@j-schreiber/sf-cli-security-audit 0.4.0 → 0.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +20 -5
- package/lib/commands/org/audit/init.d.ts +3 -1
- package/lib/commands/org/audit/init.js +12 -2
- package/lib/commands/org/audit/init.js.map +1 -1
- package/lib/commands/org/audit/run.d.ts +1 -1
- package/lib/libs/{policies/initialisation → conf-init}/auditConfig.d.ts +9 -1
- package/lib/libs/{policies/initialisation → conf-init}/auditConfig.js +4 -6
- package/lib/libs/conf-init/auditConfig.js.map +1 -0
- package/lib/libs/{policies/initialisation → conf-init}/permissionsClassification.d.ts +4 -4
- package/lib/libs/conf-init/permissionsClassification.js +80 -0
- package/lib/libs/conf-init/permissionsClassification.js.map +1 -0
- package/lib/libs/{policies/initialisation → conf-init}/policyConfigs.d.ts +1 -1
- package/lib/libs/{policies/initialisation → conf-init}/policyConfigs.js +8 -10
- package/lib/libs/conf-init/policyConfigs.js.map +1 -0
- package/lib/libs/conf-init/presets/loose.d.ts +6 -0
- package/lib/libs/conf-init/presets/loose.js +35 -0
- package/lib/libs/conf-init/presets/loose.js.map +1 -0
- package/lib/libs/conf-init/presets/none.d.ts +30 -0
- package/lib/libs/conf-init/presets/none.js +54 -0
- package/lib/libs/conf-init/presets/none.js.map +1 -0
- package/lib/libs/conf-init/presets/strict.d.ts +4 -0
- package/lib/libs/conf-init/presets/strict.js +28 -0
- package/lib/libs/conf-init/presets/strict.js.map +1 -0
- package/lib/libs/conf-init/presets.d.ts +7 -0
- package/lib/libs/conf-init/presets.js +20 -0
- package/lib/libs/conf-init/presets.js.map +1 -0
- package/lib/libs/core/classification-types.d.ts +20 -0
- package/lib/libs/core/classification-types.js +23 -0
- package/lib/libs/core/classification-types.js.map +1 -0
- package/lib/libs/{config/queries.js → core/constants.js} +1 -1
- package/lib/libs/core/constants.js.map +1 -0
- package/lib/libs/{config/audit-run → core/file-mgmt}/auditConfigFileManager.d.ts +19 -0
- package/lib/libs/{config/audit-run → core/file-mgmt}/auditConfigFileManager.js +22 -7
- package/lib/libs/core/file-mgmt/auditConfigFileManager.js.map +1 -0
- package/lib/libs/{config/audit-run → core/file-mgmt}/schema.d.ts +10 -9
- package/lib/libs/{config/audit-run → core/file-mgmt}/schema.js +4 -3
- package/lib/libs/core/file-mgmt/schema.js.map +1 -0
- package/lib/libs/core/mdapi/mdapiRetriever.d.ts +52 -0
- package/lib/libs/core/mdapi/mdapiRetriever.js +116 -0
- package/lib/libs/core/mdapi/mdapiRetriever.js.map +1 -0
- package/lib/libs/core/mdapi/metadataRegistryEntry.d.ts +39 -0
- package/lib/libs/core/mdapi/metadataRegistryEntry.js +31 -0
- package/lib/libs/core/mdapi/metadataRegistryEntry.js.map +1 -0
- package/lib/libs/core/mdapi/namedMetadataToolingQueryable.d.ts +33 -0
- package/lib/libs/core/mdapi/namedMetadataToolingQueryable.js +41 -0
- package/lib/libs/core/mdapi/namedMetadataToolingQueryable.js.map +1 -0
- package/lib/libs/core/mdapi/namedMetadataType.d.ts +20 -0
- package/lib/libs/core/mdapi/namedMetadataType.js +36 -0
- package/lib/libs/core/mdapi/namedMetadataType.js.map +1 -0
- package/lib/libs/core/mdapi/singletonMetadataType.d.ts +21 -0
- package/lib/libs/core/mdapi/singletonMetadataType.js +35 -0
- package/lib/libs/core/mdapi/singletonMetadataType.js.map +1 -0
- package/lib/libs/core/policy-types.d.ts +18 -0
- package/lib/libs/core/policy-types.js +28 -0
- package/lib/libs/core/policy-types.js.map +1 -0
- package/lib/libs/core/registries/connectedApps.d.ts +13 -0
- package/lib/libs/{config → core}/registries/connectedApps.js +2 -2
- package/lib/libs/core/registries/connectedApps.js.map +1 -0
- package/lib/libs/{config → core}/registries/permissionSets.d.ts +6 -0
- package/lib/libs/{config → core}/registries/permissionSets.js +1 -1
- package/lib/libs/core/registries/permissionSets.js.map +1 -0
- package/lib/libs/{config → core}/registries/profiles.d.ts +6 -0
- package/lib/libs/{config → core}/registries/profiles.js +2 -2
- package/lib/libs/core/registries/profiles.js.map +1 -0
- package/lib/libs/{config → core}/registries/ruleRegistry.d.ts +13 -3
- package/lib/libs/core/registries/ruleRegistry.js.map +1 -0
- package/lib/libs/{policies → core/registries}/rules/allUsedAppsUnderManagement.d.ts +2 -2
- package/lib/libs/core/registries/rules/allUsedAppsUnderManagement.js.map +1 -0
- package/lib/libs/{policies → core/registries}/rules/enforceCustomPermsClassificationOnProfiles.d.ts +2 -2
- package/lib/libs/{policies → core/registries}/rules/enforceCustomPermsClassificationOnProfiles.js +4 -3
- package/lib/libs/core/registries/rules/enforceCustomPermsClassificationOnProfiles.js.map +1 -0
- package/lib/libs/{policies → core/registries}/rules/enforceUserPermsClassificationOnPermSets.d.ts +2 -2
- package/lib/libs/{policies → core/registries}/rules/enforceUserPermsClassificationOnPermSets.js +4 -3
- package/lib/libs/core/registries/rules/enforceUserPermsClassificationOnPermSets.js.map +1 -0
- package/lib/libs/{policies → core/registries}/rules/enforceUserPermsClassificationOnProfiles.d.ts +2 -2
- package/lib/libs/{policies → core/registries}/rules/enforceUserPermsClassificationOnProfiles.js +4 -3
- package/lib/libs/core/registries/rules/enforceUserPermsClassificationOnProfiles.js.map +1 -0
- package/lib/libs/{policies → core/registries}/rules/noUserCanSelfAuthorize.d.ts +2 -2
- package/lib/libs/core/registries/rules/noUserCanSelfAuthorize.js.map +1 -0
- package/lib/libs/{policies → core/registries}/rules/policyRule.d.ts +2 -2
- package/lib/libs/core/registries/rules/policyRule.js.map +1 -0
- package/lib/libs/{policies/interfaces/policyRuleInterfaces.d.ts → core/registries/types.d.ts} +7 -2
- package/lib/libs/core/registries/types.js +9 -0
- package/lib/libs/core/registries/types.js.map +1 -0
- package/lib/libs/{audit/types.d.ts → core/result-types.d.ts} +17 -0
- package/lib/libs/core/result-types.js +2 -0
- package/lib/libs/core/result-types.js.map +1 -0
- package/lib/libs/core/utils.js.map +1 -0
- package/lib/libs/policies/auditRun.d.ts +2 -2
- package/lib/libs/policies/auditRun.js +2 -2
- package/lib/libs/policies/auditRun.js.map +1 -1
- package/lib/libs/policies/connectedAppPolicy.d.ts +3 -12
- package/lib/libs/policies/connectedAppPolicy.js +6 -6
- package/lib/libs/policies/connectedAppPolicy.js.map +1 -1
- package/lib/libs/policies/permissionSetPolicy.d.ts +3 -10
- package/lib/libs/policies/permissionSetPolicy.js +17 -16
- package/lib/libs/policies/permissionSetPolicy.js.map +1 -1
- package/lib/libs/policies/policy.d.ts +4 -5
- package/lib/libs/policies/policy.js.map +1 -1
- package/lib/libs/policies/profilePolicy.d.ts +3 -10
- package/lib/libs/policies/profilePolicy.js +24 -31
- package/lib/libs/policies/profilePolicy.js.map +1 -1
- package/messages/org.audit.init.md +12 -0
- package/messages/policyclassifications.md +38 -2
- package/oclif.manifest.json +18 -2
- package/package.json +1 -1
- package/lib/libs/audit/types.js +0 -2
- package/lib/libs/audit/types.js.map +0 -1
- package/lib/libs/config/audit-run/auditConfigFileManager.js.map +0 -1
- package/lib/libs/config/audit-run/schema.js.map +0 -1
- package/lib/libs/config/defaultPolicyClassification.d.ts +0 -2
- package/lib/libs/config/defaultPolicyClassification.js +0 -63
- package/lib/libs/config/defaultPolicyClassification.js.map +0 -1
- package/lib/libs/config/queries.js.map +0 -1
- package/lib/libs/config/registries/connectedApps.d.ts +0 -5
- package/lib/libs/config/registries/connectedApps.js.map +0 -1
- package/lib/libs/config/registries/permissionSets.js.map +0 -1
- package/lib/libs/config/registries/profiles.js.map +0 -1
- package/lib/libs/config/registries/ruleRegistry.js.map +0 -1
- package/lib/libs/config/registries/types.d.ts +0 -7
- package/lib/libs/config/registries/types.js +0 -2
- package/lib/libs/config/registries/types.js.map +0 -1
- package/lib/libs/mdapiRetriever.d.ts +0 -18
- package/lib/libs/mdapiRetriever.js +0 -60
- package/lib/libs/mdapiRetriever.js.map +0 -1
- package/lib/libs/policies/initialisation/auditConfig.js.map +0 -1
- package/lib/libs/policies/initialisation/permissionsClassification.js +0 -71
- package/lib/libs/policies/initialisation/permissionsClassification.js.map +0 -1
- package/lib/libs/policies/initialisation/policyConfigs.js.map +0 -1
- package/lib/libs/policies/interfaces/policyRuleInterfaces.js +0 -2
- package/lib/libs/policies/interfaces/policyRuleInterfaces.js.map +0 -1
- package/lib/libs/policies/rules/allUsedAppsUnderManagement.js.map +0 -1
- package/lib/libs/policies/rules/enforceCustomPermsClassificationOnProfiles.js.map +0 -1
- package/lib/libs/policies/rules/enforceUserPermsClassificationOnPermSets.js.map +0 -1
- package/lib/libs/policies/rules/enforceUserPermsClassificationOnProfiles.js.map +0 -1
- package/lib/libs/policies/rules/noUserCanSelfAuthorize.js.map +0 -1
- package/lib/libs/policies/rules/policyRule.js.map +0 -1
- package/lib/libs/policies/types.d.ts +0 -36
- package/lib/libs/policies/types.js +0 -45
- package/lib/libs/policies/types.js.map +0 -1
- package/lib/libs/utils.js.map +0 -1
- /package/lib/libs/{config/queries.d.ts → core/constants.d.ts} +0 -0
- /package/lib/libs/{config → core}/registries/ruleRegistry.js +0 -0
- /package/lib/libs/{policies → core/registries}/rules/allUsedAppsUnderManagement.js +0 -0
- /package/lib/libs/{policies → core/registries}/rules/noUserCanSelfAuthorize.js +0 -0
- /package/lib/libs/{policies → core/registries}/rules/policyRule.js +0 -0
- /package/lib/libs/{utils.d.ts → core/utils.d.ts} +0 -0
- /package/lib/libs/{utils.js → core/utils.js} +0 -0
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"singletonMetadataType.js","sourceRoot":"","sources":["../../../../src/libs/core/mdapi/singletonMetadataType.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAC;AAClE,OAAO,qBAAqB,EAAE,EAA6B,QAAQ,EAAE,MAAM,4BAA4B,CAAC;AAExG;;;;GAIG;AACH,MAAM,CAAC,OAAO,OAAO,iBAAgD,SAAQ,qBAAgC;IACpG,YAAY,CAAS;IAC5B,YAAmB,IAA0C;QAC3D,KAAK,CAAC,IAAI,CAAC,CAAC;QACZ,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,YAAY,IAAI,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACrE,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,OAAO,CAAC,GAAe;QAClC,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,YAAY,EAAE,QAAQ,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC;QAC5F,MAAM,cAAc,GAAG,MAAM,QAAQ,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QACnD,OAAO,IAAI,CAAC,eAAe,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;IACzD,CAAC;IAEO,eAAe,CAAC,YAA0B;QAChD,MAAM,IAAI,GAAG,YAAY,CAAC,mBAAmB,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,YAAY,EAAE,QAAQ,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC;QAClH,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC;YACnC,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QACjC,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,kCAAkC,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC;IAC1E,CAAC;CACF"}
|
|
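--- /dev/null
+++ b/package/lib/libs/core/policy-types.d.ts
@@ -0,0 +1,18 @@
+/**
+* Presets can be assigned to profiles and permission sets.
+* A preset allows permissions up to a fixed risk level.
+*/
+export declare enum ProfilesRiskPreset {
+/** Allows up to "Critical" permissions */
+DEVELOPER = "Developer",
+/** Allows up to "High" permissions */
+ADMIN = "Admin",
+/** Allows up to "Medium" permissions */
+POWER_USER = "Power User",
+/** Allows only "Low" permissions */
+STANDARD_USER = "Standard User",
+/** Disables the profile for audit */
+UNKNOWN = "Unknown"
+}
+export declare function resolvePresetOrdinalValue(value: string): number;
+export declare function permissionAllowedInPreset(permClassification: string, preset: string): boolean;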
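--- /dev/null
+++ b/package/lib/libs/core/policy-types.js
@@ -0,0 +1,28 @@
+import { PermissionRiskLevel, resolveRiskLevelOrdinalValue } from './classification-types.js';
+/**
+* Presets can be assigned to profiles and permission sets.
+* A preset allows permissions up to a fixed risk level.
+*/
+export var ProfilesRiskPreset;
+(function (ProfilesRiskPreset) {
+/** Allows up to "Critical" permissions */
+ProfilesRiskPreset["DEVELOPER"] = "Developer";
+/** Allows up to "High" permissions */
+ProfilesRiskPreset["ADMIN"] = "Admin";
+/** Allows up to "Medium" permissions */
+ProfilesRiskPreset["POWER_USER"] = "Power User";
+/** Allows only "Low" permissions */
+ProfilesRiskPreset["STANDARD_USER"] = "Standard User";
+/** Disables the profile for audit */
+ProfilesRiskPreset["UNKNOWN"] = "Unknown";
+})(ProfilesRiskPreset || (ProfilesRiskPreset = {}));
+export function resolvePresetOrdinalValue(value) {
+return Object.keys(ProfilesRiskPreset).indexOf(value.toUpperCase().replace(' ', '_'));
+}
+export function permissionAllowedInPreset(permClassification, preset) {
+// this works, as long as we are mindful when adding new risk levels and presets
+const invertedPermValue = Object.keys(PermissionRiskLevel).length - resolveRiskLevelOrdinalValue(permClassification);
+const invertedPresetValue = Object.keys(ProfilesRiskPreset).length - resolvePresetOrdinalValue(preset);
+return invertedPresetValue >= invertedPermValue;
+}
+//# sourceMappingURL=policy-types.js.map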
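Review bot: `permissionAllowedInPreset` fails open for a preset name it does not recognise: `resolvePresetOrdinalValue` returns the `-1` of `indexOf`, so `invertedPresetValue` becomes `Object.keys(ProfilesRiskPreset).length + 1`, larger than the value of any real preset, and the function returns `true` for every permission that `resolveRiskLevelOrdinalValue` does not itself reject. The `preset` string appears to come from the audit configuration (`ResolvedProfile` and `ResolvedPermissionSet` in this diff type it as a plain `string`), so a misspelt preset would silently exempt that profile or permission set from the classification rules rather than flag it. Resolve the ordinal first and fail closed: `const presetOrdinal = resolvePresetOrdinalValue(preset);` then `if (presetOrdinal < 0) { return false; }` before the subtraction. Separately, `value.toUpperCase().replace(' ', '_')` replaces only the first space, which is correct for the current two-word presets but would break silently for a three-word one; `replace(/ /g, '_')` keeps the key lookup exact.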
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"policy-types.js","sourceRoot":"","sources":["../../../src/libs/core/policy-types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,4BAA4B,EAAE,MAAM,2BAA2B,CAAC;AAE9F;;;GAGG;AACH,MAAM,CAAN,IAAY,kBAWX;AAXD,WAAY,kBAAkB;IAC5B,0CAA0C;IAC1C,6CAAuB,CAAA;IACvB,sCAAsC;IACtC,qCAAe,CAAA;IACf,wCAAwC;IACxC,+CAAyB,CAAA;IACzB,oCAAoC;IACpC,qDAA+B,CAAA;IAC/B,qCAAqC;IACrC,yCAAmB,CAAA;AACrB,CAAC,EAXW,kBAAkB,KAAlB,kBAAkB,QAW7B;AAED,MAAM,UAAU,yBAAyB,CAAC,KAAa;IACrD,OAAO,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC;AACxF,CAAC;AAED,MAAM,UAAU,yBAAyB,CAAC,kBAA0B,EAAE,MAAc;IAClF,gFAAgF;IAChF,MAAM,iBAAiB,GAAG,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,MAAM,GAAG,4BAA4B,CAAC,kBAAkB,CAAC,CAAC;IACrH,MAAM,mBAAmB,GAAG,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,MAAM,GAAG,yBAAyB,CAAC,MAAM,CAAC,CAAC;IACvG,OAAO,mBAAmB,IAAI,iBAAiB,CAAC;AAClD,CAAC"}
|
|
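--- /dev/null
+++ b/package/lib/libs/core/registries/connectedApps.d.ts
@@ -0,0 +1,13 @@
+import RuleRegistry from './ruleRegistry.js';
+export type ResolvedConnectedApp = {
+name: string;
+origin: 'Installed' | 'OauthToken' | 'Owned';
+onlyAdminApprovedUsersAllowed: boolean;
+overrideByApiSecurityAccess: boolean;
+useCount: number;
+users: string[];
+};
+export default class ConnectedAppsRuleRegistry extends RuleRegistry {
+constructor();
+}
+export declare const ConnectedAppsRegistry: ConnectedAppsRuleRegistry;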
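--- a/package/lib/libs/config/registries/connectedApps.js
+++ b/package/lib/libs/core/registries/connectedApps.js
@@ -1,5 +1,5 @@
-import AllUsedAppsUnderManagement from '
-import NoUserCanSelfAuthorize from '
+import AllUsedAppsUnderManagement from './rules/allUsedAppsUnderManagement.js';
+import NoUserCanSelfAuthorize from './rules/noUserCanSelfAuthorize.js';
 import RuleRegistry from './ruleRegistry.js';
 export default class ConnectedAppsRuleRegistry extends RuleRegistry {
 constructor() {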
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"connectedApps.js","sourceRoot":"","sources":["../../../../src/libs/core/registries/connectedApps.ts"],"names":[],"mappings":"AAAA,OAAO,0BAA0B,MAAM,uCAAuC,CAAC;AAC/E,OAAO,sBAAsB,MAAM,mCAAmC,CAAC;AACvE,OAAO,YAAY,MAAM,mBAAmB,CAAC;AAU7C,MAAM,CAAC,OAAO,OAAO,yBAA0B,SAAQ,YAAY;IACjE;QACE,KAAK,CAAC;YACJ,0BAA0B;YAC1B,sBAAsB;SACvB,CAAC,CAAC;IACL,CAAC;CACF;AAED,MAAM,CAAC,MAAM,qBAAqB,GAAG,IAAI,yBAAyB,EAAE,CAAC"}
|
|
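--- a/package/lib/libs/config/registries/permissionSets.d.ts
+++ b/package/lib/libs/core/registries/permissionSets.d.ts
@@ -1,4 +1,10 @@
+import { PermissionSet } from '@jsforce/jsforce-node/lib/api/metadata.js';
 import RuleRegistry from './ruleRegistry.js';
+export type ResolvedPermissionSet = {
+name: string;
+preset: string;
+metadata: PermissionSet;
+};
 export default class PermSetsRuleRegistry extends RuleRegistry {
 constructor();
 }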
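Review bot: `preset` is declared as a plain `string` on `ResolvedPermissionSet`, although this diff also exports the `ProfilesRiskPreset` string enum in `policy-types.d.ts`; declaring it as `preset: ProfilesRiskPreset;` (with the matching import) would make an unsupported preset a compile-time error wherever the value is constructed in code, instead of an arbitrary string that `resolvePresetOrdinalValue` has to map back by name at run time. The same applies to `ResolvedProfile.preset` in `profiles.d.ts` in this diff. If the value is parsed from the audit config file, the schema still has to validate it at run time; the narrower type only closes the in-code path.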
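--- a/package/lib/libs/config/registries/permissionSets.js
+++ b/package/lib/libs/core/registries/permissionSets.js
@@ -1,4 +1,4 @@
-import EnforceUserPermsClassificationOnPermSets from '
+import EnforceUserPermsClassificationOnPermSets from './rules/enforceUserPermsClassificationOnPermSets.js';
 import RuleRegistry from './ruleRegistry.js';
 export default class PermSetsRuleRegistry extends RuleRegistry {
 constructor() {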
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"permissionSets.js","sourceRoot":"","sources":["../../../../src/libs/core/registries/permissionSets.ts"],"names":[],"mappings":"AACA,OAAO,wCAAwC,MAAM,qDAAqD,CAAC;AAC3G,OAAO,YAAY,MAAM,mBAAmB,CAAC;AAO7C,MAAM,CAAC,OAAO,OAAO,oBAAqB,SAAQ,YAAY;IAC5D;QACE,KAAK,CAAC;YACJ,oCAAoC,EAAE,wCAAwC;SAC/E,CAAC,CAAC;IACL,CAAC;CACF;AAED,MAAM,CAAC,MAAM,sBAAsB,GAAG,IAAI,oBAAoB,EAAE,CAAC"}
|
|
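--- a/package/lib/libs/config/registries/profiles.d.ts
+++ b/package/lib/libs/core/registries/profiles.d.ts
@@ -1,4 +1,10 @@
+import { Profile as ProfileMetadata } from '@jsforce/jsforce-node/lib/api/metadata.js';
 import RuleRegistry from './ruleRegistry.js';
+export type ResolvedProfile = {
+name: string;
+preset: string;
+metadata: ProfileMetadata;
+};
 export default class ProfilesRuleRegistry extends RuleRegistry {
 constructor();
 }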
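--- a/package/lib/libs/config/registries/profiles.js
+++ b/package/lib/libs/core/registries/profiles.js
@@ -1,5 +1,5 @@
-import EnforceCustomPermsClassificationOnProfiles from '
-import EnforceUserPermsClassificationOnProfiles from '
+import EnforceCustomPermsClassificationOnProfiles from './rules/enforceCustomPermsClassificationOnProfiles.js';
+import EnforceUserPermsClassificationOnProfiles from './rules/enforceUserPermsClassificationOnProfiles.js';
 import RuleRegistry from './ruleRegistry.js';
 export default class ProfilesRuleRegistry extends RuleRegistry {
 constructor() {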
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"profiles.js","sourceRoot":"","sources":["../../../../src/libs/core/registries/profiles.ts"],"names":[],"mappings":"AACA,OAAO,0CAA0C,MAAM,uDAAuD,CAAC;AAC/G,OAAO,wCAAwC,MAAM,qDAAqD,CAAC;AAC3G,OAAO,YAAY,MAAM,mBAAmB,CAAC;AAQ7C,MAAM,CAAC,OAAO,OAAO,oBAAqB,SAAQ,YAAY;IAC5D;QACE,KAAK,CAAC;YACJ,sCAAsC,EAAE,0CAA0C;YAClF,oCAAoC,EAAE,wCAAwC;SAC/E,CAAC,CAAC;IACL,CAAC;CACF;AAED,MAAM,CAAC,MAAM,gBAAgB,GAAG,IAAI,oBAAoB,EAAE,CAAC"}
|
|
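--- a/package/lib/libs/config/registries/ruleRegistry.d.ts
+++ b/package/lib/libs/core/registries/ruleRegistry.d.ts
@@ -1,7 +1,17 @@
-import {
-import {
-import {
+import { EntityResolveError, PolicyRuleSkipResult } from '../result-types.js';
+import { AuditRunConfig, RuleMap } from '../../core/file-mgmt/schema.js';
+import { RowLevelPolicyRule } from './types.js';
 type Constructor<T, Args extends any[] = any[]> = new (...args: Args) => T;
+/**
+* Result contains the actually available and enabled rules
+* from the raw config file. Rules that are not present in the
+* policie's registry are errors, disabled rules are skipped.
+*/
+export type RegistryRuleResolveResult = {
+enabledRules: Array<RowLevelPolicyRule<unknown>>;
+skippedRules: PolicyRuleSkipResult[];
+resolveErrors: EntityResolveError[];
+};
 /**
 * The rule registry holds all available rules for a given policy at run time.
 * It is designed to be extendible so we can easily register new rules and it will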
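Review bot: The new doc comment on `RegistryRuleResolveResult` reads `policie's registry`; `policy's registry` is meant. It would also help readers to name which field each outcome lands in, since this type is the only place the three buckets are described, e.g. `enabledRules: found in the registry and enabled in the config; skippedRules: found but disabled; resolveErrors: named in the config but unknown to the registry`.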
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"ruleRegistry.js","sourceRoot":"","sources":["../../../../src/libs/core/registries/ruleRegistry.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAK5C,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,kBAAkB,CAAC,CAAC;AAgBjG;;;;GAIG;AACH,MAAM,CAAC,OAAO,OAAO,YAAY;IACL;IAA1B,YAA0B,KAA+D;QAA/D,UAAK,GAAL,KAAK,CAA0D;IAAG,CAAC;IAE7F;;;;OAIG;IACI,eAAe;QACpB,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACjC,CAAC;IAED;;;;;;;OAOG;IACI,YAAY,CAAC,QAAiB,EAAE,YAA4B;QACjE,MAAM,YAAY,GAAG,IAAI,KAAK,EAA+B,CAAC;QAC9D,MAAM,YAAY,GAAG,IAAI,KAAK,EAAwB,CAAC;QACvD,MAAM,aAAa,GAAG,IAAI,KAAK,EAAsB,CAAC;QACtD,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE,UAAU,CAAC,EAAE,EAAE;YAC1D,IAAI,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,UAAU,CAAC,OAAO,EAAE,CAAC;gBAC/C,YAAY,CAAC,IAAI,CACf,IAAI,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,EAAE,YAAY,EAAE,eAAe,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,CAAC,MAAM,EAAE,CAAC,CACrG,CAAC;YACJ,CAAC;iBAAM,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;gBAC/B,YAAY,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,CAAC,UAAU,CAAC,8BAA8B,CAAC,EAAE,CAAC,CAAC;YACzG,CAAC;iBAAM,CAAC;gBACN,aAAa,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,mCAAmC,CAAC,EAAE,CAAC,CAAC;YAC5G,CAAC;QACH,CAAC,CAAC,CAAC;QACH,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,aAAa,EAAE,CAAC;IACvD,CAAC;CACF"}
|
|
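--- a/package/lib/libs/policies/rules/allUsedAppsUnderManagement.d.ts
+++ b/package/lib/libs/core/registries/rules/allUsedAppsUnderManagement.d.ts
@@ -1,5 +1,5 @@
-import {
-import {
+import { PartialPolicyRuleResult, RuleAuditContext } from '../types.js';
+import { ResolvedConnectedApp } from '../connectedApps.js';
 import PolicyRule, { RuleOptions } from './policyRule.js';
 export default class AllUsedAppsUnderManagement extends PolicyRule<ResolvedConnectedApp> {
 constructor(opts: RuleOptions);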
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"allUsedAppsUnderManagement.js","sourceRoot":"","sources":["../../../../../src/libs/core/registries/rules/allUsedAppsUnderManagement.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAG5C,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,qBAAqB,CAAC,CAAC;AAEpG,MAAM,CAAC,OAAO,OAAO,0BAA2B,SAAQ,UAAgC;IACtF,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,GAAG,CAAC,OAA+C;QACxD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,qBAAqB,GAAG,OAAO,CAAC,gBAAgB,CAAC;QACvD,MAAM,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;YACnD,IAAI,GAAG,CAAC,MAAM,KAAK,YAAY,EAAE,CAAC;gBAChC,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;oBACrB,UAAU,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC;oBACtB,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,wCAAwC,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAC;iBACzG,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;QACH,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF"}
|
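--- a/package/lib/libs/policies/rules/enforceCustomPermsClassificationOnProfiles.d.ts
+++ b/package/lib/libs/core/registries/rules/enforceCustomPermsClassificationOnProfiles.d.ts
@@ -1,5 +1,5 @@
-import { PartialPolicyRuleResult, RuleAuditContext } from '../
-import { ResolvedProfile } from '../
+import { PartialPolicyRuleResult, RuleAuditContext } from '../types.js';
+import { ResolvedProfile } from '../profiles.js';
 import PolicyRule, { RuleOptions } from './policyRule.js';
 export default class EnforceCustomPermsClassificationOnProfiles extends PolicyRule<ResolvedProfile> {
 constructor(opts: RuleOptions);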
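--- a/package/lib/libs/policies/rules/enforceCustomPermsClassificationOnProfiles.js
+++ b/package/lib/libs/core/registries/rules/enforceCustomPermsClassificationOnProfiles.js
@@ -1,5 +1,6 @@
 import { Messages } from '@salesforce/core';
-import {
+import { PermissionRiskLevel } from '../../classification-types.js';
+import { permissionAllowedInPreset } from '../../policy-types.js';
 import PolicyRule from './policyRule.js';
 const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.enforceClassificationPresets');
 export default class EnforceCustomPermsClassificationOnProfiles extends PolicyRule {
@@ -15,7 +16,7 @@ export default class EnforceCustomPermsClassificationOnProfiles extends PolicyRu
 const identifier = [profile.name, perm.name];
 const classifiedPerm = this.resolveCustomPermission(perm.name);
 if (classifiedPerm) {
-if (classifiedPerm.classification ===
+if (classifiedPerm.classification === PermissionRiskLevel.BLOCKED) {
 result.violations.push({
 identifier,
 message: messages.getMessage('violations.permission-is-blocked'),
@@ -30,7 +31,7 @@ export default class EnforceCustomPermsClassificationOnProfiles extends PolicyRu
 ]),
 });
 }
-else if (classifiedPerm.classification ===
+else if (classifiedPerm.classification === PermissionRiskLevel.UNKNOWN) {
 result.warnings.push({
 identifier,
 message: messages.getMessage('warnings.permission-unknown'),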
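Review bot: The `PermissionRiskLevel.BLOCKED` → violation and `PermissionRiskLevel.UNKNOWN` → warning branches introduced here are written out identically in three rule classes: this file, `enforceUserPermsClassificationOnPermSets.js` and `enforceUserPermsClassificationOnProfiles.js`, each with the same `messages.getMessage('violations.permission-is-blocked')` and `messages.getMessage('warnings.permission-unknown')` calls, and the new `permissionAllowedInPreset` import suggests the same preset check sits between them in all three. A single protected helper on `PolicyRule`, say `evaluateClassifiedPermission(identifier, classification, preset, result)`, performing that blocked / allowed-in-preset / unknown dispatch would keep the three rules in step when a risk level or preset is added, which the comment in `policy-types.js` already marks as a place that needs care. The enclosing method starts and ends outside these hunks, so the surrounding loop is not visible here.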
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"enforceCustomPermsClassificationOnProfiles.js","sourceRoot":"","sources":["../../../../../src/libs/core/registries/rules/enforceCustomPermsClassificationOnProfiles.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAG5C,OAAO,EAAE,mBAAmB,EAAE,MAAM,+BAA+B,CAAC;AACpE,OAAO,EAAE,yBAAyB,EAAE,MAAM,uBAAuB,CAAC;AAClE,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAC1D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,oCAAoC,CAAC,CAAC;AAEnH,MAAM,CAAC,OAAO,OAAO,0CAA2C,SAAQ,UAA2B;IACjG,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,GAAG,CAAC,OAA0C;QACnD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC;QAClD,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;YAClD,MAAM,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC,iBAAiB,IAAI,EAAE,CAAC;YAC7D,WAAW,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;gBAC3B,MAAM,UAAU,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;gBAC7C,MAAM,cAAc,GAAG,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAC/D,IAAI,cAAc,EAAE,CAAC;oBACnB,IAAI,cAAc,CAAC,cAAc,KAAK,mBAAmB,CAAC,OAAO,EAAE,CAAC;wBAClE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;4BACrB,UAAU;4BACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,kCAAkC,CAAC;yBACjE,CAAC,CAAC;oBACL,CAAC;yBAAM,IAAI,CAAC,yBAAyB,CAAC,cAAc,CAAC,cAAc,EAAE,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;wBACrF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;4BACrB,UAAU;4BACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,2CAA2C,EAAE;gCACxE,cAAc,CAAC,cAAc;gCAC7B,OAAO,CAAC,MAAM;6BACf,CAAC;yBACH,CAAC,CAAC;oBACL,CAAC;yBAAM,IAAI,cAAc,CAAC,cAAc,KAAK,mBAAmB,CAAC,OAAO,EAAE,CAAC;wBACzE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;4BACnB,UAAU;4BACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,6BAA6B,CAAC;yBAC5D,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;wBACnB,UAAU;wBACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,+CAA+C,CAAC;qBAC9E,CAAC,CAAC;gBACL,CAAC;YACH,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QACH,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF"}
|
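--- a/package/lib/libs/policies/rules/enforceUserPermsClassificationOnPermSets.d.ts
+++ b/package/lib/libs/core/registries/rules/enforceUserPermsClassificationOnPermSets.d.ts
@@ -1,5 +1,5 @@
-import { PartialPolicyRuleResult, RuleAuditContext } from '../
-import { ResolvedPermissionSet } from '../
+import { PartialPolicyRuleResult, RuleAuditContext } from '../types.js';
+import { ResolvedPermissionSet } from '../permissionSets.js';
 import PolicyRule, { RuleOptions } from './policyRule.js';
 export default class EnforceUserPermsClassificationOnPermSets extends PolicyRule<ResolvedPermissionSet> {
 constructor(opts: RuleOptions);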
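--- a/package/lib/libs/policies/rules/enforceUserPermsClassificationOnPermSets.js
+++ b/package/lib/libs/core/registries/rules/enforceUserPermsClassificationOnPermSets.js
@@ -1,5 +1,6 @@
 import { Messages } from '@salesforce/core';
-import {
+import { PermissionRiskLevel } from '../../classification-types.js';
+import { permissionAllowedInPreset } from '../../policy-types.js';
 import PolicyRule from './policyRule.js';
 const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.enforceClassificationPresets');
 export default class EnforceUserPermsClassificationOnPermSets extends PolicyRule {
@@ -15,7 +16,7 @@ export default class EnforceUserPermsClassificationOnPermSets extends PolicyRule
 const identifier = [permset.name, userPerm.name];
 const classifiedUserPerm = this.resolveUserPermission(userPerm.name);
 if (classifiedUserPerm) {
-if (classifiedUserPerm.classification ===
+if (classifiedUserPerm.classification === PermissionRiskLevel.BLOCKED) {
 result.violations.push({
 identifier,
 message: messages.getMessage('violations.permission-is-blocked'),
@@ -30,7 +31,7 @@ export default class EnforceUserPermsClassificationOnPermSets extends PolicyRule
 ]),
 });
 }
-else if (classifiedUserPerm.classification ===
+else if (classifiedUserPerm.classification === PermissionRiskLevel.UNKNOWN) {
 result.warnings.push({
 identifier,
 message: messages.getMessage('warnings.permission-unknown'),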
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"enforceUserPermsClassificationOnPermSets.js","sourceRoot":"","sources":["../../../../../src/libs/core/registries/rules/enforceUserPermsClassificationOnPermSets.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAG5C,OAAO,EAAE,mBAAmB,EAAE,MAAM,+BAA+B,CAAC;AACpE,OAAO,EAAE,yBAAyB,EAAE,MAAM,uBAAuB,CAAC;AAClE,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,oCAAoC,CAAC,CAAC;AAEnH,MAAM,CAAC,OAAO,OAAO,wCAAyC,SAAQ,UAAiC;IACrG,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,GAAG,CAAC,OAAgD;QACzD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC;QAClD,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;YAClD,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ,CAAC,eAAe,IAAI,EAAE,CAAC;YACzD,SAAS,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,EAAE;gBAC7B,MAAM,UAAU,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC;gBACjD,MAAM,kBAAkB,GAAG,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;gBACrE,IAAI,kBAAkB,EAAE,CAAC;oBACvB,IAAI,kBAAkB,CAAC,cAAc,KAAK,mBAAmB,CAAC,OAAO,EAAE,CAAC;wBACtE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;4BACrB,UAAU;4BACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,kCAAkC,CAAC;yBACjE,CAAC,CAAC;oBACL,CAAC;yBAAM,IAAI,CAAC,yBAAyB,CAAC,kBAAkB,CAAC,cAAc,EAAE,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;wBACzF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;4BACrB,UAAU;4BACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,2CAA2C,EAAE;gCACxE,kBAAkB,CAAC,cAAc;gCACjC,OAAO,CAAC,MAAM;6BACf,CAAC;yBACH,CAAC,CAAC;oBACL,CAAC;yBAAM,IAAI,kBAAkB,CAAC,cAAc,KAAK,mBAAmB,CAAC,OAAO,EAAE,CAAC;wBAC7E,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;4BACnB,UAAU;4BACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,6BAA6B,CAAC;yBAC5D,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;wBACnB,UAAU;wBACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,sDAAsD,CAAC;qBACrF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QACH,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF"}
|
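--- a/package/lib/libs/policies/rules/enforceUserPermsClassificationOnProfiles.d.ts
+++ b/package/lib/libs/core/registries/rules/enforceUserPermsClassificationOnProfiles.d.ts
@@ -1,5 +1,5 @@
-import { PartialPolicyRuleResult, RuleAuditContext } from '../
-import { ResolvedProfile } from '../
+import { PartialPolicyRuleResult, RuleAuditContext } from '../types.js';
+import { ResolvedProfile } from '../profiles.js';
 import PolicyRule, { RuleOptions } from './policyRule.js';
 export default class EnforceUserPermsClassificationOnProfiles extends PolicyRule<ResolvedProfile> {
 constructor(opts: RuleOptions);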
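--- a/package/lib/libs/policies/rules/enforceUserPermsClassificationOnProfiles.js
+++ b/package/lib/libs/core/registries/rules/enforceUserPermsClassificationOnProfiles.js
@@ -1,6 +1,7 @@
 import { Messages } from '@salesforce/core';
 import { isNullish } from '../../utils.js';
-import {
+import { PermissionRiskLevel } from '../../classification-types.js';
+import { permissionAllowedInPreset } from '../../policy-types.js';
 import PolicyRule from './policyRule.js';
 const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.enforceClassificationPresets');
 export default class EnforceUserPermsClassificationOnProfiles extends PolicyRule {
@@ -16,7 +17,7 @@ export default class EnforceUserPermsClassificationOnProfiles extends PolicyRule
 const identifier = [profile.name, userPerm.name];
 const classifiedUserPerm = this.resolveUserPermission(userPerm.name);
 if (classifiedUserPerm) {
-if (classifiedUserPerm.classification ===
+if (classifiedUserPerm.classification === PermissionRiskLevel.BLOCKED) {
 result.violations.push({
 identifier,
 message: messages.getMessage('violations.permission-is-blocked'),
@@ -31,7 +32,7 @@ export default class EnforceUserPermsClassificationOnProfiles extends PolicyRule
 ]),
 });
 }
-else if (classifiedUserPerm.classification ===
+else if (classifiedUserPerm.classification === PermissionRiskLevel.UNKNOWN) {
 result.warnings.push({
 identifier,
 message: messages.getMessage('warnings.permission-unknown'),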
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"enforceUserPermsClassificationOnProfiles.js","sourceRoot":"","sources":["../../../../../src/libs/core/registries/rules/enforceUserPermsClassificationOnProfiles.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAE3C,OAAO,EAAE,mBAAmB,EAAE,MAAM,+BAA+B,CAAC;AACpE,OAAO,EAAE,yBAAyB,EAAE,MAAM,uBAAuB,CAAC;AAClE,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,oCAAoC,CAAC,CAAC;AAEnH,MAAM,CAAC,OAAO,OAAO,wCAAyC,SAAQ,UAA2B;IAC/F,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,GAAG,CAAC,OAA0C;QACnD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC;QAClD,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;YAClD,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;gBACjD,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,EAAE;oBACpD,MAAM,UAAU,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC;oBACjD,MAAM,kBAAkB,GAAG,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;oBACrE,IAAI,kBAAkB,EAAE,CAAC;wBACvB,IAAI,kBAAkB,CAAC,cAAc,KAAK,mBAAmB,CAAC,OAAO,EAAE,CAAC;4BACtE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;gCACrB,UAAU;gCACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,kCAAkC,CAAC;6BACjE,CAAC,CAAC;wBACL,CAAC;6BAAM,IAAI,CAAC,yBAAyB,CAAC,kBAAkB,CAAC,cAAc,EAAE,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;4BACzF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;gCACrB,UAAU;gCACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,2CAA2C,EAAE;oCACxE,kBAAkB,CAAC,cAAc;oCACjC,OAAO,CAAC,MAAM;iCACf,CAAC;6BACH,CAAC,CAAC;wBACL,CAAC;6BAAM,IAAI,kBAAkB,CAAC,cAAc,KAAK,mBAAmB,CAAC,OAAO,EAAE,CAAC;4BAC7E,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;gCACnB,UAAU;gCACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,6BAA6B,CAAC;6BAC5D,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;yBAAM,CAAC;wBACN,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;4BACnB,UAAU;4BACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,+CAA+C,CAAC;yBAC9E,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;QACH,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF"}
|
|
@@ -1,5 +1,5 @@
|
|
|
1
|
-
import { PartialPolicyRuleResult, RuleAuditContext } from '../
|
|
2
|
-
import { ResolvedConnectedApp } from '../
|
|
1
|
+
import { PartialPolicyRuleResult, RuleAuditContext } from '../types.js';
|
|
2
|
+
import { ResolvedConnectedApp } from '../connectedApps.js';
|
|
3
3
|
import PolicyRule, { RuleOptions } from './policyRule.js';
|
|
4
4
|
export default class NoUserCanSelfAuthorize extends PolicyRule<ResolvedConnectedApp> {
|
|
5
5
|
constructor(opts: RuleOptions);
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"noUserCanSelfAuthorize.js","sourceRoot":"","sources":["../../../../../src/libs/core/registries/rules/noUserCanSelfAuthorize.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAG5C,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,qBAAqB,CAAC,CAAC;AAEpG,MAAM,CAAC,OAAO,OAAO,sBAAuB,SAAQ,UAAgC;IAClF,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,GAAG,CAAC,OAA+C;QACxD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,qBAAqB,GAAG,OAAO,CAAC,gBAAgB,CAAC;QACvD,MAAM,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;YACnD,IAAI,CAAC,GAAG,CAAC,6BAA6B,EAAE,CAAC;gBACvC,IAAI,GAAG,CAAC,2BAA2B,EAAE,CAAC;oBACpC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;wBACnB,UAAU,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC;wBACtB,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,yDAAyD,CAAC;qBACxF,CAAC,CAAC;gBACL,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;wBACrB,UAAU,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC;wBACtB,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,qCAAqC,CAAC;qBACpE,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QACH,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF"}
|
|
@@ -1,5 +1,5 @@
|
|
|
1
|
-
import { PartialPolicyRuleResult, RowLevelPolicyRule, RuleAuditContext } from '../
|
|
2
|
-
import { AuditRunConfig, NamedPermissionsClassification } from '../../
|
|
1
|
+
import { PartialPolicyRuleResult, RowLevelPolicyRule, RuleAuditContext } from '../types.js';
|
|
2
|
+
import { AuditRunConfig, NamedPermissionsClassification } from '../../file-mgmt/schema.js';
|
|
3
3
|
export type RuleOptions = {
|
|
4
4
|
auditContext: AuditRunConfig;
|
|
5
5
|
ruleDisplayName: string;
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"policyRule.js","sourceRoot":"","sources":["../../../../../src/libs/core/registries/rules/policyRule.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAK5C,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAQ7D,MAAM,CAAC,OAAO,OAAgB,UAAU;IAC/B,YAAY,CAAiB;IAC7B,eAAe,CAAS;IAE/B,YAAmB,IAAiB;QAClC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC;QACtC,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,eAAe,CAAC;IAC9C,CAAC;IAES,UAAU;QAClB,OAAO;YACL,QAAQ,EAAE,IAAI,CAAC,eAAe;YAC9B,UAAU,EAAE,IAAI,KAAK,EAAuB;YAC5C,eAAe,EAAE,IAAI,KAAK,EAA2B;YACrD,QAAQ,EAAE,IAAI,KAAK,EAAwB;YAC3C,MAAM,EAAE,IAAI,KAAK,EAAwB;SAC1C,CAAC;IACJ,CAAC;IAES,qBAAqB,CAAC,QAAgB;QAC9C,OAAO,kBAAkB,CACvB,QAAQ,EACR,IAAI,CAAC,YAAY,CAAC,eAAe,CAAC,eAAe,EAAE,OAAO,CAAC,WAAW,CAAC,QAAQ,CAAC,CACjF,CAAC;IACJ,CAAC;IAES,uBAAuB,CAAC,QAAgB;QAChD,OAAO,kBAAkB,CACvB,QAAQ,EACR,IAAI,CAAC,YAAY,CAAC,eAAe,CAAC,iBAAiB,EAAE,OAAO,CAAC,WAAW,CAAC,QAAQ,CAAC,CACnF,CAAC;IACJ,CAAC;CAGF;AAED,SAAS,kBAAkB,CACzB,QAAgB,EAChB,IAAgC;IAEhC,OAAO,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;AACxD,CAAC"}
|
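--- a/package/lib/libs/policies/interfaces/policyRuleInterfaces.d.ts
+++ b/package/lib/libs/core/registries/types.d.ts
@@ -1,6 +1,11 @@
 import { Connection } from '@salesforce/core';
-import { AuditPolicyResult, PolicyRuleExecutionResult } from '
-import { Optional } from '
+import { AuditPolicyResult, PolicyRuleExecutionResult } from '../result-types.js';
+import { Optional } from '../utils.js';
+export declare const RuleRegistries: {
+ConnectedApps: import("./connectedApps.js").default;
+Profiles: import("./profiles.js").default;
+PermissionSets: import("./permissionSets.js").default;
+};
 /**
 * A rule must only implement a subset of the rule result. All optional
 * properties are completed by the policy.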
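Review bot: `RuleRegistries` is a runtime value (the emitted `types.js` in this change does `export const RuleRegistries = …` and imports the three registry modules), yet it lives in the module the rest of the package imports for types only — `AuditContext` and `RuleAuditContext` in the policy and rule `.d.ts` files of this diff. That works today only because `tsc` elides type-only imports; under `verbatimModuleSyntax`/`isolatedModules`, or for any consumer that imports a type from `./types.js` with a plain `import`, it pulls the whole registry graph in at load time, and since the registries import the rules that in turn import `../types.js`, that is a circular-import hazard waiting to happen. I would move the value to its own module, e.g. `registries/index.ts`, leave `types.ts` type-only, and write the type imports as `import type { AuditContext } from '../core/registries/types.js';` at the call sites.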
|
|
@@ -0,0 +1,9 @@
|
|
|
1
|
+
import { ConnectedAppsRegistry } from './connectedApps.js';
|
|
2
|
+
import { PermissionSetsRegistry } from './permissionSets.js';
|
|
3
|
+
import { ProfilesRegistry } from './profiles.js';
|
|
4
|
+
export const RuleRegistries = {
|
|
5
|
+
ConnectedApps: ConnectedAppsRegistry,
|
|
6
|
+
Profiles: ProfilesRegistry,
|
|
7
|
+
PermissionSets: PermissionSetsRegistry,
|
|
8
|
+
};
|
|
9
|
+
//# sourceMappingURL=types.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../../src/libs/core/registries/types.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,qBAAqB,EAAE,MAAM,oBAAoB,CAAC;AAC3D,OAAO,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAC;AAC7D,OAAO,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AAEjD,MAAM,CAAC,MAAM,cAAc,GAAG;IAC5B,aAAa,EAAE,qBAAqB;IACpC,QAAQ,EAAE,gBAAgB;IAC1B,cAAc,EAAE,sBAAsB;CACvC,CAAC"}
|
|
@@ -35,6 +35,9 @@ export type EntityResolveError = {
|
|
|
35
35
|
*/
|
|
36
36
|
message: string;
|
|
37
37
|
};
|
|
38
|
+
/**
|
|
39
|
+
* Generic message for a particular element of a rule
|
|
40
|
+
*/
|
|
38
41
|
export type RuleComponentMessage = {
|
|
39
42
|
/**
|
|
40
43
|
* Path to a component. This can be a developer name of a connected app,
|
|
@@ -46,6 +49,9 @@ export type RuleComponentMessage = {
|
|
|
46
49
|
*/
|
|
47
50
|
message: string;
|
|
48
51
|
};
|
|
52
|
+
/**
|
|
53
|
+
*
|
|
54
|
+
*/
|
|
49
55
|
export type PolicyRuleSkipResult = {
|
|
50
56
|
/**
|
|
51
57
|
* Identifier of the rule, as it is configured in the policy.yml.
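Review bot: The TSDoc block added just before `PolicyRuleSkipResult` (new lines 52-54) is empty, so the type gets a blank hover summary while every neighbouring type in this file now carries one. Based on the fields visible here — a rule identifier "as it is configured in the policy.yml" and a `skipReason: string` — I would fill it with `/** Result entry for a rule that is configured in the policy but was not executed; skipReason states why. */`; adjust the wording if a skip can also happen for rules that are not in the policy file.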
|
|
@@ -56,6 +62,10 @@ export type PolicyRuleSkipResult = {
|
|
|
56
62
|
*/
|
|
57
63
|
skipReason: string;
|
|
58
64
|
};
|
|
65
|
+
/**
|
|
66
|
+
* Full execution summary of a single rule. Includes audited entities,
|
|
67
|
+
* violations, execution errors, etc.
|
|
68
|
+
*/
|
|
59
69
|
export type PolicyRuleExecutionResult = {
|
|
60
70
|
/**
|
|
61
71
|
* Identifier of the rule, as it is configured in the policy.yml.
|
|
@@ -94,6 +104,10 @@ export type PolicyRuleExecutionResult = {
|
|
|
94
104
|
*/
|
|
95
105
|
warnings: RuleComponentMessage[];
|
|
96
106
|
};
|
|
107
|
+
/**
|
|
108
|
+
* Full execution result of a policy. Contains full results of each executed
|
|
109
|
+
* rule and more information about skipped rules, audited entities, etc.
|
|
110
|
+
*/
|
|
97
111
|
export type AuditPolicyResult = {
|
|
98
112
|
/**
|
|
99
113
|
* Flag that indicates, if the policy was executed.
|
|
@@ -132,6 +146,9 @@ export type AuditPolicyResult = {
|
|
|
132
146
|
*/
|
|
133
147
|
ignoredEntities: EntityResolveError[];
|
|
134
148
|
};
|
|
149
|
+
/**
|
|
150
|
+
* The final audit result, contains all policy results.
|
|
151
|
+
*/
|
|
135
152
|
export type AuditResult = {
|
|
136
153
|
/**
|
|
137
154
|
* All executed policies were compliant.
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"result-types.js","sourceRoot":"","sources":["../../../src/libs/core/result-types.ts"],"names":[],"mappings":""}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"utils.js","sourceRoot":"","sources":["../../../src/libs/core/utils.ts"],"names":[],"mappings":"AAAA,MAAM,UAAU,OAAO,CAAC,QAAkB;IACxC,IAAI,SAAS,CAAC,QAAQ,CAAC,EAAE,CAAC;QACxB,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACjC,OAAO,MAAM,CAAC,OAAO,CAAC,QAAS,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC;IAChD,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,QAAiB;IACzC,OAAO,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,QAAQ,KAAK,IAAI,CAAC,CAAC;AACnD,CAAC"}
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
import EventEmitter from 'node:events';
|
|
2
2
|
import { Connection } from '@salesforce/core';
|
|
3
|
-
import { AuditResult } from '../
|
|
4
|
-
import { AuditRunConfig } from '../
|
|
3
|
+
import { AuditResult } from '../core/result-types.js';
|
|
4
|
+
import { AuditRunConfig } from '../core/file-mgmt/schema.js';
|
|
5
5
|
import Policy from './policy.js';
|
|
6
6
|
type PolicyMap = Record<string, Policy>;
|
|
7
7
|
export declare function startAuditRun(directoryPath: string): AuditRun;
|
|
@@ -1,11 +1,11 @@
|
|
|
1
1
|
// import fs from 'node:fs';
|
|
2
2
|
import EventEmitter from 'node:events';
|
|
3
|
+
import { loadAuditConfig } from '../core/file-mgmt/auditConfigFileManager.js';
|
|
3
4
|
import ProfilePolicy from './profilePolicy.js';
|
|
4
5
|
import PermissionSetPolicy from './permissionSetPolicy.js';
|
|
5
6
|
import ConnectedAppPolicy from './connectedAppPolicy.js';
|
|
6
|
-
import AuditConfig from './initialisation/auditConfig.js';
|
|
7
7
|
export function startAuditRun(directoryPath) {
|
|
8
|
-
const conf =
|
|
8
|
+
const conf = loadAuditConfig(directoryPath);
|
|
9
9
|
return new AuditRun(conf);
|
|
10
10
|
}
|
|
11
11
|
/**
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auditRun.js","sourceRoot":"","sources":["../../../src/libs/policies/auditRun.ts"],"names":[],"mappings":"AAAA,4BAA4B;AAC5B,OAAO,YAAY,MAAM,aAAa,CAAC;AAIvC,OAAO,aAAa,MAAM,oBAAoB,CAAC;AAE/C,OAAO,mBAAmB,MAAM,0BAA0B,CAAC;AAC3D,OAAO,kBAAkB,MAAM,yBAAyB,CAAC;
|
|
1
|
+
{"version":3,"file":"auditRun.js","sourceRoot":"","sources":["../../../src/libs/policies/auditRun.ts"],"names":[],"mappings":"AAAA,4BAA4B;AAC5B,OAAO,YAAY,MAAM,aAAa,CAAC;AAIvC,OAAO,EAAE,eAAe,EAAE,MAAM,6CAA6C,CAAC;AAC9E,OAAO,aAAa,MAAM,oBAAoB,CAAC;AAE/C,OAAO,mBAAmB,MAAM,0BAA0B,CAAC;AAC3D,OAAO,kBAAkB,MAAM,yBAAyB,CAAC;AAKzD,MAAM,UAAU,aAAa,CAAC,aAAqB;IACjD,MAAM,IAAI,GAAG,eAAe,CAAC,aAAa,CAAC,CAAC;IAC5C,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC;AAC5B,CAAC;AAQD;;GAEG;AACH,MAAM,CAAC,OAAO,OAAO,QAAS,SAAQ,YAAY;IAGtB;IAFlB,kBAAkB,CAAa;IAEvC,YAA0B,OAAuB;QAC/C,KAAK,EAAE,CAAC;QADgB,YAAO,GAAP,OAAO,CAAgB;IAEjD,CAAC;IAED;;;;OAIG;IACI,KAAK,CAAC,OAAO,CAAC,mBAA+B;QAClD,IAAI,IAAI,CAAC,kBAAkB,EAAE,CAAC;YAC5B,OAAO,IAAI,CAAC,kBAAkB,CAAC;QACjC,CAAC;QACD,IAAI,CAAC,kBAAkB,GAAG,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC1D,MAAM,qBAAqB,GAAwC,EAAE,CAAC;QACtE,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,OAAO,CAAC,CAAC,UAAU,EAAE,EAAE;YAC5D,qBAAqB,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,mBAAmB,EAAE,CAAC,CAAC,CAAC;QAC1E,CAAC,CAAC,CAAC;QACH,MAAM,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;QACzC,OAAO,IAAI,CAAC,kBAAkB,CAAC;IACjC,CAAC;IAED;;;;;;OAMG;IACI,KAAK,CAAC,OAAO,CAAC,SAAqB;QACxC,IAAI,CAAC,kBAAkB,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACxD,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,kBAAkB,EAAE,SAAS,CAAC,CAAC;QACtE,OAAO;YACL,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,WAAW,EAAE,WAAW,CAAC,OAAO,CAAC;YACjC,QAAQ,EAAE,OAAO;SAClB,CAAC;IACJ,CAAC;IAEO,YAAY,CAAC,MAAsB;QACzC,MAAM,IAAI,GAAc,EAAE,CAAC;QAC3B,IAAI,MAAM,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;YAC7B,IAAI,CAAC,QAAQ,GAAG,IAAI,aAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC9E,CAAC;QACD,IAAI,MAAM,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;YACnC,IAAI,CAAC,cAAc,GAAG,IAAI,mBAAmB,CAAC,MAAM,CAAC,QAAQ,CAAC,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAChG,CAAC;QACD,IAAI,MAAM,CAAC,QAAQ,CAAC,aAAa,EAAE,CAAC;YAClC,IAAI,CAAC,aAAa,GAAG,IAAI,kBAAkB,CAAC,MAAM,CAAC,QAAQ,CAAC,aAAa,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC7F,CAAC;QACD,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,U
AAU,EAAE,MAAM,CAAC,EAAE,EAAE;YACpD,MAAM,CAAC,WAAW,CAAC,eAAe,EAAE,CAAC,YAAoD,EAAE,EAAE;gBAC3F,IAAI,CAAC,IAAI,CAAC,iBAAiB,UAAU,EAAE,EAAE,EAAE,UAAU,EAAE,GAAG,YAAY,EAAE,CAAC,CAAC;YAC5E,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAED,SAAS,WAAW,CAAC,OAAmB;IACtC,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACpC,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,UAAU,EAAE,EAAE,CAAC,OAAO,IAAI,UAAU,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;AACtG,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,QAAmB,EAAE,mBAA+B;IAC7E,MAAM,YAAY,GAAsC,EAAE,CAAC;IAC3D,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,EAAE,UAAU,CAAC,EAAE,EAAE;QAC3D,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC7B,YAAY,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,mBAAmB,EAAE,CAAC,CAAC,CAAC;IAC7D,CAAC,CAAC,CAAC;IACH,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IACpD,MAAM,OAAO,GAAe,EAAE,CAAC;IAC/B,WAAW,CAAC,OAAO,CAAC,CAAC,YAAY,EAAE,EAAE;QACnC,MAAM,SAAS,GAAG,YAAY,CAAC,WAAW,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC;QAClE,OAAO,CAAC,SAAS,CAAC,GAAG,YAAY,CAAC;IACpC,CAAC,CAAC,CAAC;IACH,OAAO,OAAO,CAAC;AACjB,CAAC"}
|
|
@@ -1,18 +1,9 @@
|
|
|
1
|
-
import
|
|
2
|
-
import {
|
|
3
|
-
import { AuditContext } from './interfaces/policyRuleInterfaces.js';
|
|
1
|
+
import { AuditRunConfig, BasePolicyFileContent } from '../core/file-mgmt/schema.js';
|
|
2
|
+
import { AuditContext } from '../core/registries/types.js';
|
|
4
3
|
import Policy, { ResolveEntityResult } from './policy.js';
|
|
5
|
-
export type ResolvedConnectedApp = {
|
|
6
|
-
name: string;
|
|
7
|
-
origin: 'Installed' | 'OauthToken' | 'Owned';
|
|
8
|
-
onlyAdminApprovedUsersAllowed: boolean;
|
|
9
|
-
overrideByApiSecurityAccess: boolean;
|
|
10
|
-
useCount: number;
|
|
11
|
-
users: string[];
|
|
12
|
-
};
|
|
13
4
|
export default class ConnectedAppPolicy extends Policy {
|
|
14
5
|
config: BasePolicyFileContent;
|
|
15
6
|
auditConfig: AuditRunConfig;
|
|
16
|
-
constructor(config: BasePolicyFileContent, auditConfig: AuditRunConfig, registry?:
|
|
7
|
+
constructor(config: BasePolicyFileContent, auditConfig: AuditRunConfig, registry?: import("../core/registries/connectedApps.js").default);
|
|
17
8
|
protected resolveEntities(context: AuditContext): Promise<ResolveEntityResult>;
|
|
18
9
|
}
|
|
@@ -1,11 +1,11 @@
|
|
|
1
|
-
import
|
|
2
|
-
import {
|
|
3
|
-
import
|
|
1
|
+
import { CONNECTED_APPS_QUERY, OAUTH_TOKEN_QUERY } from '../core/constants.js';
|
|
2
|
+
import { RuleRegistries } from '../core/registries/types.js';
|
|
3
|
+
import MDAPI from '../core/mdapi/mdapiRetriever.js';
|
|
4
4
|
import Policy, { getTotal } from './policy.js';
|
|
5
5
|
export default class ConnectedAppPolicy extends Policy {
|
|
6
6
|
config;
|
|
7
7
|
auditConfig;
|
|
8
|
-
constructor(config, auditConfig, registry =
|
|
8
|
+
constructor(config, auditConfig, registry = RuleRegistries.ConnectedApps) {
|
|
9
9
|
super(config, auditConfig, registry);
|
|
10
10
|
this.config = config;
|
|
11
11
|
this.auditConfig = auditConfig;
|
|
@@ -14,7 +14,7 @@ export default class ConnectedAppPolicy extends Policy {
|
|
|
14
14
|
async resolveEntities(context) {
|
|
15
15
|
const successfullyResolved = {};
|
|
16
16
|
const ignoredEntities = {};
|
|
17
|
-
const metadataApi = new
|
|
17
|
+
const metadataApi = new MDAPI(context.targetOrgConnection);
|
|
18
18
|
this.emit('entityresolve', {
|
|
19
19
|
total: 0,
|
|
20
20
|
resolved: 0,
|
|
@@ -58,7 +58,7 @@ export default class ConnectedAppPolicy extends Policy {
|
|
|
58
58
|
resolved: 0,
|
|
59
59
|
});
|
|
60
60
|
let overrideByApiSecurityAccess = false;
|
|
61
|
-
const apiSecurityAccessSetting = await metadataApi.
|
|
61
|
+
const apiSecurityAccessSetting = await metadataApi.resolveSingleton('ConnectedAppSettings');
|
|
62
62
|
if (apiSecurityAccessSetting && apiSecurityAccessSetting.enableAdminApprovedAppsOnly) {
|
|
63
63
|
overrideByApiSecurityAccess = true;
|
|
64
64
|
}
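Review bot: The `if (apiSecurityAccessSetting && apiSecurityAccessSetting.enableAdminApprovedAppsOnly)` guard on new line 62 folds "ConnectedAppSettings could not be read" into "admin-approved-only is disabled", so a failed or empty `resolveSingleton('ConnectedAppSettings')` silently leaves `overrideByApiSecurityAccess` false for every app. That direction is fail-closed — apps that are in fact protected by the org-wide switch are then reported as self-authorizable rather than being waved through — but the report cannot tell the operator that the finding is an artefact of a metadata read, and this branch will only be hit if `resolveSingleton` resolves to `undefined` instead of throwing (its body is not in this diff). I would collapse lines 60-64 to `const overrideByApiSecurityAccess = apiSecurityAccessSetting?.enableAdminApprovedAppsOnly === true;` and, when `apiSecurityAccessSetting === undefined`, record that in the emitted result (an `ignoredEntities` entry or a warning) so the NoUserCanSelfAuthorize violations can be triaged. `resolveEntities` starts and ends outside this hunk.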
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"connectedAppPolicy.js","sourceRoot":"","sources":["../../../src/libs/policies/connectedAppPolicy.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"connectedAppPolicy.js","sourceRoot":"","sources":["../../../src/libs/policies/connectedAppPolicy.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AAC/E,OAAO,EAAgB,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAE3E,OAAO,KAAK,MAAM,iCAAiC,CAAC;AACpD,OAAO,MAAM,EAAE,EAAE,QAAQ,EAAuB,MAAM,aAAa,CAAC;AAGpE,MAAM,CAAC,OAAO,OAAO,kBAAmB,SAAQ,MAAM;IAE3C;IACA;IAFT,YACS,MAA6B,EAC7B,WAA2B,EAClC,QAAQ,GAAG,cAAc,CAAC,aAAa;QAEvC,KAAK,CAAC,MAAM,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;QAJ9B,WAAM,GAAN,MAAM,CAAuB;QAC7B,gBAAW,GAAX,WAAW,CAAgB;IAIpC,CAAC;IAED,kDAAkD;IACxC,KAAK,CAAC,eAAe,CAAC,OAAqB;QACnD,MAAM,oBAAoB,GAAyC,EAAE,CAAC;QACtE,MAAM,eAAe,GAAuC,EAAE,CAAC;QAC/D,MAAM,WAAW,GAAG,IAAI,KAAK,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;QAC3D,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;YACzB,KAAK,EAAE,CAAC;YACR,QAAQ,EAAE,CAAC;SACZ,CAAC,CAAC;QACH,MAAM,aAAa,GAAG,MAAM,OAAO,CAAC,mBAAmB,CAAC,KAAK,CAAe,oBAAoB,CAAC,CAAC;QAClG,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;YACzB,KAAK,EAAE,aAAa,CAAC,SAAS;YAC9B,QAAQ,EAAE,CAAC;SACZ,CAAC,CAAC;QACH,aAAa,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,YAAY,EAAE,EAAE;YAC7C,oBAAoB,CAAC,YAAY,CAAC,IAAI,CAAC,GAAG;gBACxC,IAAI,EAAE,YAAY,CAAC,IAAI;gBACvB,MAAM,EAAE,WAAW;gBACnB,6BAA6B,EAAE,YAAY,CAAC,kCAAkC;gBAC9E,2BAA2B,EAAE,KAAK;gBAClC,QAAQ,EAAE,CAAC;gBACX,KAAK,EAAE,EAAE;aACV,CAAC;QACJ,CAAC,CAAC,CAAC;QACH,MAAM,eAAe,GAAG,MAAM,OAAO,CAAC,mBAAmB,CAAC,KAAK,CAAa,iBAAiB,CAAC,CAAC;QAC/F,eAAe,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE;YACxC,IAAI,oBAAoB,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,SAAS,EAAE,CAAC;gBACtD,oBAAoB,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG;oBACpC,IAAI,EAAE,KAAK,CAAC,OAAO;oBACnB,MAAM,EAAE,YAAY;oBACpB,6BAA6B,EAAE,KAAK;oBACpC,2BAA2B,EAAE,KAAK;oBAClC,QAAQ,EAAE,KAAK,CAAC,QAAQ;oBACxB,KAAK,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC;iBAC7B,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,oBAAoB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,QAAQ,IAAI,KAAK,CAAC,QAAQ,CAAC;gBAC/D,IAAI,CAAC,oBAAoB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAC7E,oBAAoB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,
CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBACtE,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QACH,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;YACzB,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,MAAM;YAC/C,QAAQ,EAAE,CAAC;SACZ,CAAC,CAAC;QACH,IAAI,2BAA2B,GAAG,KAAK,CAAC;QACxC,MAAM,wBAAwB,GAAG,MAAM,WAAW,CAAC,gBAAgB,CAAC,sBAAsB,CAAC,CAAC;QAC5F,IAAI,wBAAwB,IAAI,wBAAwB,CAAC,2BAA2B,EAAE,CAAC;YACrF,2BAA2B,GAAG,IAAI,CAAC;QACrC,CAAC;QACD,MAAM,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,EAAE;YACrD,6CAA6C;YAC7C,MAAM,CAAC,2BAA2B,GAAG,2BAA2B,CAAC;QACnE,CAAC,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,CAAC,MAAM,CAAC,eAAe,CAAC,EAAE,CAAC;QAC3G,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;YACzB,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC;YACvB,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC;SAC3B,CAAC,CAAC;QACH,8DAA8D;QAC9D,OAAO,MAAM,CAAC;IAChB,CAAC;CACF"}
|
|
@@ -1,17 +1,10 @@
|
|
|
1
|
-
import {
|
|
2
|
-
import {
|
|
3
|
-
import RuleRegistry from '../config/registries/ruleRegistry.js';
|
|
4
|
-
import { AuditContext } from './interfaces/policyRuleInterfaces.js';
|
|
1
|
+
import { AuditRunConfig, PermSetsPolicyFileContent } from '../core/file-mgmt/schema.js';
|
|
2
|
+
import { AuditContext } from '../core/registries/types.js';
|
|
5
3
|
import Policy, { ResolveEntityResult } from './policy.js';
|
|
6
|
-
export type ResolvedPermissionSet = {
|
|
7
|
-
name: string;
|
|
8
|
-
preset: string;
|
|
9
|
-
metadata: PermissionSet;
|
|
10
|
-
};
|
|
11
4
|
export default class PermissionSetPolicy extends Policy {
|
|
12
5
|
config: PermSetsPolicyFileContent;
|
|
13
6
|
auditContext: AuditRunConfig;
|
|
14
7
|
private totalEntities;
|
|
15
|
-
constructor(config: PermSetsPolicyFileContent, auditContext: AuditRunConfig, registry?:
|
|
8
|
+
constructor(config: PermSetsPolicyFileContent, auditContext: AuditRunConfig, registry?: import("../core/registries/permissionSets.js").default);
|
|
16
9
|
protected resolveEntities(context: AuditContext): Promise<ResolveEntityResult>;
|
|
17
10
|
}
|