From ae641ea402e6072d2c29869ea1f33e2a49f87226 Mon Sep 17 00:00:00 2001
From: Roy Lane
Date: Sun, 22 Dec 2024 16:10:11 -0500
Subject: [PATCH] commoncontrols 12.1: correct Policy API implementation
---
 .../commoncontrols_api12_test.rego | 15 ++++++++----
 scubagoggles/rego/Commoncontrols.rego | 24 +++++++++++++------
 scubagoggles/rego/Utils.rego | 5 ++--
 3 files changed, 30 insertions(+), 14 deletions(-)
diff --git a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api12_test.rego b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api12_test.rego
index 31a7eda7..e10f736d 100644
--- a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api12_test.rego
+++ b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api12_test.rego
@@ -7,7 +7,7 @@ import data.utils.PassTestResult
 GoodCaseInputApi12 := {
 "policies": {
 "topOU": {
- "takeout_service_status": {"serviceState": "ENABLED"},
+ "takeout_service_status": {"serviceState": "DISABLED"},
 "blogger_user_takeout": {"takeoutStatus": "DISABLED"},
 "books_user_takeout": {"takeoutStatus": "DISABLED"},
 "location_history_user_takeout": {"takeoutStatus": "DISABLED"},
@@ -20,7 +20,7 @@ GoodCaseInputApi12 := {
 },
 "nextOU": {
 "takeout_service_status": {"serviceState": "DISABLED"},
- "blogger_user_takeout": {"takeoutStatus": "ENABLED"}
+ "blogger_user_takeout": {"takeoutStatus": "DISABLED"}
 }
 },
 "tenant_info": {
@@ -63,11 +63,12 @@ BadCaseInputApi12a := {
 "youtube_user_takeout": {"takeoutStatus": "DISABLED"}
 },
 "nextOU": {
- "location_history_user_takeout": {"takeoutStatus": "ENABLED"},
+ "takeout_service_status": {"serviceState": "DISABLED"},
 "play_console_user_takeout": {"takeoutStatus": "ENABLED"},
 "youtube_user_takeout": {"takeoutStatus": "ENABLED"}
 },
 "thirdOU": {
+ "takeout_service_status": {"serviceState": "ENABLED"},
 "blogger_user_takeout": {"takeoutStatus": "ENABLED"},
 "maps_user_takeout": {"takeoutStatus": "ENABLED"},
 "play_user_takeout": {"takeoutStatus": "ENABLED"},
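Review bot: The @@ -63 hunk of the test fixture removes the only OU that exercised inheritance: nextOU in BadCaseInputApi12a previously had no `takeout_service_status` and now sets it explicitly, so as far as the visible hunks show every OU in both fixtures carries an explicit value. Since `AppExplicitStatus` is now undefined for an OU without one (see the Utils.rego hunk), a fixture OU that has only `*_user_takeout` entries and inherits topOU's state would pin that the new explicit-status rule yields no 12_1a entry for it rather than failing. The `BadCaseInputApi12a := {` literal begins before this hunk and continues past it.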
@@ -102,6 +103,8 @@ test_Takeout_Incorrect_1 if {
 "play", "youtube"]
 failedOU := [{"Name": "topOU",
+ "Value": NonComplianceMessage12_1a},
+ {"Name": "topOU",
 "Value": NonComplianceMessage12_1(TakeoutApps(EnabledApps))}]
 FailTestOUNonCompliant(PolicyId, Output, failedOU)
 }
@@ -110,11 +113,13 @@ test_Takeout_Incorrect_2 if {
 PolicyId := CommonControlsId12_1
 Output := tests with input as BadCaseInputApi12a
- EnabledApps1 := ["location_history", "play_console", "youtube"]
+ EnabledApps1 := ["play_console", "youtube"]
 EnabledApps2 := ["blogger", "maps", "play"]
 failedOU := [{"Name": "nextOU",
 "Value": NonComplianceMessage12_1(TakeoutApps(EnabledApps1))},
+ {"Name": "thirdOU", "Value": NonComplianceMessage12_1a},
 {"Name": "thirdOU",
- "Value": NonComplianceMessage12_1(TakeoutApps(EnabledApps2))}]
+ "Value": NonComplianceMessage12_1(TakeoutApps(EnabledApps2))},
+ {"Name": "topOU", "Value": NonComplianceMessage12_1a}]
 FailTestOUNonCompliant(PolicyId, Output, failedOU)
 }
diff --git a/scubagoggles/rego/Commoncontrols.rego b/scubagoggles/rego/Commoncontrols.rego
index 6292347a..97792776 100644
--- a/scubagoggles/rego/Commoncontrols.rego
+++ b/scubagoggles/rego/Commoncontrols.rego
@@ -2022,6 +2022,12 @@ if {
 # GWS.COMMONCONTROLS.12
 # #########################
+#
+# Baseline GWS.COMMONCONTROLS.12.1
+#--
+
+CommonControlsId12_1 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.12.1")
+
 LogMessage12_1 := "UserTakeoutSettingsProto User Takeout "
 Msg12_1 := "The following apps with individual admin control have Takeout enabled: %s"
@@ -2153,10 +2159,6 @@ if {
 count(EnabledApps) > 0
 }
-#
-# Baseline GWS.COMMONCONTROLS.12.1
-#--
-
 default NoSuchEvent12_1 := false
 NoSuchEvent12_1 := true if {
@@ -2169,8 +2171,6 @@ NoSuchEvent12_1 := true if {
 count(Events) == 0
 }
-CommonControlsId12_1 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.12.1")
-
 Check12_1_OK if {
 not PolicyApiInUse
 not NoSuchEvent12_1
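Review bot: In test_Takeout_Incorrect_2 the nextOU entry still expects `NonComplianceMessage12_1(TakeoutApps(EnabledApps1))` even though the fixture now sets nextOU's Takeout service to DISABLED; that is exactly the combination the removed `utils.AppEnabled` guard used to suppress, and nothing in the test states that it is intended. A one-line comment above `failedOU`, e.g. `# per-app Takeout settings are reported even when the OU's Takeout service is DISABLED`, would keep a later maintainer from "fixing" the expectation. The same applies to test_Takeout_Incorrect_1, where topOU now receives both the 12_1a entry and the per-app entry. Both test functions begin on their `@@` context line, outside the hunk.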
@@ -2178,6 +2178,17 @@ Check12_1_OK if {
 Check12_1_OK if {PolicyApiInUse}
+NonCompliantOUs12_1 contains {
+ "Name": OU,
+ "Value": NonComplianceMessage12_1a
+
+}
+if {
+ some OU, _ in input.policies
+ takeoutStatus := utils.AppExplicitStatus(input.policies, "takeout", OU)
+ takeoutStatus != "DISABLED"
+}
+
 Takeout := {"blogger": "Blogger",
 "books": "Google Books",
 "location_history": "Timeline - Location History",
@@ -2195,7 +2206,6 @@ NonCompliantOUs12_1 contains {
 }
 if {
 some OU, settings in input.policies
- utils.AppEnabled(input.policies, "takeout", OU)
 EnabledApps :=[value | some key, value in Takeout
 section := sprintf("%s_user_takeout", [key])
diff --git a/scubagoggles/rego/Utils.rego b/scubagoggles/rego/Utils.rego
index bfe4313a..b9e00118 100644
--- a/scubagoggles/rego/Utils.rego
+++ b/scubagoggles/rego/Utils.rego
@@ -558,12 +558,13 @@ AppEnabled(policies, appName, orgunit) if {
 # been explicitly set in the given orgunit or group. The above functions will
 # tell you whether the app is enabled, but its state may be due to inheriting
 # the state from the top-level orgunit. In some cases, you need to know
-# whether the state has been explicitly set (not inherited).
+# whether the state has been explicitly set (not inherited). This function
+# returns "ENABLED", "DISABLED" if explicitly set; it's undefined otherwise.
 AppExplicitStatus(policies, appName, orgunit) := appState if {
 serviceStatusName := AppServiceStatusName(appName)
 appState := upper(policies[orgunit][serviceStatusName].serviceState)
-} else := ""
+}
 # There are a lot of policies that have enabled/disabled states. The states
 # (values) in the log events are strings ("true", "false), while the states
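Review bot: The new NonCompliantOUs12_1 rule at @@ -2178 lists only OUs whose `takeout_service_status` is set explicitly (AppExplicitStatus is undefined otherwise), so a child OU that inherits ENABLED from its parent is not listed itself — the parent is — which is a different view from the inherited one the `utils.AppEnabled` guard removed in the next hunk used to take; a head comment such as `# Flag OUs where Takeout is explicitly set to anything other than DISABLED; OUs that merely inherit the setting are not listed (their parent is).` would make that deliberate. Comparing with `!= "DISABLED"` rather than `== "ENABLED"` means an unexpected serviceState value is reported instead of ignored, which is the right fail-closed choice here. The stray blank line between `"Value": NonComplianceMessage12_1a` and the closing `}` of the set literal should be dropped.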
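Review bot: Dropping `else := ""` in the Utils.rego hunk turns AppExplicitStatus from a total function into one that is undefined whenever the orgunit has no explicit `serviceStatusName` entry; any other caller that compared the result to `""` now silently falls out of its rule body instead of taking the inherited branch, and this commit updates only the 12.1 caller, so other call sites (not visible here) need checking. The new comment also overstates the contract: the body returns `upper(...serviceState)` for whatever value is present, not just the two listed, so `# returns the upper-cased serviceState (normally "ENABLED" or "DISABLED") when it is set explicitly; undefined otherwise.` would be accurate. The comment block this hunk edits begins before the hunk.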