From 11136317f25bd0d3311896a556dc77741ec0d7aa Mon Sep 17 00:00:00 2001
From: tonyqui <tonyqui@hotmail.com>
Date: Wed, 27 Oct 2021 11:56:00 +0200
Subject: [PATCH] Fix experimental-encryption-provider-config test on OCP 3.11
 - Issue #926 (#1024)

Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
---
 cfg/rh-0.7/master.yaml |   9 ++-
 check/test_test.go     | 128 ++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 134 insertions(+), 3 deletions(-)

diff --git a/cfg/rh-0.7/master.yaml b/cfg/rh-0.7/master.yaml
index 8c069a5..9db5393 100644
--- a/cfg/rh-0.7/master.yaml
+++ b/cfg/rh-0.7/master.yaml
@@ -591,11 +591,16 @@ groups:
 
         audit_config: "grep -A1 experimental-encryption-provider-config /etc/origin/master/master-config.yaml | sed -n '2p' | awk '{ print $2 }' | xargs cat"
         tests:
+          bin_op: and
           test_items:
-            - path: "{.providers.aescbc.experimental-encryption-provider-config}"
+            - path: "{.resources[*].providers[*].aescbc.keys[*]}}"
+              compare:
+                op: has
+                value: "secret"
+            - path: "{.resources[*].providers[*].aescbc.keys[*]}}"
               compare:
                 op: has
-                value: "aescbc"
+                value: "name"
         remediation: |
           Edit the Openshift master config file /etc/origin/master/master-config.yaml and set aescbc as the first provider in encryption provider config.
           See https://docs.openshift.com/container-platform/3.10/admin_guide/encrypting_data.html.
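Review bot: Both new `path` values end in a doubled closing brace, `keys[*]}}`; the trailing `}` sits outside the JSONPath expression and is at best carried through as literal text, so both lines should read `- path: "{.resources[*].providers[*].aescbc.keys[*]}"`. Separately, `providers[*]` matches an aescbc entry at any position in the provider list, whereas the remediation text below requires aescbc to be the first provider; with `identity` listed first, data is stored unencrypted and this check would still pass, so `providers[0].aescbc.keys[*]` (assuming the OCP 3.11 config nests the same way as the test fixtures in this patch) would enforce what the remediation describes. Note also that `keys[*]` yields the whole key object, secret material included, and the `has` comparison only inspects the field names `secret`/`name`; matching on `.keys[*].name` alone would verify the same structure without pulling key values into the check output, should that output be reported.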
diff --git a/check/test_test.go b/check/test_test.go
index b918bec..8cbad72 100644
--- a/check/test_test.go
+++ b/check/test_test.go
@@ -427,7 +427,7 @@ func TestExecuteJSONPath(t *testing.T) {
 	}{
 		{
 			"JSONPath parse works, results don't match",
-			"{.Kind}",
+			"{.resourcesproviders.aescbc}",
 			kubeletConfig{
 				Kind:       "KubeletConfiguration",
 				ApiVersion: "kubelet.config.k8s.io/v1beta1",
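Review bot: The replacement path `{.resourcesproviders.aescbc}` reads like a mangled form of `{.resources[*].providers[*].aescbc}`, and since the fixture is a `kubeletConfig` either spelling refers to a field that does not exist, which exercises a parse-time/eval-time failure rather than the "results don't match" the case name promises. If an intentionally non-existent field is the goal, a short comment on the case, `// field does not exist on kubeletConfig: exercises the lookup-failure path`, would stop the next reader from "fixing" the string; otherwise restore a path that exists but yields a different value. The enclosing `TestExecuteJSONPath` starts and ends outside this hunk.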
@@ -1134,3 +1134,129 @@ func TestToNumeric(t *testing.T) {
 		})
 	}
 }
+
+func TestExecuteJSONPathOnEncryptionConfig(t *testing.T) {
+
+	type Resources struct {
+		Resources	[]string	`json:"resources"`
+		Providers	[]map[string]interface{}		`json:"providers"`
+	}
+
+	type EncryptionConfig struct {
+		Kind		string		`json:"kind"`
+		ApiVersion	string		`json:"apiVersion"`
+		Resources	[]Resources	`json:"resources"`
+	}
+
+	type Key struct {
+		Secret	string `json:"secret"`
+		Name	string `json:"name"`
+	}
+
+	type Aescbc struct {
+		Keys	[]Key	`json:"keys"`
+	}
+
+	type SecretBox struct {
+		Keys	[]Key	`json:"keys"`
+	}
+
+	type Aesgcm	struct {
+		Keys	[]Key	`json:"keys"`
+	}
+
+	// identity disable encryption when set as the first parameter
+	type Identity struct {}
+
+	cases := []struct {
+		name           string
+		jsonPath       string
+		jsonInterface  EncryptionConfig
+		expectedResult string
+		expectedToFail bool
+	}{
+		{
+			"JSONPath parse works, results match",
+			"{.resources[*].providers[*].aescbc.keys[*].secret}",
+			EncryptionConfig{
+				Kind: "EncryptionConfig",
+				ApiVersion: "v1",
+				Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
+					{"aescbc": Aescbc{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
+				}}}},
+			"secret1",
+			false,
+		},
+		{
+			"JSONPath parse works, results match",
+			"{.resources[*].providers[*].aescbc.keys[*].name}",
+			EncryptionConfig{
+				Kind: "EncryptionConfig",
+				ApiVersion: "v1",
+				Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
+					{"aescbc": Aescbc{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
+				}}}},
+			"name1",
+			false,
+		},
+		{
+			"JSONPath parse works, results don't match",
+			"{.resources[*].providers[*].aescbc.keys[*].secret}",
+			EncryptionConfig{
+				Kind: "EncryptionConfig",
+				ApiVersion: "v1",
+				Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
+					{"aesgcm": Aesgcm{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
+				}}}},
+			"secret1",
+			true,
+		},
+		{
+			"JSONPath parse works, results match",
+			"{.resources[*].providers[*].aesgcm.keys[*].secret}",
+			EncryptionConfig{
+				Kind: "EncryptionConfig",
+				ApiVersion: "v1",
+				Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
+					{"aesgcm": Aesgcm{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
+				}}}},
+			"secret1",
+			false,
+		},
+		{
+			"JSONPath parse works, results match",
+			"{.resources[*].providers[*].secretbox.keys[*].secret}",
+			EncryptionConfig{
+				Kind: "EncryptionConfig",
+				ApiVersion: "v1",
+				Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
+					{"secretbox": SecretBox{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
+				}}}},
+			"secret1",
+			false,
+		},
+		{
+			"JSONPath parse works, results match",
+			"{.resources[*].providers[*].aescbc.keys[*].secret}",
+			EncryptionConfig{
+				Kind: "EncryptionConfig",
+				ApiVersion: "v1",
+				Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
+					{"aescbc": Aescbc{Keys: []Key{Key{Secret: "secret1", Name: "name1"}, Key{Secret: "secret2", Name: "name2"}}}},
+				}}}},
+			"secret1 secret2",
+			false,
+		},
+	}
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			result, err := executeJSONPath(c.jsonPath, c.jsonInterface)
+			if err != nil && !c.expectedToFail {
+				t.Fatalf("jsonPath:%q, expectedResult:%q got:%v", c.jsonPath, c.expectedResult, err)
+			}
+			if c.expectedResult != result && !c.expectedToFail {
+				t.Errorf("jsonPath:%q, expectedResult:%q got:%q", c.jsonPath, c.expectedResult, result)
+			}
+		})
+	}
+}
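Review bot: The `expectedToFail` cases in the loop at the end of `TestExecuteJSONPathOnEncryptionConfig` are never asserted: both `if` conditions are guarded by `!c.expectedToFail`, so the "results don't match" case (aesgcm fixture queried with the aescbc path) passes no matter what `executeJSONPath` returns, including a successful match. The assertion block should branch on `expectedToFail` first and require either an error or a non-matching result, as below. Smaller points in the same hunk: the struct declarations use tab alignment that is not gofmt-clean, `Identity` is declared but never used, five of the six cases share the name "JSONPath parse works, results match" so `t.Run` output cannot distinguish them, and `Key{...}` inside `[]Key{...}` is redundant (`gofmt -s` removes it).
```go
	// … unchanged: type declarations and cases table …
	for _, c := range cases {
		t.Run(c.name, func(t *testing.T) {
			result, err := executeJSONPath(c.jsonPath, c.jsonInterface)
			if c.expectedToFail {
				// A case expected to fail must actually fail: either an
				// error, or a result that differs from expectedResult.
				if err == nil && result == c.expectedResult {
					t.Errorf("jsonPath:%q, expected failure but got matching result %q", c.jsonPath, result)
				}
				return
			}
			if err != nil {
				t.Fatalf("jsonPath:%q, expectedResult:%q got:%v", c.jsonPath, c.expectedResult, err)
			}
			if c.expectedResult != result {
				t.Errorf("jsonPath:%q, expectedResult:%q got:%q", c.jsonPath, c.expectedResult, result)
			}
		})
	}
```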
-- 
GitLab