@j-schreiber/sf-cli-security-audit 0.2.0 → 0.4.0

package/lib/libs/policies/connectedAppPolicy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"connectedAppPolicy.js","sourceRoot":"","sources":["../../../src/libs/policies/connectedAppPolicy.ts"],"names":[],"mappings":"AACA,OAAO,yBAAyB,MAAM,uCAAuC,CAAC;AAG9E,OAAO,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AAC/E,OAAO,cAAc,MAAM,sBAAsB,CAAC;AAElD,OAAO,MAAM,EAAE,EAAE,QAAQ,EAAuB,MAAM,aAAa,CAAC;AAYpE,MAAM,CAAC,OAAO,OAAO,kBAAmB,SAAQ,MAAM;IAE3C;IACA;IAFT,YACS,MAA6B,EAC7B,WAA2B,EAClC,WAAyB,IAAI,yBAAyB,EAAE;QAExD,KAAK,CAAC,MAAM,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;QAJ9B,WAAM,GAAN,MAAM,CAAuB;QAC7B,gBAAW,GAAX,WAAW,CAAgB;IAIpC,CAAC;IAED,kDAAkD;IACxC,KAAK,CAAC,eAAe,CAAC,OAAqB;QACnD,MAAM,oBAAoB,GAAyC,EAAE,CAAC;QACtE,MAAM,eAAe,GAAuC,EAAE,CAAC;QAC/D,MAAM,WAAW,GAAG,IAAI,cAAc,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;QACpE,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;YACzB,KAAK,EAAE,CAAC;YACR,QAAQ,EAAE,CAAC;SACZ,CAAC,CAAC;QACH,MAAM,aAAa,GAAG,MAAM,OAAO,CAAC,mBAAmB,CAAC,KAAK,CAAe,oBAAoB,CAAC,CAAC;QAClG,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;YACzB,KAAK,EAAE,aAAa,CAAC,SAAS;YAC9B,QAAQ,EAAE,CAAC;SACZ,CAAC,CAAC;QACH,aAAa,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,YAAY,EAAE,EAAE;YAC7C,oBAAoB,CAAC,YAAY,CAAC,IAAI,CAAC,GAAG;gBACxC,IAAI,EAAE,YAAY,CAAC,IAAI;gBACvB,MAAM,EAAE,WAAW;gBACnB,6BAA6B,EAAE,YAAY,CAAC,kCAAkC;gBAC9E,2BAA2B,EAAE,KAAK;gBAClC,QAAQ,EAAE,CAAC;gBACX,KAAK,EAAE,EAAE;aACV,CAAC;QACJ,CAAC,CAAC,CAAC;QACH,MAAM,eAAe,GAAG,MAAM,OAAO,CAAC,mBAAmB,CAAC,KAAK,CAAa,iBAAiB,CAAC,CAAC;QAC/F,eAAe,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE;YACxC,IAAI,oBAAoB,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,SAAS,EAAE,CAAC;gBACtD,oBAAoB,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG;oBACpC,IAAI,EAAE,KAAK,CAAC,OAAO;oBACnB,MAAM,EAAE,YAAY;oBACpB,6BAA6B,EAAE,KAAK;oBACpC,2BAA2B,EAAE,KAAK;oBAClC,QAAQ,EAAE,KAAK,CAAC,QAAQ;oBACxB,KAAK,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC;iBAC7B,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,oBAAoB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,QAAQ,IAAI,KAAK,CAAC,QAAQ,CAAC;gBAC/D,IAAI,CAAC,oBAAoB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAC7E,oBAAoB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBACtE,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QACH,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;YACzB,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,MAAM;YAC/C,QAAQ,EAAE,CAAC;SACZ,CAAC,CAAC;QACH,IAAI,2BAA2B,GAAG,KAAK,CAAC;QACxC,MAAM,wBAAwB,GAAG,MAAM,WAAW,CAAC,2BAA2B,EAAE,CAAC;QACjF,IAAI,wBAAwB,IAAI,wBAAwB,CAAC,2BAA2B,EAAE,CAAC;YACrF,2BAA2B,GAAG,IAAI,CAAC;QACrC,CAAC;QACD,MAAM,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,EAAE;YACrD,6CAA6C;YAC7C,MAAM,CAAC,2BAA2B,GAAG,2BAA2B,CAAC;QACnE,CAAC,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,CAAC,MAAM,CAAC,eAAe,CAAC,EAAE,CAAC;QAC3G,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;YACzB,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC;YACvB,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC;SAC3B,CAAC,CAAC;QACH,8DAA8D;QAC9D,OAAO,MAAM,CAAC;IAChB,CAAC;CACF"}

package/lib/libs/policies/initialisation/auditConfig.d.ts

@@ -0,0 +1,27 @@
+import { Connection } from '@salesforce/core';
+import { AuditRunConfig } from '../../config/audit-run/schema.js';
+/**
+ * Additional options how the config should be initialised.
+ */
+export type AuditInitOptions = {
+    targetDir?: string;
+};
+/**
+ * Exposes key functionality to load an audit config as static methods. This makes
+ * it easy to mock the results during tests.
+ */
+export default class AuditConfig {
+    /**
+     * Initialise a new audit config from target org and writes
+     * files to the destination directory.
+     *
+     * @param con
+     */
+    static init(targetCon: Connection, opts?: AuditInitOptions): Promise<AuditRunConfig>;
+    /**
+     * Loads an existing audit config from a source directory
+     *
+     * @param sourceDir
+     */
+    static load(sourceDir: string): AuditRunConfig;
+}

