
SharePoint incorrectly produces N/A for policy 3.2 when using a service principal, but it should perform the policy check because the needed fields exist

Open tkol2022 opened this issue 1 year ago • 2 comments

💡 Summary

The Rego code for SharePoint policy 3.2 incorrectly produces an N/A when you run with a service principal. I guess the coder thought that the Get-PnPTenant cmdlet does not contain the necessary fields, but based on my testing, it does contain them. I temporarily changed the Rego code and it worked when running with a service principal. The fix to correct this is easy, and I provide a code snippet below that I tested with. The fields needed are FileAnonymousLinkType and FolderAnonymousLinkType.

Screenshots of the problem

Run the SharePoint provider with a service principal and you will get the following:

[screenshot]

After I fixed the code, this is what the report looks like. It matches the output when running with interactive authentication.

[screenshot]

Code Fix

I commented out the lines that should be removed.

# Main check: only evaluated when "Anyone" links are enabled. Both anonymous link
# types must be view-only (1). The OneDrive_PnP_Flag guard is removed so the rule
# also fires for the PnP (service principal) code path.
tests contains {
    "PolicyId": "MS.SHAREPOINT.3.2v1",
    "Criticality": "Shall",
    "Commandlet": ["Get-SPOTenant", "Get-PnPTenant"],
    "ActualValue": [FileLinkType, FolderLinkType],
    "ReportDetails": FileAndFolderLinkPermission(FileLinkType, FolderLinkType),
    "RequirementMet": Status
} if {
    # input.OneDrive_PnP_Flag == false
    SharingCapability == ANYONE

    FileLinkType := Tenant.FileAnonymousLinkType
    FolderLinkType := Tenant.FolderAnonymousLinkType
    Conditions := [
        FileLinkType == 1,
        FolderLinkType == 1
    ]
    Status := count(FilterArray(Conditions, true)) == 2
}

# Test for N/A case: the policy does not apply when "Anyone" links are disabled.
# Same guard removed here, so the N/A reason is based only on the sharing slider.
tests contains {
    "PolicyId": PolicyId,
    "Criticality": "Shall/Not-Implemented",
    "Commandlet": ["Get-SPOTenant", "Get-PnPTenant"],
    "ActualValue": [],
    "ReportDetails": CheckedSkippedDetails(PolicyId, Reason),
    "RequirementMet": false
} if {
    PolicyId := "MS.SHAREPOINT.3.2v1"
    # input.OneDrive_PnP_Flag == false
    SharingCapability != ANYONE
    Reason := NAString(SliderSettings(2))
}

# Former "not checked" rule for the PnP path. Remove it entirely: it is what
# produced the N/A result for service principal runs.
# tests contains {
#     "PolicyId": PolicyId,
#     "Criticality": "Shall/Not-Implemented",
#     "Commandlet": [],
#     "ActualValue": [],
#     "ReportDetails": NotCheckedDetails(PolicyId),
#     "RequirementMet": false
# } if {
#     PolicyId := "MS.SHAREPOINT.3.2v1"
#     input.OneDrive_PnP_Flag == true
# }
#--

Implementation notes

  • [ ] Modify the Rego code
  • [ ] Double check if we need to modify any of the functional tests
  • [ ] Revise the unit tests that pass the OneDrive_PnP_Flag or modify them if they no longer make sense after the code update

tkol2022 avatar Jul 18 '24 23:07 tkol2022
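The following is an added, self-contained Rego example written for this page; it is not code from ScubaGear or from the issue author. It reduces the 3.2 logic above to a standalone policy and adds the kind of unit tests the implementation notes call for: a service principal run (OneDrive_PnP_Flag true) must now produce a real pass or fail, and N/A must come only from the sharing slider. The `ANYONE` value, the `SPO_tenant` input shape, and the inline tenant records are assumptions constructed for the example, not captured provider output.

```rego
package sharepoint_3_2_example

import rego.v1

# Assumption: numeric SharingCapability value meaning "Anyone" links are allowed,
# mirroring the ANYONE constant the real sharepoint.rego defines.
ANYONE := 2

# Assumption: the provider stores the tenant record(s) under input.SPO_tenant,
# regardless of whether Get-SPOTenant or Get-PnPTenant produced them.
Tenant := input.SPO_tenant[0]

SharingCapability := Tenant.SharingCapability

# Both anonymous link types must be view-only (1). Default false covers
# every other combination, including edit (2) or none (0).
default view_only(_, _) := false

view_only(file, folder) if {
    file == 1
    folder == 1
}

# Main check. Note there is no OneDrive_PnP_Flag guard: the PnP path is
# evaluated exactly like the interactive path.
tests contains {
    "PolicyId": "MS.SHAREPOINT.3.2v1",
    "Criticality": "Shall",
    "ActualValue": [FileLinkType, FolderLinkType],
    "RequirementMet": view_only(FileLinkType, FolderLinkType),
} if {
    SharingCapability == ANYONE
    FileLinkType := Tenant.FileAnonymousLinkType
    FolderLinkType := Tenant.FolderAnonymousLinkType
}

# N/A only when "Anyone" links are not enabled at all.
tests contains {
    "PolicyId": "MS.SHAREPOINT.3.2v1",
    "Criticality": "Shall/Not-Implemented",
    "ActualValue": [],
    "RequirementMet": false,
} if {
    SharingCapability != ANYONE
}

# Helper: fetch the single 3.2 result for a constructed input.
result(tenant, pnp_flag) := t if {
    some t in tests with input as {
        "SPO_tenant": [tenant],
        "OneDrive_PnP_Flag": pnp_flag,
    }
}

# Service principal run, anonymous links view-only: must PASS, not N/A.
test_pnp_view_only_passes if {
    t := result({"SharingCapability": ANYONE, "FileAnonymousLinkType": 1, "FolderAnonymousLinkType": 1}, true)
    t.Criticality == "Shall"
    t.RequirementMet == true
}

# Service principal run, folder links allow edit: must FAIL, not N/A.
test_pnp_folder_edit_fails if {
    t := result({"SharingCapability": ANYONE, "FileAnonymousLinkType": 1, "FolderAnonymousLinkType": 2}, true)
    t.Criticality == "Shall"
    t.RequirementMet == false
}

# Anyone links disabled: N/A regardless of which auth path ran.
test_anyone_disabled_is_na if {
    t := result({"SharingCapability": 1, "FileAnonymousLinkType": 2, "FolderAnonymousLinkType": 2}, true)
    t.Criticality == "Shall/Not-Implemented"
}

# Interactive run produces the same verdict as the PnP run for the same tenant.
test_interactive_matches_pnp if {
    tenant := {"SharingCapability": ANYONE, "FileAnonymousLinkType": 1, "FolderAnonymousLinkType": 1}
    result(tenant, false).RequirementMet == result(tenant, true).RequirementMet
}
```

Run it with `opa test -v sharepoint_3_2_example.rego`. The same four cases, rewritten against the real `tests` set and helper names in ScubaGear's `sharepoint.rego`, are the unit tests that would replace the ones currently passing `OneDrive_PnP_Flag` to exercise the removed "not checked" rule.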

@mitchelbaker-cisa You can lump this with the quick fix in #1220.

tkol2022 avatar Aug 13 '24 00:08 tkol2022

You can probably take care of this one at the same time as well to maximize pull request resources: #1268 If you agree, you can self-assign.

tkol2022 avatar Aug 13 '24 16:08 tkol2022