@j-schreiber/sf-cli-security-audit 0.22.0 → 0.24.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +3 -3
- package/lib/libs/audit-engine/auditRun.js +6 -7
- package/lib/libs/audit-engine/auditRun.js.map +1 -1
- package/lib/libs/audit-engine/index.d.ts +21 -0
- package/lib/libs/audit-engine/registry/definitions.d.ts +23 -0
- package/lib/libs/audit-engine/registry/definitions.js +8 -0
- package/lib/libs/audit-engine/registry/definitions.js.map +1 -1
- package/lib/libs/audit-engine/registry/policies/connectedApps.js +1 -1
- package/lib/libs/audit-engine/registry/policies/connectedApps.js.map +1 -1
- package/lib/libs/audit-engine/registry/policies/objects.d.ts +12 -0
- package/lib/libs/audit-engine/registry/policies/objects.js +18 -0
- package/lib/libs/audit-engine/registry/policies/objects.js.map +1 -0
- package/lib/libs/audit-engine/registry/policies/permissionSets.js +4 -4
- package/lib/libs/audit-engine/registry/policies/permissionSets.js.map +1 -1
- package/lib/libs/audit-engine/registry/policies/profiles.d.ts +0 -2
- package/lib/libs/audit-engine/registry/policies/profiles.js +0 -5
- package/lib/libs/audit-engine/registry/policies/profiles.js.map +1 -1
- package/lib/libs/audit-engine/registry/policies/settings.js +4 -2
- package/lib/libs/audit-engine/registry/policies/settings.js.map +1 -1
- package/lib/libs/audit-engine/registry/policies/users.js +3 -3
- package/lib/libs/audit-engine/registry/policies/users.js.map +1 -1
- package/lib/libs/audit-engine/registry/policy.d.ts +9 -1
- package/lib/libs/audit-engine/registry/policy.js +5 -0
- package/lib/libs/audit-engine/registry/policy.js.map +1 -1
- package/lib/libs/audit-engine/registry/roles/roleManager.d.ts +7 -1
- package/lib/libs/audit-engine/registry/roles/roleManager.js +12 -0
- package/lib/libs/audit-engine/registry/roles/roleManager.js.map +1 -1
- package/lib/libs/audit-engine/registry/roles/userRole.d.ts +24 -1
- package/lib/libs/audit-engine/registry/roles/userRole.js +53 -5
- package/lib/libs/audit-engine/registry/roles/userRole.js.map +1 -1
- package/lib/libs/audit-engine/registry/ruleRegistry.js +7 -1
- package/lib/libs/audit-engine/registry/ruleRegistry.js.map +1 -1
- package/lib/libs/audit-engine/registry/rules/enforceObjectAccessOnUser.d.ts +0 -1
- package/lib/libs/audit-engine/registry/rules/enforceObjectAccessOnUser.js +1 -7
- package/lib/libs/audit-engine/registry/rules/enforceObjectAccessOnUser.js.map +1 -1
- package/lib/libs/audit-engine/registry/rules/enforcePermissionPresets.d.ts +0 -1
- package/lib/libs/audit-engine/registry/rules/enforcePermissionPresets.js +3 -9
- package/lib/libs/audit-engine/registry/rules/enforcePermissionPresets.js.map +1 -1
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.d.ts +0 -1
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.js +1 -7
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.js.map +1 -1
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnUser.d.ts +0 -1
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnUser.js +1 -7
- package/lib/libs/audit-engine/registry/rules/enforcePermissionsOnUser.js.map +1 -1
- package/lib/libs/audit-engine/registry/rules/policyRule.d.ts +2 -0
- package/lib/libs/audit-engine/registry/rules/policyRule.js.map +1 -1
- package/lib/libs/audit-engine/registry/rules/privateExternalAccessForAllObjects.d.ts +7 -0
- package/lib/libs/audit-engine/registry/rules/privateExternalAccessForAllObjects.js +34 -0
- package/lib/libs/audit-engine/registry/rules/privateExternalAccessForAllObjects.js.map +1 -0
- package/lib/libs/audit-engine/registry/shape/auditConfigShape.d.ts +21 -0
- package/lib/libs/audit-engine/registry/shape/auditConfigShape.js +7 -1
- package/lib/libs/audit-engine/registry/shape/auditConfigShape.js.map +1 -1
- package/lib/libs/audit-engine/registry/shape/shapeValidation.d.ts +2 -2
- package/lib/libs/audit-engine/registry/shape/shapeValidation.js +36 -21
- package/lib/libs/audit-engine/registry/shape/shapeValidation.js.map +1 -1
- package/lib/salesforce/connection.d.ts +13 -0
- package/lib/salesforce/connection.js +35 -1
- package/lib/salesforce/connection.js.map +1 -1
- package/lib/salesforce/describes/orgDescribe.d.ts +10 -1
- package/lib/salesforce/describes/orgDescribe.js +38 -2
- package/lib/salesforce/describes/orgDescribe.js.map +1 -1
- package/lib/salesforce/describes/orgDescribe.types.d.ts +21 -2
- package/lib/salesforce/index.d.ts +2 -0
- package/lib/salesforce/index.js +1 -0
- package/lib/salesforce/index.js.map +1 -1
- package/lib/salesforce/mdapi/constants.d.ts +1 -0
- package/lib/salesforce/mdapi/constants.js +2 -1
- package/lib/salesforce/mdapi/constants.js.map +1 -1
- package/lib/salesforce/repositories/connected-apps/connected-apps.d.ts +6 -1
- package/lib/salesforce/repositories/connected-apps/connected-apps.js.map +1 -1
- package/lib/salesforce/repositories/object-definitions/object-definitions.d.ts +17 -0
- package/lib/salesforce/repositories/object-definitions/object-definitions.js +94 -0
- package/lib/salesforce/repositories/object-definitions/object-definitions.js.map +1 -0
- package/lib/salesforce/repositories/object-definitions/object-definitions.types.d.ts +60 -0
- package/lib/salesforce/repositories/object-definitions/object-definitions.types.js +9 -0
- package/lib/salesforce/repositories/object-definitions/object-definitions.types.js.map +1 -0
- package/lib/salesforce/repositories/perm-sets/permission-sets.d.ts +6 -1
- package/lib/salesforce/repositories/perm-sets/permission-sets.js.map +1 -1
- package/lib/salesforce/resolve-entity-lifecycle-bus.d.ts +3 -1
- package/lib/salesforce/resolve-entity-lifecycle-bus.js.map +1 -1
- package/messages/auditShapeValidation.md +4 -0
- package/messages/rules.enforceClassificationPresets.md +1 -1
- package/messages/rules.objects.md +3 -0
- package/oclif.lock +1056 -1703
- package/oclif.manifest.json +1 -1
- package/package.json +22 -22
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"roleManager.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/roles/roleManager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAA6B,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxG,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AAClE,OAAO,
|
|
1
|
+
{"version":3,"file":"roleManager.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/roles/roleManager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAA6B,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxG,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AAClE,OAAO,EAEL,oBAAoB,GAQrB,MAAM,wBAAwB,CAAC;AAChC,OAAiB,EAAE,qBAAqB,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAC;AAErF,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,oCAAoC,CAAC,CAAC;AAQnH,MAAM,CAAC,OAAO,OAAO,WAAY,SAAQ,YAAY;IAGf;IAF5B,KAAK,GAA6B,EAAE,CAAC;IAE7C,YAAoC,WAA8B;QAChE,KAAK,EAAE,CAAC;QAD0B,gBAAW,GAAX,WAAW,CAAmB;QAEhE,IAAI,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;YACpC,KAAK,MAAM,CAAC,QAAQ,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;gBACzE,MAAM,cAAc,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;gBAC3C,IAAI,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,EAAE,CAAC;oBAC/B,oBAAoB,CAAC,eAAe,CAClC,QAAQ,CAAC,UAAU,CAAC,iCAAiC,EAAE;wBACrD,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,QAAQ;wBACnC,cAAc;qBACf,CAAC,CACH,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACN,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,GAAG,qBAAqB,CAAC,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;gBACjF,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,KAAK,MAAM,UAAU,IAAI,MAAM,CAAC,MAAM,CAAC,kBAAkB,CAAC,EAAE,CAAC;gBAC3D,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,GAAG,mBAAmB,CAAC,UAAU,EAAE,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;YAC/G,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;;;;;;;OASG;IACI,eAAe,CACpB,IAAY,EACZ,YAAyC,EACzC,aAAuB,EAAE;QAEzB,MAAM,iBAAiB,GAAG,