@j-schreiber/sf-cli-security-audit 0.22.0 → 0.23.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +3 -3
- package/lib/libs/audit-engine/auditRun.js +6 -7
- package/lib/libs/audit-engine/auditRun.js.map +1 -1
- package/lib/libs/audit-engine/index.d.ts +9 -0
- package/lib/libs/audit-engine/registry/definitions.d.ts +9 -0
- package/lib/libs/audit-engine/registry/policies/settings.js +2 -0
- package/lib/libs/audit-engine/registry/policies/settings.js.map +1 -1
- package/lib/libs/audit-engine/registry/roles/roleManager.d.ts +7 -1
- package/lib/libs/audit-engine/registry/roles/roleManager.js +12 -0
- package/lib/libs/audit-engine/registry/roles/roleManager.js.map +1 -1
- package/lib/libs/audit-engine/registry/roles/userRole.d.ts +24 -1
- package/lib/libs/audit-engine/registry/roles/userRole.js +53 -5
- package/lib/libs/audit-engine/registry/roles/userRole.js.map +1 -1
- package/lib/libs/audit-engine/registry/ruleRegistry.js +7 -1
- package/lib/libs/audit-engine/registry/ruleRegistry.js.map +1 -1
- package/lib/libs/audit-engine/registry/rules/enforceObjectAccessOnUser.d.ts +0 -1
- package/lib/libs/audit-engine/registry/rules/enforceObjectAccessOnUser.js +1 -7
- package/lib/libs/audit-engine/registry/rules/enforceObjectAccessOnUser.js.map +1 -1
- package/lib/libs/audit-engine/registry/rules/enforcePermissionPresets.d.ts +0 -1
- package/lib/libs/audit-engine/registry/rules/enforcePermissionPresets.js +3 -9
- package/lib/libs/audit-engine/registry/rules/enforcePermissionPresets.js.map +1 -1
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.d.ts +0 -1
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.js +1 -7
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.js.map +1 -1
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnUser.d.ts +0 -1
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnUser.js +1 -7
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnUser.js.map +1 -1
- package/lib/libs/audit-engine/registry/rules/policyRule.d.ts +2 -0
- package/lib/libs/audit-engine/registry/rules/policyRule.js.map +1 -1
- package/lib/libs/audit-engine/registry/shape/auditConfigShape.d.ts +9 -0
- package/lib/libs/audit-engine/registry/shape/auditConfigShape.js +2 -1
- package/lib/libs/audit-engine/registry/shape/auditConfigShape.js.map +1 -1
- package/lib/libs/audit-engine/registry/shape/shapeValidation.d.ts +2 -2
- package/lib/libs/audit-engine/registry/shape/shapeValidation.js +36 -21
- package/lib/libs/audit-engine/registry/shape/shapeValidation.js.map +1 -1
- package/lib/salesforce/describes/orgDescribe.d.ts +9 -1
- package/lib/salesforce/describes/orgDescribe.js +37 -2
- package/lib/salesforce/describes/orgDescribe.js.map +1 -1
- package/lib/salesforce/describes/orgDescribe.types.d.ts +21 -2
- package/messages/auditShapeValidation.md +4 -0
- package/messages/rules.enforceClassificationPresets.md +1 -1
- package/oclif.manifest.json +1 -1
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -89,7 +89,7 @@ FLAG DESCRIPTIONS
|
|
|
89
89
|
essentially control, if a permission is allowed in a certain profile / permission set.
|
|
90
90
|
```
|
|
91
91
|
|
|
92
|
-
_See code: [src/commands/org/audit/init.ts](https://github.com/j-schreiber/js-sf-cli-security-audit/blob/v0.
|
|
92
|
+
_See code: [src/commands/org/audit/init.ts](https://github.com/j-schreiber/js-sf-cli-security-audit/blob/v0.23.0/src/commands/org/audit/init.ts)_
|
|
93
93
|
|
|
94
94
|
## `sf org audit run`
|
|
95
95
|
|
|
@@ -134,7 +134,7 @@ FLAG DESCRIPTIONS
|
|
|
134
134
|
never truncated.
|
|
135
135
|
```
|
|
136
136
|
|
|
137
|
-
_See code: [src/commands/org/audit/run.ts](https://github.com/j-schreiber/js-sf-cli-security-audit/blob/v0.
|
|
137
|
+
_See code: [src/commands/org/audit/run.ts](https://github.com/j-schreiber/js-sf-cli-security-audit/blob/v0.23.0/src/commands/org/audit/run.ts)_
|
|
138
138
|
|
|
139
139
|
## `sf org scan user-perms`
|
|
140
140
|
|
|
@@ -183,7 +183,7 @@ FLAG DESCRIPTIONS
|
|
|
183
183
|
userPermissions.yml.
|
|
184
184
|
```
|
|
185
185
|
|
|
186
|
-
_See code: [src/commands/org/scan/user-perms.ts](https://github.com/j-schreiber/js-sf-cli-security-audit/blob/v0.
|
|
186
|
+
_See code: [src/commands/org/scan/user-perms.ts](https://github.com/j-schreiber/js-sf-cli-security-audit/blob/v0.23.0/src/commands/org/scan/user-perms.ts)_
|
|
187
187
|
|
|
188
188
|
<!-- commandsstop -->
|
|
189
189
|
|
|
@@ -4,6 +4,7 @@ import SfConnection from '../../salesforce/connection.js';
|
|
|
4
4
|
import { loadPolicy } from './registry/definitions.js';
|
|
5
5
|
import AcceptedRisks from './accepted-risks/acceptedRisks.js';
|
|
6
6
|
import { verifyRoleDefinitions } from './registry/shape/shapeValidation.js';
|
|
7
|
+
import RoleManager from './registry/roles/roleManager.js';
|
|
7
8
|
/**
|
|
8
9
|
* Instance of an audit run that manages high-level operations
|
|
9
10
|
*/
|
|
@@ -31,7 +32,7 @@ export default class AuditRun extends EventEmitter {
|
|
|
31
32
|
const sfCon = await SfConnection.create(targetOrgConnection);
|
|
32
33
|
this.emitStageUpdate('initialising');
|
|
33
34
|
const orgDescribe = await OrgDescribe.create(sfCon);
|
|
34
|
-
this.verifyAuditConfig(orgDescribe);
|
|
35
|
+
await this.verifyAuditConfig(orgDescribe);
|
|
35
36
|
this.emitStageUpdate('resolving');
|
|
36
37
|
const executablePolicies = await this.resolve(sfCon, orgDescribe);
|
|
37
38
|
this.emitStageUpdate('executing');
|
|
@@ -45,9 +46,10 @@ export default class AuditRun extends EventEmitter {
|
|
|
45
46
|
return result;
|
|
46
47
|
}
|
|
47
48
|
// PRIVATE ZONE
|
|
48
|
-
verifyAuditConfig(orgDescribe) {
|
|
49
|
+
async verifyAuditConfig(orgDescribe) {
|
|
49
50
|
if (this.config.controls.roles) {
|
|
50
|
-
const
|
|
51
|
+
const rm = new RoleManager({ controls: this.config.controls, shape: this.config.shape });
|
|
52
|
+
const roleWarnings = await verifyRoleDefinitions(rm.getRoleDefinitions(), orgDescribe);
|
|
51
53
|
for (const warning of roleWarnings) {
|
|
52
54
|
this.emitWarning(`${warning.path.join(' > ')}: ${warning.message}`);
|
|
53
55
|
}
|
|
@@ -67,10 +69,7 @@ export default class AuditRun extends EventEmitter {
|
|
|
67
69
|
return this.executablePolicies;
|
|
68
70
|
}
|
|
69
71
|
this.executablePolicies = this.loadPolicies();
|
|
70
|
-
const resolveResultPromises =
|
|
71
|
-
Object.values(this.executablePolicies).forEach((executable) => {
|
|
72
|
-
resolveResultPromises.push(executable.resolve({ targetOrgConnection, orgDescribe }));
|
|
73
|
-
});
|
|
72
|
+
const resolveResultPromises = Object.values(this.executablePolicies).map((executable) => executable.resolve({ targetOrgConnection, orgDescribe }));
|
|
74
73
|
await Promise.all(resolveResultPromises);
|
|
75
74
|
return this.executablePolicies;
|
|
76
75
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auditRun.js","sourceRoot":"","sources":["../../../src/libs/audit-engine/auditRun.ts"],"names":[],"mappings":"AAAA,OAAO,YAAY,MAAM,aAAa,CAAC;AAGvC,OAAO,EAAE,WAAW,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAC1E,OAAO,YAAY,MAAM,gCAAgC,CAAC;AAG1D,OAAO,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;AAEvD,OAAO,aAAa,MAAM,mCAAmC,CAAC;AAC9D,OAAO,EAAE,qBAAqB,EAAE,MAAM,qCAAqC,CAAC;
|
|
1
|
+
{"version":3,"file":"auditRun.js","sourceRoot":"","sources":["../../../src/libs/audit-engine/auditRun.ts"],"names":[],"mappings":"AAAA,OAAO,YAAY,MAAM,aAAa,CAAC;AAGvC,OAAO,EAAE,WAAW,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAC1E,OAAO,YAAY,MAAM,gCAAgC,CAAC;AAG1D,OAAO,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;AAEvD,OAAO,aAAa,MAAM,mCAAmC,CAAC;AAC9D,OAAO,EAAE,qBAAqB,EAAE,MAAM,qCAAqC,CAAC;AAC5E,OAAO,WAAW,MAAM,iCAAiC,CAAC;AAsB1D;;GAEG;AACH,MAAM,CAAC,OAAO,OAAO,QAAS,SAAQ,YAAY;IACzC,MAAM,CAAiB;IACtB,kBAAkB,CAAa;IAEvC,YAAmB,MAA+B;QAChD,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,aAAa,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,EAAE,GAAG,MAAM,EAAE,CAAC;QAC5G,gBAAgB,CAAC,EAAE,CAAC,gBAAgB,EAAE,CAAC,OAAyB,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC;IAC1G,CAAC;IAEM,uBAAuB,CAAC,UAAoB;QACjD,IAAI,IAAI,CAAC,kBAAkB,EAAE,CAAC,UAAU,CAAC,KAAK,SAAS,EAAE,CAAC;YACxD,OAAO,IAAI,CAAC,kBAAkB,CAAC,UAAU,CAAC,CAAC,kBAAkB,EAAE,CAAC,MAAM,CAAC;QACzE,CAAC;QACD,OAAO,CAAC,CAAC;IACX,CAAC;IAED;;;;;OAKG;IACI,KAAK,CAAC,OAAO,CAAC,mBAA+B;QAClD,MAAM,KAAK,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC,mBAAmB,CAAC,CAAC;QAC7D,IAAI,CAAC,eAAe,CAAC,cAAc,CAAC,CAAC;QACrC,MAAM,WAAW,GAAG,MAAM,WAAW,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACpD,MAAM,IAAI,CAAC,iBAAiB,CAAC,WAAW,CAAC,CAAC;QAC1C,IAAI,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC;QAClC,MAAM,kBAAkB,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;QAClE,IAAI,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC;QAClC,MAAM,cAAc,GAAG,MAAM,WAAW,CAAC,kBAAkB,EAAE,KAAK,EAAE,WAAW,CAAC,CAAC;QACjF,IAAI,CAAC,eAAe,CAAC,YAAY,CAAC,CAAC;QACnC,MAAM,MAAM,GAAG;YACb,KAAK,EAAE,mBAAmB,CAAC,iBAAiB,EAAE,CAAC,KAAK;YACpD,GAAG,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC;SACjC,CAAC;QACF,IAAI,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC;QAClC,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,eAAe;IAEP,KAAK,CAAC,iBAAiB,CAAC,WAAwB;QACtD,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;YAC/B,MAAM,EAAE,GAAG,IAAI,WAAW,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;YACzF,MAAM,YAAY,GAAG,MAAM,qBAAqB,CAAC,EAAE,CAAC,kBAAkB,EAAE,EAAE,WAAW,CAAC,CAAC;YACvF,KAAK,MAAM,OAAO,IAAI,YAAY,EAAE,CAAC;gBACnC,IAAI,CAAC,WAAW,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;YACtE,CAAC;QACH,CAAC;IACH,CAAC;IAEO,WAAW,CAAC,OAAe;QACjC,MAAM,OAAO,GAAqB,EAAE,OAAO,EAAE,CAAC;QAC9C,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IAChC,CAAC;IAED;;;;OAIG;IACK,KAAK,CAAC,OAAO,CAAC,mBAAiC,EAAE,WAAwB;QAC/E,IAAI,IAAI,CAAC,kBAAkB,EAAE,CAAC;YAC5B,OAAO,IAAI,CAAC,kBAAkB,CAAC;QACjC,CAAC;QACD,IAAI,CAAC,kBAAkB,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;QAC9C,MAAM,qBAAqB,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,GAAG,CAAC,CAAC,UAAU,EAAE,EAAE,CACtF,UAAU,CAAC,OAAO,CAAC,EAAE,mBAAmB,EAAE,WAAW,EAAE,CAAC,CACzD,CAAC;QACF,MAAM,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;QACzC,OAAO,IAAI,CAAC,kBAAkB,CAAC;IACjC,CAAC;IAED;;;;;OAKG;IACK,QAAQ,CAAC,cAAoC;QACnD,MAAM,gBAAgB,GAAe,EAAE,CAAC;QACxC,MAAM,WAAW,GAAG,IAAI,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;QACjE,KAAK,MAAM,CAAC,UAAU,EAAE,aAAa,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;YACzE,MAAM,MAAM,GAAG,IAAI,CAAC,kBAAkB,EAAE,CAAC,UAAU,CAAC,CAAC;YACrD,IAAI,MAAM,EAAE,CAAC;gBACX,gBAAgB,CAAC,UAAU,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC;YAC7E,CAAC;QACH,CAAC;QACD,OAAO;YACL,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,WAAW,EAAE,WAAW,CAAC,gBAAgB,CAAC;YAC1C,QAAQ,EAAE,gBAAgB;YAC1B,aAAa,EAAE,WAAW,CAAC,QAAQ,EAAE;SACtC,CAAC;IACJ,CAAC;IAEO,YAAY;QAClB,MAAM,IAAI,GAAc,EAAE,CAAC;QAC3B,KAAK,MAAM,UAAU,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC3D,MAAM,MAAM,GAAG,UAAU,CAAC,UAAsB,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;YAC/D,IAAI,MAAM,EAAE,CAAC;gBACX,MAAM,CAAC,WAAW,CAAC,eAAe,EAAE,CAAC,YAAoD,EAAE,EAAE;oBAC3F,IAAI,CAAC,IAAI,CAAC,iBAAiB,UAAU,EAAE,EAAE,EAAE,UAAU,EAAE,GAAG,YAAY,EAAE,CAAC,CAAC;gBAC5E,CAAC,CAAC,CAAC;gBACH,IAAI,CAAC,UAAU,CAAC,GAAG,MAAM,CAAC;YAC5B,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,eAAe,CAAC,QAAuB;QAC7C,MAAM,SAAS,GAAwB;YACrC,QAAQ;SACT,CAAC;QACF,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,SAAS,CAAC,CAAC;IACtC,CAAC;CACF;AAED,SAAS,WAAW,CAAC,OAAmB;IACtC,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACpC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,UAAU,EAAE,EAAE,CAAC,OAAO,IAAI,UAAU,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;AACtG,CAAC;AAED,KAAK,UAAU,WAAW,CACxB,QAAmB,EACnB,mBAAiC,EACjC,WAAwB;IAExB,MAAM,YAAY,GAAuC,EAAE,CAAC;IAC5D,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,EAAE,UAAU,CAAC,EAAE,EAAE;QAC3D,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC7B,YAAY,CAAC,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,mBAAmB,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC;IACnF,CAAC,CAAC,CAAC;IACH,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IACpD,MAAM,OAAO,GAAyB,EAAE,CAAC;IACzC,WAAW,CAAC,OAAO,CAAC,CAAC,YAAY,EAAE,EAAE;QACnC,MAAM,SAAS,GAAG,YAAY,CAAC,WAAW,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC;QAClE,OAAO,CAAC,SAAS,CAAC,GAAG,YAAY,CAAC;IACpC,CAAC,CAAC,CAAC;IACH,OAAO,OAAO,CAAC;AACjB,CAAC"}
