commoncontrols: implement 1.1 - 1.3 & 16.2

cisagov · Dec 20, 2024 · 6385824 · 6385824
1 parent 864469b
commit 6385824
Show file tree

Hide file tree

Showing 7 changed files with 449 additions and 144 deletions.
diff --git a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols16_test.rego b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols16_test.rego
@@ -1,5 +1,11 @@
 package commoncontrols
+
 import future.keywords
+import data.utils.FailTestBothNonCompliant
+import data.utils.FailTestGroupNonCompliant
+import data.utils.FailTestNoEvent
+import data.utils.FailTestOUNonCompliant
+import data.utils.PassTestResult
 
 #
 # GWS.COMMONCONTROLS.16.1
@@ -27,11 +33,7 @@ test_Unlisted_Correct_V1 if {
         }
     }
 
-    RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
-    count(RuleOutput) == 1
-    RuleOutput[0].RequirementMet
-    not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
+    PassTestResult(PolicyId, Output)
 }
 
 test_Unlisted_Correct_V2 if {
@@ -67,11 +69,7 @@ test_Unlisted_Correct_V2 if {
         }
     }
 
-    RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
-    count(RuleOutput) == 1
-    RuleOutput[0].RequirementMet
-    not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
+    PassTestResult(PolicyId, Output)
 }
 
 test_Unlisted_Incorrect_V1 if {
@@ -95,15 +93,9 @@ test_Unlisted_Incorrect_V1 if {
         }
     }
 
-    RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
-    count(RuleOutput) == 1
-    not RuleOutput[0].RequirementMet
-    not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == concat("", [
-        "The following OUs are non-compliant:<ul>",
-        "<li>Test Top-Level OU: Access to additional services without individual control is turned on</li>",
-        "</ul>"
-    ])
+    failedOU := [{"Name": "Test Top-Level OU",
+                  "Value": NonComplianceMessage16_1}]
+    FailTestOUNonCompliant(PolicyId, Output, failedOU)
 }
 
 test_Unlisted_Incorrect_V2 if {
@@ -118,15 +110,7 @@ test_Unlisted_Incorrect_V2 if {
         }
     }
 
-    RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
-    count(RuleOutput) == 1
-    not RuleOutput[0].RequirementMet
-    RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == concat("", [
-        "No relevant event in the current logs for the top-level OU, Test Top-Level OU. While we are unable ",
-        "to determine the state from the logs, the default setting ",
-        "is non-compliant; manual check recommended."
-    ])
+    FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false)
 }
 #--
 
@@ -156,11 +140,7 @@ test_EarlyAccessApps_OUs_Correct_V1 if {
         }
     }
 
-    RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
-    count(RuleOutput) == 1
-    RuleOutput[0].RequirementMet
-    not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
+    PassTestResult(PolicyId, Output)
 }
 
 test_EarlyAccessApps_OUs_Correct_V2 if {
@@ -196,11 +176,7 @@ test_EarlyAccessApps_OUs_Correct_V2 if {
         }
     }
 
-    RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
-    count(RuleOutput) == 1
-    RuleOutput[0].RequirementMet
-    not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
+    PassTestResult(PolicyId, Output)
 }
 
 test_EarlyAccessApps_OUs_Incorrect_V1 if {
@@ -225,15 +201,9 @@ test_EarlyAccessApps_OUs_Incorrect_V1 if {
         }
     }
 
-    RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
-    count(RuleOutput) == 1
-    not RuleOutput[0].RequirementMet
-    not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == concat("", [
-        "The following OUs are non-compliant:<ul>",
-        "<li>Test Top-Level OU: Service status is ON</li>",
-        "</ul>"
-    ])
+    failedOU := [{"Name": "Test Top-Level OU",
+                  "Value": NonComplianceMessage16_2}]
+    FailTestOUNonCompliant(PolicyId, Output, failedOU)
 }
 
 test_EarlyAccessApps_OUs_Incorrect_V2 if {
@@ -269,15 +239,9 @@ test_EarlyAccessApps_OUs_Incorrect_V2 if {
         }
     }
 
