npm - @j-schreiber/sf-cli-security-audit - Versions diffs - 0.2.0 → 0.4.0 - Mend

@j-schreiber/sf-cli-security-audit 0.2.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (103) hide show

package/lib/libs/policies/rules/allUsedAppsUnderManagement.js ADDED Viewed

@@ -0,0 +1,23 @@
+import { Messages } from '@salesforce/core';
+import PolicyRule from './policyRule.js';
+Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
+const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.connectedApps');
+export default class AllUsedAppsUnderManagement extends PolicyRule {
+    constructor(opts) {
+        super(opts);
+    }
+    run(context) {
+        const result = this.initResult();
+        const resolvedConnectedApps = context.resolvedEntities;
+        Object.values(resolvedConnectedApps).forEach((app) => {
+            if (app.origin === 'OauthToken') {
+                result.violations.push({
+                    identifier: [app.name],
+                    message: messages.getMessage('violations.app-used-but-not-registered', [app.users.length, app.useCount]),
+                });
+            }
+        });
+        return Promise.resolve(result);
+    }
+}
+//# sourceMappingURL=allUsedAppsUnderManagement.js.map

package/lib/libs/policies/rules/allUsedAppsUnderManagement.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"allUsedAppsUnderManagement.js","sourceRoot":"","sources":["../../../../src/libs/policies/rules/allUsedAppsUnderManagement.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAG5C,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,qBAAqB,CAAC,CAAC;AAEpG,MAAM,CAAC,OAAO,OAAO,0BAA2B,SAAQ,UAAgC;IACtF,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,GAAG,CAAC,OAA+C;QACxD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,qBAAqB,GAAG,OAAO,CAAC,gBAAgB,CAAC;QACvD,MAAM,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;YACnD,IAAI,GAAG,CAAC,MAAM,KAAK,YAAY,EAAE,CAAC;gBAChC,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;oBACrB,UAAU,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC;oBACtB,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,wCAAwC,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAC;iBACzG,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;QACH,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF"}

package/lib/libs/policies/rules/enforceCustomPermsClassificationOnProfiles.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+import { PartialPolicyRuleResult, RuleAuditContext } from '../interfaces/policyRuleInterfaces.js';
+import { ResolvedProfile } from '../profilePolicy.js';
+import PolicyRule, { RuleOptions } from './policyRule.js';
+export default class EnforceCustomPermsClassificationOnProfiles extends PolicyRule<ResolvedProfile> {
+    constructor(opts: RuleOptions);
+    run(context: RuleAuditContext<ResolvedProfile>): Promise<PartialPolicyRuleResult>;
+}

package/lib/libs/policies/rules/enforceCustomPermsClassificationOnProfiles.js ADDED Viewed

@@ -0,0 +1,51 @@
+import { Messages } from '@salesforce/core';
+import { permissionAllowedInPreset, PolicyRiskLevel } from '../types.js';
+import PolicyRule from './policyRule.js';
+const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.enforceClassificationPresets');
+export default class EnforceCustomPermsClassificationOnProfiles extends PolicyRule {
+    constructor(opts) {
+        super(opts);
+    }
+    run(context) {
+        const result = this.initResult();
+        const resolvedProfiles = context.resolvedEntities;
+        Object.values(resolvedProfiles).forEach((profile) => {
+            const customPerms = profile.metadata.customPermissions ?? [];
+            customPerms.forEach((perm) => {
+                const identifier = [profile.name, perm.name];
+                const classifiedPerm = this.resolveCustomPermission(perm.name);
+                if (classifiedPerm) {
+                    if (classifiedPerm.classification === PolicyRiskLevel.BLOCKED) {
+                        result.violations.push({
+                            identifier,
+                            message: messages.getMessage('violations.permission-is-blocked'),
+                        });
+                    }
+                    else if (!permissionAllowedInPreset(classifiedPerm.classification, profile.preset)) {
+                        result.violations.push({
+                            identifier,
+                            message: messages.getMessage('violations.classification-preset-mismatch', [
+                                classifiedPerm.classification,
+                                profile.preset,
+                            ]),
+                        });
+                    }
+                    else if (classifiedPerm.classification === PolicyRiskLevel.UNKNOWN) {
+                        result.warnings.push({
+                            identifier,
+                            message: messages.getMessage('warnings.permission-unknown'),
+                        });
+                    }
+                }
+                else {
+                    result.warnings.push({
+                        identifier,
+                        message: messages.getMessage('warnings.permission-not-classified-in-profile'),
+                    });
+                }
+            });
+        });
+        return Promise.resolve(result);
+    }
+}
+//# sourceMappingURL=enforceCustomPermsClassificationOnProfiles.js.map