package/lib/libs/policies/initialisation/auditConfig.js

@@ -0,0 +1,41 @@
+import AuditConfigFileManager from '../../config/audit-run/auditConfigFileManager.js';
+import { initCustomPermissions, initUserPermissions } from './permissionsClassification.js';
+import { initConnectedApps, initPermissionSets, initProfiles } from './policyConfigs.js';
+/**
+ * Exposes key functionality to load an audit config as static methods. This makes
+ * it easy to mock the results during tests.
+ */
+export default class AuditConfig {
+    /**
+     * Initialise a new audit config from target org and writes
+     * files to the destination directory.
+     *
+     * @param con
+     */
+    static async init(targetCon, opts) {
+        const fileManager = new AuditConfigFileManager();
+        const conf = { classifications: {}, policies: {} };
+        conf.classifications.userPermissions = { content: await initUserPermissions(targetCon) };
+        const customPerms = await initCustomPermissions(targetCon);
+        if (customPerms) {
+            conf.classifications.customPermissions = { content: customPerms };
+        }
+        conf.policies.Profiles = { content: await initProfiles(targetCon) };
+        conf.policies.PermissionSets = { content: await initPermissionSets(targetCon) };
+        conf.policies.ConnectedApps = { content: initConnectedApps() };
+        if (opts?.targetDir) {
+            fileManager.save(opts.targetDir, conf);
+        }
+        return conf;
+    }
+    /**
+     * Loads an existing audit config from a source directory
+     *
+     * @param sourceDir
+     */
+    static load(sourceDir) {
+        const fileManager = new AuditConfigFileManager();
+        return fileManager.parse(sourceDir);
+    }
+}
+//# sourceMappingURL=auditConfig.js.map

package/lib/libs/policies/initialisation/auditConfig.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auditConfig.js","sourceRoot":"","sources":["../../../../src/libs/policies/initialisation/auditConfig.ts"],"names":[],"mappings":"AAEA,OAAO,sBAAsB,MAAM,kDAAkD,CAAC;AACtF,OAAO,EAAE,qBAAqB,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAC5F,OAAO,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AASzF;;;GAGG;AACH,MAAM,CAAC,OAAO,OAAO,WAAW;IAC9B;;;;;OAKG;IACI,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAqB,EAAE,IAAuB;QACrE,MAAM,WAAW,GAAG,IAAI,sBAAsB,EAAE,CAAC;QACjD,MAAM,IAAI,GAAmB,EAAE,eAAe,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;QACnE,IAAI,CAAC,eAAe,CAAC,eAAe,GAAG,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC,SAAS,CAAC,EAAE,CAAC;QACzF,MAAM,WAAW,GAAG,MAAM,qBAAqB,CAAC,SAAS,CAAC,CAAC;QAC3D,IAAI,WAAW,EAAE,CAAC;YAChB,IAAI,CAAC,eAAe,CAAC,iBAAiB,GAAG,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC;QACpE,CAAC;QACD,IAAI,CAAC,QAAQ,CAAC,QAAQ,GAAG,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC,SAAS,CAAC,EAAE,CAAC;QACpE,IAAI,CAAC,QAAQ,CAAC,cAAc,GAAG,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC,SAAS,CAAC,EAAE,CAAC;QAChF,IAAI,CAAC,QAAQ,CAAC,aAAa,GAAG,EAAE,OAAO,EAAE,iBAAiB,EAAE,EAAE,CAAC;QAC/D,IAAI,IAAI,EAAE,SAAS,EAAE,CAAC;YACpB,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;QACzC,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;OAIG;IACI,MAAM,CAAC,IAAI,CAAC,SAAiB;QAClC,MAAM,WAAW,GAAG,IAAI,sBAAsB,EAAE,CAAC;QACjD,OAAO,WAAW,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IACtC,CAAC;CACF"}

package/lib/libs/policies/initialisation/permissionsClassification.d.ts

@@ -0,0 +1,17 @@
+import { Connection } from '@salesforce/core';
+import { NamedPermissionsClassification, PermissionsConfig } from '../../config/audit-run/schema.js';
+/**
+ * Initialises a fresh set of user permissions from target org connection
+ *
+ * @param con
+ * @returns
+ */
+export declare function initUserPermissions(con: Connection): Promise<PermissionsConfig>;
+/**
+ * Initialises a fresh set of custom permissions from the target org
+ *
+ * @param con
+ * @returns
+ */
+export declare function initCustomPermissions(con: Connection): Promise<PermissionsConfig | undefined>;
+export declare const classificationSorter: (a: NamedPermissionsClassification, b: NamedPermissionsClassification) => number;

package/lib/libs/policies/initialisation/permissionsClassification.js

@@ -0,0 +1,71 @@
+import { DEFAULT_CLASSIFICATIONS } from '../../config/defaultPolicyClassification.js';
+import { PolicyRiskLevel, resolveRiskLevelOrdinalValue } from '../types.js';
+import { CUSTOM_PERMS_QUERY } from '../../config/queries.js';
+/**
+ * Initialises a fresh set of user permissions from target org connection
+ *
+ * @param con
+ * @returns
+ */
+export async function initUserPermissions(con) {
+    const permSet = await con.describe('PermissionSet');
+    const result = { permissions: {} };
+    const perms = parsePermissionsFromPermSet(permSet);
+    perms.sort(classificationSorter);
+    perms.forEach((perm) => (result.permissions[perm.name] = {
+        label: sanitiseLabel(perm.label),
+        classification: perm.classification,
+        reason: perm.reason,
+    }));
+    return result;
+}
+/**
+ * Initialises a fresh set of custom permissions from the target org
+ *
+ * @param con
+ * @returns
+ */
+export async function initCustomPermissions(con) {
+    const result = { permissions: {} };
+    const customPerms = await con.query(CUSTOM_PERMS_QUERY);
+    if (customPerms.records.length === 0) {
+        return undefined;
+    }
+    const perms = customPerms.records.map((cp) => ({
+        name: cp.DeveloperName,
+        label: cp.MasterLabel,
+        classification: PolicyRiskLevel.UNKNOWN,
+    }));
+    perms.forEach((perm) => (result.permissions[perm.name] = {
+        label: perm.label,
+        classification: perm.classification,
+    }));
+    return result;
+}
+function parsePermissionsFromPermSet(describe) {
+    const permFields = describe.fields.filter((field) => field.name.startsWith('Permissions'));
+    return permFields.map((field) => {
+        const policyName = field.name.replace('Permissions', '');
+        const defaultDef = DEFAULT_CLASSIFICATIONS[policyName];
+        if (defaultDef) {
+            return {
+                label: field.label,
+                name: policyName,
+                classification: defaultDef.classification,
+                reason: defaultDef.reason,
+            };
+        }
+        else {
+            return {
+                label: field.label,
+                name: policyName,
+                classification: PolicyRiskLevel.UNKNOWN,
+            };
+        }
+    });
+}
+function sanitiseLabel(rawLabel) {
+    return rawLabel?.replace(/[ \t]+$|[\r\n]+/g, '');
+}
+export const classificationSorter = (a, b) => resolveRiskLevelOrdinalValue(a.classification) - resolveRiskLevelOrdinalValue(b.classification);
+//# sourceMappingURL=permissionsClassification.js.map

