@j-schreiber/sf-cli-security-audit 0.8.2 → 0.8.3

package/lib/libs/core/registries/helpers/permissionsScanning.js

@@ -0,0 +1,69 @@
+import { Messages } from '@salesforce/core';
+import { PermissionRiskLevel } from '../../classification-types.js';
+import { permissionAllowedInPreset } from '../../policy-types.js';
+Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
+const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.enforceClassificationPresets');
+/**
+ * Scan userPermissions and customPermissions of a profile or permission set and
+ * get a unified scan result with violations (risk level not allowed) and warnings
+ * (risk level not classified)
+ *
+ * @param profileLike
+ * @param auditRun
+ * @param rootIdentifier Optional root identifier for messages to prepend.
+ * @returns
+ */
+export function scanProfileLike(profileLike, auditRun, rootIdentifier) {
+    if (!profileLike.metadata) {
+        return { violations: [], warnings: [] };
+    }
+    const userPermsResult = scanPermissions(profileLike, 'userPermissions', auditRun, rootIdentifier);
+    const customPermsResult = scanPermissions(profileLike, 'customPermissions', auditRun, rootIdentifier);
+    userPermsResult.violations.push(...customPermsResult.violations);
+    userPermsResult.warnings.push(...customPermsResult.warnings);
+    return userPermsResult;
+}
+export function scanPermissions(profile, permissionListName, auditRun, rootIdentifier) {
+    const result = { warnings: [], violations: [] };
+    for (const perm of profile.metadata[permissionListName]) {
+        const identifier = rootIdentifier ? [...rootIdentifier, profile.name, perm.name] : [profile.name, perm.name];
+        const permClassification = resolvePerm(perm.name, auditRun, permissionListName);
+        if (permClassification) {
+            if (permClassification.classification === PermissionRiskLevel.BLOCKED) {
+                result.violations.push({
+                    identifier,
+                    message: messages.getMessage('violations.permission-is-blocked'),
+                });
+            }
+            else if (!permissionAllowedInPreset(permClassification.classification, profile.preset)) {
+                result.violations.push({
+                    identifier,
+                    message: messages.getMessage('violations.classification-preset-mismatch', [
+                        permClassification.classification,
+                        profile.preset,
+                    ]),
+                });
+            }
+            else if (permClassification.classification === PermissionRiskLevel.UNKNOWN) {
+                result.warnings.push({
+                    identifier,
+                    message: messages.getMessage('warnings.permission-unknown'),
+                });
+            }
+        }
+        else {
+            result.warnings.push({
+                identifier,
+                message: messages.getMessage('warnings.permission-not-classified'),
+            });
+        }
+    }
+    return result;
+}
+export function resolvePerm(permName, auditRun, type) {
+    return nameClassification(permName, auditRun.classifications[type]?.content.permissions[permName]);
+}
+function nameClassification(permName, perm) {
+    return perm ? { name: permName, ...perm } : undefined;
+}
+//# sourceMappingURL=permissionsScanning.js.map

package/lib/libs/core/registries/helpers/permissionsScanning.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissionsScanning.js","sourceRoot":"","sources":["../../../../../src/libs/core/registries/helpers/permissionsScanning.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAK5C,OAAO,EAAE,mBAAmB,EAAE,MAAM,+BAA+B,CAAC;AACpE,OAAO,EAAE,yBAAyB,EAAE,MAAM,uBAAuB,CAAC;AAElE,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,oCAAoC,CAAC,CAAC;AAiBnH;;;;;;;;;GASG;AACH,MAAM,UAAU,eAAe,CAC7B,WAAgC,EAChC,QAAwB,EACxB,cAAyB;IAEzB,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,CAAC;QAC1B,OAAO,EAAE,UAAU,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;IAC1C,CAAC;IACD,MAAM,eAAe,GAAG,eAAe,CAAC,WAAW,EAAE,iBAAiB,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAC;IAClG,MAAM,iBAAiB,GAAG,eAAe,CAAC,WAAW,EAAE,mBAAmB,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAC;IACtG,eAAe,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,UAAU,CAAC,CAAC;IACjE,eAAe,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;IAC7D,OAAO,eAAe,CAAC;AACzB,CAAC;AAED,MAAM,UAAU,eAAe,CAC7B,OAA4B,EAC5B,kBAAsC,EACtC,QAAwB,EACxB,cAAyB;IAEzB,MAAM,MAAM,GAAe,EAAE,QAAQ,EAAE,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;IAC5D,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;QACxD,MAAM,UAAU,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC,GAAG,cAAc,EAAE,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7G,MAAM,kBAAkB,GAAG,WAAW,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,EAAE,kBAAkB,CAAC,CAAC;QAChF,IAAI,kBAAkB,EAAE,CAAC;YACvB,IAAI,kBAAkB,CAAC,cAAc,KAAK,mBAAmB,CAAC,OAAO,EAAE,CAAC;gBACtE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;oBACrB,UAAU;oBACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,kCAAkC,CAAC;iBACjE,CAAC,CAAC;YACL,CAAC;iBAAM,IAAI,CAAC,yBAAyB,CAAC,kBAAkB,CAAC,cAAc,EAAE,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;gBACzF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;oBACrB,UAAU;oBACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,2CAA2C,EAAE;wBACxE,kBAAkB,CAAC,cAAc;wBACjC,OAAO,CAAC,MAAM;qBACf,CAAC;iBACH,CAAC,CAAC;YACL,CAAC;iBAAM,IAAI,kBAAkB,CAAC,cAAc,KAAK,mBAAmB,CAAC,OAAO,EAAE,CAAC;gBAC7E,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;oBACnB,UAAU;oBACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,6BAA6B,CAAC;iBAC5D,CAAC,CAAC;YACL,CAAC;QACH,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;gBACnB,UAAU;gBACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,oCAAoC,CAAC;aACnE,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,WAAW,CACzB,QAAgB,EAChB,QAAwB,EACxB,IAAyB;IAEzB,OAAO,kBAAkB,CAAC,QAAQ,EAAE,QAAQ,CAAC,eAAe,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,CAAC;AACrG,CAAC;AAED,SAAS,kBAAkB,CACzB,QAAgB,EAChB,IAAgC;IAEhC,OAAO,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;AACxD,CAAC"}

