diff --git a/.github/workflows/run_powershell_tests.yaml b/.github/workflows/run_powershell_tests.yaml index 0c0471c42c..4e6dd097ac 100644 --- a/.github/workflows/run_powershell_tests.yaml +++ b/.github/workflows/run_powershell_tests.yaml @@ -7,6 +7,7 @@ on: paths: - "**.ps1" - "**.psm1" + - ".github/workflows/run_powershell_tests.yaml" pull_request: types: [opened, reopened] branches: @@ -24,7 +25,17 @@ jobs: - name: Check out repository code uses: actions/checkout@v3 + - name: Remove Graph 2.0 + shell: powershell + run: | + # Remove Microsoft.Graph module(s) from image until SCUBA steps up to 2.0+ + Write-Output "NOTICE: Removing Microsoft.Graph version 2.0. Remove this step when SCuBA steps up to this version." + Uninstall-Module Microsoft.Graph -ErrorAction SilentlyContinue + Get-InstalledModule Microsoft.Graph.* | %{ if($_.Name -ne "Microsoft.Graph.Authentication"){ Write-Output "Removing: $($_.Name)"; Uninstall-Module $_.Name -AllowPrerelease -AllVersions } } + Uninstall-Module Microsoft.Graph.Authentication -AllowPrerelease -AllVersions + - name: Run Pester Tests + if: '!cancelled()' shell: powershell run: | ./SetUp.ps1 diff --git a/.github/workflows/run_smoke_test.yaml b/.github/workflows/run_smoke_test.yaml index eb0b24e75c..77a91476e9 100644 --- a/.github/workflows/run_smoke_test.yaml +++ b/.github/workflows/run_smoke_test.yaml @@ -7,6 +7,8 @@ on: pull_request_review: types: [submitted] push: + paths: + - ".github/workflows/run_smoke_test.yaml" branches: - "main" - "*smoke*" 
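Review bot: The `if: '!cancelled()'` added to "Run Pester Tests" lets the tests run even when the preceding "Remove Graph 2.0" step fails, so a half-removed module set (for instance a 2.x Microsoft.Graph.Authentication left in place because its `Uninstall-Module` errored) would be tested silently. Since the step exists to control which SDK line SetUp.ps1 ends up with, I'd make failure visible instead: drop the `!cancelled()` gate so the default `success()` applies, and end the removal step with a check such as `if (Get-InstalledModule Microsoft.Graph* -ErrorAction SilentlyContinue) { throw "Microsoft.Graph modules still installed" }`. The first `Uninstall-Module Microsoft.Graph` uses `-ErrorAction SilentlyContinue` while the remaining calls do not, so it is unclear from the step whether a missing meta-module and a failed sub-module uninstall are meant to be treated differently; a comment stating the intended outcome would help. `ForEach-Object` reads better than the `%{ ... }` alias in a checked-in workflow.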
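Review bot: Adding `paths:` under `push:` narrows the existing `branches: [main, *smoke*]` trigger rather than extending it, because GitHub ANDs the `branches` and `paths` filters, so after this hunk a push to `main` only starts the smoke test when `.github/workflows/run_smoke_test.yaml` itself changes and not when ScubaGear code does. If the intent is to run on workflow-file edits in addition to the current pushes, the filter needs widening, e.g. `- "**.ps1"`, `- "**.psm1"`, `- "**.rego"` next to the workflow path; if the narrowing is deliberate (presumably because the smoke test needs a live tenant), a one-line comment above `paths:` saying so will stop the next reader from "fixing" it. The `pull_request_review` trigger is unaffected either way.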
@@ -26,6 +28,16 @@ jobs: steps: - name: Checkout repo code uses: actions/checkout@v3 + + - name: Remove Graph 2.0 + shell: powershell + run: | + # Remove Microsoft.Graph module(s) from image until SCUBA steps up to 2.0+ + Write-Output "NOTICE: Removing Microsoft.Graph version 2.0. Remove this step when SCuBA steps up to this version." + Uninstall-Module Microsoft.Graph -ErrorAction SilentlyContinue + Get-InstalledModule Microsoft.Graph.* | %{ if($_.Name -ne "Microsoft.Graph.Authentication"){ Write-Output "Removing: $($_.Name)"; Uninstall-Module $_.Name -AllowPrerelease -AllVersions } } + Uninstall-Module Microsoft.Graph.Authentication -AllowPrerelease -AllVersions + - name: Execute ScubaGear and Check Outputs run: | . Testing/Functional/SmokeTest/SmokeTestUtils.ps1 diff --git a/PowerShell/ScubaGear/Modules/Providers/ExportAADProvider.psm1 b/PowerShell/ScubaGear/Modules/Providers/ExportAADProvider.psm1 index 4300b176e5..fc7770eea4 100644 --- a/PowerShell/ScubaGear/Modules/Providers/ExportAADProvider.psm1 +++ b/PowerShell/ScubaGear/Modules/Providers/ExportAADProvider.psm1 @@ -100,6 +100,9 @@ function Export-AADProvider { # 2.7 Policy Bullet 2] $AdminConsentReqPolicies = ConvertTo-Json @($Tracker.TryCommand("Get-MgPolicyAdminConsentRequestPolicy")) + # Read the properties and relationships of an authentication method policy + $AuthenticationMethodPolicy = ConvertTo-Json @($Tracker.TryCommand("Get-MgPolicyAuthenticationMethodPolicy")) + $SuccessfulCommands = ConvertTo-Json @($Tracker.GetSuccessfulCommands()) $UnSuccessfulCommands = ConvertTo-Json @($Tracker.GetUnSuccessfulCommands()) @@ -113,6 +116,7 @@ function Export-AADProvider { "privileged_roles": $PrivilegedRoles, "service_plans": $ServicePlans, "directory_settings": $DirectorySettings, + "authentication_method": $AuthenticationMethodPolicy, "aad_successful_commands": $SuccessfulCommands, "aad_unsuccessful_commands": $UnSuccessfulCommands, "@ 
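Review bot: This "Remove Graph 2.0" step is a verbatim copy of the one added to run_powershell_tests.yaml in the same commit, including the NOTICE asking for it to be deleted later, so the temporary workaround now has two places to be forgotten. I'd move the four PowerShell lines into a checked-in script (for example under `Testing/`) or a composite action and call it from both workflows, so the eventual removal and any error-handling fix happen once. Unlike the other workflow, the following "Execute ScubaGear and Check Outputs" step carries no `if:` condition, so here a failed uninstall correctly stops the job; a shared script should keep that behaviour rather than hiding failures behind `-ErrorAction SilentlyContinue`.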
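Review bot: `Get-MgPolicyAuthenticationMethodPolicy` reads a Graph endpoint that, as far as I recall, needs a permission not every call already in this provider requires (`Policy.Read.All` or `Policy.ReadWrite.AuthenticationMethod`), so the scopes requested at `Connect-MgGraph` and the documented permission list should be checked; otherwise `TryCommand` will record the cmdlet under `aad_unsuccessful_commands` and `authentication_method` will be exported as an empty array. The new comment `# Read the properties and relationships of an authentication method policy` is the cmdlet's help synopsis; tying it to the baseline is more useful, e.g. `# MS.AAD.3.4v1: authentication methods policy (migration state)`. The `@(...)` wrapping matches the other exports above, so the JSON shape stays consistent.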
diff --git a/Rego/AADConfig.rego b/Rego/AADConfig.rego index 7ad6abea15..83e6f1170c 100644 --- a/Rego/AADConfig.rego +++ b/Rego/AADConfig.rego @@ -361,15 +361,15 @@ tests[{ #-- # At this time we are unable to test for X because of NEW POLICY tests[{ - "PolicyId": PolicyId, - "Criticality" : "Should/Not-Implemented", - "Commandlet" : [], - "ActualValue" : [], - "ReportDetails" : NotCheckedDetails(PolicyId), - "RequirementMet" : false + "PolicyId": "MS.AAD.3.4v1", + "Criticality" : "Shall", + "Commandlet" : ["Get-MgPolicyAuthenticationMethodPolicy"], + "ActualValue" : [Policy.PolicyMigrationState], + "ReportDetails" : ReportDetailsBoolean(Status), + "RequirementMet" : Status }] { - PolicyId := "MS.AAD.3.4v1" - true + Policy := input.authentication_method[_] + Status := Policy.PolicyMigrationState == "migrationComplete" } #-- diff --git a/Testing/Unit/Rego/AAD/AADConfig_03_test.rego b/Testing/Unit/Rego/AAD/AADConfig_03_test.rego index d564073f08..657b78e5f6 100644 --- a/Testing/Unit/Rego/AAD/AADConfig_03_test.rego +++ b/Testing/Unit/Rego/AAD/AADConfig_03_test.rego @@ -1,6 +1,7 @@ package aad import future.keywords import data.report.utils.NotCheckedDetails +import data.report.utils.ReportDetailsBoolean # 
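Review bot: The rewritten rule only produces a result when `input.authentication_method[_]` yields an element, so if the export failed (`authentication_method` is `[]` or absent) MS.AAD.3.4v1 drops out of the `tests` set entirely instead of being reported, whereas the old rule always emitted a Not-Implemented row. Unless the report layer already surfaces policies missing from `tests` via `aad_unsuccessful_commands`, I'd add a companion rule that emits a failing result with a `ReportDetails` string explaining that the policy could not be read, covering both the empty-array and missing-key cases. The unchanged context line `# At this time we are unable to test for X because of NEW POLICY` directly above `tests[{` is now stale and should be replaced with the same kind of description header the other implemented rules carry.
```rego
# … unchanged: migrationComplete rule above …

# MS.AAD.3.4v1: report, rather than drop, the policy when nothing was exported
tests[{
    "PolicyId": "MS.AAD.3.4v1",
    "Criticality" : "Shall",
    "Commandlet" : ["Get-MgPolicyAuthenticationMethodPolicy"],
    "ActualValue" : [],
    "ReportDetails" : "Authentication method policy could not be retrieved",
    "RequirementMet" : false
}] {
    # object.get handles both an absent key and an empty export
    count(object.get(input, "authentication_method", [])) == 0
}
```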
@@ -1285,16 +1286,40 @@ test_NotImplemented_Correct_V2 if { # # MS.AAD.3.4v1 #-- -test_NotImplemented_Correct_V3 if { +test_Migrated_Correct if { PolicyId := "MS.AAD.3.4v1" - Output := tests with input as { } + Output := tests with input as { + "authentication_method": [ + { + "PolicyMigrationState": "migrationComplete" + } + ] + } + + RuleOutput := [Result | Result = Output[_]; Result.PolicyId == PolicyId] + + count(RuleOutput) == 1 + RuleOutput[0].RequirementMet + RuleOutput[0].ReportDetails == ReportDetailsBoolean(true) +} + +test_Migrated_Incorrect if { + PolicyId := "MS.AAD.3.4v1" + + Output := tests with input as { + "authentication_method": [ + { + "PolicyMigrationState": "preMigration" + } + ] + } RuleOutput := [Result | Result = Output[_]; Result.PolicyId == PolicyId] count(RuleOutput) == 1 not RuleOutput[0].RequirementMet - RuleOutput[0].ReportDetails == NotCheckedDetails(PolicyId) + RuleOutput[0].ReportDetails == ReportDetailsBoolean(false) } #--
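Review bot: Neither new test covers the case the provider can actually produce when `Get-MgPolicyAuthenticationMethodPolicy` fails, `"authentication_method": []` or the key missing, so the behaviour of MS.AAD.3.4v1 for an empty export is unasserted; the removed `test_NotImplemented_Correct_V3` at least pinned a result for `input as { }`. I'd add a third test with `"authentication_method": []` asserting whatever the rule is meant to do there (currently that would be `count(RuleOutput) == 0`, which is worth making explicit if it is intended). A `"migrationInProgress"` case would also pin that only `migrationComplete` passes, since the rule is a plain string equality; `"PolicyMigrationState": "migrationInProgress"` followed by `not RuleOutput[0].RequirementMet` is enough. The names `test_Migrated_Correct`/`test_Migrated_Incorrect` follow the file's `test_<Thing>_Correct` convention.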