-    RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
-    count(RuleOutput) == 1
-    not RuleOutput[0].RequirementMet
-    not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == concat("", [
-        "The following OUs are non-compliant:<ul>",
-        "<li>Test Second-Level OU: Service status is ON</li>",
-        "</ul>"
-    ])
+    failedOU := [{"Name": "Test Second-Level OU",
+                  "Value": NonComplianceMessage16_2}]
+    FailTestOUNonCompliant(PolicyId, Output, failedOU)
 }
 
 test_EarlyAccessApps_OUs_Correct_Groups_Incorrect_V1 if {
@@ -313,15 +277,9 @@ test_EarlyAccessApps_OUs_Correct_Groups_Incorrect_V1 if {
         }
     }
 
-    RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
-    count(RuleOutput) == 1
-    not RuleOutput[0].RequirementMet
-    not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == concat("", [
-        "The following groups are non-compliant:<ul>",
-        "<li>Test Group 1: Service status is ON</li>",
-        "</ul>"
-    ])
+    failedGroup := [{"Name": "Test Group 1",
+                     "Value": NonComplianceMessage16_2}]
+    FailTestGroupNonCompliant(PolicyId, Output, failedGroup)
 }
 
 test_EarlyAccessApps_OUs_Correct_Groups_Incorrect_V2 if {
@@ -368,16 +326,11 @@ test_EarlyAccessApps_OUs_Correct_Groups_Incorrect_V2 if {
         }
     }
 
-    RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
-    count(RuleOutput) == 1
-    not RuleOutput[0].RequirementMet
-    not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == concat("", [
-        "The following groups are non-compliant:<ul>",
-        "<li>Test Group 1: Service status is ON</li>",
-        "<li>Test Group 2: Service status is ON</li>",
-        "</ul>"
-    ])
+    failedGroup := [{"Name": "Test Group 1",
+                     "Value": NonComplianceMessage16_2},
+                    {"Name": "Test Group 2",
+                     "Value": NonComplianceMessage16_2}]
+    FailTestGroupNonCompliant(PolicyId, Output, failedGroup)
 }
 
 test_EarlyAccessApps_OUs_Groups_Incorrect_V1 if {
@@ -424,18 +377,13 @@ test_EarlyAccessApps_OUs_Groups_Incorrect_V1 if {
         }
     }
 