package/lib/libs/policies/initialisation/permissionsClassification.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissionsClassification.js","sourceRoot":"","sources":["../../../../src/libs/policies/initialisation/permissionsClassification.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,uBAAuB,EAAE,MAAM,6CAA6C,CAAC;AACtF,OAAO,EAAE,eAAe,EAAE,4BAA4B,EAAE,MAAM,aAAa,CAAC;AAC5E,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAG7D;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,GAAe;IACvD,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC;IACpD,MAAM,MAAM,GAAsB,EAAE,WAAW,EAAE,EAAE,EAAE,CAAC;IACtD,MAAM,KAAK,GAAG,2BAA2B,CAAC,OAAO,CAAC,CAAC;IACnD,KAAK,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IACjC,KAAK,CAAC,OAAO,CACX,CAAC,IAAI,EAAE,EAAE,CACP,CAAC,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;QAC/B,KAAK,EAAE,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC;QAChC,cAAc,EAAE,IAAI,CAAC,cAAc;QACnC,MAAM,EAAE,IAAI,CAAC,MAAM;KACpB,CAAC,CACL,CAAC;IACF,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,GAAe;IACzD,MAAM,MAAM,GAAsB,EAAE,WAAW,EAAE,EAAE,EAAE,CAAC;IACtD,MAAM,WAAW,GAAG,MAAM,GAAG,CAAC,KAAK,CAAmB,kBAAkB,CAAC,CAAC;IAC1E,IAAI,WAAW,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrC,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,MAAM,KAAK,GAAG,WAAW,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;QAC7C,IAAI,EAAE,EAAE,CAAC,aAAa;QACtB,KAAK,EAAE,EAAE,CAAC,WAAW;QACrB,cAAc,EAAE,eAAe,CAAC,OAAO;KACxC,CAAC,CAAC,CAAC;IACJ,KAAK,CAAC,OAAO,CACX,CAAC,IAAI,EAAE,EAAE,CACP,CAAC,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;QAC/B,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,cAAc,EAAE,IAAI,CAAC,cAAc;KACpC,CAAC,CACL,CAAC;IACF,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,2BAA2B,CAAC,QAA+B;IAClE,MAAM,UAAU,GAAG,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC,CAAC;IAC3F,OAAO,UAAU,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;QAC9B,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;QACzD,MAAM,UAAU,GAAG,uBAAuB,CAAC,UAAU,CAAC,CAAC;QACvD,IAAI,UAAU,EAAE,CAAC;YACf,OAAO;gBACL,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,IAAI,EAAE,UAAU;gBAChB,cAAc,EAAE,UAAU,CAAC,cAAc;gBACzC,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,OAAO;gBACL,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,IAAI,EAAE,UAAU;gBAChB,cAAc,EAAE,eAAe,CAAC,OAAO;aACxC,CAAC;QACJ,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,aAAa,CAAC,QAAiB;IACtC,OAAO,QAAQ,EAAE,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC,CAAC;AACnD,CAAC;AAED,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,CAAiC,EAAE,CAAiC,EAAU,EAAE,CACnH,4BAA4B,CAAC,CAAC,CAAC,cAAc,CAAC,GAAG,4BAA4B,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC"}

package/lib/libs/policies/initialisation/policyConfigs.d.ts

@@ -0,0 +1,25 @@
+import { Connection } from '@salesforce/core';
+import { BasePolicyFileContent, PermSetsPolicyFileContent, ProfilesPolicyFileContent } from '../../config/audit-run/schema.js';
+/**
+ * Initialises a new profiles policy with the local org's
+ * profiles and all default rules enabled.
+ *
+ * @param targetOrgCon
+ * @param targetDir
+ * @returns
+ */
+export declare function initProfiles(targetOrgCon: Connection): Promise<ProfilesPolicyFileContent>;
+/**
+ * Initialises a new permission sets policy with the local org's custom
+ * permissions and all default rules enabled.
+ *
+ * @param targetOrgCon
+ * @returns
+ */
+export declare function initPermissionSets(targetOrgCon: Connection): Promise<PermSetsPolicyFileContent>;
+/**
+ * Initialises a new connected apps policy with default rules enabled.
+ *
+ * @returns
+ */
+export declare function initConnectedApps(): BasePolicyFileContent;

package/lib/libs/policies/initialisation/policyConfigs.js

@@ -0,0 +1,67 @@
+import { PERMISSION_SETS_QUERY, PROFILES_QUERY } from '../../config/queries.js';
+import { ProfilesRegistry } from '../../config/registries/profiles.js';
+import { PermissionRiskLevelPresets } from '../types.js';
+import { PermissionSetsRegistry } from '../../config/registries/permissionSets.js';
+import { ConnectedAppsRegistry } from '../../config/registries/connectedApps.js';
+/**
+ * Initialises a new profiles policy with the local org's
+ * profiles and all default rules enabled.
+ *
+ * @param targetOrgCon
+ * @param targetDir
+ * @returns
+ */
+export async function initProfiles(targetOrgCon) {
+    const profiles = await targetOrgCon.query(PROFILES_QUERY);
+    const content = { enabled: true, profiles: {}, rules: {} };
+    profiles.records.forEach((permsetRecord) => {
+        content.profiles[permsetRecord.Profile.Name] = { preset: PermissionRiskLevelPresets.UNKNOWN };
+    });
+    ProfilesRegistry.registeredRules().forEach((ruleName) => {
+        content.rules[ruleName] = {
+            enabled: true,
+        };
+    });
+    return content;
+}
+/**
+ * Initialises a new permission sets policy with the local org's custom
+ * permissions and all default rules enabled.
+ *
+ * @param targetOrgCon
+ * @returns
+ */
+export async function initPermissionSets(targetOrgCon) {
+    const permSets = await targetOrgCon.query(PERMISSION_SETS_QUERY);
+    const content = {
+        enabled: true,
+        permissionSets: {},
+        rules: {},
+    };
+    permSets.records
+        .filter((permsetRecord) => permsetRecord.IsCustom)
+        .forEach((permsetRecord) => {
+        content.permissionSets[permsetRecord.Name] = { preset: PermissionRiskLevelPresets.UNKNOWN };
+    });
+    PermissionSetsRegistry.registeredRules().forEach((ruleName) => {
+        content.rules[ruleName] = {
+            enabled: true,
+        };
+    });
+    return content;
+}
+/**
+ * Initialises a new connected apps policy with default rules enabled.
+ *
+ * @returns
+ */
+export function initConnectedApps() {
+    const content = { enabled: true, rules: {} };
+    ConnectedAppsRegistry.registeredRules().forEach((ruleName) => {
+        content.rules[ruleName] = {
+            enabled: true,
+        };
+    });
+    return content;
+}
+//# sourceMappingURL=policyConfigs.js.map

