Implemented 5.1 in rego

cisagov · Jun 24, 2024 · 69913e2 · 69913e2
1 parent 46219c7
commit 69913e2
Show file tree

Hide file tree

Showing 2 changed files with 252 additions and 0 deletions.
diff --git a/Testing/RegoTests/classroom/classroom05_test.rego b/Testing/RegoTests/classroom/classroom05_test.rego
@@ -0,0 +1,188 @@
+package classroom
+import future.keywords
+
+#
+# GWS.CLASSROOM.5.1v0.2
+#--
+
+test_ClassroomCreation_Correct_V1 if {
+    # Test only teachers can unenroll students when there's only one event
+    PolicyId := "GWS.CLASSROOM.5.1v0.2"
+    Output := tests with input as {
+        "classroom_logs": {"items": [
+            {
+                "id": {"time": "2022-12-20T00:02:28.672Z"},
+                "events": [{
+                    "parameters": [
+                        {"name":"SETTING_NAME",
+                        "value": "TeacherPermissionsSettingProto who_can_create_class"},
+                        {"name": "NEW_VALUE", "value": "3"},
+                        {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+                    ]
+                }]
+            }
+        ]},
+        "tenant_info": {
+            "topLevelOU": "Test Top-Level OU"
+        }
+    }
+
+    RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+    count(RuleOutput) == 1
+    RuleOutput[0].RequirementMet
+    not RuleOutput[0].NoSuchEvent
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
+}
+
+test_ClassroomCreation_Correct_V2 if {
+    # Test when there's multiple events, with the chronological latest
+    # correct but not last in json list
+    PolicyId := "GWS.CLASSROOM.5.1v0.2"
+    Output := tests with input as {
+        "classroom_logs": {"items": [
+            {
+                "id": {"time": "2022-12-20T00:02:28.672Z"},
+                "events": [{
+                    "parameters": [
+                        {"name":"SETTING_NAME",
+                        "value": "TeacherPermissionsSettingProto who_can_create_class"},
+                        {"name": "NEW_VALUE", "value": "3"},
+                        {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+                    ]
+                }]
+            },
+            {
+                "id": {"time": "2021-12-20T00:02:28.672Z"},
+                "events": [{
+                    "parameters": [
+                        {"name":"SETTING_NAME",
+                        "value": "TeacherPermissionsSettingProto who_can_create_class"},
+                        {"name": "NEW_VALUE", "value": "2"},
+                        {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+                    ]
+                }]
+            }
+        ]},
+        "tenant_info": {
+            "topLevelOU": "Test Top-Level OU"
+        }
+    }
+
+    RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+    count(RuleOutput) == 1
+    RuleOutput[0].RequirementMet
+    not RuleOutput[0].NoSuchEvent
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
+}
+
+# No tests for multiple OUs, inheritance, groups, etc as this setting can't be controlled at the OU or group level
+
+test_ClassroomCreation_Incorrect_V1 if {
+    # Test when there's only one event and it's wrong
+    PolicyId := "GWS.CLASSROOM.5.1v0.2"
+    Output := tests with input as {
+        "classroom_logs": {"items": [
+            {
+                "id": {"time": "2022-12-20T00:02:28.672Z"},
+                "events": [{
+                    "parameters": [
+                        {"name":"SETTING_NAME",
+                        "value": "TeacherPermissionsSettingProto who_can_create_class"},
+                        {"name": "NEW_VALUE", "value": "1"},
+                        {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+                    ]
+                }]
+            }
+        ]},
+        "tenant_info": {
+            "topLevelOU": "Test Top-Level OU"
+        }
+    }
+
+    RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+    count(RuleOutput) == 1
+    not RuleOutput[0].RequirementMet
+    not RuleOutput[0].NoSuchEvent
+    RuleOutput[0].ReportDetails == concat("", [
+        "The following OUs are non-compliant:<ul><li>Test Top-Level OU: ",
+        "Who can create classes is set to anyone in this domain</li></ul>"
+    ])
+}
+
+test_ClassroomCreation_Incorrect_V2 if {
+    # Test when there's multiple events, with the chronological latest
+    # incorrect but not last in json list
+    PolicyId := "GWS.CLASSROOM.5.1v0.2"
+    Output := tests with input as {
+        "classroom_logs": {"items": [
+            {
+                "id": {"time": "2022-12-20T00:02:28.672Z"},
+                "events": [{
