[#87] PR updates

cisagov · Jul 25, 2024 · f0f3090 · f0f3090
1 parent c30eef0
commit f0f3090
Show file tree

Hide file tree

Showing 5 changed files with 135 additions and 16 deletions.
diff --git a/Testing/RegoTests/groups/groups02_test.rego b/Testing/RegoTests/groups/groups02_test.rego
@@ -142,7 +142,7 @@ test_GroupAddExternal_Incorrect_V2 if {
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
     RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:<ul><li>Test Top-Level OU: ",
-        "Group owner has the ability to add external members to the group</li></ul>"])
+        "Group owners have the ability to add external members to the group</li></ul>"])
 }
 
 test_GroupAddExternal_Incorrect_V3 if {
@@ -187,6 +187,6 @@ test_GroupAddExternal_Incorrect_V3 if {
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
     RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:<ul><li>Test Top-Level OU: ",
-        "Group owner has the ability to add external members to the group</li></ul>"])
+        "Group owners have the ability to add external members to the group</li></ul>"])
 }
 #--
diff --git a/Testing/RegoTests/groups/groups03_test.rego b/Testing/RegoTests/groups/groups03_test.rego
@@ -143,7 +143,7 @@ test_GroupIncomingMailPosting_Incorrect_V2 if {
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
     RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:<ul><li>Test Top-Level OU: ",
-        "Group owner has the ability to allow an ",
+        "Group owners have the ability to allow an ",
         "external non-member to post to the group</li></ul>"])
 }
 
@@ -190,7 +190,7 @@ test_GroupIncomingMailPosting_Incorrect_V3 if {
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
     RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:<ul><li>Test Top-Level OU: ",
-        "Group owner has the ability to allow an ",
+        "Group owners have the ability to allow an ",
         "external non-member to post to the group</li></ul>"])
 }
 #--
diff --git a/Testing/RegoTests/groups/groups04_test.rego b/Testing/RegoTests/groups/groups04_test.rego
@@ -128,7 +128,7 @@ test_GroupCreation_Incorrect_V2 if {
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
     RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:<ul><li>Test Top-Level OU: ",
-        "Group creation ability is not restricted to admins within the organization</li></ul>"])
+        "Anyone in the organization can create groups</li></ul>"])
 }
 