package/lib/libs/policies/rules/enforceCustomPermsClassificationOnProfiles.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"enforceCustomPermsClassificationOnProfiles.js","sourceRoot":"","sources":["../../../../src/libs/policies/rules/enforceCustomPermsClassificationOnProfiles.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C,OAAO,EAAE,yBAAyB,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAEzE,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,oCAAoC,CAAC,CAAC;AAEnH,MAAM,CAAC,OAAO,OAAO,0CAA2C,SAAQ,UAA2B;IACjG,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,GAAG,CAAC,OAA0C;QACnD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC;QAClD,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;YAClD,MAAM,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC,iBAAiB,IAAI,EAAE,CAAC;YAC7D,WAAW,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;gBAC3B,MAAM,UAAU,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;gBAC7C,MAAM,cAAc,GAAG,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAC/D,IAAI,cAAc,EAAE,CAAC;oBACnB,IAAI,cAAc,CAAC,cAAc,KAAK,eAAe,CAAC,OAAO,EAAE,CAAC;wBAC9D,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;4BACrB,UAAU;4BACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,kCAAkC,CAAC;yBACjE,CAAC,CAAC;oBACL,CAAC;yBAAM,IAAI,CAAC,yBAAyB,CAAC,cAAc,CAAC,cAAc,EAAE,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;wBACrF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;4BACrB,UAAU;4BACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,2CAA2C,EAAE;gCACxE,cAAc,CAAC,cAAc;gCAC7B,OAAO,CAAC,MAAM;6BACf,CAAC;yBACH,CAAC,CAAC;oBACL,CAAC;yBAAM,IAAI,cAAc,CAAC,cAAc,KAAK,eAAe,CAAC,OAAO,EAAE,CAAC;wBACrE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;4BACnB,UAAU;4BACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,6BAA6B,CAAC;yBAC5D,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;wBACnB,UAAU;wBACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,+CAA+C,CAAC;qBAC9E,CAAC,CAAC;gBACL,CAAC;YACH,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QACH,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF"}

package/lib/libs/policies/rules/enforceUserPermsClassificationOnPermSets.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+import { PartialPolicyRuleResult, RuleAuditContext } from '../interfaces/policyRuleInterfaces.js';
+import { ResolvedPermissionSet } from '../permissionSetPolicy.js';
+import PolicyRule, { RuleOptions } from './policyRule.js';
+export default class EnforceUserPermsClassificationOnPermSets extends PolicyRule<ResolvedPermissionSet> {
+    constructor(opts: RuleOptions);
+    run(context: RuleAuditContext<ResolvedPermissionSet>): Promise<PartialPolicyRuleResult>;
+}

package/lib/libs/policies/rules/enforceUserPermsClassificationOnPermSets.js ADDED Viewed

@@ -0,0 +1,51 @@
+import { Messages } from '@salesforce/core';
+import { permissionAllowedInPreset, PolicyRiskLevel } from '../types.js';
+import PolicyRule from './policyRule.js';
+const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.enforceClassificationPresets');
+export default class EnforceUserPermsClassificationOnPermSets extends PolicyRule {
+    constructor(opts) {
+        super(opts);
+    }
+    run(context) {
+        const result = this.initResult();
+        const resolvedPermsets = context.resolvedEntities;
+        Object.values(resolvedPermsets).forEach((permset) => {
+            const userPerms = permset.metadata.userPermissions ?? [];
+            userPerms.forEach((userPerm) => {
+                const identifier = [permset.name, userPerm.name];
+                const classifiedUserPerm = this.resolveUserPermission(userPerm.name);
+                if (classifiedUserPerm) {
+                    if (classifiedUserPerm.classification === PolicyRiskLevel.BLOCKED) {
+                        result.violations.push({
+                            identifier,
+                            message: messages.getMessage('violations.permission-is-blocked'),
+                        });
+                    }
+                    else if (!permissionAllowedInPreset(classifiedUserPerm.classification, permset.preset)) {
+                        result.violations.push({
+                            identifier,
+                            message: messages.getMessage('violations.classification-preset-mismatch', [
+                                classifiedUserPerm.classification,
+                                permset.preset,
+                            ]),
+                        });
+                    }
+                    else if (classifiedUserPerm.classification === PolicyRiskLevel.UNKNOWN) {
+                        result.warnings.push({
+                            identifier,
+                            message: messages.getMessage('warnings.permission-unknown'),
+                        });
+                    }
+                }
+                else {
+                    result.warnings.push({
+                        identifier,
+                        message: messages.getMessage('warnings.permission-not-classified-in-permission-set'),
+                    });
+                }
+            });
+        });
+        return Promise.resolve(result);
+    }
+}
+//# sourceMappingURL=enforceUserPermsClassificationOnPermSets.js.map

