@jmruthers/pace-core 0.6.6 → 0.6.8

package/audit-tool/audits/06-security-rbac.cjs

@@ -0,0 +1,554 @@
+/**
+ * Standard 6: Security & RBAC Audit
+ * @package @jmruthers/pace-core
+ * @module Audit/Standard6
+ * 
+ * Audits consuming apps for compliance with Standard 6: Security & RBAC.
+ * Validates RLS policies in SQL migrations, PagePermissionGuard coverage, and Edge Functions RBAC.
+ * 
+ * Reference: packages/core/docs/standards/6-security-rbac-standards.md
+ */
+
+const path = require('path');
+const fs = require('fs');
+const { findSQLFiles, findSourceFiles, readFileSafe, getRelativePath, directoryExists } = require('../utils/file-utils.cjs');
+const { getLineNumber, getCodeSnippet, isInCommentOrStringSQL, isInCommentOrString, importsFromPaceCore } = require('../utils/code-utils.cjs');
+
+/**
+ * Check RLS policy compliance in SQL migrations
+ */
+function checkRLSPolicies(consumingAppPath) {
+  const issues = [];
+  
+  // Find SQL migration files
+  const migrationsPath = path.join(consumingAppPath, 'supabase', 'migrations');
+  const altMigrationsPath = path.join(consumingAppPath, 'migrations');
+  
+  const migrationsDir = fs.existsSync(migrationsPath) ? migrationsPath : 
+                        (fs.existsSync(altMigrationsPath) ? altMigrationsPath : null);
+  
+  if (!migrationsDir) {
+    return issues; // No migrations directory, skip check
+  }
+  
+  const sqlFiles = findSQLFiles(migrationsDir);
+  
+  sqlFiles.forEach(filePath => {
+    try {
+      const content = readFileSafe(filePath);
+      if (!content) {
+        return;
+      }
+      
+      const relativePath = getRelativePath(filePath, consumingAppPath);
+      
+      // Find CREATE POLICY statements
+      const policyPattern = /CREATE\s+POLICY\s+["']?([^"'\s]+)["']?\s+ON\s+(\w+)\s+FOR\s+(\w+)/gi;
+      let match;
+      
+      while ((match = policyPattern.exec(content)) !== null) {
+        const policyName = match[1];
+        const tableName = match[2];
+        const operation = match[3].toLowerCase();
+        const policyStart = match.index;
+        
+        // Check policy naming: rbac_{operation}_{table_name}_{scope}
+        const expectedPattern = new RegExp(`^rbac_${operation}_${tableName}(?:_\\w+)?$`, 'i');
+        if (!expectedPattern.test(policyName)) {
+          issues.push({
+            type: 'rlsPolicy',
+            file: relativePath,
+            line: getLineNumber(content, policyStart),
+            message: `RLS policy '${policyName}' does not follow naming convention. Should be 'rbac_${operation}_${tableName}' or 'rbac_${operation}_${tableName}_scope'.`,
+            code: getCodeSnippet(content, policyStart, 0, 100),
+            severity: 'error',
+            fix: `Rename policy to follow pattern: rbac_${operation}_${tableName}`,
+          });
+        }
+        
+        // Find the USING/WITH CHECK clause
+        const policyEnd = content.indexOf(';', policyStart);
+        if (policyEnd === -1) continue;
+        
+        const policyBody = content.substring(policyStart, policyEnd);
+        
+        // Check for inline auth.uid() calls (performance issue)
+        const authUidPattern = /\bauth\.uid\s*\(/gi;
+        if (authUidPattern.test(policyBody) && !isInCommentOrStringSQL(content, content.indexOf('auth.uid', policyStart))) {
+          issues.push({
+            type: 'rlsPolicy',
+            file: relativePath,
+            line: getLineNumber(content, policyStart),
+            message: `RLS policy '${policyName}' contains inline auth.uid() call. Must use helper function instead for performance.`,
+            code: getCodeSnippet(content, policyStart, 0, 200),
+            severity: 'error',
+            fix: 'Replace auth.uid() with helper function like get_effective_user_id(). Helper functions must be STABLE SECURITY DEFINER.',
+          });
+        }
+        
+        // Check for subqueries in USING/WITH CHECK (performance issue)
+        const subqueryPattern = /(?:USING|WITH\s+CHECK)\s*\([^)]*(?:SELECT\s+[^)]+FROM[^)]+WHERE[^)]*)\)/gi;
+        if (subqueryPattern.test(policyBody)) {
+          issues.push({
+            type: 'rlsPolicy',
+            file: relativePath,
