From 32bd22a7796612fda444dcc9dc8109dbd8602525 Mon Sep 17 00:00:00 2001 From: mitchelbaker-cisa Date: Mon, 23 Sep 2024 23:42:20 +0000 Subject: [PATCH] change sharepoint policy 4.2 to not implemented, update unit/functional tests --- .../ScubaGear/Rego/SharepointConfig.rego | 18 +++++++++--------- .../Rego/Sharepoint/SharepointBaseConfig.rego | 4 ---- .../Sharepoint/SharepointConfig_04_test.rego | 17 +++++------------ .../TestPlans/sharepoint.pnp.testplan.yaml | 11 +++-------- .../TestPlans/sharepoint.spo.testplan.yaml | 13 +++++-------- 5 files changed, 22 insertions(+), 41 deletions(-) diff --git a/PowerShell/ScubaGear/Rego/SharepointConfig.rego b/PowerShell/ScubaGear/Rego/SharepointConfig.rego index 7a0d351f1..78fb80c28 100644 --- a/PowerShell/ScubaGear/Rego/SharepointConfig.rego +++ b/PowerShell/ScubaGear/Rego/SharepointConfig.rego @@ -414,17 +414,17 @@ tests contains { # MS.SHAREPOINT.4.2v1 #-- -# 1 == Allow users to run custom script on self-service created sites -# 2 == Prevent users from running custom script on self-service created sites +# Microsoft has planned to remove the custom scripting configuration option +# from SharePoint and OneDrive. We are setting this policy to not-implemented +# and will likely remove it from the baseline in the next version. tests contains { - "PolicyId": "MS.SHAREPOINT.4.2v1", - "Criticality": "Shall", + "PolicyId": PolicyId, + "Criticality": "Shall/Not-Implemented", "Commandlet": ["Get-SPOSite", "Get-PnPTenantSite"], - "ActualValue": [SitePolicy.DenyAddAndCustomizePages], - "ReportDetails": ReportDetailsBoolean(Status), - "RequirementMet": Status + "ActualValue": [], + "ReportDetails": NotCheckedDeprecation, + "RequirementMet": false } if { - some SitePolicy in input.SPO_site - Status := SitePolicy.DenyAddAndCustomizePages == 2 + PolicyId := "MS.SHAREPOINT.4.2v1" } #-- 
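Review bot: The rewritten MS.SHAREPOINT.4.2v1 rule still lists `Get-SPOSite` and `Get-PnPTenantSite` under `"Commandlet"` although it no longer reads `input.SPO_site` and reports an empty `"ActualValue"`, so the report row suggests site data was evaluated when nothing was. I would change that line to `"Commandlet": [],` so the row matches what the rule does. Until the option is actually removed, a tenant may still allow custom script and this rule will not flag it; the added comment could say so, e.g. `# Custom script settings are not evaluated by this rule; verify them manually until the policy is removed.` `NotCheckedDeprecation` is not defined in this hunk, so its import is presumably elsewhere in the file and worth confirming.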
diff --git a/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointBaseConfig.rego b/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointBaseConfig.rego index 70c1938f8..3a7a9e6ce 100644 --- a/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointBaseConfig.rego +++ b/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointBaseConfig.rego @@ -12,8 +12,4 @@ SPOTenant := { "FolderAnonymousLinkType": 1, "EmailAttestationRequired": true, "EmailAttestationReAuthDays": 30 -} - -SPOSite := { - "DenyAddAndCustomizePages": 2 } \ No newline at end of file diff --git a/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointConfig_04_test.rego b/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointConfig_04_test.rego index 790b539c7..36b38bedf 100644 --- a/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointConfig_04_test.rego +++ b/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointConfig_04_test.rego @@ -2,8 +2,7 @@ package sharepoint_test import rego.v1 import data.sharepoint import data.utils.key.TestResult -import data.utils.key.FAIL -import data.utils.key.PASS +import data.utils.report.NotCheckedDeprecation @@ -11,16 +10,10 @@ import data.utils.key.PASS # Policy MS.SHAREPOINT.4.2v1 #-- test_DenyAddAndCustomizePages_Correct if { - Output := sharepoint.tests with input.SPO_site as [SPOSite] + PolicyId := "MS.SHAREPOINT.4.2v1" - TestResult("MS.SHAREPOINT.4.2v1", Output, PASS, true) == true -} - -test_DenyAddAndCustomizePages_Incorrect if { - Site := json.patch(SPOSite, [{"op": "add", "path": "DenyAddAndCustomizePages", "value": 1}]) - - Output := sharepoint.tests with input.SPO_site as [Site] - - TestResult("MS.SHAREPOINT.4.2v1", Output, FAIL, false) == true + Output := sharepoint.tests with input.SPO_tenant as [SPOTenant] + + TestResult(PolicyId, Output, NotCheckedDeprecation, false) == true } #-- 
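Review bot: `test_DenyAddAndCustomizePages_Correct` keeps a name that reads as a compliant-setting case, but in the second hunk of SharepointConfig_04_test.rego it now asserts the not-implemented result with `RequirementMet` false. Renaming it, for example to `test_CustomScript_NotImplemented`, would keep a failing run from being misread as a configuration regression. The `with input.SPO_tenant as [SPOTenant]` override looks unneeded, since the rule shown in this commit reads no input; a comment such as `# 4.2 is not evaluated; the result must not depend on input` would record that intent.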
diff --git a/Testing/Functional/Products/TestPlans/sharepoint.pnp.testplan.yaml b/Testing/Functional/Products/TestPlans/sharepoint.pnp.testplan.yaml index f2d5ef256..c2fedf597 100644 --- a/Testing/Functional/Products/TestPlans/sharepoint.pnp.testplan.yaml +++ b/Testing/Functional/Products/TestPlans/sharepoint.pnp.testplan.yaml @@ -400,13 +400,8 @@ TestPlan: - PolicyId: MS.SHAREPOINT.4.2v1 TestDriver: RunScuba Tests: - - TestDescription: MS.SHAREPOINT.4.2v1 Non-compliant DenyAddAndCustomizePages disabled - Preconditions: - - Command: "Set-PnPTenantSite -Identity $((Get-PnPTenantInstance).PortalUrl) -DenyAddAndCustomizePages:$false" + - TestDescription: MS.SHAREPOINT.4.2v1 Non-compliant DenyAddAndCustomizePages Not-Implemented + Preconditions: [] Postconditions: [] + IsNotChecked: true ExpectedResult: false - - TestDescription: MS.SHAREPOINT.4.2v1 Compliant DenyAddAndCustomizePages enabled - Preconditions: - - Command: "Set-PnPTenantSite -Identity $((Get-PnPTenantInstance).PortalUrl) -DenyAddAndCustomizePages" - Postconditions: [] - ExpectedResult: true diff --git a/Testing/Functional/Products/TestPlans/sharepoint.spo.testplan.yaml b/Testing/Functional/Products/TestPlans/sharepoint.spo.testplan.yaml index 37b2a47b5..24c53bb11 100644 --- a/Testing/Functional/Products/TestPlans/sharepoint.spo.testplan.yaml +++ b/Testing/Functional/Products/TestPlans/sharepoint.spo.testplan.yaml @@ -150,6 +150,8 @@ TestPlan: - Command: Set-SPOTenant Splat: SharingCapability: ExternalUserAndGuestSharing + - Command: Set-SPOTenant + Splat: DefaultSharingLinkType: AnonymousAccess Postconditions: [] ExpectedResult: false 
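Review bot: The remaining test case is described as `Non-compliant DenyAddAndCustomizePages Not-Implemented`, which mixes a compliance verdict with a not-checked outcome; the same wording appears in the MS.SHAREPOINT.4.2v1 hunk of sharepoint.spo.testplan.yaml. With `Preconditions: []` nothing is configured, so the case only confirms the not-checked row, and I would write `TestDescription: MS.SHAREPOINT.4.2v1 Not-Implemented (custom script setting is not evaluated)`. The test list continues outside the hunk.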
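Review bot: The added `Set-SPOTenant` precondition with `DefaultSharingLinkType: AnonymousAccess` in the first hunk of sharepoint.spo.testplan.yaml is unrelated to the 4.2 change named in the commit subject, and it sits beside `Postconditions: []`, so the test tenant stays on anonymous default sharing links after this case unless a later precondition resets it. The test case starts above the hunk, so the policy it belongs to is not visible here. If the setting is needed for that case, a comment saying why (`# default link type must be anonymous for this non-compliant case`) and a postcondition restoring the previous value would keep tenant state from leaking into later tests. Moving it to its own commit would also make the change easier to audit.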
@@ -400,13 +402,8 @@ TestPlan: - PolicyId: MS.SHAREPOINT.4.2v1 TestDriver: RunScuba Tests: - - TestDescription: MS.SHAREPOINT.4.2v1 Non-compliant DenyAddAndCustomizePages disabled - Preconditions: - - Command: '$Site=[System.Uri]((Get-SPOSite)[0].Url);Set-SPOSite -Identity "$($Site.Scheme)://$($Site.Authority)" -DenyAddAndCustomizePages:$false' + - TestDescription: MS.SHAREPOINT.4.2v1 Non-compliant DenyAddAndCustomizePages Not-Implemented + Preconditions: [] Postconditions: [] + IsNotChecked: true ExpectedResult: false - - TestDescription: MS.SHAREPOINT.4.2v1 Compliant DenyAddAndCustomizePages enabled - Preconditions: - - Command: '$Site=[System.Uri]((Get-SPOSite)[0].Url);Set-SPOSite -Identity "$($Site.Scheme)://$($Site.Authority)" -DenyAddAndCustomizePages:$true' - Postconditions: [] - ExpectedResult: true