From f928e8d9bc2a145dc8096bd348395be243504351 Mon Sep 17 00:00:00 2001
From: Ted Kolovos <107076927+tkol2022@users.noreply.github.com>
Date: Thu, 8 Aug 2024 15:31:47 -0400
Subject: [PATCH 1/2] changed Sharepoint policy 1.4 to not-implemented since it relies on deprecated field RequireAcceptingAccountMatchInvitedAccount

---
 .../ScubaGear/Rego/SharepointConfig.rego      | 27 +++-------
 .../ScubaGear/Rego/Utils/ReportDetails.rego   |  7 +++
 .../Rego/Sharepoint/SharepointBaseConfig.rego |  1 -
 .../Sharepoint/SharepointConfig_01_test.rego  | 45 ++---------------
 .../TestPlans/sharepoint.pnp.testplan.yaml    | 49 +------------------
 .../TestPlans/sharepoint.spo.testplan.yaml    | 49 +------------------
 6 files changed, 20 insertions(+), 158 deletions(-)

diff --git a/PowerShell/ScubaGear/Rego/SharepointConfig.rego b/PowerShell/ScubaGear/Rego/SharepointConfig.rego
index 3446b67b70..cea91ec62c 100644
--- a/PowerShell/ScubaGear/Rego/SharepointConfig.rego
+++ b/PowerShell/ScubaGear/Rego/SharepointConfig.rego
@@ -1,6 +1,7 @@
 package sharepoint
 import rego.v1
 import data.utils.report.NotCheckedDetails
+import data.utils.report.NotCheckedDeprecation
 import data.utils.report.CheckedSkippedDetails
 import data.utils.report.ReportDetailsBoolean
 import data.utils.report.ReportDetailsBooleanWarning
@@ -167,35 +168,19 @@ tests contains {
 
 # MS.SHAREPOINT.1.4v1
 #--
-# If SharingCapability is set to Only People In Organization
-# OR require account login to be the one on the invite enabled,
-# the policy should pass.
-tests contains {
-    "PolicyId": "MS.SHAREPOINT.1.4v1",
-    "Criticality": "Shall",
-    "Commandlet": ["Get-SPOTenant", "Get-PnPTenant"],
-    "ActualValue": [
-        Tenant.RequireAcceptingAccountMatchInvitedAccount,
-        SharingCapability
-    ],
-    "ReportDetails": ReportDetailsBoolean(Status),
-    "RequirementMet": Status
-} if {
-    SharingCapability != ONLYPEOPLEINORG
-    Status := Tenant.RequireAcceptingAccountMatchInvitedAccount == true
-}
-
+# Based on the fact that Microsoft has removed the setting from the admin center
+# and you cannot set the value RequireAcceptingAccountMatchInvitedAccount from Set-SPOTenant anymore,
+# we are setting this policy to not-implemented
+# and will likely remove it from the baseline in the next version.
 tests contains {
     "PolicyId": PolicyId,
     "Criticality": "Shall/Not-Implemented",
     "Commandlet": ["Get-SPOTenant", "Get-PnPTenant"],
     "ActualValue": [],
-    "ReportDetails": CheckedSkippedDetails(PolicyId, Reason),
+    "ReportDetails": NotCheckedDeprecation(PolicyId),
     "RequirementMet": false
 } if {
-    SharingCapability == ONLYPEOPLEINORG
     PolicyId := "MS.SHAREPOINT.1.4v1"
-    Reason := NAString(SliderSettings(0))
 }
 #--
 
diff --git a/PowerShell/ScubaGear/Rego/Utils/ReportDetails.rego b/PowerShell/ScubaGear/Rego/Utils/ReportDetails.rego
index 8cae3e9423..613f989c7b 100644
--- a/PowerShell/ScubaGear/Rego/Utils/ReportDetails.rego
+++ b/PowerShell/ScubaGear/Rego/Utils/ReportDetails.rego
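Review bot: The Not-Implemented rule keeps `"Commandlet": ["Get-SPOTenant", "Get-PnPTenant"]` while `"ActualValue": []` shows nothing is read from either, so the report tells the reader those cmdlets were consulted for a check that no longer evaluates anything; either empty the list or keep it on purpose and say so in the comment. The new comment explains why the check was dropped but not what now covers the original requirement (a guest must sign in with the invited account), and a tenant with external sharing enabled silently loses a Shall control here; if Microsoft now enforces the match unconditionally the comment should state it, for example `# The invite/account match is no longer tenant-configurable; confirm Microsoft enforces it by default before dropping the policy from the baseline.` If this was the only rule in the file using `CheckedSkippedDetails`, that import (still present in the first hunk) is now unused and `opa check --strict` will reject the file.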
@@ -44,6 +44,13 @@ NotCheckedDetails(PolicyId) := sprintf(
     [PolicyLink(PolicyId)]
 )
 
+# Use this when you need to make a policy not-implemented because of deprecation
+NotCheckedDeprecation(PolicyId) :=
+    concat(" ", [
+        "This configuration setting has been deprecated and we are in the process of removing it from the baseline."
+    ])
+
+
 # Note: Reason must include %v to reference policy in document.
 CheckedSkippedDetails(PolicyId, Reason) := sprintf(
     concat(" ", [Reason]), [PolicyLink(PolicyId)]
diff --git a/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointBaseConfig.rego b/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointBaseConfig.rego
index d94f3edf3e..70c1938f83 100644
--- a/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointBaseConfig.rego
+++ b/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointBaseConfig.rego
@@ -5,7 +5,6 @@ SPOTenant := {
     "SharingCapability": 0,
     "OneDriveSharingCapability": 0,
     "SharingDomainRestrictionMode": 0,
-    "RequireAcceptingAccountMatchInvitedAccount": false,
     "DefaultSharingLinkType": 1,
     "DefaultLinkPermission": 1,
     "RequireAnonymousLinksExpireInDays": 30,
diff --git a/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointConfig_01_test.rego b/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointConfig_01_test.rego
index 5656b2b9b2..39063222bd 100644
--- a/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointConfig_01_test.rego
+++ b/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointConfig_01_test.rego
@@ -2,6 +2,7 @@ package sharepoint_test
 import rego.v1
 import data.sharepoint
 import data.utils.report.NotCheckedDetails
+import data.utils.report.NotCheckedDeprecation
 import data.utils.report.CheckedSkippedDetails
 import data.utils.key.TestResult
 import data.utils.key.FAIL
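Review bot: The message in `NotCheckedDeprecation` is written relative to now ("we are in the process of removing it") and will read as stale whether the next release drops the policy or keeps it; a statement of fact ages better, e.g. `"This setting has been deprecated by Microsoft and is no longer evaluated; it is scheduled for removal from the baseline."`. The `concat(" ", [...])` around a single string is a no-op carried over from the multi-line helpers above it, so a plain string literal says the same thing with less ceremony. The hunk also adds two consecutive blank lines after `])`, where the surrounding helpers are separated by one.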
@@ -195,51 +196,11 @@ test_SharingDomainRestrictionMode_SharingCapability_Anyone_Incorrect if {
 #
 # Policy MS.SHAREPOINT.1.4v1
 #--
-test_SameAccount_NotApplicable_V1 if {
+test_RequireAcceptingAccountMatchInvitedAccount_NotImplemented_V1 if {
     PolicyId := "MS.SHAREPOINT.1.4v1"
 
     Output := sharepoint.tests with input.SPO_tenant as [SPOTenant]
 
-    ReportDetailsString := concat(" ", [
-        "This policy is only applicable if External Sharing",
-        "is set to any value other than Only People In Your Organization.",
-        "See %v for more info"
-    ])
-    TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailsString), false) == true
-}
-
-test_SameAccount_NotApplicable_V2 if {
-    PolicyId := "MS.SHAREPOINT.1.4v1"
-
-    Tenant := json.patch(SPOTenant, [{"op": "add", "path": "RequireAcceptingAccountMatchInvitedAccount", "value": true}])
-
-    Output := sharepoint.tests with input.SPO_tenant as [Tenant]
-
-    ReportDetailsString := concat(" ", [
-        "This policy is only applicable if External Sharing",
-        "is set to any value other than Only People In Your Organization.",
-        "See %v for more info"
-    ])
-    TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailsString), false) == true
-}
-
-test_SameAccount_Correct_V1 if {
-    Tenant := json.patch(SPOTenant,
-        [{"op": "add", "path": "RequireAcceptingAccountMatchInvitedAccount", "value": true},
-        {"op": "add", "path": "SharingCapability", "value": 1}])
-
-    Output := sharepoint.tests with input.SPO_tenant as [Tenant]
-
-    TestResult("MS.SHAREPOINT.1.4v1", Output, PASS, true) == true
-}
-
-test_SameAccount_Incorrect if {
-    Tenant := json.patch(SPOTenant,
-        [{"op": "add", "path": "RequireAcceptingAccountMatchInvitedAccount", "value": false},
-        {"op": "add", "path": "SharingCapability", "value": 1}])
-
-    Output := sharepoint.tests with input.SPO_tenant as [Tenant]
-
-    TestResult("MS.SHAREPOINT.1.4v1", Output, FAIL, false) == true
+    TestResult(PolicyId, Output, NotCheckedDeprecation(PolicyId), false) == true
 }
 #--
\ No newline at end of file
diff --git a/Testing/Functional/Products/TestPlans/sharepoint.pnp.testplan.yaml b/Testing/Functional/Products/TestPlans/sharepoint.pnp.testplan.yaml
index 08d0050e04..74a2f7b8a2 100644
--- a/Testing/Functional/Products/TestPlans/sharepoint.pnp.testplan.yaml
+++ b/Testing/Functional/Products/TestPlans/sharepoint.pnp.testplan.yaml
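Review bot: The single remaining test only checks the baseline fixture, so nothing pins that MS.SHAREPOINT.1.4v1 stays Not-Implemented when external sharing is on and the legacy field is present in the tenant data, which is exactly the shape the removed `test_SameAccount_Correct_V1`/`test_SameAccount_Incorrect` cases fed in; a regression that re-reads the field would go unnoticed. Add a second case built with `Tenant := json.patch(SPOTenant, [{"op": "add", "path": "SharingCapability", "value": 1}, {"op": "add", "path": "RequireAcceptingAccountMatchInvitedAccount", "value": false}])`, evaluated with `input.SPO_tenant as [Tenant]`, and the same `TestResult(PolicyId, Output, NotCheckedDeprecation(PolicyId), false) == true` expectation. If these were the only uses of `CheckedSkippedDetails` in this test file, that import in the earlier hunk is now unused and `opa check --strict` will flag it.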
@@ -95,53 +95,8 @@ TestPlan:
   - PolicyId: MS.SHAREPOINT.1.4v1
     TestDriver: RunScuba
     Tests:
-      - TestDescription: MS.SHAREPOINT.1.4v1 Non-compliant - SharingCapability = ExternalUserSharingOnly (New and existing guests); RequireAcceptingAccountMatchInvitedAccount = false
-        Preconditions:
-          - Command: Set-PnPTenant
-            Splat:
-              SharingCapability: ExternalUserSharingOnly
-              RequireAcceptingAccountMatchInvitedAccount: false
-        Postconditions: []
-        ExpectedResult: false
-      - TestDescription: MS.SHAREPOINT.1.4v1 Compliant - SharingCapability = ExternalUserAndGuestSharing (Anyone); RequireAcceptingAccountMatchInvitedAccount = true
-        Preconditions:
-          - Command: Set-PnPTenant
-            Splat:
-              SharingCapability: ExternalUserAndGuestSharing
-              RequireAcceptingAccountMatchInvitedAccount: true
-        Postconditions: []
-        ExpectedResult: true
-      - TestDescription: MS.SHAREPOINT.1.4v1 Compliant - SharingCapability = ExistingExternalUserSharingOnly (Existing guests); RequireAcceptingAccountMatchInvitedAccount = true
-        Preconditions:
-          - Command: Set-PnPTenant
-            Splat:
-              SharingCapability: ExistingExternalUserSharingOnly
-              RequireAcceptingAccountMatchInvitedAccount: true
-        Postconditions: []
-        ExpectedResult: true
-      - TestDescription: MS.SHAREPOINT.1.4v1 Compliant - SharingCapability = ExternalUserSharingOnly (New and existing guests); RequireAcceptingAccountMatchInvitedAccount = true
-        Preconditions:
-          - Command: Set-PnPTenant
-            Splat:
-              SharingCapability: ExternalUserSharingOnly
-              RequireAcceptingAccountMatchInvitedAccount: true
-        Postconditions: []
-        ExpectedResult: true
-      - TestDescription: MS.SHAREPOINT.1.4v1 Non-Applicable - SharingCapability = Disabled (Only people in organization); RequireAcceptingAccountMatchInvitedAccount = true
-        Preconditions:
-          - Command: Set-PnPTenant
-            Splat:
-              SharingCapability: Disabled
-              RequireAcceptingAccountMatchInvitedAccount: true
-        Postconditions: []
-        IsNotChecked: true
-        ExpectedResult: false
-      - TestDescription: MS.SHAREPOINT.1.4v1 Non-Applicable - SharingCapability = Disabled (Only people in organization); RequireAcceptingAccountMatchInvitedAccount = false
-        Preconditions:
-          - Command: Set-PnPTenant
-            Splat:
-              SharingCapability: Disabled
-              RequireAcceptingAccountMatchInvitedAccount: false
+      - TestDescription: MS.SHAREPOINT.1.4v1 RequireAcceptingAccountMatchInvitedAccount Not-Implemented
+        Preconditions: []
         Postconditions: []
         IsNotChecked: true
         ExpectedResult: false
diff --git a/Testing/Functional/Products/TestPlans/sharepoint.spo.testplan.yaml b/Testing/Functional/Products/TestPlans/sharepoint.spo.testplan.yaml
index 2b3b07c362..e36e9a5ed9 100644
--- a/Testing/Functional/Products/TestPlans/sharepoint.spo.testplan.yaml
+++ b/Testing/Functional/Products/TestPlans/sharepoint.spo.testplan.yaml
@@ -122,53 +122,8 @@ TestPlan:
   - PolicyId: MS.SHAREPOINT.1.4v1
     TestDriver: RunScuba
     Tests:
-      - TestDescription: MS.SHAREPOINT.1.4v1 Non-compliant - SharingCapability = ExternalUserSharingOnly (New and existing guests); RequireAcceptingAccountMatchInvitedAccount = false
-        Preconditions:
-          - Command: Set-SPOTenant
-            Splat:
-              SharingCapability: ExternalUserSharingOnly
-              RequireAcceptingAccountMatchInvitedAccount: false
-        Postconditions: []
-        ExpectedResult: false
-      - TestDescription: MS.SHAREPOINT.1.4v1 Compliant - SharingCapability = ExternalUserAndGuestSharing (Anyone); RequireAcceptingAccountMatchInvitedAccount = true
-        Preconditions:
-          - Command: Set-SPOTenant
-            Splat:
-              SharingCapability: ExternalUserAndGuestSharing
-              RequireAcceptingAccountMatchInvitedAccount: true
-        Postconditions: []
-        ExpectedResult: true
-      - TestDescription: MS.SHAREPOINT.1.4v1 Compliant - SharingCapability = ExistingExternalUserSharingOnly (Existing guests); RequireAcceptingAccountMatchInvitedAccount = true
-        Preconditions:
-          - Command: Set-SPOTenant
-            Splat:
-              SharingCapability: ExistingExternalUserSharingOnly
-              RequireAcceptingAccountMatchInvitedAccount: true
-        Postconditions: []
-        ExpectedResult: true
-      - TestDescription: MS.SHAREPOINT.1.4v1 Compliant - SharingCapability = ExternalUserSharingOnly (New and existing guests); RequireAcceptingAccountMatchInvitedAccount = true
-        Preconditions:
-          - Command: Set-SPOTenant
-            Splat:
-              SharingCapability: ExternalUserSharingOnly
-              RequireAcceptingAccountMatchInvitedAccount: true
-        Postconditions: []
-        ExpectedResult: true
-      - TestDescription: MS.SHAREPOINT.1.4v1 Non-Applicable - SharingCapability = Disabled (Only people in organization); RequireAcceptingAccountMatchInvitedAccount = true
-        Preconditions:
-          - Command: Set-SPOTenant
-            Splat:
-              SharingCapability: Disabled
-              RequireAcceptingAccountMatchInvitedAccount: true
-        Postconditions: []
-        IsNotChecked: true
-        ExpectedResult: false
-      - TestDescription: MS.SHAREPOINT.1.4v1 Non-Applicable - SharingCapability = Disabled (Only people in organization); RequireAcceptingAccountMatchInvitedAccount = false
-        Preconditions:
-          - Command: Set-SPOTenant
-            Splat:
-              SharingCapability: Disabled
-              RequireAcceptingAccountMatchInvitedAccount: false
+      - TestDescription: MS.SHAREPOINT.1.4v1 RequireAcceptingAccountMatchInvitedAccount Not-Implemented
+        Preconditions: []
         Postconditions: []
         IsNotChecked: true
         ExpectedResult: false

From b18266206b64731d501c4053c8dff1de9b58c24b Mon Sep 17 00:00:00 2001
From: Ted Kolovos <107076927+tkol2022@users.noreply.github.com>
Date: Fri, 9 Aug 2024 17:47:36 -0400
Subject: [PATCH 2/2] removed unnecessary parameter from NotCheckedDeprecation ruleset

---
 PowerShell/ScubaGear/Rego/SharepointConfig.rego                        | 2 +-
 PowerShell/ScubaGear/Rego/Utils/ReportDetails.rego                     | 2 +-
 .../Testing/Unit/Rego/Sharepoint/SharepointConfig_01_test.rego         | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/PowerShell/ScubaGear/Rego/SharepointConfig.rego b/PowerShell/ScubaGear/Rego/SharepointConfig.rego
index cea91ec62c..8dca19f1bd 100644
--- a/PowerShell/ScubaGear/Rego/SharepointConfig.rego
+++ b/PowerShell/ScubaGear/Rego/SharepointConfig.rego
@@ -177,7 +177,7 @@ tests contains {
     "Criticality": "Shall/Not-Implemented",
     "Commandlet": ["Get-SPOTenant", "Get-PnPTenant"],
     "ActualValue": [],
-    "ReportDetails": NotCheckedDeprecation(PolicyId),
+    "ReportDetails": NotCheckedDeprecation,
     "RequirementMet": false
 } if {
     PolicyId := "MS.SHAREPOINT.1.4v1"
diff --git a/PowerShell/ScubaGear/Rego/Utils/ReportDetails.rego b/PowerShell/ScubaGear/Rego/Utils/ReportDetails.rego
index 613f989c7b..7ed82207f8 100644
--- a/PowerShell/ScubaGear/Rego/Utils/ReportDetails.rego
+++ b/PowerShell/ScubaGear/Rego/Utils/ReportDetails.rego
@@ -45,7 +45,7 @@ NotCheckedDetails(PolicyId) := sprintf(
 )
 
 # Use this when you need to make a policy not-implemented because of deprecation
-NotCheckedDeprecation(PolicyId) :=
+NotCheckedDeprecation :=
     concat(" ", [
         "This configuration setting has been deprecated and we are in the process of removing it from the baseline."
     ])
diff --git a/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointConfig_01_test.rego b/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointConfig_01_test.rego
index 39063222bd..3ae76b0de2 100644
--- a/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointConfig_01_test.rego
+++ b/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointConfig_01_test.rego
@@ -201,6 +201,6 @@ test_RequireAcceptingAccountMatchInvitedAccount_NotImplemented_V1 if {
 
     Output := sharepoint.tests with input.SPO_tenant as [SPOTenant]
 
-    TestResult(PolicyId, Output, NotCheckedDeprecation(PolicyId), false) == true
+    TestResult(PolicyId, Output, NotCheckedDeprecation, false) == true
 }
 #--
\ No newline at end of file
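Review bot: Dropping the `PolicyId` parameter removes the only way to put the baseline link into the message, so `NotCheckedDeprecation` becomes the one report helper here that gives the reader no pointer to the policy text, unlike `NotCheckedDetails` directly above it, whose body starts outside the hunk. Using the parameter instead of deleting it is the more consistent fix: `NotCheckedDeprecation(PolicyId) := sprintf(concat(" ", ["This configuration setting has been deprecated and we are in the process of removing it from the baseline.", "See %v for more info"]), [PolicyLink(PolicyId)])`, which also leaves the call site in SharepointConfig.rego and the unit test unchanged from patch 1. If the rule is meant to stay a constant, the `concat(" ", [...])` around a single string is redundant and a plain string literal is clearer.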