From f32cf59ad92ddbd67f03e1922691b61c9be37ea3 Mon Sep 17 00:00:00 2001 From: Roy Lane Date: Wed, 24 Jul 2024 21:22:39 -0400 Subject: [PATCH] meet: implement group checks (#329) --- Testing/RegoTests/meet/meet01_test.rego | 51 +++++++++++- Testing/RegoTests/meet/meet02_test.rego | 49 ++++++++++++ Testing/RegoTests/meet/meet03_test.rego | 50 +++++++++++- Testing/RegoTests/meet/meet04_test.rego | 55 ++++++++++++- rego/Meet.rego | 102 ++++++++++++++++++++---- 5 files changed, 286 insertions(+), 21 deletions(-) diff --git a/Testing/RegoTests/meet/meet01_test.rego b/Testing/RegoTests/meet/meet01_test.rego index 11afc21e..76a6f8ee 100644 --- a/Testing/RegoTests/meet/meet01_test.rego +++ b/Testing/RegoTests/meet/meet01_test.rego 
@@ -466,4 +466,53 @@ test_Access_Incorrect_V9 if { "While we are unable to determine the state from the logs, the default setting ", "is non-compliant; manual check recommended." ])} -#-- \ No newline at end of file +#-- + +test_Access_Incorrect_V10 if { + # Test group wrong + PolicyId := "GWS.MEET.1.1v0.2" + Output := tests with input as { + "meet_logs": {"items": [ + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "parameters": [ + { + "name": "SETTING_NAME", + "value": "SafetyDomainLockProto users_allowed_to_join" + }, + {"name": "NEW_VALUE", "value": "LOGGED_IN"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, + ] + }] + }, + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "parameters": [ + { + "name": "SETTING_NAME", + "value": "SafetyDomainLockProto users_allowed_to_join" + }, + {"name": "NEW_VALUE", "value": "ALL"}, + {"name": "GROUP_EMAIL", "value": "group@example.com"}, + ] + }] + } + ]}, + "tenant_info": { + "topLevelOU": "Test Top-Level OU" + } + } + + RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] + count(RuleOutput) == 1 + not RuleOutput[0].RequirementMet + not RuleOutput[0].NoSuchEvent + RuleOutput[0].ReportDetails == concat("", [ + "The following groups are non-compliant:" + ]) +} diff --git a/Testing/RegoTests/meet/meet02_test.rego b/Testing/RegoTests/meet/meet02_test.rego index 0069480e..5f4515ab 100644 --- a/Testing/RegoTests/meet/meet02_test.rego +++ b/Testing/RegoTests/meet/meet02_test.rego 
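Review bot: The closing assertion of test_Access_Incorrect_V10 compares ReportDetails against the bare header `"The following groups are non-compliant:"`, so the test never confirms that `group@example.com` or the `Who can join meetings is set to …` text built by NonCompliantGroups1_1 made it into the report. If utils.ReportDetails renders the group list after that header (the single-element concat looks like a placeholder for exactly that), an exact `==` against the header alone will fail outright; if it does not, the new rule's Value is untested either way. Extend the expected list with the group entry in whatever list markup the existing OU-level Incorrect tests in this file assert, so a wrong friendly value or a missing group name is caught. The event timestamps for the OU and group entries are identical, which is fine here only because they are filtered by scope rather than ordered against each other — worth a short comment so nobody later "fixes" it.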
@@ -555,3 +555,52 @@ test_JoinExternalPers_Incorrect_V7 if { "What meetings can org users join is set to any meetings, ", "including meetings created with personal accounts"]) } + +test_JoinExternalPers_Incorrect_V8 if { + # Test group wrong + PolicyId := "GWS.MEET.2.1v0.2" + Output := tests with input as { + "meet_logs": {"items": [ + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "parameters": [ + { + "name": "SETTING_NAME", + "value": "SafetyAccessLockProto meetings_allowed_to_join" + }, + {"name": "NEW_VALUE", "value": "SAME_DOMAIN"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, + ] + }] + }, + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "parameters": [ + { + "name": "SETTING_NAME", + "value": "SafetyAccessLockProto meetings_allowed_to_join" + }, + {"name": "NEW_VALUE", "value": "ALL"}, + {"name": "GROUP_EMAIL", "value": "group@example.com"}, + ] + }] + } + ]}, + "tenant_info": { + "topLevelOU": "Test Top-Level OU" + } + } + + RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] + count(RuleOutput) == 1 + not RuleOutput[0].RequirementMet + not RuleOutput[0].NoSuchEvent + RuleOutput[0].ReportDetails == concat("", [ + "The following groups are non-compliant:" + ]) +} diff --git a/Testing/RegoTests/meet/meet03_test.rego b/Testing/RegoTests/meet/meet03_test.rego index 427c9093..cd6b79a7 100644 --- a/Testing/RegoTests/meet/meet03_test.rego +++ b/Testing/RegoTests/meet/meet03_test.rego 
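Review bot: test_JoinExternalPers_Incorrect_V8 asserts that ReportDetails equals only the header string, so it does not check that `group@example.com` and the `What meetings can org users join is set to …` message from NonCompliantGroups2_1 appear at all. If utils.ReportDetails appends the group list after the header the comparison cannot match; if it does not, the group Value is never exercised. Extend the concat with the expected group line in the same markup the OU-level Incorrect tests in this file already assert, so the friendly-value mapping for `ALL` is pinned rather than assumed.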
@@ -327,4 +327,52 @@ test_HostMan_Incorrect_V5 if { "is non-compliant; manual check recommended." ]) } -#-- \ No newline at end of file +#-- + +test_HostMan_Incorrect_V6 if { + # Test group wrong + PolicyId := "GWS.MEET.3.1v0.2" + Output := tests with input as { + "meet_logs": {"items": [ + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "parameters": [ + { + "name": "SETTING_NAME", + "value": "SafetyModerationLockProto host_management_enabled" + }, + {"name": "NEW_VALUE", "value": "true"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, + ] + }] + }, + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "parameters": [ + { + "name": "SETTING_NAME", + "value": "SafetyModerationLockProto host_management_enabled" + }, + {"name": "NEW_VALUE", "value": "false"}, + {"name": "GROUP_EMAIL", "value": "group@example.com"}, + ] + }] + } + ]}, + "tenant_info": { + "topLevelOU": "Test Top-Level OU" + } + } + + RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] + count(RuleOutput) == 1 + not RuleOutput[0].RequirementMet + not RuleOutput[0].NoSuchEvent + RuleOutput[0].ReportDetails == concat("", [ + "The following groups are non-compliant:" + ]) +} diff --git a/Testing/RegoTests/meet/meet04_test.rego b/Testing/RegoTests/meet/meet04_test.rego index ea9ea2bf..d6d9562d 100644 --- a/Testing/RegoTests/meet/meet04_test.rego +++ b/Testing/RegoTests/meet/meet04_test.rego @@ -128,7 +128,7 @@ test_HostMan_Correct_V3 if { RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } -test_Access_Correct_V4 if { +test_HostMan_Correct_V4 if { # Test history setting when set to inherit from parent PolicyId := "GWS.MEET.4.1v0.2" Output := tests with input as { 
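Review bot: test_HostMan_Incorrect_V6 checks ReportDetails only up to `"The following groups are non-compliant:"`, so the group name and the `Host management when video calls start is set to …` text produced by NonCompliantGroups3_1 are never verified, and the exact `==` will not even match if utils.ReportDetails renders the list after the header. Add the expected group entry to the concat in the format the OU-level Incorrect tests in this file use. It would also be worth one test where the group's last event is `DELETE_APPLICATION_SETTING` after an earlier `false`, to pin that a removed group override is not reported as non-compliant.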
@@ -383,4 +383,55 @@ test_HostMan_Incorrect_V5 if { "is non-compliant; manual check recommended." ]) } -#-- \ No newline at end of file +#-- + +test_HostMan_Incorrect_V6 if { + # Test group wrong + PolicyId := "GWS.MEET.4.1v0.2" + Output := tests with input as { + "meet_logs": {"items": [ + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "parameters": [ + { + "name": "SETTING_NAME", + "value": + "Warn for external participants External or unidentified participants in a meeting are given a label" + }, + {"name": "NEW_VALUE", "value": "true"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, + ] + }] + }, + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "parameters": [ + { + "name": "SETTING_NAME", + "value": + "Warn for external participants External or unidentified participants in a meeting are given a label" + }, + {"name": "NEW_VALUE", "value": "false"}, + {"name": "GROUP_EMAIL", "value": "group@example.com"}, + ] + }] + } + ]}, + "tenant_info": { + "topLevelOU": "Test Top-Level OU" + } + } + + RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] + count(RuleOutput) == 1 + not RuleOutput[0].RequirementMet + not RuleOutput[0].NoSuchEvent + RuleOutput[0].ReportDetails == concat("", [ + "The following groups are non-compliant:" + ]) +} diff --git a/rego/Meet.rego b/rego/Meet.rego index ee0c5d41..cd92eb5f 100644 --- a/rego/Meet.rego +++ b/rego/Meet.rego 
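Review bot: The new test for GWS.MEET.4.1 is named test_HostMan_Incorrect_V6 (and the preceding hunk renames V4 to test_HostMan_Correct_V4), but this policy is the external/unidentified-participant warning label, not host management; the name duplicates meet03's test names and will mislead anyone reading a failing test list. Name it after the setting, e.g. `test_ExternalWarning_Incorrect_V6`, and apply the same to the renamed V4 test. As with the other new group tests, the ReportDetails assertion stops at the header and does not pin `group@example.com` or the `Warning label for external or unidentified meeting participants is set to …` text, so the group Value goes unverified and the exact comparison may not match if utils.ReportDetails renders the list. Extend the expected concat with the group entry in the markup the OU-level Incorrect tests here use.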
@@ -32,6 +32,23 @@ if { LastEvent.NewValue != "DELETE_APPLICATION_SETTING" } +NonCompliantGroups1_1 contains { + "Name": Group, + "Value": concat(" ", [ + "Who can join meetings is set to", + GetFriendlyValue1_1(LastEvent.NewValue) + ]) +} +if { + some Group in utils.GroupsWithEvents + SettingName := "SafetyDomainLockProto users_allowed_to_join" + Events := utils.FilterEventsGroup(LogEvents, SettingName, Group) + count(Events) > 0 + LastEvent := utils.GetLastEvent(Events) + LastEvent.NewValue == "ALL" + LastEvent.NewValue != "DELETE_APPLICATION_SETTING" +} + tests contains { "PolicyId": "GWS.MEET.1.1v0.2", "Criticality": "Should", @@ -49,21 +66,19 @@ if { tests contains { "PolicyId": "GWS.MEET.1.1v0.2", "Criticality": "Should", - # Empty list in next line for non-compliant groups, as Meet settings can't be changed at the group level - "ReportDetails": utils.ReportDetails(NonCompliantOUs1_1, []), - "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_1}, + "ReportDetails": utils.ReportDetails(NonCompliantOUs1_1, NonCompliantGroups1_1), + "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_1, "NonCompliantGroups": NonCompliantGroups1_1}, "RequirementMet": Status, "NoSuchEvent": false } if { Events := utils.FilterEventsOU(LogEvents, "SafetyDomainLockProto users_allowed_to_join", utils.TopLevelOU) count(Events) > 0 - Status := count(NonCompliantOUs1_1) == 0 - # as long as it is not all, this is disabled. + Conditions := {count(NonCompliantOUs1_1) == 0, count(NonCompliantGroups1_1) == 0} + Status := (false in Conditions) == false } #-- - ############## # GWS.MEET.2 # ############## 
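Review bot: In NonCompliantGroups1_1 the line `LastEvent.NewValue != "DELETE_APPLICATION_SETTING"` cannot filter anything because it follows `LastEvent.NewValue == "ALL"`, so it is always true and reads as though removed group overrides were handled specially when they are not. Either drop it or replace it with a comment stating the intended semantics, e.g. `# Only the group's most recent event for this setting counts; a last event of DELETE_APPLICATION_SETTING presumably means the override was removed and the OU value applies, so it is not flagged — confirm against GetLastEvent`. The same dead guard appears in the 2_1, 3_1 and 4_1 group rules added by this patch. Since utils.GroupsWithEvents, utils.FilterEventsGroup and utils.GetLastEvent are defined outside this file, a one-line header comment on the rule describing that it evaluates per-group overrides of `SafetyDomainLockProto users_allowed_to_join` would help the next reader.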
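Review bot: The GWS.MEET.1.1 result in the second hunk still fires only when the top-level OU has events for `SafetyDomainLockProto users_allowed_to_join`, so a tenant whose OU setting was never touched but whose groups were set to `ALL` gets no non-compliant result from this rule; presumably the sibling rule whose start is cut off above the hunk then emits the NoSuchEvent "manual check" result and the group findings are dropped. Consider either gating on events in both scopes, e.g. `count(Events) + count(NonCompliantGroups1_1) > 0`, with the matching inverse change in the NoSuchEvent rule so exactly one result per PolicyId is still produced, or at least including NonCompliantGroups1_1 in that rule's ActualValue. The setting-name literal is now repeated in the group rule and in this rule; a package-level `SettingName1_1 := "SafetyDomainLockProto users_allowed_to_join"` would stop the two from drifting.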
@@ -91,6 +106,23 @@ if { LastEvent.NewValue != "DELETE_APPLICATION_SETTING" } +NonCompliantGroups2_1 contains { + "Name": Group, + "Value": concat(" ", [ + "What meetings can org users join is set to", + GetFriendlyValue2_1(LastEvent.NewValue) + ]) +} +if { + some Group in utils.GroupsWithEvents + SettingName := "SafetyAccessLockProto meetings_allowed_to_join" + Events := utils.FilterEventsGroup(LogEvents, SettingName, Group) + count(Events) > 0 + LastEvent := utils.GetLastEvent(Events) + LastEvent.NewValue == "ALL" + LastEvent.NewValue != "DELETE_APPLICATION_SETTING" +} + tests contains { "PolicyId": "GWS.MEET.2.1v0.2", "Criticality": "Shall", @@ -108,19 +140,19 @@ if { tests contains { "PolicyId": "GWS.MEET.2.1v0.2", "Criticality": "Shall", - "ReportDetails": utils.ReportDetails(NonCompliantOUs2_1, []), - "ActualValue": {"NonCompliantOUs": NonCompliantOUs2_1}, + "ReportDetails": utils.ReportDetails(NonCompliantOUs2_1, NonCompliantGroups2_1), + "ActualValue": {"NonCompliantOUs": NonCompliantOUs2_1, "NonCompliantGroups": NonCompliantGroups2_1}, "RequirementMet": Status, "NoSuchEvent": false } if { Events := utils.FilterEventsOU(LogEvents, "SafetyAccessLockProto meetings_allowed_to_join", utils.TopLevelOU) count(Events) > 0 - Status := count(NonCompliantOUs2_1) == 0 + Conditions := {count(NonCompliantOUs2_1) == 0, count(NonCompliantGroups2_1) == 0} + Status := (false in Conditions) == false } #-- - ############## # GWS.MEET.3 # ############## 
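Review bot: NonCompliantGroups2_1 flags a group only when its last event is exactly `ALL`, and the trailing `LastEvent.NewValue != "DELETE_APPLICATION_SETTING"` line can never reject anything after that equality, so the rule's real contract is narrower than it looks. If `ALL` is the only value for `SafetyAccessLockProto meetings_allowed_to_join` that violates 2.1, say so in a comment above the rule, e.g. `# ALL (any meeting, including ones created with personal accounts) is the only non-compliant value; anything else inherits or is compliant — confirm against GetFriendlyValue2_1`, and remove the dead guard. GetFriendlyValue2_1 is defined outside this hunk, so the mapping from `ALL` to the report text cannot be checked here.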
@@ -148,6 +180,23 @@ if { LastEvent.NewValue != "DELETE_APPLICATION_SETTING" } +NonCompliantGroups3_1 contains { + "Name": Group, + "Value": concat(" ", [ + "Host management when video calls start is set to", + GetFriendlyValue3_1(LastEvent.NewValue) + ]) +} +if { + some Group in utils.GroupsWithEvents + SettingName := "SafetyModerationLockProto host_management_enabled" + Events := utils.FilterEventsGroup(LogEvents, SettingName, Group) + count(Events) > 0 + LastEvent := utils.GetLastEvent(Events) + LastEvent.NewValue == "false" + LastEvent.NewValue != "DELETE_APPLICATION_SETTING" +} + tests contains { "PolicyId": "GWS.MEET.3.1v0.2", "Criticality": "Shall", @@ -165,15 +214,16 @@ if { tests contains { "PolicyId": "GWS.MEET.3.1v0.2", "Criticality": "Shall", - "ReportDetails": utils.ReportDetails(NonCompliantOUs3_1, []), - "ActualValue": {"NonCompliantOUs": NonCompliantOUs3_1}, + "ReportDetails": utils.ReportDetails(NonCompliantOUs3_1, NonCompliantGroups3_1), + "ActualValue": {"NonCompliantOUs": NonCompliantOUs3_1, "NonCompliantGroups": NonCompliantGroups3_1}, "RequirementMet": Status, "NoSuchEvent": false } if { Events := utils.FilterEventsOU(LogEvents, "SafetyModerationLockProto host_management_enabled", utils.TopLevelOU) count(Events) > 0 - Status := count(NonCompliantOUs3_1) == 0 + Conditions := {count(NonCompliantOUs3_1) == 0, count(NonCompliantGroups3_1) == 0} + Status := (false in Conditions) == false } #-- 
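Review bot: NonCompliantGroups3_1 compares `LastEvent.NewValue == "false"` against the string `"false"` rather than the boolean, which is correct because the log parameters carry NEW_VALUE as a string (the new tests feed `"true"`/`"false"` text), but nothing in the rule says so and a later maintainer may "fix" it to `false`. Add `# NEW_VALUE arrives as the string "false" in the admin log, not a boolean` above the comparison. The following `!= "DELETE_APPLICATION_SETTING"` line is dead after the equality and should be dropped or replaced by a comment on how a removed group override is treated.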
@@ -205,6 +255,23 @@ if { LastEvent.NewValue != "DELETE_APPLICATION_SETTING" } +NonCompliantGroups4_1 contains { + "Name": Group, + "Value": concat(" ", [ + "Warning label for external or unidentified meeting participants is set to", + GetFriendlyValue4_1(LastEvent.NewValue) + ]) +} +if { + some Group in utils.GroupsWithEvents + SettingName := "Warn for external participants External or unidentified participants in a meeting are given a label" + Events := utils.FilterEventsGroup(LogEvents, SettingName, Group) + count(Events) > 0 + LastEvent := utils.GetLastEvent(Events) + LastEvent.NewValue == "false" + LastEvent.NewValue != "DELETE_APPLICATION_SETTING" +} + tests contains { "PolicyId": "GWS.MEET.4.1v0.2", "Criticality": "Shall", @@ -223,8 +290,8 @@ if { tests contains { "PolicyId": "GWS.MEET.4.1v0.2", "Criticality": "Shall", - "ReportDetails": utils.ReportDetails(NonCompliantOUs4_1, []), - "ActualValue": {"NonCompliantOUs": NonCompliantOUs4_1}, + "ReportDetails": utils.ReportDetails(NonCompliantOUs4_1, NonCompliantGroups4_1), + "ActualValue": {"NonCompliantOUs": NonCompliantOUs4_1, "NonCompliantGroups": NonCompliantGroups4_1}, "RequirementMet": Status, "NoSuchEvent": false } @@ -232,7 +299,8 @@ if { SettingName := "Warn for external participants External or unidentified participants in a meeting are given a label" Events := utils.FilterEventsOU(LogEvents, SettingName, utils.TopLevelOU) count(Events) > 0 - Status := count(NonCompliantOUs4_1) == 0 + Conditions := {count(NonCompliantOUs4_1) == 0, count(NonCompliantGroups4_1) == 0} + Status := (false in Conditions) == false } #-- @@ -298,4 +366,4 @@ if { count(Events) > 0 Conditions := {count(NonCompliantOUs5_1) == 0, count(NonCompliantGroups5_1) == 0} Status := (false in Conditions) == false -} \ No newline at end of file +}
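Review bot: The long setting name `Warn for external participants External or unidentified participants in a meeting are given a label` is now written out verbatim in NonCompliantGroups4_1 and again in the GWS.MEET.4.1 result rule further down this patch; a one-character divergence between the two copies would silently make one of them match no events and report compliance. Hoist it once at package level, `SettingName4_1 := "Warn for external participants External or unidentified participants in a meeting are given a label"`, and reference that from both rules. As in the other new group rules, `LastEvent.NewValue != "DELETE_APPLICATION_SETTING"` is unreachable after `LastEvent.NewValue == "false"` and should be removed or turned into a comment on the intended handling of removed overrides.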