+            line: getLineNumber(content, policyStart),
+            message: `RLS policy '${policyName}' contains subquery. Must use helper functions instead for performance.`,
+            code: getCodeSnippet(content, policyStart, 0, 200),
+            severity: 'error',
+            fix: 'Replace subquery with helper function. Helper functions must be STABLE SECURITY DEFINER SET search_path TO public.',
+          });
+        }
+        
+        // Check for inline current_setting calls (performance issue)
+        const currentSettingPattern = /\bcurrent_setting\s*\(/gi;
+        if (currentSettingPattern.test(policyBody) && !isInCommentOrStringSQL(content, content.indexOf('current_setting', policyStart))) {
+          issues.push({
+            type: 'rlsPolicy',
+            file: relativePath,
+            line: getLineNumber(content, policyStart),
+            message: `RLS policy '${policyName}' contains inline current_setting() call. Must use helper function instead for performance.`,
+            code: getCodeSnippet(content, policyStart, 0, 200),
+            severity: 'error',
+            fix: 'Replace current_setting() with helper function. Helper functions must be STABLE SECURITY DEFINER.',
+          });
+        }
+        
+        // Check for is_super_admin() without parameter (security risk)
+        const isSuperAdminWithoutParamPattern = /\bis_super_admin\s*\(\s*\)/gi;
+        if (isSuperAdminWithoutParamPattern.test(policyBody) && !isInCommentOrStringSQL(content, content.indexOf('is_super_admin', policyStart))) {
+          issues.push({
+            type: 'rlsPolicy',
+            file: relativePath,
+            line: getLineNumber(content, policyStart),
+            message: `RLS policy '${policyName}' uses is_super_admin() without parameter. Must use is_super_admin(safe_get_user_id_for_rls()) to avoid fallback strategy vulnerabilities.`,
+            code: getCodeSnippet(content, policyStart, 0, 200),
+            severity: 'error',
+            fix: 'Replace is_super_admin() with is_super_admin(safe_get_user_id_for_rls()) to require explicit parameter passing.',
+          });
+        }
+        
+        // Check for missing super-admin checks in authenticated policies
+        const isAuthenticatedPolicy = /TO\s+authenticated/i.test(policyBody);
+        const hasSuperAdminCheck = /\bis_super_admin\s*\(/i.test(policyBody);
+        const isPublicPolicy = /TO\s+(?:public|anon)/i.test(policyBody) || policyName.toLowerCase().includes('public') || policyName.toLowerCase().includes('anon');
+        
+        // Exception: User-scoped policies that only check user_id don't need super-admin
+        const isUserScopedOnly = /organisation_id\s+IS\s+NULL/i.test(policyBody) && 
+                                 /get_effective_user_id\s*\(\s*\)\s*=\s*user_id/i.test(policyBody) &&
+                                 !/\bOR\b/i.test(policyBody);
+        
+        // Skip check for public/anonymous policies or service role policies
+        if (isAuthenticatedPolicy && !hasSuperAdminCheck && !isPublicPolicy && !policyName.toLowerCase().includes('service')) {
+          if (!isUserScopedOnly) {
+            issues.push({
+              type: 'rlsPolicy',
+              file: relativePath,
+              line: getLineNumber(content, policyStart),
+              message: `RLS policy '${policyName}' for authenticated users is missing super-admin check. All authenticated policies must include is_super_admin(safe_get_user_id_for_rls()) as a bypass.`,
+              code: getCodeSnippet(content, policyStart, 0, 200),
+              severity: 'error',
+              fix: 'Add is_super_admin(safe_get_user_id_for_rls()) check. Pattern: (is_super_admin(safe_get_user_id_for_rls()) OR ...other checks...)',
+            });
+          }
+        }
+        
+        // Check for use of deprecated event access functions when RBAC permissions should be used
+        const usesEventAccess = /\bcheck_user_event_access\s*\(/i.test(policyBody);
+        const usesEventCreator = /\bcheck_user_is_event_creator\s*\(/i.test(policyBody);
+        const usesRBACPermission = /\bcheck_rbac_permission_with_context\s*\(/i.test(policyBody);
+        