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC;QACtF,MAAM,MAAM,GAAe,EAAE,UAAU,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;QACxE,MAAM,YAAY,GAAG,IAAI,CAAC,0BAA0B,CAAC,IAAI,EAAE,iBAAiB,EAAE,UAAU,CAAC,CAAC;QAC1F,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;QAC3C,IAAI,YAAY,CAAC,IAAI,IAAI,YAAY,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9D,KAAK,MAAM,WAAW,IAAI,YAAY,CAAC,YAAY,EAAE,CAAC;gBACpD,MAAM,eAAe,GAAG,CAAC,GAAG,UAAU,EAAE,WAAW,CAAC,IAAI,CAAC,CAAC;gBAC1D,KAAK,MAAM,OAAO,IAAI,CAAC,iBAAiB,EAAE,mBAAmB,CAAU,EAAE,CAAC;oBACxE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,kBAAkB,CACtD,YAAY,CAAC,IAAI,EACjB,WAAW,EACX,OAAO,EACP,eAAe,CAChB,CAAC;oBACF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC;oBACtC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;gBACpC,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;;;;;OAOG;IACI,gBAAgB,CAAC,IAAY,EAAE,YAA2B,EAAE,iBAA2B,EAAE;QAC9F,MAAM,MAAM,GAAe,EAAE,UAAU,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;QACxE,MAAM,YAAY,GAAG,IAAI,CAAC,0BAA0B,CAAC,IAAI,EAAE,YAAY,EAAE,cAAc,CAAC,CAAC;QACzF,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;QAC3C,IAAI,YAAY,CAAC,IAAI,IAAI,YAAY,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9D,KAAK,MAAM,WAAW,IAAI,YAAY,CAAC,YAAY,EAAE,CAAC;gBACpD,MAAM,UAAU,GAAG,4BAA4B,CAAC,YAAY,CAAC,IAAI,EAAE,WAAW,EAAE;oBAC9E,GAAG,cAAc;oBACjB,WAAW,CAAC,IAAI;iBACjB,CAAC,CAAC;gBACH,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC;YACxC,CAAC;QACH,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;;;;OAMG;IACI,WAAW,CAAC,QAAgB;QACjC,MAAM,kBAAkB,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;QAC/C,OAAO,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC,CAAC;IACjD,CAAC;IAED;;;;;;OAMG;IACI,OAAO,CAAC,YAAoB,EAAE,eAAuB;QAC1D,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAC5C,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QAChD,OAAO,QAAQ,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;IACzC,CAAC;IAED;;;;;OAKG;IACI,OAAO,CAAC,QAAgB;QAC7B,MAAM,kBAAkB,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;QAC/C,IAAI,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,EAAE,CAAC;YACnC,OAAO,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;QACxC,CAAC;QACD,MAAM,QAAQ,CAAC,WAAW,CAAC,mCAAmC,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC9E,CAAC;IAED;;;;OAIG;IACI,kBAAkB;QACvB,MAAM,QAAQ,GAA6C,EAAE,CAAC;QAC9D,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YAC7C,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC;QACjD,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,wBAAwB;IAEhB,0BAA0B,CAChC,IAAY,EACZ,YAA2B,EAC3B,UAAoB;QAEpB,MAAM,YAAY,GAA4B,EAAE,MAAM,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;QAChG,IAAI,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,YAAY,CAAC,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACzC,CAAC;aAAM,CAAC;YACN,YAAY,CAAC,MAAM,CAAC,IAAI,CACtB,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;gBAC3B,UAAU,EAAE,CAAC,GAAG,UAAU,EAAE,EAAE,CAAC,IAAI,CAAC;gBACpC,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,8BAA8B,EAAE,CAAC,IAAI,CAAC,CAAC;aACrE,CAAC,CAAC,CACJ,CAAC;QACJ,CAAC;QACD,KAAK,MAAM,EAAE,IAAI,YAAY,EAAE,CAAC;YAC9B,IAAI,oBAAoB,CAAC,EAAE,CAAC,EAAE,CAAC;gBAC7B,YAAY,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACrC,CAAC;iBAAM,CAAC;gBACN,YAAY,CAAC,MAAM,CAAC,IAAI,CAAC;oBACvB,UAAU,EAAE,CAAC,GAAG,UAAU,EAAE,EAAE,CAAC,IAAI,CAAC;oBACpC,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,qCAAqC,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;iBAC/E,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QACD,OAAO,YAAY,CAAC;IACtB,CAAC;IAEO,kBAAkB,CACxB,IAAc,EACd,OAA2B,EAC3B,cAAkC,EAClC,cAAwB;QAExB,MAAM,MAAM,GAAgD,EAAE,QAAQ,EAAE,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;QAC7F,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;YACpD,MAAM,UAAU,GAAG,CAAC,GAAG,cAAc,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;YAClD,MAAM,kBAAkB,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;YACvE,IAAI,kBAAkB,EAAE,CAAC;gBACvB,IAAI,kBAAkB,CAAC,cAAc,KAAK,mBAAmB,CAAC,OAAO,EAAE,CAAC;oBACtE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;wBACrB,UAAU;wBACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,kCAAkC,CAAC;qBACjE,CAAC,CAAC;gBACL,CAAC;qBAAM,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,kBAAkB,CAAC,IAAI,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,EAAE,CAAC;oBACpF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;wBACrB,UAAU;wBACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,2CAA2C,EAAE;4BACxE,kBAAkB,CAAC,cAAc;4BACjC,IAAI,CAAC,QAAQ;yBACd,CAAC;qBACH,CAAC,CAAC;gBACL,CAAC;qBAAM,IAAI,kBAAkB,CAAC,cAAc,KAAK,mBAAmB,CAAC,OAAO,EAAE,CAAC;oBAC7E,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;wBACnB,UAAU;wBACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,6BAA6B,CAAC;qBAC5D,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;iBAAM,IAAI,IAAI,CAAC,QAAQ,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,EAAE,CAAC;gBACpE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;oBACrB,UAAU;oBACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,iCAAiC,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;iBACjF,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;oBACnB,UAAU;oBACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,oCAAoC,CAAC;iBACnE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,WAAW,CAAC,QAAgB,EAAE,QAA4B;QAChE,IAAI,QAAQ,KAAK,iBAAiB,EAAE,CAAC;YACnC,OAAO,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;QACxC,CAAC;aAAM,IAAI,QAAQ,KAAK,mBAAmB,EAAE,CAAC;YAC5C,OAAO,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC;IAEO,eAAe,CAAC,QAAgB;QACtC,IAAI,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,eAAe,EAAE,CAAC;YAC5C,OAAO,kBAAkB,CAAC,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC,CAAC;QACxF,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAEO,iBAAiB,CAAC,QAAgB;QACxC,IAAI,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,iBAAiB,EAAE,CAAC;YAC9C,OAAO,kBAAkB,CAAC,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC,CAAC;QAC1F,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;CACF;AAED,SAAS,4BAA4B,CACnC,IAAc,EACd,WAA+B,EAC/B,UAAoB;IAEpB,MAAM,UAAU,GAA6B,EAAE,CAAC;IAChD,KAAK,MAAM,YAAY,IAAI,WAAW,CAAC,QAAQ,CAAC,iBAAiB,IAAI,EAAE,EAAE,CAAC;QACxE,MAAM,aAAa,GAAG,IAAI,CAAC,eAAe,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;QAChE,KAAK,MAAM,SAAS,IAAI,CAAC,WAAW,EAAE,aAAa,EAAE,WAAW,EAAE,aAAa,EAAE,eAAe,CAAU,EAAE,CAAC;YAC3G,IAAI,MAAM,CAAC,MAAM,CAAC,YAAY,EAAE,SAAS,CAAC,EAAE,CAAC;gBAC3C,MAAM,aAAa,GAAG,YAAY,CAAC,SAAsC,CAAC,CAAC;gBAC3E,IAAI,aAAa,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,EAAE,CAAC;oBAC/C,UAAU,CAAC,IAAI,CAAC;wBACd,UAAU,EAAE,CAAC,GAAG,UAAU,EAAE,YAAY,CAAC,MAAM,EAAE,SAAS,CAAC;wBAC3D,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,iCAAiC,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;qBACjF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,kBAAkB,CACzB,QAAgB,EAChB,IAA0C;IAE1C,OAAO,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;AACxD,CAAC;AAED,SAAS,SAAS,CAAC,QAAgB;IACjC,OAAO,QAAQ,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;AACrD,CAAC"}
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import { PermissionClassifications, UserPrivilegeLevel, ObjectAccessControl } from '../shape/schema.js';
|
|
2
|
-
import { RoleManagerConfig, TypedPermission, UserRoleCompareResult, DefinitiveObjectAccessDef } from './roleManager.types.js';
|
|
2
|
+
import { DefinitiveRoleDefinition, RoleManagerConfig, TypedPermission, UserRoleCompareResult, DefinitiveObjectAccessDef } from './roleManager.types.js';
|
|
3
3
|
type UserRolePermissions = {
|
|
4
4
|
allowed: Set<string>;
|
|
5
5
|
denied: Set<string>;
|
|
@@ -13,8 +13,25 @@ type UserRoleConfig = {
|
|
|
13
13
|
};
|
|
14
14
|
export default class UserRole {
|
|
15
15
|
roleName: string;
|
|
16
|
+
/**
|
|
17
|
+
* Merged role config from inline role and all composable controls.
