enforced org rules

Author: 101arrowz

lib/commands/login/index.js

@@ -70,45 +70,42 @@ export const login = {
     }
 
     /** @type {prompts.Choice[]} */
-    const orgChoices = Object.values(settings.organizations)
+    const enforcedChoices = Object.values(settings.organizations)
+      .filter(org => org.plan.tier === 'enterprise')
       .map(org => ({
         title: org.name,
-        description: `${org.plan.tier} tier`,
-        selected: true,
         value: org.id
       }))
 
-    /** @type {string[]} */
-    let orgIDs = []
+    /** @type {string | null} */
+    let enforcedOrg = null
 
-    if (orgChoices.length > 1) {
-      const { ids } = await prompts({
-        type: 'multiselect',
-        name: 'ids',
-        instructions: '',
-        hint: '\n  Use ←/→/space to select and deselect, then hit enter to submit\n',
-        message: 'Which organizations\' policies would you like Socket to enforce?',
-        choices: orgChoices,
-        min: 0,
+    if (enforcedChoices.length > 1) {
+      const { id } = await prompts({
+        type: 'select',
+        name: 'id',
+        hint: '\n  Pick "None" if this is a personal device',
+        message: 'Which organization\'s policies should Socket globally enforce?',
+        choices: enforcedChoices.concat({
+          title: 'None',
+          value: null
+        }),
         onState: promptAbortHandler
       })
-      orgIDs = ids
-    } else if (orgChoices.length) {
+      enforcedOrg = id
+    } else if (enforcedChoices.length) {
       const { confirmOrg } = await prompts({
         type: 'confirm',
         name: 'confirmOrg',
-        message: `Enforce organization policies for ${orgChoices[0]?.title}?`,
+        message: `Should Socket globally enforce ${enforcedChoices[0]?.title}'s security policies?`,
         initial: true,
         onState: promptAbortHandler
       })
       if (confirmOrg) {
-        orgIDs = [orgChoices[0]?.value]
+        enforcedOrg = enforcedChoices[0]?.value
       }
     }
-    updateSetting('orgs', orgIDs.map(id => ({
-      id,
-      issueRules: settings.organizations[id].issueRules
-    })))
+    updateSetting('enforcedOrg', enforcedOrg)
     const oldKey = getSetting('apiKey')
     updateSetting('apiKey', apiKey)
     spinner.succeed(`API credentials ${oldKey ? 'updated' : 'set'}`)

lib/commands/logout/index.js

@@ -27,7 +27,7 @@ export const logout = {
     if (cli.input.length) cli.showHelp()
 
     updateSetting('apiKey', null)
-    updateSetting('orgs', null)
+    updateSetting('enforcedOrg', null)
     ora('Successfully logged out').succeed()
   }
 }

lib/shadow/link.cjs

@@ -5,34 +5,34 @@ const path = require('path')
 const which = require('which')
 
 if (process.platform === 'win32') {
-  console.error('Socket npm and socket npx wrapper Windows suppport is limited to WSL at this time.')
+  console.error('Socket dependency manager Windows suppport is limited to WSL at this time.')
   process.exit(1)
 }
 
 /**
  * @param {string} realDirname path to shadow/bin
  * @param {'npm' | 'npx'} binname
- * @returns {string} path to npm provided cli / npx bin
+ * @returns {string} path to original bin
  */
 function installLinks (realDirname, binname) {
-  const realNpmShadowBinDir = realDirname
-  // find npm being shadowed by this process
-  const npms = which.sync(binname, {
+  const realShadowBinDir = realDirname
+  // find package manager being shadowed by this process
+  const bins = which.sync(binname, {
     all: true
   })
   let shadowIndex = -1
-  const npmpath = npms.find((npmPath, i) => {
-    const isShadow = realpathSync(path.dirname(npmPath)) === realNpmShadowBinDir
+  const binpath = bins.find((binPath, i) => {
+    const isShadow = realpathSync(path.dirname(binPath)) === realShadowBinDir
     if (isShadow) {
       shadowIndex = i
     }
     return !isShadow
   })
-  if (npmpath && process.platform === 'win32') {
-    return npmpath
+  if (binpath && process.platform === 'win32') {
+    return binpath
   }
-  if (!npmpath) {
-    console.error('Socket unable to locate npm ensure it is available in the PATH environment variable')
+  if (!binpath) {
+    console.error(`Socket unable to locate ${binname}; ensure it is available in the PATH environment variable`)
     process.exit(127)
   }
   if (shadowIndex === -1) {

