@j-schreiber/sf-cli-security-audit 0.2.0 → 0.4.0

package/lib/libs/config/audit-run/schema.js

@@ -0,0 +1,45 @@
+import z from 'zod';
+import { PermissionRiskLevelPresets, PolicyRiskLevel } from '../../policies/types.js';
+const PermissionsClassificationSchema = z.object({
+    /** UI Label */
+    label: z.string().optional(),
+    /** An optional description to explain the classification */
+    reason: z.string().optional(),
+    /** Risk assessment of the permissions */
+    classification: z.enum(PolicyRiskLevel),
+});
+const PermsClassificationsMapSchema = z.record(z.string(), PermissionsClassificationSchema);
+const NamedPermissionsClassificationSchema = PermissionsClassificationSchema.extend({
+    /** Developer name of the permission, used in metadata */
+    name: z.string(),
+});
+const PolicyRuleConfigSchema = z.object({
+    enabled: z.boolean().default(true),
+    config: z.unknown().optional(),
+});
+const RuleMapSchema = z.record(z.string(), PolicyRuleConfigSchema);
+const PermSetConfig = z.object({
+    preset: z.enum(PermissionRiskLevelPresets),
+});
+const PermSetMap = z.record(z.string(), PermSetConfig);
+// FILE CONTENT SCHEMATA
+export const PolicyFileSchema = z.object({
+    enabled: z.boolean().default(true),
+    rules: RuleMapSchema.default({}),
+});
+export const ProfilesPolicyFileSchema = PolicyFileSchema.extend({
+    profiles: PermSetMap,
+});
+export const PermSetsPolicyFileSchema = PolicyFileSchema.extend({
+    permissionSets: PermSetMap,
+});
+export const PermissionsConfigFileSchema = z.object({
+    permissions: z.record(z.string(), PermissionsClassificationSchema),
+});
+export function isPermissionsConfig(cls) {
+    return cls.content?.permissions !== undefined;
+}
+export function isPolicyConfig(cls) {
+    return cls.content?.rules !== undefined;
+}
+//# sourceMappingURL=schema.js.map

package/lib/libs/config/audit-run/schema.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema.js","sourceRoot":"","sources":["../../../../src/libs/config/audit-run/schema.ts"],"names":[],"mappings":"AAAA,OAAO,CAAC,MAAM,KAAK,CAAC;AACpB,OAAO,EAAE,0BAA0B,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAEtF,MAAM,+BAA+B,GAAG,CAAC,CAAC,MAAM,CAAC;IAC/C,eAAe;IACf,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,4DAA4D;IAC5D,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7B,yCAAyC;IACzC,cAAc,EAAE,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC;CACxC,CAAC,CAAC;AAEH,MAAM,6BAA6B,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,+BAA+B,CAAC,CAAC;AAE5F,MAAM,oCAAoC,GAAG,+BAA+B,CAAC,MAAM,CAAC;IAClF,yDAAyD;IACzD,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;CACjB,CAAC,CAAC;AAEH,MAAM,sBAAsB,GAAG,CAAC,CAAC,MAAM,CAAC;IACtC,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAClC,MAAM,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;CAC/B,CAAC,CAAC;AAEH,MAAM,aAAa,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,sBAAsB,CAAC,CAAC;AAEnE,MAAM,aAAa,GAAG,CAAC,CAAC,MAAM,CAAC;IAC7B,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,0BAA0B,CAAC;CAC3C,CAAC,CAAC;AAEH,MAAM,UAAU,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,aAAa,CAAC,CAAC;AAEvD,wBAAwB;AAExB,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IACvC,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAClC,KAAK,EAAE,aAAa,CAAC,OAAO,CAAC,EAAE,CAAC;CACjC,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,wBAAwB,GAAG,gBAAgB,CAAC,MAAM,CAAC;IAC9D,QAAQ,EAAE,UAAU;CACrB,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,wBAAwB,GAAG,gBAAgB,CAAC,MAAM,CAAC;IAC9D,cAAc,EAAE,UAAU;CAC3B,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,2BAA2B,GAAG,CAAC,CAAC,MAAM,CAAC;IAClD,WAAW,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,+BAA+B,CAAC;CACnE,CAAC,CAAC;AA0CH,MAAM,UAAU,mBAAmB,CAAC,GAAY;IAC9C,OAAQ,GAAqC,CAAC,OAAO,EAAE,WAAW,KAAK,SAAS,CAAC;AACnF,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,GAAY;IACzC,OAAQ,GAAyC,CAAC,OAAO,EAAE,KAAK,KAAK,SAAS,CAAC;AACjF,CAAC"}

package/lib/libs/config/defaultPolicyClassification.d.ts

@@ -0,0 +1,2 @@
+import { PermissionsClassification } from './audit-run/schema.js';
+export declare const DEFAULT_CLASSIFICATIONS: Record<string, PermissionsClassification>;

package/lib/libs/config/defaultPolicyClassification.js

@@ -0,0 +1,63 @@
+import { Messages } from '@salesforce/core';
+import { PolicyRiskLevel } from '../policies/types.js';
+Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
+const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'policyclassifications');
+export const DEFAULT_CLASSIFICATIONS = {
+    CustomizeApplication: {
+        classification: PolicyRiskLevel.CRITICAL,
+        reason: messages.getMessage('CustomizeApplication'),
+    },
+    ModifyMetadata: {
+        classification: PolicyRiskLevel.CRITICAL,
+        reason: messages.getMessage('CustomizeApplication'),
+    },
+    ViewSetup: {
+        classification: PolicyRiskLevel.HIGH,
+        reason: messages.getMessage('ViewSetup'),
+    },
+    AuthorApex: {
+        classification: PolicyRiskLevel.CRITICAL,
+        reason: messages.getMessage('AuthorApex'),
+    },
+    ManageAuthProviders: {
+        classification: PolicyRiskLevel.CRITICAL,
+        reason: messages.getMessage('ManageAuthProviders'),
+    },
+    Packaging2: {
+        classification: PolicyRiskLevel.CRITICAL,
+        reason: messages.getMessage('Packaging'),
+    },
+    Packaging2Delete: {
+        classification: PolicyRiskLevel.CRITICAL,
+        reason: messages.getMessage('Packaging'),
+    },
+    Packaging2PromoteVersion: {
+        classification: PolicyRiskLevel.CRITICAL,
+        reason: messages.getMessage('Packaging'),
+    },
+    InstallPackaging: {
+        classification: PolicyRiskLevel.CRITICAL,
+        reason: messages.getMessage('Packaging'),
+    },
+    ApiEnabled: {
+        classification: PolicyRiskLevel.HIGH,
+        reason: messages.getMessage('ApiEnabled'),
+    },
+    ViewAllData: {
+        classification: PolicyRiskLevel.HIGH,
+        reason: messages.getMessage('ViewAllData'),
+    },
+    ModifyAllData: {
+        classification: PolicyRiskLevel.HIGH,
+        reason: messages.getMessage('ViewAllData'),
+    },
+    ManageTwoFactor: {
+        classification: PolicyRiskLevel.HIGH,
+        reason: messages.getMessage('ManageTwoFactor'),
+    },
+    CanApproveUninstalledApps: {
+        classification: PolicyRiskLevel.HIGH,
+        reason: messages.getMessage('CanApproveUninstalledApps'),
+    },
+};
+//# sourceMappingURL=defaultPolicyClassification.js.map

package/lib/libs/config/defaultPolicyClassification.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"defaultPolicyClassification.js","sourceRoot":"","sources":["../../../src/libs/config/defaultPolicyClassification.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAGvD,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,uBAAuB,CAAC,CAAC;AAEtG,MAAM,CAAC,MAAM,uBAAuB,GAA8C;IAChF,oBAAoB,EAAE;QACpB,cAAc,EAAE,eAAe,CAAC,QAAQ;QACxC,MAAM,EAAE,QAAQ,CAAC,UAAU,CAAC,sBAAsB,CAAC;KACpD;IACD,cAAc,EAAE;QACd,cAAc,EAAE,eAAe,CAAC,QAAQ;QACxC,MAAM,EAAE,QAAQ,CAAC,UAAU,CAAC,sBAAsB,CAAC;KACpD;IACD,SAAS,EAAE;QACT,cAAc,EAAE,eAAe,CAAC,IAAI;QACpC,MAAM,EAAE,QAAQ,CAAC,UAAU,CAAC,WAAW,CAAC;KACzC;IACD,UAAU,EAAE;QACV,cAAc,EAAE,eAAe,CAAC,QAAQ;QACxC,MAAM,EAAE,QAAQ,CAAC,UAAU,CAAC,YAAY,CAAC;KAC1C;IACD,mBAAmB,EAAE;QACnB,cAAc,EAAE,eAAe,CAAC,QAAQ;QACxC,MAAM,EAAE,QAAQ,CAAC,UAAU,CAAC,qBAAqB,CAAC;KACnD;IACD,UAAU,EAAE;QACV,cAAc,EAAE,eAAe,CAAC,QAAQ;QACxC,MAAM,EAAE,QAAQ,CAAC,UAAU,CAAC,WAAW,CAAC;KACzC;IACD,gBAAgB,EAAE;QAChB,cAAc,EAAE,eAAe,CAAC,QAAQ;QACxC,MAAM,EAAE,QAAQ,CAAC,UAAU,CAAC,WAAW,CAAC;KACzC;IACD,wBAAwB,EAAE;QACxB,cAAc,EAAE,eAAe,CAAC,QAAQ;QACxC,MAAM,EAAE,QAAQ,CAAC,UAAU,CAAC,WAAW,CAAC;KACzC;IACD,gBAAgB,EAAE;QAChB,cAAc,EAAE,eAAe,CAAC,QAAQ;QACxC,MAAM,EAAE,QAAQ,CAAC,UAAU,CAAC,WAAW,CAAC;KACzC;IACD,UAAU,EAAE;QACV,cAAc,EAAE,eAAe,CAAC,IAAI;QACpC,MAAM,EAAE,QAAQ,CAAC,UAAU,CAAC,YAAY,CAAC;KAC1C;IACD,WAAW,EAAE;QACX,cAAc,EAAE,eAAe,CAAC,IAAI;QACpC,MAAM,EAAE,QAAQ,CAAC,UAAU,CAAC,aAAa,CAAC;KAC3C;IACD,aAAa,EAAE;QACb,cAAc,EAAE,eAAe,CAAC,IAAI;QACpC,MAAM,EAAE,QAAQ,CAAC,UAAU,CAAC,aAAa,CAAC;KAC3C;IACD,eAAe,EAAE;QACf,cAAc,EAAE,eAAe,CAAC,IAAI;QACpC,MAAM,EAAE,QAAQ,CAAC,UAAU,CAAC,iBAAiB,CAAC;KAC/C;IACD,yBAAyB,EAAE;QACzB,cAAc,EAAE,eAAe,CAAC,IAAI;QACpC,MAAM,EAAE,QAAQ,CAAC,UAAU,CAAC,2BAA2B,CAAC;KACzD;CACF,CAAC"}