package/lib/libs/policies/initialisation/policyConfigs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policyConfigs.js","sourceRoot":"","sources":["../../../../src/libs/policies/initialisation/policyConfigs.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,qBAAqB,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAOhF,OAAO,EAAE,gBAAgB,EAAE,MAAM,qCAAqC,CAAC;AACvE,OAAO,EAAE,0BAA0B,EAAE,MAAM,aAAa,CAAC;AACzD,OAAO,EAAE,sBAAsB,EAAE,MAAM,2CAA2C,CAAC;AACnF,OAAO,EAAE,qBAAqB,EAAE,MAAM,0CAA0C,CAAC;AAEjF;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,YAAwB;IACzD,MAAM,QAAQ,GAAG,MAAM,YAAY,CAAC,KAAK,CAAgB,cAAc,CAAC,CAAC;IACzE,MAAM,OAAO,GAA8B,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;IACtF,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,aAAa,EAAE,EAAE;QACzC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,0BAA0B,CAAC,OAAO,EAAE,CAAC;IAChG,CAAC,CAAC,CAAC;IACH,gBAAgB,CAAC,eAAe,EAAE,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,EAAE;QACtD,OAAO,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG;YACxB,OAAO,EAAE,IAAI;SACd,CAAC;IACJ,CAAC,CAAC,CAAC;IACH,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,YAAwB;IAC/D,MAAM,QAAQ,GAAG,MAAM,YAAY,CAAC,KAAK,CAAgB,qBAAqB,CAAC,CAAC;IAChF,MAAM,OAAO,GAA8B;QACzC,OAAO,EAAE,IAAI;QACb,cAAc,EAAE,EAAE;QAClB,KAAK,EAAE,EAAE;KACV,CAAC;IACF,QAAQ,CAAC,OAAO;SACb,MAAM,CAAC,CAAC,aAAa,EAAE,EAAE,CAAC,aAAa,CAAC,QAAQ,CAAC;SACjD,OAAO,CAAC,CAAC,aAAa,EAAE,EAAE;QACzB,OAAO,CAAC,cAAc,CAAC,aAAa,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,0BAA0B,CAAC,OAAO,EAAE,CAAC;IAC9F,CAAC,CAAC,CAAC;IACL,sBAAsB,CAAC,eAAe,EAAE,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,EAAE;QAC5D,OAAO,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG;YACxB,OAAO,EAAE,IAAI;SACd,CAAC;IACJ,CAAC,CAAC,CAAC;IACH,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iBAAiB;IAC/B,MAAM,OAAO,GAA0B,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;IACpE,qBAAqB,CAAC,eAAe,EAAE,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,EAAE;QAC3D,OAAO,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG;YACxB,OAAO,EAAE,IAAI;SACd,CAAC;IACJ,CAAC,CAAC,CAAC;IACH,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/lib/libs/policies/interfaces/policyRuleInterfaces.d.ts

@@ -0,0 +1,30 @@
+import { Connection } from '@salesforce/core';
+import { AuditPolicyResult, PolicyRuleExecutionResult } from '../../audit/types.js';
+import { Optional } from '../../utils.js';
+/**
+ * A rule must only implement a subset of the rule result. All optional
+ * properties are completed by the policy.
+ */
+export type PartialPolicyRuleResult = Optional<PolicyRuleExecutionResult, 'isCompliant' | 'compliantEntities' | 'violatedEntities'>;
+/**
+ *
+ */
+export type RowLevelPolicyRule<ResolvedEntityType> = {
+    run(context: RuleAuditContext<ResolvedEntityType>): Promise<PartialPolicyRuleResult>;
+};
+export type IPolicy = {
+    run(context: AuditContext): Promise<AuditPolicyResult>;
+};
+export type AuditContext = {
+    /**
+     * Connection to the target org
+     */
+    targetOrgConnection: Connection;
+};
+export type RuleAuditContext<T> = AuditContext & {
+    /**
+     * Resolved entities from the policy. Can be permission sets,
+     * profiles, users, connected apps, etc.
+     */
+    resolvedEntities: Record<string, T>;
+};

package/lib/libs/policies/interfaces/policyRuleInterfaces.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=policyRuleInterfaces.js.map

package/lib/libs/policies/interfaces/policyRuleInterfaces.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policyRuleInterfaces.js","sourceRoot":"","sources":["../../../../src/libs/policies/interfaces/policyRuleInterfaces.ts"],"names":[],"mappings":""}

package/lib/libs/policies/permissionSetPolicy.d.ts

@@ -0,0 +1,17 @@
+import { PermissionSet } from '@jsforce/jsforce-node/lib/api/metadata.js';
+import { AuditRunConfig, PermSetsPolicyFileContent } from '../config/audit-run/schema.js';
+import RuleRegistry from '../config/registries/ruleRegistry.js';
+import { AuditContext } from './interfaces/policyRuleInterfaces.js';
+import Policy, { ResolveEntityResult } from './policy.js';
+export type ResolvedPermissionSet = {
+    name: string;
+    preset: string;
+    metadata: PermissionSet;
+};
+export default class PermissionSetPolicy extends Policy {
+    config: PermSetsPolicyFileContent;
+    auditContext: AuditRunConfig;
+    private totalEntities;
+    constructor(config: PermSetsPolicyFileContent, auditContext: AuditRunConfig, registry?: RuleRegistry);
+    protected resolveEntities(context: AuditContext): Promise<ResolveEntityResult>;
+}

