@j-schreiber/sf-cli-security-audit 0.20.1 → 0.21.0
- package/README.md +3 -3
- package/lib/libs/audit-engine/index.d.ts +8 -0
- package/lib/libs/audit-engine/registry/definitions.d.ts +8 -0
- package/lib/libs/audit-engine/registry/definitions.js +2 -0
- package/lib/libs/audit-engine/registry/definitions.js.map +1 -1
- package/lib/libs/audit-engine/registry/policies/permissionSets.d.ts +4 -3
- package/lib/libs/audit-engine/registry/policies/permissionSets.js +1 -0
- package/lib/libs/audit-engine/registry/policies/permissionSets.js.map +1 -1
- package/lib/libs/audit-engine/registry/policies/profiles.d.ts +3 -1
- package/lib/libs/audit-engine/registry/policies/profiles.js +1 -0
- package/lib/libs/audit-engine/registry/policies/profiles.js.map +1 -1
- package/lib/libs/audit-engine/registry/policies/users.js +1 -1
- package/lib/libs/audit-engine/registry/policies/users.js.map +1 -1
- package/lib/libs/audit-engine/registry/policy.js +2 -6
- package/lib/libs/audit-engine/registry/policy.js.map +1 -1
- package/lib/libs/audit-engine/registry/roles/roleManager.d.ts +15 -5
- package/lib/libs/audit-engine/registry/roles/roleManager.js +92 -14
- package/lib/libs/audit-engine/registry/roles/roleManager.js.map +1 -1
- package/lib/libs/audit-engine/registry/roles/roleManager.types.d.ts +24 -5
- package/lib/libs/audit-engine/registry/roles/roleManager.types.js +3 -1
- package/lib/libs/audit-engine/registry/roles/roleManager.types.js.map +1 -1
- package/lib/libs/audit-engine/registry/roles/userRole.d.ts +47 -6
- package/lib/libs/audit-engine/registry/roles/userRole.js +126 -32
- package/lib/libs/audit-engine/registry/roles/userRole.js.map +1 -1
- package/lib/libs/audit-engine/registry/rules/enforceObjectAccessOnUser.d.ts +8 -0
- package/lib/libs/audit-engine/registry/rules/enforceObjectAccessOnUser.js +39 -0
- package/lib/libs/audit-engine/registry/rules/enforceObjectAccessOnUser.js.map +1 -0
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.js +4 -16
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.js.map +1 -1
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnUser.d.ts +0 -1
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnUser.js +17 -31
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnUser.js.map +1 -1
- package/lib/libs/audit-engine/registry/shape/auditConfigShape.d.ts +8 -0
- package/lib/libs/audit-engine/registry/shape/schema.d.ts +33 -0
- package/lib/libs/audit-engine/registry/shape/schema.js +24 -3
- package/lib/libs/audit-engine/registry/shape/schema.js.map +1 -1
- package/lib/libs/audit-engine/registry/shape/shapeValidation.js +15 -4
- package/lib/libs/audit-engine/registry/shape/shapeValidation.js.map +1 -1
- package/lib/salesforce/describes/orgDescribe.d.ts +6 -0
- package/lib/salesforce/describes/orgDescribe.js +10 -1
- package/lib/salesforce/describes/orgDescribe.js.map +1 -1
- package/lib/salesforce/mdapi/metadataRegistry.js +3 -1
- package/lib/salesforce/mdapi/metadataRegistry.js.map +1 -1
- package/messages/auditShapeValidation.md +4 -0
- package/messages/rules.enforceClassificationPresets.md +14 -2
- package/oclif.manifest.json +1 -1
- package/package.json +1 -1
|
@@ -1,37 +1,81 @@
|
|
|
1
1
|
import { merge } from '@salesforce/kit';
|
|
2
2
|
import { Messages } from '@salesforce/core';
|
|
3
|
-
import { PermissionRiskLevel, UserPrivilegeLevel,
|
|
3
|
+
import { PermissionRiskLevel, UserPrivilegeLevel, } from '../shape/schema.js';
|
|
4
4
|
Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
|
|
5
5
|
const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.enforceClassificationPresets');
|
|
6
6
|
export default class UserRole {
|
|
7
7
|
roleName;
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
constructor(roleName, allowedUserPermissions, allowedCustomPermissions, roleOrdinalValue) {
|
|
8
|
+
config;
|
|
9
|
+
objectAccess;
|
|
10
|
+
constructor(roleName, config) {
|
|
12
11
|
this.roleName = roleName;
|
|
13
|
-
this.
|
|
14
|
-
|
|
15
|
-
|
|
12
|
+
this.config = {
|
|
13
|
+
userPermissions: { allowed: new Set(), denied: new Set() },
|
|
14
|
+
customPermissions: { allowed: new Set(), denied: new Set() },
|
|
15
|
+
objectAccess: {},
|
|
16
|
+
isStrict: false,
|
|
17
|
+
...config,
|
|
18
|
+
};
|
|
19
|
+
this.objectAccess = {};
|
|
20
|
+
for (const [objName, objDef] of Object.entries(config.objectAccess ?? {})) {
|
|
21
|
+
this.objectAccess[objName] = {
|
|
22
|
+
allowRead: false,
|
|
23
|
+
allowCreate: false,
|
|
24
|
+
allowDelete: false,
|
|
25
|
+
allowEdit: false,
|
|
26
|
+
viewAllFields: false,
|
|
27
|
+
...objDef,
|
|
28
|
+
};
|
|
29
|
+
}
|
|
30
|
+
}
|
|
31
|
+
/**
|
|
32
|
+
* Evaluates if a permission is explicitly denied
|
|
33
|
+
*
|
|
34
|
+
* @param permission
|
|
35
|
+
* @returns
|
|
36
|
+
*/
|
|
37
|
+
isDenied(permission) {
|
|
38
|
+
if (permission.type === 'customPermissions') {
|
|
39
|
+
return this.config.customPermissions.denied.has(permission.name.toLowerCase());
|
|
40
|
+
}
|
|
41
|
+
else {
|
|
42
|
+
return this.config.userPermissions.denied.has(permission.name.toLowerCase());
|
|
43
|
+
}
|
|
16
44
|
}
|
|
45
|
+
/**
|
|
46
|
+
* Evaluates if a permission of type userPermission or customPermission
|
|
47
|
+
* is allowed for the role.
|
|
48
|
+
*
|
|
49
|
+
* @param permission
|
|
50
|
+
* @returns
|
|
51
|
+
*/
|
|
17
52
|
isAllowed(permission) {
|
|
18
53
|
if (permission.type === 'customPermissions') {
|
|
19
|
-
return this.
|
|
54
|
+
return this.config.customPermissions.allowed.has(permission.name);
|
|
20
55
|
}
|
|
21
56
|
else {
|
|
22
|
-
return this.
|
|
57
|
+
return this.config.userPermissions.allowed.has(permission.name);
|
|
23
58
|
}
|
|
24
59
|
}
|
|
60
|
+
/**
|
|
61
|
+
* Runs a deep analysis of all access controls (permissions, object access, etc)
|
|
62
|
+
* of the role and determins which role is more permissive (or if they are intersecting)
|
|
63
|
+
*
|
|
64
|
+
* @param otherRole
|
|
65
|
+
* @returns
|
|
66
|
+
*/
|
|
25
67
|
compareWith(otherRole) {
|
|
26
68
|
const missingPermsInOther = new Array();
|
|
27
69
|
const missingPermsInThis = new Array();
|
|
28
|
-
const isOrdinallyHigher = this.roleOrdinalValue && otherRole.
|
|
29
|
-
|
|
70
|
+
const isOrdinallyHigher = this.config.roleOrdinalValue && otherRole.config.roleOrdinalValue
|
|
71
|
+
? this.config.roleOrdinalValue >= otherRole.config.roleOrdinalValue
|
|
72
|
+
: true;
|
|
73
|
+
const merged = new Set([...this.config.userPermissions.allowed, ...otherRole.config.userPermissions.allowed]);
|
|
30
74
|
for (const perm of merged) {
|
|
31
|
-
if (!this.
|
|
75
|
+
if (!this.config.userPermissions.allowed.has(perm)) {
|
|
32
76
|
missingPermsInThis.push(perm);
|
|
33
77
|
}
|
|
34
|
-
if (!otherRole.
|
|
78
|
+
if (!otherRole.config.userPermissions.allowed.has(perm)) {
|
|
35
79
|
missingPermsInOther.push(perm);
|
|
36
80
|
}
|
|
37
81
|
}
|
|
@@ -41,17 +85,44 @@ export default class UserRole {
|
|
|
41
85
|
missingPermsInOther,
|
|
42
86
|
};
|
|
43
87
|
}
|
|
88
|
+
/**
|
|
89
|
+
* Returns coerced object access for the role. If the object is
|
|
90
|
+
* not explicitly defined, the "strict" flag determins if the role
|
|
91
|
+
* allows access or not.
|
|
92
|
+
*
|
|
93
|
+
* @param objName
|
|
94
|
+
* @returns
|
|
95
|
+
*/
|
|
96
|
+
getObjectAccess(objName) {
|
|
97
|
+
const allowedObjectAccess = this.objectAccess[objName];
|
|
98
|
+
// if object is not explicitly defined, we allow access for roles that are "not strict"
|
|
99
|
+
if (!allowedObjectAccess) {
|
|
100
|
+
return {
|
|
101
|
+
allowCreate: !this.config.isStrict,
|
|
102
|
+
allowEdit: !this.config.isStrict,
|
|
103
|
+
allowRead: !this.config.isStrict,
|
|
104
|
+
allowDelete: !this.config.isStrict,
|
|
105
|
+
viewAllFields: !this.config.isStrict,
|
|
106
|
+
};
|
|
107
|
+
}
|
|
108
|
+
return allowedObjectAccess;
|
|
109
|
+
}
|
|
44
110
|
}
|
|
45
111
|
export function newRoleFromDefinition(roleName, config) {
|
|
46
|
-
const { permissions } = resolveRole(roleName, config.controls);
|
|
47
|
-
const
|
|
48
|
-
const
|
|
49
|
-
return new UserRole(roleName,
|
|
112
|
+
const { permissions, objectAccess, strict } = resolveRole(roleName, config.controls);
|
|
113
|
+
const userPermissions = buildAllowedPerms(permissions?.userPermissions, config.shape.userPermissions, permissions?.allowedClassifications);
|
|
114
|
+
const customPermissions = buildAllowedPerms(permissions?.customPermissions, config.shape.customPermissions, permissions?.allowedClassifications);
|
|
115
|
+
return new UserRole(roleName, { userPermissions, customPermissions, objectAccess, isStrict: strict });
|
|
50
116
|
}
|
|
51
117
|
export function newRoleFromOrdinals(roleName, perms) {
|
|
52
118
|
const roleOrdinalValue = resolvePresetOrdinalValue(roleName);
|
|
53
119
|
if (!perms || roleName === UserPrivilegeLevel.UNKNOWN) {
|
|
54
|
-
return new UserRole(roleName,
|
|
120
|
+
return new UserRole(roleName, {
|
|
121
|
+
userPermissions: { allowed: new Set(), denied: new Set() },
|
|
122
|
+
customPermissions: { allowed: new Set(), denied: new Set() },
|
|
123
|
+
roleOrdinalValue,
|
|
124
|
+
objectAccess: {},
|
|
125
|
+
});
|
|
55
126
|
}
|
|
56
127
|
const allAllowed = new Set();
|
|
57
128
|
for (const [permName, permDef] of Object.entries(perms)) {
|
|
@@ -59,7 +130,12 @@ export function newRoleFromOrdinals(roleName, perms) {
|
|
|
59
130
|
allAllowed.add(permName);
|
|
60
131
|
}
|
|
61
132
|
}
|
|
62
|
-
return new UserRole(roleName,
|
|
133
|
+
return new UserRole(roleName, {
|
|
134
|
+
userPermissions: { allowed: allAllowed, denied: new Set() },
|
|
135
|
+
customPermissions: { allowed: new Set(), denied: new Set() },
|
|
136
|
+
roleOrdinalValue,
|
|
137
|
+
objectAccess: {},
|
|
138
|
+
});
|
|
63
139
|
}
|
|
64
140
|
function resolvePresetOrdinalValue(value) {
|
|
65
141
|
const indexOfValue = Object.values(UserPrivilegeLevel).indexOf(value);
|
|
@@ -73,22 +149,37 @@ function resolveRole(roleName, controls) {
|
|
|
73
149
|
if (!rawRoleDef) {
|
|
74
150
|
throw messages.createError('TriedToAccessRoleThatDoesNotExist', [roleName]);
|
|
75
151
|
}
|
|
76
|
-
const
|
|
77
|
-
|
|
78
|
-
|
|
152
|
+
const aggregatedRoleDef = { strict: rawRoleDef.strict ?? false };
|
|
153
|
+
for (const controlType of ['permissions', 'objectAccess']) {
|
|
154
|
+
try {
|
|
155
|
+
aggregatedRoleDef[controlType] = resolveReferences(rawRoleDef[controlType], controls[controlType]);
|
|
156
|
+
}
|
|
157
|
+
catch (err) {
|
|
158
|
+
const errorDetails = err instanceof Error ? err.message : 'Unknown';
|
|
159
|
+
throw messages.createError('RoleReferencesControlThatDoesNotExist', [roleName, controlType, errorDetails]);
|
|
160
|
+
}
|
|
79
161
|
}
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
162
|
+
return aggregatedRoleDef;
|
|
163
|
+
}
|
|
164
|
+
function resolveReferences(roleDef, controls) {
|
|
165
|
+
const mergedControl = {};
|
|
166
|
+
const definitiveControls = controls ?? {};
|
|
167
|
+
const definitiveRoleDef = roleDef ?? {};
|
|
168
|
+
if (Array.isArray(definitiveRoleDef)) {
|
|
169
|
+
for (const controlRef of definitiveRoleDef) {
|
|
170
|
+
const referencedControl = definitiveControls[controlRef];
|
|
171
|
+
if (referencedControl) {
|
|
172
|
+
merge(mergedControl, referencedControl);
|
|
85
173
|
}
|
|
86
174
|
else {
|
|
87
|
-
throw
|
|
175
|
+
throw new Error(controlRef);
|
|
88
176
|
}
|
|
89
177
|
}
|
|
90
178
|
}
|
|
91
|
-
|
|
179
|
+
else {
|
|
180
|
+
merge(mergedControl, definitiveRoleDef);
|
|
181
|
+
}
|
|
182
|
+
return mergedControl;
|
|
92
183
|
}
|
|
93
184
|
function buildAllowedPerms(rolePermDef, permClassifications, allowedClassifications) {
|
|
94
185
|
const allowedPerms = new Set();
|
|
@@ -100,7 +191,7 @@ function buildAllowedPerms(rolePermDef, permClassifications, allowedClassificati
|
|
|
100
191
|
}
|
|
101
192
|
}
|
|
102
193
|
if (!rolePermDef) {
|
|
103
|
-
return allowedPerms;
|
|
194
|
+
return { allowed: allowedPerms, denied: new Set() };
|
|
104
195
|
}
|
|
105
196
|
if (rolePermDef.allowed) {
|
|
106
197
|
for (const permName of rolePermDef.allowed) {
|
|
@@ -117,6 +208,9 @@ function buildAllowedPerms(rolePermDef, permClassifications, allowedClassificati
|
|
|
117
208
|
allowedPerms.delete(permName);
|
|
118
209
|
}
|
|
119
210
|
}
|
|
120
|
-
return
|
|
211
|
+
return {
|
|
212
|
+
allowed: allowedPerms,
|
|
213
|
+
denied: new Set(rolePermDef.denied ? rolePermDef.denied.map((p) => p.toLowerCase()) : []),
|
|
214
|
+
};
|
|
121
215
|
}
|
|
122
216
|
//# sourceMappingURL=userRole.js.map
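Review bot: isDenied lowercases `permission.name` and buildAllowedPerms lowercases the denied list, but isAllowed and the `allowed` Sets (built from `permName` as-is in buildAllowedPerms and newRoleFromOrdinals) compare case-sensitively, so a permission whose casing differs between the role definition and the org is matched on the deny side but missed on the allow side. The mismatch fails closed (an unmatched allow shows up as a violation rather than silently passing), but the two paths should agree: either normalize both with `allowedPerms.add(permName.toLowerCase())` and `.has(permission.name.toLowerCase())` in isAllowed, or state on isAllowed that allowed matching is case-sensitive while denied matching is not. Separately, getObjectAccess grants full access to an object that is absent from the role when `isStrict` is false, while an object listed as `{}` gets every flag false through the constructor defaults; a comment such as `// listing an object with {} denies all operations; omitting it allows all on a non-strict role` would spare a config author that surprise. compareWith continues past the first hunk into the second.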
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"userRole.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/roles/userRole.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,iBAAiB,CAAC;AACxC,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAEL,mBAAmB,EACnB,kBAAkB,
|
|
1
|
+
{"version":3,"file":"userRole.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/roles/userRole.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,iBAAiB,CAAC;AACxC,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAEL,mBAAmB,EACnB,kBAAkB,GAInB,MAAM,oBAAoB,CAAC;AAU5B,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,oCAAoC,CAAC,CAAC;AAenH,MAAM,CAAC,OAAO,OAAO,QAAQ;IAID;IAHlB,MAAM,CAAiB;IACvB,YAAY,CAA4C;IAEhE,YAA0B,QAAgB,EAAE,MAA+B;QAAjD,aAAQ,GAAR,QAAQ,CAAQ;QACxC,IAAI,CAAC,MAAM,GAAG;YACZ,eAAe,EAAE,EAAE,OAAO,EAAE,IAAI,GAAG,EAAU,EAAE,MAAM,EAAE,IAAI,GAAG,EAAU,EAAE;YAC1E,iBAAiB,EAAE,EAAE,OAAO,EAAE,IAAI,GAAG,EAAU,EAAE,MAAM,EAAE,IAAI,GAAG,EAAU,EAAE;YAC5E,YAAY,EAAE,EAAE;YAChB,QAAQ,EAAE,KAAK;YACf,GAAG,MAAM;SACV,CAAC;QACF,IAAI,CAAC,YAAY,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,YAAY,IAAI,EAAE,CAAC,EAAE,CAAC;YAC1E,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,GAAG;gBAC3B,SAAS,EAAE,KAAK;gBAChB,WAAW,EAAE,KAAK;gBAClB,WAAW,EAAE,KAAK;gBAClB,SAAS,EAAE,KAAK;gBAChB,aAAa,EAAE,KAAK;gBACpB,GAAG,MAAM;aACV,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACI,QAAQ,CAAC,UAA2B;QACzC,IAAI,UAAU,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;YAC5C,OAAO,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;QACjF,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;QAC/E,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACI,SAAS,CAAC,UAA2B;QAC1C,IAAI,UAAU,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;YAC5C,OAAO,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QACpE,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QAClE,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACI,WAAW,CAAC,SAAmB;QACpC,MAAM,mBAAmB,GAAG,IAAI,KAAK,EAAU,CAAC;QAChD,MAAM,kBAAkB,GAAG,IAAI,KAAK,EAAU,CAAC;QAC/C,MAAM,iBAAiB,GACrB,IAAI,CAAC,MAAM,CAAC,gBAAgB,IAAI,SAAS,CAAC,MAAM,CAAC,gBAAgB;YAC/D,CAAC,CAAC,IAAI
,CAAC,MAAM,CAAC,gBAAgB,IAAI,SAAS,CAAC,MAAM,CAAC,gBAAgB;YACnE,CAAC,CAAC,IAAI,CAAC;QACX,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,OAAO,EAAE,GAAG,SAAS,CAAC,MAAM,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC,CAAC;QAC9G,KAAK,MAAM,IAAI,IAAI,MAAM,EAAE,CAAC;YAC1B,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBACnD,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAChC,CAAC;YACD,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBACxD,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,CAAC;QACH,CAAC;QACD,OAAO;YACL,UAAU,EAAE,kBAAkB,CAAC,MAAM,KAAK,CAAC,IAAI,iBAAiB;YAChE,kBAAkB;YAClB,mBAAmB;SACpB,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACI,eAAe,CAAC,OAAe;QACpC,MAAM,mBAAmB,GAAG,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QACvD,uFAAuF;QACvF,IAAI,CAAC,mBAAmB,EAAE,CAAC;YACzB,OAAO;gBACL,WAAW,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ;gBAClC,SAAS,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ;gBAChC,SAAS,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ;gBAChC,WAAW,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ;gBAClC,aAAa,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ;aACrC,CAAC;QACJ,CAAC;QACD,OAAO,mBAAmB,CAAC;IAC7B,CAAC;CACF;AAED,MAAM,UAAU,qBAAqB,CAAC,QAAgB,EAAE,MAAyB;IAC/E,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,WAAW,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IACrF,MAAM,eAAe,GAAG,iBAAiB,CACvC,WAAW,EAAE,eAAe,EAC5B,MAAM,CAAC,KAAK,CAAC,eAAe,EAC5B,WAAW,EAAE,sBAAsB,CACpC,CAAC;IACF,MAAM,iBAAiB,GAAG,iBAAiB,CACzC,WAAW,EAAE,iBAAiB,EAC9B,MAAM,CAAC,KAAK,CAAC,iBAAiB,EAC9B,WAAW,EAAE,sBAAsB,CACpC,CAAC;IACF,OAAO,IAAI,QAAQ,CAAC,QAAQ,EAAE,EAAE,eAAe,EAAE,iBAAiB,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAC;AACxG,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,QAA4B,EAAE,KAAiC;IACjG,MAAM,gBAAgB,GAAG,yBAAyB,CAAC,QAAQ,CAAC,CAAC;IAC7D,IAAI,CAAC,KAAK,IAAI,QAAQ,KAAK,kBAAkB,CAAC,OAAO,EAAE,CAAC;QACtD,OAAO,IAAI,QAAQ,CAAC,QAAQ,EAAE;YAC5B,eAAe,EAAE,EAAE,OAAO,EAAE,IAAI,GAAG,EAAU,EAAE,MAAM,EAAE,IAAI,GAAG,EAAU,EAAE;YAC1E,iBAAiB,EAAE,EAAE,OAAO,EAAE,IAAI,GAAG,EAAU,EAAE,MAAM,EAAE,IAAI,GAAG,EAAU,EAAE;YAC5E,gBAAgB;YAChB,YAAY,EAAE,EAAE;SACjB,CAAC,CAAC
;IACL,CAAC;IACD,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IACrC,KAAK,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACxD,IAAI,gBAAgB,IAAI,4BAA4B,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;YAC7E,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC3B,CAAC;IACH,CAAC;IACD,OAAO,IAAI,QAAQ,CAAC,QAAQ,EAAE;QAC5B,eAAe,EAAE,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI,GAAG,EAAU,EAAE;QACnE,iBAAiB,EAAE,EAAE,OAAO,EAAE,IAAI,GAAG,EAAU,EAAE,MAAM,EAAE,IAAI,GAAG,EAAU,EAAE;QAC5E,gBAAgB;QAChB,YAAY,EAAE,EAAE;KACjB,CAAC,CAAC;AACL,CAAC;AAED,SAAS,yBAAyB,CAAC,KAAyB;IAC1D,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IACtE,OAAO,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,MAAM,GAAG,YAAY,CAAC;AAC/D,CAAC;AAED,SAAS,4BAA4B,CAAC,KAAa;IACjD,OAAO,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC;AACjH,CAAC;AAED,SAAS,WAAW,CAAC,QAAgB,EAAE,QAA0B;IAC/D,MAAM,UAAU,GAAG,QAAQ,CAAC,KAAK,EAAE,CAAC,QAAQ,CAAC,CAAC;IAC9C,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,QAAQ,CAAC,WAAW,CAAC,mCAAmC,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC9E,CAAC;IACD,MAAM,iBAAiB,GAAsC,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,IAAI,KAAK,EAAE,CAAC;IACpG,KAAK,MAAM,WAAW,IAAI,CAAC,aAAa,EAAE,cAAc,CAAU,EAAE,CAAC;QACnE,IAAI,CAAC;YACH,iBAAiB,CAAC,WAAW,CAAC,GAAG,iBAAiB,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC;QACrG,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,YAAY,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC;YACpE,MAAM,QAAQ,CAAC,WAAW,CAAC,uCAAuC,EAAE,CAAC,QAAQ,EAAE,WAAW,EAAE,YAAY,CAAC,CAAC,CAAC;QAC7G,CAAC;IACH,CAAC;IACD,OAAO,iBAA6C,CAAC;AACvD,CAAC;AAMD,SAAS,iBAAiB,CACxB,OAA0B,EAC1B,QAAiC;IAEjC,MAAM,aAAa,GAAG,EAAE,CAAC;IACzB,MAAM,kBAAkB,GAAG,QAAQ,IAAI,EAAE,CAAC;IAC1C,MAAM,iBAAiB,GAAsB,OAAO,IAAI,EAAE,CAAC;IAC3D,IAAI,KAAK,CAAC,OAAO,CAAC,iBAAiB,CAAC,EAAE,CAAC;QACrC,KAAK,MAAM,UAAU,IAAI,iBAAiB,EAAE,CAAC;YAC3C,MAAM,iBAAiB,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;YACzD,IAAI,iBAAiB,EAAE,CAAC;gBACtB,KAAK,CAAC,aAAa,EAAE,iBAAiB,CAAC,CAAC;YAC1C,CAAC;iBAAM,CAAC;
gBACN,MAAM,IAAI,KAAK,CAAC,UAAU,CAAC,CAAC;YAC9B,CAAC;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,KAAK,CAAC,aAAa,EAAE,iBAAiB,CAAC,CAAC;IAC1C,CAAC;IACD,OAAO,aAAa,CAAC;AACvB,CAAC;AAED,SAAS,iBAAiB,CACxB,WAAsC,EACtC,mBAA+C,EAC/C,sBAAiC;IAEjC,MAAM,YAAY,GAAG,IAAI,GAAG,EAAU,CAAC;IACvC,IAAI,sBAAsB,IAAI,mBAAmB,EAAE,CAAC;QAClD,KAAK,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,mBAAmB,CAAC,EAAE,CAAC;YACtE,IAAI,sBAAsB,CAAC,QAAQ,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;gBAC5D,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAC7B,CAAC;QACH,CAAC;IACH,CAAC;IACD,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,IAAI,GAAG,EAAU,EAAE,CAAC;IAC9D,CAAC;IACD,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;QACxB,KAAK,MAAM,QAAQ,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;YAC3C,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IACD,IAAI,WAAW,CAAC,QAAQ,EAAE,CAAC;QACzB,KAAK,MAAM,QAAQ,IAAI,WAAW,CAAC,QAAQ,EAAE,CAAC;YAC5C,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IACD,IAAI,WAAW,CAAC,MAAM,EAAE,CAAC;QACvB,KAAK,MAAM,QAAQ,IAAI,WAAW,CAAC,MAAM,EAAE,CAAC;YAC1C,YAAY,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;IACD,OAAO;QACL,OAAO,EAAE,YAAY;QACrB,MAAM,EAAE,IAAI,GAAG,CAAS,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,WAAW,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;KAClG,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,8 @@
|
|
|
1
|
+
import { PartialPolicyRuleResult, RuleAuditContext } from '../context.types.js';
|
|
2
|
+
import { ResolvedUser } from '../policies/users.js';
|
|
3
|
+
import PolicyRule, { RuleOptions } from './policyRule.js';
|
|
4
|
+
export default class EnforceObjectAccessOnUser extends PolicyRule<ResolvedUser> {
|
|
5
|
+
private readonly roleManager;
|
|
6
|
+
constructor(opts: RuleOptions);
|
|
7
|
+
run(context: RuleAuditContext<ResolvedUser>): Promise<PartialPolicyRuleResult>;
|
|
8
|
+
}
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
import RoleManager from '../roles/roleManager.js';
|
|
2
|
+
import PolicyRule from './policyRule.js';
|
|
3
|
+
export default class EnforceObjectAccessOnUser extends PolicyRule {
|
|
4
|
+
roleManager;
|
|
5
|
+
constructor(opts) {
|
|
6
|
+
super(opts);
|
|
7
|
+
this.roleManager = new RoleManager({
|
|
8
|
+
controls: opts.auditConfig.controls,
|
|
9
|
+
shape: opts.auditConfig.shape,
|
|
10
|
+
});
|
|
11
|
+
}
|
|
12
|
+
run(context) {
|
|
13
|
+
const result = this.initResult();
|
|
14
|
+
const users = context.resolvedEntities;
|
|
15
|
+
for (const user of Object.values(users)) {
|
|
16
|
+
const profileLikes = buildProfileLikes(user);
|
|
17
|
+
const { violations, warnings, errors } = this.roleManager.scanObjectAccess(user.role, profileLikes, [
|
|
18
|
+
user.username,
|
|
19
|
+
]);
|
|
20
|
+
result.errors.push(...errors);
|
|
21
|
+
result.warnings.push(...warnings);
|
|
22
|
+
result.violations.push(...violations);
|
|
23
|
+
}
|
|
24
|
+
return Promise.resolve(result);
|
|
25
|
+
}
|
|
26
|
+
}
|
|
27
|
+
function buildProfileLikes(user) {
|
|
28
|
+
const profileLikes = [];
|
|
29
|
+
profileLikes.push({ metadata: user.profileMetadata, name: user.profileName, type: 'Profile' });
|
|
30
|
+
for (const permSetAssignment of user.assignments ?? []) {
|
|
31
|
+
profileLikes.push({
|
|
32
|
+
metadata: permSetAssignment.metadata,
|
|
33
|
+
name: permSetAssignment.permissionSetIdentifier,
|
|
34
|
+
type: 'PermissionSet',
|
|
35
|
+
});
|
|
36
|
+
}
|
|
37
|
+
return profileLikes;
|
|
38
|
+
}
|
|
39
|
+
//# sourceMappingURL=enforceObjectAccessOnUser.js.map
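Review bot: buildProfileLikes at the bottom of this file is a verbatim copy of the function added to enforcePermissionsOnUser.js in the same release, and both rules also construct RoleManager identically, so the helper belongs in one shared module (beside RoleManager, or on the resolved-user type) rather than being maintained twice. The helper also pushes the Profile entry unconditionally, so a user whose `profileMetadata` was not retrieved still reaches scanObjectAccess with `metadata: undefined`; the removed lines in enforcePermissionsOnUser.js include a `continue` branch whose condition is no longer visible, so if scanObjectAccess does not report a missing profile in `errors`, a guard like `if (user.profileMetadata) profileLikes.push({ ... type: 'Profile' });` is needed in both copies.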
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"enforceObjectAccessOnUser.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforceObjectAccessOnUser.ts"],"names":[],"mappings":"AACA,OAAO,WAAW,MAAM,yBAAyB,CAAC;AAGlD,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,MAAM,CAAC,OAAO,OAAO,yBAA0B,SAAQ,UAAwB;IAC5D,WAAW,CAAC;IAE7B,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;QACZ,IAAI,CAAC,WAAW,GAAG,IAAI,WAAW,CAAC;YACjC,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,QAAQ;YACnC,KAAK,EAAE,IAAI,CAAC,WAAW,CAAC,KAAK;SAC9B,CAAC,CAAC;IACL,CAAC;IAEM,GAAG,CAAC,OAAuC;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,KAAK,GAAG,OAAO,CAAC,gBAAgB,CAAC;QACvC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;YACxC,MAAM,YAAY,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;YAC7C,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,WAAW,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,EAAE,YAAY,EAAE;gBAClG,IAAI,CAAC,QAAQ;aACd,CAAC,CAAC;YACH,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,CAAC;YAC9B,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;YAClC,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC;QACxC,CAAC;QACD,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF;AAED,SAAS,iBAAiB,CAAC,IAAkB;IAC3C,MAAM,YAAY,GAAkB,EAAE,CAAC;IACvC,YAAY,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,eAAe,EAAE,IAAI,EAAE,IAAI,CAAC,WAAW,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC;IAC/F,KAAK,MAAM,iBAAiB,IAAI,IAAI,CAAC,WAAW,IAAI,EAAE,EAAE,CAAC;QACvD,YAAY,CAAC,IAAI,CAAC;YAChB,QAAQ,EAAE,iBAAiB,CAAC,QAAQ;YACpC,IAAI,EAAE,iBAAiB,CAAC,uBAAuB;YAC/C,IAAI,EAAE,eAAe;SACtB,CAAC,CAAC;IACL,CAAC;IACD,OAAO,YAAY,CAAC;AACtB,CAAC"}
|
|
@@ -1,9 +1,5 @@
|
|
|
1
|
-
import { Messages } from '@salesforce/core';
|
|
2
|
-
import { isNullish } from '../../../../utils.js';
|
|
3
1
|
import RoleManager from '../roles/roleManager.js';
|
|
4
2
|
import PolicyRule from './policyRule.js';
|
|
5
|
-
Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
|
|
6
|
-
const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.enforceClassificationPresets');
|
|
7
3
|
export default class EnforcePermissionsOnProfileLike extends PolicyRule {
|
|
8
4
|
roleManager;
|
|
9
5
|
constructor(opts) {
|
|
@@ -17,18 +13,10 @@ export default class EnforcePermissionsOnProfileLike extends PolicyRule {
|
|
|
17
13
|
const result = this.initResult();
|
|
18
14
|
const resolvedProfiles = context.resolvedEntities;
|
|
19
15
|
for (const profile of Object.values(resolvedProfiles)) {
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
});
|
|
25
|
-
continue;
|
|
26
|
-
}
|
|
27
|
-
if (!isNullish(profile.metadata)) {
|
|
28
|
-
const profileScanResult = this.roleManager.scanProfileLike(profile);
|
|
29
|
-
result.violations.push(...profileScanResult.violations);
|
|
30
|
-
result.warnings.push(...profileScanResult.warnings);
|
|
31
|
-
}
|
|
16
|
+
const { errors, violations, warnings } = this.roleManager.scanPermissions(profile.role, profile);
|
|
17
|
+
result.errors.push(...errors);
|
|
18
|
+
result.warnings.push(...warnings);
|
|
19
|
+
result.violations.push(...violations);
|
|
32
20
|
}
|
|
33
21
|
return Promise.resolve(result);
|
|
34
22
|
}
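Review bot: The `isNullish(profile.metadata)` guard is dropped, so every resolved profile, including one whose metadata was never retrieved, now goes into scanPermissions; the new `errors` bucket may be where RoleManager reports that case, but RoleManager is outside this hunk, so either confirm it or keep `if (isNullish(profile.metadata)) continue;` before the call. Also, scanPermissions is called here with a single `profile` as its second argument, while enforcePermissionsOnUser.js calls it with an array of profile-likes plus a `[user.username]` third argument; unless RoleManager accepts both shapes, one call site is wrong, and the roleManager.d.ts changed in this release (not shown here) should settle which. The run method begins above this hunk.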
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"enforcePermissionsOnProfileLike.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"enforcePermissionsOnProfileLike.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.ts"],"names":[],"mappings":"AACA,OAAO,WAAW,MAAM,yBAAyB,CAAC;AAElD,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,MAAM,CAAC,OAAO,OAAO,+BAAgC,SAAQ,UAA+B;IACzE,WAAW,CAAC;IAE7B,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;QACZ,IAAI,CAAC,WAAW,GAAG,IAAI,WAAW,CAAC;YACjC,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,QAAQ;YACnC,KAAK,EAAE,IAAI,CAAC,WAAW,CAAC,KAAK;SAC9B,CAAC,CAAC;IACL,CAAC;IAEM,GAAG,CAAC,OAA8C;QACvD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC;QAClD,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE,CAAC;YACtD,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YACjG,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,CAAC;YAC9B,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;YAClC,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC;QACxC,CAAC;QACD,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF"}
|
|
@@ -1,8 +1,5 @@
|
|
|
1
|
-
import { Messages } from '@salesforce/core';
|
|
2
1
|
import RoleManager from '../roles/roleManager.js';
|
|
3
2
|
import PolicyRule from './policyRule.js';
|
|
4
|
-
Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
|
|
5
|
-
const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.enforceClassificationPresets');
|
|
6
3
|
export default class EnforcePermissionsOnUser extends PolicyRule {
|
|
7
4
|
roleManager;
|
|
8
5
|
constructor(opts) {
|
|
@@ -16,38 +13,27 @@ export default class EnforcePermissionsOnUser extends PolicyRule {
|
|
|
16
13
|
const result = this.initResult();
|
|
17
14
|
const users = context.resolvedEntities;
|
|
18
15
|
for (const user of Object.values(users)) {
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
continue;
|
|
25
|
-
}
|
|
26
|
-
const { violations, warnings } = this.scanAssignedPermissionSets(user, user.assignments);
|
|
27
|
-
result.violations.push(...violations);
|
|
16
|
+
const profileLikes = buildProfileLikes(user);
|
|
17
|
+
const { violations, warnings, errors } = this.roleManager.scanPermissions(user.role, profileLikes, [
|
|
18
|
+
user.username,
|
|
19
|
+
]);
|
|
20
|
+
result.errors.push(...errors);
|
|
28
21
|
result.warnings.push(...warnings);
|
|
29
|
-
|
|
30
|
-
const profileResult = this.roleManager.scanProfileLike({ role: user.role, metadata: user.profileMetadata, name: user.profileName }, [user.username]);
|
|
31
|
-
result.violations.push(...profileResult.violations);
|
|
32
|
-
result.warnings.push(...profileResult.warnings);
|
|
33
|
-
}
|
|
22
|
+
result.violations.push(...violations);
|
|
34
23
|
}
|
|
35
24
|
return Promise.resolve(result);
|
|
36
25
|
}
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
result.violations.push(...permsetScan.violations);
|
|
48
|
-
result.warnings.push(...permsetScan.warnings);
|
|
49
|
-
}
|
|
50
|
-
return result;
|
|
26
|
+
}
|
|
27
|
+
function buildProfileLikes(user) {
|
|
28
|
+
const profileLikes = [];
|
|
29
|
+
profileLikes.push({ metadata: user.profileMetadata, name: user.profileName, type: 'Profile' });
|
|
30
|
+
for (const permSetAssignment of user.assignments ?? []) {
|
|
31
|
+
profileLikes.push({
|
|
32
|
+
metadata: permSetAssignment.metadata,
|
|
33
|
+
name: permSetAssignment.permissionSetIdentifier,
|
|
34
|
+
type: 'PermissionSet',
|
|
35
|
+
});
|
|
51
36
|
}
|
|
37
|
+
return profileLikes;
|
|
52
38
|
}
|
|
53
39
|
//# sourceMappingURL=enforcePermissionsOnUser.js.map
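Review bot: The removed block ending in `continue` skipped some users before any scan, and the replacement hands `user.role` and every assignment to scanPermissions with no precondition; since the removed condition is not in the diff, confirm that RoleManager.scanPermissions returns an `errors` entry rather than throwing for a user with an unresolved role, because run is not `async` and a throw inside the loop aborts the whole rule synchronously instead of rejecting the returned promise. If it can throw, the loop body needs `try { ... } catch (err) { result.errors.push(...) }` around the call so one bad user does not suppress findings for the rest. The run method begins above this hunk.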
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"enforcePermissionsOnUser.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionsOnUser.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"enforcePermissionsOnUser.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionsOnUser.ts"],"names":[],"mappings":"AACA,OAAO,WAAW,MAAM,yBAAyB,CAAC;AAGlD,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,MAAM,CAAC,OAAO,OAAO,wBAAyB,SAAQ,UAAwB;IAC3D,WAAW,CAAC;IAE7B,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;QACZ,IAAI,CAAC,WAAW,GAAG,IAAI,WAAW,CAAC;YACjC,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,QAAQ;YACnC,KAAK,EAAE,IAAI,CAAC,WAAW,CAAC,KAAK;SAC9B,CAAC,CAAC;IACL,CAAC;IAEM,GAAG,CAAC,OAAuC;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,KAAK,GAAG,OAAO,CAAC,gBAAgB,CAAC;QACvC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;YACxC,MAAM,YAAY,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;YAC7C,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,EAAE,YAAY,EAAE;gBACjG,IAAI,CAAC,QAAQ;aACd,CAAC,CAAC;YACH,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,CAAC;YAC9B,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;YAClC,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC;QACxC,CAAC;QACD,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF;AAED,SAAS,iBAAiB,CAAC,IAAkB;IAC3C,MAAM,YAAY,GAAkB,EAAE,CAAC;IACvC,YAAY,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,eAAe,EAAE,IAAI,EAAE,IAAI,CAAC,WAAW,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC;IAC/F,KAAK,MAAM,iBAAiB,IAAI,IAAI,CAAC,WAAW,IAAI,EAAE,EAAE,CAAC;QACvD,YAAY,CAAC,IAAI,CAAC;YAChB,QAAQ,EAAE,iBAAiB,CAAC,QAAQ;YACpC,IAAI,EAAE,iBAAiB,CAAC,uBAAuB;YAC/C,IAAI,EAAE,eAAe;SACtB,CAAC,CAAC;IACL,CAAC;IACD,OAAO,YAAY,CAAC;AACtB,CAAC"}
|
|
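--- a/PATH-NOT-SHOWN.d.ts
+++ b/PATH-NOT-SHOWN.d.ts
@@ -8,6 +8,7 @@ export declare const BaseAuditConfigShape: {
 files: {
 roles: {
 schema: import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
+strict: import("zod").ZodOptional<import("zod").ZodBoolean>;
 permissions: import("zod").ZodOptional<import("zod").ZodXor<readonly [import("zod").ZodArray<import("zod").ZodString>, import("zod").ZodObject<{
 allowedClassifications: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodEnum<typeof import("./schema.js").PermissionRiskLevel>>>;
 userPermissions: import("zod").ZodOptional<import("zod").ZodObject<{
@@ -21,6 +22,13 @@ export declare const BaseAuditConfigShape: {
 required: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
 }, import("zod/v4/core").$strip>>;
 }, import("zod/v4/core").$strip>]>>;
+objectAccess: import("zod").ZodOptional<import("zod").ZodXor<readonly [import("zod").ZodArray<import("zod").ZodString>, import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
+allowRead: import("zod").ZodOptional<import("zod").ZodBoolean>;
+allowCreate: import("zod").ZodOptional<import("zod").ZodBoolean>;
+allowEdit: import("zod").ZodOptional<import("zod").ZodBoolean>;
+allowDelete: import("zod").ZodOptional<import("zod").ZodBoolean>;
+viewAllFields: import("zod").ZodOptional<import("zod").ZodBoolean>;
+}, import("zod/v4/core").$strip>>]>>;
 }, import("zod/v4/core").$strict>>;
 };
 permissions: {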
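--- a/package/lib/libs/audit-engine/registry/shape/schema.d.ts
+++ b/package/lib/libs/audit-engine/registry/shape/schema.d.ts
@@ -50,6 +50,13 @@ export declare const PermissionControlSchema: z.ZodObject<{
 required: z.ZodOptional<z.ZodArray<z.ZodString>>;
 }, z.z.core.$strip>>;
 }, z.z.core.$strip>;
+export declare const ObjectAccessControlSchema: z.ZodRecord<z.ZodString, z.ZodObject<{
+allowRead: z.ZodOptional<z.ZodBoolean>;
+allowCreate: z.ZodOptional<z.ZodBoolean>;
+allowEdit: z.ZodOptional<z.ZodBoolean>;
+allowDelete: z.ZodOptional<z.ZodBoolean>;
+viewAllFields: z.ZodOptional<z.ZodBoolean>;
+}, z.z.core.$strip>>;
 export declare const PermissionControlsFileSchema: z.ZodRecord<z.ZodString, z.ZodObject<{
 allowedClassifications: z.ZodOptional<z.ZodArray<z.ZodEnum<typeof PermissionRiskLevel>>>;
 userPermissions: z.ZodOptional<z.ZodObject<{
@@ -63,7 +70,15 @@ export declare const PermissionControlsFileSchema: z.ZodRecord<z.ZodString, z.Zo
 required: z.ZodOptional<z.ZodArray<z.ZodString>>;
 }, z.z.core.$strip>>;
 }, z.z.core.$strip>>;
+export declare const ObjectAccessControlFileSchema: z.ZodRecord<z.ZodString, z.ZodRecord<z.ZodString, z.ZodObject<{
+allowRead: z.ZodOptional<z.ZodBoolean>;
+allowCreate: z.ZodOptional<z.ZodBoolean>;
+allowEdit: z.ZodOptional<z.ZodBoolean>;
+allowDelete: z.ZodOptional<z.ZodBoolean>;
+viewAllFields: z.ZodOptional<z.ZodBoolean>;
+}, z.z.core.$strip>>>;
 export declare const ResolvedRoleDefinitionSchema: z.ZodObject<{
+strict: z.ZodOptional<z.ZodBoolean>;
 permissions: z.ZodOptional<z.ZodObject<{
 allowedClassifications: z.ZodOptional<z.ZodArray<z.ZodEnum<typeof PermissionRiskLevel>>>;
 userPermissions: z.ZodOptional<z.ZodObject<{
@@ -77,8 +92,16 @@ export declare const ResolvedRoleDefinitionSchema: z.ZodObject<{
 required: z.ZodOptional<z.ZodArray<z.ZodString>>;
 }, z.z.core.$strip>>;
 }, z.z.core.$strip>>;
+objectAccess: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
+allowRead: z.ZodOptional<z.ZodBoolean>;
+allowCreate: z.ZodOptional<z.ZodBoolean>;
+allowEdit: z.ZodOptional<z.ZodBoolean>;
+allowDelete: z.ZodOptional<z.ZodBoolean>;
+viewAllFields: z.ZodOptional<z.ZodBoolean>;
+}, z.z.core.$strip>>>;
 }, z.z.core.$strip>;
 export declare const ComposableRolesFileSchema: z.ZodRecord<z.ZodString, z.ZodObject<{
+strict: z.ZodOptional<z.ZodBoolean>;
 permissions: z.ZodOptional<z.ZodXor<readonly [z.ZodArray<z.ZodString>, z.ZodObject<{
 allowedClassifications: z.ZodOptional<z.ZodArray<z.ZodEnum<typeof PermissionRiskLevel>>>;
 userPermissions: z.ZodOptional<z.ZodObject<{
@@ -92,6 +115,13 @@ export declare const ComposableRolesFileSchema: z.ZodRecord<z.ZodString, z.ZodOb
 required: z.ZodOptional<z.ZodArray<z.ZodString>>;
 }, z.z.core.$strip>>;
 }, z.z.core.$strip>]>>;
+objectAccess: z.ZodOptional<z.ZodXor<readonly [z.ZodArray<z.ZodString>, z.ZodRecord<z.ZodString, z.ZodObject<{
+allowRead: z.ZodOptional<z.ZodBoolean>;
+allowCreate: z.ZodOptional<z.ZodBoolean>;
+allowEdit: z.ZodOptional<z.ZodBoolean>;
+allowDelete: z.ZodOptional<z.ZodBoolean>;
+viewAllFields: z.ZodOptional<z.ZodBoolean>;
+}, z.z.core.$strip>>]>>;
 }, z.z.core.$strict>>;
 export declare const PermissionsClassificationFileSchema: z.ZodRecord<z.ZodString, z.ZodObject<{
 label: z.ZodOptional<z.ZodString>;
@@ -152,5 +182,8 @@ export type ResolvedRoleDefinition = z.infer<typeof ResolvedRoleDefinitionSchema
 export type ComposableRolesControl = z.infer<typeof ComposableRolesFileSchema>;
 export type PermissionControl = z.infer<typeof PermissionControlSchema>;
 export type PermissionControls = z.infer<typeof PermissionControlsFileSchema>;
+export type ObjectAccessControl = z.infer<typeof ObjectAccessControlSchema>;
+export type ObjectAccessControls = z.infer<typeof ObjectAccessControlFileSchema>;
 export declare function isPermissionControl(maybeRoleDef: unknown): maybeRoleDef is PermissionControl;
+export declare function isObjectAccessControl(maybeObjectDef: unknown): maybeObjectDef is ObjectAccessControl;
 export {};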
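--- a/package/lib/libs/audit-engine/registry/shape/schema.js
+++ b/package/lib/libs/audit-engine/registry/shape/schema.js
@@ -71,10 +71,27 @@ export const PermissionControlSchema = z.object({
 userPermissions: IndividualPermissionControlSchema.optional(),
 customPermissions: IndividualPermissionControlSchema.optional(),
 });
+export const ObjectAccessControlSchema = z.record(z.string(), z.object({
+allowRead: z.boolean().optional(),
+allowCreate: z.boolean().optional(),
+allowEdit: z.boolean().optional(),
+allowDelete: z.boolean().optional(),
+viewAllFields: z.boolean().optional(),
+}));
 export const PermissionControlsFileSchema = z.record(z.string(), PermissionControlSchema);
-
-export const ResolvedRoleDefinitionSchema = z.object({
-
+export const ObjectAccessControlFileSchema = z.record(z.string(), ObjectAccessControlSchema);
+export const ResolvedRoleDefinitionSchema = z.object({
+strict: z.boolean().optional(),
+permissions: PermissionControlSchema.optional(),
+objectAccess: ObjectAccessControlSchema.optional(),
+});
+export const ComposableRolesFileSchema = z.record(z.string(), z
+.object({
+strict: z.boolean().optional(),
+permissions: z.xor([z.array(z.string()), PermissionControlSchema]).optional(),
+objectAccess: z.xor([z.array(z.string()), ObjectAccessControlSchema]).optional(),
+})
+.strict());
 // Classification File Schemata
 export const PermissionsClassificationFileSchema = z.record(z.string(), PermClassification);
 export const ProfilesClassificationFileSchema = z.record(z.string(), ProfileConfig);
@@ -100,4 +117,8 @@ export function isPermissionControl(maybeRoleDef) {
 const parseResult = PermissionControlSchema.safeParse(maybeRoleDef);
 return maybeRoleDef !== undefined && parseResult.success === true;
 }
+export function isObjectAccessControl(maybeObjectDef) {
+const parseResult = ObjectAccessControlSchema.safeParse(maybeObjectDef);
+return maybeObjectDef !== undefined && parseResult.success === true;
+}
 //# sourceMappingURL=schema.js.map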
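Review bot: The per-object entries of `ObjectAccessControlSchema` (new lines 74–80 of the first hunk) are a plain `z.object({...})`, so an unrecognised key in a role's `objectAccess` block — a misspelled `allowDelete`, or a flag this version does not know — is stripped silently instead of being rejected, which the emitted `.d.ts` confirms with `$strip`; only the enclosing `ComposableRolesFileSchema` is `.strict()`, and that does not reach the nested record. For an audit-policy file that fails in the wrong direction: the policy author believes a restriction is declared and the rule never sees it. Closing the inner object, `z.record(z.string(), z.object({ ... }).strict())`, makes such typos a parse error like the role-level ones already are; since this file is compiled output, the change belongs in `src/libs/audit-engine/registry/shape/schema.ts` named by the source map. A short JSDoc on `ObjectAccessControlSchema` stating what an omitted flag means (every flag is optional, so `{}` is a valid entry) would also help, as that semantics is not visible here.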
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"schema.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/shape/schema.ts"],"names":[],"mappings":"AAAA,OAAO,CAAC,MAAM,KAAK,CAAC;AAEpB,MAAM,SAAS,GAAG,2CAA2C,CAAC;AAE9D;;GAEG;AACH,MAAM,CAAN,IAAY,mBAaX;AAbD,WAAY,mBAAmB;IAC7B,+EAA+E;IAC/E,0CAAmB,CAAA;IACnB,6DAA6D;IAC7D,4CAAqB,CAAA;IACrB,sEAAsE;IACtE,oCAAa,CAAA;IACb,yDAAyD;IACzD,wCAAiB,CAAA;IACjB,qEAAqE;IACrE,kCAAW,CAAA;IACX,kFAAkF;IAClF,0CAAmB,CAAA;AACrB,CAAC,EAbW,mBAAmB,KAAnB,mBAAmB,QAa9B;AAED;;;GAGG;AACH,MAAM,CAAN,IAAY,kBAWX;AAXD,WAAY,kBAAkB;IAC5B,0CAA0C;IAC1C,6CAAuB,CAAA;IACvB,sCAAsC;IACtC,qCAAe,CAAA;IACf,wCAAwC;IACxC,+CAAyB,CAAA;IACzB,oCAAoC;IACpC,qDAA+B,CAAA;IAC/B,qCAAqC;IACrC,yCAAmB,CAAA;AACrB,CAAC,EAXW,kBAAkB,KAAlB,kBAAkB,QAW7B;AAED,MAAM,kBAAkB,GAAG,CAAC,CAAC,MAAM,CAAC;IAClC,eAAe;IACf,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,4DAA4D;IAC5D,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7B,yCAAyC;IACzC,cAAc,EAAE,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC;CAC5C,CAAC,CAAC;AAEH,MAAM,yBAAyB,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,kBAAkB,CAAC,CAAC;AAE3E,MAAM,sBAAsB,GAAG,CAAC,CAAC,MAAM,CAAC;IACtC,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IACnC,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,EAAE;CACtD,CAAC,CAAC;AAEH,MAAM,aAAa,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,sBAAsB,CAAC,CAAC;AAEnE,MAAM,aAAa,GAAG,CAAC,CAAC,YAAY,CAAC;IACnC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;CACjB,CAAC,CAAC;AAEH,MAAM,aAAa,GAAG,aAAa,CAAC,MAAM,CAAC;IACzC,eAAe,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE;CACtH,CAAC,CAAC;AAEH,MAAM,UAAU,GAAG,CAAC,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AAElD,MAAM,kBAAkB,GAAG,CAAC,CAAC,YAAY,CAAC;IACxC,0BAA0B,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,kBAAkB,CAAC,aAAa,CAAC;IAChF,8BAA8B,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACtD,CAAC,CAA
C;AAEH,MAAM,iCAAiC,GAAG,CAAC,CAAC,MAAM,CAAC;IACjD,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACvC,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACtC,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CACzC,CAAC,CAAC;AAEH,uBAAuB;AAEvB,MAAM,CAAC,MAAM,uBAAuB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC9C,sBAAsB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,CAAC,QAAQ,EAAE;IACvE,eAAe,EAAE,iCAAiC,CAAC,QAAQ,EAAE;IAC7D,iBAAiB,EAAE,iCAAiC,CAAC,QAAQ,EAAE;CAChE,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,uBAAuB,CAAC,CAAC;AAE1F,
|
|
1
|
+
{"version":3,"file":"schema.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/shape/schema.ts"],"names":[],"mappings":"AAAA,OAAO,CAAC,MAAM,KAAK,CAAC;AAEpB,MAAM,SAAS,GAAG,2CAA2C,CAAC;AAE9D;;GAEG;AACH,MAAM,CAAN,IAAY,mBAaX;AAbD,WAAY,mBAAmB;IAC7B,+EAA+E;IAC/E,0CAAmB,CAAA;IACnB,6DAA6D;IAC7D,4CAAqB,CAAA;IACrB,sEAAsE;IACtE,oCAAa,CAAA;IACb,yDAAyD;IACzD,wCAAiB,CAAA;IACjB,qEAAqE;IACrE,kCAAW,CAAA;IACX,kFAAkF;IAClF,0CAAmB,CAAA;AACrB,CAAC,EAbW,mBAAmB,KAAnB,mBAAmB,QAa9B;AAED;;;GAGG;AACH,MAAM,CAAN,IAAY,kBAWX;AAXD,WAAY,kBAAkB;IAC5B,0CAA0C;IAC1C,6CAAuB,CAAA;IACvB,sCAAsC;IACtC,qCAAe,CAAA;IACf,wCAAwC;IACxC,+CAAyB,CAAA;IACzB,oCAAoC;IACpC,qDAA+B,CAAA;IAC/B,qCAAqC;IACrC,yCAAmB,CAAA;AACrB,CAAC,EAXW,kBAAkB,KAAlB,kBAAkB,QAW7B;AAED,MAAM,kBAAkB,GAAG,CAAC,CAAC,MAAM,CAAC;IAClC,eAAe;IACf,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,4DAA4D;IAC5D,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7B,yCAAyC;IACzC,cAAc,EAAE,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC;CAC5C,CAAC,CAAC;AAEH,MAAM,yBAAyB,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,kBAAkB,CAAC,CAAC;AAE3E,MAAM,sBAAsB,GAAG,CAAC,CAAC,MAAM,CAAC;IACtC,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IACnC,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,EAAE;CACtD,CAAC,CAAC;AAEH,MAAM,aAAa,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,sBAAsB,CAAC,CAAC;AAEnE,MAAM,aAAa,GAAG,CAAC,CAAC,YAAY,CAAC;IACnC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;CACjB,CAAC,CAAC;AAEH,MAAM,aAAa,GAAG,aAAa,CAAC,MAAM,CAAC;IACzC,eAAe,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE;CACtH,CAAC,CAAC;AAEH,MAAM,UAAU,GAAG,CAAC,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AAElD,MAAM,kBAAkB,GAAG,CAAC,CAAC,YAAY,CAAC;IACxC,0BAA0B,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,kBAAkB,CAAC,aAAa,CAAC;IAChF,8BAA8B,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACtD,CAAC,CAA
C;AAEH,MAAM,iCAAiC,GAAG,CAAC,CAAC,MAAM,CAAC;IACjD,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACvC,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACtC,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CACzC,CAAC,CAAC;AAEH,uBAAuB;AAEvB,MAAM,CAAC,MAAM,uBAAuB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC9C,sBAAsB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,CAAC,QAAQ,EAAE;IACvE,eAAe,EAAE,iCAAiC,CAAC,QAAQ,EAAE;IAC7D,iBAAiB,EAAE,iCAAiC,CAAC,QAAQ,EAAE;CAChE,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,CAAC,MAAM,CAC/C,CAAC,CAAC,MAAM,EAAE,EACV,CAAC,CAAC,MAAM,CAAC;IACP,SAAS,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IACjC,WAAW,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IACnC,SAAS,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IACjC,WAAW,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IACnC,aAAa,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;CACtC,CAAC,CACH,CAAC;AAEF,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,uBAAuB,CAAC,CAAC;AAE1F,MAAM,CAAC,MAAM,6BAA6B,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,yBAAyB,CAAC,CAAC;AAE7F,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAAC,CAAC,MAAM,CAAC;IACnD,MAAM,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAC9B,WAAW,EAAE,uBAAuB,CAAC,QAAQ,EAAE;IAC/C,YAAY,EAAE,yBAAyB,CAAC,QAAQ,EAAE;CACnD,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,CAAC,MAAM,CAC/C,CAAC,CAAC,MAAM,EAAE,EACV,CAAC;KACE,MAAM,CAAC;IACN,MAAM,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAC9B,WAAW,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,uBAAuB,CAAC,CAAC,CAAC,QAAQ,EAAE;IAC7E,YAAY,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,yBAAyB,CAAC,CAAC,CAAC,QAAQ,EAAE;CACjF,CAAC;KACD,MAAM,EAAE,CACZ,CAAC;AAEF,+BAA+B;AAE/B,MAAM,CAAC,MAAM,mCAAmC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,kBAAkB,CAAC,CAAC;AAE5F,MAAM,CAAC,MAAM,gCAAgC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,aAAa,CAAC,CAAC;AAEpF,MAAM,CAAC,MAAM,sCAAsC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EA
AE,aAAa,CAAC,CAAC;AAE1F,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,UAAU,CAAC,CAAC;AAE7E,uBAAuB;AAEvB,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IACvC,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAClC,KAAK,EAAE,aAAa,CAAC,OAAO,CAAC,EAAE,CAAC;IAChC,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,EAAE;CACtD,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,oBAAoB,GAAG,gBAAgB,CAAC,MAAM,CAAC;IAC1D,OAAO,EAAE,kBAAkB;CAC5B,CAAC,CAAC;AAUH,MAAM,iBAAiB,GAAG,CAAC,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AAE3D;;;GAGG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAA+B,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,CACzE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,iBAAiB,EAAE,mBAAmB,CAAC,CAAC,CAAC,CACxE,CAAC;AAwBF,kBAAkB;AAElB,MAAM,UAAU,mBAAmB,CAAC,YAAqB;IACvD,MAAM,WAAW,GAAG,uBAAuB,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;IACpE,OAAO,YAAY,KAAK,SAAS,IAAI,WAAW,CAAC,OAAO,KAAK,IAAI,CAAC;AACpE,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,cAAuB;IAC3D,MAAM,WAAW,GAAG,yBAAyB,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC;IACxE,OAAO,cAAc,KAAK,SAAS,IAAI,WAAW,CAAC,OAAO,KAAK,IAAI,CAAC;AACtE,CAAC"}
|