|
|
@@ -63,6 +63,15 @@ export declare const ConfigFileManager: FileManager<{
|
|
|
63
63
|
}, import("zod/v4/core").$strip>>;
|
|
64
64
|
}, import("zod/v4/core").$strip>>;
|
|
65
65
|
};
|
|
66
|
+
objectAccess: {
|
|
67
|
+
schema: import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
|
|
68
|
+
allowRead: import("zod").ZodOptional<import("zod").ZodBoolean>;
|
|
69
|
+
allowCreate: import("zod").ZodOptional<import("zod").ZodBoolean>;
|
|
70
|
+
allowEdit: import("zod").ZodOptional<import("zod").ZodBoolean>;
|
|
71
|
+
allowDelete: import("zod").ZodOptional<import("zod").ZodBoolean>;
|
|
72
|
+
viewAllFields: import("zod").ZodOptional<import("zod").ZodBoolean>;
|
|
73
|
+
}, import("zod/v4/core").$strip>>>;
|
|
74
|
+
};
|
|
66
75
|
};
|
|
67
76
|
};
|
|
68
77
|
shape: {
|
|
@@ -88,6 +88,15 @@ export declare const AuditConfigShape: {
|
|
|
88
88
|
}, import("zod/v4/core").$strip>>;
|
|
89
89
|
}, import("zod/v4/core").$strip>>;
|
|
90
90
|
};
|
|
91
|
+
objectAccess: {
|
|
92
|
+
schema: import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
|
|
93
|
+
allowRead: import("zod").ZodOptional<import("zod").ZodBoolean>;
|
|
94
|
+
allowCreate: import("zod").ZodOptional<import("zod").ZodBoolean>;
|
|
95
|
+
allowEdit: import("zod").ZodOptional<import("zod").ZodBoolean>;
|
|
96
|
+
allowDelete: import("zod").ZodOptional<import("zod").ZodBoolean>;
|
|
97
|
+
viewAllFields: import("zod").ZodOptional<import("zod").ZodBoolean>;
|
|
98
|
+
}, import("zod/v4/core").$strip>>>;
|
|
99
|
+
};
|
|
91
100
|
};
|
|
92
101
|
};
|
|
93
102
|
shape: {
|
|
@@ -4,6 +4,7 @@ import RuleRegistry from '../ruleRegistry.js';
|
|
|
4
4
|
import EnforceSettings from '../rules/enforceSettings.js';
|
|
5
5
|
import { MDAPI } from '../../../../salesforce/index.js';
|
|
6
6
|
import Policy from '../policy.js';
|
|
7
|
+
import RoleManager from '../roles/roleManager.js';
|
|
7
8
|
Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
|
|
8
9
|
const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'policies.general');
|
|
9
10
|
export class SettingsRuleRegistry extends RuleRegistry {
|
|
@@ -18,6 +19,7 @@ export class SettingsRuleRegistry extends RuleRegistry {
|
|
|
18
19
|
if (settingName && ruleConfig.enabled) {
|
|
19
20
|
result.enabledRules.push(new EnforceSettings({
|
|
20
21
|
auditConfig: auditContext,
|
|
22
|
+
roles: new RoleManager({ controls: auditContext.controls, shape: auditContext.shape }),
|
|
21
23
|
ruleDisplayName: ruleName,
|
|
22
24
|
settingName,
|
|
23
25
|
ruleConfig: SettingsRuleConfigSchema.parse(ruleConfig.options ?? {}),
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"settings.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/policies/settings.ts"],"names":[],"mappings":"AAAA,OAAO,CAAC,MAAM,KAAK,CAAC;AACpB,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,YAA2C,MAAM,oBAAoB,CAAC;AAC7E,OAAO,eAAe,MAAM,6BAA6B,CAAC;AAC1D,OAAO,EAAE,KAAK,EAAiB,MAAM,iCAAiC,CAAC;AACvE,OAAO,MAA+B,MAAM,cAAc,CAAC;
|
|
1
|
+
{"version":3,"file":"settings.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/policies/settings.ts"],"names":[],"mappings":"AAAA,OAAO,CAAC,MAAM,KAAK,CAAC;AACpB,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,YAA2C,MAAM,oBAAoB,CAAC;AAC7E,OAAO,eAAe,MAAM,6BAA6B,CAAC;AAC1D,OAAO,EAAE,KAAK,EAAiB,MAAM,iCAAiC,CAAC;AACvE,OAAO,MAA+B,MAAM,cAAc,CAAC;AAK3D,OAAO,WAAW,MAAM,yBAAyB,CAAC;AAElD,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,kBAAkB,CAAC,CAAC;AAIjG,MAAM,OAAO,oBAAqB,SAAQ,YAAY;IACpD;QACE,KAAK,CAAC,EAAE,CAAC,CAAC;IACZ,CAAC;IAED,kDAAkD;IAClC,YAAY,CAC1B,QAA+B,EAC/B,YAA4B;QAE5B,MAAM,MAAM,GAA8B,EAAE,YAAY,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,aAAa,EAAE,EAAE,EAAE,CAAC;QACpG,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE,UAAU,CAAC,EAAE,EAAE;YAC1D,MAAM,WAAW,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;YAC/C,IAAI,WAAW,IAAI,UAAU,CAAC,OAAO,EAAE,CAAC;gBACtC,MAAM,CAAC,YAAY,CAAC,IAAI,CACtB,IAAI,eAAe,CAAC;oBAClB,WAAW,EAAE,YAAY;oBACzB,KAAK,EAAE,IAAI,WAAW,CAAC,EAAE,QAAQ,EAAE,YAAY,CAAC,QAAQ,EAAE,KAAK,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC;oBACtF,eAAe,EAAE,QAAQ;oBACzB,WAAW;oBACX,UAAU,EAAE,wBAAwB,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,IAAI,EAAE,CAAC;iBACrE,CAAC,CACH,CAAC;YACJ,CAAC;iBAAM,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;gBAC/B,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,CAAC,UAAU,CAAC,8BAA8B,CAAC,EAAE,CAAC,CAAC;YAChH,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC;oBACvB,IAAI,EAAE,QAAQ;oBACd,UAAU,EAAE,QAAQ,CAAC,UAAU,CAAC,sCAAsC,CAAC;iBACxE,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;QACH,OAAO,MAAM,CAAC;IAChB,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,CAAC,OAAO,OAAO,cAAe,SAAQ,MAAyB;IACzC;IAA6B;IAAvD,YAA0B,MAAoB,EAAS,WAA2B;QAChF,KAAK,CAAC,UAAU,EAAE,MAAM,EAAE,WAAW,EAAE,IAAI,oBAAoB,EAAE,CAAC,CAAC;QAD3C,WAAM,GAAN,MAAM,CAAc;QAAS,gBAAW,GAAX,WAAW,CAAgB;IAElF,CAAC;IAES,KAAK,CAAC,eAAe,CAAC,OAAqB;QACnD,MAAM,aAAa,GAAG,2BAA2B,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACrE,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;YACzB,KAAK,EAAE,aAAa,CAAC,MAAM;YAC3B,QAAQ,EAAE,CAAC;SACZ,CAAC,CAAC;QACH,MAAM,iBAAiB,GAAG,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;QACpE,MAAM,wBAAwB,GAAG,MAAM,iBAAiB,CAAC,OAAO,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;QAC5F,IAAI,CAAC,sCAAsC,CAAC,wBAAwB,CAAC,CAAC;QACtE,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;YACzB,KAAK,EAAE,aAAa,CAAC,MAAM;YAC3B,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC,MAAM;SACvD,CAAC,CAAC;QACH,OAAO;YACL,gBAAgB,EAAE,wBAAwB;YAC1C,eAAe,EAAE,mBAAmB,CAAC,wBAAwB,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC;SAClF,CAAC;IACJ,CAAC;IAEO,sCAAsC,CAAC,aAAgD;QAC7F,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;YACtD,IAAI,qBAAqB,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;oBACrC,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;oBACjD,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,IAAI,CAAC;wBACnC,IAAI,EAAE,IAAI,CAAC,eAAe;wBAC1B,UAAU,EAAE,QAAQ,CAAC,UAAU,CAAC,uCAAuC,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;qBAC7F,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AAED,SAAS,2BAA2B,CAAC,KAA4B;IAC/D,MAAM,QAAQ,GAAG,EAAE,CAAC;IACpB,KAAK,MAAM,CAAC,QAAQ,EAAE,UAAU,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC3D,MAAM,gBAAgB,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QACpD,IAAI,gBAAgB,IAAI,UAAU,CAAC,OAAO,EAAE,CAAC;YAC3C,QAAQ,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,qBAAqB,CAAC,GAAY;IACzC,OAAQ,GAAuB,CAAC,eAAe,KAAK,SAAS,CAAC;AAChE,CAAC;AAED,SAAS,mBAAmB,CAC1B,WAA8C,EAC9C,KAA4B;IAE5B,MAAM,MAAM,GAAG,IAAI,KAAK,EAAsB,CAAC;IAC/C,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1C,MAAM,SAAS,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QAC7C,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,SAAS;QACX,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,OAAO,EAAE,CAAC;YAC7B,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,8BAA8B,CAAC,EAAE,CAAC,CAAC;YAC/F,SAAS;QACX,CAAC;QACD,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC;YAC5B,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,yCAAyC,CAAC,EAAE,CAAC,CAAC;QAC5G,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,gBAAgB,CAAC,QAAgB;IACxC,MAAM,KAAK,GAAG,uBAAuB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACrD,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACjC,CAAC;AAED,MAAM,wBAAwB,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC"}
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import { EventEmitter } from 'node:events';
|
|
2
|
-
import { ProfileLike, RoleManagerConfig, ScanResult, UserRoleCompareResult } from './roleManager.types.js';
|
|
2
|
+
import { DefinitiveRoleDefinition, ProfileLike, RoleManagerConfig, ScanResult, UserRoleCompareResult } from './roleManager.types.js';
|
|
3
3
|
import UserRole from './userRole.js';
|
|
4
4
|
export default class RoleManager extends EventEmitter {
|
|
5
5
|
private readonly auditConfig;
|
|
@@ -48,6 +48,12 @@ export default class RoleManager extends EventEmitter {
|
|
|
48
48
|
* @returns
|
|
49
49
|
*/
|
|
50
50
|
getRole(roleName: string): UserRole;
|
|
51
|
+
/**
|
|
52
|
+
* Returns fully resolved roles
|
|
53
|
+
*
|
|
54
|
+
* @returns Record of roles (mapped by identifier)
|
|
55
|
+
*/
|
|
56
|
+
getRoleDefinitions(): Readonly<Record<string, DefinitiveRoleDefinition>>;
|
|
51
57
|
private assertProfileLikeIntegrity;
|
|
52
58
|
private scanPermissionList;
|
|
53
59
|
private resolvePerm;
|
|
@@ -118,6 +118,18 @@ export default class RoleManager extends EventEmitter {
|
|
|
118
118
|
}
|
|
119
119
|
throw messages.createError('TriedToAccessRoleThatDoesNotExist', [roleName]);
|
|
120
120
|
}
|
|
121
|
+
/**
|
|
122
|
+
* Returns fully resolved roles
|
|
123
|
+
*
|
|
124
|
+
* @returns Record of roles (mapped by identifier)
|
|
125
|
+
*/
|
|
126
|
+
getRoleDefinitions() {
|
|
127
|
+
const roleDefs = {};
|
|
128
|
+
for (const role of Object.values(this.roles)) {
|
|
129
|
+
roleDefs[role.roleName] = role.getDefinition();
|
|
130
|
+
}
|
|
131
|
+
return roleDefs;
|
|
132
|
+
}
|
|
121
133
|
// PRIVATE ZONE
|
|
122
134
|
assertProfileLikeIntegrity(role, profileLikes, identifier) {
|
|
123
135
|
const refineResult = { errors: [], profileLikes: [], role: undefined };
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"roleManager.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/roles/roleManager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAA6B,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxG,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AAClE,OAAO,
|
|
1
|
+
