ScubaGear
Enhance AAD Functional Testplans to use configuration file inputs
💡 Summary
Enhance AAD Functional Testplans to use configuration file inputs. Many test cases are using the RunCached driver but do not include test paths that would be traversed if configuration data (e.g., MS.AAD.7.4v1 RoleExclusion) was provided.
Motivation and context
This would be useful because it will provide more comprehensive testing.
Implementation notes
Please provide details for implementation, such as:
- Revisit each AAD policy test case using RunCached and evaluate needed configuration data to enhance test coverage.
Acceptance criteria
How do we know when this work is done?
- [ ] Test Plans have been updated with configuration data for appropriate test cases.
Upon review of the Rego code for the policies that reference the config file (there are numerous), it seems that all we might need to do is add functional test cases that modify the input.scuba_config part of the JSON. I don't think we need to read a config file. The capability to modify the JSON is already present since all of the AAD test cases do that. See two of the Rego policies that take exclusion inputs below:
- 7.4: `count({y | some y in input.scuba_config.Aad[PolicyID].RoleExclusions.Users; y != null}) == 0`
- 1.1: `ExemptedUsers := input.scuba_config.Aad[PolicyID].CapExclusions.Users`
Below is an example of how we might craft functional test cases that include exclusions: