From 6c7bc5afea8d56a9a8150ce307a803dac97c31b0 Mon Sep 17 00:00:00 2001
From: Josh Cunningham
Date: Fri, 2 Apr 2021 10:40:14 -0700
Subject: [PATCH] [DXEC-578] Fix SecZetta header formatting (#284)

* fix header formatting
* fix header formatting
---
 package-lock.json | 2 +-
 package.json | 2 +-
 rules.json | 2 +-
 src/rules/seczetta-get-risk-score.js | 4 ++--
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index e6f0117c..d820a070 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,6 +1,6 @@
 {
 "name": "rules-templates",
- "version": "0.20.0",
+ "version": "0.20.1",
 "lockfileVersion": 1,
 "requires": true,
 "dependencies": {
diff --git a/package.json b/package.json
index 18e9d018..bd28d5fa 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "rules-templates",
- "version": "0.20.0",
+ "version": "0.20.1",
 "description": "Auth0 Rules Repository",
 "main": "./rules",
 "scripts": {
diff --git a/rules.json b/rules.json
index 891bed85..f5fd0f28 100644
--- a/rules.json
+++ b/rules.json
@@ -588,7 +588,7 @@
 "categories": [
 "marketplace"
 ],
- "description": "

Required configuration (this Rule will be skipped if any of the below are not defined):

\n\n

Optional configuration:

\n\n

Helpful Hints

\n", + "description": "

Required configuration (this Rule will be skipped if any of the below are not defined):

\n\n

Optional configuration:

\n\n

Helpful Hints

\n", "code": "async function seczettaGrabRiskScore(user, context, callback) {\n if (\n !configuration.SECZETTA_API_KEY ||\n !configuration.SECZETTA_BASE_URL ||\n !configuration.SECZETTA_ATTRIBUTE_ID ||\n !configuration.SECZETTA_PROFILE_TYPE_ID ||\n !configuration.SECZETTA_ALLOWABLE_RISK ||\n !configuration.SECZETTA_MAXIMUM_ALLOWED_RISK\n ) {\n console.log('Missing required configuration. Skipping.');\n return callback(null, user, context);\n }\n\n const axios = require('axios@0.21.1');\n const URL = require('url').URL;\n\n let profileResponse;\n let riskScoreResponse;\n\n const attributeId = configuration.SECZETTA_ATTRIBUTE_ID;\n const profileTypeId = configuration.SECZETTA_PROFILE_TYPE_ID;\n const allowAuthOnError =\n configuration.SECZETTA_AUTHENTICATE_ON_ERROR === 'true';\n\n // Depends on the configuration\n const uid = user.username || user.email;\n\n const profileRequestUrl = new URL(\n '/api/advanced_search/run',\n configuration.SECZETTA_BASE_URL\n );\n\n const advancedSearchBody = {\n advanced_search: {\n label: 'All Contractors',\n condition_rules_attributes: [\n {\n type: 'ProfileTypeRule',\n comparison_operator: '==',\n value: profileTypeId\n },\n {\n type: 'ProfileAttributeRule',\n condition_object_id: attributeId,\n object_type: 'NeAttribute',\n comparison_operator: '==',\n value: uid\n }\n ]\n }\n };\n\n try {\n profileResponse = await axios.post(\n profileRequestUrl.href,\n advancedSearchBody,\n {\n headers: {\n 'Content-Type': 'application/json',\n Authorization: 'Token token=' + configuration.SECZETTA_API_KEY,\n Accept: 'application/json'\n }\n }\n );\n\n // If the user is not found via the advanced search\n if (profileResponse.data.profiles.length === 0) {\n console.log('Profile not found. 
Empty Array sent back!');\n if (allowAuthOnError) {\n return callback(null, user, context);\n }\n return callback(\n new UnauthorizedError('Error retrieving SecZetta Risk Score.')\n );\n }\n } catch (profileError) {\n console.log(\n `Error while calling SecZetta Profile API: ${profileError.message}`\n );\n\n if (allowAuthOnError) {\n return callback(null, user, context);\n }\n\n return callback(\n new UnauthorizedError('Error retrieving SecZetta Risk Score.')\n );\n }\n\n // Should now have the profile in profileResponse. Lets grab it.\n const objectId = profileResponse.data.profiles[0].id;\n\n const riskScoreRequestUrl = new URL(\n '/api/risk_scores?object_id=' + objectId,\n configuration.SECZETTA_BASE_URL\n );\n\n try {\n riskScoreResponse = await axios.get(riskScoreRequestUrl.href, {\n headers: {\n 'Content-Type': 'application/json',\n Authorization: 'Token token=' + configuration.SECZETTA_API_KEY,\n Accept: 'application/json'\n }\n });\n } catch (riskError) {\n console.log(\n `Error while calling SecZetta Risk Score API: ${riskError.message}`\n );\n\n if (allowAuthOnError) {\n return callback(null, user, context);\n }\n\n return callback(\n new UnauthorizedError('Error retrieving SecZetta Risk Score.')\n );\n }\n\n // Should now finally have the risk score. Lets add it to the user\n const riskScoreObj = riskScoreResponse.data.risk_scores[0];\n const overallScore = riskScoreObj.overall_score;\n\n const allowableRisk = parseInt(configuration.SECZETTA_ALLOWABLE_RISK, 10);\n const maximumRisk = parseInt(configuration.SECZETTA_MAXIMUM_ALLOWED_RISK, 10);\n\n // If risk score is below the maxium risk score but above allowable risk: Require MFA\n if (\n (allowableRisk &&\n overallScore > allowableRisk &&\n overallScore < maximumRisk) ||\n allowableRisk === 0\n ) {\n console.log(\n `Risk score ${overallScore} is greater than maximum of ${allowableRisk}. 
Prompting for MFA.`\n );\n context.multifactor = {\n provider: 'any',\n allowRememberBrowser: false\n };\n return callback(null, user, context);\n }\n\n // If risk score is above the maxium risk score: Fail authN\n if (maximumRisk && overallScore >= maximumRisk) {\n console.log(\n `Risk score ${overallScore} is greater than maximum of ${maximumRisk}`\n );\n return callback(\n new UnauthorizedError(\n `A ${overallScore} risk score is too high. Maximum acceptable risk is ${maximumRisk}.`\n )\n );\n }\n\n if (configuration.SECZETTA_RISK_KEY) {\n context.idToken[configuration.SECZETTA_RISK_KEY] = overallScore;\n context.accessToken[configuration.SECZETTA_RISK_KEY] = overallScore;\n }\n\n return callback(null, user, context);\n}"
 },
 {
diff --git a/src/rules/seczetta-get-risk-score.js b/src/rules/seczetta-get-risk-score.js
index ac57ac2e..db9c2d5f 100644
--- a/src/rules/seczetta-get-risk-score.js
+++ b/src/rules/seczetta-get-risk-score.js
@@ -9,7 +9,7 @@
 * - `SECZETTA_API_KEY` API Token from your SecZetta tennant
 * - `SECZETTA_BASE_URL` URL for your SecZetta tennant
 * - `SECZETTA_ATTRIBUTE_ID` the id of the SecZetta attribute you are searching on (i.e personal_email, user_name, etc.)
- * - `SECZETTA_PROFILE_TYPE_ID' the id of the profile type this user's profile
+ * - `SECZETTA_PROFILE_TYPE_ID` the id of the profile type this user's profile
 * - `SECZETTA_ALLOWABLE_RISK` Set to a risk score integer value above which MFA is required
 * - `SECZETTA_MAXIMUM_ALLOWED_RISK` Set to a maximum risk score integer value above which login fails.
 *
@@ -20,7 +20,7 @@
 *
 * **Helpful Hints**
 *
- * - The SecZetta API documentation is located here: https://{{SECZETTA_BASE_URL}}/api/v1/
+ * - The SecZetta API documentation is located here: `https://{{SECZETTA_BASE_URL}}/api/v1/`
 */
 async function seczettaGrabRiskScore(user, context, callback) {
 if (
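Review bot: The new `SECZETTA_PROFILE_TYPE_ID` line in the first hunk of src/rules/seczetta-get-risk-score.js still ends mid-sentence ("the id of the profile type this user's profile"), so the backtick fix leaves that entry unfinished. The rule body, visible in the rules.json section of this patch, sends this value as the `ProfileTypeRule` filter of the advanced-search request, so a completed line could read `* - \`SECZETTA_PROFILE_TYPE_ID\` the id of the profile type this user's profile belongs to (used as the ProfileTypeRule filter in the advanced search)`. In the second hunk the hint now points at `https://{{SECZETTA_BASE_URL}}/api/v1/`, while the calls in the rule body go to `/api/advanced_search/run` and `/api/risk_scores` with no `/v1` segment; it is worth confirming that the documented path and the endpoints actually called refer to the same API version. `seczettaGrabRiskScore` starts on the last line of the second hunk and its body lies outside it.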