package/lib/libs/policies/rules/enforceUserPermsClassificationOnPermSets.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"enforceUserPermsClassificationOnPermSets.js","sourceRoot":"","sources":["../../../../src/libs/policies/rules/enforceUserPermsClassificationOnPermSets.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C,OAAO,EAAE,yBAAyB,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAEzE,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,oCAAoC,CAAC,CAAC;AAEnH,MAAM,CAAC,OAAO,OAAO,wCAAyC,SAAQ,UAAiC;IACrG,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,GAAG,CAAC,OAAgD;QACzD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC;QAClD,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;YAClD,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ,CAAC,eAAe,IAAI,EAAE,CAAC;YACzD,SAAS,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,EAAE;gBAC7B,MAAM,UAAU,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC;gBACjD,MAAM,kBAAkB,GAAG,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;gBACrE,IAAI,kBAAkB,EAAE,CAAC;oBACvB,IAAI,kBAAkB,CAAC,cAAc,KAAK,eAAe,CAAC,OAAO,EAAE,CAAC;wBAClE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;4BACrB,UAAU;4BACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,kCAAkC,CAAC;yBACjE,CAAC,CAAC;oBACL,CAAC;yBAAM,IAAI,CAAC,yBAAyB,CAAC,kBAAkB,CAAC,cAAc,EAAE,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;wBACzF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;4BACrB,UAAU;4BACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,2CAA2C,EAAE;gCACxE,kBAAkB,CAAC,cAAc;gCACjC,OAAO,CAAC,MAAM;6BACf,CAAC;yBACH,CAAC,CAAC;oBACL,CAAC;yBAAM,IAAI,kBAAkB,CAAC,cAAc,KAAK,eAAe,CAAC,OAAO,EAAE,CAAC;wBACzE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;4BACnB,UAAU;4BACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,6BAA6B,CAAC;yBAC5D,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;wBACnB,UAAU;wBACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,sDAAsD,CAAC;qBACrF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QACH,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF"}

package/lib/libs/policies/rules/enforceUserPermsClassificationOnProfiles.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+import { PartialPolicyRuleResult, RuleAuditContext } from '../interfaces/policyRuleInterfaces.js';
+import { ResolvedProfile } from '../profilePolicy.js';
+import PolicyRule, { RuleOptions } from './policyRule.js';
+export default class EnforceUserPermsClassificationOnProfiles extends PolicyRule<ResolvedProfile> {
+    constructor(opts: RuleOptions);
+    run(context: RuleAuditContext<ResolvedProfile>): Promise<PartialPolicyRuleResult>;
+}

package/lib/libs/policies/rules/enforceUserPermsClassificationOnProfiles.js ADDED Viewed