|
|
18
|
+
* Resolves allowed classifications to actual permissions from the org,
|
|
19
|
+
* but keeps capitalisation (lower/upper case verbatim)
|
|
20
|
+
*/
|
|
16
21
|
private config;
|
|
22
|
+
/**
|
|
23
|
+
* Fully resolved object access, with partial definitions
|
|
24
|
+
* filled to default access ("allow: false")
|
|
25
|
+
*/
|
|
17
26
|
private objectAccess;
|
|
27
|
+
/**
|
|
28
|
+
* Fully resolved allowed and denied user permissions in lower case
|
|
29
|
+
*/
|
|
30
|
+
private normalizedUserPermissions;
|
|
31
|
+
/**
|
|
32
|
+
* Fully resolved allowed and denied custom permissions in lower case
|
|
33
|
+
*/
|
|
34
|
+
private normalizedCustomPermissions;
|
|
18
35
|
constructor(roleName: string, config: Partial<UserRoleConfig>);
|
|
19
36
|
/**
|
|
20
37
|
* Evaluates if a permission is explicitly denied
|
|
@@ -48,6 +65,12 @@ export default class UserRole {
|
|
|
48
65
|
* @returns
|
|
49
66
|
*/
|
|
50
67
|
getObjectAccess(objName: string): DefinitiveObjectAccessDef;
|
|
68
|
+
/**
|
|
69
|
+
* Returns the fully resolved role definition
|
|
70
|
+
*
|
|
71
|
+
* @returns
|
|
72
|
+
*/
|
|
73
|
+
getDefinition(): DefinitiveRoleDefinition;
|
|
51
74
|
}
|
|
52
75
|
export declare function newRoleFromDefinition(roleName: string, config: RoleManagerConfig): UserRole;
|
|
53
76
|
export declare function newRoleFromOrdinals(roleName: UserPrivilegeLevel, perms?: PermissionClassifications): UserRole;
|
|
@@ -5,8 +5,25 @@ Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
|
|
|
5
5
|
const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.enforceClassificationPresets');
|
|
6
6
|
export default class UserRole {
|
|
7
7
|
roleName;
|
|
8
|
+
/**
|
|
9
|
+
* Merged role config from inline role and all composable controls.
|
|
10
|
+
* Resolves allowed classifications to actual permissions from the org,
|
|
11
|
+
* but keeps capitalisation (lower/upper case verbatim)
|
|
12
|
+
*/
|
|
8
13
|
config;
|
|
14
|
+
/**
|
|
15
|
+
* Fully resolved object access, with partial definitions
|
|
16
|
+
* filled to default access ("allow: false")
|
|
17
|
+
*/
|
|
9
18
|
objectAccess;
|
|
19
|
+
/**
|
|
20
|
+
* Fully resolved allowed and denied user permissions in lower case
|
|
21
|
+
*/
|
|
22
|
+
normalizedUserPermissions;
|
|
23
|
+
/**
|
|
24
|
+
* Fully resolved allowed and denied custom permissions in lower case
|
|
25
|
+
*/
|
|
26
|
+
normalizedCustomPermissions;
|
|
10
27
|
constructor(roleName, config) {
|
|
11
28
|
this.roleName = roleName;
|
|
12
29
|
this.config = {
|
|
@@ -16,6 +33,14 @@ export default class UserRole {
|
|
|
16
33
|
isStrict: false,
|
|
17
34
|
...config,
|
|
18
35
|
};
|
|
36
|
+
this.normalizedUserPermissions = {
|
|
37
|
+
allowed: toLowerCaseSet(this.config.userPermissions.allowed),
|
|
38
|
+
denied: toLowerCaseSet(this.config.userPermissions.denied),
|
|
39
|
+
};
|
|
40
|
+
this.normalizedCustomPermissions = {
|
|
41
|
+
allowed: toLowerCaseSet(this.config.customPermissions.allowed),
|
|
42
|
+
denied: toLowerCaseSet(this.config.customPermissions.denied),
|
|
43
|
+
};
|
|
19
44
|
this.objectAccess = {};
|
|
20
45
|
for (const [objName, objDef] of Object.entries(config.objectAccess ?? {})) {
|
|
21
46
|
this.objectAccess[objName] = {
|
|
@@ -36,10 +61,10 @@ export default class UserRole {
|
|
|
36
61
|
*/
|
|
37
62
|
isDenied(permission) {
|
|
38
63
|
if (permission.type === 'customPermissions') {
|
|
39
|
-
return this.
|
|
64
|
+
return this.normalizedCustomPermissions.denied.has(permission.name.toLowerCase());
|
|
40
65
|
}
|
|
41
66
|
else {
|
|
42
|
-
return this.
|
|
67
|
+
return this.normalizedUserPermissions.denied.has(permission.name.toLowerCase());
|
|
43
68
|
}
|
|
44
69
|
}
|
|
45
70
|
/**
|
|
@@ -51,10 +76,10 @@ export default class UserRole {
|
|
|
51
76
|
*/
|
|
52
77
|
isAllowed(permission) {
|
|
53
78
|
if (permission.type === 'customPermissions') {
|
|
54
|
-
return this.
|
|
79
|
+
return this.normalizedCustomPermissions.allowed.has(permission.name.toLowerCase());
|
|
55
80
|
}
|
|
56
81
|
else {
|
|
57
|
-
return this.
|
|
82
|
+
return this.normalizedUserPermissions.allowed.has(permission.name.toLowerCase());
|
|
58
83
|
}
|
|
59
84
|
}
|
|
60
85
|
/**
|
|
@@ -107,6 +132,26 @@ export default class UserRole {
|
|
|
107
132
|
}
|
|
108
133
|
return allowedObjectAccess;
|
|
109
134
|
}
|
|
135
|
+
/**
|
|
136
|
+
* Returns the fully resolved role definition
|
|
137
|
+
*
|
|
138
|
+
* @returns
|
|
139
|
+
*/
|
|
140
|
+
getDefinition() {
|
|
141
|
+
const userPermissions = {
|
|
142
|
+
allowed: Array.from(this.config.userPermissions.allowed),
|
|
143
|
+
denied: Array.from(this.config.userPermissions.denied),
|
|
144
|
+
};
|
|
145
|
+
const customPermissions = {
|
|
146
|
+
allowed: Array.from(this.config.customPermissions.allowed),
|
|
147
|
+
denied: Array.from(this.config.customPermissions.denied),
|
|
148
|
+
};
|
|
149
|
+
return {
|
|
150
|
+
objectAccess: this.objectAccess,
|
|
151
|
+
strict: this.config.isStrict,
|
|
152
|
+
permissions: { userPermissions, customPermissions },
|
|
153
|
+
};
|
|
154
|
+
}
|
|
110
155
|
}
|
|
111
156
|
export function newRoleFromDefinition(roleName, config) {
|
|
112
157
|
const { permissions, objectAccess, strict } = resolveRole(roleName, config.controls);
|
|
@@ -137,6 +182,9 @@ export function newRoleFromOrdinals(roleName, perms) {
|
|
|
137
182
|
objectAccess: {},
|
|
138
183
|
});
|
|
139
184
|
}
|
|
185
|
+
function toLowerCaseSet(names) {
|
|
186
|
+
return new Set(Array.from(names).map((permName) => permName.toLowerCase()));
|
|
187
|
+
}
|
|
140
188
|
function resolvePresetOrdinalValue(value) {
|
|
141
189
|
const indexOfValue = Object.values(UserPrivilegeLevel).indexOf(value);
|
|
142
190
|
return Object.keys(UserPrivilegeLevel).length - indexOfValue;
|
|
@@ -210,7 +258,7 @@ function buildAllowedPerms(rolePermDef, permClassifications, allowedClassificati
|
|
|
210
258
|
}
|
|
211
259
|
return {
|
|
212
260
|
allowed: allowedPerms,
|
|
213
|
-
denied: new Set(rolePermDef.denied
|
|
261
|
+
denied: new Set(rolePermDef.denied ?? []),
|
|
214
262
|
};
|
|
215
263
|
}
|
|
216
264
|
//# sourceMappingURL=userRole.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"userRole.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/roles/userRole.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,iBAAiB,CAAC;AACxC,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAEL,mBAAmB,EACnB,kBAAkB,GAInB,MAAM,oBAAoB,CAAC;AAU5B,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,oCAAoC,CAAC,CAAC;AAenH,MAAM,CAAC,OAAO,OAAO,QAAQ;
|
|
1
|
+
