Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
This commit is contained in:
parent
0de52d9818
commit
11136317f2
@ -591,11 +591,16 @@ groups:
|
||||
|
||||
audit_config: "grep -A1 experimental-encryption-provider-config /etc/origin/master/master-config.yaml | sed -n '2p' | awk '{ print $2 }' | xargs cat"
|
||||
tests:
|
||||
bin_op: and
|
||||
test_items:
|
||||
- path: "{.providers.aescbc.experimental-encryption-provider-config}"
|
||||
- path: "{.resources[*].providers[*].aescbc.keys[*]}}"
|
||||
compare:
|
||||
op: has
|
||||
value: "aescbc"
|
||||
value: "secret"
|
||||
- path: "{.resources[*].providers[*].aescbc.keys[*]}}"
|
||||
compare:
|
||||
op: has
|
||||
value: "name"
|
||||
remediation: |
|
||||
Edit the Openshift master config file /etc/origin/master/master-config.yaml and set aescbc as the first provider in encryption provider config.
|
||||
See https://docs.openshift.com/container-platform/3.10/admin_guide/encrypting_data.html.
|
||||
|
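Review bot: The new test items on the `{.resources[*].providers[*].aescbc.keys[*]}}` paths accept an aescbc provider in any position, so a config that lists `identity` first and `aescbc` second passes even though the remediation text requires aescbc to be the first provider and identity-first means secrets are stored in the clear; tightening the path to `{.resources[*].providers[0].aescbc.keys[*]}` (first provider only) would make the check match its own remediation. Both paths also end in an unbalanced `}}`, which reads like a typo for a single `}`; whether the jsonpath parser tolerates the stray brace I can't tell from here, but with `op: has` doing a substring match the check would not notice either way. Note that this audit_config pipes the whole encryption-provider config, including the base64 AES key material, into kube-bench's parser; it is worth confirming that the raw audit output is never echoed into reports or verbose logs. Which of the duplicated `path:`/`value:` lines are old versus new is not recoverable from the rendered page, so the rest of the check is reviewed as printed.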
@ -427,7 +427,7 @@ func TestExecuteJSONPath(t *testing.T) {
|
||||
}{
|
||||
{
|
||||
"JSONPath parse works, results don't match",
|
||||
"{.Kind}",
|
||||
"{.resourcesproviders.aescbc}",
|
||||
kubeletConfig{
|
||||
Kind: "KubeletConfiguration",
|
||||
ApiVersion: "kubelet.config.k8s.io/v1beta1",
|
||||
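Review bot: The replacement path `{.resourcesproviders.aescbc}` in the "results don't match" case reads like a typo for `.resources.providers`, and a future reader may "fix" it into something that resolves; since the intent is a field that does not exist on kubeletConfig, an obviously deliberate name such as `{.doesNotExist}` or a trailing `// intentionally absent field` comment would document that. TestExecuteJSONPath's table and loop continue outside the hunk, so how this case's expectation is checked is not visible here.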
@ -1134,3 +1134,129 @@ func TestToNumeric(t *testing.T) {
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestExecuteJSONPathOnEncryptionConfig(t *testing.T) {
|
||||
|
||||
type Resources struct {
|
||||
Resources []string `json:"resources"`
|
||||
Providers []map[string]interface{} `json:"providers"`
|
||||
}
|
||||
|
||||
type EncryptionConfig struct {
|
||||
Kind string `json:"kind"`
|
||||
ApiVersion string `json:"apiVersion"`
|
||||
Resources []Resources `json:"resources"`
|
||||
}
|
||||
|
||||
type Key struct {
|
||||
Secret string `json:"secret"`
|
||||
Name string `json:"name"`
|
||||
}
|
||||
|
||||
type Aescbc struct {
|
||||
Keys []Key `json:"keys"`
|
||||
}
|
||||
|
||||
type SecretBox struct {
|
||||
Keys []Key `json:"keys"`
|
||||
}
|
||||
|
||||
type Aesgcm struct {
|
||||
Keys []Key `json:"keys"`
|
||||
}
|
||||
|
||||
// identity disable encryption when set as the first parameter
|
||||
type Identity struct {}
|
||||
|
||||
cases := []struct {
|
||||
name string
|
||||
jsonPath string
|
||||
jsonInterface EncryptionConfig
|
||||
expectedResult string
|
||||
expectedToFail bool
|
||||
}{
|
||||
{
|
||||
"JSONPath parse works, results match",
|
||||
"{.resources[*].providers[*].aescbc.keys[*].secret}",
|
||||
EncryptionConfig{
|
||||
Kind: "EncryptionConfig",
|
||||
ApiVersion: "v1",
|
||||
Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
|
||||
{"aescbc": Aescbc{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
|
||||
}}}},
|
||||
"secret1",
|
||||
false,
|
||||
},
|
||||
{
|
||||
"JSONPath parse works, results match",
|
||||
"{.resources[*].providers[*].aescbc.keys[*].name}",
|
||||
EncryptionConfig{
|
||||
Kind: "EncryptionConfig",
|
||||
ApiVersion: "v1",
|
||||
Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
|
||||
{"aescbc": Aescbc{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
|
||||
}}}},
|
||||
"name1",
|
||||
false,
|
||||
},
|
||||
{
|
||||
"JSONPath parse works, results don't match",
|
||||
"{.resources[*].providers[*].aescbc.keys[*].secret}",
|
||||
EncryptionConfig{
|
||||
Kind: "EncryptionConfig",
|
||||
ApiVersion: "v1",
|
||||
Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
|
||||
{"aesgcm": Aesgcm{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
|
||||
}}}},
|
||||
"secret1",
|
||||
true,
|
||||
},
|
||||
{
|
||||
"JSONPath parse works, results match",
|
||||
"{.resources[*].providers[*].aesgcm.keys[*].secret}",
|
||||
EncryptionConfig{
|
||||
Kind: "EncryptionConfig",
|
||||
ApiVersion: "v1",
|
||||
Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
|
||||
{"aesgcm": Aesgcm{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
|
||||
}}}},
|
||||
"secret1",
|
||||
false,
|
||||
},
|
||||
{
|
||||
"JSONPath parse works, results match",
|
||||
"{.resources[*].providers[*].secretbox.keys[*].secret}",
|
||||
EncryptionConfig{
|
||||
Kind: "EncryptionConfig",
|
||||
ApiVersion: "v1",
|
||||
Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
|
||||
{"secretbox": SecretBox{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
|
||||
}}}},
|
||||
"secret1",
|
||||
false,
|
||||
},
|
||||
{
|
||||
"JSONPath parse works, results match",
|
||||
"{.resources[*].providers[*].aescbc.keys[*].secret}",
|
||||
EncryptionConfig{
|
||||
Kind: "EncryptionConfig",
|
||||
ApiVersion: "v1",
|
||||
Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
|
||||
{"aescbc": Aescbc{Keys: []Key{Key{Secret: "secret1", Name: "name1"}, Key{Secret: "secret2", Name: "name2"}}}},
|
||||
}}}},
|
||||
"secret1 secret2",
|
||||
false,
|
||||
},
|
||||
}
|
||||
for _, c := range cases {
|
||||
t.Run(c.name, func(t *testing.T) {
|
||||
result, err := executeJSONPath(c.jsonPath, c.jsonInterface)
|
||||
if err != nil && !c.expectedToFail {
|
||||
t.Fatalf("jsonPath:%q, expectedResult:%q got:%v", c.jsonPath, c.expectedResult, err)
|
||||
}
|
||||
if c.expectedResult != result && !c.expectedToFail {
|
||||
t.Errorf("jsonPath:%q, expectedResult:%q got:%q", c.jsonPath, c.expectedResult, result)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
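Review bot: In the loop at the end of TestExecuteJSONPathOnEncryptionConfig the `expectedToFail` case asserts nothing, because both checks are guarded by `!c.expectedToFail`; if executeJSONPath returns no error for the aesgcm-only config (and, if it allows missing keys, just an empty string), the "results don't match" case still passes. Add the missing branch: `if err == nil && c.expectedToFail { t.Fatalf("jsonPath:%q expected an error, got %q", c.jsonPath, result) }`. Five of the six cases share the name "JSONPath parse works, results match", so t.Run disambiguates them as `#01`, `#02`, …, which makes a failure hard to attribute — name them after the provider and field under test. The `Identity` type and its comment state that identity as the first provider disables encryption, yet no case exercises provider order, which is the property a kube-bench check on this config should pin; the unused type should either back such a case or be dropped. `Key{Secret: ...}` inside `[]Key{...}` is redundant (`gofmt -s` removes the inner type name).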