@@ -0,0 +1,53 @@
+import { Messages } from '@salesforce/core';
+import { isNullish } from '../../utils.js';
+import { permissionAllowedInPreset, PolicyRiskLevel } from '../types.js';
+import PolicyRule from './policyRule.js';
+const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.enforceClassificationPresets');
+export default class EnforceUserPermsClassificationOnProfiles extends PolicyRule {
+    constructor(opts) {
+        super(opts);
+    }
+    run(context) {
+        const result = this.initResult();
+        const resolvedProfiles = context.resolvedEntities;
+        Object.values(resolvedProfiles).forEach((profile) => {
+            if (!isNullish(profile.metadata.userPermissions)) {
+                profile.metadata.userPermissions.forEach((userPerm) => {
+                    const identifier = [profile.name, userPerm.name];
+                    const classifiedUserPerm = this.resolveUserPermission(userPerm.name);
+                    if (classifiedUserPerm) {
+                        if (classifiedUserPerm.classification === PolicyRiskLevel.BLOCKED) {
+                            result.violations.push({
+                                identifier,
+                                message: messages.getMessage('violations.permission-is-blocked'),
+                            });
+                        }
+                        else if (!permissionAllowedInPreset(classifiedUserPerm.classification, profile.preset)) {
+                            result.violations.push({
+                                identifier,
+                                message: messages.getMessage('violations.classification-preset-mismatch', [
+                                    classifiedUserPerm.classification,
+                                    profile.preset,
+                                ]),
+                            });
+                        }
+                        else if (classifiedUserPerm.classification === PolicyRiskLevel.UNKNOWN) {
+                            result.warnings.push({
+                                identifier,
+                                message: messages.getMessage('warnings.permission-unknown'),
+                            });
+                        }
+                    }
+                    else {
+                        result.warnings.push({
+                            identifier,
+                            message: messages.getMessage('warnings.permission-not-classified-in-profile'),
+                        });
+                    }
+                });
+            }
+        });
+        return Promise.resolve(result);
+    }
+}
+//# sourceMappingURL=enforceUserPermsClassificationOnProfiles.js.map

package/lib/libs/policies/rules/enforceUserPermsClassificationOnProfiles.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"enforceUserPermsClassificationOnProfiles.js","sourceRoot":"","sources":["../../../../src/libs/policies/rules/enforceUserPermsClassificationOnProfiles.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAE3C,OAAO,EAAE,yBAAyB,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAEzE,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,oCAAoC,CAAC,CAAC;AAEnH,MAAM,CAAC,OAAO,OAAO,wCAAyC,SAAQ,UAA2B;IAC/F,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,GAAG,CAAC,OAA0C;QACnD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC;QAClD,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;YAClD,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;gBACjD,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,EAAE;oBACpD,MAAM,UAAU,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC;oBACjD,MAAM,kBAAkB,GAAG,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;oBACrE,IAAI,kBAAkB,EAAE,CAAC;wBACvB,IAAI,kBAAkB,CAAC,cAAc,KAAK,eAAe,CAAC,OAAO,EAAE,CAAC;4BAClE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;gCACrB,UAAU;gCACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,kCAAkC,CAAC;6BACjE,CAAC,CAAC;wBACL,CAAC;6BAAM,IAAI,CAAC,yBAAyB,CAAC,kBAAkB,CAAC,cAAc,EAAE,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;4BACzF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;gCACrB,UAAU;gCACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,2CAA2C,EAAE;oCACxE,kBAAkB,CAAC,cAAc;oCACjC,OAAO,CAAC,MAAM;iCACf,CAAC;6BACH,CAAC,CAAC;wBACL,CAAC;6BAAM,IAAI,kBAAkB,CAAC,cAAc,KAAK,eAAe,CAAC,OAAO,EAAE,CAAC;4BACzE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;gCACnB,UAAU;gCACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,6BAA6B,CAAC;6BAC5D,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;yBAAM,CAAC;wBACN,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;4BACnB,UAAU;4BACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,+CAA+C,CAAC;yBAC9E,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;QACH,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF"}

package/lib/libs/policies/rules/noUserCanSelfAuthorize.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+import { PartialPolicyRuleResult, RuleAuditContext } from '../interfaces/policyRuleInterfaces.js';
+import { ResolvedConnectedApp } from '../connectedAppPolicy.js';
+import PolicyRule, { RuleOptions } from './policyRule.js';
+export default class NoUserCanSelfAuthorize extends PolicyRule<ResolvedConnectedApp> {
+    constructor(opts: RuleOptions);
+    run(context: RuleAuditContext<ResolvedConnectedApp>): Promise<PartialPolicyRuleResult>;
+}

package/lib/libs/policies/rules/noUserCanSelfAuthorize.js ADDED Viewed

@@ -0,0 +1,31 @@
+import { Messages } from '@salesforce/core';
+import PolicyRule from './policyRule.js';
+Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
+const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.connectedApps');
+export default class NoUserCanSelfAuthorize extends PolicyRule {
+    constructor(opts) {
+        super(opts);
+    }
+    run(context) {
+        const result = this.initResult();
+        const resolvedConnectedApps = context.resolvedEntities;
+        Object.values(resolvedConnectedApps).forEach((app) => {
+            if (!app.onlyAdminApprovedUsersAllowed) {
+                if (app.overrideByApiSecurityAccess) {
+                    result.warnings.push({
+                        identifier: [app.name],
+                        message: messages.getMessage('warnings.users-can-self-authorize-but-setting-overrides'),
+                    });
+                }
+                else {
+                    result.violations.push({
+                        identifier: [app.name],
+                        message: messages.getMessage('violations.users-can-self-authorize'),
+                    });
+                }
+            }
+        });
+        return Promise.resolve(result);
+    }
+}
+//# sourceMappingURL=noUserCanSelfAuthorize.js.map

