Merge pull request #396 from acc-jon/issue394

#394: recognize that empty values for username and password in master…
tenable · Nov 20, 2020 · 6a24967 · 6a24967
2 parents 9058454 + 2b8e2cd
commit 6a24967
Showing 1 changed file with 13 additions and 4 deletions.
diff --git a/pkg/policies/opa/rego/gcp/google_container_cluster/gkeBasicAuthDisabled.rego b/pkg/policies/opa/rego/gcp/google_container_cluster/gkeBasicAuthDisabled.rego
@@ -2,7 +2,16 @@ package accurics
 
 gkeBasicAuthDisabled[api.id] {
     api := input.google_container_cluster[_]
-    auth := api.config.master_auth[_]
-    auth.username != null
-    auth.password != null
-}
+    auth := api.config.master_auth
+    # If username is not specified, basic auth is disabled
+    auth[_].username != null
+
+    # If username and password are both empty, basic auth is disabled
+    auths := auth[_]
+    not gkeBasicAuthEmptyCreds[ auths ]
+}
+
+gkeBasicAuthEmptyCreds[auth] {
+    auth := input.google_container_cluster[_].config.master_auth[_]
+    [auth.username,auth.password] == ["",""]
+}