@nice2dev/ui-tools 1.0.10

package/dist/access-control.d.ts

@@ -0,0 +1,726 @@
+/**
+ * @file access-control.ts
+ * @module @nice2dev/ui-tools/access-control
+ * @description PRO-12.3 — Access Control types
+ *
+ * IAM management, user directory, role manager, permission matrix,
+ * policy editor, access reviews, JIT access, MFA, SSO.
+ */
+/** Identity provider */
+export interface IdentityProvider {
+    readonly id: string;
+    readonly name: string;
+    readonly type: IdpType;
+    readonly enabled: boolean;
+    readonly config: IdpConfig;
+    readonly mappings: AttributeMappings;
+    readonly createdAt: Date;
+    readonly updatedAt: Date;
+}
+/** IDP type */
+export type IdpType = 'local' | 'ldap' | 'active_directory' | 'saml' | 'oidc' | 'oauth2' | 'scim';
+/** IDP config */
+export type IdpConfig = LdapConfig | SamlConfig | OidcConfig | ScimConfig;
+/** LDAP config */
+export interface LdapConfig {
+    readonly type: 'ldap' | 'active_directory';
+    readonly host: string;
+    readonly port: number;
+    readonly bindDn: string;
+    readonly baseDn: string;
+    readonly userSearchBase: string;
+    readonly userFilter: string;
+    readonly groupSearchBase?: string;
+    readonly groupFilter?: string;
+    readonly useSsl: boolean;
+    readonly startTls: boolean;
+    readonly connectionTimeout: number;
+    readonly searchTimeout: number;
+}
+/** SAML config */
+export interface SamlConfig {
+    readonly type: 'saml';
+    readonly entityId: string;
+    readonly ssoUrl: string;
+    readonly sloUrl?: string;
+    readonly certificate: string;
+    readonly signatureAlgorithm: string;
+    readonly digestAlgorithm: string;
+    readonly wantAssertionsSigned: boolean;
+    readonly wantMessagesSigned: boolean;
+    readonly allowUnsolicitedResponse: boolean;
+    readonly acsUrl: string;
+    readonly metadataUrl?: string;
+}
+/** OIDC config */
+export interface OidcConfig {
+    readonly type: 'oidc';
+    readonly issuer: string;
+    readonly clientId: string;
+    readonly clientSecret?: string;
+    readonly authorizationEndpoint: string;
+    readonly tokenEndpoint: string;
+    readonly userinfoEndpoint?: string;
+    readonly endSessionEndpoint?: string;
+    readonly jwksUri: string;
+    readonly scopes: readonly string[];
+    readonly responseType: string;
+    readonly redirectUri: string;
+    readonly usePkce: boolean;
+}
+/** SCIM config */
+export interface ScimConfig {
+    readonly type: 'scim';
+    readonly baseUrl: string;
+    readonly bearerToken?: string;
+    readonly version: '1.1' | '2.0';
+    readonly syncInterval: number;
+    readonly pushEnabled: boolean;
+}
+/** Attribute mappings */
+export interface AttributeMappings {
+    readonly username: string;
+    readonly email: string;
+    readonly firstName?: string;
+    readonly lastName?: string;
+    readonly displayName?: string;
+    readonly phone?: string;
+    readonly groups?: string;
+    readonly roles?: string;
+    readonly custom: Record<string, string>;
+}
+/** User */
+export interface IamUser {
+    readonly id: string;
+    readonly username: string;
+    readonly email: string;
+    readonly firstName?: string;
+    readonly lastName?: string;
+    readonly displayName?: string;
+    readonly phone?: string;
+    readonly avatar?: string;
+    readonly status: UserStatus;
+    readonly type: UserType;
+    readonly source: UserSource;
+    readonly roles: readonly string[];
+    readonly groups: readonly string[];
+    readonly permissions: readonly string[];
+    readonly attributes: Record<string, unknown>;
+    readonly mfaEnabled: boolean;
+    readonly mfaMethods: readonly MfaMethod[];
+    readonly passwordLastChanged?: Date;
+    readonly lastLogin?: Date;
+    readonly lastLoginIp?: string;
+    readonly loginCount: number;
+    readonly failedLoginAttempts: number;
+    readonly lockedUntil?: Date;
+    readonly createdAt: Date;
+    readonly updatedAt: Date;
+    readonly createdBy?: string;
+}
+/** User status */
