groups 4.1, 5.1: correct for probable Google changes in enumeration v…

…alues drive 1.3, 1.4, 1.5, 1.7: correct misunderstanding of sharing option flags
cisagov · Dec 8, 2024 · 2cb1021 · 2cb1021
1 parent 7cf0d3c
commit 2cb1021
Show file tree

Hide file tree

Showing 7 changed files with 199 additions and 61 deletions.
diff --git a/scubagoggles/Testing/RegoTests/drive/drive01_test.rego b/scubagoggles/Testing/RegoTests/drive/drive01_test.rego
@@ -388,7 +388,7 @@ test_Receiving_Incorrect_V2 if {
     }
 
     failedOU := [{"Name": "Test Top-Level OU",
-                 "Value": NonComplianceMessage1_2(GetFriendlyValue1_2("SHARING_ALLOWED"))}]
+                 "Value": EventNonComplianceMessage1_2(EventGetFriendlyValue1_2("SHARING_ALLOWED"))}]
     FailTestOUNonCompliant(PolicyId, Output, failedOU)
 }
 
@@ -424,7 +424,7 @@ test_Receiving_Incorrect_V3 if {
     }
 
     failedOU := [{"Name": "Test Top-Level OU",
-                 "Value": NonComplianceMessage1_2(GetFriendlyValue1_2("SHARING_ALLOWED"))}]
+                 "Value": EventNonComplianceMessage1_2(EventGetFriendlyValue1_2("SHARING_ALLOWED"))}]
     FailTestOUNonCompliant(PolicyId, Output, failedOU)
 }
 
@@ -460,7 +460,7 @@ test_Receiving_Incorrect_V4 if {
     }
 
     failedOU := [{"Name": "Test Secondary OU",
-                 "Value": NonComplianceMessage1_2(GetFriendlyValue1_2("SHARING_ALLOWED"))}]
+                 "Value": EventNonComplianceMessage1_2(EventGetFriendlyValue1_2("SHARING_ALLOWED"))}]
     FailTestOUNonCompliant(PolicyId, Output, failedOU)
 }
 
@@ -630,7 +630,7 @@ test_Warnings_Incorrect_V2 if {
     }
 
     failedOU := [{"Name": "Test Top-Level OU",
-                 "Value": NonComplianceMessage1_3(GetFriendlyValue1_3("SHARING_ALLOWED"))}]
+                 "Value": EventNonComplianceMessage1_3(EventGetFriendlyValue1_3("SHARING_ALLOWED"))}]
     FailTestOUNonCompliant(PolicyId, Output, failedOU)
 }
 
@@ -666,7 +666,7 @@ test_Warnings_Incorrect_V3 if {
     }
 
     failedOU := [{"Name": "Test Top-Level OU",
-                 "Value": NonComplianceMessage1_3(GetFriendlyValue1_3("SHARING_ALLOWED"))}]
+                 "Value": EventNonComplianceMessage1_3(EventGetFriendlyValue1_3("SHARING_ALLOWED"))}]
     FailTestOUNonCompliant(PolicyId, Output, failedOU)
 }
 
@@ -702,7 +702,7 @@ test_Warnings_Incorrect_V4 if {
     }
 
     failedOU := [{"Name": "Test Secondary OU",
-                 "Value": NonComplianceMessage1_3(GetFriendlyValue1_3("SHARING_ALLOWED"))}]
+                 "Value": EventNonComplianceMessage1_3(EventGetFriendlyValue1_3("SHARING_ALLOWED"))}]
     FailTestOUNonCompliant(PolicyId, Output, failedOU)
 }
 
@@ -922,8 +922,8 @@ test_NonGoogle_Incorrect_V2 if {
     }
 
     failedOU := [{"Name": "Test Top-Level OU",
-                 "Value": NonComplianceMessage1_4(GetFriendlyValue1_4("ANONYMOUS_PREVIEW",
-                                                                      "SHARING_ALLOWED"))}]
+                 "Value": EventNonComplianceMessage1_4(EventGetFriendlyValue1_4("ANONYMOUS_PREVIEW",
+                                                                                "SHARING_ALLOWED"))}]
     FailTestOUNonCompliant(PolicyId, Output, failedOU)
 }
 
@@ -979,8 +979,8 @@ test_NonGoogle_Incorrect_V3 if {
     }
 
     failedOU := [{"Name": "Test Top-Level OU",
-                 "Value": NonComplianceMessage1_4(GetFriendlyValue1_4("ANONYMOUS_PREVIEW",
-                                                                      "SHARING_ALLOWED"))}]
+                 "Value": EventNonComplianceMessage1_4(EventGetFriendlyValue1_4("ANONYMOUS_PREVIEW",
+                                                                                "SHARING_ALLOWED"))}]
     FailTestOUNonCompliant(PolicyId, Output, failedOU)
 }
 