{"version":3,"file":"userRole.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/roles/userRole.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,iBAAiB,CAAC;AACxC,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAEL,mBAAmB,EACnB,kBAAkB,GAInB,MAAM,oBAAoB,CAAC;AAU5B,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,oCAAoC,CAAC,CAAC;AAenH,MAAM,CAAC,OAAO,OAAO,QAAQ;IAqBD;IApB1B;;;;OAIG;IACK,MAAM,CAAiB;IAC/B;;;OAGG;IACK,YAAY,CAA4C;IAChE;;OAEG;IACK,yBAAyB,CAAsB;IACvD;;OAEG;IACK,2BAA2B,CAAsB;IAEzD,YAA0B,QAAgB,EAAE,MAA+B;QAAjD,aAAQ,GAAR,QAAQ,CAAQ;QACxC,IAAI,CAAC,MAAM,GAAG;YACZ,eAAe,EAAE,EAAE,OAAO,EAAE,IAAI,GAAG,EAAU,EAAE,MAAM,EAAE,IAAI,GAAG,EAAU,EAAE;YAC1E,iBAAiB,EAAE,EAAE,OAAO,EAAE,IAAI,GAAG,EAAU,EAAE,MAAM,EAAE,IAAI,GAAG,EAAU,EAAE;YAC5E,YAAY,EAAE,EAAE;YAChB,QAAQ,EAAE,KAAK;YACf,GAAG,MAAM;SACV,CAAC;QACF,IAAI,CAAC,yBAAyB,GAAG;YAC/B,OAAO,EAAE,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,OAAO,CAAC;YAC5D,MAAM,EAAE,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC;SAC3D,CAAC;QACF,IAAI,CAAC,2BAA2B,GAAG;YACjC,OAAO,EAAE,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,OAAO,CAAC;YAC9D,MAAM,EAAE,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,MAAM,CAAC;SAC7D,CAAC;QACF,IAAI,CAAC,YAAY,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,YAAY,IAAI,EAAE,CAAC,EAAE,CAAC;YAC1E,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,GAAG;gBAC3B,SAAS,EAAE,KAAK;gBAChB,WAAW,EAAE,KAAK;gBAClB,WAAW,EAAE,KAAK;gBAClB,SAAS,EAAE,KAAK;gBAChB,aAAa,EAAE,KAAK;gBACpB,GAAG,MAAM;aACV,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACI,QAAQ,CAAC,UAA2B;QACzC,IAAI,UAAU,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;YAC5C,OAAO,IAAI,CAAC,2BAA2B,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;QACpF,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,CAAC,yBAAyB,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;QAClF,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACI,SAAS,CAAC,UAA2B;QAC1C,IAAI,UAAU,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;YAC5C,OAAO,IAAI,CAAC,2BAA2B,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;QACrF,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,CAAC,yBAAyB,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;QACnF,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACI,WAAW,CAAC,SAAmB;QACpC,MAAM,mBAAmB,GAAG,IAAI,KAAK,EAAU,CAAC;QAChD,MAAM,kBAAkB,GAAG,IAAI,KAAK,EAAU,CAAC;QAC/C,MAAM,iBAAiB,GACrB,IAAI,CAAC,MAAM,CAAC,gBAAgB,IAAI,SAAS,CAAC,MAAM,CAAC,gBAAgB;YAC/D,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,gBAAgB,IAAI,SAAS,CAAC,MAAM,CAAC,gBAAgB;YACnE,CAAC,CAAC,IAAI,CAAC;QACX,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,OAAO,EAAE,GAAG,SAAS,CAAC,MAAM,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC,CAAC;QAC9G,KAAK,MAAM,IAAI,IAAI,MAAM,EAAE,CAAC;YAC1B,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBACnD,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAChC,CAAC;YACD,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBACxD,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,CAAC;QACH,CAAC;QACD,OAAO;YACL,UAAU,EAAE,kBAAkB,CAAC,MAAM,KAAK,CAAC,IAAI,iBAAiB;YAChE,kBAAkB;YAClB,mBAAmB;SACpB,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACI,eAAe,CAAC,OAAe;QACpC,MAAM,mBAAmB,GAAG,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QACvD,uFAAuF;QACvF,IAAI,CAAC,mBAAmB,EAAE,CAAC;YACzB,OAAO;gBACL,WAAW,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ;gBAClC,SAAS,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ;gBAChC,SAAS,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ;gBAChC,WAAW,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ;gBAClC,aAAa,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ;aACrC,CAAC;QACJ,CAAC;QACD,OAAO,mBAAmB,CAAC;IAC7B,CAAC;IAED;;;;OAIG;IACI,aAAa;QAClB,MAAM,eAAe,GAAG;YACtB,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,OAAO,CAAC;YACxD,MAAM,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC;SACvD,CAAC;QACF,MAAM,iBAAiB,GAAG;YACxB,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,OAAO,CAAC;YAC1D,MAAM,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,MAAM,CAAC;SACzD,CAAC;QACF,OAAO;YACL,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;YAC5B,WAAW,EAAE,EAAE,eAAe,EAAE,iBAAiB,EAAE;SACpD,CAAC;IACJ,CAAC;CACF;AAED,MAAM,UAAU,qBAAqB,CAAC,QAAgB,EAAE,MAAyB;IAC/E,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,WAAW,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IACrF,MAAM,eAAe,GAAG,iBAAiB,CACvC,WAAW,EAAE,eAAe,EAC5B,MAAM,CAAC,KAAK,CAAC,eAAe,EAC5B,WAAW,EAAE,sBAAsB,CACpC,CAAC;IACF,MAAM,iBAAiB,GAAG,iBAAiB,CACzC,WAAW,EAAE,iBAAiB,EAC9B,MAAM,CAAC,KAAK,CAAC,iBAAiB,EAC9B,WAAW,EAAE,sBAAsB,CACpC,CAAC;IACF,OAAO,IAAI,QAAQ,CAAC,QAAQ,EAAE,EAAE,eAAe,EAAE,iBAAiB,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAC;AACxG,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,QAA4B,EAAE,KAAiC;IACjG,MAAM,gBAAgB,GAAG,yBAAyB,CAAC,QAAQ,CAAC,CAAC;IAC7D,IAAI,CAAC,KAAK,IAAI,QAAQ,KAAK,kBAAkB,CAAC,OAAO,EAAE,CAAC;QACtD,OAAO,IAAI,QAAQ,CAAC,QAAQ,EAAE;YAC5B,eAAe,EAAE,EAAE,OAAO,EAAE,IAAI,GAAG,EAAU,EAAE,MAAM,EAAE,IAAI,GAAG,EAAU,EAAE;YAC1E,iBAAiB,EAAE,EAAE,OAAO,EAAE,IAAI,GAAG,EAAU,EAAE,MAAM,EAAE,IAAI,GAAG,EAAU,EAAE;YAC5E,gBAAgB;YAChB,YAAY,EAAE,EAAE;SACjB,CAAC,CAAC;IACL,CAAC;IACD,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IACrC,KAAK,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACxD,IAAI,gBAAgB,IAAI,4BAA4B,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;YAC7E,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC3B,CAAC;IACH,CAAC;IACD,OAAO,IAAI,QAAQ,CAAC,QAAQ,EAAE;QAC5B,eAAe,EAAE,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI,GAAG,EAAU,EAAE;QACnE,iBAAiB,EAAE,EAAE,OAAO,EAAE,IAAI,GAAG,EAAU,EAAE,MAAM,EAAE,IAAI,GAAG,EAAU,EAAE;QAC5E,gBAAgB;QAChB,YAAY,EAAE,EAAE;KACjB,CAAC,CAAC;AACL,CAAC;AAED,SAAS,cAAc,CAAC,KAAkB;IACxC,OAAO,IAAI,GAAG,CAAS,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;AACtF,CAAC;AAED,SAAS,yBAAyB,CAAC,KAAyB;IAC1D,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IACtE,OAAO,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,MAAM,GAAG,YAAY,CAAC;AAC/D,CAAC;AAED,SAAS,4BAA4B,CAAC,KAAa;IACjD,OAAO,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC;AACjH,CAAC;AAED,SAAS,WAAW,CAAC,QAAgB,EAAE,QAA0B;IAC/D,MAAM,UAAU,GAAG,QAAQ,CAAC,KAAK,EAAE,CAAC,QAAQ,CAAC,CAAC;IAC9C,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,QAAQ,CAAC,WAAW,CAAC,mCAAmC,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC9E,CAAC;IACD,MAAM,iBAAiB,GAAsC,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,IAAI,KAAK,EAAE,CAAC;IACpG,KAAK,MAAM,WAAW,IAAI,CAAC,aAAa,EAAE,cAAc,CAAU,EAAE,CAAC;QACnE,IAAI,CAAC;YACH,iBAAiB,CAAC,WAAW,CAAC,GAAG,iBAAiB,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC;QACrG,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,YAAY,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC;YACpE,MAAM,QAAQ,CAAC,WAAW,CAAC,uCAAuC,EAAE,CAAC,QAAQ,EAAE,WAAW,EAAE,YAAY,CAAC,CAAC,CAAC;QAC7G,CAAC;IACH,CAAC;IACD,OAAO,iBAA6C,CAAC;AACvD,CAAC;AAMD,SAAS,iBAAiB,CACxB,OAA0B,EAC1B,QAAiC;IAEjC,MAAM,aAAa,GAAG,EAAE,CAAC;IACzB,MAAM,kBAAkB,GAAG,QAAQ,IAAI,EAAE,CAAC;IAC1C,MAAM,iBAAiB,GAAsB,OAAO,IAAI,EAAE,CAAC;IAC3D,IAAI,KAAK,CAAC,OAAO,CAAC,iBAAiB,CAAC,EAAE,CAAC;QACrC,KAAK,MAAM,UAAU,IAAI,iBAAiB,EAAE,CAAC;YAC3C,MAAM,iBAAiB,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;YACzD,IAAI,iBAAiB,EAAE,CAAC;gBACtB,KAAK,CAAC,aAAa,EAAE,iBAAiB,CAAC,CAAC;YAC1C,CAAC;iBAAM,CAAC;gBACN,MAAM,IAAI,KAAK,CAAC,UAAU,CAAC,CAAC;YAC9B,CAAC;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,KAAK,CAAC,aAAa,EAAE,iBAAiB,CAAC,CAAC;IAC1C,CAAC;IACD,OAAO,aAAa,CAAC;AACvB,CAAC;AAED,SAAS,iBAAiB,CACxB,WAAsC,EACtC,mBAA+C,EAC/C,sBAAiC;IAEjC,MAAM,YAAY,GAAG,IAAI,GAAG,EAAU,CAAC;IACvC,IAAI,sBAAsB,IAAI,mBAAmB,EAAE,CAAC;QAClD,KAAK,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,mBAAmB,CAAC,EAAE,CAAC;YACtE,IAAI,sBAAsB,CAAC,QAAQ,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;gBAC5D,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAC7B,CAAC;QACH,CAAC;IACH,CAAC;IACD,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,IAAI,GAAG,EAAU,EAAE,CAAC;IAC9D,CAAC;IACD,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;QACxB,KAAK,MAAM,QAAQ,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;YAC3C,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IACD,IAAI,WAAW,CAAC,QAAQ,EAAE,CAAC;QACzB,KAAK,MAAM,QAAQ,IAAI,WAAW,CAAC,QAAQ,EAAE,CAAC;YAC5C,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IACD,IAAI,WAAW,CAAC,MAAM,EAAE,CAAC;QACvB,KAAK,MAAM,QAAQ,IAAI,WAAW,CAAC,MAAM,EAAE,CAAC;YAC1C,YAAY,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;IACD,OAAO;QACL,OAAO,EAAE,YAAY;QACrB,MAAM,EAAE,IAAI,GAAG,CAAS,WAAW,CAAC,MAAM,IAAI,EAAE,CAAC;KAClD,CAAC;AACJ,CAAC"}