+export type UserStatus = 'active' | 'inactive' | 'pending' | 'locked' | 'suspended' | 'archived';
+/** User type */
+export type UserType = 'human' | 'service' | 'machine' | 'bot';
+/** User source */
+export interface UserSource {
+    readonly providerId: string;
+    readonly providerType: IdpType;
+    readonly externalId?: string;
+}
+/** MFA method */
+export type MfaMethod = 'totp' | 'sms' | 'email' | 'webauthn' | 'push' | 'backup_codes';
+/** User search query */
+export interface UserSearchQuery {
+    readonly query?: string;
+    readonly status?: readonly UserStatus[];
+    readonly type?: readonly UserType[];
+    readonly roles?: readonly string[];
+    readonly groups?: readonly string[];
+    readonly providers?: readonly string[];
+    readonly mfaEnabled?: boolean;
+    readonly createdAfter?: Date;
+    readonly createdBefore?: Date;
+    readonly lastLoginAfter?: Date;
+    readonly lastLoginBefore?: Date;
+    readonly sortBy?: UserSortField;
+    readonly sortOrder?: 'asc' | 'desc';
+    readonly page: number;
+    readonly pageSize: number;
+}
+/** User sort field */
+export type UserSortField = 'username' | 'email' | 'displayName' | 'status' | 'createdAt' | 'lastLogin';
+/** User search result */
+export interface UserSearchResult {
+    readonly users: readonly IamUser[];
+    readonly total: number;
+    readonly page: number;
+    readonly pageSize: number;
+    readonly hasMore: boolean;
+}
+/** Role */
+export interface IamRole {
+    readonly id: string;
+    readonly name: string;
+    readonly displayName: string;
+    readonly description?: string;
+    readonly type: RoleType;
+    readonly permissions: readonly string[];
+    readonly inheritsFrom: readonly string[];
+    readonly constraints?: RoleConstraints;
+    readonly metadata: Record<string, unknown>;
+    readonly system: boolean;
+    readonly createdAt: Date;
+    readonly updatedAt: Date;
+}
+/** Role type */
+export type RoleType = 'system' | 'organization' | 'project' | 'custom';
+/** Role constraints */
+export interface RoleConstraints {
+    readonly maxUsers?: number;
+    readonly requiresMfa: boolean;
+    readonly ipWhitelist?: readonly string[];
+    readonly timeRestrictions?: TimeRestrictions;
+    readonly resourceScopes?: readonly ResourceScope[];
+}
+/** Time restrictions */
+export interface TimeRestrictions {
+    readonly daysOfWeek: readonly number[];
+    readonly startTime: string;
+    readonly endTime: string;
+    readonly timezone: string;
+}
+/** Resource scope */
+export interface ResourceScope {
+    readonly resourceType: string;
+    readonly resourceIds?: readonly string[];
+    readonly conditions?: Record<string, unknown>;
+}
+/** Role hierarchy */
+export interface RoleHierarchy {
+    readonly roots: readonly RoleNode[];
+}
+/** Role node */
+export interface RoleNode {
+    readonly role: IamRole;
+    readonly children: readonly RoleNode[];
+    readonly depth: number;
+}
+/** Permission */
+export interface Permission {
+    readonly id: string;
+    readonly name: string;
+    readonly displayName: string;
+    readonly description?: string;
+    readonly resource: string;
+    readonly action: PermissionAction;
+    readonly category: string;
+    readonly system: boolean;
+}
+/** Permission action */
+export type PermissionAction = 'create' | 'read' | 'update' | 'delete' | 'list' | 'execute' | 'manage' | 'admin' | '*';
+/** Permission matrix */
+export interface PermissionMatrix {
+    readonly resources: readonly PermissionResource[];
+    readonly roles: readonly string[];
+    readonly matrix: PermissionMatrixCell[][];
+}
+/** Permission resource */
+export interface PermissionResource {
+    readonly name: string;
+    readonly displayName: string;
+    readonly actions: readonly PermissionAction[];
+}
+/** Permission matrix cell */
+export interface PermissionMatrixCell {
+    readonly resource: string;
+    readonly action: PermissionAction;
+    readonly granted: boolean;
+    readonly inherited: boolean;
+    readonly inheritedFrom?: string;
+}