{"version":3,"file":"roleManager.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/roles/roleManager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAA6B,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxG,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AAClE,OAAO,EAEL,oBAAoB,GAQrB,MAAM,wBAAwB,CAAC;AAChC,OAAiB,EAAE,qBAAqB,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAC;AAErF,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,oCAAoC,CAAC,CAAC;AAQnH,MAAM,CAAC,OAAO,OAAO,WAAY,SAAQ,YAAY;IAGf;IAF5B,KAAK,GAA6B,EAAE,CAAC;IAE7C,YAAoC,WAA8B;QAChE,KAAK,EAAE,CAAC;QAD0B,gBAAW,GAAX,WAAW,CAAmB;QAEhE,IAAI,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;YACpC,KAAK,MAAM,CAAC,QAAQ,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;gBACzE,MAAM,cAAc,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;gBAC3C,IAAI,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,EAAE,CAAC;oBAC/B,oBAAoB,CAAC,eAAe,CAClC,QAAQ,CAAC,UAAU,CAAC,iCAAiC,EAAE;wBACrD,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,QAAQ;wBACnC,cAAc;qBACf,CAAC,CACH,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACN,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,GAAG,qBAAqB,CAAC,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;gBACjF,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,KAAK,MAAM,UAAU,IAAI,MAAM,CAAC,MAAM,CAAC,kBAAkB,CAAC,EAAE,CAAC;gBAC3D,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,GAAG,mBAAmB,CAAC,UAAU,EAAE,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;YAC/G,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;;;;;;;OASG;IACI,eAAe,CACpB,IAAY,EACZ,YAAyC,EACzC,aAAuB,EAAE;QAEzB,MAAM,iBAAiB,GAAG,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC;QACtF,MAAM,MAAM,GAAe,EAAE,UAAU,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;QACxE,MAAM,YAAY,GAAG,IAAI,CAAC,0BAA0B,CAAC,IAAI,EAAE,iBAAiB,EAAE,UAAU,CAAC,CAAC;QAC1F,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;QAC3C,IAAI,YAAY,CAAC,IAAI,IAAI,YAAY,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9D,KAAK,MAAM,WAAW,IAAI,YAAY,CAAC,YAAY,EAAE,CAAC;gBACpD,MAAM,eAAe,GAAG,CAAC,GAAG,UAAU,EAAE,WAAW,CAAC,IAAI,CAAC,CAAC;gBAC1D,KAAK,MAAM,OAAO,IAAI,CAAC,iBAAiB,EAAE,mBAAmB,CAAU,EAAE,CAAC;oBACxE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,kBAAkB,CACtD,YAAY,CAAC,IAAI,EACjB,WAAW,EACX,OAAO,EACP,eAAe,CAChB,CAAC;oBACF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC;oBACtC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;gBACpC,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;;;;;OAOG;IACI,gBAAgB,CAAC,IAAY,EAAE,YAA2B,EAAE,iBAA2B,EAAE;QAC9F,MAAM,MAAM,GAAe,EAAE,UAAU,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;QACxE,MAAM,YAAY,GAAG,IAAI,CAAC,0BAA0B,CAAC,IAAI,EAAE,YAAY,EAAE,cAAc,CAAC,CAAC;QACzF,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;QAC3C,IAAI,YAAY,CAAC,IAAI,IAAI,YAAY,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9D,KAAK,MAAM,WAAW,IAAI,YAAY,CAAC,YAAY,EAAE,CAAC;gBACpD,MAAM,UAAU,GAAG,4BAA4B,CAAC,YAAY,CAAC,IAAI,EAAE,WAAW,EAAE;oBAC9E,GAAG,cAAc;oBACjB,WAAW,CAAC,IAAI;iBACjB,CAAC,CAAC;gBACH,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC;YACxC,CAAC;QACH,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;;;;OAMG;IACI,WAAW,CAAC,QAAgB;QACjC,MAAM,kBAAkB,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;QAC/C,OAAO,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC,CAAC;IACjD,CAAC;IAED;;;;;;OAMG;IACI,OAAO,CAAC,YAAoB,EAAE,eAAuB;QAC1D,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAC5C,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QAChD,OAAO,QAAQ,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;IACzC,CAAC;IAED;;;;;OAKG;IACI,OAAO,CAAC,QAAgB;QAC7B,MAAM,kBAAkB,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;QAC/C,IAAI,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,EAAE,CAAC;YACnC,OAAO,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;QACxC,CAAC;QACD,MAAM,QAAQ,CAAC,WAAW,CAAC,mCAAmC,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC9E,CAAC;IAED;;;;OAIG;IACI,kBAAkB;QACvB,MAAM,QAAQ,GAA6C,EAAE,CAAC;QAC9D,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YAC7C,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC;QACjD,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,wBAAwB;IAEhB,0BAA0B,CAChC,IAAY,EACZ,YAA2B,EAC3B,UAAoB;QAEpB,MAAM,YAAY,GAA4B,EAAE,MAAM,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;QAChG,IAAI,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,YAAY,CAAC,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACzC,CAAC;aAAM,CAAC;YACN,YAAY,CAAC,MAAM,CAAC,IAAI,CACtB,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;gBAC3B,UAAU,EAAE,CAAC,GAAG,UAAU,EAAE,EAAE,CAAC,IAAI,CAAC;gBACpC,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,8BAA8B,EAAE,CAAC,IAAI,CAAC,CAAC;aACrE,CAAC,CAAC,CACJ,CAAC;QACJ,CAAC;QACD,KAAK,MAAM,EAAE,IAAI,YAAY,EAAE,CAAC;YAC9B,IAAI,oBAAoB,CAAC,EAAE,CAAC,EAAE,CAAC;gBAC7B,YAAY,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACrC,CAAC;iBAAM,CAAC;gBACN,YAAY,CAAC,MAAM,CAAC,IAAI,CAAC;oBACvB,UAAU,EAAE,CAAC,GAAG,UAAU,EAAE,EAAE,CAAC,IAAI,CAAC;oBACpC,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,qCAAqC,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;iBAC/E,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QACD,OAAO,YAAY,CAAC;IACtB,CAAC;IAEO,kBAAkB,CACxB,IAAc,EACd,OAA2B,EAC3B,cAAkC,EAClC,cAAwB;QAExB,MAAM,MAAM,GAAgD,EAAE,QAAQ,EAAE,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;QAC7F,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;YACpD,MAAM,UAAU,GAAG,CAAC,GAAG,cAAc,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;YAClD,MAAM,kBAAkB,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;YACvE,IAAI,kBAAkB,EAAE,CAAC;gBACvB,IAAI,kBAAkB,CAAC,cAAc,KAAK,mBAAmB,CAAC,OAAO,EAAE,CAAC;oBACtE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;wBACrB,UAAU;wBACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,kCAAkC,CAAC;qBACjE,CAAC,CAAC;gBACL,CAAC;qBAAM,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,kBAAkB,CAAC,IAAI,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,EAAE,CAAC;oBACpF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;wBACrB,UAAU;wBACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,2CAA2C,EAAE;4BACxE,kBAAkB,CAAC,cAAc;4BACjC,IAAI,CAAC,QAAQ;yBACd,CAAC;qBACH,CAAC,CAAC;gBACL,CAAC;qBAAM,IAAI,kBAAkB,CAAC,cAAc,KAAK,mBAAmB,CAAC,OAAO,EAAE,CAAC;oBAC7E,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;wBACnB,UAAU;wBACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,6BAA6B,CAAC;qBAC5D,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;iBAAM,IAAI,IAAI,CAAC,QAAQ,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,EAAE,CAAC;gBACpE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;oBACrB,UAAU;oBACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,iCAAiC,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;iBACjF,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;oBACnB,UAAU;oBACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,oCAAoC,CAAC;iBACnE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,WAAW,CAAC,QAAgB,EAAE,QAA4B;QAChE,IAAI,QAAQ,KAAK,iBAAiB,EAAE,CAAC;YACnC,OAAO,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;QACxC,CAAC;aAAM,IAAI,QAAQ,KAAK,mBAAmB,EAAE,CAAC;YAC5C,OAAO,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC;IAEO,eAAe,CAAC,QAAgB;QACtC,IAAI,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,eAAe,EAAE,CAAC;YAC5C,OAAO,kBAAkB,CAAC,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC,CAAC;QACxF,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAEO,iBAAiB,CAAC,QAAgB;QACxC,IAAI,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,iBAAiB,EAAE,CAAC;YAC9C,OAAO,kBAAkB,CAAC,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC,CAAC;QAC1F,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;CACF;AAED,SAAS,4BAA4B,CACnC,IAAc,EACd,WAA+B,EAC/B,UAAoB;IAEpB,MAAM,UAAU,GAA6B,EAAE,CAAC;IAChD,KAAK,MAAM,YAAY,IAAI,WAAW,CAAC,QAAQ,CAAC,iBAAiB,IAAI,EAAE,EAAE,CAAC;QACxE,MAAM,aAAa,GAAG,IAAI,CAAC,eAAe,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;QAChE,KAAK,MAAM,SAAS,IAAI,CAAC,WAAW,EAAE,aAAa,EAAE,WAAW,EAAE,aAAa,EAAE,eAAe,CAAU,EAAE,CAAC;YAC3G,IAAI,MAAM,CAAC,MAAM,CAAC,YAAY,EAAE,SAAS,CAAC,EAAE,CAAC;gBAC3C,MAAM,aAAa,GAAG,YAAY,CAAC,SAAsC,CAAC,CAAC;gBAC3E,IAAI,aAAa,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,EAAE,CAAC;oBAC/C,UAAU,CAAC,IAAI,CAAC;wBACd,UAAU,EAAE,CAAC,GAAG,UAAU,EAAE,YAAY,CAAC,MAAM,EAAE,SAAS,CAAC;wBAC3D,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,iCAAiC,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;qBACjF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,kBAAkB,CACzB,QAAgB,EAChB,IAA0C;IAE1C,OAAO,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;AACxD,CAAC;AAED,SAAS,SAAS,CAAC,QAAgB;IACjC,OAAO,QAAQ,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;AACrD,CAAC"}
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import { PermissionClassifications, UserPrivilegeLevel, ObjectAccessControl } from '../shape/schema.js';
|
|
2
|
-
import { RoleManagerConfig, TypedPermission, UserRoleCompareResult, DefinitiveObjectAccessDef } from './roleManager.types.js';
|
|
2
|
+
import { DefinitiveRoleDefinition, RoleManagerConfig, TypedPermission, UserRoleCompareResult, DefinitiveObjectAccessDef } from './roleManager.types.js';
|
|
3
3
|
type UserRolePermissions = {
|
|
4
4
|
allowed: Set<string>;
|
|
5
5
|
denied: Set<string>;
|
|
@@ -13,8 +13,25 @@ type UserRoleConfig = {
|
|
|
13
13
|
};
|
|
14
14
|
export default class UserRole {
|
|
15
15
|
roleName: string;
|
|
16
|
+
/**
|
|
17
|
+
* Merged role config from inline role and all composable controls.
|
|
18
|
+
* Resolves allowed classifications to actual permissions from the org,
|
|
19
|
+
* but keeps capitalisation (lower/upper case verbatim)
|
|
20
|
+
*/
|
|
16
21
|
private config;
|
|
22
|
+
/**
|
|
23
|
+
* Fully resolved object access, with partial definitions
|
|
24
|
+
* filled to default access ("allow: false")
|
|
25
|
+
*/
|
|
17
26
|
private objectAccess;
|
|
27
|
+
/**
|
|
28
|
+
* Fully resolved allowed and denied user permissions in lower case
|
|
29
|
+
*/
|
|
30
|
+
private normalizedUserPermissions;
|
|
31
|
+
/**
|
|
32
|
+
* Fully resolved allowed and denied custom permissions in lower case
|
|
33
|
+
*/
|
|
34
|
+
private normalizedCustomPermissions;
|
|
18
35
|
constructor(roleName: string, config: Partial<UserRoleConfig>);
|
|
19
36
|
/**
|
|
20
37
|
* Evaluates if a permission is explicitly denied
|
|
@@ -48,6 +65,12 @@ export default class UserRole {
|
|
|
48
65
|
* @returns
|
|
49
66
|
*/
|
|
50
67
|
getObjectAccess(objName: string): DefinitiveObjectAccessDef;
|
|
68
|
+
/**
|
|
69
|
+
* Returns the fully resolved role definition
|
|
70
|
+
*
|
|
71
|
+
* @returns
|
|
72
|
+
*/
|
|
73
|
+
getDefinition(): DefinitiveRoleDefinition;
|
|
51
74
|
}
|
|
52
75
|
export declare function newRoleFromDefinition(roleName: string, config: RoleManagerConfig): UserRole;
|
|
53
76
|
export declare function newRoleFromOrdinals(roleName: UserPrivilegeLevel, perms?: PermissionClassifications): UserRole;
|
|
@@ -5,8 +5,25 @@ Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
|
|
|
5
5
|
const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.enforceClassificationPresets');
|
|
6
6
|
export default class UserRole {
|
|
7
7
|
roleName;
|
|
8
|
+
/**
|
|
9
|
+
* Merged role config from inline role and all composable controls.
