
Merge branch 'main' into dependabot/go_modules/gorm.io/driver/postgre…
…s-1.2.0
yoavrotems authored Oct 27, 2021
2 parents f2d5fc3 + 1113631 commit 6b0fadd
Showing 2 changed files with 134 additions and 3 deletions.
9 changes: 7 additions & 2 deletions cfg/rh-0.7/master.yaml
Expand Up @@ -591,11 +591,16 @@ groups:

audit_config: "grep -A1 experimental-encryption-provider-config /etc/origin/master/master-config.yaml | sed -n '2p' | awk '{ print $2 }' | xargs cat"
tests:
bin_op: and
test_items:
- path: "{.providers.aescbc.experimental-encryption-provider-config}"
- path: "{.resources[*].providers[*].aescbc.keys[*]}}"
compare:
op: has
value: "secret"
- path: "{.resources[*].providers[*].aescbc.keys[*]}}"
compare:
op: has
value: "aescbc"
value: "name"
remediation: |
Edit the Openshift master config file /etc/origin/master/master-config.yaml and set aescbc as the first provider in encryption provider config.
See https://docs.openshift.com/container-platform/3.10/admin_guide/encrypting_data.html.
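Review bot: Both new `path` expressions end in `}}`, while the test added to check/test_test.go in this same commit queries the same structure with a single closing brace (`{.resources[*].providers[*].aescbc.keys[*].secret}`), so the second `}` looks like a typo. If the jsonpath parser treats the stray brace as literal text it is appended to the audit output, and with `op: has` the substring match would probably still succeed, which is why it may go unnoticed; change both to `- path: "{.resources[*].providers[*].aescbc.keys[*]}"`. The two items also only confirm that some aescbc key entry anywhere under `providers[*]` has a `secret` and a `name` field, whereas the remediation text requires aescbc to be the first provider; either check the first element explicitly (e.g. `{.resources[*].providers[0].aescbc}`) or note in the check that provider ordering is not verified.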
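--- a/check/test_test.go
+++ b/check/test_test.go
@@ -427,7 +427,7 @@ func TestExecuteJSONPath(t *testing.T) {
 }{
 {
 "JSONPath parse works, results don't match",
-"{.Kind}",
+"{.resourcesproviders.aescbc}",
 kubeletConfig{
 Kind: "KubeletConfiguration",
 ApiVersion: "kubelet.config.k8s.io/v1beta1",
@@ -1134,3 +1134,129 @@ func TestToNumeric(t *testing.T) {
 })
 }
 }
+
+func TestExecuteJSONPathOnEncryptionConfig(t *testing.T) {
+
+type Resources struct {
+Resources []string `json:"resources"`
+Providers []map[string]interface{} `json:"providers"`
+}
+
+type EncryptionConfig struct {
+Kind string `json:"kind"`
+ApiVersion string `json:"apiVersion"`
+Resources []Resources `json:"resources"`
+}
+
+type Key struct {
+Secret string `json:"secret"`
+Name string `json:"name"`
+}
+
+type Aescbc struct {
+Keys []Key `json:"keys"`
+}
+
+type SecretBox struct {
+Keys []Key `json:"keys"`
+}
+
+type Aesgcm struct {
+Keys []Key `json:"keys"`
+}
+
+// identity disable encryption when set as the first parameter
+type Identity struct {}
+
+cases := []struct {
+name string
+jsonPath string
+jsonInterface EncryptionConfig
+expectedResult string
+expectedToFail bool
+}{
+{
+"JSONPath parse works, results match",
+"{.resources[*].providers[*].aescbc.keys[*].secret}",
+EncryptionConfig{
+Kind: "EncryptionConfig",
+ApiVersion: "v1",
+Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
+{"aescbc": Aescbc{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
+}}}},
+"secret1",
+false,
+},
+{
+"JSONPath parse works, results match",
+"{.resources[*].providers[*].aescbc.keys[*].name}",
+EncryptionConfig{
+Kind: "EncryptionConfig",
+ApiVersion: "v1",
+Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
+{"aescbc": Aescbc{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
+}}}},
+"name1",
+false,
+},
+{
+"JSONPath parse works, results don't match",
+"{.resources[*].providers[*].aescbc.keys[*].secret}",
+EncryptionConfig{
+Kind: "EncryptionConfig",
+ApiVersion: "v1",
+Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
+{"aesgcm": Aesgcm{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
+}}}},
+"secret1",
+true,
+},
+{
+"JSONPath parse works, results match",
+"{.resources[*].providers[*].aesgcm.keys[*].secret}",
+EncryptionConfig{
+Kind: "EncryptionConfig",
+ApiVersion: "v1",
+Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
+{"aesgcm": Aesgcm{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
+}}}},
+"secret1",
+false,
+},
+{
+"JSONPath parse works, results match",
+"{.resources[*].providers[*].secretbox.keys[*].secret}",
+EncryptionConfig{
+Kind: "EncryptionConfig",
+ApiVersion: "v1",
+Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
+{"secretbox": SecretBox{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
+}}}},
+"secret1",
+false,
+},
+{
+"JSONPath parse works, results match",
+"{.resources[*].providers[*].aescbc.keys[*].secret}",
+EncryptionConfig{
+Kind: "EncryptionConfig",
+ApiVersion: "v1",
+Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
+{"aescbc": Aescbc{Keys: []Key{Key{Secret: "secret1", Name: "name1"}, Key{Secret: "secret2", Name: "name2"}}}},
+}}}},
+"secret1 secret2",
+false,
+},
+}
+for _, c := range cases {
+t.Run(c.name, func(t *testing.T) {
+result, err := executeJSONPath(c.jsonPath, c.jsonInterface)
+if err != nil && !c.expectedToFail {
+t.Fatalf("jsonPath:%q, expectedResult:%q got:%v", c.jsonPath, c.expectedResult, err)
+}
+if c.expectedResult != result && !c.expectedToFail {
+t.Errorf("jsonPath:%q, expectedResult:%q got:%q", c.jsonPath, c.expectedResult, result)
+}
+})
+}
+}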
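Review bot: The `expectedToFail` case asserts nothing: when `c.expectedToFail` is true both checks in the t.Run body are skipped, so the third case (an aesgcm provider queried with an aescbc path) passes whether executeJSONPath returns an error, an empty string or even the expected value. Add an explicit negative check after the existing two, e.g. `if c.expectedToFail && err == nil && result == c.expectedResult { t.Errorf("jsonPath:%q expected to fail, got %q", c.jsonPath, result) }`. Five of the six cases share the name "JSONPath parse works, results match", so t.Run can only tell them apart by an appended numeric suffix; naming each after what it exercises (aescbc secret, aescbc name, aesgcm, secretbox, two keys) would make a failure identifiable from the output. The `Key{...}` element type inside the `[]Key{...}` literals is redundant and `gofmt -s` would drop it, and the local `Identity` type (whose comment should read "identity disables encryption when set as the first provider") is declared but used by no case.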