+/** Group */
+export interface IamGroup {
+    readonly id: string;
+    readonly name: string;
+    readonly displayName: string;
+    readonly description?: string;
+    readonly type: GroupType;
+    readonly source: GroupSource;
+    readonly roles: readonly string[];
+    readonly permissions: readonly string[];
+    readonly members: readonly GroupMember[];
+    readonly memberCount: number;
+    readonly parentGroupId?: string;
+    readonly childGroupIds: readonly string[];
+    readonly attributes: Record<string, unknown>;
+    readonly createdAt: Date;
+    readonly updatedAt: Date;
+}
+/** Group type */
+export type GroupType = 'security' | 'distribution' | 'organizational' | 'project' | 'dynamic';
+/** Group source */
+export interface GroupSource {
+    readonly providerId: string;
+    readonly providerType: IdpType;
+    readonly externalId?: string;
+    readonly syncEnabled: boolean;
+}
+/** Group member */
+export interface GroupMember {
+    readonly userId: string;
+    readonly username: string;
+    readonly displayName?: string;
+    readonly email?: string;
+    readonly membershipType: MembershipType;
+    readonly addedAt: Date;
+    readonly addedBy?: string;
+    readonly expiresAt?: Date;
+}
+/** Membership type */
+export type MembershipType = 'direct' | 'inherited' | 'dynamic';
+/** Dynamic group rule */
+export interface DynamicGroupRule {
+    readonly id: string;
+    readonly groupId: string;
+    readonly attribute: string;
+    readonly operator: RuleOperator;
+    readonly value: string;
+    readonly logic?: 'and' | 'or';
+}
+/** Rule operator */
+export type RuleOperator = 'equals' | 'not_equals' | 'contains' | 'not_contains' | 'starts_with' | 'ends_with' | 'matches' | 'in' | 'not_in';
+/** Access policy */
+export interface AccessPolicy {
+    readonly id: string;
+    readonly name: string;
+    readonly description?: string;
+    readonly enabled: boolean;
+    readonly version: number;
+    readonly effect: PolicyEffect;
+    readonly subjects: readonly PolicySubject[];
+    readonly resources: readonly PolicyResource[];
+    readonly actions: readonly string[];
+    readonly conditions?: PolicyConditions;
+    readonly priority: number;
+    readonly createdAt: Date;
+    readonly updatedAt: Date;
+    readonly createdBy: string;
+}
+/** Policy effect */
+export type PolicyEffect = 'allow' | 'deny';
+/** Policy subject */
+export interface PolicySubject {
+    readonly type: SubjectType;
+    readonly id: string;
+    readonly name?: string;
+}
+/** Subject type */
+export type SubjectType = 'user' | 'group' | 'role' | 'service' | 'any';
+/** Policy resource */
+export interface PolicyResource {
+    readonly type: string;
+    readonly id?: string;
+    readonly pattern?: string;
+    readonly tags?: Record<string, string>;
+}
+/** Policy conditions */
+export interface PolicyConditions {
+    readonly ipAddress?: IpCondition;
+    readonly time?: TimeCondition;
+    readonly mfa?: MfaCondition;
+    readonly context?: Record<string, ContextCondition>;
+}
+/** IP condition */
+export interface IpCondition {
+    readonly operator: 'in' | 'not_in';
+    readonly values: readonly string[];
+}
+/** Time condition */
+export interface TimeCondition {
+    readonly days?: readonly number[];
+    readonly hours?: TimeRange;
+    readonly timezone?: string;
+    readonly dateRange?: DateRange;
+}
+/** Time range */
+export interface TimeRange {
+    readonly start: string;
+    readonly end: string;
+}
+/** Date range */
+export interface DateRange {
+    readonly start: Date;
+    readonly end: Date;
+}
+/** MFA condition */
+export interface MfaCondition {
+    readonly required: boolean;
+    readonly methods?: readonly MfaMethod[];
+    readonly maxAge?: number;
+}
+/** Context condition */
+export interface ContextCondition {
+    readonly operator: ConditionOperator;
+    readonly value: unknown;
+}
+/** Condition operator */
+export type ConditionOperator = 'equals' | 'not_equals' | 'greater_than' | 'less_than' | 'contains' | 'not_contains' | 'exists';
