OCP4/CIS 3.1.1: Write rule to ensure IdP has been configured

applications/openshift/authentication/idp_is_configured/rule.yml

@@ -0,0 +1,75 @@
+prodtype: ocp4
+
+title: "Configure An Identity Provider"
+
+# NOTE(jaosorior): this required a remediation that's written in go as opposed
+# to being a script like the ocp4 e2e remediations usually are... This
+# remediation doesn't work in the "moderate" profile, so this needs to be
+# figured out.
+
+description: |-
+  <p>
+  For users to interact with OpenShift Container Platform, they must first
+  authenticate to the cluster. The authentication layer identifies the user
+  associated with requests to the OpenShift Container Platform API. The
+  authorization layer then uses information about the requesting user to
+  determine if the request is allowed.
+  {{{ weblink(link="https://docs.openshift.com/container-platform/4.6/logging/cluster-logging-external.html",
+              text="Understanding authentication | Authentication | OpenShift Container Platform") }}}
+  </p>
+
+  <p>
+  The OpenShift Container Platform includes a built-in OAuth server for
+  token-based authentication. Developers and administrators obtain OAuth
+  access tokens to authenticate themselves to the API. It is recommended for
+  an administrator to configure OAuth to specify an identity provider after
+  the cluster is installed. User access to the cluster is managed through the
+  identity provider.
+  {{{ weblink(link="https://docs.openshift.com/container-platform/4.6/authentication/understanding-identity-provider.html",
+              text="Understanding identity provider configuration | Authentication | OpenShift Container Platform") }}}
+  </p>
+
+  <p>
+  OpenShift includes built-in role based access control (RBAC) to determine
+  whether a user is allowed to perform a given action within the cluster.
+  Roles can have cluster scope or local (i.e. project) scope.
+  {{{ weblink(link="https://docs.openshift.com/container-platform/4.6/authentication/using-rbac.html",
+              text="Using RBAC to define and apply permissions | Authentication | OpenShift Container Platform") }}}
+  </p>
+
+rationale: |-
+  <p>
+  With any authentication mechanism the ability to revoke credentials if they
+  are compromised or no longer required, is a key control. Kubernetes client
+  certificate authentication does not allow for this due to a lack of support
+  for certificate revocation.
+  </p>
+
+  <p>
+  OpenShift's built-in OAuth server allows credential revocation by relying on
+  the Identity provider, as well as giving the administrators the ability to
+  revoke any tokens given to a specific user.
+  </p>
+
+identifiers:
+  cce@ocp4: CCE-84088-4
+
+severity: medium
+
+warnings:
+- general: |-
+    {{{ openshift_cluster_setting("/apis/config.openshift.io/v1/oauths/cluster") | indent(4) }}}
+
+# NOTE(jaosorior): Here we're testing that ANYTHING has been set in
+# the identityProvidres section. We only care that it has been
+# configured to something.
+template:
+  name: yamlfile_value
+  vars:
+    ocp_data: 'true'
+    filepath: /apis/config.openshift.io/v1/oauths/cluster
+    yamlpath: ".spec.identityProviders[:].type"
+    entity_check: "at least one"
+    values:
+    - value: ".*"
+      operation: "pattern match"

applications/openshift/authentication/idp_is_configured/tests/ocp4/e2e.yml

@@ -0,0 +1,3 @@
+---
+default_result: FAIL
+result_after_remediation: PASS

ocp4/profiles/cis.profile

@@ -154,6 +154,7 @@ selections:
   ###
   #### 3.1 Authentication and Authorization
   # 3.1.1 Client certificate authentication should not be used for users
+    - idp_is_configured
   #### 3.2 Logging
   # 3.2.1 Ensure that a minimal audit policy is created
   # 3.2.2 Ensure that the audit policy covers key security concerns

shared/references/cce-redhat-avail.txt

@@ -468,7 +468,6 @@ CCE-84083-5
 CCE-84084-3
 CCE-84086-8
 CCE-84087-6
-CCE-84088-4
 CCE-84089-2
 CCE-84090-0
 CCE-84091-8

tests/ocp4e2e/e2e_test.go

@@ -74,6 +74,18 @@ func TestE2e(t *testing.T) {
 			ctx.waitForMachinePoolUpdate(t, "worker")
 		})
 
+		// empty cleanup function that will be a no-op if the profile setup is skipped.
+		var cleanup func() = func() {}
+		t.Run("Configure test IdP", func(t *testing.T) {
+			if ctx.Profile == "moderate" {
+				t.Skip("Skipping IdP setup as this doesn't work in this profile.")
+			}
+			cleanup = ctx.ensureIdP(t)
+		})
+
+		// These will get cleaned up at the end of the test
+		defer cleanup()
+
 		t.Run("Run second compliance scan", func(t *testing.T) {
 			ctx.doRescan(t, suite)
 			ctx.waitForComplianceSuite(t, suite)

tests/ocp4e2e/go.mod

@@ -4,12 +4,13 @@ go 1.14
 
 require (
 	github.com/cenkalti/backoff/v3 v3.2.2
+	github.com/openshift/cluster-authentication-operator v0.0.3-0.20210114132717-a573e0b50452
 	github.com/openshift/compliance-operator v0.1.19
 	github.com/openshift/machine-config-operator v0.0.1-0.20200913004441-7eba765c69c9
 	gopkg.in/yaml.v2 v2.3.0
-	k8s.io/api v0.19.0
-	k8s.io/apiextensions-apiserver v0.19.0
-	k8s.io/apimachinery v0.19.0
+	k8s.io/api v0.20.1
+	k8s.io/apiextensions-apiserver v0.20.0
+	k8s.io/apimachinery v0.20.1
 	k8s.io/client-go v12.0.0+incompatible
 	sigs.k8s.io/controller-runtime v0.6.2
 )