Added a new Rego function to ensure trial environments can only be cr…

…eated by admins (cisagov#110)

Rego/PowerPlatformConfig.rego

@@ -39,7 +39,7 @@ ReportDetailsString(Status, String) = Detail if {
 # Baseline 2.1: Policy 1
 #--
 tests[{
-    "Requirement" : "The ability to create additional environments SHALL be restricted to admins",
+    "Requirement" : "The ability to create production and sandbox environments SHALL be restricted to admins",
     "Control" : "Power Platform 2.1",
     "Criticality" : "Shall",
     "Commandlet" : "Get-TenantSettings",
@@ -52,6 +52,23 @@ tests[{
 }
 #--
 
+#
+# Baseline 2.1: Policy 2
+#--
+tests[{
+    "Requirement" : "The ability to create trial environments SHALL be restricted to admins",
+    "Control" : "Power Platform 2.1",
+    "Criticality" : "Shall",
+    "Commandlet" : "Get-TenantSettings",
+    "ActualValue" : EnvironmentCreation.disableTrialEnvironmentCreationByNonAdminUsers,
+    "ReportDetails" : ReportDetailsBoolean(Status),
+    "RequirementMet" : Status
+}] {
+    EnvironmentCreation := input.environment_creation
+    Status := EnvironmentCreation.disableTrialEnvironmentCreationByNonAdminUsers == true
+}
+#--
+
 
 ################
 # Baseline 2.2 #

Testing/Unit/Rego/PowerPlatform/PowerPlatformConfig2_01_test.rego

@@ -5,9 +5,9 @@ import future.keywords
 #
 # Policy 1
 #--
-test_disableEnvironmentCreationByNonAdminUsers_Correct if {
+test_disableProductionEnvironmentCreationByNonAdminUsers_Correct if {
     ControlNumber := "Power Platform 2.1"
-    Requirement := "The ability to create additional environments SHALL be restricted to admins"
+    Requirement := "The ability to create production and sandbox environments SHALL be restricted to admins"
 
     Output := tests with input as {
         "environment_creation": {
@@ -22,9 +22,9 @@ test_disableEnvironmentCreationByNonAdminUsers_Correct if {
     RuleOutput[0].ReportDetails == "Requirement met"
 }
 
-test_disableEnvironmentCreationByNonAdminUsers_Incorrect if {
+test_disableProductionEnvironmentCreationByNonAdminUsers_Incorrect if {
     ControlNumber := "Power Platform 2.1"
-    Requirement := "The ability to create additional environments SHALL be restricted to admins"
+    Requirement := "The ability to create production and sandbox environments SHALL be restricted to admins"
 
     Output := tests with input as {
         "environment_creation": {
@@ -38,3 +38,40 @@ test_disableEnvironmentCreationByNonAdminUsers_Incorrect if {
     not RuleOutput[0].RequirementMet
     RuleOutput[0].ReportDetails == "Requirement not met"
 }
+
+#
+# Policy 2
+#--
+test_disableTrialEnvironmentCreationByNonAdminUsers_Correct if {
+    ControlNumber := "Power Platform 2.1"
+    Requirement := "The ability to create trial environments SHALL be restricted to admins"
+
+    Output := tests with input as {
+        "environment_creation": {
+            "disableTrialEnvironmentCreationByNonAdminUsers" : true
+        }
+    }
+
+    RuleOutput := [Result | Result = Output[_]; Result.Control == ControlNumber; Result.Requirement == Requirement]
+
+    count(RuleOutput) == 1
+    RuleOutput[0].RequirementMet
+    RuleOutput[0].ReportDetails == "Requirement met"
+}
+
+test_disableTrialEnvironmentCreationByNonAdminUsers_Incorrect if {
+    ControlNumber := "Power Platform 2.1"
+    Requirement := "The ability to create trial environments SHALL be restricted to admins"
+
+    Output := tests with input as {
+        "environment_creation": {
+            "disableTrialEnvironmentCreationByNonAdminUsers" : false
+        }
+    }
+
+    RuleOutput := [Result | Result = Output[_]; Result.Control == ControlNumber; Result.Requirement == Requirement]
+
+    count(RuleOutput) == 1
+    not RuleOutput[0].RequirementMet
+    RuleOutput[0].ReportDetails == "Requirement not met"
+}