package/lib/libs/config/queries.d.ts

@@ -0,0 +1,5 @@
+export declare const CUSTOM_PERMS_QUERY = "SELECT Id,MasterLabel,DeveloperName FROM CustomPermission";
+export declare const PROFILES_QUERY = "SELECT Profile.Name,Profile.UserType,IsCustom FROM PermissionSet WHERE IsOwnedByProfile = TRUE";
+export declare const PERMISSION_SETS_QUERY = "SELECT Name,Label,IsCustom,NamespacePrefix FROM PermissionSet WHERE IsOwnedByProfile = FALSE AND NamespacePrefix = NULL";
+export declare const CONNECTED_APPS_QUERY = "SELECT Name,OptionsAllowAdminApprovedUsersOnly FROM ConnectedApplication";
+export declare const OAUTH_TOKEN_QUERY = "SELECT User.Username,UseCount,AppName FROM OauthToken";

package/lib/libs/config/queries.js

@@ -0,0 +1,6 @@
+export const CUSTOM_PERMS_QUERY = 'SELECT Id,MasterLabel,DeveloperName FROM CustomPermission';
+export const PROFILES_QUERY = 'SELECT Profile.Name,Profile.UserType,IsCustom FROM PermissionSet WHERE IsOwnedByProfile = TRUE';
+export const PERMISSION_SETS_QUERY = 'SELECT Name,Label,IsCustom,NamespacePrefix FROM PermissionSet WHERE IsOwnedByProfile = FALSE AND NamespacePrefix = NULL';
+export const CONNECTED_APPS_QUERY = 'SELECT Name,OptionsAllowAdminApprovedUsersOnly FROM ConnectedApplication';
+export const OAUTH_TOKEN_QUERY = 'SELECT User.Username,UseCount,AppName FROM OauthToken';
+//# sourceMappingURL=queries.js.map

package/lib/libs/config/queries.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"queries.js","sourceRoot":"","sources":["../../../src/libs/config/queries.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,kBAAkB,GAAG,2DAA2D,CAAC;AAC9F,MAAM,CAAC,MAAM,cAAc,GACzB,gGAAgG,CAAC;AACnG,MAAM,CAAC,MAAM,qBAAqB,GAChC,yHAAyH,CAAC;AAC5H,MAAM,CAAC,MAAM,oBAAoB,GAAG,0EAA0E,CAAC;AAC/G,MAAM,CAAC,MAAM,iBAAiB,GAAG,uDAAuD,CAAC"}

package/lib/libs/config/registries/connectedApps.d.ts

@@ -0,0 +1,5 @@
+import RuleRegistry from './ruleRegistry.js';
+export default class ConnectedAppsRuleRegistry extends RuleRegistry {
+    constructor();
+}
+export declare const ConnectedAppsRegistry: ConnectedAppsRuleRegistry;

package/lib/libs/config/registries/connectedApps.js

@@ -0,0 +1,13 @@
+import AllUsedAppsUnderManagement from '../../policies/rules/allUsedAppsUnderManagement.js';
+import NoUserCanSelfAuthorize from '../../policies/rules/noUserCanSelfAuthorize.js';
+import RuleRegistry from './ruleRegistry.js';
+export default class ConnectedAppsRuleRegistry extends RuleRegistry {
+    constructor() {
+        super({
+            AllUsedAppsUnderManagement,
+            NoUserCanSelfAuthorize,
+        });
+    }
+}
+export const ConnectedAppsRegistry = new ConnectedAppsRuleRegistry();
+//# sourceMappingURL=connectedApps.js.map

package/lib/libs/config/registries/connectedApps.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"connectedApps.js","sourceRoot":"","sources":["../../../../src/libs/config/registries/connectedApps.ts"],"names":[],"mappings":"AAAA,OAAO,0BAA0B,MAAM,oDAAoD,CAAC;AAC5F,OAAO,sBAAsB,MAAM,gDAAgD,CAAC;AACpF,OAAO,YAAY,MAAM,mBAAmB,CAAC;AAE7C,MAAM,CAAC,OAAO,OAAO,yBAA0B,SAAQ,YAAY;IACjE;QACE,KAAK,CAAC;YACJ,0BAA0B;YAC1B,sBAAsB;SACvB,CAAC,CAAC;IACL,CAAC;CACF;AAED,MAAM,CAAC,MAAM,qBAAqB,GAAG,IAAI,yBAAyB,EAAE,CAAC"}

package/lib/libs/config/registries/permissionSets.d.ts

@@ -0,0 +1,5 @@
+import RuleRegistry from './ruleRegistry.js';
+export default class PermSetsRuleRegistry extends RuleRegistry {
+    constructor();
+}
+export declare const PermissionSetsRegistry: PermSetsRuleRegistry;

package/lib/libs/config/registries/permissionSets.js

@@ -0,0 +1,11 @@
+import EnforceUserPermsClassificationOnPermSets from '../../policies/rules/enforceUserPermsClassificationOnPermSets.js';
+import RuleRegistry from './ruleRegistry.js';
+export default class PermSetsRuleRegistry extends RuleRegistry {
+    constructor() {
+        super({
+            EnforceUserPermissionClassifications: EnforceUserPermsClassificationOnPermSets,
+        });
+    }
+}
+export const PermissionSetsRegistry = new PermSetsRuleRegistry();
+//# sourceMappingURL=permissionSets.js.map

package/lib/libs/config/registries/permissionSets.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissionSets.js","sourceRoot":"","sources":["../../../../src/libs/config/registries/permissionSets.ts"],"names":[],"mappings":"AAAA,OAAO,wCAAwC,MAAM,kEAAkE,CAAC;AACxH,OAAO,YAAY,MAAM,mBAAmB,CAAC;AAE7C,MAAM,CAAC,OAAO,OAAO,oBAAqB,SAAQ,YAAY;IAC5D;QACE,KAAK,CAAC;YACJ,oCAAoC,EAAE,wCAAwC;SAC/E,CAAC,CAAC;IACL,CAAC;CACF;AAED,MAAM,CAAC,MAAM,sBAAsB,GAAG,IAAI,oBAAoB,EAAE,CAAC"}