package/lib/libs/policies/permissionSetPolicy.js

@@ -0,0 +1,61 @@
+import { Messages } from '@salesforce/core';
+import MdapiRetriever from '../mdapiRetriever.js';
+import PermSetsRuleRegistry from '../config/registries/permissionSets.js';
+import Policy, { getTotal } from './policy.js';
+import { PermissionRiskLevelPresets } from './types.js';
+Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
+const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'policies.general');
+export default class PermissionSetPolicy extends Policy {
+    config;
+    auditContext;
+    totalEntities;
+    constructor(config, auditContext, registry = new PermSetsRuleRegistry()) {
+        super(config, auditContext, registry);
+        this.config = config;
+        this.auditContext = auditContext;
+        this.totalEntities = this.config.permissionSets ? Object.keys(this.config.permissionSets).length : 0;
+    }
+    async resolveEntities(context) {
+        this.emit('entityresolve', {
+            total: this.totalEntities,
+            resolved: 0,
+        });
+        const successfullyResolved = {};
+        const unresolved = {};
+        const retriever = new MdapiRetriever(context.targetOrgConnection);
+        const resolvedPermsets = await retriever.retrievePermissionsets(filterCategorizedPermsets(this.config.permissionSets));
+        Object.entries(resolvedPermsets).forEach(([permsetName, resolvedPermset]) => {
+            successfullyResolved[permsetName] = {
+                metadata: resolvedPermset,
+                preset: this.config.permissionSets[permsetName].preset,
+                name: permsetName,
+            };
+        });
+        Object.entries(this.config.permissionSets).forEach(([key, val]) => {
+            if (successfullyResolved[key] === undefined) {
+                if (val.preset === PermissionRiskLevelPresets.UNKNOWN) {
+                    unresolved[key] = { name: key, message: messages.getMessage('preset-unknown', ['Permission Set']) };
+                }
+                else {
+                    unresolved[key] = { name: key, message: messages.getMessage('entity-not-found') };
+                }
+            }
+        });
+        const result = { resolvedEntities: successfullyResolved, ignoredEntities: Object.values(unresolved) };
+        this.emit('entityresolve', {
+            total: this.totalEntities,
+            resolved: getTotal(result),
+        });
+        return result;
+    }
+}
+function filterCategorizedPermsets(permSets) {
+    const filteredNames = [];
+    Object.entries(permSets).forEach(([key, val]) => {
+        if (val.preset !== PermissionRiskLevelPresets.UNKNOWN) {
+            filteredNames.push(key);
+        }
+    });
+    return filteredNames;
+}
+//# sourceMappingURL=permissionSetPolicy.js.map

package/lib/libs/policies/permissionSetPolicy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissionSetPolicy.js","sourceRoot":"","sources":["../../../src/libs/policies/permissionSetPolicy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C,OAAO,cAAc,MAAM,sBAAsB,CAAC;AAClD,OAAO,oBAAoB,MAAM,wCAAwC,CAAC;AAK1E,OAAO,MAAM,EAAE,EAAE,QAAQ,EAAuB,MAAM,aAAa,CAAC;AACpE,OAAO,EAAE,0BAA0B,EAAE,MAAM,YAAY,CAAC;AAExD,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,kBAAkB,CAAC,CAAC;AAOjG,MAAM,CAAC,OAAO,OAAO,mBAAoB,SAAQ,MAAM;IAG5C;IACA;IAHD,aAAa,CAAS;IAC9B,YACS,MAAiC,EACjC,YAA4B,EACnC,WAAyB,IAAI,oBAAoB,EAAE;QAEnD,KAAK,CAAC,MAAM,EAAE,YAAY,EAAE,QAAQ,CAAC,CAAC;QAJ/B,WAAM,GAAN,MAAM,CAA2B;QACjC,iBAAY,GAAZ,YAAY,CAAgB;QAInC,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IACvG,CAAC;IAES,KAAK,CAAC,eAAe,CAAC,OAAqB;QACnD,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;YACzB,KAAK,EAAE,IAAI,CAAC,aAAa;YACzB,QAAQ,EAAE,CAAC;SACZ,CAAC,CAAC;QACH,MAAM,oBAAoB,GAA0C,EAAE,CAAC;QACvE,MAAM,UAAU,GAAuC,EAAE,CAAC;QAC1D,MAAM,SAAS,GAAG,IAAI,cAAc,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;QAClE,MAAM,gBAAgB,GAAG,MAAM,SAAS,CAAC,sBAAsB,CAC7D,yBAAyB,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,CACtD,CAAC;QACF,MAAM,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,WAAW,EAAE,eAAe,CAAC,EAAE,EAAE;YAC1E,oBAAoB,CAAC,WAAW,CAAC,GAAG;gBAClC,QAAQ,EAAE,eAAe;gBACzB,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,WAAW,CAAC,CAAC,MAAM;gBACtD,IAAI,EAAE,WAAW;aAClB,CAAC;QACJ,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE,EAAE;YAChE,IAAI,oBAAoB,CAAC,GAAG,CAAC,KAAK,SAAS,EAAE,CAAC;gBAC5C,IAAI,GAAG,CAAC,MAAM,KAAK,0BAA0B,CAAC,OAAO,EAAE,CAAC;oBACtD,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,gBAAgB,EAAE,CAAC,gBAAgB,CAAC,CAAC,EAAE,CAAC;gBACtG,CAAC;qBAAM,CAAC;oBACN,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,kBAAkB,CAAC,EAAE,CAAC;gBACpF,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC;QACtG,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;YACzB,KAAK,EAAE,IAAI,CAAC,aAAa;YACzB,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC;SAC3B,CAAC,CAAC;QACH,OAAO,MAAM,CAAC;IAChB,CAAC;CACF;AAED,SAAS,yBAAyB,CAAC,QAA8B;IAC/D,MAAM,aAAa,GAAa,EAAE,CAAC;IACnC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE,EAAE;QAC9C,IAAI,GAAG,CAAC,MAAM,KAAK,0BAA0B,CAAC,OAAO,EAAE,CAAC;YACtD,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC,CAAC,CAAC;IACH,OAAO,aAAa,CAAC;AACvB,CAAC"}