|
|
@@ -1,4 +1,5 @@
|
|
|
1
1
|
import { Messages } from '@salesforce/core';
|
|
2
|
+
import RoleManager from './roles/roleManager.js';
|
|
2
3
|
Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
|
|
3
4
|
const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'policies.general');
|
|
4
5
|
/**
|
|
@@ -33,7 +34,12 @@ export default class RuleRegistry {
|
|
|
33
34
|
const resolveErrors = new Array();
|
|
34
35
|
Object.entries(ruleObjs).forEach(([ruleName, ruleConfig]) => {
|
|
35
36
|
if (this.availableRules[ruleName] && ruleConfig.enabled) {
|
|
36
|
-
enabledRules.push(new this.availableRules[ruleName]({
|
|
37
|
+
enabledRules.push(new this.availableRules[ruleName]({
|
|
38
|
+
auditConfig,
|
|
39
|
+
roles: new RoleManager({ controls: auditConfig.controls, shape: auditConfig.shape }),
|
|
40
|
+
ruleDisplayName: ruleName,
|
|
41
|
+
ruleConfig: ruleConfig.options,
|
|
42
|
+
}));
|
|
37
43
|
}
|
|
38
44
|
else if (ruleConfig.enabled === false) {
|
|
39
45
|
skippedRules.push({ name: ruleName, skipReason: messages.getMessage('skip-reason.rule-not-enabled') });
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ruleRegistry.js","sourceRoot":"","sources":["../../../../src/libs/audit-engine/registry/ruleRegistry.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;
|
|
1
|
+
{"version":3,"file":"ruleRegistry.js","sourceRoot":"","sources":["../../../../src/libs/audit-engine/registry/ruleRegistry.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAK5C,OAAO,WAAW,MAAM,wBAAwB,CAAC;AAEjD,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,kBAAkB,CAAC,CAAC;AAkBjG;;;;GAIG;AACH,MAAM,CAAC,OAAO,OAAO,YAAY;IACvB,cAAc,CAAC;IAEvB,YAAmB,KAAsB;QACvC,IAAI,CAAC,cAAc,GAAG,KAAK,IAAI,EAAE,CAAC;IACpC,CAAC;IAED;;;;OAIG;IACI,eAAe;QACpB,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IAC1C,CAAC;IAED;;;;;;;OAOG;IACI,YAAY,CAAC,QAA+B,EAAE,WAA2B;QAC9E,MAAM,YAAY,GAAG,IAAI,KAAK,EAA+B,CAAC;QAC9D,MAAM,YAAY,GAAG,IAAI,KAAK,EAAwB,CAAC;QACvD,MAAM,aAAa,GAAG,IAAI,KAAK,EAAsB,CAAC;QACtD,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE,UAAU,CAAC,EAAE,EAAE;YAC1D,IAAI,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,IAAI,UAAU,CAAC,OAAO,EAAE,CAAC;gBACxD,YAAY,CAAC,IAAI,CACf,IAAI,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;oBAChC,WAAW;oBACX,KAAK,EAAE,IAAI,WAAW,CAAC,EAAE,QAAQ,EAAE,WAAW,CAAC,QAAQ,EAAE,KAAK,EAAE,WAAW,CAAC,KAAK,EAAE,CAAC;oBACpF,eAAe,EAAE,QAAQ;oBACzB,UAAU,EAAE,UAAU,CAAC,OAAO;iBAC/B,CAAC,CACH,CAAC;YACJ,CAAC;iBAAM,IAAI,UAAU,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;gBACxC,YAAY,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,CAAC,UAAU,CAAC,8BAA8B,CAAC,EAAE,CAAC,CAAC;YACzG,CAAC;iBAAM,CAAC;gBACN,aAAa,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,mCAAmC,CAAC,EAAE,CAAC,CAAC;YAC5G,CAAC;QACH,CAAC,CAAC,CAAC;QACH,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,aAAa,EAAE,CAAC;IACvD,CAAC;CACF"}
|
|
@@ -2,7 +2,6 @@ import { PartialPolicyRuleResult, RuleAuditContext } from '../context.types.js';
|
|
|
2
2
|
import { ResolvedUser } from '../policies/users.js';
|
|
3
3
|
import PolicyRule, { RuleOptions } from './policyRule.js';
|
|
4
4
|
export default class EnforceObjectAccessOnUser extends PolicyRule<ResolvedUser> {
|
|
5
|
-
private readonly roleManager;
|
|
6
5
|
constructor(opts: RuleOptions);
|
|
7
6
|
run(context: RuleAuditContext<ResolvedUser>): Promise<PartialPolicyRuleResult>;
|
|
8
7
|
}
|
|
@@ -1,20 +1,14 @@
|
|
|
1
|
-
import RoleManager from '../roles/roleManager.js';
|
|
2
1
|
import PolicyRule from './policyRule.js';
|
|
3
2
|
export default class EnforceObjectAccessOnUser extends PolicyRule {
|
|
4
|
-
roleManager;
|
|
5
3
|
constructor(opts) {
|
|
6
4
|
super(opts);
|
|
7
|
-
this.roleManager = new RoleManager({
|
|
8
|
-
controls: opts.auditConfig.controls,
|
|
9
|
-
shape: opts.auditConfig.shape,
|
|
10
|
-
});
|
|
11
5
|
}
|
|
12
6
|
run(context) {
|
|
13
7
|
const result = this.initResult();
|
|
14
8
|
const users = context.resolvedEntities;
|
|
15
9
|
for (const user of Object.values(users)) {
|
|
16
10
|
const profileLikes = buildProfileLikes(user);
|
|
17
|
-
const { violations, warnings, errors } = this.
|
|
11
|
+
const { violations, warnings, errors } = this.opts.roles.scanObjectAccess(user.role, profileLikes, [
|
|
18
12
|
user.username,
|
|
19
13
|
]);
|
|
20
14
|
result.errors.push(...errors);
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"enforceObjectAccessOnUser.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforceObjectAccessOnUser.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"enforceObjectAccessOnUser.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforceObjectAccessOnUser.ts"],"names":[],"mappings":"AAGA,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,MAAM,CAAC,OAAO,OAAO,yBAA0B,SAAQ,UAAwB;IAC7E,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,GAAG,CAAC,OAAuC;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,KAAK,GAAG,OAAO,CAAC,gBAAgB,CAAC;QACvC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;YACxC,MAAM,YAAY,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;YAC7C,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,EAAE,YAAY,EAAE;gBACjG,IAAI,CAAC,QAAQ;aACd,CAAC,CAAC;YACH,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,CAAC;YAC9B,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;YAClC,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC;QACxC,CAAC;QACD,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF;AAED,SAAS,iBAAiB,CAAC,IAAkB;IAC3C,MAAM,YAAY,GAAkB,EAAE,CAAC;IACvC,YAAY,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,eAAe,EAAE,IAAI,EAAE,IAAI,CAAC,WAAW,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC;IAC/F,KAAK,MAAM,iBAAiB,IAAI,IAAI,CAAC,WAAW,IAAI,EAAE,EAAE,CAAC;QACvD,YAAY,CAAC,IAAI,CAAC;YAChB,QAAQ,EAAE,iBAAiB,CAAC,QAAQ;YACpC,IAAI,EAAE,iBAAiB,CAAC,uBAAuB;YAC/C,IAAI,EAAE,eAAe;SACtB,CAAC,CAAC;IACL,CAAC;IACD,OAAO,YAAY,CAAC;AACtB,CAAC"}
|
|
@@ -2,7 +2,6 @@ import { PartialPolicyRuleResult, RuleAuditContext } from '../context.types.js';
|
|
|
2
2
|
import { ResolvedUser } from '../policies/users.js';
|
|
3
3
|
import PolicyRule, { RuleOptions } from './policyRule.js';
|
|
4
4
|
export default class EnforcePermissionPresets extends PolicyRule<ResolvedUser> {
|
|
5
|
-
private readonly roleManager;
|
|
6
5
|
constructor(opts: RuleOptions);
|
|
7
6
|
run(context: RuleAuditContext<ResolvedUser>): Promise<PartialPolicyRuleResult>;
|
|
8
7
|
private resolveProfileRole;
|
|
@@ -1,18 +1,12 @@
|
|
|
1
1
|
import { Messages } from '@salesforce/core';
|
|
2
2
|
import { capitalize } from '../../../../utils.js';
|
|
3
|
-
import RoleManager from '../roles/roleManager.js';
|
|
4
3
|
import { UserPrivilegeLevel } from '../shape/schema.js';
|
|
5
4
|
import PolicyRule from './policyRule.js';
|
|
6
5
|
Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
|
|
7
6
|
const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.users');
|
|
8
7
|
export default class EnforcePermissionPresets extends PolicyRule {
|
|
9
|
-
roleManager;
|
|
10
8
|
constructor(opts) {
|
|
11
9
|
super(opts);
|
|
12
|
-
this.roleManager = new RoleManager({
|
|
13
|
-
controls: opts.auditConfig.controls,
|
|
14
|
-
shape: opts.auditConfig.shape,
|
|
15
|
-
});
|
|
16
10
|
}
|
|
17
11
|
run(context) {
|
|
18
12
|
const result = this.initResult();
|
|
@@ -43,14 +37,14 @@ export default class EnforcePermissionPresets extends PolicyRule {
|
|
|
43
37
|
message: messages.getMessage('violations.entity-unknown-but-used', [capitalize(entityType)]),
|
|
44
38
|
});
|
|
45
39
|
}
|
|
46
|
-
else if (!this.
