From 0940af138bcf22c893df59cd41737194d3bf8744 Mon Sep 17 00:00:00 2001 From: Nicolas MASSE Date: Thu, 24 Feb 2022 12:05:13 +0100 Subject: [PATCH] improve cleaning script --- README.md | 25 ++++++++++++++++++++----- cleanup/cleanup.yaml | 31 +++++++++++++++++++++++++++++++ 2 files changed, 51 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index d8d22b5..7f25ef7 100644 --- a/README.md +++ b/README.md @@ -34,6 +34,7 @@ On your workstation: * git * curl * oc +* ansible On your OpenShift cluster(s): @@ -72,6 +73,20 @@ oc new-project exploitkit-log4j * Click **Test** and **Save** +Save the Jira API key to the Ansible Vault: + +```sh +ansible-vault create cleanup/ansible-vault.yaml +``` + +Seize the opportunity to also add your Central admin password and hostname. + +```yaml +jira_password: foo +central_admin_password: bar +central_hostname: foo.bar +``` + ### 2. Expose the registry Expose the OpenShift registry. @@ -159,16 +174,16 @@ REGISTRY_TOKEN="$(oc get secrets -n vulnerable-cicd -o json | jq -r '.items[] | podman login "$REGISTRY" --username sa --password "$REGISTRY_TOKEN" ``` -Deploy the vulnerable app. +Run the cleanup script. ```sh -oc kustomize deployment | oc apply -f - +ansible-playbook cleanup/cleanup.yaml ``` -Run the cleanup script. +Deploy the vulnerable app. -``` -ansible-playbook cleanup/cleanup.yaml +```sh +oc kustomize deployment | oc apply -f - ``` ## Demo scenario diff --git a/cleanup/cleanup.yaml b/cleanup/cleanup.yaml index d821c05..581269c 100644 --- a/cleanup/cleanup.yaml +++ b/cleanup/cleanup.yaml @@ -11,6 +11,9 @@ central_hostname: "{{ lookup('env', 'ROX_CENTRAL_ENDPOINT' )}}" jira_password: "{{ lookup('env', 'JIRA_PASSWORD' )}}" tasks: + - include_vars: + file: ansible-vault.yaml + - assert: that: - central_admin_password|length > 0 
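Review bot: The new `include_vars` task in the cleanup.yaml hunk (the `+` lines between `tasks:` and `- assert:`) loads the vault file without `no_log`, so a verbose run (`-v`) prints the loaded facts — the Central admin password and the Jira key — to the console and any CI log; add `no_log: true` to that task. It is also unnamed, and since facts from `include_vars` take precedence over play `vars`, the `lookup('env', ...)` defaults declared above it are silently shadowed for every key the vault file defines, while the file itself now has to exist for the play to start — worth stating in a comment on the task. Suggested lines: `- name: Load secrets from the Ansible Vault (overrides the env lookups above)`, `  include_vars: ansible-vault.yaml`, `  no_log: true`. The surrounding play (`vars:` block and the `assert` task) starts and ends outside the hunk.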
@@ -108,3 +111,31 @@ dest: '{{ playbook_dir }}/../policy/log4shell.json' vars: notifier_id: '{{ create_notifier_response.json.id }}' + + - name: Find the Log4Shell policy + uri: + url: '{{ acs_api }}/policies?query=Policy:Log4Shell' + validate_certs: '{{ validate_certs }}' + url_username: admin + url_password: '{{ central_admin_password }}' + force_basic_auth: yes + register: find_policies_response + changed_when: false + + - set_fact: + policies: '{{ find_policies_response.json.policies | selectattr("name", "eq", "Log4Shell") | list }}' + + - name: Delete the Log4Shell policy + uri: + url: '{{ acs_api }}/policies/{{ item.id }}' + method: DELETE + status_code: "200,404" + validate_certs: '{{ validate_certs }}' + url_username: admin + url_password: '{{ central_admin_password }}' + force_basic_auth: yes + register: delete_policy_response + changed_when: delete_policy_response.status == 200 + with_items: '{{ policies }}' + loop_control: + label: '{{ item.name }}'
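Review bot: The `set_fact` after the Find task dereferences `find_policies_response.json.policies` unguarded, so a 200 response whose body lacks that key (an empty result on some API versions, or a non-JSON page) fails the play with an undefined-attribute error instead of a clear message; `policies: '{{ find_policies_response.json.policies | default([]) | selectattr("name", "eq", "Log4Shell") | list }}'` keeps the delete loop a no-op in that case. Both new `uri` tasks write `force_basic_auth: yes`, and `status_code: "200,404"` is a comma string where the module declares a list — `force_basic_auth: true` and `status_code: [200, 404]` match the declared types and avoid YAML 1.1 truthy ambiguity. The `dest:` / `vars:` context lines at the top belong to a task that begins before the hunk.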