Description of problem:
The rule ocp4-moderate-oauth-or-oauthclient-inactivity-timeout gets FAIL when the OAuth server timeout parameter accessTokenInactivityTimeout is configured as "600s". However, when the OAuth server timeout parameter accessTokenInactivityTimeout is configured as "10min0s", the rule gets PASS and there is no such issue.

Version-Release number of selected component (if applicable):
4.8.0-0.nightly-2021-07-15-221145 + compliance-operator-v0.1.35

How reproducible:
always

Steps to Reproduce:
1. Deploy the compliance operator.
2. Configure the OAuth server timeout, and wait until all pods in the openshift-authentication namespace have finished restarting.

# oc patch oauth cluster -p '{"spec":{"tokenConfig":{"accessTokenInactivityTimeout":"600s"}}}' --type=merge
oauth.config.openshift.io/cluster patched
# oc get oauth cluster -ojsonpath='{.spec.tokenConfig.accessTokenInactivityTimeout}'
600s

3. Create ssb:

# oc create -f - << EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: my-ssb-r
> profiles:
> - name: ocp4-moderate
>   kind: Profile
>   apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:
>   name: default
>   kind: ScanSetting
>   apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/my-ssb-r created

4. Check the scan result for rule ocp4-moderate-oauth-or-oauthclient-inactivity-timeout.

Actual results:
The scan result for rule ocp4-moderate-oauth-or-oauthclient-inactivity-timeout is FAIL when the OAuth server timeout is configured:

# oc get checkresult ocp4-moderate-oauth-or-oauthclient-inactivity-timeout
NAME                                                    STATUS   SEVERITY
ocp4-moderate-oauth-or-oauthclient-inactivity-timeout   FAIL     medium

Expected results:
When the OAuth server timeout parameter accessTokenInactivityTimeout is configured as "600s", the rule should be PASS.
Per the instructions, the rule could be PASS when either the OAuth server timeout is configured or the OAuth client timeout is configured:

# oc get checkresult ocp4-moderate-oauth-or-oauthclient-inactivity-timeout -o=jsonpath={.instructions}
To check if the OAuth server timeout is configured, run the following command:
oc get oauth cluster -ojsonpath='{.spec.tokenConfig.accessTokenInactivityTimeout}'
the output should return a timeout value.
To check if the OAuth client timeout is configured, run the following command:
oc get oauthclients -ojson | jq -r '.items[] | { accessTokenInactivityTimeoutSeconds: .accessTokenInactivityTimeoutSeconds}'
the output should return a timeout value per client.

Additional info:
However, when the OAuth server timeout parameter accessTokenInactivityTimeout is configured as "10min0s", there is no such issue and the rule gets PASS:

# oc patch oauth cluster -p '{"spec":{"tokenConfig":{"accessTokenInactivityTimeout":"10min0s"}}}' --type=merge
oauth.config.openshift.io/cluster patched
I think https://github.com/ComplianceAsCode/content/commit/c72041d517f838db46fa072d5f8f7b6a70e9924d#diff-9f93b44270aaf266e5e117d05c1e74288bdd290afd99859b2ac901b83131f389 fixes this. Needs confirmation, though.
@Matt
Yes, when the OAuth server timeout parameter accessTokenInactivityTimeout is configured as "10min0s", there is no such issue and the rule gets PASS.
The only problem is that "600s" is a valid configuration for oauth cluster. Why doesn't it work for this rule? Thanks.
(In reply to xiyuan from comment #2)
> @Matt
> Yes, when the OAuth server timeout parameter accessTokenInactivityTimeout is
> configured as "10min0s", there is no such issue and rule gets PASS.
> The only problem is "600s" is valid configuration for oauth cluster. Why it
> doesn't work for this rule? Thanks.

Because the rule uses a variable and the rule's check asserts equality between the variable's value and the value in the API object. There's no way to convert the variable value between 600s and 10m0s in openscap even though they mean the same thing. And for some reason (I guess as a result of validation), the oauth server converts the value in seconds into a value in minutes and seconds, so 600s becomes 10m0s on the oauth server side.

The confusing instructions that say 600s should be fixed with the commit Matt linked, which changed the value we check for from 600s to 10m0s.

For now, if you can verify that the latest content builds show 10m in the instructions, I would leave the variable in. We will be working on exposing the variables better in one of the upcoming releases. If you think it would help, we can document in the instructions that the values are converted. As a last resort, we could remove the variable completely, but I wouldn't like that to be honest.
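The mismatch described in the comment above, as an added Go example that is not part of this bug thread or of the ComplianceAsCode content: the OAuth server's timeout is a Go duration, so time.ParseDuration treats "600s" and "10m0s" as the same value and Duration.String() yields the "10m0s" spelling the server stores; comparing parsed durations rather than strings avoids the false FAIL. The function names and sample values are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// NormalizeServerTimeout parses the OAuth server's
// spec.tokenConfig.accessTokenInactivityTimeout (a Go duration string) and
// returns the canonical spelling time.Duration.String() produces, which is
// what the server stores: "600s" comes back as "10m0s".
func NormalizeServerTimeout(raw string) (string, error) {
	d, err := time.ParseDuration(strings.TrimSpace(raw))
	if err != nil {
		return "", fmt.Errorf("invalid accessTokenInactivityTimeout %q: %w", raw, err)
	}
	if d <= 0 {
		return "", fmt.Errorf("accessTokenInactivityTimeout %q must be positive", raw)
	}
	return d.String(), nil
}

// ServerTimeoutMatches compares a configured server timeout against an
// expected one (as a compliance variable would express it) by parsed
// duration rather than by string equality, so "600s" and "10m0s" agree.
func ServerTimeoutMatches(configured, expected string) (bool, error) {
	c, err := time.ParseDuration(configured)
	if err != nil {
		return false, fmt.Errorf("configured value %q: %w", configured, err)
	}
	e, err := time.ParseDuration(expected)
	if err != nil {
		return false, fmt.Errorf("expected value %q: %w", expected, err)
	}
	return c == e, nil
}

// ClientTimeoutMatches does the same for an OAuthClient, whose top-level
// accessTokenInactivityTimeoutSeconds is an integer number of seconds.
func ClientTimeoutMatches(seconds int64, expected string) (bool, error) {
	e, err := time.ParseDuration(expected)
	if err != nil {
		return false, fmt.Errorf("expected value %q: %w", expected, err)
	}
	return time.Duration(seconds)*time.Second == e, nil
}

func main() {
	// Constructed sample values mirroring the bug report; not read from a live cluster.
	for _, raw := range []string{"600s", "10m0s", "0.5h", "ten minutes"} {
		canon, err := NormalizeServerTimeout(raw)
		if err != nil {
			fmt.Printf("%-12s -> rejected: %v\n", raw, err)
			continue
		}
		ok, _ := ServerTimeoutMatches(raw, "10m0s")
		fmt.Printf("%-12s -> stored as %-6s matches 10m0s: %v\n", raw, canon, ok)
	}
	ok, _ := ClientTimeoutMatches(600, "10m0s")
	fmt.Printf("oauthclient accessTokenInactivityTimeoutSeconds=600 matches 10m0s: %v\n", ok)
}
```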
(In reply to Jakub Hrozek from comment #3)
> (In reply to xiyuan from comment #2)
> > @Matt
> > Yes, when the OAuth server timeout parameter accessTokenInactivityTimeout is
> > configured as "10min0s", there is no such issue and rule gets PASS.
> > The only problem is "600s" is valid configuration for oauth cluster. Why it
> > doesn't work for this rule? Thanks.
>
> Because the rule uses a variable and the rule's check asserts equality
> between the variable's value and the value in the API object. There's no way
> to convert the variable value between 600s and 10m0s in openscap even though
> they mean the same thing. And for some reason (I guess as a result of
> validation), the oauth server converts the value in seconds into value in
> minutes and seconds, so 600s becomes 10m0s on the oauth server side.
>
> The confusing instructions that say 600s should be fixed with the commit
> Matt linked which changed the value we check for from 600s to 10m0s.
>
> For now, if you can verify that the latest content builds show 10m in the
> instructions, I would leave the variable in. We will be working on exposing
> the variables better in one of the upcoming releases. If you think it would
> help, we can document in the instructions that the values are converted. As
> a last resort, we could remove the variable completely, but I wouldn't like
> that to be honest.

@jhrozek Documenting it would be enough (in the instruction or the OpenShift docs are both fine). I confirmed that when 10min0s was set, the rule is working as expected.
PR: https://github.com/ComplianceAsCode/content/pull/7273
Fixed in https://github.com/ComplianceAsCode/content/pull/7273
Hi Jakub,
I didn't find the note added for the rule. Did I use the wrong command? Could you help to double check? Thanks.

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.9.0-0.nightly-2021-08-23-224104   True        False         4h6m    Cluster version is 4.9.0-0.nightly-2021-08-23-224104
$ oc get ip
NAME            CSV                           APPROVAL    APPROVED
install-64zqn   compliance-operator.v0.1.39   Automatic   true
$ oc get csv
NAME                              DISPLAY                            VERSION    REPLACES   PHASE
compliance-operator.v0.1.39       Compliance Operator                0.1.39                Succeeded
elasticsearch-operator.5.2.0-43   OpenShift Elasticsearch Operator   5.2.0-43              Succeeded
$ oc get profilebundle.compliance
NAME     CONTENTIMAGE                                                                                                                       CONTENTFILE         STATUS
ocp4     registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7527f52d9ce5f22fe5453b23eb490ce1f7e64e0cf7112b13a294c4bc442ae35d   ssg-ocp4-ds.xml     VALID
rhcos4   registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7527f52d9ce5f22fe5453b23eb490ce1f7e64e0cf7112b13a294c4bc442ae35d   ssg-rhcos4-ds.xml   VALID
$ oc get pod
NAME                                            READY   STATUS    RESTARTS       AGE
compliance-operator-78f66d7ddf-26989            1/1     Running   1 (3m7s ago)   3m53s
ocp4-openshift-compliance-pp-6d7c7db4bd-h5qv6   1/1     Running   0              2m31s
rhcos4-openshift-compliance-pp-c7b548bd-j6h4s   1/1     Running   0              2m31s
$ oc get rule ocp4-oauth-or-oauthclient-inactivity-timeout -o=jsonpath={.description}
You can configure OAuth tokens to expire after a set period of inactivity. By default, no token inactivity timeout is set.

The inactivity timeout can be either set in the OAuth server configuration or in any of the OAuth clients. The client settings override the OAuth server setting.

To set the OAuth server inactivity timeout, edit the OAuth server object: oc edit oauth cluster and set the .spec.tokenConfig.accessTokenInactivityTimeout parameter to the desired value:

apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  ...
spec:
  tokenConfig:
    accessTokenInactivityTimeout: 10m0s

For more information on configuring the OAuth server, consult the OpenShift documentation: https://docs.openshift.com/container-platform/4.7/authentication/configuring-oauth-clients.html

To edit the OAuth client inactivity timeout, edit the OAuth client object: oc edit oauthclient $clientname and set the top-level accessTokenInactivityTimeoutSeconds attribute.

apiVersion: oauth.openshift.io/v1
grantMethod: auto
kind: OAuthClient
metadata:
  ...
accessTokenInactivityTimeoutSeconds: 600

For more information on configuring the OAuth clients, consult the OpenShift documentation: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html-single/authentication_and_authorization/index#oauth-token-inactivity-timeout_configuring-internal-oauth

$ oc-compliance view-result ocp4-moderate-oauth-or-oauthclient-inactivity-timeout
KEY            VALUE
Title          Configure OAuth tokens to expire after a set period of inactivity
Status         FAIL
Severity       medium
Description    You can configure OAuth tokens to expire after a set period of inactivity. By default, no token inactivity timeout is set.

               The inactivity timeout can be either set in the OAuth server configuration or in any of the OAuth clients. The client settings override the OAuth server setting.

               To set the OAuth server inactivity timeout, edit the OAuth server object: oc edit oauth cluster and set the .spec.tokenConfig.accessTokenInactivityTimeout parameter to the desired value:

               apiVersion: config.openshift.io/v1
               kind: OAuth
               metadata:
                 ...
               spec:
                 tokenConfig:
                   accessTokenInactivityTimeout: 10m0s

               For more information on configuring the OAuth server, consult the OpenShift documentation: https://docs.openshift.com/container-platform/4.7/authentication/configuring-oauth-clients.html

               To edit the OAuth client inactivity timeout, edit the OAuth client object: oc edit oauthclient $clientname and set the top-level accessTokenInactivityTimeoutSeconds attribute.

               apiVersion: oauth.openshift.io/v1
               grantMethod: auto
               kind: OAuthClient
               metadata:
                 ...
               accessTokenInactivityTimeoutSeconds: 600

               For more information on configuring the OAuth clients, consult the OpenShift documentation: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html-single/authentication_and_authorization/index#oauth-token-inactivity-timeout_configuring-internal-oauth
Rationale      Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a session that has been left unattended.
Instructions   To check if the OAuth server timeout is configured, run the following command:
               oc get oauth cluster -ojsonpath='{.spec.tokenConfig.accessTokenInactivityTimeout}'
               the output should return a timeout value.

               To check if the OAuth client timeout is configured, run the following command:
               oc get oauthclients -ojson | jq -r '.items[] | { accessTokenInactivityTimeoutSeconds: .accessTokenInactivityTimeoutSeconds}'
               the output should return a timeout value per client.
...
Looking at the git log, I see that I've only added the new content to the oauth-inactivity-timeout rule, not to the compound one. Can you verify that the text looks good over there and if it does, I'll copy it over to the compound rule. Thanks for bringing this up.
Hi Jakub,
Yes, it is available in the description for rule ocp4-oauth-inactivity-timeout. Is it possible to update the note in the instruction part for rule ocp4-oauth-or-oauthclient-inactivity-timeout as well? Thanks. Not sure whether it is reasonable or not.

$ oc get rule ocp4-oauth-inactivity-timeout -o=jsonpath={.description}
You can configure OAuth tokens to expire after a set period of inactivity. By default, no token inactivity timeout is set.

The inactivity timeout can be either set in the OAuth server configuration or in any of the OAuth clients. The client settings override the OAuth server setting.

To set the OAuth server inactivity timeout, edit the OAuth server object: oc edit oauth cluster and set the .spec.tokenConfig.accessTokenInactivityTimeout parameter to the desired value:

apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  ...
spec:
  tokenConfig:
    accessTokenInactivityTimeout:

Please note that the OAuth server converts the value internally to a human-readable format, so that e.g. setting accessTokenInactivityTimeout=600s would be converted by the OAuth server to accessTokenInactivityTimeout=10m0s.

For more information on configuring the OAuth server, consult the OpenShift documentation: https://docs.openshift.com/container-platform/4.7/authentication/configuring-oauth-clients.html
Per https://bugzilla.redhat.com/show_bug.cgi?id=1983062#c11 and https://bugzilla.redhat.com/show_bug.cgi?id=1983062#c12, move it to assigned.
Addressed with https://github.com/ComplianceAsCode/content/pull/7462 Thanks again for bringing this up.
Fixed with https://github.com/ComplianceAsCode/content/commit/a294642e4bf04bfc16b64de5262ffaa406941948
[Bug_Verification]
It looks good. Now the rule description has a note which clarifies the accessTokenInactivityTimeout parameter and its value, which users can refer to.

Verified on: 4.9.0-0.nightly-2021-09-23-142241 + compliance-operator.v0.1.41

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.9.0-0.nightly-2021-09-23-142241   True        False         8h      Cluster version is 4.9.0-0.nightly-2021-09-23-142241
$ oc get csv
NAME                             DISPLAY                            VERSION   REPLACES   PHASE
compliance-operator.v0.1.41      Compliance Operator                0.1.41               Succeeded
elasticsearch-operator.5.2.2-7   OpenShift Elasticsearch Operator   5.2.2-7              Succeeded
$ oc get pods
NAME                                            READY   STATUS    RESTARTS        AGE
compliance-operator-c769749d5-8pjgm             1/1     Running   1 (7h55m ago)   7h56m
ocp4-openshift-compliance-pp-64dbd7c98f-dwhdz   1/1     Running   0               7h54m
rhcos4-openshift-compliance-pp-66575dc885-lb9vh 1/1     Running   0               7h54m
$ oc get rules ocp4-oauth-or-oauthclient-inactivity-timeout -ojsonpath={.description}
You can configure OAuth tokens to expire after a set period of inactivity. By default, no token inactivity timeout is set.

The inactivity timeout can be either set in the OAuth server configuration or in any of the OAuth clients. The client settings override the OAuth server setting.

To set the OAuth server inactivity timeout, edit the OAuth server object: oc edit oauth cluster and set the .spec.tokenConfig.accessTokenInactivityTimeout parameter to the desired value:

apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  ...
spec:
  tokenConfig:
    accessTokenInactivityTimeout: 10m0s

Please note that the OAuth server converts the value internally to a human-readable format, so that e.g. setting accessTokenInactivityTimeout=600s would be converted by the OAuth server to accessTokenInactivityTimeout=10m0s.

For more information on configuring the OAuth server, consult the OpenShift documentation: https://docs.openshift.com/container-platform/4.7/authentication/configuring-oauth-clients.html

To edit the OAuth client inactivity timeout, edit the OAuth client object: oc edit oauthclient $clientname and set the top-level accessTokenInactivityTimeoutSeconds attribute.

apiVersion: oauth.openshift.io/v1
grantMethod: auto
kind: OAuthClient
metadata:
  ...
accessTokenInactivityTimeoutSeconds: 600

For more information on configuring the OAuth clients, consult the OpenShift documentation: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html-single/authentication_and_authorization/index#oauth-token-inactivity-timeout_configuring-internal-oauth

$ oc-compliance view-result ocp4-moderate-oauth-or-oauthclient-inactivity-timeout | head -100
KEY            VALUE
Title          Configure OAuth tokens to expire after a set period of inactivity
Status         FAIL
Severity       medium
Description    You can configure OAuth tokens to expire after a set period of inactivity. By default, no token inactivity timeout is set.

               The inactivity timeout can be either set in the OAuth server configuration or in any of the OAuth clients. The client settings override the OAuth server setting.

               To set the OAuth server inactivity timeout, edit the OAuth server object: oc edit oauth cluster and set the .spec.tokenConfig.accessTokenInactivityTimeout parameter to the desired value:

               apiVersion: config.openshift.io/v1
               kind: OAuth
               metadata:
                 ...
               spec:
                 tokenConfig:
                   accessTokenInactivityTimeout: 10m0s

               Please note that the OAuth server converts the value internally to a human-readable format, so that e.g. setting accessTokenInactivityTimeout=600s would be converted by the OAuth server to accessTokenInactivityTimeout=10m0s.

               For more information on configuring the OAuth server, consult the OpenShift documentation: https://docs.openshift.com/container-platform/4.7/authentication/configuring-oauth-clients.html

               To edit the OAuth client inactivity timeout, edit the OAuth client object: oc edit oauthclient $clientname and set the top-level accessTokenInactivityTimeoutSeconds attribute.

               apiVersion: oauth.openshift.io/v1
               grantMethod: auto
               kind: OAuthClient
               metadata:
                 ...
               accessTokenInactivityTimeoutSeconds: 600

               For more information on configuring the OAuth clients, consult the OpenShift documentation:
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Compliance Operator bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:4530