Bug 2081952 - The rule content_rule_oauth_or_oauthclient_inactivity_timeout is failing after setting "accessTokenInactivityTimeout: 10m0s"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Compliance Operator
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Vincent Shen
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2022-05-05 05:05 UTC by Mithilesh Kaur Bagga
Modified: 2022-09-15 07:06 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Cause: content_rule_oauth_or_oauthclient_inactivity_timeout didn't account for a configurable timeout set by the deployment when assessing compliance for timeouts. Consequence: This would result in the rule failing, even when the configured timeout was justified, or deemed valid. Fix: Use an updated version of the compliance operator content that uses the var_oauth_inactivity_timeout variable to set the valid timeout length. Result: The scan will report success for deployments overriding the default timeout.
Clone Of:
Environment:
Last Closed: 2022-07-14 12:40:58 UTC
Target Upstream Version:
Embargoed:




Links
System: Github | ID: ComplianceAsCode content pull 9008 | Private: 0 | Priority: None | Status: Merged | Summary: OCP: use variable for oauthclient_inactivity_timeout | Last Updated: 2022-06-23 15:03:23 UTC
System: Red Hat Product Errata | ID: RHBA-2022:5537 | Private: 0 | Priority: None | Status: None | Summary: None | Last Updated: 2022-07-14 12:41:05 UTC

Comment 2 xiyuan 2022-07-01 08:58:51 UTC
Verification pass with 4.11.0-0.nightly-2022-06-30-005428 and latest content pull from quay.io/compliance-operator/compliance-operator-content:latest
1. when the variable value in the tailored profile equals the value on the cluster, the rule PASS: 
# oc patch oauth cluster -p '{"spec":{"tokenConfig":{"accessTokenInactivityTimeout":"15m0s"}}}' --type=merge
oauth.config.openshift.io/cluster patched
$ oc get oauth cluster -ojsonpath='{.spec.tokenConfig.accessTokenInactivityTimeout}'
15m0s
$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: test-oauth-inactivity-timeout                        
  namespace: openshift-compliance
spec:                                         
  description: set value for ocp4-nerc-cip-oauth-or-oauthclient-inactivity-timeout
  title: set value for ocp4-nerc-cip-oauth-or-oauthclient-inactivity-timeout
  enableRules:
    - name: ocp4-oauth-or-oauthclient-inactivity-timeout
      rationale: platform
  setValues:
  - name: ocp4-var-oauth-inactivity-timeout
    rationale: platform
    value: '15m0s'
EOF
tailoredprofile.compliance.openshift.io/test-oauth-inactivity-timeout created
$ oc get tp
NAME                            STATE
test-oauth-inactivity-timeout   READY

$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: test
profiles:
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: TailoredProfile
    name: test-oauth-inactivity-timeout
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default
EOF
scansettingbinding.compliance.openshift.io/test created

$oc get suite
NAME   PHASE     RESULT
test   DONE          COMPLIANT
$ oc get ccr
NAME                                                                    STATUS   SEVERITY
test-oauth-inactivity-timeout-oauth-or-oauthclient-inactivity-timeout   PASS     medium

2. when the variable value in the tailored profile differs from the value on the cluster, the rule FAIL: 
$ oc patch oauth cluster -p '{"spec":{"tokenConfig":{"accessTokenInactivityTimeout":"10m0s"}}}' --type=merge
oauth.config.openshift.io/cluster patched
$ oc get co authentication -w
NAME             VERSION                              AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
authentication   4.11.0-0.nightly-2022-06-30-005428   True        True          False      6h52m   APIServerDeploymentProgressing: deployment/apiserver.openshift-oauth-apiserver: 1/3 pods have been updated to the latest generation...
authentication   4.11.0-0.nightly-2022-06-30-005428   True        True          False      6h52m   APIServerDeploymentProgressing: deployment/apiserver.openshift-oauth-apiserver: 2/3 pods have been updated to the latest generation...
authentication   4.11.0-0.nightly-2022-06-30-005428   True        True          False      6h53m   OAuthServerDeploymentProgressing: deployment/oauth-openshift.openshift-authentication: 1/3 pods have been updated to the latest generation
authentication   4.11.0-0.nightly-2022-06-30-005428   True        True          False      6h53m   OAuthServerDeploymentProgressing: deployment/oauth-openshift.openshift-authentication: 1/3 pods have been updated to the latest generation
authentication   4.11.0-0.nightly-2022-06-30-005428   True        True          False      6h54m   OAuthServerDeploymentProgressing: deployment/oauth-openshift.openshift-authentication: 1/3 pods have been updated to the latest generation
authentication   4.11.0-0.nightly-2022-06-30-005428   True        True          False      6h54m   OAuthServerDeploymentProgressing: deployment/oauth-openshift.openshift-authentication: 1/3 pods have been updated to the latest generation
authentication   4.11.0-0.nightly-2022-06-30-005428   True        True          False      6h54m   OAuthServerDeploymentProgressing: deployment/oauth-openshift.openshift-authentication: 1/3 pods have been updated to the latest generation
authentication   4.11.0-0.nightly-2022-06-30-005428   True        False         False      6h56m  
$ oc compliance rerun-now scansettingbinding test
Rerunning scans from 'test': test-oauth-inactivity-timeout
Re-running scan 'openshift-compliance/test-oauth-inactivity-timeout'
$ oc get suite 
NAME   PHASE     RESULT
test   DONE          NON-COMPLIANT
$ oc get ccr
NAME                                                                    STATUS   SEVERITY
test-oauth-inactivity-timeout-oauth-or-oauthclient-inactivity-timeout   FAIL     medium

Comment 5 xiyuan 2022-07-08 07:47:16 UTC
Verification pass with compliance-operator.v0.1.53 + 4.11.0-rc.1
$ oc get ip
NAME            CSV                           APPROVAL    APPROVED
install-hksfh   compliance-operator.v0.1.53   Automatic   true
$ oc get csv
NAME                            DISPLAY                            VERSION   REPLACES   PHASE
compliance-operator.v0.1.53     Compliance Operator                0.1.53               Succeeded
elasticsearch-operator.v5.5.0   OpenShift Elasticsearch Operator   5.5.0                Succeeded

1. when the value set for the variable differs from the value on the cluster:
$ oc apply -f -<<EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: TailoredProfile
> metadata:
>   name: test-oauth-inactivity-timeout                        
>   namespace: openshift-compliance
> spec:                                         
>   description: set value for ocp4-nerc-cip-oauth-or-oauthclient-inactivity-timeout
>   title: set value for ocp4-nerc-cip-oauth-or-oauthclient-inactivity-timeout
>   enableRules:
>     - name: ocp4-oauth-or-oauthclient-inactivity-timeout
>       rationale: platform
>   setValues:
>   - name: ocp4-var-oauth-inactivity-timeout
>     rationale: platform
>     value: '15m0s'
> EOF
tailoredprofile.compliance.openshift.io/test-oauth-inactivity-timeout created
$ oc get co  authentication -w 
NAME             VERSION       AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
authentication   4.11.0-rc.1   True        True          False      90m     APIServerDeploymentProgressing: deployment/apiserver.openshift-oauth-apiserver: 1/3 pods have been updated to the latest generation...
authentication   4.11.0-rc.1   True        True          False      91m     APIServerDeploymentProgressing: deployment/apiserver.openshift-oauth-apiserver: 2/3 pods have been updated to the latest generation...
authentication   4.11.0-rc.1   True        True          False      91m     APIServerDeploymentProgressing: deployment/apiserver.openshift-oauth-apiserver: 2/3 pods have been updated to the latest generation
authentication   4.11.0-rc.1   True        False         False      92m     
authentication   4.11.0-rc.1   True        False         False      92m     
authentication   4.11.0-rc.1   True        False         False      92m     
^C$  oc apply -f -<<EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: test
> profiles:
>   - apiGroup: compliance.openshift.io/v1alpha1
>     kind: TailoredProfile
>     name: test-oauth-inactivity-timeout
> settingsRef:
>   apiGroup: compliance.openshift.io/v1alpha1
>   kind: ScanSetting
>   name: default
> EOF
scansettingbinding.compliance.openshift.io/test created
$ oc get suite -w
NAME   PHASE     RESULT
test   RUNNING   NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   DONE          NON-COMPLIANT
test   DONE          NON-COMPLIANT
^C$ oc get ccr
NAME                                                                    STATUS   SEVERITY

2. when the value set for the variable equals the value on the cluster:
$ oc patch oauth cluster -p '{"spec":{"tokenConfig":{"accessTokenInactivityTimeout":"15m0s"}}}' --type=merge
oauth.config.openshift.io/cluster patched
$ oc compliance rerun-now scansettingbinding test
Rerunning scans from 'test': test-oauth-inactivity-timeout
Re-running scan 'openshift-compliance/test-oauth-inactivity-timeout'
$ oc get suite -w
NAME   PHASE     RESULT
test   RUNNING   NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   DONE          COMPLIANT
test   DONE          COMPLIANT
^C $ oc get ccr
NAME                                                                    STATUS   SEVERITY
test-oauth-inactivity-timeout-oauth-or-oauthclient-inactivity-timeout   PASS     medium

3. Check whether the default remediation works: 
Delete the tp and ssb, then check with no variable set:
$ oc delete ssb --all
scansettingbinding.compliance.openshift.io "test" deleted
$ oc delete tp --all
tailoredprofile.compliance.openshift.io "test-oauth-inactivity-timeout" deleted
$ oc apply -f -<<EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: TailoredProfile
> metadata:
>   name: test-oauth-inactivity-timeout                        
>   namespace: openshift-compliance
> spec:                                         
>   description: set value for ocp4-nerc-cip-oauth-or-oauthclient-inactivity-timeout
>   title: set value for ocp4-nerc-cip-oauth-or-oauthclient-inactivity-timeout
>   enableRules:
>     - name: ocp4-oauth-or-oauthclient-inactivity-timeout
>       rationale: platform
> EOF
tailoredprofile.compliance.openshift.io/test-oauth-inactivity-timeout created
$  oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: test                                                 
profiles:                        
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: TailoredProfile                                                         
    name: test-oauth-inactivity-timeout
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default
EOF                                        
scansettingbinding.compliance.openshift.io/test created
$ oc get suite -w
NAME   PHASE     RESULT
test   RUNNING   NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   DONE          NON-COMPLIANT
test   DONE          NON-COMPLIANT

$ oc get cr
NAME                                                                    STATE
test-oauth-inactivity-timeout-oauth-or-oauthclient-inactivity-timeout   NotApplied
$ oc patch ssb test -p '{"settingsRef":{"name":"default-auto-apply"}}' --type='merge'
scansettingbinding.compliance.openshift.io/test patched
$ oc compliance rerun-now scansettingbinding test
Rerunning scans from 'test': test-oauth-inactivity-timeout
Re-running scan 'openshift-compliance/test-oauth-inactivity-timeout'

$ oc get cr
NAME                                                                    STATE
test-oauth-inactivity-timeout-oauth-or-oauthclient-inactivity-timeout   Applied
$ oc compliance rerun-now scansettingbinding test
Rerunning scans from 'test': test-oauth-inactivity-timeout
Re-running scan 'openshift-compliance/test-oauth-inactivity-timeout'
[xiyuan@MiWiFi-RA69-srv func]NAME   PHASE       RESULT
test   LAUNCHING   NOT-AVAILABLE
test   RUNNING     NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   DONE          COMPLIANT
test   DONE          COMPLIANT
^C$ oc get ccr
NAME                                                                    STATUS   SEVERITY
test-oauth-inactivity-timeout-oauth-or-oauthclient-inactivity-timeout   PASS     medium
$  oc get oauth cluster -ojsonpath='{.spec.tokenConfig.accessTokenInactivityTimeout}'
10m0s
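The three verification runs above exercise one check: the cluster's OAuth spec.tokenConfig.accessTokenInactivityTimeout is compared with the value of ocp4-var-oauth-inactivity-timeout from the tailored profile, and when no value is set the default remediation writes the default to the cluster. The Go program below is an added illustrative model of that check, not the ComplianceAsCode rule or Compliance Operator code. It assumes the comparison is equality (which is what the log shows: 15m0s vs 15m0s passes, 10m0s vs 15m0s fails), it takes the variable's default to be 10m0s because that is the value the default remediation wrote to the cluster in step 3 of Comment 5, and the function names, the Result type and the sample JSON are all constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Added example, not ComplianceAsCode or Compliance Operator code. It models
// the check the verification log exercises: the cluster's OAuth
// spec.tokenConfig.accessTokenInactivityTimeout is compared with the
// ocp4-var-oauth-inactivity-timeout value, or with a default when unset.

// DefaultInactivityTimeout is the value the default remediation wrote to the
// cluster in the log (10m0s); treating it as the variable's default is an
// inference from that log, not a documented constant.
const DefaultInactivityTimeout = "10m0s"

// OAuth mirrors only the fields of the config.openshift.io/v1 OAuth object
// that the check reads (as returned by `oc get oauth cluster -o json`).
type OAuth struct {
	Spec struct {
		TokenConfig struct {
			AccessTokenInactivityTimeout string `json:"accessTokenInactivityTimeout"`
		} `json:"tokenConfig"`
	} `json:"spec"`
}

// Result is the per-rule outcome, mirroring the STATUS column of `oc get ccr`.
type Result string

const (
	Pass Result = "PASS"
	Fail Result = "FAIL"
)

// expectedTimeout resolves the variable: an explicit tailored-profile value
// wins, otherwise the assumed default applies.
func expectedTimeout(varValue string) (time.Duration, error) {
	if varValue == "" {
		varValue = DefaultInactivityTimeout
	}
	return time.ParseDuration(varValue)
}

// EvaluateInactivityTimeout returns PASS when the cluster's configured
// inactivity timeout equals the expected one (assumed equality semantics).
// Durations are compared after parsing, so "15m" and "15m0s" are equal even
// though the strings differ. An unset field fails: the rule requires a value.
func EvaluateInactivityTimeout(oauthJSON []byte, varValue string) (Result, error) {
	var o OAuth
	if err := json.Unmarshal(oauthJSON, &o); err != nil {
		return Fail, fmt.Errorf("decode OAuth object: %w", err)
	}
	want, err := expectedTimeout(varValue)
	if err != nil {
		return Fail, fmt.Errorf("variable value %q: %w", varValue, err)
	}
	got := o.Spec.TokenConfig.AccessTokenInactivityTimeout
	if got == "" {
		return Fail, nil
	}
	have, err := time.ParseDuration(got)
	if err != nil {
		return Fail, fmt.Errorf("cluster value %q: %w", got, err)
	}
	if have == want {
		return Pass, nil
	}
	return Fail, nil
}

// RemediationPatch builds the merge-patch body that the log shows being
// applied by hand with `oc patch oauth cluster --type=merge`, so that the
// cluster value matches the variable (or the default when it is unset).
func RemediationPatch(varValue string) (string, error) {
	want, err := expectedTimeout(varValue)
	if err != nil {
		return "", err
	}
	patch := map[string]any{
		"spec": map[string]any{
			"tokenConfig": map[string]any{
				"accessTokenInactivityTimeout": want.String(),
			},
		},
	}
	b, err := json.Marshal(patch)
	return string(b), err
}

func main() {
	// Constructed sample of the object the scan reads, as after the
	// `oc patch ... "10m0s"` step in Comment 2.
	cluster := []byte(`{"spec":{"tokenConfig":{"accessTokenInactivityTimeout":"10m0s"}}}`)
	for _, v := range []string{"15m0s", "10m0s", ""} {
		r, err := EvaluateInactivityTimeout(cluster, v)
		fmt.Printf("var=%q -> %s (err=%v)\n", v, r, err)
	}
	p, _ := RemediationPatch("15m0s")
	fmt.Println("remediation patch:", p)
}
```

Comparing parsed durations rather than raw strings matters for a rule like this: an administrator who sets `accessTokenInactivityTimeout: 15m` has configured the same timeout as one who sets `15m0s`, and a string comparison would report a spurious FAIL on exactly the kind of justified override this bug is about.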

Comment 7 errata-xmlrpc 2022-07-14 12:40:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Compliance Operator bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:5537