|
|
40
|
+
else if (!this.opts.roles.isValidRole(entityPreset)) {
|
|
47
41
|
result.violations.push({
|
|
48
42
|
identifier: [user.username, entityIdentifier],
|
|
49
43
|
message: messages.getMessage('violations.invalid-entity-role', [capitalize(entityType), entityPreset]),
|
|
50
44
|
});
|
|
51
45
|
}
|
|
52
|
-
else if (this.
|
|
53
|
-
const compareResult = this.
|
|
46
|
+
else if (this.opts.roles.isValidRole(entityPreset) && this.opts.roles.isValidRole(user.role)) {
|
|
47
|
+
const compareResult = this.opts.roles.compare(user.role, entityPreset);
|
|
54
48
|
if (!compareResult.isSuperset) {
|
|
55
49
|
result.violations.push({
|
|
56
50
|
identifier: [user.username, entityIdentifier],
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"enforcePermissionPresets.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionPresets.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAElD,OAAO,
|
|
1
|
+
{"version":3,"file":"enforcePermissionPresets.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionPresets.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAElD,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,aAAa,CAAC,CAAC;AAE5F,MAAM,CAAC,OAAO,OAAO,wBAAyB,SAAQ,UAAwB;IAC5E,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,GAAG,CAAC,OAAuC;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,KAAK,GAAG,OAAO,CAAC,gBAAgB,CAAC;QACvC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;YACxC,MAAM,WAAW,GAAG,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC9D,IAAI,CAAC,sBAAsB,CAAC,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;YACpF,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;gBACrB,KAAK,MAAM,UAAU,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;oBAC1C,MAAM,WAAW,GAAG,IAAI,CAAC,wBAAwB,CAAC,UAAU,CAAC,uBAAuB,CAAC,CAAC;oBACtF,IAAI,CAAC,sBAAsB,CAAC,MAAM,EAAE,IAAI,EAAE,gBAAgB,EAAE,UAAU,CAAC,uBAAuB,EAAE,WAAW,CAAC,CAAC;gBAC/G,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;IAEO,kBAAkB,CAAC,WAAmB;QAC5C,OAAO,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,QAAQ,EAAE,CAAC,WAAW,CAAC,EAAE,IAAI,CAAC;IAClE,CAAC;IAEO,wBAAwB,CAAC,WAAmB;QAClD,OAAO,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,cAAc,EAAE,CAAC,WAAW,CAAC,EAAE,IAAI,CAAC;IACxE,CAAC;IAEO,sBAAsB,CAC5B,MAA+B,EAC/B,IAAkB,EAClB,UAAkB,EAClB,gBAAwB,EACxB,YAAqB;QAErB,IAAI,YAAY,EAAE,CAAC;YACjB,IAAI,YAAY,KAAK,kBAAkB,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC;gBAC3D,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;oBACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,CAAC;oBAC7C,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,oCAAoC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC;iBAC7F,CAAC,CAAC;YACL,CAAC;iBAAM,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,YAAY,CAAC,EAAE,CAAC;gBACtD,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;oBACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,CAAC;oBAC7C,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,gCAAgC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,YAAY,CAAC,CAAC;iBACvG,CAAC,CAAC;YACL,CAAC;iBAAM,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,YAAY,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC/F,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;gBACvE,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,CAAC;oBAC9B,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;wBACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,CAAC;wBAC7C,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,6CAA6C,EAAE;4BAC1E,IAAI,CAAC,IAAI;4BACT,UAAU;4BACV,YAAY;yBACb,CAAC;qBACH,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;gBACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,CAAC;gBAC7C,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,2CAA2C,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,UAAU,CAAC,CAAC;aAChH,CAAC,CAAC;QACL,CAAC;IACH,CAAC;CACF"}
|
|
@@ -2,7 +2,6 @@ import { PartialPolicyRuleResult, RuleAuditContext } from '../context.types.js';
|
|
|
2
2
|
import { ResolvedProfileLike } from '../roles/roleManager.types.js';
|
|
3
3
|
import PolicyRule, { RuleOptions } from './policyRule.js';
|
|
4
4
|
export default class EnforcePermissionsOnProfileLike extends PolicyRule<ResolvedProfileLike> {
|
|
5
|
-
private readonly roleManager;
|
|
6
5
|
constructor(opts: RuleOptions);
|
|
7
6
|
run(context: RuleAuditContext<ResolvedProfileLike>): Promise<PartialPolicyRuleResult>;
|
|
8
7
|
}
|
|
@@ -1,19 +1,13 @@
|
|
|
1
|
-
import RoleManager from '../roles/roleManager.js';
|
|
2
1
|
import PolicyRule from './policyRule.js';
|
|
3
2
|
export default class EnforcePermissionsOnProfileLike extends PolicyRule {
|
|
4
|
-
roleManager;
|
|
5
3
|
constructor(opts) {
|
|
6
4
|
super(opts);
|
|
7
|
-
this.roleManager = new RoleManager({
|
|
8
|
-
controls: opts.auditConfig.controls,
|
|
9
|
-
shape: opts.auditConfig.shape,
|
|
10
|
-
});
|
|
11
5
|
}
|
|
12
6
|
run(context) {
|
|
13
7
|
const result = this.initResult();
|
|
14
8
|
const resolvedProfiles = context.resolvedEntities;
|
|
15
9
|
for (const profile of Object.values(resolvedProfiles)) {
|
|
16
|
-
const { errors, violations, warnings } = this.
|
|
10
|
+
const { errors, violations, warnings } = this.opts.roles.scanPermissions(profile.role, profile);
|
|
17
11
|
result.errors.push(...errors);
|
|
18
12
|
result.warnings.push(...warnings);
|
|
19
13
|
result.violations.push(...violations);
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"enforcePermissionsOnProfileLike.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"enforcePermissionsOnProfileLike.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionsOnProfileLike.ts"],"names":[],"mappings":"AAEA,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,MAAM,CAAC,OAAO,OAAO,+BAAgC,SAAQ,UAA+B;IAC1F,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,GAAG,CAAC,OAA8C;QACvD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC;QAClD,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE,CAAC;YACtD,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAChG,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,CAAC;YAC9B,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;YAClC,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC;QACxC,CAAC;QACD,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF"}
|
|
@@ -2,7 +2,6 @@ import { PartialPolicyRuleResult, RuleAuditContext } from '../context.types.js';
|
|
|
2
2
|
import { ResolvedUser } from '../policies/users.js';
|
|
3
3
|
import PolicyRule, { RuleOptions } from './policyRule.js';
|
|
4
4
|
export default class EnforcePermissionsOnUser extends PolicyRule<ResolvedUser> {
|
|
5
|
-
private readonly roleManager;
|
|
6
5
|
constructor(opts: RuleOptions);
|
|
7
6
|
run(context: RuleAuditContext<ResolvedUser>): Promise<PartialPolicyRuleResult>;
|
|
8
7
|
}
|
|
@@ -1,20 +1,14 @@
|
|
|
1
|
-
import RoleManager from '../roles/roleManager.js';
|
|
2
1
|
import PolicyRule from './policyRule.js';
|
|
3
2
|
export default class EnforcePermissionsOnUser extends PolicyRule {
|
|
4
|
-
roleManager;
|
|
5
3
|
constructor(opts) {
|
|
6
4
|
super(opts);
|
|
7
|
-
this.roleManager = new RoleManager({
|
|
8
|
-
controls: opts.auditConfig.controls,
|
|
9
|
-
shape: opts.auditConfig.shape,
|
|
10
|
-
});
|
|
11
5
|
}
|
|
12
6
|
run(context) {
|
|
13
7
|
const result = this.initResult();
|
|
14
8
|
const users = context.resolvedEntities;
|
|
15
9
|
for (const user of Object.values(users)) {
|
|
16
10
|
const profileLikes = buildProfileLikes(user);
|
|
17
|
-
const { violations, warnings, errors } = this.