@@ -1036,8 +1036,8 @@ test_NonGoogle_Incorrect_V4 if {
     }
 
     failedOU := [{"Name": "Test Secondary OU",
-                 "Value": NonComplianceMessage1_4(GetFriendlyValue1_4("ALLOWED",
-                                                                      "SHARING_ALLOWED"))}]
+                 "Value": EventNonComplianceMessage1_4(EventGetFriendlyValue1_4("ALLOWED",
+                                                                                "SHARING_ALLOWED"))}]
     FailTestOUNonCompliant(PolicyId, Output, failedOU)
 }
 

diff --git a/scubagoggles/Testing/RegoTests/drive/drive_api01_test.rego b/scubagoggles/Testing/RegoTests/drive/drive_api01_test.rego
@@ -30,11 +30,6 @@ GoodDriveApi01 := {
                 "allowNonGoogleInvites": true,
                 "allowReceivingExternalFiles": false
             }
-        },
-        "thirdOU": {
-            "security_session_controls": {
-                "webSessionDuration": "700m"
-            }
         }
     },
     "tenant_info": {
@@ -62,7 +57,20 @@ BadDriveApi01 := {
             },
                 "drive_and_docs_service_status": {"serviceState": "ENABLED"
             }
-        }
+        },
+         "nextOU": {
+            "drive_and_docs_external_sharing": {
+                "externalSharingMode": "ALLOWLISTED_DOMAINS",
+                "warnForSharingOutsideAllowlistedDomains": false,
+                "allowNonGoogleInvitesInAllowlistedDomains": true
+            }
+        },
+         "thirdOU": {
+            "drive_and_docs_external_sharing": {
+                "warnForExternalSharing": true
+            }
+        },
+         "fourthOU": {"empty intentional?": "yes"}
     },
     "tenant_info": {
         "topLevelOU": "topOU"
@@ -91,12 +99,12 @@ BadDriveApi01a := {
             "drive_and_docs_external_sharing": {
                 "accessCheckerSuggestions": "RECIPIENTS_OR_AUDIENCE",
                 "allowNonGoogleInvites": true,
-                "allowNonGoogleInvitesInAllowlistedDomains": false,
+                "allowNonGoogleInvitesInAllowlistedDomains": true,
                 "allowPublishingFiles": true,
                 "allowReceivingExternalFiles": false,
                 "allowReceivingFilesOutsideAllowlistedDomains": true,
                 "allowedPartiesForDistributingContent": "ELIGIBLE_INTERNAL_USERS",
-                "externalSharingMode": "ALLOWED",
+                "externalSharingMode": "ALLOWLISTED_DOMAINS",
                 "warnForExternalSharing": false,
                 "warnForSharingOutsideAllowlistedDomains": true
                 },
@@ -126,7 +134,9 @@ test_ExtSharing_Incorrect_1 if {
     PolicyId := DriveId1_1
     Output := tests with input as BadDriveApi01
 
-    failedOU := [{"Name": "topOU",
+    failedOU := [{"Name": "nextOU",
+                 "Value": NonComplianceMessage1_1(GetFriendlyValue1_1("ALLOWLISTED_DOMAINS"))},
+                 {"Name": "topOU",
                  "Value": NonComplianceMessage1_1(GetFriendlyValue1_1("ALLOWED"))}]
     FailTestOUNonCompliant(PolicyId, Output, failedOU)
 }
@@ -136,7 +146,7 @@ test_ExtSharing_Incorrect_2 if {
     Output := tests with input as BadDriveApi01a
 
     failedOU := [{"Name": "nextOU",
-                 "Value": NonComplianceMessage1_1(GetFriendlyValue1_1("ALLOWED"))}]
+                 "Value": NonComplianceMessage1_1(GetFriendlyValue1_1("ALLOWLISTED_DOMAINS"))}]
     FailTestOUNonCompliant(PolicyId, Output, failedOU)
 }
 
@@ -151,8 +161,10 @@ test_ReceiveExt_Incorrect_1 if {
     PolicyId := DriveId1_2
     Output := tests with input as BadDriveApi01a
 
-    failedOU := [{"Name": "thirdOU",
-                 "Value": NonComplianceMessage1_2(GetFriendlyValue1_2(true))}]
+    failedOU := [{"Name": "nextOU",
+                 "Value": NonComplianceMessage1_2(GetSharingValue("ALLOWLISTED_DOMAINS"))},
+                 {"Name": "thirdOU",
+                 "Value": NonComplianceMessage1_2(GetSharingValue("DISALLOWED"))}]
     FailTestOUNonCompliant(PolicyId, Output, failedOU)
 }
 
@@ -167,8 +179,10 @@ test_UserExtSharing_Incorrect_1 if {
     PolicyId := DriveId1_3
     Output := tests with input as BadDriveApi01
 