package/lib/libs/config/registries/profiles.d.ts

@@ -0,0 +1,5 @@
+import RuleRegistry from './ruleRegistry.js';
+export default class ProfilesRuleRegistry extends RuleRegistry {
+    constructor();
+}
+export declare const ProfilesRegistry: ProfilesRuleRegistry;

package/lib/libs/config/registries/profiles.js

@@ -0,0 +1,13 @@
+import EnforceCustomPermsClassificationOnProfiles from '../../policies/rules/enforceCustomPermsClassificationOnProfiles.js';
+import EnforceUserPermsClassificationOnProfiles from '../../policies/rules/enforceUserPermsClassificationOnProfiles.js';
+import RuleRegistry from './ruleRegistry.js';
+export default class ProfilesRuleRegistry extends RuleRegistry {
+    constructor() {
+        super({
+            EnforceCustomPermissionClassifications: EnforceCustomPermsClassificationOnProfiles,
+            EnforceUserPermissionClassifications: EnforceUserPermsClassificationOnProfiles,
+        });
+    }
+}
+export const ProfilesRegistry = new ProfilesRuleRegistry();
+//# sourceMappingURL=profiles.js.map

package/lib/libs/config/registries/profiles.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"profiles.js","sourceRoot":"","sources":["../../../../src/libs/config/registries/profiles.ts"],"names":[],"mappings":"AAAA,OAAO,0CAA0C,MAAM,oEAAoE,CAAC;AAC5H,OAAO,wCAAwC,MAAM,kEAAkE,CAAC;AACxH,OAAO,YAAY,MAAM,mBAAmB,CAAC;AAE7C,MAAM,CAAC,OAAO,OAAO,oBAAqB,SAAQ,YAAY;IAC5D;QACE,KAAK,CAAC;YACJ,sCAAsC,EAAE,0CAA0C;YAClF,oCAAoC,EAAE,wCAAwC;SAC/E,CAAC,CAAC;IACL,CAAC;CACF;AAED,MAAM,CAAC,MAAM,gBAAgB,GAAG,IAAI,oBAAoB,EAAE,CAAC"}

package/lib/libs/config/registries/ruleRegistry.d.ts

@@ -0,0 +1,29 @@
+import { AuditRunConfig, RuleMap } from '../audit-run/schema.js';
+import { RowLevelPolicyRule } from '../../policies/interfaces/policyRuleInterfaces.js';
+import { RegistryRuleResolveResult } from './types.js';
+type Constructor<T, Args extends any[] = any[]> = new (...args: Args) => T;
+/**
+ * The rule registry holds all available rules for a given policy at run time.
+ * It is designed to be extendible so we can easily register new rules and it will
+ * allow users to BYOR ("bring your own rules").
+ */
+export default class RuleRegistry {
+    rules: Record<string, Constructor<RowLevelPolicyRule<unknown>>>;
+    constructor(rules: Record<string, Constructor<RowLevelPolicyRule<unknown>>>);
+    /**
+     * Returns the display/config names of all registered rules
+     *
+     * @returns
+     */
+    registeredRules(): string[];
+    /**
+     * Resolves a given set of rule configs to actually registered rules. Unknown
+     * rules are ignored and disabled rules are skipped.
+     *
+     * @param ruleObjs
+     * @param auditContext
+     * @returns
+     */
+    resolveRules(ruleObjs: RuleMap, auditContext: AuditRunConfig): RegistryRuleResolveResult;
+}
+export {};

package/lib/libs/config/registries/ruleRegistry.js

@@ -0,0 +1,48 @@
+import { Messages } from '@salesforce/core';
+Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
+const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'policies.general');
+/**
+ * The rule registry holds all available rules for a given policy at run time.
+ * It is designed to be extendible so we can easily register new rules and it will
+ * allow users to BYOR ("bring your own rules").
+ */
+export default class RuleRegistry {
+    rules;
+    constructor(rules) {
+        this.rules = rules;
+    }
+    /**
+     * Returns the display/config names of all registered rules
+     *
+     * @returns
+     */
+    registeredRules() {
+        return Object.keys(this.rules);
+    }
+    /**
+     * Resolves a given set of rule configs to actually registered rules. Unknown
+     * rules are ignored and disabled rules are skipped.
+     *
+     * @param ruleObjs
+     * @param auditContext
+     * @returns
+     */
+    resolveRules(ruleObjs, auditContext) {
+        const enabledRules = new Array();
+        const skippedRules = new Array();
+        const resolveErrors = new Array();
+        Object.entries(ruleObjs).forEach(([ruleName, ruleConfig]) => {
+            if (this.rules[ruleName] && ruleConfig.enabled) {
+                enabledRules.push(new this.rules[ruleName]({ auditContext, ruleDisplayName: ruleName, ruleConfig: ruleConfig.config }));
+            }
+            else if (!ruleConfig.enabled) {
+                skippedRules.push({ name: ruleName, skipReason: messages.getMessage('skip-reason.rule-not-enabled') });
+            }
+            else {
+                resolveErrors.push({ name: ruleName, message: messages.getMessage('resolve-error.rule-not-registered') });
+            }
+        });
+        return { enabledRules, skippedRules, resolveErrors };
+    }
+}
+//# sourceMappingURL=ruleRegistry.js.map