lib/shadow/npm-injection.cjs

@@ -36,33 +36,42 @@ try {
 
 const pubTokenPromise = sdkPromise.then(({ getDefaultKey, FREE_API_KEY }) => getDefaultKey() || FREE_API_KEY)
 const apiKeySettingsPromise = sdkPromise.then(async ({ setupSdk }) => {
-  const sdk = await setupSdk();
+  const sdk = await setupSdk()
   const result = await sdk.getSettings()
   if (!result.success) throw new Error('failed to fetch API key settings')
-  return result.data;
+  return result.data
 })
 
 /** @type {Promise<{ id: string, issueRules: import('../utils/settings.js').IssueRules }[]>} */
 const orgSettingsPromise = settingsPromise.then(async ({ getSetting, updateSetting }) => {
-  const orgs = getSetting('orgs') || [];
-  if (!orgs.length) return [];
-
+  const enforcedOrg = getSetting('enforcedOrg')
   const settings = await apiKeySettingsPromise
-  const newOrgs = orgs.filter(org => settings.organizations[org.id])
-    .map(org => {
-      const curOrg = settings.organizations[org.id];
-      return {
-        id: org.id,
-        issueRules: curOrg.plan.tier === 'enterprise' || curOrg.plan.tier === 'team'
-          ? curOrg.issueRules
-          : org.issueRules
-      }
-    })
+  const enforcedRules = enforcedOrg && settings.organizations[enforcedOrg] || {}
 
-  updateSetting('orgs', newOrgs);
+  /**
+   * @param {import('../utils/settings.js').IssueRules[string]} rule
+   * @returns {number}
+   */
+  const ruleStrength = (rule) => {
+    if (typeof rule === 'boolean') return rule ? 3 : 1
+    switch (rule.action) {
+      case 'error': return 3
+      case 'warn': return 2
+      case 'ignore': return 1
+      case 'defer': return 0
+    }
+  }
 
-  return newOrgs.map(({ id, issueRules }) => {
-    const defaultedRules = { ...issueRules };
+  return Object.values(settings.organizations).map(({ id, issueRules }) => {
+    const defaultedRules = { ...issueRules }
+    for (const rule in enforcedRules) {
+      if (
+        !defaultedRules[rule] ||
+        ruleStrength(enforcedRules[rule]) > ruleStrength(defaultedRules[rule])
+      ) {
+        defaultedRules[rule] = enforcedRules[rule]
+      }
+    }
     for (const rule in settings.defaultIssueRules) {
       if (!(rule in defaultedRules) || (
         typeof defaultedRules[rule] === 'object' &&
@@ -427,7 +436,7 @@ async function packagesHaveRiskyIssues (registry, pkgs, ora = null, input, outpu
 
       for await (const pkgData of batchScan(pkgs.map(pkg => pkg.pkgid))) {
         let failures = []
-        let warns = [];
+        let warns = []
         if (pkgData.type === 'missing') {
           failures.push({
             type: 'missingDependency'
@@ -439,7 +448,7 @@ async function packagesHaveRiskyIssues (registry, pkgs, ora = null, input, outpu
             if (typeof rules[issue.type] == 'boolean' || rules[issue.type].action === 'error') {
               failures.push(issue)
             } else if (rules[issue.type].action == 'warn') {
-              warns.push(issue);
+              warns.push(issue)
             }
           }
         }

lib/utils/settings.js

@@ -23,7 +23,7 @@ const settingsPath = path.join(dataHome, 'socket', 'settings')
  * @typedef {import('@socketsecurity/sdk').SocketSdkReturnType<'getSettings'>['data']['organizations'][string]['issueRules']} IssueRules
  */
 
-/** @type {{apiKey?: string | null, orgs?: { id: string, issueRules: IssueRules }[] | null}} */
+/** @type {{apiKey?: string | null, enforcedOrg?: string | null}} */
 let settings = {}
 
 if (fs.existsSync(settingsPath)) {