Add Detailed report messages for Drive&Docs (#300)
Update Drive and Docs rego and unit tests to support detailed report messages and group override policy

---------

Co-authored-by: Lauren Bassett <[email protected]>
Co-authored-by: Alden Hilton <[email protected]>
Co-authored-by: Alden Hilton <[email protected]>
4 people authored Jul 15, 2024
1 parent 9401ead commit d463678
Showing 8 changed files with 792 additions and 244 deletions.
248 changes: 196 additions & 52 deletions Testing/RegoTests/drive/drive01_test.rego

Large diffs are not rendered by default.

83 changes: 49 additions & 34 deletions Testing/RegoTests/drive/drive02_test.rego
Expand Up @@ -29,7 +29,7 @@ test_Managers_Correct_V1 if {
count(RuleOutput) == 1
RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement met in all OUs."
RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
}

test_Managers_Correct_V2 if {
Expand Down Expand Up @@ -67,7 +67,7 @@ test_Managers_Correct_V2 if {
count(RuleOutput) == 1
RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement met in all OUs."
RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
}

test_Managers_Correct_V3 if {
Expand Down Expand Up @@ -105,7 +105,7 @@ test_Managers_Correct_V3 if {
count(RuleOutput) == 1
RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement met in all OUs."
RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
}

test_Managers_Incorrect_V1 if {
Expand Down Expand Up @@ -165,7 +165,8 @@ test_Managers_Incorrect_V2 if {
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
"<ul><li>Test Top-Level OU: Members with manager access can override shared drive settings.</li></ul>"])
}

test_Managers_Incorrect_V3 if {
Expand Down Expand Up @@ -203,7 +204,8 @@ test_Managers_Incorrect_V3 if {
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
"<ul><li>Test Top-Level OU: Members with manager access can override shared drive settings.</li></ul>"])
}

test_Managers_Incorrect_V4 if {
Expand Down Expand Up @@ -241,7 +243,8 @@ test_Managers_Incorrect_V4 if {
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU."
RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
"<ul><li>Test Secondary OU: Members with manager access can override shared drive settings.</li></ul>"])
}

test_Managers_Incorrect_V5 if {
Expand Down Expand Up @@ -307,7 +310,7 @@ test_Outside_Correct_V1 if {
count(RuleOutput) == 1
RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement met in all OUs."
RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
}

test_Outside_Correct_V2 if {
Expand Down Expand Up @@ -351,7 +354,7 @@ test_Outside_Correct_V2 if {
count(RuleOutput) == 1
RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement met in all OUs."
RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
}

test_Outside_Correct_V3 if {
Expand Down Expand Up @@ -395,7 +398,7 @@ test_Outside_Correct_V3 if {
count(RuleOutput) == 1
RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement met in all OUs."
RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
}

test_Outside_Incorrect_V1 if {
Expand Down Expand Up @@ -458,7 +461,8 @@ test_Outside_Incorrect_V2 if {
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
"<ul><li>Test Top-Level OU: Users outside the organization can access files in shared drives</li></ul>"])
}

test_Outside_Incorrect_V3 if {
Expand Down Expand Up @@ -502,7 +506,8 @@ test_Outside_Incorrect_V3 if {
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
"<ul><li>Test Top-Level OU: Users outside the organization can access files in shared drives</li></ul>"])
}

test_Outside_Incorrect_V4 if {
Expand Down Expand Up @@ -546,7 +551,8 @@ test_Outside_Incorrect_V4 if {
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU."
RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
"<ul><li>Test Secondary OU: Users outside the organization can access files in shared drives</li></ul>"])
}

test_Outside_Incorrect_V5 if {
Expand Down Expand Up @@ -615,7 +621,7 @@ test_SharedDrive_Correct_V1 if {
count(RuleOutput) == 1
RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement met in all OUs."
RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
}

test_SharedDrive_Correct_V2 if {
Expand Down Expand Up @@ -659,7 +665,7 @@ test_SharedDrive_Correct_V2 if {
count(RuleOutput) == 1
RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement met in all OUs."
RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
}

test_SharedDrive_Correct_V3 if {
Expand Down Expand Up @@ -703,7 +709,7 @@ test_SharedDrive_Correct_V3 if {
count(RuleOutput) == 1
RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement met in all OUs."
RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
}

test_SharedDrive_Incorrect_V1 if {
Expand Down Expand Up @@ -766,7 +772,8 @@ test_SharedDrive_Incorrect_V2 if {
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
"<ul><li>Test Top-Level OU: People who aren't shared drive members can be added to files</li></ul>"])
}

test_SharedDrive_Incorrect_V3 if {
Expand Down Expand Up @@ -810,9 +817,11 @@ test_SharedDrive_Incorrect_V3 if {
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
"<ul><li>Test Top-Level OU: People who aren't shared drive members can be added to files</li></ul>"])
}


test_SharedDrive_Incorrect_V4 if {
# Test sharing setting when top OU is correct but secondary isn't
PolicyId := "GWS.DRIVEDOCS.2.3v0.2"
Expand Down Expand Up @@ -854,7 +863,8 @@ test_SharedDrive_Incorrect_V4 if {
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU."
RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
"<ul><li>Test Secondary OU: People who aren't shared drive members can be added to files</li></ul>"])
}

test_SharedDrive_Incorrect_V5 if {
Expand Down Expand Up @@ -905,7 +915,7 @@ test_Viewers_Correct_V1 if {
"events": [{
"parameters": [
{"name": "SETTING_NAME", "value": "Shared Drive Creation new_team_drive_restricts_download"},
{"name": "NEW_VALUE", "value": "false"},
{"name": "NEW_VALUE", "value": "true"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
Expand All @@ -920,7 +930,7 @@ test_Viewers_Correct_V1 if {
count(RuleOutput) == 1
RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement met in all OUs."
RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
}

test_Viewers_Correct_V2 if {
Expand All @@ -933,7 +943,7 @@ test_Viewers_Correct_V2 if {
"events": [{
"parameters": [
{"name": "SETTING_NAME", "value": "Shared Drive Creation new_team_drive_restricts_download"},
{"name": "NEW_VALUE", "value": "false"},
{"name": "NEW_VALUE", "value": "true"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
Expand All @@ -943,7 +953,7 @@ test_Viewers_Correct_V2 if {
"events": [{
"parameters": [
{"name": "SETTING_NAME", "value": "Shared Drive Creation new_team_drive_restricts_download"},
{"name": "NEW_VALUE", "value": "true"},
{"name": "NEW_VALUE", "value": "false"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
Expand All @@ -958,7 +968,7 @@ test_Viewers_Correct_V2 if {
count(RuleOutput) == 1
RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement met in all OUs."
RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
}

test_Viewers_Correct_V3 if {
Expand All @@ -971,7 +981,7 @@ test_Viewers_Correct_V3 if {
"events": [{
"parameters": [
{"name": "SETTING_NAME", "value": "Shared Drive Creation new_team_drive_restricts_download"},
{"name": "NEW_VALUE", "value": "false"},
{"name": "NEW_VALUE", "value": "true"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
Expand All @@ -981,7 +991,7 @@ test_Viewers_Correct_V3 if {
"events": [{
"parameters": [
{"name": "SETTING_NAME", "value": "Shared Drive Creation new_team_drive_restricts_download"},
{"name": "NEW_VALUE", "value": "false"},
{"name": "NEW_VALUE", "value": "true"},
{"name": "ORG_UNIT_NAME", "value": "Secondary OU"},
]
}]
Expand All @@ -996,7 +1006,7 @@ test_Viewers_Correct_V3 if {
count(RuleOutput) == 1
RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement met in all OUs."
RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
}

test_Viewers_Incorrect_V1 if {
Expand Down Expand Up @@ -1041,7 +1051,7 @@ test_Viewers_Incorrect_V2 if {
"events": [{
"parameters": [
{"name": "SETTING_NAME", "value": "Shared Drive Creation new_team_drive_restricts_download"},
{"name": "NEW_VALUE", "value": "true"},
{"name": "NEW_VALUE", "value": "false"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
Expand All @@ -1056,7 +1066,8 @@ test_Viewers_Incorrect_V2 if {
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
"<ul><li>Test Top-Level OU: Viewers and commenters are allowed to download, print, and copy files</li></ul>"])
}

test_Viewers_Incorrect_V3 if {
Expand All @@ -1069,7 +1080,7 @@ test_Viewers_Incorrect_V3 if {
"events": [{
"parameters": [
{"name": "SETTING_NAME", "value": "Shared Drive Creation new_team_drive_restricts_download"},
{"name": "NEW_VALUE", "value": "true"},
{"name": "NEW_VALUE", "value": "false"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
Expand All @@ -1079,7 +1090,7 @@ test_Viewers_Incorrect_V3 if {
"events": [{
"parameters": [
{"name": "SETTING_NAME", "value": "Shared Drive Creation new_team_drive_restricts_download"},
{"name": "NEW_VALUE", "value": "false"},
{"name": "NEW_VALUE", "value": "true"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
Expand All @@ -1094,7 +1105,9 @@ test_Viewers_Incorrect_V3 if {
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
"<ul><li>Test Top-Level OU: ",
"Viewers and commenters are allowed to download, print, and copy files</li></ul>"])
}

test_Viewers_Incorrect_V4 if {
Expand All @@ -1107,7 +1120,7 @@ test_Viewers_Incorrect_V4 if {
"events": [{
"parameters": [
{"name": "SETTING_NAME", "value": "Shared Drive Creation new_team_drive_restricts_download"},
{"name": "NEW_VALUE", "value": "false"},
{"name": "NEW_VALUE", "value": "true"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
Expand All @@ -1117,7 +1130,7 @@ test_Viewers_Incorrect_V4 if {
"events": [{
"parameters": [
{"name": "SETTING_NAME", "value": "Shared Drive Creation new_team_drive_restricts_download"},
{"name": "NEW_VALUE", "value": "true"},
{"name": "NEW_VALUE", "value": "false"},
{"name": "ORG_UNIT_NAME", "value": "Test Secondary OU"},
]
}]
Expand All @@ -1132,7 +1145,9 @@ test_Viewers_Incorrect_V4 if {
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU."
RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
"<ul><li>Test Secondary OU: ",
"Viewers and commenters are allowed to download, print, and copy files</li></ul>"])
}

test_Viewers_Incorrect_V5 if {
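Review bot: The `test_Viewers_*` fixtures appear to invert which `NEW_VALUE` of `Shared Drive Creation new_team_drive_restricts_download` counts as compliant: the Correct cases now pair a passing result with `"true"` and the Incorrect cases pair a failure with `"false"`, which changes the verdict logic rather than only the report wording the commit message describes. The rendered page has lost its +/- markers, so this direction is read from print order and should be confirmed against the raw diff. A reversed polarity in a compliance check produces a silent false pass, so each fixture would be easier to audit with a comment such as `# "true" = download/print/copy restricted for viewers and commenters (compliant)`, and the commit message should mention the change. The test bodies begin outside the visible hunks, so the event timestamps that decide which of two events for the same OU wins cannot be checked here.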
18 changes: 12 additions & 6 deletions Testing/RegoTests/drive/drive03_test.rego
Expand Up @@ -42,7 +42,7 @@ test_Sharing_Correct_V1 if {
count(RuleOutput) == 1
RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement met in all OUs."
RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
}

test_Sharing_Correct_V2 if {
Expand Down Expand Up @@ -96,7 +96,7 @@ test_Sharing_Correct_V2 if {
count(RuleOutput) == 1
RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement met in all OUs."
RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
}

test_Sharing_Correct_V3 if {
Expand Down Expand Up @@ -160,7 +160,7 @@ test_Sharing_Correct_V3 if {
count(RuleOutput) == 1
RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement met in all OUs."
RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
}

test_Sharing_Incorrect_V1 if {
Expand Down Expand Up @@ -234,7 +234,9 @@ test_Sharing_Incorrect_V2 if {
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
"<ul><li>Test Top-Level OU: ",
"Users are allowed to remove/apply the security update for files they own or manage</li></ul>"])
}

test_Sharing_Incorrect_V3 if {
Expand Down Expand Up @@ -288,7 +290,9 @@ test_Sharing_Incorrect_V3 if {
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
"<ul><li>Test Top-Level OU: ",
"Users are allowed to remove/apply the security update for files they own or manage</li></ul>"])
}

test_Sharing_Incorrect_V4 if {
Expand Down Expand Up @@ -352,7 +356,9 @@ test_Sharing_Incorrect_V4 if {
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU."
RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
"<ul><li>Test Secondary OU: ",
"Users are allowed to remove/apply the security update for files they own or manage</li></ul>"])
}

test_Sharing_Incorrect_V5 if {
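Review bot: The expected `ReportDetails` strings in the `test_Sharing_Incorrect_*` cases (and the matching cases in drive02_test.rego) now place the OU name inside literal `<ul><li>` markup, yet every fixture uses a benign name such as `Test Top-Level OU`, so no test pins how a name containing `<`, `>` or `&` is rendered. In the drive02 fixtures the name comes from the `ORG_UNIT_NAME` log parameter; if the report writer emits ReportDetails as raw HTML, which this page does not show, an unescaped name would become markup in the generated report. Consider adding one Incorrect case whose fixture carries such a name (constructed example: `{"name": "ORG_UNIT_NAME", "value": "Test <b>OU</b>"}`) and asserting the form the rule is meant to output, so it is documented whether escaping belongs in the Rego or in the report renderer. The test bodies begin outside the visible hunks.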