package/lib/libs/policies/policy.d.ts

@@ -0,0 +1,32 @@
+import EventEmitter from 'node:events';
+import { AuditPolicyResult, EntityResolveError } from '../audit/types.js';
+import { AuditRunConfig, BasePolicyFileContent } from '../config/audit-run/schema.js';
+import RuleRegistry from '../config/registries/ruleRegistry.js';
+import { RegistryRuleResolveResult } from '../config/registries/types.js';
+import { AuditContext, IPolicy } from './interfaces/policyRuleInterfaces.js';
+export type ResolveEntityResult = {
+    resolvedEntities: Record<string, unknown>;
+    ignoredEntities: EntityResolveError[];
+};
+export default abstract class Policy extends EventEmitter implements IPolicy {
+    config: BasePolicyFileContent;
+    auditConfig: AuditRunConfig;
+    protected registry: RuleRegistry;
+    protected resolvedRules: RegistryRuleResolveResult;
+    protected entities?: ResolveEntityResult;
+    constructor(config: BasePolicyFileContent, auditConfig: AuditRunConfig, registry: RuleRegistry);
+    /**
+     * Resolves all entities of the policy.
+     */
+    resolve(context: AuditContext): Promise<ResolveEntityResult>;
+    /**
+     * Runs all rules of a policy. If the entities are not yet resolved, they are
+     * resolved on the fly before rules are executed.
+     *
+     * @param context
+     * @returns
+     */
+    run(context: AuditContext): Promise<AuditPolicyResult>;
+    protected abstract resolveEntities(context: AuditContext): Promise<ResolveEntityResult>;
+}
+export declare function getTotal(resolveResult: ResolveEntityResult): number;

package/lib/libs/policies/policy.js

@@ -0,0 +1,95 @@
+import EventEmitter from 'node:events';
+export default class Policy extends EventEmitter {
+    config;
+    auditConfig;
+    registry;
+    resolvedRules;
+    entities;
+    constructor(config, auditConfig, registry) {
+        super();
+        this.config = config;
+        this.auditConfig = auditConfig;
+        this.registry = registry;
+        this.resolvedRules = registry.resolveRules(config.rules, auditConfig);
+    }
+    /**
+     * Resolves all entities of the policy.
+     */
+    async resolve(context) {
+        if (!this.entities) {
+            this.entities = await this.resolveEntities(context);
+        }
+        return this.entities;
+    }
+    /**
+     * Runs all rules of a policy. If the entities are not yet resolved, they are
+     * resolved on the fly before rules are executed.
+     *
+     * @param context
+     * @returns
+     */
+    async run(context) {
+        if (!this.config.enabled) {
+            return {
+                isCompliant: true,
+                enabled: false,
+                executedRules: {},
+                skippedRules: [],
+                auditedEntities: [],
+                ignoredEntities: [],
+            };
+        }
+        const resolveResult = await this.resolve(context);
+        const ruleResultPromises = Array();
+        for (const rule of this.resolvedRules.enabledRules) {
+            ruleResultPromises.push(rule.run({ ...context, resolvedEntities: resolveResult.resolvedEntities }));
+        }
+        const ruleResults = await Promise.all(ruleResultPromises);
+        const executedRules = {};
+        for (const ruleResult of ruleResults) {
+            const { compliantEntities, violatedEntities } = evalResolvedEntities(ruleResult, resolveResult);
+            executedRules[ruleResult.ruleName] = {
+                ...ruleResult,
+                isCompliant: ruleResult.violations.length === 0,
+                compliantEntities,
+                violatedEntities,
+            };
+        }
+        return {
+            isCompliant: isCompliant(executedRules),
+            enabled: true,
+            executedRules,
+            skippedRules: this.resolvedRules.skippedRules,
+            auditedEntities: Object.keys(resolveResult.resolvedEntities),
+            ignoredEntities: resolveResult.ignoredEntities,
+        };
+    }
+}
+function isCompliant(ruleResults) {
+    const list = Object.values(ruleResults);
+    if (list.length === 0) {
+        return true;
+    }
+    return list.reduce((prevVal, currentVal) => prevVal && currentVal.isCompliant, list[0].isCompliant);
+}
+function evalResolvedEntities(ruleResult, entities) {
+    const compliantEntities = [];
+    const violatedEntities = new Set();
+    ruleResult.violations.forEach((vio) => {
+        if (vio.identifier.length > 0) {
+            violatedEntities.add(vio.identifier[0]);
+        }
+    });
+    Object.keys(entities.resolvedEntities).forEach((entityIdentifier) => {
+        if (!violatedEntities.has(entityIdentifier)) {
+            compliantEntities.push(entityIdentifier);
+        }
+    });
+    return { compliantEntities, violatedEntities: Array.from(violatedEntities) };
+}
+export function getTotal(resolveResult) {
+    const resolvedCount = resolveResult.resolvedEntities ? Object.keys(resolveResult.resolvedEntities).length : 0;
+    const ignoredCount = resolveResult.ignoredEntities ? resolveResult.ignoredEntities.length : 0;
+    return resolvedCount + ignoredCount;
+}
+//# sourceMappingURL=policy.js.map

