
EXO 2.7 Rego Bug Fix | Only Enabled Correctly Configured Rules Pass #130

Merged: 5 commits merged into main from 126-Exo2-7DisabledRulesNowFail on Feb 6, 2023

Conversation

@rgbrow1949 (Collaborator) commented Jan 23, 2023

🗣 Description

  • Adds extra line in EXO 2.7 rego that filters the rules analyzed in the code by whether the rules are enabled.
  • Writes unit testing for EXO 2.7 to accommodate for the new logic.

💭 Motivation and context

  • Before this pull request, EXO 2.7 will pass if the rule is correctly configured but disabled, defeating the purpose of the baseline control. The solution is to add a line of rego code before checking the rule to see if it is correctly configured that filters the rules down to only the enabled rules.
  • This pull request closes issues 126 and 27.

🧪 Testing

  • I tested my changes on a test tenant by creating two rules: a correctly configured rule and an incorrectly configured rule. After making the change in the rego code, I confirmed that when the correctly configured rule is enabled, the test passes. I also tested if they were both disabled, both enabled, and if the incorrect rule is enabled and the correct one is disabled. Each case passed or failed appropriately.
  • I also ran the unit tests for Exchange Online and confirmed that all tests pass.
  • A reviewer should confirm that all unit tests pass and confirm that a correctly configured rule that is disabled fails the test and only a correctly configured rule that is enabled succeeds.

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • Changes are limited to a single goal - eschew scope creep!
  • All future TODOs are captured in issues, which are referenced
    in code comments.
  • All relevant type-of-change labels have been added.
  • I have read the CONTRIBUTING document.
  • These code changes follow cisagov code standards.
  • All relevant repo and/or project documentation has been updated
    to reflect the changes in this PR.
  • Tests have been added and/or modified to cover the changes in this PR.
  • All new and existing tests pass.

✅ Pre-merge checklist

  • Revert dependencies to default branches.
  • Finalize version.

✅ Post-merge checklist

  • Add a tag or create a release.

@adhilto (Collaborator) left a comment

Looks great. I tested this by disabling the needed mail flow rule. On main, 2.7 incorrectly passes, but on this branch it correctly displays a failure. After re-enabling it, it correctly showed a pass.

@schrolla (Collaborator) left a comment

I tested out the changes using our G5 test tenant. There I noticed that the updates did cover cases where one or more rules were present but disabled. Those worked correctly. However, the implementation notes and admin center showed each rule also has a Mode setting which can be set to one of the following: Enforce, Audit, or AuditAndNotify. The latter will flag such messages, but not actually enforce the baseline policy item. As such, I recommend checking each rule's mode and only considering those set to Enforce as properly meeting the intent of the rule, since the baseline includes setting the mode to Enforce in the implementation guidance.

I've made code suggestions to both the provider and unit tests that should address this. I actually tested the provider change, but didn't validate the suggested unit test changes.

Let me know what you think about the proposed changes or reach out if you wish to discuss further.

Suggestions were left on Rego/EXOConfig.rego and Testing/Unit/Rego/EXO/EXOConfig2_07_test.rego (outdated, resolved).
@rgbrow1949 (Collaborator, Author) commented

I have pushed changes to the Rego and the Unit Testing so now it requires rules to be both Enforced and Enabled. @schrolla How does it look now?
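The combined filter discussed above (a rule only counts if it is both enabled and in Enforce mode), as an added illustrative Rego policy written in pre-1.0 OPA syntax; this is not the PR's own diff. The input shape (`transport_rules` with `State`, `Mode`, `FromScope`, `PrependSubject`) and the `correctly_configured` predicate are assumptions standing in for ScubaGear's real EXO 2.7 check.

```rego
package exo_2_7_example

# Constructed sample rules (not from a real tenant). Exchange transport rules
# expose State (Enabled/Disabled) and Mode (Enforce/Audit/AuditAndNotify).
disabled_rule := {"Name": "External warning", "State": "Disabled", "Mode": "Enforce",
                  "FromScope": "NotInOrganization", "PrependSubject": "[External] "}
audit_rule := {"Name": "External warning", "State": "Enabled", "Mode": "Audit",
               "FromScope": "NotInOrganization", "PrependSubject": "[External] "}
good_rule := {"Name": "External warning", "State": "Enabled", "Mode": "Enforce",
              "FromScope": "NotInOrganization", "PrependSubject": "[External] "}

# Placeholder for the actual EXO 2.7 configuration check (assumed here: the
# rule applies to external senders and prepends a subject tag).
correctly_configured(rule) {
    rule.FromScope == "NotInOrganization"
    contains(rule.PrependSubject, "External")
}

# Only rules that are enabled AND enforced are considered at all; a correctly
# configured rule that is disabled or audit-only does not satisfy the control.
effective_rules[rule.Name] {
    some i
    rule := input.transport_rules[i]
    rule.State == "Enabled"
    rule.Mode == "Enforce"
    correctly_configured(rule)
}

default exo_2_7_pass = false

exo_2_7_pass {
    count(effective_rules) > 0
}

# Unit tests in the style of `opa test`, covering the cases the PR discussion raised.
test_correct_but_disabled_fails {
    not exo_2_7_pass with input as {"transport_rules": [disabled_rule]}
}

test_correct_but_audit_mode_fails {
    not exo_2_7_pass with input as {"transport_rules": [audit_rule]}
}

test_enabled_and_enforced_passes {
    exo_2_7_pass with input as {"transport_rules": [good_rule, disabled_rule]}
}
```

Run with `opa test .` in the directory holding the file; the three tests pass, and dropping either the `State` or the `Mode` line from `effective_rules` makes the corresponding negative test fail.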

@schrolla (Collaborator) left a comment

The updates address the additional use cases identified before. Minor change requested to update error text for clarity. Update required in test and associated unit tests. I tried to note suggestions for each, but there may be additional unit tests to update. Fix and validate unit tests pass to ensure all have been updated as needed.

Suggestions were left on Rego/EXOConfig.rego and Testing/Unit/Rego/EXO/EXOConfig2_07_test.rego (outdated, resolved).
@rgbrow1949 (Collaborator, Author) commented

Error messages have been updated.

@schrolla (Collaborator) left a comment

Re-ran tests, and it shows the updated error message when set to fail. All unit tests also pass. Looks good for merge to me.

@rgbrow1949 (Collaborator, Author) left a comment

Merge ready

@nanda-katikaneni nanda-katikaneni merged commit af31c45 into main Feb 6, 2023
@nanda-katikaneni nanda-katikaneni deleted the 126-Exo2-7DisabledRulesNowFail branch February 6, 2023 13:45
Labels: bug (This issue or pull request addresses broken functionality)
5 participants