feat: added Enterprise varified domain notification policy (#294)

Legit-Labs · Mar 7, 2024 · 99268ac · 99268ac
1 parent d04f069
commit 99268ac
Show file tree

Hide file tree

Showing 5 changed files with 64 additions and 28 deletions.
diff --git a/cmd/wire_gen.go b/cmd/wire_gen.go
diff --git a/internal/clients/github/client.go b/internal/clients/github/client.go
@@ -517,14 +517,15 @@ func newHttpClients(ctx context.Context, token string) (client *http.Client, gra
 var enterpriseQuery struct {
 	Enterprise struct {
 		OwnerInfo struct {
-			MembersCanChangeRepositoryVisibilitySetting string
-			AllowPrivateRepositoryForkingSetting        string
-			MembersCanInviteCollaboratorsSetting        string
-			TwoFactorRequiredSetting                    string
-			MembersCanCreatePublicRepositoriesSetting   bool
-			DefaultRepositoryPermissionSetting          string
-			MembersCanDeleteRepositoriesSetting         string
-			SamlIdentityProvider                        struct {
+			MembersCanChangeRepositoryVisibilitySetting   string
+			AllowPrivateRepositoryForkingSetting          string
+			MembersCanInviteCollaboratorsSetting          string
+			TwoFactorRequiredSetting                      string
+			MembersCanCreatePublicRepositoriesSetting     bool
+			DefaultRepositoryPermissionSetting            string
+			MembersCanDeleteRepositoriesSetting           string
+			NotificationDeliveryRestrictionEnabledSetting string
+			SamlIdentityProvider                          struct {
 				ExternalIdentities struct {
 					TotalCount int
 				} `graphql:"externalIdentities(first: 1)"`
@@ -562,9 +563,11 @@ func (c *Client) collectSpecificEnterprises() ([]githubcollected.Enterprise, err
 		err := c.GraphQLClient().Query(c.context, &enterpriseQuery, variables)
 		if err != nil {
 			log.Printf("failed to get enterprise %v: %v", enterprise, err)
+			return nil, err
 		}
 		if enterpriseQuery.Enterprise.DatabaseId == 0 {
 			log.Printf("Failed to get enterprise %v . User is not a member of this enterprise", enterprise)
+			return nil, err
 		}
 		samlEnabled := enterpriseQuery.Enterprise.OwnerInfo.SamlIdentityProvider.ExternalIdentities.TotalCount > 0
 		codeAndSecurityPolicySettings, err := c.GetSecurityAndAnalysisForEnterprise(enterprise)
@@ -583,6 +586,7 @@ func (c *Client) collectSpecificEnterprises() ([]githubcollected.Enterprise, err
 			enterpriseQuery.Enterprise.OwnerInfo.TwoFactorRequiredSetting,
 			enterpriseQuery.Enterprise.OwnerInfo.DefaultRepositoryPermissionSetting,
 			enterpriseQuery.Enterprise.OwnerInfo.MembersCanDeleteRepositoriesSetting,
+			enterpriseQuery.Enterprise.OwnerInfo.NotificationDeliveryRestrictionEnabledSetting,
 			samlEnabled,
 			codeAndSecurityPolicySettings)
 		res = append(res, newEnter)

diff --git a/internal/collected/github/enterprise.go b/internal/collected/github/enterprise.go
@@ -7,23 +7,24 @@ import (
 )
 
 type Enterprise struct {
-	MembersCanChangeRepositoryVisibilitySetting string `json:"members_can_change_repository_visibility"`
-	RepositoriesForkingPolicy                   string `json:"repositories_forking_policy"`
-	ExternalCollaboratorsInvitePolicy           string `json:"external_collaborators_invite_policy"`
-	TwoFactorRequiredSetting                    string `json:"two_factor_required_setting"`
-	SamlEnabled                                 bool   `json:"saml_enabled"`
-	EnterpriseName                              string `json:"name"`
-	Url                                         string `json:"url"`
-	Id                                          int64  `json:"id"`
-	UserRole                                    string
-	MembersCanCreatePublicRepositoriesSetting   bool                               `json:"members_can_create_public_repositories"`
-	DefaultRepositoryPermissionSetting          string                             `json:"default_repository_permission_settings"`
-	MembersCanDeleteRepositoriesSetting         string                             `json:"member_can_delete_repository"`
-	CodeAndSecurityPolicySettings               *types.AnalysisAndSecurityPolicies `json:"code_analysis_and_security_policies"`
+	MembersCanChangeRepositoryVisibilitySetting   string `json:"members_can_change_repository_visibility"`
+	RepositoriesForkingPolicy                     string `json:"repositories_forking_policy"`
+	ExternalCollaboratorsInvitePolicy             string `json:"external_collaborators_invite_policy"`
+	TwoFactorRequiredSetting                      string `json:"two_factor_required_setting"`
+	SamlEnabled                                   bool   `json:"saml_enabled"`
+	EnterpriseName                                string `json:"name"`
+	Url                                           string `json:"url"`
+	Id                                            int64  `json:"id"`
+	UserRole                                      string
+	MembersCanCreatePublicRepositoriesSetting     bool                               `json:"members_can_create_public_repositories"`
+	DefaultRepositoryPermissionSetting            string                             `json:"default_repository_permission_settings"`
+	MembersCanDeleteRepositoriesSetting           string                             `json:"member_can_delete_repository"`
+	NotificationDeliveryRestrictionEnabledSetting string                             `json:"notification_delivery_restriction_enabled"`
+	CodeAndSecurityPolicySettings                 *types.AnalysisAndSecurityPolicies `json:"code_analysis_and_security_policies"`
 }
 
