@j-schreiber/sf-cli-security-audit 0.20.2 → 0.22.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +4 -4
- package/lib/commands/org/audit/run.js +6 -2
- package/lib/commands/org/audit/run.js.map +1 -1
- package/lib/libs/audit-engine/index.d.ts +8 -0
- package/lib/libs/audit-engine/registry/definitions.d.ts +8 -0
- package/lib/libs/audit-engine/registry/definitions.js +2 -0
- package/lib/libs/audit-engine/registry/definitions.js.map +1 -1
- package/lib/libs/audit-engine/registry/policies/permissionSets.d.ts +4 -3
- package/lib/libs/audit-engine/registry/policies/permissionSets.js +1 -0
- package/lib/libs/audit-engine/registry/policies/permissionSets.js.map +1 -1
- package/lib/libs/audit-engine/registry/policies/profiles.d.ts +3 -1
- package/lib/libs/audit-engine/registry/policies/profiles.js +1 -0
- package/lib/libs/audit-engine/registry/policies/profiles.js.map +1 -1
- package/lib/libs/audit-engine/registry/policies/users.js +1 -1
- package/lib/libs/audit-engine/registry/policies/users.js.map +1 -1
- package/lib/libs/audit-engine/registry/policy.js +2 -6
- package/lib/libs/audit-engine/registry/policy.js.map +1 -1
- package/lib/libs/audit-engine/registry/result.types.d.ts +0 -8
- package/lib/libs/audit-engine/registry/roles/roleManager.d.ts +15 -5
- package/lib/libs/audit-engine/registry/roles/roleManager.js +86 -14
- package/lib/libs/audit-engine/registry/roles/roleManager.js.map +1 -1
- package/lib/libs/audit-engine/registry/roles/roleManager.types.d.ts +24 -5
- package/lib/libs/audit-engine/registry/roles/roleManager.types.js +3 -1
- package/lib/libs/audit-engine/registry/roles/roleManager.types.js.map +1 -1
- package/lib/libs/audit-engine/registry/roles/userRole.d.ts +28 -6
- package/lib/libs/audit-engine/registry/roles/userRole.js +102 -32
- package/lib/libs/audit-engine/registry/roles/userRole.js.map +1 -1
- package/lib/libs/audit-engine/registry/rules/enforceObjectAccessOnUser.d.ts +8 -0
- package/lib/libs/audit-engine/registry/rules/enforceObjectAccessOnUser.js +39 -0
- package/lib/libs/audit-engine/registry/rules/enforceObjectAccessOnUser.js.map +1 -0
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.js +4 -16
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.js.map +1 -1
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnUser.d.ts +0 -1
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnUser.js +17 -31
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnUser.js.map +1 -1
- package/lib/libs/audit-engine/registry/shape/auditConfigShape.d.ts +8 -0
- package/lib/libs/audit-engine/registry/shape/schema.d.ts +33 -0
- package/lib/libs/audit-engine/registry/shape/schema.js +24 -3
- package/lib/libs/audit-engine/registry/shape/schema.js.map +1 -1
- package/lib/salesforce/mdapi/metadataRegistry.js +3 -1
- package/lib/salesforce/mdapi/metadataRegistry.js.map +1 -1
- package/messages/rules.enforceClassificationPresets.md +10 -2
- package/oclif.manifest.json +1 -1
- package/package.json +1 -1
|
@@ -1,10 +1,11 @@
|
|
|
1
|
-
import { Profile } from '@jsforce/jsforce-node/lib/api/metadata.js';
|
|
1
|
+
import { Profile, ProfileObjectPermissions } from '@jsforce/jsforce-node/lib/api/metadata.js';
|
|
2
2
|
import { PolicyRuleViolation, RuleComponentMessage } from '../result.types.js';
|
|
3
|
-
import { ComposableRolesControl, PermissionClassifications, ResolvedRoleDefinition, PermissionControls } from '../shape/schema.js';
|
|
3
|
+
import { ComposableRolesControl, PermissionClassifications, ResolvedRoleDefinition, PermissionControls, ObjectAccessControls, ObjectAccessControl } from '../shape/schema.js';
|
|
4
4
|
export type RoleManagerConfig = {
|
|
5
5
|
controls: {
|
|
6
6
|
roles?: ComposableRolesControl;
|
|
7
7
|
permissions?: PermissionControls;
|
|
8
|
+
objectAccess?: ObjectAccessControls;
|
|
8
9
|
};
|
|
9
10
|
shape: {
|
|
10
11
|
userPermissions?: PermissionClassifications;
|
|
@@ -15,14 +16,24 @@ export type OrgAuditShape = RoleManagerConfig['shape'];
|
|
|
15
16
|
export type OrgAuditControls = RoleManagerConfig['controls'];
|
|
16
17
|
export type ComposableRoleDefinition = ComposableRolesControl['string'];
|
|
17
18
|
export type DefinitiveRoleDefinition = Required<ResolvedRoleDefinition>;
|
|
18
|
-
export type
|
|
19
|
+
export type DefinitiveObjectAccessDef = Required<ObjectAccessControl['string']>;
|
|
20
|
+
export type ProfileLike = {
|
|
19
21
|
name: string;
|
|
20
|
-
|
|
22
|
+
type: 'Profile' | 'PermissionSet';
|
|
23
|
+
metadata?: PartialProfileLike;
|
|
24
|
+
};
|
|
25
|
+
export type RefinedProfileLike = {
|
|
26
|
+
name: string;
|
|
27
|
+
type: 'Profile' | 'PermissionSet';
|
|
21
28
|
metadata: PartialProfileLike;
|
|
22
29
|
};
|
|
30
|
+
export type ResolvedProfileLike = ProfileLike & {
|
|
31
|
+
role: string;
|
|
32
|
+
};
|
|
23
33
|
export type ScanResult = {
|
|
24
34
|
violations: PolicyRuleViolation[];
|
|
25
35
|
warnings: RuleComponentMessage[];
|
|
36
|
+
errors: RuleComponentMessage[];
|
|
26
37
|
};
|
|
27
38
|
export type UserRoleCompareResult = {
|
|
28
39
|
/**
|
|
@@ -47,11 +58,18 @@ export type IUserRole = {
|
|
|
47
58
|
isAllowed(perm: Partial<NamedPermissionClassification>): boolean;
|
|
48
59
|
compareWith(otherRole: IUserRole): UserRoleCompareResult;
|
|
49
60
|
};
|
|
50
|
-
export type PartialProfileLike = Pick<Profile, PermissionsListKey>;
|
|
61
|
+
export type PartialProfileLike = Pick<Profile, PermissionsListKey | 'objectPermissions'>;
|
|
51
62
|
export type TypedPermission = {
|
|
52
63
|
type: PermissionsListKey;
|
|
53
64
|
name: string;
|
|
54
65
|
};
|
|
66
|
+
/**
|
|
67
|
+
* JsForce does not yet expose "viewAllFields" property. This override augments
|
|
68
|
+
* the standard export to be able to audit for it.
|
|
69
|
+
*/
|
|
70
|
+
export type ExtendedObjectAccessPermissions = ProfileObjectPermissions & {
|
|
71
|
+
viewAllFields?: boolean | null | undefined;
|
|
72
|
+
};
|
|
55
73
|
/**
|
|
56
74
|
* Moves the "name" from the classifications map to object prop
|
|
57
75
|
*/
|
|
@@ -59,3 +77,4 @@ export type NamedPermissionClassification = PermissionClassifications['string']
|
|
|
59
77
|
name: string;
|
|
60
78
|
};
|
|
61
79
|
export type PermissionsListKey = 'userPermissions' | 'customPermissions';
|
|
80
|
+
export declare function isRefinedProfileLike(p: ProfileLike): p is RefinedProfileLike;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"roleManager.types.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/roles/roleManager.types.ts"],"names":[],"mappings":""}
|
|
1
|
+
{"version":3,"file":"roleManager.types.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/roles/roleManager.types.ts"],"names":[],"mappings":"AAoGA,MAAM,UAAU,oBAAoB,CAAC,CAAc;IACjD,OAAO,CAAC,CAAC,QAAQ,KAAK,SAAS,CAAC;AAClC,CAAC"}
|
|
@@ -1,15 +1,21 @@
|
|
|
1
|
-
import { PermissionClassifications, UserPrivilegeLevel } from '../shape/schema.js';
|
|
2
|
-
import { RoleManagerConfig, TypedPermission, UserRoleCompareResult } from './roleManager.types.js';
|
|
1
|
+
import { PermissionClassifications, UserPrivilegeLevel, ObjectAccessControl } from '../shape/schema.js';
|
|
2
|
+
import { RoleManagerConfig, TypedPermission, UserRoleCompareResult, DefinitiveObjectAccessDef } from './roleManager.types.js';
|
|
3
3
|
type UserRolePermissions = {
|
|
4
4
|
allowed: Set<string>;
|
|
5
5
|
denied: Set<string>;
|
|
6
6
|
};
|
|
7
|
+
type UserRoleConfig = {
|
|
8
|
+
userPermissions: UserRolePermissions;
|
|
9
|
+
customPermissions: UserRolePermissions;
|
|
10
|
+
objectAccess: ObjectAccessControl;
|
|
11
|
+
roleOrdinalValue?: number;
|
|
12
|
+
isStrict: boolean;
|
|
13
|
+
};
|
|
7
14
|
export default class UserRole {
|
|
8
15
|
roleName: string;
|
|
9
|
-
private
|
|
10
|
-
private
|
|
11
|
-
|
|
12
|
-
constructor(roleName: string, userPermissions: UserRolePermissions, customPermissions: UserRolePermissions, roleOrdinalValue?: number | undefined);
|
|
16
|
+
private config;
|
|
17
|
+
private objectAccess;
|
|
18
|
+
constructor(roleName: string, config: Partial<UserRoleConfig>);
|
|
13
19
|
/**
|
|
14
20
|
* Evaluates if a permission is explicitly denied
|
|
15
21
|
*
|
|
@@ -25,7 +31,23 @@ export default class UserRole {
|
|
|
25
31
|
* @returns
|
|
26
32
|
*/
|
|
27
33
|
isAllowed(permission: TypedPermission): boolean;
|
|
34
|
+
/**
|
|
35
|
+
* Runs a deep analysis of all access controls (permissions, object access, etc)
|
|
36
|
+
* of the role and determins which role is more permissive (or if they are intersecting)
|
|
37
|
+
*
|
|
38
|
+
* @param otherRole
|
|
39
|
+
* @returns
|
|
40
|
+
*/
|
|
28
41
|
compareWith(otherRole: UserRole): UserRoleCompareResult;
|
|
42
|
+
/**
|
|
43
|
+
* Returns coerced object access for the role. If the object is
|
|
44
|
+
* not explicitly defined, the "strict" flag determins if the role
|
|
45
|
+
* allows access or not.
|
|
46
|
+
*
|
|
47
|
+
* @param objName
|
|
48
|
+
* @returns
|
|
49
|
+
*/
|
|
50
|
+
getObjectAccess(objName: string): DefinitiveObjectAccessDef;
|
|
29
51
|
}
|
|
30
52
|
export declare function newRoleFromDefinition(roleName: string, config: RoleManagerConfig): UserRole;
|
|
31
53
|
export declare function newRoleFromOrdinals(roleName: UserPrivilegeLevel, perms?: PermissionClassifications): UserRole;
|
|
@@ -1,18 +1,32 @@
|
|
|
1
1
|
import { merge } from '@salesforce/kit';
|
|
2
2
|
import { Messages } from '@salesforce/core';
|
|
3
|
-
import { PermissionRiskLevel, UserPrivilegeLevel,
|
|
3
|
+
import { PermissionRiskLevel, UserPrivilegeLevel, } from '../shape/schema.js';
|
|
4
4
|
Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
|
|
5
5
|
const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.enforceClassificationPresets');
|
|
6
6
|
export default class UserRole {
|
|
7
7
|
roleName;
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
constructor(roleName, userPermissions, customPermissions, roleOrdinalValue) {
|
|
8
|
+
config;
|
|
9
|
+
objectAccess;
|
|
10
|
+
constructor(roleName, config) {
|
|
12
11
|
this.roleName = roleName;
|
|
13
|
-
this.
|
|
14
|
-
|
|
15
|
-
|
|
12
|
+
this.config = {
|
|
13
|
+
userPermissions: { allowed: new Set(), denied: new Set() },
|
|
14
|
+
customPermissions: { allowed: new Set(), denied: new Set() },
|
|
15
|
+
objectAccess: {},
|
|
16
|
+
isStrict: false,
|
|
17
|
+
...config,
|
|
18
|
+
};
|
|
19
|
+
this.objectAccess = {};
|
|
20
|
+
for (const [objName, objDef] of Object.entries(config.objectAccess ?? {})) {
|
|
21
|
+
this.objectAccess[objName] = {
|
|
22
|
+
allowRead: false,
|
|
23
|
+
allowCreate: false,
|
|
24
|
+
allowDelete: false,
|
|
25
|
+
allowEdit: false,
|
|
26
|
+
viewAllFields: false,
|
|
27
|
+
...objDef,
|
|
28
|
+
};
|
|
29
|
+
}
|
|
16
30
|
}
|
|
17
31
|
/**
|
|
18
32
|
* Evaluates if a permission is explicitly denied
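Review bot: The trailing `...config` spread in the `this.config` literal lets an explicitly passed `undefined` (which the declared `Partial<UserRoleConfig>` permits) overwrite the defaults listed above it, so `new UserRole(name, { userPermissions: undefined })` later throws in `isDenied`/`isAllowed` on `this.config.userPermissions.denied`. The visible callers `newRoleFromDefinition` and `newRoleFromOrdinals` always pass concrete values, so this is a robustness point rather than a live failure. Resolving each field with `??` keeps the defaults authoritative; the per-object `...objDef` spread has the same weakness, where `allowRead: undefined` would survive into the value `getObjectAccess` types as `Required`. The constructor also carries no doc comment; a line such as `/** Controls missing from config default to empty permission sets, no object access entries and non-strict mode. */` would make the permissive default explicit.
```javascript
constructor(roleName, config) {
    this.roleName = roleName;
    this.config = {
        userPermissions: config.userPermissions ?? { allowed: new Set(), denied: new Set() },
        customPermissions: config.customPermissions ?? { allowed: new Set(), denied: new Set() },
        objectAccess: config.objectAccess ?? {},
        isStrict: config.isStrict ?? false,
        roleOrdinalValue: config.roleOrdinalValue,
    };
    // … unchanged: objectAccess coercion loop …
}
```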
|
|
@@ -22,10 +36,10 @@ export default class UserRole {
|
|
|
22
36
|
*/
|
|
23
37
|
isDenied(permission) {
|
|
24
38
|
if (permission.type === 'customPermissions') {
|
|
25
|
-
return this.customPermissions.denied.has(permission.name.toLowerCase());
|
|
39
|
+
return this.config.customPermissions.denied.has(permission.name.toLowerCase());
|
|
26
40
|
}
|
|
27
41
|
else {
|
|
28
|
-
return this.userPermissions.denied.has(permission.name.toLowerCase());
|
|
42
|
+
return this.config.userPermissions.denied.has(permission.name.toLowerCase());
|
|
29
43
|
}
|
|
30
44
|
}
|
|
31
45
|
/**
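Review bot: `isDenied` lower-cases `permission.name` before the `denied.has(...)` lookup, while `isAllowed` in the next hunk compares the name verbatim against `allowed`; the asymmetry predates this commit but both lookups were rewritten here. If `buildAllowedPerms` (its body is outside this view) stores the denied set lower-cased and the allowed set as written, the behaviour is consistent, but nothing in this file says so, and a permission whose casing differs between the classification file and the org metadata would end up neither allowed nor denied. A comment above the return, e.g. `// denied names are stored lower-cased by buildAllowedPerms; allowed names are matched as written`, or normalising both sides the same way, would pin the contract down.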
|
|
@@ -37,22 +51,31 @@ export default class UserRole {
|
|
|
37
51
|
*/
|
|
38
52
|
isAllowed(permission) {
|
|
39
53
|
if (permission.type === 'customPermissions') {
|
|
40
|
-
return this.customPermissions.allowed.has(permission.name);
|
|
54
|
+
return this.config.customPermissions.allowed.has(permission.name);
|
|
41
55
|
}
|
|
42
56
|
else {
|
|
43
|
-
return this.userPermissions.allowed.has(permission.name);
|
|
57
|
+
return this.config.userPermissions.allowed.has(permission.name);
|
|
44
58
|
}
|
|
45
59
|
}
|
|
60
|
+
/**
|
|
61
|
+
* Runs a deep analysis of all access controls (permissions, object access, etc)
|
|
62
|
+
* of the role and determins which role is more permissive (or if they are intersecting)
|
|
63
|
+
*
|
|
64
|
+
* @param otherRole
|
|
65
|
+
* @returns
|
|
66
|
+
*/
|
|
46
67
|
compareWith(otherRole) {
|
|
47
68
|
const missingPermsInOther = new Array();
|
|
48
69
|
const missingPermsInThis = new Array();
|
|
49
|
-
const isOrdinallyHigher = this.roleOrdinalValue && otherRole.
|
|
50
|
-
|
|
70
|
+
const isOrdinallyHigher = this.config.roleOrdinalValue && otherRole.config.roleOrdinalValue
|
|
71
|
+
? this.config.roleOrdinalValue >= otherRole.config.roleOrdinalValue
|
|
72
|
+
: true;
|
|
73
|
+
const merged = new Set([...this.config.userPermissions.allowed, ...otherRole.config.userPermissions.allowed]);
|
|
51
74
|
for (const perm of merged) {
|
|
52
|
-
if (!this.userPermissions.allowed.has(perm)) {
|
|
75
|
+
if (!this.config.userPermissions.allowed.has(perm)) {
|
|
53
76
|
missingPermsInThis.push(perm);
|
|
54
77
|
}
|
|
55
|
-
if (!otherRole.userPermissions.allowed.has(perm)) {
|
|
78
|
+
if (!otherRole.config.userPermissions.allowed.has(perm)) {
|
|
56
79
|
missingPermsInOther.push(perm);
|
|
57
80
|
}
|
|
58
81
|
}
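Review bot: The new JSDoc on `compareWith` promises a "deep analysis of all access controls (permissions, object access, etc)", but the body visible here only merges `this.config.userPermissions.allowed` with the other role's allowed set; custom permissions, the denied sets and the new `objectAccess` map are never consulted, and the collected fields `missingPermsInThis`/`missingPermsInOther` carry user permissions only. The return statement lies between this hunk and the next, so this is hedged on those few lines not adding further checks; as far as the visible body goes, two roles with identical user permissions but different object CRUD compare as equal. Either extend the comparison to object access or narrow the comment to `Compares the allowed user permissions and ordinal value of both roles`; also `determins` should read `determines` in the same comment.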
|
|
@@ -62,17 +85,44 @@ export default class UserRole {
|
|
|
62
85
|
missingPermsInOther,
|
|
63
86
|
};
|
|
64
87
|
}
|
|
88
|
+
/**
|
|
89
|
+
* Returns coerced object access for the role. If the object is
|
|
90
|
+
* not explicitly defined, the "strict" flag determins if the role
|
|
91
|
+
* allows access or not.
|
|
92
|
+
*
|
|
93
|
+
* @param objName
|
|
94
|
+
* @returns
|
|
95
|
+
*/
|
|
96
|
+
getObjectAccess(objName) {
|
|
97
|
+
const allowedObjectAccess = this.objectAccess[objName];
|
|
98
|
+
// if object is not explicitly defined, we allow access for roles that are "not strict"
|
|
99
|
+
if (!allowedObjectAccess) {
|
|
100
|
+
return {
|
|
101
|
+
allowCreate: !this.config.isStrict,
|
|
102
|
+
allowEdit: !this.config.isStrict,
|
|
103
|
+
allowRead: !this.config.isStrict,
|
|
104
|
+
allowDelete: !this.config.isStrict,
|
|
105
|
+
viewAllFields: !this.config.isStrict,
|
|
106
|
+
};
|
|
107
|
+
}
|
|
108
|
+
return allowedObjectAccess;
|
|
109
|
+
}
|
|
65
110
|
}
|
|
66
111
|
export function newRoleFromDefinition(roleName, config) {
|
|
67
|
-
const { permissions } = resolveRole(roleName, config.controls);
|
|
68
|
-
const
|
|
69
|
-
const
|
|
70
|
-
return new UserRole(roleName,
|
|
112
|
+
const { permissions, objectAccess, strict } = resolveRole(roleName, config.controls);
|
|
113
|
+
const userPermissions = buildAllowedPerms(permissions?.userPermissions, config.shape.userPermissions, permissions?.allowedClassifications);
|
|
114
|
+
const customPermissions = buildAllowedPerms(permissions?.customPermissions, config.shape.customPermissions, permissions?.allowedClassifications);
|
|
115
|
+
return new UserRole(roleName, { userPermissions, customPermissions, objectAccess, isStrict: strict });
|
|
71
116
|
}
|
|
72
117
|
export function newRoleFromOrdinals(roleName, perms) {
|
|
73
118
|
const roleOrdinalValue = resolvePresetOrdinalValue(roleName);
|
|
74
119
|
if (!perms || roleName === UserPrivilegeLevel.UNKNOWN) {
|
|
75
|
-
return new UserRole(roleName, {
|
|
120
|
+
return new UserRole(roleName, {
|
|
121
|
+
userPermissions: { allowed: new Set(), denied: new Set() },
|
|
122
|
+
customPermissions: { allowed: new Set(), denied: new Set() },
|
|
123
|
+
roleOrdinalValue,
|
|
124
|
+
objectAccess: {},
|
|
125
|
+
});
|
|
76
126
|
}
|
|
77
127
|
const allAllowed = new Set();
|
|
78
128
|
for (const [permName, permDef] of Object.entries(perms)) {
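Review bot: `getObjectAccess` reads `this.objectAccess[objName]` from a plain `{}` literal, so an object name that happens to exist on `Object.prototype` (`constructor`, `toString`, `hasOwnProperty`) resolves to an inherited function, passes the `!allowedObjectAccess` check and is returned as if it were an access definition. A guarded lookup, `const allowedObjectAccess = Object.hasOwn(this.objectAccess, objName) ? this.objectAccess[objName] : undefined;`, or initialising the map with `Object.create(null)` (or a `Map`) in the constructor, closes that. Separately, the method hands back the internal entry itself rather than a copy, so a caller that mutates the result rewrites the role's definition; `return { ...allowedObjectAccess };` keeps the role immutable for the price of one line.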
|
|
@@ -80,7 +130,12 @@ export function newRoleFromOrdinals(roleName, perms) {
|
|
|
80
130
|
allAllowed.add(permName);
|
|
81
131
|
}
|
|
82
132
|
}
|
|
83
|
-
return new UserRole(roleName, {
|
|
133
|
+
return new UserRole(roleName, {
|
|
134
|
+
userPermissions: { allowed: allAllowed, denied: new Set() },
|
|
135
|
+
customPermissions: { allowed: new Set(), denied: new Set() },
|
|
136
|
+
roleOrdinalValue,
|
|
137
|
+
objectAccess: {},
|
|
138
|
+
});
|
|
84
139
|
}
|
|
85
140
|
function resolvePresetOrdinalValue(value) {
|
|
86
141
|
const indexOfValue = Object.values(UserPrivilegeLevel).indexOf(value);
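Review bot: Both `new UserRole(roleName, {...})` literals in `newRoleFromOrdinals` (this hunk and the early return in the previous one) repeat `customPermissions: { allowed: new Set(), denied: new Set() }` and `objectAccess: {}`, which the constructor already defaults; only `userPermissions` and `roleOrdinalValue` differ between the two. More relevant for the audit semantics, neither passes `isStrict`, so preset roles fall back to `isStrict: false` and `getObjectAccess` answers every object with all five flags true, including `viewAllFields`. If that is intended (presets constrain user permissions only), a comment on this return such as `// preset roles carry no object access controls, so getObjectAccess() is permissive for them` saves the next reader from tracing it; if not, pass `isStrict: true` here or derive it from the ordinal.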
|
|
@@ -94,22 +149,37 @@ function resolveRole(roleName, controls) {
|
|
|
94
149
|
if (!rawRoleDef) {
|
|
95
150
|
throw messages.createError('TriedToAccessRoleThatDoesNotExist', [roleName]);
|
|
96
151
|
}
|
|
97
|
-
const
|
|
98
|
-
|
|
99
|
-
|
|
152
|
+
const aggregatedRoleDef = { strict: rawRoleDef.strict ?? false };
|
|
153
|
+
for (const controlType of ['permissions', 'objectAccess']) {
|
|
154
|
+
try {
|
|
155
|
+
aggregatedRoleDef[controlType] = resolveReferences(rawRoleDef[controlType], controls[controlType]);
|
|
156
|
+
}
|
|
157
|
+
catch (err) {
|
|
158
|
+
const errorDetails = err instanceof Error ? err.message : 'Unknown';
|
|
159
|
+
throw messages.createError('RoleReferencesControlThatDoesNotExist', [roleName, controlType, errorDetails]);
|
|
160
|
+
}
|
|
100
161
|
}
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
|
|
104
|
-
|
|
105
|
-
|
|
162
|
+
return aggregatedRoleDef;
|
|
163
|
+
}
|
|
164
|
+
function resolveReferences(roleDef, controls) {
|
|
165
|
+
const mergedControl = {};
|
|
166
|
+
const definitiveControls = controls ?? {};
|
|
167
|
+
const definitiveRoleDef = roleDef ?? {};
|
|
168
|
+
if (Array.isArray(definitiveRoleDef)) {
|
|
169
|
+
for (const controlRef of definitiveRoleDef) {
|
|
170
|
+
const referencedControl = definitiveControls[controlRef];
|
|
171
|
+
if (referencedControl) {
|
|
172
|
+
merge(mergedControl, referencedControl);
|
|
106
173
|
}
|
|
107
174
|
else {
|
|
108
|
-
throw
|
|
175
|
+
throw new Error(controlRef);
|
|
109
176
|
}
|
|
110
177
|
}
|
|
111
178
|
}
|
|
112
|
-
|
|
179
|
+
else {
|
|
180
|
+
merge(mergedControl, definitiveRoleDef);
|
|
181
|
+
}
|
|
182
|
+
return mergedControl;
|
|
113
183
|
}
|
|
114
184
|
function buildAllowedPerms(rolePermDef, permClassifications, allowedClassifications) {
|
|
115
185
|
const allowedPerms = new Set();
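Review bot: `resolveReferences` folds several referenced controls into one object with `merge` from `@salesforce/kit`, so when two referenced object-access controls define the same object, the one later in the role's reference list overrides the earlier flags (assuming `merge` is a last-wins deep merge, which is not visible here); a reader of a role file cannot tell whether the effective policy is the intersection, the union or the last entry. A comment above the `for (const controlRef ...)` loop, e.g. `// references are merged in list order; a later control overrides matching keys of an earlier one`, plus the same sentence in the roles documentation, would remove the ambiguity. The `throw new Error(controlRef)` / `catch` pair in `resolveRole` uses an exception only to carry the missing reference name back up; returning the missing name from `resolveReferences` would make the flow plainer, but that is style.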
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"userRole.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/roles/userRole.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,iBAAiB,CAAC;AACxC,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAEL,mBAAmB,EACnB,kBAAkB,
|
|
1
|
+
{"version":3,"file":"userRole.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/roles/userRole.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,iBAAiB,CAAC;AACxC,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAEL,mBAAmB,EACnB,kBAAkB,GAInB,MAAM,oBAAoB,CAAC;AAU5B,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,oCAAoC,CAAC,CAAC;AAenH,MAAM,CAAC,OAAO,OAAO,QAAQ;IAID;IAHlB,MAAM,CAAiB;IACvB,YAAY,CAA4C;IAEhE,YAA0B,QAAgB,EAAE,MAA+B;QAAjD,aAAQ,GAAR,QAAQ,CAAQ;QACxC,IAAI,CAAC,MAAM,GAAG;YACZ,eAAe,EAAE,EAAE,OAAO,EAAE,IAAI,GAAG,EAAU,EAAE,MAAM,EAAE,IAAI,GAAG,EAAU,EAAE;YAC1E,iBAAiB,EAAE,EAAE,OAAO,EAAE,IAAI,GAAG,EAAU,EAAE,MAAM,EAAE,IAAI,GAAG,EAAU,EAAE;YAC5E,YAAY,EAAE,EAAE;YAChB,QAAQ,EAAE,KAAK;YACf,GAAG,MAAM;SACV,CAAC;QACF,IAAI,CAAC,YAAY,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,YAAY,IAAI,EAAE,CAAC,EAAE,CAAC;YAC1E,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,GAAG;gBAC3B,SAAS,EAAE,KAAK;gBAChB,WAAW,EAAE,KAAK;gBAClB,WAAW,EAAE,KAAK;gBAClB,SAAS,EAAE,KAAK;gBAChB,aAAa,EAAE,KAAK;gBACpB,GAAG,MAAM;aACV,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACI,QAAQ,CAAC,UAA2B;QACzC,IAAI,UAAU,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;YAC5C,OAAO,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;QACjF,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;QAC/E,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACI,SAAS,CAAC,UAA2B;QAC1C,IAAI,UAAU,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;YAC5C,OAAO,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QACpE,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QAClE,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACI,WAAW,CAAC,SAAmB;QACpC,MAAM,mBAAmB,GAAG,IAAI,KAAK,EAAU,CAAC;QAChD,MAAM,kBAAkB,GAAG,IAAI,KAAK,EAAU,CAAC;QAC/C,MAAM,iBAAiB,GACrB,IAAI,CAAC,MAAM,CAAC,gBAAgB,IAAI,SAAS,CAAC,MAAM,CAAC,gBAAgB;YAC/D,CAAC,CAAC,IAAI
,CAAC,MAAM,CAAC,gBAAgB,IAAI,SAAS,CAAC,MAAM,CAAC,gBAAgB;YACnE,CAAC,CAAC,IAAI,CAAC;QACX,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,OAAO,EAAE,GAAG,SAAS,CAAC,MAAM,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC,CAAC;QAC9G,KAAK,MAAM,IAAI,IAAI,MAAM,EAAE,CAAC;YAC1B,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBACnD,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAChC,CAAC;YACD,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBACxD,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,CAAC;QACH,CAAC;QACD,OAAO;YACL,UAAU,EAAE,kBAAkB,CAAC,MAAM,KAAK,CAAC,IAAI,iBAAiB;YAChE,kBAAkB;YAClB,mBAAmB;SACpB,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACI,eAAe,CAAC,OAAe;QACpC,MAAM,mBAAmB,GAAG,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QACvD,uFAAuF;QACvF,IAAI,CAAC,mBAAmB,EAAE,CAAC;YACzB,OAAO;gBACL,WAAW,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ;gBAClC,SAAS,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ;gBAChC,SAAS,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ;gBAChC,WAAW,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ;gBAClC,aAAa,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ;aACrC,CAAC;QACJ,CAAC;QACD,OAAO,mBAAmB,CAAC;IAC7B,CAAC;CACF;AAED,MAAM,UAAU,qBAAqB,CAAC,QAAgB,EAAE,MAAyB;IAC/E,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,WAAW,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IACrF,MAAM,eAAe,GAAG,iBAAiB,CACvC,WAAW,EAAE,eAAe,EAC5B,MAAM,CAAC,KAAK,CAAC,eAAe,EAC5B,WAAW,EAAE,sBAAsB,CACpC,CAAC;IACF,MAAM,iBAAiB,GAAG,iBAAiB,CACzC,WAAW,EAAE,iBAAiB,EAC9B,MAAM,CAAC,KAAK,CAAC,iBAAiB,EAC9B,WAAW,EAAE,sBAAsB,CACpC,CAAC;IACF,OAAO,IAAI,QAAQ,CAAC,QAAQ,EAAE,EAAE,eAAe,EAAE,iBAAiB,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAC;AACxG,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,QAA4B,EAAE,KAAiC;IACjG,MAAM,gBAAgB,GAAG,yBAAyB,CAAC,QAAQ,CAAC,CAAC;IAC7D,IAAI,CAAC,KAAK,IAAI,QAAQ,KAAK,kBAAkB,CAAC,OAAO,EAAE,CAAC;QACtD,OAAO,IAAI,QAAQ,CAAC,QAAQ,EAAE;YAC5B,eAAe,EAAE,EAAE,OAAO,EAAE,IAAI,GAAG,EAAU,EAAE,MAAM,EAAE,IAAI,GAAG,EAAU,EAAE;YAC1E,iBAAiB,EAAE,EAAE,OAAO,EAAE,IAAI,GAAG,EAAU,EAAE,MAAM,EAAE,IAAI,GAAG,EAAU,EAAE;YAC5E,gBAAgB;YAChB,YAAY,EAAE,EAAE;SACjB,CAAC,CAAC
;IACL,CAAC;IACD,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IACrC,KAAK,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACxD,IAAI,gBAAgB,IAAI,4BAA4B,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;YAC7E,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC3B,CAAC;IACH,CAAC;IACD,OAAO,IAAI,QAAQ,CAAC,QAAQ,EAAE;QAC5B,eAAe,EAAE,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI,GAAG,EAAU,EAAE;QACnE,iBAAiB,EAAE,EAAE,OAAO,EAAE,IAAI,GAAG,EAAU,EAAE,MAAM,EAAE,IAAI,GAAG,EAAU,EAAE;QAC5E,gBAAgB;QAChB,YAAY,EAAE,EAAE;KACjB,CAAC,CAAC;AACL,CAAC;AAED,SAAS,yBAAyB,CAAC,KAAyB;IAC1D,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IACtE,OAAO,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,MAAM,GAAG,YAAY,CAAC;AAC/D,CAAC;AAED,SAAS,4BAA4B,CAAC,KAAa;IACjD,OAAO,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC;AACjH,CAAC;AAED,SAAS,WAAW,CAAC,QAAgB,EAAE,QAA0B;IAC/D,MAAM,UAAU,GAAG,QAAQ,CAAC,KAAK,EAAE,CAAC,QAAQ,CAAC,CAAC;IAC9C,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,QAAQ,CAAC,WAAW,CAAC,mCAAmC,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC9E,CAAC;IACD,MAAM,iBAAiB,GAAsC,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,IAAI,KAAK,EAAE,CAAC;IACpG,KAAK,MAAM,WAAW,IAAI,CAAC,aAAa,EAAE,cAAc,CAAU,EAAE,CAAC;QACnE,IAAI,CAAC;YACH,iBAAiB,CAAC,WAAW,CAAC,GAAG,iBAAiB,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC;QACrG,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,YAAY,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC;YACpE,MAAM,QAAQ,CAAC,WAAW,CAAC,uCAAuC,EAAE,CAAC,QAAQ,EAAE,WAAW,EAAE,YAAY,CAAC,CAAC,CAAC;QAC7G,CAAC;IACH,CAAC;IACD,OAAO,iBAA6C,CAAC;AACvD,CAAC;AAMD,SAAS,iBAAiB,CACxB,OAA0B,EAC1B,QAAiC;IAEjC,MAAM,aAAa,GAAG,EAAE,CAAC;IACzB,MAAM,kBAAkB,GAAG,QAAQ,IAAI,EAAE,CAAC;IAC1C,MAAM,iBAAiB,GAAsB,OAAO,IAAI,EAAE,CAAC;IAC3D,IAAI,KAAK,CAAC,OAAO,CAAC,iBAAiB,CAAC,EAAE,CAAC;QACrC,KAAK,MAAM,UAAU,IAAI,iBAAiB,EAAE,CAAC;YAC3C,MAAM,iBAAiB,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;YACzD,IAAI,iBAAiB,EAAE,CAAC;gBACtB,KAAK,CAAC,aAAa,EAAE,iBAAiB,CAAC,CAAC;YAC1C,CAAC;iBAAM,CAAC;
gBACN,MAAM,IAAI,KAAK,CAAC,UAAU,CAAC,CAAC;YAC9B,CAAC;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,KAAK,CAAC,aAAa,EAAE,iBAAiB,CAAC,CAAC;IAC1C,CAAC;IACD,OAAO,aAAa,CAAC;AACvB,CAAC;AAED,SAAS,iBAAiB,CACxB,WAAsC,EACtC,mBAA+C,EAC/C,sBAAiC;IAEjC,MAAM,YAAY,GAAG,IAAI,GAAG,EAAU,CAAC;IACvC,IAAI,sBAAsB,IAAI,mBAAmB,EAAE,CAAC;QAClD,KAAK,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,mBAAmB,CAAC,EAAE,CAAC;YACtE,IAAI,sBAAsB,CAAC,QAAQ,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;gBAC5D,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAC7B,CAAC;QACH,CAAC;IACH,CAAC;IACD,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,IAAI,GAAG,EAAU,EAAE,CAAC;IAC9D,CAAC;IACD,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;QACxB,KAAK,MAAM,QAAQ,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;YAC3C,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IACD,IAAI,WAAW,CAAC,QAAQ,EAAE,CAAC;QACzB,KAAK,MAAM,QAAQ,IAAI,WAAW,CAAC,QAAQ,EAAE,CAAC;YAC5C,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IACD,IAAI,WAAW,CAAC,MAAM,EAAE,CAAC;QACvB,KAAK,MAAM,QAAQ,IAAI,WAAW,CAAC,MAAM,EAAE,CAAC;YAC1C,YAAY,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;IACD,OAAO;QACL,OAAO,EAAE,YAAY;QACrB,MAAM,EAAE,IAAI,GAAG,CAAS,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,WAAW,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;KAClG,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,8 @@
|
|
|
1
|
+
import { PartialPolicyRuleResult, RuleAuditContext } from '../context.types.js';
|
|
2
|
+
import { ResolvedUser } from '../policies/users.js';
|
|
3
|
+
import PolicyRule, { RuleOptions } from './policyRule.js';
|
|
4
|
+
export default class EnforceObjectAccessOnUser extends PolicyRule<ResolvedUser> {
|
|
5
|
+
private readonly roleManager;
|
|
6
|
+
constructor(opts: RuleOptions);
|
|
7
|
+
run(context: RuleAuditContext<ResolvedUser>): Promise<PartialPolicyRuleResult>;
|
|
8
|
+
}
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
import RoleManager from '../roles/roleManager.js';
|
|
2
|
+
import PolicyRule from './policyRule.js';
|
|
3
|
+
export default class EnforceObjectAccessOnUser extends PolicyRule {
|
|
4
|
+
roleManager;
|
|
5
|
+
constructor(opts) {
|
|
6
|
+
super(opts);
|
|
7
|
+
this.roleManager = new RoleManager({
|
|
8
|
+
controls: opts.auditConfig.controls,
|
|
9
|
+
shape: opts.auditConfig.shape,
|
|
10
|
+
});
|
|
11
|
+
}
|
|
12
|
+
run(context) {
|
|
13
|
+
const result = this.initResult();
|
|
14
|
+
const users = context.resolvedEntities;
|
|
15
|
+
for (const user of Object.values(users)) {
|
|
16
|
+
const profileLikes = buildProfileLikes(user);
|
|
17
|
+
const { violations, warnings, errors } = this.roleManager.scanObjectAccess(user.role, profileLikes, [
|
|
18
|
+
user.username,
|
|
19
|
+
]);
|
|
20
|
+
result.errors.push(...errors);
|
|
21
|
+
result.warnings.push(...warnings);
|
|
22
|
+
result.violations.push(...violations);
|
|
23
|
+
}
|
|
24
|
+
return Promise.resolve(result);
|
|
25
|
+
}
|
|
26
|
+
}
|
|
27
|
+
function buildProfileLikes(user) {
|
|
28
|
+
const profileLikes = [];
|
|
29
|
+
profileLikes.push({ metadata: user.profileMetadata, name: user.profileName, type: 'Profile' });
|
|
30
|
+
for (const permSetAssignment of user.assignments ?? []) {
|
|
31
|
+
profileLikes.push({
|
|
32
|
+
metadata: permSetAssignment.metadata,
|
|
33
|
+
name: permSetAssignment.permissionSetIdentifier,
|
|
34
|
+
type: 'PermissionSet',
|
|
35
|
+
});
|
|
36
|
+
}
|
|
37
|
+
return profileLikes;
|
|
38
|
+
}
|
|
39
|
+
//# sourceMappingURL=enforceObjectAccessOnUser.js.map
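Review bot: `run` is a plain method that ends with `return Promise.resolve(result)`, so an exception thrown by `this.roleManager.scanObjectAccess` escapes synchronously instead of rejecting the returned promise, and a caller relying on `.catch` alone never sees it. Declaring `async run(context) {` and ending with `return result;` gives the declared `Promise<PartialPolicyRuleResult>` contract on both paths; the same pattern appears in `EnforcePermissionsOnProfileLike.run` and `EnforcePermissionsOnUser.run` further down. `buildProfileLikes` also appears to be duplicated — it is called from `enforcePermissionsOnUser.js` in a later hunk, though its definition there is outside this view — so hoisting one copy next to `isRefinedProfileLike` in `roleManager.types.js` would keep the two rules in step.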
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"enforceObjectAccessOnUser.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforceObjectAccessOnUser.ts"],"names":[],"mappings":"AACA,OAAO,WAAW,MAAM,yBAAyB,CAAC;AAGlD,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,MAAM,CAAC,OAAO,OAAO,yBAA0B,SAAQ,UAAwB;IAC5D,WAAW,CAAC;IAE7B,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;QACZ,IAAI,CAAC,WAAW,GAAG,IAAI,WAAW,CAAC;YACjC,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,QAAQ;YACnC,KAAK,EAAE,IAAI,CAAC,WAAW,CAAC,KAAK;SAC9B,CAAC,CAAC;IACL,CAAC;IAEM,GAAG,CAAC,OAAuC;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,KAAK,GAAG,OAAO,CAAC,gBAAgB,CAAC;QACvC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;YACxC,MAAM,YAAY,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;YAC7C,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,WAAW,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,EAAE,YAAY,EAAE;gBAClG,IAAI,CAAC,QAAQ;aACd,CAAC,CAAC;YACH,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,CAAC;YAC9B,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;YAClC,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC;QACxC,CAAC;QACD,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF;AAED,SAAS,iBAAiB,CAAC,IAAkB;IAC3C,MAAM,YAAY,GAAkB,EAAE,CAAC;IACvC,YAAY,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,eAAe,EAAE,IAAI,EAAE,IAAI,CAAC,WAAW,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC;IAC/F,KAAK,MAAM,iBAAiB,IAAI,IAAI,CAAC,WAAW,IAAI,EAAE,EAAE,CAAC;QACvD,YAAY,CAAC,IAAI,CAAC;YAChB,QAAQ,EAAE,iBAAiB,CAAC,QAAQ;YACpC,IAAI,EAAE,iBAAiB,CAAC,uBAAuB;YAC/C,IAAI,EAAE,eAAe;SACtB,CAAC,CAAC;IACL,CAAC;IACD,OAAO,YAAY,CAAC;AACtB,CAAC"}
|
|
@@ -1,9 +1,5 @@
|
|
|
1
|
-
import { Messages } from '@salesforce/core';
|
|
2
|
-
import { isNullish } from '../../../../utils.js';
|
|
3
1
|
import RoleManager from '../roles/roleManager.js';
|
|
4
2
|
import PolicyRule from './policyRule.js';
|
|
5
|
-
Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
|
|
6
|
-
const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.enforceClassificationPresets');
|
|
7
3
|
export default class EnforcePermissionsOnProfileLike extends PolicyRule {
|
|
8
4
|
roleManager;
|
|
9
5
|
constructor(opts) {
|
|
@@ -17,18 +13,10 @@ export default class EnforcePermissionsOnProfileLike extends PolicyRule {
|
|
|
17
13
|
const result = this.initResult();
|
|
18
14
|
const resolvedProfiles = context.resolvedEntities;
|
|
19
15
|
for (const profile of Object.values(resolvedProfiles)) {
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
});
|
|
25
|
-
continue;
|
|
26
|
-
}
|
|
27
|
-
if (!isNullish(profile.metadata)) {
|
|
28
|
-
const profileScanResult = this.roleManager.scanProfileLike(profile);
|
|
29
|
-
result.violations.push(...profileScanResult.violations);
|
|
30
|
-
result.warnings.push(...profileScanResult.warnings);
|
|
31
|
-
}
|
|
16
|
+
const { errors, violations, warnings } = this.roleManager.scanPermissions(profile.role, profile);
|
|
17
|
+
result.errors.push(...errors);
|
|
18
|
+
result.warnings.push(...warnings);
|
|
19
|
+
result.violations.push(...violations);
|
|
32
20
|
}
|
|
33
21
|
return Promise.resolve(result);
|
|
34
22
|
}
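Review bot: The rewritten loop calls `this.roleManager.scanPermissions(profile.role, profile)` for every resolved profile, dropping the previous `isNullish(profile.metadata)` guard and the early `continue` path whose body is truncated in this view. Presumably `scanPermissions` now reports a profile without metadata or role through the new `errors` array, since `ScanResult` gained `errors` in this release — that is inferred from the types, not visible here; if it instead reads `profile.metadata.userPermissions` unguarded, a profile whose metadata failed to retrieve would throw out of `run`. A comment on the call, e.g. `// scanPermissions reports missing metadata/role as errors instead of skipping the profile`, would record where the handling moved.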
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"enforcePermissionsOnProfileLike.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"enforcePermissionsOnProfileLike.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.ts"],"names":[],"mappings":"AACA,OAAO,WAAW,MAAM,yBAAyB,CAAC;AAElD,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,MAAM,CAAC,OAAO,OAAO,+BAAgC,SAAQ,UAA+B;IACzE,WAAW,CAAC;IAE7B,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;QACZ,IAAI,CAAC,WAAW,GAAG,IAAI,WAAW,CAAC;YACjC,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,QAAQ;YACnC,KAAK,EAAE,IAAI,CAAC,WAAW,CAAC,KAAK;SAC9B,CAAC,CAAC;IACL,CAAC;IAEM,GAAG,CAAC,OAA8C;QACvD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC;QAClD,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE,CAAC;YACtD,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YACjG,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,CAAC;YAC9B,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;YAClC,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC;QACxC,CAAC;QACD,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF"}
|
|
@@ -1,8 +1,5 @@
|
|
|
1
|
-
import { Messages } from '@salesforce/core';
|
|
2
1
|
import RoleManager from '../roles/roleManager.js';
|
|
3
2
|
import PolicyRule from './policyRule.js';
|
|
4
|
-
Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
|
|
5
|
-
const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.enforceClassificationPresets');
|
|
6
3
|
export default class EnforcePermissionsOnUser extends PolicyRule {
|
|
7
4
|
roleManager;
|
|
8
5
|
constructor(opts) {
|
|
@@ -16,38 +13,27 @@ export default class EnforcePermissionsOnUser extends PolicyRule {
|
|
|
16
13
|
const result = this.initResult();
|
|
17
14
|
const users = context.resolvedEntities;
|
|
18
15
|
for (const user of Object.values(users)) {
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
continue;
|
|
25
|
-
}
|
|
26
|
-
const { violations, warnings } = this.scanAssignedPermissionSets(user, user.assignments);
|
|
27
|
-
result.violations.push(...violations);
|
|
16
|
+
const profileLikes = buildProfileLikes(user);
|
|
17
|
+
const { violations, warnings, errors } = this.roleManager.scanPermissions(user.role, profileLikes, [
|
|
18
|
+
user.username,
|
|
19
|
+
]);
|
|
20
|
+
result.errors.push(...errors);
|
|
28
21
|
result.warnings.push(...warnings);
|
|
29
|
-
|
|
30
|
-
const profileResult = this.roleManager.scanProfileLike({ role: user.role, metadata: user.profileMetadata, name: user.profileName }, [user.username]);
|
|
31
|
-
result.violations.push(...profileResult.violations);
|
|
32
|
-
result.warnings.push(...profileResult.warnings);
|
|
33
|
-
}
|
|
22
|
+
result.violations.push(...violations);
|
|
34
23
|
}
|
|
35
24
|
return Promise.resolve(result);
|
|
36
25
|
}
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
result.violations.push(...permsetScan.violations);
|
|
48
|
-
result.warnings.push(...permsetScan.warnings);
|
|
49
|
-
}
|
|
50
|
-
return result;
|
|
26
|
+
}
|
|
27
|
+
function buildProfileLikes(user) {
|
|
28
|
+
const profileLikes = [];
|
|
29
|
+
profileLikes.push({ metadata: user.profileMetadata, name: user.profileName, type: 'Profile' });
|
|
30
|
+
for (const permSetAssignment of user.assignments ?? []) {
|
|
31
|
+
profileLikes.push({
|
|
32
|
+
metadata: permSetAssignment.metadata,
|
|
33
|
+
name: permSetAssignment.permissionSetIdentifier,
|
|
34
|
+
type: 'PermissionSet',
|
|
35
|
+
});
|
|
51
36
|
}
|
|
37
|
+
return profileLikes;
|
|
52
38
|
}
|
|
53
39
|
//# sourceMappingURL=enforcePermissionsOnUser.js.map
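Review bot: `buildProfileLikes` pushes the Profile entry unconditionally, so a user whose `profileMetadata` was never resolved (or an assignment without `metadata`) now reaches `scanPermissions` with `metadata: undefined`, whereas the removed guard (old lines 19–25, whose condition is not legible in this rendering) used to `continue` past such users before any scan. Whether an undefined metadata surfaces in the returned `errors` or is silently scored as a clean scan depends on `scanPermissions`, which is outside this hunk; for an audit rule the latter is fail-open, because an unreadable profile would simply report no violations. I would make the contract explicit on the helper: `/** Profile first, then each assigned permission set. metadata may be undefined when resolution failed — scanPermissions must report that as an error, never as a clean scan. */`, and add a test with a user whose `profileMetadata` is undefined asserting that `result.errors` is non-empty. The same question applies to `user.role`, which is passed through unchecked.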
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"enforcePermissionsOnUser.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionsOnUser.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"enforcePermissionsOnUser.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionsOnUser.ts"],"names":[],"mappings":"AACA,OAAO,WAAW,MAAM,yBAAyB,CAAC;AAGlD,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,MAAM,CAAC,OAAO,OAAO,wBAAyB,SAAQ,UAAwB;IAC3D,WAAW,CAAC;IAE7B,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;QACZ,IAAI,CAAC,WAAW,GAAG,IAAI,WAAW,CAAC;YACjC,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,QAAQ;YACnC,KAAK,EAAE,IAAI,CAAC,WAAW,CAAC,KAAK;SAC9B,CAAC,CAAC;IACL,CAAC;IAEM,GAAG,CAAC,OAAuC;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,KAAK,GAAG,OAAO,CAAC,gBAAgB,CAAC;QACvC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;YACxC,MAAM,YAAY,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;YAC7C,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,EAAE,YAAY,EAAE;gBACjG,IAAI,CAAC,QAAQ;aACd,CAAC,CAAC;YACH,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,CAAC;YAC9B,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;YAClC,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC;QACxC,CAAC;QACD,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF;AAED,SAAS,iBAAiB,CAAC,IAAkB;IAC3C,MAAM,YAAY,GAAkB,EAAE,CAAC;IACvC,YAAY,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,eAAe,EAAE,IAAI,EAAE,IAAI,CAAC,WAAW,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC;IAC/F,KAAK,MAAM,iBAAiB,IAAI,IAAI,CAAC,WAAW,IAAI,EAAE,EAAE,CAAC;QACvD,YAAY,CAAC,IAAI,CAAC;YAChB,QAAQ,EAAE,iBAAiB,CAAC,QAAQ;YACpC,IAAI,EAAE,iBAAiB,CAAC,uBAAuB;YAC/C,IAAI,EAAE,eAAe;SACtB,CAAC,CAAC;IACL,CAAC;IACD,OAAO,YAAY,CAAC;AACtB,CAAC"}
|
|
@@ -8,6 +8,7 @@ export declare const BaseAuditConfigShape: {
|
|
|
8
8
|
files: {
|
|
9
9
|
roles: {
|
|
10
10
|
schema: import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
|
|
11
|
+
strict: import("zod").ZodOptional<import("zod").ZodBoolean>;
|
|
11
12
|
permissions: import("zod").ZodOptional<import("zod").ZodXor<readonly [import("zod").ZodArray<import("zod").ZodString>, import("zod").ZodObject<{
|
|
12
13
|
allowedClassifications: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodEnum<typeof import("./schema.js").PermissionRiskLevel>>>;
|
|
13
14
|
userPermissions: import("zod").ZodOptional<import("zod").ZodObject<{
|
|
@@ -21,6 +22,13 @@ export declare const BaseAuditConfigShape: {
|
|
|
21
22
|
required: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
|
|
22
23
|
}, import("zod/v4/core").$strip>>;
|
|
23
24
|
}, import("zod/v4/core").$strip>]>>;
|
|
25
|
+
objectAccess: import("zod").ZodOptional<import("zod").ZodXor<readonly [import("zod").ZodArray<import("zod").ZodString>, import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
|
|
26
|
+
allowRead: import("zod").ZodOptional<import("zod").ZodBoolean>;
|
|
27
|
+
allowCreate: import("zod").ZodOptional<import("zod").ZodBoolean>;
|
|
28
|
+
allowEdit: import("zod").ZodOptional<import("zod").ZodBoolean>;
|
|
29
|
+
allowDelete: import("zod").ZodOptional<import("zod").ZodBoolean>;
|
|
30
|
+
viewAllFields: import("zod").ZodOptional<import("zod").ZodBoolean>;
|
|
31
|
+
}, import("zod/v4/core").$strip>>]>>;
|
|
24
32
|
}, import("zod/v4/core").$strict>>;
|
|
25
33
|
};
|
|
26
34
|
permissions: {
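Review bot: The `objectAccess` value object on the added lines is `$strip` while the enclosing role object is `$strict`, so a misspelled flag in a role's object-access config (e.g. `alowDelete`) is silently discarded instead of rejected. All five flags are optional, so the dropped key simply reads as unset; depending on how the policy treats an unset flag (not visible here) that produces either a spurious violation or a missed one, and in both cases the operator gets no validation error for a typo in a security policy. This is a generated declaration, so the fix belongs in the zod schema in `src`: the object-access shape should be `.strict()` like its parent, after which this `.d.ts` regenerates with `$strict` on the inner object. It would also help to document what the new role-level `strict` flag toggles, since a flag named `strict` next to a non-strict nested schema invites confusion.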
|