+/** Access review campaign */
+export interface AccessReviewCampaign {
+    readonly id: string;
+    readonly name: string;
+    readonly description?: string;
+    readonly type: ReviewType;
+    readonly status: ReviewCampaignStatus;
+    readonly scope: ReviewScope;
+    readonly schedule: ReviewSchedule;
+    readonly reviewers: readonly Reviewer[];
+    readonly settings: ReviewSettings;
+    readonly statistics: ReviewStatistics;
+    readonly createdAt: Date;
+    readonly startedAt?: Date;
+    readonly endedAt?: Date;
+    readonly createdBy: string;
+}
+/** Review type */
+export type ReviewType = 'user_access' | 'group_membership' | 'role_assignment' | 'permission' | 'privileged_access';
+/** Review campaign status */
+export type ReviewCampaignStatus = 'draft' | 'scheduled' | 'in_progress' | 'completed' | 'cancelled';
+/** Review scope */
+export interface ReviewScope {
+    readonly users?: readonly string[];
+    readonly groups?: readonly string[];
+    readonly roles?: readonly string[];
+    readonly resources?: readonly string[];
+    readonly applications?: readonly string[];
+}
+/** Review schedule */
+export interface ReviewSchedule {
+    readonly startDate: Date;
+    readonly endDate: Date;
+    readonly recurrence?: ReviewRecurrence;
+    readonly reminderDays: readonly number[];
+}
+/** Review recurrence */
+export interface ReviewRecurrence {
+    readonly frequency: 'monthly' | 'quarterly' | 'semi-annual' | 'annual';
+    readonly dayOfMonth?: number;
+    readonly monthOfYear?: number;
+}
+/** Reviewer */
+export interface Reviewer {
+    readonly id: string;
+    readonly type: ReviewerType;
+    readonly userId?: string;
+    readonly groupId?: string;
+}
+/** Reviewer type */
+export type ReviewerType = 'manager' | 'resource_owner' | 'user' | 'group' | 'self';
+/** Review settings */
+export interface ReviewSettings {
+    readonly allowSelfReview: boolean;
+    readonly requireJustification: boolean;
+    readonly autoRemediateOnExpiry: boolean;
+    readonly defaultDecisionOnExpiry: AccessDecision;
+    readonly notifyOnDecision: boolean;
+    readonly escalationEnabled: boolean;
+    readonly escalationDays?: number;
+}
+/** Access decision */
+export type AccessDecision = 'approve' | 'revoke' | 'pending';
+/** Review statistics */
+export interface ReviewStatistics {
+    readonly totalItems: number;
+    readonly reviewed: number;
+    readonly approved: number;
+    readonly revoked: number;
+    readonly pending: number;
+    readonly completionPercent: number;
+}
+/** Access review item */
+export interface AccessReviewItem {
+    readonly id: string;
+    readonly campaignId: string;
+    readonly subject: ReviewSubjectInfo;
+    readonly access: ReviewAccessInfo;
+    readonly reviewer: ReviewerInfo;
+    readonly decision?: AccessDecision;
+    readonly justification?: string;
+    readonly decidedAt?: Date;
+    readonly remediatedAt?: Date;
+}
+/** Review subject info */
+export interface ReviewSubjectInfo {
+    readonly type: 'user' | 'service';
+    readonly id: string;
+    readonly name: string;
+    readonly email?: string;
+}
+/** Review access info */
+export interface ReviewAccessInfo {
+    readonly type: 'role' | 'group' | 'permission' | 'resource';
+    readonly id: string;
+    readonly name: string;
+    readonly grantedAt: Date;
+    readonly grantedBy?: string;
+    readonly lastUsed?: Date;
+    readonly risk?: RiskLevel;
+}
+/** Risk level */
+export type RiskLevel = 'critical' | 'high' | 'medium' | 'low' | 'none';
+/** Reviewer info */
+export interface ReviewerInfo {
+    readonly id: string;
+    readonly name: string;
+    readonly email?: string;
+}
+/** Entitlement report */
+export interface EntitlementReport {
+    readonly id: string;
+    readonly name: string;
+    readonly type: EntitlementReportType;
+    readonly generatedAt: Date;
+    readonly parameters: ReportParameters;
+    readonly data: readonly EntitlementEntry[];
+    readonly summary: EntitlementSummary;
