Adjust 1.6 rego to only allow sharing to recipients
adhilto committed Jul 25, 2024
1 parent 5830660 commit f5a824c
Showing 2 changed files with 30 additions and 22 deletions.
26 changes: 13 additions & 13 deletions Testing/RegoTests/drive/drive01_test.rego
@@ -1508,7 +1508,7 @@ test_SharingChecker_Correct_V1 if {
"events": [{
"parameters": [
{"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"},
{"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES"},
{"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
@@ -1536,7 +1536,7 @@ test_SharingChecker_Correct_V2 if {
"events": [{
"parameters": [
{"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"},
{"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES"},
{"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
@@ -1574,7 +1574,7 @@ test_SharingChecker_Correct_V3 if {
"events": [{
"parameters": [
{"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"},
{"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES"},
{"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
@@ -1584,7 +1584,7 @@ test_SharingChecker_Correct_V3 if {
"events": [{
"parameters": [
{"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"},
{"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES"},
{"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY"},
{"name": "ORG_UNIT_NAME", "value": "Secondary OU"},
]
}]
@@ -1644,7 +1644,7 @@ test_SharingChecker_Incorrect_V2 if {
"events": [{
"parameters": [
{"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"},
{"name": "NEW_VALUE", "value": "ALLOWED"},
{"name": "NEW_VALUE", "value": "ALL"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
@@ -1662,7 +1662,7 @@ test_SharingChecker_Incorrect_V2 if {
RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
"<ul><li>Test Top-Level OU: ",
"Access Checker allows users to share ",
"files to the public (no Google account required)</li></ul>"])
"files to Recipients only, suggested target audience, or public (no Google account required)</li></ul>"])
}

test_SharingChecker_Incorrect_V3 if {
@@ -1675,7 +1675,7 @@ test_SharingChecker_Incorrect_V3 if {
"events": [{
"parameters": [
{"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"},
{"name": "NEW_VALUE", "value": "ALLOWED"},
{"name": "NEW_VALUE", "value": "ALL"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
@@ -1685,7 +1685,7 @@ test_SharingChecker_Incorrect_V3 if {
"events": [{
"parameters": [
{"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"},
{"name": "NEW_VALUE", "value": "NOT_ALLOWED"},
{"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
@@ -1703,7 +1703,7 @@ test_SharingChecker_Incorrect_V3 if {
RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
"<ul><li>Test Top-Level OU: ",
"Access Checker allows users to share ",
"files to the public (no Google account required)</li></ul>"])
"files to Recipients only, suggested target audience, or public (no Google account required)</li></ul>"])
}

test_SharingChecker_Incorrect_V4 if {
@@ -1716,7 +1716,7 @@ test_SharingChecker_Incorrect_V4 if {
"events": [{
"parameters": [
{"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"},
{"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES"},
{"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
@@ -1726,7 +1726,7 @@ test_SharingChecker_Incorrect_V4 if {
"events": [{
"parameters": [
{"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"},
{"name": "NEW_VALUE", "value": "ALLOWED"},
{"name": "NEW_VALUE", "value": "DOMAIN_OR_NAMED_PARTIES"},
{"name": "ORG_UNIT_NAME", "value": "Test Secondary OU"},
]
}]
@@ -1744,7 +1744,7 @@ test_SharingChecker_Incorrect_V4 if {
RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
"<ul><li>Test Secondary OU: ",
"Access Checker allows users to share ",
"files to the public (no Google account required)</li></ul>"])
"files to Recipients only, or suggested target audience</li></ul>"])
}

test_SharingChecker_Incorrect_V5 if {
@@ -1757,7 +1757,7 @@ test_SharingChecker_Incorrect_V5 if {
"events": [{
"parameters": [
{"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"},
{"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIE"},
{"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY"},
{"name": "ORG_UNIT_NAME", "value": "Test Secondary OU"},
]
}]
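Review bot: None of the fixtures visible in this section sets `NEW_VALUE` to a string outside the known settings, so neither the exact-match rejection of unexpected values nor the pass-through wording from `GetFriendlyValue1_6` in rego/Drive.rego is pinned by a test. One extra case would cover both, for example an event with `{"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES"}` asserting that the OU is listed as non-compliant with that string in `ReportDetails`. The test bodies continue outside the visible hunks, so an existing case may already do this.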
26 changes: 17 additions & 9 deletions rego/Drive.rego
@@ -378,30 +378,38 @@ if {
#
# Baseline GWS.DRIVEDOCS.1.6v0.2
#--

GetFriendlyValue1_6(Value) :=
"Recipients only, suggested target audience, or public (no Google account required)" if {
Value == "ALL"
} else := "Recipients only, or suggested target audience" if {
Value == "DOMAIN_OR_NAMED_PARTIES"
} else := Value

NonCompliantOUs1_6 contains {
"Name":OU,
"Value": concat("", ["Access Checker allows users to share ",
"files to the public (no Google account required)"])
"Name": OU,
"Value": concat("", ["Access Checker allows users to share files to ",
GetFriendlyValue1_6(LastEvent.NewValue)])
} if {
some OU in utils.OUsWithEvents
Events := utils.FilterEventsOU(LogEvents, "SHARING_ACCESS_CHECKER_OPTIONS", OU)
count(Events) > 0
LastEvent := utils.GetLastEvent(Events)
contains("NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES INHERIT_FROM_PARENT",
LastEvent.NewValue) == false
AcceptableValues := {"NAMED_PARTIES_ONLY", "INHERIT_FROM_PARENT"}
not LastEvent.NewValue in AcceptableValues
}

NonCompliantGroups1_6 contains {
"Name":Group,
"Value": concat("", ["Access Checker allows users to share ",
"files to the public (no Google account required)"])
"Value": concat("", ["Access Checker allows users to share files to ",
GetFriendlyValue1_6(LastEvent.NewValue)])
} if {
some Group in utils.GroupsWithEvents
Events := utils.FilterEventsGroup(LogEvents, "SHARING_ACCESS_CHECKER_OPTIONS", Group)
count(Events) > 0
LastEvent := utils.GetLastEvent(Events)
contains("NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES INHERIT_FROM_PARENT",
LastEvent.NewValue) == false
AcceptableValues := {"NAMED_PARTIES_ONLY", "INHERIT_FROM_PARENT"}
not LastEvent.NewValue in AcceptableValues
}

tests contains {
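Review bot: The `else := Value` fallback in `GetFriendlyValue1_6` copies the raw `NEW_VALUE` from the log event into the finding text for any setting other than `ALL` or `DOMAIN_OR_NAMED_PARTIES`, and the expected `ReportDetails` in the test file show that text ending up inside `<ul><li>` markup. Whether the value is escaped before rendering is not visible in this hunk, so I would confirm that and record it next to the fallback, e.g. `# Unrecognized values are passed through verbatim; confirm the report layer escapes them.` On style, `AcceptableValues := {"NAMED_PARTIES_ONLY", "INHERIT_FROM_PARENT"}` is declared identically in `NonCompliantOUs1_6` and `NonCompliantGroups1_6`; one package-level set used by both rules would keep the OU and group checks from drifting apart.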