package/lib/libs/core/registries/permissionSets.d.ts

@@ -0,0 +1,11 @@
+import { PermissionSet } from '@jsforce/jsforce-node/lib/api/metadata.js';
+import RuleRegistry from './ruleRegistry.js';
+export type ResolvedPermissionSet = {
+    name: string;
+    preset: string;
+    metadata: PermissionSet;
+};
+export default class PermSetsRuleRegistry extends RuleRegistry {
+    constructor();
+}
+export declare const PermissionSetsRegistry: PermSetsRuleRegistry;

package/lib/libs/core/registries/permissionSets.js

@@ -0,0 +1,11 @@
+import RuleRegistry from './ruleRegistry.js';
+import EnforcePermissionsOnProfileLike from './rules/enforcePermissionsOnProfileLike.js';
+export default class PermSetsRuleRegistry extends RuleRegistry {
+    constructor() {
+        super({
+            EnforcePermissionClassifications: EnforcePermissionsOnProfileLike,
+        });
+    }
+}
+export const PermissionSetsRegistry = new PermSetsRuleRegistry();
+//# sourceMappingURL=permissionSets.js.map

package/lib/libs/core/registries/permissionSets.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissionSets.js","sourceRoot":"","sources":["../../../../src/libs/core/registries/permissionSets.ts"],"names":[],"mappings":"AACA,OAAO,YAAY,MAAM,mBAAmB,CAAC;AAC7C,OAAO,+BAA+B,MAAM,4CAA4C,CAAC;AAOzF,MAAM,CAAC,OAAO,OAAO,oBAAqB,SAAQ,YAAY;IAC5D;QACE,KAAK,CAAC;YACJ,gCAAgC,EAAE,+BAA+B;SAClE,CAAC,CAAC;IACL,CAAC;CACF;AAED,MAAM,CAAC,MAAM,sBAAsB,GAAG,IAAI,oBAAoB,EAAE,CAAC"}

package/lib/libs/core/registries/profiles.d.ts

@@ -0,0 +1,11 @@
+import { Profile as ProfileMetadata } from '@jsforce/jsforce-node/lib/api/metadata.js';
+import RuleRegistry from './ruleRegistry.js';
+export type ResolvedProfile = {
+    name: string;
+    preset: string;
+    metadata: ProfileMetadata;
+};
+export default class ProfilesRuleRegistry extends RuleRegistry {
+    constructor();
+}
+export declare const ProfilesRegistry: ProfilesRuleRegistry;

package/lib/libs/core/registries/profiles.js

@@ -0,0 +1,11 @@
+import RuleRegistry from './ruleRegistry.js';
+import EnforcePermissionsOnProfileLike from './rules/enforcePermissionsOnProfileLike.js';
+export default class ProfilesRuleRegistry extends RuleRegistry {
+    constructor() {
+        super({
+            EnforcePermissionClassifications: EnforcePermissionsOnProfileLike,
+        });
+    }
+}
+export const ProfilesRegistry = new ProfilesRuleRegistry();
+//# sourceMappingURL=profiles.js.map

package/lib/libs/core/registries/profiles.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"profiles.js","sourceRoot":"","sources":["../../../../src/libs/core/registries/profiles.ts"],"names":[],"mappings":"AACA,OAAO,YAAY,MAAM,mBAAmB,CAAC;AAC7C,OAAO,+BAA+B,MAAM,4CAA4C,CAAC;AAQzF,MAAM,CAAC,OAAO,OAAO,oBAAqB,SAAQ,YAAY;IAC5D;QACE,KAAK,CAAC;YACJ,gCAAgC,EAAE,+BAA+B;SAClE,CAAC,CAAC;IACL,CAAC;CACF;AAED,MAAM,CAAC,MAAM,gBAAgB,GAAG,IAAI,oBAAoB,EAAE,CAAC"}

