Fix experimental-encryption-provider-config test on OCP 3.11 - Issue #926 (#1024)

Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
3 years ago · 11136317f2
parent 0de52d9818
commit 11136317f2
2 changed files with 134 additions and 3 deletions
--- a/cfg/rh-0.7/master.yaml
+++ b/cfg/rh-0.7/master.yaml
@ -591,11 +591,16 @@ groups:

        audit_config: "grep -A1 experimental-encryption-provider-config /etc/origin/master/master-config.yaml | sed -n '2p' | awk '{ print $2 }' | xargs cat"
        tests:
+          bin_op: and
          test_items:
-            - path: "{.providers.aescbc.experimental-encryption-provider-config}"
+            - path: "{.resources[*].providers[*].aescbc.keys[*]}}"
+              compare:
+                op: has
+                value: "secret"
+            - path: "{.resources[*].providers[*].aescbc.keys[*]}}"
              compare:
                op: has
-                value: "aescbc"
+                value: "name"
        remediation: |
          Edit the Openshift master config file /etc/origin/master/master-config.yaml and set aescbc as the first provider in encryption provider config.
          See https://docs.openshift.com/container-platform/3.10/admin_guide/encrypting_data.html.
--- a/check/test_test.go
+++ b/check/test_test.go
@ -427,7 +427,7 @@ func TestExecuteJSONPath(t *testing.T) {
 	}{
 		{
 			"JSONPath parse works, results don't match",
-			"{.Kind}",
+			"{.resourcesproviders.aescbc}",
 			kubeletConfig{
 				Kind:       "KubeletConfiguration",
 				ApiVersion: "kubelet.config.k8s.io/v1beta1",
@ -1134,3 +1134,129 @@ func TestToNumeric(t *testing.T) {
 		})
 	}
 }
+
+func TestExecuteJSONPathOnEncryptionConfig(t *testing.T) {
+
+	type Resources struct {
+		Resources	[]string	`json:"resources"`
+		Providers	[]map[string]interface{}		`json:"providers"`
+	}
+
+	type EncryptionConfig struct {
+		Kind		string		`json:"kind"`
+		ApiVersion	string		`json:"apiVersion"`
+		Resources	[]Resources	`json:"resources"`
+	}
+
+	type Key struct {
+		Secret	string `json:"secret"`
+		Name	string `json:"name"`
+	}
+
+	type Aescbc struct {
+		Keys	[]Key	`json:"keys"`
+	}
+
+	type SecretBox struct {
+		Keys	[]Key	`json:"keys"`
+	}
+
+	type Aesgcm	struct {
+		Keys	[]Key	`json:"keys"`
+	}
+
+	// identity disable encryption when set as the first parameter
+	type Identity struct {}
+
+	cases := []struct {
+		name           string
+		jsonPath       string
+		jsonInterface  EncryptionConfig
+		expectedResult string
+		expectedToFail bool
+	}{
+		{
+			"JSONPath parse works, results match",
+			"{.resources[*].providers[*].aescbc.keys[*].secret}",
+			EncryptionConfig{
+				Kind: "EncryptionConfig",
+				ApiVersion: "v1",
+				Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
+					{"aescbc": Aescbc{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
+				}}}},
+			"secret1",
+			false,
+		},
+		{
+			"JSONPath parse works, results match",
+			"{.resources[*].providers[*].aescbc.keys[*].name}",
+			EncryptionConfig{
+				Kind: "EncryptionConfig",
+				ApiVersion: "v1",
+				Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
+					{"aescbc": Aescbc{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
+				}}}},
+			"name1",
+			false,
+		},
+		{
+			"JSONPath parse works, results don't match",
+			"{.resources[*].providers[*].aescbc.keys[*].secret}",
+			EncryptionConfig{
+				Kind: "EncryptionConfig",
+				ApiVersion: "v1",
+				Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
+					{"aesgcm": Aesgcm{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
+				}}}},
+			"secret1",
+			true,
+		},
+		{
+			"JSONPath parse works, results match",
+			"{.resources[*].providers[*].aesgcm.keys[*].secret}",
+			EncryptionConfig{
+				Kind: "EncryptionConfig",
+				ApiVersion: "v1",
+				Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
+					{"aesgcm": Aesgcm{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
+				}}}},
+			"secret1",
+			false,
+		},
+		{
+			"JSONPath parse works, results match",
+			"{.resources[*].providers[*].secretbox.keys[*].secret}",
+			EncryptionConfig{
+				Kind: "EncryptionConfig",
+				ApiVersion: "v1",
+				Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
+					{"secretbox": SecretBox{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
+				}}}},
+			"secret1",
+			false,
+		},
+		{
+			"JSONPath parse works, results match",
+			"{.resources[*].providers[*].aescbc.keys[*].secret}",
+			EncryptionConfig{
+				Kind: "EncryptionConfig",
+				ApiVersion: "v1",
+				Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
+					{"aescbc": Aescbc{Keys: []Key{Key{Secret: "secret1", Name: "name1"}, Key{Secret: "secret2", Name: "name2"}}}},
+				}}}},
+			"secret1 secret2",
+			false,
+		},
+	}
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			result, err := executeJSONPath(c.jsonPath, c.jsonInterface)
+			if err != nil && !c.expectedToFail {
+				t.Fatalf("jsonPath:%q, expectedResult:%q got:%v", c.jsonPath, c.expectedResult, err)
+			}
+			if c.expectedResult != result && !c.expectedToFail {
+				t.Errorf("jsonPath:%q, expectedResult:%q got:%q", c.jsonPath, c.expectedResult, result)
+			}
+		})
+	}
+}