+        // Tables that have page permissions and should use RBAC permission checks
+        const tablesWithPagePermissions = [
+          'trac_contacts', 'trac_risks', 'trac_journal_posts', 'trac_currency_rates',
+          'trac_accommodation', 'trac_activity', 'trac_transport',
+          'mint_budgets', 'mint_budget_variables',
+          'cake_dish', 'cake_meal', 'cake_item', 'cake_recipe',
+          'medi_profile', 'medi_action_plan'
+        ];
+        
+        const hasPagePermissions = tablesWithPagePermissions.some(t => 
+          tableName.toLowerCase().includes(t.toLowerCase())
+        );
+        
+        if (hasPagePermissions && (usesEventAccess || usesEventCreator) && !usesRBACPermission) {
+          issues.push({
+            type: 'rlsPolicy',
+            file: relativePath,
+            line: getLineNumber(content, policyStart),
+            message: `RLS policy '${policyName}' uses ${usesEventAccess ? 'check_user_event_access()' : 'check_user_is_event_creator()'} but table '${tableName}' has page permissions. Should use check_rbac_permission_with_context() with page-level permissions instead.`,
+            code: getCodeSnippet(content, policyStart, 0, 200),
+            severity: 'error',
+            fix: `Replace ${usesEventAccess ? 'check_user_event_access(event_id)' : 'check_user_is_event_creator(event_id)'} with check_rbac_permission_with_context('${operation}:page.{page_name}', '{page_name}', organisation_id, event_id::text, get_app_id('{app_name}')). See RBAC compliance standard for page name mapping.`,
+          });
+        }
+        
+        // Check for missing required field checks in event-scoped tables
+        const hasEventIdColumn = /event_id/i.test(policyBody) || tableName.toLowerCase().includes('trac_') || 
+                                  tableName.toLowerCase().includes('mint_') || 
+                                  tableName.toLowerCase().includes('cake_') ||
+                                  tableName.toLowerCase().includes('medi_');
+        const hasOrganisationIdColumn = /organisation_id/i.test(policyBody) || 
+                                        !tableName.toLowerCase().includes('rbac_') &&
+                                        !tableName.toLowerCase().includes('core_organisations');
+        
+        const checksEventIdNotNull = /event_id\s+IS\s+NOT\s+NULL/i.test(policyBody);
+        const checksOrganisationIdNotNull = /organisation_id\s+IS\s+NOT\s+NULL/i.test(policyBody);
+        
+        // For INSERT policies on event-scoped tables, event_id should be required
+        if (operation === 'insert' && hasEventIdColumn && !checksEventIdNotNull) {
+          issues.push({
+            type: 'rlsPolicy',
+            file: relativePath,
+            line: getLineNumber(content, policyStart),
+            message: `RLS INSERT policy '${policyName}' for event-scoped table '${tableName}' should require event_id IS NOT NULL. Permission checks need event_id to verify event-level roles.`,
+            code: getCodeSnippet(content, policyStart, 0, 200),
+            severity: 'error',
+            fix: 'Add event_id IS NOT NULL check to WITH CHECK clause. Pattern: event_id IS NOT NULL AND ...',
+          });
+        }
+        
+        // For authenticated policies, organisation_id should typically be checked
+        if (isAuthenticatedPolicy && hasOrganisationIdColumn && !checksOrganisationIdNotNull && 
+            !isUserScopedOnly && !tableName.toLowerCase().includes('rbac_')) {
+          // Exception: Some tables legitimately allow NULL organisation_id (e.g., user profiles)
+          const allowsNullOrg = /organisation_id\s+IS\s+NULL/i.test(policyBody) && 
+                                /get_effective_user_id\s*\(\s*\)\s*=\s*user_id/i.test(policyBody);
+          
+          if (!allowsNullOrg) {
+            issues.push({
+              type: 'rlsPolicy',
+              file: relativePath,
+              line: getLineNumber(content, policyStart),
+              message: `RLS policy '${policyName}' for table '${tableName}' should check organisation_id IS NOT NULL. Permission checks need organisation_id for proper RBAC context.`,