package/lib/libs/policies/rules/noUserCanSelfAuthorize.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"noUserCanSelfAuthorize.js","sourceRoot":"","sources":["../../../../src/libs/policies/rules/noUserCanSelfAuthorize.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAG5C,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,qBAAqB,CAAC,CAAC;AAEpG,MAAM,CAAC,OAAO,OAAO,sBAAuB,SAAQ,UAAgC;IAClF,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,GAAG,CAAC,OAA+C;QACxD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,qBAAqB,GAAG,OAAO,CAAC,gBAAgB,CAAC;QACvD,MAAM,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;YACnD,IAAI,CAAC,GAAG,CAAC,6BAA6B,EAAE,CAAC;gBACvC,IAAI,GAAG,CAAC,2BAA2B,EAAE,CAAC;oBACpC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;wBACnB,UAAU,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC;wBACtB,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,yDAAyD,CAAC;qBACxF,CAAC,CAAC;gBACL,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;wBACrB,UAAU,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC;wBACtB,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,qCAAqC,CAAC;qBACpE,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QACH,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF"}

package/lib/libs/policies/rules/policyRule.d.ts ADDED Viewed

@@ -0,0 +1,16 @@
+import { PartialPolicyRuleResult, RowLevelPolicyRule, RuleAuditContext } from '../interfaces/policyRuleInterfaces.js';
+import { AuditRunConfig, NamedPermissionsClassification } from '../../config/audit-run/schema.js';
+export type RuleOptions = {
+    auditContext: AuditRunConfig;
+    ruleDisplayName: string;
+    ruleConfig?: unknown;
+};
+export default abstract class PolicyRule<EntityType> implements RowLevelPolicyRule<EntityType> {
+    auditContext: AuditRunConfig;
+    ruleDisplayName: string;
+    constructor(opts: RuleOptions);
+    protected initResult(): PartialPolicyRuleResult;
+    protected resolveUserPermission(permName: string): NamedPermissionsClassification | undefined;
+    protected resolveCustomPermission(permName: string): NamedPermissionsClassification | undefined;
+    abstract run(context: RuleAuditContext<EntityType>): Promise<PartialPolicyRuleResult>;
+}

package/lib/libs/policies/rules/policyRule.js ADDED Viewed

@@ -0,0 +1,29 @@
+import { Messages } from '@salesforce/core';
+Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
+export default class PolicyRule {
+    auditContext;
+    ruleDisplayName;
+    constructor(opts) {
+        this.auditContext = opts.auditContext;
+        this.ruleDisplayName = opts.ruleDisplayName;
+    }
+    initResult() {
+        return {
+            ruleName: this.ruleDisplayName,
+            violations: new Array(),
+            mutedViolations: new Array(),
+            warnings: new Array(),
+            errors: new Array(),
+        };
+    }
+    resolveUserPermission(permName) {
+        return nameClassification(permName, this.auditContext.classifications.userPermissions?.content.permissions[permName]);
+    }
+    resolveCustomPermission(permName) {
+        return nameClassification(permName, this.auditContext.classifications.customPermissions?.content.permissions[permName]);
+    }
+}
+function nameClassification(permName, perm) {
+    return perm ? { name: permName, ...perm } : undefined;
+}
+//# sourceMappingURL=policyRule.js.map