-    failedOU := [{"Name": "topOU",
-                 "Value": NonComplianceMessage1_3("disabled")}]
+    failedOU := [{"Name": "nextOU",
+                 "Value": NonComplianceMessage1_3(GetSharingValue("ALLOWLISTED_DOMAINS"))},
+                 {"Name": "topOU",
+                 "Value": NonComplianceMessage1_3(GetSharingValue("ALLOWED"))}]
     FailTestOUNonCompliant(PolicyId, Output, failedOU)
 }
 
@@ -183,8 +197,10 @@ test_NonGoogle_Incorrect_1 if {
     PolicyId := DriveId1_4
     Output := tests with input as BadDriveApi01
 
-    failedOU := [{"Name": "topOU",
-                 "Value": NonComplianceMessage1_4(GetFriendlyValue1_4(true, ""))}]
+    failedOU := [{"Name": "nextOU",
+                 "Value": NonComplianceMessage1_4(GetSharingValue("ALLOWLISTED_DOMAINS"))},
+                 {"Name": "topOU",
+                 "Value": NonComplianceMessage1_4(GetSharingValue("ALLOWED"))}]
     FailTestOUNonCompliant(PolicyId, Output, failedOU)
 }
 
@@ -193,7 +209,7 @@ test_NonGoogle_Incorrect_2 if {
     Output := tests with input as BadDriveApi01a
 
     failedOU := [{"Name": "nextOU",
-                 "Value": NonComplianceMessage1_4(GetFriendlyValue1_4(true, ""))}]
+                 "Value": NonComplianceMessage1_4(GetSharingValue("ALLOWLISTED_DOMAINS"))}]
     FailTestOUNonCompliant(PolicyId, Output, failedOU)
 }
 
@@ -208,7 +224,9 @@ test_AllowPublish_Incorrect_1 if {
     PolicyId := DriveId1_5
     Output := tests with input as BadDriveApi01
 
-    failedOU := [{"Name": "topOU",
+    failedOU := [{"Name": "nextOU",
+                 "Value": NonComplianceMessage1_5},
+                 {"Name": "topOU",
                  "Value": NonComplianceMessage1_5}]
     FailTestOUNonCompliant(PolicyId, Output, failedOU)
 }
@@ -261,7 +279,9 @@ test_MoveContent_Incorrect_1 if {
     Output := tests with input as BadDriveApi01
 
     value := "ALL_ELIGIBLE_USERS"
-    failedOU := [{"Name": "topOU",
+    failedOU := [{"Name": "nextOU",
+                 "Value": NonComplianceMessage1_7(GetFriendlyValue1_7(value))},
+                 {"Name": "topOU",
                  "Value": NonComplianceMessage1_7(GetFriendlyValue1_7(value))}]
     FailTestOUNonCompliant(PolicyId, Output, failedOU)
 }

diff --git a/scubagoggles/Testing/RegoTests/groups/groups_api04_test.rego b/scubagoggles/Testing/RegoTests/groups/groups_api04_test.rego
@@ -32,6 +32,11 @@ BadGroupsApi04 := {
                 "createGroupsAccessLevel": "USERS_IN_DOMAIN"
             },
             "groups_for_business_service_status": {"serviceState": "ENABLED"}
+        },
+        "nextOU": {
+            "groups_for_business_groups_sharing": {
+                "createGroupsAccessLevel": "ANYONE_CAN_CREATE"
+            }
         }
     },
     "tenant_info": {
@@ -50,7 +55,9 @@ test_GroupsAPI_Creator_Incorrect_1 if {
     PolicyId := GroupsId4_1
     Output := tests with input as BadGroupsApi04
 
-    failedOU := [{"Name": "topOU",
+    failedOU := [{"Name": "nextOU",
+                 "Value": NonComplianceMessage4_1("Any user")},
+                 {"Name": "topOU",
                  "Value": NonComplianceMessage4_1("Users in your domain only")}]
     FailTestOUNonCompliant(PolicyId, Output, failedOU)
 }
diff --git a/scubagoggles/Testing/RegoTests/groups/groups_api05_test.rego b/scubagoggles/Testing/RegoTests/groups/groups_api05_test.rego
@@ -32,6 +32,11 @@ BadGroupsApi05 := {
                 "viewTopicsDefaultAccessLevel": "MANAGERS"
             },
             "groups_for_business_service_status": {"serviceState": "ENABLED"}
+        },
+        "nextOU": {
+            "groups_for_business_groups_sharing": {
+                "viewTopicsDefaultAccessLevel": "ANYONE_CAN_VIEW_TOPICS"
+            }
         }
     },
     "tenant_info": {
@@ -50,7 +55,9 @@ test_GroupsAPI_ViewTopics_Incorrect_1 if {
     PolicyId := GroupsId5_1
     Output := tests with input as BadGroupsApi05
 
-    failedOU := [{"Name": "topOU",
+    failedOU := [{"Name": "nextOU",
+                 "Value": NonComplianceMessage5_1("Any user")},
+                 {"Name": "topOU",
                  "Value": NonComplianceMessage5_1("Managers")}]
     FailTestOUNonCompliant(PolicyId, Output, failedOU)
 }