+              code: getCodeSnippet(content, policyStart, 0, 200),
+              severity: 'warning',
+              fix: 'Add organisation_id IS NOT NULL check. Pattern: organisation_id IS NOT NULL AND ...',
+            });
+          }
+        }
+      }
+      
+      // Check helper function definitions for required attributes
+      const functionPattern = /CREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\s+["']?(\w+)["']?\s*\([^)]*\)\s*RETURNS[^;]+LANGUAGE\s+plpgsql[^;]*AS/gi;
+      let funcMatch;
+      while ((funcMatch = functionPattern.exec(content)) !== null) {
+        const funcName = funcMatch[1];
+        const funcStart = funcMatch.index;
+        const funcEnd = content.indexOf('AS $$', funcStart);
+        if (funcEnd === -1) continue;
+        
+        const funcDef = content.substring(funcStart, funcEnd);
+        
+        // Only flag if function looks like it might be used in RLS (has common helper function patterns)
+        const isLikelyRLSHelper = /check_|get_|is_/.test(funcName.toLowerCase());
+        
+        // Check for security-critical functions with fallback strategies
+        if (funcName.toLowerCase() === 'is_super_admin' || funcName.toLowerCase().includes('super_admin')) {
+          const funcBodyStart = content.indexOf('AS $$', funcStart);
+          if (funcBodyStart !== -1) {
+            const funcBodyEnd = content.indexOf('$$;', funcBodyStart);
+            if (funcBodyEnd !== -1) {
+              const funcBody = content.substring(funcBodyStart, funcBodyEnd);
+              
+              // Check for DEFAULT NULL parameter (allows fallback strategies)
+              const hasDefaultNull = /p_\w+\s+UUID\s+DEFAULT\s+NULL/i.test(funcDef);
+              
+              // Check for multiple fallback patterns in function body
+              const hasFallbackPatterns = (
+                /IF\s+\w+\s+IS\s+NULL\s+THEN/i.test(funcBody) &&
+                /ELSE/i.test(funcBody) &&
+                (/\bauth\.uid\s*\(/i.test(funcBody) || /\bcurrent_setting\s*\(/i.test(funcBody))
+              );
+              
+              if (hasDefaultNull || hasFallbackPatterns) {
+                issues.push({
+                  type: 'rlsPolicy',
+                  file: relativePath,
+                  line: getLineNumber(content, funcStart),
+                  message: `Security-critical function '${funcName}' uses fallback strategies (DEFAULT NULL parameter or multiple fallback patterns). This is a security risk - functions should require explicit parameters and fail secure.`,
+                  code: getCodeSnippet(content, funcStart, 0, 300),
+                  severity: 'error',
+                  fix: 'Remove DEFAULT NULL parameter and all fallback logic. Function should require explicit parameter and return false if parameter is NULL (fail secure).',
+                });
+              }
+            }
+          }
+        }
+        
+        if (isLikelyRLSHelper) {
+          const hasStable = /\bSTABLE\b/i.test(funcDef);
+          const hasSecurityDefiner = /\bSECURITY\s+DEFINER\b/i.test(funcDef);
+          const hasSearchPath = /SET\s+search_path\s+TO\s+['"]?public['"]?/i.test(funcDef);
+          
+          if (!hasStable) {
+            issues.push({
+              type: 'rlsPolicy',
+              file: relativePath,
+              line: getLineNumber(content, funcStart),
+              message: `Helper function '${funcName}' missing STABLE attribute. RLS helper functions must be STABLE for performance.`,
+              code: getCodeSnippet(content, funcStart, 0, 150),
+              severity: 'error',
+              fix: 'Add STABLE attribute to function definition.',
+            });
+          }
+          
+          if (!hasSecurityDefiner) {
+            issues.push({
+              type: 'rlsPolicy',
+              file: relativePath,
+              line: getLineNumber(content, funcStart),
+              message: `Helper function '${funcName}' missing SECURITY DEFINER attribute. RLS helper functions must be SECURITY DEFINER to bypass RLS recursion.`,
+              code: getCodeSnippet(content, funcStart, 0, 150),
+              severity: 'error',
