improve cleaning script

4 years ago · 0940af138b
2 changed files with 51 additions and 5 deletions
--- a/README.md
+++ b/README.md
@ -34,6 +34,7 @@ On your workstation:
 * git
 * curl
 * oc
+* ansible

 On your OpenShift cluster(s):

@ -72,6 +73,20 @@ oc new-project exploitkit-log4j

 * Click **Test** and **Save**

+Save the Jira API key to the Ansible Vault:
+
+```sh
+ansible-vault create cleanup/ansible-vault.yaml
+```
+
+Seize the opportunity to also add your Central admin password and hostname.
+
+```yaml
+jira_password: foo
+central_admin_password: bar
+central_hostname: foo.bar
+```
+
 ### 2. Expose the registry

 Expose the OpenShift registry.
@ -159,16 +174,16 @@ REGISTRY_TOKEN="$(oc get secrets -n vulnerable-cicd -o json | jq -r '.items[] |
 podman login "$REGISTRY" --username sa --password "$REGISTRY_TOKEN"
 ```

-Deploy the vulnerable app.
+Run the cleanup script.

 ```sh
-oc kustomize deployment | oc apply -f -
+ansible-playbook cleanup/cleanup.yaml
 ```

-Run the cleanup script.
+Deploy the vulnerable app.

-```
-ansible-playbook cleanup/cleanup.yaml
+```sh
+oc kustomize deployment | oc apply -f -
 ```

 ## Demo scenario
--- a/cleanup/cleanup.yaml
+++ b/cleanup/cleanup.yaml
@ -11,6 +11,9 @@
    central_hostname: "{{ lookup('env', 'ROX_CENTRAL_ENDPOINT' )}}"
    jira_password: "{{ lookup('env', 'JIRA_PASSWORD' )}}"
  tasks:
+  - include_vars:
+      file: ansible-vault.yaml
+
  - assert:
      that:
      - central_admin_password|length > 0
@ -108,3 +111,31 @@
      dest: '{{ playbook_dir }}/../policy/log4shell.json'
    vars:
      notifier_id: '{{ create_notifier_response.json.id }}'
+
+  - name: Find the Log4Shell policy
+    uri:
+      url: '{{ acs_api }}/policies?query=Policy:Log4Shell'
+      validate_certs: '{{ validate_certs }}'
+      url_username: admin
+      url_password: '{{ central_admin_password }}'
+      force_basic_auth: yes
+    register: find_policies_response
+    changed_when: false
+
+  - set_fact:
+      policies: '{{ find_policies_response.json.policies | selectattr("name", "eq", "Log4Shell") | list }}'
+
+  - name: Delete the Log4Shell policy
+    uri:
+      url: '{{ acs_api }}/policies/{{ item.id }}'
+      method: DELETE
+      status_code: "200,404"
+      validate_certs: '{{ validate_certs }}'
+      url_username: admin
+      url_password: '{{ central_admin_password }}'
+      force_basic_auth: yes
+    register: delete_policy_response
+    changed_when: delete_policy_response.status == 200
+    with_items: '{{ policies }}'
+    loop_control:
+      label: '{{ item.name }}'