Changed Sharepoint policy 1.4 to not-implemented since it relies on d…

…eprecated field RequireAcceptingAccountMatchInvitedAccount (#1270) * changed Sharepoint policy 1.4 to not-implemented since it relies on deprecated field RequireAcceptingAccountMatchInvitedAccount * removed unnecessary parameter from NotCheckedDeprecation ruleset
cisagov · Aug 12, 2024 · a66e4df · a66e4df
1 parent 2e945ba
commit a66e4df
Show file tree

Hide file tree

Showing 6 changed files with 20 additions and 158 deletions.
diff --git a/PowerShell/ScubaGear/Rego/SharepointConfig.rego b/PowerShell/ScubaGear/Rego/SharepointConfig.rego
@@ -1,6 +1,7 @@
 package sharepoint
 import rego.v1
 import data.utils.report.NotCheckedDetails
+import data.utils.report.NotCheckedDeprecation
 import data.utils.report.CheckedSkippedDetails
 import data.utils.report.ReportDetailsBoolean
 import data.utils.report.ReportDetailsBooleanWarning
@@ -167,35 +168,19 @@ tests contains {
 # MS.SHAREPOINT.1.4v1
 #--
 
-# If SharingCapability is set to Only People In Organization
-# OR require account login to be the one on the invite enabled,
-# the policy should pass.
-tests contains {
-    "PolicyId": "MS.SHAREPOINT.1.4v1",
-    "Criticality": "Shall",
-    "Commandlet": ["Get-SPOTenant", "Get-PnPTenant"],
-    "ActualValue": [
-        Tenant.RequireAcceptingAccountMatchInvitedAccount,
-        SharingCapability
-    ],
-    "ReportDetails": ReportDetailsBoolean(Status),
-    "RequirementMet": Status
-} if {
-    SharingCapability != ONLYPEOPLEINORG
-    Status := Tenant.RequireAcceptingAccountMatchInvitedAccount == true
-}
-
+# Based on the fact that Microsoft has removed the setting from the admin center
+# and you cannot set the value RequireAcceptingAccountMatchInvitedAccount from Set-SPOTenant anymore, 
+# we are setting this policy to not-implemented
+# and will likely remove it from the baseline in the next version.
 tests contains {
     "PolicyId": PolicyId,
     "Criticality": "Shall/Not-Implemented",
     "Commandlet": ["Get-SPOTenant", "Get-PnPTenant"],
     "ActualValue": [],
-    "ReportDetails": CheckedSkippedDetails(PolicyId, Reason),
+    "ReportDetails": NotCheckedDeprecation,
     "RequirementMet": false
 } if {
-    SharingCapability == ONLYPEOPLEINORG
     PolicyId := "MS.SHAREPOINT.1.4v1"
-    Reason := NAString(SliderSettings(0))
 }
 #--
 

diff --git a/PowerShell/ScubaGear/Rego/Utils/ReportDetails.rego b/PowerShell/ScubaGear/Rego/Utils/ReportDetails.rego
@@ -44,6 +44,13 @@ NotCheckedDetails(PolicyId) := sprintf(
     [PolicyLink(PolicyId)]
 )
 
+# Use this when you need to make a policy not-implemented because of deprecation
+NotCheckedDeprecation :=
+    concat(" ", [
+    "This configuration setting has been deprecated and we are in the process of removing it from the baseline."
+    ])
+
+
 # Note: Reason must include %v to reference policy in document.
 CheckedSkippedDetails(PolicyId, Reason) := sprintf(
     concat(" ", [Reason]), [PolicyLink(PolicyId)]

diff --git a/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointBaseConfig.rego b/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointBaseConfig.rego
@@ -5,7 +5,6 @@ SPOTenant := {
     "SharingCapability": 0,
     "OneDriveSharingCapability": 0,
     "SharingDomainRestrictionMode": 0,
-    "RequireAcceptingAccountMatchInvitedAccount": false,
     "DefaultSharingLinkType": 1,
     "DefaultLinkPermission": 1,
     "RequireAnonymousLinksExpireInDays": 30,

diff --git a/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointConfig_01_test.rego b/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointConfig_01_test.rego
@@ -2,6 +2,7 @@ package sharepoint_test
 import rego.v1
 import data.sharepoint
 import data.utils.report.NotCheckedDetails
+import data.utils.report.NotCheckedDeprecation
 import data.utils.report.CheckedSkippedDetails
 import data.utils.key.TestResult
 import data.utils.key.FAIL
@@ -195,51 +196,11 @@ test_SharingDomainRestrictionMode_SharingCapability_Anyone_Incorrect if {
 #
 # Policy MS.SHAREPOINT.1.4v1
 #--
-test_SameAccount_NotApplicable_V1 if {
+test_RequireAcceptingAccountMatchInvitedAccount_NotImplemented_V1 if {
     PolicyId := "MS.SHAREPOINT.1.4v1"
 