package/lib/libs/config/registries/ruleRegistry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ruleRegistry.js","sourceRoot":"","sources":["../../../../src/libs/config/registries/ruleRegistry.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAM5C,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,kBAAkB,CAAC,CAAC;AAKjG;;;;GAIG;AACH,MAAM,CAAC,OAAO,OAAO,YAAY;IACL;IAA1B,YAA0B,KAA+D;QAA/D,UAAK,GAAL,KAAK,CAA0D;IAAG,CAAC;IAE7F;;;;OAIG;IACI,eAAe;QACpB,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACjC,CAAC;IAED;;;;;;;OAOG;IACI,YAAY,CAAC,QAAiB,EAAE,YAA4B;QACjE,MAAM,YAAY,GAAG,IAAI,KAAK,EAA+B,CAAC;QAC9D,MAAM,YAAY,GAAG,IAAI,KAAK,EAAwB,CAAC;QACvD,MAAM,aAAa,GAAG,IAAI,KAAK,EAAsB,CAAC;QACtD,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE,UAAU,CAAC,EAAE,EAAE;YAC1D,IAAI,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,UAAU,CAAC,OAAO,EAAE,CAAC;gBAC/C,YAAY,CAAC,IAAI,CACf,IAAI,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,EAAE,YAAY,EAAE,eAAe,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,CAAC,MAAM,EAAE,CAAC,CACrG,CAAC;YACJ,CAAC;iBAAM,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;gBAC/B,YAAY,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,CAAC,UAAU,CAAC,8BAA8B,CAAC,EAAE,CAAC,CAAC;YACzG,CAAC;iBAAM,CAAC;gBACN,aAAa,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,mCAAmC,CAAC,EAAE,CAAC,CAAC;YAC5G,CAAC;QACH,CAAC,CAAC,CAAC;QACH,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,aAAa,EAAE,CAAC;IACvD,CAAC;CACF"}

package/lib/libs/config/registries/types.d.ts

@@ -0,0 +1,7 @@
+import { EntityResolveError, PolicyRuleSkipResult } from '../../audit/types.js';
+import { RowLevelPolicyRule } from '../../policies/interfaces/policyRuleInterfaces.js';
+export type RegistryRuleResolveResult = {
+    enabledRules: Array<RowLevelPolicyRule<unknown>>;
+    skippedRules: PolicyRuleSkipResult[];
+    resolveErrors: EntityResolveError[];
+};

package/lib/libs/config/registries/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/lib/libs/config/registries/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../../src/libs/config/registries/types.ts"],"names":[],"mappings":""}

package/lib/libs/mdapiRetriever.d.ts

@@ -0,0 +1,18 @@
+import { Connection } from '@salesforce/core';
+import { ConnectedAppSettings, PermissionSet } from '@jsforce/jsforce-node/lib/api/metadata.js';
+export type PermissionSetMetadata = {
+    PermissionSet: PermissionSet;
+};
+export type ConnectedAppSettingsFileContent = {
+    ConnectedAppSettings: ConnectedAppSettings;
+};
+export default class MdapiRetriever {
+    private connection;
+    private readonly retrieveOptions;
+    constructor(connection: Connection);
+    retrievePermissionsets(componentNames: string[]): Promise<Record<string, PermissionSet>>;
+    retrieveConnectedAppSetting(): Promise<ConnectedAppSettings | undefined>;
+    private retrieve;
+}
+export declare function parseAsPermissionset(filePath: string): PermissionSet;
+export declare function parseAsConnectedAppSetting(filePath: string): ConnectedAppSettings;

package/lib/libs/mdapiRetriever.js

@@ -0,0 +1,60 @@
+import { readFileSync } from 'node:fs';
+import { ComponentSet } from '@salesforce/source-deploy-retrieve';
+import { XMLParser } from 'fast-xml-parser';
+const parser = new XMLParser({
+    isArray: (jpath) => ['userPermissions', 'fieldPermissions', 'customPermissions', 'classAccesses'].includes(jpath),
+});
+export default class MdapiRetriever {
+    connection;
+    retrieveOptions;
+    constructor(connection) {
+        this.connection = connection;
+        this.retrieveOptions = {
+            usernameOrConnection: this.connection,
+            output: '.jsc/retrieves',
+        };
+    }
+    async retrievePermissionsets(componentNames) {
+        const components = componentNames.map((cname) => ({ type: 'PermissionSet', fullName: cname }));
+        if (components.length === 0) {
+            return {};
+        }
+        const retrieveResult = await this.retrieve(components);
+        const result = {};
+        retrieveResult.components
+            .getSourceComponents()
+            .toArray()
+            .forEach((sourceComponent) => {
+            if (sourceComponent.xml) {
+                result[sourceComponent.name] = parseAsPermissionset(sourceComponent.xml);
+            }
+        });
+        return result;
+    }
+    async retrieveConnectedAppSetting() {
+        const cmp = { type: 'Settings', fullName: 'ConnectedApp' };
+        const retrieveResult = await this.retrieve([cmp]);
+        if (retrieveResult.components.getSourceComponents().toArray().length === 1) {
+            const filePath = retrieveResult.components.getSourceComponents().toArray()[0].xml;
+            if (filePath) {
+                return parseAsConnectedAppSetting(filePath);
+            }
+        }
+        return undefined;
+    }
+    async retrieve(components) {
+        const compSet = new ComponentSet(components);
+        const retrieveRequest = await compSet.retrieve(this.retrieveOptions);
+        const retrieveResult = await retrieveRequest.pollStatus();
+        return retrieveResult;
+    }
+}
+export function parseAsPermissionset(filePath) {
+    const cmpSrcContent = readFileSync(filePath, 'utf-8');
+    return parser.parse(cmpSrcContent).PermissionSet;
+}
+export function parseAsConnectedAppSetting(filePath) {
+    const cmpSrcContent = readFileSync(filePath, 'utf-8');
+    return parser.parse(cmpSrcContent).ConnectedAppSettings;
+}
+//# sourceMappingURL=mdapiRetriever.js.map

