Merge pull request #6158 from JAORMX/basic-auth

ocp4: fix basic-auth check
ComplianceAsCode · Oct 7, 2020 · 65890b1 · 65890b1
2 parents 6e66cfe + 896385b
commit 65890b1
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 9 deletions.
diff --git a/...ver/api_server_basic_auth/oval/shared.xml → ...erver/api_server_basic_auth/oval/ocp3.xml b/...ver/api_server_basic_auth/oval/shared.xml → ...erver/api_server_basic_auth/oval/ocp3.xml
@@ -14,17 +14,9 @@
     <ind:object object_ref="object_api_server_basic_auth" />
   </ind:textfilecontent54_test>
 
-{{%- if product == "ocp4" %}}
-  <ind:textfilecontent54_object id="object_api_server_basic_auth" version="1">
-    <ind:filepath>/etc/kubernetes/static-pod-resources/configmaps/config/config.yaml</ind:filepath>
-    <ind:pattern operation="pattern match">^.*"basic-auth-file"\:[\s]*\[.*"(\S+)".*\][,]*.*$</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
-{{% else %}}
   <ind:textfilecontent54_object id="object_api_server_basic_auth" version="1">
     <ind:filepath>/etc/origin/master/master-config.yaml</ind:filepath>
     <ind:pattern operation="pattern match">^[\s]*basic-auth-file\:[\n]+[\s*]-[\s]*(\S+)[\s]*$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
-{{%- endif %}}
 </def-group>
diff --git a/applications/openshift/api-server/api_server_basic_auth/rule.yml b/applications/openshift/api-server/api_server_basic_auth/rule.yml
@@ -48,8 +48,27 @@ ocil: |-
     Run the following command on the master node(s):
 {{%- if product == "ocp4" %}}
     <pre>$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["basic-auth-file"]'</pre>
-    The output should return <pre>false</pre>.
+    The output should return <pre>null</pre>.
 {{% else %}}
     <pre>$ sudo grep -A2 basic-auth-file /etc/origin/master/master-config.yaml</pre>
 {{%- endif %}}
     The output should return no output.
+
+{{%- if product == "ocp4" %}}
+warnings:
+    - general: |-
+        {{{ openshift_cluster_setting("/api/v1/namespaces/openshift-kube-apiserver/configmaps/config") | indent(8) }}}
+{{%- endif %}}
+
+# This is updated for OCP4
+template:
+    name: yamlfile_value
+    vars:
+        filepath: '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'
+        yamlpath: ".data['config.yaml']"
+        value: "basic-auth"
+        type: "string"
+        operation: "pattern match"
+        entity_check: "none satisfy"
+        ocp_data: "true"
+