-    RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
-    count(RuleOutput) == 1
-    not RuleOutput[0].RequirementMet
-    not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == concat("", [
-        "The following OUs are non-compliant:<ul>",
-        "<li>Test Top-Level OU: Service status is ON</li>",
-        "</ul><br>",
-        "The following groups are non-compliant:<ul>",
-        "<li>Test Group 1: Service status is ON</li>",
-        "<li>Test Group 2: Service status is ON</li>",
-        "</ul>"
-    ])
+
+    failedGroup := [{"Name": "Test Group 1",
+                     "Value": NonComplianceMessage16_2},
+                    {"Name": "Test Group 2",
+                     "Value": NonComplianceMessage16_2}]
+    failedOU := [{"Name": "Test Top-Level OU",
+                  "Value": NonComplianceMessage16_2}]
+    FailTestBothNonCompliant(PolicyId, Output, failedOU, failedGroup)
 }
 #--
diff --git a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api01_test.rego b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api01_test.rego
@@ -0,0 +1,151 @@
+package commoncontrols
+
+import future.keywords
+import data.utils
+import data.utils.FailTestOUNonCompliant
+import data.utils.PassTestResult
+
+GoodCaseInputApi01 := {
+    "policies": {
+        "topOU": {
+            "security_two_step_verification_device_trust": {
+                "allowTrustingDevice": false
+            },
+            "security_two_step_verification_enforcement": {
+                "enforcedFrom": "2024-02-16T23:22:21.732Z"
+            },
+            "security_two_step_verification_enforcement_factor": {
+                "allowedSignInFactorSet": "PASSKEY_ONLY"
+            },
+            "security_two_step_verification_enrollment": {
+                "allowEnrollment": true
+            },
+            "security_two_step_verification_grace_period": {
+                "enrollmentGracePeriod": "168h"}
+        },
+        "nextOU": {
+            "security_two_step_verification_grace_period": {
+                "enrollmentGracePeriod": "604800s"}
+        }
+    },
+    "tenant_info": {
+        "topLevelOU": "topOU"
+    }
+}
+
+BadCaseInputApi01 := {
+    "policies": {
+        "topOU": {
+            "security_two_step_verification_device_trust": {
+                "allowTrustingDevice": true
+            },
+            "security_two_step_verification_enforcement": {
+                "enforcedFrom": "2025-02-16T23:22:21.732Z"
+            },
+            "security_two_step_verification_enforcement_factor": {
+                "allowedSignInFactorSet": "ALL"
+            },
+            "security_two_step_verification_enrollment": {
+                "allowEnrollment": false
+            },
+            "security_two_step_verification_grace_period": {
+                "enrollmentGracePeriod": "0s"}
+        },
+        "nextOU": {
+            "security_two_step_verification_enforcement": {
+                "enforcedFrom": "2028-02-16T23:22:21.732Z"
+            },
+            "security_two_step_verification_enforcement_factor": {
+                "allowedSignInFactorSet": "ALL"
+            },
+            "security_two_step_verification_enrollment": {
+                "allowEnrollment": true
+            }
+        },
+        "thirdOU": {
+            "security_two_step_verification_enforcement": {
+                "enforcedFrom": "2035-02-16T23:22:21.732Z"
+            },
+            "security_two_step_verification_enforcement_factor": {
+                "allowedSignInFactorSet": "PASSKEY_ONLY"
+            },
+            "security_two_step_verification_enrollment": {
+                "allowEnrollment": true
+            }
+        }
+    },
+    "tenant_info": {
+        "topLevelOU": "topOU"
+    }
+}
+
+BadCaseInputApi01a := {
+    "policies": {
+        "topOU": {
+            "security_login_challenges": {
+                "enableEmployeeIdChallenge": true
+            }
+        },
+         "nextOU": {
+            "security_login_challenges": {
+                "enableEmployeeIdChallenge": false
+            }
+        }
+    },
+    "tenant_info": {
+        "topLevelOU": "topOU"
+    }
+}
+
+test_2SV_Correct_1 if {
+    PolicyId := CommonControlsId1_1
+    Output := tests with input as GoodCaseInputApi01
+
+    PassTestResult(PolicyId, Output)
+}
+
+test_2SV_Incorrect_1 if {
+    PolicyId := CommonControlsId1_1
+    Output := tests with input as BadCaseInputApi01
+
+    failedOU := [{"Name": "nextOU",
+                  "Value": NonComplianceMessage1_1b(GetFriendlyMethods("ALL"))},
+                 {"Name": "thirdOU",
+                  "Value": NonComplianceMessage1_1c},
+                 {"Name": "topOU",
+                  "Value": NonComplianceMessage1_1a}]
+    FailTestOUNonCompliant(PolicyId, Output, failedOU)
+}
+
+test_EnrollPeriod_Correct_1 if {
+    PolicyId := CommonControlsId1_2
+    Output := tests with input as GoodCaseInputApi01
+
+    PassTestResult(PolicyId, Output)
+}
+
+test_EnrollPeriod_Incorrect_1 if {
+    PolicyId := CommonControlsId1_2
+    Output := tests with input as BadCaseInputApi01
+
+    failedOU := [{"Name": "topOU",
+                  "Value": NonComplianceMessage1_2(0,
+                                                   utils.DurationToSeconds("7d"))}]
+    FailTestOUNonCompliant(PolicyId, Output, failedOU)
+}
+
+test_DeviceTrust_Correct_1 if {
+    PolicyId := CommonControlsId1_3
+    Output := tests with input as GoodCaseInputApi01
+
+    PassTestResult(PolicyId, Output)
+}
+
+test_DeviceTrust_Incorrect_1 if {
+    PolicyId := CommonControlsId1_3
+    Output := tests with input as BadCaseInputApi01
+
+    failedOU := [{"Name": "topOU",
+                  "Value": NonComplianceMessage1_3}]
+    FailTestOUNonCompliant(PolicyId, Output, failedOU)
+}
diff --git a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api04_test.rego b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api04_test.rego
@@ -29,7 +29,7 @@ GoodCaseInputApi04 := {
     }
 }
 
-BaseCaseInputApi04 := {
+BadCaseInputApi04 := {
     "policies": {
         "topOU": {
             "security_session_controls": {
@@ -56,7 +56,7 @@ test_CCAPI_ReAuth_Comply_1 if {
 
 test_CCAPI_ReAuth_NonComply_1 if {
     PolicyId := CommonControlsId4_1
-    Output := tests with input as BaseCaseInputApi04
+    Output := tests with input as BadCaseInputApi04
 
     failedOU := [{"Name": "nextOU",
                  "Value": NonComplianceMessage4_1(GetFriendlyValue4_1(800 * 60))}]