From 5175ef32369af0af46741165bcf07fe5f77d9939 Mon Sep 17 00:00:00 2001 From: Roy Lane Date: Fri, 20 Dec 2024 15:58:49 -0500 Subject: [PATCH] sites rego: remove log event implementation --- .../Testing/RegoTests/sites/sites01_test.rego | 474 ------------------ .../RegoTests/sites/sites_api01_test.rego | 8 +- scubagoggles/rego/Sites.rego | 137 +---- 3 files changed, 12 insertions(+), 607 deletions(-) delete mode 100644 scubagoggles/Testing/RegoTests/sites/sites01_test.rego diff --git a/scubagoggles/Testing/RegoTests/sites/sites01_test.rego b/scubagoggles/Testing/RegoTests/sites/sites01_test.rego deleted file mode 100644 index a67e3d36..00000000 --- a/scubagoggles/Testing/RegoTests/sites/sites01_test.rego +++ /dev/null 
@@ -1,474 +0,0 @@ -package sites - -import future.keywords -import data.utils.FailTestNoEvent -import data.utils.FailTestGroupNonCompliant -import data.utils.FailTestOUNonCompliant -import data.utils.PassTestResult - -test_Sites_Disabled_Correct_V1 if { - # Test ensure Sites is disabled - PolicyId := SitesId1_1 - Output := tests with input as { - "sites_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Sites"}, - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "" - } - } - - PassTestResult(PolicyId, Output) -} - -test_Sites_Disabled_Correct_V2 if { - # Test ensure sites is disabled when there's multiple events and the most recent is correct - PolicyId := SitesId1_1 - Output := tests with input as { - "sites_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Sites"}, - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Sites"}, - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "" - } - } - - PassTestResult(PolicyId, Output) -} - -test_Sites_Disabled_Correct_V3 if { - # Test ensure sites is disabled when there are multiple OU's - PolicyId := SitesId1_1 - Output := tests with input as { - "sites_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Sites"}, - {"name": "NEW_VALUE", 
"value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Sites"}, - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Secondary OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - PassTestResult(PolicyId, Output) -} - -test_Sites_Disabled_Correct_V4 if { - # Test sites is disabled when there are multiple OU's and an older event is non-complaint - PolicyId := SitesId1_1 - Output := tests with input as { - "sites_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Sites"}, - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Sites"}, - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Secondary OU"}, - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Sites"}, - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - PassTestResult(PolicyId, Output) -} - -test_Sites_Disabled_Correct_V5 if { - # Test Sites inheritance - PolicyId := SitesId1_1 - Output := tests with input as { - "sites_logs": {"items": [ - { - "id": {"time": "2022-12-10T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Sites"}, - {"name": "NEW_VALUE", "value": "false"}, 
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2022-12-20T00:02:29.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Sites"}, - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Second OU"}, - ] - }] - }, - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Sites"}, - {"name": "NEW_VALUE", "value": "INHERIT_FROM_PARENT"}, - {"name": "ORG_UNIT_NAME", "value": "Second OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - PassTestResult(PolicyId, Output) -} - -test_Sites_Disabled_Incorrect_V1 if { - # Test sites is disabled when there is an event for a different service - PolicyId := SitesId1_1 - Output := tests with input as { - "sites_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Something else"}, - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Sites"}, - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "" - } - } - - failedOU := [{"Name": "Test Top-Level OU", - "Value": "Service status for Sites is ON."}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} - -test_Sites_Disabled_Incorrect_V2 if { - # Test Sites is disabled when there's only one event and it's wrong - PolicyId := SitesId1_1 - Output := tests with input as { - "sites_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": 
"TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Sites"}, - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "" - } - } - - failedOU := [{"Name": "Test Top-Level OU", - "Value": "Service status for Sites is ON."}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} - -test_Sites_Disabled_Incorrect_V3 if { - # Test sites is disabled when there are multiple events and the most recent is wrong - PolicyId := SitesId1_1 - Output := tests with input as { - "sites_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Sites"}, - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Sites"}, - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "" - }, - } - - failedOU := [{"Name": "Test Top-Level OU", - "Value": "Service status for Sites is ON."}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} - -test_Sites_Disabled_Incorrect_V4 if { - # Test sites is disabled when the Top-level OU is compliant but a secondary OU is non-compliant - PolicyId := SitesId1_1 - Output := tests with input as { - "sites_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Sites"}, - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - 
"parameters": [ - {"name": "SERVICE_NAME", "value": "Sites"}, - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Secondary OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - }, - } - - failedOU := [{"Name": "Secondary OU", - "Value": "Service status for Sites is ON."}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} - -test_Sites_Disabled_Incorrect_V5 if { - # Test sites is disabled when there's only one event and it's wrong - PolicyId := SitesId1_1 - Output := tests with input as { - "sites_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Sites"}, - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "" - } - } - - failedOU := [{"Name": "Test Top-Level OU", - "Value": "Service status for Sites is ON."}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} - -test_Sites_Disabled_Incorrect_V6 if { - # Test sites is disabled when there are no relevant events - PolicyId := SitesId1_1 - Output := tests with input as { - "sites_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Something else"}, - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "" - } - } - - FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false) -} - -test_Sites_Disabled_Incorrect_V7 if { - # Test Sites enabled in a group - PolicyId := SitesId1_1 - Output := tests with input as { - "sites_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Sites"}, - 
{"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Sites"}, - {"name": "NEW_VALUE", "value": "true"}, - {"name": "GROUP_EMAIL", "value": "group@example.com"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "" - } - } - - failedGroup := [{"Name": "group@example.com", - "Value": "Service status for Sites is ON."}] - FailTestGroupNonCompliant(PolicyId, Output, failedGroup) -} - -test_Sites_Disabled_Incorrect_V8 if { - # Test Sites enabled in a group and an ou - PolicyId := SitesId1_1 - Output := tests with input as { - "sites_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Sites"}, - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Sites"}, - {"name": "NEW_VALUE", "value": "true"}, - {"name": "GROUP_EMAIL", "value": "group@example.com"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "" - } - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", [ - "The following OUs are non-compliant:", - "
", - "The following groups are non-compliant:" - ]) -} -#-- diff --git a/scubagoggles/Testing/RegoTests/sites/sites_api01_test.rego b/scubagoggles/Testing/RegoTests/sites/sites_api01_test.rego index 7c5c9f5c..c041440e 100644 --- a/scubagoggles/Testing/RegoTests/sites/sites_api01_test.rego +++ b/scubagoggles/Testing/RegoTests/sites/sites_api01_test.rego @@ -50,9 +50,9 @@ test_SitesAPI_NonComply_1 if { } failedOU := [{"Name": "nextOU", - "Value": "Service status for Sites is ON."}, + "Value": NonComplianceMessage1_1}, {"Name": "topOU", - "Value": "Service status for Sites is ON."}] + "Value": NonComplianceMessage1_1}] FailTestOUNonCompliant(PolicyId, Output, failedOU) } @@ -77,8 +77,8 @@ test_SitesAPI_NonComply_2 if { } failedOU := [{"Name": "topOU", - "Value": "Service status for Sites is ON."}, + "Value": NonComplianceMessage1_1}, {"Name": "topOU (group \"Even More Secret Group\")", - "Value": "Service status for Sites is ON."}] + "Value": NonComplianceMessage1_1}] FailTestOUNonCompliant(PolicyId, Output, failedOU) } diff --git a/scubagoggles/rego/Sites.rego b/scubagoggles/rego/Sites.rego index c9640e64..aca0a5d7 100644 --- a/scubagoggles/rego/Sites.rego +++ b/scubagoggles/rego/Sites.rego 
@@ -2,72 +2,9 @@ package sites import future.keywords import data.utils -import data.utils.PolicyApiInUse SitesEnabled(orgunit) := utils.AppEnabled(input.policies, "sites", orgunit) -FilterEventsOU(OrgUnit) := FilteredEvents if { - # If there exists at least the root OU and 1 more OU - # filter out organizational units that don't exist - input.organizational_unit_names - count(input.organizational_unit_names) >=2 - - # Filter the events by OrgUnit - Events := ToggleServiceEvents - FilteredEvents := { - Event | some Event in Events; - Event.OrgUnit == OrgUnit; - Event.OrgUnit in input.organizational_unit_names - } -} - -FilterEventsOU(OrgUnit) := FilteredEvents if { - # If only the root OU exists run like normal - input.organizational_unit_names - count(input.organizational_unit_names) < 2 - - # Filter the events by OrgUnit - Events := ToggleServiceEvents - FilteredEvents := {Event | some Event in Events; Event.OrgUnit == OrgUnit} -} - -FilterEventsOU(OrgUnit) := FilteredEvents if { - # If OUs variable does not exist run like normal - not input.organizational_unit_names - - # Filter the events by OrgUnit - Events := ToggleServiceEvents - FilteredEvents := {Event | some Event in Events; Event.OrgUnit == OrgUnit} -} - -FilterEventsGroup(Group) := FilteredEvents if { - Events := ToggleServiceEvents - FilteredEvents := {Event | some Event in Events; Event.Group == Group} -} - -ToggleServiceEvents contains { - "Timestamp": time.parse_rfc3339_ns(Item.id.time), - "TimestampStr": Item.id.time, - "NewValue": NewValue, - "OrgUnit": OrgUnit, - "Group": Group -} -if { - some Item in input.sites_logs.items - some Event in Item.events - Event.name == "TOGGLE_SERVICE_ENABLED" - - "SERVICE_NAME" in {Parameter.name | some Parameter in Event.parameters} - "NEW_VALUE" in {Parameter.name | some Parameter in Event.parameters} - - ServiceName := [Parameter.value | some Parameter in Event.parameters; Parameter.name == "SERVICE_NAME"][0] - NewValue := [Parameter.value | some Parameter in 
Event.parameters; Parameter.name == "NEW_VALUE"][0] - OrgUnit := utils.GetEventOu(Event) - Group := utils.GetEventGroup(Event) - - ServiceName == "Sites" -} - ############### # GWS.SITES.1 # ############### 
@@ -75,87 +12,29 @@ if { # # Baseline GWS.SITES.1.1 #-- -ServiceStatusOnMessage := "Service status for Sites is ON." -NonCompliantOUs1_1 contains { - "Name": OU, - "Value": ServiceStatusOnMessage -} if { - not PolicyApiInUse - some OU in utils.OUsWithEvents - Events := FilterEventsOU(OU) - # Ignore OUs without any events. We're already asserting that the - # top-level OU has at least one event; for all other OUs we assume - # they inherit from a parent OU if they have no events. - count(Events) > 0 - LastEvent := utils.GetLastEvent(Events) - LastEvent.NewValue != "false" - LastEvent.NewValue != "INHERIT_FROM_PARENT" -} +SitesId1_1 := utils.PolicyIdWithSuffix("GWS.SITES.1.1") -NonCompliantGroups1_1 contains { - "Name": Group, - "Value": ServiceStatusOnMessage -} if { - not PolicyApiInUse - some Group in utils.GroupsWithEvents - Events := FilterEventsGroup(Group) - # Ignore Groups without any events. - count(Events) > 0 - LastEvent := utils.GetLastEvent(Events) - LastEvent.NewValue != "false" - LastEvent.NewValue != "INHERIT_FROM_PARENT" -} +NonComplianceMessage1_1 := "Service status for Sites is enabled" NonCompliantOUs1_1 contains { "Name": OU, - "Value": ServiceStatusOnMessage -} if { - some OU, settings in input.policies - SitesEnabled(OU) -} - -# This check is done a few times below. It's True if either the policy API -# is in use or there is at least one event returned for the top-level orgunit. 
- -CheckOK if { - not PolicyApiInUse - events := FilterEventsOU(utils.TopLevelOU) - count(events) > 0 -} - -CheckOK if {PolicyApiInUse} - -SitesId1_1 := utils.PolicyIdWithSuffix("GWS.SITES.1.1") - -tests contains { - "PolicyId": SitesId1_1, - "Criticality": "Should", - "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU), - "ActualValue": "No relevant event in the current logs", - "RequirementMet": DefaultSafe, - "NoSuchEvent": true + "Value": NonComplianceMessage1_1 } if { - not PolicyApiInUse - DefaultSafe := false - not CheckOK + some OU, settings in input.policies + SitesEnabled(OU) } tests contains { "PolicyId": SitesId1_1, "Criticality": "Should", - "ReportDetails":utils.ReportDetails(NonCompliantOUs1_1, - NonCompliantGroups1_1), - "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_1, - "NonCompliantGroups": NonCompliantGroups1_1}, + "ReportDetails": utils.ReportDetails(NonCompliantOUs1_1, []), + "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_1}, "RequirementMet": Status, "NoSuchEvent": false } if { - CheckOK - Conditions := {count(NonCompliantOUs1_1) == 0, - count(NonCompliantGroups1_1) == 0} - Status := (false in Conditions) == false + Status := count(NonCompliantOUs1_1) == 0 } #--
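Review bot: The rewritten `tests` rule at the end of the hunk reports compliance when no policy data was collected: `NonCompliantOUs1_1` iterates `input.policies`, so if that key is absent the set is empty, `Status` is true and a row with `"RequirementMet": true` is emitted, whereas the removed `CheckOK` / `DefaultSafe := false` path reported `NoSuchEvent` with a failing result for the same situation. Adding a guard as the first line of the body, `} if {` / `    input.policies` / `    Status := count(NonCompliantOUs1_1) == 0`, makes the rule undefined instead of passing when the Policy API result is missing; if the report needs a row per policy ID regardless (not visible from this hunk), a second `tests` rule keyed on `not input.policies` with `"RequirementMet": false` would keep the earlier fail-closed behaviour. Separately, `settings` in `some OU, settings in input.policies` is bound but never used; `some OU, _ in input.policies` states the intent and avoids an unused-variable lint finding.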