package/lib/libs/core/registries/ruleRegistry.d.ts

@@ -0,0 +1,37 @@
+import { EntityResolveError, PolicyRuleSkipResult } from '../result-types.js';
+import { AuditRunConfig, RuleMap } from '../../core/file-mgmt/schema.js';
+import { Constructor, RowLevelPolicyRule } from './types.js';
+/**
+ * Result contains the actually available and enabled rules
+ * from the raw config file. Rules that are not present in the
+ * policie's registry are errors, disabled rules are skipped.
+ */
+export type RegistryRuleResolveResult = {
+    enabledRules: Array<RowLevelPolicyRule<unknown>>;
+    skippedRules: PolicyRuleSkipResult[];
+    resolveErrors: EntityResolveError[];
+};
+/**
+ * The rule registry holds all available rules for a given policy at run time.
+ * It is designed to be extendible so we can easily register new rules and it will
+ * allow users to BYOR ("bring your own rules").
+ */
+export default class RuleRegistry {
+    rules: Record<string, Constructor<RowLevelPolicyRule<unknown>>>;
+    constructor(rules: Record<string, Constructor<RowLevelPolicyRule<unknown>>>);
+    /**
+     * Returns the display/config names of all registered rules
+     *
+     * @returns
+     */
+    registeredRules(): string[];
+    /**
+     * Resolves a given set of rule configs to actually registered rules. Unknown
+     * rules are ignored and disabled rules are skipped.
+     *
+     * @param ruleObjs
+     * @param auditContext
+     * @returns
+     */
+    resolveRules(ruleObjs: RuleMap, auditContext: AuditRunConfig): RegistryRuleResolveResult;
+}

package/lib/libs/core/registries/ruleRegistry.js

@@ -0,0 +1,48 @@
+import { Messages } from '@salesforce/core';
+Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
+const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'policies.general');
+/**
+ * The rule registry holds all available rules for a given policy at run time.
+ * It is designed to be extendible so we can easily register new rules and it will
+ * allow users to BYOR ("bring your own rules").
+ */
+export default class RuleRegistry {
+    rules;
+    constructor(rules) {
+        this.rules = rules;
+    }
+    /**
+     * Returns the display/config names of all registered rules
+     *
+     * @returns
+     */
+    registeredRules() {
+        return Object.keys(this.rules);
+    }
+    /**
+     * Resolves a given set of rule configs to actually registered rules. Unknown
+     * rules are ignored and disabled rules are skipped.
+     *
+     * @param ruleObjs
+     * @param auditContext
+     * @returns
+     */
+    resolveRules(ruleObjs, auditContext) {
+        const enabledRules = new Array();
+        const skippedRules = new Array();
+        const resolveErrors = new Array();
+        Object.entries(ruleObjs).forEach(([ruleName, ruleConfig]) => {
+            if (this.rules[ruleName] && ruleConfig.enabled) {
+                enabledRules.push(new this.rules[ruleName]({ auditContext, ruleDisplayName: ruleName, ruleConfig: ruleConfig.options }));
+            }
+            else if (!ruleConfig.enabled) {
+                skippedRules.push({ name: ruleName, skipReason: messages.getMessage('skip-reason.rule-not-enabled') });
+            }
+            else {
+                resolveErrors.push({ name: ruleName, message: messages.getMessage('resolve-error.rule-not-registered') });
+            }
+        });
+        return { enabledRules, skippedRules, resolveErrors };
+    }
+}
+//# sourceMappingURL=ruleRegistry.js.map

package/lib/libs/core/registries/ruleRegistry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ruleRegistry.js","sourceRoot":"","sources":["../../../../src/libs/core/registries/ruleRegistry.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAK5C,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,kBAAkB,CAAC,CAAC;AAajG;;;;GAIG;AACH,MAAM,CAAC,OAAO,OAAO,YAAY;IACL;IAA1B,YAA0B,KAA+D;QAA/D,UAAK,GAAL,KAAK,CAA0D;IAAG,CAAC;IAE7F;;;;OAIG;IACI,eAAe;QACpB,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACjC,CAAC;IAED;;;;;;;OAOG;IACI,YAAY,CAAC,QAAiB,EAAE,YAA4B;QACjE,MAAM,YAAY,GAAG,IAAI,KAAK,EAA+B,CAAC;QAC9D,MAAM,YAAY,GAAG,IAAI,KAAK,EAAwB,CAAC;QACvD,MAAM,aAAa,GAAG,IAAI,KAAK,EAAsB,CAAC;QACtD,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE,UAAU,CAAC,EAAE,EAAE;YAC1D,IAAI,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,UAAU,CAAC,OAAO,EAAE,CAAC;gBAC/C,YAAY,CAAC,IAAI,CACf,IAAI,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,EAAE,YAAY,EAAE,eAAe,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,CACtG,CAAC;YACJ,CAAC;iBAAM,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;gBAC/B,YAAY,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,CAAC,UAAU,CAAC,8BAA8B,CAAC,EAAE,CAAC,CAAC;YACzG,CAAC;iBAAM,CAAC;gBACN,aAAa,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,mCAAmC,CAAC,EAAE,CAAC,CAAC;YAC5G,CAAC;QACH,CAAC,CAAC,CAAC;QACH,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,aAAa,EAAE,CAAC;IACvD,CAAC;CACF"}

package/lib/libs/core/registries/rules/allUsedAppsUnderManagement.d.ts

@@ -0,0 +1,7 @@
+import { PartialPolicyRuleResult, RuleAuditContext } from '../types.js';
+import { ResolvedConnectedApp } from '../connectedApps.js';
+import PolicyRule, { RuleOptions } from './policyRule.js';
+export default class AllUsedAppsUnderManagement extends PolicyRule<ResolvedConnectedApp> {
+    constructor(opts: RuleOptions);
+    run(context: RuleAuditContext<ResolvedConnectedApp>): Promise<PartialPolicyRuleResult>;
+}