 test_GroupCreation_Incorrect_V3 if {
@@ -167,6 +167,75 @@ test_GroupCreation_Incorrect_V3 if {
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
     RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:<ul><li>Test Top-Level OU: ",
-        "Group creation ability is not restricted to admins within the organization</li></ul>"])
+        "Anyone in the organization can create groups</li></ul>"])
+}
+#--
+
+test_GroupCreation_Incorrect_V4 if {
+    # Test group creation restrictions when there's only one event and it's wrong
+    PolicyId := "GWS.GROUPS.4.1v0.1"
+    Output := tests with input as {
+        "groups_logs": {"items": [
+            {
+                "id": {"time": "2022-12-20T00:02:28.672Z"},
+                "events": [{
+                    "parameters": [
+                        {"name": "SETTING_NAME", "value": "GroupsSharingSettingsProto who_can_create_groups"},
+                        {"name": "NEW_VALUE", "value": "WORLD"},
+                        {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+                    ]
+                }]
+            }
+        ]},
+        "tenant_info": {
+            "topLevelOU": ""
+        }
+    }
+
+    RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+    count(RuleOutput) == 1
+    not RuleOutput[0].RequirementMet
+    not RuleOutput[0].NoSuchEvent
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:<ul><li>Test Top-Level OU: ",
+        "Anyone on the internet can create groups</li></ul>"])
+}
+
+test_GroupCreation_Incorrect_V5 if {
+    # Test group creation restrictions when there are multiple events and the most recent is wrong
+    PolicyId := "GWS.GROUPS.4.1v0.1"
+    Output := tests with input as {
+        "groups_logs": {"items": [
+            {
+                "id": {"time": "2022-12-20T00:02:28.672Z"},
+                "events": [{
+                    "parameters": [
+                        {"name": "SETTING_NAME", "value": "GroupsSharingSettingsProto who_can_create_groups"},
+                        {"name": "NEW_VALUE", "value": "WORLD"},
+                        {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+                    ]
+                }]
+            },
+            {
+                "id": {"time": "2021-12-20T00:02:28.672Z"},
+                "events": [{
+                    "parameters": [
+                        {"name": "SETTING_NAME", "value": "GroupsSharingSettingsProto who_can_create_groups"},
+                        {"name": "NEW_VALUE", "value": "ADMIN_ONLY"},
+                        {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+                    ]
+                }]
+            }
+        ]},
+        "tenant_info": {
+            "topLevelOU": ""
+        },
+    }
+
+    RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+    count(RuleOutput) == 1
+    not RuleOutput[0].RequirementMet
+    not RuleOutput[0].NoSuchEvent
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:<ul><li>Test Top-Level OU: ",
+        "Anyone on the internet can create groups</li></ul>"])
 }
 #--
diff --git a/Testing/RegoTests/groups/groups05_test.rego b/Testing/RegoTests/groups/groups05_test.rego
@@ -342,4 +342,50 @@ test_GroupConservationViewPermission_Incorrect_V7 if {
     RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:<ul><li>Test Top-Level OU: ",
         "Permission to view conversations is set to owners</li></ul>"])
 }
+#--
+
+test_GroupConservationViewPermission_Incorrect_V8 if {
+    # Test group conversation view permissions when there are multiple events and the most recent is wrong
+    PolicyId := "GWS.GROUPS.5.1v0.1"
+    Output := tests with input as {
+        "groups_logs": {"items": [
+            {
+                "id": {"time": "2022-12-20T00:02:28.672Z"},
+                "events": [{
+                    "parameters": [
+                        {
+                            "name": "SETTING_NAME",
+                            "value": "GroupsSharingSettingsProto default_view_topics_access_level"
+                        },
+                        {"name": "NEW_VALUE", "value": "PUBLIC"},
+                        {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+                    ]
+                }]
+            },
+            {
+                "id": {"time": "2021-12-20T00:02:28.672Z"},
+                "events": [{
+                    "parameters": [
+                        {
+                            "name": "SETTING_NAME",
+                            "value": "GroupsSharingSettingsProto default_view_topics_access_level"
+                        },
+                        {"name": "NEW_VALUE", "value": "MEMBERS"},
+                        {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+                    ]
+                }]
+            }
+        ]},
+        "tenant_info": {
+            "topLevelOU": ""
+        },
+    }
+
+    RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+    count(RuleOutput) == 1
+    not RuleOutput[0].RequirementMet
+    not RuleOutput[0].NoSuchEvent
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:<ul><li>Test Top-Level OU: ",
+        "Permission to view conversations is set to anyone on the internet</li></ul>"])
+}
 #--
diff --git a/rego/Groups.rego b/rego/Groups.rego
@@ -74,9 +74,9 @@ if {
 #--
 
 GetFriendlyValue2_1(Value) :=
-"Group owner has the ability to add external members to the group" if {
+"Group owners have the ability to add external members to the group" if {
     Value != "false"
-} else := concat("", ["Group owner does not have the ability to ",
+} else := concat("", ["Group owners do not have the ability to ",
     "add external members to the group"]) if {
     Value == "false"
 } else := Value
@@ -135,11 +135,11 @@ if {
 # Baseline GWS.GROUPS.3.1v0.1
 #--
 
-GetFriendlyValue3_1(Value) := concat("", ["Group owner has the ability to allow an ",
-    "external non-member to post to the group"]) if {
-    Value != "false"
-} else := concat("", ["Group owner does not have the ability to allow an ",
-    "external non-member to post to the group"]) if {
+GetFriendlyValue3_1(Value) := concat("", ["Group owners have the ability to allow an ",
+    "external non-group member to post to the group"]) if {
+    Value == "true"
+} else := concat("", ["Group owners do not have the ability to allow an ",
+    "external non-group member to post to the group"]) if {
     Value == "false"
 } else := Value
 
@@ -199,9 +199,11 @@ if {
 #--
 
 GetFriendlyValue4_1(Value) :=
-"Group creation ability is not restricted to admins within the organization" if {
-    Value != "ADMIN_ONLY"
-}
+"Anyone in the organization can create groups" if {
+    Value == "USERS_IN_DOMAIN"
+} else := "Anyone on the internet can create groups" if {
+    Value == "WORLD"
+} else := Value
 
 NonCompliantOUs4_1 contains {
     "Name": OU,
@@ -262,6 +264,8 @@ GetFriendlyValue5_1(Value) := "owners"
     Value == "MANAGERS"
 } else := "domain users" if {
     Value == "DOMAIN_USERS"
+} else := "anyone on the internet" if {
+    Value == "PUBLIC"
 } else := Value
 
 NonCompliantOUs5_1 contains {