feat(teams): add new check teams_meeting_chat_anonymous_users_disabled (#7579)

Co-authored-by: Andoni A <14891798+andoniaf@users.noreply.github.com>
Co-authored-by: MrCloudSec <hello@mistercloudsec.com>

tests/providers/m365/services/teams/teams_meeting_chat_anonymous_users_disabled/teams_meeting_chat_anonymous_users_disabled_test.py

@@ -0,0 +1,159 @@
+from unittest import mock
+
+from tests.providers.m365.m365_fixtures import DOMAIN, set_mocked_m365_provider
+
+
+class Test_teams_meeting_chat_anonymous_users_disabled:
+    def test_no_global_meeting_policy(self):
+        teams_client = mock.MagicMock()
+        teams_client.global_meeting_policy = None
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_m365_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.m365.lib.powershell.m365_powershell.M365PowerShell.connect_microsoft_teams"
+            ),
+            mock.patch(
+                "prowler.providers.m365.services.teams.teams_meeting_chat_anonymous_users_disabled.teams_meeting_chat_anonymous_users_disabled.teams_client",
+                new=teams_client,
+            ),
+        ):
+            from prowler.providers.m365.services.teams.teams_meeting_chat_anonymous_users_disabled.teams_meeting_chat_anonymous_users_disabled import (
+                teams_meeting_chat_anonymous_users_disabled,
+            )
+
+            check = teams_meeting_chat_anonymous_users_disabled()
+            result = check.execute()
+            assert len(result) == 0
+
+    def test_meeting_chat_allows_anonymous_users(self):
+        teams_client = mock.MagicMock()
+        teams_client.audited_tenant = "audited_tenant"
+        teams_client.audited_domain = DOMAIN
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_m365_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.m365.lib.powershell.m365_powershell.M365PowerShell.connect_microsoft_teams"
+            ),
+            mock.patch(
+                "prowler.providers.m365.services.teams.teams_meeting_chat_anonymous_users_disabled.teams_meeting_chat_anonymous_users_disabled.teams_client",
+                new=teams_client,
+            ),
+        ):
+            from prowler.providers.m365.services.teams.teams_meeting_chat_anonymous_users_disabled.teams_meeting_chat_anonymous_users_disabled import (
+                teams_meeting_chat_anonymous_users_disabled,
+            )
+            from prowler.providers.m365.services.teams.teams_service import (
+                GlobalMeetingPolicy,
+            )
+
+            teams_client.global_meeting_policy = GlobalMeetingPolicy(
+                meeting_chat_enabled_type="EnabledForEveryone"
+            )
+
+            check = teams_meeting_chat_anonymous_users_disabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert result[0].status_extended == "Meeting chat allows anonymous users."
+            assert result[0].resource == teams_client.global_meeting_policy.dict()
+            assert (
+                result[0].resource_name
+                == "Teams Meetings Global (Org-wide default) Policy"
+            )
+            assert result[0].resource_id == "teamsMeetingsGlobalPolicy"
+
+    def test_meeting_chat_does_not_allow_anonymous_users_enabled_except_anonymous(self):
+        teams_client = mock.MagicMock()
+        teams_client.audited_tenant = "audited_tenant"
+        teams_client.audited_domain = DOMAIN
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_m365_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.m365.lib.powershell.m365_powershell.M365PowerShell.connect_microsoft_teams"
+            ),
+            mock.patch(
+                "prowler.providers.m365.services.teams.teams_meeting_chat_anonymous_users_disabled.teams_meeting_chat_anonymous_users_disabled.teams_client",
+                new=teams_client,
+            ),
+        ):
+            from prowler.providers.m365.services.teams.teams_meeting_chat_anonymous_users_disabled.teams_meeting_chat_anonymous_users_disabled import (
+                teams_meeting_chat_anonymous_users_disabled,
+            )
+            from prowler.providers.m365.services.teams.teams_service import (
+                GlobalMeetingPolicy,
+            )
+
+            teams_client.global_meeting_policy = GlobalMeetingPolicy(
+                meeting_chat_enabled_type="EnabledExceptAnonymous"
+            )
+
+            check = teams_meeting_chat_anonymous_users_disabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == "Meeting chat does not allow anonymous users."
+            )
+            assert result[0].resource == teams_client.global_meeting_policy.dict()
+            assert (
+                result[0].resource_name
+                == "Teams Meetings Global (Org-wide default) Policy"
+            )
+            assert result[0].resource_id == "teamsMeetingsGlobalPolicy"
+
+    def test_meeting_chat_does_not_allow_anonymous_users_enabled_in_meeting_only(self):
+        teams_client = mock.MagicMock()
+        teams_client.audited_tenant = "audited_tenant"
+        teams_client.audited_domain = DOMAIN
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_m365_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.m365.lib.powershell.m365_powershell.M365PowerShell.connect_microsoft_teams"
+            ),
+            mock.patch(
+                "prowler.providers.m365.services.teams.teams_meeting_chat_anonymous_users_disabled.teams_meeting_chat_anonymous_users_disabled.teams_client",
+                new=teams_client,
+            ),
+        ):
+            from prowler.providers.m365.services.teams.teams_meeting_chat_anonymous_users_disabled.teams_meeting_chat_anonymous_users_disabled import (
+                teams_meeting_chat_anonymous_users_disabled,
+            )
+            from prowler.providers.m365.services.teams.teams_service import (
+                GlobalMeetingPolicy,
+            )
+
+            teams_client.global_meeting_policy = GlobalMeetingPolicy(
+                meeting_chat_enabled_type="EnabledInMeetingOnlyForAllExceptAnonymous"
+            )
+
+            check = teams_meeting_chat_anonymous_users_disabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == "Meeting chat does not allow anonymous users."
+            )
+            assert result[0].resource == teams_client.global_meeting_policy.dict()
+            assert (
+                result[0].resource_name
+                == "Teams Meetings Global (Org-wide default) Policy"
+            )
+            assert result[0].resource_id == "teamsMeetingsGlobalPolicy"

tests/providers/m365/services/teams/teams_service_test.py

@@ -30,6 +30,7 @@ def mock_get_global_meeting_policy(_):
         allow_anonymous_users_to_start_meeting=False,
         allow_external_users_to_bypass_lobby="EveryoneInCompanyExcludingGuests",
         allow_pstn_users_to_bypass_lobby=False,
+        meeting_chat_enabled_type="EnabledExceptAnonymous",
     )
 
 
@@ -126,5 +127,6 @@ class Test_Teams_Service:
                 allow_anonymous_users_to_start_meeting=False,
                 allow_external_users_to_bypass_lobby="EveryoneInCompanyExcludingGuests",
                 allow_pstn_users_to_bypass_lobby=False,
+                meeting_chat_enabled_type="EnabledExceptAnonymous",
             )
             teams_client.powershell.close()