diff --git a/PowerShell/ScubaGear/Modules/Providers/ExportSharePointProvider.psm1 b/PowerShell/ScubaGear/Modules/Providers/ExportSharePointProvider.psm1
index 1dbe7f9aa6..31b4ff7227 100644
--- a/PowerShell/ScubaGear/Modules/Providers/ExportSharePointProvider.psm1
+++ b/PowerShell/ScubaGear/Modules/Providers/ExportSharePointProvider.psm1
@@ -36,14 +36,14 @@ function Export-SharePointProvider {
 $UsedPnP = ConvertTo-Json $false
 if ($PnPFlag) {
 $SPOTenant = ConvertTo-Json @($Tracker.TryCommand("Get-PnPTenant"))
- $SPOSite = ConvertTo-Json @($Tracker.TryCommand("Get-PnPTenantSite",@{"Identity"="$($SPOSiteIdentity)"; "Detailed"=$true}) | Select-Object -Property *)
+ $SPOSite = ConvertTo-Json @($Tracker.TryCommand("Get-PnPTenantSite",@{"Identity"="$($SPOSiteIdentity)";}) | Select-Object -Property *)
 $Tracker.AddSuccessfulCommand("Get-SPOTenant")
 $Tracker.AddSuccessfulCommand("Get-SPOSite")
 $UsedPnP = ConvertTo-Json $true
 } else {
 $SPOTenant = ConvertTo-Json @($Tracker.TryCommand("Get-SPOTenant"))
- $SPOSite = ConvertTo-Json @($Tracker.TryCommand("Get-SPOSite", @{"Identity"="$($SPOSiteIdentity)"; "Detailed"=$true}) | Select-Object -Property *)
+ $SPOSite = ConvertTo-Json @($Tracker.TryCommand("Get-SPOSite", @{"Identity"="$($SPOSiteIdentity)";}) | Select-Object -Property *)
 $Tracker.AddSuccessfulCommand("Get-PnPTenant")
 $Tracker.AddSuccessfulCommand("Get-PnPTenantSite")
 }
diff --git a/PowerShell/ScubaGear/Rego/SharepointConfig.rego b/PowerShell/ScubaGear/Rego/SharepointConfig.rego
index 8dca19f1bd..78fb80c28b 100644
--- a/PowerShell/ScubaGear/Rego/SharepointConfig.rego
+++ b/PowerShell/ScubaGear/Rego/SharepointConfig.rego
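Review bot: Both rewritten `$SPOSite` lines keep a trailing separator in the hashtable literal after `Detailed` was removed, `@{"Identity"="$($SPOSiteIdentity)";}`; `@{"Identity"="$($SPOSiteIdentity)"}` is the intended form and would not read as a half-finished edit. Nothing in the hunk records why `Detailed` was dropped, and without it the site cmdlets return their summary property set, so a rule that later reads a detailed-only site property would get nothing back without any error; a comment above the PnP call such as `# Detailed site properties are no longer required; MS.SHAREPOINT.4.2v1 no longer reads DenyAddAndCustomizePages` would keep that from being re-added or relied on by accident. Export-SharePointProvider starts before and continues after the hunk.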
@@ -41,18 +41,19 @@ Tenant := input.SPO_tenant[0] if { SharingCapability := Tenant.SharingCapability -SharingString := concat("", [ - "External Sharing is set to ", - SliderSettings(SharingCapability), - "." -]) +NAString(SharingSetting, Negation) := concat("", [ + "This policy is only applicable if the external sharing slider on the admin page is set to ", + SharingSetting, + ". ", + "See %v for more info" +]) if Negation == false +else := concat("", [ + "This policy is only applicable if the external sharing slider on the admin page is not set to ", + SharingSetting, + ". ", + "See %v for more info" +]) if Negation == true -NAString(SharingSetting) := concat("", [ - "This policy is only applicable if External Sharing is set to any value other than ", - SharingSetting, - ". ", - "See %v for more info" - ]) ################### @@ -160,7 +161,7 @@ tests contains { } if { SharingCapability == ONLYPEOPLEINORG PolicyId := "MS.SHAREPOINT.1.3v1" - Reason := NAString(SliderSettings(0)) + Reason := NAString(SliderSettings(0), true) } #-- @@ -237,9 +238,7 @@ tests contains { ErrStr := concat(" ", [ "Requirement not met:", - "External Sharing is set to", - SliderSettings(SharingCapability), - "and expiration date is not set to 30 days or less." + "total expiration days are not set to 30 days or less" ]) # Standard test to compare against baseline @@ -256,7 +255,11 @@ tests contains { "RequirementMet": Status } if { SharingCapability == ANYONE - Status := Tenant.RequireAnonymousLinksExpireInDays <= 30 + Conditions := [ + Tenant.RequireAnonymousLinksExpireInDays >= 1, + Tenant.RequireAnonymousLinksExpireInDays <= 30 + ] + Status := count(FilterArray(Conditions, true)) == 2 } # Test for N/A case @@ -270,7 +273,7 @@ tests contains { } if { PolicyId := "MS.SHAREPOINT.3.1v1" SharingCapability != ANYONE - Reason := NAString(SliderSettings(2)) + Reason := NAString(SliderSettings(2), false) } #-- 
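Review bot: The two bodies of the new `NAString(SharingSetting, Negation)` differ only in `not set` versus `set`, and the second is guarded by `if Negation == true` even though `else` already covers everything the first guard rejected; for any non-boolean `Negation` the function is undefined and the calling `tests` rule silently yields no entry, which is easy to miss. Reducing it to one body with the negation word selected from `Negation` keeps the message text in one place, and a comment at the definition such as `# Negation == true: the message says the slider is NOT set to SharingSetting` would explain the positional boolean that call sites pass as a bare `true`/`false`.
```rego
# Negation == true: the message says the slider is NOT set to SharingSetting
NAString(SharingSetting, Negation) := concat("", [
    "This policy is only applicable if the external sharing slider on the admin page is ",
    NotWord,
    "set to ",
    SharingSetting,
    ". ",
    "See %v for more info"
]) if {
    NotWord := {true: "not ", false: ""}[Negation]
}
```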
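Review bot: The N/A reason for MS.SHAREPOINT.1.3v1 is built as `NAString(SliderSettings(0), true)` while the guard one line above compares against the named constant `ONLYPEOPLEINORG`, so the condition and its explanation have to be kept in sync by hand; the same pairing appears in the `@@ -270,7` hunk (`ANYONE` next to `SliderSettings(2)`) and in the `@@ -405,10` hunk of the next section (`ANYONE, NEWANDEXISTINGGUESTS` next to `SliderSettings(2)` and `SliderSettings(1)`). If those constants hold the numeric slider values that `SliderSettings` indexes, as the unit-test inputs (`SharingCapability` 2 for Anyone) suggest, writing `Reason := NAString(SliderSettings(ONLYPEOPLEINORG), true)` and likewise `SliderSettings(ANYONE)` / `SliderSettings(NEWANDEXISTINGGUESTS)` removes the duplicated magic numbers. The enclosing `tests contains` rule starts outside the hunk.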
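Review bot: The new pass condition for MS.SHAREPOINT.3.1v1 requires `RequireAnonymousLinksExpireInDays` to lie between 1 and 30, but the failure text introduced in the `@@ -237,9` hunk still says `total expiration days are not set to 30 days or less`, which is untrue for the 0 and negative values the change deliberately fails (0 is the "Anyone links do not expire" state according to the new unit test). Wording the message to match the check, for instance `"anonymous link expiration is not set to a value between 1 and 30 days"`, tells the reader what actually has to change; the three expectations in SharepointConfig_03_test.rego that quote the string would need the same update. The `tests contains` rule holding the `Conditions` list starts outside the `@@ -256,7` hunk.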
@@ -300,7 +303,7 @@ FileAndFolderLinkPermission(2, 1) := concat(": ", [ ]) # This policy is only applicable if external sharing is set to "Anyone" -# Both link types must be 1 & OneDrive_PnP_Flag must be false for policy to pass +# Both link types must be 1 for policy to pass tests contains { "PolicyId": "MS.SHAREPOINT.3.2v1", "Criticality": "Shall", @@ -309,7 +312,6 @@ tests contains { "ReportDetails": FileAndFolderLinkPermission(FileLinkType, FolderLinkType), "RequirementMet": Status } if { - input.OneDrive_PnP_Flag == false SharingCapability == ANYONE FileLinkType := Tenant.FileAnonymousLinkType @@ -331,24 +333,12 @@ tests contains { "RequirementMet": false } if { PolicyId := "MS.SHAREPOINT.3.2v1" - input.OneDrive_PnP_Flag == false SharingCapability != ANYONE - Reason := NAString(SliderSettings(2)) -} - -tests contains { - "PolicyId": PolicyId, - "Criticality": "Shall/Not-Implemented", - "Commandlet": [], - "ActualValue": [], - "ReportDetails": NotCheckedDetails(PolicyId), - "RequirementMet": false -} if { - PolicyId := "MS.SHAREPOINT.3.2v1" - input.OneDrive_PnP_Flag == true + Reason := NAString(SliderSettings(2), false) } #-- + # # MS.SHAREPOINT.3.3v1 #-- @@ -405,10 +395,14 @@ tests contains { } if { PolicyId := "MS.SHAREPOINT.3.3v1" not SharingCapability in [ANYONE, NEWANDEXISTINGGUESTS] - Reason := concat(" ", [ - SharingString, - NAString(concat(" ", [SliderSettings(0), "or", SliderSettings(3)])) - ]) + Reason := NAString( + concat(" ", [ + SliderSettings(2), + "or", + SliderSettings(1) + ]), + false + ) } #-- 
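Review bot: The updated comment `# Both link types must be 1 for policy to pass` still leaves 1 as an unexplained magic value even though the new unit tests spell out the enum meaning (1 is View, 2 is Edit); `# Both link types must be 1 (View) for the policy to pass` carries that into the rule itself. With `input.OneDrive_PnP_Flag == false` removed from the body in the `@@ -309,7` hunk the rule now evaluates under both the SPO and the PnP provider paths, which deserves a sentence in the same comment so the next reader does not go looking for the flag. The `tests contains` rule continues outside the hunk.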
@@ -420,17 +414,17 @@ tests contains { # MS.SHAREPOINT.4.2v1 #-- -# 1 == Allow users to run custom script on self-service created sites -# 2 == Prevent users from running custom script on self-service created sites +# Microsoft has planned to remove the custom scripting configuration option +# from SharePoint and OneDrive. We are setting this policy to not-implemented +# and will likely remove it from the baseline in the next version. tests contains { - "PolicyId": "MS.SHAREPOINT.4.2v1", - "Criticality": "Shall", + "PolicyId": PolicyId, + "Criticality": "Shall/Not-Implemented", "Commandlet": ["Get-SPOSite", "Get-PnPTenantSite"], - "ActualValue": [SitePolicy.DenyAddAndCustomizePages], - "ReportDetails": ReportDetailsBoolean(Status), - "RequirementMet": Status + "ActualValue": [], + "ReportDetails": NotCheckedDeprecation, + "RequirementMet": false } if { - some SitePolicy in input.SPO_site - Status := SitePolicy.DenyAddAndCustomizePages == 2 + PolicyId := "MS.SHAREPOINT.4.2v1" } #-- diff --git a/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointBaseConfig.rego b/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointBaseConfig.rego index 70c1938f83..3a7a9e6ce4 100644 --- a/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointBaseConfig.rego +++ b/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointBaseConfig.rego @@ -12,8 +12,4 @@ SPOTenant := { "FolderAnonymousLinkType": 1, "EmailAttestationRequired": true, "EmailAttestationReAuthDays": 30 -} - -SPOSite := { - "DenyAddAndCustomizePages": 2 } \ No newline at end of file diff --git a/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointConfig_01_test.rego b/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointConfig_01_test.rego index 3ae76b0de2..946f24c8d3 100644 --- a/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointConfig_01_test.rego +++ b/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointConfig_01_test.rego 
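Review bot: The Not-Implemented rule for MS.SHAREPOINT.4.2v1 keeps `"Commandlet": ["Get-SPOSite", "Get-PnPTenantSite"]` while its body reads nothing and `ActualValue` is `[]`; the Not-Implemented rule this same commit removes for MS.SHAREPOINT.3.2v1 used `"Commandlet": []`, so the two conventions now disagree and the report will list cmdlets that contributed nothing to the result. Either `"Commandlet": [],` here or a comment explaining why the names are retained for the report would settle it. The deprecation comment would also age better with a date or tracking reference, e.g. `# TODO(<owner>): remove once <tracking reference> is resolved`, since "the next version" has no anchor once the file is older than one release.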
@@ -101,8 +101,8 @@ test_SharingDomainRestrictionMode_SharingCapability_OnlyPeopleInOrg_NotApplicabl Output := sharepoint.tests with input.SPO_tenant as [SPOTenant] ReportDetailsString := concat(" ", [ - "This policy is only applicable if External Sharing", - "is set to any value other than Only People In Your Organization.", + "This policy is only applicable if the external sharing slider", + "on the admin page is not set to Only People In Your Organization.", "See %v for more info" ]) TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailsString), false) == true diff --git a/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointConfig_03_test.rego b/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointConfig_03_test.rego index 8b78a82427..87e75a142a 100644 --- a/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointConfig_03_test.rego +++ b/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointConfig_03_test.rego @@ -1,17 +1,19 @@ package sharepoint_test import rego.v1 import data.sharepoint -import data.utils.report.NotCheckedDetails import data.utils.report.CheckedSkippedDetails import data.utils.key.TestResult import data.utils.key.PASS +import data.utils.key.FAIL # # Policy MS.SHAREPOINT.3.1v1 #-- test_SharingCapability_Anyone_LinkExpirationValid_Correct_V1 if { - Tenant := json.patch(SPOTenant, [{"op": "add", "path": "SharingCapability", "value": 2}]) + Tenant := json.patch(SPOTenant, + [{"op": "add", "path": "SharingCapability", "value": 2}, + {"op": "add", "path": "RequireAnonymousLinksExpireInDays", "value": 30}]) Output := sharepoint.tests with input.SPO_tenant as [Tenant] 
@@ -28,7 +30,7 @@ test_SharingCapability_Anyone_LinkExpirationValid_Correct_V2 if { TestResult("MS.SHAREPOINT.3.1v1", Output, PASS, true) == true } -test_SharingCapability_Anyone_LinkExpirationInvalid_Incorrect if { +test_SharingCapability_Anyone_LinkExpirationInvalid_Incorrect_V1 if { Tenant := json.patch(SPOTenant, [{"op": "add", "path": "SharingCapability", "value": 2}, {"op": "add", "path": "RequireAnonymousLinksExpireInDays", "value": 31}]) @@ -37,9 +39,37 @@ test_SharingCapability_Anyone_LinkExpirationInvalid_Incorrect if { ReportDetailsString := concat(" ", [ "Requirement not met:", - "External Sharing is set to", - "Anyone", - "and expiration date is not set to 30 days or less." + "total expiration days are not set to 30 days or less" + ]) + TestResult("MS.SHAREPOINT.3.1v1", Output, ReportDetailsString, false) == true +} + +test_SharingCapability_Anyone_LinkExpirationInvalid_Incorrect_V2 if { + Tenant := json.patch(SPOTenant, + [{"op": "add", "path": "SharingCapability", "value": 2}, + {"op": "add", "path": "RequireAnonymousLinksExpireInDays", "value": -1}]) + + Output := sharepoint.tests with input.SPO_tenant as [Tenant] + + ReportDetailsString := concat(" ", [ + "Requirement not met:", + "total expiration days are not set to 30 days or less" + ]) + TestResult("MS.SHAREPOINT.3.1v1", Output, ReportDetailsString, false) == true +} + +test_SharingCapability_Anyone_LinkExpirationInvalid_Incorrect_V3 if { + # If "RequireAnonymousLinksExpireInDays" == 0, Anyone links is unchecked, + # the policy must indicate a fail for this case. + Tenant := json.patch(SPOTenant, + [{"op": "add", "path": "SharingCapability", "value": 2}, + {"op": "add", "path": "RequireAnonymousLinksExpireInDays", "value": 0}]) + + Output := sharepoint.tests with input.SPO_tenant as [Tenant] + + ReportDetailsString := concat(" ", [ + "Requirement not met:", + "total expiration days are not set to 30 days or less" ]) TestResult("MS.SHAREPOINT.3.1v1", Output, ReportDetailsString, false) == true } 
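Review bot: The new failing cases cover 31, -1 and 0 and the passing case covers 30, but nothing exercises the lower edge of the accepted range now that the rule requires a value of at least 1; a tenant with `RequireAnonymousLinksExpireInDays` of 1 is the boundary most likely to regress if `>= 1` is ever changed to `> 1`. A `_Correct_V3` case with value 1 pins it. The V3 failing test's comment could also read `# When RequireAnonymousLinksExpireInDays == 0 the "Anyone links expire" option is unchecked, so the policy must fail` so the reason for failing a value that is numerically below 30 is explicit.
```rego
test_SharingCapability_Anyone_LinkExpirationValid_Correct_V3 if {
    # Lower boundary of the accepted 1..30 range must pass
    Tenant := json.patch(SPOTenant,
        [{"op": "add", "path": "SharingCapability", "value": 2},
        {"op": "add", "path": "RequireAnonymousLinksExpireInDays", "value": 1}])

    Output := sharepoint.tests with input.SPO_tenant as [Tenant]

    TestResult("MS.SHAREPOINT.3.1v1", Output, PASS, true) == true
}
```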
@@ -54,8 +84,8 @@ test_SharingCapability_OnlyPeopleInOrg_NotApplicable_V1 if { Output := sharepoint.tests with input.SPO_tenant as [Tenant] ReportDetailsString := concat(" ", [ - "This policy is only applicable if External Sharing is set to any value other than Anyone.", - "See %v for more info" + "This policy is only applicable if the external sharing slider", + "on the admin page is set to Anyone. See %v for more info" ]) TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailsString), false) == true } @@ -72,8 +102,8 @@ test_SharingCapability_ExistingGuests_NotApplicable_V1 if { Output := sharepoint.tests with input.SPO_tenant as [Tenant] ReportDetailsString := concat(" ", [ - "This policy is only applicable if External Sharing is set to any value other than Anyone.", - "See %v for more info" + "This policy is only applicable if the external sharing slider", + "on the admin page is set to Anyone. See %v for more info" ]) TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailsString), false) == true } @@ -90,8 +120,8 @@ test_SharingCapability_NewExistingGuests_NotApplicable_V1 if { Output := sharepoint.tests with input.SPO_tenant as [Tenant] ReportDetailsString := concat(" ", [ - "This policy is only applicable if External Sharing is set to any value other than Anyone.", - "See %v for more info" + "This policy is only applicable if the external sharing slider", + "on the admin page is set to Anyone. See %v for more info" ]) TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailsString), false) == true } 
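Review bot: The same two-element `ReportDetailsString` for the MS.SHAREPOINT.3.1v1 N/A message is spelled out verbatim in this hunk and again in `@@ -72,8`, `@@ -90,8`, `@@ -106,8`, `@@ -124,8` and `@@ -142,8`, which is why this commit had to edit the wording in six places; three more copies of the 3.2v1 variant sit in the `@@ -153,77` and `@@ -237,11`/`@@ -255,11` hunks. A single package-level value, e.g. `NotApplicableAnyone := concat(" ", ["This policy is only applicable if the external sharing slider", "on the admin page is set to Anyone. See %v for more info"])`, referenced from each test would make the next wording change a one-line edit.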
@@ -106,8 +136,8 @@ test_SharingCapability_OnlyPeopleInOrg_NotApplicable_V2 if { Output := sharepoint.tests with input.SPO_tenant as [Tenant] ReportDetailsString := concat(" ", [ - "This policy is only applicable if External Sharing is set to any value other than Anyone.", - "See %v for more info" + "This policy is only applicable if the external sharing slider", + "on the admin page is set to Anyone. See %v for more info" ]) TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailsString), false) == true } @@ -124,8 +154,8 @@ test_SharingCapability_ExistingGuests_NotApplicable_V2 if { Output := sharepoint.tests with input.SPO_tenant as [Tenant] ReportDetailsString := concat(" ", [ - "This policy is only applicable if External Sharing is set to any value other than Anyone.", - "See %v for more info" + "This policy is only applicable if the external sharing slider", + "on the admin page is set to Anyone. See %v for more info" ]) TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailsString), false) == true } @@ -142,8 +172,8 @@ test_SharingCapability_NewExistingGuests_NotApplicable_V2 if { Output := sharepoint.tests with input.SPO_tenant as [Tenant] ReportDetailsString := concat(" ", [ - "This policy is only applicable if External Sharing is set to any value other than Anyone.", - "See %v for more info" + "This policy is only applicable if the external sharing slider", + "on the admin page is set to Anyone. See %v for more info" ]) TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailsString), false) == true } 
@@ -153,77 +183,150 @@ test_SharingCapability_NewExistingGuests_NotApplicable_V2 if { # Policy MS.SHAREPOINT.3.2v1 #-- test_File_Folder_AnonymousLinkType_Correct if { - Tenant := json.patch(SPOTenant, [{"op": "add", "path": "SharingCapability", "value": 2}]) + Tenant := json.patch(SPOTenant, [ + {"op": "add", "path": "SharingCapability", "value": 2}, + {"op": "add", "path": "FileAnonymousLinkType", "value": 1}, + {"op": "add", "path": "FolderAnonymousLinkType", "value": 1} + ]) Output := sharepoint.tests with input.SPO_tenant as [Tenant] - with input.OneDrive_PnP_Flag as false TestResult("MS.SHAREPOINT.3.2v1", Output, PASS, true) == true } test_File_Folder_AnonymousLinkType_Incorrect if { - Tenant := json.patch(SPOTenant, - [{"op": "add", "path": "SharingCapability", "value": 2}, - {"op": "add", "path": "FileAnonymousLinkType", "value": 2}, - {"op": "add", "path": "FolderAnonymousLinkType", "value": 2}]) + Tenant := json.patch(SPOTenant, [ + {"op": "add", "path": "SharingCapability", "value": 2}, + {"op": "add", "path": "FileAnonymousLinkType", "value": 2}, + {"op": "add", "path": "FolderAnonymousLinkType", "value": 2} + ]) Output := sharepoint.tests with input.SPO_tenant as [Tenant] - with input.OneDrive_PnP_Flag as false - ReportDetailString := "Requirement not met: both files and folders are not limited to view for Anyone" - TestResult("MS.SHAREPOINT.3.2v1", Output, ReportDetailString, false) == true + ReportDetailsString := "Requirement not met: both files and folders are not limited to view for Anyone" + TestResult("MS.SHAREPOINT.3.2v1", Output, ReportDetailsString, false) == true } test_Folder_AnonymousLinkType_Incorrect if { - Tenant := json.patch(SPOTenant, - [{"op": "add", "path": "SharingCapability", "value": 2}, - {"op": "add", "path": "FolderAnonymousLinkType", "value": 2}]) + Tenant := json.patch(SPOTenant, [ + {"op": "add", "path": "SharingCapability", "value": 2}, + {"op": "add", "path": "FileAnonymousLinkType", "value": 1}, + {"op": "add", "path": 
"FolderAnonymousLinkType", "value": 2} + ]) Output := sharepoint.tests with input.SPO_tenant as [Tenant] - with input.OneDrive_PnP_Flag as false - ReportDetailString := "Requirement not met: folders are not limited to view for Anyone" - TestResult("MS.SHAREPOINT.3.2v1", Output, ReportDetailString, false) == true + ReportDetailsString := "Requirement not met: folders are not limited to view for Anyone" + TestResult("MS.SHAREPOINT.3.2v1", Output, ReportDetailsString, false) == true } test_File_AnonymousLinkType_Incorrect if { - Tenant := json.patch(SPOTenant, - [{"op": "add", "path": "SharingCapability", "value": 2}, - {"op": "add", "path": "FileAnonymousLinkType", "value": 2}]) + Tenant := json.patch(SPOTenant, [ + {"op": "add", "path": "SharingCapability", "value": 2}, + {"op": "add", "path": "FileAnonymousLinkType", "value": 2}, + {"op": "add", "path": "FolderAnonymousLinkType", "value": 1} + ]) Output := sharepoint.tests with input.SPO_tenant as [Tenant] - with input.OneDrive_PnP_Flag as false - ReportDetailString := "Requirement not met: files are not limited to view for Anyone" - TestResult("MS.SHAREPOINT.3.2v1", Output, ReportDetailString, false) == true + ReportDetailsString := "Requirement not met: files are not limited to view for Anyone" + TestResult("MS.SHAREPOINT.3.2v1", Output, ReportDetailsString, false) == true } -test_AnonymousLinkType_UsingServicePrincipal if { - PolicyId := "MS.SHAREPOINT.3.2v1" +test_File_Folder_AnonymousLinkType_UsingServicePrincipal_Correct if { + # SharingCapability value of 2 equals "Anyone" + # FileAnonymousLinkType value of 1 equals "View" + # FolderAnonymousLinkType value of 1 equals "View" + Tenant := json.patch(SPOTenant, [ + {"op": "add", "path": "SharingCapability", "value": 2}, + {"op": "add", "path": "FileAnonymousLinkType", "value": 1}, + {"op": "add", "path": "FolderAnonymousLinkType", "value": 1} + ]) - Tenant := json.patch(SPOTenant, - [{"op": "add", "path": "SharingCapability", "value": 2}, - {"op": "add", 
"path": "FileAnonymousLinkType", "value": 2}]) + # Set PnP flag to true denoting use of service principal + Output := sharepoint.tests with input.SPO_tenant as [Tenant] + with input.OneDrive_PnP_Flag as true + TestResult("MS.SHAREPOINT.3.2v1", Output, PASS, true) == true +} + +test_File_Folder_AnonymousLinkType_UsingServicePrincipal_Incorrect if { + # SharingCapability value of 2 equals "Anyone" + # FileAnonymousLinkType value of 2 equals "Edit" + # FolderAnonymousLinkType value of 2 equals "Edit" + Tenant := json.patch(SPOTenant, [ + {"op": "add", "path": "SharingCapability", "value": 2}, + {"op": "add", "path": "FileAnonymousLinkType", "value": 2}, + {"op": "add", "path": "FolderAnonymousLinkType", "value": 2} + ]) + + # Set PnP flag to true denoting use of service principal + Output := sharepoint.tests with input.SPO_tenant as [Tenant] + with input.OneDrive_PnP_Flag as true + + ReportDetailsString := concat(": ", [ + FAIL, + "both files and folders are not limited to view for Anyone" + ]) + TestResult("MS.SHAREPOINT.3.2v1", Output, ReportDetailsString, false) == true +} + +test_File_AnonymousLinkType_UsingServicePrincipal_Incorrect if { + # SharingCapability value of 2 equals "Anyone" + # FileAnonymousLinkType value of 2 equals "Edit" + # FolderAnonymousLinkType value of 1 equals "View" + Tenant := json.patch(SPOTenant, [ + {"op": "add", "path": "SharingCapability", "value": 2}, + {"op": "add", "path": "FileAnonymousLinkType", "value": 2}, + {"op": "add", "path": "FolderAnonymousLinkType", "value": 1} + ]) + + # Set PnP flag to true denoting use of service principal + Output := sharepoint.tests with input.SPO_tenant as [Tenant] + with input.OneDrive_PnP_Flag as true + + # FAIL = Requirement not met + # ReportDetailsString = "Requirement not met: both files and folders are not limited to view for Anyone" + ReportDetailsString := concat(": ", [ + FAIL, + "files are not limited to view for Anyone" + ]) + TestResult("MS.SHAREPOINT.3.2v1", Output, 
ReportDetailsString, false) == true +} +test_Folder_AnonymousLinkType_UsingServicePrincipal_Incorrect if { + # SharingCapability value of 2 equals "Anyone" + # FileAnonymousLinkType value of 1 equals "View" + # FolderAnonymousLinkType value of 2 equals "Edit" + Tenant := json.patch(SPOTenant, [ + {"op": "add", "path": "SharingCapability", "value": 2}, + {"op": "add", "path": "FileAnonymousLinkType", "value": 1}, + {"op": "add", "path": "FolderAnonymousLinkType", "value": 2} + ]) + + # Set PnP flag to true denoting use of service principal Output := sharepoint.tests with input.SPO_tenant as [Tenant] - with input.OneDrive_PnP_Flag as true + with input.OneDrive_PnP_Flag as true - TestResult(PolicyId, Output, NotCheckedDetails(PolicyId), false) == true + ReportDetailsString := concat(": ", [ + FAIL, + "folders are not limited to view for Anyone" + ]) + TestResult("MS.SHAREPOINT.3.2v1", Output, ReportDetailsString, false) == true } test_File_Folder_AnonymousLinkType_SharingCapability_OnlyPeopleInOrg_NotApplicable if { PolicyId := "MS.SHAREPOINT.3.2v1" - Tenant := json.patch(SPOTenant, - [{"op": "add", "path": "FileAnonymousLinkType", "value": 2}, - {"op": "add", "path": "FolderAnonymousLinkType", "value": 2}]) + Tenant := json.patch(SPOTenant, [ + {"op": "add", "path": "FileAnonymousLinkType", "value": 2}, + {"op": "add", "path": "FolderAnonymousLinkType", "value": 2} + ]) Output := sharepoint.tests with input.SPO_tenant as [Tenant] - with input.OneDrive_PnP_Flag as false ReportDetailsString := concat(" ", [ - "This policy is only applicable if External Sharing is set to any value other than Anyone.", - "See %v for more info" + "This policy is only applicable if the external sharing slider", + "on the admin page is set to Anyone. See %v for more info" ]) TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailsString), false) == true } 
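Review bot: In `test_File_AnonymousLinkType_UsingServicePrincipal_Incorrect` the explanatory comment `# ReportDetailsString = "Requirement not met: both files and folders are not limited to view for Anyone"` contradicts the string built two lines below, which is the `files are not limited to view for Anyone` variant; drop the line or make it match, because a stale comment in a test reads as the expected value. The four `_UsingServicePrincipal_` tests set `input.OneDrive_PnP_Flag as true`, but after this commit the rule no longer reads that flag, so they are the same four scenarios as the tests directly above them; if the intent is to guard against the flag gating the policy again, a comment such as `# OneDrive_PnP_Flag must not affect this policy; kept to catch a regression to Not-Implemented` says so, otherwise they can go. The non-service-principal `_Incorrect` tests also spell out `Requirement not met: ...` literally while the new ones build it from `FAIL`; one form throughout would be easier to maintain.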
@@ -237,11 +340,10 @@ test_File_Folder_AnonymousLinkType_SharingCapability_ExistingGuests_NotApplicabl {"op": "add", "path": "FolderAnonymousLinkType", "value": 2}]) Output := sharepoint.tests with input.SPO_tenant as [Tenant] - with input.OneDrive_PnP_Flag as false ReportDetailsString := concat(" ", [ - "This policy is only applicable if External Sharing is set to any value other than Anyone.", - "See %v for more info" + "This policy is only applicable if the external sharing slider", + "on the admin page is set to Anyone. See %v for more info" ]) TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailsString), false) == true } @@ -255,11 +357,10 @@ test_File_Folder_AnonymousLinkType_SharingCapability_NewExistingGuests_NotApplic {"op": "add", "path": "FolderAnonymousLinkType", "value": 2}]) Output := sharepoint.tests with input.SPO_tenant as [Tenant] - with input.OneDrive_PnP_Flag as false ReportDetailsString := concat(" ", [ - "This policy is only applicable if External Sharing is set to any value other than Anyone.", - "See %v for more info" + "This policy is only applicable if the external sharing slider", + "on the admin page is set to Anyone. See %v for more info" ]) TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailsString), false) == true } @@ -313,9 +414,9 @@ test_EmailAttestationReAuthDays_Incorrect_V2 if { Output := sharepoint.tests with input.SPO_tenant as [Tenant] - ReportDetailString := + ReportDetailsString := "Requirement not met: Expiration time for 'People who use a verification code' NOT set to 30 days or less" - TestResult("MS.SHAREPOINT.3.3v1", Output, ReportDetailString, false) == true + TestResult("MS.SHAREPOINT.3.3v1", Output, ReportDetailsString, false) == true } test_EmailAttestationRequired_Incorrect if { 
@@ -326,8 +427,8 @@ test_EmailAttestationRequired_Incorrect if { Output := sharepoint.tests with input.SPO_tenant as [Tenant] - ReportDetailString := "Requirement not met: Expiration time for 'People who use a verification code' NOT enabled" - TestResult("MS.SHAREPOINT.3.3v1", Output, ReportDetailString, false) == true + ReportDetailsString := "Requirement not met: Expiration time for 'People who use a verification code' NOT enabled" + TestResult("MS.SHAREPOINT.3.3v1", Output, ReportDetailsString, false) == true } test_EmailAttestationReAuthDays_SharingCapability_OnlyPeopleInOrg_NotApplicable if { @@ -340,9 +441,8 @@ test_EmailAttestationReAuthDays_SharingCapability_OnlyPeopleInOrg_NotApplicable Output := sharepoint.tests with input.SPO_tenant as [Tenant] ReportDetailsString := concat(" ", [ - "External Sharing is set to Only People In Your Organization.", - "This policy is only applicable if External Sharing is set to any value other than Only People In Your Organization", - "or Existing Guests. See %v for more info" + "This policy is only applicable if the external sharing slider on the admin page", + "is set to Anyone or New and Existing Guests. See %v for more info" ]) TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailsString), false) == true } @@ -357,9 +457,8 @@ test_EmailAttestationReAuthDays_SharingCapability_ExistingGuests_NotApplicable i Output := sharepoint.tests with input.SPO_tenant as [Tenant] ReportDetailsString := concat(" ", [ - "External Sharing is set to Existing Guests.", - "This policy is only applicable if External Sharing is set to any value other than Only People In Your Organization", - "or Existing Guests. See %v for more info" + "This policy is only applicable if the external sharing slider on the admin page", + "is set to Anyone or New and Existing Guests. See %v for more info" ]) TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailsString), false) == true } 
diff --git a/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointConfig_04_test.rego b/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointConfig_04_test.rego index 790b539c73..36b38bedf2 100644 --- a/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointConfig_04_test.rego +++ b/PowerShell/ScubaGear/Testing/Unit/Rego/Sharepoint/SharepointConfig_04_test.rego @@ -2,8 +2,7 @@ package sharepoint_test import rego.v1 import data.sharepoint import data.utils.key.TestResult -import data.utils.key.FAIL -import data.utils.key.PASS +import data.utils.report.NotCheckedDeprecation @@ -11,16 +10,10 @@ import data.utils.key.PASS # Policy MS.SHAREPOINT.4.2v1 #-- test_DenyAddAndCustomizePages_Correct if { - Output := sharepoint.tests with input.SPO_site as [SPOSite] + PolicyId := "MS.SHAREPOINT.4.2v1" - TestResult("MS.SHAREPOINT.4.2v1", Output, PASS, true) == true -} - -test_DenyAddAndCustomizePages_Incorrect if { - Site := json.patch(SPOSite, [{"op": "add", "path": "DenyAddAndCustomizePages", "value": 1}]) - - Output := sharepoint.tests with input.SPO_site as [Site] - - TestResult("MS.SHAREPOINT.4.2v1", Output, FAIL, false) == true + Output := sharepoint.tests with input.SPO_tenant as [SPOTenant] + + TestResult(PolicyId, Output, NotCheckedDeprecation, false) == true } #-- diff --git a/Testing/Functional/Products/TestPlans/sharepoint.pnp.testplan.yaml b/Testing/Functional/Products/TestPlans/sharepoint.pnp.testplan.yaml index eb5939a8fa..be13a85c59 100644 --- a/Testing/Functional/Products/TestPlans/sharepoint.pnp.testplan.yaml +++ b/Testing/Functional/Products/TestPlans/sharepoint.pnp.testplan.yaml 
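Review bot: `test_DenyAddAndCustomizePages_Correct` now asserts the Not-Implemented outcome, so its name no longer describes what it checks and suggests a compliant tenant is being exercised; `test_DenyAddAndCustomizePages_NotImplemented if {` matches what it does. A one-line comment above it noting that the check was retired because the custom-script setting is being removed (the reason given in SharepointConfig.rego) would keep the test self-explanatory when the rule is eventually deleted. With this test and the base config's `SPOSite` both gone, nothing visible in the diff reads `input.SPO_site` anymore even though the provider still exports it; worth confirming that is intended rather than leaving an unused export.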
@@ -184,6 +184,14 @@ TestPlan: SharingCapability: ExternalUserAndGuestSharing Postconditions: [] ExpectedResult: true + - TestDescription: MS.SHAREPOINT.3.1v1 Non-Compliant - SharingCapability = ExternalUserAndGuestSharing (Anyone); RequireAnonymousLinksExpireInDays = 0 (Anyone links in unchecked state) + Preconditions: + - Command: Set-PnPTenant + Splat: + RequireAnonymousLinksExpireInDays: 0 + SharingCapability: ExternalUserAndGuestSharing + Postconditions: [] + ExpectedResult: false - TestDescription: MS.SHAREPOINT.3.1v1 Non-Compliant - SharingCapability = ExternalUserSharingOnly (New and existing guests); RequireAnonymousLinksExpireInDays = 30 Preconditions: - Command: Set-PnPTenant 
@@ -242,8 +250,63 @@ TestPlan: - PolicyId: MS.SHAREPOINT.3.2v1 TestDriver: RunScuba Tests: - - TestDescription: MS.SHAREPOINT.3.2v1 Not Checked - Preconditions: [] + - TestDescription: MS.SHAREPOINT.3.2v1 Compliant - SharingCapability = ExternalUserAndGuestSharing (Anyone); FileAnonymousLinkType = View; FolderAnonymousLinkType = View + Preconditions: + - Command: Set-PnPTenant + Splat: + SharingCapability: ExternalUserAndGuestSharing + FileAnonymousLinkType: View + FolderAnonymousLinkType: View + Postconditions: [] + ExpectedResult: true + - TestDescription: MS.SHAREPOINT.3.2v1 Non-compliant - SharingCapability = ExternalUserAndGuestSharing (Anyone); FileAnonymousLinkType = Edit; FolderAnonymousLinkType = View + Preconditions: + - Command: Set-PnPTenant + Splat: + SharingCapability: ExternalUserAndGuestSharing + FileAnonymousLinkType: Edit + FolderAnonymousLinkType: View + Postconditions: [] + ExpectedResult: false + - TestDescription: MS.SHAREPOINT.3.2v1 Non-compliant - SharingCapability = ExternalUserAndGuestSharing (Anyone); FileAnonymousLinkType = View; FolderAnonymousLinkType = Edit + Preconditions: + - Command: Set-PnPTenant + Splat: + SharingCapability: ExternalUserAndGuestSharing + FileAnonymousLinkType: View + FolderAnonymousLinkType: Edit + Postconditions: [] + ExpectedResult: false + - TestDescription: MS.SHAREPOINT.3.2v1 Non-compliant - SharingCapability = ExternalUserAndGuestSharing (Anyone); FileAnonymousLinkType = Edit; FolderAnonymousLinkType = Edit + Preconditions: + - Command: Set-PnPTenant + Splat: + SharingCapability: ExternalUserAndGuestSharing + FileAnonymousLinkType: Edit + FolderAnonymousLinkType: Edit + Postconditions: [] + ExpectedResult: false + - TestDescription: MS.SHAREPOINT.3.2v1 Non-Applicable - SharingCapability = Disabled (Only people in your organization) + Preconditions: + - Command: Set-PnPTenant + Splat: + SharingCapability: Disabled + Postconditions: [] + IsNotChecked: true + ExpectedResult: false + - TestDescription: 
MS.SHAREPOINT.3.2v1 Non-Applicable - SharingCapability = ExistingExternalUserSharingOnly (Existing guests) + Preconditions: + - Command: Set-PnPTenant + Splat: + SharingCapability: ExistingExternalUserSharingOnly + Postconditions: [] + IsNotChecked: true + ExpectedResult: false + - TestDescription: MS.SHAREPOINT.3.2v1 Non-Applicable - SharingCapability = ExternalUserSharingOnly (New and existing guests) + Preconditions: + - Command: Set-PnPTenant + Splat: + SharingCapability: ExternalUserSharingOnly Postconditions: [] IsNotChecked: true ExpectedResult: false @@ -349,13 +412,8 @@ TestPlan: - PolicyId: MS.SHAREPOINT.4.2v1 TestDriver: RunScuba Tests: - - TestDescription: MS.SHAREPOINT.4.2v1 Non-compliant DenyAddAndCustomizePages disabled - Preconditions: - - Command: "Set-PnPTenantSite -Identity $((Get-PnPTenantInstance).PortalUrl) -DenyAddAndCustomizePages:$false" + - TestDescription: MS.SHAREPOINT.4.2v1 Non-compliant DenyAddAndCustomizePages Not-Implemented + Preconditions: [] Postconditions: [] + IsNotChecked: true ExpectedResult: false - - TestDescription: MS.SHAREPOINT.4.2v1 Compliant DenyAddAndCustomizePages enabled - Preconditions: - - Command: "Set-PnPTenantSite -Identity $((Get-PnPTenantInstance).PortalUrl) -DenyAddAndCustomizePages" - Postconditions: [] - ExpectedResult: true diff --git a/Testing/Functional/Products/TestPlans/sharepoint.spo.testplan.yaml b/Testing/Functional/Products/TestPlans/sharepoint.spo.testplan.yaml index e36e9a5ed9..19e0e366a5 100644 --- a/Testing/Functional/Products/TestPlans/sharepoint.spo.testplan.yaml +++ b/Testing/Functional/Products/TestPlans/sharepoint.spo.testplan.yaml @@ -150,6 +150,8 @@ TestPlan: - Command: Set-SPOTenant Splat: SharingCapability: ExternalUserAndGuestSharing + - Command: Set-SPOTenant + Splat: DefaultSharingLinkType: AnonymousAccess Postconditions: [] ExpectedResult: false 
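Review bot: The replacement MS.SHAREPOINT.4.2v1 entry is described as `Non-compliant DenyAddAndCustomizePages Not-Implemented` but it is an `IsNotChecked: true` case with no preconditions, so "Non-compliant" is misleading beside the genuine non-compliant entries in the plan; `TestDescription: MS.SHAREPOINT.4.2v1 Not-Implemented - DenyAddAndCustomizePages check retired` matches what it exercises. The same wording is used in the SPO plan's `@@ -406,13` hunk at the end of the diff. The new 3.2v1 cases in the `@@ -242,8` hunk leave anonymous `Edit` links enabled with `Postconditions: []`; if the driver does not reset tenant state between tests, a postcondition restoring `View` would avoid leaving the test tenant in the weaker configuration.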
@@ -207,6 +209,14 @@ TestPlan: SharingCapability: ExternalUserAndGuestSharing Postconditions: [] ExpectedResult: true + - TestDescription: MS.SHAREPOINT.3.1v1 Non-Compliant - SharingCapability = ExternalUserAndGuestSharing (Anyone); RequireAnonymousLinksExpireInDays = 0 (Anyone links in unchecked state) + Preconditions: + - Command: Set-SPOTenant + Splat: + RequireAnonymousLinksExpireInDays: 0 + SharingCapability: ExternalUserAndGuestSharing + Postconditions: [] + ExpectedResult: false - TestDescription: MS.SHAREPOINT.3.1v1 Non-Applicable - SharingCapability = ExternalUserSharingOnly (New and existing guests); RequireAnonymousLinksExpireInDays = 30 Preconditions: - Command: Set-SPOTenant @@ -279,8 +289,6 @@ TestPlan: - Command: Set-SPOTenant Splat: SharingCapability: Disabled - FileAnonymousLinkType: View - FolderAnonymousLinkType: View Postconditions: [] IsNotChecked: true ExpectedResult: false @@ -289,8 +297,6 @@ TestPlan: - Command: Set-SPOTenant Splat: SharingCapability: ExistingExternalUserSharingOnly - FileAnonymousLinkType: View - FolderAnonymousLinkType: View Postconditions: [] IsNotChecked: true ExpectedResult: false @@ -299,8 +305,6 @@ TestPlan: - Command: Set-SPOTenant Splat: SharingCapability: ExternalUserSharingOnly - FileAnonymousLinkType: View - FolderAnonymousLinkType: View Postconditions: [] IsNotChecked: true ExpectedResult: false 
@@ -406,13 +410,8 @@ TestPlan: - PolicyId: MS.SHAREPOINT.4.2v1 TestDriver: RunScuba Tests: - - TestDescription: MS.SHAREPOINT.4.2v1 Non-compliant DenyAddAndCustomizePages disabled - Preconditions: - - Command: '$Site=[System.Uri]((Get-SPOSite)[0].Url);Set-SPOSite -Identity "$($Site.Scheme)://$($Site.Authority)" -DenyAddAndCustomizePages:$false' + - TestDescription: MS.SHAREPOINT.4.2v1 Non-compliant DenyAddAndCustomizePages Not-Implemented + Preconditions: [] Postconditions: [] + IsNotChecked: true ExpectedResult: false - - TestDescription: MS.SHAREPOINT.4.2v1 Compliant DenyAddAndCustomizePages enabled - Preconditions: - - Command: '$Site=[System.Uri]((Get-SPOSite)[0].Url);Set-SPOSite -Identity "$($Site.Scheme)://$($Site.Authority)" -DenyAddAndCustomizePages:$true' - Postconditions: [] - ExpectedResult: true