+                    "parameters": [
+                        {"name":"SETTING_NAME",
+                        "value": "TeacherPermissionsSettingProto who_can_create_class"},
+                        {"name": "NEW_VALUE", "value": "2"},
+                        {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+                    ]
+                }]
+            },
+            {
+                "id": {"time": "2021-12-20T00:02:28.672Z"},
+                "events": [{
+                    "parameters": [
+                        {"name":"SETTING_NAME",
+                        "value": "TeacherPermissionsSettingProto who_can_create_class"},
+                        {"name": "NEW_VALUE", "value": "3"},
+                        {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+                    ]
+                }]
+            }
+        ]},
+        "tenant_info": {
+            "topLevelOU": "Test Top-Level OU"
+        }
+    }
+
+    RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+    count(RuleOutput) == 1
+    not RuleOutput[0].RequirementMet
+    not RuleOutput[0].NoSuchEvent
+    RuleOutput[0].ReportDetails == concat("", [
+        "The following OUs are non-compliant:<ul><li>Test Top-Level OU: ",
+        "Who can create classes is set to all pending and verified teachers</li></ul>"
+    ])
+}
+
+
+test_ClassroomCreation_Incorrect_V3 if {
+    # Test when there no applicable event
+    PolicyId := "GWS.CLASSROOM.5.1v0.2"
+    Output := tests with input as {
+        "classroom_logs": {"items": [
+            {
+                "id": {"time": "2022-12-20T00:02:28.672Z"},
+                "events": [{
+                    "parameters": [
+                        {"name":"SETTING_NAME",
+                        "value": "something else"},
+                        {"name": "NEW_VALUE", "value": "false"},
+                        {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+                    ]
+                }]
+            }
+        ]},
+        "tenant_info": {
+            "topLevelOU": "Test Top-Level OU"
+        }
+    }
+
+    RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+    count(RuleOutput) == 1
+    not RuleOutput[0].RequirementMet
+    RuleOutput[0].NoSuchEvent
+    RuleOutput[0].ReportDetails == concat("", [
+        "No relevant event in the current logs for the top-level OU, Test Top-Level OU. ",
+        "While we are unable to determine the state from the logs, the default setting ",
+        "is non-compliant; manual check recommended."
+    ])
+}
diff --git a/rego/Classroom.rego b/rego/Classroom.rego
@@ -311,3 +311,67 @@ if {
     Status := count(NonCompliantOUs4_1) == 0
 }
 #--
+
+
+###################
+# GWS.CLASSROOM.5 #
+###################
+
+#
+# Baseline GWS.CLASSROOM.5.1v0.2
+#--
+GetFriendlyValue5_1(Value) := "anyone in this domain" if {
+    Value == "1"
+} else := "all pending and verified teachers" if {
+    Value == "2"
+} else := Value
+
+NonCompliantOUs5_1 contains {
+    "Name": OU,
+    "Value":  concat(" ", [
+        "Who can create classes is set to",
+        GetFriendlyValue5_1(LastEvent.NewValue)
+    ])
+} if {
+    some OU in utils.OUsWithEvents
+    Events := utils.FilterEventsOU(LogEvents, "TeacherPermissionsSettingProto who_can_create_class", OU)
+    # Ignore OUs without any events. We're already asserting that the
+    # top-level OU has at least one event; for all other OUs we assume
+    # they inherit from a parent OU if they have no events.
+    count(Events) > 0
+    LastEvent := utils.GetLastEvent(Events)
+    LastEvent.NewValue != "3"
+    LastEvent.NewValue != "DELETE_APPLICATION_SETTING"
+}
+
+tests contains {
+    "PolicyId": "GWS.CLASSROOM.5.1v0.2",
+    "Criticality": "Shall",
+    "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU),
+    "ActualValue": "No relevant event in the current logs",
+    "RequirementMet": DefaultSafe,
+    "NoSuchEvent": true
+}
+if {
+    DefaultSafe := false
+    SettingName := "TeacherPermissionsSettingProto who_can_create_class"
+    Events := utils.FilterEventsOU(LogEvents, SettingName, utils.TopLevelOU)
+    count(Events) == 0
+}
+
+tests contains {
+    "PolicyId": "GWS.CLASSROOM.5.1v0.2",
+    "Criticality": "Shall",
+    "ReportDetails": utils.ReportDetails(NonCompliantOUs5_1, []),
+    "ActualValue": {"NonCompliantOUs": NonCompliantOUs5_1},
+    "RequirementMet": Status,
+    "NoSuchEvent": false
+}
+if {
+    SettingName := "TeacherPermissionsSettingProto who_can_create_class"
+    Events := utils.FilterEventsOU(LogEvents, SettingName, utils.TopLevelOU)
+    count(Events) > 0
+    Status := count(NonCompliantOUs5_1) == 0
+}
+#--
+