+}
+/** Entitlement report type */
+export type EntitlementReportType = 'user_entitlements' | 'resource_access' | 'role_membership' | 'orphaned_accounts' | 'excessive_permissions' | 'sod_violations';
+/** Report parameters */
+export interface ReportParameters {
+    readonly users?: readonly string[];
+    readonly groups?: readonly string[];
+    readonly roles?: readonly string[];
+    readonly resources?: readonly string[];
+    readonly asOfDate?: Date;
+}
+/** Entitlement entry */
+export interface EntitlementEntry {
+    readonly subject: EntitlementSubject;
+    readonly entitlements: readonly Entitlement[];
+}
+/** Entitlement subject */
+export interface EntitlementSubject {
+    readonly type: 'user' | 'service';
+    readonly id: string;
+    readonly name: string;
+    readonly email?: string;
+    readonly department?: string;
+    readonly manager?: string;
+}
+/** Entitlement */
+export interface Entitlement {
+    readonly type: 'role' | 'group' | 'permission' | 'resource';
+    readonly id: string;
+    readonly name: string;
+    readonly source: EntitlementSource;
+    readonly grantedAt: Date;
+    readonly expiresAt?: Date;
+    readonly lastUsed?: Date;
+    readonly risk: RiskLevel;
+}
+/** Entitlement source */
+export type EntitlementSource = 'direct' | 'group' | 'role' | 'policy' | 'inherited';
+/** Entitlement summary */
+export interface EntitlementSummary {
+    readonly totalSubjects: number;
+    readonly totalEntitlements: number;
+    readonly byType: Record<string, number>;
+    readonly byRisk: Record<RiskLevel, number>;
+    readonly orphanedCount: number;
+    readonly excessiveCount: number;
+}
+/** JIT access request */
+export interface JitAccessRequest {
+    readonly id: string;
+    readonly requesterId: string;
+    readonly requesterName: string;
+    readonly accessType: JitAccessType;
+    readonly resource: JitResource;
+    readonly justification: string;
+    readonly duration: number;
+    readonly requestedAt: Date;
+    readonly status: JitRequestStatus;
+    readonly approvers: readonly JitApprover[];
+    readonly grantedAt?: Date;
+    readonly expiresAt?: Date;
+    readonly revokedAt?: Date;
+    readonly revokedBy?: string;
+    readonly metadata?: Record<string, unknown>;
+}
+/** JIT access type */
+export type JitAccessType = 'role_elevation' | 'resource_access' | 'privileged_session' | 'break_glass';
+/** JIT resource */
+export interface JitResource {
+    readonly type: string;
+    readonly id: string;
+    readonly name: string;
+    readonly permissions: readonly string[];
+}
+/** JIT request status */
+export type JitRequestStatus = 'pending' | 'approved' | 'denied' | 'active' | 'expired' | 'revoked' | 'cancelled';
+/** JIT approver */
+export interface JitApprover {
+    readonly userId: string;
+    readonly name: string;
+    readonly decision?: 'approved' | 'denied';
+    readonly decidedAt?: Date;
+    readonly comment?: string;
+}
+/** JIT policy */
+export interface JitPolicy {
+    readonly id: string;
+    readonly name: string;
+    readonly enabled: boolean;
+    readonly resources: readonly JitResourcePolicy[];
+    readonly maxDuration: number;
+    readonly requireJustification: boolean;
+    readonly minApprovers: number;
+    readonly autoApprove: boolean;
+    readonly autoApproveConditions?: PolicyConditions;
+    readonly notifyOnRequest: boolean;
+    readonly notifyOnApproval: boolean;
+    readonly notifyOnExpiry: boolean;
+}
+/** JIT resource policy */
+export interface JitResourcePolicy {
+    readonly resourceType: string;
+    readonly resourcePattern?: string;
+    readonly allowedRoles: readonly string[];
+    readonly allowedPermissions: readonly string[];
+    readonly approverGroups: readonly string[];
+}
+/** MFA config */
+export interface MfaConfig {
+    readonly enabled: boolean;
+    readonly required: boolean;
+    readonly methods: readonly MfaMethodConfig[];
+    readonly gracePeriodDays: number;
+    readonly rememberDeviceDays: number;
