39948-vm/backend/scripts/check-public-access-hardening.js
2026-06-28 21:29:29 +02:00


#!/usr/bin/env node
const db = require('../src/db/models');
const AccessPolicyAuditService = require('../src/services/access-policy-audit');
// `--fix` anywhere on the command line switches the script from report-only
// mode to applying the cleanup. Without the flag nothing is modified.
const shouldFix = process.argv.some((arg) => arg === '--fix');

// Longest time, in milliseconds, the exit handler waits for the database
// connection to close before the process is terminated anyway.
const EXIT_TIMEOUT_MS = 1500;
/**
 * Reduce an audit report to the number of findings in each category.
 *
 * Only the three list lengths are returned, so the summary carries no
 * record-level detail from the report.
 *
 * @param {object} report - Audit report holding the three violation lists.
 * @returns {{publicRolePermissions: number,
 *   publicUsersWithCustomPermissions: number,
 *   productionPresentationAccessForNonPublicUsers: number}} Finding counts.
 * @throws {TypeError} If one of the three lists is missing from the report.
 */
function summarizeReport(report) {
  const {
    publicRolePermissions: rolePermissions,
    publicUsersWithCustomPermissions: customPermissionUsers,
    productionPresentationAccessForNonPublicUsers: productionGrants,
  } = report;

  const summary = {};
  summary.publicRolePermissions = rolePermissions.length;
  summary.publicUsersWithCustomPermissions = customPermissionUsers.length;
  summary.productionPresentationAccessForNonPublicUsers =
    productionGrants.length;
  return summary;
}
/**
 * Run the public-access hardening check, or the cleanup when `--fix` is set.
 *
 * Fix mode: calls AccessPolicyAuditService.cleanupViolations inside a single
 * Sequelize managed transaction and prints the three values it returns under
 * `summary`. The audit is not re-run afterwards, so exit code 0 in this mode
 * only means the cleanup did not throw.
 *
 * Audit mode: prints `ok`, the per-category counts and the full report as
 * JSON, and sets the exit code to 1 when violations exist.
 *
 * @returns {Promise<void>}
 */
async function main() {
  // Every result goes to stdout as 2-space indented JSON.
  const emit = (payload) => {
    console.log(JSON.stringify(payload, null, 2));
  };

  if (!shouldFix) {
    const report = await AccessPolicyAuditService.findViolations();
    const hasViolations = AccessPolicyAuditService.hasViolations(report);

    // NOTE(review): the full report is printed, not only the counts. It
    // presumably identifies the affected users and roles; confirm that the
    // logs capturing this output are allowed to hold that detail.
    emit({
      ok: !hasViolations,
      summary: summarizeReport(report),
      report,
    });

    // A non-zero exit lets a calling job fail on any finding.
    if (hasViolations) {
      process.exitCode = 1;
    }
    return;
  }

  // The callback form hands commit/rollback to Sequelize: a rejection from
  // cleanupViolations rejects the transaction promise and reaches the caller.
  const result = await db.sequelize.transaction((transaction) => {
    return AccessPolicyAuditService.cleanupViolations({ transaction });
  });
  const {
    removedPublicRolePermissions,
    clearedPublicUserCustomPermissions,
    removedNonPublicProductionPresentationGrants,
  } = result;

  emit({
    fixed: true,
    summary: {
      removedPublicRolePermissions,
      clearedPublicUserCustomPermissions,
      removedNonPublicProductionPresentationGrants,
    },
  });
}
// Script entry point. Any error from main() is logged and turned into exit
// code 1. The database connection is then closed on a best-effort basis, and
// the process is terminated explicitly.
main()
  .catch((err) => {
    console.error(err);
    process.exitCode = 1;
  })
  .finally(async () => {
    try {
      const closing = db.sequelize.close();
      // Stop waiting after EXIT_TIMEOUT_MS so a stuck close cannot hold the
      // process open.
      const deadline = new Promise((resolve) => {
        setTimeout(resolve, EXIT_TIMEOUT_MS);
      });
      await Promise.race([closing, deadline]);
    } finally {
      // Runs even when close() fails, so the exit code chosen by main() or
      // the catch handler above is the one reported.
      process.exit(process.exitCode || 0);
    }
  });