+              fix: 'Add SECURITY DEFINER attribute to function definition.',
+            });
+          }
+          
+          if (!hasSearchPath) {
+            issues.push({
+              type: 'rlsPolicy',
+              file: relativePath,
+              line: getLineNumber(content, funcStart),
+              message: `Helper function '${funcName}' missing SET search_path TO public. Required to prevent search path injection.`,
+              code: getCodeSnippet(content, funcStart, 0, 150),
+              severity: 'error',
+              fix: 'Add SET search_path TO public to function definition.',
+            });
+          }
+        }
+      }
+    } catch (error) {
+      // Skip files that can't be read
+    }
+  });
+  
+  return issues;
+}
+
+/**
+ * Check PagePermissionGuard coverage (all protected pages have guard)
+ */
+function checkPagePermissionGuardCoverage(consumingAppPath) {
+  const issues = [];
+  
+  const srcDir = path.join(consumingAppPath, 'src');
+  if (!directoryExists(srcDir)) {
+    return issues;
+  }
+  
+  const sourceFiles = findSourceFiles(srcDir);
+  
+  // Helper to check if file is likely a page component
+  function isPageComponent(filePath, content) {
+    const fileName = path.basename(filePath);
+    const dirName = path.dirname(filePath);
+    const dirParts = dirName.split(path.sep);
+    
+    // EXCLUDE: Provider components, routing components, shared components
+    if (dirParts.some(part => part.toLowerCase() === 'providers' || part.toLowerCase() === 'provider')) {
+      return false;
+    }
+    if (/Route(s)?\.(tsx?|jsx?)$/i.test(fileName)) {
+      return false;
+    }
+    
+    // INCLUDE: Files in pages/ directory
+    if (dirParts.some(part => part.toLowerCase() === 'pages')) {
+      return true;
+    }
+    
+    // INCLUDE: Files matching *Page.tsx pattern
+    if (/Page\.(tsx?|jsx?)$/i.test(fileName)) {
+      return true;
+    }
+    
+    return false;
+  }
+  
+  sourceFiles.forEach(filePath => {
+    const content = readFileSafe(filePath);
+    if (!content) {
+      return;
+    }
+    
+    if (!isPageComponent(filePath, content)) {
+      return;
+    }
+    
+    const relativePath = getRelativePath(filePath, consumingAppPath);
+    const fileName = path.basename(filePath, path.extname(filePath));
+    
+    // Exclude public/error pages that don't need RBAC protection
+    // NotFound, 404, Error, Unauthorized, Forbidden, AccessDenied pages are public
+    const isPublicPage = /NotFound|not.*found|404|Error|Unauthorized|Forbidden|AccessDenied/i.test(fileName) ||
+                        /public|error|unauthorized|forbidden|access.*denied/i.test(relativePath);
+    
+    if (isPublicPage) {
+      return; // Skip public/error pages - they don't need PagePermissionGuard
+    }
+    
+    // Check if PagePermissionGuard is used
+    const hasPagePermissionGuard = /<PagePermissionGuard/.test(content) || 
+                                   /PagePermissionGuard\s*</.test(content);
+    
+    // Check if RBAC hooks are imported (indicates this should be protected)
+    const hasRBACHooks = importsFromPaceCore(content, 'useCan') ||
+                         importsFromPaceCore(content, 'useResourcePermissions') ||
+                         importsFromPaceCore(content, 'usePermissions') ||
+                         importsFromPaceCore(content, 'useRBAC');
+    
+    // Check if component returns JSX (likely a page)
+    const returnsJSX = /return\s*\(/.test(content) || /return\s+</.test(content);
+    
+    if (returnsJSX && !hasPagePermissionGuard) {
+      if (hasRBACHooks) {
+        // Definitely should be protected
+        issues.push({
+          type: 'rbacPageGuard',
+          file: relativePath,
+          line: 1,
+          message: 'Page component missing PagePermissionGuard wrapper. Pages using RBAC hooks must be protected.',
+          severity: 'error',
+          fix: 'Wrap page content with <PagePermissionGuard pageName="page-name" operation="read">',
+        });
+      } else {
+        // Might be a public page, but flag for review
+        issues.push({
+          type: 'rbacPageGuard',
+          file: relativePath,
+          line: 1,
