@j-schreiber/sf-cli-security-audit 0.7.0 → 0.7.1
- package/lib/libs/core/file-mgmt/auditConfigFileManager.js +8 -2
- package/lib/libs/core/file-mgmt/auditConfigFileManager.js.map +1 -1
- package/lib/libs/core/file-mgmt/schema.d.ts +4 -3
- package/lib/libs/core/file-mgmt/schema.js +12 -2
- package/lib/libs/core/file-mgmt/schema.js.map +1 -1
- package/lib/libs/core/registries/rules/noInactiveUsers.js +2 -2
- package/lib/libs/core/registries/rules/noInactiveUsers.js.map +1 -1
- package/lib/libs/core/registries/rules/policyRule.d.ts +2 -0
- package/lib/libs/core/registries/rules/policyRule.js +10 -0
- package/lib/libs/core/registries/rules/policyRule.js.map +1 -1
- package/messages/org.audit.init.md +3 -3
- package/messages/org.audit.run.md +11 -3
- package/messages/org.scan.user-perms.md +7 -5
- package/oclif.manifest.json +81 -81
- package/package.json +1 -1
|
@@ -4,6 +4,7 @@ import yaml from 'js-yaml';
|
|
|
4
4
|
import { Messages } from '@salesforce/core';
|
|
5
5
|
import { isEmpty } from '../utils.js';
|
|
6
6
|
import { classificationDefs, policyDefs } from '../policyRegistry.js';
|
|
7
|
+
import { throwAsSfError, } from './schema.js';
|
|
7
8
|
Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
|
|
8
9
|
const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'org.audit.run');
|
|
9
10
|
/**
|
|
@@ -69,8 +70,13 @@ export default class AuditConfigFileManager {
|
|
|
69
70
|
const filePath = path.join(dirPath.toString(), subdirName, `${fileName}.yml`);
|
|
70
71
|
if (fs.existsSync(filePath)) {
|
|
71
72
|
const fileContent = yaml.load(fs.readFileSync(filePath, 'utf-8'));
|
|
72
|
-
const
|
|
73
|
-
|
|
73
|
+
const parseResult = fileConfig.schema.safeParse(fileContent);
|
|
74
|
+
if (parseResult.success) {
|
|
75
|
+
parseResults[fileName] = { filePath, content: parseResult.data };
|
|
76
|
+
}
|
|
77
|
+
else {
|
|
78
|
+
throwAsSfError(`${fileName}.yml`, parseResult.error);
|
|
79
|
+
}
|
|
74
80
|
}
|
|
75
81
|
});
|
|
76
82
|
return parseResults;
|
|
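Review bot: The `else` branch after `throwAsSfError(...)` in the new parse block is dead control flow — the helper is declared to return `never` in schema.d.ts — so a guard clause reads more directly: `if (!parseResult.success) { throwAsSfError(`${fileName}.yml`, parseResult.error); }` followed by `parseResults[fileName] = { filePath, content: parseResult.data };`. This is also the first point where a malformed config file becomes a hard error instead of a loosely shaped object, so the enclosing method (its signature is above the hunk) should say so in its JSDoc, e.g. `@throws the InvalidConfigFileSchema error from messages.createError when a file exists but does not match its schema`. Note that strictness is decided per `fileConfig.schema`: the options schemas became `$strict` in this release while the top-level `UsersPolicyFileSchema` still appears as `$strip` in schema.d.ts, so unknown top-level keys are dropped silently rather than reported.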
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auditConfigFileManager.js","sourceRoot":"","sources":["../../../../src/libs/core/file-mgmt/auditConfigFileManager.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAgB,MAAM,SAAS,CAAC;AACvC,OAAO,IAAI,MAAM,SAAS,CAAC;AAC3B,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AACtC,OAAO,EAAE,kBAAkB,EAAuB,UAAU,EAAe,MAAM,sBAAsB,CAAC;
|
|
1
|
+
{"version":3,"file":"auditConfigFileManager.js","sourceRoot":"","sources":["../../../../src/libs/core/file-mgmt/auditConfigFileManager.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAgB,MAAM,SAAS,CAAC;AACvC,OAAO,IAAI,MAAM,SAAS,CAAC;AAC3B,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AACtC,OAAO,EAAE,kBAAkB,EAAuB,UAAU,EAAe,MAAM,sBAAsB,CAAC;AACxG,OAAO,EAKL,cAAc,GACf,MAAM,aAAa,CAAC;AAErB,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,eAAe,CAAC,CAAC;AAE9F;;;;;GAKG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC,OAAe,EAAkB,EAAE,CAAC,kBAAkB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;AAEtG;;;;;GAKG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC,OAAe,EAAE,IAAoB,EAAQ,EAAE;IAC7E,kBAAkB,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;AACzC,CAAC,CAAC;AAEF;;;;;GAKG;AACH,MAAM,CAAC,OAAO,OAAO,sBAAsB;IACjC,kBAAkB,CAAC;IAE3B;QACE,IAAI,CAAC,kBAAkB,GAAG;YACxB,QAAQ,EAAE,UAAU;YACpB,eAAe,EAAE,kBAAkB;SACpC,CAAC;IACJ,CAAC;IAED;;;;;;OAMG;IACI,KAAK,CAAC,OAAiB;QAC5B,MAAM,eAAe,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAC;QACrE,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;QACvD,MAAM,IAAI,GAAG,EAAE,eAAe,EAAE,QAAQ,EAAE,CAAC;QAC3C,qBAAqB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QACrC,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,CAAC;QAChC,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;OAOG;IACI,IAAI,CAAC,aAAqB,EAAE,IAAoB;QACrD,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,eAAe,EAAE,aAAa,CAAC,CAAC;QAC/D,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;IACnD,CAAC;IAEO,WAAW,CACjB,OAAiB,EACjB,UAAgD;QAEhD,MAAM,YAAY,GAAwC,EAAE,CAAC;QAC7D,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,kBAAkB,CAAC,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE,UAAU,CAAC,EAAE,EAAE;YACrF,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,UAAU,EAAE,GAAG,QAAQ,MAAM,CAAC,CAAC;YAC9E,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC5B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC;gBAClE,MAAM,WAAW,GAAG,UAAU,CAAC,MAAM,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;g
BAC7D,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;oBACxB,YAAY,CAAC,QAAQ,CAAC,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,CAAC,IAAI,EAAE,CAAC;gBACnE,CAAC;qBAAM,CAAC;oBACN,cAAc,CAAC,GAAG,QAAQ,MAAM,EAAE,WAAW,CAAC,KAAK,CAAC,CAAC;gBACvD,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QACH,OAAO,YAAY,CAAC;IACtB,CAAC;IAEO,oBAAoB,CAAC,OAAsC,EAAE,aAAuB;QAC1F,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,QAAQ,EAAE,EAAE,iBAAiB,CAAC,CAAC;QACvE,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC3C,MAAM,OAAO,GAAG,IAAI,CAAC,kBAAkB,CAAC,eAAe,CAAC;QACxD,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,EAAE,EAAE;YACtD,MAAM,OAAO,GAAG,OAAO,CAAC,OAA8B,CAAC,CAAC;YACxD,IAAI,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC1C,6CAA6C;gBAC7C,QAAQ,CAAC,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,OAAO,MAAM,CAAC,CAAC;gBACzD,EAAE,CAAC,aAAa,CAAC,QAAQ,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;YACnE,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,aAAa,CAAC,OAA+B,EAAE,aAAuB;QAC5E,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,QAAQ,EAAE,EAAE,UAAU,CAAC,CAAC;QAChE,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC3C,MAAM,OAAO,GAAG,IAAI,CAAC,kBAAkB,CAAC,QAAQ,CAAC;QACjD,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,EAAE,EAAE;YACtD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAsB,CAAC,CAAC;YAChD,IAAI,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC1C,6CAA6C;gBAC7C,QAAQ,CAAC,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,OAAO,MAAM,CAAC,CAAC;gBACzD,EAAE,CAAC,aAAa,CAAC,QAAQ,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;YACnE,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,oBAAoB,CAAC,IAAoB;QAC/C,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,CAAC,UAAU,EAAE,EAAE;YAChD,MAAM,SAAS,GAAG,IAAI,CAAC,kBAAkB,CAAC,QAAQ,CAAC,UAAyB,CAAC,CAAC;YAC9E,IAAI,SAAS,EAAE,YAAY,EAAE,CAAC;gBAC5B,SAAS,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,UAAU,EAAE,EAAE;oBAC5C,IAAI,CAAC,gBAAgB,CAAC,UAAU,CAAC,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC;wBAC7C,MAAM,QAAQ,CAAC,WAAW,CAAC,UAAU
,CAAC,SAAS,CAAC,CAAC;oBACnD,CAAC;gBACH,CAAC,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AAED,SAAS,gBAAgB,CAAC,QAAkB,EAAE,QAAiC;IAC7E,MAAM,GAAG,GAAG,sBAAsB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IACvD,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC;AACtB,CAAC;AAED,SAAS,sBAAsB,CAAC,aAAuB,EAAE,QAAiC;IACxF,IAAI,aAAa,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QAC9B,OAAO,sBAAsB,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,CAA4B,CAAC,CAAC;IAC/G,CAAC;SAAM,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtC,OAAO,SAAS,CAAC;IACnB,CAAC;SAAM,CAAC;QACN,OAAO,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC;IACpC,CAAC;AACH,CAAC;AAED,SAAS,qBAAqB,CAAC,IAAoB,EAAE,OAAiB;IACpE,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5C,MAAM,gBAAgB,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;QACzG,MAAM,QAAQ,CAAC,WAAW,CAAC,oBAAoB,EAAE,CAAC,gBAAgB,CAAC,CAAC,CAAC;IACvE,CAAC;AACH,CAAC;AAED,MAAM,CAAC,MAAM,kBAAkB,GAAG,IAAI,sBAAsB,EAAE,CAAC"}
|
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
import z from 'zod';
|
|
2
2
|
import { PermissionRiskLevel } from '../classification-types.js';
|
|
3
3
|
import { ProfilesRiskPreset } from '../policy-types.js';
|
|
4
|
+
export declare function throwAsSfError(fileName: string, parseError: z.ZodError, rulePath?: PropertyKey[]): never;
|
|
4
5
|
declare const PermissionsClassificationSchema: z.ZodObject<{
|
|
5
6
|
label: z.ZodOptional<z.ZodString>;
|
|
6
7
|
reason: z.ZodOptional<z.ZodString>;
|
|
@@ -34,10 +35,10 @@ declare const PermSetMap: z.ZodRecord<z.ZodString, z.ZodObject<{
|
|
|
34
35
|
export declare const UsersPolicyConfig: z.ZodObject<{
|
|
35
36
|
defaultRoleForMissingUsers: z.ZodDefault<z.ZodEnum<typeof ProfilesRiskPreset>>;
|
|
36
37
|
analyseLastNDaysOfLoginHistory: z.ZodOptional<z.ZodNumber>;
|
|
37
|
-
}, z.z.core.$
|
|
38
|
+
}, z.z.core.$strict>;
|
|
38
39
|
export declare const NoInactiveUsersOptionsSchema: z.ZodObject<{
|
|
39
40
|
daysAfterUserIsInactive: z.ZodDefault<z.ZodNumber>;
|
|
40
|
-
}, z.z.core.$
|
|
41
|
+
}, z.z.core.$strict>;
|
|
41
42
|
export declare const PolicyFileSchema: z.ZodObject<{
|
|
42
43
|
enabled: z.ZodDefault<z.ZodBoolean>;
|
|
43
44
|
rules: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodObject<{
|
|
@@ -84,7 +85,7 @@ export declare const UsersPolicyFileSchema: z.ZodObject<{
|
|
|
84
85
|
options: z.ZodObject<{
|
|
85
86
|
defaultRoleForMissingUsers: z.ZodDefault<z.ZodEnum<typeof ProfilesRiskPreset>>;
|
|
86
87
|
analyseLastNDaysOfLoginHistory: z.ZodOptional<z.ZodNumber>;
|
|
87
|
-
}, z.z.core.$
|
|
88
|
+
}, z.z.core.$strict>;
|
|
88
89
|
}, z.z.core.$strip>;
|
|
89
90
|
export type PermissionsClassification = z.infer<typeof PermissionsClassificationSchema>;
|
|
90
91
|
export type NamedPermissionsClassification = z.infer<typeof NamedPermissionsClassificationSchema>;
|
|
@@ -1,6 +1,16 @@
|
|
|
1
1
|
import z from 'zod';
|
|
2
|
+
import { Messages } from '@salesforce/core';
|
|
2
3
|
import { PermissionRiskLevel } from '../classification-types.js';
|
|
3
4
|
import { ProfilesRiskPreset } from '../policy-types.js';
|
|
5
|
+
Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
|
|
6
|
+
const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'org.audit.run');
|
|
7
|
+
export function throwAsSfError(fileName, parseError, rulePath) {
|
|
8
|
+
const issues = parseError.issues.map((zodIssue) => {
|
|
9
|
+
const definitivePath = rulePath ? [...rulePath, ...zodIssue.path] : zodIssue.path;
|
|
10
|
+
return definitivePath.length > 0 ? `${zodIssue.message} in "${definitivePath.join('.')}"` : zodIssue.message;
|
|
11
|
+
});
|
|
12
|
+
throw messages.createError('error.InvalidConfigFileSchema', [fileName, issues.join(', ')]);
|
|
13
|
+
}
|
|
4
14
|
const PermissionsClassificationSchema = z.object({
|
|
5
15
|
/** UI Label */
|
|
6
16
|
label: z.string().optional(),
|
|
@@ -25,11 +35,11 @@ const PermSetConfig = z.object({
|
|
|
25
35
|
const PermSetMap = z.record(z.string(), PermSetConfig);
|
|
26
36
|
const UserConfig = z.object({ role: z.enum(ProfilesRiskPreset) });
|
|
27
37
|
const UsersMap = z.record(z.string(), UserConfig);
|
|
28
|
-
export const UsersPolicyConfig = z.
|
|
38
|
+
export const UsersPolicyConfig = z.strictObject({
|
|
29
39
|
defaultRoleForMissingUsers: z.enum(ProfilesRiskPreset).default(ProfilesRiskPreset.STANDARD_USER),
|
|
30
40
|
analyseLastNDaysOfLoginHistory: z.number().optional(),
|
|
31
41
|
});
|
|
32
|
-
export const NoInactiveUsersOptionsSchema = z.
|
|
42
|
+
export const NoInactiveUsersOptionsSchema = z.strictObject({
|
|
33
43
|
daysAfterUserIsInactive: z.number().default(90),
|
|
34
44
|
});
|
|
35
45
|
// FILE CONTENT SCHEMATA
|
|
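Review bot: `definitivePath.join('.')` in `throwAsSfError` throws a TypeError if any path element is a symbol — the declared element type is `PropertyKey` (see the new `rulePath?: PropertyKey[]` in schema.d.ts) and `Array.prototype.join` cannot stringify symbols — and numeric indices render as `rules.0` rather than `rules[0]`. `definitivePath.map(String).join('.')` keeps the error-path formatting from masking the real validation failure; whether a YAML-loaded object can actually yield symbol keys is doubtful, so treat this as a robustness guard. The exported function also deserves a JSDoc block stating that it never returns, that `rulePath` is prefixed to every issue path so callers such as `parseRuleOptions` can point at a rule's `options` block, and that the module now loads the `org.audit.run` message bundle at import time because `error.InvalidConfigFileSchema` lives in org.audit.run.md — any other command that imports schema.js inherits that dependency.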
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"schema.js","sourceRoot":"","sources":["../../../../src/libs/core/file-mgmt/schema.ts"],"names":[],"mappings":"AAAA,OAAO,CAAC,MAAM,KAAK,CAAC;AACpB,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACjE,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAExD,MAAM,+BAA+B,GAAG,CAAC,CAAC,MAAM,CAAC;IAC/C,eAAe;IACf,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,4DAA4D;IAC5D,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7B,yCAAyC;IACzC,cAAc,EAAE,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC;CAC5C,CAAC,CAAC;AAEH,MAAM,6BAA6B,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,+BAA+B,CAAC,CAAC;AAE5F,MAAM,oCAAoC,GAAG,+BAA+B,CAAC,MAAM,CAAC;IAClF,yDAAyD;IACzD,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;CACjB,CAAC,CAAC;AAEH,MAAM,sBAAsB,GAAG,CAAC,CAAC,MAAM,CAAC;IACtC,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAClC,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;CAChC,CAAC,CAAC;AAEH,MAAM,aAAa,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,sBAAsB,CAAC,CAAC;AAEnE,MAAM,aAAa,GAAG,CAAC,CAAC,MAAM,CAAC;IAC7B,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC;CACnC,CAAC,CAAC;AAEH,MAAM,UAAU,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,aAAa,CAAC,CAAC;AAEvD,MAAM,UAAU,GAAG,CAAC,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,EAAE,CAAC,CAAC;AAElE,MAAM,QAAQ,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,UAAU,CAAC,CAAC;AAElD,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,CAAC,
|
|
1
|
+
{"version":3,"file":"schema.js","sourceRoot":"","sources":["../../../../src/libs/core/file-mgmt/schema.ts"],"names":[],"mappings":"AAAA,OAAO,CAAC,MAAM,KAAK,CAAC;AACpB,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACjE,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAExD,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,eAAe,CAAC,CAAC;AAE9F,MAAM,UAAU,cAAc,CAAC,QAAgB,EAAE,UAAsB,EAAE,QAAwB;IAC/F,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE;QAChD,MAAM,cAAc,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC,GAAG,QAAQ,EAAE,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC;QAClF,OAAO,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,QAAQ,CAAC,OAAO,QAAQ,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC;IAC/G,CAAC,CAAC,CAAC;IACH,MAAM,QAAQ,CAAC,WAAW,CAAC,+BAA+B,EAAE,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAC7F,CAAC;AAED,MAAM,+BAA+B,GAAG,CAAC,CAAC,MAAM,CAAC;IAC/C,eAAe;IACf,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,4DAA4D;IAC5D,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7B,yCAAyC;IACzC,cAAc,EAAE,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC;CAC5C,CAAC,CAAC;AAEH,MAAM,6BAA6B,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,+BAA+B,CAAC,CAAC;AAE5F,MAAM,oCAAoC,GAAG,+BAA+B,CAAC,MAAM,CAAC;IAClF,yDAAyD;IACzD,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;CACjB,CAAC,CAAC;AAEH,MAAM,sBAAsB,GAAG,CAAC,CAAC,MAAM,CAAC;IACtC,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAClC,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;CAChC,CAAC,CAAC;AAEH,MAAM,aAAa,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,sBAAsB,CAAC,CAAC;AAEnE,MAAM,aAAa,GAAG,CAAC,CAAC,MAAM,CAAC;IAC7B,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC;CACnC,CAAC,CAAC;AAEH,MAAM,UAAU,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,aAAa,CAAC,CAAC;AAEvD,MAAM,UAAU,GAAG,CAAC,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,EAAE,CAAC,CAAC;AAElE,MAAM,QAAQ,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,UAAU,
CAAC,CAAC;AAElD,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,CAAC,YAAY,CAAC;IAC9C,0BAA0B,EAAE,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,OAAO,CAAC,kBAAkB,CAAC,aAAa,CAAC;IAChG,8BAA8B,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACtD,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAAC,CAAC,YAAY,CAAC;IACzD,uBAAuB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;CAChD,CAAC,CAAC;AAEH,wBAAwB;AAExB,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IACvC,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAClC,KAAK,EAAE,aAAa,CAAC,OAAO,CAAC,EAAE,CAAC;CACjC,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,wBAAwB,GAAG,gBAAgB,CAAC,MAAM,CAAC;IAC9D,QAAQ,EAAE,UAAU;CACrB,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,wBAAwB,GAAG,gBAAgB,CAAC,MAAM,CAAC;IAC9D,cAAc,EAAE,UAAU;CAC3B,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,2BAA2B,GAAG,CAAC,CAAC,MAAM,CAAC;IAClD,WAAW,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,+BAA+B,CAAC;CACnE,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,qBAAqB,GAAG,gBAAgB,CAAC,MAAM,CAAC;IAC3D,KAAK,EAAE,QAAQ;IACf,OAAO,EAAE,iBAAiB;CAC3B,CAAC,CAAC;AA+CH,MAAM,UAAU,mBAAmB,CAAC,GAAY;IAC9C,OAAQ,GAAqC,CAAC,OAAO,EAAE,WAAW,KAAK,SAAS,CAAC;AACnF,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,GAAY;IACzC,OAAQ,GAAyC,CAAC,OAAO,EAAE,KAAK,KAAK,SAAS,CAAC;AACjF,CAAC"}
|
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
import { Messages } from '@salesforce/core';
|
|
2
2
|
import { NoInactiveUsersOptionsSchema } from '../../file-mgmt/schema.js';
|
|
3
3
|
import { differenceInDays } from '../../utils.js';
|
|
4
|
-
import PolicyRule from './policyRule.js';
|
|
4
|
+
import PolicyRule, { parseRuleOptions } from './policyRule.js';
|
|
5
5
|
Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
|
|
6
6
|
const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.users');
|
|
7
7
|
export default class NoInactiveUsers extends PolicyRule {
|
|
8
8
|
ruleConfig;
|
|
9
9
|
constructor(localOpts) {
|
|
10
10
|
super(localOpts);
|
|
11
|
-
this.ruleConfig = NoInactiveUsersOptionsSchema
|
|
11
|
+
this.ruleConfig = parseRuleOptions('users.yml', ['rules', 'NoInactiveUsers'], NoInactiveUsersOptionsSchema, localOpts.ruleConfig);
|
|
12
12
|
}
|
|
13
13
|
run(context) {
|
|
14
14
|
const result = this.initResult();
|
|
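Review bot: The new constructor call hard-codes `'users.yml'` and `['rules', 'NoInactiveUsers']` purely for error reporting, duplicating the file name the config manager builds as `${fileName}.yml` and the key this rule is registered under; if the rule is re-keyed, the path shown in the error silently goes stale. Hoisting them to named constants beside the class (`const POLICY_FILE = 'users.yml'; const RULE_PATH = ['rules', 'NoInactiveUsers'];`) keeps them in one place, or, if the registry key is available on `localOpts`, the path could be derived from it. The class body continues past the hunk (the `run` method).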
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"noInactiveUsers.js","sourceRoot":"","sources":["../../../../../src/libs/core/registries/rules/noInactiveUsers.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAA0B,4BAA4B,EAAE,MAAM,2BAA2B,CAAC;AAEjG,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAElD,OAAO,
|
|
1
|
+
{"version":3,"file":"noInactiveUsers.js","sourceRoot":"","sources":["../../../../../src/libs/core/registries/rules/noInactiveUsers.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAA0B,4BAA4B,EAAE,MAAM,2BAA2B,CAAC;AAEjG,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAElD,OAAO,UAAU,EAAE,EAA2B,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAExF,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,aAAa,CAAC,CAAC;AAE5F,MAAM,CAAC,OAAO,OAAO,eAAgB,SAAQ,UAAwB;IAC3D,UAAU,CAAyB;IAE3C,YAAmB,SAA0D;QAC3E,KAAK,CAAC,SAAS,CAAC,CAAC;QACjB,IAAI,CAAC,UAAU,GAAG,gBAAgB,CAChC,WAAW,EACX,CAAC,OAAO,EAAE,iBAAiB,CAAC,EAC5B,4BAA4B,EAC5B,SAAS,CAAC,UAAU,CACK,CAAC;IAC9B,CAAC;IAEM,GAAG,CAAC,OAAuC;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;YACvD,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACnB,MAAM,UAAU,GAAG,gBAAgB,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;gBAChE,IAAI,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC,uBAAuB,EAAE,CAAC;oBACzD,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;wBACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC;wBAC3B,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,kCAAkC,EAAE;4BAC/D,UAAU;4BACV,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE;yBACvC,CAAC;qBACH,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;YACvD,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;gBACpB,MAAM,eAAe,GAAG,gBAAgB,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;gBACvE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;oBACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC;oBAC3B,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,gCAAgC,EAAE;wBAC7D,IAAI,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,WAAW,EAAE;wBACxC,eAAe;qBAChB,CAAC;iBACH,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;QACH,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF"}
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
import z from 'zod';
|
|
1
2
|
import { PartialPolicyRuleResult, RowLevelPolicyRule, RuleAuditContext } from '../types.js';
|
|
2
3
|
import { AuditRunConfig, NamedPermissionsClassification } from '../../file-mgmt/schema.js';
|
|
3
4
|
export type RuleOptions = {
|
|
@@ -17,3 +18,4 @@ export default abstract class PolicyRule<EntityType> implements RowLevelPolicyRu
|
|
|
17
18
|
protected resolveCustomPermission(permName: string): NamedPermissionsClassification | undefined;
|
|
18
19
|
abstract run(context: RuleAuditContext<EntityType>): Promise<PartialPolicyRuleResult>;
|
|
19
20
|
}
|
|
21
|
+
export declare function parseRuleOptions(policyName: string, rulePath: string[], schema: z.ZodObject, anyObject?: unknown): z.infer<typeof schema>;
|
|
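Review bot: The declared return type `z.infer<typeof schema>` on `parseRuleOptions` refers to the parameter's declared type `z.ZodObject`, not to the concrete schema a caller passes, so the result appears to be typed as a generic object rather than the shape of, say, `NoInactiveUsersOptionsSchema`, and callers have to cast. Making the function generic preserves the inferred type: `export declare function parseRuleOptions<T extends z.ZodObject>(policyName: string, rulePath: string[], schema: T, anyObject?: unknown): z.infer<T>;` — this is compiled output, so the fix belongs in policyRule.ts. The declaration also lacks a doc comment; the emitted one should state that it throws (via `throwAsSfError`) rather than returning on a schema mismatch.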
@@ -1,4 +1,5 @@
|
|
|
1
1
|
import { Messages } from '@salesforce/core';
|
|
2
|
+
import { throwAsSfError, } from '../../file-mgmt/schema.js';
|
|
2
3
|
Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
|
|
3
4
|
export default class PolicyRule {
|
|
4
5
|
opts;
|
|
@@ -25,6 +26,15 @@ export default class PolicyRule {
|
|
|
25
26
|
return nameClassification(permName, this.auditContext.classifications.customPermissions?.content.permissions[permName]);
|
|
26
27
|
}
|
|
27
28
|
}
|
|
29
|
+
export function parseRuleOptions(policyName, rulePath, schema, anyObject) {
|
|
30
|
+
const parseResult = schema.safeParse(anyObject ?? {});
|
|
31
|
+
if (parseResult.success) {
|
|
32
|
+
return parseResult.data;
|
|
33
|
+
}
|
|
34
|
+
else {
|
|
35
|
+
throwAsSfError(policyName, parseResult.error, [...rulePath, 'options']);
|
|
36
|
+
}
|
|
37
|
+
}
|
|
28
38
|
function nameClassification(permName, perm) {
|
|
29
39
|
return perm ? { name: permName, ...perm } : undefined;
|
|
30
40
|
}
|
|
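Review bot: `parseRuleOptions` ends in `else { throwAsSfError(...) }` with no return after it, so from the JS side the function falls through to `undefined` if `throwAsSfError` ever stops throwing; a guard clause makes the contract explicit: `if (!parseResult.success) { throwAsSfError(policyName, parseResult.error, [...rulePath, 'options']); }` then `return parseResult.data;`. The `anyObject ?? {}` default deliberately treats a missing `options` block as empty, which is what lets schema defaults such as `daysAfterUserIsInactive: 90` apply — worth a JSDoc line, together with `@throws` for the schema-mismatch error, since the function is exported. The same safeParse-then-throw shape now also exists in auditConfigFileManager.js; a shared helper in schema.js next to `throwAsSfError` would keep the two from drifting.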
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"policyRule.js","sourceRoot":"","sources":["../../../../../src/libs/core/registries/rules/policyRule.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;
|
|
1
|
+
{"version":3,"file":"policyRule.js","sourceRoot":"","sources":["../../../../../src/libs/core/registries/rules/policyRule.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAI5C,OAAO,EAIL,cAAc,GACf,MAAM,2BAA2B,CAAC;AAEnC,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAW7D,MAAM,CAAC,OAAO,OAAgB,UAAU;IAIT;IAHtB,YAAY,CAAiB;IAC7B,eAAe,CAAS;IAE/B,YAA6B,IAAiB;QAAjB,SAAI,GAAJ,IAAI,CAAa;QAC5C,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC;QACtC,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,eAAe,CAAC;IAC9C,CAAC;IAES,UAAU;QAClB,OAAO;YACL,QAAQ,EAAE,IAAI,CAAC,eAAe;YAC9B,UAAU,EAAE,IAAI,KAAK,EAAuB;YAC5C,eAAe,EAAE,IAAI,KAAK,EAA2B;YACrD,QAAQ,EAAE,IAAI,KAAK,EAAwB;YAC3C,MAAM,EAAE,IAAI,KAAK,EAAwB;SAC1C,CAAC;IACJ,CAAC;IAES,qBAAqB,CAAC,QAAgB;QAC9C,OAAO,kBAAkB,CACvB,QAAQ,EACR,IAAI,CAAC,YAAY,CAAC,eAAe,CAAC,eAAe,EAAE,OAAO,CAAC,WAAW,CAAC,QAAQ,CAAC,CACjF,CAAC;IACJ,CAAC;IAES,uBAAuB,CAAC,QAAgB;QAChD,OAAO,kBAAkB,CACvB,QAAQ,EACR,IAAI,CAAC,YAAY,CAAC,eAAe,CAAC,iBAAiB,EAAE,OAAO,CAAC,WAAW,CAAC,QAAQ,CAAC,CACnF,CAAC;IACJ,CAAC;CAGF;AAED,MAAM,UAAU,gBAAgB,CAC9B,UAAkB,EAClB,QAAkB,EAClB,MAAmB,EACnB,SAAmB;IAEnB,MAAM,WAAW,GAAG,MAAM,CAAC,SAAS,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC;IACtD,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;QACxB,OAAO,WAAW,CAAC,IAAI,CAAC;IAC1B,CAAC;SAAM,CAAC;QACN,cAAc,CAAC,UAAU,EAAE,WAAW,CAAC,KAAK,EAAE,CAAC,GAAG,QAAQ,EAAE,SAAS,CAAC,CAAC,CAAC;IAC1E,CAAC;AACH,CAAC;AAED,SAAS,kBAAkB,CACzB,QAAgB,EAChB,IAAgC;IAEhC,OAAO,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;AACxD,CAAC"}
|
|
@@ -1,10 +1,10 @@
|
|
|
1
1
|
# summary
|
|
2
2
|
|
|
3
|
-
|
|
3
|
+
Initialise a new audit config.
|
|
4
4
|
|
|
5
5
|
# description
|
|
6
6
|
|
|
7
|
-
|
|
7
|
+
Uses your org's configuration to set up a new audit config at the target destination. This creates the basic classification and policy files that make up an audit config. You can select from presets to initialise risk levels with default values. After initialisation, you can customize the files to suit your needs.
|
|
8
8
|
|
|
9
9
|
# flags.target-org.summary
|
|
10
10
|
|
|
@@ -16,7 +16,7 @@ Directory where the audit config is initialised. If not set, the root directory
|
|
|
16
16
|
|
|
17
17
|
# flags.preset.summary
|
|
18
18
|
|
|
19
|
-
|
|
19
|
+
Preset to initialise defaults for permission risk levels.
|
|
20
20
|
|
|
21
21
|
# flags.preset.description
|
|
22
22
|
|
|
@@ -1,10 +1,10 @@
|
|
|
1
1
|
# summary
|
|
2
2
|
|
|
3
|
-
Audit your org.
|
|
3
|
+
Audit your org with an existing config.
|
|
4
4
|
|
|
5
5
|
# description
|
|
6
6
|
|
|
7
|
-
Loads
|
|
7
|
+
Loads an existing audit config from the source directory and audits the target org. The audit run always creates a comprehensive report in JSON format.
|
|
8
8
|
|
|
9
9
|
# flags.target-org.summary
|
|
10
10
|
|
|
@@ -12,7 +12,7 @@ The org that is audited.
|
|
|
12
12
|
|
|
13
13
|
# flags.source-dir.summary
|
|
14
14
|
|
|
15
|
-
|
|
15
|
+
Source directory of the audit config to run.
|
|
16
16
|
|
|
17
17
|
# flags.source-dir.description
|
|
18
18
|
|
|
@@ -47,3 +47,11 @@ The "Profiles" policy requires at least userPermissions to be initialised, but n
|
|
|
47
47
|
# UserPermClassificationRequiredForPermSets
|
|
48
48
|
|
|
49
49
|
The "Permission Sets" policy requires at least userPermissions to be initialised, but none were found at the target directory.
|
|
50
|
+
|
|
51
|
+
# error.InvalidConfigFileSchema
|
|
52
|
+
|
|
53
|
+
Failed to parse %s: %s.
|
|
54
|
+
|
|
55
|
+
# error.InvalidConfigFileSchema.actions
|
|
56
|
+
|
|
57
|
+
Verify that your config matches the expected schema.
|
|
@@ -1,18 +1,18 @@
|
|
|
1
1
|
# summary
|
|
2
2
|
|
|
3
|
-
Performs a quick scan
|
|
3
|
+
Performs a quick scan for specific user permissions.
|
|
4
4
|
|
|
5
5
|
# description
|
|
6
6
|
|
|
7
|
-
The
|
|
7
|
+
The target org is scanned "in memory" and searches Profiles and Permission Sets for the named user permissions. This command does not need an audit config and does not create a report file.
|
|
8
8
|
|
|
9
9
|
# flags.name.summary
|
|
10
10
|
|
|
11
|
-
One or more permissions to be
|
|
11
|
+
One or more permissions to be searched for.
|
|
12
12
|
|
|
13
13
|
# flags.name.description
|
|
14
14
|
|
|
15
|
-
You can specify any valid user permission on your org, such as "AuthorApex", "CustomizeApplication" or "ViewSetup". If you are unsure what permissions are available on your org, initialise a new audit config and check the created userPermissions.yml.
|
|
15
|
+
You can specify any valid user permission on your org, such as "AuthorApex", "CustomizeApplication" or "ViewSetup". If you are unsure what permissions are available on your org, initialise a new audit config and check the created userPermissions.yml. Currently, the names are not validated: If you have a typo (such as "AutorApex", the scan will retun 0 results).
|
|
16
16
|
|
|
17
17
|
# flags.target-org.summary
|
|
18
18
|
|
|
@@ -20,7 +20,9 @@ The target org to scan.
|
|
|
20
20
|
|
|
21
21
|
# examples
|
|
22
22
|
|
|
23
|
-
-
|
|
23
|
+
- Search for multiple permissions on MyTargetOrg
|
|
24
|
+
|
|
25
|
+
<%= config.bin %> <%= command.id %> -o MyTargetOrg -n AuthorApex -n ModifyMetadata
|
|
24
26
|
|
|
25
27
|
# success.scanned-entities-count
|
|
26
28
|
|
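Review bot: The sentence appended to `flags.name.description` has a typo and a misplaced parenthesis — `(such as "AutorApex", the scan will retun 0 results)` — and this bundle is user-facing help text emitted by the CLI. Suggested wording: `Currently, the names are not validated: if you have a typo (such as "AutorApex"), the scan will return 0 results.`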
package/oclif.manifest.json
CHANGED
|
@@ -1,11 +1,12 @@
|
|
|
1
1
|
{
|
|
2
2
|
"commands": {
|
|
3
|
-
"org:
|
|
3
|
+
"org:audit:init": {
|
|
4
4
|
"aliases": [],
|
|
5
5
|
"args": {},
|
|
6
|
-
"description": "
|
|
6
|
+
"description": "Uses your org's configuration to set up a new audit config at the target destination. This creates the basic classification and policy files that make up an audit config. You can select from presets to initialise risk levels with default values. After initialisation, you can customize the files to suit your needs.",
|
|
7
7
|
"examples": [
|
|
8
|
-
"<%= config.bin %> <%= command.id %>"
|
|
8
|
+
"Initialise audit policies at the root directory\n<%= config.bin %> <%= command.id %> -o MyTargetOrg",
|
|
9
|
+
"Initialise audit config at custom directory with preset\n<%= config.bin %> <%= command.id %> -o MyTargetOrg -d my_dir -p loose"
|
|
9
10
|
],
|
|
10
11
|
"flags": {
|
|
11
12
|
"json": {
|
|
@@ -23,26 +24,41 @@
|
|
|
23
24
|
"multiple": false,
|
|
24
25
|
"type": "option"
|
|
25
26
|
},
|
|
26
|
-
"name": {
|
|
27
|
-
"char": "n",
|
|
28
|
-
"description": "You can specify any valid user permission on your org, such as \"AuthorApex\", \"CustomizeApplication\" or \"ViewSetup\". If you are unsure what permissions are available on your org, initialise a new audit config and check the created userPermissions.yml.",
|
|
29
|
-
"name": "name",
|
|
30
|
-
"required": true,
|
|
31
|
-
"summary": "One or more permissions to be scanned.",
|
|
32
|
-
"hasDynamicHelp": false,
|
|
33
|
-
"multiple": true,
|
|
34
|
-
"type": "option"
|
|
35
|
-
},
|
|
36
27
|
"target-org": {
|
|
37
28
|
"char": "o",
|
|
38
29
|
"name": "target-org",
|
|
39
30
|
"noCacheDefault": true,
|
|
40
31
|
"required": true,
|
|
41
|
-
"summary": "
|
|
32
|
+
"summary": "Target org to export permissions, profiles, users, etc.",
|
|
42
33
|
"hasDynamicHelp": true,
|
|
43
34
|
"multiple": false,
|
|
44
35
|
"type": "option"
|
|
45
36
|
},
|
|
37
|
+
"output-dir": {
|
|
38
|
+
"char": "d",
|
|
39
|
+
"name": "output-dir",
|
|
40
|
+
"required": false,
|
|
41
|
+
"summary": "Directory where the audit config is initialised. If not set, the root directory will be used.",
|
|
42
|
+
"default": "",
|
|
43
|
+
"hasDynamicHelp": false,
|
|
44
|
+
"multiple": false,
|
|
45
|
+
"type": "option"
|
|
46
|
+
},
|
|
47
|
+
"preset": {
|
|
48
|
+
"char": "p",
|
|
49
|
+
"description": "The selected preset is applied before any other default mechanisms (such as template configs). This means, values from a selected template override the preset. Consult the documentation to learn more about the rationale behind the default risk levels. The risk levels interact with the configured preset on profiles and permission sets and essentially control, if a permission is allowed in a certain profile / permission set.",
|
|
50
|
+
"name": "preset",
|
|
51
|
+
"summary": "Preset to initialise defaults for permission risk levels.",
|
|
52
|
+
"default": "strict",
|
|
53
|
+
"hasDynamicHelp": false,
|
|
54
|
+
"multiple": false,
|
|
55
|
+
"options": [
|
|
56
|
+
"strict",
|
|
57
|
+
"loose",
|
|
58
|
+
"none"
|
|
59
|
+
],
|
|
60
|
+
"type": "option"
|
|
61
|
+
},
|
|
46
62
|
"api-version": {
|
|
47
63
|
"description": "Override the api version used for api requests made by this command",
|
|
48
64
|
"name": "api-version",
|
|
@@ -53,38 +69,37 @@
|
|
|
53
69
|
},
|
|
54
70
|
"hasDynamicHelp": true,
|
|
55
71
|
"hiddenAliases": [],
|
|
56
|
-
"id": "org:
|
|
72
|
+
"id": "org:audit:init",
|
|
57
73
|
"pluginAlias": "@j-schreiber/sf-cli-security-audit",
|
|
58
74
|
"pluginName": "@j-schreiber/sf-cli-security-audit",
|
|
59
75
|
"pluginType": "core",
|
|
60
76
|
"strict": true,
|
|
61
|
-
"summary": "
|
|
77
|
+
"summary": "Initialise a new audit config.",
|
|
62
78
|
"enableJsonFlag": true,
|
|
63
79
|
"isESM": true,
|
|
64
80
|
"relativePath": [
|
|
65
81
|
"lib",
|
|
66
82
|
"commands",
|
|
67
83
|
"org",
|
|
68
|
-
"
|
|
69
|
-
"
|
|
84
|
+
"audit",
|
|
85
|
+
"init.js"
|
|
70
86
|
],
|
|
71
87
|
"aliasPermutations": [],
|
|
72
88
|
"permutations": [
|
|
73
|
-
"org:
|
|
74
|
-
"
|
|
75
|
-
"
|
|
76
|
-
"org:
|
|
77
|
-
"
|
|
78
|
-
"
|
|
89
|
+
"org:audit:init",
|
|
90
|
+
"audit:org:init",
|
|
91
|
+
"audit:init:org",
|
|
92
|
+
"org:init:audit",
|
|
93
|
+
"init:org:audit",
|
|
94
|
+
"init:audit:org"
|
|
79
95
|
]
|
|
80
96
|
},
|
|
81
|
-
"org:audit:
|
|
97
|
+
"org:audit:run": {
|
|
82
98
|
"aliases": [],
|
|
83
99
|
"args": {},
|
|
84
|
-
"description": "
|
|
100
|
+
"description": "Loads an existing audit config from the source directory and audits the target org. The audit run always creates a comprehensive report in JSON format.",
|
|
85
101
|
"examples": [
|
|
86
|
-
"
|
|
87
|
-
"Initialise audit config at custom directory with preset\n<%= config.bin %> <%= command.id %> -o MyTargetOrg -d my_dir -p loose"
|
|
102
|
+
"Audit the org MyTargetOrg with the config in configs/prod\n<%= config.bin %> <%= command.id %> -o MyTargetOrg -d configs/prod"
|
|
88
103
|
],
|
|
89
104
|
"flags": {
|
|
90
105
|
"json": {
|
|
@@ -107,36 +122,21 @@
|
|
|
107
122
|
"name": "target-org",
|
|
108
123
|
"noCacheDefault": true,
|
|
109
124
|
"required": true,
|
|
110
|
-
"summary": "
|
|
125
|
+
"summary": "The org that is audited.",
|
|
111
126
|
"hasDynamicHelp": true,
|
|
112
127
|
"multiple": false,
|
|
113
128
|
"type": "option"
|
|
114
129
|
},
|
|
115
|
-
"
|
|
130
|
+
"source-dir": {
|
|
116
131
|
"char": "d",
|
|
117
|
-
"name": "
|
|
132
|
+
"name": "source-dir",
|
|
118
133
|
"required": false,
|
|
119
|
-
"summary": "
|
|
134
|
+
"summary": "Source directory of the audit config to run.",
|
|
120
135
|
"default": "",
|
|
121
136
|
"hasDynamicHelp": false,
|
|
122
137
|
"multiple": false,
|
|
123
138
|
"type": "option"
|
|
124
139
|
},
|
|
125
|
-
"preset": {
|
|
126
|
-
"char": "p",
|
|
127
|
-
"description": "The selected preset is applied before any other default mechanisms (such as template configs). This means, values from a selected template override the preset. Consult the documentation to learn more about the rationale behind the default risk levels. The risk levels interact with the configured preset on profiles and permission sets and essentially control, if a permission is allowed in a certain profile / permission set.",
|
|
128
|
-
"name": "preset",
|
|
129
|
-
"summary": "Select a preset to initialise permission classifications (risk levels).",
|
|
130
|
-
"default": "strict",
|
|
131
|
-
"hasDynamicHelp": false,
|
|
132
|
-
"multiple": false,
|
|
133
|
-
"options": [
|
|
134
|
-
"strict",
|
|
135
|
-
"loose",
|
|
136
|
-
"none"
|
|
137
|
-
],
|
|
138
|
-
"type": "option"
|
|
139
|
-
},
|
|
140
140
|
"api-version": {
|
|
141
141
|
"description": "Override the api version used for api requests made by this command",
|
|
142
142
|
"name": "api-version",
|
|
@@ -147,12 +147,12 @@
|
|
|
147
147
|
},
|
|
148
148
|
"hasDynamicHelp": true,
|
|
149
149
|
"hiddenAliases": [],
|
|
150
|
-
"id": "org:audit:
|
|
150
|
+
"id": "org:audit:run",
|
|
151
151
|
"pluginAlias": "@j-schreiber/sf-cli-security-audit",
|
|
152
152
|
"pluginName": "@j-schreiber/sf-cli-security-audit",
|
|
153
153
|
"pluginType": "core",
|
|
154
154
|
"strict": true,
|
|
155
|
-
"summary": "
|
|
155
|
+
"summary": "Audit your org with an existing config.",
|
|
156
156
|
"enableJsonFlag": true,
|
|
157
157
|
"isESM": true,
|
|
158
158
|
"relativePath": [
|
|
@@ -160,24 +160,24 @@
|
|
|
160
160
|
"commands",
|
|
161
161
|
"org",
|
|
162
162
|
"audit",
|
|
163
|
-
"
|
|
163
|
+
"run.js"
|
|
164
164
|
],
|
|
165
165
|
"aliasPermutations": [],
|
|
166
166
|
"permutations": [
|
|
167
|
-
"org:audit:
|
|
168
|
-
"audit:org:
|
|
169
|
-
"audit:
|
|
170
|
-
"org:
|
|
171
|
-
"
|
|
172
|
-
"
|
|
167
|
+
"org:audit:run",
|
|
168
|
+
"audit:org:run",
|
|
169
|
+
"audit:run:org",
|
|
170
|
+
"org:run:audit",
|
|
171
|
+
"run:org:audit",
|
|
172
|
+
"run:audit:org"
|
|
173
173
|
]
|
|
174
174
|
},
|
|
175
|
-
"org:
|
|
175
|
+
"org:scan:user-perms": {
|
|
176
176
|
"aliases": [],
|
|
177
177
|
"args": {},
|
|
178
|
-
"description": "
|
|
178
|
+
"description": "The target org is scanned \"in memory\" and searches Profiles and Permission Sets for the named user permissions. This command does not need an audit config and does not create a report file.",
|
|
179
179
|
"examples": [
|
|
180
|
-
"
|
|
180
|
+
"Search for multiple permissions on MyTargetOrg\n<%= config.bin %> <%= command.id %> -o MyTargetOrg -n AuthorApex -n ModifyMetadata"
|
|
181
181
|
],
|
|
182
182
|
"flags": {
|
|
183
183
|
"json": {
|
|
@@ -195,26 +195,26 @@
|
|
|
195
195
|
"multiple": false,
|
|
196
196
|
"type": "option"
|
|
197
197
|
},
|
|
198
|
+
"name": {
|
|
199
|
+
"char": "n",
|
|
200
|
+
"description": "You can specify any valid user permission on your org, such as \"AuthorApex\", \"CustomizeApplication\" or \"ViewSetup\". If you are unsure what permissions are available on your org, initialise a new audit config and check the created userPermissions.yml. Currently, the names are not validated: If you have a typo (such as \"AutorApex\", the scan will retun 0 results).",
|
|
201
|
+
"name": "name",
|
|
202
|
+
"required": true,
|
|
203
|
+
"summary": "One or more permissions to be searched for.",
|
|
204
|
+
"hasDynamicHelp": false,
|
|
205
|
+
"multiple": true,
|
|
206
|
+
"type": "option"
|
|
207
|
+
},
|
|
198
208
|
"target-org": {
|
|
199
209
|
"char": "o",
|
|
200
210
|
"name": "target-org",
|
|
201
211
|
"noCacheDefault": true,
|
|
202
212
|
"required": true,
|
|
203
|
-
"summary": "The org
|
|
213
|
+
"summary": "The target org to scan.",
|
|
204
214
|
"hasDynamicHelp": true,
|
|
205
215
|
"multiple": false,
|
|
206
216
|
"type": "option"
|
|
207
217
|
},
|
|
208
|
-
"source-dir": {
|
|
209
|
-
"char": "d",
|
|
210
|
-
"name": "source-dir",
|
|
211
|
-
"required": false,
|
|
212
|
-
"summary": "Location of the audit config.",
|
|
213
|
-
"default": "",
|
|
214
|
-
"hasDynamicHelp": false,
|
|
215
|
-
"multiple": false,
|
|
216
|
-
"type": "option"
|
|
217
|
-
},
|
|
218
218
|
"api-version": {
|
|
219
219
|
"description": "Override the api version used for api requests made by this command",
|
|
220
220
|
"name": "api-version",
|
|
@@ -225,31 +225,31 @@
|
|
|
225
225
|
},
|
|
226
226
|
"hasDynamicHelp": true,
|
|
227
227
|
"hiddenAliases": [],
|
|
228
|
-
"id": "org:
|
|
228
|
+
"id": "org:scan:user-perms",
|
|
229
229
|
"pluginAlias": "@j-schreiber/sf-cli-security-audit",
|
|
230
230
|
"pluginName": "@j-schreiber/sf-cli-security-audit",
|
|
231
231
|
"pluginType": "core",
|
|
232
232
|
"strict": true,
|
|
233
|
-
"summary": "
|
|
233
|
+
"summary": "Performs a quick scan for specific user permissions.",
|
|
234
234
|
"enableJsonFlag": true,
|
|
235
235
|
"isESM": true,
|
|
236
236
|
"relativePath": [
|
|
237
237
|
"lib",
|
|
238
238
|
"commands",
|
|
239
239
|
"org",
|
|
240
|
-
"
|
|
241
|
-
"
|
|
240
|
+
"scan",
|
|
241
|
+
"user-perms.js"
|
|
242
242
|
],
|
|
243
243
|
"aliasPermutations": [],
|
|
244
244
|
"permutations": [
|
|
245
|
-
"org:
|
|
246
|
-
"
|
|
247
|
-
"
|
|
248
|
-
"org:
|
|
249
|
-
"
|
|
250
|
-
"
|
|
245
|
+
"org:scan:user-perms",
|
|
246
|
+
"scan:org:user-perms",
|
|
247
|
+
"scan:user-perms:org",
|
|
248
|
+
"org:user-perms:scan",
|
|
249
|
+
"user-perms:org:scan",
|
|
250
|
+
"user-perms:scan:org"
|
|
251
251
|
]
|
|
252
252
|
}
|
|
253
253
|
},
|
|
254
|
-
"version": "0.7.
|
|
254
|
+
"version": "0.7.1"
|
|
255
255
|
}
|
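--- a/package/package.json
+++ b/package/package.json
@@ -1,7 +1,7 @@
 {
 "name": "@j-schreiber/sf-cli-security-audit",
 "description": "Salesforce CLI plugin to automate highly configurable security audits",
-"version": "0.7.
+"version": "0.7.1",
 "repository": {
 "type": "https",
 "url": "https://github.com/j-schreiber/js-sf-cli-security-audit"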