package/lib/libs/core/registries/rules/allUsedAppsUnderManagement.js

@@ -0,0 +1,23 @@
+import { Messages } from '@salesforce/core';
+import PolicyRule from './policyRule.js';
+Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
+const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.connectedApps');
+export default class AllUsedAppsUnderManagement extends PolicyRule {
+    constructor(opts) {
+        super(opts);
+    }
+    run(context) {
+        const result = this.initResult();
+        const resolvedConnectedApps = context.resolvedEntities;
+        Object.values(resolvedConnectedApps).forEach((app) => {
+            if (app.origin === 'OauthToken') {
+                result.violations.push({
+                    identifier: [app.name],
+                    message: messages.getMessage('violations.app-used-but-not-registered', [app.users.length, app.useCount]),
+                });
+            }
+        });
+        return Promise.resolve(result);
+    }
+}
+//# sourceMappingURL=allUsedAppsUnderManagement.js.map

package/lib/libs/core/registries/rules/allUsedAppsUnderManagement.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"allUsedAppsUnderManagement.js","sourceRoot":"","sources":["../../../../../src/libs/core/registries/rules/allUsedAppsUnderManagement.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAG5C,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,qBAAqB,CAAC,CAAC;AAEpG,MAAM,CAAC,OAAO,OAAO,0BAA2B,SAAQ,UAAgC;IACtF,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,GAAG,CAAC,OAA+C;QACxD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,qBAAqB,GAAG,OAAO,CAAC,gBAAgB,CAAC;QACvD,MAAM,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;YACnD,IAAI,GAAG,CAAC,MAAM,KAAK,YAAY,EAAE,CAAC;gBAChC,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;oBACrB,UAAU,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC;oBACtB,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,wCAAwC,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAC;iBACzG,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;QACH,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF"}

package/lib/libs/core/registries/rules/enforcePermissionPresets.d.ts

@@ -0,0 +1,7 @@
+import { PartialPolicyRuleResult, RuleAuditContext } from '../types.js';
+import { ResolvedUser } from '../users.js';
+import PolicyRule, { RuleOptions } from './policyRule.js';
+export default class EnforcePermissionPresets extends PolicyRule<ResolvedUser> {
+    constructor(opts: RuleOptions);
+    run(context: RuleAuditContext<ResolvedUser>): Promise<PartialPolicyRuleResult>;
+}

package/lib/libs/core/registries/rules/enforcePermissionPresets.js

@@ -0,0 +1,58 @@
+import { Messages } from '@salesforce/core';
+import UsersRepository from '../../mdapi/usersRepository.js';
+import { ProfilesRiskPreset, resolvePresetOrdinalValue } from '../../policy-types.js';
+import { capitalize } from '../../utils.js';
+import PolicyRule from './policyRule.js';
+Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
+const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.users');
+export default class EnforcePermissionPresets extends PolicyRule {
+    constructor(opts) {
+        super(opts);
+    }
+    async run(context) {
+        const result = this.initResult();
+        const users = context.resolvedEntities;
+        const userRepo = new UsersRepository(context.targetOrgConnection);
+        // options "with/without metadata - only identifiers"
+        const userPerms = await userRepo.resolveUserPermissions(Object.values(users), { withMetadata: false });
+        for (const user of Object.values(users)) {
+            const profilePreset = this.auditContext.policies.profiles?.content.profiles[user.profileName];
+            auditPermissionsEntity(result, user, 'profile', user.profileName, profilePreset?.preset);
+            const permsets = userPerms.get(user.userId);
+            if (permsets) {
+                for (const assignment of permsets.assignedPermissionsets) {
+                    const permsetPreset = this.auditContext.policies.permissionSets?.content.permissionSets[assignment.permissionSetIdentifier];
+                    auditPermissionsEntity(result, user, 'permission set', assignment.permissionSetIdentifier, permsetPreset?.preset);
+                }
+            }
+        }
+        return result;
+    }
+}
+function auditPermissionsEntity(result, user, entityType, entityIdentifier, entityPreset) {
+    if (entityPreset) {
+        if (entityPreset === ProfilesRiskPreset.UNKNOWN) {
+            result.violations.push({
+                identifier: [user.username, entityIdentifier],
+                message: messages.getMessage('violations.entity-unknown-but-used', [capitalize(entityType)]),
+            });
+        }
+        else if (resolvePresetOrdinalValue(entityPreset) < resolvePresetOrdinalValue(user.role)) {
+            result.violations.push({
+                identifier: [user.username, entityIdentifier],
+                message: messages.getMessage('violations.entity-not-allowed-for-user-role', [
+                    user.role,
+                    entityType,
+                    entityPreset,
+                ]),
+            });
+        }
+    }
+    else {
+        result.violations.push({
+            identifier: [user.username, entityIdentifier],
+            message: messages.getMessage('violations.entity-not-classified-but-used', [capitalize(entityType), entityType]),
+        });
+    }
+}
+//# sourceMappingURL=enforcePermissionPresets.js.map

