Adjust admin count rego check

cisagov · Aug 2, 2024 · 00e1048 · 00e1048
1 parent a795a68
commit 00e1048
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 8 deletions.
diff --git a/Testing/RegoTests/commoncontrols/commoncontrols06_test.rego b/Testing/RegoTests/commoncontrols/commoncontrols06_test.rego
@@ -90,7 +90,7 @@ test_Count_Correct_V2 if {
 }
 
 test_Count_Correct_V3 if {
-    # 4 super admins
+    # 8 super admins
     PolicyId := "GWS.COMMONCONTROLS.6.2v0.2"
     Output := tests with input as {
         "super_admins": [
@@ -109,7 +109,23 @@ test_Count_Correct_V3 if {
             {
                 "primaryEmail": "[email protected]",
                 "orgUnitPath": ""
-            }
+            },
+            {
+                "primaryEmail": "[email protected]",
+                "orgUnitPath": ""
+            },
+            {
+                "primaryEmail": "[email protected]",
+                "orgUnitPath": ""
+            },
+            {
+                "primaryEmail": "[email protected]",
+                "orgUnitPath": ""
+            },
+            {
+                "primaryEmail": "[email protected]",
+                "orgUnitPath": ""
+            },
         ]
     }
 
@@ -119,15 +135,15 @@ test_Count_Correct_V3 if {
     not RuleOutput[0].NoSuchEvent
     RuleOutput[0].ReportDetails == concat("", [
         "The following super admins are configured: ",
-        "[email protected], [email protected], [email protected], ",
-        "admin4@example.org. <i>Note: Exceptions are ",
+        "[email protected], [email protected], [email protected], [email protected], ",
+        "[email protected], [email protected], [email protected], admin8@example.org. <i>Note: Exceptions are ",
         "allowed for \"break glass\" super admin accounts, ",
         "though we are not able to account for this automatically.</i>"
     ])
 }
 
 test_Count_Incorrect_V1 if {
-    # 5 super admins
+    # 9 super admins
     PolicyId := "GWS.COMMONCONTROLS.6.2v0.2"
     Output := tests with input as {
         "super_admins": [
@@ -150,6 +166,22 @@ test_Count_Incorrect_V1 if {
             {
                 "primaryEmail": "[email protected]",
                 "orgUnitPath": ""
+            },
+            {
+                "primaryEmail": "[email protected]",
+                "orgUnitPath": ""
+            },
+            {
+                "primaryEmail": "[email protected]",
+                "orgUnitPath": ""
+            },
+            {
+                "primaryEmail": "[email protected]",
+                "orgUnitPath": ""
+            },
+            {
+                "primaryEmail": "[email protected]",
+                "orgUnitPath": ""
             }
         ]
     }
@@ -160,8 +192,8 @@ test_Count_Incorrect_V1 if {
     not RuleOutput[0].NoSuchEvent
     RuleOutput[0].ReportDetails == concat("", [
         "The following super admins are configured: ",
-        "[email protected], [email protected], [email protected], ",
-        "admin4@example.org, admin5@example.org. <i>Note: Exceptions are ",
+        "[email protected], [email protected], [email protected], [email protected], [email protected], ",
+        "admin6@example.org, [email protected], [email protected], admin9@example.org. <i>Note: Exceptions are ",
         "allowed for \"break glass\" super admin accounts, ",
         "though we are not able to account for this automatically.</i>"
     ])

diff --git a/rego/Commoncontrols.rego b/rego/Commoncontrols.rego
@@ -897,7 +897,7 @@ tests contains {
 }
 if {
     SuperAdmins := {Admin.primaryEmail | some Admin in input.super_admins}
-    Conditions := {count(SuperAdmins) >= 2, count(SuperAdmins) <= 4}
+    Conditions := {count(SuperAdmins) >= 2, count(SuperAdmins) <= 8}
     Status := (false in Conditions) == false
 }
 #--