package/lib/libs/mdapiRetriever.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mdapiRetriever.js","sourceRoot":"","sources":["../../src/libs/mdapiRetriever.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAEvC,OAAO,EAAiB,YAAY,EAAsC,MAAM,oCAAoC,CAAC;AACrH,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAG5C,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;IAC3B,OAAO,EAAE,CAAC,KAAK,EAAW,EAAE,CAC1B,CAAC,iBAAiB,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,eAAe,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;CAChG,CAAC,CAAC;AAUH,MAAM,CAAC,OAAO,OAAO,cAAc;IAGN;IAFV,eAAe,CAAqB;IAErD,YAA2B,UAAsB;QAAtB,eAAU,GAAV,UAAU,CAAY;QAC/C,IAAI,CAAC,eAAe,GAAG;YACrB,oBAAoB,EAAE,IAAI,CAAC,UAAU;YACrC,MAAM,EAAE,gBAAgB;SACzB,CAAC;IACJ,CAAC;IAEM,KAAK,CAAC,sBAAsB,CAAC,cAAwB;QAC1D,MAAM,UAAU,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,eAAe,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;QAC/F,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,OAAO,EAAE,CAAC;QACZ,CAAC;QACD,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;QACvD,MAAM,MAAM,GAAkC,EAAE,CAAC;QACjD,cAAc,CAAC,UAAU;aACtB,mBAAmB,EAAE;aACrB,OAAO,EAAE;aACT,OAAO,CAAC,CAAC,eAAe,EAAE,EAAE;YAC3B,IAAI,eAAe,CAAC,GAAG,EAAE,CAAC;gBACxB,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,GAAG,oBAAoB,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;YAC3E,CAAC;QACH,CAAC,CAAC,CAAC;QACL,OAAO,MAAM,CAAC;IAChB,CAAC;IAEM,KAAK,CAAC,2BAA2B;QACtC,MAAM,GAAG,GAAG,EAAE,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,cAAc,EAAE,CAAC;QAC3D,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAClD,IAAI,cAAc,CAAC,UAAU,CAAC,mBAAmB,EAAE,CAAC,OAAO,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC3E,MAAM,QAAQ,GAAG,cAAc,CAAC,UAAU,CAAC,mBAAmB,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;YAClF,IAAI,QAAQ,EAAE,CAAC;gBACb,OAAO,0BAA0B,CAAC,QAAQ,CAAC,CAAC;YAC9C,CAAC;QACH,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAEO,KAAK,CAAC,QAAQ,CAAC,UAA2B;QAChD,MAAM,OAAO,GAAG,IAAI,YAAY,CAAC,UAAU,CAAC,CAAC;QAC7C,MAAM,eAAe,GAAG,MAAM,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QACrE,MAAM,cAAc,GAAG,MAAM,eAAe,CAAC,UAAU,EAAE,CAAC;QAC1D,OAAO,cAAc,CAAC;IACxB,CAAC;CACF;AAED,MAAM,UAAU,oBAAoB,CAAC,QAAgB;IACnD,MAAM,aAAa,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACtD,OAAQ,MAAM,CAAC,KAAK,CAAC,aAAa,CAA2B,CAAC,aAAa,CAAC;AAC9E,CAAC;AAED,MAAM,UAAU,0BAA0B,CAAC,QAAgB;IACzD,MAAM,aAAa,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACtD,OAAQ,MAAM,CAAC,KAAK,CAAC,aAAa,CAAqC,CAAC,oBAAoB,CAAC;AAC/F,CAAC"}

package/lib/libs/policies/auditRun.d.ts

@@ -0,0 +1,36 @@
+import EventEmitter from 'node:events';
+import { Connection } from '@salesforce/core';
+import { AuditResult } from '../audit/types.js';
+import { AuditRunConfig } from '../config/audit-run/schema.js';
+import Policy from './policy.js';
+type PolicyMap = Record<string, Policy>;
+export declare function startAuditRun(directoryPath: string): AuditRun;
+export type EntityResolveEvent = {
+    total: number;
+    resolved: number;
+    policyName: string;
+};
+/**
+ * Instance of an audit run that manages high-level operations
+ */
+export default class AuditRun extends EventEmitter {
+    configs: AuditRunConfig;
+    private executablePolicies?;
+    constructor(configs: AuditRunConfig);
+    /**
+     * Loads all policies, resolves entities and caches the results.
+     *
+     * @param targetOrgConnection
+     */
+    resolve(targetOrgConnection: Connection): Promise<PolicyMap>;
+    /**
+     * Executes an initialised audit run. Resolves policies entities
+     * and executes all rules.
+     *
+     * @param targetOrgConnection
+     * @returns
+     */
+    execute(targetCon: Connection): Promise<Omit<AuditResult, 'orgId'>>;
+    private loadPolicies;
+}
+export {};