package/lib/libs/core/registries/rules/enforcePermissionPresets.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"enforcePermissionPresets.js","sourceRoot":"","sources":["../../../../../src/libs/core/registries/rules/enforcePermissionPresets.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,eAAe,MAAM,gCAAgC,CAAC;AAC7D,OAAO,EAAE,kBAAkB,EAAE,yBAAyB,EAAE,MAAM,uBAAuB,CAAC;AAEtF,OAAO,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAE5C,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,aAAa,CAAC,CAAC;AAE5F,MAAM,CAAC,OAAO,OAAO,wBAAyB,SAAQ,UAAwB;IAC5E,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,KAAK,CAAC,GAAG,CAAC,OAAuC;QACtD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,KAAK,GAAG,OAAO,CAAC,gBAAgB,CAAC;QACvC,MAAM,QAAQ,GAAG,IAAI,eAAe,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;QAClE,qDAAqD;QACrD,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,sBAAsB,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC,CAAC;QACvG,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;YACxC,MAAM,aAAa,GAAG,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC9F,sBAAsB,CAAC,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,WAAW,EAAE,aAAa,EAAE,MAAM,CAAC,CAAC;YACzF,MAAM,QAAQ,GAAG,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC5C,IAAI,QAAQ,EAAE,CAAC;gBACb,KAAK,MAAM,UAAU,IAAI,QAAQ,CAAC,sBAAsB,EAAE,CAAC;oBACzD,MAAM,aAAa,GACjB,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,cAAc,EAAE,OAAO,CAAC,cAAc,CAAC,UAAU,CAAC,uBAAuB,CAAC,CAAC;oBACxG,sBAAsB,CACpB,MAAM,EACN,IAAI,EACJ,gBAAgB,EAChB,UAAU,CAAC,uBAAuB,EAClC,aAAa,EAAE,MAAM,CACtB,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;CACF;AACD,SAAS,sBAAsB,CAC7B,MAA+B,EAC/B,IAAkB,EAClB,UAAkB,EAClB,gBAAwB,EACxB,YAAiC;IAEjC,IAAI,YAAY,EAAE,CAAC;QACjB,IAAI,YAAY,KAAK,kBAAkB,CAAC,OAAO,EAAE,CAAC;YAChD,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;gBACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,CAAC;gBAC7C,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,oCAAoC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC;aAC7F,CAAC,CAAC;QACL,CAAC;aAAM,IAAI,yBAAyB,CAAC,YAAY,CAAC,GAAG,yBAAyB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1F,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;gBACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,CAAC;gBAC7C,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,6CAA6C,EAAE;oBAC1E,IAAI,CAAC,IAAI;oBACT,UAAU;oBACV,YAAY;iBACb,CAAC;aACH,CAAC,CAAC;QACL,CAAC;IACH,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;YACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,CAAC;YAC7C,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,2CAA2C,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,UAAU,CAAC,CAAC;SAChH,CAAC,CAAC;IACL,CAAC;AACH,CAAC"}

package/lib/libs/core/registries/rules/enforcePermissionsOnProfileLike.d.ts

@@ -0,0 +1,7 @@
+import { PartialPolicyRuleResult, RuleAuditContext } from '../types.js';
+import { ResolvedProfileLike } from '../helpers/permissionsScanning.js';
+import PolicyRule, { RuleOptions } from './policyRule.js';
+export default class EnforcePermissionsOnProfileLike extends PolicyRule<ResolvedProfileLike> {
+    constructor(opts: RuleOptions);
+    run(context: RuleAuditContext<ResolvedProfileLike>): Promise<PartialPolicyRuleResult>;
+}

package/lib/libs/core/registries/rules/enforcePermissionsOnProfileLike.js

@@ -0,0 +1,26 @@
+import { isNullish } from '../../utils.js';
+import { scanPermissions } from '../helpers/permissionsScanning.js';
+import PolicyRule from './policyRule.js';
+export default class EnforcePermissionsOnProfileLike extends PolicyRule {
+    constructor(opts) {
+        super(opts);
+    }
+    run(context) {
+        const result = this.initResult();
+        const resolvedProfiles = context.resolvedEntities;
+        for (const profile of Object.values(resolvedProfiles)) {
+            if (!isNullish(profile.metadata.userPermissions)) {
+                const userPermsScan = scanPermissions(profile, 'userPermissions', this.auditContext);
+                result.violations.push(...userPermsScan.violations);
+                result.warnings.push(...userPermsScan.warnings);
+            }
+            if (!isNullish(profile.metadata.customPermissions)) {
+                const customPermsScan = scanPermissions(profile, 'customPermissions', this.auditContext);
+                result.violations.push(...customPermsScan.violations);
+                result.warnings.push(...customPermsScan.warnings);
+            }
+        }
+        return Promise.resolve(result);
+    }
+}
+//# sourceMappingURL=enforcePermissionsOnProfileLike.js.map

package/lib/libs/core/registries/rules/enforcePermissionsOnProfileLike.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"enforcePermissionsOnProfileLike.js","sourceRoot":"","sources":["../../../../../src/libs/core/registries/rules/enforcePermissionsOnProfileLike.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAC3C,OAAO,EAAuB,eAAe,EAAE,MAAM,mCAAmC,CAAC;AACzF,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,MAAM,CAAC,OAAO,OAAO,+BAAgC,SAAQ,UAA+B;IAC1F,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,GAAG,CAAC,OAA8C;QACvD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC;QAClD,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE,CAAC;YACtD,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;gBACjD,MAAM,aAAa,GAAG,eAAe,CAAC,OAAO,EAAE,iBAAiB,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;gBACrF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,UAAU,CAAC,CAAC;gBACpD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;YAClD,CAAC;YACD,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,CAAC;gBACnD,MAAM,eAAe,GAAG,eAAe,CAAC,OAAO,EAAE,mBAAmB,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;gBACzF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,UAAU,CAAC,CAAC;gBACtD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAC;YACpD,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF"}