package/lib/libs/policies/rules/policyRule.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"policyRule.js","sourceRoot":"","sources":["../../../../src/libs/policies/rules/policyRule.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAS5C,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAQ7D,MAAM,CAAC,OAAO,OAAgB,UAAU;IAC/B,YAAY,CAAiB;IAC7B,eAAe,CAAS;IAE/B,YAAmB,IAAiB;QAClC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC;QACtC,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,eAAe,CAAC;IAC9C,CAAC;IAES,UAAU;QAClB,OAAO;YACL,QAAQ,EAAE,IAAI,CAAC,eAAe;YAC9B,UAAU,EAAE,IAAI,KAAK,EAAuB;YAC5C,eAAe,EAAE,IAAI,KAAK,EAA2B;YACrD,QAAQ,EAAE,IAAI,KAAK,EAAwB;YAC3C,MAAM,EAAE,IAAI,KAAK,EAAwB;SAC1C,CAAC;IACJ,CAAC;IAES,qBAAqB,CAAC,QAAgB;QAC9C,OAAO,kBAAkB,CACvB,QAAQ,EACR,IAAI,CAAC,YAAY,CAAC,eAAe,CAAC,eAAe,EAAE,OAAO,CAAC,WAAW,CAAC,QAAQ,CAAC,CACjF,CAAC;IACJ,CAAC;IAES,uBAAuB,CAAC,QAAgB;QAChD,OAAO,kBAAkB,CACvB,QAAQ,EACR,IAAI,CAAC,YAAY,CAAC,eAAe,CAAC,iBAAiB,EAAE,OAAO,CAAC,WAAW,CAAC,QAAQ,CAAC,CACnF,CAAC;IACJ,CAAC;CAGF;AAED,SAAS,kBAAkB,CACzB,QAAgB,EAChB,IAAgC;IAEhC,OAAO,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;AACxD,CAAC"}

package/lib/libs/policies/salesforceStandardTypes.d.ts ADDED Viewed

@@ -0,0 +1,39 @@
+import { Record } from '@jsforce/jsforce-node';
+import { Profile as JsForceProfile } from '@jsforce/jsforce-node/lib/api/metadata.js';
+export type CustomPermission = Record & {
+    Id: string;
+    MasterLabel: string;
+    DeveloperName: string;
+};
+export type ConnectedApp = Record & {
+    Id: string;
+    Name: string;
+    OptionsAllowAdminApprovedUsersOnly: boolean;
+};
+export type OauthToken = Record & {
+    Id: string;
+    User: Pick<User, 'Username'>;
+    AppName: string;
+    UseCount: number;
+};
+export type User = Record & {
+    Username: string;
+};
+export type Profile = ProfileBasic & {
+    Metadata: JsForceProfile;
+};
+type ProfileBasic = Record & {
+    Id: string;
+    Name: string;
+    UserType: string;
+};
+export type PermissionSet = Record & {
+    Id: string;
+    IsOwnedByProfile: boolean;
+    IsCustom: boolean;
+    Name: string;
+    Label: string;
+    Profile: ProfileBasic;
+    NamespacePrefix?: string;
+};
+export {};

package/lib/libs/policies/salesforceStandardTypes.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export {};
2	+ //# sourceMappingURL=salesforceStandardTypes.js.map

package/lib/libs/policies/salesforceStandardTypes.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"salesforceStandardTypes.js","sourceRoot":"","sources":["../../../src/libs/policies/salesforceStandardTypes.ts"],"names":[],"mappings":""}

package/lib/libs/policies/types.d.ts ADDED Viewed

@@ -0,0 +1,36 @@
+export declare enum PolicyRiskLevel {
+    /** Blacklisted permissions that are considered too critical and not allowed */
+    BLOCKED = "Blocked",
+    /** Developer permissions, allow to modify the application */
+    CRITICAL = "Critical",
+    /** Admin permissions, allow to manage users and change permissions */
+    HIGH = "High",
+    /** Elevated business permissions for privileged users */
+    MEDIUM = "Medium",
+    /** Regular user permissions, typically needed for day-to-day work */
+    LOW = "Low",
+    /** Not categorized or unknown permission */
+    UNKNOWN = "Unknown"
+}
+/**
+ * Presets can be assigned to profiles and permission sets.
+ * A preset allows permissions up to a fixed risk level.
+ */
+export declare enum PermissionRiskLevelPresets {
+    /** Allows up to "Critical" permissions */
+    DEVELOPER = "Developer",
+    /** Allows up to "High" permissions */
+    ADMIN = "Admin",
+    /** Allows up to "Medium" permissions */
+    POWER_USER = "Power User",
+    /** Allows only "Low" permissions */
+    STANDARD_USER = "Standard User",
+    /** Disables the profile for audit */
+    UNKNOWN = "Unknown"
+}
+export type PolicyWriteResult = {
+    paths: Record<string, string>;
+};
+export declare function resolveRiskLevelOrdinalValue(value: string): number;
+export declare function resolvePresetOrdinalValue(value: string): number;
+export declare function permissionAllowedInPreset(permClassification: string, preset: string): boolean;