|
|
10
|
+
* Resolves allowed classifications to actual permissions from the org,
|
|
11
|
+
* but keeps capitalisation (lower/upper case verbatim)
|
|
12
|
+
*/
|
|
8
13
|
config;
|
|
14
|
+
/**
|
|
15
|
+
* Fully resolved object access, with partial definitions
|
|
16
|
+
* filled to default access ("allow: false")
|
|
17
|
+
*/
|
|
9
18
|
objectAccess;
|
|
19
|
+
/**
|
|
20
|
+
* Fully resolved allowed and denied user permissions in lower case
|
|
21
|
+
*/
|
|
22
|
+
normalizedUserPermissions;
|
|
23
|
+
/**
|
|
24
|
+
* Fully resolved allowed and denied custom permissions in lower case
|
|
25
|
+
*/
|
|
26
|
+
normalizedCustomPermissions;
|
|
10
27
|
constructor(roleName, config) {
|
|
11
28
|
this.roleName = roleName;
|
|
12
29
|
this.config = {
|
|
@@ -16,6 +33,14 @@ export default class UserRole {
|
|
|
16
33
|
isStrict: false,
|
|
17
34
|
...config,
|
|
18
35
|
};
|
|
36
|
+
this.normalizedUserPermissions = {
|
|
37
|
+
allowed: toLowerCaseSet(this.config.userPermissions.allowed),
|
|
38
|
+
denied: toLowerCaseSet(this.config.userPermissions.denied),
|
|
39
|
+
};
|
|
40
|
+
this.normalizedCustomPermissions = {
|
|
41
|
+
allowed: toLowerCaseSet(this.config.customPermissions.allowed),
|
|
42
|
+
denied: toLowerCaseSet(this.config.customPermissions.denied),
|
|
43
|
+
};
|
|
19
44
|
this.objectAccess = {};
|
|
20
45
|
for (const [objName, objDef] of Object.entries(config.objectAccess ?? {})) {
|
|
21
46
|
this.objectAccess[objName] = {
|
|
@@ -36,10 +61,10 @@ export default class UserRole {
|
|
|
36
61
|
*/
|
|
37
62
|
isDenied(permission) {
|
|
38
63
|
if (permission.type === 'customPermissions') {
|
|
39
|
-
return this.
|
|
64
|
+
return this.normalizedCustomPermissions.denied.has(permission.name.toLowerCase());
|
|
40
65
|
}
|
|
41
66
|
else {
|
|
42
|
-
return this.
|
|
67
|
+
return this.normalizedUserPermissions.denied.has(permission.name.toLowerCase());
|
|
43
68
|
}
|
|
44
69
|
}
|
|
45
70
|
/**
|
|
@@ -51,10 +76,10 @@ export default class UserRole {
|
|
|
51
76
|
*/
|
|
52
77
|
isAllowed(permission) {
|
|
53
78
|
if (permission.type === 'customPermissions') {
|
|
54
|
-
return this.
|
|
79
|
+
return this.normalizedCustomPermissions.allowed.has(permission.name.toLowerCase());
|
|
55
80
|
}
|
|
56
81
|
else {
|
|
57
|
-
return this.
|
|
82
|
+
return this.normalizedUserPermissions.allowed.has(permission.name.toLowerCase());
|
|
58
83
|
}
|
|
59
84
|
}
|
|
60
85
|
/**
|
|
@@ -107,6 +132,26 @@ export default class UserRole {
|
|
|
107
132
|
}
|
|
108
133
|
return allowedObjectAccess;
|
|
109
134
|
}
|
|
135
|
+
/**
|
|
136
|
+
* Returns the fully resolved role definition
|
|
137
|
+
*
|
|
138
|
+
* @returns
|
|
139
|
+
*/
|
|
140
|
+
getDefinition() {
|
|
141
|
+
const userPermissions = {
|
|
142
|
+
allowed: Array.from(this.config.userPermissions.allowed),
|
|
143
|
+
denied: Array.from(this.config.userPermissions.denied),
|
|
144
|
+
};
|
|
145
|
+
const customPermissions = {
|
|
146
|
+
allowed: Array.from(this.config.customPermissions.allowed),
|
|
147
|
+
denied: Array.from(this.config.customPermissions.denied),
|
|
148
|
+
};
|
|
149
|
+
return {
|
|
150
|
+
objectAccess: this.objectAccess,
|
|
151
|
+
strict: this.config.isStrict,
|
|
152
|
+
permissions: { userPermissions, customPermissions },
|
|
153
|
+
};
|
|
154
|
+
}
|
|
110
155
|
}
|
|
111
156
|
export function newRoleFromDefinition(roleName, config) {
|
|
112
157
|
const { permissions, objectAccess, strict } = resolveRole(roleName, config.controls);
|
|
@@ -137,6 +182,9 @@ export function newRoleFromOrdinals(roleName, perms) {
|
|
|
137
182
|
objectAccess: {},
|
|
138
183
|
});
|
|
139
184
|
}
|
|
185
|
+
function toLowerCaseSet(names) {
|
|
186
|
+
return new Set(Array.from(names).map((permName) => permName.toLowerCase()));
|
|
187
|
+
}
|
|
140
188
|
function resolvePresetOrdinalValue(value) {
|
|
141
189
|
const indexOfValue = Object.values(UserPrivilegeLevel).indexOf(value);
|
|
142
190
|
return Object.keys(UserPrivilegeLevel).length - indexOfValue;
|
|
@@ -210,7 +258,7 @@ function buildAllowedPerms(rolePermDef, permClassifications, allowedClassificati
|
|
|
210
258
|
}
|
|
211
259
|
return {
|
|
212
260
|
allowed: allowedPerms,
|
|
213
|
-
denied: new Set(rolePermDef.denied
|
|
261
|
+
denied: new Set(rolePermDef.denied ?? []),
|
|
214
262
|
};
|
|
215
263
|
}
|
|
216
264
|
//# sourceMappingURL=userRole.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"userRole.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/roles/userRole.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,iBAAiB,CAAC;AACxC,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAEL,mBAAmB,EACnB,kBAAkB,GAInB,MAAM,oBAAoB,CAAC;AAU5B,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,oCAAoC,CAAC,CAAC;AAenH,MAAM,CAAC,OAAO,OAAO,QAAQ;
|
|
1
|
+
{"version":3,"file":"userRole.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/roles/userRole.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,iBAAiB,CAAC;AACxC,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAEL,mBAAmB,EACnB,kBAAkB,GAInB,MAAM,oBAAoB,CAAC;AAU5B,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,oCAAoC,CAAC,CAAC;AAenH,MAAM,CAAC,OAAO,OAAO,QAAQ;IAqBD;IApB1B;;;;OAIG;IACK,MAAM,CAAiB;IAC/B;;;OAGG;IACK,YAAY,CAA4C;IAChE;;OAEG;IACK,yBAAyB,CAAsB;IACvD;;OAEG;IACK,2BAA2B,CAAsB;IAEzD,YAA0B,QAAgB,EAAE,MAA+B;QAAjD,aAAQ,GAAR,QAAQ,CAAQ;QACxC,IAAI,CAAC,MAAM,GAAG;YACZ,eAAe,EAAE,EAAE,OAAO,EAAE,IAAI,GAAG,EAAU,EAAE,MAAM,EAAE,IAAI,GAAG,EAAU,EAAE;YAC1E,iBAAiB,EAAE,EAAE,OAAO,EAAE,IAAI,GAAG,EAAU,EAAE,MAAM,EAAE,IAAI,GAAG,EAAU,EAAE;YAC5E,YAAY,EAAE,EAAE;YAChB,QAAQ,EAAE,KAAK;YACf,GAAG,MAAM;SACV,CAAC;QACF,IAAI,CAAC,yBAAyB,GAAG;YAC/B,OAAO,EAAE,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,OAAO,CAAC;YAC5D,MAAM,EAAE,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC;SAC3D,CAAC;QACF,IAAI,CAAC,2BAA2B,GAAG;YACjC,OAAO,EAAE,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,OAAO,CAAC;YAC9D,MAAM,EAAE,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,MAAM,CAAC;SAC7D,CAAC;QACF,IAAI,CAAC,YAAY,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,YAAY,IAAI,EAAE,CAAC,EAAE,CAAC;YAC1E,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,GAAG;gBAC3B,SAAS,EAAE,KAAK;gBAChB,WAAW,EAAE,KAAK;gBAClB,WAAW,EAAE,KAAK;gBAClB,SAAS,EAAE,KAAK;gBAChB,aAAa,EAAE,KAAK;gBACpB,GAAG,MAAM;aACV,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACI,QAAQ,CAAC,UAA2B;QACzC,IAAI,UAAU,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;YAC5C,OAAO,IAAI,CAAC,2BAA2B,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;QACpF,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,CAAC,yBAAyB,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;QAClF,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACI,SAAS,CAAC,UAA2B;QAC1C,IAAI,UAAU,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;YAC5C,OAAO,IAAI,CAAC,2BAA2B,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;QACrF,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,CAAC,yBAAyB,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;QACnF,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACI,WAAW,CAAC,SAAmB;QACpC,MAAM,mBAAmB,GAAG,IAAI,KAAK,EAAU,CAAC;QAChD,MAAM,kBAAkB,GAAG,IAAI,KAAK,EAAU,CAAC;QAC/C,MAAM,iBAAiB,GACrB,IAAI,CAAC,MAAM,CAAC,gBAAgB,IAAI,SAAS,CAAC,MAAM,CAAC,gBAAgB;YAC/D,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,gBAAgB,IAAI,SAAS,CAAC,MAAM,CAAC,gBAAgB;YACnE,CAAC,CAAC,IAAI,CAAC;QACX,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,OAAO,EAAE,GAAG,SAAS,CAAC,MAAM,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC,CAAC;QAC9G,KAAK,MAAM,IAAI,IAAI,MAAM,EAAE,CAAC;YAC1B,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBACnD,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAChC,CAAC;YACD,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBACxD,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,CAAC;QACH,CAAC;QACD,OAAO;YACL,UAAU,EAAE,kBAAkB,CAAC,MAAM,KAAK,CAAC,IAAI,iBAAiB;YAChE,kBAAkB;YAClB,mBAAmB;SACpB,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACI,eAAe,CAAC,OAAe;QACpC,MAAM,mBAAmB,GAAG,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QACvD,uFAAuF;QACvF,IAAI,CAAC,mBAAmB,EAAE,CAAC;YACzB,OAAO;gBACL,WAAW,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ;gBAClC,SAAS,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ;gBAChC,SAAS,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ;gBAChC,WAAW,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ;gBAClC,aAAa,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ;aACrC,CAAC;QACJ,CAAC;QACD,OAAO,mBAAmB,CAAC;IAC7B,CAAC;IAED;;;;OAIG;IACI,aAAa;QAClB,MAAM,eAAe,GAAG;YACtB,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,OAAO,CAAC;YACxD,MAAM,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC;SACvD,CAAC;QACF,MAAM,iBAAiB,GAAG;YACxB,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,OAAO,CAAC;YAC1D,MAAM,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,MAAM,CAAC;SACzD,CAAC;QACF,OAAO;YACL,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;YAC5B,WAAW,EAAE,EAAE,eAAe,EAAE,iBAAiB,EAAE;SACpD,CAAC;IACJ,CAAC;CACF;AAED,MAAM,UAAU,qBAAqB,CAAC,QAAgB,EAAE,MAAyB;IAC/E,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,WAAW,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IACrF,MAAM,eAAe,GAAG,iBAAiB,CACvC,WAAW,EAAE,eAAe,EAC5B,MAAM,CAAC,KAAK,CAAC,eAAe,EAC5B,WAAW,EAAE,sBAAsB,CACpC,CAAC;IACF,MAAM,iBAAiB,GAAG,iBAAiB,CACzC,WAAW,EAAE,iBAAiB,EAC9B,MAAM,CAAC,KAAK,CAAC,iBAAiB,EAC9B,WAAW,EAAE,sBAAsB,CACpC,CAAC;IACF,OAAO,IAAI,QAAQ,CAAC,QAAQ,EAAE,EAAE,eAAe,EAAE,iBAAiB,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAC;AACxG,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,QAA4B,EAAE,KAAiC;IACjG,MAAM,gBAAgB,GAAG,yBAAyB,CAAC,QAAQ,CAAC,CAAC;IAC7D,IAAI,CAAC,KAAK,IAAI,QAAQ,KAAK,kBAAkB,CAAC,OAAO,EAAE,CAAC;QACtD,OAAO,IAAI,QAAQ,CAAC,QAAQ,EAAE;YAC5B,eAAe,EAAE,EAAE,OAAO,EAAE,IAAI,GAAG,EAAU,EAAE,MAAM,EAAE,IAAI,GAAG,EAAU,EAAE;YAC1E,iBAAiB,EAAE,EAAE,OAAO,EAAE,IAAI,GAAG,EAAU,EAAE,MAAM,EAAE,IAAI,GAAG,EAAU,EAAE;YAC5E,gBAAgB;YAChB,YAAY,EAAE,EAAE;SACjB,CAAC,CAAC;IACL,CAAC;IACD,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IACrC,KAAK,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACxD,IAAI,gBAAgB,IAAI,4BAA4B,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;YAC7E,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC3B,CAAC;IACH,CAAC;IACD,OAAO,IAAI,QAAQ,CAAC,QAAQ,EAAE;QAC5B,eAAe,EAAE,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI,GAAG,EAAU,EAAE;QACnE,iBAAiB,EAAE,EAAE,OAAO,EAAE,IAAI,GAAG,EAAU,EAAE,MAAM,EAAE,IAAI,GAAG,EAAU,EAAE;QAC5E,gBAAgB;QAChB,YAAY,EAAE,EAAE;KACjB,CAAC,CAAC;AACL,CAAC;AAED,SAAS,cAAc,CAAC,KAAkB;IACxC,OAAO,IAAI,GAAG,CAAS,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;AACtF,CAAC;AAED,SAAS,