 func NewEnterprise(membersCanChangeRepositoryVisibilitySetting string, name string, Url string, Id int64, isAdmin bool, repositoriesForkingPolicy string,
-	externalCollaboratorsInvitePolicy string, membersCanCreatePublicRepositoriesSetting bool, twoFactorRequiredSetting string, defaultRepositoryPermissionSetting string, membersCanDeleteRepositoriesSetting string, samlEnabled bool, codeAndSecurityPolicySettings *types.AnalysisAndSecurityPolicies) Enterprise {
+	externalCollaboratorsInvitePolicy string, membersCanCreatePublicRepositoriesSetting bool, twoFactorRequiredSetting string, defaultRepositoryPermissionSetting string, membersCanDeleteRepositoriesSetting string, notificationDeliveryRestrictionEnabledSetting string, samlEnabled bool, codeAndSecurityPolicySettings *types.AnalysisAndSecurityPolicies) Enterprise {
 	UserRole := permissions.EnterpriseNonAdminRole
 	if isAdmin {
 		UserRole = permissions.EnterpriseAdminRole
@@ -38,10 +39,11 @@ func NewEnterprise(membersCanChangeRepositoryVisibilitySetting string, name stri
 		Url:                                         Url,
 		Id:                                          Id,
 		UserRole:                                    UserRole,
-		MembersCanCreatePublicRepositoriesSetting: membersCanCreatePublicRepositoriesSetting,
-		DefaultRepositoryPermissionSetting:        defaultRepositoryPermissionSetting,
-		MembersCanDeleteRepositoriesSetting:       membersCanDeleteRepositoriesSetting,
-		CodeAndSecurityPolicySettings:             codeAndSecurityPolicySettings,
+		MembersCanCreatePublicRepositoriesSetting:     membersCanCreatePublicRepositoriesSetting,
+		DefaultRepositoryPermissionSetting:            defaultRepositoryPermissionSetting,
+		MembersCanDeleteRepositoriesSetting:           membersCanDeleteRepositoriesSetting,
+		NotificationDeliveryRestrictionEnabledSetting: notificationDeliveryRestrictionEnabledSetting,
+		CodeAndSecurityPolicySettings:                 codeAndSecurityPolicySettings,
 	}
 }
 

diff --git a/policies/github/enterprise.rego b/policies/github/enterprise.rego
@@ -171,3 +171,17 @@ default enable_push_protection_secret_scanning := true
 enable_push_protection_secret_scanning := false {
 	input.code_analysis_and_security_policies.secret_scanning_push_protection_enabled_for_new_repositories == true
 }
+
+# METADATA
+# scope: rule
+# title: Enterprise Should Send Email Notifications Only To Verified Domains
+# description: The enterprise should mitigate the leakage of sensitive data by allowing email notifications to be sent only to verified or approved domains.
+# custom:
+#   severity: MEDIUM
+#   remediationSteps: [Make sure you are an enterprise owner, Go to the Enterprise Landing page, Under the ‘Settings’ tab on the left click ‘Verified & approved domains’, Press the 'Add a domain' button and follow the instructions in the menu, Check the 'Restrict email notifications to only approved or verified domains' box, Press 'Save']
+#   requiredScopes: [admin:enterprise]
+default enable_email_notification_to_verified_domains := true
+
+enable_email_notification_to_verified_domains := false {
+	input.notification_delivery_restriction_enabled == "ENABLED"
+}
diff --git a/test/enterprise_test.go b/test/enterprise_test.go
@@ -9,7 +9,8 @@ import (
 
 func makeEnterpriseForPolicy(policy string) githubcollected.Enterprise {
 	return githubcollected.Enterprise{
-		MembersCanChangeRepositoryVisibilitySetting: policy,
+		MembersCanChangeRepositoryVisibilitySetting:   policy,
+		NotificationDeliveryRestrictionEnabledSetting: policy,
 		EnterpriseName: "name",
 		Url:            "url",
 	}
@@ -30,6 +31,21 @@ func TestEnterpriseVisibilityChangePolicy(t *testing.T) {
 	}
 }
 
+func TestEnterpriseNotificationRestrictionPolicy(t *testing.T) {
+	name := "Enterprise Should Send Email Notifications Only To Verified Domains"
+	testedPolicyName := "enable_email_notification_to_verified_domains"
+
+	policies := map[string]bool{
+		"ENABLED":   false,
+		"NO_POLICY": true,
+		"DISABLED":  true,
+	}
+
+	for i := range policies {
+		enterpriseTestTemplate(t, name, makeEnterpriseForPolicy(i), testedPolicyName, policies[i], scm_type.GitHub)
+	}
+}
+
 func enterpriseTestTemplate(t *testing.T, name string, mockData githubcollected.Enterprise, testedPolicyName string, expectFailure bool, scmType scm_type.ScmType) {
 	ns := namespace.Enterprise
 	PolicyTestTemplate(t, name, mockData, ns, testedPolicyName, expectFailure, scmType)