package/lib/libs/policies/types.js ADDED Viewed

@@ -0,0 +1,45 @@
+export var PolicyRiskLevel;
+(function (PolicyRiskLevel) {
+    /** Blacklisted permissions that are considered too critical and not allowed */
+    PolicyRiskLevel["BLOCKED"] = "Blocked";
+    /** Developer permissions, allow to modify the application */
+    PolicyRiskLevel["CRITICAL"] = "Critical";
+    /** Admin permissions, allow to manage users and change permissions */
+    PolicyRiskLevel["HIGH"] = "High";
+    /** Elevated business permissions for privileged users */
+    PolicyRiskLevel["MEDIUM"] = "Medium";
+    /** Regular user permissions, typically needed for day-to-day work */
+    PolicyRiskLevel["LOW"] = "Low";
+    /** Not categorized or unknown permission */
+    PolicyRiskLevel["UNKNOWN"] = "Unknown";
+})(PolicyRiskLevel || (PolicyRiskLevel = {}));
+/**
+ * Presets can be assigned to profiles and permission sets.
+ * A preset allows permissions up to a fixed risk level.
+ */
+export var PermissionRiskLevelPresets;
+(function (PermissionRiskLevelPresets) {
+    /** Allows up to "Critical" permissions */
+    PermissionRiskLevelPresets["DEVELOPER"] = "Developer";
+    /** Allows up to "High" permissions */
+    PermissionRiskLevelPresets["ADMIN"] = "Admin";
+    /** Allows up to "Medium" permissions */
+    PermissionRiskLevelPresets["POWER_USER"] = "Power User";
+    /** Allows only "Low" permissions */
+    PermissionRiskLevelPresets["STANDARD_USER"] = "Standard User";
+    /** Disables the profile for audit */
+    PermissionRiskLevelPresets["UNKNOWN"] = "Unknown";
+})(PermissionRiskLevelPresets || (PermissionRiskLevelPresets = {}));
+export function resolveRiskLevelOrdinalValue(value) {
+    return Object.keys(PolicyRiskLevel).indexOf(value.toUpperCase());
+}
+export function resolvePresetOrdinalValue(value) {
+    return Object.keys(PermissionRiskLevelPresets).indexOf(value.toUpperCase().replace(' ', '_'));
+}
+export function permissionAllowedInPreset(permClassification, preset) {
+    // this works, as long as we are mindful when adding new risk levels and presets
+    const invertedPermValue = Object.keys(PolicyRiskLevel).length - resolveRiskLevelOrdinalValue(permClassification);
+    const invertedPresetValue = Object.keys(PermissionRiskLevelPresets).length - resolvePresetOrdinalValue(preset);
+    return invertedPresetValue >= invertedPermValue;
+}
+//# sourceMappingURL=types.js.map

package/lib/libs/policies/types.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/libs/policies/types.ts"],"names":[],"mappings":"AAAA,MAAM,CAAN,IAAY,eAaX;AAbD,WAAY,eAAe;IACzB,+EAA+E;IAC/E,sCAAmB,CAAA;IACnB,6DAA6D;IAC7D,wCAAqB,CAAA;IACrB,sEAAsE;IACtE,gCAAa,CAAA;IACb,yDAAyD;IACzD,oCAAiB,CAAA;IACjB,qEAAqE;IACrE,8BAAW,CAAA;IACX,4CAA4C;IAC5C,sCAAmB,CAAA;AACrB,CAAC,EAbW,eAAe,KAAf,eAAe,QAa1B;AAED;;;GAGG;AACH,MAAM,CAAN,IAAY,0BAWX;AAXD,WAAY,0BAA0B;IACpC,0CAA0C;IAC1C,qDAAuB,CAAA;IACvB,sCAAsC;IACtC,6CAAe,CAAA;IACf,wCAAwC;IACxC,uDAAyB,CAAA;IACzB,oCAAoC;IACpC,6DAA+B,CAAA;IAC/B,qCAAqC;IACrC,iDAAmB,CAAA;AACrB,CAAC,EAXW,0BAA0B,KAA1B,0BAA0B,QAWrC;AAMD,MAAM,UAAU,4BAA4B,CAAC,KAAa;IACxD,OAAO,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC;AACnE,CAAC;AAED,MAAM,UAAU,yBAAyB,CAAC,KAAa;IACrD,OAAO,MAAM,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC;AAChG,CAAC;AAED,MAAM,UAAU,yBAAyB,CAAC,kBAA0B,EAAE,MAAc;IAClF,gFAAgF;IAChF,MAAM,iBAAiB,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,MAAM,GAAG,4BAA4B,CAAC,kBAAkB,CAAC,CAAC;IACjH,MAAM,mBAAmB,GAAG,MAAM,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC,MAAM,GAAG,yBAAyB,CAAC,MAAM,CAAC,CAAC;IAC/G,OAAO,mBAAmB,IAAI,iBAAiB,CAAC;AAClD,CAAC"}

