Fix bug with msaad52v1 only admins consent to apps #1043

modified Rego policy 5.2 and unit tests to account for Microsoft updates to tenant output data
tkol2022 committed Mar 29, 2024
commit 21763d5b465ac1e3457e41f77a7b5581a586bb8a
49 changes: 3 additions & 46 deletions PowerShell/ScubaGear/Rego/AADConfig.rego
@@ -520,64 +520,26 @@
# MS.AAD.5.2v1
#--

# # Save the policy Id of any user allowed to consent to third
# # party applications
# BadDefaultGrantPolicies contains Policy.Id if {
# some Policy in input.authorization_policies
# # count(Policy.PermissionGrantPolicyIdsAssignedToDefaultUserRole) != 0
# "ManagePermissionGrantsForSelf.microsoft-user-default-legacy" in Policy.PermissionGrantPolicyIdsAssignedToDefaultUserRole
# }

# BadDefaultGrantPolicies contains Policy.Id if {
# some Policy in input.authorization_policies
# "ManagePermissionGrantsForSelf.microsoft-user-default-low" in Policy.PermissionGrantPolicyIdsAssignedToDefaultUserRole
# }

# # Get all policy Ids
# AllDefaultGrantPolicies contains {
# "DefaultUser_DefaultGrantPolicy": Policy.PermissionGrantPolicyIdsAssignedToDefaultUserRole,
# "PolicyId": Policy.Id
# } if {
# some Policy in input.authorization_policies
# }

# # If there is a policy that allows user to cconsent to third party apps, fail
# tests contains {
# "PolicyId": "MS.AAD.5.2v1",
# "Criticality": "Shall",
# "Commandlet": ["Get-MgBetaPolicyAuthorizationPolicy"],
# "ActualValue": {"all_grant_policy_values": AllDefaultGrantPolicies},
# "ReportDetails": ReportFullDetailsArray(BadPolicies, DescriptionStr),
# "RequirementMet": Status
# } if {
# print("got here 1")
# BadPolicies := BadDefaultGrantPolicies
# # print(count(BadPolicies))
# print("got here 2")
# Status := count(BadPolicies) == 0
# DescriptionStr := "authorization policies found that allow non-admin users to consent to third-party applications"
# }

# Return the Id if non-compliant user consent policies
BadDefaultGrantPolicies contains Policy.Id if {
some Policy in input.authorization_policies
# count(Policy.PermissionGrantPolicyIdsAssignedToDefaultUserRole) != 0
"ManagePermissionGrantsForSelf.microsoft-user-default-legacy" in Policy.PermissionGrantPolicyIdsAssignedToDefaultUserRole

}

BadDefaultGrantPolicies contains Policy.Id if {
some Policy in input.authorization_policies
"ManagePermissionGrantsForSelf.microsoft-user-default-low" in Policy.PermissionGrantPolicyIdsAssignedToDefaultUserRole

}

# Get all policy Ids
# Return all policy Ids
AllDefaultGrantPolicies contains {
"DefaultUser_DefaultGrantPolicy": Policy.PermissionGrantPolicyIdsAssignedToDefaultUserRole,
"PolicyId": Policy.Id
} if {
some Policy in input.authorization_policies
}

# If there is a policy that allows user to cconsent to third party apps, fail
# If there is a policy that allows user to consent to third party apps, fail
tests contains {
"PolicyId": "MS.AAD.5.2v1",
"Criticality": "Shall",
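Review bot: The two `BadDefaultGrantPolicies` rules match only the exact ids `ManagePermissionGrantsForSelf.microsoft-user-default-legacy` and `ManagePermissionGrantsForSelf.microsoft-user-default-low`, so any other `ManagePermissionGrantsForSelf.*` entry assigned to the default user role (a tenant-defined consent policy, if the tenant output can carry one there — worth confirming) would leave `RequirementMet` true even though non-admin consent is enabled. A prefix test covers both built-in ids and anything custom in a single rule, e.g. `some PolicyId in Policy.PermissionGrantPolicyIdsAssignedToDefaultUserRole` followed by `startswith(PolicyId, "ManagePermissionGrantsForSelf.")`. That form also resolves the CI line-length warnings on the two `in` lines, and the commented `# count(Policy.PermissionGrantPolicyIdsAssignedToDefaultUserRole) != 0` inside the first rule should be dropped if it is still present on the new side.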
@@ -586,13 +548,8 @@
"ReportDetails": ReportFullDetailsArray(BadPolicies, DescriptionStr),
"RequirementMet": Status
} if {
print("got here 1")
BadPolicies := BadDefaultGrantPolicies
# print(BadPolicies)
# print(count(BadPolicies))
# print("got here 2")
Status := count(BadPolicies) == 0
# print(Status)
DescriptionStr := "authorization policies found that allow non-admin users to consent to third-party applications"
}
#--
@@ -1033,7 +990,7 @@
"ReportDetails": ReportDetailsArrayLicenseWarning(GlobalAdminsWithoutActivationAlert, DescriptionString),
"RequirementMet": Status
} if {
DescriptionString := "role(s) or group(s) without notification e-mail configured for Global Administrator activations found"

Conditions := [
count(Aad2P2Licenses) > 0,
count(GlobalAdminsWithoutActivationAlert) == 0
9 changes: 0 additions & 9 deletions PowerShell/ScubaGear/Rego/Utils/AAD.rego
@@ -34,25 +34,16 @@ INT_MAX := 2147483647
# If the number of items is greater than our REPORTARRAYMAXCOUNT, the item list is
# truncated for readability purposes.
ReportFullDetailsArray(Array, String) := Description([ArraySizeStr(Array), String]) if {
print(Array)
print(count(Array))
count(Array) == 0
print(Description([ArraySizeStr(Array), String]))
print()
}

ReportFullDetailsArray(Array, String) := Details if {
print(Array)
print(count(Array))
count(Array) > 0
count(Array) <= REPORTARRAYMAXCOUNT
# print("got here in 2nd function")
Details := Description([
ArraySizeStr(Array),
concat(":<br/>", [String, concat(", ", Array)])
])
print("got breakpoint2 in 2nd function")
print(Details)
}

ReportFullDetailsArray(Array, String) := Details if {
108 changes: 54 additions & 54 deletions PowerShell/ScubaGear/Testing/Unit/Rego/AAD/AADConfig_05_test.rego
@@ -75,39 +75,39 @@ test_AllowedToCreateApps_Incorrect_V2 if {
#
# Policy MS.AAD.5.2v1
#--
# test_UserConsentNotAllowed_Correct if {
# Output := aad.tests with input as {
# "authorization_policies": [
# {
# "PermissionGrantPolicyIdsAssignedToDefaultUserRole": [
# "ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-chat",
# "ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-team"
# ],
# "Id": "authorizationPolicy"
# }
# ]
# }

# ReportDetailStr :=
# "0 authorization policies found that allow non-admin users to consent to third-party applications"
# TestResult("MS.AAD.5.2v1", Output, ReportDetailStr, true) == true
# }

# test_UserConsentNotAllowedEmptyDefaultUserArray_Correct if {
# Output := aad.tests with input as {
# "authorization_policies": [
# {
# "PermissionGrantPolicyIdsAssignedToDefaultUserRole": [
# ],
# "Id": "authorizationPolicy"
# }
# ]
# }

# ReportDetailStr :=
# "0 authorization policies found that allow non-admin users to consent to third-party applications"
# TestResult("MS.AAD.5.2v1", Output, ReportDetailStr, true) == true
# }
test_UserConsentNotAllowed_Correct if {
Output := aad.tests with input as {
"authorization_policies": [
{
"PermissionGrantPolicyIdsAssignedToDefaultUserRole": [
"ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-chat",
"ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-team"
],
"Id": "authorizationPolicy"
}
]
}

ReportDetailStr :=
"0 authorization policies found that allow non-admin users to consent to third-party applications"
TestResult("MS.AAD.5.2v1", Output, ReportDetailStr, true) == true
}

test_UserConsentNotAllowedEmptyDefaultUserArray_Correct if {
Output := aad.tests with input as {
"authorization_policies": [
{
"PermissionGrantPolicyIdsAssignedToDefaultUserRole": [
],
"Id": "authorizationPolicy"
}
]
}

ReportDetailStr :=
"0 authorization policies found that allow non-admin users to consent to third-party applications"
TestResult("MS.AAD.5.2v1", Output, ReportDetailStr, true) == true
}

test_UserConsentFromVerifiedPublishersAllowed_Incorrect if {
Output := aad.tests with input as {
@@ -131,27 +131,27 @@ test_UserConsentFromVerifiedPublishersAllowed_Incorrect if {
TestResult("MS.AAD.5.2v1", Output, ReportDetailStr, false) == true
}

# test_UserConsentAllowed_Incorrect if {
# Output := aad.tests with input as {
# "authorization_policies": [
# {
# "PermissionGrantPolicyIdsAssignedToDefaultUserRole": [
# "ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-chat",
# "ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-team",
# "ManagePermissionGrantsForSelf.microsoft-user-default-low"
# ],
# "Id": "authorizationPolicy"
# }
# ]
# }

# ReportDetailStr := concat("", [
# "1 authorization policies found that allow non-admin users to consent to third-party applications:",
# "<br/>Bad policy"
# ])

# TestResult("MS.AAD.5.2v1", Output, ReportDetailStr, false) == true
# }
test_UserConsentAllowed_Incorrect if {
Output := aad.tests with input as {
"authorization_policies": [
{
"PermissionGrantPolicyIdsAssignedToDefaultUserRole": [
"ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-chat",
"ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-team",
"ManagePermissionGrantsForSelf.microsoft-user-default-low"
],
"Id": "authorizationPolicy"
}
]
}

ReportDetailStr := concat("", [
"1 authorization policies found that allow non-admin users to consent to third-party applications:",
"<br/>authorizationPolicy"
])

TestResult("MS.AAD.5.2v1", Output, ReportDetailStr, false) == true
}
#--

#
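Review bot: `test_UserConsentAllowed_Incorrect` exercises only `ManagePermissionGrantsForSelf.microsoft-user-default-low`; no test in these hunks places `ManagePermissionGrantsForSelf.microsoft-user-default-legacy` in `PermissionGrantPolicyIdsAssignedToDefaultUserRole`, so the first `BadDefaultGrantPolicies` rule in AADConfig.rego is unverified unless `test_UserConsentFromVerifiedPublishersAllowed_Incorrect` (body outside this hunk) covers it. A copy of this test with the legacy id in place of `-low`, expecting the same `"1 authorization policies found …<br/>authorizationPolicy"` detail string, would pin that path. A case with two entries in `authorization_policies` would also confirm the report lists each `Id` rather than just the first.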
2 changes: 1 addition & 1 deletion Testing/RunUnitTests.ps1
@@ -156,7 +156,7 @@ function Invoke-ControlGroupItem {

elseif(Test-Path -Path $Filename.Fullname -PathType Leaf) {
Write-Output "`nTesting Control Group $ControlGroup"
..\opa_windows_amd64.exe test $RegoPolicyPath .\$($Filename.Fullname) $Flag
& $OPAExe test $RegoPolicyPath .\$($Filename.Fullname) $Flag
}
else {
Get-ErrorMsg FileIOError, $Filename
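Review bot: `& $OPAExe test …` on the new line invokes whatever `$OPAExe` holds without checking it; `Invoke-ControlGroupItem` starts outside the hunk, so if `$OPAExe` is a parameter or script variable set elsewhere, an unset or wrong value only fails at call time with an opaque error. A guard before the call such as `if (-not (Test-Path -Path $OPAExe -PathType Leaf)) { throw "OPA executable not found: $OPAExe" }` (or `[ValidateScript]` on the parameter) makes the failure explicit. The `.\` prefix on `$($Filename.Fullname)` is unchanged by this commit, but if `$Filename` is a `FileInfo`, `FullName` is already absolute and the prefix looks unneeded — worth confirming against how callers pass `$Filename`.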