@j-schreiber/sf-cli-security-audit 0.3.0 → 0.4.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/lib/commands/org/audit/init.d.ts +1 -1
- package/lib/commands/org/audit/init.js +2 -2
- package/lib/commands/org/audit/init.js.map +1 -1
- package/lib/commands/org/audit/run.d.ts +1 -1
- package/lib/commands/org/audit/run.js +18 -6
- package/lib/commands/org/audit/run.js.map +1 -1
- package/lib/libs/{policies/initialisation → conf-init}/auditConfig.d.ts +1 -1
- package/lib/libs/{policies/initialisation → conf-init}/auditConfig.js +3 -5
- package/lib/libs/conf-init/auditConfig.js.map +1 -0
- package/lib/libs/{config → conf-init}/defaultPolicyClassification.d.ts +1 -1
- package/lib/libs/{config → conf-init}/defaultPolicyClassification.js +15 -15
- package/lib/libs/conf-init/defaultPolicyClassification.js.map +1 -0
- package/lib/libs/{policies/initialisation → conf-init}/permissionsClassification.d.ts +1 -2
- package/lib/libs/{policies/initialisation → conf-init}/permissionsClassification.js +5 -6
- package/lib/libs/conf-init/permissionsClassification.js.map +1 -0
- package/lib/libs/{policies/initialisation → conf-init}/policyConfigs.d.ts +1 -1
- package/lib/libs/{policies/initialisation → conf-init}/policyConfigs.js +8 -10
- package/lib/libs/conf-init/policyConfigs.js.map +1 -0
- package/lib/libs/core/classification-types.d.ts +20 -0
- package/lib/libs/core/classification-types.js +23 -0
- package/lib/libs/core/classification-types.js.map +1 -0
- package/lib/libs/{config/queries.js → core/constants.js} +1 -1
- package/lib/libs/core/constants.js.map +1 -0
- package/lib/libs/{config/audit-run → core/file-mgmt}/auditConfigFileManager.d.ts +19 -0
- package/lib/libs/{config/audit-run → core/file-mgmt}/auditConfigFileManager.js +23 -7
- package/lib/libs/core/file-mgmt/auditConfigFileManager.js.map +1 -0
- package/lib/libs/{config/audit-run → core/file-mgmt}/schema.d.ts +16 -15
- package/lib/libs/{config/audit-run → core/file-mgmt}/schema.js +5 -4
- package/lib/libs/core/file-mgmt/schema.js.map +1 -0
- package/lib/libs/core/mdapi/mdapiRetriever.d.ts +110 -0
- package/lib/libs/core/mdapi/mdapiRetriever.js +193 -0
- package/lib/libs/core/mdapi/mdapiRetriever.js.map +1 -0
- package/lib/libs/core/policy-types.d.ts +18 -0
- package/lib/libs/core/policy-types.js +28 -0
- package/lib/libs/core/policy-types.js.map +1 -0
- package/lib/libs/core/registries/connectedApps.d.ts +13 -0
- package/lib/libs/{config → core}/registries/connectedApps.js +2 -2
- package/lib/libs/core/registries/connectedApps.js.map +1 -0
- package/lib/libs/{config → core}/registries/permissionSets.d.ts +6 -0
- package/lib/libs/{config → core}/registries/permissionSets.js +1 -1
- package/lib/libs/core/registries/permissionSets.js.map +1 -0
- package/lib/libs/{config → core}/registries/profiles.d.ts +6 -0
- package/lib/libs/{config → core}/registries/profiles.js +2 -2
- package/lib/libs/core/registries/profiles.js.map +1 -0
- package/lib/libs/{config → core}/registries/ruleRegistry.d.ts +15 -5
- package/lib/libs/core/registries/ruleRegistry.js.map +1 -0
- package/lib/libs/core/registries/rules/allUsedAppsUnderManagement.d.ts +7 -0
- package/lib/libs/core/registries/rules/allUsedAppsUnderManagement.js.map +1 -0
- package/lib/libs/core/registries/rules/enforceCustomPermsClassificationOnProfiles.d.ts +7 -0
- package/lib/libs/{policies → core/registries}/rules/enforceCustomPermsClassificationOnProfiles.js +4 -3
- package/lib/libs/core/registries/rules/enforceCustomPermsClassificationOnProfiles.js.map +1 -0
- package/lib/libs/core/registries/rules/enforceUserPermsClassificationOnPermSets.d.ts +7 -0
- package/lib/libs/{policies → core/registries}/rules/enforceUserPermsClassificationOnPermSets.js +4 -3
- package/lib/libs/core/registries/rules/enforceUserPermsClassificationOnPermSets.js.map +1 -0
- package/lib/libs/core/registries/rules/enforceUserPermsClassificationOnProfiles.d.ts +7 -0
- package/lib/libs/{policies → core/registries}/rules/enforceUserPermsClassificationOnProfiles.js +4 -3
- package/lib/libs/core/registries/rules/enforceUserPermsClassificationOnProfiles.js.map +1 -0
- package/lib/libs/core/registries/rules/noUserCanSelfAuthorize.d.ts +7 -0
- package/lib/libs/core/registries/rules/noUserCanSelfAuthorize.js.map +1 -0
- package/lib/libs/{policies → core/registries}/rules/policyRule.d.ts +4 -4
- package/lib/libs/core/registries/rules/policyRule.js.map +1 -0
- package/lib/libs/{policies/interfaces/policyRuleInterfaces.d.ts → core/registries/types.d.ts} +14 -6
- package/lib/libs/core/registries/types.js +9 -0
- package/lib/libs/core/registries/types.js.map +1 -0
- package/lib/libs/{audit/types.d.ts → core/result-types.d.ts} +17 -0
- package/lib/libs/core/result-types.js +2 -0
- package/lib/libs/core/result-types.js.map +1 -0
- package/lib/libs/{utils.d.ts → core/utils.d.ts} +1 -1
- package/lib/libs/core/utils.js +13 -0
- package/lib/libs/core/utils.js.map +1 -0
- package/lib/libs/policies/auditRun.d.ts +22 -5
- package/lib/libs/policies/auditRun.js +46 -20
- package/lib/libs/policies/auditRun.js.map +1 -1
- package/lib/libs/policies/connectedAppPolicy.d.ts +3 -12
- package/lib/libs/policies/connectedAppPolicy.js +35 -14
- package/lib/libs/policies/connectedAppPolicy.js.map +1 -1
- package/lib/libs/policies/permissionSetPolicy.d.ts +4 -10
- package/lib/libs/policies/permissionSetPolicy.js +30 -18
- package/lib/libs/policies/permissionSetPolicy.js.map +1 -1
- package/lib/libs/policies/policy.d.ts +14 -7
- package/lib/libs/policies/policy.js +21 -3
- package/lib/libs/policies/policy.js.map +1 -1
- package/lib/libs/policies/profilePolicy.d.ts +4 -10
- package/lib/libs/policies/profilePolicy.js +18 -7
- package/lib/libs/policies/profilePolicy.js.map +1 -1
- package/lib/ux/auditRunMultiStage.d.ts +65 -0
- package/lib/ux/auditRunMultiStage.js +117 -0
- package/lib/ux/auditRunMultiStage.js.map +1 -0
- package/messages/org.audit.run.md +0 -4
- package/oclif.manifest.json +1 -1
- package/package.json +1 -1
- package/lib/libs/audit/types.js +0 -2
- package/lib/libs/audit/types.js.map +0 -1
- package/lib/libs/config/audit-run/auditConfigFileManager.js.map +0 -1
- package/lib/libs/config/audit-run/schema.js.map +0 -1
- package/lib/libs/config/defaultPolicyClassification.js.map +0 -1
- package/lib/libs/config/queries.js.map +0 -1
- package/lib/libs/config/registries/connectedApps.d.ts +0 -5
- package/lib/libs/config/registries/connectedApps.js.map +0 -1
- package/lib/libs/config/registries/permissionSets.js.map +0 -1
- package/lib/libs/config/registries/profiles.js.map +0 -1
- package/lib/libs/config/registries/ruleRegistry.js.map +0 -1
- package/lib/libs/config/registries/types.d.ts +0 -7
- package/lib/libs/config/registries/types.js +0 -2
- package/lib/libs/config/registries/types.js.map +0 -1
- package/lib/libs/mdapiRetriever.d.ts +0 -18
- package/lib/libs/mdapiRetriever.js +0 -60
- package/lib/libs/mdapiRetriever.js.map +0 -1
- package/lib/libs/policies/initialisation/auditConfig.js.map +0 -1
- package/lib/libs/policies/initialisation/permissionsClassification.js.map +0 -1
- package/lib/libs/policies/initialisation/policyConfigs.js.map +0 -1
- package/lib/libs/policies/interfaces/policyRuleInterfaces.js +0 -2
- package/lib/libs/policies/interfaces/policyRuleInterfaces.js.map +0 -1
- package/lib/libs/policies/rules/allUsedAppsUnderManagement.d.ts +0 -6
- package/lib/libs/policies/rules/allUsedAppsUnderManagement.js.map +0 -1
- package/lib/libs/policies/rules/enforceCustomPermsClassificationOnProfiles.d.ts +0 -6
- package/lib/libs/policies/rules/enforceCustomPermsClassificationOnProfiles.js.map +0 -1
- package/lib/libs/policies/rules/enforceUserPermsClassificationOnPermSets.d.ts +0 -6
- package/lib/libs/policies/rules/enforceUserPermsClassificationOnPermSets.js.map +0 -1
- package/lib/libs/policies/rules/enforceUserPermsClassificationOnProfiles.d.ts +0 -6
- package/lib/libs/policies/rules/enforceUserPermsClassificationOnProfiles.js.map +0 -1
- package/lib/libs/policies/rules/noUserCanSelfAuthorize.d.ts +0 -6
- package/lib/libs/policies/rules/noUserCanSelfAuthorize.js.map +0 -1
- package/lib/libs/policies/rules/policyRule.js.map +0 -1
- package/lib/libs/policies/types.d.ts +0 -36
- package/lib/libs/policies/types.js +0 -45
- package/lib/libs/policies/types.js.map +0 -1
- package/lib/libs/utils.js +0 -7
- package/lib/libs/utils.js.map +0 -1
- /package/lib/libs/{config/queries.d.ts → core/constants.d.ts} +0 -0
- /package/lib/libs/{config → core}/registries/ruleRegistry.js +0 -0
- /package/lib/libs/{policies → core/registries}/rules/allUsedAppsUnderManagement.js +0 -0
- /package/lib/libs/{policies → core/registries}/rules/noUserCanSelfAuthorize.js +0 -0
- /package/lib/libs/{policies → core/registries}/rules/policyRule.js +0 -0
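--- a/package/lib/libs/policies/rules/enforceUserPermsClassificationOnProfiles.js
+++ b/package/lib/libs/core/registries/rules/enforceUserPermsClassificationOnProfiles.js
@@ -1,6 +1,7 @@
 import { Messages } from '@salesforce/core';
 import { isNullish } from '../../utils.js';
-import {
+import { PermissionRiskLevel } from '../../classification-types.js';
+import { permissionAllowedInPreset } from '../../policy-types.js';
 import PolicyRule from './policyRule.js';
 const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.enforceClassificationPresets');
 export default class EnforceUserPermsClassificationOnProfiles extends PolicyRule {
@@ -16,7 +17,7 @@ export default class EnforceUserPermsClassificationOnProfiles extends PolicyRule
 const identifier = [profile.name, userPerm.name];
 const classifiedUserPerm = this.resolveUserPermission(userPerm.name);
 if (classifiedUserPerm) {
-if (classifiedUserPerm.classification ===
+if (classifiedUserPerm.classification === PermissionRiskLevel.BLOCKED) {
 result.violations.push({
 identifier,
 message: messages.getMessage('violations.permission-is-blocked'),
@@ -31,7 +32,7 @@ export default class EnforceUserPermsClassificationOnProfiles extends PolicyRule
 ]),
 });
 }
-else if (classifiedUserPerm.classification ===
+else if (classifiedUserPerm.classification === PermissionRiskLevel.UNKNOWN) {
 result.warnings.push({
 identifier,
 message: messages.getMessage('warnings.permission-unknown'),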
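Review bot: The classification chain in run() only shows a BLOCKED branch (new line 20) and an UNKNOWN branch (new line 35), and neither hunk ends with a final else, so a classification value outside PermissionRiskLevel — a typo in the classification file, say — would pass through with no violation and no warning unless the lines between the two hunks already catch it; run() itself begins and ends outside these hunks. For an audit rule that should fail closed, an unmatched value deserves at least a warning, e.g. `else { result.warnings.push({ identifier, message: messages.getMessage('warnings.permission-unknown') }); }` or a dedicated message key. The `permissionAllowedInPreset` import added on line 4 is not referenced in any visible line; presumably it drives the hidden middle branch, which is where this check would sit.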
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"enforceUserPermsClassificationOnProfiles.js","sourceRoot":"","sources":["../../../../../src/libs/core/registries/rules/enforceUserPermsClassificationOnProfiles.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAE3C,OAAO,EAAE,mBAAmB,EAAE,MAAM,+BAA+B,CAAC;AACpE,OAAO,EAAE,yBAAyB,EAAE,MAAM,uBAAuB,CAAC;AAClE,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,oCAAoC,CAAC,CAAC;AAEnH,MAAM,CAAC,OAAO,OAAO,wCAAyC,SAAQ,UAA2B;IAC/F,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,GAAG,CAAC,OAA0C;QACnD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC;QAClD,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;YAClD,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;gBACjD,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,EAAE;oBACpD,MAAM,UAAU,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC;oBACjD,MAAM,kBAAkB,GAAG,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;oBACrE,IAAI,kBAAkB,EAAE,CAAC;wBACvB,IAAI,kBAAkB,CAAC,cAAc,KAAK,mBAAmB,CAAC,OAAO,EAAE,CAAC;4BACtE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;gCACrB,UAAU;gCACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,kCAAkC,CAAC;6BACjE,CAAC,CAAC;wBACL,CAAC;6BAAM,IAAI,CAAC,yBAAyB,CAAC,kBAAkB,CAAC,cAAc,EAAE,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;4BACzF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;gCACrB,UAAU;gCACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,2CAA2C,EAAE;oCACxE,kBAAkB,CAAC,cAAc;oCACjC,OAAO,CAAC,MAAM;iCACf,CAAC;6BACH,CAAC,CAAC;wBACL,CAAC;6BAAM,IAAI,kBAAkB,CAAC,cAAc,KAAK,mBAAmB,CAAC,OAAO,EAAE,CAAC;4BAC7E,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;gCACnB,UAAU;gCACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,6BAA6B,CAAC;6BAC5D,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;yBAAM,CAAC;wBACN,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;4BACnB,UAAU;4BACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,+CAA+C,CAAC;yBAC9E,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;QACH,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF"}
|
|
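--- a/package/lib/libs/core/registries/rules/noUserCanSelfAuthorize.d.ts
+++ b/package/lib/libs/core/registries/rules/noUserCanSelfAuthorize.d.ts
@@ -0,0 +1,7 @@
+import { PartialPolicyRuleResult, RuleAuditContext } from '../types.js';
+import { ResolvedConnectedApp } from '../connectedApps.js';
+import PolicyRule, { RuleOptions } from './policyRule.js';
+export default class NoUserCanSelfAuthorize extends PolicyRule<ResolvedConnectedApp> {
+constructor(opts: RuleOptions);
+run(context: RuleAuditContext<ResolvedConnectedApp>): Promise<PartialPolicyRuleResult>;
+}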
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"noUserCanSelfAuthorize.js","sourceRoot":"","sources":["../../../../../src/libs/core/registries/rules/noUserCanSelfAuthorize.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAG5C,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,qBAAqB,CAAC,CAAC;AAEpG,MAAM,CAAC,OAAO,OAAO,sBAAuB,SAAQ,UAAgC;IAClF,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,GAAG,CAAC,OAA+C;QACxD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,qBAAqB,GAAG,OAAO,CAAC,gBAAgB,CAAC;QACvD,MAAM,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;YACnD,IAAI,CAAC,GAAG,CAAC,6BAA6B,EAAE,CAAC;gBACvC,IAAI,GAAG,CAAC,2BAA2B,EAAE,CAAC;oBACpC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;wBACnB,UAAU,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC;wBACtB,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,yDAAyD,CAAC;qBACxF,CAAC,CAAC;gBACL,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;wBACrB,UAAU,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC;wBACtB,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,qCAAqC,CAAC;qBACpE,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QACH,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF"}
|
|
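--- a/package/lib/libs/policies/rules/policyRule.d.ts
+++ b/package/lib/libs/core/registries/rules/policyRule.d.ts
@@ -1,16 +1,16 @@
-import { PartialPolicyRuleResult, RowLevelPolicyRule, RuleAuditContext } from '../
-import { AuditRunConfig, NamedPermissionsClassification } from '../../
+import { PartialPolicyRuleResult, RowLevelPolicyRule, RuleAuditContext } from '../types.js';
+import { AuditRunConfig, NamedPermissionsClassification } from '../../file-mgmt/schema.js';
 export type RuleOptions = {
 auditContext: AuditRunConfig;
 ruleDisplayName: string;
 ruleConfig?: unknown;
 };
-export default abstract class PolicyRule implements RowLevelPolicyRule {
+export default abstract class PolicyRule<EntityType> implements RowLevelPolicyRule<EntityType> {
 auditContext: AuditRunConfig;
 ruleDisplayName: string;
 constructor(opts: RuleOptions);
 protected initResult(): PartialPolicyRuleResult;
 protected resolveUserPermission(permName: string): NamedPermissionsClassification | undefined;
 protected resolveCustomPermission(permName: string): NamedPermissionsClassification | undefined;
-abstract run(context: RuleAuditContext): Promise<PartialPolicyRuleResult>;
+abstract run(context: RuleAuditContext<EntityType>): Promise<PartialPolicyRuleResult>;
 }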
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"policyRule.js","sourceRoot":"","sources":["../../../../../src/libs/core/registries/rules/policyRule.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAK5C,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAQ7D,MAAM,CAAC,OAAO,OAAgB,UAAU;IAC/B,YAAY,CAAiB;IAC7B,eAAe,CAAS;IAE/B,YAAmB,IAAiB;QAClC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC;QACtC,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,eAAe,CAAC;IAC9C,CAAC;IAES,UAAU;QAClB,OAAO;YACL,QAAQ,EAAE,IAAI,CAAC,eAAe;YAC9B,UAAU,EAAE,IAAI,KAAK,EAAuB;YAC5C,eAAe,EAAE,IAAI,KAAK,EAA2B;YACrD,QAAQ,EAAE,IAAI,KAAK,EAAwB;YAC3C,MAAM,EAAE,IAAI,KAAK,EAAwB;SAC1C,CAAC;IACJ,CAAC;IAES,qBAAqB,CAAC,QAAgB;QAC9C,OAAO,kBAAkB,CACvB,QAAQ,EACR,IAAI,CAAC,YAAY,CAAC,eAAe,CAAC,eAAe,EAAE,OAAO,CAAC,WAAW,CAAC,QAAQ,CAAC,CACjF,CAAC;IACJ,CAAC;IAES,uBAAuB,CAAC,QAAgB;QAChD,OAAO,kBAAkB,CACvB,QAAQ,EACR,IAAI,CAAC,YAAY,CAAC,eAAe,CAAC,iBAAiB,EAAE,OAAO,CAAC,WAAW,CAAC,QAAQ,CAAC,CACnF,CAAC;IACJ,CAAC;CAGF;AAED,SAAS,kBAAkB,CACzB,QAAgB,EAChB,IAAgC;IAEhC,OAAO,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;AACxD,CAAC"}
|
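--- a/package/lib/libs/policies/interfaces/policyRuleInterfaces.d.ts
+++ b/package/lib/libs/core/registries/types.d.ts
@@ -1,13 +1,21 @@
 import { Connection } from '@salesforce/core';
-import { AuditPolicyResult, PolicyRuleExecutionResult } from '
-import { Optional } from '
+import { AuditPolicyResult, PolicyRuleExecutionResult } from '../result-types.js';
+import { Optional } from '../utils.js';
+export declare const RuleRegistries: {
+ConnectedApps: import("./connectedApps.js").default;
+Profiles: import("./profiles.js").default;
+PermissionSets: import("./permissionSets.js").default;
+};
 /**
 * A rule must only implement a subset of the rule result. All optional
 * properties are completed by the policy.
 */
 export type PartialPolicyRuleResult = Optional<PolicyRuleExecutionResult, 'isCompliant' | 'compliantEntities' | 'violatedEntities'>;
-
-
+/**
+*
+*/
+export type RowLevelPolicyRule<ResolvedEntityType> = {
+run(context: RuleAuditContext<ResolvedEntityType>): Promise<PartialPolicyRuleResult>;
 };
 export type IPolicy = {
 run(context: AuditContext): Promise<AuditPolicyResult>;
@@ -18,10 +26,10 @@ export type AuditContext = {
 */
 targetOrgConnection: Connection;
 };
-export type RuleAuditContext = AuditContext & {
+export type RuleAuditContext<T> = AuditContext & {
 /**
 * Resolved entities from the policy. Can be permission sets,
 * profiles, users, connected apps, etc.
 */
-resolvedEntities: Record<string,
+resolvedEntities: Record<string, T>;
 };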
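Review bot: The JSDoc added above RowLevelPolicyRule (new lines 14-16) is empty, so it documents nothing; the same empty block is added above PolicyRuleSkipResult in result-types.d.ts (new lines 52-54). Since both files are compiler-emitted declarations, the text belongs in the .ts sources; for RowLevelPolicyRule something like `/** Contract for a rule that evaluates the entities a policy resolved (RuleAuditContext.resolvedEntities); ResolvedEntityType is the type of those entities. */` is supported by the signature on line 18 and the context type on lines 29-35. For PolicyRuleSkipResult, a one-liner naming it as the record produced when a configured rule is skipped (its skipReason field is visible in the following hunk) would do.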
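--- a/package/lib/libs/core/registries/types.js
+++ b/package/lib/libs/core/registries/types.js
@@ -0,0 +1,9 @@
+import { ConnectedAppsRegistry } from './connectedApps.js';
+import { PermissionSetsRegistry } from './permissionSets.js';
+import { ProfilesRegistry } from './profiles.js';
+export const RuleRegistries = {
+ConnectedApps: ConnectedAppsRegistry,
+Profiles: ProfilesRegistry,
+PermissionSets: PermissionSetsRegistry,
+};
+//# sourceMappingURL=types.js.map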
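Review bot: RuleRegistries (new lines 4-8) is exported as a plain mutable object although it is the default source of registries for policies (connectedAppPolicy.js, new line 8, `registry = RuleRegistries.ConnectedApps`), so any importer can replace a registry at runtime and thereby change which entities a policy audits. Freezing it in the .ts source, `export const RuleRegistries = Object.freeze({ ConnectedApps: ConnectedAppsRegistry, Profiles: ProfilesRegistry, PermissionSets: PermissionSetsRegistry });`, costs nothing. As a point of style, a module named types.js now also exports a runtime value and its declaration file has to declare it (types.d.ts, new lines 4-8); a registries index module would be the more obvious home.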
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../../src/libs/core/registries/types.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,qBAAqB,EAAE,MAAM,oBAAoB,CAAC;AAC3D,OAAO,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAC;AAC7D,OAAO,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AAEjD,MAAM,CAAC,MAAM,cAAc,GAAG;IAC5B,aAAa,EAAE,qBAAqB;IACpC,QAAQ,EAAE,gBAAgB;IAC1B,cAAc,EAAE,sBAAsB;CACvC,CAAC"}
|
|
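--- a/package/lib/libs/audit/types.d.ts
+++ b/package/lib/libs/core/result-types.d.ts
@@ -35,6 +35,9 @@ export type EntityResolveError = {
 */
 message: string;
 };
+/**
+* Generic message for a particular element of a rule
+*/
 export type RuleComponentMessage = {
 /**
 * Path to a component. This can be a developer name of a connected app,
@@ -46,6 +49,9 @@ export type RuleComponentMessage = {
 */
 message: string;
 };
+/**
+*
+*/
 export type PolicyRuleSkipResult = {
 /**
 * Identifier of the rule, as it is configured in the policy.yml.
@@ -56,6 +62,10 @@ export type PolicyRuleSkipResult = {
 */
 skipReason: string;
 };
+/**
+* Full execution summary of a single rule. Includes audited entities,
+* violations, execution errors, etc.
+*/
 export type PolicyRuleExecutionResult = {
 /**
 * Identifier of the rule, as it is configured in the policy.yml.
@@ -94,6 +104,10 @@ export type PolicyRuleExecutionResult = {
 */
 warnings: RuleComponentMessage[];
 };
+/**
+* Full execution result of a policy. Contains full results of each executed
+* rule and more information about skipped rules, audited entities, etc.
+*/
 export type AuditPolicyResult = {
 /**
 * Flag that indicates, if the policy was executed.
@@ -132,6 +146,9 @@ export type AuditPolicyResult = {
 */
 ignoredEntities: EntityResolveError[];
 };
+/**
+* The final audit result, contains all policy results.
+*/
 export type AuditResult = {
 /**
 * All executed policies were compliant.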
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"result-types.js","sourceRoot":"","sources":["../../../src/libs/core/result-types.ts"],"names":[],"mappings":""}
|
|
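--- a/package/lib/libs/utils.d.ts
+++ b/package/lib/libs/core/utils.d.ts
@@ -1,3 +1,3 @@
-export declare function isEmpty(
+export declare function isEmpty(anything?: unknown): boolean;
 export declare function isNullish(anything: unknown): boolean;
 export type Optional<T, K extends keyof T> = Pick<Partial<T>, K> & Omit<T, K>;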
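--- a/package/lib/libs/core/utils.js
+++ b/package/lib/libs/core/utils.js
@@ -0,0 +1,13 @@
+export function isEmpty(anything) {
+if (isNullish(anything)) {
+return true;
+}
+if (typeof anything === 'object') {
+return Object.entries(anything).length === 0;
+}
+return false;
+}
+export function isNullish(anything) {
+return !(Boolean(anything) && anything !== null);
+}
+//# sourceMappingURL=utils.js.map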
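Review bot: isNullish (new line 11) returns true for every falsy value — `isNullish(0)`, `isNullish('')` and `isNullish(false)` all yield true — which contradicts its name and its declared `(anything: unknown): boolean` contract, and because isEmpty delegates to it first (line 2), `isEmpty(0)` and `isEmpty(false)` are true as well. enforceUserPermsClassificationOnProfiles.js imports isNullish (its line 2), so any guard there that sees a legitimate false or zero value treats it as absent and skips whatever follows. If the falsy semantics are intended, rename the helper to isFalsy; otherwise restrict it to null and undefined and give isEmpty an explicit string case so that `isEmpty('')` keeps returning true, as below. Note also that Object.entries ignores Map and Set contents, so isEmpty reports a populated Map as empty — worth a comment or a `size` check if those types can reach it.
```javascript
export function isEmpty(anything) {
  if (isNullish(anything)) {
    return true;
  }
  if (typeof anything === 'string') {
    return anything.length === 0;
  }
  if (typeof anything === 'object') {
    return Object.entries(anything).length === 0;
  }
  return false;
}
export function isNullish(anything) {
  // Only null and undefined are nullish; `== null` matches exactly those two.
  return anything == null;
}
```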
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"utils.js","sourceRoot":"","sources":["../../../src/libs/core/utils.ts"],"names":[],"mappings":"AAAA,MAAM,UAAU,OAAO,CAAC,QAAkB;IACxC,IAAI,SAAS,CAAC,QAAQ,CAAC,EAAE,CAAC;QACxB,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACjC,OAAO,MAAM,CAAC,OAAO,CAAC,QAAS,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC;IAChD,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,QAAiB;IACzC,OAAO,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,QAAQ,KAAK,IAAI,CAAC,CAAC;AACnD,CAAC"}
|
|
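--- a/package/lib/libs/policies/auditRun.d.ts
+++ b/package/lib/libs/policies/auditRun.d.ts
@@ -1,19 +1,36 @@
+import EventEmitter from 'node:events';
 import { Connection } from '@salesforce/core';
-import { AuditResult } from '../
-import { AuditRunConfig } from '../
+import { AuditResult } from '../core/result-types.js';
+import { AuditRunConfig } from '../core/file-mgmt/schema.js';
+import Policy from './policy.js';
+type PolicyMap = Record<string, Policy>;
 export declare function startAuditRun(directoryPath: string): AuditRun;
+export type EntityResolveEvent = {
+total: number;
+resolved: number;
+policyName: string;
+};
 /**
 * Instance of an audit run that manages high-level operations
 */
-export default class AuditRun {
+export default class AuditRun extends EventEmitter {
 configs: AuditRunConfig;
+private executablePolicies?;
 constructor(configs: AuditRunConfig);
 /**
-*
-*
+* Loads all policies, resolves entities and caches the results.
+*
+* @param targetOrgConnection
+*/
+resolve(targetOrgConnection: Connection): Promise<PolicyMap>;
+/**
+* Executes an initialised audit run. Resolves policies entities
+* and executes all rules.
 *
 * @param targetOrgConnection
 * @returns
 */
 execute(targetCon: Connection): Promise<Omit<AuditResult, 'orgId'>>;
+private loadPolicies;
 }
+export {};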
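--- a/package/lib/libs/policies/auditRun.js
+++ b/package/lib/libs/policies/auditRun.js
@@ -1,35 +1,74 @@
+// import fs from 'node:fs';
+import EventEmitter from 'node:events';
+import { loadAuditConfig } from '../core/file-mgmt/auditConfigFileManager.js';
 import ProfilePolicy from './profilePolicy.js';
 import PermissionSetPolicy from './permissionSetPolicy.js';
 import ConnectedAppPolicy from './connectedAppPolicy.js';
-import AuditConfig from './initialisation/auditConfig.js';
 export function startAuditRun(directoryPath) {
-const conf =
+const conf = loadAuditConfig(directoryPath);
 return new AuditRun(conf);
 }
 /**
 * Instance of an audit run that manages high-level operations
 */
-export default class AuditRun {
+export default class AuditRun extends EventEmitter {
 configs;
+executablePolicies;
 constructor(configs) {
+super();
 this.configs = configs;
 }
 /**
-*
-*
+* Loads all policies, resolves entities and caches the results.
+*
+* @param targetOrgConnection
+*/
+async resolve(targetOrgConnection) {
+if (this.executablePolicies) {
+return this.executablePolicies;
+}
+this.executablePolicies = this.loadPolicies(this.configs);
+const resolveResultPromises = [];
+Object.values(this.executablePolicies).forEach((executable) => {
+resolveResultPromises.push(executable.resolve({ targetOrgConnection }));
+});
+await Promise.all(resolveResultPromises);
+return this.executablePolicies;
+}
+/**
+* Executes an initialised audit run. Resolves policies entities
+* and executes all rules.
 *
 * @param targetOrgConnection
 * @returns
 */
 async execute(targetCon) {
-
-const results = await runPolicies(executablePolicies, targetCon);
+this.executablePolicies = await this.resolve(targetCon);
+const results = await runPolicies(this.executablePolicies, targetCon);
 return {
 auditDate: new Date().toISOString(),
 isCompliant: isCompliant(results),
 policies: results,
 };
 }
+loadPolicies(config) {
+const pols = {};
+if (config.policies.Profiles) {
+pols.Profiles = new ProfilePolicy(config.policies.Profiles.content, config);
+}
+if (config.policies.PermissionSets) {
+pols.PermissionSets = new PermissionSetPolicy(config.policies.PermissionSets.content, config);
+}
+if (config.policies.ConnectedApps) {
+pols.ConnectedApps = new ConnectedAppPolicy(config.policies.ConnectedApps.content, config);
+}
+Object.entries(pols).forEach(([policyName, policy]) => {
+policy.addListener('entityresolve', (resolveStats) => {
+this.emit(`entityresolve-${policyName}`, { policyName, ...resolveStats });
+});
+});
+return pols;
+}
 }
 function isCompliant(results) {
 const list = Object.values(results);
@@ -50,17 +89,4 @@ async function runPolicies(policies, targetOrgConnection) {
 });
 return results;
 }
-function resolvePolicies(config) {
-const pols = {};
-if (config.policies.Profiles) {
-pols.Profiles = new ProfilePolicy(config.policies.Profiles.content, config);
-}
-if (config.policies.PermissionSets) {
-pols.PermissionSets = new PermissionSetPolicy(config.policies.PermissionSets.content, config);
-}
-if (config.policies.ConnectedApps) {
-pols.ConnectedApps = new ConnectedAppPolicy(config.policies.ConnectedApps.content, config);
-}
-return pols;
-}
 //# sourceMappingURL=auditRun.js.map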
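Review bot: resolve() (new lines 26-37) stores the freshly loaded policy map in this.executablePolicies before awaiting Promise.all, so the early return on line 27 hands a still-resolving or failed map to every later caller: if one policy's resolve rejects, the error surfaces once and each subsequent resolve() or execute() silently runs the rules against unresolved entities, which for an audit tool means a quiet false "compliant". Assign the cache only after resolution succeeds (below), building the promise list with map rather than forEach-push, and cache the in-flight promise instead if concurrent callers are expected. The JSDoc on execute() still says `@param targetOrgConnection` (line 42) for a parameter named targetCon (line 45, mirrored in auditRun.d.ts), `@returns` on line 43 is blank, and the commented-out `// import fs from 'node:fs';` on line 1 should be deleted rather than shipped. With resolve() owning the cache, the re-assignment `this.executablePolicies = await this.resolve(targetCon);` on line 46 becomes redundant; `const policies = await this.resolve(targetCon);` is enough. runPolicies() in the second hunk starts outside the hunk.
```javascript
async resolve(targetOrgConnection) {
  if (this.executablePolicies) {
    return this.executablePolicies;
  }
  const pols = this.loadPolicies(this.configs);
  // Resolve all policies in parallel and cache only once every one of them
  // succeeded, so a rejected resolution is never served from the cache.
  await Promise.all(Object.values(pols).map((executable) => executable.resolve({ targetOrgConnection })));
  this.executablePolicies = pols;
  return pols;
}
// … unchanged: execute(), loadPolicies() …
```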
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auditRun.js","sourceRoot":"","sources":["../../../src/libs/policies/auditRun.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"auditRun.js","sourceRoot":"","sources":["../../../src/libs/policies/auditRun.ts"],"names":[],"mappings":"AAAA,4BAA4B;AAC5B,OAAO,YAAY,MAAM,aAAa,CAAC;AAIvC,OAAO,EAAE,eAAe,EAAE,MAAM,6CAA6C,CAAC;AAC9E,OAAO,aAAa,MAAM,oBAAoB,CAAC;AAE/C,OAAO,mBAAmB,MAAM,0BAA0B,CAAC;AAC3D,OAAO,kBAAkB,MAAM,yBAAyB,CAAC;AAKzD,MAAM,UAAU,aAAa,CAAC,aAAqB;IACjD,MAAM,IAAI,GAAG,eAAe,CAAC,aAAa,CAAC,CAAC;IAC5C,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC;AAC5B,CAAC;AAQD;;GAEG;AACH,MAAM,CAAC,OAAO,OAAO,QAAS,SAAQ,YAAY;IAGtB;IAFlB,kBAAkB,CAAa;IAEvC,YAA0B,OAAuB;QAC/C,KAAK,EAAE,CAAC;QADgB,YAAO,GAAP,OAAO,CAAgB;IAEjD,CAAC;IAED;;;;OAIG;IACI,KAAK,CAAC,OAAO,CAAC,mBAA+B;QAClD,IAAI,IAAI,CAAC,kBAAkB,EAAE,CAAC;YAC5B,OAAO,IAAI,CAAC,kBAAkB,CAAC;QACjC,CAAC;QACD,IAAI,CAAC,kBAAkB,GAAG,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC1D,MAAM,qBAAqB,GAAwC,EAAE,CAAC;QACtE,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,OAAO,CAAC,CAAC,UAAU,EAAE,EAAE;YAC5D,qBAAqB,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,mBAAmB,EAAE,CAAC,CAAC,CAAC;QAC1E,CAAC,CAAC,CAAC;QACH,MAAM,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;QACzC,OAAO,IAAI,CAAC,kBAAkB,CAAC;IACjC,CAAC;IAED;;;;;;OAMG;IACI,KAAK,CAAC,OAAO,CAAC,SAAqB;QACxC,IAAI,CAAC,kBAAkB,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACxD,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,kBAAkB,EAAE,SAAS,CAAC,CAAC;QACtE,OAAO;YACL,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,WAAW,EAAE,WAAW,CAAC,OAAO,CAAC;YACjC,QAAQ,EAAE,OAAO;SAClB,CAAC;IACJ,CAAC;IAEO,YAAY,CAAC,MAAsB;QACzC,MAAM,IAAI,GAAc,EAAE,CAAC;QAC3B,IAAI,MAAM,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;YAC7B,IAAI,CAAC,QAAQ,GAAG,IAAI,aAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC9E,CAAC;QACD,IAAI,MAAM,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;YACnC,IAAI,CAAC,cAAc,GAAG,IAAI,mBAAmB,CAAC,MAAM,CAAC,QAAQ,CAAC,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAChG,CAAC;QACD,IAAI,MAAM,CAAC,QAAQ,CAAC,aAAa,EAAE,CAAC;YAClC,IAAI,CAAC,aAAa,GAAG,IAAI,kBAAkB,CAAC,MAAM,CAAC,QAAQ,CAAC,aAAa,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC7F,CAAC;QACD,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,U
AAU,EAAE,MAAM,CAAC,EAAE,EAAE;YACpD,MAAM,CAAC,WAAW,CAAC,eAAe,EAAE,CAAC,YAAoD,EAAE,EAAE;gBAC3F,IAAI,CAAC,IAAI,CAAC,iBAAiB,UAAU,EAAE,EAAE,EAAE,UAAU,EAAE,GAAG,YAAY,EAAE,CAAC,CAAC;YAC5E,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAED,SAAS,WAAW,CAAC,OAAmB;IACtC,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACpC,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,UAAU,EAAE,EAAE,CAAC,OAAO,IAAI,UAAU,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;AACtG,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,QAAmB,EAAE,mBAA+B;IAC7E,MAAM,YAAY,GAAsC,EAAE,CAAC;IAC3D,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,EAAE,UAAU,CAAC,EAAE,EAAE;QAC3D,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC7B,YAAY,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,mBAAmB,EAAE,CAAC,CAAC,CAAC;IAC7D,CAAC,CAAC,CAAC;IACH,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IACpD,MAAM,OAAO,GAAe,EAAE,CAAC;IAC/B,WAAW,CAAC,OAAO,CAAC,CAAC,YAAY,EAAE,EAAE;QACnC,MAAM,SAAS,GAAG,YAAY,CAAC,WAAW,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC;QAClE,OAAO,CAAC,SAAS,CAAC,GAAG,YAAY,CAAC;IACpC,CAAC,CAAC,CAAC;IACH,OAAO,OAAO,CAAC;AACjB,CAAC"}
|
|
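--- a/package/lib/libs/policies/connectedAppPolicy.d.ts
+++ b/package/lib/libs/policies/connectedAppPolicy.d.ts
@@ -1,18 +1,9 @@
-import
-import {
-import { AuditContext } from './interfaces/policyRuleInterfaces.js';
+import { AuditRunConfig, BasePolicyFileContent } from '../core/file-mgmt/schema.js';
+import { AuditContext } from '../core/registries/types.js';
 import Policy, { ResolveEntityResult } from './policy.js';
-export type ResolvedConnectedApp = {
-name: string;
-origin: 'Installed' | 'OauthToken' | 'Owned';
-onlyAdminApprovedUsersAllowed: boolean;
-overrideByApiSecurityAccess: boolean;
-useCount: number;
-users: string[];
-};
 export default class ConnectedAppPolicy extends Policy {
 config: BasePolicyFileContent;
 auditConfig: AuditRunConfig;
-constructor(config: BasePolicyFileContent, auditConfig: AuditRunConfig, registry?:
+constructor(config: BasePolicyFileContent, auditConfig: AuditRunConfig, registry?: import("../core/registries/connectedApps.js").default);
 protected resolveEntities(context: AuditContext): Promise<ResolveEntityResult>;
 }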
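--- a/package/lib/libs/policies/connectedAppPolicy.js
+++ b/package/lib/libs/policies/connectedAppPolicy.js
@@ -1,11 +1,11 @@
-import
-import {
-import
-import Policy from './policy.js';
+import { CONNECTED_APPS_QUERY, OAUTH_TOKEN_QUERY } from '../core/constants.js';
+import { RuleRegistries } from '../core/registries/types.js';
+import MDAPI from '../core/mdapi/mdapiRetriever.js';
+import Policy, { getTotal } from './policy.js';
 export default class ConnectedAppPolicy extends Policy {
 config;
 auditConfig;
-constructor(config, auditConfig, registry =
+constructor(config, auditConfig, registry = RuleRegistries.ConnectedApps) {
 super(config, auditConfig, registry);
 this.config = config;
 this.auditConfig = auditConfig;
@@ -14,19 +14,22 @@ export default class ConnectedAppPolicy extends Policy {
 async resolveEntities(context) {
 const successfullyResolved = {};
 const ignoredEntities = {};
-const metadataApi = new
-
-
-
-
-}
+const metadataApi = new MDAPI(context.targetOrgConnection);
+this.emit('entityresolve', {
+total: 0,
+resolved: 0,
+});
 const installedApps = await context.targetOrgConnection.query(CONNECTED_APPS_QUERY);
+this.emit('entityresolve', {
+total: installedApps.totalSize,
+resolved: 0,
+});
 installedApps.records.forEach((installedApp) => {
 successfullyResolved[installedApp.Name] = {
 name: installedApp.Name,
 origin: 'Installed',
 onlyAdminApprovedUsersAllowed: installedApp.OptionsAllowAdminApprovedUsersOnly,
-overrideByApiSecurityAccess,
+overrideByApiSecurityAccess: false,
 useCount: 0,
 users: [],
 };
@@ -38,7 +41,7 @@ export default class ConnectedAppPolicy extends Policy {
 name: token.AppName,
 origin: 'OauthToken',
 onlyAdminApprovedUsersAllowed: false,
-overrideByApiSecurityAccess,
+overrideByApiSecurityAccess: false,
 useCount: token.UseCount,
 users: [token.User.Username],
 };
@@ -50,8 +53,26 @@ export default class ConnectedAppPolicy extends Policy {
 }
 }
 });
+this.emit('entityresolve', {
+total: Object.keys(successfullyResolved).length,
+resolved: 0,
+});
+let overrideByApiSecurityAccess = false;
+const apiSecurityAccessSetting = await metadataApi.resolveSingleton('ConnectedAppSettings');
+if (apiSecurityAccessSetting && apiSecurityAccessSetting.enableAdminApprovedAppsOnly) {
+overrideByApiSecurityAccess = true;
+}
+Object.values(successfullyResolved).forEach((conApp) => {
+// eslint-disable-next-line no-param-reassign
+conApp.overrideByApiSecurityAccess = overrideByApiSecurityAccess;
+});
+const result = { resolvedEntities: successfullyResolved, ignoredEntities: Object.values(ignoredEntities) };
+this.emit('entityresolve', {
+total: getTotal(result),
+resolved: getTotal(result),
+});
 // also query from tooling, to get additional information info
-return
+return result;
 }
 }
 //# sourceMappingURL=connectedAppPolicy.js.map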
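Review bot: In hunk `@@ -50,8 +53,26 @@`, `overrideByApiSecurityAccess` stays `false` whenever `metadataApi.resolveSingleton('ConnectedAppSettings')` yields nothing, so an org whose settings could not be retrieved is reported exactly like one where admin-approved-apps-only is switched off — for an audit that is a silent false negative. If `resolveSingleton` returns `undefined` on a failed retrieve rather than throwing (its contract is not visible here), the missing-settings case should be told apart from a genuine `false`, for example by throwing or by recording it in `ignoredEntities`, instead of defaulting the flag. A smaller style point in the same hunk: the setting is read only after every record has been built with `overrideByApiSecurityAccess: false` and is then patched back in by a `forEach` that needs a `no-param-reassign` exemption; resolving the singleton once before the `installedApps` loop lets the value go straight into the object literals and drops both the second pass and the exemption.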
@@ -1 +1 @@
1
-
{"version":3,"file":"connectedAppPolicy.js","sourceRoot":"","sources":["../../../src/libs/policies/connectedAppPolicy.ts"],"names":[],"mappings":"
1
+
{"version":3,"file":"connectedAppPolicy.js","sourceRoot":"","sources":["../../../src/libs/policies/connectedAppPolicy.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AAC/E,OAAO,EAAgB,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAE3E,OAAO,KAAK,MAAM,iCAAiC,CAAC;AACpD,OAAO,MAAM,EAAE,EAAE,QAAQ,EAAuB,MAAM,aAAa,CAAC;AAGpE,MAAM,CAAC,OAAO,OAAO,kBAAmB,SAAQ,MAAM;IAE3C;IACA;IAFT,YACS,MAA6B,EAC7B,WAA2B,EAClC,QAAQ,GAAG,cAAc,CAAC,aAAa;QAEvC,KAAK,CAAC,MAAM,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;QAJ9B,WAAM,GAAN,MAAM,CAAuB;QAC7B,gBAAW,GAAX,WAAW,CAAgB;IAIpC,CAAC;IAED,kDAAkD;IACxC,KAAK,CAAC,eAAe,CAAC,OAAqB;QACnD,MAAM,oBAAoB,GAAyC,EAAE,CAAC;QACtE,MAAM,eAAe,GAAuC,EAAE,CAAC;QAC/D,MAAM,WAAW,GAAG,IAAI,KAAK,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;QAC3D,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;YACzB,KAAK,EAAE,CAAC;YACR,QAAQ,EAAE,CAAC;SACZ,CAAC,CAAC;QACH,MAAM,aAAa,GAAG,MAAM,OAAO,CAAC,mBAAmB,CAAC,KAAK,CAAe,oBAAoB,CAAC,CAAC;QAClG,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;YACzB,KAAK,EAAE,aAAa,CAAC,SAAS;YAC9B,QAAQ,EAAE,CAAC;SACZ,CAAC,CAAC;QACH,aAAa,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,YAAY,EAAE,EAAE;YAC7C,oBAAoB,CAAC,YAAY,CAAC,IAAI,CAAC,GAAG;gBACxC,IAAI,EAAE,YAAY,CAAC,IAAI;gBACvB,MAAM,EAAE,WAAW;gBACnB,6BAA6B,EAAE,YAAY,CAAC,kCAAkC;gBAC9E,2BAA2B,EAAE,KAAK;gBAClC,QAAQ,EAAE,CAAC;gBACX,KAAK,EAAE,EAAE;aACV,CAAC;QACJ,CAAC,CAAC,CAAC;QACH,MAAM,eAAe,GAAG,MAAM,OAAO,CAAC,mBAAmB,CAAC,KAAK,CAAa,iBAAiB,CAAC,CAAC;QAC/F,eAAe,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE;YACxC,IAAI,oBAAoB,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,SAAS,EAAE,CAAC;gBACtD,oBAAoB,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG;oBACpC,IAAI,EAAE,KAAK,CAAC,OAAO;oBACnB,MAAM,EAAE,YAAY;oBACpB,6BAA6B,EAAE,KAAK;oBACpC,2BAA2B,EAAE,KAAK;oBAClC,QAAQ,EAAE,KAAK,CAAC,QAAQ;oBACxB,KAAK,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC;iBAC7B,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,oBAAoB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,QAAQ,IAAI,KAAK,CAAC,QAAQ,CAAC;gBAC/D,IAAI,CAAC,oBAAoB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAC7E,oBAAoB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,
CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBACtE,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QACH,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;YACzB,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,MAAM;YAC/C,QAAQ,EAAE,CAAC;SACZ,CAAC,CAAC;QACH,IAAI,2BAA2B,GAAG,KAAK,CAAC;QACxC,MAAM,wBAAwB,GAAG,MAAM,WAAW,CAAC,gBAAgB,CAAC,sBAAsB,CAAC,CAAC;QAC5F,IAAI,wBAAwB,IAAI,wBAAwB,CAAC,2BAA2B,EAAE,CAAC;YACrF,2BAA2B,GAAG,IAAI,CAAC;QACrC,CAAC;QACD,MAAM,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,EAAE;YACrD,6CAA6C;YAC7C,MAAM,CAAC,2BAA2B,GAAG,2BAA2B,CAAC;QACnE,CAAC,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,CAAC,MAAM,CAAC,eAAe,CAAC,EAAE,CAAC;QAC3G,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;YACzB,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC;YACvB,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC;SAC3B,CAAC,CAAC;QACH,8DAA8D;QAC9D,OAAO,MAAM,CAAC;IAChB,CAAC;CACF"}
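--- a/package/lib/libs/policies/permissionSetPolicy.d.ts
+++ b/package/lib/libs/policies/permissionSetPolicy.d.ts
@@ -1,16 +1,10 @@
-import {
-import {
-import RuleRegistry from '../config/registries/ruleRegistry.js';
-import { AuditContext } from './interfaces/policyRuleInterfaces.js';
+import { AuditRunConfig, PermSetsPolicyFileContent } from '../core/file-mgmt/schema.js';
+import { AuditContext } from '../core/registries/types.js';
 import Policy, { ResolveEntityResult } from './policy.js';
-export type ResolvedPermissionSet = {
-name: string;
-preset: string;
-metadata: PermissionSet;
-};
 export default class PermissionSetPolicy extends Policy {
 config: PermSetsPolicyFileContent;
 auditContext: AuditRunConfig;
-
+private totalEntities;
+constructor(config: PermSetsPolicyFileContent, auditContext: AuditRunConfig, registry?: import("../core/registries/permissionSets.js").default);
 protected resolveEntities(context: AuditContext): Promise<ResolveEntityResult>;
 }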
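--- a/package/lib/libs/policies/permissionSetPolicy.js
+++ b/package/lib/libs/policies/permissionSetPolicy.js
@@ -1,33 +1,40 @@
 import { Messages } from '@salesforce/core';
-import
-import
-import
-import {
+import MDAPI from '../core/mdapi/mdapiRetriever.js';
+import { RuleRegistries } from '../core/registries/types.js';
+import { ProfilesRiskPreset } from '../core/policy-types.js';
+import Policy, { getTotal } from './policy.js';
 Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
 const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'policies.general');
 export default class PermissionSetPolicy extends Policy {
 config;
 auditContext;
-
+totalEntities;
+constructor(config, auditContext, registry = RuleRegistries.PermissionSets) {
 super(config, auditContext, registry);
 this.config = config;
 this.auditContext = auditContext;
+this.totalEntities = this.config.permissionSets ? Object.keys(this.config.permissionSets).length : 0;
 }
 async resolveEntities(context) {
+this.emit('entityresolve', {
+total: this.totalEntities,
+resolved: 0,
+});
 const successfullyResolved = {};
 const unresolved = {};
-const retriever = new
-const resolvedPermsets = await retriever.
-Object.entries(resolvedPermsets).forEach(([permsetName, resolvedPermset]) => {
-successfullyResolved[permsetName] = {
-metadata: resolvedPermset,
-preset: this.config.permissionSets[permsetName].preset,
-name: permsetName,
-};
-});
+const retriever = new MDAPI(context.targetOrgConnection);
+const resolvedPermsets = await retriever.resolve('PermissionSet', filterCategorizedPermsets(this.config.permissionSets));
 Object.entries(this.config.permissionSets).forEach(([key, val]) => {
-
-
+const resolved = resolvedPermsets[key];
+if (resolved) {
+successfullyResolved[key] = {
+metadata: resolved,
+preset: this.config.permissionSets[key].preset,
+name: key,
+};
+}
+else if (successfullyResolved[key] === undefined) {
+if (val.preset === ProfilesRiskPreset.UNKNOWN) {
 unresolved[key] = { name: key, message: messages.getMessage('preset-unknown', ['Permission Set']) };
 }
 else {
@@ -35,13 +42,18 @@ export default class PermissionSetPolicy extends Policy {
 }
 }
 });
-
+const result = { resolvedEntities: successfullyResolved, ignoredEntities: Object.values(unresolved) };
+this.emit('entityresolve', {
+total: this.totalEntities,
+resolved: getTotal(result),
+});
+return result;
 }
 }
 function filterCategorizedPermsets(permSets) {
 const filteredNames = [];
 Object.entries(permSets).forEach(([key, val]) => {
-if (val.preset !==
+if (val.preset !== ProfilesRiskPreset.UNKNOWN) {
 filteredNames.push(key);
 }
 });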
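Review bot: `resolveEntities` still dereferences `this.config.permissionSets` unguarded in hunk `@@ -1,33 +1,40 @@` (`filterCategorizedPermsets(this.config.permissionSets)` and `Object.entries(this.config.permissionSets)`), while the new constructor line `this.totalEntities = this.config.permissionSets ? Object.keys(this.config.permissionSets).length : 0;` treats a missing `permissionSets` as a valid, empty configuration — for such a config construction succeeds and the first resolve then throws a TypeError from `Object.entries(undefined)`. Either the constructor should reject the missing key, or the method should apply the same default, e.g. `const permSets = this.config.permissionSets ?? {};` and pass `permSets` to both calls. A point of style in the same hunk: `else if (successfullyResolved[key] === undefined)` looks always true, since each key is visited once and `successfullyResolved[key]` is only assigned in the `if (resolved)` branch for that same key, so a plain `else` would state the intent more directly.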
@@ -1 +1 @@
1
-
{"version":3,"file":"permissionSetPolicy.js","sourceRoot":"","sources":["../../../src/libs/policies/permissionSetPolicy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;
1
+
{"version":3,"file":"permissionSetPolicy.js","sourceRoot":"","sources":["../../../src/libs/policies/permissionSetPolicy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,KAAK,MAAM,iCAAiC,CAAC;AAEpD,OAAO,EAAgB,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAC3E,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAG7D,OAAO,MAAM,EAAE,EAAE,QAAQ,EAAuB,MAAM,aAAa,CAAC;AAEpE,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,kBAAkB,CAAC,CAAC;AAEjG,MAAM,CAAC,OAAO,OAAO,mBAAoB,SAAQ,MAAM;IAG5C;IACA;IAHD,aAAa,CAAS;IAC9B,YACS,MAAiC,EACjC,YAA4B,EACnC,QAAQ,GAAG,cAAc,CAAC,cAAc;QAExC,KAAK,CAAC,MAAM,EAAE,YAAY,EAAE,QAAQ,CAAC,CAAC;QAJ/B,WAAM,GAAN,MAAM,CAA2B;QACjC,iBAAY,GAAZ,YAAY,CAAgB;QAInC,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IACvG,CAAC;IAES,KAAK,CAAC,eAAe,CAAC,OAAqB;QACnD,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;YACzB,KAAK,EAAE,IAAI,CAAC,aAAa;YACzB,QAAQ,EAAE,CAAC;SACZ,CAAC,CAAC;QACH,MAAM,oBAAoB,GAA0C,EAAE,CAAC;QACvE,MAAM,UAAU,GAAuC,EAAE,CAAC;QAC1D,MAAM,SAAS,GAAG,IAAI,KAAK,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;QACzD,MAAM,gBAAgB,GAAG,MAAM,SAAS,CAAC,OAAO,CAC9C,eAAe,EACf,yBAAyB,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,CACtD,CAAC;QACF,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE,EAAE;YAChE,MAAM,QAAQ,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;YACvC,IAAI,QAAQ,EAAE,CAAC;gBACb,oBAAoB,CAAC,GAAG,CAAC,GAAG;oBAC1B,QAAQ,EAAE,QAAQ;oBAClB,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,MAAM;oBAC9C,IAAI,EAAE,GAAG;iBACV,CAAC;YACJ,CAAC;iBAAM,IAAI,oBAAoB,CAAC,GAAG,CAAC,KAAK,SAAS,EAAE,CAAC;gBACnD,IAAI,GAAG,CAAC,MAAM,KAAK,kBAAkB,CAAC,OAAO,EAAE,CAAC;oBAC9C,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,gBAAgB,EAAE,CAAC,gBAAgB,CAAC,CAAC,EAAE,CAAC;gBACtG,CAAC;qBAAM,CAAC;oBACN,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,kBAAkB,CAAC,EAAE,CAAC;gBACpF,CA
AC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC;QACtG,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;YACzB,KAAK,EAAE,IAAI,CAAC,aAAa;YACzB,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC;SAC3B,CAAC,CAAC;QACH,OAAO,MAAM,CAAC;IAChB,CAAC;CACF;AAED,SAAS,yBAAyB,CAAC,QAA8B;IAC/D,MAAM,aAAa,GAAa,EAAE,CAAC;IACnC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE,EAAE;QAC9C,IAAI,GAAG,CAAC,MAAM,KAAK,kBAAkB,CAAC,OAAO,EAAE,CAAC;YAC9C,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC,CAAC,CAAC;IACH,OAAO,aAAa,CAAC;AACvB,CAAC"}