package/lib/libs/policies/auditRun.js

@@ -0,0 +1,92 @@
+// import fs from 'node:fs';
+import EventEmitter from 'node:events';
+import ProfilePolicy from './profilePolicy.js';
+import PermissionSetPolicy from './permissionSetPolicy.js';
+import ConnectedAppPolicy from './connectedAppPolicy.js';
+import AuditConfig from './initialisation/auditConfig.js';
+export function startAuditRun(directoryPath) {
+    const conf = AuditConfig.load(directoryPath);
+    return new AuditRun(conf);
+}
+/**
+ * Instance of an audit run that manages high-level operations
+ */
+export default class AuditRun extends EventEmitter {
+    configs;
+    executablePolicies;
+    constructor(configs) {
+        super();
+        this.configs = configs;
+    }
+    /**
+     * Loads all policies, resolves entities and caches the results.
+     *
+     * @param targetOrgConnection
+     */
+    async resolve(targetOrgConnection) {
+        if (this.executablePolicies) {
+            return this.executablePolicies;
+        }
+        this.executablePolicies = this.loadPolicies(this.configs);
+        const resolveResultPromises = [];
+        Object.values(this.executablePolicies).forEach((executable) => {
+            resolveResultPromises.push(executable.resolve({ targetOrgConnection }));
+        });
+        await Promise.all(resolveResultPromises);
+        return this.executablePolicies;
+    }
+    /**
+     * Executes an initialised audit run. Resolves policies entities
+     * and executes all rules.
+     *
+     * @param targetOrgConnection
+     * @returns
+     */
+    async execute(targetCon) {
+        this.executablePolicies = await this.resolve(targetCon);
+        const results = await runPolicies(this.executablePolicies, targetCon);
+        return {
+            auditDate: new Date().toISOString(),
+            isCompliant: isCompliant(results),
+            policies: results,
+        };
+    }
+    loadPolicies(config) {
+        const pols = {};
+        if (config.policies.Profiles) {
+            pols.Profiles = new ProfilePolicy(config.policies.Profiles.content, config);
+        }
+        if (config.policies.PermissionSets) {
+            pols.PermissionSets = new PermissionSetPolicy(config.policies.PermissionSets.content, config);
+        }
+        if (config.policies.ConnectedApps) {
+            pols.ConnectedApps = new ConnectedAppPolicy(config.policies.ConnectedApps.content, config);
+        }
+        Object.entries(pols).forEach(([policyName, policy]) => {
+            policy.addListener('entityresolve', (resolveStats) => {
+                this.emit(`entityresolve-${policyName}`, { policyName, ...resolveStats });
+            });
+        });
+        return pols;
+    }
+}
+function isCompliant(results) {
+    const list = Object.values(results);
+    return list.reduce((prevVal, currentVal) => prevVal && currentVal.isCompliant, list[0].isCompliant);
+}
+async function runPolicies(policies, targetOrgConnection) {
+    const resultsArray = [];
+    const policiesList = [];
+    Object.entries(policies).forEach(([policyKey, executable]) => {
+        policiesList.push(policyKey);
+        resultsArray.push(executable.run({ targetOrgConnection }));
+    });
+    const arrayResult = await Promise.all(resultsArray);
+    const results = {};
+    arrayResult.forEach((policyResult) => {
+        const policyKey = policiesList[arrayResult.indexOf(policyResult)];
+        results[policyKey] = policyResult;
+    });
+    return results;
+}
+//# sourceMappingURL=auditRun.js.map

package/lib/libs/policies/auditRun.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auditRun.js","sourceRoot":"","sources":["../../../src/libs/policies/auditRun.ts"],"names":[],"mappings":"AAAA,4BAA4B;AAC5B,OAAO,YAAY,MAAM,aAAa,CAAC;AAIvC,OAAO,aAAa,MAAM,oBAAoB,CAAC;AAE/C,OAAO,mBAAmB,MAAM,0BAA0B,CAAC;AAC3D,OAAO,kBAAkB,MAAM,yBAAyB,CAAC;AACzD,OAAO,WAAW,MAAM,iCAAiC,CAAC;AAK1D,MAAM,UAAU,aAAa,CAAC,aAAqB;IACjD,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAC7C,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC;AAC5B,CAAC;AAQD;;GAEG;AACH,MAAM,CAAC,OAAO,OAAO,QAAS,SAAQ,YAAY;IAGtB;IAFlB,kBAAkB,CAAa;IAEvC,YAA0B,OAAuB;QAC/C,KAAK,EAAE,CAAC;QADgB,YAAO,GAAP,OAAO,CAAgB;IAEjD,CAAC;IAED;;;;OAIG;IACI,KAAK,CAAC,OAAO,CAAC,mBAA+B;QAClD,IAAI,IAAI,CAAC,kBAAkB,EAAE,CAAC;YAC5B,OAAO,IAAI,CAAC,kBAAkB,CAAC;QACjC,CAAC;QACD,IAAI,CAAC,kBAAkB,GAAG,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC1D,MAAM,qBAAqB,GAAwC,EAAE,CAAC;QACtE,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,OAAO,CAAC,CAAC,UAAU,EAAE,EAAE;YAC5D,qBAAqB,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,mBAAmB,EAAE,CAAC,CAAC,CAAC;QAC1E,CAAC,CAAC,CAAC;QACH,MAAM,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;QACzC,OAAO,IAAI,CAAC,kBAAkB,CAAC;IACjC,CAAC;IAED;;;;;;OAMG;IACI,KAAK,CAAC,OAAO,CAAC,SAAqB;QACxC,IAAI,CAAC,kBAAkB,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACxD,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,kBAAkB,EAAE,SAAS,CAAC,CAAC;QACtE,OAAO;YACL,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,WAAW,EAAE,WAAW,CAAC,OAAO,CAAC;YACjC,QAAQ,EAAE,OAAO;SAClB,CAAC;IACJ,CAAC;IAEO,YAAY,CAAC,MAAsB;QACzC,MAAM,IAAI,GAAc,EAAE,CAAC;QAC3B,IAAI,MAAM,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;YAC7B,IAAI,CAAC,QAAQ,GAAG,IAAI,aAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC9E,CAAC;QACD,IAAI,MAAM,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;YACnC,IAAI,CAAC,cAAc,GAAG,IAAI,mBAAmB,CAAC,MAAM,CAAC,QAAQ,CAAC,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAChG,CAAC;QACD,IAAI,MAAM,CAAC,QAAQ,CAAC,aAAa,EAAE,CAAC;YAClC,IAAI,CAAC,aAAa,GAAG,IAAI,kBAAkB,CAAC,MAAM,CAAC,QAAQ,CAAC,aAAa,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC7F,CAAC;QACD,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,UAAU,EAAE,MAAM,CAAC,EAAE,EAAE;YACpD,MAAM,CAAC,WAAW,CAAC,eAAe,EAAE,CAAC,YAAoD,EAAE,EAAE;gBAC3F,IAAI,CAAC,IAAI,CAAC,iBAAiB,UAAU,EAAE,EAAE,EAAE,UAAU,EAAE,GAAG,YAAY,EAAE,CAAC,CAAC;YAC5E,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAED,SAAS,WAAW,CAAC,OAAmB;IACtC,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACpC,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,UAAU,EAAE,EAAE,CAAC,OAAO,IAAI,UAAU,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;AACtG,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,QAAmB,EAAE,mBAA+B;IAC7E,MAAM,YAAY,GAAsC,EAAE,CAAC;IAC3D,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,EAAE,UAAU,CAAC,EAAE,EAAE;QAC3D,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC7B,YAAY,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,mBAAmB,EAAE,CAAC,CAAC,CAAC;IAC7D,CAAC,CAAC,CAAC;IACH,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IACpD,MAAM,OAAO,GAAe,EAAE,CAAC;IAC/B,WAAW,CAAC,OAAO,CAAC,CAAC,YAAY,EAAE,EAAE;QACnC,MAAM,SAAS,GAAG,YAAY,CAAC,WAAW,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC;QAClE,OAAO,CAAC,SAAS,CAAC,GAAG,YAAY,CAAC;IACpC,CAAC,CAAC,CAAC;IACH,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/lib/libs/policies/connectedAppPolicy.d.ts

