arno/kube-bench
1
0
Fork 0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-22 08:08:07 +00:00
Code Issues Releases Wiki Activity

Fix experimental-encryption-provider-config test on OCP 3.11 - Issue #926 (#1024)

Browse Source 
Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
This commit is contained in:
tonyqui 2021-10-27 11:56:00 +02:00 committed by GitHub
parent 0de52d9818
commit 11136317f2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 134 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
cfg/rh-0.7/master.yaml
View File

@ -591,11 +591,16 @@ groups:
audit_config: "grep -A1 experimental-encryption-provider-config /etc/origin/master/master-config.yaml | sed -n '2p' | awk '{ print $2 }' | xargs cat" audit_config: "grep -A1 experimental-encryption-provider-config /etc/origin/master/master-config.yaml | sed -n '2p' | awk '{ print $2 }' | xargs cat"
tests: tests:
bin_op: and
test_items: test_items:
- path: "{.providers.aescbc.experimental-encryption-provider-config}" - path: "{.resources[*].providers[*].aescbc.keys[*]}}"
compare: compare:
op: has op: has
value: "aescbc" value: "secret"
- path: "{.resources[*].providers[*].aescbc.keys[*]}}"
compare:
op: has
value: "name"
remediation: | remediation: |
Edit the Openshift master config file /etc/origin/master/master-config.yaml and set aescbc as the first provider in encryption provider config. Edit the Openshift master config file /etc/origin/master/master-config.yaml and set aescbc as the first provider in encryption provider config.
See https://docs.openshift.com/container-platform/3.10/admin_guide/encrypting_data.html. See https://docs.openshift.com/container-platform/3.10/admin_guide/encrypting_data.html.

128
check/test_test.go
View File

@ -427,7 +427,7 @@ func TestExecuteJSONPath(t *testing.T) {
}{ }{
{ {
"JSONPath parse works, results don't match", "JSONPath parse works, results don't match",
"{.Kind}", "{.resourcesproviders.aescbc}",
kubeletConfig{ kubeletConfig{
Kind: "KubeletConfiguration", Kind: "KubeletConfiguration",
ApiVersion: "kubelet.config.k8s.io/v1beta1", ApiVersion: "kubelet.config.k8s.io/v1beta1",
@ -1134,3 +1134,129 @@ func TestToNumeric(t *testing.T) {
}) })
} }
} }
func TestExecuteJSONPathOnEncryptionConfig(t *testing.T) {
type Resources struct {
Resources []string `json:"resources"`
Providers []map[string]interface{} `json:"providers"`
}
type EncryptionConfig struct {
Kind string `json:"kind"`
ApiVersion string `json:"apiVersion"`
Resources []Resources `json:"resources"`
}
type Key struct {
Secret string `json:"secret"`
Name string `json:"name"`
}
type Aescbc struct {
Keys []Key `json:"keys"`
}
type SecretBox struct {
Keys []Key `json:"keys"`
}
type Aesgcm struct {
Keys []Key `json:"keys"`
}
// identity disable encryption when set as the first parameter
type Identity struct {}
cases := []struct {
name string
jsonPath string
jsonInterface EncryptionConfig
expectedResult string
expectedToFail bool
}{
{
"JSONPath parse works, results match",
"{.resources[*].providers[*].aescbc.keys[*].secret}",
EncryptionConfig{
Kind: "EncryptionConfig",
ApiVersion: "v1",
Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
{"aescbc": Aescbc{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
}}}},
"secret1",
false,
},
{
"JSONPath parse works, results match",
"{.resources[*].providers[*].aescbc.keys[*].name}",
EncryptionConfig{
Kind: "EncryptionConfig",
ApiVersion: "v1",
Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
{"aescbc": Aescbc{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
}}}},
"name1",
false,
},
{
"JSONPath parse works, results don't match",
"{.resources[*].providers[*].aescbc.keys[*].secret}",
EncryptionConfig{
Kind: "EncryptionConfig",
ApiVersion: "v1",
Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
{"aesgcm": Aesgcm{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
}}}},
"secret1",
true,
},
{
"JSONPath parse works, results match",
"{.resources[*].providers[*].aesgcm.keys[*].secret}",
EncryptionConfig{
Kind: "EncryptionConfig",
ApiVersion: "v1",
Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
{"aesgcm": Aesgcm{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
}}}},
"secret1",
false,
},
{
"JSONPath parse works, results match",
"{.resources[*].providers[*].secretbox.keys[*].secret}",
EncryptionConfig{
Kind: "EncryptionConfig",
ApiVersion: "v1",
Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
{"secretbox": SecretBox{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
}}}},
"secret1",
false,
},
{
"JSONPath parse works, results match",
"{.resources[*].providers[*].aescbc.keys[*].secret}",
EncryptionConfig{
Kind: "EncryptionConfig",
ApiVersion: "v1",
Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
{"aescbc": Aescbc{Keys: []Key{Key{Secret: "secret1", Name: "name1"}, Key{Secret: "secret2", Name: "name2"}}}},
}}}},
"secret1 secret2",
false,
},
}
for _, c := range cases {
t.Run(c.name, func(t *testing.T) {
result, err := executeJSONPath(c.jsonPath, c.jsonInterface)
if err != nil && !c.expectedToFail {
t.Fatalf("jsonPath:%q, expectedResult:%q got:%v", c.jsonPath, c.expectedResult, err)
}
if c.expectedResult != result && !c.expectedToFail {
t.Errorf("jsonPath:%q, expectedResult:%q got:%q", c.jsonPath, c.expectedResult, result)
}
})
}
}