Cloud Infrastructure Security & Compliance / CMP-3557

The annotations and instructions not accurate for rule ocp4-oauth-or-oauthclient-token-maxage


    • Quality / Stability / Reliability
    • CMP Sprint 105, CMP Sprint 106
    • Low

      Description of problem:

      Since PR https://github.com/ComplianceAsCode/content/pull/11423, rule ocp4-oauth-or-oauthclient-token-maxage compares against the variable ocp4-var-oauth-token-maxage, so that variable has to be set for the rule to PASS (unless you want to use the default value). The rule's annotations and instructions were not updated to reflect this.

      Version-Release number of selected component (if applicable):

      compliance-operator.v1.4.1    

      How reproducible:

      Always    

      Steps to Reproduce:

      1. Install the Compliance Operator.
      2. Check the YAML output of the rule ocp4-oauth-or-oauthclient-token-maxage.

      Actual results:

      1. There is no variable in the annotation.
      2. In the rule description/instructions, it says "the output should return a timeout value"
      % oc get rule ocp4-oauth-or-oauthclient-token-maxage -o=jsonpath={.metadata.annotations} | jq -r
      {
        "compliance.openshift.io/image-digest": "pb-ocp4hrxvx",
        "compliance.openshift.io/profiles": "ocp4-stig,ocp4-high-rev-4,ocp4-moderate,ocp4-high,ocp4-moderate-rev-4,ocp4-nerc-cip,ocp4-stig-v1r1",
        "compliance.openshift.io/rule": "oauth-or-oauthclient-token-maxage",
        "control.compliance.openshift.io/NIST-800-53": "AC-12",
        "policies.open-cluster-management.io/controls": "AC-12",
        "policies.open-cluster-management.io/standards": "NIST-800-53"
      }
      % oc get rule ocp4-oauth-or-oauthclient-token-maxage -o=jsonpath={.instructions}
      To check if the OAuth server token max age is configured, run the following command:
      oc get oauth cluster -ojsonpath='{.spec.tokenConfig.accessTokenMaxAgeSeconds}'
      the output should return a timeout value
      To check if the OAuth client token max age is configured, run the following command:
      oc get oauthclients -ojson | jq -r '.items[] | { accessTokenMaxAgeSeconds: .accessTokenMaxAgeSeconds}'
      the output should return a timeout value per client.%      
       
      % oc get rule ocp4-oauth-or-oauthclient-token-maxage -o=jsonpath={.description}
      You can configure OAuth tokens to have have a custom duration. By default, the tokens are valid for 24 hours (86400 seconds).
      The maximum age can be either set in the OAuth server configuration or in any of the OAuth clients. The client settings override the OAuth server setting.
      To set the OAuth server token max age, edit the OAuth server object: oc edit oauth cluster and set the.spec.tokenConfig.accessTokenMaxAgeSeconds parameter to the desired value:
      apiVersion: config.openshift.io/v1
      kind: OAuth
      metadata:
      ...
      spec:
        tokenConfig:
          accessTokenMaxAgeSeconds: 28800
      To set the OAuth client token max age, edit the OAuth client object: oc edit oauthclient $clientname and set the top-level accessTokenMaxAgeSeconds attribute.
      apiVersion: oauth.openshift.io/v1
      grantMethod: auto
      kind: OAuthClient
      metadata:
      ...
      accessTokenMaxAgeSeconds: 28800
      For more information on configuring the OAuth server, consult the OpenShift documentation: https://docs.openshift.com/container-platform/4.7/authentication/configuring-internal-oauth.html
      

      Expected results:

      1. The annotation "compliance.openshift.io/rule-variable: var-oauth-token-maxage" should be present in the rule annotations.
      2. The instructions should say "the output should return a targeted timeout value per client" rather than "the output should return a timeout value per client", since the value is now compared against the variable.
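      The following is an added illustration, not code from the issue or from ComplianceAsCode/content, of the check the rule instructions describe: resolve each OAuth client's effective token max age (client value overrides the OAuth server value, which in turn overrides the 86400-second default, as the rule description states) and compare it against a target value standing in for var-oauth-token-maxage. The sample OAuth and OAuthClient JSON is constructed, and the pass condition "effective age is no larger than the target" is an assumption, since the page does not state the exact comparison the rule performs.

```python
import json

# Default OAuth token lifetime stated in the rule description (24 hours).
DEFAULT_MAX_AGE_SECONDS = 86400

# Constructed sample of `oc get oauth cluster -o json`; not taken from a real cluster.
OAUTH_CLUSTER = json.loads("""
{
  "apiVersion": "config.openshift.io/v1",
  "kind": "OAuth",
  "metadata": {"name": "cluster"},
  "spec": {"tokenConfig": {"accessTokenMaxAgeSeconds": 28800}}
}
""")

# Constructed sample of `oc get oauthclients -o json` with three clients:
# one inherits the server value, one overrides it lower, one overrides it higher.
OAUTH_CLIENTS = json.loads("""
{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {"apiVersion": "oauth.openshift.io/v1", "kind": "OAuthClient",
     "metadata": {"name": "openshift-browser-client"}, "grantMethod": "auto"},
    {"apiVersion": "oauth.openshift.io/v1", "kind": "OAuthClient",
     "metadata": {"name": "openshift-challenging-client"}, "grantMethod": "auto",
     "accessTokenMaxAgeSeconds": 3600},
    {"apiVersion": "oauth.openshift.io/v1", "kind": "OAuthClient",
     "metadata": {"name": "long-lived-client"}, "grantMethod": "auto",
     "accessTokenMaxAgeSeconds": 43200}
  ]
}
""")


def server_max_age(oauth):
    """Return .spec.tokenConfig.accessTokenMaxAgeSeconds, or None if unset."""
    return oauth.get("spec", {}).get("tokenConfig", {}).get("accessTokenMaxAgeSeconds")


def effective_max_age(oauth, client):
    """Resolve the max age applying to one client and report where it came from.

    Precedence follows the rule description: a client-level value overrides the
    server value, and when neither is set the platform default of 86400 applies.
    """
    if "accessTokenMaxAgeSeconds" in client:
        return client["accessTokenMaxAgeSeconds"], "client"
    srv = server_max_age(oauth)
    if srv is not None:
        return srv, "server"
    return DEFAULT_MAX_AGE_SECONDS, "default"


def evaluate_rule(oauth, clients, target_max_age):
    """Per-client verdicts plus an overall PASS/FAIL.

    Assumption (not stated on the page): a client passes when its effective max
    age is no larger than the target supplied through var-oauth-token-maxage.
    """
    verdicts = {}
    for item in clients.get("items", []):
        name = item["metadata"]["name"]
        age, source = effective_max_age(oauth, item)
        verdicts[name] = {"effective": age, "source": source,
                          "pass": age <= target_max_age}
    overall = all(v["pass"] for v in verdicts.values())
    return overall, verdicts


if __name__ == "__main__":
    # 28800 stands in for the value an administrator would set in the variable.
    ok, details = evaluate_rule(OAUTH_CLUSTER, OAUTH_CLIENTS, 28800)
    for name, v in details.items():
        state = "PASS" if v["pass"] else "FAIL"
        print(f"{name}: {v['effective']}s (from {v['source']}) -> {state}")
    print("rule:", "PASS" if ok else "FAIL")
```

      Running it with a target of 28800 shows why "a timeout value per client" is not enough: every client does return a value, yet long-lived-client exceeds the target and the rule should fail, which is exactly the comparison the variable introduces.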

      Additional info:

              Xiaojie Yuan (xiyuan@redhat.com)
              Maria Simon Marcos