@@ -0,0 +1,18 @@
+import RuleRegistry from '../config/registries/ruleRegistry.js';
+import { AuditRunConfig, BasePolicyFileContent } from '../config/audit-run/schema.js';
+import { AuditContext } from './interfaces/policyRuleInterfaces.js';
+import Policy, { ResolveEntityResult } from './policy.js';
+export type ResolvedConnectedApp = {
+    name: string;
+    origin: 'Installed' | 'OauthToken' | 'Owned';
+    onlyAdminApprovedUsersAllowed: boolean;
+    overrideByApiSecurityAccess: boolean;
+    useCount: number;
+    users: string[];
+};
+export default class ConnectedAppPolicy extends Policy {
+    config: BasePolicyFileContent;
+    auditConfig: AuditRunConfig;
+    constructor(config: BasePolicyFileContent, auditConfig: AuditRunConfig, registry?: RuleRegistry);
+    protected resolveEntities(context: AuditContext): Promise<ResolveEntityResult>;
+}

package/lib/libs/policies/connectedAppPolicy.js

@@ -0,0 +1,78 @@
+import ConnectedAppsRuleRegistry from '../config/registries/connectedApps.js';
+import { CONNECTED_APPS_QUERY, OAUTH_TOKEN_QUERY } from '../config/queries.js';
+import MdapiRetriever from '../mdapiRetriever.js';
+import Policy, { getTotal } from './policy.js';
+export default class ConnectedAppPolicy extends Policy {
+    config;
+    auditConfig;
+    constructor(config, auditConfig, registry = new ConnectedAppsRuleRegistry()) {
+        super(config, auditConfig, registry);
+        this.config = config;
+        this.auditConfig = auditConfig;
+    }
+    // eslint-disable-next-line class-methods-use-this
+    async resolveEntities(context) {
+        const successfullyResolved = {};
+        const ignoredEntities = {};
+        const metadataApi = new MdapiRetriever(context.targetOrgConnection);
+        this.emit('entityresolve', {
+            total: 0,
+            resolved: 0,
+        });
+        const installedApps = await context.targetOrgConnection.query(CONNECTED_APPS_QUERY);
+        this.emit('entityresolve', {
+            total: installedApps.totalSize,
+            resolved: 0,
+        });
+        installedApps.records.forEach((installedApp) => {
+            successfullyResolved[installedApp.Name] = {
+                name: installedApp.Name,
+                origin: 'Installed',
+                onlyAdminApprovedUsersAllowed: installedApp.OptionsAllowAdminApprovedUsersOnly,
+                overrideByApiSecurityAccess: false,
+                useCount: 0,
+                users: [],
+            };
+        });
+        const usersOAuthToken = await context.targetOrgConnection.query(OAUTH_TOKEN_QUERY);
+        usersOAuthToken.records.forEach((token) => {
+            if (successfullyResolved[token.AppName] === undefined) {
+                successfullyResolved[token.AppName] = {
+                    name: token.AppName,
+                    origin: 'OauthToken',
+                    onlyAdminApprovedUsersAllowed: false,
+                    overrideByApiSecurityAccess: false,
+                    useCount: token.UseCount,
+                    users: [token.User.Username],
+                };
+            }
+            else {
+                successfullyResolved[token.AppName].useCount += token.UseCount;
+                if (!successfullyResolved[token.AppName].users.includes(token.User.Username)) {
+                    successfullyResolved[token.AppName].users.push(token.User.Username);
+                }
+            }
+        });
+        this.emit('entityresolve', {
+            total: Object.keys(successfullyResolved).length,
+            resolved: 0,
+        });
+        let overrideByApiSecurityAccess = false;
+        const apiSecurityAccessSetting = await metadataApi.retrieveConnectedAppSetting();
+        if (apiSecurityAccessSetting && apiSecurityAccessSetting.enableAdminApprovedAppsOnly) {
+            overrideByApiSecurityAccess = true;
+        }
+        Object.values(successfullyResolved).forEach((conApp) => {
+            // eslint-disable-next-line no-param-reassign
+            conApp.overrideByApiSecurityAccess = overrideByApiSecurityAccess;
+        });
+        const result = { resolvedEntities: successfullyResolved, ignoredEntities: Object.values(ignoredEntities) };
+        this.emit('entityresolve', {
+            total: getTotal(result),
+            resolved: getTotal(result),
+        });
+        // also query from tooling, to get additional information info
+        return result;
+    }
+}
+//# sourceMappingURL=connectedAppPolicy.js.map