     Output := sharepoint.tests with input.SPO_tenant as [SPOTenant]
 
-    ReportDetailsString := concat(" ", [
-        "This policy is only applicable if External Sharing",
-        "is set to any value other than Only People In Your Organization.",
-        "See %v for more info"
-        ])
-    TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailsString), false) == true
-}
-
-test_SameAccount_NotApplicable_V2 if {
-    PolicyId := "MS.SHAREPOINT.1.4v1"
-
-    Tenant := json.patch(SPOTenant, [{"op": "add", "path": "RequireAcceptingAccountMatchInvitedAccount", "value": true}])
-
-    Output := sharepoint.tests with input.SPO_tenant as [Tenant]
-
-    ReportDetailsString := concat(" ", [
-        "This policy is only applicable if External Sharing",
-        "is set to any value other than Only People In Your Organization.",
-        "See %v for more info"
-        ])
-    TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailsString), false) == true
-}
-
-test_SameAccount_Correct_V1 if {
-    Tenant := json.patch(SPOTenant,
-                [{"op": "add", "path": "RequireAcceptingAccountMatchInvitedAccount", "value": true},
-                {"op": "add", "path": "SharingCapability", "value": 1}])
-
-    Output := sharepoint.tests with input.SPO_tenant as [Tenant]
-
-    TestResult("MS.SHAREPOINT.1.4v1", Output, PASS, true) == true
-}
-
-test_SameAccount_Incorrect if {
-    Tenant := json.patch(SPOTenant,
-                [{"op": "add", "path": "RequireAcceptingAccountMatchInvitedAccount", "value": false},
-                {"op": "add", "path": "SharingCapability", "value": 1}])
-
-    Output := sharepoint.tests with input.SPO_tenant as [Tenant]
-
-    TestResult("MS.SHAREPOINT.1.4v1", Output, FAIL, false) == true
+    TestResult(PolicyId, Output, NotCheckedDeprecation, false) == true
 }
 #--
diff --git a/Testing/Functional/Products/TestPlans/sharepoint.pnp.testplan.yaml b/Testing/Functional/Products/TestPlans/sharepoint.pnp.testplan.yaml
@@ -95,53 +95,8 @@ TestPlan:
   - PolicyId: MS.SHAREPOINT.1.4v1
     TestDriver: RunScuba
     Tests:
-      - TestDescription: MS.SHAREPOINT.1.4v1 Non-compliant - SharingCapability = ExternalUserSharingOnly (New and existing guests); RequireAcceptingAccountMatchInvitedAccount = false
-        Preconditions:
-          - Command: Set-PnPTenant
-            Splat:
-              SharingCapability: ExternalUserSharingOnly
-              RequireAcceptingAccountMatchInvitedAccount: false
-        Postconditions: []
-        ExpectedResult: false
-      - TestDescription: MS.SHAREPOINT.1.4v1 Compliant - SharingCapability = ExternalUserAndGuestSharing (Anyone); RequireAcceptingAccountMatchInvitedAccount = true
-        Preconditions:
-          - Command: Set-PnPTenant
-            Splat:
-              SharingCapability: ExternalUserAndGuestSharing
-              RequireAcceptingAccountMatchInvitedAccount: true
-        Postconditions: []
-        ExpectedResult: true
-      - TestDescription: MS.SHAREPOINT.1.4v1 Compliant - SharingCapability = ExistingExternalUserSharingOnly (Existing guests); RequireAcceptingAccountMatchInvitedAccount = true
-        Preconditions:
-          - Command: Set-PnPTenant
-            Splat:
-              SharingCapability: ExistingExternalUserSharingOnly
-              RequireAcceptingAccountMatchInvitedAccount: true
-        Postconditions: []
-        ExpectedResult: true
-      - TestDescription: MS.SHAREPOINT.1.4v1 Compliant - SharingCapability = ExternalUserSharingOnly (New and existing guests); RequireAcceptingAccountMatchInvitedAccount = true
-        Preconditions:
-          - Command: Set-PnPTenant
-            Splat:
-              SharingCapability: ExternalUserSharingOnly
-              RequireAcceptingAccountMatchInvitedAccount: true
-        Postconditions: []
-        ExpectedResult: true
-      - TestDescription: MS.SHAREPOINT.1.4v1 Non-Applicable - SharingCapability = Disabled (Only people in organization); RequireAcceptingAccountMatchInvitedAccount = true
-        Preconditions:
-          - Command: Set-PnPTenant
-            Splat:
-              SharingCapability: Disabled
-              RequireAcceptingAccountMatchInvitedAccount: true
-        Postconditions: []
-        IsNotChecked: true
-        ExpectedResult: false
-      - TestDescription: MS.SHAREPOINT.1.4v1 Non-Applicable - SharingCapability = Disabled (Only people in organization); RequireAcceptingAccountMatchInvitedAccount = false
-        Preconditions:
-          - Command: Set-PnPTenant
-            Splat:
-              SharingCapability: Disabled
-              RequireAcceptingAccountMatchInvitedAccount: false
+      - TestDescription: MS.SHAREPOINT.1.4v1 RequireAcceptingAccountMatchInvitedAccount Not-Implemented
+        Preconditions: []
         Postconditions: []
         IsNotChecked: true
         ExpectedResult: false

