From f5a824c629457fb30145aa49e2d2d93cbdcded22 Mon Sep 17 00:00:00 2001
From: Alden Hilton
Date: Thu, 25 Jul 2024 09:27:39 -0700
Subject: [PATCH] Adjust 1.6 rego to only allow sharing to recipients

---
 Testing/RegoTests/drive/drive01_test.rego | 26 +++++++++++------------
 rego/Drive.rego | 26 +++++++++++++++--------
 2 files changed, 30 insertions(+), 22 deletions(-)

diff --git a/Testing/RegoTests/drive/drive01_test.rego b/Testing/RegoTests/drive/drive01_test.rego
index fbd74a33..2e1ff982 100644
--- a/Testing/RegoTests/drive/drive01_test.rego
+++ b/Testing/RegoTests/drive/drive01_test.rego
@@ -1508,7 +1508,7 @@ test_SharingChecker_Correct_V1 if {
 "events": [{
 "parameters": [
 {"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"},
- {"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES"},
+ {"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY"},
 {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
 ]
 }]
@@ -1536,7 +1536,7 @@ test_SharingChecker_Correct_V2 if {
 "events": [{
 "parameters": [
 {"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"},
- {"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES"},
+ {"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY"},
 {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
 ]
 }]
@@ -1574,7 +1574,7 @@ test_SharingChecker_Correct_V3 if {
 "events": [{
 "parameters": [
 {"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"},
- {"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES"},
+ {"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY"},
 {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
 ]
 }]
@@ -1584,7 +1584,7 @@ test_SharingChecker_Correct_V3 if {
 "events": [{
 "parameters": [
 {"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"},
- {"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES"},
+ {"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY"},
 {"name": "ORG_UNIT_NAME", "value": "Secondary OU"},
 ]
 }]
@@ -1644,7 +1644,7 @@ test_SharingChecker_Incorrect_V2 if {
 "events": [{
 "parameters": [
 {"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"},
- {"name": "NEW_VALUE", "value": "ALLOWED"},
+ {"name": "NEW_VALUE", "value": "ALL"},
 {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
 ]
 }]
@@ -1662,7 +1662,7 @@ test_SharingChecker_Incorrect_V2 if { RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", ""]) + "files to Recipients only, suggested target audience, or public (no Google account required)"]) } test_SharingChecker_Incorrect_V3 if {
@@ -1675,7 +1675,7 @@ test_SharingChecker_Incorrect_V3 if {
 "events": [{
 "parameters": [
 {"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"},
- {"name": "NEW_VALUE", "value": "ALLOWED"},
+ {"name": "NEW_VALUE", "value": "ALL"},
 {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
 ]
 }]
@@ -1685,7 +1685,7 @@ test_SharingChecker_Incorrect_V3 if {
 "events": [{
 "parameters": [
 {"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"},
- {"name": "NEW_VALUE", "value": "NOT_ALLOWED"},
+ {"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY"},
 {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
 ]
 }]
@@ -1703,7 +1703,7 @@ test_SharingChecker_Incorrect_V3 if { RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", ""]) + "files to Recipients only, suggested target audience, or public (no Google account required)"]) } test_SharingChecker_Incorrect_V4 if {
@@ -1716,7 +1716,7 @@ test_SharingChecker_Incorrect_V4 if {
 "events": [{
 "parameters": [
 {"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"},
- {"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES"},
+ {"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY"},
 {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
 ]
 }]
@@ -1726,7 +1726,7 @@ test_SharingChecker_Incorrect_V4 if {
 "events": [{
 "parameters": [
 {"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"},
- {"name": "NEW_VALUE", "value": "ALLOWED"},
+ {"name": "NEW_VALUE", "value": "DOMAIN_OR_NAMED_PARTIES"},
 {"name": "ORG_UNIT_NAME", "value": "Test Secondary OU"},
 ]
 }]
@@ -1744,7 +1744,7 @@ test_SharingChecker_Incorrect_V4 if { RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", ""]) + "files to Recipients only, or suggested target audience"]) } test_SharingChecker_Incorrect_V5 if {
@@ -1757,7 +1757,7 @@ test_SharingChecker_Incorrect_V5 if {
 "events": [{
 "parameters": [
 {"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"},
- {"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIE"},
+ {"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY"},
 {"name": "ORG_UNIT_NAME", "value": "Test Secondary OU"},
 ]
 }]
diff --git a/rego/Drive.rego b/rego/Drive.rego
index 0c3e7b8c..4777fb55 100644
--- a/rego/Drive.rego
+++ b/rego/Drive.rego
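Review bot: As far as these hunks show, none of the updated cases exercises the two value paths the policy change affects most: an unrecognised NEW_VALUE, which now reaches the `else := Value` fallback of GetFriendlyValue1_6 and is echoed verbatim into ReportDetails, and a partial value such as a constructed `NAMED_PARTIES`, which the previous substring-based check would have accepted as compliant and the new exact-set check rejects. One case built like the 1726 hunk with `{"name": "NEW_VALUE", "value": "NAMED_PARTIES"}` and an assertion that the OU is listed as non-compliant would pin the regression this commit closes. The body of test_SharingChecker_Incorrect_V5 continues outside the hunk.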
@@ -378,30 +378,38 @@ if {
 #
 # Baseline GWS.DRIVEDOCS.1.6v0.2
 #--
+
+GetFriendlyValue1_6(Value) :=
+"Recipients only, suggested target audience, or public (no Google account required)" if {
+ Value == "ALL"
+} else := "Recipients only, or suggested target audience" if {
+ Value == "DOMAIN_OR_NAMED_PARTIES"
+} else := Value
+
 NonCompliantOUs1_6 contains {
- "Name":OU,
- "Value": concat("", ["Access Checker allows users to share ",
- "files to the public (no Google account required)"])
+ "Name": OU,
+ "Value": concat("", ["Access Checker allows users to share files to ",
+ GetFriendlyValue1_6(LastEvent.NewValue)])
 } if {
 some OU in utils.OUsWithEvents
 Events := utils.FilterEventsOU(LogEvents, "SHARING_ACCESS_CHECKER_OPTIONS", OU)
 count(Events) > 0
 LastEvent := utils.GetLastEvent(Events)
- contains("NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES INHERIT_FROM_PARENT",
- LastEvent.NewValue) == false
+ AcceptableValues := {"NAMED_PARTIES_ONLY", "INHERIT_FROM_PARENT"}
+ not LastEvent.NewValue in AcceptableValues
 }
 
 NonCompliantGroups1_6 contains {
 "Name":Group,
- "Value": concat("", ["Access Checker allows users to share ",
- "files to the public (no Google account required)"])
+ "Value": concat("", ["Access Checker allows users to share files to ",
+ GetFriendlyValue1_6(LastEvent.NewValue)])
 } if {
 some Group in utils.GroupsWithEvents
 Events := utils.FilterEventsGroup(LogEvents, "SHARING_ACCESS_CHECKER_OPTIONS", Group)
 count(Events) > 0
 LastEvent := utils.GetLastEvent(Events)
- contains("NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES INHERIT_FROM_PARENT",
- LastEvent.NewValue) == false
+ AcceptableValues := {"NAMED_PARTIES_ONLY", "INHERIT_FROM_PARENT"}
+ not LastEvent.NewValue in AcceptableValues
 }
 
 tests contains {
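Review bot: `AcceptableValues := {"NAMED_PARTIES_ONLY", "INHERIT_FROM_PARENT"}` is declared verbatim inside both NonCompliantOUs1_6 and NonCompliantGroups1_6, so the next change to the compliant set has to be made twice, exactly as this commit had to; hoisting it to one package-level set, `AcceptableValues1_6 := {"NAMED_PARTIES_ONLY", "INHERIT_FROM_PARENT"}`, and writing `not LastEvent.NewValue in AcceptableValues1_6` in both rule bodies keeps the OU and Group checks from drifting apart. GetFriendlyValue1_6 has no header comment; one stating that it maps the raw SHARING_ACCESS_CHECKER_OPTIONS value to the report wording, and that the final `else := Value` branch echoes any unrecognised value verbatim so an unexpected setting is reported as non-compliant rather than silently accepted, would save the next reader from re-deriving that from the three branches. Accepting INHERIT_FROM_PARENT is only as strong as the parent's own result: if utils.FilterEventsOU does not resolve inheritance (not visible in this hunk), a child OU that inherits from a non-compliant parent is surfaced only through the parent's entry, which deserves a one-line comment beside the set. The Groups rule still writes `"Name":Group,` while the OU rule was changed to `"Name": OU,`; matching the spacing keeps the two rules consistent.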