diff --git a/scubagoggles/Testing/RegoTests/drive/drive01_test.rego b/scubagoggles/Testing/RegoTests/drive/drive01_test.rego index 02b70a5b..e9e36c50 100644 --- a/scubagoggles/Testing/RegoTests/drive/drive01_test.rego +++ b/scubagoggles/Testing/RegoTests/drive/drive01_test.rego @@ -388,7 +388,7 @@ test_Receiving_Incorrect_V2 if { } failedOU := [{"Name": "Test Top-Level OU", - "Value": NonComplianceMessage1_2(GetFriendlyValue1_2("SHARING_ALLOWED"))}] + "Value": EventNonComplianceMessage1_2(EventGetFriendlyValue1_2("SHARING_ALLOWED"))}] FailTestOUNonCompliant(PolicyId, Output, failedOU) } @@ -424,7 +424,7 @@ test_Receiving_Incorrect_V3 if { } failedOU := [{"Name": "Test Top-Level OU", - "Value": NonComplianceMessage1_2(GetFriendlyValue1_2("SHARING_ALLOWED"))}] + "Value": EventNonComplianceMessage1_2(EventGetFriendlyValue1_2("SHARING_ALLOWED"))}] FailTestOUNonCompliant(PolicyId, Output, failedOU) } @@ -460,7 +460,7 @@ test_Receiving_Incorrect_V4 if { } failedOU := [{"Name": "Test Secondary OU", - "Value": NonComplianceMessage1_2(GetFriendlyValue1_2("SHARING_ALLOWED"))}] + "Value": EventNonComplianceMessage1_2(EventGetFriendlyValue1_2("SHARING_ALLOWED"))}] FailTestOUNonCompliant(PolicyId, Output, failedOU) } @@ -630,7 +630,7 @@ test_Warnings_Incorrect_V2 if { } failedOU := [{"Name": "Test Top-Level OU", - "Value": NonComplianceMessage1_3(GetFriendlyValue1_3("SHARING_ALLOWED"))}] + "Value": EventNonComplianceMessage1_3(EventGetFriendlyValue1_3("SHARING_ALLOWED"))}] FailTestOUNonCompliant(PolicyId, Output, failedOU) } @@ -666,7 +666,7 @@ test_Warnings_Incorrect_V3 if { } failedOU := [{"Name": "Test Top-Level OU", - "Value": NonComplianceMessage1_3(GetFriendlyValue1_3("SHARING_ALLOWED"))}] + "Value": EventNonComplianceMessage1_3(EventGetFriendlyValue1_3("SHARING_ALLOWED"))}] FailTestOUNonCompliant(PolicyId, Output, failedOU) } 
@@ -702,7 +702,7 @@ test_Warnings_Incorrect_V4 if { } failedOU := [{"Name": "Test Secondary OU", - "Value": NonComplianceMessage1_3(GetFriendlyValue1_3("SHARING_ALLOWED"))}] + "Value": EventNonComplianceMessage1_3(EventGetFriendlyValue1_3("SHARING_ALLOWED"))}] FailTestOUNonCompliant(PolicyId, Output, failedOU) } @@ -922,8 +922,8 @@ test_NonGoogle_Incorrect_V2 if { } failedOU := [{"Name": "Test Top-Level OU", - "Value": NonComplianceMessage1_4(GetFriendlyValue1_4("ANONYMOUS_PREVIEW", - "SHARING_ALLOWED"))}] + "Value": EventNonComplianceMessage1_4(EventGetFriendlyValue1_4("ANONYMOUS_PREVIEW", + "SHARING_ALLOWED"))}] FailTestOUNonCompliant(PolicyId, Output, failedOU) } @@ -979,8 +979,8 @@ test_NonGoogle_Incorrect_V3 if { } failedOU := [{"Name": "Test Top-Level OU", - "Value": NonComplianceMessage1_4(GetFriendlyValue1_4("ANONYMOUS_PREVIEW", - "SHARING_ALLOWED"))}] + "Value": EventNonComplianceMessage1_4(EventGetFriendlyValue1_4("ANONYMOUS_PREVIEW", + "SHARING_ALLOWED"))}] FailTestOUNonCompliant(PolicyId, Output, failedOU) } @@ -1036,8 +1036,8 @@ test_NonGoogle_Incorrect_V4 if { } failedOU := [{"Name": "Test Secondary OU", - "Value": NonComplianceMessage1_4(GetFriendlyValue1_4("ALLOWED", - "SHARING_ALLOWED"))}] + "Value": EventNonComplianceMessage1_4(EventGetFriendlyValue1_4("ALLOWED", + "SHARING_ALLOWED"))}] FailTestOUNonCompliant(PolicyId, Output, failedOU) } diff --git a/scubagoggles/Testing/RegoTests/drive/drive_api01_test.rego b/scubagoggles/Testing/RegoTests/drive/drive_api01_test.rego index 31de8d31..0287a06a 100644 --- a/scubagoggles/Testing/RegoTests/drive/drive_api01_test.rego +++ b/scubagoggles/Testing/RegoTests/drive/drive_api01_test.rego @@ -30,11 +30,6 @@ GoodDriveApi01 := { "allowNonGoogleInvites": true, "allowReceivingExternalFiles": false } - }, - "thirdOU": { - "security_session_controls": { - "webSessionDuration": "700m" - } } }, "tenant_info": { 
@@ -62,7 +57,20 @@ BadDriveApi01 := { }, "drive_and_docs_service_status": {"serviceState": "ENABLED" } - } + }, + "nextOU": { + "drive_and_docs_external_sharing": { + "externalSharingMode": "ALLOWLISTED_DOMAINS", + "warnForSharingOutsideAllowlistedDomains": false, + "allowNonGoogleInvitesInAllowlistedDomains": true + } + }, + "thirdOU": { + "drive_and_docs_external_sharing": { + "warnForExternalSharing": true + } + }, + "fourthOU": {"empty intentional?": "yes"} }, "tenant_info": { "topLevelOU": "topOU" @@ -91,12 +99,12 @@ BadDriveApi01a := { "drive_and_docs_external_sharing": { "accessCheckerSuggestions": "RECIPIENTS_OR_AUDIENCE", "allowNonGoogleInvites": true, - "allowNonGoogleInvitesInAllowlistedDomains": false, + "allowNonGoogleInvitesInAllowlistedDomains": true, "allowPublishingFiles": true, "allowReceivingExternalFiles": false, "allowReceivingFilesOutsideAllowlistedDomains": true, "allowedPartiesForDistributingContent": "ELIGIBLE_INTERNAL_USERS", - "externalSharingMode": "ALLOWED", + "externalSharingMode": "ALLOWLISTED_DOMAINS", "warnForExternalSharing": false, "warnForSharingOutsideAllowlistedDomains": true }, @@ -126,7 +134,9 @@ test_ExtSharing_Incorrect_1 if { PolicyId := DriveId1_1 Output := tests with input as BadDriveApi01 - failedOU := [{"Name": "topOU", + failedOU := [{"Name": "nextOU", + "Value": NonComplianceMessage1_1(GetFriendlyValue1_1("ALLOWLISTED_DOMAINS"))}, + {"Name": "topOU", "Value": NonComplianceMessage1_1(GetFriendlyValue1_1("ALLOWED"))}] FailTestOUNonCompliant(PolicyId, Output, failedOU) } @@ -136,7 +146,7 @@ test_ExtSharing_Incorrect_2 if { Output := tests with input as BadDriveApi01a failedOU := [{"Name": "nextOU", - "Value": NonComplianceMessage1_1(GetFriendlyValue1_1("ALLOWED"))}] + "Value": NonComplianceMessage1_1(GetFriendlyValue1_1("ALLOWLISTED_DOMAINS"))}] FailTestOUNonCompliant(PolicyId, Output, failedOU) } 
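Review bot: The `"fourthOU": {"empty intentional?": "yes"}` entry added to `BadDriveApi01` reads like an unresolved question, not a fixture. If the intent is to prove that an OU carrying no Drive settings is never reported, say so in a comment, e.g. `# fourthOU sets no Drive settings: it must not appear in any failedOU list`, and give it a neutral key. None of the visible tests names fourthOU, so its absence from the results is only checked implicitly, presumably through exact matching inside `FailTestOUNonCompliant`.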
@@ -151,8 +161,10 @@ test_ReceiveExt_Incorrect_1 if { PolicyId := DriveId1_2 Output := tests with input as BadDriveApi01a - failedOU := [{"Name": "thirdOU", - "Value": NonComplianceMessage1_2(GetFriendlyValue1_2(true))}] + failedOU := [{"Name": "nextOU", + "Value": NonComplianceMessage1_2(GetSharingValue("ALLOWLISTED_DOMAINS"))}, + {"Name": "thirdOU", + "Value": NonComplianceMessage1_2(GetSharingValue("DISALLOWED"))}] FailTestOUNonCompliant(PolicyId, Output, failedOU) } @@ -167,8 +179,10 @@ test_UserExtSharing_Incorrect_1 if { PolicyId := DriveId1_3 Output := tests with input as BadDriveApi01 - failedOU := [{"Name": "topOU", - "Value": NonComplianceMessage1_3("disabled")}] + failedOU := [{"Name": "nextOU", + "Value": NonComplianceMessage1_3(GetSharingValue("ALLOWLISTED_DOMAINS"))}, + {"Name": "topOU", + "Value": NonComplianceMessage1_3(GetSharingValue("ALLOWED"))}] FailTestOUNonCompliant(PolicyId, Output, failedOU) } @@ -183,8 +197,10 @@ test_NonGoogle_Incorrect_1 if { PolicyId := DriveId1_4 Output := tests with input as BadDriveApi01 - failedOU := [{"Name": "topOU", - "Value": NonComplianceMessage1_4(GetFriendlyValue1_4(true, ""))}] + failedOU := [{"Name": "nextOU", + "Value": NonComplianceMessage1_4(GetSharingValue("ALLOWLISTED_DOMAINS"))}, + {"Name": "topOU", + "Value": NonComplianceMessage1_4(GetSharingValue("ALLOWED"))}] FailTestOUNonCompliant(PolicyId, Output, failedOU) } @@ -193,7 +209,7 @@ test_NonGoogle_Incorrect_2 if { Output := tests with input as BadDriveApi01a failedOU := [{"Name": "nextOU", - "Value": NonComplianceMessage1_4(GetFriendlyValue1_4(true, ""))}] + "Value": NonComplianceMessage1_4(GetSharingValue("ALLOWLISTED_DOMAINS"))}] FailTestOUNonCompliant(PolicyId, Output, failedOU) } 
@@ -208,7 +224,9 @@ test_AllowPublish_Incorrect_1 if { PolicyId := DriveId1_5 Output := tests with input as BadDriveApi01 - failedOU := [{"Name": "topOU", + failedOU := [{"Name": "nextOU", + "Value": NonComplianceMessage1_5}, + {"Name": "topOU", "Value": NonComplianceMessage1_5}] FailTestOUNonCompliant(PolicyId, Output, failedOU) } @@ -261,7 +279,9 @@ test_MoveContent_Incorrect_1 if { Output := tests with input as BadDriveApi01 value := "ALL_ELIGIBLE_USERS" - failedOU := [{"Name": "topOU", + failedOU := [{"Name": "nextOU", + "Value": NonComplianceMessage1_7(GetFriendlyValue1_7(value))}, + {"Name": "topOU", "Value": NonComplianceMessage1_7(GetFriendlyValue1_7(value))}] FailTestOUNonCompliant(PolicyId, Output, failedOU) } diff --git a/scubagoggles/Testing/RegoTests/groups/groups_api04_test.rego b/scubagoggles/Testing/RegoTests/groups/groups_api04_test.rego index 63a0cf00..5f24afc4 100644 --- a/scubagoggles/Testing/RegoTests/groups/groups_api04_test.rego +++ b/scubagoggles/Testing/RegoTests/groups/groups_api04_test.rego @@ -32,6 +32,11 @@ BadGroupsApi04 := { "createGroupsAccessLevel": "USERS_IN_DOMAIN" }, "groups_for_business_service_status": {"serviceState": "ENABLED"} + }, + "nextOU": { + "groups_for_business_groups_sharing": { + "createGroupsAccessLevel": "ANYONE_CAN_CREATE" + } } }, "tenant_info": { @@ -50,7 +55,9 @@ test_GroupsAPI_Creator_Incorrect_1 if { PolicyId := GroupsId4_1 Output := tests with input as BadGroupsApi04 - failedOU := [{"Name": "topOU", + failedOU := [{"Name": "nextOU", + "Value": NonComplianceMessage4_1("Any user")}, + {"Name": "topOU", "Value": NonComplianceMessage4_1("Users in your domain only")}] FailTestOUNonCompliant(PolicyId, Output, failedOU) } diff --git a/scubagoggles/Testing/RegoTests/groups/groups_api05_test.rego b/scubagoggles/Testing/RegoTests/groups/groups_api05_test.rego index 7ed9999a..bd6860d8 100644 --- a/scubagoggles/Testing/RegoTests/groups/groups_api05_test.rego 
+++ b/scubagoggles/Testing/RegoTests/groups/groups_api05_test.rego @@ -32,6 +32,11 @@ BadGroupsApi05 := { "viewTopicsDefaultAccessLevel": "MANAGERS" }, "groups_for_business_service_status": {"serviceState": "ENABLED"} + }, + "nextOU": { + "groups_for_business_groups_sharing": { + "viewTopicsDefaultAccessLevel": "ANYONE_CAN_VIEW_TOPICS" + } } }, "tenant_info": { @@ -50,7 +55,9 @@ test_GroupsAPI_ViewTopics_Incorrect_1 if { PolicyId := GroupsId5_1 Output := tests with input as BadGroupsApi05 - failedOU := [{"Name": "topOU", + failedOU := [{"Name": "nextOU", + "Value": NonComplianceMessage5_1("Any user")}, + {"Name": "topOU", "Value": NonComplianceMessage5_1("Managers")}] FailTestOUNonCompliant(PolicyId, Output, failedOU) } diff --git a/scubagoggles/rego/Drive.rego b/scubagoggles/rego/Drive.rego index bfd3e8f7..e57757f5 100644 --- a/scubagoggles/rego/Drive.rego +++ b/scubagoggles/rego/Drive.rego @@ -138,16 +138,27 @@ Check1_2_OK if { Check1_2_OK if {PolicyApiInUse} -GetFriendlyValue1_2(Value) := "cannot" if { +EventGetFriendlyValue1_2(Value) := "cannot" if { Value in {"SHARING_NOT_ALLOWED INHERIT_FROM_PARENT", false} } else := "can" -NonComplianceMessage1_2(value) := sprintf("Users %s receive files outside the domain", +EventNonComplianceMessage1_2(value) := sprintf("Users %s receive files outside the domain", [value]) +GetSharingValue(ShareSetting) := "allowlisted" if { + ShareSetting == "ALLOWLISTED_DOMAINS" +} else := "any" if { + ShareSetting == "ALLOWED" +} else := "no" if { + ShareSetting == "DISALLOWED" +} else := ShareSetting + +NonComplianceMessage1_2(Value) := sprintf("File sharing with %s domains, %s", + [Value, "receiving files permitted."]) + NonCompliantOUs1_2 contains { "Name": OU, - "Value": NonComplianceMessage1_2(GetFriendlyValue1_2(LastEvent.NewValue)) + "Value": EventNonComplianceMessage1_2(EventGetFriendlyValue1_2(LastEvent.NewValue)) } if { not PolicyApiInUse 
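Review bot: The set in `EventGetFriendlyValue1_2`, `{"SHARING_NOT_ALLOWED INHERIT_FROM_PARENT", false}`, holds one string where two look intended, so neither `"SHARING_NOT_ALLOWED"` nor `"INHERIT_FROM_PARENT"` on its own maps to "cannot". `AcceptableValues1_4_B` later in this file lists the same two values as separate members. The line is unchanged context, but the function is renamed in this hunk, so this is a cheap moment to correct it: `Value in {"SHARING_NOT_ALLOWED", "INHERIT_FROM_PARENT", false}`. Confirm against real log event values first, in case the fused string is what the audit log actually emits.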
@@ -162,7 +173,7 @@ if { NonCompliantGroups1_2 contains { "Name": Group, - "Value": GetFriendlyValue1_2(LastEvent.NewValue) + "Value": EventNonComplianceMessage1_2(EventGetFriendlyValue1_2(LastEvent.NewValue)) } if { not PolicyApiInUse @@ -177,7 +188,7 @@ if { NonCompliantOUs1_2 contains { "Name": OU, - "Value": NonComplianceMessage1_2(GetFriendlyValue1_2(receiveExternal)) + "Value": NonComplianceMessage1_2(GetSharingValue("DISALLOWED")) } if { some OU, settings in input.policies @@ -187,6 +198,25 @@ if { receiveExternal != false } +NonCompliantOUs1_2 contains { + "Name": OU, + "Value": NonComplianceMessage1_2(GetSharingValue(extShare)) +} +if { + some OU, settings in input.policies + DriveEnabled(OU) + section := "drive_and_docs_external_sharing" + shareSetting := "externalSharingMode" + extShare := utils.GetApiSettingValue(section, shareSetting, OU) + extShare == "ALLOWLISTED_DOMAINS" + extShareSet := utils.ApiSettingExists(section, shareSetting, OU) + receiveSetting := "allowReceivingFilesOutsideAllowlistedDomains" + receiveExternal := utils.GetApiSettingValue(section, receiveSetting, OU) + receiveExternal != false + receiveExternalSet := utils.ApiSettingExists(section, receiveSetting, OU) + true in {extShareSet, receiveExternalSet} +} + tests contains { "PolicyId": DriveId1_2, "Criticality": "Should", 
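Review bot: The value reported by this `NonCompliantOUs1_2` rule is now the literal `GetSharingValue("DISALLOWED")`, so the finding always says sharing is with "no" domains whatever the OU's `externalSharingMode` is. The only condition visible here is `receiveExternal != false`. The lines between `some OU, settings in input.policies` and that test fall outside the hunk, so it is not visible whether the mode is constrained to `DISALLOWED` there. If it is not, read the mode and pass it through as the rule added directly below does, `"Value": NonComplianceMessage1_2(GetSharingValue(extShare))`. If it is, a one-line comment stating that this rule only applies when sharing is disallowed would stop the literal looking like a mistake.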
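Review bot: The "set at this OU" test in the new `NonCompliantOUs1_2` rule (two `utils.ApiSettingExists` bindings followed by `true in {extShareSet, receiveExternalSet}`) is copied into six more rules in this commit: both new 1_3 rules, both new 1_4 rules, and the 1_5 and 1_7 rules. This logic decides whether an OU is reported or skipped, so it should live in one helper where it can be reviewed and tested once. A slip in any single copy would silently hide findings for that policy. A helper taking the section and the set of setting names would replace both bindings and the `true in {...}` line in each rule. `settings` in `some OU, settings in input.policies` is also no longer referenced in these bodies and could become `_`.

```rego
# True when OU itself sets at least one of Settings in Section.
# NOTE(review): presumably the other case means the value is inherited; confirm
# against utils.GetApiSettingValue.
AnySettingSetAtOU(Section, Settings, OU) if {
    some Setting in Settings
    utils.ApiSettingExists(Section, Setting, OU)
}

# In NonCompliantOUs1_2 (and likewise in the 1_3, 1_4, 1_5 and 1_7 rules):
# … unchanged: OU iteration, DriveEnabled, section and setting names …
    extShare := utils.GetApiSettingValue(section, shareSetting, OU)
    extShare == "ALLOWLISTED_DOMAINS"
    receiveExternal := utils.GetApiSettingValue(section, receiveSetting, OU)
    receiveExternal != false
    AnySettingSetAtOU(section, {shareSetting, receiveSetting}, OU)
```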
@@ -240,16 +270,19 @@ AcceptableValues1_3 := {"SHARING_ALLOWED_WITH_WARNING", "TRUSTED_DOMAINS_ALLOWED_WITH_WARNING", "TRUSTED_DOMAINS_ALLOWED_WITH_WARNING_MAY_RECEIVE_FILES_FROM_ANYONE"} -GetFriendlyValue1_3(Value) := "enabled" if { +EventGetFriendlyValue1_3(Value) := "enabled" if { Value in AcceptableValues1_3 == true } else := "disabled" -NonComplianceMessage1_3(value) := sprintf("External Sharing Warning is %s", +EventNonComplianceMessage1_3(value) := sprintf("External Sharing Warning is %s", [value]) +NonComplianceMessage1_3(Value) := sprintf("File sharing with %s domains, %s", + [Value, "without warnings."]) + NonCompliantOUs1_3 contains { "Name": OU, - "Value": NonComplianceMessage1_3(GetFriendlyValue1_3(LastEvent.NewValue)) + "Value": EventNonComplianceMessage1_3(EventGetFriendlyValue1_3(LastEvent.NewValue)) } if { not PolicyApiInUse @@ -262,7 +295,7 @@ if { NonCompliantGroups1_3 contains { "Name": Group, - "Value": NonComplianceMessage1_3(GetFriendlyValue1_3(LastEvent.NewValue)) + "Value": EventNonComplianceMessage1_3(EventGetFriendlyValue1_3(LastEvent.NewValue)) } if { not PolicyApiInUse 
@@ -275,14 +308,40 @@ if { NonCompliantOUs1_3 contains { "Name": OU, - "Value": NonComplianceMessage1_3(GetFriendlyEnabledValue(warnExternal)) + "Value": NonComplianceMessage1_3(GetSharingValue(extShare)) +} +if { + some OU, settings in input.policies + DriveEnabled(OU) + section := "drive_and_docs_external_sharing" + shareSetting := "externalSharingMode" + extShare := utils.GetApiSettingValue(section, shareSetting, OU) + extShare == "ALLOWLISTED_DOMAINS" + extShareSet := utils.ApiSettingExists(section, shareSetting, OU) + warnSetting := "warnForSharingOutsideAllowlistedDomains" + warnShared := utils.GetApiSettingValue(section, warnSetting, OU) + warnShared != true + warnSharedSet := utils.ApiSettingExists(section, warnSetting, OU) + true in {extShareSet, warnSharedSet} +} + +NonCompliantOUs1_3 contains { + "Name": OU, + "Value": NonComplianceMessage1_3(GetSharingValue(extShare)) } if { some OU, settings in input.policies DriveEnabled(OU) - ExternalSharingAllowed(OU) - warnExternal := settings.drive_and_docs_external_sharing.warnForExternalSharing - warnExternal != true + section := "drive_and_docs_external_sharing" + shareSetting := "externalSharingMode" + extShare := utils.GetApiSettingValue(section, shareSetting, OU) + extShare == "ALLOWED" + extShareSet := utils.ApiSettingExists(section, shareSetting, OU) + warnSetting := "warnForExternalSharing" + warnShared := utils.GetApiSettingValue(section, warnSetting, OU) + warnShared != true + warnSharedSet := utils.ApiSettingExists(section, warnSetting, OU) + true in {extShareSet, warnSharedSet} } tests contains { 
@@ -349,19 +408,22 @@ AcceptableValues1_4_A := {"NOT_ALLOWED", "INHERIT_FROM_PARENT", true} AcceptableValues1_4_B := {"SHARING_NOT_ALLOWED", "INHERIT_FROM_PARENT"} -GetFriendlyValue1_4(Value_A, Value_B) := "disabled" if { +EventGetFriendlyValue1_4(Value_A, Value_B) := "disabled" if { Value_B in AcceptableValues1_4_B } else := "enabled but sharing items to non-google accounts is disabled" if { Value_A in AcceptableValues1_4_A } else := "enabled and items can be shared to non-google accounts" -NonComplianceMessage1_4(value) := sprintf("External Sharing is %s", +EventNonComplianceMessage1_4(value) := sprintf("External Sharing is %s", [value]) +NonComplianceMessage1_4(Value) := sprintf("File sharing with %s domains, %s", + [Value, "with non-Google users."]) + NonCompliantOUs1_4 contains { "Name": OU, - "Value": NonComplianceMessage1_4(GetFriendlyValue1_4(LastEvent_A.NewValue, - LastEvent_B.NewValue)) + "Value": EventNonComplianceMessage1_4(EventGetFriendlyValue1_4(LastEvent_A.NewValue, + LastEvent_B.NewValue)) } if { not PolicyApiInUse @@ -380,8 +442,8 @@ if { NonCompliantGroups1_4 contains { "Name": Group, - "Value": NonComplianceMessage1_4(GetFriendlyValue1_4(LastEvent_A.NewValue, - LastEvent_B.NewValue)) + "Value": EventNonComplianceMessage1_4(EventGetFriendlyValue1_4(LastEvent_A.NewValue, + LastEvent_B.NewValue)) } if { not PolicyApiInUse 
@@ -400,14 +462,40 @@ if { NonCompliantOUs1_4 contains { "Name": OU, - "Value": NonComplianceMessage1_4(GetFriendlyValue1_4(nonGoogle, "")) + "Value": NonComplianceMessage1_4(GetSharingValue(extShare)) +} +if { + some OU, settings in input.policies + DriveEnabled(OU) + section := "drive_and_docs_external_sharing" + shareSetting := "externalSharingMode" + extShare := utils.GetApiSettingValue(section, shareSetting, OU) + extShare == "ALLOWLISTED_DOMAINS" + extShareSet := utils.ApiSettingExists(section, shareSetting, OU) + nonGoogleSetting := "allowNonGoogleInvitesInAllowlistedDomains" + nonGoogle := utils.GetApiSettingValue(section, nonGoogleSetting, OU) + nonGoogle != false + nonGoogleSet := utils.ApiSettingExists(section, nonGoogleSetting, OU) + true in {extShareSet, nonGoogleSet} +} + +NonCompliantOUs1_4 contains { + "Name": OU, + "Value": NonComplianceMessage1_4(GetSharingValue(extShare)) } if { some OU, settings in input.policies DriveEnabled(OU) - ExternalSharingAllowed(OU) - nonGoogle := settings.drive_and_docs_external_sharing.allowNonGoogleInvites + section := "drive_and_docs_external_sharing" + shareSetting := "externalSharingMode" + extShare := utils.GetApiSettingValue(section, shareSetting, OU) + extShare == "ALLOWED" + extShareSet := utils.ApiSettingExists(section, shareSetting, OU) + nonGoogleSetting := "allowNonGoogleInvites" + nonGoogle := utils.GetApiSettingValue(section, nonGoogleSetting, OU) nonGoogle != false + nonGoogleSet := utils.ApiSettingExists(section, nonGoogleSetting, OU) + true in {extShareSet, nonGoogleSet} } tests contains { 
@@ -492,8 +580,16 @@ NonCompliantOUs1_5 contains { if { some OU, settings in input.policies DriveEnabled(OU) - allowPublish := settings.drive_and_docs_external_sharing.allowPublishingFiles + section := "drive_and_docs_external_sharing" + shareSetting := "externalSharingMode" + extShare := utils.GetApiSettingValue(section, shareSetting, OU) + extShare != "DISALLOWED" + extShareSet := utils.ApiSettingExists(section, shareSetting, OU) + allowPublishSetting := "allowPublishingFiles" + allowPublish := utils.GetApiSettingValue(section, allowPublishSetting, OU) allowPublish != false + allowPublishSet := utils.ApiSettingExists(section, allowPublishSetting, OU) + true in {extShareSet, allowPublishSet} } tests contains { @@ -683,8 +779,16 @@ NonCompliantOUs1_7 contains { if { some OU, settings in input.policies DriveEnabled(OU) - moveContent := settings.drive_and_docs_external_sharing.allowedPartiesForDistributingContent + section := "drive_and_docs_external_sharing" + shareSetting := "externalSharingMode" + extShare := utils.GetApiSettingValue(section, shareSetting, OU) + extShare != "DISALLOWED" + extShareSet := utils.ApiSettingExists(section, shareSetting, OU) + moveContentSetting := "allowedPartiesForDistributingContent" + moveContent := utils.GetApiSettingValue(section, moveContentSetting, OU) moveContent != "NONE" + moveContentSet := utils.ApiSettingExists(section, moveContentSetting, OU) + true in {extShareSet, moveContentSet} } tests contains { @@ -1372,7 +1476,7 @@ Check5_1_OK if { count(events) > 0 } -Check5_1_OK if {PolicyApiInUse} +# Check5_1_OK if {PolicyApiInUse} NonComplianceMessage5_1 := "Users can install Google Docs add-ons from add-ons store." diff --git a/scubagoggles/rego/Groups.rego b/scubagoggles/rego/Groups.rego index 9476131a..03876922 100644 --- a/scubagoggles/rego/Groups.rego +++ b/scubagoggles/rego/Groups.rego 
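Review bot: `# Check5_1_OK if {PolicyApiInUse}` in the last Drive.rego hunk disables a rule by commenting it out, with no explanation, in a policy (5.1) that the rest of this commit does not touch. With that rule gone, `Check5_1_OK` appears to hold only through the remaining rule, whose last visible condition is `count(events) > 0` and whose body starts outside the hunk. A tenant evaluated through the policy API with no matching log events would therefore presumably get a different 5.1 result than before. Either delete the line and give the reason in the commit message, or keep it with the reason attached, e.g. `# Disabled: <reason>; re-enable when <condition> (see <issue-id>)`.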
@@ -276,7 +276,7 @@ GetFriendlyValue4_1(Value) := "Administrators only" if { } else := "Users in your domain only" if { Value == "USERS_IN_DOMAIN" } else := "Any user" if { - Value == "WORLD" + Value in {"ANYONE_CAN_CREATE", "WORLD"} } else := Value NonComplianceMessage4_1(value) := sprintf("Groups can be created by: %s", [value]) @@ -363,7 +363,7 @@ GetFriendlyValue5_1(Value) := "Owners" if { } else := "Users in your domain only" if { Value == "DOMAIN_USERS" } else := "Any user" if { - Value == "PUBLIC" + Value in {"ANYONE_CAN_VIEW_TOPICS", "PUBLIC"} } else := Value NonComplianceMessage5_1(value) := sprintf("Group conversations can be viewed by: %s", [value]) diff --git a/scubagoggles/rego/Utils.rego b/scubagoggles/rego/Utils.rego index 10a016b7..333a41b8 100644 --- a/scubagoggles/rego/Utils.rego +++ b/scubagoggles/rego/Utils.rego @@ -430,7 +430,7 @@ ApiSettingExists(Section, Setting, OU) := true if { OUSettings := input.policies[OU] Section in object.keys(OUSettings) Setting in object.keys(OUSettings[Section]) -} +} else := false GetApiSettingValue(Section, Setting, OU) := Value if { not ApiSettingExists(Section, Setting, OU)
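Review bot: `ApiSettingExists` in Utils.rego now yields `false` instead of being undefined, and nothing at the definition says that callers depend on this. The Drive rules added in this commit bind its result (`extShareSet := utils.ApiSettingExists(...)`) and then test `true in {extShareSet, ...}`. With an undefined result the binding itself would fail and the whole rule would silently produce no finding, so the `else := false` is load-bearing. I would record that above the function: `# Always defined: false (never undefined) when the OU, section or setting is absent, so the result can be bound to a variable.` The `GetApiSettingValue` body that follows continues outside the hunk.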