yBAAyB,CAAC,KAAyB;IAC1D,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IACtE,OAAO,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,MAAM,GAAG,YAAY,CAAC;AAC/D,CAAC;AAED,SAAS,4BAA4B,CAAC,KAAa;IACjD,OAAO,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC;AACjH,CAAC;AAED,SAAS,WAAW,CAAC,QAAgB,EAAE,QAA0B;IAC/D,MAAM,UAAU,GAAG,QAAQ,CAAC,KAAK,EAAE,CAAC,QAAQ,CAAC,CAAC;IAC9C,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,QAAQ,CAAC,WAAW,CAAC,mCAAmC,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC9E,CAAC;IACD,MAAM,iBAAiB,GAAsC,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,IAAI,KAAK,EAAE,CAAC;IACpG,KAAK,MAAM,WAAW,IAAI,CAAC,aAAa,EAAE,cAAc,CAAU,EAAE,CAAC;QACnE,IAAI,CAAC;YACH,iBAAiB,CAAC,WAAW,CAAC,GAAG,iBAAiB,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC;QACrG,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,YAAY,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC;YACpE,MAAM,QAAQ,CAAC,WAAW,CAAC,uCAAuC,EAAE,CAAC,QAAQ,EAAE,WAAW,EAAE,YAAY,CAAC,CAAC,CAAC;QAC7G,CAAC;IACH,CAAC;IACD,OAAO,iBAA6C,CAAC;AACvD,CAAC;AAMD,SAAS,iBAAiB,CACxB,OAA0B,EAC1B,QAAiC;IAEjC,MAAM,aAAa,GAAG,EAAE,CAAC;IACzB,MAAM,kBAAkB,GAAG,QAAQ,IAAI,EAAE,CAAC;IAC1C,MAAM,iBAAiB,GAAsB,OAAO,IAAI,EAAE,CAAC;IAC3D,IAAI,KAAK,CAAC,OAAO,CAAC,iBAAiB,CAAC,EAAE,CAAC;QACrC,KAAK,MAAM,UAAU,IAAI,iBAAiB,EAAE,CAAC;YAC3C,MAAM,iBAAiB,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;YACzD,IAAI,iBAAiB,EAAE,CAAC;gBACtB,KAAK,CAAC,aAAa,EAAE,iBAAiB,CAAC,CAAC;YAC1C,CAAC;iBAAM,CAAC;gBACN,MAAM,IAAI,KAAK,CAAC,UAAU,CAAC,CAAC;YAC9B,CAAC;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,KAAK,CAAC,aAAa,EAAE,iBAAiB,CAAC,CAAC;IAC1C,CAAC;IACD,OAAO,aAAa,CAAC;AACvB,CAAC;AAED,SAAS,iBAAiB,CACxB,WAAsC,EACtC,mBAA+C,EAC/C,sBAAiC;IAEjC,MAAM,YAAY,GAAG,IAAI,GAAG,EAAU,CAAC;IACvC,IAAI,sBAAsB,IAAI,mBAAmB,EAAE,CAAC;QAClD,KAAK,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,mBAAmB,CAAC,EAAE,CAAC;YACtE,IAAI,sBAAsB,CAAC,QAAQ,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;gBAC5D,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAC7B,CAAC;QACH,CAAC;IACH,CAAC;IACD,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,IAAI,GAAG,EAAU,EAAE,CAAC;IAC9D,CAAC;IACD,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;QACxB,KAAK,MAAM,QAAQ,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;YAC3C,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IACD,IAAI,WAAW,CAAC,QAAQ,EAAE,CAAC;QACzB,KAAK,MAAM,QAAQ,IAAI,WAAW,CAAC,QAAQ,EAAE,CAAC;YAC5C,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IACD,IAAI,WAAW,CAAC,MAAM,EAAE,CAAC;QACvB,KAAK,MAAM,QAAQ,IAAI,WAAW,CAAC,MAAM,EAAE,CAAC;YAC1C,YAAY,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;IACD,OAAO;QACL,OAAO,EAAE,YAAY;QACrB,MAAM,EAAE,IAAI,GAAG,CAAS,WAAW,CAAC,MAAM,IAAI,EAAE,CAAC;KAClD,CAAC;AACJ,CAAC"}
|
|
@@ -1,4 +1,5 @@
|
|
|
1
1
|
import { Messages } from '@salesforce/core';
|
|
2
|
+
import RoleManager from './roles/roleManager.js';
|
|
2
3
|
Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
|
|
3
4
|
const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'policies.general');
|
|
4
5
|
/**
|
|
@@ -33,7 +34,12 @@ export default class RuleRegistry {
|
|
|
33
34
|
const resolveErrors = new Array();
|
|
34
35
|
Object.entries(ruleObjs).forEach(([ruleName, ruleConfig]) => {
|
|
35
36
|
if (this.availableRules[ruleName] && ruleConfig.enabled) {
|
|
36
|
-
enabledRules.push(new this.availableRules[ruleName]({
|
|
37
|
+
enabledRules.push(new this.availableRules[ruleName]({
|
|
38
|
+
auditConfig,
|
|
39
|
+
roles: new RoleManager({ controls: auditConfig.controls, shape: auditConfig.shape }),
|
|
40
|
+
ruleDisplayName: ruleName,
|
|
41
|
+
ruleConfig: ruleConfig.options,
|
|
42
|
+
}));
|
|
37
43
|
}
|
|
38
44
|
else if (ruleConfig.enabled === false) {
|
|
39
45
|
skippedRules.push({ name: ruleName, skipReason: messages.getMessage('skip-reason.rule-not-enabled') });
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ruleRegistry.js","sourceRoot":"","sources":["../../../../src/libs/audit-engine/registry/ruleRegistry.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;
|
|
1
|
+
{"version":3,"file":"ruleRegistry.js","sourceRoot":"","sources":["../../../../src/libs/audit-engine/registry/ruleRegistry.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAK5C,OAAO,WAAW,MAAM,wBAAwB,CAAC;AAEjD,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,kBAAkB,CAAC,CAAC;AAkBjG;;;;GAIG;AACH,MAAM,CAAC,OAAO,OAAO,YAAY;IACvB,cAAc,CAAC;IAEvB,YAAmB,KAAsB;QACvC,IAAI,CAAC,cAAc,GAAG,KAAK,IAAI,EAAE,CAAC;IACpC,CAAC;IAED;;;;OAIG;IACI,eAAe;QACpB,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IAC1C,CAAC;IAED;;;;;;;OAOG;IACI,YAAY,CAAC,QAA+B,EAAE,WAA2B;QAC9E,MAAM,YAAY,GAAG,IAAI,KAAK,EAA+B,CAAC;QAC9D,MAAM,YAAY,GAAG,IAAI,KAAK,EAAwB,CAAC;QACvD,MAAM,aAAa,GAAG,IAAI,KAAK,EAAsB,CAAC;QACtD,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE,UAAU,CAAC,EAAE,EAAE;YAC1D,IAAI,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,IAAI,UAAU,CAAC,OAAO,EAAE,CAAC;gBACxD,YAAY,CAAC,IAAI,CACf,IAAI,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;oBAChC,WAAW;oBACX,KAAK,EAAE,IAAI,WAAW,CAAC,EAAE,QAAQ,EAAE,WAAW,CAAC,QAAQ,EAAE,KAAK,EAAE,WAAW,CAAC,KAAK,EAAE,CAAC;oBACpF,eAAe,EAAE,QAAQ;oBACzB,UAAU,EAAE,UAAU,CAAC,OAAO;iBAC/B,CAAC,CACH,CAAC;YACJ,CAAC;iBAAM,IAAI,UAAU,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;gBACxC,YAAY,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,CAAC,UAAU,CAAC,8BAA8B,CAAC,EAAE,CAAC,CAAC;YACzG,CAAC;iBAAM,CAAC;gBACN,aAAa,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,mCAAmC,CAAC,EAAE,CAAC,CAAC;YAC5G,CAAC;QACH,CAAC,CAAC,CAAC;QACH,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,aAAa,EAAE,CAAC;IACvD,CAAC;CACF"}
|
|
@@ -2,7 +2,6 @@ import { PartialPolicyRuleResult, RuleAuditContext } from '../context.types.js';
|
|
|
2
2
|
import { ResolvedUser } from '../policies/users.js';
|
|
3
3
|
import PolicyRule, { RuleOptions } from './policyRule.js';
|
|
4
4
|
export default class EnforceObjectAccessOnUser extends PolicyRule<ResolvedUser> {
|
|
5
|
-
private readonly roleManager;
|
|
6
5
|
constructor(opts: RuleOptions);
|
|
7
6
|
run(context: RuleAuditContext<ResolvedUser>): Promise<PartialPolicyRuleResult>;
|
|
8
7
|
}
|
|
@@ -1,20 +1,14 @@
|
|
|
1
|
-
import RoleManager from '../roles/roleManager.js';
|
|
2
1
|
import PolicyRule from './policyRule.js';
|
|
3
2
|
export default class EnforceObjectAccessOnUser extends PolicyRule {
|
|
4
|
-
roleManager;
|
|
5
3
|
constructor(opts) {
|
|
6
4
|
super(opts);
|
|
7
|
-
this.roleManager = new RoleManager({
|
|
8
|
-
controls: opts.auditConfig.controls,
|
|
9
|
-
shape: opts.auditConfig.shape,
|
|
10
|
-
});
|
|
11
5
|
}
|
|
12
6
|
run(context) {
|
|
13
7
|
const result = this.initResult();
|
|
14
8
|
const users = context.resolvedEntities;
|
|
15
9
|
for (const user of Object.values(users)) {
|
|
16
10
|
const profileLikes = buildProfileLikes(user);
|
|
17
|
-
const { violations, warnings, errors } = this.
|
|
11
|
+
const { violations, warnings, errors } = this.opts.roles.scanObjectAccess(user.role, profileLikes, [
|
|
18
12
|
user.username,
|
|
19
13
|
]);
|
|
20
14
|
result.errors.push(...errors);
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"enforceObjectAccessOnUser.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforceObjectAccessOnUser.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"enforceObjectAccessOnUser.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforceObjectAccessOnUser.ts"],"names":[],"mappings":"AAGA,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,MAAM,CAAC,OAAO,OAAO,yBAA0B,SAAQ,UAAwB;IAC7E,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,GAAG,CAAC,OAAuC;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,KAAK,GAAG,OAAO,CAAC,gBAAgB,CAAC;QACvC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;YACxC,MAAM,YAAY,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;YAC7C,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,EAAE,YAAY,EAAE;gBACjG,IAAI,CAAC,QAAQ;aACd,CAAC,CAAC;YACH,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,CAAC;YAC9B,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;YAClC,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC;QACxC,CAAC;QACD,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF;AAED,SAAS,iBAAiB,CAAC,IAAkB;IAC3C,MAAM,YAAY,GAAkB,EAAE,CAAC;IACvC,YAAY,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,eAAe,EAAE,IAAI,EAAE,IAAI,CAAC,WAAW,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC;IAC/F,KAAK,MAAM,iBAAiB,IAAI,IAAI,CAAC,WAAW,IAAI,EAAE,EAAE,CAAC;QACvD,YAAY,CAAC,IAAI,CAAC;YAChB,QAAQ,EAAE,iBAAiB,CAAC,QAAQ;YACpC,IAAI,EAAE,iBAAiB,CAAC,uBAAuB;YAC/C,IAAI,EAAE,eAAe;SACtB,CAAC,CAAC;IACL,CAAC;IACD,OAAO,YAAY,CAAC;AACtB,CAAC"}
|
|
@@ -2,7 +2,6 @@ import { PartialPolicyRuleResult, RuleAuditContext } from '../context.types.js';
|
|
|
2
2
|
import { ResolvedUser } from '../policies/users.js';
|
|
3
3
|
import PolicyRule, { RuleOptions } from './policyRule.js';
|
|
4
4
|
export default class EnforcePermissionPresets extends PolicyRule<ResolvedUser> {
|
|
5
|
-
private readonly roleManager;
|
|
6
5
|
constructor(opts: RuleOptions);
|
|
7
6
|
run(context: RuleAuditContext<ResolvedUser>): Promise<PartialPolicyRuleResult>;
|
|
8
7
|
private resolveProfileRole;
|
|
@@ -1,18 +1,12 @@
|
|
|
1
1
|
import { Messages } from '@salesforce/core';
|
|
2
2
|
import { capitalize } from '../../../../utils.js';
|
|
3
|
-
import RoleManager from '../roles/roleManager.js';
|
|
4
3
|
import { UserPrivilegeLevel } from '../shape/schema.js';
|
|
5
4
|
import PolicyRule from './policyRule.js';
|
|
6
5
|
Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
|
|
7
6
|
const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.users');
|
|
8
7
|
export default class EnforcePermissionPresets extends PolicyRule {
|
|
9
|
-
roleManager;
|
|
10
8
|
constructor(opts) {
|
|
11
9
|
super(opts);
|
|
12
|
-
this.roleManager = new RoleManager({
|
|
13
|
-
controls: opts.auditConfig.controls,
|
|
14
|
-
shape: opts.auditConfig.shape,
|
|
15
|
-
});
|
|
16
10
|
}
|
|
17
11
|
run(context) {
|
|
18
12
|
const result = this.initResult();
|
|
@@ -43,14 +37,14 @@ export default class EnforcePermissionPresets extends PolicyRule {
|
|
|
43
37
|
message: messages.getMessage('violations.entity-unknown-but-used', [capitalize(entityType)]),
|
|
44
38
|
});
|
|
45
39
|
}
|
|
46
|
-
else if (!this.
|
|
40
|
+
else if (!this.opts.roles.isValidRole(entityPreset)) {
|
|
47
41
|
result.violations.push({
|
|
48
42
|
identifier: [user.username, entityIdentifier],
|
|
49
43
|
message: messages.getMessage('violations.invalid-entity-role', [capitalize(entityType), entityPreset]),
|
|
50
44
|
});
|
|
51
45
|
}
|
|
52
|
-
else if (this.
|
|
53
|
-
const compareResult = this.
