From 6ef0dd80b0f42f4ad026ebdc8d543f10cfcb4077 Mon Sep 17 00:00:00 2001 From: Matt Rogers Date: Mon, 25 Jan 2021 16:22:35 -0500 Subject: [PATCH] CIS 1.2.34: update api_server_encryption_provider_cipher --- .../kubernetes/shared.yml | 8 ++++ .../rule.yml | 43 +++++++++++-------- .../tests/ocp4/e2e-remediation.sh | 20 +++++++++ .../tests/ocp4/e2e.yml | 3 ++ 4 files changed, 56 insertions(+), 18 deletions(-) create mode 100644 applications/openshift/api-server/api_server_encryption_provider_cipher/kubernetes/shared.yml create mode 100755 applications/openshift/api-server/api_server_encryption_provider_cipher/tests/ocp4/e2e-remediation.sh create mode 100644 applications/openshift/api-server/api_server_encryption_provider_cipher/tests/ocp4/e2e.yml diff --git a/applications/openshift/api-server/api_server_encryption_provider_cipher/kubernetes/shared.yml b/applications/openshift/api-server/api_server_encryption_provider_cipher/kubernetes/shared.yml new file mode 100644 index 00000000000..e865a294c1e --- /dev/null +++ b/applications/openshift/api-server/api_server_encryption_provider_cipher/kubernetes/shared.yml @@ -0,0 +1,8 @@ +# platform = multi_platform_ocp +apiVersion: config.openshift.io/v1 +kind: APIServer +metadata: + name: cluster +spec: + encryption: + type: aescbc diff --git a/applications/openshift/api-server/api_server_encryption_provider_cipher/rule.yml b/applications/openshift/api-server/api_server_encryption_provider_cipher/rule.yml index 2df7ff32ee5..855844dbb24 100644 --- a/applications/openshift/api-server/api_server_encryption_provider_cipher/rule.yml +++ b/applications/openshift/api-server/api_server_encryption_provider_cipher/rule.yml @@ -5,20 +5,13 @@ prodtype: ocp4 title: 'Configure the Encryption Provider Cipher' description: |- - To configure OpenShift to use the aescbc encryption provider, - follow the OpenShift documentation to create or modify an - EncryptionConfig file. - In this file, choose aescbc as the encryption provider: -
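Review bot: The new remediation object carries no comment saying that it does not take effect immediately: setting `spec.encryption.type` on `apiserver/cluster` starts a rollout whose completion is only reported later through the `Encrypted` condition, which is why tests/ocp4/e2e-remediation.sh in this same patch polls for `EncryptionCompleted` before treating the remediation as applied. A one-line note under `# platform = multi_platform_ocp`, e.g. `# Changing spec.encryption.type starts an encryption rollout; the Encrypted condition reports EncryptionCompleted once it is done`, would spare the next reader the detour through the test script.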
kind: EncryptionConfig
-    apiVersion: v1
-    resources:
-      - resources:
-        - secrets
-        providers:
-        - aescbc:
-            keys:
-            - name: key1
-              secret: 32-byte base64-encoded secret
+ To ensure the correct cipher, set the encryption type aescbc in the + apiserver object which configures the API server itself. +
+    spec:
+      encryption:
+        type: aescbc
+    
rationale: |- aescbc is currently the strongest encryption provider, it should @@ -33,7 +26,21 @@ ocil_clause: 'aescbc is not configured as the encryption provider' ocil: |- Run the following command: -
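Review bot: The rewritten description block ends with a whitespace-only line, `+    `, immediately before `rationale:`; under the `|-` chomping indicator it is stripped from the value, but yamllint's trailing-spaces rule rejects it and it is easy to turn into a stray content line on a later edit. Dropping that line, or making it empty, leaves the rendered description unchanged.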
$ oc get secrets encryption-config -n openshift-kube-apiserver -o json | jq -r '.data["encryption-config"]' | base64 -d | jq -r '.resources'
- Verify that the aescbc encryption provider is used for all the desired - resources. - +
$ oc get apiserver cluster -ojson | jq -r '.spec.encryption.type'
+ The output should return aescdc as the encryption type. + +warnings: +- general: |- + {{{ openshift_cluster_setting("/apis/config.openshift.io/v1/apiservers/cluster") | indent(4) }}} + +template: + name: yamlfile_value + vars: + ocp_data: "true" + entity_check: "at least one" + filepath: '/apis/config.openshift.io/v1/apiservers/cluster' + yamlpath: '.spec.encryption.type' + values: + - value: 'aescbc' + type: "string" + operation: "pattern match" diff --git a/applications/openshift/api-server/api_server_encryption_provider_cipher/tests/ocp4/e2e-remediation.sh b/applications/openshift/api-server/api_server_encryption_provider_cipher/tests/ocp4/e2e-remediation.sh new file mode 100755 index 00000000000..1654e122e08 --- /dev/null +++ b/applications/openshift/api-server/api_server_encryption_provider_cipher/tests/ocp4/e2e-remediation.sh @@ -0,0 +1,20 @@ +#!/bin/bash +# +# This waits for etcd encryption to be enabled. The operator can apply the +# remediation, but waiting for this to get applied is still something that +# needs to be done outside of the operator. +# +# This patch sets the encryption setting and waits for it to be applied + +while true; do + status=$(oc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}') + + echo "Current Encryption Status:" + oc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}' + + if [ "$status" == "EncryptionCompleted" ]; then + exit 0 + fi + + sleep 5 +done diff --git a/applications/openshift/api-server/api_server_encryption_provider_cipher/tests/ocp4/e2e.yml b/applications/openshift/api-server/api_server_encryption_provider_cipher/tests/ocp4/e2e.yml new file mode 100644 index 00000000000..fd9b313e87b --- /dev/null +++ b/applications/openshift/api-server/api_server_encryption_provider_cipher/tests/ocp4/e2e.yml @@ -0,0 +1,3 @@ +--- +default_result: FAIL +result_after_remediation: PASS
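Review bot: The new `ocil:` text says `The output should return aescdc as the encryption type.`, but the value being checked is `aescbc` (as in the hunk's `ocil_clause` and the `values:` entry of the template), so the assessor is told to look for a string that can never appear; it should read `The output should return aescbc as the encryption type.`. Separately, the template entry uses `operation: "pattern match"` with the unanchored value `'aescbc'`; anchoring it as `'^aescbc$'` (or an exact-match operation, if the yamlfile_value template offers one) makes the check reject any value that merely contains that substring. The `warnings:` list is written flush (`- general:`) while `values:` is indented; one sequence style file-wide is easier on yamllint.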
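Review bot: The `while true` poll has no upper bound, so if the Encrypted condition never reaches `EncryptionCompleted` (a stalled rollout, or an `oc` that keeps failing and leaves `status` empty) the e2e remediation step hangs indefinitely instead of failing. A counter with a maximum number of attempts turns that into a visible non-zero exit; the bound in the sketch below is a constructed example to be tuned for the cluster. As a lesser point, the `{range …}` in both jsonpath expressions has no matching `{end}`; if kubectl tolerates that it works, but closing the range is the documented form.
```shell
# … unchanged: header comment …
attempts=0
max_attempts=120  # constructed bound: 10 minutes at 5s; tune for the cluster
while true; do
    # … unchanged: status query and echo …
    if [ "$status" == "EncryptionCompleted" ]; then
        exit 0
    fi
    attempts=$((attempts + 1))
    if [ "$attempts" -ge "$max_attempts" ]; then
        echo "Timed out waiting for the Encrypted condition to reach EncryptionCompleted" >&2
        exit 1
    fi
    sleep 5
done
```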