package/lib/libs/utils.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+export declare function isEmpty(anything?: unknown): boolean;
+export declare function isNullish(anything: unknown): boolean;
+export type Optional<T, K extends keyof T> = Pick<Partial<T>, K> & Omit<T, K>;

package/lib/libs/utils.js ADDED Viewed

@@ -0,0 +1,13 @@
+export function isEmpty(anything) {
+    if (isNullish(anything)) {
+        return true;
+    }
+    if (typeof anything === 'object') {
+        return Object.entries(anything).length === 0;
+    }
+    return false;
+}
+export function isNullish(anything) {
+    return !(Boolean(anything) && anything !== null);
+}
+//# sourceMappingURL=utils.js.map

package/lib/libs/utils.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"utils.js","sourceRoot":"","sources":["../../src/libs/utils.ts"],"names":[],"mappings":"AAAA,MAAM,UAAU,OAAO,CAAC,QAAkB;IACxC,IAAI,SAAS,CAAC,QAAQ,CAAC,EAAE,CAAC;QACxB,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACjC,OAAO,MAAM,CAAC,OAAO,CAAC,QAAS,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC;IAChD,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,QAAiB;IACzC,OAAO,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,QAAQ,KAAK,IAAI,CAAC,CAAC;AACnD,CAAC"}

package/lib/ux/auditRunMultiStage.d.ts ADDED Viewed

@@ -0,0 +1,65 @@
+import { MultiStageOutput, MultiStageOutputOptions } from '@oclif/multi-stage-output';
+import AuditRun from '../libs/policies/auditRun.js';
+export declare const LOAD_AUDIT_CONFIG = "Loading audit config";
+export declare const RESOLVE_POLICIES = "Resolving policies";
+export declare const EXECUTE_RULES = "Executing rules";
+export declare const FINALISE = "Formatting results";
+export type AuditRunStageOptions = {
+    targetOrg: string;
+    directoryRootPath: string;
+    jsonEnabled?: boolean;
+};
+/**
+ * This type mimics the original "StageBlockInfo" type from
+ * MultiStageOutput and allows us to make test asserts.
+ */
+type StageBlockInfo<T> = {
+    stage: string;
+    type: 'dynamic-key-value' | 'static-key-value' | 'message';
+    label?: string;
+    get(data: T): string;
+};
+export default class AuditRunMultiStageOutput {
+    mso: MultiStageOutput<AuditRunData>;
+    stageSpecificBlocks: Array<StageBlockInfo<AuditRunData>>;
+    private polStats;
+    constructor(opts: MultiStageOutputOptions<AuditRunData>);
+    /**
+     * In unit tests, we stub the actual UX class to hide output in terminal.
+     *
+     * @param opts
+     * @returns
+     */
+    static initUx(opts: MultiStageOutputOptions<AuditRunData>): MultiStageOutput<AuditRunData>;
+    /**
+     * This pattern allows to stub multi-stage outputs in tests to mute output
+     * to stdout during test execution.
+     *
+     * In your code, create a new instance like this
+     * ```
+     * const ms = AuditRunMultiStageOutput.create(sobj, flags.json);
+     * ```
+     *
+     * @param opts
+     * @param jsonEnabled
+     * @returns
+     */
+    static create(opts: AuditRunStageOptions): AuditRunMultiStageOutput;
+    start(): void;
+    startPolicyResolve(runInstance: AuditRun): void;
+    startRuleExecution(): void;
+    finish(): void;
+    private addPolicyStatsListener;
+}
+export type AuditRunData = {
+    enabledRulesInPolicy: string[];
+    currentStatus: string;
+    policies: PolicyStatistics;
+};
+type PolicyStatistics = {
+    [policyName: string]: {
+        total?: number;
+        resolved?: number;
+    };
+};
+export {};