+    readonly enforcementPolicy: MfaEnforcementPolicy;
+}
+/** MFA method config */
+export interface MfaMethodConfig {
+    readonly method: MfaMethod;
+    readonly enabled: boolean;
+    readonly config: Record<string, unknown>;
+}
+/** MFA enforcement policy */
+export interface MfaEnforcementPolicy {
+    readonly scope: 'all' | 'roles' | 'groups' | 'conditions';
+    readonly roles?: readonly string[];
+    readonly groups?: readonly string[];
+    readonly conditions?: MfaConditionConfig;
+}
+/** MFA condition config */
+export interface MfaConditionConfig {
+    readonly newDevice: boolean;
+    readonly newLocation: boolean;
+    readonly sensitiveAction: boolean;
+    readonly riskScore?: number;
+}
+/** User MFA status */
+export interface UserMfaStatus {
+    readonly userId: string;
+    readonly enabled: boolean;
+    readonly enforced: boolean;
+    readonly methods: readonly UserMfaMethod[];
+    readonly backupCodesRemaining: number;
+    readonly lastVerification?: Date;
+}
+/** User MFA method */
+export interface UserMfaMethod {
+    readonly method: MfaMethod;
+    readonly enrolledAt: Date;
+    readonly lastUsed?: Date;
+    readonly phoneNumber?: string;
+    readonly email?: string;
+    readonly deviceName?: string;
+}
+/** SSO config */
+export interface SsoConfig {
+    readonly id: string;
+    readonly name: string;
+    readonly enabled: boolean;
+    readonly type: SsoType;
+    readonly config: SamlConfig | OidcConfig;
+    readonly userProvisioning: UserProvisioningConfig;
+    readonly sessionConfig: SsoSessionConfig;
+    readonly createdAt: Date;
+    readonly updatedAt: Date;
+}
+/** SSO type */
+export type SsoType = 'saml' | 'oidc';
+/** User provisioning config */
+export interface UserProvisioningConfig {
+    readonly enabled: boolean;
+    readonly autoCreate: boolean;
+    readonly autoUpdate: boolean;
+    readonly deactivateOnRemoval: boolean;
+    readonly defaultRoles: readonly string[];
+    readonly defaultGroups: readonly string[];
+}
+/** SSO session config */
+export interface SsoSessionConfig {
+    readonly maxSessionDuration: number;
+    readonly idleTimeout: number;
+    readonly singleLogoutEnabled: boolean;
+    readonly forceReauthentication: boolean;
+}
+/** User session */
+export interface UserSession {
+    readonly id: string;
+    readonly userId: string;
+    readonly username: string;
+    readonly createdAt: Date;
+    readonly lastActivityAt: Date;
+    readonly expiresAt: Date;
+    readonly ipAddress: string;
+    readonly userAgent: string;
+    readonly device: DeviceInfo;
+    readonly location?: GeoLocation;
+    readonly authMethod: string;
+    readonly mfaUsed: boolean;
+    readonly current: boolean;
+    readonly trusted: boolean;
+}
+/** Device info */
+export interface DeviceInfo {
+    readonly type: 'desktop' | 'mobile' | 'tablet' | 'unknown';
+    readonly os: string;
+    readonly osVersion?: string;
+    readonly browser: string;
+    readonly browserVersion?: string;
+    readonly deviceId?: string;
+    readonly trusted: boolean;
+}
+/** Geo location */
+export interface GeoLocation {
+    readonly country: string;
+    readonly region?: string;
+    readonly city?: string;
+    readonly latitude?: number;
+    readonly longitude?: number;
+}
+/** Session policy */
+export interface SessionPolicy {
+    readonly maxConcurrentSessions: number;
+    readonly absoluteTimeout: number;
+    readonly idleTimeout: number;
+    readonly renewalThreshold: number;
+    readonly bindToIp: boolean;
+    readonly bindToDevice: boolean;
+    readonly allowRememberMe: boolean;
+    readonly rememberMeDuration: number;
+}
+/** Session action */
+export interface SessionAction {
+    readonly type: SessionActionType;
+    readonly sessionId?: string;
+    readonly userId?: string;
+    readonly reason?: string;
+}
+/** Session action type */
+export type SessionActionType = 'revoke' | 'revoke_all' | 'revoke_all_except_current' | 'extend' | 'trust_device' | 'untrust_device';
+//# sourceMappingURL=access-control.d.ts.map