diff --git a/Testing/Functional/Products/TestPlans/sharepoint.spo.testplan.yaml b/Testing/Functional/Products/TestPlans/sharepoint.spo.testplan.yaml
@@ -122,53 +122,8 @@ TestPlan:
   - PolicyId: MS.SHAREPOINT.1.4v1
     TestDriver: RunScuba
     Tests:
-      - TestDescription: MS.SHAREPOINT.1.4v1 Non-compliant - SharingCapability = ExternalUserSharingOnly (New and existing guests); RequireAcceptingAccountMatchInvitedAccount = false
-        Preconditions:
-          - Command: Set-SPOTenant
-            Splat:
-              SharingCapability: ExternalUserSharingOnly
-              RequireAcceptingAccountMatchInvitedAccount: false
-        Postconditions: []
-        ExpectedResult: false
-      - TestDescription: MS.SHAREPOINT.1.4v1 Compliant - SharingCapability = ExternalUserAndGuestSharing (Anyone); RequireAcceptingAccountMatchInvitedAccount = true
-        Preconditions:
-          - Command: Set-SPOTenant
-            Splat:
-              SharingCapability: ExternalUserAndGuestSharing
-              RequireAcceptingAccountMatchInvitedAccount: true
-        Postconditions: []
-        ExpectedResult: true
-      - TestDescription: MS.SHAREPOINT.1.4v1 Compliant - SharingCapability = ExistingExternalUserSharingOnly (Existing guests); RequireAcceptingAccountMatchInvitedAccount = true
-        Preconditions:
-          - Command: Set-SPOTenant
-            Splat:
-              SharingCapability: ExistingExternalUserSharingOnly
-              RequireAcceptingAccountMatchInvitedAccount: true
-        Postconditions: []
-        ExpectedResult: true
-      - TestDescription: MS.SHAREPOINT.1.4v1 Compliant - SharingCapability = ExternalUserSharingOnly (New and existing guests); RequireAcceptingAccountMatchInvitedAccount = true
-        Preconditions:
-          - Command: Set-SPOTenant
-            Splat:
-              SharingCapability: ExternalUserSharingOnly
-              RequireAcceptingAccountMatchInvitedAccount: true
-        Postconditions: []
-        ExpectedResult: true
-      - TestDescription: MS.SHAREPOINT.1.4v1 Non-Applicable - SharingCapability = Disabled (Only people in organization); RequireAcceptingAccountMatchInvitedAccount = true
-        Preconditions:
-          - Command: Set-SPOTenant
-            Splat:
-              SharingCapability: Disabled
-              RequireAcceptingAccountMatchInvitedAccount: true
-        Postconditions: []
-        IsNotChecked: true
-        ExpectedResult: false
-      - TestDescription: MS.SHAREPOINT.1.4v1 Non-Applicable - SharingCapability = Disabled (Only people in organization); RequireAcceptingAccountMatchInvitedAccount = false
-        Preconditions:
-          - Command: Set-SPOTenant
-            Splat:
-              SharingCapability: Disabled
-              RequireAcceptingAccountMatchInvitedAccount: false
+      - TestDescription: MS.SHAREPOINT.1.4v1 RequireAcceptingAccountMatchInvitedAccount Not-Implemented
+        Preconditions: []
         Postconditions: []
         IsNotChecked: true
         ExpectedResult: false