From f0f309001f36741b7627712f3d49472b56500159 Mon Sep 17 00:00:00 2001 From: ssnarve Date: Wed, 24 Jul 2024 18:02:31 -0700 Subject: [PATCH] [#87] PR updates --- Testing/RegoTests/groups/groups02_test.rego | 4 +- Testing/RegoTests/groups/groups03_test.rego | 4 +- Testing/RegoTests/groups/groups04_test.rego | 73 ++++++++++++++++++++- Testing/RegoTests/groups/groups05_test.rego | 46 +++++++++++++ rego/Groups.rego | 24 ++++--- 5 files changed, 135 insertions(+), 16 deletions(-) diff --git a/Testing/RegoTests/groups/groups02_test.rego b/Testing/RegoTests/groups/groups02_test.rego index ca5848a9..5797389f 100644 --- a/Testing/RegoTests/groups/groups02_test.rego +++ b/Testing/RegoTests/groups/groups02_test.rego @@ -142,7 +142,7 @@ test_GroupAddExternal_Incorrect_V2 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:"]) + "Group owners have the ability to add external members to the group"]) } test_GroupAddExternal_Incorrect_V3 if { @@ -187,6 +187,6 @@ test_GroupAddExternal_Incorrect_V3 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:"]) + "Group owners have the ability to add external members to the group"]) } #-- \ No newline at end of file diff --git a/Testing/RegoTests/groups/groups03_test.rego b/Testing/RegoTests/groups/groups03_test.rego index 3bb6c59a..76137bdd 100644 --- a/Testing/RegoTests/groups/groups03_test.rego +++ b/Testing/RegoTests/groups/groups03_test.rego @@ -143,7 +143,7 @@ test_GroupIncomingMailPosting_Incorrect_V2 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:"]) } 
@@ -190,7 +190,7 @@ test_GroupIncomingMailPosting_Incorrect_V3 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:"]) } #-- \ No newline at end of file diff --git a/Testing/RegoTests/groups/groups04_test.rego b/Testing/RegoTests/groups/groups04_test.rego index 91219af8..7357de4b 100644 --- a/Testing/RegoTests/groups/groups04_test.rego +++ b/Testing/RegoTests/groups/groups04_test.rego @@ -128,7 +128,7 @@ test_GroupCreation_Incorrect_V2 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:"]) + "Anyone in the organization can create groups"]) } test_GroupCreation_Incorrect_V3 if { 
@@ -167,6 +167,75 @@ test_GroupCreation_Incorrect_V3 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:"]) + "Anyone in the organization can create groups"]) +} +#-- + +test_GroupCreation_Incorrect_V4 if { + # Test group creation restrictions when there's only one event and it's wrong + PolicyId := "GWS.GROUPS.4.1v0.1" + Output := tests with input as { + "groups_logs": {"items": [ + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "parameters": [ + {"name": "SETTING_NAME", "value": "GroupsSharingSettingsProto who_can_create_groups"}, + {"name": "NEW_VALUE", "value": "WORLD"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, + ] + }] + } + ]}, + "tenant_info": { + "topLevelOU": "" + } + } + + RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] + count(RuleOutput) == 1 + not RuleOutput[0].RequirementMet + not RuleOutput[0].NoSuchEvent + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:"]) +} + +test_GroupCreation_Incorrect_V5 if { + # Test group creation restrictions when there are multiple events and the most recent is wrong + PolicyId := "GWS.GROUPS.4.1v0.1" + Output := tests with input as { + "groups_logs": {"items": [ + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "parameters": [ + {"name": "SETTING_NAME", "value": "GroupsSharingSettingsProto who_can_create_groups"}, + {"name": "NEW_VALUE", "value": "WORLD"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, + ] + }] + }, + { + "id": {"time": "2021-12-20T00:02:28.672Z"}, + "events": [{ + "parameters": [ + {"name": "SETTING_NAME", "value": "GroupsSharingSettingsProto who_can_create_groups"}, + {"name": "NEW_VALUE", "value": "ADMIN_ONLY"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, + ] + }] + } + ]}, + "tenant_info": { + "topLevelOU": "" + }, + } + + RuleOutput := [Result | some Result in 
Output; Result.PolicyId == PolicyId] + count(RuleOutput) == 1 + not RuleOutput[0].RequirementMet + not RuleOutput[0].NoSuchEvent + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:"]) } #-- \ No newline at end of file diff --git a/Testing/RegoTests/groups/groups05_test.rego b/Testing/RegoTests/groups/groups05_test.rego index bd80cdb3..894a3031 100644 --- a/Testing/RegoTests/groups/groups05_test.rego +++ b/Testing/RegoTests/groups/groups05_test.rego @@ -342,4 +342,50 @@ test_GroupConservationViewPermission_Incorrect_V7 if { RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:"]) } +#-- + +test_GroupConservationViewPermission_Incorrect_V8 if { + # Test group conversation view permissions when there are multiple events and the most recent is wrong + PolicyId := "GWS.GROUPS.5.1v0.1" + Output := tests with input as { + "groups_logs": {"items": [ + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "parameters": [ + { + "name": "SETTING_NAME", + "value": "GroupsSharingSettingsProto default_view_topics_access_level" + }, + {"name": "NEW_VALUE", "value": "PUBLIC"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, + ] + }] + }, + { + "id": {"time": "2021-12-20T00:02:28.672Z"}, + "events": [{ + "parameters": [ + { + "name": "SETTING_NAME", + "value": "GroupsSharingSettingsProto default_view_topics_access_level" + }, + {"name": "NEW_VALUE", "value": "MEMBERS"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, + ] + }] + } + ]}, + "tenant_info": { + "topLevelOU": "" + }, + } + + RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] + count(RuleOutput) == 1 + not RuleOutput[0].RequirementMet + not RuleOutput[0].NoSuchEvent + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:"]) +} #-- \ No newline at end of file diff --git a/rego/Groups.rego b/rego/Groups.rego index c4743269..cb98c004 100644 --- a/rego/Groups.rego 
+++ b/rego/Groups.rego
@@ -74,9 +74,9 @@ if {
 
 #--
 GetFriendlyValue2_1(Value) :=
-"Group owner has the ability to add external members to the group" if {
+"Group owners have the ability to add external members to the group" if {
     Value != "false"
-} else := concat("", ["Group owner does not have the ability to ",
+} else := concat("", ["Group owners do not have the ability to ",
     "add external members to the group"]) if {
     Value == "false"
 } else := Value
@@ -135,11 +135,11 @@ if {
 
 # Baseline GWS.GROUPS.3.1v0.1
 #--
-GetFriendlyValue3_1(Value) := concat("", ["Group owner has the ability to allow an ",
-    "external non-member to post to the group"]) if {
-    Value != "false"
-} else := concat("", ["Group owner does not have the ability to allow an ",
-    "external non-member to post to the group"]) if {
+GetFriendlyValue3_1(Value) := concat("", ["Group owners have the ability to allow an ",
+    "external non-group member to post to the group"]) if {
+    Value == "true"
+} else := concat("", ["Group owners do not have the ability to allow an ",
+    "external non-group member to post to the group"]) if {
     Value == "false"
 } else := Value
 
@@ -199,9 +199,11 @@ if {
 
 #--
 GetFriendlyValue4_1(Value) :=
-"Group creation ability is not restricted to admins within the organization" if {
-    Value != "ADMIN_ONLY"
-}
+"Anyone in the organization can create groups" if {
+    Value == "USERS_IN_DOMAIN"
+} else := "Anyone on the internet can create groups" if {
+    Value == "WORLD"
+} else := Value
 
 NonCompliantOUs4_1 contains {
     "Name": OU,
@@ -262,6 +264,8 @@ GetFriendlyValue5_1(Value) := "owners"
     Value == "MANAGERS"
 } else := "domain users" if {
     Value == "DOMAIN_USERS"
+} else := "anyone on the internet" if {
+    Value == "PUBLIC"
 } else := Value
 
 NonCompliantOUs5_1 contains {
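Review bot: GetFriendlyValue3_1's permissive branch now fires only on `Value == "true"`, while GetFriendlyValue2_1 in the hunk above keeps `Value != "false"`, so the two helpers treat an unexpected setting value differently: 2_1 describes anything other than "false" as "have the ability", 3_1 passes it through `else := Value` and prints the raw string. Pick one rule for both; if the stricter form is intended, change 2_1 to `Value == "true"` as well so a non-boolean log value is surfaced in the report instead of being described as the permissive setting. Whichever is chosen, a one-line comment above each helper, e.g. `# Unrecognized setting values are passed through unchanged so they stay visible in the report`, would make the fallback deliberate rather than accidental.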
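Review bot: GetFriendlyValue4_1 no longer covers every non-`ADMIN_ONLY` value: the removed `Value != "ADMIN_ONLY"` branch matched any unexpected setting, whereas the new code names only `USERS_IN_DOMAIN` and `WORLD` and hands everything else to `else := Value`. If NonCompliantOUs4_1, which starts in the last two context lines of this hunk and continues outside it, still flags an OU by `!= "ADMIN_ONLY"`, an OU with an unrecognized value will still be listed as non-compliant but with the raw enum string as its description; that is a reasonable default, but it should be stated, e.g. `# Any other value is reported verbatim so an unknown setting is not mistaken for a known one`. The new groups04 tests V4 and V5 exercise the `WORLD` branch; a case with an unrecognized value would pin the fallthrough so a later edit cannot silently drop it.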