ const allowedRiskSchema = z.object({ reason: z.string() });
|
|
|
98
95
|
* risk or a structure of nested identifiers.
|
|
99
96
|
*/
|
|
100
97
|
export const AcceptedRisksSchema = z.lazy(() => z.record(z.string(), z.union([allowedRiskSchema, AcceptedRisksSchema])));
|
|
98
|
+
// Guard Functions
|
|
99
|
+
export function isPermissionControl(maybeRoleDef) {
|
|
100
|
+
const parseResult = PermissionControlSchema.safeParse(maybeRoleDef);
|
|
101
|
+
return maybeRoleDef !== undefined && parseResult.success === true;
|
|
102
|
+
}
|
|
101
103
|
//# sourceMappingURL=schema.js.map
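Review bot: `IndividualPermissionControlSchema` and `PermissionControlSchema` are built with `z.object`, which strips unknown keys, so a misspelled `denied:` or `required:` (or a leftover `deniedPermissions:` from the 0.19 role format placed under `permissions`) is silently dropped and the control becomes weaker with no validation error; only the outer role object in `ComposableRolesFileSchema` is `.strict()`. For a schema whose job is to deny and require permissions these should reject unknown keys, as the file already does for `PermSetConfig`: `const IndividualPermissionControlSchema = z.strictObject({` and `export const PermissionControlSchema = z.strictObject({`. The same asymmetry exists between `PermSetConfig` (`z.strictObject`) and `UserConfig` (`z.object({ role: z.string() })`), so a typo in a user inventory entry is stripped while the identical typo in a permission set fails. `isPermissionControl` in the later hunk inherits this looseness — every field is optional, so `{}` or an object holding only unrecognised keys passes the guard — and the `maybeRoleDef !== undefined` check is redundant because `safeParse(undefined)` already fails for an object schema; a `.refine` requiring at least one of `allowedClassifications`, `userPermissions` or `customPermissions`, together with the strict variant above, would make the guard meaningful.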
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"schema.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/shape/schema.ts"],"names":[],"mappings":"AAAA,OAAO,CAAC,MAAM,KAAK,CAAC;AAEpB,MAAM,SAAS,GAAG,2CAA2C,CAAC;AAE9D;;GAEG;AACH,MAAM,CAAN,IAAY,mBAaX;AAbD,WAAY,mBAAmB;IAC7B,+EAA+E;IAC/E,0CAAmB,CAAA;IACnB,6DAA6D;IAC7D,4CAAqB,CAAA;IACrB,sEAAsE;IACtE,oCAAa,CAAA;IACb,yDAAyD;IACzD,wCAAiB,CAAA;IACjB,qEAAqE;IACrE,kCAAW,CAAA;IACX,kFAAkF;IAClF,0CAAmB,CAAA;AACrB,CAAC,EAbW,mBAAmB,KAAnB,mBAAmB,QAa9B;AAED;;;GAGG;AACH,MAAM,CAAN,IAAY,kBAWX;AAXD,WAAY,kBAAkB;IAC5B,0CAA0C;IAC1C,6CAAuB,CAAA;IACvB,sCAAsC;IACtC,qCAAe,CAAA;IACf,wCAAwC;IACxC,+CAAyB,CAAA;IACzB,oCAAoC;IACpC,qDAA+B,CAAA;IAC/B,qCAAqC;IACrC,yCAAmB,CAAA;AACrB,CAAC,EAXW,kBAAkB,KAAlB,kBAAkB,QAW7B;AAED,MAAM,kBAAkB,GAAG,CAAC,CAAC,MAAM,CAAC;IAClC,eAAe;IACf,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,4DAA4D;IAC5D,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7B,yCAAyC;IACzC,cAAc,EAAE,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC;CAC5C,CAAC,CAAC;AAEH,MAAM,yBAAyB,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,kBAAkB,CAAC,CAAC;AAE3E,MAAM,sBAAsB,GAAG,CAAC,CAAC,MAAM,CAAC;IACtC,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IACnC,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,EAAE;CACtD,CAAC,CAAC;AAEH,MAAM,aAAa,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,sBAAsB,CAAC,CAAC;AAEnE,MAAM,aAAa,GAAG,CAAC,CAAC,YAAY,CAAC;IACnC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;CACjB,CAAC,CAAC;AAEH,MAAM,aAAa,GAAG,aAAa,CAAC,MAAM,CAAC;IACzC,eAAe,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE;CACtH,CAAC,CAAC;AAEH,MAAM,UAAU,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,
|
|
1
|
+
{"version":3,"file":"schema.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/shape/schema.ts"],"names":[],"mappings":"AAAA,OAAO,CAAC,MAAM,KAAK,CAAC;AAEpB,MAAM,SAAS,GAAG,2CAA2C,CAAC;AAE9D;;GAEG;AACH,MAAM,CAAN,IAAY,mBAaX;AAbD,WAAY,mBAAmB;IAC7B,+EAA+E;IAC/E,0CAAmB,CAAA;IACnB,6DAA6D;IAC7D,4CAAqB,CAAA;IACrB,sEAAsE;IACtE,oCAAa,CAAA;IACb,yDAAyD;IACzD,wCAAiB,CAAA;IACjB,qEAAqE;IACrE,kCAAW,CAAA;IACX,kFAAkF;IAClF,0CAAmB,CAAA;AACrB,CAAC,EAbW,mBAAmB,KAAnB,mBAAmB,QAa9B;AAED;;;GAGG;AACH,MAAM,CAAN,IAAY,kBAWX;AAXD,WAAY,kBAAkB;IAC5B,0CAA0C;IAC1C,6CAAuB,CAAA;IACvB,sCAAsC;IACtC,qCAAe,CAAA;IACf,wCAAwC;IACxC,+CAAyB,CAAA;IACzB,oCAAoC;IACpC,qDAA+B,CAAA;IAC/B,qCAAqC;IACrC,yCAAmB,CAAA;AACrB,CAAC,EAXW,kBAAkB,KAAlB,kBAAkB,QAW7B;AAED,MAAM,kBAAkB,GAAG,CAAC,CAAC,MAAM,CAAC;IAClC,eAAe;IACf,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,4DAA4D;IAC5D,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7B,yCAAyC;IACzC,cAAc,EAAE,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC;CAC5C,CAAC,CAAC;AAEH,MAAM,yBAAyB,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,kBAAkB,CAAC,CAAC;AAE3E,MAAM,sBAAsB,GAAG,CAAC,CAAC,MAAM,CAAC;IACtC,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IACnC,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,EAAE;CACtD,CAAC,CAAC;AAEH,MAAM,aAAa,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,sBAAsB,CAAC,CAAC;AAEnE,MAAM,aAAa,GAAG,CAAC,CAAC,YAAY,CAAC;IACnC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;CACjB,CAAC,CAAC;AAEH,MAAM,aAAa,GAAG,aAAa,CAAC,MAAM,CAAC;IACzC,eAAe,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE;CACtH,CAAC,CAAC;AAEH,MAAM,UAAU,GAAG,CAAC,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AAElD,MAAM,kBAAkB,GAAG,CAAC,CAAC,YAAY,CAAC;IACxC,0BAA0B,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,kBAAkB,CAAC,aAAa,CAAC;IAChF,8BAA8B,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACtD,CAAC,CAA
C;AAEH,MAAM,iCAAiC,GAAG,CAAC,CAAC,MAAM,CAAC;IACjD,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACvC,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACtC,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CACzC,CAAC,CAAC;AAEH,uBAAuB;AAEvB,MAAM,CAAC,MAAM,uBAAuB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC9C,sBAAsB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,CAAC,QAAQ,EAAE;IACvE,eAAe,EAAE,iCAAiC,CAAC,QAAQ,EAAE;IAC7D,iBAAiB,EAAE,iCAAiC,CAAC,QAAQ,EAAE;CAChE,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,uBAAuB,CAAC,CAAC;AAE1F,UAAU;AACV,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAAC,CAAC,MAAM,CAAC,EAAE,WAAW,EAAE,uBAAuB,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;AAE1G,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,CAAC,MAAM,CAC/C,CAAC,CAAC,MAAM,EAAE,EACV,CAAC,CAAC,MAAM,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,uBAAuB,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CACrG,CAAC;AAEF,+BAA+B;AAE/B,MAAM,CAAC,MAAM,mCAAmC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,kBAAkB,CAAC,CAAC;AAE5F,MAAM,CAAC,MAAM,gCAAgC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,aAAa,CAAC,CAAC;AAEpF,MAAM,CAAC,MAAM,sCAAsC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,aAAa,CAAC,CAAC;AAE1F,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,UAAU,CAAC,CAAC;AAE7E,uBAAuB;AAEvB,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IACvC,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAClC,KAAK,EAAE,aAAa,CAAC,OAAO,CAAC,EAAE,CAAC;IAChC,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,EAAE;CACtD,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,oBAAoB,GAAG,gBAAgB,CAAC,MAAM,CAAC;IAC1D,OAAO,EAAE,kBAAkB;CAC5B,CAAC,CAAC;AAUH,MAAM,iBAAiB,GAAG,CAAC,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AAE3D;;;GAGG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAA+B,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,CACzE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC
,KAAK,CAAC,CAAC,iBAAiB,EAAE,mBAAmB,CAAC,CAAC,CAAC,CACxE,CAAC;AAsBF,kBAAkB;AAElB,MAAM,UAAU,mBAAmB,CAAC,YAAqB;IACvD,MAAM,WAAW,GAAG,uBAAuB,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;IACpE,OAAO,YAAY,KAAK,SAAS,IAAI,WAAW,CAAC,OAAO,KAAK,IAAI,CAAC;AACpE,CAAC"}
|
|
@@ -1,3 +1,6 @@
|
|
|
1
1
|
import { ExtractAuditConfigTypes, RefineError } from '../../file-manager/fileManager.types.js';
|
|
2
|
+
import { OrgDescribe } from '../../../../salesforce/index.js';
|
|
2
3
|
import { BaseAuditConfigShape } from './auditConfigShape.js';
|
|
4
|
+
import { ComposableRolesControl } from './schema.js';
|
|
3
5
|
export declare const validator: (parseResult: ExtractAuditConfigTypes<typeof BaseAuditConfigShape>) => RefineError[];
|
|
6
|
+
export declare function verifyRoleDefinitions(roles: ComposableRolesControl, orgDescribe: OrgDescribe): RefineError[];
|
|
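--- a/package/lib/libs/audit-engine/registry/shape/shapeValidation.js
+++ b/package/lib/libs/audit-engine/registry/shape/shapeValidation.js
@@ -1,17 +1,18 @@
 import { Messages } from '@salesforce/core';
+import { isPermissionControl } from './schema.js';
 Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
 const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'auditShapeValidation');
 export const validator = (parseResult) => {
 const errors = [];
-if (parseResult.
-if (parseResult.
-errors.push(...validateRoledEntity(parseResult.
+if (parseResult.controls.roles) {
+if (parseResult.inventory.profiles) {
+errors.push(...validateRoledEntity(parseResult.controls.roles, parseResult.inventory.profiles, 'profiles'));
 }
-if (parseResult.
-errors.push(...validateRoledEntity(parseResult.
+if (parseResult.inventory.permissionSets) {
+errors.push(...validateRoledEntity(parseResult.controls.roles, parseResult.inventory.permissionSets, 'permissionSets'));
 }
-if (parseResult.
-errors.push(...validateRoledEntity(parseResult.
+if (parseResult.inventory.users) {
+errors.push(...validateRoledEntity(parseResult.controls.roles, parseResult.inventory.users, 'users'));
 }
 }
 if (!parseResult.policies || Object.keys(parseResult.policies).length === 0) {
@@ -22,6 +23,34 @@ export const validator = (parseResult) => {
 }
 return errors;
 };
+export function verifyRoleDefinitions(roles, orgDescribe) {
+const warnings = new Array();
+for (const [roleName, roleDef] of Object.entries(roles)) {
+if (!isPermissionControl(roleDef.permissions) || !roleDef.permissions) {
+continue;
+}
+for (const permissionBlockName of ['userPermissions', 'customPermissions']) {
+const permBlock = roleDef.permissions[permissionBlockName];
+if (!permBlock) {
+continue;
+}
+for (const permProp of ['allowed', 'denied', 'required']) {
+const namedPerms = permBlock[permProp];
+if (namedPerms) {
+for (const permName of namedPerms) {
+if (!orgDescribe.isValid(permName)) {
+warnings.push({
+path: ['Controls', 'Roles', roleName, permissionBlockName, permProp, permName],
+message: messages.getMessage('PermissionDoesNotExistOnOrg'),
+});
+}
+}
+}
+}
+}
+}
+return warnings;
+}
 function validateRoledEntity(roles, entries, entityName) {
 const errors = [];
 for (const [identifier, entity] of Object.entries(entries)) {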
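Review bot: The guard `if (!isPermissionControl(roleDef.permissions) || !roleDef.permissions)` in verifyRoleDefinitions has a redundant second operand: isPermissionControl already returns false for undefined (the schema.js hunk above shows `maybeRoleDef !== undefined && parseResult.success === true`), so `!roleDef.permissions` is never the deciding check; if it exists only to narrow the type in the TypeScript source, a type predicate on isPermissionControl would express that without the runtime repeat. The new export also carries no documentation, and I would add a TSDoc along the lines of `/** Checks every composable role's permission-control lists (allowed/denied/required under userPermissions and customPermissions) against orgDescribe.isValid and returns one RefineError per name the org does not know; roles whose permissions are given as a list of role names are skipped here. */`. Minor style: `const warnings = new Array();` reads more naturally as `const warnings = [];`, matching `const errors = [];` in validator above. validateRoledEntity continues outside the hunk.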
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"shapeValidation.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/shape/shapeValidation.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;
|
|
1
|
+
{"version":3,"file":"shapeValidation.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/shape/shapeValidation.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAI5C,OAAO,EAA0B,mBAAmB,EAAgC,MAAM,aAAa,CAAC;AAExG,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,sBAAsB,CAAC,CAAC;AAErG,MAAM,CAAC,MAAM,SAAS,GAAG,CAAC,WAAiE,EAAiB,EAAE;IAC5G,MAAM,MAAM,GAAkB,EAAE,CAAC;IACjC,IAAI,WAAW,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;QAC/B,IAAI,WAAW,CAAC,SAAS,CAAC,QAAQ,EAAE,CAAC;YACnC,MAAM,CAAC,IAAI,CAAC,GAAG,mBAAmB,CAAC,WAAW,CAAC,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC,SAAS,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,CAAC;QAC9G,CAAC;QACD,IAAI,WAAW,CAAC,SAAS,CAAC,cAAc,EAAE,CAAC;YACzC,MAAM,CAAC,IAAI,CACT,GAAG,mBAAmB,CAAC,WAAW,CAAC,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC,SAAS,CAAC,cAAc,EAAE,gBAAgB,CAAC,CAC3G,CAAC;QACJ,CAAC;QACD,IAAI,WAAW,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC;YAChC,MAAM,CAAC,IAAI,CAAC,GAAG,mBAAmB,CAAC,WAAW,CAAC,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC,SAAS,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC;QACxG,CAAC;IACH,CAAC;IACD,IAAI,CAAC,WAAW,CAAC,QAAQ,IAAI,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5E,MAAM,CAAC,IAAI,CAAC;YACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,oBAAoB,CAAC;YAClD,IAAI,EAAE,CAAC,UAAU,CAAC;SACnB,CAAC,CAAC;IACL,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC,CAAC;AAEF,MAAM,UAAU,qBAAqB,CAAC,KAA6B,EAAE,WAAwB;IAC3F,MAAM,QAAQ,GAAG,IAAI,KAAK,EAAe,CAAC;IAC1C,KAAK,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACxD,IAAI,CAAC,mBAAmB,CAAC,OAAO,CAAC,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;YACtE,SAAS;QACX,CAAC;QACD,KAAK,MAAM,mBAAmB,IAAI,CAAC,iBAAiB,EAAE,mBAAmB,CAAU,EAAE,CAAC;YACpF,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,mBAAmB,CAAC,CAAC;YAC3D,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,SAAS;YACX,CAAC;YACD,KAAK,MAAM,QAAQ,IAAI,CAAC,SAAS,EAAE,QAAQ,EAAE,UAAU,CAAU,EAAE,CAAC;gBAClE,MAAM,UAAU,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;gBACvC,IAAI,UAAU,EAAE,CAAC;oBACf,KAAK,MAAM,QAAQ,IAAI,UAAU,EAAE,CAAC;wBAClC,IAAI,CAAC,WAAW,CAAC,
OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;4BACnC,QAAQ,CAAC,IAAI,CAAC;gCACZ,IAAI,EAAE,CAAC,UAAU,EAAE,OAAO,EAAE,QAAQ,EAAE,mBAAmB,EAAE,QAAQ,EAAE,QAAQ,CAAC;gCAC9E,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,6BAA6B,CAAC;6BAC5D,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,mBAAmB,CAC1B,KAA6B,EAC7B,OAAqC,EACrC,UAAkB;IAElB,MAAM,MAAM,GAAkB,EAAE,CAAC;IACjC,KAAK,MAAM,CAAC,UAAU,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAC3D,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;YACxB,MAAM,CAAC,IAAI,CAAC;gBACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,qBAAqB,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;gBAClE,IAAI,EAAE,CAAC,UAAU,EAAE,UAAU,CAAC;aAC/B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}
|
|
@@ -22,5 +22,6 @@ export default class AuditConfig {
|
|
|
22
22
|
* @param con
|
|
23
23
|
*/
|
|
24
24
|
static init(targetCon: Connection, opts?: AuditInitOptions): Promise<AuditRunConfig>;
|
|
25
|
+
private static initSubtype;
|
|
25
26
|
}
|
|
26
27
|
export declare function initPolicyConfig<P extends Policies>(policyName: P): (typeof PolicyDefinitions)[P]['configType'];
|