package/lib/libs/policies/policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.js","sourceRoot":"","sources":["../../../src/libs/policies/policy.ts"],"names":[],"mappings":"AAAA,OAAO,YAAY,MAAM,aAAa,CAAC;AAWvC,MAAM,CAAC,OAAO,OAAgB,MAAO,SAAQ,YAAY;IAK9C;IACA;IACG;IANF,aAAa,CAA4B;IACzC,QAAQ,CAAuB;IAEzC,YACS,MAA6B,EAC7B,WAA2B,EACxB,QAAsB;QAEhC,KAAK,EAAE,CAAC;QAJD,WAAM,GAAN,MAAM,CAAuB;QAC7B,gBAAW,GAAX,WAAW,CAAgB;QACxB,aAAQ,GAAR,QAAQ,CAAc;QAGhC,IAAI,CAAC,aAAa,GAAG,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;IACxE,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,OAAO,CAAC,OAAqB;QACxC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACnB,IAAI,CAAC,QAAQ,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;QACtD,CAAC;QACD,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;IAED;;;;;;OAMG;IACI,KAAK,CAAC,GAAG,CAAC,OAAqB;QACpC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACzB,OAAO;gBACL,WAAW,EAAE,IAAI;gBACjB,OAAO,EAAE,KAAK;gBACd,aAAa,EAAE,EAAE;gBACjB,YAAY,EAAE,EAAE;gBAChB,eAAe,EAAE,EAAE;gBACnB,eAAe,EAAE,EAAE;aACpB,CAAC;QACJ,CAAC;QACD,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAClD,MAAM,kBAAkB,GAAG,KAAK,EAAoC,CAAC;QACrE,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,aAAa,CAAC,YAAY,EAAE,CAAC;YACnD,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,GAAG,OAAO,EAAE,gBAAgB,EAAE,aAAa,CAAC,gBAAgB,EAAE,CAAC,CAAC,CAAC;QACtG,CAAC;QACD,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;QAC1D,MAAM,aAAa,GAA8C,EAAE,CAAC;QACpE,KAAK,MAAM,UAAU,IAAI,WAAW,EAAE,CAAC;YACrC,MAAM,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,GAAG,oBAAoB,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;YAChG,aAAa,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG;gBACnC,GAAG,UAAU;gBACb,WAAW,EAAE,UAAU,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC;gBAC/C,iBAAiB;gBACjB,gBAAgB;aACjB,CAAC;QACJ,CAAC;QACD,OAAO;YACL,WAAW,EAAE,WAAW,CAAC,aAAa,CAAC;YACvC,OAAO,EAAE,IAAI;YACb,aAAa;YACb,YAAY,EAAE,IAAI,CAAC,aAAa,CAAC,YAAY;YAC7C,eAAe,EAAE,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,gBAAgB,CAAC;YAC5D,eAAe,EAAE,aAAa,CAAC,eAAe;SAC/C,CAAC;IACJ,CAAC;CAGF;AAED,SAAS,WAAW,CAAC,WAAsD;IACzE,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IACxC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,UAAU,EAAE,EAAE,CAAC,OAAO,IAAI,UAAU,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;AACtG,CAAC;AAED,SAAS,oBAAoB,CAC3B,UAAmC,EACnC,QAA6B;IAE7B,MAAM,iBAAiB,GAAa,EAAE,CAAC;IACvC,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAU,CAAC;IAC3C,UAAU,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;QACpC,IAAI,GAAG,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9B,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC,CAAC,CAAC;IACH,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC,OAAO,CAAC,CAAC,gBAAgB,EAAE,EAAE;QAClE,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,gBAAgB,CAAC,EAAE,CAAC;YAC5C,iBAAiB,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC,CAAC,CAAC;IACH,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,EAAE,CAAC;AAC/E,CAAC;AAED,MAAM,UAAU,QAAQ,CAAC,aAAkC;IACzD,MAAM,aAAa,GAAG,aAAa,CAAC,gBAAgB,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,gBAAgB,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IAC9G,MAAM,YAAY,GAAG,aAAa,CAAC,eAAe,CAAC,CAAC,CAAC,aAAa,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IAC9F,OAAO,aAAa,GAAG,YAAY,CAAC;AACtC,CAAC"}

package/lib/libs/policies/profilePolicy.d.ts

@@ -0,0 +1,17 @@
+import { Profile as ProfileMetadata } from '@jsforce/jsforce-node/lib/api/metadata.js';
+import { AuditRunConfig, ProfilesPolicyFileContent } from '../config/audit-run/schema.js';
+import RuleRegistry from '../config/registries/ruleRegistry.js';
+import { AuditContext } from './interfaces/policyRuleInterfaces.js';
+import Policy, { ResolveEntityResult } from './policy.js';
+export type ResolvedProfile = {
+    name: string;
+    preset: string;
+    metadata: ProfileMetadata;
+};
+export default class ProfilePolicy extends Policy {
+    config: ProfilesPolicyFileContent;
+    auditConfig: AuditRunConfig;
+    private totalEntities;
+    constructor(config: ProfilesPolicyFileContent, auditConfig: AuditRunConfig, registry?: RuleRegistry);
+    protected resolveEntities(context: AuditContext): Promise<ResolveEntityResult>;
+}

package/lib/libs/policies/profilePolicy.js

@@ -0,0 +1,71 @@
+import { Messages } from '@salesforce/core';
+import { isNullish } from '../utils.js';
+import ProfilesRuleRegistry from '../config/registries/profiles.js';
+import Policy, { getTotal } from './policy.js';
+import { PermissionRiskLevelPresets } from './types.js';
+Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
+const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'policies.general');
+export default class ProfilePolicy extends Policy {
+    config;
+    auditConfig;
+    totalEntities;
+    constructor(config, auditConfig, registry = new ProfilesRuleRegistry()) {
+        super(config, auditConfig, registry);
+        this.config = config;
+        this.auditConfig = auditConfig;
+        this.totalEntities = this.config.profiles ? Object.keys(this.config.profiles).length : 0;
+    }
+    async resolveEntities(context) {
+        this.emit('entityresolve', {
+            total: this.totalEntities,
+            resolved: 0,
+        });
+        const successfullyResolved = {};
+        const ignoredEntities = {};
+        const profileQueryResults = Array();
+        const definitiveProfiles = this.config.profiles ?? {};
+        Object.entries(definitiveProfiles).forEach(([profileName, profileDef]) => {
+            if (profileDef.preset !== PermissionRiskLevelPresets.UNKNOWN) {
+                const qr = Promise.resolve(context.targetOrgConnection.tooling.query(`SELECT Name,Metadata FROM Profile WHERE Name = '${profileName}'`));
+                profileQueryResults.push(qr);
+            }
+            else {
+                ignoredEntities[profileName] = {
+                    name: profileName,
+                    message: messages.getMessage('preset-unknown', ['Profile']),
+                };
+            }
+        });
+        const queryResults = await Promise.all(profileQueryResults);
+        queryResults.forEach((qr) => {
+            if (qr.records && qr.records.length > 0) {
+                const record = qr.records[0];
+                if (isNullish(record.Metadata)) {
+                    ignoredEntities[record.Name] = {
+                        name: record.Name,
+                        message: messages.getMessage('profile-invalid-no-metadata'),
+                    };
+                }
+                else {
+                    successfullyResolved[record.Name] = {
+                        name: record.Name,
+                        preset: definitiveProfiles[record.Name].preset,
+                        metadata: record.Metadata,
+                    };
+                }
+            }
+        });
+        Object.keys(definitiveProfiles).forEach((profileName) => {
+            if (successfullyResolved[profileName] === undefined && ignoredEntities[profileName] === undefined) {
+                ignoredEntities[profileName] = { name: profileName, message: messages.getMessage('entity-not-found') };
+            }
+        });
+        const result = { resolvedEntities: successfullyResolved, ignoredEntities: Object.values(ignoredEntities) };
+        this.emit('entityresolve', {
+            total: this.totalEntities,
+            resolved: getTotal(result),
+        });
+        return result;
+    }
+}
+//# sourceMappingURL=profilePolicy.js.map