|
|
11
|
+
const { violations, warnings, errors } = this.opts.roles.scanPermissions(user.role, profileLikes, [
|
|
18
12
|
user.username,
|
|
19
13
|
]);
|
|
20
14
|
result.errors.push(...errors);
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"enforcePermissionsOnUser.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionsOnUser.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"enforcePermissionsOnUser.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/enforcePermissionsOnUser.ts"],"names":[],"mappings":"AAGA,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,MAAM,CAAC,OAAO,OAAO,wBAAyB,SAAQ,UAAwB;IAC5E,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,GAAG,CAAC,OAAuC;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,KAAK,GAAG,OAAO,CAAC,gBAAgB,CAAC;QACvC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;YACxC,MAAM,YAAY,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;YAC7C,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,EAAE,YAAY,EAAE;gBAChG,IAAI,CAAC,QAAQ;aACd,CAAC,CAAC;YACH,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,CAAC;YAC9B,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;YAClC,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC;QACxC,CAAC;QACD,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF;AAED,SAAS,iBAAiB,CAAC,IAAkB;IAC3C,MAAM,YAAY,GAAkB,EAAE,CAAC;IACvC,YAAY,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,eAAe,EAAE,IAAI,EAAE,IAAI,CAAC,WAAW,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC;IAC/F,KAAK,MAAM,iBAAiB,IAAI,IAAI,CAAC,WAAW,IAAI,EAAE,EAAE,CAAC;QACvD,YAAY,CAAC,IAAI,CAAC;YAChB,QAAQ,EAAE,iBAAiB,CAAC,QAAQ;YACpC,IAAI,EAAE,iBAAiB,CAAC,uBAAuB;YAC/C,IAAI,EAAE,eAAe;SACtB,CAAC,CAAC;IACL,CAAC;IACD,OAAO,YAAY,CAAC;AACtB,CAAC"}
|
|
@@ -1,8 +1,10 @@
|
|
|
1
1
|
import z from 'zod';
|
|
2
2
|
import { PartialPolicyRuleResult, RowLevelPolicyRule, RuleAuditContext } from '../context.types.js';
|
|
3
3
|
import { AuditRunConfig } from '../definitions.js';
|
|
4
|
+
import RoleManager from '../roles/roleManager.js';
|
|
4
5
|
export type RuleOptions = {
|
|
5
6
|
auditConfig: AuditRunConfig;
|
|
7
|
+
roles: RoleManager;
|
|
6
8
|
ruleDisplayName: string;
|
|
7
9
|
ruleConfig?: unknown;
|
|
8
10
|
};
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"policyRule.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/policyRule.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAI5C,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;
|
|
1
|
+
{"version":3,"file":"policyRule.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/policyRule.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAI5C,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAG9C,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAa7D,MAAM,CAAC,OAAO,OAAgB,UAAU;IAIT;IAHtB,WAAW,CAAiB;IAC5B,eAAe,CAAS;IAE/B,YAA6B,IAAiB;QAAjB,SAAI,GAAJ,IAAI,CAAa;QAC5C,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC;QACpC,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,eAAe,CAAC;IAC9C,CAAC;IAES,UAAU;QAClB,OAAO;YACL,QAAQ,EAAE,IAAI,CAAC,eAAe;YAC9B,UAAU,EAAE,IAAI,KAAK,EAAuB;YAC5C,eAAe,EAAE,IAAI,KAAK,EAA2B;YACrD,QAAQ,EAAE,IAAI,KAAK,EAAwB;YAC3C,MAAM,EAAE,IAAI,KAAK,EAAwB;SAC1C,CAAC;IACJ,CAAC;IAES,YAAY,CAAI,MAAoB,EAAE,UAAmB,EAAE,UAAkB;QACrF,MAAM,WAAW,GAAG,MAAM,CAAC,SAAS,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC;QACvD,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;YACxB,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC,aAAa;QACxC,CAAC;aAAM,CAAC;YACN,cAAc,CAAC,UAAU,EAAE,WAAW,CAAC,KAAK,EAAE,CAAC,OAAO,EAAE,IAAI,CAAC,eAAe,EAAE,SAAS,CAAC,CAAC,CAAC;QAC5F,CAAC;IACH,CAAC;CAGF"}
|
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
import { PartialPolicyRuleResult, RuleAuditContext } from '../context.types.js';
|
|
2
|
+
import { ObjectDefinition } from '../../../../salesforce/index.js';
|
|
3
|
+
import PolicyRule, { RuleOptions } from './policyRule.js';
|
|
4
|
+
export default class PrivateExternalAccessForAllObjects extends PolicyRule<ObjectDefinition> {
|
|
5
|
+
constructor(opts: RuleOptions);
|
|
6
|
+
run(context: RuleAuditContext<ObjectDefinition>): Promise<PartialPolicyRuleResult>;
|
|
7
|
+
}
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
import { Messages } from '@salesforce/core';
|
|
2
|
+
import PolicyRule from './policyRule.js';
|
|
3
|
+
Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
|
|
4
|
+
const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.objects');
|
|
5
|
+
const allowedSharingValues = ['Private', 'ControlledByParent'];
|
|
6
|
+
export default class PrivateExternalAccessForAllObjects extends PolicyRule {
|
|
7
|
+
constructor(opts) {
|
|
8
|
+
super(opts);
|
|
9
|
+
}
|
|
10
|
+
run(context) {
|
|
11
|
+
const result = this.initResult();
|
|
12
|
+
const ruleRelevantObjects = Object.values(context.resolvedEntities).filter((objectDef) => objectDef.type === 'SObject' &&
|
|
13
|
+
objectDef.label &&
|
|
14
|
+
(objectDef.isSharingControllable || (objectDef.isCustom && objectDef.sharingModel === 'Edit')));
|
|
15
|
+
// did not find a way to reliably determine the sobjects that are actually shareable/configurable
|
|
16
|
+
// even SF apparently does not know: View canvas shows 190 objects, edit canvas only 130.
|
|
17
|
+
// the idea is to first filter the objects that are actually configurable, then only iterate
|
|
18
|
+
// on the objects and evaluate the externalSharing prop.