|
|
46
|
+
else if (this.opts.roles.isValidRole(entityPreset) && this.opts.roles.isValidRole(user.role)) {
|
|
47
|
+
const compareResult = this.opts.roles.compare(user.role, entityPreset);
|
|
54
48
|
if (!compareResult.isSuperset) {
|
|
55
49
|
result.violations.push({
|
|
56
50
|
identifier: [user.username, entityIdentifier],
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"enforcePermissionPresets.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionPresets.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAElD,OAAO,
|
|
1
|
+
{"version":3,"file":"enforcePermissionPresets.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionPresets.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAElD,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,aAAa,CAAC,CAAC;AAE5F,MAAM,CAAC,OAAO,OAAO,wBAAyB,SAAQ,UAAwB;IAC5E,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,GAAG,CAAC,OAAuC;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,KAAK,GAAG,OAAO,CAAC,gBAAgB,CAAC;QACvC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;YACxC,MAAM,WAAW,GAAG,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC9D,IAAI,CAAC,sBAAsB,CAAC,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;YACpF,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;gBACrB,KAAK,MAAM,UAAU,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;oBAC1C,MAAM,WAAW,GAAG,IAAI,CAAC,wBAAwB,CAAC,UAAU,CAAC,uBAAuB,CAAC,CAAC;oBACtF,IAAI,CAAC,sBAAsB,CAAC,MAAM,EAAE,IAAI,EAAE,gBAAgB,EAAE,UAAU,CAAC,uBAAuB,EAAE,WAAW,CAAC,CAAC;gBAC/G,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;IAEO,kBAAkB,CAAC,WAAmB;QAC5C,OAAO,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,QAAQ,EAAE,CAAC,WAAW,CAAC,EAAE,IAAI,CAAC;IAClE,CAAC;IAEO,wBAAwB,CAAC,WAAmB;QAClD,OAAO,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,cAAc,EAAE,CAAC,WAAW,CAAC,EAAE,IAAI,CAAC;IACxE,CAAC;IAEO,sBAAsB,CAC5B,MAA+B,EAC/B,IAAkB,EAClB,UAAkB,EAClB,gBAAwB,EACxB,YAAqB;QAErB,IAAI,YAAY,EAAE,CAAC;YACjB,IAAI,YAAY,KAAK,kBAAkB,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC;gBAC3D,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;oBACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,CAAC;oBAC7C,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,oCAAoC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC;iBAC7F,CAAC,CAAC;YACL,CAAC;iBAAM,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,YAAY,CAAC,EAAE,CAAC;gBACtD,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;oBACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,CAAC;oBAC7C,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,gCAAgC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,YAAY,CAAC,CAAC;iBACvG,CAAC,CAAC;YACL,CAAC;iBAAM,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,YAAY,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC/F,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;gBACvE,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,CAAC;oBAC9B,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;wBACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,CAAC;wBAC7C,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,6CAA6C,EAAE;4BAC1E,IAAI,CAAC,IAAI;4BACT,UAAU;4BACV,YAAY;yBACb,CAAC;qBACH,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;gBACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,CAAC;gBAC7C,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,2CAA2C,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,UAAU,CAAC,CAAC;aAChH,CAAC,CAAC;QACL,CAAC;IACH,CAAC;CACF"}
|
|
@@ -2,7 +2,6 @@ import { PartialPolicyRuleResult, RuleAuditContext } from '../context.types.js';
|
|
|
2
2
|
import { ResolvedProfileLike } from '../roles/roleManager.types.js';
|
|
3
3
|
import PolicyRule, { RuleOptions } from './policyRule.js';
|
|
4
4
|
export default class EnforcePermissionsOnProfileLike extends PolicyRule<ResolvedProfileLike> {
|
|
5
|
-
private readonly roleManager;
|
|
6
5
|
constructor(opts: RuleOptions);
|
|
7
6
|
run(context: RuleAuditContext<ResolvedProfileLike>): Promise<PartialPolicyRuleResult>;
|
|
8
7
|
}
|
|
@@ -1,19 +1,13 @@
|
|
|
1
|
-
import RoleManager from '../roles/roleManager.js';
|
|
2
1
|
import PolicyRule from './policyRule.js';
|
|
3
2
|
export default class EnforcePermissionsOnProfileLike extends PolicyRule {
|
|
4
|
-
roleManager;
|
|
5
3
|
constructor(opts) {
|
|
6
4
|
super(opts);
|
|
7
|
-
this.roleManager = new RoleManager({
|
|
8
|
-
controls: opts.auditConfig.controls,
|
|
9
|
-
shape: opts.auditConfig.shape,
|
|
10
|
-
});
|
|
11
5
|
}
|
|
12
6
|
run(context) {
|
|
13
7
|
const result = this.initResult();
|
|
14
8
|
const resolvedProfiles = context.resolvedEntities;
|
|
15
9
|
for (const profile of Object.values(resolvedProfiles)) {
|
|
16
|
-
const { errors, violations, warnings } = this.
|
|
10
|
+
const { errors, violations, warnings } = this.opts.roles.scanPermissions(profile.role, profile);
|
|
17
11
|
result.errors.push(...errors);
|
|
18
12
|
result.warnings.push(...warnings);
|
|
19
13
|
result.violations.push(...violations);
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"enforcePermissionsOnProfileLike.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"enforcePermissionsOnProfileLike.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.ts"],"names":[],"mappings":"AAEA,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,MAAM,CAAC,OAAO,OAAO,+BAAgC,SAAQ,UAA+B;IAC1F,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,GAAG,CAAC,OAA8C;QACvD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC;QAClD,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE,CAAC;YACtD,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAChG,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,CAAC;YAC9B,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;YAClC,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC;QACxC,CAAC;QACD,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF"}
|
|
@@ -2,7 +2,6 @@ import { PartialPolicyRuleResult, RuleAuditContext } from '../context.types.js';
|
|
|
2
2
|
import { ResolvedUser } from '../policies/users.js';
|
|
3
3
|
import PolicyRule, { RuleOptions } from './policyRule.js';
|
|
4
4
|
export default class EnforcePermissionsOnUser extends PolicyRule<ResolvedUser> {
|
|
5
|
-
private readonly roleManager;
|
|
6
5
|
constructor(opts: RuleOptions);
|
|
7
6
|
run(context: RuleAuditContext<ResolvedUser>): Promise<PartialPolicyRuleResult>;
|
|
8
7
|
}
|
|
@@ -1,20 +1,14 @@
|
|
|
1
|
-
import RoleManager from '../roles/roleManager.js';
|
|
2
1
|
import PolicyRule from './policyRule.js';
|
|
3
2
|
export default class EnforcePermissionsOnUser extends PolicyRule {
|
|
4
|
-
roleManager;
|
|
5
3
|
constructor(opts) {
|
|
6
4
|
super(opts);
|
|
7
|
-
this.roleManager = new RoleManager({
|
|
8
|
-
controls: opts.auditConfig.controls,
|
|
9
|
-
shape: opts.auditConfig.shape,
|
|
10
|
-
});
|
|
11
5
|
}
|
|
12
6
|
run(context) {
|
|
13
7
|
const result = this.initResult();
|
|
14
8
|
const users = context.resolvedEntities;
|
|
15
9
|
for (const user of Object.values(users)) {
|
|
16
10
|
const profileLikes = buildProfileLikes(user);
|
|
17
|
-
const { violations, warnings, errors } = this.
|
|
11
|
+
const { violations, warnings, errors } = this.opts.roles.scanPermissions(user.role, profileLikes, [
|
|
18
12
|
user.username,
|
|
19
13
|
]);
|
|
20
14
|
result.errors.push(...errors);
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"enforcePermissionsOnUser.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionsOnUser.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"enforcePermissionsOnUser.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionsOnUser.ts"],"names":[],"mappings":"AAGA,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,MAAM,CAAC,OAAO,OAAO,wBAAyB,SAAQ,UAAwB;IAC5E,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,GAAG,CAAC,OAAuC;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,KAAK,GAAG,OAAO,CAAC,gBAAgB,CAAC;QACvC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;YACxC,MAAM,YAAY,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;YAC7C,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,EAAE,YAAY,EAAE;gBAChG,IAAI,CAAC,QAAQ;aACd,CAAC,CAAC;YACH,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,CAAC;YAC9B,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;YAClC,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC;QACxC,CAAC;QACD,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF;AAED,SAAS,iBAAiB,CAAC,IAAkB;IAC3C,MAAM,YAAY,GAAkB,EAAE,CAAC;IACvC,YAAY,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,eAAe,EAAE,IAAI,EAAE,IAAI,CAAC,WAAW,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC;IAC/F,KAAK,MAAM,iBAAiB,IAAI,IAAI,CAAC,WAAW,IAAI,EAAE,EAAE,CAAC;QACvD,YAAY,CAAC,IAAI,CAAC;YAChB,QAAQ,EAAE,iBAAiB,CAAC,QAAQ;YACpC,IAAI,EAAE,iBAAiB,CAAC,uBAAuB;YAC/C,IAAI,EAAE,eAAe;SACtB,CAAC,CAAC;IACL,CAAC;IACD,OAAO,YAAY,CAAC;AACtB,CAAC"}
|
|
@@ -1,8 +1,10 @@
|
|
|
1
1
|
import z from 'zod';
|
|
2
2
|
import { PartialPolicyRuleResult, RowLevelPolicyRule, RuleAuditContext } from '../context.types.js';
|
|
3
3
|
import { AuditRunConfig } from '../definitions.js';
|
|
4
|
+
import RoleManager from '../roles/roleManager.js';
|
|
4
5
|
export type RuleOptions = {
|
|
5
6
|
auditConfig: AuditRunConfig;
|
|
7
|
+
roles: RoleManager;
|
|
6
8
|
ruleDisplayName: string;
|
|
7
9
|
ruleConfig?: unknown;
|
|
8
10
|
};
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"policyRule.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/policyRule.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAI5C,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;
|
|
1
|
+
{"version":3,"file":"policyRule.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/policyRule.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAI5C,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAG9C,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAa7D,MAAM,CAAC,OAAO,OAAgB,UAAU;IAIT;IAHtB,WAAW,CAAiB;IAC5B,eAAe,CAAS;IAE/B,YAA6B,IAAiB;QAAjB,SAAI,GAAJ,IAAI,CAAa;QAC5C,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC;QACpC,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,eAAe,CAAC;IAC9C,CAAC;IAES,UAAU;QAClB,OAAO;YACL,QAAQ,EAAE,IAAI,CAAC,eAAe;YAC9B,UAAU,EAAE,IAAI,KAAK,EAAuB;YAC5C,eAAe,EAAE,IAAI,KAAK,EAA2B;YACrD,QAAQ,EAAE,IAAI,KAAK,EAAwB;YAC3C,MAAM,EAAE,IAAI,KAAK,EAAwB;SAC1C,CAAC;IACJ,CAAC;IAES,YAAY,CAAI,MAAoB,EAAE,UAAmB,EAAE,UAAkB;QACrF,MAAM,WAAW,GAAG,MAAM,CAAC,SAAS,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC;QACvD,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;YACxB,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC,aAAa;QACxC,CAAC;aAAM,CAAC;YACN,cAAc,CAAC,UAAU,EAAE,WAAW,CAAC,KAAK,EAAE,CAAC,OAAO,EAAE,IAAI,CAAC,eAAe,EAAE,SAAS,CAAC,CAAC,CAAC;QAC5F,CAAC;IACH,CAAC;CAGF"}
|
|
@@ -46,6 +46,15 @@ export declare const BaseAuditConfigShape: {
|
|
|
46
46
|
}, import("zod/v4/core").$strip>>;
|
|
47
47
|
}, import("zod/v4/core").$strip>>;
|
|
48
48
|
};
|
|
49
|
+
objectAccess: {
|
|
50
|
+
schema: import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
|
|
51
|
+
allowRead: import("zod").ZodOptional<import("zod").ZodBoolean>;
|
|
52
|
+
allowCreate: import("zod").ZodOptional<import("zod").ZodBoolean>;
|
|
53
|
+
allowEdit: import("zod").ZodOptional<import("zod").ZodBoolean>;
|
|
54
|
+
allowDelete: import("zod").ZodOptional<import("zod").ZodBoolean>;
|
|
55
|
+
viewAllFields: import("zod").ZodOptional<import("zod").ZodBoolean>;
|
|
56
|
+
}, import("zod/v4/core").$strip>>>;
|
|
57
|
+
};
|
|
49
58
|
};
|
|
50
59
|
};
|
|
51
60
|
shape: {
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import { ComposableRolesFileSchema, PermissionControlsFileSchema, PermissionsClassificationFileSchema, PermissionSetsClassificationFileSchema, PolicyFileSchema, ProfilesClassificationFileSchema, UserClassificationFileSchema, UserPolicyFileSchema, } from './schema.js';
|
|
1
|
+
import { ComposableRolesFileSchema, ObjectAccessControlFileSchema, PermissionControlsFileSchema, PermissionsClassificationFileSchema, PermissionSetsClassificationFileSchema, PolicyFileSchema, ProfilesClassificationFileSchema, UserClassificationFileSchema, UserPolicyFileSchema, } from './schema.js';
