519 policy api updates #538

@@ -1,5 +1,11 @@
package commoncontrols

import future.keywords
import data.utils.FailTestBothNonCompliant
import data.utils.FailTestGroupNonCompliant
import data.utils.FailTestNoEvent
import data.utils.FailTestOUNonCompliant
import data.utils.PassTestResult

#
# GWS.COMMONCONTROLS.16.1
Expand Down Expand Up @@ -27,11 +33,7 @@ test_Unlisted_Correct_V1 if {
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
PassTestResult(PolicyId, Output)
}

test_Unlisted_Correct_V2 if {
Expand Down Expand Up @@ -67,11 +69,7 @@ test_Unlisted_Correct_V2 if {
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
PassTestResult(PolicyId, Output)
}

test_Unlisted_Incorrect_V1 if {
Expand All @@ -95,15 +93,9 @@ test_Unlisted_Incorrect_V1 if {
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == concat("", [
"The following OUs are non-compliant:<ul>",
"<li>Test Top-Level OU: Access to additional services without individual control is turned on</li>",
"</ul>"
])
failedOU := [{"Name": "Test Top-Level OU",
"Value": NonComplianceMessage16_1}]
FailTestOUNonCompliant(PolicyId, Output, failedOU)
}

test_Unlisted_Incorrect_V2 if {
Expand All @@ -118,15 +110,7 @@ test_Unlisted_Incorrect_V2 if {
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == concat("", [
"No relevant event in the current logs for the top-level OU, Test Top-Level OU. While we are unable ",
"to determine the state from the logs, the default setting ",
"is non-compliant; manual check recommended."
])
FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false)
}
#--

Expand Down Expand Up @@ -156,11 +140,7 @@ test_EarlyAccessApps_OUs_Correct_V1 if {
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
PassTestResult(PolicyId, Output)
}

test_EarlyAccessApps_OUs_Correct_V2 if {
Expand Down Expand Up @@ -196,11 +176,7 @@ test_EarlyAccessApps_OUs_Correct_V2 if {
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
PassTestResult(PolicyId, Output)
}

test_EarlyAccessApps_OUs_Incorrect_V1 if {
Expand All @@ -225,15 +201,9 @@ test_EarlyAccessApps_OUs_Incorrect_V1 if {
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == concat("", [
"The following OUs are non-compliant:<ul>",
"<li>Test Top-Level OU: Service status is ON</li>",
"</ul>"
])
failedOU := [{"Name": "Test Top-Level OU",
"Value": NonComplianceMessage16_2}]
FailTestOUNonCompliant(PolicyId, Output, failedOU)
}

test_EarlyAccessApps_OUs_Incorrect_V2 if {
Expand Down Expand Up @@ -269,15 +239,9 @@ test_EarlyAccessApps_OUs_Incorrect_V2 if {
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == concat("", [
"The following OUs are non-compliant:<ul>",
"<li>Test Second-Level OU: Service status is ON</li>",
"</ul>"
])
failedOU := [{"Name": "Test Second-Level OU",
"Value": NonComplianceMessage16_2}]
FailTestOUNonCompliant(PolicyId, Output, failedOU)
}

test_EarlyAccessApps_OUs_Correct_Groups_Incorrect_V1 if {
Expand Down Expand Up @@ -313,15 +277,9 @@ test_EarlyAccessApps_OUs_Correct_Groups_Incorrect_V1 if {
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == concat("", [
"The following groups are non-compliant:<ul>",
"<li>Test Group 1: Service status is ON</li>",
"</ul>"
])
failedGroup := [{"Name": "Test Group 1",
"Value": NonComplianceMessage16_2}]
FailTestGroupNonCompliant(PolicyId, Output, failedGroup)
}

test_EarlyAccessApps_OUs_Correct_Groups_Incorrect_V2 if {
Expand Down Expand Up @@ -368,16 +326,11 @@ test_EarlyAccessApps_OUs_Correct_Groups_Incorrect_V2 if {
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == concat("", [
"The following groups are non-compliant:<ul>",
"<li>Test Group 1: Service status is ON</li>",
"<li>Test Group 2: Service status is ON</li>",
"</ul>"
])
failedGroup := [{"Name": "Test Group 1",
"Value": NonComplianceMessage16_2},
{"Name": "Test Group 2",
"Value": NonComplianceMessage16_2}]
FailTestGroupNonCompliant(PolicyId, Output, failedGroup)
}

test_EarlyAccessApps_OUs_Groups_Incorrect_V1 if {
Expand Down Expand Up @@ -424,18 +377,13 @@ test_EarlyAccessApps_OUs_Groups_Incorrect_V1 if {
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == concat("", [
"The following OUs are non-compliant:<ul>",
"<li>Test Top-Level OU: Service status is ON</li>",
"</ul><br>",
"The following groups are non-compliant:<ul>",
"<li>Test Group 1: Service status is ON</li>",
"<li>Test Group 2: Service status is ON</li>",
"</ul>"
])

failedGroup := [{"Name": "Test Group 1",
"Value": NonComplianceMessage16_2},
{"Name": "Test Group 2",
"Value": NonComplianceMessage16_2}]
failedOU := [{"Name": "Test Top-Level OU",
"Value": NonComplianceMessage16_2}]
FailTestBothNonCompliant(PolicyId, Output, failedOU, failedGroup)
}
#--
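Review bot: The rewritten failure assertions in the test_Unlisted_Incorrect_V1, test_EarlyAccessApps_OUs_Incorrect_V1/V2, the two Groups_Incorrect hunks and test_EarlyAccessApps_OUs_Groups_Incorrect_V1 now build the expected value from `NonComplianceMessage16_1` / `NonComplianceMessage16_2`, which are the same constants the rule under test emits, so the removed literal checks such as `"<li>Test Top-Level OU: Service status is ON</li>"` are no longer pinned anywhere in this file and a wrong edit to the constant would still pass. Keeping one literal-string assertion per message (or a comment naming where that text is asserted) would preserve that coverage. In the test_Unlisted_Incorrect_V2 hunk, the trailing `false` in `FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false)` has no visible meaning here; a short comment naming what that argument selects, as defined in data.utils, would help the reader. Each test rule's body begins outside its hunk.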
@@ -0,0 +1,151 @@
package commoncontrols

import future.keywords
import data.utils
import data.utils.FailTestOUNonCompliant
import data.utils.PassTestResult

GoodCaseInputApi01 := {
"policies": {
"topOU": {
"security_two_step_verification_device_trust": {
"allowTrustingDevice": false
},
"security_two_step_verification_enforcement": {
"enforcedFrom": "2024-02-16T23:22:21.732Z"
},
"security_two_step_verification_enforcement_factor": {
"allowedSignInFactorSet": "PASSKEY_ONLY"
},
"security_two_step_verification_enrollment": {
"allowEnrollment": true
},
"security_two_step_verification_grace_period": {
"enrollmentGracePeriod": "168h"}
},
"nextOU": {
"security_two_step_verification_grace_period": {
"enrollmentGracePeriod": "604800s"}
}
},
"tenant_info": {
"topLevelOU": "topOU"
}
}

BadCaseInputApi01 := {
"policies": {
"topOU": {
"security_two_step_verification_device_trust": {
"allowTrustingDevice": true
},
"security_two_step_verification_enforcement": {
"enforcedFrom": "2025-02-16T23:22:21.732Z"
},
"security_two_step_verification_enforcement_factor": {
"allowedSignInFactorSet": "ALL"
},
"security_two_step_verification_enrollment": {
"allowEnrollment": false
},
"security_two_step_verification_grace_period": {
"enrollmentGracePeriod": "0s"}
},
"nextOU": {
"security_two_step_verification_enforcement": {
"enforcedFrom": "2028-02-16T23:22:21.732Z"
},
"security_two_step_verification_enforcement_factor": {
"allowedSignInFactorSet": "ALL"
},
"security_two_step_verification_enrollment": {
"allowEnrollment": true
}
},
"thirdOU": {
"security_two_step_verification_enforcement": {
"enforcedFrom": "2035-02-16T23:22:21.732Z"
},
"security_two_step_verification_enforcement_factor": {
"allowedSignInFactorSet": "PASSKEY_ONLY"
},
"security_two_step_verification_enrollment": {
"allowEnrollment": true
}
}
},
"tenant_info": {
"topLevelOU": "topOU"
}
}

BadCaseInputApi01a := {
"policies": {
"topOU": {
"security_login_challenges": {
"enableEmployeeIdChallenge": true
}
},
"nextOU": {
"security_login_challenges": {
"enableEmployeeIdChallenge": false
}
}
},
"tenant_info": {
"topLevelOU": "topOU"
}
}

test_2SV_Correct_1 if {
PolicyId := CommonControlsId1_1
Output := tests with input as GoodCaseInputApi01

PassTestResult(PolicyId, Output)
}

test_2SV_Incorrect_1 if {
PolicyId := CommonControlsId1_1
Output := tests with input as BadCaseInputApi01

failedOU := [{"Name": "nextOU",
"Value": NonComplianceMessage1_1b(GetFriendlyMethods("ALL"))},
{"Name": "thirdOU",
"Value": NonComplianceMessage1_1c},
{"Name": "topOU",
"Value": NonComplianceMessage1_1a}]
FailTestOUNonCompliant(PolicyId, Output, failedOU)
}

test_EnrollPeriod_Correct_1 if {
PolicyId := CommonControlsId1_2
Output := tests with input as GoodCaseInputApi01

PassTestResult(PolicyId, Output)
}

test_EnrollPeriod_Incorrect_1 if {
PolicyId := CommonControlsId1_2
Output := tests with input as BadCaseInputApi01

failedOU := [{"Name": "topOU",
"Value": NonComplianceMessage1_2(0,
utils.DurationToSeconds("7d"))}]
FailTestOUNonCompliant(PolicyId, Output, failedOU)
}

test_DeviceTrust_Correct_1 if {
PolicyId := CommonControlsId1_3
Output := tests with input as GoodCaseInputApi01

PassTestResult(PolicyId, Output)
}

test_DeviceTrust_Incorrect_1 if {
PolicyId := CommonControlsId1_3
Output := tests with input as BadCaseInputApi01

failedOU := [{"Name": "topOU",
"Value": NonComplianceMessage1_3}]
FailTestOUNonCompliant(PolicyId, Output, failedOU)
}
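Review bot: `BadCaseInputApi01a` (the `security_login_challenges` fixture) is defined but no test in this new file references it, so it is dead data; either add the test it was written for or drop it so a reader does not search for a missing case. The good/bad split of `enforcedFrom` (2024 in the good case, 2025/2028/2035 in the bad case) suggests the 1.1 rule compares that timestamp against the current time; if so, the expected `NonComplianceMessage1_1a`/`1_1c` results change once the wall clock passes those dates, and the tests should pin the clock, e.g. `Output := tests with input as BadCaseInputApi01 with time.now_ns as 1700000000000000000` (constant constructed). The file imports both `data.utils` and the two specific `data.utils.FailTestOUNonCompliant` / `data.utils.PassTestResult` names; the specific imports are redundant with the package import, and one style should be picked for consistency with the other test files in this PR.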
Expand Up @@ -29,7 +29,7 @@ GoodCaseInputApi04 := {
}
}

BaseCaseInputApi04 := {
BadCaseInputApi04 := {
"policies": {
"topOU": {
"security_session_controls": {
Expand All @@ -56,7 +56,7 @@ test_CCAPI_ReAuth_Comply_1 if {

test_CCAPI_ReAuth_NonComply_1 if {
PolicyId := CommonControlsId4_1
Output := tests with input as BaseCaseInputApi04
Output := tests with input as BadCaseInputApi04

failedOU := [{"Name": "nextOU",
"Value": NonComplianceMessage4_1(GetFriendlyValue4_1(800 * 60))}]