package/lib/libs/core/registries/rules/enforcePermissionsOnUser.d.ts

@@ -0,0 +1,8 @@
+import { PartialPolicyRuleResult, RuleAuditContext } from '../types.js';
+import { ResolvedUser } from '../users.js';
+import PolicyRule, { RuleOptions } from './policyRule.js';
+export default class EnforcePermissionsOnUser extends PolicyRule<ResolvedUser> {
+    constructor(opts: RuleOptions);
+    run(context: RuleAuditContext<ResolvedUser>): Promise<PartialPolicyRuleResult>;
+    private scanAssignedPermissionSets;
+}

package/lib/libs/core/registries/rules/enforcePermissionsOnUser.js

@@ -0,0 +1,42 @@
+import UsersRepository from '../../mdapi/usersRepository.js';
+import { scanProfileLike } from '../helpers/permissionsScanning.js';
+import PolicyRule from './policyRule.js';
+export default class EnforcePermissionsOnUser extends PolicyRule {
+    constructor(opts) {
+        super(opts);
+    }
+    async run(context) {
+        const result = this.initResult();
+        const users = context.resolvedEntities;
+        const userRepo = new UsersRepository(context.targetOrgConnection);
+        const userPerms = await userRepo.resolveUserPermissions(Object.values(users), { withMetadata: true });
+        for (const user of Object.values(users)) {
+            const resolvedPerms = userPerms.get(user.userId);
+            if (!resolvedPerms) {
+                continue;
+            }
+            const permsetResult = this.scanAssignedPermissionSets(user, resolvedPerms.assignedPermissionsets);
+            result.violations.push(...permsetResult.violations);
+            result.warnings.push(...permsetResult.warnings);
+            if (resolvedPerms.profileMetadata) {
+                const profileResult = scanProfileLike({ preset: user.role, metadata: resolvedPerms.profileMetadata, name: user.profileName }, this.auditContext, [user.username]);
+                result.violations.push(...profileResult.violations);
+                result.warnings.push(...profileResult.warnings);
+            }
+        }
+        return result;
+    }
+    scanAssignedPermissionSets(user, actualAssignments) {
+        const result = { violations: [], warnings: [] };
+        for (const assignedPermSet of actualAssignments) {
+            if (!assignedPermSet.metadata) {
+                continue;
+            }
+            const permsetScan = scanProfileLike({ preset: user.role, metadata: assignedPermSet.metadata, name: assignedPermSet.permissionSetIdentifier }, this.auditContext, [user.username]);
+            result.violations.push(...permsetScan.violations);
+            result.warnings.push(...permsetScan.warnings);
+        }
+        return result;
+    }
+}
+//# sourceMappingURL=enforcePermissionsOnUser.js.map

package/lib/libs/core/registries/rules/enforcePermissionsOnUser.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"enforcePermissionsOnUser.js","sourceRoot":"","sources":["../../../../../src/libs/core/registries/rules/enforcePermissionsOnUser.ts"],"names":[],"mappings":"AAAA,OAAO,eAA4C,MAAM,gCAAgC,CAAC;AAC1F,OAAO,EAAE,eAAe,EAAc,MAAM,mCAAmC,CAAC;AAGhF,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,MAAM,CAAC,OAAO,OAAO,wBAAyB,SAAQ,UAAwB;IAC5E,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,KAAK,CAAC,GAAG,CAAC,OAAuC;QACtD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,KAAK,GAAG,OAAO,CAAC,gBAAgB,CAAC;QACvC,MAAM,QAAQ,GAAG,IAAI,eAAe,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;QAClE,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,sBAAsB,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC;QACtG,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;YACxC,MAAM,aAAa,GAAG,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACjD,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,SAAS;YACX,CAAC;YACD,MAAM,aAAa,GAAG,IAAI,CAAC,0BAA0B,CAAC,IAAI,EAAE,aAAa,CAAC,sBAAsB,CAAC,CAAC;YAClG,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,UAAU,CAAC,CAAC;YACpD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;YAChD,IAAI,aAAa,CAAC,eAAe,EAAE,CAAC;gBAClC,MAAM,aAAa,GAAG,eAAe,CACnC,EAAE,MAAM,EAAE,IAAI,CAAC,IAAI,EAAE,QAAQ,EAAE,aAAa,CAAC,eAAe,EAAE,IAAI,EAAE,IAAI,CAAC,WAAW,EAAE,EACtF,IAAI,CAAC,YAAY,EACjB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAChB,CAAC;gBACF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,UAAU,CAAC,CAAC;gBACpD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;YAClD,CAAC;QACH,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,0BAA0B,CAAC,IAAkB,EAAE,iBAA4C;QACjG,MAAM,MAAM,GAAe,EAAE,UAAU,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;QAC5D,KAAK,MAAM,eAAe,IAAI,iBAAiB,EAAE,CAAC;YAChD,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,CAAC;gBAC9B,SAAS;YACX,CAAC;YACD,MAAM,WAAW,GAAG,eAAe,CACjC,EAAE,MAAM,EAAE,IAAI,CAAC,IAAI,EAAE,QAAQ,EAAE,eAAe,CAAC,QAAQ,EAAE,IAAI,EAAE,eAAe,CAAC,uBAAuB,EAAE,EACxG,IAAI,CAAC,YAAY,EACjB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAChB,CAAC;YACF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,UAAU,CAAC,CAAC;YAClD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC;QAChD,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;CACF"}

