From 0fd8dd162e5f81b71f22588e40fb8ebcb7c9e904 Mon Sep 17 00:00:00 2001 From: ssnarve Date: Thu, 1 Aug 2024 14:18:58 -0700 Subject: [PATCH] [#315] Rego update - remove 10.1 rego and unit tests and update numbering --- .../commoncontrols/commoncontrols10_test.rego | 79 +++++++------------ rego/Commoncontrols.rego | 73 +++++++---------- 2 files changed, 58 insertions(+), 94 deletions(-) diff --git a/Testing/RegoTests/commoncontrols/commoncontrols10_test.rego b/Testing/RegoTests/commoncontrols/commoncontrols10_test.rego index b97500eb..b5631535 100644 --- a/Testing/RegoTests/commoncontrols/commoncontrols10_test.rego +++ b/Testing/RegoTests/commoncontrols/commoncontrols10_test.rego @@ -4,33 +4,10 @@ import future.keywords # # GWS.COMMONCONTROLS.10.1v0.2 #-- -test_AllowList_Correct_V1 if { - # Test not implemented - PolicyId := "GWS.COMMONCONTROLS.10.1v0.2" - Output := tests with input as { - "commoncontrols_logs": {"items": [ - - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Currently not able to be tested automatically; please manually check." -} -#-- - -# -# GWS.COMMONCONTROLS.10.2v0.2 -#-- test_AccessControl_Correct_V1 if { # Test restricted when there is no _HIGH_RISK event present # (not all services have a risk version, just Drive and Gmail) - PolicyId := "GWS.COMMONCONTROLS.10.2v0.2" + PolicyId := "GWS.COMMONCONTROLS.10.1v0.2" Output := tests with input as { "commoncontrols_logs": {"items": [ { @@ -58,7 +35,7 @@ test_AccessControl_Correct_V1 if { test_AccessControl_Correct_V2 if { # Test allowed with not high risk allowed - PolicyId := "GWS.COMMONCONTROLS.10.2v0.2" + PolicyId := "GWS.COMMONCONTROLS.10.1v0.2" Output := tests with input as { "commoncontrols_logs": {"items": [ { 
@@ -96,7 +73,7 @@ test_AccessControl_Correct_V2 if { test_AccessControl_Correct_V3 if { # Test restricted with not high risk disallowed - PolicyId := "GWS.COMMONCONTROLS.10.2v0.2" + PolicyId := "GWS.COMMONCONTROLS.10.1v0.2" Output := tests with input as { "commoncontrols_logs": {"items": [ { @@ -134,7 +111,7 @@ test_AccessControl_Correct_V3 if { test_AccessControl_Correct_V4 if { # Test multiple services - PolicyId := "GWS.COMMONCONTROLS.10.2v0.2" + PolicyId := "GWS.COMMONCONTROLS.10.1v0.2" Output := tests with input as { "commoncontrols_logs": {"items": [ { @@ -182,7 +159,7 @@ test_AccessControl_Correct_V4 if { test_AccessControl_Correct_V5 if { # Test multiple services, multiple events - PolicyId := "GWS.COMMONCONTROLS.10.2v0.2" + PolicyId := "GWS.COMMONCONTROLS.10.1v0.2" Output := tests with input as { "commoncontrols_logs": {"items": [ { @@ -251,7 +228,7 @@ test_AccessControl_Correct_V5 if { test_AccessControl_Incorrect_V1 if { # Test unrestricted when there is no _HIGH_RISK event present # (not all services have a risk version, just Drive and Gmail) - PolicyId := "GWS.COMMONCONTROLS.10.2v0.2" + PolicyId := "GWS.COMMONCONTROLS.10.1v0.2" Output := tests with input as { "commoncontrols_logs": {"items": [ { @@ -279,7 +256,7 @@ test_AccessControl_Incorrect_V1 if { test_AccessControl_Incorrect_V2 if { # Test unrestricted with not high risk disallowed - PolicyId := "GWS.COMMONCONTROLS.10.2v0.2" + PolicyId := "GWS.COMMONCONTROLS.10.1v0.2" Output := tests with input as { "commoncontrols_logs": {"items": [ { @@ -317,7 +294,7 @@ test_AccessControl_Incorrect_V2 if { test_AccessControl_Incorrect_V3 if { # Test unrestricted with no high risk version - PolicyId := "GWS.COMMONCONTROLS.10.2v0.2" + PolicyId := "GWS.COMMONCONTROLS.10.1v0.2" Output := tests with input as { "commoncontrols_logs": {"items": [ { 
@@ -345,7 +322,7 @@ test_AccessControl_Incorrect_V3 if { test_AccessControl_Incorrect_V4 if { # Test no events - PolicyId := "GWS.COMMONCONTROLS.10.2v0.2" + PolicyId := "GWS.COMMONCONTROLS.10.1v0.2" Output := tests with input as { "commoncontrols_logs": {"items": [ @@ -368,11 +345,11 @@ test_AccessControl_Incorrect_V4 if { #-- # -# GWS.COMMONCONTROLS.10.3v0.2 +# GWS.COMMONCONTROLS.10.2v0.2 #-- test_Consent_Correct_V1 if { # Test disallow with no high risk version - PolicyId := "GWS.COMMONCONTROLS.10.3v0.2" + PolicyId := "GWS.COMMONCONTROLS.10.2v0.2" Output := tests with input as { "commoncontrols_logs": {"items": [ { @@ -400,7 +377,7 @@ test_Consent_Correct_V1 if { test_Consent_Correct_V2 if { # Test disallow with high risk version - PolicyId := "GWS.COMMONCONTROLS.10.3v0.2" + PolicyId := "GWS.COMMONCONTROLS.10.2v0.2" Output := tests with input as { "commoncontrols_logs": {"items": [ { @@ -438,7 +415,7 @@ test_Consent_Correct_V2 if { test_Consent_Incorrect_V1 if { # Test allow with no high risk version - PolicyId := "GWS.COMMONCONTROLS.10.3v0.2" + PolicyId := "GWS.COMMONCONTROLS.10.2v0.2" Output := tests with input as { "commoncontrols_logs": {"items": [ { @@ -466,7 +443,7 @@ test_Consent_Incorrect_V1 if { test_Consent_Incorrect_V2 if { # Test allow with high risk version allowed - PolicyId := "GWS.COMMONCONTROLS.10.3v0.2" + PolicyId := "GWS.COMMONCONTROLS.10.2v0.2" Output := tests with input as { "commoncontrols_logs": {"items": [ { @@ -504,7 +481,7 @@ test_Consent_Incorrect_V2 if { test_Consent_Incorrect_V3 if { # Test allow with high risk version blocked - PolicyId := "GWS.COMMONCONTROLS.10.3v0.2" + PolicyId := "GWS.COMMONCONTROLS.10.2v0.2" Output := tests with input as { "commoncontrols_logs": {"items": [ { @@ -542,7 +519,7 @@ test_Consent_Incorrect_V3 if { test_Consent_Incorrect_V4 if { # Test no events - PolicyId := "GWS.COMMONCONTROLS.10.3v0.2" + PolicyId := "GWS.COMMONCONTROLS.10.2v0.2" Output := tests with input as { "commoncontrols_logs": {"items": [ 
@@ -565,11 +542,11 @@ test_Consent_Incorrect_V4 if { #-- # -# GWS.COMMONCONTROLS.10.4v0.2 +# GWS.COMMONCONTROLS.10.3v0.2 #-- test_Internal_Correct_V1 if { # Test basic - PolicyId := "GWS.COMMONCONTROLS.10.4v0.2" + PolicyId := "GWS.COMMONCONTROLS.10.3v0.2" Output := tests with input as { "commoncontrols_logs": {"items": [ { @@ -596,7 +573,7 @@ test_Internal_Correct_V1 if { test_Internal_Correct_V2 if { # Test multiple events - PolicyId := "GWS.COMMONCONTROLS.10.4v0.2" + PolicyId := "GWS.COMMONCONTROLS.10.3v0.2" Output := tests with input as { "commoncontrols_logs": {"items": [ { @@ -632,7 +609,7 @@ test_Internal_Correct_V2 if { test_Internal_Incorrect_V1 if { # Test basic - PolicyId := "GWS.COMMONCONTROLS.10.4v0.2" + PolicyId := "GWS.COMMONCONTROLS.10.3v0.2" Output := tests with input as { "commoncontrols_logs": {"items": [ { @@ -663,7 +640,7 @@ test_Internal_Incorrect_V1 if { test_Internal_Incorrect_V2 if { # Test multiple events - PolicyId := "GWS.COMMONCONTROLS.10.4v0.2" + PolicyId := "GWS.COMMONCONTROLS.10.3v0.2" Output := tests with input as { "commoncontrols_logs": {"items": [ { @@ -703,7 +680,7 @@ test_Internal_Incorrect_V2 if { test_Internal_Incorrect_V3 if { # Test no events - PolicyId := "GWS.COMMONCONTROLS.10.4v0.2" + PolicyId := "GWS.COMMONCONTROLS.10.3v0.2" Output := tests with input as { "commoncontrols_logs": {"items": [ @@ -726,11 +703,11 @@ test_Internal_Incorrect_V3 if { #-- # -# GWS.COMMONCONTROLS.10.5v0.2 +# GWS.COMMONCONTROLS.10.4v0.2 #-- test_Unconfigured_Correct_V1 if { # Test basic - PolicyId := "GWS.COMMONCONTROLS.10.5v0.2" + PolicyId := "GWS.COMMONCONTROLS.10.4v0.2" Output := tests with input as { "commoncontrols_logs": {"items": [ { @@ -757,7 +734,7 @@ test_Unconfigured_Correct_V1 if { test_Unconfigured_Correct_V2 if { # Test basic multiple events - PolicyId := "GWS.COMMONCONTROLS.10.5v0.2" + PolicyId := "GWS.COMMONCONTROLS.10.4v0.2" Output := tests with input as { "commoncontrols_logs": {"items": [ { 
@@ -793,7 +770,7 @@ test_Unconfigured_Correct_V2 if { test_Unconfigured_Incorrect_V1 if { # Test unblock - PolicyId := "GWS.COMMONCONTROLS.10.5v0.2" + PolicyId := "GWS.COMMONCONTROLS.10.4v0.2" Output := tests with input as { "commoncontrols_logs": {"items": [ { @@ -825,7 +802,7 @@ test_Unconfigured_Incorrect_V1 if { test_Unconfigured_Incorrect_V2 if { # Test signin only - PolicyId := "GWS.COMMONCONTROLS.10.5v0.2" + PolicyId := "GWS.COMMONCONTROLS.10.4v0.2" Output := tests with input as { "commoncontrols_logs": {"items": [ { @@ -857,7 +834,7 @@ test_Unconfigured_Incorrect_V2 if { test_Unconfigured_Incorrect_V3 if { # Test no events - PolicyId := "GWS.COMMONCONTROLS.10.5v0.2" + PolicyId := "GWS.COMMONCONTROLS.10.4v0.2" Output := tests with input as { "commoncontrols_logs": {"items": [ diff --git a/rego/Commoncontrols.rego b/rego/Commoncontrols.rego index 7136dd38..357a7fdb 100644 --- a/rego/Commoncontrols.rego +++ b/rego/Commoncontrols.rego @@ -1014,19 +1014,6 @@ tests contains { # # Baseline GWS.COMMONCONTROLS.10.1v0.2 #-- -tests contains { - "PolicyId": "GWS.COMMONCONTROLS.10.1v0.2", - "Criticality": "Shall/Not-Implemented", - "ReportDetails": "Currently not able to be tested automatically; please manually check.", - "ActualValue": "", - "RequirementMet": false, - "NoSuchEvent": true -} -#-- - -# -# Baseline GWS.COMMONCONTROLS.10.2v0.2 -#-- # NOTE: App access cannot be controlled at the group/OU level 
@@ -1091,15 +1078,15 @@ UnrestrictedServices10_2 contains Service if { not concat("", [Service, "_HIGH_RISK"]) in HighRiskBlocked } -ReportDetails10_2(true) := "Requirement met." +ReportDetails10_1(true) := "Requirement met." -ReportDetails10_2(false) := concat("", [ +ReportDetails10_1(false) := concat("", [ "The following services allow access: ", concat(", ", UnrestrictedServices10_2), "." ]) tests contains { - "PolicyId": "GWS.COMMONCONTROLS.10.2v0.2", + "PolicyId": "GWS.COMMONCONTROLS.10.1v0.2", "Criticality": "Shall", "ReportDetails": concat("", [ "No API Access Allowed/Blocked events in the current logs. ", @@ -1117,16 +1104,16 @@ if { } tests contains { - "PolicyId": "GWS.COMMONCONTROLS.10.2v0.2", + "PolicyId": "GWS.COMMONCONTROLS.10.1v0.2", "Criticality": "Shall", - "ReportDetails": ReportDetails10_2(Status), + "ReportDetails": ReportDetails10_1(Status), "RequirementMet": Status, "NoSuchEvent": false } if { Events := APIAccessEvents count(Events) > 0 - Status := count(UnrestrictedServices10_2) == 0 + Status := count(UnrestrictedServices10_1) == 0 } # Note that the above logic doesn't filter for OU. As the logic for this setting @@ -1135,10 +1122,10 @@ if { #-- # -# Baseline GWS.COMMONCONTROLS.10.3v0.2 +# Baseline GWS.COMMONCONTROLS.10.2v0.2 #-- # Identify services whose most recent event is an allow event -UnrestrictedServices10_3 contains Service if { +UnrestrictedServices10_2 contains Service if { # Iterate through all services some Service in {Event.ServiceName | some Event in APIAccessEvents} # Ignore services that end risk _HIGH_RISK. Those are handled later 
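Review bot: `Status := count(UnrestrictedServices10_1) == 0` references a set rule that nothing in this diff defines — the rule that populates it is this hunk's own context line `UnrestrictedServices10_2 contains Service if {`, which was left unrenamed, and the new `ReportDetails10_1(false)` still reads `UnrestrictedServices10_2`. The following hunk (`@@ -1135`) then renames `UnrestrictedServices10_3` to `UnrestrictedServices10_2`, so after the patch two partial set rules share one name and Rego unions their contributions: the consent check (now 10.2) would inherit services flagged by the access-control logic, while the 10.1 rule will likely be rejected for an unsafe variable or simply never evaluate, leaving that control silently unreported. Rename the definition and the report reference to match the new numbering: `UnrestrictedServices10_1 contains Service if {` and `concat(", ", UnrestrictedServices10_1), "."`. The body of that set rule begins above this hunk.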
@@ -1154,15 +1141,15 @@ UnrestrictedServices10_3 contains Service if { Event.EventName == "ALLOW_SERVICE_FOR_OAUTH2_ACCESS" } -ReportDetails10_3(true) := "Requirement met." +ReportDetails10_2(true) := "Requirement met." -ReportDetails10_3(false) := concat("", [ +ReportDetails10_2(false) := concat("", [ "The following services allow access: ", - concat(", ", UnrestrictedServices10_3), "." + concat(", ", UnrestrictedServices10_2), "." ]) tests contains { - "PolicyId": "GWS.COMMONCONTROLS.10.3v0.2", + "PolicyId": "GWS.COMMONCONTROLS.10.2v0.2", "Criticality": "SHALL", "ReportDetails": concat("", [ "No API Access Allowed/Blocked events in the current logs. ", @@ -1180,21 +1167,21 @@ if { } tests contains { - "PolicyId": "GWS.COMMONCONTROLS.10.3v0.2", + "PolicyId": "GWS.COMMONCONTROLS.10.2v0.2", "Criticality": "Shall", - "ReportDetails": ReportDetails10_3(Status), + "ReportDetails": ReportDetails10_2(Status), "RequirementMet": Status, "NoSuchEvent": false } if { Events := APIAccessEvents count(Events) > 0 - Status := count(UnrestrictedServices10_3) == 0 + Status := count(UnrestrictedServices10_2) == 0 } #-- # -# Baseline GWS.COMMONCONTROLS.10.4v0.2 +# Baseline GWS.COMMONCONTROLS.10.3v0.2 #-- # NOTE: this setting cannot be set at the group level. @@ -1216,7 +1203,7 @@ if { OrgUnit := [Parameter.value | some Parameter in Event.parameters; Parameter.name == "ORG_UNIT_NAME"][0] } -NonCompliantOUs10_4 contains { +NonCompliantOUs10_3 contains { "Name": OU, "Value": "Trust internal apps is ON" } if { @@ -1231,7 +1218,7 @@ NonCompliantOUs10_4 contains { } tests contains { - "PolicyId": "GWS.COMMONCONTROLS.10.4v0.2", + "PolicyId": "GWS.COMMONCONTROLS.10.3v0.2", "Criticality": "Shall", "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU), "ActualValue": "No relevant event for the top-level OU in the current logs", 
@@ -1245,22 +1232,22 @@ if { } tests contains { - "PolicyId": "GWS.COMMONCONTROLS.10.4v0.2", + "PolicyId": "GWS.COMMONCONTROLS.10.3v0.2", "Criticality": "Shall", - "ReportDetails": utils.ReportDetails(NonCompliantOUs10_4, []), - "ActualValue": {"NonCompliantOUs": NonCompliantOUs10_4}, + "ReportDetails": utils.ReportDetails(NonCompliantOUs10_3, []), + "ActualValue": {"NonCompliantOUs": NonCompliantOUs10_3}, "RequirementMet": Status, "NoSuchEvent": false } if { Events := {Event | some Event in DomainOwnedAppAccessEvents; Event.OrgUnit == utils.TopLevelOU} count(Events) > 0 - Status := count(NonCompliantOUs10_4) == 0 + Status := count(NonCompliantOUs10_3) == 0 } #-- # -# Baseline GWS.COMMONCONTROLS.10.5v0.2 +# Baseline GWS.COMMONCONTROLS.10.4v0.2 #-- # NOTE: this setting cannot be set at the group level. @@ -1283,13 +1270,13 @@ if { OrgUnit := [Parameter.value | some Parameter in Event.parameters; Parameter.name == "ORG_UNIT_NAME"][0] } -GetFriendlyValue10_5(Value) := "Allow users to access any third-party apps" if { +GetFriendlyValue10_4(Value) := "Allow users to access any third-party apps" if { Value == "UNBLOCK_ALL_THIRD_PARTY_API_ACCESS" } else := "Allow users to access third-party apps that only request basic info needed for Sign in with Google." if { Value == "SIGN_IN_ONLY_THIRD_PARTY_API_ACCESS" } else := concat(" ", [Value, "seconds"]) -NonCompliantOUs10_5 contains { +NonCompliantOUs10_4 contains { "Name": OU, "Value": concat("", ["Unconfigured third-party app access is set to ", GetFriendlyValue10_5(LastEvent.EventName)]) } if { @@ -1304,7 +1291,7 @@ NonCompliantOUs10_5 contains { } tests contains { - "PolicyId": "GWS.COMMONCONTROLS.10.5v0.2", + "PolicyId": "GWS.COMMONCONTROLS.10.4v0.2", "Criticality": "Shall", "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU), "ActualValue": "No relevant event for the top-level OU in the current logs", 
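Review bot: In the `@@ -1283` hunk the function is renamed to `GetFriendlyValue10_4`, but the unchanged body of `NonCompliantOUs10_4` still calls `GetFriendlyValue10_5(LastEvent.EventName)`, which no longer exists, so OPA should reject the module with an undefined-function error. Change the call to `GetFriendlyValue10_4(LastEvent.EventName)`. The 10.4 unit tests in commoncontrols10_test.rego exercise this rule and would surface the break, so it is worth confirming they run in CI before merge. NonCompliantOUs10_4's body continues past this hunk.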
@@ -1318,17 +1305,17 @@ if { } tests contains { - "PolicyId": "GWS.COMMONCONTROLS.10.5v0.2", + "PolicyId": "GWS.COMMONCONTROLS.10.4v0.2", "Criticality": "Shall", - "ReportDetails": utils.ReportDetails(NonCompliantOUs10_5, []), - "ActualValue": {"NonCompliantOUs": NonCompliantOUs10_5}, + "ReportDetails": utils.ReportDetails(NonCompliantOUs10_4, []), + "ActualValue": {"NonCompliantOUs": NonCompliantOUs10_4}, "RequirementMet": Status, "NoSuchEvent": false } if { Events := {Event | some Event in UnconfiguredAppAccessEvents; Event.OrgUnit == utils.TopLevelOU} count(Events) > 0 - Status := count(NonCompliantOUs10_5) == 0 + Status := count(NonCompliantOUs10_4) == 0 } #--