Resolve Groups 7.1 dependency issue with Groups 6.1

[mitchelbaker-cisa]

🗣 Description

• Modify NonCompliantGroups7_1 such that Groups 6.1 compliance is taken into account. This is handled by a helper function which checks if Groups 6.1 is compliant/noncompliant.
• Unit tests which look at events/settings from both Groups 6.1/7.1
• Refactor a few of the Group ReportDetails functions into Utils.rego

💭 Motivation and context

Closes #67

Groups 7.1 did not handle the following conditions correctly:

If 6.1 is disabled (compliant), then 7.1 will automatically be compliant. If 6.1 is enabled (warning), then 7.1 must be disabled to be compliant, otherwise it is non-compliant (warning).

🧪 Testing

python run_unit_tests.py -b groups -c 7

✅ Pre-approval checklist

• [x] This PR has an informative and human-readable title.
• [x] Changes are limited to a single goal - eschew scope creep!
• [x] If applicable, All future TODOs are captured in issues, which are referenced in the PR description.
• [x] The relevant issues PR resolves are linked preferably via closing keywords.
• [x] All relevant type-of-change labels have been added.
• [x] I have read and agree to the CONTRIBUTING.md document.
• [x] These code changes follow cisagov code standards.
• [x] All relevant repo and/or project documentation has been updated to reflect the changes in this PR.
• [x] Tests have been added and/or modified to cover the changes in this PR.
• [x] All new and existing tests pass.

✅ Pre-merge Checklist

• [ ] This PR has been smoke tested to ensure main is in a functional state when this PR is merged.
• [ ] Squash all commits into one PR level commit using the Squash and merge button.

✅ Post-merge Checklist

• [ ] Delete the branch to clean up.
• [ ] Close issues resolved by this PR if the closing keywords did not activate.

[LaurenBassett]

I think this PR is going to have merge conflicts with #87 , which is fine, but I might want to hold off on development until this is merged and I can handle the merge conflicts on my end?

[mitchelbaker-cisa]

I think this PR is going to have merge conflicts with #87 , which is fine, but I might want to hold off on development until this is merged and I can handle the merge conflicts on my end?

That seems like a reasonable path forward for handling any merge conflicts. Or assuming this PR gets merged in beforehand, branch off of 67-groups-prereq-issue so the changes are already there?

[mitchelbaker-cisa]

Not sure what's happening on our other test tenant but when I try to intentionally fail 6.1, instead I get a no log events found. 6.1 "Hide groups enabled" which should be a fail

Report Output showing no events found for 6.1

Are there any logs visible from within the investigator tool?

[buidav]

Are there any logs visible from within the investigator tool?

Woops my reply didn't get posted. It's another case where a Create Application log is generated rather than a Change Application log.

fix is to add CREATE_APPLICATION_SETTING to the groups key in this dictionary in provider.py

[snarve]

Hi @mitchelbaker-cisa

Sorry for the delay on reviewing this.

Here's my update:

Once I updated the setting 6.1 and 7.1 passed and failed as expected:

However, there is one use case where the settings were not changed and 7.1 errored out:

[snarve]

Use case 1: If 6.1 is non-complaint (existing or new groups can be hidden) then 7.1 is non-complaint as well, because even if a group with Restricted access is created it can be hidden (using the setting from 6.1)

Use case 2: If 6.1 is complaint (existing or new groups cannot be hidden) then 7.1 is complaint -> but with this we are stating that we do not need to confirm if the group is created with Restricted access, which means we can create a group where everyone has access. My understanding is, 7.1 still needs to be confirmed (check if Group is created with Restricted access) when 6.1 is complaint.

[snarve]

Since now we have two other related issues file to handle the use cases not covered here and also to re-evaluate 7.1 this PR is good to go, except for the minor duplicate code block.