package/lib/libs/core/registries/rules/noInactiveUsers.d.ts

@@ -0,0 +1,9 @@
+import { NoInactiveUsersOptions } from '../../file-mgmt/schema.js';
+import { PartialPolicyRuleResult, RuleAuditContext } from '../types.js';
+import { ResolvedUser } from '../users.js';
+import PolicyRule, { ConfigurableRuleOptions } from './policyRule.js';
+export default class NoInactiveUsers extends PolicyRule<ResolvedUser> {
+    private ruleConfig;
+    constructor(localOpts: ConfigurableRuleOptions<NoInactiveUsersOptions>);
+    run(context: RuleAuditContext<ResolvedUser>): Promise<PartialPolicyRuleResult>;
+}

package/lib/libs/core/registries/rules/noInactiveUsers.js

@@ -0,0 +1,44 @@
+import { Messages } from '@salesforce/core';
+import { NoInactiveUsersOptionsSchema } from '../../file-mgmt/schema.js';
+import { differenceInDays } from '../../utils.js';
+import PolicyRule, { parseRuleOptions } from './policyRule.js';
+Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
+const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.users');
+export default class NoInactiveUsers extends PolicyRule {
+    ruleConfig;
+    constructor(localOpts) {
+        super(localOpts);
+        this.ruleConfig = parseRuleOptions('users.yml', ['rules', 'NoInactiveUsers'], NoInactiveUsersOptionsSchema, localOpts.ruleConfig);
+    }
+    run(context) {
+        const result = this.initResult();
+        Object.values(context.resolvedEntities).forEach((user) => {
+            if (user.lastLogin) {
+                const diffInDays = differenceInDays(Date.now(), user.lastLogin);
+                if (diffInDays > this.ruleConfig.daysAfterUserIsInactive) {
+                    result.violations.push({
+                        identifier: [user.username],
+                        message: messages.getMessage('violations.inactive-since-n-days', [
+                            diffInDays,
+                            new Date(user.lastLogin).toISOString(),
+                        ]),
+                    });
+                }
+            }
+        });
+        Object.values(context.resolvedEntities).forEach((user) => {
+            if (!user.lastLogin) {
+                const createdNDaysAgo = differenceInDays(Date.now(), user.createdDate);
+                result.violations.push({
+                    identifier: [user.username],
+                    message: messages.getMessage('violations.has-never-logged-in', [
+                        new Date(user.createdDate).toISOString(),
+                        createdNDaysAgo,
+                    ]),
+                });
+            }
+        });
+        return Promise.resolve(result);
+    }
+}
+//# sourceMappingURL=noInactiveUsers.js.map

package/lib/libs/core/registries/rules/noInactiveUsers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"noInactiveUsers.js","sourceRoot":"","sources":["../../../../../src/libs/core/registries/rules/noInactiveUsers.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAA0B,4BAA4B,EAAE,MAAM,2BAA2B,CAAC;AAEjG,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAElD,OAAO,UAAU,EAAE,EAA2B,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAExF,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,aAAa,CAAC,CAAC;AAE5F,MAAM,CAAC,OAAO,OAAO,eAAgB,SAAQ,UAAwB;IAC3D,UAAU,CAAyB;IAE3C,YAAmB,SAA0D;QAC3E,KAAK,CAAC,SAAS,CAAC,CAAC;QACjB,IAAI,CAAC,UAAU,GAAG,gBAAgB,CAChC,WAAW,EACX,CAAC,OAAO,EAAE,iBAAiB,CAAC,EAC5B,4BAA4B,EAC5B,SAAS,CAAC,UAAU,CACK,CAAC;IAC9B,CAAC;IAEM,GAAG,CAAC,OAAuC;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;YACvD,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACnB,MAAM,UAAU,GAAG,gBAAgB,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;gBAChE,IAAI,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC,uBAAuB,EAAE,CAAC;oBACzD,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;wBACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC;wBAC3B,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,kCAAkC,EAAE;4BAC/D,UAAU;4BACV,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE;yBACvC,CAAC;qBACH,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;YACvD,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;gBACpB,MAAM,eAAe,GAAG,gBAAgB,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;gBACvE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;oBACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC;oBAC3B,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,gCAAgC,EAAE;wBAC7D,IAAI,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,WAAW,EAAE;wBACxC,eAAe;qBAChB,CAAC;iBACH,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;QACH,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF"}

package/lib/libs/core/registries/rules/noOtherApexApiLogins.d.ts

@@ -0,0 +1,7 @@
+import { PartialPolicyRuleResult, RuleAuditContext } from '../types.js';
+import { ResolvedUser } from '../users.js';
+import PolicyRule, { RuleOptions } from './policyRule.js';
+export default class NoOtherApexApiLogins extends PolicyRule<ResolvedUser> {
+    constructor(opts: RuleOptions);
+    run(context: RuleAuditContext<ResolvedUser>): Promise<PartialPolicyRuleResult>;
+}

package/lib/libs/core/registries/rules/noOtherApexApiLogins.js

@@ -0,0 +1,27 @@
+import { Messages } from '@salesforce/core';
+import PolicyRule from './policyRule.js';
+Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
+const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.users');
+export default class NoOtherApexApiLogins extends PolicyRule {
+    constructor(opts) {
+        super(opts);
+    }
+    run(context) {
+        const result = this.initResult();
+        for (const user of Object.values(context.resolvedEntities)) {
+            if (!user.logins) {
+                continue;
+            }
+            for (const loginSummary of user.logins) {
+                if (loginSummary.loginType === 'Other Apex API') {
+                    result.violations.push({
+                        identifier: [user.username],
+                        message: messages.getMessage('violations.no-other-apex-api-logins', [loginSummary.loginCount]),
+                    });
+                }
+            }
+        }
+        return Promise.resolve(result);
+    }
+}
+//# sourceMappingURL=noOtherApexApiLogins.js.map

package/lib/libs/core/registries/rules/noOtherApexApiLogins.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"noOtherApexApiLogins.js","sourceRoot":"","sources":["../../../../../src/libs/core/registries/rules/noOtherApexApiLogins.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAG5C,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,aAAa,CAAC,CAAC;AAE5F,MAAM,CAAC,OAAO,OAAO,oBAAqB,SAAQ,UAAwB;IACxE,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,GAAG,CAAC,OAAuC;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,gBAAgB,CAAC,EAAE,CAAC;YAC3D,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACjB,SAAS;YACX,CAAC;YACD,KAAK,MAAM,YAAY,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;gBACvC,IAAI,YAAY,CAAC,SAAS,KAAK,gBAAgB,EAAE,CAAC;oBAChD,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;wBACrB,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC;wBAC3B,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,qCAAqC,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC;qBAC/F,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF"}

package/lib/libs/core/registries/rules/noUserCanSelfAuthorize.d.ts

@@ -0,0 +1,7 @@
+import { PartialPolicyRuleResult, RuleAuditContext } from '../types.js';
+import { ResolvedConnectedApp } from '../connectedApps.js';
+import PolicyRule, { RuleOptions } from './policyRule.js';
+export default class NoUserCanSelfAuthorize extends PolicyRule<ResolvedConnectedApp> {
+    constructor(opts: RuleOptions);
+    run(context: RuleAuditContext<ResolvedConnectedApp>): Promise<PartialPolicyRuleResult>;
+}

package/lib/libs/core/registries/rules/noUserCanSelfAuthorize.js

@@ -0,0 +1,31 @@
+import { Messages } from '@salesforce/core';
+import PolicyRule from './policyRule.js';
+Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
+const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.connectedApps');
+export default class NoUserCanSelfAuthorize extends PolicyRule {
+    constructor(opts) {
+        super(opts);
+    }
+    run(context) {
+        const result = this.initResult();
+        const resolvedConnectedApps = context.resolvedEntities;
+        Object.values(resolvedConnectedApps).forEach((app) => {
+            if (!app.onlyAdminApprovedUsersAllowed) {
+                if (app.overrideByApiSecurityAccess) {
+                    result.warnings.push({
+                        identifier: [app.name],
+                        message: messages.getMessage('warnings.users-can-self-authorize-but-setting-overrides'),
+                    });
+                }
+                else {
+                    result.violations.push({
+                        identifier: [app.name],
+                        message: messages.getMessage('violations.users-can-self-authorize'),
+                    });
+                }
+            }
+        });
+        return Promise.resolve(result);
+    }
+}
+//# sourceMappingURL=noUserCanSelfAuthorize.js.map

package/lib/libs/core/registries/rules/noUserCanSelfAuthorize.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"noUserCanSelfAuthorize.js","sourceRoot":"","sources":["../../../../../src/libs/core/registries/rules/noUserCanSelfAuthorize.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAG5C,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,qBAAqB,CAAC,CAAC;AAEpG,MAAM,CAAC,OAAO,OAAO,sBAAuB,SAAQ,UAAgC;IAClF,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,GAAG,CAAC,OAA+C;QACxD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,qBAAqB,GAAG,OAAO,CAAC,gBAAgB,CAAC;QACvD,MAAM,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;YACnD,IAAI,CAAC,GAAG,CAAC,6BAA6B,EAAE,CAAC;gBACvC,IAAI,GAAG,CAAC,2BAA2B,EAAE,CAAC;oBACpC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;wBACnB,UAAU,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC;wBACtB,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,yDAAyD,CAAC;qBACxF,CAAC,CAAC;gBACL,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;wBACrB,UAAU,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC;wBACtB,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,qCAAqC,CAAC;qBACpE,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QACH,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF"}

package/lib/libs/core/registries/rules/policyRule.d.ts

@@ -0,0 +1,19 @@
+import z from 'zod';
+import { PartialPolicyRuleResult, RowLevelPolicyRule, RuleAuditContext } from '../types.js';
+import { AuditRunConfig } from '../../file-mgmt/schema.js';
+export type RuleOptions = {
+    auditContext: AuditRunConfig;
+    ruleDisplayName: string;
+};
+export type ConfigurableRuleOptions<T> = RuleOptions & {
+    ruleConfig: T;
+};
+export default abstract class PolicyRule<EntityType> implements RowLevelPolicyRule<EntityType> {
+    protected opts: RuleOptions;
+    auditContext: AuditRunConfig;
+    ruleDisplayName: string;
+    constructor(opts: RuleOptions);
+    protected initResult(): PartialPolicyRuleResult;
+    abstract run(context: RuleAuditContext<EntityType>): Promise<PartialPolicyRuleResult>;
+}
+export declare function parseRuleOptions(policyName: string, rulePath: string[], schema: z.ZodObject, anyObject?: unknown): z.infer<typeof schema>;