|
|
19
|
+
const cleanedFalsePositives = ruleRelevantObjects.filter((objectDef) => objectDef.internalSharing !== 'Private');
|
|
20
|
+
for (const objectDef of cleanedFalsePositives) {
|
|
21
|
+
if (!allowedSharingValues.includes(objectDef.externalSharing)) {
|
|
22
|
+
result.violations.push({
|
|
23
|
+
identifier: [objectDef.developerName],
|
|
24
|
+
message: messages.getMessage('violation.external-sharing-model-not-private', [
|
|
25
|
+
objectDef.label,
|
|
26
|
+
objectDef.externalSharing,
|
|
27
|
+
]),
|
|
28
|
+
});
|
|
29
|
+
}
|
|
30
|
+
}
|
|
31
|
+
return Promise.resolve(result);
|
|
32
|
+
}
|
|
33
|
+
}
|
|
34
|
+
//# sourceMappingURL=privateExternalAccessForAllObjects.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"privateExternalAccessForAllObjects.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/rules/privateExternalAccessForAllObjects.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAG5C,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,eAAe,CAAC,CAAC;AAE9F,MAAM,oBAAoB,GAA+C,CAAC,SAAS,EAAE,oBAAoB,CAAU,CAAC;AAEpH,MAAM,CAAC,OAAO,OAAO,kCAAmC,SAAQ,UAA4B;IAC1F,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,GAAG,CAAC,OAA2C;QACpD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,mBAAmB,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,MAAM,CACxE,CAAC,SAAS,EAAE,EAAE,CACZ,SAAS,CAAC,IAAI,KAAK,SAAS;YAC5B,SAAS,CAAC,KAAK;YACf,CAAC,SAAS,CAAC,qBAAqB,IAAI,CAAC,SAAS,CAAC,QAAQ,IAAI,SAAS,CAAC,YAAY,KAAK,MAAM,CAAC,CAAC,CACjG,CAAC;QACF,iGAAiG;QACjG,yFAAyF;QACzF,4FAA4F;QAC5F,wDAAwD;QACxD,MAAM,qBAAqB,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,eAAe,KAAK,SAAS,CAAC,CAAC;QACjH,KAAK,MAAM,SAAS,IAAI,qBAAqB,EAAE,CAAC;YAC9C,IAAI,CAAC,oBAAoB,CAAC,QAAQ,CAAC,SAAS,CAAC,eAAe,CAAC,EAAE,CAAC;gBAC9D,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;oBACrB,UAAU,EAAE,CAAC,SAAS,CAAC,aAAa,CAAC;oBACrC,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,8CAA8C,EAAE;wBAC3E,SAAS,CAAC,KAAK;wBACf,SAAS,CAAC,eAAe;qBAC1B,CAAC;iBACH,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF"}
|
|
@@ -46,6 +46,15 @@ export declare const BaseAuditConfigShape: {
|
|
|
46
46
|
}, import("zod/v4/core").$strip>>;
|
|
47
47
|
}, import("zod/v4/core").$strip>>;
|
|
48
48
|
};
|
|
49
|
+
objectAccess: {
|
|
50
|
+
schema: import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
|
|
51
|
+
allowRead: import("zod").ZodOptional<import("zod").ZodBoolean>;
|
|
52
|
+
allowCreate: import("zod").ZodOptional<import("zod").ZodBoolean>;
|
|
53
|
+
allowEdit: import("zod").ZodOptional<import("zod").ZodBoolean>;
|
|
54
|
+
allowDelete: import("zod").ZodOptional<import("zod").ZodBoolean>;
|
|
55
|
+
viewAllFields: import("zod").ZodOptional<import("zod").ZodBoolean>;
|
|
56
|
+
}, import("zod/v4/core").$strip>>>;
|
|
57
|
+
};
|
|
49
58
|
};
|
|
50
59
|
};
|
|
51
60
|
shape: {
|
|
@@ -167,6 +176,18 @@ export declare const BaseAuditConfigShape: {
|
|
|
167
176
|
isCountable: boolean;
|
|
168
177
|
entities: string;
|
|
169
178
|
};
|
|
179
|
+
objects: {
|
|
180
|
+
schema: import("zod").ZodObject<{
|
|
181
|
+
enabled: import("zod").ZodDefault<import("zod").ZodBoolean>;
|
|
182
|
+
rules: import("zod").ZodDefault<import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodObject<{
|
|
183
|
+
enabled: import("zod").ZodDefault<import("zod").ZodBoolean>;
|
|
184
|
+
options: import("zod").ZodOptional<import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodUnknown>>;
|
|
185
|
+
}, import("zod/v4/core").$strip>>>;
|
|
186
|
+
options: import("zod").ZodOptional<import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodUnknown>>;
|
|
187
|
+
}, import("zod/v4/core").$strip>;
|
|
188
|
+
isCountable: boolean;
|
|
189
|
+
entities: string;
|
|
190
|
+
};
|
|
170
191
|
};
|
|
171
192
|
};
|
|
172
193
|
};
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import { ComposableRolesFileSchema, PermissionControlsFileSchema, PermissionsClassificationFileSchema, PermissionSetsClassificationFileSchema, PolicyFileSchema, ProfilesClassificationFileSchema, UserClassificationFileSchema, UserPolicyFileSchema, } from './schema.js';
|
|
1
|
+
import { ComposableRolesFileSchema, ObjectAccessControlFileSchema, PermissionControlsFileSchema, PermissionsClassificationFileSchema, PermissionSetsClassificationFileSchema, PolicyFileSchema, ProfilesClassificationFileSchema, UserClassificationFileSchema, UserPolicyFileSchema, } from './schema.js';
|
|
2
2
|
/**
|
|
3
3
|
* The shape defines the directory structure and schema files to
|
|
4
4
|
* parse YAML files. It is the foundation to derive the runtime type of
|
|
@@ -9,6 +9,7 @@ export const BaseAuditConfigShape = {
|
|
|
9
9
|
files: {
|
|
10
10
|
roles: { schema: ComposableRolesFileSchema },
|
|
11
11
|
permissions: { schema: PermissionControlsFileSchema },
|
|
12
|
+
objectAccess: { schema: ObjectAccessControlFileSchema },
|
|
12
13
|
},
|
|
13
14
|
},
|
|
14
15
|
shape: {
|
|
@@ -53,6 +54,11 @@ export const BaseAuditConfigShape = {
|
|
|
53
54
|
isCountable: true,
|
|
54
55
|
entities: 'rules',
|
|
55
56
|
},
|
|
57
|
+
objects: {
|
|
58
|
+
schema: PolicyFileSchema,
|
|
59
|
+
isCountable: true,
|
|
60
|
+
entities: 'rules',
|
|
61
|
+
},
|
|
56
62
|
},
|
|
57
63
|
},
|
|
58
64
|
};
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auditConfigShape.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/shape/auditConfigShape.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,yBAAyB,EACzB,4BAA4B,EAC5B,mCAAmC,EACnC,sCAAsC,EACtC,gBAAgB,EAChB,gCAAgC,EAChC,4BAA4B,EAC5B,oBAAoB,GACrB,MAAM,aAAa,CAAC;AAErB;;;;GAIG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG;IAClC,QAAQ,EAAE;QACR,KAAK,EAAE;YACL,KAAK,EAAE,EAAE,MAAM,EAAE,yBAAyB,EAAE;YAC5C,WAAW,EAAE,EAAE,MAAM,EAAE,4BAA4B,EAAE;
|
|
1
|
+
{"version":3,"file":"auditConfigShape.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/shape/auditConfigShape.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,yBAAyB,EACzB,6BAA6B,EAC7B,4BAA4B,EAC5B,mCAAmC,EACnC,sCAAsC,EACtC,gBAAgB,EAChB,gCAAgC,EAChC,4BAA4B,EAC5B,oBAAoB,GACrB,MAAM,aAAa,CAAC;AAErB;;;;GAIG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG;IAClC,QAAQ,EAAE;QACR,KAAK,EAAE;YACL,KAAK,EAAE,EAAE,MAAM,EAAE,yBAAyB,EAAE;YAC5C,WAAW,EAAE,EAAE,MAAM,EAAE,4BAA4B,EAAE;YACrD,YAAY,EAAE,EAAE,MAAM,EAAE,6BAA6B,EAAE;SACxD;KACF;IACD,KAAK,EAAE;QACL,KAAK,EAAE;YACL,eAAe,EAAE,EAAE,MAAM,EAAE,mCAAmC,EAAE,WAAW,EAAE,IAAI,EAAE;YACnF,iBAAiB,EAAE,EAAE,MAAM,EAAE,mCAAmC,EAAE,WAAW,EAAE,IAAI,EAAE;SACtF;KACF;IACD,SAAS,EAAE;QACT,KAAK,EAAE;YACL,QAAQ,EAAE,EAAE,MAAM,EAAE,gCAAgC,EAAE,WAAW,EAAE,IAAI,EAAE;YACzE,cAAc,EAAE,EAAE,MAAM,EAAE,sCAAsC,EAAE,WAAW,EAAE,IAAI,EAAE;YACrF,KAAK,EAAE,EAAE,MAAM,EAAE,4BAA4B,EAAE,WAAW,EAAE,IAAI,EAAE;SACnE;KACF;IACD,QAAQ,EAAE;QACR,KAAK,EAAE;YACL,QAAQ,EAAE;gBACR,MAAM,EAAE,gBAAgB;gBACxB,YAAY,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,OAAO,EAAE,iBAAiB,CAAC,EAAE,SAAS,EAAE,2CAA2C,EAAE,CAAC;gBAC9G,WAAW,EAAE,IAAI;gBACjB,QAAQ,EAAE,OAAO;aAClB;YACD,cAAc,EAAE;gBACd,MAAM,EAAE,gBAAgB;gBACxB,YAAY,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,OAAO,EAAE,iBAAiB,CAAC,EAAE,SAAS,EAAE,2CAA2C,EAAE,CAAC;gBAC9G,WAAW,EAAE,IAAI;gBACjB,QAAQ,EAAE,OAAO;aAClB;YACD,aAAa,EAAE;gBACb,MAAM,EAAE,gBAAgB;gBACxB,WAAW,EAAE,IAAI;gBACjB,QAAQ,EAAE,OAAO;aAClB;YACD,KAAK,EAAE;gBACL,MAAM,EAAE,oBAAoB;gBAC5B,WAAW,EAAE,IAAI;gBACjB,QAAQ,EAAE,OAAO;aAClB;YACD,QAAQ,EAAE;gBACR,MAAM,EAAE,gBAAgB;gBACxB,WAAW,EAAE,IAAI;gBACjB,QAAQ,EAAE,OAAO;aAClB;YACD,OAAO,EAAE;gBACP,MAAM,EAAE,gBAAgB;gBACxB,WAAW,EAAE,IAAI;gBACjB,QAAQ,EAAE,OAAO;aAClB;SACF;KACF;CACF,CAAC"}
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import { ExtractAuditConfigTypes, RefineError } from '../../file-manager/fileManager.types.js';
|
|
2
2
|
import { OrgDescribe } from '../../../../salesforce/index.js';
|
|
3
3
|
import { BaseAuditConfigShape } from './auditConfigShape.js';
|
|
4
|
-
import {
|
|
4
|
+
import { ResolvedRoleDefinition } from './schema.js';
|
|
5
5
|
export declare const validator: (parseResult: ExtractAuditConfigTypes<typeof BaseAuditConfigShape>) => RefineError[];
|
|
6
|
-
export declare function verifyRoleDefinitions(roles:
|
|
6
|
+
export declare function verifyRoleDefinitions(roles: Record<string, ResolvedRoleDefinition>, orgDescribe: OrgDescribe): Promise<RefineError[]>;
|