package/lib/libs/policies/profilePolicy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"profilePolicy.js","sourceRoot":"","sources":["../../../src/libs/policies/profilePolicy.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAI5C,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAExC,OAAO,oBAAoB,MAAM,kCAAkC,CAAC;AAEpE,OAAO,MAAM,EAAE,EAAE,QAAQ,EAAuB,MAAM,aAAa,CAAC;AAEpE,OAAO,EAAE,0BAA0B,EAAE,MAAM,YAAY,CAAC;AAExD,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,kBAAkB,CAAC,CAAC;AAQjG,MAAM,CAAC,OAAO,OAAO,aAAc,SAAQ,MAAM;IAGtC;IACA;IAHD,aAAa,CAAS;IAC9B,YACS,MAAiC,EACjC,WAA2B,EAClC,WAAyB,IAAI,oBAAoB,EAAE;QAEnD,KAAK,CAAC,MAAM,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;QAJ9B,WAAM,GAAN,MAAM,CAA2B;QACjC,gBAAW,GAAX,WAAW,CAAgB;QAIlC,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3F,CAAC;IAES,KAAK,CAAC,eAAe,CAAC,OAAqB;QACnD,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;YACzB,KAAK,EAAE,IAAI,CAAC,aAAa;YACzB,QAAQ,EAAE,CAAC;SACZ,CAAC,CAAC;QACH,MAAM,oBAAoB,GAAoC,EAAE,CAAC;QACjE,MAAM,eAAe,GAAuC,EAAE,CAAC;QAE/D,MAAM,mBAAmB,GAAG,KAAK,EAAoC,CAAC;QACtE,MAAM,kBAAkB,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC;QACtD,MAAM,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,WAAW,EAAE,UAAU,CAAC,EAAE,EAAE;YACvE,IAAI,UAAU,CAAC,MAAM,KAAK,0BAA0B,CAAC,OAAO,EAAE,CAAC;gBAC7D,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CACxB,OAAO,CAAC,mBAAmB,CAAC,OAAO,CAAC,KAAK,CACvC,mDAAmD,WAAW,GAAG,CAClE,CACF,CAAC;gBACF,mBAAmB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAC/B,CAAC;iBAAM,CAAC;gBACN,eAAe,CAAC,WAAW,CAAC,GAAG;oBAC7B,IAAI,EAAE,WAAW;oBACjB,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,gBAAgB,EAAE,CAAC,SAAS,CAAC,CAAC;iBAC5D,CAAC;YACJ,CAAC;QACH,CAAC,CAAC,CAAC;QACH,MAAM,YAAY,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;QAC5D,YAAY,CAAC,OAAO,CAAC,CAAC,EAAE,EAAE,EAAE;YAC1B,IAAI,EAAE,CAAC,OAAO,IAAI,EAAE,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACxC,MAAM,MAAM,GAAG,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;gBAC7B,IAAI,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAC/B,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG;wBAC7B,IAAI,EAAE,MAAM,CAAC,IAAI;wBACjB,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,6BAA6B,CAAC;qBAC5D,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACN,oBAAoB,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG;wBAClC,IAAI,EAAE,MAAM,CAAC,IAAI;wBACjB,MAAM,EAAE,kBAAkB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM;wBAC9C,QAAQ,EAAE,MAAM,CAAC,QAAQ;qBAC1B,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,OAAO,CAAC,CAAC,WAAW,EAAE,EAAE;YACtD,IAAI,oBAAoB,CAAC,WAAW,CAAC,KAAK,SAAS,IAAI,eAAe,CAAC,WAAW,CAAC,KAAK,SAAS,EAAE,CAAC;gBAClG,eAAe,CAAC,WAAW,CAAC,GAAG,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,kBAAkB,CAAC,EAAE,CAAC;YACzG,CAAC;QACH,CAAC,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,CAAC,MAAM,CAAC,eAAe,CAAC,EAAE,CAAC;QAC3G,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;YACzB,KAAK,EAAE,IAAI,CAAC,aAAa;YACzB,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC;SAC3B,CAAC,CAAC;QACH,OAAO,MAAM,CAAC;IAChB,CAAC;CACF"}

package/lib/libs/policies/rules/allUsedAppsUnderManagement.d.ts

@@ -0,0 +1,7 @@
+import { ResolvedConnectedApp } from '../connectedAppPolicy.js';
+import { PartialPolicyRuleResult, RuleAuditContext } from '../interfaces/policyRuleInterfaces.js';
+import PolicyRule, { RuleOptions } from './policyRule.js';
+export default class AllUsedAppsUnderManagement extends PolicyRule<ResolvedConnectedApp> {
+    constructor(opts: RuleOptions);
+    run(context: RuleAuditContext<ResolvedConnectedApp>): Promise<PartialPolicyRuleResult>;
+}