39948-vm/backend/scripts/check-public-access-hardening.ts

#!/usr/bin/env node
import db from '../src/db/models/index.ts';
import AccessPolicyAuditService from '../src/services/access-policy-audit.ts';
import type {
AccessPolicyAuditReport,
PublicAccessHardeningSummary,
} from '../src/types/index.ts';
// `--fix` switches the script from audit-only to remediation; every other argument is ignored.
const shouldFix = process.argv.some((arg) => arg === '--fix');
// Upper bound on how long shutdown waits for the DB connection pool before forcing exit.
const EXIT_TIMEOUT_MS = 1500;
/**
 * Collapse a full audit report into per-category violation counts for the JSON output.
 * The detailed lists are not lost: the caller prints the report itself alongside this summary.
 */
function summarizeReport(
  report: AccessPolicyAuditReport,
): PublicAccessHardeningSummary {
  const {
    publicRolePermissions,
    publicUsersWithCustomPermissions,
    productionPresentationAccessForNonPublicUsers,
  } = report;
  const summary: PublicAccessHardeningSummary = {
    publicRolePermissions: publicRolePermissions.length,
    publicUsersWithCustomPermissions: publicUsersWithCustomPermissions.length,
    productionPresentationAccessForNonPublicUsers:
      productionPresentationAccessForNonPublicUsers.length,
  };
  return summary;
}
/**
 * Print one value to stdout as two-space-indented JSON. This is the script's only
 * machine-readable output channel, so nothing else should be written to stdout.
 */
function logJson(value: unknown): void {
  const rendered = JSON.stringify(value, null, 2);
  console.log(rendered);
}
/**
 * Report a failure on stderr, keeping stdout reserved for the JSON result.
 * The raw error object is handed to console.error so Node prints its stack and own
 * properties. NOTE(review): database-layer errors may carry the failing SQL and connection
 * details in those properties — confirm where this script's stderr ends up in CI.
 */
function logError(error: unknown): void {
  const failure = error;
  console.error(failure);
}
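/**
 * Script entry point.
 *
 * Default mode audits the access policy, prints the full report plus per-category counts
 * as JSON, and sets a non-zero exit status when any violation exists so the script can
 * gate CI.
 *
 * `--fix` mode removes the violations inside one transaction and then audits again, so the
 * exit status reflects what is actually left in the database rather than the counts the
 * cleanup reported. Anything still flagged after the fix fails the run.
 */
async function main(): Promise<void> {
  if (shouldFix) {
    // Snapshot what is about to be removed: the cleanup result only carries counts, and the
    // concrete grants deleted are the record an operator needs afterwards. This is read
    // outside the transaction, so it is best-effort if grants change concurrently.
    const before = await AccessPolicyAuditService.findViolations();
    const result = await db.sequelize.transaction((transaction) =>
      AccessPolicyAuditService.cleanupViolations({ transaction }),
    );
    // Re-audit after commit: violations the cleanup did not cover (or that were re-granted
    // in the meantime) must not pass silently just because the fix ran.
    const after = await AccessPolicyAuditService.findViolations();
    const stillViolated = AccessPolicyAuditService.hasViolations(after);
    logJson({
      fixed: true,
      ok: !stillViolated,
      summary: {
        removedPublicRolePermissions: result.removedPublicRolePermissions,
        clearedPublicUserCustomPermissions:
          result.clearedPublicUserCustomPermissions,
        removedNonPublicProductionPresentationGrants:
          result.removedNonPublicProductionPresentationGrants,
      },
      before,
      remaining: after,
    });
    if (stillViolated) {
      process.exitCode = 1;
    }
    return;
  }
  const report = await AccessPolicyAuditService.findViolations();
  const hasViolations = AccessPolicyAuditService.hasViolations(report);
  logJson({
    ok: !hasViolations,
    summary: summarizeReport(report),
    report,
  });
  // The exit status is the CI signal; the JSON above carries the detail.
  if (hasViolations) {
    process.exitCode = 1;
  }
}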
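// Run, then shut down. The exit status is left in `process.exitCode` and the process is
// allowed to end on its own once the DB pool is closed, so buffered stdout (the JSON report,
// which can be large) is flushed first: `process.exit()` discards pending stdout writes where
// stdout is asynchronous (e.g. a pipe on some platforms). The forced exit is only a fallback
// for handles that keep the event loop alive past EXIT_TIMEOUT_MS.
main()
  .catch((error: unknown) => {
    logError(error);
    process.exitCode = 1;
  })
  .finally(() => {
    const forceExit = setTimeout(() => {
      process.exit(process.exitCode || 0);
    }, EXIT_TIMEOUT_MS);
    // The fallback timer must not itself keep an otherwise-finished process alive.
    forceExit.unref();
    // A failure to close the pool is logged rather than swallowed, but does not change the
    // exit status: the audit result already printed is what the caller acts on.
    db.sequelize.close().catch((closeError: unknown) => {
      logError(closeError);
    });
  });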