
@syntropysoft/praetorian


Praetorian CLI – A universal multi-environment configuration validator for DevSecOps teams. Validate, compare, and secure YAML/ENV files with ease.

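"use strict";
/**
 * Security Validator - Functional Programming
 *
 * Single Responsibility: Orchestrate security validation by delegating to pure functions
 * No state, no side effects, pure functions only
 *
 * Result contract (see validateSecurity): every enabled rule produces one entry in
 * `results`; a failed rule also produces an entry in `errors` whose validation
 * severity is derived from the rule severity (critical/high -> error,
 * medium -> warning, low -> info). `valid` is false as soon as any enabled rule
 * fails, whatever its severity. Empty content or an empty rule set yields an
 * empty, valid result by design.
 */
Object.defineProperty(exports, "__esModule", { value: true });
exports.filterSecurityRulesBySeverity = exports.filterSecurityRulesByType = exports.isSecurityRuleEnabled = exports.isCriticalSecurityRule = exports.getSecuritySeverityLevel = exports.validateSecurity = void 0;
const SecretDetector_1 = require("./SecretDetector");
const PermissionValidator_1 = require("./PermissionValidator");
const VulnerabilityScanner_1 = require("./VulnerabilityScanner");
const ComplianceChecker_1 = require("./ComplianceChecker");
/**
 * Pure function to validate security.
 *
 * @param {string} content - file content to scan
 * @param {Array<object>} rules - security rules; rules whose `enabled` is falsy
 *   are skipped entirely and do not appear in `results` or in the summary
 * @param {object} context - passed through to the detectors; the permission path
 *   reads `context.filePath` and `context.permissions`
 * @returns {{valid: boolean, errors: Array, warnings: Array, results: Array,
 *   summary: object, compliance: (object|undefined)}}
 */
const validateSecurity = (content, rules, context) => {
    // Guard clause: no content (empty or whitespace-only)
    if (!content || content.trim().length === 0) {
        return createEmptySecurityResult();
    }
    // Guard clause: no rules
    if (!rules || rules.length === 0) {
        return createEmptySecurityResult();
    }
    // Truthiness check on purpose; isSecurityRuleEnabled is the strict (=== true)
    // variant exported for callers that want it.
    const results = rules
        .filter(rule => rule.enabled)
        .map(rule => validateSingleSecurityRule(content, rule, context));
    const errors = results.flatMap(r => (r.error ? [r.error] : []));
    // No rule result in this module sets `warning`; kept so the result shape is stable.
    const warnings = results.flatMap(r => (r.warning ? [r.warning] : []));
    return {
        valid: errors.length === 0,
        errors,
        warnings,
        results,
        summary: createSecuritySummary(results),
        compliance: checkComplianceStatus(results),
    };
};
exports.validateSecurity = validateSecurity;
/**
 * Pure function to validate a single security rule by dispatching on `rule.type`.
 *
 * @param {string} content
 * @param {object} rule - must have an `id`; otherwise a failed result is returned
 * @param {object} context
 * @returns {object} rule result ({ rule, passed, [matchedValue], [error] })
 */
const validateSingleSecurityRule = (content, rule, context) => {
    // Guard clause: invalid rule (createFailedRuleResult tolerates a missing id)
    if (!rule || !rule.id) {
        return createFailedRuleResult(rule, 'Invalid security rule');
    }
    switch (rule.type) {
        case 'secret':
            return validateSecretRule(content, rule, context);
        case 'permission':
            return validatePermissionRule(content, rule, context);
        case 'vulnerability':
            return validateVulnerabilityRule(content, rule, context);
        case 'compliance':
            return validateComplianceRule(content, rule, context);
        default:
            // Unknown types fail closed rather than being silently skipped.
            return createFailedRuleResult(rule, `Unknown rule type: ${rule.type}`);
    }
};
/**
 * Pure function to validate secret rule.
 *
 * Only the detector-supplied `maskedValue` of the first finding is recorded in
 * the result, never the raw match, so results can be surfaced in reports.
 */
const validateSecretRule = (content, rule, context) => {
    // Guard clause: not a secret rule
    if (rule.type !== 'secret') {
        return createFailedRuleResult(rule, 'Not a secret rule');
    }
    const secretRule = rule; // Type assertion for secret rule
    const secrets = (0, SecretDetector_1.detectSecrets)(content, [secretRule], context);
    if (secrets.length === 0) {
        return createPassedRuleResult(rule);
    }
    return createFailedRuleResult(rule, `Found ${secrets.length} potential secrets`, secrets[0]?.maskedValue);
};
/**
 * Pure function to validate permission rule.
 *
 * Reads `context.filePath` and `context.permissions`; `content` is unused here
 * (kept for a uniform validator signature).
 */
const validatePermissionRule = (content, rule, context) => {
    // Guard clause: not a permission rule
    if (rule.type !== 'permission') {
        return createFailedRuleResult(rule, 'Not a permission rule');
    }
    const permissionRule = rule; // Type assertion for permission rule
    const permissions = (0, PermissionValidator_1.validatePermissions)(context.filePath, context.permissions, [permissionRule], context);
    // `every` is true on an empty array, so no separate length check is needed.
    if (permissions.every(p => p.valid)) {
        return createPassedRuleResult(rule);
    }
    const failedPermission = permissions.find(p => !p.valid);
    return createFailedRuleResult(rule, 'Invalid file permissions', failedPermission?.currentPermissions?.toString());
};
/**
 * Pure function to validate vulnerability rule.
 *
 * Records the `type` of the first finding as the matched value.
 */
const validateVulnerabilityRule = (content, rule, context) => {
    // Guard clause: not a vulnerability rule
    if (rule.type !== 'vulnerability') {
        return createFailedRuleResult(rule, 'Not a vulnerability rule');
    }
    const vulnerabilityRule = rule; // Type assertion for vulnerability rule
    const vulnerabilities = (0, VulnerabilityScanner_1.scanVulnerabilities)(content, [vulnerabilityRule], context);
    if (vulnerabilities.length === 0) {
        return createPassedRuleResult(rule);
    }
    return createFailedRuleResult(rule, `Found ${vulnerabilities.length} vulnerabilities`, vulnerabilities[0]?.type);
};
/**
 * Pure function to validate compliance rule.
 *
 * The failure message lists `failedRequirements` reported by the checker.
 */
const validateComplianceRule = (content, rule, context) => {
    // Guard clause: not a compliance rule
    if (rule.type !== 'compliance') {
        return createFailedRuleResult(rule, 'Not a compliance rule');
    }
    const complianceRule = rule; // Type assertion for compliance rule
    const compliance = (0, ComplianceChecker_1.checkCompliance)(content, [complianceRule], context);
    if (compliance.passed) {
        return createPassedRuleResult(rule);
    }
    return createFailedRuleResult(rule, `Compliance failed: ${compliance.failedRequirements.join(', ')}`);
};
/**
 * Pure function to create empty security result.
 *
 * Same shape as a populated result (including the `compliance` key) so callers
 * can treat both uniformly.
 */
const createEmptySecurityResult = () => ({
    valid: true,
    errors: [],
    warnings: [],
    results: [],
    summary: { total: 0, critical: 0, high: 0, medium: 0, low: 0, passed: 0, failed: 0 },
    compliance: undefined,
});
/**
 * Pure function to create passed rule result.
 */
const createPassedRuleResult = (rule) => ({
    rule,
    passed: true,
});
/**
 * Pure function to create failed rule result.
 *
 * @param {object} rule - may be missing or lack an `id` when called from the
 *   invalid-rule guard; the error code then uses UNKNOWN instead of throwing
 * @param {string} message - human-readable failure message
 * @param {string} [matchedValue] - masked/derived value only (see validateSecretRule)
 * @returns {object} rule result with an `error` entry
 */
const createFailedRuleResult = (rule, message, matchedValue) => {
    // Derive the code defensively: a rule without an id must produce a failed
    // result, not a TypeError that aborts the whole scan.
    const ruleId = rule?.id != null ? String(rule.id).toUpperCase() : 'UNKNOWN';
    return {
        rule,
        passed: false,
        matchedValue,
        error: {
            code: `SECURITY_${ruleId}`,
            message,
            severity: mapSecuritySeverityToValidationSeverity(rule?.severity),
            path: '',
            context: { matchedValue },
        },
    };
};
/**
 * Pure function to create security summary.
 *
 * Severity buckets count failed results only; a failed result whose rule has an
 * unrecognised severity is counted in `failed` but in no bucket.
 */
const createSecuritySummary = (results) => {
    const summary = { total: results.length, critical: 0, high: 0, medium: 0, low: 0, passed: 0, failed: 0 };
    // Single pass instead of one filter per counter.
    for (const r of results) {
        if (r.passed) {
            summary.passed += 1;
            continue;
        }
        summary.failed += 1;
        const severity = r.rule?.severity;
        // Only the four known keys are ever used to index `summary`.
        if (severity === 'critical' || severity === 'high' || severity === 'medium' || severity === 'low') {
            summary[severity] += 1;
        }
    }
    return summary;
};
/**
 * Pure function to check compliance status.
 *
 * @returns {(object|undefined)} undefined when no compliance rule was evaluated
 */
const checkComplianceStatus = (results) => {
    const complianceResults = results.filter(r => r.rule?.type === 'compliance');
    if (complianceResults.length === 0) {
        return undefined;
    }
    const failedCompliance = complianceResults.filter(r => !r.passed);
    // Every entry here is a compliance rule, so the standard is taken from the
    // first one; ISO27001 is the fallback when the rule declares none.
    const standard = complianceResults[0].rule.standard ?? 'ISO27001';
    return {
        standard,
        passed: failedCompliance.length === 0,
        failedRequirements: failedCompliance.map(r => r.rule.id),
    };
};
/**
 * Pure function to get security severity level.
 *
 * Case-insensitive; unknown or non-string input maps to 'medium'.
 */
const getSecuritySeverityLevel = (severity) => {
    const normalized = typeof severity === 'string' ? severity.toLowerCase() : '';
    switch (normalized) {
        case 'critical':
        case 'high':
        case 'medium':
        case 'low':
            return normalized;
        default:
            return 'medium';
    }
};
exports.getSecuritySeverityLevel = getSecuritySeverityLevel;
/**
 * Pure function to check if security rule is critical.
 */
const isCriticalSecurityRule = (rule) => rule.severity === 'critical';
exports.isCriticalSecurityRule = isCriticalSecurityRule;
/**
 * Pure function to check if security rule is enabled (strict boolean check).
 */
const isSecurityRuleEnabled = (rule) => rule.enabled === true;
exports.isSecurityRuleEnabled = isSecurityRuleEnabled;
/**
 * Pure function to filter security rules by type.
 *
 * @param {Array<object>|null|undefined} rules - a missing list yields []
 * @param {string} type
 */
const filterSecurityRulesByType = (rules, type) => (rules ?? []).filter(rule => rule.type === type);
exports.filterSecurityRulesByType = filterSecurityRulesByType;
/**
 * Pure function to filter security rules by severity.
 *
 * @param {Array<object>|null|undefined} rules - a missing list yields []
 * @param {string} severity
 */
const filterSecurityRulesBySeverity = (rules, severity) => (rules ?? []).filter(rule => rule.severity === severity);
exports.filterSecurityRulesBySeverity = filterSecurityRulesBySeverity;
/**
 * Pure function to map security severity to validation severity.
 *
 * Unknown severities map to 'error' so a misconfigured rule fails closed.
 */
const mapSecuritySeverityToValidationSeverity = (securitySeverity) => {
    switch (securitySeverity) {
        case 'critical':
        case 'high':
            return 'error';
        case 'medium':
            return 'warning';
        case 'low':
            return 'info';
        default:
            return 'error';
    }
};
//# sourceMappingURL=SecurityValidator.js.map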