|
|
2
2
|
/**
|
|
3
3
|
* The shape defines the directory structure and schema files to
|
|
4
4
|
* parse YAML files. It is the foundation to derive the runtime type of
|
|
@@ -9,6 +9,7 @@ export const BaseAuditConfigShape = {
|
|
|
9
9
|
files: {
|
|
10
10
|
roles: { schema: ComposableRolesFileSchema },
|
|
11
11
|
permissions: { schema: PermissionControlsFileSchema },
|
|
12
|
+
objectAccess: { schema: ObjectAccessControlFileSchema },
|
|
12
13
|
},
|
|
13
14
|
},
|
|
14
15
|
shape: {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auditConfigShape.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/shape/auditConfigShape.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,yBAAyB,EACzB,4BAA4B,EAC5B,mCAAmC,EACnC,sCAAsC,EACtC,gBAAgB,EAChB,gCAAgC,EAChC,4BAA4B,EAC5B,oBAAoB,GACrB,MAAM,aAAa,CAAC;AAErB;;;;GAIG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG;IAClC,QAAQ,EAAE;QACR,KAAK,EAAE;YACL,KAAK,EAAE,EAAE,MAAM,EAAE,yBAAyB,EAAE;YAC5C,WAAW,EAAE,EAAE,MAAM,EAAE,4BAA4B,EAAE;
|
|
1
|
+
{"version":3,"file":"auditConfigShape.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/shape/auditConfigShape.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,yBAAyB,EACzB,6BAA6B,EAC7B,4BAA4B,EAC5B,mCAAmC,EACnC,sCAAsC,EACtC,gBAAgB,EAChB,gCAAgC,EAChC,4BAA4B,EAC5B,oBAAoB,GACrB,MAAM,aAAa,CAAC;AAErB;;;;GAIG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG;IAClC,QAAQ,EAAE;QACR,KAAK,EAAE;YACL,KAAK,EAAE,EAAE,MAAM,EAAE,yBAAyB,EAAE;YAC5C,WAAW,EAAE,EAAE,MAAM,EAAE,4BAA4B,EAAE;YACrD,YAAY,EAAE,EAAE,MAAM,EAAE,6BAA6B,EAAE;SACxD;KACF;IACD,KAAK,EAAE;QACL,KAAK,EAAE;YACL,eAAe,EAAE,EAAE,MAAM,EAAE,mCAAmC,EAAE,WAAW,EAAE,IAAI,EAAE;YACnF,iBAAiB,EAAE,EAAE,MAAM,EAAE,mCAAmC,EAAE,WAAW,EAAE,IAAI,EAAE;SACtF;KACF;IACD,SAAS,EAAE;QACT,KAAK,EAAE;YACL,QAAQ,EAAE,EAAE,MAAM,EAAE,gCAAgC,EAAE,WAAW,EAAE,IAAI,EAAE;YACzE,cAAc,EAAE,EAAE,MAAM,EAAE,sCAAsC,EAAE,WAAW,EAAE,IAAI,EAAE;YACrF,KAAK,EAAE,EAAE,MAAM,EAAE,4BAA4B,EAAE,WAAW,EAAE,IAAI,EAAE;SACnE;KACF;IACD,QAAQ,EAAE;QACR,KAAK,EAAE;YACL,QAAQ,EAAE;gBACR,MAAM,EAAE,gBAAgB;gBACxB,YAAY,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,OAAO,EAAE,iBAAiB,CAAC,EAAE,SAAS,EAAE,2CAA2C,EAAE,CAAC;gBAC9G,WAAW,EAAE,IAAI;gBACjB,QAAQ,EAAE,OAAO;aAClB;YACD,cAAc,EAAE;gBACd,MAAM,EAAE,gBAAgB;gBACxB,YAAY,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,OAAO,EAAE,iBAAiB,CAAC,EAAE,SAAS,EAAE,2CAA2C,EAAE,CAAC;gBAC9G,WAAW,EAAE,IAAI;gBACjB,QAAQ,EAAE,OAAO;aAClB;YACD,aAAa,EAAE;gBACb,MAAM,EAAE,gBAAgB;gBACxB,WAAW,EAAE,IAAI;gBACjB,QAAQ,EAAE,OAAO;aAClB;YACD,KAAK,EAAE;gBACL,MAAM,EAAE,oBAAoB;gBAC5B,WAAW,EAAE,IAAI;gBACjB,QAAQ,EAAE,OAAO;aAClB;YACD,QAAQ,EAAE;gBACR,MAAM,EAAE,gBAAgB;gBACxB,WAAW,EAAE,IAAI;gBACjB,QAAQ,EAAE,OAAO;aAClB;SACF;KACF;CACF,CAAC"}
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import { ExtractAuditConfigTypes, RefineError } from '../../file-manager/fileManager.types.js';
|
|
2
2
|
import { OrgDescribe } from '../../../../salesforce/index.js';
|
|
3
3
|
import { BaseAuditConfigShape } from './auditConfigShape.js';
|
|
4
|
-
import {
|
|
4
|
+
import { ResolvedRoleDefinition } from './schema.js';
|
|
5
5
|
export declare const validator: (parseResult: ExtractAuditConfigTypes<typeof BaseAuditConfigShape>) => RefineError[];
|
|
6
|
-
export declare function verifyRoleDefinitions(roles:
|
|
6
|
+
export declare function verifyRoleDefinitions(roles: Record<string, ResolvedRoleDefinition>, orgDescribe: OrgDescribe): Promise<RefineError[]>;
|
|
@@ -1,5 +1,4 @@
|
|
|
1
1
|
import { Messages } from '@salesforce/core';
|
|
2
|
-
import { isPermissionControl } from './schema.js';
|
|
3
2
|
Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
|
|
4
3
|
const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'auditShapeValidation');
|
|
5
4
|
export const validator = (parseResult) => {
|
|
@@ -31,35 +30,51 @@ export const validator = (parseResult) => {
|
|
|
31
30
|
}
|
|
32
31
|
return errors;
|
|
33
32
|
};
|
|
34
|
-
export function verifyRoleDefinitions(roles, orgDescribe) {
|
|
33
|
+
export async function verifyRoleDefinitions(roles, orgDescribe) {
|
|
35
34
|
const warnings = new Array();
|
|
35
|
+
const objectNames = [];
|
|
36
36
|
for (const [roleName, roleDef] of Object.entries(roles)) {
|
|
37
|
-
if (
|
|
38
|
-
|
|
37
|
+
if (roleDef.objectAccess) {
|
|
38
|
+
objectNames.push(...Object.keys(roleDef.objectAccess));
|
|
39
39
|
}
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
const
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
40
|
+
if (roleDef.permissions) {
|
|
41
|
+
for (const permissionBlockName of [
|
|
42
|
+
{ listName: 'userPermissions', isValid: (permName) => orgDescribe.isValid(permName) },
|
|
43
|
+
{ listName: 'customPermissions', isValid: (permName) => orgDescribe.isValidCustomPerm(permName) },
|
|
44
|
+
]) {
|
|
45
|
+
const permBlock = roleDef.permissions[permissionBlockName.listName];
|
|
46
|
+
if (!permBlock) {
|
|
47
|
+
continue;
|
|
48
|
+
}
|
|
49
|
+
for (const permProp of ['allowed', 'denied', 'required']) {
|
|
50
|
+
const namedPerms = permBlock[permProp];
|
|
51
|
+
if (namedPerms) {
|
|
52
|
+
for (const permName of namedPerms) {
|
|
53
|
+
if (!permissionBlockName.isValid(permName)) {
|
|
54
|
+
warnings.push({
|
|
55
|
+
path: ['Controls', 'Roles', roleName, permissionBlockName.listName, permProp, permName],
|
|
56
|
+
message: messages.getMessage('PermissionDoesNotExistOnOrg'),
|
|
57
|
+
});
|
|
58
|
+
}
|
|
57
59
|
}
|
|
58
60
|
}
|
|
59
61
|
}
|
|
60
62
|
}
|
|
61
63
|
}
|
|
62
64
|
}
|
|
65
|
+
const describes = await orgDescribe.describeSObjects(objectNames);
|
|
66
|
+
for (const [roleName, roleDef] of Object.entries(roles)) {
|
|
67
|
+
if (roleDef.objectAccess) {
|
|
68
|
+
for (const objectName of Object.keys(roleDef.objectAccess)) {
|
|
69
|
+
if (!describes.describes[objectName.toLowerCase()]) {
|
|
70
|
+
warnings.push({
|
|
71
|
+
path: ['Controls', 'Roles', roleName, 'objectAccess', objectName],
|
|
72
|
+
message: messages.getMessage('ObjectDoesNotExistOnOrg'),
|
|
73
|
+
});
|
|
74
|
+
}
|
|
75
|
+
}
|
|
76
|
+
}
|
|
77
|
+
}
|
|
63
78
|
return warnings;
|
|
64
79
|
}
|
|
65
80
|
function validateRoledEntity(roles, entries, entityName) {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"shapeValidation.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/shape/shapeValidation.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;
|
|
1
|
+
{"version":3,"file":"shapeValidation.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/shape/shapeValidation.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAM5C,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,sBAAsB,CAAC,CAAC;AAErG,MAAM,CAAC,MAAM,SAAS,GAAG,CAAC,WAAiE,EAAiB,EAAE;IAC5G,MAAM,MAAM,GAAkB,EAAE,CAAC;IACjC,IAAI,WAAW,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;QAC/B,IAAI,WAAW,CAAC,SAAS,CAAC,QAAQ,EAAE,CAAC;YACnC,MAAM,CAAC,IAAI,CAAC,GAAG,mBAAmB,CAAC,WAAW,CAAC,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC,SAAS,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,CAAC;QAC9G,CAAC;QACD,IAAI,WAAW,CAAC,SAAS,CAAC,cAAc,EAAE,CAAC;YACzC,MAAM,CAAC,IAAI,CACT,GAAG,mBAAmB,CAAC,WAAW,CAAC,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC,SAAS,CAAC,cAAc,EAAE,gBAAgB,CAAC,CAC3G,CAAC;QACJ,CAAC;QACD,IAAI,WAAW,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC;YAChC,MAAM,CAAC,IAAI,CAAC,GAAG,mBAAmB,CAAC,WAAW,CAAC,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC,SAAS,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC;QACxG,CAAC;QACD,MAAM,WAAW,GAAG,WAAW,CAAC,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC,0BAA0B,CAAC;QACnF,MAAM,2BAA2B,GAC/B,WAAW,KAAK,SAAS,IAAI,WAAW,CAAC,QAAQ,CAAC,KAAK,CAAC,WAAW,CAAC,KAAK,SAAS,CAAC;QACrF,IAAI,WAAW,IAAI,CAAC,2BAA2B,EAAE,CAAC;YAChD,MAAM,CAAC,IAAI,CAAC;gBACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,wCAAwC,EAAE,CAAC,WAAW,CAAC,CAAC;gBACrF,IAAI,EAAE,CAAC,UAAU,EAAE,OAAO,EAAE,SAAS,EAAE,4BAA4B,CAAC;aACrE,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,IAAI,CAAC,WAAW,CAAC,QAAQ,IAAI,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5E,MAAM,CAAC,IAAI,CAAC;YACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,oBAAoB,CAAC;YAClD,IAAI,EAAE,CAAC,UAAU,CAAC;SACnB,CAAC,CAAC;IACL,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,KAA6C,EAC7C,WAAwB;IAExB,MAAM,QAAQ,GAAG,IAAI,KAAK,EAAe,CAAC;IAC1C,MAAM,WAAW,GAAa,EAAE,CAAC;IACjC,KAAK,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACxD,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;YACzB,WAAW,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC;QACzD,CAAC;QACD,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;YACxB,KAAK,MAAM,mBAAmB,IAAI;gBAChC,EAAE,QAAQ,EAAE,iBAAiB,EAAE,OAAO,EAAE,CAAC,QAAgB,EAAE,EAAE,CAAC,WAAW,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE;gBAC7F,EAAE,QAAQ,EAAE,mBAAmB,EAAE,OAAO,EAAE,CAAC,QAAgB,EAAE,EAAE,CAAC,WAAW,CAAC,iBAAiB,CAAC,QAAQ,CAAC,EAAE;aACjG,EAAE,CAAC;gBACX,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAC;gBACpE,IAAI,CAAC,SAAS,EAAE,CAAC;oBACf,SAAS;gBACX,CAAC;gBACD,KAAK,MAAM,QAAQ,IAAI,CAAC,SAAS,EAAE,QAAQ,EAAE,UAAU,CAAU,EAAE,CAAC;oBAClE,MAAM,UAAU,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;oBACvC,IAAI,UAAU,EAAE,CAAC;wBACf,KAAK,MAAM,QAAQ,IAAI,UAAU,EAAE,CAAC;4BAClC,IAAI,CAAC,mBAAmB,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;gCAC3C,QAAQ,CAAC,IAAI,CAAC;oCACZ,IAAI,EAAE,CAAC,UAAU,EAAE,OAAO,EAAE,QAAQ,EAAE,mBAAmB,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,CAAC;oCACvF,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,6BAA6B,CAAC;iCAC5D,CAAC,CAAC;4BACL,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IACD,MAAM,SAAS,GAAG,MAAM,WAAW,CAAC,gBAAgB,CAAC,WAAW,CAAC,CAAC;IAClE,KAAK,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACxD,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;YACzB,KAAK,MAAM,UAAU,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;gBAC3D,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;oBACnD,QAAQ,CAAC,IAAI,CAAC;wBACZ,IAAI,EAAE,CAAC,UAAU,EAAE,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,UAAU,CAAC;wBACjE,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,yBAAyB,CAAC;qBACxD,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,mBAAmB,CAC1B,KAA6B,EAC7B,OAAqC,EACrC,UAAkB;IAElB,MAAM,MAAM,GAAkB,EAAE,CAAC;IACjC,KAAK,MAAM,CAAC,UAAU,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAC3D,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;YACxB,MAAM,CAAC,IAAI,CAAC;gBACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,qBAAqB,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;gBAClE,IAAI,EAAE,CAAC,UAAU,EAAE,UAAU,CAAC;aAC/B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}
|
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
import SfConnection from '../connection.js';
|
|
2
|
-
import { Permission } from './orgDescribe.types.js';
|
|
2
|
+
import { Permission, SObjectsDescribeResult } from './orgDescribe.types.js';
|
|
3
3
|
export default class OrgDescribe {
|
|
4
|
+
private readonly con;
|
|
4
5
|
/**
|
|
5
6
|
* Caches initialised OrgDescribes by username.
|
|
6
7
|
*/
|
|
@@ -49,4 +50,11 @@ export default class OrgDescribe {
|
|
|
49
50
|
* @returns
|
|
50
51
|
*/
|
|
51
52
|
getCustomPermissions(): Permission[];
|
|
53
|
+
/**
|
|
54
|
+
* Sanitise and describe a list of sobject names.
|
|
55
|
+
*
|
|
56
|
+
* @param objectNames
|
|
57
|
+
* @returns
|
|
58
|
+
*/
|
|
59
|
+
describeSObjects(objectNames: string[]): Promise<SObjectsDescribeResult>;
|
|
52
60
|
}
|
|
@@ -3,13 +3,16 @@ import { CUSTOM_PERMS_QUERY } from './orgDescribe.types.js';
|
|
|
3
3
|
/** Minimum length for perm label to start fuzzy matching */
|
|
4
4
|
const FUZZY_MATCH_MIN_LENGTH = 15;
|
|
5
5
|
export default class OrgDescribe {
|
|
6
|
+
con;
|
|
6
7
|
/**
|
|
7
8
|
* Caches initialised OrgDescribes by username.
|
|
8
9
|
*/
|
|
9
10
|
static orgCache = new Map();
|
|
10
11
|
customPermissions;
|
|
11
12
|
userPermissions;
|
|
12
|
-
constructor() {
|
|
13
|
+
constructor(con) {
|
|
14
|
+
this.con = con;
|
|
15
|
+
}
|
|
13
16
|
/**
|
|
14
17
|
* Initialises a new OrgDescribe instance from an existing connection
|
|
15
18
|
* and caches it for repeated access.
