Two-step verification for admins policy reduction throws exception #572

Open
ebarti opened this issue Jan 17, 2025 · 3 comments

ebarti commented Jan 17, 2025

🐛 Summary

When evaluating the following policy in my environment, scubagoggles throws an uncaught exception as there is no group named WORKSPACE_ALL_ADMIN_GROUP. The org unit listed is root.

{
  "name" : "policies/awz2frpjeslov265asjnvrfpueffg",
  "customer" : "customers/C03krtfe4",
  "policyQuery" : {
    "query" : "entity.groups.exists(group, group.group_id == groupId('WORKSPACE_ALL_ADMIN_GROUP')) && entity.org_units.exists(org_unit, org_unit.org_unit_id == orgUnitId('04jha4ab0pkg0mx'))",
    "orgUnit" : "orgUnits/04jha4ab0pkg0mx",
    "group" : "WORKSPACE_ALL_ADMIN_GROUP",
    "sortOrder" : 399.00055
  },
  "setting" : {
    "type" : "settings/security.two_step_verification_enforcement",
    "value" : {
      "enforcedFrom" : "2024-01-30T05:30:00Z"
    }
  },
  "type" : "SYSTEM"
}

Exception:

To reproduce

Steps to reproduce the behavior:

  1. Do this
  2. Then this

Expected behavior

What did you expect to happen that didn't?

Any helpful log output or screenshots

Paste the results here:

File "/Users/XX/Github/ScubaGoggles/scubagoggles/policy_api.py", line 596, in _reduce
    group_name = self._group_id_map[group_id]
KeyError: 'WORKSPACE_ALL_ADMIN_GROUP'

Add any screenshots of the problem here.

@rlxdev rlxdev self-assigned this Jan 17, 2025
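
An added sketch, not ScubaGoggles code and not the change in the work-around branch, of a scope lookup that tolerates a group identifier missing from the id-to-name map, as in the traceback above. It keeps the policy and labels it with the raw identifier instead of raising `KeyError`, so the two-step verification setting for admins still reaches the report; `resolve_scope`, both maps and the warning list are assumptions.

```python
import json

# Constructed sample: the policy from the report, trimmed to the fields used here.
POLICY = json.loads("""
{
  "policyQuery": {
    "orgUnit": "orgUnits/04jha4ab0pkg0mx",
    "group": "WORKSPACE_ALL_ADMIN_GROUP"
  },
  "setting": {
    "type": "settings/security.two_step_verification_enforcement",
    "value": {"enforcedFrom": "2024-01-30T05:30:00Z"}
  },
  "type": "SYSTEM"
}
""")

# Constructed lookup tables standing in for what a scanner builds from
# directory listings (hypothetical ids and names).
GROUP_ID_MAP = {"groups/01example": "helpdesk@example.org"}
ORGUNIT_ID_MAP = {"04jha4ab0pkg0mx": "/"}


def resolve_scope(policy, group_map, ou_map, warnings):
    """Return (org unit name, group name or None) for one policy.

    An id missing from a map is kept verbatim and recorded in `warnings`
    rather than raising, so the setting is neither lost nor the scan aborted.
    """
    query = policy["policyQuery"]
    ou_id = query["orgUnit"].split("/", 1)[-1]
    ou_name = ou_map.get(ou_id, ou_id)
    group_id = query.get("group")
    if group_id is None:
        return ou_name, None
    group_name = group_map.get(group_id)
    if group_name is None:
        # Unmapped id: keep it as the label and surface it to the operator.
        group_name = group_id
        warnings.append(
            f"unmapped group {group_id!r} in {policy['setting']['type']}")
    return ou_name, group_name


if __name__ == "__main__":
    notes = []
    print(resolve_scope(POLICY, GROUP_ID_MAP, ORGUNIT_ID_MAP, notes), notes)
```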
Collaborator

rlxdev commented Jan 23, 2025

Hi Eloi (@ebarti), Thanks for reporting this issue. Based on a response from Google, we have a candidate work-around for this issue, if you’re interested in trying this out. The branch is 572-google-all-admin-group-fix. If you do happen to try this out, I’d be appreciative of any feedback on whether it resolves your issue.

Author

ebarti commented Jan 24, 2025

@rlxdev Thank you, confirmed it did complete the scan after this fix

Collaborator

rlxdev commented Jan 24, 2025

Hi Eloi (@ebarti), Thanks for confirming that the issue has been resolved in your environment. It’s very helpful for us to know that the change will work independently of our testing. We’ll now get this scheduled for merging into the mainline code.