+          message: 'Page component does not use PagePermissionGuard. Verify if this page should be protected.',
+          severity: 'warning',
+          fix: 'If page should be protected, wrap with <PagePermissionGuard pageName="page-name" operation="read">',
+        });
+      }
+    }
+    
+    // Check if PagePermissionGuard is used incorrectly (missing required props)
+    if (hasPagePermissionGuard) {
+      const pageGuardPattern = /<PagePermissionGuard[^>]*>/g;
+      let match;
+      while ((match = pageGuardPattern.exec(content)) !== null) {
+        if (isInCommentOrString(content, match.index)) {
+          continue;
+        }
+        
+        const guardProps = match[0];
+        const hasPageName = /pageName\s*=/.test(guardProps);
+        const hasOperation = /operation\s*=/.test(guardProps);
+        
+        if (!hasPageName || !hasOperation) {
+          issues.push({
+            type: 'rbacPageGuard',
+            file: relativePath,
+            line: getLineNumber(content, match.index),
+            message: 'PagePermissionGuard missing required props (pageName or operation)',
+            code: guardProps,
+            severity: 'error',
+            fix: 'Add required props: <PagePermissionGuard pageName="page-name" operation="read">',
+          });
+        }
+      }
+    }
+  });
+  
+  return issues;
+}
+
+/**
+ * Check Edge Functions RBAC setup
+ */
+function checkEdgeFunctionsRBAC(consumingAppPath) {
+  const issues = [];
+  
+  const edgeFunctionsDir = path.join(consumingAppPath, 'supabase', 'functions');
+  if (!directoryExists(edgeFunctionsDir)) {
+    return issues; // No edge functions, skip
+  }
+  
+  // Find all edge function files
+  function findEdgeFunctionFiles(dir) {
+    const files = [];
+    if (!fs.existsSync(dir)) return files;
+    
+    const entries = fs.readdirSync(dir);
+    entries.forEach(entry => {
+      const entryPath = path.join(dir, entry);
+      const stat = fs.statSync(entryPath);
+      
+      if (stat.isDirectory()) {
+        // Look for index.ts or index.js in function directory
+        const indexFiles = ['index.ts', 'index.js', 'index.tsx', 'index.jsx'];
+        indexFiles.forEach(indexFile => {
+          const indexPath = path.join(entryPath, indexFile);
+          if (fs.existsSync(indexPath)) {
+            files.push(indexPath);
+          }
+        });
+      }
+    });
+    
+    return files;
+  }
+  
+  const edgeFunctionFiles = findEdgeFunctionFiles(edgeFunctionsDir);
+  
+  edgeFunctionFiles.forEach(filePath => {
+    const content = readFileSafe(filePath);
+    if (!content) {
+      return;
+    }
+    
+    const relativePath = getRelativePath(filePath, consumingAppPath);
+    
+    // Check for setupRBAC import
+    const hasSetupRBAC = /setupRBAC|from\s+['"]@jmruthers\/pace-core\/rbac['"]/.test(content);
+    
+    // Check for isPermitted usage
+    const hasIsPermitted = /\bisPermitted\s*\(/.test(content);
+    
+    // If function uses RBAC but doesn't call setupRBAC
+    if (hasIsPermitted && !hasSetupRBAC) {
+      issues.push({
+        type: 'edgeFunctionRBAC',
+        file: relativePath,
+        line: 1,
+        message: 'Edge function uses isPermitted() but does not call setupRBAC(). Must call setupRBAC() before using RBAC functions.',
+        severity: 'error',
+        fix: 'Add: import { setupRBAC, isPermitted } from \'@jmruthers/pace-core/rbac\'; and call setupRBAC() at the start of the handler.',
+      });
+    }
+  });
+  
+  return issues;
+}
+
+/**
+ * Run audit for Standard 6: Security & RBAC
+ * @param {string} consumingAppPath - Path to consuming app
+ * @returns {object} - Audit results with issues array
+ */
+function runStandard6Audit(consumingAppPath) {
+  const issues = [];
+  
+  try {
+    issues.push(...checkRLSPolicies(consumingAppPath));
+    issues.push(...checkPagePermissionGuardCoverage(consumingAppPath));
+    issues.push(...checkEdgeFunctionsRBAC(consumingAppPath));
+  } catch (error) {
+    return {
+      standard: '06-security-rbac',
+      issues: [],
+      error: error.message,
+    };
+  }
+  
+  return {
+    standard: '06-security-rbac',
+    issues,
+    error: null,
+  };
+}
+
+module.exports = { runStandard6Audit };