|
|
@@ -22,7 +25,7 @@ export default class OrgDescribe {
|
|
|
22
25
|
if (maybeCache) {
|
|
23
26
|
return maybeCache;
|
|
24
27
|
}
|
|
25
|
-
const inst = new OrgDescribe();
|
|
28
|
+
const inst = new OrgDescribe(con);
|
|
26
29
|
inst.userPermissions = await fetchUserPermissions(con);
|
|
27
30
|
inst.customPermissions = await fetchCustomPermissions(con);
|
|
28
31
|
this.orgCache.set(con.coreConnection.instanceUrl, inst);
|
|
@@ -86,6 +89,35 @@ export default class OrgDescribe {
|
|
|
86
89
|
getCustomPermissions() {
|
|
87
90
|
return Array.from(this.customPermissions.values());
|
|
88
91
|
}
|
|
92
|
+
/**
|
|
93
|
+
* Sanitise and describe a list of sobject names.
|
|
94
|
+
*
|
|
95
|
+
* @param objectNames
|
|
96
|
+
* @returns
|
|
97
|
+
*/
|
|
98
|
+
async describeSObjects(objectNames) {
|
|
99
|
+
const result = { successes: [], errors: [], describes: {} };
|
|
100
|
+
const normalisedNames = normalise(objectNames);
|
|
101
|
+
const describePromises = normalisedNames.map((uniqueObjectName) => this.con.describe(uniqueObjectName));
|
|
102
|
+
const describes = await Promise.allSettled(describePromises);
|
|
103
|
+
for (const settledPromise of describes) {
|
|
104
|
+
if (settledPromise.status === 'fulfilled') {
|
|
105
|
+
result.successes.push(settledPromise.value.name);
|
|
106
|
+
result.describes[settledPromise.value.name.toLowerCase()] = settledPromise.value;
|
|
107
|
+
}
|
|
108
|
+
else {
|
|
109
|
+
// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
|
|
110
|
+
const { reason } = settledPromise;
|
|
111
|
+
const name = normalisedNames[describes.indexOf(settledPromise)];
|
|
112
|
+
const reasonMessage = hasMessage(reason) ? reason.message : 'Failed to resolve with unknown error';
|
|
113
|
+
result.errors.push({ name, reason: reasonMessage });
|
|
114
|
+
}
|
|
115
|
+
}
|
|
116
|
+
return result;
|
|
117
|
+
}
|
|
118
|
+
}
|
|
119
|
+
function hasMessage(obj) {
|
|
120
|
+
return typeof obj === 'object' && obj !== null && 'message' in obj;
|
|
89
121
|
}
|
|
90
122
|
async function fetchUserPermissions(con) {
|
|
91
123
|
const describePerms = await parsePermsFromDescribe(con);
|
|
@@ -108,6 +140,9 @@ async function fetchCustomPermissions(con) {
|
|
|
108
140
|
function mergeMaps(...permMaps) {
|
|
109
141
|
return new Map(permMaps.flatMap((m) => [...m]));
|
|
110
142
|
}
|
|
143
|
+
function normalise(anyStrings) {
|
|
144
|
+
return Array.from(new Set(anyStrings.map((inputString) => inputString.toLowerCase())));
|
|
145
|
+
}
|
|
111
146
|
async function parsePermsFromDescribe(con) {
|
|
112
147
|
const permSet = await con.describe('PermissionSet');
|
|
113
148
|
const describeAvailablePerms = new Map();
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"orgDescribe.js","sourceRoot":"","sources":["../../../src/salesforce/describes/orgDescribe.ts"],"names":[],"mappings":"AAAA,OAAO,QAAQ,MAAM,sCAAsC,CAAC;AAE5D,OAAO,EAAE,kBAAkB,
|
|
1
|
+
{"version":3,"file":"orgDescribe.js","sourceRoot":"","sources":["../../../src/salesforce/describes/orgDescribe.ts"],"names":[],"mappings":"AAAA,OAAO,QAAQ,MAAM,sCAAsC,CAAC;AAE5D,OAAO,EAAE,kBAAkB,EAA0D,MAAM,wBAAwB,CAAC;AAEpH,4DAA4D;AAC5D,MAAM,sBAAsB,GAAG,EAAE,CAAC;AAClC,MAAM,CAAC,OAAO,OAAO,WAAW;IAQO;IAPrC;;OAEG;IACI,MAAM,CAAC,QAAQ,GAAG,IAAI,GAAG,EAAuB,CAAC;IAChD,iBAAiB,CAA2B;IAC5C,eAAe,CAA2B;IAElD,YAAqC,GAAiB;QAAjB,QAAG,GAAH,GAAG,CAAc;IAAG,CAAC;IAE1D;;;;;;OAMG;IACI,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,GAAiB;QAC1C,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,cAAc,CAAC,WAAW,CAAC,CAAC;QACrE,IAAI,UAAU,EAAE,CAAC;YACf,OAAO,UAAU,CAAC;QACpB,CAAC;QACD,MAAM,IAAI,GAAG,IAAI,WAAW,CAAC,GAAG,CAAC,CAAC;QAClC,IAAI,CAAC,eAAe,GAAG,MAAM,oBAAoB,CAAC,GAAG,CAAC,CAAC;QACvD,IAAI,CAAC,iBAAiB,GAAG,MAAM,sBAAsB,CAAC,GAAG,CAAC,CAAC;QAC3D,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,cAAc,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;OAMG;IACI,kBAAkB,CAAC,cAAsB;QAC9C,MAAM,aAAa,GAAG,cAAc,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;QAC5E,IAAI,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,aAAa,CAAC,EAAE,CAAC;YAC5C,OAAO,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;QACjD,CAAC;QACD,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,eAAe,CAAC,MAAM,EAAE,EAAE,CAAC;YACjD,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;gBAChB,SAAS;YACX,CAAC;YACD,MAAM,cAAc,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;YACzE,IACE,cAAc,KAAK,aAAa;gBAChC,CAAC,aAAa,CAAC,MAAM,IAAI,sBAAsB,IAAI,cAAc,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC,EAC5F,CAAC;gBACD,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACI,kBAAkB;QACvB,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,MAAM,EAAE,CAAC,CAAC;IACnD,CAAC;IAED;;;;OAIG;IACI,OAAO,CAAC,cAAsB;QACnC,OAAO,CACL,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,cAAc,CAAC,WAAW,EAAE,CAAC;YACtD,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,cAAc,CAAC,WAAW,EAAE,CAAC,EAAE,IAAI,KAAK,cAAc,CAChF,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACI,iBAAiB,CAAC,cAAsB;QAC7C,OAAO,CACL,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,cAAc,CAAC,WAAW,EAAE,CAAC;YACxD,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,cAAc,CAAC,WAAW,EAAE,CAAC,EAAE,IAAI,KAAK,cAAc,CAClF,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACI,oBAAoB;QACzB,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,MAAM,EAAE,CAAC,CAAC;IACrD,CAAC;IAED;;;;;OAKG;IACI,KAAK,CAAC,gBAAgB,CAAC,WAAqB;QACjD,MAAM,MAAM,GAA2B,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;QACpF,MAAM,eAAe,GAAG,SAAS,CAAC,WAAW,CAAC,CAAC;QAC/C,MAAM,gBAAgB,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC,gBAAgB,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC,CAAC;QACxG,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC;QAC7D,KAAK,MAAM,cAAc,IAAI,SAAS,EAAE,CAAC;YACvC,IAAI,cAAc,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;gBAC1C,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBACjD,MAAM,CAAC,SAAS,CAAC,cAAc,CAAC,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,GAAG,cAAc,CAAC,KAAK,CAAC;YACnF,CAAC;iBAAM,CAAC;gBACN,mEAAmE;gBACnE,MAAM,EAAE,MAAM,EAAE,GAAG,cAAc,CAAC;gBAClC,MAAM,IAAI,GAAG,eAAe,CAAC,SAAS,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,CAAC;gBAChE,MAAM,aAAa,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,sCAAsC,CAAC;gBACnG,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC,CAAC;YACtD,CAAC;QACH,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;;AAGH,SAAS,UAAU,CAAC,GAAY;IAC9B,OAAO,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,IAAI,SAAS,IAAI,GAAG,CAAC;AACrE,CAAC;AAED,KAAK,UAAU,oBAAoB,CAAC,GAAiB;IACnD,MAAM,aAAa,GAAG,MAAM,sBAAsB,CAAC,GAAG,CAAC,CAAC;IACxD,MAAM,aAAa,GAAG,MAAM,wBAAwB,CAAC,GAAG,CAAC,CAAC;IAC1D,OAAO,SAAS,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;AACjD,CAAC;AAED,KAAK,UAAU,sBAAsB,CAAC,GAAiB;IACrD,MAAM,MAAM,GAAG,IAAI,GAAG,EAAsB,CAAC;IAC7C,MAAM,WAAW,GAAG,MAAM,GAAG,CAAC,KAAK,CAAqB,kBAAkB,CAAC,CAAC;IAC5E,IAAI,WAAW,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnC,KAAK,MAAM,EAAE,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;YACrC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,aAAa,CAAC,WAAW,EAAE,EAAE;gBACzC,IAAI,EAAE,EAAE,CAAC,aAAa;gBACtB,KAAK,EAAE,EAAE,CAAC,WAAW;aACtB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,SAAS,CAAC,GAAG,QAAwC;IAC5D,OAAO,IAAI,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;AAClD,CAAC;AAED,SAAS,SAAS,CAAC,UAAoB;IACrC,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAS,UAAU,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,CAAC;AACjG,CAAC;AAED,KAAK,UAAU,sBAAsB,CAAC,GAAiB;IACrD,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC;IACpD,MAAM,sBAAsB,GAAG,IAAI,GAAG,EAAsB,CAAC;IAC7D,OAAO,CAAC,MAAM;SACX,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;SACvD,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE;QACjB,MAAM,QAAQ,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;QACvD,sBAAsB,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW,EAAE,EAAE;YACjD,KAAK,EAAE,aAAa,CAAC,KAAK,CAAC,KAAK,CAAC;YACjC,IAAI,EAAE,QAAQ;SACf,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IACL,OAAO,sBAAsB,CAAC;AAChC,CAAC;AAED,KAAK,UAAU,wBAAwB,CAAC,GAAiB;IACvD,MAAM,aAAa,GAAG,IAAI,GAAG,EAAsB,CAAC;IACpD,MAAM,YAAY,GAAG,IAAI,QAAQ,CAAC,GAAG,CAAC,CAAC;IACvC,MAAM,QAAQ,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC;IACpE,KAAK,MAAM,OAAO,IAAI,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC;QACxC,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YACrB,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,EAAE;gBACpD,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,EAAE,EAAE,IAAI,EAAE,QAAQ,CAAC,IAAI,EAAE,KAAK,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;YAChG,CAAC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,aAAa,CAAC;AACvB,CAAC;AAED,SAAS,aAAa,CAAC,QAAiB;IACtC,OAAO,QAAQ,EAAE,UAAU,CAAC,kBAAkB,EAAE,EAAE,CAAC,CAAC;AACtD,CAAC"}
|
|
@@ -1,11 +1,30 @@
|
|
|
1
|
-
import { Record } from '@jsforce/jsforce-node';
|
|
1
|
+
import { DescribeSObjectResult, Record as SfRecord } from '@jsforce/jsforce-node';
|
|
2
2
|
export declare const CUSTOM_PERMS_QUERY = "SELECT Id,MasterLabel,DeveloperName FROM CustomPermission";
|
|
3
3
|
export type Permission = {
|
|
4
4
|
name: string;
|
|
5
5
|
label?: string;
|
|
6
6
|
};
|
|
7
|
-
export type SfCustomPermission =
|
|
7
|
+
export type SfCustomPermission = SfRecord & {
|
|
8
8
|
Id: string;
|
|
9
9
|
MasterLabel: string;
|
|
10
10
|
DeveloperName: string;
|
|
11
11
|
};
|
|
12
|
+
export type SObjectsDescribeResult = {
|
|
13
|
+
/**
|
|
14
|
+
* Sanitised list of valid sobject names
|
|
15
|
+
*/
|
|
16
|
+
successes: string[];
|
|
17
|
+
/**
|
|
18
|
+
* Map of lowercase sobject names and corresponding
|
|
19
|
+
* describe results.
|
|
20
|
+
*/
|
|
21
|
+
describes: Record<string, DescribeSObjectResult>;
|
|
22
|
+
/**
|
|
23
|
+
* List of sobject names that do not exist on the target
|
|
24
|
+
* org with a reason of failure.
|
|
25
|
+
*/
|
|
26
|
+
errors: Array<{
|
|
27
|
+
name: string;
|
|
28
|
+
reason: string;
|
|
29
|
+
}>;
|
|
30
|
+
};
|
|
@@ -10,6 +10,10 @@ User policy option defaultRoleForMissingUsers is invalid: "%s" does not exist.
|
|
|
10
10
|
|
|
11
11
|
Permission does not exist on Org.
|
|
12
12
|
|
|
13
|
+
# ObjectDoesNotExistOnOrg
|
|
14
|
+
|
|
15
|
+
Object was not found on Org.
|
|
16
|
+
|
|
13
17
|
# FailedToParseAuditConfig
|
|
14
18
|
|
|
15
19
|
Failed to parse audit config at location %s: %s (%s).
|
|
@@ -8,7 +8,7 @@ Tried to access a role that does not exist: %s.
|
|
|
8
8
|
|
|
9
9
|
# RoleReferencesControlThatDoesNotExist
|
|
10
10
|
|
|
11
|
-
Role "%s" references
|
|
11
|
+
Role "%s" references %s control that does not exist: %s
|
|
12
12
|
|
|
13
13
|
# violations.classification-preset-mismatch
|
|
14
14
|
|
package/oclif.manifest.json
CHANGED
package/package.json
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@j-schreiber/sf-cli-security-audit",
|
|
3
3
|
"description": "Salesforce CLI plugin to automate highly configurable security audits",
|
|
4
|
-
"version": "0.
|
|
4
|
+
"version": "0.23.0",
|
|
5
5
|
"repository": {
|
|
6
6
|
"type": "git",
|
|
7
7
|
"url": "git+https://github.com/j-schreiber/js-sf-cli-security-audit"
|