commoncontrols 12.1: correct Policy API implementation

cisagov · Jan 9, 2025 · ae641ea · ae641ea
1 parent 67abc58
commit ae641ea
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 14 deletions.
diff --git a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api12_test.rego b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api12_test.rego
@@ -7,7 +7,7 @@ import data.utils.PassTestResult
 GoodCaseInputApi12 := {
     "policies": {
         "topOU": {
-            "takeout_service_status": {"serviceState": "ENABLED"},
+            "takeout_service_status": {"serviceState": "DISABLED"},
             "blogger_user_takeout": {"takeoutStatus": "DISABLED"},
             "books_user_takeout": {"takeoutStatus": "DISABLED"},
             "location_history_user_takeout": {"takeoutStatus": "DISABLED"},
@@ -20,7 +20,7 @@ GoodCaseInputApi12 := {
         },
         "nextOU": {
             "takeout_service_status": {"serviceState": "DISABLED"},
-            "blogger_user_takeout": {"takeoutStatus": "ENABLED"}
+            "blogger_user_takeout": {"takeoutStatus": "DISABLED"}
         }
     },
     "tenant_info": {
@@ -63,11 +63,12 @@ BadCaseInputApi12a := {
             "youtube_user_takeout": {"takeoutStatus": "DISABLED"}
         },
         "nextOU": {
-            "location_history_user_takeout": {"takeoutStatus": "ENABLED"},
+            "takeout_service_status": {"serviceState": "DISABLED"},
             "play_console_user_takeout": {"takeoutStatus": "ENABLED"},
             "youtube_user_takeout": {"takeoutStatus": "ENABLED"}
         },
         "thirdOU": {
+            "takeout_service_status": {"serviceState": "ENABLED"},
             "blogger_user_takeout": {"takeoutStatus": "ENABLED"},
             "maps_user_takeout": {"takeoutStatus": "ENABLED"},
             "play_user_takeout": {"takeoutStatus": "ENABLED"},
@@ -102,6 +103,8 @@ test_Takeout_Incorrect_1 if {
                     "play",
                     "youtube"]
     failedOU := [{"Name": "topOU",
+                 "Value": NonComplianceMessage12_1a},
+                 {"Name": "topOU",
                  "Value": NonComplianceMessage12_1(TakeoutApps(EnabledApps))}]
     FailTestOUNonCompliant(PolicyId, Output, failedOU)
 }
@@ -110,11 +113,13 @@ test_Takeout_Incorrect_2 if {
     PolicyId := CommonControlsId12_1
     Output := tests with input as BadCaseInputApi12a
 
-    EnabledApps1 := ["location_history", "play_console", "youtube"]
+    EnabledApps1 := ["play_console", "youtube"]
     EnabledApps2 := ["blogger", "maps", "play"]
     failedOU := [{"Name": "nextOU",
                  "Value": NonComplianceMessage12_1(TakeoutApps(EnabledApps1))},
+                 {"Name": "thirdOU", "Value": NonComplianceMessage12_1a},
                  {"Name": "thirdOU",
-                 "Value": NonComplianceMessage12_1(TakeoutApps(EnabledApps2))}]
+                 "Value": NonComplianceMessage12_1(TakeoutApps(EnabledApps2))},
+                 {"Name": "topOU", "Value": NonComplianceMessage12_1a}]
     FailTestOUNonCompliant(PolicyId, Output, failedOU)
 }
diff --git a/scubagoggles/rego/Commoncontrols.rego b/scubagoggles/rego/Commoncontrols.rego
@@ -2022,6 +2022,12 @@ if {
 # GWS.COMMONCONTROLS.12 #
 #########################
 
+#
+# Baseline GWS.COMMONCONTROLS.12.1
+#--
+
+CommonControlsId12_1 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.12.1")
+
 LogMessage12_1 := "UserTakeoutSettingsProto User Takeout "
 
 Msg12_1 := "The following apps with individual admin control have Takeout enabled: %s"
@@ -2153,10 +2159,6 @@ if {
     count(EnabledApps) > 0
 }
 
-#
-# Baseline GWS.COMMONCONTROLS.12.1
-#--
-
 default NoSuchEvent12_1 := false
 
 NoSuchEvent12_1 := true if {
@@ -2169,15 +2171,24 @@ NoSuchEvent12_1 := true if {
     count(Events) == 0
 }
 
-CommonControlsId12_1 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.12.1")
-
 Check12_1_OK if {
     not PolicyApiInUse
     not NoSuchEvent12_1
 }
 
 Check12_1_OK if {PolicyApiInUse}
 
+NonCompliantOUs12_1 contains {
+    "Name": OU,
+    "Value": NonComplianceMessage12_1a
+
+}
+if {
+    some OU, _ in input.policies
+    takeoutStatus := utils.AppExplicitStatus(input.policies, "takeout", OU)
+    takeoutStatus != "DISABLED"
+}
+
 Takeout := {"blogger": "Blogger",
             "books": "Google Books",
             "location_history": "Timeline - Location History",
@@ -2195,7 +2206,6 @@ NonCompliantOUs12_1 contains {
 }
 if {
     some OU, settings in input.policies
-    utils.AppEnabled(input.policies, "takeout", OU)
     EnabledApps :=[value
 		           | some key, value in Takeout
                      section := sprintf("%s_user_takeout", [key])

diff --git a/scubagoggles/rego/Utils.rego b/scubagoggles/rego/Utils.rego
@@ -558,12 +558,13 @@ AppEnabled(policies, appName, orgunit) if {
 # been explicitly set in the given orgunit or group.  The above functions will
 # tell you whether the app is enabled, but its state may be due to inheriting
 # the state from the top-level orgunit.  In some cases, you need to know
-# whether the state has been explicitly set (not inherited).
+# whether the state has been explicitly set (not inherited).  This function
+# returns "ENABLED", "DISABLED" if explicitly set; it's undefined otherwise.
 
 AppExplicitStatus(policies, appName, orgunit) := appState if {
     serviceStatusName := AppServiceStatusName(appName)
     appState := upper(policies[orgunit][serviceStatusName].serviceState)
-} else := ""
+}
 
 # There are a lot of policies that have enabled/disabled states.  The states
 # (values) in the log events are strings ("true", "false), while the states